TRISC Day 2
Day two of TRISC was very interesting. I met up with Michael Farnum and Martin McKeay. We all listened to a great presentation by Karen Worstell and we experienced the security mindset (or lack thereof) of Integralis.
The second day of TRISC started normally. I showed up to Karen Worstell’s keynote not knowing what to expect and I left with new energy and more indication of how my efforts at my organization will eventually be successful. Karen’s talk covered convergence, which I had mistakenly taken to mean network convergence. Instead, her talk explained how the Chief Security Officer (CSO) or the Chief Information Security Officer (CISO) has to be a person who understands there is more to security than just technical security. Certainly this is nothing new, but she presented it very well and mixed in plenty of her experiences with Boeing, Microsoft, and other companies she has worked with over the years. The following are some of the key points she made about the convergence of responsibilities that persons filling these positions face.
- TEAMWORK, TEAMWORK, TEAMWORK. Everybody is working towards the same goal. They have to do it together in order for it all to work successfully.
- Plausible Deniability is DEAD. Gone are the days of saying you did not know or did not understand. People are going to be held responsible for their actions and the actions of their companies.
- CSO/CISO are “building airplanes in the sky” while they are flying and filled with passengers. Businesses are up and running and they have to be secured on the fly. All the tasks related to security, compliance, response, and more have to be accomplished with minimal interruption to business. She also described it as performing open heart surgery on a patient who is walking around.
- Protection of Assets has to be planned out and all areas that affect this effort must be understood by the CSO/CISO. This means that they have to take an “interdisciplinary” approach to their management and problem solving.
- ISO 27001, ISO 17799 and the other ISO standards are your friends and should be your guidance. These standards are based on international efforts, and the United States needs to stand up and take notice when developing new regulations to govern protection of information and assets. Other countries around the world are requiring adherence to these standards by law.
- All current regulations such as HIPAA, GLBA, and PCI DSS can be successfully adhered to by following the directions set forth in the ISO 27001 and 17799 standards. Isn’t it more cost effective to adhere to one standard than trying to map protections to all of the different regulations?
- The workplace can no longer operate with the concept of SILOs. An organization cannot successfully execute a security (and therefore business plan) if their internal departments operate independently of each other (in SILOs).
- Externalities to the CSO/CISO sphere of influence. To me this was the most important concept in her talk. Understanding and identifying pieces of the operations and efforts that can be assigned to or are the responsibility of somebody else. Of course this all goes back to management, but it is a way that I have not been thinking. There are just some things that cannot be controlled or directly influenced, and I have to focus on these things less. Concentrating on my job and executing an organized security plan will ensure I have done what I can within the organization. This does not mean laying down or ignoring critical issues. It does mean, however, understanding which fights to fight.
After Karen’s talk I made it a point to introduce myself. I thanked her for the inspiration and direction. If you have a chance to meet this woman or attend one of her talks you should not pass it up.
After the initial keynote speech Michael, Martin, and I caught up and went to different sessions. Martin cornered us each for a Podtech interview, in which we were both more than happy to participate. After the interview we walked out to talk with a few vendors, and the first booth we came across was operated by Integralis. Integralis is a security consulting company that has recently expanded into Texas. The thing that caught our eye as we walked up to the booth was the 30 GB Video iPod sitting on top of a bowl full of business cards. The second thing that caught our eye was the IBM ThinkPad sitting right next to it. The curious thing, however, was the fact that nobody was manning the booth. In fact, this booth was a bit off to the side, out of direct view of the other vendors, who were eating or helping other people anyway.
So, after dropping a business card in the bowl we walked around looking for the booth team. We found them on the other side of the building talking to the team members of another booth whose vendor escapes me. After lunch all three of us made it a point to swing back by the Integralis booth and point out their casual behavior. There were two team members in the booth. The female was obviously a sales representative and the young man (24 years old perhaps) was a consultant with their Houston operation. Neither of these people seemed impressed that this was a problem. The kid even joked that the better social engineering hack would have been to take out all of the business cards from the bowl and fill it with one card. I wanted to respond, “No, it would have been more funny if we stole your laptop and iPod, took all of your documentation and trashed it, then turned your sign upside down and wrote in big black letters ‘SECURITY GURUS!!’” But of course I just shook my head and walked off.
I hope that I win that iPod, but I can tell you right now, I will not be calling Integralis for their services and I will not be checking their website for job opportunities. This is definitely not the type of behavior and, worst of all, attitude to have as a security company. In fact, this is the type of attitude that gives us all a bad name in the eyes of management and the press.
Soon after that Martin and I attended Michael’s presentation titled “Information Security Research – Tapping the Blogosphere.” Although Michael needs to work on his presenting skills (as do Martin and I), he was very passionate and the whole thing came off very well. It does amaze me that some very educated and tech-savvy people do not know about things like blogs, RSS, and feed aggregators. It made me realize why these conferences are still able to attract people. There are plenty of people out there who have not been exposed to this technology or that concept. What might seem normal to me is not necessarily normal to people who do not specifically operate within a certain technology, blogging and podcasting being a good example.
Well, I have to run off to Jeremiah Grossman’s presentation on “The Five Stages of Website Security Grief.” More on that later.
Go forth and do good things,
Cutaway
Integralis, ISO, TRISC, Security Ripcord, Karen Worstell, Water's Edge Consulting, Michael Farnum, Martin Mckeay
May 18th, 2007 at 9:25 pm
Whadda ya’ mean I need to work on my presentation skills? That’s it, no more links to your blog!
Yea, I need to work on it. But I also think it went well. Thanks for being there and showing your support.
Michael