The Security Catalyst

One of the true benefits of sharing thoughts through spoken and written word is the ability to meet quality people. I thrive on conversation - especially discourse that leads to new understanding. I am a firm believer that through purposeful conversation, honest intentions and open minds we can solve a lot of challenges we face.

So when Martin McKeay and I were “chatting” online Tuesday night, he popped in with “Hey - no pressure, but do you want to cohost tonight?” It took about a minute to decide. He shared some links to stories to talk about and I took 30 minutes to read them and write down some ideas - and then boom - we recorded.

I really enjoyed the conversation and was really amped at the end. It took me a while to get ready for bed - my mind was still engaged. I hope you have a similar experience when listening!

Find the show notes here: http://netsecpodcast.com/?p=48

And the direct link to the program here: http://media.libsyn.com/media/mckeay/nsp-070108-ep110.mp3

(PS: I hope you still chose to listen to the programming on The Security Catalyst; however, somewhere in the feedchange, we seem to have confused iTunes. If it doesn’t look like we have new shows - you may want to unsubscribe and resubscribe.)

After a decade of participating in certification workshops (and similar events like program and solution development), I have witnessed an interesting trend emerge: ask ten professionals to define a term or concept and get twelve answers. Rarely these answers are tied to a standard framework or definition; instead, they tend to be based on the experience of the expert being asked (or offering their opinion anyway). In my experience, the resulting workshops muddle the opinions together to produce a result people claim pride in (because they have their own opinion incorporated) — but it rather than building on the wheel, it often reinvents the wheel.

Note: this can be easily tested. With the new awareness of the trend, look for it during a meeting, workshop or even in the stream of answers given on a mailing list of professionals. In most cases there will be a flood of answers that *seem* correct, but lack references or links. While this is not always a bad thing, it often leads to confusion and complication.

While this may not happen to all groups, it certainly happens to a lot of them. Why else do we have so many frameworks to assess risk? When you really dig into them, they all advocate essentially the same thing but with a variety of tools and ways to do it. Most “security” professionals feel that none of them is complete and continues to search for the holy grail (which means they decide to build it better).

This is an inherent challenge –- and benefit –- to working with a team of experienced, dedicated and passionate professionals: each has tremendous value to contribute based on their experience. The problem lies in distilling the various experiences into a useful solution instead of working to muddle them together into something that looks like the wheel we already have, but only slightly different (and not necessarily better).

In order to prevent the unnecessary reinvention of what already exists — and use time and resources to get better results — it is important to first understand the three main reasons this happens (tomorrow, we explore what to do about it):

1 - “Truthiness” Strikes Again!
If you have not (yet) watched The Colbert Report, “truthiness” is the term he coined, defined as:

“things that a person claims to know intuitively or ”from the gut“ without regard to evidence, logic, intellectual examination, or facts.” [http://en.wikipedia.org/wiki/Truthiness -- this is entirely worth the quick read and consideration]

There is too much “truthiness” in security today — inherent in the myriad of certifications, frameworks and solutions — and the industry overall. I suspect it is a result of exerting professional opinions combined with a [perceived] lack of time to back it up with references. This is, quite possibly, the single biggest challenge the industry faces right now: put enough experts in the room and everyone has an opinion that is a shade different from the others.

The paradox is these different opinions are precisely what is needed to distill to the core essence necessary for an effective solution. These opinions need to be captured, tied back to references and distilled for important elements. However, when faced in a group setting of experts, each person has an innate desire to share valuable information and insights; everyone wants to be “right.” Just because someone “claims it so” doesn’t make it true (even if it is written on the Internet).

Truthiness brings an unintended consequence: personal emotional involvement. It is easy to make a statement of “fact”, but more difficult (albeit necessary) to back it up with references and data that support the point. Call it ego, passion or whatever you want. Whether relying on a priori or a posteriori knowledge (I had to look it up, too: http://en.wikipedia.org/wiki/A_priori_and_a_posteriori_%28philosophy%29 - hat tip: Lori Mac Vittie), individual emotion and reputation becomes entangled in the result; this introduces unnecessary complication that muddies the end result.

