
Archive for March, 2007

The Catalyst Community Forum Roundup; Connections Abound

It is important that the Catalyst Community be a comfortable and supportive environment that allows everyone an opportunity to ask questions, answer questions and have their voice added to the conversation. I was delighted yesterday when a member of our community approached me to tell me that it is working! He was able to get some guidance he needed and formed some new relationships with some people that are now helping to mentor and guide him.

My friends, welcome to the Security Catalyst Community - a place to grow and make relationships that will improve your career! I believe that by using our full names in the forum, we have been able to develop a virtual resource that meets the needs many of us have felt in the offline world. The best part is that we have only just begun on many levels.

March saw a real explosion in terms of members and activity. The quality of posting, content and discussion is amazing and will absolutely contribute to your improvement. Like everything else in life, the more you put in, the more you get out. Here are some hot and interesting topics that you can contribute to today!

Web App Security resources

Hard disk Encryption

Presentation Ideas - At Risk Teenagers

Certification Advice

Accreditation scheme for penetration testing companies launched in UK

Advantages/Disadvantages of working for a SMB or a Large Organization

My certifications, my choice!

Spinning up a Security Consult Business

IT & Security Magazines (and other paper publications)

What software is the world missing?

Where can I find GOOD statistics?

Fun/different awareness activities

Don’t see something here that is important to you? Come join the community and start a new topic. The entire community looks forward to learning from you and sharing in your passions.

PS: The forums are expanding again in the coming days. Look for an announcement shortly!

Posted in Information Protection | Comments

Standing together

Below are a series of letters in response to the cyberbullying experienced by Kathy Sierra. If you don’t know, Kathy is a main contributor to the Creating Passionate Users website and blog. It’s one that I regularly read, enjoy, and recommend. You can read for yourself on that site what is happening to her. She openly and honestly has posted her experience. The letters below explain my feelings on what has happened and what needs to be done.

Dear Kathy,
First I want to thank you for your contributions to the cyber-community. Your writing and insights on your website and in your books are always thought provoking. You challenge the status quo to make things better for everyone. You share openly and willingly, which may have made you vulnerable.
That’s why I’m so sorry for what’s happened. It’s so sad that an a&^3 has brought you down.
This may be another fear exercise for you. Please don’t let the fear stop you. Don’t let one person who’s too weak to say their name bring you down and stop your great efforts.
“Courage is not the absence of fear, but rather the judgement that something else is more important than fear.” Ambrose Redmoon
Please remember that you have many friends and supporters in the blogosphere (see the responses by Mike Murray (http://www.episteme.ca/) and Rich Mogull (http://securosis.com/2007/03/27/we-cannot-tolerate-this/)). We stand with you and behind you. We support you, what you say and what you do. The community needs you.

Hey a&^3,
Yea you! The one who’s harassing Kathy.
Stand up and fight like a man. Don’t hide behind Internet anonymity. If you know anything about it, you’ll know that Internet anonymity can be a façade easily cracked using the right tools. The people with those skills and tools are already on the case. You will be caught and brought to justice. Publicly. Just like you publicly harassed our friend Kathy.
I suggest you either go back into your hole and hide or come out and accept the consequences of your actions. The former will show you’re a wimp; the latter will show you’re a man.

Friends, Colleagues and Fine-Readers,
I appreciate you reading this far. I’m sorry you need to be brought into this. But we all need to stick together so we can work together and help each other.
Bullying is as old as time, but cyberbullying is a new phenomenon encouraged by the apparent anonymity of the Internet. As you can see, it’s plaguing adults and kids alike. I encourage you to learn more about it and how to prevent it:
- http://www.cyberbullying.org/
- http://www.internetsuperheroes.org/cyberbullying/
- http://www.ncpc.org/parents/cyberbullying.php
It’s fine if you disagree with what someone has to say. Freedom of speech is a key principle of our Country and of the Internet. I only ask that it be said in a helpful and constructive manner. In fact I love thought-provoking feedback. “Every man… should periodically be compelled to listen to opinions which are infuriating to him. To hear nothing but what is pleasing to one is to make a pillow of the mind.” John Ervine

Join us in the Security Catalyst forums to (A) learn more about cyberbullying and other online threats and (B) show support for Kathy Sierra and other victims of cyberbullying.

By standing together, we all become stronger.

