2012
10.26

So I just got back from Northeast Ohio Information Security Summit where I gave a talk on “Baking in Security”. I give a similar talk with the same title back in April at Notacon which you can see here. Once the video link becomes available for my more recent talk I will update this post. The short of my talk is that infosec professionals can learn a lot about infosec by baking or cooking.

During both talks I referenced several recipes and at my most recent talk got called out on if I had any links to the recipes. What follows is a list of those recipes along with some of my other favorites. Most of these recipes I found on allrecipes.com which has become my goto place when I really need to get a recipe that isn’t overly complex.

The Moist Carrot Cake recipe is what you see me make during the talk and I use this Cream Cheese frosting to top it off. At my more recent talk I mention a Vegan Carrot Cake recipe I have tried. I tried to make a vegan buttercream frosting which failed miserably so I am on the hunt for a vegan cream cheese frosting to rival my old standby. I really challenge you to see if there is any major difference in the taste of either cake, taking in account for the frosting.

Another recipe I mention in my talk, which I think is my favorite by far over the last almost two years is Amatriciana. I have made a few modifications to the recipe, the most significant is using a full 12-16 oz of bacon instead of four pieces. The other modification I have done is to make the exact same base sauce but with Italian Sausage, which I add sugar in to reduce the tomato taste. I don’t put noodles in this but use it as a topping for the base pasta. I only do the sausage sauce occasionally as the base recipe is tasty on its own.

The recipe that has surprised me the most would be Brussels Sprouts. I have a dislike of green food, or at least I did until I started cooking. My wife found this recipe and thought it looked good so I made it. Not only did I like, my 11 year old son will eat them.

Since my kids inspired me to start down the path of learning new things to bake and cook I would fall short if I didn’t mention their favorite breakfast recipe. These Crepes are by far the most made item of my new recipe box, and you don’t need to buy a special fancy crepe pan for it to work.  My kids love to take these crepes, fill them with the cream cheese frosting I mentioned above along with bananas, strawberries, blueberries, and then roll them up and put some maple syrup on top. It is always flattering when their friends spend the night and wake up chanting “Crepes!”

I also mentioned I made a recipe @gdead posted for French Bread. This turned out really good with the exception of an error I was able to correct. This recipe has cups and teaspoons for measures but the temp is in C instead of F some make sure you pay close attention.

A more recent favorite is this Tangy Grilled Pork Tenderloin which is so much better if you let it marinade for a day or two. If you need to use up the honey then you can also make Sweet, Sticky and Spicy Chicken. If you don’t want the meat you can substitute in some sauteed eggplant or use this Eggplant with Garlic Sauce recipe.

It is funny how I have found cooking as a way to relax, I have also found it a way to better understand information security. Take a shot and make something new, you may just surprise yourself.

2012
07.19

A few weeks back our family went to the beach to have a week of rest and relaxation. We have a longstanding tradition when we go to the beach of digging a big hole near where our chairs and umbrella. This was born out of a need to contain our youngest son when he was just a little one. We would dig a hole big enough that he couldn’t climb out and wide enough so he had his own sandbox.  It may seem odd to you, but my kids enjoy it and that is what counts.

This year we took a little different to our hole digging. I should note that my youngest is 4 years old and no longer requires her own sandbox so the hole is more to stake our claim on the beach than for containment. On the first day we dug a hole as deep as we could, and on the second day we did the same but made sure it was at least eight to ten feet long. Now to answer a burning question I know you have, no we didn’t move our spot each day on the beach. The tide came up so high and so strong, as the full moon was out, the previous days hole would be completely refilled with sand. We would have a pristine beach to create something new each day.

It was on the third day that a new challenge was made. As I was digging out the beginnings of the hole my wife said “so how are you going to top yesterday?” I was stumped, I mean I could dig a moat the whole way around our beach gear but that didn’t seem too difficult. Then my youngest son, who we started digging holes for in the first place, said why not make a maze. The six year old had made the challenge and I had to make it a reality. He set to work drawing an outline of the maze and my 8 and 11 years old set to work digging. When it was done we had seven levels, the deepest being 5 feet in depth, and trenches that covered an area about 15 feet by 20 feet. We sat back and reveled in our creation, then went back to our condo and watched the tide take it away.

We skipped a day, and then on day five an six created new patterns in the sand a little bigger than the last. Kids from families around us would come over and play in the trenches or help us dig a new part. People walking down the beach would comment on our work, but only three phases were ever reused. The best comment came from a lifegaurd ridding down the beach on a four wheeler. He pulled up to the hole, peered over the edge and said “WOW! That is cool!” and then drove off. And each evening when we went in, someone would come over to the spot and stake a claim to it until the waters erased our days work.

