<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	xmlns:itunes="http://www.itunes.com/dtds/podcast-1.0.dtd"
xmlns:rawvoice="http://www.rawvoice.com/rawvoiceRssModule/"
>

<channel>
	<title>Ken Yerrid&#039;s Information Technology Musings</title>
	<atom:link href="http://kenyerrid.com/index.php/feed/" rel="self" type="application/rss+xml" />
	<link>http://kenyerrid.com</link>
	<description>Incredibly Shallow Thoughts From an Otherwise Deep Thinker</description>
	<lastBuildDate>Tue, 01 Nov 2011 14:41:59 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
<!-- podcast_generator="Blubrry PowerPress/2.0.4" -->
	<itunes:summary>Incredibly Shallow Thoughts From an Otherwise Deep Thinker</itunes:summary>
	<itunes:author>Ken Yerrid&#039;s Information Technology Musings</itunes:author>
	<itunes:explicit>no</itunes:explicit>
	<itunes:image href="http://kenyerrid.com/wp-content/plugins/powerpress/itunes_default.jpg" />
	<itunes:subtitle>Incredibly Shallow Thoughts From an Otherwise Deep Thinker</itunes:subtitle>
	<image>
		<title>Ken Yerrid&#039;s Information Technology Musings</title>
		<url>http://kenyerrid.com/wp-content/plugins/powerpress/rss_default.jpg</url>
		<link>http://kenyerrid.com</link>
	</image>
		<item>
		<title>The Changing of the Guard for Information Security Executives?</title>
		<link>http://kenyerrid.com/index.php/2011/11/01/the-changing-of-the-guard-for-information-security-executives/</link>
		<comments>http://kenyerrid.com/index.php/2011/11/01/the-changing-of-the-guard-for-information-security-executives/#comments</comments>
		<pubDate>Tue, 01 Nov 2011 14:41:59 +0000</pubDate>
		<dc:creator>K0nsp1racy</dc:creator>
				<category><![CDATA[Featured Articles]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Organizational Management]]></category>
		<category><![CDATA[Original Musings]]></category>
		<category><![CDATA[BSIdes]]></category>
		<category><![CDATA[career progression]]></category>
		<category><![CDATA[CISO]]></category>
		<category><![CDATA[Security BSides]]></category>

		<guid isPermaLink="false">http://kenyerrid.com/?p=293</guid>
		<description><![CDATA[(Full disclosure: This article firmly plays to my personal skill sets and career progression. Wherever possible, I have attempted to correct for my own bias) There has been a great deal of swirl lately regarding the topic of Chief Information Security Officers and what skills <a style="text-decoration:none;" href="http://kenyerrid.com/index.php/2011/11/01/the-changing-of-the-guard-for-information-security-executives/" rel="nofollow">[...]</a>]]></description>
			<content:encoded><![CDATA[<p><em>(Full disclosure:  This article firmly plays to my personal skill sets and career progression.  Wherever possible, I have attempted to correct for my own bias)</em></p>
<p>There has been a great deal of swirl lately regarding the topic of Chief Information Security Officers and what skills and/or qualifications are needed to position the organization for the best chance of success.  On one end of the continuum, the existing pool of executives is brought in with highly-attuned business acumen.  Perhaps the person has a Big 4 consulting pedigree, an MBA from a well-respected university, and has forged relationships with other executives through social functions and other work arrangements.  </p>
<p>On the other end of the continuum, an emerging trend suggests that when it comes to protecting assets, forging relationships, and establishing trust among stakeholders and board members, the appropriate candidate should be well-versed in technology concepts and actually rise up through the information security ranks.  The popular justification is that without understanding the threat landscape and actually having “dirt under the fingernails”, how can one fully anticipate and connect with the people that are on the front lines of protection?  I find it difficult to argue with this justification; this suggests to me that business is in the midst of discovering that the proper approach is to seek balance and resist the temptation of moving the slider too far to the business end of the continuum.</p>
<p>On Friday, November 4th, <a href="http://www.securitybsides.com/w/page/44893559/BSidesATL-2011" target="_blank">Security B-Sides Atlanta</a> will be holding a panel discussion on this very topic.  Participants include Dave Kennedy, CISO for Diebold, a Fortune 1000 company, as well as Rafal Los, Enterprise Cloud Security Strategist at HP.  Those people within the community that have been observing from a distance would suggest that these two are on opposite ends of the spectrum on this topic.  However, I am going to go out on a limb here and suggest that their philosophies are actually closer to converging than diverging.</p>
<p>Other professions have had this debate before, and we can draw parallels from the military as to who makes the best general, or from the football field as to who makes the best coach.  As information security continues to mature, it will be the practitioners—not the other executives—that determine the right combination of skill sets needed to be successful in an executive role.  In other words, I am suggesting that currently, the business-pedigreed CISO is the safer perceived choice, not necessarily the better one.  You see, the statistics are beginning to bear out a frightening pattern when it comes to protecting information assets:  the trend is getting worse!  More and more companies are getting breached under the watch of the business-focused CISO, suggesting a disconnect between theory and reality.</p>
<p>Sooner or later, information security practitioners will begin to realize that the effort required to move along the continuum from the hardcore technical to business is not as great as once perceived.  Simultaneously, those business-focused executives that are forced to become more technical will find the path much more difficult than anticipated.  This will present some interesting discussions for businesses, as they struggle to determine the appropriate combinations for their respective needs.  As anticipated, it appears that the optimal combination is not black or white.  I think what can be agreed is that the role of the information security executive in today’s challenging climate should be reevaluated.  </p>
<p>What do you think?  </p>
]]></content:encoded>
			<wfw:commentRss>http://kenyerrid.com/index.php/2011/11/01/the-changing-of-the-guard-for-information-security-executives/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Correcting Cognitive Dissonance in Reactions to Information Security Presentations</title>