Posted in Information Protection | Comments (1)

How to Get Four Aces and Go Home Happy (Part 1)

By Joe Knape

If you play poker or have watched a few westerns, you may realize that having four aces in your hand is a winning hand nearly all of the time. While obtaining your four aces in poker is a different story, I want to share with you how you can (legally) stack the deck in your favor at work.

Ultimately our job is to ensure that the security advice we give aligns with and supports our company’s business expectations and requirements. Most people seem to understand this on some level, which leads to a lot of discussion about the need to “keep the business in mind” (go here for a recent example). However, what is typically missing from these discussions is any easily adoptable, specific next step that can be taken. “The 4 ACEs”, consisting of this post and three more to come, is my attempt at helping you, and me, fill the gap that exists between the theory of “keeping the business in mind” and the reality of trying to protect that business.

In this installment we talk about how to “Know the spACE”. In future posts we’ll talk about:

• “Know the plACE” – How to gather a better understanding of your company’s specifics, be it finances, customer base, politics, etc.,
• “Know the pACE” – How to determine the pace and tempo of your organization and how that will help you be effective, and
• “Know the mACE” – How to know the types of leverage you might have when trying to establish or improve security programs, process, procedures, etc.

Know the spACE – the 1st ACE

The first of the four aces, “Know the space”, is meant to remind you that you have to know the industry that your company is in. Is it in manufacturing, telecommunications, education, government, etc.?

Do you really know? If I asked you today – would you be able to quickly explain it to me in a way that I quickly understood? If not, how could you possibly know what kind of threats might exist?

If you’re not sure what industry your company is in, or where to go to find more information, some quick things you can do are:

• “Google” for your company’s name,
• Read any business articles that might have been written about your company,
• Read any press releases your company might have made,
• Look around to see what kind of trade magazines are being read by your coworkers and what kinds of trade shows are being attended,
• Read any non-security related magazines that might be lying around the office. Vogue and GQ don’t count (unless your company’s in grooming or fashion of course).

Speaking of “Googling” for your company’s name (or Dogpile, or Yahoo, or ), have you thought about some of the other types of information you might be able to gather using these search engines? What about:

• Has your company made any big announcements recently?
• Are there any current legal problems involving your industry in general or your company in particular?
• Are there a large number of public customer complaints or anti-company websites out there?
• Is your company the industry leader, or does it have a new and innovative solution that could be disruptive to the status quo?

I think you get the picture. The point here is you never know what’s going to make your systems a target and the better you know the industry in which your company operates, the better chance you have of addressing the right security issues before they become security failures.

To find your success:

1. Figure out what industry or industries your company operates in.
2. Read newspapers and magazines that are relevant to your industry and company, not just those related to security.
3. Keep an eye on industry-specific blogs, newspaper stories, press releases, etc.

You see, most of the time, vulnerabilities are the same across not only systems but industries. A buffer overflow is the same anywhere the vulnerable software is the same. The threats, and therefore the risks, however, can be very different. Ultimately, the only way to know HOW to protect something is to know WHAT you’re trying to protect. Got it? Good.

So there you have it, no dealing from the bottom, nothing up your sleeve, just straightforward, easy steps toward getting your first ACE. There are only four in the whole deck, and when you can get them out of the deck and into your hand, your chances of winning the game are all but assured. This series of posts is meant to help you do exactly that. Stay tuned.

If you’d like to discuss this in more detail feel free to contact me through the blog or at jdknape@gmail.com; or, better yet, sign on to the Security Catalyst Forums and ask around.

Posted in Information Protection | Comments (2)

Importance of Community

Are you “connected”? Do you have a set of people you can call on when you have a problem or a question?

“Who ya gonna call?”

Ghostbusters won’t help you, but a community of like-minded professionals will. I’m talking about others who have been there and done that and who are ready and willing to offer advice. You can’t know everything, so it’s important to be connected to a group who collectively has the knowledge and experience to solve any problem.

Today’s environment requires a security professional/practitioner to be knowledgeable in so many areas extending beyond the twelve areas in ISO 17799. We must protect our organization’s critical assets, which requires us to have answers at our fingertips. You’re not going to get that ability from any degree, certification, or class. You only get it by being a part of a community; a network of similar professionals who are ready and able to offer advice and assistance.

