Thursday, November 25, 2010

Why everyone in infosec should do SABSA training

Last week I did my SABSA training and certification. I don't know how I went but I wanted to share the results of what I learned.

This post is long and I make no apologies for it. I wish someone had written a post like this before I started on the training. I didn't have anyone I could turn to or who could really tell me what it was about until I had done it (which was frustrating). I mean, I asked around but I didn't get an answer that really satisfied me. So I wanted to give the best writeup that I could to help explain it to any other like-minded folk in the field, or at least give my thoughts on what I walked away with. So here it is.

For the uninitiated, SABSA stands for 'Sherwood Applied Business Security Architecture' and it is a method for applying an understanding of the business you are securing. By understanding the business, you are able to build in security that is appropriate to the context of that organisation.

My career journey has taken some very bizarre turns. When I took up my last role, I wanted to move into focused pentesting (from a role where I did some pentesting) and instead wound up doing a combination of stuff - security management, security consulting and solution design and architecture. I got to oversee a bunch of pentesters, hire pentesters and be fairly involved, but it became a gradual divorce from the hands-on work (which I still miss sometimes, but other times I don't). But more to the point, I enjoyed what I was doing, although I think it took me some time to really appreciate it because it wasn't what I signed up for.

Anyway, as I came from more of a sysadmin/pentester background, I would look at project designs and how to break them (typical 'break' vs 'build' mentality). Reviewing security controls became a question of trying to be as thorough as I could, and an exercise in mentally threat modelling various ways to break the solution design.

I would look at different methodologies for security testing, I would think of solutions in terms of the OSI model and what security services were required (authentication, authorisation, auditing, etc). I looked at OWASP to ensure a stringent design process was followed. We used contractual arrangements to enforce our needs where we could. I'd spend time talking to the business and trying to spend more time listening than talking. I wanted to find out what their problem was and if I could address it. I also tried to keep up with all the tech (which is impossible once you get to this point doing this work, as something has to give).

But the whole thing seemed and felt really ad hoc. It was a case of finding what I could think of, springboarding ideas with my teammates and consistently asking myself "is this enough?".

I couldn't put a label on what I did exactly - but whatever it was - I was never aware of a methodology to help people like me doing the work I was doing. I became aware of architecture as a discipline owing to some good solution architects who heavily influenced my thinking, and became aware of Enterprise Architecture as a discipline and how good solution design can help drive strategy. However, that seemed great as an IT Architecture, or a Business Architecture, but nothing to help me in my discipline. I learned relatively quickly that pentesting was simply a way of measuring security effectiveness but, in and of itself, didn't offer me anything beyond some assurance. It was around then I started to drift away a bit from pentesting.

I became aware of SABSA in 2008 through a co-worker. We'd both found the SABSA book by David Lynas, John Sherwood and Andy Clark but neither of us really did anything with it. I think at a glance we had the same impression as everyone else. It looked great as a method but, seriously, how practical was this light and fluffy stuff? We both came from similar backgrounds and I think had very similar thoughts on applying architecture - this all looked like really high-level theory and not very practical. We were still interested in the book and how it applied, but we never got around to reading the book or doing the course.

Well, I finally started on that book earlier this year and got through most of it (3/4 I think). The course is an equally tough slog too. I consider myself pretty passionate on this topic btw, but after day 4 even the most passionate person will be tested I reckon!

As I went through the training I had an epiphany of sorts (actually I spent a good chunk of the weekend at Ruxcon ruminating about it too). Having read the book and seen some videos on architecture, I had some idea of how Architecture, as an IT discipline, worked. But this course really highlighted for me why SABSA is THE single most important training I have had in my field to date. I wanted to share what I learned and highlight why I think other infosec professionals - regardless of their role - should do it.

What I learned:
I learned that the often disparate array of compliance standards, ISO standards, architecture frameworks and so on need not be disparate. They can all integrate together. Once you understand the business you can begin to build that picture. The architecture frameworks (TOGAF, SABSA, Zachman, etc) are simply a "method of organised thinking". SABSA is the concrete which enables me to put all the other building blocks together.

