Ever since the Iranian election demonstrators turned to social media applications, such as Twitter and Facebook, it appears as though every media outlet is calling anything that happens to touch, or think about touching, the Internet, “cyberwar”.
Being of the Jerry Springer and “One of these three soft drinks is poison, tune in at 11pm and we’ll tell you which one” generation, I understand why an eye-catching headline is used. Obviously you, the dirty media, want to drive people to your program/story/blog/cause but, in doing so, you’re perpetuating false information. If my father, who is retired Navy, heard the term “cyberwar” he’d immediately think of words like: military, attack, etc. and not words like: rally, demonstration, and so on.
Now, don’t get me wrong, I understand that the demonstrators in Iran are being brutalized. What people need to know, however, is that the demonstrations, support, or response cannot, and should not, be classified as “cyberwar”. If anything, the online support that is demonizing the election results should be classified as psychological warfare that, although a component of war, is not an immediate physical response.
The Wikipedia definition of psychological warfare hits the nail right on the head:
The U.S. Department of Defense defines psychological warfare (PSYWAR) as: “The planned use of propaganda and other psychological actions having the primary purpose of influencing the opinions, emotions, attitudes, and behavior of hostile foreign groups in such a way as to support the achievement of national objectives.”
Does this not more closely match what is happening right now? I think it does. Even though Wikipedia defines cyber-warfare as having a propaganda component, which can loosely be tied to psywar, I fear that too much emphasis is being placed on it.
True cyberwar, which has yet to be let slip, is still in its infancy. Just like cavalry warfare, trench warfare, and armored warfare, it has to be perfected – but that’s not to say that it isn’t being tested and polished on the world’s electronic battlefields.
For any media types who are thinking of using “cyberwar” as the basis for an article on what is obviously social dissidence and believers in democracy leveraging technology to spread information: please, think of the cringing security professionals trying not to vomit or have an aneurysm while reading your story.
P.S. If you want to understand what true cyberwar is going to be, check out the information on the new US Cyber Command being formed.
As many of you already know, I’ve accepted a security analyst position at the University of Lethbridge in Alberta, Canada starting in August. I fully expect to hear “You left Bermuda for Lethbridge???” about a million times between now and probably well into 2010. It was, however, a very strategic move for my career and my family life so I have absolutely no regrets about coming to Bermuda and leaving at this time.
So what does this mean? Well my day-to-day job will fall into the following 3 categories:
That being said, I have a feeling that the 3 categories will probably expand to other duties as time goes on and other challenges present themselves.
I’ll probably also see everyone at conferences with greater frequency…hopefully as a presenter. The University sounds very supportive of my presentation/paper goals, which is something I am quite happy about. They are also big supporters of training and education, for obvious reasons, and this should equate to more training opportunities. I also hope to blog more frequently and work on more personal projects (perhaps another book or two…maybe even a podcast). Only time will tell.
So wish me luck…it’s a big move back to Canada but I’m looking forward to it!
It looks as though my comments on OSSIM did not fall on deaf ears. They have, in fact, caused my comments to be lumped in with Anton Chuvakin’s and massaged into something that reads as “OSSIM is not a SIEM” and “OSSIM is too difficult for S/MB and not reliable enough for the Enterprise”. Ummm…alright. Let’s clarify a few things here:
In fact I was a big supporter of it early on but fell out of love with it when there was no visible progress over a 2 year period. I’m not blaming the developers, and I totally understand the Open Source ideals, but you can’t argue that a product is as good or better than a commercial alternative just because it is free and Open Source. To quote a Southern friend of mine – that dog won’t hunt.
No, I don’t believe it is (but am willing to be corrected). I see it as a great SIEM solution if you’re feeding it data from other Open Source products. Looking at the “collector” page, which lists the supported data sources, shows me that either the integration points are very generalized or the marketing material needs updating (for example, judging by the logos, it looks as though OSSIM can collect data from Microsoft Office and Netscape). If I were in the market for a SIEM solution and saw the “collector” page I’d be just as confused as when I started looking.
When I install a product, I don’t want to have to jump through numerous hoops to get it up and running. Back when I tried to install OSSIM I was sent all over hell and creation to find the required packages to get it up and running. This is not user friendly. Maybe I’m lazy…maybe I’m just too busy to screw around with a product to poke and prod it into working for me. Maybe this has changed since I last tried it but I’d need some serious convincing to go back.
Sure! I’m a big proponent of all SIEM technologies and would certainly open my mind to trying it again. I would, however, want to run it alongside a couple of enterprise SIEM solutions to see how it stacks up. I wouldn’t want to just evaluate the technology but would also like to see how the paid support stacks up against enterprise SIEM support channels.
Dom, If you’re up for the challenge, let me know 🙂