I’ve noticed a trend over the past 6 months: DDoS traffic associated with elections.  A quick sampling of news will show the following:

• http://www.opendemocracy.net/od-russia/irina-borogan-andrei-soldatov/kremlin-and-hackers-partners-in-crime <-Russia
• http://www.theregister.co.uk/2012/03/26/hong_kong_vote_hack/ <-Hong Kong
• http://www.theregister.co.uk/2011/12/07/korean_election_ddos_row/ <-Korea
• http://www.cbc.ca/news/politics/story/2012/03/27/pol-ndp-voting-disruption-deliberate.html <-Canada (rybolov: yikes!)
• http://www.csoonline.com/article/700523/ddos-attackers-target-russian-election-webcams <-Russia again

Last week it picked up again with the re-inauguration of Vladimir Putin.

• http://en.ria.ru/russia/20120506/173265737.html
• http://www.washingtonpost.com/world/europe/peaceful-protest-turns-violent-in-moscow/2012/05/06/gIQAFti35T_story.html
• http://english.ruvr.ru/2012_05_06/73954450/
• http://www.rferl.org/content/independent_russian_daily_hit_by_dos_attack_kommersant/24571463.html

And then yesterday, Ustream and their awesome response: which, in the Rybolov-paraphrased version read something like: “We shall go on to the end. We shall fight in France, we shall fight on the Interblagosphere, we shall fight with growing confidence and growing strength in our blocking capabilities, we shall defend our videostreams, whatever the cost may be. We shall fight on the routers, we shall fight on the load balancers, we shall fight in the applications and in the databases, we shall fight by building our own Russian subsite; we shall never surrender!!!!1111” (Ref)

Afghanistan Presidential Elections 2004 photo by rybolov.

So why all this political activity?  A couple of reasons that I can point to:

• Elections are a point-in-time.  It’s critical for one day.  Anything that has a short window of time is a good DDoS target.
• DDoS is easy to do.  Especially for the Russians.  Some of them already have big botnets they’re using for other things.
• Other DDoS campaigns.  Chaotic Actors (Anonymous and their offshoots and factions) have demonstrated that DDoS has at a minimum PR value and at the maximum financial and political value.
• Campaign sites are usually put up very quickly.  They don’t have much supporting infrastructure and full/paid/professional staffing.
• Elections are IRL Flash Mobs.  Traffic to a campaign site increases slowly at first then exponentially the closer you get to the day of the election.  This stresses what infrastructure is in place and design ideas that seemed good at the time but that don’t scale with the increased load.

So is this the future of political campaigns?  I definitely think it is.  Just like any other type of web traffic, as soon as somebody figures out how to use the technology for their benefit (information sharing => eCommerce => online banking => political fundraising), a generation later somebody else figures out how to deny that benefit.

How to combat election DDoS:

• Have a plan.  You know that the site is going to get flooded the week of the election.  Prepare accordingly.  *ahem* Expect them.
• Tune applications and do caching at the database, application, webserver, load balancer, content delivery network, etc.
• Throw out the dynamic site.  On election day, people just want to know a handful of things.  Put those on a static version of the site and switch to that.  Even if you have to publish by hand every 30 minutes, it’s better than taking a huge outage.
• Manage the non-web traffic.  SYN and UDP floods have been around for years and years and still work in some cases.  For these attacks, you need lots of bandwidth and something that does blocking: these point to a service provider that offers DDoS protection.

It’s going to be an interesting November.

• Keeping Up With the DDoS Kids
• DDoS Planning: Business Continuity with a Twist
• DojoCon DDoS Video
• The Rise of the Slow Denial of Service
• Apache Killer Effects on Target

Considering that it’s a secondary source and therefore subject to being corrected later in an official announcement, but this is pretty big.  Requiring the Departments and Agencies to consider cloud solutions both scares me (security, governance, and a multitude of other things about rushing into mandated solutions) and excites me (now cloud solutions are formally accepted as viable).

