Archive for February, 2009

BS Filtering for CISOs: An Introduction

February 25th, 2009

After spending a good amount of time in the information security industry, I have come to realize that one of the most important concepts for a security professional is that of properly filtering noise and BS. For technical professionals running intrusion detection engines and firewalls, filtering noise is probably most important, since you want to pay attention to the events that matter. For management, let’s say CISOs specifically, you need to tune a different kind of filter: the BS filter. Since I’ve been a CISO, have talked to CISOs extensively, work with them now in multiple roles, train them with SANS, etc., I thought I’d start a little mini-series on the blog outlining some of the lessons I’ve learned along the way.

Today, I’ll start with an introduction to the topic – why is BS filtering so important, and what forms can it take?

Let’s start with why BS filtering is important. Intuitively, I’m sure everyone reading this knows that getting BS’ed is not a good thing. The fact of the matter, though, is that we all do it. The degree to which we BS people and allow ourselves to be BS’ed will vary, of course, but it’s just a part of life. This can range from a simple scenario like making an excuse for why you can’t go out for drinks with coworkers, to a serious CYA elaboration to prevent yourself from getting canned for being late on a project. Either way, we all do it. You can be the most honest person in the world, and you’ll still do some of it. It’s just human nature.

Why do CISOs need good BS filtering, though? For starters, it is the CISO’s job to manage risk in an enterprise. Period. A good CISO knows that managing information-centric risk and advising senior management are the top priorities, and it is just flat-out impossible to do this when you believe everything people tell you. Thus…you need some healthy paranoia and skepticism. I’ll emphasize the “healthy” part – no one likes a freak that inherently distrusts everyone and creeps around developing conspiracy theories, either. I meet quite a few ANNOYING security people in this category, and it does not surprise me that they don’t get invited to many parties. But a little healthy skepticism goes a long way in this business. Why? Because Michael Santarcangelo has it right – security is really a “people problem” at the end of the day, and people are always selling something: themselves, their projects, their opinions on security/risk/whatever. Being able to recognize when people are full of it, and to what degree, is a very valuable skill in determining how to manage risk in many cases. A few examples should help.

  • You are going to hire a new security analyst/architect/engineer. The resume looks stellar. This lady smiles, is fairly charming and pleasant, and can talk the talk. The primary job responsibilities are pretty technical in nature, but she has a bunch of certifications and lists every product and acronym known to man on her resume. Must be good, right? Bottom line – be skeptical. Her job is to sell you on hiring her. Do a thorough technical interview with other technical staff included, ask a few tough questions about specific technology or technical topics, maybe even do a little hands-on. I have caught more people full of sh*t in interviews than I care to recall.
  • That project manager (in many ways, the unholiest profession EVER, most IT people I know hate these folks) explains that there’s no need for a security review cycle to be built into Project X, because blah blah blah. That’s exactly how you should treat it, too – don’t let them snow you on this one.
  • The business unit manager explains that they need to buy Product Z to get the job done, and they are in a rush. This may not be BS, at least in his mind, but you should be skeptical and push a little deeper – can we review Product Z? Is there adequate time to test? Are there other reasons for wanting Product Z, and only Product Z?
  • A malware-related incident is underway, and you are hearing conflicting reports of how bad the damage is. Business unit says one thing, your security guy says another. These situations are tough – who do you trust? Common sense may say to trust your staff, but maybe you need this business unit as a political ally and you don’t want to just automatically alienate them. Most of the time, this situation can be facilitated by having the technical skills to cut through the jargon. If you don’t have enough technical acumen to understand at least the basic elements of the situation, you’ll get BS’ed in many cases.

There are a million more of these – people try to BS the security folks all the time. In future installments, I’ll walk through some specific case scenarios and give my <gasp!> opinions on how to recognize and properly filter the BS.

Categories: Information Security

Shack – Rejected!

February 10th, 2009

So today, I have the pleasure of seeing my first LinkedIn network invitation REJECTED. Now, let me explain why I am blogging about this. Because my feelings are hurt? Nah. I have pretty thick skin, so that’s not it. Why, then?

The reason, quite simply, is that I am NOT one of those people who just tries to get as many connections/friends/twitter followers/whatever as possible. I connect with people for two reasons:

  1. I have a bitch of a time keeping up with business cards and such, and I need some way of keeping track of people. Tools like LinkedIn have actually been a Godsend for me for this reason alone.
  2. Most of my interesting opportunities in life have come from my connections to people. In fact, I have only gotten ONE job or consulting gig from an advertisement or job site. Every other one has come from connections to people and industry groups and associations.

To make my point of why and how this is useful, I’ll refer the erstwhile reader to Guy Kawasaki’s blog post about using LinkedIn to find jobs.

