Infosec Monogamy

August 1st, 2014 3 comments

swansI’ve been thinking a lot lately about how security professionals can grow their skills and experience most effectively. As someone who consults in large organizations, as well as runs training classes for infosec, I’ve long pondered what the right mix is to help people gain the broadest, most applicable knowledge and experience in the shortest amount of time. Personal motivation, self-study, and natural proclivity for certain types of work are all factors, of course. However, I do think there’s some general truths in how you go about acquiring jobs, working in those jobs for X length of time, and then moving on from those jobs to different ones.

From what I’ve seen, most corporate infosec jobs do not really allow you to explore a lot of new and different activities and disciplines. In other words, you start as a network monitoring staffer, you stay in that role, and you watch the traffic. Or, you work as a risk analyst or security architect, and you have zero chance of exploring things like vulnerability management or pen testing. And so on. This is not absolute. Some organizations I’ve worked in and observed really facilitate infosec team members moving in different directions and exploring new skill areas. On the flip side, some organizations are so understaffed that the security team does too MANY jobs, all of them somewhat haphazardly. Many organizations DO send people to training, but I see a lot of people come to SANS classes that are just learning something they’ll never do at work – pen testing in particular. A good 50% or more of my students in some conferences are learning pen testing because they think it’s “cool”, not because they have any hope whatsoever of doing it within their organization.

What do you value in a job? Aside from a paycheck, of course. If stability and a “comfort level” with your workplace is important to you, then you should stay in one organization for a longer amount of time. However, if you want to get real hands-on experience with a much broader variety of scenarios, tools, and disciplines, you’ll likely have to do a bit more “job hopping”. In some ways, I think infosec is vastly different from a lot of traditional IT, in that it is entirely different depending on where you are. Risks are different, politics are different, attacks and breaches differ, etc. Contrast this with an Exchange admin – Exchange is Exchange is Exchange, with some differences in integration and tweaks to make it work. I suppose the same could be said for someone whose infosec career is “tool focused”, like ASA firewalls or EnCase for forensics. But if you really want to learn more technical areas of security, and see more scenarios, I think you’ve got to move around a bit. One other reality is the “job rut” – people get burned out, and some organizations just don’t value security. That may also be as good a reason as any to get the hell on down the road to something new and different.

One argument I get is that “knowing the organization” is invaluable in security…and to some extent, I agree. But really more for defense than offense. If you want to be a great defender of ONE ORGANIZATION, then you’ll probably need to stay there for a longer period of time to really get the lay of the land. If you want to be a better pen tester or red team member, you’ll likely need to work at a number of different places, or go work for a consulting firm (at least for a while to get more broad experiences). Some very big companies I know have so much stuff for pen testers to assess that they get a lot of variety. But most are not this way. So in general, I’d say that defense and risk positions may be good fits for longer-term positions in one organization. But if you want to do offense, you may be better off moving around a bit.

In general, I think loyalty to an organization is somewhat overrated. Most aren’t really loyal to you – that’s an old mentality from the 1950’s. Getting a bit more and different experience is a better way to go, in my opinion. I’ve also seen a trend related to tools and products – they’re really only useful as resume fodder in the earlier stages of your career, with some exceptions. If your goal is to be a firewall jockey, then go for it. List all those hardware and software versions you spend time with, because they DO matter. But later on, especially for risk-focused positions, or architect jobs, this seems to be less important (unless you need really advanced skills with a complex technology like a particular SIEM, for example). If you’re in more management-oriented roles, moving to new jobs tends to be more based on your track record of success stories versus hands-on skills. Did you develop a sound program at company X? Successfully coordinate a data breach defense at Organization Y? And so on.

Just some observations I’ve had over the years.

Categories: Information Security, Musings Tags:

A Hacker Looks at 40.

May 29th, 2014 5 comments

40Wow. It’s finally happened – the fabled 40th birthday that everyone loathes. It’s upon me. At 40, I think you’re supposed to reflect back on what you’ve done, what you’ve accomplished, what’s been good and bad, and where the hell you’re going in life. Right? OK, this will depend largely on the individual, but 40 feels like a pretty damn good spot to reflect. Why not?

