Introduction:  Changing the Paradigm

Lately, cyber-crime legislation seems to be in vogue. The Cybersecurity Act introduced by Senators Rockefeller and Snowe (S. 773), and the International Cybercrime Reporting and Cooperation Act, introduced by Senators Gillibrand and Hatch, as well as some serious talk in the European Union of creating a treaty to address cyber criminal activity, have caused me to put a lot of thought into what would make such laws or treaties successful, and what would cause them to be ineffective, or worse, detrimental. We should all be able to agree (based on solid research and evidence) that cybercrime exists, and that, as the Internet knows no legal or national boundaries, it impacts us all, whether we find ourselves in the Americas, Asia-Pacific Rim, or somewhere in any number of European, Middle Eastern, or African nations.

However, though we can agree on the existence and prevalence of cyber-crime globally, what we struggle to do and fail to agree upon is arriving at a succinct way in which to address, investigate, and prosecute it on a global level. As such, a truly international legal framework, one which scales and encourages all nations to participate while ensuring that proper recourse is taken and justice is being served without bias, is required now more so than ever before in human history. Legislation drafted in a vacuum, regardless of the intentions of those parties responsible for its drafting and creation, will only serve to cloud the already murky waters of prosecution while ultimately negatively impacting the ability of one or many nations to prosecute these types of criminals. A new era in thought and deed is required to usher in a formulaic, repeatable approach to prosecuting those actively involved in activities deemed ‘criminal’, while preventing those considering involvement from getting involved in the first place.

A Farewell to Arms: A New Era in Prosecuting Cyber-Criminals

The first premise of this treatise, I owe to a great conversation I had with Will Gragido of Cassandra Security, Inc. It involves basing the international cybercrime laws I’m referring to above in the RICO statutes of the United States of America. The Racketeer Influenced and Corrupt Organizations Act (commonly referred to as RICO Act or RICO) is a United States federal law that provides for extended criminal penalties and a civil cause of action for acts performed as part of an ongoing criminal organization. It was first enacted by section 901(a) of the Organized Crime Control Act of 1970 (Pub.L. 91-452, 84 Stat. 922, enacted October 15, 1970) and is codified as Chapter 96 of Title 18 of the United States Code, 18 U.S.C. § 1961–1968.

Originally, according to Gragido, its authors had envisioned it solely being used in prosecutorial endeavors targeting members of the United States branch of the Italian Mafia known colloquially as La Cosa Nostra. Its use has been realized beyond its initial purpose and continues to be used creatively by law enforcement in prosecuting others who were actively engaged in organized criminal activity. As a result, its application is much more widespread and effective than comparable legislation and traditional, perhaps even outdated, prosecutorial tactics. Were there an equivalent or a porting of the RICO Act to the cyber realm, cyber-law would move forward at the speed of light, thus enabling it to truly meet the needs of the Internet-dependent global economy. RICO-like statutes would mean that we could prosecute people who were racketeering and conspiring to perform illegal acts on the Internet (as implied by the basic tenets of the act), in addition to those who knowingly associate with known criminal entities. People like Alberto Gonzalez, who was recently convicted for his instrumental role in the TJX data theft – a theft culminating in excess of 44 million credit cards, could have been stopped while in their planning stages. Legislation such as the type being described here might very well have prevented some other crimes, such as Hannaford, Heartland, 7-11, and countless others.

Tempus Fugit: Time Flies and Waits for No One

We are living in progressive and wondrous times. The passing of the Rockefeller-Snowe bill within the Congress of the United States of America demonstrates a small, yet important glimpse of just how progressive they are. This bill would permit the United States to apply and enforce sanctions against a nation that knowingly harbors cyber-criminals. Though the bill is well intentioned, and in truth ahead of its time in some respects, it is fatally flawed in many areas, not the least of which is its failure to approach the importance of geo-presence and location within the legislation. Criminals, as we all know, can hide, spoof, and bounce off many countries while they commit their crimes with little effort, provided they are well organized and possess a rudimentary knowledge of TCP/IP networking and spoofing techniques. As a result we would in many cases find ourselves applying sanctions against mules, hapless redirectors, or a botnet lieutenant guilty of nothing more than having an un-patched system connected via an enterprise or home network to the Internet. I started thinking about how we surf the Internet, or in other languages, how we navigate through it. That gave me an idea that I would propose could be a great foundation. We need a RICO-like statute that is based on Admiralty law. I propose calling it Cyber-RICO.