So let me turn this to the infosec field I live and breathe. Our field is one of those that is a bit easier to find employment in at the moment, at least if you have some skills that are marketable. Most infosec folks I know are employed, though this of course is not an absolute. But folks – this doesn’t mean we can take it for granted. You should be looking to connect in some way with people you know, interesting people that THEY know, and others in your field that are related via industry groups. This is exactly what I do with LinkedIn – most of my connections I know or have met, and some are just compelling or interesting people who have been introduced to me or have introduced themselves. I always check them out, make sure they seem to have some relevance to me or my field, and then typically connect with them if they do.

So I sent an invitation to a fellow instructor in this little training organization I work with. This is a small group of people, only around 50-60 folks in the whole world. This guy is international, and we’ve never met in person. But I clearly identified myself as being connected to him via this particular group, and I am sure he looked at my profile. And he declined to connect with me. Why? I’m not sure. I’m inclined to think maybe the guy’s just an uptight douchebag. Shocking as it may seem, this sometimes happens. 🙂

Regardless, to anyone reading this bit of drivel – my advice to you is simple: Don’t do this. If someone takes some initiative and tries to connect with you on a professional level, you should probably accept that invitation. Unless, of course, you’re a douchebag.

Categories: Humor, Musings

Perception is Reality?

February 9th, 2009

A guy I used to work for in the infosec field (of course) was always telling me that “perception is reality”. In his eyes, you could win the political game within our company by simply putting up a good front. Even if we were totally screwed up within the infosec group, or didn’t know what was going on with a project, or didn’t have a plan, we could create the illusion of competence by proactively bombarding people with information, acting a little smug and pompous, and berating other people for not caring about security (dammit!)

Was this a sound strategy? No, this guy was generally a boob and I worked for him only a short time. However, it really did get me thinking about a few ways to interpret this in the infosec space.

  1. Just because someone talks a good game does not mean they know what the f*** they are talking about. Frankly, I personally believe that a number of the people floating around in the “blogosphere” who are billing themselves as “security experts” should STFU. However, many people seem to feel that “they blog, therefore they have kung fu”. Perception, at least for the unwashed masses, is reality. Because you’ll never KNOW whether that cool blog guy actually has kung fu or not. And he knows it.
  2. A more global one this time. Do you think that most consumers inherently believe that their data is safe with companies who have it? Or the opposite? I think most people just sort of trust that their data is safe. And then when there’s a data breach, the company apologizes, and we all think “oh, well, they’ll just get BACK to being secure and all will be well.” Hmmmm.

Let’s focus on #2 (#1 was pure rant). I had the pleasure of meeting and speaking with Michael Santarcangelo of Security Catalyst about two weeks ago. He and I had lots in common, and hit it off well. One major point we agree upon was the total lack of outrage (in other words, the general complacency) of the populace WRT data breaches and data security overall. TJX loses 90 million people’s data, and people are still shopping there with no issues at all. Did they actually lose any customers? What about all the other breaches? Does anyone really care? Who really feels the pain? Who assumes the liability here?

OK, OK, I know this is sounding like a rant here, too, but really it’s just a question of whether people’s skewed perception of data security (it’s not that big a deal) in essence leads to the reality that it ISN’T that big a deal. This runs counter to all the ranting we do as security people, and of course no one will ADMIT that losing data might not really have long-term impacts at the moment. I’m certainly not saying we should give up the fight. And this doesn’t apply to data like sensitive intellectual property, health data, etc. Mostly payment card data, which can almost be considered ephemeral in some senses. But I ask – does perception equal reality in this case? Why or why not?

Categories: Information Security, Rants

Weekend Round-up: Google Issues and a Sad-but-True Comic

February 2nd, 2009

Well, the weekend was not without PANIC (!!) and CONSTERNATION (!!). Saturday morning found me sitting at my desk, getting a little work done, and needing some information from the Oracle of the Internet. Looking for some info on Cisco switch commands, I was presented with a list of search results that were <GASP> all infected!!!

Imagine my sheer horror. The Internet was surely coming to a complete halt. Some evil mastermind had taken over all sites on the Web. Game over. To console myself, I went to Twitter to see who I could complain to at this early hour, and found that others were experiencing the same problem, albeit with a slightly lowered panic quotient. Hmmmm…the problem ACTUALLY could be Google, not a widespread evil plan to overthrow the Internet. Fast forward an hour, and Google was operating just fine again. Thank goodness!

The moral of this blurb: I am a pathetic little man. Losing Google for one hour actually caused me some frustration. You may not cook it in a spoon and inject it, or smoke it in a little glass pipe, but Google has successfully accomplished the Internet equivalent of addicting people to drugs. Ouch.

The next comment from the weekend is about a great old comic I saved from 2006 in Computerworld. I couldn’t find it anywhere online, so I scanned it in (apologies if it’s a little grainy; I tried to keep it small). Given that my name is, well…Dave, I absolutely love this one. Just remember, folks, every time you connect to a WiFi hotspot you don’t recognize, God kills a kitten.


Categories: Humor, Information Security, Rants