2011
10.01

Recently my 8 year old son had a soccer game where the ref didn't show up. Fortunately both coaches from his team were certified refs for the age group and one volunteered to help. The game was a tough match up but things went smoothly, until the opposing team's goalie trapped the ball and then kicked it all the way into our goal. This was clearly not a goal based on league rules, yet the opposing coach fought against the rule, stating “other refs have counted those.” In the end our coach gave in and allowed the goal to stand so as to not put the coach reffing in an awkward position.

Funny, when I was an auditor I used to hear this all the time. “The last auditor allowed us to do that.” My response always went something like “well, I am not the last auditor.” I know this excuse is used a lot, not just in games or audits. How many times in infosec have you heard the phrase “we haven’t had to do THAT before.” So the question becomes: is it wrong to enforce now?

We can’t and shouldn’t live by others' judgements or mistakes. As information security professionals we have to do what is best for our organization. The basis for that are the policies and standards that have been put in place. Sure, there are times when we will accept risk because the business needs to operate, but each situation must be evaluated individually. Risk acceptance should be understood by all parties each time a risk is introduced. Accepting it once will only lead to risk being aggregated above tolerable levels.

The coach on the opposing team was an adult and should have followed the rules. Instead he was more focused on winning. In the high stakes business world do we think adults make the right decisions? Running in a relaxed controls environment only leads to loss events and audit findings. Being an impartial ref is tough, but that is what makes us professionals.

2011
09.16

Does it feel like we are in an endless loop of breach notifications? Obviously we are not properly securing our systems. If we were, there should only be a system breach once in a great while. Or is it that we are doing our job and the threat landscape is just that complicated? I often hear people say in reference to a breach that it is not “if” but “when”. So we have two opposing views about security: either we are doing it all wrong, or we do it right and bad things just happen.

I was making pizza for my kids to have for dinner. I was in a hurry because I needed to get my kids to their sporting events. I grabbed an oven mitt, reached in the oven and took out the first pizza. Then I reached in again and grabbed the second. Within a second my hand felt like it was on fire, causing me to drop the pizza pan. I pulled my hand out of the mitt and placed it under cold water. After a minute I put my hand back in the mitt and put a pot holder over top of the mitt, which allowed me to pull the pizza pan out.

So what went wrong? The simple answer is the control failed. I used an oven mitt which should have protected my hand from the heat; instead it gave me a false sense of security. However, I don’t buy it. There are several things that may have gone wrong. The mitt could have been old and the protection diminished. The pizza pan could have been made from a material that conducted more heat than the mitt was rated against. I could have used the mitt improperly in my haste to get my kids fed and out the door. I could go on, but I think you get the point. Despite the best controls there are many variables that work against us.

So do we throw our hands up and accept defeat? No. Instead we need to press forward knowing that no matter how much we do, there is always something else we should consider. No system of controls is perfect; just keep that in mind. I would hate to see you get burned like I did.

2011
08.19

Back in June of 2010 I gave a talk at the Northeast Ohio Information Security Forum titled “Who’s Afraid of the Big Bad Wolf: Accepting Audit as a Service.” Thanks to the guys at Security Justice I was able to dig up the audio from that talk.

And here are the slides.


I would love to hear your thoughts.

2011
07.08

A Chat with Ghostnomadjr

I gave a talk at Notacon 8 with ghostnomadjr; go check out the post at his site: Notacon 8 Talk

2011
07.07

In April I gave a talk at Notacon 8 titled “Educating Security Means a New Approach”. This was a version of the talk I gave at BSides Cleveland in February. If you have seen the video or attended BSides Cleveland there is still value in this talk, as there were many good questions at the end. I want to thank all involved in Notacon 8 again for such a great experience and encourage you to attend the next one.

If you want to talk further about the ideas I present feel free to contact me or post a comment.

2011
06.23

So you just built your sand castle on the beach. As the tide comes in you realize your creation will be knocked over. You are not deterred by this, though; you move higher up the beach and start again. As time passes you again realize the rising tide will take your castle down. You will not give up, so you go high above the highest tide line and yet again build your castle. Satisfied you are safe, you go inside for the day.

However, that evening you see a heavy storm out at sea and the waves stir up so much they crash over your castle yet again. Not wanting to show defeat, you go out the next day and build a castle well off the beach, and out of wood instead of sand. This stands for a few weeks until a hurricane blows in and wipes out everything in its path for miles inland. So you pack your bags and move far inland, then build your castle again out of wood. This stands for a time until a wildfire burns everything down.

