Security Ripcord

I’ve been doing a little running lately getting ready for the Corpus Christi Beach to Bay Relay. Today, instead of our usual four mile run, we decided to work on some sprints. We ran a mile and then started a series of 100 yard sprints with a 100 yard walk in between. Needless to say that the walking reset was filled full of huffing and puffing. At one point I noticed that I was hanging my head like most people do when they are tired. When I realized this I did what I always do, what I taught myself in the Marines after long runs and forced marches, I raised my head and started looking around. I use to do this because whenever you are the most tired is when you are the most vulnerable. You are not paying attention, you are breathing heavy, and you are doing everything you can just to take a break for a minute or two. Fortunately, the repercussions of me doing this now are not the same as they were back then.

All of this got me thinking about how we react to situations as a whole. I started thinking about how through training and effort we can begin to overcome hardships. I started thinking about how diligent practice can instill good habits and create muscle memory in any individual. Muscle memory is a condition where a body reacts without, or more precisely with only a little, thinking. You can see this by reviewing Rich Mogull’s posts on how he handled several car accidents after being out of the paramedics for a while. Rich did what came natural to him. He just reacted and, I’m sure, did a great job and a service.

“Yes, yes,” you are thinking to yourself right now. We have heard this all before. Practice makes perfect. Practice your incident response. Practice your backup procedures. Practice your disaster recovery. Practice makes perfect. Practice, Practice, Practice. Blah, blah, blah. Yes, I am tell you that. But what I want to emphasize is that you can train yourselves all day long and still make mistakes.

Running with my head down took me back to the days of running through the hills of Camp Pendleton and training myself to keep my head up and aware of my surroundings no matter how tired I was at the time. But what it really got me thinking about was being in the stack. Not the stack you are use to hearing about, the stack of Marines that are just about to enter a building or room that may contain hostiles. It didn’t matter where we were, once people started lining up and getting ready to move to action, their heads dropped. Not because they were tired or lazy, but because they were focused and waiting. Like a spring ready to uncoil all of its power. This occurred so often that it was not surprising to hear, “Keep your heads up in the stack!” whispered over the radio. Or have someone give you a quick rap on the helmet as a reminder. Everybody did it, everybody got sucked into it, and everybody was aware of it and watched out for their buddy, because that person was watching out for them.

So, how does this apply to us? Well, security professionals have a lot to accomplish on any given day. Logs to review, servers to patch, incidents to respond to, training to develop and give (and that is just the short list). Let’s face it. We are swamped with responsibility and duties. Everybody groans when we walk into a room but everybody notices when our duties start falling behind because it directly affects their business. With all of this activity, with all of this responsibility, it is very easy to get set into a common routine or mode. It is very easy for our heads to drop into our computers, logs, management consoles, spreadsheets, etc. We are doing our jobs and we are getting it done, but are we aware of our surroundings. Are we aware of the common sights and sounds of the office environment and server room. Are we listening to people talk when they need our guidance, input, or for us to listen for listening’s sake?

If you are, then good on you. Now look around and see who is not. Please, tap them on the head and tell them, “Keep your head up in the stack!”

Go forth and do good things,

Don C. Weber

Work has been quite an experience over the last couple of months. I have spent my time in the usual security professional mode - Firefighter. It is especially aggravating when much of that firefighting is documentation for certification and accreditation of a system (that could be quickly improved with the same level of effort) or collecting information through what could be considered broken processes. Security Blog readers hear about both of those concerns all of the time as they peruse the Security Blogscape. Security professionals wishing that they could make a difference within their organization. Wishing that the managers of the system and network administrators would just listen and implement. Hoping that the executive management will empower the security professionals within their organization by conveying to the rest of the company the importance of secure operations. Let’s face though, when we start talking about security within our different organizations the majority of what we want is for our organizations to follow good business practices. Companies who have a firm grasp on how their technology operates and have a process for change through open communications are much more secure that the companies that buy security products to act as stop gaps and try to prove or give the illusion of compliance.

The next generation of security professionals need to recognize this fact. Certainly we train them to know that their companies should be following industry standards like ISO 27001:2005 as I have already pointed out. But have we really started providing them with the abilities to integrate this into ITIL or CMMI. No, that is because for a business to achieve these standard they need to have business professionals to guide them through the process. Unfortunately, these business professionals have not been trained on how the security frameworks will fit into the organization and their compliance efforts. So, there is a gap. And when there is a gap that people don’t understand they tend to do one of two things:

• Ignore it.
• Throw money at it until they wish they had gone with the other method.

