Security's Everyman

Wednesday, December 31, 2008

Farewell 2008

I hope everyone has a great New Year. 2008 was an interesting year to say the least. Let's hope that 2009 keeps us on our toes and that it's one where we kick some bad guys' butts. :)

Thursday, December 18, 2008

Managing Expectations

I've been dealing with sales people most of my career in technology. When I first got started in the field I had to deliver on the promises that they made to the customer. That or try to explain why what the salesman told him didn't really mean what he thought it meant. Then I moved into a position where I had to start dealing with them as the customer. I learned early on that some would do anything to make a sale. They would say anything, talk to anyone and that the price could always get a little better. Then there are those who were up front with you and who seemed to really have your best interest at heart. They are the ones who aren't afraid to tell you that their product doesn't meet your requirements. They will tell you that they can maybe get special pricing and it isn't tied to you making a decision today. They are the ones who really seek to know your environment so that they can recommend a solution that will honestly work for you.

Alan says that the problem that exists between sales and client is that neither really takes the time to understand the other. While I think that it will be beneficial to all parties for that to happen I don't agree that the problem lies there. I must say that most of the sales people that I've dealt with have been quality sales people who are good at what they do because they do try to understand their clients' needs. I also think that whereas I may not truly understand the life of a sales person I do understand that they are dealing with their own set of challenges. I understand that they have to sell if they want to eat and keep their job. How can I best help them? By managing expectations. When I talk with someone about their product I try to be upfront with them if there is not a fit. I also try to be upfront with them as to when I may be ready to make a decision.

If I'm looking at deploying a solution whether it be vulnerability management, database monitoring, AV or anything else I will start gathering information several months in advance. Why? Because I've got several projects that I'm working on and I've got to ensure that the solutions work together and not against each other. Also I may actually do an eval way ahead of time just because it works for me to do it then. What I've noticed is that some sales people take that to mean I'm ready to buy. Even if I tell them that the project is months down the road. I try to manage their expectations so that they aren't investing lots of time in something that isn't going to happen for a while. If they are smart they will step back, stay in touch and be patient. Some have actually gotten upset that I was looking that far out and when I reached out to them closer to time they wouldn't submit a quote.

I've also learned that I need to manage their expectations once I've made my choice. This is something new to me because for the first time in my career I work for a company that has a procurement department. Always in the past when I made my decision I submitted it to Management and if they approved it then the order was placed within a few days. Here things are different. I make my decision, go to Management for approval and then it goes into the abyss called procurement. Once there all sorts of things may happen and then usually it emerges on the other side with a PO attached. That process can be anywhere from a couple of weeks to months but for me it had always been 6 to 8 weeks. Based on this I told an Account Rep that we should have no problem getting a PO cut by a certain date. That was my mistake. The date came and went and the PO was nowhere to be seen and procurement wasn't talking. The problem is that I had gotten VERY aggressive pricing on this and the Account Rep was new with the company so when the order didn't materialize within the set time frame her boss started to question her judgement in believing my reasons for wanting such aggressive pricing. If she had not been new then her boss probably would have just said something like "Don't be so gullible next time", but in this case it was more like "Did we really make a good choice in bringing her on?". Of course I felt terrible because all of this was based on my lack of managing expectations. I've since learned that I need to do a better job of this. Actually that is what I was trying to do with the sales person that I'm now unhappy with. Yet in this case she wants to set herself up for failure instead of allowing me to try and help her.

So, yes we could all benefit from understanding each other better but more importantly we can all benefit by being upfront with each other. If I don't want to talk or don't have a need then so be it. If I tell you "Call me later" then that's what I mean. If you tell me your product can do X then it really better be able to do it without me having to jump through hoops. If it can't do it then just say so.

How about this. I know that my blog is read by techies, managers, sales, PR, and others. If we want things to work better then take my advice: be honest, manage expectations and work together. Quit putting sales people off just because you don't want to deal with them. Tell them "not now call me in X weeks" or "please don't call me, I'll call you when I'm ready". Then when we do tell sales something they will believe us and not feel like we're giving them the runaround. For those of you in sales if we can call next month then call next month. Don't be pushy, don't try to tell us that you can "help" us speed up procurement. If we tell you that there is no way to get this done by the end of the month quit pressuring us with the latest deal of the moment.

One last thing. @anton_chuvakin made a comment on twitter yesterday that went something like this "XYZ "software suite is the most powerful and comprehensive system... in existence." Some people who do marketing are stupid :-)" I replied back "I had 27 sales people tell me that about their product last week" then Dr. A replied back with "well, all 27 were repeating what 1 marketing person told them :-)" I figure that one marketing person was Rothman. :)

Wednesday, December 17, 2008

Let the throw down begin!

Today Alan Shimel took me out to the wood shed and spanked me! So all in the spirit of good fun we're gonna go toe to toe and work this out.

My job here is to manage the security program. Part of my responsibilities is to evaluate products and make recommendations based upon the defined requirements and the ability of a product to meet those requirements. My CIO's job is to manage the entire IT organization and make sure that what we do matches up with the business requirements of the company. He does not evaluate and recommend products. If a sales person goes to him he sends them to the appropriate department to talk to the SME.

Alan asks "But also who dropped dead and made Andy the single point of contact?"
Andy answers "My CIO made me that point of contact (although he is still living). At least until we are ready to move forward and his input is required. That does make me a gate keeper of sorts but only because that's how we do things here."

Alan asks "Is Andy not only making the technical decisions but the business and financial ones as well?"
Andy answers "No, I'm not making the business and financial decisions but I do have significant input into the role of security in the business. That is what Security Managers do. They are given information regarding business needs, goals and requirements and they make decisions and recommendations based upon them."

Alan asks "Is Andy the person signing the checks?"
Andy answers "Again, No. I do work within a budget and also part of my job is to ensure that we are spending our budget dollars wisely. So, that's kinda like saying what checks get signed."

Alan says "Here is what I have preached to sales people for years. It is imperative that they multi-thread into an account. Knowing the Andy's of the world is not enough to get the deal done. A good sales person should have relationships with people up and down the organization, including the ability to pick up the phone and speak to the CIO (especially if it is not some Fortune 100 type company). Does Andy really relish his role as the gatekeeper? Is it an ego thing?"
Andy replies "I understand Alan's point about having multiple levels of contact within a company because there are lots of people out there who will give you the run around instead of being honest and telling you the truth. Especially people in technology because many of them are just not good with people. I think that if you are getting the run around then going up the ladder is a fine plan, but if you have been given multiple valid reasons why this is not the time to move forward and you still try to push forward then you have issues. If I was in sales and really needed to make a sale I surely wouldn't waste my time trying to sell to a company that has (I'll say it once again) already given multiple valid reasons why this is not the time to move forward. I'd focus on a sale that I had a chance to make. Not to mention that having relationships also means that you maintain them at ALL levels. Do you really think that you are gaining anything by pushing when you have been told to wait? Is it beneficial to damage a relationship to make one sale? The security community is a small and often tight group of people. I'm amazed that almost everywhere I go I run into someone that knows someone else that I know. You may make a sale here while damaging a relationship but what about the next time we cross paths? The chances are VERY good that it will happen."

Here's a little story that recently happened to me. I was at a conference and was introduced to someone by a friend. That person happened to work for a company in Atlanta and we exchanged cards. After the conference I was contacted by that person to talk about their product. I met her for lunch along with 2 others from the company. All 3 of them had worked together along with the friend who introduced us. We're sitting in a restaurant and one of them says "Does anyone know where so and so works now?" I said "Yeah, she's my vendor x rep". She had also worked with them. Then a few days later I get an email from another vendor rep who said "You remember the rep that I wanted to introduce you to from Vendor Y? Well, he told me that his wife had lunch with you the other day." She was the one from the first company. It's a small, small security world.

Alan says: "This salesperson was doing her job. She was not getting anywhere with Andy to her satisfaction and was multi-threading into the account. She could have been more up front with Andy about it, but my feeling is that anytime a security admin or manager "forbids" you from talking to other people in the organization they are overstepping their bounds and sending a message that this is not yet at the level of a real opportunity."
Andy replies: "Alan may have been reading another blog here because I can't find anywhere in there where I "forbid" her from anything. Maybe he's just drawing a conclusion. Kinda like the sales person concluded that I was only putting her off because I didn't want to bother with her or be honest with her. I also question his definition of what her job is. Her job is to sell product. That means that she finds potential clients (me), finds out what my needs are, determines what her product can do to meet those needs and convinces me that her solution is the best one for my needs. Her job is not to try and make a sale to someone whose job is not to manage security for the company. You don't go to the CMO to sell accounting software. If this were a small company where the CIO has more input in these decisions it would be different."

