An Historical Retrospective of the Future: 2013

Information Class Warfare part V

Information Security Process: Repeat

August 30, 2013

Information Security like all relationships requires time and effort. I use a security management system which works well for the companies I have secured and maintained. Classify, Secure, Audit, Educate, Repeat. Not a memorable acronym, but a very valuable path to cycle through. Each iteration has made my companies better prepared for the inevitable attacks and recovery easier and faster.

Repeat, yes, more than just to keep you as a security professional relevant to your employer, but also, repeat at sporadic intervals.

Perhaps this is the most important step, but all of the previous steps should be repeated.

Classification: Revisit your information classification document at least annually to verify that types of information can be added or removed. I have found that the levels of security and access rarely change, more likely that some services have been added or removed in the past year, so the information associated with those products needs to be added to the scope of your security planning or removed.

Securing Devices: These documents should be revisited more often, a scheduled review should be done at least every six months, but they should also be revisited every time a new vulnerability is released for the various systems or networks to verify that adequate controls are in place to mitigate a loss and that security is still at the same levels before the vulnerability was known.

Auditing procedures are generally an ongoing activity, but the guidelines and tools should be reviewed at least annually to see if there are better ways to make the job of auditing easier.

Education for each employee should be part of the on-boarding process, with static links pointing them to useful information specific to their job and a time should e set aside to visit each team at least once a year to see if they have any new issues they wish to address. Short fifteen minute meetings do not impact productivity and longer detailed questions can be answered outside of the meeting scope.

I hope this short series of articles was of use to you, these are some general principles that I use every day as an information security professional.

.wdnii.

Information Class Warfare part IV

Information Security Process: Security Education

August 29, 2013

Security Education is always an interesting topic for me to espouse. This can be done in large meetings with power points, white boards and boring speeches, just to show that you have exposed every employee to the magic of security. Another alternative are the various online materials which employees can use on their own, the more interesting piece is that your employees can refer back to these materials when they are actually useful.

Another way to avoid the large auditoriums and conference rooms full of employees who would rather be working and helping the company keep and create new revenue is to hold small short meetings with the various teams and if there needs to be longer discussions break those into several small 15 minute meetings. Getting directly to the specific points, flaws and how they can best keep your company information accessible, correct and private. This of course requires you as a security professional to spend many more hours preparing different presentations and holding many more meetings, spending much more time talking than the standard several hour big speech which usually causes more confusion and glazed expressions than a better security posture for your company. This method also lets your coworkers know that you are available if they have any issues, or questions.

The educational points on which I like to focus are that security is each persons responsibility, and as they say in New York "If you see something, say something". These general speaking points can be tailored into relevance for almost every group. I also try to let them describe what they feel are the relevant security issues in their departments, doing this twice once at the beginning of the presentation and then at the end after they have had a chance to hear why you think the various pieces of their job are important.

A few don'ts about your presentation, don't try to prove you are an expert in their field, don't try to be their friend, and don't over simplify your requirements.

I hope this is helpful, just a few tricks that I use every day when I do my various roles as a security professional.

.wdnii.

Information Class Warfare part III

Information Security Process: Internal Auditing

August 28, 2013

I cover auditing of the various security policies in this short article. Perhaps one of the driest piece of this repetitive puzzle, unless you decide to make this a game.

Continuous scanning, is one of the best methods to secure internal and external networks. These will detect poorly configured servers before external auditors, or hackers, and alert you to each device someone attempts to slip onto your network. Using a log consolidation system, helps identify threats and attacks, but can also be used for auditing. Attack each server with one of the various vulnerability frameworks and rotate through those only during maintenance windows or when agreed by the product owner. The logs will help indicate if there are any additional vulnerabilities that can be exploited, along with the framework reporting.

The game I generally see security professionals play is to attack servers and try to determine vulnerabilities before the System or Network Engineers are able to patch those servers, this always encourages poor cooperation between these teams, which succeed or fail only with each others help. A more interesting way is to hire outside auditors to test your site security or internal corporate security, and then run your own internal tests to see if you can find more vulnerabilities than they did. This is always more rewarding and rarely incurs the wrath of those on your own team.