Many cities have a community of security professionals. They are mostly professional groups such as InfraGard, the Information Systems Security Association (ISSA), and the Information Systems Audit and Control Association (ISACA). In Nebraska, we also have NebraskaCERT who for the past eight years has provided a network of professionals dedicated to two pillars of excellence: the Sharing of Knowledge and Applied Research. Through monthly meetings and annual conferences, they have provided a network of security professionals ready, willing and able to help each other. I really like having a local community to turn to when I have a question or need help. It also provides an excellent networking opportunity, which led to my current position.

The Security Catalyst Community is another example. What makes it unique is that it’s entirely virtual. It is an online community that has many of the advantages of a local community. You can ask questions, provide answers, collaborate, and network. Plus you get multiple perspectives from around the world, not just your own backyard. It’s more than a monthly meeting, which is what most local groups provide. It’s a constant collaboration that’s not dependent on a set time schedule, which is perfect in this busy world. The range of topics, questions and answers is unlimited. The collective expertise is second to none. You can grow your knowledge while expanding other people’s knowledge. All from the comfort of your keyboard. [Santa editorial comment: We charge nothing for this benefit. The currency of our community is participation. Everyone is welcome to share ideas and insights – so we’re not about people who “know everything” – but instead a true community helping each other out.]

You can’t know it all. And you don’t have to if you’re part of a community. Participate in one today, either in your local community or on-line. Join in the conversation, don’t just lurk. The key word is to participate and add to the community. Help others and they’ll be there to help you.

Remember, “By helping each other, we all become stronger.”

Posted in Information Protection | Comments

Tell us what you think about messaging security

Knowledge about what others are doing - a professional yardstick, if you will - is generally helpful to our efforts as security professionals. As the catalyst community continues to take shape, I have watched and participated in some excellent discussions. For me, that generally leads, then, to some sort of idea.

As a result, I am going to try a new “series” of short surveys designed to address topics that are considered important (by either the press or in the forums). The goal of these surveys is simple: keep them brief, keep them focused on topic and use the information to support those who participate. Hopefully, we can harness the power of working together and the virtual environment we have created to continue to provide benefit to us beyond the forums (and more is coming).

For our first survey, we are going to look at messaging security (spam filtering, anti-phishing and leak detection/prevention). I worked with fellow TCC member Josh Jabs to design this survey to address some core issues around how you and others are handling messaging security.

You can take the brief survey here: Click here to take the Security Catalyst Messaging Security Survey

This is our first attempt, so we tried to keep it simple. We are asking for email addresses and some other information to help qualify the results. At no time will any of this information be used on an individual basis. If you participate, you will have access to the immediate results (and can always ping me to get the latest). Once the survey is complete:

  • the final results will be discussed in the forums
  • everyone who participated will receive an emailed copy of the overview report
  • participants will be invited to join a teleseminar/conference call where the results will be shared and the trends discussed

The hope is that the information collected helps make your job easier. You are welcome to share this link and encourage others to participate - the more who help, the better the result for us all. As always - comments or questions should come to me at securitycatalyst@gmail.com.

Posted in Information Protection | Comments

Advancing the Future of Security; a mind-map experiment - conclusion, next steps

This morning we closed the collaborative mind mapping project to map out the Advancement of How We Practice Security. I am excited to share with you that we had contributions and inputs from passionate professionals around the world. As a result, this is a solid start on where, as a profession, we need to consider aligning our time, talents, and resources.

I have been a fan of mind mapping for non-linear thinking (and thinkers) for a while now. I was pleasantly surprised (though perhaps I shouldn’t have been) by how many others also are drawn to mind mapping. We had more people engaged and more countries represented than I expected. I can honestly share with you that I am blown away by the results of this effort - and believe we have a healthy framework to start developing.

I exported the map from mindmeister this morning. I was impressed by the effort that the development team there has put into this offering. The only big drawback was the way the information needed to be sorted. I took the exported map this morning and then “cleaned” it up by moving a few branches (especially the ones that said “new branch”) and then allowed my software to resort and resize the map. It’s a fairly dense map that was described (accurately) as a “wall of words.”

Outside of my contributions to this process, I have not altered any ideas or the fabric of what was shared. Here is what our combined effort looks like (png format):

catalyst security.png

What did I learn from this experience?

  • Mind mapping truly is a powerful method to bring forth ideas
  • Collaborative mind mapping _can_ work, but requires some structure in advance
  • Allowing a collaborative tool around a specific topic allows ideas and inputs from around the world
  • Too many people and too much time leads to “a wall of words”
  • The future of security and how we practice it looks engaging and is something I want to be part of

Care to share some ideas - I’d love to hear from you (contribute to the comments, or send me an email).

