<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0"><channel><title>Andy ITGuy</title><link>http://www.andyitguy.com/blog</link><description>The voice of reason in a world of FUD</description><language>en</language><lastBuildDate>Fri, 06 Nov 2009 13:31:30 PST</lastBuildDate><generator>http://wordpress.org/?v=2.8.5</generator><sy:updatePeriod xmlns:sy="http://purl.org/rss/1.0/modules/syndication/">hourly</sy:updatePeriod><sy:updateFrequency xmlns:sy="http://purl.org/rss/1.0/modules/syndication/">1</sy:updateFrequency><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" href="http://feeds.feedburner.com/AndyItguy" type="application/rss+xml" /><feedburner:emailServiceId>AndyItguy</feedburner:emailServiceId><feedburner:feedburnerHostname>http://feedburner.google.com</feedburner:feedburnerHostname><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com" /><item><title>Atlanta NAISG November Meeting</title><link>http://feedproxy.google.com/~r/AndyItguy/~3/b_gkc47f04M/</link><category>NAISG</category><category>information security</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">andyitguy</dc:creator><pubDate>Fri, 06 Nov 2009 13:31:30 PST</pubDate><guid isPermaLink="false">http://www.andyitguy.com/blog/?p=820</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[<p class="MsoPlainText"><strong>This month marks the one year anniversary of the Atlanta Chapter of the National Information Security Group. Come and join us as we continue to move forward and meet the needs of those seeking to secure their home and work systems. 
We’re a small group of passionate and committed security professionals who have a desire to share with and learn from others in the Atlanta market. Please make plans to join us!</strong></p>
<p class="MsoPlainText"><strong>When:</strong></p>
<p class="MsoPlainText">Wednesday, November 11, 2009</p>
<p class="MsoPlainText">7pm – Networking</p>
<p class="MsoPlainText">730pm – ATL NAISG Business</p>
<p class="MsoPlainText">740pm – Keynote Presentation</p>
<p class="MsoPlainText">830pm – End </p>
<p class="MsoPlainText"><strong>Where:</strong></p>
<p class="MsoPlainText">Taco Mac – Lindbergh City Center</p>
<p class="MsoPlainText">573 Main Street   <br />Atlanta, Georgia 30324</p>
<p class="MsoPlainText"><strong>What:</strong></p>
<p class="MsoPlainText">Taking Incident Response to the Next Level</p>
<p class="MsoPlainText">This exciting and interactive presentation will discuss taking security incident response, not matter where you are, to the next level. We&#8217;ll specifically use the case study of a Fortune 100 company moving from a disjointed and undocumented response plan to the establishment of a Computer Security Incident Response Team. Topics will include realistic self-assessment, developing the business case, addressing small yet vital issues, and continual improvement. </p>
<p class="MsoPlainText"><strong>Who:</strong></p>
<p class="MsoPlainText">Martin Fisher</p>
<p class="MsoPlainText">Manager-Computer Security Incident Response Team</p>
<p class="MsoPlainText">Delta Air Lines</p>
<p class="MsoPlainText">Martin Fisher currently is leading the Computer Security Incident Response Team at Delta Air Lines. His 20-year IT career includes a broad set of experiences, including working the last five years at Delta to develop enhanced security incident response. A leader focused on developing teams, Martin currently is working to create a consolidated CSIRT for the largest airline in the world.</p>
<p class="MsoPlainText"><strong>Why:</strong></p>
<p class="MsoPlainText">Atlanta has lots of User groups and technology related organizations that meet every month. So why should you attend NAISG? </p>
<ol>
<li>
<div class="MsoPlainText">Great opportunity to interact with some of Atlanta’s top security talent.</div>
</li>
<li>
<div class="MsoPlainText">Good food, conversation and networking.</div>
</li>
<li>
<div class="MsoPlainText">A focus on you and helping you in your day to day security endeavors.</div>
</li>
<li>
<div class="MsoPlainText">Relevant topics that are interesting, entertaining, informative and most of all not a vendor sales pitch.</div>
</li>
<li>
<div class="MsoPlainText">Focus on the needs of those in both operations and management.</div>
</li>
<li>
<div class="MsoPlainText">No membership fees, sales pitches, or pressure to do anything but show up and learn (having a good time is encouraged though)</div>
</li>
</ol>
<div class="feedflare">
<a href="http://feeds.feedburner.com/~ff/AndyItguy?a=b_gkc47f04M:E4-DpWWnbs4:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/AndyItguy?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AndyItguy?a=b_gkc47f04M:E4-DpWWnbs4:dnMXMwOfBR0"><img src="http://feeds.feedburner.com/~ff/AndyItguy?d=dnMXMwOfBR0" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AndyItguy?a=b_gkc47f04M:E4-DpWWnbs4:7Q72WNTAKBA"><img src="http://feeds.feedburner.com/~ff/AndyItguy?d=7Q72WNTAKBA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AndyItguy?a=b_gkc47f04M:E4-DpWWnbs4:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/AndyItguy?i=b_gkc47f04M:E4-DpWWnbs4:V_sGLiPBpWU" border="0"></img></a>
</div><img src="http://feeds.feedburner.com/~r/AndyItguy/~4/b_gkc47f04M" height="1" width="1"/>]]></content:encoded><description>This month marks the one year anniversary of the Atlanta Chapter of the National Information Security Group. Come and join us as we continue to move forward and meet the needs of those seeking to secure their home and work systems. We’re a small group of passionate and committed security professionals who have a desire [...]</description><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.andyitguy.com/blog/?feed=rss2&amp;p=820</wfw:commentRss><slash:comments xmlns:slash="http://purl.org/rss/1.0/modules/slash/">1</slash:comments><feedburner:origLink>http://www.andyitguy.com/blog/?p=820</feedburner:origLink></item><item><title>The Tale of an Unsatisfied Security Professional</title><link>http://feedproxy.google.com/~r/AndyItguy/~3/0Ffnb2WHN4o/</link><category>dissatisfaction</category><category>information security</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">andyitguy</dc:creator><pubDate>Thu, 05 Nov 2009 07:38:39 PST</pubDate><guid isPermaLink="false">http://www.andyitguy.com/blog/?p=819</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[<p>Note: I originally wrote this back in July of 2009 but was holding off on posting it until I landed a new position. I’ve decided to go ahead an post it, partly in response to <a href="http://preachsecurity.blogspot.com/2009/10/csi-annual-2009.html">the post Rafal Los</a> on the CSI 2009 conference this year. </p>
<hr />
<p>I usually don’t blog about stories that everyone else has blogged about. I know that I really get fed up when I go through my RSS feeds and see post after post after post about some story. Take the story about SSNs being predictable. I know I saw at least 50 different write-ups on it. I guarantee you that every one of you who reads my blog saw that same story at least 10 times, so why in the world would you want to see me write about it? But this time I’m going to break my own rule and write a little about a story that has made the rounds. I’m <a href="http://www.infosecleaders.com/2009/07/job-satisfaction-in-security/">talking about the survey that Mike and Lee did regarding job satisfaction.</a> Why? Because I <em><strong>was</strong></em> (note the emphasis) one of those “unsatisfied” individuals.</p>
<p>My story started a little over two years ago. I had just started a new job as the Senior Security Engineer for a company. I started on Monday, and on Tuesday I got the news that they also wanted me to be the Security Officer for the company. They needed a good deal of work in shoring up the security architecture and program. That meant that I would do less hands-on technical work than planned and spend the majority of my time trying to get the security house in order. I was elated. I had done similar work as part of my duties at my previous three employers and was excited at the opportunity to really build a program from the ground up.</p>
<p>One of my early concerns arose when I was given the news about the change: I was told that I’d have a dual reporting structure. My day-to-day reporting would be to the Manager of the Infrastructure group and I’d have a “dotted line” report to the CIO. That sounded reasonable, especially early on as things were getting started. Then they told me that the CIO did not want me to go to him directly for anything; when he wanted me he would call me. That sounded odd at first, but I figured that since he is the CIO and busy that made a little sense. I assumed that he would schedule a meeting with me in the next couple of weeks to talk about the program and hammer out some of the things that he wanted to see. A couple of weeks went by and still no meeting request. I went to my direct manager and tried to talk with him about some of the things that needed to be talked about and got what I soon learned was his standard answer: “What are the industry standards and best practices?”</p>
<p>One of the first things that I started looking at was policies and procedures. I needed to get a feel for what they said so I could better understand the overall company perspective on things. That didn’t get me too far because they were so old and outdated that they didn’t reflect much that was currently going on in practice, nor did they reflect the current company and IT goals. So I set out on updating them as best I could. Since I was still new I spent a good deal of time talking with everyone I could to get a feel for how they needed to look. I still wasn’t getting anything from Management so I put them together and submitted them for review. Most of them sat for quite some time without ever being looked at (over a year in most cases). Now I knew that I was really facing an uphill battle.</p>
<p>Things such as this continued for much of the time that I was there. I continued to do the things that I felt were necessary to build the house, but without any real help from management it was difficult to know what they really wanted and expected. I tackled PCI, internal audit findings, current practices within the various technology groups, new projects, existing projects. All of this with the goal of building cohesiveness within the security program. Things like ensuring that the server team, network team and application team were communicating regularly to ensure that the security tasks one team was doing were not being undone by another. Making sure that security got visibility into every program and that security had a voice in what was happening at an enterprise level.</p>
<p>Things were going on fairly well but I was quickly becoming unsatisfied. I felt that even though I was making progress and things were really shaping up, management really didn’t care about the program and that as long as we were keeping the auditors happy then everything was OK. When I tried to move the program “beyond the check box” I got push back. When I tried to get clarification on the direction I was taking the program I got blank stares. It was becoming evident that the only reason that they even had me there was because the auditors told them that they needed someone to shore up their program. It wasn’t an enterprise mandate (which unfortunately security rarely is). It wasn’t a Technology mandate or even a technology priority. It was an audit mandate and the technology department was audit driven. Audit reports went to the Board of Directors and therefore whatever audit wanted, audit got.</p>
<p>By now I was seriously on my way to unsatisfied. When you are passionate about something and when you truly desire to do your best and you know that it’s not really making a difference because of corporate culture or management push back, it’s hard to stay satisfied. It affected me beyond work. Fortunately not to the degree where it affected my family life, but it did affect my blogging. You may have noticed that in the last several months my blogging has not been nearly as frequent as it had been. I was just so mentally worn out by the end of the day that I didn’t want to write about security because I was unhappy at work.</p>
<p>I thought about looking for other positions but didn’t want to give up. I still held onto a glimmer of hope that I could enable change. So I stuck with it. I was able to get a few things changed within the program that I felt would really make a difference. One of the “problems” that I saw was that I reported under the Infrastructure group. That meant that even though I had responsibilities for security in other groups they often pulled the “you don’t work in this department, you work in infrastructure” card. Then there was the resistance I got from Infrastructure at times. The “you work for me and will do things as I want” card was used often. I knew that in order to truly be effective I had to have a reporting structure outside the other departments. I needed to either report directly to the CIO or to the Director of the team that was responsible for the ancillary functions of IT. This group contained Change Management, QA and Compliance. I felt that if I could get the security program moved under that group that I would have more authority when needed. Since that group was independent of the other IT groups and due to the way it was structured it had that authority. I was able to convince the CIO to approve the move and that made a difference. </p>
<p>Unfortunately it did little to make a difference in the audit-driven mentality of the whole IT program. So my dissatisfaction continued. By this time I knew it was time to move on. Unfortunately, before I could start a serious job hunt the economy bit me. Things were pretty well shored up in the house and now they could tell audit that we have things in order and money is tight so we had to make some changes. But that would be OK because they had the framework in place and they would continue to work under it as they had been for the last year or so. They now knew what to do to keep audit happy from a security perspective, and since I didn’t do the hands-on day-to-day tasks needed to run the network I was the logical one to go.</p>
<p>So now I’m no longer an unsatisfied security pro. I’m currently an unemployed one, but I’m thoroughly enjoying getting back into the swing of reading and writing about security. I’m enjoying a renewed passion for security that had been worn down somewhat. It’s refreshing and encouraging. That’s my tale. It actually has a happy ending even though the ending hasn’t been fully written yet. I’m currently riding off into the sunset and waiting to see where the sunset leads.</p>
<hr />
<p>To the point that Raf made in saying that the participants in the conference were “lack-luster” and lacked passion I say “I completely understand”. I think that a big portion of Information Security Professionals are just flat worn out. They are having to do more with less and getting little support from management. That really can drain the energy from you and affect not only how you do your job but also your general attitude.</p>
<div class="feedflare">
<a href="http://feeds.feedburner.com/~ff/AndyItguy?a=0Ffnb2WHN4o:LJC52jTKIzQ:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/AndyItguy?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AndyItguy?a=0Ffnb2WHN4o:LJC52jTKIzQ:dnMXMwOfBR0"><img src="http://feeds.feedburner.com/~ff/AndyItguy?d=dnMXMwOfBR0" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AndyItguy?a=0Ffnb2WHN4o:LJC52jTKIzQ:7Q72WNTAKBA"><img src="http://feeds.feedburner.com/~ff/AndyItguy?d=7Q72WNTAKBA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AndyItguy?a=0Ffnb2WHN4o:LJC52jTKIzQ:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/AndyItguy?i=0Ffnb2WHN4o:LJC52jTKIzQ:V_sGLiPBpWU" border="0"></img></a>
</div><img src="http://feeds.feedburner.com/~r/AndyItguy/~4/0Ffnb2WHN4o" height="1" width="1"/>]]></content:encoded><description>Note: I originally wrote this back in July of 2009 but was holding off on posting it until I landed a new position. I’ve decided to go ahead an post it, partly in response to the post Rafal Los on the CSI 2009 conference this year. 
&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;&amp;#8212;-
I usually don’t blog about stories that everyone else [...]</description><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.andyitguy.com/blog/?feed=rss2&amp;p=819</wfw:commentRss><slash:comments xmlns:slash="http://purl.org/rss/1.0/modules/slash/">2</slash:comments><feedburner:origLink>http://www.andyitguy.com/blog/?p=819</feedburner:origLink></item><item><title>How to deal with bug reports and vulnerability disclosures</title><link>http://feedproxy.google.com/~r/AndyItguy/~3/NjPBjlXnm6o/</link><category>error messages</category><category>information security</category><category>vulnerabilities</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">andyitguy</dc:creator><pubDate>Thu, 22 Oct 2009 17:46:00 PDT</pubDate><guid isPermaLink="false">http://www.andyitguy.com/blog/?p=818</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[<p>A few weeks ago I was looking into some online services and was checking out various offerings to see if they would meet my requirements. Of course each of these services requires you to create an account to be able to test them. Although I’m not crazy about this it’s a reality of doing things on the internet. If it’s something that I’m really not comfortable with then I will either pass on the service or use a throw away email account to do my testing with. </p>
<p>Before I go any further let me say that I am not a pen tester, vulnerability researcher or uber hacker by any means. I can and do some of the above when needed, but for the most part I’m just a guy who believes strongly in doing my part to keep my little piece of the world secure. Unfortunately, the more places I go on the internet the bigger my piece of the world gets. If I’m going to use an internet-based service, no matter what it is, then I expect it to meet a minimum level of various requirements, and security is a big one. I also expect reasonable tech support services and a user interface that is understandable and usable.</p>
<p>To vary slightly off path I want to say that I believe strongly that every insecure system, application and user out there hurts us all. It’s not just an “it’s my system and I can do what I want with it” world. When you disconnect from the internet and NEVER reconnect again then you can live your computing life that way. Until then you have a responsibility to keep your systems and applications secure and to practice “reasonable and secure” computing. If you don’t, it affects way more than just you.</p>
<p>Back to my topic. So as I’m testing services I run across one that has an unusual “feature”. There are two “Continue” buttons at the bottom of the first page of the registration process. I’ve never seen this before and obviously am curious as to why. If you push one of them nothing happens (yes, I tested this in a secure environment), and if you press the other one you get different responses depending on whether or not you pushed the other one first. So as I’m looking into what is going on I check the page source code to see what is going on, and it appears that the “second” button is supposed to be hidden and is used for debugging. Someone just forgot to “hide” it after testing.</p>
<p>After I have completed my testing and have a pretty good understanding of exactly what happens under different circumstances I compose an email and send it to 2 different contacts that I was able to find for the site. Thus the reason for this post.</p>
<p>I sent two emails with the relevant information. I sent them copies of the error that was displayed, how to recreate the error, and information as to why having an error of this type displayed is a hacker’s dream. To date I have not heard back from them and the site has not changed. It still has two “Continue” buttons. It still displays the error when you click the buttons in the right order. So since it’s been a while and nothing has happened I decided to write about it here. Not from the perspective of disclosing the site and hoping to “force their hand” but to talk about how to deal with such issues.</p>
<p>So how should you as a company deal with something such as this? At my last job, shortly after I started, we got an email from a “white hat” who said he had discovered a SQLi on our site. I did a little investigating myself and confirmed that we really did have a SQLi, so I got with my apps guys and got it fixed in a matter of minutes. I wanted to reach out to the guy who reported it and tell him thanks for the heads up and let him know that we appreciated him handling it this way and not a) exploiting it b) announcing it to the world. Since I was new in the position I decided to run it by my supervisor and he would not allow me to do so. He told me to ignore the guy and hope he left us alone. I wasn’t too keen on this but followed his directive and did not contact the guy. Was this the best course of action? I’m not 100% sure but I know that I didn’t like just leaving him hanging. What if it irritated him and he came after us in other ways? What if he found other issues later and decided not to report them to us first since we ignored him? What were the implications of this? There are no hard and fast rules on something such as this. If someone says that they are a white hat and they are reporting a vulnerability or bug then chances are that they don’t care to be responded to, but if they are a grey hat then this could be just the excuse they are looking for to justify their next step that is in the black hat realm.</p>
<p>Now, I’m not going to turn black hat on them and I really don’t care that they have not contacted me, but I do care that they have not fixed the problem. Because when others, who may be less amiable than me, find this they may have the skills and motivation to use this as an entry point into their network (yes they do have a “for pay” service that you pay for with your credit card) or to use it as a malware distribution point. Neither of which will benefit the company and both of which can hurt you and me. </p>
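<p>Added example, not code from this post or from the service it describes: the Python sketch below shows the two weaknesses described above, a debugging control that was only “hidden” in the page and an error page that echoes internal details to the visitor, beside a hardened handler. The form fields, the <code>FakeBackend</code> stand-in, the hostname and service account in the simulated failure, and the handler names are all assumptions constructed for illustration.</p>

```python
"""Added example, not code from the post or the service it describes: a
registration handler showing the two weaknesses the post found (a debugging
control that was only 'hidden' in the page, and an error page that echoes
internal details) beside a hardened version. All names, the form fields and
the backend are assumptions constructed for illustration."""
import traceback
import uuid

# Constructed sample submissions, standing in for what the browser POSTs when
# the visible "Continue" or the forgotten debugging "Continue" is pressed.
SAMPLE_NORMAL = {"email": "user@example.com", "action": "continue"}
SAMPLE_DEBUG = {"email": "user@example.com", "action": "debug_continue"}

# Everything the hardened handler records server-side, for operators only.
INTERNAL_LOG = []


class FakeBackend:
    """Constructed stand-in for the account store. up=False simulates the
    kind of backend failure that produced the error page the post saw."""

    def __init__(self, up=True):
        self.up = up

    def create_account(self, email):
        if not email or "@" not in email:
            raise ValueError("invalid email: %r" % (email,))
        if not self.up:
            # Hostname and service account are constructed for the example.
            raise RuntimeError("connect to db01.internal:5432 as regsvc failed")
        return {"id": uuid.uuid4().hex, "email": email}


def handle_registration_insecure(form, backend):
    """The pattern the post describes: the debug button is merely hidden in
    the HTML, so whatever 'action' the client sends is honoured, and any
    failure is rendered verbatim to the user. Returns (status, body)."""
    try:
        if form.get("action") == "debug_continue":
            # Debug path someone forgot to remove: dumps the submission back.
            return 200, "DEBUG form=%r" % (form,)
        acct = backend.create_account(form.get("email"))
        return 200, "Welcome %s" % acct["email"]
    except Exception:
        # Stack trace, hostnames and service accounts go straight to the browser.
        return 500, traceback.format_exc()


def handle_registration_hardened(form, backend, debug_enabled=False):
    """Server-side fix: only the actions the production form is meant to send
    are accepted, the debug action needs an explicit server-side switch (never
    a hidden button), and users only get an opaque reference they can quote to
    support while the details stay in the internal log. Returns (status, body)."""
    allowed = {"continue"} | ({"debug_continue"} if debug_enabled else set())
    action = form.get("action")
    if action not in allowed:
        return 400, "Unknown action"
    try:
        if action == "debug_continue":
            return 200, "DEBUG form=%r" % (form,)
        acct = backend.create_account(form.get("email"))
        return 200, "Welcome %s" % acct["email"]
    except Exception:
        ref = uuid.uuid4().hex[:12]
        INTERNAL_LOG.append((ref, traceback.format_exc()))
        return 500, "Registration failed; please contact support and quote reference %s" % ref


def last_internal_record():
    """Most recent (reference, detail) pair the hardened handler logged."""
    return INTERNAL_LOG[-1] if INTERNAL_LOG else None


if __name__ == "__main__":
    down = FakeBackend(up=False)
    print(handle_registration_insecure(SAMPLE_DEBUG, down))   # debug path reachable
    print(handle_registration_insecure(SAMPLE_NORMAL, down))  # leaks the trace
    print(handle_registration_hardened(SAMPLE_DEBUG, down))   # 400, rejected
    print(handle_registration_hardened(SAMPLE_NORMAL, down))  # 500 with opaque ref
```

<p>The point of the hardened handler is that hiding a button in HTML is not access control: the server decides which actions exist, the debug path needs an explicit server-side switch, and a visitor who triggers a failure sees only a reference that support can match against the internal log rather than the hostnames and usernames an attacker would use to plan the next step.</p>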
<div class="feedflare">
<a href="http://feeds.feedburner.com/~ff/AndyItguy?a=NjPBjlXnm6o:kLUtS6Dt0c4:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/AndyItguy?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AndyItguy?a=NjPBjlXnm6o:kLUtS6Dt0c4:dnMXMwOfBR0"><img src="http://feeds.feedburner.com/~ff/AndyItguy?d=dnMXMwOfBR0" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AndyItguy?a=NjPBjlXnm6o:kLUtS6Dt0c4:7Q72WNTAKBA"><img src="http://feeds.feedburner.com/~ff/AndyItguy?d=7Q72WNTAKBA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AndyItguy?a=NjPBjlXnm6o:kLUtS6Dt0c4:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/AndyItguy?i=NjPBjlXnm6o:kLUtS6Dt0c4:V_sGLiPBpWU" border="0"></img></a>
</div><img src="http://feeds.feedburner.com/~r/AndyItguy/~4/NjPBjlXnm6o" height="1" width="1"/>]]></content:encoded><description>A few weeks ago I was looking into some online services and was checking out various offerings to see if they would meet my requirements. Of course each of these services requires you to create an account to be able to test them. Although I’m not crazy about this it’s a reality of doing things [...]</description><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.andyitguy.com/blog/?feed=rss2&amp;p=818</wfw:commentRss><slash:comments xmlns:slash="http://purl.org/rss/1.0/modules/slash/">0</slash:comments><feedburner:origLink>http://www.andyitguy.com/blog/?p=818</feedburner:origLink></item><item><title>October Atlanta NAISG Meeting</title><link>http://feedproxy.google.com/~r/AndyItguy/~3/veP6rO1oq1Y/</link><category>information security</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">andyitguy</dc:creator><pubDate>Mon, 05 Oct 2009 13:03:17 PDT</pubDate><guid isPermaLink="false">http://www.andyitguy.com/blog/?p=815</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[<p>Here Ye! Hear Ye! Mark your calendars, make your plans and&#160; let nothing interfere. It’s once again time for the monthly meeting of the Atlanta chapter of the National Information Security Group. We’re back in full swing after taking a short summer break. We started things up with a bang in September with Mike Rothman presenting totally new material and now we are following it up with </p>
<p align="center"><strong><font size="5" face="Kristen ITC">THE GIRLS OF ERRATA!!</font></strong></p>
<div>
<p class="MsoNormal"><strong>Wednesday, October 14th<br />Taco Mac Lindbergh</strong></p>
<p class="MsoNormal">7pm &#8211; Food, Drinks, Networking<br />730pm &#8211; NAISG Chapter Business<br />740pm &#8211; Keynote Presentation<br />830pm &#8211; End</p>
<p><strong>Case Study Analysis: Social Networking ID Theft &#8211; Who You Gonna Call?</strong></p>
<p><strong>Elizabeth Wharton</strong>, VP Legal Affairs &amp; Business Development, Errata Security</p>
<p><strong>Marisa Fagan</strong>, Security Project Manager, Errata Security</p>
<p>More and more news stories tell of the vulnerability of sites like Facebook, Twitter and Gmail accounts to ID theft and crime. You&#8217;re not safe just because you&#8217;re cautious and follow security recommendations &#8211; what about your friends, coworkers and colleagues? Are you responsible for damages when someone hijacks your Twitter account? Is your company liable for disclosures of confidential information thanks to an employee&#8217;s unsafe e-mail practices from home? Marisa Fagan and Elizabeth Wharton will analyze and discuss recent vulnerability and breach case studies related to Facebook, Twitter, Gmail and LinkedIn &#8211; looking at what happened, prevention methods, and legal implications of the examples.</p>
<p><strong>About our speakers:</strong></p>
<p>Elizabeth Wharton is an experienced transactional attorney currently serving as Vice President of Legal Affairs and Business Development for Errata Security. Ms. Wharton focuses on advising emerging companies with their business development and growth related matters. Prior to her legal career, Ms. Wharton worked in Washington, D.C. as a congressional legislative aide specializing in technology, science, education and workplace issues.</p>
<p>Marisa Fagan currently serves as Security Project Manager for Errata Security. During her tenure with Errata Security, Ms. Fagan has successfully managed projects for a variety of large and small-to-midsized companies. She specializes in rapid development of network security tools and is recognized for her research in threat modeling and identity theft. Ms. Fagan holds a BBA degree from Georgia State University focused on IT Project Management and Information Security.</p>
<p><strong>SAVE THE DATE:</strong></p>
<p>November NAISG-ATL Meeting &#8211; 7pm, Wednesday, November 11th</p>
<p><strong>Keynote Speaker:</strong> Martin Fisher, Manager, Computer Security Incident Response Team (CSIRT), Delta Air Lines</p>
<p><strong>Follow us on Twitter:</strong> <a href="http://twitter.com/NAISG_atl" rel="nofollow" target="_blank">@NAISG_atl</a></p>
</div>
<div class="feedflare">
<a href="http://feeds.feedburner.com/~ff/AndyItguy?a=veP6rO1oq1Y:Piuxkq228jg:yIl2AUoC8zA"><img src="http://feeds.feedburner.com/~ff/AndyItguy?d=yIl2AUoC8zA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AndyItguy?a=veP6rO1oq1Y:Piuxkq228jg:dnMXMwOfBR0"><img src="http://feeds.feedburner.com/~ff/AndyItguy?d=dnMXMwOfBR0" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AndyItguy?a=veP6rO1oq1Y:Piuxkq228jg:7Q72WNTAKBA"><img src="http://feeds.feedburner.com/~ff/AndyItguy?d=7Q72WNTAKBA" border="0"></img></a> <a href="http://feeds.feedburner.com/~ff/AndyItguy?a=veP6rO1oq1Y:Piuxkq228jg:V_sGLiPBpWU"><img src="http://feeds.feedburner.com/~ff/AndyItguy?i=veP6rO1oq1Y:Piuxkq228jg:V_sGLiPBpWU" border="0"></img></a>
</div><img src="http://feeds.feedburner.com/~r/AndyItguy/~4/veP6rO1oq1Y" height="1" width="1"/>]]></content:encoded><description>Here Ye! Hear Ye! Mark your calendars, make your plans and&amp;#160; let nothing interfere. It’s once again time for the monthly meeting of the Atlanta chapter of the National Information Security Group. We’re back in full swing after taking a short summer break. We started things up with a bang in September with Mike Rothman [...]</description><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.andyitguy.com/blog/?feed=rss2&amp;p=815</wfw:commentRss><slash:comments xmlns:slash="http://purl.org/rss/1.0/modules/slash/">0</slash:comments><feedburner:origLink>http://www.andyitguy.com/blog/?p=815</feedburner:origLink></item><item><title>A little about ME :)</title><link>http://feedproxy.google.com/~r/AndyItguy/~3/yvWgddn4D8c/</link><category>information security</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">andyitguy</dc:creator><pubDate>Thu, 17 Sep 2009 12:31:55 PDT</pubDate><guid isPermaLink="false">http://www.andyitguy.com/blog/?p=813</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[<p>OK, so I’m a little late on posting this but I’ve been busy. A few weeks ago the guys at Anue Systems contacted me about doing a short interview and it was posted a couple of weeks ago. You can read it on <a href="http://www.anuesystems.com/blog/2009/09/09/security-pros-on-twitter-spot-andy-willingham/">their blog here</a>. Just a couple of corrections (I haven’t even told them yet b/c I’ve been too busy and it’s not a big deal) I do not live in Canada I live in Atlanta and I don’t work for a Financial Services firm any more. </p>
<div class="feedflare">
</div><img src="http://feeds.feedburner.com/~r/AndyItguy/~4/yvWgddn4D8c" height="1" width="1"/>]]></content:encoded><description>OK, so I’m a little late on posting this but I’ve been busy. A few weeks ago the guys at Anue Systems contacted me about doing a short interview and it was posted a couple of weeks ago. You can read it on their blog here. Just a couple of corrections (I haven’t even told [...]</description><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.andyitguy.com/blog/?feed=rss2&amp;p=813</wfw:commentRss><slash:comments xmlns:slash="http://purl.org/rss/1.0/modules/slash/">0</slash:comments><feedburner:origLink>http://www.andyitguy.com/blog/?p=813</feedburner:origLink></item><item><title>Good things to read (if you haven’t already)</title><link>http://feedproxy.google.com/~r/AndyItguy/~3/GuFgJgLoPzc/</link><category>information security</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">andyitguy</dc:creator><pubDate>Tue, 01 Sep 2009 08:48:48 PDT</pubDate><guid isPermaLink="false">http://www.andyitguy.com/blog/?p=811</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[<p>Some of the blogs, articles and such that I’ve saved over the last few weeks have now been read and I wanted to share some of them with you. </p>
<p>First, over at the Security Catalyst Community there are a couple of conversations going on that I think are quite interesting (of course I started them so I’m biased). <img src='http://www.andyitguy.com/blog/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' />  The first one has to do with the doom and gloom mindset that is going around in some corners of InfoSec. <a href="http://www.securitycatalyst.org/forums/index.php?topic=1193.0">You can check it out and add your thoughts here</a> (registration required).</p>
<p><a href="http://www.securitycatalyst.org/forums/index.php?topic=1196.0">Next there is a conversation</a> about some simple things that we can do to simplify our lives and make our environments more secure.</p>
<p>Lori Macvittie has a good write up on Cloud Security considerations at the <a href="http://devcentral.f5.com/weblogs/macvittie/archive/2009/09/01/securing-the-other-side-of-the-cloud.aspx">F5 blog</a>. </p>
<p>Now, I haven’t read this yet but I can’t help but think that it’s good and well worth the time to go through it. <a href="http://csrc.nist.gov/publications/drafts/ir-7621/draft-nistir-7621.pdf">NIST – Small Business Security</a></p>
<p>On a non-security note my favorite Leadership Guru, John Maxwell, has posted the first chapter to a new book online. <a href="http://johnmaxwellonleadership.com/2009/08/31/connecting-increases-your-influence-in-every-situation/">You can read it here</a>.</p>
<p>Another one that I haven’t read yet but looks promising is the new issue of <a href="http://www.mcafee.com/us/research/mcafee_security_journal/summer_2009.html">McAfee Security Journal</a>.</p>
<p>PCI Guru Michael Dahn has a good article on the usefulness of a <a href="http://itknowledgeexchange.techtarget.com/it-compliance/capability-and-maturity-model-creation-in-information-security/">Capability and Maturity Model in a security program</a>. </p>
<p>My good friend Martin Fisher has some great advice for us regarding IR and the leadership needed to have a successful program in your company. He has written 2 articles for the Security Catalyst Blog on this <a href="http://www.securitycatalyst.com/incident-response-leadership-basic-truths/">here</a> and <a href="http://www.securitycatalyst.com/succeeding-by-planning-to-fail/">here</a>.</p>
<p>I’ve got lots more reading to do so I’ll post more later. This should keep you busy for a while anyway. <img src='http://www.andyitguy.com/blog/wp-includes/images/smilies/icon_smile.gif' alt=':)' class='wp-smiley' /> </p>
<div class="feedflare">
</div><img src="http://feeds.feedburner.com/~r/AndyItguy/~4/GuFgJgLoPzc" height="1" width="1"/>]]></content:encoded><description>Some of the blogs, articles and such that I’ve saved over the last few weeks have now been read and I wanted to share some of them with you. 
First, over at the Security Catalyst Community there are a couple of conversations going on that I think are quite interesting (of course I started them [...]</description><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.andyitguy.com/blog/?feed=rss2&amp;p=811</wfw:commentRss><slash:comments xmlns:slash="http://purl.org/rss/1.0/modules/slash/">0</slash:comments><feedburner:origLink>http://www.andyitguy.com/blog/?p=811</feedburner:origLink></item><item><title>From “We’re screwed” to a little rational thinking</title><link>http://feedproxy.google.com/~r/AndyItguy/~3/QXwyNc4kt64/</link><category>FUD</category><category>GRIRST</category><category>Rational Thinking</category><category>information security</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">andyitguy</dc:creator><pubDate>Fri, 28 Aug 2009 11:53:01 PDT</pubDate><guid isPermaLink="false">http://www.andyitguy.com/blog/?p=810</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[<p>My friend Martin Fisher labels it the <span style="widows: 2; text-transform: none; text-indent: 0px; border-collapse: separate; font: 16px &#39;Times New Roman&#39;; white-space: normal; orphans: 2; letter-spacing: normal; color: rgb(0,0,0); word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px" class="Apple-style-span"><span style="line-height: 16px; font-family: verdana; font-size: 13px" class="Apple-style-span">&quot;Post Blackhat/DefCon Stress Disorder&quot;. That time of the year when it seems that everyone is bemoaning the bad shape of things in information security. Doom and gloom prevail at talks and conferences. No one has anything good to say about the state of security. I guess it’s a natural progression when we hear all of the cool, new and scary stuff that is going on. </span></span></p>
<p><span style="widows: 2; text-transform: none; text-indent: 0px; border-collapse: separate; font: 16px &#39;Times New Roman&#39;; white-space: normal; orphans: 2; letter-spacing: normal; color: rgb(0,0,0); word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px" class="Apple-style-span"><span style="line-height: 16px; font-family: verdana; font-size: 13px" class="Apple-style-span">Not that there isn’t plenty for us to be worried about, but we have to keep our rational minds about us. We can’t just talk about what’s wrong; we have to focus on what’s right and what we can do to make things better. One of the things that I noticed at the GFIRST conference this week in Atlanta is that there was plenty of “woe is me” and very little of “here’s what we can do”. Even those that did have an idea as to what we need to do didn’t have much “real meat” to give us. If you don’t have good ideas or solutions and you are just sharing info then please make sure that you have run it through the tempering process. Are things really as bad as you think or is it just because you have seen a good deal of bad stuff lately? Are we beyond repair or is your perception currently clouded? Is it “game over” or are we just at half time and we need to regroup?</span></span></p>
<p><span style="widows: 2; text-transform: none; text-indent: 0px; border-collapse: separate; font: 16px &#39;Times New Roman&#39;; white-space: normal; orphans: 2; letter-spacing: normal; color: rgb(0,0,0); word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px" class="Apple-style-span"><span style="line-height: 16px; font-family: verdana; font-size: 13px" class="Apple-style-span">These are the things that we need to think about before we get up and share information with others. Unless our goal is to engage them in the solution process then we need to really temper our thoughts. And I would venture to say that a conference is not the place to share info with the goal of engaging others in the solution. </span></span></p>
<p><span style="widows: 2; text-transform: none; text-indent: 0px; border-collapse: separate; font: 16px &#39;Times New Roman&#39;; white-space: normal; orphans: 2; letter-spacing: normal; color: rgb(0,0,0); word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px" class="Apple-style-span"><span style="line-height: 16px; font-family: verdana; font-size: 13px" class="Apple-style-span">FUD is rampant right now and we have to slow its progress. We have to look at who is saying it, where they got their data, what their motive is or may be, and what their ideas on a solution are. If we can’t get decent answers to these questions then I’d think twice about putting much stock into what they are saying. Let me give you a good example. Dave DeWalt, CEO of McAfee, said that there are 20+ countries armed and ready for cyber warfare. I tweeted that and shortly after that I got a request from Brian Honan for a link or some solid data to back that up. I didn’t have anything other than Mr. DeWalt’s word. Brian wanted facts to back up the quote because he was thinking rationally and not buying the FUD (or possible FUD).</span></span></p>
<p><span style="widows: 2; text-transform: none; text-indent: 0px; border-collapse: separate; font: 16px &#39;Times New Roman&#39;; white-space: normal; orphans: 2; letter-spacing: normal; color: rgb(0,0,0); word-spacing: 0px; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; -webkit-text-decorations-in-effect: none; -webkit-text-size-adjust: auto; -webkit-text-stroke-width: 0px" class="Apple-style-span"><span style="line-height: 16px; font-family: verdana; font-size: 13px" class="Apple-style-span">I like to think that I’m a fairly rational thinker and that I don’t spread FUD and that I even put a stop to some of it. Hopefully I do. What I want to challenge you to do is also think rationally. Don’t react but plan ahead and think about what you hear and see. If there seems to be validity to it then think about possible solutions and engage others in the process. This is the kind of stuff that will gain us great strides in securing our systems and changing the way things are done. </span></span></p>
<div class="feedflare">
</div><img src="http://feeds.feedburner.com/~r/AndyItguy/~4/QXwyNc4kt64" height="1" width="1"/>]]></content:encoded><description>My friend Martin Fisher labels it the &amp;#34;Post Blackhat/DefCon Stress Disorder&amp;#34;. That time of the year when it seems that everyone is bemoaning the bad shape of things in information security. Doom and gloom prevail at talks and conferences. No one has anything good to say about the state of security. I guess it’s a [...]</description><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.andyitguy.com/blog/?feed=rss2&amp;p=810</wfw:commentRss><slash:comments xmlns:slash="http://purl.org/rss/1.0/modules/slash/">1</slash:comments><feedburner:origLink>http://www.andyitguy.com/blog/?p=810</feedburner:origLink></item><item><title>September NAISG in the ATL</title><link>http://feedproxy.google.com/~r/AndyItguy/~3/B2-fb-tqle0/</link><category>information security</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">andyitguy</dc:creator><pubDate>Thu, 27 Aug 2009 13:18:07 PDT</pubDate><guid isPermaLink="false">http://www.andyitguy.com/blog/?p=809</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[<p>We’re less than two weeks away from the fall kick-off of the Atlanta NAISG speaker series. We have lots of good things in store for the rest of the year. We took the summer off to sit back and relax with less formal meetings and now we are ready to kick it into high gear. </p>
<p>We’re starting off with a bang! Atlanta’s own (he’s been here long enough to say that) Mike “Security Incite” Rothman will be presenting all NEW material. That means he’s not recycling old (yet very inciteful) material. I’ve talked with him about the presentation and I think that it’s something that we all need to hear. </p>
<p>PLEASE, PLEASE, PLEASE make plans to attend. Tell your friends! Tell your Twitter Tweeple and FaceBook friends. Announce it at work and anywhere else that there are people who want to hear more about security. They don’t have to work in security or even technology. The more non-techies we can get, the more people are learning how to do things securely, and that means that Aunt Martha won’t be calling you for tech support as much.</p>
<p>Now that I’m through rambling here are the details!</p>
<p><b>September 9, 2009 &#8212; Atlanta NAISG Meeting</b><br />
<b>Taco Mac – Lindbergh (private room upstairs)</b><br />
<b>7pm – Networking</b><br />
<b>7:30pm – Presentation</b></p>
<p><b>Keynote:</b> Mike Rothman, SVP Strategy &amp; Chief Marketing Officer for eiQNetworks, Chief Blogger at Security Incite and author of the Pragmatic CSO</p>
<p><b><i>The Pursuit of Security Happyness</i></b></p>
<p>For the most part, security professionals are a pretty grumpy lot. A good day for us is when nothing happens and we are always worrying about how we are going to die tomorrow. And it&#8217;s not getting any easier. Between bot outbreaks, audit findings, new mandates, budget cuts, and stupid users &#8211; it&#8217;s enough to put a security pro into a rubber room for a long period of time. Mike will provide a candid assessment of our self-inflicted angst and preview content from an upcoming manifesto that provides a number of techniques to do your job, without making yourself crazy.</p>
<p>Please RSVP to <a href="mailto:Meetings-Atlanta@naisg.org">Meetings-Atlanta@naisg.org</a>.</p>
<p>Our Sponsor this month will be eIQNetworks. They will be providing appetizers and the first round of drinks.</p>
<p>Hope to see many of you there!</p>
<div class="feedflare">
</div><img src="http://feeds.feedburner.com/~r/AndyItguy/~4/B2-fb-tqle0" height="1" width="1"/>]]></content:encoded><description>We’re less than two weeks away from the fall kick-off of the Atlanta NAISG speaker series. We have lots of good things in store for the rest of the year. We took the summer off to sit back and relax with less formal meetings and now we are ready to kick it into high gear. [...]</description><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.andyitguy.com/blog/?feed=rss2&amp;p=809</wfw:commentRss><slash:comments xmlns:slash="http://purl.org/rss/1.0/modules/slash/">0</slash:comments><feedburner:origLink>http://www.andyitguy.com/blog/?p=809</feedburner:origLink></item><item><title>GFIRST Conference Summary</title><link>http://feedproxy.google.com/~r/AndyItguy/~3/YitCwPgQeaA/</link><category>GFIRST</category><category>information security</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">andyitguy</dc:creator><pubDate>Wed, 26 Aug 2009 21:52:28 PDT</pubDate><guid isPermaLink="false">http://www.andyitguy.com/blog/?p=808</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[<p>OK, first let me say that the GFIRST conference was a lot of fun. I’m not 100% sure why because if you followed my <a href="http://www.twitter.com/andywillingham">Twitter</a> comments about some of the talks I wasn’t overly impressed. Yet, in spite of that I still really enjoyed myself. Here is a short summary of my 2 days there.</p>
<p>Day One   <br />The Keynote by Dave DeWalt, President and CEO of McAfee, was entertaining if nothing else. He does give a good talk, but it leaves you wondering. He had lots of great figures and talking points but nothing to back them up. What I mean is there were no references, just “McAfee Research”. Not that I doubt what he said so much as it would be nice to see some of the data that was used to get to these numbers. </p>
<p>I sat in on 4 sessions other than the keynote and got a 50% passing score. What I mean was that 2 of them were pretty good and the other two…. One was OK except that the information was dated and at least to me a bit elementary. Maybe part of that is because I’m cynical and hang around with too many really smart people who keep me in the loop better than many others. The other talk was just painful. To the point where it was all I could do to not walk out (as I’ve been known to do). I just kept holding out hope that the guy would pull it together and I’d discover that Web 2.0 wasn’t all messed up, but he didn’t. Actually the only thing that the talk had to do with Web 2.0 was the fact that the title contained the words Web 2.0.</p>
<p>Day Two   <br />Today was a better day. I was only able to sit in on two sessions and both of them were pretty good. No complaints from either. One was a “Tool Talk” where the presenter basically gave a list of IR tools and talked a little about them and what they were best suited for. The other was a talk on the evolving strategies around cyber security. The presenter was Amit Yoran of NetWitness and he has some interesting takes on the state of the industry and what we need to do to make it better. The one phrase that stuck with me was basically “We’ve already lost and it’s going to get worse before it gets better”. Not exactly a pep talk, but when you’re getting your butt kicked sometimes a reality check is what is needed more than a pep talk.</p>
<p>The folks that put on GFIRST did a first class job in organizing and executing. I wish I could go back for Thursday and Friday but I need to get cracking on my honey do list.</p>
<div class="feedflare">
</div><img src="http://feeds.feedburner.com/~r/AndyItguy/~4/YitCwPgQeaA" height="1" width="1"/>]]></content:encoded><description>OK, first let me say that the GFIRST conference was a lot of fun. I’m not 100% sure why because if you followed my Twitter comments about some of the talks I wasn’t overly impressed. Yet, in spite of that I still really enjoyed myself. Here is a short summary of my 2 days there.
Day [...]</description><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.andyitguy.com/blog/?feed=rss2&amp;p=808</wfw:commentRss><slash:comments xmlns:slash="http://purl.org/rss/1.0/modules/slash/">0</slash:comments><feedburner:origLink>http://www.andyitguy.com/blog/?p=808</feedburner:origLink></item><item><title>HISP Training</title><link>http://feedproxy.google.com/~r/AndyItguy/~3/7UFilFl0nR4/</link><category>information security</category><dc:creator xmlns:dc="http://purl.org/dc/elements/1.1/">andyitguy</dc:creator><pubDate>Wed, 26 Aug 2009 16:24:02 PDT</pubDate><guid isPermaLink="false">http://www.andyitguy.com/blog/?p=807</guid><content:encoded xmlns:content="http://purl.org/rss/1.0/modules/content/"><![CDATA[<p>If you are not familiar with <a href="http://www.hispi.org">HISPI</a> (Holistic Information Security Practitioner Institute) you may want to check it out. I just recently learned about them and was very fortunate to be able to attend the training class last week. I first found out about <a href="http://www.efortresses.com">eFortresses</a> when they started following me on Twitter. When I receive notice that I have a new follower I take a look at their profile and see if they are someone that I’d be interested in following also. I noticed that eFortresses was here in Atlanta so I checked out their web site and liked what I saw. Their philosophy about security is very similar to mine. So I decided to send them an email to try and schedule a meeting over coffee. One thing led to another and I ended up attending the training last minute.</p>
<p>The week was quite good. Not only did I get to meet some new friends, I also was “fire hosed” with information. Not in a bad way. There is a lot of information to cover in a week but the instructor, Taiye Lambo, did a great job in keeping it relevant and interesting. It was honestly one of the few instructor-led classes that I’ve taken where I didn’t have to fight sleep. The HISP is a fairly new cert, I think it started in 2005, and is meant to complement others such as the CISSP, CISA, CISM. It focuses on using the ISO 27000 series as a basis for your security program. They encourage the implementation of an Information Security Management System and the course is meant to help you attain that goal. </p>
<p>The certification also requires CPEs yearly so there is a “keeping fresh” component to it as well. It’s not a “pass the test and put initials after your name” program. You have to keep it up with CPEs to maintain certification. Of course it’s not the letters or the certification that holds the value; it’s the incentive to stay current and relevant that gives it value. It’s also the focus on a structured program that will help you implement and maintain a secure environment that will meet the varying and moving requirements of many different regulations and laws.</p>
<p>Check it out, and even if the class or cert aren’t for you I’d encourage you to dialogue with the guys at eFortresses. They are a great bunch and will add value to your day.</p>
<div class="feedflare">
</div><img src="http://feeds.feedburner.com/~r/AndyItguy/~4/7UFilFl0nR4" height="1" width="1"/>]]></content:encoded><description>If you are not familiar with HISPI (Holistic Information Security Practitioner Institute) you may want to check it out. I just recently learned about them and was very fortunate to be able to attend the training class last week. I first found out about eFortresses when they started following me on Twitter. When I receive [...]</description><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://www.andyitguy.com/blog/?feed=rss2&amp;p=807</wfw:commentRss><slash:comments xmlns:slash="http://purl.org/rss/1.0/modules/slash/">1</slash:comments><feedburner:origLink>http://www.andyitguy.com/blog/?p=807</feedburner:origLink></item></channel></rss>
