Thursday, May 31, 2007

Shell Game

I wanted to share an observation that I had this week with regards to information security "compliance" and that one of the significant downfalls of being "compliant" is that I see a tendency to turn security into a big shell game. After all, if something does not exist how can it "NOT" be compliant? It's not there, right? The problem is that it is there and has simply been "pencil whipped" away into oblivion. The issue is still real enough and your adversaries couldn't care less about the 30 page white paper showing how great you are.

What I would like to really see happen is that an agency, don't know who, but someone who has the balls and political ammo in the government, basically someone who isn't afraid of living in a small remote cabin in Alaska for the rest of his/her natural life, kick off a covert logical and physical test of government systems. This test would be completely independent of FISMA or the subsequent NIST SP 800-53 controls that are used as the basis for evaluation and, more importantly to leaders in government, "GRADES".

Having a real test that replicates a concerted brutal attack, like Solar Sunrise (although I am not privy to the details), would be the reckoning that we have long been overdue for. I have seen too many times "safe scans" performed on systems to the point that the scan itself is worthless. We need to step things up and be more like our adversaries because I would rather be the one breaking something than a well funded and trained unit of state sponsored attackers bent on doing harm and thus losing all control.

By the way, if anyone out there has such a unit please feel free to drop by my house. I'd love to sign up and help. Overall I just want to see the shell game end and we start to transform from this dogma of "patch n report", "check the box", and most importantly "be the hunters not the prey". I'm just afraid that the stakes have grown too high for us to sit back and wait for someone to start beating doors down.

Monday, May 28, 2007

Carbon FootPrint

What would it look like to have a "green" or environmentally sensitive data center? One that used solar, wind, and other energy sources to supplement or even "gasp" to completely power operations. Fuel Cells are on the way that would use natural gas, which we seem to have a lot of, to create hydrogen to power the facility. In the interim what can you do today to reduce your power supply demands? Change lighting? Reduce non-essential power eaters? Install Wind Turbines?

We have to first assess what the carbon footprint of the data center is before any step can be taken. I contend that in the future we will look not only at the physical and logical, but most importantly the energy security of operations. I think that today it is assumed that during "normal" operations power will be available. Going forward we should not make that assumption or else we all might just be left in the dark.

Hidden Vulnerability

As you may have noticed if you are following this blog, and I hope you are, I have been attempting to get my posts shorter and shorter. I got some great feedback that I was going into way too much detail. So with that said here is a blurb of thought for all to digest and consider.

The national energy issue is one that impacts us deeply and profoundly within the Information Technology industry. So I look around and ask "why haven't we risen up to fight for our energy rights?" After all, we are one of the most vulnerable industrial sectors of the economy when it comes to our needs for energy. Without it we are out of business. The national power grid is aging and the dependence on foreign energy supplies leaves us in the IT industry at risk for our inability to provide the continuous services that customers expect. We created this dragon and for the moment it still sleeps. But I fear the day when the electric company shuts down the grid and there is no diesel to run the generators. Just imagine what would happen if the oil crisis of the 1970's happened today.

Back in the 1970's we were not dependent on information systems as part of our everyday lives as we are today. The term data center did not even come into the public lexicon until the late 1980's. So what would happen? Think about it, especially the next time you write a contract for your fuel supply. Just like the weather man says "A storm is comin'", but just like any weather man you are never quite sure if he is right or wrong.

Schools In Session

For most of us out there we have kids who just got out of school for the summer or have recently graduated ourselves. As for me I am back in school! I am pleased to announce that I have procured a Cisco Catalyst 1900 series router! So that means it's time to hit the books and get up to speed on routing. The cool thing is that I picked the router up for about 20 bucks! I know that the 1900 series is wicked old but you can't pick up a router for that little at Microcenter that has all the features of the 1900 series. The best part is that I now can start my CCNA track!

Thanks to all those that encouraged me to start this path. I feel that I cannot be an effective security practitioner unless I have detailed knowledge of the network down to layer 3. But more importantly I want to become an Information Security Architect. I love building things (systems)!!!

To those that served and to those that we serve...

As someone who has been around the military all his life I like to think that I have a good appreciation for what this holiday weekend means. I find it disturbing that the people of this country seem to have collectively, not individually, the attention span of a two year old.