Some of you will say “40? WTF? That’s nothing.” And you know what? You’re right. 40 IS nothing. It’s been the most amazing ride so far, and things are only getting more interesting. So…a few observations on infosec, life, and the big picture. Warning: opinions ahead, and I get it if this is content easily skipped.

First, the industry we’re in. WOW. What a shit show. Who could have known what it’d turn into – I remember how I got into infosec, and never for a second thought it’d be this. So first, I was a fucking nerd as a kid. I wrote computer games in BASIC for the Commodore and Atari systems, most of which consisted of “What do you do? Turn left. Well, you die!” So yeah…game designer was out. I exploded shit in my basement as a kid with my chemistry set. I also took apart every electronic thing I could get my hands on, and *sometimes* put them back together. I was born to be a hacker, and that is all there is to it. So when one of my college professors hired me into a large Fortune 500 program, I had no idea what I was getting into, but security felt RIGHT. And today? Man, who could have imagined this?

I get bored easily. REAL easily. I need mental stimulation, and boring ass IT gigs sucked for me. Can you imagine being a day-to-day Exchange admin? That’s a “wake up in a cold sweat” nightmare for me. Day in, day out, Exchange. GAWD. So infosec? Yeah, it is volatile, and messy, and changes all the time. Thank goodness. I think change keeps you fresh, and this industry is just insane.

I miss some of the “old days”. I think it’s natural for some of us “old schoolers” who did infosec in the 90’s (or before). Back then, people had to innovate “solutions”, and actually understand sysadmin roles, technology, and maybe even code. Today, that is more rare than ever. We have pockets of brilliance…surrounded by an ocean of “just got my information assurance degree” bullshit that belies total lack of experience and real technical competence. Some of that is likely me being old and curmudgeonly, but damn…don’t talk security until you have done the actual work, or at least SOME of it.

So at 40 – how am I feeling about my infosec career and life in general? Let’s start with infosec, naturally. Infosec is the most incredible gift I could ever have received. All cynicism aside, it pays well, is dynamic, and more than anything…I love you people. Many of you are not just assholes, but FUCKING assholes. Some of us assholes NEED other assholes to hang out with. I love the vitriol, technical condescension, and pathetic attempts to deflect Twitter comments from your employers. You’re good company, and challenge the status quo…which is exactly what the industry needs. The ridiculous focus on all these stupid ass conferences? Not so much. But…you take the bad with the good.

What about life in general? Well, I’ll keep it short. I have far exceeded all of my wildest dreams. I have no real regrets at all, even though I’ve done some of the dumbest shit you’d ever hear about (most of which will remain private). I have an incredible wife and daughter, a few good friends, a lot of insane hacker acquaintances, and a good paying gig that I absolutely love. So all is well with the universe.

What advice could I offer? Heh. If you take advice from me…a big grain of salt should be involved. But in general, a few things I’ve learned along the way:

  1. Learn more. Constantly. If you are chillin’ with your skills from a few years back, no. Advance, learn more, or find a new gig. Infosec does NOT need dead weight.
  2. Make sure you have thick skin. If you are easily offended, or get worked up about critical comments and such, you need to toughen up. This is not an industry that cares about personal feelings. Good and bad, true, but it is what it is.
  3. Make as much money as you can. Seriously. Don’t be lulled into this “greed is bad, do it for the community” horseshit. You are in a very in-demand industry, and SOMEONE is going to make great money at it. Might as well be you. So do this.
  4. Do not make infosec your life. It’s a job. One you can, and should, enjoy SO MUCH. But your REAL life? That’s other things. If it’s not, you are putting all your eggs in one basket, and that directly defies some-or-another CISSP principle, I’m pretty sure. Seriously – get out more, explore hobbies, and think about the other part of your life that does not involve infosec. If there’s not one, you need to develop one.
  5. 1’s and 0’s are our work life. But step back. Look at the PEOPLE. Your family, friends. This is what matters most. Appreciate this more. Yes, you can.
  6. If your health sucks – change it. You cannot live a full and awesome life 200 pounds overweight and miserable. There’s nothing awesome about being a walking heart attack- and no, I’m not telling you to become a fitness nut. I am one, but that’s irrelevant. This is your LIFE. Your body lets you enjoy it. So take care of yourselves, people! I want to have a drink with you at DEF CON, and if you fucking die, that won’t happen. 😉

