people cause insecurity, and also influence risk

I sometimes shy away from the obvious big news that everyone is already talking about, but finally I read a decent enough article about the recent HBGary Federal drama, over at ars technica, of all places. That and the Krebs piece (whom I’ll just unofficially credit as breaking the news, when I saw his comments on Twitter as the Super Bowl was starting…) are all you really need.

Anonymous got into HBGary Federal’s e-mail server, for which Barr was the admin, and compromised it, extracting over 40,000 e-mails and putting them up on The Pirate Bay, all after watching his communications for 30 hours, undetected. In an after-action IRC chat, Anonymous members bragged about how they had gone even further, deleting 1TB of HBGary backup data.

I’ll be the first to say that *everyone* is weak somewhere, even security firms, and it is difficult to always find attacks (through automated or manual means). Nonetheless, you need to be better at your damn security. Yes, a dedicated group of attackers can give anyone hell over x period of time, but you shouldn’t fall within days, not be able to detect it for 30 hours, and so on. And you surely as hell shouldn’t be so arrogant as to expose such ignorance. The entire organization should have known that this guy was about to prick a group that would, in and of itself, be a major risk agent/threat, and have acted appropriately.

On the other hand, one of my favorite quotes, “A smooth sea never made a skillful mariner,” can be equated to an IT mantra: “we learn the most when we’re troubleshooting critical issues.” While one or a few of the major players, and maybe even this branch of the company, may end up flaming out because of this, hopefully the other bit players and techs and businesspersons will learn a valuable lesson and take some extra experience away from this.

As far as the major players go, it’s hard to feel sorry for either Aaron Barr or another recent “victim,” Mr. Evans, when they’re essentially un-empathizable. It’s like the dumbass in the bar who keeps daring you to hit him and keeps barking loudly and making a scene all night, then starts crying when you do hit him and break his jaw. Rather than take moral sides in these situations, I’d just like to say, “Welcome to 2011.”

oh that silly hoover dam fud example

I’m not sure if I should laugh, cry, or just facepalm in regards to recent use of the Hoover Dam as part of the US internet “kill switch” debate.

“The bill, one aide said, would give the president the power to force “the system that controls the floodgates to the Hoover Dam” to cut its connection to the net if the government detected an imminent cyberattack.”

I’ll not pick on everything that is wrong here, but I will say that if we’re going to be so concerned about systems that are supposedly connected to the Internet, so much so that we will have provisions to close those connections if necessary (which presumably won’t itself break anything)…then why the hell is the connection there in the first place? My guess is people are assuming such lax security without actually verifying whether there really are layers involved. The risk from insider employees (or mistakes) is still greater…

If there’s one single thing we can learn about security today compared to 30 years ago, it is a matter of increased scale and speed (efficiency). Sure, it’s nice to keep the museum doors open for visitors and staff and then lock them in a crisis, but digital networks operate far faster than any one person can react and with such efficiency that damage is done before some “switch” can even be triggered.

jeff snyder on web app security job skills

Been developing web apps for a while and want to move to web app security? There’s room for you! Check out Jeff Snyder’s recent post about Hot Security Skills: Web Application Security [warning: may come up as a job recruitment site on web filters].

I really like that he dives down into what I think is important in most roles of security: practical experience. In this case, employers want experienced coders/developers. Diving deeper, you can see they would also like candidates to have experience with security scanning tools and web app firewalls. I’d argue those are a bit harder to get one’s hands on, as some of them are a bit spendy depending on the vendor. But I bet you can get some hands-on if you just ask the vendors and explain you’re trying to improve your skillset and might actually end up making indirect sales with recommends (hint hint)…

Now, if you look at everything Jeff lists, you’ll probably see why there is a shortage of web app security engineers! Those requirements are pretty damn high, even for experienced people, and they start diving into other areas that may be less familiar (database administration, WAF, advanced authentication, various server administration…). If you have all these skills, just sticking to development will be solid bucks, let alone bothering with security! I consider it rare that a developer really understands or ever tackles these other things, some of which are often in the sysadmin ballpark.

Nonetheless, don’t let such high requirements chase you or someone you know away from web app security. There are no doubt opportunities for less experienced gigs and it’s really only those first 5 years of job experience that are the hardest, whether you’re doing practical work or outright security work. If you know your security shit, you can probably bypass the “I was a Ruby developer for 15 years [huh?]” requirement.

mean what you say

Ever notice how people say things like, “Thank you,” in weird situations?

