Archive for April, 2009

“Security made easy…” – This trend troubles me

April 28th, 2009

This year at the RSA Conference a few things showed up for me. First was the real lack of value the conference brings to anyone who is truly interested in security for the sake of making things secure. RSA is jam packed with vendor presentations, flashy displays, and watered-down keynotes. I walked away wishing I could get my money back. The networking opportunities are OK, but you never know what you are going to get – could be someone who does security, could be a sales executive – could be Joe Sixpack. I’m seriously looking at where else I can invest my own and my company’s money for those few events we attend each year.

The second thing that showed up for me was how many vendors advertise that their product will make compliance easy. Do people really buy this stuff? Coming from my perspective, a relatively new InfoSec guy in a smaller organization which has never had a formal security organization, there is nothing easy about compliance. I’m sure all these products do their part to make the laborious tasks of collecting data, auditing data, and enforcing controls a little easier – but do they make the entirety of compliance with something like PCI or SOX easy? You know the answer. What about making things secure!? Is that any easier?

What I saw very little of at RSA was companies who make testing easier. Testing and education are such a small part of these shows but such a huge part of making security successful. I say this because it makes sense to me, not because it makes anything easier. Testing, training and planning are all challenging things and not always all that exciting. It’s hard to have a 50′ booth with 1000 square feet of carpet dedicated to testing and education programs. People don’t buy that – but they should. At the end of the day, it’s your receptionist, your engineers and your janitor who have a better chance of keeping your secrets from walking out the door than your firewall. There are definitely tech solutions which are important and do good things. Defense in depth is important – but don’t forget about the decision makers. The folks who can ask “Who are you? Why are you here?” when someone is where they shouldn’t be. The ones who can question that phone call they just got and look for additional validation.

Checking a box saying you’ve done the right thing and an auditor has observed evidence to that fact is a good thing, but it’s not all there is – you aren’t done! I just hope people see through the hype of a show like RSA and realize security is about more than managing a massive infrastructure of tech tools.


Photo-op freaks people out – imagine that!

April 27th, 2009

Apparently the US government took advantage of clear weather and an uninformed public today to get some pictures of their shiny VC-25 with a few fighter jets. Unfortunately, the public didn’t appear to have been informed about the plans and assumed a low-flying aircraft might just be a bad thing.

If this is the truth of the matter, this is very sad. In a world where we ask individuals and businesses to be vigilant, to take terrorism seriously, and to trust our government to protect us – why would we literally fly in the face of that and taunt an already frightened public with a stunt like this? To get pictures? Hi guys – Photoshop, please.

We don’t like things like security warnings that you are supposed to click through because they desensitize people to threats – they remove the value of warnings when a threat is present. In this case, I’m not so sure how much you can do if another 747 is actually intent on hitting a building, but let’s not tell people that they should spend any time at all debating whether or not it’s another government photo op.


The not so technical security problem – people.

April 10th, 2009

I attended the Rocky Mountain Information Security Conference a few weeks ago and out of the whole deal I think the most significant insight I got was from a talk by Chris Nickerson of Lares Consulting. The talk speaks for itself, and I’ve included it below. Chris and his team are awesome and fun to hang out with too. If you have 45-60 minutes to watch the video below, it’s worth your time.

Chris Nickerson – Layer 8 Attacks, Social Engineering

http://www.infoseczen.com/layer8.flv

The possibly less obvious thing that occurred to me after listening to this talk was that in this time of tight budgets and changing attacks, our best avenue of counterattack may be user education. I’m a little mixed on this though – while I know that the day-to-day decisions which really impact your organization’s security happen at the individual level, I’m not sure how much you can improve that situation through user training. Some folks just don’t get it. That said, if you can enroll everyone (OK, 80% of ’em?) in understanding the ways an attacker might enter into what they *personally* do every day and take advantage of them, can they make a difference? I bet they can. As always, defense in depth is important here too.

The challenges of training users go beyond budgets & technology into areas where plenty of InfoSec folks are probably less comfortable – marketing, politics and process.

Marketing – Get a message to folks that helps them understand why this matters to them. What can they really do? A lot. Tell them what those things are!

Politics – Sorry guys and gals, politics goes with InfoSec like grease with mechanics. It’s a necessary evil, but it is what eases the movement toward bigger change.

Process – Training & testing. Policies and documents are great – but when Vinnie drops by the front desk to con his way in, nobody’s looking at a document to figure out how to respond. Training raises awareness, & nobody wants to be “caught” not responding appropriately. It takes time, but all those testing failures should lead to more interest in training. This, I think, is where the rubber meets the road.

Chris is teaching a Social Engineering course at ChicagoCon – hopefully we’ll see more of this stuff going forward.