(Pick the Brain recently ran a great post about this: Is Truthiness Holding Back Your Blog? — if you’re not reading this regularly, you should consider it)

2 - Failure to Focus on Fundamentals
The value of pulling together a team of professionals lies in their collective experience. These experiences inform opinions that are important when used to explore or contrast fundamental concepts. The challenge is ensuring the opinions are couched properly and tied back to the appropriate fundamental concepts. All-to-often, fundamentals — which take time to review, distill and cite — are left by the wayside. People accept “close enough” as being “good enough,” when, in fact, it is not (well, except for horse shoes and hand grenades).

Over time, a tight grasp on fundamental concepts is loosened. As experience colors fundamental understanding, individuals accept “close enough” and rely on truthiness (afterall, it works in their professional lives). Failing to focus on fundamentals (or at least reference sources) leads to confusion of language resulting in wasted time and effort. This extends beyond the current session to future sessions where the specifics of the discussion have long since been forgotten. By failing to establish anchors to accepted standards, definitions, resources or other fundamentals, the essence is lost. As a result, it is difficult, if not impossible, to make meaningful progress.

Using language to reach a truly common understanding requires constant and skillful negotiation. Success comes when those involved work together to build a common set of anchors. Without a similar frame or grounding to the same perspective, it becomes increasingly difficult to reach the same conclusion.

3 - group think prevails

“Groupthink is a type of thought exhibited by group members who try to minimize conflict and reach consensus without critically testing, analyzing, and evaluating ideas. During groupthink, members of the group avoid promoting viewpoints outside the comfort zone of consensus thinking. A variety of motives for this may exist such as a desire to avoid being seen as foolish, or a desire to avoid embarrassing or angering other members of the group. Groupthink may cause groups to make hasty, irrational decisions, where individual doubts are set aside, for fear of upsetting the group’s balance.” [http://en.wikipedia.org/wiki/Groupthink]

Here is where this applies: most of these groups have few arguments. The few challenges that exist tend to be heated and passionate discussions centered on two different positions, both relying on truthiness. The sad reality is that most people have forgotten (or never learned) how to challenge and argue effectively.

This lack of practice in participating in argument is also hampered by the personal emotion. When the argument is centered on the idea of a person instead of a fundamental concept and how it is applied - it feels like a personal attack to the person who suggested it. And sometimes, it probably _is_ a personal attack. Regardless, it does not represent a constructive approach toward real results.

Realizing the conflicts are unproductive (and sometimes uncomfortable), groupthink kicks in. It is further compounded by those who are less certain of the facts who decide to remain quiet lest they be branded as unworthy of participation. The natural instinct is to presume the other person knows more and avoid the embarrassment of being wrong. So instead of vigorous and productive conversation, the group is met with tactic approval (and sometimes whispers in the corners).

Passion expressed as truthiness that is not anchored to references gives way to groupthink. The resulting product often resembles a reinvented wheel, instead of a solution that takes advantage of the good wheels already developed.

Your New Wheel (wait, did you want a new wheel?)
What about personal pride and taking ownership of the solution?

While “ownership” is believed to lead to better results (the whole concept of responsibility addressed in Into the Breach), few people want to own the efforts of someone else. Personal investment clashes with the fashionable approach of rejecting solutions “not made here” (which would take another series to explore). Basically, everyone wants to build their own, better solution (for various reasons). Unfortunately, as the process unfolds, the three elements outlined above combine to create an end result that the very professionals involved often distance themselves from. Personal pride turns to hurt emotions and bitter feelings. And the search for a new solution kicks back in.

How to overcome these challenges and build a successful framework/solution will be tackled in the next segment.

