mean what you say

Ever notice how people say things like, “Thank you,” in weird situations?

Customer: “Could you help me with this return I have?”
Retailer Geek: “Actually you’ll need to go to the front desk over there.”
Customer: “Cool, I’ll do that.”
Retailer Geek: “Thank you!”

Wait, what? People say things like “Thanks” when they’re not the ones getting anything out of the exchange. It seems almost like a reflex response that is meaningless. Or maybe it’s a way to fill the space when one doesn’t have a real exchange to make in a farewell/closing situation?

I actually, genuinely try to always be conscious and non-rote in my responses in this regard. I actually take mild offense to people who have these unthinking habits of saying things like, “bless you,” or “excuse me,” or “thank you,” with zero actual conscious effort to do so. To me, that steals the meaning entirely away.

from lee & mike: common traits of future infosec leaders

Lee & Mike often have excellent insights into the job search of a CISO, and I liked a recent blog post of theirs enough to point back to it (even if, I would argue, the original question wasn’t really answered in an actionable way): “Common Traits of Future Information Security Leaders.”

In very brief, you could sum this up even quicker with: attitude, enthusiastic learning, good relationships with people, willing to fail, and aware of themselves. I’d also suggest that, between the lines, Lee would also say that successful CISOs take an active, deliberate approach to handling their career path and job/goals.

As a non-CISO, I would offer to the original question a few tips:
– be active and skilled and friendly in your current role, i.e. you leave smiles in your wake
– walk and talk the part of the next step you want for advancement (team lead, senior, mgr…)
– find out how the business works and what business/managers want to hear when talking about your role/duties/projects. You don’t make sure the network operates, you make sure that the business can deliver quality service through technology…
– consciously pick tasks/roles/projects that make you visible to the rest of the business whenever possible; be aware of “project management” skills during them
– be the knowledge expert in security and how it relates to the business
– delegate recurring, menial tasks and make sure your own duties are documented enough that someone “lower” can take them on while you slide yourself upwards
– make your career goals known to your immediate boss (or HR) in a friendly, but firm way
– pursue certifications as you can, but at a digestible pace
– network in your area with like-minded persons (formal security groups or even informal bar-crawls)
– network in cyberspace as well, where you can almost certainly sound more senior than you really are in a current position! 🙂
– be ready and willing to move on to another opportunity

My goal in those suggestions is to move from being a person in a technical role to being a person in a technical role with aspirations and skills and desire to be in a managerial/lead role, thus getting started on the upward track.

obligatory wow cataclysm update

Every now and then I’ll indulge myself a WoW update on this blog, and since Cataclysm was launched last December, I may as well get this out of the way now. I am still not a raider (retired after Hyjal/BT), but instead just play 5mans and other fun things in my (lvl 12) guild. I will say, however, that with Cata’s approach to more casual raiding, I’ve been tempted to start in again, but am so far successful in resisting. Besides, 5man heroics are fun (difficult) enough as it is, and they should keep me entertained for some time.

With the recent game changes, I’ve found myself really stoked with the new challenges and the fact that even 5man heroics can’t be run on autopilot, even by DPSers. Since I am typically a heal class, however, I don’t like that I actually *depend* on DPS not fucking up. That’s new, and taking some getting used to. But overall, I really dig the new play mechanics (triage healing) and group mechanics. I love that it really takes some awareness for all classes to play now. Wrath 5mans were too quick, too easy, and just one good player could carry the whole run, with minor (ICC 5s) exception. Cata has brought the difficulty back!

My main is an 85 Resto Shaman who dabbles as Elemental now and then. He has taken quite well to the recent changes. In fact, I was never a haste whore even when haste started actually getting interesting back in late BC, so focusing on mana efficiency for Wrath isn’t so new to me. My philosophy has always been: I’m useless as a healer if I don’t have mana. So now he fits in nicely and currently heals 5man heroics. I’ve also always been a “busy” healer, so keeping busy in Wrath mechanics is second nature already. I love moving from UE/RT/HW neutral mode up into bombing some bigger heals out as needed and letting HST top people off while I regen mana with LB. This is my only toon currently running 5man heroics. (Yes, even PUGs, when not in guild runs which are vastly easier!)