Hello, where is the Security in this!

I am sure you are thinking “why am I reading a tale of your vacation.” There is security here, and now I will explain. Over the last year I have read blog posts and tweets regarding the futility of what infosec people do. We spend so much time building solutions only to have them almost immediately circumvented by someone determined to get at our data. You get the sense “why even try” has become the infosec mantra. Just like the ocean’s tide coming in and removing all my days work, we wake up each day to fight more infosec battles. The difference between what I did and what people complain about in infosec is I expected the end result. Yet knowing I would have to start fresh each day, I was inspired to create something new from scratch.

The other popular phrase in infosec currently is “It is not if, but when.” Knowing this, we need to come to work each day with the idea we are going to fight a new fight but what we learned from the day before will make the new days task stronger and better. We grow through failure, and as long as we have mitigated the risk of loss from that failure we can only get better. If we come in each day thinking “I already fixed this”, we set ourselves up to just repeat the previous days actions. Don’t just come to work each day ready to start over, you need to come ready to innovate ways to not just stop the current new threats, but threat others haven’t even thought of yet. Our passion to rebuild, innovate, and take on adversity will ensure that those who want our organizations crown jewels only get the costume jewelry.

The next time you are at the beach I challenge you to go dig or build something cool knowing the tide will take it away, then come out the next day and do it all over again. It just may be the therapy you have been looking for.

2012
06.29

No matter how you slice it, security cost money. Sure we can find solutions available that are free, but there is a cost associated with configuring, deploying, maintaining, and monitoring free solutions the same way those cost are there for fee based solutions. However, we tend to forget there is also a cost to the end user. This point was brought home to me in a real way not to long ago when I went to change the brakes on our van.

The Story

I tend to be a do-it-yourselfer with many aspects of my life. Even when I have never done something myself before, I will take up a task I think I am capable of performing. Part of this is driven by my desire to save money, but a bigger part of it comes down to challenging myself and the satisfaction I get from completing something most people don’t want to do. So recently, our van needed new brakes in the front. I have changed the brakes on my car several times over the years, so changing them on our van should be no big deal. Our van has alloy wheels, which cost more and so are more likely to be stolen than your standard rims. Thus the car company placed an added security feature of a locking wheel nut on each tire to prevent the theft.

As I was loosening the front passenger wheel the tire iron gave way and both the lock and the key shattered. I stood there shocked for a minute, and then went inside to look up how to fix this issue. My family knew something was amiss when I came in the house and darted off to the computer. A quick search revealed two answers, either take it to a mechanic who can break it off or purchase a non-key socket that can fit tightly over the broken nut in hopes of turning it. Not wanting to scratch the daylights out of the rim, I called a mechanic I normally use who told me the cost of the repair would be about $15 per tire, although it could be more based on amount of time it took. The problem they noted is that without the key I couldn’t get the remaining wheels off and noted I needed to find a new key or have them break all four off. I called the dealership where I got the car to see how much a replacement key was at the same time I was finding the order form from the manufacturer of the key/lock. Needless to say the dealership was going to charge me 4-5 times as much as directly from the manufacturer so I went the direct route.

After getting the new key two days later I took the car in and sure enough the mechanic got the nut off in under 15 minutes and had a new non-locking nut installed. All for a minimal cost, compared to what it could have been. I got the car back home, changed the brakes myself, and didn’t shatter any more parts in the process.

So What?

This whole ordeal got me thinking. There is obviously a concern when you put higher value parts on a car they will get stolen. So the car manufacturer looks at the potential of loss and says “Hey we can protect the value at the fraction of the cost to replace the part.” When buying a new car you are thinking “why wouldn’t I want to protect my investment,” and so you keep the security feature enabled (by default). The cost clearly outweighs the potential loss, or does it?

In my case, the car was in my garage and still drive-able despite the failure of the security feature. Sure my breaks were a little squeaky for a few extra days, but the car still had four tires and enough brakes to stop it for the time being. Consider a different scenario; however, one where some who has little experience changing a tire is driving down a road, away from home on trip even, and is no where near a place to get the car repaired. Either they hit something or the tire is just fatigued and blows out. The person pulls over and sets about to put the spare tire on when “CRACK” the lock and key shatter. Even if the situation is such that the driver calls someone to tow or change the tire for them and the person fixing the tire shatters the lock. You suddenly find yourself at the mercy of those who can fix the problem, and sometimes that means you get charged more than is reasonable because of the situation. In addition, you don’t know if another tire will blow out on your travels and may elect to remove the security from all tires just to play it safe.

