<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd"
xmlns:rawvoice="http://www.rawvoice.com/rawvoiceRssModule/"
>

<channel>
	<title>The Security Catalyst&#187; security</title>
	<atom:link href="http://www.securitycatalyst.com/tag/security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.securitycatalyst.com</link>
	<description>harnessing the human side of security</description>
	<lastBuildDate>Wed, 25 Jan 2012 15:57:57 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=</generator>
<!-- podcast_generator="Blubrry PowerPress/2.0.4" -->
	<itunes:summary>harnessing the human side of security</itunes:summary>
	<itunes:author>The Security Catalyst</itunes:author>
	<itunes:explicit>no</itunes:explicit>
	<itunes:image href="http://www.securitycatalyst.com/wp-content/plugins/powerpress/itunes_default.jpg" />
	<itunes:subtitle>harnessing the human side of security</itunes:subtitle>
	<image>
		<title>The Security Catalyst&#187; security</title>
		<url>http://www.securitycatalyst.com/wp-content/plugins/powerpress/rss_default.jpg</url>
		<link>http://www.securitycatalyst.com</link>
	</image>
		<item>
		<title>A Difference of Perspective</title>
		<link>http://www.securitycatalyst.com/2010/06/a-difference-of-perspective/</link>
		<comments>http://www.securitycatalyst.com/2010/06/a-difference-of-perspective/#comments</comments>
		<pubDate>Thu, 24 Jun 2010 09:50:24 +0000</pubDate>
		<dc:creator>Guest Blogger</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[cisco]]></category>
		<category><![CDATA[IPS]]></category>
		<category><![CDATA[learning]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=3025</guid>
		<description><![CDATA[I recently participated in a briefing with Cisco where Cisco’s David Bump explained to me the idea behind the Cisco Learning System. The Cisco Learning System works to fill the IT talent gap by partnering with both public and private partners to help increase the supply of qualified professionals. David caught my attention when he [...]]]></description>
			<content:encoded><![CDATA[<p>I recently participated in a briefing with Cisco where Cisco’s David Bump explained to me the idea behind the Cisco Learning System. The Cisco Learning System works to fill the IT talent gap by partnering with both public and private partners to help increase the supply of qualified professionals.</p>
<p>David caught my attention when he explained that the most important part of their approach is to empower users to take full advantage of their systems. He qualified this with the example that while you could probably use their equipment, in particular their Intrusion Prevention System, or IPS, out of the box, you wouldn’t be taking full advantage of the power in the device.</p>
<p>This struck me as a very interesting take on the user education system.</p>
<p>As part of my day job, I work with IPS systems. In fact, I have evaluated, implemented and operated a few solutions from different vendors. One vendor in particular collects comprehensive statistics anonymously (from their opt-in system) and publishes them for review on their site. They show that 60-70% of all of their end users use their IPS filters on the ‘Recommended’ settings, meaning without any modification from the vendor-produced filters.</p>
<p>In Cisco’s view, this would suggest that users of the other vendors’ systems aren’t taking full advantage of their appliances.</p>
<p>So who is right?</p>
<p>We’ve all heard it, that “the user” doesn’t know what they’re doing, that the less power we give them, the better. In that case, wouldn’t it make more sense for the company with a full team designing and analyzing filters and threats to develop and maintain the IPS in a user’s network than for the user itself?</p>
<p>After all, if a device ships with the setting in place to auto-apply updates from the vendor, then the vendor can have significant control over the client network. Add filters when a new threat pops up, and in a few months, once the threat dies down, just recommend disabling that filter since the user no longer needs it. Minimal involvement on the user’s part, and they’re likely protected better than they could have done on their own.</p>
<p>But is that more beneficial to the user than education?</p>
<p>I point towards Michael’s Awareness That Works™. What if, instead of assuming the user is a lesser life form that has no idea how to properly secure their network, we assume that they’re just uninformed? You don’t call someone an idiot when they can’t spell a word or speak your language; you educate them instead. Why should we treat network security any differently? We in the industry use acronyms, tools, and words that are often referred to as another language. Heck, we are proud when we say that we think in a way contrary to the average user. But how is that different than if I were to say I was better than a German, since I speak English?</p>
<p>It seems Cisco is on the right track; maybe we could learn something from their ideas.</p>
<p>What do you think? How do we strike the balance between providing solutions that help get the job done while educating people to really use the tools to their maximum advantage?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2010/06/a-difference-of-perspective/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Into the Breach – Audio Series – Chapter 11 (Outsource with Security and Success)</title>
		<link>http://www.securitycatalyst.com/2010/06/into-the-breach-audio-chapter-11/</link>
		<comments>http://www.securitycatalyst.com/2010/06/into-the-breach-audio-chapter-11/#comments</comments>
		<pubDate>Tue, 01 Jun 2010 09:53:19 +0000</pubDate>
		<dc:creator>Michael Santarcangelo</dc:creator>
				<category><![CDATA[Podcast]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[catalyst]]></category>
		<category><![CDATA[mssp]]></category>
		<category><![CDATA[outsource]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=3006</guid>
		<description><![CDATA[Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series. (Click this link) to learn more about how this book solves today’s challenges and pick up a complete copy. This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/12/itb-audioseries-150px.png"><img class="alignleft size-full wp-image-2578" title="itb-audioseries-150px" src="http://www.securitycatalyst.com/wp-content/uploads/2009/12/itb-audioseries-150px.png" alt="" width="150" height="150" /></a>Welcome to the continuation of the <a href="http://www.securitycatalyst.com/into-the-breach/"><strong><em>Into the Breach: Protect Your Business by Managing People, Information and Risk</em></strong></a> audio series. <a href="http://www.securitycatalyst.com/into-the-breach/buy-into-the-breach/">(Click this link) to learn more about how this book solves today’s challenges and pick up a complete copy</a>.</p>
<p>This series, underwritten by <a href="http://www.vmware.com/products/configuration-manager/resource.html">Configuresoft, now part of EMC</a>, is the full and unabridged audio version of <em>Into the Breach</em>, written by Michael Santarcangelo and read by the author.</p>
<h3>What you’ll find in this episode (Chapter 11)</h3>
<p>Outsourcing makes sense for a lot of organizations and continues to gain in popularity. Does this drive to outsource and partner actually increase security and protection of information?</p>
<p>By leveraging the strategy and concepts shared in <em>Into the Breach</em>, learn how to build a firm foundation for success – including how to measure the effectiveness of the partner and ensure mutual and lasting benefit from the arrangement.</p>
<ul>
<li>Learn how to establish appropriate and measurable criteria upon which to make better decisions</li>
<li>Understand how to assess potential partners and providers to ensure appropriate fit and mutual success</li>
<li>Gain insights into verifying and building relationships based on trust and mutual understanding</li>
</ul>
<p>If outsourcing and working with partners is part of the process, then this chapter is a must-listen.</p>
<h3>Put the power of Into the Breach to work for you…</h3>
<p>After listening to this segment of <em>Into the Breach</em>, keep the energy going and support the shift in thinking and inspire behavior change by</p>
<ol>
<li>Engage with Michael on twitter (<a href="http://twitter.com/catalyst">http://twitter.com/catalyst</a>)</li>
<li>Subscribe to The Security Catalyst podcast &amp; blog to get more insights; ask a question and get an answer!</li>
<li><strong>Check out </strong><strong><em>Awareness that Works™</em></strong><strong> – Michael Santarcangelo’s program to guide smart investment in people, with guaranteed results (this program pays for itself). </strong></li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2010/06/into-the-breach-audio-chapter-11/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
<enclosure url="http://www.securitycatalyst.com/podcast/ITB-Santarcangelo-CHAPTER-11.mp3" length="10474902" type="audio/mpeg" />
			<itunes:keywords>breach,catalyst,mssp,outsource,security</itunes:keywords>
		<itunes:subtitle>Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series. (Click this link) to learn more about how this book solves today’s challenges and pick up a complete copy. - </itunes:subtitle>
		<itunes:summary>Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series. (Click this link) to learn more about how this book solves today’s challenges and pick up a complete copy.

This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author.
What you’ll find in this episode (Chapter 11)
Outsourcing makes sense for a lot of organizations and continues to gain in popularity. Does this drive to outsource and partner actually increase security and protection of information?

By leveraging the strategy and concepts shared in Into the Breach, learn how to build a firm foundation for success – including how to measure the effectiveness of the partner and ensure mutual and lasting benefit from the arrangement.

	Learn how to establish appropriate and measurable criteria upon which to make better decisions
	Understand how to assess potential partners and providers to ensure appropriate fit and mutual success
	Gain insights into verifying and building relationships based on trust and mutual understanding

If outsourcing and working with partners is part of the process, then this chapter is a must-listen.
Put the power of Into the Breach to work for you…
After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

	Engage with Michael on twitter (http://twitter.com/catalyst)
	Subscribe to The Security Catalyst podcast &amp; blog to get more insights; ask a question and get an answer!
	Check out Awareness that Works™ – Michael Santarcangelo’s program to guide smart investment in people, with guaranteed results (this program pays for itself).</itunes:summary>
		<itunes:author>The Security Catalyst</itunes:author>
		<itunes:explicit>no</itunes:explicit>
	</item>
		<item>
		<title>Where I Cry for Help (and get more than I could ever have expected)</title>
		<link>http://www.securitycatalyst.com/2010/05/where-i-cry-for-help-and-get-more-than-i-could-ever-have-expected/</link>
		<comments>http://www.securitycatalyst.com/2010/05/where-i-cry-for-help-and-get-more-than-i-could-ever-have-expected/#comments</comments>
		<pubDate>Tue, 25 May 2010 09:19:07 +0000</pubDate>
		<dc:creator>Guest Blogger</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[bsides]]></category>
		<category><![CDATA[keynote]]></category>
		<category><![CDATA[mentor]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2991</guid>
		<description><![CDATA[This is the second in a series of posts detailing the journey and experiences of Joseph Sokoly as a first time speaker in InfoSec. When we left off, I had just decided it was time for me to throw my hat in the ring at BSides Austin; it was one month until my talk, and [...]]]></description>
			<content:encoded><![CDATA[<p><em>This is the second in a series of posts detailing the journey and experiences of Joseph Sokoly as a first time speaker in InfoSec.</em></p>
<p><a href="http://www.securitycatalyst.com/2010/05/what-on-earth-was-i-thinking/" target="_blank">When we left off</a>, I had just decided it was time for me to throw my hat in the ring at BSides Austin; it was one month until my talk, and I had no idea what was about to happen.</p>
<p>When I signed up, there were about 5-10 people signed up to attend, and 5 set up to speak. I could speak to 10 people, no sweat. Plus, I had only put myself down for a twenty-minute talk. That’s only ten slides, two minutes a slide. No sweat, right? Unfortunately, I failed to take something into account: the propensity for people to procrastinate.</p>
<p>I had signed up for my talk on a random whim, and as a result, had put it off immediately after I signed up. I had a basic outline of what I might want to say, but I had nothing concrete. So when I went back to the wiki a week or two later, I saw that instead of the ten people that had previously been signed up, I was now looking at thirty people, the possibility that I would be <a href="http://www.livestream.com/securitybsides/video?clipId=pla_46209223-0804-40f9-bdbf-19cf8f01fb73">streamed live over the internet</a> and the fact that some people who I knew as bigger names would also be speaking at BSidesAustin. (I ended up sharing an hour slot with Robert “RSnake” Hansen, to give you an idea of the caliber of people there.)</p>
<p>Suddenly, this talk was real. When I signed up, I put my name down, tossed a few points in a document for an outline and didn’t think much of it for a few weeks. But now I was looking down a gun barrel pointed at the head of my career. Now, something that had seemed like a quick hop up, hop down thing seemed way more daunting than it had looked from far away. I quickly realized I was in trouble. Big trouble.</p>
<p>I was sitting and staring at my outline and looking at a dire situation. I wasn’t prepared for my talk. Heck, the talk I had lined out wouldn’t have passed my college course, much less a conference full of some of the most awesome people in InfoSec. So I turned back to where the whole idea of this talk had come into being: Twitter.</p>
<p>Ok, so I didn’t actually ask for help, per se. If I remember correctly, I believe my tweet read something like this: “Oh my God, what have I done? I’m not in any way going to be ready for this talk. Maybe I should just withdraw my name, now that other people have signed up.” In my mind, I had no other options! I had read the articles, I had heard the rumors; InfoSec was a closed off, hard to enter industry. Why would they want some young punk with no speaking experience to say what’s been bugging him? I was an inexperienced professional speaker, and had no real credibility even in InfoSec.</p>
<p>Thankfully, other people didn’t agree with me. My tweet of defeat brought folks out of the woodwork to encourage me. People were telling me to stick with it, that BSides was the perfect place to make my entrance, that I would do ok. But one person in particular responded with more. I received a direct message from a guy I had followed in the past because I liked the idea of his site. He sent me a simple message: “If you quit now, you’ll regret it for the rest of your life. Send me what you have, if you’d like me to take a look.” An offer for help? Awesome! Just who is this guy? Sant…Santar…Santarcangelo? Hey, this guy is a professional speaker! And he’s offering to help me without expecting anything in return? Maybe I can pull this off after all…</p>
<p><em>Tune in next week to see a heroic rescue, and the backbreaking work of our hero start to come together!</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2010/05/where-i-cry-for-help-and-get-more-than-i-could-ever-have-expected/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What On Earth was I Thinking?!</title>
		<link>http://www.securitycatalyst.com/2010/05/what-on-earth-was-i-thinking/</link>
		<comments>http://www.securitycatalyst.com/2010/05/what-on-earth-was-i-thinking/#comments</comments>
		<pubDate>Tue, 18 May 2010 09:48:18 +0000</pubDate>
		<dc:creator>Guest Blogger</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[bsides]]></category>
		<category><![CDATA[Professional Speaking]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[speaker]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2975</guid>
		<description><![CDATA[This is the first in a series of posts detailing the journey and experiences of Joseph Sokoly as a first time speaker in InfoSec. Continuing on the “things I learned from speaking” track, the next step is why I did what I did. What would prompt someone to speak at their first InfoSec con ever? [...]]]></description>
			<content:encoded><![CDATA[<p><em>This is the first in a series of posts detailing the journey and experiences of Joseph Sokoly as a first time speaker in InfoSec. </em></p>
<p>Continuing on the “things I learned from speaking” track, the next step is why I did what I did. What would prompt someone to speak at their first InfoSec con ever? And for that, it’s time for a story.</p>
<p>Picture this, if you will. You’re young, impressionable, and have just discovered the incredible community that is the InfoSec community on Twitter. You find a few names you recognize from your blogs, and follow them. Then you go down their follow list and start following anyone who mentions security in their description. Suddenly, you’re sitting at a few hundred people followed, and without realizing, you’ve stepped into a community of truly awesome people. You don’t know them by much more than some of their handles, maybe their display name, but you now know you’re part of a community, if only on the fringe.</p>
<p>Then, one day, one of those people who seem to be talking with everyone all the time mentions he’s on your side of town. (I’ll give you a hint; he’s got a beard almost double my age.) One random lunch later, and I had decided that I needed to go to any con I could get my hands on. So imagine my excitement when I heard a con was coming to my state! That con was <a href="http://www.securitybsides.com/w/page/12194139/BSidesAustin">BSidesAustin</a>.</p>
<p>Almost as soon as BSidesAustin had been announced, I put my name down on the wiki and began making travel plans. I wasn’t going to miss this. (As an aside, at one point I told my family that I wouldn’t be going with them on our family vacation so that I could go to BSidesAustin. Just to give you an idea of how dedicated I was to going.)</p>
<p>But then, in my con-noobish eyes, I saw a problem. One month out from the event, there were only about 4 or 5 speakers signed up, and most of those had denoted only twenty-minute talks. I did some quick napkin math and realized that there weren’t enough people signed up to fill time for the day. And if there aren’t enough speakers signed up, then people won’t come, and then the con might not happen. And there was no way that I would ever let that happen! So I mulled it over for a few days, and made a decision. I was going to speak at BSidesAustin.</p>
<p>And why wouldn’t I? I had taken Professional Presentations, so I knew* how to give a presentation, right? So I thought for a while, and decided that since the only real experience that I had was being young and an InfoSec professional, that would be what I would speak about. I asked a few people who I could bounce some ideas off, what they thought, and in short order, had added my name to the list of speakers with a quick title and description. The talk was titled “The Young and the Restless.” It wasn’t until a few weeks later that I got my real wake up call.</p>
<p><img class="alignright size-medium wp-image-2977" src="http://www.securitycatalyst.com/wp-content/uploads/2010/05/Screen-shot-2010-05-17-at-11.59.00-AM-300x72.png" alt="" width="300" height="72" /></p>
<p>*See <a href="http://www.securitycatalyst.com/2010/04/what-bsides-austin-taught-me-about-speaking-and-the-future-of-our-industry/">my previous post</a> for some of the revelations I had when I realized that I, in fact, didn’t know much about giving a talk.</p>
<p><em>Tune in next week to witness thrilling breakdowns, startling revelations, and heroic rescues! </em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2010/05/what-on-earth-was-i-thinking/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Into the Breach Audio Book Chapter 10: Reducing the Cost of Compliance</title>
		<link>http://www.securitycatalyst.com/2010/05/into-the-breach-audio-series-chapter-10/</link>
		<comments>http://www.securitycatalyst.com/2010/05/into-the-breach-audio-series-chapter-10/#comments</comments>
		<pubDate>Tue, 04 May 2010 10:06:00 +0000</pubDate>
		<dc:creator>Michael Santarcangelo</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[Into the Breach Audio Book]]></category>
		<category><![CDATA[Podcast]]></category>
		<category><![CDATA[awareness]]></category>
		<category><![CDATA[awareness that works]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[catalyst]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2943</guid>
		<description><![CDATA[Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series. (Click this link) to learn more about how this book solves today&#8217;s challenges and pick up a complete copy. This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/12/itb-audioseries-150px.png"><img class="alignleft size-full wp-image-2578" title="itb-audioseries-150px" src="http://www.securitycatalyst.com/wp-content/uploads/2009/12/itb-audioseries-150px.png" alt="" width="150" height="150" /></a>Welcome to the continuation of the <a href="http://www.securitycatalyst.com/into-the-breach/"><strong><em>Into the Breach: Protect Your Business by Managing People, Information and Risk</em></strong></a> audio series. <a href="http://www.securitycatalyst.com/into-the-breach/buy-into-the-breach/">(Click this link) to learn more about how this book solves today&#8217;s challenges and pick up a complete copy</a>.</p>
<p>This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of <em>Into the Breach</em>, written by Michael Santarcangelo and read by the author.</p>
<h3>In this episode (Chapter 10)</h3>
<p>Compliance is not a commodity that can be purchased. And demonstrating compliance at a point in time does not mean information is being protected properly. There is a growing chorus of practitioners who suggest compliance is not security; however, proper security can and often does lead to effective compliance.</p>
<p>The key in managing risk and demonstrating compliance is to engage people in the process of assessing and protecting information – with and without the use of technology and controls.</p>
<p>In this chapter, I share some personal experiences and research that demonstrate the difference between a reactionary approach to compliance and a more mature process that addresses many needs at once.</p>
<p>If you find yourself drowning in compliance – or are trying to convince others of a different approach – this chapter is written for you.</p>
<h3>Put the power of Into the Breach to work for you…</h3>
<p>After listening to this segment of <em>Into the Breach</em>, keep the energy going and support the shift in thinking and inspire behavior change by</p>
<ol>
<li>Engage with Michael on twitter (<a href="http://twitter.com/catalyst">http://twitter.com/catalyst</a>)</li>
<li>Subscribe to The Security Catalyst podcast &amp; blog to get more insights; ask a question and get an answer!</li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2010/05/into-the-breach-audio-series-chapter-10/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
<enclosure url="http://www.securitycatalyst.com/podcast/ITB-Santarcangelo-CHAPTER-10.mp3" length="9024246" type="audio/mpeg" />
			<itunes:keywords>awareness,awareness that works,breach,catalyst,compliance,security</itunes:keywords>
		<itunes:subtitle>Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series. (Click this link) to learn more about how this book solves today&#039;s challenges and pick up a complete copy. - </itunes:subtitle>
		<itunes:summary>Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series. (Click this link) to learn more about how this book solves today&#039;s challenges and pick up a complete copy.

This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author.
In this episode (Chapter 10)
Compliance is not a commodity that can be purchased. And demonstrating compliance at a point in time does not mean information is being protected properly. There is a growing chorus of practitioners who suggest compliance is not security; however, proper security can and often does lead to effective compliance.

The key in managing risk and demonstrating compliance is to engage people in the process of assessing and protecting information – with and without the use of technology and controls.

In this chapter, I share some personal experiences and research that demonstrate the difference between a reactionary approach to compliance and a more mature process that addresses many needs at once.

If you find yourself drowning in compliance – or are trying to convince others of a different approach – this chapter is written for you.
Put the power of Into the Breach to work for you…
After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

	Engage with Michael on twitter (http://twitter.com/catalyst)
	Subscribe to The Security Catalyst podcast &amp; blog to get more insights; ask a question and get an answer!</itunes:summary>
		<itunes:author>The Security Catalyst</itunes:author>
		<itunes:explicit>no</itunes:explicit>
	</item>
		<item>
		<title>What BSides Austin taught me about speaking (and the future of our industry)</title>
		<link>http://www.securitycatalyst.com/2010/04/what-bsides-austin-taught-me-about-speaking-and-the-future-of-our-industry/</link>
		<comments>http://www.securitycatalyst.com/2010/04/what-bsides-austin-taught-me-about-speaking-and-the-future-of-our-industry/#comments</comments>
		<pubDate>Wed, 28 Apr 2010 10:06:31 +0000</pubDate>
		<dc:creator>Guest Blogger</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[bsides]]></category>
		<category><![CDATA[Professional Speaking]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2937</guid>
		<description><![CDATA[By Joseph Sokoly Note from Michael: I am excited to share this guest article from Joseph about his experiences speaking at BSides. I&#8217;m encouraging him to share more ideas in the future &#8211; and we might just get him as a contributor! Last month, I attended my first security conference ever. It was also the [...]]]></description>
			<content:encoded><![CDATA[<p><strong>By Joseph Sokoly</strong></p>
<p><em>Note from Michael: I am excited to share this guest article from Joseph about his experiences speaking at BSides. I&#8217;m encouraging him to share more ideas in the future &#8211; and we might just get him as a contributor!</em></p>
<p>Last month, I attended my first security conference ever. It was also the first time that I spoke at a security conference. As a relative newcomer to the industry, I stepped out on a limb to give that talk, and it has rewarded me in spades. More, preparing for that talk taught me a few things that I’d like to share.</p>
<h3>We aren’t preparing our up-and-coming speakers to speak properly</h3>
<p><img class="alignleft size-medium wp-image-2939" title="bsides_talk" src="http://www.securitycatalyst.com/wp-content/uploads/2010/04/bsides_talk-300x228.png" alt="" width="300" height="228" /></p>
<p>While BSidesAustin was my first time to speak at a security conference (which brought its own new set of nerves I had never experienced before), I am one of those people born with a predisposition to public speaking.</p>
<p>In order to earn the rank of <a href="http://en.wikipedia.org/wiki/Eagle_Scout_(Boy_Scouts_of_America)">Eagle Scout</a>, I was required to earn a “Communications Merit Badge” culminating in a public speech of at least 10 minutes. I completed that requirement by opening a fund raising luncheon with an audience that included mayors, State Representatives, and Scout and political leaders.</p>
<p>As a computer science major at the <a href="http://www.unt.edu/">University of North Texas</a>, I took a required course called Professional Presentations, which taught – or claimed to teach – how to give professional presentations in the workplace. When I began preparing for BSidesAustin, I called on my Eagle Scout experience and blended it with the lessons learned from this class, and my outline looked something like this:</p>
<ul>
<li>Introduction</li>
<li>Agenda</li>
<li>Point One</li>
<li>Point Two</li>
<li>Point Three</li>
<li>Conclusion</li>
<li>Questions and Answers</li>
</ul>
<p>It’s a tried and true method of delivering a talk, right?</p>
<p>It’s what was ingrained in us as we learned that semester. What I realize now is that this method should be considered “tired and broken.”</p>
<p>The problem with this method is that it doesn’t engage an audience. Audiences have become conditioned to expect this method of delivery, and when they see a speaker beginning their talk in that style, the audience begins to tune out the speaker. So by your second slide, you’re already fighting an uphill battle for your audience’s attention. This is the last place you want to be as a new speaker.</p>
<p>When I began my preparations for BSidesAustin, I began to prepare my talk in the way I had been taught. It wasn’t until I sat down with my mentor and he explained the importance of properly engaging my audience that I threw out my slides and rebuilt my talk from the ground up. It felt like a leap of faith.</p>
<p>The reaction from my engaging talk was stunning, convincing me that we need to shift our thinking and change our behaviors if we are going to grow as a profession and make a difference.</p>
<p>Based on that experience and the way my eyes were opened (by my mentor and others), here are some considerations for the future:</p>
<h3>We need to continue providing venues for new speakers to break the ice</h3>
<p>BSidesAustin was an incredible experience, not just because of the community that was there, but also because of the fact that it gave me a place to try my hand at speaking about security.</p>
<p>It was a welcoming community that gave me the feedback I needed to grow in my speaking abilities. And yet, I still know that I couldn't give either my BSidesAustin or BSidesBoston talks at my local ISSA chapter, NAISG group, or DC meetup. We have established speaking styles that we expect, and this keeps new speakers out of the places that, especially in the Dallas area, could desperately use them.</p>
<h3>We need to personally be encouraging and mentoring new speakers to speak</h3>
<p>I've said it in each of my talks, but I'll say it over and over again: I would never have been able to execute my talk in Austin with any real measure of success without the help of my mentor.</p>
<p><a href="http://www.securitycatalyst.com/wp-content/uploads/2010/04/bsides_talk_2.png"><img class="alignright size-medium wp-image-2941" title="bsides_talk_2" src="http://www.securitycatalyst.com/wp-content/uploads/2010/04/bsides_talk_2-300x228.png" alt="" width="300" height="228" /></a><br />
Once I gave my first talk, the second one was much easier to give. But the most interesting thing that came out of my mentorship was that I could immediately turn around, take the same advice I was given and give it to others who were preparing for their first talk. I used it in my Boston talk, and I'll say it again: what you do now makes a lasting impact.</p>
<h3>We need to offer additional opportunities to connect, engage and learn</h3>
<p>Tools like the Security Catalyst Community, the Career Compass and the forthcoming guild with mentoring are great; we need more!</p>
<p>Stacy Thayer just had a great mentorship panel at SOURCEBoston, and when I asked her what motivated her to create the mentorship panel, she said it was a result of the mentorship she had when she was getting her start. It just keeps paying off.</p>
<p>Hopefully this gets you thinking about how you can get involved, and perhaps reconsider how you give your own talks.</p>
<p><em>Michael again: want to get involved? We&#8217;re relaunching the Security Catalyst Community this summer. We are expanding beyond forums and incorporating the Career Compass and mentoring (complete with training and guidance). Get constructive, get engaged and join us. </em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2010/04/what-bsides-austin-taught-me-about-speaking-and-the-future-of-our-industry/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Leading from the Front: Casting Vision &#8211; The Foundation of Effectively Disrupting the Organization</title>
		<link>http://www.securitycatalyst.com/2010/03/leading-from-the-front-casting-vision-the-foundation-of-effectively-disrupting-the-organization/</link>
		<comments>http://www.securitycatalyst.com/2010/03/leading-from-the-front-casting-vision-the-foundation-of-effectively-disrupting-the-organization/#comments</comments>
		<pubDate>Wed, 31 Mar 2010 10:15:54 +0000</pubDate>
		<dc:creator>Guest Blogger</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[career]]></category>
		<category><![CDATA[catalyst]]></category>
		<category><![CDATA[leadership]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[vision]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2867</guid>
		<description><![CDATA[By Martin Fisher Think back to the best leader you&#8217;ve ever followed. For me, it was my Professor of Military Science when I was in ROTC during my college stint. Look at him and at first you&#8217;d see him as an "average" Army officer. He&#8217;d had a bunch of good assignments, some not so good [...]]]></description>
			<content:encoded><![CDATA[<p><strong>By Martin Fisher</strong></p>
<p>Think back to the best leader you&#8217;ve ever followed.</p>
<p>For me, it was my Professor of Military Science when I was in ROTC during my college stint.</p>
<p>Look at him and at first you&#8217;d see him as an "average" Army officer. He&#8217;d had a bunch of good assignments, some not so good assignments, and was finishing up his career teaching young men and women the finer art of leadership. If you only knew him casually you&#8217;d be wondering why all of these young men and women were so dedicated to the program, the Army, and (in a lot of ways) to him.</p>
<p>The reason I did was simple: the Major was able to describe a vision to me of what the Army could be, what I could be, what all of us – together – could accomplish. He told the stories of what he felt we could do in such clear and compelling language that we were enthusiastic to do some pretty (in retrospect) amazing things. Things that, outside of the context of the vision, made absolutely no sense&#8230;like jumping out of perfectly good airplanes while still in flight&#8230;like marching through mud, dust, and pollen for kilometer after kilometer&#8230;like lying in cold rain for hours waiting for the &#8216;bad guys&#8217; to show up&#8230;and so on and so on.</p>
<h3>Casting Vision: It&#8217;s Not Just A Sales Job</h3>
<p>Without a compelling vision a leader is hamstrung.</p>
<p>They can push and pull the levers of the team, they can make adjustments to the machine that is the team – but they cannot get the team to reach its full capability. Without a compelling vision the leader is simply reacting to events instead of shaping the events and circumstances. The leader, without a vision, is not really leading at all.</p>
<p>Just to be clear – we&#8217;re not talking about the simple "performance management" task of assigning goals and objectives to individuals and ensuring that there is a cohesive flow to them. We&#8217;re not talking about "mission statements" or "purpose statements" (although they may enter the conversation later). We&#8217;re not even talking about how to justify the capital expenditure needed to get the "new system" online.</p>
<p>When we talk about casting vision we&#8217;re talking about being able to tell a story that accomplishes some very specific goals.</p>
<h3>Acknowledge What Is</h3>
<p>Any vision must start at the beginning.</p>
<p>You must be able to acknowledge the good, the bad, and the ugly about the current situation. You have to be completely honest about where you are coming from. To do otherwise begins with a foundation that cannot support even the most compelling vision.</p>
<p>Vision, built on false assumptions or denial of the past, collapses under its own weight. That being said, don&#8217;t flagellate yourself (or the team) unnecessarily either.</p>
<p>As Sergeant Joe Friday says, "Just the facts".</p>
<h3>Describe What Is To Come</h3>
<p>Vision, at its simplest, is a story describing how things should (or can) be.</p>
<p>The story needs enough detail without going too deep. It needs to be lofty and idealistic without sacrificing a real sense of reality. The story needs to reach out to your team and show them that they can be much more than what they are today.</p>
<p>But a simple vision is, many times, not enough.</p>
<p>Vision needs to take into account what you want your team to accomplish and also show how that plays into the goals and aspirations of the larger team. Vision, especially for larger teams, needs to be large and sweeping and dramatic and dynamic.</p>
<p>Most importantly, the vision must be Yours.</p>
<h3>Demonstrate Your Belief</h3>
<p>Only you can effectively get your vision off the ground.</p>
<p>If you do not share it convincingly, if you cannot show that you believe it in the deepest fiber of your being, if you cannot demonstrate you are willing to sacrifice personally to make the vision appear then: You. Will. Fail.</p>
<p>Think back to when you knew the boss was simply mouthing words that the boss thought you wanted to hear. Recall when you could tell exactly which motivational book the boss was parroting. Remind yourself of all those times that you knew (and I mean, YOU KNEW) the boss wasn&#8217;t believing what they were saying.</p>
<p>Do you want to be that?</p>
<h3>Make The Mental Shift Yourself First</h3>
<p>Once you&#8217;ve communicated the vision to your team you must make the mental shift in all your communications, thoughts, and presentations and ensure that the tenets of your vision are constantly and consistently communicated.</p>
<p>You need to make your vision, no matter what it is, the focal point of all your activities. You must be "living the vision" every day in every way.</p>
<p>Once your team sees that you believe, once they know that you are not just "saying words", once they realize that the vision is for real – then you can move on to the next (and, to me, most fun) step.</p>
<h3>Help The Team See And Act On The Vision</h3>
<p>Once the team sees that you believe and that you are willing to act on the vision they will be prepared to begin really looking at the vision the way you do and will start to act on it in ways that they think will help bring it about.</p>
<p>Your job is easy – you get to be a cheerleader, mentor, and disciplinarian all in one. You get the chance to reinforce the vision with team members and experience what I think is one of the coolest parts of leadership: you get to see your team members grow as people and you get to see your team grow in its capabilities.</p>
<p>But that growth doesn&#8217;t "just happen"&#8230; In our next episode we&#8217;ll talk about how to take your vision and use it to build a stronger team.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2010/03/leading-from-the-front-casting-vision-the-foundation-of-effectively-disrupting-the-organization/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Does the cloud take away the need for a security team?</title>
		<link>http://www.securitycatalyst.com/2010/03/does-the-cloud-take-away-the-need-for-a-security-team/</link>
		<comments>http://www.securitycatalyst.com/2010/03/does-the-cloud-take-away-the-need-for-a-security-team/#comments</comments>
		<pubDate>Thu, 25 Mar 2010 10:07:39 +0000</pubDate>
		<dc:creator>Guest Blogger</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[awareness]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[profession]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[training]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2784</guid>
		<description><![CDATA[By Craig Nelson Let&#8217;s be direct: we have a huge personal stake in the push toward cloud computing. Do companies that move to the cloud still need security professionals? The answer is clear: yes &#8212; and even more than ever. We are at the beginning of a huge paradigm shift in the middle of a [...]]]></description>
			<content:encoded><![CDATA[<p><strong>By Craig Nelson</strong></p>
<p><strong>Let&#8217;s be direct: we have a huge personal stake in the push toward cloud computing. Do companies that move to the cloud still need security professionals?</strong></p>
<p>The answer is clear: yes &#8212; and even more than ever.</p>
<p>We are at the beginning of a huge paradigm shift in the middle of a deep recession. This perfect storm will drive the cloud to emerge as an architectural option that has clear economic and productivity impacts that will appeal to most IT shops. The decision to use "the cloud" will be one based upon two opposing forces: "do more with less" versus "risk management."</p>
<p>However, this shift – whose success heavily relies upon abstracting the cost/complexity of underlying infrastructure &#8212; demands security professionals &#8220;up their game&#8221; to reflect that we are in a brave new world.</p>
<p>The stakes are high.</p>
<p>Let's reflect on a recent headline: a zero-day vulnerability exploited by a government to access private communications hosted by a major "cloud" provider.</p>
<p>This incident was front-page news – and the rationale for Google to threaten to cease business operations within the borders of China. Coverage and commentary of this incident extended beyond the usual IT publications to the US Secretary of State.</p>
<p>This is a big deal (and great movie plot).</p>
<p>But is it true?</p>
<p>Sometimes fact is stranger than fiction. In this case, it is likely that some aspects are true and others false. Either way, it raises the question: what will the headlines read just a few years from now?</p>
<p>There are two ways security professionals must <em>up their game</em>:</p>
<h3>First, security pros need to learn how to operate effectively in the context of business decisions.</h3>
<p>Ten years ago, security focused on knocking on ports, following exploits, and using flaws in network/core configurations to breach a system. Then the volume of exploits became overwhelming, the OS/network became more resilient, and the auditors moved in. This signaled a shift to checklists and conceptual assessments. The tao of scanning became a commodity, productized through services such as Qualys. IDS configuration became stale (well, also due to protocol complexity and encryption), and we all became unconvinced of the security provided by layer 3 and 4 firewall ACLs and IPS systems.</p>
<p>We&#8217;ve already seen a piece of this evolution as &#8220;risk management&#8221; has dominated security-focused job descriptions.</p>
<p>Security pros are applying &#8220;low level&#8221; security acumen to drive operational situational awareness and risk-based architectural decisions:</p>
<ul>
<li>What security controls does the provider place on data storage?</li>
<li>Are they strong enough as the sole protection mechanism, or should we encrypt and build the added complexity into our application?</li>
<li>What happens if the provider reports a breach?</li>
<li>What is the impact and how will we cohesively respond?</li>
<li>What do we expect from the provider?</li>
<li>What does the provider commit to?</li>
<li>Does the cost balance the consequence and likelihood of an incident?</li>
</ul>
<h3>Second, from a technology perspective, security professionals must build acumen to topics that sit higher in the stack.</h3>
<p>Twelve years ago, we were implementing firewalls to defend against the "ping of death" and "smurf attacks". Since then, the focus has steadily moved away from layers 2/3/4 and into layers 5/6/7 (and out of the "stack" altogether, to focus on the user and the business).</p>
<p>Cloud-based resources further increase the emphasis on applications, users and business. More than privacy and compliance, this means security professionals will need the skills and abilities to focus on these essential aspects and specific challenges like:</p>
<ul>
<li>Application Role Based Access Control (with Federation Technologies)</li>
<li>Security of API interfaces that facilitate programmatic access to an instance of a cloud-based service</li>
<li>Incident Qualification/Response via "cloud" forensics</li>
<li>Logical Data Encryption within "cloud" based storage</li>
<li>Security of code that is developed and deployed to IaaS (Amazon/GoGrid) and PaaS (Microsoft Azure) providers</li>
<li>Configuration and verification of virtual machines (within the IaaS Scenario)</li>
<li>Defense against Economic Denial of Service Attacks</li>
<li>Bridging the policies and metrics that the cloud provider exposes to the requirements of the business</li>
</ul>
<p>For many, these topics are not as easy to master as TCP/IP and SMTP. Complicating the task, many of these concepts differ between providers, mesh together complex application-driven technologies, and change quickly. It's also unclear how far we can venture into each (since many are based on what the provider exposes and how, and on the complex nature of the protocols).</p>
<p>To make the right decisions, businesses must rely on practiced security professionals who are qualified and capable of voicing the appropriate concerns to the business. Without question, this requires greater focus on risk management by explaining complex topics that will drive a risk-managed embrace of cloud computing.</p>
<p><strong>About Craig Nelson </strong></p>
<p><em>Craig Nelson works at Microsoft, and is the host of the Cloud404 Blog (http://blog.cloud404.com). His expertise and education are in incident response, computer forensics, and security architecture. </em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2010/03/does-the-cloud-take-away-the-need-for-a-security-team/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Into the Breach – Audio Series – Chapter 8 (Measuring Success)</title>
		<link>http://www.securitycatalyst.com/2010/03/into-the-breach-audio-chapter-8/</link>
		<comments>http://www.securitycatalyst.com/2010/03/into-the-breach-audio-chapter-8/#comments</comments>
		<pubDate>Tue, 02 Mar 2010 09:40:22 +0000</pubDate>
		<dc:creator>Michael Santarcangelo</dc:creator>
				<category><![CDATA[Podcast]]></category>
		<category><![CDATA[awareness]]></category>
		<category><![CDATA[awareness that works]]></category>
		<category><![CDATA[measurement]]></category>
		<category><![CDATA[metrics]]></category>
		<category><![CDATA[qualitative]]></category>
		<category><![CDATA[quantitative]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2768</guid>
		<description><![CDATA[Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series. (Click this link) to learn more about how this book solves today's challenges and pick up a complete copy. This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/12/itb-audioseries-150px.png"><img class="alignleft size-full wp-image-2578" title="itb-audioseries-150px" src="http://www.securitycatalyst.com/wp-content/uploads/2009/12/itb-audioseries-150px.png" alt="" width="150" height="150" /></a>Welcome to the continuation of the <a href="http://www.securitycatalyst.com/into-the-breach/"><strong><em>Into the Breach: Protect Your Business by Managing People, Information and Risk</em></strong></a> audio series. <a href="http://www.securitycatalyst.com/into-the-breach/buy-into-the-breach/">(Click this link) to learn more about how this book solves today's challenges and pick up a complete copy</a>. This series, underwritten by <a href="http://www.vmware.com/products/configuration-manager/resource.html">Configuresoft, now part of EMC</a>, is the full and unabridged audio version of <em>Into the Breach</em>, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).</p>
<h3>What you'll find in this episode (Chapter 8)</h3>
<p>The strategy has been revealed. The fundamentals of what is now The Catalyst Method have been shared (note: if you want the update on The Catalyst Method, drop me an email). The key considerations for a pilot have been shared – and now it is time to measure success.</p>
<p><strong>So how do you measure what matters so you can communicate what counts?</strong></p>
<p>In this chapter, "Measuring Success," Michael draws on his background in social science and economics to explain a powerful approach to measuring success. Learn how to use the right mix of qualitative and quantitative measurements to get the feedback necessary for success.</p>
<p>Learn how to measure what matters and communicate what counts.</p>
<h3>Put the power of Into the Breach to work for you…</h3>
<p>After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by:</p>
<ol>
<li>Engage with Michael on twitter (<a href="http://twitter.com/catalyst">http://twitter.com/catalyst</a>)</li>
<li>Subscribe to The Security Catalyst podcast &amp; blog to get more insights; ask a question and get an answer!</li>
<li>Check out Awareness that Works™ – Michael Santarcangelo's program to guide smart investment in people, with guaranteed results (this program pays for itself).</li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2010/03/into-the-breach-audio-chapter-8/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
<enclosure url="http://www.securitycatalyst.com/podcast/ITB-Santarcangelo-CHAPTER-8.mp3" length="11163078" type="audio/mpeg" />
			<itunes:keywords>awareness,awareness that works,measurement,metrics,qualitative,quantitative,risk,security</itunes:keywords>
		<itunes:subtitle>Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series. (Click this link) to learn more about how this book solves today's challenges and pick up a complete copy.</itunes:subtitle>
		<itunes:summary>Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series. (Click this link) to learn more about how this book solves today's challenges and pick up a complete copy. This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).
What you'll find in this episode (Chapter 8)
The strategy has been revealed. The fundamentals of what is now The Catalyst Method have been shared (note: if you want the update on The Catalyst Method, drop me an email). The key considerations for a pilot have been shared – and now it is time to measure success.

So how do you measure what matters so you can communicate what counts?

In this chapter, "Measuring Success," Michael draws on his background in social science and economics to explain a powerful approach to measuring success. Learn how to use the right mix of qualitative and quantitative measurements to get the feedback necessary for success.

Learn how to measure what matters and communicate what counts.
Put the power of Into the Breach to work for you…
After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by:

	Engage with Michael on twitter (http://twitter.com/catalyst)
	Subscribe to The Security Catalyst podcast &amp; blog to get more insights; ask a question and get an answer!
	Check out Awareness that Works™ – Michael Santarcangelo's program to guide smart investment in people, with guaranteed results (this program pays for itself).</itunes:summary>
		<itunes:author>The Security Catalyst</itunes:author>
		<itunes:explicit>no</itunes:explicit>
	</item>
		<item>
		<title>Leading from the Front: Bringing Planned Disruption To The Organization</title>
		<link>http://www.securitycatalyst.com/2010/02/leading-from-the-front-bringing-planned-disruption-to-the-organization/</link>
		<comments>http://www.securitycatalyst.com/2010/02/leading-from-the-front-bringing-planned-disruption-to-the-organization/#comments</comments>
		<pubDate>Tue, 23 Feb 2010 11:16:11 +0000</pubDate>
		<dc:creator>Guest Blogger</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[leadership]]></category>
		<category><![CDATA[management]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2750</guid>
		<description><![CDATA[By Martin Fisher What is the most important job/function of a leader? Inspire the team? Use resources effectively? Make tough decisions? Set an example? Develop others? All of these are good answers and are important things for a leader to be sure they are accomplishing in an organization. But none of these is the most [...]]]></description>
			<content:encoded><![CDATA[<p><strong>By Martin Fisher</strong></p>
<p>What is the most important job/function of a leader?</p>
<ul>
<li>Inspire the team?</li>
<li>Use resources effectively?</li>
<li>Make tough decisions?</li>
<li>Set an example?</li>
<li>Develop others?</li>
</ul>
<p>All of these are good answers and are important things for a leader to be sure they are accomplishing in an organization.</p>
<p>But none of these is the most important answer.</p>
<p>The number one job of a leader – the reason leaders exist – is to bring change to organizations.</p>
<p>"That&#8217;s silly!" – is a common reply I hear when I make the statement.</p>
<p>"Leaders only bring change if change is what the organization needs. They assess the situation, analyze their resources, and only make changes if there is a reasonable chance of the change improving the organization."</p>
<p>My response to that, in the words of my teenaged daughter, is "Pssh!".</p>
<h3>Change: If you aren&#8217;t doing it, you&#8217;re doing Leadership wrong.</h3>
<p>Effective leaders are never satisfied with the status quo.</p>
<p>Of course, leaders will continue to celebrate good performances, boast the capabilities of their team, and value the circumstances they find themselves in. But more, a leader has the ability to see and accept the organization as it is and form a clear vision for how the organization can (and should) be.</p>
<p><strong>Leadership, a friend once told me, is where the science of the possible meets the art of the dream. </strong></p>
<p>Leadership is the nuanced ability to see what could be and come up with the plan to create it out of what is already in existence. Effective leaders almost instinctively realize that slow and incremental change is a prison and that the only escape is dramatic and disruptive change.</p>
<h3>Leadership is "Disruptive change?"</h3>
<p>That&#8217;s crazy talk!</p>
<p>Look at all the people who lost or almost lost everything to disruptive change: New Coke&#8230;Webvan&#8230;the Pontiac Aztek&#8230;Hooters Air&#8230;</p>
<p>Only a fool or a liar would say there is no risk to disruptive change. But there are things you can do to minimize that risk:</p>
<h3>Think, Rethink, and Rethink Again</h3>
<p>The leader has to be completely honest with themselves about the environment they operate in, the resources available, and the chances of the disruptive change actually taking effect.</p>
<p>This thinking must be complete, honest, and is not done until the leader understands the environment completely.</p>
<p>The leader then needs to find a small group of trusted other leaders that they can toss the idea to with the intent of these other leaders shooting it so full of holes that almost nothing remains.</p>
<p>Whatever is left &#8212; whatever survives the onslaught &#8212; forms the base of the next round of thinking. Once the thinking is done the thoughts have to be able to be put into simple and actionable statements:</p>
<ul>
<li>Changing the organizational structure? Then create an org chart to talk to and demonstrate.</li>
<li>Changing processes? Then show a picture that details before and after with the benefits.</li>
<li>Changing the mission? Then create a succinct mission statement and show what is being changed and why.</li>
</ul>
<p>Whatever the change, come up with a picture (1 slide, please, not a full deck – that&#8217;s for later) that can be used to explain the "why and how" of the change.</p>
<h3>Talk the Team Through The Change</h3>
<p>The worst thing to do once the thinking is done (you think) and the picture is ready is to simply dump the change on the team.</p>
<p>One of the biggest (and, sadly, most common) mistakes leaders make is to forget that, while the leader has been thinking through this change for weeks, the team just got told of the change and needs time to process and unpack it. They deserve the chance to see what the change is, how it impacts them, ask questions, and get answers.</p>
<p>The effective leader is able to effectively communicate the change to the team.</p>
<p>Use the picture of the "how and why" to show the team how the change will impact them and how it helps get team goals accomplished.</p>
<p>Then step back, listen, and engage in the conversation. Remember – the team knows the system and might reveal something to tweak the change. In fact, this could be the difference between success and failure.</p>
<p>"That sounds an awful lot like sales! If I wanted to do sales I&#8217;d of taken that job with my cousin at the furniture store!"</p>
<h3>Is it like sales?</h3>
<p>Well, if "sales" means influencing people to see things from different perspectives – then yes.</p>
<p>But I prefer to think of it as "Casting A Vision" – which is what we&#8217;ll talk about next time.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2010/02/leading-from-the-front-bringing-planned-disruption-to-the-organization/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Giving back: The Catalyst Career Compass Program</title>
		<link>http://www.securitycatalyst.com/2010/02/giving-back-the-catalyst-career-compass-program/</link>
		<comments>http://www.securitycatalyst.com/2010/02/giving-back-the-catalyst-career-compass-program/#comments</comments>
		<pubDate>Tue, 16 Feb 2010 16:45:20 +0000</pubDate>
		<dc:creator>Michael Santarcangelo</dc:creator>
				<category><![CDATA[Career Compass]]></category>
		<category><![CDATA[News]]></category>
		<category><![CDATA[career coaching]]></category>
		<category><![CDATA[career management]]></category>
		<category><![CDATA[catalyst]]></category>
		<category><![CDATA[santarcangelo]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[security career]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2731</guid>
		<description><![CDATA[What started as a way to help friends improve their security careers has started to turn into a full-fledged program called the Catalyst Career Compass™. Over the last few years, I’ve slowly worked through the elements to help friends – and each time I promise to make the approach public. Last weekend, I was called [...]]]></description>
			<content:encoded><![CDATA[<h1><span style="font-weight: normal; font-size: 13px;">What started as a way to help friends improve their security careers has started to turn into a full-fledged program called the Catalyst Career Compass™.</span></h1>
<p>Over the last few years, I’ve slowly worked through the elements to help friends – and each time I promise to make the approach public. Last weekend, I was called on my promise (thankfully) and decided to open it up. In the meantime, we have colleagues who need a boost – they need to build, calibrate and follow their career compasses.</p>
<p>This is a new program – so I am open to a small group of people running through the elements for their own benefit, and to help shape the elements that will be incorporated into the community. In fact, I’d like to figure out how to train others on the approach and work as a community to help each other out.</p>
<p>So it starts now.</p>
<p>And weâ€™ll start small.</p>
<p>For now, no charge (money) to participate &#8212; but there is a cost. If you are interested, send me an email (securitycatalyst/gmail) or engage me on twitter (<a href="http://twitter.com/catalyst">http://twitter.com/catalyst</a>) and let’s discuss. We have to keep the initial run small, and we need people who are willing to participate fully and work through the entire system.</p>
<p>More details below:</p>
<h2>Career Compass Overview</h2>
<p>Whether you are currently a Security Professional or want to become one, this highly flexible program will help you set and meet your professional ambitions while serving lifestyle goals.</p>
<p>Set your Career Compass:</p>
<ul>
<li>To prepare for a raise</li>
<li>To receive a promotion</li>
<li>For career development</li>
<li>If you are ready to move into the security field</li>
<li>To find a new position (within your current company or outside it)</li>
</ul>
<h3>Determine your path and venture forth.</h3>
<p>Setting Your Career Compass is a multi-faceted program to help you refine your career objectives and realize them.</p>
<p>It is a three-step process.</p>
<p>1. You will first think about and answer a series of questions about yourself, your ideal working environments and your future. We help you align your answers – the ‘who you are’ – with what you have done and where you would like to go.</p>
<p>2. Then we prepare you to effectively communicate your value to the right audience. With guidance you will build a personal brand in the form of a resume, bio, cover letter and whatever else is needed for you to reach your goals.</p>
<p>3. With all the background work complete, we will help you follow the compass you built.</p>
<p>We do not judge.</p>
<p>Everyone thrives in different situations and has different desires in life. Our passion is to help you find the unique value you bring to an organization and position yourself for success.</p>
<h3>Why the Compass approach works.</h3>
<p>We guide you through a process that helps you explore your strengths, values and goals. As a result, you will understand yourself better than simply listening to someone tell you what they think, based on a questionnaire.</p>
<p>You will be self-aware.</p>
<p>You will have the clarity required to communicate your value effectively. After guiding you through this exploratory process, your Career Compass helps you position and differentiate yourself from others in a strong finished package – written and oral.</p>
<p>The program will help you craft a resume that is simple, powerful and designed to attract the attention of the “right” people. It will help you market yourself better and guide you to greater success.</p>
<h3>How much time does this take?</h3>
<p>Like most things in life, the more you invest into this program, the more you will get out of it. It is recommended that you budget 3-5 hours to complete step one, 3-5 hours for step two and 3-5 hours to begin step three.</p>
<p>Step three is ongoing but 3-5 hours gets people where they need to be. Some will breeze through the process. Others will need more time. There is no right answer, but the time you invest in yourself will pay off down the road.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2010/02/giving-back-the-catalyst-career-compass-program/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Is Cloud Computing Right for Your Business?</title>
		<link>http://www.securitycatalyst.com/2010/02/is-cloud-computing-right-for-your-business/</link>
		<comments>http://www.securitycatalyst.com/2010/02/is-cloud-computing-right-for-your-business/#comments</comments>
		<pubDate>Fri, 05 Feb 2010 10:16:28 +0000</pubDate>
		<dc:creator>Guest Blogger</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[business]]></category>
		<category><![CDATA[cloud]]></category>
		<category><![CDATA[nelson]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[small business]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2713</guid>
		<description><![CDATA[By Craig Nelson – special guest to The Security Catalyst Cloud Computing. Is it right for you? Sure. Is it right for your business? &#60;crickets&#62; By now, many have adopted a &#8220;cloud&#8221;-based service for personal use (sometimes without even realizing it). The definition of &#8220;cloud&#8221; can be a bit fuzzy at times, but to keep [...]]]></description>
			<content:encoded><![CDATA[<p><strong>By Craig Nelson – special guest to The Security Catalyst</strong></p>
<div id="attachment_2715" class="wp-caption alignright" style="width: 310px"><a href="http://www.securitycatalyst.com/wp-content/uploads/2010/02/cloud_comp.jpg"><img class="size-medium wp-image-2715" title="Business on a laptop" src="http://www.securitycatalyst.com/wp-content/uploads/2010/02/cloud_comp-300x223.jpg" alt="Is Cloud Computing right for your business?" width="300" height="223" /></a><p class="wp-caption-text">Is Cloud Computing right for your business?</p></div>
<p>Cloud Computing.</p>
<p>Is it right for you? Sure.</p>
<p>Is it right for your business? &lt;crickets&gt;</p>
<p>By now, many have adopted a &#8220;cloud&#8221;-based service for personal use (sometimes without even realizing it). The definition of &#8220;cloud&#8221; can be a bit fuzzy at times, but to keep it simple: it&#8217;s a service provided over the Internet (“the big cloud”). This cloud includes services (from “smaller clouds”) from providers that offer hosted email, backups, document editing, picture sharing, and even password storage.</p>
<p>By linking all of the “clouds” together via fancy software (running on our desktop or elsewhere), our computing experience is much more fulfilling (and certainly more complex).</p>
<p>Given the vagueness of the definition, we can all rest assured that we are on the cutting edge by using “clouds” for our personal productivity.</p>
<p>But, when will “the cloud” be adopted and considered mainstream by the small, medium, and enterprise businesses of the world?</p>
<h3>Three reasons businesses choose the cloud</h3>
<p>The business reasons cited for using &#8220;the cloud&#8221; are likely one or more of the following:</p>
<p>1. Lack of time or expertise (including security) to build and maintain an in-house solution.</p>
<p>2. Seeking the advantage/speed of new features that are released quickly.</p>
<p>3. It&#8217;s cheap (either free, or subscription fees).</p>
<h3>Beyond simple points, consider the depth and complexity of each.</h3>
<p>Software technology can be complex to learn, install (correctly), and run (correctly). It only takes one mistake to reinforce the fact that essential tasks &#8212; such as patching, backup and restore, and monitoring &#8212; are expensive and time consuming.</p>
<p>With a finite amount of time and resources, many chose to focus on the business and leave the technical challenges to someone else (the cloud provider).</p>
<p>At the end of the day, this boils down to ensuring the service is running with the right features to drive a fulfilling and non-frustrating computing experience.</p>
<h3>Can the cloud be more secure?</h3>
<p>Many security breaches are due to improper configuration and lax administration and maintenance.</p>
<p>These issues can be pushed into the provider&#8217;s hands, who can manage &#8220;low level infrastructure issues&#8221; in a cost-efficient way through economies of scale. When a security defect is discovered, it&#8217;s likely the provider can quickly patch all of the instances of the software, and centrally determine whether the defect had any consequence (i.e. whether it was used to compromise data).</p>
<p>If additional security is desired, additional security controls can be applied – matched to the value of the information. For example, organizations concerned about protecting the privacy of their data may choose to encrypt it before backing it up into a cloud-based solution. The encryption will cost some additional CPU time, and add a bit more complexity to the restoration process (the keys now have to be protected and still be available at restore time, or the backup is worthless). However, it’s a cost that can be readily accepted.</p>
<h3>The Cloud &#8211; Personal</h3>
<p>At a personal level, &#8220;the cloud&#8221; allows a consumer to do more with less, and allocate valuable time and money in other ways.</p>
<p>Individuals sitting on the sidelines &#8212; who don&#8217;t trust the cloud &#8212; will dwindle over time as reasonable mitigations are developed to alleviate concerns. For example, many online backup providers offer the ability to encrypt data with keys that are unknown to them, which partially alleviates the concern that the provider&#8217;s employees can view data stored by its customers. I say partially because you still need to trust that the client software is doing what they say it does!</p>
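<p>The encrypt-before-upload pattern described in the two passages above (a key the provider never sees, and a restore path that must reject a bad or tampered blob instead of handing back garbage) as an added example in Go. This is illustrative code written for this page, not Craig Nelson’s code or any backup provider’s software. The object name used as associated data, the random key kept in a local file or keychain, and the sample payroll line are assumptions made for the illustration.</p>

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeySize is the AES-256 key length in bytes.
const KeySize = 32

// NewBackupKey generates a random 256-bit key. It lives only on the client
// (in a local key file or OS keychain, an assumption of this example) and is
// never uploaded with the backup, so the provider cannot read the data.
func NewBackupKey() ([]byte, error) {
	key := make([]byte, KeySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts one backup object with AES-256-GCM before it leaves the client.
// The object name is bound in as associated data, so a blob that is renamed,
// swapped for another object, or modified in transit or at rest fails to open.
// Output layout: nonce || ciphertext || GCM tag.
func Seal(key, plaintext []byte, objectName string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends to its first argument, so the nonce becomes the blob prefix.
	return aead.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// Open is the restore path: it rejects truncated or tampered blobs and blobs
// whose stored name does not match, returning an error rather than garbage.
func Open(key, blob []byte, objectName string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < aead.NonceSize() {
		return nil, errors.New("blob too short to contain a nonce")
	}
	nonce, ct := blob[:aead.NonceSize()], blob[aead.NonceSize():]
	return aead.Open(nil, nonce, ct, []byte(objectName))
}

func main() {
	key, err := NewBackupKey()
	if err != nil {
		panic(err)
	}
	// Constructed sample backup content; in practice this is a file stream.
	doc := []byte("Q1 payroll export: acct 4471, net 12,340.00")
	blob, err := Seal(key, doc, "payroll-2010-Q1.csv")
	if err != nil {
		panic(err)
	}
	fmt.Printf("upload %d bytes (plaintext was %d)\n", len(blob), len(doc))

	// Restore under the matching name succeeds.
	back, err := Open(key, blob, "payroll-2010-Q1.csv")
	fmt.Println("restore ok:", err == nil && string(back) == string(doc))

	// A single flipped byte at rest is detected, not silently restored.
	tampered := append([]byte(nil), blob...)
	tampered[len(tampered)-1] ^= 0x01
	_, err = Open(key, tampered, "payroll-2010-Q1.csv")
	fmt.Println("tampered blob rejected:", err != nil)
}
```

<p>The cost the post mentions shows up in this design as a second artifact to protect: lose the key file and every blob is unrecoverable, so key backup (outside the provider) is part of the restore procedure, not an afterthought.</p>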
<p>New services (such as Lastpass) are emerging to protect the most secret of our secret information (passwords). A few years ago, I couldn’t imagine that such a service would be widely adopted. However, now, it seems to be trickling into the “essential software” list of well-respected technologists.</p>
<h3>The Cloud – Business</h3>
<p>It&#8217;s a bit different at the business level.</p>
<p>Many businesses today are sitting on the cloud sidelines. This is because using the cloud for business purposes isn&#8217;t quite mainstream. From an architectural perspective, there are questions pertaining to the performance and manageability of cloud-based resources, and whether the focus should be on &#8220;private clouds&#8221; (locally hosted resources that use similar patterns and practices related to cloud computing) rather than &#8220;public clouds.&#8221;</p>
<p>IT shops, who for the last 10 years have been fighting patch management, auditing, and other security issues, need time to understand if the cloud can meet the dizzying array of requirements that have emerged from the &#8220;post-9/11 security boom.&#8221;</p>
<h3>Is the cloud right for business?</h3>
<p>So, is “the cloud” right for your business? This is a serious decision – one that could cost a business its reputation. Thus, it has to be answered with clear conviction rather than the illusion of security that so often passes for an answer.</p>
<p>Here’s a start: ask these three questions and discuss the answers with your team – including your security pros – to begin finding out:</p>
<p>1 – What regulations is the business subject to? What operational principles and policies does the business have? Can the cloud provider provide an adequate level of support? If not, can deficiencies be mitigated?</p>
<p>2 – Does the cloud provider offer security controls that allow an adequate level of protection? If not, can deficiencies be mitigated?</p>
<p>3 – Does the cloud provider offer a level of operational transparency, so appropriate metrics and logs can be used for monitoring and reporting?</p>
<blockquote><p><strong>About Craig Nelson </strong></p>
<p>Craig Nelson works at Microsoft, and is the host of the Cloud404 Blog (http://blog.cloud404.com). His expertise and education are in incident response, computer forensics, and security architecture.</p></blockquote>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2010/02/is-cloud-computing-right-for-your-business/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Security From Scratch: Getting the Lay of the Land</title>
		<link>http://www.securitycatalyst.com/2010/01/security-from-scratch-getting-the-lay-of-the-land/</link>
		<comments>http://www.securitycatalyst.com/2010/01/security-from-scratch-getting-the-lay-of-the-land/#comments</comments>
		<pubDate>Thu, 14 Jan 2010 16:58:28 +0000</pubDate>
		<dc:creator>Guest Blogger</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[assessment]]></category>
		<category><![CDATA[awareness]]></category>
		<category><![CDATA[firewalls]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[SMB]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2677</guid>
		<description><![CDATA[by Dennis Kuntz “You rush a miracle man, you get rotten miracles.” – Miracle Max, from The Princess Bride When building Security from Scratch, the challenge is in understanding the situation from the start. Once the team is identified/assembled, the focus shifts rapidly to getting a handle on the security posture of the organization. This [...]]]></description>
			<content:encoded><![CDATA[<p><strong><a href="http://www.securitycatalyst.com/wp-content/uploads/2010/01/layofland.jpg"><img class="alignright size-full wp-image-2679" src="http://www.securitycatalyst.com/wp-content/uploads/2010/01/layofland.jpg" alt="" width="425" height="282" /></a>by Dennis Kuntz</strong></p>
<p><em>“You rush a miracle man, you get rotten miracles.” – Miracle Max, from The Princess Bride</em></p>
<p>When building Security from Scratch, the challenge is in understanding the situation from the start. Once the team is identified/assembled, the focus shifts rapidly to getting a handle on the security posture of the organization. This is not an “assessment” in a formal sense, but it is more involved than simply checking for a firewall and antivirus.</p>
<p>Each situation is unique, but here are the areas I consider in my tactical review so I can understand what challenges lie ahead and form my plan of action:</p>
<ul>
<li><em>Information Security Policy</em></li>
<li><em>Network/Perimeter Security Posture</em></li>
<li><em>SDLC Security Policies/Procedures/Practices</em></li>
<li><em>Applicable Compliance Requirements</em></li>
<li><em>Security Awareness</em></li>
</ul>
<p>I’ll share my approach and thinking below – but I want to hear from you, too. Are there other areas you would include, avoid or otherwise consider? Leave a comment or send an email and we’ll expand together.</p>
<h3>Information Security Policy</h3>
<p>This is an area open to debate, but I like to check for and review the existing security policies. It provides insight into what, if anything, has been done. It generally provides clues, too, to why decisions were made.</p>
<p>Iâ€™ve found two major approaches to Information Security Policies:</p>
<p>(a) a monolithic approach where the policy encompasses all areas with details</p>
<p>(b) a piecemeal approach where you have a very general document that references more detailed documents.</p>
<p>If I get to choose, I prefer the piecemeal approach. It allows employees to get an overview of the policy and all of the areas covered, without overwhelming them all at once with one huge document they’ll never read.</p>
<p>With the “piecemeal” approach, the details can be spelled out in the referenced documents that are easier to draft, update, and distribute.</p>
<p>Understanding the current approach and structure helps form a picture of the current environment. Here are some questions to ask when considering the existing Information Security Policy:</p>
<ul>
<li>Does a policy exist?</li>
<li>Who wrote it, is it strictly boilerplate, and/or has it been reviewed by stakeholders and approved by management?</li>
<li>Are the policies being followed?</li>
<li>How are changes made/approved?</li>
<li>Who currently maintains the policy?</li>
</ul>
<h3>Network/Perimeter Security Posture</h3>
<p>Now, while I suggested that just checking for firewalls and antivirus isn’t enough, it doesn’t mean they should be skipped. It’s too easy to limit one’s assessment of security posture to just those kinds of elements. With that said though, this is definitely something that <strong><em>should</em></strong> be included.</p>
<p>In addition to getting a good idea of the network architecture (diagrams, etc.), here are some questions to ask regarding the network and perimeter security posture:</p>
<ul>
<li>Is remote access allowed? If so, how – VPN, SSH, <strong><em>nothing</em></strong>?</li>
<li>Are firewalls, <a href="https://www.owasp.org/index.php/Web_Application_Firewall">WAFs</a> (Web Application Firewalls), and/or IDS/IPSs employed? Where? Who manages/maintains them and their rule sets?</li>
<li>Does your company have/maintain a DMZ?</li>
<li>Is wireless access allowed from your premises (including both network access as well as “open” wifi)?</li>
<li>Does your company have any resources/assets in “the cloud”?</li>
<li>If in “the cloud”, what control does your company have over the security of resources, vs. those that are simply “built in” to the services offered?</li>
</ul>
<p>This is obviously not a comprehensive list (if you think I missed something key, drop a comment).</p>
<p>The main focus is to get a tactical understanding of the network and potential points of exposure. While tactical, this allows the identification of strengths and weaknesses in the current layout to form the path to advance the posture.</p>
<p>Once the tactical review is done, it is important to run internal and external assessments to test the baseline performance of the existing controls. Ideally, this should include both comprehensive vulnerability assessments as well as comprehensive penetration testing. If budget is a challenge, a first pass can be done in-house with freely available tools; what you give up is the independence and breadth an outside tester brings, so treat in-house results as a baseline rather than a verdict.</p>
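<p>One way to turn the tactical review into a repeatable baseline check, as an added Go example written for this page rather than code from Dennis Kuntz’s post: a plain TCP connect scan of the ports a host is documented to expose, diffed against that documentation, so drift in either direction (a port open that the diagram does not account for, or an expected service that is unreachable) shows up as a finding. The host (loopback here), the candidate port list and the expected set are constructed for the illustration; run it against your own DMZ inventory from both inside and outside the perimeter, and only against hosts you are authorised to test.</p>

```go
package main

import (
	"fmt"
	"net"
	"sort"
	"time"
)

// Finding is one deviation from the documented perimeter baseline.
type Finding struct {
	Host   string
	Port   int
	Reason string // "unexpected-open" or "expected-missing"
}

// ScanHost attempts a TCP connect to each candidate port and returns those
// that accept. A connect scan needs no raw sockets or elevated privileges,
// which is enough for a first baseline from an ordinary workstation.
func ScanHost(host string, ports []int, timeout time.Duration) []int {
	var open []int
	for _, p := range ports {
		addr := net.JoinHostPort(host, fmt.Sprint(p))
		c, err := net.DialTimeout("tcp", addr, timeout)
		if err == nil {
			c.Close()
			open = append(open, p)
		}
	}
	return open
}

// Compare turns observed open ports into findings against the expected set:
// anything open that the architecture diagram does not account for, and
// anything the diagram says should be reachable but is not. Both directions
// matter: the first is exposure, the second is a control or service that
// is not doing what the documentation claims.
func Compare(host string, expected, observed []int) []Finding {
	exp := make(map[int]bool, len(expected))
	for _, p := range expected {
		exp[p] = true
	}
	obs := make(map[int]bool, len(observed))
	for _, p := range observed {
		obs[p] = true
	}
	var out []Finding
	for p := range obs {
		if !exp[p] {
			out = append(out, Finding{host, p, "unexpected-open"})
		}
	}
	for p := range exp {
		if !obs[p] {
			out = append(out, Finding{host, p, "expected-missing"})
		}
	}
	// Map iteration order is random; sort so reports are stable and diffable.
	sort.Slice(out, func(i, j int) bool { return out[i].Port < out[j].Port })
	return out
}

func main() {
	// Constructed baseline (an assumption for this example): what the network
	// diagram says the DMZ web host exposes. Loopback stands in for the host.
	baseline := map[string][]int{"127.0.0.1": {80, 443}}
	// Candidate ports worth checking on any perimeter host.
	candidates := []int{21, 22, 23, 25, 80, 443, 3389, 8080}
	for host, expected := range baseline {
		observed := ScanHost(host, candidates, 300*time.Millisecond)
		findings := Compare(host, expected, observed)
		if len(findings) == 0 {
			fmt.Printf("%s: matches baseline\n", host)
		}
		for _, f := range findings {
			fmt.Printf("%s:%d %s\n", f.Host, f.Port, f.Reason)
		}
	}
}
```

<p>Keeping the expected set in the same repository as the network diagram makes the diagram testable: when the two disagree, either the diagram or the firewall rule set is wrong, and the review has found its first work item.</p>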
<h3>SDLC Security Policies/Procedures/Practices</h3>
<p>It should be obvious that for companies that conduct business on the “Internet”, develop software, or have any measure of internal development, <a href="http://en.wikipedia.org/wiki/Systems_Development_Life_Cycle">SDLC</a> (System Development Lifecycle) practices are important as they relate to security.</p>
<p>However, this also matters to companies with only a web site that was created externally and is hosted/maintained by a third party <a href="http://en.wikipedia.org/wiki/Application_service_provider">ASP</a> (Application Service Provider), with no internal development. When getting the lay of the land, take a look at the accepted development practices to make sure they take appropriate security measures into account.</p>
<p>Here are some questions you can ask:</p>
<ul>
<li>Who “owns” the SDLC?</li>
<li>Is security specifically addressed in any SDLC documentation, especially regarding applicable best practices (e.g. the <a href="https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project">OWASP Top 10</a> for web application development, <a href="http://en.wikipedia.org/wiki/Buffer_overflow">buffer overflows</a> for memory-unsafe languages, etc.)?</li>
<li>Is there any formal secure development training available for developers?</li>
<li>If third parties/outsourcing is used for development, are security practices published and/or open for review?</li>
<li>What is the current state of security awareness among the developers, architects, etc. (this can be assessed by one-on-one interviews with developers, architects and managers)?</li>
</ul>
<p>As with the Network/Perimeter Security Posture section, being able to run assessments and have penetration testing done will go a long way toward establishing the effectiveness of current controls.</p>
<h3>Applicable Compliance Requirements</h3>
<p>If the company is subject to any compliance requirements, it is vital to establish the current state of compliance. I will be covering this topic in more detail in a later post, but here are some questions you should ask:</p>
<ul>
<li>Is the company subject to government compliance (SOX, HIPAA, etc.)?</li>
<li>Is the company subject to non-governmental compliance, such as PCI-DSS?</li>
<li>Does the company need to remediate any recognized compliance violations and/or is there a deadline for any existing compliance efforts?</li>
<li>Regarding existing compliance efforts, where/how far in the process is your company?</li>
<li>Who or what department oversees any given compliance effort?</li>
</ul>
<p>As noted in the first installment of this series, establishing relationships with other departments – especially regarding compliance – can go a long way toward achieving your company’s compliance goals.</p>
<h3>Security Awareness</h3>
<p>While “Security Awareness” can mean different – and specific – things to different people, I’m referring to it here in more general terms. In essence, you need to take a look at your company’s current behavioral and cultural stance and openness toward information security. Here are some questions you should ask:</p>
<ul>
<li>How much support will you have from stakeholders? From management? From everyone else?</li>
<li>Related to the previous question, how much latitude will you have in making decisions – will you get to run the show, or will you end up having to be an order-taker?</li>
<li>Is your position the culmination of a concerted effort to “become more secure”, or is it the result of a begrudging attitude to achieve a bare minimum? This one may take some effort to answer honestly…</li>
</ul>
<h3>Turning Your Eyes Toward Defining – and Achieving – Success</h3>
<p>Once you have all of this in place – your team and a good idea of where you are – you can begin to understand what is needed to define “success” and the metrics needed to quantify that success.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2010/01/security-from-scratch-getting-the-lay-of-the-land/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Into the Breach – Audio Series – Chapter 6 (Implementing The Strategy to Protect Information)</title>
		<link>http://www.securitycatalyst.com/2010/01/into-the-breach-audio-chapter-6/</link>
		<comments>http://www.securitycatalyst.com/2010/01/into-the-breach-audio-chapter-6/#comments</comments>
		<pubDate>Wed, 06 Jan 2010 02:21:25 +0000</pubDate>
		<dc:creator>Michael Santarcangelo</dc:creator>
				<category><![CDATA[Podcast]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[catalyst]]></category>
		<category><![CDATA[risk management]]></category>
		<category><![CDATA[santarcangelo]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[the catalyst method]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2648</guid>
		<description><![CDATA[Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series. (Click this link) to learn more about how this book solves today’s challenges and pick up a complete copy. This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/12/itb-audioseries-150px.png"><img class="alignleft size-full wp-image-2578" title="itb-audioseries-150px" src="http://www.securitycatalyst.com/wp-content/uploads/2009/12/itb-audioseries-150px.png" alt="" width="150" height="150" /></a>Welcome to the continuation of the <a href="http://www.securitycatalyst.com/into-the-breach/"><strong><em>Into the Breach: Protect Your Business by Managing People, Information and Risk</em></strong></a> audio series. <a href="http://www.securitycatalyst.com/into-the-breach/buy-into-the-breach/">(Click this link) to learn more about how this book solves today’s challenges and pick up a complete copy</a>. This series, underwritten by <a href="http://www.vmware.com/products/configuration-manager/resource.html">Configuresoft, now part of EMC</a>, is the full and unabridged audio version of <em>Into the Breach</em>, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).</p>
<h3>What you’ll find in this episode (Chapter 6)</h3>
<p>Chapter Six is where Michael explains how to customize and implement the Strategy to Protect Information. The information he shares is designed for immediate results by harnessing the power of people. By asking the right questions &#8212; in the right way &#8212; people are connected to the consequences of their actions and share information about known and unknown risks about the information they use every day.</p>
<p>The elements of this chapter are the building blocks to what is now called The Catalyst Method™ &#8212; what Michael teaches, guides and uses to help organizations get results that improve awareness assessments and help deliver Awareness that Works™.</p>
<h3>Put the power of Into the Breach to work for you…</h3>
<p>After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by:</p>
<ol>
<li>Engage with Michael on twitter (<a href="http://twitter.com/catalyst">http://twitter.com/catalyst</a>)</li>
<li>Subscribe to The Security Catalyst podcast &amp; blog to get more insights; ask a question and get an answer!</li>
<li>Check out Awareness that Works™ – Michael Santarcangelo’s program to guide smart investment in people, with guaranteed results (this program pays for itself).</li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2010/01/into-the-breach-audio-chapter-6/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
<enclosure url="http://www.securitycatalyst.com/podcast/ITB-Santarcangelo-CHAPTER-6.mp3" length="15032070" type="audio/mpeg" />
			<itunes:keywords>breach,catalyst,risk management,santarcangelo,security,the catalyst method</itunes:keywords>
		<itunes:subtitle>Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series. (Click this link) to learn more about how this book solves today’s challenges and pick up a complete copy.</itunes:subtitle>
		<itunes:summary>Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series. (Click this link) to learn more about how this book solves today’s challenges and pick up a complete copy. This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).
What you’ll find in this episode (Chapter 6)
Chapter Six is where Michael explains how to customize and implement the Strategy to Protect Information. The information he shares is designed for immediate results by harnessing the power of people. By asking the right questions -- in the right way -- people are connected to the consequences of their actions and share information about known and unknown risks about the information they use every day.

The elements of this chapter are the building blocks to what is now called The Catalyst Method™ -- what Michael teaches, guides and uses to help organizations get results that improve awareness assessments and help deliver Awareness that Works™.
Put the power of Into the Breach to work for you…
After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by:

	Engage with Michael on twitter (http://twitter.com/catalyst)
	Subscribe to The Security Catalyst podcast &amp; blog to get more insights; ask a question and get an answer!
	Check out Awareness that Works™ – Michael Santarcangelo’s program to guide smart investment in people, with guaranteed results (this program pays for itself).</itunes:summary>
		<itunes:author>The Security Catalyst</itunes:author>
		<itunes:explicit>no</itunes:explicit>
	</item>
		<item>
		<title>Strike Up the Band: Building Security from Scratch</title>
		<link>http://www.securitycatalyst.com/2009/12/strike-up-the-band-security-from-scratch/</link>
		<comments>http://www.securitycatalyst.com/2009/12/strike-up-the-band-security-from-scratch/#comments</comments>
		<pubDate>Wed, 30 Dec 2009 11:26:25 +0000</pubDate>
		<dc:creator>Guest Blogger</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[catalyst]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[SMB]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2628</guid>
		<description><![CDATA[by Dennis Kuntz “Individual commitment to a group effort &#8212; that is what makes a team work, a company work, a society work, a civilization work.” &#8211; Vince Lombardi When faced with creating a new security program – Building Security from Scratch – it can be like George Taylor in The Planet of the Apes: [...]]]></description>
			<content:encoded><![CDATA[<p><strong><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/12/symphony1.jpg"><img class="alignright size-full wp-image-2631" src="http://www.securitycatalyst.com/wp-content/uploads/2009/12/symphony1.jpg" alt="concert" width="425" height="282" /></a>by Dennis Kuntz</strong></p>
<p style="text-align: left;"><em>“Individual commitment to a group effort &#8212; that is what makes a team work, a company work, a society work, a civilization work.” &#8211; Vince Lombardi</em></p>
<p>When faced with creating a new security program – Building Security from Scratch – it can be like <a href="http://www.imdb.com/character/ch0003453/">George Taylor</a> in The Planet of the Apes: you awaken to find your ship has crashed and you have little more than the clothes on your back. You have to figure things out and make use of what’s around you.</p>
<p>When in this situation, it is important to establish your bearings quickly. There are a lot of things to digest in order to start making a difference. As fate would have it, this seems to be a specialty of mine; I have accepted the challenge of creating a new role at least a half-dozen times in my career.</p>
<p>In my new position I have the honor and challenge of building a security program from scratch (hence the name of this column). Over the next year, I am going to share my plans, insights, and lessons-learned to contribute to a dialogue where we all can improve the way we protect our organizations.</p>
<p>Based on my experience, there are three steps to take when starting from scratch:</p>
<h3>1. Getting Together: Who’s on Your Team?</h3>
<p>The first question focuses on the team: “What will my team look like?” This is key whether you&#8217;re a “one man band” or you have (or get to build) a team. Understanding who is “on the team” puts you on a path to create a plan to determine how to be most effective tactically, and how to achieve strategic success. And the answer is more than just having people report directly to you.</p>
<p>This is not set in stone &#8211; more time generally yields a clearer picture, but <em>starting with a picture</em> is key.</p>
<h3>2. Assess the Situation: How Will this Work?</h3>
<p>With a snapshot of the team in place, it is time to assess the resources. This includes existing resources (personnel as well as software, etc.) and potential resources (budgeted items, management&#8217;s flexibility for unplanned spending, etc.).</p>
<p>As you identify resources – and the gaps between them – you&#8217;ll start to get a vision of your current situation, and your company&#8217;s overall posture. As this picture develops, you will more easily be able to map out how to address the gaps using those resources.</p>
<h3>3. Get to know the family</h3>
<p>Just as important though, is to figure out who the right people are in your “sister” departments, such as Human Resources, Legal, and as you might guess, IT.</p>
<p>Human Resources is essential because it manages the relationship between a company and its employees. While there are many non-risk functions an HR department performs, one of the most important is in managing situations involving employee misconduct, terminations, and other delicate issues. There will often be an overlap between HR&#8217;s responsibilities regarding any kind of internal employee issue and Information Security&#8217;s role in protecting internal assets. You will definitely need HR&#8217;s help in proceeding in any kind of internal investigations as it relates to employees, and they can definitely benefit from your expertise when addressing certain kinds of employee issues – and they may not even know it.</p>
<p>The Legal team in an organization normally helps to protect company assets by dealing with anything from relationships with external entities (via contracts, NDA&#8217;s, etc.), alongside HR with internal employee matters, managing the company&#8217;s posture when dealing with legal issues/requests that arise from “outside” the company (discovery requests for pending litigation, law enforcement requests, etc.), as well as compliance matters (PCI-DSS, HIPAA, SOX, etc.).</p>
<p>As an information security professional, you probably already have at least some familiarity with the functions of both of these groups. It should be pretty easy to see how cultivating relationships with these departments – and those like them, such as Document Management and Compliance departments – can help in your efforts to build your program. And that&#8217;s whether it&#8217;s a tip-to-tail effort, or something more concentrated like penetration testing. Less likely and possibly more beneficial to you, is that these departments may not be fully aware of the benefits you bring to their efforts.</p>
<h3>Turning the One Man Band into a Symphony</h3>
<p>Information Security is about managing risk.</p>
<p>In creating a security program, it pays to realize that even when alone, it requires a team. Showing other groups how their jobs can be easier while helping to manage risk and protect the company&#8217;s assets can effectively extend the security “team” beyond whatever may be listed on paper.</p>
<p>What are you doing as a one-man-band to make a difference? What challenges are you tackling? Drop a note in the comments and we’ll take it from there…</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/12/strike-up-the-band-security-from-scratch/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Getting Behind the Wheel: Driving Audit and Compliance</title>
		<link>http://www.securitycatalyst.com/2009/12/getting-behind-the-wheel-driving-audit-and-compliance/</link>
		<comments>http://www.securitycatalyst.com/2009/12/getting-behind-the-wheel-driving-audit-and-compliance/#comments</comments>
		<pubDate>Tue, 15 Dec 2009 11:34:14 +0000</pubDate>
		<dc:creator>Michael Santarcangelo</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[audit]]></category>
		<category><![CDATA[catalyst]]></category>
		<category><![CDATA[compliance]]></category>
		<category><![CDATA[mcfee]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2600</guid>
		<description><![CDATA[“Pass on all hills and curves.” ~Author Unknown The concept of the audit, to some, may feel relatively new and immature. However, financial statements have been audited since the 1800s and regulated IT Audits got a footing in the 1970s. The challenge in making sense of audits is in the approach: are you driven by [...]]]></description>
			<content:encoded><![CDATA[<p align="right"><em>“Pass on all hills and curves.” ~Author Unknown</em></p>
<p>The concept of the audit, to some, may feel relatively new and immature. However, financial statements have been audited since the 1800s and regulated IT Audits got a footing in the 1970s. The challenge in making sense of audits is in the approach: are you <strong>driven by</strong> compliance and audits<strong>, or are you driving the audits and compliance?</strong></p>
<p>In my experience, compliance and audits are more journey – and less road trip. The challenge in preparing for this journey is the murky starting point, winding roads and changing conditions that must be successfully navigated. And when finished, the reward is taking another lap.</p>
<h3>Developing a “Culture of Compliance”</h3>
<p>Day in and day out those who work in finance adhere to basic principles that over time have simply become habit. These basic principles are in part derived from the understanding that they will be audited against their actions. We, as IT experts, tend to have much more of a cowboy approach to getting work accomplished. Now that IT is being held accountable we need to instill the same ideology of daily work ethics that is second nature in finance departments.</p>
<p>This concept of cultural development is awkward at best when considered in bits and bytes. While IT staff are experts in their fields, they often have difficulty understanding why the perceived red tape (commonly experienced as additional process to get code into production) is necessary. For many, it just doesn’t make sense and feels more like an obstacle than a useful control.</p>
<p>Building the culture of compliance takes time, dedication, education, and influences some interesting debates. Yet the journey is rewarding and the results proof positive of the investment. Over the course of the next year, I’ll share my experiences learned over the last two decades to ease the journey for everyone.</p>
<h3>Sell the concept, reap the benefits</h3>
<p>Management responsibility – wait for it &#8211; “must be driven from the top down.” It’s quoted a lot, and for good reason. And I agree. The outcome of IT assessments, sometimes in combination with finance audits, has a direct impact on the bottom line.</p>
<p>Who would you rather do business with: a company who has process deficiencies and stated exceptions or one that passes the litmus test of <strong><em>standardized</em></strong> IT auditing?</p>
<p>Positive results are an endorsement that the organization is operating efficiently and more importantly securely. This endorsement should be used by your sales and marketing departments at every opportunity.</p>
<h3>Building Support</h3>
<p>Step one: find the right internal sponsor. This sponsor should be the liaison to any audit firm partner. While IT management is needed to explain details of process, systems, and applications, <strong><em>they should not be on point</em></strong>. Often the best bet is a leader in finance. Building on years of experience, savvy finance management can simply save money.</p>
<p>Of course there are exceptions; mature IT organizations can fulfill this role with the understanding that it is critical to update senior finance management throughout any audit.</p>
<h3>Should IT audit and compliance be managed internally?</h3>
<p>This question needs to be asked regardless of the size of the organization. It is common practice to hire external audit firms (opposing) to prepare your organization for an IT audit. Independent assessments can help identify process deficiencies, help with documentation and, more importantly, ensure a smooth audit when it counts.</p>
<p><strong><em>Quite simply, if you need to bring an organization into “compliance” within a predefined time frame external help may be your only option.</em></strong> If the decision (or only choice) is to manage this internally, then dedicated staff is essential. This team needs the expertise in systems, applications, security and perhaps more importantly the ability to communicate and educate others on why IT auditing is so important. We’ll explore this more in the future (and quite frankly, I’ve seen Michael in action, and he is the master of this &#8212; and he makes it easy for others to do it, too).</p>
<p>One of the best tangible outcomes of this whole process is detailed documentation. Interesting how there is never time to develop or update documentation; now the excuses are kicked and a valid reason exists. These policies, standards, and other documents are the foundation of the IT department, the keys to success.</p>
<h3>What’s in it for me?</h3>
<p>Develop this “Culture of Compliance” within the IT department and witness creative solutions being developed with the base principles of security and with forethought into what auditors really want, Who, What, When, and How!</p>
<h3>Sound off</h3>
<p>How have you developed a culture of compliance in your organization? Or has your compliance car skidded off the road along the path? Engage in the discussion in the comments and we’ll work on getting there together.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/12/getting-behind-the-wheel-driving-audit-and-compliance/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Leadership Challenge in Today&#8217;s Security Environment</title>
		<link>http://www.securitycatalyst.com/2009/12/the-leadership-challenge-in-todays-security-environment/</link>
		<comments>http://www.securitycatalyst.com/2009/12/the-leadership-challenge-in-todays-security-environment/#comments</comments>
		<pubDate>Fri, 11 Dec 2009 15:01:36 +0000</pubDate>
		<dc:creator>Guest Blogger</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[catalyst]]></category>
		<category><![CDATA[leadership]]></category>
		<category><![CDATA[risk management]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2593</guid>
		<description><![CDATA[Management is doing things right; leadership is doing the right things. ~Peter Drucker Leadership. It&#8217;s talked about a lot in today&#8217;s information security conferences and books – but how much of it is really happening? Do we, as professionals, really embrace leadership and its inherent risks, rewards, and challenges? Or, on the other hand, do [...]]]></description>
			<content:encoded><![CDATA[<p align="right"><em>Management is doing things right; leadership is doing the right things. ~Peter Drucker </em></p>
<p><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/12/hands_in.jpg"><img class="alignright size-medium wp-image-2594" title="Strength in Numbers" src="http://www.securitycatalyst.com/wp-content/uploads/2009/12/hands_in-300x211.jpg" alt="Strength in Numbers" width="300" height="211" /></a>Leadership. It&#8217;s talked about a lot in today&#8217;s information security conferences and books – but how much of it is really happening?</p>
<p>Do we, as professionals, really embrace leadership and its inherent risks, rewards, and challenges? Or, on the other hand, do we really embrace the status quo with its inherent frustration, ennui, and demotivating drag?</p>
<p>Don&#8217;t get me wrong – leadership in any field is hard. I&#8217;ve led teams that have done such diverse missions as application development to firefighting to deploying the varied weapon systems in a platoon of main battle tanks&#8230;and I have come to believe that effectively leading teams in today&#8217;s information security environment is one of the most difficult tasks I&#8217;ve ever taken on. As I look back, around, and forward I&#8217;ve made a few conclusions.</p>
<h3>Too much focus on the status quo</h3>
<p>I wish I had a nickel for every time I heard a “leader” describe a “good day” as one where nothing went wrong, nothing broke, and (truth be told) nobody even noticed she or her team were there.</p>
<p>Why?</p>
<p>I think because for so long the business has seen information security as the “Department of &#8216;No!&#8217;” that any time we fly above the radar we get smacked – or at least that&#8217;s the fear. If the systems run today just like they ran yesterday we call that a win and hope that they&#8217;ll work tomorrow just the same way.</p>
<p>This primal desire for the status quo is one of the most significant issues that chains down information security leaders today and it&#8217;s a topic I&#8217;ll address in more detail later – but suffice it to say that the status quo is rarely, if ever, the ally of a successful leader.</p>
<h3>Insane focus on a small group of miracle workers</h3>
<p>We have developed an almost unnatural dependence in information security on the work and thinking of small groups of very smart people. We rely on that small cadre of “go-to” guys to design and build our systems, respond to incidents, and help develop policies and procedures – but we rarely leverage that small group of folks to develop larger and larger teams of security oriented co-workers.</p>
<p>Whether we realize it or not we begin to live in a cultural echo chamber where everyone listens to the same presentations at the same conferences, reads the same blog post, and anyone who dares speak out against the conventional wisdom for any reason is suspect&#8230;</p>
<h3>The Status Quo of the Mojo</h3>
<p>The last major impediment I&#8217;ve seen is a synthesis of the first two. When you combine an overvaluing of the status quo with an over-dependence on small groups, the almost inevitable outcome is a culture of “Please $DEITY, don&#8217;t let me screw this up!”</p>
<p>Leaders and their teams become so averse to anything negative (especially if it&#8217;s outside the accepted norms of the team) that the goal of the team slowly and immutably transforms from providing the best security for the organization to a goal of not wanting to be caught screwing anything up. This fear (and that&#8217;s what it is) leads teams to fall into the trap of wanting to build systems that are “perfect” and “unhackable” and resisting efforts to design or implement systems that don&#8217;t meet these standards.</p>
<p>The natural progression of this fear eventually leads to leaders and teams developing an attitude that is occasionally indistinguishable from despair. You&#8217;ll hear or read comments like “Why should I deploy $SecurityTechnology? HD Moore could hack it in 5 minutes. Rsnake could get root and own me 25 ways from Sunday.”</p>
<p>Rarely will the speaker or writer of such comments even seem to evaluate whether or not $SecurityTechnology will actually help the organization as part of a complete security plan. Defeat, as the philosopher said, is complete even before a shot is fired.</p>
<h3>What can we do about it?</h3>
<p>For the next dozen or so posts I&#8217;m going to address these issues head on and provide you with a (potentially) counter-cultural view of your role as a leader and hopefully challenge you to rise to the amazing challenges we face today in information security.</p>
<p>The light you see coming at you – it’s not a train. Trust me.</p>
<p>What are your leadership goals for 2010? Share your challenges and successes in the comments…</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/12/the-leadership-challenge-in-todays-security-environment/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The First Brick: Understanding Identity Management</title>
		<link>http://www.securitycatalyst.com/2009/12/the-first-brick-understanding-identity-management/</link>
		<comments>http://www.securitycatalyst.com/2009/12/the-first-brick-understanding-identity-management/#comments</comments>
		<pubDate>Wed, 09 Dec 2009 15:05:52 +0000</pubDate>
		<dc:creator>Ioana Bazavan Justus</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[access]]></category>
		<category><![CDATA[audit]]></category>
		<category><![CDATA[iam]]></category>
		<category><![CDATA[ibm]]></category>
		<category><![CDATA[identity]]></category>
		<category><![CDATA[identity management]]></category>
		<category><![CDATA[idm]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[sun]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2584</guid>
		<description><![CDATA[What is Identity Management? Identity Management (IDM), or Identity and Access Management (IAM), is a suite of products that work together (more or less cohesively) to manage users and their access/passwords across the enterprise. Most identity management product suites consist of three or sometimes four parts: - Role manager - Identity manager - Access manager [...]]]></description>
			<content:encoded><![CDATA[<h2>What is Identity Management?</h2>
<p>Identity Management (IDM), or Identity and Access Management (IAM), is a suite of products that work together (more or less cohesively) to manage users and their access/passwords across the enterprise. Most identity management product suites consist of three or sometimes four parts:</p>
<ul>
<li>Role manager</li>
<li>Identity manager</li>
<li>Access manager</li>
<li>Audit manager (sometimes)</li>
</ul>
<p>Although most product vendors have adopted similar terminology for their components, there is no true standard naming convention nor is there a requirement that vendors use the same name for their corresponding products. My experience is largely with Sun Microsystems’ identity management suite, but this product is not necessarily the right choice for everyone. I will try to remain as neutral as I can, but I ask your understanding if my terminology and examples tend towards what Sun uses.</p>
<h2>The Bumpy Road to Consolidation</h2>
<p>Have you ever wondered why there are so many components? Why not just make one product that does it all?</p>
<p>The answer lies in the history of identity management.</p>
<h3>In the beginning…</h3>
<p>… each of the components was a stand-alone product created by niche start-ups.</p>
<p>Over time, the larger companies (the usual big players such as Sun, Oracle, IBM, etc.) took an interest in providing their own identity management solutions, and thus began buying out the start-ups and their products to build integrated suites. For example, Sun purchased Waveset as their identity manager and Vaau as their role manager. Oracle purchased Thor (identity manager), Oblix (access manager), and Bridgestream (role manager).</p>
<h3>Does consolidation matter?</h3>
<p>Consolidation of the marketplace has advantages and disadvantages.</p>
<p>On the plus side is one-stop-shop convenience, and one throat to choke when things go wrong. On the down side, you are stuck with what your vendor of choice offers – maybe their identity manager component is brilliant, but their role manager module just doesn’t meet your requirements.</p>
<p>Given the choice between a hot-and-cold suite or a lukewarm suite (i.e., one whose components are all just average), which do you select? You may also face pressure from management to stick with the vendor partner of choice – if you happen to be an IBM shop, management may be reticent to allow the introduction of HP’s identity management suite, even if it better meets your requirements.</p>
<p>We’ll address these and other product selection issues next December in the last article of this series, which focuses on requirements and product selection (if you need to know sooner, drop me a note and we can discuss). I bring it up now, however, because it’s important to think about what’s really important to your specific implementation as you go, so that when you get to requirements, you know how to prioritize and choose. Please keep an open mind – what you think is very important today may turn out to be less important as you dig deeper – and document your thoughts as you go!</p>
<p>Another big consideration of consolidation is internal interoperability. Just because all of the components are now sold by one vendor doesn’t mean that they are really integrated. It takes time for a company to truly fold in one of these modules. For example, Sun purchased Vaau as their role manager product about a year ago, yet there are still some interesting gaps in the ability of role manager and identity manager to interact.</p>
<p>The biggest consolidation is still pending: Oracle and Sun Microsystems are in process of merging (or trying to, anyway). Both companies currently offer a full-fledged identity management suite. If the merger does go through, what will happen to those products, and how will existing customers be impacted? I would be surprised if they kept both suites, but who knows?</p>
<p>The good news is that while the current round of consolidation is sorting itself out, there is plenty of foundational work to be done to prepare for the selection and implementation – especially with the process and data cleanups.</p>
<p>However, before we even embark on the detailed cleanups and process improvements necessary for success in Identity Management, it is important to take a moment to review the components of an identity management suite and ensure a common understanding and vocabulary. This matters not only for our time together, but also for each project considering identity management.</p>
<h2>And Now… The Components!</h2>
<p>So what are these things anyway – identity manager, role manager…? Let’s take a brief look at each.</p>
<h3>Role Manager: the brains of the operation</h3>
<p>The role manager module is where roles, rules, and hierarchies are stored. Except for the most basic actions, it is the role manager module that gathers information on existing users and decides what action should be taken for a particular user – what access they should receive, to which groups they should belong, what segregation of duties rules apply, and how to handle an approval vacancy. <strong>This information is particularly important for handling terminated and transferred users to maintain audit compliance.</strong></p>
<p>Fully populating all of the information required to make role manager effective is one of the biggest challenges of identity management, but this is also where some of the greatest benefits are achieved.</p>
<p>It is important to note that role manager can store information even if it cannot be auto-provisioned/-deprovisioned. For example, you may choose to role-base your electronic devices (e.g., desktop vs laptop; cell phone vs smartphone) for <em>manual</em> provisioning/deprovisioning.</p>
<h3>Identity Manager: the brawn of the suite</h3>
<p>The identity manager component typically interfaces with the target systems to initiate auto-provisioning and -deprovisioning workflows, synchronize passwords, execute bulk updates, etc. The identity manager module will trigger some actions on its own based on pre-determined workflows, or it will confer with role manager to execute more complex provisioning actions. Identity manager can be configured to execute workflow tasks automatically, or it can assign tasks to specific administrative personnel for manual action.</p>
<h3>Access Manager: simplifying sign-on</h3>
<p>In this case, access mostly refers to authentication – the access manager component is what facilitates “single sign-on,” although some modules also mediate authorization, thus the term “access” manager. Of course, as we all know, there really isn’t such a thing as true single sign-on (yet – maybe someday we’ll get there). Although we call it single sign-on, it would be more accurately termed “reduced sign-on.” In any case, when access manager is implemented with a target system, it allows centralized authentication (and possibly authorization) with a source of record such as LDAP or AD, to eliminate the need for individual local accounts and password files on each system.</p>
<h3>Audit Manager: reams of eye candy for the auditors</h3>
<p>The audit manager component is basically the reporting capability, and is somewhat optional. Some products offer this as a separate module. Other products might include this within identity manager or even role manager. Still others leave it up to the individual organization to integrate their identity management suite with their enterprise reporting tool and generate reports as desired. The reason this component is called audit manager is that when offered, it comes with a variety of out-of-the-box reports that are of particular interest to SOX, PCI, and other auditors.</p>
<h3>Action speaks louder than words…</h3>
<p>Each month, I suggest a few practices I have learned that will bring quick benefit. For this month, the actions are (theoretically) minimal, since this was an introductory article aimed at simply setting the stage. Still, there is work to be done!</p>
<ol>
<li>Start an identity management journal. In this journal, document:
<ol>
<li>Expectations of an identity management implementation: what needs to be accomplished? How long do you think it will take? (Hint: once you determine a timeframe, triple it, and you’ll be close =)</li>
<li>What are the expected roadblocks? For example, any management or other influential people that are already leaning toward a specific product, or refuse to even consider a particular vendor? Knowing this information up-front will give you more time to build a strategy to influence, counteract, or otherwise prepare</li>
</ol>
</li>
<li>Start considering the team:
<ol>
<li>Is there anyone in the organization who has implemented an identity management solution before? If yes, ensure their availability to help guide the process</li>
<li>Are there team members interested in learning? This is a great career growth opportunity for smart, hard-working team members that need a new challenge</li>
<li>Does the existing access management team have the bandwidth to embark on process and data cleanups? Most of the up-coming work will naturally fall on them, but if they’re already overworked, it may present a problem. Remember, much of the cleanup work is highly labor-intensive, especially for large organizations. If significant resource constraints are expected, start fighting that battle now</li>
</ol>
</li>
<li>Was any of the information in this article new or surprising? If so, spend a little extra time absorbing it or doing some online research.</li>
</ol>
<h3>I am here to help</h3>
<p>Leave a comment or drop me a note to let me know how your effort is going. Does your journal reveal any interesting insights? Leave a comment to share with others or ask for guidance.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/12/the-first-brick-understanding-identity-management/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Identity Management in 13 Easy Steps</title>
		<link>http://www.securitycatalyst.com/2009/11/identity-management-in-13-easy-steps/</link>
		<comments>http://www.securitycatalyst.com/2009/11/identity-management-in-13-easy-steps/#comments</comments>
		<pubDate>Fri, 20 Nov 2009 11:00:34 +0000</pubDate>
		<dc:creator>Ioana Bazavan Justus</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[change]]></category>
		<category><![CDATA[communication]]></category>
		<category><![CDATA[Data]]></category>
		<category><![CDATA[Information Protection]]></category>
		<category><![CDATA[leadership]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2489</guid>
		<description><![CDATA[by Ioana Justus If you were asked to throw a few million dollars out the window, would you do it? If yes, let me know where and when – I’ll happily wait outside with my catcher’s mitt. More likely, the quick answer to this question is a resounding &#8220;NO&#8221;. Few circumstances would lead someone to [...]]]></description>
			<content:encoded><![CDATA[<p>by Ioana Justus</p>
<p>If you were asked to throw a few million dollars out the window, would you do it?<img class="alignright size-full wp-image-2491" src="http://www.securitycatalyst.com/wp-content/uploads/2009/11/for-mysite1.jpg" alt="for mysite" width="145" height="150" /></p>
<p>If yes, let me know where and when – I’ll happily wait outside with my catcher’s mitt. More likely, the quick answer to this question is a resounding &#8220;NO&#8221;. Few circumstances would lead someone to literally throw millions of dollars out the window, down the drain, etc. Not a million dollars, not in a million years.</p>
<p>What about companies that, effectively, waste millions of dollars trying to implement identity management?</p>
<p>The sad reality is that many organizations trying to implement identity management do just that – waste big money – on the wrong technology, or even on the right technology that sits idle because it can’t be used as designed. Worse, some organizations look to even more technology to “fix the shortcomings” of their selected product. The end result is the identity management version of Frankenstein’s monster.</p>
<p>If you peruse the latest identity management articles from your favorite research company, you’ll find the same discussions over and over: How do we justify the cost? Why do so many companies stop at “single sign-on”? Why do implementations take so long? Why do implementations get halted mid-effort? What’s the true benefit of identity management? What’s the ROI? You’ll also find the same tired answers – whether in printed form, or at one of the many IAM conferences across the country: IAM saves costs at the help desk. IAM can help with audit. IAM can reduce headcount in your access services department. Companies bite off more than they can chew, ROI takes too long, so they give up.</p>
<p><strong>But what does it all mean?</strong></p>
<p>Are we really doomed to these behemoth infrastructures that sit largely unused, while we pay off consulting and software bills that often run into the millions (if not tens of millions)?</p>
<p>No, we’re not.</p>
<p>IAM is not a lost cause. It <em>can</em> lead to lower costs, easier audit processes, and a demonstrated positive return on investment (ROI). But it takes time – and discipline. As with many aspects of security, identity management is not about technology – it’s about people and process. The technologies are out there, and getting ever more mature. But IAM is NOT a Mac or an iPhone – you don’t just turn it on and it magically works. There is a lot of configuration and even custom development that needs to be done after you install your product suite of choice. Even before that, there is a TON of data cleanup, data modeling, and process design that needs to take place, and that is at the heart of this series:</p>
<p><strong>Identity Management in 13 Easy Steps</strong></p>
<p>Of course, the series title is a bit tongue-in-cheek. There’s nothing particularly easy about identity management. Then again, it’s not rocket science, either. It just takes a little thought and a lot of tedious effort – and did I mention discipline? The focus of this series is all on process and data. In fact, product selection is saved until the very last article. That’s right – if you can keep your instant-gratification urges at bay, I recommend that you don’t even bother buying anything until you’re ready to use it. Why spend all that money on a fancy technology if it’s going to sit there, idle, while you beat your head against the wall trying to clean up the data and processes that it needs to function?</p>
<p>An identity management implementation will only be as good as the data and processes feeding it, and that’s the problem many companies face today – most organizations buy a product and figure out after the fact that they have a ton of work to do to make it function. As a result, there is such a lag between the time of purchase and the time of ROI that most management teams lose patience and halt the effort. If you pave the way to implementation by first cleaning house, the benefit of the technology will be seen quickly once you implement it, which will encourage management to keep it going and try more.</p>
<p>There’s another critical aspect to this approach: gaining the needed experience to properly document requirements. Identity management is extremely complex. No one can just walk in and “get it” in one sitting. Even if the high-level concepts seem obvious, you have to live with the dirty details for a while to really understand the needs of your particular situation. The better that understanding, the better the requirements. The better the requirements, the better the product selection. Choose the right product, and you avoid tossing millions out the window.</p>
<p>Are you ready for this journey? If so, let’s get started. Here is the series I have planned – one article per month. This may not seem like much, but unless your implementation will have a very small user base, it will take longer than a month to execute most of these steps anyway. Of course, the series may change along the way – I’m already concerned about the volume of information I’m trying to fit into some of the articles. I may find as we go that a few of these topics will require multi-part articles. We’ll deal with that when it arises.</p>
<p>For now, here’s the intended schedule:</p>
<p><strong>December 2009: Identity Management 101</strong> – an overview of the different components of an IAM suite, to make sure we’re all on the same page and speaking the same language.</p>
<p><strong>January 2010: Identifying Systems Integrations</strong> – not all systems will integrate (directly or indirectly) with IAM. Determine which ones will feed the priority list for the data cleanups and process work.</p>
<p><strong>February 2010: Data Cleanup Part 1</strong> – before your identity management system can work, it needs to be populated with all userIDs, and those IDs have to be clean. The first cleanup is focused on the primary IDs such as AD/LDAP and other key systems.</p>
<p><strong>March 2010: Data Cleanup Part 2</strong> – a key benefit of identity management is the ability to link userIDs in multiple formats from a variety of systems to the user’s primary record. The second cleanup focuses on identifying which IDs belong to which users in preparation for proper linking.</p>
<p><strong>April 2010: Preparing for Password Self-Service</strong> – password self-service is a key cost savings of IAM, but it’s harder than you might think. This article will help you prepare your policies and your users for the technology to come.</p>
<p><strong>May 2010: HR as a Source of Record</strong> – the HR system is a primary source of record for employees. It can also be one of the primary sources of errors and limitations for identity management. This article will explain the issues that most companies experience when interfacing with HR technologies (and departments).</p>
<p><strong>June 2010: Role- and Rule-Basing</strong> – in order for auto-provisioning and -deprovisioning to work, the roles and rules need to be defined. This article will teach you how to avoid turning this effort into a rat’s nest.</p>
<p><strong>July 2010: Role Hierarchies</strong> – workflows cannot be enabled without proper approval processes. But approvers aren’t always line managers. This article describes the various role hierarchies that should be established, and the synergies that can be achieved between identity management and other sources of record (e.g., financial systems).</p>
<p><strong>August 2010: Workflows</strong> – workflows are the key to automating many processes. This article discusses the considerations in setting up workflows to ensure that they function effectively.</p>
<p><strong>September 2010: Termination and Transfer Gotchas</strong> – terminations and transfers are key control activities that are of great interest to auditors. Getting this right in identity management will save everyone a lot of work. Getting it wrong can be disastrous. Learn the pitfalls in this article.</p>
<p><strong>October 2010: Password Self-Service</strong> – whereas the April article deals with the foundational aspects of password self-service, this article deals more with the implementation aspects: how to select challenge questions that make sense, exposing PSS outside of the corporate network, etc.</p>
<p><strong>November 2010: Effective Business Cases</strong> – now that your house is in order and you have almost a year’s experience with your organization’s circumstances, it’s time to build a business case to buy a product. This article explores a number of value-added functions of identity management that will intrigue your management and encourage them to allocate budget.</p>
<p><strong>December 2010: Requirements and Product Selection</strong> – you’ve cleaned your data, defined your processes, and secured a budget. It’s finally time to pick a product. This article will help you document and prioritize detailed requirements based on a year’s experience in the trenches, so that you can make the best product decision possible.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/11/identity-management-in-13-easy-steps/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Continue Playing</title>
		<link>http://www.securitycatalyst.com/2009/11/continue-playing/</link>
		<comments>http://www.securitycatalyst.com/2009/11/continue-playing/#comments</comments>
		<pubDate>Tue, 17 Nov 2009 11:00:51 +0000</pubDate>
		<dc:creator>Guest Blogger</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[awareness]]></category>
		<category><![CDATA[Information Protection]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2460</guid>
		<description><![CDATA[by Jeff Kirsch In “Playing Games”, I shared some lessons that I learned while playing chess with my son. Chess is a rich example of the need for, and challenge of, planning ahead. For those unfamiliar with this game of skill and strategy, the goal is simple: Capture your opponent&#8217;s king and force him into [...]]]></description>
			<content:encoded><![CDATA[<p>by Jeff Kirsch<a href="http://www.securitycatalyst.com/wp-content/uploads/2009/11/1210501_chess2.jpg"><img class="alignright size-full wp-image-2482" title="1210501_chess2" src="http://www.securitycatalyst.com/wp-content/uploads/2009/11/1210501_chess2.jpg" alt="1210501_chess2" width="300" height="173" /></a></p>
<p>In “<a href="http://www.securitycatalyst.com/2009/10/playing-games/">Playing Games</a>”, I shared some lessons that I learned while playing chess with my son. Chess is a rich example of the need for, and challenge of, planning ahead. For those unfamiliar with this game of skill and strategy, the goal is simple: Capture your opponent&#8217;s king and force him into a position known as “checkmate.”</p>
<p>During the game, opponents take turns moving one piece at a time until a player is considered to be in “checkmate”, meaning he can no longer move his king. An interesting element is the need to notify an opponent when they are one move away from being captured by declaring “check.” This is a great game rich with strategy and nuance, with more details <a href="http://en.wikipedia.org/wiki/Chess">here</a>.</p>
<p>So how does chess fit into my “plan ahead” strategy?</p>
<p>If a player simply moves pieces on the board without thought as to how her opponent will act, pieces will be captured easily, leaving her with a weaker offense and defense. Opponents must be evaluated on how they will move; offense must be based on anticipation of defense. Chess is a game where there are two opponents with an obvious adversary, and the less obvious self. Those who properly anticipate the other player position themselves for maximum advantage.</p>
<p>The act of protecting information is similar to the practice of protecting the King. Those who seek to attack the protected information are opponents, and they consider what they are doing a game. I’m not suggesting that we treat it as a game as well; rather, what is important is the strategy required for both.</p>
<p>Understanding that we are at a disadvantage from the start is key to devising our strategy. Our opponent needs to remain undetected until they have what they need. If they are discovered too early, the chances of achieving their goal drop dramatically.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/11/continue-playing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>For Information Security Newcomers, It’s More Good than Bad.</title>
		<link>http://www.securitycatalyst.com/2009/11/for-information-security-newcomers-it%e2%80%99s-more-good-than-bad/</link>
		<comments>http://www.securitycatalyst.com/2009/11/for-information-security-newcomers-it%e2%80%99s-more-good-than-bad/#comments</comments>
		<pubDate>Thu, 12 Nov 2009 11:00:44 +0000</pubDate>
		<dc:creator>Guest Blogger</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[catalyst]]></category>
		<category><![CDATA[change]]></category>
		<category><![CDATA[leadership]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[social media]]></category>
		<category><![CDATA[twitter]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2468</guid>
		<description><![CDATA[by Dennis Kuntz Most people like attention. Just like we did when we were kids, to get that attention we sometimes engage in good behavior and sometimes in bad behavior. As a parent I know that a sound approach is to focus on and reward the good behavior, while not giving the attention sought via [...]]]></description>
			<content:encoded><![CDATA[<p style="margin-bottom: 0in"><strong>by Dennis Kuntz<a href="http://www.securitycatalyst.com/wp-content/uploads/2009/11/goodbad.jpg"><img class="alignright size-full wp-image-2469" src="http://www.securitycatalyst.com/wp-content/uploads/2009/11/goodbad.jpg" alt="Good versus bad" width="347" height="346" /></a></strong></p>
<p style="margin-bottom: 0in">Most people like attention. Just like we did when we were kids, to get that attention we sometimes engage in good behavior and sometimes in bad behavior. As a parent I know that a sound approach is to focus on and reward the good behavior, while not giving the attention sought via the bad behavior.</p>
<p style="margin-bottom: 0in">A perspective among some information security practitioners seems to have emerged: This industry is mean to newcomers. People I respect &#8211; though admittedly only through my exposure to them via Twitter and some subsequent blog reading – have recently lamented the current state of the information security community vis-a-vis its collective attitude toward newcomers and those who legitimately want to learn.</p>
<p style="margin-bottom: 0in">One, from <span style="color: #000080"><span style="text-decoration: underline;"><a href="http://twitter.com/RafalLos">Rafal Los</a></span></span>, goes so far <span style="color: #000080"><span style="text-decoration: underline;"><a href="http://preachsecurity.blogspot.com/2009/10/infosec-is-rotten.html">as to say</a></span></span> that “Infosec is Rotten”, and elaborates from there. The other, from <span style="color: #000080"><span style="text-decoration: underline;"><a href="http://twitter.com/daveshackleford">Dave Shackleford</a></span></span>, is less strident but <span style="color: #000080"><span style="text-decoration: underline;"><a href="http://daveshackleford.com/?p=277">offers a similar stance</a></span></span> (and offers a lot of practical advice for those new to information security practice, by the way). Their main points are:</p>
<ol>
<li>
<p style="margin-bottom: 0in">There are cliques within the established information security community</p>
</li>
<li>
<p style="margin-bottom: 0in">Members of those cliques seek to humiliate those asking certain questions – especially when those asking identify themselves as “new” to information security</p>
</li>
<li>
<p style="margin-bottom: 0in">As a whole, the information security field is not “welcoming, or mentoring, or open-minded about new people coming in.”</p>
</li>
</ol>
<p style="margin-bottom: 0in">Based on my own experience, I&#8217;ve seen what they&#8217;re talking about when reading responses to blog comments, on social media outlets, and in forums, etc. I have wondered about it myself: What motivates it? How pervasive is it? How much of an impact does it have on those trying to enter the industry?</p>
<p style="margin-bottom: 0in">It has intrigued (but not surprised) me that a group whose genesis (it could be argued) stems from being socially outcast would naturally create socially-oriented subgroups that outcast others: Narcissistic exclusivity happens.</p>
<p style="margin-bottom: 0in">However, I don&#8217;t think it&#8217;s as widespread as some make it out to be. There may even be a more powerful trend of good people reaching out to assist others. Either that, or at least the positive influences in information security deserve an equal – or greater – due as do any negative cliques.</p>
<p style="margin-bottom: 0in">When I have had questions or needed a boost, there have been positive voices willing to reach out and lend a hand. And they have never asked me whether I am seasoned, green, or somewhere in-between.</p>
<p style="margin-bottom: 0in">From <span style="color: #000080"><span style="text-decoration: underline;"><a href="../">Michael Santarcangelo</a></span></span> (<span style="color: #000080"><span style="text-decoration: underline;"><a href="http://twitter.com/catalyst">@catalyst</a></span></span> on Twitter) who has had nothing but guidance and help to offer, to <span style="color: #000080"><span style="text-decoration: underline;"><a href="http://gleeda.blogspot.com/">Jamie Levy</a></span></span> (<span style="color: #000080"><span style="text-decoration: underline;"><a href="http://twitter.com/gleeda">@gleeda</a></span></span>) who has helped me – pleasantly – with questions ranging from general forensics to troubled <span style="color: #000080"><span style="text-decoration: underline;"><a href="http://www.pyflag.net/cgi-bin/moin.cgi">PyFlag</a></span></span> installations; from <span style="color: #000080"><span style="text-decoration: underline;"><a href="http://www.room362.com/">Rob Fuller</a></span></span> (<span style="color: #000080"><span style="text-decoration: underline;"><a href="http://twitter.com/mubix">@mubix</a></span></span>) who has offered assistance with <span style="color: #000080"><span style="text-decoration: underline;"><a href="http://www.offensive-security.com/blog/">Offensive Security</a></span></span> training, to <span style="color: #000080"><span style="text-decoration: underline;"><a href="http://metasploit.com/">H.D. Moore</a></span></span> (<span style="color: #000080"><span style="text-decoration: underline;"><a href="http://twitter.com/hdmoore">@hdmoore</a></span></span>) offering his thoughts on VM&#8217;s “endian-ness”.</p>
<p style="margin-bottom: 0in">The resumes of the names I have listed are impressive – these are not information security lightweights. And the exciting part is that these are only some of the people who routinely help others – I couldn&#8217;t begin to name all of the ones from whom I&#8217;ve had helpful, generous contact.</p>
<p style="margin-bottom: 0in">The good elements of information security are there, and they are active. Maybe we need to do a better job of seeking them out, engaging them, listening to and amplifying their efforts. Certainly their knowledge should be absorbed, and their l33tness bowed down to, but just as importantly, their generosity should be acknowledged and they should be thanked. Giving more public props to and highlighting the efforts of those who are doing The Right Thing will help to steer those impressionable newcomers in the right direction. We should also individually strive to emulate these people. This will put the attention and focus on what – and who – is more productive and better represents what we think our industry should be like. Ultimately this will be better for all of us.</p>
<p style="margin-bottom: 0in"><em>(A note: yes, everyone I mentioned is on Twitter; that&#8217;s where I&#8217;ve “met” more information security people than anywhere else. I&#8217;ve met some in person and even become friends with some. And it&#8217;s a good place to interact with and learn from them).</em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/11/for-information-security-newcomers-it%e2%80%99s-more-good-than-bad/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Firefox Patch Tuesday</title>
		<link>http://www.securitycatalyst.com/2009/11/firefox-patch-tuesday/</link>
		<comments>http://www.securitycatalyst.com/2009/11/firefox-patch-tuesday/#comments</comments>
		<pubDate>Tue, 10 Nov 2009 11:00:00 +0000</pubDate>
		<dc:creator>Guest Blogger</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[communication]]></category>
		<category><![CDATA[Data]]></category>
		<category><![CDATA[encryption]]></category>
		<category><![CDATA[Information Protection]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[social media]]></category>
		<category><![CDATA[trust]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2438</guid>
		<description><![CDATA[by Carl Anctil Background: A few months ago, Microsoft released (and silently installed through Windows Update) a .NET Framework Assistant add-on for the Firefox web browser. Microsoft installed this add-on to Firefox without warning the user that the add-on would be installed as part of the .NET Framework 3.5 Service Pack 1. Security professionals, bloggers, [...]]]></description>
			<content:encoded><![CDATA[<p><strong><img class="alignright size-medium wp-image-2440" src="http://www.securitycatalyst.com/wp-content/uploads/2009/10/praying-200x300.jpg" alt="praying" width="200" height="300" /></strong>by Carl Anctil</p>
<p><strong>Background:</strong><br />
A few months ago, Microsoft released (and silently installed through Windows Update) a .NET Framework Assistant add-on for the Firefox web browser. Microsoft installed this add-on to Firefox without warning the user that the add-on would be installed as part of the .NET Framework 3.5 Service Pack 1. Security professionals, bloggers, users in general all over the Internet were in an uproar over Microsoft&#8217;s activities. Propel forward a few months, and Mozilla proactively disables two Microsoft-installed add-ons; one of them is the infamous .NET FA add-on. Following some discussions with Microsoft, Mozilla later selected to unblock the .NET FA, but continued to block the .NET Windows Presentation Foundation add-on.</p>
<p><strong>Situation:</strong><br />
The browser is rapidly becoming the &#8220;new&#8221; OS, and add-ons are the &#8220;new&#8221; applications. This is the new computer model. The momentum is moving toward SaaS, IaaS, PaaS and other cloud computing acronyms. The impact this is having is such that our browsers are acting more and more like Operating Systems.</p>
<p>If we look back and remember how networking has evolved over the years, we will notice a pattern. Many years ago, networking emerged from thin clients, then it advanced to thick clients and now we are going back to thin clients. The browser is the new thin client. It&#8217;s essentially the new OS. It isn&#8217;t a coincidence that Google&#8217;s new OS is called Chrome OS. Or is it? Can anyone say: &#8220;Firefox patch Tuesday&#8221;? I think we may have witnessed the first Firefox patch push.</p>
<p>When Mozilla decided to proactively block two Microsoft add-ons, the result of this action was effectively the same as patching a vulnerability (automatic updates). The reason these two distinct actions are similar is because the results are the same; they both prevent, fix, or block a vulnerability from an exploit. The block imposed by Mozilla impacted every instance of Firefox automatically, without user interaction.</p>
<p>What&#8217;s even more disturbing with this model is its ability to completely bypass many perimeter defences. This cloaking behaviour is a huge blow for the security of our networks. It&#8217;s giving a transporter to our adversaries to infiltrate our networks. Once inside our browsers, this enemy fundamentally becomes a virtual insider on our networks. It turns our users into allies and uses tactics that are very effective and easy to deploy: Tricks like social engineering, spear phishing, SPAM and emails with various types of specially-crafted attachments, etc.</p>
<p>We must protect and educate our greatest asset, which is coincidentally also our weakest link: The user. Vulnerabilities such as XSS, XSF, drive-by downloads, etc. are almost always triggered by trusted, authenticated and authorized users on the network.</p>
<p><strong>Conclusion:</strong><br />
I just touched on this subject, but I believe a general awareness strategy will have to play an important role in the future. The bad guys will keep winning as long as they are the only ones reaching out to our users. We must positively reach out to users or they will keep getting tricked into doing things against us (and themselves).</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/11/firefox-patch-tuesday/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Securing the Toughest Times</title>
		<link>http://www.securitycatalyst.com/2009/10/securing-the-toughest-times/</link>
		<comments>http://www.securitycatalyst.com/2009/10/securing-the-toughest-times/#comments</comments>
		<pubDate>Thu, 29 Oct 2009 11:07:55 +0000</pubDate>
		<dc:creator>Guest Blogger</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[career]]></category>
		<category><![CDATA[communication]]></category>
		<category><![CDATA[Information Protection]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=1918</guid>
		<description><![CDATA[by Ron Woerner Whether you call it lay-offs, downsizing, rightsizing, redundancies, a reduction in force, or whatever, a reduction in staff stinks. Downturns in the economy often translate to a reduced volume of business, resulting in a correlated reduction in staff. One of the hardest jobs in Security is ensuring that those who are asked [...]]]></description>
			<content:encoded><![CDATA[<p>by Ron Woerner<a href="http://www.securitycatalyst.com/wp-content/uploads/2009/10/59962_the_axe.jpg"><img class="alignright size-full wp-image-2453" title="59962_the_axe" src="http://www.securitycatalyst.com/wp-content/uploads/2009/10/59962_the_axe.jpg" alt="59962_the_axe" width="300" height="233" /></a></p>
<p>Whether you call it lay-offs, downsizing, rightsizing, redundancies, a reduction in force, or whatever, a reduction in staff stinks. Downturns in the economy often translate to a reduced volume of business, resulting in a correlated reduction in staff. One of the hardest jobs in Security is ensuring that those who are asked to leave no longer have access to the organization&#8217;s resources. This is especially hard when you know those affected. However, it&#8217;s critical that this tough job be done.</p>
<p>The last thing you want or need is for an ex-employee to perform a malicious act as part of their departure. The recent case with the Fannie Mae consultant is a great example of how a malcontent could potentially cause your organization grave damage. Luckily, the Fannie Mae sys admin found the malicious script.</p>
<p>You shouldn&#8217;t depend on luck to protect your organization&#8217;s critical infrastructure during lay-offs. This article contains concrete steps for you to consider before, during, and after the dreaded layoffs. [Note: the critical nature of these steps is, in actuality, job security for those who need to perform them. Maybe you can use them to justify your job and keep it off of the &#8220;chopping block.&#8221;]</p>
<p><strong>Before the announcement</strong></p>
<p>Just as in any project (and this is a project), planning and coordination are key. Those managing or initiating the lay-offs (e.g., Human Resources) must have Security on-board early in the process. Delays increase risk to the organization. While secrecy is necessary to protect the process, trusted relationships must be established between all involved, including HR, Security, Legal, and Management. Security needs to know who is affected in order to know what needs to be protected. Security can also help properly protect the &#8220;list&#8221; prior to the official announcement.</p>
<p>Security personnel (both physical and information) need to ensure the protection of personnel and assets during the lay-offs. On the physical side, you need to make sure that those announcing the lay-offs are protected should the employee(s) get upset or abusive. Security officers should be trained and ready to handle potential conflicts and workplace violence.</p>
<p>Information security personnel should identify single points of (security) failure and high risk areas. This includes administrators with expanded ability, authority or access. Security should also determine if there are any single points of failure in the operations that would be affected by the lay-offs. Management should address these critical points well before the announcement to prevent any unexpected denials of service.</p>
<p>Security personnel also need to develop processes to remove both physical and logical access as soon as the notification takes place. This cannot occur too soon before the associate is notified, or else it might alert the associate, resulting in unexpected consequences. (No one likes to find out that their position is eliminated by having their network or badge access disabled.) Also, this cannot occur too long afterward, for obvious security reasons. Ensuring the correct timing requires pre-planning.</p>
<p>As soon as the announcement is made that your organization is considering lay-offs, extend your monitoring efforts. This could be before the actual lay-offs. Rumors can spread, and associates might take these rumors as reason to start their preparation should their name be on &#8220;the list.&#8221; Your efforts should include Data Leakage Protection (DLP) to ensure associates aren&#8217;t shipping critical company information (e.g., customer lists, intellectual property, or company employee data) to themselves or others. This could occur on the network or off. It&#8217;s very easy for an associate to sneak a USB drive filled with an encyclopedia of company data out the door. You also need to be cognizant of physical theft.</p>
<p><strong>During the announcement</strong></p>
<p>With your planning complete, it is now time to enact and follow those processes. As soon as the associate is told that he or she is no longer employed by the organization, you need to disable the physical badge, logical network, and phone access. The accounts should not be deleted, only disabled in case you need them in the future (e.g., rehires). It&#8217;s important that all access is also disabled for networks or assets that are externally accessible (e.g., VPN). The time required for this activity will multiply if IT hasn&#8217;t kept complete documentation of each worker&#8217;s individual access rights, passwords, user names, and security cards.</p>
<p>Occasionally, the manager will request that the separated associate&#8217;s email, phone, or voicemail remain available. This is to maintain contact with clients or customers. Security needs to have an exception process in place to handle these requests while making sure the separated employee no longer has access. It needs to be reassigned to the responsible manager or his/her delegate. Allowing permanent access is not a good idea. There should be a set timeframe for this access to remain active before it is disabled.</p>
<p>Also, consider any shared accounts used by the separating employees. Do they know the UNIX root or Windows administrator password? Whether it&#8217;s that or any other password for a service account, make sure the password is changed ASAP.</p>
<p>Physical security personnel need to be watching and ready in case the affected people become upset. Normally, you don&#8217;t need a physical security presence to escort them. That can be accomplished by the manager and/or HR representative. However, Security should be ready in case things turn ugly. Additionally, they should be watching what property is leaving.</p>
<p>Part of your process should include the retrieval of any assets used by or assigned to the separating employee. This includes: Computers (laptops), USB drives, two-factor authentication tokens, cell phones / PDAs / pagers, and paper documents. When the employee is notified, the manager and HR representative should retrieve these items along with any other property of the organization. Of course, the employee should be allowed to pack up personal belongings, but corporate assets should remain.</p>
<p>Lastly, while the separations occur, continue to monitor online access and activities. You never know the mindset or attitude of those who depart. The potential for malicious acts is increased, especially against any resources that can be seen from the outside (external web sites). Your IDS/IPS should be watching those external network assets and you should be ready to take action.</p>
<p><strong>After the separations</strong></p>
<p>While the major threat may have passed when the laid-off employees have left, it is not completely gone. There are specific post-separation activities that need to occur to ensure risks stay low.</p>
<p>One of the most critical activities is the inspection of online and paper files left behind by the employee. Each manager is responsible for making sure this occurs, because he or she is in the best position to know what is and is not needed. This can be time consuming and tedious, but it can&#8217;t be ignored. The benefit is the freeing of storage space.</p>
<p>The manager or their delegate needs to inspect each piece to determine its disposition and whether or not it is still needed for the business. This person also needs to determine the retention period for any material that needs to be kept. This may require collaboration with the legal or compliance department as this material can be recalled for legal proceedings.</p>
<p>Another post-separation activity is inspecting online files for potentially malicious content. This is especially important for any systems administrators who were let go. There have been many stories of sysadmins leaving backdoors, Trojan horses, and time or logic bombs behind. Remaining sysadmins need to inspect any scripts created by the associates along with any scheduled jobs. Failure to take this step could be devastating for the firm.</p>
<p>Lastly, use this time to document what went right during the process and where you have room for improvement. Take time to learn from the experience and enhance the process.</p>
<p><strong>Conclusion</strong></p>
<p>Staff reductions are a part of corporate life. As painful as they are, they are often critical to keep the organization functioning at full capacity. Security needs to be an active participant in the lay-off process to ensure the risks are kept low. The removal of access is only one of the many areas requiring the attention of Security. They also need to be actively monitoring both the physical and on-line activities of the separating associates. This isn&#8217;t to be intrusive, but to ensure the continual protection of the organization.</p>
<p>Having a positive security model with validation and enforcement provides a deterrent to malicious behavior as well as the tools to quickly identify and contain threats when needed. A positive security model includes: policies, procedures, detective and preventative technology, and proactive monitoring. The tips in this article will aid you in the development of your security model so you are ready when the time comes.</p>
<p><strong>Checklist of Security Items to Consider with Lay-Offs</strong></p>
<p><em>Before</em><br />
Planning / Establish processes<br />
Disabling access<br />
Communications<br />
Establish trusted contacts<br />
HR<br />
Legal<br />
Security<br />
Management<br />
Identify single points of (security) failure<br />
Employees who pose a danger (to themselves or others)<br />
Administrators<br />
Associates with access to sensitive or confidential data<br />
Identify risks<br />
Intellectual property<br />
Confidential data<br />
Property</p>
<p><em>During</em><br />
Disable regular individual access<br />
Logical<br />
Physical<br />
Phone<br />
Email<br />
Remove access to shared accounts<br />
Administrator accounts<br />
Service accounts<br />
Other shared passwords<br />
Asset retrieval<br />
Computers (laptops)<br />
USB drives<br />
2 Factor authentication<br />
Cell phones / PDAs / pagers<br />
Paper documents<br />
Enhance monitoring<br />
IDS/IPS<br />
Logs<br />
Physical surveillance</p>
<p><em>After</em><br />
Continued vigilance<br />
Review of assets &#8220;left behind&#8221;<br />
Online documents, files, and shared storage<br />
eMail<br />
Papers<br />
Check for backdoors, Trojan horses, logic bombs<br />
Unix<br />
Windows<br />
Databases<br />
Network devices<br />
Lessons learned<br />
What went right?<br />
What could be done better?<br />
Process improvements</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/10/securing-the-toughest-times/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Playing games</title>
		<link>http://www.securitycatalyst.com/2009/10/playing-games/</link>
		<comments>http://www.securitycatalyst.com/2009/10/playing-games/#comments</comments>
		<pubDate>Thu, 22 Oct 2009 11:00:54 +0000</pubDate>
		<dc:creator>Guest Blogger</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[career]]></category>
		<category><![CDATA[catalyst]]></category>
		<category><![CDATA[Information Protection]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2386</guid>
		<description><![CDATA[by Jeff Kirsch Recently, my son told me a story about how he played chess with a friend at school. In his story, he said his friend executed a certain move; my son then asked me if I had ever tried that move. I was a bit confused; I&#8217;ve played chess on and off for [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/10/1209957_chess.jpg"><img class="size-full wp-image-2432 alignright" title="1209957_chess" src="http://www.securitycatalyst.com/wp-content/uploads/2009/10/1209957_chess.jpg" alt="1209957_chess" width="300" height="187" /></a></p>
<p>by Jeff Kirsch</p>
<p>Recently, my son told me a story about how he played chess with a friend at school. In his story, he said his friend executed a certain move; my son then asked me if I had ever tried that move. I was a bit confused; I&#8217;ve played chess on and off for at least 20 years, but I&#8217;ve never heard of this play. My son asked if we could play, and more importantly, if I could teach him. Looking at the clock, I thought about how I needed to get his siblings into bed, and that he needed to read a book for school.</p>
<p>He promised to read his book while I put his siblings to bed. After the other kids were in bed, I got him from his room (where he had read a chapter of his book), and we headed downstairs for his lesson.</p>
<p>I explained the chess pieces and how they moved; he remembered this from the last time we played. We began the game and I watched him bring his plan to fruition. I didn&#8217;t start with very much instruction, because I knew that the best instruction comes when you are &#8220;deep in the weeds&#8221;, so to speak. I took a few of his pieces, and the teaching began.</p>
<p>For each of his moves I helped him see what my next moves could be and how that would affect what he should do. With each move, he needed less and less instruction, but his questions became more complex. Of course, like most novice chess players, he still needed help remembering how the pieces moved (especially the knight). Looking at the clock, I realized it was just a few minutes till his bedtime, so I finally made an exchange of pieces I had put off for most of the game. A few moves later he was in checkmate. He looked at me with a huge smile on his face and gave me a big hug. &#8220;That was fun, Daddy,&#8221; he said as I squeezed him tight. &#8220;I can&#8217;t wait to play again.&#8221; That is when two thoughts struck me, which I shared with him, and which I&#8217;ll share with you now.</p>
<p><strong>In losing, you win</strong></p>
<p>We hear all the time that most successful people failed, sometimes more than once, before being successful. Even after those people &#8220;made it&#8221;, they still face bumps in the road. What came out of my mouth first to my son was, &#8220;In losing, you win.&#8221; I went on to explain that you have to lose a lot of games of chess in order to learn how to play the game. This came out almost automatically, but then I started to reflect on what I had said. I realized that I wasn&#8217;t just talking about the game, I was talking about life and all the challenges we face.</p>
<p>In information security it is easy to become overwhelmed. We always feel like we are three steps behind. We put together teams, we focus on security and secure practices, and try to funnel everything down to a few points where we can protect our vulnerabilities, only to find that someone left the back door open. To add insult to injury, we get raked over the coals because the one thing we forgot compromised everything we were trying to protect. However, until the day you forget to lock one door, you have no real concept of the consequences that await when you do fail. In that moment of failure we have the ability to learn the most.</p>
<p><strong>A plan is good, but plan flexibly</strong></p>
<p>My son went into the game thinking there was a defense he could set up in the beginning that would win the game. What my son didn&#8217;t take into account was that I would have a turn, and that I could attack his defense &#8211; thus also keeping him from the offense he had planned. He immediately understood his mistake and explained to me why he should have paid attention to what <em>I</em> was doing. I was again hit with the realization that the lessons from this game were more than just lessons about a game. If we only plan to defend our systems from attack, we fail to see the most critical vulnerability and fail to account for a possible offense.</p>
<p>Flexibility is critical not just in information security, but in all aspects of our personal and professional lives. People who plan ahead certainly can start out of the gate faster, but when they get a few miles down the road and their tire goes flat, how do they sustain momentum? If you can adjust your strategy not only to account for defense, but also to incorporate an offense, you double your chances for success. In the end, you even the playing field by using your strengths and understanding your opponents&#8217; weaknesses.</p>
<p>In a moment of just playing a game with my son, I re-awakened the magic of chess and learned some valuable lessons. There are plenty of people who make fun of the game and those who play it, but there are just as many (if not more) who play it and get it. When you realize that it is not simply a game, but that it also has many lessons to impart, you find that &#8220;losing&#8221; really isn&#8217;t losing. But just as in chess, you&#8217;ll encounter people who don&#8217;t get what you do or why it is important. Instead of discounting them, find a way to convey what it is and why they should care. You aren&#8217;t going to convince everyone and it won&#8217;t be easy, but giving up before you start says a lot about your character and reflects the quality of your work.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/10/playing-games/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>&#8220;Civilian&#8221; Use of Malware Technology?</title>
		<link>http://www.securitycatalyst.com/2009/10/civilian-use-of-malware-technology/</link>
		<comments>http://www.securitycatalyst.com/2009/10/civilian-use-of-malware-technology/#comments</comments>
		<pubDate>Thu, 08 Oct 2009 11:00:29 +0000</pubDate>
		<dc:creator>Guest Blogger</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[trust]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2396</guid>
		<description><![CDATA[by Dennis Kuntz The government spends billions in research every year. Quite often the goal of that research is to create more effective fighting machines and mechanisms, better survival techniques, better gear for soldiers, etc. The array of researched technologies is huge, and wartime in particulate can spur a ton of research. Also quite often, [...]]]></description>
			<content:encoded><![CDATA[<p><strong>by Dennis Kuntz<a href="http://www.securitycatalyst.com/wp-content/uploads/2009/10/techresearch.jpg"><img class="alignright size-full wp-image-2398" src="http://www.securitycatalyst.com/wp-content/uploads/2009/10/techresearch.jpg" alt="techresearch" width="424" height="283" /></a></strong></p>
<p>The government spends billions in research every year. Quite often the goal of that research is to create more effective fighting machines and mechanisms, better survival techniques, better gear for soldiers, etc. The array of researched technologies is huge, and wartime in particular can spur a ton of research.</p>
<p>Also quite often, the results of that technology end up being used for civilian purposes. Researchers and scientists in World War II alone created and/or had significant impact in the areas of <a href="http://www.pbs.org/transistor/background1/events/radar.html">radar</a>, <a href="http://www.centennialofflight.gov/essay/Evolution_of_Technology/jet_engines/Tech24.htm">jet engines</a>, <a href="http://www.britannica.com/EBchecked/topic/130429/computer/216041/Developments-during-World-War-II">computers</a>, synthetic rubber &#8211; the list goes on and on. It&#8217;s obvious today how those technologies, invested in by the military and the government primarily for the sake of the war, have been applied to our civilian lives.</p>
<p>Another thing to note about all of this is that the benefits of those government/military technologies have not been limited to the countries in which they were created. As peacetime would creep in, and alliances form where hostility once reigned, technology would be shared. Not to mention that even when those alliances didn&#8217;t form, the opposing sides would still have access to enemy technology (captured vehicles, interrogation, etc.) to get a foothold in implementing those technologies themselves.</p>
<p>This brings me to a question about malware. Malware is bad &#8211; hence its name. The folks who create it and apply it (as opposed to security researchers that create it for purposes of research) are at the very least not the most scrupulous bunch. There are legions of anti-malware researchers and malware analysts digging into these rogue pieces of software, poking and prodding at them, and figuring out how they work.</p>
<p>This piqued my curiosity: What technology (or use thereof) resulting from malware/anti-malware research has hit the &#8220;mainstream civilian&#8221; computing world? And no, I don&#8217;t mean <a href="http://www.wired.com/politics/security/commentary/securitymatters/2005/11/69601">Sony&#8217;s rootkit</a>. I mean application of what has been learned &#8211; in obfuscation, more efficient coding techniques, remote distribution applications, etc. &#8211; in a way that is useful, but not necessarily matching its intended &#8220;wartime&#8221; purpose (you cannot make me say the &#8220;c&#8212;-war&#8221; word).</p>
<p>The closest thing I could find &#8211; yes, aside from Sony&#8217;s blunder &#8211; was a <a href="http://www.infoworld.com/d/security-central/microsoft-scrambles-quash-friendly-worm-story-514">paper by Microsoft researchers</a> discussing a &#8220;friendly worm&#8221; in terms of patch delivery. This is generalized by Bruce Schneier as &#8220;<a href="http://www.schneier.com/blog/archives/2008/02/benevolent_worm_1.html">benevolent worms</a>&#8221;, which he calls a &#8220;stupid idea&#8221;.</p>
<p>Despite their ethics, the malware writers are very, very smart. The anti-malware researchers and the malware analysts are also very, very smart. So I pose the question to all of you &#8211; what useful applications of what has been learned in the battle against malware are waiting to be used?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/10/civilian-use-of-malware-technology/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Policies don&#8217;t have to be painful</title>
		<link>http://www.securitycatalyst.com/2009/09/policies-dont-have-to-be-painful/</link>
		<comments>http://www.securitycatalyst.com/2009/09/policies-dont-have-to-be-painful/#comments</comments>
		<pubDate>Thu, 10 Sep 2009 11:00:00 +0000</pubDate>
		<dc:creator>Guest Blogger</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[policy]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2316</guid>
		<description><![CDATA[A couple of years ago one of my clients asked me to write a security policy for them since I was the "Security Guy" at the consulting company they used.  I spent a couple of hours looking at various templates and examples that I could find on the Internet.  What I found was a lot of carbon copies of the same templates with insert corporate name here.  My client was happy to have something and I was able to help them out, but I was not really satisfied with what I had written and wanted to do better.]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/09/211776_books_pile.jpg"><img class="alignright size-full wp-image-2318" title="211776_books_pile" src="http://www.securitycatalyst.com/wp-content/uploads/2009/09/211776_books_pile.jpg" alt="211776_books_pile" width="252" height="300" /></a>by James Costello</p>
<p>Several years ago, one of my clients asked me to write a security policy for them (since I was the &#8220;Security Guy&#8221; at the consulting company they employed). I spent a couple of hours looking at various templates and examples on the Internet. What I found were a lot of carbon copies of the same few templates with &#8220;insert corporate name here&#8221;. Regardless, I created a security document for them; my client was happy to have <em>something</em> and I was able to help them out, but I was not really satisfied with what I had written and wanted to do better.</p>
<p>Recently, I&#8217;ve been working with a team to rewrite the security policies for my current employer; policies that look exactly like the one I put together for my client years ago. The review of the current documents made something clear to me: No one likes to write these documents, so they use templates as a quick way to get the job done. Unfortunately, the template-based policies can be difficult to read through for people who need to work on them, and will most likely be unread by the employees who will be most affected by them.</p>
<p>So what can we do, dear reader?</p>
<p>I am going to start by defining policy this way: A policy is a set of rules that supports an overall vision. This policy is developed using a set of standards, which are incorporated into procedures to implement the policy. For example, if the concept is that the company&#8217;s wireless network should be secure, the policy would state that technologies will be used to secure wireless communications on corporate sites. The standard would be that the general public would not be able to connect directly to the corporate network via wireless networking. The procedure would be to use WPA2 configured on the access points. If a new technology comes out that proves to be more secure than WPA2, the policy does not need to be rewritten; just the procedure. There can also be multiple procedures for the same policy, e.g. the procedure to implement WPA2 on Windows is different from the procedure to implement it on Linux.</p>
<p>It&#8217;s simple: The vision is the overall goal. The policy supports the vision, the standards measure how the policy relates to the vision, and the procedures support the policy. Procedures should not typically be included in a policy document because they can be more dynamic and will change more often than the policy will. In my current organization, policies have to be approved by the Executive Management team, and it can take as long as a month for one sentence to be approved. Instead, procedures should be established at the team level and reviewed by direct management, so that changes to the procedure can be implemented quickly while still supporting the existing policy.</p>
<p>One of the best references I have found for this policy style are the PCI-DSS documents. Vision, policy, and standard are established, and the procedures are left up to the individual companies. The documents are easy to read and reference, and can be a great starting point for companies to examine how their own security policies are written. Not everything in the PCI-DSS documents will be applicable to every organization and I do not necessarily agree with everything in them, but they are quite useful for readability and review by non-IT security staff.</p>
<p>The simple steps to follow to build your own company&#8217;s security policy:</p>
<ol>
<li>Establish the vision.</li>
<li>Write the policy to support the vision.</li>
<li>Develop standards to measure the policy, and finally</li>
<li>Create the procedures to implement the policy.</li>
</ol>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/09/policies-dont-have-to-be-painful/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Dear Legitimate Companies: Stop Acting Like Phishing Rings</title>
		<link>http://www.securitycatalyst.com/2009/09/dear-legitimate-companies-stop-acting-like-phishing-rings/</link>
		<comments>http://www.securitycatalyst.com/2009/09/dear-legitimate-companies-stop-acting-like-phishing-rings/#comments</comments>
		<pubDate>Tue, 08 Sep 2009 11:00:06 +0000</pubDate>
		<dc:creator>Guest Blogger</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[consumer advocate]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2267</guid>
		<description><![CDATA[by Aaron Titus As a privacy and consumer advocate, it ruffles my feathers when otherwise legitimate companies force the public to disregard common-sense online safety practices in order to use their services. Among the many safety tips are: Only give confidential personal information to people you affirmatively contact, never to anyone who spontaneously contacts you. [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-2308" src="http://www.securitycatalyst.com/wp-content/uploads/2009/09/Danger-Wrong-Way-Turn-Back-300x400.jpg" alt="Danger Wrong Way Turn Back" width="400" height="300" />by Aaron Titus</p>
<p>As a privacy and consumer advocate, it ruffles my feathers when otherwise legitimate companies force the public to disregard common-sense online safety practices in order to use their services. Among the many safety tips are:</p>
<ol>
<li>Only give confidential personal information to people you affirmatively contact, never to anyone who spontaneously contacts you.</li>
<li>Don&#8217;t click on URLs in unsolicited e-mails.</li>
<li>If you want to click on an e-mail link, never click &#8220;dishonest&#8221; links &#8211; links that don&#8217;t match the displayed URL.</li>
</ol>
<h1>Bad Practices</h1>
<p><a href="http://www.asa.org">American Student Assistance</a> (ASA) is a non-profit organization which helps students keep track of their student loans. It&#8217;s also an example of a legitimate organization with some irresponsible privacy practices.</p>
<p>Earlier this year I received an unsolicited e-mail from the ASA.  I had never heard of the ASA, but the e-mail insisted that they were &#8220;the guarantor of [my] federal student loans.&#8221; To this day my bank has not introduced me to the ASA.  Of course, this spontaneous contact from an &#8220;authoritative&#8221; organization made me suspicious. <em><strong>Red Flag 1</strong>: Unsolicited e-mail claiming to be from an authoritative source.</em></p>
<p>The letter instructed me to follow a link and log in with my FAFSA PIN. I was also notified that I have a &#8220;Profile,&#8221; and was invited to update my profile by clicking on a link. The link took me to an insecure and unbranded website which automatically filled in my name and e-mail address, and indicated that I had been opted in to receive a newsletter. <em><strong>Red Flag 2</strong>: Unsolicited authoritative e-mail, requesting that you &#8220;log in&#8221; using sensitive information on an unsecured, no-name server. Spam newsletters are a bonus.</em></p>
<p>But before clicking on the links, I moused over each of them to see where they led.  A link which purported to go to &#8220;<a href="http://www.asa.org">www.amsa.com/bor</a>&#8221; actually linked through &#8220;http://click.email-asa.org/?qs=33c40ef691b275c8d3b7e7d0430ce34d0980241c6c7eb313b745465bb515d8d5&#8221;. In fact, each of the eight links in the e-mail was &#8220;dishonest,&#8221; in that the actual URL was different from the displayed URL. <em><strong>Red Flag 3</strong>: Dishonest links.</em></p>
<p>This e-mail screamed &#8220;Phishing Scam,&#8221; so I called the toll-free phone number listed in the e-mail.  A woman answered the phone. She immediately asked for sensitive personal information.  I gave her my first and last name, but refused to give her any additional information since they had contacted me and I had no way to verify who they were. <em><strong>Red Flag 4</strong>: Unsolicited third party requesting personal information over the phone.</em></p>
<p>ASA&#8217;s Privacy Policy contains the following promises:</p>
<blockquote><p>We do not disclose any nonpublic personal information about you or our other current or former customers, except as permitted by law&#8230;. We restrict access to nonpublic personal information about you to our employees, contractors, and agents who need to know the information in order to provide service to you&#8230;. We maintain physical, technical, and administrative safeguards in compliance with federal regulations to safeguard your nonpublic personal information. <em>(Accessed August 27, 2009.)</em></p></blockquote>
<p>But ASA&#8217;s privacy policy didn&#8217;t translate to privacy practices.  After I refused to share personal information the lady on the phone asked, &#8220;Is your name Aaron [X] Titus, or Aaron [Y] Titus?&#8221; Uncomfortable, I replied, &#8220;Aaron [X]&#8230;&#8221; She asked for my date of birth.  When I refused to give it to her, she read it to me over the phone.  When I refused to give her my address, she repeated my full address including street, number, state and zip code.  She told me which school I attended and that she had access to my social security number on her screen.  <em><strong>Red Flag 5</strong>: A representative sharing sensitive personal information over the phone without first authenticating.</em></p>
<p>Since I had no idea who this organization was, I asked, but never got a straight answer.  She and her supervisor variously described the organization as a &#8220;government agency,&#8221; &#8220;not a government agency,&#8221; &#8220;a non profit government agency,&#8221; and a &#8220;non profit organization which receives federal funds.&#8221; They relied on some relationship with the federal government to gain credibility. <em><strong>Red Flag 6</strong>: A fishy and inconsistent story designed to earn your trust.</em></p>
<h1>My Advice: Quit it</h1>
<p>After filing a complaint with the company, I talked with ASA&#8217;s Privacy and Compliance Director, Betsy Mayotte.  Ms. Mayotte was kind enough to apologize for the behavior of her organization, and convinced me that the ASA is a legitimate organization, albeit one with uneducated and dangerous privacy practices.  Apparently the representative was re-trained.  But they did not plan to change anything else.</p>
<p>The dishonest links were designed to measure click-throughs, a common marketing practice.  The unbranded and insecure server which asked me to update my &#8220;profile&#8221; was the result of bad practices, laziness or poor training.  The other blatant violations of their privacy policy and the outrageous behavior by the representative were more of the same.</p>
<p>I wish I could say that this is an unusual event. But unfortunately I&#8217;ve seen similar behavior by my bank, and even former employers.  When legitimate companies force consumers to be irresponsible, the online public becomes irresponsible.  Forcing consumers to ignore common-sense safety practices may save you a buck in the short run, but it makes your customers irresponsible and erodes overall online public safety. So here&#8217;s my advice to legitimate companies who behave like phishing rings:</p>
<p><strong>Quit it.</strong></p>
<p>Seriously, stop training the public to be irresponsible. If you want to track click-throughs for an e-mail marketing campaign, set up the redirect on your own domain rather than on a third-party tracking domain, so that the link the reader sees and the link they actually follow agree.  If you got sensitive personal information through a third party, make sure to have that third party introduce you to the customer.   Don&#8217;t send unsolicited e-mail, and don&#8217;t cold-contact potential customers to request that they share personal information.  Once and for all, serve your website over HTTPS.  If your marketing department isn&#8217;t all that tech-savvy, hire someone who is.  Train your customer service representatives never to give out personal information without first authenticating the identity of the person on the other end of the line.</p>
<p>Privacy policies are not just legal boilerplate which you can write and forget.  Make sure that your privacy policy matches your privacy practices.  This means that your customer service representatives should be as familiar with it as your general counsel.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/09/dear-legitimate-companies-stop-acting-like-phishing-rings/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Revisit the basics</title>
		<link>http://www.securitycatalyst.com/2009/07/revisit-the-basics/</link>
		<comments>http://www.securitycatalyst.com/2009/07/revisit-the-basics/#comments</comments>
		<pubDate>Thu, 30 Jul 2009 11:00:48 +0000</pubDate>
		<dc:creator>Trish Smith</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[passwords]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[twitter]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2179</guid>
		<description><![CDATA[by Trish Smith As our clients and customers naturally become more computer savvy, we often assume that they know (and remember) the basic tenets of security, including good &#8220;password hygiene&#8221;: Ensure that your password is difficult to guess, that it is never given to an unauthorized party, and that it is changed on a regular [...]]]></description>
			<content:encoded><![CDATA[<p>by Trish Smith<a href="http://www.securitycatalyst.com/wp-content/uploads/2009/07/ABC.jpg"><img class="alignright size-medium wp-image-2180" title="ABC" src="http://www.securitycatalyst.com/wp-content/uploads/2009/07/ABC-300x264.jpg" alt="ABC" width="300" height="264" /></a></p>
<p>As our clients and customers naturally become more computer savvy, we often assume that they know (and remember) the basic tenets of security, including good &#8220;password hygiene&#8221;: Ensure that your password is difficult to guess, that it is never given to an unauthorized party, and that it is changed on a regular basis. But something happened today that reminded me that even the more knowledgeable among us can forget to be cautious when we are online.</p>
<p>I was on Twitter this morning (my username there is @Astrogirl426, if you&#8217;d like to add me to your follower list) when I began seeing tweets about a new service called &#8220;Twitviewer&#8221;. This service offered to let Twitter users find out who had recently viewed their Twitter page. Curious, I clicked the link and was sent to the Twitviewer home page, where I was prompted to enter my Twitter username and password.</p>
<p>Hopefully, this is the point at which anyone with a moderate amount of experience online would stop and think, &#8220;Hmm, this might not be a great idea. Let me wait and see if this service turns out to be legit.&#8221; Let me state here that there ARE some legitimate Twitter services that require you to enter your username and password to access them (TwitPic is just one of several). However, a brand-new service that requires your login information should always be approached with caution &#8211; if for no other reason than to see if any reports of &#8220;suspicious activity&#8221; surface.</p>
<p>Unfortunately, over the next few hours I saw quite a few of the people I follow on Twitter using the service (I knew this because the service sends out an automatic tweet from the individual when they use it for the first time). Sure enough, later in the afternoon I began reading warnings from Twitter against giving Twitter login information to this service.</p>
<p>So what did I learn from this? What can YOU learn from this? That even as people become more sophisticated about computers in general, and security specifically, we need to revisit the basics with them from time to time to remind them that these lessons are still important, and still relevant. And if you were one of those who used the Twitviewer service &#8211; change your password!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/07/revisit-the-basics/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Security Vending Machine</title>
		<link>http://www.securitycatalyst.com/2009/07/the-security-vending-machine/</link>
		<comments>http://www.securitycatalyst.com/2009/07/the-security-vending-machine/#comments</comments>
		<pubDate>Thu, 23 Jul 2009 11:00:30 +0000</pubDate>
		<dc:creator>Guest Blogger</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[planning]]></category>
		<category><![CDATA[purchasing]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=2116</guid>
		<description><![CDATA[by James Costello I would bet that you have someone in your life who &#8220;survives&#8221; out of the vending machine at the office. You know them: Their desk is surrounded by potato chip bags, candy wrappers and soda cans. They are the first one to get the new item out of the machine. They consistently [...]]]></description>
			<content:encoded><![CDATA[
<p style="margin-bottom: 0in">by James Costello<a href="http://www.securitycatalyst.com/wp-content/uploads/2009/07/vend.jpg"><img class="alignright size-medium wp-image-2157" title="vend" src="http://www.securitycatalyst.com/wp-content/uploads/2009/07/vend-300x225.jpg" alt="vend" width="300" height="225" /></a></p>
<p style="margin-bottom: 0in">I would bet that you have someone in your life who &#8220;survives&#8221; out of the vending machine at the office.  You know them:</p>
<ol>
<li>Their desk is surrounded by potato chip bags, candy wrappers and soda cans.</li>
<li>They are the first one to get the new item out of the machine.</li>
<li>They consistently return to the same choices, but especially love new packaging even if the insides are still the same.</li>
<li>They base decisions on what is in the machine.</li>
<li>They purchase items because they have money in their pockets.</li>
</ol>
<p style="margin-bottom: 0in">Do you know of companies that treat their security purchases like a trip to the vending machine?</p>
<ol>
<li>They buy items with the prettiest packaging (or possibly the prettiest sales person).  Don&#8217;t laugh; I&#8217;ve seen it happen.</li>
<li>They purchase items just based on the fact that it is either new or a new version.  And we all know that &#8220;new&#8221; means it&#8217;s good, right?</li>
<li>They purchase items just because it&#8217;s in the machine or their sales representative presented it to them.</li>
<li>They buy the same product that they bought last year because they are not comfortable with change.</li>
<li>They buy because they have leftover budget for this year, but are not sure if it is something they really need.</li>
</ol>
<p style="margin-bottom: 0in">So how do we, dear reader, avoid/prevent others from making purchases from the security vending machine?</p>
<ol>
<li>Determine your corporate goals and work toward them. Okay, so that&#8217;s a bit clich&#233;d, but I see this every day as a project manager.  When there is not a clear idea of what is wanted out of a project, it will drag on and possibly never get implemented to anyone&#8217;s satisfaction.</li>
<li>Identify your needs and purchase accordingly. What traffic are we trying to monitor?  If you are more concerned with blocking inbound access than monitoring, then an IDS solution may not be the best use of funds.  What data are we trying to protect?  If all of your proprietary data is kept on one or two servers, hardening those servers will make the most impact.  What services are we offering to our clients?  If you are not offering any services locally, inbound traffic should be denied.</li>
<li>Don&#8217;t let your budget burn a hole in your corporate pocket. Are you with an organization that determines next year&#8217;s budget based on how much you spent this year?  (I know this would not fly at my house; why does this work in business?)  Work with your financial group to create the budget.  This sort of spending is foolish, especially in the current financial situation.</li>
<li>Don&#8217;t spend all of your budget at once.  Plan for spending over the course of the entire year.  I am reminded of my friends who are teachers for school districts in my area.  They get paid once per month and have to budget for the entire time.  My friends like to tell stories of first-year teachers who see this great big paycheck (well, for a teacher) and go out and spend it without realizing it will be another 30 days before they will get paid again.  What is humorous for me is that they all admit to doing the same thing.</li>
<li>Just because something is shiny and new does not mean I have to have it.</li>
</ol>
<p>When I was a senior in college 15 years ago, I needed a car to drive back and forth between the college campus and the school district where I was going to be student teaching.  I needed a car and it was going to be my first major purchase.  I had $3500 to make the purchase and I could look anywhere I wanted.  I could have taken my time to get the most car for my money, but I wanted to get it done and I knew I could spend all of the money I had on this car.  (I failed to plan, I did not determine my needs, and I allowed the amount of money I had to determine when I would buy.)   A day after I withdrew the money from my savings account, I drove off the car lot of a friend of the family with a car with no trunk space, a short back seat, and not enough horsepower.  This car would barely do 60 mph (not so good for a college student who needed to drive 40 miles each day and was still on college time), I could not haul anything in it (this made moving out of the dorms when school was done next to impossible), and finally it developed a habit of not starting when it rained (this was lived with for about a year as I had to make money to get it fixed, since I had spent all of my money on the car).  I look back on that now and wonder how I survived, making those decisions.</p>
<p>I bought from the vending machine.  Are you or your company doing the same?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/07/the-security-vending-machine/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Minefield of Bananas</title>
		<link>http://www.securitycatalyst.com/2009/06/minefield-of-bananas/</link>
		<comments>http://www.securitycatalyst.com/2009/06/minefield-of-bananas/#comments</comments>
		<pubDate>Tue, 16 Jun 2009 11:00:20 +0000</pubDate>
		<dc:creator>Guest Blogger</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[systems]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=1851</guid>
		<description><![CDATA[by Jeff Kirsch As adults we like to have some sense of order. We get into a routine; get up at the same time, take the same route to and from work, eat our meals, and head to bed all on a schedule. Sure, we like to think we add some randomness to our lives [...]]]></description>
			<content:encoded><![CDATA[<p><img class="alignright size-full wp-image-1855" src="http://www.securitycatalyst.com/wp-content/uploads/2009/05/riskybusiness_150.jpg" alt="riskybusiness_150" width="425" height="282" />by Jeff Kirsch</p>
<p>As adults we like to have some sense of order. We get into a routine; get up at the same time, take the same route to and from work, eat our meals, and head to bed all on a schedule. Sure, we like to think we add some randomness to our lives by not going to eat at the same place each day, but we go to eat at those &#8220;different&#8221; places at the same time every day. It&#8217;s not bad to have a routine; that is what gives you a sense of control in what sometimes seems like a chaotic world. The question is, how much tolerance do we have for randomness?</p>
<p><strong>Me vs. Random</strong></p>
<p>I have a morning routine that helps me get the kids ready so I can leave on time. Part of that morning routine is feeding my daughter. Recently she decided she likes to eat bananas. She also prefers to have the banana cut in half, and this is what turns out to be my demise. I go through the rest of the morning routine and lean over my daughter&#8217;s high chair tray to give her a kiss goodbye. I give a kiss, hug, and high five to my sons, and then I am off to work. A few hours into work, I push back from my desk and happen to look down to find a giant banana stain on my shirt. I came to work and walked around the office with this very noticeable stain on my shirt, without ever having realized the spot was there. As I wash the stain off my shirt I contemplate my options to avoid this situation in the future.</p>
<p>A few days later, my daughter was again eating her banana. As I leaned in to kiss her, I bent in a way that ensured she couldn&#8217;t get me with her banana.  I gave a kiss, hug, and high five to my sons, then I went off to work. As I walked into my office building, I noticed my reflection in the window. Lo and behold, there was something on my pants around knee level.  I looked down to find a nice banana stain just above the knee. I let out a sigh and headed up to the office, making a quick stop at the restroom to wash off my pants. I realized my strategy had not worked, so I began to reformulate a plan to ensure I didn&#8217;t continue showing up with stains on my clothes.</p>
<p>A week later I gave my daughter her morning banana, but this time I cut it up into small pieces. My thinking was, if I give it to her in small pieces she can&#8217;t jab me with it, and if she throws it I&#8217;ll notice. I went through the routine thinking I won this round &#8211; even though my daughter has already won the first two rounds. I saw she was done and walked over to get her out of her highchair to get her dressed, and that&#8217;s when it happened. First, let me tell you that the last thing I do before leaving for work is to put my socks and shoes on. I can&#8217;t say why that ends my morning routine, but it does. So as I walked over to my daughter in my bare feet, I stepped right into a minefield of banana pieces my daughter had thrown on the floor. Game, set, match. My one-year old just beat me three games to none.</p>
<p><strong>Ordered Randomness</strong></p>
<p>As IT professionals, we spend our time planning for the random event that could take down our critical systems. We design our systems and find order in a mostly random world, but we always know there is still the unknown. So it all comes down to how well we handle the response. By designing a program that balances order and randomness we prepare for surprises. If our first response to random events is to be disorderly, our designed responses will fail. However, if we maintain order while responding to random events, the chances of containing the event and minimizing the potential loss increase. My response to the situation presented by my daughter was meant to add order to the randomness. Perhaps the better response would have been to check my clothes before I left for work. Detecting random events early, maintaining order, and executing the response is how we avoid the banana minefields.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/06/minefield-of-bananas/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Your Data Self</title>
		<link>http://www.securitycatalyst.com/2009/05/your-data-self/</link>
		<comments>http://www.securitycatalyst.com/2009/05/your-data-self/#comments</comments>
		<pubDate>Mon, 25 May 2009 15:45:55 +0000</pubDate>
		<dc:creator>Guest Blogger</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[Add new tag]]></category>
		<category><![CDATA[Data]]></category>
		<category><![CDATA[data self]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/blog/?p=634</guid>
		<description><![CDATA[by Aaron Titus Georges-Pierre Seurat was a 19th century French painter credited with starting Neo-impressionism and developing a painting technique called &#8220;pointillism.&#8221; His famous painting, La Parade, contains the detail on the right: A complicated series of blue, orange, pink, red, black, and yellow dots that together create a man&#8217;s profile. This detail is the [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/04/seurat-la_parade_detail.jpg"><img class="alignright size-medium wp-image-1768" src="http://www.securitycatalyst.com/wp-content/uploads/2009/04/seurat-la_parade_detail-184x300.jpg" alt="seurat-la_parade_detail" width="184" height="300" /></a></p>
<p><strong> by Aaron Titus</strong></p>
<p><a href="http://en.wikipedia.org/wiki/Georges_Seurat">Georges-Pierre Seurat</a> was a 19th century French painter credited with starting Neo-impressionism and developing a painting technique called &#8220;<a href="http://en.wikipedia.org/wiki/Pointillism">pointillism</a>.&#8221; His famous painting, <em>La Parade,</em> contains the detail on the right: A complicated series of blue, orange, pink, red, black, and yellow dots that together create a man&#8217;s profile.</p>
<p>This detail is the single best visualization of your &#8220;Data Self&#8221; I have seen.  Your <a href="http://www.securitycatalyst.com/2008/11/when-did-my-personal-information-become-your-property/">Data Self</a> is a collection of your credit report, Facebook page, Google results, Bank account numbers, archived e-mails, and an endless parade of other data.  Like pointillism techniques, which juxtapose contrasting dots to create vibrant masses of shaded tones, each piece of personal information is a single dot. Perhaps one is your address, your middle name, your pet&#8217;s name, or your favorite color.  Maybe some represent your family, and others represent your friends or religious beliefs.  Some represent your travels, magazine subscriptions, and purchase habits.  Still others are intimate thoughts.</p>
<p>Taken individually or in small groups, they do not mean much &#8211; they may even seem to contrast or contradict one another.  But all together they form your profile, or Data Self: A pretty good, but not 100% accurate representation of who you are.  And this profile is exactly what data brokers, government actors, and marketers (among others) are trying to determine.</p>
<p>We leave trails of dots as we interact with others, especially online.  As <a href="http://www.popularmechanics.com/technology/gadgets/news/4295100?page=2">Gregory Conti</a>, a computer science professor at the United States Military Academy at West Point, explained, &#8220;Free Web services aren&#8217;t free. We pay for them with micropayments of personal information.&#8221;</p>
<p>Since your Data Self is a digital alter-ego, with the power to enter contracts, grant access to your financial assets, have surgery, or commit crimes, you should actively shape and control access to your Data Self.</p>
<p><em>Hat tip: <a href="http://www.concurringopinions.com/">Daniel Solove</a></em></p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/05/your-data-self/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>I Don&#8217;t Care</title>
		<link>http://www.securitycatalyst.com/2009/05/i-dont-care/</link>
		<comments>http://www.securitycatalyst.com/2009/05/i-dont-care/#comments</comments>
		<pubDate>Fri, 22 May 2009 11:00:17 +0000</pubDate>
		<dc:creator>Guest Blogger</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[layperson]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[technology]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=1734</guid>
		<description><![CDATA[by Dennis Kuntz Recently I attended a talk by Jennifer Jabbusch about the dangers posed by black hats exploiting all manner of wireless devices. The audience was mostly non-technical law enforcement, so the talk contained a little FUD by design to shake them a little as to the gravity of the threats. It was an [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/04/idontcare.jpg"><img class="alignright size-medium wp-image-1735" src="http://www.securitycatalyst.com/wp-content/uploads/2009/04/idontcare-300x199.jpg" alt="idontcare" width="300" height="199" /></a><strong>by Dennis Kuntz</strong></p>
<p>Recently I attended a talk by <a id="st.." title="Security Uncorked" href="http://securityuncorked.com/">Jennifer Jabbusch</a> about the dangers posed by black hats exploiting all manner of wireless devices. The audience was mostly non-technical law enforcement, so the talk contained a little FUD by design to shake them a little as to the gravity of the threats. It was an excellent presentation that was well-received. During the 15-minute break before <a id="xh0m" title="Jack Wiles" href="http://www.technosecurity.com/html/BioJackWiles.html">Jack Wiles</a> was to speak about physical security, I overheard the officer next to me (he was there to &#8220;take advantage of the free training&#8221;) speaking with the business continuity guy on his other side. This is what I overheard:</p>
<div style="margin-left: 40px;"><em>&#8220;I don&#8217;t care what they [the black hats] do or how they do it. That&#8217;s what the technical guys are for. I&#8217;m glad I work in regular investigations.&#8221;</em></div>
<p>Now, my <em>first</em> thoughts were somewhat predictable: How could you <em>not</em> want to understand what, how, and why these guys and gals can do what they do? Wouldn&#8217;t that just help your job? With the increasing prevalence of electronic crimes specifically, and the increasing role wireless devices will continue to play in other crimes, how could you <em>not care</em> about this stuff? How could knowing more &#8211; of just about anything &#8211; <em>not</em> be something for which to strive, especially if you can apply it to what you do?</p>
<p>Now, I do not know this officer. He might be the laziest man on the force, and might skate by doing the minimum that&#8217;s expected of him. I honestly do not believe that to be the case. So, assuming that this was a skilled officer who cares about solving crimes and catching the bad guys, something struck me &#8211; what this officer was really saying was that he just wants to do his job. He doesn&#8217;t want to deal with anything that he doesn&#8217;t <em>have to</em> in order to solve crimes. Because if it&#8217;s something he doesn&#8217;t have to know or deal with then it takes time away from what he <em>does</em> have to know or deal with. He wants to be able to rely on the technical folks to do &#8220;their part&#8221; just like he wants the physical forensics team to do their part &#8211; and without him having to know about all of the ugly details.</p>
<p>What also struck me was that this was <em>reality</em><strong>. </strong>Here was a real person, from real life, who considers having to know anything about technology &#8211; beyond what he needs to know to function &#8211; to be something to avoid. We encounter these people all the time in every industry. As &#8220;IT&#8221; folks in general, and &#8220;IT Security&#8221; folks specifically, what can we do to deal with people like this officer who just want to do their jobs without being overwhelmed by technology?</p>
<p>There are two primary things that we can do: First, we can educate people as to the benefits various levels of understanding of technology will have on what they are trying to accomplish. Does this officer need to know how to fire up Wireshark and rip into some packets to help him do his job? No, he doesn&#8217;t. But can understanding the ease with which black hats can commit crimes, as well as facilitate others&#8217; illegal activity, help him have more insight into the crimes he&#8217;s investigating? I would venture to say that it absolutely will. We need to approach people like this officer with the understanding that they are, at the very least, unconvinced that this knowledge will be helpful, if not against it altogether. We need to tailor our educational messages in such a way as to help them see that they can attain the benefit of the knowledge without it having to be a complete jargon-and-acronym-filled head spin, and without it sucking up all of their valuable time.</p>
<p>But what about those who refuse to accept any benefit? That&#8217;s where the second item comes in.</p>
<p>Ultimately a good portion of our jobs involves providing an appropriate level of protection for whatever assets are our responsibility in such a way as to help the bottom line, or at least to impact it only as much as is appropriate. When we encounter people who refuse to take part or to help with this, we need to use innovation and creativity to <em>protect the assets anyway</em>. In the case of the officer, it&#8217;s just as he said &#8211; the technology guys (and gals) need to do their jobs. Would it help if the officer <em>did</em> know a little so that the knowledge about the case could dovetail between the groups a bit? As outlined above, yes, it probably would. But if that officer is doing his job, and that job doesn&#8217;t require his involvement in the technology pieces of the case, then we need to be the ones to step up and fill the gaps. Just as we might wish others would have a better understanding of what we do, it&#8217;s important that we do the same, because ultimately it matters more that things get done than who does them. If we can educate along the way, all the better.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/05/i-dont-care/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Scrubbing The Web</title>
		<link>http://www.securitycatalyst.com/2009/05/scrubbing-the-web/</link>
		<comments>http://www.securitycatalyst.com/2009/05/scrubbing-the-web/#comments</comments>
		<pubDate>Mon, 18 May 2009 11:00:51 +0000</pubDate>
		<dc:creator>Guest Blogger</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[proxy]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=1501</guid>
		<description><![CDATA[by Carl Anctil I have been using Privoxy for many, many years. It was actually called the Internet Junkbuster when I was first introduced to it. In early 2000 when I started getting into security and privacy, it was one of the first tools I began using to disguise my user-agent string. Modifying a user-agent [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/04/ethernet-cable.jpg"><img class="alignright size-full wp-image-1503" src="http://www.securitycatalyst.com/wp-content/uploads/2009/04/ethernet-cable.jpg" alt="ethernet-cable" width="224" height="168" /></a><strong>by Carl Anctil</strong></p>
<p>I have been using Privoxy for many, many years. It was actually called the Internet Junkbuster when I was first introduced to it. In early 2000 when I started getting into security and privacy, it was one of the first tools I began using to disguise my user-agent string.</p>
<p>Modifying the user-agent string is a simple way to avoid malware from websites that read the user-agent string to determine the browser type and version and then serve an exploit tailored to that browser (most common with IE). I modify the user-agent string to this day. However, what I do now is pretty subtle. I add or remove a single dot somewhere within the string. This way, if someone quickly glances at logs, my new customized user-agent string doesn&#8217;t stick out like a sore thumb.</p>
<p>Another reason I like using Privoxy is to block banner ads. Especially today, with all the XSS vulnerabilities going around, this is a quick and simple way to eliminate this threat. I also believe in cookie management. Privoxy can be used to manage your browser cookies and how they interact with websites. You can block them altogether or modify them to force a particular behavior, such as whether they are session cookies or permanent cookies. I know this is possible from within the browser, but Privoxy offers many more options and more flexibility for cookie management. It&#8217;s really cool stuff once you get into cookies and how and why they work.</p>
<p>Privoxy is an effective tool for controlling tracking web bugs. Web bugs are tiny 1&#215;1 images used to report back to a company (website) whether you have opened or visited a certain page. Once this 1&#215;1 image is rendered by the browser, various statistics are sent back to the requesting server, such as the IP address, date and time, browser version and type, etc. This information is usually sent directly to a third party, typically an advertising company. But there are other uses for this technology, such as by some services that will advise you when an email (including webmail) has been read.</p>
<p>Lastly, I like Privoxy because I can also control the referrer. When a connection is made to a website, the browser lets the web server know which URL it came from. This is called the referrer (carried in the HTTP Referer header). With Privoxy it&#8217;s possible to modify or block the referrer string that is sent to a web server when a new connection is made. This way the web server sees you as having browsed directly to the URL rather than having arrived by clicking a link on another page.</p>
<p>Privoxy is a proxy. It runs in the background. I install it locally on every computer I have. I have it run locally on the loopback interface, which is the default. The browser will need to be configured to use the local proxy for it to perform the necessary scrubbing. For myself, Privoxy is simply another tool or software like antivirus, antispyware, etc. It doesn&#8217;t matter whether I&#8217;m on Windows, Mac or Linux, I install and use Privoxy when possible.</p>
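<p>The four scrubs described above, as an added example that is not part of the original post: a Privoxy <code>user.action</code> file that sends a user-agent with a single dot removed, suppresses the referrer when a link crosses to another site, demotes every cookie to a session cookie, and blocks web bugs and ad hosts. The user-agent value, the domain patterns and the path pattern are placeholders chosen for illustration, not hosts from the post; replace them with what you actually see in your own proxy logs.</p>

```text
# user.action -- added example, not from the original post. The User-Agent
# value, the domains and the path below are placeholders for illustration.
#
# Privoxy loads this file from its main config file, which by default has:
#   listen-address  127.0.0.1:8118
#   actionsfile     user.action
# Point the browser's HTTP proxy at 127.0.0.1:8118 to route traffic through it.

# --- Apply to every URL (the pattern "/" matches everything) -----------------
# hide-user-agent: send a fixed string with one dot removed (rv:1.9.0.10 has
#   become rv:1.9.010), so it survives a quick glance at a server log.
# hide-referrer{conditional-block}: drop the Referer header only when the
#   request leaves the site the link was on; same-site referrers are kept so
#   fewer sites break.
# session-cookies-only: strip Expires/Max-Age from incoming cookies, so every
#   cookie is discarded when the browser closes.
{ \
+hide-user-agent{Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.010) Gecko/2009042316 Firefox/3.0.10} \
+hide-referrer{conditional-block} \
+session-cookies-only \
}
/

# --- Ad and web-bug hosts (placeholder domains) ------------------------------
# A pattern beginning with a dot matches every hostname ending in that suffix.
# block stops the request; handle-as-image plus set-image-blocker{blank}
# answers image requests with a blank image instead of a broken-image icon,
# which is all a 1x1 tracking pixel would have rendered as anyway.
{ +block{Banner ads.} +handle-as-image +set-image-blocker{blank} }
.ads.example.com
.banners.example.com

# Same treatment for a single tracking pixel at the root of a host.
{ +block{Tracking pixel.} +handle-as-image +set-image-blocker{blank} }
.tracker.example.net/pixel\.gif

# --- A site you must still reach but do not want to be tracked by ------------
# Refuse cookies in both directions rather than merely shortening their life.
{ +crunch-incoming-cookies +crunch-outgoing-cookies }
.analytics.example.org
```

<p>Privoxy re-reads its action files when they change, so no restart is needed. To confirm the scrubbing is actually happening, open <code>http://config.privoxy.org/show-request</code> in the proxied browser to see the headers Privoxy is forwarding, and <code>http://config.privoxy.org/show-url-info</code> to check which actions apply to a given URL. Two caveats a user of this setup should keep in mind: Privoxy as described here only sees cleartext HTTP, so anything inside an HTTPS connection passes through the CONNECT tunnel untouched with its real User-Agent, Referer and cookies; and a fixed, slightly odd user-agent on every request is itself a stable identifier to anyone who looks closely.</p>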
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/05/scrubbing-the-web/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>A case for compliance</title>
		<link>http://www.securitycatalyst.com/2009/05/a-case-for-compliance/</link>
		<comments>http://www.securitycatalyst.com/2009/05/a-case-for-compliance/#comments</comments>
		<pubDate>Mon, 11 May 2009 11:00:57 +0000</pubDate>
		<dc:creator>Guest Blogger</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[government policy]]></category>
		<category><![CDATA[regulations]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=1708</guid>
		<description><![CDATA[by Wim Remes This blogpost was triggered by something I experienced on the job, and a follow-up discussion I had with a few people. It even became more relevant as I discussed it with more people. As Security professionals we tend not to believe in compliance. The reason is simple : compliance usually ends up [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/05/bucket2.jpg"><img class="alignright size-full wp-image-1791" title="bucket2" src="http://www.securitycatalyst.com/wp-content/uploads/2009/05/bucket2.jpg" alt="bucket2" width="150" height="150" /></a><strong>by Wim Remes</strong></p>
<p>This blogpost was triggered by something I experienced on the job, and a follow-up discussion I had with a few people. It even became more relevant as I discussed it with more people.</p>
<p>As Security professionals we tend not to believe in compliance. The reason is simple : compliance usually ends up with asking users to tick boxes periodically to stay compliant. Preferably at as low a cost as possible with the least of impact on the business.</p>
<p>Today, I think differently.</p>
<p>First off, you must realize that I don&#8217;t live in the United States. I&#8217;m European, Belgian if you want to narrow it down even further. The companies I deal with occasionally touch on PCI, and in rare cases SOX. For the majority of companies however, compliance is a choice (ISO, COBIT, SAS-70 and the like). In general there are two things we have to keep in mind and those are our national privacy law &#8211; protecting Personally Identifiable Information (PII) &#8211; and a collective labor agreement (which is largely based on the aforementioned law) protecting employee privacy. For banking and insurance companies there are additional regulations (largely based on BASEL II). Healthcare largely relies on the privacy law. To many that may sound like a good thing, until you come across a situation where you realize that regulatory requirements would help you to gain a higher level of security. Read on &#8230;</p>
<p>As we were reviewing an application that is used to handle PII, we saw some amazing stuff. A user needs to fill in a username and password and then has to select a few parameters for his connection before actually logging in. The parameters indicate where he is working (the site), for which department he will be working, and in what role. Much to our astonishment, the choice of parameters is limited solely based on the username entered (authentication happens at a later stage). Additionally, this application keeps a user cache and a workstation cache (in a database) that ensures that a user doesn&#8217;t have to fill in everything the next time he opens the application. Without getting too technical, it was possible to log in with a user using roles and responsibilities that wouldn&#8217;t be available under normal circumstances. As we were talking this through, it became clear that the vendor of the application didn&#8217;t care about this problem. The reason was obvious &#8211; there was no way that we could make him <strong>own</strong> the problem. It wasn&#8217;t <strong>his</strong> problem.</p>
<p>I&#8217;m clearly staying vague about the details of the situation, but in my humble opinion this is a situation where regulatory compliance requirements clearly would have helped a great deal. It would have forced this vendor to take security into consideration in his development lifecycle, and it would probably have even prevented this application from being released as it was. In such cases, compliance actually becomes an enabler for security. Because there are no regulations, the only thing a vendor has to worry about is keeping his cost as low as possible. Any investment in security lowers his margin. At that level, the choices the vendor made are understandable.</p>
<p>As an organisation, I believe you do your utmost to protect the information that is invaluable for you and your customers. As a consultant I do my best to provide top quality services to secure that information. I am convinced that most hardware and software vendors sincerely want to help us with quality products to achieve our goals. When it comes to rules and regulations, I now believe they can keep the &#8220;cowboys&#8221; in check. And that alone is a major achievement.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/05/a-case-for-compliance/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Career Advice for Security Geeks, Part 2</title>
		<link>http://www.securitycatalyst.com/2009/05/career-advice-for-security-geeks-part-2/</link>
		<comments>http://www.securitycatalyst.com/2009/05/career-advice-for-security-geeks-part-2/#comments</comments>
		<pubDate>Wed, 06 May 2009 11:00:49 +0000</pubDate>
		<dc:creator>Guest Blogger</dc:creator>
				<category><![CDATA[Career Compass]]></category>
		<category><![CDATA[career]]></category>
		<category><![CDATA[career management]]></category>
		<category><![CDATA[job search]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[security career]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=1716</guid>
		<description><![CDATA[by Bill Pennington Maybe you didn&#8217;t see my last post in time to save your job, and you are now out on the street looking for one. I have been hiring people for close to 10 years now, and hiring today is a lot different than it was 10 years ago. These tips are based [...]]]></description>
			<content:encoded><![CDATA[<p><strong>by Bill Pennington<a href="http://www.securitycatalyst.com/wp-content/uploads/2009/05/calssifieds.jpg"><img class="alignright size-medium wp-image-1777" title="calssifieds" src="http://www.securitycatalyst.com/wp-content/uploads/2009/05/calssifieds-300x225.jpg" alt="calssifieds" width="300" height="225" /></a></strong></p>
<p>Maybe you didn&#8217;t see my last post in time to save your job, and you are now out on the street looking for one. I have been hiring people for close to 10 years now, and hiring today is a lot different than it was 10 years ago. These tips are based on what I see coming in these days in terms of resumes, and what I do when I see a resume that is at least passable.</p>
<p>1. Customize your email. Every resume I see these days comes in via email, either directly to me or from one of our current employees. Make sure that email is customized to the company and position you are looking for. Nothing gets your resume ignored faster than an intro like, &#8220;I am really looking forward to expanding my role as a Snort IDS engineer,&#8221; when you are applying for a job as a web application tester. If you don&#8217;t care enough to change an email before you send it to me, then why the heck would I hire you?</p>
<p>2. Google your name and ALL your email addresses. That is what I am going to do. What does that show? Can I find your Facebook profile, your LinkedIn profile, and your personal blog about raising 400 cats in your one-bedroom apartment? Step back and think about what all the data says about you. Are you raging about your current employer? Detailing how you just hacked your neighbors&#8217; network? Talking about how much you really don&#8217;t want to work in security? All of those things are going to impact my decisions to even bring you in for an interview. Understand that and think about what you are displaying online. It is fine to be you and share, that is great, but understand that a stodgy insurance company might not hire a 30-something skateboarder (me) to be their CISO.</p>
<p>3. Use that network. There&#8217;s no faster way for you to get in the door than through a referral from someone I know or someone that currently works here.</p>
<p>4. Contact me via something other than email, such as <a title="Bill Pennington" href="http://twitter.com/Bill_Pennington" target="_blank">Twitter</a>, <a title="Bill Pennington" href="http://www.facebook.com/home.php" target="_blank">Facebook</a>, or even the phone. I get about 400 emails per job posting, and nothing is going to make you stand out more than showing the effort to reach out to me in another way. In this market you have to show initiative and drive; simply reaching out to me on Twitter will put you in that top 1% real quick.</p>
<p>5. Read our freaking website!! This is question #2 after, &#8220;Did you have any trouble finding the office?&#8221; And don&#8217;t lie because question #3 is, &#8220;Tell me what we do.&#8221; If you can&#8217;t be bothered to find out a little about the company you want to work for before the interview, what does that say about your work ethic? Nothing good, I can assure you. I am not expecting you to be able to give me a perfect elevator pitch, but I do expect you to have made the effort.</p>
<p>If you are currently out of work please follow the tips above and let me know if they speed up the process at all. Every job opening is getting flooded with resumes; you have to make an effort to rise above the fray to get seen, even if you are a rockstar.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/05/career-advice-for-security-geeks-part-2/feed/</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
		<item>
		<title>When a Breach Hits Home</title>
		<link>http://www.securitycatalyst.com/2009/05/when-a-breach-hits-home/</link>
		<comments>http://www.securitycatalyst.com/2009/05/when-a-breach-hits-home/#comments</comments>
		<pubDate>Mon, 04 May 2009 11:00:15 +0000</pubDate>
		<dc:creator>Guest Blogger</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=1718</guid>
		<description><![CDATA[by Michael Starks Bloggers and writers often lament the challenge of finding new material. When we do write about a topic, it is often a second-hand story, perhaps commenting on the big news of the day. This month is different, thanks to Gexa Energy, an electricity provider based in Houston, Texas. Last month, my wife [...]]]></description>
			<content:encoded><![CDATA[<p><strong>by Michael Starks<a href="http://www.securitycatalyst.com/wp-content/uploads/2009/05/door.jpg"><img class="alignright size-medium wp-image-1782" title="door" src="http://www.securitycatalyst.com/wp-content/uploads/2009/05/door-200x300.jpg" alt="door" width="200" height="300" /></a></strong></p>
<p>Bloggers and writers often lament the challenge of finding new material. When we do write about a topic, it is often a second-hand story, perhaps commenting on the big news of the day. This month is different, thanks to Gexa Energy, an electricity provider based in Houston, Texas.</p>
<p>Last month, my wife received a letter from Gexa Energy informing her that a data breach may have involved her non-public personal information. I guess they weren&#8217;t entirely sure. The letter describes how their monitoring systems alerted them to the intrusion on April 30, 2008, the date of the incident. The breach was contained and there is no evidence of any improper use of her information (had her information ever actually been involved). They even caught the person responsible and are prosecuting them, Gexa says.</p>
<p>Did you notice the timeframe between the discovery of the breach and the notification? I didn&#8217;t, until I read about it again in a news story. Almost a year passed before they let anyone know. But don&#8217;t worry, law enforcement told them not to tell anyone.</p>
<p>The letter went on to list the types of information that might have been accessed, which included the usual suspects: drivers license number, social security number, date of birth and so on. The next underlined sentence emphasized that no credit card numbers or bank account numbers were compromised.</p>
<p>Gexa was even helpful enough to point my wife to some sources for credit monitoring and reports, although these are already free resources. Finally, they created the ironically titled http://www.gexaenergy.com/dataprotection site to help everyone feel better about the whole thing. The letter closed with the usual statement of how they take things real serious-like and how they deeply regret her concern. No one signed the letter.</p>
<p>How a company responds after a breach is a strong indicator of their commitment to protecting your information. In this case, Gexa failed miserably. They:</p>
<p><strong>1.</strong> Failed to accept personal responsibility for the breach by not having an executive sign the letter.<br />
<strong>2.</strong> Failed to conclusively state what information had been accessed, and when.<br />
<strong>3.</strong> Made no offer to pay for personal credit monitoring.<br />
<strong>4.</strong> Used emphasis in the letter to minimize their culpability and responsibility.<br />
<strong>5.</strong> Made the inexcusable and legally questionable decision to wait almost a full year before notifying affected people of the breach.</p>
<p>Breaches happen. In today&#8217;s world, that&#8217;s a fact. With this breach, Gexa&#8217;s response only serves to remind us that honesty is the best policy. Passing the buck and failing to take personal responsibility will only alienate customers who might otherwise have been willing to forgive you.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/05/when-a-breach-hits-home/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Career Advice for Security Geeks, Part 1</title>
		<link>http://www.securitycatalyst.com/2009/05/career-advice-for-security-geeks-part-1/</link>
		<comments>http://www.securitycatalyst.com/2009/05/career-advice-for-security-geeks-part-1/#comments</comments>
		<pubDate>Fri, 01 May 2009 11:00:22 +0000</pubDate>
		<dc:creator>Guest Blogger</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[career advice]]></category>
		<category><![CDATA[layoffs]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=1491</guid>
		<description><![CDATA[by Bill Pennington Many of my contacts in the security sphere have recently gone through the dreaded layoff. Many of them have come to me for advice on finding a new position, and many of them ask me why they were in the position to be laid-off in the first place. I have had to [...]]]></description>
			<content:encoded><![CDATA[<dl>
<dt><img class="size-medium wp-image-1494 alignright" src="http://www.securitycatalyst.com/wp-content/uploads/2009/03/29078014_526e5a0b42-300x225.jpg" alt="Geeks" width="300" height="225" /></dt>
</dl>
<p><strong>by Bill Pennington</strong></p>
<p>Many of my contacts in the security sphere have recently gone through the dreaded layoff. Many of them have come to me for advice on finding a new position, and many of them ask me why they were in the position to be laid-off in the first place. I have had to layoff people in the past; sometimes it is easy and sometimes it is hard. Usually the first round of layoffs are the easiest for the person picking the victims. A few reasons why people are chosen in the first round of layoffs:</p>
<dl> </dl>
<p>1. Attitude &#8211; Are you the one always complaining about stuff like no free drinks, not enough vacation days, or having to work a few hours late every once in a while? Guess what? You are inching yourself closer to the top of the list for layoffs. If the manager has to cut, they are going to make it easier on themselves by cutting the people who make their job harder. If you need constant care and feeding, your boss is not going to have time to do that after he cuts 20% of his staff. However, if you are always the person who stays late, asks for extra work, and has a can-do attitude, then you are going to be much further down the list of casualties.</p>
<p>2. Aptitude &#8211; Then we get to the basic question; are you good at what you do? I am far more likely to keep the person who can do the work of three people vs. the person who is barely handling his current work load. Remember, I have to not only cut budget by 20% but also have to figure out how I am going to keep up with the current workload after I make those cuts. Which leads to&#8230;</p>
<p>3. Specialist vs. Generalist &#8211; This one gets a bit tricky, but for the most part I am going to keep a generalist around as opposed to a specialist, since my generalist can cover for the specialist. The generalist might take a bit longer to get something done, but it will get done. If I keep the specialist I am going to have a hard time getting them to do something outside their specialty. Again, it is important to understand the dynamics. I have no choice but to let some people go, and being human, don&#8217;t want to be let go the next time around. I don&#8217;t want to give my boss a reason to put me on the layoff list. This is totally selfish but a very realistic reaction. The team I have left is going to have to do just as much, if not more, after I let people go. If you find yourself becoming a one-trick-pony, work harder to diversify and learn new skills. Don&#8217;t be the Check Point firewall guru and <em>only</em> the Check Point firewall guru; the more you know and can do the more likely it is that you will survive the first-round layoffs.</p>
<p>4. Say &#8220;Yes&#8221;, always &#8211; This is a tough one for security people, since we are generally used to dealing with absolutes. It is pretty clear to us that deploying an unpatched Windows XP system on the internet is a bad idea. Deploying ATMs based on an unpatched Windows XP system and then hooking that to the internet makes me want to scream, &#8220;Nooooooooo!&#8221; but from a business standpoint that might be an acceptable risk. I always say &#8220;This is what we need to do in order for that to be secure.&#8221; Since you are not the &#8220;always-say-no&#8221; security guy, the more people who like you, the safer you are.</p>
<p>5. Sometimes you&#8217;re just unlucky &#8211; If I have to make cuts and everyone is great, it is going to come down to a &#8220;gut&#8221; call. All the above points are going to come into play, but in the end the differences are going to be so small that you really could not have done anything more to stay off the list.</p>
<p>If you find yourself in this unfortunate position, I will discuss ways to get out of it in Career Advice for Security Geeks, Part 2.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/05/career-advice-for-security-geeks-part-1/feed/</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
		<item>
		<title>12 Steps of IT Security Anonymous</title>
		<link>http://www.securitycatalyst.com/2009/04/12-steps-of-it-security-anonymous/</link>
		<comments>http://www.securitycatalyst.com/2009/04/12-steps-of-it-security-anonymous/#comments</comments>
		<pubDate>Wed, 29 Apr 2009 11:00:25 +0000</pubDate>
		<dc:creator>Guest Blogger</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[resolution]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=1403</guid>
<description><![CDATA[by James Costello The scene opens on a small room in a coffee house in any town. A group of geeks sit in a circle drinking lattes, cappuccinos and double shot skinny caramel macchiatos. One man stands and says &#8220;My name is James and I am addicted to IT security.&#8221; (Group responds): Hi, James. All right, [...]]]></description>
			<content:encoded><![CDATA[<dl id="attachment_1406" class="wp-caption alignright" style="width: 310px;">
<dt class="wp-caption-dt"></dt>
</dl>
<p class="MsoNormal"><strong>by James Costello</strong></p>
<p class="MsoNormal">The scene opens on a small room in a coffee house in any town. A group of geeks sit in a circle drinking lattes, cappuccinos and double shot skinny caramel macchiatos.</p>
<p class="MsoNormal">One man stands and says &#8220;My name is James and I am addicted to IT security.&#8221;</p>
<p class="MsoNormal">(Group responds): Hi, James.</p>
<p class="MsoNormal">All right, I am not really addicted to IT security, but the 12 steps that those working through their own issues rely upon, can teach us a few things about our own work.</p>
<p class="MsoNormal">12 Steps of IT Security Anonymous</p>
<ol style="margin-top: 0in;" type="1">
<li class="MsoNormal">We admitted that we are powerless over security &#8211; that our lives had become unmanageable.</li>
<li class="MsoNormal">We came to believe that a device or application could return us to sanity.</li>
<li class="MsoNormal">We made a decision to turn our will and our lives over to the care of the device or application.</li>
<li class="MsoNormal">We made a searching and fearless inventory of our networks, servers, and computers.</li>
<li class="MsoNormal">We admitted to our boss, to ourselves, and to another human being the exact nature of our security problems.</li>
<li class="MsoNormal">We are entirely ready to have all these system defects removed, some requiring root access.</li>
<li class="MsoNormal">We humbly asked the administrators to remove our system shortcomings.</li>
<li class="MsoNormal">We made a list of all persons we had wrongly allowed access and became willing to amend access lists.</li>
<li class="MsoNormal">We made direct amends to access lists whenever possible except when to do so would wrongly deny access to those with appropriate permissions.</li>
<li class="MsoNormal">We continued to take network, server and workstation inventory and when we found problems corrected them.</li>
<li class="MsoNormal">We sought through prayer, hopefulness, and a bit of luck to avoid any serious security incidents.</li>
<li class="MsoNormal">Having made a mental awakening as the result of the steps, we tried to carry this message to other security professionals and to practice these principles in all our network and system operations.</li>
</ol>
<p>Maybe I am stretching a bit with this, dear reader, but we can learn a lot.</p>
<ol>
<li>Admitting that there is an issue makes resolving it faster and more straightforward.</li>
<li>Directly pursuing a resolution to an issue will also reduce its length and severity.</li>
<li>We are not alone in our work; seeking assistance and advice will speed resolution and provide opportunities to learn from our peers.</li>
<li>No one device or application will resolve all of our security problems, so we need an integration plan that uses the strengths of each device or application and mitigates the weaknesses of each as well.</li>
<li>We must be ready to work at it continuously because there will always be new challenges coming forth.</li>
</ol>
<p>So dear reader, are you ready to admit you have problems and get to work on resolution?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/04/12-steps-of-it-security-anonymous/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>Open Request To Salespeople</title>
		<link>http://www.securitycatalyst.com/2009/04/open-request-to-salespeople/</link>
		<comments>http://www.securitycatalyst.com/2009/04/open-request-to-salespeople/#comments</comments>
		<pubDate>Mon, 27 Apr 2009 11:00:51 +0000</pubDate>
		<dc:creator>Guest Blogger</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[salespeople]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=1391</guid>
		<description><![CDATA[by Adam Dodge A few months ago, Andy IT Guy (here and here) and Alan Shimel (here and here) engaged in a blog-vs-blog debate on dealing with security product salespersons. Having just returned from a great time at Source Boston, I now find myself dealing with the ever present post-conference sales calls. Instead of rehashing [...]]]></description>
			<content:encoded><![CDATA[<p class="MsoNoSpacing"><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/03/money.jpg"><img class="alignright size-medium wp-image-1392" title="money" src="http://www.securitycatalyst.com/wp-content/uploads/2009/03/money-300x225.jpg" alt="money" width="300" height="225" /></a></p>
<p><strong>by Adam Dodge</strong></p>
<p class="MsoNoSpacing">A few months ago, Andy IT Guy (<a href="http://andyitguy.com/2008/12/16/how-to-not-sell-me-security-products-part-2/">here </a>and <a href="http://andyitguy.com/2008/12/17/let-the-throw-down-begin/">here</a>) and Alan Shimel (<a href="http://www.stillsecureafteralltheseyears.com/ashimmy/2008/12/when-the-salesperson-goes-over-your-head-what-hurts-besides-your-ego.html">here</a> and <a href="http://www.stillsecureafteralltheseyears.com/ashimmy/2008/12/salesmen-are-from-mars-security-geeks-are-from-venus.html">here</a>) engaged in a blog-vs-blog debate on dealing with security product salespersons. Having just returned from a great time at Source Boston, I now find myself dealing with the ever-present post-conference sales calls. Instead of rehashing the points that Andy and Alan brought up in their posts, I thought I would spend some time listing a few requests to all salespeople reading this post.</p>
<p class="MsoNoSpacing"><strong>Request #1: Don&#8217;t approach our relationship as a sparring match</strong></p>
<p class="MsoNoSpacing">Let me start out by saying that I have no problem with salespeople and often welcome the information they provide. However, my time is not always my own at work. I have responsibilities that need to be attended to, meetings to attend and the occasional fire to put out. This means that there are days, and even weeks, when I am in and out of my office all day. If you call and receive my voicemail it is because I am busy, not because I am ducking your calls. Please feel free to leave a message or send me an email about your product. Whichever you choose, just make sure you do not keep calling over and over again without leaving a message. This type of behavior tends to sour my opinion of your company rather quickly.</p>
<p class="MsoNoSpacing"><strong>Request #2: Respect what I tell you at a conference</strong></p>
<p class="MsoNoSpacing">Often at conferences I&#8217;ll see a company I am not familiar with or a product that looks interesting. Being a curious fellow, I often stop at these booths to find out more information. However, I am always upfront and honest as to whether or not I feel it would be a good fit in my environment or if there is a budget for this type of product. Please respect this and forward it to your sales staff. I understand that these conference booths exist to help generate sales leads and I respect that. When forwarding my information to your salespeople, do not tell them I am interested in your product unless this is what I have stated. My time is limited (see above) and I find it annoying to have the same conversations with salespeople over the phone as I did in person at the conference.</p>
<p class="MsoNoSpacing"><strong>Request #3: Give me the data and let me decide</strong></p>
<p class="MsoNoSpacing">I understand the desire for salespeople and companies to highlight the major strengths of their products. After all, these strengths are exactly the reason I would want to purchase the product. However, if you are going to provide me with &#8220;proof&#8221; that your product is superior to the competition, I expect to be provided with the data behind these claims and the context for this data. If you do indeed have the better product, it should not be that hard to provide this information. Do not offer vague statements and unnamed sources and expect me to welcome your product with open arms. After all, if I am going to use my finite resources to purchase your product, I am going to do everything possible to ensure I get the best product possible for the money.</p>
<p class="MsoNoSpacing">At the end of the day, I need security products to help monitor and manage my environment. I rely on salespeople to provide me with information on their products, get me in touch with individuals inside their companies to answer my questions and to keep me up-to-date on new products that might be of use. I understand that you are simply trying to do your job because that is all I am trying to do myself. There is no need for ours to be an adversarial relationship. However, if you choose to approach the relationship as such, I will happily take my business to a competitor if necessary.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/04/open-request-to-salespeople/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>End Users: IT&#8217;s Biggest Barrier to Good Customer Service</title>
		<link>http://www.securitycatalyst.com/2009/04/end-users-it%e2%80%99s-biggest-barrier-to-good-customer-service/</link>
		<comments>http://www.securitycatalyst.com/2009/04/end-users-it%e2%80%99s-biggest-barrier-to-good-customer-service/#comments</comments>
		<pubDate>Wed, 22 Apr 2009 11:00:44 +0000</pubDate>
		<dc:creator>Ioana Bazavan Justus</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[customer service]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[user]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=1384</guid>
		<description><![CDATA[by Ioana Justus Ask any security professional what the biggest danger is to their organization&#8217;s security, and they&#8217;ll all say the same thing: end users. Some may be shocked at that answer, others will laugh ruefully, but it&#8217;s true. All it takes is one well-intended but computer illiterate person to bring any number of security [...]]]></description>
			<content:encoded><![CDATA[<p><span style="font-weight: normal;"><strong><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/04/barricade.jpg"><img class="alignright size-medium wp-image-1634" title="barricade" src="http://www.securitycatalyst.com/wp-content/uploads/2009/04/barricade-300x225.jpg" alt="barricade" width="300" height="225" /></a>by Ioana Justus</strong></span></p>
<p>Ask any security professional what the biggest danger is to their organization&#8217;s security, and they&#8217;ll all say the same thing: end users. Some may be shocked at that answer, others will laugh ruefully, but it&#8217;s true. All it takes is one well-intended but computer illiterate person to bring any number of security controls to their knees. And of course, getting the word out &#8211; getting users to do the right things (and not do the wrong things) &#8211; is one of the biggest challenges that organizations face today.</p>
<p class="MsoNormal">Well, it turns out that the biggest problem that IT has in delivering good customer service is also, yes, the end user. I can&#8217;t tell you how many times I&#8217;ve gotten phone calls from desperate customers, which began with, &#8220;I&#8217;m not IT.&#8221; Yes, I know you&#8217;re not IT. It&#8217;s OK.</p>
<p class="MsoNormal">For me this situation has generally been nothing more than amusing, sometimes mildly annoying. But then I started talking to others in IT, and I discovered shock, disgust, and rage. &#8220;I can&#8217;t BELIEVE they don&#8217;t get it!!!&#8221; &#8220;How can they NOT get it?!?!?!&#8221; &#8220;Why won&#8217;t they learn????&#8221;</p>
<p class="MsoNormal">My responses to this may be surprising:</p>
<p class="MsoNormal">&#8220;I can&#8217;t believe they don&#8217;t get it&#8221; &#8211; get over it. They don&#8217;t get it. Being shocked and spending cycles on it won&#8217;t change this.</p>
<p class="MsoNormal">&#8220;How can they NOT get it?&#8221;/&#8220;Why won&#8217;t they learn?&#8221; &#8211; it depends. Some have never been taught. Others may have tried to learn, but had a bad teacher. Unfortunately, some genuinely don&#8217;t care. Either way, it doesn&#8217;t matter &#8211; at least not initially.</p>
<p class="MsoNormal">Here&#8217;s the deal: when a customer comes and asks for IT help, they&#8217;re coming into your house. You shouldn&#8217;t expect them to know any more about IT than you know about corporate law or advertising. Remind yourself that they&#8217;re not inherently stupid or difficult &#8211; they just have a different area of expertise. If an end-user makes a point of telling you &#8220;I&#8217;m not IT&#8221; what they&#8217;re really saying is one of the following:</p>
<ul>
<li>I don&#8217;t think I&#8217;m smart enough to understand this.</li>
<li>I&#8217;m scared of this because in the past someone in IT talked down to me and made me feel stupid.</li>
<li>I don&#8217;t have time to understand this.</li>
<li>It&#8217;s not my job to understand this.</li>
<li>I don&#8217;t want to understand this.</li>
</ul>
<p class="MsoNormal">Unfortunately, their fear or previous bad experiences will often manifest themselves as impatience and rudeness. But getting upset by their lack of understanding or bad attitude sets you up for failure. It ensures that you will be condescending or impatient, which will result in a bad experience for both of you and have repercussions beyond that one encounter: you will be more grumpy with the next customer, the customer may complain to your boss, and the customer will become even more entrenched in, &#8220;I&#8217;m not IT.&#8221; Ultimately, it&#8217;s your own heart attack in the making, and it doesn&#8217;t do anyone any good.</p>
<p class="MsoNormal">So start by patiently assisting the customer with the issue at hand. Use terms they will understand, lead them through it, and help them gain the confidence that it&#8217;s not that hard. Make it a positive experience for them. Not only will it make both of your days better, but you will have built a relationship of trust, making it more likely that this individual will seek out your assistance in the future and listen to what you have to say. They will also feel more comfortable sharing their needs and fears with you, which sets you up for addressing the bigger problem: why they don&#8217;t learn.</p>
<p class="MsoNormal">At the end of the day, operating a computer is a lot like driving a car &#8211; you need to know which pedals to push, and what the warning lights on the dashboard mean. You also need to know the rules of the road. But you don&#8217;t need to know how to change your own oil or fix the engine.</p>
<p class="MsoNormal">If end users could learn some basic computer literacy skills &#8211; like drivers need to learn the basic operation of a car &#8211; it would make serving their needs a lot easier. Unfortunately, no one requires a license to operate a computer. This is where that positive relationship comes in: it gives you the opportunity to start probing into why the customer doesn&#8217;t have the basic skills. If they&#8217;re scared or don&#8217;t think they can do it, help them learn &#8211; even if it takes a little extra time. If they think they don&#8217;t have time, help them understand how learning will save them time in the future. If they think it&#8217;s not their job, help them understand how basic computer literacy will make their job easier.</p>
<p class="MsoNormal">If they simply don&#8217;t care, then don&#8217;t worry about it. As they say, you can take a horse to water &#8211; and make sure the water is clean, and even shove its nose into the trough &#8211; but you can&#8217;t make it drink. If you provide the best service you can, and win over many other customers by making their job and yours easier, no one is going to fault you for those few that just don&#8217;t want to participate.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/04/end-users-it%e2%80%99s-biggest-barrier-to-good-customer-service/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Coming Out of the &#8220;Cave&#8221;</title>
		<link>http://www.securitycatalyst.com/2009/04/coming-out-of-the-cave/</link>
		<comments>http://www.securitycatalyst.com/2009/04/coming-out-of-the-cave/#comments</comments>
		<pubDate>Mon, 13 Apr 2009 11:00:07 +0000</pubDate>
		<dc:creator>Trish Smith</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[communication]]></category>
		<category><![CDATA[IT]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=1451</guid>
		<description><![CDATA[by Trish Smith As recently as five years ago, if you worked for the tech department of most organizations, your job responsibilities were pretty clear-cut. You were expected to fix the hardware when it broke, &#8220;fix&#8221; the software when someone crashed a program, and install updates and software as necessary. The skills required were cut-and-dried, [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.securitycatalyst.com/wp-content/uploads/2009/03/cave.jpg"><img class="alignright size-medium wp-image-1456" title="cave" src="http://www.securitycatalyst.com/wp-content/uploads/2009/03/cave-226x300.jpg" alt="cave" width="226" height="300" /></a><strong>by Trish Smith</strong></p>
<p>As recently as five years ago, if you worked for the tech department of most organizations, your job responsibilities were pretty clear-cut. You were expected to fix the hardware when it broke, &#8220;fix&#8221; the software when someone crashed a program, and install updates and software as necessary. The skills required were cut-and-dried, and the surprises were pretty minimal. As far as information security was concerned, it was usually enough to simply hand down security measures and escape back to the sanctity of the IT &#8220;cave&#8221;.</p>
<p>We&#8217;ve come a long way, baby.</p>
<p>In the past few years, everything about the field has changed. Not only do job descriptions look drastically different, but the environment in which those jobs are taking place has changed. Budgets are smaller, the threats to organizations are greater, and the skills that are required have broadened. People in general are also more tech-savvy, which makes the job both more and less difficult. On one hand, IT is dealing less and less with people who are completely unfamiliar with computers and the internet; on the other, a little bit of knowledge can be a dangerous thing. People sometimes know just enough to create problems, and not enough to be able to fix them on their own.</p>
<p>In addition, we&#8217;ve come to the realization that it&#8217;s no longer enough to simply possess technical skills; IT workers now need to work with the rest of the organization to make security measures more successful. As I&#8217;ll discuss further below, success is much more likely when members of the organization are included in the process, rather than simply having security measures foisted upon them.</p>
<p>However, what this means for infosec employees is that they need a whole new set of skills, including the ability to communicate the value of what they do to fellow employees and to management. Job security is far from guaranteed for any member of the organization. Involving the rest of the organization in the development of security measures ensures buy-in from the organization for the measures and makes the success of these measures far more likely (and by extension, of the IT department as well).</p>
<p>How does involving those affected by security measures in the process make those measures more likely to succeed? First, simply by going to the employees themselves to get information about how they do their jobs, security measures become more specific to the people they&#8217;re actually supposed to help. A system that is designed around the people who are going to be using it is far more likely to be effective than one that isn&#8217;t.</p>
<p>Second, as people become more involved in the experience of creating these security processes, their fear of the measures that are introduced is diminished, making them more likely to comply and to be successful with such measures. They become partners in the security effort, and invested in its success.</p>
<p>True, change can be scary. But the opportunities inherent in such change make this an exciting time for the field. It&#8217;s not so bad out here after all.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/04/coming-out-of-the-cave/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Michael Santarcangelo Interviewed at Microsoft Small Business Summit (Segment 2)</title>
		<link>http://www.securitycatalyst.com/2009/03/michael-santarcangelo-interviewed-at-microsoft-small-business-summit-segment-2/</link>
		<comments>http://www.securitycatalyst.com/2009/03/michael-santarcangelo-interviewed-at-microsoft-small-business-summit-segment-2/#comments</comments>
		<pubDate>Fri, 20 Mar 2009 16:08:07 +0000</pubDate>
		<dc:creator>Michael Santarcangelo</dc:creator>
				<category><![CDATA[Videos]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[catalyst]]></category>
		<category><![CDATA[microsoft]]></category>
		<category><![CDATA[MSFT]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[SMB]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=1379</guid>
		<description><![CDATA[Join Michael Santarcangelo as he reveals essentials for businesses to protect their information. Michael was a featured guest at the Microsoft Small Business Summit to share strategies from his book, Into the Breach: Protect Your Business by Managing People, Information and Risk. In this second segment, Michael continues the explanation of the steps businesses must [...]]]></description>
			<content:encoded><![CDATA[<p><object width="640" height="510" data="http://blip.tv/play/AfSzQo6PFQ" type="application/x-shockwave-flash"><param name="src" value="http://blip.tv/play/AfSzQo6PFQ" /><param name="allowfullscreen" value="true" /></object></p>
<p>Join Michael Santarcangelo as he reveals essentials for businesses to protect their information. Michael was a featured guest at the Microsoft Small Business Summit to share strategies from his book, Into the Breach: Protect Your Business by Managing People, Information and Risk. In this second segment, Michael continues the explanation of the steps businesses must take to protect information, then reveals how the Catalyst Method(tm) explained in his book allows businesses to reduce costs and even increase revenue!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/03/michael-santarcangelo-interviewed-at-microsoft-small-business-summit-segment-2/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Michael Santarcangelo Interviewed at Microsoft Small Business Summit (Segment 1)</title>
		<link>http://www.securitycatalyst.com/2009/03/michael-santarcangelo-interviewed-at-microsoft-small-business-summit-segment-1/</link>
		<comments>http://www.securitycatalyst.com/2009/03/michael-santarcangelo-interviewed-at-microsoft-small-business-summit-segment-1/#comments</comments>
		<pubDate>Fri, 20 Mar 2009 00:05:45 +0000</pubDate>
		<dc:creator>Michael Santarcangelo</dc:creator>
				<category><![CDATA[Videos]]></category>
		<category><![CDATA[breach]]></category>
		<category><![CDATA[catalyst]]></category>
		<category><![CDATA[password]]></category>
		<category><![CDATA[privacy]]></category>
		<category><![CDATA[risk]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=1376</guid>
		<description><![CDATA[Join Michael Santarcangelo as he reveals essentials for businesses to protect their information. Michael was a featured guest at the Microsoft Small Business Summit to share strategies from his book, Into the Breach: Protect Your Business by Managing People, Information and Risk. In this segment, Michael discusses the impact of security breaches, the hidden damages [...]]]></description>
			<content:encoded><![CDATA[<p><object width="640" height="510" data="http://blip.tv/play/AfSyZY6PFQ" type="application/x-shockwave-flash"><param name="src" value="http://blip.tv/play/AfSyZY6PFQ" /><param name="allowfullscreen" value="true" /></object></p>
<p>Join Michael Santarcangelo as he reveals essentials for businesses to protect their information. Michael was a featured guest at the Microsoft Small Business Summit to share strategies from his book, Into the Breach: Protect Your Business by Managing People, Information and Risk. In this segment, Michael discusses the impact of security breaches, the hidden damages and explains his personal experience in how these events can happen to anyone. The segment ends with Michael outlining 5 steps every business must take to protect information.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/03/michael-santarcangelo-interviewed-at-microsoft-small-business-summit-segment-1/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How to Choose a Good Password</title>
		<link>http://www.securitycatalyst.com/2009/03/how-to-choose-a-good-password/</link>
		<comments>http://www.securitycatalyst.com/2009/03/how-to-choose-a-good-password/#comments</comments>
		<pubDate>Sun, 15 Mar 2009 12:25:12 +0000</pubDate>
		<dc:creator>Michael Santarcangelo</dc:creator>
				<category><![CDATA[Videos]]></category>
		<category><![CDATA[catalyst]]></category>
		<category><![CDATA[microsoft]]></category>
		<category><![CDATA[password]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=1369</guid>
		<description><![CDATA[]]></description>
			<content:encoded><![CDATA[<p><object width="560" height="340"><param name="movie" value="http://www.youtube.com/v/aGDvNq1c9zc&#038;hl=en&#038;fs=1"></param><param name="allowFullScreen" value="true"></param><param name="allowscriptaccess" value="always"></param><embed src="http://www.youtube.com/v/aGDvNq1c9zc&#038;hl=en&#038;fs=1" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true" width="560" height="340"></embed></object></p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/03/how-to-choose-a-good-password/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
		<item>
		<title>Avoiding the Best Practices Trap</title>
		<link>http://www.securitycatalyst.com/2009/01/avoiding-the-best-practices-trap/</link>
		<comments>http://www.securitycatalyst.com/2009/01/avoiding-the-best-practices-trap/#comments</comments>
		<pubDate>Wed, 21 Jan 2009 11:39:47 +0000</pubDate>
		<dc:creator>Guest Blogger</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[best practices]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/?p=993</guid>
		<description><![CDATA[By Joe Knape &#8220;Best Practice is, however, often a misused term. It is frequently used to support politically correct ideals which, in reality take no account of individual need or circumstances. In this sense the ensuing practice is far from &#8216;best&#8217; when the resulting effects are contrary to the real ideal situation. It is also [...]]]></description>
			<content:encoded><![CDATA[<p><strong>By Joe Knape</strong></p>
<blockquote><p><em>&#8220;Best Practice is, however, often a misused term. It is frequently used to support politically correct ideals which, in reality take no account of individual need or circumstances. In this sense the ensuing practice is far from &#8216;best&#8217; when the resulting effects are contrary to the real ideal situation. It is also used to prevent challenges to rules and systems that are, in reality, not best practice.&#8221;</em></p>
<p>&#8211; Wikipedia (http://en.wikipedia.org/wiki/Best_practice)<a href="http://www.securitycatalyst.com/wp-content/uploads/2009/01/trap.jpg"><img class="alignright size-medium wp-image-994" title="trap" src="http://www.securitycatalyst.com/wp-content/uploads/2009/01/trap-300x225.jpg" alt="trap" width="300" height="225" /></a></p></blockquote>
<p>As suggested by the Wikipedia entry, &#8220;best practices&#8221; often fall short of being best. Worse, blind adoption of such practices in a rapidly evolving field leads to stagnation in thinking and innovation. Best practices can even make things worse &#8211; by increasing risk &#8211; while leaving no way out for those trying to actually make a difference for the better.</p>
<p>Take, for example, anti-virus software. Multiple studies have shown that the effectiveness of anti-virus software has been decreasing in recent years. One such study is described here: <a href="http://www.h-online.com/security/news/item/Antivirus-protection-worse-than-a-year-ago-735697.html">http://www.h-online.com/security/news/item/Antivirus-protection-worse-than-a-year-ago-735697.html</a>.</p>
<p>Additionally, due to the pervasive nature of anti-virus software, any time a new device or access mechanism, say cellular phones or other portable &#8220;smart&#8221; devices, is being considered one of the first things that comes up is whether there is such software available for said device regardless of whether there is any real threat that exists and regardless of whether any risks might be actually mitigated by the use of such software. Now, am I saying that anti-virus software shouldn&#8217;t be installed? No, I can&#8217;t and won&#8217;t answer that question for you or your company.</p>
<p>What I am saying however, is that the implementation of anti-virus software tends to give people a false sense of security and this inability or unwillingness to look past anti-virus software at other viable solutions even when confronted with evidence of its ineffectiveness leads companies to unknowingly accept higher risk and makes it nearly impossible at times for security professionals who understand the risks and rewards involved to suggest and actually implement other, more innovative, and possibly more effective methods.</p>
<p>As we welcome a new year, we welcome new opportunity. One such opportunity is for security professionals to work together to rely less on &#8216;best practices&#8217; and focus more on&#8230;</p>
<p>When you hear the term &#8216;industry-best practice&#8217; ask yourself these questions and then try to stem the tide before the flood begins and it is too late:</p>
<ol>
<li>What is the definition of &#8220;best&#8221; and do you agree with it?</li>
<li>What is the basis to determine if the authors of the &#8216;best practice&#8217; are competent, complete and suited to your situation?</li>
<li>What initial conditions or assumptions are necessary for the &#8216;best practice&#8217; to be useful, and does your current situation meet them?</li>
</ol>
<p>If the answers to any of these questions leave you doubting the veracity or effectiveness of the &#8220;best practice,&#8221; then perhaps that particular practice shouldn&#8217;t be implemented. Most likely it is simply a process or procedure that originated in some failed or failing initiative, and it will eventually go sour and make things worse in the long run.</p>
<p>Of course, that&#8217;s easier said than done but since the Security Catalyst Community is here to help we will be offering some follow-up blog posts to address such questions as, how to use the rejected practices to discover and document possible alternatives, how to use what you discover to push back properly, and what to do in the all too often case where the practice is implemented regardless of the forces mustered against it.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2009/01/avoiding-the-best-practices-trap/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>In Defense of Breach Notification Laws (sort of)</title>
		<link>http://www.securitycatalyst.com/2008/12/in-defense-of-breach-notification-laws-sort-of/</link>
		<comments>http://www.securitycatalyst.com/2008/12/in-defense-of-breach-notification-laws-sort-of/#comments</comments>
		<pubDate>Thu, 18 Dec 2008 04:25:08 +0000</pubDate>
		<dc:creator>Guest Blogger</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[Breach Notification]]></category>
		<category><![CDATA[Identity Theft]]></category>
		<category><![CDATA[security]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/blog/?p=612</guid>
		<description><![CDATA[Starting with California&#8217;s 2003 law, all but a handful of states have now enacted breach notification laws (BNLs). Though each is subtly different, all notification laws recognize that if your identity, or Data Self, is treated as mere chattel, it is subject to fraud and abuse. These laws require data stewards to notify [...]]]></description>
			<content:encoded><![CDATA[<p><a href="http://www.securitycatalyst.com/wp-content/uploads/2008/12/defense.jpg"><img class="alignleft size-full wp-image-966" title="defense" src="http://www.securitycatalyst.com/wp-content/uploads/2008/12/defense.jpg" alt="defense" width="150" height="150" /></a>Starting with California&#8217;s 2003 law,<a name="note1"></a> all but a hand full of states have now enacted breach notification laws (BNLs).  Though each is subtly different, all notification laws recognize that a if your identity, or <a href="http://www.securitycatalyst.com/2008/11/when-did-my-personal-information-become-your-property/">Data Self</a>, is treated as mere chattel, it is subject to fraud and abuse.  These laws require data stewards to notify an individual when his identity has been lost or kidnapped.</p>
<p>Your identity or Data Self is a digital alter-ego: a collection of personal facts which has its own life, fallacies, and mortality. Data is Self, but data is also treated like property.  <strong>If Self is data, and data is property, then Self is property</strong>.  If your Self is the property of others, then it can be bought, sold, traded, lost, stolen, or damaged like any other form of property.  <em>Identity Theft</em> is just that:  Where a person&#8217;s Data Self is stolen and abused.</p>
<h2>Measures of BNL Success</h2>
<p>With five years of breach notification law experience, it is essential to ask, &#8220;<a href="http://www.securitycatalyst.com/2008/10/selective-notification/" target="_blank">Are they working?</a>&#8221; My shorthand answer is &#8220;yes, sort of.&#8221;</p>
<p>I&#8217;ll be the first to admit that breach notifications are noisy, and contain a strong element of political theater.  Some contend that notification laws may even be harmful, distracting and confusing consumers into thinking they aren&#8217;t at risk if they don&#8217;t receive a notice. I agree that as currently written, breach notification laws have several shortcomings.  But their success or failure should be measured in several ways:</p>
<ol>
<li>Decreased Incidence of Identity Theft</li>
<li>Increased Awareness and Identity Control</li>
<li>Decreased Risk Behaviors and Incidence of Breach</li>
<li>Increased Victims&#8217; Rights</li>
</ol>
<p><a name="idtheft"></a></p>
<h3>1. Decreased Incidence of Identity Theft</h3>
<p><strong>Q: Do breach notification laws decrease identity theft?</strong><br />
<strong>A: Probably not.</strong> Several breach notification laws emphasize the need to protect consumers from identity theft and other misuse of a person&#8217;s Data Self.<a name="note3"></a> However, researchers Sasha Romanosky, <a href="http://www.heinz.cmu.edu/~rtelang/rahul_res.html">Professor Rahul Telang</a>, and <a href="http://www.heinz.cmu.edu/~acquisti/index.html">Professor Alessandro Acquisti</a> presented a <a href="http://weis2008.econinfosec.org/papers/Romanosky.pdf">well-reviewed paper</a> which measured the change in the rate of reported identity thefts before and after data breach laws went on the books. Though drawn from incomplete FTC data, the paper convincingly demonstrates that breach notification laws have a negligible effect on reported identity theft rates.  Instead, the authors suggest that a state&#8217;s gross domestic product and general fraud rate have a much stronger correlation with ID theft.</p>
<p><a name="control"></a></p>
<h3>2. Increased Awareness and Identity Control</h3>
<p><strong>Q: Do breach notification laws increase identity risk awareness?  How about consumers&#8217; control over their identities?</strong><br />
<strong>A: Yes, to varying degrees.</strong> A cruel irony of data breaches is that the responsible organization is the only one who knows exactly what happened, and they have the strongest incentive to hide or skew the details.  Many breaches go under- or unreported, regardless of law.  Even well-intentioned organizations issue vague, incomplete, blame-shifting or liability-reducing press releases that leave victims in the dark.  In order to effectively empower consumers to conduct their own risk analysis, breach notifications must contain the following elements:</p>
<ul>
<li><strong>Who</strong>: The class of victims affected by the breach.</li>
<li><strong>What</strong>: A complete list of exposed information, not just the ones required by law.</li>
<li><strong>Where</strong>: Exposing entity&#8217;s contact information.</li>
<li><strong>How and When</strong>: Sufficiently detailed information about the how and when the breach occurred.</li>
<li><strong>How Much</strong>: Total number affected, Sensitivity of information exposed, Duration of exposure, and Distribution method (i.e., stolen laptop, online exposure, or dumpster).</li>
<li><strong>What Now</strong>: A clear statement of consumer&#8217;s legal rights (or lack of rights); Concrete actions taken by the organization to fix problems, mitigate risk, or remedy harm; Suggested actions for the victim.</li>
</ul>
<p>Of course, breach notification laws have much more lax reporting requirements than these.  And although I agree that the average breach announcement is &#8220;noisy,&#8221; I think it would be a mischaracterization to label them as nothing more than &#8220;noise.&#8221;  Even the least specific notifications build public awareness.  For better or worse, most public awareness of identity risks come from news bulletins about data breaches.  Although none of the announcements may put any particular individual on notice of a personal risk, these &#8220;noisy&#8221; notifications have a net positive effect of educating the population at large.</p>
<p><a name="risk"></a></p>
<h3>3. Decreased Risk Behaviors and Incidence of Breach</h3>
<p><strong>Q: Do breach notification laws decrease individual risk behavior?</strong><br />
<strong>A: Probably Not</strong>, but they have the potential to.  An effective notification must contain <em>actionable intelligence</em>, which means Intelligence plus Action.  For example, imagine that you are in a life raft in the middle of the ocean, with no hope of immediate rescue.  You see bubbles.  What do you do? You sink. You were able to gather intelligence, but had no way to act upon it. Intelligence without action breeds inaction.</p>
<p>However, imagine you&#8217;re on the same raft, and you see bubbles.  But this time you have a patch kit and a hand pump. This time you have actionable intelligence, and you will likely attempt to patch the raft and pump it up.</p>
<p>An alert is only effective when it empowers a person to act.  Typical breach announcements usually do nothing to empower individuals.  Effective breach notifications require both <em>intelligence</em> and <em>action</em>.  If either one of these elements is missing (as is often the case), it will fail to empower victims, and may even engender apathy.</p>
<p>Some suggest that in the current environment of data insecurity, consumers should be on constant high alert for identity theft, even without notice of a breach.  After all, your Data Self is constantly being traded without your knowledge or consent in IT and business environments of questionable reputes.</p>
<p>It&#8217;s a nice thought, but not very helpful. Being on high alert all the time is essentially the same as not being on alert any of the time.</p>
<p><strong>Q: Do breach notification laws encourage organizations to improve behavior?</strong><br />
<strong>A: Probably yes.</strong> The <a href="http://weis2008.econinfosec.org/papers/Romanosky.pdf">Romanosky paper</a> found that notification laws likely encourage businesses to take more stringent safety precautions with personal information, because of the economic incentive to avoid breaches.  However, the incentives to secure data do not appear to outweigh the market forces which devalue privacy.  Both the <a href="http://www.privacyrights.org/data-breach">Privacy Rights Clearinghouse</a> and the <a href="http://datalossdb.org/">OSF Data Loss Database</a> show a steady, and perhaps even increasing number of breach incidents and lost records each year. While part of this increase may be attributable to better reporting, there is no solid indication that data breach incidents are decreasing.</p>
<p><a name="rights"></a></p>
<h3>4. Increased Victims&#8217; Rights</h3>
<p><strong>Q: Do Breach Notification Laws Create New Rights for Consumers? </strong><br />
<strong>A: Absolutely yes.</strong> While not the silver bullet to cure all ails, breach notification laws are an important first step at creating rights for victims of breaches.  Before BNLs, nobody had the right to know whether their Data Self had been compromised.  Additional legislation will be necessary to address existing and emerging identity threats.  Especially as Data Selves are treated as property, our society runs a risk that the unregulated trade of personal information could morph into a new form of <a href="http://www.securitycatalyst.com/2008/11/when-did-my-personal-information-become-your-property/">digital human trafficking</a>.</p>
<h3>Legislative Improvements</h3>
<p>Breach notification laws are a first step in regulating the trade of Data Selves. The right information at the right time, given to the right people, coupled with a clear course of action will empower people and catalyze change. Here are six legislative suggestions to effectively protect and empower consumers:</p>
<ol>
<li><strong>&#8220;Stewards,&#8221; not &#8220;Owners&#8221;</strong>: Given the tenuous and dangerous legal basis for &#8220;owning&#8221; personal information, notification laws should replace the concept of &#8220;personal information owners&#8221; with &#8220;personal information stewards.&#8221; This change would help sharpen the distinction between Data as Self versus Data as Property, and emphasize that third parties can&#8217;t &#8220;own&#8221; a Data Self.  When Self is Data and Data is Property, then we run the risk that Self becomes Property.</li>
<li><strong>Expand Reporting Requirements</strong>: Breach notifications should provide actionable intelligence, including <em>who, what, when, how, how much, and &#8220;what now?&#8221;</em> of each breach.</li>
<li><strong>Standard Measures of Risk</strong>:  I suggest using Size, Sensitivity, Duration, and Distribution.</li>
<li><strong>Presumptive Loss</strong>: In order to successfully sue for a breach, a consumer must 1. Become an actual victim of identity theft, 2. Find the identity thief, 3. Prove that the thief&#8217;s copy of their SSN or other personal information came from the breaching entity, and 4. Prove that the entity had a legal obligation to keep that information private (a rare duty).  This is an unreasonable and often insurmountable burden of proof.  Instead, Tennessee has adopted a small presumptive &#8220;ascertainable loss&#8221;<a name="note5"></a> whenever a breach occurs. These nominal damages would recognize harm to reputation, apprehension, emotional distress, and violation of selfhood. They would also help counteract the market&#8217;s failure to value privacy.</li>
<li><strong>Require a Data Audit Trail</strong>:  Stewards of personal information should maintain standard inventory controls on personal information, recording with whom and when the personal information was shared.  This data trail would be used for data audits and could help establish causation in the case of a breach.</li>
<li><strong>Automatic Credit Reporting</strong>: Consumers should get an automatic notification at any activity on their credit.</li>
</ol>
<p><em>Aaron Titus is the Privacy Director for the <a href="http://www.libertycoalition.net">Liberty Coalition</a> and runs <a href="http://www.nationalidwatch.org">National ID Watch</a>, and welcomes feedback.</em></p>
<hr />
<h3>Footnotes</h3>
<p><a name="footnote1"></a> Cal. Civ. Code §§ 1798.82-84.<br />
<a name="footnote2"></a> <em>See, e.g.</em> N.H. Rev. Stat. § 359-C:2.<br />
<a name="footnote3"></a> <em>See, e.g.</em> Ga. Code § 10-1-910(4),(7).<br />
<a name="footnote4"></a> <em>See, e.g.</em> Cal. Civ. Code § 1798.81.5.(a).<br />
<a name="footnote5"></a> <em>Tenn. Code</em> § 47-18-2102(1).</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2008/12/in-defense-of-breach-notification-laws-sort-of/feed/</wfw:commentRss>
		<slash:comments>7</slash:comments>
		</item>
		<item>
		<title>Vacuums and Security</title>
		<link>http://www.securitycatalyst.com/2008/10/vacuums-and-security/</link>
		<comments>http://www.securitycatalyst.com/2008/10/vacuums-and-security/#comments</comments>
		<pubDate>Fri, 17 Oct 2008 10:52:48 +0000</pubDate>
		<dc:creator>Guest Blogger</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[change]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[vacuum]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/blog/?p=569</guid>
		<description><![CDATA[By Adam Dodge This weekend I finally did it. I was tired of the sub-par performance. Tired of being forced to redo the same job over and over again to get it right. Just plain tired of nothing working like it should. So I broke down. I had just had enough. This weekend I bought [...]]]></description>
			<content:encoded><![CDATA[<p><strong>By Adam Dodge</strong></p>
<p>This weekend I finally did it. I was tired of the sub-par performance. Tired of being forced to redo the same job over and over again to get it right. Just plain tired of nothing working like it should. So I broke down. I had just had enough. This weekend I bought myself a new vacuum.</p>
<p>That&#8217;s right, yours truly is the proud owner of a fancy new vacuum cleaner and, believe me, it was well worth the purchase price. The amount of &#8211; let&#8217;s call it crud &#8211; crud that I pulled off my floor was downright sickening. Yet, it was also amazing. Here I thought that I was actually cleaning when vacuuming and all I was doing was tricking myself. Yes indeed, the vacuum was an excellent purchase. As an added bonus, I now have all these new attachments with which to play.</p>
<p>So what does all of this have to do with information security? Plenty. Anyone working in the information security field knows the pain of trying to institute necessary changes and running into the all too frequent wall called &#8220;I&#8217;ve been doing it this way for X years&#8221;. (This wall is also known as &#8220;Other organizations are doing it this way&#8221;.) Like me with my broken vacuum, people are comfortable with familiarity and often resist changing until absolutely necessary.</p>
<p>One of the tenets that gets tossed around when implementing any type of security controls is to make the process as transparent as possible to the target audience. Generally, we take this to mean that the controls should be hidden away from the end user as much as possible. However, there is a better way. Whenever possible, we need to <strong>improve security by implementing solutions that offer minimal differences</strong> in all aspects. In other words, replace the broken vacuum with a new one, not a mop.</p>
<p>However, simply because I replaced my old, broken vacuum with a shiny new one does not mean that I will be happy with the purchase. After all, if my new vacuum required complicated setup or extra operating steps (for example, constantly having to change a bag) I would be annoyed. Luckily this was not the case: two screws and an on-off switch equals a happy Adam. The same is true for any new security controls. Replacing a control with a better, yet unfamiliar, control<strong> will only lead to frustration and avoidance of the new control</strong>.</p>
<p>Of course, new additions are not always a bad thing. For example, my vacuum came with a few attachments that I did not have before. Some of these attachments, like the upholstery cleaner, are welcome additions. (Long, white haired cat plus upholstery equals a chore!) However, other attachments, such as the &#8220;electro-static duster&#8221;, are not so useful.</p>
<p>The best part is that these additional components do not affect the main operation of the vacuum. The same should hold true for any security improvements we try to implement. Optional services need to be just that, optional. While these geegaws may add value, <strong>the main focus of the control needs to be the basic functionality of the control</strong>.</p>
<p>So there it is. Frustration with a bad vacuum cleaner leads to thoughts on how best to approach replacing outdated or non-functioning security controls. My mind works in mysterious ways. What are you still doing here? Go out and start selling vacuums at your organization.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2008/10/vacuums-and-security/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What’s Your Personal Unique Selling Proposition?</title>
		<link>http://www.securitycatalyst.com/2008/10/what%e2%80%99s-your-personal-unique-selling-proposition/</link>
		<comments>http://www.securitycatalyst.com/2008/10/what%e2%80%99s-your-personal-unique-selling-proposition/#comments</comments>
		<pubDate>Thu, 16 Oct 2008 10:52:31 +0000</pubDate>
		<dc:creator>Michael Santarcangelo</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[marketing]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[USP]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/blog/?p=571</guid>
		<description><![CDATA[By Joe Coates Picture this. You get on the elevator and realize you are alone with the CEO of your organization. He looks at you and says, “Tell me in 25 words or less what you do and why it is important to this company.” What would you say? Do you have an answer prepared? [...]]]></description>
			<content:encoded><![CDATA[
<p class="MsoNormal"><strong>By Joe Coates</strong></p>
<p class="MsoNormal">Picture this. You get on the elevator and realize you are alone with the CEO of your organization. He looks at you and says, “Tell me in 25 words or less what you do and why it is important to this company.”</p>
<p class="MsoNormal">What would you say? Do you have an answer prepared? Does your answer have words like “synergize” or “leverage” or other corporate vision-speak that means next to nothing?</p>
<p class="MsoNormal">As the current financial credit crisis spreads across the globe, it is imperative to your career that you give serious thought to crafting a Personal Unique Selling Proposition (USP) for your job.</p>
<p class="MsoNormal">So what’s a USP? The term was coined by an advertising and marketing heavyweight named Rosser Reeves in his 1961 book <span style="text-decoration: underline;">Reality In Advertising.</span> I believe the idea was best described by Dan Kennedy. He says your USP needs to communicate to your audience why they should choose you over all their other alternatives, including doing nothing. So from a Personal USP perspective, think about why your organization should choose you, above all other alternatives, to deliver the results you are expected to deliver.</p>
<p class="MsoNormal">Probably the most famous USP in recent history is Domino’s classic “Fresh, hot pizza delivered in 30 minutes or less, guaranteed.” Domino’s chose to focus on their ability to get the pizza to their customers hot and in a half hour or less. They never claimed the pizza would be any good. And thanks to that USP, they sold a lot of pizzas that were not very good. But they were hot, and they came pretty quick, and you didn’t have to go get ’em.</p>
<p class="MsoNormal">Michael Santarcangelo’s USP for his terrific book <span style="text-decoration: underline;"><a href="http://www.securitycatalyst.com/into-the-breach/" target="_blank">Into The Breach</a> </span>is his approach to protecting information by educating actual living, breathing, thinking human beings on how to consciously protect information. So while the market is preaching from the gospel of “Technology Will Save You”, Michael’s approach is to say technology is necessary and useful, but ultimately not enough if the people responsible for protecting information aren’t aware of the potential effects of their actions.</p>
<p class="MsoNormal">So how can you create a personal USP? This is a great mind mapping exercise. Start by plotting out what you are responsible for, and how that impacts the organization you work in. What organizations do you directly touch? What financial impact does your work have on the organization? What would happen if your role were eliminated?</p>
<p class="MsoNormal">Take your time with this. It is well worth the effort. So much of the marketing we are exposed to on a minute-by-minute basis is focused on being cute and clever, not on delivering an impactful statement on what makes the product or service unique. For inspiration take a good look around at Michael’s Security Catalyst website and see how his positioning is so different from the rest of the IT security consulting marketplace. Then, for the rest of the day really ponder the ads, PowerPoint presentations (UGH!), radio spots and TV commercials and notice if any of them communicate a unique message about what they are selling. My guess is you’ll find less than 10% do. More likely less than 5%.</p>
<p class="MsoNormal">In closing, remember what Thomas Edison said: “Opportunity is missed because it is dressed in overalls and looks like work.” Do the hard work to develop your Personal USP. Then deliver on it and see the difference it makes in your career.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2008/10/what%e2%80%99s-your-personal-unique-selling-proposition/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Reminder: Catalyst Live! Talkcast tomorrow, 2pm ET</title>
		<link>http://www.securitycatalyst.com/2008/09/reminder-catalyst-live-talkcast-tomorrow-2pm-et/</link>
		<comments>http://www.securitycatalyst.com/2008/09/reminder-catalyst-live-talkcast-tomorrow-2pm-et/#comments</comments>
		<pubDate>Thu, 18 Sep 2008 15:00:27 +0000</pubDate>
		<dc:creator>Michael Santarcangelo</dc:creator>
				<category><![CDATA[Podcast]]></category>
		<category><![CDATA[catalyst]]></category>
		<category><![CDATA[freeware]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[symantec]]></category>
		<category><![CDATA[talkcast]]></category>
		<category><![CDATA[talkshoe]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/blog/?p=532</guid>
		<description><![CDATA[I take the stage today to share some insights on &#8220;Awareness that Works&#8221; &#8211; live in Nashville, TN. In the event you were unable to join me in Nashville (or even if you did), we can keep the conversation going tomorrow during the first Catalyst Live! talkcast: Join me on Friday – September 19th – [...]]]></description>
			<content:encoded><![CDATA[<p>I take the stage today to share some insights on &#8220;Awareness that Works&#8221; &#8211; live in Nashville, TN. In the event you were unable to join me in Nashville (or even if you did), we can keep the conversation going tomorrow during the first Catalyst Live! talkcast:</p>
<p class="MsoNormal">Join me on <a href="http://www.talkshoe.com/talkshoe/web/tcForward.jsp?masterId=25233&amp;cmd=tcf">Friday – September 19<sup>th</sup> – at 2pm ET (11am PT) for Catalyst Live!</a> – a live chat hosted by Michael Santarcangelo. This week, we look deeper into my recent freeware experience and welcome Dave Cole from Symantec to the call.</p>
<p class="MsoNormal">I’ll be monitoring twitter and the talkshoe client during the call, allowing us to field live calls, chats and instant messages. Participate in the conversation!</p>
<h1>Join In!</h1>
<p class="MsoNormal">Join the conversation on <a href="http://www.talkshoe.com/talkshoe/">TalkShoe</a> by using the spiffy browser-only client. For the more adventurous, check out the shiny <a href="http://www.talkshoe.com/talkshoe/web/Downloads.jsp?pushNav=1&amp;cmd=download">TalkShoe Pro Java client</a>.</p>
<p class="MsoNormal">To listen and join in – including to ask questions and engage in the conversation – launch your browser and click here: <a href="http://www.talkshoe.com/talkshoe/web/tcForward.jsp?masterId=25233&amp;cmd=tcf">http://www.talkshoe.com/tc/25233</a> on Friday at 2pm ET.</p>
<p><span>Call in on regular phone or VOIP lines: dial (724) 444-7444 and enter the talkcast ID, 25233.</span></p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2008/09/reminder-catalyst-live-talkcast-tomorrow-2pm-et/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Don’t Ignore the Facebook Virus</title>
		<link>http://www.securitycatalyst.com/2008/08/don%e2%80%99t-ignore-the-facebook-virus/</link>
		<comments>http://www.securitycatalyst.com/2008/08/don%e2%80%99t-ignore-the-facebook-virus/#comments</comments>
		<pubDate>Fri, 08 Aug 2008 22:00:53 +0000</pubDate>
		<dc:creator>Michael Santarcangelo</dc:creator>
				<category><![CDATA[Catalyst Considerations]]></category>
		<category><![CDATA[catalyst]]></category>
		<category><![CDATA[facebook]]></category>
		<category><![CDATA[security]]></category>
		<category><![CDATA[virus]]></category>

		<guid isPermaLink="false">http://www.securitycatalyst.com/blog/?p=504</guid>
		<description><![CDATA[By David E. Stern, CISSP Every day, dozens of new vulnerability or virus alerts are released to warn and inform the public. The IT community, including those in IT security have become fairly numb to these alerts. For the most part, as long as patches are pushed out, and antivirus signatures are kept up to [...]]]></description>
			<content:encoded><![CDATA[<p><strong>By David E. Stern, CISSP</strong></p>
<p class="MsoNormal">Every day, dozens of new vulnerability or virus alerts are released to warn and inform the public. The IT community, including those in IT security, have become fairly numb to these alerts. For the most part, as long as patches are pushed out, and antivirus signatures are kept up to date, these releases make little impact. The occasional worm or botnet will grab headlines, but the accompanying vigilance soon fades. It’s an unfortunate consequence of the virulent Internet environment.</p>
<p class="MsoNormal">I have never had much interest in using my Facebook account, so when I saw the advisory relating to Facebook and Myspace virus activity, I let it fade into the background noise. In fact, my inbox was filling up with “silly” Facebook notifications to the point of annoyance, so I logged in with the intention of clearing out my connections. Taking stock of the large number of friend associations that I had led me to an AHA moment: EVERYONE uses Facebook.</p>
<p class="MsoNormal">Facebook isn’t just a toy for fiending teens. It is used by people of all ages on all of their computers, whether at work or at home. It is a fertile breeding ground and conduit for Web 2.0 content. In this case, it is the perfect launch pad for a worm: huge market penetration and a very large and mainly clueless wetware population.</p>
<p class="MsoNormal">The same can certainly be said about most other virus outbreaks. But in the case of Facebook, there are simply too many good reasons to make that fateful click. Users may think twice about falling for a phishing scam or even clicking on the dancing pig, but Facebook is the forbidden apple. I am not advocating taking any actions against Facebook use. The resulting effort would be a waste of time.</p>
<p class="MsoNormal">Consider the following example: A toy manufacturer announces a recall of a popular toy due to a dangerous chemical contained within. Your child doesn’t have the toy, but you will probably want to make sure that his school and friends don’t have it either.</p>
<p class="MsoNormal">Take the time to generate an internal email blast warning all employees to be extra careful. Spend a little more time looking at security logs. Finally, take a walk over to the help desk manager and ask him to keep an eye out for increased ticket volume.</p>
<p class="MsoNormal">Don’t ignore this one.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.securitycatalyst.com/2008/08/don%e2%80%99t-ignore-the-facebook-virus/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>

