02.24.2010

Next week is the annual RSA Conference, our industry’s largest trade expo and conference. People from the world over will gather in the greater San Francisco, California area to attend the conference and the panels, walk the vendor floor to see what’s “hot” in the industry, network, and engage in lively debate and discussion related to our tradecraft. Additionally, SecurityBSides San Francisco will be running during the same time. At that conference speakers from points near and far will converge and share information with an audience eager to learn, grow, contemplate and debate all things information security. It is an exciting time and a series of events that should, if at all possible, not be missed. I am looking forward to the trip to San Francisco for several reasons, none of which are clandestine or confidential. I’ll be speaking at SecurityBSides San Francisco with John Pirc and am very much looking forward to doing so. I feel our presentation will be lively, invigorating, thought provoking, entertaining and above all informative. Additionally, I feel it will be a nice opportunity to meet and confer with my peers on matters on which we agree and disagree, in the hopes of gaining greater clarity and understanding, all while encouraging respectful, thoughtful, professional discourse.

Too often in our industry (and in life in general) we see denigration become the rule rather than the exception, leading to bad blood, misunderstanding and hurt (yes, I’m saying it), hurt feelings. We’re all human and I do not believe for a moment that any of us are above reproach. Having said that, I’m looking forward to a new era of enlightened knowledge transfer and sharing with some of the industry’s best and brightest, in the hope that through such activity we will edge ever closer to addressing that which ails our industry and threatens our collective (in the bigger, non-industry sense) way of life. My challenge to my peers and to myself for the coming week is to refrain from negativity and to embrace constructive criticism and dialogue. This will, no doubt, be more difficult for some than for others; however, my challenge stands. My hope is that as a community of professionals we will adhere to some basic rules that all (or most all) of us were taught by mom and dad and likely learned in kindergarten to boot:

  1. If you can’t say anything nice don’t say anything at all
  2. Even when you know that you know more or are more experienced don’t make a point of letting others know; it’s unseemly
  3. Do more good than harm

In short, these rules, together with lessons espoused in cultures the world over, such as treating others with respect and in the manner in which you would want to be treated, should aid us all in making the most of this exciting opportunity. Have fun and see you at RSA!

CODE BLUE

It is no secret that the world is a complex place. Look at any news report on any network, regardless of your geopolitical bent, and you will notice three things:

  1. Everyone has an opinion
  2. Everyone’s opinion to him or herself is right and sacred
  3. Opinions without action are worthless

I am a huge fan of Erik Erikson, the revered developmental psychologist and psychoanalyst best known for his theory of psychosocial development. His work and research in the field of ego psychology and psychosocial development was landmark, and amongst the neo-Freudian community he, in my opinion, stood far above his peers. Eriksonian theory holds that psychosocial development occurs in a series of stages, each of which requires successful mastery of the preceding stage in order to properly prepare and set the stage for all later stages. Likewise, Erikson theorized that failure to master the earlier stages can have a damning effect upon development, though this is not to say that one cannot recover from and overcome these obstacles and subsequently (with hard work and diligence) arrive at a place which is right for the stage one finds oneself in (there are of course limits and caveats associated with this, especially in the earliest stages, wherein the subject is still an infant and largely dependent upon others for nurturing). The following table depicts Erikson’s stages of psychosocial development nicely.

