The Daily Heretic

Securing New Technologies

2011-08-19T10:32:00.003-05:00

Our nature is to resist change and fear the unknown.

Security isn't about eliminating risk. It isn't about saying no. Security is about knowledge; understanding risk and putting security risk in the right context, so business leaders can make informed decisions. When security is done right, it enables the business to embrace new and potentially transformative technologies and use them wisely to innovate and grow and produce business value. In today's global marketplace, leveraging new technologies to create a competitive advantage can mean the diference between businesses that succeed and those that fall by the wayside.

Today's technology is changing at a rapid pace, the enterprise perimiter is eroding and securing endpoints is not becoming any easier as computing is becoming ubiquitous; becoming embedded in our vehicles and consumer devices, in an increasingly interconnected worldwide web. In order to trust endpoints, transactions and secure information appropriately, technical solutions and standards are necessary but not sufficient themselves to solve the problems we face.

The key to securing new technologies is collecting more and better quantatative data about the threat landscape associated with the technology, as well as device, configuration, event and transaction information. Knowledge comes from the judicious use of this information, given that the answers we get are only as good as the questions we ask. This means taking huge data sets and reducing them to something that is manageable, while maintaining the integrity of the data. Data sharing between peers and in public and private partnerships will help to standardize how we collect and use this data and lead to better threat intelligence and risk management. With a methodical approach to model and use this data, security risk will no longer exist in its own silo, but become a part of the overall evaluation of business risk as meaningful security metrics mature in the coming years.

Change is inevitable and resistance is futile. If we fail to embrace new technologies, we are likely to watch our competitors pass us by. Knowledge is the key to understanding and providing creative ways to manage security risk in the face of uncertainty, and necessary to combat the fear that accompanies new and potentially transformative technologies.

Panel Accepted for Black Hat

2011-06-14T15:52:00.006-05:00

I'm excited that our panel on software vulnerabilities has been selected for Black Hat 2011, so I will be attending the executive forum and briefings, and staying around for Def Con on the weekend. It will be a long week, but should be exciting. The briefings are listed on the Black Hat website, and they all look great!

An Interview on Goals

2011-05-14T11:57:00.008-05:00

I recently discussed my ambitions and career goals, and wanted to share some of that discussion here. It gives a little insight as to my interests and the sort of decisions I face as I try to get more involved as a professional and volunteer.

Q: Where do you feel you are in your career, today?

A: I am currently a technical program manager in computer security, for a Fortune 100 multi-national company. I am mainly responsible for vulnerability management and strong authentication. So, I am dealing with vulnerability assessments and pen testing and network security, endpoint security, remote access security and architecting solutions to enable the business in a secure way. This can be quite challenging at times, but it is rewarding. I manage many complex, global projects, but am still an individual contributor, and I don't see my role changing anytime soon. I feel my skills have improved, and my knowledge of security and the business, but I was hired with this job title and pay grade and don't see any chance of that changing.

This is typical of the security function, in industry. I'm not complaining. I am glad I can add value and feel I am being successful at what I do. I just wonder if this is what I am best suited for.

Q: So are you looking to change jobs?

A: I don't think so. I do feel I need to challenge myself, in some way, and I do that by teaching and volunteering, as well as working hard at my day job. I'm a strong believer in lifelong learning, and finding a way to contribute to one's profession and society at large. It would be too easy to give in to my lazy side, and just do what comes easy and coast. I don't feel I'd be satisfied with that choice.

I want to keep my skills sharp, and in my present job I often need to push myself to do that. I could easily get comfortable and go on autopilot where I am, and stay in a silo, and do my job adequately and bide my time until I retire. That's very doable, and it would give me a relaxed lifestyle for sure, but I think it's important to grow as a professional and as an individual.

I've been fortunate to be able to do what I've been doing for the past 12 years. I work for a great company; an ethical company that is a leader at what they do. They are well respected, and right up there with Mom and Apple Pie. They have been very supportive and I've really come to understand how a security organization functions at a Fortune 100 company. I think I've come a long way, from when I came here in 1999 with only university and government experience. It's been a privilege. I've been afforded opportunities to travel to other countries and to see all aspects of a company that's been involved in manufacturing, sales, insurance, healthcare, banking and quite a number of acquisitions and divestitures over the years.

