June 26, 2006
· by SecurityCatalyst
Before you bite my head off and determine I’m insane (to steal a line from my hero Jimmy Buffett, “If we weren’t all crazy, we would go insane”), let me explain.
This weekend, I read an excellent post by Brad Feld — Talking About Failure. Go read his post, but in the meantime, his point is that we, collectively, don’t spend enough time talking about or thinking about failure. Brad focused on entrepreneurs and VCs - I’m going to expand that to security professionals.
We are conditioned in our practice of security to be especially leery of failure. Open any newspaper and you can read about the results of someone’s failure. Given the high stakes in security today, it often seems that “failure is not an option.” I bet some of us have even uttered those words in the not too distant past.
I agree we need to prevent catastrophic failure, but how many of you are comfortable, right now, admitting that you don’t know the answer to something? Can you think back to the last month and find a poor decision, failed project, or the like?
I used to joke that I did household projects twice: the first time, then the right way. Of course, that’s not really a joke. I have a list of projects that I worked on since I was old enough to hold a hammer and nails. I learned, through trial and error, how to build and repair almost everything around the house. As I got older (and my budget could afford it), I learned from my vast experience (including failures) that the right tools and some planning made a difference. If I hadn’t been willing to try things out and fail, I know I wouldn’t have learned as much.
I think we need to refocus the way we practice security. While we need to be mindful of failures that create breaches or have dire consequences, it doesn’t mean that we do everything right the first time. We often experience some failures along the path, and it’s time we used that to our advantage.
I’m a big believer that we learn from extremes - extreme success and failure. When you muddle along in the middle, I don’t think we benefit that much, to be honest. I’m fortunate: I grew up in a family of positive values and was supported through each step. My parents took a simple gesture when I was small that will stay with me until I die (thanks Mom and Dad!) — see, in my room, I had a desk with a bulletin board over it. In addition to my American flags, my parents bought me a sign that read “you never fail until you stop trying.” It was blue letters on a white plastic background with the image of an eagle flying. I read that sign several times a day for more years than I can recall and have incorporated it into my basic belief structure.
So while I am not suggesting that you embrace failure and seek it out, I do believe that failure is important. What is valuable is what you do when you fail. Rather than knee-jerk away, take some time to step back and analyze what happened. I’m no expert on how to examine failure, but I’ll share with you some of my approach:
Posted in Information Protection
June 24, 2006
· by SecurityCatalyst
We recorded the second episode of the Security Roundtable last week - and it is now available for your listening pleasure! On this episode, I was joined by SRT founding member Martin McKeay of the Network Security Podcast and special guest Alan Shimel from the Still Secure podcast.
We had a really engaging conversation about the recent laptop thefts and explored what has to be done about it, as well as expressed some opinions about the current actions. We talk about technical and non-technical solutions to address these issues.
We then explored the differences between the US and the European Union in terms of data privacy, breaches and breach reporting. I would really enjoy learning your opinion and hope you send me some feedback (until the forums/community is restored) — securitycatalyst@gmail.com.
Keep making a difference!
Posted in Information Protection
June 24, 2006
· by SecurityCatalyst
I came across this post by Keith Ferrazzi, author of Never Eat Alone: And Other Secrets to Success, One Relationship at a Time. I am enjoying this book and his insights, and plan to introduce and explore the relevance of some of his concepts to our practice of security over the coming year.
In his post, he talks about stretching out celebrations and celebrating life, but it is this sentence that really captured me:
If only today, you called the 5 people in the world who are most important to you and let them know that they are, it’s a great gift to give to yourself and them.
So what has that got to do with security? I realized that a lot of times, we forget to acknowledge and thank the people closest to us, whether it be a spouse, family member or good friend — the very people who support our efforts to improve security. These are the people who support and inspire us, who let us vent and encourage us to continue with our passion. Have you stopped and honestly thanked them lately?
But then I kept thinking about this simple passage, and realized that in security (and generally in technology and even the workplace), we seldom remember to thank those around us for their help. In security, it’s *easy* to tell when something went wrong or when someone makes a mistake. In the wave of recent data breaches, we have seen a lot of finger pointing. So rather than focus on the negative, I think we need to accentuate the positive. A simple, sincere thank-you is important to remember.
In my career, I have found support and inspiration from some really great people, often at times when I least expected it. I have tried to remember to thank people and tell them why they inspired me or helped me to be a better person; Keith’s post helped me remember what is important.
