So, You Wanna Be in InfoSec?

One of the most common questions I get asked is “How can I become an information security professional?”. These days, it seems that a ton more people want to be in the “business” of information security. I get the question so often, I thought I would write this post as a quick and easy way to respond.

Are You Serious?

The first response is a “gut check”. Are you serious that you want to be an infosec person? Do you even know what you are asking? My suggestion is 2 steps. Number 1, read a basic information security guide (not Hacking Exposed or something on an aspect, but something more general like the ISO standards). Number 2, invest in your career option enough to buy a few coffees or beers and ask a couple of security folks you know of and trust to sit down, one on one with you for an hour chat. Talk about that person’s career, what day to day security work is like in their experience and what they think about your ideas for moving forward. If you can’t or won’t invest in these basic steps, then quit now and choose another career path. Security work is all about research, reading, guidance, networking and conversations with other humans. If you can’t do these toddler steps, then forget running with the big dogs and find another pack.

Get Serious, Quick!

Step 1: Knowledge boost: Start to read every single security book you can find. Listen to podcasts, read web sites, subscribe to mailing lists. Read RSS feeds.

Step 2: Find a way to contribute: Work on an open source security project. If you can’t code, then write the documentation or contribute to testing. Start a website/blog and start to aggregate or gather other security news. Wax poetic on what you think of certain topics. Think of this part as turning knowledge into wisdom. It is where the rubber meets the road and where you will encounter some pain, humiliation and grief, but it is another form of “gut check” to make sure you are ready to be in infosec.

Step 3: Build a lab & practice security skills: Build a lab. Make it out of old hardware, virtualization systems, Live CD’s, etc. Then hack stuff. Secure stuff. Apply settings, scenarios, access controls. Shop at eBay, garage sales, thrift stores or Walmart to cut the cost down. Be creative and pragmatic, both are essential security skills.

Step 4: Brand yourself: Once you have some wisdom and insight, then update your resume. Build a personal brand. Read books by Seth Godin and Guy Kawasaki to learn to do this. Learn how to separate yourself from Joe Six-Pack and how to turn your security experiences with the above projects into valuable differentiators that open doors for you to get that job you wanted. Is it work? Yes. Is it hard work? Yes. Does it take time? Heck, yes. Is it worth it? If you get what you really want, heck yeah!!!!

It’s OK to Turn Back

If, at any point during the above steps, you decide you are not interested enough to continue, then don’t. Security is tedious, hard work. Most of it is COMPLETELY NOT SEXY and has nothing to do with Swordfish, Hackers or the Matrix, no matter how much you want to be Neo, Cereal Killer or Angelina Jolie. Security is mundane, boring, full of science, analysis and research. If you want to be great at it, you also need to understand business, marketing, math, human resources, education, more marketing, sales, basic programming, public speaking, more marketing and oh, yeah, more marketing. Why so much marketing? Because, believe it or not, people need to be sold on being secure. That is the largest irony of the job. You have to not just identify how to make them secure AND teach them how to be secure, BUT you ALSO have to SELL them on the idea that security is worth their investment of time, energy and resources. It’s not that they don’t want to be secure, it’s that humans are REALLY BAD AT MAKING RISK DECISIONS. Keep this in mind as your security career progresses. It is a handy meme.

Are there Shortcuts?

Maybe, if you wanna be average. More than likely not, if you wanna be truly GREAT at what you do. Everything in life has a price. The good, the bad and the security career. Paying that price is a part of the reward, you just might not know it yet. Pay the price. This is one system you really don’t wanna “hack” to get at the “easy way”, it makes for a lot of pain down the road when you look foolish.

What About Certifications?

I am not a believer in certs. I have never made any secret about my position. I DO NOT HAVE MY CISSP NOR AM I LOOKING TO EVER HAVE ONE. Certs are NOT a good measure of experience, work ethic or intelligence. They represent all that I hate about the security industry and the idea of doing the minimum. This is not to say that you should not pursue them or that they are not valuable, it is just my belief that the IT industry puts way too much stock in certs. They believe that most every CISSP is a real “security person” and knows their stuff. I have met plenty who do not. I have met plenty who I would not let manage my security. I have met some that I would, as well. The same goes for all certs (MCSE, CSA, etc.). Certs are just a BASIC qualification mechanism, no more, no less. Experience and what you have done in the past speak volumes more to me, and anyone I would want to work for or with, than a cert. Period.