All in all, this hacker is looking at 40 with an incredible perspective on life. I’ve had severe highs and the most guttural lows along the way, but I would not trade my life for anything. I hope you feel the same. Cheers.

Categories: Information Security, Musings Tags:

“Back to Basics”: What does this mean?

May 25th, 2014 2 comments

B2BRecently, a pretty good-sized conference was held over in Europe called Infosecurity Europe 2014, and quite a few people I know were attending or speaking there. Two colleagues at SANS, James Lyne and Dr. Eric Cole, were both in attendance and talking to the press. At some point during their respective chats, both mentioned the idea that we should “get back to basics” in infosec. It really got me wondering, “WTF does that even mean?” This is such a cliché today, I think we may have lost sight of what the hell we’re even talking about when we say “let’s all just get back to basics”.

To be clear, both Eric and James are friends, and people that I have a lot of respect for. This really has nothing to do with them – they were just catalysts for me pondering the issue. In a post about Eric’s comments, he states that “…organizations seeking good security must return to the basics: asset identification, configuration management and change control.” In an article discussing some of James’ research and thoughts on security today, he states, “Security issues that we’ve known about for more than a decade are still a widespread problem that needs resolving. We need to get back to the very basics.”

So what ARE “the very basics”? And how exactly do we “get back to them”? Before giving my opinion on this, I think we run a real risk of oversimplifying what has become a very complex discipline. Times change, and “basics” do too. In the 1980’s or 1990’s, infosec “basics” were likely all about hardening operating systems and setting passwords for accounts, as well as limiting access and privileges. Today? I’d argue that only scratches the surface of “basics”. To adequately cover the “basics” of infosec, I think any organization, regardless of size, needs to include the following in their program:

  • Inventory management
  • Configuration management
  • Change control
  • Network access control and traffic filtering
  • Network intrusion detection/prevention
  • Host-based malware detection/prevention
  • Security policy
  • Security awareness
  • Incident response
  • Vulnerability management (emphasis on scanning and patching)

This can easily be argued, likely successfully. Should web app assessment be on this list? Secure coding? Pen testing? Forensics? The list could go on and on, but in my opinion, these are the foundational elements that every security program must have. So here’s the question – have we really gotten away from these? If so, what are we spinning our wheels with? Next-Gen thingamajigs? “Advanced Malware” detection and prevention platforms? Cloud and virtualization security architecture and design? Identity management? Encryption and PKI? DDoS defense? I don’t think we’ll solve our problems in infosec by trying to categorize one or more activities or tools as “basics” and focusing there, candidly. Not anymore. All of these things have merit, depending on your organization. No, I don’t think we need to get back to the basics. I think we need to get there for the FIRST TIME. Let’s face it, we’ve never had this licked. Things are more complex than ever, and we didn’t have a grasp on security when the environment was much simpler. The solution? There’s not one – not an easy one, anyway. We need more tools, more people that have real technical skills and who understand security across a lot of technologies, and more commitment from operations teams to help nail this down. So let’s drop the word “back” – let’s GET to basics first, and then we can optimize.

Categories: Information Security, Musings Tags:

Search Engines for OSINT and Recon

January 31st, 2014 2 comments

Based on the title to this post, you’re thinking, “Awesome, Dave! Welcome to 2006!” Well hang on there. There’s an amazing number of awesome search facilities that can be useful when doing OSINT and recon work for pen testing. I’ll list a lot of different sites that I have discovered and use regularly for both.

