Security Professional Pipeline

The demand for a trained and educated information security workforce here in the U.S. continues to grow.  Creating a pipeline of information security professionals has to start early.  A national campaign to develop the next generation of “Cyber Defenders” has been happening without the fanfare or kudos that it deserves.

The Collegiate Cyber Defense Competition has existed since 2005 and, according to a USA Today article, has grown from five competing schools to 83 teams from colleges and universities.  A similar high school competition has also been established and is seeing great participation.  This is exciting!  An environment where talent merges with enthusiasm for the information security field is the right environment in which to recruit professionals.

I hope these events continue to grow and inspire similar local and regional “cyberwar games” for high school and college teams.  I hope they become common recruiting grounds for both the public and private sector.  Well done.

Graphical History of Hacking

This was pretty cool.  Thanks to OnlineMBA and their post.

The History of Hacking
Via: Online MBA

A Shame for InfoSec Transparency

The CISO of Pennsylvania was apparently fired after discussing a breach while serving on a panel at the recent RSA conference.  The removal was covered in several articles, including this SCMagazine report.  The information provided by Bob Maley was a clear description of a threat that some states may face, an appropriate discussion for this panel.  However, it seems Maley didn’t get explicit permission to talk about this issue and was terminated for this breach of protocol.

There may be other personnel issues involved, but the timing of this is certainly suspect.  While Maley should have been disciplined for violating communication protocol, the end result appears disproportionate to the offense.

The RSA panel was a great opportunity to share information and lessons learned.  Instead of embracing that level of transparency, we see a SCMagazine CISO of the Year finalist losing his job by trying to help others learn from his experience.  If others fear such action for sharing sanitized lessons learned then our field has taken a step backward in transparency and communication.  That’s a shame.

Back to Basics

I just read an article “Basic security measures do wonders” and it drove home a point that seems to have been lost with the inundation of terms such as “CyberWar” and “Advanced Persistent Threat”.  While we spend a lot of time implementing new technologies or applying frameworks, we sometimes forget that applying basics and using our current tools more effectively can go a long way to improving the security posture of our organizations.

I’m not implying that we be stagnant in our approach to securing our information from changing threats.  It’s vitally important that we be agile in our defenses, or else we create the Cyber-Maginot line I’ve discussed earlier.  That said, we sometimes fail to tighten our current infrastructure in our pursuit of the latest headlines and buzzwords.

The article mentioned some basics that are worth repeating:

  • Turn logging on and monitor files, but be careful that you don’t inundate yourself with irrelevant messages.
  • Examine network traffic patterns.  Learn what normal traffic looks like so that you can better identify abnormal patterns.
  • Control access so that employees have access to what they need to do their jobs, but nothing else.
  • Enforce security policies.
  • Have a consistent process for patching systems.
  • Know where your data is!
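The first two basics above (turn logging on without drowning in noise, and learn what normal traffic looks like so that abnormal patterns stand out) are easy to state and harder to operationalize. The following is an added example, not code from the original post or the article it discusses, showing one way to do it: aggregate flow records per host and destination port over a baseline period, then compare a new day against that baseline. The flow-line format, host names, port numbers, counts, the 3-sigma threshold and the `min_delta` noise floor are all constructed assumptions for illustration.

```python
"""Learn a per-(host, port) traffic baseline and flag deviations.

Added example (not from the original post). The record format
"<day> <src_host> <dst_ip> <dst_port>", the hosts, ports and daily
counts below are constructed for illustration.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev


def daily_counts(lines):
    """Aggregate raw flow lines into {day: Counter({(host, port): n})}."""
    per_day = defaultdict(Counter)
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        day, host, _dst_ip, port = line.split()
        per_day[day][(host, int(port))] += 1
    return per_day


def build_baseline(per_day):
    """Mean and population stdev of the daily count for every (host, port).

    A key absent on a given day counts as zero that day, so rarely seen
    pairs get a low mean rather than being dropped from the baseline.
    """
    days = sorted(per_day)
    keys = set().union(*per_day.values())
    baseline = {}
    for key in keys:
        series = [per_day[d].get(key, 0) for d in days]
        baseline[key] = (mean(series), pstdev(series))
    return baseline


def find_anomalies(baseline, today, sigma=3.0, min_delta=10):
    """Return (key, count, reason) for pairs worth a human's attention.

    Two deliberate noise controls: the stdev is floored at 1 so a flat
    baseline is not a hair trigger, and a deviation must also exceed
    min_delta connections so tiny absolute changes never page anyone.
    """
    findings = []
    for key, n in sorted(today.items()):
        if key not in baseline:
            findings.append((key, n, "never seen in baseline"))
            continue
        mu, sd = baseline[key]
        threshold = mu + sigma * max(sd, 1.0)
        if n > threshold and n - mu >= min_delta:
            findings.append((key, n, f"{n} vs baseline mean {mu:.1f}"))
    return findings


def _flows(day, host, port, n, dst="10.0.0.5"):
    """Constructed helper: emit n identical flow lines for one day."""
    return [f"{day} {host} {dst} {port}" for _ in range(n)]


def run_example():
    """Five constructed baseline days, then one day to evaluate."""
    baseline_lines = []
    for i, (a, b, c) in enumerate(
        [(120, 40, 95), (130, 42, 100), (125, 38, 97), (118, 41, 102), (127, 39, 96)], 1
    ):
        day = f"d{i}"
        baseline_lines += _flows(day, "ws-01", 443, a)
        baseline_lines += _flows(day, "ws-01", 53, b)
        baseline_lines += _flows(day, "ws-02", 443, c)
        baseline_lines += _flows(day, "ws-01", 22, 1)   # one SSH session a day
    # Evaluation day: normal web traffic, a DNS spike on ws-01,
    # a port never seen before on ws-02, and a small SSH uptick.
    today_lines = (
        _flows("d6", "ws-01", 443, 124)
        + _flows("d6", "ws-01", 53, 400)
        + _flows("d6", "ws-02", 443, 103)
        + _flows("d6", "ws-02", 445, 3)
        + _flows("d6", "ws-01", 22, 6)
    )
    baseline = build_baseline(daily_counts(baseline_lines))
    today = daily_counts(today_lines)["d6"]
    return find_anomalies(baseline, today)


if __name__ == "__main__":
    for key, count, reason in run_example():
        print(f"{key[0]}:{key[1]} count={count} ({reason})")
```

Run as written, the DNS spike on ws-01 and the never-before-seen port 445 on ws-02 are reported; the web traffic that moved a few connections and the SSH session count that went from 1 to 6 are not, which is exactly the filtering the first basic calls for. In practice the baseline window should be long enough to cover weekly cycles, and the thresholds tuned per environment rather than taken from this example.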

I would imagine most security professionals reading this will say “duh”.  I’d also be willing to bet that many organizations fail to apply all of these basic principles. Why?  Wouldn’t it be dumb to deploy the latest and greatest security technology only to be breached through an unpatched workstation?  It happens all the time.

Now, especially during an economic downturn, is a great time to re-evaluate your current tools to see where you can improve their effectiveness.  Can you improve your user provisioning/de-provisioning process?  Can you leverage scanning tools and results to improve a vulnerability remediation program?  Can you tighten up audit logs and alerts?  Can you create an inventory of sensitive information?  Can you engage business units to build a stronger relationship with security?  Can you develop an awareness campaign that is engaging and informative?

It seems to me that improving what you have creates a stronger security program than having a huge number of half-implemented tools and processes.  Tell me.  What areas can you improve today?

InfoSec targeted for use of “jargon” – Blah!

Why is it that the terms used in the information security profession are referred to as “gobbledegook” while in other professions they’re known as nomenclature?  Every profession has its own jargon, so for “experts” to label this as something unique to information security is rather unfair.

“One problem is that computer “geeks” use jargon to cloak their work in scholarly mystique, resulting in a lack of clarity in everything from instruction manuals and systems design to professional training, the experts said.”

- Maclean, William, “Computer jargon baffles users, hinders security”, msnbc – Technology & Science, February 19, 2010.

This isn’t some malicious attempt to create a mystical club with secret words and handshakes.  Industry-specific terminology helps professionals within that industry communicate clearly with each other.  Isn’t this also true in finance, medicine, law, software design, architecture, etc.?

Former U.S. Homeland Security Secretary Michael Chertoff had this to say:

Doctors and lawyers used to enjoy “a sense of mystified special knowledge,” Chertoff said. “But … once you empower people to understand what’s going on, doctors do a better job. So with cybersecurity the task is to make the architecture more user-friendly — and to teach people better.”

I don’t know about you, but when a physician rattles off medical terminology I’m certainly not feeling empowered.  I do, however, trust that I’m being treated by someone trained in that particular field who understands the complexities and can communicate with peers (referrals) who also understand the “jargon”.  Isn’t this what they are paid for?  It’s no surprise that such a comment came from Chertoff, who recently ran point for the miserably ineffective Cyber Shockwave simulation (aka propaganda) show.

Having “experts” come out and say things like “plain language is vital” is nothing new.  In any awareness or education campaign, the content of the message must be appropriate to the audience.  If you’re dealing with individuals with little experience in technology, then the awareness campaign has to incorporate examples and terms that are familiar to them in order to be effective.  That’s a no-brainer.

Perhaps next time these “experts” get together, someone should suggest they don’t need to tell us the completely obvious, the merely obvious will do.

Cyber Shockwave – A Bust

CNN recently broadcast a cyber-attack simulation meant to demonstrate the potential cascading effects of a widespread attack on our nation’s infrastructure.  The exercise included former federal officials who played key positions in the executive branch to show how the government would respond to the escalating incident.  They even had a flashy headline:

“Cyber Shockwave”

As much as I hoped that this would be a worthwhile simulation with good discussion, this really came across as propaganda wrapped in FUD.  It seemed like a sales pitch for more government control, especially with the catchphrase “We Warned You” included in the program.  We all should be concerned when government officials talk about “nationalizing Telco and Power”, “quarantine cell phones”, and “giving the option of unilateral disconnect”.

There is no doubt the threatscape is changing with the way we use technology.  Mobile devices certainly will see their share of malware.  Both the public and private sectors have lapses in their information security practices.  As we’ve seen with the latest attacks from China, there is a rise in targeted attacks.  That said, I have my doubts about a mobile botnet that wipes out cell phone communications, creates widespread power outages, and takes down Wall Street.

Cyber security is not a unilateral issue with government alone stepping in to save the day.  The private sector is particularly good at finding solutions to problems, and it too has a dog in this fight.  Let’s bring the right players to the table to find a solution other than martial law.

Bottom line:  Simulations are useful if they are appropriately scoped and are meaningful.  We could learn a lot from a good simulation that includes government and private sector participation.  In this case, CNN used the script from “Live Free or Die Hard” and wasted a lot of time and money.

Don’t Let FUD Trump Value

The Google “Aurora” incident illustrates an ongoing problem with the “media motivated” approach many organizations take with regard to information security.  A major event happens and there is a short-lived window of opportunity to ride the “it can happen to us” wave to secure some funding for the latest toy or gadget.  Unfortunately, some executives are unable to step out of the headline-grabbing world of FUD (Fear, Uncertainty, and Doubt), and that is the only way security efforts ever show up on their radar.  That is unfortunate, but it shouldn’t convince information security professionals to operate entirely in that realm.

Threats are constantly evolving.  “Aurora” today will be something else tomorrow.  Constantly jumping from one fire to the next unfortunately takes us out of the process-improvement mode of operation.  Certainly there are some lessons learned from this incident that should be applied, but ultimately, information security should be an evolving, proactive process, not a panic-stricken FUD game.

  1. Vulnerability management is a process that requires checks and balances.  How do you know that all your systems are patched?  This goes beyond O/S patches to applications as well.
  2. Do you know what your users are installing?  Software deployment and management is part of an overall strategy to protect your systems.
  3. How do you know your systems have the latest anti-virus updates and signatures?  Obviously, anti-virus is a reactionary tool that typically fares poorly in detecting new malware, but keeping out the old stuff is important too.
  4. Do you actively look for compromised systems?  How do you manage event information?  Do logs come in to a centralized location that can be indexed and analyzed, or do you really believe an analyst is manually looking through millions of log events each day?
  5. Understand where your attacks are coming from and take action.  Look for weaknesses in your defenses and fix them, or provide some type of compensating controls.  Learn from compromised systems and the information already available to you from IDS, SIEM, logs, etc.
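Items 1 and 2 above boil down to a reconciliation problem: the asset inventory, the patch-management system and the installed-software records each tell part of the story, and the "checks and balances" are the places where they disagree. The following is an added example, not code from the original post, that cross-checks the three and reports hosts that have no patch coverage, hosts whose agent has gone quiet, assets the patch system knows about but the inventory does not, and applications (not just the O/S) below a required version. The host names, application names, version strings, dates and the 7-day staleness window are constructed assumptions.

```python
"""Reconcile asset inventory, patch-management check-ins and installed
application versions to find blind spots in patch coverage.

Added example (not from the original post). All hosts, applications,
version numbers and dates below are constructed for illustration.
"""
from datetime import date


def parse_version(text):
    """Turn a dotted numeric version such as "9.3.0" into a comparable
    tuple. Assumes every component is numeric; "9.3" < "9.10" correctly."""
    return tuple(int(part) for part in text.split("."))


def reconcile(inventory, checkins, installed, required, as_of, max_age_days=7):
    """Return a sorted list of (host, category, detail) findings.

    inventory: set of host names the organization believes it owns
    checkins:  {host: date} of the last report to the patch system
    installed: {host: {app: version}} from a software inventory
    required:  {app: minimum acceptable version}
    """
    findings = []

    # Check 1: every inventoried host must be visible to patch management,
    # and must have reported recently enough that its state is believable.
    for host in sorted(inventory):
        last = checkins.get(host)
        if last is None:
            findings.append((host, "no-patch-coverage",
                             "in inventory but never reported to patch management"))
        elif (as_of - last).days > max_age_days:
            findings.append((host, "stale-checkin",
                             f"last check-in {(as_of - last).days} days ago"))

    # Check 2: the reverse direction. A host that reports for patches but
    # is not in the inventory is an unknown asset someone should own.
    for host in sorted(set(checkins) - set(inventory)):
        findings.append((host, "unknown-asset",
                         "reports to patch management but is not in inventory"))

    # Check 3: application-level minimums, because O/S patches alone are
    # not the whole picture. Apps not installed on a host are skipped.
    for host in sorted(installed):
        for app, minimum in sorted(required.items()):
            have = installed[host].get(app)
            if have is not None and parse_version(have) < parse_version(minimum):
                findings.append((host, "outdated-app",
                                 f"{app} {have} < required {minimum}"))
    return findings


def run_example():
    """Constructed data: four inventoried hosts, one stray lab machine."""
    inventory = {"ws-01", "ws-02", "ws-03", "srv-db-01"}
    checkins = {
        "ws-01": date(2010, 2, 18),
        "ws-02": date(2010, 1, 5),      # agent has been silent for weeks
        "srv-db-01": date(2010, 2, 17),
        "lab-09": date(2010, 2, 18),    # not in the inventory at all
        # ws-03 never appears here: it has no patch coverage
    }
    installed = {
        "ws-01": {"os": "6.1.7600", "reader": "9.3.0", "browser": "3.6.0"},
        "ws-02": {"os": "6.1.7600", "reader": "9.1.0", "browser": "3.5.7"},
        "srv-db-01": {"os": "5.2.3790", "dbms": "10.0.2531"},
    }
    required = {"reader": "9.3.0", "browser": "3.6.0", "dbms": "10.0.2531"}
    return reconcile(inventory, checkins, installed, required,
                     as_of=date(2010, 2, 19))


if __name__ == "__main__":
    for host, category, detail in run_example():
        print(f"{host:10} {category:18} {detail}")
```

The point of the example is that none of the three data sources is trusted on its own: the inventory says what should be patched, the patch system says what it can see, and the software inventory says what actually sits on the box. Feeding these findings into a ticket queue, rather than a report nobody reads, is what turns the list into a process with checks and balances.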

Show that information security provides value without resorting to scare tactics, or else you become the “boy who cried wolf” and ineffective in your long-term efforts.

2010 Information Security Predictions

I may as well get on the 2010 prediction bandwagon.

1.  With the rush to get into the “cloud”, businesses will sacrifice security for the promise of efficiencies.  Attacks will be focused on the applications placed in the cloud, not necessarily the underlying OS infrastructure.  I predict there will be a large compromise of information stored in the cloud this year that will disrupt business processes for several businesses.

2.  The big talk about “cybersecurity” that comes from the Obama administration will be nothing more than talk.  Action taken will have little impact as the new Cybersecurity Czar/Coordinator has little authority to implement necessary changes in national information security.  This is most likely because of the pure volume of important “initiatives” being taken on by this Administration that will result in some areas, cybersecurity in this case, receiving less attention than required.  This isn’t a dig on the Administration, merely an observation that issues in terrorism, healthcare, economy, etc. will take precedence over fixing the cybersecurity issues facing the U.S.

3.  I predict there will be an even larger breach than what we saw with Heartland Payment Systems last year.  The financial motivations and organization surrounding cybercrime make this type of criminal activity very profitable.  Attacks are being perfected while the resources to defend against such attacks continue to be too thin in most organizations.

4.  Mobile platforms will be the target of attacks this year.  The proliferation of iPhone/Blackberry and availability of mobile applications will prove a fertile environment for malware writers.  As more of these mobile devices are integrated into both business and personal worlds, the target will simply get too big to pass up.  Expect 2010 to be a big year for mobile attacks.

5.  With major attacks taking place in 2010 and, hopefully, an improving economy, the investment in information security will improve.  Specifically, there will be some growth in the need for both skilled technical staff and leadership positions where the ability to understand the business environment is emphasized.

I’ll be interested in seeing the twists and turns that are inevitable in the cybersecurity world and how organizations adapt to such a dynamic environment to protect sensitive information.  Good luck in 2010.

Social Networking – “Loose Tweets Sink Fleets”

Social networking has enhanced collaboration for many companies, but it creates a risk of employees sharing intellectual property or other strategically important company information with outsiders.  This certainly places an increased burden on strategically aligned CSOs, who must balance the need for security with business goals and objectives.

The Global State of Information Security survey, produced by PricewaterhouseCoopers in conjunction with CIO magazine, demonstrated a growing concern over the risks associated with social networking.  While monitoring technologies can help within the company borders, access to social networking sites such as Facebook, Twitter, and Myspace falls clearly outside the watchful eye of security technology.

This then becomes a cultural issue, tackled primarily with user education and security awareness programs that emphasize that information provided on social networks is in the public domain.

Bill Brenner, Senior Editor with CSO Magazine, published the “Seven Deadly Sins of Social Networking Security” back in June of 2009.  Brenner lists these social networking sins as follows:

  1. Over-sharing company activities
  2. Mixing personal with professional
  3. Engaging in Tweet (or Facebook/LinkedIn/Myspace) rage
  4. Believing he/she who dies with the most connections wins
  5. Password sloth
  6. Trigger finger (clicking everything, especially on Facebook)
  7. Endangering yourself and others.

While social media is a fantastic method to share information and collaborate, it’s important to consider the content of what you’re posting to avoid risking your company and, more importantly, yourself.  Remember the final 5 tweets of Harold Wigginbottom, Tech-Savvy CEO:

CSO Magazine, May 27, 2009

Help your employees.  Help yourself.