So if you haven’t had an interest in Wikileaks, related individuals, the classified information that was leaked to them, and the people that did it, let’s get you caught up.

First, I would suggest the long New [...]]]> Current events have put into keen focus the balancing act between privacy, data controls, the reason secrets are kept, and ethics.

So if you haven’t had an interest in Wikileaks, related individuals, the classified information that was leaked to them, and the people that did it, let’s get you caught up.

First, I would suggest the long New Yorker piece on Julian Paul Assange, the ambassador and frontman of sorts for Wikileaks.

Then perhaps you can review the breaking news threat in Wired here, here, here, and here.

The 2600 Magazine synopsis here.

The Wikileaks video from 26c3. My commentary about those conference talks is here.

Really what’s happening here is a conflict of principals. Lamo informing on Manning to the feds is an interesting character distinction in a difficult situation.

This has moved from an example of the tipping of a balancing act between the two separate philosophical ideals of do no harm and that information should be free to one of polarizing schools of thought last weekend. When Manning told Lamo that he was hoovering up compartmentalized information in bulk and throwing it to Wikileaks (I paraphrase), Lamo seemed to reach his tipping point and turned him in.

I have respect for both ideals at play in the 101 write-ups already up about this, a lot of the reactions to it smacks of confirmation bias and radical honesty which prevents me taking some of it’s points very seriously. Taken to an extreme, my view is that these notions undermine diplomacy, privacy, free enterprise, and the rule of law.

Risky Business made an interesting characterization on their podcast that Wikileaks is not a journalistic organization. “You can be an activist or a journalist, but you can’t be both.” The concept of a shield for whistleblowers and journalists is an interesting one and one that I find appealing about Wikileaks. Being a hacktivist is also interesting but is rarely legal. Based on Manning’s chat logs, it’s clear that he went out of his way to gather sensitive data stored places where he did not have ready access and send it to unknown persons overseas.

The uncertainty of who processes that data at Wikileaks is part of what raises concern about the organization to Lamo and to United States agencies if I read the tea leaves correctly.

Interestingly enough, people like Assange feel entitled to picking and choosing what rule of law they follow. I would like to hear which set of laws that he and his organization feel are applicable to them.

The hacker culture ideal of “no more secrets” is great until you realize that it’s hard to have a meritocracy. Maybe it’s impossible.

Will Gragido and myself are going to give a talk sometime about our vision of the ideal natures of our industry. He, speaking about his ideal of a sort of modern bushi, and my taking the other side of the coin of the measured agitator. Samurai vs ninja; mod and troll.

These two archetypes, the one of honor and responsibility and one of instigator and agitator for change are what I see as being the key roles for success. The philosopher warrior and the maker of effective change; innovator and practitioner.

—

The individuals with our skillset in our industry are usually tasked with safeguarding of data people think is important.

Because of who we are and what we do on a daily basis, most people in this industry develop a highly refined sense of risk and of others maturity for dealing with risks and secrets. Would you ever want to employ someone to keep your secrets that wears one of these t-shirts?

I’ve only read my clients email when they have specifically requested that I do so. Why? Because I’m not a prick who betrays the responsibility that has been entrusted to me. It is my job to secure and safeguard data, not be entertained by it or share it irresponsibly or indiscriminately.

In the end, Manning betrayed the trust and oaths that he took to his employer and nation, the United States. Did he do this to serve what he perceived as a greater purpose? I guess I’ll look forward to learning his answer in court documents and in his lecture series and book on the subject when he pulls a Mitnick later on when he gets out of prison.

Meanwhile, Lamo continues to entertain the whirlwind. It should be an interesting HOPE and Defcon this year.

Related posts:

1. Software liability

I’ve had even less time to myself than usual lately so let me apologize in advance for not separating and expanding on my speaking [...]]]> This is a super high level presentation about basic threat modeling, SDL, and why a proactive stance is better than a reactive. I thought that it was fun.