As I look outside my window I do not see a single home with the Stars and Stripes flying aside from my own. To me this appears to be yet another sign of complacency. Have we forgotten we are fighting a war on many fronts? The war extends into the enterprises that we defend. Our adversaries don't care that we want to take time off to be with our families. As I have said before I think that it is human nature not to expect the worst. We tend to fall into depression when we live that way. But I think it is more than fair to say that given the opportunity, any opportunity, those that seek to harm us on a scale that has yet to be seen or understood will strike.

Wednesday, May 23, 2007

The WONK Strikes Back

It has been hammered into me for as long as I can remember that content is king. After all, if we are reporting on the security posture of the enterprise we must get the content right to be able to present every threat and the recommendations for mitigation of the risk through remediation of specific vulnerabilities and other methodologies that assure the business goals of our organizations are met.

One of the core elements of being a WONK is being focused more on style and grammar than content. Often I see WONK documentation that has little substance but looks “pretty” from a grammar perspective. A good friend and mentor told me once that he was chastised for having the wrong “verb tense” in the system security plan that he was submitting to the customer. I really would not have blamed him for going postal.

Content should always be king when we communicate as Information Security Professionals. However, in further defining what it means to be an Information Security Professional we should take a long hard self-examination of our own core skill sets that define what it means to be in this arena. I have seen absolutely kick @ss engineers who can spot a malformed packet from a mile away but could not write a report about it to save his/her life.

Case in point was a very young engineer who I worked with in Virginia who by all accounts was brilliant. However, when it came to basic communication skills he fell on his face. The tragedy there is that he has so much knowledge and could still be a great leader. Yet I feel that one of the core skills of any great leader is communication.

It’s ironic that most of the great information security engineers fit the mold of “deeply introverted” and thus are socially challenged, which has the direct impact of impeding their ability to communicate.

I had a breakthrough this morning when I realized that it is not enough to simply have great content and a presentable looking document that gets the job done delivering that content. I was directly challenged and through that challenge I saw a door of opportunity for myself and possibly for a great number of others who are in similar circumstances.

That possibility is that we, the Information Security Professional community, take on the role of true leaders in the most meaningful way possible. That in addition to providing outstanding knowledge capital (content) and services, we step up to the next level and be extraordinary communicators. Until now I considered myself a “good” communicator.

Consider for incorporation into your permanent thought pathways what it would look like if every Information Security Professional were not just a good communicator but an extraordinary one? What kind of difference could we make on the world? Consider that we can transform from being the guardians at the gate to the masters of the realm?

What has stopped you from taking your career or, more importantly, your chosen profession to the next level? By next level I am not talking about a pay increase or even a fancier title. I am talking about elevating information security so that no organization, or no single person in the organization, ever thinks about information security as an afterthought. What would that look like for you? What would it mean for you in your life to be able to have that level of integration with the other aspects of the enterprise?

I took a step forward today when I realized that my quest is to first transform myself, then to impact the world by enrolling others in the possibility that we can ensure the mitigation of risk to information systems such that, in doing so, we allow users and owners of that information to be freed from the world of fear that they currently endure.

The WONK reminded me that it is not enough to just communicate well but that I should communicate extraordinarily. In doing so I believe that if you choose the path of being not only an outstanding information security practitioner but an extraordinary communicator, you will have the power to effect positive changes that you never thought possible.

Tuesday, May 22, 2007

Confessions of a WONK Part 1

Another day has dawned in the information security salt mines. I'm throwing up a couple of quick posts to create a lattice for future development and expansion. I want to open a discussion about all those people who don’t understand information security. Let’s call them WONKS.

I’ll talk about what that is later, but for now I wanted to share an experience I had where an information security project manager could not process that an incident that was being called out from outside an organization was less important than a vulnerability report that was due. The issue really came down to limited resources and only one engineer to get NIDS up and running so as to allow the capability to see what was going on, at least from the network perspective. By the way, note I said "get the NIDS up and running" as they were racked but not operational.

I think it is a not so secret dirty fact that most organizations don’t have a clue what is going on inside the perimeter!!!! These are critical issues we have in our industry. We have too many people who claim to be part of information security but in reality just fell into this area of Information Technology (IT) or were doing something else and then got the dual hat of information security and the job they were doing, which had little to nothing to do with information security. So in the follow up to this post, “Confessions of a Wonk”, I’ll talk about the various breeds of WONKS and the overarching need to mitigate their presence in our field.