Table 1: Erikson’s Stages of Social Psychological Development

Stage | Basic Conflict | Important Events | Outcome
Infancy (birth to 18 months) | Trust vs. Mistrust | Feeding | Children develop a sense of trust when caregivers provide reliability, care, and affection. A lack of this will lead to mistrust.
Early Childhood (2 to 3 years) | Autonomy vs. Shame and Doubt | Toilet Training | Children need to develop a sense of personal control over physical skills and a sense of independence. Success leads to feelings of autonomy; failure results in feelings of shame and doubt.
Preschool (3 to 5 years) | Initiative vs. Guilt | Exploration | Children need to begin asserting control and power over the environment. Success in this stage leads to a sense of purpose. Children who try to exert too much power experience disapproval, resulting in a sense of guilt.
School Age (6 to 11 years) | Industry vs. Inferiority | School | Children need to cope with new social and academic demands. Success leads to a sense of competence, while failure results in feelings of inferiority.
Adolescence (12 to 18 years) | Identity vs. Role Confusion | Social Relationships | Teens need to develop a sense of self and personal identity. Success leads to an ability to stay true to yourself, while failure leads to role confusion and a weak sense of self.
Young Adulthood (19 to 40 years) | Intimacy vs. Isolation | Relationships | Young adults need to form intimate, loving relationships with other people. Success leads to strong relationships, while failure results in loneliness and isolation.
Middle Adulthood (40 to 65 years) | Generativity vs. Stagnation | Work and Parenthood | Adults need to create or nurture things that will outlast them, often by having children or creating a positive change that benefits other people. Success leads to feelings of usefulness and accomplishment, while failure results in shallow involvement in the world.
Maturity (65 to death) | Ego Integrity vs. Despair | Reflection on Life | Older adults need to look back on life and feel a sense of fulfillment. Success at this stage leads to feelings of wisdom, while failure results in regret, bitterness, and despair.

At this point you, the reader, may be wondering just what this has to do with what I typically write here. That is a great question and I am glad you are thinking :). I believe our industry has, in many ways, met with conflicts (as Erikson describes them, or challenges) and failed to conquer them, thus finding itself following a derelict trajectory. I believe several factors have contributed to this:

  1. An inordinate amount of emphasis being placed on compliance for compliance sake as opposed to improvement of risk posture
  2. A fundamental lack of value and understanding with respect to information security and all it influences, in business and outside of it, historically (though I feel this is beginning to change…slowly)
  3. Errant thinking and marketing campaigns on the part of certain vendors (you know who you are and as such there is no need to point you out here)
  4. The errant belief that what worked in the past will work today or tomorrow (applies to technology as well as thought / philosophy)
  5. The accepted ‘norm’ of intellectual dishonesty which has become grossly apparent to the trained eye and experienced practitioner

In terms of development, it is my opinion that the industry has progressed, though not without lumps, and as a result of incurring said lumps has approached each successive stage of development in a manner which, though not ideal, can certainly be right-sized. Should this right-sizing not occur, I believe the industry at large will settle squarely into developmental stage 7, “Middle Adulthood,” characterized by Generativity vs. Stagnation, and find itself landing precariously in the realm of stagnation. I do not do stagnation well; do you? If not, let us continue to challenge our peers, our industry, our clients, our customers and ourselves to reclaim our industry and ensure generativity for all.

Software is an essential, non-negotiable aspect of everything we experience in our daily lives. It is the technological parallel of water in the biological realm. All things within the worlds that govern the use and application of either software or water rely upon the sanctity and “cleanliness” of these resources in order to progress and ensure their existence. Without a sense or guarantee of purity, much stands to be lost, most of which can only be hypothesized about or guessed at until an event of interest solidifies the inclinations of those who are speculating. Consider all that you interface with on a daily basis, regardless of where you are located on planet Earth: your communications systems, your medical and emergency response systems, your transportation systems, your drinking water and water treatment facilities, your power industry systems (end to end), your financial systems, your military systems, etc. This is a relatively short list, and though that may be the case (and though I am fully aware of the greater scope of systems and technologies affected by software), we can see that precious little in the age in which we live exists outside the realm of engineering that is dependent upon secure software development. Traditionally, software development lifecycles (SDLCs) have been individually governed either by the parties responsible for the ‘framework’ of tools and/or coding languages used for development, or by the parties within a given organization who have assumed responsibility for development and are actively moving toward goals set forth by the business units they support. Whatever the case may be, there are ample examples of glaring deficiencies within these processes, deficiencies which (when left unaddressed, provided they are found, or worse, ignored despite having been found) often have cataclysmic ends.