I’ve had even less time to myself than usual lately so let me apologize in advance for not separating and expanding on my speaking notes from the deck like I have in the past. To make up for it, please feel free to use this deck if you are introducing SDL to your team(s).

Download file formats:
pdf
keynote

It was my hope that I could help out a little by giving a talk on my take of how our industry can best navigate during these [...]]]> The current field of information security is largely one of arcana, vagueness, arbitrary views, philosophy, mountaintop sages, a general lack of reliable data, and legions of vendors selling “best practices.”

It was my hope that I could help out a little by giving a talk on my take of how our industry can best navigate during these turbulent and weird times and come toward relevance and transparency.

That’s enough of a preface. Here’s the talk I gave at the Seattle NAISG meeting this month.

Opening slide

I started this talk with a brief clip of the last two minutes of Bruce Potter’s opening to Shmoocon 2010.

The whole video is available here. Other Shmoocon media is available here. My poor quality two minute clip can be found here.

Do you find this kind of talk discouraging? Do you take it personally? I do.

This is what I said when I was watching the streams.

Is this really the state of data in the information security industry?

So Bruce says that we’re “Failing at our jobs every day.” Does he has a point. I think that he does.

Largely information security, and at times IT in general, has not been relevant or contributing to IT goals. We’ve been largely thought of as a cost center or a hole that you have to dump money into to avoid not being in compliance and possibly going to jail.

Since we have been unable to have effective communication with business and larger industry, we have spawned the technology compliance industry as a byproduct of our failures to have a meaningful dialogue and back up our assertions with data.

Half of the problem here, I believe, is one of basic terms. Some people I have met think these things mean the same thing. Some other people are attached to some kind of security warrior monk philosophy where they are honor bound to defeat all insecurity and risk no matter the cost.

This is not how the world works. This is not how a successful risk management program works either.

It is about what is in the best interest and practical means of the organization.

There has been some unnecessary drama in PCI lately. The crux of the disagreement on conference panel discussions and elsewhere really boils down to this:

Compliance is not a governance model.

PCI exists because without it, some environments would not take the minimum steps to secure their data. PCI is a whip to those lagging behind on the bell curve industry average.

I have been informed recently and from a quality source that the average PCI assessment costs between 250k and 500k on average. These funds are straight out of IT and/or security budgets. These are funds that could be used to improve a security program instead of spinning the hamster wheel of pain.

So in effect, PCI punishes security programs that are already at the minimum standard and causes even greater problems for leaders the information security space who are being proactive and doing the prudent thing in that, depending on the QSA firm/consultant retained, there may be a disagreement on the compensating controls in place or visionary risk management decisions made.

But compliance has improved things, right?

Sadly, no.

A paper by Forrester Research, commissioned by Microsoft and RSA, the security division of EMC, found that even though corporate intellectual property comprises 62 percent of a given company’s data assets, most of the focus of their security programs is on compliance with various regulations. The study found that enterprise security managers know what their companies’ true data assets are, but find that their security programs are driven mainly by compliance, rather than protection. — Threatpost

In short: we are protecting the wrong things and we know it. Why are we doing it this way? Because we have failed to have a relevant conversation on risk as an industry for too long, now others are doing it for us.

Additionally, PCI is now considered a stream of revenue not only to auditors, but to the card issuing industry in general.

Think about what this means.

QSAs pick the fruit from the money tree, but the roots are the card issuers. The tree is going to get bigger and its fruit heavier.

So let us review the hamster wheel and its many problems.

We should be proactive, not reactive. We should lead the discussion with the rest of IT in what the data means and what to do about it instead of who is to blame for a gap in an audit map.

I boldly contend that no hamster wheel effort is a governance program as it is detached from the other processes at work. If an auditor is finding systematic flaws in your governance program, something is very wrong.

Please post your disagreements in the comments.