My Disc Priest was a surprise when he Smite-ground up as my second 85 character (leveling was easy as Disc…not blazing fast, but easy as pie). He also heals 5mans (AA spec, non-heroic so far) and just this week I’ve been dabbling in Holy as a second spec, just to compare and contrast that with the 2 sub-specs in Disc (PoH aoe heals vs AA). I didn’t expect to like Disc healing at 85, but so far I’ve really enjoyed the challenge and intricacy of managing Grace, Archangel, abusing Atonement/Penance, and otherwise leveraging the synergies of the new talents. As Holy, I’m looking forward to rolling Renews, which is a totally new playstyle from the past, and should be fun. Still, I expect to remain a Disc healer who can dabble into Holy/PoH-spam if necessary. This toon was my second toon back in vanilla and was a Holy/Fear-Ward-Bitch (ally dwarf) for BWL runs, so has always been heals.

My old main, my Warlock, is still sitting at 81, but in what little time I have played him since Cata hit, I’m stoked about leveling him up for 5mans sometime soon. Leveling with Soulswap is outright fun, and rolling DoTs on everything (Affliction) has been the way I played since vanilla WoW. All is good in the face-melting DPS department, whenever I get around to him again.

My DK tank is still 80 and I have decided she will be one of the last toons I get to 85. Not only is it asking a lot to master yet another new playstyle, but I don’t have much desire to get yet another toon up into 5man heroics yet. If I did, I’d have to relearn tanking (though it’s not as bad as most think it is) or figure out how to DPS on her…

My new Worgen is 36 right now and a baby Druid bear. I may in fact tank on this toon before my DK, assuming I get him leveled up someday. Leveling him up with a good friend of mine who runs a Priest Worgen.

the it as a business trainwreck

Bejtlich recently posted about an article on the trainwreck of running IT as a business. I suggest reading it with his emphasized points, and then reading the original article on InfoWorld. I’m tempted to repost the entire article, just because it is that thought-provoking; a bit of a surprise for rags like InfoWorld, which makes me scared that they may find this rogue article and remove it!

Seriously, read the article. Everything below this point is really just rewording the points Bob Lewis makes and Bejtlich emphasizes.

The article is chock full of good points, and I myself am in a company where IT is mostly run as a separate business silo where my ‘customers’ are other internal employees. Of course, this turns us into a utility company that is not necessarily being innovative and ahead of the curve, but rather increasingly pressured to reduce (or chargeback) costs and keep things flawless (classic negative conditioning). This also makes us captive to the culture of “the customer is always right,” or “give them the pickle.” (We’re not children anymore; the customer is not always right, and it’s only ok to give someone a pickle when their pickle request is reasonable.)

Likewise, we shouldn’t be fighting against the business initiatives, but that is often how it feels. And it feels that way because our internal “customers” make requests/demands of us similar to how customers make often unreasonable demands of their vendors. It’s a disconnect. Not a communication disconnect, but rather a disconnect in the concept of shared ownership that comes from being all part of one business (which is ironic considering we’re employee-owned).* If we weren’t conditioned by the business to be risk-averse, we’d likely be on top of or already doing some of their requests!

Then again, maybe this whole article’s idea about how bad “IT as a business” is, is itself a product of even more pressure on IT budgets and cost. What better way to eliminate that pressure than by putting it on the shoulders of the whole company? Or it may be saying, “Help me, help you.”

I really love this part, and it is something I live through weekly, especially with how closely I work with our internal IT and developer teams:

“Or try to explain your file and print server hosting rates. It doesn’t matter that part of that rate is full backup and off-site storage. Or as part of a clustered environment you have built-in redundancy and that ensuring the server is updated and secured appropriately is part of that cost. Their friend Joe hosts these things on the side, and it is much cheaper.”

When IT is a business, selling to its internal customers, its principal product is software that “meets requirements.” This all but ensures a less-than-optimal solution, lack of business ownership, and poor acceptance of the results.

Other IT persons (developers, largely) are notorious for this. The classic example is, “Why does storage cost so much? I can go to Best Buy and get a terabyte on an external drive for $100.”

In fact, I would go so far as to say that this whole problem of being an internal customer is compounded right now with the consumerization of IT; i.e. the influx of Apple products, mobile devices, cloud-based storage (which is just an “enterprise” way of saying “on the web” for most of these services), and outside hosting/solutions. This is why we’re losing this battle suddenly: the “customers” are making the recommendations and demands, not IT. IT is trying to avoid more black eyes, delivered as a result of being a “separate business.” (Managerial personalities can make an impact as well, especially those who refuse to ever be wrong, even when their requirements are horrid.)

