05.07.2010

By nature, I am an empiricist; it is who I am and works for me based on my bent toward analytics and multi-faceted (at times onerous),  levels of thought and pontification.   I am unapologetic about the way I approach things; it is simply who I am.   Having said that, I recognize that I am not – nor is my way of approaching things, universally embraced or right for everyone.   To assert otherwise would be intellectually dishonest.   I am particularly intrigued (and spend a lot of time reading and studying), determinism and randomness theory and philosophy.   For many of us, life is as simple as asking a question which the quintessential Canadian thinking mans band Rush asked on its 1991 album Roll The Bones “why are here, because we’re here, roll the bones”; while for others the question of why and perhaps more importantly the answer is not so simple.  I fall into the latter camp.

I a student of empiricism; I am a stalwart advocate of critical thinking and reasoning especially when it deals with philosophical schools of thought such as determinism vs. randomness and how they interact within the world in which I professionally live and work.   These ideas are not new.  In fact they are quite old.   They are in many respects extremely old and as a result of their vintage, they have been and remain the subject of great debate.   Authors and thinkers such as Nassim Nicholas Taleb, who wrote two of my favorite books on the subject : Fooled by Randomness and The Black Swan: The Impact of the Highly Improbable, go to great lengths to explain these concepts along with their impact on causality.    So too did David Hume, the famed Scottish philosopher, along with Karl Popper and Colin Howson.   Needless to say there is a long and strong tradition in examining deterministic vs. random philosophy as it relates to probability.   The concepts are as old as time itself; as long as mankind has had the ability to reason he has struggled with whether or not events occur due to deterministic causes (or more appropriately because of events which exist and influence other events thus arriving at the cause for a current event), or due to sheer randomness.  We are no different than our predecessor in this respect.   We seek knowledge with respect to the origins of things and events in addition to what there existence will mean to us as we move forward.   This desire to know unequivocally what influences outcomes and the probability of those outcomes is central to the theme of our existence.  As a result, it infiltrates (if we are paying attention), all aspects of our lies from the most complex to the least.   We find ourselves asking why certain things occur at the time and place that they did, and to what end.   I happened to be in New York City last weekend making my way to LaGuardia Airport via the Holland Tunnel at the height of the melee that was underway  surrounding the events of the car bomb discovered in Times Square.   Needless to say, traffic through the Holland Tunnel neither was less than forgiving nor was that which we encountered on way to Queens any better as a result.    On the trip into the city news commentators could be heard speculating with respect to the cause of this event.   Why would a young, respected young naturalized American citizen (Faizal Shahzad), find it acceptable to place a makeshift bomb in Times Square?  What was his reasoning?  His goal?   His message?   Who was behind the activity and what might be the logical extension seen as a result of this event? All valid questions.   All seeking validation with respect to understanding whether or not the causality associated with these questions and the event in question (not to mention the young man), was in fact deterministic in origin or random.  We know that it was in fact not random based on evidence that had been collected and authorities are continuing to investigate the events that lead to this event and ultimately influenced it from the perspective of cause.  We humans tend to this with all manner of things ranging from the serious to the trivial.

With respect to information security or security in general, I believe we do so more often than people realize.  Security or being secure, is in many respects dependent upon being able to detect, identify and observer causality.  In being able to accomplish these three things, we are better positioned to account and prepare for the unknown.  If you stop to think about that for a moment it should become quite clear that the act of securing anything – home, car, host, server, network, people – requires the acknowledgment  of historic reasoning (in both deterministic philosophy and randomness), while at the same time the acknowledgment of the unknown.

We see this often within the friendly confines of our industry.  Take for example the following:  An organization is instructed by a governing body that in order to achieve a state of conformity with its governing body the organization in question must meet and demonstrate achievement of x number of criteria.   Failure to do so will result in negative ratings that may or may not result in fines and / or the inability to conduct business transactions.   The governing body assumes that arriving at a state found to be in alignment with its standards will discount and eliminate (due to deterministic causality), any potential for randomness to manifest, thus negating the possibility.   But what if their assumption is wrong?   What if the data which they have assumed to be whole and comprehensive is not so?

