Silicon Shecky

IT News, Reviews and Thoughts

Connect

In our own sandbox

By Leave a Comment

We all do it. We are so caught up in what we do, and what we are, we give what seems to be good advice, but really is impractical advice. The world of Information Security is all about a balance that reduces risk while still allowing productivity, and we service, that is right SERVICE not only the company, but the end users.

The latest round of Cisco WebEx vulnerabilities produced a lot of the same advice. Patch now, make sure you are patched, please patch etc… you know the usual advice. Then I come across this on my feed:

Running WebEx in a VM seems like sound advice, almost a no brainer. Almost, is the key word. Let’s look at this from a more realistic perspective.

First, how many normal, everyday, end users that you know of can spin up a VM? Not many, which immediately makes this advice not practical for the every day person. Then add on licensing of the OS, driver compatibility for sound and video, memory amount and processor specs. All of that can create an issue too. So the theoretical secure answer of “Use a VM” becomes rather impractical overall.

Now, what implementing this solution might do is create a backlash from the sales force, the C level executives and possibly more. Add on that there is still nothing preventing them from not using the VM, and instead just using their desktop. What have we done? Basically given our department a black eye. Shown that we are not thinking of the needs of the people we service, let alone the company at large.

We do this all the time. I see solutions posted for different things, that just do not seem practical from a different perspective. Even patching can be detrimental, especially with legacy software which is why patch testing is important. The thing we need to do is work across the business units, talk with them, find people willing to try what might be an impractical solution if we really want to push for it. We need to get into the heads of the normal user and think like them. I use the (grand)parent test mentally. Is this something I can see my parents or grandparents who are non-IT people use. If not, then throw it in the impractical pile and find a different solution.

In the perfect world, our solutions should have little to no visibility to the end user when working properly. Reality is that this might not be possible, but we can still strive for it. We need to learn that the end user is not a burden, they are the reason we have jobs in this field in the first place.

K.I.S.S. up, or we lose

By Leave a Comment

There is a distinct possibility we overlooked it. It is just that little nagging in the back of our head, but still we know better, or do we?

 

So there I was, wondering why the Powershell script I modified and was using was not working. Why I was getting access denied errors. I went over the script again and again. I tried limiting the scope, hard coding information instead of having to input it, and still that same damn error. The answer was there, I just had to find it…

Yes, this was me recently. I bet you have been in a similar situation though. Can’t quite find that issue. Come on, we are smart, we know our stuff, but still we can’t find the answer. In my case it was I was using the wrong account to run the script. Stupid, simple and maddening. Only took a few days of troubleshooting to realize it. I should have known to double check the simple though, it has been a recurring theme in my life. Looking at a lot of the IT and infosec world, I think we all need to look at this.

I was a teenager back in the 80’s, tired of entering data statements to get the cool graphics on my Commodore 64. Compute’s Gazette had a program in there that would allow me an easier path once I inputted it and loaded it. Turtle graphics and commands, and I was going to get this going except it didn’t work. I checked the hundreds of numbers in all the data lines. Everything was right. I checked all my statements, compared back and forth for weeks, months, years. Still error when ran. The only way I could get it to not error was if I increased the if-then loop by one. That kept hitting me as I had to have messed up the data statements in some way. Five years passed, and I found the extra comma at the end of one of the data statements by total accident. That fixed the issue. A simple typo cause 5 years of troubleshooting off and on. I was bound to learn from this, to check for the simplest things. I would learn from it dammit, at least until I didn’t.

Think about it. Look at phishing, how we treat users, how we treat each other. How many times have you turned and said, “Oh that isn’t something I need to check,” and yet that was the problem. The simple answer. The one thing you didn’t feel the need to do.

I was learning to build and upgrade my own computers in the early to mid 90’s. I had changed out cards in the PC many times, and this was just a new sound card. Put it in, put everything back together, loaded the driver and… nothing. Only the boot beep code of the motherboard’s little speaker. No music, no sound effects, no nothing. Re-seat the card, check to make sure plugs are in solid. Still nothing. Try the old card, and nothing. Try a different slot, nothing. Six months of this, and I went to do some cabling cleanup. Yeah, I found that for 6 months I had the speakers plugged into the microphone jack and the microphone plugged into the speaker jack (the male ends of the plugs were not color coded back then). Switch the two plugs and I tried to make myself deaf from how loud I had the volumes turned up.

So where does this leave us. How many layers of devices do we have to “secure all the things?” What does each thing do? Do we know how to work with each device, piece of software, policy to its fullest extent? Do they even make sense or is it the old, “lets just throw things at it until it sticks,” scenario? How convoluted and complex has it all become, and why? I think for me ti is best summed up in a classic episode of Doctor Who during the Tom Baker era. He went to open a door with a complex electronic lock and pulled out a bobby pin to do it. When asked why he said,” the more complex the system the simpler it is to break with something simple.” Have we all gotten to the point where we have forgotten where we came from? Where we are just outsmarting ourselves? Do we listen to fresh eyes, fresh ideas or just throw them away as a bunch of nonsense? Are we willing to learn how to keep it simple, or have we made it easier for the bad guys to get through because of how overly complex we have made everything? Is our own cleverness our actual real weakness being exploited?

Have we lost sight of the future?

By Leave a Comment

The InfoSec industry is short handed, and we all know it. The question is what are we doing about it. Seriously, we have a community that is pretty welcoming. That is all fine and good, but have we not thought the process through enough. What happens when we are not here? With how fast things change, and come up, how are we getting people to want to get into our industry?

I look at our industry and am worried. We all know about the skills shortage, the amount of job openings, and how insecure everything is. We keep saying security is a process, not a destination and that is true. The issue though is we are focused on the here and now, at least most of us are. Those that are forward thinking, looking for the next issue, are only looking at technology. There is a bigger crises, and that is who will take over from our generation? Yes, we see people in their twenties at the conventions, but seriously look at how many there are. Who will take over from them?

The way I am seeing it, if we really want to be about security, we have to nurture the next generation. Think about it, how many times do people in our industry say it takes passion and a desire to learn to be part of the world of InfoSec? How many times do people in our industry brush off degrees, some of the certs, and say you need a cert that will run you $6000 and experience? How much of that can we actually impart on those that cannot afford a SANs class, or let alone a computer?

There are organizations out there such as Hak4Kidz who are aimed at the teen and pre-teen and are awesome about inspiring the next generation. Even with that though, how many slip through the cracks? How many do not have parents that can see it, or are able to pay for their children to attend these conferences? I recently talked with someone from Boys and Girls club and it got me thinking about all this. I was told how much these children loved it when they were being shown a little on how games were programmed. The interest in technology that they showed. Inner city youths who are poor, have to share a computer with the family if they are lucky, show interesting in the technology field. Now ask yourself, how many of these children will slip through the cracks, and how many innovations will be missed because of that.

We as a community need to start taking a long hard look at this. there are groups, Boys and Girls Clubs, Boy Scouts, Girl Scouts, Girls Inc., and many others that we can get in touch with and work out some sort of program. It might just be a one time thing, going in and showing them how to be a bit more secure, show them what some of the tricks are and how it can affect them. Sure we might only get a few per group, but think about it, that is a few more that will be interested in securing the future. The teen and pre-teens that show interest need to be mentored. If we really are about securing all the things, don’t we have to include the future? Isn’t that part of the scope, to make sure that we have enough people behind us for when we retire or are gone?