As professionals working in the business world, plying our tradecraft, we need to ask ourselves, our clients, our customers and anyone else who will listen (ideally those who have a ‘stake’ in the decision-making process which impacts the generation and delivery of this code) why we allow an insecure state to exist in something so key to everything we do. There are many reasons one could point to for the existence of these deficiencies:

a) Meeting or exceeding expectations of the investment community

b) Exceeding the ability of the competition to get to market and thusly secure a more stable position

c) Realization of a conceptualized solution to a need / want in the absence of irrefutable data

a) Coding with security in mind is as much an art as it is a science; however, it can be achieved in repeatable fashion via soundly crafted process and procedure, in addition to training and encouragement of skill set development

b) Resource / personnel challenges

a) Self-explanatory, but it can certainly be expanded upon in greater detail at a later time

a) Art meeting science; one cannot rush greatness or soundness of design, however one can, through the right people, process and technology, achieve the goals and complete the mission

b) Patience is non-negotiable

a) People fear what they do not understand

b)  People fear what they do understand but are unable to influence and / or change

c) People fear what they cannot contemplate

The net effect for our discipline and tradecraft is that we see (and experience daily) the results of either a poor SDLC or the total absence of one. We cannot afford to become comfortable or complacent in a system which has, to date, zero accountability, and as such many are looking at the present and toward the future with new, bold ideas in mind, hoping to effect change. One such organization is one which I have both the privilege and honor of being affiliated with, The Rugged Software Initiative (http://www.ruggedsoftware.org/ and https://groups.google.com/a/owasp.org/group/rugged-software). My friend and colleague Josh Corman, along with David Rice (author of “Geekonomics” and security professional) and Jeff Williams (CEO, Aspect Security), developed this concept and, with the help and guidance of several industry figures, delivered the Rugged Manifesto and initial presentation, which they presented and released at the SANS Application Security Summit on February 5, 2010. This is not the first time an SDLC methodology has been proffered to the masses; however, it is one of the only times I can readily recall that a collective body of like-minded individuals from disparate elements of industry have developed a framework akin to this which they hope to see adopted by the masses as a mechanism for combating the threats presented by the deficiencies I mentioned earlier, and others as well. That being said, I and my peers at Cassandra Security stand in support of Rugged. Many of us have functioned and continue to function in assessor and auditor capacities and understand all too well the flawed state of code in the world today, through our own analysis and through the work of others. We believe in the concept and the goal. Do we believe that it will be adopted universally and that all software development flaws will be eliminated? No, we do not, but we are hopeful that in encouraging the adoption and support of this ideal we, as professionals and as colleagues, can encourage industry to address the points I made above and those contained within the body of The Rugged Software Initiative and Manifesto in order to mitigate the risk. Get Rugged, it might just save your life.

02.11.2010

There is a lot of perennial talk of social engineering and direct project/resource management. Attempts to solve complicated political situations with manipulation or a slick widget tend not to work very well over time. They do not address the underlying issue.

The wedge of compliance or a mandate from a framework may get some base requirements moving. However, in order to get people, chief executives and influential management, toeing the line for a healthy risk and security governance program, it will take something more. It takes a bidirectional respect for the people involved and bringing the conversation to them in terms that they, your audience, understand.

In short, technology risk in general is not well understood by many practitioners. Outside of direct practitioners it is barely understood at all. Technology risks to the business can be so complicated to understand that they need to be interpreted and put into terms that everyone understands, such as dollars.

Fostering a climate of respect and reward of long term goals instead of a short-term win is key to the success of any real life security governance program.

I have some thoughts on how to begin.

Respect your audience:

Respect peoples time:

Respect your resources:

Respect the constraints of your organization:

Too often I hear fellows in the trade using harsh words to begrudge people who do not understand risk management, instead of lamenting their own inability to express it in terms that those people will understand. Too often problems arise from not communicating effectively and from not earning or giving respect. This failure in communication was what I read into this CSO Online article about a $10M raise in budget after a showboaty penetration report.

Ira says “grab by the balls.” I say “communicate effectively and with respect.”