Internal Auditing is a crucial piece of the the security puzzle, and must be regularly executed to maintain a working and thorough knowledge of your networks, perimeters and the success of your policies.

.wdnii.

Information Class Warfare part II

Information Security Process: Securing (policies)

August 8, 2013

I cover securing information devices and paths in this article in a general way, though I can provide more specific resources.

Securing is a multi-part process, first is taking the original classification of critical systems and information paths and using those to derive specific security policies for each type of device. A security policy should state why it exists, and which pieces of the organization it is trying to secure. Also, and while seeming trivial a date, revision history and revision number is useful.

Each security policy should list the types of networks, devices and data that are included and excluded. For example, a machine which runs DNS (Domain Name Service) externally will most likely have different restrictions from a machine which runs DNS internally. The same with routers, internal routers may have different types of restrictions and required processes than internal routers.

A security policy should list the roles and responsibilities of the system, the information and/or the people who administer and use that system and/or data located on that device. Some systems are critical and the business will fail if those systems are impacted either with a security breach or natural disaster, so some security policies require a business recovery plan for those systems to be back online. This can be done via an active / active solution so the system and data recovery will be without interruption. A hot standby solution provides usually a short interruption which is usually considered not to impact any revenue generation. A cold standby site is another solution, where a copy of the data is kept and depending on the requirements usually the site can be back online in minutes to hours. The least expensive solution is to have off-site backups, where an entire site can be rebuilt from scratch, but the downtime can be quite extensive.

A security policy should list the authoritative documentation for the systems and information being secured, such as any relevant technical books, Internet RFCs, and vendor documentation. You should also reference other relevant security policies and mention that they should also be used. This is the easiest section to write.

My security policies include examples of configuration files and which sections of those files are required to be used, how the program should be run, such as the user and group designations, the user and group ID numbers and even the location on the file system where the programs should be located.

Finally, a section stating which audit procedures will be used and what type of external controls will be used around this type of system. Again for a DNS server this can mandate where the log files are written and how often the system is audited.

Overall though, my philosophy of security is that the information provided needs to be available and accurate when needed. So, a clear link from the data or information categorization needs to be linked to the consumers that use each resource and how these security procedures allow those consumers access to the correct information, but do not allow the information to become corrupt, or allow the consumers to become compromised or allow the consumers to compromise the data for any valid use.

.wdnii.

Information Class Warfare part I

Information Security Process: Classification

August 1, 2013

Information Security like all relationships takes time and effort. I use a security management system which works well for the companies I have secured and maintained. Classify, Secure, Audit, Educate, Repeat. Not a memorable acronym, but a very valuable path to cycle through. Each iteration has made my companies better prepared for the inevitable attacks and recovery easier and faster.

I only cover Information Classification in this article; it is the most ethereal of the process. Every other step's effectiveness can be measured quantitatively, but classification is qualitative.

I first identify the pieces of information vital to the company's survival, vital to their growth and then protect against losing any company secrets. This protects the company’s present, their future and their advantages over their competition. I label this information confidential and apply that tag to any device that has control, such as routers, switches, servers, laptops, cell phones, desks, offices, secretaries, conference rooms, and the corporate phone system, for examples. All of these provide a way for this information to be compromised, to fall into the wrong hands, or be lost which could be even worse.

How valuable is something? Information is an abstract concept, but represents tangible assets in my corporate world. I came up with a few rules on how to determine the value of various corporate assets and information. First, how valuable is it to the company? How valuable will it be tomorrow? How valuable will it be 5 years from now? Second, how valuable is it to a department in the company, and how valuable is that department? And finally, how valuable would this be to a competitor?

Creating this inventory of information locations and which pieces of technology they traverse on a given day gives a decent idea of what needs to be secured. For the smaller companies I generally find every piece of technology needs to be secured and maintained, because high value information passed through multiple times a day. For larger companies this list has been more granular.

While coming up with this classification matrix is necessary, generally most servers, routers, switches, laptops have the same or a similar configuration. But this is not the case with every environment, and especially with Bring Your Own Device.

While this view may seem over protective and intrusive, this is just to bring to the company’s attention where their highest level vulnerabilities are,. Securing is a separate issue and can usually does not have to disrupt current business practices.