Process should yield something. The result of an information security program should be an increasingly favorable risk position, not a new process to keep everyone busy as a cost center.

A risk management program should not enforce the status quo. It should produce data and discussions should be based on that data when it is new and not at the next quarterly, yearly, or root cause failure meeting.

If you are not being proactive by designing tests for development, finding configuration and application errors, and assessing your threat and architecture landscape, you are not running a governance program. You are likely only compliant.

Focus on what is possible, not what is allowed. Do not overly rely on any one mechanism or technology to protect you. Test or evaluate each piece of your architecture (defense in depth is good plug here) on its own. Better yet, find a way for it to prove that it is working. Collect this data for your compliance people and those whos work product has generated what it is measuring.

No one should have a problem with data in itself. If rewards are given to those trying to figure out who to blame for problems instead of correcting the problems themselves, something isn’t working right.

Other toothless and unsupported maturity models and governance frameworks are not much better off than just relying on arbitrary standards and compliance efforts.  They need someone to have their back and have real consequences baked in.

Risk management is the yin to the yang of quick-deploy-and-fix-later-maybe philosophy.

This is the same fight that quality assurance had twenty years ago and won. We have the same battles to make on the very same ground. All of the statistics about security flaws in software and systems are out there and undisputed; bugs are inexpensive to fix inline with development and orders of magnitude more expensive to fix later on.  Choosing a fundamentally insecure architecture to base your business on and then using piecemeal efforts to mitigate risk after the launch is also a pretty bad, but common, idea.

The business decision is the weighing of the risk of opportunity to get to market first and viability of the business due to flaws after launch. To feed this decision, we need to give the business straight forward information and not snake oil, fear, doubt, or frantic hand waving.

Frameworks at least put leadership for security issues at the table instead of a project footnote, but is it enough?

We need more data, to be credible based on this data, and we need to be backed by executive leadership based on our credibility and data.

We need to stop being the philosopher sages of IT and start having actual justifications for the methods and solutions we, as an industry, are advocating employing.

If we don’t do these things, how do we know if we’re doing a good job?

We need to collect and share data.

Part of the big compliance discussion has been the argument of “they were breached, so they must not have been compliant at time of incident.”

What do you say to that if you don’t have a lot of data backing up your risk management decisions?

Some schools of risk management dismiss all measurements as arbitrary and worthless. I don’t see how they can call themselves risk managers at all unless they base their decisions on at least the attempt to take a proactive stance by measurement and estimation instead of the baseline of the minimum standard of not being provably negligent.

Not surprisingly, there is a variety of opinion even on this.

Mike’s argument in favor of Donn and mountaintop sages.

Adam’sAlex’s argument against mountaintop sages.

Also Alex’s talk about why we’re hosed having to pick between the two (and more).

There is a lot to win by being in a leadership position in reducing the number of flaws and inefficiency in an environment.

Here are some more wins.

..and a few more.

Much of this is based on an ITIL model and the IT Process Institute’s findings which they would like to sell you.

We had better figure this out soon before our environments get too complex for us to manage or assess.  If we’re not there already, we’ll be there soon.

I contend that part of risk management is the ability to simplify and optimize. Do things for a reason and have some data to justify it.  Don’t just to things because some other people you talked to at a conference once said it was a good idea or because it was in a magic quadrant in a leadership document you bought from someone else.

I thought that this was a good quote.  Here’s a lot of Kabay’s work.

We, as an industry, have really talked about this for a very long time without much achievement.  Most of the commercial product space hasn’t been interested and we haven’t made them be interested.

Most talks I hear stop there. So what do we actually do about it?

Not only should we transparently collect and base our decisions on data, but we should do it in a way that doesn’t make us look like a bunch of egotistical babies.

Work with people to improve things instead of Conan the Barbarian approach to program management; use the carrot instead of the stick.  Help fix problems instead of just complaining how everything is trash and broken.  Make some friends instead of beating them over the head with the compliance hammer.