We’ll let me let all of you in on a little secret. It is something that you can take back to your organization and begin to implement immediately and it will not affect anybody outside of the security group, at first. Are you ready???? You might just hate this answer, so stop reading if you cannot handle it. Okay, I want you to “Document Your Processes!” *Gasps are heard around the world* Yes, documentation will get you over the hump. I’m not talking long, drawn out documentation that makes you stop everything that you are doing. No, I am talking about quickly documenting the steps you take to address any issue you devote time to repeatedly. I am also talking about creating process flow diagrams that show where and how tasks touch other departments within your organization. Don’t spend a lot of time on it at first. Just get it written down and saved into a location that all of your team members can access it. Then print them out and put them in a binder that will become your Standard Operating Procedures (dang, how did SOP slip in there?). As this binder starts to fill up, make copies and deliver a a copy to your boss and the other managers of the departments you deal with on a regular basis.

Now the ITIL and CMMI experts are ready to jump in here and tell us, “This is not enough to be compliant.” They would be correct. But each of them will have to admit that it is one way to start down the path. It is a necessary step that they will be looking for as they go down their checklists. See, a few of the things that they want to see from you and your department are:

• Does your department have documented processes and procedures?
• Does your department control their efforts through some type of program or project management method?
• Does your department have methods to analyze and improve the processes and procedures?
• Does your department make these process and procedures available to other departments within the organization?

By documenting how you approach each one of your department’s responsibilities you will start down a path that can be successfully integrated into the organization’s business processes. Managers will be able to start looking at your productivity and perform metrics on your duties which will help them determine many things, such as your value to the whole organization or whether your department is short handed. And what does it do for your department as a whole? You become more effective and efficient because you start doing things the same way every time (until it does not make sense to). You have opened communications to the rest of the organization and provided them with a method to take your example and some of your ideas and turn them into their own ideas (oh, the power of suggestion). All of this documentation you will help you and other members of your department quickly determine where your processes need improvement. Process documentation is an excellent tool when it comes time to point out issues to the members of your department. It drives straight to the heart of the problem in a manner that is easy for them to understand and provides them with the opportunity to make visible and fulfilling improvements.

Is all of this enough to “fill the gap” that I spoke of earlier? Of course not. It is just a start. One of the things that I am starting to consider are classes and certifications in program/process management. For this I have been pointed to the Program Management Institute by several security professionals and bloggers. I really don’t think it is going to hurt any security professional if they add PgMP, PMP, or CAPM to their alphabet soup. In fact, as individuals begin to progress through their careers these or similar education may become necessary. Many of our technical Brethern (who are still reading) are shifting uncomfortably in their seats because dreams of management duties are starting to fill their heads. Those, at least, that don’t come from a structured software or hardware development background. And they shouldn’t. Because these are the skill sets that are also necessary for technical engineers to improve how they do their business as much as it is a means for the managers to improve the department or organization.

Open communications is one of the things that we promote within our organizations. If your organization is “open communications challenged” then you must first start looking at yourself before you start pointing fingers or stomping feet. You must set the example. Live the lifestyle you preach. Hopefully it will make a difference. If it does not, well, then at least you have improved yourself and your department. The people around you will be more prepared for the next thing that comes along.

Go forth and do good things,

Don C. Weber

Apparently somebody over at the NBA’s Sacramento Kings franchise is upset that several of their cheerleaders were photographed partying. Now, first off, I don’t see that problem with this. These cheerleaders are adults. They are not necessarily responsible for being the role models like the NBA stars on the team. They are sex symbols. They have been hired to be sex symbols. And, if anybody does not like that term, fine….they are models. They have been hired to arrouse the attention of the largest demographic associated with the NBA, young and middle aged males. As models, and sex symbols, they are use to parading around in their underwear and being photographed. In fact, they like it. It is their job and it does not surprise me they can be found doing it during their off time. Really, the biggest thing they are guilty of is allowing a person to photograph them who was willing to place the photographs on the Internet. Maybe the Kings are mad that they did not get the royalties associated with the pictures.

