Security Implementations & Scaling

I have been doing Information Security for a decade and a half, and there is a disturbing pattern that to this day has not abated. That pattern involves more of a philosophy than the actual scaling you would need to do when designing a security solution for an organization. The scaling law I’m talking about is one that is usually recognized too late in the implementation process, namely in the post-production phase of a project.

What I’m referring to is the amount of output you have to deal with as a result of implementing a security solution without considering the resources necessary to manage it and the business processes that need to accommodate this reality.

One of the best use cases that demonstrates this phenomenon is the implementation of a Data Loss Prevention (DLP) solution for an enterprise. A typical DLP solution usually involves three main areas:

  • Data in Motion – Data that traverses the network
  • Data at Rest – Data that is stored on disk
  • Endpoint Data – Data that is typically read from and written to removable media

You have a number of approaches you could take. The most reasonable would be to focus on the one of the three areas that you consider vital and to scale the scope of the inspections down to a very specific set of criteria. Is this how most DLP deployments go? No; instead, usually all three are turned on at the same time and there is no scaling back of the criteria.

The result: more incidents and false positives than fleas at the Westminster Canine convention. Once this scenario is encountered you end up scaling back your efforts and lose at least 3 months of progress. So do yourself a favor when implementing a security solution and understand what your outputs are before they are produced.
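As an added illustration of scaling the inspection criteria back (my own example, not code from the original post or from any DLP product), the following Python compares a broad payment-card rule with a narrowed one over a handful of constructed sample records and counts the incidents each rule would raise:

```python
import re

# Constructed sample records (not real data): well-known test card numbers,
# look-alike identifiers (order ids, build timestamps) and benign text.
SAMPLE_RECORDS = [
    "Customer card 4111-1111-1111-1111 exp 12/26",
    "Order id 1234567890123 shipped",
    "Build 20240115093000 finished",
    "Tracking number 4111111111111111 for parcel",
    "Meeting notes, no sensitive data here",
    "visa ending 4242424242424242 cvv redacted",
    "Phone 5551234567 ext 12",
]

# Broad criterion: any run of 13-16 digits, optionally split by spaces or dashes.
CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")
# Narrow criterion additionally requires a Luhn checksum and a card-related keyword.
CONTEXT = re.compile(r"\b(card|visa|mastercard|amex|cvv|exp)\b", re.IGNORECASE)

def luhn_ok(digits: str) -> bool:
    """True if the digit string passes the Luhn checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 if d < 5 else d * 2 - 9
        total += d
    return total % 10 == 0

def broad_rule(record: str) -> bool:
    """Fire on any digit run in range: the 'turn everything on' configuration."""
    return CANDIDATE.search(record) is not None

def narrow_rule(record: str) -> bool:
    """Fire only on a checksum-valid number with card context in the same record."""
    for m in CANDIDATE.finditer(record):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits) and CONTEXT.search(record):
            return True
    return False

def count_alerts(records, rule) -> int:
    """Number of records the rule would turn into DLP incidents."""
    return sum(1 for r in records if rule(r))

if __name__ == "__main__":
    print("broad rule alerts :", count_alerts(SAMPLE_RECORDS, broad_rule))
    print("narrow rule alerts:", count_alerts(SAMPLE_RECORDS, narrow_rule))
```

On this sample the broad rule flags five of seven records and the narrow rule two; it is that ratio, multiplied by an enterprise’s daily traffic, that buries the team after go-live.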

Warfield’s Apologetic Error

One of the most important aspects of Christianity is that it is itself a complete system. Try to isolate any one component from the system and the system is no longer consistent. We see a good example of this expounded by Greg Bahnsen in his book on Van Til’s apologetic, in regard to B.B. Warfield’s method of apologetics:

“We thus see two things about the philosophical (epistemological) perspective which Warfield encouraged the apologist to take: it should be (1) outside of a commitment to Scripture and (2) in agreement with the right reason of the unbeliever; in a word, autonomous.”

Here we see two grave mistakes: first, that God’s authoritative word is not relevant at the outset of our dialogue with the unbeliever, and second, that the Scriptures themselves must bow down to the rationality of the unbeliever before they can be accepted. So right out of the gate the Christian apologist who takes this approach is already defeated, since the whole foundation on which he or she stands (the Holy Scriptures) is removed as the basis for the apologetic, and therefore it is just a matter of whose rationality is more convincing.

I hope you can see another danger in this approach: it is reduced to mere opinion and probability among many ideas. Of course this will fail from a pure reasoning standpoint with the unbeliever, because the unbeliever has become vain in his reasoning (Romans 1:21), and he cannot receive the things of the Spirit, because they are foolishness (1 Cor 2:14).

Let us remember that apologetics, just like theology, evangelism, and philosophy, is part of a single system derived from the single authoritative source of God’s Word.

Source of Quote: Van Til’s Apologetic – Greg Bahnsen

Python Script for Searching ExploitDB

So I was looking to clean up my Twitter favorites list, starting with the oldest one, dated from 2011. It was an article about using a Python script for searching the local ExploitDB instance on BackTrack. Of course it piqued my interest, and clicking on the source link directed me to a parked domain, a common problem with open source tools. After performing some Google-Fu, I found a copy and downloaded it to my Kali instance, and of course it didn’t work, as the path to ExploitDB has changed. After a trivial change to point it to the correct path, bingo, it works.

I have created a ‘Kali’ repo on my GitHub if you want to grab it, and I’m probably going to be making some updates to it over time.
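As an added example (my own, not the script from the original post or the one in the repo), here is a minimal Python searcher over the local ExploitDB CSV index that tries several candidate locations instead of hard-coding one path, which is exactly what broke the original script when the path moved. The candidate paths and the column layout are assumptions, and the sample rows are constructed:

```python
import csv
import io
import os
import sys

# Assumed locations of the ExploitDB CSV index on Kali and BackTrack; adjust to
# your system if your install puts it elsewhere.
CANDIDATE_PATHS = [
    "/usr/share/exploitdb/files_exploits.csv",
    "/usr/share/exploitdb/files.csv",
    "/pentest/exploits/exploitdb/files.csv",
]

# Constructed sample rows using the column layout assumed here; the real header
# differs between ExploitDB versions, so check yours before relying on it.
SAMPLE_CSV = """id,file,description,date,author,platform,type
1001,exploits/linux/local/1001.c,Example Kernel 2.6 - Local Privilege Escalation,2011-01-01,example,linux,local
1002,exploits/windows/remote/1002.py,Example FTP Server 1.0 - Remote Buffer Overflow,2011-02-01,example,windows,remote
1003,exploits/php/webapps/1003.txt,Example CMS 2.1 - SQL Injection,2011-03-01,example,php,webapps
"""

def find_index(candidates=CANDIDATE_PATHS):
    """Return the first index path that exists, or None if none is present."""
    for path in candidates:
        if os.path.isfile(path):
            return path
    return None

def load_rows(text):
    """Parse CSV text into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))

def search(rows, terms):
    """Rows whose description contains every search term, case-insensitively."""
    wanted = [t.lower() for t in terms]
    return [r for r in rows if all(t in r["description"].lower() for t in wanted)]

if __name__ == "__main__":
    path = find_index()
    if path:
        with open(path, newline="", encoding="utf-8", errors="replace") as fh:
            rows = load_rows(fh.read())
    else:
        print("No ExploitDB index found; using constructed sample rows.")
        rows = load_rows(SAMPLE_CSV)
    for r in search(rows, sys.argv[1:] or ["example"]):
        print(f'{r["id"]:>6}  {r["platform"]:<8} {r["type"]:<8} {r["description"]}')
```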

Christian Apologetics – Interpretation of Facts

From Van Til’s Apologetic by Greg Bahnsen:

As Van Til goes on to say, if one does not begin with some such general truths (universals) with which to understand the particular observations in one’s experience, those factual particulars would be unrelated and uninterpretable; i.e., “brute”. In a chance universe, all particular facts would be random, have no classifiable identity, bear no predetermined order or relation and thus be unintelligible to man’s mind.

I recently ran across what I consider a good use case for applying this principle of Christian apologetics. On the Reformed Theology G+ forum someone posted the following question: Do you accept the idea of objective morality? If so, what is your criteria for morality that isn’t subjective (open to interpretation)?

Christianity asserts that it is the law of God as revealed in the Bible. This is not a subjective response, as it is an assertion of a worldview and is not bound to a single subject or a few people’s opinions. Nor can we treat the question of morality like, say, the shooting average of LeBron James. The rules for interpreting facts about shooting averages do not conflict with opposing worldviews, but rest on a basic understanding of mathematics.

When we interpret the facts of morality we are dealing with transcendence, in that the object is not bound by space or time. For the non-theist who believes everything is essentially ‘matter in motion’, this is antithetical to the presuppositions by which he interprets reality.

So it is not simply a matter of providing an argument that isn’t open to interpretation; it comes down to how one interprets the facts that one is observing. And the method of interpretation is driven by one’s presuppositions.

Automating VirtualBox Snapshots

I depend a lot upon VirtualBox for my security-related research and testing. That being the case, I make a lot of changes to my VirtualBox VMs, and losing a given state and not being able to roll back to the last known good state would be very bad. Yes, you can take snapshots manually via the GUI or even by means of the CLI, but when you have over 20 VMs to manage this can be a pain.

This is where scripting comes in, so I built some simple Bash scripts to automate this process and have it run hourly via cron.

The first script simply outputs to STDOUT a list of all the VirtualBox VMs on the system:

    vboxmanage list vms

This will simply produce the name and UUID of each VM you have defined on the system.

Now to automate the snapshot process we simply craft something like:

    # List the VMs, then strip the surrounding quotes and the trailing {UUID}
    # so that VM names containing spaces survive intact.
    vboxmanage list vms | sed 's/^"\(.*\)" {.*}$/\1/' | while read -r vm; do
        echo "Creating snapshot for $vm"
        # Snapshot name is the VM name plus a timestamp (NAME-YYYYmmddHHMMSS);
        # stdin is redirected so vboxmanage cannot consume the VM list.
        vboxmanage snapshot "$vm" take "$vm-$(date +%Y%m%d%H%M%S)" </dev/null
    done

This will create a snapshot for each VM, named after the VM followed by a date/time stamp. Put this script in your crontab and you’re good to go.

Do We Now Need to License Digital Sermons?

Christianity Today has an article that expounds on T.D. Jakes’ decision to file a lawsuit against a rapper who referenced a portion of one of his sermons. To quote the justification for this:

“The “Holy Ghost” remix by Jeezy featuring Kendrick Lamar was produced without the knowledge or consent of T.D. Jakes, TDJ Enterprises, Dexterity Music, or its associated companies. We are taking the necessary legal actions to stop the unauthorized use of T.D. Jakes’ intellectual property.”

It will be interesting to see how the case actually works out in the courts; if it goes in Mr. Jakes’ favor, this could set a dangerous precedent for DRM, and in particular for SermonAudio. I think an important point of reference is that T.D. Jakes does indeed consider his sermons intellectual property that is not to be used without some form of royalty being paid out. This is disturbing, as we are instructed not to peddle the Word of God for profit:

2 Cor 2:17: "For we are not, as so many, peddling the word of God;
but as of sincerity, but as from God, we speak in the sight of God in Christ."

I would exhort pastors everywhere: if you’re going to license your digital sermons, please use the GPLv3, since as we have freely received, we should freely give.

Hope I don’t get sued over this blog post.

Assurance is not for Arminians

I have been reading through Thomas Brooks’ Heaven on Earth, and the book has been focusing a lot on the doctrine of assurance, so I thought I would share some tidbits.

“This precious truth thus proved, looks sourly and wishly upon all those that affirm that believers cannot in this life attain unto a certain well-grounded assurance of their everlasting happiness and blessedness, as papists and Arminians; all know that know their writings and teachings, that they are in arms against this Christ-exalting, and soul-cheering doctrine of assurance. ‘I know no such thing as assurance of heaven in this life’, saith Grevinchovius the Arminian. Assurance is a pearl that they trample under feet; it is a beam of heaven that hath so much light, brightness, and shining glory in it, that their blear-eyes cannot behold it.”

“Arminians are not ashamed to say, that God may crown a man one hour, and uncrown him in the next.”

So we see in this excerpt from Mr. Brooks’ work that what the Arminian professes is actually antithetical to the gospel and brings, if not bad news, then most certainly questionable news. From this we can see why the Roman Catholic church places such emphasis on purgatory: they have no hope of assurance without a meritorious work of penance that can never be completed, since only Christ was sinless; paying for offenses against an infinite God would take an infinite amount of time to satisfy, and that would never be met, and hence there is no hope at all.

What saith the scripture? In John 10:29, Christ says, “My Father, which gave them me, is greater than all; and no man is able to pluck them out of my Father’s hand.”

Notice that Christ assures the believer that salvation is not dependent upon the believer, in that God’s electing purposes take precedence over man’s efforts to earn salvation. This does not make man an autonomous robot requiring no action on his part; it just means that God’s grace is sufficient to secure the believer’s position in Christ.

Let the reader consider.

Am I Evil?

“And GOD saw that the wickedness of man was great in the earth, and that every imagination of the thoughts of his heart was only evil continually.” Genesis 6:5 (KJV)

Before I became a Christian I was a big heavy metal fan of Metallica, and one of their songs from one of their first albums was titled “Am I Evil?”

Years later, I am now a Reformed Christian and Calvinist, and I thought that this song, as bad as the lyrics are morally, does teach a fundamental Christian doctrine: Total Depravity.
So what is the definition of Total Depravity?