Customer: “Could you help me with this return I have?”
Retailer Geek: “Actually you’ll need to go to the front desk over there.”
Customer: “Cool, I’ll do that.”
Retailer Geek: “Thank you!”

Wait, what? People say things like “Thanks” when they’re not the ones getting anything out of the exchange. It seems almost like a reflex response that is meaningless. Or maybe a way to fill the space when one doesn’t have a real exchange to make in a farewell/closing situation?

I actually, genuinely try to always be conscious and non-rote in my responses in this regard. I actually take mild offense to people who have these unthinking habits of saying things like, “bless you,” or “excuse me,” or “thank you,” with zero actual conscious effort to do so. To me, that steals the meaning entirely away.

from lee & mike: common traits of future infosec leaders

Lee & Mike often have excellent insights into the job search of a CISO, and I liked a recent blog post of theirs enough to point back to it (even if, I would argue, the original question wasn’t really answered in an actionable way): “Common Traits of Future Information Security Leaders.”

In very brief, you could sum this up even quicker with: attitude, enthusiastic learning, good relationships with people, willing to fail, and aware of themselves. I’d also suggest that, between the lines, Lee would also say that successful CISOs take an active, deliberate approach to handling their career path and job/goals.

As a non-CISO, I would offer to the original question a few tips:
– be active and skilled and friendly in your current role, i.e. you leave smiles in your wake
– walk and talk the part of the next step you want for advancement (team lead, senior, mgr…)
– find out how the business works and what business/managers want to hear when talking about your role/duties/projects. You don’t make sure the network operates, you make sure that the business can deliver quality service through technology…
– consciously pick tasks/roles/projects that make you visible to the rest of the business whenever possible; be aware of “project management” skills during them
– be the knowledge expert in security and how it relates to the business
– delegate recurring, menial tasks and make sure your own duties are documented enough that someone “lower” can take them on while you slide yourself upwards
– make your career goals known to your immediate boss (or HR) in a friendly, but firm way
– pursue certifications as you can, but at a digestible pace
– network in your area with like-minded persons (formal security groups or even informal bar-crawls)
– network in cyberspace as well, where you can almost certainly sound more senior than you really are in a current position! 🙂
– be ready and willing to move on to another opportunity

My goal in those suggestions is to move from being a person in a technical role to being a person in a technical role with aspirations and skills and desire to be in a managerial/lead role, thus getting started on the upward track.

obligatory wow cataclysm update

Every now and then I’ll indulge myself a WoW update on this blog, and since Cataclysm was launched last December, I may as well get this out of the way now. I am still not raiding (retired after Hyjal/BT), but instead just play 5mans and other fun things in my (lvl 12) guild. I will say, however, that with Cata’s approach to more casual raiding, I’ve been tempted to start in again, but am so far successful in resisting. Besides, 5man heroics are fun (difficult) enough as it is, and they should keep me entertained for some time.

With the recent game changes, I’ve found myself really stoked with the new challenges and the fact that even 5man heroics can’t be run on autopilot, even by DPSers. Since I am typically a heal class, however, I don’t like that I actually *depend* on DPS not fucking up. That’s new, and taking some getting used to. But overall, I really dig the new play mechanics (triage healing) and group mechanics. I love that it really takes some awareness for all classes to play now. Wrath 5mans were too quick, too easy, and just one good player could carry the whole run, with minor (ICC 5s) exception. Cata has brought the difficulty back!

My main is an 85 Resto Shaman who dabbles as Elemental now and then. He has taken quite well to the recent changes. In fact, I was never a haste whore even when haste started actually getting interesting back in late BC, so focusing on mana efficiency for Wrath isn’t so new to me. My philosophy has always been: I’m useless as a healer if I don’t have mana. So now he fits in nicely and currently heals 5man heroics. I’ve also always been a “busy” healer, so keeping busy in Wrath mechanics is second nature already. I love moving from UE/RT/HW neutral mode up into bombing some bigger heals out as needed and letting HST top people off while I regen mana with LB. This is my only toon currently running 5man heroics. (Yes, even PUGs, when not in guild runs which are vastly easier!)

