Security Weekly Episode 215 For Thursday October 14th, 2010.
Special Cigar Segment
Paul Joyal, owner and operator of Mr J's Havana Smoke Shop, joins us again to talk about cigars.
- As if the choice of which cigar to smoke wasn't daunting enough, what are some of the new cigars coming out?
- There are many brands, some expensive, some pretty cheap. Some of the cheap ones quite frankly taste like dirt. Some of the expensive ones are good, but I find myself thinking it was not worth the money. In your opinion, what is the best value in cigars today?
- What is the deal with limited releases? Some of these cigars are just awesome and I really wish I could get them all the time. How come companies are doing all of these limited runs of cigars, why can't they make the blend all the time?
- What are some of the hidden gems in your humidor (for sale), the stuff that's "wicked good" but not a lot of people are asking for?
- Last time you said that in order to make your brand you told them which cigars you like to smoke. Which cigars are your favorite outside of your own blend?
- Which spirits go best with a cigar (types of Beer, Wine, Scotch?)
- How many different selections of scotch do you carry?
- What are some of the true hidden gems in your store, you know the stuff that's really good, priced well, and not too many people are asking for it.
- How do you decide which kinds of beer to carry? (Do you need help taste testing?)
- What is the most popular kind of beer sold in your store?
- What kinds of craft beer do you carry? Your favorites?
- Do you have a nice selection of aged wine at home?
For information about ordering cigars or liquor:
Mr J's Havana Smoke Shop
90 W Warwick Ave
West Warwick, RI 02893
Email: mrjshavana [at] aol.com
Call in to order "The Grotto" series cigar today!
Special Guest: Josh Corman
Josh is the Research Director of the 451 Group's enterprise security practice. Formerly, Josh was Principal Security Strategist for IBM Internet Security Systems. He is adept at speaking candidly while smoking cigars, and may or may not have showered today. Welcome to the show Josh!
- Josh, what is enterprise security? I find that oftentimes people will tell me, "Well, we need an enterprise security solution. And you've looked at source code before, so there is no way you can give us anything remotely close to 'enterprise security'." I also find that people will dismiss security measures because it's not "enterprise security" ready, which just means it could never meet the requirements they put forth, SO they don't implement any security. The problem is, there is A LOT at stake, and enough risk exists that attackers will go to great lengths to compromise security. I mean, they don't even really have to, but they will.
- I recently ran across this article titled Two Things that Everyone in Infosec Agrees With, which are that security folks believe:
- They should never, ever have to justify themselves to the business with a ROI case
- They need more money from the business and don't understand why it is so hard to get
PCI Hug It Out - Interview With Josh Corman
Show Topics & Stories
- Microsoft releases record number of patches (81), Oracle releases (49), Adobe was last week - The question burning in my mind is, so what? We all make a big deal about applying Microsoft patches, Oracle, Adobe, and more, but does it really matter? Look, there are attackers who were exploiting these vulnerabilities before a patch was released. Just look at Stuxnet for an example of that. Why aren't we jumping up and down shouting: "Do SOMETHING about 0day vulnerabilities!"? No, instead we jump around and say, "Patch your systems, HURRY!". I just think it's messed up.
- Power plants no longer considered immune to infection, and targeted attacks become more precise - Whoa, whoa, wait just a second. Since when did we consider power plants "immune to infection"? I mean, they use computers, right? And ever since they started using computers, they have been PRONE to infection. In my experience, it seems that many infrastructure and control systems types like to ignore the fact that attackers can breach their security. Security is a low priority for these folks. And, I'm just going to come right out and say it, they like to sweep it under the rug. Anytime there is a problem with control systems security, it tries to live under a cloud of mystery. Here's the thing, it's not going to get better unless we talk about it. You're not really buying time to fix the problems, you are just living with the risk. OHHH, and then Stuxnet comes out and has a rootkit for your PLCs. Do you think that's the first time? Hell no. Will it be the last? Hell no, because so many control systems just aren't taking security seriously. Look, Microsoft's security SUCKED BAD at one time. It's okay, happens to the best of us, however, they made it better. How did they do that? They joined with the community (BlueHat, and other efforts) and built it into their culture. Do they still have problems? Sure, but they are much better equipped to deal with them (and arguably have one of the largest code bases in the world). Wow, what the hell is happening when we are looking to Microsoft for security advice?
- Traditional Pen Testing Is DEAD - Okay, first off, I just want to say that I love Dave. I mean, ever since we jumped on the bed naked together at Black Hat, there has been this special bond... Now, on to rip apart Dave's article :) I mean that in a nice way, because I hear what Dave is preachin' and I believe in it, I just think there is more depth to this topic and some points that need to be clarified. Let's all agree on a few things:
- A vulnerability scan is not a penetration test (even if there is some exploitation)
- A penetration test is not a vulnerability scan (even if there is some scanning)
- There exists mutually exclusive value in both vulnerability scanning and penetration testing
- It's okay to hire someone to perform vulnerability scanning, penetration testing, or a combination of the two
- A great penetration tester can understand the business requirements, paint a clear picture of risk to senior management, write their own tools, and make the best use of automated tools, both free and commercial
- Hiring someone to perform some form of assessment and having them spend time "scanning" is okay if you don't perform any internal scans or if it covers areas not in your regular scanning
- If you hire someone for a penetration test, and they "get in" and "steal" sensitive information, then tell you "oh, you need to patch x, y, and z", that's not very helpful
- I can give you free advice: if you're not patching your endpoints' third-party software, you are likely already pwned
A penetration test should go beyond scanning, patching, firewalls and IDS. It should gauge how easily an attacker can penetrate your defenses and disrupt business operations or steal sensitive information. If a penetration tester can do damage in a week, imagine how much damage an attacker could do in a year. The most important part of a penetration test is the lessons learned. Did you detect the attacks? How about the communications channels? How did your users react? What things can you do to make it more expensive for an attacker to come after you? And most importantly, how do you balance security with the value of your business? For example, if your business is worth 1 million dollars, you should not spend $800,000 on security.
- DNS, Malware, Anti-Virus software - Wow, for once I think I will actually take the side of anti-virus software. Seriously. Okay, maybe not too seriously, but in any case it's true that not all anti-virus software today is signature based. There is a lot of decent behavior or heuristic based stuff out there, and it does catch a certain percentage of malware. We never said, "Don't bother running anti-virus software". Okay, well, we just said it, but we didn't mean it. The author does have a point: "The truth is that no-one in computer security, except perhaps the crooks themselves, can predict what tomorrow's malware, tomorrow's dodgy domain names, tomorrow's bot command and control servers, or tomorrow's illegal money-making scams are going to be." No one has a crystal ball, and the only thing we do have is: intelligence. This is one of the most important and fundamental concepts when dealing with security. You have to know what your enemies are up to. Sure, most of the time they are not YOUR enemy; likely they are using your resources to make money in some way, and you are really just a pawn in their game.
- BTW, you may want to re-think the "Sun Tzu" analogy after reading this.
- Legislation, Regulation, best practices...are they doing anything to improve security? Are they enough? Do they work? Why do we bother?