Interview hakin9 2/2007
Be aware
Interview with Matt Jonkman
We present the interview with our columnist, Matt Jonkman. Matt has been involved in Information Technology since the late 1980s. He has a strong background in banking and network security, network engineering, incident response, and Intrusion Detection. Matt is founder of Bleeding Snort (www.bleedingsnort.com), an open-source research community for Intrusion Detection Signatures and much more.
hakin9 team: Who is Matt Jonkman? Please introduce yourself to our readers.
Matt Jonkman: I'm a mild-mannered security consultant and penetration tester by day, and the founder and lead maintainer for Bleeding Edge Snort. I've done security mostly in the telecommunications and banking industries throughout my career, from very small to very large organizations. I'm from the US; I grew up on a farm in Indiana.
H9: What can home Internet users do to protect themselves from today's threats?
MJ: Become aware! Understand that your Windows PC should NEVER be exposed to the Internet. There should always be a NAT router or firewall. And read up on the security features of whatever networking devices you purchase to get online.
Update your computer! Apply the patches as soon as they're available. It's safe to do so, and very important.
Be skeptical! Don't trust every email that shows up, and don't click on a link just because it looks OK; hover over it and make sure. If you have any doubt, go to your online banking site as you normally would and log in that way.
But most importantly, don't use Internet Explorer! IE7 may be better, but IE6 and prior are so full of holes that haven't been patched that it's just not safe to browse any site. I personally recommend Firefox, but there are plenty of other very good and free browsers, and most have a much richer set of features than any MS product!
H9: What is the key area you feel companies need to improve on in terms of their Information Security in the next couple of years?
MJ: Awareness and policy integration. They're slightly different subjects, but related. By awareness I mean knowing what's coming at your firewalls, who's port-scanning you, where your internal users are surfing, and what vulnerabilities exist in the software you run. Where the policy integration has to come in is with the management staff understanding the threats the organization is facing, as well as the risk and likelihood of them occurring.
No organization will EVER be 100% secure, but it has to be a management-level decision which risks to accept and which to spend the money to fix. As much as we'd like to think so, those of us in the IT and security groups don't generally understand the big picture of a business, nor which parts are truly most important. The decisions about which risks to accept and which to mitigate must be made with the big picture fully in focus.
H9: What would you say has been the single best innovation, development or improvement in information security in the last couple of years?
MJ: I have a two-fold answer there. The best technical innovation has been the maturing of IPS and IDS. They started out as experimental, slow, and far too risky to use for automated blocking. Now they're a standard technology that has incredible benefits in the hands of an experienced security team.
But I think the most important development in security has been a significant start to management teams understanding that security is a part of daily operations, and can be a significant benefit. In the US this has been driven by more stringent regulations and auditing for many companies, but it is becoming evident the world over.
H9: What do you believe is the greatest weakness or failure of existing security technologies or solutions?
MJ: Misuse. Nearly every technology has a benefit, or it'd likely not exist. Where they become problems is when they're deployed in a way not intended, not monitored adequately, or not deployed correctly.
What we have to solve in the next few years is getting all of the disparate technologies integrated and working together, so we can truly say “Here's a little black box. Install it and you're safe.” Security has to become that integrated, that automated, and that reliable. It just HAS to, or computing will become too risky to do online, setting us back 50 years.
H9: Do you think open source security tools are, or can be, viable in an enterprise?
MJ: Absolutely! I've made a career of it. They do require an experienced staff. 90% of the horror stories you hear of a Snort install failing, or a Squid proxy being removed, were from it being deployed or managed by someone that did not understand the technology.
There are open source projects that can fill nearly ANY security function in an enterprise. But they require experience and learning. That's not to imply that every commercial product will just work out of the box and can be deployed by someone that knows nothing. But an open source project requires just a bit more. That's a good thing though, because you'll learn more on the open source side, thus giving the enterprise a much more experienced team once the deployment is done.
H9: Why is Snort called the most widely deployed intrusion prevention technology worldwide?
MJ: Snort is a part of things you'd never imagine. There are hundreds of commercial products that use Snort as their engine. Snort is reliable, open, easy to use, and has a gigantic community supporting it and writing signatures. There are few managed IDS providers that DON'T use Snort. And there are few IDS experts that didn't start with Snort.
The fact that Snort is free and relatively easy to get into makes it the default platform to learn on, and the Snort signature language is the de facto standard language that all security experts speak. There are few IDS products that can't accept or translate a Snort signature into their own language.
In short: it's free, it's good, it's modular, and it's free. :)
H9: There's been some debate recently on the value of the open source community to a product like Snort. While the popularity helps the product, some say the community doesn't contribute as much as it seems. What's your response?
MJ: That is a concern we've had at Bleeding Edge Snort. We have a core of signature contributors that are generally in the industry doing this for a living. I would very much like to see more 'amateur' signature submitters, but I think many are scared off because of the number of folks who submit who are giants in the field. I hope anyone that's considering submitting a signature or idea realizes that we go to great lengths to make sure that no idea is made fun of or put down. Most of our truly innovative ideas came from some guy in some dark corner of the community who had been tinkering with Snort for 2 months. That fresh view of things is what we need, and with declining participation we miss more of those ideas every day.
