Archive for the 'Simple Security' Category

Jun 07 2011

New to Security? Get on Twitter

It’s not uncommon for me to get questions from aspiring security professionals asking, “What should I be doing to break into security?  How can I learn more about security?”  More and more, my answer to that is becoming simpler:  Get on Twitter.  (I’m @mckeay, unsurprisingly enough)

Twitter has become the “digital water cooler” for a huge number of security professionals.  I’m not saying all security professionals are on it, nor should they be.  But we long ago reached a point of critical mass where there are regular conversations on it that used to happen only in the hallway tracks at conventions.  If you look at some of the organized conversations that several companies have done on Twitter (Symantec comes to mind) you’ll start to understand that they see a value to it.  If you look at some of the conversations I’ve personally had in the last 24 hours on almost any day, you’ll see bits and pieces that are of great value, even if the majority of the tweets are stupid quips and pointless jabs at friends.

And that’s what twitter is about, not the huge sweeping conversations or revelations that happen once in a blue moon, but the accretion of little ideas, little questions that will lead you to a deeper understanding of what the people who work in the security world day in, day out are thinking.  Don’t expect a single tweet to rock your world and reveal the secrets of the universe.  Instead, look for the threads that explain how many people view security and the inner dialogue that led them there.  Don’t try to read every tweet; dip your toes into a communal stream of consciousness.  Boy, that sounds so pretentious when written out, but in a lot of ways, that’s exactly what twitter has become.

You’re going to have to dredge through a lot of crud to find the jewels in the twitter stream.  I know my own twitter stream is a perfect example of that.  For every one tweet I send that has value, I probably send twenty that are in-jokes or stupid references to some meme that no one cares about.  But I hope I make up for that when I get started on a rant about PCI compliance or get involved in a conversation about the difference between learning security and learning business.  You may have to put up with a hundred tweets or a thousand, but when you get the one piece of information you needed to hear at that specific moment, it will make everything else worth it.

Don’t plan on getting involved in twitter, other than very superficially, for the first month or so.  Send out a ‘hello world’ tweet before you follow your first person; we security types tend to be a little paranoid and may report you as spam if you’re just a raw profile with no tweets or a description of who you are.  Don’t spend a lot of time on twitter, just check in from time to time and add people who sound interesting as time goes by.  If you need a seed list of people to follow, start with Bill Brenner’s Security pros to find on Twitter.  He updates it almost every Friday.  Soak in the conversations and when you feel the time is right, start responding to people and putting forth your own ideas.

My boss recently started on twitter.  I was a little concerned when he followed me, but I figure anything I say on twitter is public anyway, so if he wanted to check in on what I said, it wouldn’t take more than an extra 30 seconds to find anything, so why worry.  If you’re worried about your friends or family or coworkers following you, then make your profile private or just make sure you don’t tweet anything you need to worry about (unlike certain Congressmen).  But one of the most interesting things I realized from having my boss follow me is that I’ve completely abandoned my RSS feeds in favor of getting most of my news from Twitter.  I learn about new stories faster on twitter than I ever did when they were coming to me through my news reader.  Better, I get the benefit of having people whose views I have some understanding of filtering the stories before I ever read them.

Once you’ve been on twitter for three to six months, you’ll no longer be an outsider if you’re making an attempt to engage.  Don’t force it, but don’t be afraid to contribute either.  Be natural, talk to the people who are out there, and get an understanding of the community.  There will be many voices, like mine, that seem to be nattering away at almost every hour of the day.  There will be voices that only speak up once every week or two.  Both have their value, both are worth listening to.  And don’t be afraid to unfollow someone if they offend you or seem to be a waste of time.  I won’t mind at all… I mean they won’t mind at all.

You should be looking to get an understanding of how security professionals view not only the hard security issues, but life in general in all the myriad aspects of a security career.  These are real people candidly expressing their viewpoints, exchanging ideas and generally growing by being part of the community.  Once you’ve started gaining that understanding of how people think, the part that’s really going to improve you as a security professional starts: challenge the status quo, question assumptions and look for the areas that people are turning a blind eye towards.