Technorati Tags: catalyst, comptia, fundamentals, groupthink, into the breach, trustmark, truthiness

I am going to continue my examination of the CompTIA Security Trustmark by sharing some challenges inherent in groups — and then revealing some simple steps to overcome those challenges. Read Part One or engage in the conversation.

As noted earlier in the series, Trustmark initially eases the path for “channel vendors” to gain confidence in their VARs. Regardless of whether each vendor is conducting some level of “due diligence” today (or not); by working together on a common framework and audit standard, churn is reduced while assurance and confidence increased.

Trustmark may be currently focused on the 20,000+ members of the reseller community, but I see a short path to benefitting the fortune 500 companies seeking to complete their due diligence on smaller partners. I even see a path for doctors, lawyers and other professionals. Much like BITS is becoming an accepted standard for large organizations [download the framework here: BITS Framework for Managing Technology Risk for IT Service Provider Relationships], Trustmark can do the same.

Three Challenges to Success
Whether developing the Trustmark, working any type of certification or developing a new process, there are three broad challenges to ensuring a successful outcome:

1. building the framework/solution
2. applying the framework/solution
3. verifying the framework/solution

The balance of this series will explore each of these challenges to reveal what happens and how they can be successfully met. Seems that each time I sit down to work on them, I learn (and the article expands). To make it more readable, I’ll be breaking these down into a series of of readable columns. However, if there is enough interest, I’ll pull them together in the end for a cohesive paper and make it available for download. I know that I’ll be referring back to this research to avoid mistake in future efforts.

Technorati Tags: catalyst, comptia, BITS, trustmark

Happy Monday! The forums have really seen an uptick in membership and activity in the last few weeks. This is a supportive environment where professionals come together to ask for help, share ideas and get validated. Here is some recent activity (and darn good discussions):

• Incident Response Case Study: Shutdown the Network?
• Protocol Security: Where does it belong?
• Web Server vs Reverse Proxy
• PCI DSS clarifies 6.6 Requirements
• IPS Matrix

I spent a great day in Rochester, NY yesterday. Here is some of the activity in the forums  - check it out to add your opinion or learn (lots here to learn from):

• Porn Scanner
• Reporting Incident Response Statistics
• Vulnerability Management Process/Workflow
• The cost of PCI compliance — or non-compliance — for small organizations
• DFRWS and OMFW

Here are some recent discussions. Got an opinion, jump in!

• Building trust in the Trustmark – would you use it? Trust it?
• CISSP - on it’s way out, or not. Or both?
• Black Hat/DefCon
• Do you use NAC/NAP/TNC?
• SAP Enteprise Portal

Your participation is your currency (means no charge to join) - the more you contribute the more you learn and the more valuable the community becomes to everyone (so dive in and share). If you have not yet registered, please remember to use firstname.lastname as the standard.

Earlier today we received the shipment of “preview copies” for Into the Breach. This is the first book that I authored by myself (as opposed to contributing) - and it took longer than expected. Despite the delays, the entire journey has been amazing!

To open the book and hold the finished (albeit preview) product in my hands felt cool.Okay, I did a little happy dance in the office. Then I realized that the book website is out of date (and is slated for massive overhaul next weekend). We’re also working on the link for pre-orders and a final ship date for the Hardcover version…. mind racing, pressure building, I got back to work.

Just now, my children came home. My son actually snuck into my office (he’s getting good!), walked up behind me and yelled “Congratulations” and gave me a huge hug. He was as excited as his birthday when I handed him his own copy. He looked me dead in the eye and told me, “Daddy, this must have taken a lot of time. I am very proud of you.” His entire body let me know he was excited. And proud. A minute later, my daughter came running in, cheering for me. She immediately asked for her copy, hugged me and told me the book looked “great.”

The tears welled up as they scampered upstairs to put their books in “a safe place.”

