Chicago, IL. United States of America
December 31, 2009
Cassandra Security has released part two in a series of white papers dedicated to critical infrastructure and key resources. This paper addresses historic threats and exploitation, challenges in securing and maintaining security of these environments, economic and political impact associated with a lack of potable water and much more. We hope you find this paper as enlightening and thought provoking as we found the topic while researching and analyzing this aspect of CI. Look for part III in the series soon!
Seeing Tomorrow Today,
Cassandra Security
Critical Infrastructure Part II Drinking Water and Waste Management Treatment Systems 123109 – Final
On December 23, 2009, the United States Department of Justice released a statement concerning Stephen Watt. Stephen Watt is likely not a name rolling off the tongues in households across America; however, his participation in what has been called to date the “largest identity theft in our nation’s history” is likely quite familiar. You see, Watt, Stephen as I like to call him or soon-to-be federal prisoner Stephen Watt, was an integral member of the team assembled by Albert Gonzalez (you remember Albert, right?) for the express purpose of stealing as many credit and debit card numbers as possible without being detected or ultimately prosecuted. The case in question is the now infamous TJX data breach. However, though not new news, the sentencing and pathology is something which few, if any, are addressing.
In the statement released by the U.S. DOJ, Watt was sentenced on December 22, 2009, for his role in the TJX breach, specifically for the creation of a sniffing (siphoning) application used to monitor and capture data, including customer credit card and debit card information, as it traversed corporate computer networks. Watt, who pled guilty to conspiracy charges on October 28, 2008, was sentenced to two years’ imprisonment, to be followed immediately by three years of supervised release, a condition of which was electronic monitoring of any computer use. Additionally, he was ordered to pay restitution of $171.5 million US. For five years Watt unlawfully gained electronic access to corporate computer networks and in doing so downloaded customers’ credit and debit card information, which he later trafficked, sold and used for personal fraudulent gain. The United States Secret Service, along with third party digital forensics firms, investigated the case. Assistant U.S. Attorney Stephen Heymann, who is active Chief of the Computer Crime Unit of the Secret Service which spearheaded this case, prosecuted it.
Watt’s attorney attempted to establish a scenario suggesting that he simply lacked sound judgment and was led to participate by his own intellectual curiosity and the bonds of friendship he had forged with Albert Gonzalez while the two were teenagers. I find this to be weak at best. Would I expect a defense attorney to suggest otherwise in a case such as this? No, I think that in a case such as this one, if I were a defense attorney, I would be looking for any plausible egress point possible in the hopes that one would lead to light. However, I would expect that those parties hearing and prosecuting the case would not fall prey to such delusional lines of thinking (I have no reason to believe, nor am I insinuating, that either Mr. Heymann or the Honorable Judge Nancy Gertner did fall prey to such vapid arguments, but rather arrived at a satisfactory judgment based on the facts and goals they were presented with and working toward).
The facts are clear: Stephen Watt willingly created ‘blaba’ for the express purpose of monitoring, collecting and siphoning credit and debit card information belonging to others. That this data resided on the TJX network and systems was but a technicality, as Watt and his co-conspirators were, after all, engaged for criminal profit. According to his defense, Watt had no idea his creation would be used for illegal activity (this is insulting to all who read it and to logic itself, given the design intent, nature and use of the code). This clearly suggests that he is either a liar or a lunatic, given the amount of evidence collected related to conversations and other salient details of the operation that he and Gonzalez led.
What I find interesting is the potential use of similar arguments of defense in cases such as Watt’s and others where the ability to distinguish right from wrong seems to be suspect. Let’s look a little more closely at Watt’s background. A highly intelligent software engineer with an impressive resume including, among others, Morgan Stanley and Imagine Software (a trading software manufacturer), Watt graduated high school at age 16 in Florida with a 4.37 grade point average. In 2004, he moved to New York to work for Morgan Stanley, and began frequenting nightclubs and experimenting with drugs. In 2007, he took a role with Imagine Software, where he was working up to the time of his arrest. He cited his intellectual curiosity and, as mentioned earlier, friendship with Gonzalez as being the deciding factors in his participation; however, I believe (and so too did the prosecutors and judge involved) that the deciding factor was profit. Profit via criminal activity that did not seem to bother Watt or his accomplices in the slightest. Conventional thought suggests that they believed that the “banks” were insured by the FDIC and that the monies and profits acquired were reimbursable (never mind the damage they did to the reputations and credit ratings of countless thousands and the overt brand damage they brought to the doorstep of TJX). Watt was not the mastermind of the breach; that honor belongs to Albert Gonzalez, who is currently awaiting sentencing in Boston and faces up to seventeen years in federal prison. The two housed Watt’s code on a leased server located in Latvia and, with it, over 16.3 million stolen credit card numbers, while another 27.5 million stolen card numbers were located on a server in the Ukraine.
I worry that more will, upon being identified and caught, feign or claim ignorance or, worse yet, the inability to determine right from wrong as a plausible defense, making illegal activity of this sort and its prosecution akin to violent crime prosecution and the insanity plea. I feel there is danger in this and in other defenses being introduced into courts of law that suggest that a person guilty of committing (knowingly committing) a criminal act was unable to determine the legality of their actions due to some pre-existing circumstance or condition. Take the case of Gary McKinnon of the United Kingdom, for example. McKinnon was found guilty of penetrating and disrupting computer systems and networks belonging to NASA and the United States Department of Defense. McKinnon, who claims to have been on a quest for truth regarding UFOs, penetrated over 90 classified systems and networks in 2001 and 2002. He faces extradition to the United States, which was granted by the courts of the United Kingdom; however, he is currently fighting extradition based on his claims of suffering from Asperger’s Syndrome (a type of pervasive development disorder (PDD); PDDs are a group of conditions that involve delays in the development of many basic skills, most notably the ability to socialize with others, to communicate, and to use imagination). Based on the information gathered on it, Asperger’s does not suggest a failure or inability to recognize wrong from right. In fact, there are many highly regarded, influential historical figures from all occupations who have been diagnosed with Asperger’s.
Personally, I feel that defenses such as those posed by Watt’s attorney and by McKinnon are both scandalous and shameful. They insult and mock those who do suffer from diagnosable developmental disorders while, at the same time, attempting to insult the intelligence of the masses. In order to prevent them from becoming the defense du jour, it is my hope that the courts begin laying down much more restrictive, severe sentencing for criminal acts such as these. Failure to do so in many respects encourages the risk/reward calculation used by criminals in order to justify their activities.
First, I’m a fan of Social Networking and I was not expecting a redirect to another site. Although this was temporary, it was frustrating. After doing some poking around and speaking with my good friend and colleague, Will Gragido, I stumbled across this article that gave a little more insight into the issue. According to Claudine Beaumont, Technology Editor of the Telegraph UK, “visitors to Twitter.com were automatically redirected to another web page, which displayed a green flag and English and Arabic writing: This site has been hacked by the Iranian Cyber Army,” read the message. “The USA thinks they control and manage Internet access, but they don’t. We control and manage the Internet with our power, so do not try to incite the Iranian people.” First, I don’t categorize this as a hack but a compromise/Cyber Noise, like a DDoS attack. I would have been impressed if they had tagged the web site directly. The sophistication required to pull this off is on the level of a “Script Kiddie”. The tools are freely available on the Internet; my 11 year old could pull it off with a few Google queries. I guess the Iranian Cyber Army has not been keeping up with the news lately. The US Gov’t ceded control of ICANN to the World; for more information please check out the link: http://bit.ly/6KSuny .
The good thing is the people at Twitter were able to correct the issue very quickly; as I mentioned, the level of sophistication and indirect control was minimal. Additionally, Twitter had another breach early this summer; for more information on that please check out: http://bit.ly/2lUzNM. I don’t think this is going to be the last time, and I’m sure other Social Networking sites have increased their security/posture/awareness. Lastly and more importantly, the Iranian Military has seized control of an oil field in Northern Iraq, link to Reuters: http://bit.ly/7H7TC5. With that said, although this is purely speculation, a Cyber attack/message less than 24 hours before a physical attack. Could these be tied together? Not sure, but interesting though. Everyone’s thoughts and comments are welcomed.
Onion Routing and Darknets
Technology is marvelous. It enables, encourages and aids us in our daily lives and in ways which many have never dreamed possible. Technology is a gift, as fire from Prometheus was to humanity; it is an essential enabler. Technology lacks intention, as it is inanimate. We give it purpose. Or perhaps more appropriately, we append intentions and uses to it and describe use cases for it. Some good, some bad, but all our own. Technology lacks the ability to discern right from wrong (note: let’s table any discussion about AI or the like for the moment, as that is an entirely different and drawn-out discussion), good from bad, in the way in which you or I might. Technology represents the manifestation of ideas from the realm of thought into the material world: innovations which were once in the mind or on the development board of men and women the world over, made reality by the hard work and ingenuity of those same men and women or others of like mind. However, this is not to say that technology cannot (as we have seen and described so often here and likely will in the future) be used for purposes other than those for which it was originally intended, with nefarious or dark ends in mind. That is not technology’s fault, but rather the fault of man.
While researching some malware in the lab, I got sidetracked and began playing with covert channel technology in virtual environments. Nothing fancy, just run of the mill technology that is easily had. In doing so, I began thinking a great deal about the use cases for such technology in the public sector, the private sector and points outside of those worlds. In digging more deeply I began to notice something troubling, something that resonated deeply within my mind and security driven personality, and that was the potential for utilization of such technology for bitter ends. I have been tinkering with Onion Routing technology for years, largely because I find that some of the most effective means of obfuscating one’s intentions are not necessarily to be had in convoluted, high-speed, low-drag technologies but rather in mature yet lesser known ones which take advantage of clever algorithmic implementations and cryptography. Take Onion Routing for example.
Onion Routing is not new. In fact, Onion Routing enabled environments have been around for more than a decade now and date back to the original intellectual property developed by Michael G. Reed, Paul F. Syverson, and David M. Goldschlag, and patented by the United States Navy in US Patent No. 6266704 (1998). Nowadays, several technologies and solutions utilize Onion Routing, some above scrutiny and others squarely positioned to be scrutinized. Onion Routing, quite simply, is a technique that enables anonymous communications over networks and computer systems. It works by repeatedly encrypting and then forwarding message traffic to network nodes known as Onion Routers (catchy, huh?). Each Onion Router removes one layer of encryption from the message traffic it has received in order to uncover the next set of routing instructions. It then forwards the message traffic on to the next router, where the process is repeated until delivery is complete. The net effect is that no node (ideally) knows who the original source of the traffic was, what the intended destination is, or what the contents of the message traffic are, thus creating an inherently ’secure’ transmission environment which applies and affords “plausible deniability” to those using it. However, during the course of researching, tinkering and reading the research work of others, it became clear to me (as it had been to others as well) that Onion Routed environments are no more secure than any other environment if one takes the time to study and look for opportunities of exploitation. It is possible to monitor, intercept and observe data being sent and received (in motion and at rest) on a local host. Many consider this indisputable and I tend to agree with them. Here is a short list of weaknesses associated with Onion Routed environments:
- Weak defense against timing analysis
- Intersection attacks and predecessor attacks
- Exit node issues (can be sniffed by the operator)
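To make the layering described above concrete, here is a small simulation of an onion route written for this post; it is an added illustration, not code from the original entry or from any onion routing project. It builds a three-layer onion, peels one layer per router, and records what each router could learn. The keys, router names (R1 to R3), the sender and the destination are constructed for the demo, and the per-hop cipher is a stand-in built from HMAC-SHA256 in counter mode so the example runs on the standard library alone; a real deployment negotiates per-hop keys and uses vetted ciphers.

```python
import hashlib
import hmac
import json
import os

NONCE_LEN = 12


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, used as a constructed stream cipher.
    It only exists to make the layering visible; it is not a deployable cipher."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ciphertext = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = keystream(key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))


def build_onion(route, keys, destination, message):
    """Wrap the message in one layer per router, innermost layer first."""
    # The exit router's layer carries the destination and the message itself.
    exit_layer = {"next": destination, "payload": message}
    layer = encrypt(keys[route[-1]], json.dumps(exit_layer).encode())
    # Each earlier router's layer names only the next hop and carries the
    # still-encrypted inner onion, so that router learns nothing beyond that.
    for i in range(len(route) - 2, -1, -1):
        instructions = {"next": route[i + 1], "payload": layer.hex()}
        layer = encrypt(keys[route[i]], json.dumps(instructions).encode())
    return layer


def send_through_network(sender, route, keys, destination, message):
    """Simulate forwarding hop by hop; return the delivered message and
    a record of what each router observed (previous hop, next hop, and
    whether it could see the plaintext)."""
    blob = build_onion(route, keys, destination, message)
    views = []
    previous_hop = sender
    for i, node in enumerate(route):
        instructions = json.loads(decrypt(keys[node], blob))
        is_exit = i == len(route) - 1
        views.append({
            "node": node,
            "from": previous_hop,
            "to": instructions["next"],
            # Only the exit router holds the message in clear (the exit node weakness).
            "sees_plaintext": is_exit,
        })
        if is_exit:
            return instructions["payload"], views
        previous_hop = node
        blob = bytes.fromhex(instructions["payload"])


# Constructed demo keys; a real network derives these per hop.
DEMO_KEYS = {
    name: hashlib.sha256(f"demo key for {name}".encode()).digest()
    for name in ("R1", "R2", "R3")
}

if __name__ == "__main__":
    delivered, views = send_through_network(
        "alice", ["R1", "R2", "R3"], DEMO_KEYS, "bob.example", "hello")
    print("delivered:", delivered)
    for view in views:
        print(view)
```

Running it shows R1 learning only that traffic came from the sender and goes to R2, R2 seeing R1 and R3, and R3 seeing R2, the destination and the message itself. That last row is the exit node issue from the list above: an operator of R3 can read anything not separately encrypted end to end, which is why defenders treat exit nodes as untrusted network segments and why per-hop anonymity does not remove the need for TLS or equivalent on the payload.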
So far it all sounds pretty cut and dried, right? Then I began looking at what and why these solutions might be utilized outside of the public sector and for what purpose. There are a variety of reasons individuals and groups might gravitate towards utilizing these communications models. Some lie squarely in the realm of criminal activity. Others masquerade under the pretense of political discourse (hiding behind United States Supreme Court rulings on the rights to anonymity for citizens as part of political discourse activities, which, by the way, I think is fine so long as that is what is truly occurring) while in all actuality attempting to push subversive or counter culturally driven agendas (which, if they were exposed for what they truly represent, I reckon would not garner the protection afforded to citizens by the Supreme Court decision). In this entry, I am going to avoid delving too deeply into scrutinizing the intentions of those who use this technology as a means of effectively promoting political discourse. I will say that I believe there are those who utilize the technology (like all technologies and media if given the chance: TV, radio, newspapers, magazines, blogs, podcasts etc.) for questionable purposes, largely due to its ability to obfuscate source and destination in addition to its availability.
Crypto-anarchism poses a threat to us all, whether someone is leveraging ‘darknets’ to propagate information or ideologies (some of which is illegally obtained and deemed sensitive and / or classified), or giving presentations with no intention of obfuscating their intentions on subject matter deemed subversive. We as information security professionals must be alert and vigilant. In doing so, we can better defend those who cannot defend themselves while aiding in preventing criminal activity. There is a need to ‘watch the watchmen’. I believe it is the responsibility of us all to do so; not a minority. Especially a minority who believe they are above the law and entitled to disseminate information that they are not legally entitled to. That is dangerous business and not for amateurs. Information which is deemed ‘sensitive’ or ‘classified’ should be treated as such and, as tradition dictates, is disseminated on a ‘need to know’ basis. Deviating from that practice, regardless of what one believes to be legitimate reasoning, is dangerous, and criminal. I believe that technologies such as Onion Routed networks or ‘dark nets’ can be utilized for good; however, they are and will likely continue to be corrupted and used for illegal, subversive and nefarious purposes as well.
Subversive Multi-Vector Threats
Introducing... The Subversive Multi-Vector Threat
I had originally intended on submitting this to Wikipedia and Wiktionary for inclusion; however, it was expressed to me that it would be a violation of their Conflict of Interest (COI) policy to publish it there. As a result, I decided to publish here within the friendly confines of the Cassandra Security blog. In doing so, I hope to bring our industry (perhaps a little differently than I had originally intended) a new term to be used with respect to much of what interests me and others in the research community and much of what I spend my time thinking about in addition to researching. Having said that, I’d like to first point out that my purpose is not to promote myself with the introduction of this new term but rather to shed some light on what I feel passionately about and believe warrants exposure in addition to reclassification.
Origins of Subversive Multi-Vector Threats (SMT)
As an information security researcher, practitioner, thinker, and so forth, I deduced, after much time spent researching and examining them, that many of the terms we use in the security industry are neither clear nor comprehensive enough to resonate with larger audiences. This became especially evident to me when I considered the interests of my fellow researchers and peers as we struggle to address the dynamic nature of the threat landscape. As a result, I set out to consider what I believed to be true or common among many of these next generation or advanced threats and came to a wonderfully rich conclusion which you will soon see published as a co-branded work with my friend and colleague John Pirc. I began theorizing that a new term was required (one that addresses the true, diverse nature of these threats while avoiding the pigeon hole effect seen and experienced with less appropriate and accommodating terms), due to the lack of a more appropriate alternative. Adding to my feeling of dissatisfaction with the terminology and the limits it placed on both researchers and analysts was the matter of contextual relevance. Some terms have more limited application, as we have all seen, and due to this and other reasons (this is not to say that they are invalid, which should be noted, but rather that something else, something new, is required to fill the gap I saw), the need to reclassify and create new categories was clear to me.
Definition of Subversive Multi-Vector Threats (SMT)
Subversive Multi-Vector Threats (SMT) are highly sophisticated, well crafted, executed attacks designed to use and exploit as many threat vectors as necessary to accomplish the mission’s milestones. What makes them different from other threats is the willingness to utilize people, process and technology weaknesses in order to meet their ends. Some might argue that this is not unique; however, I believe the context in which these threats are seen and will continue to be seen unequivocally constitutes something new, unique and different. These threats are designed to, in a dynamic fashion, place a greater or lesser amount of effort and emphasis in one area versus another over time, as dictated by the mission’s goals and the leadership behind them. Subversive Multi-Vector Threats (SMTs) are complex unions of human intelligence, information security, communications intelligence / signals intelligence (COMINT / SIGINT), and open source intelligence (OSINT), and as a result differ greatly in this sense from other threat classes such as the Advanced Persistent Threat (APT).
Subversive Multi-Vector Threats (SMT) and Advanced Persistent Threats (APT)
Subversive Multi-Vector Threats (SMTs) differ dramatically from other well-known threat types in a number of ways, as described above. The greatest difference between the threats I describe as Subversive Multi-Vector Threats and other types lies in the targets of interest and the approaches to exploitation taken by each with respect to their targets. Whether they be targets of opportunity or directed, predesignated targets, exploitation mechanisms will vary in the world of the Subversive Multi-Vector Threat, whereas in the world of the Advanced Persistent Threat (APT), though the avenues for exploitation may change, their overall relevance is entrenched in the realm of the technical. As such, APTs are forced to focus and rely upon technological vulnerabilities present within a system or enterprise in order to meet their goals. Not so with the Subversive Multi-Vector Threat. As I mentioned earlier, these threats are not bound to technology alone as an avenue of exploitation but rather often assess both people and process weaknesses equally in order to identify the path of least resistance while capitalizing upon the weakness of others.
Additionally, APTs are typically identified within the context of environments that cater in part or in their entirety to the public sector. These organizations include DoD, DIB and Intelligence Agencies (though we and others feel that this will change over time). With respect to SMTs, I believe, based on research and experience, that they are more criminally motivated and as a result cast a wider net than do the traditional threats associated with APTs; however, this is not to say that one could not easily bleed into the other. I believe that SMTs are more sophisticated largely due to their being able to easily identify and exploit weaknesses which have little to nothing to do with technology. SMTs have the ability to compromise and, as a result, take advantage of the weaknesses of character (in addition to ignorance) demonstrated by people, while exploring processes (policies and procedures as well) for deficiencies. I have always referred to this as the ability of experienced, motivated aggressors to “…knock one of the three legs out from under the three-legged stool upon which all organizations sit.” These legs are: people, process, and technology. To knock any one of them down creates instability and weakness which can see the organization fall squarely on its bottom. This is paramount in identifying and defining Subversive Multi-Vector Threats (SMTs).
As a result, I argue that Subversive Multi-Vector Threats (SMTs) only further serve to underscore the need for the implementation of soundly constructed, risk-based security programs and frameworks which address, in exhaustive detail, the areas requiring the greatest levels of diligence and care possible.
Identifying and Addressing Subversive Multi-Vector Threats (SMT)
I believe that Subversive Multi-Vector Threats (SMTs) can only be truly addressed after an organization has assessed itself and identified its vulnerabilities and deficiencies as part of a thorough risk assessment. My assertion is that in doing so an organization can quickly identify areas where vulnerabilities and deficiencies exist which leave it exposed to potential exploitation of people, process and technology in order to gain. Demonstrating unrelenting diligence as part of an ongoing risk management initiative is, or should be, non-negotiable. Are there technologies which can aid in addressing these threats? Yes, to a degree. Recall that these threats, Subversive Multi-Vector Threats (SMTs), are not always going to involve technological exploitation. As a result, this could mean that a person who is fully credentialed, fully authorized to be where he or she is, could effectively compromise a system or environment in order to meet the goals of his or her leaders. This is of course quite bad; however, it is not impossible to address if you are up to the challenge and willing to invest in what is required to mitigate the threats.
What is Security Research Worth?
Recently I’ve been giving thought to the value of security research and what a customer might pay for access to information collected by an organization with an expertise in assessing technical threats and vulnerabilities, government mandates and geo-political climates and then applying this knowledge to information security programs and practices. There are very likely two knee-jerk responses to this with one being, “Why would I pay for something my people can research on the internet?” and the other might be “Well, if I can get true value to increase the security posture of my organization, sure I’d pay for it.”
In either case, we still don’t know how much we should be paying for this research. I would say that we must first start with figuring out what it would cost an employer to hire an experienced security analyst or engineer, who is then dedicated to this function. According to Payscale.com security specialty pay ranges from $63,000 on the low end to nearly $100,000 per year on the high end. Add to this another 35% for benefits and you have a $135,000 per year experienced employee to spend their entire day collecting information from various websites and other resources. But remember that this person will only work about 40 to 50 hours per week, so what about the rest of that time?
So let’s assume that you have a relief factor of 0.7 (standardized for the private sector), so the number of persons needed for a single position is 1.7 to take into account weekends, vacation and sick time. That said, if you’re going to staff 3 positions to achieve 24x7x365 security research and analysis capabilities, the number of people needed for that team is 5.1 (we’ll round it down to 5), so the total employee cost for a year is $675,000 plus training and education costs.
Ok, I know that I’m making some assumptions here and the actual salaries could be higher or lower depending on market, candidate, etc. Also, I’m making the assumption that an organization would require 24x7x365 staff to perform full security research, analysis and monitoring of the threats, vulnerabilities, market factors and geo-political factors that could impact their critical systems and networks. By the way, security research here does not refer to the need to manage their security infrastructure for specific, targeted events against their infrastructure.
This brings me back to my initial question. Is there value in holistic, independent security research? Would you pay to have access to this information?
I’m certain there is and I would urge you to consider the following as you consider the value of this information or type of service to your organization.
At a minimum the following information needs to be available to the customer:
• Daily reports on the latest trends, threats, vulnerabilities and other issues that are relevant to the customer’s business or market
• Access to up to the minute threat and vulnerability data that allows an organization to customize and select security information relevant to their infrastructure
• Relevant information that covers not only technical threats and vulnerabilities but also anything specific across markets, geographies or political situations which can be used for an organization to understand the full impact of technical and geo-political events to their organizations
If a research organization can provide this type of information to a customer in a manner that doesn’t compromise their intellectual property or competitive advantage in a marketplace, there is certainly significant value to the customer. I just don’t know how much they would pay for this data. What would you?
We are tied to our worlds, tethered if you will, in many respects by our mobile devices. Our Apple iPhones and RIM Blackberries, among others, aid us in keeping up with our professional and personal lives. They provide us a near real time (and in some cases real time, depending on the platform and connectivity) window to the world. Information is available as quickly as electric signals are converted to light and back again over terrestrial and non-terrestrial infrastructure. It’s an amazing time to be alive. But for every convenience there is a price to pay. Isn’t that always the case? As the old saying goes, there is no such thing as a free lunch, and technological advancement is no different in that respect. We pay a price for convenience. We sacrifice aspects of humanity for expedience. We willingly trade many of those commonalities which all mankind shares in order to ensure we can check our email, reply to a Twitter posting, conduct online financial transactions, post a photo on Facebook or find a movie online.
There is nothing intrinsically wrong with this. In fact, it is quite normal to see some elements of human life become retired as technological advancement occurs. Take for example the written word. Writing letters in centuries past was an art form. Manipulation of language and style enabled individuals and groups to establish identities, voices, via pen and paper. With the advent of the telegraph, then the telephone, then data communications, etc., the medium and styles seen changed to meet the times: to meet the needs and the urgency of communication, coupled with the ability to provide near real time responses to questions or statements.
In late November I wrote a piece that discussed exploitation of jailbroken iPhones and the introduction of worms to the world of Apple handhelds. As a RIM Blackberry user, I took a certain amount of pride in this, as I secretly coveted the coolness of the iPhone. Then yet another mobile vulnerability was announced, only this time it was for the RIM Blackberry platform. This is not the first time malware for RIM platforms has been developed or identified. Back in 2006, Jesse D’Aguanno, director of professional services and research with Praetorian Global LLC, wrote and released what many of us believe was the first Trojan for the RIM platform. At the time, RIM stated that the exploitation was dependent upon whether or not the Blackberry Enterprise Server Administrator had enabled the IT policy settings for mitigating such threats. However, this is not where the story ends. On December 1, 2009 RIM released a security advisory that addressed multiple vulnerabilities in the PDF distiller of some released versions of the BlackBerry Attachment Service. Within the advisory RIM stated that the following versions of BlackBerry Enterprise Server running on the following Microsoft Windows platforms were affected:
- BlackBerry Enterprise Server 5.0.0 running on Microsoft Windows version 2003 or 2008
- BlackBerry Enterprise Server 5.0.0 running on Microsoft Windows 2000
- BlackBerry Enterprise Server software versions 4.1.3 through 4.1.7, and BlackBerry Professional Software 4.1.4.
By convincing a user to view a specially crafted PDF file, an attacker might be able to execute arbitrary code or cause a denial-of-service condition on the system that hosts the BlackBerry Attachment Service. This of course is not the first, nor will it be the last, time we hear and see advisories such as these for mobile device platforms (I suspect that Palm’s webOS will be the next victim, just as Android by Google has been). For better than 90% of those who use these devices, what we are discussing will not resonate in the same way as it would with security researchers and analysts. For that percentage of the populace these devices are merely extensions of themselves; windows to the world, as mentioned earlier, which allow them to access and be accessed. That access of course runs deep and wide through their lives and sees their worlds become more risk inclined than not.
But are we so different from the 90%? Don’t we use these devices in similar fashion? Certainly we look at the technology differently than most do, as our business is the business of security, and as a result we are naturally or artificially disposed to being suspicious of that which we do not know intimately or understand. As a result, you and I might conduct analysis on a device prior to using it, or examine in an isolated lab environment a sample of malicious code using debuggers and other tools and techniques to assess the behavior, payload and net effect of said code on a system or platform. However, while corporations find themselves enabled and ready to deal with the introduction of malicious code and content, who is taking first watch in defense of those who use these devices independent of a corporate IT security program?
First of all, my apologies for the hiatus from posting and public contribution on this site. I have been incredibly busy the past few months wrapping up my old job with my former employer, doing some consulting work and launching a new network security start-up company in October with a few other very talented individuals.
I did look at the calendar and in typical “sales clown guy” fashion thought “wow, 3 weeks left in 2009”. If you are responsible for InfoSec and deal in any way with technology partners, vendors, consultants and the like, you are probably under enormous pressure to try to close any outstanding business, sign deals and contracts, etc. before the clock strikes 12 on New Year’s Eve. The old “use it or lose it” calendar-year budget style is alive and well in IT departments worldwide, trust me.
I wanted to provide a “change of pace” post on Cassandra Security, which will hopefully give some insight into the world of buying and selling security solutions. I have worked at two very large vendors in both sales support and direct sales roles, so I understand marketing and selling security to a wide range of customers.
You had better believe that whoever is trying to sell you a good or service here in December 2009 is also under an insane amount of pressure. This takes many forms, but the most likely motivator is self-preservation. I like to refer to the last 6 weeks of Q4 as “the silly season”. This is where you can catch vendors and customers alike doing all sorts of crazy things to get a deal closed.
Sales people obviously want to sell you something, anything, to retire some of their quota (hopefully) and get a commission check. I am not sure how many people outside the sales world realize it, but anywhere from 40-70% of a sales rep’s total compensation is commission, so you should use this knowledge to your advantage. With 3 weeks left in the quarter, you want to have any final pricing/discounts submitted today (preferably) to give it time to get through their sales management, order operations, distribution and reseller partners (if any). You also want to have final pricing so you can properly set expectations with your management. You may think you are being a hero by trying to save the company another 3%, but if your management team is expecting a capital expenditure in Q4, you had better make one.
I wanted to go ahead and build a checklist of what tasks you should consider, both as a vendor/reseller and as an enduser/buyer of InfoSec products:
Vendor/Reseller of InfoSec Products/Services/Solutions
- Has the customer bought off on the solution (both technical and business wins)? If the answer is NO, I can pretty much guarantee with 99.999% certainty that you don’t have a deal that can be closed in the next 3 weeks. Miracles do happen; you may have pictures of the VP of IT doing provocative things in public places with rubber balloon animals and green Jell-O, or the CFO may have been a college roommate of yours (both true stories, btw), but if you are forecasting this to your sales management team and it does not close, have your LinkedIn profile updated and resume handy – you will need them!
- Do I have final pricing in place? If the answer is also NO, get your customer a final quote. This is part of being a good vendor sales rep.
- Is the proposed configuration correct and accepted by the enduser/customer? If not, get consensus with your internal customer champion’s help.
- Am I selling consulting with my product? If so, do I have a signed and accepted Scope of Work for consulting in place?
- Have you reached out to the procurement group at the customer? Are they aware of this upcoming purchase?
- Have contacts handy for any resellers, distributors, or other operations people that will help you book your order for your customer (the goal is to turn the deal into revenue by the end of the month).
- Understand everyone’s schedule for the rest of December (a lot of folks take off the last week of the month, so be prepared).
Endusers/Buyers of InfoSec
- Do I fully understand the solution I am buying? (HINT: If the answer is NO, stop reading this post NOW and go talk to your management team IMMEDIATELY and express your concerns if you are the decision maker or key influencer)
- Make sure you have final pricing and know to the penny what you are spending. If you do not, call your vendor sales person and/or reseller and GET AN OFFICIAL QUOTE IN WRITING!
- Have a time line and project plan in place for implementing your new solution (hopefully this will be in Q1 or early Q2 2010 – if it is later, you might want to investigate why you are making a spend decision now)
- Understand the implementation options and the “hows” and “whys”. You may also want to write an executive summary (no more than 2 pages) for your CIO/CISO and/or management team that explains the project. This gives them WRITTEN talking points they can use to explain the spend decision to CFO, CEO and the Board of Directors. Especially helpful since more and more CIOs report up through the CFO.
- Do you need professional services (i.e. consulting) with your purchase? Have you signed an agreed-upon Scope of Work, and have you been in contact with the consultant doing the work? Especially in the education space, a lot of consulting services are delivered in the last 3 weeks of December (makes sense, as most of the users are students and faculty and they are hopefully off-campus).
- Do you understand the buying cycle and procurement process in your own organization? Do you need to file forms or applications, obtain signatures or approvals, or get official approval from a committee or peer group? If any are true, you might also want to communicate this to the sales people, unless you want them calling you multiple times a day for a status update when you don’t have one or one is not expected/available.
- Are there any ancillary benefits of making this spend decision now – what are the pricing savings, is maintenance locked in for multiple years, do I get free training, etc.? Make sure you know this and can communicate it to your management team (HINT: include it in your Executive Summary to them for the project).
- Realize that you have an important role as the customer – you can either champion a spending decision or kill it. Choose wisely – your reputation, career and a lot of other factors may be riding on it. Heroes and goats in IT are made every day on decisions like these.
I know a lot of this is common sense, but oftentimes it simply takes a minute to put yourself in another person’s position and frame of reference. The vast majority of security sales people at least make an effort to provide some value to the InfoSec professional (note: value varies widely by vendor and by the individual). Sales folks want to close business and InfoSec professionals want to improve their protection posture. There is clearly a common ground where the two can work together toward the common good of improving security posture at an acceptable price point.
Higher Education and Information Security Awareness
One last post before I hit the hay and try to finish my current Kindle read.
The more time I spend in the classroom as an Adjunct Professor at Colorado Technical University teaching security courses for those seeking degrees in various security disciplines, the more I realize that the vast majority of higher education students are receiving no computer security or information security training. I am absolutely convinced that there should be a requirement that the vast majority of undergraduate students should have at least two computer/information security courses; one in their first semester of their first year and one in their final semester of their final year. By the way, these are not IT or CompSci students I’m talking about.
These students have majors in business, accounting, education, health care, law, criminal justice, administration, languages, political science, biology, chemistry, etc. The reason being? Nearly every one of these people will interact with a system that processes or contains HR data, customer information, patient data, company trade secrets and a multitude of other types of information. These are among the people that reply to emails from Sgt Ralph Brek “with the United Nations troop in Afghanistan, on war against terrorism” (the latest phishing scam that’s shown up in my inbox) with all of the information that he’s requesting.
These are the same people who would very likely answer specific, targeted questions about the company for which they work if asked by an otherwise well-meaning person. These are the people who would give up essential information that might otherwise be thought to be benign. But it’s not wholly their fault; I’ve a philosophy that those “stupid users” we hear so much about from IT and security staff only do what they are allowed to do, in the environment they are allowed to do it, with the knowledge or training they are given. They are as much a victim in many cases as the organization whose information was just compromised.
This education would serve two purposes: first, it would provide the institution the ability to train the students on the proper use of school assets by talking about real-world issues that affect both the student and the institution (phishing, malware, etc.), and second, it would prepare the graduating student for life after college as they enter the job market. However, I realize that many higher ed institutions will say, “Well, that’s not our responsibility,” but they have this two-year “general education” program that students go through to learn to write, spell, speak and interact, do they not? What’s the difference between a humanities class as a freshman for an accounting major and what I’m proposing above?
This train of thought for me has come from years of seeing classes, books, manuals and certifications geared toward the student or professional who wants to work in an information security discipline and not so much to the users or customers that the information security professional serves. It seems to me that part of this is backwards.
Job Postings and Too Much Information?
On a lark I decided to look at some security job postings, not to look for a job but rather to look at what type of information is included in those postings. It hit me today that organizations looking to hire security professionals tend to place quite a bit of information in their job postings that could lead one to deduce what type of security applications, controls and countermeasures they have in place. When I was in the Air Force we called this Essential Elements of Friendly Information, or EEFIs.
EEFIs themselves weren’t classified information, but with enough minor detail from multiple communications or, in this case, multiple web postings an adversary could determine some mission critical information.
Back to the point: is it necessary to post specific information such as the below examples in job postings?
“Specific technical skill sets include: Anti-Virus (Symantec), Network Monitoring (Security, SecurFusion), IDS (SNORT, ISS), Vulnerability Assessment (Nessus, NMAP).”
Another posted required technical knowledge with Cisco PIX and TippingPoint IPS.
Yet another, for a public utility, requested knowledge of Firewall-1.
These are just three examples that I found doing a quick search, I’m sure there are plenty more.
I realize that many of these are posted by staffing agencies, so it’s a bit difficult to pinpoint the specific company, but still, is specific security technology too much to post in a job listing? I realize that, as a hiring employer, you don’t want to get inundated with resumes, but on the other hand, as a potential attacker, could this information be useful to me?
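The EEFI concern above has two parts: a single posting names products, and several postings from the same organization aggregate into a map of its controls. Both can be checked before HR publishes. The following is an added example written for this post, not a tool the author describes: it scans posting text for named security products, builds the aggregated per-organization view an adversary would assemble, and rewrites a posting to name the skill category instead of the deployed product. The product-to-category list is constructed from the post's three examples (extend it for your own environment), and the sample postings and organization names are made up.

```python
"""Pre-publication EEFI review for security job postings.
Added example for this post; the product list and sample postings are
constructed, not taken from any real listing."""
import re
from collections import defaultdict
from typing import Dict, Iterable, Set, Tuple

# Product name (lower case) -> control category. Constructed from the products
# named in the post; a real review list would be tailored to the organization.
PRODUCT_CATEGORIES = {
    "symantec": "anti-virus",
    "snort": "IDS",
    "iss": "IDS",
    "nessus": "vulnerability assessment",
    "nmap": "vulnerability assessment",
    "cisco pix": "firewall",
    "tippingpoint": "IPS",
    "firewall-1": "firewall",
}


def _pattern(name: str) -> str:
    # Whole-token match so that e.g. "iss" does not fire inside "issue".
    return r"(?<!\w)" + re.escape(name) + r"(?!\w)"


def find_disclosures(text: str) -> Set[Tuple[str, str]]:
    """Return the (product, category) pairs named in one posting."""
    lowered = text.lower()
    return {(name, cat) for name, cat in PRODUCT_CATEGORIES.items()
            if re.search(_pattern(name), lowered)}


def aggregate(postings: Iterable[Tuple[str, str]]) -> Dict[str, Dict[str, Set[str]]]:
    """postings are (organization, text). Returns {org: {category: {products}}},
    i.e. the picture that multiple minor disclosures add up to."""
    view: Dict[str, Dict[str, Set[str]]] = defaultdict(lambda: defaultdict(set))
    for org, text in postings:
        for product, category in find_disclosures(text):
            view[org][category].add(product)
    return view


def generalise(text: str) -> str:
    """Rewrite a posting so it states the skill category but not the product."""
    out = text
    for name, category in PRODUCT_CATEGORIES.items():
        out = re.sub("(?i)" + _pattern(name), f"<{category} product>", out)
    return out


# Constructed sample postings; organization names are placeholders.
SAMPLE_POSTINGS = [
    ("Example Utility", "Specific technical skill sets include: Anti-Virus (Symantec), "
                        "IDS (SNORT, ISS), Vulnerability Assessment (Nessus, NMAP)."),
    ("Example Utility", "Required: hands-on experience with Cisco PIX and TippingPoint IPS."),
    ("Example Bank", "Knowledge of Firewall-1 administration required."),
]

if __name__ == "__main__":
    for org, categories in aggregate(SAMPLE_POSTINGS).items():
        print(org)
        for category, products in sorted(categories.items()):
            print(f"  {category}: {', '.join(sorted(products))}")
    print(generalise(SAMPLE_POSTINGS[2][1]))
```

The aggregated view is the useful output for a reviewer: a single posting naming one firewall looks harmless, but the same organization's two postings together reveal anti-virus, IDS, vulnerability assessment, firewall and IPS products in one place, which is exactly the multi-communication aggregation the EEFI concept warns about.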