Cyber-RICO: Changing the Rules To Accommodate The Game

One might ask, why Admiralty law? Well, for a variety of reasons. First of all, Admiralty law (sometimes referred to as maritime law) deals with questions and offenses that happen in international waters, and I think that we can draw a solid parallel between the cloud-like nature of the Internet and those very real waters. It touches many countries, and we all have a vested interest in protecting it. More importantly, no one nation can lay claim to, nor police, international waters, as by definition they are international and thus the responsibility of all who use and take advantage of them. Think about that for a moment. Who doesn’t use or take advantage of international waters, if not directly, then indirectly? International commerce uses these waterways as a seaborne transport mechanism for goods and services, much like people the world over use the Internet cloud. And just like on the high seas, where for millennia privateers and pirates have sought to take advantage of the open, permeable nature of these waterways, so too in the Internet age have our own pirates (cyber-criminals) and privateers (economically motivated hackers) sought to take advantage of the nebulous nature of the Internet.

Back when maritime laws were developed, the principal reason that drove ratification of these multilateral treaties was self-interest. Some nations, such as those that provided safe harbor to the pirates, were hesitant to adopt them at first. However, when the pirates turned against them, the countries’ own self-interest quickly encouraged them to ratify and espouse such a law.

The basis of maritime law is that any country that has signed the multilateral treaty can involve themselves in the enforcement of the laws.  In the same fashion, the Internet Cyber-RICO would give countries the ability to prosecute cybercriminals that commit these crimes on the high seas of the Internet.  Even when country boundaries are crossed, international task forces could now work with a common framework of enforcement, such as with the current anti-piracy task forces that are working off the coast of Somalia.  They respond to any call for assistance, regardless of the flag that the afflicted vessel is flying.  That is the right spirit of the law, and it would work as well as it relates to cybercrime.

This post is very timely as we now have a use case that scratches the surface on exploiting Telematics. For those of you that have never heard of Telematics, Wikipedia provides a great definition: “The integrated use of telecommunications and informatics, also known as ICT (Information and Communications Technology). More specifically it is the science of sending, receiving and storing information via telecommunication devices”. In most new cars today, you have the option of purchasing Telematics to provide integrated GPS, Wifi, Bluetooth, 3G and GSM. These innovations are great as they keep us connected and on track to our destination. Furthermore, OnStar has been incredible at determining if you’ve been in an accident and with GPS can send first responders to your location…it even helps if you lock your keys in the car ;-) I just recently purchased a Jeep and enjoy the benefits of Telematics as most consumers of these technologies do. However, at RSA San Francisco, I had an interesting conversation with my close friend and colleague Will Gragido on Telematics. We discussed the dark-side/security risks associated with Telematics. We went down the path of eavesdropping on conversations via Bluetooth, which can be done but is difficult to pull off as you need to be in close proximity. We also went down the path of hijacking the car’s wifi to see if we could get access to the GPS data and the fun we could have with that content. We decided to table the discussion for a while but kept it on our list of emerging threats/exploitable technology that could provide a new avenue for cyber actors to exploit.

Sadly, in my hometown of Austin, Texas someone pulled off a nefarious act of exploiting telematics. Wired actually ran the story this week. They did an incredible job in the article and for more information you can check it out: http://www.wired.com/threatlevel/2010/03/hacker-bricks-cars/ . In short, 20-year-old Omar Ramos-Lopez was accused of bricking cars through a service provided by Webtech Plus. This gives the auto dealer the capability of triggering the car horn and disabling the car’s ignition remotely through the web. Omar chose to trigger the horn of a reported 100 cars. Let’s step back and put our Blackhat on…just imagine the order of magnitude that can be delivered from a keyboard in disabling the ignition of all cars that are connected to Webtech Plus. Not playing armchair quarterback…but I will….this is classic insider threat/disgruntled employee and could have been avoided. Let’s get to the basic building blocks of Information Security. When someone leaves an organization, passwords and access must be changed, especially if they deal with the capability of controlling the ignition of a car. Omar committed a nefarious act and should be punished according to the law if found guilty. However, the company should have done due diligence and this is probably a wake-up call in changing procedures when one leaves the company.