Never one to be handed a loss, you travel farther in, into a vast clear valley, and build your castle of brick. This castle lasts for many years but is continuously flooded, destroying all the contents. Finally you move to a high mountain top and build the biggest, strongest castle. You spend the rest of your time here. But each night you realize you have forgotten what the sea smells like. You desire again to feel the sand between your toes. Yet you can’t leave the solid, secure home you have built.

What do we give up in infosec to gain security? Do we take it too far, or do we find the balance? Can we build our solutions where others can enjoy them? Do we focus so much on security that we forget about the customer? In our isolation do we win, or do THEY win? Sometimes we just need to go back out on the beach and enjoy it.

2011
05.23

As security analogies go, one that I have heard often compares security to a piece of candy. The outside of the candy is hard and crunchy and the inside is soft and chewy. The idea here is that the outer layer, the perimeter if you will, is hardened to protect us. This is the point where we do most of our security “stuff” to keep the bad guys out. Of course, once you get through the hardened layer of security the inside layers are much more gentle, because we know you are supposed to be here so let's minimize any further disruption. Keeping this analogy in mind, I was battling the annual outbreak of thistle in my flower beds. This spring is especially bad because we did not get mulch last summer, so there really is no layer to prevent this meddlesome weed from going full bore and consuming every inch it can.

For the sake of those who have never had to remove thistle, at first glance it looks a bit prickly but not overwhelmingly so. However, if you grab the weed without the benefit of gardening gloves you will quickly find the very sharp barbs digging into your skin. Even if you have gloves on, if they aren’t thick enough you will still feel the sting. Over the years I have found the best approach to removing these weeds is to actually expose the root, which has no prickles, and pull it from there. You may be thinking at this point, why not chop it off and be done with it? Well, if you do that the deep root of the thistle will just regenerate and you will be back to struggle with it another day. So getting down to the root and then pulling the whole thing out is the best approach I have found.

So we now arrive at my new analogy, in that security is like a thistle. On the surface, where everyone can see, it is sharp and unforgiving, but below the surface it is soft and vulnerable. Since the systems we are trying to secure are meant to be accessed by someone, there has to be a point of entry. The candy with the hard crunchy shell presumably has to have that shell broken in order to get to the inside. But allowing entry into our systems doesn’t necessarily break the security. This is why I think our security models lend themselves more to the likeness of the thistle. We try to bury our roots and place our security on the visible parts of our systems. However, given the proper amount of time and motivation someone can find a way to get at our soft roots, either by circumventing the controls through means of a vulnerability in another part of our system, or through gaining user credentials in an unauthorized manner.

Another observation I made about the thistle, which ultimately led me to realize going at the roots was the best approach, is what happens when thistle grows in another plant. When pulling thistle out of some evergreen bushes I noticed the prickles did not start until after the plant exited from the cover of the bush. Sure, there can be some pain in reaching into the bush itself to get at the exposed part of the thistle, but you can also move parts of the bush out of the way. This made me think about how organizations treat connections to third parties. Does your organization maintain the same level of security when making these connections as with other outside parties, or is a reliance put on controls at the third party to reduce your organization's security measures? If you are relying on the third party's controls, how do you gain assurance they cannot be easily thwarted in order to access your systems?

At the end of a day pulling thistle I don’t come away completely unscathed. My hands usually burn with some pain after grabbing the wrong part of the plant or working around the other protective bushes. That said, I will endure the pain to remove the overbearing weed, just like a determined attacker will endure discomfort to gain access to a valuable asset. This means we need to evaluate all our entry points and make sure we put up the proper security measures so they can’t get to our roots. We can’t just rely on surface security; we need to get below the surface and make sure the pain continues before our roots are finally exposed.

Thoughts of a madman or an interesting approach? You decide and let me know.

2011
04.22

A week has passed since I attended Notacon 8 in Cleveland, Ohio. Not only did I go, I got to speak on my own and with my son. In 2010 I attended my first Notacon, which also happened to be my first ever public speaking experience. The experience was phenomenal, and so I knew I not only wanted to go back this year, I also wanted to speak again. If you haven’t been to Notacon before you are truly missing an experience. You never feel like you have to be anywhere, but you want to be everywhere. Because of this laid back type of atmosphere you also get to connect with people in so many ways. So as I prepared my talk proposal for this year, my son came to me and said he wanted to do a talk with me. Being that my son was 9, I was a little taken aback.

Just so my son wouldn’t be completely heartbroken I contacted the organizers and asked if they would even consider a talk given by a 9 year old and his father. The response I got back was what I would expect from the organizers: “If it is interesting, absolutely.” With that out of the way my son and I sat down and hashed out our talk proposal, which we then submitted. I also submitted a similar proposal for a talk I was submitting to BSides Cleveland. When I got the email that my son and I had been selected to give our joint talk I ran into my son's room and woke him up, or should I say he leaped out of bed and started shaking with joy. Over the next few months we outlined, rehearsed, and designed the slides.

