For nearly a year and a half I’ve been working to build the InfoSec program at my current company. This company is a late stage startup, but still a startup. This has been quite a challenge and I’ve learned a ton in the process. Some of the most important things I’ve learned:
- It doesn’t really matter what you think until you prove it. Analysis and understanding are more valuable than a thousand educated guesses.
- Key to understanding your risk is understanding your business, what assets are key to your business, and working your way through those from most critical to least.
- People do care about security, they just don’t think about it. Security in a startup isn’t as in your face as other problems like finances, availability & growth. You have to find ways to tie security to those things and it’s not easy. This probably doesn’t just apply to startups.
- To be in security, you must have patience. Lots of patience.
With these lessons learned, it’s time for a new chapter at a new company. I’m not leaving security but my role isn’t going to be only security. I’m taking a bit of a step back to what I really have enjoyed in the past – fixing & building infrastructure. I’m walking into a company with some pretty significant challenges and I’m actually pretty excited about it. After a few years of management, I’m ready to get my hands filthy again.
This blog may evolve a little, but I’ll keep rambling here about security stuff and probably other things. I’ll still be “the security guy” at the new place – but I’ll also be “the network guy”, “the systems guy” and probably 15 other things. This is what I do – I put myself in difficult situations & do my part to improve them. I’m pretty proud of what I’ve done in the last 1.5 years running a security program – for a guy who’s never done that before I think I made good progress. If nothing else, I got some good typing practice…
And since I love quotes:
“The follies which a man regrets most, in his life, are those which he didn’t commit when he had the opportunity.” – Helen Rowland
Here’s to no regrets…
This is another of those posts to my internal corporate blog that I figured may have some use to the larger community, so I’ve re-posted it here. The goal is user awareness and arming people with information, as well as keeping these issues top of mind when they become more common.
If you have comments, other resources for information about these attacks, or see something in this note that doesn’t quite look right please let me know – I always appreciate feedback.
It is probably one of the hardest parts of our job as security professionals – presenting security issues & the potential impact of risk while not becoming an easy target for dismissal by critics. Indeed, if your day is anything like mine, much of your time is spent justifying our assertions that problems do indeed present a risk that the business should care about.
It was this that came to mind as I read a post over on Tim Ferriss’ blog calling out a letter written by Dr. Martin Luther King Jr. The post describes the circumstances of the letter and speaks for itself regarding what can be taken away from its reading. The skills & posture used in this letter are things all security professionals (and really, all professionals) should learn. The letter is long, but even if you don’t read the whole thing Tim has highlighted (in bold) certain sections which stood out for him. The ability to acknowledge an argument and calmly disarm it with facts is a skill that takes practice – but this letter stands as a fine example to get you started.
How to Respond to Criticism – Learning from Dr. King
I’ll cite only this short bit at the end of the letter:
Never before have I written so long a letter. I’m afraid it is much too long to take your precious time. I can assure you that it would have been much shorter if I had been writing from a comfortable desk, but what else can one do when he is alone in a narrow jail cell, other than write long letters, think long thoughts and pray long prayers?
If I have said anything in this letter that overstates the truth and indicates an unreasonable impatience, I beg you to forgive me. If I have said anything that understates the truth and indicates my having a patience that allows me to settle for anything less than brotherhood, I beg God to forgive me.
This year at the RSA Conference a few things showed up for me. First was the real lack of value the conference brings to anyone who is truly interested in security for the sake of making things secure. RSA is jam packed with vendor presentations, flashy displays, and watered down keynotes. I walked away wishing I could get my money back. The networking opportunities are ok but you never know what you are going to get – could be someone who does security, could be a sales executive – could be Joe Sixpack. I’m seriously looking at where else I can invest my own and my company’s money for those few events we attend each year.
The second thing that showed up for me was how many vendors advertise that their product will make compliance easy. Do people really buy this stuff? Coming from my perspective, a relatively new InfoSec guy in a smaller organization that has never had a formal security organization, there is nothing easy about compliance. I’m sure all these products do their part to make the laborious task of collecting data, auditing data, and enforcing controls a little easier – but do they make the entirety of compliance with something like PCI or SOX easy? You know the answer. What about making things secure!? Is that any easier?