However, before you run around either proclaiming that “this is the death of serverhuggers” or “the end is nigh, all is lost” or even “I for one welcome our fluffy white overlords”, please consider the following:

• A “secure, reliable, cost-effective cloud option” is a very loaded statement very open to interpretation
• They already have to consider open source solutions
• They already have to consider in-sourcing
• They already have to consider outsourcing
• “Cloud” more often than not includes private clouds or community clouds
• Isn’t this just another way to say “quit reinventing the wheel”?
• Some Government cloud initiatives are actually IT modernization initiatives riding the bandwagon-du-jour
• Switching from Boeing, Northrup, and SAIC beltway bandit overlords to Google, Amazon, and SalesForce cloud overlords still mean that you have overlords

• Clouds, FISMA, and the Lawyers
• NIST Cloud Conference Recap
• FedRAMP: It’s Here but Not Yet Here
• Analyzing Fortify’s Plan to “Fix” the Government’s Security Problem
• Wanted: Some SCAP Wranglers

Ah yes, I’ve explained this about a hundred times this week (at that thing that I can’t blog about, but @McKeay @MikD and @Sawaba were there so fill in the gaps), thought I should get this down somewhere.

the 3 factors that determine how much money you will make (or lose) in a consulting practice:

• Bill Rate: how much do you charge your customers.  This is pretty familiar to most folks.
• Utilization: what percentage of your employees’ time is spent being billable.  The trick here is if you can get them to work 50 hours/week because then they’re at 125% utilization and suspiciously close to “uncompensated overtime”, a concept I’ll maybe explain in the future.
• Leverage: the ratio of bosses to worker bees.  More experienced people are more expensive to have as employees.  Usually a company loses money on these folks because the bill rate is less than what they are paid.  Conversely, the biggest margin is on work done by junior folks.  A highly leveraged ratio is 1:25, a lowly leveraged ratio is 1:5 or even less.

Site Assessment photo by punkin3.14.

And then we have the security assessments business and security consulting in general.  Let’s face it, security assessments are a commodity market.  What this means is that since most competitors in the assessment space charge the same amount (or at least relatively close to each other), this means some things about the profitability of an assessment engagement:

• Assuming a Firm Fixed Price for the engagement, the Effective Bill Rate is inversely proportionate to the amount of hours you spend on the project.  IE, $30K/60 hours=$500/hour and 30K/240 hours = $125/hour.  I know this is a shocker, but the less amount of time you spend on an assessment, the bigger your margin but you would also expect the quality to suffer.
• Highly leveraged engagements let you keep margin but over time the quality suffers.  1:25 is incredibly lousy for quality but awesome for profit.  If you start looking at security assessment teams, they’re usually 1:4 or 1:5 which means that the assessment vendor is getting squeezed on margin.
• Keeping your people engaged as much as possible gives you that extra bit of margin.  Of course, if they’re spending 100% of their time on the road, they’ll get burned out really quickly.  This is not good for both staff longevity (and subsequent recruiting costs) and for work quality.

Now for the questions that this raises for me:

• Is there a 2-tier market where there are ninjas (expensive, high quality) and farmers (commodity prices, OK quality)?
• How do we keep audit/assessment quality up despite economic pressure?  IE, how do we create the conditions where the ninja business model is viable?
• Are we putting too much trust in our auditors/assessors for what we can reasonably expect them to perform successfully?
• How can any information security framework focused solely on audit/assessment survive past 5 years? (5-10 years is the SWAG time on how long it takes a technology to go from “nobody’s done this before” to “we have a tool to automate most of it”)
• What’s the alternative?

• Security Assessment Economics
• Split-Horizon Assessments and the Oversight Effect
• Security Assessments as Fraud, Waste, and Abuse
• The CyberArmy You Have…
• How to Not Let FISMA Become a Paperwork Exercise

Fun things happened yesterday.  In case you hid under a rock, the Intertubes were rocking yesterday with the thudding of fingera on keyboard as I live-tweeted the Senate Homeland Committee’s hearing on “Protecting Cyberspace as a National Asset: Comprehensive Legislation for the 21st Century”.  And oh yeah, there’s a revised version of S.3474 that includes some of the concepts in S.773.  Short version is that the cybersecurity bills are going through the sausage factory known as Capitol Hill and the results are starting to look plausible.

