
Archive for August, 2007

Do you dance in the rain?

On my way home this evening, I drove through a driving thunderstorm. Along the way, stopped at a red light, I saw a group of middle-school children dancing and laughing in the rain. It was a sharp contrast to the adults I had seen a few blocks back, scurrying away.

Sitting at the light, I wondered - would I dance in the rain, or would I scurry to get out of it? Thinking about the example I would set for my children, I realized:

I would dance in the rain; I will dance in the rain. You might call me crazy (if I wasn’t crazy, I would be insane - thanks Jimmy Buffett) - but absorbing and celebrating the moment is where passion is born. It’s where we can feel free, and we can be ourselves. I will appreciate and respect you for trying. Hopefully you’ll do the same for me; but if not, I’ll be confident that I am me…

During the rest of the drive, I realized it’s not much different for security. All too often, we’re so concerned with what people think, what they say and how we’re perceived that we focus all our energy on being someone or something else. We’ve stopped living in the moment; we’ve stopped having fun. We’ve stopped “dancing in the rain.”

I feel like our industry is a bit tired right now. A lot of us feel frustrated, and perhaps that the industry has lost its way. I’m an optimist - and I see a lot of opportunity. I dance in the rain, and I know that we’re able to make a difference. In the US, we’re heading into a long holiday weekend that marks the end of summer and the return to work, to projects and to our efforts. My wish for you this weekend is that you are able to take some time to refresh. Find your own way to dance in the rain (or sing in the shower).

Renew your passion for security. When you come back, I’ll be here with ideas and will share my research and experiences to support your organization, and to support you. We can dance in the rain together and change the way people protect information!

Posted in Uncategorized | Comments (1)

Security Conferences and Jump Starting your Awareness efforts

Regardless of what the calendar says, the new year really begins in September. After a summer of obstacles to productivity, in September, we jump into gear.

This message is to update you on:

Information Protection Assessment Toolkit (IPAT) – special offer deadline imminent
September Events

Build Budgets, Awareness, Strategy… with IPAT
Special offer deadline

My plan for a guided, supported and realistic toolkit to help those responsible for security build a plan, budget and awareness program became real this summer. The Information Protection Assessment Toolkit (IPAT) and the IPAT preview program launched in July.

The special offer of a ½ day of my time to launch the program in your organization will soon end. As you can see from my schedule below, my hours are limited. Contact us to book your IPAT program before September 13th.

September events:

The Protecting Information Workshop
Sponsored by: Albany, NY Tech Valley ISSA Chapter
Thursday,
September 20th, 9am-3pm EST
MetLife facility, Rensselaer Technology Park, North Greenbush.
Thanks to their sponsorship, the fee is only $25 for non-members
Certificate: 5 Continuing Professional Education (CPE) credits
Registration:
http://www.techvalleynyissa.org/

Security Solutions Virtual Tradeshow
Sponsored by: Ziff-Davis
Wednesday,
September 26th, 11am -6pm EST
Registration: http://go.ziffdavisvts.com/securitysolutions


Into the Breach – Keynote Speaker
Sponsored by: CSO Breakfast club
Friday,
September 28
Pittsburgh
Registration:
http://www.csobreakfastclub.com/

Cutting Edge Conference
Sponsored by: Symantec Corporation (Internal event, closed to public)
October 2 & 3, 2007
Orlando, Florida.
Registration: closed

Enjoy a secure September.

Michael

Posted in Information Protection, Professional Speaking

Podcasts are working again - on tap for this week

I hope you got off to a great start this week - you deserve it. I was able to correct the podcast feed issues (which seem to be related to an update in the latest version of WordPress). You should again be able to download and listen to Security Catalyst Podcasts.

I’m actually working on a podcast now, explaining why I don’t accept “but we have a policy” as a credible excuse when a company that has had a breach/disclosure of information looks to blame someone else. It’s becoming the next round of excuses, and I’ll be sharing some of my thoughts on what I’d like to see instead, and what you can do to make sure you don’t need to use that lame excuse (of course, pre-ordering Into the Breach is a good plan, too). Look for that this week, along with my weekly update.

I’m also lining up some public opportunities for us to explore how to protect information together. Once those are firmed up, I’ll let you know about the time and dates, since this will be a low-cost and very limited engagement until we kick-start the Campaign Across America. I’m also up late working on The Catalyst Club - a way to allow you to improve your career (and make more money, get the girl, drive a fast car) by engaging and working with the information we write and talk about. I’m planning to share it with you in September - but might offer a preview to readers/listeners in the next few days.

For those tracking it, the fundamentals thread in the community continues to grow and explore our fundamentals. These are the very keys that will enable your success across the board - and we’ll be exploring them for our mutual benefit as we continue this process.

Lots of exciting things going on — have a great week!

Posted in Information Protection

podcasts seem to be broken; will fix this weekend | check out the latest SRT

I just got a heads up that my podcast feed is suddenly not working. I can verify it’s not working - and since today is my birthday and I’m heading out, I can further verify I won’t fix it until sometime this weekend.

Sorry for the inconvenience….

In the meantime, I posted the August Security Round Table this morning… and we’re already planning the next three shows! In August, we discuss the keys to your success in finding a new job, managing your career and well, the secret code word of the day. No not really - but you should listen to make sure.

Check it out here: http://www.securityroundtable.com/

Subscribe in iTunes here: http://phobos.apple.com/WebObjects/MZStore.woa/wa/viewPodcast?id=156964477

Have a great weekend!!

Posted in Information Protection

Advance your career - master the fundamentals

I’ve been really impressed by the exploration and resulting discussion of the fundamentals taking place in the Security Catalyst Community. Join the discussion: What are your “fundamentals” for security?

My quest for the fundamentals began with the superstars of sports - watching, then studying, their routines. I’ve shared the fundamentals conversations with clients, friends and colleagues - and I love listening to the stories of how this applies to sports, to things like teaching children math and science… all of the different ways we connect, consider and distill. It’s not a surprise to me that we’re collectively struggling to develop a clear list of the fundamental building blocks of information protection.

The current list
1. Confidentiality, Integrity and Availability
2. Defense-in-depth
3. Least Privilege
4. Simplicity

(and we’re currently discussing a few others)

It’s important to note that the discussion of fundamentals quickly veers into discussions of “how-to” - which is the next step. Many of us are entrenched in the day-to-day operations, and discussing the how-to is ABSOLUTELY NECESSARY for us to distill down to the fundamentals. I know the progress may seem slow, but it’s clear to me that we’re making progress, and this is only the beginning.

The Value of Fundamentals - through Triathlon
I am registered for Ironman 2008 in Lake Placid, NY (July 20, 2008). While the goal is a long way off, it also requires me to start training now, after several years of being away…

When I was younger, I was a competitive swimmer, swim instructor, cyclist and active triathlete - and was fortunate to have good coaching that drilled the fundamentals into me, whether I knew it or not. I didn’t know it then, but looking back, I certainly appreciate having those fundamentals drilled into me. A few weeks into my training, I am finding that my “muscle memory” is surprising… and that allows me both to build up my endurance base and to focus more deeply on the fundamentals so that I am even more efficient and effective. At the same time, I struggle with “what I used to be able to do” as I focus my time and energy on relearning and mastering the fundamentals. I firmly believe that a simple training plan based on proper application of the fundamentals will help me reach my goal.

As such, my approach is to spend 8-10 weeks EXCLUSIVELY focused on the fundamentals of swimming, cycling, running, nutrition and rest. The idea is to slowly introduce the right patterns and behavior that will guide the extended training and distance I will need to travel in the coming months (and years, since one certainly won’t be enough). I am also doing this while finishing my book, planning the Campaign Across America and launching some new assessment and awareness solutions — you guessed it — based on understanding and applying fundamentals.

I’m actually able to train in about 8-10 hours a week right now, which hasn’t impacted my business or my time with my children. In fact, I’m finding that I actually have MORE time and am more PRODUCTIVE in the time I do have. Weird, right?

So how does this relate to security and our quest for fundamentals? Well, I think studying other fields for their fundamentals is a brilliant and important approach. Not much new has been created, but there is plenty to learn from, adapt and expand on. I’m finding that by following the fundamentals in my tri training, I am able to be more effective with less risk. AH-HA!

If we want to be more effective with less risk, then we also have to make the time to learn, study and learn to apply the fundamentals. And we have to do this all the time. Even as my training progresses, I am seeking the advice and counsel of coaches, clinics and incorporating basic drills to help my body continually understand and apply the fundamentals. In the beginning, it sometimes feels slow - and that can be frustrating. As time goes on, we realize we can go further, faster - whether in physical pursuits, or in our careers.

The practice of security is no exception to this rule. I will continue to explore the parallels and will be writing about them, sharing them here and looking forward to learning from each of the contributors here … soon, we’ll have a compelling and impressive list. Don’t worry about the struggle… this isn’t designed to be a quick exercise. It’s going to take some time, but the pay-off will be amazing.

Posted in Information Protection

Security Catalyst Community Round-up | Goodness for the Security Profession!

Maybe it’s because I’m more engaged (in the forums - I’m happily married, thank you) recently… Maybe it’s the triathlon training I started back into… Maybe it’s the moon…

Whatever it is, the discussions taking place in the Security Catalyst Community have been nothing short of spectacular recently. The more I study how we learn (and therefore how we grow & improve our practice of security), the more convinced I am that we need “safe havens” in which we can engage in conversations - conversations that allow us to negotiate new meanings and applications of our many and different experiences. Our fellow professionals are sharing their ideas, their time, their talents - with each other. Amazing. Engaging. Reassuring.

It’s happening - and if you’re not engaging in the conversations, you’re missing out. Membership has no cost - your participation is your currency. The only requirement we have is that you need to register using your real name - Firstname.Lastname is our format. We are building a community of passionate professionals. True professionals. You are invited!

Here is a sample of the exciting conversations taking place right now - jump in today!

Security heretics needed?
…In the past, those with heretical opinions have often triggered a vast change in what were orthodox techniques…

how often should I get involved?
… As a newer security person how often should I get involved with projects? I see a lot of projects around me getting started that involve some level of security and I don’t even hear about them until the project is at near end or already deployed…

Looking for publicly available logs
…I’ve developed a new open-source tool to sift through logs and intend to publish it soon…

UTM Devices
…I am looking for some advice on the current range of UTM devices available. My company hosts a low volume application service provider environment for some of our clients situated on DMZs off our firewalls. These existing firewalls are due for imminent replacement and we are considering going the UTM route for the future…

Looking for people who have tried OSSEC
…we have a budding author looking for those with experience with OSSEC…

Spinning up a Security Consult Business
…This thread is simply amazing… I almost feel like this is a MUST READ!

Cost per seat for awareness
…So my initial question remains: how much are people allocating for awareness PER PERSON, per year? Security is not a seasonal event, so we have to invest properly to make a difference. The smaller your company, the more per person you’re likely to spend. The larger, the more likely you’re able to gain economy of scale….

Posted in Information Protection

Security Catalyst Community - Blogrolling

The conversations taking place in the SCC are truly engaging - and I’ll briefly round up some of the top conversations in a while. Meantime, here is the current list of active members of the SCC, and the blogs and podcasts they maintain.

As a community designed to support the profession coming together, I’m thrilled to have so many outspoken and well-spoken members of the community. We now have an interim leadership board in place, and we’re working through some details on how to improve and expand the efforts of our community. Good times lie ahead!

The Security Catalyst (Michael Santarcangelo) | http://www.securitycatalyst.com
The Network Security Blog and Podcast (Martin McKeay) | http://www.mckeay.net
Security Ripcord Blog and Podcast | http://blog.cutawaysecurity.com
Education Security Incidents (Adam Dodge) | http://www.adamdodge.com/esi
An Information Security Place (Michael Farnum) | http://infosecplace.com/blog
Andy, IT Guy (Andy Willingham) | http://andyitguy.blogspot.com/
Andrew Hay | http://www.andrewhay.ca/
Security Views | http://www.securityviews.com
Security Renaissance | http://securityrenaissance.com/
Marcin Wielgoszewski | http://www.tssci-security.com
Aditya Kuppa | http://rumblingsofaconfusedmind.blogspot.com
Sam Masiello | http://www.mxlogic.com/threat_center
Still Secure After All These Years (Alan Shimel) | http://www.stillsecureafteralltheseyears.com
John Biasi | http://www.john-biasi.com
Security Incite (Mike Rothman) | http://securityincite.com/blog/mike-rothman
Eric McMillen | http://www.mcmillengroup.com/blog/
Chris Hoff | http://rationalsecurity.typepad.com
RioSec Security WebLog (Chris Byrd) | http://www.riosec.com
James Costello | http://genesyswave.bloggerteam.com/
Harlan Carvey, CISSP | http://windowsir.blogspot.com
SecThis.com Security Podcast (Gene Naftulyev, CISSP) | www.secthis.com
Jon Robinson | www.jonsnetwork.com
The IT Security Guy (Joel Dubin) | http://www.theitsecurityguy.com
Augusto Paes de Barros, CISSP | http://www.paesdebarros.com.br/english & http://www.paesdebarros.com.br/indexpb.html
Chris Harrington | www.infosecpodcast.com
John Gerber | http://www.securitymonks.com
Steve Mullen | http://skmullen.wordpress.com
Rory McCune | http://www.mccune.org.uk/
Nick Owen | http://www.wikidsystems.com/WiKIDBlog
Rebecca Herold | http://www.realtime-itcompliance.com & podcasts at http://www.realtime-itcompliance.com/podcast/
Randy Armknecht | http://www.rarmknecht.net
Gary Hinson | http://www.NoticeBored.com
Daniel Miessler | http://dmiessler.com/ | http://dmiessler.com/study/
Didier Stevens, CISSP | https://DidierStevens.com
Lester Nichols, MCP | http://virtualmindshare.blogspot.com/
Amrit Williams | http://techbuddha.wordpress.com
Ken Camp | http://www.ipadventures.com/
Liudvikas Bukys | http://L.Bukys.org
David D Bergert, CISSP, CISA | http://www.infosecblurb.com
Justin Clarke | http://www.justinclarke.com
Garrett Gee | http://ggee.org
Andrew Storms | http://blog.ncircle.com/blogs/sync
Lori MacVittie | http://devcentral.f5.com/weblogs/macvittie/
Rob Newby | http://robnewby.blogspot.com
Andrew Mason | http://infosecandpcifromscratch.blogspot.com
Andy Steingruebl | http://securityretentive.blogspot.com/
Security Thoughts (Allen Baranov) | http://securethink.blogspot.com
Jeff Stebelton | http://jeffsoh.blogspot.com

Posted in Information Protection

Success is sometimes measured in how you handle mistakes

My good friend Andy Willingham today celebrated one year of blogging. Andy, thanks for a year of sharing ideas, insights and your passions! If you’re not currently reading Andy’s Blog - you’re absolutely missing out. To celebrate a year, he pointed out that FaceTime recently experienced an unpleasant situation where customer information was disclosed. I think many of us realize that no one, and therefore no company is perfect. FaceTime has proven that - and I think Andy presented a balanced view of the situation.

I think in life, the measure of a person is how they address and handle mistakes. I think in business, the measure of a company is not whether a mistake/breach happens, but how the company handles an incident when it happens. We can split hairs over whether this constituted a breach or not. Regardless, customer information was at risk; customer information was disclosed. It’s not clear to me why that information would have been stored on the webserver, but I’m also not familiar with their architecture. Without question, on the scale of public outcry, this is and should be almost a non-issue. Almost.

While I suppose this isn’t exactly the type of event you want to incorporate on the front page of your website, the only public response I could find was in the Computerworld article. From what I read there, FaceTime acted quickly and even notified the people impacted. Yet I was bothered by this response:

However, Capri said no sensitive personal data such as credit card numbers, Social Security numbers or dates of birth was exposed because that information is not collected on the FaceTime Web site.

It’s a fair and valid statement to make. I suppose I would advise a client to make a similar statement, save one exception: I’d leave out the aspect of tying personal information to a limited set of data types. I’m troubled by the concept that if it wasn’t a social security number, credit card number or something of the same, then no personal information was disclosed. Information of any kind has value - and while this was probably a mistake, I would expect a security company to have taken a different attitude.
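The open question above is why customer data was sitting on the web server at all. The following is an added example, not code from the original post or from FaceTime: a small audit that walks a web server’s document root and flags files that look like customer data exports, either by file type (CSV, SQL dumps, backups) or because their contents hold several e-mail addresses or phone numbers. The sample webroot, the file names and the addresses in it are all constructed for the example; the thresholds and regular expressions are assumptions you would tune to the data your own site actually collects.

```python
"""
Added example (not from the original post or from FaceTime): scan a web
server's document root for files that look like exposed customer data.
The sample webroot is constructed in a temporary directory and is
entirely hypothetical.
"""
import os
import re
import tempfile

# File types that have no business being served from a document root.
# Assumption: extend this list for your own environment.
EXPORT_SUFFIXES = (".csv", ".sql", ".bak", ".xls", ".xlsx", ".mdb", ".dump", ".old")

# Heuristics for records that look like contact data (assumed patterns).
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b")

# Distinct e-mail addresses needed before a file is treated as a contact
# list rather than, say, a single mailto: link on a normal page.
EMAIL_THRESHOLD = 3


def scan_file(path):
    """Return a list of reasons this file looks like exposed customer data."""
    reasons = []
    if path.lower().endswith(EXPORT_SUFFIXES):
        reasons.append("export/backup file type in webroot")
    try:
        with open(path, "r", encoding="utf-8", errors="ignore") as fh:
            text = fh.read()
    except OSError:
        return reasons
    emails = set(EMAIL_RE.findall(text))
    if len(emails) >= EMAIL_THRESHOLD:
        reasons.append("%d distinct e-mail addresses" % len(emails))
    phones = set(PHONE_RE.findall(text))
    if phones:
        reasons.append("%d phone numbers" % len(phones))
    return reasons


def scan_webroot(root):
    """Walk the document root; return {relative_path: [reasons]} for hits only."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            reasons = scan_file(full)
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings


def build_sample_webroot():
    """Create a constructed, hypothetical document root for demonstration."""
    root = tempfile.mkdtemp(prefix="webroot-")
    os.makedirs(os.path.join(root, "downloads"))
    # A normal page with one contact address: should not be flagged.
    with open(os.path.join(root, "index.html"), "w") as fh:
        fh.write("<html><body>Contact us: mailto:info@example.com</body></html>\n")
    # A customer export left in a download directory: flagged by type and content.
    with open(os.path.join(root, "downloads", "customers.csv"), "w") as fh:
        fh.write("name,email,phone\n")
        fh.write("Alice Example,alice@example.com,555-010-0001\n")
        fh.write("Bob Example,bob@example.net,555-010-0002\n")
        fh.write("Carol Example,carol@example.org,555-010-0003\n")
    # A plain text file with a mailing list: flagged by content only.
    with open(os.path.join(root, "leads.txt"), "w") as fh:
        fh.write("dan@example.com\nerin@example.com\nfrank@example.com\n")
    return root


if __name__ == "__main__":
    sample = build_sample_webroot()
    for rel, why in sorted(scan_webroot(sample).items()):
        print("%s: %s" % (rel, "; ".join(why)))
```

Run it against a real document root by calling `scan_webroot("/var/www/html")` (path assumed). The point is not the regular expressions but the habit: anything that lives under the webroot is one mistyped URL away from being public, so data exports belong outside it, and a check like this belongs in the deployment process rather than in the breach response.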

Posted in Information Protection

I hope you are having a great summer and enjoying the opportunity to soak in the sunshine and spend time with the people you care about. After a client visit this week (in the RV), I managed to surprise the family and stop at Hershey Park yesterday afternoon for some “fun in the sun.” As I have shared with you, having the RV allows me the benefit of traveling to my clients with flexibility and freedom - and lately - at a COST SAVINGS from some of the airfare and hotel prices. On a personal level, it allows me to travel with my family and explore new areas - learning, teaching, and sharing. In the end, that works out to the benefit of my client, too.

Windshield Time & The Value of Fundamentals
Driving the RV allows me to work when inspired and provides plenty of “windshield time” to think. In the last week, I have spent a lot of time thinking. In specific, I have been really focused on WHY so many of us are in a state of constant REACTION. Seriously - I’m bothered about the state and health of our industry. Too many people are on-edge, look exhausted (and in many cases, defeated) and are making poor decisions. I really believe that we collectively need to get back to the basics. We need to focus on fundamentals and master them if we truly wish to be successful.

I walked back into the office today and caught up on the amazing conversation taking place in the Security Catalyst Community about fundamentals. I just spent a few days working with a valued client focusing on a tactical program to build security awareness. The theme we agreed on was that “security is a dialogue, not a directive.” I’ve firmly believed that for a few years now - and we have to design structures and opportunities for people to engage with us in conversations. Through these conversations, we are able to “negotiate” the meanings. Now, this doesn’t mean we change the meaning of principles and approaches. It means we engage in a conversation that allows us to come to a more complete and thorough understanding.

What I realized today is that we have to do the SAME THING as security professionals. The thread on fundamentals is giving us an opportunity to engage in a conversation of our own. When you join in our conversation, you’ll notice that we are sharing ideas, concepts, principles and asking questions - designed to help each of us find the common understanding. As a result, we are building an important list of fundamentals that each of us needs to:

  • Know
  • Explain
  • Apply

The Importance of this Effort
Once we have a decent list of fundamentals, our opportunity then becomes one of exploring how to apply them in a way that makes our jobs easier. “Knowing” the fundamentals is important, but not a terminal step. We have to be able to then explain them to others and practice (continually) how to apply them. The more we study and explore the fundamentals, without question, the stronger we become. This is a key to my quest to help our profession break the cycle of reaction.

From the thread:

The point I was making is that security is not fundamentally different than it has been for centuries. The tools may be different, but the approach is still the same. You build barriers, monitor those barriers, and attack the intruder if they get through. Castles were still open to the general public, but could be quickly shut off in times of conflict. While the castle was open, the towers were not and had differing levels of protection based on the value of an asset and its use. For example the courtyard of a castle was open for commerce, but the open area was controlled by those watching from up above on the castle wall.

This came after a discussion that led to adding “Defense-in-Depth” to the list.

The current list of Fundamentals
1. Confidentiality, Integrity and Availability
2. Defense-in-depth
3. Least Privilege

We’re currently exploring some tried and true principles and approaches and distilling them down to fundamentals. You are invited to participate (and benefit). Here is the discussion: http://community.securitycatalyst.com/forums/index.php/topic,523.0.html

To join the Catalyst Community - go to http://community.securitycatalyst.com/forums/index.php - and register using your full name, separated by a period. For example, my username is michael.santarcangelo.

We all look forward to learning from you!!

Posted in Information Protection