Make things better.  We can do it.

Here are some new sources of traditional metrics:

• CIS
• ISO
• NIST

You should be aware of them because people talk about them a lot. They might not be very useful for you, but at least you’ll have something to talk about.

Things that are generic to the entire IT world may not be interesting to the place where you are working. If it’s not interesting to people in your realm, they are likely useless.

I think I totally lifted these two slides from a Metricon talk as I completely don’t talk this way. You should read all of the Metricon talks. They are all interesting and we don’t hear enough of this kind of talk.

Instead we have people wondering where they can click for regulatory compliance or if they can buy Compliance as a Service. [CaaS]

This is straight out of the NIST document. It’s what they’re working on.  It’s worth knowing where your tax dollars are being spent.

..and I’m back with basics on what makes a good metric.

Metrics should be inexpensive. This means automated generation and gathering. This removes collection as a major source of errors and puts the “it magically happens” sense of wonder into the system.

Metrics should be interesting. If they’re not relevant, why did you bother collecting them?

Maverick metrics!

Verizon Business is pretty cool for releasing, not only the data, but a framework so that you too can release like data.

Awesome. Please everyone, do more things like this.

So you want to have a relevant metric program and not only show what empirically needs to be improved, but to show people why they should keep you around and continue paying you money?

Glad to hear it!  It’ll be useful, I promise.

Some things are hard to measure, but people have found ways of finding indicators of symptoms anyway.  A great example is of public health metrics.

Another tricky example is financial risk management because everyone finds money to be interesting.  Those models are usually an entire talk in themselves and it’s been done many many times.

If you have tools, working reporting methods in your organization, and/or a framework to make use of, make things easier on yourself and use what you have available.  Don’t make perfect the enemy of good.

Any tricks you can use to make information intuitive and digestible should be used.

Infographics are a good way to do it. Scorecards might work too.

Report only what is of interest and present solutions, not huge lists of problems. Keep the data that derived these interesting bits around in case someone wants more information.  Use data to make your case for why you have come to these recommendations, conclusions, policy decisions, or staffing levels.

Data is the answer.  It is the way.

So you want a metrics program but don’t know where to start? I have a couple of things for you to try.

First, think about what data sources you have around. Read this talk. Do you have application data or logfiles? What about a SIEM? Chances are you have loads and loads of data sources from which to glean metrics.

Ok. So how do you do it?

Look at some business intelligence software. There was one talked about at Metricon, but I suspect that I may like this one more. This may be just because they have a cool demo and can grab data from a variety of sources.

Don’t have a SIEM? Try playing around with the free license of Splunk.

Can’t figure any of this out? I used to work with a guy who started a company to help you out called Bitwork. They can give you metrics gleaned from your internal data and delivered in a SaaS model. Tell them what you need and let them figure it out for you.

Did you read this far? Cool!

I was a little unhappy with how it turned out as I thought that it was a bit vague and confusing, much like the current state of the industry, but I was told that many in attendance enjoyed it. Good enough.

Here’s some resources and additional reading.

CIO Mag: The Metrics Trap

Security Metrics: Replacing Fear, Uncertainty, and Doubt

Information Security Management Metrics: A Definitive Guide to Effective Security Monitoring and Measurement

securitymetrics.org and Metricon.

Truth to Power

A big thanks to the many people who were kind enough to discuss this topic with me for untold hours.  I appreciate it!

Related posts:

1. Agile Infosec
2. ITCi 2007
3. The Politics of Respect

Information Classification

Because of my work, classifying information comes as second nature. I have two separate and non-intersecting information streams. You are reading part of one of them.

100% of the talk about people on social [...]]]> In this brave new internet world (as of about 1995), I’ve been thinking of my personal information sharing generally as public and private.

Information Classification

Because of my work, classifying information comes as second nature. I have two separate and non-intersecting information streams. You are reading part of one of them.

