Language is vital to me in my role as a security manager.
I rely heavily on it when I’m interviewing a job candidate. I can tell pretty quickly what someone’s IT background has been and whether he knows what he’s talking about by the words he uses.
Can he explain something in little teeny words? Then he really does understand it. Does he insist on using the textbook terms, and sound like he’s quoting rather than owning the words? Danger sign.
“batch job” == mainframe background
“cron job” == Unix background
“information assurance” == DoD background
“IT security” == corporate background
“cyber”-anything == law enforcement or federal gummint background
using “risk assessment,” “vulnerability assessment,” and “penetration testing” interchangeably == clueless
And I hate it when people are sloppy in their writing, especially when they’re vendors. If I see too much evidence of rote copying and pasting in a proposal, I suspect the vendor is just phoning it in and doesn’t really want the contract. If I see less-than-literate language, it depends on its character: I can tell when something is simply written by a non-native English speaker and I cut him some slack. (Sometimes I can even tell the writer’s native language based on the English mistakes he makes.) If they’re the kind of mistakes made by someone who grew up in this country and should know better, my opinion of his services plummets dramatically.
In security, details count. I can tell whether a brochure was written by a marketroid or by someone who really understands and cares about the product. If I’m going to hire services, the most important thing I want to do is have a conversation with the staff who will actually be performing them. I can tell by talking to them whether they’re going to be competent, diligent and trustworthy.
I’ve had wonderful employees who were smart as the day is long, but I had to translate their emails whenever I forwarded them outside of the group. For those who were non-native English speakers, it was even worse: you tend to use smaller words when you’re not using your native language, and that often makes you sound blunt. (For Germans who ARE blunt, it’s even worse.) I’ve had to resolve many a misunderstanding between colleagues that came from an unluckily phrased email message, especially when they’d never met in person.
Language counts when I’m trying to write policies, troubleshoot problems, define risk, sell ideas, and educate users. It’s amazing how much of my time is spent arguing semantics in functional specifications.
By the way, did I mention that I’m an INTP? 
Posted by shrdlu on Friday, May 18, 2007
Wash your data when it comes in from the Internet. Do you want to get viruses?
Don’t leave the firewall open!
Don’t share your shared secret with anyone else. (?)
I don’t care whether your friends are doing it. On MY network, you’re not doing it, and that’s final.
Just wait until the CEO gets home!
You tracked that worm into the house. YOU clean it up. I’m tired of cleaning up after all of you.
I don’t care who started it; I’m finishing it. Both of you, go to your offices!
No games until you clean up your hard drive!
When YOU pay for the computer, THEN you can keep it private. Until then, I’m coming in whenever I want.
How many times do I have to tell you not to open strange attachments?? Am I talking to a wall??
Because I’m the ISO, that’s why!
and finally:
Just wait until you have users of your own, then you’ll understand.
Posted by shrdlu on Sunday, May 13, 2007
Did you know that Google Analytics considers Liechtenstein to be a city in Switzerland?
I know the Swiss keep accidentally “invading” them every so often, but really now. Google has the Maps, after all. Can’t they get this right?
(Oh, and they misspell Liechtenstein, too. Heaven forfend they should try to tackle “Vaduz.”)
Posted by shrdlu on Sunday, May 13, 2007
Yes, I’m cheating. My brain has turned to tapioca for the time being, so I’m just going to do a meta-post and list all the different categories of SecurityBlogPost that I can think of.
So far, I have:
- Thinly veiled (if at all) marketing post.
- New sploit o’ the day.
- Which security vendor is buying whom, and who cares.
- Cute real-life personal anecdote turned into security metaphor.
- Railing against the “war on terrorism” and the stupid security it’s engendered.
- Security Snark[tm] aimed at bitchslapping another blogger.
- Incredibly esoteric, academic discussion, usually having to do with risk analysis, statistics and math. (Which is Hard.)
- And of course, the FUD post.
Any more out there? Play along!
Posted by shrdlu on Friday, May 11, 2007
Look, I don’t want to turn this into an All Marcus, All the Time slobberblog, but damn if he hasn’t gone and started something else fun.
Check this out.
Now, I only looked at the PowerPoint, because I almost NEVER do podcasts. Mainly because people still generally can’t talk as fast as I can read, and I don’t have any spare time to speak of. Maybe the only one who can do it is Dick Hardt. But podcasts force me to do more unitasking than I can afford—and in my 20- to 30-minute commute, I spend all my time singing loudly along with the Rodgau Monotones, so I’m not going to displace them for more work-related stuff.
Anyway, what was I saying? Oh yes. The slides alone cracked me up. It looks like Ranum is going after risk assessment, metrics and the security industry in general with guns a-blazing. Schneier has decided that we don’t really need a security industry anyway, so Ranum will take it upon himself to do it in.
I can’t wait. 
Posted by shrdlu on Wednesday, May 09, 2007
Whether you call it Identity 2.0 (watch the brilliant presentation here) or something else, a lot of smart people are discussing the future of digital identities.
They’ll probably solve it at some point. But not until they can get past the basic issue that on the Internet, looking at something is the same as possessing it.
As the wonderfully named Dick Hardt puts it, you walk into a store, show your choice of ID, and get your bottle of Stoli. But what if the cashier can automatically keep a copy of your ID, alter it, and use it in unlimited ways? What if you ran that risk every time you authenticated yourself, everyplace?
In meatspace, we perform all sorts of ancillary authentication besides just looking at the ID.
When I last lived overseas, about ten years ago, I used to send my mom flowers for Mother’s Day. At that time, wiring an order using FTD was just too expensive; I used to phone our hometown florist nearest her house and just order flowers over the phone, giving my credit card number for payment.
And it worked just fine. Why not? The florist heard a pleasant voice with the “right” kind of accent; you could hear pops and hisses on the long-distance connection that corroborated my story of being overseas; and what identity thief would use a stolen credit card to send flowers to someone? All of those subconscious cues led the florist to accept my “identification” without any other kind of authentication.
Authentication depended upon a lot of these nonverbal, usually unacknowledged methods of confirmation and corroboration. You took the trouble to show up in person, you had the right dress or the right uniform, you said the right words, you looked confident and at home, and maybe you even dropped names or provided other information in casual conversation that played the role of a shared secret. (It’s very amusing to watch Penn Jillette’s game show, Identity, to see contestants try to use all these identification and authentication skills in an overt way.) Once we started losing these additional cues, the ID cards we had started being less reliable.
And on the Internet, of course, it’s completely blown away. You hardly have to show up anywhere to be identified, authenticated, and authorized, especially for individual transactions using an account that has already been through the initial registration phase. Nowadays, any bored 14-year-old in Outer Slobovia can present the very limited credentials required for online transactions in Spokane.
Our historical process of authentication has involved many, many more factors than we ever realized. One factor, or two, seems ridiculous by comparison.
So the next generation of Identity has to solve both those problems: how to add a ton of factors back in, at least during the issuance of official ID, and how to keep that ID from being copied every time it’s viewed.
I just want to say to these folks, Good luck! We’re all counting on you.
Posted by shrdlu on Sunday, May 06, 2007
Those of you who read this blog (all five of you) know that I’m an aggressively practical sort of security geek. (You thought I was going to use the OTHER “p” word, didn’t you?) One of the things that was so cool about the Lone Star Information Security Forum was the number of people there who were actually walking the walk. As in, they had holes in the bottoms of their shoes. When you’re under a confidentiality agreement, the amount of hair that gets let down is considerably more than you ever realized was there. There were lots of concrete stories that just blew me away.
Among the things I learned, in a gut-punching sort of way, is the real level of threat facing our critical infrastructure. Real people have died, and will continue to die, as a result of the compromise of automated control systems. Sure, I’ve heard the warnings for years, but all of them sounded like the bloviating of DHS drones trying to justify their tiny little piece of existence. And why? Because of the age-old dilemma of security information sharing. You don’t tend to believe assertions without real anecdotes (and, strictly speaking, you shouldn’t even trust the anecdotes, but go straight to the evidence, but let’s not dwell on that right now). And you’re not going to hear any serious security failure anecdotes in public records, such as testimony to Congress. This is why the same people who have made an incredibly strong case in private sound so ... tepid in the Congressional Record.
Luckily, we have some excellent writers such as Dan Geer, who can write both vividly and plainly at the same time. Read this. And if you don’t have time to click on a link, why, he’s provided an easy summary at the end:
• We need a system of security metrics, and it is a research grade problem.
• The demand for security expertise outstrips the supply, and it is a training problem and a recruitment problem.
• What you cannot see is more important than what you can, and so the Congress must never mistake the absence of evidence for the evidence of absence, especially when it comes to information security.
• Information sharing that matters does not and will not happen without research into technical guarantees of non-traceability.
• Accountability is the idea whose time has come, but it has a terrible beauty.
What hit home for me was the realization that my systems are directly linked to these critical infrastructure systems.
Yours are too.
They ALL are, thanks to the Internet. Each of us is the unattended back gate that could let in the attackers next time, if they but find it.
So let’s not lose sight of what really matters in information security. Every instant message or text message or email that you receive (O RLY?) should remind you how close we are, and that with closeness comes shared risk and shared responsibility. We are all each other’s keepers.
Posted by shrdlu on Sunday, May 06, 2007
Been meaning to toss out a quick answer to Pete Lindstrom’s kind effort to include me in the Security Snarkathon:
There is, however, one area that is surprisingly naive and worth calling out, especially since people like SHRDLU at Layer8 and Alex at RiskAnalys.is are reinforcing it. Both have echoed their support for Andy’s attack of annual loss expectancy and information asset valuation. Essentially, they are all saying that it feels good not to worry about it because it is hard or impossible to do. Ouch.
Now that I’ve identified which planet he must be blogging from, I can get back to him. Where in the world did I say that we shouldn’t include annual loss expectancy or that we should completely ignore asset valuation? Maybe I’m not reading my own writing correctly. Read it with me, now:
One other thing, though: I was terribly gratified and relieved to read that I’m not the only one who doesn’t think “asset value” can be practically calculated. All the risk-assessments-in-a-box I have seen have started off with an inventory and asset value, and hell, how am I supposed to compute the asset value of a firewall? In terms of its hardware cost? In terms of business loss if it’s a single point of failure? In terms of the criticality of data it passes or blocks?
I still don’t think asset value can be practically calculated. It can be “winged,” as in “is it worth it?” (which if you haven’t noticed is a binary question hiding a WHOLE lot of winging). That’s not to say we shouldn’t try, but there needs to be much more definitive structure around it than we currently have.
But maybe I’m wrong and it can be practically calculated. Show me how, Pete. You da man. Walk me through it. Let’s take two examples: my aforementioned firewall, which let’s say I happened to build out of an old 486 and which runs fine, even though it’s protecting a bunch of confidential data. The other example is a corporate desktop workstation.
First example: the firewall. Pete has this wisdom to impart:
At the very least, collecting costs and assigning that as a “minimum value” representation is not hard to do.
Cool. It cost me $50 on eBay (plus shipping) and, oh, about 4 total hours of setup time, which we’ll calculate at $70/hr if I were paying some generic contractor to do it. Does a “minimum value” of $330 even come CLOSE to being a reasonable point of risk discussion, if I’m protecting, say, 1000 SSNs with it? Does its value go up or down if I have it backed up by a redundant 486 so that it’s not an inline single point of failure?
Let’s go over to the corporate desktop. Let’s say it’s costing $500 per month in some seat management contract. Should I use that as my “minimum value”?
How about if I say it’s the CEO’s desktop?
How about if I say the CEO’s got business data stashed on it?
How about if I say it is or it isn’t being backed up?
How about if I say the business data includes corporate secrets?
Sure, Pete, a bare minimum value can be calculated if you only count the replacement cost. But we all know that’s NOT what’s really going to hit your pocketbook if it gets breached or lost. Considering the potential MAXIMUM asset value, depending upon how much you really know about it and which doomsday scenarios you concoct, the real ballpark could be millions of shekels. At which point I’d personally feel pretty silly bringing a figure like $500 to the risk analysis table.
I know a woman who has a degree or two from MIT, one of them being in aerospace engineering. When she tries to say “Math is hard” with a straight face, we all blow suds out our noses and then go on to the next Babylon 5 DVD.
Math may or may not be hard. But picking the right numbers out of the air to add or subtract IS hard. I can give you value and loss statements in relative terms (green? five?) all day long. I can match my “green” with the other executives’ “chartreuse” and we can meet somewhere in the middle. We can answer “is it worth it?” whenever we’re comparing two scenarios. But if I’m faced with a lame attempt at a “risk assessment” survey that asks me to list the number of desktops x asset value, I’m still going to claim that it’s a ridiculous question, has no practical answer that can be used for REAL risk assessment, and I’m going to do my loss expectancy calculations based on scenarios, not assets.
Scenario 1: loss of availability.
Scenario 2: loss of confidentiality.
Scenario 3: loss of integrity.
None of them can be applied to a desktop, or a firewall, or a Windows license. They’re all about the data. And even there, if I bring a worst-case number for each of those to the table, I’ll be accused of spreading FUD—which is not the point of risk analysis. Is the perceived value of a database really the same whether it’s breached, corrupted, or deleted? Show me that math, because that’s GOT to be a doozy of an equation.
So, let’s sum up: I have a possible “minimum value” which is a ridiculous number. I have a “maximum value” which my management is going to reject as being alarmist. The two of them are probably thousands or millions of integers apart. Pete, tell me where to meet you in the middle, and show me how it’s a practical calculation of asset value.
Don’t get me wrong: I’m going to keep trying. I haven’t seen anyone come up with a very simple, practical way of pulling numbers together consistently, though. I have yet to see any examples on the practical level that Andrew Jaquith has in the rest of his book. If he can’t do it either, and if you’re smarter than he is, take a crack at it. I’m all (pointy) ears.
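To put the minimum-versus-maximum argument above in concrete terms, here is an added illustration (not code from the original post) that works the post's own firewall through a scenario-based loss expectancy instead of an asset value. Every dollar figure and frequency in it is a constructed assumption except the $330 replacement cost, which the post itself computes; the per-record and per-scenario numbers are placeholders, not figures from any study.

```python
"""Scenario-based loss expectancy versus a replacement-cost "minimum value".

Added illustration of the argument above; not code from the original post.
All figures are constructed assumptions except the firewall replacement
cost, which the post works out as $50 + 4 h x $70/h.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One loss scenario for the DATA, not for the box that carries it."""
    name: str          # loss of availability / confidentiality / integrity
    sle_low: float     # single-loss expectancy, low estimate (USD)
    sle_high: float    # single-loss expectancy, high estimate (USD)
    aro_low: float     # annual rate of occurrence, low estimate (events/year)
    aro_high: float    # annual rate of occurrence, high estimate

    def ale_range(self):
        """Annualized loss expectancy as a (low, high) pair: ALE = SLE x ARO."""
        return (self.sle_low * self.aro_low, self.sle_high * self.aro_high)


def replacement_cost(parts_usd, setup_hours, hourly_rate):
    """The 'minimum value': what it costs to buy the box and set it up again."""
    return parts_usd + setup_hours * hourly_rate


def confidentiality_scenario(records, cost_per_record, aro):
    """Breach scenario scaled by record count.

    cost_per_record and aro are (low, high) pairs; the per-record figures
    used below are constructed placeholders, not breach-cost study numbers."""
    return Scenario(
        "loss of confidentiality",
        sle_low=records * cost_per_record[0],
        sle_high=records * cost_per_record[1],
        aro_low=aro[0],
        aro_high=aro[1],
    )


def total_ale_range(scenarios):
    """Sum the low ends and the high ends across all scenarios."""
    lows, highs = zip(*(s.ale_range() for s in scenarios))
    return (sum(lows), sum(highs))


def orders_of_magnitude_apart(low, high):
    """How many decimal orders of magnitude separate two estimates (rounded)."""
    return round(math.log10(high / low))


# The post's firewall: an old 486 protecting about 1000 SSNs.
# Scenario figures are constructed for illustration only.
FIREWALL_MINIMUM_VALUE = replacement_cost(parts_usd=50, setup_hours=4, hourly_rate=70)
FIREWALL_SCENARIOS = [
    confidentiality_scenario(records=1000, cost_per_record=(50, 200), aro=(0.05, 0.5)),
    Scenario("loss of availability", sle_low=2_000, sle_high=20_000, aro_low=0.5, aro_high=4),
    Scenario("loss of integrity", sle_low=10_000, sle_high=500_000, aro_low=0.02, aro_high=0.2),
]


def report(minimum_value, scenarios):
    """Return (minimum value, scenario ALE low, scenario ALE high, orders apart)."""
    low, high = total_ale_range(scenarios)
    return minimum_value, low, high, orders_of_magnitude_apart(minimum_value, high)


if __name__ == "__main__":
    minimum, low, high, orders = report(FIREWALL_MINIMUM_VALUE, FIREWALL_SCENARIOS)
    print(f"replacement-cost minimum value: ${minimum:,.0f}")
    for s in FIREWALL_SCENARIOS:
        lo, hi = s.ale_range()
        print(f"  {s.name:<24} ALE ${lo:>10,.0f} .. ${hi:>10,.0f}")
    print(f"scenario-based ALE: ${low:,.0f} .. ${high:,.0f}")
    print(f"minimum value and high estimate are ~{orders} orders of magnitude apart")
```

Swapping in your own per-record and outage figures changes the totals but not the shape of the result: the replacement cost sits orders of magnitude below anything the scenarios produce.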
Posted by shrdlu on Saturday, May 05, 2007
Having a GRAND old time at the Lone Star Information Security Forum. There is more clue per square inch here than just about any other place I’ve been. It’s like ... I don’t know, it’s like a whole conference full of grown-up, well-dressed, well-spoken security geeks. It’s like Pacific Tech’s Smart People on Ice.
Ranum alone is worth the price of admission for quote mining:
“My iPod could handle THAT.” (referring to processing 60-70 log events per second)
“By 2020 we’ll have the INFOCALYPSE, where every man, woman and child over the age of 6 will be a Windows system administrator.” (Describing his dark vision of the future of security.)
“Mainlining Gartner reports”
Oh, and the food is good, too. It sure beats the standard cold cuts and potato salad fare I get at other conferences.
I have real hope that at least some of the answers I’m seeking will be found here, among people who are actually doing the work and solving this stuff.
Posted by shrdlu on Tuesday, May 01, 2007
There are a lot of predictable search keywords and phrases that cause people to come to this site, such as: “reasons to become a CISSP,” “VPN blocking access,” “security metrics jaquith” (man, you write just one glowing review and suddenly your hits double), and variations on “layer 8.”
But some really make you go “hmmm.” Here are my favorite search phrases from this month:
how do i tell the vendor my boss does not want to meet with him
That one’s easy. Just say it exactly that way. If the vendor’s pushing you that hard, s/he deserves a blunt answer.
layer of hell survey
I actually see “layers of hell” a lot. Maybe I should try to make my writing more infernal?
renovating to better serve you
Hint: start out your renovation by trying not to maliciously split infinitives.
onward thru the fog meaning
That’s a deep one. I wonder whether s/he ever found out?
Now, in the “I don’t WANT to know what they were planning” department:
annoy your boss
event planning fake budget spreadsheet
(This might be the answer to the one just above.)
getting around password protected zip files
Naughty, naughty! Just follow the Dogmatic CSO’s advice and Just Say No.
barrista hole punch
I sure hope they were looking for a brand name called “Barrista,” because otherwise I’d be really worried.
And finally, in the “Involuntarily Deep” category, which I will leave unadorned for you to contemplate as I have:
and i believe everything because you a layer
hallelujah layers
Posted by shrdlu on Saturday, April 28, 2007
A colleague said this to me once, and I wasn’t too sure he was entirely joking:
“We didn’t HAVE any security incidents until YOU came along.”
Many, many people reading this would be mentally adding, as I did at the time, “... that you KNOW of.” Which is a fair enough comment, but really, people DO think this way. If someone doesn’t even consider a virus infection to count as a security incident, then what DOES count?
On the other end of the spectrum, you have people who apparently are counting a whole lot of things as “incidents.“ I’ve seen some statistics from organizations that claimed they were reporting incidents in the THOUSANDS. How in the world do you get that number? Are you counting every virus and spyware infection separately, and are you getting hundreds of machines infected per month? Are you counting all the hits on your external IDS? (I don’t count those, any more than I count the number of raindrops falling on my umbrella. Sure, if I got a leak in the umbrella, I’d be wet, and if I didn’t have the umbrella at all, I’d be REALLY wet, but what’s the point in measuring how wet I’m not getting?)
I count viruses and spyware as incidents, but I don’t count each one separately if they’re all on one machine. We usually notice it through our outbound IDS filtering, we clean it up, we scold the user, and we’re done. It’s about as annoying as cockroaches, mainly because we can’t always get users to stop leaving food out on the counter, and we can’t plug all the teeny tiny cracks. But as far as we can tell, we’re not getting elephants following the cockroaches in.
Not all incidents require what I would call an investigation, and not all investigations count as incidents. Only rarely in my world do the two overlap. I don’t count something as a security incident just because it occurred on the computer systems; our whole organization does its business on computers. You might as well call everything a physical security incident because it happened in the building. But I do get called upon to provide computer-based information in the investigation of certain HR issues. I can’t really decide whether I’m supposed to count those as “security incidents” just because my department was called in.
Misuse of computer access or circumvention of security measures: that counts as a security incident, fer sure.
Sending someone harassing IMs? That gets fuzzier. They’re just not being NICE on the computer; they’re not violating security policies (except for the “acceptable use” policies that say you have to be nice to people on the computer).
Forwarding chain email? That’s being STUPID on the computer. Not really a security matter, if you ask me, although I get as annoyed as the postmasters do when it ratchets up our email volume.
Changing a root password out from under another colleague because you don’t like him and don’t think he should be messing with your server? There’s probably not a policy against that. I’d call it a misuse of computer access, but only just barely. Is it an incident, or just an argument? (Or is it abuse?)
Maybe my colleague was right. Depending upon how you define an incident, we’re pretty damn lucky: leaving out viruses and whatnot, I’ve only had a few occasions where real misuse of computer access or circumvention of security measures has occurred. Then again, he doesn’t KNOW about any of the incidents because he doesn’t have a need to know and I don’t tell him. He probably thought those law enforcement agents sitting in my office were vendor sales babes. Whatev.
What matters in counting incidents is what my management defines them to be, and they do know what they are. If they consider them to be a threat to our business operations, and want to put them in the security column, that’s fine with me. Either way, I deal with them. What numbers I might report to an outside organization won’t be a one-to-one match with someone else’s definition of security incidents or favorite metrics, but that matters less to me. Once the security bean-counters come up with an unambiguous set of security metrics, I’ll be happy to use them in reporting, but I’m not losing sleep over it.
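As an added illustration of the counting rules laid out in this post (not code from the original), here is the post's own logic applied to a constructed event log: malware counts once per machine, external IDS hits and chain mail and rude IMs are left out, misuse and circumvention count, and anything the rules don't mention is handed back as undecided rather than silently counted or dropped. The event list and category names are constructed sample data.

```python
"""Counting security incidents under the rules laid out in the post above.

Added illustration, not code from the original.  The event log is
constructed sample data; the counting rules are the post's own.
"""
from collections import defaultdict

# Constructed sample events: (host, category, note)
EVENTS = [
    ("ws-017", "malware", "spyware caught by outbound IDS filtering"),
    ("ws-017", "malware", "second spyware variant on the same machine"),
    ("ws-017", "malware", "adware toolbar, same machine again"),
    ("ws-042", "malware", "virus quarantined by AV"),
    ("ext-ids", "external_ids_hit", "port sweep from the Internet"),
    ("ext-ids", "external_ids_hit", "SSH brute-force attempt blocked"),
    ("ext-ids", "external_ids_hit", "web scanner probe"),
    ("srv-db1", "misuse", "root password changed out from under a colleague"),
    ("vpn-01", "circumvention", "tunnelled around the web content filter"),
    ("ws-009", "chain_email", "forwarded a chain letter to everyone"),
    ("ws-021", "harassing_im", "abusive IM to a coworker"),
    ("ws-033", "hr_investigation", "HR asked for a copy of the mailbox"),
]

# Rules from the post.
COUNTED = {"misuse", "circumvention"}          # one incident per event
COUNTED_PER_HOST = {"malware"}                 # one incident per infected machine
NOT_COUNTED = {"external_ids_hit",             # raindrops on the umbrella
               "chain_email",                  # being STUPID on the computer
               "harassing_im"}                 # not being NICE on the computer


def count_incidents(events):
    """Return (counts_by_category, undecided_categories).

    Malware is counted once per machine regardless of how many detections
    it produced.  Categories the rules do not mention are reported back as
    undecided so a human (management, per the post) can rule on them."""
    counts = defaultdict(int)
    infected_hosts = set()
    undecided = set()
    for host, category, _note in events:
        if category in COUNTED_PER_HOST:
            infected_hosts.add(host)
        elif category in COUNTED:
            counts[category] += 1
        elif category in NOT_COUNTED:
            continue
        else:
            undecided.add(category)
    if infected_hosts:
        counts["malware"] = len(infected_hosts)
    return dict(counts), undecided


def naive_count(events):
    """What you get if every alert is an 'incident' (the THOUSANDS number)."""
    return len(events)


def total_incidents(events):
    """Incident total under the post's rules."""
    counts, _ = count_incidents(events)
    return sum(counts.values())


if __name__ == "__main__":
    counts, undecided = count_incidents(EVENTS)
    print(f"raw events: {naive_count(EVENTS)}")
    print(f"incidents:  {total_incidents(EVENTS)}  {counts}")
    print(f"undecided categories (ask management): {sorted(undecided)}")
```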
Posted by shrdlu on Friday, April 27, 2007
So, I was out at the zoo with my kids yesterday. They were doing the usual running around, turning into some quantum cloud with me as the loosely defined nucleus, and I spent pretty much all my time trying to determine their positions (or at least their velocities) without having my eyeballs unscrew themselves from my skull.
In one exhibit, I saw a little boy wandering around. My parent-Spidey-sense tripped, because subconsciously I noticed that he was not within “proper range” of anyone who looked like his parent. As my kids herded themselves back outside, my Spidey-sense immediately spotted two women walking back and forth in the playground across the way, in a manner that I recognized as being Urgent. I figured these were the women looking for the boy.
I sent my oldest back into the exhibit to find the boy, and just then another woman came out leading him. Their body language clearly showed that they were not related, and she was looking around to find his parent. I pointed her to the other two women across the way, she took him over there, and lo and behold, everyone was reunited happily.
This all gets back to the importance in security of detection, because in Richard Bejtlich’s oft-repeated words, prevention eventually fails. Kids can and do get really, really excited and run off without another look back. (Which is why I write my cell phone number on my kids’ arms before we go off to a place like this.) In this case, detection worked well to solve the problem. But how did it work?
It was the Hinkiness Factor. In this case, it was a function of my noticing an outlier (a boy without a responsible adult in “range,” for some undefined value of “range”), and being trained as a parent to notice that outlier. (Which also explains why IDSes will never be that good at getting you the detection you need. A boy in a zoo exhibit? Just what you’d expect to see, right? Parents walking fast? Isn’t that normal when you’re chasing kids?) I put the rest of the puzzle together by putting a context around it, and identifying other symptoms that could be associated with it.
So you need someone who is trained to pay attention to what you want to detect, who is good at noticing things out of the usual context (i.e. something “hinky”), and who can pick other packets out of the stream to put the puzzle together. Remember: an intrusion shows up either as something “normal” coming from the “wrong” place, or something coming from a “normal” place but doing something “wrong.” It’s all in the context, and neither signatures nor baselining will completely cover that.
Now, I really need to work in something about neurotic lions and flamingo poop to round out this security analogy, but I think I’ll leave that as an exercise to the reader. Me, I’m still beat from chasing the kids around the zoo.
Posted by shrdlu on Tuesday, April 24, 2007
There are few things that chill my blood more than having a colleague come up to me and show me proudly how they’ve got All! This! Data! on a USB flash drive.
From a security perspective, I hate USB fobs even more than I hate laptops and other removable media. Here’s why, in a nutshell: USBs are the easiest to have in an ambiguous security state.
You can generally tell right away when you’ve lost a laptop. CDs and floppy disks are a little harder to figure out, but they don’t carry nearly as much data as a 2-GB USB stick. This means that with a USB drive, you can potentially lose a large amount of data; the more data you have on it, the greater the chance that some of it will be confidential, and the greater the chance that you won’t remember exactly what it was. And because USB sticks are so small, you can very easily get into this state where you can’t find them, but you’re not ready to say that they’re actually lost or stolen. Did your dog swallow it? ‘Cause if that’s the case, maybe you don’t have to report a data breach. Maybe there wasn’t any confidential data on it; you’re not sure. Maybe, maybe, maybe ... that way lie the bogeymen called denial and rationalization, two of the security officer’s enemies.
Many of my colleagues don’t understand this risk until I pull out what I call the Boss Anger Scale for risk assessment. I ask them, “If you had to go tell your boss that you lost this, how mad would s/he be? How mad would the Top Boss be?” Then their eyes widen in terror and they finally Get It.
Yeah, I know there’s encryption available for USB sticks. But there’s nothing you can do to force users to limit themselves to those approved kinds, when every vendor booth at a trade show is handing out others. And if you can’t trust a user to keep a drive away from his dog, can you really trust him to use encryption?
Posted by shrdlu on Wednesday, April 18, 2007
I’m excited to be able to attend the Lone Star Information Security Forum in May. I think a Forum is supposed to be better than a Conference—the former implies a more intimate setting, which this is supposed to be, and it implies more than one person in the room talking.* At any rate, it’s supposed to be press-free and vendor-neutral, with confidentiality agreements, so this may be the very thing I’m looking for. I’m certainly tired of listening to Identity Management 101 over and over again, with the slides the same but the vendor logos in the corners varying over time. And walking the Home Depot Security Trade Show Floor is fine when I’m going shopping for products, but not when I’m looking for solutions.
Besides, any gathering with two of my favorite Security Curmudgeons has got to be worth the time. Wonder if they’re going to include a Whisky BOF?
*And anything abbreviated to “Con” connotes (sorry) plenty of t-shirts with cutoffs, long hair, vadding and drugs. w00t!
Posted by shrdlu on Monday, April 16, 2007
Last month was my highest ever in terms of total “unique visitors” to this site.
This month, I’ve just passed that number today.
Wow. Are there just more script kiddies knocking at the door?
Posted by shrdlu on Sunday, April 15, 2007