		<link>http://kenyerrid.com/index.php/2011/10/26/correcting-cognitive-dissonance-in-reactions-to-information-security-presentations/</link>
		<comments>http://kenyerrid.com/index.php/2011/10/26/correcting-cognitive-dissonance-in-reactions-to-information-security-presentations/#comments</comments>
		<pubDate>Wed, 26 Oct 2011 14:51:25 +0000</pubDate>
		<dc:creator>K0nsp1racy</dc:creator>
				<category><![CDATA[Conferences and Events]]></category>
		<category><![CDATA[Featured Articles]]></category>
		<category><![CDATA[Original Musings]]></category>
		<category><![CDATA[cognitive dissonance]]></category>
		<category><![CDATA[conference]]></category>
		<category><![CDATA[Grecs]]></category>
		<category><![CDATA[Hack3rcon]]></category>
		<category><![CDATA[Johnny Long]]></category>

		<guid isPermaLink="false">http://kenyerrid.com/?p=288</guid>
		<description><![CDATA[I have recently attended a number of information security presentations. I honestly admire a presenter’s willingness to state a position in a public construct, regardless of whether I agree or disagree with the position or contents of the presentation. I will be honest… I have <a style="text-decoration:none;" href="http://kenyerrid.com/index.php/2011/10/26/correcting-cognitive-dissonance-in-reactions-to-information-security-presentations/" rel="nofollow">[...]</a>]]></description>
			<content:encoded><![CDATA[<p>I have recently attended a number of information security presentations.  I honestly admire a presenter’s willingness to state a position in a public construct, regardless of whether I agree or disagree with the position or contents of the presentation.  I will be honest…  I have seen good presentations (watch <a href="http://www.irongeek.com/i.php?page=videos/derbycon1/johnny-long-hackers-for-charity-update" target="_blank">Johnny Long’s Hackers for Charity Update at Derbycon</a> for an example), and I have seen total train wrecks.  At the end of each of them, the initial reaction is the same:  applause from the audience.  What does the applause signify in the mind of the presenter?  Chances are, the gut response is that the presenter thought he or she did very well.  But is that the right message we, as presenters, are really receiving?  Applause is good, booing is bad.  Is there a distortion, or cognitive dissonance, between the intrinsic feelings and the extrinsic response?  </p>
<p>Coming off of <a href="http://www.hack3rcon.org" target="_blank">Hack3rcon II</a>, a question was posed to a mailing list about the presentations at the conference.  I found the wording of the question to be a little awkward, as the person stated that “all presentations are equal, but which ones are more equal?” I interpreted that wording as a socially awkward way of asking the question, “which ones are worth his time”, and implicitly, “which ones sucked out loud?”  In my view, I clearly thought there was a distinction, and shared my opinion.  I was not trying to throw anyone under the bus; at the same time, I did not want to tiptoe around the feelings.  The feedback I gave was not based on emotion.  Now, at what point does the presenter get to hear that candid feedback?  What are the chances that somebody like Grecs would be reading my response, absorb my feedback, and make a conscious decision to gear his presentation more towards a technical, information security audience?  </p>
<p>I am not suggesting that we should be booing people off of the stage or throwing tomatoes if the presentation misses the mark.  What I am suggesting is that—as presenters—we should be seeking candid and honest feedback from the audience members.  We spend countless hours searching for that perfect cat picture and constructing our presentations for maximum effect.  Maybe the key to improving presentations at an individual and societal level is to open that feedback loop in a way that is neither threatening nor demeaning.  </p>
<p>I propose some simplistic steps to improve the quality of presentations:</p>
<ul>
<li>Conference organizers should provide feedback mechanisms for attendees.  A brief, yet useful survey during the transitions between presenters could provide a wealth of feedback.  This could be as low-tech as index cards, or as simple as an online survey accessible by electronic gadgets.</li>
<li>Presenters should stick around after the presentation and actively seek feedback.  In all likelihood, if a presenter asks an attendee a closed question, such as “how did you like the presentation”, the answer will be skewed toward politeness.  However, if you ask open questions, such as what the attendee would change about the presentation, there is a far greater chance of useful feedback.</li>
<li>Attendees need to vocalize their disappointment in a tactful manner.  Like I said above, this is not the time to throw tomatoes.  The presenter did the best he or she could; if constructive criticism is not provided, there is a very good chance that you may come across the exact same presentation at the next conference.</li>
</ul>
<p>What do you think?  Hit me up at @K0nsp1racy.</p>
]]></content:encoded>
			<wfw:commentRss>http://kenyerrid.com/index.php/2011/10/26/correcting-cognitive-dissonance-in-reactions-to-information-security-presentations/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Hack3rcon II &#8211; Charleston, West Virginia &#8211; Oct. 21 &#8211; 23</title>
		<link>http://kenyerrid.com/index.php/2011/10/05/hack3rcon-ii-charleston-west-virginia-oct-21-23/</link>
		<comments>http://kenyerrid.com/index.php/2011/10/05/hack3rcon-ii-charleston-west-virginia-oct-21-23/#comments</comments>
		<pubDate>Wed, 05 Oct 2011 21:01:16 +0000</pubDate>
		<dc:creator>K0nsp1racy</dc:creator>
				<category><![CDATA[Conferences and Events]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Original Musings]]></category>

		<guid isPermaLink="false">http://kenyerrid.com/?p=284</guid>
		<description><![CDATA[I was at the inaugural Hack3rcon last year, and had an absolute blast. The quality of the speakers was fantastic, and this year they are raising the bar again. Dave Kennedy (R3L1k), Martin Bos (purehate), Adrian Crenshaw (Irongeek), Keith Pachulski (Sec0ps), and Boris Sverdlik (JadedSecurity), <a style="text-decoration:none;" href="http://kenyerrid.com/index.php/2011/10/05/hack3rcon-ii-charleston-west-virginia-oct-21-23/" rel="nofollow">[...]</a>]]></description>