My Disc Priest was a surprise when he Smite-ground up as my second 85 character (leveling was easy as Disc…not blazing fast, but easy as pie). He also heals 5mans (AA spec, non-heroic so far) and just this week I’ve been dabbling in Holy as a second spec, just to compare and contrast that with the 2 sub-specs in Disc (PoH aoe heals vs AA). I didn’t expect to like Disc healing at 85, but so far I’ve really enjoyed the challenge and intricacy of managing Grace, Archangel, abusing Atonement/Penance, and otherwise leveraging the synergies of the new talents. As Holy, I’m looking forward to rolling Renews, which is a totally different playstyle from the past, and should be fun. Still, I expect to remain a Disc healer who can dabble into Holy/PoH-spam if necessary. This toon was my second toon back in vanilla and was a Holy/Fear-Ward-Bitch (ally dwarf) for BWL runs, so has always been heals.

My old main, my Warlock, is still sitting at 81, but in what little time I have played him since Cata hit, I’m stoked about leveling him up for 5mans sometime soon. Leveling with Soulswap is outright fun, and rolling DoTs on everything (Affliction) has been the way I played since vanilla WoW. All is good in the face-melting DPS department, whenever I get around to him again.

My DK tank is still 80 and I have decided she will be one of the last toons I get to 85. Not only is it asking a lot to master yet another new playstyle, but I don’t have much desire to get yet another toon up into 5man heroics yet. If I did, I’d have to relearn tanking (though it’s not as bad as most think it is) or figure out how to DPS on her…

My new Worgen is 36 right now and a baby Druid bear. I may in fact tank on this toon before my DK, assuming I get him leveled up someday. Leveling him up with a good friend of mine who runs a Priest Worgen.

the it as a business trainwreck

Bejtlich recently posted about an article on the trainwreck of running IT as a business. I suggest reading it with his emphasized points, and then reading the original article on InfoWorld. I’m tempted to repost the entire article, just because it is that thought-provoking; a bit of a surprise for rags like InfoWorld, which makes me scared that they may find this rogue article and remove it!

Seriously, read the article. Everything below this point is really just rewording the points Bob Lewis makes and Bejtlich emphasizes.

The article is chock full of good points, and I myself am in a company where IT is mostly run as a separate business silo where my ‘customers’ are other internal employees. Of course, this turns us into a utility company that is not necessarily being innovative and ahead of the curve, but rather increasingly pressured to reduce (or chargeback) costs and keep things flawless (classic negative conditioning). This also makes us captive to the culture of “the customer is always right,” or “give them the pickle.” (We’re not children anymore; the customer is not always right, and it’s only ok to give someone a pickle when their pickle request is reasonable.)

Likewise, we shouldn’t be fighting against the business initiatives, but that is often how it feels. And it feels that way because our internal “customers” make requests/demands of us similar to how customers make often unreasonable demands of their vendors. It’s a disconnect. Not a communication disconnect, but rather a disconnect in the concept of shared ownership that comes from being all part of one business (which is ironic considering we’re employee-owned).* If we weren’t conditioned by the business to be risk-averse, we’d likely be on top of or already doing some of their requests!

Then again, maybe this whole article’s idea about how bad “IT as a business” is, is itself a product of even more pressure on IT budgets and cost. What better way to eliminate that pressure than by putting it on the shoulders of the whole company? Or it may be saying, “Help me, help you.”

I really love this part, and it is something I live through weekly, especially with how closely I work with our internal IT and developer teams:

“Or try to explain your file and print server hosting rates. It doesn’t matter that part of that rate is full backup and off-site storage. Or as part of a clustered environment you have built-in redundancy and that ensuring the server is updated and secured appropriately is part of that cost. Their friend Joe hosts these things on the side, and it is much cheaper.”

When IT is a business, selling to its internal customers, its principal product is software that “meets requirements.” This all but ensures a less-than-optimal solution, lack of business ownership, and poor acceptance of the results.

Other IT persons (developers, largely) are notorious for this. The classic example is, “Why does storage cost so much? I can go to Best Buy and get a terabyte on an external drive for $100.”

In fact, I would go so far as to say that this whole problem of being an internal customer is compounded right now with the consumerization of IT; i.e. the influx of Apple products, mobile devices, cloud-based storage (which is just an “enterprise” way of saying “on the web” for most of these services), and outside hosting/solutions. This is why we’re losing this battle suddenly: the “customers” are the ones making the recommendations and demands, not IT. IT is trying to avoid more black eyes, delivered as a result of being a “separate business.” (Managerial personalities can make an impact as well, especially those who refuse to ever be wrong, even when their requirements are horrid.)

