<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/atom10full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0">
   <title>The Falcon's View</title>
   <link rel="alternate" type="text/html" href="http://www.secureconsulting.net/" />
   
   <id>tag:www.secureconsulting.net,2010://12</id>
   <updated>2009-12-29T20:10:58Z</updated>
   <subtitle>Mental meanderings of an infosec obsessive...</subtitle>
   <generator uri="http://www.sixapart.com/movabletype/">Movable Type 3.32</generator>

<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/atom+xml" href="http://feeds.feedburner.com/secureconsulting/ujTc" /><link rel="license" type="text/html" href="http://creativecommons.org/licenses/by-sa/3.0/" /><logo>http://creativecommons.org/images/public/somerights20.gif</logo><feedburner:emailServiceId>secureconsulting/ujTc</feedburner:emailServiceId><feedburner:feedburnerHostname>http://feedburner.google.com</feedburner:feedburnerHostname><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com" /><entry>
   <title>Unhappy New Year - Unemployed Again</title>
   <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/secureconsulting/ujTc/~3/48-AtHpOhqM/unhappy_new_year_unemployed_ag.html" />
   <id>tag:www.secureconsulting.net,2009://12.2200</id>
   
   <published>2009-12-29T20:03:15Z</published>
   <updated>2009-12-29T20:10:58Z</updated>
   
   <summary type="html">Hey folks - I just lost my job again. ARGH! I'm at a loss for what to say. In the meantime, I need a new job, and asap. I'm currently based in Fairfax, VA. Relo is not an option this...</summary>
   <author>
      <name>Ben Tomhave</name>
      <uri>http://www.secureconsulting.net/</uri>
   </author>
         <category term="work-jobs" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="547" label="job" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="596" label="unemployed" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="90" label="work" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.secureconsulting.net/">
      &lt;p&gt;Hey folks - I just lost my job again. ARGH! I'm at a loss for what to say. In the meantime, I need a new job, and asap. I'm currently based in Fairfax, VA. Relo is &lt;strong&gt;not&lt;/strong&gt; an option this time, but I am open to travel.&lt;/p&gt;

&lt;p&gt;Resume is here: [ &lt;a href="http://falcon.secureconsulting.net/resume/Ben_Tomhave.pdf"&gt;PDF&lt;/a&gt; ] [ &lt;a href="http://falcon.secureconsulting.net/resume/Ben_Tomhave.docx"&gt;DOCX&lt;/a&gt; ] [ &lt;a href="http://falcon.secureconsulting.net/resume/Ben_Tomhave.doc"&gt;DOC&lt;/a&gt; ]&lt;/p&gt;
      
   &lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=48-AtHpOhqM:g74S_-E3cSo:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=48-AtHpOhqM:g74S_-E3cSo:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=48-AtHpOhqM:g74S_-E3cSo:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=48-AtHpOhqM:g74S_-E3cSo:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=48-AtHpOhqM:g74S_-E3cSo:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=48-AtHpOhqM:g74S_-E3cSo:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=48-AtHpOhqM:g74S_-E3cSo:TzevzKxY174"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=TzevzKxY174" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=48-AtHpOhqM:g74S_-E3cSo:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=48-AtHpOhqM:g74S_-E3cSo:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=48-AtHpOhqM:g74S_-E3cSo:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/secureconsulting/ujTc/~4/48-AtHpOhqM" height="1" width="1"/&gt;</content>
<feedburner:origLink>http://www.secureconsulting.net/2009/12/unhappy_new_year_unemployed_ag.html</feedburner:origLink></entry>
<entry>
   <title>2010 Prognostication</title>
   <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/secureconsulting/ujTc/~3/pqYYbXVBaEE/2010_prognostication.html" />
   <id>tag:www.secureconsulting.net,2009://12.2199</id>
   
   <published>2009-12-16T21:53:13Z</published>
   <updated>2009-12-16T21:56:13Z</updated>
   
   <summary type="html">I don't recall doing any sort of predictions for the coming year before, so I thought I might try it this year. Of course, far be it for me to deliver the line straight, so if you detect a wee...</summary>
   <author>
      <name>Ben Tomhave</name>
      <uri>http://www.secureconsulting.net/</uri>
   </author>
         <category term="humor" scheme="http://www.sixapart.com/ns/types#category" />
         <category term="infosec" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="523" label="2010" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="17" label="humor" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="10" label="infosec" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="595" label="predictions" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.secureconsulting.net/">
      &lt;p&gt;I don't recall doing any sort of predictions for the coming year before, so I thought I might try it this year. Of course, far be it for me to deliver the line straight, so if you detect a wee bit of snark, then you might want to adjust your sarcasm meters, because I'm going for the gold here. :)&lt;/p&gt;

&lt;p&gt;Without further ado...&lt;br /&gt;
&lt;/p&gt;
      &lt;p&gt;&lt;strong&gt;Millions will die.&lt;/strong&gt; As happens every year, tens of millions of global citizens will die next year (&lt;em&gt;Source: &lt;a target="_blank" href="http://en.wikipedia.org/wiki/World_population"&gt;Wikipedia: World Population&lt;/a&gt;&lt;/em&gt;). Cause of death will vary, of course, from disease to natural causes to natural disasters and sheer violence. Death is one of the truisms that cannot be escaped. The mainstream media, politicians, and various special interest groups will nonetheless leverage FUD-filled death-related arguments to promote their various flawed agendas. Infosec professionals and analysts will begin to see the utility in such arguments and begin tying all online risks to death statistics. The success of security programs everywhere will increase dramatically as people flee the horror of the 2010 e-pandemic du jour.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Lawyers and politicians will win.&lt;/strong&gt; They usually do. Of course, some will also lose, what with it being an election year, and that almost every case has legal representation on both sides. More importantly, though, is that it seems likely that we will continue to see growth in regulations, particularly over financial services, and possibly for health care as well. I'm actually rather convinced that 2010 will be known as "the year of the infosec lawyer" as the legal field rushes to embrace this arena. Of course, this also supports my case for legal defensibility (how conveeeeeenient).&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;American consumers will lose.&lt;/strong&gt; As if the myth of privacy isn't enough to depress people, or the outright misrepresentation of policies by key corporations like Facebook enough to make you hurl, it seems we're likely to continue seeing vast erosion of rights, especially in the U.S. Because, as Google's Schmidt says, only evil people have anything to hide (I guess that means 100% full disclosure from Google on all things, right? I mean, their motto is "do no evil," right? right?). It's almost as if nobody in Congress cares about what might be good for constituents, as is evidenced by the rancid and rancorous health care debate.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Signature-based "security" products will be less signature-based.&lt;/strong&gt; Continuing the trend of conceding that blacklists and whitelists have marginal utility, especially when scaling, vendors will continue to blame customers for product shortcomings while moving to a combination of cloud-based signature sets and more intelligent analytics. Certain vendors will continue to make broad claims about the inherent security of their platforms, regardless of the reality that millions of lines of code will absolutely contain exploitable errors. Consumers will continue to pay a steep price as attacks focus more on cross-platform applications, such as Acrobat Reader (PDF) and Flash, as well as web applications.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Organizations will bemoan regulations.&lt;/strong&gt; While aggressively resisting investment in improved security architecture, awareness, and practices, organizations will continue to bemoan regulations requiring them to make those investments. Ironically, through those forced investments organizations will actually begin to carry a lower information risk load, with an overall positive benefit. Unfortunately, due to a lack of quality metrics, nobody will notice, except Verizon Business (via their Data Breach Investigations Report) and WhiteHat Security (via their quarterly webappsec report). Ok, so a few people will notice, but it will undoubtedly be the wrong people, who will then fall into arguments about statistical methods.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The security industry will keep trying to reach a consensus... on something... anything... please.&lt;/strong&gt; Standards will continue to emerge as the number of opinions about security follows a fractal growth pattern. The DHS' threat of 1000 new "cybersecurity" professionals will further dilute the pool of ideas as retiring AF colonels make their play for jobs or budgets. Several quality initiatives will continue to obscure the market and eliminate any hope of common sense, such as the promotion of various "risk" frameworks like FAIR, Risk IT (ISACA), ISO 31000, and so on, etc, etc, ad nauseam. In the end, checklists will continue to abound while politicians make ham-fisted attempts at writing really awful legislation that insults everyone in the industry while solving no problems and creating dozens of new problems. In the end, the only real consensus achieved will be that people in the industry will continue to have job security for the foreseeable future.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Coda...&lt;/strong&gt;&lt;br /&gt;
I'm sure I could say more, but... well, anyway... as 2012 approaches, I'm sure I'll have something more useful to contribute. Until then, here's to hoping that everybody has a happy holiday season, regardless of (dis)belief system. I'll be posting more between now and the end of the year, but not with any urgency.&lt;/p&gt;

&lt;p&gt;BTW, keep an eye out for book news in the coming weeks. :)&lt;/p&gt;
   &lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=pqYYbXVBaEE:DhY2nY5N__0:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=pqYYbXVBaEE:DhY2nY5N__0:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=pqYYbXVBaEE:DhY2nY5N__0:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=pqYYbXVBaEE:DhY2nY5N__0:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=pqYYbXVBaEE:DhY2nY5N__0:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=pqYYbXVBaEE:DhY2nY5N__0:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=pqYYbXVBaEE:DhY2nY5N__0:TzevzKxY174"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=TzevzKxY174" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=pqYYbXVBaEE:DhY2nY5N__0:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=pqYYbXVBaEE:DhY2nY5N__0:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=pqYYbXVBaEE:DhY2nY5N__0:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/secureconsulting/ujTc/~4/pqYYbXVBaEE" height="1" width="1"/&gt;</content>
<feedburner:origLink>http://www.secureconsulting.net/2009/12/2010_prognostication.html</feedburner:origLink></entry>
<entry>
   <title>NSS Labs Releases IPS Results</title>
   <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/secureconsulting/ujTc/~3/vnIZNud1-aY/nss_labs_releases_ips_results.html" />
   <id>tag:www.secureconsulting.net,2009://12.2197</id>
   
   <published>2009-12-14T19:33:23Z</published>
   <updated>2009-12-14T19:34:21Z</updated>
   
   <summary type="html">NSS Labs released their Q4 2009 Network IPS Comparative Test Report last week, and it's a whopper! The following findings are very interesting: * Tuning Is Very Important: While some vendors did ok out-of-box, the simple fact was that tuning...</summary>
   <author>
      <name>Ben Tomhave</name>
      <uri>http://www.secureconsulting.net/</uri>
   </author>
         <category term="infosec" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="594" label="IPS" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="563" label="NSS Labs" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="568" label="report" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.secureconsulting.net/">
      &lt;p&gt;NSS Labs released their Q4 2009 &lt;a target="_blank" href="http://nsslabs.com/IPS-2009-Q4"&gt;Network IPS Comparative Test Report&lt;/a&gt; last week, and it's a whopper! The following findings are very interesting:&lt;br /&gt;
 * &lt;strong&gt;Tuning Is Very Important:&lt;/strong&gt; While some vendors did ok out-of-box, the simple fact was that tuning greatly improved the effectiveness of even the worst performing system. It's imperative that a skilled engineer be brought in for initial tuning, and that tuning be revisited on a regular basis, since both the protected network and the attacks aimed at it change over time.&lt;br /&gt;
 * &lt;strong&gt;You Get What You Pay For:&lt;/strong&gt; It was striking to me how poorly Juniper did in the testing. They were the worst product by a long shot. It goes to show that saving big bucks is only useful if the product still does a decent job. However, sometimes cheap is just that: cheap.&lt;br /&gt;
 * &lt;strong&gt;Surprising Top-Performers:&lt;/strong&gt; The top recommendations were for IBM and McAfee products, with Sourcefire coming in at third. You'd expect Sourcefire to do well, and they definitely did not disappoint (except for missing one class of fragmentation-based evasion technique). However, who would have guessed that IBM and McAfee were producing top-of-the-line products? These vendors must be ecstatic. Let's hope that it serves to motivate their competition to step up their respective games.&lt;/p&gt;

&lt;p&gt;If you're going through IPS product selection, then this is a must-read report. It covers products from Cisco (1), IBM (2), Juniper (3), McAfee (2), Sourcefire (1), Stonesoft (3), and TippingPoint (3). Hopefully next go-round it will also include some other vendors, such as Nitro Security, to see how they compare, particularly out-of-the-box.&lt;/p&gt;
      
   &lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=vnIZNud1-aY:vppVzLCozAA:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=vnIZNud1-aY:vppVzLCozAA:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=vnIZNud1-aY:vppVzLCozAA:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=vnIZNud1-aY:vppVzLCozAA:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=vnIZNud1-aY:vppVzLCozAA:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=vnIZNud1-aY:vppVzLCozAA:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=vnIZNud1-aY:vppVzLCozAA:TzevzKxY174"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=TzevzKxY174" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=vnIZNud1-aY:vppVzLCozAA:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=vnIZNud1-aY:vppVzLCozAA:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=vnIZNud1-aY:vppVzLCozAA:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/secureconsulting/ujTc/~4/vnIZNud1-aY" height="1" width="1"/&gt;</content>
<feedburner:origLink>http://www.secureconsulting.net/2009/12/nss_labs_releases_ips_results.html</feedburner:origLink></entry>
<entry>
   <title>More On Possibility and "Risk"</title>
   <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/secureconsulting/ujTc/~3/fCEFxTtfvT8/more_on_possibility_and_risk.html" />
   <id>tag:www.secureconsulting.net,2009://12.2196</id>
   
   <published>2009-12-11T02:24:00Z</published>
   <updated>2009-12-11T02:30:57Z</updated>
   
   <summary type="html">Hopefully few of you wasted time reading my rant Tuesday on possibility, probability, and an analyst who really got my goat. Today, instead of ranting I wanted to revisit this whole "possibility is not probability" notion, and particularly its relationship...</summary>
   <author>
      <name>Ben Tomhave</name>
      <uri>http://www.secureconsulting.net/</uri>
   </author>
         <category term="infosec" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="10" label="infosec" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="591" label="possibility" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="592" label="probability" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="379" label="risk" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.secureconsulting.net/">
      &lt;p&gt;Hopefully few of you wasted time reading my rant Tuesday on possibility, probability, and an analyst who really got my goat. Today, instead of ranting I wanted to revisit this whole "possibility is not probability" notion, and particularly its relationship to risk and risk management. The main goal here is to put a stake in these semantic games once and for all and make some very clear points. We'll see how I do...&lt;/p&gt;

&lt;p&gt;The problem with the overly simplified "possibility is not probability" line of argument, in a risk management context, is that it doesn't speak to key attributes of risk. At its most fundamental, "risk" is a matter not just of the threat or vulnerability, but also of the likelihood it will be exposed, the likelihood it will be attacked, and the overall impact should it come to fruition. When we talk about risk, we have to consider all of these factors as they apply to our specific environment. You cannot take any one attribute and jump to a risk assessment generalization that applies equally to every situation or environment.&lt;br /&gt;
&lt;/p&gt;
      &lt;p&gt;Another key problem is that, in risk management, we never really deal with events that aren't possible. In the spectrum of things we think about, everything is possible, though where that possibility sits on a 0% to 100% probability scale can vary widely. Even more importantly, there are some very real low-probability (or low-frequency) events that absolutely must be considered because the potential impact is very high (e.g. natural disasters).&lt;/p&gt;

&lt;p&gt;So this is where I find the "possibility is not probability" statement to be completely and totally wrong, especially from a risk management perspective. Whether or not an event is "probable" (i.e. probability &gt; 50%) is not the only key factor that goes into our determination of whether or not treatment is necessary. It may not be "probable" that over half of your organization will be struck down by a pandemic, but it still bears consideration when you look at planning for remote access, spike licenses, sick leave policies, and so on (see my earlier &lt;a href="http://www.secureconsulting.net/2009/12/embrace_murphys_law.html"&gt;"Embrace Murphy's Law"&lt;/a&gt; post).&lt;/p&gt;

&lt;p&gt;Perhaps even more disconcerting to me is the impact of telling people to ignore low-probability threats in a blanket statement. I personally find it irresponsible and offensive. Nobody in a random external location, lacking an understanding of your context, can tell you or your organization what the right risk management decision is for a given threat or vulnerability. More egregious is trying to arbitrarily state that, because something is low-probability, it is also then "low risk." There's no way to know that; none whatsoever. Every environment is unique, and must be managed accordingly. We can categorize the severity of a given threat or vulnerability, but we absolutely cannot - with any reasonable degree of certainty or reliability - expand that categorization into an impact assessment for a given organization, which means that you cannot generalize the "risk" for a given threat or vulnerability.&lt;/p&gt;

&lt;p&gt;This practice of declaring "risk" levels arbitrarily and generically is a trick of marketing, and a trap of the overzealous and self-important. Just as organizations have learned to assertively manage their auditors, so they must also rein in security vendors, analysts, and consultants making broad, damning claims about "risk." Letting other people tell you what your risks are independent of your unique environment is like taking career advice from a stranger based on what they heard from the Psychic Friends Network. It's so far removed from reality that, even if it sounds good, there's no way to know for sure whether or not it's useful or makes any sense in your given situation.&lt;br /&gt;
&lt;/p&gt;
   &lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=fCEFxTtfvT8:sg650-ygUxc:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=fCEFxTtfvT8:sg650-ygUxc:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=fCEFxTtfvT8:sg650-ygUxc:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=fCEFxTtfvT8:sg650-ygUxc:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=fCEFxTtfvT8:sg650-ygUxc:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=fCEFxTtfvT8:sg650-ygUxc:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=fCEFxTtfvT8:sg650-ygUxc:TzevzKxY174"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=TzevzKxY174" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=fCEFxTtfvT8:sg650-ygUxc:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=fCEFxTtfvT8:sg650-ygUxc:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=fCEFxTtfvT8:sg650-ygUxc:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/secureconsulting/ujTc/~4/fCEFxTtfvT8" height="1" width="1"/&gt;</content>
<feedburner:origLink>http://www.secureconsulting.net/2009/12/more_on_possibility_and_risk.html</feedburner:origLink></entry>
<entry>
   <title>Quick Security Lessons From Target</title>
   <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/secureconsulting/ujTc/~3/0jMAgbq-q7o/quick_security_lessons_from_ta.html" />
   <id>tag:www.secureconsulting.net,2009://12.2195</id>
   
   <published>2009-12-10T03:23:14Z</published>
   <updated>2009-12-10T03:29:03Z</updated>
   
   <summary type="html">I really hate shopping at Target, which is probably why I end up spending so much time there every week. Every time I go to one it's like going on safari: you never know what you'll see, but you're hopeful...</summary>
   <author>
      <name>Ben Tomhave</name>
      <uri>http://www.secureconsulting.net/</uri>
   </author>
         <category term="infosec" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="10" label="infosec" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="55" label="psychology" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.secureconsulting.net/">
      &lt;p&gt;I really hate shopping at Target, which is probably why I end up spending so much time there every week. Every time I go to one it's like going on safari: you never know what you'll see, but you're hopeful you'll get something good. And, frankly, it's absolutely maddening. I've lost count of the number of times that I've purchased something trivial there (soap, for instance) only to come back to restock and find that the product is out or, more likely, not carried any more.&lt;br /&gt;
&lt;/p&gt;
      &lt;p&gt;In thinking about it, the Target shopping experience is a lot like dealing with the faithful opposition in information security. There's a method to their madness, all designed to help drive up profitability, such as through increased spontaneous purchases. Following are three attributes of Target stores that can be generalized to our own infosec industry.&lt;br /&gt;
&lt;ul&gt;&lt;br /&gt;
&lt;li&gt;&lt;strong&gt;Inconsistency:&lt;/strong&gt; If you've visited a few Target stores, one of the things you'll notice is that seemingly no two are laid out exactly the same way. There are about a half-dozen here in the area that I visit on a somewhat regular basis, depending on convenience, and every single one has a unique layout. In infosec - and particularly as regards phishing, spam, and web appsec - we find that inconsistency leads to confusion, which in turn leads to user error and compromise. Spam filters, URL filters, AV, IDS/IPS... these all rely on being able to match a consistent pattern. When the consistency isn't there, then the tools aren't overly useful. As for the attackers, they love to leverage off inconsistency to optimize their attacks. We need to find better ways to establish consistency in key areas (such as with authentication, reputation, identity, warnings, and errors) that can be used universally without limiting developer creativity.&lt;/li&gt;&lt;br /&gt;
&lt;li&gt;&lt;strong&gt;Randomness:&lt;/strong&gt; I swear, Target must use some sort of randomization engine in determining what products get sent to what stores, and for how long a given product will be carried. Randomness, of course, causes me to wander around looking for a suitable alternative, increasing the likelihood that I'll see other things and buy them. Similarly, attackers online use randomness to help evade security controls and to attract your attention.&lt;/li&gt;&lt;br /&gt;
&lt;li&gt;&lt;strong&gt;Driving Spontaneity:&lt;/strong&gt; Bouncing people around, causing them to browse just to find their normal purchases, helps increase spontaneous purchases. This effect is similar to "limited time only" sales, which is, of course, a popular phishing and spammer technique to drive people to make a hasty, bad decision. Every purchase you make at Target that was not planned or necessary is a win for them, just as every spam link you click is a win for the bad guys. It all comes down to finding the right triggers to cause you to react automatically instead of with forethought and planning.&lt;/li&gt;&lt;br /&gt;
&lt;/ul&gt;&lt;/p&gt;

&lt;p&gt;The next time you make a shopping trip to Target, consciously look at the end-cap displays. Note how much you have to wander, or even criss-cross, the store just to find the few things you're seeking. The entire situation is skewed in their favor with the intent toward causing you to do something you wouldn't, under consideration, really need or want to do. Now compare this to common online attacks. The similarities are interesting, and suggest that these bad guys are as well-versed in influence, social engineering, and marketing as the supposed "good guys" are in the retail industry. :)&lt;/p&gt;
   &lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=0jMAgbq-q7o:UjCBztN3TKE:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=0jMAgbq-q7o:UjCBztN3TKE:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=0jMAgbq-q7o:UjCBztN3TKE:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=0jMAgbq-q7o:UjCBztN3TKE:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=0jMAgbq-q7o:UjCBztN3TKE:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=0jMAgbq-q7o:UjCBztN3TKE:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=0jMAgbq-q7o:UjCBztN3TKE:TzevzKxY174"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=TzevzKxY174" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=0jMAgbq-q7o:UjCBztN3TKE:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=0jMAgbq-q7o:UjCBztN3TKE:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=0jMAgbq-q7o:UjCBztN3TKE:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/secureconsulting/ujTc/~4/0jMAgbq-q7o" height="1" width="1"/&gt;</content>
<feedburner:origLink>http://www.secureconsulting.net/2009/12/quick_security_lessons_from_ta.html</feedburner:origLink></entry>
<entry>
   <title>How Not To Talk To Customers</title>
   <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/secureconsulting/ujTc/~3/lZ2Wg17-BTQ/how_not_to_talk_to_customers.html" />
   <id>tag:www.secureconsulting.net,2009://12.2194</id>
   
   <published>2009-12-10T03:03:28Z</published>
   <updated>2009-12-10T03:10:24Z</updated>
   
   <summary type="html">I really hate dealing with tech support and customer service reps, especially on technical issues. It doesn't matter if I'm calling or sending email, inevitably someone says or does something so incredibly stupid that the entire process gets set back...</summary>
   <author>
      <name>Ben Tomhave</name>
      <uri>http://www.secureconsulting.net/</uri>
   </author>
         <category term="musings" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="586" label="customer service" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="590" label="rolling eyes" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="588" label="tech support" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.secureconsulting.net/">
      &lt;p&gt;I really hate dealing with tech support and customer service reps, especially on technical issues. It doesn't matter if I'm calling or sending email, inevitably someone says or does something so incredibly stupid that the entire process gets set back minutes if not hours. It can be something as simple as rigidly sticking to a troubleshooting flow chart, or as egregious as being rude and sloppy.&lt;/p&gt;

&lt;p&gt;Recently I had two negative experiences with tech support. In the first case, I tried to tunnel a Linux-based client over SSH to an X console on my workstation as a workaround until firewall rules could be implemented, but kept getting a segmentation fault (often a sign of bad programming, not generally indicative of something with the X session itself). In the second case, a vendor tech support rep was sloppy in reading the submitted ticket, replying with troubleshooting details that didn't apply to the appliance we had, despite the pertinent information being in the very first sentence (of a 4-5 sentence email).&lt;br /&gt;
&lt;/p&gt;
      &lt;p&gt;&lt;strong&gt;Just Plain Rude and Wrong&lt;/strong&gt;&lt;/p&gt;

&lt;blockquote&gt;"The [redacted] client is not meant to be used in this manner, x-forwarding, and is not supported. The [redacted] Client already has encryption built-in; a ssl based encrypted connection is used for client server communication, and sending this connection through a ssh tunnel after already being encrypted would add more overhead that is not needed. We do have a [redacted] client for MAC, it is bundled with the server much like our Windows Clients. During installation you would be prompt for a complete or custom install; selecting custom would give you the option to install just the client and not the server."&lt;/blockquote&gt;

&lt;p&gt;Not to go too far afield, but I basically see three problems with their response:&lt;br /&gt;
1) &lt;em&gt;It was rather snarky and unprofessional.&lt;/em&gt; Yes, I know, tech support people deal with idiots all the time, but why do they always seem to start from the assumption that each customer is dumb? I know Jack Daniel will disagree, but I think you really have to take the perspective of "reasonably intelligent until proven otherwise." More importantly, no matter how dumb you think your customer is, you still need to be respectful, at least in the initial conversation.&lt;br /&gt;
2) &lt;em&gt;It was based on a lot of very bad assumptions.&lt;/em&gt; The tech support rep seems to assume that I was using SSH for security reasons (more security data transport). Not true - I simply was trying to work around firewall rules that were pending. He also seemed to think that SSH introduced much overhead and that this was causing the problem. Since I was getting a seg fault after the app was already running, this seems unlikely. Last, he assumes that I'm not aware of the other clients, which is of course simply not true. I in fact had the other clients installed, but as already noted, I needed firewall rules opened up before I could get them to work.&lt;br /&gt;
3) &lt;em&gt;It didn't answer the question asked.&lt;/em&gt; Perhaps the single most irritating thing to me is that my question was never answered. I wanted to know if this seg fault issue had been experienced before, or if this was a new issue. Rather than answering the question, I instead got a snarky response full of bad assumptions that was no help whatsoever.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;It's the Little Things&lt;/strong&gt;&lt;br /&gt;
The other tech support experience I had was related to a vendor appliance on the fritz. I sent in the email, specifying serial number and model number in the very first sentence. It blew me away that the response I received instructed me to push buttons that did not exist on the model of appliance I was running. In fact, I even had to go through this a second time on the phone with tech support. They told me I needed to remove the face plate from the server and wouldn't believe me when I told them that it was already off and that there was, in fact, only one (1) button on the entire server (there wasn't even a rocker switch for the power on the back). Eventually they realized what model server I was running and switched gears, but not before wasting 20 minutes of my time.&lt;/p&gt;

&lt;p&gt;My assumption is that because of the volume of tech support requests, techs are skimming requests and not paying attention to details. This, for me, is a huge pet peeve. Don't waste my time if you can't be bothered to read through the information provided. Yes, I can be wordy at times, but at least read the first couple sentences! Anyway... suffice to say, I find repeating myself to be frustrating, especially when the initial written communication has that information, on file, in a ticket, where it can be readily reviewed. It ranks right up there with going through a phone prompt, entering your account number, and then the minute you get to a live rep having them ask for all that information all over again. Praytell, why ask me to punch it in for the system if you're not going to make use of it later? I digress...&lt;/p&gt;

&lt;p&gt;What sort of tech support annoyances have you experienced?&lt;br /&gt;
&lt;/p&gt;
   &lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=lZ2Wg17-BTQ:HjrJGfgJWmI:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=lZ2Wg17-BTQ:HjrJGfgJWmI:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=lZ2Wg17-BTQ:HjrJGfgJWmI:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=lZ2Wg17-BTQ:HjrJGfgJWmI:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=lZ2Wg17-BTQ:HjrJGfgJWmI:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=lZ2Wg17-BTQ:HjrJGfgJWmI:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=lZ2Wg17-BTQ:HjrJGfgJWmI:TzevzKxY174"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=TzevzKxY174" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=lZ2Wg17-BTQ:HjrJGfgJWmI:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=lZ2Wg17-BTQ:HjrJGfgJWmI:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=lZ2Wg17-BTQ:HjrJGfgJWmI:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/secureconsulting/ujTc/~4/lZ2Wg17-BTQ" height="1" width="1"/&gt;</content>
<feedburner:origLink>http://www.secureconsulting.net/2009/12/how_not_to_talk_to_customers.html</feedburner:origLink></entry>
<entry>
   <title>Actually, Possibility IS Probability (As Is Likelihood)</title>
   <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/secureconsulting/ujTc/~3/mFzrwT1QVLk/actually_possibility_is_probab.html" />
   <id>tag:www.secureconsulting.net,2009://12.2193</id>
   
   <published>2009-12-08T15:32:31Z</published>
   <updated>2009-12-10T21:04:56Z</updated>
   
   <summary type="html">[[ Please Note: This post has been significantly redacted since its original posting. The original opening of the post was a personal attack against an industry analyst. I found myself extremely offended by the tone and timbre of the analyst's...</summary>
   <author>
      <name>Ben Tomhave</name>
      <uri>http://www.secureconsulting.net/</uri>
   </author>
         <category term="infosec" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="10" label="infosec" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="96" label="rant" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="584" label="semantics" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.secureconsulting.net/">
      &lt;p&gt;&lt;em&gt;[[ Please Note: This post has been significantly redacted since its original posting. The original opening of the post was a personal attack against an industry analyst. I found myself extremely offended by the tone and timbre of the analyst's responses in a Twitter thread, compounded by his publishing a follow-up blog post that changed the message completely and tried to make it sound like he had been reasonable all along. Regardless, it did not justify in any way my publicly lashing out like I did, and as such I have cut all that nasty BS out of this blog post. Hopefully now this thread will represent a worthwhile contribution to the community. Of course, with the change, the title of this piece doesn't really make as much sense, but I'm sure we'll get over it... ]]&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The Twitter Thread That Started It All&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The full transcript of our exchange is below for you to read. Allow me to preface all of this by saying that trying to get a point across in 140 characters is darn near impossible, as can be evidenced by the fact that the other party completely missed my point numerous times. It's not completely his fault, of course. Human nature makes us want to be consistent with our beliefs, even in the face of overwhelming evidence that we're being a total prat.&lt;/p&gt;

&lt;p&gt;The original tweet that started it all was:&lt;br /&gt;
&lt;blockquote&gt;"Other than worms, viruses, botnets, and drive-bys, can anyone think of security threats Mac users don't really have to deal with?"&lt;/blockquote&gt;&lt;br /&gt;
My immediate response was to ask if he was being serious. Because, honestly, I thought he was joking. Why would you ever tell anybody that they shouldn't have to be concerned about common malware or targeted attacks, regardless of platform? This is tantamount to telling people "move to Mac, you'll be safer" - which is not definitively true!&lt;/p&gt;

&lt;p&gt;The problem throughout this exchange is that the other person uses circular reasoning to defend his original statement. I consistently question his assertions, and he simply points back into his own argument as proof that he's right. It's a pity, because I really would like to see his evidence that malware is not a threat to Mac users. Unfortunately, despite what his "1337 dudes who understand that stuff" tell him (I think his comment was in reference to 64-bit architecture), the people I've spoken with in the know say that Mac malware exists and is commonly used, though more in targeted, rather than widespread, attacks. I'll comment on this more below.&lt;br /&gt;
&lt;/p&gt;
      &lt;p&gt;&lt;strong&gt;Complete Thread With Commentary&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Without further ado, here's the complete exchange between the analyst and me on Friday (12/4). Note that my comments to him are prefaced with "@[ANALYST]" while his responses to me are prefaced with "@falconsview".&lt;/p&gt;

&lt;blockquote&gt;(@[ANALYST] original post) - Other than worms, viruses, botnets, and drive-bys, can anyone think of security threats Mac users don't really have to deal with?    12:27 PM Dec 4th

&lt;p&gt;@[ANALYST] are you joking or serious? on twitter nobody can hear you scream...    12:32 PM Dec 4th&lt;/p&gt;

&lt;p&gt;@falconsview I'm serious- Mac users aren't being hit with this stuff. It exists, but near 0 encounter rate.    12:33 PM Dec 4th&lt;/p&gt;

&lt;p&gt;Maybe it is only a matter of time. But we don't know the timeframe, and the risks aren't here now.    12:36 PM Dec 4th&lt;/p&gt;

&lt;p&gt;Seriously, I know OS X is loaded with vulns, but that's not the point- not that Mac users should be complacent, but the risks are different    12:37 PM Dec 4th&lt;/p&gt;

&lt;p&gt;Risk is a numbers game- and we do a disservice if we equate low risk threats with high risk just because something is possible.    12:40 PM Dec 4th&lt;br /&gt;
&lt;/blockquote&gt;&lt;br /&gt;
This exchange is fascinating, because we see immediately several problems. First, the analyst dismisses the threat of malware to Macs because he's deemed it to be a "low risk threat." Ironically, he talks about this in the context of "risk" as a "numbers game" without defining risk, context, or providing any numbers. Sorry, but you can't have it both ways. Pony up real numbers, or go home.&lt;/p&gt;

&lt;p&gt;He also makes a curious assertion, that Mac users aren't being afflicted with malware, even going so far as to declare a "near 0 encounter rate." There is a fatal flaw in his logic. If people like him are telling users not to worry about malware, and they are not running AV or thinking about malware, then how do they know whether or not they're being affected? It's an inherently false statement. If you're not paying attention or looking for malware, then you're unlikely to find it. Sure, infosec professionals might be fine in this regard, being more likely to notice something funky with their system, but the average user absolutely is not.&lt;/p&gt;

&lt;p&gt;Now compound this issue by noting that enterprises are increasingly deploying Mac workstations for their users. We're creating the conditions for a very big malware problem. Of course, never worry, the analyst down-plays it with his fuzzy math in declarative assertions, so the world will most certainly be safe, because he said so.&lt;br /&gt;
&lt;blockquote&gt;&lt;br /&gt;
@[ANALYST] ignorance is bliss... the average Mac user isn't really running any sort of AV on their system... how do they know?    12:50 PM Dec 4th&lt;/p&gt;

&lt;p&gt;@[ANALYST] lots of cross-platform bugs these days... not to mention that phishing doesn't usually care what OS you're running...    12:51 PM Dec 4th&lt;/p&gt;

&lt;p&gt;@falconsview Phishing wasn't on my list... that's on the list of *real* threats. I only have virus, worms, botnets, BT...    12:53 PM Dec 4th&lt;/p&gt;

&lt;p&gt;@falconsview Oh please- there is no evidence for widespread Mac malware. No reason for AV for most users.    12:54 PM Dec 4th&lt;/p&gt;

&lt;p&gt;@falconsview It isn't ignorance- I filter for viruses on email and never see Mac ones, just Windows ones. I don't use AV on Win7 either.    12:55 PM Dec 4th&lt;br /&gt;
&lt;/blockquote&gt;&lt;br /&gt;
Gosh, here we go, more faulty conclusions based on vacuum analysis. First off, phishing as often as not deploys malware. So, if phishing is, in fact, a concern, then why isn't malware? Also, to my point here, cross-platform vulnerabilities affect Mac users as much as Windows users, which means that malware is absolutely a threat for this platform, even if the attack is targeting an application and not the OS (at least not directly).&lt;/p&gt;

&lt;p&gt;What I find hilarious here is that the analyst's "evidence" that Mac malware is a minimal threat is based on his own limited analysis of his email AV?!? The problem here is that the analyst is suffering from the illusion that email-AV-filtering is some sort of definitive benchmark for malware. Sure, it's a great way to register the background noise, but it does nothing for targeted attacks.&lt;/p&gt;

&lt;p&gt;More importantly, for his statement to mean anything, we'd have to believe that the AV vendors are investing tremendous resources into detecting and analyzing Mac-oriented malware. Unfortunately, since Mac users have been told not to worry about malware, there is not much market for Mac AV. More importantly, the number of people who are actively monitoring or noticeably affected by Mac malware is going to be dramatically less than the resources looking at Windows. We've literally created a blind spot here, all because of this fallacy promoted by analysts that users needn't worry about Mac malware. Again... his reasoning is circular here... you don't need to worry about Mac malware, thus you won't need to deploy Mac AV, thus there will be highly limited detection of Mac malware, which means you won't be aware of much Mac malware, thus you don't need to worry about Mac malware...&lt;br /&gt;
&lt;blockquote&gt;&lt;br /&gt;
@[ANALYST] oh, man, you're not going to buy into Microsoft "64-bit is more secure" argument, too, are you?    12:59 PM Dec 4th&lt;/p&gt;

&lt;p&gt;@[ANALYST] you're changing your parms, now... you asked what threats Mac users don't have to worry about... never said "widespread" there :)    1:01 PM Dec 4th   from TweetDeck   &lt;/p&gt;

&lt;p&gt;@falconsview No- to worry about something it needs to be likely encountered by an average user. I didn't change anything.    1:03 PM Dec 4th&lt;/p&gt;

&lt;p&gt;@falconsview If you learn 64 bit architectures and anti-exploitation techniques, you find that exploitation of memory flaws is much harder    1:04 PM Dec 4th&lt;/p&gt;

&lt;p&gt;@falconsview At least that's what the 1337 dudes who understand that stuff tell me.    1:06 PM Dec 4th&lt;/p&gt;

&lt;p&gt;@[ANALYST] it's a new architecture... *shrug* I think people too often equate new to hard(er)... we'll see how things actually play out...    1:10 PM Dec 4th&lt;/p&gt;

&lt;p&gt;@[ANALYST] problem is, if the cross-plat apps continue to have issues, 32 vs 64, Win vs Mac will be decreasingly important...    1:11 PM Dec 4th&lt;/p&gt;

&lt;p&gt;@falconsview Oh yeah- there will always be attack vectors, but 64 bit really does make it harder.    1:16 PM Dec 4th&lt;/p&gt;

&lt;p&gt;@[ANALYST] harder based on how we do things today... it remains to be seen whether or not it makes it harder across the board... I assume "no"    1:17 PM Dec 4th&lt;br /&gt;
&lt;/blockquote&gt;&lt;br /&gt;
First, on Microsoft, 64-bit, and security... check out the article &lt;a target="_blank" href="http://www.maximumpc.com/article/news/64bit_windows_more_secure_now"&gt;"64-bit Windows is More Secure, for Now"&lt;/a&gt; for more on that... basically, a malware fellow at Microsoft said that 64-bit architecture is inherently more secure. The truth is that, yes, 64-bit architecture changes the game a bit, but it is far, far, far too early to be declaring any sort of victory over hackers and malware developers. It always takes a little while for malware development on new platforms, so let's hold off a couple years before we try to make any declarations.&lt;/p&gt;

&lt;p&gt;Back to the thread, the analyst has, in fact, changed the parameters. His original question asked about "security threats Mac users don't really have to deal with". He did not qualify that statement in any way, such as to say that the threats had to be widespread. He of course denies changing things up, but we all can read the thread here and see that, yes, he did in fact start changing the tune of his argument.&lt;/p&gt;

&lt;p&gt;I'm also greatly amused by his "that's what the 1337 dudes who understand that stuff tell me" comment. Who cares? People say stuff blindly all the time (kind of like all of the analyst's assertions in this thread) without having any real backing. 64-bit is a new architecture, hooray, but pardon me for not celebrating prematurely. When 2011 rolls around and we still see a limited number of malware attacks for 64-bit, then I'll concede the point. However, I think that's extremely unlikely, so you'll excuse me if I don't jump on that bandwagon too quickly.&lt;br /&gt;
&lt;blockquote&gt;&lt;br /&gt;
@falconsview I do think we'll see more cross platform via things like Flash. But pwnage will be more constrained.    1:17 PM Dec 4th&lt;/p&gt;

&lt;p&gt;@[ANALYST] well-constructed targeted attacks can be far more devastating (&amp; lucrative) than the old-school blast 'em all attacks...    1:18 PM Dec 4th&lt;/p&gt;

&lt;p&gt;@falconsview How is that germane to the original question?    1:21 PM Dec 4th&lt;/p&gt;

&lt;p&gt;@[ANALYST] your premise seems based in mainstream "hit 'em all" attacks to justify users skipping protection - seems faulty premise+logic...    1:29 PM Dec 4th&lt;/p&gt;

&lt;p&gt;@falconsview No- my premise is that attacks that are very unlikely for someone to encounter in the real world are a low risk.    1:31 PM Dec 4th&lt;/p&gt;

&lt;p&gt;@falconsview Your premise that we need to worry about anything possible has the flaw.    1:31 PM Dec 4th&lt;/p&gt;

&lt;p&gt;@falconsview And the position that because platform security has sucked, it will always suck, is ad-hominum. Classic logic flaw.    1:31 PM Dec 4th&lt;br /&gt;
&lt;/blockquote&gt;&lt;br /&gt;
Here's where the "debate" starts going off the rails. It's interesting to me that the analyst views himself as a superior debater, yet his logic is constantly flawed. His ego is writing checks his logic can't cash.&lt;/p&gt;

&lt;p&gt;So, the accusation the analyst makes here is that I'm making an &lt;a target="_blank" href="http://en.wikipedia.org/wiki/Ad_hominem"&gt;"ad hominem"&lt;/a&gt; argument (he misspelled it). What is that, exactly? Well, he's trying to say that I'm attacking him as a person rather than his argument. However, if you read back into the thread above, I'm not at any point attacking him, just his faulty, unfounded, and often idiotic assertions.&lt;/p&gt;

&lt;p&gt;The irony here is that his accusation of using an ad hominem argument is in fact tantamount to making an ad hominem argument. His assertions have no backing, so he instead decides to start attacking me. He consistently mischaracterizes my questioning of his assertions and seems to lack comprehension of the counter-arguments being made.&lt;/p&gt;

&lt;p&gt;Also curious here is his acquiescence that cross-platform attacks are valid and will continue to be a threat (even against Mac users). He quickly qualifies his agreement, however, saying that the success of these attacks will be "more constrained." Yes, this is absolutely true, but also further supports my primary argument. It's not the widespread attacks that I'm worried about, it's the targeted attacks. Read &lt;a target="_blank" href="http://www.csoonline.com/article/print/509739"&gt;"Ending the PCI Blame Game"&lt;/a&gt; to hear about the so-called "third wave" in infosec and how the world is changing.&lt;/p&gt;

&lt;p&gt;Unfortunately, the analyst is missing all of these counter-points. He's too invested in being consistent and "right" that he's not only refusing to entertain counter-arguments, but he's also decided to devolve into ad hominem arguments in his own defense.&lt;br /&gt;
&lt;blockquote&gt;&lt;br /&gt;
@[ANALYST] you're implying and assuming points I didn't make... my assertion is we can't assume "better" just because "different"...    1:33 PM Dec 4th&lt;/p&gt;

&lt;p&gt;@[ANALYST] and I never said anything ad-hominum... I never said "hey, it's Windows, it will be pwnd"...    1:33 PM Dec 4th&lt;br /&gt;
&lt;/blockquote&gt;&lt;br /&gt;
I went and looked up ad hominem for this post - it's clear from my comment here that I was thinking of something else.&lt;br /&gt;
&lt;blockquote&gt;&lt;br /&gt;
@[ANALYST] in fact, just the opposite, I'm saying "just cuz it's Mac doesn't make it more secure" - that's a completely bogus argument...    1:34 PM Dec 4th&lt;/p&gt;

&lt;p&gt;@[ANALYST] this is akin to the classic mono-culture thesis... it's only valid if 1 slice of the pie is much, much bigger than the others...    1:35 PM Dec 4th&lt;/p&gt;

&lt;p&gt;@[ANALYST] if the slices are all relatively similar in size, then it will increase target diversity, while giving the illusion of decreased...    1:36 PM Dec 4th&lt;/p&gt;

&lt;p&gt;@[ANALYST] ...threat per platform... you need to look at the whole pie, and right now we're not really doing that (not well, anyway)...    1:36 PM Dec 4th&lt;br /&gt;
&lt;/blockquote&gt;&lt;br /&gt;
I tried to introduce an analogy here, but the analyst missed the point... my point, quite simply, was that he was making a false assertion about an entire class of systems predicated on fuzzy data. Similarly, the mono-culture argument of several years ago does not necessarily hold as true today. So it goes for Mac malware. What may have been true several years ago is not a safe bet today.&lt;br /&gt;
&lt;blockquote&gt;&lt;br /&gt;
@falconsview You aren't making a cogent argument- my position is that Macs are at much lower risk of certain threats. That's the reality.    1:40 PM Dec 4th&lt;/p&gt;

&lt;p&gt;@falconsview Remember, I'm talking *today*, not trying to predict the future (on Macs)    1:41 PM Dec 4th&lt;br /&gt;
&lt;/blockquote&gt;&lt;br /&gt;
Of course the analyst doesn't find my argument believable, because I'm challenging all of his assertions. Note that he once again changes the actual basis of his argument. Remember that his first question was about what threats Mac users can ignore. He may have meant to imply all of these other things, but they were not stated, and thus cannot be assumed.&lt;/p&gt;

&lt;p&gt;The interesting thing here is that in changing his argument he is effectively conceding the point. Malware is a threat for Macs, and thus it should not be completely ignored. Now he's saying - generically - that it's a "lower risk." In what context? In what environment? How can he make this statement and have it be true for all people in all environments? He can't. This is exactly the risk-as-FUD contention I made in my recent post &lt;a target="_blank" href="http://www.secureconsulting.net/2009/11/befuddled_by_risk.html"&gt;"BeFUDdled by Risk"&lt;/a&gt;.&lt;br /&gt;
&lt;blockquote&gt;&lt;br /&gt;
@falconsview I never claimed Macs were more secure, only that they face less risk of certain attacks.    1:41 PM Dec 4th&lt;/p&gt;

&lt;p&gt;@[ANALYST] yes, you're right, Macs are not as likely to be compromised by Windows exploits - great argument    1:45 PM Dec 4th&lt;/p&gt;

&lt;p&gt;@[ANALYST] lack of data/evidence does not a case make - you cannot prove the negative - you cannot prove your original assertion    1:46 PM Dec 4th&lt;/p&gt;

&lt;p&gt;@[ANALYST] anecdotally, while you're hearing Macs have far less malware, I've heard that they make great squishy targets...    1:47 PM Dec 4th&lt;/p&gt;

&lt;p&gt;@[ANALYST] as for cogent, 140chars is hardly conducive to extensive arguments like these...    1:47 PM Dec 4th&lt;/p&gt;

&lt;p&gt;@falconsview I can completely prove my position- Mac infection rates are practically 0.    1:51 PM Dec 4th&lt;/p&gt;

&lt;p&gt;@falconsview Mac malware rates, according to the AV and cloud filtering vendors, are practically 0.    1:52 PM Dec 4th&lt;/p&gt;

&lt;p&gt;@[ANALYST] prove that assertion - show me data that evaluates a statistically significant population of Macs that are not infected...    1:52 PM Dec 4th&lt;br /&gt;
&lt;/blockquote&gt;&lt;br /&gt;
More baseless "less risk" statements. Where's the evidence? He claims he can "completely prove" his assertions, yet where is the data? As you'll see below, he sandbags my request for proof and tells me it's "all over the place". More importantly, though, is that he's basing his arguments on undefined "risk" and undefined data sources and, as such, has in no way established any credibility. He instead turns nasty in his arguments, gets frustrated, and then begins making almost exclusively ad hominem arguments (attacking me, rather than my questions).&lt;br /&gt;
&lt;blockquote&gt;&lt;br /&gt;
@falconsview You have nothing but FUD on your side. macs have vulns, but they aren't being exploited, and the numbers show that.    1:53 PM Dec 4th&lt;br /&gt;
&lt;/blockquote&gt;&lt;br /&gt;
Oh, sigh... it's funny, isn't it? He uses risk-as-FUD arguments, but then turns around and accuses me of using FUD when I question his assertions. I mean, seriously, read back... all I do is challenge his assertion. I don't make any of my own. That isn't FUD. He's fallen into this trap where I question what he says and he simply bristles and lashes out. Provide a data source, show some credibility for your argument, and then this discussion would change dramatically.&lt;br /&gt;
&lt;blockquote&gt;&lt;br /&gt;
@[ANALYST] you're relying on data from vendors who don't provide products for the platform?!? seriously??    1:53 PM Dec 4th&lt;/p&gt;

&lt;p&gt;@[ANALYST] it's not FUD - I am challenging your assertion based on lack of data, and because you cannot prove a negative    1:54 PM Dec 4th&lt;/p&gt;

&lt;p&gt;BTW- for those listening I firmly believe Apple has serious security problems with OS X. I'm not in the "invulnerable" crowd at all.    1:55 PM Dec 4th&lt;/p&gt;

&lt;p&gt;But I can't equate possibility with probability when doing a risk assessment.    1:56 PM Dec 4th&lt;br /&gt;
&lt;/blockquote&gt;&lt;br /&gt;
Ah, sigh, here again we have a problem with semantics. His entire argument devolves to the semantic issue discussed at the top of this post. Too bad he can't just admit the problem and move on. Of course, he'd also have to provide real evidence, real data, real sources, real references. That's all I ask for, but he's unable or unwilling to provide it.&lt;br /&gt;
&lt;blockquote&gt;&lt;br /&gt;
@falconsview Actually, those vendors *do* have products for the platform. Go talk to them yourself like I do.    1:57 PM Dec 4th&lt;/p&gt;

&lt;p&gt;@falconsview I don't have time in Twitter to review all the malware numbers and infection rates from many reports- go look it up yourself.    1:58 PM Dec 4th&lt;br /&gt;
&lt;/blockquote&gt;&lt;br /&gt;
And here we have the cop-out. Again, assertions with no backing. He deflects, he defers, he makes allegations and acts condescendingly, but he doesn't provide any proof. Unfounded assertions, which was my entire point of contention with all of his comments.&lt;br /&gt;
&lt;blockquote&gt;&lt;br /&gt;
@[ANALYST] there are, what, 2 vendors who have Mac-based AV, and they've released them this year? clearly there's a biz case based on threat.    1:59 PM Dec 4th&lt;/p&gt;

&lt;p&gt;@[ANALYST] provide links if you have such conclusive evidence...    2:00 PM Dec 4th&lt;/p&gt;

&lt;p&gt;@falconsview The evidence/data is all over the place, go look it up before you challenge my assertion.    2:00 PM Dec 4th&lt;/p&gt;

&lt;p&gt;@falconsview All major AV companies offer mac AV. Every single one. Some going back decades. You clearly don't know the topic.    2:01 PM Dec 4th&lt;/p&gt;

&lt;p&gt;@[ANALYST] fine, I quit - end of day here    2:03 PM Dec 4th&lt;/blockquote&gt;&lt;br /&gt;
&lt;/blockquote&gt;&lt;br /&gt;
Once again, he makes some interesting assertions. Who qualifies as a "major AV company"? As far as I know, in terms of commercial solutions, only McAfee, Symantec, and Kaspersky have solutions, of which I'm pretty sure Symantec and Kaspersky just (re)launched this past year. Sure, there are lots of "free" AV solutions for the Mac, but I'm not overly confident in them (ClamAV and AVAST are ok, I suppose, but these are not "enterprise" solutions). It looks like Trend Micro released a Mac AV solution this year, too, with a bit more googling.&lt;/p&gt;

&lt;p&gt;The point is this: what's causing AV vendors to now, in 2009, start releasing Mac AV products? Presumably because there's a market for it? What's driving the creation of that market? Merely "FUD" and pretty brochures? I find that rather unlikely. AV companies have invested significantly in Mac AV &lt;em&gt;this year&lt;/em&gt; - there has to be a strong possibility for an up-side, or they wouldn't do it. What drives this belief? The increased likelihood of a threat, of course.&lt;/p&gt;

&lt;p&gt;The funny thing here is that I don't even care if he's right or not, I just want him to actually provide some form of evidence. We spent an hour on this thread and all he did was bluster and back-pedal, changing his parameters a couple times. Oh, and degrade into derisive accusations, probably because his assertions were bogus.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Update: Ironically, Schneier has &lt;a target="_blank" href="http://www.schneier.com/blog/archives/2009/12/reacting_to_sec.html"&gt;come out and said that Mac and Linux users can ignore AV, too&lt;/a&gt;. *sigh* Not the point, but still, these broad assertions are very dangerous, especially when they come from high-profile, reasonably well-respected infosec people.&lt;/em&gt;&lt;/p&gt;
   &lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=mFzrwT1QVLk:h-ab_b5STJY:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=mFzrwT1QVLk:h-ab_b5STJY:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=mFzrwT1QVLk:h-ab_b5STJY:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=mFzrwT1QVLk:h-ab_b5STJY:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=mFzrwT1QVLk:h-ab_b5STJY:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=mFzrwT1QVLk:h-ab_b5STJY:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=mFzrwT1QVLk:h-ab_b5STJY:TzevzKxY174"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=TzevzKxY174" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=mFzrwT1QVLk:h-ab_b5STJY:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=mFzrwT1QVLk:h-ab_b5STJY:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=mFzrwT1QVLk:h-ab_b5STJY:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/secureconsulting/ujTc/~4/mFzrwT1QVLk" height="1" width="1"/&gt;</content>
<feedburner:origLink>http://www.secureconsulting.net/2009/12/actually_possibility_is_probab.html</feedburner:origLink></entry>
<entry>
   <title>Embrace Murphy's Law</title>
   <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/secureconsulting/ujTc/~3/V63iqiLgUxo/embrace_murphys_law.html" />
   <id>tag:www.secureconsulting.net,2009://12.2192</id>
   
   <published>2009-12-07T16:42:03Z</published>
   <updated>2010-01-02T23:47:28Z</updated>
   
   <summary type="html">"Anything that can go wrong will go wrong." -Murphy's Law Oftentimes misadventures and quirky failures are attributed to the Fates and Murphy's Law, as if we should have a reasonable expectation that everything will go smoothly all the time. Of...</summary>
   <author>
      <name>Ben Tomhave</name>
      <uri>http://www.secureconsulting.net/</uri>
   </author>
         <category term="infosec" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="583" label="Foreground Security" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="10" label="infosec" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="581" label="planning" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="580" label="strategy" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.secureconsulting.net/">
      &lt;blockquote&gt;"Anything that can go wrong will go wrong." -&lt;a target="_blank" href="http://en.wikipedia.org/wiki/Murphy%27s_law"&gt;Murphy's Law&lt;/a&gt;&lt;/blockquote&gt;

&lt;p&gt;Oftentimes misadventures and quirky failures are attributed to the Fates and Murphy's Law, as if we should have a reasonable expectation that everything will go smoothly all the time. Of course, given even the shortest amount of thought, the notion is absurd; especially if you work in IT! Whether we like it or not, we are dealing with complex systems every day, whether those be computers or cars or trains or planes or humans. The amount we don't know pretty much always exceeds what we do know.&lt;/p&gt;

&lt;p&gt;As such, it's time that we embrace Murphy's Law. Instead of fighting the inevitable, as has been the modus operandi of security the past few decades, we need to adopt a survivability mentality that focuses on defensible and recoverable systems and processes. Murphy's Law enlightens us greatly in this regard: if we don't embrace failure, then failure will embrace us. And, as no position is absolutely defensible, it seems that a good place to start embracing Murphy's Law is in enhancing system and process recoverability.&lt;br /&gt;
&lt;/p&gt;
      &lt;p&gt;There seem to be four key areas where a recovery mindset should always be applied:&lt;br /&gt;
 * Hardware Failures: Hard drives fail. Network links go down. Cooling fans die. Power cables get cut. These are facts, not FUD or innuendo.&lt;br /&gt;
 * Schedule Failures: It's not always possible to get the right people in the right place at the right time. It's not always possible to get the right equipment ordered and delivered on the schedule desired.&lt;br /&gt;
 * People Issues: We like to believe that people are capable of being consistent and reliable, and for the most part this is true. However, Murphy's Law tells us that we should expect key people to encounter unforeseen issues, such as sickness or family emergencies, at the least opportune time.&lt;br /&gt;
 * Unclear Requirements: One of the more fatal flaws in managing projects or people is failing to clearly articulate the expectation for performance. Yet, even when requirements are specified clearly and concisely, it can be difficult to achieve a common understanding. As such, one should expect fuzziness around requirements, and thus gaps between expected and actual performance.&lt;/p&gt;

&lt;p&gt;To address some of these challenges, and to help embrace Murphy and his Law, these key practices are recommended:&lt;br /&gt;
 - Update Policies: Policies provide your first line of due diligence effort when it comes to planning for the unexpected. Organizations should be familiar with business continuity planning and disaster recovery plans (BCP/DRP), but remember to expand those to account for more than just your typical break-fix scenarios. Additionally, policies for sick leave and remote access should be brought into the current era by allowing for extraordinary circumstances. Despite the media hype surrounding Avian Influenza and Swine Flu (H1N1), these plans should take into consideration pandemic scenarios (this Fall has already seen particularly virulent cold and flu strains). Plans should also consider natural disasters, man-made disasters, etc.&lt;br /&gt;
 - Ensure Remote Access Capabilities: One key consideration in the face of schedule and people challenges is finding ways to bring people together online when face-to-face collaboration isn't possible. Teleconference solutions, unified communications using VoIP and instant messaging, and video conference technologies have all matured well in the past few years to meet some of these needs. In terms of remote access, one additional consideration is to discuss spike license agreements with your VPN vendor, such as to be used in the case of a pandemic or weather disaster that would necessitate a largely remote work force for a short period of time.&lt;br /&gt;
 - Have a Communication Plan: It is imperative that organizations have communication plans in place, and that they provide personnel with routine awareness training about the communication plan. Severe weather, such as blizzards, ice storms, or tornadoes, can bring commuting to a standstill. The sudden emergence of a quickly spreading pandemic can force a switch into an emergency remote-worker configuration. In all cases, it's important to establish multiple communication vehicles, make personnel aware of those vehicles, and then follow the plan as needed. Incidentally, don't just rely on a single web site for your status communication, since the loss of your computing facilities could make it rather difficult to get the message out. Instead, make sure your communication plan is suitably diverse, making use of two or more communication vehicles for primary communication with personnel.&lt;br /&gt;
 - Test It! One of the worst things you can do is write policies and plans without testing them. In the middle of a crisis is the wrong time to learn that you made an error in planning. Instead, test plans on a regular basis (at least annually). This advice goes double for failover sites. If you don't test failover plans, then how do you know that they'll work? The last thing you want to do is compound an event by having additional failures. An ounce of prevention is worth a pound of cure.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;(Note: this was originally cross-posted from a previous employer's site, but they let me go, so I'm yanking the link-back.)&lt;/em&gt;&lt;br /&gt;
&lt;/p&gt;
   &lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=V63iqiLgUxo:UheZD8DFAYs:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=V63iqiLgUxo:UheZD8DFAYs:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=V63iqiLgUxo:UheZD8DFAYs:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=V63iqiLgUxo:UheZD8DFAYs:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=V63iqiLgUxo:UheZD8DFAYs:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=V63iqiLgUxo:UheZD8DFAYs:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=V63iqiLgUxo:UheZD8DFAYs:TzevzKxY174"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=TzevzKxY174" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=V63iqiLgUxo:UheZD8DFAYs:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=V63iqiLgUxo:UheZD8DFAYs:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=V63iqiLgUxo:UheZD8DFAYs:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/secureconsulting/ujTc/~4/V63iqiLgUxo" height="1" width="1"/&gt;</content>
<feedburner:origLink>http://www.secureconsulting.net/2009/12/embrace_murphys_law.html</feedburner:origLink></entry>
<entry>
   <title>Creating Epic Fail Conditions: PCI and Best Practices</title>
   <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/secureconsulting/ujTc/~3/K3bmW_Fdg_E/creating_epic_fail_conditions.html" />
   <id>tag:www.secureconsulting.net,2009://12.2191</id>
   
   <published>2009-12-04T21:56:23Z</published>
   <updated>2009-12-05T03:05:13Z</updated>
   
   <summary type="html">I grow increasingly impatient over the entrenched status quo. Throughout all the blah-blah from vendors, analysts, consultants, etc., there is very little new - let alone hopeful - news to look forward to. Why? Because the old school mindset fails...</summary>
   <author>
      <name>Ben Tomhave</name>
      <uri>http://www.secureconsulting.net/</uri>
   </author>
         <category term="infosec" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="10" label="infosec" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="51" label="innovation" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.secureconsulting.net/">
      &lt;p&gt;I grow increasingly impatient over the entrenched status quo. Throughout all the blah-blah from vendors, analysts, consultants, etc., there is very little new - let alone hopeful - news to look forward to. Why? Because the old school mindset fails time and time again. Why? Because the objectives are all wrong. Forget about risk - there's &lt;em&gt;almost&lt;/em&gt; no point in trying to manage it right now (for a number of reasons, as if organizations are really managing info risk right now anyway). If you want to survive, then you must establish a (legally) defensible position and then focus on recoverability, since it's not &lt;em&gt;if&lt;/em&gt; but &lt;em&gt;when&lt;/em&gt; bad things will happen.&lt;/p&gt;

&lt;p&gt;Fear not... despite the semi-angst-like nature of my opening paragraph, not all hope is lost. In fact, honestly, there's reason to be very hopeful, if only we can get mainstream thinking to shift away from the failed old ways. Old ways such as relying on "best practices" (aka &lt;a target="_blank" href="http://www.dilbert.com/strips/comic/2008-09-03/"&gt;"mediocrity"&lt;/a&gt;) and checklists (*cough*PCI*cough*). You cannot simply look for a list of known bad things (*ahem*AVIDSIPSFWACLDLP*ahem*) and then hope that everything will be ok. Instead, you absolutely, positively MUST build a program that is flexible (see my Sept. '09 ISSA Journal article &lt;a target="_blank" href="http://falcon.secureconsulting.net/pubs-talks/Elasticity-ISSA-Journal-Sept-2009.pdf"&gt;"Elasticity: Will your organization bend or break?"&lt;/a&gt;), that seeks to achieve a (legally) defensible position, and that optimizes recoverability for its environment (see &lt;a target="_blank" href="http://www.secureconsulting.net/2009/08/defensibility_and_recoverabili.html"&gt;"Defensibility and Recoverability"&lt;/a&gt;).&lt;br /&gt;
&lt;/p&gt;
      &lt;p&gt;This latest line of contention (perhaps sounding like a broken record from me) was triggered by a couple things I read today. First up, &lt;a target="_blank" href="http://www.csoonline.com/article/509739/Ending_the_PCI_Blame_Game"&gt;"Ending the PCI Blame Game"&lt;/a&gt; by Phil Mellinger (CEO, Turiss) posted on CSO Online. In it, Mellinger proposes changing the game, in part to get away from the "blame game" (aka "litigation"), though it's unclear what the new game is really supposed to be. He proposes five steps to the future, which are:&lt;/p&gt;

&lt;p&gt;1) &lt;em&gt;A moratorium on litigation to eliminate the "blame game"&lt;/em&gt; - This is just a bad idea, because the "blame game" (aka "litigation") &lt;em&gt;should&lt;/em&gt; drive companies toward adopting a legally defensible position. A short-term moratorium might be ok, but only to give companies a chance to refocus on doing the right things (i.e. defensibility and recoverability). More importantly, achieving such a moratorium would really take an act of Congress, and that seems highly unlikely to happen.&lt;/p&gt;

&lt;p&gt;2) &lt;em&gt;Mellinger wants PCI to evolve to address so-called "third-wave attacks"&lt;/em&gt; - This is a moronic approach, promoting more of the same stupidity that got us here in the first place. We need to quit writing checklist responses to known threats. Instead, we need to require due diligence and define how you measure due diligence and then let the details sort themselves out (in court and on the books). If the position is not legally defensible, then companies will lose in court and the markets, plain and simple.&lt;/p&gt;

&lt;p&gt;3) &lt;em&gt;Improve fraud intelligence&lt;/em&gt; - This is very reasonable, though as part of an overall program, NOT simply adding more checklist items to PCI. Mellinger says "This is a complete change in our current PCI dogma..." but I'm not convinced what he's asking for really is a change. What he's advocating is more of the same reactivity and checklist response. Threat intelligence is great for feeding the evolution of security programs, but only when the programs focus on defensibility and recoverability (i.e. survivability).&lt;/p&gt;

&lt;p&gt;4) &lt;em&gt;Changes are needed in international laws that create sanctuaries for attackers&lt;/em&gt; - I absolutely agree, though this is only the responsibility of companies involved from a lobbying perspective. Addressing this issue will require political leverage and diplomacy. Good luck with that - I won't hold my breath. Competing nation-states have too much to gain strategically in maintaining these sanctuaries. The only way I could see this really happening is if the number of attacks originating from countries like the USA against countries like Russia and China were to increase dramatically (and be incredibly successful). Such a shift in the balance of attacks could drive all parties toward unilateral agreements equivalent to Cold War era agreements.&lt;/p&gt;

&lt;p&gt;5) &lt;em&gt;"...new security approaches must be developed to thwart attackers and their weapons..."&lt;/em&gt; - Yes, this is definitely a good idea, but again, this should be driven by the desire for achieving a (legally) defensible position and for optimizing recoverability; it should NOT be driven by some sort of old school reactionary mindset.&lt;/p&gt;

&lt;p&gt;The other article that got me thinking about how things are so broken, but that there may be a light at the end of the tunnel, was Bejtlich's &lt;a target="_blank" href="http://taosecurity.blogspot.com/2009/12/let-hundred-flowers-blossom.html"&gt;"Let a Hundred Flowers Blossom"&lt;/a&gt; post today. Overall, I think he's pretty solid on his premise, though - as usual - he makes me nervous as his progressiveness sounds marginally reactive. It's striking the balance that is important, of course, between reactive and proactive measures. Field-assessed security, done well, can be very effective in building a defensible position, but it does not in any way decrease the importance of recoverability.&lt;/p&gt;

&lt;p&gt;One thing he does bring up that concerns me is the mono-culture argument... is this argument really valid any more? It seems to me that there are a couple flaws in it. Part of the mono-culture argument is that you don't want everything on the exact same system, because if you do that, then one compromise can affect everything. However, this isn't terribly close to reality, is it? Rarely will a single OS-level exploit (for example) successfully target Windows XP, Vista, 2003 Server, 2008 Server, and Windows 7 (dare I say it would never happen?). Application-level attacks would be a different story, of course, but the point is this: is there even such a thing as a mono-culture any more?&lt;/p&gt;

&lt;p&gt;The other aspect of the mono-culture argument is based on a premise that one slice of the pie is significantly larger than all the other slices, such that moving your platform to a smaller slice will benefit you by making you less of a target. Unfortunately, if enough platforms switch over time (as has happened), then the slices become more comparable in size. At some point, all (major) slices become equally appealing. While this may reduce the number of attacks against the originally dominant platform, one would expect to see a correlated increase in attacks against the other major slices. As such, has anything improved from a security standpoint? It seems that you still have to focus on defensibility and recoverability, and simply relying on a less popular platform is nowhere near adequate in either case.&lt;/p&gt;

&lt;p&gt;Lastly, I would agree with him that some standards are needed, but I think they need to be outcome-oriented, requiring:&lt;br /&gt;
 - analysis and capabilities that achieve recoverability objectives&lt;br /&gt;
 - adequate measures be implemented to achieve a legally defensible posture&lt;br /&gt;
 - a shift in mindset from "winnable" to "survivable" online conflicts/incidents/events&lt;/p&gt;

&lt;p&gt;Comparably, attackers have nothing to lose while the targets have everything to lose. This sort of skewed loss ratio tells us that we cannot hope to be 100% successful, and thus must focus on reducing the size of the losses. We can only achieve this through a survivability approach that seeks to build a (legally) defensible position with optimized recoverability.&lt;br /&gt;
&lt;/p&gt;
   &lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=K3bmW_Fdg_E:A_Pn-w0NkXc:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=K3bmW_Fdg_E:A_Pn-w0NkXc:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=K3bmW_Fdg_E:A_Pn-w0NkXc:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=K3bmW_Fdg_E:A_Pn-w0NkXc:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=K3bmW_Fdg_E:A_Pn-w0NkXc:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=K3bmW_Fdg_E:A_Pn-w0NkXc:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=K3bmW_Fdg_E:A_Pn-w0NkXc:TzevzKxY174"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=TzevzKxY174" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=K3bmW_Fdg_E:A_Pn-w0NkXc:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=K3bmW_Fdg_E:A_Pn-w0NkXc:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=K3bmW_Fdg_E:A_Pn-w0NkXc:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/secureconsulting/ujTc/~4/K3bmW_Fdg_E" height="1" width="1"/&gt;</content>
<feedburner:origLink>http://www.secureconsulting.net/2009/12/creating_epic_fail_conditions.html</feedburner:origLink></entry>
<entry>
   <title>BeFUDdled by Risk</title>
   <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/secureconsulting/ujTc/~3/AAxFhXxQBkk/befuddled_by_risk.html" />
   <id>tag:www.secureconsulting.net,2009://12.2189</id>
   
   <published>2009-11-30T15:35:51Z</published>
   <updated>2009-11-30T15:38:50Z</updated>
   
   <summary type="html">"You keep using that word. I do not think it means what you think it means." -Inigo Montoya in The Princess Bride In the past couple months I've come to hate the word "risk" and its associated phrase "risk management."...</summary>
   <author>
      <name>Ben Tomhave</name>
      <uri>http://www.secureconsulting.net/</uri>
   </author>
         <category term="infosec" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="285" label="FUD" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="10" label="infosec" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="379" label="risk" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="5" label="stupidity" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.secureconsulting.net/">
      &lt;blockquote&gt;"You keep using that word. I do not think it means what you think it means." -Inigo Montoya in &lt;em&gt;The Princess Bride&lt;/em&gt;&lt;/blockquote&gt;

&lt;p&gt;In the past couple months I've come to hate the word "risk" and its associated phrase "risk management." It's not because risk itself is inherently bad or wrong, or that the need for good, quality risk management has changed. Rather, it's the overuse and misuse of the term that is really grating on me. Despite a lot more talk about risk, it seems that it's even less understood and even more poorly defined than ever before.&lt;/p&gt;

&lt;p&gt;Perhaps the most egregious "risk" annoyance is its constant use as a FUD hammer for pushing products or agendas. It seems that every time we turn around, &lt;em&gt;somebody&lt;/em&gt; is proclaiming that &lt;em&gt;something&lt;/em&gt; is a &lt;strong&gt;HIGH RISK&lt;/strong&gt; (bold, all caps, exclamation, exclamation, exclamation, omg we're all gonna die!). Unless, of course, we buy their product or support their agenda.&lt;br /&gt;
&lt;/p&gt;
      &lt;p&gt;This problem is pervasive across multiple industries, most of which are these days loosely associated with "security" (I heard an ad on the radio last week that Northrop Grumman is now describing itself as a "security services company" - not because they're doing anything different, mind you, but because that's where a lot of the money is... homeland security, national defense and security, cyberwarfare and cybersecurity, etc.). Not that this is any different than ever before, but it seems that you cannot trust much of anything you read or hear these days. If you do, you'll be buying into irrational, FUD-based agendas that seek only to take your money and leave you no better off.&lt;/p&gt;

&lt;p&gt;This line of thinking makes me wonder... if you're not particularly experienced with security or risk management, what hope do you have of really dealing effectively with any of this FUD and BS? If some vendor or VAR or consultant comes in making bold statements about "high risk" findings or issues, how do you evaluate and validate what's being said?&lt;/p&gt;

&lt;p&gt;It seems to me that every time someone hears the word "risk" they should immediately jump to a quick interrogation based on the following rubric:&lt;br /&gt;
1) Has "risk" been defined in my context?&lt;br /&gt;
2) Has the identified "risk" been prioritized within my context?&lt;br /&gt;
3) Is the "risk" being used to describe a problem or to promote a "solution"?&lt;br /&gt;
4) Has the "risk" been properly weighted against comparable concerns?&lt;/p&gt;

&lt;p&gt;If the answers to these questions are inadequate, or simply "no," then you probably have a case of risk abuse on your hands. #3 there is a particular red flag to watch out for, with vendors, politicians, and mainstream media most notorious for flogging "critical issues" with "high risk" that are taken completely out of context and hyped up well beyond anything reasonable. If a vendor sends you marketing materials that talk about "risk" at all, then you should be highly suspicious. How do they know what is or is not a high risk for your organization?&lt;/p&gt;

&lt;p&gt;We could go on to talk about how to structure risk profiles and a risk management program, but it's too much at this point. Organizations are failing at the simple step of vetting and validating what they're hearing. Until organizations and people quit accepting all "risk" claims at face value, there's really no point in talking about risk management. Why? Because you won't get the right kind of understanding or buy-in necessary to be successful.&lt;/p&gt;

&lt;p&gt;It's time we empower people to challenge blind assertions. It's time to give them the basic tools, such as the responsibility to question what they're told, to begin fighting the rising tide of what is no less than fraud and deceit. Once these basic steps are taken, then we can talk about how to evolve that into a formal risk management program.&lt;/p&gt;

&lt;p&gt;Refuse to be terrorized. Refute blind assertions. Question all non-contextual risk statements.&lt;/p&gt;
   &lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=AAxFhXxQBkk:NUqgTVLx4GM:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=AAxFhXxQBkk:NUqgTVLx4GM:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=AAxFhXxQBkk:NUqgTVLx4GM:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=AAxFhXxQBkk:NUqgTVLx4GM:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=AAxFhXxQBkk:NUqgTVLx4GM:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=AAxFhXxQBkk:NUqgTVLx4GM:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=AAxFhXxQBkk:NUqgTVLx4GM:TzevzKxY174"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=TzevzKxY174" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=AAxFhXxQBkk:NUqgTVLx4GM:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=AAxFhXxQBkk:NUqgTVLx4GM:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=AAxFhXxQBkk:NUqgTVLx4GM:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/secureconsulting/ujTc/~4/AAxFhXxQBkk" height="1" width="1"/&gt;</content>
<feedburner:origLink>http://www.secureconsulting.net/2009/11/befuddled_by_risk.html</feedburner:origLink></entry>
<entry>
   <title>Life As a Moving Experience</title>
   <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/secureconsulting/ujTc/~3/w4kX5LSpIxQ/life_as_a_moving_experience.html" />
   <id>tag:www.secureconsulting.net,2009://12.2188</id>
   
   <published>2009-11-24T02:05:49Z</published>
   <updated>2009-11-24T02:08:30Z</updated>
   
   <summary type="html">I've moved a lot over the years. Cross-country twice this year already for starters, plus the move to NoVA from MT in 2003, the move to Central PA from MT, and then back, in 2002, down to Chicago in '98,...</summary>
   <author>
      <name>Ben Tomhave</name>
      <uri>http://www.secureconsulting.net/</uri>
   </author>
         <category term="Life_Lessons" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="510" label="lessons" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="578" label="life" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="579" label="moving" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.secureconsulting.net/">
      &lt;p&gt;I've moved a lot over the years. Cross-country twice this year already for starters, plus the move to NoVA from MT in 2003, the move to Central PA from MT, and then back, in 2002, down to Chicago in '98, up to the Twin Cities in '99, and the move to MT in '01 in the first place. On top of all these home moves, we've also done a ton of driving vacations, driving through the vast majority of continental states in the last 10 years (I've driven through or in every state except SC, OR, and NE). Suffice to say, my life is about being in-motion, or so it seems.&lt;/p&gt;

&lt;p&gt;Given this experience, I thought it only appropriate to sit back and reflect a bit on the moves of the last 10 years. There are lots of interesting lessons to learn, and I hope that you'll find these interesting and, perhaps, a wee bit amusing.&lt;br /&gt;
&lt;/p&gt;
      &lt;p&gt;&lt;strong&gt;Communication Is Essential&lt;/strong&gt;&lt;br /&gt;
It is vitally important to communicate clearly on multiple levels. For instance, in '99 my Dad helped me move from Chicago to the Twin Cities. I had a cell phone, but he didn't. At one point during the trip, after a refueling stop, we hit the interstate and headed off. Next thing I knew, he was nowhere to be seen. I had no way to contact him. I slowed down, I stopped, but overall I was at a loss. We were heading the same direction, but I was in the faster vehicle of the two (he drove the truck). Even if I was only 5 miles ahead, if our speed difference was only 5mph, then it would take an hour for him to catch-up; and that assumed I could maintain a slow enough speed that entire hour! (we caught up eventually - we used my mom at home as a relay and eventually met up again)&lt;/p&gt;

&lt;p&gt;In other cases, it's the little things, such as a destination address. This last move everything ended up working out, but it was touch-n-go for a while. I simply wasn't sure if I was going to have a lease agreement before the movers left with all our stuff. While this was perhaps not the biggest problem, it was still an additional cause for stress in that I was on the verge of seeing all my things off without knowing if they would have a place to go in the end.&lt;/p&gt;

&lt;p&gt;The little things can be a killer, too. Lease negotiations took seemingly forever after this move, not only because of a bad relay (the renting realtor), but because there was a single overly-restrictive clause that needed changing. In the end, I called the owner directly, explained my concerns, and we had an agreement that night, but until that point the "telephone game" paradigm came into play. The right message just wasn't getting through.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Strap The Rack On Right&lt;/strong&gt;&lt;br /&gt;
It's the little things that matter most. Little things like getting enough sleep before putting things together, or strapping the bike rack onto the car the right way. In 2002 I moved across country to work for ICSA Labs. We were completely broke, and in fact couldn't even afford to move both of us (my wife ended up staying in MT while I was in PA - not a great time in our lives). Anyway, so we drove both cars cross-country for the move. I put my bike on the back of my wife's car. As it turns out, I did a lousy job of mounting the rack on the trunk. About 35 miles on the road, it fell off her car at the most inopportune time. I didn't notice until 20 minutes later that she wasn't behind me due to the road being windy and hilly.&lt;/p&gt;

&lt;p&gt;Attention to detail, especially when packing, is of the utmost importance. Failure to read the fine print, put enough padding around delicate items, or to otherwise ensure that things are done well and right can result in loss and damage. Or, more importantly, significant emotional distress, as happened to my wife, and then to me, when the bike fell off the back of her car, she disappeared, and was in a dead zone for cell coverage. Crazy times that could have been avoided with a little clear thinking.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Don't Overload The Boxes&lt;/strong&gt;&lt;br /&gt;
It is too easy to be clever about packing boxes. You figure "hey, I have so many cubic inches, I might as well use every last one, right?" Well, no, actually, space in boxes is not a bad thing. Especially when it comes to heavy items like books and dishes. Books, in particular, can be very easy to overload into boxes, as we learned the hard way in 2004 when we made a local move in VA.&lt;/p&gt;

&lt;p&gt;My wife - an elementary teacher - has a large library of kids books. Both of us are avid readers, too, so we have a fairly large personal library as well. We picked boxes that were too big and filled them full of books. At the time we were moving from a 3-level townhouse, where the entry way was an immediate 25-step climb, into a single-level apartment on the 4th floor of the complex. We hired movers to help with things. They were not happy campers, for a couple reasons. At the destination, they literally refused to haul the book boxes up to the apartment, requiring us to instead open boxes and empty half their contents into laundry baskets - to haul upstairs on our own - rather than deal with the weight. (the other reason they were unhappy is the next topic: Tipping)&lt;/p&gt;

&lt;p&gt;In our recent cross-country moves we found that, while the volume of our belongings only calculated out to be about 7,000 lbs., the actual weight was closer to 10,000 lbs. Why? Book boxes. We had somewhere in the range of 50 small boxes full of books and running an estimated 40-50 lbs. each. This weight adds up very quickly. Fortunately, we'd at least learned by this time to use smaller boxes (yay us), but there was significant extra cost in moving all this mass.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Tip Generously&lt;/strong&gt;&lt;br /&gt;
My philosophy today, now that I'm completely broke, is "always take care of those taking care of you." In other words, tip generously - especially when you've had very good service, or when you're entrusting others with your care or the care of your valuables and belongings. Thus far, in all the moves (I've personally moved 12 times since Feb '99, including 5 cross-country moves [MT-&gt;PA, PA-&gt;MT, MT-&gt;VA, VA-&gt;AZ, and AZ-&gt;VA]) we've had very little breakage. We forgot a kitchen drawer once (MT-&gt;VA move), and we lost a cheap floor lamp this last time (the base snapped off). However, thus far (with about 50% unpacked), it appears that everything else is fully intact.&lt;/p&gt;

&lt;p&gt;So, you might be wondering how much I tipped the movers (I certainly wasn't sure how much to tip before). It varied a bit from region to region given the variance in cost of living, but I generally tipped $40-50/pp (mover or driver) and then added a little extra on the top for the driver. I tipped at both ends (so the driver got double, since they're primarily responsible for your belongings). Also, I gave the tip to the driver directly and let him/her divvy it up to the rest of the team.&lt;/p&gt;

&lt;p&gt;Note that I apply generous tipping to other areas, too, such as food and beverage. Because the math is easy, I frequently tip about 20% for good standard table service, and higher for exceptional service (less - sometimes much less - for worse service). I always tip bartenders well - especially when running a tab.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Living Minimally Is Difficult&lt;/strong&gt;&lt;br /&gt;
There are really three aspects to this point. First, stuff really accumulates quickly! It's amazing how fast books and clothes and other random stuff pile up. And every move seems to entail buying piles of stuff that you only need for that specific place. It's rather infuriating.&lt;/p&gt;

&lt;p&gt;Another challenge with minimal living is that it's too easy to become accustomed to all the various amenities of life. Television, for example. It's amazing how much time can be wasted in front of the TV. On the flip side, we've also found that it's rather silly to pay for TV now that we have a toddler because there's rarely time to lounge around in front of the tube (with the exception of Sunday NFL football).&lt;/p&gt;

&lt;p&gt;Lastly, living out of a suitcase is a pain. Moving twice this year required multi-day drives across country, which meant living out of a suitcase with the bare essentials. Many times we started to look for things only to realize that they were packed. Now we have extras of certain necessities because we had to buy them on the road (toothpaste, razors, etc.).&lt;/p&gt;

&lt;p&gt;All the little things add up quickly, especially when multiplied by what is considered "normal" by modern standards (like shaving daily).&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Beds Are A Necessity&lt;/strong&gt;&lt;br /&gt;
As much as we like the outdoors, camping really is not much fun, mainly because of sleeping on the ground. For longer periods of time, sleeping on the floor is simply not an option. I know, because I did it for 6 months, relying just on a camp mat, and I was miserable. Not only was I miserable, but I was not getting good quality sleep, which created one of those self-reinforcing cycles (never underestimate the importance of sleep).&lt;/p&gt;

&lt;p&gt;In moving this time we got rid of our "guest bed" (sofa sleeper) before leaving AZ. Since our stuff wasn't scheduled to arrive until a few days after we moved into our new place, I made the decision to buy a new bed. Why? Well, because we needed a guest bedroom outfitted, but also because it provided a good opportunity to buy an inexpensive-yet-decent bed to sleep on until our own bed arrived. I highly recommend this approach, if you can afford it and have the space.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Spare Tires &amp; Roadside Assistance&lt;/strong&gt;&lt;br /&gt;
One might think that the argument for a spare tire is iron clad. Absolutely, it can be handy to have one, as I've found on at least one occasion. At the same time, I'm not fully convinced that they're actually altogether useful. On two different cross-country moves we had a car trunk full of stuff when we got a flat. Were we honestly supposed to empty our trunk to get the little donut spare so that we could drive 50mph down the highway to the next town? I guess that's the theory, but it seems rather silly.&lt;/p&gt;

&lt;p&gt;In both of these cases we ended up with a tire shop coming out to us. In the first case we had a tire hazard warranty on the tire, so the tire service company simply brought a replacement tire, which it installed, with the other one marked as totaled. In the second case, the service truck was able to put air in the tire so that we could limp into town to the shop, where they pulled and patched the tire. In neither case did we end up having to unload the trunk, which is good.&lt;/p&gt;

&lt;p&gt;The lesson here, I think, is that tire warranties and roadside assistance plans are far more important than the spare tires themselves. In the case of my Ford Escape, I'm not even sure if I &lt;em&gt;have&lt;/em&gt; a spare tire (I think I might, but I've not remembered to crawl underneath to look). It's quite possible that I don't have a spare at all, which doesn't even really faze me all that much now. It's not like it's really benefited me much to have a spare over the years.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Weight vs Volume Is Tricky, Or: Getting Screwed By Movers&lt;/strong&gt;&lt;br /&gt;
In our attempt to live minimally, we have done a fairly good job of having very compact moves. This might seem like a good thing, but in the end can lead to getting burned, too. Specifically, book boxes (mentioned before) can lead to adding a lot of weight to a load without adding much volume. This last move we were fortunate to have reasonably honest estimators who looked through the house and then added lots of weight for books and weights.&lt;/p&gt;

&lt;p&gt;You have to be very careful, though. Eagle-eyed, really, to make sure that the mover isn't going to completely screw you on the estimate. As it is, though we didn't have to pay out-of-pocket for the move to AZ, we definitely got screwed. Somehow the driver got a final weight that was a good 2,000 lbs. more than it should have been. Which leads me to...&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Scams, Scams Everywhere&lt;/strong&gt;&lt;br /&gt;
If you ever have the opportunity to move with a moving company, BEWARE!!! There are lots of bad companies out there doing a lot of scammy, scummy work. There is apparently very little regulation or enforcement in this market, and thus it's an industry rife with corruption.&lt;/p&gt;

&lt;p&gt;First and foremost, check out &lt;a href="http://www.movingscam.com/"&gt;http://www.movingscam.com/&lt;/a&gt; before you sign anything. It could very well save your bacon. It's amazing (appalling?) how many moving scams are out there. Here are a couple common scams:&lt;br /&gt;
 * Empty Fuel Tank Weight: An unscrupulous driver may provide an initial truck weight with empty fuel tanks, and then weigh the truck loaded with full fuel tanks. This can add a ton of weight (almost literally!).&lt;br /&gt;
 * Non-Binding Estimate: As I'll note below, you should get a binding estimate with a max amount to be paid. Otherwise, you could get asked to pay more after your load has been loaded and moved.&lt;br /&gt;
 * Hostage Loads: One apparently common practice is that cut-rate movers will give you a very low quote, but then will suddenly jack the price on the other end. They'll tell you due to unforeseen circumstances, your load price is now much, much, much more. Pay up or they'll just keep your goods in storage until you agree to the new terms. You can file complaints, etc., but you may not be able to get your belongings for a while.&lt;br /&gt;
 * Cash or Cashiers Check on Delivery: This appears to be the hallmark of most cut-rate scam movers. They'll accept a deposit up front on credit card, and even accept the first half of the estimate on credit card, but then will require a cash or cashiers check for the last half. Combine with the last point on hostage loads and you see how the scam works out for them. Even if you challenge the charge(s) on your card, they still get away with cash in hand. Good for them, bad for you.&lt;br /&gt;
 * Non-refundable Deposits: Another attribute of a scam seems to be a non-refundable deposit. It's custom to require first half payment up front for personal moves, but this deposit nonsense seems to be specific to scam movers.&lt;br /&gt;
 * BBB Accreditation (or not): Check the BBB listing for the mover you're looking to work with. Don't be surprised to find multiple listings for some of these scam movers. I almost bought into a scam fully (Oasis Moving), who claimed to be BBB Accredited, but was unable to provide proof. There were 3 listings on the BBB site - 2 listings for companies of the same name in other states, and then a non-accredited listing for the company in Las Vegas with which I seemed to be working. Note that, regardless of accreditation, you may still be able to find ratings online. C- is not a good rating, btw.&lt;br /&gt;
 * No Live Estimator: The scam companies seem to rely on your own estimates, rather than on the estimates of professional estimators. The professional moving companies I queried (United, Graebel, Atlas, Bekins, etc.) all sent (or offered to send) estimators to walk through the house. The scam companies did not. Oftentimes they just wanted you to do all the work for them. RED FLAG!&lt;br /&gt;
 * High Pressure Sales: A true hallmark of scams is a time limit: your estimate is supposedly only good for a short while. Don't believe it. They're trying to pressure you into making a bad decision. If you're sensing pressure from a moving company, dump them ASAP because they're probably trying to scam you.&lt;br /&gt;
 * "Too Good To Be True": Use common sense. If estimates from live estimators are consistently at a given level, yet some online company is significantly cheaper, you should be extremely skeptical. Where do they get the cost savings from? Cheaper equipment? Doubtful. Fuel charges are obviously the same. Cheaper labor? Probably not such a good idea. Sure, there's probably &lt;em&gt;some&lt;/em&gt; wiggle room in the profit margin, but not 30-50%.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Get a Binding Estimate&lt;/strong&gt;&lt;br /&gt;
If at all possible, get a binding estimate. Beware "estimates" that allow for +/- 10% (or more!) because you will inevitably end up paying + and not -. A binding estimate will set the top end for the cost of the move, with few exceptions. In the case of my move, the binding estimate from S&amp;M Moving (a United carrier) was very good, and the company had reasonably good reviews, too. It's nice to know that you can't get burned after the fact with all sorts of add-on costs thanks to a poor estimate.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Assembly Required Can Be Good/Bad&lt;/strong&gt;&lt;br /&gt;
Bookshelves and other storage materials that can be disassembled can be great for a compact move. However, at the same time, reassembling everything can be a pain, not to mention trying to keep track of all the hardware. In our case, we made some good choices with Libra shelving from the now-defunct Organized Living a few years ago. These shelves have served us very well. They're nothing special, yet decent pine construction with inlaid wood reinforcement. Anyway, I digress.&lt;/p&gt;

&lt;p&gt;Non-disassembled furniture of the cheap-ish variety can actually be as much, if not more of, a pain as having to reassemble everything post-move. I say, spend a little bit more on decent disassemble-able shelving and ditch the heavy, cheapy chain store shelving. Bakers racks also make for durable, compact shelving, though they tend to be fairly hefty. Nonetheless, with a careful eye you can usually save a lot of trouble by getting decent take-apart shelving instead of stuff with cardboard backing that can be easily damaged.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Moving Into A New Home Is Expensive&lt;/strong&gt;&lt;br /&gt;
It seems like it's always the hidden costs that kill you on the move. Eating dinner on the road for several days. Black-out curtains in a room with a southern exposure. Floor lamps for rooms with no ceiling lights. Rugs and mats for slippery hard floors. The list goes on and on. I figure that with almost every major move, there's probably in the ballpark of $2,000 in hidden costs associated with all the little "extras" that you have to put into the place. That kind of money adds up quickly - especially if you move twice in a year (*ahem*)!&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Don't Forget A Towel&lt;/strong&gt;&lt;br /&gt;
It can be the little things that are the most annoying. Like moving into a new place and forgetting to bring a towel or shower curtain. Or running out of soap or toothpaste or what-have-you in the middle of nowhere. It's not that these things are necessarily hard to get, but that you have to stop your forward progress for a side-trip to get the little things. Oh, sigh. :)&lt;/p&gt;

&lt;p&gt;Seriously, though, when you think through a move, I highly recommend throwing in the little hygiene items you would need right away upon moving in. A towel, maybe sheets and a pillow, and so on. Especially if you're driving cross-country and can afford the extra little bit of space in your vehicle.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Protect Your Health&lt;/strong&gt;&lt;br /&gt;
As if being sick isn't miserable enough, try being sick leading up to, during, and/or right after you move. It's miserable, and that's an understatement. And, I had the wonderful misfortune of this experience this last move (back to VA). I came down with a severe cold about a week before the move. Then I flew round-trip, making it worse. Driving cross-country was ok, though I went through tissue like crazy. All the hotel rooms made it worse, not to mention the really long days of endless driving. Sleep was in short supply (I'm looking at you Albuquerque and your stupid closed I-40 all night for a movie set!!!). All of these things led to a perfect storm that made me extremely sick, and even made our daughter very sick (she landed in the hospital with a severe case of the croup). For my part, my severe cold became a sinus infection and tonsillitis, followed by a stomach virus. 3 weeks of severe yuck, really. Not to mention the impact to the brain given all the sleep deprivation.&lt;/p&gt;

&lt;p&gt;Sleep is important. Health is important. Eating well is important. Minimizing stress is important. All of these things will be challenged in a cross-country move. &lt;/p&gt;

&lt;p&gt;Suffice to say, I'm done with moving for a while. As of right now, I feel like if I never moved again it would be too soon. Not to worry, though. Give me a couple years here and I'm sure the wanderlust will return. For now, though, I'm going to tuck under the covers and hide out for a bit. :)&lt;/p&gt;
   &lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=w4kX5LSpIxQ:9yfX1REQaxE:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=w4kX5LSpIxQ:9yfX1REQaxE:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=w4kX5LSpIxQ:9yfX1REQaxE:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=w4kX5LSpIxQ:9yfX1REQaxE:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=w4kX5LSpIxQ:9yfX1REQaxE:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=w4kX5LSpIxQ:9yfX1REQaxE:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=w4kX5LSpIxQ:9yfX1REQaxE:TzevzKxY174"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=TzevzKxY174" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=w4kX5LSpIxQ:9yfX1REQaxE:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=w4kX5LSpIxQ:9yfX1REQaxE:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=w4kX5LSpIxQ:9yfX1REQaxE:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/secureconsulting/ujTc/~4/w4kX5LSpIxQ" height="1" width="1"/&gt;</content>
<feedburner:origLink>http://www.secureconsulting.net/2009/11/life_as_a_moving_experience.html</feedburner:origLink></entry>
<entry>
   <title>Top 11 Signs We Never Settled in Phoenix</title>
   <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/secureconsulting/ujTc/~3/ujemMAkj91I/top_11_signs_we_never_settled.html" />
   <id>tag:www.secureconsulting.net,2009://12.2187</id>
   
   <published>2009-11-23T21:37:32Z</published>
   <updated>2009-11-24T01:49:20Z</updated>
   
   <summary type="html">11. Half our garage was full of packed boxes. 10. Only one car (of two) got AZ plates. 9. Bookshelves were never reassembled. 8. Half my clothes were still in tubs. 7. Only the kiddo had a doctor. 6. We...</summary>
   <author>
      <name>Ben Tomhave</name>
      <uri>http://www.secureconsulting.net/</uri>
   </author>
         <category term="humor" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="17" label="humor" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="1" label="misc" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.secureconsulting.net/">
      &lt;p&gt;11. Half our garage was full of packed boxes.&lt;br /&gt;
10. Only one car (of two) got AZ plates.&lt;br /&gt;
9. Bookshelves were never reassembled.&lt;br /&gt;
8. Half my clothes were still in tubs.&lt;br /&gt;
7. Only the kiddo had a doctor.&lt;br /&gt;
6. We never bothered to find a dentist.&lt;br /&gt;
5. We never bothered moving closer to our employers.&lt;br /&gt;
4. We never adjusted to having deadly creepy crawlies around the house. *shudder*&lt;br /&gt;
3. We kept all our winter clothing.&lt;br /&gt;
2. We still think 85 is a fairly warm day.&lt;br /&gt;
1. We sprinted at the first chance to move away.&lt;br /&gt;
&lt;/p&gt;
      
   &lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=ujemMAkj91I:8ftvuEdSPE0:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=ujemMAkj91I:8ftvuEdSPE0:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=ujemMAkj91I:8ftvuEdSPE0:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=ujemMAkj91I:8ftvuEdSPE0:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=ujemMAkj91I:8ftvuEdSPE0:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=ujemMAkj91I:8ftvuEdSPE0:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=ujemMAkj91I:8ftvuEdSPE0:TzevzKxY174"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=TzevzKxY174" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=ujemMAkj91I:8ftvuEdSPE0:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=ujemMAkj91I:8ftvuEdSPE0:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=ujemMAkj91I:8ftvuEdSPE0:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/secureconsulting/ujTc/~4/ujemMAkj91I" height="1" width="1"/&gt;</content>
<feedburner:origLink>http://www.secureconsulting.net/2009/11/top_11_signs_we_never_settled.html</feedburner:origLink></entry>
<entry>
   <title>How NOT To Build a Security Program</title>
   <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/secureconsulting/ujTc/~3/IZIsgJyAzho/how_not_to_build_a_security_pr_1.html" />
   <id>tag:www.secureconsulting.net,2009://12.2186</id>
   
   <published>2009-11-13T22:12:39Z</published>
   <updated>2009-11-13T22:28:04Z</updated>
   
   <summary type="html">Andy Willingham (Andy ITGuy, @andywillingham) had a post up early this week titled "Building a security program from the ground up". It's an interesting read, though a bit on the naive side. Having just come out of an environment where...</summary>
   <author>
      <name>Ben Tomhave</name>
      <uri>http://www.secureconsulting.net/</uri>
   </author>
         <category term="infosec" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="577" label="green field" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="575" label="program" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="261" label="security" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.secureconsulting.net/">
      &lt;p&gt;Andy Willingham (Andy ITGuy, @andywillingham) had a post up early this week titled &lt;a href="http://www.andyitguy.com/blog/?p=822"&gt;"Building a security program from the ground up"&lt;/a&gt;. It's an interesting read, though a bit on the naive side. Having just come out of an environment where my role was to build a security program from the ground up, I have a little bit of insight into this challenge. Despite my own failure and eventual inexplicable job loss, there is still much to learn, and much that I can add to this discussion.&lt;/p&gt;

&lt;p&gt;Of course, it wouldn't be right to talk about this topic without first acknowledging one of my major biases; that is, my strong preference toward the model I developed specifically toward how to structure an information assurance program (see my earlier posts &lt;a href="http://www.secureconsulting.net/2009/07/do_you_need_a_security_departm.html"&gt;"Do You Need a Security Department?"&lt;/a&gt; and the slightly older &lt;a href="http://www.secureconsulting.net/2008/03/my_philosophy_of_security.html"&gt;"My Philosophy of Security"&lt;/a&gt;). Below is a snapshot of the TEAM Model, which I'll most likely mention in my responses.&lt;br /&gt;
&lt;center&gt;&lt;a href="http://www.secureconsulting.net/2009/07/16/TEAMv2.png"&gt;&lt;img src="http://www.secureconsulting.net/2009/07/16/TEAMv2.png" border="0" vspace="5" hspace="5" width="50%" height="50%"&gt;&lt;/a&gt;&lt;/center&gt;&lt;br /&gt;
&lt;/p&gt;
      &lt;p&gt;With that said, let me tackle some of Andy's comments and my gripe with them. Please note that I am working from the assumption of "building a security program from the ground up" and all that this implies (such as that there isn't already a program in place).&lt;/p&gt;

&lt;blockquote&gt;"Here are a couple of assumptions: They already have a firewall and host based security suite installed and up to date. Beyond that, it’s a crap shoot."&lt;/blockquote&gt;

&lt;p&gt;These are rather unfortunate assumptions. What is meant by "host based security suite"? AV? Something else? If you're coming into an existing organization to build a security program from the ground up, then you shouldn't come in with any assumptions. I've been in more than one organization that hasn't had a firewall, let alone ANY host-based security (no AV, no HIDS, no logging, no monitoring, etc). Assumptions - especially bad assumptions - can be very bad things (see what &lt;a href="http://securosis.com/blog/always-assume"&gt;a certain analyst says on this topic&lt;/a&gt;).&lt;/p&gt;

&lt;p&gt;If you're going to assume anything going into a new "green field" opportunity like this, it should be that nothing exists, nothing is being done, and that you will be met with inordinate amounts of resistance and organizational inertia. You should assume that you will have been given the "happy" story during the interview process, and that reality is far more stark. You should also assume that, despite the lip service paid in the interviews, there will be no way to know the commitment of executive management until you are actually onboard and asking them to put some skin in the game.&lt;/p&gt;

&lt;blockquote&gt;"If I were coming into a company and had a free hand to do what I wanted I would first look at what I could do to get the biggest bang for my buck quickly and then focus on the long-term strategic planning."&lt;/blockquote&gt;

&lt;p&gt;Here we have another bad implicit assumption. There's no such thing as having a "free hand to do what I wanted" in an existing organization. To think otherwise is to be somewhat deluded. The reality is that the business existed before you got there, and it's likely to exist without you being there in the future, or so they'll all be thinking in the back of their minds.&lt;/p&gt;

&lt;p&gt;In the comments of Andy's post Kevin Riggins makes the excellent observation that one of the first things you're going to need to do is go back to executive management AFTER the interview (and after you've started, presumably) to truly test their commitment and support. Without it, your life will be much more difficult. If you're thinking "not true, you can always do bottom-up", then sure, that's ok for certain operational concerns, but don't you dare bring up strategy or risk. :)&lt;/p&gt;

&lt;blockquote&gt;"I’d say the first thing I’d do is implement a monitoring system so I can have some insight into what is going on."&lt;/blockquote&gt;

&lt;p&gt;This comment isn't wrong, per se, it just fast-forwards through a number of steps. Monitor what? Logs? IDS? Firewall logs? Do you have a log server? Are you talking about *shudder* a SIEM solution? At the same time, what about policies and practices? So you're monitoring and seeing bad things... then what? Do you have the policies and executive support necessary to actually do something when you start seeing badness (and it definitely is &lt;em&gt;when&lt;/em&gt; and not if).&lt;/p&gt;

&lt;p&gt;Your goal from the outset should be to quickly assess the state of the environment and start architecting a path to a defensible and recoverable posture (see my posts &lt;a href="http://www.secureconsulting.net/2009/08/defensibility_and_recoverabili.html"&gt;"Defensibility and Recoverability"&lt;/a&gt; and &lt;a href="http://www.secureconsulting.net/2009/10/surviving_in_degraded_conditio.html"&gt;"Surviving in Degraded Conditions: A Human Analogy"&lt;/a&gt; for more on what this means). Note that I say "quickly assess". Depending on the size of the organization, this could be done fairly quickly. Walk through a facility or two, talk to as many people as possible, from execs to tech to the manager in between, and then start building that roadmap.&lt;/p&gt;

&lt;p&gt;More important than anything here is that you need to learn what is critical to the business. If X blows up, then Y really bad consequence will occur. That sort of thing.&lt;/p&gt;

&lt;p&gt;Also, note here that I'm not even talking about "risk" at all. Forget about risk for a moment and just think about basic prioritization. It very simply comes down to a) identifying what's critical to the business, b) defending what's critical to the business, and c) building contingency plans for adequate recovery of what's critical to the business &lt;strong&gt;when&lt;/strong&gt; something bad happens.&lt;/p&gt;

&lt;blockquote&gt;"Once that was in place I’d probably implement a Vulnerability Management program that starts with Application and OS patching and then focus on the scanning, testing, exploiting etc..."&lt;/blockquote&gt;

&lt;p&gt;I have to be honest, my jaw dropped a bit when I read this one. That's quite the leap in logic. Don't get me wrong, patching is very important, but the way he says it here, almost nonchalantly, gives one the false impression that this is somehow easy or trivial. There is, in fact, so much more that needs to be done than simply going out and implementing such a program. Change management, configuration management, access control and management, etc. Sure, none of these are mandatory for patching, but they absolutely have ties into a Vulnerability Management program. As for scanning, testing, and exploiting... well, let's just say that this is somewhat jumping the gun, and an area where one needs to be very cautious, too.&lt;/p&gt;

&lt;p&gt;Specifically, as you shift from the "push and pray" patch model to a formal Vulnerability Management program, don't forget that you are going to need to know what changes are being made in your environment, when they're going in, what they're doing (impact), who made the change, and who authorized them, among other things. Yes, get the patching going (if it's not already), but hold off on the Vulnerability Management project until you have a better handle on processes.&lt;/p&gt;

&lt;p&gt;---&lt;br /&gt;
After the last quote he talks about awareness training, governance, and policies &amp; procedures being all run in parallel as much as possible. Gack. He talks earlier about long-term strategic planning, which is good in theory, but in practice not so much. He ends with "This is just a starting point." Fair enough, but the approach is far too technical without really knowing or understanding anything about the business, the environment, and - far more importantly - the people.&lt;/p&gt;

&lt;p&gt;Allow me to offer alternative advice:&lt;ol&gt;&lt;li&gt;&lt;strong&gt;Garner Strong Executive Support:&lt;/strong&gt; You must have strong executive support. None of this &lt;a href="http://www.secureconsulting.net/2009/07/on_responsibility_without_auth.html"&gt;"responsibility without authority"&lt;/a&gt; nonsense. The minute you walk through the door, you will have to seek out and build support for everything you want to do. Unless you're given the authority to go make changes directly (extremely unlikely) then you will have to get various levels of management onboard for everything you want to do. Passive resistance can be deadly.&lt;/li&gt;&lt;br /&gt;
&lt;li&gt;&lt;strong&gt;Lightning Assessment:&lt;/strong&gt; You must understand what is important to the business, as well as begin to get a picture of why things are the way they are today (tech decisions, etc.). I'm not advocating here any sort of formal assessment, and I'm certainly not talking about "risk" anything. This is quite literally a very rapid organizational walk-through, if you will, to see who's around, what people do, and, more important than anything else, what is absolutely critical to the business. If you're unable to find this out, then I suggest looking for a new job, because what you're facing will be a situation not dissimilar to the one I was in. If the business doesn't have a solid direction ("making money" is not a solid direction), then you're not going to have much luck contributing to the success of the business. By the way, in addition to identifying what is critical to the business, you should also keep your eyes peeled for major gaping holes that need immediate redress.&lt;/li&gt;&lt;br /&gt;
&lt;li&gt;&lt;strong&gt;Share Responsibility, Gain Accountability:&lt;/strong&gt; Security needs to be a responsibility shared by everybody in the organization. Hence the role of basic awareness training. What I'm talking about here is something more radical. It's not enough to try to make people aware of security. Instead, you need them to have a vested interest in making sure critical assets are defended and can be recovered rapidly when something bad happens. From the investment comes a lever for establishing accountability. And, sad to say, it's then time to help move the business back from the squishy touchy-feely approach and get HR engaged so that when people do dumb, stupid, or patently bad things, they are disciplined accordingly, up to and including termination of employment. We seem to have lost the edge in the business world, and this is one area where we can start getting it back.&lt;/li&gt;&lt;br /&gt;
&lt;li&gt;&lt;strong&gt;Not All Low-Hanging Fruit Are Equal:&lt;/strong&gt; It's very tempting to walk into a new situation and immediately chase after the things that you personally know how to handle quickly and easily. Unfortunately, those things may be completely worthless in the grand scheme of things (well, not &lt;em&gt;completely&lt;/em&gt;, I suppose). Based on the outcome of your Lightning Assessment above, you should know what's truly important to the business. From this, you should then be able to start focusing on how well protected those critical assets are. This is where you should start tackling low-hanging fruit. Now, obviously at the same time you need to keep an eye out for gaping holes that are so egregious that they cannot be allowed to stand.&lt;/li&gt;&lt;br /&gt;
&lt;li&gt;&lt;strong&gt;Fight to Simplify:&lt;/strong&gt; One of the biggest challenges in a ground-up opportunity is keeping yourself grounded. It's too easy - as I can attest from first-hand experience - to get completely overwhelmed by everything that needs to be done. This is why I recommend the previous steps, forcing yourself to find the truly important systems and then focus almost exclusively on them. It could be argued that this approach could be dangerous, and that is absolutely true. A long-term focus on just a narrow slice of the enterprise is foolhardy. It will lead you to an outcome akin to all the major breaches we've read about recently. Now, in fact, this whole stripped-down approach is meant as a starter, not as a long-term strategy. At some point, you will have to look at the big picture. BUT... you can't really do any of that until you first establish the basics, building some political capital that will then free you to move onto bigger, better things.&lt;/li&gt;&lt;br /&gt;
&lt;li&gt;&lt;strong&gt;Documentation and Processes:&lt;/strong&gt; The one thing you will definitely have in your control is the ability to generate documentation. Whether it goes anywhere is, of course, a different story, but it is at least one thing you can - and definitely should - make use of. You'll want to document your findings, your short-term plans, your ideas, your low-hanging fruit, your critical business findings, etc. The other piece of documentation that is very useful relates to processes. It's great to start by documenting what people are doing today, and then offering incremental improvements to better formalize and standardize those practices. Similarly, if nothing formal is being done (e.g. change management), you can develop basic processes to get the fundamentals in place (a formal write-up, a formal approval, a paper trail) and then you can go about iterating through incremental improvements over time as necessary. The key take-aways here are that a) you can write documentation from Day 1, and b) make sure to bear in mind the difference between writing a process and having it followed.&lt;/li&gt;&lt;br /&gt;
&lt;li&gt;&lt;strong&gt;Strategy:&lt;/strong&gt; Everybody wants one, but how many actually use them? Seriously. Security has historically been reactive in nature. There are many proactive things we can do to help reduce some threats, but in the grand scheme of things it can be very difficult to make a case for proactive efforts until you have a baseline against which to measure success. Nonetheless, you will need a big picture at some point - though preferably after the first 6 months. The important role of a strategy is that it will look at the full breadth of the organization, rather than the short-term focus you've maintained just on critical resources. You NEED to look at everything at some point, because it is the weak links that will lead to the deepest attacks. Your strategy should also establish levels of tolerance for downtime, interruption, and loss of data. What we're talking about here is taking the critical resources initial assessment and expanding that into a broader conversation with executive management about how much pain they can tolerate in certain areas. This will help you set overarching priorities for the long-term. It will help you determine what your minimal level of defensibility and recoverability will need to be.&lt;/li&gt;&lt;br /&gt;
&lt;/ol&gt;&lt;/p&gt;

&lt;p&gt;It would be easy to go on and on and on here, but I think the main points are covered. Certainly, there are other ways to tackle this challenge, but the above represents a significant chunk of what I learned in my 7 months facing such a challenge.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;(Please Note: This is cross-posted from the &lt;a href="http://www.t2pa.com/cores/security-and-privacy/practical-security"&gt;T2PA Practical Security Core&lt;/a&gt;.)&lt;/em&gt;&lt;br /&gt;
&lt;/p&gt;
   &lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=IZIsgJyAzho:Q_7LELD-AY4:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=IZIsgJyAzho:Q_7LELD-AY4:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=IZIsgJyAzho:Q_7LELD-AY4:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=IZIsgJyAzho:Q_7LELD-AY4:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=IZIsgJyAzho:Q_7LELD-AY4:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=IZIsgJyAzho:Q_7LELD-AY4:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=IZIsgJyAzho:Q_7LELD-AY4:TzevzKxY174"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=TzevzKxY174" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=IZIsgJyAzho:Q_7LELD-AY4:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=IZIsgJyAzho:Q_7LELD-AY4:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=IZIsgJyAzho:Q_7LELD-AY4:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/secureconsulting/ujTc/~4/IZIsgJyAzho" height="1" width="1"/&gt;</content>
<feedburner:origLink>http://www.secureconsulting.net/2009/11/how_not_to_build_a_security_pr_1.html</feedburner:origLink></entry>
<entry>
   <title>A Couple (Brief) Political Quibbles...</title>
   <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/secureconsulting/ujTc/~3/uZAVEZm-XFw/a_couple_brief_political_quibb.html" />
   <id>tag:www.secureconsulting.net,2009://12.2185</id>
   
   <published>2009-11-12T21:01:13Z</published>
   <updated>2009-11-12T21:09:30Z</updated>
   
   <summary type="html">If you don't care about politics, or other peoples' views on politics, please skip this post... :) I wanted to comment on two things that I've found rather annoying of late: health care reform and the Nobel Peace Prize. On...</summary>
   <author>
      <name>Ben Tomhave</name>
      <uri>http://www.secureconsulting.net/</uri>
   </author>
         <category term="politics" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="1" label="misc" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="32" label="politics" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.secureconsulting.net/">
      &lt;p&gt;If you don't care about politics, or other peoples' views on politics, please skip this post... :)&lt;/p&gt;

&lt;p&gt;I wanted to comment on two things that I've found rather annoying of late: health care reform and the Nobel Peace Prize.&lt;/p&gt;

&lt;p&gt;On health care reform, I'm at a loss. Despite all the doom and gloom and FUD, I think people are failing (once again) to get ticked off for the right reasons. Specifically, writing a law that says "thou shalt have health insurance" is &lt;strong&gt;NOT&lt;/strong&gt; a national health care plan. Look at how poorly states do enforcing their requirement for car insurance. Now the federal government is supposed to use a similar tack, nationally, for all people? Please. It's complete bollocks, and I really think this thing should be put out of our misery. Basically, my taxes are going to be increased so that the federal government can do... what exactly?&lt;/p&gt;

&lt;p&gt;On the Nobel Peace Prize, I'm at a bit of a loss to explain how a president who's served less than a year in office can win it. What has he done? I mean, I'm all for supporting President Obama, but his win here greatly cheapens this award. By all rights, he should have thanked the committee for their support and good intentions and then turned it down. Seriously. A prize unearned is no prize at all. I'm very disappointed in the Nobel committee.&lt;/p&gt;
      
   &lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=uZAVEZm-XFw:CJ9DcRp_v8w:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=uZAVEZm-XFw:CJ9DcRp_v8w:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=uZAVEZm-XFw:CJ9DcRp_v8w:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=uZAVEZm-XFw:CJ9DcRp_v8w:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=uZAVEZm-XFw:CJ9DcRp_v8w:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=uZAVEZm-XFw:CJ9DcRp_v8w:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=uZAVEZm-XFw:CJ9DcRp_v8w:TzevzKxY174"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=TzevzKxY174" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=uZAVEZm-XFw:CJ9DcRp_v8w:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=uZAVEZm-XFw:CJ9DcRp_v8w:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=uZAVEZm-XFw:CJ9DcRp_v8w:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/secureconsulting/ujTc/~4/uZAVEZm-XFw" height="1" width="1"/&gt;</content>
<feedburner:origLink>http://www.secureconsulting.net/2009/11/a_couple_brief_political_quibb.html</feedburner:origLink></entry>
<entry>
   <title>Big, Nasty, Unfixed Adobe Flash Bug</title>
   <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/secureconsulting/ujTc/~3/9D01If5y0GU/big_nasty_unfixed_adobe_flash.html" />
   <id>tag:www.secureconsulting.net,2009://12.2184</id>
   
   <published>2009-11-12T18:44:31Z</published>
   <updated>2009-11-12T18:50:26Z</updated>
   
   <summary type="html">Hello kind souls! Just wanted to give you a heads-up on a new Flash vulnerability that affects any Flash server that allows uploads of any sort. Adobe has confirmed the vulnerability and shrugged about how to fix it. For the...</summary>
   <author>
      <name>Ben Tomhave</name>
      <uri>http://www.secureconsulting.net/</uri>
   </author>
         <category term="infosec" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="10" label="infosec" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="574" label="vuln" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.secureconsulting.net/">
      &lt;p&gt;Hello kind souls! Just wanted to give you a heads-up on a new Flash vulnerability that affects any Flash server that allows uploads of any sort. Adobe has confirmed the vulnerability and shrugged about how to fix it.&lt;/p&gt;

&lt;p&gt;For the full details, please visit the Foreground Security release:&lt;br /&gt;
&lt;a href="http://www.foregroundsecurity.com/MyBlog/flash-origin-policy-issues.html"&gt;http://www.foregroundsecurity.com/MyBlog/flash-origin-policy-issues.html&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;i&gt;(Please Note: I am an employee of Foreground Security. That being said, this is a nasty bugger.)&lt;/i&gt;&lt;/p&gt;
      
   &lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=9D01If5y0GU:YPdhpKTQ5-k:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=9D01If5y0GU:YPdhpKTQ5-k:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=9D01If5y0GU:YPdhpKTQ5-k:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=9D01If5y0GU:YPdhpKTQ5-k:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=9D01If5y0GU:YPdhpKTQ5-k:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=9D01If5y0GU:YPdhpKTQ5-k:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=9D01If5y0GU:YPdhpKTQ5-k:TzevzKxY174"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=TzevzKxY174" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=9D01If5y0GU:YPdhpKTQ5-k:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=9D01If5y0GU:YPdhpKTQ5-k:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=9D01If5y0GU:YPdhpKTQ5-k:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/secureconsulting/ujTc/~4/9D01If5y0GU" height="1" width="1"/&gt;</content>
<feedburner:origLink>http://www.secureconsulting.net/2009/11/big_nasty_unfixed_adobe_flash.html</feedburner:origLink></entry>

</feed>