			<content:encoded><![CDATA[<p>I was at the inaugural Hack3rcon last year, and had an absolute blast.  The quality of the speakers was fantastic, and this year they are raising the bar again.  Dave Kennedy (R3L1k), Martin Bos (purehate), Adrian Crenshaw (Irongeek), Keith Pachulski (Sec0ps), and Boris Sverdlik (JadedSecurity), as well as a number of other established security professionals are scheduled to speak.</p>
<p>The price is incredibly reasonable (it is Charleston, West Virginia), and a portion of the proceeds will be going to Hackersforcharity.org.  Come see what I am fussing about, and while you are there, check out DualCore in concert!</p>
<p>Thanks to the 304Geeks and Hackers For Charity for putting on this awesome regional conference!  For more information, visit http://www.hack3rcon.org.</p>
]]></content:encoded>
			<wfw:commentRss>http://kenyerrid.com/index.php/2011/10/05/hack3rcon-ii-charleston-west-virginia-oct-21-23/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Why do we continually blame the “user” for a lack of security awareness? &#8211; A Polite Rant</title>
		<link>http://kenyerrid.com/index.php/2011/10/05/why-do-we-continually-blame-the-user-for-a-lack-of-security-awareness-a-polite-rant/</link>
		<comments>http://kenyerrid.com/index.php/2011/10/05/why-do-we-continually-blame-the-user-for-a-lack-of-security-awareness-a-polite-rant/#comments</comments>
		<pubDate>Wed, 05 Oct 2011 20:39:32 +0000</pubDate>
		<dc:creator>K0nsp1racy</dc:creator>
				<category><![CDATA[Featured Articles]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Original Musings]]></category>
		<category><![CDATA[Security Governance]]></category>

		<guid isPermaLink="false">http://kenyerrid.com/?p=272</guid>
		<description><![CDATA[Why do we continually blame the “user” for a lack of security awareness? Coming back from one of the most successful information security conferences in quite some time, it was difficult (but not impossible) to find something that needed improvement. I was confused and disappointed <a style="text-decoration:none;" href="http://kenyerrid.com/index.php/2011/10/05/why-do-we-continually-blame-the-user-for-a-lack-of-security-awareness-a-polite-rant/" rel="nofollow">[...]</a>]]></description>
			<content:encoded><![CDATA[<p>Why do we continually blame the “user” for a lack of security awareness?<br />
Coming back from one of the most successful information security conferences in quite some time, it was difficult (but not impossible) to find something that needed improvement.  I was confused and disappointed in the number of presentations that I attended that made statements to the effect of:</p>
<ul>
<li>Users are dumb!</li>
<li>We need to tell our users to stop clicking &lt;expletive&gt;!</li>
<li>There is no patch for user stupidity!</li>
</ul>
<p>All of this talk got me to thinking.  Who is really failing here?  Who are the ones that are truly the dumb ones?  As an information security professional, I am disappointed in the percentage of mouthpieces and/or practitioners that fail to grasp the basic tenets of how communication works.  You see, like so many things, many of us suffer from the failure to effectively communicate the problem statement, accept criticism as an opportunity to improve, and—most of all—the failure to communicate.  It is driving me nuts!  </p>
<p>Quite simply, when your “user” clicks a hyperlink in a phishing message, we fall back on the yearly compliance tutorials, likely invented in response to the Melissa and Loveletter worms of 1999 and 2000, respectively.  We sit back in our arrogant and condescending voice and say our training was not adhered to; that ‘user’ is dumb!  Folks, it is 2011, and the problem has not gone away.  Perhaps the payload has changed, as we now have advanced persistent threats (whatever that is), trojans, and rootkits.  However, the vector remains IDENTICAL, and has for over a decade.  We need a new approach, and we need to rethink how we address our (dumb) ‘users’.</p>
<p>I do not claim to know about every person’s specific scenario; however, I am an expense to my organization.  I hemorrhage money from the company’s bottom line profits as a necessary evil to prevent the company from hemorrhaging larger amounts of money at the hands of lawyers and regulatory bodies.  To imply that we are in a position to be condescending to anyone within the organization is absolutely, positively ridiculous.  To imply, infer, or simply think of a ‘user’ as simply a ‘user’ is foolish.  They are a partner.  Their actions dictate a large portion of whether you are the pigeon or the proverbial statue.  Yes, the term ‘user’ is compact, making for perfect slang on a PowerPoint deck or tweet.  But to speak condescendingly of the hand that feeds you is incredibly arrogant.</p>
<p>Perhaps I am in the minority here; however, after listening to speaker after speaker talk about security as a ‘we’ versus ‘them’ scenario, I am quite certain that we cannot, and will not secure our environment through a tug of war or battle of attrition.  According to Kumaraguru, Sheng, Acquisti, Cranor, &#038; Hong (2010), our customers look to us to perform three concurrent and complementary tactics to mitigate threats such as phishing messages:  </p>
<ol>
<li>Silently and transparently remove it</li>
<li>Simplistically communicate/warn the customers of it</li>
<li>Train and communicate to the customers so that they can identify variations of it</li>
</ol>
<p>So much of our focus as practitioners is on silently and transparently removing threats through automated devices such as firewalls, IDS/IPS, etc.  The vendors (also a popular target in conferences) are marketing these directly to the people in the trenches.  Vendors also have identified the opportunity to communicate/warn customers in a simplistic manner.  For evidence, look at the green address bar in the browser.  Unfortunately, the underlying protocol is broken, but hey, it is in fact simple.  Mission accomplished.</p>
<p>If you notice the last tactic, this is the one on which, in my opinion, we fall flat on our face.  We do yearly compliance training using canned presentations.  We simply check the box, year after year, and expect a different outcome.  While I am highly encouraged by the work of folks like Dave Kennedy on the Social-Engineer Toolkit, providing the tools is simply not enough.  We need to use these tools in everyday work and drive these types of training and awareness to the masses.  Furthermore, we need to provide a consistent and repeatable framework on what the threats are and how they can be mitigated via awareness training, and provide support for organizations to implement the recommendations within the framework.  </p>