Google and Bing: These are the best known sites for these activities, and provide a lot of data. One cool feature many don’t use is the “Search Tools” in Google Search and Image Search. After you submit your search, click the “Search Tools” button in the upper right. You can hone in on date ranges for results, and for images you can choose only faces, clip art, and others, as well. Lots of good query tools out there for these two, but SearchDiggity from the Bishop Fox guys rocks.









The Wayback Machine: I think most folks are aware of this these days, too, but it deserves to be mentioned. If you’re looking for older versions of a site or data set, this is the place to grab it.

Google Groups or Yahoo GroupsSearching for gossip on companies or people posting stupid things that they shouldn’t may lead you to one of these sites. I’d say you’ll be surprised by what you find there, but…we all know that people just feel like they HAVE to share sometimes.

Bing vs. Google: For a comparison of the two search engines’ results, this is a great site, and may save you some time for quick keyword searches.

2LingualTo search using two different languages simultaneously on Google, consider 2Lingual. Great results sometimes, especially if you’re assessing an international organization or person who travels and works abroad.









Carrot2Carrot2 is one of my new favorites. It provides some cool visualization options for searches, and also has great results.










iSeek: iSeek is another of my favorites currently, primarily due to its categorization column on the left-hand side after searching. You can drill down into phone numbers, locations, and other keywords detected very quickly.












International Search with Yandex (Russian) and Baidu (Chinese): For international targets, these sites turn up some fascinating results, and both have good search delimiters, too.

GlobalFileSearch: A quick way to search for files scanned across FTP services. Similar to the “filetype:” or “ext:” queries with Google, but may prove useful…I’ve found a few excellent results there.











NerdyData: This site rocks, especially when I am doing recon for Web app tests. You can search for code snippets buried in site pages, JavaScript, etc. IMMENSELY USEFUL. You can look for code, patterns in code, look specifically for <meta> tags, look only for blog keywords, etc. Awesomesauce.









Qwant: Qwant sometimes has interesting info, as it aggregates across traditional search, social media, shopping sites, and more traditional news.

If anyone has different engines and sites they use for this, I’d love to hear about them, and I’m sure others would too. Any comments with new sites, I’ll vet and add to the post. Cheers!

Cool, a package! Oh noez! It’s from Attrition!

November 25th, 2013 Comments off

AttritionThis is a long overdue post, and has nothing to do with security, and everything to do with slow, simmering dementia and madness among us. I received a package from a certain “Brian Martin” a few months back. My schedule got a bit hectic, the package was set to the side, and I have finally gotten back in the US and cleaned up my office. What I found in this package, my friends, was nothing short of disturbing. I’ll list the contents, with my general impression of what they may mean.

  1. Numerous information security-related stickers: This is really the most “normal” thing in the shipment.
  2. An Attrition business card/thing and a wristband. Again, cool. No worries here.
  3. A Leonard Cohen CD. Now, undeniably, there’s something cool about Cohen. In fact, a lot cool. But…who would PART with such a thing? This is just the beginning of the insanity.
  4. Two wine cork/tops (one cork, one screw-off). Why was this still hanging around? Why were they saved to send on to me? Hmmm.
  5. Several small foam balls. Likely ripped mercilessly from the faces of stuffed clowns, which is creepy. Heading deeper into CrazyLand, for sure.
  6. Numerous keys from computers or other electronic equipment. Very likely ripped apart in a frenzied Mescaline-induced rage.
  7. Several small rubber discs. From what, I have no idea. Cryptic.
  8. Two plastic dinosaurs. Despite my intrinsic pleasure at receiving two small plastic dinosaurs, again I ask…who would PART with these?
  9. One shiny stone. Shiny.
  10. A discarded bank keychain. Junk.
  11. Most horrifying of all…a staggering stack of periodical renewal pullouts that span an awe-inspiring range of topics – science, history, geography, psychology, women’s anatomy, general nerdiness, and more. And going back to at least 2005. Where were these ACQUIRED? And why were they KEPT, in a long-term fiendish plot to send them on to an unsuspecting victim? This represents a deeply depraved character, without any doubt.

