infosec interview questions part III

I've had two other posts relating to questions to ask a candidate during an interview (here and here). It's a tough economy out there, lets reverse roles and ask questions to the interviewer. I'll still sort by Bloom's Taxonomy, however most questions are focused on understanding your potential environment and it's priorities.

Remember/Knowledge

• What tools do you or your team rely on?
  
• How big is the team, what are the hours expected?
  

Understand/Comprehension

• What is the goal of infosec within a company such as this?
  
• What kind of constraints does your department have?
  
• What regulations or mandates are you with-held to?
  

Apply

• What's the largest threat to your business? What countermeasures did you apply to mitigate?
  

Analyze

• Do you put more emphasis on protecting, responding, or staying in compliance?
  

Evaluate

• What is the biggest concern, security or otherwise, you would see me as addressing within your organization?
  

Create

• Where do you think security will be in 5 years as a [practice|industry|concept]?
  

I'll add more to this as I come up with ideas.

grassroots response to organized crime

The nation-states are lame when trying to prevent threats such as RBN. The air force attempted to create a cyberspace division but that crashed and burned.
Volunteer organizations like SANS, hostexploit, honeynet, and backbone providers are having a substantial affect on disrupting the threat's infrastructure.
atrivo, estdomains and now mccolo are either defunct or crippled.
I hope DHS or US-CERT had coordination going on in the background. I love this chart.

Code of Conduct

A team must develop respect and confidence through how they communicate. Section 4.2.1 of theCSIRT handbook from CERT/CC and CMU SEI outlines one such approach. It's nice but the gif they include in there is all but unreadable and I can't find other sources. Focusing on these areas on a continual basis will assist in doing so during a stressful time (such as handling incidents). Below is what it says:

1. Focus on the [teams] strengths
   
2. Adapt to the audience
   
3. Speak for yourself
   
4. Do not speak for others
   
5. Make complete statements
   
6. Make concise statements
   
7. Avoid the use of jargon
   
8. Be sensitive and diplomatic
   
9. Avoid arrogance
   
10. Avoid being familiar
    
11. State the facts
    
12. Be truthful
    
13. Retain control
    
14. Avoid shock tactics
    
15. Maintain confidences
    
16. Make no promises
    
17. Teach
    
18. Stress the positive
    
19. Apply quality control
    
20. Use constructive criticism
    

Infosec Interview Questions (part II)

Back in March I posted an article formulating my premise for conducting interviews on forward. If, kind reader, you find this page before sitting down with an interview with me please mention this article for brownie points. With that said, some questions as well as the bloom's taxonomy reasoning applied to them in order to pinpoint an individuals level of skillset.
Remember/Knowledge

• What's the Syntax to [scp|xcopy|robocopy|md5|net]?
  
• Where do you get your infosec news from?
  
• Please list the 7 layers of the OSI model.
  

Understand/Comprehension

• What is the goal of infosec within a company such as this?
  
• What's the difference between a risk and a threat?
  

Apply

• Which layer in the OSI model do you care about most as a security analyst? Why?
  
• Please describe the methodology/model for [incident response|e-discovery|forensics|network analysis|vulnerability management]
  
• Hand printout of a series of characters; have individual create a regex based on a set requirement
  

Analyze

• scenario: DNS reqest and 10 RRs are returned and TTL is < 300; what does this suggest?

Evaluate

• At the deepest technical level describe how [802.11b|dns|kerberos|a network tap|a dll|a hard disk] works. please point out security weaknesses or implications while you go.
  

Create

• Where do you think security will be in 5 years as a [practice|industry|concept]?
  
• any sort of role play interaction
  

It should be reiterated that these are a subset of questions to determine security knowledge; they should be combined with other probing questions on ethics, personality, workmanship, etc.

My SIRT Taxonomy

I have a three day course on SIRT starting tomorrow. I went ahead and created my own braindump of SIRT process breakdown on what's critical to a organization-wide SIRT team. Some of this I've had in my notes for awhile, other is stuff that's off-top of mind.
At the top of the hierarchy is "Response Program". That breaks down into roughly six components depending on how you break it down. Those are, in no specific order: Training & Awareness, Evidence Retention & Documentation, Management & Committee, Response, Detect, Escalate & Communicate. Lets break it down further:

Training & Awareness. Three components: Training of the staff to understand their part in these six components. Communication Campaigns in order to keep these individuals up to speed on changes, training, or simply to keep awareness high. Finally, Drills on a consistent basis. These drills may be paper-based, table top, or live fire.

Evidence Retention & Documentation. This includes a process for keeping Chain of Custody (and it's verification) as well as other Evidence Handling procedures such as storage or destruction. Finally; any documentation that must exist to satisfy any regulations, laws, audits, etc that need completed. Indeed, an audit of such procedures should be done on a regular basis to verify conformance with the procedure as well as best practice.

