Digital Sniper

Wallflowers

Has anyone else noticed people have become more clinical observers of everything in life? I’ve noticed people in general tend to observe, not get involved in anything and classify everything.  Seems as if a lot of people are more interested in being spectators of what is going on around them instead of being a part of it. As I write this, I can’t help but postulate our blogging and media culture has a lot to do with this. Anyone can be a journalist now, armed with a laptop, Internet connection and opinion. Maybe it also has to do with fear of being demonized, which is more far reaching with the Internet. This can affect reputation, family, friendships and employment.

People who claim to be disconnected from the digital world don’t realize they are included in this whether they choose to be or not. They may take some action or make a statement that will be posted by another person online and possibly tagged with a photo. This uncovers another revelation. When I think about people I know who are not avid users of the Internet or social media, I realize the majority are very outspoken about their beliefs and aren’t afraid to share it verbally. Has digitizing our thoughts and beliefs suppressed our individuality and character to some degree?

South Cackalacky Breach

Not a total shocker once you read the details of the findings which lead to the breach reported on Dark Reading. I can imagine the internal conversation when the architecture was devised and budgets discussed. I’m sure it went something like this:

“Hey, we might want to encrypt the resident record database with the social security numbers”, said the solution architect.

“We got better things to spend our budget on, besides, we got a firewall right?”, said the security-illiterate CIO.

The Danger of Familiarity

One of the weaknesses in hiring people you are familiar with to work with you or for you is propagation of poor practices from previous work environments.  Today I witnessed the implementation of a pure shit policy on personal email usage based on Department of Defense logic, which means there is none.  This is a direct result of a good ole boy network being built from a previous DoD relationship.

Security Leadership at GTCSS

I attended the Georgia Tech Cyber Security Conference in Atlanta, GA last Tuesday.  It had been a long time since I was afforded the opportunity to attend a cyber-conference/discussion.  The keynote speaker was Ret. Admiral James Fallon and he was followed by a panel of security leaders from various companies.

Adm Fallon’s speech focused on how much the threat had changed from a physical nature to a faceless digital threat.  He also expressed concern about the lack of cooperation and teaming between organizations, both private and public, to address the increasing security threat.

The panel addressed some scripted questions, presented by Tony Spinelli.  There were some interesting characters on the panel, with a couple who seemed overly paranoid and doomsday prognosticators.  I get the fact security pros are somewhat paranoid by nature, but calling for the end of days is over the top.  This type of nonsense makes all of us in the profession sound like deranged shamans.

One of the questions I had for the panel, but did not get a chance to ask, was how to address the challenges faced in getting C-staff employees on board to support security initiatives.  We see data breaches occurring, and there is some activity from peers in the same vertical markets to take precautions.  However, the out-of-sight, out-of-mind mentality still persists among company leadership.

I know this is a bold statement and politically incorrect, but it’s not like I give a shit about being PC to begin with.  I believe IT security professionals like things just the way they are.  Think about it, if it wasn’t for hackers, cyber criminals and state sponsored attacks we would all be out of a job.  Well, maybe not out of a job but definitely doing something else.  Would you rather do anything besides your security work?  Didn’t think so, and don’t believe anyone in the industry who says otherwise since they spend nearly every waking moment preventing, detecting, reacting, mitigating, correcting or researching.  Don’t forget playing, too, with how exploits or tools work.  I work with some real psychos, but they are valuable and way smarter than me.

Dmitri Alperovitch from McAfee was on the panel and was one of the two most interesting speakers.  He was really focused on the cyber-criminal threat and really dismissed the term APT.  I could tell he was irked every time someone used the acronym, which was comical.  Dmitri also commented on how we all have failed collectively at stopping cyber-attacks.  Have we failed, or are we experiencing a type of evolutionary change?  I think Cisco came up with great marketing when they took advantage of the phrase “the human network”.  Their marketing video explains the virtual connection we have with virtually any spot on the planet, and off it if you consider the Space Station. http://together.cisco.com/#/view/intro

While it is not conceivable that everyone wants this connection to the rest of the human network, it is happening.  Securing the connection and compartmentalizing (to steal a concept from the spook world) is the real challenge.  Thomas Friedman, while I believe he is a liberal whack job, nailed the concept with his book “The World is Flat”.  When the human network laid trans-oceanic fiber we were laying arteries and nerves to establish connections with various parts.  Obviously, these connections pose a risk and concern for privacy.  For example, HHS is attempting to protect electronic health records with this moronic Meaningful Use bullshit, or Meaningless Use if you prefer.  In case you didn’t know, you can be best practiced to death, and both providers and payers are scrambling to understand what Meaningful Use is and how it affects them.  HIPAA is already pathetic and now they add in Meaningless Use requirements.