As this is a wake-up call to the auto industry, we as security professionals need to keep this threat vector on our radar and if we serve this business vertical, we should press the issue and make sure access to this type of information is tightly controlled. Perhaps there are frameworks around this specific threat and I’m looking for it. Until then, keep secure and keep educating. Your thoughts on Telematics?

03.03.2010

John Pirc and I presented yesterday at Security BSides San Francisco 2010 and it was a wonderful experience.  I’d like to thank a few folks for aiding us and making that happen:

It was a great opportunity and many fine folks spoke and more still are planned to take the stage today.   Having said that, I’d like to encourage you all to check out BSides and support your local events.  If you don’t have one, reach out to the folks responsible for one and inquire about setting one up in a city near you.  These conferences are key in aiding continued growth and development in thought and action within our industry; without them and others like them, we risk much more than some might think.  RSA is going smashingly thus far.  It’s been a great opportunity to reconnect with old friends and colleagues, meet new ones and create opportunities.   Look for more updates on Twitter!

02.24.2010

Next week is the annual RSA Conference, our industry’s largest trade expo and conference.   People from the world over will gather in the greater San Francisco, California area to attend the conference, the panels, walk the vendor floor to see what’s “hot” in the industry, network and engage in lively debate and discussion related to our trade craft.   Additionally, SecurityBSides San Francisco will be running during the same time.   At this conference speakers from points near and far will converge and share information with an audience eager to learn, grow, contemplate and debate all things information security related.  It is an exciting time and a series of events that should, if at all possible, not be missed.  I am looking forward to the trip to San Francisco for several reasons none of which are clandestine or confidential.  I’ll be speaking at SecurityBSides San Francisco with John Pirc and am very much looking forward to doing so.   I feel our presentation will be lively, invigorating, thought provoking, entertaining and above all informative.  Additionally, I feel it will be a nice opportunity to meet and confer with my peers on matters which we are in agreement and disagreement upon in the hopes of gaining greater levels of clarity and understanding all while encouraging respectful, thoughtful, professional discourse.

Too often in our industry (and life in general), do we see denigration become the rule as opposed to the exception within our industry leading to bad blood, misunderstanding and hurt (yes I’m saying it), hurt feelings.   We’re all human and I do not believe for a moment that any are above reproach.  Having said that, I’m looking forward to a new era of enlightened knowledge transfer and sharing with some of the industry’s best and brightest in the hopes that through such activity we will edge ever closer to addressing that which ails our industry and threatens our collective (in the bigger non-industry sense), way of life.  My challenge to my peers and myself for the coming week is to refrain from negativity and embrace constructive criticism and dialogue.  This will, no doubt, be more difficult for some than for others however my challenge stands.   My hope is that as a community of professionals we will adhere to some basic rules all (or most all of us) were taught by mom and dad and likely learned in kindergarten to boot:

  1. If you can’t say anything nice don’t say anything at all
  2. Even when you know that you know more or are more experienced don’t make a point of letting others know; it’s unseemly
  3. Do more good than harm

In short these in association with lessons espoused in cultures the world over such as those which advocate treating others with respect and in a manner which you would want to be treated should aid us all in making the most out of this exciting opportunity.    Have fun and see you at RSA!