But it is definitely true that in the Snort community the majority of contributions come from a small group of people. That does not make the project less valuable, nor does it make starting a project like this less attractive. Perhaps another way to look at things is that since Snort is running so well there is less need for the community to be extremely active.
Maybe a good test will be the upcoming Snort 3.0. It promises many significant changes, and surely a good number of bugs and ideas that will need to be adjusted. I would bet we'll see a large part of the community step up and help, contribute, and chip in ideas and testing.
H9: What do IT shops use instead of Snort, and why would Snort be a better option?
MJ: There is a wide range of IDS/IPS products available; I can't begin to mention them all. And we can't even divide them up by open and commercial, as a good portion of the commercial products out there are Snort-based as well.
Why is Snort a better option? It depends on the environment and experience level of the IT staff. Snort is very flexible and powerful, and has a very extensive signature base. But if a local staff cannot afford the time to manage those signatures, or react to the incidents properly, then a commercial system (that includes training, support, and automated signature management) may be a better answer. I would add, though, that a 'black box' solution may be a better solution in the short run, but in the long run you'll end up with escalating licensing costs and an IT staff that is not learning a thing about security and their network. A benefit of Snort is that you HAVE to learn about your net and your apps to run it. That benefits everyone!
H9: What capabilities does Snort have that might surprise or be underused by IT managers?
MJ: Good question! I think the most underused aspect of Snort is applying signatures to find things that are not directly security related. If it happens on the network, Snort can tell you about it. I say that over and over again to clients and students. We've used Snort to help find how many users were moving to a new application, or when a particular UPS was rebooting without logging, or to generate alerts at night when automated network-based surveillance cameras saw motion (but the built-in monitoring console was not able to generate an alert). The possibilities are endless, and it's important for security engineers to open their minds and embrace the rest of their organization to make this tool available to all.
H9: What do you see as the most critical and current threats affecting Internet-accessible websites?
MJ: The speed at which vulnerabilities surface and are exploited. I especially feel sorry for mass web hosting outfits. There's just no way they can be sure that none of the thousands of sites they host are running vulnerable apps or code.
The same applies to a company hosting its own site. If you write your own code, make SURE a third party reviews it on a regular basis, even if the code hasn't changed. The vulnerabilities have.
And run one of the products that can help prevent unknown attacks, like Apache's mod_security.
H9: What is the most common mistake admins make in handling intrusion detection systems?
MJ: Not monitoring them. Too often someone asks to get Snort installed, the admins do so, and then forget about it. Snort doesn't make decisions. Snort is just a lead generator. It will find leads that the security staff must follow up on and act upon. And this HAS to happen 24 hours a day. In a global world there's no such thing as after-hours. There's always someone up and looking to attack.
H9: Do you find proprietary software or open source software to be more secure nowadays?
MJ: I don't know if the statistics support it, but I find open source software gives me the best peace of mind these days, and is thus the more secure.
I say that because there are far too many incidents where a commercial app's vulnerabilities are swept under the rug, quietly patched in normal patch cycles, or not patched at all. Whereas in the open source world things are found, and if they're not patched you can do it yourself. If the project is no longer supported but is useful, someone will take it over and handle those vulnerabilities.
But most important is the speed to patch. The open source world generally has apps that do singular tasks, and thus testing a patch is as easy as seeing if it still does this singular task. Most commercial apps are too large to quickly test, and too integrated into the OS to test completely.
H9: Does Snort work well with any commercial database?
MJ: Absolutely! I've personally deployed many Snorts going to Oracle as a backend. I prefer MySQL as a backend as it doesn't require the DBA expertise Oracle does (nor the cost). But when that expertise is available and the licensing costs acceptable, Oracle makes for a VERY fast and effective Snort install.
H9: What tools, particularly open source tools, work well in conjunction with Snort?
MJ: The first tool you HAVE to consider with Snort is SnortSam (www.snortsam.net). This allows you to use Snort to send blocks to nearly any routing or firewall device, thus making an instant IPS.
BASE is an excellent event viewer, and for the more technically adept, Sguil is the cream of the crop.
H9: What are the most important steps you would recommend for securing a new web server? Web application?
MJ: Code review. You can throw Nessus and Nikto, all the standard scanners, at it. But unless the code is audited you can never be sure that a human can't find a chink in the armor.
H9: And for the end, what advice would you give to people starting to learn about intrusion detection?
MJ: Deploy it! You can read all you like, but you won't begin to learn until you try to build and manage an install. Start out at home, watch the crud that is always coming at you, and watch where your kids surf. The knowledge you gain in tuning a ruleset and deploying a sensor is invaluable.
Once you start seeing the challenges in deploying, then you can begin to formulate the questions you need to answer to begin learning. Reading is a start, but it won't mean much until you try it.
Thanks for the interview, it's been an absolute pleasure!
Interviewed by Ewa Samulska