I’m sure you’ve had one of those days where you can’t bring yourself to do anything useful.
But have you ever noticed that if you’re leaning over your keyboard with your elbows on the desk and your head in your hands, and are staring numbly at the keyboard from the right distance away, and unfocus your eyes, the keys start floating like one of those Magic Eye stereograms?
I think I’ll go dig up our team’s Policy Enforcer and go have some fun.
Posted by shrdlu on Friday, May 16, 2008 (2 comments)
Was talking with an incredibly smart friend of mine this morning, and as usual, he revved my brain into high gear and it stayed that way even after we hung up the phone.
I never could get what the deal was with GRC, and why it is supposed to be so new and hot and different from just plain compliance-with-a-dashboard. I think it’s because from what I’ve been able to grasp, the only “R” in GRC is the Risk of Not Being Compliant. And as we know, that’s only a small part of everyone’s risk factors.
Compliance is external. It’s commoditized and standardized, by design. It’s very close to being the opposite of risk management rather than just being a subset. Even when the compliance is mostly a matter of interpretation in the technical world, you’re chasing a binary answer: Are you compliant or not? And the authoritative answer will always be someone else’s, not your own. No wonder executives chafe at it and wish it would go away. They’re not going to embrace it lovingly in the form of an expensive reporting product. They really don’t care about someone else’s opinion all that much; they want to get back to making their own risk decisions.
By contrast, risk is personal. It’s variable as hell. It “governs” what you spend your money on, and therefore, with or without a dashboard, your CEO is already doing risk assessment every time she decides what your security budget is going to be. Will you really be able to change her mind by showing her the dashboard and saying, “But—but—the needle is pointing to RED!” when you’re sitting there with your line items in your fiscal shopping cart?
As Rothman and others have pointed out, either you have C-cred or you don’t. Either you support your management in making their decisions, or you end up fighting them. And in decision support, it’s their questions that matter. You need to find out what those are and then choose the right instrumentation to help you answer them. (YOU, not your boss. If he wants to play with the tools himself, he doesn’t trust your answers.) He will decide how “compliant” he wants to be, based upon his other business and financial factors. And if you’re going to help him make risk decisions, the more you can help him calculate risk for the other factors besides compliance, the more valuable you will be overall.
One more thing: you will be appreciated more when you can identify the low risk as well as the high risk. Every time you can say, “I think we can get by with this solution, and here’s why,” you’ll make another (sometimes astonished) friend. Don’t bring in a GRC product and use it as a FUD machine. If you can’t use it to identify opportunities* as well as threats, it’s of very little use to you.
Remember, we’re supposed to be enablers. We’re supposed to be a service organization. (If these statements surprise you ... Sekurity—UR doin it Rong.)
*No, I do NOT mean “opportunities for security vendors to make more money.”
Posted by shrdlu on Thursday, May 15, 2008 (6 comments)
You know, when I’m in a meeting with a big group of people and I say something and suddenly there’s this long, silent pause, I can never tell whether it means I just said something really stupid, or whether it means I said something so brilliant that it took everyone’s breath away, or I said something so confusing/obscure that it just went straight over everyone’s heads.
I really should try to figure it out sometime, especially if it’s the first option.
Posted by shrdlu on Tuesday, May 13, 2008 (2 comments)
[Ed. note: Happy blogoversary to me! Time flies when you’re posting ... and especially when you’re not.]
Someday you, too, may be privileged to be able to design a username schema for your system, and I hope you’ll have your safety equipment to hand. There are few activities more contentious than naming something.
Let’s take a look at a few of the aspects you should consider when choosing the format of a username.
- Frequency of use. How often is your typical user going to be logging in? How long are you going to keep that account around? Persistence + infrequent use = forgotten username = help desk call (unless you are satisfied with letting them click a link to get it mailed to them).
- Disambiguation. How are you going to tell your Robert Smiths apart if you let the real name be part of the username? You can add a randomly generated disambiguator, but then you risk user memory lapses again. You can add a disambiguator that the user will remember, but that usually turns out to be biographical data. Please don’t tell me it’ll be the last 4 of the SSN.
- Basis for usage. Why are you letting a user on your system to begin with? Is it inherent in their job? Are you making access decisions based on their position, location, relationship, or other? How often is that likely to change?
- Other identity attributes available. Are you going to try to be clever and overload the username with role or organizational information or some such? Try not to do this as a poor man’s sorting function. Data modelers will hate you and spit on your office chair.
- Need for respectability. Are you going to let your users pick any aspect of their username? Is it a problem if they pick “yourcompanysucks”?
- Will the username be immutable, technically or by policy? Will a user have to apply for a new account if something about the old one changes? How many help desk calls are you willing to support?
- Do you really think that obscuring the schema for the username will make attackers less likely to break in to your system? (Hint: if you choose anything other than a randomly generated string of characters for the username, it’ll end up being generated by an algorithm that is guessable. The security shouldn’t be in the username; it should be in the strength of the password. I hope my pentesters are reading this and will get off my frickin back.)
- Will you need to bulk generate or bulk upload new users? If this is the case, you’ll need to be able to generate and assign usernames automatically. Make sure your schema isn’t too complicated (let’s see, was that the first four of the last name? What about the twenty people named Li?).
- Do you have username length restrictions anywhere? Do you have the ability to create username aliases for an identity to interface with back office systems?
- Audit requirements. Will you need to keep retired accounts around for reporting purposes? I don’t recommend recycling usernames in any case.
- Will users need to have multiple accounts? If you just said no, think again. What about your developers and QA testers? Show me a developer who has fewer than 200 accounts associated with her name and I’ll show you a developer who isn’t earning her keep.
- Don’t even THINK about making the username case sensitive. Thank you.
I hope these little tips help you in your quest to create the perfect system. Good night, and good luck.
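Since several of the points above (disambiguating the Robert Smiths, bulk generation, length limits, case-insensitivity, never recycling a retired username) are mechanical enough to encode, here is an added example of a small username allocator that applies them. It is not code from the original post; the 12-character limit, the blocklist entries, and the sample names are all assumptions made for illustration.

```python
import re
import unicodedata

MAX_LEN = 12  # assumed limit imposed by some back-office system; adjust to yours
# assumed substrings we refuse to issue (the "respectability" rule)
BLOCKLIST = ("admin", "root", "sucks")


def _fold(text: str) -> str:
    """Fold to lowercase ASCII letters so 'Müller' and 'MULLER' compare equal.

    Diacritics are stripped with NFKD decomposition; anything that is not
    a-z after that is dropped.
    """
    ascii_text = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return re.sub(r"[^a-z]", "", ascii_text.lower())


def base_name(first: str, last: str) -> str:
    """First initial + surname, truncated to leave room for a disambiguator."""
    stem = _fold(first)[:1] + _fold(last)
    return (stem or "user")[:MAX_LEN - 2]


class UsernameRegistry:
    """Allocates unique, case-insensitive usernames and never recycles retired ones."""

    def __init__(self, existing=(), retired=()):
        self.active = {u.lower() for u in existing}
        self.retired = {u.lower() for u in retired}

    def _taken(self, name: str) -> bool:
        return name in self.active or name in self.retired

    def allocate(self, first: str, last: str) -> str:
        stem = base_name(first, last)
        if any(bad in stem for bad in BLOCKLIST):
            raise ValueError(f"refusing to issue a username based on {stem!r}")
        candidate, n = stem, 1
        while self._taken(candidate):
            # deterministic numeric disambiguator; the stem is trimmed so the
            # result still fits MAX_LEN even when the counter reaches 3+ digits
            n += 1
            suffix = str(n)
            candidate = stem[:MAX_LEN - len(suffix)] + suffix
        self.active.add(candidate)
        return candidate

    def retire(self, username: str) -> None:
        """Retire a username: it stays reserved so reports can still refer to it."""
        folded = username.lower()
        self.active.discard(folded)
        self.retired.add(folded)

    def bulk_allocate(self, people):
        """Generate usernames for an iterable of (first, last), e.g. a bulk upload."""
        return [self.allocate(first, last) for first, last in people]


if __name__ == "__main__":
    # constructed sample data
    reg = UsernameRegistry()
    print(reg.bulk_allocate([("Robert", "Smith"), ("Roberta", "Smith"), ("Hans", "Müller")]))
    reg.retire("rsmith2")
    print(reg.allocate("Rowan", "Smith"))  # rsmith2 is retired, so this gets rsmith3
```

The numeric suffix is the boring choice on purpose: it is guessable, but as the post says, that is where the security shouldn’t be. What the registry does guarantee is that two logins never differ only in case, and that a retired name is never handed to a new person.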
Posted by shrdlu on Thursday, May 08, 2008 (3 comments)
I love to play with vendors.
I love to go to those thinly veiled marketing “seminars” where I eat the breakfast danishes, doodle on the notepads, and then stand up to ask ridiculous questions of the sales presenter. Once I actually got a networking guy to start making up stuff as he went along: I asked him if his router had built-in antivirus, and before I knew it, he had drawn up a whole new version of Unified Threat Management, complete with keylogging, database activity monitoring, and an executive dashboard. Too bad he was only selling WAPs.
But my favorite cat-and-mouse game is on the trade show floor, where I try to score all the neat schwag while leading on the booth babes. See, the really good schwag is stored under the table, behind the tablecloth, and they only pull it out if they think they’re gonna make a sale. So you have to go in dressed expensively, but without a tie. With a tie, you’re obviously another sales droid, maybe coming over to check out the competition. With the sharp suit, but without the tie, you look like the senior VP of something who is too important to care about making a good impression.
Whatever you do, DON’T wear one of those dorky Bluetooth earbuds. That’s a dead giveaway that you’re just a wannabe.
So I make a point of walking by the booth quickly, as though I’m about to meet someone equally important for lunch, and then let the display catch my eye. Reluctantly, I back up a few steps and cast my glance at the literature. I frown. By this point, the smell of the chum is almost unbearable and the sharks are circling; they can’t help themselves.
I rate the sales rep on the first line. “Can I help you?” is lame. “Are you concerned about threats to your [insert technical buzzword here]?” does a little better. “Say, didn’t I hear you speak on that panel at RSA?” is the best of all. Some cut to the chase and say, “Would you like a chance to win an iPod?” which is just shy of saying, “I’m dying for some leads here, please give me your business card.”
The trick is to keep them talking but keep your badge hidden, so they’re not really sure how important you are. “I think I bought this last year,” I say. “Oh no, wait, it wasn’t the IronBlade, it was the IronMaiden. Sorry, my mistake.” Spend a little time confusing them with their competition, and they’ll work even harder to see if they can woo you away. Talk about how you’re trying to expand your company’s security portfolio and improve your governance and compliance. Once you get the Most Important Sales Guy talking to you (he’s the one who was holding back, maybe talking on his cell phone, but still listening to the conversation), start mentioning the word “demo.” That’s usually enough to tip them over the edge, and they bring out the embroidered polo shirts or the neon-colored riding crops or whatever the really good schwag is. Score!
That’s the point where I hand them the business card of an ex-coworker from my previous company and tell them to give me a call. I go dump the loot in my briefcase (extra large for this reason) and come back to hit the next victim. If you time this right—say, while everyone else is in the sessions and the vendors are really bored—you can empty them all out before the break.
Sometimes if the schwag pickings don’t look appealing, I go around being really obnoxious and handing out the business cards of each booth’s competitor, which I collected at the previous conference. This works best at large national conferences, where they’re sure not to remember you. With a bit of finesse, I can get them all pissed off at each other and watch them tripping each other up with the power cables on the floor. Once I started a price war by telling each of four competing companies that two of the other ones were undercutting them by over 30 percent. I won’t say that this ended up in a hostile takeover bid ... you can draw your own conclusions and I’ll deny them all.
And when I really, really want to torture a particular vendor, I’ll ask them to set up a pilot for me ... every two years or so. They usually don’t have the same sales staff by that time, so they’re hopeful all over again that they’ll make a sale. I have fun playing with the new improved console, break it, and then send the system back in a fit of pique until the next time. These days I get my kicks by asking every vendor to do a pilot for me ... under VMware. The contortions they go through to convince me that they can virtualize are truly better than what you see at the Cirque du Soleil in Vegas.
Hey, man, I’m just softening them up for you. It’s a dirty job, but somebody’s got to do it ... and even Mike Rowe has his limits.
Posted by shrdlu on Monday, April 28, 2008 (3 comments)
Saw this blog posting this morning on BlogInfoSec.com:
Slashdot Post On Security Ethics Demonstrates Professional Naiveness[sic]
wherein Kenneth Belva takes a frustrated security professional to task:
I wish this anonymous reader put their name to the article. Their statement above demonstrates their complete lack of understanding of the security process within a corporate environment from a political perspective.
Well, in the first instance, Mr. Belva demonstrates professional ignorance of certain words (it’s “naïveté”), and in the second, claims to understand “the security process within a corporate environment” without acknowledging the fact that the issue here is risk, not necessarily politics.
Read the original posting again:
“I am a senior security xxx in a Fortune 300 company and I am very frustrated at what I see. I see our customers turn a blind eye to blatant security issues, in the name of the application or business requirements. I see our own senior officers reduce the risk ratings of internal findings, and even strong-arm 3rd party auditors/testers to reduce their risk ratings on the threat of losing our business. It’s truly sad that the fear of losing our jobs and the necessity of supporting our families comes first before the security of highly confidential information. All so executives can look good and make their bonuses? How should people start blowing the whistle on companies like this?”
You could easily read this as someone who is overstating risk, or someone who is stating it accurately. It all depends on where you’re standing. If you’re on the left, you see it as being too far to the right, and vice versa.
This just underscores the need for an objective dialogue on risk, and a common taxonomy for everyone to use. (No, I swear I’m not trolling for more links from Alex and Jack; I really do believe this.) Everyone knows the situation where an auditor writes you up for allowing SSL v2 or some such silliness, and you just want to shake them by the lapels and say, “Why do you think this is a serious risk? Why is this serious enough to write up?”
So this situation could go either way—they really could be strong-arming auditors into reducing risk ratings on objectively serious issues, OR they could be giving the auditors plausible reasons to reduce the risk ratings. This is why we need explicit, written risk assessments that are open to discussion.
UPDATE
Mr. Belva was kind enough to notify me of his response:
I became aware of a post on Layer8 accusing me of being “professionally ignorant.” Unfortunately this individual will not allow people to comment on the Layer8 site unless one registers. So here is my reply to this blogger:
=============
I believe that naïveté and naiveness are synonyms and are both nouns, which means they are interchangeable.
Dictionary.com:
http://dictionary.reference.com/browse/Naiveness
——-
naiveness
noun
lack of sophistication or worldliness [syn: naivete] [ant: mundaneness]
WordNet® 3.0, © 2006 by Princeton University.
——-
Here’s Princeton’s direct URL which basically states the same thing as dictionary.com:
http://wordnet.princeton.edu/perl/webwn?o2=&o0=1&o7=&o5=&o1=1&o6=&o4=&o3=&s=naiveness&i=0&h=0#c
——-
Perhaps a second post with a retraction is in order for your slander against me in regards to my “professional ignorance.”
Sure thing, buddy—I’ll retract my sarcasm if you actually respond to the main point of the post instead of whingeing about “slander.”
(Weren’t you doing the same thing when you accused the Slashdot poster of a “complete lack of understanding” as well as “naiveness”?)
Posted by shrdlu on Friday, April 18, 2008 (11 comments)
I am going to Black Hat,
I am going to Black Hat,
I am going to Black Hat,
And that means DEFCON too (yeah!).
As you might recall, I’ve been given the chance to go to one out-of-state conference this year. I finally decided on Black Hat, because it didn’t seem like a vendor pimpfest, I can get into DEFCON for the same price, and hell, I’ve never been to Vegas. I’ve never been the least bit tempted by gambling, but I sure do want to catch me some more live Penn & Teller (it’s been ... damn, nearly a decade).
So now I find myself pondering the essentials: which t-shirts to pack? Crackberry under the clothes, or in the fanny pack?
I’m actually a little worried that I’ll find the attendees at DEFCON annoying. I’m envisioning a bunch of self-proclaimed badass geeks who are really just young punks who don’t know the ‘net existed before 1992. Yes, this officially means I’m old. But nobody would mistake me for cool anyway. I can be frumpy anywhere, so it might as well be Vegas.
Oh, and I’m going to the Lone Star Information Security Forum again this year, which I’m very much looking forward to. This year I will try not to drive back from Dallas during Tornado Night.
* Did your parents know that Steve Burns came out with some pretty cool indie rock after he left Blue’s Clues? Check it out.
Posted by shrdlu on Thursday, April 17, 2008 (6 comments)
Well, it’s RSA week, and the security blogosphere has been pretty quiet except for the “having-a-great-time-meeting-cool-people-wish-you-were-here-posted-from-my-iPhone” entries, so I thought I’d do my part to fill the void.
How to keep a darknet in your own data center:
1. Order and receive the equipment before your outsourcer arrives. Get it cabled in.
2. Have the outsourcer put asset tags on everything in the server room that doesn’t move. Make sure this is done by someone whose sole job is asset tagging, and the resulting report goes to some central manager who knows nothing about your systems.
3. On the one day of the year that the outsourcer runs the network discovery scan, turn the machines off.
4. Make sure that the outsourcer never gets around to reconciling the network scan with the asset tag inventory, or if they do, make sure it’s done by someone in the central office who doesn’t know your systems and who will assume that the asset tagger just made a mistake.
5. Have your head of networking be sympathetic to your cause and keep his mouth shut.
6. Have system administrators from the outsourcer who are so slammed with work that if it doesn’t have a ticket assigned to it and ain’t on fire, they aren’t going to notice its existence.
7. Own and run the IDS/firewall/logging yourself.
8. Configure the servers using only freeware so that additional procurements don’t show up on the books.
9. Party on.
Notice I haven’t put any names in here so that they didn’t have to be changed ...
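For the reader on the other side of this joke (the one who wants to find the darknet rather than run one), here is an added example of the reconciliation step the list says the outsourcer never gets around to: diff the asset-tag inventory against the union of every discovery scan you can get your hands on, so a box that was switched off on the one official scan day still shows up. This is not code from the original post; the CSV column names and all the hosts below are constructed for illustration and do not correspond to any particular tool’s export format.

```python
import csv
import io
import ipaddress

# Constructed sample data. Column names are assumptions, not any vendor's format.
ASSET_TAGS = """tag,hostname,ip,rack
A1001,db01,10.1.1.10,R4
A1002,web01,10.1.1.20,R4
A1003,backup01,10.1.1.30,R5
"""

# The one annual discovery scan (the quiet box at .30 was switched off that day;
# the .100 host is the IDS you run yourself, which the tagger never saw)
SCAN_ANNUAL = """ip,hostname,open_ports
10.1.1.10,db01,22;5432
10.1.1.20,web01,22;443
10.1.1.100,ids01,22
"""

# An ad-hoc scan run on an ordinary day
SCAN_ADHOC = """ip,hostname,open_ports
10.1.1.10,db01,22;5432
10.1.1.20,web01,22;443
10.1.1.30,backup01,22
10.1.1.99,,22;80
10.1.1.100,ids01,22
"""


def _ips(csv_text: str) -> dict:
    """Index CSV rows by parsed IP address so comparison is on addresses, not strings."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return {ipaddress.ip_address(row["ip"].strip()): row for row in rows}


def reconcile(asset_csv: str, *scan_csvs: str) -> dict:
    """Compare the asset-tag inventory against the union of one or more scans.

    Returns three address-sorted lists of IP strings:
      matched          tagged and observed on the network
      tagged_not_seen  in inventory but never answered a scan (off, gone, or dark)
      seen_not_tagged  answering on the wire but in nobody's inventory
    """
    tagged = set(_ips(asset_csv))
    seen = set()
    for scan in scan_csvs:
        seen |= set(_ips(scan))

    def as_list(ips):
        return [str(ip) for ip in sorted(ips)]

    return {
        "matched": as_list(tagged & seen),
        "tagged_not_seen": as_list(tagged - seen),
        "seen_not_tagged": as_list(seen - tagged),
    }


if __name__ == "__main__":
    print("annual only:    ", reconcile(ASSET_TAGS, SCAN_ANNUAL))
    print("annual + ad hoc:", reconcile(ASSET_TAGS, SCAN_ANNUAL, SCAN_ADHOC))
```

The two lists that matter are the ones at the bottom: `tagged_not_seen` is what you get from step 3 (powered off on scan day), and it only stops looking like a tagger’s typo once a second scan is added; `seen_not_tagged` is the darknet proper. Whoever reads that report needs to know the systems, which is exactly the point the list is making.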
Posted by shrdlu on Thursday, April 10, 2008 (3 comments)
Cyberspace, Internet (QP) - Christofer Hoff, the leading iconoclast blogger responsible for Rational Survivability, has announced a hostile takeover of Rich Mogull, slightly less iconoclastic but nevertheless highly respected author of Securosis. The market reacted strongly today, with shares of both blogs going every which way really, really fast. Mogull has been quoted as saying that he will “pwn the m**********r out of existence as soon as [he] can get [his] shareholders off the phone.”
Gartner immediately issued an analyst report praising the move, calling it “a double-Magic Quadrant scenario.” Yankee Group issued an opinion to the contrary, remarking that if you can’t measure it, it’s not worth getting excited over.
Other analysts in bloggerdom also rushed to comment. Mike Rothman posted, “So what? The two of them will never form a coherent business model without Security Mike included. I expect a bid any day now.” Alex Hutton celebrated the “meeting of two bitchin minds.” John Quarterman called it “just plain good risk management,” and itinerant blogger David Mortman, posting under fifteen separate names on eight separate blogs, said variations on a theme of “Awesome, dudes.”
No word yet on the name of the merged blog, although analysts are betting on “Surviving Rational Securosis.” Everyone is also holding their collective breath, waiting for the 800-pound gorilla of the security blogger world to decide whether to join in the M&A fun.
Posted by shrdlu on Tuesday, April 01, 2008 (7 comments)
Yes, I’ve been buried in work. I’ve been burned out. I’ve been hung down, brung down, hung up, and ... well, you know the rest of the song. (You DO know the Song, don’t you?)
But I stopped by to bring you this impromptu list of Interesting Things you need to know when you’re an Information Security Officer. Enjoy.
- Child psychology (to deal with prima donnas of all stripes).
- Abnormal psychology (to predict which insiders will go bad).
- Marketing.
- Organizational training.
- Business process engineering.
- Which common words in the English language mean very specific things to a lawyer. Things which will cause her to blanch when you show her a security policy or statement of work.
- IT and financial auditing.
- All the federal and state laws governing computers, wiretapping, breach notification, and e-commerce.
- Economics.
- Statistical analysis.
- How to spell HIPAA.
- How to troubleshoot everything from layers 1 through 7 to prove that it isn’t your firewall that’s causing a problem in production.
- Forensics and chain-of-custody.
- The newest naughty or infected sites, so that you can recognize their droppings on the user’s desktop.
- Contract law.
- Budgeting.
- Project management.
- Accounting.
- What passes for risk assessment in your organization.
- Stress management, meditation and yoga.
- All programming languages. Yes, even COBOL, which is still in use for an obscure, yet important application on your network somewhere. Guaranteed.
- Asset management.
- How to spot snake oil encryption.
- Public speaking.
- QA testing.
- RFP writing.
- FOIA and what things not to do in email.
- Subtle, yet effective flattery.
- Veiled threat-making.
- Mind-reading.
Posted by shrdlu on Thursday, March 20, 2008 (6 comments)
Mike Rothman passed along a good question here: if you had to pick a “theme” for yourself for 2008, what would it be?
Now, I don’t want a “theme” to equal “resolution(s).” I already have so much to do that I can’t face another list of obligations (even if they’re “obligations to self,” which I think is kind of an oxymoron—either you want to do them, or you don’t, and if you don’t, why should you feel obligated?). So the first thing that popped into my mind for a theme was:
Stop the Madness.
I’m so burned out right now that I don’t even want to think about security if it means I have to get up and do something about it. Personnel issues, budgets, procurements, contracts gone wild, big-ass projects that will probably scorch my personal earth for the next three years ... and then there are family obligations. I can’t face my inboxes, my desks are a mess (both at work and at home), I can’t find anything, and I have a brand-new Crackberry that I don’t even want to pick up.
New zero-days? Take a number, pal. If this is Wednesday, it must be another data breach. Hundreds of SSNs flitting by overhead, and I can’t be bothered to pick up my butterfly net.
I’m TIRED.
So my little Post-It note will say “STOP THE MADNESS” ... and if nothing else, maybe I’ll try to take some more regular vacation this year. Until the sticky note falls off my monitor and gets lost in the high tide.
Posted by shrdlu on Wednesday, January 02, 2008 (0 comments)
I got all excited by this neato bubble chart by Hoff:
and really wanted to take it out for a test drive in my own organization ... until I realized that I had no idea what “impact” meant.
What is “security impact”? Does this mean the ability to make things “more secure”? How do you decide whether your firewall has more “security impact” than your antivirus? (Will the Ghost of Metrics Future please go back to haunting Ebenezer Jaquith? Thank you.)
What is “business impact”? Does this mean how visible your security measures are to your business users? Does it mean how fundamental it is to whatever application your business is using? Does it mean how much it would screw the business if it didn’t work right? Or does it mean how much your business thinks it is helping them accomplish their goals (as opposed to just keeping Bad Things From Happening)?
A firewall might not have any business impact if users don’t know or care that it’s there. But it sure as hell would impact the business if it went down. You could argue that it “enables” the business to connect with external parties, but they’ll come right back and argue that they could communicate with them better if that firewall wasn’t in the way.
The bubble chart there shows antivirus as having a high “business impact.” According to whom? Is it helping the business get the job done, or is it saving the users from themselves at a higher rate than the other security products in the portfolio?
I’d like to hear what you all would define as “impact.” Other than the medical term, that is.
Posted by shrdlu on Tuesday, December 18, 2007 (9 comments)
When you have to deal with securing “disruptive technology,” as Hoff calls it, most of the time this technology is being brought in by senior management—who happen to need (and expect) access to the most confidential data. They are also the least likely to appreciate the technical difficulties involved in securing it. You cannot simply tell them that they can only use it to access public data. Try telling an exec with her brand spanking-new iPhone that she won’t be allowed to get her email on it.
Most vendors still do not understand this. They can take their “multi-layered security architecture,” fold it until it is all corners, and shove it in their patronizing poop chutes.
Oh, and while I’m at it? While I’m very happy that you homeroom mothers are trying to provide extra arts and crafts enrichment to our kids, please do not expect me to have the time or inclination to hunt down various art supplies, egg cartons, and other assorted flotsam and jetsam to send to school. I’m managing nine people, juggling five vendors, and trying to scrape up hundreds of thousands of dollars in funding by the end of the year. It’s all I can do to get my kid to do homework every frickin night before we both fall asleep. Please do your thing and leave me to do mine.
Posted by shrdlu on Sunday, December 16, 2007 (0 comments)
Back in a couple of weeks, mebbe.
Posted by shrdlu on Sunday, November 11, 2007 (0 comments)
LinkedIn is just making me depressed. It is reminding me that I’m getting old, because as I browse through the list of former colleagues, I recognize the names ... but I can’t remember anything about the people. So I don’t link to them.
That is all.
(Commentary from the preschooler, who is waiting for me to stop writing this and crank up YouTube already: “That’s good working. That’s good typing on the computer.")
Posted by shrdlu on Sunday, October 28, 2007 (6 comments)