Title: The Solution vs The Silver Bullet (or InfoSec Industry != InfoSec Practice)

Synopsis: The information security industry and information security practice are two concepts that should not be confused. The industry is for making money. The practice is for securing your organization. While the two certainly overlap on a Venn Diagram, there are large areas where never the two shall meet. The infosec practitioner needs to know how to discern where the practice stops and the industry starts. Otherwise, the Silver Bullet mentality will take over, and the practice becomes unmanageable. Join Michael on this talk to discover how to start down the path of discernment. Michael will give practical ideas on dodging the Silver Bullet cycle or getting out of it if you are there already.

The Texas Technology Summit is more of a general IT show with a good amount of security focus. I picked that venue for this talk because I wanted to test the talk first on that kind of general crowd. I wanted to see if it resonated with folks who might have security as a part of their job, but not be solely focused on security. Turns out that it did. I had great feedback that addressing security as a complex system rather than a checklist helped them with their approach to building a security program. I also talked about determining your organization’s current and desired security maturity levels, and using that data to help make decisions. That was also very well received.

I did have a couple of people at the show who are straight security professionals who I know and respect. They were very positive about the talk as well. So now I am going to try it on a security-focused crowd at NAISG DFW next week. We’ll see how it goes there. I may do a bit of tweaking between now and then, but overall I am happy with the talk. I’ll post a recording if I get one while I am there.

As I watched the showdown, a couple of points started forming in my head. The first was from the standpoint of a security professional with an interest in new security technologies. The second was from the was from the standpoint of an orator. So let’s start with the first one.

First – The Security professional

Each of the vendors seemed to attack the big issues of today, like cloud, malware, browser security, BYOD, etc. But you know what? I’m just a little tired of it all. Every year, we have more vendors. And every year, they fall away. And as I write this section of this post, I just want to stop and scream. So many products, and I keep getting reminded of Jeremiah Grossman’s post about increasing the attack surface with more security products. Yes, I know this doesn’t exactly equate. Every time a product comes out does not mean you are going to put it in your network. But there is this overload that has been coming and coming, and we have reached it.

So many of these issues – like BYOD – can be fixed using stuff you have in your security toolbox now. That doesn’t mean there isn’t a need for point products sometimes. But like Jeremiah said, bad guys shift tactics. And the more products there are guarding your network, the more they look for holes in those products. So it is smart to look at what you have and be smart about what you buy for security. Yes, we need innovation. But innovation is not limited to product vendors. You can innovate within your own enterprise. You can act differently, be more proactive, watch more closely, and use the tools you have. Let’s stop the cycle of buy, install, follow the shift, buy, install, follow the shift. Start hardening, start reviewing your risk, start learning your business, start determining your gaps, start creating a program.

Are there problems that can only be solved with a new product? Probably. But first we start doing things right instead of perpetuating the fraud that we have to constantly rely on others to innovate for us.

Second – The Orator

I have performed quite a few talks over my career. I have talked to fairly large audiences (200-300), and I have spoken with small, intimate audiences. Both have different challenges. With those talks, I have had plenty of time to prepare for the presentation. I practiced my talk, polished my slides, and then ran through it again. I have also done Toastmaster-like events where you have a random topic, little time to prepare, and only a few minutes to talk. The Innovation Sandbox has elements of both. Like Toastmasters, you don’t have a lot of time to talk. But like typical talks, you have time to prepare for the talk (i.e.practice), and you have time to polish the message.

Prepare, Prepare, Prepare – then Prepare Some More

Bobby Unser (Al Unser’s brother) said, “Success is where preparation and opportunity meet.” What struck me was how little the speakers seemed to prepare, and how badly their presentation was done. Even with this huge opportunity to speak in front a crowd that could possibly spell success for their company, they did not prepare. I just don’t get that.

Polish

Run the presentation with folks outside your company. Don’t talk in the echo chamber, or all you will get back is people saying it is great, it is wonderful, we’re gonna kill the ball with this presentation. Seriously people, you must let others hear the talk. Get feedback. Figure out where your doing stuff wrong, where you can adjust. Figure out out to get your message down in 3 minutes. And some advice: if you let others hear your stuff and they have no criticism, there are two possibilities: your presentation is phenomenal, or you picked the wrong people to listen to your presentation. In the immortal words of Sheldon Cooper, “Of those two scenarios, which one do you think is more likely?”