I didn’t write this book for the sake of writing; rather I wrote to shift thinking and change behaviors. I asked, “What if breach isn’t the problem?” and then spent a few years blending and distilling sociology, psychology, applied economics and experience with technology to share some insights and suggest a path. I wrote to make a difference. The process of writing involved the entire family - and for that, I am grateful.

Holding the book today was an awesome feeling. And yet it was quickly trumped by the simple celebration and pride my children took in me. This is what really matters. Today is a day to remember.

Update: My parents and Grandmother came by for dinner. My son ran out to meet them - book in hand. Couldn’t wait to tell them “how totally awesome Daddy’s book is.” Totally an awesome day to remember.

Technorati Tags: catalyst, into the breach

Recent activity includes:

• NAC solution
• Security testing tools
• Sharing With Others

How hard is it to build trust?

“When people honor each other, there is a trust established that leads to synergy, interdependence, and deep respect. Both parties make decisions and choices based on what is right, what is best, what is valued most highly.” –Blaine Lee

In my last article, I introduced the efforts of CompTIA to address a growing need in business today with the Trustmark certification.  The Trustmark, initially focused on small and medium-sized VARs, represents a promising step forward in how businesses demonstrate and verify they protect information. As outlined in part one, I see a far larger benefit for small and medium businesses everywhere – provided Trustmark is positioned and grown properly.

Note: The more I think about Trustmark and the challenges of getting it right, the more I see vast potential. As such, I’m lengthening this article into a series of posts to share more ideas and invite constructive conversation.

 

The Challenges

Now I turn my attention to addressing the key challenges – with suggestions on how to meet and overcome them. This is also a call to action for professionals to come together to tackle these challenges industry-wide.

When I left the Trustmark workshop, I sensed the start of a necessary program that is heading in the right direction. In the weeks since, I have continued to consider the approach – and the challenges that must be overcome — in the context of my own experience with frameworks, education and industry measurement.

Aside: these challenges are not unique to Trustmark – these are challenges many of us face every day, especially when it comes to presentations, standards development, projects and our day-to-day activities.

The next few articles will address some of the key challenges and provide some insights – based on my experience – to successfully address those challenges.

1. No Need to Reinvent the Wheel
2. Provide Transparency with Support
3. Establish a Sound Audit Process

Make a Difference

While you may not (yet) share my enthusiasm for a way to verify how vendors and other businesses protect information, your experience, concerns, insights and ideas are essential to the success of this and other efforts. So – reach out to me by email, telephone, twitter or join me in the Security Catalyst Community to sound off.  I’m interested in any and all feedback – especially from small business owners, VARs, vendors, anyone who has been through this process. 

By blending our voices and experience together, we are able to influence positive change (while actively considering and addressing unintended consequences).

Stay tuned… 

“What questions do I need to ask to make sure my vendor is protecting my information?”

I got asked that question last week from a new client working through the Protecting Information Program (PIP). Following the PIP process, he realized vendors were supporting key systems — raising questions he could not answer. He needed more assurance that he wasn’t taking on unnecessary risk – and was looking for guidance. It is a good question. The challenge, however, is to provide an equally good answer.

Traditionally, the answer to that question is focused on the vendor employees in terms of how many hold a security certification (my status as a CISSP Instructor has been valuable in the past). This is better than nothing, but all-too-common is the situation where the cobbler’s children wear no shoes (or the modern adaptation where the contractor’s spouse never has anything fixed around the house). 

Instead of relying on individuals holding certifications, some turn to checklists. Checklists are both good and dangerous (I feel another post coming on about my experiences with developing checklists). Checklists that are simple easy-to-understand and as easy to apply/answer are more effective. But what happens if the business asking the questions lacks the experience to gauge the answers?

We need a better solution.

I recently got an insider’s look at a better solution: The Security Trustmark, a new organizational-level certification being developed by CompTIA. Some limited information is available here: http://www.comptia.org/sections/trustmark/

From their website:

The CompTIA Security Trustmark is a vendor neutral accreditation around security business capabilities and processes that have been agreed upon by the IT industry to promote generally accepted security practices that will invoke the trust of end-users.