I hope this answers those basic questions about how I think you should move toward being a security professional. I hope you do choose security as a career, if you are willing to invest in being great at it. The world needs more great security people, but we also need less inadequate security professionals. The industry has its charlatans and fakes, but it also has some of the best people on the planet. This industry has been good to me for almost two decades. I have met and made friends with some of the most talented, fascinating and warm people in the world. I am very blessed and very grateful. I hope you will be too. Buy me a cup of coffee if you want to talk more about it. I promise to try and help you figure out if this is the way you want to go, if you are willing to invest in yourself first BEFORE you seek my input. More than likely, you will find the same to be true for other security experts too. They just might like cheaper coffee than I do…. 🙂


The Economics of Insecurity

Wanna be bad at information security? Can you afford it?

Various sources, metrics and industry studies put a variety of numbers to data loss, but the general range is around $200-$250 per compromised customer/client/credit card, etc.

How many pieces of identity data does you company protect? How many clients do you have? How many employees are in your payroll and HR systems?

Information security is expensive. Software, services, assessments, policies, awareness and a myriad of other things all cost money. But, the next time you are asking yourself or upper management about your security budget, remember that $250 number. It may just give you, or someone else, some perspective on just what it all means.

Major Breach at Heartland Payment Systems

You’ve heard this story before. A major credit card company has experienced a massive breach. Tons and tons of data was stolen during the incident. They think they have it under control and are working with law enforcement. You should check your statements. Blah, blah, blah…

Once again, though, in this case, the company was certified as PCI compliant by their PCI auditors. If they were all compliant and filled to the brim with “fluffy, compliant goodness” then the attackers must have used some uber-hacking technique, right? Some bleeding edge tool or 0-day exploit that cut right through their defenses and rendered their compliant protections useless? Ummm…. NO…. The mighty technique that caused the damage? A sniffer!!!! (Some of the best technology that the late 80’s/early 90’s had to offer…)

How did I reach this conclusion? From their own press release:

“Last week, the investigation uncovered malicious software that compromised data that crossed Heartland’s network.” — sounds like a sniffer to me….(and a lot of other infosec folks…)

That’s right, the mighty sniffer strikes again. In the last couple of years, this same attack footprint has occurred over and over again. It has been largely successful. Why? Because companies don’t encrypt credit card data in transit across networks. Sure, many of them encrypt the database (not all, but many.) and some use various forms of endpoint protection, but many (way too many apparently) don’t encrypt the credit card data in transit across their networks.

Even worse, the PCI DSS DOES NOT REQUIRE THIS. That is how they can be compliant with PCI and still have this issue. What a cruel joke for consumers.

The DSS requires that organizations encrypt credit card data when it flows across “open, public” networks. Well, guess what, when your network gets compromised, even your “internal, private LAN”, it becomes “public” at least for the attackers. Misconfigure a firewall rule, get a workstation popped, allow a social engineer into the environment and that “private network” is not so private anymore, is it?

But, that never happens, right? Except when it does.

In my opinion, it is high time that organizations realize that compliance is not security. Compliance is a false goal set in sand. The real goal is risk management and data protection. In order to accomplish these goals, you have to make rational decisions and account for real threats, not just checklists compiled by some nebulous group of people in a “one size fits all fashion”. That is a fool’s errand.

As I have been saying for a while now, we have to start thinking differently about security. We have to forget the baselines and look at our risk from the view of a threat agent (a hacker, cyber-criminal, attacker, whatever!). We have to make rational choices that really do protect that which needs to be protected. We have to hope for the best and architect for abject failure. Anything less than that, and this is a story you we will just get to keep on telling….

Interested in learning more about “sniffing”? Click here for a great FAQ.

I also did an interview with Secure Computing Magazine about this. You can read that here.