If I had to nitpick on the original article, it would be the assertion that this whole “IT as a business/chargeback” issue is a product of the outsourcing industry; that isn’t so clear to me. I think business largely doesn’t know how to handle IT as an integral part, so the default behavior ends up fitting the “IT as a business” model where budgets are constrained and IT managers are pressured to justify costs, so they charge back as a way to illustrate who is costing them what. This is a top-down problem; not a sideline/outsourcing problem.

* What is even more ironic is the effort to force more innovation into the business over the last year. While I think it is wrong to “force” innovation and make it a requirement, it is even worse to try to do so in an environment where risk-averse actions are rewarded. This is a whole topic in itself…

you compared how many web app vuln scanners?!

Shay Chen is apparently a “sec tool addict.” As such, he’s taken the time to compare a huge list of web application vulnerability scanners and present his findings. This is way too huge to digest quickly, so I won’t speak to his accuracy (even if I could spend the time to do so!), but this report can serve several purposes, not the least of which is a very long list of tools to use and abuse in web app security. Hopefully he has somewhat valid results. I expect most tools have a sort of give-and-take when it comes to detecting vulns and being useful. It would be folly to try and rank them against static tests, as I’m sure you’d need a blended approach to get the most chance at high coverage. (He basically concludes as much, if you scroll down far enough.)

quick security livecd roundup

Seems to be a bit of a renaissance of security-oriented livecd distros floating about. Somewhat exciting since the long-past days of things like Phlak, Knoppix-STD, and some other one that had some green in it, was also an acronym, and included the letter “G” somewhere…I forget.

SamuraiWTF has been updated!

SecurityOnion has been updated!

DEFT will soon be updated!

BackBox is new?

Blackbuntu is new?

For any other ideas, check the livecd menu category to the right. Yes, I’m missing some like Helix or Nullbound. I just don’t always feel right grouping [off-and-on] commercial offerings under the ‘livecd’ category. Others like Russix (wireless-oriented livecd) seem to be MIA.

valsmith on the evolution of pentesting

To welcome in a new year, trundle on over to read a recent post by Valsmith on how “penetration testing is rapidly becoming obsolete” (and read the great comments). Yes, this topic has come up in various forms the past few years, but too often those claims are made by analysts or people who aren’t actually doing the tests. Or if they are, what they’re really saying is, “Pen testing is changing from how we knew it.” I think Val’s post is more coherent than most.

I’d ramble on more about it, but it’s all been said before! I will just say that there is still going to be a market for people who can parse the security results and go the extra mile to produce real value, inclusive of pen testing. If you think IT/Ops can interpret and handle even today’s automated scanners and log managers and tools and vuln scanners, web app firewalls, and DLP auditing…you’re not living their reality. That sort of approach is usually called “lip service” or compliance-oriented security. Seriously, how many auditors still miss the obvious things or get bamboozled when confronted with too much technical smoke and mirrors?

the motivation of security talent

Just wanted to point back to a post from Bejtlich, specifically talking about a recent Tweet of his:

Real IT/security talent will work where they make a difference, not where they reduce costs, “align w/business,” or serve other lame ends.

That doesn’t mean security shouldn’t align with business and all that jazz, but those items are not really the goal of anyone with half a good mind in security. They want to do cool things and make a difference. They’re passionate, enthusiastic about security, hacking, and defense. Who gets enthusiastic about aligning with business or reducing costs? Yes, some people do, but I think there is little intersection between those people and badass security geeks.

boa reacts to possible leak threats

Funny how the tangible threat of action/leaks “possibly” against Bank of America has caused them to spring into action. Hopefully BoA is only ramping up internal investigating and not actually doing operations differently, otherwise that would beg the question, “Why weren’t you already doing x____?”

It’s also funny how much power Wikileaks has right now. Even simple short-term bluffing (if it only amounts to that) causes more security-enhancing work to be done than so many security professionals can dream to get accomplished over years of internal risk evaluations that dance around full-on FUD alarms (execs and sec pros have different tolerances to where that FUD line lies…).

I really didn’t care much for Wikileaks vs governments, and somewhat wondered if it would stop there. Indeed, it looks like this may spill into large corporation realms, which interests me much more. This is a give-and-take topic all itself, and I’m resisting urges to opine about it further…

What if Wikileaks dropped hints it may be dropping data on your company soon? What are the chances of such data leaking?

