2010
07.31

Three weeks fresh out of college and on the job as an auditor, I found myself in a very interesting situation. Auditing small governments was the staple for my first few months, and small governments (townships, villages, etc.) have some unique office buildings. In Ohio a township is the smallest form of “community” government you can have and is the least restrictive in regulating its residents. This is perfect for places like farmlands or low population areas. I was auditing a township and their township hall was a very old building. All the doors creaked when you opened them, paint was falling off the wall, there was very little lighting, and if you plugged more than three things in you popped a fuse. If you didn’t know better you might think the place was haunted.

Three days into the audit, a third auditor stopped to drop off some work papers for my supervisor to review. Faintly from the door on the first floor we could hear her calling for us. When I got to the door she looked freaked out, and told me there was no way she was coming into this place. I couldn’t blame her; had I not been so focused on getting my work done and making a good impression, I probably would have noticed how creepy the place seemed. My supervisor came out to the parking lot to get the work papers and we all had a laugh about this haunted town hall.

Fast forward three years. I was assigned a township which rented an old school building for a dollar a year as its town hall. I sat alone in the old cafeteria, and though it seemed slightly creepy I didn’t think much of it. Just two weeks and I would be on to larger projects. The first week went along normally, and the weekend came. When I got back to the audit site on Monday, part of the building had been transformed into a haunted house, as it is every October. This would not have bothered me, as it was a fairly large building, except the restrooms were smack dab in the middle of the haunted house.

Being 25 at the time, I should not have been as nervous as I was to find the restroom. Since it was an old schoolhouse, the floors were made of wood and creaked with every step. I looked for a light switch, but there were none I could find. I also forgot to mention that the first day was a dreary, rainy day, making it that much darker in the building. It was silly that a grown man couldn’t just walk right into the haunted house, but it just didn’t feel right. I gathered my courage and walked in. At first it was easy; the setup actually seemed pretty basic. As I got closer to where I knew the restrooms were, though, I realized I was in complete darkness and I could feel things that didn’t seem natural. When I reached the restroom door I quickly rushed through it and was happy to see the window had not been covered up. My heart was racing, and as I turned to make the return trip I was moving a bit faster. Irrational as it may seem, I was completely alone in the building and the creepy factor was off the charts.

Just before I reached the exit my pager went off. I would like to say I kept my calm, but I ran like a little boy trying to find his mom and dad’s bedroom door in the middle of a lightning storm. That’s right, I am not afraid to admit that I was scared beyond sanity at the age of 25. My wife and I had a good laugh that night over the tale, and my co-workers ribbed me for weeks. It just goes to show that the auditor sitting across from you may put fear in your heart, but they are human and have fears of their own.

2010
07.30

The Recap

Two carnival workers called the police for directions across town after the carnival they were working for left town without them.

The Lesson

It seems a bit extreme to call the local police station for directions. I mean, there are plenty of places these two people could have walked to ask for directions. Instead they did the simplest thing they knew to solve their problem: they called 9-1-1. Who knows a community better than the police department, right? It should come as no surprise to us, then, that when people have issues with their computers they call the first person that comes to mind. As security or technology professionals we are the stewards of that which we work to maintain and defend.

It can seem tedious sometimes when we are asked to help with those “help desk” tasks, but in doing those little things we go a long way towards making people comfortable with technology. We ask family, friends, and co-workers to trust us and take the steps we suggest to become more secure. In doing so we have to build trust, and sometimes the best way to build trust is to help with the little things first. Not only do you build trust, you build confidence in people so they feel like they can handle what they don’t understand. Calling 9-1-1 for directions is not advised, as it takes resources away from the real emergencies; however, to the two people left in a strange place, the idea of an emergency probably jumped out the window. If we help with the little things, we may get help solving the bigger issues.

2010
07.24

I had an excellent experience today with my family. We took the time today to visit COSI (Center of Science and Industry) for the first time as a family. Despite the varying ages of our kids, it seemed each display had something for everyone, but I digress. Among the many inspirations you could find in a place about science, I found two items I thought touched on the “science” behind information security. This isn’t to say you couldn’t relate these to other facets of our lives; I just found them very relevant to the infosec community. When you hear people refer to the “science” of infosec, they always talk about the ability to recreate your methods and achieve similar results. I am taking a slightly different approach.

The Foucault pendulum

As a kid I remember the first time I saw one of these large pendulums swinging back and forth and knocking over dominoes at certain time intervals. The point of the whole experiment is to demonstrate the fact that the earth is rotating beneath us, and though it may appear everything in the sky is moving around us, we are actually the objects in motion. Looking at the pendulum at any given time of the day, it will appear as if the pendulum is not swinging in a straight line, but in a more curved motion. However, the pendulum never deviates, and thus shows that we have moved; our perspective has changed.

