Monday, December 29, 2008

Hackers and Brand Marketing

Stray thoughts about something not directly related to security...

Some people "get" branding, and some don't.  And some that get branding don't even know that they get it, and certainly wouldn't call it "brand marketing" or heaven forbid, "personal branding"- but they do a better job of establishing and promoting their identity than some marketing professionals do with their products.

If you go to a hacker event- such as DefCon, Shmoocon, Day-Con, etc., you will see a lot of people who exhibit distinctive identities through a variety of means.  Specialized areas of expertise, diverse opinions, unique fashion statements, "interesting" personalities and more make people stand out, even in a crowd of hackers.  Most hackers also have a passion for technology and an eagerness to share information.

Unique identities, passion, sharing information- those are assets which can really "build brands".  Some hackers do these things out of ego, but it seems to come naturally to most.  Now think about how many professionally driven brands could really use some individuality and passion.

That's nice, Jack, but so what?  We often have to sell ourselves and our ideas to achieve our goals (or to simply get our jobs done)- and just like in traditional sales and marketing, if the brand is established and has a good reputation, it is easier to make the sale.  I'm not suggesting resorting to Media Prostitution, but it can't hurt to stop and think about "brand image" occasionally.



Monday, December 22, 2008

Free Information Security Training (and it is good!)

FEMA, the people we think of when disaster strikes in the US, has a lot of good emergency preparedness training resources- which you would expect.  Check out their Emergency Management Institute for the course catalog of on-site and self-study courses for disaster prep; you can find general purpose training for individuals here.

What you might not expect is that FEMA would offer Cyber Security training- but they do, and it is good.  Information is at the Act Online site, including schedules for on-site training and the list of self-study courses.  From the site:

"ACT Online is an evolution of the Information Assurance program offered by the University of Memphis Center for Information Assurance. A partnership with Vanderbilt University and SPARTA, Inc. expands the proven classroom instruction into a fully capable web based method of instruction.

ACT Online provides a unique combination of expertise and capabilities and we leverage the background of a successful academic program in information assurance uniquely recognized by US Department of Homeland Security.  Our nationwide program uses a comprehensive approach to prepare professionals in identifying assets, recognizing vulnerabilities, prioritizing assets and implementing protection measures in cyber infrastructure."

They currently have four courses up and five more are in various stages of development.  The course catalog lists courses for general/non-technical, IT technical/professional and business professionals- from basics to ethics and forensics. 

OK, I need to pause here- yes, it is the same FEMA that underwhelmed us in the aftermath of Hurricane Katrina.  And yes, they are under DHS, the same folks who oversee TSA- the folks who run airport "security" in the US.  Don't hold that against them, FEMA is really trying to do some good work, and this is only one example of the new face of FEMA.  It is good stuff, and they are good people.

There is real content in these courses, and the testing isn't simple- the "Information Security Basics" pre-qualifying test made me think about things I haven't considered since taking my CISSP exam.  You can actually learn valuable things, and you can even turn trainable end-users (if there is such a thing) loose on the "Information Security for Everyone" course and raise their awareness.  The courses can also be used for running your own formal training sessions with the available training coordinator and reporting functions.

Note: You must be a US citizen to take advantage of this training.  I suppose you could lie about your citizenship, but if you do- I suggest you skip the Cyber Ethics course.



Monday, December 15, 2008

Microsoft gets it wrong, again.

Nope, not what you are thinking- not a security rant, not a dumb reaction to something, not product quality, not even pricing or licensing.  It is how they treat the people responsible for their success- the admins in the trenches who make Windows work, the partners and developers- and their odd logic about getting your hands on a copy of Windows 7.

I have been a TechNet subscriber for many years, I can't imagine running a Windows shop without a subscription.  Others look on their MSDN and Action Pack subscriptions similarly. None of us get a copy of Windows 7 yet, but we can play a game of begging to get a copy- anyone who finds the right links and is willing to play the game can.  Sure, Microsoft will say they want people to provide feedback and contribute to the product, and they want control over distribution of beta code.  Nonsense.  The people so dependent on Microsoft technologies that we are willing to pay for the content, that's who should get their hands on early semi-public beta software, because we will make it work, and the more advanced look we get, the better job we will do of making it work.