What if someone you partner with is the next Honda/Silverpop and you suffer a breach because they suffered a breach?

the big gamble of security

Gawker recently had an issue that exposed the security of their web code (and overall posture) as crap. Not surprising. Reading the comments to an article about it on The Register also yields no surprises.

There are plenty of managers and others who don’t understand the consequences and risks of not paying proper respects to security. They truly do need to be educated.

But there are others who *do* understand the risks, and who *still* make decisions that leave security lacking. This is what I call the big security gamble. And it is just a matter of the risk a company wants to accept, or at least put off until such a time (if ever) that something does happen. See, it’s that “if ever” part that really starts the shoving matches. In security, we really should be talking about the inevitability of an incident. But human nature won’t necessarily accept that inevitability. You really might be able to go for many, many years without suffering (or at least knowing you suffered) an incident. Kinda like not having car insurance and yet still driving…

It’s hard to argue that deadlines should be pushed in order to get security done right, especially when a product may be new and no one even knows if it is viable yet or going to succeed at all! What comes first, the product (and resultant revenues) or security spend? [I like to also say, to head off a natural line of argument: which comes first, learning how to assign a variable or learning how to assign a properly bounded and verified variable?] Of course, once it does succeed, that inertia of ignoring security is hard to turn around until something bad happens…

The fact is, economics will trump security. Hell, economics trumps *safety* even (though few people like to talk about that). This is life.

That sounds exceedingly defeatist and cynical, and in a way it is. But it really, really helps keep a security geek sane by coming to terms with reality every now and then. That won’t stop me from always giving the ideal suggestions when asked for them, or trying to gain as much security ground as possible when given the chance. Or from striving to do security correctly in the first place.

If I got pissed off at everyone who had a security incident or lapse or who didn’t cover every hole and feasible issue, I’d be pissed off at everyone. Granted, there is negligence and stupidity…but…you get my drift, I’m sure.

bad things still happen to good systems

I’ve been quiet about the whole Wikileaks thing, and I likely will remain so. I don’t have anything to add that hasn’t been said already, and I gravitate closer to the fence than even I probably admit to myself.

Nonetheless, I won’t refrain from pointing to nice articles on said subject, like this one from Chris Swan posted at Fudsec. I like his practical thoughts on the subject.

To add: This was a failure in a trusted user leaking docs. Would technology have prevented/alerted on this? Perhaps. But ultimately this still boils down to humans (talented staff, not just in security log-watching…) solving human problems (background checks, education, management…)

Now, maybe if they had body scanners and pat-downs whenever you enter or leave locations where you can view/manipulate sensitive data…

jay adds 5 infosec rules to live by

I like lists. Jay Jacobs over at his Behavioral Security blog posted a list of infosec “rules to live by.” Can’t say I disagree with any of them, but thought I’d add to the discussion a bit!

Rule 1: Don’t order steak in a burger joint. I don’t really have much to add to this excellent point!

Rule 2: Assume the hired help may actually want to help. I agree with this, but I’d also play with changing the wording in one of two ways. First: “Don’t assume anything.” Second: “Assume the hired help will follow the path of least resistance.” I know, I’m twisting that rule around almost 180 degrees. I get that awareness can (and does!) foster the ability for people to make proper decisions. But I can’t assume or rely on that enough to call it a rule. I really like the last line in Jay’s paragraph on this, though. Still, I think he makes, in the next few rules, a similar point to the one he went after in this rule.

Rule 3: Whatever you are thinking of doing it’s probably been done before, been done better, by someone smarter, and there is a book about it. Absolutely! This is where being in touch with the greater security community is invaluable.

Rule 4: Don’t be afraid to look dumb. I can’t say this enough, especially to myself. Don’t be afraid to look dumb! We only get one life, usually one shot at things like first or lasting impressions. Don’t waste yours and other people’s time with false facades. Take a shot, fail, learn, do it better the next time. Lay your balls out there. As I’m fond of saying in the sysadmin world: we learn the most only when we’re troubleshooting issues or in the middle of failure. This is why “fail” and looking dumb need to be intrinsic cultural values in an IT organization.

Rule 5: Find someone to mock you. I’d probably reword this rule, but the point absolutely stands: find people who will honestly challenge you, mutually. This is the age-old, “Surround yourself with people smarter than you,” maxim. But really, it’s about mutual respect and being able to follow rule #3 and still be a man (or woman).