Management and/or Committee. The designation of an organization-wide membership of members who are responsible for three items: Providing the overall leadership and direction of the SIRT capabilities, Governance or oversight that such capabilities are mature, capable, practiced and ready when necessary, and finally the ability to grant the authority necessary for a SIRT to do what is needed in face of both certain and uncertain times.

Response. I see response as containing three key components (as outlined in NIST 800-61) which include containing a threat, eradicating the threat (and mitigation of vulnerabilities to prevent it in the future) as well as recovery into normal operations and further monitoring controls to confirm the threat has indeed been eradicated.

Detect. I keep the detect separate from response component; this is probably personal preference but I believe it allows for more accountability and focus on making sure all detection capabilities are in place. Detect focuses on processes targeted at the Identification, Validation, and Escalation of an event into an incident.

Escalate & Communicate. Three key areas: Triage/escalation protocols, contact lists, and definition of roles.


I'll add and subtract from these thoughts in followup posts after I complete the course.

On Primary Loyalty

This post is a tangent from my typical blog as it's a reply to selil which in turn is a reply to mtanji as instigated by Robb.

I see the question of primary loyalty as a means to the ends of which Selil suggested. More precisely I see the goal of the majority of Americans as the safety and success of their family. The primary loyalty factor is what determines in the safety/success of said family.

Examples:

• jobs. A company you work for may allow this. Large corporations will keep your family secure in order to keep employees. Smaller companies may have a direct impact on the community at large which directly pays off for the individual (local government, local utilities, tool & die manufacturer, farmer.
  
• industry. Specifically union jobs. teachers, plumbers, truckers, firefighters, cops, information technology.
  
• extended family. Everyone has an uncle who is a farmer right? I certainly do.
  
• religion. Not necessarily a faith as much as the local church, temple, or synagogue.
  

The vast majority of us will choose from these as well as other options as their primary loyalty to fulfill their commitment as a family member. A minority will have shunned their family and will align with sources of power and be detrimental to society by having their PL and family be the same thing (such as gangs or terrorists or Robb's global guerrillas). Off the cuff I suspect the confusion of PL and family as what leads to (or promotes) extremism.
Tanji's second question is perhaps easier. I vote for the Internet to allow myself the most choice. Choice is key. In RC world I hope for self correcting and connecting wireless networks which provide nearly the same level of connectedness as today if not more.
In the end we have at least two options, either a pizza delivery guy or an android in the center of the moon.

Fun Reading for Friday

• Diebold Finally Admits its Voting Machines Drop Votes from Schneier on Security
  
• Virus Infects Space Station Laptops (Again) from Wired Top Stories
  
• If You Want To Create a Mashup, Just Ask Your Browser. Mozilla Labs Launches Ubiquity. from TechCrunch
  

Security Religion

An audience I once sat in was challenged during a presentation by a co-worker to "develop your own personal security religion" if you haven't already done so as the consequences of not having one are too great. I assumed he was speaking to everyone but me.

Nonetheless I jotted this challenge down in my moleskin. I've not yet systematically wrapped my head around my own mindset or 'religion' to speak to it. But this article on OODA loops highlights some of my thoughts on how to develop a team-based mindset of security religion.

In many respects, the goal for a response team is to have the quickest OODA loop around as well as the independence to carry out rapid response. But the three elements the author lists as required for a maneuverable company resonated with me: mutual trust, clear sense of mission, and focus.

Make no mistake, those three items are done through proper leadership.

On Malware Investigations

I was recently asked how to investigate malware that has owned a particular windows host. This post will address some of the elements, methods, and goals of such an analysis but I will avoid any discussion of tools.

Elements of the whole

A holistic approach is needed but you must understand each element to gain the most value. These elements contain the evidence needed in order to gain insight into what happened. Not all are needed, but the more there are the more likely a validation of the dataset can be done.

The first element is at the network layer. This is your most trusted source of information as there are no questions regarding the integrity of the data. These sources include netflows (or any session data), any full packet captures, proxy logs, authentication logs (AD Domain Controllers, RADIUS, etc). The ideal situation would be a full packet capture during the initial infection as well as continually to track network activity. This also, barring encryption, confirms or denies if any information leakage occurred.

Additionally we have the operating system layer. This consists of items such as full memory dumps or process lists, services, eventlogs, application logs (such as antivirus, HIPS, IIS, SQL, etc). All this information may be suspect if the malware did gain complete ownership of the host. Because of this integrity question, any operating system information gained should be validated against either the file system or network layers. The operating system layer is much less obvious than the network layer and requires a lot of small items which may build into a builder picture.