02.02.2010

Today I read a blog entry which both amused and troubled me.  The entry in question can be found here and was written by Anton Chuvakin, a smart cat who is obviously trying to draw parallels where they simply do not exist.  In this case, he asserts that there are at least 9 reasons which describe how (and why), the PCI-DSS standard and Advanced Persistent Threats (APTs) are alike.   Not being new to either, I thought I would read Anton’s entry and see where he was going with this…apparently to la la land…..  Let’s take a look at what he asserts.

First and foremost, he asserts that they are similar. I find that humorous at best and borderline irresponsible at worst. PCI, as you, dear reader, are well aware, is a governance standard created by the payment card industry (the PCI in PCI-DSS) in order to establish a homeostatic baseline against which all vendors, merchants and processors conducting business with the major payment card brands can be measured. It has nothing to do with threat modeling or mitigation, nor does it ensure (as we are painfully aware due to the unfortunate events which took place at Heartland, Hannaford and a host of others who were either certified PCI compliant or in the process of being certified) that anything beyond the scope of those systems which comprise the cardholder data environment is secured (this is accomplished via vulnerability scanning and auditing against the standard), leaving the remainder of the enterprise to sway in the wind like yesterday’s laundry. For the record, I don’t think PCI is good or bad, but rather like climbing the rope in gym class: if you want to make the grade, you’ll get up that rope; otherwise you’ll receive the consequences. It doesn’t really speak to one’s athletic capabilities or aptitude, however it does impact your grade. PCI is more akin to this than to APTs.

Anton asserts the following (whether in jest or in all seriousness is debatable):

  1. Ok…this is cute, but hardly relevant or helpful to anyone combating, or faced with the prospect of combating and defending against, the realities associated with APTs
  2. Both are not threats. The penalties associated with failure to comply with the PCI-DSS standard, if one’s organization hopes to continue processing credit card transactions, are a promise, whereas the threats associated with ‘APTs’ are wildcards and cannot be guaranteed, as no two ‘APTs’ are alike.
  3. I have no issue with this, only because it is generally true that in making assumptions which eliminate the possibility of risk one does oneself no favors
  4. In all my years in consulting, working in research, and for two different information security vendors, I have never met an organization who said updating was too hard. I have, however, met several who have asserted that the politics which governed their environments were prohibitive and that their management teams were, for better or worse, comfortable with the assumed level of risk under which they labored and operated. Fair enough, it’s your environment, do as thou wilt. However, in working with those who have been victimized by ‘APTs’ I can tell you that none have ever (let me reiterate, EVER) said “what’s the point” in updating their malware defenses. The reality is that 99.999% of the time they were completely unaware that their environments were at risk; they were updating their defenses and assumed their vendors were maintaining congruency and continuity with respect to the content they were delivering. In most of these cases, the advanced analytic tools which were necessary (above and beyond logging and monitoring, by the way) were not present within these environments, and as a result the ability to track the activity associated with these threats was absent.
  5. “A” in APT stands for “advanced,” PCI is pretty advanced stuff for some people who have to be compliant with it (think: your neighborhood gas station)
  6. With PCI, you don’t always know what you need to do; with APT you almost never know what to do.
  7. Also, you are never “done” with PCI, you need to maintain compliance and security; you’re absolutely never “done” with APT.
  8. PCI compliance requires logging and monitoring; dealing with APT absolutely requires extensive logging and monitoring.
  9. People refuse to deal with PCI because they do not believe that anything bad will happen to them; similarly, people refuse to deal with APT since they don’t know that APT has already happened to them.

I hope this comparison and contrast was helpful to those who read it as well as Anton’s blog. My goal in writing this is three fold:

  1. To ensure that the dialogue pertaining to APTs and other advanced families of threats remains pure and unadulterated.
  2. To ensure that inaccuracies and under developed concepts are prevented from permeating the cultural zeitgeist.
  3. To ensure certain parties avoid liberating graphics from entries posted here at Cassandra Security ;)

02.02.2010

In business, accountability is something that cannot be stressed enough. This was true before the economic breakdown of 2009, and will continue to be true long after. Accountability is of paramount importance and, perhaps more so than anything else, it is a good thing. Accountability is something that, at some base level, all humans can relate to. Ask any child whether or not they are reprimanded by their parents when found to be in violation of a rule and you will almost assuredly receive a response of ‘Yes’. If you receive a ‘No’, then perhaps that is a sign of bigger challenges and problems to come. Regardless of the response, my belief is that you would be hard pressed to find anyone with any amount of intellectual honesty who would say that being accountable is a bad thing.