The point being, given the best case scenario for failure of security measures, there is still a potential for panic. Given the worst case scenario; however, the reaction can be down right irrational. I look back at my situation and realize the cost to “fix” the security and maintain it going forward knowing there could be another catastrophic failure far outweighed the actual cost of what it was protecting. As security professionals, we often look at what we are protecting and only think about the risk of loss and what loss will cost. What we don’t always figure in to the equation is the impact (cost) the secure measures impose on end users. How often do we consider the cost when a security measure catastrophically fails on our end users? Perhaps stepping back and looking beyond just the need to secure something can helps us make better decisions on how to implement security.

In the end our goal as a security professional should be to ensure our organizations, understand risk they are facing, the best approach to minimizing those risks, and still deliver a highly valued service or product to the customer. My faith in the security measures placed on protecting the rims of a car has been shaken and I don’t know that I would choose to have the security implemented again. We can’t keep allowing security to be marginalized or dismissed because we don’t consider the risk our solutions potentially create and the subsequent added cost.

2011
10.01

Recently my 8 year old son had a soccer game where the ref didnt show up. Fortunately both coaches from his team were certified refs for the age group and one volunteered to help. The game was a tough match up but things went smothly, until the opposing teams goalie trapped the ball and then kicked it all the way into our goal. This was clearly not a goal based on league rules yet the opposing coach faught against the rule stating “other refs have counted those.” In the end our coach gave in and allowed the goal to stand as to not put the coach reffing in an awkward position.

Funny, when I was an auditor I used to hear this all the time. “The last auditor allowed us do do that.” My response always went something like “well I am not the last auditor.” I know this excuse is used a lot, not just in games or audits. How many times in infosec have you heard the phrase “we haven’t had to do THAT before.” So the question becomes is it wrong to enforce now?

We can’t and shouldn’t live by others judgements or mistakes. As information security proffesionals we have to do what is best for our organization. The basis for that are the policies and stanards that have been put in place. Sure there are times when we will accept risk because the bussines needs to opperate, but each situation must be evaluated individually. Risk acceptance should be understood by all parties each time a risk is introduced. Accepting it once will only lead to risk being aggregated above tollerable levels.

The coach on the opposing team was an adult and should have followed the rules. Instead he was more focused on winning. In the high stakes business world do we think adults make the right decisions? Running in a relaxed controls environment only leads to loss events and audit findings. Being an impartial ref is tough, but that is what makes us professionals.

2011
09.16

Does it feel like we are in an endless loop of breach notifications? Obviously we are not properly securing our systems. If we were there should only be a system breach once in a great while. Or is it that we are doing our job and the threat landscape is just that complicated. I often hear people say in reference to a breach that it is not “if” but “when”. So we have two opposing views about security, either we are doing it all wrong or we do it right and bad things just happens.

I was making pizza for my kids to have for dinner. I was in a hurry because I needed to get my kids to their sporting events. I grabbed an oven mit and reached in the oven and took out the first pizza. Then I reached in again and grabbed the second. Within a second my hand felt like it was on fire causing me to drop the pizza pan. I pulled my hand out of the mit and placed it under cold water. After a minute i put my hand back in the mit and put a pot holder over top of the mit which allowed me to pull the pizza pan out.

So what went wrong. The simple answer is the control failed. I used an oven mit which should have protected my hand from the heat, instead it gave me a false sense of security. However I don’t buy it. There are several things that may have gone wrong. The mit could have been old and the protection diminished. The pizza pan could have been made from a material that conducted more heat than the mit was rated against. I could have used the mit improperly in my haste to get my kids fed and out the door. I could go on, but I think you get the point. Despite the best controls there are many variables the work against us.

So do we throw our hands up and accept defeat. No. Instead we need to press forward knowing that no matter how much we do, there is always something else we should consider. No system of controls is perfect, just keep that in mind. I would hate to see you get burned like I did.

2011
08.19

Back in June of 2010 I gave at talk at the Northeast Ohio Information Security Forum titled “Who’s Afraid of the Big Bad Wolf: Accepting Audit as a Service.” Thanks to the guys at Security Justice I was able to dig up the audio from that talk.

And here are the slides.

 

I would love to hear your thoughts.

2011
07.08

A Chat with Ghostnomadjr

I gave a talk at Notcon 8 with ghostnomadjr, go check out the post at his site Notacon 8 Talk

2011
07.07

In April I gave a talk at Notacon 8 titled “Educating Security Means a New Approach”. This was a version of the talk I gave at BSides Cleveland in February. If you have seen the video or attended BSides Cleveland there is still value in this talk as there were many good questions at the end. I want to thank all involved in Notacon 8 again for such a great experience and encourage you to attend the next one.