For next week, thank one person each day (so 5 people). Call them or visit them, and spend a few minutes telling them how you appreciate their ideas, support, inspiration, approach or whatever is appropriate to share with them. Simple, honest and direct, no more. I know you will be pleased with the results and you will have further improved your practice as a professional.
Posted in Information Protection
June 22, 2006
· by SecurityCatalyst
We like to think that the people we see every day at work are as honest and hardworking as we are (and in the event I have misspoken for you, then we hope they are more honest and hardworking) - but the commonly understood risk of insiders is that the bulk (upwards of 75%) of successful attacks are executed by insiders.
I suspect that some of what is considered an insider attack is really “insider error” or a variety of other accidental happenings that get lumped into the category.
However, if this is an area you’d like to explore further, there is a new list started on Yahoo! Groups dedicated to this topic. From the homepage description:
The insider threat group provides a forum to discuss resources and techniques to mitigate the threat posed by authorized personnel. Those interested in learning more about insider threat will benefit from the exchange of tips and the opportunity to ask questions. The group is moderated to keep on topic.
As a matter of policy, group members have undertaken not to support or condone spammers. Our members do not purchase or even evaluate products from organisations that use spamming and ‘group fly posting’ as a sales tactic. Please do not waste your time or ours.
Related Link: http://www.ussecurityawareness.org
I have only recently signed up, so I’m not yet sure of the relative value of this effort. My initial impression is positive and I look forward to your impressions, too.
Posted in Information Protection
June 21, 2006
· by SecurityCatalyst
About 3:45 this afternoon I got an automatic message that there was a new post on the forum - and it included the text. It was clearly an attack, so I took immediate action to both remove the post and the poster. The irony, of course, is that I review each account before allowing people in - and this poster took the time to complete the information. I had a suspicious feeling, but went ahead and approved the account anyway.
We’ll call that the First Lesson Learned: trust your instincts.
Well, I didn’t get to the board in time, and the hack was successful; we’re currently working to cordon off the forums and are assessing the damage to the system. However, as we’re walking through the server, we’re noticing several mistakes that I/we have made in hardening our server.
So I have confirmed that even the slightest mistake or oversight allows an attacker with time and patience the opportunity to strike. I’m flattered that someone thought the work we are doing to be worth investing the time to manually subscribe to the board, pose as a legitimate user and then execute an attack against our forum software.
So what now?
Well, we’re completing our damage assessment. To be honest, we have no clue if anyone has direct access to the server or if this was an attack on the software only. Clearly, we’ll take the forums down for a few days. It’s upsetting since we were just picking up speed; during that time, we’ll be assessing the situation and determining if we continue with the Invision software or move to a different platform. Ideas, comments and suggestions are certainly welcome.
To be on the safe side, we consider the current server to be a total loss. We do make regular backups and will be securing and transitioning to a different server over the coming days… and maybe a bit longer. As usual, this never happens at a “good” time, but it points out that even security people are vulnerable. And the depth of information required to be good across the board is deeper than an inch.
So, I’ll take notes on our actions and lessons learned and share them with you. I may wait a bit, document it, reflect on it, and then package it up to share. In the meantime, I have learned that nobody is perfect and now it’s time to learn some new aspects of server hardening.
Posted in Information Protection
June 18, 2006
· by SecurityCatalyst
Happy Father’s Day!
In reflecting on the lessons I learned (and continue to learn!) from my father (thanks, Dad!), I was considering the recent data breaches we have witnessed as a result of laptop (and other) theft. The reactions have been predictable and focus on finger pointing, passing the blame and then looking for the magical silver bullet that will solve the problems.
I think the solutions don’t start with technology, but rather start by addressing personal responsibility and accountability. From that basis, we are able to make better decisions and provide strong foundations on which to build our solutions.
In this podcast, I share with you some of the lessons I have learned in how we can effect this change. I share with you my experience and look forward to your contributions in the catalyst community.
I also share some of the listener survey results; great stuff for me, perhaps not as exciting for you. Thanks to your help, reviews and subscriptions, I have a healthy sense of what you expect and pledge to continue to improve and provide good value to you. If you want to know what’s coming ahead or provide feedback, please check the forums. And you are always welcome to send me an email, but for the next few months, I’m going to focus on programming.
If you’d like to explore or challenge the concepts I introduced today, please contribute to this thread in the forums.
Posted in Information Protection
June 14, 2006
· by SecurityCatalyst
I am interested in how we support each other and the growing interest in security as part of the Catalyst Community. In this thread on the forum, we have been exploring which aggregators we use and which feeds we subscribe to, and I have been interested in how we can share that information more effectively.
