2011
04.22

A week has passed since I attended Notacon 8 in Cleveland, Ohio. Not only did I go, I got to speak on my own and with my son. In 2010 I attended my first Notacon, which also happened to be my first ever public speaking experience. The experience was phenomenal and so I knew I not only wanted to go back this year, I also wanted to speak again. If you haven’t been to Notacon before you are truly missing an experience. You never feel like you have to be anywhere, but you want to be everywhere. Because of this laid back type of atmosphere you also get to connect with people in so many ways. So as I prepared my talk proposal for this year, my son came to me and said he wanted to do a talk with me. Being that my son was 9, I was a little taken aback.

Just so my son wouldn’t be completely heartbroken I contacted the organizers and asked if they would even consider a talk given by a 9 year old and his father. The response I got back was what I would expect from the organizers: “If it is interesting, absolutely.” With that out of the way my son and I sat down and hashed out our talk proposal, which we then submitted. I also submitted a similar proposal for a talk I was submitting to BSides Cleveland. When I got the email that my son and I had been selected to give our joint talk I ran into my son’s room and woke him up, or should I say he leaped out of bed and started shaking with joy. Over the next few months we outlined, rehearsed, and designed the slides.

The day of our talk came and we set out for our adventure. Our talk was going to be very early in the day so my son, and mostly myself, would not have time to get nervous. We decided that since our talk was titled “One Bad Cookie” we should bring cookies to hand out. From my point of view the talk went very well as my son eased into his thoughts and talked like it was just us having the same conversation we had been practicing the last two weeks. The audience was great, and more importantly throughout the day everyone we came in contact with was welcoming to my son. He wasn’t the only kid there, but he wouldn’t have felt out of place even if he was. That is what makes Notacon such a great (and, for me, local) event that I will always find time in my schedule to go to.

When the video is available I will post it here and would love to hear any and all feedback. If you weren’t in the talk let me give you a teaser. There are things that make us aware we want to make something better, and in our youth we have the spirit to tackle those challenges. As adults we need to not only recapture that spirit, we need to help foster it and not push too hard to make kids just like us. I don’t want to give the rest away so you will just have to wait a little longer to see it with your own eyes.

There are two ways I know this year’s Notacon was a success. First, I came away with a renewed passion to want to learn more and expand into places I hadn’t thought of before. Second, my son walked out of our talk and wondered what we could present on next year. Not only did he ask that, he has been asking questions about what he learned and wants to know more. So this is a big thank you to all the people in the planning, execution, and participation of Notacon 8! You all know how to make a con not a con.

2011
02.28

My second month of trying new recipes is coming to a close. This month I started to try some sweet things along with appetizers and main dishes. One of my sweet creations was a red velvet cupcake with cream cheese frosting. Of course my kids loved them and declared they were the best they ever had, but I was interested in what my wife thought. After tasting the cupcakes she said the frosting was outstanding, but the cupcake was a little dry. I knew the first batch I had cooked was probably in the oven a minute or two longer than it should have been. A little later in the evening one of my sons said “daddy’s homemade cupcakes were sooooooo good.” My wife responded to me with “wait, you made the cupcakes from scratch also?” Although she thought I had slightly overcooked them she felt the recipe was really good and was impressed.

It is funny: usually when I make cupcakes, cake, or brownies for that matter, I start with a box mix. These are easy, as you usually just need to add two or three items, mix, and toss it in a pan. After tasting my cupcakes though I can see the difference over the pre-made mix. This also can be the case in information security. We are constantly inundated with ads, information sheets, and phone calls where we are told that we can use a product that will solve our problems. For a time these may meet our requirements and get us up and moving with the speed we may require. However, after you build a solution from scratch you start to see where these “boxed” solutions don’t satisfy your new tastes.

Along the same lines, using fresh ingredients also can make a big difference. There is a definite taste difference between herbs and foods that come pre-packaged and ones that you may grow in your own home garden or get from a fresh market. Many times once you make something with those fresh ingredients you don’t want to use the pre-packaged ones again. Just like in cooking, it is important we use the right ingredients in our security programs. Even when you need to use those “boxed” products you can certainly enhance their functioning through your own home grown security experts. Cultivating the people in and around your security program will ensure that no matter what you have to start with, the final product works the way you need and want it to work.

We can’t be afraid to branch out from those things that make us comfortable just because they are generally foolproof. Sometimes taking that chance and trying something new, making it from scratch, will not only surprise us but will also lead us to become more aware of how all the ingredients work. Thinking in terms of People, Process, and Technology, we don’t want to use the box solution in all three. Let’s use the ones we make from scratch to enhance those areas where we find we need to use the box solutions.

2011
02.18

So today I had the pleasure of giving a talk at BSides Cleveland. BSidesCLE was held at the House of Blues, which turned out to be a great venue for this event. The speakers’ room was very large and allowed the participants to be relaxed. At the same time the lobby was a great place to kick back and chat with people if you wanted. I titled my talk “Please Step Away from the Binaries: Educating Security.” I have been thinking about a way to incorporate what my wife has been doing for the last 6 years in the space of Response to Intervention with my passion for information security. When looking at the common “People, Process, Technology” diagrams it came to me that security often misses the People part.

So I put together my thoughts on how information security professionals can improve educational opportunities, thus improving security. If you weren’t at the event, which was fantastic, you can see my talk here. My talk starts around 9 minutes in, but if you aren’t familiar with the concept of BSides it is good to watch the introduction. I want to thank all the people who worked very hard to put BSidesCLE together, and the other speakers and participants who made things interesting. I look forward to the next BSidesCLE.

I am going to try to put my thoughts into a series of blog posts and begin to expand on areas I didn’t get very detailed in during my talk. I look forward to hearing your thoughts on this talk and the ideas around security education programs.

2011
02.11

My wife told me an interesting story the other day. She had gone to a drive thru to get a cup of coffee. The car in front of her was an older car and it was a very cold day. As the driver attempted to pull forward to the speaker his car stopped. We have all been in a drive thru and can understand the frustration which would follow when a car becomes disabled; after all, we are there because we want fast service. Yet my wife said the driver hopped out of the car and quickly corrected the problem. She said the whole ordeal took less than half a minute, and really wasn’t too bad.

Yet the person behind my wife felt those few seconds were too long and drove around not only the broken-down car but also my wife. The story doesn’t end there however. After the vehicle that jumped ahead in line placed a rather large order, the man in the broken-down car skipped in front of him. The broken-down driver paid for the order, took it, and drove off. My wife now had to wait for a very confused drive thru crew to sort out what had happened just to get her cup of coffee.

Besides the pure entertainment of the story I saw a point. In information security we are tasked with protecting our organization’s assets. Each time an attacker attempts to break into our system we analyze their efforts and adjust our security posture to stop their next assault. For an attacker that just wants the quick hit this would be enough to ward off future attacks. However, given a determined attacker the shift in security will only slow them down and may aggravate them. Not that I am against causing a little stress to the aggressor, as long as we understand the consequences. In implementing security measures we can’t just focus on the immediate threats; we need to understand where all our weaknesses may lie.

We shouldn’t analyze an attack just to see how it was attempted; we also need to analyze what the end game was. Even if the end game wasn’t indicative of a determined attacker, we still need to ensure that we evaluate our weaknesses. I don’t mean to imply we should sit around and wait to fix our systems just so we can cover all the bases. We need to make sure that as we apply new measures we continue to evaluate where we may get hit next. Also, we need to remain on guard for a change in tactics and watch incoming traffic for new patterns. Just like a game of chess we need to see our opponent’s next moves before they do, otherwise we are just tossing resources with no hope for returns.

The man who skipped ahead in the drive thru was in a rush and was more concerned about his time than that of all the people in line. Had he waited a few more seconds and not reacted out of haste everyone could have had their order and been on their way. Instead, the people who were patient ended up victims. Mr. Breakdown ended up spending a lot of money he didn’t have to in order to make his point. The point being there was a higher cost to everyone based on one bad decision. Keeping a level head is what will keep professionalism in information security, and information security a valuable asset to our organizations.

2011
01.31

So as I mentioned in my first post of 2011, I decided to make a resolution to try a new recipe each week for the year. Don’t get me wrong, prior to this I knew how to cook; it was just a somewhat limited menu. So one month in I have expanded my recipe box by 14 items. I have cooked or baked a range of items and I am starting to learn a few things. One important thing I have learned is there are two things that make me nervous when trying something new. The first is when the cooking time is a range, which means I have to make a judgment call. The second thing that makes me nervous is the phrase “Season to Taste.”

I am still learning the way different spices add flavor to the food, so season to taste means I have a much greater chance of failure. A perfect example is when I was making a sweet potato mash my wife had heard about on a cooking show. The recipe called for zesting an orange. It is very easy to add too much zest, and the first time I made the mash I over zested. However, in my failure I learned a valuable lesson that will help me in the future. Just like in cooking, there is a “season to taste” aspect to information security.

Anytime you try a new security product or architecture there is a time where you need to tune it to your environment. Each organization defines what level of risk they will accept, and the information security strategy should support that assessment. This means when you add new features you have to make sure they support the acceptable risk. First you build the solution in a test environment and see how it works. Then you begin to adjust the settings until you find the point where it meets the organization’s objectives. Once you have it properly “seasoned” you put it into the production environment and monitor it to ensure it operates as expected. Just like any good recipe, over time you begin to add or remove functions/settings to make it operate even more effectively.

Although it may seem cooking and security have nothing in common, it would appear we can learn a little about each from the other. I suppose that is why others often use the phrase “bake security in.”

2011
01.28

Driving home a few days ago I happened to be in the left lane, aka the passing lane. The highway split off in two directions and I found myself behind a tractor trailer. I soon found that the tractor trailer was moving slower than the middle and right hand lanes and the people behind me kept switching to the middle lane to get around the truck. If you have ever been in this position I am sure you find it frustrating because no one will let you get over, being the person directly behind the truck. This went on for more miles than was reasonable for the driver ahead of me to be staying where he was. Finally the driver moved over and I was free to resume a more reasonable pace to get home to my family.

Of course all was not lost being trapped behind the truck. It made me think about controls, and how often we let old, slow moving controls continue to live. In IT and information security things are moving at a rapid pace, although sometimes we are just reviving old technology with a new name. The point is we can not just design a control environment and then let those controls run till the end of time. In the same respect, we shouldn’t let our auditors fall back on the controls they are most comfortable with just because they have worked in the past. From my time auditing local governments, I found people were reluctant to change a control even when it no longer was efficient or effective. The reason behind this was always “The auditors look for that.” From the perspective of an attestation, an auditor shouldn’t be the one to designate the controls; rather, management should. It is then the auditor’s job, with the assistance of you, the client, to show how those controls effectively do their job.

This means we constantly need to re-evaluate the controls we have in place to see if they make sense. When the technology behind the intended control changes, the control itself should be updated as well. This doesn’t mean the old controls go away; rather, the old control should be enhanced. If you properly document the rationale behind your controls and ensure they are effectively controlling the environment, there should be no problem convincing your auditors. The key to getting audit to buy in is being transparent about how the control works and educating them as to why other controls don’t work. People often want to complain about auditors and their checklists, but if we don’t constantly ensure our controls are current with business needs and technology we are asking the auditors to just bring along the checklist.

Keep those older controls in places they are still effective, but don’t be afraid to update controls when the environment warrants the change. Remember controls aren’t for the auditors, controls are to protect your organization.

2011
01.02

Half Baked Security

Welcome to 2011. A new year, one certainly filled with new threats to systems housing information assets. Does this mean we should all despair? In short, no. First, though, I want to talk about cooking. I have recently taken to cooking new things. When I first got married I knew how to cook only two or three things, and over the course of time my wife has taught me how to make a few more things. Still, I find from week to week I make the same things on a regular basis. Inspired by the many cooking shows my wife and I watch I began to try new ingredients in my standard menu items. In the last few months I have picked up some new recipes that have met with some success.

As the new year begins I have resolved to try a new recipe at least once a week, ensuring by the end of the year I will have almost two months of dishes under my belt. What I have come to realize is that when restaurants have their tried and true recipes that people rave about plus those unique specials that only come around a few times, they are highly successful. That doesn’t mean it always is successful, but that formula seems to be the best. When you think about it, if a restaurant always served the same thing and then a new restaurant opened next door with something new, the established place is likely to suffer. Given enough time the original establishment will become just another place to eat.

Just like cooking, managing information security requires tried and true methods mixed with new techniques. Attackers are always looking for a way in; that will not change. So making it more difficult to find your vulnerabilities is critical in thwarting many of the attacks. When you rely on the same methods that everyone else is using it becomes easy for attackers to develop a scripted attack methodology. Furthermore, if they know your response techniques they can stay several steps ahead as you try to stop them. If you mix things up, add new techniques, and think ahead of the curve you may throw them for enough of a loop that you get the upper hand. At a minimum, your systems become less desirable as a target to many small time attackers because there is a higher risk of detection.

Staying ahead of the curve, and of the type of thinking used by attackers, is exactly the type of response we need to add to our mix of security methods. In cooking, I was afraid to try new recipes for fear they would taste bad. Fear kept me from being successful not because I couldn’t do it, but because I wouldn’t do it. In this new year we need to take the reins and understand we can’t always have the upper hand, but we can gain it more frequently if we stop being afraid and start challenging ourselves and our industry. Let’s share our new recipes, improve on each other’s, and make progress in 2011.

2010
12.10

The Recap

A man reported his phone accidentally dialed his ex-wife from his pocket and was concerned because he had a protection order against his ex.

The Lesson

A protection order is a pretty serious thing, and breaking it can be serious as well. Sure, the guy was the one who had the protection order against someone else, but the contact still could have serious consequences. As security professionals we need to ask ourselves if we know who our systems are communicating with. There are many concerns with the information going out of our networks. There are regulations that require customers to be notified when a breach occurs. Other regulations require the safeguarding of personally identifiable information. However, extracting information isn’t the only traffic that can go out of our networks. As evidenced by recent events, there are more and more attacks using armies of other people’s machines. We can take the time to secure our most valued assets, but if we don’t monitor what is going out of our network the organizations we work for may suffer a damaged reputation. We need a good balance of ingress and egress filtering, while at the same time having a good balance of what we are monitoring. Make sure the next call your network makes isn’t one with serious consequences.
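To make the “know who your systems are calling” point concrete, here is an added example of a small egress check, not code from the original post. It runs a simple outbound policy (only web ports may leave the network directly, and a large single outbound transfer is worth a look) over a handful of constructed flow records in a key=value format of my own choosing; the addresses, ports, threshold and record layout are all assumptions for illustration.

```python
"""Egress monitoring over constructed flow records (added example, not from the post)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample flow records (not real logs). Fields are assumed:
# timestamp src=... dst=... dport=... proto=... bytes=...
SAMPLE_FLOWS = """\
2010-12-10T09:01:12 src=10.0.1.23 dst=198.51.100.10 dport=443 proto=tcp bytes=5120
2010-12-10T09:01:40 src=10.0.1.23 dst=198.51.100.10 dport=80 proto=tcp bytes=900
2010-12-10T09:02:05 src=10.0.1.57 dst=203.0.113.77 dport=6667 proto=tcp bytes=400
2010-12-10T09:02:30 src=10.0.1.57 dst=203.0.113.77 dport=6667 proto=tcp bytes=380
2010-12-10T09:03:11 src=10.0.1.88 dst=192.0.2.200 dport=443 proto=tcp bytes=734003200
2010-12-10T09:03:50 src=10.0.1.23 dst=10.0.5.9 dport=3306 proto=tcp bytes=2048
"""

# Assumed policy: internal ranges, the ports hosts may reach directly, and a
# per-flow volume above which an outbound transfer deserves a second look.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
ALLOWED_EGRESS_PORTS = {80, 443}
VOLUME_THRESHOLD_BYTES = 100 * 1024 * 1024


@dataclass
class Finding:
    time: str
    src: str
    dst: str
    dport: int
    reason: str


def parse_flow(line):
    """Turn one 'timestamp key=value ...' record into a dict with typed fields."""
    time, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    return {
        "time": time,
        "src": fields["src"],
        "dst": fields["dst"],
        "dport": int(fields["dport"]),
        "proto": fields["proto"],
        "bytes": int(fields["bytes"]),
    }


def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def check_egress(text):
    """Apply the egress policy to every record; return the flows that break it."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if is_internal(flow["dst"]):
            continue  # internal-to-internal traffic is outside the egress policy
        if flow["dport"] not in ALLOWED_EGRESS_PORTS:
            findings.append(Finding(flow["time"], flow["src"], flow["dst"], flow["dport"],
                                    "port not permitted outbound"))
        if flow["bytes"] >= VOLUME_THRESHOLD_BYTES:
            findings.append(Finding(flow["time"], flow["src"], flow["dst"], flow["dport"],
                                    "unusually large outbound transfer"))
    return findings


def findings_by_source(findings):
    """Count findings per internal host so the noisiest caller is obvious."""
    counts = {}
    for f in findings:
        counts[f.src] = counts.get(f.src, 0) + 1
    return counts


if __name__ == "__main__":
    for f in check_egress(SAMPLE_FLOWS):
        print(f"{f.time} {f.src} -> {f.dst}:{f.dport}  {f.reason}")
    print(findings_by_source(check_egress(SAMPLE_FLOWS)))
```

On the sample above the two connections to port 6667 and the 700 MiB transfer are reported; the web traffic and the internal database connection pass. A block-by-default egress rule on the perimeter would stop the first kind outright, but the volume case shows why monitoring what does leave still matters even when the port is allowed.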

2010
11.17

So your audit report has been issued. Sure, you may have received some issues, findings, or control weaknesses in either a letter to management or in the audit report itself, but the auditors are gone. Well, don’t celebrate too much too fast. If your audit gave you a clean bill of health you can throw the party, but remember you must remain diligent on your controls. After all, the auditors may be done for now but they will come back. If you did have items noted to your management or in your report you have more work to accomplish. You may or may not agree with your auditors but when the next audit comes around one thing is certain: prior audit findings will be scrutinized.

Depending on your environment or the type of audit, audit findings may trigger some ongoing monitoring by the auditors. Other times you are left to adjust your environment while the auditors are absent. Regardless, simply disagreeing with your auditors and taking no action at all will be disastrous. You may recall in a previous post I talked about tone at the top as a control. This is one of those areas auditors look at critically, because if you just leave audit findings in a report, tucked away in a drawer, they will have little confidence you have a well controlled environment. How then do you approach addressing your auditors’ concerns?

The first and best advice I could give is start right away. If your auditors were good and alerted you early to what they found you could even begin to address the issues before your auditors leave. When things are fresh in your mind you are better equipped to tackle them. Waiting for a week, a month, or a few months down the road could be the difference between getting repeat issues or an off the record “Atta boy” from the next auditors. This means you need to really understand what your auditors meant in their findings. One caveat: auditors can not tell you how to do something (unless they are regulators) as their independence could be compromised. They can however tell you generally what they would expect to see for the issues to be resolved. This is important to understand because if you miss the mark, you will have done the work in vain.

Next, take the time to re-evaluate your entire control environment. You may be wondering why I would recommend that; after all, the auditors told you where to look. Depending on the type of finding, you may have had a catastrophic failure of multiple controls, where the single one identified by the auditors was just the tip of the iceberg. On the other hand you may find just one control failed and you didn’t have any other controls to prevent a complete failure. Either way, looking at the overall environment may be critical in solving the problem. Let’s look at a catastrophic failure. Was the control failure caused by a series of events that could not have been foreseen, something that only occurs once every hundred years? If that is the case the cost/benefit of correcting the failure may not be worth the effort. What if the catastrophic failure occurred because the people performing the controls don’t understand their responsibilities? That is an entirely different story, one which may play out audit after audit. Each of these should be addressed very differently.

In the case of a single control failure, why did you only have one control? There may be a rational and completely justifiable reason, or you may have overlooked the possibility that the control could fail due to its design. I remember auditing the payroll at a small city which had a small finance department staff. There was a payroll control which indicated any staff member submitting for overtime needed to have approval from the payroll officer, but a lack of approval did not prevent the pay from being distributed. I think we can all see the flaw here, and may even question whether this is a control since it doesn’t prevent an action. Regardless, the payroll officer went on vacation and a water main broke, requiring several employees to work overtime. With my luck as an auditor I happened to pick a payroll transaction during this time period and discovered the complete failure of the control. In response to the audit finding, the control was modified to add a backup to the payroll officer, but the pay still could be distributed without the signature.

Whether it is a catastrophic failure of many controls or a failure of a single point control, understanding how the entire control environment works is critical. Not only can you correct issues the auditors found, you may find potential areas of future weakness and correct them before they fail. There is an art to getting through an audit, but sometimes the masterpiece isn’t completed until you clean up all the paint drips.

2010
11.12

It is fall here in my neck of the woods, which means the leaves are changing and falling off the trees. It makes for a great time driving with all the bright colors. Driving in to work a few days ago I passed a place where all the leaves had fallen off the trees and I was able to see a house set back that is normally not visible. This reminded me of a house I had seen years back.

While doing an audit of a small township I would regularly pass a drive with a gate and fence that vanished into a dense forest. One year I was performing the audit after the leaves had fallen. As I passed the secured drive I noticed the fence went into the trees about 100 feet on either side and then stopped. I had never noticed this before because the trees had obscured my view. It struck me as odd that someone would go to the expense of putting up an elaborate gate and very nice fence, only to have it end not too far after it started. In retrospect it doesn’t seem as odd.

We always hear about security through obscurity. The idea is you gain some level of security by obscuring what you have or what you are doing. A great example of this is when you remove any identifying information from an error message on a website so that a person doesn’t know the operating system or applications you are using. Of course a determined attacker can fingerprint your system to figure it out, but you make them go the extra step. Now back to my illustration. The trees, for at least half the year, provide the illusion that the security fence surrounds the home that wants protection. This will likely deter most people who would want to get in, but a determined person would follow the fence and find the point of weakness. Has the resident achieved a higher level of security? It all depends on perspective.
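The error-message example deserves a concrete form, so here is an added illustration (my code, not from the post or any particular web framework). It puts the leaky response beside the hardened one: the first hands the client a stack trace and version banner, the second returns only an opaque reference and writes the full detail to the server log, where it helps the defender rather than the visitor. The framework banner string and the sample fault are constructed; the server-side log is what keeps this from being obscurity alone, since the detail still exists for whoever is watching.

```python
"""Generic error pages that keep detail for defenders (added example, not from the post)."""
import logging
import traceback
import uuid

log = logging.getLogger("webapp.errors")


def verbose_error_response(exc):
    """The leaky variant: traceback and a version banner go straight to the client.

    Returns (status, headers, body). The banner value is constructed for illustration."""
    trace = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__))
    headers = {
        "Content-Type": "text/html",
        "Server": "ExampleFramework/1.2 Python/3.x",  # constructed banner, the kind to avoid
        "X-Powered-By": "ExampleFramework",
    }
    body = "<html><body><h1>500 Internal Server Error</h1><pre>" + trace + "</pre></body></html>"
    return 500, headers, body


def generic_error_response(exc, sink=None):
    """The hardened variant: opaque reference to the client, full detail to the log.

    Returns (status, headers, body, ref). `sink` is an optional list that receives
    the log text so callers (and tests) can see what the server kept for itself."""
    ref = uuid.uuid4().hex
    trace = "".join(traceback.format_exception(type(exc), exc, exc.__traceback__)).rstrip()
    record = f"ref={ref} {type(exc).__name__}: {exc}\n{trace}"
    log.error(record)  # the detail is not lost, it is just not shown to the visitor
    if sink is not None:
        sink.append(record)
    headers = {"Content-Type": "text/html"}  # no Server / X-Powered-By banner
    body = (
        "<html><body><h1>Something went wrong</h1>"
        f"<p>If you contact support, quote reference {ref}.</p></body></html>"
    )
    return 500, headers, body, ref


def demo():
    """Trigger a constructed fault and build both responses for comparison."""
    try:
        {"user": "alice"}["password"]  # constructed fault, raises KeyError
    except KeyError as exc:
        kept = []
        return verbose_error_response(exc), generic_error_response(exc, sink=kept), kept


if __name__ == "__main__":
    leaky, quiet, kept = demo()
    print("leaky body mentions KeyError:", "KeyError" in leaky[2])
    print("quiet body mentions KeyError:", "KeyError" in quiet[2])
    print("server log kept:", kept[0].splitlines()[0])
```

The reference id is the piece worth noticing: it lets a support request be tied to the exact log entry without the page itself saying anything about the stack. Stripping the banner is still only obscurity, as the post says, but pairing it with server-side logging turns the same event into something the defender can see.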

You could argue that reducing the number of threats has increased security. However, I would suggest the same “obscurity” that is providing security to the home owner actually provides security to the threat. When you talk about physical security, visibility is critical. If you can’t see the threat, how do you protect against it? The forest gives the threat cover to hide, while the resident feels they are secure. Now I will assume someone who goes to the expense of putting up a sophisticated fence likely has a security alarm system on the house itself. That said, the threat has all the time in the world to get as close as possible without being detected and search for vulnerabilities. Also, in the event the home is breached there is cover provided for a getaway, and if the home alarm system doesn’t exist or fails there is no fear of being seen by neighbors or people passing by. In essence the obscurity relied on by the home owner provides more security to the threat than to themselves.

The question we need to ask ourselves as security professionals is a simple one. Do we provide cover to a potential threat by allowing ourselves to believe obscurity gives us security? Obscurity can reduce the frequency of common threats and allow us to focus on the determined and targeted attackers. However, if we put too much faith in the security it provides we increase the risk rather than decrease it. Take the time to understand all the effects obscuring yourself has and consider whether the obscurity benefits a determined attacker. If we don’t, we may find the front door open and all our valuables gone.