The day of our talk came and we set out for our adventure. Our talk was going to be very early in the day so my son, and mostly myself, would not have time to get nervous. We decided that since our talk was titled “One Bad Cookie” we should bring cookies to hand out. From my point of view the talk went very well, as my son eased into his thoughts and talked like it was just us having the same conversation we had been practicing the last two weeks. The audience was great, and more importantly, throughout the day everyone we came in contact with was welcoming to my son. He wasn’t the only kid there, but he wouldn’t have felt out of place even if he was. That is what makes Notacon such a great event, local for me, that I will always find time in my schedule to go to.

When the video is available I will post it here and would love to hear any and all feedback. If you weren’t in the talk let me give you a teaser. There are things that make us aware we want to make something better, and in our youth we have the spirit to tackle those challenges. As adults we need to not only recapture that spirit, we need to help foster it and not push too hard to make kids just like us. I don’t want to give the rest away, so you will just have to wait a little longer to see it with your own eyes.

There are two ways I know this year's Notacon was a success. First, I came away with a renewed passion to learn more and expand into places I hadn’t thought of before. Second, my son walked out of our talk and wondered what we could present on next year. Not only did he ask that, he has been asking questions about what he learned and wants to know more. So this is a big thank you to all the people in the planning, execution, and participation of Notacon 8! You all know how to make a con not a con.

2011
02.28

My second month of trying new recipes is coming to a close. This month I started to try some sweet things along with appetizers and main dishes. One of my sweet creations was a red velvet cupcake with cream cheese frosting. Of course my kids loved them and declared they were the best they ever had, but I was interested in what my wife thought. After tasting the cupcakes she said the frosting was outstanding, but the cupcake was a little dry. I knew the first batch I had cooked was probably in a minute or two longer than it should have been. A little later in the evening one of my sons said “daddy’s homemade cupcakes were sooooooo good.” My wife responded to me with “wait, you made the cupcakes from scratch also?” Although she thought I had slightly overcooked them, she felt the recipe was really good and was impressed.

It is funny, usually when I make cupcakes, cake, or brownies for that matter, I start with a box mix. These are easy, as you usually just need to add two or three items, mix and toss in a pan. After tasting my cupcakes, though, I can see the difference over the pre-made mix. This also can be the case in information security. We are constantly inundated with ads, information sheets, and phone calls where we are told that we can use a product that will solve our problems. For a time these may meet our requirements and get us up and moving with a speed we may require. However, after you build a solution from scratch you start to see where these “boxed” solutions don’t satisfy your new tastes.

Along the same lines, using fresh ingredients also can make a big difference. There is a definite taste difference between herbs and foods that come pre-packaged and ones that you may grow in your own home garden or get from a fresh market. Many times, once you make something with those fresh ingredients you don’t want to use the pre-packaged ones again. Just like in cooking, it is important we use the right ingredients in our security programs. Even when you need to use those “boxed” products you can certainly enhance their functioning through your own home grown security experts. Cultivating the people in and around your security program will ensure that no matter what you have to start with, the final product works the way you need and want it to work.

We can’t be afraid to branch out from those things that make us comfortable just because they are generally foolproof. Sometimes taking that chance and trying something new, making it from scratch, will not only surprise us but will also lead us to become more aware of how all the ingredients work. Thinking in terms of People, Process, and Technology, we don’t want to use the box solution in all three. Let's use the ones we make from scratch to enhance those areas where we find we need to use the box solutions.

2011
02.18

So today I had the pleasure of giving a talk at BSides Cleveland. BSidesCLE was held at the House of Blues, which turned out to be a great venue for this event. The speakers' room was very large and allowed the participants to be relaxed. At the same time the lobby was a great place to kick back and chat with people if you wanted. I titled my talk “Please Step Away from the Binaries: Educating Security.” I have been thinking about a way to incorporate what my wife has been doing for the last 6 years in the space of Response to Intervention with my passion for information security. When looking at the common “People, Process, Technology” diagrams it came to me that security often misses the People part.

So I put together my thoughts on how information security professionals can improve educational opportunities, thus improving security. If you weren’t at the event, which was fantastic, you can see my talk here. My talk starts around 9 minutes in, but if you aren’t familiar with the concept of BSides it is good to watch the introduction. I want to thank all the people who worked very hard to put BSidesCLE together, and the other speakers and participants who made things interesting. I look forward to the next BSidesCLE.

I am going to try and put my thoughts into a series of blog posts and begin to expand on areas I didn’t get very detailed in during my talk. I look forward to hearing your thoughts on this talk and the ideas around security education programs.