Come with me on a little journey. What if she had convinced him to buy her product? Well, that would only happen in one of a couple of ways. First, he decided to make the decision on his own not knowing what the business requirements for this product are. He has no business being CIO. Second, he comes to me and tells me that he wants it and asks for my input. I tell him we don't need it at the moment, there are more pressing projects and I haven't decided on a vendor. He still buys it. He has no business being CIO. So we now have a product that we don't currently need, may not meet all of our requirements, may not be the best fit or the best value for us and I have another piece to force into my security program.
Who wins?
Not me. I've now got another product forced on me and I am learning that my input and opinion are not really valuable to the company so why not move on.
Not my CIO. He has lost my respect and possibly my services. Now he has to find someone else to come in and learn the environment, business and everything else.
Not my company. They just spent a lot of money that wasn't necessary and may not meet their needs.
Not the sales person. She has damaged relationships with a potential customer down the road.
Not the vendor. They have now sold a product that if it doesn't do as expected or doesn't meet the business requirements will only cause the customer to have a bad taste in their mouth.
All of this could have been avoided if the sales person simply chose to wait until next year when a "real" decision could be made.

One last thing and then I'll stop.
Alan said: "I really think it is more about Andy's ego than any real threat."
Andy replies: I can assure you that my ego was the least of the things that were hurt. At least from a "who does he think he is?" perspective. I must admit that it was a little bruised because by going "over my head" he basically said "I know that Andy has already spent lots of time and effort telling me all of the reasons why this wouldn't happen this year but I think he is lying to me so I'm going to go to the CIO and try to sell him my product." Maybe I'm overreacting a little here but I did tell her why I wanted her to wait and she still thought I was giving her the run around.

Tuesday, December 16, 2008

How to NOT sell me security products (Part 2)

This is a continuation of my earlier post. I'm adding to it for a couple of reasons. I wanted to tell more of the story than time permitted on the bus this morning and I received a pretty good comment from a former sales person looking at this from the perspective of a sales person. I'm going to post Sam's comment and then reply to it while adding more details.

Having been in that (sales) role many times, I have to say that your statement cries out "pigeonhole". In other words, a statement people would tell a salesperson in order to get them off their back, but without intention of follow up. I can't tell you how many times I've heard someone tell me something similar and never, ever follow through with their word (i.e. will talk to you after the first of the year - yeah, right). I'm just scratching the surface on this comment, though.

On top of this, it sounds to me like you're making a business decision based on a personal experience with a salesperson. That doesn't sound like the right thing to do, either. What if the company offered a great solution? You're going to pass it up because a salesperson ticked you off???

I'm not saying you are, but my experience has been that many customers lie just as much as their sales folks do. Two sides to each coin.

Sam, you make some good points and I realize that you are talking in generalities and not specifics, but I still get to reply because it's my blog. :) I will admit that in the past I have put sales people off by telling them "we'll talk later", but I also usually tell them "You call me". That way it's clear that the ball is in their court. I may not be interested now but in a few weeks or months I may be. I always try and be honest with them and let them know if what they are selling fits any of my needs. If it doesn't then I tell them "Not now, maybe later". If I really want their product then if I don't hear from them w/i the set time period I'll reach out to them or someone else that can get me the same product.

This case was a little different. She had been pushing me to try and get this ordered before the end of the year. I had told her numerous times that I did not need her product at this time. It would be nice to have and would provide added security. It would also be easier to manage than the 2 or 3 free products that I'm currently using to do the same thing. I had also told her that even if I did want and need it right now that there was no way that I could get it through procurement in time to get end of year pricing. I explained to her that our procurement process is painfully slow and that no matter how important it was or what level of management wanted it things would not speed up to the point to have it approved by end of year. I explained that since it was not a need that I would not be able to get management sponsorship to "rush" it through. I explained that by waiting until next year I was not putting myself in a bad position. I also explained that the company would rather pay more and NOT rush than rush and make a wrong decision. I also explained that I was still evaluating other vendor offerings to meet these needs and that I had NOT made a decision as to which one I would choose. Yet she still made the decision to go to the CIO and try to tell him how much he needed this product. He didn't even know that I was evaluating products because it's not high enough on my list to let him know yet.

As for the "making a business decision based on a personal experience with a salesperson" comment you are right. I'm making the conscious decision to not do business with her based on several factors. First, I had made it clear that we were not ready to purchase a product. Second, I had given her a time to get back to me to further discuss this. Third, I had told her that talking to the CIO would produce no results because he does not evaluate and recommend products. Fourth, she is extremely pushy. Fifth, she lied to the CIO and told him that I wanted the product and that we had a conference call lined up for the following day. Sixth, she pissed me off. Seventh, there are several other vendors that do the same thing just as well as her product. Now I can get past number 6 because I've been pissed off by sales people before and still bought from them. Not to mention I've pissed off my fair share of people in the past. I have a very hard time getting past number 1-4 because I had been clear in making my needs, wishes, desires, etc known. I can't get past number 5 because the combination of 1-4 plus 5 shows that she has very little personal integrity. If she is willing to lie and go behind my back to make a sale how can I be expected to trust her in what she is telling me regarding the product, service, etc... (Let's not go into the "everyone lies" bit b/c even though any lie is not good there are limits).

How to NOT sell me security products

This will be short and to the point. If you WANT to sell me your product do NOT do the following.

Call my CIO and try to convince him that he needs your product AFTER I have told you to wait until after the first of the year to talk more with ME about this!

I don't know if this sales person reads my blog or not but if you do you have absolutely no chance of selling me your product now. Not here. Not at any other company that I may work for in the future.

Monday, December 15, 2008

3rd Party Security

Rebecca Herold has a post up regarding the importance of ensuring 3rd party security. This is one example of how sloppy (and sometimes even fairly good) security from a partner, client or vendor can cause you all sorts of headaches. There are lots of other reasons also to do security audits of those you give network access to. I know that lots of companies talk about doing this but I wonder how many really do. I run across lots of people who work for companies that have policies in place that state that they must do security audits before giving you access to the network. Yet many of these same people tell me that they actually DON'T do these required audits. I also run across vendors and others who tell me that they have been given access to company networks with no audit requirement at all. Occasionally they have to sign a "3rd Party Access Agreement" or some other such document.

What concerns me is that these companies are putting themselves in a bad place. They think that they are covered because policy is in place or because they ask you to sign an NDA. Neither of these will hold water if you have a problem that is caused by the 3rd party if you can't prove that you are doing your due diligence. If you have a requirement to do a 3rd party security audit then you had better do it. If you say that you require your 3rd parties to do X then you need to prove that you have verified that X is being done. We can't continue to throw out a requirement without doing our part to make sure that the requirement is being enforced.

There are lots of things that can go wrong when giving anyone access to your network; even your own users. It can be difficult enough to keep your users audited and ensure that their protections are in place and that you are doing all you can to protect your data and network from them. Then if you throw in the complication of a bunch of machines that you don't control or set requirements for it makes it even worse. That is why you really need to make sure that you are extra diligent in protecting your data from these.

The list of things that can go wrong is as long as my arm. They can bring in a system that has been infected with a virus that may be spread to your systems. Hopefully your AV is installed and up to date on all of your systems, but that isn't always the case. In some instances companies don't install AV on certain systems because of performance and compatibility issues. These systems could become infected and depending on the virus they may attempt to spread it to other systems constantly, they may become part of a bot-net that can do all sorts of nefarious things. It may be loaded with a rootkit or backdoor that gives a bad guy control of that system and then he can work his way through your network. There is also the possibility that a bad guy enters their network and uses one of their systems to gain access to your network. They could take data out of your network and lose it, give it away, sell it, use it for their own purposes. They could alter data, plant keyloggers, sniffers, AP's etc... The list goes on and on.

So therefore I repeat my premise that when dealing with 3rd parties we don't need to be as strict as we are with our users; we need to be even more strict. We have to do more than use CYA with a policy or NDA. We have to verify that they are doing what we require and what they say they are doing. If not then you may find yourself on the receiving end of a legal or regulatory nightmare.

Thursday, December 11, 2008

Is that MY data?

Disclosure: I attended a half day seminar on e-discovery where this story was told by Randy Kahn of Kahn Consulting. It got me to thinking and some of this is reflective of some of his talk.

In early Sept 2008 United Airlines stock fell by as much as 75% because of a 6 year old article that found its way onto Google. The article had no date attached to it and was accidentally re-posted to a newspaper's web site. Over the weekend the article started turning up in searches about United Airlines. As investors and automatic investment software saw the article they started to panic and sell shares of United stock and caused the price to fall drastically. Luckily people actually started researching the information and discovered that it was old news and not relevant to present time. Fortunately the stock did rebound and regained most of the loss.