Dmitri also spoke briefly on the state sponsored threats and purposefully called out China.  If anyone in the security industry denies China is involved in this activity, they should receive 20 lashings with a console cable.


Hamstrung Operations

Hamstring: To destroy or hinder the efficiency of; frustrate

This definition brought to you by Merriam Webster. Recently, I became a member of the most crippled security operations team I have ever seen in any organization. The principals managing the security operations are essentially strangling the capabilities of the SOC. An extremely troubling aspect is the SOC is tasked with responsibilities and service deliverables, but not the access to tools required to provide the level of service laid out in the statement of work.

The onus lies on the SOC too, and there have been multiple occasions where they have displayed a lack of effort and attention to detail. The personnel are jaded and paralyzed by fear when it comes to making decisions or acting in any fashion resembling a SOC.

So how do you repair this failed operation? The principals can’t be replaced and the overall organization suffers from a clinical case of indifference and incompetence. If the contractors are replaced in the SOC, the same management environment still exists. Note the use of the term management and not leadership. You can start there by implementing a leadership culture. Next, bring in outside experience not affiliated with the current organization or similar vertical markets. A good antidote for stagnation is fresh ideas from professionals outside your market. As for the SOC analysts, sometimes you need replacements, but they need to have the trust of the principals and belief in their abilities.

The World is Flat

Tom Friedman talks about how technology has flattened the world in this 2005 video at MIT.  Looking at where we are today, he was spot on and nearly prophetic in his book “The World is Flat”.  Rather long, but very compelling.

Organizational Silos and Security

Ever pulled a hamstring?  Well if you haven’t, it hurts like a mother and you have a very hard time walking with any fluid and graceful motion.  Metaphorically speaking, this is what happens to organizations when they operate in organizational silos with no cross-functional interaction.

In my experience this is commonplace in the Department of Defense and virtually every other US Federal agency, but it is more commonly referred to as turf wars.  Call it whatever you like, it’s dangerous to the business whether it’s the bottom dollar, lives on a battlefield or public funds.

So what is an organizational silo?  Well think of a grain silo and fill it up with people from one specific group of an organization who focus on one part of the business or operations.  There is your silo.  People in the silo operate in their own little grainy world and have no desire to share or accept input from other silos.  When they are forced to play as a group it is very succinct and sometimes unprofessional, resulting in less than stellar project performance and operational gains.

Why does this happen?  I’m sure it has something to do with sociological issues surrounding informal group definition.  People tend to stick together and form groups.  Organizational silos may form a large scale informal group because everyone in the silo has something in common, their mission.  Many people don’t like change and cross functional exercises introduce strangers and God forbid, interaction with others!

So how the hell does this relate to digital security?  If you look at the interaction between groups in an organization when performing a security assessment, it’s easy to see the relationship.  The business group operates like a ballistic missile leaving a wake of carnage in its path with IT requirements, ideas and pointed demands.  This is all warranted.  Yes that’s right, warranted.  Remember, IT and digital security are not the focus of the business, only enablers.  It may not seem fair, especially if you are a feeble, progressive-school-raised digital security expert, but guess what?  Life ain’t fair!  It’s our job to keep the business moguls and the infrastructure tyrants in check through balance, a tactful approach and documentation of recommendations which are nullified by higher powers.  It’s usually a good idea to have proof you attempted due diligence and it was disapproved.  Sometimes it feels good to say “I told you so!”, but I don’t recommend it.

How do cross-functional activities overcome silos?  Consultant answer, it depends.  Cross-functional activities may be utilized by having resources from each silo contribute to a project which affects all the organizations.   Be careful, interaction!

Matrix organizations normally don’t deal with silo issues because of the meshed operations and utilization of resources across the functional silos.  Once I got to this point, I Googled organizational silos and the fifth result was an article called “Smashing Silos” by Evan Rosen of Bloomberg Business.  Unfortunately, I have rehashed almost everything he stated but the point I’m trying to make is that any project involving IT change or development should include someone from the CISO’s staff to provide guidance and stop the surprises or pointed demands, also known as risk acceptance.