I fear that this is more common than not within our space due to a lack of due diligence and grasp of historical accuracy with a forensic like precision.

Here’s another example:

A software-publishing house for quick processing of financial transactions develops an application.  It is seen as being mission critical to organizations that purchase it looking to capitalize off of any edge they can to beat their competitors to the market.   Speed in this case is very good.   The software publishers, realizing the importance and value of the application to their clientele decide to expeditiously develop and push the code to market rushing through all quality assurance (QA) and beta testing in order to beat the deadlines set by the executive teams in order to realize the greatest degree of revenue possible.  The developers run through the exercise of white boarding the data flow and block diagrams, technical requirement documentation, marketing requirement documents and product roadmap documents.     From there the code is pushed through the QA gauntlet at light speed and rushed into the beta testing customer environments.   Initial results are noted and brought back to product management and engineering who then wrestle with addressing the issues in a timely fashion in order stay within budget (both financial and time budgets), while not missing their window of opportunity within the market space.   The code is run through QA again, and pushed for GA candidacy.

But there is a fly in the ointment.   Some young (or not so young), perhaps charismatic (or at the very least quirky), individual is asked to look at the code or application as part of an audit and assessment and finds that low and behold it is vulnerable to an abundance of potential threats all of which can be exploited in a trivial manner.  At the same time this assessment is occurring the code and its publishers are reaping great successes and accolades.  The code, now a fully baked financial suite is swiftly on its way to becoming one of the most popular suites of its kind in 21st century business; yet, it is as vulnerable to exploitation as a runaway at a Port Authority bus station.  While our young or not so young, assessor of questionable charismatic quality, is reviewing the code, carefully noting the deficiencies and potential for complete exploitation, reports begin trickling into our software publisher that exploitative events have begun.  Worse yet, they were events that were not accounted for during initial or secondary quality assurance testing and thus perceived as being random.   We know however that randomness is simply the failure to take note of events that feed into causality, which therefore can be interpreted as a failure in paying attention to detail.   Perhaps one of the gravest mistakes anyone can make yet all too common within our world and history, let alone our industry.  So what are we to do about this?   How can we, as professionals convey a sense of urgency that supersedes and avoids a “chicken little” like knee-jerk response to events we encounter?  This is easier said than done especially in a world where information travels at the speed of light.   I believe that in order to achieve the proper perspective we need to encourage the following:

This is by no means a trivial event; nor has it ever been an easy proposition.   The ability to interpret historical events and data — even when they appear to be disparate and unrelated is paramount to achieving the goal of comprehensive deterministic understanding.  In short this allows us to avoid via scientific means the pitfalls associated with randomness and its associated theories.   In order that we may achieve this the ability to reflect upon our data sets and circumstance all while applying observing ego is of paramount importance.

Tags: , , Filed Under Assessment, Information Security Philosophy, Threat Modeling, risk management | Leave a Comment 

03.23.2010

Yesterday  I read a blog post at securosis.com which inspired me to think about innovation and our industry.  Rich asserted in his post that there is no market for security innovation.  Whether you believe this to be the case or not is irrelevant as my intention is not to debate this (personally I believe that there should always be a pragmatic side to innovation; that innovation should not only address preexisting deficiencies within available solutions but raise the bar in terms of effectiveness and applicability while offering potentially amazing peripheral benefits), point but rather to foster further discussions having to do with information security and the markets which are impacted as a result.  To begin with, Rich’s post gave me cause to consider the value we place on innovation as individuals and collectives and how said values impact innovation.   I believe this varies and, as Rich alluded to in his post, there is a spectrum associated with innovation in our industry. One end of that spectrum is expressed by that which lacks pragmatic value but is valuable in academic circles.  It is easy to discount this type of innovation as being purely academic and as a result, less valid than other more practical forms of innovation however, it is often through the most convoluted, esoteric innovation which new, massively applicable forms of innovation occur.  On the other end of the spectrum is the painfully practical; the ‘hammer and nails’ practical innovation which may or may not be terribly innovative (I’m willing to wager and on the latter), at all but really representative of the status quo.  If it isn’t broken don’t fix it…or improve upon it for that matter.  Then there is the happy medium; the gray area which I feel represents the best of everything the spectrum has to offer.  Here we see an ‘enlightened’ innovation coming to fruition.   This is the ideal and for what it is worth, what I strive for in my own work.   I believe here, we find that healthy blend of the practical and pragmatic and the truly mysterious; the realm of the dreamer where one is limited only by his or her creativity and ability to conceive and conceptualize.   To me, this is a beautiful thing.

