Security Samizdat won’t be updated for the time being. I have plans or this domain, and I hope to have it up and running again soon.

Meanwhile, the entries already posted are yours to peruse.

Kind regards

Alfredo

“Dripping Data: Understanding and Reducing Insider Threat“
(part I, part II, part III, part IV, part V), part VI)

Apparently more parts are yet to be published. I’ll add the appropriate links as Kai posts them.

While reading Greg Conti’s excellent “Security Data Visualization” I came across this wonderful piece of software: SequoiaView. It is developed at the Technical University of Eindhoven (The Netherlands)

“Ever wondered why your hard disk is full? Or what directory is taking up most of the space? When using conventional disk browsing tools, such as Windows Explorer, these questions may be hard to answer. With SequoiaView however, they can be answered almost immediately. SequoiaView uses a visualization technique called cushion treemaps to provide you with a single picture of the entire contents of your hard drive. You can use it to locate those large files that you haven’t accessed in one year, or to quickly locate the largest picture files on your drive.”

The software is available for free, but only for Windows systems. For Unix-like and Linux users, there are several options. One of them is GDMap, which is very similar to SequoiaView, but with only some basic functionality implemented. For KDE desktops, there is the powerful KDirStat (there is a Windows clone called WinDirStat). For Gnome users, there is Baobab. A nice alternative is firelight, which uses circular representation of treemaps to show similar data (only for KDE).

Wouldn’t it be nice if popular forensics packages, such as Helix, bundled these kind of tools?

“We’ve opened up a new front on the war on terror. It’s an attack on the unique, the unorthodox, the unexpected; it’s a war on different. If you act different, you might find yourself investigated, questioned, and even arrested — even if you did nothing wrong, and had no intention of doing anything wrong. The problem is a combination of citizen informants and a CYA attitude among police that results in a knee-jerk escalation of reported threats.”

Read the complete article here.

• Informática Forense I
• Informática Forense II
• Informática Forense III

UPDATE: The folks at Juris have translated the article to Portuguese (part I, part II, part III)

“A Multi-perspective Analysis of the Storm (Peacomm) Worm” by Phillip Porras, Hassen Saidi, and Vinod Yegneswaran. Also, some useful links in the same site with further info on Storm.

Seen at xkcd

“Companies are beginning to see that most of the tools they are using — firewalls, intrusion prevention, log analysis, even a lot of the data leak prevention tools — are really only useful after you’ve been compromised,” says Kevin Harvey, senior sales engineer at Fidelis, who has participated in hundreds of insider threat assessments for large enterprises. “What they’re looking to do now is develop ways to proactively seek out the threats and prevent them, rather than just find out who did it.”

I wonder if it’s possible to implement this without companies misunderstanding it and turning their IT environments into Orwellian “ubiquitous law-enforcement” tools?

Another key piece of the “counterintelligence” puzzle is monitoring employee activity. “In our environment, any employee can use an online form to report suspicious activity,” says an IT security officer at a large banking company, who asked not to be identified. “That alerts corporate security, which then investigates.

[…]Many experts also recommend using employee monitoring tools, which can help identify unusual behavior and activity at odd hours.

From Mathieson’s article:

Getting to a mature stage of IT security will take many organisations some time, Pescatore said: by 2010, Gartner estimates just a fifth will have reached its ‘operations excellence’ stage where they spend just 3-4% of IT on security, while two-fifths will still be in the previous ‘corrective’ stage, spending 7-8%.

In response to a question, Pescatore dismissed the idea that insider threats are growing: he believes that attacks generated by malicious insiders are stable at 20-25%. Half come from mistakes made by insiders, while around 30% of attacks are made solely by outsiders, the majority of whom are cybercriminals.

From Leyden’s article:

For security managers the process involves persuading their counterparts in, for example, application development to include security functions in their projects. In this way security expenditure in real terms can go up even as security budgets (as such) stay flat or modestly increase. Security budgets freed from firefighting problems can then be invested with a view to managing future risks.

“Even a reduced security budget does not necessarily mean reducing security-related spending,” Pescatore said. “Security professionals need to think in terms of changing who pays for security controls,” so they can “move upstream” and spend their time and resources on more demanding projects, he added.

Gartner predicts that security spending will rise 9.3 per cent in 2007, but will drop out the first ten spending priorities for CIOs for the first time since the prolific internet worms of 2003. Malware threats these days have evolved into targeted attacks featuring malware payloads designed not to draw attention to themselves.

It sounds reasonable. If all corporate departments assume their part in keeping the business secure (by means of security awareness, purchase of secure products and solutions, and inclusion of security-aware development practices, for example), the IT Security departments could shift from “firefighter mode” and focus on proactive security.