April 9

Are We Losing More Freedom?

It’s been a few weeks since I last posted on here….sorry.  I have been a little caught up in prepping for my CISSP exam (which I passed) and then catching up with school work that I got a little behind on.  Well I am back and  I will do my best to keep this up do date, (at least bi-monthly).  This weeks post is actually something I did for a discussion board in my IT Ethics class but, it is something I feel strongly about and am fine with sharing this with the world.

Enjoy.

Do you like to speak you mind? Have you ever had an opinion about anything that isn’t in line with the “popular” opinion?  Would you like the government and/or the powers that be to tell you what you are allowed to say and read online?  Whether you are a conservative or a liberal, an anarchist or a conformist there is a damn good chance that you will say no to these questions.  Anyone would be hard-pressed to find someone who wants the government to have even more control over their freedom of speech and expression.  A large part of why this country was founded was to gain this right back and keep it.

All of us have seen those giving speeches, writing articles, posting tweets and just about anything else that exists saying that we need to limit these rights “to protect the children,” or “protect national security,” or for about a hundred other reasons.  Our freedom of expression was very carefully covered in the first amendment of the constitution.  According to Cornell University, “The First Amendment of the United States Constitution protects the right to freedom of religion and freedom of expression from government interference.”

As American citizens it is our duty to stand up for these important rights and do everything in our power to stop politicians and special interest groups from taking these rights away.  There have been several recent bills that have been attempted in our government’s “hallowed” halls, such as SOPA, and PIPA.  This is not mention currently active acts that were passed through under the guise of “protecting America’s interests” such as the USA Patriot Act and Europe’s “Right to be Forgotten” laws.  If you care about your freedom take a minute to visit the Electronic Frontier Foundations (EFF) website or follow EFF or the ACLU on Twitter to keep apprised of the latest attacks on our freedoms so you can do your part to fight back.

February 27

Do Your Job, or the World Will End in Flames

Ironically, just a week after posting my last blog (The Sky is Falling: Maintaining Optimism in the Face of Doomsayers) there was a long form article positing the opposite standpoint on Ars Technica.  The article in question is called “Cybergeddon: Why the Internet could be the next ‘failed state,’” and it discusses at length the report released by Jason Healey, director of the Cyber Statecraft Initiative at the Atlantic Council of the United States.  Healey’s report details the possible future of the internet.  While Healey is careful to indicate a few bright spots in the future prospects for the evolution of the internet, the overall tone is gloomy.

Healey has performed detailed analyses of trends in internet security which have led him to conclude that the internet as we know it may not survive much longer. While his assumptions and analyses are have merit, I have to at least hope that the future is less bleak than Healey paints it.  People have been prophesizing the end of the internet in one form or another almost since its inception.  While this report has more solid research on which to base its claims than do some other theories on internet apocalypse, it may not be the final word on the subject.

The current status quo of the internet is reasonably relaxed.  We use it almost constantly and feel safe shopping online in relative security, reading our emails without undue worry over who else can see them, and checking Facebook to see what antics our high school friends have gotten up to in the last forty-five minutes.  We spend our days watching YouTube and arguing on Twitter about what color a dress is (Team Blue, all the way).  The World Wide Web that we rely on is fairly safe, just like the neighborhood your parents grew up in.  Sure there are criminals and every week we hear about some major security breach, but generally we are safe if we are smart.  But is all that about to change?  Just as our children have lost the freedom to roam the streets in packs on bicycles that our parents enjoyed, may we be about to lose the freedom to proclaim our allegiance to Team Blue or order our cat food from Amazon without threat of identity theft?

Healey has laid out five possible scenarios which he believes represent the possible future of the internet.  They range from “paradise” where security has gotten so good the only crime online is from the elite hackers of the NSA or nation-state sponsored teams.  Otherwise crime in this projected future is so difficult to achieve on the web that it simply goes away.  The likelihood of this, according to Healey’s report, is very low and I would tend to agree.  The other end of the spectrum is what he called “Cybergeddon,” wherein the state of the web is compared to a failed state in which control of criminal elements is impossible and the internet descends into madness and anarchy, perhaps with flames and hardcore punk in the background.