Attack the Problem

Many wanted to talk more about their management team, like a great management team was all your company needs to attract venture capital or get people’s attention. I get that it is probably a factor, but as someone pointed out on Twitter (paraphrasing because I can’t find the tweet): “If your management team is famous, they need no introduction – if they’re not, they still don’t.” In other words, focus on the perceived problem and how you solve it. I had a really hard time figuring out a lot about their companies with the presentations. Most of my questions were answered when folks on the panel started asking their questions. That is fail-city in my book.

All right, I’m done ranting. I feel clean again. For now…

Wake up people, you are falling into the same old theistic behavior that we all as evolved sentient beings should eschew, neigh, …loathe. INFOSEC is not a religion and YOU are not the FUCKING POPE ok?

That’s a quote from Krypt3ia on his blog entitled “Infosec is not a religion”. He says this in his rant about the use of the term “evangelist” in security.

Krypt3ia is even nice enough to define the term for us. Now I know Krypt3ia is smart enough to know that a term can be used creatively so that it does not fall into the traditional use of the term. But his obvious hatred of religion (displayed by the quote above) doesn’t allow him to get around this, and it is unfortunate.

Is the term overused? Yes, I think it is. That is why I chose the title “Advocate” instead (thanks to Michael Santarcangelo for the help with the title). Has it turned into a buzzword or sorts? Maybe. But should people who have the title of evangelist be ashamed somehow? No, they shouldn’t. Should people who “take” that title for themselves be ashamed? No. It might be a little corny to take it for yourself, but it is not something to be ashamed of.

If someone is using the term “improperly to suit your needs of being center stage and telling everyone from the fucking mount what “they” should be doing” as Krypt3ia says, then why is he throwing his bile against only this term? Plenty of people put themselves forward as experts who are far from it, and they don’t always call themselves evangelists. Plenty of people want center stage (I’m not immune to that, and I’m pretty sure Krypt3ia is not immune either if his diatribes are any indication).

This is really just a case of projection. Krypt3ia doesn’t like religion, and he can’t stand to see the term used so much. It irritates him, so he blows up (he does that a lot, which is part of his charm). And while my use of the term “psychological projection” is not an exact fit for the clinical definition, I think I can use it here to fit my desired message, which is: Get a grip dude. It is just a term.

Holy crap, we recorded an episode. That’s all I got to say about that…

Show Notes:

InfoSec News Update –

• Howard Schmidt is Retiring – Link Here
• Vulnerability Stats of Publicly Traded Companies – Link Here
• Tool Update – Threadfix from Denim Group – Link Here
• The Mission Impossible Self-Destructing SATA SSD Drive – Link Here
• The WAF Wars – Link 1 / Link 2 / Link 3
• PwnieExpress Releases PwnPlugUI/OS 1.1 – Link Here
• App for scanning faces to gauge age at bars – Link Here
• Business Logic Testing defined – Link 1
• ErrataSec – Wants your hotel PCAP Files – Link 1 / Link 2

Discussion Topic –

1. Should specific security efforts be validated when the program as a whole is crap? Link Here

Music Notes:?Special Thanks to the guys at RivetHead for use of their tracks – http://www.rivetheadonline.com/

Tour Dates:

1. June 1 – Dallas – Curtain Club

Intro – RivetHead – “The 13th Step”
News Bed – RivetHead - “Beautiful Disaster”
Discussion Bed – RivetHead - “Difference”
Outro – RivetHead – “Zero Gravity”

