Josh More – Starmind Blog

Those of you that have seen the series Planet Earth are probably aware of the glow worm cave. (Those of you that have not have some TV watching to do.) This is a cave full of cute little glow worms that make a light pattern on the ceiling of the cave that is reminiscent of the night stars. It's a beautiful sight to stare up at those little glittering pinpoints of lights.

Of course, that's the tourist spiel. In actuality, the "glow worms" are larval gnats that produce mucus and spin out long threads to entrap moths. When a moth becomes deluded by the mights and becomes trapped in the sticky threads, the larvae pull up the moth and liquefy and suck out their internal organs. After secreting mucus and dining upon moths for up to a year, they transform into gnats whereupon they mate and die... which seems like a lot of work to me, but then, I tend not to be consulted in matters such of this.

However, the lesson here is a good one. Namely, it's probably not worth travelling all the way to New Zealand to visit the the phosphorescent snot worm cave. However, a deeper lesson is that light attracts bugs. (Sure, I could have blogged about the moth and the candle, but then I'd not be able to talk about glow worms.) If you want to know something about the insects that inhabit a cave, just put out a light and see what comes visiting.

We do that in I.T. security to help identify the attackers that are on the Internet. We call them honeypots, which is likely a reference to Winnie the Pooh (I hope), but since I am not (yet) linking children's literature to security, we'll ignore that bit for now. Instead, we'll take a quick look at the value of Lepidopterisy. Just as a scientist can look at the types of moths ensnared in sticky mucusy silk and learn a lot about the ecology cage, a security researcher can examine the malware and attacks found within a honey pot and learn a lot about the sorts of attacks that they may be subjected to.

By creating your own honey pot, you get a chance to deal with attacks before (hopefully) they impact your production systems. However, just like fungus gnats larvae don't ignore the moths that stumble into their "webs" (strings, really), in order for this to be effective, you can't ignore what gets caught in the honey pot either.

Related posts

• Security Lessons from Nature – Autotomy (0)

In case you haven't figured it out, I fall back to blogging about an Aesop fable when I'm stuck for other things.  In this case, I am stuck underneath a cat and all of my mythological references are about half a meter out of reach. Luckily, many of Aesop's fables are available online. Like, for example, this one.

In this story, a sleeping lion is startled awake when a mouse runs across his nose. Looking all around for whatever woke him up, he checks all over his cave and finds nothing. A fox observes this behavior and, knowing that he can outrun a sleepy lion, makes fun of him for being afraid of a mouse. Attempting to safe face, the lion claims not to have been afraid, but more affronted by the bad manners.

As usual, Aesop completely missed the point of his story. Instead of being a droll observation of class structure of ancient Greece, it's obviously a better lesson for dealing with initial network probes. Probes are a fact of life on the Internet. All sorts of attackers on the Internet want to take over your systems. The first step is to send out a small probe and uncover various things about the potential targets. This is part of what firewalls are supposed to prevent.

A lion needs a few things as it sleeps. Air, probably being the most important. However, if it wishes to stay asleep, it helps to have a way to keep the mice out of the lion cave.

As an aside, I personally question how common it was for lions to sleep in caves. Modern lions don't seem to do this... though perhaps that has less to do with lion slumber preferences and more to do with a general lack of caves in subSaharan Africa.

So, if you have a lion that wish to keep vermin-free, it would help to put up some sort of chicken wire fence over the "cave", thereby allowing in air and preventing mice (and rats... it's a twofer!). In much the same way a firewall keeps out known malicious traffic so your servers can crunch their numbers in piece. Admittedly, our firewalls block worms. Worms are smaller and trickier than mice, which is why the firewalls are more complex and expensive than chicken wire.

Running without a firewall would be like trying to coax a lion into sleeping while they are being trampled flat by a veritable cascade of members of the family Muridae.

Related posts

• Mythic Monday – The Aging Lion and the Fox (0)
• Mythic Monday – Aesop: The Dog, The Rooster and the Fox (1)

There are three ways to approach this problem. The most common method is to ignore it, and apply patches as time permits. The logic here is that since applying patches can often require a maintenance window, it's hard to balance the business's needs against the risk of an attack by an unknown party. Since an increasing number of attacks are subtle, it's quite easy to convince yourself that it's not a big deal, and inadvertently accept more risk than you'd like. I don't really recommend this method.

