Archive for the ‘Uncategorized’ Category

Operation Bootstrap – Get ‘er started mostly right.

August 30th, 2010

New domain, new blog name, same guy. I hope you’re still listening!

I’m making it official – the old content remains accessible and the old domain will still work, but this blog is moving to another realm – Getting Operations running right in a small organization. In particular – there is an absolute horde of new startups doing all kinds of very cool things on the web. With the onset of Utility computing, some of these guys are doing this with a very minimal hardware footprint, but they still have the same old issues either way – they need to build & maintain a service. Oh, and they need to keep from getting pwned.

There is also a re-framing of the role of the Operations team member. We’re moving from hiring guys who can build systems and maintain hardware, to guys who can automate systems & understand the applications. It’s becoming less about rack & stack, and more about programmatically defining how your systems should be & using tools to make them that way. Some folks call this DevOps, but I just call it a change in the needs of the business and the capabilities available to Operations teams. Money is tight, do more with less on someone else’s infrastructure – whatever you want to call it, it’s a change & I think it’s good.

But the other thing changing here is how closely teams work. In an old world – your Operations team maintained infrastructure, your Engineering team maintained applications, and those two silos talked when they needed something from the other. Some companies have grown very large by keeping those silos to a minimum, and having the people responsible for the applications work very closely with the production Operation. To me, this is the key – this makes it all work.

All of this means you need experienced Operations folks who understand Engineering, they understand Systems, they understand packaging, networks, security, etc. The skillset delta between the folks writing applications and the ones maintaining the production operation is diminishing & they are turning into one big team. The main difference is that they are kept separate by their role – one keeps the lights on and hinges oiled so the other can focus on building better apps.

So, let’s see where this goes…


5 Rules for the “free” Security Assessment

July 25th, 2010

You’ve probably seen it before, you are courting some customer and they actually have a security team who actually audits their partners and vendors and who actually insists that security be important to the company. This customer wants to perform a security assessment of your organization – this might be an automated web scan, or it might be a full blown ISO assessment. Your sales/marketing/whoever person sends off an email like this:

Subject: Fwd: Security Assessment for widget services

Hi Guys, this is a huge opportunity for us but the customer would like to perform a security assessment before we move forward. It sounds like a great opportunity to get some free ethical hacking done and know what kinds of issues we have. What information do you need to allow them to move forward?

So, when you get this (and you eventually will) here are some things to think about.


Miscellaneous Debris #101

March 10th, 2010

Alright – a little step off the beaten path today. So I have this blog and this domain called infoseczen, except now I don’t just do security day in and day out, I use baling wire and bubblegum and lost episodes of MacGyver to make the impossible possible. At least, that’s what I tell myself – it’s better than being a janitor. So here are a few things you might find interesting.

First, over at Penelope Trunk’s blog, she talks about the triumph of just getting out of bed in the morning. We all know what it’s like to have a tough time starting your day, but I think she put a finer point on it. It’s that first step down the road toward something, overcoming that first hurdle that makes each step you take get you that much closer. When you finally complete that huge task, was it the last step you took or the first step you took that was the Triumph? Day in and day out I have tasks that I end up cruising through once I sit down and commit 10 minutes to getting started. I agree, the triumph is committing yourself to moving forward – the reward is completion. I also agree with her comment that high achievers do not have failure. There’s a big difference between making a mistake and failing – they are not the same. You make a mistake, you learn, you don’t make that mistake again. If that’s failure then Thomas Edison was one of the biggest failures of our time and we know that’s not the case.

Second, for those of you who might spend life in a Unix terminal like me… I’ve used GNU screen for the last 10 years but have recently gone in search of something a little updated. Someone had to be working on an update right? Yes – I discovered tmux. Maybe I’ll post a bit more when I have a good handle on a solid configuration & how to get it working with all the other bits I used in screen (almost there). Anyhow, if you use screen and it’s perfect for you and you don’t like change, forget I ever said anything. If you are interested in splitting your screen windows a million ways, scripting your screen layout and being able to simultaneously attach to your session from multiple locations with a tool that’ll intelligently scale your terminal (like attaching from your Android device) then tmux might be for you.

Lastly, I think I’m coming to the conclusion that for me, being dedicated to security isn’t where it’s at. I want to educate your common techie about security and have those folks understand the important concepts and important issues so good decisions get made on the ground. I still think there’s plenty of important roles for security experts – there always will be – I just think for me it needs to be a balance between day to day implementation and troubleshooting and scalable architecture with security as a part of all of that. If we need an expert – I know where to go – but for me being that expert is not where it’s at.

I guess I don’t mind making mistakes, I like learning from them, and this is #101 because it’s my Triumph, that very basic, very first step.


Security education for the Administrator, not just the security expert.

February 21st, 2010

Who do you educate about how to make good security decisions? How do you educate them? What is your goal in educating them? How often do you think about these questions?

I’ve set foot in two organizations now who were start-ups or late stage start-ups with some pretty significant security problems. The amusing part? The smaller of the two, the one with fewer resources, the one with fewer folks making all the security decisions, the one with really less at stake in a security breach – is orders of magnitude more secure than the other.


