Archive for October, 2011

Oct 17 2011

Think about what you want from your QSA/QSAC

Published under PCI, Security Advisories

After four years of working as a Qualified Security Assessor (QSA) for two different Qualified Security Assessment Companies (QSAC), it’s a huge relief to be able to introduce myself as a ‘recovering QSA’. As a friend of mine pointed out, the taint of being a QSA is not something that washes off easily; it sticks with you in insidious ways, bubbling to the surface when you least expect it. I make it sound worse than it really is, but I do find myself slipping into the mindset of “this is how you’d meet a compliance requirement” sometimes when what I really want to say is “this is how you’d make your company more secure”. After four years, it’s a hard habit to break.

Because of my experience as a QSA, I’ve recently had several people ask me for help picking out their next QSAC. They want to know which company they should go with, what they should expect from the process and how to get to their Report on Compliance (RoC) as painlessly as possible. For companies approaching PCI compliance for the first time, it’s a scary proposition, because they’re painfully aware of how much they don’t know about what’s going to happen and what’s going to be required of them in the assessment. Companies who’ve been through it before are often feeling pretty smug about having last year’s RoC and underestimate the difference the QSA’s experience and understanding of the rules can make. Companies who’ve been through the process many times understand that the specific QSA they get for their assessment is often more important than the company he or she works for. Remember, you’re going to be assessed by that person, and the company processes behind them are less important to you than their ability to understand your company.

Let’s get something out of the way: if you simply want someone who can come in and check a bunch of boxes without understanding your infrastructure, go with the lowest bidder, someone who guarantees they’ll come in, assess your entire company in two days and phone in the rest of the assessment. Seriously, if you’re not looking for a partner to advise you on how to secure your environment and you just want a piece of paper with little or no increase in security, find someone who will give it to you. Don’t look for an experienced QSA; look for one who’s relatively new to the job, one who can be bullied or fooled into agreeing with your assertions without verifying them. We all know companies that operate on this business model exist, and it’s not worth wasting your time and money if you are looking for check-box compliance. I’ve had too much experience with companies that couldn’t care less about securing their infrastructure and simply want to do the least amount of work possible to make the assessor go away. If your company fits into that category, it’s less of a headache if everyone agrees to accept this premise and moves on.

If you’re looking to get more out of an assessment than just a piece of paper, though, you have a number of things to start considering. How important is compliance to you versus how important is security to you? Are your goals and your company’s goals the same? Are you going to use the assessment to help you get funding for projects you know you need (and if not, why not)? Is this your first assessment, or have you been through several before? Are you interested in having an ongoing relationship with the QSAC and the QSA, or do you want to get through this project and move on to your next headache?

It’s very important that your goals and the company’s goals are the same, and if they’re not, it’s even more important that you understand where they diverge and how you can use that tension to your advantage. When the security department reports to the CFO or to a part of the organization that’s more concerned with how much money is being spent than with how effective security measures are, your goals will probably be far different. Learn to use the QSA to close that gap; use them as an appeal to authority. “I know you don’t want to spend the money, but we won’t pass our assessment if we don’t” is a very powerful statement in many businesses.

Very few people conflate security and compliance at this point in time, at least that’s my hope. But compliance can be a useful tool in getting the security tools you need in order to fulfill your commitment as a security professional to your company. If you’re more concerned with getting compliant than with being secure, go back to the earlier point of simply getting the cheapest check-box QSAC you can. On the other hand, if you’re looking to be more secure when the process is complete, try to use compliance as a crowbar to pry funding from management. Think a lot about that as you’re looking for a QSA: about how you can use the PCI DSS requirements to support your argument for new tools or additional headcount. Your QSA can help a lot in this process, especially once the initial report comes back and you both understand what you need and how it will help secure your company. Most good QSAs are also security professionals and get excited when you approach them as such instead of treating them like the enemy. If you can frame the argument for a security control as a way to meet several compliance measures, your budget has a much greater chance of getting approved.

The first time you go through a PCI assessment is painful, no matter how well you think you understand the PCI DSS requirements and how to implement them. And in many cases, the second assessment isn’t a lot easier, since it’s been 8-12 months since your previous assessment and you’ve let a number of the requirements slip without realizing it. Look at the 2011 Verizon PCI Report and you’ll realize that this is exactly what happens to far too many companies. The year-over-year numbers on maintaining compliance are actually a bit depressing when you read into them; you’d hope that getting controls in place was the hard part, but really, it’s the maintenance of controls that most companies find hardest. It makes sense in some ways, since it’s easier to concentrate on getting an IDS or log management solution set up than it is to monitor it on a daily basis. Let this thought sink in as you’re looking for a QSA: just because you were compliant last year doesn’t mean your teams have properly maintained the tools over time.