The final element is the file system layer. The file system should be inspected through either a bootable CD or mounted in another system. This prevents integrity issues from rootkits. Important starting points include the Internet Cache, modified or creation times, prefetch, as well as AV quarantine directories.

Proper Methods

Mindset and minute details should always be front of mind. A simple spyware infection could turn into a full blown data loss fiasco. Collection of as much evidence as can be obtained should be done quickly but more importantly in sound practice to prevent any spoliation. It will slow things down, but it will preserve any sort of case that may need to be developed.

Once collected, a copy of the data set is then used for analysis. This analysis typically ends up with lots of tree branches going out in different directions. Most of those branches will end up as a dead end. The ones that do not should all collaborate with each other. If they don't, you are missing something. A single piece of data is uninteresting if you don't have at least one other source that gives validation.

The Goal

The goal in such an intrusion is to discover precisely "what" the malware does. This will allow you to answer the more important questions of the who, why, and how. The who will allow you to watch for future threats. The why will define the attack's motive which will clarify the potential and/or residual risk. The how will show where weaknesses are and allow for remediation of said weaknesses.

None of this is particularly new, perhaps some slant from my experiences but certainly not my ideas. Two heavy influences: Richard Bejtlich and Harlan Carvey.

Fun Reading for Tuesday

• charmsec: charmsec #6 is this thursday. Any twitter folks making it out? from Twitter / charmsec
  
• How to Survive a Power Blackout from Wired Top Stories
  
• RBN - Georgia Cyberwarfare – Attribution & Spam Botnets from Russian Business Network (RBN)
  
• Cloaking device could shield pacemakers from malicious signals from Engadget
  

Fun Reading for Friday

•  Fedora confirms: Our servers were breached from SecuriTeam Blogs
  
• Google hacking the Olympics from The Dark Visitor
  
• Mozilla drags IE into the future with Canvas element plugin from Ars Technica
  

Client vs Server Models

Twelve or thirteen years ago I told my family one day all their data would be accessible on the Internet and computers themselves wouldn't matter so much. They told me nobody would turn over their privacy like that so therefore it would never happen.
Every few years somebody tries to blow my mind by explaining how we're either going back to the mainframe model, client/server model, or peer model of computation and how ironic that really is in today's world. Cloud computing buzzwords have helped the occurrence of such conversations lately.

My twist on these computing models: it's not about whether input/output is centralized or decentralized but what effect is has on information. The tendency over time isn't about architecture necessarily but that is has continually evolved into creating higher degrees of complexity, mobility, and abstraction of the information.

Nothing groundbreaking, just food for thought.

On Cyberwar

I've only skimmed a dozen or so articles on the Georgian/Russian (so-called) Cyberwar. In my humble opinion the event is rather non-interesting as is being reported. It wasn't a cyberwar, it doesn't even appear to be a means of signals intelligence. So far all reports show that it was simply attacking the communications infrastructure to further cause confusion. No news on whether they attacked radio or cell phone signals.

The more interesting story is the use of civilians. I believe a similar tactic was used as protests from Chinese hackers during the Tibet riots earlier in the year. State sponsorship at it's best.

And while that may be interesting, the more important story is the actual war. Cyber or not, the entire event is going to unfold for some time. If a pullout does eventually occur, Georgia will still be heavily influenced by Russia politics. A concept they thought died along with the cold war.

Here, here,, and here for great analysis.

Fun Reading for Tuesday

• More Digital Freedom from Coaching Tip: The Leadership Blog
  
• charmsec: For those not counting, charmsec 6 is ten days away. That's Thursday August 28th. Prepare your black shirts. from Twitter / charmsec
  
• Open source license ruled enforceable, hippies rejoice from Engadget
  
• Privacy Survey from CERIAS Blog
  

Practicing Security in Hard Economic Times

Some interesting turns of events in the financial markets lately. This will have a lasting affect on companies big and small for the next few years. So how does that affect security?
"Ease of business vs Security". This is the typical trade-off security practitioners and businesses need to make. Arguably when times are rough financially that dictates a serious of actions by the business which includes a bigger magnifying glass on expenditures in order to control money flow. Depending on the level of pressure exerted on the company a higher degree of reactivity vs proactivity will occur as business works on meeting the needs of today vs long term. Did I mention I'm not an economist?
A few points:

• The economy has changed how security shops will do business for the near term. This should be obvious but that doesn't mean we won't learn it the hard way.
  
• Expect to think more short term as opposed to long term. (But not at the expense of the long term).
  
• Invest in raising security levels in the existing infrastructure as opposed to add-on solutions.
  