Windows 7 is getting some good press, and it should- it is what Vista should have been.  Stuff works.  Stuff that doesn't work responds to the same fixes developed for Vista.  It is lighter, faster, and less annoying, but without losing the usability enhancements Vista brought.  I can confirm some of this because a friend bent some rules to get me a copy- which I can't use much longer because I can't get a license key.  That means I won't be able to do as much pre-release compatibility testing with key vendors' products before launch, nor document interoperability, or even tell people what I really think about the product.  This also means I won't have confidence in the product for longer after it is in the wild and will probably have to give the advice we have all given forever- "wait for Service Pack One before deploying", instead of "the beta process was so thorough, it's safe to start limited deployments".  That is stupid, and a symptom of what is wrong with Microsoft.  (Microsoft is one of those companies, you know several of them, full of great people who rarely let you down- but as an entity is most likely to disappoint you).

The security implications are clear, too.  For all its problems, Vista is more secure than its predecessors, and Windows 7 should be more secure still.  The faster we get people off of older versions of Windows the better for all of us.  Vista was a disappointment; Windows 7 has promise, but if the roll-out is fumbled we'll continue to see XP, 2000, and even older systems out there, sitting ducks for attackers.



Saturday, December 13, 2008

SC World Congress follow up

I attended SC World Congress earlier this week, I need to put some research and thought into several things and write about them later- but for now here are some thoughts and observations.

  • It was a pretty good show, especially for a first event.
  • The Jericho Forum never wanted to steal our firewalls.  (but you knew that).
    • Besides De-perimeterization, they are contemplating the nature of collaboration, and they are steeling themselves to face the "cloud".
  • A drinking game involving the word/prefix "cyber" would kill any human in under ten minutes at a keynote at such events.
  • From a vendor perspective, people are still buying, but not a lot, and they are paying attention to what they buy.
  • The folks at Core Security are still cool.
  • I like to ridicule and criticize DHS and FEMA as much as most sentient beings, but they are doing something very good- free security training.
    • Go to to see the course curriculum, four courses are online and five more are in process.
    • There are courses for non-technical people, technical professionals, and business professionals.

And not directly related to SC World Congress, except that it was in NYC:

  • I'm not normally a big sushi fan, but Blue Fin, in the W Hotel in Times Square could change that.
  • Rm Fifty5 at the Dream Hotel in the Theater District is a fancy "hole in the wall" (that is a good thing, at least as far as I'm concerned), even if they can't make a decent Mojito.

I wish I could go to 25c3, but I won't make it, so I'll just have to wait for Shmoocon and SOURCE Boston for my next conference fixes.



Monday, December 8, 2008

A few relevant articles

Bill Brenner has an interesting article over at CSO Online about Fortify's announcement of the "death" of Pen Testing (hey, aren't those the folks who trash Open Source software at least annually, and have those embarrassing "booth-babes" at conferences- why, yes they are), and Alex Hutton posted his response to the idea on his Risk Analysis blog.

And, while at CSO I spotted this article on fighting piracy.  Some good points, but I think that we may have simply grown too soft to deal with it effectively.  Many people seem to have lost touch with the danger inherent in going to sea, and are unwilling to apply the needed harsh responses to maritime terror which will be required to control the problem.  By the way, it would be grossly oversimplifying the issue to blame containerization- but when large crews of men manned ships to load and unload the cargo, this kind of small-crew piracy would have been a lot harder to perform.



Thursday, December 4, 2008

The Fallacy of Penetration Testing

Prepare for sacrilege.  But please read to the bottom before flaming me.

Penetration testing is a farce and largely a waste of time and money.

There, I feel better, I've said it. Come on, there are really only two possible outcomes to a penetration test:

  • ONE: You confirm something you already know, that you are vulnerable to a sufficiently skilled and determined attacker.
    • If you don't know this already, abandon hope.
    • Really, just go into sales.
      • If you are that good at lying to yourself it will be easy to lie to others.
      • Just kidding.
        • Mostly.