The second method is to fully embrace the situation and fork out the cash for a full patch management system. These solutions aren't cheap, but it does allow you to view your entire environment from a single console. This way, you basically outsource the tedious job of keeping on top of everything and use the tool to make sure that all machines on the network are kept fully updated. Now, this solutions doesn't eliminate the need to schedule downtime to get the patches applied, but it does simplify matters significantly... at least when you are only running software that is monitored by tool.

The third method is something of a middle solution. In situations where you either lack the budget for a patch management solution or are still investigating the varied options, you can simplify the process by doing a quick audit of each of your systems and uninstalling anything that isn't needed. The key here is system classification:

• Development systems should not directly face the Internet.
• Production systems should not have development software on them.
• Production servers should not have workstation software on them (Office, Adobe reader/flash, Web Browsers)

By eliminating all unnecessary software, you can massively reduce your attack surface. Simply put, if software isn't there, it cannot be exploited. Now, this doesn't eliminate the necessity to keep the software that is there up to date, but in the process of removing what's not needed, you can get a good idea as to what is there and monitor the patch releases for those few projects. It's not pleasant, but it is doable.

Related posts

• Small Business Attack – Patch Tuesday (and others) (0)

Every month, on the second Tuesday, Microsoft releases a set of patches to their software.  They're ranked in various ways, based on what they correct and how critical they may be.  Then, two things happen:

First of all, various security groups review them and start posting their opinions (I prefer the Internet Storm Center synopsis). After that, those of us with more internally-focused positions start reviewing the various summaries by both the security groups and Microsoft and work up an internal plan to test and deploy the patches appropriately. When, after everything looks right, we start deploying the patches to make sure that everything is nice and secure.

Secondly, the various more selfish security groups also review them... but in a tad different way. They investigate what the patches correct and start trying to come up with malicious code that exploits the problem. Then, at the same time that we're reviewing the patches for our environment, they're running tests against various other systems. If we're lucky, at the time that we're deploying the patches on our systems, they're deploying the new malware against our systems. If we're not lucky, they beat us to the punch.

Of course, this is a somewhat simplified scenario. There are a great many more vendors than Microsoft, so this cycle doesn't really take place on a monthly basis. Some vendors release updates on a quarterly basis, some are yearly and some are pretty much whenever they feel like it. So really, each day is a steady flood of vulnerability information and, if we're lucky, patches to go along with them.

If you can stay on top of the flood, you can keep your systems somewhat protected. Off course, if you miss something, you leave a hole that an attacker can easily find.

So what do you do about it?

Related posts

• Small Business Defense – Patch Management (0)

Poison dart frogs are, not surprisingly, covered with poison. I could go off at length about how different species have different levels of poison, and how not all of them were used to poison darts and how many of them are going extinct due to a nasty fungus that's only vulnerable to an eyewash solution... but that would be a bit too rambling even for me.

Instead, I'm going to talk about ants. I'm not going to go off about how they are communal, have some interesting chemical signals or even how they are vulnerable to some very interesting fungi that take over their brains (despite how unbelievably cool that is). No, the important thing is that the frogs eat the ants.

Boring, I know.

See, the poison dart frogs don't generate the poison themselves. Instead, they eat ants and push the poison from the ants out through their skins. Not only is that an awesome example of how a predator can turn a prey's defense into a defense for the predator while simultaneously rendering it useless for the prey (smart little froggies!), but it's also an example of the importance of operations.

See, an interesting side effect of this method of defense, is that if the ants go away, then so does the defense. Domesticated poison dart frogs aren't poisonous (which would make them dart frogs (which, since they neither throw darts nor are tailors, is a horrible name for them)). In order to keep the defense, they have to keep on acquiring ants.

Which gets me into mergers and acquisitions... which is where I wanted to go the whole time. When you conduct an acquisition, as the acquirer, it is often tempting to go for economies of scale and try to get the acquiree to do things your way. This just makes sense. After all, that's why you bought them, right?

Well, kinda.

Unless you bought them to kill them as competitors, they probably bring another value to the table as well. If you buy a poison dart company and then tell them "Now that you're part of GlobalConglomeratedWidgetCoInternational, you have do things our way... and we eat our own dogfood!" you'll definitely merge them into your organization... but if they're eating dogfood, they're not eating ants and you just have a dart company.

When merging operations, pay close attention to the operations of the other company and try to understand why they do things the way they do. There's generally a good one. Then the question would be whether the loss they face by doing things your way is outweighed by the operational efficiencies, and whether it's all that important that the darts be poisoned.

Related posts

• Security lessons from Nature – Fire ants and lizard evolution (0)