• Business changes rapidly during sporatic times. Be on your toes and slow your capital initiatives. Make sure you're ready to react when the business needs you. This will show that you're not a waste of money or time and, indeed, understand business.
  

Thoughts are still hazy on this for me, but I feel those will clear up as time goes on.

Fun Reading for Saturday

OPEN SOURCE WARFARE: Cyberwar from Global Guerrillas
August 2008 Microsoft patch Release from Verizon Business Security Blog
Police nab Shadow creators, force botnet to commit suicide from ArsTechnica: Security Content
Cognitive Waste from John Robb's Weblog

Name That Unmarked Vehicle.

I've always had the habit of scanning traffic while driving to spot unmarked police vehicles. Not particularly because I'm speeding but for the same reasons I am aware of surveillance cameras nearby.
Maybe it's a game I play to keep my mind from wondering. On the way in to work this morning I counted 9 tells that I typically use to spot an unmarked car that is behind me.

One of the tells even signals if it's a state or federal owned, which is handy if you're wanted by the FBI.

Clausewitz - "On War"

One of my long term books I've began reading is "On War". The first 68 pages consist of several forwards and introductions. It's heavy but good (I'm on page 19). I'm not a big quote person but my first favorite quote so far:

The conduct of war resembles the workings of an intricate machine with tremendous friction, so that combinations which are easily planned on paper can be executed only with great effort. Consequently the commander's free will and intelligence find themselves hampered at every turn, and remarkable strength of mind and spirit are needed to overcome this resistance. Even then many good ideas are destroyed by friction, and we must carry out more simply and modestly what in more complicated form would have given greater results

Patching

Premise: You cannot do an organization-wide push of security patches without major transaction costs.
Solution: Transaction costs must be lowered.

Options:

• Enable automatic updates via the builtin software mechanisms and deploy ad-hoc instead of structurally
  
• Break it down into smaller bits that aren't dependent on each other to faster get to 80% saturation.
  
• Allow pulls as well as pushes; let the mass decide how to deploy within a chosen framework.
  

Others?

Border Patrol vs Endpoint DLP Security

This is a bit of old news but I've had an index card note to mention it for awhile. Schneier posted an article for the Guardian regarding the government's allowance to let search or seizure of ones laptop while crossing the border.

Shortly after reading this I met w/ an endpoint DLP provider. This wasn't an SE, but a head developer. I asked said head developer the implications of bad border experiences when the HD itself is encrypted and the OS itself prevents data from being removed.

There was no answer. The real answer is to make sure you keep your data in the cloud and not on the HD. But that doesn't limit the border officers frustration that your laptop isn't being a good citizen, which may lengthen your stay at customs.

Why Voicemail should go extinct

I hate voicemail. The other day I put some thought into why I hate voicemail. There's a few that I came up with.
It's arcane. I realized it was arcane when apple revised it with their iphone to take voicemail out of the FIFO mentality. I don't have the patience to fight the interface anymore because there are simply better ways for people to get a hold of me. And they will find those ways when voicemail goes unanswered.

Its both pull and push. The sender pushes the message to me, which is great! I then have to pull the same message to me. And I have to blindly pull, not even selectively prioritize or filter. Voicemail is an all or nothing pull, and one that the sender blindly pushes and can only assume it's delivered. It's like UDP except with a horrible interface.

Email me, IM me, text me, twitter me, call my mobile. Do not leave me a voicemail because it has a high chance of not being filtered out and responded to but instead routed to the bit bucket.

Attacking the supply chain

What happens when attacks are on physical commodities and their supply chains? Last week's hubbub about counterfeit Cisco devices has created a bit of a stir. It's easy when it's software which can be corrected in a matter of months, but what happens when you can't trust your hardware? It seems that Cisco's current stance is to stand behind their supply chain.
This is a precarious position, indeed, it's something the Oil industry is trying (and failing) too. The software (or anything virtual/logical) supply chain can be easily fixed as the turnaround time can be hours or days. What happens when release cycles last months or years? If such a supply chain is attacked, or simply can't be trusted, then it'll be a bigger issue of applying a few patches.
Think oil and energy, think food, think transportation, think how slow the military industrial complex is on reacting.

Clay Shirky's new book

I'm about halfway through Clay Shirky's Here Comes Everybody. It's a great book so far and should be required reading to anyone who assumes that installing a wiki will automatically create some sort of community. But on page 42 was something very quotable which I wanted to share:

"his [now typical organization hierarchy] management system was designed to produce "such information, to be obtained through a system of daily reports and checks, that will not embarrass principal officers nor lesson their influence with their subordinates." If you have ever wondered why so much of what workers in large organizations know is shielded from the CEO and vice versa, wonder no longer: the idea of limiting communications, so that they flow only from one layer of the hierarchy to the next, was part of the very design of the system at the dawn of managerial culture."