Win7, Linux and the Future of the Desktop OS

First of all, I think one of the major reasons that Windows 7 will not “kill Linux on the Desktop” is cost. Quite honestly, unless they are going to make Windows 7 free, it might be popular enough to stall the spread of Linux on desktops in the developed world, but the rest of the world (the parts of the world where the next IT explosion will originate from because it is not already saturated) can not afford to purchase the licenses and will continue to grow Linux as their leading OS. How important is Linux in the emerging world? Google for Linux news in Brazil, India, the Middle East and find out. Linux has become BOTH the server AND desktop OS of choice in many of those areas. In addition, schools are teaching Linux as part of the curriculum, so that means additional armies of Linux users will eventually come to bear on the market over the next decade. That is likely a force that can not be derailed.

Second, I believe in open source. While the majority of users could care less about source and will never tweak their code, there are a core group of code geeks who will tweak stuff and play with things. These geeks will create improvement in the Linux desktop experience. The experience has been slowly and steadily improving over time. Don’t take my word for it, go back and download a VM of an early Ubuntu release and compare it to today. Ubuntu and the other open source Linux-based OS projects CONTINUALLY release new enhancements and upgrades that impact user experience. What releases have there been since Windows 98? XP, Vista and now Windows 7. How many releases of Ubuntu and other desktop environments have there been since the release of Windows 98? Basically, ALL OF THEM. Not to mention the fact that Ubuntu and the Linux movement isn’t dead. Just as they incorporated and learned from the powerful features of OS X, they will learn from, emulate and advance the experience in the future based on Windows 7 too. They will likely release a lot of changes over the next couple of years, even as Windows 7 reaches its mass market plateau. Likely, as they learn from and advance beyond, the “stall” will end and Ubuntu and the Linux desktop “movement” will experience further growth. Face it, the model is just more efficient.
Third, the idea that users choose desktop OS solely by features is ludicrous. The majority make their choice based on a combination of ease of use, brand familiarity, stability and PRICE. In the developed world, price might have less to do with it, and it is likely that ease of use and branding “what I use at work and already know” is more likely the top considerations. Followed by stability and price. But even in those decisions, Linux has made a huge improvement and at such a rapid pace THAT IF IT CONTINUES AT THAT PACE, it will easily surpass Windows in terms of everything but branding by the time Windows 7 hits its plateau of saturation. Business adoption is the key here. The more businesses that put Linux on the desktop, the more people get familiar and begin to use it at home. Add to that equation the coming army of global young people that have been using Linux as their base of education and you see a rising tide. I think of Windows 7, not as death for Linux, but as the last Microsoft desktop OS that will enjoy HUGE MARKET OWNERSHIP. I see a continued splintering of the desktop into Windows/Linux and OS X, with easier sharing, integration and cross platform collaboration in the future. Far from death, I see a market splinter where we reach some form of mutual equity, give or take small evangelic groups of BSD/Other/Netware+/Blah blah blah that ebb and flow. To demonstrate my point – I am sure Guy Kawasaki has no plans to switch from OS X to Windows 7 (nor do I) and I am sure Theo de Raadt is NOT going to dump OpenBSD anytime soon to become a Windows 7 user. Hardcore zealots will likely remain, but the majority of folks in the new “global economy” are likely to keep non-Windows OSs alive for a long long time.
Next is the subject of netbooks. A lot seems to be riding on them in these OS wars. The problem is, I am just not convinced that netbooks will remain a dominant force in the market place. They are kind of on a “computing land bridge” between the hand held devices that will evolve from smartphones and the real functionality and usability factors of a notebook/laptop. Given the reviews I have read about netbooks, it seems plausible that they may get swallowed into the sea as both sides of the land bridge exert pressure on them. Most folks say that they are just too physically small and lack core power to be true notebook replacements, and as the smartphone evolution occurs, I just don’t see how this remains a viable long term form factor, even in the emerging world. Thus anything that bets on netbooks in the Windows/Linux wars seems like an unsafe long term bet to me. (Note, I just bought a Linux-based EEEPC to try, but have not used it yet.)
So as not to leave security out of this, a lot depends on how well Microsoft did with security in Windows 7. (I have not yet used it myself, so only speculation and review based opinions here.) They made significant improvements in Vista and additional improvements are likely here too. Linux continues to have security issues as well, though, they too seem to be improving (without any real metrics research on my part). All operating systems though, face high levels of additional risks from all of the add-on apps and software users use on desktops. Part of what I think will be important in the future of security of desktop systems is how they minimize the damages that a user level compromise can do. How do they prevent escalation? How compartmentalized do they keep data? What detective and responsive controls do they build in to help compensate for bad user decisions? These are key elements in the future of desktop operating system selection. We all know, no matter how many posters we hang and meetings we hold, users continue to choose the dancing gnome or hamster bowling over security. They will click on bad links, visit naughty sites and make incredibly bad decisions. We just have to be ready for them and identify ways to minimize the risk those bad decisions pose to our information assets. What OS platforms would seem more capable of rapid evolution here? It seems to me that the myriad mindset and crowd-source is much more likely to create improvements here in the short term, but you decide for yourself. Bottom line, the future of the desktop operating system is in “compromise tolerance”. You can quote me on that one.
So, there you go, my opinions on the future of Windows 7 as Linux desktop killer. Maybe you agree, maybe you disagree. Let me know. Maybe I am totally wrong and I will be completely surprised 10 years from now. I don’t think so, but it has happened before. As always, your mileage and paranoia may vary.