.wdnii.

Who Follows the Followers

Social Leadership

July 11, 2013

While checking twitter accounts of various technology companies I found an interesting correlation between the number of people that a company followed to the number of followers they had. Apple only follows nine people and Cisco over three thousand.

Another interesting bit, on Google+ the Google corporate page has fewer than two thousand +1s.

Following

Followers

Microsoft

1033

1716245

Google

394

6378566

Apple

9

1748061

Intel

1111

1727931

HP

815

116653

Oracle

491

139931

Cisco

3217

223250

.wdnii.

© 2013 Norris Proprietaries Inc.

Securing and Creating Chaos

Information Security and Software Engineers

July 8, 2013

As a security professional I am frequently asked “Which piece of the enterprise do you secure first?” As a developer, I am asked on a new platform “Which software do you port first?” These questions are both sides of the same coin.

In Information Security, coming into a startup whose focus is being fast, energetic and agile they look at me like alcoholics at an intervention. Like I am trying to take away their fix, their juice, their addiction. But in reality, I am trying to give them more. I just want to make sure they are drinking what they really like, so the beer drinkers get more beer, and the whiskey drinkers get more single malt. That metaphor holds.

My answer to the security question, which piece do you secure first, is also a question, “Which strand of spaghetti do you eat first when served a bowl?” Exactly, the easiest piece to come out. You look at the bowl, stick your utensil in, twist and pull. then things seem to line up, and slowly the chaos is clean.

Perhaps with Information Security there are some of the usual suspects, Identity Management, Role Assignments, Intrusion Detection, Intrusion Response, Services Protection, Information Loss Prevention to name a few. And I find that organizations are stronger or weaker in some of these areas. Which to address first? Find which piece can be done the fastest, cheapest and has the best return on investment. An old qualitative rule of thumb that I distill and discuss with co-workers, from engineers to the C-Levels.

As a developer on a new platform, I liken that to a new whiteboard waiting to be defaced. But the tools are easy, first an editor, to build a compiler and then I can write whatever software is needed, like a better editor. I imagine the process is like an architect, some just dump in the same foundations and build the same box in a different spot or others are artistic and the buildings seem to float.

So, with development the problem that needs to be solved is the opposite of security. With security you try to remove pieces without breaking the whole, with development you build a foundation and then the following levels, until you have a finished product.

But I find that rarely do I work on a new platform, instead I am thrust in the middle of a digital urban landscape, with various routes from where I am, to where my project needs to be. And I have to decide how to exist within the past digital environment, that others have left. Some developers don’t know how, or do not wish to learn, so they demolish and just build where they landed, and expect the corporate enterprise to come to them, others are immersed in the legacy systems and never try to build something new. But I envision the system as a whole, see the connections and move my project so I can take advantage of what exists while extending and making something more. This is how my development and security experience intertwine.

wdnii.

The Leader's Ship

Organizational Leadership
July 1, 2013

I have seen so many articles describing the enumerated habits of effective leaders, from what they eat, to how they phrase an email, and while intriguing and a good idea to study, this subject has been written to the point there is very few surprises. Most seem to paint a picture of a leader as the captain of a ship ordering his crew so that one boat reaches a safe port. While I imagine leaders who are admirals of a fleet of ships, or maybe a flotilla.

This also leads to other interesting questions such as why some groups of people are more effective at providing leadership throughout the world, throughout their nation or throughout their industry. Not just one individual motivating people, but an organization motivating their entire ecosystem to follow.

Since July 4th almost here, I am reminded as always of The Declaration of Independence which I think is one of the best examples of a group of people coming together and declaring not just that the citizens of one country were free, but that “all men are created equal”. While one man slaved and wrote the document, the adoption was by a group, and the US was birthed. The United States revolution inspired the French revolution, Haiti’s revolution and independence in other Latin American countries.

Mercedes Benz’s innovations starting with the automobile itself, continued with the modern car design by lowering the chassis, four wheel brakes, crumple zones, airbags and an exterior body line that most car companies still strive to copy. Their automobiles continue to vary the exterior design, and remain one of the top luxury brands. Mercedes Benz has lead the automobile industry from the very beginning and they still produce innovations that are coveted and copied by other car manufacturers.