All of that said, I guess it really boils down to the contract that these cheerleaders signed with the Sacramento Kings and, possibly, any policies that have been published by the NBA. Which leads me to consider any other jobs that these women may hold. Although most of them are probably models, I am sure that some of them have other jobs of varying responsibility. This leads me to the question of what if one of these women worked for you and she was one of your organization’s security professionals? What if she was your security analyst, team lead, or Chief Information Security Officer? Would these pictures have any bearing on her job status? Does this type of behavior demonstrate a lack of personal responsibility and open the flood gates to potentially compromising business situations?

My answer: I don’t know. I think I would have to weigh this situation with the personality of the individual, previous and current job performance, and any input by that individual while reviewing this information. Of course this all changes if there is a government issued security clearance involved. Which means that I would have to consider this information as possible behavior that could compromise the integrity of the individual and therefore increase the risk to national security.

Please leave a comment if you have an opinion about this topic. You can also read what other security professionals are saying about it in the Security Catalyst Community under the thread with the same title as this post.

Go forth and do good things,

Don C. Weber

Security Ripcord

/Hoff has inspired me again in his post Security Today == Shooting Arrows Through Sunroofs of Cars?. Actually, it was really more a combination of Tim Wilson’s post at Dark Reading and a quote from a show on the History channel that got me thinking. I’ll assume that you read Tim’s post and I’ll paraphrase the quote.

Darwin did not advocate that the strongest of a species will survive. Rather, he maintained that those species that adapt to change the fastest will survive.

I definitely agree with Tim’s posture that we need to evaluate how we are assigning priorities to issues identified in our risk assessments. I think it is definitely safe to say that most organizations are concentrating on the most visible protections and believing that they coincide with the greatest benefit. But, unfortunately, I am starting to think that many of us are not looking at the bigger picture. Yes, it is true that user activity, whether end-user or administrator, is the biggest threat to an environment. This may come from incidental activity, overt disobedience to policies, or even outright malicious activity. And it may be that awareness training is a big hitter when it comes to impacting security within an organization. But I don’t think it is the root cause and therefore the cost benefit is too low because it is not addressing the real issue.

Okay, just to clarify, I know that Tim was not trying to specifically come up with a ultimate solution outside of the fact that we need to think more outside of the box. And that is what I am trying to do here. In December of 2006 Time magazine writer Jeffrey Kluger published an article titled: How Americans Are Living Dangerously. In the article Jeffrey talks about how more Americans are killed in car crashes than in airplane crashes. Yet, despite the solid research findings, the majority of Americans prefer to drive than fly. This love of driving and be explained by Americans wanting to be in control. It doesn’t matter if the best person in the world is flying or driving. The majority of us want to be in the driver’s seat. In addition to control there is also the issue of personal choice. A person’s vehicle is their home away from home. I think a great example of this was shown in the 1992 film “Singles.” In the movie one of the main characters was involved in building a train system for the city of Seattle. After coming up with an elaborate and feasible plan he presented it to the major of the city. The major loved the idea but refused to fund it. He did so because he felt that the majority of the citizens of Seattle would not be willing to give up their personal vehicles and the train system would be a failure and a tax burden.

I say that we have this very same problem when it comes to computer systems. I don’t remember who said it but several months ago I heard somebody state that the biggest mistake in the computer industry was to name computers “Personal Computers” or PC. This gave the impression that a persons computer is their own property to do with what they will. Although this may be true at home, it should not be so in the work place. A much better term for business computers is “workstation” as it very clearly outlines the purpose of the system. Businesses should take these “workstations” and start planning how to limit the applications and services to only those that are absolutely necessary. Actually, I am starting to think that I prefer the idea of thin clients or Citrix deployments. Couple that with user awareness training and we are directly impacting one of the largest threat vectors.

Of course, how do we get the end-users and administrators past the warm, fuzzy, and cozy feeling of the “PC”? Well, I say that business should start treating their employees like adults. Most people in the information technology industry are smart and they should not be pampered. They need to have the expectations explained to them and then they need to be held accountable for those expectations. Organizations and employees all need to change to the threatening environment that they are computing within. Actually, in this instance, “need” is too strong of a word. Organizations and employees are not actually required to do anything at all. Change is not necessary to continue working in the short term. But those organizations and people who do change, the ones that look ahead and start planning their next steps by identifying root causes and being flexable, well, they will be the ones who are the most profitable and happy over the long haul.