Giving for the Holidays

Now is the time when many folks open their hearts and their wallets to help others. At MSI, I am proud to say that we do this all year. This year alone we have worked on gathering and donating old cell phones for the Central Ohio Choices program, made donations to the One Laptop Per Child organization, donated our services to a group of non-profits and charities working to make the world a better place and performed various other functions. I am so very proud to lead a team of individuals who are fully committed to the goals of many of these organizations and who routinely work to improve the lives of others, the environment and our future.

Information security and technology aside, I wanted to take a few moments and give links to some very deserving organizations in my book. Of course, there are a ton of organizations out there, many are very very dedicated and do wonderful work. Organizations like the Red Cross/Red Crescent and so many others are deserving of your support year round, but here is a quick list of special organizations I hope you will support this year and in the future.

(RED) – This organization is fighting desperately to overcome the tragedy of HIV/AIDS. You can help by buying products with their logo, which will donate an amount of the sale to the cause.

Heifer – They provide animals and other micro-farming capabilities to emerging nations. Their tradition of passing new born animals back into the program is one of the greatest ideas ever!

Of course, One Laptop Per Child, who is taking measures to educate the youth of the world. Their “give one, get one” program is simply amazing. Try this, give one to the program and take the get one to a local school or pre-school and donate it too. Or, choose a neighbor or someone with children who could benefit from the technology. It is a great way to help.

Then there is Charity:Water , who is fighting to bring clean, safe drinking water to the world. Believe me, we will all need this in the future. The world could be a very different place in the future.

There are tons more I wish I could cover: dog shelters, Animal Rights Aruba, various anti-poverty and disease research groups, etc. The nice thing about charity today is that there are so many ways to give and so many organizations to support that everyone can find the right one to fit their own moral, religious and social compass. Just picking one is the first step. Hopefully, this quick list will get you started, or at least thinking about it.

We will now resume our regularly scheduled security banter. Thanks for reading, not just today, but all year long and everyone at MSI wishes you and yours a safe, peaceful and wonderful holiday season!

Hackers Hate HoneyPoint

HackersHateHPlogoed200.jpg

We have been getting so much great feedback and positive response to our HoneyPoint products that Mary Rose, our marketing person, crafted this logo and is putting together a small campaign based on the idea.

We are continuing to work on new capabilities and uses for HoneyPoint. We have several new tricks up our sleeve and several new ways to use our very own “security swiss army knife”. The capabilities, insights and knowledge that the product brings us is quickly and easily being integrated into our core service offerings. Our assessments and penetration testing brings this “bleeding edge” attack knowledge, threat analysis and risk insight to our work. We are routinely integrating the attack patterns and risk data from our deployed HoneyPoints back into the knowledge mix. We are adding new tools, techniques and risk rating adjustments based on the clear vision we are obtaining from HoneyPoint.