As skilled professionals we sometimes lose sight of the fact that we are not moving; it is the world around us which moves. Sometimes we want others to bend to our will, and find we have a gap that never seems to be filled. When we understand the world is moving, setting the pace, we can adjust our methodology and find ways to anticipate where we will end up. In the display of the Foucault Pendulum, the items to be knocked over are purposely placed; in real life, when we anticipate where the world around us is going, we set ourselves up to be in the right place at the right time. Then when we knock down each challenge, we move ahead to anticipate the next “right place.”

The Car and The Lever

The idea behind using a lever, or gaining leverage, is to take an object which seems near impossible to move under normal circumstances and multiply the energy available to move the object. Huh? Let me use the experiment to demonstrate. There is a car sitting on a platform which is attached to a very long, and large, lever. The lever is attached to a stand near the car, and at two intervals after the stand are ropes hanging down from the lever. Perhaps click here to see what I am describing. The first rope is roughly the same distance from the stand as the car is from the stand. Pulling on this rope will result in a lot of sweat, but not much progress on lifting the car. Now you move to the rope at the end of the lever, which is approximately two times the distance from the stand as the car, and suddenly you find you can actually lift the car, which is technically not humanly possible.

The words don’t match the visual, but what struck me was the idea that we don’t always leverage all our tools or the skills of the people around us. We are constantly trying to solve the day’s problems and, as in the pendulum example, stay ahead of the curve. It is no wonder we don’t always try to utilize all the tools at our disposal, and in the end try to move the unmovable. This isn’t to say we outright ignore what we have around us; we just don’t always see how we can gain leverage over our challenges. Using minimal energy to achieve a result that seems impossible is a goal we all would love to attain.

Applying Science

We need to stop and assess our tools and the resources around us, learning to leverage all of them to achieve our goals. This means having the time to make the assessment, but the point of leverage is that a little bit of planning means a lot less energy overall will be used and we do the impossible. Given that we can leverage our resources, we are more likely to get ahead and find we can be in the right place at the right time. Since we are there to address the next threat before it occurs, we expend less energy and gain more leverage. You may be saying right now, “hold on, a perpetual motion machine is not possible,” but that shouldn’t stop us from trying to find one, right? I mean, if no one ever tried to find a way to move the unmovable, we wouldn’t be talking about gaining leverage today, now would we?

When thinking of science and information security, maybe we need to think more about innovation and not just reproducing results. Just a thought; I am interested to hear yours.

2010
07.09

Over the weekend I decided to clean the grout on our kitchen floor, or should I say my wife wanted me to. Either way, it needed to be done, and oddly enough my kids volunteered to do it. They canvassed the floor and in ten minutes declared the job done. Knowing it needed more than a quick once-over, I thanked them and then set out to do the task. Getting grout on a kitchen floor clean takes a lot of elbow grease, so I started in the places that looked the worst.

First up was in front of the sink and stove. I pushed the grout brush down hard and made sure nothing could survive my fury. Next were the main entry points from outside to the kitchen; even the best placed rug can’t keep dirty shoes from tracking in the great outdoors. I finished my most focused attack under the kitchen table and counter bar stools, both of which collect the various food projectiles from little hands.

Having exhausted most of my strength, I then went to the low traffic areas. The dirt was much less prevalent here and came up with ease. In all, the floor looked a lot better, and I used my resources wisely. While surveying my work, the analogy to risk management and information security hit me. My kids’ focus was on getting coverage over the entire floor with even energy. I, on the other hand, focused my energy where it was needed most first.

This made me wonder how much we rely on a risk based approach to using resources. I am not saying it is an end-all, be-all, but how often do we waste resources simply to say we have coverage? Sometimes it is easier to just cast the net wide; it saves the headache of explaining the approach. However, in taking that approach you may not adequately cover the real threats.

Now before you start cursing me for missing the obvious, compliance can muddy the waters. Sometimes you have to cast your net wide to “pass”. However, if you rely on compliance to ensure you are secure, you are headed for potential disaster. First off, the definition of compliance changes, so compliance today doesn’t ensure compliance in the future. Second, compliance is general, not specific to your organization, so you are meeting high level requirements only. I would suggest that if you target your resources properly you can still achieve compliance, and not just in the short run. That said, don’t blow all your resources on focused solutions; you still need some generalized solutions to cover your lower risk assets.

As I said at the start, this isn’t a guaranteed methodology, but it is one that seems to make sense. The grout in my kitchen wasn’t perfect when I was done, but it was much better and I feel better about those troubled areas. Wisely implementing our information security resources using a risk based approach won’t just make us feel better; it should make us more secure.