– Staff. Don’t skimp on quality security staff. The anchor of any security team is the skill, talent, and enthusiasm of the top players. It is ok to have some lesser-skilled players or interns. They help provide perspective, an ability to allow senior staff to mentor, be mentored, and possibly do the things that you’d hate to have a $100k staffer do every day like cruise logs or something. In addition, be liberal with their training opportunities, both on and off the books.

– Operate the team as an advisory unit, a monitoring unit, and an active penetration team. Basically, don’t just watch for breaches or react to things already done. Be an internal consultation team for developers, sysadmins, or others who would like or need more guidance on security issues. The team should also be able to and allowed to do planned and unplanned security audits and penetration tests against company assets. It’s not just about implementing, tuning, and addressing trouble tickets about a host-based firewall on desktop systems, or auditing the systems through a central mgmt interface to ensure exceptions aren’t being granted by non-security-minded desktop staff. It’s about helping the business as a whole.

– Be given autonomy and authority in the company to make recommendations, on par with a high-level consultancy. If a security team expects an application to be built securely and offers proper assistance and knowledge to the app team, they should expect to have their concerns addressed reasonably, rather than what often turns into a mgmt political battle or simply ignored demands. It needs oversight over the company assets and IT, really.

1. No Big Box Tool beats a good admin, but we’re obsessed with the Big Box Tools. I’m not a big fan of all-in-one-boxes or UTM or centralized SOC-in-a-BOX. On one hand, I really like the power that tools have been getting in terms of analyzing and collecting data in one place. Sadly, I don’t think any single box performs better than other smaller tools being used wisely by a crafty admin to achieve the same goals. There is a certain watering down (each piece is lower quality compared to specialized tools) and dumbing down (take the analyst away from the guts long enough and he’ll only know how to work the GUI and not dig deeper manually) and feature-bloat (try to pack every option that 10,000 companies will use but no company uses half of them at once) to big boxes that simply cost in terms of quality. The real key here is whether you have a crafty admin with the time necessary to wisely wield those surgical tools. Instead, we too often take the quality hit to save some money…

2. Not enough time. In our American culture, we have this obsession with milking productivity from our workers. We demonize leisure time, personal time, even vacations; maybe not openly, but we insinuate that anything less than 100% is bad. This trickles down into IT staff who have little free time to improve their situation beyond rushing from one fire to the next, or one project to the next. You know you’re in this situation if you’re doing task A, notice that issue X is occuring just because you happen to see it, but know you won’t ever get to it and so just leave it. Security cannot be improved when time is booked. Either you don’t have the time to properly tune tools, investigate alerts (we’ve all had days where 1 alert takes 1 hour and days where 1000 alerts takes 5 minutes), do simple audits to verify security, or keep on top of current news. Let alone the mistakes that will be made due to the pressured time-boxing… You want to improve security? Improve the time your staff has to find and make enhancements. Anything else just means everyone relies on the audits and only does what is prescribed at the time. (This also means your staff needs to be enthused about security, and not just use their extra time to surf YouTube. If you don’t have enthused staff, then replace this item with : People who don’t hire enthused staff!)

3. Too many people still believe ignorance (or ignoring it) is an effective security strategy. I’m borrowing this straight from the article I just posted about earlier, because I think it is an epidemic (pandemic) problem. That noise coming from your engine? Yeah, it’ll go away, right? It wouldn’t happen to us! I think ignorance and human habits of ignoring problems is a real issue. I understand that some risks are accepted and not every problem absolutely needs resources pushed at it to solve it, but collectively we’re sucking with even the basics of digital security. (I think most organizations scope-limit their auditors from half the stuff that is wrong.)

4. Convenience trumps security, or, security is never as easy as it sounds. There are a few tasks that sound easy but illustrate exactly how time-consuming really managing security is: data classification company-wide, account oversight and review, file server permissions audits, knowing exactly what data is where (yay laptops!), log reviews, and change management. Convenience trumping security is a more appropriate way of saying functionality over security.

5. We want security now, for free, and to last for years without further inputs. How many PCI projects have we collectively seen that have deadlines? And after that deadline, PCI (or security) is considered done and the consultants/contractors let go). That’s a win for sure!

2. We also have this need to give quick representations of our risk or compliancy to management, often in the form of scores or grades.

I think these ideas should be combined “mashed up.” Screw the grading scale of A, B, C, and the levels like high, medium, low.

Imagine: You walk into the board room with several managers and execs. They get around to asking you how the company looks as far as compliance to PCI and/or your desired security level. You stand, flip open your notebook, and pull out a card the displays this picture:

seal clubbing

I don’t have to give details, I think it speaks for itself: STATUS BAD!

Here are some more examples of compliance status levels.

There are no correct answers to these topics! That is probably why opinions in these discussions can be very passionate and even violent! Sometimes in certain properly bounded contexts, there are correct answers, but mostly not.

(Late update: Personally, the more I listen to Chris Nickerson, the more I appreciate his frank opinions and where he has his head. It’s in the right place, and while I know he can have an acerbic sense of humor to some people, he’s increasingly one of those voices worth listening to if he tells you something.)

