What I hope people reading Cory’s post walk away with is the recognition that sects exist. We all have various fanatics at each of the organization where we work. Many are good people earnest and true in their desire to do their jobs well. Yet, they could not be more different in their solutions to the problems facing their organizations. They may fall into the high priests or heretics camps, or a dozen other camps.

Let us talk about some of the divisions within IT and security. Richard Bejtlich points out in his post, , “Steve Liesman on Inputs vs Outputs,” two camps. Richard is continuing an argument he previously made in “Controls Are Not the Solution to Our Problem.” He argues that too much time and resources are being spent on auditing controls that are far too input-centric. Instead, Richard feels controls should become more output-aware and recommends directing attention away from inputs and devoting more energy to outputs. Included are some real world examples that management could understand and relate to. Steve Liesman is quoted in relation to our current economic crisis, “It’s not what you’re doing that matters; it’s whether or not it works.” Consider the following questions. Within your security organization, who focuses on controls/inputs and who focuses on output? How much of a division exist between these groups? Where do the auditors fit in?

To point out other divisions within security, take a look at Jeremiah Grossman recent post, “Quick Wins and Web Application Security.” To quote Jeremiah paraphrasing a recent conversation with Joseph Feiman (Gartner):

During an event a panel of Gartner Analysts asked the audience what the best way is for organization to invest $1 million dollars in effort to reduce risk. The choices were Network, Host, or Application security to which the Gartner analysts made their cases for these three disciplines. The catch was the budget could not be shared between them and must be prioritized into a single initiative. The audience selected Application security. However, the Gartner CSO (who took the role of CIO in the play) overruled the audiences’ decision. They instead selected Network security, while at the same time curiously agreeing that Application security would have been the better path. His rational was that that it is easier for him to show results to his CEO if he invests in the Network.

Gary McGraw was recently interviewed by James McGovern for the SilverBullet podcast. They discuss the recent release of “Building Security In Maturity Model (BSIMM).” In the interview, Gary was asked about the leaders of the enterprises that “have a clue in making their security posture better.” While the leadership that helped develop the BSIMM had very diverse backgrounds, James asked, “It sounds like they are all from a technical background at some level. Are there IT executives out there that understand software security that are just business people?” Gary responded, “I don’t know the answer to that. I really don’t know any. I will say this about these people, they are the sort of hybrid people that can speak business and also have a very deep technical background. As you know those kind of creatures are rare on earth. Right now it appears that they might be necessary to cause software security initiatives to be a success. Hopefully, we will gain enough experience and write down enough empirical science that won’t be the case in the future.”

It is not a great surprise to learn that a major divide exists between the IT and the business camp. Recent frameworks often include governance components in an attempt to help bridge the gap between the two camps. As an example, the IT Governance Institute® (ITGI™) recently released v0.1 of risk based framework based on the principles of enterprise risk management standards/frameworks such as COSO ERM2 and AS/NZS 4360,3. The framework is called Risk IT. ITGI would argue that existing IT risk guidance documents tend to focus solely on IT security. Risk IT is meant to cover all aspects of IT risk. ITGI also develops the Control Objectives for Information and related Technology (COBIT), which is focused on “providing a comprehensive framework for the delivery of information technology-based services.” Risk IT and COBIT are meant to compliment each other. COBIT is a set of good practices which provide the means of risk management; while Risk IT is meant to set good practices for the ends by “providing a framework for enterprises to identify, govern and manage IT risk.” Recall Richard Bejtlich argument concerning the division between the controls/inputs and outputs.

All these different sects make effective security most difficult. A layered approach to security fails to work when the layers operate in isolation. Gary McGraw gets an “amen!” for describing leaders of the enterprises that understand security as a “sort of hybrid people that can speak business and also have a very deep technical background. As you know those kind of creatures are rare on earth.” On top of having an understanding that reaches into areas throughout the organization, they need to be leaders.

Rob Goffee and Gareth Jones wrote an article, “Leading Clever People.” Goffee and Jones will be publishing a book with the same title late in 2009. An audio interview is available from the London Business School. Goffee and Jones conducted over a 100 interviews with leaders at major organizations and report the relationships effective leaders have with their “clever people” can be shaped by seven shared characteristics:

1. They know their worth—and they know you have to employ them if you want their tacit skills.
2. They are organizationally savvy and will seek the company context in which their interests are most generously funded.
3. They ignore corporate hierarchy; although intellectual status is important to them, you can’t lure them with promotions.
4. They expect instant access to top management, and if they don’t get it, they may think the organization doesn’t take their work seriously.
5. They are plugged into highly developed knowledge networks, which both increases their value and makes them more of a flight risk.
6. They have a low boredom threshold, so you have to keep them challenged and committed.
7. They won’t thank you—even when you’re leading them well.