<p>Rather than sitting back and launching a tirade about the educational competency of our stakeholders, while the collective community continues to hemorrhage like a stuck pig over vectors and methods that are over a decade old, a number of us are seeking to do something about this vacuum of information.  Of course this is blatant self-promotion for the Security Awareness Training Framework working group that is located at http://groups.google.com/group/SATF-workinggroup, but if you could recognize this, then why can’t we do a better job of recognizing phishing messages?  </p>
<p>References<br />
Kumaraguru, P., Sheng, S., Acquisti, A., Cranor, L. F., &#038; Hong, J. (2010). Teaching Johnny not to fall for phish. ACM Transactions on Internet Technology, 10(2), 1-31.</p>
]]></content:encoded>
			<wfw:commentRss>http://kenyerrid.com/index.php/2011/10/05/why-do-we-continually-blame-the-user-for-a-lack-of-security-awareness-a-polite-rant/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Is your organization overlooking the total cost of offshoring?</title>
		<link>http://kenyerrid.com/index.php/2011/09/18/is-your-organization-overlooking-the-total-cost-of-offshoring/</link>
		<comments>http://kenyerrid.com/index.php/2011/09/18/is-your-organization-overlooking-the-total-cost-of-offshoring/#comments</comments>
		<pubDate>Sun, 18 Sep 2011 15:23:18 +0000</pubDate>
		<dc:creator>K0nsp1racy</dc:creator>
				<category><![CDATA[Featured Articles]]></category>
		<category><![CDATA[Technology in Business]]></category>
		<category><![CDATA[national security]]></category>
		<category><![CDATA[offswhoring]]></category>

		<guid isPermaLink="false">http://kenyerrid.com/?p=269</guid>
		<description><![CDATA[This morning I was reading a new report that seems to have provided additional evidence of some of my suspicions regarding the total cost of offshoring decisions for information technology initiatives. Written by the Intelligence and National Security Alliance, the new report suggests (while in <a style="text-decoration:none;" href="http://kenyerrid.com/index.php/2011/09/18/is-your-organization-overlooking-the-total-cost-of-offshoring/" rel="nofollow">[...]</a>]]></description>
			<content:encoded><![CDATA[<p>This morning I was reading a new report that seems to have provided additional evidence of some of my suspicions regarding the total cost of offshoring decisions for information technology initiatives.  Written by the Intelligence and National Security Alliance, the <a href="https://images.magnetmail.net/images/clients/INSA/attach/INSA_CYBER_INTELLIGENCE_2011.pdf" target="_blank">new report</a> suggests (while in the context of the U.S. Government) that there may be hidden consequences of outsourcing and offshoring decisions, where “potential adversaries can easily insert themselves into our logistical chains” (Intelligence and National Security Alliance, 2011, p. 6).</p>
<p>Overlaying the backdrop of national-security logistical risk over the speed and proliferation of privatized offshoring decisions, I cannot help but wonder if the net result of the individual and systemic chase for higher short-term profits has been an overall weakening of the corporation’s sustainability. In other words—once again—have our executives placed greed and short-term profit margin over long-term growth and stability?  Of course, not every offshoring decision is a poor one; and periodicals like the Harvard Business Review and the Wall Street Journal may highlight case studies of successful offshoring and business process outsourcing initiatives.  The point I am trying to make is consistent with many others:  Perform the due diligence necessary to account for shifts in geopolitical and diplomatic climates, and include information privacy and legal perspectives in the business decision.</p>
<p>In closing the loop, the organization should feel comfortable enough in the capabilities of their information security management to include these critical resources in the earliest stages of the due diligence.  In addition, the information security management must continue to bridge the gap between their technical expertise and leadership with the needs of the business.  Therefore, the message to future information security managers and trusted advisors is one of balance between tech and true business acumen.</p>
<p>What are your thoughts?  Email me at ken at kenyerrid dawt com.</p>
<p>References<br />
Intelligence and National Security Alliance. (2011). Cyber intelligence: Setting the landscape for an emerging discipline. Arlington: Intelligence and National Security Alliance.</p>
]]></content:encoded>
			<wfw:commentRss>http://kenyerrid.com/index.php/2011/09/18/is-your-organization-overlooking-the-total-cost-of-offshoring/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Feedback From Social-Engineer.org Podcast with Kevin Mitnick</title>
		<link>http://kenyerrid.com/index.php/2011/09/16/feedback-from-social-engineer-org-podcast-with-kevin-mitnick/</link>
		<comments>http://kenyerrid.com/index.php/2011/09/16/feedback-from-social-engineer-org-podcast-with-kevin-mitnick/#comments</comments>
		<pubDate>Fri, 16 Sep 2011 19:54:48 +0000</pubDate>
		<dc:creator>K0nsp1racy</dc:creator>
				<category><![CDATA[Featured Articles]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Original Musings]]></category>
		<category><![CDATA[Recommended Reading]]></category>
		<category><![CDATA[Ghost in the Wires]]></category>
		<category><![CDATA[Kevin Mitnick]]></category>

		<guid isPermaLink="false">http://kenyerrid.com/?p=260</guid>
		<description><![CDATA[This morning, I was listening to the Social-Engineer.org podcast with a special interview with Kevin Mitnick. It has been suggested that I was trolling Kevin, that I had a personal problem with Kevin, or that I hated Kevin and/or was jealous of him. This is <a style="text-decoration:none;" href="http://kenyerrid.com/index.php/2011/09/16/feedback-from-social-engineer-org-podcast-with-kevin-mitnick/" rel="nofollow">[...]</a>]]></description>
			<content:encoded><![CDATA[<p>This morning, I was listening to the <a href="http://www.social-engineer.org/podcast/" target="_blank">Social-Engineer.org podcast</a> with a special interview with Kevin Mitnick.  It has been suggested that I was trolling Kevin, that I had a personal problem with Kevin, or that I hated Kevin and/or was jealous of him.  This is simply not accurate.  In my <a href="http://kenyerrid.com/index.php/2011/08/19/why-kevin-mitnick-missed-a-golden-opportunity-to-advance-the-profession-and-why-i-am-angry-about-it" target="_blank">blog post</a>, I state that, </p>