My management seems to appreciate the value of my volunteering and serving on boards and participating in councils and peer groups. I learn a lot from networking and having discussions with peers in CISO groups, and doing all this, but it isn't required for my present job. I do it because I want to maintain currency, and to push my boundaries, and I really aspire to contribute as a thought leader in the security space. It is nice that my colleagues allow me to join in these discussions, even though I am an individual contributor in my present job.

Q: How else do you keep up with trends and changes in the security profession?

A: I try to stay up with technical advances by reading and talking to my peers, and other subject matter experts. I am past the point where I can spend much time deep-diving, and I need to deal with a broad range of issues, so I rely heavily on others for the technical stuff. I also participate in advisory councils and boards and I speak and blog on topics, when I have the time. I'd like to speak more, and write more, but in the commercial sector there isn't much opportunity or support for doing research, so I don't have much that people want to hear about. I am usually left with topics on corporate governance. I've gotten excited about security metrics, this year, and hope to speak more on that topic.

I used to work as a scientist, and I used to speak and write articles all the time, so I do miss that, but I compensate by developing courses in computer security and teaching. I find that is a great outlet for my inquisitive side.

Q: Would you like to be a security researcher?

A: I don't have a real interest in that. I wouldn't turn down an opportunity to direct research, if someone came to me with something exciting, but frankly there are younger and better people to do this. People much smarter than me. I'd actually like to be spending less of my time in the trenches and more time focusing on security strategy.

Q: Are you satisfied working in IT, when you used to be a scientist?

A: I don't consider myself to be an IT worker. I consider myself to be a scientist, an educator and a security professional. I think it's limiting to categorize people. There is a lot of similarity between the mindset of the scientist, who is trying to develop models of how nature works, and then see if those assumptions hold, and the mindset of the security professional, who makes assumptions about risk and then looks for ways to test those assumptions. My background as a scientist makes me well suited to develop logical models and to assess and address risk.

In addition, I feel that my background as a scientist, and my teaching, and the work I do as a volunteer with students promoting STEM education, and my work with the FBI, IEEE and other groups exposes me to many different viewpoints and I think that's important. It gives me a broader view of things, and helps me to consider problems from different perspectives.

Q: What's next for you, in your career?

A: If I stay on this course, I expect I will try to find more opportunities to travel and speak, and perhaps take on some more course development or try my hand at writing - I am just not sure how relevant my experience is to the broader security community. I think I'd be satisfied, but I would probably focus more of my energy into volunteer work and teaching, and maybe take on a more technical role with IEEE and my critical infrastructure protection work. There are certainly benefits to a less responsible day job, and a more laid back lifestyle. It is hard to imagine myself sitting in the same chair, in the same cubical, for another 15 years though, just waiting to retire.

Q: If you could choose any job, what would it be?

A: If I had my dream job, I suppose it would be one that's exciting and challenges me to always be learning and pushing my boundaries. I'd feel valued and appreciated and feel the same kind of enthusiasm every day as I go to work, that I feel when I am at a security conference, for example. I'd like to be a leader; a decision maker, doing something integral to the mission of the business, rather than seen as just another technical resource.

I'd like to be in a location that was outwardly motivating, and working with lots of people much smarter than me, so I can make informed decisions and maintain a level of excellence in whatever I'm doing. I'd like to have frequent opportunities to converse with thought leaders and innovators. Maybe it would be in a college town, where I'd be able to attend seminars and on the latest technologies and research. I think there are many more opportunities for a security professional on the coasts, because that's where the thought leaders are, and where you can interact in person with more of your peers. I am always getting invited to events, but being in the Midwest, not much goes on in our community. That's actually why I got involved with IEEE and became president of our local engineering and science council, so I could try to promote more activities like that, locally.

Q: Tell me more about why you feel that sort of interaction is important.