100% of the talk about people on social networks and things going horribly wrong are people who don’t make clear distinctions between the public, professional, personal, and social aspect of their lives. Getting into etiquette with social networks can be tricky. I find it best to, as a rule, separate business and pleasure.

Partial Disclosure

Public information is available for anyone in the world to read. I put it out there so that people can learn a bit about me.

The reason I started writing things in the public eye is because I realized that if I didn’t define myself and give people something to read who didn’t know me, someone else would. This is the same reason that I don’t publish raw slide decks of my presentations, but I put my speaking points intermixed with the slides in a blog posting. Text based communication loses a lot of intent and inflection, so I try to make up for it in this way.

I didn’t want to have a blog. Once upon a time, when I was younger (and even more naive), I thought that I could get by on merit alone; I believed that if I did good work, my work would be recognized for and stand on its merits. I read things like The Fountainhead (watch the movie) and took from it “Oh! If I do good work and work toward my own sense of excellence, I will triumph in the end!”

I don’t think so anymore.  I think success takes more than merit.

Not only do you have to do good work, but people need to know about it. You need to help people directly, impart lessons you’ve learned without being an arrogant jerk, and sell them on why a good solution is better than a thought-to-be-sufficient solution.

Blogging

When Livejournal came out, I thought that this was lame in the same way Jennicam was lame. My conclusion was that blogging was about media and attention seeking. I didn’t have a need to have a public blog for people who didn’t know me could learn tons about me without my knowing them.

More importantly, it wasn’t interesting.

I found it massively egotistical that anyone would want to know what I bought at the grocery store or ate for lunch. I didn’t understand sharing of the mundane. Clearly many people do not share this opinion today.

The stuff I put on my blog are my presentations, the way I manipulate data for my own uses when I haven’t seen it represented in my way previously, or my attempts to explain the poorly explained. The ideal that I aspire to is “I wouldn’t find it interesting to read, I don’t write it.” I imagine that might come off as rampagingly egotistical at times, but I really make an effort not to be. I laugh at myself and at life as much as possible. It’s pretty ridiculous a lot of the time. My work tends to be very serious and can effect, in a real appreciable way, the lives of others. I take it very seriously. When people do important work badly, I can take it as a personal affront.

I would like to post more, but too much of it is sensitive, under contractual obligations, or in personal confidence. Unlike many people that do not share my views, I can’t disclose in good faith.

Social networks

What I find interesting about social networks, and by that I mean mostly Twitter and Facebook, is that it can introduce a gray area between public and private information; a social periphery of information that busy people share in order to keep in touch with people they think are cool.

That’s pretty much how I view a friends list; “These are people I think are cool.” If I would invite you to an informal party is my general baseline for inclusion into my social network.

Twitter: Low attention span blogging and random link sharing.

Bad Penny: Informal writings, past sharable presentations, and general information sharing of things I find interesting.

Facebook: Fun people that I associate with socially.

LinkedIn: People I have done business with or know professionally that I would vouch for. Yes. I really do know all of those people and have had dealings in the past.

Be Cool

As any good rule, it is proven by its exceptions. Excessively cool people are allowed to break most rules.

My advice to everyone: be excessively cool and don’t take things seriously that do not merit being taken seriously.

Life is too short to be taken seriously. — Oscar Wilde

Work and play are words used to describe the same thing under differing conditions. –Mark Twain

In every real man a child is hidden that wants to play. –Friedrich Nietzsche

Humanity has advanced, when it has advanced, not because it has been sober, responsible, and cautious, but because it has been playful, rebellious, and immature. –Tom Robbins

Necessity may be the mother of invention, but play is certainly the father. –Roger von Oech

Related posts:

1. New Facebook private features
2. New Nettiqute: A simple guide to communicating with your favorite geeks.
3. I judge you: A social networks commentary

As per usual large non-technical business operations, and I feel that I must classify Comcast as such, they launched a product that [...]]]> After a few years of avoiding the cable industry, I went ahead and signed up for Comcast Highspeed2Go, a new bundled service where they resell Clearwire and combine it with conventional broadband home internet service.