The sixties produced large anti-war demonstrations, which while having many leadership figures they were mainly composed of smaller groups of college aged men and women who challenged the past US actions and were able to dictate US foreign policy, along with other social changes.

Many people in the precursor to the Internet had shareware and provided free and donation software, but Netscape is the first company I know of that released fully functional free products alongside a similar premium software product, for which they charged money. This now seems to be the industry standard for most small to medium software companies.

In the same time frame other revolutions have failed, car company innovations such as push button transmissions and front wheel drive have either disappeared completely tor failed to gain traction for decades. Demonstrations such as the 99%, while having some victories have not dictated the US financial policies.

Here is why I think the above examples succeed, not only in accomplishing their goal, but inspiring a generation, or generations to follow.

The United States’s Declaration of Independence while stating lofty almost unattainable goals, had a direct purpose, a single villain not overly broad, not impossible. This piece of parchment stated what every American knew in their heart of hearts. From this example I believe the lessons are clear. And they signed their names, providing not only lip service to their objective, but putting a target on their back which they wore proudly.

Mercedes Benz’s innovations are many, but most involve safety. These are almost unnoticeable improvements. Perhaps Mercedes Benz was the first automobile manufacturer to realize that if your customers don’t die, they will come back and buy again. Also, with many of the safety innovations Mercedes Benz choose not to defend their patents, which helped spread adoption.

The sixties protests had primarily one goal, to stop the war on Vietnam. With this as the primary objective eventually they succeeded.

While Netscape may not be around anymore their influence is still felt on every desktop, laptop and mobile device.

These nations, companies, students made their trail easy to follow, not just for the members of their own group but for everyone in their ecosystem. They lowered the bar for entry, such as Mercedes Benz not defending some of their safety patents and The United States with the Monroe Doctrine. Finally they had a laser focus on the end goal a single definable destination.

Apple and Google follow these practices religiously, Apple never has too many versions of the iPhone products supported and Google regularly takes an axe to products such as wave and google reader to make room for their next innovation.

While leaders do deserve a large amount of credit, its is the group mindset, mythology and doctrine which will determine whether they are successful in leading others in the industry to follow their path.

wdnii

Interviewing the Company

Interviewing: A First Person Perspective
June 24, 2013

Before I begin this unapologetic look at one of my most recent interviewing experiences, I would like to say that this experience has not been typical. I have worked with very knowledgeable recruiters and human resource departments in the past and present, who have offered much needed advice, guidance and worked diligently to identify positions and companies where we both have thrived.

I have left the recruiting company and interviewing company names redacted, because I am not trying to embarrass anyone, but hope that this negative experience provides better service.

My phone rang, and the recruiter on the other end detailed a job which sounded tailored almost exactly to my qualifications. I recognized the agency immediately, very well known and respected throughout the Information Technology industry. Eagerly I accepted and scheduled the invitation for a phone screening.

After passing the recruiter’s phone screen, which consisted of just answering in the affirmative that I knew certain buzzwords; the recruiter passed along which company name at which I was going to be interviewing. I immediately remembered interviewing for almost the same position two years ago. I distinctly remember that their culture was not a good fit at the time. Same recruiting company, same end company. I was hoping they were much better than before and had progressed with their business outlook and internal information security issues.

The phone interview with the IT manager was almost exactly as before, his monotone questions and monologue showed a disinterest in his job, responsibilities and especially interviewing. He was unprepared, and as the conversation progressed the job requirements seemed to evolve. As he read more about what I have done in other companies his “Yeah, we need that too”, was repeated.

I accepted the onsite interview and decided to interview the company, and find out what they were really like. I have looked online to see company employee reviews, but honest internal company workings are almost never discussed, and rarely do I see reviews of recruiting companies. This particular recruiting company did not provide any additional information about the position, aside from what they had said on the phone. The better firms I have worked with in the past have been like AAA, they provide detailed maps, company history, places nearby to eat, even if the location is only a couple miles away. I always appreciate recruiters that take an interest in their job and build relationships with their clients and know their customers. This recruiter as not interested in either. But at this point I was not going to move forward with the position based on the phone interview, unless their office atmosphere was dynamically different than that soulless manager’s voice projected over the wire.