If I had to nitpick on the original article, it would be its assertion that this whole “IT as a business/chargeback” issue is a product of the outsourcing industry; I don’t think that link is so clear. I think business largely doesn’t know how to handle IT as an integral part, so the default behavior ends up fitting the “IT as a business” model: budgets are constrained, IT managers are pressured to justify costs, and so they chargeback as a way to illustrate who is costing them what. This is a top-down problem; not a sideline/outsourcing problem.

* What is even more ironic is the effort to force more innovation into the business over the last year. While I think it is wrong to “force” innovation and make it a requirement, it is even worse to try to do so in an environment where risk-averse actions are rewarded. This is a whole topic in itself…

you compared how many web app vuln scanners?!

Shay Chen is apparently a “sec tool addict.” As such, he’s taken the time to compare a huge list of web application vulnerability scanners and present his findings. This is way too huge to digest quickly, so I won’t speak to his accuracy (even if I could spend the time to do so!), but this report can serve several purposes, not the least of which is a very long list of tools to use and abuse in web app security. Hopefully he has somewhat valid results. I expect most tools have a sort of give-and-take when it comes to detecting vulns and being useful. It would be folly to try and rank them against static tests, as I’m sure you’d need a blended approach to get the best chance at high coverage. (He basically concludes as much, if you scroll down far enough.)

quick security livecd roundup

Seems to be a bit of a renaissance of security-oriented livecd distros floating about. Somewhat exciting since the long-past days of things like Phlak, Knoppix-STD, and some other one that had some green in it, was also an acronym, and included the letter “G” somewhere…I forget.

SamuraiWTF has been updated!

SecurityOnion has been updated!

DEFT will soon be updated!

BackBox is new?

Blackbuntu is new?

For any other ideas, check the livecd menu category to the right. Yes, I’m missing some like Helix or Nullbound. I just don’t always feel right grouping [off-and-on] commercial offerings under the ‘livecd’ category. Others like Russix (wireless-oriented livecd) seem to be MIA.

valsmith on the evolution of pentesting

To welcome in a new year, trundle on over to read a recent post by Valsmith on how “penetration testing is rapidly becoming obsolete” (and read the great comments). Yes, this topic has come up in various forms the past few years, but too often those claims are made by analysts or people who aren’t actually doing the tests. Or if they are, what they’re really saying is, “Pen testing is changing from how we knew it.” I think Val’s post is more coherent than most.

I’d ramble on more about it, but it’s all been said before! I will just say that there is still going to be a market for people who can parse the security results and go the extra mile to produce real value, inclusive of pen testing. If you think IT/Ops can interpret and handle even today’s automated scanners, log managers, tools, vuln scanners, web app firewalls, and DLP auditing…you’re not living their reality. That sort of approach is usually called “lip service” or compliance-oriented security. Seriously, how many auditors still miss the obvious things or get bamboozled when confronted with too much technical smoke and mirrors?

the motivation of security talent

Just wanted to point back to a post from Bejtlich, specifically talking about a recent Tweet of his:

Real IT/security talent will work where they make a difference, not where they reduce costs, “align w/business,” or serve other lame ends.

That doesn’t mean security shouldn’t align with business and all that jazz, but those items are not really the goal of anyone with half a good mind in security. They want to do cool things and make a difference. They’re passionate, enthusiastic about security, hacking, and defense. Who gets enthusiastic about aligning with business or reducing costs? Yes, some people do, but I think there is little intersection between those people and badass security geeks.

boa reacts to possible leak threats

Funny how the tangible threat of action/leaks “possibly” against Bank of America has caused them to spring into action. Hopefully BoA is only ramping up internal investigating and not actually doing operations differently, otherwise that would beg the question, “Why weren’t you already doing x____?”

It’s also funny how much power Wikileaks has right now. Even simple short-term bluffing (if it only amounts to that) causes more security-enhancing work to be done than so many security professionals can dream of getting accomplished over years of internal risk evaluations that dance around full-on FUD alarms (execs and sec pros have different tolerances for where that FUD line lies…).

I really didn’t care much for Wikileaks vs governments, and somewhat wondered if it would stop there. Indeed, it looks like this may spill into large corporation realms, which interests me much more. This is a give-and-take topic all itself, and I’m resisting urges to opine about it further…

What if Wikileaks dropped hints it may be dropping data on your company soon? What are the chances of such data leaking?

What if someone you partner with is the next Honda/Silverpop and you suffer a breach because they suffered a breach?