
The Danger of Familiarity

One of the weaknesses in hiring people you are familiar with to work with you or for you is the propagation of poor practices from previous work environments. Today I witnessed the implementation of a pure shit policy on personal email usage based on Department of Defense logic, which means there is none. This is a direct result of a good ole boy network being built from a previous DoD relationship.

Security Leadership at GTCSS

I attended the Georgia Tech Cyber Security Conference in Atlanta, GA last Tuesday.  It had been a long time since I was afforded the opportunity to attend a cyber-conference/discussion.  The keynote speaker was Ret. Admiral James Fallon and he was followed by a panel of security leaders from various companies.

Adm Fallon’s speech focused on how much the threat had changed from a physical nature to a faceless digital threat.  He also expressed concern about the lack of cooperation and teaming between organizations, both private and public, to address the increasing security threat.

The panel addressed some scripted questions, presented by Tony Spinelli. There were some interesting characters on the panel, with a couple who seemed overly paranoid and doomsday prognosticators. I get the fact that security pros are somewhat paranoid by nature, but calling for the end of days is over the top. This type of nonsense makes us all in the profession sound like deranged shamans.

One of the questions I had for the panel, but did not get a chance to ask, was how to address the challenges faced in getting C-staff employees on board to support security initiatives. We see data breaches occurring, and there is some activity from peers in the same vertical markets to take precautions. However, the out-of-sight, out-of-mind mentality still persists among company leadership.

I know this is a bold statement and politically incorrect, but it’s not like I give a shit about being PC to begin with. I believe IT security professionals like things just the way they are. Think about it: if it wasn’t for hackers, cyber criminals and state sponsored attacks we would all be out of a job. Well, maybe not out of a job but definitely doing something else. Would you rather do anything besides your security work? Didn’t think so, and don’t believe anyone in the industry who says otherwise, since they spend nearly every waking moment preventing, detecting, reacting, mitigating, correcting or researching. Don’t forget playing around too with how exploits or tools work. I work with some real psychos, but they are valuable and way smarter than me.

Dmitri Alperovitch from McAfee was on the panel and was one of the two most interesting speakers. He was really focused on the cyber-criminal threat and really dismissed the term APT. I could tell he was irked every time someone used the acronym, which was comical. Dmitri also commented on how we all have failed collectively at stopping cyber-attacks. Have we failed, or are we experiencing a type of evolutionary change? I think Cisco came up with great marketing when they took advantage of the phrase “the human network”. Their marketing video explains the virtual connection we have with virtually any spot on the planet, and off it if you consider the Space Station. http://together.cisco.com/#/view/intro

While it is inconceivable that everyone wants this connection to the rest of the human network, it is happening. Securing the connection and compartmentalizing (to steal a concept from the spook world) is the real challenge. Thomas Friedman, while I believe he is a liberal whack job, nailed the concept with his book “The World is Flat”. When the human network laid trans-oceanic fiber we were laying arteries and nerves to establish connections with various parts. Obviously, these connections pose a risk and concern for privacy. For example, HHS is attempting to protect electronic health records with this moronic Meaningful Use bullshit, or Meaningless Use if you prefer. In case you didn’t know, you can be best-practiced to death, and both providers and payers are scrambling to understand what Meaningful Use is and how it affects them. HIPAA is already pathetic and now they add in Meaningless Use requirements.

Dmitri also spoke briefly on the state sponsored threats and purposefully called out China. If anyone in the security industry denies China is involved in this activity, they should receive 20 lashings with a console cable.


Hamstrung Operations

Hamstring: To destroy or hinder the efficiency of; frustrate

This definition brought to you by Merriam Webster. Recently, I became a member of the most crippled security operations team I have ever seen in any organization. The principals managing the security operations are essentially strangling the capabilities of the SOC. An extremely troubling aspect is the SOC is tasked with responsibilities and service deliverables, but not the access to tools required to provide the level of service laid out in the statement of work.

The onus lies on the SOC too, and there have been multiple occasions where they have displayed a lack of effort and attention to detail. The personnel are jaded and paralyzed by fear when it comes to making decisions or acting in any fashion resembling a SOC.

So how do you repair this failed operation? The principals can’t be replaced and the overall organization suffers from a clinical case of indifference and incompetence. If the contractors are replaced in the SOC, the same management environment still exists. Note the use of the term management and not leadership. You can start there by implementing a leadership culture. Next, bring in outside experience not affiliated with the current organization or similar vertical markets. A good antidote for stagnation is fresh ideas from professionals outside your market. As for the SOC analysts, sometimes you need replacements, but they need to have the trust of the principals and belief in their abilities.

The World is Flat

Tom Friedman talks about how technology has flattened the world in this 2005 video at MIT.  Looking at where we are today, he was spot on and nearly prophetic in his book “The World is Flat”.  Rather long, but very compelling.

Organizational Silos and Security

Ever pulled a hamstring? Well if you haven’t, it hurts like a mother and you have a very hard time walking with any fluid and graceful motion. Metaphorically speaking, this is what happens to organizations when they operate in organizational silos with no cross-functional interaction.