I love that paragraph and the assertion that the hierarchal organization chart used by industry today, on principal, follows the OSI Model. The idea of social networks, collaboration, sharing, self-organizing, web 2.0, wikis, and other latest buzzwords conflict with this at a core level is interesting. Also, I would suggest that practiced data security models today rely on this OSI data encapsulation and without access control and data protection built into these web 2.0 products then little can be done to secure them.
One final thought: the person who creates a blog platform for organizations that lays out ACLs based on the companies org chart and creates communities based on peer levels as such will be have a nice hybrid platform for transitioning companies who are struggling to get out of the old hierarchy.

Another spin on hyperconnectedness

SC has an article up on The next generation of workers and their expectations. This combined with digital natives, hyperconnectedness, social surplus and the application of open source concepts to society are going to define information (and it's security) in the next 10-20 years.

hyperconnectedness

Ars posted a blurp on hyperconnectivity on the rise.
This begs several questions. If everyone is hyperconnected then everyone has devices that blur the line of business and personal. How is that secured traditionally? Will traditions work in that sort of environment?

I'd argue that traditions, as well as what is thought of as the typical company network perimeter, were just fads and band-aids. We need better solutions.

Security Systems

Way back in 2005 Emergent Chaos wrote up some examples of security principles based on the Star Wars movies. It was a bit goofy.

But offering examples based on a simplistic universe where everything can be taken at face value is extremely useful. It's much harder analyzing something such as a... grocery store, as not everyone is familiar with their processes and things that may happen behind the scenes.

But there are systems out there that can be analyzed from a security perspective that you don't need intimate knowledge of. The latest one that's occurred to me is the highway system. Next time you're stuck in traffic take a look around.

• Sign poles
  
• barriers
  
• privacy/sound walls
  
• lighting
  
• CCTV

All of these have an impact on security and some of the designs are specifically for that. Over head signs, for instance, have smooth poles up until past human reaching distance- any cross members aren't reachable- to prevent climbing.

marginalizing threats

I sit through several presentations a month. It's part of my job, and some of the presentations can even be insightful. But lets talk about threats. This is something most people like to touch on; certainly it's a topic that can be on the more exotic side. Cloak and dagger, espionage (e-espionage? i-espionage?) and all that.
Some advice to separate you from your competitors:
Do not talk about RBN (or other such organizations) and then reference "people living in their mother's basement".

On second thought, do not mention pimply kids or mothers basements no matter what your discussing.

It marginalizes the threat into a pigeon-holed ideal of what the threat was in 1989. Nowadays, The guy may still be in the basement but he simply an agent of a larger threat. It's irrelevant where he lives, but the fact that he spends 40-60 hours a week on herding his bot or owning websites and generally being a symptom of a bigger problem.

Get out of the old mindset, you're hurting the real issue here if you keep floating back and forth between threat models.

additional reading: Evolving Threats by Corman.

Charmsec #3

I'm trying to organize a <a href="http://citysec.org">citysec</a> meetup in baltimore.  There were a <a href="http://lists.shmoo.com/pipermail/secgeeks/2007-May/subject.html">few attempts</a> last year but it fizzled out.

<a href="http://citysec.org/forums/1/topics/15">Official update</a>

<blockquote>
What:
Informal meetup of infosec folks.

When:
Wednesday May 14th (humpday!)
7:00pm - whenever

Where:
Wharf Rat @ Camden (good beer, conveniently near 395 on Howard St & Pratt)
Barside. I’m not going to post a sign as the place is small. We’ll be the geeky looking folks in black shirts, right?

Why:
To talk security with other people who aren’t there just to get 3 CPE points.</blockquote>

L0pht panel

I somehow stumbled on a mention that SOURCE 2008 had a 'reunion' of several l0pht folks for a panel discussion. I always had fun reading their shenanigans back in the day and it was fun to watch.

I recommend listening to the Gorillaz while watching it. Here's the actual link if you want a slightly larger version.

Email as a platform

"When you have a hammer, everything looks like a nail." A corollary to this is:

When you have a budget, everything looks like a turnkey solution.

Unfortunately most technology solutions out there tend to be a wysiwyg. More precisely, there is no growth, no meaningful way to use the data other than what is offered out of the box. In essence, it is not a platform that will allow for future growth or changes. Indeed, a turnkey relies on the process to be created around the solution as opposed to the other way around.
This irritates me to no end; I don't want consoles or exported data- i simply want to get things done. I like to think I'm fairly clever at providing this flexibility for my personal needs. Lately I've been creating some internal processes to meet some company demands. turnkey solution? Sharepoint? custom code?
Nay say I; whichever solution should not get in the way of the business process. I've been experimenting with using email as the formal distribution method of process data and relying on excel for tracking. The goal of the process should be well understood by all; this sets the groundwork. No more than 5-6 generic flow rules else it's too confusing.
Email isn't all encompassing; but it is an interesting platform when viewed as such. In a lot of instances email processes actually can meet the lowest common denominator. Which, I submit, the LCD should always be the target when defining new processes. This will allow for a healthy maturation of the process. Too often we try to skip ahead.