Now you may be thinking, “I am security, not the CEO of the company. I am not even their project manager. Why are you talking about leadership? What should I care about business? If users just did what I told them, life would be good.” It is important to note that a characteristic not listed above is “empathy.” Folks in your organization are not going to try and see things from security’s point of view. They want to do their job and if security appear to be a road block, they will go around. We need to avoid having each sect doing their own thing. As what occurs in many religions, an “us verses them” attitude will develop. If you want people to follow, you must first lead. To lead “clever people” you must understand those people.

James Parker, Southwest Airlines ex-CEO, offers some advice. He has written a fascinating book titled “Do the Right Thing.” One story particularly interesting concerned a manager who didn’t succeed despite being very intelligent and ambitious. “When this person finally left, I asked one of his former employees why she thought everybody disliked her former boss so much. She summed it up: ‘Because he was the kind of person who kissed up and spit down.’ ” When problems arose at American, “the primary focus of communications was blaming and avoidance of blame – in contrast, when something went wrong at Southwest, the focus of communications was problem-solving,” Parker quotes from the book, “The Southwest Airlines Way“.

James Parker and Barbara Stocking, Chief Executive of Oxfam GB, discuss below “Leadership in an Age of Uncertainty” with moderator Deborah G. Ancona. The discussion focuses on the need for distributed leadership. A key point made is that companies need “employees doing things outside the narrow scope of their job responsibilities, to contribute to the success of overall operations.” This is the cornerstone of the concept of “relational competence.”

The world continues to get more complicated. In response, more specialization occurs, which leads to less understanding of other groups. The history of religions have shown us how difficult things can get when various sects develop. In the corporate world communication breaks down, the focus on the mission is lost, and the relational competence of a company dissolves. I started this post with the statement that I come bearing no answers, only questions. While that is true, I have pointed to some very intelligent people who discuss the various sects and offer possible ways to coexist. Security professionals cannot exist in their own camp, separate from the rest of the organization, dictating how people should do their jobs. In such an environment, it will not matter if every pronouncement is the embodiment of wisdom and truth. Failure is inevitable. Abraham Lincoln offered these wise words when he addressed the Washington Temperance Society on February 22, 1842:

If you would win a man to your cause, first convince him that you are his sincere friend. Therein is a drop of honey that catches his heart, which, say what you will, is the great high-road to his reason, and which, when once gained, you will find but little trouble in convincing his judgment of the justice of your cause. If indeed that cause really be a just one.

On the contrary, assume to dictate to his judgment, or to command his action, or to mark him as one to be shunned and despised, and he will retreat within himself, close all the avenues to his head and his heart; and though your cause be naked truth itself, transformed to the heaviest lance, harder than steel, and sharper than steel can be made, and though you throw it with more than herculean force and precision, you shall be no more able to pierce him, than to penetrate the hard shell of a tortoise with a rye straw.

Amen, brother Abraham.

This past Monday, portions of the plan dealing with the counterintelligence, supply chain security, and research and development, were discussed with industry group. Up until now, disclosures have been limited to information regarding effort to improve the security of government network. The Deputy Secretary for DHS, Paul Schneider, discussed the three focus areas:

1. Establishing the front lines of defense against cyber attacks and reducing current vulnerabilities.
2. Defending against a full spectrum of threats by using intelligence.
3. Shaping the future through research and investment in new technologies.

It is interesting that Schneider cited the conflict between Russia and Georgia as “perhaps the first instance of military actions containing a clear cyber element.” There is no doubt that the government is very concern about cyber’s role in future warfare. Jack M. Germain wrote an article for TechNewsWorld titled “The Winds of Cyber War.” Tom Stracener, Sr. Security Analyst for Cenzic, told Germain, “The attack on Georgia shows an economy of scale. It was massive attacks on multiple levels. This is not just a U.S. problem. Hamas and Hezbollah have been doing this for years against Israeli Web sites. These types of attacks against opponents’ Web sites are also very common in South America. All of this points to a future of widespread information warfare. It is becoming one more big weapon in the war arsenal.”