What’s next for our effort?
One of the elements of mind mapping that works for me is to let the map sit a bit, and then revisit it to either clean it up, or to start a new one and leverage the previous work (depends on how complex the map is, and how much effort it will take to reorganize my thoughts). I’d like to follow a similar approach here. That said, I’m not quite sure how to do that with a distributed group (and I have a lot on my plate right now). It seems to me that a small team of 3-5 to do the bulk of the work would be the easiest to manage for this round.

The goal of this “refinement stage” is to take the current map and build it out into a framework suitable for wiki-style development. If you have some ideas on how we can refine the map, want to lead the team or desire to participate, please send me an email (securitycatalyst@gmail.com) with your suggestions and qualifications.

How the Security Catalyst Community Will Support this Effort
We’re nearing the point where we can launch a centralized and authenticated jabber chat server (we’re pushing to have that done by the end of the month). Once that has been completed and launched, we’re turning our attention to “securitypedia” - a publicly viewable wiki for the members of the security catalyst community to develop, refine and share ideas.

This mind map will provide the structure for a discussion on the future of security, and eventually for a series of wiki pages to help provide a blueprint for where we need to spend some time, allocate some training dollars and guide some research and development.

Once the wiki is in place and operational (I do not currently have an estimated timeframe), we’ll work to establish a small team to carry this effort forward. If you are interested in helping to carve out the vision for the future of how we practice security, send me a note at securitycatalyst@gmail.com and I’ll include you on a working group list. I suspect this will end up being a summer project, but I do hope that we are able to get it off the ground during Q2.

Here is a PDF version of the map: catalyst security.pdf

If you want this in either OPML format or would prefer some other method by which you can manipulate it, drop me a note and I’ll do my best to get you what you need (provided you give credit where credit is due and share your results back with the community).

Thanks for making this experiment a complete success. The beginning is almost here. Are you excited?

Posted in Information Protection | Comments (1)

Family Wedding in Arizona means an opportunity for you and your company

I have an exciting opportunity for you and your team or organization.

I need to be in Phoenix, AZ for a wedding on March 31 and realized this is a great opportunity to do more work in the valley and meet more people. I am offering some fantastic incentives on my most popular keynotes and experiences. You could treat your team to a Spring Renewal with Are You Making a Living, Or a Life? This experience or keynote discusses how a positive vision can help them be more effective at work, reduce stress, and improve the quality of their time at home. Or take advantage of our new experience Speaking About Security. This experience will help your group improve their communication skills and increase your success.

Here is a listing of the experiences and keynotes with incentives:
Experiences
- Speaking About Security
- Are You Making a Living, Or a Life?
- “Catalyst Session” - experience working with Michael in a way that infuses energy, passion and vision into your current efforts

Keynotes
- Transform Your Awareness Program
- Speaking About Security
- Are You Making a Living, or a Life?
- Into the Breach

Interested? Send me an email: securitycatalyst@gmail.com and we’ll arrange a time to speak. I need to lock in my tickets soon - so this is a first come, first to reap the rewards opportunity. I look forward to the chance to work with you.

Posted in Information Protection, Professional Speaking | Comments

As the Catalyst Community Grows, so does our blogroll…

Please be certain to visit and support the members of the Catalyst Community.