Accountability is a good thing. It is of imperative importance. Accountability aids us in the definition, maintenance and articulation of the healthy boundaries that all humans need and require (though they are not always seen or found present). Boundaries, rooted in the freedom afforded by accountability, enable us to live, grow and prosper with the understanding that we are all responsible for our actions (of course there are things which we cannot control; however, our responses to external stimuli, as Marcus Aurelius taught us, are well within our sphere of influence). Accountability provides much more in the way of freedom than most would initially suspect.

As information security professionals, we should all (I will not assume that all do; however, I will suggest that we all should) be cognizant of the value of accountability. If one looks at the continuum of information security and its role within modern business today (regardless of the vertical or sector), one can conclude that being accountable should not be negotiable. We do not live in a perfect world, however, and as a result we must assume that in some organizations, for better or worse, it will be seen as negotiable. In those cases where it is deemed negotiable, one need look no further than the leadership in place and their vision for the culture. Similarly, in those environments where it is deemed unacceptable to be negotiable with respect to accountability, one need look no further than the organization’s leadership teams. When moral flexibility is allowed to negatively influence accountability, it should surprise no one when armies of auditors, assessors, consultants and vendors descend upon the environment in question to aid the bewildered, understaffed information security teams and management. There is blood in the water and sharks can smell it for miles off.

The impact upon the organizational culture, receptivity and tone becomes more pronounced as well, as does the impact upon the cultural attitudes of the organization in question and the sub-cultures that exist within the primary organization’s business units. Any number of scenarios can result, from those that are extremely open, productive and collaborative to those that are terribly conflicted and shut down from a productivity perspective. Enterprises (whether in the public or private sector) do not need to settle for scenarios which encourage mediocrity and closed-minded attitudes. The establishment of accountability as an elementary aspect of organizational culture and politics (social and/or formal) is a wonderful place to begin. This does not mean that organizations should begin encouraging Orwellian information-gathering campaigns where rewards are given to those who inform on their co-workers’ infractions (real or perceived), but rather that all parties in all roles understand their contribution to the organization in any and all forms, up to and including being accountable for one’s own actions and to one another, so as to prevent any damage to the organization and/or its assets (tangible and intangible alike).

You might be saying to yourself as you read this, “that sounds wonderful Will, however I live in the real world and work there too. I have no use for esoteric philosophical idealism when I need to get the job done today, especially when I have to demonstrate compliance for God knows what to God knows who”. Fair enough, I can appreciate that, which is exactly why my reply would go something like this: “Of course you don’t, you’ve got a lot to accomplish in little time and with even less in the way of resources; however, if you take a few steps back from the situation, employing your observing ego, you will see that the advocacy of accountability in the form I am speaking of (predominantly through sound risk-management-based security programs and frameworks) would relieve you of much (not all) of the challenges you face”. Crazy, you say? Unrealistic? Immature? Handsome (had to throw that in to see if you were paying attention ;) )? My assertion is that through the adoption of a solidly crafted risk-based security program and framework, accountability can be achieved where it currently does not exist and supported and enhanced where it already does.

So how do we get there from here in the absence of accountability? The first step is to revisit your organization’s P3 (process, procedure, and policy) to see what exists (if anything) to date. Odds are, something does, though its state and maturity might vary. Should you find yourself in a situation where you have none, or what is roughly the equivalent of none, fear not. This is not necessarily disastrous; however, it should be addressed and amended swiftly in order to ensure the organization maintains its risk posture or, at the very least, becomes cognizant of it.