Archive for the ‘Musings’ Category

Quick thought: RSA next week!

February 26th, 2010

I have been insanely underwater for the last 2 weeks, so haven’t posted anything despite my best intentions. I am still buried, but wanted to post a short note about RSA next week. I will be there all week, and I’m looking forward to meeting up with everyone. I am still planning my agenda in terms of specific talks to attend, but at first glance there’s some awesomeness, and here’s what I want to check out just in terms of topics:

  • Data breach lessons learned: We need more “from the trenches” stories and data, and I personally will be looking for more of these.
  • Shifts in security technology: In particular, advances in DLP and movement toward application whitelisting and away from traditional “blacklist” AV.
  • Advances in virtualization and cloud: I would like to see some good, definitive solutions and thoughts here this year instead of mostly hype. I think I will, since I know things are progressing in the industry.
  • New directions in compliance and privacy/breach notification: Just to keep up, more than anything.

I’ll also be scouring the vendor area for good info – last year was wretched. Just nothing new or interesting that grabbed my attention, not to mention the lack of people at the conference in general.

See you there!

Musings

2010: A Security Odyssey

January 13th, 2010

So here we are. 2010 – a new, shiny year for things to be as %*# up as ever. <sigh>

OK, OK, that was pessimistic sounding. I do have some thoughts in general on this year in security. Here we go:

  • Compliance will be a hot topic again this year. PCI is growing (MasterCard Level 2 peeps, talking to YOU). HIPAA is being changed, legislators are looking at breach disclosure and other topics, etc.
  • DLP – love it or hate it – will get more mature and could become even more relevant with tie-ins to e-Discovery and compliance mandates. Trust me, I hate buzzwords more than most, but I think the notion of keyword searches and data fingerprinting has merit. It’s just early in the evolution.
  • Howard Schmidt will do almost nothing. Oh sure, he may *talk* and stuff…but I don’t see anything changing this year. The government is just way too bureaucratic and bloated to change quickly. Not his fault, but I don’t think he’ll be the infosec savior by any means.
  • Cloud computing will start to become more tangible, and we WILL have to secure that beeyotch.
  • On a related (sort of) note, virtualization security will leave the “Chicken Little” phase and assume a normal place as YAICTS (Yet Another Infrastructure Component To Secure).
  • We will have to really address some of the major “gray area issues” in security. For example, the whole PI license for computer forensics issue…WTF?
  • Please please please please PLEASE – can we stop being such geeks and embrace risk management as the cornerstone of information security? I’m all for packets, hacking tools, and the like, too…but businesspeople still look at security folks often times like the 17 year-old that still plays with Legos. We talk all this bullshit about wanting to be more accepted with business folks, but many of us don’t really walk the walk. And no, I do NOT think metrics are the answer. <shudder>.

Some other general thoughts (not security):

  • It is officially time to stop clipping your phone to your belt. You are not Batman. In fact, not even Robin.
  • All movie critics suck. Why do we listen to them at all? I, for one, do not need my movies to be deep and meaningful all the time.

And off we go.

Information Security, Musings

Security Mental Modeling

September 11th, 2009

Call me crazy, but it bothers me that information security is so “hard”. I know, I know, seems like we all say this, and we endlessly rail against the usual evils that make our lives suck on a daily basis: management doesn’t understand, infrastructure is too complex, the Dev teams don’t give a $*@#&, etc. And on. And on. I have lived this life – it’s easy to fall into the mindset of going to work each day with a frame of reference that looks a bit like this:

  1. I know my job. ***Whatever this may be***
  2. I know my organization. ***Politics, infrastructure, etc.***
  3. I know my team and their capabilities. ***Who does what***
  4. I know our tools and systems. ***Security-specific tools and systems like IDS, SIEM, etc.***
  5. I *think* I know what my problems are.

One thing that’s interesting, though, is that we almost never get to build or design a security architecture from scratch. We just keep adding on or changing the Frankenstein monster that is our security machine, and gradually build up the complexity of it all and lose at least some semblance of control. Ugh. Just for the heck of it, what if you could start with a completely blank slate? I’m not talking tools, just a mindset of how to go about things? At the most simplistic level, my mental security model would probably look a little like this:

[SecModel diagram]
Network Level: Create a policy based on “Deny All” and allow only what’s needed.

Host Level: Application Whitelisting and Configuration Management via imaging and policy controls.

Application Level: Secure coding and QA, with behavioral assessment and input filtering.

You’ll also notice an up arrow with the term “Behavioral Assessment” – this signifies the importance (in my mind) of behavioral analysis and comprehension as you move from Network -> Host -> Application. In other words, most important at the App, least important at the network. This is NOT to say that host and network behavioral analysis is unimportant, far from it. But as a starting point, I’d go with the App since we should be able to define the flow of business logic within it and then observe deviation.
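As an added illustration of the “define the flow, then observe deviation” idea at the application level (example code, not from the original post): a deny-all style allowlist of business-logic transitions, replayed over a constructed event stream. The checkout flow, its actions and the two sessions below are all made up for the illustration.

```python
"""Added example (not from the original post): an allowlist-based
business-logic flow monitor. The flow is defined up front and every
action not explicitly allowed from the current state is reported as a
deviation, i.e. the "Deny All" mindset applied at the application layer.
The flow, actions and session events are constructed for illustration."""
from collections import defaultdict

# Hypothetical checkout flow: each state lists the only actions a client
# may take next. Anything absent is denied.
ALLOWED_TRANSITIONS = {
    "start":       {"login"},
    "login":       {"browse", "logout"},
    "browse":      {"browse", "add_to_cart", "logout"},
    "add_to_cart": {"browse", "add_to_cart", "checkout", "logout"},
    "checkout":    {"pay", "browse", "logout"},
    "pay":         {"confirm", "logout"},
    "confirm":     {"browse", "logout"},
    "logout":      set(),
}


def observe(events):
    """Replay (session_id, action) events and return the deviations.

    Each deviation is (session_id, seq_no, state, action). A denied
    action does not advance the session's state, so later anomalies in
    the same session are still judged against the last legitimate state.
    """
    state = defaultdict(lambda: "start")
    deviations = []
    for seq_no, (session, action) in enumerate(events, 1):
        current = state[session]
        if action in ALLOWED_TRANSITIONS.get(current, set()):
            state[session] = action
        else:
            deviations.append((session, seq_no, current, action))
    return deviations


def summarize(deviations):
    """Count deviations per session, the figure an analyst would triage on."""
    counts = defaultdict(int)
    for session, *_ in deviations:
        counts[session] += 1
    return dict(counts)


# Constructed sample stream: session A follows the flow; session B jumps
# straight to "confirm" without paying (step skipping) and later tries
# to pay after logging out.
SAMPLE_EVENTS = [
    ("A", "login"), ("A", "browse"), ("A", "add_to_cart"),
    ("A", "checkout"), ("A", "pay"), ("A", "confirm"),
    ("B", "login"), ("B", "browse"), ("B", "confirm"),
    ("B", "logout"), ("B", "pay"),
]

if __name__ == "__main__":
    for d in observe(SAMPLE_EVENTS):
        print("deviation: session=%s seq=%d state=%s action=%s" % d)
```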

Now, of course we want change management and patch management and monitoring tools and all of that…but as a simple mental model? I can get my arms around this thing pretty well. So given that we don’t get a “RESET” button in security…how do we return to a simplified view of things and build from there?

Information Security, Musings

Random thought: Security Absolutes

September 6th, 2009

Over the last few years, I’ve really noticed a trend in security practitioners who tend to ask: “Are we secure?”

Good question.

The problem with this question is that it implies that an absolute answer is required. However, at this point we can all guess that an answer of “yes” is too ambitious, whereas an answer of “no” doesn’t take into account any protective/defensive measures we may have employed.

Security is, in my opinion, unable to accommodate absolutes. There is no black. There is no white. There is only gray. That then leads to the inevitable follow-on: how (in)secure are we? And that, of course, is a much harder question to answer. Much attention has been devoted to security metrics, and Andy Jaquith’s book on the subject is a hell of a good start. Lately, however, I’ve been doubting the ability of current risk management and metrics “best practices” to adequately frame the “current state” of our security and risk tolerance. Why?

Simple: Things Change.

Unless we’re measuring constantly and re-adjusting our concepts of risk posture, we’re likely to be (almost) always wrong. In its own right, this represents a series of absolutes. Every measurement we make, using your favorite metric or risk analysis measure (SLE, ALE, etc.), is a point in time. Thus, an absolute, albeit one that is measured and quantified in some way. However, how do we accommodate changes? How does a change in the environment impact the measurement we are relying on? I know products like Skybox and Redseal do “what-if” types of analysis, but I’m looking more at the big picture – how do we get a real idea of “how secure” we are? In real-time?

And yes, I know – this seems to be the stuff of unicorns and flying pigs, but I don’t want to be cynical or sarcastic forever. At some point, we need to get this right.

Information Security, Musings

Watching the Watchers…Redux

April 28th, 2009

Keeping an eye on those in power has always been a staple of relatively open governments and well-organized IT shops. Let’s focus on the latter, given that a discussion of the former could easily lead to rants. Visit EFF for more info on THAT area.

Keeping an eye on IT people with greater privilege levels has always been a challenge. Obviously, this could extend to NON-IT staff as well (Enron, anyone?), but in the information security division, we’re often dealing with abuse of privileges related to something or someone in IT. I really see four distinct levels of privilege monitoring that need to be considered:

  1. The System Level: This is the realm of SysAdmins, who actually manage systems and make changes to them. Often, these teams will have Administrator or Root privileges to groups of platforms.
  2. The Application Level: This level pertains to the DBAs and Developers of the world, who may have some degree of control over systems by extension of their control over the critical apps *running* on the system.
  3. The Network-Infrastructure Level: This level relates to the network “plumbing”, or pieces and parts that hold the environment together. Network admins fall into this category.
  4. The Backbone or Service Provider Level: Plumbing on a “macro” scale.

Most of us tend to focus in our organizations on the first three levels. We’re all using the traditional mechanisms to accomplish this, too – tools like “su” and “sudo” for *nix systems, UAC and “RunAs” for recent Windows varieties, and logs, logs, logs. Applications and network device OSs have their own mechanisms, too, most similar in nature to tools like “su” and “sudo”.

What about the backbone level, though? What can we do to exert “control” over what passes through? We’ve certainly got end-to-end encryption, but that may not be practical for everything. Simply monitoring Web browsing habits can reveal a lot about us, and much of this traffic is totally open. Recently, this very issue came up in Europe, as reported by BBC News. With all the talk about Cloud Computing, and sending more data and transactions outside our traditional IT infrastructures, we should all be concerned with what access people have to our private and sensitive data, habits, etc. Another issue: how do I know for certain that my private data is deleted after I request that it be removed from some Web site/service? All good questions. There are good and bad aspects of “watching” – for example, I don’t particularly care for my government spying on me (especially in the name of “anti-terrorism”. Sheesh.) But keeping an eye on those who are in positions of trust and authority? All for it.

Information Security, Musings

“Practical Intelligence” in Infosec

March 3rd, 2009

I recently finished reading Malcolm Gladwell’s latest book, “Outliers”. The book examines the reason why certain people and groups behave and perform in certain ways, or why certain events seem to happen to particular groups in disproportionately large numbers. Great book, fairly simple premise. I won’t dig much into the book’s conclusions, leaving that instead for the erstwhile reader.

One section really grabbed my attention, though. In a discussion of really smart people, namely Chris Langan and Robert Oppenheimer, Gladwell examines why they each ended up where they did. Langan, arguably the smartest man alive, is a nobody: he lives in some rural town on a farm, got no real higher education, and has bounced around doing various jobs his whole life. Oppenheimer, on the other hand, ran the Manhattan Project and is widely considered one of the true geniuses of our time. Both, however, are inherently brilliant by the scales we commonly use (the modern IQ test, for example). Both were also presented with some significant hurdles along their unique paths, and the truth of it is that Oppenheimer had far more serious issues to contend with overall.

However, Oppenheimer prevailed where Langan did not. In reviewing the individual cases, Gladwell points out that Oppenheimer had something Langan did not: “practical intelligence”. To quote from the book:

It is procedural: it is about knowing how to do something without necessarily knowing why you know it or being able to explain it. It is practical in nature: that is, not knowledge for its own sake. It’s knowledge that helps you read situations correctly and get what you want.

In short, Oppenheimer could deal with people. Read body language, interpret situations. Figure out the best story to tell to BS himself out of a jam. It’s more than common sense. It’s a learned ability to interact with people and manipulate situations to benefit us the most. How can we think of this in terms of information security?

I’ve been saying for quite some time now that people skills are inherently more important than pure technical skills for both advancing your career and getting the job of security done day-to-day. It’s time to revisit that. First, people promote people they LIKE. People hire people they LIKE. People also tend to want to surround themselves with people LIKE THEM. Get the point? If you are a total goober, who still thinks your soldering iron is your best friend, then a wake-up call is in order: your days are probably numbered unless you’re just absolutely at the top of your game and your technical skills are in high demand.

Second, getting the job of security accomplished takes some politics. It takes some ego stroking. Some subtle manipulation. That’s really true of all the best business “dealmakers” out there today. I’m not suggesting dishonesty, or a lapse in ethics. Just the reality that you can’t be a bull in a china shop and expect people to give a damn about whatever it is you’re saying. I meet way too many supergeeks in this industry, some with real technical skills, who think that’s going to get them ahead forever. I especially love the geeks who can only feel superior by challenging other geeks publicly and trying to denigrate those with a lesser degree of technical skill. These people are sorely confused about, well, lots of things. And they CERTAINLY don’t have any practical intelligence!

Consider a simple example. Just tonight on one of the SANS GIAC mailing lists I am on, a guy was debating the age-old struggle between the paranoid security guy and the user who wants to use Facebook a bit during the day. How do you handle this? Block all Internet? Only block some? This is really a totally open-ended question – the answer is absolutely “It Depends”. But working with business units and other organizational players may require some debate and tact. What if the CIO wants to use Facebook? Do you just stick to your technical guns and hope that works out? Errrr…..no. Probably not.

I am a geek. I love technical skills and topics, and read highly technical material voraciously. I constantly play with new technologies and techniques, convinced that this is important. And I really believe it is. But the skill I cherish the most? And the one I’ll be working on more than ever? You got it – my “practical intelligence”, or “dealing with people” skill. It will help me articulate security issues, explain my reasoning, and try to persuade people to see things my way much better than those obscure Unix commands ever will. :)

Information Security, Musings

Shack – Rejected!

February 10th, 2009

So today, I have the pleasure of seeing my first LinkedIn network invitation REJECTED. Now, let me explain why I am blogging about this. Because my feelings are hurt? Nah. I have pretty thick skin, so that’s not it. Why, then?

The reason, quite simply, is because I am NOT one of those people that just tries to get as many connections/friends/twitter followers/whatever as possible. I connect with people for two reasons:

  1. I have a bitch of a time keeping up with business cards and such, and I need some way of keeping track of people. Tools like LinkedIn have actually been a Godsend for me for this reason alone.
  2. Most of my interesting opportunities in life have come from my connections to people. In fact, I have only gotten ONE job or consulting gig from an advertisement or job site. Every other one has come from connections to people and industry groups and associations.

To make my point of why and how this is useful, I’ll refer the erstwhile reader to Guy Kawasaki’s blog post about using LinkedIn to find jobs.

So let me turn this to the infosec field I live and breathe. Our field is one of those that is a bit easier to find employment in at the moment, at least if you have some skills that are marketable. Most infosec folks I know are employed, though this of course is not an absolute. But folks – this doesn’t mean we can take this for granted. You should be looking to connect in some way with people you know, interesting people that THEY know, and others in your field that are related via industry groups. This is exactly what I do with LinkedIn – most of my connections I know or have met, some are just compelling or interesting people that have been introduced to me or have introduced themselves. I always check them out, make sure they seem to have some relevance to me or my field, and then typically connect with them if they do.

So I sent an invitation to a fellow instructor in this little training organization I work with. This is a small group of people, only around 50-60 folks in the whole world. This guy is international, and we’ve never met in person. But I clearly identified myself as being connected to him via this particular group, and I am sure he looked at my profile. And he declined to connect with me. Why? I’m not sure. I’m inclined to think maybe the guy’s just an uptight douchebag. Shocking as it may seem, this sometimes happens. :)

Regardless, to anyone reading this bit of drivel – my advice to you is simple: Don’t do this. If someone takes some initiative and tries to connect with you on a professional level, you should probably accept that invitation. Unless, of course, you’re a douchebag.

Humor, Musings

A lesson learned from Cirque du Soleil

January 27th, 2009

Really limber people

The family and I went to see Cirque du Soleil’s Kooza show on Sunday in Atlanta, and it was nothing short of amazing. I’ve seen one of their shows before, and it was also amazing, so I wasn’t surprised that the experience was phenomenal. I had a thought though (danger, Will Robinson, he’s thinking again!) while driving home. Just a musing, perhaps, but I always try to find parallels between everyday life activities and the information security realm that I dwell in so much.

The big epiphany I had is this – it’s all practice.

What do you mean, Dave? Well, in a nutshell, these people are just awesome at what they do. They perform under pressure, with thousands of people watching them, and their routines are complex. The tiniest slip can spell disaster for whole groups of performers, and so they have their acts down to a science. Of course they have talent, as well – perhaps just raw athleticism. But the fact of the matter is that they have gotten as good as they are by simply practicing fanatically.

What wisdom does this hold for us security folks? Well, here’s a challenge for you – what have you committed to being the best at? How much work do you really put into being the absolute best IDS analyst, malware reverse engineer, firewall administrator, log analyst, compliance guru, etc? Well, you won’t get there by just showing up for work every day. You need to practice. A LOT. What kind of home lab do you have? How much time have you spent on network platforms, just relentlessly hammering the CLI? Scripts? Got script fu? Why not?

The economic climate sucks. Jobs are getting hacked all over the place. Yet those who know they’re the best don’t worry about that. They’ll always have someone wanting to hire them. Why? Because they practice. That’s what gets you to the top, not just brains, not your incredible wit, and certainly not all those letters you plaster after your name. You can do it. If you don’t have “become the best at my profession” somewhere on your 2009 Resolutions, add it in. You can do it. </peptalk>

–Shack

Musings

New Peer-to-Peer Anomaly Detection Tools: Hmmmm…..

January 23rd, 2009

So once in a RARE while, I actually get something useful from the massive numbers of trade mags that show up at my house. You know, the ones you can get for free by saying that you’re an executive with a $100 million budget? :)

Network World tipped me off in the “GoodBadUgly” section to a new research project at the University of California at Davis. It uses peer-to-peer technology to detect anomalous behavior on systems, correlate it with behavior on other systems in the peer-to-peer network, and make decisions for active response with existing firewalls and IDS engines. Sounds kinda cool, right? Sure! My inner geek was curious, so I looked online and found an article with a little more detail at ComputerWorld.

On the surface, it sounds like a slightly more interconnected version of the Internet Storm Center (formerly known as DShield). Plus, the ability to interact with FW and IDS software based on some sort of behavior threshold reminds me of the Active Response functionality in Snort and other tools. Sounds cool. But…I’m bothered for a few reasons. Let me explain:

  1. In the article, it explains that “[t]he software would interact with existing personal firewalls and intrusion detection systems to gather data about anomalous behaviour…The software would share this data with randomly selected peer machines to determine how prevalent the suspicious activity was…”. I don’t know about anyone else, but I don’t want peer-to-peer software sharing IDS or FW details with other systems, especially random ones. This just sounds ripe for abuse.
  2. End users are not intended to modify the detection parameters. OK, I can go for that. But what about security geeks like me? A quote from one of the researchers just didn’t sit right with me: “We don’t want to have humans in the loop.” Huh?

So let me get this straight. I am trusting a distributed system that interacts with my known and trusted security tools (IDS, FW), sends data to random systems, and doesn’t let me interact or tune the detection engine. Anyone else having visions of HAL and SkyNet? Or am I just a paranoid dork?

Wait, don’t answer that. Happy Friday.

Information Security, Musings

The Most Inspiring Thing You’ll See This Week

January 15th, 2009

Love him or hate him, Tim Ferriss posts some really great content to his blog at www.fourhourworkweek.com. Check it out, you may enjoy reading some of his insights if you haven’t checked him out yet.

This post is short. Bottom line – Nick Vijicic is one of the most inspirational people I have ever seen. Want to put things in perspective? Check out this post and the video at Tim’s site here:

http://www.fourhourworkweek.com/blog/2009/01/12/nick-vijicic-get-back-up/#more-1064

Musings