If you’ve read this far, you likely know that this is satire. I personally found this mixed bag o’ shit to be hilarious, and knowing that I have crazy-ass friends like Brian is oddly comforting. Isn’t that half the reason we’re in this business? To share in the crazy?

Cheers, folks, and happy Thanksgiving to all in the US.

Categories: Humor, Musings Tags:

Big Trouble in Little Infosec

October 29th, 2013 3 comments

big-trouble-little-china-thunder-explodesThe security “community” has been so incredibly drama-laden this year (largely due to media sensationalism and that wily A-P-T, yeah you know me!) that it’s been tough to stomach. That’s really not me being curmudgeonly, honest. I’ve had a fascinating year, done some amazing work with clients, and seen at least a good number of incredibly smart friends and colleagues at industry events and elsewhere. So, what’s got me wound up? Well, it’s that time of year, first of all. As a consultant who travels internationally a LOT, and stays busier than a rational human should be, I am reaching a point of exhaustion where I start reflecting on what I’ve seen and thinking a bit more philosophically about the state of the “industry”. Second, I’ve really had some big insights personally, just seeing things a bit more clearly for what they are.

You may have noticed that I surrounded the terms “community” and “industry” in quotes. That’s intentional. And directly related to concern #1:

If we’re a “community”, what are our values? And why do we qualify as an “industry”?

I’ll explain. From what I’ve seen, it might be time for us to work a little harder at helping the “normals” get secure. I know we THINK we all do. But ya know what? We’re NOT approachable. We are very quick to judge people not fit to compute. And that, my friends, is 99% of the world, in our eyes. We have to lower our bar, try to be a bit more understanding of Facebook people, and start solving the real problems of awareness and usage scenarios. And, uh, misogyny in IT. Or at least infosec. Really, being a bigot to women is pathetic these days. Especially if you are a fat, white and pasty nerdbot that doesn’t see much daylight.

As to the “industry” thing…please. Everything about infosec is a “feature”. We are not IT. We are not “risk”. We are a part of both. Yes, there’s money here. But we are NOT a strategic element. We’re a small piece of the business equation, no matter how important we think we are. Maybe, in some industries and situations. But not as “the norm”.

And so…problem #2: We think we’re more important than we are.

True, sadly. Especially the pompous CSO types who puff their chests out and talk about “metrics” and “governance” and “GRC” and “advanced threats”. We have a lot of the “let’s preen and act important” game going on, where people act very serious and try hard to dress nice and seem like they know what’s happening. Pffft. These folks are reacting just like everyone else, and the last fucking thing we need is more corporate politicians. Take your “GRC” and “dashboards” and go do something better suited, like create a colorful chart. UNLESS…you cover for the real team that actually does shit. And maybe once in a while, you enact some changes through your amazing PowerPoint skills of persuasion. Which leads me to #3:

We need a LOT less talkers. And a lot MORE “do-ers”.

Seriously. I’ve said this before. More than a few times, really. But what I see out there is concerning, folks. I see a lot of infosec professionals who, candidly, suck. Basic Windows skills and ability to fill out Word docs does NOT an infosec professional make. You need admin skills, network skills, DB skills, some code, and maybe more to be a well-rounded infosec person. Most are not. Some can learn, and want to. But many are in it for the perceived paycheck. If you are 20 years in and can’t use Linux, don’t expect me to give two fucks about you and your career. Because you don’t care. And neither do I. This isn’t a cushy 9-5, maybe we’ll get a pension someday, kind of gig. Keep learning, evolve or die. And if you DO care, and are trying to switch careers? I’m your biggest fan. I’ll help anyway possible.

And finally? Another topic I’ve harped on, at #4:

Bo don’t know code. And neither does infosec.

We need more people to code. Less click, more code. App issues are the now AND the future. If you can’t handle that…you’re on the way to dinosaur, sorry.

These are some harsh realizations. But really, we look at infosec and data breaches and wonder why things aren’t better. What if we’re a big part of the problem?