All too often, the goal of companies is to get the assessor in and out as quickly and painlessly as possible. But is this really a good use of the resources you have at your disposal? While compliance seems like a once-a-year exercise, it’s really a year-round commitment; it’s just that your compliance is going to be assessed once a year. The assessment represents a point-in-time view of your work, but in the long run, you’re going to be judged by what you do when the QSA isn’t there much more than by what you do while she’s on-site. If you have a QSA that you understand and can work with, it helps to have a relationship you can use to call them up when you have a question. Most QSAs get to see a dozen or more different environments a year, and asking them how other companies meet a requirement can help steer you in the right direction to be more secure or save money. If your QSA is a security professional first, they may be able to tell you how to meet a compliance requirement with a non-traditional technology. This may not be something you’re interested in, but using your QSA as a trusted adviser rather than an enemy of the state can make maintaining compliance easier throughout the year and passing your next assessment much easier. It may cost you slightly more in the short term but can have a long-term return on investment.

These are all things you should be considering before you ever start talking to a QSAC and interviewing QSAs. Know what you want to get out of the relationship with them and it will make the process much clearer, or at least give you something to base your decisions on along the way. When you’re just looking for the piece of paper, go cheap and save your money for what really matters to you. But if you want to use compliance as a means to becoming more secure, it’s going to change your whole process and how you frame questions when you interview your QSA before you choose one. You are planning to interview a number of QSAs, not just accept the one the company sends you, aren’t you?


Oct 04 2011

Network Security Podcast, Episode 255

Published under Podcast

Rich and Martin are around this week and managed to pull off a show despite ogling the new iPhone (okay, maybe that was just one of us). We talk about the big announcement from Securosis before jumping into the week’s security news. High drama, low comedy, and you know the rest…

Network Security Podcast, Episode 255, October 4, 2011
Time: 31:48

Show Notes:

Securosis launches the Nexus. Rich turns into a marketing creep.
Electronic voting machines easy to hack. Still.
Governments love chewing on the juicy data you leave with Google and other service providers.
More details from the security leaders survey. Really worth reading.
Martin managed to watch a live congressional cybersecurity hearing. Foolish.
Rich and Martin discuss certificate pinning.
Tonight’s music: Gold Rush by The Crazy Majority


Oct 04 2011

Live tweeting the House Intelligence Committee

Last night I got an email from Jim Engineer at e-Rainmaker PR stating that Kevin Mandia from Mandiant would be appearing before Congress. I’m always interested in hearing the leaders in our industry speak to members of Congress, because it reveals a lot not only about the thought processes of the folks who are presenting to Congress, but also about what our Congressmen think about security. This hearing was no different from most, in that it showed there are definite agendas at work, but it also showed that the biggest concern for our Congress is the threat of China to our businesses and intellectual property, in addition to attacks on government properties. I live tweeted as much of it as possible and I’d like feedback in the form of comments if you found it valuable. Or even if you didn’t. Any misquotes are my own and are attributable to trying to listen and tweet at the same time.

General Hayden impressed me the most of the three speakers. His main message was that cyber-security is not something we should be in a rush to come up with ‘the answer’ for, but that we should be looking at having long conversations about what needs to be done in a thoughtful, logical manner. While he encouraged legislation, he made it clear he wants the goal to be outcomes, not just compliance. He was level-headed and clearly understood the difference between security and compliance, something Kevin Mandia also backed up.

I thought Kevin was underutilized in this conversation. He had some very good, clear thoughts on the subjects at hand, but the members of the committee seemed to give his testimony less credence, since it didn’t directly feed into the narrative they were trying to lead to. His strongest statement was, “You will be breached, the security compromise is inevitable.” He followed it by stating that “In our last fifty incidents, forty-eight of them learned of the compromise from external third-parties like the FBI”. That’s a pretty damning statement about the state of detection in our industry today.

And then there was Art Coviello. I’m not going to dig too deeply into Mr. Coviello, but he was being a good CEO while also being an intellectually dishonest security professional, if you could call him a security professional at all. Statements like “Our advanced technology allowed us to detect and react to the attack in progress” and “We were within hours of being able to stop the compromise” and other comments about how ‘swiftly’ RSA responded to the compromise go directly against the timelines in the press and against the history of how RSA notified the public and their customers of their compromise. Remember, they didn’t even have a Chief Security Officer before the compromise; there was no one at the C-level responsible for security. I was very unimpressed with Mr. Coviello today.

Not much will come from this Committee meeting, but it was educational to learn what message the members of Congress wanted to put out and how businesses are willing to help them. It was also a lot of fun to live tweet it and see what security professionals around the country think. Marty Roesch from Sourcefire (@mroesch) was especially cynical and entertaining. But there were a lot of people who had good feedback and questions, for which I’m thankful.