You can go watch the video and read the written testimonies here.  This is mandatory if you’re working with FISMA, critical infrastructure, or large-scale incident response.  I do have to warn you, there are some antics afoot:

• Senator Collins goes all FUD on us.
• Senator McCain grills Phil Reitinger if DHS can actually execute a cybersecurity mission.
• Alan Paller gets all animated and opens up boxes of paperwork.  I am not amused.

• Blow-By-Blow on S.773–The Cybersecurity Act of 2009–Part 4
• Blow-By-Blow on S.773–The Cybersecurity Act of 2009–Part 2
• Blow-By-Blow on S.773–The Cybersecurity Act of 2009–Part 3
• In Response to “Cyber Security Coming to a Boil” Comments….
• Blow-By-Blow on S.773–The Cybersecurity Act of 2009–Part 5

Some days I feel like all this “continuous monitoring” talk around the beltway is just really a codeword for “buy our junk”, much like the old standby “defense in depth”, only instead of firewalls and IDS, it’s desktop and server configuration management.  Even better that it works for both products and services.  The BSOFH in me likes having a phrase like “Near Real-Time Continuous Compliance Monitoring” which can mean anything from “tying thermite grenades to the racks in case of being captured” to “I think I’ll make a ham sandwich for lunch and charge you for the privilege”.

Anyway, our IKANHAZFIZMA lolcats have finally found a control worth monitoring:  the world’s supply of overstuffed cheeseburgers.  This continuous monitoring thing is serious business, just like the Internets.

• Federal Computer Week and S.773
• Metricon is Next Week
• Oh Lookie, Somebody’s Doing What I Said To Do….
• CISOin’ Ain’t Easy, But It’s a Living
• Draft of SP 800-37 R1 is Out for Public Review

Rybolov’s note:  Vlad’s on a rant, at times like this it’s best sit back, read, and laugh at his curmudgeonly and snark-filled sense of humor.

So there I am having a beer at my favorite brew pub Dogfish Head Alehouse, in Fairfax, when my phone vibrates to this ditty…. I couldn’t get past the “breaking news.”

From: <The SANS Institute>

Sent: Friday, May 28, 2010 4:05 PM

To:Vlad_the_Impaler@myoldisp.net

Subject: SANS NewsBites Vol. 12 Num. 42 : House attaches FISMA corrections to Defense Authorization Bill for rapid action

* PGP Signed by an unmatched address: 5/28/2010 at 2:52:21 PM

Breaking News: US House of Representatives attaches new FISMA rewrite to Defense Authorization Bill. The press hasn’t picked it up yet, but NextGov.Com will have a story in a few minutes. This puts one more nail in the coffin of the Federal CISOs and security contractors who think they can go on ignoring OMB and go on wasting money on out of date report writing contracts.

Alan

Yet another millstone (pun intended) piece of legislation passed on a Friday with… a cheerleader?!?!??? Whoa.

This ruined what was turning out to be a decent Friday afternoon for me…

My beef is this — I guess I really don’t understand what motivates someone who vilifies Federal CISOs and security contractors in the same sentence? Does the writer believe that CISOs are in the pocket of contractors? Even I am not that much of a cynic… Which CISO’s are “ignoring OMB?” All of them except NASA? Are all of our Government CISOs so out of touch that they LIKE throwing scarce IT dollars away on “out of date report writing contracts?” (sic.) (Vlad – Are hyphens too costly?)

I could drop to an ad hominem attack against the writer, but that’s pretty much unnecessary and probably too easy. I’ll leave that to others.

Suffice to say that what is motivating this newsbit appears IMHO to be less about doing things the right way, and more about doing things their way while grabbing all the headlines and talking head interviews they possibly can. (See “self-licking Ice Cream Cone” in my last post)

Yeah, I’m a cynic. I’m a security professional. What’s yer point?

• Next Up in Security Legislation: S3474
• No, FISMA Doesn’t Require That, Silly Product Pushers
• Ooh, “The Word” is out on S 3474
• In Other News, I’m Saying “Nyet” on S.3474
• HR 5983–DHS Now Responsible for Contractor Security