Silicon Shecky

Infosec Practitioner


Copyright © 2025 ·Sixteen Nine Pro Theme · Genesis Framework by StudioPress · WordPress

Ducks in a Row

October 3, 2018 By Michael Kavka

It is getting to be budget time for many companies out there, and what better time to look at what we need to do our jobs. We all have our wish list and our dream list, and eventually we whittle those down to a practical list. In between, there are the renewals to budget for, plus figuring out any other spending to do. It is also a time to take a hard look at our security maturity level and use that to actually build the budget, or at least to make recommendations to our bosses.

I honestly believe most blue teamers have one of two outlooks on their security maturity. First is the doom and gloom: always figuring they are not mature, always lamenting that they never will be mature. Now, this is not a completely bad outlook to take. Figuring you are less mature than your company thinks it is allows you to focus on what you already have and use it to its maximum potential. Unfortunately, most of the gloom comes from the fact that you are understaffed and overstretched. Meanwhile, the higher-ups have bought into the latest marketing of the newest products. Oh boy, here comes more stretching on Stretch Armstrong. The thing is, even Stretch Armstrong will eventually either break or snap back, neither of which is good. Burnout is burnout no matter how you look at it, and a human can only do so much at once. If this is your situation, you need a champion in your corner, be that data or some other higher-up who understands that by stretching so much, all that is happening is more holes are being put into place. What is the point of being cutting edge if you don’t know how to use it, or ignore most of it anyway? Really, that doom and gloom all stems from the second outlook, which tends to permeate the higher-ups more often than the rank and file.

We are more mature than we really are. We all see that: people thinking they are ready for the next step in security. We have all the latest and greatest, so we have to be mature. What does it matter that our people have not had time off? We can just get another piece of automation software to replace them, or we can outsource. This comes with another huge security hole. Even security software and products need updating and upgrading. Who is going to take that time? Who is going to have the time to train the software properly, and keep it tuned?

The reality of it all is that once you have figured out what you have to spend on the technology you already have in the company (licensing, upgrades, etc.) and on new personnel, the first thing that should be budgeted for is training. In fact, training should all be paid for in the first quarter, while the full budget is there, because as the year goes on that money will be the first thing chopped. You can go to the training in the third or fourth quarter, but pay for it as soon as the new budget takes effect, or as close to that as possible. That training should include training on the technology you have and/or on the methods behind what that technology does. From there should be training on something each person is interested in overall. That allows the staff to grow in the areas they enjoy. Finally, there should be at least one security conference such as a BSides, Derbycon, Circle City Con or another lower-cost option. This allows for networking and exchanging ideas. Some of the best ideas I have had have come from talking to people in the community, and some solutions to problems (scripts, being stuck on how to do something with product X, etc.) have been found this way. Google is fine, but knowing someone who has worked with X is better.

Once training is done, then you can look at what is available to potentially get. This should not be done without taking a look at what you already have and whether you are using it to its maximum benefit. That hard look must include the results of any pen test/red team engagements you have had done during the year. What were they able to do, and could that have been stopped or alerted on by the technology you already have? If it could have been taken care of without new technology, then why wasn’t it, and how can you get that tech to that point? Why waste money on a new technology that will do the same as some of what you already have? This also goes back to the security idea that complexity breeds more holes. It doesn’t matter that it is security technology: the more complex something is, the more likely some hole is going to be missed.

Good luck to everyone on their new budgets. May you all get what you want and have to want for what is actually needed.

Filed Under: Security Tagged With: Budget, InfoSec, Training

The forest or the trees?

October 14, 2016 By Michael Kavka

I was having an interesting conversation on Twitter with Mr. Jeff Man this morning about the state of the infosec world, mostly about our lack of true understanding of risk, and how we have become one of our own biggest problems.

It all started with a tweet from Jeff: “A vulnerability is one part of the risk equation, but not the only variable. Do we spend as much time on the other variables? #infosec”. Throughout the discussion we talked about understanding the variables in risk management, which in the end is what security really is.

