
The Power of a Positive Community (see for yourself)

I’ve expressed my honest amazement at the power of having a community of passionate professionals coming together to support one another. Today there was a thread that just made sense (as it demonstrated the power and value in our efforts)…

The thread actually got started yesterday, and it is titled “security is broken?”
I contributed to it a bit today with my “reboot the industry” post, but the real value came from the voices engaged in the discussion, as demonstrated by this excerpt:

That being said, we need to continue fighting the good fight. Maybe it’s thankless and maybe it’s futile (though I don’t think so), but I’m not willing to accept defeat. I don’t have that in me.

I don’t think there’s a job in IT that isn’t thankless. App developers work their tails off and develop a new application, and no one says “thanks, that made my job easier.” Security professionals diligently work to protect corporate assets and consumer identities and no one says “Hey, thanks! No one stole my identity or sensitive data today, good job.” No one thanks the system admins when servers continue to run, and no one stops to pat the application admin on the back for keeping the applications running. No one says anything until there’s a problem, and then it’s all negative.

Churn in a call center is high because people can only take so much negativity before they burn out. That security professionals continue to trudge on, day after day, despite the negativity and pressure should be considered nothing short of amazing.

So thanks to all of you for protecting my identity today, for bringing to light new vulnerabilities so others can plug the holes, for trying to make the Internet a safer place for everyone, for keeping the bad guys from stealing sensitive data, for making sure the server this board is running on didn’t crash, for making sure the network was routing correctly so this post got to the right place, for writing some cool software that lets us all collaborate regardless of our location, and for doing your job the best that you can.

Lori (Lori from F5)

My friends, this is what our coming together is all about. You’re getting a glimpse at the power of our community - and why this is needed. You are invited to join us in these conversations, get energized and make a difference.
Lori writes an insightful blog, btw - which I suspect you would enjoy if you haven’t checked it out yet. Meantime - I want to thank the members (current and future) of the Security Catalyst Community. Each of you is making a difference and you inspire me!

If you enjoyed this post, make sure you subscribe to my RSS feed!

Posted in Information Protection

It’s time to reboot the security industry

It seems that this year has been dominated by negativity: we have focused on months of bugs, slammed colleagues and users and even tried to prove through science that people don’t understand risk. In fact, many in our industry seem quick to point out that everything is wrong, nothing works... and that’s not very comforting.

As I have traveled around the country, hosted some informal gatherings and met with friends and clients, I’ve been struck by how people, in general, look and act. Most of the people I have met in security seem “down”, rushed, angry and lacking hope.

So we start a year where we feel downtrodden, upset, dejected and hopeless?

Open Culture (http://www.oculture.com/weblog/2007/03/famous_stanford.html) recently ran a story about the (in)famous Stanford Prison Experiment. After reading it, I remembered back to the first day of my new job after college. My first boss sat me down and told me, “Don’t F*** up, because if you do, the whole world will crush you. If you do a good job, no one will notice, and that’s okay.” In my experience, those words have sometimes been accurate. Since I “got my start,” I have always remembered that first conversation - mainly in the context of watching how many people in technology have been treated and how they chose to treat others.

Practicing Security Today is like the Famous Stanford Prison Experiment

The Stanford prison experiment was a psychological study of the human response to captivity, in particular to the real world circumstances of prison life and the effects of imposed social roles on behaviour. It was conducted in 1971 by a team of researchers led by Philip Zimbardo of Stanford University. Undergraduate volunteers played the roles of guards and prisoners living in a mock prison that was constructed in the basement of the Stanford psychology building.
– Wikipedia entry (http://en.wikipedia.org/wiki/Stanford_prison_experiment)

In the experiment, the behaviors of both the guards and the prisoners escalated quite quickly as each took on characteristics of their role — to the point where the experiment was ended early.

You can learn more here:

Wikipedia: http://en.wikipedia.org/wiki/Stanford_prison_experiment
The Official Website: http://www.prisonexp.org/
Interesting overview: http://www.holah.karoo.net/zimbardostudy.htm

Some of you are probably reading this, recalling the experiment from your college days and wondering… do I think that we are the prisoners or the guards? Short answer is: “yes.”