How did this happen? I can't say for sure but it sounds like someone wasn't managing their data very well. How does well managed data get mishandled like that? Obviously there is a legitimate business case for keeping old stories like this around. They are useful for research and such, but the data could have been tagged in such a way to keep something such as this from happening. It could have had restrictions placed on the way it could be used. The problem with this is that it requires technologies to make this stuff happen that unfortunately are not used by many companies. This makes data management and security a nightmare for many. 

Unfortunately I don't have a low cost, easy to implement answer to this problem but it is something that needs to be addressed in your company. We all know that we can't secure what we don't know about. We can't secure the data if we don't know where it is, who is accessing it and what they are doing with it. Data has been taken too lightly for too long. It's been treated like it doesn't matter and that it's impervious to loss, misuse or any other bad thing. Sure we play the game and put in firewalls to keep bad guys out and put in a few other things inside the network and on host systems to make us all feel a little better but we aren't managing the data itself. We aren't teaching the DBA's, Server Admins, End Users and anyone else that it is important that it not be tossed around like a rag doll. We're not building the case to Upper Management that having policy with teeth is critical to keeping us safe.

We write policies and set them in their little corner to be pulled out when the auditor asks for them or when someone does something bad, but other than that we pretty much ignore them. We don't train our users on what they say and why they say it, we don't teach them how to follow them. We don't work with the business units to ensure that the policies are even effective and enforceable. We don't meet with legal, compliance and other groups to see how the policy fits into law and regulations. We don't look at how a change to one policy affects other policies and makes them more or less effective and enforceable.

I know that I'm making a wide sweeping statement with much of this and that this isn't the case for all companies. The problem is that it occurs in way too many places because companies and people are just playing the game. They aren't taking their compliance and security programs seriously. They want to check their box and move on. They aren't thinking outside the box and looking at things from a holistic perspective. In today's world where data is king we can't play games. We can't do "just enough". We can't keep thinking that security is a nuisance that we have to live with. Management has to take the lead and hire and equip the right people with the right tools and training. They have to take security seriously and they have to realize that there have to be consequences for what happens to data and the consequences have to fall on the right people and it has to have some pain associated with it or nothing will really change.

Wednesday, November 26, 2008

Infophysical Security

Information security teams work hard to secure the data that they are responsible for. They put in perimeter protections, network protections, host protections and all sorts of devices to monitor and manage all of these devices and protections. Configurations are checked before they go into production and all changes are tested and approved. All of this hard work pays off when you look at firewall logs, IDS/IPS logs, and the reports that your SIEMs generate to show just how many attacks are blocked, dropped and stopped before they get to the goal of stealing or damaging your data.

Of course we all know that this can easily be bypassed by one unpatched system, zero day exploit, reckless admin or user or a really good hacker or social engineer. There is always something that isn't exactly as it should be and that one thing leaves you vulnerable. There is one other area that information security needs to have regular contact with and influence with. Physical Security. Physical Security are the ones who are tasked with keeping the bad guys physically away from the data. Unfortunately, many times these two disciplines don't communicate with each other and this lack of communication can ruin the well laid plans and protections that have been put into place.

CISOs and their management teams need to be proactive and take the lead in reaching out to the physical security teams at their company. They need to collaborate with each other and they need to work together to ensure that the data is protected. Often physical security teams don't realize the dangers that a person can present when they allow them to roam the halls unescorted or when they don't do their job and ensure that a person is really supposed to be there. They don't understand that a good hacker may not be able to gain physical access to the data center due to other access controls in place but if he gets a hold of a hot network jack or an unmanned system. They aren't aware of the fact that a seemingly innocent flower, stuffed animal or other item can hide wireless APs, mini laptops, wireless cameras, etc...

This is another reason that when you are rolling out a security awareness program you need to ensure that it's not a generic one size fits all program. Different departments need to be taught different things so that they are aware of the things that are most likely to affect them. An effective security program will reach out to all lines of business and work with them to be proactive in securing the data.

Tuesday, November 25, 2008

Someone Please Help Me Understand

A friend came to me with a dilemma. A company is replacing all PCs within the organization. They are looking at buying laptops, desktops and VDI terminals. They are also using this as an opportunity to ensure that they have all the security software that they need on the systems to provide the most protections. They are looking at things such as AV, DLP, Encryption, HIPS, etc... One of the guys on the team decided that they needed phone home software to help in recovery of lost or stolen devices. Actually he says that it's pretty handy software. It has the ability to do much more than just phone home. It takes inventory of all software on the machine, alerts you when new software is installed, gives you asset management capabilities, can reinstall itself if the software gets removed, and lots more. They are considering installing this on all systems because a few desktops have gone missing. When asked how many and over how long a period of time no one was able to give an answer. Yet they are willing to invest thousands of dollars in this software that will really not give them anything that they don't already have except the phone home capability. So why the big rush to buy something that isn't needed?

There are several questions that need to be asked and answered before a purchase such as this can be justified in my mind.

  1. Just how many systems do actually go missing every year?
  2. Are they really missing or are they just not being tracked properly as they are moved, replaced, etc?
  3. How many systems can they afford to lose per year before they actually see any real value in this program?
  4. Can they replace any other applications with this software? Asset tracking, System Monitoring, etc
  5. How much of an investment in infrastructure and personnel resources will be required to manage this program?

According to my friend none of these things have been thought about enough to give an answer yet still the push is on to include this application when the systems are replaced. So I thought I'd ask you to give me answers that I can pass on to my friend. I figure that's about as useful as what he is currently getting. :)

The Sky is falling....... no wait it's not the sky.

Remember my "Pay Close Attention" post a few days ago? I hope you did because obviously I didn't. At least I didn't heed my own advice. Not long ago I had a Pen Test done against my network. I got the report back, looked it over and wrote up a Management report and sent it off to Management (imagine that). I had a few action items that I needed to address and put them on a to do list and went on with life. Granted life has been VERY busy and since none of the action items were critical they kept getting pushed aside. Well today I made a point to take action on them and fired off a few emails to the proper people to get the issues resolved. That's where the problem (little as it may be) started.

I won't go into specifics but here is the scoop. An issue was identified and the host system was fingerprinted. If you have ever done a Pen Test or scanned systems to determine the OS you know that it isn't 100% accurate and that is what happened here. The scan came back with its "best guess" and since it was known that we do have that particular OS and device in use on our network the assumption was made that this was most likely what the device was. This is where I quit paying attention. The emails that I sent were based on the assumption and not the "facts" regarding the type of device. As I started to get feedback from the vendor and one of our engineers I had to do a little more research to get them the answers that they were requesting. That is when I actually paid attention to the IP address that was associated with the device and I realized that it could not be the "assumed" device. Are y'all still following this, it's confusing me.

So since I didn't pay attention at the beginning I had to start backpedaling and trying to explain how I could make such an obvious mistake. Of course Management had also been copied on emails so there was no keeping this just between those in the Network Engineer team. So what can I learn from this? PAY ATTENTION! Things aren't always as they seem. :)

Friday, November 14, 2008


I feel like I'm never going to get back into the swing of blogging again. I keep trying to do daily posts but it doesn't work. I've got a few thoughts running through my head that I wanted to throw out. Most of it is security related but not all.

First, Wednesday night we had our kickoff meeting of the Atlanta NAISG chapter. It was a success. There were about 8 of us, but that's not bad for a first meeting. Especially considering that we didn't do much advertising. Mostly word of mouth. Everyone there seemed to have a good time and seems genuinely interested in making this work. Brad Dinerman, NAISG founder, flew down from Boston to help us kick things off and give our first talk.

I was listening to a Manager Tools podcast the other day and they were talking about the importance of attitude. Attitude makes a big difference in most everything. If you have a good attitude then things usually go better. People enjoy being around you more and usually give you more respect and listen to what you have to say. It makes for a better day for you and makes for better results out of what you are trying to accomplish. It also makes other people feel good when you have an upbeat attitude. That reminded me of someone that I met last week at ISD. As I was listening to the Security Researchers Roundtable I noticed that Billy Hoffman of HP was really energetic and passionate as he spoke. It made me listen a little closer to what he had to say because of the energy that he had. After the talk I went up to meet him and there was someone else with him (no names). As I introduced myself to them and told them how much I enjoyed the talk the other person was real standoffish and just said a lame "thanks". Billy on the other hand was very appreciative of the fact that I took the time to let them know. He talked to me a few minutes about Atlanta (he went to GA. Tech) and my job. As we parted he commented on how he enjoyed meeting me. None of this was a big deal but the attitude he put out really made a difference. That is something that many of us in the IT world need to work on. We need to get past our often introverted personality and project goodness to our users and this will go a long way in changing the negative mindset that many have towards their IT department.

