Thursday, May 2, 2013

You know stuff. Share it. We’ll help.

You know stuff, you’ve seen interesting things, done interesting research, have a unique perspective.  You also know that the ability to communicate effectively and deliver your message to an audience is critical to professional success.  But you haven’t spoken at a major event, and you need some advice and encouragement.  Maybe you are intimidated by public speaking- that’s very common (there’s even a word for this common fear, glossophobia).  Well, we’re here for you.  By “we”, I mean the BSides community in general, and in this case BSides Las Vegas in particular.

BSides events have always encouraged new speakers, and some events have offered or are offering guidance, up to and including mentorship and coaching. This year we are continuing the Proving Ground track at BSides Las Vegas, a program which pairs those new to speaking, or at least new to speaking at a national event, with experienced speakers who will mentor, guide, and encourage you through developing, tuning, and presenting your talk at BSides Las Vegas.

From the BSidesLV.org website:

One of our tracks is “Proving Ground” and the main criteria to get a slot in this track will be being a first time conference speaker. As we all know how hard it can be to find your voice, or even to just translate data into talking points that won’t lose your audience, we’re looking to pair each of the Proving Ground applicants up with a mid to high profile mentor, with a solid track record of public speaking, who will work with them from CFP to podium.

If this program sounds like something you’d be interested in, please review the BSLV Mentorship Program Information.

I sometimes use this image in “how to give better presentations” talks, because I think it shows what is wrong with talks at a lot of conferences- the focus is on the speaker, not on the audience where it belongs.  In the Proving Ground track our mentors put the focus on you, the new speaker- this gives you the support you need to focus on your message, and your audience.

[Image: Fotolia_37704437_XS]

Time is running out to submit for this opportunity, please review the information on the website, and submit if you can join us for BSides Las Vegas.

What if you are a more experienced speaker, but know you can do better?  Would a workshop with other speakers, sharing ideas and constructive criticism interest you?  Well then- let me know, and stay tuned.  And watch James Arlen’s talk on the topic if you get the chance whenever he’s giving it again.

 

Jack

Wednesday, May 1, 2013

The envelopes please…

I had a great time in London last week, I finally got to BSides London, had a good show at InfoSecurity Europe, and talked to partners and customers- and I got to co-host the second annual (we can call it that after only two, right?) Security Bloggers Meetup and first European Security Bloggers awards.  The blogger gathering was great, I got to meet and catch up with a lot of folks I don’t often see, and there were a lot of great conversations throughout the evening.

About those awards- the winners were:

Congrats to all the winners.

Big thanks again to Brian Honan for the heavy lifting in organizing the event and awards, to my coworkers and employer, Tenable Network Security, for sponsoring and arranging the food, drink, and venue, and to Qualys for sponsoring the awards.

We’ve already started planning for next year- the venue was great, so Tenable has again reserved the Prince of Teck pub for the evening of Tuesday, 29th of April 2014 for the next European Security Bloggers Meetup and Awards.

 

Jack

Friday, April 12, 2013

European Security Bloggers’ Awards

The European Security Bloggers’ Meetup is getting closer, and the nominations are in for the first European Security Blogger Awards.  Voting is now open at https://www.surveymonkey.com/s/EUSecurityBloggerAwards.  The rules are simple:

  • Only one vote per person.
    • How many votes per person?
      • One
  • We reserve the right to validate any of the votes by using the contact details given.
  • Judges' decision is final.
  • The purpose of the awards is to provide a fun platform to recognise those who share with the community. Please respect the spirit of the awards.

The Meetup will be on Tuesday the 23rd of April at the Prince of Teck Pub, from 18:00.  The Prince of Teck is near Earl’s Court, the site of InfoSecurity Europe.  If you would like to join us, please register here at Eventbrite.

This wouldn’t be possible without the efforts of Brian Honan, so if you join us make sure to thank him when you see him.

The European Information Security Bloggers Meetup is sponsored by the nice folks I work for, Tenable Network Security.  And- I’m happy to announce that awards will be sponsored by the good folks at Qualys.

 

Jack

Wednesday, April 3, 2013

Digital Natives, Digital Savages, and immigration

It has been a while since I’ve written about “Digital Natives”, but Krypt3ia’s recent post Digital Natives, Digital Immigrants, Exo-Nationals and The Digital Lord of The Flies has me thinking about it again.  He raises some great points in that post, and I would like to add a few thoughts of my own.  If you haven’t seen it already, take a few minutes to read Krypt3ia’s post, and I’ll meet you back here.

I think about the generational issues in technology and security, and only partly because I’m old.  Generational anomalies have intrigued me since I was a kid.  Back then I had a realization about my peers: I believe there were effectively two generations of the same age- those of us who were “late babies” of folks who went through World War II, and those who were the children of younger parents.  Those of us whose parents fought the war (mom flew in the WASP, dad served in the Navy) seemed to straddle the generation between our older siblings (the real Baby Boomers) and our peers.  If you know folks born in the late 50s or early 60s, float this idea past them and see what they say.  Enough tangent, back on topic Jack.

Caution: metaphor and analogy abuse ahead, with some stereotyping thrown in for added color.  And I sound like an old fart.  Which I am.

First, those who have grown up with computer technology, the Digital Natives, have a level of familiarity and comfort with technology which is often mistaken for expertise- but for many the expertise is superficial at best.  Those of us who work in technology, especially in security, are often amazed by the brilliant young people around us- but we forget they are anomalies, not the norm.  The ability to grok the latest changes to Facebook does not equate to an understanding of web technology as much as it displays a level of comfort and familiarity.

That familiarity can be a problem- familiarity removes fear, and a lack of fear leads to excessive trust.  This should be a critical concern for those involved in security and privacy.  The familiarity and comfort often translates into people with amazing proficiency in technology, and a level of effectiveness that is astounding- just don’t forget to assess the security awareness of those young folks.

And about that effectiveness, it is not ubiquitous- let’s talk about your local gas stations, convenience stores, budget hotels, and livery services…  Yeah, if we’re going to use words like “natives” for people who have grown up with tech and “immigrants” for us old farts, I am going there.  Dismissing “immigrants” is stupid, they (we) often fill niches in the economy that natives do not, for whatever reason.  The same is certainly true for technology.  It would be easy to resort to ignorant claims about natives’ aversion to hard work- but that is certainly not true in tech, and the work on stress and burnout I’ve been involved in proves that.  It is also true that many “immigrants” will never master the level of understanding of new technology that will be required to keep up in the rapidly changing world of technology, but it is also true that those who have survived the workplace for a few decades are more likely to be able to effectively deal with the harsh realities of working for a living after surviving it all these years.

OK then, what’s your point Jack?  I’m not sure I have one, other than a sweeping generalization warning against buying in to sweeping generalizations.  If I were a better person I would suggest more cooperation and communication between generations to help each other adapt to the challenges we face, but that’s not my style.

 

And get off my lawn.

Jack

Tuesday, March 19, 2013

European Security Bloggers Meetup and Awards

This year will be the second annual European Security Bloggers’ Meetup, and will include the first European Blogger Awards.  The meetup will be Tuesday evening, the 23rd of April, from 18:00-21:00, in Kensington (London) near the Earls Court conference center (the site of InfoSecurity Europe).

BSides London is the following day, so it will be a busy week- join us for a relaxing and conversational evening before the madness gets overwhelming.

If you are a security blogger or podcaster, please sign up at the event’s Eventbrite page to get all the details.

Also, if you are a European security blogger or podcaster, please participate in the blogger award survey, nominate your favorite blogs and podcast now.

And thanks to Tenable Network Security (my employer), who has signed on as sponsor of this year’s gathering.

 

Jack

Sunday, March 17, 2013

ThreadFix, an Open Source tool for software vulnerability management

As many know, I’ve spent the last couple of years in the vulnerability management world- at least what we generally accept as “vulnerability management”.  Although I think what we do at my “day job” (what a quaint concept, “day job”) is stellar, there is a hole in vulnerability management- vulnerability management for applications from a code review and process management perspective.  Known and published application vulnerabilities are part of a mature vulnerability management program, but what about the results of internal and external code review and testing- how do you manage disparate data sources on vulnerabilities in your organization’s code?  How do you share that information, and get the right information to the right people- in the format they want?  How do you leverage the information as quickly and effectively as possible?  For many people, I assume a kludge of ticketing and bug tracking tools is used, probably with a few spreadsheets tossed in to connect the dots that the tools don’t support.


Enter the good folks at Denim Group, who have created ThreadFix, an Open Source “application vulnerability management platform”.  I had a chance to sit down with Dan and John from Denim at the recent RSA conference and take a look at ThreadFix, and I’m impressed.  Application security is not a major part of my day to day work, but it is still an area I try to keep an eye on- and ThreadFix looks like a great project.  As I mentioned, it is Open Source, but it also has an established application security company behind it- this means you can grab the code from Google Code and run with it on your own, or you can turn to Denim for assistance and support if you need some corporate backing in your environment.  The features of ThreadFix (from Denim’s ThreadFix page) include:

  • Simplified View of Application Test Results
    • Consolidate and de-duplicate imported results from open source, commercial dynamic and static scanning tools, as well as the results of manual testing and threat modeling to get a complete view of the state of your applications.
  • Reports
    • Get the latest security status of your applications while providing an eagle’s-eye view of your organization’s progress over time to pinpoint any process problems.
  • Defect Tracker Integration
    • Help security professionals translate application vulnerabilities into software defects and push tasks to developers in the tools and systems they are already using.
  • Virtual Patching
    • Create virtual Web Application Firewall (WAF) rules to help block malicious traffic while vulnerabilities are being resolved. While your organization takes on remediation of your applications, virtual patching helps guard against common vulnerabilities such as Cross-Site Scripting (XSS) and SQL Injections.
  • Compatible with Open Source and Commercial Products
    • ThreadFix is compatible with a number of commercial and freely available dynamic and static scanning technologies, SaaS testing platforms, IDS/IPS and WAFs and defect trackers.
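The first two features above, consolidating and de-duplicating results from several sources and rolling them up into a status report and tracker tickets, are easy to describe and surprisingly fiddly to get right, because every scanner names and locates the same flaw differently. The script below is an added illustration of that consolidation step, written for this post; it is not ThreadFix’s code, and the scanner export formats, tool names, field names and sample findings are all constructed for the example.

```python
"""Consolidating and de-duplicating application findings from several sources.

Added example, not ThreadFix's code. The export formats, tool names and
sample findings below are constructed for illustration.
"""
from collections import defaultdict

SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed sample results. Each source uses its own field names, which is
# exactly the problem a consolidation step has to absorb.
DYNAMIC_RESULTS = [  # hypothetical DAST export: URL + parameter
    {"app": "billing", "name": "Cross-Site Scripting", "cwe": 79,
     "url": "/search", "param": "q", "severity": "High"},
    {"app": "billing", "name": "SQL Injection", "cwe": 89,
     "url": "/login", "param": "username", "severity": "Critical"},
]
STATIC_RESULTS = [  # hypothetical SAST export: source file + entry point
    {"app": "billing", "title": "Reflected XSS", "cwe_id": "CWE-79",
     "file": "views/search.py", "line": 42, "entry_point": "/search",
     "input": "q", "risk": "Medium"},
    {"app": "billing", "title": "Hard-coded credential", "cwe_id": "CWE-798",
     "file": "config.py", "line": 7, "entry_point": None,
     "input": None, "risk": "High"},
]
MANUAL_RESULTS = [  # constructed note from a manual test, same shape as DAST
    {"app": "billing", "name": "XSS in search box", "cwe": 79,
     "url": "/search", "param": "q", "severity": "High"},
]


def from_dynamic(rec, tool):
    """Adapter: map a DAST-style record onto the common finding shape."""
    return {"tool": tool, "app": rec["app"], "cwe": rec["cwe"],
            "location": rec["url"], "parameter": rec["param"],
            "severity": rec["severity"], "title": rec["name"]}


def from_static(rec, tool):
    """Adapter: map a SAST-style record onto the common finding shape.

    Key on the HTTP entry point when the analyser reports one, so the same
    flaw seen from outside and from the code collapses into one item;
    otherwise key on the source location."""
    location = rec["entry_point"] or f'{rec["file"]}:{rec["line"]}'
    return {"tool": tool, "app": rec["app"],
            "cwe": int(rec["cwe_id"].split("-")[1]),
            "location": location, "parameter": rec["input"],
            "severity": rec["risk"], "title": rec["title"]}


def consolidate(sources):
    """sources: list of (tool_name, adapter, records).
    Returns {(app, cwe, location, parameter): entry}, one entry per unique flaw."""
    merged = {}
    for tool, adapter, records in sources:
        for rec in records:
            f = adapter(rec, tool)
            key = (f["app"], f["cwe"], f["location"], f["parameter"])
            entry = merged.setdefault(
                key, {"severity": f["severity"], "tools": set(), "titles": set()})
            # Keep the highest severity any source assigned to this flaw.
            if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[entry["severity"]]:
                entry["severity"] = f["severity"]
            entry["tools"].add(tool)
            entry["titles"].add(f["title"])
    return merged


def summarize(merged):
    """Per-application count of unique findings by severity."""
    summary = defaultdict(lambda: defaultdict(int))
    for (app, _cwe, _loc, _param), entry in merged.items():
        summary[app][entry["severity"]] += 1
    return {app: dict(counts) for app, counts in summary.items()}


def to_defect(key, entry):
    """Shape one consolidated finding as a tracker ticket (fields constructed)."""
    app, cwe, location, parameter = key
    where = location if parameter is None else f"{location} (parameter {parameter!r})"
    return {"summary": f"[{entry['severity']}] CWE-{cwe} in {app} at {where}",
            "description": "Reported by: " + ", ".join(sorted(entry["tools"]))
                           + "\nAs titled by sources: " + "; ".join(sorted(entry["titles"]))}


SOURCES = [("dast-scanner", from_dynamic, DYNAMIC_RESULTS),
           ("sast-scanner", from_static, STATIC_RESULTS),
           ("pentest", from_dynamic, MANUAL_RESULTS)]

if __name__ == "__main__":
    merged = consolidate(SOURCES)
    print(f"{sum(len(r) for _, _, r in SOURCES)} raw findings -> {len(merged)} unique")
    for key, entry in sorted(merged.items(),
                             key=lambda kv: -SEVERITY_RANK[kv[1]["severity"]]):
        print(to_defect(key, entry)["summary"], "| tools:", sorted(entry["tools"]))
    print(summarize(merged))
```

The de-duplication key is the interesting design choice: keying on application, CWE, entry point and parameter lets a reflected XSS that a dynamic scanner, a static analyser and a human tester each reported under a different name collapse into one item, with the sources recorded rather than lost. The five constructed records above reduce to three unique findings, and a finding seen by three independent sources is a useful signal for prioritization on its own.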

Version 1.1 of ThreadFix is available as a release candidate now, and should be available as a stable release very soon; 1.1 adds support for additional scanners, including NTO Spider and IBM AppScan, and numerous other enhancements (and, of course, bug fixes).

If application security is part of your world, take a look at ThreadFix.

Side note and conference tip: if you want to talk with friends at an event like RSA, and know you’ll be crazy busy- go ahead and schedule a meeting, even through their PR folks’ messages in your inbox.  If you don’t, the week will disappear. Just don’t say “I’ll meet you in the lobby” at events the size of RSA, several thousand other people have the same idea and you end up playing cell phone Marco Polo.  If I hadn’t scheduled time with Dan and John I might have waved to them at a party, but couldn’t have had a meaningful conversation.

 

Jack

Friday, March 15, 2013

Improvement: incremental, or excremental?

“We NEED radical change- the only way we can solve the challenges of securing systems and information is through radical change in the way we… blah, blah, blah”.

What we need, and what many people understand, is to allow reality to participate in our pronouncements.  Yes, the state of InfoSec is pretty sad, and many approaches to improving it have sprouted sects which are devolving into bad religions (note that I didn’t say “metrics”, “risk”, or “pentesting”, you thought of those on your own).  To be clear, my objection is not with these practices, it is with irrational and often myopic faith in them.

I’ll tell you what we NEED, we need a cure for cancer.  Sadly, we aren’t likely to “cure” cancer anytime soon, there are too many different diseases under that label, and too many causes to simply “cure” it.  What we are getting, however, is (for many types of cancer) improved treatment, with improved quality of life, and higher survivability.  I truly hope that within a few generations people will look back on chemotherapy as we look back on bloodletting today; if that happens, I believe it will be through incremental gains.  (Note: do not naively dismiss the occasional value of bloodletting, for some maladies it enforced bed rest when that was what was needed most.  For the record, I am not a doctor, and I don’t even play one on Twitter- I am not suggesting a return to it as a mainstream medical treatment).  So, bloodletting occasionally helped people recover, when it didn’t make them worse or kill them.  Sounds a bit like chemo, doesn’t it?

As for InfoSec: we’re talking packets, not people. Having added a bit of perspective, let’s revisit what we need, and what we might get, in InfoSec.

[Image: man in yellow field]

It would be lovely, like a field of flowers in spring, to make radical changes to infrastructure, code, human behavior, etc.  We could all frolic through the greenfield networks, and rest easy with robust code handling our transactions.  I’m sure we wouldn’t make any mistakes in design or implementation this time.

[Image: man suffering from pollen allergy]

Just watch out for hay fever in this dream world of yours.

I hate to rain on idealists’ parades (OK, you got me, I love it), but while some people do get to implement rapid radical change, remember that some people also get to win huge lotteries.  If you are reading this blog, I’ll assume that you, like me, are neither of the above.

Most InfoSec professionals, from the trenches to the executive level, are tied to environments with limited and infrequent opportunities for radical change.  We can make things a little better, with the goal of minimizing bad things and gradually improving overall.

[Image: mature manual worker in white hardhat near sewage treatment basin]

Or, if we are brutally honest, we may admit we’re more like sewage plant engineers, and that “stink less tomorrow” is a laudable goal.

But some changes just aren’t worth the effort.  With our environments continuously becoming more hostile and elaborate, doing nothing means losing ground.  BUT, change does not assure improvement, and change for the sake of change may make things worse.  At the risk of offending some friends in the business, spending weeks or months researching a new anti-virus solution, then spending the time and money to implement it may not be worth the effort and investment.  Some poorly thought out “improvements” will actually make your environment less robust, and a lack of familiarity with new systems can set back your ability to properly manage and secure your environment.  Change for the sake of change is crap.  I would suggest you instead spend that time on filling known holes in your visibility and awareness- such as log aggregation and analysis (Disclaimer: yes, I know- I work for a company which sells this kind of tech. I have advocated this for years, it isn’t about sales), or application whitelisting, or improved patching- something, anything, that can actually move you forward.

Unless you are one of the “lottery winners” who can make big things happen fast, focus on the incremental changes you can make today.  And keep a wish list handy for when you win the lottery.

 

Jack

Tuesday, March 5, 2013

Thank goodness that’s over.

As Dickens once said:

“It was the best of times, it was the worst of times, it was the age of wisdom, it was the age of foolishness, it was the epoch of belief, it was the epoch of incredulity, it was the season of Light, it was the season of Darkness, it was the spring of hope, it was the winter of despair…”

I am, of course, talking about the week of madness in San Francisco which centers on, and swirls around, the RSA conference. I don’t know where to start, it was a wild week.

Security BSides San Francisco was a great event, a new lead organizer and team of new and veteran crew and volunteers put on a great event at a funky new venue, the DNA Lounge. The event also moved to Sunday and Monday from the Mon/Tues it has been the past two years. A couple of things could have gone more smoothly, but it was an outstanding event, in spite of some challenges. A wide variety of great content and peripheral events, and an unusual but effective venue made this event a success. It is hard to believe that three years ago was the first BSidesSF, which was only the third BSides event. BSidesSF 2013 was the 67th BSides event globally (if my count is correct), and we’ve yet to hit the four-year anniversary of the first one. There are a lot of BSides events coming up, check the BSides wiki for all the details.

The RSA Conference itself was even more “RSA Conference” than usual, record attendance (I heard numbers like 24,000 people, but that’s unconfirmed), and record highs and lows. The expo floor was largely disgusting, the level of hype and chicanery was arguably worse than ever (a record not to be savored). This year brought a couple of revelations about the expo floor, primarily this:

The worst of the expo floor largely offers “InfoSec Homeopathy”, but without the advantages of any potential placebo effect- it simply diverts us from appropriate cures.

I would love to get a documentary (mockumentary?) crew to follow a few folks who’ve played this game for many years as they wander the aisles calling out the age of the “new technologies”, the acquired tech left to languish under the mismanagement of big firms, and the absolute snake oil. In this fantasy, Gene Spafford, Marcus Ranum, and Robert Graham are your tour guides through the show floor. I’m too fond of these folks to actually ask them to do it, however. In between the hype and hyperbole, there are always companies at the expo for the right reasons, to engage customers and prospects in rational conversations about their products and services- you just have to look past the booth babes, cars, and screaming barkers.

Speaking of “booth babes”, this year brought a worsening of the “booth babe” phenomenon. I hate to even mention their name for fear that P.T. Barnum was right, but ForeScout’s “Catholic Schoolgirl” attired booth women represented a new low. Based on comments from friends, it may be that no one is going to buy their product based on its merits, but that is no excuse. Sadly, they weren’t alone in the booth misogyny department. Speaking of misogyny, I did get to wear the latest in Misogyny Networks fashions a couple of times during the week.

Note that we do not have to put up with this, InfoSecurity Europe has updated their terms and conditions to prohibit “booth babes”. I applaud InfoSecurity Europe, and hope others follow their lead.

But it was not all bad, the crowds meant good traffic through the corporate overlords’ booth, and we had many good conversations about what we do and the way we see the landscape. Many others in the industry who were at RSAC to conduct business seemed to have a productive event as well. Unfortunately, the high booth traffic meant I didn’t get to see the talks I wanted to see, and there were several that looked good and had good reviews. But for me RSAC is about the business, so that’s where I focused. It’s worth mentioning that many attendees never visit the Expo floor, and many attendees never see a talk, and many seem to only be interested in the parties. You need to find an approach to RSAC that serves your needs- if you don’t, you’ll probably be mired in misery and frustration.

Speaking of parties, I avoided most of them this year and focused on a few smaller events where I could connect and reconnect with people. I did attend the Security Bloggers’ Meetup, it is a can’t-miss event for me where I can see folks in person I normally only see online. This year’s awards were great, with one notable exception: the judges voted me into the SBN “Hall of Fame” over better and more deserving nominees. I am grateful and flattered by the award, I just think many others have contributed more to the security blogging community. Also winning this year was the Pauldotcom podcast, which has won four out of the five years the awards have been given. Since Paul and Larry launched the podcast many years ago, it has grown and evolved- the current crew of Paul, Larry, Mike, Allison, Patrick, and the audio and video team is a pleasure (and occasional terror) to work with and I’m honored to have been a part of it for the past couple of years.

Now, back to work.

Jack

Tuesday, February 19, 2013

Find your pebbles

I have just left one of my favorite gatherings of the year, Shmoocon, and I’m now at the Microsoft MVP Summit.  While they are very different events, and the total attendance overlap is probably fewer than five of us, there is a common thread: I’m spending time with people who have found something which interests them, and are exploring and sharing what moves them.


It is easy to dismiss the things we don’t care about personally, or ask “how could anyone get excited about [whatever]?”, but I think encouraging curiosity, exploration, and especially sharing what you know- these things are critically important, personally and professionally.  Even if others don’t agree, or you think you are just amusing yourself.

Some centuries ago a man looked back at his life’s work and said:

“I do not know what I may appear to the world, but to myself I seem to have been only like a boy playing on the sea-shore, and diverting myself in now and then finding a smoother pebble or a prettier shell than ordinary, whilst the great ocean of truth lay all undiscovered before me.”

Granted, some folks find pebbles which are more universally interesting, and shells which lead to advances for the greater good, but I think that quote should encourage you to find your pebbles to study and share.  It seems to have worked for Isaac Newton.

Jack

Monday, February 18, 2013

Virtually Absolute. Or not.

It is almost time for the RSA Conference, where those in attendance (and via the media, those not in attendance) will be bombarded with hype and hyperbole, on topics old, less old, and, contrary to popular belief, even new.

The part of RSA which frustrates and demoralizes most attendees is the expo floor.  Some people avoid it entirely, which I can appreciate- but for those of us in the industry, we have to be on the floor, working for our companies, and checking out the state of the industry.  Others see it as a way to check out products and services, and talk directly to the vendors.  Whatever brings you to the expo floor, remember that it is a sales and lead generation event (which explains, poorly, the “booth babes”, fast cars, and other nonsense).

When talking to vendors, my standard advice applies: watch out for absolutes.  If anyone is claiming to have “the answer” to an InfoSec challenge, run away.  If someone claims to have “an answer”, you may want to listen if it interests you (but always keep the BS shields up, and keep an eye on the exit path). 

If you find someone who offers something shrouded in what are often derisively called “weasel words”, pay close attention.  These tend to fall into two categories:

Those overstating their product’s or service’s performance, who use weasel words to provide an escape clause for their “exaggerations”

and

those who know the world is complex and who are unwilling to promise the impossible, but believe in what they do.

In the former case, those not-quite-absolute words are indeed weasel words; in the latter, they are honesty.  Sadly, the former far outweighs the latter.  It may not be a compelling statement, but if someone tells you “I think we may be able to help you solve part of your challenge”, pay attention.  Maybe they’re offering crap, but more likely they are being brutally honest about the challenges of InfoSec, and have probably been in the trenches themselves and didn’t appreciate vendor tall tales.

Note: this advice primarily applies to face-to-face conversations.  Banners and marketing materials have to grab your attention; admit it, you aren’t going to respond if they don’t grab you.

And yes, as implied above, I’ll be at RSA, Tuesday-Thursday, mostly in the Tenable booth (it seems like the least I can do for them, considering the regular paychecks they send me).  I’ll also be around BSides San Francisco on Sunday and Monday.  Stop by and say hello, I’m pretty easy to spot.

 

Jack