For better or worse, back into the frying pan

November 5th, 2009

For nearly a year and a half I’ve been working to build the InfoSec program at my current company. This company is a late stage startup, but still a startup. This has been quite a challenge and I’ve learned a ton in the process. Some of the most important things I’ve learned:

  • It doesn’t really matter what you think until you prove it. Analysis and understanding are more valuable than a thousand educated guesses.
  • Key to understanding your risk is understanding your business, what assets are key to your business, and working your way through those from most critical to least.
  • People do care about security, they just don’t think about it. Security in a startup isn’t as in your face as other problems like finances, availability & growth. You have to find ways to tie security to those things and it’s not easy. This probably doesn’t just apply to startups.
  • To be in security, you must have patience. Lots of patience.

With these lessons learned, it’s time for a new chapter at a new company. I’m not leaving security but my role isn’t going to be only security. I’m taking a bit of a step back to what I really have enjoyed in the past – fixing & building infrastructure. I’m walking into a company with some pretty significant challenges and I’m actually pretty excited about it. After a few years of management, I’m ready to get my hands filthy again.

This blog may evolve a little, but I’ll keep rambling here about security stuff and probably other things. I’ll still be “the security guy” at the new place – but I’ll also be “the network guy”, “the systems guy” and probably 15 other things. This is what I do – I put myself in difficult situations & do my part to improve them. I’m pretty proud of what I’ve done in the last 1.5 years running a security program – for a guy who’s never done that before I think I made good progress. If nothing else, I got some good typing practice…

And since I love quotes:

“The follies which a man regrets most, in his life, are those which he didn’t commit when he had the opportunity.” – Helen Rowland

Here’s to no regrets…


Change Management and the art of going fast

November 4th, 2009

“If everything seems under control, you’re just not going fast enough.” – Mario Andretti

I wrote an article or two about change control some time back. I called it “change control” because that’s what you were doing right? You were controlling change. Only, I didn’t really stop to think about what I actually was trying to control. Changes are a necessary part of any operation and when changes can’t happen that’s not good. Changes that happen fast aren’t usually bad unless something goes wrong. It’s not the change that you are fundamentally controlling. What you are actually trying to control is the risk of change and there are lots of aspects to doing that.

The race car driver going around the track isn’t trying to never slip or trade paint, she’s trying to be fastest and stay in the race. You can’t do that and guarantee you will never hit the wall – so you adjust your acceptance of risk to the point that you make good time around the track without getting knocked out of the race most of the time. Bad things happen sometimes, but you are doing ok if you come out ahead on average. Guys like Andretti are really good at this balancing act.

If you drive an ambulance, the math is completely different…


Internal Blog: Phishing Attacks on the rise – how to protect yourself

October 29th, 2009

This is another of those posts to my internal corporate blog that I figured may have some use to the larger community so I’ve re-posted them here. The goal is user awareness and arming people with information as well as keeping these issues top of mind when they become more common.

If you have comments, other resources for information about these attacks, or see something in this note that doesn’t quite look right please let me know – I always appreciate feedback.


Shameless plug – SANS MGT414 CISSP Course in Boulder, CO

October 21st, 2009

In January 2010 I will be mentoring a SANS MGT414 “SANS® +S™ Training Program for the CISSP® Certification Exam” course in Boulder Colorado. I’m excited about participating in the mentor program and if you are in the area and are interested in getting your CISSP, this is a great way to do it.


How to Respond to Criticism – Learning from Dr. King

September 20th, 2009

It is probably one of the hardest parts of our job as security professionals – presenting security issues & the potential impact of risk while not becoming an easy target for dismissal by critics. Indeed, if your day is anything like mine, much of our time is spent justifying our assertions that problems do indeed present a risk that the business should care about.

It was this that came to mind as I read a post over on Tim Ferriss’ blog calling out a letter written by Dr. Martin Luther King Jr. The post describes the circumstances of the letter and speaks for itself regarding what can be taken away from its reading. The skills & posture used in this letter are things all security professionals (and really, all professionals) should learn. The letter is long, but even if you don’t read the whole thing Tim has highlighted (in bold) certain sections which stood out for him. The ability to acknowledge an argument and calmly disarm it with facts is a skill that takes practice – but this letter stands as a fine example to get you started.

I’ll cite only this short bit at the end of the letter:

Never before have I written so long a letter. I’m afraid it is much too long to take your precious time. I can assure you that it would have been much shorter if I had been writing from a comfortable desk, but what else can one do when he is alone in a narrow jail cell, other than write long letters, think long thoughts and pray long prayers?

If I have said anything in this letter that overstates the truth and indicates an unreasonable impatience, I beg you to forgive me. If I have said anything that understates the truth and indicates my having a patience that allows me to settle for anything less than brotherhood, I beg God to forgive me.
My Take: Creating & Maintaining Secure Passphrases

September 5th, 2009

This was an article I wrote for my internal blog at work. I’ve re-posted it here in case others have a need to share information like this with their company as an awareness tool. Feel free to use and abuse. These are my opinions – there are plenty of other articles about how to do this.

We’re all familiar with the policies right?

“Your password must be a minimum of 8 characters, must contain an uppercase character, a lowercase character, a number, a special character (which ones, exactly, are special?), must not be a dictionary word, must not be your name, must not be your hometown, must not be another person’s hometown, must not be the name of a planet, a galaxy, an alien race and must be changed every other week” – How in the world are you supposed to meet those requirements?
