Monday, February 28, 2011

So I missed a point or two…

As is often the case with quick blog posts, a bit of reflection before posting could have added some clarity to my last one, The true cost of non-compliance is ZERO*.

As far as “things going wrong”, the trigger for pushing the cost above zero may not simply be “suffering a breach”, but is more likely “suffering an incident which is so bad we have to deal with it”.  Again, not a happy thought, but one we must accept if we want to make progress.  I am tempted to opine that this is especially true in small to mid-sized organizations, but I am repeatedly reminded that many large enterprises are just really big small businesses, so I’ll refrain from that.

Andy Ellis pointed out that there are costs, specifically internal reputational cost, which I missed.  Andy is smart like that.  That means hiring and keeping good people will be a problem, as will other things that can accompany morale issues.  They are hard to measure though, and are often overlooked until they reach a crisis stage- which I guess would qualify as “something going wrong”.



Sunday, February 27, 2011

The true cost of non-compliance is ZERO*

There has been lots of talk about the cost of compliance, and lately about the cost of non-compliance.  Most of the talk conveniently ignores this fact:
The cost of non-compliance is ZERO*

*if nothing goes wrong.

If you don’t think that the people making decisions on budgets should and do consider this fact, you are probably both more frustrated and less effective than you need to be.

I hear you saying “but Jack, things always go wrong”.  That is both true, and not true.  In the security world we mostly deal with things which have gone wrong, and that’s what we see.  The stuff humming along nicely (or at least not horribly) is usually under our radar.

The things most likely to go wrong are:

  • Getting caught
    • This likelihood ranges from “probable” for many under PCI to “indistinguishable from zero” for many other laws and/or regulations.
      • Note: you need to have former Assistant DAs explain lack of funding for regulatory enforcement to you when you try to convince them to secure their law practices to really enjoy this topic. Or so I’ve heard.
  • Suffering a breach
    • This still leaves open the question of whether being compliant would have prevented the breach.
      • “Compliant” does not guarantee “secure”.
    • More importantly, this does not address whether compliance would have provided the most effective preventative (both from cost and logistic perspectives).

Monday, February 21, 2011

The Tonga Room, a moving experience


Note: this is a cross-post from my travel/liver damage blog.  I also posted here because of the significance of the topic to the InfoSec community.  Really.

It looks like the future of the Tonga Room involves a move to a new location.  What is the Tonga Room?  The Tonga Room is one of those special places which is so tacky that it comes out the other side and has class again.  Follow the link above to my last post on it for more details.  Rumor (wink, wink) is that the Tonga has been sold; name, fixtures, even employees- as a whole, to be moved to an as yet unknown location.

Details are sketchy, but my sources are impeccable (always trust people in Hawaiian shirts).  Expect the "new" Tonga in a new venue, but I don’t know when.  The month of April is when something happens, but as of yet I do not know if that is closing, reopening, or what.

There are more questions than answers at this time.

Will it still have the pontoon tiki boat stage?

Will the complete set of fixtures be part of the resurrected Tonga- including the masts, railings, and rigging from the Forrester?

Will the loyal employees be treated well under the terms of the sale and under the new owners?

Will the Mai Tais still kick your butt down the hill?

Will there still be a hill to have said butts dragged up and kicked down?


For the past few years I have made a pilgrimage to the Tonga Room at the beginning (and often middle and end) of the week of the RSA conference (and now the week of Security BSides San Francisco, too). 


This year we spread the word a bit more and ended up with TongaCon, which kicked serious butt.  There were probably about 35-40 people who rolled through, more paper umbrellas than I could count, a live RickRolling of the bar by the band (FYI, Rick Astley covers should always be done by lounge bands on a pontoon boat).  There may have even been unfortunate events involving an unnamed journalist’s bald head and someone else’s beard, and possibly a “how many umbrellas can we stick in Jack’s beard” contest.  (You will have to find those pictures on your own).



More TongaCon photos here.

I am asking San Francisco locals (and everyone else interested) to keep me posted on the future of the Tonga Room, and I’ll share the info.



Friday, February 18, 2011

Value of Certifications survey

Mike and Lee over at Information Security Leaders have kicked off a new survey on the value of certifications in your information security career.  They put a lot of effort into their studies, and always share the results- so if you have 5-10 minutes take a look at the survey.