Link to MP3 ]]> http://infosecplace.com/blog/2012/05/21/an-information-security-place-podcast-episode-04-for-2012/feed/ 0 noHoly crap, we recorded an episode. That’s all I got to say about that… Show Notes: InfoSec News Update – Howard Schmidt is Retiring – Link Here Vulnerability Stats of Publicly Traded Companies – Link Here Tool Update – Threadfix […Holy crap, we recorded an episode. That’s all I got to say about that… Show Notes: InfoSec News Update – Howard Schmidt is Retiring – Link Here Vulnerability Stats of Publicly Traded Companies – Link Here Tool Update – Threadfix […] ↓ Read the rest of this entry...Security http://infosecplace.com/blog/2012/02/23/an-information-security-place-podcast-episode-03-for-2012/ http://infosecplace.com/blog/2012/02/23/an-information-security-place-podcast-episode-03-for-2012/#comments Fri, 24 Feb 2012 04:17:56 +0000 Michael Farnum http://infosecplace.com/blog/?p=1337 ↓ Read the rest of this entry...]]>

Today’s show is Michael interviewing Kevin Riggins. Kevin is an Enterprise Security Architect for a Fortune 500 financial services company. Kevin and Michael have some great conversation about Kevin’s job, what he is doing at RSA, where he blogs, the book he coauthored, etc. (look below in the show notes for links to everything).

Then a fun discussion starts about cloud, risk, mobility, risk in the cloud, risk in mobility, risk of mobility integrated with the cloud, and so on. Good stuff all around.

Here’s some links to stuff about Kevin and other stuff we talked about in the show.

Thanks go to Jeremiah Grossman for sitting down with Michael for some great discussion. Jeremiah is the CTO at Whitehat Security and a very well known figure in the InfoSec industry. Jeremiah and Michael talk about Hawaii, sharks, security philosophy, RSA, stage fright, Jeremiah’s TED talk (not published as of the posting of this entry), and the age of the InfoSec industry and whether young folks are coming into the fold.

You can find Jeremiah at Whitehat (link above) and his blog, and you can follow him and on Twitter as well. Jeremiah will be giving a talk and participating on panel at RSA as well, so be sure to attend those if you are going to the RSA Conference 2012.

What I find funny about this is that this has been an issue for a long time. Back when I was an InfoSec manager, I put in a videoconferencing system in 2006 to facilitate some communication with a sister company. When we set it up originally, I found that there were a lot of issues with putting an H.323 device behind a firewall. NAT broke it pretty easily, and I ended up putting it on the outside of the firewall for a time when we needed to setup a session, and I tore it down immediately after (we ultimately setup a private T-1 between us so we would have no issues – there was some sensitive info going across the line in those sessions). But when I was getting it setup for the first time and doing some testing, I found that the Polycom unit I was using had some test sites already in the address book. So I connected to a few of those to make sure things were working. I even had folks on the other end try to connect to me (yes, there were people on the other side just kinda hanging out. In fact, there were a few sites where it was like, you guessed it, a Google+ hangout – it was kinda fun and weird at the same time).

But after discovering that, I decided to turn on a bit of Google-fu and see if there were other sites out there that were also open. And again, the answer was yes. Google linked to a lot of sites (like this one) that had a list of “test” H.323 locations ready for connection. But what I quickly found out was that many of these “test” units did not seem to be for testing purposes at all (or maybe they had been at one time but someone forgot to secure them after they had been repurposed to a “real” site). Many were companies that often had these VC units setup in sensitive areas. Some of these had their audio and connected TV’s turned on, and people in the room would notice when a connection occurred. But very often i found that some had their audio and TV’s turned off, or the folks in the room ignored the connection signal. Basically, what HD said here:

…we did prove that most VC equipment provided little or no warning when an attacker dialed into the system. In most cases, the television set is off unless a call is expected. If the television is off, there is little indication that a call is in progress. The reason for this is two-fold;

First – the base unit, not the camera, is usually what has an indicator that turns on when a call is in progress. The base units are often stashed behind a cabinet, near the floor, or generally out of sight.

Second – newer cameras (specifically, the Polycom HDX series) are extremely quiet while being panned or zoomed and the only indication they provide is the direction they are facing. We conducted a “blind” test where the conference room VC unit was accessed during a Rapid7 general staff meeting. Twenty minutes into the meeting, nobody had noticed the camera swinging from the rest position to pointing at a participant’s laptop screen, zoomed in to capture his email and keystrokes.