The Security Catalyst (Michael Santarcangelo) | http://www.securitycatalyst.com
The Network Security Blog and Podcast (Martin McKeay) | http://www.mckeay.net
Security Ripcord Blog and Podcast | http://blog.cutawaysecurity.com
Education Security Incidents (Adam Dodge) | http://www.adamdodge.com/esi
An Information Security Place (Michael Farnum) | http://infosecplace.com/blog
Andy, IT Guy (Andy Willingham) | http://andyitguy.blogspot.com/
Andrew Hay | http://www.andrewhay.ca/
Security Views | http://www.securityviews.com
Security Renaissance | http://securityrenaissance.com/
Marcin Wielgoszewski | http://www.tssci-security.com
Aditya Kuppa | http://rumblingsofaconfusedmind.blogspot.com
Sam Masiello | http://www.mxlogic.com/threat_center
Still Secure After All These Years (Alan Shimel) | http://www.stillsecureafteralltheseyears.com
John Biasi | http://www.john-biasi.com
Security Incite (Mike Rothman) | http://securityincite.com/blog/mike-rothman
Eric McMillen | http://www.mcmillengroup.com/blog/
Chris Hoff | http://rationalsecurity.typepad.com
RioSec Security WebLog (Chris Byrd) | http://www.riosec.com
James Costello | http://genesyswave.bloggerteam.com/
Harlan Carvey, CISSP | http://windowsir.blogspot.com
SecThis.com Security Podcast (Gene Naftulyev, CISSP) | www.secthis.com
Jon Robinson | www.jonsnetwork.com
The IT Security Guy (Joel Dubin) | http://www.thesecurityguy.com
Augusto Paes de Barros, CISSP | http://www.paesdebarros.com.br/english & http://www.paesdebarros.com.br/indexpb.html
Chris Harrington | www.infosecpodcast.com
John Gerber | http://www.securitymonks.com
Steve Mullen | http://skmullen.wordpress.com
Rory McCune | http://www.mccune.org.uk/
Nick Owen | http://www.wikidsystems.com/WiKIDBlog
Rebecca Herold | http://www.realtime-itcompliance.com & podcasts at http://www.realtime-itcompliance.com/podcast/
Randy Armknecht | http://www.rarmknecht.net
Gary Hinson | http://www.NoticeBored.com
Daniel Miessler | http://dmiessler.com/ & http://dmiessler.com/study/
Didier Stevens, CISSP | https://DidierStevens.com
Lester Nichols, MCP | http://virtualmindshare.blogspot.com/
Amrit Williams | http://techbuddha.wordpress.com
Ken Camp | http://www.ipadventures.com/
Liudvikas Bukys | http://L.Bukys.org
David D Bergert, CISSP, CISA | http://www.infosecblurb.com

If you have a blog or podcast that you would like to have listed here, please send a message to securitycatalyst@gmail.com. I’ll also change your status to security blogger/podcaster.

Posted in Information Protection | Comments

reminder: informal meetup in PHX tonight, 7pm

Those of you located in Phoenix - we’re gathering at the Tilted Kilt, Tempe. 7pm. See you there.

Posted in Information Protection | Comments

More proof we need to change our approach

Like many of you, I have been a member of ISSA, HTCIA and plenty of other organizations. As I have developed my career, I have found value in working with other professionals, and continue to find places to network, etc.

Of course, this is why a number of us came together to form the Catalyst Community.

Anyway - I allowed my HTCIA membership to lapse. While I admire the group and their goals, when I moved to Albany, I was immediately disconnected, and as a result, didn’t want to keep spending the money for no return in value. I truly wish more organizations would start to understand that “meeting” does not mean everything has to happen in person. Many organizations would benefit from either creating an online community - or at this point, getting engaged and helping to grow the Catalyst Community.

So this evening, I got this email message:

Dear HTCIA Member,

Our records indicate that your 2007 dues have not been paid. If payment is not received prior to April 15, 2007, you will be required to re-apply as a new member in HTCIA. Renewals can be done via our website at htcia.org, or you may fax your credit card information or mail payment to the International Office address below. After this date, 2007 dues renewals will not be accepted.

Thank you for your cooperation in this matter and for your continued support of HTCIA.

Sincerely,


So why did I bother to post this?

A perfect opportunity was missed here to demonstrate to me the value of renewing - instead, HTCIA decided to take the tactic of telling me that by not sending in dues, I would be forced to reapply. Personally, I would have asked why I didn’t pay the 2006 dues… and then reminded me of some of the benefits and offered a telephone number to discuss what was going on, etc.

I read this message and instantly thought, “screw it.” I doubt that’s the reaction they wanted. But making me feel like an inconvenience to your organization doesn’t encourage me to want to stay. I still like and support the HTCIA - so this message isn’t about bashing them or suggesting that people not join. I think this is a great group and if you have a local chapter, you _should_ join. Yet this approach struck me as “the normal way of doing business” - and upset me. This message was focused on the HTCIA and not focused on me as a member - which is odd, since they are asking for money.

Is this how you treat your users? Are they inconveniences to you? Do you take the time to communicate in a way that meets their needs and demonstrates benefits to them (in their terms)?

Don’t make this mistake with your communications and opportunities to make a difference.

Posted in Information Protection, Professional Speaking | Comments (1)