The objective of the CompTIA Security Trustmark accreditation is to develop a baseline standard of security practices around service and support business competencies for Solution Providers and Managed Services Providers (MSPs).

After participating in the workshop and spending a few weeks pondering this approach, I want to briefly introduce what I consider to be the benefits of this offering, share what I liked and explain where I see the challenges (tomorrow).

And then I want to learn – join me in the conversation about this whether by email (securitycatalyst - gmail), by twitter (http://twitter.com/catalyst), in the Security Catalyst Community Discussion Forums or by telephone. I want to learn about other models, efforts, and attempts. I want to understand if there are additional challenges for us to consider. I want to understand how this effort is (or becomes) useful to more people.

The Starting Point

Initially, this approach is geared toward small and mid-size vendors and VARS: companies that work within “the channel.” This approach:

• sets a standard for smaller companies to achieve, allowing them to demonstrate to their channel partners they pose less risk to work with
• allows vendors higher confidence across their entire channel
• creates distinction for VARs and Channel Vendors alike that results in competitive advantage

With the growing attention on breaches, privacy and compliance – rather than working to explain all of your measures, think of the power of explaining that you have attained the Trustmark – publicly verifiable and audited.

The Big Picture (as I see it today)

My passion for this, of course, is bigger. In the last few years, a growing challenge for those I work with is defining and explaining the minimum set of acceptable controls to protect information. Equally challenging for larger organizations is designing and employing third-party (vendor) review processes.

This results in a lot of re-creating the wheel. And it increases the cost of business for everyone involved. I have no argument with the need for due-diligence on vendors – but lament every year the lack of a “common application” approach that seems to work for university applicants.

Imagine being able to pre-validate vendors by virtue of having a Trustmark?

Provided the core elements of Trustmark are publicly available (transparent) and regularly maintained to represent the distilled good practices for managing people, information and risk, we collectively take a step forward.

• Businesses know what is expected of them – and will have the opportunity for the guidance and support to take the appropriate actions for their business. They can then earn the Trustmark designation and use that to differentiate themselves for contracts.
• Companies seeking to review vendors can greatly cut down on costs and timelines for vendors with a valid and audited Trustmark. It may not replace the current programs – but it certainly establishes a stronger base to start from and increases assurance while decreasing risk.

Done right, Trustmark is not another reinvention of the wheel. Rather, it provides a clear direction for businesses that distills the best of industry guidance. I envision this operating almost as an “overlay” – where several valid methods to meet the controls are deemed acceptable. This reduces complexity and more naturally meets the needs of those who seek the certification. For example, companies already compliant with HIPAA and PCI should be able to easily earn the Trustmark. At the same time, a company that need not meet any of those requirements is equally able to address and satisfy the controls necessary to get certified.

Over time, I envision this meeting the needs of car dealers, medical offices, bank branches – the very places we visit on a regular basis. I see this as the smartest way to distill the best of our industry and present guidance in simple terms to businesses that want to protect information, but focus on other areas (for example, making money).

Answering the Question

No question, I am excited about the potential Trustmark holds (both short-term and long-term). I see this as a real answer to valid and necessary questions about how vendors protect information — in a way that builds trust and allows everyone to focus on whatever they do best while meeting fiduciary duties.

As I was working on this article, I took an unexpected meeting with a company facing the same challenge: how to assess their vendors from an information-protection perspective. The marketplace is ready for standard guidance and a program that builds confidence; we have an opportunity to make a difference!

Tomorrow, I’ll continue this article by explaining the key challenges I see facing Trustmark, as well as some insights on how to avoid it. In the meantime – how do you answer the question when asked about assessing vendors? How do we avoid creating the wheel? How would this benefit your business?