The Ars Technica article linked above is worth a read, particularly to understand the three remaining projected futures.  Time does not permit me a detailed discussion of all of these, but suffice it to say they cover eventualities that fall somewhere between the aforementioned extremes (continuation of current conditions, segregation of the internet, and a slightly toned down version of Cybergeddon).  You can and should take a look at it for more thorough information.  However, I would like to reiterate my call to optimism.  As a security professional, especially working on the offensive side like the bad guys, I am fully aware that the criminals have more and better ways to breach networks than we have to protect them.  Instead of burying our heads in the sand and bracing for the end of the web as we know it we need to find new ways to fight.  There are endless ways to attack a network, endless ways for bad guys to “think outside the box” and gain access to the money or data that they want.  That means there are at least as many possibilities for protecting the web and the computer systems we have all come to love and rely on.  Instead of accepting that they have the leg up we need to start to break down the rules and walls that are holding the “good guys” back.

We need to fight for our ability to change the face of the war that is taking place right now.  All through history the generals that were willing to break the mold, think outside the box, and even use tactics that were questionable at the time, are the ones that have succeeded over and over again.  We need to fight to convince our clients and employers.  We need to be the ones that have the leg up.  It will require us to work harder, to do things that stodgy businesses will balk at, but it is what will win.  The Fortune 500 Company that refuses to allow a pentesting team to do whatever it takes is going to be the first one to fall to a criminal attack.  Stop putting leashes on the security professionals, stop bowing to pressure and wasting your time duct-taping broken security models.  It is time for us to break the old security models and build new ones with new ideas, then break those with even newer ideas so we can constantly improve.  Constant improvement of security is regularly taught but rarely actually practiced.  It is time to fight, time to break things.  Prevent Cybergeddon.  Do your job.

February 22

The Sky is Falling: Maintaining Optimism in the Face of Doomsayers

This week proved to be highly eventful for the security community.  There have been major announcements and big revelations daily.  This week saw the revelation of the biggest bank heist of all time.  There was the announcement by Kaspersky about the “Equation Group” thought to be the NSAs elite hacker group.  There was even the discovery of some nasty malware that came pre-installed on consumer grade Lenovo computers.  These three announcements alone have been eye-opening for the security world, and there are two very distinct ways of looking at all of this news.  Either we could throw up our hands in despair at the realization that, despite all of our hard work, there is no way to stop these major breaches.  Or, as is hopefully the more common response, we could accept that we have a LOT of work to do and be grateful that there will be no shortage of job opportunities for the foreseeable future.

Personally, I am in the second camp, maintaining my optimism in the face of seemingly unsurmountable odds.  Despite the disheartening news and seeming inadequacy all of the controls we work so hard to enact, there is more we can do.  We have known for a long time that nothing is ever completely secure.  We have known that no amount of education and awareness training will keep users from falling victim to social engineering attacks.  More than all of that we know, as security professionals, that a determined attacker will gain access to their target’s systems eventually if they try hard enough for long enough.  This is not new information, though the amount of breaches being reported on can seem overwhelming.  For my part, I will continue to persevere in my attempts to keep my employers and my clients from being the next to experience a major breach.  With that in mind, I would like to briefly analyze some of the big stories of the week and discuss ways we can mitigate them.

First, the biggest bank heist of all time was announced this week by Kaspersky.  There have been a multitude of articles written about it, and a lot of analysis has been done as well.  One of the better assessments, as usual, was published by Brian Krebs.  He compared the breach to the notion of bleeding to death from a thousand cuts.  That is a perfect analogy.  These attackers strayed from the brash “hit and run” techniques that many of the organized crime related hackers based in Russia have been using for years.  They slowly and quietly infiltrated hundreds of banks.  After gaining access, they did not just steal a large sum of money and run.  Instead they just waited and watched until they understood the day-to-day activities and transactions.  Once they understood these rhythms, they made relatively small and unobtrusive money transfers that did not set off fraud alerts.  Their success with this strategy netted them somewhere around $10 million from hundreds of banks around the world.  This entire process started with phishing emails.  We as security professionals need to figure out new methods to detect this type of activity which gives us plenty of work to do in the near future.