Germain’s article goes into further explanation of the government’s attempts to address these concerns. Patrick Peterson, Vice President of Technology at IronPort Systems, stated that the U.S. government decided 12 months ago to spend 30 million to prepare for cyber attacks by establishing the Comprehensive National Cybersecurity Initiative (CNCI). Germain reports that “CNCI was commissioned by two different executive orders to proactively harden government computer systems against intruders rather than reacting to intrusions after the fact.” Peterson goes on to explain, “The activities of the CNCI are so secretive that it functions as an underground agency. Even Senator [Joe] Lieberman, after hounding the administration for an explanation, only received an official letter that was heavily redacted, indicating that the CNCI is a super top secret agency that operates on a need-to-know basis.” Keep in mind that DHS has been designated to play a significant role in implementation of CNCI.

Schneider went on to say, “In research and development we will be spending a significant amount of resources in the private sector and that’s because that’s where the technology’s going to come from.” Industry has a vital role to play in the initiative, as Schneider points out, “We don’t own the nation’s information technology networks or communications infrastructure. What we are faced with is the absolute need for a very unique partnership in order to defend this network.”

The National Science Foundation FY 2009 budget request included $116.9 million for cybersecurity research and education, with $30.0 million specifically devoted respectively to research in usability ($10 million), theoretical foundations ($10 million), and privacy ($10 million) to support the CNCI. NSF stated, “These investments in cybersecurity and information security and privacy will produce research results that allow society to more fully exploit the potential benefits of an increasingly networked world. In addition, the Scholarship for Service program, which funds scholarships to build a cadre of federal professionals with skills required to protect the nation’s critical information infrastructure, increases by 30 percent to $15 million.”

Concerning the the intrusion detection component, Einstein, Schneider stated, “We’ll be deploying a much more aggressive system that will allow us to look for patterns of malicious code–to shut them down before they do real harm.” Schneider did not elaborate further on how these aggressive systems would shut down malicious code. Stephanie Condon, of CNET News, reports that DHS’ Under Secretary for the National Protection and Programs Directorate, Robert Jamison said the department is currently working closely with three different vendors to test “Einstein 2″ in different environments.

On Captol Hill yesterday, there was a hearing before the Subcommittee on Emerging Threats, Cybersecurity and Science and Technology called “Cybersecurity Recommendations for the Next Administration.” There is a live/recorded video feed of the hearing available.

Schneider expressed confidence in continuation of the cyber initiatives stating “The majority of the people running these programs will be running these programs on January 21.” Schneider continued to explain while “any administration can come in with new policies,” he said the elements of the Cybersecurity Initiative, like common situational awareness, “are foundation pieces of any cybersecurity strategy.” One might argue that Schneider comments may have been also addressing critics that are questioning DHS’ future role in cybersecurity. Dennis Fisher, Executive Editor for SearchSecurity, provides additional details in his article “DHS should lose cybersecurity authority, experts say.” Condon also provides insight in the article, “Critics: Homeland Security unprepared for cyberthreats.”

“Our view is that any improvement in the nation’s cybersecurity must go outside of DHS to be effective,” stated James Lewis, Director and Senior Fellow, Technology and Public Policy Program. Lewis appeared on behalf of CSIS’s Commission on Cybersecurity for the 44th Presidency, a group made up of 40 cybersecurity and government experts. A final report is expected in November and will contain recommendations for the next administration.

Government Accountability Office (GAO) released two reports (No. 1 and No. 2) adding to the public criticism of DHS. The GAO has been reporting on DHS’ cybersecurity efforts since 2005 and has made 30 recommendations to the department. David Powner, GAO’s director of information management issues, stated, “Clearly our work has demonstrated that DHS has been completely ineffective in fulfilling their role as the cybersecurity focal point.” The GAO’s new reports include descriptions of the department’s failure to fully address 15 key cyberanalysis and warning attributes related to activities such as monitoring government networks for unusual activity. “Congress has to be involved with this,” Lewis said, “to support building the infrastructure that will keep us secure.”