After much meditation on Rich’s blog post, I arrived at a conclusion where I have found myself at many times before:

  1. Innovation is not dead
  2. Innovation is not non-existent
  3. Innovation does not require the creation of new markets though often times this is what occurs (I have reason to believe that this occurs not always due to impracticality but to bad marketing and a lack of clarity & vision on the part of the organizations in question)
  4. Innovation will always occur — whether in the basements, garages or livings of the United States of the formal research & development labs

As Thomas Edison said, ‘discontent is the first necessity of progress’.  Edison, like so many other men of action, knew the value of owning one’s dissatisfaction with situations and circumstance.  He knew that in doing so, a man (when properly motivated and given the room to do so), will work towards advancing and innovating in the present to ensure the future.   It is the same today as it was yesterday.  Innovation is neither dead nor unaccounted for.  Innovation is not for the weak, faint of heart, or lazy.  No.  In fact, innovation is (though some would have you think otherwise), is quite challenging.  It takes vision.  And vision is not something rooted in the sweet waters of the lazy or of those who are ‘busy for busy’s sake’.    Edison knew this.  He said “ Being busy does not always mean real work.  The object of all work is production or accomplishment and to either of these ends there must be forethought, system, planning, intelligence, and honest purpose, as well as perspiration.  Seeming to do is not doing”.  In the post I read yesterday, the author challenged the readers to consider whether or not innovation occurs organically and in response to new challenges or if it is dreamt up by academics with no practical or pragmatic application in mind.   I personally believe that innovation, as did Edison, occurs with one’s recognition of discontent in a something and would go beyond that to suggest that it is also the result of dreaming powerful, world changing dreams.  Whether it is a product, service, or combination of both; the recognition of the cycle of discontent and  progress via innovation is alive and well.

In our industry, we’re often faced with a veritable dead sea of mediocrity.  Large vendors (and some smaller ones) push the mediocre (at times with new and creative campaigns), as opposed those which are arguably more insightful.  The result is that innovative solutions are often overlooked due to their being new, innovative, or the product of a ’start up’.  The author of the blog wrote that innovation often forces the creation of a market rather than attacking a pre-existing one.  There may be some truth to that though I’d argue that this is not necessarily bad.  In my humble opinion innovation will continue as long as there are those willing and able to look at the world around them and say unequivocally that the status is quo is both unacceptable and illogical.   It will continue so long as there are those with vision who are unwilling to accept the mundane and mediocre being force fed to the masses by large, bloated vendors whose vision extends only as far as their balance sheets.

Tags: , Filed Under Information Security Philosophy | 2 Comments 

02.02.2010

In business, accountability is something that cannot be stressed enough.   This was true before the economic breakdown of 2009, and will continue to be long after.  Accountability is of paramount importance and perhaps more so than anything else, it is a good thing.   Accountability is something that at some base level, all humans can relate to.   Ask any child whether or not they receive reprimanding by their parents when found to be in violation of a rule and you will almost assuredly receive a response of ‘Yes’.   If you receive a ‘No’ than perhaps, that is a sign of bigger challenges and problems to come.   Regardless of the response, my belief is that you would be hard pressed to find anyone with any amount of intellectual honesty who would say that being accountable is a bad thing.

Accountability is a good thing.  It is of imperative importance.  Accountability aids us in the definition; maintenance and articulation of healthy boundaries that all humans need and require (though are not always seen or found present).  Boundaries, rooted in the freedom afforded by accountability, enable us to live, grow and prosper with the understanding that we are all responsible for our actions (of course there are things which we cannot control however our responses to external stimuli as Marcus Aurelius taught us, are well within our sphere of influence).  Accountability provides much more in the way of freedom than most would initially suspect.