What I saw very little of at RSA was companies who make testing easier. Testing and education are such a small part of these shows but such a huge part of making security successful. I say this because it makes sense to me, not because it makes anything easier. Testing and training and planning are all challenging things and not always all that exciting. It’s hard to have a 50′ booth with 1000 square feet of carpet dedicated to testing and education programs. People don’t buy that – but they should. At the end of the day, it’s your receptionist, your engineers and your janitor who have a better chance of keeping your secrets from walking out the door than your firewall. There are definitely tech solutions which are important and do good things. Defense in depth is important – but don’t forget about the decision makers. The folks who can ask “Who are you? Why are you here?” when someone is where they shouldn’t be. The ones who can question that phone call they just got and look for additional validation.
Checking a box saying you’ve done the right thing and an auditor has observed evidence to that fact is a good thing, but it’s not all there is – you aren’t done! I just hope people see through the hype of a show like RSA and realize security is about more than managing a massive infrastructure of tech tools.
Apparently the US government took advantage of clear weather and an uninformed public today to get some pictures of their shiny VC-25 with a few fighter jets. Unfortunately, the public didn’t appear to be informed about the plans and assumed a low flying aircraft might just be a bad thing.
If this is the truth of the matter this is very sad. In a world where we ask individuals and businesses to be vigilant, to take terrorism seriously, and to trust our government to protect us – why would we literally fly in the face of that and taunt an already frightened public with a stunt like this? To get pictures? Hi guys – Photoshop, please.
We don’t like things like security warnings that you are supposed to click through because they desensitize people to threats – they remove the value of warnings when a threat is present. In this case, I’m not so sure how much you can do if another 747 is actually intent on hitting a building, but let’s not tell people that they should spend any time at all debating whether or not it’s another government photo op.
This article is interesting and correctly points out something which I think is often missed when considering the risk of moving applications into the cloud. What do you do when there is a platform vulnerability which the provider is not addressing?
A day or two ago I was building one of the Pirateology wooden pirate ships with my son and, thinking a bit about some of the policy creation tasks I have on my plate, I found some similarities I thought would be interesting to share.
These construction kits were new to me in their method of construction. You would get a sheet of mostly pre-cut pieces that you had to first number according to a paper that comes with the set. The numbers are placed where the pieces interlock and you then construct the ship in numerical order. This provides you with some guidance but really, all you have to go on is the following:
- A single view of the ship on the front of the package
- A pile of shaped pieces of wood which you can associate with parts of that picture
- The numbers on the wood to tell you what pieces intersect with each other and the order of assembly
To me, this left quite a bit to the imagination; maybe that was the point. Regardless, I was able to assemble the ship with a bit of analysis and experimentation. That got me thinking – if I felt like this didn’t provide me with much guidance then why am I so comfortable creating process and policy where there was none before? It’s not really a mystery – the answer is that there’s more of a framework already in place than we realize, which is where the similarities started to appear for me.
I just received an email from VMware regarding this problem they unintentionally released in a production version of ESX & ESXi. The problem causes Virtual Machines running on this version of ESX to fail to power on after a particular date – today.
Have you checked to see what public sites are down today? Anyone who is diligent about updating ESX just got screwed big time. Now, if you make the assumption that any site which is down today and recovers shortly after VMware releases an update is running ESX – you probably can guess even what version they are running exactly.
Combine this with the increased focus on hacking virtualized environments, as evidenced by all the news coming out of Black Hat & Defcon this year, and you should be very concerned. These are not products which have yet seen the scrutiny that platforms like Linux & Windows have had over the years. Seems like a dangerous time for someone to know exactly what version of VMware you are running.
Update: I didn’t realize originally that this only impacted the startup of a VM on ESX. Sites would have to power off a VM for this problem to surface apparently. It’s not likely that many (reputable) sites would power off all of their VMs before realizing this issue existed.
In recent years I’ve become a huge fan of SaaS based applications. I’m not only interested in this architecture for my career but also for the tools that I use every day. I think Google’s suite of tools is great for the most part, I think Amazon EC2/S3/SimpleDB/etc are moving in a very interesting direction and just today I see that just about everyone is getting into the game. But what assurance do I have that my data is still mine? Nobody wants their data locked into a particular service provider, yet there is no huge push to ensure it isn’t.