I arrived, as usual, twenty minutes ahead of time, had their documentation printed, but their secretary had no idea there were any interviews scheduled or that anyone was expected. After a brief wait their Information Technology manager showed, and we went into his office. He asked what position I was interviewing for, and I related the title from the email correspondence and he said, “No, you are here about a different position”. I held back a small laugh, yes at that point I knew this was going to be a fun day.

In his office he sat behind his desk and fidgeted, then asked or a copy of my resume, and we sat in silence while he read. Finally, he broke the silence and the interview process began in earnest, he began to mention the various projects that he needed complete, the list was very similar to their needs two years earlier. Same company, same security holes, just two years later. At this point I knew I was not moving forward with this company. I guess I could have walked out, but then I may not have had the funniest moments to relate here.

After just finishing reading my resume, he then began to recite my experience back to me, and incorrectly, I had to bite my lip to keep from laughing. I did correct him, “No, I am sorry, that is not a project I worked on”. Disinterested he glanced back at my resume and then he proceeded to look at the ceiling and relate his three years of experience with this company which from my take is really just the first three months of a typical startup. I listened intently and nodded appropriately and just noted to myself how clueless he was. He then proceeded to tell me that these were all project he could do himself, but I had a certification that he did not and that was the reason I was being considered.

He then brought in another employee to interview me in an old abandoned office that would have fit perfectly as a scene from The Walking Dead which I think is a distinct metaphor for the company I was interviewing. Yes, I was interviewing them.

The second interviewer kept putting his glasses on and taking them off, and sitting silently in a chair. He appeared to know nothing about the position, responsibilities and he asked very few questions. He looked as though he had never seen my resume before, and had no interest in doing the interview and in no rush to get back to work, even though I was recalling the long list of security projects that his manager had just told me he urgently needed completed. His words.

As I was leaving, they had violated so many security procedures I did cut them a break and return the badge they gave me at sign in. And with that, I mustered a hearty “Good Luck!” and was glad I had dodged that bullet two years ago.

wdnii

Finding, not Searching. The Theory of Answers.

Answer Theory
June 17, 2013

The question throughout human history has been how to find relevant information in the shortest amount of time; basically, to find the answer. I have always argued that people want to find the answer, not search.

The simplest solution has been to collect the information in some type of storage, memory, cave paintings, books, video, hard drives. And to pass that information from one person to another, via language, airwaves and networks, both social and digital. Currently "The Cloud" and "The Internet" seem to be the storage and information transit solutions.

Finding the answer from older storage solutions, like memory, books and even older computer mainframes required hours of manual labor, usually via an expert in the field, even after computers made information correlation faster and easier, still experts were required to find and provide answers. And these methods to supply answers were very expensive.

Ways to use the internet to generate answers evolved from the basic search functions, providing lists of links that anyone could view and determine which pieces were relevant, one distinction was that the question had to be asked, the other was that the links used very little information about who was asking the question. Probably the most used way to answer questions still in use, almost unchanged since Yahoo!

Some search engines use people to determine what the most likely searches people are making and tailor the results, like ask.com.

Social Information systems usually generate answers before requested based on a users biases and those of their friends. For example sending information on a concert before you even knew they were on tour. You no longer have to wait for an MTV news update. While being predictive social media sites generate noise, not every update is valuable information.

Hybrid answers are generated by combining the search methodology with social networking, having a user's search results influenced by their social media contacts, past searches and even current location. Google has various solutions which provide argumentatively better results using these methods.

A future successful version of the answer system would have less noise than social media systems, but provide relevant answers before a user asks. Google Now appears to do this by taking the most asked questions and dynamically providing the answer at the correct time, such as, "What will my commute home be like?"

And other solutions will use the phonemes from our searches to search youtube videos, music, tv shows and movies to provide better answers and better answer format. Of course this may bring an end to the #hashtag.