Secondly, and possibly more disturbing, has been the revelations regarding the “Equation Group.”  This groups of highly sophisticated hackers has been able to successfully infiltrate any target.  It is thought that they are actually one of the elite teams that are part of the NSA.  This seems likely as many of the tactics linked to them are very advanced and would likely have required substantial resources only available as part of a state sponsored program.  It is also clear from the report that the activities reported are not very new, many occurred in the last five years.  What we know about are the old techniques.  The latest and best tactics are surely still hidden well from everyone.  The only redeeming portion of this information is that all of these attacks were highly targeted and not likely to spread beyond their targets.  Also, this revelation has provided interesting new techniques for researchers and penetration testers to begin testing and employing.

That last announcement is not terribly surprising.  It has been known for quite some time that many “free” software packages and low-cost computers come jammed with junk ware.  It was only a matter of time until some of that junk crossed the line to full force malware.  We as a community need to take advantage of this news and use it as a learning opportunity.  The public needs to be made aware of these dangers and security companies have an opportunity to begin releasing software that will clean out all of the junk from new systems.  Lenovo is not the only company to fill their computers with advertising to save money.  They are simply the first one that let a piece of malware get included (that we are currently aware of).

So, despite the litany of bad news that has come pouring out lately, we are not out of luck.  We need to keep our heads up and remember why we got into the field to begin with.  There will always be big breaches.  There will always be scary news.  This is not an invitation to start ringing our hands and beating our breasts.  If security were simple and static, we would all be out of work tomorrow.  It is the dynamism of the field, its constant surprises and unlikely quicksand paths that keep our work interesting and challenging.  Rather than bewail our failures, we must use them as opportunities to expand our knowledge and sharpen our creative abilities.  The sky is not falling, Chicken Little.  It will all be okay.

February 13

On the Frontlines with No Armor

Security professionals and researchers operate in a no man’s land between ethical websites and their shadier counterparts.  In the dark alleys and back streets of the internet we are able to discover the tactics and trends that are informing the actions of the attackers we spend our days combating.  But what if the very act of gathering intelligence for this battle were considered a crime by those you were trying to protect?  Unfortunately, it is.  Simply by doing the necessary research to competently perform your job, you risk being placed on a variety of government lists of potentially dangerous persons.  Sometimes you may risk more than that.  Events over the last few years have proven that the chances you will be arrested for doing your job are higher than we might like to think about.

This week there has been some controversy on the web regarding passwords.  Despite this sudden spike in conversation on the topic, passwords have actually been a point of contention in the IT Security community for some time.  The current controversy spawned from the actions of a security researcher by the name of Mark Burnett who writes a blog on Xato.com.  Burnett risked incarceration to release 10 million passwords.   He felt it would be helpful to the security community to release all of these passwords along with the usernames associated with them for the advancement of password research.  The reason he was worried, and rightly so, was because of what happened to Barrett Brown.

In 2012 Brown was arrested, not for stealing passwords or even committing a legally actionable crime, but for linking to a data dump that was publically available.  Granted, this dump was full of tens of thousands of stolen passwords that Anonymous had posted on the web, but they were publically available.  Regardless of the fact that Brown was a journalist and not a criminal, the FBI arrested and prosecuted him.  He was eventually sentenced to 63 months in jail and an $890,000 fine (according to this EFF article).  Brown is still incarcerated at the time of this writing, though there is a large movement lobbying for his release.

This alarming precedent has frightened countless journalists and security researchers into avoiding writing about hacks or linking to data and has made them concerned for their own freedom.  Because of this, Burnett felt it was necessary to preface his release with a lengthy explanation as to why the FBI should not arrest him.  In my opinion, it is a disturbing day when researchers and journalists are afraid to be arrested for doing their jobs.

As has been leaked on sites, such as this document on leaksource.info, and talked about by EFF and the ACLU, government watch lists do not differentiate the bad guys from the good guys.   I assume that I am on at least a couple of these lists for researching hacking techniques, reading sites like leaksource.info and wikileaks, and other perfectly legal activities I have participated in.  I am particularly careful not to do anything illegal because I have a family and a job that I would like to keep.  I don’t have any need or reason to break the law.  In the security community, in order to do our jobs, we have to study and know what the bad guys are doing.  This means we have to go to sites that are specifically watched by the government.  It means we read publications that trigger watch list entries.  Even having used TOR will put you on their lists.