Reading about and remembering my cursory study of the Stanford prison experiment also made me realize that as “protecting information” has grown in importance, many people in the field of security have been given an opportunity they have never held - a chance to influence and sometimes to enforce. After years of receiving abuse, they find themselves in positions of power - and sometimes without guidance. So we take a reactive and negative approach to those around us. Perhaps some of our colleagues “assume the position” too much and get a bit carried away?

In some cases, we have folks that act like the guards; some act like prisoners and some, I believe, *were* prisoners that now have the role of guard - and they have a lot of memories guiding their actions.

Now, let me be clear - with all the plight in the world today, I’m not suggesting that we, collectively, take our practice of security to the extremes of the prison experiment. In fact, I’m not suggesting a direct comparison. I just happened to review an article on the topic a few weeks back and it has stuck with me that our practice of security might be allowing people to embellish their roles.

Regardless, this is a situation we cannot accept. Period.

We cannot accept this approach: reboot the industry

What happens when your computer doesn’t respond as you would like? Many of us check for runaway processes and consult the logs. If you’ve ever worked with Windows or supported Windows users, a more common answer is: reboot the system.

In security today, I suspect we could “check the logs” and look for runaway processes, but I feel like we need a reboot. We have to flush from memory the bad blood and old experiences and get started with a clean(er) slate. We need a fresh start (or at least a fresh approach).

I believe that the better way to practice the protection of information is through a positive approach that stresses inclusion and builds partnerships. In the last year, I have watched people in our industry alienate the very people that have helped them. I have coached organizations away from taking a punitive approach to security. I have confessed that I love to learn, love to teach and truly enjoy working to simplify security and relate our concepts to people in a language they understand.

In Speaking About Security, we explore the power of the narrative. We learn through story (you can really see this in children). On a recent flight home, I was treated to “Night at the Museum” (http://www.imdb.com/title/tt0477347/). While it might not have been a movie I would have normally selected, I was amazed by the story. Without revealing details, the success came after abandoning a process of restriction and following a path of inclusion.

I’m not suggesting that Hollywood holds the answers, but we cannot ignore the fact that the “story” of this movie and the movie itself were both successful. They are natural to the human experience and something we need to strive for in our practice of security (and the protection of information).

After reboot: It’s time to get grounded and follow a new vision for security

I believe in a new vision. I see a way to practice security that minds the past while focusing on the basics. The future for us focuses on protecting information - and everyone has a role. Protecting information is dialogue; it cannot be simply a directive. The current strategy of relying solely on technology is not working, and it’s time to follow a better way. I believe that means we have to follow an inclusive strategy.

We have to foster a sense of trust among each other and our users. We have to reintroduce the concept of accountability and foster a culture that embraces and expects personal responsibility.

I tend to be the sort of person who prefers action to words. This approach influenced me to share more of my ideas through the blog and podcast this year and led me to create the inclusive and supportive Security Catalyst Community (http://community.securitycatalyst.com/forums/index.php). As that community continues to grow and thrive, I have met many other passionate professionals that have challenged and supported my growth - reinforcing to me that collaborating with others can be truly powerful.

I have decided to spend some time focusing on three key areas:

1. Architecting a shared new vision for approaching how we can protect information (security). It’s not *my* vision - it’s *our* vision and I invite you to join in the conversation and practice a new way.

2. Helping security professionals find their voice. As a parent, I have watched my children struggle with communication and sometimes resort to hitting, tantrums or what we generally call “melt-downs.” I believe that our success in security is tied to our ability to communicate successfully in speaking, writing and presentations.

3. Providing organizations and security professionals the support needed to be successful at our jobs.

I have decided that for our profession to effectively protect information, I want to help each of you become more successful in what you do.

Supporting Your Growth and Development

Through a lot of conversations with clients, friends and even ISSA and Infragard chapters, it was revealed to me that I was already offering some of what people were looking for. As a result, I have improved some programs we already developed and accelerated the development of some new ones.

