Thursday, February 14, 2013

Announcing RŌNIN: A Linux DFIR and PenTest Distribution

I am pleased to announce the release of a new DefendLink project entitled RŌNIN.

"From one thing, know ten thousand..." -Miyamoto Musashi

RŌNIN is a free Linux security distribution (based on Lubuntu) that provides a platform both for training and for conducting professional digital forensics, penetration testing, and incident response engagements.

The primary objective of RŌNIN is to offer a fast, lightweight Linux desktop that includes a curated set of security tools and resources useful to security professionals, instructors, and students alike.

RŌNIN has three main design goals that support this objective:

1. Enhance Continual Learning - RŌNIN brings a wide array of documentation, video lessons, and other online materials together in one distribution. By coupling the best tools with easy access to reference materials and training resources, this project promotes the development of concepts, tools, and techniques from a common platform.

2. Process-Driven Design - Professional security engagements are built around a well-defined set of goals, limitations, and deliverables. RŌNIN reflects this reality by placing tools into the process areas where they might reasonably be used. For DFIR work, the structure is built around a basic Collection, Analysis, and Reporting model, and for security evaluation the layout is built around the Penetration Testing Execution Standard.

3. Complete Work Platform - While RŌNIN comes loaded with security tools, it also provides popular Linux desktop applications so that it can serve as a viable primary work platform for information security professionals.


To learn more about the RŌNIN project, visit our website and/or download the latest release.
Thursday, February 7, 2013

Simple Answers to Security Complexity

One of the old adages in information security is that "complexity is the enemy of security". The reasoning behind this is simple. Complex systems are much harder to map out (large attack surfaces), are often very difficult to manage effectively, and the long-term behavior of a complex system is more difficult to predict reliably (vulnerabilities + fault conditions).

This adage is less an academic or philosophical statement than an observation borne out by more than a few (usually quite painful) professional experiences concerning the impacts of complexity. Given these experiences, one might assume that we've all learned our lesson and issued a declaration of "never again".

Except, of course, we can't really say this. Complexity is unavoidable amid organizational pressure to integrate, deliver, and leverage IT systems on ever shorter time horizons. However, IT specialists aren't the only ones feeling the brunt of this. Contractual, legal, and regulatory complexity is also growing to an all-time high. So much for simplicity, right?

Well, the truth is you can't manage complexity with even more complexity. Now more than ever, managing information security challenges requires a solid grasp of the answers to some deviously simple questions. The answers to these questions are fundamental, as they form a map of what really matters most. Three fundamental questions that must be answered are:
  1. What are the mission and goals of your organization?
  2. What does "security" mean in the context of these objectives?
  3. How can you consistently generate and demonstrate value in support of these goals?

The key element in each of these questions is understanding how the mission of your information security program fits into the "big picture" of your organization. There is a reason, however, why these are deviously simple questions. Finding the answers is a bit like assembling a puzzle. Your senior executives will have some crucial pieces, but you will discover that other key insights come from line managers and end users. Knowledge of the varied business operation requirements within your organization is also essential to identifying which pragmatic security trade-offs both protect and enhance your organization's capability to hit its targets.

Obviously, you build and refine this picture over time and continually adjust your security program commensurate not only with new threats and obstacles but also with the evolution of new goals and opportunities. Unfortunately, though, many put the cart before the horse. They attempt to deal with complex issues (the "how") before they've attempted to gain any insight into the basics (the "why"). Failure to address (and readdress) these simple questions inevitably leads to very costly and visible course corrections.

Dealing with these simple questions takes prioritization, patience, the ability to listen, and often someone who can bring a valuable external perspective. As always, the devil may be in the details, but someone has to be responsible for determining which set of details matters most.