CODE BLUE

It is no secret that the world is a complex place. Look at any news report on any network regardless of what your geopolitical bent is and you will notice three things:

  1. Everyone has an opinion
  2. Everyone’s opinion to him or herself is right and sacred
  3. Opinions without action are worthless

I am a huge fan of Erik Erikson, the revered developmental psychologist and psychoanalyst best known for his theory on social development. His work and research in the field of ego psychology and social psychological development was landmark and amongst the neo-Freudian community, he in my opinion stood far above his peers. Eriksonian theory suggests that psychosocial development occurs in a series of stages, which requires successful mastery of the initial stage in order to properly prepare and set the stage for all latter stages. Likewise, Erikson theorized that the failure to master the initial stages can have a damning effect upon development, though that is not to say that one cannot recover from and overcome these obstacles and subsequently (with hard work and diligence) arrive at a place which is prime for the stage one finds themselves in (there are of course limits and caveats associated with this, especially in considering the earliest stages wherein the subject is still an infant and largely dependent upon others for nurturing). The following table depicts Erikson’s stages of social psychological development nicely.

Table 1: Erikson’s Stages of Social Psychological Development

| Stage | Basic Conflict | Important Events | Outcome |
|---|---|---|---|
| Infancy (birth to 18 months) | Trust vs. Mistrust | Feeding | Children develop a sense of trust when caregivers provide reliability, care, and affection. A lack of this will lead to mistrust. |
| Early Childhood (2 to 3 years) | Autonomy vs. Shame and Doubt | Toilet Training | Children need to develop a sense of personal control over physical skills and a sense of independence. Success leads to feelings of autonomy, failure results in feelings of shame and doubt. |
| Preschool (3 to 5 years) | Initiative vs. Guilt | Exploration | Children need to begin asserting control and power over the environment. Success in this stage leads to a sense of purpose. Children who try to exert too much power experience disapproval, resulting in a sense of guilt. |
| School Age (6 to 11 years) | Industry vs. Inferiority | School | Children need to cope with new social and academic demands. Success leads to a sense of competence, while failure results in feelings of inferiority. |
| Adolescence (12 to 18 years) | Identity vs. Role Confusion | Social Relationships | Teens need to develop a sense of self and personal identity. Success leads to an ability to stay true to yourself, while failure leads to role confusion and a weak sense of self. |
| Young Adulthood (19 to 40 years) | Intimacy vs. Isolation | Relationships | Young adults need to form intimate, loving relationships with other people. Success leads to strong relationships, while failure results in loneliness and isolation. |
| Middle Adulthood (40 to 65 years) | Generativity vs. Stagnation | Work and Parenthood | Adults need to create or nurture things that will outlast them, often by having children or creating a positive change that benefits other people. Success leads to feelings of usefulness and accomplishment, while failure results in shallow involvement in the world. |
| Maturity (65 to death) | Ego Integrity vs. Despair | Reflection on Life | Older adults need to look back on life and feel a sense of fulfillment. Success at this stage leads to feelings of wisdom, while failure results in regret, bitterness, and despair. |

At this point, you, the reader, may be wondering just what this has to do with what I typically write on here. That is a great question and I am glad you are thinking :). I believe our industry has, in many ways, met with conflicts (as described by Erikson, or challenges), and failed in conquering them, thusly finding itself following a derelict trajectory. I believe several factors have contributed to this:

  1. An inordinate amount of emphasis being placed on compliance for compliance sake as opposed to improvement of risk posture
  2. A fundamental lack of value and understanding with respect to information security and all it influences in business and outside of it historically (though I feel this is beginning to change…slowly)
  3. Errant thinking and marketing campaigns on the part of certain vendors (you know who you are and as such there is no need to point you out here)
  4. The errant belief that what worked in the past will work today or tomorrow (applies to technology as well as thought / philosophy)
  5. The accepted ‘norm’ of intellectual dishonesty which has become grossly apparent to the trained eye and experienced practitioner

In terms of development, it is my opinion that the industry has progressed, though not without lumps, and as a result of incurring said lumps has approached each successive stage of development in a manner which, though not ideal, is certainly able to be right sized. Should this right sizing not occur, I believe the industry at large will square and settle nicely into developmental stage 7 “Middle Adulthood” characterized by Generativity vs. Stagnation, finding itself landing precariously in the realm of stagnation. I do not do stagnation well, do you? If not, let us continue to challenge our peers, our industry, our clients, our customers and ourselves to reclaim our industry and ensure generativity for all.