I recently learned about and signed up for an account with Feed Collectors.
I requested an account and have uploaded my OPML list (which grew recently). I have yet to invest the time to really contribute (beyond my upload) and leverage this tool. I still believe there is a benefit from sharing ideas, knowledge and links.
I think it might be useful for several of us to join, share our OPML and leverage their services to build a good list of security information for us, but also for the larger community. If you join, you can find my feeds by searching for “Catalyst Collection” or by searching for my username: “Michael”.
If you request an invite and establish an account, please post up to this thread and then we can start helping each other find and share good security resources. I have noticed others with similar interests, and this might be a good way to share and learn more.
Let me know what you think, or if you think there is a better way.
Posted in Information Protection
June 11, 2006
· by SecurityCatalyst
I’m passionate about security, but also in exploring new solutions to the problems we face. Lately I’ve been exploring the economics of spam, and looking into ways we can disrupt the economics of spam in an effort to reduce it. During our first Security Round Table podcast, we talked about spam, and I mentioned that I was interested in disposable email addresses - and asked for links to companies that could do it.
A few days later, I came across Reflexion, a company with a different approach to reducing spam, since they use what they call “non-disposable” email addresses. I called and had some good technical discussions, and then decided to interview Scott Barlow about their solution.
Now this marks the first time I have interviewed a vendor about their solution. I took an approach of asking the questions I would ask them if I were going to consider them for my company or on behalf of a client. I hope you find this useful, and if so, I will look for other noteworthy solutions to share with you.
Either way, let me know - and ask more questions in our forum in this thread (click on the link).
In the podcast, Scott mentions a diagram; here is the diagram.
Also, here are some of the recent threads on the forums that I would enjoy your feedback on:
Certs, Degrees, And Stuff, The Professionalizing of the IT Industry
Security Blogs And Forums
What Are The First 5 Actions, Security Catalyst Case Study - Baselines
Wireless Security: Protecting Your Company (Westchester County, NY)
Promo: The Mighty Seek Podcast
Posted in Information Protection
June 11, 2006
· by SecurityCatalyst
In October 2005 I launched the Security Catalyst in an effort to bring together passionate security professionals — to learn, to share, to improve our profession. The community is growing, and fostering some excellent and important conversations that I am honored to take part in. These efforts have reinforced in me the belief that it is important to explore and challenge our notions of what it means to be a security professional.
I think that we have yet to scratch the surface. I look forward to the coming months as we continue to push on conventional norms and start to envision the future of security. Already, this effort is leading me to put less reliance on certifications, and more on the ability to demonstrate learned knowledge. As you may recall from previous postings - information is not knowledge! Knowledge is cultivated from the careful and consistent practice of activities that transform information into something infinitely more useful.
So as I sit here researching my notions of the future of security (which I will share with you in the coming months), I wanted to share this posting (from the Church of the Customer blog) that I came across this evening. I read this and was immediately drawn to the passage. It’s about professional services (so as a consultant, this makes sense to me), but even if you are not a consultant, read the words, for I believe this is the essence of a true security professional.
This passage is taken from David Maister’s,
(which I plan to purchase and read):
The conclusions many advisors draw are that they must be careful about giving away the store… The truth is, expertise is like love: not only is it unlimited, you destroy it only by not giving it away. Love for a child is not cut in half with the birth of a second child. And expertise is not to be confused with what can be scanned into a database. The human capacity for problem redefinition and creativity is what a successful advisor brings to every situation. It is unlimited; it only gets better with practice.
I have a deeply-held conviction that it is our responsibility as professionals to share our knowledge. By sharing our knowledge and providing a pathway for others to transform their information into knowledge, we can change the landscape for security (across the board). This certainly comes with risks, but it’s a chance I’ll continue to take. I hope you will too!
Posted in Information Protection
June 8, 2006
· by SecurityCatalyst
I got an email this morning from the editor of (IN)Secure magazine pointing out that I have been highlighted in the current issue. I am honored to be recognized for my efforts (as are my fellow Security Roundtable Podcasters) and wanted to not only share the good news with you, but to alert you to this magazine.
(IN)Secure is a free, online magazine that you can download in PDF format. I am starting to review some of the issues now, but am always supportive of a resource that aims to bring different perspectives to security and help people continue their practice. (IN)Secure may be a valuable resource for you.
(Tip of the hat to Martin McKeay for writing the article)
Either way, thanks for listening and helping to spread the word. Let me know what you think of (IN)Secure and perhaps we can help improve on their efforts!
Posted in Information Protection