1. exploit vs not exploit – I’m not sure this topic was given its fair due, but I’m not sure everyone was on the same page in the discussion anyway. Andy Willingham gave this the once-over already in a blog post. The topic brings up good questions on what you do on a test and what is actually meaningful. I notice I didn’t really weigh in on this topic, and honestly the view from the fence is fine for me and probably reflects both my security and operations sides.

2. SMB vs large enterprise – There is a big gap that is hopefully becoming less the elephant in the corner and more one of the usual voices in the conversation. The world of the SMB in security is dramatically different from that of an enterprise or a city-state-nation. Approaches that work for large enterprises can be ridiculous for SMBs, and vice-versa. I think it matters that this came up multiple times. This still needs to come up, and the topic deserves a month of posts in itself.

3. properly presenting findings/recommends to a business – I’m finding it hard to word this topic, but it really runs the gamut of how you present security to an organization. And this digs at a very sensitive topic: security aligning to the business. I sympathize with all sides to this discussion. You could give the security teams and CSO their highly technical reports and let them distill it down to what is relevent. Or you could align yourself with the business and report your findings directly to someone like the CEO, in the CEO’s terms. Honestly, maybe pen-test teams need to have both capabilities and have that project manager/lead who is the one that acts as a temporary CSO in the absence of one. This is a great topic, by the way, and I think really demonstrates the art and the versatility today’s security experts need to have; both the technical chops and the strategic chops and the ability to know when to use each.

4. “good enough security” – I think it was Mick from Pauldotcom that brought this up, and it didn’t get enough treatment, although I think this is also just as passionately divisive a topic as any. When you accept that there is no ultimately “secure” state, or there is no “win” in security, then you really do subscribe to some form of “good enough security.” Where that proper line is drawn is really the art of risk management, and that line is probably far lower for SMBs than large enterprises. Security pros these days have to be able to get into the mode where it’s not just about violently defending every little insecurity, but about recognizing each issue as part of the whole. Bad password policy? Fix it!! Outdated SSLv2 cipher on an internal app that is 5 years old used by one team? Consider letting it slide. (Side note: This is where lack of real security chops can bite many people in the ass. It is inevitable that non-tech people will look at issues presented and demand fixes for each one, even the “low” priotity ones. This creates wasted effort and inefficiency…and so on.)

5. privacy differences between europe and the us – I thought this was an excellent question by Nickerson to spark some conversation on a topic I hadn’t really dwelled on before. Because Europe has a different emphasis on privacy for people, they have an entirely different mindset in regards to security in organizations. Not saying it’s all good, but the difference can be useful.

6. listening to internal security experts vs paying someone outside the company to say the same damn thing – Good point on this topic, and I think every penetration tester or consultant or third party needs to not just work to align with the business and talk in a way the CxO understands, but also empower and support those internal persons who make security happen. Recognize and empower (and not undermine!) the talented security folks out there. Build networks, exchange advice, encourage; don’t have an antagonistic relationship with them, plop down some mysterious report on a CxO’s desk, then walk away briskly. Try to change the way the CxO views her internal support staff so that we can Get Shit Done. But yes, it really, really sucks when a CxO pays top dollar to get a report that says the exact same thing I may have been saying for years.

In WoW, and really any other RPG game, there are a few key tenets to making the most of your effort. Surprisingly, these tenets can match exactly across to real life endeavors. And every time I put forth some effort to improve one of these tenets in WoW (leveling up a toon, making some gold…), I’m reminded of the opportunity cost of putting that effort into something more tangible like my security career. (Don’t get me wrong; I’m a lifelong video game hobbyist, and I’m not saying video games are useless, but it shouldn’t dominate one’s time, just like any other hobby pursued in leisure time!)

So if you find yourself stuck in an MMORPG gaming rut, start looking to translate that effort over to something useful in security. This may start with asking yourself what it is about gaming that is relaxing, and why security does not bring that same relaxation. If it relaxes, stimulates, and makes you happy, then your free time will be spent in it just as casually as a 4-hour trip into WoW.

1. Knowing your class. From here I was going to go into knowing your skills, strengths, and weaknesses. In WoW, a warrior class doesn’t try to heal, and translate that into security skills and roles…somehow.

2. Grinding (aka leveling up). This is pretty basic to any role-playing game: your character gets stronger the more experience he gets, aka “leveling up.” In gaming, “exerience” is usually a value, even if it is hidden behind the scenes, which accrues as you fight and kill monsters. As your experience increases, you gain more power, and can tackle more powerful monsters, which will gain you experience…and so the hamster wheel begins to turn. A more physical version of this is lifting weights and slowly increasing your limits as your muscles and supporting structure build and grow.

Sometimes this is a “grind.” “Grinding” in WoW means the slow cycle of killing monsters and doing the same ol’ quests to gain your experience; basically it becomes a long, boring grind…kinda like work!

Growth in a security career comes much the same way; the more experience you have, the better you are able to handle the challenges in front of you. Often, this is gained by simply doing security-related things. The more nmap port scans you run, the better you are able to tackle complex scans. The more you use Metasploit to expand your empire, the more you can dig into the lesser-known components of the tool and not get bogged down on strange gotchas. The more PCI audits you do and reports you make, the better and quicker you get with them, and the more value you can provide efficiently to your client.