A: I think it is important to hear from thought leaders in the security field, as well as academia and business entrepreneurs and policy makers. Too often people keep to one group, and don't pay attention to the others. Like I said before, I don't think we can thrive in a vacuum. I think when we expand our thinking, when we hear different perspectives and are exposed to diversity, it can be transformative.

Cyber Security Strategies Summit: Security in a Digital World

2011-05-04T11:19:00.004-05:00

Join us at the Cyber Security Strategies Summit the 10-12 of May 2011 at the Kellog Conference Center in Washington DC.

Education is the key to navigating the security landscape, whether you are managing new initiatives, implementing new programs or designing new technologies, being informed is the deciding factor in winning the cyber war.

The Cyber Security Strategies Summit will focus on education in a digital world of uncertainty.

Tailored to a wide spectrum of stakeholders, the Cyber Security Strategies Summit presents value to small business, enterprise and Government security officers across every vertical.

Topics being covered at the Cyber Security Strategies Summit will include:

Risk management techniques.

Information protection and privacy

Employee compliance and standards

Operation and security in the cloud

Mobile evolution and impact

Law enforcement and forensics

The event will offer the ideal environment for knowledge sharing and networking opportunities, while providing a stage for education.

ENTERPRISE: The enterprise security track is driven by industry case studies. Security experts from major companies will be presenting best practices in Cyber Security and Data Protection. Delegates that work in the private sector and would like to bring home new techniques and programs that are being implemented by other corporations should attend the enterprise track.

GOVERNMENT: Cyber security has become one of the most crucial issues facing the stability of our nation. Government agencies need to be equipped with the most up to date information available in the security environment. The Government track will discuss data protection, legislation, privacy and defending our nation against internal, international and terrorist threats.

MOBILE: The influx of smartphones is not just a convenient advancement in our daily lives; it is paradigm shift in our corporate and government security initiatives. The Mobile revolution is in full swing and integration is imperative. The mobile track will address delegates in both enterprise and government, with educational presentations of strategies and risks that will enable your organization to securely adapt to the changing tide.

CLOUD: The risks vs rewards of cloud computing is an imperative conversation to have, and at the center of it all is security. Is the cloud secure? Should we trust it? And how do we make the move safely? The hot button subject will be thoroughly addressed, with discussions that prove to be pertinent for both enterprise and government security officers.

Darin Andersen (Event Chair) - Chief Operating Officer at ESET

Ron Baklarz - Chief Information Security Officer at Amtrak

Patricia Titus - VP and Global Chief Information Security Officer at Unisys

Jim Christy - Special Agent, Director of Future Exploration at the Department of Defense Cyber Crime Center

Bob Samson - Director of Information Protection and Privacy at Marriott

Patrick Howard - Chief Information Security Officer at the Nuclear Regulatory Commission

Stacy Arruda - Supervisory Special Agent at the FBI Cyber Crime Unit

Wade Baker - Director of Risk Intelligence at Verizon Business

John Johnson - Security Program Manager at John Deere

Rick Harris - -Chief of Future Operations US-CERT, National Cyber Security Division at DHS

Richard H.L. Marshall - Director of Global Cyber Security Management National Cyber Security Division at DHS

Sol Bermann - Lead Privacy Policy Development, Business Continuity, User Advocacy at the University of Michigan

Eric S. Green - President of ELG Consulting
Adam Meyers - Director of Cyber Security Intelligence at SRA International
Jay Leek - VP of International Security at Equifax

SC Magazine Awards 2011

2011-02-09T15:16:00.003-06:00

The SC Magazine Awards 2011 takes place next Tuesday (2/15) at the Intercontinental Hotel in San Francisco. The awards ceremony will honor leaders in the security industry, from government to non-profits, and showcase the best in the vendor-space and security certifications and training programs. I have been asked to introduce the award for one category, so I'll definitely be there. I'm thinking of buying a bow-tie!

49th QCESC Banquet and Awards Ceremony

2011-02-09T13:42:00.002-06:00

Date: 24-February-2011
Time: 05:00PM to 09:00PM
Location: Putnam Museum, Davenport, Iowa

This year's Engineer's Week banquet will include displays from some of the 35 technical and professional science and engineering societies in the Quad Cities. There will be schoarships and awards and an induction to the Order of the Engineer, as well as a keynote speaker.