Go forth and do good things,

Don C. Weber

Security Ripcord, Chris Hoff, Dark Reading, security evolution

I’ll have to say, moving from an organization that pushes back on change and external recommendations to one that embraces, analyzes, and implements recommendations and initiatives has certainly challenged me mentally. It is definitely time for me to “Put Up or Shut Up” when it comes to implementing a enterprise level security framework that integrates with the processes and procedures of the IT and development departments. Lucky for me the Department of Defense already recognizes the importance of information security and they have mandated many aspects of ISO 17799:2005. It is documenting the procedures and bringing them together so that each aspect augments the other that has proven an interesting, but so far not difficult, challenge.

For the last two months I have been working every minute at work. My blog reading has really suffered and it definitely makes me feel “out of the loop” on a lot of issues. Part of it is because by the time I get home I am done looking at a computer and ready to unwind. The most I usually bring myself to do is catch up on my emails to see if any of the other projects I am working on require attention. And even those projects have suffered a bit as you can see from my one month blog hiatus.

It is also a little difficult for me to break down what I want to write about. I have often started thinking about writing a post only to realize that after time a picture of security within my organization could be built by bits and pieces of my posts. The software we are using, steps we are taking, methods we have employed. Although initially seemingly innocuous could lead to “the death of a thousand cuts.” Another problem has been the fact that most of what I do is management. I provide leadership and guidance, get the ball rolling in certain directions, collect all of the information to try to find trends and determine cost, and act as the “face of security.” I even broke down last night and purchased a copy of Security Metrics which just reminded me that I have not been reading my feed list as I completely forgot about the SecurityMetrics blog.

All in all I just wanted to get something out there to let you all know that my one month blogging vacation is over. I am going to make a concerted effort to weed out the things I feel comfortable speaking about. This probably means that I’ll be moving away from some of my technical stuff and more towards developing and implementing processes and metrics. Such is my life.

Go forth and do good things,

Don C. Weber

security, metrics, process, Security Ripcord, Security Metrics, ISO 17799:2005

One of the things that I don’t understand is how people can justify not taking responsibility for their actions or the people who work for them. Here is an excerpt of a conversation I had at my job the other day. The story behind the lead up to this conversation is the beginning of an initiative to locate and identify the necessity for social security numbers distributed throughout the organization. The leader of the organization (let’s call him the CEO) had sent a list, to all employees, of things that were going to be done to help control sensitive information. Following this email I sent out a form employees needed to sign saying that they understood their responsibilities related to sensitive information, a permission form to identify storage areas containing this information, and a list of softwares that could be used to locate, store, and remove this information. This initiative was in response to the first item on the CEO’s list.

This is not verbatim. I am recreating the conversation from memory.

Department IT Person: Why didn’t this initiative come from the CEO.

Cutaway: Well, it did, this was the first item on the list he sent out.

Department IT Person: Yes, but it what you send didn’t have his name on it. This is came from your office. It didn’t come from the CEO.

Cutaway: Yes, he stated it would be coming from IT which I am a part of.

Department IT Person: I know, but it didn’t come from his email address.

Cutaway: Yes, but I began the email with his name and I pointed to the original list.

Department IT Person: But it didn’t come from his office. How do you expect me to get anybody to want to do this?

Cutaway: That is not my problem. This is an organization wide initiative. You are responsible for implementing it within your department.

Department IT Person: But it didn’t come from the CEO.

Cutaway: Your perception is not my problem.

Department IT Person: But don’t you think it would be more effective if it come from him directly.

Cutaway: This is how we have decided to respond to his first item. He cannot be expected to do everything. This is me doing my job. I cannot help how you perceive my office or respond to this initivative. But this is how the organization is moving forward with protecting sensitive information.

Department IT Person: Well, what are the consequences if somebody doesn’t do this? You don’t list any consequences.

Cutaway: The consequences are spelled out in the organization policy.

Department IT Person: Yes, but you don’t state it on any of this documentation.

Cutaway: The consequences are already spelled out in the policy. We don’t like to reprint them to avoid contradictory statements.

Department IT Person: So, what are the consequences.

