Thursday, July 10, 2008

Information Security Jedi: Lightsabers

Over the last couple of weeks I've been making comparisons of the information security profession and the Jedi of the Star Wars Universe. I've talked about the Force, the Jedi, and the Sith. Today I'd like to talk about the primary weapon of the Jedi and the Sith, the lightsaber.

A lightsaber is essentially a laser sword that will pass cleanly through almost anything except for another lightsaber and certain exotic metals. It was used almost exclusively by people who were sensitive to the Force because it was not very easy to use. Without proper training the lightsaber could be fatal to the person using it. And even if the person was able to use a lightsaber without killing himself, it is hard to use effectively unless you have the reflexes of someone strong with the Force. With all of these limitations, you might wonder why anyone would use this weapon. Well, in the hands of someone who is well trained and strong with the Force, there is no finer weapon. It can slice through almost all melee weapons with no effort whatsoever, and it can be used to deflect blaster shots. A skilled Jedi could even throw the lightsaber short distances, making it into a ranged attack weapon. It was elegant, small, lightweight, and became the very symbol of the Jedi order.

The lightsaber was as much ceremonial as it was functional. One of the major tasks of a Jedi or Sith apprentice was to construct a lightsaber. The apprentice would spend a significant amount of time building the lightsaber hilt, selecting the perfect crystal, and using the Force to improve the efficiency of the device. The shape, size, and weight were often determined by the species of the owner and the style of lightsaber combat the owner favored. I'm going to spend some time in the upcoming weeks talking about forms of lightsaber combat, because that was what really sparked my interest in comparing the Jedi to information security professionals. For now, let's just say that there are different ways to use a lightsaber depending on your strengths, weaknesses, and goals.

For the information security professional, it is the tool kit that becomes his lightsaber. Think about it: you spend a great deal of time selecting which tools you want to assemble. Some of them are pretty standard, like nmap or Nessus, and others are more specific to the work you do, such as The Sleuth Kit. An information security professional carefully decides which tools he is going to master, which ones he will keep a working knowledge of, and which ones to discard. This becomes the lightsaber of the information security professional. It is this toolkit that will be used to defend the information of the organization.

Using the lightsaber of information security, our Jedi can redirect attacks that are aimed at them and, in some cases, prevent attacks from occurring just by making their presence felt. An information security Jedi will spend as much time practicing with his or her lightsaber as any Jedi did in the Star Wars Universe.

How does this comparison help you with your career? Remember that the set of tools you use is the very weapon of your trade. Work hard to master the utilities in your toolkit, and remember that you probably don't have room for everything. If you become a master with your lightsaber, you will find that you don't have to use it as much, which will help you advance in your career, and when you do have to use it you will be able to put down problems much more quickly.

As an example, I would point to my early days as a security Padawan. We had a worm spreading around our campus and we needed to eliminate it. As with most malware, Symantec antivirus was able to detect it, but wasn't doing anything to prevent machines from getting infected. I had one individual working with me who was much more experienced with the tools of information security, although IT security is not his full-time job. I attacked the problem by gathering a sample of the malware and installing it in an isolated virtual machine. I then used tools like Filemon, Regmon, and Wireshark to find out what the program was doing on the wire. I discovered that after a machine was infected, it would make a DNS request for a particular host. I then set up a rule in Snort to look for any DNS requests for that host and used the alerts to identify machines that were infected. My co-worker examined packet captures and looked for common elements among the machines. He determined that the worm was making use of a bug in VNC that was just under a year old. He then used nmap to scan our entire IP space for machines listening on the VNC port, and then ran the results through Nessus to find out which machines were vulnerable so they could be updated.

We each took a different approach to solving the problem, and while both were effective, his mastery of tools allowed him to put down the problem much faster and in a more proactive way. We were able to patch machines that hadn't been infected yet, which is always the best way to fix a problem. Thus his mastery of the lightsaber allowed him to eliminate an attack more quickly and also to prevent some attacks from happening at all.
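The two approaches above combine naturally into one triage step: hosts that resolve the worm's beacon name are already infected, and hosts that answer on the VNC port but have not beaconed are the ones to patch first. The script below is an added illustration, not code from the original post; it assumes a simple constructed DNS query-log format, a placeholder beacon hostname (the post does not name the real one), a constructed list of hosts that answered a scan of the standard VNC port (5900), and it goes slightly beyond the post by producing the "patch first" list as well as the infected list.

```python
import re

# Constructed DNS query log lines; format assumed: "<time> <client_ip> query: <name>".
# The beacon hostname is a placeholder, not the one from the actual incident.
DNS_LOG = """\
2008-07-10T09:01:12 10.20.1.15 query: www.example-campus.edu
2008-07-10T09:01:15 10.20.1.15 query: worm-beacon.invalid
2008-07-10T09:02:03 10.20.3.77 query: WORM-BEACON.invalid.
2008-07-10T09:02:40 10.20.4.9 query: updates.example-campus.edu
2008-07-10T09:03:11 10.20.3.78 query: worm-beacon.invalid
"""

BEACON_HOST = "worm-beacon.invalid"  # placeholder for the host the worm resolved

# Constructed result of an nmap-style sweep for the VNC port (5900): hosts that answered.
VNC_LISTENERS = {"10.20.1.15", "10.20.3.77", "10.20.5.200", "10.20.4.9"}

LINE_RE = re.compile(r"^(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3})\s+query:\s+(\S+)$")


def normalize(name):
    """DNS names are case-insensitive and may carry a trailing dot; canonicalize both."""
    return name.rstrip(".").lower()


def infected_hosts(log_text, beacon=BEACON_HOST):
    """Return {client_ip: first_seen_timestamp} for clients that resolved the beacon name."""
    seen = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        ts, client, qname = m.groups()
        if normalize(qname) == beacon and client not in seen:
            seen[client] = ts
    return seen


def triage(log_text, vnc_listeners, beacon=BEACON_HOST):
    """Split hosts into infected (beaconing) and exposed but not yet beaconing (patch first)."""
    infected = infected_hosts(log_text, beacon)
    exposed = sorted(ip for ip in vnc_listeners if ip not in infected)
    return {"infected": sorted(infected), "exposed_not_infected": exposed}


if __name__ == "__main__":
    result = triage(DNS_LOG, VNC_LISTENERS)
    print("infected:", result["infected"])
    print("patch first:", result["exposed_not_infected"])
```

A real VNC exposure list would come from nmap output and the vulnerable subset from Nessus, as the post describes; the DNS side would come from Snort alerts or a resolver's query log rather than the constructed lines here.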