I’ll put it another way in the form of an experience I had when I was working in the Aerospace Industry as an FAA Certified Airframe & Powerplant (A&P) technician. At the time I was working L-1011 “C” checks for American Trans Air out of Indianapolis, IN and was working with a guy who somehow passed his A&P exam and got hired in as one of the other contractors. (We were all contractors at the time.) I saw him beating on a part of the airplane and immediately stopped him. I asked what he was doing and he proceeded to tell me a story. I asked him a few questions and then got into a “conversation” with him about professionalism and what it meant, for me at least, to be privileged to be able to work as an A&P and bear the responsibility of certifying the airworthiness of the aircraft that I was entrusted with.

To which his response was that he was just doing this because “It’s just a Job”. My response to that was that then you need to think about another line of work before you kill yourself (maybe not a bad thing given his attitude towards his chosen profession) or, worse, kill a lot of other people. The same holds true for the WONKS. You need to seriously evaluate if this is the place you want to be.

If you want to be here, GREAT! Welcome! But understand that with that choice to be here you need to accept the responsibility of your choice and get that this is not just a job anymore. You cannot just punch in and punch out when you feel like it. As Information Security Professionals we, in some cases, literally hold the responsibility of life, property, and for the privileged few the very security of our nation. We are all part of a very young and emerging profession and believe it when I say that we have everything to prove and everything to lose right here and right now. The very core of the IT industry has begun shifting to ever cheaper and ever less experienced labor.

I saw the exact same thing happen in my previous life as an A&P technician. What amazes me is how fast the IT industry is shifting. What took the Airlines 40 years to do the IT industry has done in 10 years. That being that once, about 15 years ago, if you were in IT you could feel good about your work with some level of job security. We still have a chance to turn things around for information security. We need to codify ourselves beyond what ISC and other organizations are offering.

Yes, I believe that organizations like ISC and SANS are doing great things, but if we don’t take it to the next level and standardize what it means to be an information security practitioner and the various levels and areas of what that title means, then we risk losing control over our own destiny. When I was an active A&P technician I was privileged to be able to have advanced training that in essence type rated me to specific technologies. In Europe type rating means you can only work on a specific aircraft and have the legal authority to return that specific type of aircraft to service.

For example I have, although out of date, a Boeing 757 General Familiarization. This means that I have specialized training on the Boeing 757 and all the systems on that aircraft. Another type rating that I was privileged to hold was Category (CAT) II/III [AUTOLAND] Avionics certification. This meant that I was authorized under the carrier's CAT II/III certificate to maintain, repair, test, and most importantly have the legal responsibility to return the system to service through signature authority for the autoland capabilities of the *MD-11 that I was certified on.

We need a similar system of controls on ourselves to escalate our profession. We need to consolidate and have an authority that won’t be shifted, moved, or corrupted at all to hand out certifications. We need to also have a system in place where the work that a person does as a security professional is held accountable to that person for life. I’m not saying anything that I am not already on the line for. For all I know there is an airplane parked in the desert somewhere with my signature on it.

I will be legally responsible for that aircraft and the people that fly on it until another A&P does the same work I did and signs off on it, or until the airframe is destroyed. We need that level of accountability now. Sadly, just about anyone with a normal IQ and enough money can get a CISSP by going to enough boot camps. That doesn’t mean the person knows anything about how information technology works. It simply means they had a lot of money and can pass the exam.

When I sat for my CISSP exam I met a lady who was taking the exam not because she was involved in information security but because her company mandated that she have the certification, as her sales department worked with the information security elements of companies and agencies that bought her product. So she was a sales rep taking the exam purely to look good to clients and for no other reason.

In all fairness, and at the core of the “confession”, is that I too was a WONK and only by understanding my inner WONK am I able to accept what I was and move on to be the security practitioner I know I am. So to all the folks who falsely claim the title of “Information Security Professional” but who just don’t get it, please understand that there is nothing personal in this but that it is time for you, as I did, to wake up, smell the burning data center, get smart or get out.

The world that we manage from the digital perspective is just too important for you to stay ignorant any longer. We need every single person who is working in the field of information security to be dedicated to one universal principle of transforming this industry beyond everything that we know today if we are ever to have the hope of moving away from detection and reaction, and away from being hunted, to being the hunters.