Cutaway: They are spelled out in the policy.

Department IT Person: What are they?

Cutaway: Well, I guess ultimately you can get fired.

Department IT Person: So, if somebody doesn’t sign the document they will immediately be fired?

Cutaway: No.

Department IT Person: I don’t understand.

Cutaway: Well, if somebody doesn’t sign the document then they will be forbidden from interacting with sensitive information and possibly any information resources. This could potentially mean that they cannot do their job. What would your department do with a person who could not perform their duties.

Department IT Person: *does not respond*

Cutaway: Well, I image that you would fire the person.

Department IT Person: So, who is responsible for implementing the consequences?

Cutaway: Your department.

Department IT Person: My department?

Cutaway: Yes, your management is responsible for managing itself.

Department IT Person: I don’t understand.

*At this point I could only think of one thing to say.*

Cutaway: I’m sorry, that is not my problem.

Was that the best way to leave this conversation? Probably not. But, I was getting a little frustrated. It was obvious that this person just did not want to accept that fact that their department was going to be held accountable for managing their information or personnel. This is a very common perspective in the university environment that I find hard to understand because of my military background. I would expect a different attitude, especially with all of the universities that become news due to information disclosure.

Fortunately for me the organization I work for has recently experienced an information disclosure so the majority of the personnel are extremely receptive and grateful that control and responsibility requirements are being implemented. I am actually very impressed that this has been the only push back that I have received thus far in association with this initiative.

What is the lesson to be learned from this conversation? Well, some people are just not going to understand or want to understand. The old way of doing things is, to them, the best way of doing things. Security professionals need to understand this when they are contemplating their responses. At the same time I don’t think that people should be coddled. Most people respect straight forward and consistent responses. That is what I was actually trying to accomplish here. I pointed out the history of the event. I pointed out that individuals and departments are responsible for accepting responsibility. And I didn’t back-peddle when confronted on the issue. I didn’t make my statements in a confrontational or uncaring way. I maintained my tact throughout the conversation. One thing I could have done is try to end the conversation on a more positive point. I could have complimented the person on having the conversation and being opened to new ideas and initiatives.

Go forth and do good things,
Cutaway

responsibility, ESI, Security Ripcord

Security Ripcord Podcast
Show Notes:
It has been a long time in the making. Moving, traveling, and working have all gotten in the way of the production of this edition. But I seem to have gotten through it. Unfortunately I was unable to introduce Matt, our new co-host, but we are working on getting together real soon. Hopefully the next edition we will bring him on board.

Today we cover my introduction so that you know who I am and where my experience originates. We also introduce two segments, "Secure Chat" and "Leadership Traits." During "Secure Chat" I talk about creating Administrator User Agreements. In the "Leadership Traits" segment I talk about why I believe they are important for a security professional and I introduce you to a method we will be using to talk about them in up and coming episodes.

Please let me know your comments and insights by leaving me a comment here or by sending me an E-mail.

Links:

• USMC Leadership Traits - http://mcdetflw.tecom.usmc.mil/NBC/downloads/usmcleadership.pdf, http://www.emsc.nysed.gov/csl/resources/14_basic_traits.pdf
• ISC2 - CISSP - https://www.isc2.org/cgi-bin/content.cgi?category=97
• GIAC Cerifiction Information - http://www.giac.org/certifications/
• Cutaway Security - http://www.cutawaysecurity.com
• Security Ripcord - http://blog.cutawaysecurity.com

 

 Introductions and Admin User Agreements [14:42m]: Play Now | Play in Popup | Download

security, SANS, GIAC, administrator, CISSP, Security Ripcord, Cutaway Security

Welcome to another addition of the Security Ripcord Podcast.  In this episode we talk about the Windows Genuine Software Validation Tool and how to locate and change your Windows Product Key.  We also talk about volunteering to help wounded United States Service Men and Women. 

• Aleethia Foundation
• Project Valor-IT

Please let me know what you think by posting your comments here.  Even though I had some help from Martin McKeay, Dan Kuykendall, and Michael Santarcangelo I still have plenty of learning to do.   

Drinking Game Alert:

• One shot every time I say, "So…."
• Don't play if you are driving.

Yes, I am aware of this fault in my speaking habits and I will be working on it.  I decided to try and speak from notes rather than having the whole episode scripted.  So…hopefully it is not too annoying.