We often don’t have an end goal in sight, but rather know that we simply want to level up.

3. Leveling up tradeskills. WoW has what are called “tradeskills.” These are skills you build up by doing that activity. For instance, Fishing and Blacksmithing are two tradeskills. You can fish better and do blacksmithing activities better by, well, doing them in the first place. For something like blacksmithing, the higher your skill, the better your opportunity to make really cool and valuable things.

In other words, if you want to be good and useful at something specific, you have to practice it and get better, especially when it comes to various skills you want to acquire. Unlike leveling up, most often this begins with an end goal in mind, for instance, being able to use a particular skill to create/do XYZ which will gain you money or notoriety.

You want to be good at public speaking? You have to do some public speaking. You want to be good at coding exploits? You have to code some exploits. You want to be good at picking locks? Obviously, you have to pick some locks. (Nicely, WoW has a lockpicking skill you can build!)

And just like starting out your skills at a puny level in WoW, you usually start small. You do some low-key public speaking. You walk-through an exploit tutorial. You pick training locks.

So if you want to be known as being good at some tools or aspect of security, you gotta practice it and build up your skill. This isn’t so much a part of your character and confidence like leveling up your character, but more like being good with the tools you have and want.

In WoW, you can leverage these grown “tradeskills” to make in-game money so you can buy cooler gear and weapons. In real life, well, these skills will get your nice REAL things.

3. Gearing up. In WoW, your character’s success relies more on just his level (aka amount of experience earned). Success, especially as you get further into the game, resides very much in the gear and equipment you’ve acquired for your character. You won’t be very successful with a low level sword, but if you find a badass high level sword which you can use, you’ll be nicely ready to do some damage to the next red slime that oozes your way. Gearing up means a few things. First, giving yourself a chance to get/buy/find the gear. Second, knowing what gear is useful to you.

Security careers have the same dilemma. Some tools are going to be useful to you, but some will not.

Strangely, WoW doesn’t have unlimited inventory space for you to keep 1000 pieces of gear. In life, you really don’t have the aptitude and time to likewise hold onto and learn 1000 tools. Figure out what you need to improve, and pursue the tools that will help you succeed in your goals.

WoW players can put a ton of time into picking out, pursuing, and testing out their gear.

Oh, and don’t forget that you can get a bit literal with “gearing up.” A nice pair of slacks and a tie can increase your chances of getting what you need out of management, at times.

4. Socialization. The “MMO” part of the MMORPG genre means “massively multiplayer online,” meaning you’re playing with lots of other actual people around you. You can spend your time in a game like WoW and neven bother with anyone else, but you’ll only be able to learn on your own only so far, and you certainly cannot see most of the end-game content and challenges unless you socialize to some degree. Most often to experience end-game content, you have to join a guild (a group of players, much like a team) and start participating in group runs through tougher dungeons.

Obviously, careers are the same way. You can probably get by on your own for quite some time, but there will be many doors you simply can’t open or even get near without socializing with others in the career. Whether that is simply networking to find new opportunities, gaining contacts you can turn to when you need assistance, or finding smart people from whom you can learn new skills and knowledge. Better yet, this also means socializing with people more “newb” than you are; which gives you a chance to reinforce your own knowledge by regurgitating it to others to help them.

1. The Information Domain is manmade, and it is a domain where we can change the landscape, not be bound to changing for it.

2. We’re short-sighted, rather than long-sighted. We tackle immediate hurdles rather than perform city-planning.

3. Need to change from short-term fixes to long-term strategy.

4. 3 ways: leadership, research, information sharing.

5.Leadership: No one is jumping to save us. We need to lead the way.

6. “[Businesses] need to care much less about being compliant and more about being fundamentally secure – or if you prefer having better visibility into real risk [to the business, not necessarily to an asset].”

7. Too much of what we measure is point-in-time.

8. As infosec pros we have let compliance initiatives drive spending and have ridden along for the ride.

9. We lack the knowledge of the business and how to apply what we do in a meaningful way to the business. I still find this an arguable point. In some cases, the business needs to understand IT (and security) more to better understand business continuity… Nonetheless, this is usually the weakest point in topics like this, not because it is not true, but because it is arguable and situational. Can we always convince business to treat security more aligned with the business or part of the core business line? No. How often are we satisfied that security is good and top notch? Not often, if ever.

10. Vendors fall into the hole of non-innovative solutions that are just meeting our needs, without pushing forward. Vendors ned to be thought-leaders. In turn, vendors need to listen to their customers and deduce their actual needs. Consultants need to listen better. Vendors are in the same boat as internal security experts: trying to sell the idea. It would be far easier to be thought-leaders if security weren’t already perceived as dragging ont he heels of innovation and itself being drug into the boardrooms by breaches/regulations. Huge point about consultants!!! Need to listen better and the industry needs to ditch or teach the charlatans.

11. Get past the “way its been done.”

12. Research. We need to support research. Research should be revolutionary, not evolutionary.

13. Information Sharing. Collaborate with industry competitors.