Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

This just in:  Christofer Hoff to acquire Rich Mogull.

Cyberspace, Internet (QP) - Christofer Hoff, the leading iconoclast blogger responsible for Rational Survivability, has announced a hostile takeover of Rich Mogull, slightly less iconoclastic but nevertheless highly respected author of Securosis. The market reacted strongly today, with shares of both blogs going every which way really, really fast.  Mogull has been quoted as saying that he will “pwn the m**********r out of existence as soon as [he] can get [his] shareholders off the phone.”

Gartner immediately issued an analyst report praising the move, calling it “a double-Magic Quadrant scenario.” Yankee Group issued an opinion to the contrary, remarking that if you can’t measure it, it’s not worth getting excited over.

Other analysts in bloggerdom also rushed to comment.  Mike Rothman posted, “So what?  The two of them will never form a coherent business model without Security Mike included.  I expect a bid any day now.” Alex Hutton celebrated the “meeting of two bitchin minds.” John Quarterman called it “just plain good risk management,” and itinerant blogger David Mortman, posting under fifteen separate names on eight separate blogs, said variations on a theme of “Awesome, dudes.”

No word yet on the name of the merged blog, although analysts are betting on “Surviving Rational Securosis.” Everyone is also holding their collective breath, waiting for the 800-pound gorilla of the security blogger world to decide whether to join in the M&A fun.

Posted by shrdlu on Tuesday, April 01, 2008
(7) Comments

Been a long time since I’ve rock-and-rolled.

Yes, I’ve been buried in work.  I’ve been burned out.  I’ve been hung down, brung down, hung up, and ... well, you know the rest of the song.  (You DO know the Song, don’t you?)

But I stopped by to bring you this impromptu list of Interesting Things you need to know when you’re an Information Security Officer.  Enjoy.

  • Child psychology (to deal with prima donnas of all stripes).
  • Abnormal psychology (to predict which insiders will go bad).
  • Marketing.
  • Organizational training.
  • Business process engineering.
  • Which common words in the English language mean very specific things to a lawyer.  Things which will cause her to blanch when you show her a security policy or statement of work.
  • IT and financial auditing.
  • All the federal and state laws governing computers, wiretapping, breach notification, and e-commerce.
  • Economics.
  • Statistical analysis.
  • How to spell HIPAA.
  • How to troubleshoot everything from layers 1 through 7 to prove that it isn’t your firewall that’s causing a problem in production.
  • Forensics and chain-of-custody.
  • The newest naughty or infected sites, so that you can recognize their droppings on the user’s desktop.
  • Contract law.
  • Budgeting.
  • Project management.
  • Accounting.
  • What passes for risk assessment in your organization.
  • Stress management, meditation and yoga.
  • All programming languages.  Yes, even COBOL, which is still in use for an obscure, yet important application on your network somewhere.  Guaranteed.
  • Asset management.
  • How to spot snake oil encryption.
  • Public speaking.
  • QA testing.
  • RFP writing.
  • FOIA and what things not to do in email.
  • Subtle, yet effective flattery.
  • Veiled threat-making.
  • Mind-reading.

Posted by shrdlu on Thursday, March 20, 2008
(6) Comments

My theme for 2008?

Mike Rothman passed along a good question here:  if you had to pick a “theme” for yourself for 2008, what would it be?

Now, I don’t want a “theme” to equal “resolution(s).” I already have so much to do that I can’t face another list of obligations (even if they’re “obligations to self,” which I think is kind of an oxymoron—either you want to do them, or you don’t, and if you don’t, why should you feel obligated?).  So the first thing that popped into my mind for a theme was:

Stop the Madness.

I’m so burned out right now that I don’t even want to think about security if it means I have to get up and do something about it.  Personnel issues, budgets, procurements, contracts gone wild, big-ass projects that will probably scorch my personal earth for the next three years ... and then there are family obligations.  I can’t face my inboxes, my desks are a mess (both at work and at home), I can’t find anything, and I have a brand-new Crackberry that I don’t even want to pick up.

New zero-days?  Take a number, pal.  If this is Wednesday, it must be another data breach.  Hundreds of SSNs flitting by overhead, and I can’t be bothered to pick up my butterfly net.

I’m TIRED.
So my little Post-It note will say “STOP THE MADNESS” ... and if nothing else, maybe I’ll try to take some more regular vacation this year.  Until the sticky note falls off my monitor and gets lost in the high tide.

Posted by shrdlu on Wednesday, January 02, 2008
(0) Comments

Forever blowing bubbles.

I got all excited by this neato bubble chart by Hoff:
and really wanted to take it out for a test drive in my own organization ... until I realized that I had no idea what “impact” meant.

What is “security impact”?  Does this mean the ability to make things “more secure”?  How do you decide whether your firewall has more “security impact” than your antivirus?  (Will the Ghost of Metrics Future please go back to haunting Ebenezer Jaquith?  Thank you.)

What is “business impact”?  Does this mean how visible your security measures are to your business users?  Does it mean how fundamental it is to whatever application your business is using?  Does it mean how much it would screw the business if it didn’t work right?  Or does it mean how much your business thinks it is helping them accomplish their goals (as opposed to just keeping Bad Things From Happening)?

A firewall might not have any business impact if users don’t know or care that it’s there.  But it sure as hell would impact the business if it went down.  You could argue that it “enables” the business to connect with external parties, but they’ll come right back and argue that they could communicate with them better if that firewall wasn’t in the way.

The bubble chart there shows antivirus as having a high “business impact.” According to whom?  Is it helping the business get the job done, or is it saving the users from themselves at a higher rate than the other security products in the portfolio?

I’d like to hear what you all would define as “impact.” Other than the medical term, that is.

Posted by shrdlu on Tuesday, December 18, 2007
(9) Comments

Quick bitch.

When you have to deal with securing “disruptive technology,” as Hoff calls it, most of the time this technology is being brought in by senior management—who happen to need (and expect) access to the most confidential data.  They are also the least likely to appreciate the technical difficulties involved in securing it.  You cannot simply tell them that they can only use it to access public data.  Try telling an exec with her brand spanking-new iPhone that she won’t be allowed to get her email on it.

Most vendors still do not understand this.  They can take their “multi-layered security architecture,” fold it until it is all corners, and shove it in their patronizing poop chutes.

Oh, and while I’m at it?  While I’m very happy that you homeroom mothers are trying to provide extra arts and crafts enrichment to our kids, please do not expect me to have the time or inclination to hunt down various art supplies, egg cartons, and other assorted flotsam and jetsam to send to school.  I’m managing nine people, juggling five vendors, and trying to scrape up hundreds of thousands of dollars in funding by the end of the year.  It’s all I can do to get my kid to do homework every frickin night before we both fall asleep.  Please do your thing and leave me to do mine.

Posted by shrdlu on Sunday, December 16, 2007
(0) Comments

Really, really busy right now …

Back in a couple of weeks, mebbe.

Posted by shrdlu on Sunday, November 11, 2007
(0) Comments

Attention, attention …

LinkedIn is just making me depressed.  It is reminding me that I’m getting old, because as I browse through the list of former colleagues, I recognize the names ... but I can’t remember anything about the people.  So I don’t link to them.

That is all.

(Commentary from the preschooler, who is waiting for me to stop writing this and crank up YouTube already:  “That’s good working.  That’s good typing on the computer.”)

Posted by shrdlu on Sunday, October 28, 2007
(6) Comments

With a song in my heart …

First I was afraid, I was petrified
Kept thinking I just had to have a firewall by my side
But then I read so many blogs
Saying that I must be wrong --
Completely wrong --
And how we all should get along

Here comes this post
From outer space
Where Hoff is throwing his new
Paradigm-shifting term in our face
I should have stayed with Jericho and got my CISSP
If I’d have known that I’d be stuck
With this “survivability” ...

Go on now, go
And blog some more
Say it’s all different
It’s not “security” any more
We’ll draw new graphs and charts and find some brand-new metrics we can try
Forget perimeters
Forget AV and PKI

Our information will survive
As long as we all join the club our data stores will stay alive
They’ll have water and MREs
They’ll build some shelters in the trees
They will survive ... they will survive ... hey hey!

(My humblest thanks to Pete Lindstrom for the inspiration.)

Posted by shrdlu on Saturday, October 27, 2007
(2) Comments

Finally, a complete set of protocols!

I’m enchanted with Carl Ellison’s paper proposing the concept of a “ceremony” as a sort of meta-protocol design that incorporates all eight layers.  This is something I have to do nearly every day when fixing a broken business process or reviewing the design of an application—use cases generally only take into account what the user might click on, but not what might cause them to do so.

I think there’s just one thing missing from Ellison’s list here:

Those differences aside, the design process for a ceremony is the same as the process for a network protocol. Each node in the ceremony has:

1. state, held in the node’s memory in one or more locations
2. secrets, protected by tamper resistance and subject to access control
3. a state machine
4. input messages that are parsed and sometimes pre-processed, including
   a. messages from other nodes
   b. events (like a timer or, within a human node, a “desire”)
5. for each (input message, state) pair:
   a. output messages
   b. changes in state
6. service response times and communication bandwidth
7. probability of processing errors
8. probability of node death or loss of memory

I might add (9), the certainty of node replacement on a semi-regular basis, if you’re looking at a ceremony that involves human nodes that are part of organizations.  You could call this “loss of memory,” but I don’t think that covers all the cases that designers absolutely have to plan for.  (This is why we have documentation, but this is also why you have to make sure the documentation is available, accurate, and complete.) Nothing breaks a good protocol faster than having a key memory component take a better-paying job across the street.
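Ellison’s node checklist plus the post’s item (9), worked through as an added example (my code, not Ellison’s or this blog’s): a password-reset ceremony between a user, a helpdesk operator and an account server, where the helpdesk node is rebuilt from a written runbook to show what node replacement does when the documentation handed over is incomplete. The node names, the helpdesk token and the challenge answer are constructed for the example.

```python
"""Ceremony model in Ellison's terms, extended with the post's item (9).
Each node has state (1), secrets (2), a state machine given as a table of
(input kind, current state) -> handler (3, 5), and parses its inputs (4).
Items 6-8 are left out. Node replacement (9) is modelled by rebuilding the
helpdesk node from its written runbook and checking whether the ceremony
still verifies the caller. Names, tokens and the answer are constructed.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

@dataclass
class Msg:
    src: str
    dst: str
    kind: str
    body: dict = field(default_factory=dict)

@dataclass
class Node:
    name: str
    state: str                                  # (1) state held in memory
    secrets: Dict[str, str]                     # (2) secrets under access control
    table: Dict[Tuple[str, str], Callable]      # (3)/(5) the state machine

    def step(self, msg: Msg) -> List[Msg]:
        # (4) parse one input; (5) emit outputs and move to the next state.
        handler = self.table.get((msg.kind, self.state))
        if handler is None:
            return []                           # unexpected input in this state: ignore it
        self.state, out = handler(self, msg)
        return out

def hd_challenge(node, msg):
    # Documented helpdesk procedure: demand the out-of-band proof before acting.
    return "awaiting_proof", [Msg(node.name, msg.src, "challenge")]

def hd_check_proof(node, msg):
    if msg.body.get("answer") == node.secrets["expected_answer"]:
        return "idle", [Msg(node.name, "server", "authorize_reset",
                            {"user": msg.src, "token": node.secrets["hd_token"]})]
    return "idle", [Msg(node.name, msg.src, "denied")]

def hd_reset_blind(node, msg):
    # What a replacement operator does when the runbook never mentions the proof.
    return "idle", [Msg(node.name, "server", "authorize_reset",
                        {"user": msg.src, "token": node.secrets["hd_token"]})]

def build_helpdesk(runbook: Dict[str, bool]) -> Node:
    """Item (9): a new operator knows only what the written procedure says."""
    table = {}
    if runbook.get("verify_caller"):
        table[("reset_request", "idle")] = hd_challenge
        table[("proof", "awaiting_proof")] = hd_check_proof
    else:
        table[("reset_request", "idle")] = hd_reset_blind
    secrets = {"hd_token": "HD-TOKEN-EXAMPLE", "expected_answer": "blue-kite"}
    return Node("helpdesk", "idle", secrets, table)

# Machine node: the account server trusts any reset the helpdesk authorizes.
def srv_authorize(node, msg):
    ok = msg.body.get("token") == node.secrets["hd_token"]
    return "idle", [Msg(node.name, msg.body["user"], "reset_done")] if ok else []

# Human node: the user, whose "desire" for a reset is the event that starts the ceremony.
def build_user(answer: str = "blue-kite") -> Node:
    reply = lambda n, m: ("idle", [Msg(n.name, m.src, "proof", {"answer": n.secrets["answer"]})])
    return Node("alice", "idle", {"answer": answer},
                {("challenge", "idle"): reply,
                 ("reset_done", "idle"): lambda n, m: ("reset", []),
                 ("denied", "idle"): lambda n, m: ("denied", [])})

def run_ceremony(helpdesk: Node, user: Node) -> dict:
    """Deliver messages until quiet; report the outcome and whether the caller was verified."""
    server = Node("server", "idle", {"hd_token": "HD-TOKEN-EXAMPLE"},
                  {("authorize_reset", "idle"): srv_authorize})
    nodes = {n.name: n for n in (helpdesk, user, server)}
    queue = [Msg(user.name, "helpdesk", "reset_request")]
    trace: List[str] = []
    while queue:
        msg = queue.pop(0)
        trace.append(msg.kind)
        queue.extend(nodes[msg.dst].step(msg))
    return {"user_state": user.state, "verified": "proof" in trace, "trace": trace}
```

Run `run_ceremony(build_helpdesk({}), build_user())` to see the replacement-operator case: the reset still completes, but the trace never contains a challenge, which is exactly the gap a ceremony review has to catch before the original operator leaves.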

Posted by shrdlu on Wednesday, October 24, 2007
(1) Comments

Realsicherheit.

Been thinking more about why Hoff and I keep talking at cross purposes with each other.  Part of the problem is that I am stuck in the daily position of having to make what changes I can to improve security that are supported by my management’s view of their risk.  There are a whole bunch of things that I’d love to implement, but realistically speaking, I can’t force them through all at once.  I have to plan which measures will take care of the most low-hanging fruit, which are least invasive to the rest of the organization, which I and my team have the most control over getting done, and which are least expensive (in real dollars, not FTE effort).  I have to figure out what I can squeeze out of the budget this year, what I can realistically argue for next year, and what has to be put in now in order to have a firm foundation for new systems and applications.  My security plan is multi-year, of necessity.

Every year, I can generally get away with asking for one or two major projects which involve forcing the development teams and/or the sysadmins to remediate their systems.  This year, I have an outsourcing to contend with that I didn’t ask for and which is going to use up all those spare cycles, so I’m hosed there.  I can buy three or four security products as long as they’re noninvasive (i.e. my team can set them up without requiring help from everyone else).  I can put a few new standards in place that require developers and sysadmins to tweak what they have.  I can change all the processes I want within my own team, and I can change a few more processes elsewhere as long as they don’t cost significant money or effort.

I suspect I’m not too different from other security managers in this respect.

I was talking to an acquaintance who is in the throes of setting up Security By Contract.  The security levels he has to implement are part of the contracted service he’s providing.  The problem is that his client isn’t anywhere near a decent level of security, and he’s not sure he can get them very far any time soon.  So he’s wary of setting the security goals too high in the contract he’s negotiating with them.  The client, on the other hand, wants to throw every security setting and the kitchen sink into the contract, because they’re afraid that later on they won’t get it if they don’t ask for it now.  I don’t know how they’re going to solve this impasse.  Security By Contract is a very painful way to manage and it has very little to do with risk management (unless you count breach of contract as a risk; it’s the main one they’re forced to focus on).

Hoff is being paid to be evangelical about security.  That’s great.  We need those in the business.  I wish I could join in the fun; I’ll watch from the sidelines and cheer.  But during my day job, I’m stuck with the limits set by my management’s view of their risk.  If I want to improve security here, I have to do it either very, very cheaply, or I have to raise the level of risk my management is perceiving, so that they’ll devote more money to it—without resorting to FUD, which destroys my credibility.

Hoff gets to be the visionary (or “wisionary,” as my Swiss colleagues used to pronounce it), and I get to be the face of Realpolitik as it pertains to security.

Maybe someday we can meet in the middle and get together for a beer.  He’ll have to buy, though, because he’s the one with the expense account. wink

Posted by shrdlu on Monday, October 22, 2007
(12) Comments

One man’s apathy is another’s risk tolerance.

One of my most mentally fruitful times is when I’ve just woken up.  Somehow things that I’ve been puzzling over fall into place, and I get new insights that help me solve problems.  My dad spent some of his career as an inventor, and for him the “epiphany time” was in the shower; it worked so well that his boss started paying his hot-water bills.

After waking up from a nap with my preschooler this weekend, I had a few more thoughts about Hoff’s Crusade and the reactions to it around the neighborhood.  I recalled the arguments I was having with Hoff as to whether the D*Z is dead and comparing it to seat belts and airbags.

As Spaf and others say, we know how to write solid systems, but we don’t do it.  Why not?

And for that matter, why do we put up with hundreds of thousands of car crashes a year?  That’s one of the largest risks we face these days, and we could reduce it significantly in several ways, but nobody wants to do it. 

To point out the obvious, it’s because the benefit is so large and so widespread that the cost in terms of risk is tolerable at its current level.

Now, let’s turn back to computers.  Back in the olden days, when Real Programmers walked the earth, there weren’t a whole lot of computers.  They were big, they were expensive, and they generally ran really important things.  It was important to get programming right, as concisely as possible, using the fewest resources, and it became a point of pride to do so.

These days, of course, computers are everywhere.  We all derive enormous benefit from them, couldn’t do without them, and they are plentiful and cheap compared to 30 years ago.  They are also mediocre in terms of security and quality.  Programming is the new factory work, and the emphasis is on volume and speed.  It’s a lot easier to replace or complement a less-than-functional system with another one than it is to hand-craft it as if it were a one-of-a-kind artisanal piece.

Could it be that the very fact of computing’s ubiquity today is raising our risk tolerance threshold?

Is this why we don’t see consumers marching in the streets, calling for better auto safety or “information survivability”?  The risk is so widely spread that it is easy to convince ourselves that we will never be affected by it.  At the same time, the cost of reducing that risk further is unacceptable to us (public transportation? centrally controlled auto navigation? completely rewriting Windows from the bottom up?).  We have both benefit and freedom the way things are now, with an easy recovery plan (wipe and re-install, or toss it out and buy a new one). 

If this is the case, then our state of computing security may be precisely where it needs to be.  Paging Dr. Pangloss ...

Posted by shrdlu on Sunday, October 21, 2007
(7) Comments

Do we make a difference?

That’s really a loaded question, actually, because the answer could be both “yes” and be bad at the same time. wink

Hoff is changing “security” to “survivability” and believes that will make everyone magically delicious^H^H^H^H^H^H^H^H^Henlightened and completely change the state of what we’re doing in our field.  It’s been a while since I’ve seen someone go all Wittgenstein on our asses, but I wish you the best of luck, my friend.  The Security Mike crack made me shoot blueberry cereal out my nose.

Do we make a difference?  I don’t know about you, but I’m pretty sure I do.

Over the last two years at my particular organization I can see a team that has grown from three account administrators to a real security function, one that has completely revamped our network and security infrastructure (and D*Z), implemented log consolidation and an internal CA, has rolled out whole disk encryption for laptops, and is responsible for fixing dozens of serious application security flaws.  Every time a user emails me and says, “I saw a suspicious email message in my mailbox, and thought you should know about it,” I know I’ve made a difference.  Every time a sysadmin comes to see me and says, “There’s something I think you should look at” or “I really think we need to fix this,” I know I’ve made a difference.  Every time we stop an attack through preventive measures, I know we’ve made a difference, because it would have gone like a hot knife through butter two years ago.

The rules of the game are completely different from what they were ten years ago.  As an ISO ten years ago, I didn’t need to worry about SOX, Basel II, GLB, or Patch Tuesday.  You could run servers with an uptime measured in hundreds of days without any problems and without any upgrades.  We had just unveiled our first public website and done our first formal pentesting.  We were convinced that log consolidation and normalization was a good idea but didn’t know how to do anything except roll our own.  My biggest enemies were floppy disks and modems.  (I’m sure Arthur remembers more about this time than I do, seeing as how he’s younger.)

Yes, a whole lot of discipline has disappeared from IT, and sometimes it seems like we’re the last bastions of it.  (Bastions?  Bastiges?) I’m not a smart person, so I’m waiting for the Enlightened Ones like Hoff and Spaf to tell me what I should be doing differently (besides thinking, in terrible grammar).  As soon as they tell me what I can do to fix the world I didn’t make and have to live in, I’ll be all over it. 

But I’ll still be calling it information security.

Posted by shrdlu on Thursday, October 18, 2007
(6) Comments

We want YOUR information to be free.

Attended a talk today given by Dr. Larry Ponemon of the eponymous Institute. His name aside, he looks just like what would happen if Mr. Rogers spent some time in the intelligence arena and then became a professor at MIT (two of these three are true).  His excellent talk about responsible information management made me think more about the challenges of information management, which encompasses more than just protection.

The trust given to an organization depends not only on how well it protects information, but also on how transparent it is.  This sounds like a contradiction in terms, but it isn’t.  People want a company to be forthcoming with information about itself:  clear reporting on finances, admitting mistakes in an open fashion, and so on.  They just don’t want the company to be forthcoming with their information.  Nowhere is this more prevalent than in government, where you have to walk a fine line between releasing all data that you MUST release, and protecting all data that you MUST NOT release.  Identifying which data is which is vital; Ponemon gave the example of a recent snafu in Massachusetts where an agency accidentally released Social Security numbers on CDs in response to a public information request.  Companies are being penalized in court for not producing records upon request.  Not only do you have to protect your information, but you also have to know where it is, keep it the right length of time, and be able to tell which parts are appropriate and required to be shared.

In a nutshell, when people want information to be free, they’re NOT talking about their own.  They’re talking about non-personal institutional information, or they’re talking about someone else’s information (which is how The Smoking Gun makes its bread and butter). 

Is this really any different from the past?  I don’t think so.  The only difference is, the issue has become intensified due to the volume and speed of information now available.  Years ago, your reputation might be ruined if a lie were printed about you in the hometown newspaper, but now it can happen several times a day, all over the world, for little to no reason at all.  Our information is much freer than it ought to be.  I suspect that there will be a backlash at some point and the graffiti party that is currently the World Wide Web will settle down into consolidated media outlets and tamer public forums.

(I know, who am I to talk?  I’m posting this, aren’t I?  grin )

Posted by shrdlu on Wednesday, October 10, 2007
(2) Comments

Teach your children well.

Gotta start training ’em early ...

Posted by shrdlu on Thursday, October 04, 2007
(4) Comments

What he said.

Lovely, succinct post from Larry J. Hughes, Jr. on how to win friends and influence people through security ... well, okay, maybe not the friends part.  As he points out, nobody shouts “Group hug!” when a security person enters a meeting.  In the best case, it’s “Mmmm ... donuts!” and in the worst case, it’s “Release the hounds.”

His points include:

Say “no” by saying “yes.” Well, kinda.  I’ve found it’s best to say, “Sure, I’d be happy to help you with that ... AND here’s what it’ll take.” It’s also known as being one step up from the can-do attitude: it’s the can-charge attitude.  “Sure, we can do that for you, and here’s what it’ll cost.” All the best consultants work this way.  (Stay away from “yes, but”—it’s too close to “no” and it’ll drive people crazy.)

Learn when to say “That’s good enough for now.” Preach it, bro.  As a few people have been emphasizing lately (including Marcus Ranum), we’re not ever going to reach the state of Perfect Security.  We’ll always have to settle for Good Enough Security, because that’s all the market will tolerate.  I’ve sometimes shocked customers who were sure that I was going to put my foot down on something, when instead my back-of-the-mental-envelope risk analysis said that it was probably okay.  People freak out when you start being reasonable, but then they kinda get to liking it.

Ask questions rather than making absolute statements. [...] It politely keeps the burden of justification where it belongs. Another good one.  I found out third-hand that one developer said to another that I pretended not to understand things, but in reality I was forcing them to do their homework and think.  I’m always in favor of attempting to make people reason things out for themselves.  Once in a while it results in someone’s facial expression getting stuck in deer-in-the-headlights-mode, but that’s an externality as far as I’m concerned, so I’m okay with the risk.

If I had to pick three tips to give to security professionals, they would be:

1.  Understand technology.

2.  Understand risk.

3.  Understand people.

That’s it in a nutshell.  Now, go forth and secure that perimeter!  (Sorry, Jericho.)

Posted by shrdlu on Wednesday, September 26, 2007
(2) Comments