It’s important that new security professionals understand we don’t exist in a job space that’s stable and safe.  Information security as a profession isn’t even 50 years old yet!  Some would say that it’s not even 25 years old as a distinct profession.  And it shows; every day the playing field is changing.  Right now it seems that the bad guys are winning, but by this time next year we may have turned things around and have a good handle on it.  Or things may be so bad you can’t trust anything that your computer tells you.  In either case the only constant you can reasonably expect in a career in security is change.  If you can’t live with that, get out now.

Why is this understanding of change important?  Because a lot of people on twitter come across as experts, either because they purposefully portray themselves as such or because they speak with such authority that other people ascribe that description to them.  In either case, there are a lot of people with strong opinions about how security came to where it is now, what is what in security, and how security should be.  Every one of them has a valid point somewhere, but every one of them makes mistakes and has ideas that won’t fit in your worldview or make sense as they’re presented.  So don’t take them at face value, challenge these ideas, form your own and come to a new understanding of how security was, how security is and how it should be.  If you’re going to be spending time in the security community, you have to realize you’re going to be one of the people who’s going to make the future happen, for better or worse. 

A closing thought: if you’d like a role model for how to approach the security profession and twitter, ask Joseph Sokoly aka @jsokoly.  Joseph is young, hasn’t quite graduated from college yet, but has already created a name for himself in the community; first by reaching out to other security professionals to learn and later by presenting on breaking into the security field at BSides Las Vegas in 2010.  Is Joseph smart?  Hell yeah.  But is he so special that that alone makes him stand out in a crowd?  Not by a long shot; in a field that includes some brilliant minds, he only sits a little above average.  Where he has proven to be exceptional is that he’s integrated himself into the community and used twitter as his tool to get it started.  Not too many people will be able to reproduce his efforts, but not many people should try.

Twitter is an echo chamber.  Don’t ever make the mistake of thinking it is the sum total of what is out there for the security community or any community.  But do understand that it’s a powerful tool in learning what it means to be a security professional and it’s a valuable tool for getting to know people.  That involvement may be what gets you your first job as a security professional.  Or it might just teach you a new way of thinking about security.  And it’s always possible that I’m completely wrong and twitter may be a complete waste of time for you.  But it is worth looking into.


Jun 07 2011

Network Security Podcast, Episode 243

Published under General, Podcast, Simple Security

We blame Rafal Los for this week’s podcast.  He was looking for someone to host a discussion on which is easier to learn, the business side of the business or the security side of the business.  And he had a cast of characters he wanted to discuss it with.  Being a well-known sucker for these sorts of conversations, Martin volunteered to moderate and help move the conversation along.  Except what started as a single discussion may mutate into an ongoing conversation.  No, none of us are so passionate about what we do that we’d give up sleep in order to do it, are we?

Joking aside, this is a good discussion of how we view the disconnect between the security within a corporation and the business needs of a corporation.  As with many of these conversations, we all agree it’s a problem, but we don’t come to a concrete conclusion about how we can bridge the gap.  As long as we get more people to think about it though, that’s enough for now.  Look for the discussion under the hashtag #SecBiz on twitter.

Network Security Podcast, Episode 243, June 7, 2011
Time:  1:05:55

Show Notes:


Jan 19 2011

2011 Social Security Awards

I am so behind on my blogging it’s not funny.  I was supposed to say something about the 2011 Social Security Awards a couple of weeks ago, but between running around the country and writing long, boring reports on PCI compliance, something had to fall off the to-do list, and blogging was it.  Which is why it’s a little ironic to break the silence with a post honoring some of the best writers in our business.  After which I’ll probably be going back to radio silence as I try to create a small bubble of calm in my work schedule that will allow me to attend the RSA Conference with minimal interference.  Or at least that’s the theory.

This is the third annual Social Security Blogger Awards, and once again the committee putting it together, led by the incomparable Alan Shimel, has worked hard to improve both the process for deciding the categories and the process for voting.  There were a number of categorizations in last year’s awards that had many of us laughing and shaking our heads in confusion, but by that time it was too late to make changes.  So this year Alan and his team of judges, who are all professional writers who cover the security field, revamped the categories and I think everyone involved will agree that they’ve done a great job of it.  The judges picked the cream of the blogs and podcasts from all the great people we have writing; now it’s up to you to decide who the real winners are.