I am glad there are still researchers and journalists out there who will release and report on these topics or we would be far behind the bad actors out there.  I will continue to pursue my research, as part of my academic career, my job, and because it interests me.  If that means some bored analyst in a huge government building is reading everything I write then I hope he was amused by the Hamlet parody quote last week (courtesy of my wife) and I wish him a Happy Valentine’s Day.

So, don’t give in to scare tactics that frighten you into neglecting to do the research vital to maintaining your status in the field.   Keep up the good fight.  If it means we have to be on the same lists as the bad guys to stay aware of their trends and tactics, I am fine with that.  If it means that we have to be in the same prisons as them….well, then we really have a problem.  Given the importance of advancing the research in the field of information security, it is imperative that we enact legal protections for those of us who are engaged in the battle to stay ahead of attackers by monitoring and discussing their tactics in a forum of our peers.  The legal system must make it a priority to establish laws regarding the fair and legal use of available resources to further the knowledge of security professionals and researchers.  It cannot continue to prevent valuable research from being performed by setting legal precedent without reference to the rights of free speech for the press or the rights of professionals in the field to use reasonable efforts to attain information vital to the protection of private information.

February 6

To Certify or, Not to Certify

That is the question.  Whether ‘tis nobler in spirit to suffer the slings and arrows of being stuck in an administrative capacity  or to take up arms against a sea of job postings requiring proof of your knowledge and, by earning certifications, get them.

Let’s discuss certifications.  Which ones are worthwhile?  Which of them are hardest? Are any of them going to you help get a better job?  Most importantly, which require you to gain the most practical knowledge to pass (therefore benefitting you most in the long run by enhancing your knowledge base of useable techniques)?

The unfortunate truth is that certifications are big business.  However, most companies will pay IT professionals more if they have a few.  Depending on your area of expertise or the job you are shooting for, there are various paths that you can choose to take.  Since my focus is security and, more specifically, offensive security, this is the area on which I have focused in this blog post.

About 8 years ago I got lucky and was put into a position in the Army that eventually moved beyond its initial scope of administration into the field of IT security.  I was given a chance to be the Security Officer for a battalion, which led me to the decision to pursue a career in that field.  Up to that point I had been the network, system, server, and security administrator for the unit but had not yet been able to spend my time focusing on security.  I had earned only the CompTia Network+ certification which was required to have a domain admin account.  It was time for me to pick a certification path, and I chose to begin gathering the certifications necessary to advance my career in penetration testing.

The next logical certification for me to pursue at that time was the Security+, also offered by CompTia.  This is definitely a beginner cert that mostly requires learning enough to pass a 100 question test, but it was a great introduction into the field.  After this certification was complete I had gained enough knowledge about the sector to be able seriously consider the next steps in my path. I can say with certainty that there is no hard and fast route take, as there are a variety of options available.  However, these are the steps I took which seemed to best support my goals.

Since Penetration Tester was my ultimate goal I next sought the Certified Ethical Hacker (C|EH) from EC Council.  This too is a multiple choice type test that required me to learn some of the basic techniques of penetration testing in order to pass.  After this it was logical to pursue the Licensed Penetration Tester (L|PT) certification, also from EC Council.  In order to earn the L|PT you must first take and pass the EC Council Certified Security Analyst (E|CSA) exam.  The L|PT is a multiple choice exam as well that is essentially an extension of the C|EH and required a minimal amount of studying to enhance what I had learned for the C|EH.  To pass the L|PT you must take a practical exam requiring that you perform a full scale penetration test on a virtual system provided to you by EC Council and write a full report.  You have one week to complete the report and submit it.  This exam greatly helps aspiring penetration testers for the real job which requires frequent technical writing in this same vein.

As it stands, these are the certifications that I currently hold, but I do have two “in the wings” for which I have vouchers.  One is the eLearnSecurity Certified Professional Penetration Tester (ECPPT) which is similar to the L|PT in that it requires the use of penetration testing skills in a practical exam.  The first part of the exam is an actual pen testing exercise on a virtual network provided by eLearnSecurity.  The second half of the test, like the L|PT, requires that you submit a penetration test report to the examiners and with a pass or fail given based on your finding and reporting skills.