As information security professionals, we should all (I will not assume that all do however, I will suggest that we all should), be cognizant of the value of accountability.   If one looks at the continuum of information security, and its role within modern business today (regardless of the vertical or sector), one can conclude that being accountable should not be negotiable.  We do not live in a perfect however and as a result, we must assume that in some organizations, for better or worse, it will be seen as being negotiable.  In those cases where it is deemed negotiable, one need not look any further than to the leadership in place and their vision for both the culture.  Similarly, in those environments where it is deemed unacceptable to be negotiable with respect to accountability one need not look any further than the organizational the leadership teams.   When moral flexibility is allowed to negatively influence accountability, it should surprise no one when armies of auditors, assessors, consultants, vendors descend upon the environment in question to aid the bewildered, understaffed information security teams and management.  There is blood in the water and sharks can smell it for miles off.

The impact upon the organizational culture, receptivity and tone becomes more pronounced as well.  The cultural attitudes of the organization in question, in addition to the sub-cultures that exist within the primary organizations business units.  Any number of scenarios can come about as a result from those that are extremely open, productive and collaborative to those that are terribly conflicted and shut down from a productivity perspective.  Enterprises (whether in the public or private sector), do not need to settle for scenarios which encourage mediocrity and closed minded attitudes.  The establishment of accountability as an elementary aspect of organizational culture and politics (social and / or formal), is a wonderful place to begin.   This does not mean that organizations should begin encouraging Orwellian information gathering campaigns where rewards are given to those who inform on their co-workers infractions (real or perceived), but rather where all parties from within all roles understand their contribution to the organization in any and all forms to and including being accountable for ones’ own actions and to one another so as to prevent any damage to the organization and / its assets (tangible and intangible alike).

You might be saying to yourself as you read this “that sounds wonderful Will, however I live in the real world and work there to.   I have no use for esoteric philosophical idealism when I need to get the job done today, especially when I have to demonstrate compliance for God knows what to God knows who”.  Fair enough, I can appreciate that which is exactly why reply would go something like this “Of course you don’t, you’ve got a lot to accomplish in little time and with even less in the way of resources however if you take a few steps back from the situation, employing observing ego you will see that the advocacy of accountability in the form I am speaking of (predominantly through sound risk management based security programs and frameworks), would relieve you of much (not all), of the challenges you face”.  Crazy you?  Unrealistic?  Immature? Handsome (had to throw that in to see if you were paying attention ;) .  My assertion is that through the adoption of a solidly crafted risk based security program and framework; accountability can be achieved where it currently does not exist and supported & enhanced where it already does so.

So how do we get there from here in the absence of accountability?   The first step is to revisit your organizations P3 (process, procedure, and policy) to see what exists (if anything), to do date.   Odds are, something does though the state and maturity might vary.   Should you find yourself in a situation where you have none or what is roughly the equivalent of none, fear not.  This is not necessarily disastrous however, it should be addressed and amended swiftly in order to ensure the organization maintains its risk posture or, at the very least, becomes cognizant of it.

Tags: , , Filed Under Assessment, Audit, Cyber Defense, Information Security Philosophy, risk management | 2 Comments 

11.19.2009

tesla-age40Without Tesla, we security researchers may never have had formal reverse engineering procedures.   What you say?  Tesla was, in addition to other things, a security researcher focused on reverse engineering?  Clearly no, he was not.   Nikola Tesla was a brilliant man who lived in the age of Edison (or Tesla depending on who you ask ;) making his living as a specialist in areas of research having to do with mechanical and electric engineering.   He is known for the following:

