The internetworking world according to John
I missed CEIC this year, but a couple of colleagues of mine were able to go. Both stated that it was an excellent conference. I hope to be able to go next year. At an ISSA meeting there was a gentleman from NetWitness who came in to give a vendor-agnostic presentation about network forensics, which has always been a very interesting topic to me.
My colleague and I were very impressed with the product and thought that it would give us great leverage in trying to bring together behavior analysis, signature analysis, asset protection, governance and data leakage. This product rolls the behavior and signature analysis into one device and leaves the firewalls, antivirus, spam assassins and web filters out on the perimeter doing their thing. This device is passive and just sips the network, logging every packet and then performing analysis and correlation on the data. What I liked about it is the fact that it will show you the true context of your packets and data. It gives an impressive analysis of, say, a DNS packet that is using a non-standard port, or of why this packet is behaving this way when, based on all others like it, it should be behaving another way. If it looks like a duck and quacks like a duck, but doesn’t have feathers like a duck… it may not be a duck. The front-end was also very logical in flow and design and provided an easy incident response procedure, process and methodology.
Now, at first I was comparing it to a UTM device, knowing that they do not perform the same functionality but cross very loosely in their functions. I have since come to the realization that it is like comparing apples to oranges. So I had to ask myself whether I would spend the money to have both a UTM and a TKND (Total Knowledge Network Device) deployed. Full TKNC (Total Knowledge Network Control) of your perimeter and internal network cannot be accomplished with only one device. The technology is not there yet. Throwing a TKND like NetWitness under the UTM umbrella is, for me, a waste of time and money. Call me a little old-fashioned, but the Swiss army knife, though handy, is still cumbersome when trying to get at each tool. I can’t help but think that a Management Console of some sort would be beneficial, but I am not sure having everything under one roof is the right approach.
When wading neck deep through information trying to pull a needle out of a haystack, I find that many are spending a lot of time wading through mounds of data trying to validate that there has been no data leakage or compromise of an important system or resource. The “oh snap” moment usually comes about a month later when an analyst finds something out of the ordinary and it snowballs into a data governance issue that suddenly feels like a David and Goliath moment. I am still on a quest to find or come up with the right TKND/UTM device. If anyone has any ideas they would like to share, let me know.
Peace `||`/
It is official, I am a CISSP
“Congratulations! It gives me great pleasure to be the first to address you with the Certified Information Systems Security Professional (CISSP®) designation!
Based upon your examination results, a review of your application and acceptance of your endorsement, the (ISC)2 Board of Directors awarded you with the CISSP designation.”
SWEET !!! I am so stoked.!!!!!
During my career I have had many experiences. I tend to think of myself as a “Jack of all Trades, Master of none” kind of person (hence the name of my business, Jack of all Networks). This could be good or bad depending on how you look at it.
When I was attending college I was fascinated by encryption and OS hardening and loved to do all kinds of “security assessments”. Because of my interest in security, I decided that I would pursue a career in Computer/Information Security. A couple of years ago I came to a crossroad. I had an opportunity to go down the System Administration path or hold out for something in security. I chose to hold out for a security job. Finally, one came and it snowballed from there. During my progression as a security professional it came time to prepare for a certification.
Now I am not a big fan of certain certifications, but I do confess that I was caught up in the certification frenzy back in 2000-2001. I don’t see many advertising certifications, but I do see more degrees. You can get your degree in just about anything these days if you’re willing to pay someone for it. I even saw somewhere that you could pay $35 and get a Doctorate. I am not sure what it was in, but I just don’t see many advertising certifications anymore. Today I think that there are a small number of certifications that have value, but they do not take the place of experience.
My analogy of a certification is compared to a cake, with the certification being the icing on the cake. The cake itself is experience. A degree is the nice chocolaty middle that makes the experience nice and moist and oh so good. Now with experience and a degree the cake is good, but with a little certification it makes the cake that much more exquisite and desirable. When applying for a job candidates should have experience to back up the degree and certification.
For the past 2 months I have been studying for the Certified Information Systems Security Professional certification. I can say that as of today I have passed the CISSP exam and soon will be able to add a very respected credential to my resume. There are two requirements in order to be considered a CISSP. First, one must pass a 250-question multiple choice test. Second, you must have at least 5 years’ experience in 2 or more of the 10 Common Body of Knowledge Domains. Not only do you have to have 5 years, you must prove your 5 years and it must be endorsed by a CISSP in good standing. I am thankful that I was able to pass. The test was a bear and it is good that it is now behind me. Good luck to all who attempt to attain that certification.
Just wanted to put in a plug for the Utah Snort Users Group. Come one, come all with your piggy questions. If you would like future notices of meetings, please subscribe to the mailing list.
“Sourcefire has been kind enough to provide us with quite a bit of swag and other goodies.
The Utah Snort Users Group will be meeting this coming Wednesday, December 12 at the Salt Lake City Public Library, Conference Room D. Justin Searle will be presenting on using Splunk to collect and analyze logs from Snort and Netfilter.
Splunk is a monitoring and reporting tool for IT system administrators with an emphasis on its search capabilities. ”
The City Library
210 East 400 South
Salt Lake City, UT 84111
12/12/2007 6:00 pm - ~9:00 pm Conf. Room D
This past weekend I decided to set up a dual-homed firewall with openBSD. Believe it or not this was a good setup and I am happy with the results. I do not recommend that a casual user set this up, but it could be done by someone who understands UNIX/Linux operating systems.
What sparked this change is that I had a Linksys wireless router which had openWRT/dd-WRT on it. (I changed between the two often) We had a fire in Ohio and I lost the wireless router. I was in desperate need of a device and after searching for a day, I could not find one that had the right firmware. I ended up buying one and could not use openWRT or dd-WRT. I was reading an article about some security flaws in Linksys devices and I knew it was time to beef up the firewall a bit.
I thought about using a linux box with iptables, but I was in the mood for something new. Enter in openBSD with pf. A sense of excitement came over me with this new idea of getting openBSD working. I had a mission and it was time to get-er-done!
Due to the fire I was very limited on my computer equipment supply and had only one PC that I could use. Currently I have a Macbook Pro dual booting between Mac OSX Leopard and Windows. I know I know I am a disgrace. I hold my head in shame for installing windows on a Mac. In my defense, all I can say is that my wife made me do it :). My kids use a PC that has a European plug on it. It has the monitor, CD-ROM and USB devices all in one like an iMac. I am not sure of the manufacturer. It is running windblows XP home. I can’t really complain because it was free. My last computer is an old Dell Optiplex(the skinny office one). Can’t complain about it either, it was free. Mac was not free! :) . Anyway, I had Windows 2000 installed on the Optiplex. (You will be surprised what OS you will use when you don’t have any!). After I got the macbook my wife started using it more along with the rest of the family. Since they were using the Mac I removed windblows 2000 from the Optiplex PC and installed Ubuntu the first chance I got.
After deciding that openBSD would be the choice, Ubuntu had to go. I was so distraught to lose my good pal, but after a tear was shed the time came for the new OS to take over. At this point I failed to remember that I needed another NIC (at the time I could have sworn I had an extra one lying around). After some time searching it was time to go and buy one. I was excited because if I got a NIC with 3 or 4 connectors I could create all sorts of cool DMZ-type setups. Then I saw the price and was steered toward just one EXT Burb and one INT Burb. After a quick trip to CompUSA a new NIC was purchased and installed the moment I got home.
I am a strong proponent of RTFM so I will not go into the basic install procedures because you can read the documentation yourself. However, I will point out some things that would have made life a little bit easier going through the experience.
The terminology and device names with openBSD are just a little different, but once you get familiar with it everything will make sense. Reading the documentation helps. If you are not a UNIX user then take some time to read the documentation.
Installation
You will need to plan ahead just a bit before you install, to make sure you know how much space you will give each mount point. The documentation has a good guideline to help you along, with a good example of how to partition your drive. The format utility is very powerful and easy to use but can be overwhelming to someone without prior UNIX/Linux knowledge. Partitioning can always be done at the sector level (but doesn’t need to be done via sectors), so a good review of the documentation before you begin will be beneficial.
Once you have partitioned your drive and set the mount points, you come to verifying your mount points. You need to remember which ones you have, because if it starts with a /tmp it will end with a /tmp, and if you’re not paying attention you will have to go through it again. You may not understand what I am talking about here, but when you go through it for the second time you will :). When the partitioner is done it will ask you to create a hostname, set up networking and create a root password. The interface names for the network cards are not going to be the same eth0, eth1 that most Linux users are used to. You can always skip this part and configure the network interfaces later. Read the documentation if you have questions.
Now it is time to install the sets. Sets are, very plainly, the OS files that run on your PC. All the non-X Windows files will be selected by default, but if you will be using X Windows then select all sets. Even if you will not be putting X Windows on, you do need the xbase42.tgz set. At a minimum you will need base42, etc42, bsd and xbase42.tgz. The reason you want xbase42 is that this set has certain libraries needed by BASH, wget, vim, screen and other packages that you may want to install later. You have several options for getting the sets. You can use the install42.iso (i.e. the CD) or you can use ftp or http if you have networking set up beforehand. Obviously, if you want to use ftp or http you will need to know the path to the sets. The CD is always faster, so choose that unless you get an itch to do it another way.
After installing the sets it is time to finish up. At this point you will be asked to start a couple of services, specifically SSH and NTP. We want SSH so that we can remote in, and I leave NTP up to personal preference… I always choose it and enter time.xmission.com. Enter “no” for starting X Windows and “no” to changing the default console. Choose your timezone and we are done and done. There are a few things to do after the installation; all you need to do now is follow the prompts and reboot.
After the installation.
After you reboot
One of the first things to read after you install your system is afterboot(8).
It assists you in securing SSH, like not allowing root to log in over SSH, etc.
Don’t forget to send in a dmesg as well, to help development.
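As an added illustration (my own example, not from the OpenBSD documentation or the install itself) of the post-boot steps for a dual-homed box: the two hostname.if files for the external and internal NICs, the default gateway in /etc/mygate, IP forwarding in /etc/sysctl.conf, and the afterboot(8) advice of disabling root SSH logins. The interface names fxp0/fxp1, the addresses, and the staging directory (instead of the live /etc) are assumptions; review the files, then copy them over.

```shell
#!/bin/sh
# Added example: stage the post-install files for a dual-homed OpenBSD firewall.
# Assumed: fxp0 = external NIC, fxp1 = internal NIC, sample addresses, and a
# staging directory so nothing touches the live /etc until you have reviewed it.
ROOT="${ROOT:-./staging}"

# /etc/hostname.<if> is read at boot by netstart; one line per interface.
write_iface() {   # $1=ifname $2=address $3=netmask
  mkdir -p "$ROOT/etc"
  printf 'inet %s %s NONE\n' "$2" "$3" > "$ROOT/etc/hostname.$1"
}

# /etc/mygate holds the default gateway (reachable via the external leg).
write_gateway() { mkdir -p "$ROOT/etc"; printf '%s\n' "$1" > "$ROOT/etc/mygate"; }

# A firewall has to pass packets between its two legs; OpenBSD keeps
# forwarding off by default, so enable it persistently in sysctl.conf.
enable_forwarding() {
  mkdir -p "$ROOT/etc"
  grep -q '^net.inet.ip.forwarding=1$' "$ROOT/etc/sysctl.conf" 2>/dev/null ||
    printf 'net.inet.ip.forwarding=1\n' >> "$ROOT/etc/sysctl.conf"
}

# afterboot(8): do not let root log in over SSH. Remove any existing
# PermitRootLogin line (commented or not) and set it explicitly to "no".
harden_sshd() {
  cfg="$ROOT/etc/ssh/sshd_config"
  mkdir -p "${cfg%/*}"
  [ -f "$cfg" ] || : > "$cfg"
  grep -v '^[# ]*PermitRootLogin' "$cfg" > "$cfg.tmp" || true
  printf 'PermitRootLogin no\n' >> "$cfg.tmp"
  mv "$cfg.tmp" "$cfg"
}

# Audit check: succeeds only when root SSH login is explicitly disabled.
check_sshd() {
  grep -Eq '^PermitRootLogin[[:space:]]+no[[:space:]]*$' "$ROOT/etc/ssh/sshd_config"
}

# Usage: sh stage.sh run   (then diff ./staging/etc against /etc before copying)
if [ "${1:-}" = "run" ]; then
  write_iface fxp0 192.0.2.10 255.255.255.0     # constructed external address
  write_iface fxp1 192.168.1.1 255.255.255.0    # constructed internal address
  write_gateway 192.0.2.1
  enable_forwarding
  harden_sshd
  check_sshd && echo "root SSH login disabled in $ROOT/etc/ssh/sshd_config"
fi
```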
I will post something on pf next time. Enjoy your new openBSD system.
Happy Thanksgiving Everybody!!!! Sorry I haven’t been keeping up on this for the handful of readers. It has been a crazy few months. Hope to update things soon.
This isn’t related to Open source but cool none the less… I was in a car wreck last Friday and wanted to share the pictures. I don’t drive a fancy car, but I have had it for about 6 years now and it is a little trooper. I was on my way to meet my family to look at some houses, when a F350 hit me from behind and threw me into a Toyota Tundra.
Ubuntu servers hacked to attack others by ZDNet’s Ryan Naraine — According to a notice in the Ubuntu weekly newsletter, 5 of the 8 servers that are loco hosted had to be shut down after an investigation showed a variety of security problems.
It is sad to see something like this. But if current updates are not being applied, then it is all for naught. More on this later.