
Archive for November, 2006

Guest Blogger: Information Security Practice as a Game of Chess (Part 3 of 3)

Information Security Practice as a Game of Chess
Ted.Phelps [@] suny [.] edu

Welcome to Part 3 of “Information Security Practice as a Game of Chess.” In Parts 1 & 2, Ted Phelps explained the analogy and the players. Now Ted explains the endgame as well as additional points to consider!

Endgame: A game of chess ends—often before 50 moves.
ISec, in contrast, goes on like an endless tournament. The only time it truly sees a loss is when an institution goes down in a disaster and never comes back. And that’s why working to prevent death by disaster is part of ISec’s strategy. However, players will certainly feel as if they have suffered a loss when someone breaches a system containing sensitive information—especially if they have worked to protect that system. Those losses hurt the institution and often hurt persons who have entrusted their personal information to our care. Although we have been checkmated by a crook, we may have to take the blame for the loss, paying for it with our jobs. Avoiding that is central to this game. But how about winning? Can we ever lift a toast to a game well played in ISec? Yes. With each new institutionalized advance we can pause and say, “Good Game. Congratulations!” But note what I am saying. I wouldn’t celebrate a win, exactly, with just any advance. If the advance, e.g., a new firewall, is not built into the organization’s culture in such a way that it transcends individual personalities, whether they be leaders-of-the-day or longtime bedrock technicians, then that advance is just one more good move on the chess board. It could dry up or run down when the boss turns attention to something else; it could get crushed in the turmoil that will follow the next checkmate by an intruder—and we know there will be one of those some day. But if it has soaked into us and become part of our habit of security, we really have something.

More to Ponder
Analogies are useful tools for learning. They are more than fun illustrations. They can inform us about the target concept, which in this case is ISec. Here are some further comments on the observations above, drawn from the chess analogy.

1.    There is a game going on, a strategic conflict. And there really is just one client in this game, and that is information (the King). It is not about protecting computers and networks. They are just pieces on the board.
2.    Some people play the game well; others are novices. Some of each are our attackers. It would not be surprising if we found the game confusing, or if others do not; and when we hear of others who do not, we find that they have been playing a long time.
3.    You do not become good by simply wishing to be good. You cannot buy skill. This takes time. The game can be studied or can be learned “on the job” playing it many times over the years.
4.    A new Player can lose (lose critical information, or his/her job) in just a few minutes under the deft moves of a skilled, focused opponent. Losing does not require a long, drawn out game. In a low-risk game among equally novice Players, one can last a long time running one, localized strategy at a time. Many opponents only come at us with one, localized strategy at a time, and we can deflect them one at a time and last a long time. But, a skilled comprehensive attack that uses many blended tactics at once will easily defeat the one-trick-at-a-time novice Player. Novice Players focus on what is in their minds and enjoy the intricacy and challenge of executing their own tactics. They forget to continuously assess their own risk postures, which requires thinking like the opponent and spending time in defensive pondering of their own Pieces and their locations on the board. Novice Players lose by being surprised. They get surprised because they cannot take the time or cannot divide their attention in order to handle multiple tactics at once.
5.    There are some well-known, standard opening moves that can establish highly effective basic defensive and offensive positions. Even if the subsequent moves needed to play well are not yet learned, these basic opening moves can be done by the book and thereby delay an early defeat, even by an expert opponent.
6.    Novice Players and occasional, vacation-time Players, with a few dozen games of experience and playing a matched opponent can last for hours—which is equivalent to years of organizational life in ISec. Such a Player has a reasonable chance of winning, which in ISec would mean getting through several years without an embarrassing incident, going through many pawns and taking some painful hits, but never suffering a major career-ending information breach, and going on like this until retirement or the next voluntary change of jobs. What the organization is experiencing in such a case is not excellent play, but reasonable play in a threat environment that has thus far only contained the typical, ambient threats and has not yet run into its first high-quality opponent.
7.    Few can afford to become excellent at this game. The players who do are mostly the ones that like it. The big financials, big defense, big government, big health, etc. have long ago gone into the game as pros. They play in a different league and are playing for money—big money.
8.    It is easy to think you’re doing well early in the game if you have a lot of pawns (projects, procedures, and protections) in play. It looks good. But if they are not part of an organized strategy (of course, known to the Player) then they crowd the arena and crowd themselves, and many will be taken when the opponent gets busy. Skilled Players use pawns as tactics within a strategy and are willing to sacrifice them in order to create a powerful defense. A good defense is not possible with too many pawns on the board.
9.    The Queen is the easiest piece to engage right away in impressive, flamboyant shows of force. But it is also the hardest piece to engage properly in a long-term strategic way. Early, flamboyant use can accidentally take her down.
10.    Skill in the use of the Queen is the single most telling skill for predicting success. But, a Player who does very little with the King and Queen early in the game and only plays the other major pieces and does so with some basic knowledge can last a long time in a game with a low impact opponent (the ambient threat environment). But the game will probably be lost (and quickly so under a skilled, directed attack) without a skilled handling of the Queen and King.

Ted Phelps
Information Security Officer
State University of New York
October 2006

Posted in Information Protection

Security Catalyst 39 - Voting Security Series - Transparent and Open Voting with Punchscan

As we continue our voting security series, I was intrigued by a solution that promises “Transparent, High Integrity, Open Source Elections” and decided to do some research. Well, the solution, called Punchscan (http://www.punchscan.org/), is a well-designed solution that leverages unique paper ballots and cryptography. The more I learn, the more I want to know about it.

For this episode, I had the chance to interview four of the team members (by Skype) to discuss their involvement, how the system works, the implications and what the next steps are.

Coming up, we’ll visit with the Punchscan team again to dig a bit deeper and more technically into the solution. I’m also working to contact someone at Black Box Voting to speak with them about lessons learned and how our industry can get engaged to help.

Comments, ideas are welcomed!

 
SC39 [32:43m]

Posted in Information Protection

Homeland Security Degree? Are you kidding me?

By Adam Dodge 

Last week I had the pleasure of spending a Sunday afternoon watching football and eating pizza with Michael and his family. During one of our discussions, Michael mentioned a recent USA Today article he came across on new “Homeland Security” degrees that many colleges and universities now offer. Knowing that I am currently pursuing a Master’s Degree from Norwich University, Michael wondered what I thought about this new degree.

Let me state from the outset that, as someone with an excessive amount of education (one associate’s, two bachelor’s and an upcoming master’s degree), I believe that higher education is a good thing. However, the particulars of the “Homeland Security” major seem a bit off to me. According to the article, this new degree allows students to “do everything from create emergency management plans to design gas masks.” I will allow everyone a moment to let that last statement sink in.

Ignoring, for a moment, that designing gas masks and creating effective emergency management plans require an individual to have two completely different skill sets and aptitudes, is there any job in existence that requires a candidate to be fluent in both these areas? Yes, engineering, emergency management, language skills, cyber-security, international relations, and many more fields are all very important aspects of Homeland Security. However, it is unrealistic to believe that anyone would be able to master these diverse fields by the time they achieve their PhD with multiple years of work experience, let alone an undergraduate degree. The field itself is simply too broad.

So when organizations hire individuals with this type of training, these individuals might have a passing familiarity with most of the Homeland Security concept. At best this individual will have one or two areas of core strength and a shallow understanding of the rest of the field. While this is not necessarily a bad thing, wouldn’t this individual be better served by a bachelor’s degree in their area(s) of strength and perhaps a minor, concentration or certificate showing a base understanding in the area of Homeland Security? This way an individual with a public administration degree could still do emergency planning for Homeland Security, but would also have options should they choose to pursue employment outside of emergency planning. The same goes for an engineering student that is fed up with designing gas masks.

In addition, the strength of Homeland Security, much like the strength in a good Information Security program, comes from the various viewpoints of those involved. A single individual’s viewpoint of a topic is just that, singular. No matter how hard they try, a single individual will never be able to see all aspects of an issue. This means that no matter what our education level, what our experiences, alone we will never see the whole picture.

However, by gathering a number of individuals that have different backgrounds in areas relevant to the topic at hand (Homeland Security), we can gain a much better understanding of the issues. For example, pulling together a team composed of engineers, emergency planners, border guards, intelligence individuals, etc., gives a Homeland Security team multiple viewpoints from multiple subject matter experts that have dedicated their lives to a single area of expertise and therefore bring a unique understanding to the team.

The need for this type of in-depth experience on a broad number of subject areas is why a degree in Homeland Security does not make sense. As the article points out, government agencies are looking to hire individuals in Homeland Security roles with expertise in technical areas as well. I find it very hard to believe that a student will gain this type of expertise in one of these new Homeland Security programs.

I understand the appeal these Homeland Security degrees have. After all, one single degree offers the allure of being able to make a difference, helping the country and studying current hot topic areas. However, I strongly urge any student interested in Homeland Security issues to take a more traditional major such as political science, international relations, engineering, computer science, information security, etc., and perhaps minor in one of these “Homeland Security” programs if they wish.

Another option colleges and universities might wish to consider is creating concentrations in Homeland Security aspects for degree fields where there is a need. For example, a political science degree with a concentration in Homeland Security, or an engineering degree with a concentration in areas important to Homeland Security. This option allows students to gain a strong understanding of a career field while also learning how to apply this field of study to Homeland Security issues.

The added benefit to the students, again, is that these students have multiple job opportunities when they graduate. It is important for educational institutions to make sure that the student’s best interests are kept in mind with these new “Homeland Security” degrees and that it does not simply become about gaining federal grant money. Incorporating Homeland Security concerns into more traditional degree fields or creating a minor in Homeland Security issues does just this. Not only will colleges and universities help arm students with the knowledge to better assist in securing the country and ensuring the safety of its citizens, but they will be arming students with traditional degrees, which translates into more job options than simply those involving Homeland Security.

Posted in Information Protection

Disclosure Laws – The Unseen 1000lb Gorilla

By David Stern 

It is 2006 and I still encounter organizations that would rather bury their heads in the sand or float down “de-nile” than acknowledge that information security is an enabler of business. More and more states are passing laws that require the disclosure of a breach that includes personally identifiable information. In this article, I’ll talk about one.

As a hypocritical New Yorker, I always labeled California as the “Left Coast” – talk about the pot calling the kettle black. In the winter of 2002, legislators in California did something extraordinary; they earned a little of my respect. Recognizing the growing danger of corporate databases to personal privacy, they implemented SB1386, a law that requires organizations to notify affected California residents when a breach exposes their unencrypted personal information. This law is a shining light for information security professionals who spend their days fighting the uphill battle to convince management that security matters.

There were sighs of relief from the board rooms of organizations without a California presence. SB1386 might have made the headlines, but over the next three years, over 30 states passed similar laws. In the winter of 2005, New York legislators began crafting their own data breach law. A04254-A/S3492-A, the Information Security Breach and Notification Act, took effect on December 7, 2005.

NYS A04254-A/S3492-A (http://assembly.state.ny.us/leg/?bn=A04254&sh=t)
Let’s take a look at the text of the law. The first significant section defines “private information”: personal information (anything that identifies a natural person, such as a name) in combination with a social security number, a driver’s license or non-driver ID number, or an account, credit card or debit card number together with any security code, access code or password that would permit access to the person’s financial account. The definition applies only where the personal information or the data element was unencrypted, or was encrypted with a key that was also acquired. That exemption is the one technical control the statute rewards, and it holds only if the key did not leave with the data. Corporate counsel, managers, and board members cannot use shades of gray to hide here. It is hard to find a significant data breach that does not include at least one of these elements.

The second significant section clearly indicates the need to notify anyone affected by the breach. An organization “SHALL DISCLOSE ANY BREACH OF THE SECURITY OF THE SYSTEM FOLLOWING DISCOVERY OR NOTIFICATION OF THE BREACH IN THE SECURITY OF THE SYSTEM TO ANY RESIDENT OF NEW YORK STATE WHOSE PRIVATE INFORMATION WAS, OR IS REASONABLY BELIEVED TO HAVE BEEN, ACQUIRED BY A PERSON WITHOUT VALID AUTHORIZATION. THE DISCLOSURE SHALL BE MADE IN THE MOST EXPEDIENT TIME POSSIBLE AND WITHOUT UNREASONABLE DELAY.”

Furthermore, notification must be provided by one of the following methods:
“(A) WRITTEN NOTICE;
(B) ELECTRONIC NOTICE, PROVIDED THAT THE PERSON TO WHOM NOTICE IS
REQUIRED HAS EXPRESSLY CONSENTED TO RECEIVING SAID NOTICE IN ELECTRONIC FORM AND A LOG OF EACH SUCH NOTIFICATION IS KEPT BY THE PERSON OR BUSINESS WHO NOTIFIES AFFECTED PERSONS IN SUCH FORM; PROVIDED FURTHER, HOWEVER, THAT IN NO CASE SHALL ANY PERSON OR BUSINESS REQUIRE A PERSON TO CONSENT TO ACCEPTING SAID NOTICE IN SAID FORM AS A CONDITION OF ESTABLISHING ANY BUSINESS RELATIONSHIP OR ENGAGING IN ANY TRANSACTION.
(C) TELEPHONE NOTIFICATION PROVIDED THAT A LOG OF EACH SUCH NOTIFICATION IS KEPT BY THE PERSON OR BUSINESS WHO NOTIFIES AFFECTED PERSONS; OR
(D) SUBSTITUTE NOTICE, IF A BUSINESS DEMONSTRATES TO THE STATE ATTORNEY GENERAL THAT THE COST OF PROVIDING NOTICE WOULD EXCEED TWO HUNDRED FIFTY THOUSAND DOLLARS, OR THAT THE AFFECTED CLASS OF SUBJECT PERSONS TO BE NOTIFIED EXCEEDS FIVE HUNDRED THOUSAND, OR SUCH BUSINESS DOES NOT HAVE SUFFICIENT CONTACT INFORMATION. SUBSTITUTE NOTICE SHALL CONSIST OF ALL OF THE FOLLOWING:
(1) E-MAIL NOTICE WHEN SUCH BUSINESS HAS AN E-MAIL ADDRESS FOR THE
SUBJECT PERSONS;
(2) CONSPICUOUS POSTING OF THE NOTICE ON SUCH BUSINESS`S WEB SITE PAGE, IF SUCH BUSINESS MAINTAINS ONE; AND
(3) NOTIFICATION TO MAJOR STATEWIDE MEDIA.”

Again, the law clearly states that notification must be made even when there is no concrete proof that the bad guys got away with the good stuff: the trigger is a reasonable belief that the data was acquired, so the absence of evidence of exfiltration is not a safe harbor. An experienced team of incident response professionals can usually tell from the logs and the forensic evidence whether the data was actually taken, and when they cannot, that uncertainty cuts toward notifying. To hide behind uncertainty is certainly an unethical and perhaps illegal gamble.

The final significant section defines the recourse.
“(A) WHENEVER THE ATTORNEY GENERAL SHALL BELIEVE FROM EVIDENCE
SATISFACTORY TO HIM THAT THERE IS A VIOLATION OF THIS ARTICLE HE MAY BRING AN ACTION IN THE NAME AND ON BEHALF OF THE PEOPLE OF THE STATE OF NEW YORK, IN A COURT OF JUSTICE HAVING JURISDICTION TO ISSUE AN INJUNCTION, TO ENJOIN AND RESTRAIN THE CONTINUATION OF SUCH VIOLATION. IN SUCH ACTION, PRELIMINARY RELIEF MAY BE GRANTED UNDER ARTICLE SIXTY-THREE OF THE CIVIL PRACTICE LAW AND RULES. IN SUCH ACTION THE COURT MAY AWARD DAMAGES FOR ACTUAL COSTS OR LOSSES INCURRED BY A PERSON ENTITLED TO NOTICE PURSUANT TO THIS ARTICLE, INCLUDING CONSEQUENTIAL FINANCIAL LOSSES. WHENEVER THE COURT SHALL DETERMINE IN SUCH ACTION THAT A PERSON OR BUSINESS VIOLATED THIS ARTICLE KNOWINGLY OR RECKLESSLY, THE COURT MAY IMPOSE A CIVIL PENALTY OF THE GREATER OF FIVE THOUSAND DOLLARS OR UP TO TEN DOLLARS PER INSTANCE OF FAILED NOTIFICATION, PROVIDED THAT THE LATTER AMOUNT SHALL NOT EXCEED ONE HUNDRED FIFTY THOUSAND DOLLARS.
(B) THE REMEDIES PROVIDED BY THIS SECTION SHALL BE IN ADDITION TO ANY
OTHER LAWFUL REMEDY AVAILABLE.”

$150,000 may not seem like a lot of money to a large organization. It may be worth the gamble to keep it quiet. That is until you show up on the radar of an ambitious State Attorney General like Eliot Spitzer. Note, too, that the cap applies only to the civil penalty for knowing or reckless violations; the court may separately award the actual and consequential losses of every person who should have been notified.

Unlike HIPAA or GLBA, this legislation is clearly defined. Information security professionals should be able to leverage this law to make headway in their organizations. Similar laws have been established in Arkansas, Connecticut, Delaware, Florida, Georgia, Illinois, Indiana, Louisiana, Maine, Minnesota, Montana, Nevada, New Jersey, New York, North Carolina, North Dakota, Ohio, Pennsylvania, Rhode Island, Tennessee, Texas, and Washington.

Whether your organization has 20 security guys or no security guys is irrelevant. If you have systems in any of the states mentioned above, this type of law forces the issue.

to be continued….

Posted in Information Protection

Packratitis

By Ron Woerner 

Stop everything you’re doing and get your wallet. Open it up and look at its contents. What’s in there? Do you still need it? (I’m refraining from saying, “What’s in your wa….?”)

I admit it, I suffer from packratitis. I like to save stuff just in case. Am I really any different than any other American? I think we all have a little packrat in us. While packratitis is not deadly, it can be uncomfortable. Especially if you store sensitive information and it gets lost. Plus, it’s a dangerous practice. What if I lost my wallet or it got stolen? Would I even know what I lost?

To combat my “illness,” I do a wallet check, once a year before Thanksgiving. I review all the crap I’ve accumulated over the past year and remove anything that’s no longer needed. I also take inventory of what’s left. That way I’ll know what I have to lose.

Another place we often find a case of packratitis is our personal or business computers. What’s on your laptop? Is it really necessary? Why are you keeping it? What if you lost your laptop or the hard drive crashed? Would you even know what you lost?

Packratitis can happen to anyone. It also has an easy cure. The short-term solution is to take the advice from OnGuardOnline and “Stop Think Click.”

  1. Think about what you’re putting in your wallet or on your computer. Is it really needed? What if it got lost? Don’t store it if you don’t really need it.
  2. Have a backup. Safely store a copy of each of your sensitive items whether in your wallet or on your PC.
  3. Periodically have a time to clean-up. No matter how diligent we are, crap still enters our life. Plan in advance to have a clean-up time.

Minimalism is a basic concept for security. The fewer sensitive items you hold, the fewer you need to protect, and the less there is to lose, or to disclose, when something goes wrong. Keeping the minimal amount increases security.
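As an added example (not part of Ron’s post), here is a small Python script that does the laptop equivalent of the wallet check: it walks a folder, flags plain-text files that appear to contain Social Security numbers or payment card numbers, and reports where they are and how many, so you know what you have to lose before it gets lost. The file names, contents and the two detection patterns are constructed for illustration (the card and SSN values are well-known test numbers), and `scan_directory()` is a hypothetical helper you would point at your own home folder. The report deliberately records locations and counts, never the matched values, so the inventory does not become one more copy of the sensitive data.

```python
import re
from pathlib import Path

# Constructed patterns for this example. SSN: nnn-nn-nnnn, excluding area numbers
# 000, 666 and 900-999, group 00 and serial 0000, which are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate card numbers: 13 to 19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers; weeds out most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return digit strings in text that look like card numbers and pass the Luhn check."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


def inventory(files: dict) -> list:
    """files maps a path to its text. Returns one record per file with findings,
    recording only where and how many, never the matched values."""
    report = []
    for path, text in sorted(files.items()):
        ssn_count = len(SSN_RE.findall(text))
        card_count = len(find_card_numbers(text))
        if ssn_count or card_count:
            report.append({"path": path, "ssn": ssn_count, "card": card_count})
    return report


def scan_directory(root: str, suffixes=(".txt", ".csv", ".log")) -> list:
    """Hypothetical helper: read plain-text files under root (assumed small enough
    to load whole) and inventory them."""
    files = {}
    for p in Path(root).rglob("*"):
        if p.is_file() and p.suffix.lower() in suffixes:
            try:
                files[str(p)] = p.read_text(errors="ignore")
            except OSError:
                continue  # unreadable file: skip it rather than abort the whole scan
    return inventory(files)


# Constructed sample "laptop" contents; the numbers are published test values, not real data.
SAMPLE_FILES = {
    "Documents/old_tax_notes.txt": "Filed 2004 return. SSN on form: 123-45-6789.",
    "Downloads/receipt.txt": "Paid with card 4111 1111 1111 1111, exp 01/08.",
    "Documents/serials.txt": "Order 1234 5678 9012 3456 shipped; part 000-12-3456.",
    "Documents/shopping.txt": "Milk, eggs, bread.",
}

if __name__ == "__main__":
    for rec in inventory(SAMPLE_FILES):
        print(f"{rec['path']}: {rec['ssn']} SSN-like, {rec['card']} card-like")
```

The serials file is the point of the Luhn and SSN range checks: “1234 5678 9012 3456” fails Luhn and “000-12-3456” uses an area number that is never issued, so neither is reported. Pattern matching like this still produces false positives and misses anything in binary or encrypted files, so treat the output as a starting list for the clean-up, not as proof that a file is safe.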

Together we can stomp-out packratitis. By working together, we all become stronger.

Posted in Information Protection

Guest Blogger: Information Security Practice as a Game of Chess (Part 2 of 3)

Information Security Practice as a Game of Chess
Ted.Phelps [@] suny [.] edu

Welcome to Part 2 of “Information Security Practice as a Game of Chess.” In Part 1, Ted Phelps explained the analogy. In this post, he explores the different pieces and the roles they play. Which are you? How would you represent things differently?

King: Information.
The King in chess is defensively weak; it can only capture or kill attackers that are right next to it and can only move one square at a time. Yet, it is the only piece that must remain in place throughout a game. Lose it, and you lose the game. Information is like that. It needs others for its defense, yet provides the foundation and meaning not only to the ISec “game” but to much of the life of the organization. Because our game is information security, not just computer, network or
IT security, our client is our information, especially our mission-critical and sensitive information. Good players keep their eyes on their Kings at all times, and analyze the shifting field of risk. In contrast, new players focus on the heat of the battle, often far from the King, and have a hard time keeping an effective, ongoing awareness of how those battles affect the shifting risk posture of their Kings. Parallels with protection of information are strong. Pouring attention into firewalls, IDS, IPS, and even encryption, keeps the new security players from doing risk assessments and data classification. The actual risk posture, which changes at least a few times a year, is not well understood. This takes practice. Kings, like our most secure information, are not out in the middle of the arena for all to see. We are usually surprised when information is breached. New ISec players focus on what is most visible in the battle. This is often the machinery used to defend against outside attacks on computers through the Internet or through physical penetration of buildings. We lock doors and put up firewalls. Meanwhile, the opponent can work through these defenses and attack our Information. Even a new player can, however, easily learn to shift the King into a well-known position of safety early in the game, a maneuver called “castling”. There are well-known moves in ISec, too, that protect Information, such as password protections on the applications that create and control sensitive information.

Queen: Executives and Policy.
The Queen is the most powerful piece in chess. It is considered about twice as powerful as the Rooks and three times as powerful as the Bishops and Knights. The reason for this designation is that a Queen can move anywhere there is line of sight, i.e., in straight lines across vacant squares. What element in an organization has such wide-ranging influence? Clearly, this is the key distinction of jobs in top management. It also is true of policy. Good players know the power of the Chiefs and of policy and plan carefully to engage it strategically as early as is wise. Using it too early can cause problems, both in chess and ISec. If Queens, Executives, and Policy are not well played, or if they are taken out of the game, winning is extremely difficult. Many battles can continue the game for a long time, but in time, the organization will crumble. A new chess player can be enthralled by the power of the Queen and use it far too much in the opening moves, exposing it too greatly and creating an unbalanced strategic position. Occasionally, an ISec player has access and influence with an Executive or has the power to create a policy early on. Doing so without also engaging the other critical elements of the organization is a classic management mistake resulting in missed leadership opportunities and the squandering of power. Policy and Executive powers must work as a team with the other elements to win the game.

Bishops: Business and IT Managers.
Like the Queen, the left and right Bishops can move as far as they wish along lines of sight, but only along diagonal channels. One operates on the black diagonals and never touches anything on white. And the other is the opposite. They are like powerful agents with long-range control and power reaching across the organization at all times, yet kept within channels of power and influence. Chess players try to operate their Bishops as a team because taken together, they can touch every square. The business and IT managers provide one of many interesting parallels to the Bishops. Business and IT operate in every region of the organization, but control distinct aspects of the organization. We could view HR, Building Security, and Legal Counsel also as Bishops.

Rooks (Castles): Systems and Applications.
Traditionally, the two Rooks are considered the strongest pieces after the Queen. Each Rook can play on every square. Their capability complements the Bishops in that they also move as far as they wish along lines of sight, but only along the orthogonal lines (rows and columns, “ranks” and “files”). The orthogonal nature of the Rook’s motion reflects the structural nature of Information Technology infrastructure, which includes computers, networks, stored data, and computer applications. These structures touch the full matrix of the organization. The angular nature of the Bishop’s and Knight’s motion reflects the dynamic, fluid nature of people and process. An early move in chess, “castling”, places the King in close protection of the Rook (Castle). Similarly, Information has a long-established relationship to Technology (Systems and Applications) as its most reliable protectors. A new chess player may think a castled King is perfectly safe behind a wall of Pawns, and that reflects an early, but unfounded, confidence managers can develop with respect to the security of their information and systems once firewalls, anti-virus, and password systems are in place. But a strategic, dedicated attacker, in chess and in ISec, will see ways around those defenses. “Social engineering,” for example, passes right through those defenses, somewhat like the surprising motion of the Knight.

Knights: Behavior and Security Practice.
Knights are not powerful agents, but they are tricky and have a special kind of elusive power. They can’t move or capture anything more than two squares away. Their move is often visualized as a 3-by-2 “L,” but it need not take a specific land route to get to the landing square. It can just arrive at that target by passing through or over other pieces, the way cavalry can jump (the piece is shaped like the head of a horse) over obstacles in the field or a Ninja can somehow sneak past guards and walls. This means the Knight’s range of targets and strategic possibilities are more difficult for new players to visualize and control. What is like this in ISec? Certainly, human behavior with information is like that. It is largely unseen and out of direct control. The effects of workers’ behavior on the organization’s information are not as sweeping as those of policy and executives, but they can lead to some surprising benefits and painful losses. So, ISec strategy must include human behavior with information. Done well, it fills in many holes in an otherwise strong program, and can do so at a relatively low cost. The Knight has another parallel in ISec: the specialists, such as ISOs, security administrators, and auditors. The strategic action of the security specialists is often hard to grasp, and their power and influence are not as far-reaching as the major business functions. But, done well, they find their way into all parts of the organization and jump over departmental lines and functional silos.

Pawns: Projects, Procedures, Protections.
The chess board at the start displays a row of eight Pawns aligned like foot soldiers leading the battle or guards at a gate. Pawns have these primary attributes: 1) they are the weakest pieces (they only move one square and only forward); 2) there are lots of them; 3) many live short lives. At least one Pawn is usually the first piece played and also the first to be captured. This has parallels with ISec projects and tactical defenses, such as firewalls and antivirus software. These go into the game early on and, like Pawns, are the easiest thing outside observers notice early in the game. Like Pawns, there are many of these. They also come and go at a faster rate than executives, business and IT managers, computer systems, applications, and the workforce. They are used by these for specific purposes and then get taken down or end. Good early moves with Pawns, as well as with projects and protections, can create a strategic framework that lasts throughout much of the game.

Join us next week for the third and final posting where Ted explains the ‘endgame’ as well as several other points to ponder.

Posted in Information Protection

Security Catalyst 38 | Voting Security Mini-Series Gets Launched - 3 Things I Learned from ‘Hacking Democracy’

Now that the elections are over, I figured it was a good time to step up the programming of the podcast by introducing some mini-series. I think mini-series will provide us the opportunity to pick topics that matter and dive a bit deeper. At least, we’re going to give it a try… feedback welcomed.

To kick it off, I figured we could start by looking at the security around electronic voting. Yea, I know, the elections are over. To me, that makes for perfect timing. Less stress right now, and a good time for our profession to think about how we can help to improve the process.

Here are some links as mentioned in the podcast:

Google Video

Hacking Democracy (http://www.hbo.com/docs/programs/hackingdemocracy/?ntrack_para1=leftnav_category7_show1)
HRM! It seems to have been removed from Google Video. Well, it’s still being aired on HBO - so hopefully you will get a chance to see a copy. It’s worth the watch!
Site to See

Securosis (http://www.securosis.com/)
Rich Mogull’s Bio (http://securosis.com/about/)

Voting Stories and Links

E-voting 2006: A touch screen, a missing vote, a mystery in Arkansas (http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9005063&source=rss_topic84)

Questions we can help answer? Stories you want me to explore? Cheers or Jeers? send me an email: securitycatalyst@gmail.com.

SC38 [22:20m]

Posted in Information Protection

Preaching To the Choir

By Joe Knape 

Have you ever hung up with a friend or family member feeling frustrated? We ask ourselves, “Why can’t they…”, or “How hard is it to…”, or my favorite, “Don’t they know that….” I’m going to let you in on the worst-kept secret in the industry: THEY DON’T KNOW.

Corporations and employees have access to all sorts of training and security awareness materials (or should). Our friends and family don’t have the luxury of posters, and emails, and codes of conduct, etc. What they do have is a willingness to do the things that will keep them safe on the Internet as long as it doesn’t cause them to go into seizures trying to figure those things out. This is where you and I come in. We need to start sharing our hard-won wisdom and knowledge, freely, and often.

See Ron Woerner’s post on Local Tech Support – Like It Or Not for a “closer to home” take on this issue.

You might be wondering what I mean by freely and often, so let me tell you. Why not come up with four or five slides with some “best-practices” and give a quick (30 or 45 minute) presentation every once in a while. “Wait!” you say; “What kind of audience would be interested in that? How would I get the word out? I don’t have the time to do that. What’s in it for me?” Let me address these questions and concerns one at a time.

“What kind of audience would be interested in that?”
Anyone who watches television and has access to the Internet would be interested. Security professionals have been griping about FUD for years but it works. It gets people thinking. No, not cynical, jaded, “experts” like us, but certainly Mom and Dad and Uncle Bob.

“How would I get the word out?”
Think about who your audience is and then think about where you might get exposure to them. I’m thinking of organizations like: Rotary, Elks, MOPS (Mothers of Preschoolers, for those of you without kids), book clubs, library patrons’ meetings, PTA, American Legion, etc. The list is varied and large.

“I don’t have time to do that!”
Oh, really? You can’t find 30 minutes every couple of weeks or so to get up and present in front of a crowd of people who will probably hang on your every word? If that’s true, you need to stop reading this (and any other) blog and go find a time-management course!

“What’s in it for me?”
What kind of skills and experience might result from the above?

• Presentation Skills
• Ability to explain complex technical issues in “everyday language”
• Writing Skills – (If you’re the person that writes the presentation)
• Patience with others – (ok, maybe this one’s just me!)
• Public recognition
• Fewer urgent calls from friends and family asking how to recover from “my computer is acting weird”

To some, that might look like a scary list. There’s a running joke in public speaking circles that basically says most people would rather be the person being eulogized than the person giving the eulogy. With that said, this post isn’t about acquiring these skills, it’s about demonstrating them. I assume you all know how to use the Internet and the phonebook, so if you need to learn how to speak in public, write presentations, etc., there are plenty of resources available, and, since everyone learns differently, I won’t be recommending any specifically.

It’s time to “stop preaching to the choir” and go out there and convert the unconverted.

Posted in Information Protection

Horseless Carriages and Whale Interpreters

This post was submitted to me via email from a good friend and colleague who understands the effort and wanted to continue the post I started yesterday. Someday we should convince Rich to blog with us on a regular basis!

Horseless Carriages and Whale Interpreters
Good progress.  I thought you were going a different direction with the analogy of a horseless carriage.  It does represent the relative unimportance of a name in the grand scheme of things.  I do refer to my vehicle as a buggy, however…  I think it also serves as a good analogy for the shift in fundamental thinking around security.  The old way is comparable to the horse-drawn carriage - of security bearing the burden and dragging a resistant load across the finish line into a state of compliance.

The new, desired model is that of a horseless carriage, where the will and the means are one and the same.  The model speaks to awareness, stewardship, integration, design for compliance, secure lifecycle, secure standards and solutions, and of a distinction between operational security (everyone doing everything securely) versus security Center of Excellence (Security as a function for compliance monitoring and subject matter expertise/leadership).

We all know as security professionals that our job as that horse is to put ourselves out of business and yet in all likelihood we will never succeed at doing so.  We can, however, succeed in transferring more of that responsibility to our various stakeholders.  In my mind, the era of firewalls being a “security product” is over - there is only secure network design and administration.  The era of antispam, antivirus, and content filtering as security initiatives is over - the era of secure messaging has arrived.  Same thing for application security and the need for software development to bring the people, process, and technology to bear that prevents vulnerabilities at the source, rather than as the result of costly security assessment and remediation process.

One of the lessons I’ve learned is that if you attempt to consolidate everything “security” into a single empire, you will simply fail.  You CANNOT absolve people of their responsibility to do things securely.  We see this now with the push for application security and the dollars spent on finding vulnerabilities through costly assessments that, in some cases, result in more revenue for developers to remediate the findings.  You CAN arm the right people with the right information at the right time integrated into the right process with the right controls and expert consulting services.  Lead.  Engage.  Align.  Perform.  If Cisco doesn’t have an exclusive right to the use of the word LEAP in the context of security, I think it captures the energy, direction, and significance of this as a global movement.

If there is a letter to add, it’s V for value.  For too long we have been advocating security for security’s sake.  At the end of the day we work for a business and we are here to enable the business to make money, securely.  We need to make our security investment wisely.  We need to continue to bring the tools to the table (such as Return on Security Investment or ROSI and threat modeling) that demonstrate that value.  We need the metrics that support that we aren’t simply pissing away shareholder value to chase ghosts.  On the flip-side, we also need to start burying the cost of security into everything we do, rather than rolling it up to a centralized security budget.  If it is a separate and discrete security person or technology, or too immature to embed within operational security - roll it up. If it is a requirement and an integrated part of a business process - leave it be.

In closing, we need to develop stronger business acumen so that we can tell our story in business terms.  The business still looks upon many security professionals as whale interpreters - on what basis can anyone not in the field refute our findings? (the whale just agreed with me, by the way).  The ability to put a ping flood, phishing scam, salami attack, buffer overflow, or tcp tsunami (see, I made that one up) into relevant terms and actions that a business person can digest is still a soft-skill and hard to come by.  We need career roadmaps for security professionals that develop these soft skills: communication, negotiation, and business acumen rather than the traditional focus on how to become the best damn whale interpreter in our field…
Editor: Thanks, Rich. Good insights and I really like the approach.

Posted in Information Protection | Comments (1)

Security 2.0, The Horseless Carriage, and the Drive to Change the World

In the 1890s and into the early part of the 20th Century, a new way of travel was born. Initially called a “horseless carriage”, this mode of transportation eventually changed the way people travel.

Ironically, I doubt that you refer to the vehicle you have in your driveway or garage as a “horseless carriage.” Instead, you probably call it a car, a truck, SUV or something else; some of you might even have named it (though, looking back, I never named any of my vehicles).

Does it matter if you call it an automobile and I call it a car, a truck, an SUV? Nope. What about vehicle, automobile or whatever marketing term you got? Not for a second. In fact, most of us couldn’t imagine life without some mode of this transportation. Hopefully, we will work together to introduce a new framework that will transform the way we practice information security (not IT Security) in the future.

The Genesis of Security 2.0
Nearly 18 months ago, I started learning about a fledgling movement called Web 2.0. At the same time, I spent a lot of time working with clients and implementing solutions that fell flat, and started looking for another way.

My personal mantra in life is simple: “to change the way people think.” With that in mind, I set out to start building a framework that would allow me to consistently explain my research to clients to help change the way they practice security.

I decided to call it Security 2.0 because it was built on the concepts and lessons learned from studying Web 2.0. But now that I’ve been working on it and have started to share it, I have come to realize that what we’re working on is bigger than a 2.0 name.

The framework of Security 2.0 consists of three dimensions:

1. Leveraging the elements of Web 2.0 that are effective to change the way we practice security. Simply, it’s about DESIGNING security in a way where it’s easy to explain and it’s easy to understand and use. It goes FAR beyond technology and actually gets down to working with people and process to make a difference. Of course, once we have a solid understanding of the culture and the solution, then we mate the appropriate technology to meet the solution. Not the other way around.

2. Securing Web 2.0. Whether you like the term or not, and whether you think it’s fad or not doesn’t make it go away. If you consider yourself a true professional, then it’s your responsibility as much as mine to work to INTEGRATE (and bolt-on) security into the new applications that keep coming out.

Let’s debate Web 2.0 sometime in the future. I’m not suggesting that I love the name, but the new solutions are coming out, and our users are using them, without regard to security. If we blow securing Web 2.0, we regress as a profession. We have to lead the way in breaking this cycle.

More broadly, we need to really focus on securing ‘emerging technologies and solutions.’

3. Preparing professionals to be successful leveraging this framework. It’s about how we think, how we present, manage, lead, work with others and the list goes on. I spent my summer proving these concepts in Fortune 50 companies. They work, and now it’s time to expand.

The Value of Security 2.0 as a Framework
To me, the value of this effort is in the collaborative nature in which it is being developed and allowed to evolve. The efforts of everyone contributing to this will be shared in a way that provides them recognition. More importantly, the framework will be open for others and freely shared. Of course, a framework still needs to be reviewed, adapted and applied – so creating and designing an effective framework is the first of an important series of steps.

The Name I Once Liked
I have to admit that all the attention focused on names lately has me a bit frustrated. I wish people would focus more on progress and less on names. The horseless carriage changed the world, and over time, the name changed with it.

While the goal with the Security 2.0 framework is nothing short of helping to change the way people practice information security, I have come to realize the name that had a simple start needs to change in order to be taken seriously and impact our industry.

As a framework, Security 2.0 is not really something to sell – it’s something to implement, to use, to practice. The inherent problem with calling it Security 2.0 (beyond the name being usurped for ill-advised marketing campaigns COUGH COUGH Symantec COUGH COUGH) is that it invites constant version bumps. What’s next? Security 2.5? Security 3.0? Security 4.11.23b?

This is a framework meant to aid the development of security solutions, holistic solutions, and to guide the way we practice and explain security to others. At the end of the day, if we stick with Security 2.0 as a name, we run the risk of diluting the value of the approach and of the effort. Clearly, that won’t do.

I also started test-marketing the concept with my clients. The name, by itself, did nothing for anyone. After an explanation over lunch, the concepts were clear and the approach welcomed, but the name still didn’t ring true. In fact, I was told bluntly, “I cannot convince my management that we need Security 2.0.”

The good news is that led, immediately, to a discussion of how to rename it.

The Value of Keywords
One of the steps that I have been exposed to in this process is to list out “key words” that capture the essence of what you are trying to do. Keywords should capture the essence, the drive, anything that really matters.

As a framework, here are some of the important elements as I see them:

  • Design
  • Practice
  • Integration
  • Framework

Based on conversations with the Trusted Catalysts and valued clients and friends, here are some of the keywords that have been kicked around to try to spark some ideas for new names for the framework:

Horizon, Security (Period), Revolution, Next Generation, Phoenix, Genesis, Bravo, Next Level, Generation S, V2, Fundamental, Shift, Overhaul

Potential Titles
And here are some suggestions for how we can rename this into a framework:

  • Integrated Security Practice Framework (ISPF)
  • Security Advancement Framework for Everybody (SAFE)

How do you make a difference?
We need to stop talking about names and start focusing on substance.
A subgroup of the Trusted Catalysts has started to work on expanding the current framework. As soon as we get more of the details fleshed out (which we may do in our first conference in 2007), we will post it publicly. And that’s when the work begins. We’ll need to come together to review it, design it, improve it, test it and then start using it.

Posted in Information Protection
