

Most Liked Content


#454 ISP Filtration

Posted Ron B. on 04 October 2013 - 11:24 AM

Building on last night's discussion, below is an article I wrote for SC Magazine in 2010.  

From the CSO’s Desk

Water Under the Bridge – Ron Baklarz, CISO Amtrak

Think of the security of your network like that of your city tap water and home drinking supply.  The water supply originates from any number of unsafe-for-consumption sources such as rivers and streams, much like the network traffic that flows throughout the unsafe ecosystem of the Internet.   The unsafe water supply is collected at a regional purification and distribution facility and treated for impurities long before it reaches your home.  At this point, the tap water is safe for consumption.  But even though the water supply meets governmental standards for purity and consumption, we often take additional measures to further filter our water with home water conditioners, spigot filters, water jug filters, etc.  Some of us bypass our home water supplies altogether by drinking bottled water.

Doesn’t this appear to be a lot like the protective measures we take when we tap into the Internet?  We filter incoming Internet traffic in any number of ways.  At the corporate level there are firewalls, email/spam filters, network-based and host-based intrusion detection/prevention systems, anti-virus protections, personal firewalls, etc.  Hopefully at home, we use a minimum of anti-virus protections and personal firewalls on our systems.  I would compare the regional water purification and distribution facility to that of the Internet ISP.  But unlike the model of our water supply, where purification takes place at the regional purification and distribution facility, there is a lack of sufficient filtration and protections of Internet traffic as implemented by the ISPs.

There is a lot of unnecessary and potentially dangerous Internet traffic that could be filtered at the ISP level before it ever reaches our networks.  For example, I recently asked one of the major (huge) ISPs if they filtered out “bogons” and “fullbogons” from our incoming Internet traffic.  While the term “bogon” certainly sounds sinister, the bogon list is actually the list of IANA’s unassigned/reserved IP address space.  And “fullbogon” lists are assigned but not allocated IP addresses within an ISP.   By their very nature, Internet traffic originating from these IP addresses should not be traversing the Internet let alone entering into your corporate and home networks.  The ISP I questioned responded that they did not currently block bogons but were considering doing so.  One reason why this is important is one study available at www.team-cymru.org found that approximately 60% of Distributed Denial of Service (DDoS) network attack packets came from bogon address space.  

There are many other examples of possible ISP filtration and protection strategies that could be implemented such as “safelisting” filters to block access to known malicious websites and IP addresses and IP address ranges.  Now, not all DDoS attacks use bogon address space and filtration varies from ISP to ISP.  But this is one glaring example where defense-in-depth comes into play and we need all the defensive weapons in our arsenal that we can muster.  It would make sense to apply as many protections “upstream” as possible.  If the government is truly serious about cybersecurity, consideration should be given to developing and implementing standards governing ISP-level protections in a manner similar to those that apply to our water supplies.
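As an added illustration (not part of Ron B.'s post, and not any ISP's configuration), the following Python does at a network edge what the post asks ISPs to do upstream: classify each flow by its source address and drop the ones that fall in bogon space. The prefix table is the static, well-known reserved and special-purpose set (RFC 1918, RFC 6890 and related); the dynamic "fullbogon" portion, unallocated IANA/RIR space that changes over time, is deliberately left out and would have to be pulled from Team Cymru's feed on a schedule. The flow-log lines are constructed for the example, and the IOS-style ACL rendering at the end is an assumption about syntax, not output taken from any device on the page.

```python
"""Bogon source-address filter: an added example, not the post's own code."""
import ipaddress
import re

# Static special-purpose prefixes that should never appear as a source on the
# public Internet. This is only the fixed part of a bogon list; the unallocated
# ("fullbogon") part is not included here and must come from a refreshed feed.
STATIC_BOGONS = [
    "0.0.0.0/8",        # "this" network (RFC 1122)
    "10.0.0.0/8",       # private (RFC 1918)
    "100.64.0.0/10",    # shared address space / CGNAT (RFC 6598)
    "127.0.0.0/8",      # loopback
    "169.254.0.0/16",   # link-local
    "172.16.0.0/12",    # private (RFC 1918)
    "192.0.0.0/24",     # IETF protocol assignments (RFC 6890)
    "192.0.2.0/24",     # TEST-NET-1 (documentation)
    "192.168.0.0/16",   # private (RFC 1918)
    "198.18.0.0/15",    # benchmarking (RFC 2544)
    "198.51.100.0/24",  # TEST-NET-2 (documentation)
    "203.0.113.0/24",   # TEST-NET-3 (documentation)
    "224.0.0.0/4",      # multicast: never a valid unicast source
    "240.0.0.0/4",      # reserved, includes 255.255.255.255
    "::/128",           # unspecified
    "::1/128",          # loopback
    "fc00::/7",         # unique local (RFC 4193)
    "fe80::/10",        # link-local
    "2001:db8::/32",    # documentation
    "ff00::/8",         # multicast
]

# Constructed flow-log lines for the demonstration (not real traffic).
SAMPLE_LOG = """\
src=8.8.8.8 dst=203.0.113.10 proto=udp dport=53
src=10.1.2.3 dst=203.0.113.10 proto=tcp dport=80
src=192.0.2.44 dst=203.0.113.10 proto=tcp dport=443
src=224.0.0.9 dst=203.0.113.10 proto=udp dport=520
src=93.184.216.34 dst=203.0.113.10 proto=tcp dport=443
src=2001:db8::1 dst=2001:db8:ffff::10 proto=tcp dport=22
src=2606:4700::1111 dst=2001:db8:ffff::10 proto=tcp dport=443
src=999.1.1.1 dst=203.0.113.10 proto=tcp dport=80
"""

_SRC = re.compile(r"\bsrc=(\S+)")


def build_bogon_table(prefixes=STATIC_BOGONS):
    """Parse the prefix strings once into network objects."""
    return [ipaddress.ip_network(p) for p in prefixes]


def classify_source(src, table):
    """Return None if src is an acceptable source, else the drop reason
    (the matching bogon prefix, or 'unparseable' for a malformed address)."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return "unparseable"
    for net in table:
        if addr in net:  # ipaddress returns False across v4/v6, no exception
            return str(net)
    return None


def filter_flows(log_text, table):
    """Split flow records into (passed, dropped); dropped carries the reason."""
    passed, dropped = [], []
    for line in log_text.splitlines():
        m = _SRC.search(line)
        if not m:
            continue  # not a flow record
        reason = classify_source(m.group(1), table)
        if reason is None:
            passed.append(line)
        else:
            dropped.append((line, reason))
    return passed, dropped


def acl_lines(table):
    """Render the table as IOS-style ingress ACLs (assumed syntax), one list
    per address family, each closed by an explicit permit-any."""
    v4 = [f"deny ip {n.network_address} {n.hostmask} any" for n in table if n.version == 4]
    v6 = [f"deny ipv6 {n.with_prefixlen} any" for n in table if n.version == 6]
    return {"ipv4": v4 + ["permit ip any any"], "ipv6": v6 + ["permit ipv6 any any"]}


if __name__ == "__main__":
    table = build_bogon_table()
    ok, bad = filter_flows(SAMPLE_LOG, table)
    print(f"passed {len(ok)}, dropped {len(bad)}")
    for line, reason in bad:
        print(f"DROP ({reason}): {line}")
    for fam, lines in acl_lines(table).items():
        print(f"--- {fam} ---")
        print("\n".join(lines))
```

Two practitioner notes: a static table like this one is safe to deploy on an edge router, but the unallocated-space portion of a bogon list shrinks as registries hand out address blocks, so a stale fullbogon feed will eventually drop legitimate customers; and source-address filtering stops spoofed traffic only if applied at the ingress point closest to the spoofer, which is why the post argues for doing it at the ISP rather than at the customer firewall.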




#440 From Blog: NPR: “Your Digital Trail, and How It Can Be Used Against You”

Posted Professor Snyder on 03 October 2013 - 01:36 AM

Benni: Back in 2003, I traced a guy's footsteps going back a full 12 months with cell tower data (no GPS chip). The article is too old to appear in the Pittsburgh Post-Gazette's archives, but you can get it on Westlaw or Nexis/Lexis, or I could tell you more in a more private venue.  That should be possible for any movements of a cellphone made since the 1980s.

2003 WLNR 5273116
Pittsburgh Post-Gazette (PA)
Copyright 2003 PG Publishing Co.
April 8, 2003

NEW EVIDENCE PERSUADES BANK ROBBER TO CONFESS

TORSTEN OVE, POST-GAZETTE STAFF WRITER


Serial bank robber Christopher Mark Lyons knew some of the tricks of the bank heist trade because he was once a teller and he'd been trained in bank security.

He didn't draw attention to himself inside a bank, he knew which drawers at a teller's station contained the bigger bills, he didn't leave any fingerprints behind and he got rid of his clothes after he did a robbery.

As bank robbers go, he was fairly smart -- but not smart enough.

Faced yesterday with new evidence he learned about just before his federal trial was to begin, Lyons admitted that he was the "Main Street Robber" who held up eight small town banks in Pennsylvania and Ohio last year.

He pleaded guilty to robbing five banks in Pennsylvania and accepted responsibility for three others in Ohio.

Almost all bank robbers plead guilty, but Lyons, 22, of Banksville, was convinced right up until jury selection that federal authorities didn't have enough on him.

That changed when he realized Assistant U.S. Attorney William Snyder would introduce cell phone records that placed him in the vicinity of the banks on the days of the robberies.

In the case of holdups in Butler and Hermitage, for example, authorities were able to use cell tower records to reconstruct Lyons' path as he drove down Interstate 79 back to his apartment on Saw Mill Run Boulevard.

Snyder didn't receive the records until Friday. Without them, the feds still had a good case. With them, Lyons knew his fate was sealed.



#415 Cybersecurity News Resources

Posted Larry M. on 28 September 2013 - 11:20 PM

Two must-read news sources:

1) Krebs on Security
Brian Krebs is a reporter who used to work at the Washington Post but left to start his own blog.  Krebsonsecurity.com is one of the best cyber security blogs available.

2) Security Now!
This is a weekly podcast by Steve Gibson and hosted by Leo Laporte.  It's available on iTunes and most other sources where podcasts are available.  Some sessions are very technical and can be lengthy, but are very informative.  https://www.grc.com/securitynow.htm


#457 Article: "Why Mere Compliance Increases Risk"

Posted Larry M. on 06 October 2013 - 01:51 AM

Article in csoonline.com:  "Where mere compliance increases risk"

http://www.csoonline...-increases-risk

I have personally experienced examples where companies are more interested in compliance than security.  Executives have told me that they're compliant and therefore, they're safe.  They're under the false impression that compliance equals security.

The "compliance = security" myth is one reason why many companies are at greater risk than they think.  The article focuses primarily on security awareness training and states that focusing on the regulation itself instead of following the "spirit of the law" will not protect companies from liability.

As we progress through the course we need to remember to focus on protecting data instead of "checking the box."


#438 Cybersecurity News Resources

Posted Professor Snyder on 03 October 2013 - 01:15 AM

Yes, kpsigafo, I would recommend almost anything from Bruce Schneier. For those of you who are not familiar, he is a security guru (beyond cyber, too) who is the Security Futurologist at BT (was British Telecom) and who is presently at Harvard Law School's Center for Internet and Society.  His 2012 book "Liars and Outliers: Enabling the Trust that Society Needs to Thrive" is of particular interest, and I assign a small portion of it in the longer, on-campus version of this course.


#430 From Blog: NPR: “Your Digital Trail, and How It Can Be Used Against You”

Posted Benjamin Zaiser on 02 October 2013 - 03:33 AM

This may be a little bit dated, but it certainly fits this thread and should be worth a look.

In the course of Germany's implementation of the European Data Retention Directive of 2006 (obligating telcos to retain meta-data for at least 6 months for law enforcement purposes), a Green Party politician obtained his phone's pen register data that T-Mobile held for the previous 6 months. He handed it over to one of the country's major newspapers, which produced an interactive map that allows readers to follow every step he made in that period.

This was 2009, when the public just started to comprehend the ramifications of digitally communicated (Big) data. A nice heads-up back then, though. The map is fun to navigate and also released in English:

http://www.zeit.de/d...-data-retention

Have a good night, everyone!

Benni


#318 From Blog: Dr. Zaius the cat the key to cybersecurity? WSJ on ethical hackers

Posted Professor_WCS on 28 March 2013 - 03:18 AM

Geoffrey A. Fowler wrote an interesting (and lighthearted) article for The Wall Street Journal on the tricks that ethical hackers use to teach company employees a cybersecurity lesson.  Companies hire these ethical hackers to test their employees; after the employees inevitably fail, “[t]hose who click get a [] stern warning[] from their tech departments.”

One such tactic is to send an e-mail out that reads “check out these kitties!”, with the promise of more cat pictures to follow.  Clicking on the link rewards the employee with a picture of Doctor Zaius (a cat with a purple mohawk) and the aforementioned warning from IT.

According to Fowler, similar tactics include leaving compromised thumb drives marked “confidential” in the parking lot and gaining physical access to computer systems by using disguises such as “package deliveryman and fire marshal.”





#11 Natsec Employment Resources

Posted Lionel Hutz on 23 September 2012 - 10:22 PM

Stickied thread with all relevant websites/documents for NatSec employment opportunities.


Military Law

Military
  • USAF OTS Forums (you gotta register, but this forum has a number of active duty and prospective AF officers talking about OTS.  The forums have subforums for each AFSC).

Intelligence

DoD

Law Enforcement


VIA INSCT, a compilation of links to NatSec employers.

Also via INSCT, job/internship/fellowship announcements.

Again via INSCT, a number of links about getting started in national security and counter terrorism.  The link has further links to job resource guides, security clearance guides, and basic job hunting tips.