There is A LOT of press regarding Google and the Chinese exfiltrating data from many corporations. The Wall Street Journal has a pretty good write up; if you have not had a chance to read it, I would encourage it: http://bit.ly/92Q1CI . Honestly, it does not matter if the attack vector was going through Google or any other medium for that matter. It’s important to understand that any open Internet connection and the financial backing of a State and Non-State Sponsored Cyber hit, has and will continue to exploit any target of value. First, APTs have been around for a long time. Furthermore, the technologies required in uncovering these “Subversive Multi-Vector Threats (SMT)”, as my close colleague and friend Will Gragido describes in a recent blog posting: http://bit.ly/8TlP6d , are typically not core infrastructure security devices. What are core infrastructure security devices? FW/UTM/NGFW, IPS, Web & Mail security, A/V, HIPS and some form of DLP, to name a few. These that I listed are great for detecting, stopping and mitigating about 80 – 90% of the attack surface according to an article where the NSA was quoted. Keep in mind that people, process and a select few technologies and vendors bridge that 10 – 20% gap.

APTs, or as we here at Cassandra refer to them, SMTs, are typically a topic that not a lot of security professionals are qualified to speak about, and because the threats are so stealthy it’s not talked about. Will and I recently gave a discussion on APTs at ToorCon this past fall. Our ToorCon presentation can be found here: http://bit.ly/73tuYA . We are passionate and very experienced in dealing with this subject matter, as we’ve had to deal with this specific attack vector for the past 15 years. It’s not surprising that it’s starting to get coverage and unfortunately, it’s probably the best vector for obtaining any type of data almost undetected. Now with that said, the sky is not falling but corporations are going to have to make investments in key technologies and people if they really want to know what’s going on within their network. Correlated event data from multiple threat feeds is a great thing but it’s not as powerful as having full session based data. SMTs are like bread crumbs that fall through the cracks and the types of technologies that can catch the breadcrumbs are those that are developed by Netwitness and Palantir, to name a few. Not plugging them, but these types of technologies are needed in uncovering the stealth threats that go bump in the night and broad daylight. Additionally, the time to protection is constantly shrinking and reactive point products that provide retroactive assurance can’t scale with the current threat landscape. The paradigm from a silo data feed model needs to change. A vendor that’s leading this model is McAfee. Again, at Cassandra we remain technology vendor agnostic; however, when it comes to the severity of the threats, the industry needs to change and follow the example of other vendors that are leading the battle in combating SMTs, formerly referred to as APTs. More to come on this topic.

12.09.2009

Recently I’ve been giving thought to the value of security research and what a customer might pay for access to information collected by an organization with an expertise in assessing technical threats and vulnerabilities, government mandates and geo-political climates and then applying this knowledge to information security programs and practices. There are very likely two knee-jerk responses to this with one being, “Why would I pay for something my people can research on the internet?” and the other might be “Well, if I can get true value to increase the security posture of my organization, sure I’d pay for it.”

In either case, we still don’t know how much we should be paying for this research. I would say that we must first start with figuring out what it would cost an employer to hire an experienced security analyst or engineer, who is then dedicated to this function. According to Payscale.com security specialty pay ranges from $63,000 on the low end to nearly $100,000 per year on the high end. Add to this another 35% for benefits and you have a $135,000 per year experienced employee to spend their entire day collecting information from various websites and other resources. But remember that this person will only work about 40 to 50 hours per week, so what about the rest of that time?

So let’s assume that you have a relief factor of .7 (standardized for the private sector) so the number of persons needed for a single position is 1.7 to take into account weekends, vacation and sick time. That said, if you’re going to staff 3 positions to achieve 24x7x365 security research and analysis capabilities, the number of people needed for that team is 5.1 (we’ll round it down to 5) so the total employee cost for a year is $675,000 plus training and education costs.