Everything I know, have learned and will learn (not just security related) I can apply using this framework to build a security model for my clients based on re-usable architecture. The "architecture", however, is never complete. It is a living, breathing organism. Each project or each pass is an attempt to iteratively build up your understanding of the business. Each project is an opportunity to build upon those building blocks - re-use what you can or tailor to suit where appropriate. You never have a perfect "target". It just keeps moving. We've often known that security is a journey, not a destination - but seeing this through the eyes of an architecture framework is a very different thing. I think it's like trying to describe being a parent to someone who doesn't have kids. There's the difference between knowing the path and walking the path, as Morpheus would say. :)

From a technical viewpoint, I learned how to structure controls so that controls at the various OSI layers are not done in isolation from each other. That you can build concrete controls. You can even forgo certain controls, but not without an understanding of the potential consequences or the risk. I also learned to truly build re-usable, extensible security services. Moreover, I learned how they link back to business goals and objectives, which enables demonstrable return on investment and a realistic form of risk assessment (pretty much the best system for risk assessment I have seen to date).

In case people reading this think this is all high-level fluff, the guys who developed this were the architects for SWIFTNet (the system banks use to transfer funds internationally). Anyone who has heard of this or worked with banks will understand the importance of the system and the risks involved. As you go through the training, David Lynas (who is the main instructor globally - if not the only one I am aware of) will make clear his points through illustrative examples from throughout his career and using examples from other people's careers. As someone who had done this sort of work before, I found these some of the most educational points of the training, as I could relate them back to various situations of my own and either pat myself on the back for getting something right or mentally kick myself for thinking how I should have handled something differently.

I realise this is going on and on - but I really want to stress why I think this is worthwhile. I try to provide some context here based on a person's title/role or aspirations:

Security Managers/CISOs/CSOs
The SABSA framework integrates with just about every relevant standard or framework you can think of (ITIL, COBIT, ISO27000 series, etc) and provides a way of running security programs. It provides a method for delivering business-driven security services with measurable results and a PRACTICAL form of risk assessment (the most practical I have seen). The risk management framework and how to measure security will be worth the price of entry alone for you.

Security Designers/Architects
I think you'll come away with a similar view to myself and see how this ties everything in together. Management, penetration testing, security standards, compliance, risk, technical controls and how to integrate them all - in a practical method. You will enjoy the focus of building and creating at a truly enterprise level and your game will be taken to another level.

Penetration Testers/Security Analysts
Pentesters are a funny lot with their training budgets. Either they want to do an Offensive Security course or, for the more advanced ones, a top-notch Immunity course by Dave Aitel - or they are usually happy to spend their own time with a few books and play around with stuff on their own. Now if you fall into the latter category, you should definitely put it towards SABSA.

I mean, let's face it - you're not going to put the budget towards anything else, so why not learn how to review solution designs using a comprehensive strategy which will enable you to cover all the components? Why not learn how to link it back up to core business objectives? Truth is, that will not take away from your technical skills - why not learn how to engage with the business at a higher level?

The short answer is: if you haven't done the SABSA training, just get out there and do it. It will not take away from anything you have done to date. I can assure you it will only complement anything you do, regardless of what it is. And finally, I think it will really open your eyes in ways you hadn't considered previously. It won't solve world hunger and the "security problem" for good, but I will say that it is a damned good start. If more people in our field had done this training, I can honestly say that the world would be a safer place.

I hope this is useful.


- J.

Monday, November 22, 2010

Ruxcon 2010 & my talk: "No Holds Barred" Penetration Testing

EDIT: My Rapidshare link broke so I've resubmitted it using Google Docs.

Well my talk at Ruxcon is said and done. My slides can be found here.

Truth be told, it went better than I expected. I was worried that since I was not posting 0day code or providing a tool there would be no interest. I don't think anyone was more surprised at seeing a fully packed room than me.

What started out as a series of grumblings about my views on penetration testing today ended up being more clearly focused on client-side penetration testing.