After connecting to a couple of them and hearing and seeing snippets of very sensitive discussions and realizing that these cameras were very good at zooming into documents, I decided to stop it. I am kinda bummed that I didn’t write about it in my blog back then (at least I don’t remember doing so, and I can’t find it in my archives), but oh well. I didn’t do any cool coding like HD did, and I am pretty sure this would still be a problem today anyway.

So basically, HD is right, and the VC dude is wrong. This is a problem. I know. I have seen this first hand by my own actions. I heard things that I wish I would not have heard about (maybe that is why I didn’t publish anything back then). Not crazy guvment secrets or anything, but it still was information that I could have used to hurt folks or profit from if I was that kind of person.

So IT and security folks, take a look at your videoconferencing setups. Realize that there are a lot of bad settings turned on by default, so make sure you lock them down. Get them off the Internet. Pay attention to where they are located. This can cause you a big headache.

[UPDATE: After re-reading my post and after reading the first comment, I want to say something. I am not saying that HD didn't do something cool, and I am not trying to disparage his work in any way. HD uses code, and he does it very well. I don't have the mad skillz that he does, and putting those scans together is pretty dang cool. I am glad someone with his platform showed that this was an issue that needed to be addressed. I was merely trying to point out that the issue has been around for a while and that I found it in other ways that didn't involve coding.]

“Symantec can confirm that a segment of its source code used in two of our older enterprise products has been accessed, one of which has been discontinued. The code involved is approximately six years old. Symantec’s own network was not accessed, but rather that of a third-party entity. This does not affect Symantec’s Norton products for our consumer customers. We are still gathering information on the details and are not in a position to provide specifics on the third party involved. Presently, we have no indication that the code disclosure impacts the functionality or security of Symantec’s solutions. Furthermore, there are no indications that customer information has been impacted or exposed at this time. Symantec recommends that users keep their solutions updated which will ensure protection against any new possible threats that might result from this incident. Given the early stages of the investigation, we have no further details to disclose at this time but will provide updates as we confirm additional facts.”

A blog post by @m1a1vet

]]> http://infosecplace.com/blog/2012/01/06/symantecs-latest-statement-on-source-code-theft/feed/ 0 http://infosecplace.com/blog/2012/01/06/security-lesson-from-a-mouse-story/ http://infosecplace.com/blog/2012/01/06/security-lesson-from-a-mouse-story/#comments Fri, 06 Jan 2012 10:46:11 +0000 Michael Farnum http://infosecplace.com/blog/?p=1301 ↓ Read the rest of this entry...]]> I was going through some old blog posts, and one I found contained the following story:

Mouse Story

A mouse looked through the
crack in the wall to see the farmer and his wife open a package.
“What food might this contain?” The mouse wondered -
he was devastated to discover it was a mousetrap.
Retreating to the farmyard,
the mouse proclaimed the
warning.
“There is a mousetrap in the house! There is a mousetrap
in the house!”
The chicken clucked and scratched, raised her head and
said, “Mr. Mouse, I can tell this is a grave concern to you
but it is of no consequence to me.
I cannot be bothered by it.”
The mouse turned to the pig and told him, “There is a
mousetrap in the house! There is a mousetrap in the house!”
The pig sympathized, but said,
“I am so very sorry, Mr. Mouse,
but there is nothing I can do about it but pray.
Be assured you are in my prayers.”
The mouse turned to the cow and said, “There is a
mousetrap in the house!
There is a mousetrap in the house!”
The cow said, “Wow, Mr. Mouse.
I’m sorry for you,
but it’s no skin off my nose.”
So, the mouse returned to the house, head down and dejected,
to face the farmer’s mousetrap– alone.
That very night a sound was heard throughout the house –
like the sound of a mousetrap catching its prey.
The farmer’s wife rushed to see what was caught. In the
darkness, she did not see it was a venomous snake
whose tail the trap had caught.
The snake bit the farmer’s wife.
The farmer rushed her
to the hospital and she returned home with a fever.
Everyone knows you treat a fever with fresh chicken soup,
so the farmer took his hatchet to the farmyard for the soup’s
main ingredient.
But his wife’s sickness continued,
so friends and neighbors came
to sit with her around the clock.
To feed them, the farmer butchered the pig.
The farmer’s wife did not get well; she died.
So many people came
for her funeral, the farmer
had the cow slaughtered to provide enough meat for all of them.
The mouse looked upon it all from his crack in the wall with great sadness.
So, the next time you hear someone is facing a problem and think it doesn’t concern you,
remember –
when one of us is threatened,
we are all at risk.