I was listening to The Network Security Podcast on the way into town this morning and it was a recording of a bloggers meeting that DHS Secretary Michael Chertoff held in San Francisco earlier this week. Martin asked several questions about the TSA and airport security and Mr. Chertoff made a good point about the public not always seeing what is going on behind the scenes and therefore not understanding the why and wherefore of decisions that are made regarding airport security. While I don't think that we are doing the best job at airport security and I do often question the value in some of what they do (and why they aren't doing some other things) his comment did make me stop and think that I don't see the big picture in airport security. I don't have insight into all the data that goes into making the decisions that are made. They may look like stupid or inappropriate decisions to me. They may look like they do nothing more than make the public think that the TSA is doing something. But there is more to it than I see. In my job as Information Security Officer for my company I often look at decisions that are made above me and wonder why. Later on as I get more info or see things unfolding I realize that the decision made more sense than I gave it credit for. It's a good idea to withhold judgment until you know all of (or at least most of) the facts.

Tuesday, November 11, 2008

Pay Close Attention

Paying close attention to life can save us all a lot of headaches and unnecessary grief. This applies to our lives as information security professionals as well. We need to make sure that we pay close attention to what we are doing. Whether it's monitoring logs, configuring devices, reviewing configs or RFPs, writing policy or procedures, etc... If we aren't careful and diligent in what we do we will make a small (hopefully it's small) mistake that may come back to bite us.

We also need to be careful of the message that we give to our customers and users. We need to ensure that we are clear in how we present the message and that it is in line with the business requirements. We need to make sure that we are looking for answers to solve a problem and not just saying "NO". How we communicate our security plans has to be in a way that the user will understand and that will make them want to work with us.

What made me think of this? This picture tells a story that is very different from the one that was trying to be conveyed. If Mom and Dad had paid attention to what little Suzie was drawing for her class project it just could have saved them lots and lots of embarrassment.

What little Suzie was trying to convey was that her Mom worked for a Hardware store and was selling a shovel to a customer.

Atlanta NAISG is Wednesday Night

Just a reminder to everyone in the Atlanta area that Wednesday November 12, 2008 is the date of the inaugural meeting of the NAISG chapter. We are meeting at 7:00 PM in Alpharetta, GA at 3030 Royal Blvd. South, Suite 220, Alpharetta, GA 30022. This is the office of Upgrade IT Consulting Services who has graciously allowed us to use their facility for our kick-off meeting. Pizza and drinks will be provided. The program will be given by the Founder and President of NAISG, Brad Dinerman. He will be speaking on "Employee Monitoring and Surveillance". You can read more about the meeting at the Atlanta chapter page of the NAISG web site.

Happy Veterans Day!

Today is Veterans Day in the US. A day when we honor all of those who have served in the Armed Forces. A day to stop and remember all the sacrifices made and to remember that our Veterans are the ones that have given their all to protect our freedoms.

I want to personally say a big THANK YOU to all of you who have served.

Last week when I was at Midway Airport in Chicago waiting for my flight home from ISD I spent several minutes viewing the display that they have set up to honor all those who fought in the Battle of Midway in World War II. I have to admit that it tugs at my heart strings to think about all that has been sacrificed by those who have fought for our freedoms and rights.

So today (actually doing this every day is a good idea) if/when you see a member of our military or a veteran make sure to tell them Thanks and if you get a chance buy them a cup of coffee.

Friday, November 07, 2008

ISD Wrap-Up

I had planned on doing a Day One and Day Two post but that didn't happen so I'm gonna do an all-in-one summary. Things started on Tuesday when I met up with Chris Hoff in the Hotel fitness center for a workout. After that was over I hooked up with Adrian Lane, Adam Dodge and David Mortman for dinner. After that there was an informal meet-up back at the hotel with some of the TechTarget team.

Things really got going on Wednesday morning. The day started off with a talk by Kevin Mandia talking about Incident response. He shared some stories about cases that he had worked on and talked about trends in what he has been seeing and where he thought it might go. Unfortunately they didn't have paper for us and I didn't bring any so I was unable to take notes to give more detail.

Next up was the ear bleeding "4 Horsemen of the Virtual Apocalypse" talk by Chris Hoff. Why do I call it ear bleeding? Because he had a lot of info to cram into a 45 minute talk. Chris is the man when it comes to virtualization and security (or the lack thereof). Unfortunately even though he talked fast he still didn't get it all in but he has the slides and notes available for download. I recommend getting it if you want to learn more about virtualization and security.

After that I had a hard choice. David Mortman and Mike Rothman were both speaking at the same time. I decided to listen to Mort's talk on Web 2.0 in the enterprise. He talked about how it's here whether we like it or not and that as consumers of it we have to demand that the vendors/creators do it securely. He also went over the importance of secure code delivery across the board.

After lunch there was a Panel Discussion from this year's winners of TechTarget's Security 7. They break the world up into 7 verticals and choose someone from each vertical who has made significant contribution to the world of information security during the last year or so. This year's winners are Bill Boni, Mark Burnette, Michael Mucha, Marc Sokol, Eugene Spafford, Martin Valloud and Mark Weatherford.

Next we were treated to one of Joel Snyder's informative and entertaining talks on Security Agility. Joel spoke about the need for IT and Security to be agile and why it is important. Joel's mantra is that it's better to be innovative than efficient. This goes against a lot of what is preached by many others. Joel believes that when we are innovative then we are agile and are better prepared to face the challenges that we come up against daily. Not only that but by being agile we can stay ahead of the curve and when business units come to us with a need or problem we are better prepared to help them.

Day two was a little slow (or maybe it was me) and by far the highlight was the Security Researchers Panel that included Thomas Ptacek, Billy Hoffman, Dave Aitel and Alexander Sotirov. They talked about SDLC, attacks, breaches and such. It was refreshing to hear guys of this caliber giving their insights into what was going on and possibly where we were headed. This panel was actually my favorite session of the whole conference.

I'll stop here. It's been a long post already and I've probably lost most of you by now.

Tuesday, November 04, 2008

TSA strikes again

I left Atlanta this morning to fly to Chicago for ISD. Last night I was packing my bag and going through my laptop backpack to ensure that I didn't have any "contraband" that would raise the ire of a TSA agent. I had a Leatherman that I took out. Removed a USB drive that had a pen knife in it. Made sure not to pack my Cross Fountain Pen because there is no way in the world that I would throw it away if they told me I couldn't take it on the plane. I was careful to pack only liquids that were less than 3 ounces and packed them all in one 1 quart clear plastic bag.

As I went through security at the Atlanta airport all went well as my bags passed through the x-ray scanner and I walked through the metal detector. I grabbed my bag and other stuff and put it all back where it belongs and went on my merry way to the gate. The flight went well and I arrived in Chicago on time. As I was riding the train from the airport to the hotel all of a sudden I remembered that I had another knife in my laptop bag that I didn't remember taking out. It's a Buck 3" straight blade boot knife (don't ask why I carry it). I opened up the compartment that I keep it in and sure enough there it was. How the TSA missed it I'm not really sure. Now I'm faced with the dilemma of what to do with it. Do I take the chance that I can get it on the flight back to Atlanta? If they catch it what happens then? Do they just give me the option to give it up and go on my merry way or do they strip search me and put my name on the no fly list? Not real sure I'm willing to take that chance. Maybe I'll mail it to myself before I leave here.

Help a Hacker

A year or so ago I became a fan of the work that Johnny Long was doing. Not only his Google Hacking, No Tech Hacking, and other cool things, but also his Hackers for Charity work. Back in April I had the pleasure of seeing Johnny give his No Tech Hacking talk and I met him after the talk. We spent a few minutes talking about hackers for charity. At that time I encouraged all of you to check out the site and do what you could to help with this endeavor. Today I'm renewing that call to action. There are several things that you can do that are very easy, enjoyable and even free (not all are free). You can buy the book No Tech Hacking by clicking to the Amazon site directly from Johnny's site. When you do this all the proceeds go directly to Hackers for Charity. You can buy an "I Hack Charities" vinyl label for your laptop from here. Again all the proceeds go to hackers for charity. You can donate time, money or equipment to the cause. If you blog or podcast tell your readers and/or listeners about the work that is going on at Hackers for Charity.

Now there is something new that you can do. Peter Giannoulis, founder of The Academy web site, is offering to donate $1 for every new member that joins during the month of November. So not only do you get to make a charitable donation that costs you nothing but you also become a member of a very cool site that is aimed at making your job as an information security practitioner easier.

So I encourage all of you to take a look at the work that hackers for charity is doing and think about how you can help out and then do what you can.

Tuesday, October 28, 2008

Identity Theft knows no age

WOW! There has got to be a better way. My friend Mort has started a new blog with the Identity Protection company Debix. Today he has a post about a study that was done looking into identity theft and children. Yes, I said children. I'm talking people 17 years old and younger. I'm talking people who can't legally enter into a contract and therefore can't legally have credit. I'm talking boys and girls, little children, underage minors. I'm talking stupidity!