Tesla LabNevertheless, perhaps what he is most noted for is the controversy, which ensued between 1891 – 1893.  At the time, Nikola Tesla was living and working in St.Louis, Missouri where his focus was on the production of devices used in his experiments with electricity.  His work saw the construction of various devices and apparatus that produced between 15,000 and 18,000 cycles per second.   Within the scope of his work, the transmission and radiation of radio frequency energy was a feature exhibited by Tesla that he proposed might be used for telecommunication of information.   He gave several demonstrations of his technology and work to very prestigious institutes including the Franklin Institute and the National Electric Light Association.   He was articulate, crisp and concise in his description of his wireless work that was both fascinating and groundbreaking.   The descriptions provided by Tesla contained all of the elements that were later incorporated into radio systems well before the development of the vacuum tube a feat which still amazes many to this day largely due to his staunch rejection of hertzian waves which he considered wasteful.   His work both superseded the work being conducted by Hertz and Bose while eclipsing the work of Edison and Marconi as well.   Tesla was truly the master of wireless transmissions.  He received the following US patents for his work in this space:

nikola-teslaThrough reasons not his own, Tesla’s innovation was (like that of others), misattributed to Guglielmo Marconi, who has been called the father of radio.  Marconi is said to have read about the experiments that Hertz did in the 1880s while he was on vacation in 1894 and about Tesla’s work as well and that this information led to the creation of his device that was largely comprised of components conceptualized by others. It was at this time that Marconi began to understand that radio waves could be used for wireless communications.  As interesting as all of this is, this is not the purpose of this blog post.  No, today’s blog focuses on a concept, a principle developed by Tesla, known as the Tesla Principle, which was paramount to his work and over time became less relevant but no less important in other forums.   What is the Tesla Principle?  Put plainly the Tesla Principle was used to describe (amongst other things) certain reversible processes invented by Nikola Tesla himself.  It was a brilliant and yet obvious means by which he could if the need arose work backwards in order to troubleshoot issues if necessary.  It was developed during Tesla’s research in alternating currents where the current’s magnitude and direction varied cyclically.  It marks the official birth of reverse engineering.

Reverse engineering is integral in puzzle solving and for those of us who make part or all of our living reverse engineering products, ideas, concepts, situations, the ability to work fluidly and linearly is important.  It enables us to, in an organized fashion; ensure that A led to B, B to C and so on.   It empowers us to interject a timeline and workflow where one does not exist.  It is quite elementary yet terribly important.   We in the information security industry require from time to time a healthy dose of the Tesla Principle whether wish to admit it or not.   I cannot imagine doing what we do without Tesla’s Principle in some form being utilized.   Simple because consumers are consuming and products are being purchased does not mean that challenges are being solved truly, completely and comprehensively.   As a result, the ability to reverse engineer or retrace our steps is both necessary and integral to success in technological pursuits as well as those having more to do with the philosophical and political elements of our craft.   Application of the theory however requires a level Dutch courage that is not ubiquitous throughout our industry or any industry for that matter.   It requires we use and put into practice observing ego and separate ourselves (personally), from the challenge in order to assess the incidents independently in order to gain the appropriate point view while arriving at best prospective and solution.

Tesla’s Principle can and should be applied to all we do as security thought leaders, practitioners, vendors and intelligentsia.  However, in doing so it requires an honest forth-coming response to the challenges we face, some being result of stagnation within the practitioner community, others the result of stagnation within the ranks of ownership and still others within the areas of responsibility belonging to the vendor community.   In explore what doesn’t work, hasn’t worked and cannot possibly work based on the facts as we have them, we enable ourselves to create a new, dynamic and effective solution designed to address the deficiencies seen in the original while delivering on all the promises articulated in the product release document (regardless of the form this takes).

Tesla on the Cover of TimeUltimately, it requires a scientific approach that calls for emotion to be considered, yet side lined in order to focus on improving people, process and technology for the greater good.   Can our industry withstand this change?  I don’t see how it has any choice given where business is going in general and the observable failures witnessed over the last several years (breaches, losses, compromises due to poor policy enforcement etc.), which could have been prevented had a re-engineering thought and process been conducted.   When I think of issues such as those seen in recent years.   Incidents such as those related to the VA, or Choicepoint, or more recently the loss of 60+ systems from Los Alamos Labs, I can only hope and pray that we as the leaders of the new generation take a lesson from Tesla and apply a similar principle in reinvestigating our efforts to see what is and is not working….clearly there is room for this today!

Tags: , , , Filed Under Information Security Philosophy, Uncategorized | 3 Comments