The other exam I am taking in the next couple of months is the Certified Information Systems Security Professional (CISSP).  This is a certification that I have seen required on a number job postings.  While it is not penetration testing specific, it is well respected and known as a tough test that winnows out the less knowledgeable.  This exam is likely to be most strenuous I have ever studied for and is known for being brutal.  When taking the exam you are given 250 multiple choice exam questions to be answered within a 6 hour timeframe.

A few other certifications that are on my target list and that some of my colleagues hold are listed here.  SANS has a plethora of useful certifications available through its Global Information Assurance Certification (GIAC) program.  Some of the more sought after are:  GIAC Assessing and Auditing Wireless Networks (GAWN), GIAC Penetration Tester (GPEN), GIAC Exploit Researcher and Advanced Penetration Tester (GXPN), GIAC Web Application Penetration Tester (GWAP). Finally, one of the most well regarded of the various “practical” exams is the Offensive Security Certified Professional (OSCP). This one is highly respected because Offensive Security is the organization that produces the Kali Linux distribution.

My path through certification has helped my career immeasurably.  With every certification, I have been able to take professional steps that have brought me closer to my ultimate goal.  The value of carefully chosen certifications cannot be stressed enough, and it should be noted that many companies are happy to help support employee education by underwriting part or all of the costs for getting and maintaining them.  The choices I have made with regards to gathering certifications have greatly influenced my career, leading me to my current position as a Penetration Tester for a major financial services firm.  I have no doubt that these next certifications will yield more opportunities for professional growth.

January 31

From Defcon to Schmoocon: Where Will Your Travels Take You?

As the first month of the year comes to a close it is time for those of us in the IT Security field to decide what we will do to fulfill our CPEs for the certifications we hold.   This is exciting because it means that it is time to start considering which conferences you plan to attend this year.  It’s not too early to start planning, since getting time off and applying for possible company reimbursement can take time and need to be planned well in advance.

If you were planning on going to SchmooCon, it is too late since that just happened last month.  However, there are plenty of others coming down the pipe.  The conference likely to be most noted, most well-attended, and potentially most fun this year, as every year, is Defcon.  Defcon was a blast last year when it marked twenty-two years since its inception, a fact that makes me and many hackers feel old.  Last year was also the final year for this conference to be held at the famed Rio Hotel and Casino, a blessing in disguise as it has clearly outgrown the facility.  This year and, according to the website (https://www.defcon.org), for several years to come, the conference will be hosted by both The Paris and Bally’s Casino and Hotel, right there on the luxurious Las Vegas strip. These double locations should provide the conference with ample space to serve attendee needs.  If you can only go to one conference this year I would recommend Defcon.  Tickets cannot be purchased in advance but were only $220 cash at the door last year.  You can, however, book your room with a special discount as of this week.  If you want to stay at Bally’s or Paris and be right in the thick of it, it would behoove you to book your room now.

There are plenty of other conferences that happen later this year.  Just before DefCon is Blackhat (https://www.blackhat.com), which is very expensive.  Therefore, many people only go if their employer foots the bill.  If they will pay I recommend this conference as it has many interesting talks and is a bit more professional and organized than Defcon has been in the past.  This does not necessarily mean it is more fun, but if you are able to get company cost coverage why not spend an entire week in Vegas and attend both conferences?  There is also the B-Sides Las Vegas Conference (http://www.securitybsides.com/w/page/12194156/FrontPage), which takes place just before Blackhat.  You could easily spend a week and a half in Vegas attending these three conferences.  B-Sides also has a plethora of other conferences all over the US and Europe, these are listed on their website.

DerbyCon (https://www.derbycon.com/) takes place this September (according to the website tickets may already be sold out).  There are several good conferences that take place in Europe as well.  In Amsterdam there is the Hack-in-the-Box (http://www.hitb.org/) conference that has not been officially announced yet but often has some really great speakers, and the fact that it is in Amsterdam is a bonus.  One last conference that has been popular in the past and as I have been told by some that have attended is a very fun experience is the Chaos Computer Club (CCC) Congress (http://www.ccc.de/en/). This takes place in Koln (Cologne, for Americans) Germany and is one of the things on my bucket list.