Categories: Information Security, Musings Tags:

Incentivizing “Makers”

August 14th, 2013 Comments off

buildThis post was directly inspired by @secmoose and I having a conversation over the last week, and was originally driven by my disappointment this year at DEF CON that, once again, we’re idolizing people that break things. To be clear, I break things. I have nothing against pen testers (I am one) or security researchers. But we show up in Vegas, listen to people talk about breaking stuff, try to break stuff, and then go home. Who builds anything? I know the DEF CON Kids program is doing a bit of this (awesome) and there’s certainly a handful of IR/intrusion analysis/monitoring/etc talks…but we are definitely skewed towards the “I broke this, look at me!” scene.

What to do? Well, here’s what I am NOT suggesting – let’s NOT stop what we’re doing. We are exposing some awesome issues, having better conversations than ever before (and with the NSA listening in to all of them, what could be wrong?), and slowly and steadily marching onward in this bizarre field. No, what I’d like to see, at least an initial dialogue on, is how we incentivize people who defend and build security versus find flaws in it. We all know that both are critical. So what can we do to get more “build” and “innovative defense” talks at cons, as well as activities that have a more dominant “build and defend” element?

@secmoose had some great thoughts on a more defense-oriented aspect of CTFs. CTFs are great for building and testing skills, but primarily for the offensive side. While there are definitely defense aspects included today (malware reversing, PCAP manipulations, “waterholing”, etc.), there could probably be a lot more. What about an entire campaign focused on “active defense” aggravating attackers using techniques and tools like those in the ADHD distro from @jstrand, @secureideas, and @pauldotcom? More “innovation” ideas on tools for defeating attacks, identifying malicious behavior and thwarting it? Just thinking out loud, really. Would love other ideas and thoughts you guys may have.

In fact, and this was one of my talk ideas for DEF CON this year (rejected) that we look at what the original spirit of a “hacking conference” was, and try to get back to those roots. Let’s invite more people that have nothing to do with breaking, building, *anything* in security, but have great ideas and do other work in science, robotics, engineering, etc. Let’s get some new blood and people outside our industry thinking about some of this and try to get back out of the box we’re in, creatively. Who knows? Could be fun.

Categories: Information Security, Musings Tags:

It is NOT time to “professionalize” information security.

May 24th, 2013 13 comments

AlDonaldsI recently read an article that was posted by my friend Brian Honan titled “Is it time to professionalize information security?” I know this debate’s been going on for a bit. I have a lot of respect for Brian (who supports licensing or “professionalizing” infosec), for a lot of reasons. If you’ve ever met the guy, and/or know of his accomplishments and track record, you likely do too. So to be clear, my opinions in this matter have nothing to do with Brian, and everything to do with what I see as a bad direction to take in our industry right now.

People – this is a “knee jerk” to the insanity that is information security. Things are chaotic, sure. Breaches, crime, national defense…all contributors to this mess. Top that off with a general distrust for vendors (with a perception of them selling “snake oil”), a disturbing number of “charlatans”, raging debates about certifications like the CISSP, drama at every turn, and constant cries of “we have to get better”. Sigh. I know, it sounds bad, right? But it really isn’t nearly as bad as it seems.

We are an “industry” in a very early stage, folks. I’ve said this before, I’ll say it again – we have a major, fundamental difference in infosec that makes it seem much worse – we have adversaries. They are working against us. When the Windows MCSE came out, it was a joke. Anybody could go learn a little about Windows, and become a “certified” Windows…, uh, person. But there was no diabolical Blofeld waiting in the wings to set Microsoft back, planning a global overthrow with Linux-wielding henchmen in an underground lair while he stroked his cat. Same for networking, whether Cisco or otherwise. Same for databases, CRM, enterprise middleware, and so on. Nope, only infosec has these shadowy lurkers who continually thwart our best efforts, stealing data and making the news.