Paul Kurtz is a partner at Good Harbor Consulting (which is lead by Richard A. Clarke), and a former adviser to President Bush on cybersecurity issues. Kurtz reports that during a late June briefing for private-sector executives about the new cybersecurity initiative, senior DHS officials had disagreed openly about how to move ahead. “What was so discouraging about that day, and I’ll never forget it, is that we had infighting between DHS leaders as to how to proceed,” Kurtz said. “It demonstrated in spades the lack of leadership, and that no one is in charge at DHS. It was a travesty. We had 70 or so private sector people in the room who had spent a lot of time and once again been asked to come up with some ways that we could better work together and the department basically threw it overboard. It was incredibly discouraging to witness.” Kurtz also stated DHS’ problems stems from the fact that, “you have several people with their hands on the steering wheel.” Echoing Kurtz concerns is subcommittee member Rep. William Pascrell, D-N.J, “The last time I checked, we had at least four people at DHS who claim to be in charge of cybersecurity.”

Kurtz stressed that “there is good work being done.” Lewis agrees and describes the major problem being that the department, “really doesn’t have the authority to direct other departments and agencies. If anything, its authority has probably declined as other departments have moved out on this issue.” Lewis went on to say, “The conclusion we reached is only the White House has the authority and oversight for cybersecurity. This is now a serious national security problem and should be treated as such.” Lewis also expressed the opinion that strengthening the department’s authority was no longer a viable option at this point. “I began in this effort by thinking that we should strengthen DHS,” he told the hearing. “We did not receive much encouragement when we put that forward.” In the end, Lewis reports that his suggestion that the problems could be solved by strengthening DHS’ authority was “shot down by my own commission.”

Of course, this is Washington and other explanations for DHS’ criticism are possible. “Rearranging the deck chairs is a classic inside-the-Beltway pastime, but all that it ensures is that in two years the government’s cyber efforts will be in the same place,” Laura Keehner, DHS Press Secretary, stated. Michael Smith in his must read post, “Cage Match: OMB Report V/S GAO Report, Only One Comes Out Alive,” provides some great insight into the different perspectives and motives government agencies might have. In government, where a great deal of money is involved along with secrecy shrouding most of the operations, who knows what is real? Still, it is fun to watch and speculate. As promised, below are the links to publicly available articles from which the information used in this post was obtain.

• Government elaborates, slightly, on cybersecurity plan by Stephanie Condon
• Agencies discuss new cybersecurity plan by Ben Bain
• The Winds of Cyber War by Jack M. Germain
• Cybersecurity Recommendations for the Next Administration
• Critics: Homeland Security unprepared for cyberthreats by Stephanie Condon
• DHS should lose cybersecurity authority, experts say by Dennis Fisher, Executive Editor

The Pragmatic Programmers

This podcast is good for people doing development work in IT. While not all topics will be of interest, that is the nice thing about podcasts. You can always listen to the beginning of the podcast and skip those that do not grab your interest. The podcast focus is on the books the publisher produces and will feature interviews with the authors. A great podcast that would be of interest to most anyone (verses the podcast where the author’s book is on a specific language or platform) is Andy Hunt on Pragmatic Wetware. Andy discusses the Dreyfus model of skill acquisition, lateral specialization in the brain, mindmaps and more. It is a fascinating discussion.

CERT’s Podcast Series

This is a podcast I highly recommend to security professional. The speaker’s focus tends to be at the the enterprise level and offer good security discussions at that level. Nowadays, it is so important to not only speak tech, but also business. This is especially true when it comes to security. The security professional has to be able to step away from the details and discuss implementation at an organizational, and sometimes international, level. One of the recent podcasts is “Getting to a Useful Set of Security Metrics.” Clint Kreitner, president and CEO of the Center for Internet Security (CIS), talks about the CIS new project. To quote from the summary, Clint “discusses the challenges and opportunities in creating a common set of widely accepted security metrics that business leaders and security professionals can use to make better informed decisions.”

The Silver Bullet Security Podcast

Gary McGraw is well known and respected in the web application security area. Gary serves as host and is able to feature leaders in the security world as guests. For example, Gary has an Interview with Bill Cheswick, who is credited with coining the term “proxy” in 1990 with reference to firewalls. To quote from the description of the podcast, “Gary and Bill discuss whether we’re winning or losing the computer security war, how security threats have evolved from pimply-faced teenagers to organized crime, whether we should move security into ‘the cloud,’ and whether re-naming ‘Christmas lights’ to ’solstice lights’ would bypass NJ holiday decoration ordinances.”

Enterprise Leadership

I often find myself surprised by this show, because normally “enterprise leadership” is not a phrase that sparks much interest in me. Now I know, it is important that security people learn to talk to business leaders. Otherwise, you end up with non-technical managers setting themselves up as the translator for IT. Frequently, IT loses when that happens. This show frequently turns out to be very pertinent to the security professional. I will warn you, the show can be somewhat depressing. It may just reveal how badly your organization is being managed, even from the business side. Tom Parish does a great job interviewing top guns from across many industries.