Taught by Dad

Confidentiality

June 16, 2013

Growing up I lived in small towns all my life, and my father was one of the respected ministers in the community. These places were so small that everyone knew everyone else’s business and even my elementary school teachers were eager to discuss town gossip in front of the class.

One day Mrs. C walked into class after our recess and had a solemn expression on her face. We had all taken our places at our desks, and I was ready to engage her in our nap time game of chess as we usually dueled while the rest of the class slept.

Instead she came to my desk, and took me outside. She explained that another student in the class, I’ll just call him N, his parents were getting a divorce and she wanted me to talk with him about how things weren’t that bad. At this time I had no idea what a divorce even was, but she picked me because of my father’s position. So a few minutes later N came out, and we talked.

Late that night, when my father came home I talked with him about what happened, and he told me that I had been entrusted with a very important piece of someone’s life, and I shouldn’t relate that information to anyone, and so I never discussed what was said even to my teacher.

Later in High School, our house was egged, eggs thrown at the doors, windows and cars. The clean up was messy. I was furious, wanting to know who did this, and of course to find justice. My father sensing my anger took me aside and told me not to mention this incident, but always remember and one day someone would lapse and mention something that they shouldn’t know, and then I could find out who. But if I let them know that they had any effect, then they wouldn’t need to pry to see my reaction, and i would probably not discover who was behind the prank.

My father never speaks bad of anybody, but is opinionated about policies. He never rakes mud over someone discussing their infidelities or faults. He has never broken confidence about anything discussed with him. He is a role model for information security.

These incidents helped to teach me how to control and take care of confidential information. How to keep private incidents private and how bringing someone else down does not make you a better person, and to be wary of people who do.

Each of these life lessons can be applied to information security, determine which pieces of the company to keep private, even from other employees. Keeping failed attacks undisclosed can bring out who actually caused the attack, because they may not be able to determine if their attack succeeded. And pointing fingers without evidence only burns bridges.

Happy Father’s Day

Information Aggregation

Information Visualization and Aggregation

June 10, 2013

The way I think of Information aggregation are processes which organize the incoming flow into various streams or channels, yes, channels like television. These channels could be, for example, like sections of a newspaper, “Sports”, “Current”, “Politics”, and can be grouped further by how well you trust the source such as: qualified information, unqualified information and advertising Information, or by the information being pushed up or down by other site users, such as on reddit.

There are way too many applications to individually name, but I am particularly interested in mobile apps, and the best appear to be: Flipboard, Google Now, Google Currents and Taptu.

Taptu has a nice interface, but ignores social media sites and only has access to news.

Google Currents does not aggregate between information providers, so you cannot see just a general category of ‘Sports’. But you can view the articles in the LA Times, for example. The information display feels to be displayed more by a program than by human design.

Google Now places applications on the google search page to customize information selection and the display dynamic, such as providing current conditions effecting the daily commute.

Flipboard is one of the more interesting applications. They provide access to social networking posts from your friends, magazines, newspapers and current trending social networking and news feeds. Some of the magazine articles are the initial teaser and then you are prompted to subscribe if you want to read the entire article. Flipboard uses a pictorial interface, like an advanced Tumblr., and Flipboard does display Tumblr. blogs better than Tumblr. The interface feels designed, less robotic.

Finally Android OS and the various widgets can fit into this category allowing aggregation updates, but each widget has a slightly different look and feel, not providing a uniform experience.

Next I expect we will see News TV aggregation would pull out snippets of the news programs for you to view only on the topics you were interested. You could build your own 30 minute news TV show from the various programs. Probably a few copyright issues to clear first.

Another along the same thought would aggregate articles on a single topic eliminating redundancy creating one article with all of the information. Be kind of interesting to run editorials from opposing points of view.

And an aggregation stream that will include radio and social tv channels, along with social picture, blogs, and the pay for media sites.

Finally, the big changes will come when some company can provide a subscription service which includes most all of the various premium content for one monthly fee. This will encourage a pay stream for internet content which is currently underperforming compared to other content/information delivery systems.

wdnii

	Following	Followers
Microsoft	1033	1716245
Google	394	6378566
Apple	9	1748061
Intel	1111	1727931
HP	815	116653
Oracle	491	139931
Cisco	3217	223250

Subscribe To