The numbers and statistics are frustrating and scary. They are also very irritating to me. Why? Because there is NO (repeat NO) reason for someone 17 or younger to have their identity stolen and to have credit opened in their name. As advanced as we are technologically there is no reason for this to happen. It's utterly ridiculous that we have let things get to the point where banks and other financial institutions have not put processes in place to verify the information required to get credit opened in your name. Simple steps and checks could be put in place to verify whether or not the owner of a SSN is 5, 15 or 55 years old.

As irritating as the data is there are also some good tips that we all need to follow, especially for our kids. Check out the blog to learn lots of good things about protecting your, and your kids', identity.

CSI Discount Code

Interested in attending CSI 2008 this year? Don't have the budget to pay full price? Well if you're interested in a 55% discount I can help you out. I have 2 discount codes that I can give if you are interested. Drop me a message and I'll get them to you.

Thursday, October 23, 2008

To patch or not to patch

This morning I slept through my alarm. I woke up at 7:20 am and realized that there was no way that I'd make the last bus into town since it leaves at 7:35 am. That meant that I had to drive the 30 miles to the office. I wasn't happy. Normally I would have declared it a work from the coffee shop day but I had an audit meeting and a couple of other things on the calendar that I needed to take care of. It's now 11:30 pm and I'm still at the office and I'm glad that I didn't make the bus into town. I'd really be stuck here all night. Actually that may still happen.

After jumping into the shower and getting dressed I headed to a coffee shop to get some coffee and wait for traffic to lessen before making the drive into town. I fired up my laptop and started checking my RSS feeds and email. One of the first things I see is that Microsoft has a pre-release announcement of an out-of-cycle patch that they are releasing today. Once Microsoft released info and I thought about it I realized that this has the potential to be bad news. I remember Blaster, SQL Slammer and Nimda all too well.

We called a meeting to discuss the issue and determine what our approach to this would be. The management team is made up of former network engineers who lived through Nimda when it hit the company a few years back. As soon as the word "worm" was mentioned they got that far away look in their eyes. You know the one. It's the same look that you get when someone punches you in the gut. We discussed the pros and cons. We talked about what is the likelihood that we would actually get hit with anything. We talked about the potential impact if we did get hit. Like most companies we live and die by network activity. Due to the nature of our business we are in a little bit of a unique position because if something got loose on our network it could put people in physical danger as well as do damage to the business itself.

Needless to say the decision was made to start patching immediately. We've been at it for several hours now and still have a ways to go. We had to convince applications that this needed to be done. We had to put into place our emergency response team (OK, we don't have a real one but it sounds good). We had to get management buy in. Some would say that we are overreacting but since there have been confirmed reports of active exploits and Immunity Security has released an exploit for their tool and I just read that supposedly there is a new worm in the wild I think a little paranoia is good for the soul.

Tuesday, October 21, 2008

November is a BUSY month

I'm looking at my November calendar and it's already jam packed. In addition to the normal work and home things there is Thanksgiving and lots of other events. I'll be doing some traveling to conferences both as an attendee and panel member, plus attending a few things in the Atlanta area. If any of you are going to be at any of the following events I'd love to meet up and say hi.

Nov. 4-6, 2008 Information Security Decisions - I'll be attending ISD in Chicago this year and am looking forward to it. I've been wanting to go since 2002 and it has never worked out until now. In my opinion TechTarget has some of the best seminars out there, especially when you consider that most of them are free of charge. I know that several of us are trying to plan a dinner on Tuesday the 4th so if you are going to be in town by then and want to join us let me know. Of course there is also Wednesday dinner for any who want to get together then.

Nov. 12, 2008 The inaugural meeting of the Atlanta Chapter of NAISG (National Information Security Group). I'm proud to be a founding member and on the advisory board for the Atlanta chapter. If you are in the Atlanta area we'd love to have you join us. I'll be posting more details soon.

Nov 17, 2008 CSI2008: Security Reconsidered - I'll be participating in a panel discussion titled "Why Information Security Should Evolve to Information Risk Management." Unfortunately I won't be able to attend the whole conference but I hope to have enough time to meet several people that I know via the internet but have not met yet.

Nov 20, 2008 I'll be attending another TechTarget seminar in Atlanta. This one is on compliance and should prove to be interesting.

As I said, I'd love to meet any of you that will be at any of these events so just let me know.

Monday, October 20, 2008

NAISG - Birth of the Atlanta Chapter

It seems that technology is filled with its share of things to do. From local chapters of national organizations to small meet-ups between friends who all work in technology. Everywhere you look there are conferences on all things technology. The bad thing about these events is that often they are not what you are looking for. If you are a pen tester then an ISACA meeting may not be your cup of tea. If you are a firewall jockey then InfraGard may not be what you are looking for. Then there is the question of value. Is the organization giving you value? Does it help you learn, connect with others, grow your career? Then when it comes to the conferences most of them are out of reach for you unless you either live close enough to not have travel expenses, you get a free pass or your company is willing to pay. A conference can easily run $4k before you know it. Even if you get a press pass for some events the hotel, travel and per diem costs alone can break the bank.

In Atlanta there are a few different opportunities to get involved with different organizations. There is ISSA, ISACA, InfraGard, and several other local groups that meet weekly, monthly, quarterly or whenever they get around to it. I've not been involved in any of these for a few different reasons. Value, Time, lack of content, etc... Well, for me at least that is about to change. Starting next month Atlanta will be the home of a new chapter of the NAISG (National Information Security Group). I'm supporting it for a few different reasons. (Now comes the full disclosure part) I am on the Advisory Council for the chapter so that does sway my opinion a bit, but not only that but I'm supporting it because I like the mission of the NAISG. It focuses on Information Security. It's not a platform for vendors to hawk their wares, it's a good mix of "in the trenches" technology and soft skills that are needed to succeed in some areas of business. I also like it because there are no fees associated with it. I don't want to pay a national chapter, a local chapter, and a registration fee just to join a group that is asking me to give of my time and resources.

Anyway, the first meeting will be Wednesday Nov 12, 2008 at 7:00 PM. We will be meeting at 3030 Royal Blvd. South, Suite 220, Alpharetta, GA 30022. We are being hosted by Upgrade IT Consulting Services. There will be pizza and drinks provided. The program will be given by the Founder and President of NAISG, Brad Dinerman. He will be speaking on "Employee Monitoring and Surveillance". You can read more about the meeting at the Atlanta chapter page of the NAISG web site.

If you are in the Atlanta area we'd love to have you join us and become an inaugural member of the Atlanta chapter of NAISG. Tell your friends and co-workers to come also. Hope to see you there!

Monday, October 06, 2008

Lessons learned from the gas shortage

Since just before Hurricane Ike hit the Texas coast we have had problems with finding gas in the Atlanta area. When we are able to find it we are paying 20 to 30 cents a gallon above the national average and 50 to 70 cents above some areas. This has forced Atlantans to make changes in the way we live in many cases. We're making fewer trips to places that are unnecessary, combining trips so that we only have to go out once. Taking alternate transportation to work. Things like car pools, buses, trains, bikes, even working from home. Luckily, things are getting better here now, at least on the supply side. The 1 - 2 hour wait for gas is over but we are still seeing several stations with little or no gas and we are still paying close to $4 a gallon.

In my opinion Atlanta needs to reconsider how we do transportation. I'm not talking about how our transit agencies are run or plan their systems. I'm talking about the average Joe and Jane Commuter. Atlantans rely way too much on their cars and way too little on other ways to get around. We tend to think nothing of making 4 trips when everything could be done in one trip. We love to drive. I assume it's so we will have more reason to complain about how bad traffic is. :)

So, how does this relate to Information Security or technology in general? I'm glad you asked! Just as Atlantans have had to come up with creative ways to handle the gas shortage we need to review creative ways to protect our networks and data. We need to look at what we have and how we can leverage it instead of buying something new. We need to look at how we are doing things and find ways to maximize our processes instead of just adding more to the pile. We need to think about how everything fits together and how we can make changes to improve security instead of making things more complex by adding additional layers. (I'm not talking about security layers but about layers that are unnecessary and make more problems than they solve).

Times are tough all over and that holds true for security programs also. As I'm writing this the Dow Jones is down 760 points for the second time in a week or so. It recovered some of the first loss but it's not getting any prettier out there in the foreseeable future. Companies are tightening belts and spending is going to slow way down and jobs are going to be lost. This is the time to get creative and show your company how you can make things better and save money. Of course creativity means risk and that may not be the best thing at the moment but at least let them know that you are thinking and working on ways to improve security w/o spending lots of money.