In my experience this is commonplace in the Department of Defense and virtually every other US Federal agency, but it is more commonly referred to as turf wars.  Call it whatever you like, it’s dangerous to the business whether it’s the bottom dollar, lives on a battlefield or public funds.

So what is an organizational silo?  Well think of a grain silo and fill it up with people from one specific group of an organization who focus on one part of the business or operations.  There is your silo.  People in the silo operate in their own little grainy world and have no desire to share or accept input from other silos.  When they are forced to play as a group it is very succinct and sometimes unprofessional, resulting in less than stellar project performance and operational gains.

Why does this happen?  I’m sure it has something to do with sociological issues surrounding informal group definition.  People tend to stick together and form groups.  Organizational silos may form a large scale informal group because everyone in the silo has something in common, their mission.  Many people don’t like change and cross functional exercises introduce strangers and God forbid, interaction with others!

So how the hell does this relate to digital security? If you look at the interaction between groups in an organization when performing a security assessment, it’s easy to see the relationship. The business group operates like a ballistic missile leaving a wake of carnage in its path with IT requirements, ideas and pointed demands. This is all warranted. Yes that’s right, warranted. Remember, IT and digital security are not the focus of the business, only enablers. It may not seem fair, especially if you are a feeble, progressive-school-raised digital security expert, but guess what? Life ain’t fair! It’s our job to keep the business moguls and the infrastructure tyrants in check through balance, a tactful approach and documentation of recommendations which are nullified by higher powers. It’s usually a good idea to have proof you attempted due diligence and it was disapproved. Sometimes it feels good to say “I told you so!”, but I don’t recommend it.

How do cross-functional activities overcome silos? Consultant answer: it depends. Cross-functional activities may be utilized by having resources from each silo contribute to a project which affects all of the organization. Be careful, interaction!

Matrix organizations normally don’t deal with silo issues because of the meshed operations and utilization of resources across the functional silos.  Once I got to this point, I Googled organizational silos and the fifth result was an article called “Smashing Silos” by Evan Rosen of Bloomberg Business.  Unfortunately, I have rehashed almost everything he stated but the point I’m trying to make is that any project involving IT change or development should include someone from the CISO’s staff to provide guidance and stop the surprises or pointed demands, also known as risk acceptance.

Toor Complex

There is a well-known psychological condition some medical doctors are afflicted with called “The God Complex”. A medical doctor suffering from this complex will exhibit an attitude of being a top tier human who grants life and does no wrong.

I have surmised many IT system administrators (sysadmins) also suffer from this complex. After working in the IT security industry for approximately five minutes, anyone can make the same determination. These sysadmins who have what I’ll term “toor complex” are insufferable. They may be the root cause of many security compromises due to arrogance, impatience and inability to comply with laws other than their own.

A perfect storm is formed in the IT security world when a toor complex afflicted sysadmin is in collusion with a decision maker on the business side of an operation.  What I mean by this is you have a representative from IT who is impatient, hates compliance and just wants to make things work.  The decision maker from the business side also shares these flaws.  When they are combined things may get done quickly for the business, but usually at a steep price in the long run.

I worked an engagement where developers wanted to establish an environment close to an overseas customer’s operations.  This was conceived because of latency across the ocean in pulling data from a database residing in the US.  Two Dell 2950 servers were purchased and put in a rack, turned on and connected directly to a Cisco 851 provided by the local ISP.  Can you say SPAM relay?

I scanned the box remotely from the US and found, after one day online, the server had been compromised and configured to be a SPAM relay for a Russian group. The worst part is customer data had been stored on the servers to prep it for the development environment. I purchased an ASA5505 and put it behind the 851 and explained what happened to the executive and the sysadmin. They were not fazed and were unconcerned with the entire set of events. Why? Because they were only concerned with providing a business function and had no concept of long term risk. What would have happened if they had lost all of the customer proprietary data, or if the servers had been used as storage for a contraband item like child pornography?

Executives and sysadmins have this notion in their head that security exists only to make their jobs harder and burn up budgets.  If that were the case, we would get rid of both and do the work ourselves.

Convicted of Having Convictions

Our politics and nanny state have created a sterile environment for us to operate in, period. This has never been more apparent than this week when it was announced Mark Twain’s literary classic, The Adventures of Huckleberry Finn, has been modified to remove the word “nigger” and replace it with slave. This was done to make the book more appeasing for high school reading lists. Yes, it’s a word with terrible meaning and history, but you don’t rewrite one of the greatest storytellers’ books because some people are not comfortable with it. It’s not supposed to be comfortable or heartwarming.

If it causes such heartburn, then it should be removed from school reading lists and the book preserved in its original form. I mean hell, why don’t we rewrite the Bible, The Color Purple, A Tale of Two Cities or Fahrenheit 451 while the pens are out.