Toor Complex

There is a well-known psychological condition some medical doctors are afflicted with called “The God Complex”.  A medical doctor suffering from this complex will exhibit an attitude of being a top tier human who grants life and does no wrong.

I have surmised many IT system administrators (sysadmins) also suffer from this complex.  After working in the IT security industry for approximately five minutes, anyone can make the same determination.  These sysadmins who have what I’ll term “toor complex” are insufferable.  They may be the root cause of many security compromises due to arrogance, impatience and inability to comply with laws other than their own.

A perfect storm is formed in the IT security world when a toor complex afflicted sysadmin is in collusion with a decision maker on the business side of an operation.  What I mean by this is you have a representative from IT who is impatient, hates compliance and just wants to make things work.  The decision maker from the business side also shares these flaws.  When they are combined things may get done quickly for the business, but usually at a steep price in the long run.

I worked an engagement where developers wanted to establish an environment close to an overseas customer’s operations.  This was conceived because of latency across the ocean in pulling data from a database residing in the US.  Two Dell 2950 servers were purchased and put in a rack, turned on and connected directly to a Cisco 851 provided by the local ISP.  Can you say SPAM relay?

I scanned the box remotely from the US and found, after one day online, the server had been compromised and configured to be a SPAM relay for a Russian group.  The worst part is customer data had been stored on the servers to prep it for the development environment.  I purchased an ASA5505 and put it behind the 851 and explained what happened to the executive and the sysadmin.  They were not fazed and unconcerned with the entire set of events.  Why?  Because they were only concerned with providing a business function and had no concept of long term risk.  What would have happened if they had lost all of the customer proprietary data, or if the servers had been used as storage for a contraband item like child pornography?

Executives and sysadmins have this notion in their head that security exists only to make their jobs harder and burn up budgets.  If that were the case, we would get rid of both and do the work ourselves.

Convicted of Having Convictions

Our politics and nanny state have created a sterile environment for us to operate in, period.  This has never been more apparent than this week when it was announced Mark Twain’s literary classic, The Adventures of Huckleberry Finn, has been modified to remove the word “nigger” and replace it with slave.  This was done to make the book more appeasing for high school reading lists.  Yes, it’s a word with terrible meaning and history, but you don’t rewrite one of the greatest storytellers’ books because some people are not comfortable with it.  It’s not supposed to be comfortable or heartwarming.

If it causes such heartburn, then it should be removed from school reading lists and the book preserved in its original form.  I mean hell, why don’t we rewrite the Bible, The Color Purple, A Tale of Two Cities or Fahrenheit 451 while the pens are out.

Sprint HTC EVO 4G

I recently upgraded my unreliable Blackberry 8350i with Nextel DirectConnect to a Sprint HTC EVO 4G cell phone/mini computer/mobile hotspot/GPS/HDTV/music player. This is a marvelous device with features only dreamed about or depicted on the big screen just a few years ago.

I’ll get the bad out of the way up front. In short, the battery leaves much to be desired on this device. Yesterday, I left the EVO in my car while at a baseball game with a full charge. It is set to sleep after one minute and I left the 4G service on, no WI-FI, no GPS. When I returned after the game, the battery was half depleted. All online tip givers and EVO specific sites state you should turn off all unused services when possible to save battery life. I can understand this and don’t have a problem with it, but there is the lazy human inconvenience issue to overcome. I know battery technology is advancing and the EVO is a definite candidate for a revolutionary power supply.

The most interesting component of this phone is the mobile hotspot feature. Sprint wants $29.99 a month for you to share the EVO’s 4G signal. BS! I walked out of the store because I refused to pay this ridiculous fee per month. However, the Sprint representative told me on the DL that you can “root” the phone and install an application that will allow you to share the 4G with a wireless client, like your laptop. Woo-hoo! Mobile Warcraft, here I come.

I am a bit concerned about using the automated root application to give you full control over the device. Most users will accept it without a second thought given to what underlying rootkit addons may be installed as well. I have noticed many of the products are developed in China, a hotbed of hacker activity. So what, you say? Well, your phone could be activated at any time to listen to you, just like a bug. The camera can be turned on to spy on your activity. GPS enabled to track your location and movement. Calls recorded, personal data stored on the device retrieved by a hacker. These are just examples of very real possibilities. Look, I’m a gadget whore too and I like the cool features that ultimately make devices very vulnerable to attackers. But, I’m also a paranoid freak who can’t help but think of an intruder being able to pwn me through my phone.