Friday, October 03, 2008

Book Review - Into The Breach

I love to read. Unfortunately I don't get to read as much as I'd like to (blogs are the exception) and when I do get to read it's usually in short segments so reading a book can take a while. I used to spend lots of money on Technology books but realized that they usually just adorned my shelves and never were fully read so I quit buying them for the most part. Every now and then a really good book comes along that meets a need that you have and is enjoyable to read. One such book was Mike Rothman's "The Pragmatic CSO". It was short and didn't have a lot of fluff in it and it has proved to be very valuable to me over the last 18 or so months since I read it.

A few weeks ago my friend Michael Santarcangelo sent me a preview copy of his book "Into The Breach" to read. I liked it immediately because it's less than 100 pages long. :) I started reading it and knew immediately that this was good stuff. I read about 25 pages and set it down. It then got buried under other things and I couldn't find it. I had another copy but had no idea what I had done with it either. Finally about 2 weeks later I found it and started reading it again. Unfortunately I'd only get to read about 5 pages in a sitting and then something else would demand my time. It took me a good 6 weeks to finally finish it. It should have taken me 2 to 3 hours to read it from cover to cover.

This book is quick and easy to read. It makes sense. Isn't filled with fluff and unnecessary stuff just to bloat the size and price. Michael lays out a solid plan for implementing processes that can literally change the way you protect information. He puts lots of emphasis on common sense, out of the box thinking and working with your users. The last part is key. Our users are the ones that primarily put information at risk because they don't understand the whys and wherefores of protecting data. Michael lays out a plan for engaging them and helping them understand why they need to do things differently.

This is a book that all of us need to read and take to heart. If you are serious about making a difference in your company then this book is for you. If you want to have your old fashioned assumptions challenged then "Into The Breach" will do just that.

I gave a copy of it to my CIO about a month ago to read. He told me that he would read it and let me know what he thought. He has now requested more copies because he wants all of his Directors and Managers to read it. We were on a call with Gartner this morning and he told our Gartner Rep about it and said that it was a book that he needed to read. You don't know my CIO (most of you anyway) but coming from him that is saying a lot. He is a man of few words and those he says he means.

Tuesday, September 30, 2008

Playing catchup

I think this may be the longest stretch that I've had with no blogging. My last post was on Sept 14th. Since then I've gone on vacation and been preparing for vacation and catching up after vacation. Needless to say it's been busy. Hopefully I'll be back to regular posting now.

I'm going to do a "catch-all" post to try and comment on a couple of things.

I'm going to start off by going back just over 2 months to a post that Rebecca Herold made regarding awareness training and a part 2 here. I starred this in Google Reader and then forgot all about it. I'm bad about that. I need things screaming at me so I will remember to go back and read it. Anyway, she talks about the fact that we often fail to give adequate awareness training to those who need it most. Specifically those who deal with customers on a daily basis. Our Receptionists, call center reps, etc. These folks are on the front lines but are often ignored as we focus our awareness training on those who are in "check box" positions. What I mean by that is those who work with PCI data, financial info, etc. Somewhere there is a regulation that says "train these people or else". We train them so we can claim compliance and then give the crumbs to the rest.

The next item is actually recent and both of these were posted within the last 24 hours. Two different stories with the same theme. I saw this one on first and then a few minutes later this one on It seems that we still haven't learned basic security in many cases. What's really sad is that in both of these cases there is really no excuse for this happening. It seems that we are still disposing of devices that have not been sanitized. One case involves a British MI6 agent selling a digital camera on eBay that had all sorts of Top Secret data on it. There were pictures, fingerprints, names of terror suspects and other information. I can see this happening to someone who is a "regular" person (obviously not the top secret data but selling a camera with pictures still on it) but an MI6 agent. I'm sure they are trained in basic security such as this. The next article talks about a Cisco VPN Concentrator that was bought by Andrew Mason on eBay that was still configured to automatically connect to the central VPN concentrator at the company it originally belonged to. It's a good thing that Andrew is one of the good guys. According to him he had full access to the network by simply plugging it in and connecting to the internet.

A story that is close to home involves patient data for 45 people who were patients at Atlanta's Grady Hospital. It seems that their data was inadvertently put on an unsecured web site instead of on a secured web site. There are lots of interesting facts and issues involved in this that you can read about here. First of all, companies often give too many people access to their web sites to add content. Just as we don't give everyone access to our financial data we shouldn't give everyone, or even several people, rights to add content to web sites. There is way too much risk in insecure or unauthorized code/data getting put up. We have a hard enough time getting our web developers to write secure code, much less allowing marketing or any other department to add content at will. The second problem that I see is that Grady outsourced the work to one company who outsourced it to another company who outsourced it to a 3rd company. I'm not totally opposed to outsourcing but this is ridiculous. Either legal didn't do their job in contract negotiations or they need to do a better job in ensuring that outsourcers are staying within the bounds of the contract.

One last thing that I want to comment on. Kudos to Jeremiah Grossman and Robert "RSnake" Hansen for the way that they handled themselves when vendors requested that they not release information regarding their OWASP talk on clickjacking. It shows maturity on their part to be patient and not try to rush something out just to get name recognition. Not that either of them is hurting for name recognition.

There are lots of other things that have been going on over the last 2 weeks but many other bloggers have done a great job of covering them so hopefully you already know all you need to know about them.

Sunday, September 14, 2008

CSI Video Interview

Last week I was interviewed by Robert Richardson, the Director of the Computer Security Institute, about the FOI concept that I've written about a few times. The interview is now up and you can find it here.

Friday, September 12, 2008

I want my Cingular back!

Until AT&T bought Bell South a while back I had not had many dealings with them outside of a T1 circuit or two that I had to manage. Honestly I wasn't happy with them then and I'm even more unhappy with them now.

I've been a Bell South/Cingular customer for a long time. My first personal cell phone was with a company (I can't remember their name for the life of me) that merged with another company and became Cingular. I had always been pretty happy with them. Service and coverage were both good and dropped calls were rare. Then along came AT&T. Now coverage stinks and dropped calls are a common occurrence. I'm not sure what exactly changed to cause this. Did they knock down some towers to make coverage worse? Are they randomly pulling the plugs on some calls just to irritate customers? It seems to me that since they inherited a good network that things would only get better as they added their infrastructure to what already existed. Obviously I'm wrong there.

I also have an AT&T aircard that I use (or try to use) when I'm working remotely. Actually I was pretty happy with it at first. I'd go to my favorite local coffee shop to work and had good coverage and no real problems. Then when that shop closed I had to move to other coffee shops to work and I can't find one that has decent coverage. I get 2 bars on a good day but mostly one. Try to run VPN with one bar. Not gonna happen. Then when I do get going I lose the connection and have to reinitiate it. There are 3 coffee shops within a short distance of my house that I've tried working from and all of them are in bad coverage areas. They are not all side by side either. They are spread out so that I should be able to find decent coverage. So now instead of driving 2 to 4 miles away to work I'm having to expand my reach. Last week I tried a coffee shop about 9 miles away and had poor coverage. Today I'm at another one about 7 miles away that sits right in between 2 interstates and still coverage is poor and it continues to drop. Even in downtown Atlanta I have problems.

So I want my Cingular back. I want to go back to good coverage and to times when dropped calls and connections are rare. I want to go back to the good ole days!

Slow to criticize, quick to applaud

I usually try not to criticize too quickly but occasionally I do. I don't think that my criticism of Apple yesterday was quick considering their past record that I mentioned in that post. However I did have my doubts as to how they would handle the bad driver issue and how quickly they would correct it. Today I see that they have already fixed the problem and are sending out updates to iTunes.

According to my secret source (OK, so it's not a secret source but I've always wanted to have one) Ed Bott has a new post up talking about the fix and his experiences with installing iTunes now that the fix has been released.

Good job Apple. I had my doubts but you proved me wrong.

Thursday, September 11, 2008

FOI in depth

OK, so what started out as a funny comment on Twitter has started to turn into something. The FOI (Failure of Investment) concept has been picked up on by a few others who have added to it, questioned it and some think it has a future. I read one post in particular that I wanted to comment on and expand my thoughts a bit. So instead of doing it via a comment on the blog I decided to do it here. Before I go any further I recommend that you hop over to Jack Daniel's blog at Uncommon Sense Security and read his thoughts on this. After all he was kind of the brain child behind this. I'll wait patiently for you to read it and then I'll continue.

Oh good, you're back.

Today, Sara Peters, who blogs at Security Provoked, the blog of CSI (Computer Security Institute), picked up on the FOI concept and said that she liked it but wasn't sure she bought it yet. One of her concerns was that FOI focused too much on straight security and not enough on risk management. I would say to her that FOI is all about risk management. After all, security is managing risk. If we don't support the business, by understanding it and its goals, then we have failed. If we don't look at what we are doing in light of the business objectives then we are not securing the business but we are securing the technology, which misses the mark. Security for the sake of security is no security at all.