Ok, I know that I’m making some assumptions here and the actual salaries could be higher or lower depending on market, candidate, etc. Also, I’m making the assumption that an organization would require 24x7x365 staff to perform full security research, analysis and monitoring of the threats, vulnerabilities, market factors and geo-political factors that could impact their critical systems and networks. By the way, security research does not refer to the need to manage their security infrastructure for specific, targeted events against their infrastructure.

This brings me back to my initial question. Is there value in holistic, independent security research? Would you pay to have access to this information?

I’m certain there is and I would urge you to consider the following as you consider the value of this information or type of service to your organization.

At a minimum the following information needs to be available to the customer:
• Daily reports on the latest trends, threats, vulnerabilities and other issues that are relevant to the customer’s business or market
• Access to up to the minute threat and vulnerability data that allows an organization to customize and select security information relevant to their infrastructure
• Relevant information that covers not only technical threats and vulnerabilities but also anything specific across markets, geographies or political situations which can be used for an organization to understand the full impact of technical and geo-political events to their organizations

If a research organization can provide this type of information to a customer in a manner that doesn’t compromise their intellectual property or competitive advantage in a marketplace, there is certainly significant value to the customer. I just don’t know how much they would pay for this data. What would you?

First of all, my apologies for the hiatus from posting and public contribution on this site.  I have been incredibly busy the past few months wrapping up my old job with my former employer, doing some consulting work and launching a new network security start-up company in October with a few other very talented individuals.

I did look at the calendar and in typical “sales clown guy” fashion thought “wow, 3 weeks left in 2009”. If you are responsible for InfoSec and deal in any way with technology partners, vendors, consultants and the like, you are probably under enormous pressure to try to close any outstanding business, sign deals and contracts, etc. before the clock strikes 12 on New Year’s Eve. The old “use it or lose it” calendar year budget style is alive and well in IT departments worldwide, trust me.

Coffee is for closers

I wanted to provide a “change of pace” post on Cassandra Security, which will hopefully give some insight into the world of buying and selling security solutions. I have worked at two very large vendors in both sales support and direct sales roles, so I understand marketing and selling security to a wide range of customers.

You had better believe that whoever is trying to sell you a good or service here in December 2009 is also under an insane amount of pressure. This takes many forms; the most likely motivator is self-preservation. I like to refer to the last 6 weeks of Q4 as “the silly season”. This is where you can catch vendors and customers alike doing all sorts of crazy things to get a deal closed.

Sales people obviously want to sell you something, anything, to retire some of their quota (hopefully) and get a commission check. I am not sure how many people outside the sales world realize, but anywhere from 40-70% of a sales rep’s total compensation is commission, so you should use this knowledge to your advantage. With 3 weeks left in the quarter, you want to have any final pricing/discounts submitted today (preferably) to give this time to get through their sales management, order operations, distribution and reseller partners (if any). You also want to have final pricing so you can properly set expectations with your management. You may think you are being a hero by trying to save the company another 3%, but if your management team is expecting a Capital Expenditure in Q4, you better make one.

I wanted to go ahead and build a checklist of what tasks you should consider, both as a vendor/reseller and as an enduser/buyer of InfoSec products:

Vendor/Reseller of InfoSec Products/Services/Solutions

Endusers/Buyers of InfoSec

I know a lot of this is common sense, but often times it simply takes a minute to put yourself in another person’s position and frame of reference.  The vast majority of security sales people at least make an effort to provide some value to the InfoSec professional (note – value varies widely by vendor and the individual).  Sales folks want to close business and InfoSec professionals want to improve their protection posture.  There is clearly a common ground where the two can work together toward the common good of improving security posture at an acceptable price point.

One last post before I hit the hay and try to finish my current Kindle read.

The more time I spend in the classroom as an Adjunct Professor at Colorado Technical University teaching security courses for those seeking degrees in various security disciplines, the more I realize that the vast majority of higher education students are receiving no computer security or information security training.  I am absolutely convinced that there should be a requirement that the vast majority of undergraduate students should have at least two computer/information security courses; one in their first semester of their first year and one in their final semester of their final year.  By the way, these are not IT or CompSci students I’m talking about.