A really good podcast to start with is the more recent interview with Warren Bennis. Warren is the author of “Transparency: How Leaders Create a Culture of Candor“. He is also Distinguished Professor of Business Administration at the University of Southern California. What I particularly liked is Warren stressing the importance of the people within the organization. He even uses the phrase, “1 plus 1 equals 3.” The idea is that together we can produce more than what we can do by ourselves. The show addresses the implementation of social networking, not for the sake of the “neatness factor” but to serve a purpose and benefit the company.

Here is a brief description: “Together Bennis, Goleman, and O’Toole explore why the containment of truth is the dearest held value of far too many organizations and suggest practical ways that organizations, their leaders, their members, and their boards can achieve openness. After years of dedicating themselves to research and theory, at first separately, and now jointly, these three leadership giants reveal the multifaceted importance of candor and show what promotes transparency and what hinders it. They describe how leaders often stymie the flow of information and the structural impediments that keep information from getting where it needs to go. This vital resource is written for any organization–business, government, and nonprofit–that must achieve a culture of candor, truth, and transparency.”

Also, the interview with Toby Redshaw, Global CIO of Avia Group, was very good. Initially I thought, “another ROI” discussion. What interested me was Toby’s discussing his role to make sure IT operates at the right pace, with the right resources, and with the right talent. Nice to hear people matter. To quote the episode’s description, “In this podcast, Toby Redshaw, the global CIO of the Aviva Group, talks about three areas that IT needs to improve: keeping an eye on the bottom line, trying to innovate ahead of competitors, and keeping the current talent base engaged and focused on the company’s goals.” The point is, it is not just about innovation.

IT Conversations

There are some really good podcasts posted under IT Conversations. I’ll confess, I end up skipping many of the podcasts because of limited time. If I made the time to listen to all of these podcasts, I have a feeling that I would a better IT professional. We do what we can. Let me point out some recent podcasts.

Jimmy Wales, creator of Wikipedia, talks at O’Reilly Media Open Source Conference. The podcast just brings up the idea of making things open source verses security through obscurity. It got me thinking about the heavy use of automation in security verses including people. Jimmy uses the example of wanting to open a restaurant. First step, we need to design the new restaurant. One thing we decide is to serve steak. In order to eat steak, we will need to give people knives. We know people sometimes stab others with knives. So, do we design the restaurant where each patron is put into a cage to prevent them from stabbing or being stabbed? Think of it this way, the cage idea is putting security at the end of the process, where you may only have bad possible choices. Now if security is designed into the process, better solutions are likely to be available. Wikipedia is possible because it was designed so changes could be rolled back. Sometimes to operate, there will be some acceptable risks. Before deciding what is an acceptable risk, you have to be aware of what those risks are and what possible solutions exist. Wikipedia is also designed with the idea of including people to make the product better. How might security utilize this philosophy?

Nat Torkington talks at OSCON is a very humorous talk. To quote IT Conversations, “Using black humor and irony to convey a noble idea, Nathan Torkington, the chair of OSCON, lightens up the mood, frequently throwing his audience into fits of laughter, as he hurriedly wraps up three key messages into the time allotted for one.” His talks is for just thirteen minutes. I wish I could of seen the slides. Still very funny. Listen to it for pure enjoyment.

Speaking of Security

This is done by RSA. Normally, I don’t care for vendor produced podcasts. RSA cover good security practices in a short, to the point, podcast. I like listening to these podcasts to help organize in my mind security topics as selling points to business managers. In the podcast I listened to today, Rod Nelsestuen from the TowerGroup talked about business continuity. Of importance to me is that he ties in security and risk management to the evolution of business continuity planning. It is a simple idea, but have you run into a business person who just doesn’t get IT security? You have to learn how to relate security to something they do understand and cannot dismiss.

FLOSS Weekly

Randal Schwartz is one of the people on IT I like to keep an eye on. Outside of his focus on open source solution, Randal has a keen instinct for interesting and useful IT technology. Plus, like Leo Laporte, he is a genuinely nice guy. Since I could not decide on just one episode, below are a few of the recent podcast topics I found particularly interesting. If you do any open source development, you need to listen to FLOSS Weekly.