Take the survey from here:



Monday, February 14, 2011

Digging deeper into my last post

In my last post I mentioned my observation about Shmoocon Labs’ success at emulating an enterprise network, including some attributes not planned- specifically some inefficiencies, complexities, and balkanization of roles.
Note: as I said in the last post, this is not a shot at Shmoocon Labs, I think the Labs are fantastic- I’m just extending the learning experience beyond the stated curriculum.
Modern networks, even fairly small ones, are often more complex than they need to be.  The people who manage the networks have limited areas of expertise and generally work within their knowledge areas- this tends to mean a bias towards specific products, services, and techniques.  These are expected issues, no one can master all aspects of network or system administration; we all (well, most of us) do the best we can with the resources available and make stuff work.  I want to reiterate that point:
We do what we can, with what we have, and make the best of it.
That does mean that the results aren’t always pretty- but as is also true of my old pickup truck, we get the job done.
After years of doing the best we can with what we have in our environments, the cumulative result is frequently downright ugly- especially when seen through the eyes of outsiders.  (Good thing we aren’t judgmental when we enter new environments).
I am not suggesting we excuse or ignore the train wrecks we see in our daily InfoSec grind, they are usually easy to spot and should be called out.  It is our job to identify and try to resolve problems. 
If, however, we fail to consider how the situation evolved into its current state or we forget that no one set out to make a train wreck, we are likely to be ignored- or we will repeat the same mistakes that created the old mess (although the technology industry has an amazing aptitude for making the same old mistakes in new and exciting ways- but this isn’t a post on Cloud computing, so we won’t go there).


Saturday, February 12, 2011

Just like the real thing

NOTE: I debated writing this because some might take it as criticism of Shmoocon or dismiss it as my disappointment in the failure of my plans for participation in the Shmoocon Labs this year.  It is neither, it was simply a great learning experience- and like most of the best learning experiences, the lessons learned were not on the curriculum.

Shmoocon was great again this year.  The Shmoobus was entertaining as always, blizzard and its aftermath on the way down, rolling LAN party and much more on the way home. 

One of the things Shmoocon does every year is build their event network as a training event, Shmoocon Labs, not just to provide connectivity for the con.  They swoop in, split into teams (switching, firewall, wireless, services, visualization, etc.) and start building a network on Thursday morning and by Friday afternoon they have a (mostly) functional network serving the needs of the conference and its attendees.  And by Sunday evening it is all gone.  The goal is to build a truly “enterprise class” network, and they pull it off every year.

The various teams handle specific segments of the network, and while everyone works together, there is a segregation of duties between teams and tasks stay in the appropriate team.  Everyone on the labs crew is a volunteer, many even pay extra to participate and learn- this means expertise is based on the experience of those participating.  There are a lot of very experienced network engineers in the Shmoo team, and they do a killer job…


The network is complex.  It is done on purpose, as part of the training experience.  But complex *anything* is problematic in many ways.  Complexity brings challenges to configuration, compatibility, manageability, security, and more.


Task isolation between teams means that sometimes the most expedient solutions are not applied because the team with primary responsibility for the task or service is given the opportunity to work through the issue and learn.


These “problems” aren’t really problems at Shmoocon, right?  They are part of the program, there are very good reasons for intentionally introducing these burdens and challenges.  And besides, everything works eventually and thus the labs are a success.

Hey, wait a minute…

“That’s not a problem because we do it on purpose, and besides, it works” sounds vaguely familiar, doesn’t it?  It turns out that they manage to capture more details of a true “Enterprise Network” than are in the plans.



Monday, February 7, 2011

Choir preaching, chamber echoing, etc.

There has been a lot of talk about the “echo chamber” of information security lately, mostly inside the echo chamber- about how we need to get outside of the echo chamber.


(image credit: Hugh MacLeod’s Gaping Void)

Likewise, there has been a debate about the “preaching to the choir” aspect of many security conferences.  This really makes me worry about what kind of churches you people go to.


If we’re going to play with these metaphors- I do not have a problem with the comfort of the echo chamber, nor do I think there is a problem with preaching to the choir.  We deserve to have fun occasionally, share information with people we know, build the relationships that help us do our jobs and get through our crises, and all the other things we do at gathering places- both physical and virtual.

The problem is when we never leave these enclaves.  We need to share what we learn.  We need to get our teeth kicked in by the realities of the real world, business needs, people’s priorities and biases.  Then retreat to our little cliques, recharge, and repeat.

Face it, if it was easy, most of us wouldn’t do it.  There is something a bit off about the “infosec” mind, and that’s OK.