Food Catered by Iowa Machine Shed Restaurant with Italian Chicken and Lemon Peppered Cod, with bread, potatoes, coleslaw, cottage cheese, and a cobbler for dessert. Water, ice tea and coffee are included. A cash bar will be open all night.

Cost $35 and $20 for full-time students (open to the public!)

Link here for more information and registration.

The End of Privacy - Personal Information on the Internet

2011-02-09T13:38:00.004-06:00

Date: 18-February-2011
Time: 05:30PM to 07:30PM

Announcing the upcoming talk by Mike Bazzell on Internet privacy, sponsored by the IEEE Computer Society of Iowa-Illinois, and the Quad City Cyber Security Group.

This presentation identifies many unknown repositories of personal information available to anyone on the internet. Through data mining companies and those that post personal information about others, data once considered private is now public. This look at our new lack of privacy will surprise even those that think they are not vulnerable. Over 120 sources of online information will be discussed. Aside from web sites, other technology such as digital camera data, document meta data, and files being unknowingly copied to your computer will be explained.

Link for more information and registration.

Cyber Security Strategies Summit

2011-02-09T13:32:00.002-06:00

(GSMI) Cyber Security Strategies Summit

Date: May 10-12, 2011

Location: Kellogg Conference Hotel, Washington, D.C.

I will be speaking on enterprise metrics, the afternoon of May 11th. Early registration ends March 4th.

Cyber Spoofed White House eCard Targets Execs

2011-01-13T11:25:00.004-06:00

My friend, Mike, at NetWitness, sent me information on a fake White House email that is circulating.

We were involved in the discovery of a Fake White House email that targeted senior government and a few corporate officials as part of Cyber Espionage campaign. The attack was Kneber again, a Zeus variant designed to steel credentials & confidential documents.

Fake White House holiday e-mail is cyber attack
Associated Press: January 6, 2011

Espionage Via Spoofed White House eCard
Network World By Ms. Smith – January 3, 2011

Kneber botnet strikes again, targets gov't agencies
ComputerWorld.com: By Gregg Keizer - January 4, 2011

Malware Campaign Cyber-Espionage or Cyber-Crime?
eWeek: By: Brian Prince – January 3, 2011

Spam Attack Captures Government Data
InformationWeek: By Mathew J. Schwartz - January 5, 201

Government computers hacked by fake e-mail
WashingtonTimes: By Shaun Waterman - January 5, 2011

Threatpost.com: White House E-Card Scam Part of Larger Zeus-Related Attack
By Dennis Fisher – January 4, 2011

RSA Conference 2011: On Enterprise Metrics

2011-01-07T15:07:00.004-06:00

My proposal for a peer-to-peer discussion on "Gathering and Applying Meaningful Security Metrics" at this year's RSA Conference in San Francisco was accepted. This means I will facilitate a discussion a peer-to-peer group discussion on the topic (P2P-201B), on Wednesday, February 16th at 8:30 AM.

Security metrics are somewhat subjective, but I feel that the more data we can gather, the more we can do. Sounds obvious, but very few security programs are based on objective data. This will be an opportunity for conference participants to share their experiences and learn from experts in the field.

FIRST Lego League Regionals

2010-12-10T11:42:00.003-06:00

What? 2nd Annual FIRST LEGO League Regional Qualifier
When? Saturday, December 11, 2010 (8am-4pm)
Where? Putnam Museum, 1717 W. 12th Street, Davenport, Iowa

Join us for the second annual, QCESC Co-Sponsored, FIRST Lego League Regionals at the Putnam Museum, in Davenport! This is a great event and we expect about 300 people at the museum tomorrow. [map]

Understanding Cyberwarfare: Stuxnet

2010-10-21T21:58:00.004-05:00

Follow this link, or click on the icon above to view an excellent video prepared by The Cyber Security Forum Initiative group on the threat posed by Stuxnet. For those of you unfamiliar with Stuxnet, it is a computer worm believed to have been developed in Belarus, which is designed to reprogram SCADA controls. These PCLs are used to control sensitive systems for utilities and other industrial systems, many of which are considered critical infrastructure. Stuxnet has raised the bar on cyber warfare, and confirmed that nation-states are actively using computer attacks against each other. The systems affected, appeared to have been nuclear systems in Iran, but similar attacks could, and probably are being used against other nations and industries, for the purposes of offensive cyber-warfare and industrial espionage.