Can we continue to trust Apple?

If you've read my blog for very long you probably know that I'm not a big fan of Apple, Inc. I think that they have some very cool technology and in many ways I'd love to actually have some of it. A MacBook Pro would be nice to have because I think it's a really good laptop. I'd love to have an iPod Touch because it gives me the flexibility of using it as an mp3 and video player as well as allowing me to surf the Internet via wireless networks. Yet, I just can't bring myself to buy any of them because I just don't trust them.

Apple has shown itself time and again to only care about themselves and not their customers. They appear to be willing to do whatever it takes to further their agenda even if it means being dishonest and underhanded. They will even try to ruin the careers of security researchers if it will keep their public image intact. They are willing to try and increase market share for their Safari browser by sneaking it in an update.

I've heard and read horror stories about support when you have to send things off for repair. I've heard them deny that a vulnerability exists and then quietly fix it a month or two later. Then they have the gall to say that the fix wasn't for the earlier announced vulnerability but for something that was not publicly known. They don't seem to care that they release patches that don't fix what they say the patch fixes.

To me this all says that Apple, Inc. has an ethics problem and when it is this blatant I have a hard time doing business with them. It definitely affects the level of trust that I have in them. The question is will you and other customers continue to trust them?

Why do I ask this? It seems that once again Apple is sneaking things into their updates that they don't feel the need to inform us about. Ed Bott does a good job of chronicling issues with the latest release of iTunes 8 and some things that are happening when you think that all you are updating is iTunes and QuickTime. If what he and others are saying is true then not only is Apple sneaking things into the update process but they are also causing all sorts of problems with Windows systems. How will Apple deal with these problems? That is the big question here. Not so much the fact that they are installing things beyond iTunes, although that is an issue that they need to deal with.

I've not installed iTunes 8 yet and won't until I know that the problems are fixed. Why do I use iTunes at all since I'm not an Apple fan? Because I bought an iPod Nano from my brother-in-law a few years back and I use iTunes because it came with the iPod. At that time I actually still had some respect for Apple. When my iPod dies I imagine I will get a different mp3 player and ditch iTunes altogether.

Monday, September 08, 2008

Voting Security

The other day I was looking on iTunes for a new information security podcast. I ran across a couple that I thought I'd download and see if they were worth subscribing to. One of them is called the Data Security Podcast and I listened to it this morning on the way to work. The podcast was pretty good, at least good enough that I'll listen to a couple more episodes before deciding if it will stay on my list of regulars.

One thing that they talked about was how Ohio has come up with some new regulations for electronic voting security. Things like not allowing poll workers to transport machines and related items (cards, etc.) in their personal cars and not allowing them to store them at home overnight. Then they went on to talk about the potential badness that could occur by this happening. What really intrigued me was a suggestion that they made. They thought that it would be a good idea for information security professionals to volunteer to work the polls on election day. Their premise is that many information security professionals have a good understanding of the risks associated with electronic voting and may be able to keep an eye on things and help to keep the polls more secure. Of course the potential for bad to happen because of this could possibly increase if hackers also volunteered to "help" at the polls. I think all in all that it is a good thing for us to get more involved in the democratic process in any way that we can.

Friday, September 05, 2008

How NOT to work securely from a coffee shop

Many of you are aware that my favorite independent coffee shop closed about a month ago. Since then I'm having a hard time finding a good place to work from when I don't go into the office. I've tried another local coffee shop that is just too small and uncomfortable to work from. I've tried 2 different Starbucks that have very poor reception for my AT&T air card so VPN is out of the question. Today I decided to drive a little farther to another Starbucks to try it out. Air card reception is good, coffee is good, atmosphere (music, tables, light, etc) is good. So I'm pretty happy.

When I got here there were several people sitting around so I found a table next to a wall with an outlet and set up shop. The table is one of three along a long booth seat. The middle table was empty and the other end table was occupied by a lady who also was set up to work. Papers were out, cell phone on the table, laptop up and running. Shortly after I got here a friend of hers walked in and spoke to her. After getting his coffee he came back and asked her if she had a minute to talk. She said sure and he said "lock your laptop and come with me". She looked at him like he was a little off in the head and said "What do you mean?" He told her to password protect her laptop so that "this guy (looking at me) won't steal all of your personal info". I looked at him and said "Good advice, I am a hacker". Then, of course, I told him that I was one of the good guys. So she locks her laptop and they go to the parking lot.

While she is in the parking lot with this guy all of her stuff is right here. Laptop, cell phone, papers (insurance settlement related I gathered from her phone conversations), purse (which I'm sure had her wallet with license, credit cards, etc.). They were gone for several minutes, plenty of time for someone with less morals and ethics to do lots of damage. After a while she comes back and unlocks her laptop and goes back to work. After a few minutes she places a call and starts talking about work stuff. I heard her mention a claim settlement and then she seemed to realize that she was in public so she gets up and walks to the back of the store. Again, everything is left right there but this time her laptop is not locked. She can't see the table she was at and I can't see her. Another perfect opportunity to take something, read something, load a keystroke logger, get CC #'s, etc. It's a good thing I'm a good guy.

After about 15 minutes she comes back and goes back to work. Again after just a short time she's talking on the phone and tells the person that she can go to her car and print something out. I guess she has a 12v converter in her car. So she unplugs her laptop, picks up her purse and leaves the building. She's getting better but she left her phone and papers sitting there. In a few minutes her phone rings and it's all I can do not to answer it. I resist and a few minutes later she returns with her purse and laptop. Plugs back up and gets to work. She stayed with her stuff for the rest of the time she was in the store, that is right up to the time she was ready to leave. She shuts down, unplugs and stacks everything up in a nice and neat stack. Then she goes to the bathroom with her stuff nicely stacked up and ready to be walked out the door. The shop was empty by now except for myself, the lady and a couple of employees who were not in sight.

This is a perfect example of what not to do. She made so many mistakes that I started to wonder if maybe this was some sort of a sting operation. I envision agents in the parking lot waiting with hands on guns for someone to do something illegal. Maybe someone with a high power lens across the street snapping pictures. If so then they failed to make a bust today. Maybe next time they will have more luck. :)

Security ROI - The debate continues

It seems that blog topics are cyclical and raise their head every few months. A couple of the hot ones are full disclosure and ROI, both of which have reared their ugly heads lately. ROI has been on the front pages again in the last few days and it seems that as usual we can't agree on whether or not there is such a thing as security ROI. The purists say that it doesn't exist because it doesn't meet the "true" definition of ROI. The "revisionists" say that there is ROI on security but you have to measure it differently. Yada, yada, yada, the debate goes on and on..............zzzzzzzzzzzzzzz.

Yesterday it hit Twitter and several people jumped in and commented but one that really struck me came from my friend Jack Daniel. He said that the true measure of security is failure or as the new buzz word says "Security Fail". That struck a chord with me and I have to agree 100%. That is the true measure of security whether it be a device, application, or program. If you fail you lose. So Jack and I coined the new term FOI, Failure of Investment. When it comes to buying, implementing, or doing anything in regards to security the value of the investment is determined by success or failure. Not how much it cost vs. saved. Not how easy it is to deploy or manage. Not how much time it saves, etc. The real measure is made when it protects or fails to protect.

It may be that it does a great job of protecting most of the time but the one failure may be its (or your) demise. Now we have to define failure though. In my mind failure doesn't come because a new flaw was discovered in your AV, firewall, IDS/IPS, or other security device or app. It comes when that flaw isn't managed properly by either the vendor or your team. If the vendor fails to respond properly and the vulnerability is exploited then they fail. If they do respond properly and you fail to implement the fix or if you fail to look for and implement other measures to protect yourself during the vulnerability window then you fail.

As we all know failure can be fatal to your job. So it's in our best interest to quit debating and trying to define Security ROI and to focus on preventing FOI.

Saturday, August 23, 2008

MBTA and responsible disclosure

What is responsible disclosure? That is a question that has not and will not be answered. It all depends on who you ask. One researcher will give one answer and another will give another answer. The same goes for those who work in other areas of information technology and information security. Networkers and developers, security pros and server admins. All will give different answers depending on their view of information security and the importance of discovering flaws and disclosing them.

The key word in this discussion is "responsible". Unfortunately even responsible doesn't mean the same thing to everyone. I guess in reality the word responsible can/does have a moving definition. If you find a vulnerability and it will take lots of skill, special tools and lots of money to exploit it on a wide scale then the risk of it being exploited is pretty low and disclosing it w/o going to the vendor is not as big a deal. On the other hand if you take the opposite of those things, then disclosing without giving the vendor a chance to fix it is irresponsible. Those are the two extreme sides of the debate. It's all the stuff in the middle that causes the masses to argue over what is responsible and what isn't.