<blockquote><p>“Unfortunately, some people feel they are simply far too important to pay it forward, too busy to bother with the little fish that wants to learn, too intelligent to ever be wrong, and too self-centered to share the spotlight with the community. I can name a handful of people that fit these categories, and unfortunately, many of them have the lectern.”</p></blockquote>
<p>It is unfortunate that there were a handful of people that would jump to the conclusion that I was grouping Kevin into that group.  Trust me, the people that are in this group have earned their place, and I do not feel that Kevin Mitnick is in that place by any stretch.  As Kevin correctly noted in the interview with the SE.org crew, I have never met or interacted with Kevin directly, and would only have a limited perspective based on online interactions.</p>
<p>I picked up <a href="http://www.amazon.com/Ghost-Wires-Adventures-Worlds-Wanted/dp/0316037702/ref=sr_1_1?s=books&#038;ie=UTF8&#038;qid=1316202400&#038;sr=1-1" target="_blank">Ghost in the Wires</a> while on vacation in Seattle last week, as I really needed a break from reading about <a href="http://www.amazon.com/Decoding-Virtual-Dragon-Evolutions-Information/dp/B001AATF5K/ref=sr_1_1?s=books&#038;ie=UTF8&#038;qid=1316202463&#038;sr=1-1" target="_blank">Chinese Information Warfare theory</a> from Tim Thomas.  I have to admit, I am absolutely hooked on the book, and Kevin deserves all of the success and exposure that he is receiving.  If you have happened to be holding back on the book thinking it was going to be strictly about whistling launch codes or at a technical level different than your own, I would strongly encourage you to reconsider.  The book is completely accessible; in fact, Kevin goes out of his way to explain things in layperson terms.  The aspect of the book that I am particularly impressed with is in his description of the emotions and the vulnerability he shares with the reader throughout the book.  Kevin is a guy who has been the statue far more than the pigeon, and for him to convey that level of openness and honesty is admirable. </p>
<p>So, to set the record straight for anyone that is still confused and cares…  I do not have a grudge against Kevin Mitnick by any stretch.  In fact, I hope I have the chance to meet him in person at <a href="http://www.derbycon.com" target="_blank">Derbycon</a> for what I hope is the beginning of a long term friendship.  Furthermore, I think that Kevin said it best in his interview with Chris, Dave, and Jim regarding people trolling who have only limited interaction with Kevin or other people in the community (rather than paraphrase the comments, listen to it here).  I can only imagine how difficult it is to manage others’ expectations, particularly strangers.  </p>
<p>Finally…  If Kevin and/or others in the community felt I was trying to undermine or troll on Kevin’s success with his book, I sincerely apologize.  I can assure you that my intention with my blog post was strictly related to the opportunity to share the love and throw a bone to the entire security community.  At times, I have been critical of Kevin’s tweets and notices of book signings (even comparing the marketing strategy to *shudders* Gregory D. Evans of Ligatt Security) but completely understand Marketing 101, and do not blame him for it.  </p>
]]></content:encoded>
			<wfw:commentRss>http://kenyerrid.com/index.php/2011/09/16/feedback-from-social-engineer-org-podcast-with-kevin-mitnick/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Why Kevin Mitnick Missed a Golden Opportunity to Advance the Profession, and Why I Am Angry About It</title>
		<link>http://kenyerrid.com/index.php/2011/08/19/why-kevin-mitnick-missed-a-golden-opportunity-to-advance-the-profession-and-why-i-am-angry-about-it/</link>
		<comments>http://kenyerrid.com/index.php/2011/08/19/why-kevin-mitnick-missed-a-golden-opportunity-to-advance-the-profession-and-why-i-am-angry-about-it/#comments</comments>
		<pubDate>Fri, 19 Aug 2011 15:22:59 +0000</pubDate>
		<dc:creator>K0nsp1racy</dc:creator>
				<category><![CDATA[Featured Articles]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Original Musings]]></category>

		<guid isPermaLink="false">http://kenyerrid.com/?p=257</guid>
		<description><![CDATA[Today, I am a little off-center, and some have questioned why I have so much venom in my words on Twitter regarding Kevin Mitnick. Since explaining my actions in 140 character morsels is less than effective, I thought that I would take some time and <a style="text-decoration:none;" href="http://kenyerrid.com/index.php/2011/08/19/why-kevin-mitnick-missed-a-golden-opportunity-to-advance-the-profession-and-why-i-am-angry-about-it/" rel="nofollow">[...]</a>]]></description>
			<content:encoded><![CDATA[<p>Today, I am a little off-center, and some have questioned why I have so much venom in my words on Twitter regarding Kevin Mitnick.  Since explaining my actions in 140 character morsels is less than effective, I thought that I would take some time and explain my rationale.  For starters, I do not have a personal axe to grind with Kevin Mitnick or anyone else in the information security profession for that matter.  Kevin has never directed any words or actions my way in an attempt to make me feel inferior.  Secondly, my words and actions are not driven out of jealousy or spite.  As I have said on numerous occasions, I want everyone in information security to succeed.  There is plenty of room on the mountaintop for all of us, and I would encourage others to question their motives when choosing to attack someone in the community.  Of course, some people deserve to be pushed off the mountain on the basis of their actions and the shortcuts they have taken to achieve their level of notoriety.  </p>
<p>I want to believe that Kevin Mitnick is a nice person.  I have never personally met him, although I have heard his story.  His book, Ghost in the Wires, is purportedly an exposé of his life.  For months now, I have been watching self-promotional tweets about the book being released.  I see self-promotional tweets about book signings and appearances.  Quite honestly, it reminds me of the marketing that Mr. Gregory D. Evans executes.  I do not fault the guy for wanting to make a living, and it is not my place to judge his motivation.  But last night, Kevin Mitnick was given a golden opportunity to help change perspectives on the state of information security by appearing on The Colbert Report.  Information security is an industry that still suffers from a perception of being unstructured, unprofessional outlaws and elitists.  Despite all of the wonderful things that we do for each other and others in the world, these success stories are still not being communicated effectively.  It is sad.  </p>