As always, I look forward to the night of the Security Bloggers Meetup at RSA.  This year, my influence on the whole process has been minimal, and as always, Jennifer Leggio has been shouldering far more than her fair share of the work.  Not to say I haven’t done anything… well, actually, I haven’t.  We’ve been doing this for a number of years now and it’s clear that Jennifer has a handle on everything and if I try to get further involved I’ll slow things down more than help.  Which goes back to my original point that I’m already too busy with the day job to help much.  But the SBM has become the central event of the RSA Conference, at least for me, and the pivot that all my other plans revolve around for the week.  The few hours we take out of an evening to connect and reconnect with the people in our community who distinguish themselves by trying to express the problems and solutions for our industry is worth more than almost anything else that goes on at RSA, at least for me.  People who are passionate about what we do are always exciting to be around.

Who are your favorites for this year’s Social Security Awards?  I especially like the new category “The single best security blog post of the year”.  Not everyone can write regularly, in fact some people may only put out one or two blog posts a month.  But the thought and quality of writing that goes into those infrequent posts is exceptional and deserves to be recognized.  And the folks who continue to put out exceptional content day after day just blow my mind. 

Go now, vote on the Social Security Awards.  Vote for your favorite, vote for the person you think is most deserving or vote in an utterly random fashion, as long as you vote.  While the awards are for bloggers and by bloggers, the reason we write is for the readers and listeners in the real world.  And this is your chance to help recognize the people you think have had the most impact and influence on our community.  Or at least amused you the most.


Jan 03 2011

Good morning 2011

Published under Blogging, General, Simple Security

It felt good.  I took the last two weeks of 2011 and took a hiatus from Twitter, I tried to stop reading security stories and I generally just stayed away from my home office and computer whenever I didn’t absolutely need to be working.  I still used the iPad and I couldn’t leave my phones behind, but it really felt good to deprioritize social media and email in favor of spending time with my family over the holidays.  And it felt good to just put a little distance between myself and all the stressors on the Internet and in my inbox. 

I don’t do year end reviews and I don’t do predictions; it’s not that I’m against them, it’s that I feel there are a lot of other people out there who have a better 10K foot view than I do.  Plus I hate looking back the next year and seeing how wrong I was about where everything was going.  That being said, I get the feeling that 2011 will be a year of change; too many people are complaining too loudly about being burnt out.  Too many people are saying ‘what we’re doing isn’t working’.  There were too many high profile incidents for people to ignore and keep on doing what they’ve been doing.  Or at least that’s my hope.

Alex Hutton sent out a tweet about a concept called ‘slow hunches’ not too long ago.  The basic idea is that we all have portions of great ideas floating around in our heads; it’s when these ideas bump against other ideas and are allowed to mature over time that the real game changers start to develop.  That’s a gross simplification of an entire book, but I hope it gets the message across.  I know I have a number of these partially formed ideas in the back of my head and I know from experience that a number of other people across the industry have similar ideas floating around.  What I don’t know is how we get those ideas together in order to effect change.  Because doing the same ol’, same ol’ isn’t working.

Maybe I’m just optimistic and nothing will change.  But like the idea of slow hunches, there are so many incidents both big and small, happening right now that something has to give.  Rich (Mogull) is often telling me that as long as we can continue to do business within an acceptable level of fraud, nothing is going to change.  And he may be right.  But I hope he’s just more of a pessimist than I am.  And in the bigger picture, I’m sure he is right, since the more things change, the more they stay the same.  But I can still hope that someone amongst our community will come up with a seminal idea this year that will change the way we look at security.  Other than “let’s concentrate on the basics” that is.