To help people get grounded, focused and be able to “do more with less” without burning out, we have updated “Are you making a living or making a life?” - which is now available in a keynote, workshop and private workshop session. It’s an approach that shares how we can break the cycle, lead more “integrated lives” - as opposed to seeking “balance” - and build more effective relationships with those around us. Rather than acting out the Prison Experiment, it allows us to pursue a strategy of inclusion, to work together to protect information.

In March, we launched “Speaking About Security” to improve the ability of security professionals to communicate more effectively, inspiring their colleagues to take action.

Mike Rothman and I just announced the formation of the Security Education Network (SEN), which includes the Security Salons I have been forming, as a method to provide the information, insights and support needed to bring your performance to a new level. I’ll be writing more about that in the coming days.

This summer I launch my book, “Into the Breach: Why Corporations Fail to Protect Sensitive Information - and What Can be Done About It” — where we explore breaches and propose an approach to protecting information that allows business leaders to shift their culture away from the “security diet” to a “mindset of protecting information.” I look forward to sharing this with you.

We’re currently working on some different ways to get some needed information, resources and training to you. As soon as some plans firm up, I’ll make some announcements.

I am excited about this journey. I am passionate about my focus and my ability to help guide you and your organization. I firmly believe we need to learn from the past and work toward a better way. I offer up my approach of positive reinforcement, inclusion and education. I look forward to blending my passion, insights and approach with yours and with those of others. It’s time for a change, and I’m excited!

We plant plants…

We show you how to improve your gardening skills…

You grow gardens.

PS: I think I have finally fixed the formatting issues. - Santa 11:19a


Posted in Information Protection, Professional Speaking | Comments (2)

How did you get your start?

This simple question is actually quite revealing, and yet it’s something that few of us are prepared to answer quickly when someone asks us. Recently, Andrew Hay asked this question in the Security Catalyst Community. Here is the intro he posted:

I started a 3 part series on my blog which explains how I got into “The Business”... the security business that is. I encourage all SCC members and bloggers to do the same as I am quite interested to hear if we have any parallels in our experiences. Here is part 1 in my 3 part series (http://www.andrewhay.ca/archives/81)

I have really enjoyed reading through the responses, even though I have been remiss in posting mine. It’s coming…

This concept really excited Ron Woerner and the other contributors, so we have decided to use this as an opportunity to not only share with you how we got our starts, but to challenge you to do the same. To encourage that, we’re each going to post how we got our starts, and then ask 5 other people whose blogs we read to share with us how they got their start (and encourage them to do the same).

Sometimes this world feels impersonal, and I, for one, am interested to learn about you and how you got your start. If you already have a blog, there is no need to wait to be tagged… write it up! If you don’t have a blog, please join the catalyst community and share your experience with others. To me, this is about passion; I invite you to share your passion with us!

For us, Ron Woerner is going to start us off. I’m going to work on explaining mine and figure out who else I want to tag.


Posted in Information Protection

The Catalyst Community Forum Roundup; Connections Abound

It is important that the Catalyst Community be a comfortable and supportive environment that allows everyone an opportunity to ask questions, answer questions and have their voice added to the conversation. I was delighted yesterday when a member of our community approached me to tell me that it is working! He was able to get some guidance he needed and formed some new relationships with some people that are now helping to mentor and guide him.

My friends, welcome to the Security Catalyst Community - a place to grow and make relationships that will improve your career! I believe that by using our full names in the forum, we have been able to develop a virtual resource that meets the needs many of us have felt in the offline world. The best part is that we have only just begun on many levels.

March saw a real explosion in terms of members and activity. The quality of posting, content and discussion is amazing and will absolutely contribute to your improvement. Like everything else in life, the more you put in, the more you get out. Here are some hot and interesting topics that you can contribute to today!

Web App Security resources

Hard disk Encryption

Presentation Ideas - At Risk Teenagers

Certification Advice

Accreditation scheme for penetration testing companies launched in UK

Advantages/Disadvantages of working for a SMB or a Large Organization

My certifications, my choice!

Spinning up a Security Consult Business

IT & Security Magazines (and other paper publications)

What software is the world missing?