  • TWO: The Penetration Tester you hired isn't good enough.
    • Or more likely, you prevented them from doing their job.

We don't even agree about what "Penetration Testing" is, and most people are totally clueless about it.  Sure, you know what it means and so do I- but I bet it means different things to us.  It is a term that is used for everything from a cursory Nessus or Saint scan, to a full-blown attempt to penetrate and compromise any or all aspects of a system or environment by any method.  Whatever that means.  And not enough people agree on the meanings for the phrase to be valuable.  And, yes, you start every engagement by teaching the manager/customer/whoever exactly what *you* mean by "Penetration Test".  Just like every other good Pen Tester, and you all contradict each other, at least a little.  That doesn't help.

Another problem I have with the "Pen Testing Industry" is the offensive and ignorant term which accompanies it: Ethical Hacker.  Or, heaven forbid, Certified Ethical Hacker.  If what that implies about real hackers doesn't infuriate you, we probably really disagree about what hacker means. And you are wrong.  This one isn't just my opinion, people you should respect feel the same way.

Possibly most damning, Penetration Testing has taken on a life of its own, independent of the greater business- always a mistake in the greater scheme of things.

Does this mean we shouldn't test things, challenge systems, push limits until things break?  Of course not, but it needs to stop being a stand-alone, bolt-on afterthought.

The answer certainly isn't as simple as "building in security" as some people claim.  First and foremost, I think it should be obvious that "building security in" from the beginning isn't that simple.  That needs to be a goal, but people make mistakes and deploy things poorly, threats evolve and new ones emerge.  We need to test and challenge systems to make sure they are secure, and to find holes so we can address them.  The key is that we need to integrate the efforts to get things right the first time with continued testing and corresponding remediation- in alignment with and in support of the needs of the business.  Consider that the Pen Tester often knows more about securing systems than the people trying to secure the information because they moved "up" from administration positions into their "security" roles- and so the people most able to secure the systems are only responsible for finding the problems.  Don't even start with the "we write great reports detailing remediation best practice yada, yada, yada".  Those reports are sitting right next to the audit reports and policies which haven't been seriously reviewed or updated since the last time something forced that.  I know that it isn't always as ugly as I've presented it, but it often is.  Maybe even "almost always" that ugly.

Pen Testing isn't going away anytime soon, nor should it.  It isn't going to be absorbed into the larger security process quickly, either.  But the sooner it is integrated into the overall security and business needs of the enterprise, the more secure our information will really be.  And that's the goal, right?  At least it is my goal.



Wednesday, December 3, 2008

Two more security podcasts

A couple of my journalist friends have relatively new security-focused podcasts which are now regulars in my commute listening rotation:

Fellow NAISG board member Bill Brenner is a Senior Editor at CSO Online and produces the CSO Security Perspectives Podcast.  In the Security Perspectives podcast Bill talks with a variety of industry experts on a wide range of security topics. (Bill did lower his usually impeccable standards once and interviewed me for an episode).

Brenno deWinter is a journalist and podcaster- but most of his content is in his native Dutch. Brenno has now started posting his English-language interviews as a separate podcast, The Security Update, for those of us who don't speak Dutch.  (Brenno also does the Laura speaks Dutch podcast for those English-speakers who want to learn Dutch).




Monday, December 1, 2008

Not hit by train, and Shmoocon tickets

A couple of quick notes-

I'm fine and I was not hit by a train- unlike this unlucky gentleman from the Boston area named Jack Daniels. (FWIW, I'm not that old yet, and there's no "s" at the end of my name). Thanks to those who checked to make sure it wasn't me.

Also, noon today, round two of Shmoocon tickets go on sale. They won't last long.

[Looks like they had some "issues" with ticket sales, details at the Shmoocon website]

I can't promise anything specific yet, but there will be some form of road trip from the Boston area to Shmoocon.