Sprint HTC EVO 4G

I recently upgraded my unreliable Blackberry 8350i with Nextel DirectConnect to a Sprint HTC EVO 4G cell phone/mini computer/mobile hotspot/GPS/HDTV/music player. This is a marvelous device with features only dreamed about or depicted on the big screen just a few years ago.

I’ll get the bad out of the way up front. In short, the battery leaves much to be desired on this device. Yesterday, I left the EVO in my car with a full charge while at a baseball game. It is set to sleep after one minute and I left the 4G service on, no Wi-Fi, no GPS. When I returned after the game, the battery was half depleted. All online tip givers and EVO specific sites state you should turn off all unused services when possible to save battery life. I can understand this and don’t have a problem with it, but there is the lazy human inconvenience issue to overcome. I know battery technology is advancing and the EVO is a definite candidate for a revolutionary power supply.

The most interesting component of this phone is the mobile hotspot feature. Sprint wants $29.99 a month for you to share the EVO’s 4G signal. BS! I walked out of the store because I refused to pay this ridiculous fee per month. However, the Sprint representative told me on the DL that you can “root” the phone and install an application that will allow you to share the 4G with a wireless client, like your laptop. Woo-hoo! Mobile Warcraft, here I come.

I am a bit concerned about using the automated root application to give you full control over the device. Most users will accept it without a second thought given to what underlying rootkit addons may be installed as well. I have noticed many of the products are developed in China, a hotbed of hacker activity. So what, you say? Well, your phone could be activated at any time to listen to you, just like a bug. The camera can be turned on to spy on your activity. GPS can be enabled to track your location and movement. Calls can be recorded, and personal data stored on the device retrieved by a hacker. These are just examples of very real possibilities. Look, I’m a gadget whore too and I like the cool features that ultimately make devices very vulnerable to attackers. But, I’m also a paranoid freak who can’t help but think of an intruder being able to pwn me through my phone.

Penetration Test Costs

Research suggests the average cost of penetration testing is $200 per hour, as of April 2010. Most forum posts, which are really RFIs and RFPs, ask the wrong question. People ask in general how much a pen test costs and the answer is always, it depends. Finally, several individuals broke the costs down to show the price comes out to around $200 per hour in the United States. Sometimes this does not include a reporting fee, but like anything in the business, it depends on how the contract is written and what the deliverables are.

If someone were to use this $200-per-hour fee and apply it to a military or civilian agency pen test, the price would be astronomical. The actual attack time would cost $28,800 for 12-hour days, six days a week for two weeks (144 hours). This doesn’t include travel costs, per diem and logistics, and this is for one pen tester!

James DeLuccia IV wrote a good blog post on pen tester evaluation back in 2006. He states in the conclusion that good pen testers use automated pen testing products, like Core Impact, about 10% of the time. They develop impromptu approaches based on findings to create a true pen test environment. This requires an extreme devotion to the profession and, in our opinion, a job which also requires it to be the professional’s hobby.

The costs associated with this profession are relatively high. Tools like Core Impact are pricey, yet there are alternatives such as Metasploit. A search of any technical penetration test related literature from online retailers, like Amazon, reveals the high costs associated with knowledge. Most of the information found in pen testing books can be found online for free; it just takes time and a willingness to find it.

Overcoming IT Politics

Office politics are always a joy to deal with.  So what happens when it affects or compromises security?  Good things don’t happen, that’s what.  Let’s face it, office politics occur in every office regardless of the industry.  It could be corporate, non-profit, government, military or whatever else you can imagine.  Just like traffic on the highway, it’s a factor that must be dealt with and its effects minimized to limit interference.  Easier said than done, trust me, I know.

In most cases, office politics is a result of poor promotion and employee rating systems which are biased and lack depth. The control is focused on one individual, the manager, who promotes adulation. Meanwhile, the manager engages in this behavior with their boss, who is also an enabler. It turns into a vicious cycle comprising “good ole boy” networks and favoritism.

However, there is another method considered to be an enabler of office politics: management indecisiveness with lack of focus. If your management and executive team can’t make decisions or enforce the decisions they do make, office politics and internal strife will escalate. One of the key contributing factors to this is when executives and management stagnate in one position for too long. There must be turnover and change in most cases for an organization to rebuild, take new direction and/or improve.

What does this have to do with security? If your security operations are suffering because other IT groups fail to cooperate due to a power struggle or office politics, you will be on the hook for failed security audits or compromises. “They wouldn’t give me access or equipment” is not the answer you want to give auditors or lawyers. However, giving this answer with evidence of your attempts to gain access or procure the equipment required to secure company or government assets is a different story. One of the best approaches to change is for a negative impact to occur. Hope for a compromise or a massive audit failure due to security controls. It’s like a dangerous intersection with stop signs. Citizens ask for a stop light, but local officials won’t commit the funds to install one. However, when someone gets killed at the intersection, action is taken to install the traffic light and quell the public outrage. Promote your dangerous intersection as a point of concern and wait for the accident that gets you what you need. In the meantime, don’t get your nose too dirty.