Where can I find GOOD statistics?

Fun/different awareness activities

Don’t see something here that is important to you? Come join the community and start a new topic. The entire community looks forward to learning from you and sharing in your passions.

PS: The forums are expanding again in the coming days. Look for an announcement shortly!


Posted in Information Protection

Importance of Community

Are you “connected”? Do you have a set of people you can call on when you have a problem or a question?

“Who ya gonna call?”

The Ghostbusters won’t help you, but a community of like-minded professionals will. I’m talking about others who have been there and done that and who are ready and willing to offer advice. You can’t know everything, so it’s important to be connected to a group who collectively has the knowledge and experience to solve any problem.

Today’s environment requires a security professional/practitioner to be knowledgeable in so many areas extending beyond the twelve areas in ISO 17799. We must protect our organization’s critical assets, which requires us to have answers at our fingertips. You’re not going to get that ability from any degree, certification, or class. You only get it by being a part of a community; a network of similar professionals who are ready and able to offer advice and assistance.

Many cities have a community of security professionals. They are mostly professional groups such as InfraGard, the Information Systems Security Association (ISSA), and the Information Systems Audit and Control Association (ISACA). In Nebraska, we also have NebraskaCERT who for the past eight years has provided a network of professionals dedicated to two pillars of excellence: the Sharing of Knowledge and Applied Research. Through monthly meetings and annual conferences, they have provided a network of security professionals ready, willing and able to help each other. I really like having a local community to turn to when I have a question or need help. It also provides an excellent networking opportunity, which led to my current position.

The Security Catalyst Community is another example. What makes it unique is that it’s entirely virtual. It is an online community that has many of the advantages of a local community. You can ask questions, provide answers, collaborate, and network. Plus you get multiple perspectives from around the world, not just your own backyard. It’s more than a monthly meeting, which is what most local groups provide. It’s a constant collaboration that’s not dependent on a set time schedule, which is perfect in this busy world. The range of topics, questions and answers is unlimited. The collective expertise is second to none. You can grow your knowledge while expanding other people’s knowledge. All from the comfort of your keyboard. [Santa editorial comment: We charge nothing for this benefit. The currency of our community is participation. Everyone is welcome to share ideas and insights – so we’re not about people who “know everything” – but instead a true community helping each other out.]

You can’t know it all. And you don’t have to if you’re part of a community. Participate in one today, either in your local community or on-line. Join in the conversation, don’t just lurk. The key word is to participate and add to the community. Help others and they’ll be there to help you.

Remember, “By helping each other, we all become stronger.”


Posted in Information Protection

Tell us what you think about messaging security

Knowledge about what others are doing - a professional yardstick, if you will - is generally helpful to our efforts as security professionals. As the catalyst community continues to take shape, I have watched and participated in some excellent discussions. For me, that generally leads, then, to some sort of idea.

As a result, I am going to try a new “series” of short surveys designed to address topics that are considered important (by either the press or in the forums). The goal of these surveys is simple: keep them brief, keep them focused on topic and use the information to support those who participate. Hopefully, we can harness the power of working together and the virtual environment we have created to continue to provide benefit to us beyond the forums (and more is coming).

For our first survey, we are going to look at messaging security (spam filtering, anti-phishing and leak detection/prevention). I worked with fellow TCC member Josh Jabs to design this survey to address some core issues around how you and others are handling messaging security.

You can take the brief survey here: Click here to take the Security Catalyst Messaging Security Survey

This is our first attempt, so we tried to keep it simple. We are asking for email addresses and some other information to help qualify the results. At no time will any of this information be used on an individual basis. If you participate, you will have access to the immediate results (and can always ping me to get the latest). Once the survey is complete:

  • the final results will be discussed in the forums
  • everyone who participated will receive an emailed copy of the overview report
  • participants will be invited to join a teleseminar/conference call where the results will be shared and the trends discussed

The hope is that the information collected helps make your job easier. You are welcome to share this link and encourage others to participate - the more who help, the better the result for us all. As always - comments or questions should come to me at securitycatalyst@gmail.com.