Show Notes:

• Windows Genuine Software Validation Tool 
• Microsoft PowerToys for Windows XP
• Microsoft's sordid spyware SNAFU
• NirSoft
• Magical Jelly Bean Keyfinder
• 
• 
• Belarc Advisor
• 
• 
• Marines' Hymn
• Aleethia Foundation
• Blackfive
• Project Valor-IT

 

 Changing the Windows Product Key - Episode 2: Play Now | Play in Popup | Download

Blackfive, Computerworld, iTunes, security, Nirsoft, BeLarc Advisor, Security Ripcord, Magical Jelly Bean Keyfinder, Windows Genuine Software Validation Tool

How individuals of an organization work together can have a big impact on the overall security of that organization's environment.  A group that works as a team to achieve specific goals will achieve those goals in a more efficient fashion.  This is true despite the abilities of the individuals involved: security professionals, system administrators, network administrators, technology managers, financial managers, human resources directors, application developers, vice presidents, CEOs, system accreditors, auditors, etc.  All of these people could be the top in their fields but if they do not plan, organize, and communicate very little will get accomplished.  The overall success of the project and how individuals work together can be attributed to a manager's techniques but it is the overall performance of the individual people and their willingness to work cohesively that eventually determines the majority of the projects outcome. 

So, here is the problem, but how does a security professional correct a situation where other individuals involved in the team are resistant to change.   Of course, as we all know, management support is a critical element.  Fortunately this is becoming less of an issue as more and more security incidents reach the front pages of local and national newspapers.  This places the responsibility on the rest of the team.  The following is a list of things that I think are important for the security professional to consider and implement in an attempt to bridge the gap with colleagues who are more resistant to change.

• Patience - It takes time for anybody to adjust to a new situation.  Exercising patience is a little easier when there is management by in to the situation.
• Faith In Your Abilities - You were selected to fill an important position because of your training and abilities.  Confident decisions, right or wrong, will show everybody that you are a willing participant that is not afraid of taking responsibility and accepting the resulting outcome, good or bad.
• Open Door Policy - Every security professional should be open to addressing issues and concerns from anybody as they arise.  A lot of people are going to have a lot of questions about a wide variety of issues.  Some of them may seem mundane because they are basic, but to the individual asking the question they are not basic and they are generally address an immediate issue that individual is experiencing.
• Information Center - Develop a location where people can find and refer others to policies, frequently asked questions, training, references to important documentation, acceptable and unacceptable software lists,  security related tools, product evaluations, etc.
• Communication - Keeping management informed of important situations is a necessity.  What many people do not realize is that communication between departments and groups is just as, if not more, important.  Not every important decision has to be passed through management for approval.  At the same time, individuals deserve to be informed of all situations that involve them. These individuals should be provided with all information they are not aware of so that they can make sound decisions and take appropriate actions.  When groups start communicating among themselves managers can spend less time bridging gaps and more time addressing other issues and planning for the future.
• Develop Individual Relationships - Security touches many areas in different ways.  Reaching out to people in different areas shows them that you are proactive and willing to assist and educate.  Interacting with system and network administrators is a given in all environments but a good security professional will seek out programmers, department managers, and other people that will affect or be affected by security related decisions.
• Enthusiasm - Love your job, love what you do day in and day out, and have faith that you are helping people by securing their information and their organizations.

As usual I have a good military example of how teamwork and professionalism can produce positive results.  During my time in the United States Marine Corps I had the pleasure of working with some of the best men in the world.  My unit operated in small groups of six men.  Of course all of these men were Alpha personalities and conflicts often ensued.  But when it was time for mission planning and execution all differences were set aside until all duties were accomplished.  Additionally, these six men only represented one group that made up a platoon of men.  Each group in the platoon had different responsibilities and expertise.  But when the mission called for a large force all of the teams were able to band together and successfully accomplish the task at hand.  Their success can be directly attributed to the elements that I have listed above.  Patience, faith, communication, relationships, enthusiasm, and an overall sense that they were a part of something big and important produced results that could not be accomplished individually.  It is not impossible to get these type of results from any organization.  All it takes is a little teamwork.

Go forth and do good things,

Cutaway 

Cutaway Security, Security Ripcord, Teamwork, Security Professional