As per usual large non-technical business operations, and I feel that I must classify Comcast as such, they launched a product that they could not support. I spent a few hours on the phone with them attempting to figure out why they disabled wireless cards they sent me. They sent me a total of three cards and then disabled each of them after about a week.

This last week I didn’t feel like giving Comcast another two hour free tech support call and sent all of their wireless gear back to them. Previously I spent a few hours talking to people in attempts to navigate their broken process in order to get home service installed and activated.

The time of a consumer seems to be a free resource according to Comcast. They have a robodialer calling me now asking me to call some number. No thanks. I’m already at my quota for time wasted talking to you guys this month. I’ll be happy to pay you when you send me a bill consistent with our agreements.

This is nothing new. Back when I managed leased lines from telcos, I eventually found a backchannel into their top tier of support to get recurring and completely preventable problems resolved. I monitored their uptime. I reported their outages. I gave them their remediation process. If I didn’t, the business that I worked for would suffer.

Usually I assume good will, but my experiences as a consumer and as a professional with Comcast in particular point in another direction.

My point here is that branding is considered more substantial than service. I’m sure this is a business decision that was made when they worked the numbers and determined that giving five 9s of uptime and quick problem resolution was more expensive than just running more commercials, forcing out competition, suing municipal projects designed to give an alternative, and having the illusion of support on Twitter.

In an upcoming white paper, some associates and I will be discussing some aspects of this issue. Sometimes quality of service and streamlined operational works matter. Occasionally a company makes a business case for giving good service and honest commitments. Invariably, they are purchased and wrapped under one of the huge brands to be forgotten after their customers are re-absorbed into the amoeba of near-monopoly mediocrity.

This seems to be the new model for innovators and people who are good at their jobs:

• Find an unmet market need to improve
• Do it better, faster, more reliably, or with pretty colors
• Get bought out and paid (mostly) in stock
• See your business die at the hands of the insiders that can’t improve themselves
• Move on to something else

Where does this leave the market? Large non-agile organizations who are prone to mismanagement buy all of the intellectual property and use political influence and bare-knuckle market pressures to keep themselves on top of the heap.

Result: the market and consumers suffer.

See also the current state of patents, software and otherwise.

Some services and systems should not be held to the minimum standard of MBA business sufficiency where any excess money spent past the point where the customer will not fire the vendor is waste. My experience tells me that the standard of five 9s is generally becoming a thing of the past. Huge websites turn themselves off for multi-hour maintenance routinely with no notice. Cell phone providers incur day-long nationwide outages. Cable companies turn down a variety of services without warning or notification for undetermined amounts of time.

No standard of service seems to be the preeminent emerging standard of service. The myth of the disposable worker is in full effect here.

I’m seeing this as a market opportunity for service providers. I would wager that consumers who can pay will pay to not talk to these people. That was the Speakeasy sales model when I was their consumer in the past:

We’ll provide you with DSL service and you won’t have to talk to any incompetent jerks. Pay a little more a month and it’s completely worth it.

Speakeasy could compete with Covad and Qwest offerings (even though they resell the both of them) because the big guys do such a bad job of taking care of their customers. Qwest and Covad are on board with this Comcast consumer model.

These MITMing businesses should increase as this continues since real competition is not currently allowed to occur simply because consumer time does have a value that is not being addressed.

The cable and other telcos had better watch out that they don’t kill their own markets. As soon as a fast data alternative comes along, be it from Google, a national broadband plan, or fast unlimited wireless, all of their business models are toast.

Keep it up, guys. We’ll see you in the technology deadpool soon enough.

Related posts:

1. Comcast Wimax
2. Phone followup (again)
3. BBB complaint: Vonage