This is just one of the many ways that HoneyPoint and the experience, methodology and dedication of MSI separate us from our competitors. Clients continue to love our rapport, reporting formats, flexibility and deep knowledge – but now, thanks to HoneyPoint, they also enjoy our ability to work with them to create rational defenses to bleeding edge threats.

You can bet that you will see more about HoneyPoint in the future. After all, hackers hate HoneyPoint, and in this case, being hated is fine with us!

RE: SANS Are We Doomed?

This kind of stuff is, in my opinion, exactly why management and consumers grow sick of hearing about information security and cyber-risk in general. For years now, security folks have been shouting to high heaven about the end of the world, cyber-terrorism, the cyber-jihad and all of the other creative phrasings for increased levels of risk and attacks.

SANS at least asks for good things too that represent hope, but the list is always small. It is always, as they point out, so much easier to create a list of threats and attack points than a list of what we have done, and are doing right. That’s human nature, to point to the short comings.

My point is that just as many real world risk pundits have said, we have to look at things through a higher level lens. We have to create RATIONAL security. Yes, we have to protect against increases in risk, black swans, 0 day exploits, huge bot-nets and all of the other examples of “bleeding edge threats”, but we have to realize that we have only so many resources to bring to bear and that risk will NEVER approach ZERO!

Here is a real world example:

I recently worked an incident where a complete network compromise was likely to have occurred. In that event, the advice of another analyst was to completely shut down and destroy the entire network, rebuild each and every device from the ground up and come back online only when a state of security was created. The problem: the business of the organization would have been decimated by such a task. Removing the IT capability of the organization as a whole was simply not tenable.

Additionally, even if all systems were “turned and burned” and the architecture rebuilt from the ground up, security “Nirvana” would likely not have been reached anyway. Any misstep, misconfigured system or device or mobile system introduced into the network would immediately raise the level of risk again. So would connecting the newly built “secure” network to the Internet. If 1 minute after the network went live a user clicked on the “dancing gnome” from a malicious email, then the network is in a risk state again. Not to mention or even dive into the idea that an internal attacker or rogue admin could exist inside the environment, even as it was being rebuilt.

Thus, the decision was made to focus not on mitigation of the risk, but on MINIMIZING it. Steps were taken to replace the known compromised systems. Scans and password changes became the order of the day and entire segments of the network were removed from operation to minimize the risk during a particularly critical 12 hour cycle where critical data was being processed and services performed. Today, this IT environment remains in a semi-trusted state, but they are quickly implementing a phased approach to restore full trust to the environment and bring it into compliance with security best practices.

Has there been some downtime? Sure. Has there been some cost? Sure. How about user and business process pain? Of course! But the impact on their organization, business bottom line and reputation has been absolutely less than if they had taken the “turn and burn” approach. They still have risk. They still have threats. They still have vulnerabilities, BUT they are moving to deal with them in a RATIONAL fashion.

RATIONAL response to risk is what we need, NOT gloom, doom and FUD. Finding the holes in security will always be easy, but understanding what holes need to be prevented, wrapped in detection and protected by response is the key. Only when we can clearly communicate to management and consumers alike that we have RATIONAL approaches to solving the security problems are they likely to start listening again. After all, who does anything different when the Internet security level moves from “mochachino” to “dirty martini” or vice versa???

E-Voting Follow Up

I think the presentation at TechColumbus went well. The crowd seemed into it and their questions, comments and feedback were good. Sorry to the person I had to shutdown during the talk – but we had a time limit and such for the presentation and we had to keep from getting on a tangent.

Overall the e-voting summary was that yes, the systems are broken. Yes, they have vulnerabilities. But, we know what many of them are and we know what many of the exploits look like when performed. The Secretary of State has implemented process controls and new techniques for monitoring and detection of many of the attacks that EVEREST identified. Even though the system might be less than perfect – YOU SHOULD STILL GET OUT AND VOTE.

Thanks to Terry Dick, the Ohio Secretary of State’s Office, TechColumbus, Platform Labs, Mike Krippendorf and David Garcia for the help with the presentation. Special thanks to the rest of the EVEREST team, without everyone’s dedication to the cause, it would not have been as successful as it was. Extra special thanks to those who attended, without you guys, we are just strangers talking to ourselves in a dark room!