We’re making progress. Really. Yeah, we have some idiots jumping on the bandwagon churning out Nessus reports as “pen tests”. So do we run to “certify” everyone so such an atrocity can never happen again? Really? You’d put us in a little box so that we can all feel safer? No. Here’s a better plan – those of us who are NOT clueless and DO provide quality work for clients or our businesses should work harder to educate people on this. That’s the problem. People are freaked out, they may not know any better, and they’re looking for solutions. Be it vendor or consultant or both, there’s ALWAYS a solution. Some are good, some are not. We’re falling prey to FUD, plain and simple. And if you get caught up in the daily whining on Twitter and elsewhere proclaiming that infosec is “so messed up” and that it “needs fixing”…well, you’re falling right into the drama-laden trap that plagues our industry.

The infosec industry needs creativity. It needs people who don’t fit the mold, who would rather set a kitten on fire than wear a tie, and who cannot help themselves from telling dick jokes, no matter when or where. Those people may not fit the “professionalization” scheme, but we would be SCREWED if we lose them. They think outside the box, they don’t look “corporate”, and they insist on wearing black T-shirts. I’m being purposefully stereotypical, of course. We’re a widely diverse crew these days, and we’re better for it. But thinking we’re failing so badly that we need to “professionalize” is silly. If that is the case, then why don’t we REALLY get to the heart of things, and professionalize programmers? It’s their shitty code that is causing a lot of the mess, there’s no denying this. While we’re at it, we should probably “professionalize” systems admins, network engineers, everyone. They screw up too, right? We should definitely “professionalize” project managers. Those people are a pain in the ass. Let’s make them certify!

C’mon. This isn’t the answer. Infosec is crazy, sure. But we’re not headed into doom and gloom as some would have you believe. We’re improving education programs all the time. I have met some of the college kids who are taking part in Red Team-Blue Team competitions, and some of them are crazy sharp. We’re trying to fix things like the CISSP, with guys like Wim Remes and Dave Lewis as our men on the inside. We’re having proper debates about “attacking back” and cyberwarfare (ugh), and so on. We’ll get there. But don’t react and put us in a little defined “program”. I don’t want to be a part of the Borg, not now and not ever. I have hundreds of happy clients who can attest to my work, and so do many of you. Let’s let folks like the Attrition crew smoke out the worst charlatans. And let’s try to keep our sense of humor AND reality along the way.

Categories: Information Security, Musings Tags:

Freaks and Geeks and Subcultures

March 20th, 2013 1 comment

In the last few days, there have been a flurry of stories about this supposedly sexist scenario at PyCon called Donglegate. Two dudes told some stupid dick jokes (referring to them as ‘dongles’) in the audience, a prominent female speaker heard them behind her, and she opted to make a big deal about it. Such a big deal, in fact, that they got fired from their jobs. I’m going to pull the “What the F***” card on this one. Lady – find somewhere else to make your soapbox stand, would you? This industry has REAL issues with sexism, but stupid dick jokes aren’t the problem, especially when they were obviously meant to be private conversation and not directed at anyone with malicious intent. Sheesh.

There’s been a lot of drama in the IT, and specifically the security, industries in the last few years. I think we’re experiencing a sort of cognitive dissonance, really. We keep being told that we need to be more professional and businesslike, so we are trying VERY hard to fit this ideal as an industry. I’ve come around on this thing, though. I am a product of a subculture, and I like that subculture. I like nose rings, tattoos, colored hair, stupid black T-shirts with juvenile and snarky slogans, and the idea that we still might be the smartest people in the room. And I don’t want to change ALL of it to fit an ideal someone else is creating for me.

I clean up well. I can wear business clothes and hang out in corporate environments with clients all day, and so do many of you. But I’m still the same tattooed geek who has been breaking shit since the 70’s. A lot of this drama, I think, is us feeling like we need to behave in a certain way to attain credibility…for SOME reason. We should stop this. I never want to hear this dumbass “getting a seat at the business table” crap anymore. If that is your goal in life, play the corporate politics and let the geeks do our thing. But do NOT deliberately create strife for others who are being nerds in their own culture, with their own peeps, and hurting no one in the process. If a crime is committed, do something. If someone offended you? FFS, get over yourself and adjust, or find your own damn subculture where you don’t need thick skin to hang with the people in the black T-shirts. Because we’ll be telling dick jokes. Awkwardly, granted, but…that’s us.