These students have majors in business, accounting, education, health care, law, criminal justice, administration, languages, political science, biology, chemistry, etc. The reason being? Nearly every one of these people will interact with a system that processes or contains HR data, customer information, patient data, company trade secrets and a multitude of other types of information. These are among the people that reply to emails from Sgt Ralph Brek “with the United Nations troop in Afghanistan, on war against terrorism” (the latest phishing scam that’s shown up in my inbox) with all of the information that he’s requesting.

These are the same people who would very likely answer specific, targeted questions about the company for which they work if asked by an otherwise well-meaning person.  These are the people who would give up essential information that might otherwise be thought to be benign.  But it’s not wholly their fault; I’ve a philosophy that those “stupid users” we hear so much about from IT and security staff only do what they are allowed to do, in the environment they are allowed to do it, with the knowledge or training they are given.  They are as much a victim in many cases as the organization whose information was just compromised.

This education would serve two purposes: first, it would provide the institution the ability to train the students on the proper use of school assets by talking about real world issues that affect both the student and the institution (phishing, malware, etc.), and it would also prepare the graduating student for life after college as they enter the job market.  However, I realize that many higher ed institutions will say, “Well, that’s not our responsibility,” but they have this two year “general education” program that students go through to learn to write, spell, speak and interact, do they not?  What’s the difference between a humanities class as a freshman for an accounting major and what I’m proposing above?

This train of thought for me has come from years of seeing classes, books, manuals and certifications geared toward the student or professional who wants to work in an information security discipline and not so much to the users or customers that the information security professional serves.  It seems to me that part of this is backwards.

12.07.2009

Today’s blog is going to be slightly different for me than might be expected.  I am not going to outline anything insightful or clever having to do with information security in practice or philosophy but rather focus on what this day means to me on a personal level.  Today is December 7, 2009.   Sixty-eight years ago today, the Japanese launched a surprise attack against the United States, taking a sizeable portion of the Pacific Fleet of the United States by surprise.  There is no doubt the surprise was complete and the job thorough.   The Japanese sent two waves of planes towards the sleeping fleet and sandy shores of Hawaii that day, the first arriving at 07:53, the second roughly an hour behind the first.   By 09:55, the attack was over and the message made unquestionably clear: Japan and the United States were at war.   By 13:00 that day, the aircraft carriers, which delivered the planes for the attack, were heading back to Japan.

In the aftermath of the attack lay 2,403 dead, with 188 planes destroyed in addition to a crippled remnant of the United States Pacific Fleet that included eight severely damaged or destroyed battleships.  Roughly three hours later, Japanese planes began what would become a daylong air campaign against the American facilities located in the Philippines.   Additionally, they struck Hong Kong, Malaysia and Thailand in a coordinated effort to use the element of surprise in order to deliver as much damage as quickly and effectively as they could against what they perceived to be key targets of opportunity.

4,820 miles away, in Chicago, my family received the news of the attacks at approximately 2pm along with the millions of others in the Chicagoland area.  My maternal grandfather would later be drafted into the United States Army and see action in the South Pacific with anti-aircraft units, leaving behind for many years my grandmother, my godfather and an unborn uncle who my grandfather would not meet for more than two years.

In addition to my maternal grandfather, many of my paternal great uncles would see action in both the South Pacific and Europe, leaving behind friends, family and all they knew on the South Side of Chicago for these far and distant lands.   It would be sixty years until the United States would suffer another attack by foreign nationals on its soil; however, the events of September 11, 2001 are, in many respects, quite different for many reasons from those which took place that fateful day sixty-eight years ago.  Years later, several other members of our family would join the armed services, with myself and one of my cousins joining the United States Marines.  My cousin and I would become quite familiar with the history of that day and those days following it, as the United States Marines were integral to the war effort in the Pacific.  Today, please take a moment to remember the sacrifices made by the people of the United States in the Greatest Generation.    Our lives have been inarguably influenced because of these events and our freedoms and ideals defended.  Remember December 7, 1941, haven’t forgotten grampa.

Semper Fi, Will…
