For better or worse, back into the frying pan

November 5th, 2009

For nearly a year and a half I’ve been working to build the InfoSec program at my current company. This company is a late-stage startup, but still a startup. This has been quite a challenge and I’ve learned a ton in the process. Some of the most important things I’ve learned:

  • It doesn’t really matter what you think until you prove it. Analysis and understanding are more valuable than a thousand educated guesses.
  • Key to understanding your risk is understanding your business, what assets are key to your business, and working your way through those from most critical to least.
  • People do care about security, they just don’t think about it. Security in a startup isn’t as in-your-face as other problems like finances, availability and growth. You have to find ways to tie security to those things, and it’s not easy. This probably doesn’t just apply to startups.
  • To be in security, you must have patience. Lots of patience.

With these lessons learned, it’s time for a new chapter at a new company. I’m not leaving security, but my role isn’t going to be only security. I’m taking a bit of a step back to what I really have enjoyed in the past – fixing and building infrastructure. I’m walking into a company with some pretty significant challenges and I’m actually pretty excited about it. After a few years of management, I’m ready to get my hands filthy again.

This blog may evolve a little, but I’ll keep rambling here about security stuff and probably other things. I’ll still be “the security guy” at the new place – but I’ll also be “the network guy”, “the systems guy” and probably 15 other things. This is what I do – I put myself in difficult situations and do my part to improve them. I’m pretty proud of what I’ve done in the last 1.5 years running a security program – for a guy who’s never done that before, I think I made good progress. If nothing else, I got some good typing practice…

And since I love quotes:

“The follies which a man regrets most, in his life, are those which he didn’t commit when he had the opportunity.” – Helen Rowland

Here’s to no regrets…


Change Management and the art of going fast

November 4th, 2009

“If everything seems under control, you’re just not going fast enough.” – Mario Andretti

I wrote an article or two about change control some time back. I called it “change control” because that’s what you were doing, right? You were controlling change. Only, I didn’t really stop to think about what I was actually trying to control. Changes are a necessary part of any operation, and when changes can’t happen, that’s not good. Changes that happen fast aren’t usually bad unless something goes wrong. It’s not the change that you are fundamentally controlling. What you are actually trying to control is the risk of change, and there are lots of aspects to doing that.

The race car driver going around the track isn’t trying to never slip or trade paint; she’s trying to be fastest and stay in the race. You can’t do that and guarantee you will never hit the wall – so you adjust your acceptance of risk to the point that you make good time around the track without getting knocked out of the race most of the time. Bad things happen sometimes, but you are doing OK if you come out ahead on average. Guys like Andretti are really good at this balancing act.

If you drive an ambulance, the math is completely different…

Read more…

Internal Blog: Phishing Attacks on the rise – how to protect yourself

October 29th, 2009

This is another of those posts to my internal corporate blog that I figured may have some use to the larger community, so I’ve re-posted it here. The goal is user awareness: arming people with information, and keeping these issues top of mind as they become more common.

If you have comments, other resources for information about these attacks, or see something in this note that doesn’t quite look right, please let me know – I always appreciate feedback.

Read more…


Shameless plug – SANS MGT414 CISSP Course in Boulder, CO

October 21st, 2009

In January 2010 I will be mentoring a SANS MGT414 “SANS® +S™ Training Program for the CISSP® Certification Exam” course in Boulder, Colorado. I’m excited about participating in the mentor program, and if you are in the area and are interested in getting your CISSP, this is a great way to do it.

Read more…


How to Respond to Criticism – Learning from Dr. King

September 20th, 2009

It is probably one of the hardest parts of our job as security professionals – presenting security issues and the potential impact of risk while not becoming an easy target for dismissal by critics. Indeed, if your day is anything like mine, much of your time is spent justifying the assertion that a problem does indeed present a risk the business should care about.

It was this that came to mind as I read a post over on Tim Ferriss’ blog calling out a letter written by Dr. Martin Luther King Jr. The post describes the circumstances of the letter and speaks for itself regarding what can be taken away from its reading. The skills and posture used in this letter are things all security professionals (and really, all professionals) should learn. The letter is long, but even if you don’t read the whole thing, Tim has highlighted (in bold) certain sections which stood out for him. The ability to acknowledge an argument and calmly disarm it with facts is a skill that takes practice – but this letter stands as a fine example to get you started.


I’ll cite only this short bit at the end of the letter:

Never before have I written so long a letter. I’m afraid it is much too long to take your precious time. I can assure you that it would have been much shorter if I had been writing from a comfortable desk, but what else can one do when he is alone in a narrow jail cell, other than write long letters, think long thoughts and pray long prayers?

If I have said anything in this letter that overstates the truth and indicates an unreasonable impatience, I beg you to forgive me. If I have said anything that understates the truth and indicates my having a patience that allows me to settle for anything less than brotherhood, I beg God to forgive me.

My Take: Creating & Maintaining Secure Passphrases

September 5th, 2009

This was an article I wrote for my internal blog at work. I’ve re-posted it here in case others have a need to share information like this with their company as an awareness tool. Feel free to use and abuse. These are my opinions – there are plenty of other articles about how to do this.

We’re all familiar with the policies, right?

“Your password must be a minimum of 8 characters, must contain an uppercase character, a lowercase character, a number, a special character (which ones, exactly, are special?), must not be a dictionary word, must not be your name, must not be your hometown, must not be another person’s hometown, must not be the name of a planet, a galaxy, or an alien race, and must be changed every other week” – How in the world are you supposed to meet those requirements?

Read more…


Simplicity makes security easier

August 15th, 2009

Mubix posted a short bit titled “Simplicity is Security” and I wanted to add my $.02 to the idea. I think this statement is actually a good thing for people to consider. The premise of the article, as I saw it, was that the simpler a system is, or the simpler a civilization lives, the more secure it becomes. This is somewhat based on the difficulty of subverting the security measures built into simple societies, and also on the idea that a simple life has little value if compromised to the public at large.

Read more…


Reducing Risk vs. Increasing Security, not exactly the same

July 17th, 2009

In our jobs as security professionals we are asked to do two things which are often looked at as one and the same – “secure the organization” and “reduce risk”. I think a lot of security folks think of what they do as “making the organization more secure”, but I’d like to take a second look at that and argue that if you are doing only this, you might not actually be reducing risk.

Read more…


USB Keys & Metasploit for fun and profit

July 9th, 2009

There are a million ways to create a malicious USB key – here is one more, which may or may not already be out there. In recent tests, this worked pretty well on PCs running XP; Vista and Windows 7 appear more dicey.

In conducting some recent tests I needed something that was a bit more likely to get the data I needed and less likely to get picked up by virus scanners. This article describes a combination of techniques to achieve a USB key that operates silently and remotely, so that recovering the key is not required to know who inserted it or to gather data from their system. The attack focused on Windows as the easiest platform to attack and leverages the capabilities of the SanDisk U3 USB key and a meterpreter binary.

I’m using this for awareness training, but you can use your imagination to come up with other options you can try out with permission.

Read more…


Re-tooling your infosec

July 5th, 2009

For the last year I’ve had a full-time gig to build the InfoSec program at a small company. This is a company that had no prior security program and needed to have one built. Looking back on the last year, there were a few things I did right, but plenty of things that didn’t go as expected. At the risk of putting my annual review out here for public scrutiny, let’s talk about what I’ve learned and make some fun of us security professionals… at my expense.

Read more…