2010 Moms Night Out

2010-10-16T10:39:00.003-05:00

2010 Iowa Moms Night Out

to Raise STEM Awareness

Event Purpose: A fun night that will inspire and educate moms/parents about the importance of Science, Technology, Engineering and Math (STEM) education and the vital role they play with their children.
*Note: Free childcare (ages 2 and up) will be provided with advanced registration

Location:
Putnam Museum and IMAX Theatre
1717 W. 12th Street
Davenport, Iowa

[map]

Date: This coming Monday!

October 18, 2010
7:00 – 8:30 PM

Register:

On-line at (preferred method):

http://www.surveymonkey.com/s/D2N8LZB

For further information for Moms Night Out at the Putnam:
Phone number 563-324-1933

Keynote Speaker:
Joanne Howard, Manager Energy & Climate Strategy at John Deere, who will be discussing the importance of the STEM courses and how those lessons are used around the world.

Event Sponsor:

The state-wide sponsor for Moms Night Out for STEM is John Deere with generous support from Iowa Public Television and Hy-Vee.

The Moms Night Out satellite event is part of numerous other events scheduled across the nation during October in celebration of the first USA Science and Engineering Festival, to be held in Washington D.C. on October 23-24, 2010. The Moms Night Out event is being held on October 18 simultaneously at 20 locations in Iowa including Muscatine, Ottumwa, Cedar Falls, Waterloo, Des Moines, Ankeny, and Iowa City. You can register free for any of the sites per the link above.

Further Information on Mom’s Night Out for STEM:

Flyer for Moms Night Out Event at Putnam:

http://www.qcesc.org/MomsNightOut-putnam5.pdf

Moms Night Out on Facebook:

http://www.facebook.com/home.php?#!/pages/Moms-Night-Out-for-STEM-IOWA/126911334024570

Iowa Mathematics and Science Education Partnership (IMSEP):
http://www.iowamathscience.org/moms_night_out/

USA Science & Engineering Festival:
http://www.usasciencefestival.org/

National Science Festival

2010-10-16T10:30:00.004-05:00

National Science & Engineering Festival

October 10-24, 2010

We are in the middle of the National Science & Engineering Festival, October 10-24, 2010. As a part of that, and as a science educator, I encourage everyone to find, volunteer for or sponsor science and engineering related events. Don't feel discouraged that October is flying by so fast; try to find opportunities to participate in science events, even after this festival ends! This is a nationally sponsored activity, to raise awareness, but enthusiasm about science and engineering should continue, year-round!

October is National Cybersecurity Awareness Month

2010-10-16T10:20:00.004-05:00

October is National Cybersecurity Awareness Month (NCSAM), and the theme this year is, "Our Shared Responsibility". If you are part of the cyber security industry, or someone with knowledge to share, this is a good time to raise the topic of computer security. Visit the link above, by clicking on the NCSAM image.

July Star Party

2010-06-29T06:54:00.001-05:00

When? Saturday, July 17 - Beginning at sunset
Where? Wapsi River Environmental Center outside Dixon, Iowa

Free and open to the public

On-site 12- and 14-inch telescopes will be available at the St. Ambrose S. G. Menke Observatory for sky viewing; visitors are welcome to bring smaller telescopes as well.

For more information, contact Dr. Robert Mitchell at 563/333-6141. On the day of the event, the same number may be called for a recorded message that will either confirm the event or report a weather-related cancellation. For directions to the observatory, go to web.sau.edu and search for “Menke.”