We all know nothing will ever be 100% secure. We have learned about formulas for figuring risk. We realize that we have to use intuition on that formula at times. But do we really understand that upper management looks at the monetary figures more? For a different angle, look at the credit card companies here in the U.S. They have lagged behind in moving to chipped cards, and still don’t require PINs for those chips, even though chip-and-PIN is more secure. The risk equation, to them, points out that they save money by paying out for breaches instead of requiring the higher-priced, safer technology. Don’t take the initial hit until you have to. I remember this same principle being described as a Japanese manufacturing principle: figure out what percent of items will not be at proper specifications (returned due to defect), build part of that cost into the price, and if the overall cost of returns becomes too high, then worry about a recall and redesign. Don’t fix it unless absolutely needed.

Once we grasp this idea, and I mean truly grasp and understand it, we can work with it in our favor. It might take longer-term projections, or showing how the brand could be impacted by bad PR (according to some in marketing, no PR is bad PR). The issue with us grasping this becomes more cultural, though.

The vast majority of us are techies. We are the geeks, the nerds, and we love being that type of person. We hyperfocus on the hard problems and ignore, or shove to the side, the stuff we don’t want to deal with. This affects not only risk assessment, but the future of the infosec community.

Our community is still young in some ways, but has been getting a lot more rigid lately. Look at what we deem good certs vs. bad certs, how we accept different ideas in, and how we learn. Each year I see more of a divide in certain areas. Training, top-notch training, is affordable through your work if you are lucky, but to do it on your own, $5,000 is a lot of money to shell out, especially for the new people in our line of work, or those looking to break into it. Yes, there are things like Cybrary and ITProTV with lower-cost, online training (both on demand and virtual classroom). But that $5,000 is in-person, hands-on, focused training. It is the GIAC, which is a great cert. It is how to get people up to speed and on the same page. It can be a barrier: to entry at worst, but to advancement at the minimum. We as a community have to help ourselves out better with training.

See how thick the forest starts getting? See how we keep looking at just a few trees? We are getting to a point where our lack of vision is creating the problems we are trying to solve, where we are the problem. The question is, where do we go from here?

Filed Under: Rants, Security Tagged With: infosec, risk, Training

The catch 22

April 8, 2013 By Michael Kavka

As I’ve been studying for the 70-410 Microsoft exam, I’ve come to the realization that I’m not ready, and I might not ever be.

Technology is a wondrous thing. It can take care of mundane, repetitive tasks, but only if you set it up and use it properly. It can also take over your world and control you, not quite Matrix style, but it’s getting there. Those of us who work in the IT field, whether as developers, network admins, penetration testers, or in any number of other roles, do our best to keep up with the constant change of technology, not just for our own sake, but for society’s. Someone has to know how to tame the technological beast. Certifications are a way of showing we understand the technologies out there, and have some degree of mastery over them.

Recently, there has been a challenge put forth called 90 Days to MCSA, through Microsoft Learning. The goal is to get your MCSA, be it in SQL, Server 2010, or Azure, in a 90-day period. I love learning (why else get into the IT field), and I love a good challenge, so I have embarked on the Server 2012 track. Over the last 10 days I have been studying for the Installation and Configuration exam (70-410) with a book from Microsoft Press geared toward it. I also have a lab set up at my house for testing and doing the exercises. This should be simple, you would think. Study the book, do the exercises, pass the exam. Theoretically, that is how it is supposed to go.

The problem with theories is just that: they are theories, and the real world can be indifferent to them. Having almost finished the book (all 1600 pages of it) and done the exercises, I honestly do not feel much more ready to take the exam than I did before I started. Some of that could be because of the time frame from start to finish, which I will supplement with some other resources available to me. Some of it is that I don’t have access to any practice exams to gauge how I do on the various parts, and where my weaknesses are. Another portion is due to the fact that while Server 2012 is new, and so are the exams, the books to study for it were released back in October, which means they were written while the software was still in beta, and I have found issues with some of the exercises due to that fact (I won’t get into how many typos were in the book itself). This also leads me to a lack of confidence in taking the exam. When the official material is problematic, one has to wonder what they are actually in for.

The final issue I run into is that I like to know that I can pass the exam itself before I take it. I know others out there are like this also. We don’t want to go into that testing room and come out with a fail, especially with how much the exams cost. So we tend to push it off, time and time again, until there is new technology and new exams to take. In the meantime we get really good with the technology, but have no way of showing that little piece of paper to our employers, even though in the end it shouldn’t matter.

The question is though, when do you jump into the exam itself?

Filed Under: Microsoft Tagged With: 90days2MCSA, MCSA, Microsoft, Microsoft Press, Server 2012, Training