I know plenty of consultancies are technically capable and some might even have done client-sides, but to the best of my knowledge I hadn't heard of any in Australia doing so. And if they did, they kept their cards very close to their chest. Or, more to my thinking - they have done it, but I think the repeatability might have been lacking.

Obviously a lot of this is just guesswork on my behalf and there was a limit to how much research I could do on this front - so a good chunk of the talk was based purely on my own experiences in the field as someone who has hired pentesters and is now working at a consultancy where we do pentesting (amongst other things).

One of my gripes is that we are lagging behind our competitors in the sense that we aren't actually doing client-side penetration tests (as a general rule) in AU, at least not on the scale that happens in other countries. I think this means that there is a significant gap in terms of the coverage and assurance that our penetration testing truly provides.

I want to raise awareness of this issue and really try to provide some suggestions on how both parties can lift their game and get more of these happening. How both parties can try selling the service, when it is appropriate, how to justify it in a business context, provide ROI (yes, it is possible), etc.

On Ruxcon, I have to say I was really impressed with the quality lineup, the registration, the management of the event - even little things, like the way the bar tab, the water, even the toilets were handled. Hell, even Black Hat @ Caesar's Palace ran out of water. What does that tell you?

The CTF ran flawlessly (barring minor performance issues which, compared to previous years, are trivial). If I had to come up with one gripe, it would be that the area in front of the bar was too small for the crowd and we wound up having to really yell to be heard, so I've subsequently lost my voice. I forgot to mention that I like the fact that despite corporate sponsorship, there was no blatant advertising, no "vendor streams" and no bias towards speakers who happen to work for sponsors. AusCERT, take note!

I've said it before but I must say it again - it was by far and away the best Ruxcon ever. If you have to pick one conference in Australia, make this your one.


- J.

Sunday, November 21, 2010

Ruxcon, SABSA and more random bits


It has been a while, but I will do a proper blog update soon. This week has been a build-up for me on a number of levels: I've been up in Sydney completing the SABSA training, trying to study for that, polish up my talk, then race back for Ruxcon. That and trying to sort out some admin issues with university meant I've been significantly under the pump and it all came to a head this week. So subsequently I've gotten sick and had to leave Ruxcon early (clearly I'm not up for this touring lifestyle).

I wanted to talk a bit about my talk, post the slides and some other odds and ends, so I'll be doing that in the next day or two.

But just briefly -

Ruxcon 2010 was the best year in the history of the conference. Props to Chris and the crew for organising it and for its success. It is very clear he's learned from the successes and failures of other conferences and avoided all the pitfalls. To the degree that I would overwhelmingly recommend, if you had to pick one conference in AU to attend, without a doubt, make it this one. I was very disappointed by AusCERT this year and I can safely say that I would not be keen on attending.

Secondly, the SABSA training really changed the way I look at architecture. This topic deserves a post in its own right and it will be forthcoming. I want to stress that this course is of benefit to ANYONE working in infosec -- I don't care if you are a pentester, a manager or an architect. David Lynas was able to really highlight how it all fits together with real-world examples.

I guess I had a kind of Neo moment (à la The Matrix) where I feel like I 'see' the code now. It is all a bit hard to explain right now (given my sinus infection) but let me just categorically state that this course, the book and the certification I believe to be strongly worthwhile. So go pick up a copy of 'Enterprise Security Architecture' by David Lynas, John Sherwood and Andy Clark. You will not be disappointed.

Anyway, I will update more soon, but as this is my first conference presenting, and with guys like Brett Moore, Billy Rios and Silvio Cesare presenting, it's an honor to be on the same list of speakers. I'm just grateful for the opportunity to speak. I sincerely hope that even if people disagreed with my views, some of the points made can be taken and leveraged in some way to gain better traction on client-side penetration tests.

I hope you all had a terrific weekend and enjoy what's left of the conference.

Best regards,

- J.

PS: My apologies to Daniel Grzelak. If you read this mate, I know I promised to be there (as you are speaking as I write this) but I am really not well. Sorry to let you down, but I know you'll kick ass.