If you want to talk further about the ideas I present feel free to contact me or post a comment.

2011
06.23

So you just built your sand castle on the beach. As the tide comes in you realize your creation will be knocked over. You are not deterred by this though, you move higher up the beach and start again. As the time passes you again realize the rising tide will take your castle down. You will not give up, so you go high above the highest tide line and yet again build your castle. Satisfied you are safe you go inside for the day.

However that evening you see a heavy storm out in the sea and the waves stir up so much they crash over your castle yet again. Not wanting to show defeat you go out the next day and build a castle well off the beach, and out of wood instead of sand. This stands for a few weeks until a hurricane blows in and wipes out everything in its path for miles inland. So you pack your bags and move far inland, then build your castle again out of wood. This stands for a time until a wild fire burns everything down.

Never one to be handed a loss, you travel farther in, in a vast clear valley and build your castle of brick. This castle lasts for many years but is continuously flooded destroying all the contents. Finally you move to high mountain top, and build the biggest, strongest castle. You spend the rest of your time here. But each night you realize you have forgotten what the sea smells like. You desire again to feel the sand between your toes. Yet you can’t leave the solid, secure home you have built.

What do we give up infosec to gain security. Do we take it to far, or do we find the balance. Can we build our solutions where others can enjoy them? Do we focus so much on security, we forget about the customer? In our isolation do we win, or do THEY win? Sometimes we just need to go back out on the beach and enjoy it.

2011
05.23

As security analogies go, one that I have heard often compares security to a piece of candy. The outside of the candy is hard and crunchy and the inside is soft and chewy. The idea here is the outer layer, the perimeter if you will, is hardened to protect us. This is the point we do most of our security “stuff” to keep the bad guys out. Of course once you get through the hardened layer of security the inside layers are much more gentle because we know you are supposed to be here so lets minimize any further disruption. Keeping this analogy in mind, I was battling the annual outbreak of thistle in my flower beds. This spring is especially bad because we did not get mulch last summer so there really is no layer to prevent this meddlesome weed from going full bore and consuming every inch they can.

For the sake of those who have never had to remove thistle, at first glance it looks a bit prickly but not overwhelmingly so. However, if you grab the weed without the benefit of gardening gloves you will quickly find the very sharp barbs digging into your skin. Even if you have gloves on, if they aren’t thick enough you will still feel the sting. Over the years I have found the best approach to removing these weeds is to actually expose the root, which has no prickles, and pull it from there. You may be thinking at this point why not chop it off and be done with it. Well if you do that the deep root of the thistle will just regenerate and you will be back to struggle with it another day. So getting down to the root and then pulling the whole thing out is the best approach I have found.

So we now arrive at my new analogy, in that security is like a thistle. On the surface where every can see, it is sharp and unforgiving, but below the surface it is soft and vulnerable. Since the systems we are trying to secure are meant to be accessed by someone there has to be a point of entry. The candy with the hard crunchy shell presumably has to have that shell broken in order to get to the inside. But allowing entry into our systems doesn’t necessarily break the security. This is why I think our security models lend themselves more to the likeness of the thistle. We try and bury our roots and place our security on the visible parts of our systems. However, given the proper amount of time and motivation someone can find a way to get at our soft roots. Either by circumventing the controls through means of a vulnerability in another part of our system, or through gaining user credentials in an unauthorized manner.

Another observation I made about the thistle, which ultimately led me to realize going at the roots was the best approach, is what happens when thistle grows in another plant. When pulling thistle out of some evergreen bushes I noticed the prickles did not start until after the plant exited from the cover of the bush. Sure there can be some pain by reaching into the bush itself to get at the exposed part of the thistle, but you can also move parts of the bush out of the way. This made me think about how organizations treat connections to third parties. Does your organization maintain the same level security when making these connections as other outside parties, or is a reliance put on controls at the third party to reduce your organizations security measures? If you are relying on the third party controls, how do you gain assurance they can not be easily thwarted in order to access your systems?

At the end of a day pulling thistle I don’t come away completely unscathed. My hands usually burn with some pain after grabbing the wrong part of the plant or working around the other protective bushes. That said, I will endure the pain to remove the overbearing weed just like a determined attacker will endure discomfort to gain access to a valuable asset. This means we need to evaluate all our entry points and make sure we put up the proper security measures so they can’t get to our roots. We can’t just rely on surface security, we need to get below the surface and make sure the pain continues before our roots are finally exposed.

Thoughts of a mad man or an interesting approach, you decide and let me know.