Here’s hoping everyone has a nice weekend.

Yet More on SockStress…

OK gang, the story gets interesting again….

Check this out for some deeply technical details on some level of the basics of the attack. Fyodor has done an excellent write up of his guess.

You can also check out the response from the relevant researchers here.

I do like and understand Fyodor’s point that this smells like marketing. Perhaps we are supposed to believe that the vendors will have their responses coodinated and completed before the talk and disclosure? If not, then what is the point of waiting to disclose except to sell tickets to the conference?

This is a pretty HUGE can of worms that seems to have been opened by Kaminsky during the recent DNS issue. I guess it is just another nuance of this new age of attackers that we have entered. We will have to deal with more “huge holes” accompanied by media-frenzy, hype, researcher infighting and security vendor blather until the public and the press grow tired of it.

My point yesterday was that one of these days we will reach a point when some of these major vulnerabilities will not be able to be easily repaired or patched. When that becomes so, we may have to find a way to teach every day users how to plan for, and engineer for, acceptable failures. Until then, we should probably hone those skills and ideas, because it looks like where we are headed may just be fraught with scenarios where some levels of ongoing vulnerability and compromise may be a fact of life.

I believe strongly that we can engineer for failure. We can embrace data classification, appropriate controls and enclave computing in such a way that we can live with a fairly high level of comprise and still keep primary assets safe. I believe that because it seems to be the way we have dealt with other threats throughout history that we could not contain, eliminate or mitigate. We simply evolved our society and ourselves to the point where we could live with them as “accepted risks”. Some day, maybe even soon, we will be able to spend a lot less time worrying about whether or not users click on the “dancing gnome”, keep their workstations patched or if there is a vulnerability in some deep protocol…

The Protocol Vulnerability Game Continues…

First it was the quaking of the Earth under the weight of the DNS vulnerability that kept us awake at night. Experts predicted the demise of the Internet and cast doomsday shadows over the length of the web. Next came a laser focus on BGP and the potential for more damage to the global infrastructure. Following that came the financial crisis – which looks like it could kill the Internet from attrition when vendor, customer, banking and government dollars simply strangle it to death with a huge gasp!

Likely, we haven’t even seen the end of these other issues when a new evil raises it’s head. There has been a ton of attention on the emerging “sockstress” vulnerability. According to some sources this manipulation of TCP state tables will impact every device that can plug into a network and allow an attacker to cause denial of service outages with small amounts of bandwidth. If this is truly a protocol issue across implementations, as the researchers claim, then the effects could be huge for businesses and consumers alike.

What happens when vulnerabilities are discovered in things that can’t be patched? What happens when everyday devices that depend on networking become vulnerable to trivial exploits without mitigation? These are huge issues that impact everything from blenders to refrigerators to set top cable boxes, modems, routers and other critical systems.

Imagine the costs if your broadband ISP had to replace every modem or router in their client’s homes and businesses. What choice would they have if there were a serious vulnerability that couldn’t be fixed with a remote firmware upgrade? Even if the vulnerability could be minimized by some sort of network filtering, what else would those filters break?

It doesn’t take long to understand the potential gravity of attackers finding holes deep inside accepted and propagated protocols and applications.TCP is likely the widest used protocol on the planet. A serious hole in it, could impact risk in everything from power grid and nuclear control systems to the laundromat dryers that update a Twitter stream when they are free.

How will organizations that depend on huge industrial control systems handle these issues? What would the cost be to update/upgrade the robots that build cars at a factory to mitigate a serious hole? How many consumers would be able or willing to replace the network firewall or wireless router that they bought two years ago with new devices that were immune to a security issue?

Granted there should always be a risk versus reward equation in use, and the sky is definitely NOT falling today. But, that said, we know researchers and attackers are digging deeper and deeper into the core protocols and applications that our networks depend on. Given that fact, it seems only reasonable to assume that someday, we may have to face the idea of a hole being present in anything that plugs into a network – much of which does not have a mechanism to be patched, upgraded or protected beyond replacement. Beginning to consider this issue today just might give us some epiphanies or breakthroughs between now and the tomorrow that makes this problem real…