You FAILED!

06May08

Lots going on these days personally and professionally.  At work there are just too many battles to list, but what else is new right?  On the home front I’ve got the yard prep for the kids playset that needs to be finished soon and a basement de-humidification project to handle.  Add on the other odds and ends that come with a wife and two young kids and there really just isn’t enough time in the day.

I left for work really early this morning because I need to leave early so that I can wield a chainsaw in the backyard.  We have some sizable trees that need to be cut back so that we can put the playset where we want it.  I was climbing trees with a bow saw this past weekend and made some progress, but that is some hard work…..so in comes the chainsaw.

So I cruise into the parking garage in no time since it is so early but realize that I left my access card at home.  That's what I get for leaving early and rushing out the door.  I could either wait an hour or potentially longer for a co-worker to show up, or I could call security and try to get them to let me in.  I'm not one for waiting so I gave a call over to security.

A woman answers and I explain that I am locked out and need access to company XYZ.  She then asks which entrance I am at and I tell her.  A few minutes later a security guard shows up and asks if I am the guy who is locked out.  He then asks which door (company) I need opened.  I point to the one for my company and he walks over and opens it.  He then asks if I need any other doors within the office open.  No thanks, have a nice day.

Mr. Security Guard….you sir have FAILED.  Your job is to SECURE, not open doors for anyone who asks.  No asking for ID, no confirmation that I actually work there, just a smile and a ring of keys and access cards.  Glad we have locks on the door when the nice security people will just come and unlock the door for you anyway?  Just another example of how you are only as strong as your weakest link.

A few readers have emailed me to find out if I was still alive because there have been no updates on the blog.  I am still alive though the past few weeks have just been a little crazy.  For those who care read on, for those who don’t skip this and wait for the next post.

After RSA I had a bunch of stuff to write about and most was already written so all I had to do was edit and post.  Easy enough.  However, after being out of the office for a week the pile of work to catch up on was large.  On top of that I was sick.  So working through being sick meant I was not 100% productive and when I went home I just wanted to sleep.

A week later I was feeling better and then really focused on getting caught up.  My head was down and I was spending a lot of hours working.  Plus spring is upon us and that means yard work.

This nice weather has also prompted the wife to push for a playset so the kid(s) can play out back this summer.  Lots of research went into this and just the other day I placed the order.  Good thing we got a sizeable tax return this year because this playset cost more than the KBB value of my car.  Yes, it is crazy to me that we are spending that kind of cash on a playset when I could tell the kids to climb some trees and maybe put a rope on a branch to make them equally as happy….but that is a story for another day.

The balance is coming back, so I hope to push out a few more posts this week to finish off my RSA coverage and then be back to my normal 2 or so posts per week.

Thanks for those who were concerned….will be posting again soon.

Dan

This session was a little more entry level than I expected but made some good points.  Had I not been living in the VM world for over two years this talk would have been much more enlightening.  The guys started by covering the WHY of virtualization and business justification which I think most of us have heard a million times by now. I was praying that it would get deeper.

Some points that were made on how to wrap better security around your VM environment:

  • Limit access to the systems
  • Harden the Host OS
  • Set resource limits to prevent localized DoS and similar attacks
  • Implement access controls (no remote root access, for example)
  • Disable unnecessary services
  • Ensure time sync is accurate; it is critical for troubleshooting and incident response.
  • Patch, Patch, Patch

If nothing else, take away that you should approach security in a virtualized environment the same way you would in a physical environment.  Many of the risks are the same regardless of how things are implemented.  If any of the concepts above are new to you, step back and take a serious look at how you are securing things today.  There are some additional concerns with VM environments, but unless you focus on securing the basics the advanced attacks are the least of your worries.
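To make the basics in the list above concrete, here is a small host audit script added for this post (it is not code from the talk or from this blog). It covers three of the items, access controls (no remote root over SSH), unnecessary services, and time sync, as shell functions that read plain text they are handed, so the same checks run against copies of files pulled from a real Linux virtualization host or against the constructed samples built inside `run_audit`. The service denylist, the sample files and the tolerance value are assumptions made for the example.

```shell
#!/bin/sh
# Added example: a minimal hardening audit for a Linux virtualization host.
# Each check is a function that reads text it is given, so the checks can be
# run against real configuration copies or against the constructed samples
# in run_audit at the bottom.

# Access controls: return 0 if the first effective PermitRootLogin value is
# not "yes".  sshd honours the first occurrence of a keyword, so a later
# "PermitRootLogin no" does not override an earlier "yes".  An unset value
# is treated as a failure because older OpenSSH releases default to "yes".
# Directives inside Match blocks are not handled (assumption: none present).
sshd_root_login_disabled() {
    value=$(sed -n 's/^[[:space:]]*PermitRootLogin[[:space:]]\{1,\}\([^[:space:]#]*\).*/\1/p' "$1" | head -n 1)
    case "$value" in
        no|prohibit-password|without-password|forced-commands-only) return 0 ;;
        *) return 1 ;;
    esac
}

# Unnecessary services: names that have no business on a hypervisor host.
# This denylist is constructed for the example; extend it for your own build.
UNNEEDED_SERVICES="telnet rsh rlogin vsftpd cups avahi-daemon bluetooth"

# $1 = file with one enabled service name per line (for example the first
# column of `systemctl list-unit-files --state=enabled` with ".service"
# stripped, or a trimmed `chkconfig --list` on older distributions).
# Prints each unneeded service found and returns 1 if any were found.
unneeded_services_enabled() {
    found=0
    for svc in $UNNEEDED_SERVICES; do
        if grep -qx "$svc" "$1"; then
            echo "enabled but unneeded: $svc"
            found=1
        fi
    done
    return $found
}

# Time sync: $1 = clock offset in seconds as reported by the host's NTP
# client (sign does not matter), $2 = tolerance in seconds (default 1,
# an assumption for the example).  Returns 0 when the absolute offset is
# within tolerance; correlating guest, host and IDS logs falls apart once
# clocks drift further than that.
clock_offset_ok() {
    awk -v off="$1" -v max="${2:-1}" 'BEGIN {
        if (off < 0) off = -off
        if (off <= max) exit 0
        exit 1
    }'
}

# Runs the three checks against constructed sample inputs and prints a
# PASS/FAIL line for each.  Point the functions at real files to audit a host.
run_audit() {
    dir=$(mktemp -d)
    # Constructed sshd_config: a commented-out "yes", then "no", then a late "yes".
    printf '# PermitRootLogin yes\nPort 22\nPermitRootLogin no\nPermitRootLogin yes\n' > "$dir/sshd_config"
    # Constructed list of enabled services, including one that should not be there.
    printf 'sshd\nchronyd\nlibvirtd\ntelnet\n' > "$dir/enabled_services"

    if sshd_root_login_disabled "$dir/sshd_config"; then echo "PASS remote root login disabled"
    else echo "FAIL remote root login allowed"; fi

    if unneeded_services_enabled "$dir/enabled_services"; then echo "PASS no unneeded services enabled"
    else echo "FAIL unneeded services enabled"; fi

    # Constructed offset of 0.004 s, the kind of value chronyc or ntpq reports.
    if clock_offset_ok 0.004; then echo "PASS clock within tolerance"
    else echo "FAIL clock drift too large"; fi

    rm -rf "$dir"
}

run_audit
```

The checks are deliberately read-only and fail closed: a missing `PermitRootLogin` counts as a failure rather than a pass, and the service check reports every match instead of stopping at the first, so one run gives the full list of things to fix. Resource limits and patch level are left out because they depend entirely on the hypervisor product in use.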

What are some of these other risks?  You do all of the above and have firewalls in place, an IDS, DLP systems, etc.  Why should you be worried about VM security?  Well what about Guest to Guest communication?  What about Guest to Host communication?  What about Host to Storage communication?  Are your security solutions going to see that traffic?  Nope.  Are they going to protect you?  You guessed it…..Nope.  If the traffic does not traverse the physical network, your physical security solutions will not be able to protect against it.

Something else that was good to hear other people saying is the risk of a user escaping the guest and accessing the host.  I've been talking about this for over a year, and most people have told me it is next to impossible.  Well these guys not only referenced that it is a possibility, but that it has been done before.  Granted, it did not create any major issues, but the fact that it can be done is something to think about.  If you needed a reason to run public facing VMs on a separate physical system from your critical business systems look no further (CVE-2007-4496).

I'm not saying that you need to avoid virtualization or that it is a less secure method of implementing services.  What I am saying is that you need to be aware of the pros and cons.  You need to stay on top of what the risks are and how to mitigate them.  You need to implement security not only on the guests, but on the hosts as well.  It will be an interesting year in this space; I look forward to seeing it all unfold.

Review of RSA

13Apr08

I'm still working on posts from a few sessions I attended but didn't want those to hold up my review post.  Check back soon for those.  If I were grading the RSA conference it would get a B.  Being that it was my first time attending I can't compare to prior years, but I had a good idea of what to expect.

Sessions:
While the sessions I attended were good I didn’t have a hard time deciding which to go to.  At a conference with so many sessions that surprised me a little.  I expected to be torn between a few sessions each slot but that wasn’t the case.  I thought some of the sessions lacked technical detail, being scaled back for the masses.  I guess that is a byproduct of RSA being more of a vendor conference…when is BlackHat again?  ;)

My other issue with the sessions was that people were getting closed out.  You should have to register for the session to be guaranteed a seat and if there are free seats from no shows then you allow people from the waiting list.  This could easily be done since they are scanning your badge at each session anyway.

Expo Floor:
Maybe I expected too much, but the floor was a little boring.  I must have seen 35 vendors pitching some form of USB authentication token, some the size of an iPod.  There were also new anti-SPAM vendors.  What are we back in 2001?  Not only were they here….but there were claims of guaranteed 99% and 100% blocking with ZERO false positives.  I call BS on that.  The other disappointment was the lack of knowledge by vendors about what THEIR company did or how they did it.  I understand that not all booth workers will be able to talk in depth about a product or service, but having a clue would be good.

Networking:
Here is where the conference exceeded my expectations.  I was able to meet and hang with some incredibly bright and fun people.  It was a good reality check to be chatting with others across multiple industries and find them to be facing similar issues/roadblocks.  I have already been inundated with LinkedIn requests, which is a good problem to have.

Parties:
ROCK ON!  As I expected, my liver was not ready for RSA.  I have the occasional glass or two of vino but that is usually about the extent of my alcohol consumption.  It was basically free food and drink every day and every night.  If I don’t have vodka or tequila for a while that will be fine with me.  I’m happy to report the late night parties did not stop me from attending my 8am sessions, but there were some obscenities targeted at the alarm clock each morning.

Summary:
Would I do it again, absolutely!  Anytime you can get that many people together from the tech sector good things will come of it.  Like most things in life, it is what you make of it.  You could easily just attend the sessions, walk the floor and go home but that is only a subset of the conference.  I interacted with speakers, vendors, and fellow conference attendees.  That is where I gained the most from RSA.

Wednesday night was the much anticipated Security Bloggers Meet-Up sponsored by Fortinet, Microsoft, and StillSecure.  One of the organizers was actually worried that no one would show up…..she had nothing to worry about.  The place filled up quickly and there was never a lack of people to talk to.

Like my earlier post stated, I was excited to meet a lot of the guys I only communicate with via email or blog comments.  It is nice to put a face with a name.  There were some people I didn’t connect with so I apologize if one of them was you.  You can take the geek out of the conference but we are still geeks so there was a lot of conversation about security that got more interesting as the free drinks flowed.  Talking about compliance after a few hours of open bar is always interesting.

In addition to meeting all these people, Martin McKeay and Rich Mogull were doing a live podcast from the event, pulling people in for mini interviews.  I’m not sure if the podcast was fully recorded and posted or not because Martin mentioned some technical difficulties, but you should check.

Props to all the organizers, especially Jen Leggio, who was stressing over the event for a while and from what I understand did a lot of the work.  Everyone I spoke with had a great time!

Here is some other coverage of the event, if you want to be listed send me the link: