<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/atom10full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><feed xmlns="http://www.w3.org/2005/Atom" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0">
   <title>The Falcon's View</title>
   <link rel="alternate" type="text/html" href="http://www.secureconsulting.net/" />
   
   <id>tag:www.secureconsulting.net,2009://12</id>
   <updated>2009-07-16T17:10:36Z</updated>
   <subtitle>Mental meanderings of an infosec obsessive...</subtitle>
   <generator uri="http://www.sixapart.com/movabletype/">Movable Type 3.32</generator>

<link rel="license" type="text/html" href="http://creativecommons.org/licenses/by-sa/3.0/" /><logo>http://creativecommons.org/images/public/somerights20.gif</logo><link rel="self" href="http://feeds.feedburner.com/secureconsulting/ujTc" type="application/atom+xml" /><feedburner:emailServiceId>secureconsulting/ujTc</feedburner:emailServiceId><feedburner:feedburnerHostname>http://feedburner.google.com</feedburner:feedburnerHostname><entry>
   <title>On "Responsibility Without Authority"</title>
   <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/secureconsulting/ujTc/~3/u3M3Mlv2Aa0/on_responsibility_without_auth.html" />
   <id>tag:www.secureconsulting.net,2009://12.2140</id>
   
   <published>2009-07-16T17:06:51Z</published>
   <updated>2009-07-16T17:10:36Z</updated>
   
   <summary type="html">Continuing my line of thinking from my previous post, "Do You Need a Security Department?", I wanted to speak to this notion of having responsibility without authority. It seems to be a problem common to many security people in their...</summary>
   <author>
      <name>Ben Tomhave</name>
      <uri>http://www.secureconsulting.net/</uri>
   </author>
         <category term="infosec" scheme="http://www.sixapart.com/ns/types#category" />
         <category term="musings" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="10" label="infosec" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="357" label="musings" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.secureconsulting.net/">
      &lt;p&gt;Continuing my line of thinking from my previous post, &lt;a href="http://www.secureconsulting.net/2009/07/do_you_need_a_security_departm.html"&gt;"Do You Need a Security Department?"&lt;/a&gt;, I wanted to speak to this notion of having responsibility without authority. It seems to be a problem common to many security people in their respective organizations, and it perplexes me greatly.&lt;br /&gt;
&lt;/p&gt;
      &lt;p&gt;Traditionally, the response to this problem has been to undertake building a security organization that could essentially assert authority over key areas (access management, risk management, audit/testing, logging and monitoring, incident response, etc.). This approach made sense because most orgs were (are?) rife with people who simply do not "get" security. Rather than undertake a massive educational effort alone, which would take time and extend exposure, it instead made sense to just take ownership of these areas to ensure that the "right things" were done.&lt;/p&gt;

&lt;p&gt;Today, however - and this is really the underlying point of &lt;a href="http://www.secureconsulting.net/2009/07/do_you_need_a_security_departm.html"&gt;my post&lt;/a&gt; - that may not necessarily be the best approach. It will absolutely depend on the organization, no doubt about it. And I'm not saying you cannot or should not continue with the traditional approach. However, it bears consideration whether or not it is optimal and effective to grab authority rather than to simply make sure that the responsibility itself is properly placed.&lt;/p&gt;

&lt;p&gt;If you think about it, security likely should not be truly responsible for much of anything. This whole "responsibility without authority" scenario is, in fact, a grave injustice that enables bad behavior; specifically, behavior where people deflect responsibility inappropriately. Culturally, this seems to jibe with a larger issue (reminds me of Douglas Adams' &lt;a href="http://en.wikipedia.org/wiki/Somebody_Else%27s_Problem"&gt;"SEP field generator"&lt;/a&gt; concept). If you don't have to own your actions, then you don't have to act responsibly or appropriately. Requirements without consequences for failing to conform are worthless.&lt;/p&gt;

&lt;p&gt;In the end, I'm increasingly inclined to believe that the reason we are where we are in this industry is because we in security roles have taken on too much responsibility. It's time to stop enabling bad behavior.&lt;br /&gt;
&lt;/p&gt;
   &lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=u3M3Mlv2Aa0:OCHa648pBSM:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=u3M3Mlv2Aa0:OCHa648pBSM:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=u3M3Mlv2Aa0:OCHa648pBSM:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=u3M3Mlv2Aa0:OCHa648pBSM:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=u3M3Mlv2Aa0:OCHa648pBSM:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=u3M3Mlv2Aa0:OCHa648pBSM:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=u3M3Mlv2Aa0:OCHa648pBSM:TzevzKxY174"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=TzevzKxY174" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=u3M3Mlv2Aa0:OCHa648pBSM:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=u3M3Mlv2Aa0:OCHa648pBSM:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=u3M3Mlv2Aa0:OCHa648pBSM:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/secureconsulting/ujTc/~4/u3M3Mlv2Aa0" height="1" width="1"/&gt;</content>
<feedburner:origLink>http://www.secureconsulting.net/2009/07/on_responsibility_without_auth.html</feedburner:origLink></entry>
<entry>
   <title>Do You Need a Security Department?</title>
   <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/secureconsulting/ujTc/~3/PuzST51rx1w/do_you_need_a_security_departm.html" />
   <id>tag:www.secureconsulting.net,2009://12.2139</id>
   
   <published>2009-07-16T06:36:46Z</published>
   <updated>2009-07-16T16:34:55Z</updated>
   
   <summary type="html">(There's been some confusion about my post here. I'm not saying you "can't" set up a security department. I'm questioning whether you "should" set one up. I wonder if we've not created major problems for ourselves by taking too much direct...</summary>
   <author>
      <name>Ben Tomhave</name>
      <uri>http://www.secureconsulting.net/</uri>
   </author>
         <category term="infosec" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="10" label="infosec" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="51" label="innovation" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.secureconsulting.net/">
      &lt;p&gt;&lt;strong&gt;&lt;em&gt;(There's been some confusion about my post here. I'm not saying you "can't" set up a security department. I'm questioning whether you "should" set one up. I wonder if we've not created major problems for ourselves by taking too much direct ownership over the years, effectively creating a "nanny state" where the front-line folks aren't actually expected to act responsibly.)&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;I had an interesting discussion with my boss today, and I think it warrants further exploration. To give a little background, I'm the head of security for a mid-size tech firm. My role is new, meaning there haven't been any "formal" security practices in the past. Note that this does not mean they've not been doing security "stuff" - just that there hasn't been anything formal around it.&lt;/p&gt;

&lt;p&gt;One of my challenges in this position has been to determine how best to set up a formal security program. This is a well-established company, with a variety of obligations and requirements, and that is running on a tight staff. There are not spare people to go around, which means that getting much of anything done is an uphill battle.&lt;br /&gt;
&lt;/p&gt;
      &lt;p&gt;Without going into my approach (that's a post for another day), I wanted to delve into an interesting side-discussion. Specifically, I've begun to wonder if it's really necessary to have a formal, dedicated security department any more. I wonder if we've perhaps reached the point where we simply need a few dedicated champions in key positions, possibly even with a matrix report-to relationship with your CISO/CSO, who can help drive initiatives within each respective area, ranging from risk management to policies to operations to development to audit and testing and beyond.&lt;/p&gt;

&lt;p&gt;Ok, I lied, let me talk about my view of the big picture for 1 minute (give or take). The following diagram shows my updated TEAM Model (v2), for which I will be releasing a revised white paper in the not-too-distant future. I think it is fairly self-explanatory, but wanted to highlight it quickly, with this comment: You cannot implement all of this in one big shot at an existing organization - particularly one with limited resources.&lt;/p&gt;

&lt;center&gt;&lt;a target="_blank" href="http://www.secureconsulting.net/2009/07/16/TEAMv2.png"&gt;&lt;img border="0" vspace="5" hspace="5" width="50%" height="50%" src="http://www.secureconsulting.net/2009/07/16/TEAMv2.png"&gt;&lt;/a&gt;&lt;/center&gt;

&lt;p&gt;Alrighty, back from that little segue, let's now talk about whether or not you really need a dedicated security department. Overall, I think the answer depends on the context. How big is your organization? What's your resource picture? How are responsibilities currently aligned and assigned? The reason these questions are important is because it helps define your constraints/scope. If you're in a situation like mine where you have no other resources but yourself, no pre-existing formal program, and really not much to lean on, then that is much different from, say, a large corporation that already has a lot of pre-existing program in place.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The IT Insource/Outsource Sine Wave&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;One key consideration in this question is financial prudence, and it seems to strongly resemble the sine wave cycle for evaluating whether to insource or outsource given IT functions. The insource/outsource sine wave is a modulation wave that swings between "definitely outsource" and "definitely insource" based on the cost to the organization. Without delving too much into the theory behind it, consider that a 2-person company is likely much better suited outsourcing a lot of IT than it is in trying to hire a staff to bring the services in-house. However, as that 2-person company grows, they will eventually cross a threshold where it actually makes more fiscal sense to bring those roles in-house. Similarly, if the company again continues to grow, they will eventually cross the threshold again where they can outsource the entirety of IT operations at a price point that is lower than the cost of keeping those resources internal.&lt;/p&gt;

&lt;p&gt;Note that this sine wave does not look at other key factors, such as risk management or quality, but instead focuses solely on cost-effectiveness. A more complete analysis would obviously look at other factors to ensure that the quality of services being provided, for example, were in keeping with the expectations of the organization in either insource or outsource models. But I digress...&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What's Really Important?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Thinking back to my TEAM Model, then, I wonder what functions are really necessary as part of a dedicated security function, versus what can be delegated out to the respective teams for performance. Again, bear in mind that the ultimate answer will vary depending on the organizational context. That being said, I think it's safe to draw these conclusions:&lt;/p&gt;

&lt;p&gt; * If you already have a risk management team, then it makes sense to integrate information risk management into it. In fact, this approach may be far superior to keeping information risk management separate. Note that there may be an opportunity cost in getting your existing risk management team up-to-speed, but there may be significant long-term value here as well.&lt;/p&gt;

&lt;p&gt; * Much of information security management responsibilities are operational in nature. You don't necessarily need dedicated security people hardening systems or writing secure code. In fact, I would argue that you almost never should have dedicated security people performing those functions, but should instead focus on ensuring that your existing personnel are well-trained.&lt;/p&gt;

&lt;p&gt; * Logging, monitoring, and incident response is an area where I'm going to expect a lot of push-back. Why? Because, let's be honest, we security people don't tend to trust others in the organization (admit it! :). However, let's think about this for a minute. If you have proper policies and reporting in place, why can't you rely on your operations team to implement central logging and monitoring? In terms of incident response, show me an operational team that's not already doing this. Now, there is a potential major exception, and that's in ensuring a forensically sound response to a breach that may require legal support. However, once again, many organizations already have outsourcing arrangements with forensics teams because it's too expensive to maintain a team in-house (unless you're getting breached A LOT, which raises other red flags). I then flip back to ensuring you have a strong policy framework in place with decent training to back it up.&lt;/p&gt;

&lt;p&gt; * Policies likely need to be owned by a dedicated security function. Your risk management team isn't going to write them. You darn well better not let your auditors write them. And, while it's likely ok for your operations team to write the procedures and configuration guides, someone still needs to check them. Now, this being said, I've seen organizations outsource the writing of the policies, and this is certainly a viable option. Ultimately, your senior management (or executive) team is responsible for publication and awareness. Overall, then, it seems logical to make this an assigned and dedicated security responsibility. On the other hand, we could assign this responsibility to your Legal Department (or in-house counsel). So, I don't think this is so much a hard-and-fast rule as it is just a limited logical conclusion.&lt;/p&gt;

&lt;p&gt; * Security testing should be part of QA. It really should. This quip does not necessarily apply to certain regulatory requirements for qualified assessments, etc. Beyond that, however, this seems to be a set of activities that again maps cleanly into existing practices.&lt;/p&gt;

&lt;p&gt; * IT audit should be part of your audit department. If you already have auditors, then IT audit may as well be part of that crowd. Make sure they have someone qualified, and off to the races you go. Ultimately, the reason for rolling these together is because your C*s already read and respond to audit reports. Streamline that reporting and voilà, you're good to go.&lt;/p&gt;

&lt;p&gt;Now, a few caveats here.&lt;/p&gt;

&lt;p&gt;1) Obviously, the above assumes a larger organization already.&lt;/p&gt;

&lt;p&gt;2) If you're a small organization, then consider outsourcing these responsibilities altogether. Especially if you're already outsourcing much of what you're doing in IT.&lt;/p&gt;

&lt;p&gt;3) It is absolutely vital that you have a CISO/CSO who does not report up through IT and who is treated as a true C-level executive. That person should be ultimately responsible for all of this good stuff. In a small company, this person is likely going to be very hands-on in nature.&lt;/p&gt;

&lt;p&gt;4) For mid-sized companies, your 1 or 2 dedicated security people should not be overly aggressive about trying to grow the security team. As far as I can tell, it's counter-productive. Even if your operations and development teams (if you have them) are heavily loaded, it will be far more useful and productive to demonstrate their need for additional resources than it will be to try and justify parallel resourcing. Case-in-point: identity and access management. While some facets, such as definition of roles, and policies that support the entire category, clearly should be owned by the CISO/CSO, much of it is purely operational in nature. Moreover, operations (or IT) benefits the most from implementing these solutions in the long-run. Make the case, get their buy-in, help with the project planning, and then get out of the way.&lt;/p&gt;

&lt;p&gt;5) There is absolutely a need for a trusted security advisor. Guess what? That person does not necessarily need to be a full-time employee. At some point you will have enough practices in place that the organization can run relatively cleanly. Why burn a full resource, then, on babysitting that infrastructure? It just doesn't seem to make sense to me.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Work Yourself Out of a Job? Crazy Talk!&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;In essence, I am talking about nothing short of working myself out of a job here. In my context, it absolutely does not make sense to waste the money building a large security team. Much of what needs to be done today has to be owned by other people. My role, then, is far more of a coaching and advising responsibility than anything else. My job will quickly become about defining discrete projects that can have cost and resource estimates attached, be prioritized, and be executed by other people.&lt;/p&gt;

&lt;p&gt;There are a few exceptions here. Security policies need to be written and distributed. Training and awareness needs to be conducted. Some oversight needs to be put in place. However, I view many of these things as short-term start-up tasks that in the long-run get handed back over to other teams.&lt;/p&gt;

&lt;p&gt;Security has a very bad reputation for getting in the way of work. I'm increasingly of the opinion that the best way around this is to stop pushing projects as "security" work, and instead make them the responsibility of teams like operations/IT. Make a business case, spec out the requirements and the cost, and then hand it over to your management team to own.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;What If Nothing Gets Done?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;A part of project planning is justifying the project. In the end it's up to the executive management team to make risk decisions. The CISO/CSO can only provide the research and recommendations. If the money isn't available, then there's not much you can do. If there are other priorities that take precedence, then you have to respect that. Why? Because if the core of the business fails, then you won't really need to worry too much about security.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;My Point&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;I fully expect this post to go over like a lead balloon. What I'm saying flies in the face of conventional wisdom, and what's worse, it actually advocates making people be responsible for their actions (outside of security). It's occurred to me, however, that maybe part of our problem in this industry is that we've been in a nanny state for far too long. Why should security accept the responsibility without the authority? Does that really make sense? It certainly isn't fair!&lt;/p&gt;

&lt;p&gt;As such, I hope that you will take some time to seriously consider what I'm saying. Having a fully dedicated security department may not, in fact, be in the best interest of the organization. Sure, maybe you can justify a small team, and sure that might qualify as a "department." However, let's not get caught up in such trivialities and instead look at the big picture. My guess is that a significant percentage of "security" has no place in a dedicated security department. If this is true, then we have an excellent opportunity to redefine this industry, break the counterculture monotony that we've become, and instead focus on making the right people responsible for the right things.&lt;br /&gt;
&lt;/p&gt;
   &lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=PuzST51rx1w:buso4Z1_s08:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=PuzST51rx1w:buso4Z1_s08:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=PuzST51rx1w:buso4Z1_s08:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=PuzST51rx1w:buso4Z1_s08:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=PuzST51rx1w:buso4Z1_s08:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=PuzST51rx1w:buso4Z1_s08:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=PuzST51rx1w:buso4Z1_s08:TzevzKxY174"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=TzevzKxY174" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=PuzST51rx1w:buso4Z1_s08:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=PuzST51rx1w:buso4Z1_s08:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=PuzST51rx1w:buso4Z1_s08:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/secureconsulting/ujTc/~4/PuzST51rx1w" height="1" width="1"/&gt;</content>
<feedburner:origLink>http://www.secureconsulting.net/2009/07/do_you_need_a_security_departm.html</feedburner:origLink></entry>
<entry>
   <title>Pavel Brings RKC to Philly - 1st Time!!</title>
   <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/secureconsulting/ujTc/~3/14qjdMbtrKg/pavel_brings_rkc_to_philly_1st.html" />
   <id>tag:www.secureconsulting.net,2009://12.2138</id>
   
   <published>2009-07-16T05:37:27Z</published>
   <updated>2009-07-16T05:40:17Z</updated>
   
   <summary type="html">Hey kettlebell enthusiasts - guess what?!? John Du Cane of Dragon Door has announced that Pavel will be bringing the Russian Kettlebell Challenge to the east coast for the first time ever! The RKC will be October 9-11 in Philadelphia,...</summary>
   <author>
      <name>Ben Tomhave</name>
      <uri>http://www.secureconsulting.net/</uri>
   </author>
         <category term="health-wellness" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="443" label="kettlebells" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.secureconsulting.net/">
      &lt;p&gt;Hey kettlebell enthusiasts - guess what?!? John Du Cane of Dragon Door has announced that Pavel will be bringing the Russian Kettlebell Challenge to the east coast for the first time ever! The RKC will be October 9-11 in Philadelphia, PA.&lt;/p&gt;

&lt;p&gt;Interested in attending? Sign-up by July 29th and save $1,000! For more information, &lt;a href="http://www.dragondoor.com/wpkb46.html"&gt;head on over to Dragon Door&lt;/a&gt;.&lt;/p&gt;
      
   &lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=14qjdMbtrKg:PxPiaj3WKmI:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=14qjdMbtrKg:PxPiaj3WKmI:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=14qjdMbtrKg:PxPiaj3WKmI:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=14qjdMbtrKg:PxPiaj3WKmI:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=14qjdMbtrKg:PxPiaj3WKmI:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=14qjdMbtrKg:PxPiaj3WKmI:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=14qjdMbtrKg:PxPiaj3WKmI:TzevzKxY174"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=TzevzKxY174" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=14qjdMbtrKg:PxPiaj3WKmI:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=14qjdMbtrKg:PxPiaj3WKmI:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=14qjdMbtrKg:PxPiaj3WKmI:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/secureconsulting/ujTc/~4/14qjdMbtrKg" height="1" width="1"/&gt;</content>
<feedburner:origLink>http://www.secureconsulting.net/2009/07/pavel_brings_rkc_to_philly_1st.html</feedburner:origLink></entry>
<entry>
   <title>Response to "Sue the Auditor..."</title>
   <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/secureconsulting/ujTc/~3/A8lkOGLjoGU/response_to_sue_the_auditor.html" />
   <id>tag:www.secureconsulting.net,2009://12.2137</id>
   
   <published>2009-07-13T17:58:27Z</published>
   <updated>2009-07-13T18:00:07Z</updated>
   
   <summary type="html">My friend, Ben Rothke, asked me to post my comments to his recent piece "Sue the Auditor and Shut Down the Firm" over on CSO Online. The topic is one I've thought about a lot over the years; namely, how...</summary>
   <author>
      <name>Ben Tomhave</name>
      <uri>http://www.secureconsulting.net/</uri>
   </author>
         <category term="infosec" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="518" label="audits" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="519" label="evolution" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="10" label="infosec" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.secureconsulting.net/">
      &lt;p&gt;My friend, Ben Rothke, asked me to post my comments to his recent piece &lt;a href="http://www.csoonline.com/article/496923/Sue_the_Auditor_and_Shut_Down_the_Firm"&gt;"Sue the Auditor and Shut Down the Firm"&lt;/a&gt; over on CSO Online. The topic is one I've thought about a lot over the years; namely, how do you control quality and performance for 3rd-party auditors? After all, quality is the core problem being targeted in the Savvis lawsuits, and the basis of the aforementioned article.&lt;br /&gt;
&lt;/p&gt;
      &lt;p&gt;Overall, I think the point of the article is fine. I think there's a fundamental problem that needs to be addressed with auditing, though, and incompetent auditors is merely a symptom. The way IT audits often work is that you sign multi-year contracts and then, as the auditor, you find ways to cut your costs (aka "time spent auditing") every year in order to maximize your realization. Such an incentive inevitably means that auditors will try to staff gigs as cheaply as possible, which means you'll get inexperienced or incompetent auditors. It's a bad cycle, and one that will only be changed at expense to all involved. Certification, licensure, and strict liability might help, but it will also result in increasing the cost of audits.&lt;/p&gt;

&lt;p&gt;There's also a question about the utility of having much stronger auditors. Does the benefit outweigh the cost? Do we really need auditors who are much stronger? I guess it depends on how high the stakes are for the audit. In the case of PCI DSS, where QSAs are publishing attestations of compliance upon which people can hang their hats, there certainly is a concern about quality. However, at the same time, there has to be a realization of limited liability. An audit is only a snapshot in time of a limited number of systems across a limited number of requirements. Especially when you factor in sampling, it should be painfully obvious that no audit result should be considered a gold standard.&lt;/p&gt;

&lt;p&gt;What, then, is the solution? It's unclear to me if there are any good solutions today. A combination of metrics, security testing, audits, and overall due diligence documentation seem like a good starting point. Demonstrated and measurable organizational maturity may also be worthwhile. However, again, all of these may rely to more or less a degree on point-in-time attestation, which could expire before the auditor walks out of the building. It seems unlikely that this particular problem can or will be "solved" per se. It's not clear that it's "solvable" - or even if it's defined well enough to be solvable.&lt;/p&gt;

&lt;p&gt;It's an interesting place we've come to in this industry. Clearly something is broken. Many things, most likely. A new paradigm sure would be nice.&lt;br /&gt;
&lt;/p&gt;
   &lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=A8lkOGLjoGU:qNDxgZbiZ-U:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=A8lkOGLjoGU:qNDxgZbiZ-U:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=A8lkOGLjoGU:qNDxgZbiZ-U:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=A8lkOGLjoGU:qNDxgZbiZ-U:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=A8lkOGLjoGU:qNDxgZbiZ-U:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=A8lkOGLjoGU:qNDxgZbiZ-U:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=A8lkOGLjoGU:qNDxgZbiZ-U:TzevzKxY174"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=TzevzKxY174" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=A8lkOGLjoGU:qNDxgZbiZ-U:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=A8lkOGLjoGU:qNDxgZbiZ-U:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=A8lkOGLjoGU:qNDxgZbiZ-U:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/secureconsulting/ujTc/~4/A8lkOGLjoGU" height="1" width="1"/&gt;</content>
<feedburner:origLink>http://www.secureconsulting.net/2009/07/response_to_sue_the_auditor.html</feedburner:origLink></entry>
<entry>
   <title>Please Stop Cyber-*'ing Everything</title>
   <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/secureconsulting/ujTc/~3/xEhgSVbzGBY/please_stop_cybering_everythin.html" />
   <id>tag:www.secureconsulting.net,2009://12.2136</id>
   
   <published>2009-07-08T21:02:25Z</published>
   <updated>2009-07-08T21:04:28Z</updated>
   
   <summary type="html">"You keep using that word. I do not think it means what you think it means." Enough, please, dear kind souls. And the same for the rest of you lot. Let us all please stop using "cyber" as a prefix...</summary>
   <author>
      <name>Ben Tomhave</name>
      <uri>http://www.secureconsulting.net/</uri>
   </author>
         <category term="musings" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="1" label="misc" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="357" label="musings" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.secureconsulting.net/">
      &lt;blockquote&gt;"You keep using that word. I do not think it means what you think it means."&lt;/blockquote&gt;

&lt;p&gt;Enough, please, dear kind souls. And the same for the rest of you lot. Let us all please stop using "cyber" as a prefix to anything and everything computer-related. Mmmmm-kay? Seriously...&lt;/p&gt;

&lt;p&gt;Whoever decided that "cyber" meant computers and networks is apparently not very bright. I don't know who to blame, but blame definitely needs to be placed. According to Dictionary.com, &lt;a href="http://dictionary.reference.com/browse/cyber"&gt;cyber&lt;/a&gt; is "a combining form meaning “computer,” “computer network,” or “virtual reality,” used in the formation of compound words (cybertalk; cyberart; cyberspace) and by extension meaning “very modern” (cyberfashion)."&lt;br /&gt;
&lt;/p&gt;
      &lt;p&gt;However, it then goes on to say that "cyber" is extracted from &lt;a href="http://dictionary.reference.com/browse/cybernetics"&gt;cybernetics&lt;/a&gt;, which it defines as "the study of human control functions and of mechanical and electronic systems designed to replace them, involving the application of statistical mechanics to communication engineering."&lt;/p&gt;

&lt;p&gt;So, I'm a little confused. Who exactly decided that cyber should mean computer stuff? Why doesn't cyber mean human bio-tech instead? Yeah, sure, we have &lt;a href="http://dictionary.reference.com/browse/bionic"&gt;bionic&lt;/a&gt; ("utilizing electronic devices and mechanical parts to assist humans in performing difficult, dangerous, or intricate tasks, as by supplementing or duplicating parts of the body: The scientist used a bionic arm to examine the radioactive material") that accomplishes that task, too. But, seriously, why "cyber"? It just sounds dumb.&lt;/p&gt;

&lt;p&gt;To President Obama, I suggest putting a stake in the ground and forcing a change to different terminology. You really aren't looking for a "Cyber-Security Czar." You're looking for someone to head up &lt;a href="http://en.wikipedia.org/wiki/Information_assurance"&gt;Information Assurance&lt;/a&gt; and &lt;a href="http://en.wikipedia.org/wiki/Survivability#Network"&gt;Networked Systems Survivability&lt;/a&gt;. Maybe we can come up with a clever acronym for it (IANNS isn't overly catchy, I suppose), but please, please, please - enough with the cyber-this and cyber-that.&lt;/p&gt;

&lt;p&gt;For more info on Networked Systems Survivability, check out:&lt;br /&gt;
&lt;a href="http://www.sei.cmu.edu/programs/nss/"&gt;http://www.sei.cmu.edu/programs/nss/&lt;/a&gt;&lt;br /&gt;
&lt;a href="http://www.cert.org/research/97tr013.pdf"&gt;http://www.cert.org/research/97tr013.pdf&lt;/a&gt;&lt;br /&gt;
&lt;a href="http://www.cert.org/archive/pdf/network-analysis.pdf"&gt;http://www.cert.org/archive/pdf/network-analysis.pdf&lt;/a&gt;&lt;br /&gt;
&lt;a href="http://www2.cs.uidaho.edu/~krings/HICSS39.htm"&gt;http://www2.cs.uidaho.edu/~krings/HICSS39.htm&lt;/a&gt;&lt;br /&gt;
&lt;/p&gt;
</content>
<feedburner:origLink>http://www.secureconsulting.net/2009/07/please_stop_cybering_everythin.html</feedburner:origLink></entry>
<entry>
   <title>InfoSec as Counterculture</title>
   <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/secureconsulting/ujTc/~3/4opRr42QdV4/infosec_as_counterculture.html" />
   <id>tag:www.secureconsulting.net,2009://12.2135</id>
   
   <published>2009-07-08T18:19:43Z</published>
   <updated>2009-07-08T18:23:16Z</updated>
   
   <summary type="html">I've been (w)racking my brain for quite a long while as to why this whole infosec thing just doesn't seem to get through to people. Why are we still having the same conversations over and over and over and over...</summary>
   <author>
      <name>Ben Tomhave</name>
      <uri>http://www.secureconsulting.net/</uri>
   </author>
         <category term="infosec" scheme="http://www.sixapart.com/ns/types#category" />
         <category term="musings" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="517" label="counterculture" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="10" label="infosec" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="357" label="musings" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.secureconsulting.net/">
      &lt;p&gt;I've been &lt;a href="http://pratie.blogspot.com/2006/02/racked-my-brain.html"&gt;(w)racking&lt;/a&gt; my brain for quite a long while as to why this whole infosec thing just doesn't seem to get through to people. Why are we still having the same conversations over and over and over and over again? Einstein is famously quoted for defining this practice as insanity ("Insanity: doing the same thing over and over again and expecting different results."). Namely, we're banging our heads against the brick wall that is "business" and coming up with the same stupid answers with the same stupid results.&lt;br /&gt;
&lt;/p&gt;
      &lt;p&gt;At first (15 years ago) I thought it might be a problem with the technology. If only vendors wouldn't produce insecure products, then maybe life would be better. If only Microsoft didn't have to have Patch Tuesday every month, then maybe we wouldn't have so many compromised users. If only software could be written more perfectly, then maybe we wouldn't be having these conversations. Alas, perfection is neither reasonable nor attainable, and humans are themselves fallible.&lt;/p&gt;

&lt;p&gt;About 10 years ago I then began thinking that it was a problem with the strategic vision of companies. If infosec was not included in the strategic planning of the business, then of course there wouldn't be any meaningful change. If infosec was driven in a strictly bottom-up fashion, then it would never achieve success as an organization-wide initiative. If infosec was not positioned as a business-enabler, then the ill-begotten reputation of security as jack-booted thugs would persist. Alas, as it turns out, infosec strategy still eludes senior management, not least because technology should not drive decisions, but rather ride in as a solution to business problems. We failed to properly frame the problem, it seems.&lt;/p&gt;

&lt;p&gt;About 5 years ago, I then began thinking about security as a matter of cognitive dissonance. Unlike real life, where threats are physically registered, in the online world threats do not generally have a physical incarnation. If there's no physical threat, then there's no physical reaction. Sure, trolls can sometimes raise our ire and set us off, but this is more the exception than the rule, and it certainly doesn't apply to threats like worms or ID theft. If someone waves a knife or gun in your face, then you'll have a physical and physiological reaction. If someone launches an automated attack against your computer, then you're unlikely to have much response at all (assuming you even notice).&lt;/p&gt;

&lt;p&gt;About 2 years ago, I then began thinking about security as a problem of integrating information risk management into standard business risk management practices. Similar to the earlier theme on business enablement, this approach looked at how risk was surveyed/assessed and then managed by the business. Was the business getting an accurate picture of information risk? Does information risk management have the same markings as business risk management? Where's the commonality? Even now there is a need for improvement in this area, but it still doesn't explain the persistent disconnect. Even when we have well-defined information risk management that works well with business risk management, we still seem to encounter problems in getting the message across. People still make very bad decisions.&lt;/p&gt;

&lt;p&gt;Today, then, I've concluded that the real problem here is that infosec is, in fact, a &lt;a href="http://en.wikipedia.org/wiki/Counterculture"&gt;counterculture&lt;/a&gt;. By its very definition, a counterculture swims against the current. As a group of people in the industry, we represent a unique perspective that diverges from the mainstream. We speak our own language, have our own conferences, and are generally separate from the world as we walk through it.&lt;/p&gt;

&lt;p&gt;This counterculture of ours is markedly different from previous countercultures. Sure, we have our own literature and trends and poets and leaders, but thus far we've not classified our behavior as cultural in nature. This, I think, is a key to our failure. If we stop and accept that our movement represents a counterculture, then it frees us to do things differently. All of my previous notions about "what's wrong" are correct and can be harmonized, but the fundamental challenge is that we are not mainstream, no matter how hard we try to prove otherwise. To which I wonder "why fight it when we can embrace it?"&lt;/p&gt;

&lt;p&gt;It's time to articulate ourselves as an alien race representing a counterculture from which the mainstream must learn and benefit. Our goal should not be to become the mainstream so much as to help the mainstream evolve. It's time we establish our zeitgeist, fly our flags proudly, and declare our position clearly and loudly. If the movement were to become mainstream, then that would be fabulous, but it should not be our goal so much as a desirable side-effect of our effort.&lt;/p&gt;

&lt;p&gt;We are the security industry. We are business enablers. We are strategic thinkers. We are information risk managers. We are seers amongst the blind who can detect the unseen threats. It is our responsibility, our mantra, our mission, to help those who have not joined the movement. Cogito ergo sum.&lt;br /&gt;
&lt;/p&gt;
</content>
<feedburner:origLink>http://www.secureconsulting.net/2009/07/infosec_as_counterculture.html</feedburner:origLink></entry>
<entry>
   <title>Cut Through the Noise, Focus, Find Success</title>
   <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/secureconsulting/ujTc/~3/C-KFADBHHhs/cut_through_the_noise_focus_fi.html" />
   <id>tag:www.secureconsulting.net,2009://12.2134</id>
   
   <published>2009-06-28T05:27:16Z</published>
   <updated>2009-06-28T05:28:26Z</updated>
   
   <summary type="html">I was recently out camping in a rather busy campground. Nearby was a group of teenage girls, wrangled by mothers who overall lacked the necessary training in crisis management to keep a lid on the brood. At the same time,...</summary>
   <author>
      <name>Ben Tomhave</name>
      <uri>http://www.secureconsulting.net/</uri>
   </author>
         <category term="infosec" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="10" label="infosec" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.secureconsulting.net/">
      &lt;p&gt;I was recently out camping in a rather busy campground. Nearby was a group of teenage girls, wrangled by mothers who overall lacked the necessary training in crisis management to keep a lid on the brood. At the same time, I was working on a deadline to get a couple pieces written, and I have to say, the challenge was immense. The noise generated by the group of 12 or so girls seemed to ebb and flow at rates rivaled only by large crowds at major sporting or entertainment events.&lt;br /&gt;
&lt;/p&gt;
      &lt;p&gt;In many ways, this is the challenge we face in information security. We are constantly surrounded by noise. Different people in varying parts of the organization are clamoring for attention, or battling with each other, or just generating a lot of background noise, and yet we're expected to buckle down and achieve our objectives. My favorite whipping boy, the PCI DSS, is an excellent example of a large noise potential, providing plenty of salient details, but also generating so much volume that it can drown out your hopes and dreams.&lt;/p&gt;

&lt;p&gt;The key to success, then, is in finding a way to cut through the noise. In my case, I was able to position a citronella candle such that the flickering light provided a source of focus that took my mind off the background noise. In other cases, however, a candle may not work. Instead, it's important to find ways to block out the "unimportant" in order to cut through to the "important." These terms are, of course, subjective, but they bear out.&lt;/p&gt;

&lt;p&gt;Compliance today, in many environments, provides a very large source of noise. Finding focus can be a challenge. But it's a challenge that can be met. Start with key principles of information security. Are business and operational requirements understood, well-defined, and well-communicated? How's your risk management? Do you have a complete framework in place (note, this is not just asking about risk assessments, but the entire risk management program)? How's your operational security? Do you have visibility into key systems (e.g. logging, data flow maps)? Have you defined key metrics? Are you actually measuring and tracking them? Are you performing routine audits and self-assessments? How's your security testing program?&lt;/p&gt;

&lt;p&gt;It's easy to become overwhelmed with all of these topics and concepts, but focusing on fundamentals (risk management, operational security, quality and performance) can allow you to achieve clarity and focus. Aim for a successful security program and the pieces will fall into place.&lt;/p&gt;

&lt;p&gt;(&lt;em&gt;Note: this article is cross-posted from &lt;a href="http://www.t2pa.com/cores/security-and-privacy/practical-security"&gt;T2PA Practical Security Core&lt;/a&gt;&lt;/em&gt;)&lt;br /&gt;
&lt;/p&gt;
</content>
<feedburner:origLink>http://www.secureconsulting.net/2009/06/cut_through_the_noise_focus_fi.html</feedburner:origLink></entry>
<entry>
   <title>Hotel Booking Nightmare (Or, Avoid hotels.com - Seriously)</title>
   <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/secureconsulting/ujTc/~3/kPsYtF0ZrbU/hotel_booking_nightmare_or_avo.html" />
   <id>tag:www.secureconsulting.net,2009://12.2133</id>
   
   <published>2009-06-25T19:31:58Z</published>
   <updated>2009-06-25T19:33:40Z</updated>
   
   <summary type="html">I've tried to be patient, I really have. I've now booked hotels 6 times with hotels.com. Of those times, only 2 worked out correctly. The final straw came in the last 24 hours as I tried to book my last...</summary>
   <author>
      <name>Ben Tomhave</name>
      <uri>http://www.secureconsulting.net/</uri>
   </author>
         <category term="travel" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="452" label="insanity" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="5" label="stupidity" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="54" label="travel" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.secureconsulting.net/">
      &lt;p&gt;I've tried to be patient, I really have. I've now booked hotels 6 times with hotels.com. Of those times, only 2 worked out correctly. The final straw came in the last 24 hours as I tried to book my last hotel for the vacation that starts, well, today. The web site had a major fault last night; the primary customer care was completely unable to find the reservation anywhere in their system. They sent me to the "other" customer care office (other one?), which last night informed me to give them a couple hours, &lt;em&gt;that&lt;/em&gt; system was down.&lt;br /&gt;
&lt;/p&gt;
      &lt;p&gt;So, I looped back this morning. Reservation still was MIA, so booked it again, &lt;em&gt;same darned problem&lt;/em&gt;. Seriously?!? Call customer care, they're unable to find it (or the hotel I was trying to book!), send me back to the "other customer care" office. Hmmm. Other care finds the reservations, forces a confirmation email to be sent, but then they proceed to tell me that I'm going to have to pay the "non-refundable" $5 booking fee for the duplicate reservation. Squeeze me? WTFover? Demand to speak to a supervisor.&lt;/p&gt;

&lt;p&gt;Connect to a supervisor, the call drops (I think our bad VOIP at work). Cell phone rings, it's the supervisor *whew*. I explain the problem, demand immediate cancellation of &lt;em&gt;both&lt;/em&gt; reservations because they suck (yes I told her that hotels.com sucks completely). She cancels the duplicate and then tries to talk me out of canceling the original, then finally relents. Both cancellations are processed, I receive confirmation emails a few minutes later. So, now I need to watch like a hawk to make sure I don't get charged $5 or $10 for booking fees.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;If You Book with hotels.com&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;If you ignore my warning and book with hotels.com, here are a few things you should know:&lt;br /&gt;
 * They have hidden booking fees.&lt;br /&gt;
 * Cancellation policies vary.&lt;br /&gt;
 * They usually charge you the full price right away.&lt;br /&gt;
 * You must cancel via hotels.com, not through the hotel itself.&lt;br /&gt;
 * They don't always have the best rates.&lt;br /&gt;
 * You may get charged by hotels.com for canceling, even if you're within the cancellation policy of the hotel.&lt;br /&gt;
 * Each hotel maintains its own hotels.com cancellation policy, separate from the hotel's actual cancellation policy.&lt;br /&gt;
 * What you gain in pricing, you will lose in customer service and ease of reservation management.&lt;br /&gt;
 * They outsource/offshore their call centers - your experience may vary, though overall it wasn't the worst I've seen.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The Rest of My Booking Troubles (AAA Issues)&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;So, I finally got all the hotels.com stuff sorted after a couple hours of phone time. Next up, fix the reservation through AAA directly. Or not. My membership is with AAA Mid-Atlantic, and the hotel and rate I wanted were only available through AAA AZ. AAA AZ does not do membership transfers. They said I'd have to sign up for a new membership with them, and then would have to talk to AAA Mid-Atlantic about canceling and getting a partial refund. I called AAA Mid-Atlantic and they were astounded by this. AAA AZ recommended waiting until my current membership expired before signing up with them. Anyway...&lt;/p&gt;

&lt;p&gt;The problem, then, was this: I couldn't book the hotel+rate through AAA Mid-Atlantic because they didn't see the hotel. I couldn't book the hotel+rate online through AAA AZ because I didn't have a AAA AZ membership. So, I ended up calling the AAA AZ travel line and, thankfully, they were able to hook me up. Per AAA AZ and AAA Mid-Atlantic, I'll likely not be able to use their respective web sites for booking travel for the foreseeable future, and will instead have to call. This is a bit of a pain, but whatever. It's rare that I need to go through their site anyway.&lt;/p&gt;

&lt;p&gt;Long story short, after an hour on the phone, back and forth, I got my hotel booked at the same rate as hotels.com, and I have a confirmation number. Unfortunately, I still do not have a confirmation email for the hotel. So, I'm going to have to call them from the road to confirm that they have my reservation. I absolutely refuse to show up with only a confirmation number and no proof of the rate (which was much better than the AAA rate published on the hotel's own web site). I have a sneaking suspicion that I may still end up being screwed here. We'll see...&lt;br /&gt;
&lt;/p&gt;
</content>
<feedburner:origLink>http://www.secureconsulting.net/2009/06/hotel_booking_nightmare_or_avo.html</feedburner:origLink></entry>
<entry>
   <title>About Me</title>
   <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/secureconsulting/ujTc/~3/mlXyUoPL2u8/about_me.html" />
   <id>tag:www.secureconsulting.net,2009://12.2132</id>
   
   <published>2009-06-23T07:24:10Z</published>
   <updated>2009-06-23T07:27:14Z</updated>
   
   <summary type="html">Through various conversations and interactions it's come to my attention that I've never really properly introduced myself. By now, if you've read this blog at all, you've probably come to realize that I'm rarely challenged for words. So, forgive this...</summary>
   <author>
      <name>Ben Tomhave</name>
      <uri>http://www.secureconsulting.net/</uri>
   </author>
         <category term="musings" scheme="http://www.sixapart.com/ns/types#category" />
         <category term="personal" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="516" label="me me me" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="357" label="musings" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="373" label="personal" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.secureconsulting.net/">
      &lt;p&gt;Through various conversations and interactions it's come to my attention that I've never really properly introduced myself. By now, if you've read this blog at all, you've probably come to realize that I'm rarely challenged for words. So, forgive this indulgence while I delve into a little bit about who I am, where I've come from, what I've been doing, and so on. In so doing, I hope to give you a glimpse of who I am without providing detailed enough answers that would allow you to bypass passwords on all of my various accounts. :)&lt;br /&gt;
&lt;/p&gt;
      &lt;p&gt;&lt;strong&gt;Little Benji&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Arf. Haha just kidding. Sort of. Until 4th grade, I went by Benji. Then we moved and I decided that it was time for a more "grown-up" name. True story. People who know me from pre-4th grade still often call me Benji.&lt;/p&gt;

&lt;p&gt;The name is actually an interesting short story. Benjamin means "son of the right hand". I am, in fact, the oldest of two boys. We brothers are very different, and yet so much alike. I was born in Wisconsin, where Dad was teaching high school math. Not long thereafter we returned to Ames, IA, where my Dad completed his PhD in Mathematics Education at Iowa State. He'd met my Mom there while he was working on his Master's degree, sweeping her up and then jaunting off to the hinterlands (well, hardly;).&lt;/p&gt;

&lt;p&gt;My earliest memories are from when I was about 2 years of age (no lie). They involve hanging with my Grandpa Upchurch around the house, doing yard work, etc. My 3 most vivid memories are:&lt;br /&gt;
 1) Grandpa accidentally slamming my fingers in the door of his Rambler.&lt;br /&gt;
 2) Riding with Grandpa to the waste management facility to drop off yard waste.&lt;br /&gt;
 3) The move from Ames to Morris.&lt;br /&gt;
Mom assures me that these memories are pre-3-years-old.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Fundamental Christian Upbringing&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;I've completely and thoroughly rejected organized religion. I like the philosophical teachings of Buddhism, as well as the writings of Deists like Thomas Jefferson and Benjamin Franklin, as well as Transcendentalists Ralph Waldo Emerson and Henry David Thoreau. That being said, I've not always been this way. In fact, far from it. I was raised in a conservative fundamental Christian home (northern Baptist churches). This upbringing taught me to take everything very seriously, almost in the manner of the apologists, but more in a self-loathing, self-disciplined, self-hating manner.&lt;/p&gt;

&lt;p&gt;For those who have never been in that environment, I don't expect you to fully understand or appreciate the weight of this upbringing. Even now, I find it extremely difficult to explain what it was like. It was very much your stereotypical "hellfire and damnation" type preaching, combined with intense study of scriptures. Let me put it to you with an old joke (apologies in advance - this is meant in no way to offend):&lt;br /&gt;
&lt;blockquote&gt;A man died and showed up at the Pearly Gates, where St. Peter greeted him warmly. After the welcome, St. Peter offered to show the man around. They walked down a long radiant hallway with several doors. At the first door, the man peered in and saw a bunch of people sitting around eating with a long random buffet at one end. St. Peter explained that this was the Lutherans, enjoying a social time together. Next up there was a room with much celebration and noise. Here, St. Peter explained, were the Catholics, still living life to the fullest. As they approached the next room, St. Peter stopped and advised the man to be very quiet as they were going to quickly walk by. The man asked St. Peter why they needed to do this, to which St. Peter responded "Oh, that's the Baptists - they think they're the only ones here."&lt;/blockquote&gt;&lt;br /&gt;
This joke summarizes very well the type of upbringing I experienced within the Baptist church. We were told to keep ourselves separate as much as possible, and were reminded to beware the influence of the non-believers. I could go on, but I think you get my point.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;So Serious, So Funny&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;While the religious upbringing certainly accounts in part for my high-strung, serious nature, don't be fooled into thinking it's solely responsible. I've been wound up tighter than a drum for much longer than I remember religious education. The fact of the matter is that I suffer from being the eldest son. My Mom, it seems, is also wound very tightly, and thus has passed this trait down to me. For example, I hate getting dirty - a trait that my Mom eagerly demonstrates every time she visits us and cleans the house from top to bottom! :)&lt;/p&gt;

&lt;p&gt;The interesting thing is that I also have a very generous and sharp sense of humor. Ok, I'm a dry wit, I admit it. Puns, one-liners, zingers, and anything corny and lame: that's all me. :) Sorry! I've inherited my sense of humor from my Dad. I'm torn as to whether or not it's really a good thing. It is what it is. The good news is that I &lt;em&gt;do&lt;/em&gt; have a sense of humor. Unfortunately, if you catch me at the wrong time, you are just as likely to get both barrels as you are to get a hearty laugh.&lt;/p&gt;

&lt;p&gt;Believe it or not, I've mellowed considerably in the past 10 years. Those who are just starting to know me now might find that hard to believe, but it really is true. When I first got married (10 years this coming July) my wife refused to play tennis with me because I would get very upset at my lack of skillz and would devolve into a tirade-temper-tantrum. Today, we enjoy hitting around.&lt;/p&gt;

&lt;p&gt;If there's one thing that I wish I could change about myself, it's how seriously I tend to take life. This seriousness is a plague to me, because it causes me to constantly fight myself over whether or not I'm happy, satisfied, etc. At its darkest, it involves self-doubt, loss of confidence, and being harder on myself than anyone might ever imagine. Who needs enemies when I can mentally shred myself?&lt;/p&gt;

&lt;p&gt;Perhaps of any other trait, the seriousness and high-strung behavior (and, yes, hyper a lot of the time) is what people seem to note about me. It caused people to (incorrectly) describe me as acting older than my age when I was growing up. Now I recognize that I'm really not very well adjusted, despite making progress in this area.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Passion, Compassion, and Deep Emotions&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Along with the seriousness comes a passion for my interests. I'm extremely passionate about information security, as well as other topics. This passion tends to come off badly in text-based conversations, but the simple fact is that I'm often enthusiastic to a fault about my ideas and opinions. This trait can be a fatal flaw at the worst of times, but is a wonderful resource when pursuing goals.&lt;/p&gt;

&lt;p&gt;I am also a very compassionate person. I'm the schlepp who cries at movies. There are times when I feel the weight of the world on my shoulders, with a particular bent toward pain and suffering. I realize that this is not a particularly masculine quality, but it's who I am. Though few ever take me up on the offer, to my friends I extend an ear to listen, a hand up, or a shoulder to cry on. I consider this to be very much a lost quality in society as a whole. It vexes me to no end how cold a place our world can be.&lt;/p&gt;

&lt;p&gt;Lastly, as you might expect, my emotions run deep. While I certainly won't claim to have the depth of feelings of the average woman, my roots definitely run deep. For this reason, when confronted with emotional discussions, I sometimes find myself overwhelmed or out of control. A perfect example happened today as I unleashed the full weight of my anger on a dear friend. I don't get truly angry very often at all, but when I do, watch out.&lt;/p&gt;

&lt;p&gt;Through all of this, there is one thing that perplexes me more than anything, and that is how to live a life without regrets. I think it's a laudable goal, but it's one that has escaped me thus far. There is much I wish I had done or said over the years, and I very much wish I'd done things differently.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Failures of Mind, Body, and Spirit&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;In many ways, I feel like I'm only now coming of age, as strange as that may sound. Having grown up in a highly repressed environment, there is much I wish could be different. Regardless, the life I have now is all that I have to work with, and so it's best to make Jarritos Lima-Limon out of the proverbial lemons.&lt;/p&gt;

&lt;p&gt;That being said, it's instructive to look back at points in my life where certain failures or frustrations have flummoxed me.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Wrestling fail - 8th gr&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;The single most defining moment in my athletic career came in 8th grade. I was a remarkably adept wrestler, undefeated throughout my 8th grade year, including wrestling JV (we were a big school - this was not podunk country wrestling). My skills were anchored around my strong legs, combined with a talent for sound strategy. Unfortunately, it all fell apart during the last Jr High meet.&lt;/p&gt;

&lt;p&gt;Without going into great detail, let me summarize with this: the first match the ref screwed me on the score because of a personal vendetta against my Dad. The 2nd and final match of the day, I was so upset and injured (I literally broke my hand on the gym wall after the first match) that I literally picked the poor kid against me up and slammed him on top of me, pinning myself to the mat. He had won before he even knew what was going on.&lt;/p&gt;

&lt;p&gt;That moment of not only quitting, but completely folding, haunts me to this day. It is a demon that I still struggle to make peace with. I've only in the last year or so regained my competitive spirit, the impact was that severe. Others may mock or question this event in my life, but it is, and probably always will be, one of the greatest torments I will have faced.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Academy drop-out&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;I was an early appointee to the United States Air Force Academy. With that appointment I became extremely arrogant, to my own demise. Being early in the online days, I opened my big fat mouth on ISCA BBS and made all sorts of comments about how I was going to do well at the USAFA and I wasn't worried about anything. Boy did I learn a thing or two very quickly. I got my ass completely and thoroughly kicked. Not only was I not in adequate shape when I got there (despite coming in 2 wks after the State track meet), but I did not make the psychological shift. Remember how serious I am? I couldn't play the game that one needs to play. I took everything personally and deeply, to the point that I was unable to sleep. I finally washed out with an "adjustment disorder". Pinnacle of failure. How could I, "destined for this future," wash out?&lt;/p&gt;

&lt;p&gt;The simple fact of the matter is that I was simply way too high-strung to be successful in that pressure cooker environment. It's easy now, 15 years removed, to realize my shortcomings then. What I find more interesting is how I keep experiencing similar challenges to this day. The more I learn, the more I realize that I still don't know.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Broken ankle&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;It took me 30 years before I broke my first bone, and I did it in grand fashion. No, not really. I was bouldering indoors at a climbing gym, went for the last hold, missed, and fell about 10 feet, landing perfectly on the edge of a thick crash pad. My right ankle was already very loose from many, many, many sprains over the years, and so it easily rolled over, causing a fracture of the end of the fibula (i.e. the lateral malleolus). It was fortunately a stable break, but it ripped the ankle up fairly well. I was in a cast for 2 wks, and then rushed into rehab.&lt;/p&gt;

&lt;p&gt;The problem is that I lost my nerve with bouldering. To this day, I'm extremely hesitant to climb without a rope. The immediate pain was quite severe, and I'm rather loath to experience that again.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Broken C7&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;I didn't know what I had done, but I knew I'd done it well. I had finished a kettlebell workout and then was cooling down in my office chair, catching up on email and the sort. About 20 minutes later when I got up I could barely move. My entire back was one massive knot and I was in severe pain. I've always had lots of cramps around my shoulders and neck (see high-strung comments above), but this was completely different.&lt;/p&gt;

&lt;p&gt;After visiting the doc, it was concluded that I had fractured my C7 vertebra - a "full avulsion" - literally snapping the thin tip of the vertebra clean off. This occurred in September 2007, and I distinctly recall an event in May 2007 when I set my personal best for free-weight squats (365lbs). I was squatting alone, and I remember lifting the bar and doing my reps and feeling like my vertebra was pressed in as a result. It didn't really hurt, though, so I didn't think anything of it. I did find it odd that a vertebra that had previously stuck out was now smooth to my back.&lt;/p&gt;

&lt;p&gt;It seems that doing kettlebell swings improperly (too much arching of the neck/back) aggravated this earlier event, resulting in the full avulsion of the C7. The pain was immense - something I'd never felt before.&lt;/p&gt;

&lt;p&gt;Once the doctor established that the break was stable, I immediately sought out a massage therapist. &lt;a href="http://www.serendipitymassageinc.com/"&gt;Jennifer is my personal hero&lt;/a&gt;. If you live in Northern Virginia, I fully expect you to get in touch with her if you ever need a serious massage. If there's one thing I greatly miss about NoVA, it's massages by my dear friend Jennifer.&lt;br /&gt;
&lt;a href="http://www.serendipitymassageinc.com/"&gt;Serendipity Massage, Inc.&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Aimless and adrift&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;For whatever reason, I've never felt settled. Anywhere. Ever. In many ways, I feel completely adrift, not really knowing my purpose in life. I guess it's not enough just enjoying the moment. I'm the guy who plans everything out. One thing I've learned in life is to quit making so many long-term plans, because none of them come to fruition. Maybe by the time I die I'll be able to truly live in the moment. Until then, I'll be drifting along awash in self-created misery and frustration. It is not a perfect world, and it never will be. Or so I keep trying to tell myself. ;)&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The Importance of Sleep&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Do not ever underestimate the importance of sleep. It is extremely important, as I've just come to realize again. As noted in the USAFA story, when I go long periods of time without sleep, bad things happen. The most recent sleep deprivation event just ended a couple weeks ago thanks to a helpful prescription from my new doctor. Inadequate sleep results in the body doing some very weird things. I lost my appetite and subsequently dropped 10lbs in 2 wks. Not that I couldn't stand to lose a few pounds, but this was not the healthy way to do it. Even now, I can feel that I'm nowhere near caught up on sleep.&lt;/p&gt;

&lt;p&gt;Things that have improved since getting some sleep over the last week and a half: my aim is better tossing things into buckets (picking up toys); my mood is generally better; my focus is vastly improved; my self-confidence is slowly recovering; my heart rate has dropped about 10bpm; my appetite has returned; my ability to perform in Jiu-Jitsu has returned.&lt;/p&gt;

&lt;p&gt;If you find yourself losing sleep on a recurring, extended basis, go to your doctor and get help immediately. Do not wait for things to get bad. Depression can set in, your judgment will suffer, and you may find yourself making very bad decisions. Not to mention the toll it will take on those around you. I'm thankful that I still have my job and family and friends after this event. Learn from me: sleep is a vital aspect of life.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The Importance of Music&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;I am a musician and music-lover. Regrettably, my art is now generally reserved to my car. I miss singing in a choir terribly, and I really don't know what to do about it. It used to be that you would join a church and sing in the choir and life would be grand. I don't see that as a particularly viable option now.&lt;/p&gt;

&lt;p&gt;My first musical skills were singing and piano. Mom was my first piano teacher, and I thus learned to hate piano lessons (sorry Mom). Once I got to 5th grade I was able to pick up violin, which freed me from piano. I was a very good sight-reader, and in fact turned down a scholarship for violin when I attended &lt;a href="http://www.luther.edu/"&gt;Luther&lt;/a&gt;. I somewhat regret stopping violin (which I picked up for the first time last Fall since June 1994). More so, though, I miss singing.&lt;/p&gt;

&lt;p&gt;I grew up in a musical family. Mom plays piano, taught piano lessons, and was always the church pianist and on the music committee. Dad was always the song leader in church and has directed the choir for about as long as I can remember. Together, their musical upbringing has heavily influenced my life.&lt;/p&gt;

&lt;p&gt;When it comes to music, my tastes are quite varied. I was raised on traditional Christian music (hymns and gospel), as well as classical music. I'm a big fan of Bach and Beethoven. To this day, I find singing traditional hymns to be soothing, even if I don't believe the words.&lt;/p&gt;

&lt;p&gt;I love lyrics. When I hear music, I want to know the words. It seems rare these days that people actually listen to the lyrics. Perhaps it's because most pop music has garbage for lyrics. Nonetheless, I think the lyrics are important. As said in the movie "Music and Lyrics" - melody is like dessert, while lyrics are like dinner.&lt;/p&gt;

&lt;p&gt;To this day, music plays a very important role in my life. There is rarely a moment when I'm not either listening to music, or have music playing in my head (Chris Cunningham's "soundtrack of mine" sums that up nicely). And I love many kinds of music, from classical to country, Christian to metal, rock to adult contemporary. My music collection includes Josh Groban, Sara Bareilles, Tonic Sol-fa, Acappella, Joshua Bell, Gershwin, Bach, Beethoven, George Winston, Alan Jackson, Brad Paisley, Storyhill, Ellis, and so on. My iTunes playlists cover Classical, Rock, Metal, Folk, and Country, to name a few. Music provides lift to the soul.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Academic Achievement&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Switching gears tremendously, I wanted to briefly comment on my academic nature. I wasn't a 4.0 student in HS, but I was darned close (3.95, I think it was). In 8th grade I led the Math Counts team to State. In HS I was involved on academic competition teams in addition to music and athletics. I was the kid who was literally in everything (I had to give up theater after 9th grade - just not enough time - though I could still be found helping out on tech on occasion, rather than being on stage). Anywho...&lt;/p&gt;

&lt;p&gt;My academic interests are very broad, ranging well beyond just Math or Computer Science. I was raised in a Science-oriented household. One of my favorite video series growing up was "Mysteries of the Unknown" (I think that's what it was called - cannot find any record of it today). It was a great Science series about various mysteries and their investigations therein.&lt;/p&gt;

&lt;p&gt;When it comes to discussing various topics, I enjoy everything from Biology to Physics (astronomy in particular), Math and Computer Science (all aspects), Psychology and Cognitive Science, basic medicine and first aid, athletic training (as a discipline under medicine), and so on and so forth. For the record, I suck at Trivial Pursuit because I don't know anything about Pop Culture. I've read some history books, but I'm not too big of a fan. I'm slowly beginning to understand economics, as is also true of Bayesian statistics.&lt;/p&gt;

&lt;p&gt;The point here is that my interests are broad, and I love discussing topics outside of infosec. I'm told that this can come off very badly, such as in a "know-it-all" kind of way (part of this also relates to a very, very bad habit of speaking over people, cutting them off, and reading ahead in the conversation - I get too darned eager for my own good sometimes).&lt;/p&gt;

&lt;p&gt;All one needs to do is go back through my blog archives to see my varied interests. Most of them end up coming back to information security, but not all.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;A Strong Mind in a Strong Body&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;I'm a firm believer in maintaining a healthy, active lifestyle. I'm also a hypocrite. :) My intentions are there, but I can also be extremely lazy. My main interests these days are in weight lifting, kettlebells, and Gracie Jiu-Jitsu. I switched to kettlebells when I wanted to train for both strength and endurance. I used to run, but my knees simply can't take the abuse any more (I used to be a hurdler).&lt;/p&gt;

&lt;p&gt;Kettlebells are an interesting workout implement, and perhaps lead to the most diverse uses. For those not familiar, imagine a cannonball with a handle opposite a flat side. That's what it looks like. My collection includes a pair of 35lb, 53lb, and 70lb kettlebells. Since moving, I've not been able to work back up to the 70 pounders, which is unfortunate. I'll get there, in due time.&lt;/p&gt;

&lt;p&gt;I also own an olympic bar and weights that total about 495 lbs. Due to my C7 fracture, I can't do squats any more, so I instead focus on dead lifts, and occasionally side press with the bar and a couple small plates. Overall, the dead lifts have made a huge improvement on my overall leg and core strength.&lt;/p&gt;

&lt;p&gt;Rounding things out, I also use pistol squats for body-weight exercises. These substitute for my inability to do squats, and they are highly effective! Some day I hope to be able to do reps fully unassisted while holding both 70lb kettlebells. :)&lt;/p&gt;

&lt;p&gt;Gracie Jiu-Jitsu is my most recent addition to training. My secret desire (oops, I'm telling, not so secret) is to achieve the level of Brown Belt so that I can start my own academy in Montana. I'm currently studying at a Relson Gracie school in Phoenix, and I'm very hopeful that I will again start making progress.&lt;/p&gt;

&lt;p&gt;I first heard about Gracie JJ through the Discovery Channel show "Fight Quest" where the co-hosts went to Brazil and trained with the Gracies. I was immediately drawn in by the similarities to wrestling, though I've since found that I have good wrestling habits that are bad JJ habits. Nonetheless, I find the sport wonderful overall, and hope to some day compete, despite my age. ;)&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Joy of Travel&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Beyond my formalized workout habits, I also enjoy hiking (and sometimes camping). While we lived in Montana we were able to get a couple hundred trail miles on our boots. Moving to VA was very difficult, because you pretty much had to fly out to places. Which, don't get me wrong, was great, but it makes it very difficult to get away for the weekend. Overall, though, the only better place to live, I think, would have been NYC in terms of the ease of traveling around the world.&lt;/p&gt;

&lt;p&gt;Unfortunately, we did not take full advantage of the opportunity until it was too late (i.e. we had a baby;). We visited Rome, Sorrento, and Athens, as well as friends in England. There are myriad other places we'd love to visit, but for now we'll have to settle again for the good ol' U-S-of-A.&lt;/p&gt;

&lt;p&gt;We've driven across the entirety of the country. In fact, we ate fresh seafood in Seattle, WA, and Portland, ME, in the same year, both reached via car (no flights involved). I've also lived in several places. Since college, I've lived in Chicago, Minneapolis, Montana, Pennsylvania, Virginia, and now Arizona. I often wonder what will be next. We talk often of returning to Montana, but I think I'd also like to live in Sorrento for a while. Of course, I also said last week that I'd like to move to Honolulu in 3 years or so to advance my JJ training. :) Only time will tell where we'll end up in the future...&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Aging Ungracefully&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;I don't care what anybody says, getting old sucks. Seriously. Memory gets weaker, joints ache, muscles ache, strength comes and goes, and so on. Despite all that, you'd think I'd get smarter at some point, but that doesn't seem to be particularly true. All I know is that I felt much more spry 10 years ago than I do now. :)&lt;/p&gt;

&lt;p&gt;If I ever stop fighting aging, somebody smack me up-side the head, please. I'm unapologetic about this point: I see no reason to accept aging gracefully. If there's one thing I can try to do, it's work toward Thoreau's goal of "sucking the marrow of life". Maybe some day I'll actually figure out what the heck that means and start living by it. ;)&lt;/p&gt;

&lt;p&gt;---&lt;/p&gt;

&lt;p&gt;Details I've left out thus far: I'm married - coming up on 10 years very quickly. I've apparently married a saint, since she's put up with me this long. We have a lovely daughter who has a talent for making me laugh (most of the time). My parents are both around, as are my wife's. I have one set of grandparents still alive, in their 90s. My wife has younger grandparents on side still around. My family is relatively small, hers is relatively large. As much as I love music, I also love the quiet. As much as I love being off by myself, I feel weird now in an empty house. And... that's about all you're going to get from me this go-round.&lt;/p&gt;

&lt;p&gt;I hope you've found this very long post of interest. If not, whatever, it's meant as much for me as anything else. :)&lt;br /&gt;
&lt;/p&gt;
   &lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=mlXyUoPL2u8:XXTeIxgeUYM:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=mlXyUoPL2u8:XXTeIxgeUYM:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=mlXyUoPL2u8:XXTeIxgeUYM:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=mlXyUoPL2u8:XXTeIxgeUYM:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=mlXyUoPL2u8:XXTeIxgeUYM:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=mlXyUoPL2u8:XXTeIxgeUYM:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=mlXyUoPL2u8:XXTeIxgeUYM:TzevzKxY174"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=TzevzKxY174" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=mlXyUoPL2u8:XXTeIxgeUYM:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=mlXyUoPL2u8:XXTeIxgeUYM:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=mlXyUoPL2u8:XXTeIxgeUYM:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/secureconsulting/ujTc/~4/mlXyUoPL2u8" height="1" width="1"/&gt;</content>
<feedburner:origLink>http://www.secureconsulting.net/2009/06/about_me.html</feedburner:origLink></entry>
<entry>
   <title>On Firm Foundation Grounded</title>
   <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/secureconsulting/ujTc/~3/LubJ849AjK4/on_firm_foundation_grounded.html" />
   <id>tag:www.secureconsulting.net,2009://12.2131</id>
   
   <published>2009-06-23T01:37:32Z</published>
   <updated>2009-06-23T01:43:37Z</updated>
   
   <summary type="html">Trust. It's a fundamental precept of civilized society. Whether we like it or not, we must trust people we both know and don't know. To fail to do so would result in a complete breakdown in the fabric that is...</summary>
   <author>
      <name>Ben Tomhave</name>
      <uri>http://www.secureconsulting.net/</uri>
   </author>
         <category term="infosec" scheme="http://www.sixapart.com/ns/types#category" />
         <category term="musings" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="10" label="infosec" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="357" label="musings" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="514" label="trust" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.secureconsulting.net/">
      &lt;p&gt;Trust. It's a fundamental precept of civilized society. Whether we like it or not, we must trust people we both know and don't know. To fail to do so would result in a complete breakdown in the fabric that is humanity. You trust the engineers who designed your car, your mechanic who worked on its engine, the engineers who designed the roads you drive, and the people around you who are in the same situation as you.&lt;/p&gt;

&lt;p&gt;Trust. It's also a fundamental tenet of online life; one that is far more easily betrayed. If it is in human nature to trust, then so it is also in human nature to be duped by those who cannot, in fact, be trusted. In real life, we're often far more perceptive to cons than we are, or can be, online. The loss of the slightest nuances of non-verbal communication can mean the difference between simple understanding and total misunderstanding.&lt;br /&gt;
&lt;/p&gt;
      &lt;p&gt;So it is that I read today about a new report indicating the degree of failed trust permeating our enterprises. According to the article "&lt;a href="http://www.net-security.org/secworld.php?id=7659"&gt;Survey: 20% of IT security professionals cheat on audits&lt;/a&gt;" we apparently cannot trust &lt;em&gt;at least&lt;/em&gt; 20% of our colleagues in the security industry. I find this report deeply concerning on more than one level.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Key Observations&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Before going into extended thoughts, here are my quick-hits:&lt;/p&gt;

&lt;p&gt; * &lt;em&gt;High-stakes compliancy&lt;/em&gt;: Part of the problem here is that compliance has become a high-stakes game. Rather than actually comply, we're now seeing the ill-gotten result. People will do anything possible to get a passing score, even if it means cheating, lying, or otherwise acting without integrity.&lt;/p&gt;

&lt;p&gt; * &lt;em&gt;Can't trust people&lt;/em&gt;: This is very disconcerting to me. If we cannot trust the people we work with, then who can we trust? Yes, trust yourself, but consider the broader ramifications of this sad reality.&lt;/p&gt;

&lt;p&gt; * &lt;em&gt;The compliance house of cards&lt;/em&gt;: Compliance as it exists today is a house of cards. We now have proof that it's built on a foundation of lies and deceptions. If this house of cards falls apart, then be forewarned that the reaction could be swift and severe.&lt;/p&gt;

&lt;p&gt; * &lt;em&gt;Housekeeping is needed&lt;/em&gt;: There are a lot of good people out of work today. If you're a dishonest person who is lying about audit data in order to "pass," then I think it would behoove you to be on the look-out. Now is an extremely good time to make sure the right people are on the bus.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Impact on Regular Audits&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Routine audits by outside parties have long been lampooned as ineffective and generally quite useless. I look at the new report and think a couple things. First, if you think audits are bad today, wait until the regulations requiring them start beefing up in response to the loss of integrity in the system. Second, it's long been my opinion that audits fail in value because of the auditors involved, who lack experience and access.&lt;/p&gt;

&lt;p&gt;If this trend continues of organizations knowingly misrepresenting their state of compliance, I would fully expect the federal government to change the rules, just as they did with the so-called "stress tests" for the financial services sector. You think auditors are a pain now? Wait until you're required to provide full access to all of your systems and data, backed by indemnification from the government. Don't think that will happen? Keep making a mess of things and let's see.&lt;/p&gt;

&lt;p&gt;More importantly, though, is the need for reformation in the skills of the auditors. If I were going to write requirements for auditor qualifications, I would start with 10 years verified experience performing penetration and process testing, and then work on increasing salaries. In reality, you want your auditors to be top-notch professionals, not the people who are new to the field. Watch out if this happens, though, because you won't be able to cut corners as well then.&lt;/p&gt;

&lt;p&gt;Bottom line here: if things continue down the current path, we should fully expect draconian mandates from the central government. This is not a desired outcome by any stretch of the imagination.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Impact on Self-Assessments&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;In this case, I'm using "self-assessment" very loosely. Any sort of internal assessment, whether it be for publication or not, is a self-assessment. In some cases, attestations are made based on self-assessments (see PCI SAQ). Other times, your self-assessment is for your own private, internal purposes. Regardless of your definition or use-case, it is imperative to understand the threat represented here.&lt;/p&gt;

&lt;p&gt;If you cannot trust your employees, then you have a major problem. Going by this report, if you have 5 security people in your organization, then at least 1 of them is lying to you right now about something they've assessed. If you scale this up, there is simply no reasonable way that a C* can directly verify everything themselves. It is simply not realistic. Moreover, the point is not whether or not a C* can verify everything, but that the C* now has to be concerned about the reliability of the information presented.&lt;/p&gt;

&lt;p&gt;The impact of this realization is quite startling: major problems may be lurking in your environment unbeknownst to you. You are now required to either spend your own time independently investigating matters ("verifying"), or you'll have to find trusted outsiders to bring in to ferret out the truths for you. A loss of trust is very expensive.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Cop Out: "Trust but Verify"&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;I've never been fully comfortable with former Pres. Ronald Reagan's quote "trust but verify." It seems to me that if you truly trust people, then verification is not only not needed, but the act of verification immediately belies that trust. It's a cynical position, and yet it seems increasingly to be required. I find it very disconcerting that we must use this hedge against the realities of modern society.&lt;/p&gt;

&lt;p&gt;Of course, one could argue that IT itself is built on the back of "trust but verify." Much of what we do in infosec is verify that an individual, system, or application should in fact be trusted. I have to wonder if this doesn't set a negative tone across the industry and the enterprise. "We do not implicitly trust anybody or anything." This of course balances against "once bitten, twice shy," I suppose, but it seems very jaded.&lt;/p&gt;

&lt;p&gt;Is this really what we've come to as a people? That we cannot trust anything or anyone implicitly? How sad.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Impact of the Admission&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;I'm very concerned about the potential impact of this survey. I think it demonstrates very bad judgement (who &lt;em&gt;admits&lt;/em&gt; to cheating, really?!?), but it also demonstrates what is likely a very serious problem. We already have enough problems to deal with (lack of innovation, a compliance-only focus, challenges with evolving defenses, increasingly sophisticated attackers, etc.). We really cannot afford the distraction of now having to thoroughly verify and re-verify the work of those working alongside us.&lt;/p&gt;

&lt;p&gt;"Fool me once, shame on you. Fool me twice, shame on me."&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The Status Quo: Cutting Corners&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;One of the things I'm extremely concerned about is the apparent status quo. People are so intent on achieving a compliance checkmark that they are apparently willing to violate the very nature and purpose of the process. It's no wonder so many major incidents are occurring despite PCI DSS being in place for a few years now. Is it really the state of American business that we can lie so openly about things? Look at the state of the economy and Wall Street and the mortgage industry and residential real estate. Look at how these houses of cards have fallen lately. Have we learned nothing from the events around us?&lt;/p&gt;

&lt;p&gt;More importantly, what does this say in general about our ability to learn lessons? Are we so incapable of learning from the mistakes of others? Are we doomed to fail miserably? The thought struck me a few years ago, while visiting Rome, that in 2000 years tourists may be visiting the site that was once known as Washington, DC, talking about the high point and sudden collapse of our modern society. The thought was fleeting, shrugged off with a knowing nod that our people were resilient. Yet, I cannot help wondering if this rationalization was merely a way to appease my mind; the lie I told myself so as not to accept what would be true.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;The Bitter Medicine (Remedy)&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;My biggest concern out of all of this mess is that it will trigger draconian regulations from the federal government. If you think PCI DSS is bad, wait until your coffers are drained by mandatory quarterly audits by a bureaucratic machine. If you want to see small business crushed, here is where it will happen. And, lest you think the small businesses will be exempted, bear in mind that these are the very orgs most often culpable in misrepresentations of compliance state (whether intentional or not).&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Closing Thoughts&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;This portrayal of the situation may seem a bit apocalyptic, and I would certainly agree with that sentiment. However, I feel very strongly and passionately about the importance of trust within society, and I fear that we have gotten far away from a healthy place in this regard. It is my hope that everyone will take this survey as a reminder that we have much work to do when it comes to improving the information society to a place that is beneficial multi-laterally and without limitation.&lt;/p&gt;

&lt;p&gt;I grew up in an academic - yet soundly conservative and religious - household, most prominently at &lt;a href="http://www.cord.edu/"&gt;Concordia College&lt;/a&gt; in Moorhead, MN, where my dad teaches mathematics. Following are the first two verses of the "Hymn to Concordia" - the official anthem of the college. I'm no longer a religious person, but these words came to mind as I thought about the article and what it really said about society.&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;On firm foundation grounded, Concordia fair doth stand,&lt;br /&gt;
with love and hope surrounded from God’s almighty hand,&lt;br /&gt;
To sacred truth, Concordia, May thou e’er faithful be,&lt;br /&gt;
’Til "Soli Deo Gloria" we sing eternally.&lt;/p&gt;

&lt;p&gt;In strength and faith forever, lead us where those have trod,&lt;br /&gt;
whose toil and chief endeavor have brought us close to God!&lt;br /&gt;
All hail to thee our founders, Concordia honors thee,&lt;br /&gt;
As "Soli Deo Gloria" we sing eternally.&lt;/p&gt;
&lt;/blockquote&gt;
   &lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=LubJ849AjK4:bvw95OZOusk:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=LubJ849AjK4:bvw95OZOusk:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=LubJ849AjK4:bvw95OZOusk:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=LubJ849AjK4:bvw95OZOusk:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=LubJ849AjK4:bvw95OZOusk:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=LubJ849AjK4:bvw95OZOusk:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=LubJ849AjK4:bvw95OZOusk:TzevzKxY174"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=TzevzKxY174" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=LubJ849AjK4:bvw95OZOusk:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=LubJ849AjK4:bvw95OZOusk:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=LubJ849AjK4:bvw95OZOusk:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/secureconsulting/ujTc/~4/LubJ849AjK4" height="1" width="1"/&gt;</content>
<feedburner:origLink>http://www.secureconsulting.net/2009/06/on_firm_foundation_grounded.html</feedburner:origLink></entry>
<entry>
   <title>Fun Reading: Hikaru no Go, Nightwing</title>
   <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/secureconsulting/ujTc/~3/lDKdRvF2ZYc/fun_reading_hikaru_no_go_night.html" />
   <id>tag:www.secureconsulting.net,2009://12.2130</id>
   
   <published>2009-06-20T21:26:17Z</published>
   <updated>2009-06-20T21:27:55Z</updated>
   
   <summary type="html">Since I'm catching up on my book reviews... forgive me for totally geeking out for a couple minutes to talk about my latest reading obsessions... I'm sure most of you will chuckle, chortle, laugh, or roll your eyes... but I'm...</summary>
   <author>
      <name>Ben Tomhave</name>
      <uri>http://www.secureconsulting.net/</uri>
   </author>
         <category term="books-reading" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="18" label="books" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="95" label="fiction" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="513" label="graphic novels" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="511" label="manga" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="1" label="misc" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="19" label="reading" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.secureconsulting.net/">
      &lt;p&gt;&lt;img align="right" vspace="5" hspace="5" height="15%" width="15%" border="0" src="http://www.hyperborea.org/flash/images/grayson1.gif"&gt;Since I'm catching up on my book reviews... forgive me for totally geeking out for a couple minutes to talk about my latest reading obsessions... I'm sure most of you will chuckle, chortle, laugh, or roll your eyes... but I'm guessing a few of you will appreciate this little missive... :)&lt;/p&gt;

&lt;p&gt;In addition to regular books (fiction and non-fiction), I've also been exploring the world of graphic novels to help lighten the reading load. Sometimes you just need to break out the cake reading to give your mind a break, ya know? Toward that end, I've found two series that have provided a great break from thinking. :)&lt;/p&gt;
      &lt;p&gt;&lt;em&gt;Hikaru no Go&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;The first series I started reading was the Japanese manga series &lt;em&gt;&lt;a href="http://en.wikipedia.org/wiki/Hikaru_no_Go"&gt;Hikaru no Go&lt;/a&gt;&lt;/em&gt;. This is a graphic novel about a young boy (middle school age initially) who becomes possessed by the ghost of a great Go player. The boy - a true slacker - struggles with his identity in the face of the desire of the ghost, Fujiwara-no-Sai, to play Go. Over time, Hikaru comes to love the game, and decides to go pro. Overall, it's a lot of fun, and it's an extremely easy read.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Nightwing&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;I've been a fan of Batman for ages, since he's a superhero without special powers. However, Bruce Wayne did have significant financial resources at his disposal, allowing him to do more than the "average" person. As such, I've grown to appreciate &lt;a href="http://www.hyperborea.org/flash/nightwing.html"&gt;Nightwing&lt;/a&gt; as a true warrior, much in the spirit of what we have in infosec (also see &lt;a href="http://www.dccomics.com/dcu/heroes_and_villains/?hv=origin_stories/nightwing&amp;p=1"&gt;Origin Stories: Nightwing&lt;/a&gt; and &lt;a href="http://en.wikipedia.org/wiki/Nightwing"&gt;Wikipedia: Nightwing&lt;/a&gt;). Toward that end, I've started reading and collecting the Nightwing graphic novels, which collect each story arc from the comic book series into a single work. I've started out with Vol 1: A Knight in Bludhaven, and am slowly collecting the other volumes.&lt;/p&gt;

&lt;p&gt;&lt;em&gt;Related&lt;/em&gt;&lt;br /&gt;
In relation to the above, I've also started reading the new comics "Red Robin" and "Batman and Robin" as well as the new arc in the Batman series. I've also gone back to get the graphic novel of the "Batman: Final Crisis" series, and am eagerly awaiting the November release of the "Batman: Battle for the Cowl" (out of which Dick "Nightwing" Grayson assumes the role of Batman).&lt;/p&gt;

&lt;p&gt;For more on Red Robin, see &lt;a href="http://en.wikipedia.org/wiki/Red_Robin_(comic_book)"&gt;here&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;For more on the history of Batman's sidekick, Robin, see &lt;a href="http://en.wikipedia.org/wiki/Robin_(comics)"&gt;here&lt;/a&gt;.&lt;/p&gt;

&lt;p&gt;Overall, the entire Batman enterprise has gotten extremely complex, which is partly why I wandered away. Now that I'm older and in need of breaks from thinking hard all the time, I greatly appreciate having comics to return to. :)&lt;/p&gt;
   &lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=lDKdRvF2ZYc:M4TYDttwM7A:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=lDKdRvF2ZYc:M4TYDttwM7A:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=lDKdRvF2ZYc:M4TYDttwM7A:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=lDKdRvF2ZYc:M4TYDttwM7A:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=lDKdRvF2ZYc:M4TYDttwM7A:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=lDKdRvF2ZYc:M4TYDttwM7A:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=lDKdRvF2ZYc:M4TYDttwM7A:TzevzKxY174"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=TzevzKxY174" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=lDKdRvF2ZYc:M4TYDttwM7A:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=lDKdRvF2ZYc:M4TYDttwM7A:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=lDKdRvF2ZYc:M4TYDttwM7A:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/secureconsulting/ujTc/~4/lDKdRvF2ZYc" height="1" width="1"/&gt;</content>
<feedburner:origLink>http://www.secureconsulting.net/2009/06/fun_reading_hikaru_no_go_night.html</feedburner:origLink></entry>
<entry>
   <title>Non-Fiction Review: The New School of Information Security</title>
   <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/secureconsulting/ujTc/~3/0WVtEgWE5yM/nonfiction_review_the_new_scho.html" />
   <id>tag:www.secureconsulting.net,2009://12.2129</id>
   
   <published>2009-06-20T20:41:45Z</published>
   <updated>2009-06-20T23:08:45Z</updated>
   
   <summary type="html">I made quick work this week of The New School of Information Security by Adam Shostack and Andrew Stewart. This seminal work brings together all the bits and pieces that have been rolling around in my head for nigh on...</summary>
   <author>
      <name>Ben Tomhave</name>
      <uri>http://www.secureconsulting.net/</uri>
   </author>
         <category term="books-reading" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="18" label="books" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="10" label="infosec" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="21" label="non-fiction" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="19" label="reading" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.secureconsulting.net/">
      &lt;p&gt;&lt;a href="http://www.amazon.com/gp/product/0321502787?ie=UTF8&amp;tag=thfasvi-20&amp;linkCode=as2&amp;camp=1789&amp;creative=9325&amp;creativeASIN=0321502787"&gt;&lt;img border="0" align="right" vspace="5" hspace="5" src="https://images-na.ssl-images-amazon.com/images/I/41qmZhVUdTL._SL160_.jpg"&gt;&lt;/a&gt;&lt;img src="http://www.assoc-amazon.com/e/ir?t=thfasvi-20&amp;l=as2&amp;o=1&amp;a=0321502787" width="1" height="1" border="0" alt="" style="border:none !important; margin:0px !important;" /&gt;I made quick work this week of &lt;em&gt;&lt;a href="http://www.amazon.com/gp/product/0321502787?ie=UTF8&amp;tag=thfasvi-20&amp;linkCode=as2&amp;camp=1789&amp;creative=9325&amp;creativeASIN=0321502787"&gt;The New School of Information Security&lt;/a&gt;&lt;img src="http://www.assoc-amazon.com/e/ir?t=thfasvi-20&amp;l=as2&amp;o=1&amp;a=0321502787" width="1" height="1" border="0" alt="" style="border:none !important; margin:0px !important;" /&gt;&lt;/em&gt; by Adam Shostack and Andrew Stewart. This seminal work brings together all the bits and pieces that have been rolling around in my head for nigh on 10 years now. They've defined the "new school" in a manner that many of us have been talking about for ages. It's a break from the operations-driven, bottom-up, break-fix approach to something much more strategic and sensible.&lt;/p&gt;

&lt;p&gt;That being said, I was a bit disappointed by the book, having heard all the hype. Really, I think the work is targeted more to people outside the industry than it is to people in the industry. Freshly minted CISSPs would benefit greatly from reading this book, as would those who think that infosec belongs in ill-conceived silos. Technology is not infosec, and infosec is not technology. Neither is compliance, for that matter. The sooner the world comes to understand and accept this, the sooner we'll be able to truly revolutionize this industry.&lt;/p&gt;

&lt;p&gt;Conclusion: Buy and read this book. If you've been in the industry for a while and "get it," then this will seem like a good cursory summary. If you're new to infosec, or if you're living in a deluded world of silos, then read it and take it to heart. No bad will come from learning and accepting the lessons offered.&lt;/p&gt;
      
   &lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=0WVtEgWE5yM:TJxcZa5gVZA:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=0WVtEgWE5yM:TJxcZa5gVZA:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=0WVtEgWE5yM:TJxcZa5gVZA:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=0WVtEgWE5yM:TJxcZa5gVZA:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=0WVtEgWE5yM:TJxcZa5gVZA:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=0WVtEgWE5yM:TJxcZa5gVZA:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=0WVtEgWE5yM:TJxcZa5gVZA:TzevzKxY174"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=TzevzKxY174" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=0WVtEgWE5yM:TJxcZa5gVZA:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=0WVtEgWE5yM:TJxcZa5gVZA:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=0WVtEgWE5yM:TJxcZa5gVZA:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/secureconsulting/ujTc/~4/0WVtEgWE5yM" height="1" width="1"/&gt;</content>
<feedburner:origLink>http://www.secureconsulting.net/2009/06/nonfiction_review_the_new_scho.html</feedburner:origLink></entry>
<entry>
   <title>Fiction Review: Tetraktys by Ari Juels</title>
   <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/secureconsulting/ujTc/~3/whZFT2rnH14/fiction_review_tetraktys_by_ar.html" />
   <id>tag:www.secureconsulting.net,2009://12.2128</id>
   
   <published>2009-06-20T20:27:33Z</published>
   <updated>2009-06-20T20:37:20Z</updated>
   
   <summary type="html">I finished reading Ari Juels' Tetraktys this week. Ari is Chief Scientist at RSA Labs, so brings a lot of tech cred to the table. This book is his first official work in the non-fiction realm, and it's definitely worth...</summary>
   <author>
      <name>Ben Tomhave</name>
      <uri>http://www.secureconsulting.net/</uri>
   </author>
         <category term="books-reading" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="18" label="books" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="95" label="fiction" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="19" label="reading" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.secureconsulting.net/">
      &lt;p&gt;&lt;a href="http://www.amazon.com/gp/product/B002BFEERW?ie=UTF8&amp;tag=thfasvi-20&amp;linkCode=as2&amp;camp=1789&amp;creative=9325&amp;creativeASIN=B002BFEERW"&gt;&lt;img border="0" align="right" hspace="5" vspace="5" src="https://images-na.ssl-images-amazon.com/images/I/41aLgULNg-L._SL160_.jpg"&gt;&lt;/a&gt;&lt;img src="http://www.assoc-amazon.com/e/ir?t=thfasvi-20&amp;l=as2&amp;o=1&amp;a=B002BFEERW" width="1" height="1" border="0" alt="" style="border:none !important; margin:0px !important;" /&gt;I finished reading Ari Juels' &lt;em&gt;&lt;a href="http://www.amazon.com/gp/product/B002BFEERW?ie=UTF8&amp;tag=thfasvi-20&amp;linkCode=as2&amp;camp=1789&amp;creative=9325&amp;creativeASIN=B002BFEERW"&gt;Tetraktys&lt;/a&gt;&lt;img src="http://www.assoc-amazon.com/e/ir?t=thfasvi-20&amp;l=as2&amp;o=1&amp;a=B002BFEERW" width="1" height="1" border="0" alt="" style="border:none !important; margin:0px !important;" /&gt;&lt;/em&gt; this week. Ari is Chief Scientist at RSA Labs, so brings a lot of tech cred to the table. This book is his first official work in the non-fiction realm, and it's definitely worth a read. I look forward to more from him.&lt;/p&gt;

&lt;p&gt;In general, this book is typical of a first fiction work in that it has a degree of awkwardness. However, I think there's a lot of potential for the lead character, Ambrose Jerusalem, to grow into a series of novels that far exceeds Dan Brown's Dr. Robert Langdon, and is perhaps on par with peak Tom Clancy's Jack Ryan. None of which is to say that Juels has written an action novel by any means. Just that the character has good sustainability potential.&lt;/p&gt;
&lt;p&gt;The book overall was very fascinating. It's nice for a change to have the tech make sense. :) In the story, Ambrose Jerusalem is pulled out of his PhD program a few months early to tackle what appears to be a resurgence of the Pythagorean Cult, thought dead for millennia. Jerusalem is uniquely skilled for the task, with an eerie resemblance in background to the author. :) Luckily, I don't recall any real-life Pythagorean conspiracies.&lt;/p&gt;

&lt;p&gt;While the book is far from formulaic, I did find the ending a little predictable, but not in such an overt way as to make the book a waste of time. Juels does tend to write a lot of descriptive detail that at times feels heavy (think Neal Stephenson), but overall the writing was fluid and keeps you moving. The book did end slightly abruptly (not as bad as Clancy's Teeth of the Tiger, where I literally called the book store to find out if my copy was missing pages), and there are of course several unresolved matters. However, none of the lingering issues are of particular merit to the immediate story.&lt;/p&gt;

&lt;p&gt;Conclusion: I commend Juels for his effort and eagerly await his second novel. If you like books by authors such as Dan Brown, Richard K. Morgan, or Neal Stephenson, then you should give this one a read.&lt;/p&gt;
   &lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=whZFT2rnH14:VzjOt1m5VM8:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=whZFT2rnH14:VzjOt1m5VM8:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=whZFT2rnH14:VzjOt1m5VM8:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=whZFT2rnH14:VzjOt1m5VM8:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=whZFT2rnH14:VzjOt1m5VM8:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=whZFT2rnH14:VzjOt1m5VM8:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=whZFT2rnH14:VzjOt1m5VM8:TzevzKxY174"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=TzevzKxY174" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=whZFT2rnH14:VzjOt1m5VM8:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=whZFT2rnH14:VzjOt1m5VM8:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=whZFT2rnH14:VzjOt1m5VM8:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/secureconsulting/ujTc/~4/whZFT2rnH14" height="1" width="1"/&gt;</content>
<feedburner:origLink>http://www.secureconsulting.net/2009/06/fiction_review_tetraktys_by_ar.html</feedburner:origLink></entry>
<entry>
   <title>Privacy Doghouse: City of Bozeman, MT</title>
   <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/secureconsulting/ujTc/~3/pJApIOwZXg4/privacy_doghouse_city_of_bozem.html" />
   <id>tag:www.secureconsulting.net,2009://12.2127</id>
   
   <published>2009-06-19T21:26:47Z</published>
   <updated>2009-06-20T19:55:07Z</updated>
   
   <summary type="html">Update: Jules Polonetsky at The Future of Privacy Forum wonders "Could Bozeman Montana city officials be prosecuted for Facebook snooping?" Well, well, well. My adopted home state is in the news late this week, and for good reason. Apparently the...</summary>
   <author>
      <name>Ben Tomhave</name>
      <uri>http://www.secureconsulting.net/</uri>
   </author>
         <category term="infosec" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="10" label="infosec" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="14" label="privacy" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="5" label="stupidity" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.secureconsulting.net/">
      &lt;p&gt;&lt;em&gt;&lt;strong&gt;Update:&lt;/strong&gt; Jules Polonetsky at The Future of Privacy Forum wonders &lt;a href="http://www.futureofprivacy.org/2009/06/19/could-bozeman-montana-city-officials-be-prosecuted-for-facebook-snooping/"&gt;"Could Bozeman Montana city officials be prosecuted for Facebook snooping?"&lt;/a&gt;&lt;/em&gt;&lt;/p&gt;

&lt;p&gt;Well, well, well. My adopted home state is in the news late this week, and for good reason. Apparently the geniuses at town hall in &lt;a href="http://www.usnews.com/blogs/the-inside-job/2009/06/19/in-bozeman-giving-up-privacy-for-a-paycheck.html"&gt;Bozeman decided&lt;/a&gt; that, as part of their "background check," they would not only ask what sites people were on, but also what their usernames AND passwords were (see good aggregation of media coverage &lt;a href="http://www.hypercrit.net/2009/06/18/aggregated-media-coverage-of-bozeman-privacy-fiasco/"&gt;here&lt;/a&gt;). While I can certainly understand and appreciate a desire to compel full disclosure of online activities that may negatively impact the city, this is clearly a case of people just not understanding fundamental privacy practices.&lt;/p&gt;
      &lt;p&gt;&lt;strong&gt;Do they also request house keys?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Perhaps the best concrete example I can give to demonstrate how ridiculous this request is would be as such: asking for username and password to social networking sites is akin to asking me for my house keys with the intent to search my home. In no uncertain terms, the City of Bozeman is completely out of line for &lt;em&gt;requiring&lt;/em&gt; such access to make a hiring decision. While it's unclear the extent to which this information might be used, one need only be reminded of anti-discrimination (EOE) hiring laws to see the slippery slope.&lt;/p&gt;

&lt;p&gt;More disconcerting to me is the notion that someone thinks they actually need this level of personal, private information to make a hiring decision. If you cannot get a good read off of an in-person interview or two, plus a decent background check, then you probably shouldn't be in a position to hire people.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Do they request permission to access?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;Behind the initial visceral reaction, my next thought is whether or not the applicant signs an agreement authorizing the City of Bozeman to actually access those accounts. I'm no lawyer, but it seems to me that simply having the login information is neither implicit nor explicit consent to then access that account. It might be a fine bone of contention, but I think it's an important distinction to draw. In &lt;a href="http://www.secureconsulting.net/2009/05/the_new_school_of_privacy.html"&gt;the New School of Privacy&lt;/a&gt;, authorization is as important, if not more important, than access itself.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Have they heard of "Google"?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;This is, I think, the big "duh" question: why do they need this information disclosed? Forget about the username/password request; why do they need an applicant to tell them what accounts they have? A simple Google search on various combinations of a person's name should be more than adequate. If you can't figure out who someone is from Googling, then there's a good chance only their friends are going to know who they are.&lt;/p&gt;

&lt;p&gt;I have to believe that the city is being driven by some sort of liability concern, but there are clearly better ways to tackle this beast.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Who performs their background checks?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;One question I have is on the background check itself. Is the city performing one on its own, or have they outsourced it to a 3rd party (which seems more likely)? If they're performing one on their own, then I would suggest they outsource to a professional agency. I realize there is a cost consideration here, but let's get serious for a moment and realize that the background check should only be run on candidates who have accepted an offer, not on every applicant. This cost should be straightforward to control.&lt;/p&gt;

&lt;p&gt;If the city is already outsourcing to a third party, then I'm really curious, because this agency should be able to find public info about the applicant already. Did they ask for this other information? Somehow I doubt it...&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;How are these forms protected?&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;The more blatant question is how the data is protected once gathered, along with the question of whether this reflects how they handle sensitive data in general. I'm not going to go into the concerns because they're obvious and over-discussed already, but it's a valid question to be asked.&lt;/p&gt;

&lt;p&gt;&lt;strong&gt;Conclusion&lt;/strong&gt;&lt;/p&gt;

&lt;p&gt;How dumb can you get? Was this decision made without consulting the city attorney? Is there adequate justification? This situation strikes me as someone going a bit too far in what they perceive as their "job" around "due diligence." Hopefully they'll retract their application form and come to grips with reality.&lt;/p&gt;
   &lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=pJApIOwZXg4:etndasHtCng:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=pJApIOwZXg4:etndasHtCng:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=pJApIOwZXg4:etndasHtCng:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=pJApIOwZXg4:etndasHtCng:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=pJApIOwZXg4:etndasHtCng:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=pJApIOwZXg4:etndasHtCng:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=pJApIOwZXg4:etndasHtCng:TzevzKxY174"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=TzevzKxY174" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=pJApIOwZXg4:etndasHtCng:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=pJApIOwZXg4:etndasHtCng:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=pJApIOwZXg4:etndasHtCng:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/secureconsulting/ujTc/~4/pJApIOwZXg4" height="1" width="1"/&gt;</content>
<feedburner:origLink>http://www.secureconsulting.net/2009/06/privacy_doghouse_city_of_bozem.html</feedburner:origLink></entry>
<entry>
   <title>How NOT to Build a Security Program</title>
   <link rel="alternate" type="text/html" href="http://feedproxy.google.com/~r/secureconsulting/ujTc/~3/YV2neRB4azQ/how_not_to_build_a_security_pr.html" />
   <id>tag:www.secureconsulting.net,2009://12.2126</id>
   
   <published>2009-06-18T02:10:55Z</published>
   <updated>2009-06-18T02:18:25Z</updated>
   
   <summary type="html">Life sure can be a doozy of a thrill sometimes. And then there are those times when you try to swallow the elephant whole and you get smooshed. The trick, then, seems to be in eating that elephant one bite...</summary>
   <author>
      <name>Ben Tomhave</name>
      <uri>http://www.secureconsulting.net/</uri>
   </author>
         <category term="infosec" scheme="http://www.sixapart.com/ns/types#category" />
   
   <category term="10" label="infosec" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="510" label="lessons" scheme="http://www.sixapart.com/ns/types#tag" />
   <category term="323" label="musing" scheme="http://www.sixapart.com/ns/types#tag" />
   
   <content type="html" xml:lang="en" xml:base="http://www.secureconsulting.net/">
      &lt;p&gt;Life sure can be a doozy of a thrill sometimes. And then there are those times when you try to swallow the elephant whole and you get smooshed. The trick, then, seems to be in eating that elephant one bite at a time (never minding just how odd that sounds). &lt;strong&gt;This&lt;/strong&gt; is the lesson I've learned in the past few weeks. As such, a few brief missives on mistakes that I've made &lt;em&gt;thus far&lt;/em&gt; in my quest to build a security program.&lt;/p&gt;
      &lt;ul&gt;
&lt;li&gt;You cannot do everything all at once. Seriously. It's just not rational or sane.&lt;/li&gt;
&lt;li&gt;Prioritization is a myth without understanding the business and its priorities. I cannot tell you what's right if you don't tell me what is important.&lt;/li&gt;
&lt;li&gt;Setting expectations is great, as long as that doesn't change every week. Yes, business and life are fluid and dynamic, but at some point you have to put a stake in the ground.&lt;/li&gt;
&lt;li&gt;When faced with limited resources (read: nearly every imaginable case) you should first find out what you can do with what you have before launching into a sob story about how poor little you needs some resources.&lt;/li&gt;
&lt;li&gt;Models, frameworks, and methodologies are wonderful things, at least until you try to implement them. My TEAM Model is great on paper, but I've realized that it's not quite right. So, on the side I'm trying to revise it. And write a book. And figure out risk management. And. And. And. (see first point above)&lt;/li&gt;
&lt;li&gt;Don't forget, you didn't (likely) just fall into this position. You probably actually have real and useful experience that you bring to the table. Don't, um, forget to, ya know, recall and use it.&lt;/li&gt;
&lt;li&gt;PCI is not a security program roadmap. Yes, I know that. But do &lt;em&gt;they&lt;/em&gt; know that? Compliance can be a great driver, but let's make sure the bus has the right people onboard and is heading in the right direction.&lt;/li&gt;
&lt;/ul&gt;

&lt;p&gt;I'm sure there are lots of other "lessons learned" missives to add here. What are yours?&lt;/p&gt;

&lt;p&gt;This seemed oddly appropriate, though I'm using it completely in the wrong context. :)&lt;/p&gt;

&lt;blockquote&gt;
&lt;p&gt;Where The River Bends Lyrics&lt;/p&gt;

&lt;p&gt;by &lt;a href="http://www.amazon.com/Ghost-Notes-Matthew-Barber/dp/B0014GKAQS/ref=sr_1_1?ie=UTF8&amp;s=music&amp;qid=1245287835&amp;sr=1-1"&gt;Matthew Barber&lt;/a&gt;&lt;/p&gt;

&lt;p&gt;Tell me what you think, tell me what you feel&lt;br /&gt;
Is this thing a fake, or is it for real&lt;br /&gt;
Is it what you hoped for, what you dreamed&lt;br /&gt;
Is it something strange, that you never seen&lt;/p&gt;

&lt;p&gt;Does it lift you up, closer to the light&lt;br /&gt;
Does it send you raging into the night&lt;br /&gt;
Where did it begin, will it ever end&lt;br /&gt;
Where the sun sets and the river bends&lt;/p&gt;

&lt;p&gt;Where the river bends, is a place I've been&lt;br /&gt;
The water's not as blue, and the grass well it ain't so green&lt;br /&gt;
The current gets strong, it can pull you down&lt;br /&gt;
You gotta swim hard, if you want to turn around&lt;/p&gt;

&lt;p&gt;But I don't want to go there, baby not with you&lt;br /&gt;
I'm happy right here, now I got a love that's true&lt;br /&gt;
So let's stay awhile, and invite our friends&lt;br /&gt;
No one needs to go where the river bends&lt;/p&gt;

&lt;p&gt;No No No&lt;br /&gt;
No No No&lt;br /&gt;
No No No&lt;br /&gt;
No No No&lt;/p&gt;

&lt;p&gt;I don't want to go there, baby ever again&lt;br /&gt;
I'm gonna be with you right here till the very end&lt;br /&gt;
So let's stay forever and ever and ever amen&lt;br /&gt;
No one needs to go where the river bends&lt;/p&gt;

&lt;p&gt;No No No&lt;br /&gt;
No No No&lt;br /&gt;
No No No&lt;/p&gt;
&lt;/blockquote&gt;
   &lt;div class="feedflare"&gt;
&lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=YV2neRB4azQ:OWT_qJ2SivU:yIl2AUoC8zA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=yIl2AUoC8zA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=YV2neRB4azQ:OWT_qJ2SivU:7Q72WNTAKBA"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=7Q72WNTAKBA" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=YV2neRB4azQ:OWT_qJ2SivU:V_sGLiPBpWU"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=YV2neRB4azQ:OWT_qJ2SivU:V_sGLiPBpWU" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=YV2neRB4azQ:OWT_qJ2SivU:gIN9vFwOqvQ"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=YV2neRB4azQ:OWT_qJ2SivU:gIN9vFwOqvQ" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=YV2neRB4azQ:OWT_qJ2SivU:TzevzKxY174"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=TzevzKxY174" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=YV2neRB4azQ:OWT_qJ2SivU:qj6IDK7rITs"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?d=qj6IDK7rITs" border="0"&gt;&lt;/img&gt;&lt;/a&gt; &lt;a href="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?a=YV2neRB4azQ:OWT_qJ2SivU:F7zBnMyn0Lo"&gt;&lt;img src="http://feeds.feedburner.com/~ff/secureconsulting/ujTc?i=YV2neRB4azQ:OWT_qJ2SivU:F7zBnMyn0Lo" border="0"&gt;&lt;/img&gt;&lt;/a&gt;
&lt;/div&gt;&lt;img src="http://feeds.feedburner.com/~r/secureconsulting/ujTc/~4/YV2neRB4azQ" height="1" width="1"/&gt;</content>
<feedburner:origLink>http://www.secureconsulting.net/2009/06/how_not_to_build_a_security_pr.html</feedburner:origLink></entry>

</feed>