Dec 20 2010

There’s nothing wrong with taking pictures

Published under Government, Risk, Simple Security

I travel around the country a lot in my role as an assessor and, being in security, I have an off-again, on-again interest in taking pictures, specifically pictures of some of the odd places I find security cameras and the places they cover.  That and taking pictures of error messages that pop up on various screens and systems that are in public view.  I find it interesting to look at some of the odd places that companies have decided to put a camera and how much of the surrounding area the surveillance catches that people probably don’t have any awareness of.  And in this day and age, I’m almost surprised that no one’s commented on my picture taking and called me a terrorist.  But guess what, people: Photographers are NOT terrorists.  Like most other photographers, I’m following a passion, however little someone else may understand it.  Get over your unfounded paranoia and get back to living your life.  And yes, 99.999% of your paranoia about terrorist plots is unfounded, no matter what the DHS and TSA might want you to think.  And most of the other .001% has some level of validity, but it’ll probably never affect you directly.


Dec 03 2010

Caught on Google Streetview

My friend Adrian Lane, over at Securosis, finds the best toys to play with.  This one, called Spokeo, lets you search on a name and see what sort of personal information is out there about that person.  Like Adrian, I always search on myself first, wanting to see what sort of information is out there about me.  And there’s a lot of it; even someone like myself who wishes they had some privacy leaks a lot of information, even if it’s just in public records.  Luckily I have a father with the same name, so our information is a little mixed up, with a sprinkling of misinformation added in.  If I can’t have privacy, having false information available to search engines is a good second.

The funniest part of looking up myself was finding my house in Streetview, which is offered directly in the Spokeo interface, then turning the camera around to see myself getting out of the car.  The picture’s about two years old, but it still jogged some memories of seeing the Google car drive by.  The picture is blurry and it’d be hard to recognize me from it, but there it is.  Being in a public place (the road), I’m not surprised to be photographed, but it does serve as a reminder of how often we’re being photographed in public, even if we are seldom aware of it.  That is to say, people who don’t live with a mild form of paranoia are seldom aware of it.


Oct 13 2010

The Friendly, Snuggly Security Bear and the Internet

If you’re not already scared of the people who want to listen in to your phones, then this video won’t worry you.


Sep 18 2010

Logical fallacies in forums

Maybe it’s a little egotistical to reprint something you sent to a forum, but I thought I did a pretty good job pointing out some of the fallacies I see all too often on forum mailing lists.  I doubt that I’ll actually influence the people most guilty of these fallacies, but the people who are borderline may be salvageable.

Good morning dear colleagues,

I wanted to take a moment to make everyone aware of a very useful site I found several years ago that’s helpful when getting involved in argumentation of any sort.  It is the Nizkor Project listing of logical fallacies.  I find it helps me a lot to be able to identify and call out specific logical fallacies, at least to myself, and it helps in forming the response to these logical fallacies.  As is often the case in online forums, the person guilty of the fallacies is either unaware of committing the fallacies in the first place or mistakes these fallacies for honest communication.  In either case, conversations with this sort of individual often devolve into appeals to emotion or ad hominem attacks.  I wanted to take some time this morning to point out a few of the fallacies that seem to be more common on this forum:

First, the ad hominem attack itself:
This is an attack on the person who’s making the argument rather than the argument itself, aka name calling.  This is mirrored by the personal attack fallacy, where the person claims that any argumentation is a personal attack against them.  This is also related to the appeal to pity, aka ‘They’re picking on me, therefore they must be wrong’.

The second fallacy I often see is the red herring.  The answers that are sent to the forum have little or no relation to the question that was asked.  This can be an innocent case of missing the point or it can be an example of purposefully leading the conversation away from the subject that was originally brought up.  If you see “you’re missing the point” in a reply, this is often the fallacy that was committed.

Another common fallacy on this forum is the appeal to authority.  We’re all experts of one level or another in this forum, otherwise we should never have been awarded our CISSPs in the first place.  However, we sometimes try to falsely extend our authority in one area to cover areas that are tangential to our areas of expertise in ways that are not appropriate.  Another example of this is citing vague articles or standards as supporting our cause when they really don’t have any direct bearing on the argument.  For example, just because Bruce Schneier is a respected author and cryptographer, he could not by any means be considered an expert on securing an Exchange server.  Another part of this fallacy that’s common is expecting that just because we hold certificates in certain disciplines, we’re actually experts in that discipline.  A doctor who graduated in the bottom 5% of his class still graduated, after all.

