hackers can cause physical damage to scada (duh)

New to read: H(ackers)2O: Attack on City Water Station Destroys Pump. That article is what it is, and I can’t add too much to it other than the note that vendors need to start looking out. To get into target systems, attackers are now going after the systems and access that vendors hold, rather than just directly at a target. RSA is a prime example from early this year. In other words, you might become a target depending on your clients.

Incidentally, this takes a very similar approach to classic espionage. (I’ve found this to be a common parallel with today’s nation-state-oriented attackers, i.e. The APT. We shouldn’t be surprised by any of this.)

social media adoption and no support forum? bad.

It amuses me when a business tentatively moves into the “social media/networking” arena and has really no idea what they’re doing. I’m no expert (unless you count ~20 years socializing online), so I’ll try to keep this to short bullet points on individual ideas. This has a bit of a Twitter slant to it…

I should add my inspiration. I was on a security vendor site and popped into their forums. Which hadn’t been used too much lately. I then ended up on some unrelated vendor’s site as well, and I popped into their forums. There’s something about support forums where I can do things like self-serve, browse other people’s questions and realize, “Hey, that works for me, too,” and post my own questions. Honestly, I love forums, and every time I see one populated with a good social presence from the business, I feel a happy pang of nostalgia (which is sad itself, since I still feel forums are far more effective than any social media whizzbang in the last 10 years). I then checked out their Twitter link on their front page, and was extremely let down by how Not Right it felt. One felt tended to with loving customer service hands, and the other with sanitized Not-With-It marketing gloves.

[Aside: I do have to mention that while I love forums, I have to say that they’re also N-O-T-O-R-I-O-U-S as security black holes. I think Valve/Steam can give the most recent lesson on keeping your public systems secure, segregated, and updated….]

1. If you’re on Twitter and point me to your Twitter account in some fashion, I will judge you if you have only 75 followers. There are many, many accounts out there that look for popularity, and if you follow them, they will automatically follow you back. This artificially pumps up your own numbers. While I will check for and judge you on that, it definitely helps you blend in and look busy to a casual glance.

1.5. Being a security guy, I will also judge you (and I will check!) if most of your followers appear to be your own employees. While honorable, it just makes me think you emailed your own employees to sign up and bloat your numbers. I’ll check how active your followers are (I bet they’re not, at all). And I will also make note how I would social engineer my way into your company with all this spilled knowledge and access to people. Be careful! (I can probably also assume the first few followers are the marketing team and/or people responsible. With context into what you do, my social engineering attempts can be very targeted.)

2. Don’t let marketing own and stifle the social media presence. Too often a business thinks social participation is only a marketing opportunity. That’s wrong. Adopting social media is a way to open communication between you and others on a personal level. It allows people who like (or hate) you to talk with themselves as well! And it allows you to provide customer service and support.

Think of it this way. Social interaction with outside people has been happening far longer than we’ve talked about “social media.” It has happened in things like web forums where users can sign up, ask questions, make comments, and otherwise form a little social community. This is often organic between users and support departments; not marketing.

Marketing too often thinks about marketing opportunities and forgets about the customer support opportunities. And, really, when eliminating the planned marketing stunts out of the equation, I would guess that most Feel Good Marketing Stories don’t come from marketing’s presence with social media, but rather good (surprising!) support offered through such. That’s not the marketing team, that’s the customer support team (which can arguably report to Marketing…). That’s also not part of some brand campaign, but rather day-to-day attentiveness and quality.

3. For the love of all that is pure and good in this world, don’t let your Twitter feed turn into a press release pipeline or megaphone for links to the corporate blog. At least feel like a real person is behind the username. That’s really one of the biggest failures: when the social media presence feels stuffy, artificial, and useless to the sorts of people you’re wanting to follow/like/engage you. In short: be interesting to the people to whom you want to be interesting. Don’t be safe, and square, and otherwise a stick in the mud. Flavor, mistakes, and opinions make us interesting people.

4. Embrace the anonymity of the Internet. Don’t force me to register to submit comments on your blog. Don’t force me to have a Facebook account. Just because I don’t want to share my identity with what is almost certainly going to be your marketing machine doesn’t make any of my opinions or experiences or needs any less relevant. Never, ever disparage one of the strongest pillars of Internet usage: anonymity. If you do, you immediately sound older than 50 and you shun a significant number of users. Unless you’re Facebook or Google+, where gathering this data is part of your direct revenue-generating business model, don’t do it. If you want to avoid embarrassment and Internet trolls, use moderation or people who can handle those types of discussions/situations (those people who are social media experts but would never call themselves such because they were around before the term).

sharing, sharing, and sharing some more

I’ve long been a proponent of sharing information about breaches and insecurity with our peers, so I liked a recent post by Adam over at New School… “Breach disclosure and Moxie’s Convergence.” There are two main takeaways for me.

First, if we don’t disseminate information, we can’t make breakthroughs like the one described for Comodo and Moxie. And no one else will learn from the mistakes of others, or the triumphs of others post-mistake.

Second, while it is important to “share” information especially amongst our peers (in a possibly controlled environment), it is a step further to actually be able to “publish” that information instead. For instance, it’s one thing to attend Infragard with an actual or just understood NDA in place, but another entirely to let the world know the information and be able to possibly action upon it.

While I will still always say we need to “share” information more, I’ll definitely have to keep in mind that the spectrum of sharing does have different meanings to others. The spectrum would look something like: private -> shared with a few -> shared with quite a few -> published. As long as we can share, it’s good, but it gets better as you move down that spectrum.

can’t help but be skeptical of mssp value

Rothman has a great post about why someone may choose a managed security services provider (MSSP), and the comments are excellent. I’d certainly read more about people’s experiences with an MSSP both from the vendor but also the customers.

I’m pretty skeptical of the value, but totally agree with Rothman’s bullet points on why you’d go with one. Really, I think there are good reasons, and the best might be offloading the lower hanging alerts and events to someone else, and then blending what’s left into internal staff (the hybrid approach). But I just have a lot of skepticism of the value that could be provided to anything but the smallest businesses and largest enterprises…or those that have an extremely big interest in being solid with security (e.g. banks).

My skepticism comes from the convergence of operations and security, where changes may influence security events and visibility. For instance, when IPS visibility is minimized because operations needed a SPAN port for a while. Or when the SOC team can’t investigate an incident properly because they’re an outside entity without any real access to the customer devices. Or when a network layout is changed which creates gaps that the SOC team has no chance to anticipate.

Part of my skepticism is also my distance from the tasks at hand as well. I often imagine an MSSP SOC as little more than a smarter, more efficient, but less powerful automated alerting mechanism. Sure my IPS and AV and SIEM can log and interpret and send me alerts on important issues, but what is my MSSP going to give me beyond that stuff in the first place? Are they going to decide that all that ARP crap on my network isn’t worth 10k false alarms a day? Are they going to know that all those UDP connections opening at 9pm every night are tied to a single automated SQL job? Are they going to know that a Slapper alert on my firewall is useless because I don’t run Apache, or vice versa?

It just seems tough to me to think an MSSP SOC is going to be very effective except against the most obvious stuff, and even then with lots of luck.
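The three examples above (ARP noise, a nightly UDP burst from a SQL job, a Slapper signature on a host without Apache) are all cases where local asset context decides whether an alert matters. The following is an added example, not code from the original post or from any MSSP, showing what a context-aware triage pass looks like when the in-house team encodes that knowledge: alerts that contradict the asset inventory or fall inside a known job window are suppressed with a reason, known-noisy signatures collapse into one summary line, and everything else is escalated. Hostnames, signatures, the job window and the thresholds are constructed for the example.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import datetime

# Constructed asset context: what the in-house team knows and an outside SOC
# often does not. Hostnames and services are hypothetical.
ASSET_CONTEXT = {
    "web01": {"services": {"nginx"}},    # no Apache here, so Apache-only signatures are noise
    "web02": {"services": {"apache"}},
    "db01": {"services": {"mssql"}},
}

# Known scheduled jobs as (host, protocol, start_hour, end_hour). Constructed:
# a nightly SQL job on db01 opens many UDP connections between 21:00 and 22:00.
SCHEDULED_JOBS = [("db01", "udp", 21, 22)]

# Signatures that only matter if the targeted service is actually present.
SERVICE_SPECIFIC_SIGNATURES = {"Slapper worm": "apache"}

# Signatures worth one summary line per batch rather than one page per packet.
NOISY_SIGNATURES = {"ARP spoof suspected"}


@dataclass(frozen=True)
class Alert:
    ts: datetime
    host: str
    signature: str
    protocol: str


def decide(alert: Alert) -> tuple[str, str]:
    """Return (decision, reason) for one alert using local context only."""
    ctx = ASSET_CONTEXT.get(alert.host)
    if ctx is None:
        # Unknown asset: nothing to suppress on, so a human must look.
        return "escalate", "unknown asset; no context available"

    needed = SERVICE_SPECIFIC_SIGNATURES.get(alert.signature)
    if needed and needed not in ctx["services"]:
        return "suppress", f"{alert.signature} targets {needed}, which {alert.host} does not run"

    for host, proto, start, end in SCHEDULED_JOBS:
        if alert.host == host and alert.protocol == proto and start <= alert.ts.hour < end:
            return "suppress", f"{proto} activity on {host} falls inside a known job window"

    if alert.signature in NOISY_SIGNATURES:
        return "aggregate", "known-noisy signature; summarise instead of paging"

    return "escalate", "no suppression rule matched"


def triage(alerts: list[Alert]) -> list[tuple[Alert | None, str, str]]:
    """Triage a batch: one decision per alert, noisy signatures collapsed to a summary."""
    decisions: list[tuple[Alert | None, str, str]] = []
    noisy: Counter[str] = Counter()
    for a in alerts:
        decision, reason = decide(a)
        if decision == "aggregate":
            noisy[a.signature] += 1
        else:
            decisions.append((a, decision, reason))
    for sig, n in noisy.items():
        decisions.append((None, "summarise", f"{n} x {sig} in this batch"))
    return decisions


def decision_counts(alerts: list[Alert]) -> Counter[str]:
    """Count decisions for a batch; handy for checking that tuning rules fire as intended."""
    return Counter(decision for _, decision, _ in triage(alerts))


# Constructed sample batch: the post's three cases plus two controls.
SAMPLE_ALERTS = [
    Alert(datetime(2011, 11, 20, 21, 15), "db01", "Unusual UDP fan-out", "udp"),   # inside job window
    Alert(datetime(2011, 11, 20, 14, 15), "db01", "Unusual UDP fan-out", "udp"),   # outside window: real
    Alert(datetime(2011, 11, 20, 9, 0), "web01", "Slapper worm", "tcp"),           # no Apache on web01
    Alert(datetime(2011, 11, 20, 9, 1), "web02", "Slapper worm", "tcp"),           # Apache present: real
    Alert(datetime(2011, 11, 20, 9, 2), "web01", "ARP spoof suspected", "arp"),
    Alert(datetime(2011, 11, 20, 9, 3), "web01", "ARP spoof suspected", "arp"),
    Alert(datetime(2011, 11, 20, 9, 4), "web01", "ARP spoof suspected", "arp"),
    Alert(datetime(2011, 11, 20, 9, 5), "unknown-host", "Slapper worm", "tcp"),    # not in inventory
]

if __name__ == "__main__":
    for alert, decision, reason in triage(SAMPLE_ALERTS):
        label = f"{alert.host}/{alert.signature}" if alert else "summary"
        print(f"{decision:9} {label}: {reason}")
```

The point of the `reason` string is auditability: a suppressed alert should say which piece of context suppressed it, so that when the inventory or the job schedule changes (the network-layout gaps mentioned above), the stale rule is easy to find and retire.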

It sort of sounds like a DLP solution. 🙂

a quick case for layered defenses

Will a spam filter catch all malicious email sent to you? No.
Will a web filter block you from getting to all malicious sites? No.
Will a local antimalware tool prevent all malware from infecting your system? No.
Will your own diligence and paranoia weed out all email/web-borne issues? No.
Will reduced desktop rights protect your system? Not entirely.
Will your sandbox browser or script-blocking plugin stop everything? No (but close!).

Will any one of the above be the “right” answer for your business? No.
Will all of the above reduce your risk quite significantly? Yes, when done properly!
Will (broad) detection/monitoring of strange things catch the rest? No, but it should come close!

(This was prompted by some Starbucks spam email that made it through our filters today [despite a forged To address!], and a few users reported, but upon investigation I see our web filter is already blocking this domain. It simply illustrates that layered defense is paramount.)

It’s tempting to look at that sandbox/script-blocking as a best solution, but it’s also one that is entirely in the hands of the end user much of that time, specifically for script-blocking. For many people that I suggest use it, they end up getting sick of it and just allow everything or go back to using a poor browser choice. I’m not a big fan of security that users can turn off at will and without tracking or safety nets.
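To make the "no single layer catches everything" point concrete, here is an added example (not code from the original post) that runs a batch of constructed messages through four independent controls: a sender-domain spam check, a web filter with parent-domain matching, an attachment-type policy, and a catch-all "monitoring" bucket for whatever slips past the first three. Each layer alone misses most of the batch; their union catches most of it; the residual is what detection has to find. Domains, filenames and blocklists are hypothetical.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class Mail:
    sender_domain: str
    urls: list[str] = field(default_factory=list)
    attachment: str | None = None   # filename, if any


# Constructed blocklists (hypothetical domains).
SENDER_BLOCKLIST = {"bulk-mailer.example"}
WEB_BLOCKLIST = {"coffee-promo.example"}
BLOCKED_EXTENSIONS = {".exe", ".scr", ".js"}


def domain_blocked(host: str, blocklist: set[str]) -> bool:
    """True if host or any parent domain is listed: a.b.evil.example matches evil.example."""
    labels = host.lower().split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def spam_filter(m: Mail) -> bool:
    # Reputation only; it has no idea what the links or attachments contain.
    return m.sender_domain.lower() in SENDER_BLOCKLIST


def web_filter(m: Mail) -> bool:
    # Fires if the user would be stopped from reaching any linked domain.
    return any(domain_blocked(urlparse(u).hostname or "", WEB_BLOCKLIST) for u in m.urls)


def attachment_policy(m: Mail) -> bool:
    if not m.attachment:
        return False
    name = m.attachment.lower()
    return any(name.endswith(ext) for ext in BLOCKED_EXTENSIONS)


LAYERS = [("spam", spam_filter), ("web", web_filter), ("attachment", attachment_policy)]


def layers_fired(m: Mail) -> list[str]:
    """Names of the layers that would have stopped this message."""
    return [name for name, check in LAYERS if check(m)]


def coverage(mails: list[Mail]) -> dict[str, int]:
    """Per-layer hit counts, the union, and the residual left for monitoring."""
    result = {name: 0 for name, _ in LAYERS}
    caught = 0
    for m in mails:
        fired = layers_fired(m)
        for name in fired:
            result[name] += 1
        caught += bool(fired)
    result["any_layer"] = caught
    result["residual_for_monitoring"] = len(mails) - caught
    return result


# Constructed batch: a known bulk sender, a subdomain of a blocked site,
# an executable attachment, and one message no preventive layer knows about.
SAMPLE_MAILS = [
    Mail("bulk-mailer.example", urls=["http://coffee-promo.example/gift"]),
    Mail("friendly-sender.example", urls=["http://promo.coffee-promo.example/gift"]),
    Mail("friendly-sender.example", attachment="invoice.exe"),
    Mail("friendly-sender.example", urls=["http://never-seen-before.example/login"]),
]

if __name__ == "__main__":
    for m in SAMPLE_MAILS:
        print(m.sender_domain, layers_fired(m) or ["(reaches the user: monitoring only)"])
    print(coverage(SAMPLE_MAILS))
```

The parent-domain match in `domain_blocked` is the detail worth copying: a web filter that compares the exact hostname only would let `promo.coffee-promo.example` through even though the parent domain was already blocked, which is exactly the kind of single-layer gap the post describes.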

thoughts on online document mgmt services

Whenever I hear about “cloud storage” or “document management in the cloud” (both uses of the term “cloud” are marketing uses and synonymous with “Internet/web/server” and not actual cloud computing), my bigger kneejerk reactions run the gamut of, “You want to lose control of your sensitive documents?” and, “Don’t you dare mention backups; backups are a fundamental part of IT since it started and don’t need to be put online!”

But I read an article, “Online Document Management – Protecting Your Confidential Data”, by someone associated with a business that offers this service. Despite that, I found it well-written enough to pass on.

I liked the reasons posed for moving, and I agree with them, even if reluctantly. Traditional file servers based on popular OS versions are simply not adequate without lots of work, from a security perspective. The logs suck. Management sucks. And there’s always one or two admins who just don’t do things the way they should be done, and then you have to live with their shoddy solutions that you can’t change without impacting business process.

Here are some additional thoughts I’d add.

a) By consuming someone else’s online document management solution, you really are playing by their rules. No more “creative” solutions to strange problems and requests. You tailor your processes to the rules of the service, not the other way around. This is great for keeping things in line with what you want to do. If you manage the service, then you’ll have to deal with the political machinations of requests to change this and that and why they’re “possible” but bad ideas. If someone else manages it, you typically have a much easier ability to say, “Nice idea, but that’s not how it works.” This isn’t so great, however, if you rely on innovative, creative ideas to fix strange business processes that are unique to you.

b) I really want the business hosting the online document management to be very transparent and clear with their own processes, most importantly: their system change process and feature pipeline, the access their own people have to my documents, etc.

c) Mobile device support for document access is still a big challenge. Throwing it online often makes device compatibility someone else’s problem. However, it could also alienate some users whose devices aren’t supported. Though, to be fair, more than likely a current solution is already alienating them!

d) If there are any apps to help consume the service, are connections securely made and documents securely uploaded? If there is something like an SSL mismatch, will the user be warned?

e) When being consumed on the local device, can you determine whether someone downloaded the file to their device to use elsewhere or just viewed it online (this is usually a bit of a “trap” question…).

At the end of the day, I’m still not sold on the practice of online document management for anyone but the smallest of shops that have smaller budgets, are more agile, and are likely less attacked or interesting. But they’re useful services to keep in mind.

warrantless gps tracking thoughts

Wired posted up an article that made the Twitter rounds yesterday, “Busted! Two New Fed GPS Trackers Found on SUV”. I have a few thoughts to share on why this is important in total, but this particular instance isn’t quite so important. As a quick recap, a California man found various different GPS units on his car and even had a report of the Feds messing with his girlfriend’s car.

1. This guy may be innocent, but there are certainly reasons to track his whereabouts. His cousin is a wanted man. He drove his cousin’s wife to Mexico (where presumably his cousin is). Gosh, let’s see, I would imagine LEO is tracking him in case he goes to wherever his cousin is hiding. I bet this would qualify as a justified reason to track his vehicle. All I’m saying here is this wasn’t necessarily some completely innocent person who has no connections or ties to anything. He is, at best, unfortunate collateral damage because of his family members.

2. He does have a point where people may see someone tampering with his car. If my neighbors see someone tampering with my car, they may formulate an opinion of me and how maybe I’m a bad person because it looks like someone is GPS-tracking my vehicle. They may also think someone planted a bomb or some other nefarious device and report it to LEO. And suddenly I’m “on the grid” and “in the system.” If that happens because of some mixup or random GPS-tracking on me (who is otherwise about as clean as anyone), that would really suck. I really don’t want to do anything to get my name circulating in a flawed system upon which many things depend, ya know?

Granted, proving damages to reputation due to witnessed LEO involvement with me is probably never going to actually work in court.

The point is: mistakes happen, and it would really suck to be on the receiving end of a LEO/Fed mistake.

3. Without transparency and controls to some effect, I’m a firm believer that eventually (especially as more human beings become involved) a process will be subverted for non-official or non-moral reasons. Maybe to track a husband, or a friend’s girlfriend, or political dissidents, or whathaveyou. If it can be done, I’ll pretty much bet it will be done.

4. I’m not really sure why it would be such a bad deal to require warrants for GPS-tracking a vehicle. Perhaps there are other insinuations about tracking someone’s movements in a public place (streets) and a slippery slope of judicial precedent there. That’s certainly possible since I’ve not studied up on this issue (I believe there is a court case and even legislation involved that I’m not familiar with.)

Lastly, this isn’t the last time we hear of this. We have issues already with in-car services doing tracking, cell phone tracking by private corps, and credit/debit histories. And it’s naive to think they *don’t* sell and/or give that information away in any way that will help their business. We also have an increasing number of traffic cameras being implemented and increasingly scary amounts of license plate scanning on the roads and even facial recognition scanning!

So, in a way, this is a losing battle, but a battle that really needs to be fought. This process is essentially the reason we have a country like we do in the first place.

play nice with the chaos monkey

Last week I mentioned the HBR article, “What Every CEO Needs to Know About the Cloud”. Today I saw Brandon Williams posted about a piece of the article I did not focus on and should have: the Chaos Monkey.

Brandon mentioned that the Chaos Monkey is probably revenue impacting. Yup! That makes people scared! But if you have a real event and can’t handle it properly, that will likely turn into an even more revenue impacting incident than it could have been. And when it comes to Operations: things *will* fail someday.

I agree there should be controlled incidents in operations and especially in security. But I would caution that there is a very fine line between doing these controlled incidents (or tests) in a positive way or in a way that people hate and will react badly to.

Learning from tests is paramount. Pointing fingers and slapping hands and smacking ears because something is missed is called Doing It Wrong. You’ll just result in scared, sensitive, and not-happy people. No one likes to be tested and to fail and then have it shoved into their face or performance review. Yes, that gets results, but the point of so much testing and education is improvement and positive conditioning, not negative conditioning and fear.

checking in on the idea of a standing desk

I casually noticed McKeay talking about a standing desk via Twitter recently, and I see he has a detailed blog post about his new standing desk (this is itself an interesting compare/contrast for Twitter vs Blogs…). While I’ve never entertained the idea myself (though, yes, I’ve seen treadmill/walking desks for WoW players), I have to admit I’m intrigued (clearly, since I’m even bothering with this post).

Let’s get a few things out of the way. A standing desk won’t necessarily burn more calories, but it certainly eliminates the “barrier” of having to stand up and be in awkward positions in relation to the computer in order to do something else. If you’re already standing, I can certainly see how much easier it is to just walk over and do something else or be just slightly more active. But I won’t begin to think this activity comes close to actual cardio activity; it’s just a gateway. More importantly, though, is the posture, blood flow, and core balance that can be improved by not sitting all day. I totally acknowledge and would expect that.

So let’s look at my computer use cases. At work, we do have the option of swapping our desk chair with an exercise ball; and I may be tempted to try this. But standing, at 6′, I can just barely see over our typical cubes, which would be strange over time. In short, most of our cubes just aren’t ready for standing. So let’s disregard my day job for now, though I’d probably get by with a standing desk at work just fine.

At home, I typically am doing one of 4 things on my systems: movies/netflix, socializing/web browsing, tinkering with new technologies and such (research?), and video gaming. I can’t say I’ve ever watched a movie standing up and I’m not sure I’d dig that, but I bet I could mount my monitors on arms that could swivel and be positioned to accommodate a leisure position in a nearby chair. My socializing/tinkering activities are probably pretty posture-neutral for me; it would be weird at first of course, but I bet I could do them just fine standing or sitting. There are, of course, times where I’m probably thinking or mulling something over and want a change of position, but that can be dealt with by walking away and flopping onto a beanbag (Lovesac) or something. What would be less convenient would be reading-at-length or watching webinars/presos, most likely.

(Aside: I spend an inordinate amount of time at my computers, but I also don’t spend any time at all in front of a television. In fact, I don’t have one that brings in any television stations. I have a plasma, but only for movies I want to watch away from my computers or to play console games, which isn’t all that much. So, at least I’m not lounging on a couch or Lay-Z-Boy for hours of awful television. I’ve gone 6 years now without television use, and about twice that without actually ever *watching* it [prior roommates would watch, but I would usually not].)

And then we’re to video gaming, a relatively important hobby to me. I’m pretty sure my casual MMO/WoW playing would be compatible with standing, but I’d really expect I’d get sick of standing when it comes to FPS gaming or anything with a controller. With a controller held in both hands, that probably would eliminate my ability to support myself with my hands like I would with my forearms when typing or using a mouse. Who knows! Really, gaming is about being in a pretty uniform position with hands supported consistently and solidly to allow quick and precise movements. I’m pretty sure standing for that would be taxing.

So, I’m still unsure. One idea would be to augment my current desk with a nearby stand-up desk which could hold some of my extra boxes and servers and gear. But I’d be willing to bet I’d gravitate to one desk and ignore the other.

I could possibly rig something up where my main machines can be rolled to and hooked up to KVM setups between the desks as I see fit. But other than a real workshop-like area, I bet that’ll never look less than tacky and messy. And I’d probably still gravitate one way or another.

Still, this idea is interesting enough to keep in my thoughts for the present!

notes on 5 secrets to building a great security team

Via the Infosecnews mailing list, I’ve read a CSOOnline article on “5 secrets to building a great security team”. Sounds fun, despite being geared around more of a C-level managerial perspective in a larger organization where “security” encompasses brand protection, organizational risk, and other things beyond just digital security.

1. Rethink everything. – Pretty much a safe, vague item, but a good one. There’s no right answers, and it really helps to sometimes sit back, figure out what is working and what isn’t working (not what’s broken, but just what isn’t awesome), and try something new.

2. Formalize underserved functions. – This item focuses entirely on disaster recovery / business continuity sorts of efforts. While not necessarily part of “security” in a traditional sense, it does deal with organizational risk, operational resiliency, and personal safety; things that “security” often has in its vision statements as well. I don’t mean to downplay these efforts, they’re just a different slice of the security pie than what typically gets my juices flowing.

3. Demand proven business skills. – Essentially, this talks about the value of an MBA and, more importantly, being able to understand and talk with the business, and its leaders, in their language. It’s hard to disagree with this as being a useful skill when you’re not 100% in the trenches every day.

4. Create a communications czar for security. – This sounds interesting, and I’m not sure I’ve heard of something like this before, but it certainly makes sense. I got the impression part of this role was to ease the changing (i.e. HR issues with sweeping changes) of how security works at Caterpillar, but the details really show someone who acts as internal PR for security, and probably as trainer and support. Security can definitely use some people people.

5. Nurture dissent. – You know, I could leave this entire article and forget about it in minutes if but for this bullet point. Security (privacy, risk…) is a constantly debatable topic entirely because of its nature; always being at odds with evolving threats, but also its balancing act of security vs usability/convenience. Keeping this as an important, specific item allows a leader to always be able to elicit the most knowledge from his team members, rather than all of them just nodding and agreeing to whatever and letting the leader walk off their own cliff edge. It also really helps support the first item.

a top source for digital security news

It’s true, the blogosphere for security news is smaller and a bit more watered-down these days. At least stuff that is interesting enough to link to. I’ve also found my own time for such reading to be smaller than usual lately. Normally I don’t plug sources, but I admit when I have a moment to catch up on 2 weeks of news, I typically start with the Infosecnews mailing list emails that build up. Older posts can also be perused at seclists.org’s archive.

Part of the reason for this plug is to cover my butt a bit and share the love. Sometimes when I make a mention of news elsewhere I may forget to say how I got pointed over there. When I can, I try to share that bit, but more often than not my forgotten sources are Twitter (thank you lack of search due to shortened URLs) and ISN.

harvard business review touches on the cloud

The Harvard Business Review out on the newsstands right now has an article about what CEOs need to know about The Cloud. I’d link to it, but it’s behind a registration wall, and it’s not really worth but a skim for those who’ve heard the term before.

My first reaction is, “Gosh, looks like we lost the battle on what the definition of ‘cloud’ is.” Basically, anything that runs on a different system that you consume is the cloud. Web, email, files, whatever. Fine, I get it and I’m fine with that. Oh well!

I felt the article had a decent review of the definition of the cloud as well as the quick benefits. However, I did want to mention one I think didn’t get enough face time.

The things offered by the cloud are not so amazing that internal IT teams couldn’t do them. Sort of. That’s what the article says, and it mentions that internal IT is stretched. I agree, and I’d say that at least these third-party app providers (cloud providers, SAAS…) can afford to have such a laser-focus that they can do a really good job with what they provide. I fully think that needed to be explicitly stated as a tangible benefit. Your internal CRM is cool, but that Salesforce.com CRM is going to be better. I thought this just needed to be really highlighted as a point.

On the flip side, I felt the review of the risks/costs of cloud were really glossed over too lightly.

Specifically I didn’t like the lack of mention of how cloud applications (like docs in the cloud, or email, or CRM…) are not going to ever be nearly as customizable as your own internally managed apps and products. My company is currently in the midst of reviewing the replacement of our internal Microsoft Exchange infrastructure with something like GMail/Apps. But I can guarantee that many of the little pieces in our mail and calendaring settings and tweaks and processes are just not going to be possible in someone else’s product.

You get a laser-focused tool, but you get the same tool as everyone else gets, without any special sauce of your own.

Which actually brings up an entirely related point: What do you have when you and all of your competitors all use the same platform? You lose any ability to say you have better technology or better channels or better processes. You’re all going to be doing things the same way. (Some may even wonder if there might be a conflict of interest when Big Fish in an industry with bigger wallets influence a cloud provider’s tool to tailor to what they want…)

Some might praise this as a way to compete directly and solely on people and business product. I can buy that, but I’m not sure that’s something many businesses think about when going onto cloud services. In that way, the benefit is not to do work better than your competitors, it’s simply to cut costs of infrastructure.

I also felt like there was a glossed-over cost of control over your own data. At the end of the day, if you move to another provider or go back in-house or want to provide and have assurances that your data is protected and private and recoverable, you’re working under blind faith with your cloud provider. At least with internal infrastructure, you have unlimited ability to audit, test, and verify. (At the cost of an unlimited ability to cut corners, lie, cheat, and be negligent/ignorant.)

Essentially, we had this cycle where we moved from mainframes and time/cycle clocks and sharing to decentralized PCs, and we’re moving back to centralized computing. Yes, it will go back again, and repeat and probably for the same reasons: customization and control.