The conferences I have mentioned are not even the tip of the iceberg, there are hundreds of choices all over the world.  There may even be one in your local area that does not necessitate travel and an expense account.  This site (http://www.concise-courses.com/security/conferences-of-2015/) has a fairly comprehensive listing of conferences. There are different conferences that cater to professionals of every specialty.  Take a look at the list, decide where you want to go this year, and start making your plans.  If you are looking to get your company to send you it would be a good idea to start asking now.   We all know how slow corporate bureaucracy can be, better start those wheels turning now so you don’t miss the boat.

January 24

Hacking Without Breaking the Law

After four years in a university exploring the academic side of offensive security, I have come to realize that no amount of theoretical knowledge can be considered a substitute for real world, practical experience.  I have had the undeniable advantage of working in the field for a number of years gaining a considerable amount of such experience, but the most useful practice I have gotten has been from another source altogether.  Best of all, this experience was both free and legal.

Most of the tools that professional offensive security practitioners use are free, and the majority of the most popular ones come in a free Linux distribution called Kali Linux (https://www.kali.org/downloads/).  Armed with a virtualization client, such as the free VirtualBox (https://www.virtualbox.org/) and some spare time to explore, there is a lot of practice available.

If you are just getting started, there are hundreds of options out there.  All of them will help aspiring offensive security practitioners, penetration testers, and hackers improve their skills.  A great tool to start with is provided by Rapid7, the owners of Metasploit, (arguably one of the greatest hacking tools in existence).  This tool is designed specifically to teach beginners how to perform a plethora of hacking exercises using Metasploit.  The Metasploitable 2 VM can be downloaded from https://information.rapid7.com/metasploitable-download.html.  Metasploit itself can be downloaded from the same site but is included as part of the Kali Linux distribution.

A couple of weeks ago I decided to undertake the “Brainpan 2” hackable VM challenge.  This is one of many virtual machines that are out there to help offensive security professionals and enthusiasts to hone their skills and get practical experience in a lab environment.  In general it was an educational system to work with.  It was enjoyable to hack into and challenging to find ways around the security.  This is more of an intermediate VM.  If you are interested in giving it a shot yourself you can access it and a ton of other great vulnerable VMs here: https://www.vulnhub.com/.  Vulnhub.com offers new VMs on a regular basis ranging in difficulty from beginner to expert.  Some even offer prizes for solving them first or in a new and interesting way.

Further hacking experiments are available elsewhere.  If you prefer not to install VMs, just install Kali Linux (available at https://www.kali.org/downloads/). Then, go to one of a large selection of websites that were designed to be hacked.  These websites are created for just this purpose, so there is no concern about the legality of honing your hacking skills by attempting to break in.  For example, check out https://www.hackthissite.org/ where there is a series of increasingly difficult challenges that teach practical web application hacking.

In short, there is no limit to the opportunities to practice hacking.  Anyone, as long as they have a computer and some time, can use them to their advantage.  If you Google “hack this site” there are over 45 million results and vulnhon.com has hundreds of VMs.  I have been working on these steadily for about six years and am not halfway through all the choices.  However, if you do happen to work through all of these, there are even more VMs on GitHub and a plethora of paid services that provide virtual networks, as well.  So if you are looking to learn how to hack there is no need to spend money or break the law.  Just install some free software and start hacking!

January 19

Think. Pause. Post.

Nye_Not Anonymous Poster

I have these two security awareness posters that I made last week and I thought they deserved to be shared with the world.  The one with the Anonymous logo is in response to a problem that I have seen getting worse and worse and some awareness is in order.  I am posting these with something like a GNU license, they are free to use and post where you wish, just please give credit where credit is due.  If anyone would like the Microsoft Publisher version for better quality, to make changes or just because feel free to shoot me an email (john.r.nye [at] gmail [dot] com), message me on the various social media I am member of or even leave a comment here on my blog.

Nye_Free Wifi Poster

 

January 18

Wetware Security and Compliance

Security Awareness Training, User Education, Information Assurance: all of these are words that many of us don’t like to hear.  Presentations, public speaking, and teaching are concepts that fill us with dread.  These words, in and of themselves, are not terrible or scary.  It is the connotations that have arisen around them over the last decade or more that frighten us.  It is widely accepted and constantly pointed out that the weakest link in any information system regardless of size, complexity or value is the wetware. Wetware is a word that many IT professionals and especially security professionals love to use to describe the people that use the systems they implement, design or protect.