A final fallacy to think on, not because it’s especially common on the forum, but because it’s especially common in our lives in general, is the appeal to common practice.  Everyone is doing it, so it can’t be that bad, can it?  This is a fallacy that should be avoided in every aspect of life, not just security.  As parents have been asking their kids for eons, “If every one of your friends jumped off a cliff, would you jump too?”.  Everyone has a firewall at the perimeter of their network; does that make a firewall a best practice or does that just mean that it’s what people are doing because everyone else is doing it?  It may be the best thing to do in your situation, but unless you evaluate it based on your circumstances rather than what others do, you’ll never know.

I try not to make the mistake of ad hominem attacks; I try to attack a person’s argument whenever possible.  This is not always possible, as the number of fallacies in a response rises and overwhelms any content that may be contained in the response.  Rather than continue down a path of personal attacks and appeals to emotion, I try to bow out of the conversation at that point.  But I’m not perfect.  Next time you send a reply to the list, take a few minutes to check your logic and see if you’re committing any of these common fallacies.  It will help make your point and increase your standing with your colleagues.  Failure to do so can hurt your standing in the community greatly.

Thank you,



May 24 2010

Will merchants revert to their old ways?

I’m a big fan of tokenization and end to end encryption (E2E2).  Never mind the fact that neither technology is fully developed, nor do we even have a real definition of either technology.  The fact that both of these technologies have the potential to take credit card information out of the general merchant environment and give the bad guys less reason to attack is enough for me.  It won’t stop attacks against merchants altogether, but it will cut down on the value of breaking in and therefore cut down on the number of attacks, at least in theory.  It will also cut down on merchants’ responsibility for meeting the PCI DSS requirements, since much of the environment that the QSA’s have to review will now be out of scope.  But without the threat of PCI (and potential fines/fee increases) will merchants keep up the minimum security safeguards that PCI mandated or will they revert to their old ways and ignore security for the most part?

One of the big questions that comes up over and over again is how effective is PCI in securing the merchant environment.  And the answer is, no one really knows.  Breach disclosure laws prior to 2003 were non-existent, and even once California passed SB1386 and got the legal ball rolling, breach disclosures have been spotty at best.  Now that we’ve got some 40 states that have some form of breach disclosure law, the information we’re able to gather is much more consistent.  Unfortunately, we’ve still lost the ability to have any real baseline to measure the success of PCI against, and anyone who says that PCI is or isn’t effective is mostly going on their own anecdotal evidence, not hard data.  Verizon’s Incident Metrics Framework may help in gathering statistics going forward, but we’ve already lost the data needed to measure the effectiveness of PCI.  (Disclaimer:  I work as a QSA for Verizon Business)

As tokenization and E2E2 take hold, we’re going to have another chance to see how effective PCI is in securing the merchant environment and whether or not merchants are really going to secure their environment without the threat of PCI hanging over their heads.  There’s almost nothing in PCI that a shop with a good security program shouldn’t be doing in the first place.  Firewall reviews, anti-virus, log monitoring, IDS, etc. are all safeguards that are mandated by PCI but are security measures that any good security shop should be putting in place for their organization by default.  The fact that many organizations couldn’t get the funding for some of these tools until PCI came along is a measure of how hard it is to get the budget for security.  And if organizations start losing the funding for these projects because tokenization and E2E2 have taken the majority of their systems out of the scope of PCI, we’ll know that PCI was the real driver for the safeguards, not any real concerns over security.

PCI is expensive.  Security is expensive.  Not necessarily because the tools are expensive, but because merchants ignored security for years and have had to spend a lot of money and time to implement the tools they should have been running in the first place.  If they can reduce the scope of the systems they have to protect through new technologies and no longer have to be assessed on an annual basis, do you think they’re going to keep paying for the tools that they implemented just for compliance or do you think they’re going to let their IDS and log management tools fall by the wayside?  I know that some of the shops I’ve seen will keep the tools and keep using them properly.  But I think the majority of merchants are going to go back to their old ways and do the bare minimum that their security group can fight to keep.  If your company’s marketing department depends on PCI to make sales, I’d be very afraid of tokenization and end-to-end encryption.


May 21 2010

Are low standards better than no standards?