Thought Experiment: Years 2013 - 2018

What will a typical company look like in the years through 2013 and 2018? Technology will have a large impact, and how that technology works will dictate a lot of security concerns to that company. While it may be completely pointless to predict anything past six months out; we need to at least have some sort of moving target. Keeping our heads in the weeds will keep us as reactive as we always are.

Some rough guesses off the top of my head:

• The network perimeter will be non-existent (or ineffective); virtualization and commodization will create a SaaS-like corporate environment available anywhere/anytime from any device. Eventually a de-facto identification method will exist across the internet which will give rise to this platform abstraction.
  
• Fast-paced and openness of information will be the norm; and is considered a critical competitive edge. Restricting this flow of data will not be tolerated.
  
• Black markets and espionage will be common place on the Internet; a global group continual effort to minimize their affects will emerge.
  

Obvious Influencers: Brave New War, The World is Flat, Rainbows End(fiction)

See you in 5 years to see where we are.

RSA conference

So the RSA conference is this week.

2007's conference had over 17,000 attendees. Good time for attackers to attack.

Interviewing infosec positions

The last time I went through the interviewing phase I did some googling and certainly stole some of the better ideas out there.

I've began building on top of my "top ten" list of interview questions to try and get at a more fundamental comprehension level understanding. I'm doing this by applying Bloom's taxonomy. This is what is typically used to reinforce certain levels of knowledge in the learning process. For instance, asking a candidate "What is DNS?" is a 'knowledge' level question while "Describe the functions of DNS and point out security flaws or implications to poor implementations of it that could exist" is a question that challenges the candidates knowledge and analyzing capability. My layman's understanding of this taxonomy is that the above question would fall under the Evaluate classification. I took the time to write down the taxonomy breakdowns in my moleskin as a future reference.

Can you tell my wife is a teacher?

Security Vs Productivity

After reading this blog post about security being "creative" I remembered something I jotted down in my moleskin back in October.

A disadvantage [security teams] face is the fact that we do not lead architecture changes that improve both security and enable individuals or the company.

To further explain that: security likes to tighten things down rather than put controls in place that can give perception of a more open environment. I suspect the entire "Security versus Productivity" argument is inaccurate; it's just the easy way out. We can make both a productive and secure environment if we're more clever.

Decentralizing the world

Let's weave a (completely speculative) web. From a society standpoint we've evolved from nation-states -> feudal systems -> empires -> nation states.
From a technology standpoint we've evolved -> microcomputers -> mainframes -> server/workstation -> upcoming virtualization and web2.0 platforms.
From a communications standpoint we've evolved from military comms -> POTS -> PBX -> Internet Protocol -> Cell networks.
From a newsfeed standpoint we've grown from word of mouth -> printing press -> television -> www.

So if you accept the idea that in the grand scheme of things the trend over time is to become more decentralized then how does that play on security? If "power" is decentralized, whether from king to federalistic systems or centralized switch-based telco hubs to diverse IP based routers, then "power" is also gained by each individual component.

Power is therefore being trusted and redistributed amongst all the systems individual components which allows for larger scaling in what that particular system is designed for. Let's apply this to a corporation. The corporation is designed to make money; and certainly power redistribution to the employees and away from a regimented command structure is happening internally to companies. This is based largely on the technologies the companies use (email,voip,ipods,blackberries,wikis,IM,salesforce,you name it) but also on leadership mindset changes and market forces such as globalization. These are all good things, as the corporation is now more nimble, and quicker at making money.

But it makes security really hard.

What's important? Acknowledging that the network perimeter is a security blanket and not much more than that. Figuring out a way to trust your data and not your infrastructure or necessarily even your data manglers (eg, your employees and partners).

I suspect the walls will eventually come down. Corporate networks will not exist, there will be simply a public (wireless) network cloud with a reliance on private channels and heavy focus on abstraction and virtualization.