Posted in Information Protection

Advancing the Future of Security; a mind-map experiment - conclusion, next steps

This morning we closed the collaborative mind mapping project to map out the Advancement of How We Practice Security. I am excited to share with you that we had contributions and inputs from passionate professionals around the world. As a result, this is a solid start on where, as a profession, we need to consider aligning our time, talents, and resources.

I have been a fan of mind mapping for non-linear thinking (and thinkers) for a while now. I was pleasantly surprised (though perhaps I shouldn’t have been) by how many others also are drawn to mind mapping. We had more people engaged and more countries represented than I expected. I can honestly share with you that I am blown away by the results of this effort - and believe we have a healthy framework to start developing.

I exported the map from MindMeister this morning. I was impressed by the effort that the development team there has put into this offering. The only big drawback was the way the information needed to be sorted. I took the exported map this morning and then “cleaned” it up by moving a few branches (especially the ones that said “new branch”) and then allowed my software to resort and resize the map. It’s a fairly dense map that was described (accurately) as a “wall of words.”

Outside of my contributions to this process, I have not altered any ideas or the fabric of what was shared. Here is what our combined effort looks like (png format):

catalyst security.png

What did I learn from this experience?

  • Mind mapping truly is a powerful method to bring forth ideas
  • Collaborative mind mapping _can_ work, but requires some structure in advance
  • Allowing a collaborative tool around a specific topic allows ideas and inputs from around the world
  • Too many people and too much time leads to “a wall of words”
  • The future of security and how we practice it looks engaging and is something I want to be part of

Care to share some ideas - I’d love to hear from you (contribute to the comments, or send me an email).

What’s next for our effort?
One of the elements of mind mapping that works for me is to let the map sit a bit, and then revisit it to either clean it up, or to start a new one and leverage the previous work (depends on how complex the map is, and how much effort it will take to reorganize my thoughts). I’d like to follow a similar approach here. That said, I’m not quite sure how to do that with a distributed group (and I have a lot on my plate right now). It seems to me that a small team of 3-5 to do the bulk of the work would be the easiest to manage for this round.

The goal of this “refinement stage” is to take the current map and build it out into a framework suitable for wiki-style development. If you have some ideas on how we can refine the map, want to lead the team or desire to participate, please send me an email (securitycatalyst@gmail.com) with your suggestions and qualifications.

How the Security Catalyst Community Will Support this Effort
We’re nearing the point where we can launch a centralized and authenticated jabber chat server (we’re pushing to have that done by the end of the month). Once that has been completed and launched, we’re turning our attention to “securitypedia” - a publicly viewable wiki for the members of the security catalyst community to develop, refine and share ideas.

This mind map will provide the structure for a discussion on the future of security, and eventually for a series of wiki pages to help provide a blueprint for where we need to spend some time, allocate some training dollars and guide some research and development.

Once the wiki is in place and operational (I do not currently have an estimated timeframe), we’ll work to establish a small team to carry this effort forward. If you are interested in helping to carve out the vision for the future of how we practice security, send me a note at securitycatalyst@gmail.com and I’ll include you on a working group list. I suspect this will end up being a summer project, but I do hope that we are able to get it off the ground during Q2.

Here is a PDF version of the map: catalyst security.pdf

If you want this in either OPML format or would prefer some other method by which you can manipulate it, drop me a note and I’ll do my best to get you what you need (provided you give credit where credit is due and share your results back with the community).

Thanks for making this experiment a complete success. The beginning is almost here. Are you excited?


Posted in Information Protection | Comments (1)

Security Catalyst Community Forum Roundup for March 16 2007

Happy Friday! It has been a pretty exciting and hectic week for me - including a series of meetings determining how to advance a vision and pathway for improving our practice and our ability to protect information. I find the more people I meet with, the more excited I get!

With that in mind, I’m really thrilled with the continued growth and expansion of the Security Catalyst Community. We’ve welcomed additional bloggers, podcasters and passionate and dedicated professionals to our community this week. For those of you who have recently joined us, welcome!