<p>So rather than talking about being in solitary confinement for a year, and sitting at home on Valentine’s Day—statements that further extend the stereotypes of security professionals being nerds with no life—the statements that have me fired up are the ones where he had the opportunity to pay it forward to the community.  Clearly, there was an opportunity for Kevin Mitnick to avoid bragging about hacking companies with their permission (again self-gratifying), and to talk about how he had made mistakes in the past, served his time, and now spends his time, along with millions in the community, protecting companies from the bad guys.  Simple wordplay, but powerful nonetheless.  Mitnick squandered that chance. </p>
<p>The security community does so many wonderful things that do not see the light of day.  Take the mission of Hackers for Charity and Infosec without Borders, look at the response to Gattaca’s wife or BarKode, whose medical battles have brought the entire community together for a common, charitable purpose.  How about the story of Stacy Thayer and her husband in Vegas this year, getting her purse stolen, and the community giving her money and anything else she needed.  The way people came together was nothing short of awesome for the entire community.  But these stories remain guarded in the community, and trickle out at an anemic pace.  </p>
<p>We need to make a better effort of paying our successes forward and telling community success stories.  $Deity knows that the mainstream media picks up on every breach, misstep, and acronym to instill fear, uncertainty, and doubt.  The community, collectively, is impacted by each failure, either directly, or by association.  While we continue to propagate negative energy, other than the mainstream media, who do you think is laughing at us?  We are not nearly as powerful as individuals; just ask hacktivist groups and state-sponsored information warfare collectives.  For every person that thinks selfishly like Kevin Mitnick did last night, there are thousands of $country hackers that are content with standing shoulder to shoulder and fighting a collective information skirmish.  Guess what, they are winning.  </p>
<p>What is the solution?  What is the call to action?  The message I am trying to get across is one where we stop thinking like the front man of a rock band and more like the drummer.  Our profession will never be sexy in the traditional sense, so why allow personal ego to interfere with advancing the industry?  Look at the people in the community that teach others, that inspire, that actually listen to all comments and criticisms, and actually respond.  The people I respect the most in the community have their heads on straight, are content with sharing the burden and the spotlight, and learn, as well as teach.  Unfortunately, some people feel they are simply far too important to pay it forward, too busy to bother with the little fish that wants to learn, too intelligent to ever be wrong, and too self-centered to share the spotlight with the community.  I can name a handful of people that fit these categories, and unfortunately, many of them have the lectern.  The only way that our industry will advance is by transforming the people that get the opportunity and making sure that they hit the marks that are good for the community, not just for themselves.</p>
]]></content:encoded>
			<wfw:commentRss>http://kenyerrid.com/index.php/2011/08/19/why-kevin-mitnick-missed-a-golden-opportunity-to-advance-the-profession-and-why-i-am-angry-about-it/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>What’s in a Name? If you are Labeled a Charlatan, then it is a lot!</title>
		<link>http://kenyerrid.com/index.php/2011/08/08/whats-in-a-name-if-you-are-labeled-a-charlatan-then-it-is-a-lot/</link>
		<comments>http://kenyerrid.com/index.php/2011/08/08/whats-in-a-name-if-you-are-labeled-a-charlatan-then-it-is-a-lot/#comments</comments>
		<pubDate>Mon, 08 Aug 2011 23:38:13 +0000</pubDate>
		<dc:creator>K0nsp1racy</dc:creator>
				<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Original Musings]]></category>
		<category><![CDATA[Security Governance]]></category>
		<category><![CDATA[Attrition.org]]></category>
		<category><![CDATA[BlackHat]]></category>
		<category><![CDATA[Charlatan]]></category>
		<category><![CDATA[DEFCON]]></category>
		<category><![CDATA[Derbycon]]></category>
		<category><![CDATA[Gregory Evans]]></category>
		<category><![CDATA[Ligatt]]></category>
		<category><![CDATA[Security BSides]]></category>

		<guid isPermaLink="false">http://kenyerrid.com/?p=252</guid>
		<description><![CDATA[Information security perception is highly dependent on practitioner reputation. If a practitioner is foolish enough to plagiarize or damage the industry, sites like attrition.org are there to label the person as a charlatan. Recently, there were some rumors floating around about infamous, alleged charlatan Gregory <a style="text-decoration:none;" href="http://kenyerrid.com/index.php/2011/08/08/whats-in-a-name-if-you-are-labeled-a-charlatan-then-it-is-a-lot/" rel="nofollow">[...]</a>]]></description>
			<content:encoded><![CDATA[<p>Information security perception is highly dependent on practitioner reputation.  If a practitioner is foolish enough to plagiarize or damage the industry, sites like <a href="http://attrition.org/errata/charlatan/" target="_blank">attrition.org</a> are there to label the person as a charlatan.  Recently, there were some rumors floating around about infamous, alleged charlatan <a href="http://gregorydevans.com/" target="_blank">Gregory D. Evans</a> being unable to attend the major conferences (<a href="http://www.blackhat.com" target="_blank">Black Hat</a>, <a href="http://www.defcon.org" target="_blank">DEF CON</a> and <a href="http://www.securitybsides.com/w/page/12194156/FrontPage" target="_blank">BSides</a>) in Las Vegas, NV.  Some have suggested that there were some financial constraints that prevented this.  As I have noted in the past, I question the personal damage that the alleged actions of Evans have done to me.  One thing I have observed though is that people are passionate about their disdain for alleged charlatans like Gregory D. Evans.  </p>
