So while I was passed out last night, it seems Los Twitteros were busy helping me out. I complained that I was having trouble coming up with interview questions for a new candidate, so a large number of them went to town. BSOFHs don’t cry, but they do occasionally suffer from an overflow of vitreous humor. Thanks, guys.
Since the Library of Congress will doubtless expunge every tweet referring to #QuestionsFromShrdlu, here they are, captured for posteriority. [Comments from me in italics.]
@Shpantzer: When you include the hashtag #Thuglife on your twitter messages, do people nod solemnly or laugh hysterically?
@Shpantzer: Which of the Rainbow books is your personal favorite? Recite a chapter of your choosing.
@Shpantzer: How many packets would a snort box crunch if a snort box could crunch packets?
@Corum: The vendor is related to someone in the C-Suite. When the presentation mentions “compliancy” do you walk out anyway?
@J4vv4d: Was Timothy Dalton the best Bond ever?
@wolfinpdx: Using your knowledge of the TCP/IP stack, Python, APIs, and an Arduino, make me a tweeting toaster.
@Shpantzer: What is your numeric threshold for violence on the SCSoVLF? http://bit.ly/dBxgH7
@wolfinpdx: Autobots or Decepticons? [Crowbars or Headcrabs?]
@mckeay: What are the four closest bars to the Moscone Center and how do you social engineer your way into the parties being held there?
@wolfinpdx: What is significant about Pat Cadigan’s “Synners”?
@mckeay: When was the last time you spilled blood in honor of the patron saint of computers and whose?
@mckeay: How do you get your boss’ phone to broadcast his location and what do you do with the information?
@mckeay: How do you know I’m really @shrdlu and not just some peon who’s messing with a potential new boss?
@jaysonstreet: Are there compromising pics of you from DEFCON online? How much are you willing to pay to keep it that way?
@mckeay: How many times have you watched LoTR? Read? Read Bored of the Rings?
@cunningpike: You are in a house with four windows. They all face south. What color is the bear? [Xyzzy. Oh wait, wrong game.]
@jjarmoc: You find yourself in a dark corridor. A road heads north toward a light, shadows flank a cave to the east. ? [There, that’s the one.]
@mckeay: After all these questions, do you still want the job?
@biosshadow: What is the proper way to eat a gummy bear? #questionsforshrdlu #yumgummybears
@VS_: “If you knew what I know, how far away would you be right now?”
@gattaca: Are these my pants?
@Shpantzer: How do you apply the Leibniz Rule in your daily life?
@wolfinpdx: Pirates or ninjas? [Beatles or Stones?]
@danielkennedy74: A scale has six bowling balls, 4 on 1, 2 on the other. Using two balls, tell me how you answer questions like these?
@armorguy: “Canadians. Threat to the Free World or the Entire World?”
@mckeay: Your CFO read an article on a plane and wants you to buy a new technology. How do you convince him your new IDS is it?
@danielkennedy74: You’ve discovered via mail filtering your CFO’s 7 evil ex-mistresses. What strategic security investment do you pitch?
@armorguy: “@myrcurial invites you to sit ‘for a little chat’. What NAFTA provisions are about to be violated?”
@rybolov: Pliers and a blowtorch or bamboo shoots under their fingernails?
@mckeay: How would you defeat the Kobayashi Maru scenario?
@armorguy: “@securityintern: Hot or Totally Hot?”
@mckeay: What’s the difference between this place and a madhouse? (You get better drugs at the madhouse)
@mckeay: Two men, @Beaker and @jeremiahg offer to teach you BJJ. How fast should you be running and why?
@rybolov: How many 80-hour workweeks fit into a 24-hour day?
@cyberhiker: What is your current salary? Are you willing to take a 50% pay cut and crappier benefits?
@mckeay: Your daughter attends Lower Merion School District. Who’s your lawyer and who’s your contact at the FBI?
@cyberhiker: What year/make/model car do you drive? Correct answers are early ’90s Toyota Corolla or Honda Civic.
@rybolov: Why the hell would any sane person want this job and what does this say about you as a candidate?
@xorrbit: vi or emacs? Choose your next words carefully $(firstname)onidas, for they may be your last… [If you’re not using “cat > $FILENAME,” you’re not really committed.]
@armorguy: “Which Dr. Who is your favorite? If not Tom Baker or David Tennant, you may go.” [Okay, Sylvester McCoy was kinda cute too.]
@mckeay: A drunk developer let himself into the building and is shooting your servers. Call the police or join him?
@VS_: “Arrange these numbers in correct order: 16, 18, 11, 30”. Now add these names: “Macallan, Talisker, Lagavulin”
@mckeay: You’ve just found out that developers are using your live database in testing. How many bodies do you have to dispose of? How?
@rybolov: Why didn’t you show up 30 minutes late to your own interview?
@cyberhiker: Name your favorite muppet, explain your answer.
@armorguy: “Who currently holds the mortgage on your soul? Are you current on interest payments?” #QuestionsForShrdlu
@mckeay: What was your favorite issue of Make Magazine and how many projects have you completed? Almost completed?
@VS_: “When did you realise you’re not Napoleon?” “Certified or certifiable?”
@rybolov: Do you have more than an ounce of dignity left? How do we grind it out of you?
@mckeay: Which is your favorite X-man? Explain.
@mckeay: Someone has just asked if you have a hook, a half-diamond or a Bogota handy. What are they and which do you have with you?
@armorguy: “In how many languages are you fluent in assorted profanities, obscenities, or vulgarities?”
@mckeay: How do you condition your liver for Black Hat and Defcon? RSA? Why the difference?
@armorguy: “At a conference @geekgrrl asks to see your phone. Do you let her? Explain your answer.” [Oh HELLZ no!]
@rybolov: How many uses can you think of for a cattle prod? [Legal or illegal?]
@mckeay: Where’s your towel?
@armorguy: “@rybolov approaches you with a flask. Do you drink it if offered? Why or why not?” [Of course—it’s the only way to inoculate yourself against ShmooFlu.]
@danielkennedy74: Have you ever been in a Turkish prison? Have you ever seen a grown man naked?
@rybolov: Can we dunk you in a pool full of piranhas as a proof-of-concept?
@csoandy: Explain your similarities to MacGyver.
@mckeay: Your CFO has infected his machine for the third time this month. What do you do to his pr0n collection?
@mckeay: You haven’t seen your family in 3 weeks due to your work schedule. Is this a) desirable b) unavoidable or c) what family?
@cyberhiker: What is your favorite @exoticliability stripper story?
@armorguy: “After how many password resets is it legitimate to eviscerate a user?”
@danielkennedy74: 1 train leaves Chicago at 11:30am traveling 112mph. 1 leaves NY at 12, at 69mph. Where do you see yourself in 5 years?
@mckeay: The vendor has offered you bribes of money, chocolate or coffee. Which do you choose? (All 3 is an acceptable answer)
@rybolov: Is your last name “Roberts’); drop table users;--”?
@mckeay: How many action figures do you own? How many of them are in mint condition? How many can you part with for this job? [3 Babylon 5, plus 2 Sandman plush figures; all of them; NONE OF THEM.]
@armorguy: “Boxers, briefs, thongs, or commando? Please be prepared to show your work.”
@cyberhiker: When is the last time you sacrificed a team member for the community coffee machine?
@mckeay: Where do you keep your pr0n? Is it separate from your anime? Why or why not? [There’s a difference? #notentaclesplease]
@kriggins: When eliciting information from reluctant persons, do you prefer piercing or crushing implements? Why? [Crushing ones are more carpet-friendly.]
@Shpantzer: What is the proper use of the machete in the datacenter?
@danielkennedy74: Sometimes in infosec, the best laid plans go awry. Where would you hide the bodies?
@mckeay: Explain what the word “quine” means and why you should avoid “quine-like rages” [That’s a trick question. Rage is the new Greed; it’s Good.]
@armorguy: “.40 S&W or .45 ACP?”
@mckeay: Have you ever had to scrape whiteout off of a secretary’s screen? Off the boss’ screen?
@cyberhiker: Name your favorite open source security project. Demonstrate its use with the live CD in your bag.
@kriggins: Upon learning a dev has been given write access to production, please describe your response to the sysadmin.
@mckeay: In 140 characters or less, tell me your life story.
@armorguy: “Exactly which cube on the Help Desk will you reserve for @beaker? Why that one?”
@armorguy: “Describe, in 25 words or less, the 7 forms of ritual suicide you’ll accept from team members.”
@mckeay: What’s the best way to dispose of the body of the sales guy who won’t log off for your scheduled maintenance window?
@armorguy: “Given an IDS sensor, a Win95 laptop, and 2 patch cables - create in-depth network defense. You have 15 minutes.” [Just give me a pair of wire cutters and we’re done.]
@rybolov: What is your current AD password?
@kriggins: When describing the risk associated with a particular effort or action, what color scale do you use?
@mckeay: What is the mean time between failure of a floppy drive? How many computers do you own that still have them?
@armorguy: “Auditors: Necessary Evil or just Pure Effing Evil?” #QuestionsForShrdlu
@agent0x0: What is the airspeed velocity of an unladen swallow?
@mckeay: How many ways do you have with you to open a lock, right this moment? Have you read Practical Lockpicking?
@armorguy: “At what point are you legally justified in rectally inserting the IDS appliance into the salesperson?”
@rybolov: Which 3-letter vendor do I hate?
@rybolov: How many seconds would it take you to lock the AD administrator in the datacenter and trip the halon system?
@mckeay: How do you make a Hoffaccino? And how do you survive drinking one? [Hoffaccino is the new Pan Galactic Gargle Blaster.]
@rybolov: Users: weakest link ever or weakest link ever? #HereHaveASoftball
@mckeay: Whose secretary do you make friends with first? The CEO’s, the CFO’s or the receptionist? [Tip number one: do NOT call them “secretaries.”]
@armorguy: “What’s your favorite compliance framework?” (Note: This Is A Trick Question)
@rybolov: When did you stop beating your existing staff?
@rybolov: Let’s do some roleplay, shall we? I’ll be the CFO and you can be the CISO groveling for more budget. [Do I get a safeword?]
@armorguy: “How many ways do you know how to kill a man? How many to resuscitate? Why the discrepancy?”
@cyberhiker: When is the last time you saw “War Games”, “Sneakers”, “The Matrix” and “What about Bob”? (Must name all 4)
@rybolov: How many executives have you blackmailed this week/month/year over their web browsing history?
@armorguy: “Are you currently a fugitive from ISACA, ISC^2, ISSA, or the PCI Council? If not, why not?”
@kriggins: Describe to me your calming process when faced with abject stupidity or willful ignorance. [It involves a machete.]
@rybolov: “Have you ever used a machinegun to stem a wave of human attackers?”
@cyberhiker: When is the last time you made a small child cry? If this morning, was the child yours or one you just met?
@armorguy: “Do you realize that the fact you want this job tends to disqualify you? Can you explain yourself?”
@cyberhiker: Looking at your résumé, you are clearly qualified. What the hell did your parents do to you? [They let me read Heinlein at an early age.]
@cyberhiker: Do you promise to not throw me under the bus as soon as you take over?
@rybolov: “Can you juggle flaming chainsaws?”
@cyberhiker: Do you suck? And if not, will you continue to not suck?
@armorguy: What’s hard about “How do you crush the soul of a department manager?”, “What’s the access code to the Pit of Ultimate Darkness?”
@mckeay: “Are you willing to work ridiculously long hours with little recognition and even less pay?” is a good start [That’s how my current job started ...]
It’s getting really hard to find something to add to the Intel-McAfee pile-on, but Bruce Schneier posted a comment that is worth repeating:
What we’re going to see is consolidation of non-security companies buying security companies. So, remember, if security is going to no longer be an end-user component, companies that do things that are actually useful are going to need to provide security.
Which makes complete sense. Security really shouldn’t be a separate discipline. When done right, security is a shadow organization of all of IT.
Please note: I am not using “shadow” in the sense of “opposition,” although that frequently happens (NVPs). I’m also not necessarily using it in the sense of “the real power behind the throne,” although that happens too. I’m using it in a more analogous sense: that every aspect of IT has an aspect of security to it, and we should be so closely aligned with IT itself (which itself should be so closely aligned with the business) that if we do our jobs right, you should only catch a glimpse of a shadow going by.
Sometimes non-practitioners make a very basic error in their assumptions.
They assume that security staff actually have CONTROL over their systems.
Most products are predicated on this assumption—here, just install this agent and you’re done. Put this on the single choke point in your network and you’re done. Just whitelist what users can install and you’re done.
And they have no idea how depressingly frequently their basic assumption is wrong. Too many security organizations are relegated to sad policy-writing and couldn’t even force an account disable if they wanted to. Hell, there are times when even the nominal centralized IT organization doesn’t have control over the network or most of the endpoints.
Without control, you have no security. It’s really as simple as that. It’s why procurements don’t happen; it’s why perfectly good products get shelved or only get implemented in an area slightly larger than what qualifies as a proof of concept. The organization has no way of forcing the rollout, or has to share control—not just viewing rights, but actual governance—among various competing groups.
Take a look at my Lopsided Pyramid of Pain[tm] below.
What do you potentially control the most? The few network devices that you have. What can you control the least? All those mobile devices that people bring in without even your knowledge, much less control. (Please don’t talk to me about Blackberry Enterprise Servers until you can convince them to control more than just Blackberrys. Say, an iPhone.)
Think about the security products on the market, and which ones are most easily adopted. Edge network device controls. Appliances. Agentless scanners. Network-based DLP.
Think about the ones that we all agree are a really good idea, and yet somehow aren’t taking off like they should. Endpoint solutions. Whitelisting. Big honking enterprise consoles. Anything that assumes that “heterogeneity” only means missing a few Windows patches. Anything that assumes that there’s only one system administration group, and they have only one boss.
This is also, coincidentally, why nobody wants to give up the idea of having a perimeter. Jericho Forum be damned, if it’s the only place where they have a chance of making changes, they’re going to keep their firewalls.
Vendors who are all about GRC need to take into account the use cases where “governance” means taking eight months to have lawyers approve your publishing a policy to declare that you can install something on any desktop the company owns. (Not anything connected to your internal network; just anything you can claim to have purchased.) They need to take into account third parties that run portions of your infrastructure that won’t actually agree to that policy. And they need to take into account the frequent cases where an organization doesn’t actually have a complete asset inventory, or where it’s responsible for protecting assets it doesn’t own, run by people who work at business partners.
I promise you, if you had a Ninja Coup Deployment Model*, allowing a security group to stage a rollout overnight that would be a fait accompli by morning, you’d have a lot more adoption by security groups that need help taking over their own enterprise.
*I just made that up. Licensing terms available for a very small fee.
Bob Blakley just tweeted a quote from a talk that set me off:
“If you integrate social networks & business, is HR going to ask you not to swear on the weekend?”
My very lawyerlike answer: it depends.
Social networks are here to stay, water is wet, and too much sugar is bad for you. We still don’t have new rulesets for privacy to go along with social media, so there are a lot of people blundering about doing the wrong thing. As every socmedaware geek will be happy to tell you very loudly, over drinks at a party, it simply has not sunk in with most people that what you post on the Internet is easily readable—no matter where it is or what controls you thought you put on it—and will be there forever. It has, however, started sinking in that ANYONE with a grudge against you can spread that grudge very publicly, and there’s little you can do to stop it.
The combination of those two realities means that the Mrs. Grundy of yore, peering at you from behind her curtained window and gossiping about you at church, ain’t got nothin’ on the Internet.
Once everyone has had his/her fifteen minutes of fame in real life and fifteen weeks of notoriety on the Internet, I expect we will settle down and stop pointing fingers at every slip. We will learn how to ignore published lies from bloggers and turn a blind eye to Facebook indiscretions. Until then, though, we have to hope that businesses will figure it out faster and will treat employees appropriately.
Does your employer have the right to monitor and govern your use of social networks? It depends an awful lot on context and the type of job you have. People who have positions requiring background checks are already used to this; I don’t expect they would bat an eye at the thought of the same investigator reading everything about them online. Those who are public figures by profession also understand this.
The shady area starts in the public sector, where individuals who are public servants by day (say, answering the phone or administering databases for a local governmental entity) expect that they will be allowed to clock out of this role when they go home at night. There are thousands of types of public sector jobs that do not involve being regarded as a public servant 24/7. So those people would like to be left alone in their houses, their places of worship, and their Friendster accounts. They did not sign up for cameras watching their every nose-pick at their desk, or the equivalent, in the name of transparency, accountability and whatever else.
As you go up the ladder, though, whether it’s in the public or the private sector, the rulesets clearly change, and everyone wants to know what the CEO of BP was doing on his off hours, especially if it could be turned against him by anyone with an agenda. “CEO OF BP SHOPS AT EXXON GAS STATION; BUYS SUNGLASSES AND KIT-KAT BAR!”
So it’s clear that gossip-worthiness falls along a spectrum, and we kinda know where that is in real life. Due to the power of search facilities, though, it’s not clear yet online. Our power to find out every mention of a person on the Internet is disproportional to how much we would hear about him in real life. It’s as though everyone came with his own newspaper now, and his own dedicated spot on the bulletin board at the Y. Somewhere deep down, we believe that because we can know so much about someone, he must be more of a public figure, and therefore must submit to the same privacy rules that public figures have.
In the public age of the Internet, we don’t know who public figures really are anymore.
I know too many people who take the attitude that because someone has an online presence of any kind, he has agreed to be a public figure with all that entails, and deserves every inspection or thrown tomato that he gets. They want to punish the grandmas and grandpas of the world for being “foolish” enough to put something out there in one community without understanding that there are no walls around communities on the Internet. This is not in the least bit helpful, and frankly, it smacks of technical elitism.
Having said that, we get into trouble when a non-public figure becomes too easily searchable or too ubiquitous online—say, because he has a unique name or is renowned in a large discussion forum. When a person is too visible online, it becomes more difficult to separate him from his day job, no matter what it is. A person who sticks out too much on the Internet becomes a reputational risk to his employer, and there’s just no getting around that. This would be the same if he were, say, running for public office or writing a column for a national magazine in his spare time. In this case, if the visibility is too high and it is too negative, the employer may have every right to say, “You’re damaging our reputation in a way that we have no way of stopping except by disassociating ourselves from you. Here’s a box for your personal belongings; it’s been nice knowing you.” Or the HR conversation may involve the words “conduct unbecoming to a board member/public servant/officer” and a disciplinary action.
We need to make sure that employers know the difference between visibility and searchability. When there is no expected visibility (and therefore reputational risk) attached to a job, the employer should not be searching online in non-professional areas for mentions of the person who is filling that job. When there is no real-life requirement for a background check, the employer should not be doing the equivalent of a background check online. That is disingenuous of the employer and demeaning to the employee; it’s as if the employer were insisting that the employee comply with business dress code on the weekends.
In other words, social network monitoring should be commensurate with the real responsibilities of the job, not commensurate with what is technically possible. I hope that employers will fall into line with this soon if they haven’t already. They should be able to defend logically the level of their surveillance (and let’s call it that, because that’s what it is). If they can justify interviewing Mrs. Grundy on her doorstep, then they can justify searching her blog.
But they’d better watch their own backs when they get online at night.
WARNING: SWEEPING GENERALIZATIONS AHEAD. Watch your feet.
I was pondering earlier why there appears to be such a large cultural gap among some areas of security, why some pockets of the security world are dismissed as irrelevant by others.
I think it has to do with attitude.
Some security professionals I know—who more likely than not come from the defense and law enforcement sides of the house—approach security questions from the perspective of defending against bad guys. They spend all their time and energy on war planning: “We’ve got to stop the users from hurting themselves and us!” “Loose lips sink ships!” “We’ve got to make them understand how DANGEROUS it is out there!” “Let’s calculate the risk to the last 15 decimals and maybe they’ll believe us.” “We need more policies and rules around this type of action.”
Others are trying to make things work in a safe manner. How can we enable cloud customers to audit their environments? How can we create an open, trustworthy method of ID management? How can we help users become more secure in an environment that is way too complicated?
I think I know which type of professional everyone else outside of security wants to work with and listen to. If you are not working in defense or law enforcement, you don’t make them part of your daily business. You don’t call the FBI to sit in on business meetings; you only call them if and when you get sufficiently pwn3d that you need help with prosecution; otherwise you’re going to call a commercial incident response company. When you want to roll out something new, you don’t ask the FDA to come help you design it and market it. You deal with them only as much as you need to—as much as regulations force you to. Anyone whose only tune is OMGWTFCYBERWAR! is not going to be invited up to the karaoke stage.
So which type of security professional are you? Are you a fighter or a builder?
Several people have been pointing out that security is fundamentally broken, and we need some radical adjustments to fix it. I’ve also been re-reading Thomas P.M. Barnett’s The Pentagon’s New Map, in which he argues that globalization has disrupted the old rulesets that we formerly used as a society, and we need a bunch of new rulesets. Substitute “globalization” with “disruptive technologies,” and I think we’re onto something in the infosec space.
Take as an example the fact that everyone is talking about needing a “mobile device security policy.” These policies tend to fall into three categories:
1) No.
2) Only with the mobile devices we give you.
3) Uh ... is that the new iPad? Can I see it?
Number one is idealistic and completely impossible to enforce, unless you bodily frisk everyone walking in the door of your company. And even that doesn’t work when your employees just go out into the parking lot for a smoke^Wsmartphone break, as Trevor Hawthorn pointed out in his ShmooCon talk, in which he found out that a couple of the game buddies he was trailing via a smartphone game worked at Highly Secured Locations (around 30:00 into the video). Oops.
Number two is also unrealistic, for the same reasons as number one. People will happily take your company’s downscale Blackberry, AND bring their iPhone into work for the really cool stuff. And forget about BES; I think it’s going to be obsolete as soon as people figure out that as long as you have any kind of browser-enabled remote access to email, you can get it downloaded to your smartphone. I see my executives do it all the time.
Anything that doesn’t use a browser as its interface is probably going to be irrelevant pretty soon. The browser is where the cyberwar’s at. The browser, and ports 80 and 443.
So I’m calling the game, folks. We. Have. Lost.*
Like it or not, we have been moving steadily from the world in which everyone in a building used one teletype to connect to the computer, to a bunch of hardwired terminals, to desktops that “belonged” to the building, to the browser, which doesn’t belong to anyone and can’t be physically controlled.
Remember the briefcase? (Does anyone younger than 40 even know what one is?) When I was growing up, every man with a desk job had a briefcase in which to take home work. (Yeah, I said “man.” I’m that old.) My dad had one. Of course, he took really good care of it, because it also had his wallet in it. It was big enough that it was pretty hard to forget about. Now, the military and law enforcement got cool handcuffs that came with their briefcases, but not anyone else.
We’re still trying to adapt what used to be physical controls to software.
The Jericho Forum waded into this disrupted chaos with the recommendation that we head towards de-perimeteri{s,z}ation, which is a very good step in the right direction, but I suspect we need to go even farther than that. I think we need to pull back (run away, run away!) from battling with the user over what are now essentially office supplies. Let’s face it: mobile computing has become the (very fancy) equivalent of a phone, a notepad and a pencil—and we can no longer dictate AT ALL how people use them. (“No, you can only use OUR pens, and you can’t use them to write naughty words. That’s a violation of company policy. If you do it, we will send you a memo and tell you very sternly not to do it again.”)
Once I came up with the idea of putting every employee’s SSN on any USB drive they plugged into our desktops, to motivate them to take good care of it. My boss wasn’t down with that, surprisingly enough. But I think we still need to find the motivation.
So here it is: maybe we SHOULD throw our lot in with our employees. They’re putting their personal data on our desktops; they’re putting it on any PDA we hand to them; and likewise, they’re getting peanut butter in our chocolate by putting corporate data on their privately owned smartphone/tablet/pad/doily. Maybe we should embrace this, and work TOGETHER with the employee to secure BOTH kinds of data, since they’re going to be sharing all the same browser space and hardware and OS and wifi.
Now, the military and law enforcement can probably continue to get away with bodily searches, secure paper and tactical pencils, but the rest of us can’t. We are no longer in charge of how and where our communication and work tools are used. We need to stop demonstrating, over and over again, Einstein’s definition of insanity, and do something completely different.
Do I know how to do this? Of course not. I’m hoping that smarter heads than mine will take the ball and run with it. But I’ll be cheering you on, and maybe one day it won’t even sound all that crazy.
* UPDATE: George V. Hulme’s comment made me realize that I didn’t explain things very well. We have not lost the fight against “the bad guys.” We have lost it against our users. And let’s face it: today’s security models make it really hard to tell the difference between the two.
UPDATE 2: To follow Barnett’s model, if we really need new rulesets around security and privacy in this area of disruptive technology, maybe the policies that we (security) are creating are holding society back from developing those rulesets. We’re keeping them from the real objective by turning them against us, the security folks, instead of addressing the real gaps. (Thanks to @greg_pendergast for that one.)
I see a lot of frustration in the security community about breaches that happen because an organization didn’t have controls or configurations in place that we consider to be “the right ones.” (I won’t use the words “best practice,” or even the word “standards,” because God may move on from killing kittens to killing other adorable pets.) The consensus seems to be that if everyone just had “the right controls” in place uniformly, security would improve, and the voice of the turtle would once again be heard in our land.
Folks, it’ll never happen. And by “never,” I mean SO never that you should probably never have asked for it to begin with.
I will posit to you that managing security in an enterprise is not about managing controls; it’s about managing exceptions.
For every tool setting, there is an equal and opposite exception. (@nselby will know what prompted this.) If you look at a firewall, it’s pretty much one big exception right there: it’s a device you use when you have to connect two networks together even though you know you really shouldn’t. Every firewall rule that doesn’t have a “deny” in it is by definition an exception.
When an auditor comes a-knockin’, nearly everything she will ask you about is an exception. Why is this account still active? Why don’t you have setting X enabled? And for some of them, the answer will be, “Uh, we forgot,” but the most frustrating times are when you have to explain that you MEANT to do that; that there’s a solid business reason (hopefully with risk mitigation behind it) that just won’t allow things to be “standard.” I’ve known auditors who get that, and auditors for whom the word “exception” causes their heads to explode.
Here are some (maybe unspoken) rules around exceptions:
1) Exceptions need to have at their core a business reason for existing. (The proximate cause might be technical, but not the root cause.)
2) Exception decisions need to be made by the business, or by the business’s designee (often the CISO).
3) Exceptions should have a defined lifecycle and TTL. (They might be there until you get off the mainframe, but they’re still understood to have a limit, not be a permanent dismissal of the control itself.)
4) Exceptions need to be documented to the extent that they can be reviewed and/or explained at any time.
And this is where just about every security technology falls flat. They all assume that you will have every configuration of a tool at the “optimal” setting, the one they designed it for. Nearly all of them make it hard, if not impossible, to manage the exceptions in a consistent, consolidated way.
Every time you tune an IPS, you’re putting in exceptions. Every time you find a scanner hit that you know isn’t going to get fixed, you have an exception. (Ever tried to document exceptions in a 500-page PDF scanner report?) Baseline traffic is very hard to determine until you’re completely aware of the exceptions (otherwise known as, “This IS normal, you idiot.”). Every file share, every non-expiring password, every patch you can’t apply—they’re all exceptions.
Some CISOs try to list some of the major exceptions in a spreadsheet, but it’s nowhere near the scene of the crime(s), and you can’t possibly keep up with all of them. Tools need to come with easy, immediate exception management, so that for every setting, you can explain why it’s there.
Whenever you look at a firewall rule, half the time you’re going to be asking yourself, “Why is that there? Did *I* put it there? Do we still need it?” It would sure be nice if the explanation were right there, as a comment that could be version-tracked, exported into nice reports, searched on, and placed in a standard format that would be compatible with other exception entries in other tools. (Kind of like a syslog for exceptions.) It would be nice if you could mark a scanner finding as, “We KNOW it’s there. We’re not going to fix it. Just for these two machines, STOP REPORTING ON THIS.”
Imagine a world where the CISO could print out a report of all exceptions granted to the Bahama office (those rogues). Not just all exceptions in one tool, but in EVERYTHING that has a security setting. Imagine being able to go through a report and immediately identify non-standard settings that you DIDN’T intend to put there, as opposed to having them get lost in the noise of all the ones you DID intend. And no, I’m not talking about Unified Threat Management, unless you consider an exception to be a self-inflicted threat.
I’ve been asking for this kind of enterprise tool management capability since, oh, 1998 or so. Won’t somebody please step up and make it happen?
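As an added illustration of the “syslog for exceptions” idea above (example code, not anything from the original post or an existing product), here is a tool-neutral exception record carrying the four rules listed earlier, plus a reconciliation step that sorts observed non-standard settings into intended, expired and unexplained. The tools, targets, offices and dates are constructed sample data.

```python
from dataclasses import dataclass, asdict
from datetime import date, timedelta


@dataclass(frozen=True)
class ControlException:
    """One granted exception to a security setting, recorded the same way for every tool."""
    tool: str             # which product holds the non-standard setting
    target: str           # host, rule id, account, finding id ...
    setting: str          # the control being excepted
    business_reason: str  # rule 1: a business reason, not merely a technical one
    approved_by: str      # rule 2: the business or its designee
    granted: date
    expires: date         # rule 3: a TTL, even if it is years away
    office: str = "HQ"

    def key(self):
        return (self.tool, self.target, self.setting)

    def is_active(self, today):
        return self.granted <= today < self.expires

    def to_record(self):
        """Rule 4: one searchable, consistently formatted line per exception."""
        return " ".join(f'{k}="{v}"' for k, v in asdict(self).items())


def reconcile(registry, observed, today):
    """Split observed deviations into the ones we meant, the ones that lapsed,
    and the ones nobody ever explained (the interesting list)."""
    by_key = {e.key(): e for e in registry}
    result = {"intended": [], "expired": [], "unexplained": []}
    for key in observed:
        exc = by_key.get(key)
        if exc is None:
            result["unexplained"].append(key)
        elif exc.is_active(today):
            result["intended"].append(exc)
        else:
            result["expired"].append(exc)
    return result


def report_for_office(registry, office, today):
    """All active exceptions granted to one office, across every tool."""
    return [e for e in registry if e.office == office and e.is_active(today)]


def expiring_within(registry, today, days):
    """Active exceptions whose TTL runs out inside the next `days` days."""
    horizon = today + timedelta(days=days)
    return [e for e in registry if e.is_active(today) and e.expires <= horizon]


# Constructed sample registry and observed settings (hypothetical values).
TODAY = date(2010, 6, 1)
REGISTRY = [
    ControlException("firewall", "rule-217", "allow tcp/1433 from vendor net",
                     "Vendor support contract requires direct DB access", "CISO",
                     date(2009, 1, 15), date(2011, 1, 15), office="Bahama"),
    ControlException("scanner", "host-db07", "finding: legacy SSLv2 enabled",
                     "Gateway cannot be upgraded until mainframe migration", "CISO",
                     date(2008, 3, 1), date(2010, 3, 1), office="HQ"),  # lapsed
    ControlException("ips", "sig-4411", "signature disabled",
                     "Matches normal payroll batch traffic", "Payroll director",
                     date(2010, 5, 20), date(2010, 6, 20), office="HQ"),
]
OBSERVED = [
    ("firewall", "rule-217", "allow tcp/1433 from vendor net"),
    ("scanner", "host-db07", "finding: legacy SSLv2 enabled"),
    ("ips", "sig-4411", "signature disabled"),
    ("ad", "svc-backup", "password never expires"),  # nobody documented this one
]

if __name__ == "__main__":
    for bucket, items in reconcile(REGISTRY, OBSERVED, TODAY).items():
        print(bucket, [getattr(i, "target", i) for i in items])
    for e in report_for_office(REGISTRY, "Bahama", TODAY):
        print(e.to_record())
```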
It’s too bad that the stock term “identity and access management” leaves out the bridge between “identity” and “access”—and that is the relevant attributes attached to that identity.
Finding out whether someone is who he claims to be is pretty straightforward for the purposes of data collection. We do it every day with passport numbers and driver’s license numbers and so on. But that in itself is not enough to grant and manage someone’s access to a system. There are also methods for disambiguating identities within a system, whether it be by unique username, user ID, email address, or a combination of demographics (by the way, don’t try that last one at home for any really big system). We can do those parts of an IAM system.
But managing access is all about deciding WHAT that person needs and, most of all, WHY—and the WHY requires attributes.
Different systems have different business rules for their access. You might be granted access to a system because you’re a parent of a particular child; or because you’re an employee of a particular company; or because you’re a customer of a particular outfit. You might be a beneficiary of a service, a contributor of content, a Person of Size, or a candidate for office. One system won’t care whether you’re a parent, but it will care very much whether you’re still an employee.
So a system either explicitly or implicitly assigns attributes to the identities it uses. A “title” might imply that the user is an employee. A relationship, such as “is related to $child,” would indicate that the user is a parent. Some of the attributes, like contact information, might be important or might not be, depending on the business rules; and that determines whether that information is validated and actively managed. You want to keep validating that someone is still an employee of your organization, but you might not care so much if he moves from Apartment 202 to Apartment 203 at home.
These attributes might lead to a user being assigned roles, but you shouldn’t confuse the two. The condition of an attribute determines which role(s) you’re assigned and for how long. For example, if you are the parent of a student at a school, you might be assigned a Parent role in the school’s grade-monitoring system, but if you lose custody of that student—or once the student leaves that school—you will have that role removed, along with the access. (Well, you *should* have it removed. Thus Spake the Auditor.)
This is why identity management is so hard to pull off. Even when two business areas agree that they need to manage the same attribute for access to their systems, they may disagree on lifecycle. One area might only be concerned with active customers, and the other might want to keep a user in its system if she has EVER been a customer, regardless of current activity. One area might have rules for validating an attribute that are unrelated to, or conflict with, the rules of the other business area. An identity might have multiple values for the same attribute (working for McDonald’s AND Burger King). The architect of an IAM system has to juggle all these aspects, and more.
Your only hope is to make all these attribute rules and assumptions transparent, so that you can have a running start at keeping them all in line. There are few things hairier than discovering that your business area was using a non-validated field in a database for crucial business decisions. This is also what keeps shared databases from being redesigned, by the way: when a field means different things to different people, and the meanings aren’t codified or documented anywhere.
I suppose it’s too late to add another “A” to IAM. Oh well. If you take up drinking, you might be able to see the doubled “A” or you might not, but at least it will ease your IAM headaches.
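To make the attribute-versus-role distinction concrete, here is an added example (not from the original post) in which roles are derived from attribute conditions rather than assigned directly, each attribute carries its own validity window, two business areas apply different lifecycles to the same customer attribute, and an attribute can hold several values at once. Identity data, system names and rules are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Attribute:
    """A validated fact about an identity, with the lifecycle its source gave it."""
    name: str                # "employer", "customer_of", "parent_of" ...
    value: str
    source: str              # system of record that validated it
    valid_from: date
    valid_to: Optional[date] = None   # None: still current as far as the source knows

    def is_current(self, today):
        return self.valid_from <= today and (self.valid_to is None or today < self.valid_to)


@dataclass
class Identity:
    uid: str
    attributes: list

    def values(self, name, today, include_lapsed=False):
        return [a for a in self.attributes
                if a.name == name and (include_lapsed or a.is_current(today))]


@dataclass(frozen=True)
class RoleRule:
    """A business area's rule: hold this role while this attribute condition holds."""
    system: str
    role: str
    attribute: str
    value: Optional[str] = None   # None: any value of the attribute qualifies
    lifecycle: str = "current"    # "current": lose the role when the attribute lapses
                                  # "ever": keep it once the attribute was ever held


def derive_roles(identity, rules, today):
    """Roles per system, recomputed from attributes; nothing is stored as a role."""
    roles = {}
    for rule in rules:
        roles.setdefault(rule.system, set())
        include_lapsed = rule.lifecycle == "ever"
        for attr in identity.values(rule.attribute, today, include_lapsed):
            if rule.value is None or attr.value == rule.value:
                roles[rule.system].add(rule.role)
    return roles


def conflicting_lifecycles(rules):
    """Attributes that different business areas manage with different lifecycles:
    the disagreements the post says must be made transparent."""
    seen = {}
    for r in rules:
        seen.setdefault(r.attribute, set()).add(r.lifecycle)
    return {name for name, kinds in seen.items() if len(kinds) > 1}


# Constructed sample identity: two employers at once, a lapsed customer
# relationship and a parent relationship that ended (custody or graduation).
ALICE = Identity("alice", [
    Attribute("employer", "Acme", "hr", date(2005, 1, 1)),
    Attribute("employer", "Burger King", "hr-partner", date(2009, 6, 1)),
    Attribute("customer_of", "Bank", "crm", date(2004, 1, 1), date(2009, 12, 31)),
    Attribute("parent_of", "student-4711", "registrar", date(2008, 9, 1), date(2010, 3, 15)),
])
RULES = [
    RoleRule("hr_portal", "Employee", "employer", "Acme"),
    RoleRule("partner_portal", "Staff", "employer"),               # any employer
    RoleRule("online_banking", "Customer", "customer_of", "Bank"),  # active only
    RoleRule("marketing_crm", "EverCustomer", "customer_of", "Bank", "ever"),
    RoleRule("school_grades", "Parent", "parent_of"),
]

if __name__ == "__main__":
    print(derive_roles(ALICE, RULES, date(2010, 6, 1)))
    print("lifecycle disagreements:", conflicting_lifecycles(RULES))
```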
If you have kids, you know all about how Disney creates the same feeling of excitement. Whether it’s seeing a new movie or going to the theme parks, this is another company that does it right.
[...] So whatever business you are in, think about how you can surprise your customers in a positive fashion (yes, those pesky users who keep screwing everything up are your customers) and create excitement about what you are doing.
I know, we do security. It’s not very exciting when it’s going well. But wouldn’t it be great if a user was actually happy to see you, instead of thinking, “Oh, crap, here comes Dr. No again, to tell me not to surf pr0n on the corporate network”? Think about it. And expect more from yourself and everyone else you do business with.
So I just couldn’t help it: my inner Entrepreneur sat up, pulled the Bluetooth out of his ear, and spilled Hoffaccino down the front of his cargo pants. I’m inspired to go out there and Make a Difference.
I’m going to help the TSA remake their image. Create excitement. Yes, we’re going to follow the Disneyland model.
Why not? After all, they already have lines, and in some cases even a monorail. Can’t you imagine a TSA security line with those gorgeous antique-lettered signs that say “Waiting Time From This Point: 90 Minutes”? How much easier would crowd control be if they had costumed characters serenading the folks as they waited?
The night before your flight, you could get a multimedia text message on your phone from the TSA, saying, “Congratulations! You’re about to enter the Magic Kingdom!” When you entered the terminal, a jolly Snow White lookalike would greet you and wish you a wonderful stay. There would be TSA Franchise Music everywhere, and TSA souvenirs for sale, like X-Ray Operator Action Figures, monogrammed latex gloves, and TSA uniforms for the kids. And all the smiling TSA personnel would be encouraging you to take The Ride of a Lifetime! into the Magic Scanning Booth where you could assume the Position and get a keepsake photograph of yourself without your clothes, once you exited the other side. Think of the treasured memories! (Family portraits would be extra, but oh so worth it.)
The “No-Fly” List would become the “VIP Guest” list—the guests whom the TSA love so much, they won’t let them leave to get on the plane. Frequent fliers could book special package breakfasts with their favorite TSA characters. Everyone could glide along the moving walkways with their carryons, past animatronic figures singing “It’s a Small Seat After All.”
I think I’m really on to something here. The possibilities are endless. Let’s make some magic, shall we?
I knew that there were different security subcultures—the financial folks, the guvvies, the haXX0rs, the analysts, the vendors, the academics, and so on. I just didn’t realize how large a gap there was among some of them.
So I was sitting talking with a Researcher the other day, who was describing the practice of trading malware samples, and someone else at the table asked about reporting findings to US-CERT. There was an awkward silence. It was pretty clear that at least in one kind of community, when you find a 0day, reporting it to US-CERT is about as relevant as dialing the city’s Animal Control.
A few days later, I was sitting with some feds, and I got to wondering why there seems to be such a distance between them and the other circles I visit. I know a few other Twits who have a foot in both worlds, but why do they seem to be so far apart, and travelling in different directions? If I have a problem with some malware, I know which URL I’m going to head to for help: Twitter. It wouldn’t even occur to me to search in a vulnerability database; I’d want to get as close as I could to someone who could actually help me in real time ... and that’s not anyone I know in the official Emergency Management space.
Why do you think that is? It’s not that there aren’t smart people working in the public sector; I know there are. It’s not as if there aren’t some public-private partnerships out there, particularly with the largest security vendors and consulting companies. Is it simply that there are too many controls on the public sector security organizations so that they can’t react quickly enough or share enough to be useful? If you’re a malware researcher, is any public sector group on your speed dial? And if not, why not?
This kind of ties in to Jack Daniel’s latest posting, which exhorts security professionals who are not actually defending an enterprise to try doing so. Old jokes aside—walk a mile in someone’s shoes before criticizing him; that way, when you do criticize him, you’ll be a mile away and have his shoes—I think it would help the perspective of a lot of people to “switch cultures” and see how another half lives. There’s nothing like taking a recommended security measure and trying to make it work across continents, with no budget, with a weak or hostile management, or simply in an office where people think the Internet is Facebook.
Perhaps we are fracturing too much into navel-gazing security subgroups, in the same way that many people today only read the blogs or listen to the media that agree with their worldview. Nobody takes me seriously at Shmoocon if I’m in business drag rather than the regulation t-shirt; nobody takes me seriously at Big Commercial Conferences if I’m not wearing an expensive suit. There are too many people that I only see at one kind of conference. Maybe it’s time for us to get out there and mix it up a bit. We certainly can’t pull together to confront security threats if we can’t act as one community.
Welcome to my organization. This short document is intended to brief you on some very important rules of engagement as you prepare for your activities; please commit them to memory so that I don’t have to do it for you.
1. DO NOT wait until the last minute to ask for the initial meeting. Presumably you will have known you were going to do this audit for more than a week. I have a very busy schedule and nothing makes me want to cooperate more than having to cancel commitments I’ve made to other people to accommodate your lack of courtesy and planning.
2. DO NOT ask for subsequent meetings with me without telling me beforehand what you’re going to ask me. I need to know what your general questions will be so that I can select the appropriate staff to answer those questions and drag them away from their real work to do it. If you do not know what you’re going to ask me, then this is called a “fishing expedition” and I do not have time to make idle chat while you fumble your way around.
3. DO know what you’re talking about. If you are an IT auditor, for the sake of all that is holy, you’d better know some IT. DO NOT make me explain to you why a domain account is appearing in the account lists on every server. DO NOT make me explain to you that “nobody” is a perfectly legitimate Unix ID. DO NOT ask me what the “SMTP application” is for and who uses it.
4. DO NOT spray me and my team with fifteen emails a day asking various combinations of clarifying questions and requesting random screen shots. Put your questions and requests in a spreadsheet so that I can mark off what I’ve answered and what I haven’t.
5. Guess what? In a lot of cases you do not need to talk to me at all. My team members are clueful and can answer your questions just fine. It does no good to request to meet with me personally just because of the title I happen to hold. Especially if you have no idea what you’re going to ask me. See #2 above.
6. DO NOT ask me to violate my organization’s security policies for your convenience. After all, you’re here to audit them.
7. Try at least once or twice to understand the risk analysis behind our configuration. Nothing irritates me more than being written up for something that is dictated by your checklist but isn’t an actual security risk.
8. Oh, speaking of checklists: please update them. This is not 2003.
9. And finally: when our response in the formal report reads, “Management agrees with the findings,” it does NOT mean management agrees with the findings. It does not even mean “okay, you caught us.” In our book, “Management agrees with the findings” is a much politer way of inviting you to go audit yourself with a very sharp pencil.
This is one of those cases where a couple of 140-character tweets are not sufficient for a response.
@samj wrote: We’re not very good with risk, but the onus to demonstrate safety is on those who propose the risky action be taken.
That sounds eminently reasonable to security practitioners and skeptics alike; the problem is that in real life, it doesn’t work like this. The onus to demonstrate benefit is on those who propose the action be taken. The onus to demonstrate downside is on those who object to the action being taken. This is why security practitioners end up being the rain on everyone’s parade, and why those who are in the business area never think about risk. Their job is to sit around thinking of things to do that will bring benefit, not to sit around thinking of things NOT to do, or to figure out how to sabotage the idea they just had.
UPDATE: Who functions as a brake in your enterprise? Security. Attorneys. HR. Internal auditors. Accountants. In other words, all the fun people you REALLY want to invite to your next party.
Does being an executive make you ADD? Or do you become an executive because you’re naturally that way? It’s hard to tell, and I suppose it doesn’t matter.
I don’t mind thinking broad as long as I don’t also have to think deep. I don’t mind multitasking as long as I don’t have to concentrate on anything for a long time in order to do it properly.
Unfortunately, that’s not the way the CISO world works. You have to do risk analysis while shoveling email like coal into the roaring train engine; you have to write policy that will withstand legal scrutiny while going to 8 or 9 meetings a day. You have to review data models while a line of people forms outside your door.
So I finally reached my limit: one day I was going downstairs to a meeting, and by the time I reached the landing I had forgotten who I was meeting with and where they were (never mind what the meeting was actually about; I didn’t bother with that part. I figured they’d remind me once I got there). I knew it was time to ask for help.
Twitter is a wonderful thing; it’s a community just like the ones in other interactive spheres. My m’aidez was immediately answered by some of the smartest folks around, and I got some good tips from them, which I have been trying out this week. I’m passing them on to you, the reader, at cost (no additional markup!).
I’ll start with the obvious one: delegation. I was already delegating a lot, but I needed to do it more in some focused operational areas. I took myself off some high-volume email distributions to which I could contribute nothing and which did not require any action from me. (I realized that I did not need to know which post-patching smoke tests were executing successfully. Imagine that.) I also handed off some standing meetings that were taking up room every week in my calendar. I told staff members, “I don’t need to know about this unless it’s on fire. And if you’re planning to make someone unhappy, I want to know about it.”
Here’s a big one: I turned off notifications. All of them. The little Outlook envelope in the corner of my screen, the sound, the preview popping up, the vibrate and chime on my BlackBerry, all of it. The only things that generate a sound now are my appointment reminders and email from my lovely and talented $SPOUSE. I found that I could remember all by myself to check my email on a regular basis, but this way I would remember when I naturally reached the end of a thought process, without having those thought processes interrupted by teh shiny.
I blocked out 90 minutes at the start of each morning so that I will never have a meeting scheduled. I come in, I close the door, and most people tend to think I just haven’t arrived at work yet. I have time to start on a task and gather momentum before my first interruption of the day. Restricting my choices on what to work on in this manner forced me to concentrate on just one item at a time.
I went back to paper notes. I really hate them, because as an INTP, making notes feels like being redundant (if I already thought it, why do I have to think about it AGAIN while I’m writing it down?). But it makes me slow down.
Here’s a big one: I got rid of my choices in email too. I now have one ARCHIVE folder, one DELEGATED folder and that’s it. Instead of agonizing over where to file something, I have three choices with an email: keep (and mark for followup), delete, or archive—in the DELEGATED folder if I have to follow up sometime in the future to make sure it was done, or the regular ARCHIVE folder if not. I learned to trust the search function for the archive. I only keep the latest message in a mail trail for followup, or I only keep the first one, depending on which one has more information in it. In this way I went from having over 1300 messages in my Inbox to just eighteen—in ONE DAY. Cleaning out my inbox every day now takes a lot less time because I don’t have to think as much.
And finally, I took to heart what @myrcurial told me. He said, “Your brain is NOT your friend. Your brain does not want to be here in the office, thinking about this stuff. Your brain wants to be out riding bikes. So you can’t rely on your brain.” In a strange way, in order to be able to think better, I had to stop using my brain so much.
I hope these help someone else out there who is struggling with con—SQUIRREL!—centration issues. And feel free to leave any other tips and tricks in the comments.
DISCLAIMER: I am old. Old enough to be older than most people I meet on the security side of the ‘net; old enough to have people wonder what I’m doing at a conference of a Certain Stripe. But I’m not one of these people who sits back in wonderment at the brave new world of 2.0 or attends classes on How to Talk to Millennials, as if they were a separate species.
@jsokoly gave a great talk at B-Sides Austin on the problems that younger people have breaking into the security field. And I’m not saying “it was a great talk for a youngster,” either; it was a great talk, period. He pointed out the ridiculousness of requiring a CISSP for an entry-level security position, when the CISSP itself requires five years of experience. That’s certainly a sign of a clueless employer, right there; but he only touched on a much larger problem, which is How do you bootstrap ANYONE into the security field?
I got my opportunities in my career because someone took a chance on me—many “someones,” many times. I’m a great believer in paying that forward, and I try to mentor people where I can. But I do run into a big stumbling block when I try to help someone who doesn’t have IT experience, but who wants to break into security. I don’t want to encourage paper tigerdom, which is what I think happens when people come into security through the policy-writing door.
In a way, people like @jsokoly are at a disadvantage today, precisely because we have actual academic tracks, programs and certifications for IT security. Back when a computer science program involved learning FORTRAN, it was easy to move on into security because it was uncommoditized territory. This is how thought leaders came into security from fields as diverse as biology (marine or otherwise), mathematics, liberal arts and Chinese philosophy. These days, though, if you’re not a minted Cybersecurity Graduate, you’d better have an alternative pedigree that’s equally compelling.
So how do you get one, especially if you’re lacking in experience (I’m not saying “young”) and can’t afford to go to school? (The price of those five little letters goes up yearly, and if you’re not already making high five figures as a security professional, you can’t afford to waste hundreds of dollars to get them.) I make no secret of the fact that I believe you need a solid background in IT operations—preferably system administration, because if you work in a small enough shop you’ll end up learning network admin and you’ll have to troubleshoot applications as part of your job. I *think* that if you get five years of experience doing that, you can argue to anyone who asks that you spent time doing security as well, especially if you’re well-read on the issues and can discuss them with the right mindset.
But this sort of implies that security is not an entry-level field. And I may get arguments about that, and that’s okay. I know people in entry-level jobs who are “doing security”: they’re doing account administration, publishing “cybertips,” updating antivirus software, and maybe “administering” self-supporting firewall appliances. But with the exception of the last activity, I don’t know of many people who have been successful in breaking out of that entry-level status (and those that have, without the technical experience I mentioned earlier, only got as far as they did because the people who hired them didn’t know any better).
This would further imply that “security” is a specialization, and in order to get experience in it without getting the certification that specialization requires, you need to work in an area where they don’t treat security as a separate function. You may need to go for jobs that smell security-like but don’t actually have the word “security” in the title.
I’m not completely happy with this conclusion, because it means that when I start a promising candidate in an entry-level position in my organization, I have to send him or her out on a journeyman basis to get the next level of work experience somewhere else—somewhere outside of my specialized group. But I think it’s the best avenue for their success in the field. In the spirit of paying it forward, I think that it benefits us all to get new professionals up and running, no matter what tricks we might use to accomplish it.
Note that I still haven’t explicitly said that this is about “the next generation”—in fact, some of the entry-level people I’ve worked with have been older than I am. I still believe that the requirements for a security professional are experience, talent, speed, and personality; you don’t need to be a certain age to have the winning combination of those. Being young is a strong predictor of not having experience, but considering that I started hacking around at age 12,* it’s by no means a certainty. So if an individual who is chronologically challenged doesn’t make an issue of the fact, I don’t either.
One more thing: I don’t see how bringing new people into the field will cause me to lose my own position. Because of my background, I bring a different contribution to the table from what they would, and there’s room at the table for everyone. Just don’t laugh at me when I shoot tequila out my nose, please.
Just a quick note on something I’ve been thinking about when it comes to design reviews: input validation.
There are actually at least four different things that we mean by “validation,” and you need to decide which ones are important to implement based on the functions of your application and your risk analysis.
Type 1: Validation for safety - i.e., checking to make sure someone’s not trying to break your app with their input. (Paging Bobby Tables!) This should ideally be accomplished with really tight whitelisting, rather than enumerating all known badness. (Do I really have to say this any more? I hope not.)
Type 2: Validation for completeness - i.e. is this a required field? If so, does it have something in it?
Type 3: Validation for correctness - for example, if you have an Address field, you want to see something like “123 Sesame Street” instead of “I like cheese.”
Type 4: Validation for usefulness. By this I mean, validating for the characteristics you need if you’re planning to do something in particular with the data. Does it matter whether the person REALLY lives at 123 Sesame Street? Does it matter whether it’s spelled “Sesame” or “Sezamey”? Are you going to try to do something clever, like use it for a searching and/or grouping function? Are you going to make business logic or access decisions based on what they enter?
You must always do Type 1; Type 2 and 3 are the ones that developers tend to do the most on their own. Type 4 is what not-so-clever developers assume they’re doing, but aren’t; and they don’t discover it until they have a few terabytes of useless data. (Not doing Type 4 also leads to bad application security of a type that scanners won’t pick up.) However, Type 4 is optional if you’re using the input for information only and it doesn’t matter too much whether it’s accurate. If you really don’t care whether someone tampers with the data—for example, having a bad email address will simply ensure that the user never receives his password, so it’ll all come out in the wash—then don’t twist your head around doing #4, because that’s the most difficult kind and usually requires matching against disparate sources of business data.
Input validation is the mother sauce upon which you build your security variations. Allez cuisine!
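The four types applied to the Address field from the post, as an added example (not code from the original): Type 1 is a tight character whitelist that runs first and unconditionally, Type 2 checks presence, Type 3 checks shape, and Type 4 checks the value against business data and is skipped when the caller says the field is information-only. The street list and sample inputs are constructed.

```python
import re

# Type 1: tight whitelist of what an address may contain, plus a length cap.
SAFE_CHARS = re.compile(r"^[A-Za-z0-9 .,'#-]*$")
MAX_LEN = 100

# Type 3: a street address looks like a house number followed by a street name.
STREET_ADDRESS = re.compile(r"^(?P<number>\d{1,6}[A-Za-z]?)\s+(?P<street>[A-Za-z][A-Za-z. ]+)$")

# Type 4 needs a source of business truth; this constructed set stands in for it.
KNOWN_STREETS = {"sesame street", "main street", "elm st."}


def validate_address(raw, required=True, needs_usefulness=True, known_streets=KNOWN_STREETS):
    """Run the four validation types in order and report each outcome.

    A value of None for a type means it was not evaluated: either an earlier
    type already failed, or (for Type 4) the caller declared it unnecessary.
    `normalized` is set only when every evaluated type passed.
    """
    result = {"type1_safe": None, "type2_complete": None,
              "type3_correct": None, "type4_useful": None, "normalized": None}

    # Type 1 (safety) always runs, before anything else touches the input.
    result["type1_safe"] = len(raw) <= MAX_LEN and SAFE_CHARS.match(raw) is not None
    if not result["type1_safe"]:
        return result

    value = " ".join(raw.split())   # collapse stray whitespace
    # Type 2 (completeness): a required field must actually contain something.
    result["type2_complete"] = bool(value) or not required
    if not value:
        return result

    # Type 3 (correctness): "123 Sesame Street" yes, "I like cheese" no.
    m = STREET_ADDRESS.match(value)
    result["type3_correct"] = m is not None
    if m is None:
        return result

    if not needs_usefulness:
        # Informational field only: the post says don't bother with Type 4.
        result["normalized"] = value
        return result

    # Type 4 (usefulness): does the street exist in the data we will act on?
    number, street = m.group("number"), m.group("street")
    result["type4_useful"] = street.lower() in known_streets
    if result["type4_useful"]:
        result["normalized"] = f"{number} {street.title()}"
    return result


if __name__ == "__main__":
    for sample in ["123 Sesame Street", "I like cheese", "123 Sezamey Street",
                   "", "Robert'); DROP TABLE Students;--"]:
        print(repr(sample), validate_address(sample))
```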