What is the Security Catalyst Community?
We are working to create a positive community that allows professionals (or those who aspire to be professional) to come together to advance the way we think about and practice information security. Our aim is to build a resource that not only supports the needs of the community, but also grows with the community. To that end, we are in the process of adding in a chat (via jabber) and a shared wiki to continue to expand how we support your growth and development.

The Goals of the Security Catalyst Community
We have three basic goals:
1. provide a supportive environment where it’s safe to ask for help
2. create a culture where everyone is encouraged to provide ideas and insights - not just the proclaimed “experts”
3. share your passions, blend your energy with others - learn and grow.

I’m watching all three of these happen - and it’s exciting. I invite you to come and participate with us as part of an international dialogue that will allow you to improve your practice of security. If you’re new to the forums, please jump in, start posting and get engaged. The currency of this forum is participation - and the more voices in the dialogue, the more we all benefit.

http://community.securitycatalyst.com/forums/index.php 

Here are some of the conversations active and interesting this week:

Congratulations to our fellow Catalysts

Cisco PIX vs. IP Cop?

Need a good spam filter

Required/recommended reading

Gmail feeding spambots (speed vs security)

Gartner Symposium IT Expo — San Francisco

PCI and pen testing

Santarcangelo hosting informal gathering in PHX 3/20 - Tilted Kilt in Tempe @ 7p

How do you prove log review?

We added a new forum this week to address issues of “regulations and compliance” and are actively working to introduce some new areas of focus, too.

Have a topic burning that you want to talk about? Have a question the power of the community can help you solve? Come join us!


Posted in Information Protection | Comments (1)

Security Catalyst Community Forum Roundup - March 8 2007

Wow. This week we breezed past 1000 quality posts and are about to top 200 passionate professionals coming together to share ideas and help each other. Our community, designed to serve the needs of anyone practicing or interested in security, now welcomes more than 30 security bloggers and podcasters - and is poised for continued growth.

In establishing a community resource, we have worked to build a community where participation is your currency. Today we have forums. Soon, we will be incorporating a jabber/chat capability and a wiki. More improvements are being planned and supported - by the community for the community.

You are invited. Everyone uses their real names and we tackle areas of passion and interest in a supportive way. Everyone is an equal and the mindshare is truly inspirational. Join us and: (1) ask for help, (2) share your experiences and knowledge, or (3) share your passions and grow on a personal and professional level.

Our community is open to anyone with a question about or passion for the protection of information (and practice of information security). You can join here:

Here are some of the hot and interesting topics of the last few days. See something that sparks your attention? Come join the discussion or get one started today. We look forward to learning from you!

Required/recommended reading

What should an Information Security Program include/teach

Which distro of Linux/BSD to get the best experience?

Bird Flu Pandemic - fact or FUD?

Windows 2003 Service Security

Psychology of Security

Risk Management - Art or Science?

any tips for a New security analyst? (yes, there were some awesome suggestions)

Network versus Application Security

Information Security Program in Local Government

The SSN and Identity Theft… What’s the real issue?

Gmail feeding spambots (speed vs security)

It’s been a great week in the forums - and there is much more waiting for you. Come share your passions today and improve how you practice the protection of information.


Posted in Information Protection

Mind mapping the future of how we practice security - starting arrangements (we’re off to an amazing start!)

Again with a nod to Grigor for his insight and guidance, I wanted to kick off our mapping project with the following guidance to help structure our approach.

1. Please add whatever you think is important to the map. Add new branches, add sub branches or whatever you think would be useful. In my own experience, it’s useful to ponder and distill your thought before adding it.

2. We are truly a global community working on this collaboration; please do not delete or modify what someone else has written. If you have a similar idea but want to take it a different direction, add another branch and run with it. Eventually, I’ll work to merge this into a complete map.

3. Please export the map and share copies. Ask those around you for opinions and welcome others to join us. Please also share what you create on your blog.

I’m really enjoying this - and I’m truly blown away at how the map has already grown in the first day. This is the power of working as a global community to advance the profession. And this is only the beginning.

We still have some slots available if you’d like to participate (send me an email: securitycatalyst@gmail.com)


Posted in Information Protection