<p>I suppose I am being less critical; maybe I am being more open-minded.  The fact of the matter is that until I hear something from the horse’s mouth, I am willing to allow my own opinions to remain my own, and not let others’ influence them.  In other words, I believe people that are labeled as charlatans should have their day in court, among a jury of their peers (parallels to Mr. Evans’ litigious history are intended).  I thought the industry had made some real progress by having an open dialog with Mr. Evans and some of his most vocal critics on the <a href="http://www.isdpodcast.com" target="_blank">ISDPodcast</a>.  Unfortunately, much of the banter was circular and defensive, and very little was tangibly accomplished.  However, the fact that Evans appeared of his own volition was a huge step for him and the industry at large.  I agree that ‘distractions’ such as the accusations levied against Evans and others cast a certain aura of uncertainty within the industry.  I believe that more of these discussions should occur and the “defendant” should have a chance to clear his or her name.  Lastly, I would hate to see financial considerations serve as a deterrent for a labeled charlatan.</p>
<p>What I am proposing, beginning with my own offer of a donation to <a href="http://www.derbycon.com" target="_blank">Derbycon</a>, is to remove finances as a barrier to an alleged charlatan’s opportunity to clear his or her name.  Maybe we can call it Charlatan’s Purse (tongue in cheek).  The idea would be to allow members of the information security community an opportunity to contribute money to a fund to allow the alleged charlatan to defend him or herself in a public forum.  Think of it as a public defender’s office for alleged charlatans.  Let’s remove the barriers to cleaning up the industry and push through the stalemate!</p>
<p>Let’s take Gregory D. Evans as an example.  As of 8/8/2011, a roundtrip, 1st class ticket from Atlanta, Georgia to Louisville, Kentucky would cost under $900.  Under my philosophy, a communal donation of less than $2,000 would get Evans a room, food (or Cristal), and a flight.  The community would have the opportunity to interact with Mr. Evans.  Fair trade?  I think so.</p>
<p>Of course, certain logistical parameters would need to be established.  I propose that an alleged charlatan should be treated respectfully, yet critically.  I am not opposed to pre-formulating interview questions.  The important thing in my mind is to free the named alleged charlatan from any barriers to help clear his or her name.  </p>
<p>If you have any comments or ideas, please mention something on Twitter using the hashtag #charlatanspurse.</p>
]]></content:encoded>
			<wfw:commentRss>http://kenyerrid.com/index.php/2011/08/08/whats-in-a-name-if-you-are-labeled-a-charlatan-then-it-is-a-lot/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>DerbyCon &#8211; Louisville, Kentucky:  September 30th &#8211; October 2nd, 2011</title>
		<link>http://kenyerrid.com/index.php/2011/08/03/derbycon-louisville-kentucky-september-30th-october-2nd-2011/</link>
		<comments>http://kenyerrid.com/index.php/2011/08/03/derbycon-louisville-kentucky-september-30th-october-2nd-2011/#comments</comments>
		<pubDate>Wed, 03 Aug 2011 15:09:23 +0000</pubDate>
		<dc:creator>K0nsp1racy</dc:creator>
				<category><![CDATA[Conferences and Events]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Bourbon]]></category>
		<category><![CDATA[conference]]></category>
		<category><![CDATA[Derbycon]]></category>
		<category><![CDATA[hacking]]></category>
		<category><![CDATA[Irongeek]]></category>
		<category><![CDATA[Purehate]]></category>
		<category><![CDATA[ReL1K]]></category>

		<guid isPermaLink="false">http://kenyerrid.com/?p=248</guid>
		<description><![CDATA[I am getting excited about this conference. Even though it is in its first year of existence, DerbyCon has the potential to be the premier conference East of the Mississippi River this fall. Organized by my friends Dave Kennedy (ReL1K), Martin Bos (PureHate), Adrian Crenshaw <a style="text-decoration:none;" href="http://kenyerrid.com/index.php/2011/08/03/derbycon-louisville-kentucky-september-30th-october-2nd-2011/" rel="nofollow">[...]</a>]]></description>
			<content:encoded><![CDATA[<p>I am getting excited about this conference.  Even though it is in its first year of existence, <a href="http://www.derbycon.com" target="_blank">DerbyCon</a> has the potential to be the premier conference East of the Mississippi River this fall.  Organized by my friends Dave Kennedy (ReL1K), Martin Bos (PureHate), Adrian Crenshaw (IronGeek), and Nick Hitchcock (nick8ch), the event has lined up some of the industry&#8217;s best and brightest.  For a full list, check their <a href="http://www.derbycon.com/speakers/" target="_blank">speaker page</a>.</p>
<p>The event will feature some intense training opportunities at a very reasonable rate by some of the core people in the community.  Last I checked, there were some slots open in a handful of the courses.  After hours, the nerdcore rap group DualCore will be performing at the DerbyCon after party.  The bottom line: you should definitely check this conference out if you have the hall pass.  </p>
]]></content:encoded>
			<wfw:commentRss>http://kenyerrid.com/index.php/2011/08/03/derbycon-louisville-kentucky-september-30th-october-2nd-2011/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>A Wish List for Vulnerability Scanners</title>
		<link>http://kenyerrid.com/index.php/2011/08/03/a-wish-list-for-vulnerability-scanners/</link>
		<comments>http://kenyerrid.com/index.php/2011/08/03/a-wish-list-for-vulnerability-scanners/#comments</comments>
		<pubDate>Wed, 03 Aug 2011 14:28:16 +0000</pubDate>
		<dc:creator>K0nsp1racy</dc:creator>
				<category><![CDATA[Featured Articles]]></category>
		<category><![CDATA[Information Security]]></category>
		<category><![CDATA[Original Musings]]></category>
		<category><![CDATA[Security Tools]]></category>
		<category><![CDATA[Technology in Business]]></category>
		<category><![CDATA[CVE]]></category>
		<category><![CDATA[CVSS]]></category>
		<category><![CDATA[feature requests]]></category>
		<category><![CDATA[patching]]></category>
		<category><![CDATA[usability]]></category>
		<category><![CDATA[vulnerability scanners]]></category>

		<guid isPermaLink="false">http://kenyerrid.com/?p=221</guid>