Feedback on live tweeting is very much appreciated; leave comments and expect me to do the same next time I have the time and opportunity. And here’s the press release from Jim.

For your information, MANDIANT CEO Kevin Mandia will offer testimony to the House Intelligence Committee at the invitation of Chairman Mike Rogers (R-MI) tomorrow, Tuesday, Oct. 4, from 10 a.m. to 1 p.m. Kevin is available to comment on his testimony should you have an interest in pursuing.

To view the testimony please visit:

“Cyber Threats and Ongoing Efforts to Protect the Nation” 10:00am – 1:00pm ET HVC-210

· The Honorable Michael V. Hayden, Principal, The Chertoff Group
· Mr. Arthur W. Coviello, Jr., Executive Chairman, RSA
· Mr. Kevin Mandia, Chairman and Chief Executive Officer, MANDIANT

Chairman Rogers on the Cyber Security Hearing:
“Examining the threat of cyber attacks against the United States is of utmost importance. The threat of cyber attacks continues to evolve. What started out as a kid in the basement hacking into a school computer to change a grade has evolved into entire nation states focused and determined to exploit our nation’s cyber systems. The Committee will review recent developments in the evolution of the cyber threat against the United States by nation state actors and others. Additionally, we will evaluate the status of the United States government’s efforts at providing cyber security within the government, the status of cyber security in the private sector, and the sharing of government information, including intelligence information, with the private sector to enable it to better defend and protect our nation’s most critical private systems.”

PS: I think I only heard the dreaded “APT” once, from Art Coviello. Figures.


Oct 04 2011

Write to learn, learn to progress

Published under Blogging

This weekend I saw a post called “What does eight years of blogging get you?” I realized almost immediately that I’d been blogging for just over 8 years myself and that the author’s experiences mirror my own, though he’s a bit more prolific and encourages comments much more than I do. In 8 years, I’ve written over 2000 posts, received over 2000 comments and recorded nearly 350 podcasts (including 100 interviews). While perhaps too many posts have been about me and my travails, I have to say that the decision to start blogging has easily been the single most important and formative event of my career in security. Nothing I’ve done, whether it’s getting a degree or my CISSP (no snickering!), has had nearly the effect on my career that blogging has. Podcasting comes close, but is mostly an extension of the blog, and Twitter is a distant third; but my blog will still be around in the years after the security community has moved on to The Next Big Thing and Twitter is a fond memory.

Mitch nails it with his 8 reasons for still blogging. I get a lot of people (okay, 1-2 a week) asking me for career advice in security, and the two things I always tell them are to start blogging and to get involved in the security community on Twitter. Whether you understand it yet or not, you’ll learn that being able to communicate is one of the keystones of a career, even more important than the technical skills. Let me say that again: it’s more important to be able to communicate than to be able to configure or run a technology. Your ability to work with a specific technology may be the best in the world, but unless you can communicate to your management why what you do is important, you’ll never progress beyond the level of technologist. That may be fine for you, but I suspect most people want to move on to bigger and better things at some point in their career.

Blogging is a great venue for exploring big thoughts that can’t be fleshed out in any other way. I’m a huge fan of Twitter, but there are definitely limitations to how complex an idea you can communicate 140 characters at a time! Blogging lets me slow down, formulate my ideas in a coherent manner and lay them out in a logical fashion that I hope is easy to understand, or at least to read. But more importantly, it’s a discipline that has caused me to hone my critical thinking skills and aided me in understanding the thoughts that underlie my own ideas and concepts. Putting these ideas out there also gives others the opportunity to provide feedback, point out where I’m wrong and sometimes just call me an idiot for my ideas. Even when being called an idiot, I generally learn something from the process; if nothing else, I’ve learned how to take destructive criticism with a certain amount of aplomb.

I’ve also gotten to meet more great people than I could ever list thanks to blogging. The security community seems insular when you first get involved, but blogging opens doors and allows you to meet people who were once only a name to you. The first time I knew blogging was a big deal for my career was when I wrote a post criticizing Tenable for charging for the Nessus signatures. Ron Gula reached out to me shortly after I posted, explained to me in great detail why it was a necessary move, and started a friendship that remains today. Putting yourself out there publicly will reveal you to the actual movers and shakers in the security field and begin conversations that can last years.

For me, the culmination of 8 years of blogging came when I started my current role as a Security Evangelist for Akamai. I’ve gushed about my job before and won’t do so again, but I do want to point out that not only was I hired in part because of my blogging experience, but blogging has also allowed me to hone my thinking more than simply being a practitioner ever would. The fact that I’m willing to put myself out there, to engage in dialogue and simply argue with people publicly in ways I hope further the profession, was a key factor in getting this role. Think about that before you dismiss the idea of blogging.
