Tag Archives: Issa

Quick ISSA-Be Meeting Wrap-Up

Quick wrap-up about the last ISSA-Be chapter meeting… Wim Remes (@wimremes) was on stage to speak about visualization and about his project to join the (ISC)² board.

In our world (information security), we collect a lot of (technical) data. How do we present it efficiently to managers or non-techies? Wim’s talk title was “In the land of the blind, the squinter rules“. Wim does not present himself as a security visualization guru but tries to display information in a more efficient way. Some good quotes from his presentation: “When two worlds collide!” or this one from Edward Tufte: “Data can be beautiful, data should be beautiful“. I had already seen Wim’s presentation at BlackHat Europe, but he added more examples and changed a lot of slides.

Do you know what the number “73” represents? This is the number of slide types available in Microsoft Excel 2010! Some facts from the presentation:

  • Sometimes text is enough! Example: representing statistics about password lengths (using a mix of different font sizes)
  • Take care with your colors. Color-blind people might have difficulties interpreting them
  • The best visualization tool is the one you choose to represent your data! If you’re not satisfied with the graphics generated by your solution, grab the raw data and build your own dashboard.
  • Some visualizations look like “Sponsored by Crayola” :-)
  • Sometimes legends are not required
  • The position of key elements is critical on your dashboard (top-left or center for the most important stuff and top-right for less interesting information)

The second part of the event was again focused on Wim, but now wearing his “future (ISC)² board member” cap! An open discussion started about the upcoming election of the new (ISC)² board. Wim successfully passed the first phase and hopes to get enough votes to be elected in November. Everything started with a reflection on the value of the CISSP certification. Once you have your CISSP certification, you have to pay your AMF (“Annual Maintenance Fee“), but what can you expect in return? Today, almost anybody who attends a bootcamp or reads books can pass the certification. “Why not imagine a CISSP+ if you submit white papers and some material?” said Wim. What drove Wim?

  • “at least I tried”
  • Where is my AMF going? What’s the real value of the cert? (certification, content, process)
  • Need for more internationalization of the organization
  • More knowledge transfer between members
  • Crossing borders between countries and different security points of view
  • Transparency: does income = outcome?

More information about Wim’s project at (ISC)² is available here.

Some news about the ISSA-Be chapter upcoming events:

  • CERT
  • SCADA security
  • Mobile device security
  • (Safely) Rolling out IPv6
  • Solving the Hex-Factor
  • Exploiting over DNS-tunnel

Follow them via their website.

Use your Logs to Detect Fraud

I was invited by the ISSA Belgium chapter to talk last night about log management & SIEM (“Security Information and Event Management“). This is a very interesting topic, but almost everything has been said (good and bad) about SIEM. I decided to innovate and to use some articles posted on this blog as practical examples of fraud detection. After the theory, some practice is always welcome! Let’s make your logs more valuable…

Fraud can be defined as “a deliberate deception, trickery, or cheating intended to gain an advantage“. This term is often closely linked to the world of finance. That’s why I prefer to use the word “suspicious“. An event can be flagged as suspicious if it does not follow strict baselines. Four practical examples of suspicious activities were discussed:

  • MySQL Database changes
  • USB stick detection
  • Rogue access to resources
  • Mapping events to Google Maps

Each example was reviewed as a quick recipe to detect the suspicious event, all of them reported by OSSEC. The goal was to explain how to gain more visibility and more value from your logs at… an affordable price, read: without an (expensive) SIEM solution. Even if the smallest organizations don’t have budgets and resources, they can implement solutions to increase their security.

The presentation is available on Slideshare.com.

ISSA-Be Chapter Wrap Up: Cybercrime

I’m back from the last ISSA-Be meeting held in the Verizon offices in Leuven. Today’s topic was “Cybercrime: The actors, their actions, and what they’re after“. The speaker was Matthijs van der Wel, EMEA manager of Verizon Business’ Forensics practice, who contributed to the Data Breach Investigation Report.

The talk was divided into two parts. In the first one, Matthijs reviewed the 2009 edition of the report. This is an annual document released by the Verizon Forensic Team. They analyze thousands of security breaches and compute statistics. This document is a must-read but, honestly, tons of numbers and graphs must be digested. Tonight, Matthijs reviewed some of them and gave nice examples to illustrate some numbers. I had already met him in Amsterdam last year during an (ISC)² event. For those who are interested, the 2010 edition is almost done and will be released in June.

First, the report is based on “security breaches”; such an incident occurs when:

  • It is confirmed
  • Data have been stolen
  • And data have been abused!

The last point is important: if a laptop with critical data is stolen but the thief just reformats the drive to sell it on eBay, this is not considered a security breach. Second important point: a specific incident can be critical for one organization while the same one is irrelevant for another. Matthijs reviewed some examples of classic security breaches (a lot of them are due to stupid things, hélas!). He also explained why online criminality is growing so quickly by comparing a bank robber and a hacker. The robber must come to the bank with a gun, point it at somebody and ask for money. If he’s lucky the police will just arrest him, or shoot him first. At the opposite end, cyber criminality does not directly expose the bad guy. He can operate from home and evidence is very difficult to collect (he will jump across several hosts located in several countries). It’s a nightmare for forensic investigators.

After a short break, the second part of the talk was about “forensics in the cloud”. A huge topic! ;-) Things must be clear: it’s almost impossible to perform an investigation in the cloud. The main issues are:

  • We don’t know where the data are located
  • Is it possible to access a backup?
  • How to access the logs?
  • How long are they kept?
  • Which events are logged?
  • In which format are the data stored?
  • etc.

The conclusion is simple: don’t put sensitive business in the cloud. If you need to keep control, keep your data with you! One important remark from Matthijs about the data: it’s important to communicate in case of a security breach, but it’s also important to communicate before: know your data! Know which data are collected from your customers or partners and tell them how you manage them.

Besides the talk, I met the regulars and also new faces!

Note: The next OWASP Belgium Chapter meeting is scheduled on 1st of June and will cover the Belgian eID.

OWASP & ISSA Belgium Chapter Meeting


I’m back from the last OWASP (organized together with ISSA) Belgium Chapter meeting. As usual, good times with friends from the Belgian security landscape ;-). Two topics were covered today. First GreenSQL, a database firewall, then an overview of mobile malware by Mikko Hypponen.

Almost one year to the day, I wrote a blog post about GreenSQL. Yuli Stremovsky, VP of Research and Development, was invited to Belgium to present his solution. Yuli first reviewed some common facts to explain why products like GreenSQL are important in today’s infrastructure. Databases are used everywhere and are accessible online via web sites. Some common problems were covered (like SQL injection), nothing new, but a solution like GreenSQL could be interesting in some cases.

GreenSQL acts as a proxy: before passing SQL queries to the database server, several checks are performed and unexpected requests are blocked. Unfortunately, the product comes “empty” and the administrator has to define which queries will be accepted. The default rule is “deny all”, and dangerous commands like “show processes” are also denied. As suggested by people in the room, some “sets of queries” for common web applications (Joomla, WordPress, …) would be welcome so as not to reinvent the wheel.

I had an interesting discussion with Yuli: it could be interesting to export the events generated by GreenSQL to a third-party system such as a log management solution. Another nice feature could be to filter the data sent back to the client (some kind of “DLP” module). Important remark: using GreenSQL does not exempt developers from staying aware of security! Relying on GreenSQL alone is a fail!

After a short break, Mikko Hypponen, Chief Research Officer at F-Secure, presented the state of the malware landscape in the mobile world and what we can expect in the (near) future. Mikko is a great speaker and gave an excellent presentation. He reviewed the history of malware on mobile phones. Compared to common environments like Windows, there are “only” 500 known viruses targeting our mobile phones (interesting to know: Symbian is the top target).

The evolution of mobile malware follows the same path as on our PCs. At first it was not able to spread rapidly (Bluetooth covers only a limited area) and had limited impact. Today, malware is developed to steal money! Mikko gave more details about an attack targeting mijn.ing.nl (a web-banking site). Other malware can send text messages or call high-rate phone numbers. Not surprisingly, a lot of malware hits users by forcing them to perform unsafe actions or by displaying rogue information. Nothing new: the human factor is the major problem. And what about the future? Mikko predicts more malware, mobile botnets, drive-by exploits, rogue dialers and, of course, spam bots.

This was an excellent meeting with great topics. A lot of people were present thanks to the joint OWASP-ISSA organization. See you next time!

ISSA Belgium Chapter Meeting: Introduction to OSSEC

Back from the first ISSA Belgium Chapter Meeting of 2010. Today’s topic was “Introduction to OSSEC: Log Analysis and Host Intrusion Detection“. A very interesting topic for me. First because I’m involved in a lot of SIEM projects. But especially because Wim Remes, the speaker, is a friend of mine.

Wim is a fan of OSSEC. This open-source tool is defined on its web site as “an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.“

Wim chose to split his talk into two big sections. First, a theoretical part, where he explained to the audience why a good log management solution is a must-have for all organizations (whether they have to be compliant or not). Then, he dove into the tool and demonstrated the power of OSSEC through examples. The choice of two distinct sections was the right one: everybody was able to understand the product (managers as well as executives).

Before this meeting, I had very limited knowledge of OSSEC. For me, it was “just” a HIDS (“Host-based Intrusion Detection System“). But it can do much more interesting things! Using simple configuration files, it’s possible to set up basic event correlation. Example:

<rule id="100016" frequency="4" level="10" timeframe="180">
  <if_matched_sid>100015</if_matched_sid>
  <same_source_ip/>
  <description>Multiple snort alerts with the watched ids</description>
</rule>
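To make the rule's meaning concrete, here is an added Python model (not code from the post or from OSSEC) that parses the rule's attributes and replays constructed sample events, raising a level 10 alert for rule 100016 once four matches of 100015 from the same source IP fall within 180 seconds. The sliding window is a simplified approximation, not a reimplementation of OSSEC's correlation engine.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict, deque
from datetime import datetime

# The composite rule quoted above, with straight quotes so it parses as XML.
RULE_XML = """<rule id="100016" frequency="4" level="10" timeframe="180">
  <if_matched_sid>100015</if_matched_sid>
  <same_source_ip/>
  <description>Multiple snort alerts with the watched ids</description>
</rule>"""

def parse_rule(xml_text):
    """Extract the correlation parameters from an OSSEC-style <rule> element."""
    r = ET.fromstring(xml_text)
    return {"id": int(r.get("id")), "level": int(r.get("level")),
            "frequency": int(r.get("frequency")), "timeframe": int(r.get("timeframe")),
            "child_sid": int(r.findtext("if_matched_sid")),
            "same_source_ip": r.find("same_source_ip") is not None}

def correlate(rule, events):
    """Simplified model of the rule (not OSSEC's engine): fire once when `frequency`
    child matches arrive within `timeframe` seconds, per source IP if <same_source_ip/>."""
    windows = defaultdict(deque)  # group key -> timestamps of recent child matches
    alerts = []
    for ts_str, sid, src_ip in events:
        if sid != rule["child_sid"]:
            continue
        key = src_ip if rule["same_source_ip"] else "*"
        ts = datetime.strptime(ts_str, "%Y-%m-%d %H:%M:%S")
        window = windows[key]
        window.append(ts)
        while (ts - window[0]).total_seconds() > rule["timeframe"]:
            window.popleft()  # this child match is older than the timeframe
        if len(window) >= rule["frequency"]:
            alerts.append({"rule": rule["id"], "level": rule["level"],
                           "srcip": src_ip, "time": ts_str})
            window.clear()  # one burst -> one alert
    return alerts

# Constructed sample events: (timestamp, rule id that already matched, source IP).
SAMPLE_EVENTS = [
    ("2010-01-20 21:00:00", 100015, "10.0.0.5"),
    ("2010-01-20 21:00:40", 100015, "10.0.0.5"),
    ("2010-01-20 21:01:00", 100015, "192.168.1.9"),
    ("2010-01-20 21:01:30", 100015, "10.0.0.5"),
    ("2010-01-20 21:02:20", 100015, "10.0.0.5"),    # 4th hit from this IP in 140 s
    ("2010-01-20 21:05:00", 100015, "192.168.1.9"),  # 240 s after its first hit
    ("2010-01-20 21:05:10", 100015, "192.168.1.9"),
    ("2010-01-20 21:05:20", 100015, "192.168.1.9"),  # only 3 hits inside the window
]
```

Running `correlate(parse_rule(RULE_XML), SAMPLE_EVENTS)` yields a single alert for 10.0.0.5; the three hits from 192.168.1.9 never reach four inside one 180-second window.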

OSSEC is certainly not as capable as a true SIEM solution. It does not integrate retention policies for events and it does not collect events from many kinds of devices but, with the help of other tools, it’s possible to start an interesting log management solution at an unbeatable price. Example: the integration of OSSEC & Splunk. And once you’ve learned how to manage your events, why not switch to a real SIEM product?

Given the high number of questions asked during and after the presentation, it was really a nice topic! Well done Wim! I suppose the slides will be available on SlideShare soon.