*[For those who don’t know, most of the time when weather and visibility are poor the airplane lands itself. Also, for the general public, airline pilots don’t actually fly the plane most of the time. The onboard Flight Management Systems (FMS) do all the heavy lifting and pilots are trained not to fly the plane but let the FMS do it, as the FMS can fly the plane with higher levels of fuel efficiency. Another feature of FMS is that central maintenance control can see in real time what the airplane is doing and, more importantly from a cost perspective, what the engines are doing through the Full Authority Digital Engine Controls (FADEC).]

Always Be Writing!

I learned last night a very powerful thing. Always have a notebook handy! There have been so many times in my life where I would think of something, that at the time I thought was powerful, and meant to write it down, only to have that feeling later of disappointment at my not being able to remember.

So I am taking the stance that no matter when or where, when I have any idea I’m going to write it down or, if I have access, immediately post it no matter how raw the thought is. I can always go back and bio-engineer the work later to transform it from cheap hamburger to filet mignon.

Thursday, May 17, 2007

State of Denial - Part 1

I want to call out that my use of IPS in my first big post (Dedication) wasn't the best, since we all know that IPS is part of intrusion systems. Sorry about that, but I was really trying to expand the definition of information processing because humans are as important as, if not more important than, the machines. I hope that never changes or has not changed.

State of Denial is an ongoing series to cover what I see as a lack of organizations' acceptance of the risk of operating information processing systems. This condition of not accepting or fully understanding risk is simply put “Bad Mojo”. I have seen too many times where folks who have been designated “system owner or operator” just don't have the skills to understand the information that is being given to them to make truly informed choices. I actually feel for them because they are given this duty with no real training and background. I wouldn’t say that they aren’t intelligent. Mostly the opposite! These are smart folks who have been “stuck” with the duty and forced into work they probably would have never chosen on their own.

So the first thing we in the Information Security industry need to do is ensure that we always push for the best risk based cost effective recommendations. This is going to take some time but as a profession we just can’t push things that keep customers on the "hamster wheel of pain". I honestly think that there are those out there that would prefer that folks stay on the hamster wheel of pain. Many years ago at a conference in Maryland I got to see the patch management vendors show off their latest software.

Last year I took a look at some of the latest offerings and to be honest the sell hasn't changed; they have tacked on some more bells and whistles, but beyond automating a labor-intensive task I don't see much value. After all, is SUS free? And if you’re running Linux or Unix how often are you patching? (Always for critical issues.) But if you have a box that you couldn't patch for whatever reason, wouldn’t you shut it down, park it in a (virtual) firewalled VLAN with Intrusion Detection to keep an eye on it, or accept the risk with a clear understanding?

Or would we? This is the core of being in denial. System owners and operators that I have worked with simply say "Not my problem" and "We don't own it", so it doesn't affect us if the box or network segment goes "poof". You might notice that I like the word "POOF". It reminds me of cartoons I watched as a kid like the Rocky and Bullwinkle show. The part I loved the most was the science dog dude and his kid sidekick.

I just don't get how system owners keep getting away with pretending that they can deny risk! We are all born with risk ahead of, next to, and behind us. I think that next to death and taxes risk should be added to that duo to form a trio of misery. Risk isn't fun (unless you are like me and an adrenaline junkie) and, as I have outlined before with regards to modern data processing systems, we don't fully understand the risk because of the human factors.

When we close our eyes, pretend something isn't there at all, or make the choice to be ignorant of it, the fact is that what we fear and don't understand is still there waiting for the moment to control the next step. After all, when a system owner chooses to live in the State of Denial the end effect is a complete loss of control while maintaining the illusion of control.

But that's all it is.... an illusion.

Sunday, May 13, 2007

Dedication - The Dark @rts

The world that we occupy today is dominated by our complete dependence on Information Processing Systems (IPS). One need only look closely at modern inventory management to see that businesses today can’t live without the IPS infrastructure that enables higher profits through improved efficiencies gained by highly integrating processes and Information Technology (IT).

What this means for anyone who wants to compete in the world today is that you have to either operate with slave labor or invest in integrating IPS into your business. It does not matter what that business is or what you do with the data that is processed. You could be a director in a federal agency or the CEO of any size or manner of company. If you want to be competitive you have to “trust” that your IPS is operating with all the assurances that you won’t wake up in the morning to discover that your entire life just went “poof” due to a malicious compromise of your IPS.