Here is my take on this with some comments on the MBTA debacle thrown in.

  1. As Information Security Professionals it is our responsibility to act in a professional manner and to do all in our power to protect the company that we work for.
  2. If you are doing research on your own or for a company then you have a responsibility to protect your client or the company/vendor that you are researching.
  3. If you call yourself a White Hat researcher then you have a responsibility to act in a responsible manner for all computer users.
  4. Responsible disclosure means that you give the vendor/company time to fix the issue before going public with it.
  5. The argument that vendors are not responsive when a vulnerability is given to them is flawed because this is not the case most times.

In this instance the MIT students didn't act responsibly in several of these areas. #2, 3, 4 were all ignored for the most part. Giving a company 4 days advance notice is hardly responsible. Although there is some rumor floating around that the MBTA did have notice of some of the issues several months ago. Which if you think about it is true. They may not have known about this particular research from MIT but it has been public knowledge that the Mifare RFID chip is vulnerable since the Dutch researchers wrote their paper about a year ago. Not to mention the fact that the London Oyster Card also used the same chip and it was announced a few months back that it had been hacked.

If anyone expects that the MBTA would be able to fix this in a short period of time then they are sadly mistaken. An issue such as this involves much more than just changing the encryption on the card. The software and firmware used in the readers and encoders have to be changed. The database has to be modified as well as the code in the vending machines that sell the tickets and much more. There has to be testing and QA before it can be rolled out into production. Not to mention that getting new cards is not something that you can just run down to Wal-Mart and pick up. Especially when you are dealing with something as big as this. There are specs that have to be figured out and agreed upon between the MBTA and their fare collection vendor. Then they probably have to put out a bid on the new cards and give the card vendors time to submit proposals. Then they have to go through a selection process and then wait on a PO to be approved via their procurement process. Then they can place the order. Even at that point they are still not ready to go live. The vendor has to fill the order and once the new cards are in there is still the whole process of replacing the old cards. This means that the new specs will have to be backward compatible with the old ones because they can't just cut the old cards off and make everyone migrate to the new ones all in a day.

As things such as this and the DNS Metasploit exploit continue to happen it makes me less and less of a fan of disclosure until after vendors have released a patch and adequate time for the patch to be installed has passed. I'm not there yet. I still think that there is a place for researchers to find flaws and get the word to the vendor so they can be fixed. I'm even in favor of researchers releasing exploits prior to a patch if the vendor is ignoring the issue AND the issue is not of a nature that can cause serious widespread pwnage.

I have to admit that one thing that I recently read makes a lot of sense. I don't remember where I read it or who said it so if you know let me know so I can give them credit. Basically they said that instead of spending so much time looking for and focusing on vulnerabilities that have a very low risk to the public let's focus on fixing the ones we know about that do have the potential to cause serious problems. Let's also focus on writing better code and deploying more secure applications and infrastructures. This is where we can make a difference. Let's quit trying to make a name for ourselves by being the first to find something and make a name by being the ones who are willing to work together to make things better.

Wednesday, August 20, 2008

Sometimes things slip up on you

I was perusing my RSS feeds this morning and ran across this post by my friend Martin McKeay where he talks about missing his 5th year blog anniversary. That reminded me that I missed my 2nd year blog anniversary. I posted my first blog entry on Aug 9, 2006. It was an experiment to see how I would like it and it stuck. As Martin says in his post blogging has been a very good thing for me. It has opened many doors that more than likely would have remained closed if I had not started blogging. Ironically Martin is one of the key reasons that my blog has succeeded. I'm not sure how but he found my blog on Aug 11, 2006 and made a comment encouraging me to keep it up and he later linked to me and mentioned me on his podcast.

I've become a big fan of blogging and reading blogs. I consider reading blogs as a part of my job now because I learn from those I read and gain information and knowledge that I would not have. As I talk with other security and IT professionals who don't read blogs I'm amazed at how much more informed I am than they are about what is going on in the world of information security. I think the biggest benefit that I have gained from blogging is the friendships that I've developed w/ other bloggers and security professionals. Most of them I've never met, yet I know that I can call on them at any time if I need something. The next best thing has been the opportunity to interact with several of those of you who read my ramblings and then comment on them or send me emails. It's always good to know that what I have to say is enjoyed by others and occasionally adds value to them. Of course there are those who have disagreed with me from time to time and that's OK as well. Good healthy debate is good for the industry and helps to keep us sharp.

So, thanks to all of you who give me a few minutes of your time each day (that is when I don't go on a 2 week no blog spree). I hope that you stick around for the next several years.

Tuesday, August 19, 2008

I'm not an expert in all things security, but I am a thinker

My apologies to Glenn Beck for borrowing his line, but I think that it fits well. Not trying to toot my own horn, just proud of the fact that I don't blindly follow the crowd. As you may know I haven't posted anything in over 2 weeks which is a first for me. Life continues to keep me busy and the last week or so has seen some personal events that have taken up lots of my time. During this time I've done a good bit of thinking and watching.

I'm not going to go into many details except to say that we had to buy a new vehicle recently due to my wife being the victim of another driver who wasn't paying attention while driving. At least not paying attention to driving, who was on the road near him, etc. He may have been paying attention to something else but not these things. We also had to rent a car, talk to insurance adjusters and reps, make doctor visits, etc. All the fun things that go along with something such as this. While I was doing these things I took advantage of the opportunity to practice my Johnny Long "No Tech Hacking" techniques. I noticed lots and lots of opportunities to gain access to personal information of other people and even to gain access into the computer systems of some of these companies.

I was left in offices alone w/ a logged on PC several times for various amounts of time. Several times there were also applications open that could spill their guts on other customers and clients. Many times I was left alone with documents loaded w/ PII right on the desk I was sitting at. I overheard lots of phone calls that involved names, addresses, credit scores, credit limits, etc...

Of course I was also asked to give sensitive information to many of these companies. Some needed it to fill out claim forms, reports, credit apps, etc. As usual many of the auto dealers wanted a copy of my driver's license before allowing me to test drive a car. When asked what they do with the copy I was told different things. Some said they were shredded, filed, thrown away and "I really don't know". Needless to say the answer given had a lot to do with whether or not I took a test drive and then I ensured that before I left the copy was truly destroyed.

In one office I was left alone w/ PII on the desk, several computers logged on w/ apps open, heard PII given out over the phone and then heard one girl tell the customer that the copy of the document was shredded to protect them. At least they have the right idea. They are just missing several pieces.

That's where the "I'm a thinker" part comes into play. What these companies need is to take a few minutes and think about what they are doing, why they are doing it and what they are not doing that needs to be done. The office above was taking a great step in shredding documents but they obviously didn't have policies, processes and training in place to prevent lots of other errors. It's great that they shred a copy of a document that has my PII on it but what good does it do if all of the info on the document is freely available to others who are left alone in the office? This is why we can't just do "best practices" and move on. You have to take a look at the bigger picture of what is happening in your environment and work from there.

As the CSO or top security professional in a company it is difficult to know what all goes on out in user land unless you spend some time there. You need to talk to people who do the front line work and find out what they do that may need to be addressed. You need to either visit or at least have someone else visit different locations and departments to find out what is going on that the users would never be aware of. I'm talking about things such as giving out names, addresses and other information over the phone in front of other customers, leaving documents on a desk instead of filing them or at least putting them in a lockable drawer until you can get to them later. I realize that this is not the type of thing that a busy security professional (especially if you are in the top spot) has time for, so this is where you can utilize your desktop support team and others who are in the field.

Another area that we need to pay attention to was made apparent recently by the legal department of the MBTA. In their efforts to stop a DefCon talk about how to hack the MBTA Charlie Card and other sloppy security issues, they released more info than would have been released by the talk. Not to mention that they brought lots more media attention to the fact than if they had just let the talk go on as scheduled. If they had bothered to consult with their security team they might have made better decisions in how to handle this.

As security professionals it's our job to protect the organization that we work for. We have to look out for their best interest even if it's in areas that we are not responsible for. What I mean by that is looking for things that aren't right and making them known to those who are responsible, doing our part to let others know that security is here to be an enabler and not to hinder business. Letting them know that we can add value to all areas of the business if they will solicit our input (such as legal, HR, etc.). Often these departments don't even think about how security can add value to what they do. Many times we think differently about problems because most of us think about how to make things do what they aren't supposed to do (or at least we are aware that the bad guys are doing this) and we see things from a point of view that the business units and even regular IT don't.

Creative Commons License
This work is licensed under a Creative Commons Attribution-NC-SA 3.0.