I am still a firm believer that the first person or company that comes up with a truly revolutionary way to deal with this problem, short of Bender from Futurama’s answer, “Kill all humans,” will be the next Google or Microsoft.  The information security industry has been fighting for years to come up with a good method of training users and protecting their systems from the mistakes that people make.  Unfortunately for all the users that have been subjected to these attempts, and those who developed them, they don’t work that well.

A good place to start in fixing this problem is an examination of why these techniques don’t work.  First, I want to be completely clear.  I am not saying that the methods being spoken of have no impact at all.  I am sure than many, if not all, can be shown to reduce breaches through the human element in some statistical manner.  What I am saying is that, regardless of the training, compliance and technical controls that are put in place, wetware is still by far the least secure part of any information system.

These programs are often developed by security professionals.  As a group, these professionals tend to have trouble explaining the technical aspects of their jobs to the non-technical users.  This lack of effective communication prevents users from fully understanding the importance of what the programs are trying to accomplish and what they will gain out of paying attention.  Another reason that much of this education and training fails is because the typical users, at least the vast majority, don’t particularly care about security or technical details.  They just want to get their job done so they can do whatever it is they do when they are not at work.

While the above list of problems is far from comprehensive, it is a starting point for a much-needed conversation among security professionals attempting to surmount these obstacles in the workplace.  Maybe we, as security professionals, should consider the benefits of working with professional educators, professional presenters, professional performers, and others of that ilk, to develop training and presentations that are accessible, entertaining, and relevant to users by addressing concerns about presenter comprehensibility, effectiveness, and audience awareness.  Then we would be more able to address their personal concerns by showing how they can protect their own money, families, data and anything else they may actually care about.  If we can create training programs that serve as an overall catalyst to user interest in security procedures on a personal level, that may be enough to carry over into the workplace.

The human element is always the most penetrable part of any system, but it is up to us as security professionals to shore up our weakest points as best we can.  I hope this post goes some way towards provoking discussion about the measures best suited to bridging the gap between “that annoying IT guy who keeps asking me to retrain on security compliance” and the users who need this training to protect themselves and company information.

January 11

Policing Policy

This week in one of my classes we have been discussing policies and policy development.  This is a topic that none of us in IT love to discuss let alone engage in as participants in development.  This is the trend as I have seen it.  Policies may not be fun, but anyone in IT will tell you that if they are well written and executed properly then they are one of the more powerful tools in available to us as security professionals.

I spent some time in Internal Audit as an IT Security Auditor.  During this time every single audit I was part of started in the same way.  We would gather all organizational policies related to the department, function, or system that was to be reviewed.  Then we would search for the industry best practices, sample policies, and compliance standards that were similar.  We would then compare the internal document to the best practices documentation.  Inevitably, the standards and the best practices documentation would match up incredibly well.  Every audit I worked on was well written, thorough, and surprisingly similar to what we found on the SANS website, SOX compliance or some other applicable best practice.

The problem in almost every case came after this part.  Just having a really good policy does not equate to a passing audit.  In fact, those that had the most picture perfect polices tended to fare the worst when we began to investigate their practices.  I, like many probably do, find that the best practices and example policies are useful resources.  Unfortunately, a good policy needs to go beyond best practices and instead reflect the actual practices.  The poor auditees in these cases would have fared a lot better to have a policy that was not exactly up to industry standards, but instead matches the real-life practices that were.  (The poor auditees in these cases would have done better to align their policies with and planning processes with a realistic assessment of their current status, rather than attempting to engage in policies that are considered appropriate for organizations or departments operating at top efficiency.)

I am not saying that policies are a bad thing, I think they are one of the best, and least costly, tools that IT and executives have at their disposal to protect their organizations.  I am saying that these tools need to be forged for the use they were intended.  SANS has some great policies templates, and compliance is not something that we really have a choice about.  However, polices need to be developed for the organization and purpose for which they were created, not to have a pretty document that could never actually be put into action.  Instead follow best practices for policies, start where you are and review and update polices to work your way incrementally toward best practices.