An Information Processing System (IPS) is more than hardware and software. The modern IPS is composed of every single aspect that is needed for an organization to input and output data to yield the desired results for that company or government agency. This means that as information managers we need to redefine the basic roles and responsibilities in the organization. The current thinking with regards to role and responsibilities is that “IT” handles data and everyone else just does their jobs and relies on IT to function as required without the “users” thinking about what is going on to ensure that the support that IT provides is there.

It is after all the human element that keeps information security practitioners like me gainfully employed. Human behavior has and continues to drive security regardless of the assets that are being protected. One of the key challenges to information security of a modern IPS is that humans, while inherently predictable within the constraints of defined sociology, are at the same time completely unpredictable. It is at this point in the evolution of the IPS that humans continue to be the driving source behind all exploitations of vulnerabilities within the IPS. It is also humans that make understanding the risk to operations of an IPS inherently unpredictable and ergo almost impossible to quantify in terms that a business or government can fully plan for.

This is especially true within the US Federal Government, where the risk of operating information processing systems is not always clearly understood and the ability of managers to achieve high degrees of confidence that risk has been mitigated to acceptable levels is often qualitatively assessed. The qualitative assessment is tantamount to “Black Magic” or “Voodoo”. The system owner or operator makes a best guess and moves forward while often putting a blindfold on and “trusting” that everything will be okay. This kind of assessment is rampant within the US Federal Government, as is apparent from testimony by Donald Reid, senior coordinator for Security Infrastructure at the State Department's Bureau of Diplomatic Security, who said officials felt "pretty confident" that the recommended wrapper was the best course of action, although it was a difficult decision.

[ref: http://homeland.house.gov/about/subcommittees.asp?subcommittee=12]

In response to Mr. Reid’s comment, Rep. James Langevin, D-R.I., said “I believe they made the determination that accessibility to data is more important than confidentiality and integrity.” To make a determination one needs to understand all the vectors that impact that choice. To be truly informed with regards to information security we need to be able to see the future clearly. After all, how would you be able to be absolutely sure that the countermeasures that were put in place could withstand the random actions of a human being?

There are those out there that might read this and think I am on crank. The question might be posed “What about bot nets, malware, and other robots on the net?” I say that not a single line of code has been written by a machine that wasn’t first written by a human. We are the progenitors of our own destruction. The day that machines have the ability to capture the level of creation that only humans and other mammals are privileged to enjoy is the day I check out for good.

The challenges we face as security practitioners today are more complex, more daunting, and carry more liability than ever before. In the beginning, no not the UNIVAC, there were mainframes. Security was simplistic compared to today. Access controls were centrally managed and architectures were fairly simple by today’s standards. A user had no real processing power at the terminal other than what was doled out by the central core. More importantly the knowledge to manipulate those early systems was also mostly centralized.

Understanding risk to the IPS was also easier to assess and report in the beginning. Bad code, human errors, and mechanical failure were the leading causes of system failure. After 40 years those 3 basic areas of flaw remediation are with us like the moon and sun, rising and falling with every iteration of generations of IPS.

What has changed is our relationship to risk. Risk has been with us since the beginning of time. What has changed is the scale of the consequences for failure of the IPS to perform the most basic of functions. That being the input and output of data flow in the designated direction and destination without corruption of the data, eavesdropping, or flat out failure to reach the intended destination. The stakes have never been higher and yet the risks are not fully understood. Mitigation of risk is currently performed to “acceptable” levels based on a level of trust and assurance that risk has been managed to the degree established by the organization, government, or corporation.

Risk is assumed, trusted, qualitatively, and even sometimes quantitatively assessed. These assessments assume many vectors to be both true and false and often trust that the worst case scenario will never happen. It is after all part of being human to go through life never expecting the worst things to happen.

Information Security has evolved from a very simplistic methodology of vulnerability remediation to "The Dark @rt" (or Voodoo) that we see today. Today security practitioners anywhere can tell you what has been done and what threats have been mitigated. But no one can tell you with absolute certainty what will happen. This is the essence of “The Dark @rts” to which I am dedicating this blog: to be able to provide true 360 degree visibility over the flow of data that passes through any organization, company, or government IPS.

We live in a world driven not by smokestacks and steel factories but by digital shop floors where knowledge products are created and peddled on a global scale. It is this world we protect and serve.

V/r Halon