Wednesday, 10 March 2010 01:30
One thing is evident from this year’s mega-security conference in San Francisco. The security industry is back with a vengeance. The show was packed with attendees and the expo floor was busier than I can remember in the last seven years I have attended. The reason? While economic downturns can curtail general IT spending and investments in upgrades and new technology deployments, they have little impact on the need for securing existing infrastructure. Cyber criminals prey on companies in good times and bad. Add to that the newfound interest in security from governments as they discover that they are under attack from their adversaries and you have a formula for a boom. Although I had an exhausting RSA this year (I met one-on-one with 48 vendors), my survey of the industry was not exhaustive. But I saw much to commend at RSA Conference 2010. Here are my choices for Best of Show RSA Conference 2010:
1. Astaro’s Red Box is the single most innovative product I saw. It is a little appliance that is drop shipped to a remote office. Once it is plugged in to the network behind the router it creates an SSL tunnel back to headquarters. It extends the corporate network to as many locations as desired. This leverages the investment in security at one location by extending it to many. It is simple and inexpensive at an MSRP of $299.
2. F5’s new enterprise Big-IP edge gateway is based on SSL as well. It uses the web application acceleration features that F5 usually deploys in front of web servers to allow faster access to those applications in a secure manner.
3. PhoneFactor, a young company based in Kansas, has introduced strong authentication via SMS to add to their existing product that used voice authentication. The idea is not new (Estonia has been doing phone-based authentication for years), but the timing is right. Imagine a transaction authentication solution for your bank account. Every time you transfer funds or pay a bill online you would acknowledge a text message sent to your phone.
4. GreenSQL. While not officially exhibiting at RSA, the founder of this Israeli startup, David Mamam, was making the rounds. He introduced a database firewall that has been downloaded 75,000 times in its free form. The commercial version is a powerful solution that is affordable for the small to medium business.
5. Secunia, the premier vulnerability research company, announced an integration with Microsoft WSUS, making patching of critical vulnerabilities possible in quick and painless fashion.
6. Damballa has found that they are in the right place at the right time. Their focus on fighting botnets turns out to be just what people are looking for post Google-Aurora.

While cloud computing was the most hyped subject at RSA 2010, I saw the most development in authentication and extensions of protective capabilities in UTM solutions.
Privileged access management is gaining momentum; several vendors, including last year’s IT-Harvest Best of Show, Xceedium, were present.
The industry breathed a sigh of relief last week as they saw evidence that 2009 is behind us. I look forward to a busy RSA 2011.
Tuesday, 23 February 2010 02:49
Imagine what a cyber offensive capability would look like. Lots of discourse on US military uses of cyber attack has been bandied about this past year, but there has been no discussion of the actual tools. Sure, it is assumed that cyber espionage techniques are in use by all parties. But direct attacks to take down servers are limited either to DDoS, using bots or server farms to generate an overwhelming force, or to kinetic attacks that would take out fiber via dragging anchors or well-placed explosives. For a demonstration of a cyber weapon, fittingly named XerXeS after the warrior king of Persia, watch the video that J35t3r (Jester) put together and that Anthony Freed over at Security Island has published. The Jester has advanced his anti-jihadi tool-chest considerably with an interactive interface complete with animated heartbeat and exploding targets. The backend reportedly has been enhanced to use multiple source obfuscation techniques that hide the location of his attacking machine. I assume that the source will always appear different to the victim if they examine their logs. The autonomous aspect that allows him to set it up and let it run enhances his ability to cause havoc with his enemies, Taliban and other Jihadists actively using the Internet to recruit, train, and promulgate their anti-Western views.
This is the sort of tool that I expect will be used the next time war breaks out between two networked countries. Why bother inciting a crowd to pummel a target website, when it can be strategically taken down just at the appropriate moment? Attribution is carefully avoided using web anonymizers or redirectors. This type of attack against routers, programmable controllers for manufacturing and SCADA controllers, could be very effective.