Published under Hacking, PCI, Simple Security

On Twitter this morning, @secrunner made the following comment:

“I think it’s surprising that PCI still hasn’t developed a program to certify pen testers or at least standardize the approach”

In reply I stated that given the level of certification for ASV’s (Approved Scanning Vendors), I’m just as happy if the PCI Council would stay out of the business of certifying pen testers or creating a standardized approach.  In reply @secrunner asked the following:

“In the spirit of PCI, isn’t even some standard (even a low one) better than none?”

The answer is, no, it’s not.  To be more specific, my answer was “Low standards for a merchant are better than nothing.  Low standards for a vendor are misleading at best, dangerous at worst.”  Let me explain why I think this way:

When you go shopping, one of the last things on your mind is probably “How does this merchant protect my cardholder information?”.  It’s one of the first things I think of, but that’s what I do for a living.  Most people are just concerned about whether their merchant is going to have their size or the best price on the new toy they want.  They just assume the merchant has taken the necessary steps to secure their cardholder information.  And if they haven’t, consumers know that they’re only responsible for the first $50 worth of fraud, and even that is usually absorbed by their bank or credit card company.  Sure, getting a new card issued to you is a bit of a hassle, but for most people it’s something that’s over and done with in a few minutes.

In this case, security is assumed and is not the primary concern of the person doing the purchasing.  A default standard such as the Payment Card Industry (PCI) Data Security Standard (DSS) is important and useful because it gives a baseline level of security for the industry to meet.  It may not be the level of security the company really needs to protect themselves, but all too often this baseline is more than the company was doing prior to the standard.  It may not be perfect security, but at least it pulls you up from the level of ‘low hanging fruit’.

Certifying a vendor as ‘compliant’ or ‘certified’ is a completely different story.  When an industry group such as the PCI Council makes a standard for a class of vendor and then certifies these vendors as meeting a certain baseline, this certification becomes one of the primary influencers in the purchasing decision.  Using the ASV certification as an example, a merchant won’t even consider a scanning vendor for their company unless the PCI Council has already certified them.  The merchant has to use a vendor who’s been certified, otherwise they can’t submit the scans as part of their own compliance.  A large part of why this works is that external scanning of web sites is a fairly well understood, repeatable and, most importantly, testable process.  It can be easily automated, and running the same test against the same site ten times will generally generate the same results every time (okay, maybe 90% of the time).

Penetration testing is an entirely different issue.  Yes, there are automated tools.  Yes, some pen testers don’t go much beyond that level.  But the good pen testers I know treat penetrating a company’s defenses more like an art than a science.  Metasploit and other tools are their paintbrushes, but it’s the person who’s using the tools that is actually making it possible to find the vulnerabilities in your company so that you can shore up your weaknesses and prevent someone else from finding them.  This isn’t a process that is easily documented, standardized or tested.  It might be something you can do on a person by person basis, just as the PCI Council does for QSA’s now, but it would be nearly impossible to do for a company.

Let’s be honest, in the PCI-DSS, the idea of ‘penetration test’ is barely even defined.  It has to have a network portion and an application portion, but the how’s and what’s of penetration testing are left up to the QSA to verify and validate.  There’s no agreed upon standard in the industry of what makes a pen test a valid and acceptable pen test, let alone within the PCI community.  If the PCI Council wanted to certify pen testing companies, the first major hurdle they’d run into is making up that definition.  Then they’d have to come up with a way of testing companies’ adherence to the standards and create a certification program.  This would be a huge battle to undertake and the benefits would be minimal. 

Right now, it’s up to market pressures and QSA’s to determine what’s a ‘real’ penetration test.  If someone created a penetration testing certification there’s only one group of people it’d help:  marketing.  Most merchants wouldn’t read the requirements for the certification, they’d just use the certification process as a check box to weed out potential vendors.  And I can guarantee that the marketing teams would love that.  And I doubt it would make the results of penetration tests any better; in my opinion it would simply mean that most companies would ‘dumb down’ whatever they’re currently doing so that it met with the minimum standards and no more.  I much prefer seeing the merchant who’s having the pen test performed ask questions about exactly what’s going to be done and try to understand what they’re getting themselves in for.

