Thursday, 17 December 2015

Take my crypto from my cold dead hands

As much as our society today relies on technology, very few people actually understand how it works. This shows not only in the fact that many of us geeks spend the holidays fixing random computer, smartphone and tablet problems, but also in the fact that legislators are making assumptions about technology that are ridiculous, if not asinine.

I've heard from several people that calling things ridiculous (or asinine) is not conducive to dialogue. "We need to meet them where they are", they say. "We need to talk in their language", they say.

I have the benefit of playing my euro card. My euro card allows me to be direct, maybe somewhat rude, and to the point. I don't play it often because I like to get along with people but I play it when it is needed. At this point, it is needed.

This week I find myself in the United States and I happened to watch the Republican presidential debates. The candidates were, among other things, adamant that a government should have access to encrypted communications. It's a debate that has been ongoing for a while now and it always boils down to the same thing : encryption hampers law enforcement from doing their job, therefore encryption should be weakened so law enforcement can do their job.

My good friend Meredith Patterson already covered the technical impossibilities of weakening encryption here : https://medium.com/@maradydd/four-impossible-things-before-key-escrow-85478d949502#.cufwnrnph

My questions for today are : When did we become lazy? When did we forget to use science to our advantage rather than our detriment?

Our society has made great strides forward thanks to encryption, and despite it. The fact that you, today, can do bank transactions, exchange personal and health information, submit your taxes online, etc. without having your data compromised is thanks to advances in encryption. If it is done right, and not everybody is doing it right, your data stays safe: you won't be running to the bank for new credit cards every week, and you won't see your personal data exposed in the next breach.

It is the same encryption that is used for good that could be used for bad. There isn't a single argument one can make that would justify weakening the encryption we use for good. Enabling a government, or any actor for that matter, to intercept or read encrypted data from bad guys weakens encryption for the good guys too. There is no way around that.

Now, the argument is that this is a new problem. This isn't true. It is a lie used by people that don't understand technology and that refuse to acknowledge our history.

The scytale was an encryption method used by the Spartan Greeks as far back as 300 B.C. (some sources place it centuries earlier). It allowed confidential communication between parties and relied on nothing more than a strip of leather or parchment wrapped around a rod: the message was written along the rod, and the unwound strip showed a scrambled sequence of letters until it was wrapped around a rod of the same diameter. There is not a single piece of evidence that the Greeks considered banning rods and strips of leather from the general population because they could be used to send hidden messages.

More recently, during World War II, the Germans used the Enigma machine to encrypt their messages. This made it insanely difficult for the Allies to know what was going on; at times they feared they might lose the war because of it. At no point did any of the Allied governments consider banning encryption because the Germans were using it. At no point did the legislators of that era become stupid. No, they relied on science and technology to solve the problem. Britain gathered mathematicians like Alan Turing at Bletchley Park, built on the earlier work of Polish cryptanalysts, and broke the Enigma-encrypted messages. Technology helped them win World War II.

Now, although the presidential debate I watched tried hard to prove me wrong, I don't think that people - in general - have become more stupid. We need to understand that encryption is necessary for our society to thrive. We need to acknowledge that turning back the clock has never helped a society to make advances.

If we are forced to live in a society that fears technology, the bad guys have won. If we are forced to live in a society that fears encryption, the bad guys have won. Our leaders (and I'm not sure if we call them that today) have a duty to protect us. You don't protect your house by taking out the locks.

Today I take a stance in this debate. You can come and take my encryption from my cold dead hands.

Saturday, 14 November 2015

Of the CISSP, infosec licensure, and how we bring things upon ourselves

[Disclaimer: this post represents my personal opinion. It does not represent the opinion of any past, present, or future employers, clients, or associates.]

I was looking forward to a quiet Saturday evening. I'm traveling tomorrow to be on site with a client on Monday. I did not count on Ed Bellis being active on the twitters and coming up with this jewel of a tweet :

CISSP certification requirements baked into contracts make me chuckle.

It put my brain in gear.

Straight out of the gate Ed makes 100% sense. Why would certain (security-related) tasks described in a contract require a CISSP? If anything, we know there are skilled people out there without any formal education or certification. We also know that there are some pretty unknowledgeable people out there holding multiple Master's degrees and dozens of certifications. Certifications do not guarantee knowledge. Why then would clients choose to require them in contracts?

The single question from Ed actually kicks a lot of hornets' nests. More than he actually thinks, I believe. Ed, as far as I understand, is a bit shocked that he - as a known expert in our field - cannot work on the contract he mentions because he does not hold a CISSP. He's probably as qualified as people holding the cert, if not more. Why would companies be so stupid as to keep him out of the game?

I'm certain it is not personal, Ed ;-) Companies have been burned more than once. They have paid dearly on projects they awarded to players in our market that promised them the world and then failed horribly. Companies bring in inexperienced consultants and make junior people "learn on the job" (on time paid for by their clients). We know it happens. We all hope it goes away. Obviously it won't. In the meantime, the clients are playing poker and cutting their losses.

Our industry doesn't, yet, have a form of licensure. There is no obvious way to tell bad players from good players. There isn't a real barrier to entry. To save some of my Saturday night I will not debate whether licensure is a good or a bad thing and whether a barrier to entry is needed. I've had the privilege of discussing the topic of licensure with a diverse subset of my peers and I have not made my mind up yet. I'd encourage everybody to explore the topic and ponder it for a while. I'd be happy to engage with you.

So here I am, putting myself in the position of the client. I need outside expertise for a security project. Let's say that 1 out of 5 of my previous security projects failed because the partners I worked with under-delivered, went over budget, etc. etc. I have paid dearly for that. The obvious choice is to go with a different partner, but how do I tell which partner is the good one? I have no way of doing that. Do I roll the dice and dive into the deep end with a new unknown? I don't want to take that risk. What are my options?

If I want to vet every individual consultant that is going to be on my contract, that is going to cost me a lot of time. I may still not be able to validate all of their experience, and I don't remove any of the risk. Sure, there are capable people out there, but my previous experience tells me to remain cautious. What else can I do?

There is an organization out there that validates that its certificate holders have at least 4 years of experience in the industry (the CISSP requires five years of cumulative paid experience, with a one-year waiver for a relevant degree or approved credential). That is awesome, because now I can just check for their certificate and I know that they've been around for a while. Do they guarantee success? No, but they are not straight-out-of-school theory monkeys. At least there is a bigger chance that in the 4 years they have been around, they have seen and done some things relevant to the work they're supposed to be doing for me.

Is there a down side? Obviously. I know that there are very smart people out there without the certification that I require them to have. I am consciously choosing not to have them on the contract. Is that stupid? From their perspective, probably yes. But here I am, choosing between vetting every candidate myself or relying on a certification that comes with at least 4 years of experience. Economically, I win more by doing the latter. You can argue your competence until pigs start flying, but you can't argue with economics.

Now, in closing, we have to consider why we have come this far. Our industry is full of solution and service providers that jump on every opportunity to "do security" and fail at the cost of our clients. Akerlof's theory of the lemon market (buyers who cannot tell good from bad only pay for average quality, so the good sellers leave the market) has been repeated ad nauseam in talks, podcasts, and discussions over the past ten years (if not more). Do you truly expect your clients to sit by and do nothing? This brings us back to the discussion on licensure. Historically, licensure has been introduced in professions for various reasons. Often it is introduced by government, to push out quacks and charlatans. Very few professions have been able to successfully introduce licensure themselves. Is it time for our profession to consider an attempt at licensure? And, if so, what would that look like?

Our clients definitely think it has become worth it to value 4 years of validated experience over X years of self-claimed expertise. Whether you like it or not.

Tuesday, 10 November 2015

The plans I have for ISC2, its membership, and the industry

[This post is primarily meant for ISC2 Members but it might be interesting for security people in general, as I think what we need to do is not limited to a particular organization within our industry. It is a fight we need to fight together. For better or worse.]

You can read about the general idea behind my campaign for the ISC2 Board of Directors here.

You can read about what I've already done in my first "tour" on the Board here.

The past is the past. Between November 16th and November 30th, ISC2 Members vote for 4 new directors, and they will have their work cut out for them. As much as you may believe that being a board member is a token position without responsibility, it definitely is not. To my own detriment, I take this uncompensated responsibility very seriously and I want to make a difference. First and foremost for the membership, but also for our profession and our industry.

1. ISC2 needs to represent our interests. Left, right, and center.

I've said this before and I'll say it again : In all the important debates about information security - whether they are held in Washington DC, in the European Parliament, or anywhere else - ISC2 is absent and silent. As the organization that represents the largest number of security professionals in the world, we cannot afford to leave our voice unheard. On topics such as securing the Internet of Things, export control, and other legislative issues involving information security, we need ISC2 to be vocal and to take responsibility for informing all parties without bias.

How can we do that?

The first step is engaging the membership. ISC2 will need to leverage the active membership it has to keep a finger on the pulse on all things information security around the globe. This can happen through a closer relationship between the organization and the chapters. The structure we built through the chapters is our biggest asset to create one voice that represents members, and industry, globally.

Secondly, ISC2 needs to strengthen its relationships with peer organizations in the industry. This has happened over the last few years, but I strongly believe we can do more. At this moment our profession is represented by lone riders ("cavaliers seuls") and does not have the credibility it should have.

Third, we need to engage individuals outside the membership to weigh in on topics that ISC2 doesn't traditionally have a lot of credibility in so the organization can represent a balanced opinion, educate policy makers, and positively influence society.

One of the topics at hand is security research related to exploit development and export controls. Here I call for the immediate creation of an advisory council that has the ability to help the organization form the language on much-needed global education on the topic. The members of this council do not necessarily need to be ISC2 members. They need to be recognized experts on the topic that are willing to devote their time to doing the right thing.

2. We need to define what Security Engineering means.

[I understand that Engineering is a term some people are passionate about. I am not trying to find an alternative to the formal engineering science. I am open to suggestions to replace engineering with a better term.]

Some of my friends have heard me talk about this topic for a while now. It is something I wanted to kickstart in my first term on the Board, but that didn't happen because there were other priorities. I want to make it a priority in my next term, if allowed.

Security today is no longer a tale of firewalls and antivirus. As we build and use technology that influences our very lives, security is present on every level of those technologies. Starting at the hardware level, over the network and operating systems, through to the database and application technologies.

Saying that a single certification covers all of those areas is a lie. The fact is that we have no way to identify and recognize the security engineers that organizations so sorely need.

What I want ISC2 to build is a certification track that is aligned with engineering principles to provide certifications that allow us to educate, train, and certify those security engineers.

This will not be a certification that you can go to a bootcamp for and pass. The people that go through the whole track, eventually, will be the people organizations can rely on to build a secure IoT, secure vehicles, secure web technologies, secure ICS environments, etc. etc.

It is something we are missing, and it is something we sorely need. I will make it my priority from the moment I rejoin the board.

3. Make a more efficient Board of Directors

Without a doubt the most frustrating part of my first term on the Board of Directors was the significant amount of time we, as a Board, spent on managing ourselves. This Board's time should be spent on the strategic issues affecting the organization and its membership.

Currently the Board has 13 members while the ISC2 Bylaws prescribe a minimum of 7 members. There is no way for the members to evaluate the effectiveness of individual Board members and make an informed decision on whether they are representing their interests. From my personal experience, not all Board members contribute to the common goals, and in many cases the number of uninformed opinions actually detracts from the tasks the Board has.

There are 3 things I want to achieve here :

1. I want the Board to reduce its number of members to 9 over the next 3 years. That is 2 more than the Bylaws prescribe and 4 less than there are now. This alone considerably lowers the cost of the Board. It will also force Board members to be active, because in a larger board there is more room to hide in the shadows of those that do the work. Additionally, it forces the Board to rely on other members for the committees. This also feeds the leadership pool the Board draws from, which is needed with the new and stricter term limits.

2. I want the Board to develop transparent communications about the performance of the Board in general and individual Board members specifically. Just like you know about how your representatives in government perform (absence, voting record, involvement in committees, bills proposed, etc.), ISC2 members have the right to know what their Board and its members do (or don't).

3. I need the membership to become more engaged with the Board of Directors. With 100,000 members, we have a lot of brainpower, great ideas, and unlimited motivation to do positive work in our industry. Without the contribution of the membership, the Board cannot be efficient. If I make it back to the Board in 2016, I will do my utmost to bring the Board to the membership and the membership to the Board.

I hope you are with me, because I am going all in on this one.

Tuesday, 20 October 2015

One (ISC)2

Today I am kicking off my campaign for the (ISC)2 Board of Directors elections. You can find the slate here : https://www.isc2.org/board-slate/default.aspx

I'm excited to see so many good (and new!) candidates on the slate, but obviously I'd like for you to cast a vote for me. I am proud of what was achieved during my first term on the board, between 2012 and 2014, and I would love to build on that momentum in the 2016-2018 term. I don't want to spend too much time on past achievements, but I think they are important to know :

- David Shearer, who was at that moment the COO of (ISC)2, was selected as the new Executive Director after a thorough evaluation process. He took over from Hord Tipton on January 1st 2015.
- The (ISC)2 strategy was refocused on the membership, away from a pure focus on certification and training.
- The CISSP CBK and the exam based on it were reviewed and changed considerably. Reorganized domains and 40% more (and more technical) content were the results. The new certificate was launched in early 2015.
- As Chairperson of the Board I established the Bylaws committee. This committee focused on reviewing the (ISC)2 Bylaws, which were last changed in 2004. Earlier this year, the board brought the new bylaws before the membership. These new bylaws would establish stricter term limits, ensuring that the board sees a more constant influx of new blood and new ideas that would benefit the membership.
- During my first term (ISC)2 became more engaged with the security community. This happened through the support of BSides events and through the organization of (ISC)2's own Secure events. Not to forget the yearly Security Congress.

Obviously I am extremely proud of these achievements and, again, it would be my privilege if the membership decided that I can help build on that.

The core idea behind what I want to achieve is, as the title of this blog post doesn't try to hide, "One (ISC)2".

I believe in an organization that allows the members to collaborate, that provides a platform to share ideas and experiences, and that supports members learning from each other. This will require an investment from the organization but also from the members themselves. The organization should bring the global membership together to achieve this.

I believe in an organization that represents security professionals when it comes to the bigger debates and initiatives in our profession. Most recently there have been very important debates in our industry about the use of strong cryptography, about regulation of security software and hardware, and about security in the Internet of Things. I believe an organization that represents a large number of security professionals should be more present in these debates, through its members and by unifying the message the membership believes should be sent.

I believe in an organization that brings together professionals globally. Our profession is very fragmented and more often than not this leads to heated arguments. Whether we are incident responders, CISOs, penetration testers, or anything in between, we are security professionals first. We share a common goal to make this world more secure and I believe (ISC)2 has the ability to drive this goal much harder than it currently does.

One (ISC)2 is the organization I want to help build during the next 3 years, and I hope I can count on your support to do that. More details on what I want to achieve in which domains will be shared here over the next few weeks. In the meantime, please motivate every (ISC)2 member that you know to engage in the pre-election discussions and to choose the candidates they vote for carefully.

I look forward to serving the membership once more.

If you have any specific questions or remarks about me, my candidacy, or the future of (ISC)2, please do engage.

Sunday, 16 August 2015

Leading in a do-ocracy ... afterthoughts

There's nothing like arriving in Las Vegas and having Chris Nickerson rope you into a panel at BSides titled "Leading in a Do-ocracy". The panel was posted in the "I am the cavalry" track and its abstract looked like this:

What is a "do"-ocracy, and what does it take to lead one? While some people stand back and gawk at problems, others jump in to do something about what they see. Explore some common traits of do-ocracies, why they inspire others, and how leaders emerge. Learn from the successes and the failures of our panelists, and hopefully spark ideas within yourself that you can bring to a do-ocracy of your choosing or making.

Moderated by Tim Krabec, the panelists were Tod Beardsley, Beau Woods, Chris Nickerson, and myself. Nothing is better for a panel than an audience with an opinion, and I can say I was happy that Keren Elazari decided to "give it to us" and become our fifth panelist. You can watch the panel here :

Now, being on a panel about leadership feels strange to me. I don't think I'm particularly knowledgeable on the subject and I don't see myself as a leader. Then again, we live in a world where everybody and their mom are keynote speakers on "leadership", "how to lead millennials to success", and other very interesting subjects. The funny part is that it is always very hard to trace back any form of leadership experience in those people's résumés. Furthermore, most recently we have seen the advent of courses with super-awesome titles like "How to evolve from a middle manager to a middle leader". I kid you not. I wish I were, though.

Let me be very clear, and this is my (very strong) personal conviction: some aspects of leadership can be adopted, maybe even faked, but leadership is not something that can be taught or learned.

Now, I do understand that some people might see me as a leader of some sort (Chris, I'm looking at you!) and I can't deny that I've been studying leadership in various forms since I was very young. I've also discussed the subject with people that, at some point in my life, were mentors to me. So here are the things I consider to be true about leadership.

Be the servant leader

Nothing makes a leader like quoting from some old book that most of the audience has never read or, better, never heard of. When it comes to servant leadership the Tao Te Ching gives a fairly good description :

The highest type of ruler is one of whose existence the people are barely aware.
Next comes one whom they love and praise.
Next comes one whom they fear.
Next comes one whom they despise and defy.
When you are lacking in faith,
Others will be unfaithful to you.
The Sage is self-effacing and scanty of words.
When his task is accomplished and things have been completed,
All the people say, 'We ourselves have achieved it!'

A leader rarely leads from the front. He's among the people doing the same work and at the disposal of the people, serving by the grace of the people. I guess what I'm trying to say is that leading in a do-ocracy is not about choosing the topics and gathering people around you to do them. It is about finding the topics that are important to the people and becoming part of the group, working in the trenches with them while not holding back on sharing knowledge, cycles, and sweat.

Understand your level

I've only recently become aware of John Maxwell's "5 levels of leadership" and it kinda hits home. Now, you have to understand that it takes all kinds of leaders to achieve success. A level 1 leader is not necessarily a bad leader, and a level 5 leader might not be what you need in some circumstances. We, humans, like to think that we have to achieve the highest level, and try to be who we are not to get there. For me, understanding your level of leadership is an important step in understanding where you can be most effective in helping to achieve goals. Here are those 5 levels:

1. Position - People follow because they have to.
2. Permission - People follow because they want to.
3. Production - People follow because of what you have done for the organization.
4. People Development - People follow because of what you have done for them personally.
5. Pinnacle - People follow because of who you are and what you represent.

You can easily apply these levels to the people around you. You will quickly come to the conclusion that most people fall somewhere between level 2 and 4. You'll also realize that, as I said before, you know very few people that have moved up more than 1 level in their leadership abilities. That is what I mean when I say leadership cannot be learned or taught.

Kaizen and continuous improvement

something, something, Six Sigma, black belt, Deming, Toyota.

I've read countless blogs and books on the Kaizen methodology. Moreover, I studied Kaizen before DevOps people started using Kanban boards to divorce themselves from responsible design and formal architecture. You can do that too, and I'll not go into detail about what Kaizen means here.

I guess that the key take-away from Kaizen is that success is measured by the quality of your output. To me, it means these things:

  • You cannot do ALL THE THINGS. You might want to do them but you can't do all of them WELL. Pick the things wisely and apply maximum effort. There is only one speed : Go!
  • Don't be a pussy, accept criticism. This is a big one! When you're doing stuff, people will come out of the woodwork and criticize you. That's cool; don't qualify them as detractors because they're saying something you don't like. All feedback is GOOD. Feedback shows that people care. Feedback allows you to steer where you are going (or not). The moment people stop giving feedback is not the moment you're doing the right thing. It is probably the moment where you should consider abandoning your efforts, because the people no longer care and you're merely doing this for yourself.
  • Focus on your outputs and ensure that they are of the highest quality possible. Quality is not measured in the number of retweets and likes; those are dumb metrics. Quality is measured in how people apply your outputs to do other awesome things. It is measured in how people appropriate your shit and make it even better or apply it to do something completely different.

I'm sorry that this has become such a long post. I hope it is helpful to some of you. We all have limited time out here and we can't all make a dent in the universe. We can do our best to leave this world better than we entered it. The badges and accolades we can receive are nice, but they mean nothing when the worms are nibbling on our toes.

Do right, do with empathy, and do selflessly, but most importantly DO! 
Or don't, but then please get out of my way.

Saturday, 15 August 2015

Changes to the (ISC)2 Bylaws : Your vote is important

Note 1 : This post is only relevant if you are (looking to become) a member of (ISC)2

Note 2 : As a member of (ISC)2 you might not care about voting on any matters related to (ISC)2. In that case too, your vote is important. Even if you don't care, do vote. This post exists to raise your awareness of that.

Note 3 : I was an (ISC)2 Board member from 2012 until 2014. I am currently not a Board member or in any way involved in the matters at hand. This post represents my personal view and not that of the (ISC)2 Board of Directors, any individual Director, or the organization.

On August 7th (ISC)2 management notified the membership of a special meeting that will be hosted at the (ISC)2 headquarters in Tampa, Florida. At this meeting there is currently one agenda point: 
“To approve of (ISC)² modifying the (ISC)² bylaws currently in effect since July 17, 2004 and replace them with the proposed amended and restated bylaws.” 

--VOTE HERE--> https://www.isc2.org/SpecialMeetingVote/  <--VOTE HERE--

As a member, I will vote in favor of these new bylaws and in this post, I shall explain why.

Bylaws, for any corporation, are basically the operational blueprint of the corporation. This means that they put into writing how the corporation is run, by whom, who bears which responsibility, etc. etc. They don’t change often and the (ISC)2 Bylaws have not changed since 2004. 

When I was Chairman of the Board in 2014, I specifically created a Bylaws committee that was tasked to review, and potentially amend, the (ISC)2 Bylaws. In that sense, the special meeting is a direct result of my actions back then.  I am actually happy to see that the Board has continued to work on this topic and is now proposing changes that are important for the membership. And those changes are GOOD!

For starters, the preamble to the Bylaws has changed significantly. While the strategic mission of the organization has moved from a product focus to a member focus back in 2012, this is now also reflected in the Bylaws. It is set in stone.

Many of the changes are cosmetic in nature or change wording to be current. I will not delve into those specifically. Then there are specific changes that relate to how the Board functions. One example is the following :

13. Action Without a Meeting/Written Consent. Directors may vote without a meeting if (i) the vote being taken is in writing; (ii) all Directors (100%) consent in writing; and (iii) each Director's consent is included in the Board records. Consent may be given by electronic means. Such consents shall be treated for all purposes as a vote at a meeting.

14. Telephonic Participation in Meetings. Other than during executive sessions, Directors may participate in any meeting by means of a conference telephone call or similar communications equipment by means of which all persons participating in the meeting can hear each other at the same time. Participating by such means shall constitute presence in person at such meetings.

This greatly improves the efficiency of the Board. Since it gathers only 4 times a year, decisions cannot always wait for the next Board meeting to take place. These provisions make it possible for the Board to make decisions without an in-person meeting, allowing it to be more agile in its actions.

However, the most important change in this document is related to the Board Member term limits. When I joined the Board in 2012, one of the key elements that drove my platform was the membership's objection to seeing the same people sitting on the Board all the time. Some Board Members have been, thanks to the flexible term limits in the 2004 bylaws, on the Board almost continuously for 14 years. The new bylaws make this impossible, as they state :

Term Limits: “Service” means occupying any position as a Director of (ISC)². Service as a Director may not exceed six years in any ten year period; provided, that all Directors currently serving in office as of the effective date of these Bylaws may complete their duly elected or appointed term of Service. No one may serve as an appointed Director more than once, regardless of the duration of their appointment. An appointed Director may stand for election by the Members to a term subsequent to appointed service, subject to the term limitations stated herein 

Previously they stated the following :

Term Limits: No member may be elected to the Board more than twice in any seven year period.

Now you may ask why this is such a huge difference. My answer here is two-fold :
  • First and foremost, this forces the Board to be on the lookout for new blood all the time. Where under the original terms a Director had to wait only one year after two consecutive terms to run for election again, the wait is longer now, and searching for new, talented Directors becomes an important task to guarantee continuity. It also allows the Board to get new ideas on board. This is key for the organization and the membership.
  • Secondly, however, it forces the Board into transparency. Under the original terms there was always somebody there who knew (of) the history of the organization and the Board, somebody who could clarify based on personal knowledge. There was no immediate incentive to document or organize. With these new terms, the Board is obligated to maintain a formal history and to no longer rely on individual knowledge. It does not need to be argued that documentation leads to accountability, and that too was one of the key points that underpinned my platform to become a Board member back in 2012.

In that sense, this single meeting is the culmination of (more than) 3 years of effort to effect change. I cannot discount the work that was done by Board members before I joined or the work that was done after I left. What is important is that we are finally there and you, as a member, can acknowledge this by voting “YES” for these important changes.

I hope that you can find the time to confirm your vote and support the Board to continue their work for the membership.



woensdag 29 juli 2015

8 reasons why you are not a cyber soldier

Most recently I entered a twitter "debate" that wasn't really a debate at all. While the person who initiated the debate seemed to be looking for consensus on the definition of a certain term, their goal turned out to be getting confirmation of their own definition, one firmly rooted in the military and CI world. I generally get annoyed by debates that are not debates, but I get more annoyed by military jargon in our industry.

In recent years the security industry has started to use more and more military terms in its jargon, to a point where it really is becoming ridiculous, if not dangerous. There certainly is state-level hacking activity going on. However, for many people in our industry who have a responsibility to solve hard security problems for organizations, that shit is not relevant.

I'll repeat : "THAT SHIT IS NOT RELEVANT!"

I get it. As kids we already liked to play soldier, with wooden sticks being our automatic rifles and our friends being the willing enemy that we blew to smithereens while yelling PEW PEW PEW. The internet is our playground and we still like to be soldiers.

Personally, I like to refer to James Mickens' excellent column in USENIX's ;login: logout of January 2014:

The “threat model” section of a security paper resembles the script for a telenovela that was written by a paranoid schizophrenic: there are elaborate narratives and grand conspiracy theories, and there are heroes and villains with fantastic (yet oddly constrained) powers that necessitate a grinding battle of emotional and technical attrition. In the real world, threat models are much simpler. Basically, you’re either dealing with Mossad or not-Mossad. If your adversary is not-Mossad, then you’ll probably be fine if you pick a good password and don’t respond to emails from ChEaPestPAiNPi11s@virus-basket.biz.ru. If your adversary is the Mossad, YOU’RE GONNA DIE AND THERE’S NOTHING THAT YOU CAN DO ABOUT IT. The Mossad is not intimidated by the fact that you employ https://. If the Mossad wants your data, they’re going to use a drone to replace your cellphone with a piece of uranium that’s shaped like a cellphone, and when you die of tumors filled with tumors, they’re going to hold a press conference and say “It wasn’t us” as they wear t-shirts that say “IT WAS DEFINITELY US,” and then they’re going to buy all of your stuff at your estate sale so that they can directly look at the photos of your vacation instead of reading your insipid emails about them. In summary, https:// and two dollars will get you a bus ticket to nowhere. Also, SANTA CLAUS ISN’T REAL.
So this post could be about threat models again, but I feel that is way too much work a week before Security Summer Camp (pro-tip: bring a Nerf gun and shoot at everyone who uses military terms in their narrative!). Instead I hereby provide 8 reasons why you are a security professional instead of a cyber soldier. Here goes!


  1. Your business card does not mention your military rank and you do not measure your status by the number of stripes you have on your shoulder. 
  2. You do not have to salute a superior when you pass by them in the hallway. 
  3. Whenever a security requirement is requested, you do not reply with "SIR YES SIR!"
  4. You wear A&F t-shirts, button-up shirts, or a polo to work instead of a military uniform.
  5. Instead of living on (or near) a military base, you are living in a suburb with neighbors who have ordinary jobs. You probably drive an SUV and you worry about what kind of meat you'll throw on the BBQ next weekend.
  6. Your family does not live in fear of a sudden deployment from which their beloved family member (you) may very well never return.
  7. On your way to work you do not have to worry about IEDs of any sort. Neither do you have to be concerned about a bunch of insurgents barging into the SOC where your comfortable office chair is located and where the scarf in the team colors of your favorite football (or soccer) team indicates "your" spot.
  8. You do not have to regularly clean your (cyber)weapons and train with them. Neither do you have to get up at 4am without notice to run a course around the data center in full gear.
All jest aside, being in the military is serious business. I have nothing but respect for people that have taken the responsibility to defend their country. The truth is that being a security professional is also very serious business these days. We don't get anywhere if we keep throwing around war-related terms, hollowing them out in the process. 

Our industry is young. Especially when we compare it to other industries. Military terms, without doubt, carry a meaning of urgency that is often not needed in day to day conversations and operations. Do we want to make ourselves a laughing stock or do we want to keep the seat at the business table that we have earned in the past few years? I don't think we'll make it by turning into our own Big Green Weenie.

Edit

I almost forgot that my good friend Kyrah wrote an excellent Master's Thesis titled "Wargames in the fifth domain" which is worth a read if you desire to go beyond the marketing value of "cyber".
The majority of cyber attacks that we have seen do not qualify as acts of war. Why then should we deal with them using a military framework? A military response is unlikely to solve any of the actual problems. What is needed is a civilian approach.

woensdag 20 mei 2015

omgSAPpwnage but then again not really ...

Disclaimer: I don't work for SAP. This is a personal blog and none of it represents the opinion of any entity other than myself.

That said, I ran across the following article today:
http://www.infosecisland.com/blogview/24531-Top-Three-Attack-Vectors-for-SAP-Systems.html

It is titled "Top Three Attack Vectors for SAP Systems" so I was expecting a list of (at least three) direct attack vectors against SAP Systems. Once again, as is the case for many articles on security subjects nowadays, I was disappointed. I can only hope to provide some perspective here from experience and my own insight into the problems surrounding corporate ERP systems.

The top three, as listed in the article and accompanied by comments from yours truly, are as follows:

Pivoting Between SAP Systems, where the attack begins with a system with lower security to a critical system in order to execute remote function modules in the destination system
So an attacker is able to gain access to SAP Systems AFTER they have compromised (part of) the supporting infrastructure and is then able to compromise other connected systems? You don't say! I fail to see how this is a direct problem with SAP systems. If you're not able to prevent OR detect compromises before they reach SAP systems, there isn't much that's stopping an attacker from getting there, right? There isn't a big need for vulnerabilities in an SAP system to achieve this either. It's like saying you are able to send text messages in my name when I unlock my phone and hand it to you.
Portal Attacks, where backdoor users are created in the SAP J2EE User Management Engine and an attacker obtains access to SAP Portals and Process Integration platforms and their connected, internal systems
Uh? What? "where backdoor users are created"? Wouldn't you say all bets are off when an attacker is able to do this? Show me a remote and unauthenticated vector for an attacker to do this and I'm happy to put this at #1 though.
Database Warehousing Attacks through SAP proprietary protocols, where an attacker executes operating system commands under the privileges of a particular user and by exploiting vulnerabilities in the SAP RFC Gateway to gain access to the SAP database
Again, there is an assumption of prior compromise (including gaining access to credentials) to get to a point where this is possible.

I'm not saying that SAP doesn't have security issues. There are advisories released by the SAP Security team and patches are made available regularly that organizations should apply.

ERP systems hold a lot of your most valuable assets and they deserve your attention, but the article as presented does not provide any credible evidence that attackers can arbitrarily access SAP Systems without going through considerable effort beforehand. Moreover, the 3 vectors as presented are easy to address by doing the basics in your supporting infrastructure:

  • Identity Management, Access and Authorization.
  • Intrusion Detection, Log Management & Analysis, ...
  • Network & Host Monitoring
  • Systems Hardening
  • etc. etc.
If we're going to continue letting the media drive our agenda (an agenda driven by PR companies and organizations interested in pushing a product; yes, most of the content is provided by an organization pushing an SAP vulnerability scanner/tool) rather than looking to solve the hard underlying problems in security and how organizations should address those, we're pretty much doomed.

Security is not sexy. Security is not solved with tools. Security is hard work and while I appreciate the idea behind putting it on the agenda with urgency, I'm pretty much tired of the flash fires that detract us from doing what is actually needed.

donderdag 16 april 2015

open letter to the ISC2 Membership

Disclaimer

I was an ISC2 Board Member from January 1st 2012 until December 2014. I am an ISC2 Member in good standing. I am, at this moment, not working for ISC2, with ISC2, or in any other fashion associated with ISC2. This letter represents my personal opinion only. It does not reflect the opinion of any organization I have been, am, or will be associated with.

That said ...

Good morning, good evening, or good night,

As an ISC2 Member, there is a big chance that you will find yourself in San Francisco, California next week. I understand that your agenda is full of awesome events, some professional and some a little less so, but I think it is important to realize that the events in and around the Moscone Center are the ideal venue to interact with the organization you are a proud member of, and with its Board members.

While I am sad to learn that ISC2 is not organizing a townhall meeting this year, there are still plenty of opportunities to meet them, get to know them, and to let them know how you feel as a member. 

ISC2 will be on the expo floor at booth #108 and #109. Additionally, there is a member reception on Wednesday April 22nd that you can RSVP for. There are undoubtedly alternative venues where you will run into representatives of the organization, especially the board members (<- it makes sense to familiarize yourself with their faces if you aren't already). 

As members, first and foremost, we have all engaged ourselves to be part of, and contribute to, the membership. As such we bear a responsibility to want better for ourselves. While I am personally not going to be in San Francisco with you, I would like to take the time to suggest some questions you can ask your Board members in case you meet them or if you find yourself at a venue where you can interact with them.

Before I kick off, allow me to make one suggestion. In the event that you run into a member of ISC2 staff or a member of management, please take the time to give them a hug and thank them for the work they do every single day for you.

1. The ISC2 Bylaws are 10 years old. As the primary document that governs the organization and its Board, I feel it is up for a thorough review. As an example, what was a mostly US-centric organization in 2004 is now a fully international organization with a global membership. What are you, as a Board, doing to govern yourself in order to make this organization successful? What are you, as a Board, doing to keep our Bylaws up to date with today's reality? How can I, as a member, help with that?

2. As a member, I believe that ISC2 misses a lot of opportunities to provide value to its membership. What are you, as a Board, doing to ensure that the organization is able to develop initiatives that benefit the membership? What can I expect over the next few months and years as a member? How can I contribute to that?

3. As a member, I believe I am under-informed about what the organization does. Your last publication of annual meeting minutes happened in 2014, your last annual report was published in 2012. What are you, as a Board, doing to inform the membership about the organization, its financial health, the strategic initiatives, and how I can become more involved to contribute to the success of the organization and us as the membership?

Now obviously, you will be challenged in San Francisco. I am the first to admit that there's more opportunity to be distracted than there is to stay focused. I also believe that as an ISC2 member, you owe it to yourself to ask these, and more questions. 

If you choose not to, I'd suggest you spend $85 in one of the awesome establishments you can find and consider skipping your next AMF payment.

In any case, enjoy the opportunity to spend time with your peers at RSAC and thank you for your contributions to make this digital world a safer place.

Sincerely,
Wim

maandag 13 april 2015

7 things in regards to conference calls

1. Being on time is being too late. You join conference calls 5 (FIVE) minutes beforehand, any later is too late. There can be some technical issues y'all need to root out.

2. Use a freaking phone. Almost every conference call system has local/international dial-in numbers. Don't use Skype or other VoIP systems.

3. If you use a mobile phone, USE A FREAKING HEADSET.

4. There is NO REASON to use speakerphone functionality. NONE!

5. Use a phone that you can mute. We're not interested in what happens in your open space office or your living room. You can unmute yourself when you need to speak. At any other time, MUTE! MUTE! MUTE!

6. Be in a place where you work. Real office, home office, hotel room. Those are about the only places where you should be to do a conference call. Bar, playground, movie theater, your car, amusement park, casino, massage parlor, the gym? HELL NO! 

7. Be prepared. This should be a given, but especially in a meeting where you can't see each other, being prepared is not only courtesy, it is a must.
 

donderdag 12 februari 2015

(ISC)2's "Vulnerability Central" - what it is and what it isn't

[disclaimer: until December 31st I was a member of the (ISC)2 Board of Directors. My posts here are my personal opinion and not necessarily shared by any of the current Directors or the organization]

[disclaimer 2: I've personally written cve-search, a tool that enables you to do much of the same. Most of the recent development has been done by Alexandre Dulaunoy. You can find cve-search here: https://github.com/wimremes/cve-search. The goal of cve-search was to enable local lookup rather than using the internet. Alexandre has done an amazing job in adding features and functionality. I'm still amazed how open sourcing my crude script made it into such an awesome tool.]

(ISC)2 has recently launched "Vulnerability Central", a service for members at no additional cost that provides a feed of vulnerabilities and other information that they could use to stay up to date on recent vulnerabilities, threat reports, etc. etc. The service is offered through a company called Cytenna about which I unfortunately have not found much information apart from the fact that they exist and the following statement on their website:
"Cytenna was originally conceived in the research laboratories of InferLink Corporation. We are constantly innovating to provide our clients with better ways to connect the dots in an ever-rising sea of information."

Today I browsed through the functionality offered through the (ISC)2 portal and here is what I found:

  • The initial information feed (mostly composed of CVEs but it also contains data from other sources) is well laid-out. When clicking on an item, the information displayed is very much summarized. You'll have to click on the external links to get more information. That seems a bit weird because most of the information is public so it would make sense to incorporate it in the Vulnerability Central UI.
  • Filtering, it does it. One of the most important features of this type of tool is customization. This can be done by editing your profile. You can basically tell the tool to filter only the information that you want to see based on keywords and keyphrases. This is good. I'd appreciate some more granularity or even different profiles (I could be a consultant working with/for different clients). One thing that hit me on the main page is that I can filter by "Show starred". It took me a while to understand what that meant and how I could "star" an item. Unfortunately I have to first open an item and then star it. I cannot star items on the main page. This partially breaks the usefulness of the star feature. What is positive is that I can easily switch between filter modes (all, profile, starred). This would become even more powerful with the support of multiple profiles or filters.
  • I have to log in with my (ISC)2 credentials. This is understandable because it is a member benefit but at the same time it limits the usability of the tool. If I want to use it, I'm restricted to the website and in a time of APIs and mobile applications that greatly limits how I can consume information. Support for API keys would be a definite plus here.
  • Vulnerability Central doesn't only provide vulnerability information, it also has a "News" and "Reports" section. Unfortunately those are hidden at the bottom of the page. They should have prominence at the top of the page. The "News" section provides links to security-relevant articles and the "Reports" section centralizes links to vendor and independent reports.
  • The information seems to be fairly up to date. I have not done extensive analysis of the accuracy but given that it is mostly based on public information, I think there should be no problem there.
  • There currently is no ability to export data sets. This should be #1 on the feature road map without any debate. If I am only able to consume the information on the website, its value drops to 0 immediately. Need.That.Yesterday!
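To make the wish list above concrete, here is an added example (written for this post, not code from Vulnerability Central, Cytenna or cve-search) of what local, offline handling of such a feed looks like: named profiles with keyword and minimum-CVSS filters, starring from the list view, and CSV/JSON export. The feed entries, the SAMPLE-nnnn identifiers, the product names and the record layout are all constructed for illustration and are not real vulnerabilities.

```python
"""Offline filtering of a local vulnerability feed with named profiles, starring and export."""
import csv
import io
import json
from dataclasses import dataclass, asdict

# Constructed sample feed. Identifiers and products are placeholders, not real CVEs.
SAMPLE_FEED = [
    {"id": "SAMPLE-0001", "published": "2015-02-01", "cvss": 9.8,
     "products": ["Example ERP"],
     "summary": "Remote code execution in the administration interface of an ERP application server"},
    {"id": "SAMPLE-0002", "published": "2015-02-03", "cvss": 4.3,
     "products": ["Example Portal"],
     "summary": "Cross-site scripting in the login page of a web portal"},
    {"id": "SAMPLE-0003", "published": "2015-02-05", "cvss": 7.2,
     "products": ["Example OS"],
     "summary": "Local privilege escalation through a setuid helper binary"},
    {"id": "SAMPLE-0004", "published": "2015-02-10", "cvss": 8.1,
     "products": ["Example ERP"],
     "summary": "Weak default credentials in the ERP integration component"},
]


@dataclass
class Profile:
    """One filter profile; a consultant would keep one per client."""
    name: str
    keywords: list          # matched case-insensitively against summary and product names
    min_cvss: float = 0.0   # entries scored below this are dropped


@dataclass
class Entry:
    id: str
    published: str          # ISO date, so string ordering is chronological
    cvss: float
    products: list
    summary: str
    starred: bool = False

    def matches(self, profile: Profile) -> bool:
        if self.cvss < profile.min_cvss:
            return False
        haystack = " ".join([self.summary, *self.products]).lower()
        return any(kw.lower() in haystack for kw in profile.keywords)


def load_feed(raw: list) -> list:
    """Build Entry objects from the feed's JSON-style records."""
    return [Entry(**item) for item in raw]


def filter_feed(entries: list, profile: Profile = None, starred_only: bool = False) -> list:
    """Apply an optional profile and/or the star filter; newest entries first."""
    kept = [e for e in entries
            if (not starred_only or e.starred)
            and (profile is None or e.matches(profile))]
    return sorted(kept, key=lambda e: e.published, reverse=True)


def star(entries: list, entry_id: str) -> bool:
    """Star an entry straight from the list view; returns False if the id is unknown."""
    for e in entries:
        if e.id == entry_id:
            e.starred = True
            return True
    return False


def export_csv(entries: list) -> str:
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["id", "published", "cvss", "products", "summary"])
    for e in entries:
        writer.writerow([e.id, e.published, e.cvss, ";".join(e.products), e.summary])
    return buf.getvalue()


def export_json(entries: list) -> str:
    return json.dumps([asdict(e) for e in entries], indent=2)


if __name__ == "__main__":
    feed = load_feed(SAMPLE_FEED)
    erp_client = Profile("erp-client", keywords=["ERP"], min_cvss=7.0)
    for entry in filter_feed(feed, erp_client):
        print(entry.id, entry.cvss, entry.summary)
    print(export_csv(filter_feed(feed, erp_client)))
```

Because every step works on plain records held locally, the same functions could sit behind an API endpoint or a command-line tool; nothing in them requires the browser-only access the portal currently imposes.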
Now I am sure that the usefulness of this new member benefit depends on how well you have built out your own information feed over the past years. It is by no means a panacea for your security information needs and in its current version it is by no means perfect.

Apart from my own tool, I am a big fan of www.cvedetails.com and OSVDB. Both offer similar functionality based on different data sets.

However, this tool is now available to 100,000 members across the globe. If you are a member, you should explore it, use it and provide (ISC)2 with your feedback. What is good and what is not? What feature are you missing and how can it be more useful to YOU? If they listen, Vulnerability Central has the potential of turning into a must-have tool in the chest of (ISC)2 members and even change how you work today.

The beauty of being part of a membership organization is that you directly benefit from the contributions of fellow members. The downside (or should I say opportunity?) is that your fellow members count on you to do the same.


maandag 19 januari 2015

Can we ... do better?

Disclaimer: In this blogpost I analyse one particular blogpost. This is not a personal attack against the author of said blogpost nor is it a value judgement against the content produced or the platform it is hosted on. Rather, the content analysed is relevant to a point I want to make and the who and what is secondary to that point. If anyone wants to use this to turn it into an ordinary flame war, go right ahead. I have bronchitis and as such I ain't got time for dat (1).

Disclaimer 2: This is my personal blog. It does not represent the opinion of any organisation that I am affiliated with. At best I have talked this through with my cat, who wholeheartedly agreed with me (but only when offered a considerable amount of treats).(2)

That said, here we go.

As a community, we have been looking for ways to reach outside the "echo chamber" for quite a while now. There have been concerted initiatives and some individuals have gone out on their own to carry out the messages we/they believe are important for the general public, governments and industries. This in itself is not a bad thing were it not that the only industry that seems to capitalise on this trend is the media industry (and by extension, the ad networks). Under pressure of time, people are rushed into voicing opinions rather than speaking from experience. After all, we have ads to sell ... good enough is OK!

I personally believe that we, as an industry, can do better. It's OK to say no to a media outlet. It's OK to embargo a post until you've found the time to make it valuable to your target audience. It's OK to value quality over quantity. It's OK to keep the standard high.

The article that triggered my outrage today was titled "Will 2015 Be the Year We Say Goodbye to Passwords?" . It is hosted on CSOOnline which, by its own words, tries to achieve the following:

CSO provides news, analysis and research on a broad range of security and risk management topics. Areas of focus include information security, physical security, business continuity, identity and access management, loss prevention and more.
The answer to the question posed in the title of the article obviously is a resounding "hell no!" but allow me to dig further.

First: the target audience. On a platform that calls itself CSOOnline, one would expect the content to be geared towards Chief Security Officers. One would expect the analysis and research to be of value for a person (m/f) who is known to have little time for useless diatribe and/or clickbait. I, for one, would expect data-driven analysis followed by solid recommendations and actionable information. I, obviously, expected too much :(

Already in the first paragraph, we change the original question (it was the title of the article FFS!) to "With this in mind will 2015 be the year that two-step authentication and non-standard password security methods like biometrics become the norm for forward-thinking businesses?" Maybe asking a question in the title isn't that smart if you're not going to answer it anyway.

2FA or two-step authentication and biometrics do not REPLACE passwords. They perpetuate their use! They obviously increase the challenge for attackers to gain access to a system, but that's nothing new.
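An added example, not taken from the CSO article or from this post's original text, shows why: in a two-step login the password check still comes first and the one-time code is only a second gate behind it. The second step here is TOTP as defined in RFC 6238 (HOTP from RFC 4226 over 30-second time steps), which is what software tokens comparable to the hardware tokens mentioned in the article implement. The user record layout, the PBKDF2 work factor and the one-step clock-drift window are assumptions made for illustration.

```python
"""Two-step login: a password check first, then a TOTP code (RFC 6238) as the second step."""
import hashlib
import hmac
import os
import struct
import time

PBKDF2_ROUNDS = 200_000   # assumed work factor for the stored password hash
TOTP_STEP = 30            # seconds per code, the RFC 6238 default


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 plus dynamic truncation."""
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP over the number of TOTP_STEP-second intervals since the epoch."""
    return hotp(key, unix_time // TOTP_STEP, digits)


def register(password: str, totp_key: bytes) -> dict:
    """Create a user record: salted PBKDF2 hash of the password next to the shared TOTP secret."""
    salt = os.urandom(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "pw_hash": pw_hash, "totp_key": totp_key, "last_counter": -1}


def login(record: dict, password: str, code: str, unix_time: int, window: int = 1) -> tuple:
    """Returns (ok, reason). Step two is only reached when the password step succeeds."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), record["salt"], PBKDF2_ROUNDS)
    if not hmac.compare_digest(candidate, record["pw_hash"]):
        return False, "bad password"
    counter = unix_time // TOTP_STEP
    for delta in range(-window, window + 1):         # tolerate small clock drift
        c = counter + delta
        if c <= record["last_counter"]:
            continue                                  # reject replay of an accepted code
        if hmac.compare_digest(hotp(record["totp_key"], c), code):
            record["last_counter"] = c
            return True, "ok"
    return False, "bad or replayed code"


if __name__ == "__main__":
    secret = os.urandom(20)
    user = register("correct horse battery staple", secret)
    now = int(time.time())
    print(login(user, "wrong password", totp(secret, now), now))                   # fails at step one
    print(login(user, "correct horse battery staple", totp(secret, now), now))     # ok
    print(login(user, "correct horse battery staple", totp(secret, now), now))     # replay rejected
```

Note what the second factor does and does not change: a phished or reused password still has to be stored, hashed and checked exactly as before, and the one-time code only protects against an attacker who has the password but not the seed. The `last_counter` bookkeeping is the detail most home-grown implementations forget; without it a captured code can be replayed within the drift window.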

This is the moment where we digress into a load of missed opportunities ... allow me to illustrate.

Other forms of two factor authentication include the use of security tokens, similar to the RSA SecurID tokens, or using biometrics such as peoples’ fingerprints, retina scanning or other items unique to them. Apple for example have introduced fingerprint readers to unlock their latest range of iPhones.

What is interesting from the above developments is that it brings two factor authentication, previously an area mainly reserved for corporates, into the consumer arena. While this acceptance may make it easier for businesses to introduce two factor authentication to their workforce it may still be a number of years before we see this adoption take place. 
Wrong ... Apple's introduction of fingerprint readers and their related APIs has ALREADY brought biometric authentication to the consumer, and adoption is happening RIGHT NOW. As an example, my bank leverages Touch ID to allow me to authenticate on my mobile banking application. This is NOW, not years from now! The audience for this article may be interested to know that they too can leverage this right now with very little effort. Missed opportunity #1. But who cares?

Let's continue:
Passwords, for all their weaknesses and issues, have the big advantage of being a very cost effective way of securing systems. Implementing and managing two factor authentication systems can introduce a lot of extra costs and overheads for companies to employ. Because of this the use of passwords will continue to be a necessary evil. 
What we need to do is educate users on how to select and use passwords securely, for them to use password managers to help them cope with the multitude of passwords they may have to use, and get companies to properly secure the passwords being used to access their systems.
This is probably the paragraph that irked me the most. We are talking to a CSO audience and all we can tell them is to tell users how to select "secure passwords" and to use "password managers"? Really? I've personally worked in complex IDM architectures for quite a while and I've custom built centralised authentication/authorization systems in heterogeneous IT environments from scratch. With all due respect, these recommendations don't cut it.

We are talking to an audience that, today, is responsible for a diverse set of technologies they didn't choose. An audience that is pressured into adopting cloud-based solutions to enable business units to do their actual job and keep their companies competitive. An audience that is challenged to respond to complex architecture questions and all we can tell them is to use stronger passwords and password managers? No, just no.

I agree that our challenge exists in breaking down very complex solutions into understandable chunks of information on an executive level, but in all honesty, you cannot address the password issue without talking about consolidation of directories (reducing the potential points of failure!), federated authentication and single sign on. This doesn't mean you have to quote RFCs on SAML, OAuth, etc., but if our common goal is to reduce the noise and to increase the signal, we have to start by being honest with ourselves and with our audience.

The article at hand is opinion more than it is something that shares experience/knowledge. As professionals we should hold ourselves to a higher standard when addressing the audience we care so much about. Next time when asked to write an article or partake in an interview or panel, I will ask myself "am I truly the person they want to talk about this subject" instead of letting my vanity get the better of me.

We can do better and we should.


(1) your messages of sympathy are much appreciated but I don't actually have bronchitis!! You just missed the Sweet Brown reference.
(2) I don't actually have a cat.