Becoming a better incident handler

On occasion I find myself poking around the net in search of military doctrine or other military papers. People certainly quote Sun Tzu constantly; mainly since they sound so clever. Of course these quotes come directly from "The Art of War" which is why I like the military doctrine stuff. The items the military publishes isn't trying to mystify or be clever but to turn the "Art" into "Science".
I submit that achieving a science to information security- specifically event handling and response- is what the entire community should strive towards.
This involves training, experience, developing methodologies, confidence in one self, leadership and hardcore skills. These things do not come quickly.
For a good time now I reflect on Blooms cognitive domains taxonomy to rate the training and general skillset. (Can you tell my wife is a teacher?) I still need to internalize those verbs to be able to significantly push boundaries. By this, I submit that asking questions such as "what happened?, what worked, what didn't work?" during debriefs of events is not nearly as effective as asking "How would you classify the event, Do you agree with X, Further break down the implications of X" etc.
But the other day John Robb posted an intriguing synopsis of current events. In that post he referenced the OODA loop which I was completely unfamiliar with. I like how it breaks down the decision process and I believe that understanding this feedback loop can have an even higher impact as an incident handler.
Additionally, Chet Richards has an excellent powerpoint on the OODA loop.

Shmoocon 08 observations

I've been to attending shmoocon since it opened back in 2005. I've not been to any other con- all my con experience is based purely on what Bruce brings to the table.
A few observations:
* This year there was less black-clad men while at the same time a rise in women and corporate looking folks. This seems inversely-proportional to the quality of the talks.
* Syn Phishus is lame and should have been fired for acting like a 16 year old
* Deviant's Gringo Challenge sounded great but I never had time to check it out. I hope it returns next year.
* Charlie Miller and Dino Dai Zovi's "Virtual Worlds - Real Exploits" was clever, unique, and all around great talk
* Jay Beale's talk was a disappointment, I left midway through for lunch. (Since when was it okay to plug your company while at the same time presenting on watered down trends that everyone has known for the last two years?)
* Only one talk on Vista security? We're stuck with Vista for the next few years, I expected more than one talk on the subject.

I am again happy that I attended this year. The reality check on mindsets and pushing my head out of my corporate security zone is refreshing and a good thing.

What is after DLP?

Lets put things into perspective. The latest buzzword seems to be DLP. (Just ask Gartner). And I'm down with DLP, it makes sense after a fashion.

But really, now. There's two big problems that DLP doesn't address. Two items:
* prevention will fail
* public information has an amplifying affect

I don't particularly want to focus on prevention, but it needs mentioned. Information will end up in places you do not want it. Expect it, plan for it, don't ignore the simple fact.

Public information is much more damning because there's nothing that can be done. You can certainly attempt to put in draconian policies. Let me know how that works out.

As I said, public information has an amplifying affect. In another words, the sum of the parts add up to be much more valuable than each datum individually.

I submit that OSInt is not just for governments anymore. I suspect managed security service providers will begin collecting and aggregating information to analyze open source information for customers. Open source information has a leveling affect of the playing field for competitors. Worst case we ignore this easy way of collecting and applying information and the black market embraces it and makes a fortune. Best case, we develop free tools to allow anyone easy ways to analyze this information. This will allow both sides the same insights.

I've always considered technology a tool that amplifies results; I never thought of applying the same ideas to information. Something to think about.

Linkedin followup

I rambled about linkedin awhile back already. My stuck-in-traffic hypothesis today was something along the lines of "I bet a lot can be discovered about a company just with google and linked in".

So I did some farting around. First I checked out google and looked for a listing of "large private companies" and picked one at random that I had never heard of. I spent less than an hour on google to see what I could find about who we'll call company X.

Preliminary stuff of which I quickly got bored and stopped recording: Main headquarters is in Minneapolis, European headquarters is Geneva, locations all over the place. Big on logistics, supply chain, etc.

Slightly more interesting: lots of programmers have been at X one time or another. They have both Lotus and Exchange environments, wireless networks deployed, they use Dell, AS/4000, Oracle 9i as of 2006, previously it was 8i. They deployed WinNT back in 97, didn't see anything since. First internal portal was deployed in (i think) 1999 and used plumtree. Theres a service desk operation in the Netherlands.

Key words: ERP - some mention JD Edwards, some mention "new and proprietary" ERP. They have an internal "Global Office II" application. They have an internal transaction application using smalltalk, sybase and is over 4million lines of code, deployed in 1999. Powerbuilder v8, perl, java.

I left a few keywords out to not make it obvious who I selected. This was one google search by the way:

site:linkedin.com "at Company X" inurl:in

I purposely didn't deepdive into divisions (i had around 4 division names and several business units as well as general IT keywords).

Lesson? Casing a company is pretty easy with linkedin if you're interested in 9 month to 9 year old stale information. Otherwise this was a pretty silly exercise and I wasted an hour of my life. The ROI on using this is possibly greater than single hits on mailing lists, job posting, blogs, etc.

If companies google me as an employment screening process, they should certainly expect the same from me.