IEEE Region 4 Educational Activities Blog

2010-06-22T21:47:00.003-05:00

I've added a new blog to update Region 4 IEEE members about various webinars, training, lifelong learning opportunities and other IEEE educational activities. Check it out!

IEEE Region 4 Educational Activities Blog

SC Virtual Symposium: The Insider Threat

2010-01-20T16:00:00.001-06:00

Things are coming together nicely for the SC Symposium: Managing Data Against Insider Threats on Thursday (1/21). The expo for the virtual symposium starts at 1 PM (EST). My keynote is at 3:55 PM (EST). Register here. These events happen monthly, so watch http://SCMagazine.com for upcoming symposia!

[Here are my slides and notes and Q and A, from the SC Magazine Symposium keynote.]

SC Virtual Symposium "Insider Threat"

2010-01-14T14:49:00.001-06:00

[This is the first time I've been the subject of spam, blocked by my own spam filters! ;-)]

SC Virtual Symposium: Managing data against insider threats

Date: Thursday, January 21st
Time: 1 - 5pm ET
Location: your computer

Earn CPE credits for attending*

Click on the link below to register for FREE:
http://sc.haymarketcomm.net/r/?ZXU=1063432&ZXD=57476866

With layoffs rampant, corporate leaders are increasingly concerned that employees may steal data to sell to cybercriminals. Insiders are a risk and companies must protect their critical assets against them. We learn from experts how it's done.

SC World Congress: Managing Data Against Insider Threats

2010-01-02T16:10:00.003-06:00

I'll be the keynote speaker for the SC World Congress virtual symposium, January 21st, 2010. The topic is "Managing Data Against Insider Threats". Register online to attend!

[ Register Here ]

How to Avoid Online Scams

2009-12-19T18:57:00.002-06:00

Lifehacker has a good article on how to avoid various online scams, such as: avoiding bank scams, protecting your password, using strong passwords, not buying anything unsolicited, and generally looking out for deals that look too good to be true (and often are!)

[ Link ]

Quad Cities FIRST Lego League Challenge

2009-12-14T08:02:00.003-06:00

There was a FIRST Lego League regional meet at the Putnam Museum on Saturday. Quite a good turnout, with a couple hundred kids (aged 9-14), parents and teachers from the region. The event was co-sposored by the Quad Cities Engineering and Science Council and Iowa State University. To learn more about FIRST programs, like this, visit http://www.usfirst.org.

[ Article from QC Times ]

The Evolving Role of the Security Manager

2009-11-20T14:28:00.002-06:00

Dan Kaplan, a senior editor at SC Magazine, wrote an excellent piece on the evolving role of the security manager and the value of security certification and training, in this month's "20th Anniversary" issue of SC Magazine. Dan included some of my comments, as well as those of other security leaders and innovators. Worth a read.

[Read the SC Magazine Article here.] [2nd Link]

New Quad City Cybersecurity Group Formed

2009-11-19T10:25:00.002-06:00

I've created a new group for the Quad City area, focused on cybersecurity issues. We also discuss infrastructure protection, physical security and related computer topics. At this time, the group is vetting new members, and we intend on meeting monthly. We met this last week for coffee, at Starbucks in Bettendorf, IA.

If you are a security expert, computer professional or interested community member, join us on Facebook or LinkedIn.

LANL Fails Again on Cybersecurity Efforts

2009-11-19T10:16:00.002-06:00

New security weaknesses have been idenfied in a recent GAO audit of Los Alamos computer systems. Having been a network and security manager, briefly in the 1990s, this comes as no real surprise. But, I would have thought after a spate of incidents in the past 13 years since I left to form my own company, they would have figured out a better way to protect their classified networks.

Los Alamos National Laboratory has spent $45 million to secure its classified computer network between fiscal years 2001 and 2008, according to a report issued Friday by the Government Accountability Office, yet significant weaknesses remain in safeguarding the confidentiality, integrity and availability of information stored on and transmitted over its classified computer network.

The audit, requested by the House Committee on Energy and Commerce, cites Los Alamos' management as saying funding for its core classified cybersecurity program has been inadequate for implementing an effective program during fiscal years 2007 and 2008.

[Read More]