I posted that back in 2006 (crap, I am getting old), and I said it had some security points. But the post also said that I was hungry when I was writing it (coincidentally, I am hungry right now also – huh, maybe I’m just always hungry…), so I didn’t break those down. Well fans, let me remedy that situation now. Here’s the lesson:

Your insecurity affects us all. If you know there is a security problem (whether that be by your own discovery or through someone else warning you), and you have the power to either fix it or influence someone who does have the power, then get ‘er done.

I know there are all kinds of caveats to that as far as risk, process, etc. But the raw edge needs to be there. Ignoring a problem does not make it go away. In today’s world of hactivism and hacking for hire, there are just too many attacks coming from too many angles. Test, fix, retest, fix, retest, fix, and so on. Stop screwing around.

This rant brought to you by @m1a1vet

]]> http://infosecplace.com/blog/2012/01/06/security-lesson-from-a-mouse-story/feed/ 0 http://infosecplace.com/blog/2012/01/06/an-information-security-place-podcast-episode-01-for-2012/ http://infosecplace.com/blog/2012/01/06/an-information-security-place-podcast-episode-01-for-2012/#comments Fri, 06 Jan 2012 10:04:07 +0000 Michael Farnum http://infosecplace.com/blog/?p=1292 ↓ Read the rest of this entry...]]>

Wow! 6 Months…and 2 job changes later, we are finally back to recording! YEAH!….Here the latest show from our intrepid hosts.

Show Notes:

InfoSec News Update –

• The Hacker News Hacking Awards : Best of Year 2011 – Link Here
• Japan’s Anti-Virus Virus – Link Here
• Nginx (pronunciation: “engine-ex”) becomes #2 web server
• Saudi hackers break into Israeli site – Link Here
• 3 Surefire Ways to Tick Off an Auditor – Link Here
• OWASP AJAX Crawling Tool – Link1 / Link2

Discussion Topic – 2012 Breach Report

1. Care2 Discloses Breach; Company Has Nearly 18 Million Members – Link Here
2. AntiSec hit California and NY Law Enforcement Sites – Link Here
3. Anonymous Nabs 50,000 Credit Card Numbers From Security Think Tank – Link Here

Music Notes:Special Thanks to the guys at RivetHead for use of their tracks – http://www.rivetheadonline.com/

Tour Dates:

1. Jan 6 – Dallas – Curtain Club
2. Jan 27 – Dallas – Trees
3. Jan 28 – Dallas – Trees
4. Mar 2 – Dallas – Curtain Club – 7th Album CD Release Party
5. Mar 3 – Houston – BFE Rock Club
6. Mar 24 – Fort Worth – The Rail Club
7. May 5 – Dallas – Renos Chop Shop

Intro – RivetHead – “The 13th Step”

News Bed – RivetHead - “Beautiful Disaster”

Discussion Bed – RivetHead - “Difference”

Outro – RivetHead – “Zero Gravity”

Link to MP3

]]> http://infosecplace.com/blog/2012/01/06/an-information-security-place-podcast-episode-01-for-2012/feed/ 0 noWow! 6 Months…and 2 job changes later, we are finally back to recording! YEAH!….Here the latest show from our intrepid hosts. Show Notes: InfoSec News Update – The Hacker News Hacking Awards : Best of Year 2011 – Link Here […] ↓ Read the rest Wow! 6 Months…and 2 job changes later, we are finally back to recording! YEAH!….Here the latest show from our intrepid hosts. Show Notes: InfoSec News Update – The Hacker News Hacking Awards : Best of Year 2011 – Link Here […] ↓ Read the rest of this entry...Security nonadult