		<description><![CDATA[Today, I am going to switch gears a little bit regarding my blog entries, and take a look at vulnerability scanners from an end user perspective. As you are no doubt aware, there are several to choose from. Rather than pander to a specific product, <a style="text-decoration:none;" href="http://kenyerrid.com/index.php/2011/08/03/a-wish-list-for-vulnerability-scanners/" rel="nofollow">[...]</a>]]></description>
			<content:encoded><![CDATA[<p><a href="http://kenyerrid.com/wp-content/uploads/2011/01/securityfail1.jpg" rel='prettyPhoto'><img src="http://kenyerrid.com/wp-content/uploads/2011/01/securityfail1.jpg" alt="Thanks 0ph3lia!" title="securityfail1" width="284" height="190" class="alignleft size-full wp-image-75" /></a>Today, I am going to switch gears a little bit regarding my blog entries, and take a look at <a href="http://netsecurity.about.com/cs/hackertools/a/aa030404.htm">vulnerability scanners</a> from an end user perspective.  As you are no doubt aware, there are several to choose from.  Rather than pander to a specific product, I would like to keep it general and list out some of the features that I would love to see integrated into the product that may not get as much attention, but are important nonetheless.  I apologize in advance if $product has these features baked in.  I don’t need rebuttals from vulnerability scanning companies.  This is just my solo opinion, that is all.</p>
<p>First, if a vulnerability scanning product is putting an agent on the target, you lose.  Most of the good ones I know of do not have this problem; however, in the race to improve scanning efficiency, don’t even think about it; not for a second, not for a minute.  I see a tremendous opportunity for integration within the concept of vulnerability scanning.  One major vendor that I am aware of has bolted on some functionality, but in my opinion, it is not the use case that I am looking for.  While it is nice from a penetration testing standpoint to take the results from a scan and exploit the target; I am defensive minded.  Therefore, how about an option to patch the vulnerability directly from the vulnerability scanning console?  NOTE:  I understand that there are times when change and config management may get in the way; but if I see a huge gaping hole on my web server and I am in a smallish shop, close the dang hole!</p>
<p>To take this concept one step further…  Let’s look at the ‘typical’ asset definition within a vulnerability scanning system.  While I agree that a vulnerability scanning system should not be the system of record for assets, wouldn’t it be cool if an upstream change to the system of record automatically popped the asset into the vulnerability scanning cycle?  When combined with some rudimentary optional fields within the data source to capture nuances in the architecture, all of a sudden the vulnerability scanning begins getting smart.  So what fields should or could be added to assist in scanning the enterprise?  Most of the good ones use a concept of sites and asset groups in some flavor or variety.  How about virtual vs. physical?  How about Production, Dev, Test, DR, etc.?  Sure, an admin with plenty of time on their hands could organize things to account for these variations; however, if there was integration with a config database, this stuff happens automatically!  </p>
<p>Another area where I see vulnerability scanners missing is the ability to fine tune the risk rating to account for specific conditions in the environment.  If I have an IIS server serving public content (don’t laugh), versus one that is serving a collaboration site internally only, shouldn’t the risk reflect this, or at least be able to be modified?  If we take the Base CVSS score for a particular vulnerability and apply a multiplier based on the role and/or location of the device, we get a much more accurate perspective on the prioritization of applying patches.  Furthermore, when combined with the ability to instantly patch from the console, all of a sudden you have the ability to proactively solve the vulnerability and the risk associated with it.  This leads to much more flexible patching schedules as well.  “Patch all internal development web servers running IIS in x location.”  Bang, go.  BTW…  Update the config database to record the change in the configs too…</p>
<p>Next, the CVEs give great information on the vulnerability, and most scanners correlate that into a process that one can take to remediate the gap.  Short of actually performing the patching, why not download the patch, hash it, and store it in a central location?  In nearly all situations, if there are 50 database servers to patch, the handful of people tasked to do this work will either click the link in the remediation report or will navigate to the site and download the package…  sometimes multiple times.  This is a waste of time and effort in my opinion.  Sure, the really cool kids will download it to a management server and/or common file share.  Last time I checked, hashing is not immediately available on a file share, and some of the most popular software distribution applications are vendor specific. </p>
<p>In summary, I think that vulnerability scanners are getting better every day.  Regardless of the product of choice, the most important thing to consider is scan efficiency and minimizing Type I and Type II errors.  I get it.  However, the market is getting increasingly crowded, and performance and accuracy deltas are getting thinner and thinner.  Maybe it is high time to peel away from the evolution of the anti-virus malware scanner model and look for tangible opportunities to make the products we use more intuitive and flexible to new use cases.  If you are failing to make the connection between vulnerability and malware analysis, let me try to explain.  Remember when anti-virus software was important?  For years, emphasis was placed on scanning efficiency and minimizing errors.  Because of a lack of planning, the industry, which had now become crowded, began bolting on features, bells and whistles, and simultaneously…  bloat.  Product differentiation should not be measured by a fancy HUD, a traffic light, font type, or any other aesthetic program.  It seems that all antivirus products are within striking distance of sucking the same when it comes to Type I and Type II errors.  I will save my antivirus opportunities for another time.  Suffice it to say, the vulnerability scanning product market needs to continue to raise its game in the right direction.  </p>
]]></content:encoded>
			<wfw:commentRss>http://kenyerrid.com/index.php/2011/08/03/a-wish-list-for-vulnerability-scanners/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

