Thursday, February 28, 2008

Becoming a better incident handler

On occasion I find myself poking around the net in search of military doctrine or other military papers. People certainly quote Sun Tzu constantly, mainly since they sound so clever. Of course these quotes come directly from "The Art of War", which is why I like the military doctrine stuff. The items the military publishes aren't trying to mystify or be clever but to turn the "Art" into "Science".
I submit that achieving a science of information security, specifically event handling and response, is what the entire community should strive towards.
This involves training, experience, developing methodologies, confidence in oneself, leadership and hardcore skills. These things do not come quickly.
For a good while now I have reflected on Bloom's taxonomy of cognitive domains to rate training and general skillsets. (Can you tell my wife is a teacher?) I still need to internalize those verbs to be able to significantly push boundaries. By this, I submit that asking questions such as "What happened? What worked? What didn't work?" during debriefs of events is not nearly as effective as asking "How would you classify the event? Do you agree with X? Further break down the implications of X", etc.
But the other day John Robb posted an intriguing synopsis of current events. In that post he referenced the OODA loop which I was completely unfamiliar with. I like how it breaks down the decision process and I believe that understanding this feedback loop can have an even higher impact as an incident handler.
Additionally, Chet Richards has an excellent PowerPoint on the OODA loop.

Monday, February 18, 2008

Shmoocon 08 observations

I've been attending ShmooCon since it opened back in 2005. I've not been to any other con; all my con experience is based purely on what Bruce brings to the table.
A few observations:
* This year there were fewer black-clad men while at the same time a rise in women and corporate-looking folks. This seems inversely proportional to the quality of the talks.
* Syn Phishus is lame and should have been fired for acting like a 16-year-old.
* Deviant's Gringo Challenge sounded great but I never had time to check it out. I hope it returns next year.
* Charlie Miller and Dino Dai Zovi's "Virtual Worlds - Real Exploits" was a clever, unique, and all-around great talk.
* Jay Beale's talk was a disappointment; I left midway through for lunch. (Since when was it okay to plug your company while at the same time presenting on watered-down trends that everyone has known for the last two years?)
* Only one talk on Vista security? We're stuck with Vista for the next few years, I expected more than one talk on the subject.

I am again happy that I attended this year. The reality check on mindsets and pushing my head out of my corporate security zone is refreshing and a good thing.

Thursday, February 7, 2008

What is after DLP?

Let's put things into perspective. The latest buzzword seems to be DLP. (Just ask Gartner.) And I'm down with DLP; it makes sense after a fashion.

But really, now. There are two big problems that DLP doesn't address. Two items:
* prevention will fail
* public information has an amplifying effect

I don't particularly want to focus on prevention, but it needs mentioning. Information will end up in places you do not want it. Expect it, plan for it, don't ignore the simple fact.

Public information is much more damning because there's nothing that can be done. You can certainly attempt to put in draconian policies. Let me know how that works out.

As I said, public information has an amplifying effect. In other words, the sum of the parts adds up to be much more valuable than each datum individually.

I submit that OSINT is not just for governments anymore. I suspect managed security service providers will begin collecting and aggregating information to analyze open source information for customers. Open source information has a leveling effect on the playing field for competitors. Worst case, we ignore this easy way of collecting and applying information and the black market embraces it and makes a fortune. Best case, we develop free tools to allow anyone easy ways to analyze this information. This will allow both sides the same insights.

I've always considered technology a tool that amplifies results; I never thought of applying the same ideas to information. Something to think about.

Wednesday, February 6, 2008

LinkedIn followup

I rambled about LinkedIn a while back already. My stuck-in-traffic hypothesis today was something along the lines of "I bet a lot can be discovered about a company just with Google and LinkedIn".

So I did some farting around. First I checked out Google and looked for a listing of "large private companies" and picked one at random that I had never heard of. I spent less than an hour on Google to see what I could find about who we'll call company X.

Preliminary stuff of which I quickly got bored and stopped recording: Main headquarters is in Minneapolis, European headquarters is Geneva, locations all over the place. Big on logistics, supply chain, etc.

Slightly more interesting: lots of programmers have been at X at one time or another. They have both Lotus and Exchange environments, wireless networks deployed, they use Dell, AS/4000, Oracle 9i as of 2006, previously it was 8i. They deployed WinNT back in '97, didn't see anything since. The first internal portal was deployed in (I think) 1999 and used Plumtree. There's a service desk operation in the Netherlands.

Keywords: ERP; some mention JD Edwards, some mention a "new and proprietary" ERP. They have an internal "Global Office II" application. They have an internal transaction application built on Smalltalk and Sybase that is over 4 million lines of code, deployed in 1999. PowerBuilder v8, Perl, Java.

I left a few keywords out so as not to make it obvious who I selected. This was one Google search, by the way: "at Company X" inurl:in

I purposely didn't deep-dive into divisions (I had around 4 division names and several business units as well as general IT keywords).

Lesson? Casing a company is pretty easy with LinkedIn if you're interested in nine-month- to nine-year-old stale information. Otherwise this was a pretty silly exercise and I wasted an hour of my life. The ROI on using this is possibly greater than single hits on mailing lists, job postings, blogs, etc.

If companies Google me as an employment screening process, they should certainly expect the same from me.