AutoHotkey

I love the alt-drag function built into X. This allows you to not have to go to the title bar in order to drag a window around on the desktop, just hold down the alt key. It took me ages to find anything equivalent for Win32 and then I replaced the laptop and didn't take the time to re-find it. So for future reference:

The app to use: Autohotkey

And the script as posted on how-to geek which i have copied local for convenience.

It's quite a good emulation and maybe a bit jerky but still in the acceptable realm.

Ediscovery pocket guide

I saw over on ediscoverylaw that the Federal Judicial Center released a Pocket Guide to Ediscovery. It's about 30 pages.
I've not yet read it, but it looks to be low on the legal-speak. This is a quick to-do post so I don't forget to at least skim it.

Why Zero Inbox Is Stupid

I really try. Merlin seemed to really be on to something. The premise makes sense, always keep a keep a clean slate and don't leave it sad. And by "sad", I mean crufty threads that won't and can't leave the inbox. Last I looked I had 346 items in my inbox, 66 of which were unread.
And it's not my fault.
My first instinct was to start measuring. I spent the last twenty minutes googling for some sort of plugin that does some deep analytics of email messages to establish trends. The simple idea of being able to measure simple items such as my top sender, recipient, thread, topic, sender whom I delete, sender whom I reply, hours spent in the inbox, high volume email hours, high volume email days, etc seems to be a rather straightforward and (slightly) useful thing.
jack squat.
I did certainly find some GTD, sales, and project management plugins; none of which seem worthy enough to mention let alone trial. But the fundamental problem is the simple fact that whichever agent I use should not be a burden or a hassle but a tool that enables.
Inbox Zero is a patch to a truly basic problem: corporate email does not scale to the email agents that exist.
This should have been apparent when Merlin couldn't answer a basic question on handling group responses to an email thread in his google presentation. Hindsight is always 20/20. No solutions here, just a sad rant.

Security Through Functionality

I was flipping through my aging moleskin this past weekend when I came across a one liner I had written.

A disadvantage [most security groups] face is the fact that we do not lead architecture changes that improve both security and functionality.
-10/07

It's easy to lose sight of the ball and focus on restricting of data and permissions instead of enabling technologies securely. Security orgs should be quicker on the uptake instead of challenging every move IT or the business makes.
An easy example would be revamping remote connections to the network. Your company use OWA as the primary connection? Citrix or Terminal Server? SSL VPN? Delve deeper into the setup and find out if it's meeting employees expectations. Then build a case for a better solution (VPN, Outlook over https, nfuse, whatever!).

vi + Outlook

Viemu looks extremely cool. It adds vi key bindings into Outlook. I haven't downloaded it yet ($79!@?!) but it looks like a full blown text editor and I'm not sure if it allows for navigation. I really would just love to have j, k and / bindings at the inbox level for quickly finding and skimming email messages.

I think this may be the first vi-esque program that I've seen that actually costs money. If anyone tries it I'd love to hear their thoughts.

Mobile Devices and Contexts

My brain has been going down a train of thought over the last few days. This train includes platforms, iPhones, digital natives, and contexts.
First lets start with platforms and what makes a platform succeed. There's even an entire book (which I've not read) called Platform Leadership. I'm beginning to think of things in a platform view in regards to input/output, creating an open structure, enhanceable and what not. The security industry fails all of these at some very basic level but that's a different post.
This contemplation led me to iPhones and blackberries. Expectations and trends to merging worklife with homelife is a fundamental problem. I've not seen any discussions on the separation of these two worlds. Personal data is private to the individual and Corporate data is private to the company. These two things should not be mixed, however blackberries and iPhones are doing just that. And it's unavoidable.
And then we have digital natives who set the expectations higher for their digital wants and expectations. Who wants to carry around a personal cell as well as a blackberry? Who wants separate address books or notes? The upcoming generation does not (I don't). This strengthens the argument for convergence of these two (corporate and individual) worlds.
The embedded market as well as computers in general need to seriously begin work on creating these contexts in devices. Minus an extra SIM, I see no reason why a mobile device cannot have both a work number as well as personal. The employee supplies the device and the company supplies the work SIM. From there on out it's a software issue. Context of data needs done. A certain policy should exist for corporate data versus personal data.
This data context needs created on the mobile workforce. One- because the security industry fails at creating scalable platforms and will not address what is a fundamental product issue. Two- because these devices are interacting with the company data and barring draconian rules (that will be circumvented) it is only a matter of time until the company loses the war. And finally, data is supposed to be easy to use, not arcane.
Incidentally, data contexts could be driven by a form of federated services. Microsoft could make this happen, google or cisco could also make it happen. Once the identity is known and apps understand context then we can apply inherent transparent separation.