Categories: Musings, Rants Tags:

Watching the Watchers, 2013 Style

January 31st, 2013 Comments off

We’ve never really been adept at dealing with insider threats. Some organizations have internal detection and monitoring programs, usually aligned with anti-fraud efforts, and some also include more robust forensics programs to look for evidence after-the-fact, but we still have a problem with insiders. With the proliferation of virtualization and cloud computing, we have more trouble than ever. There are two trends I see that explain this.

First, let’s talk virtual environments. A number of things tend to happen in virtual infrastructure that can lead to poor privileged user management and monitoring practices. First, many shops hand virtualization over to an existing admin group, like say…the Windows team. Not a great move, for a lot of reasons. This team still has to manage their existing systems and infrastructure, like Active Directory, DNS, and other platforms and applications. This means they’re part-time virtualization admins, at least for a while. A lot of folks think virtualization is easy, and it is…to a point. But virt technologies can suffer from neglect just like any other systems and apps can, and missing patches and failing to implement configuration controls can have a devastating effect. But relative to the point of insider control and monitoring, this arrangement usually leads to shortcuts in the way that admins log in and manage the environment  Many use generic administrator logins, including the local Admin account on Windows systems running vCenter. AD integration is easy, and highly recommended, and this can help with audit trails, but the practices are still poor – often the full Admin role is assigned within management platforms, with little to no role assignment or separation of duties. Coupled with the minimal logging often done in these environments and potentially generic admin account IDs…a recipe for disaster. One disgruntled admin could take out the entire environment, at least for a while.

What to do about this? Well, the most effective way to approach this issue is to follow a simple regimen, none of which is really new at all:

  1. Before deploying virtualization, or even once you have it up and running, set time aside to carefully plan and assign roles for VM admins, cloud admins, network teams, dev and DBA teams, etc. The major vendors, certainly Microsoft and VMware (XenServer role granularity is a bit meh), offer plenty of features to properly create and manage roles.
  2. Ensure your management interfaces to all components, including integrated and 3rd-party pieces in vBlock (Cisco UCS, EMC Ionix and Symmetrix, etc) and private cloud (vCloud, System Center varieties, etc.) are on a separate segment that you control very tightly. Ensure you have monitoring in place for this segment (behavioral and traditional signature-based) and also logging on each management platform.
  3. Have all administrators manage systems via a bastion host or “jump box”, which can be anything ranging from a Windows server you RDP into to vSphere Management Appliance or commercial options like the HyTrust appliance. Better management control, better audit trails, more of a pain in the ass for admins, but…something you should do.

I see a lot of organizations where security teams aren’t really monitoring the virtualization and cloud admins. This should change, quickly. Speaking of monitoring virtualization and cloud admins, let’s talk about the second trend, which is moving resource to public/hybrid/community clouds. There’s really two ways to look at the insider scenario here. The first way, while pretty defeatist in nature, could certainly resonate with some folks – you’re f**ked. You are pretty much going to have to rely on the cloud provider to do internal monitoring and privileged user management. Well, THAT’s depressing. The other way to look at this is via the standard argument for auditing and assessing providers – via SSAE 16, ISO 27001, and CSA STAR or other questionnaires and responses like those in the CSA CCM and CAIQ. At the moment, there’s really no way to monitor cloud admins actively yourself, so you’re at their mercy technically. You’ll have to rely on what the provider tells you, and continually check to make sure they’re doing what they say they’re doing. A great guide to insider threats in cloud environments has recently been published by the folks at CERT, titled “Insider Threats to Cloud Computing“. It breaks down the different types of cloud admins, what data and systems/apps they have access to (typically), and what you should be looking for when talking to providers about this. I highly recommend reading it.

Hopefully, the insider threat in both virtual and cloud environments is on your radar. If it’s not, it definitely should be.