The interview with John Roberts, CEO of SugarCRM is a great introduction to this open source customer relationship management (CRM) software. To quote from the SugarCRM website, “Sugar easily adapts to any business environment by offering a more flexible, cost-effective alternative than proprietary applications. SugarCRM’s open source architecture allows companies to more easily customize and integrate customer-facing business processes in order to build and maintain more profitable relationships. SugarCRM offers several deployment options, including on-demand, on-premise and appliance-based solutions to suit customers’ security, integration and configuration needs.”

In the interview with Jacob Kaplan-Moss on Django, they discusses this Python-based Web framework that “encourages rapid development and clean, pragmatic design.” Leslie Hawthorn from the Google Open Source Blog wrote this concerning Django, “We love Django, making use of it extensively in products like Google App Engine, so it was a pleasure and privilege to give back to this community.” Randal and Leo on a later podcast interviewed Jeff Robbins on Lullabot and Drupal. Lullabot is a consulting company specializing in Drupal. They also produce a weekly podcast focused on Drupal and building web sites.

Finally, check out the interview with Brian Aker of Drizzle, a lightweight fork of the MySQL database. To quote the Drizzle site, “the Drizzle project is building a database optimized for Cloud and Net applications. It is being designed for massive concurrency on modern multi-cpu/core architecture.”

Network Security Podcast

This is a podcast for security professionals. I started listening to this podcast when Martin McKeay flew solo. He did a great job. When Martin added Rich Mogull, the podcast got even better. The podcast consist of Martin and Rich discussing major news and topics in security. Frequently they will be joined by major players in the security field. Martin and Rich will also do special podcasts from security conferences. They went to Black Hat and Defcon, so I didn’t have to. My travel budget appreciates it. These guys do great straight security. With their different backgrounds, they really compliment each other.

Red Monk Podcast

Red Monk is like FLOSS, but with a whole gang of Randall Schwartzes. The co-hosts are Michael Cote and John Willis, who are joined by special guests. Sometimes I have no clue what they are talking about. That is a good thing. You get exposed to a bunch of topics from a bunch of people. For example, in their most recent podcast “Jane Curry Evaluates Nagios, OpenNMS, and Zenoss,” they discuss Jane’s paper. This is a 148 page draft paper titled “Open Source Management Options.” The podcasts also contain discussions of news and topics affecting IT professionals. Their podcasts tend to go over an hour, but are filled with content. Listen to the podcasts when you have some time to concentrate on what they are discussing. You will learn a great deal.

This WEEK in LAW (TWiL)

There might be something seriously wrong with me. I love to listen to lawyers talk. They are fascinating. Lawyers use the English language like IT folks will use computer languages. They will dissect points like the best debuggers I have ever met. While TWiL does not come out regularly, it is a true treat when it does. If you do not share my fascinating with lawyers, TWiL still will cover very relevant IT topics that should be of interest to anyone in the IT field. For example, check out the episode “Cloud Computing And EULA Law.” The podcast does tend to go longer than an hour, but cover a great deal of ground. It is so very important to be exposed to the laws that are affecting topics of importance to the IT world. The really great thing is, you get to listen to lawyers and it costs you nothing. Still, do consider donating to the folks who create these great podcasts.

Grammar Girl

While this podcast is not security, IT, or even business focused, it could prove most beneficial for anyone in the IT field. I grew up in New Jersey and I got into computers at the age of twelve. Those are two strikes against me when it comes to grammar. I am thankful for the tips that Grammar Girl provides. Disclaimer: if you find grammar mistakes on this site, which I am sure you will, just imagine how bad it would be if I never started listening to this podcast. You may also want to check out “the Public Speaker” podcast. Both podcasts are short, lasting less than ten minutes. That makes them easy to listen to while going about your day.

Parting Words

If you are wondering, “What about …”, take it easy. No insult was intended to your favorite podcast. This is not a “Top 10″ list. A friend asked me to recommend some security podcasts. This post is meant to discuss some of the great content that is out there. Since security should be integrated into the organization, I included some business and IT focused podcasts. Hopefully a few of these podcasts are new to you. Being told what you already know, while possibly providing some ego boosting, does not expand your horizons. That is the danger of group think. Break free! The power of podcasts are that they can introduce you to people who are in different positions, organizations, sectors of the industry, and even different fields.

One of my favorite stories of Abraham Lincoln involved the McCormick-Manny case of 1855, which I included in my post, “Herding Cats.” Since I enjoy the story so much, I am going to share it again. W. M. Dickerson, one of the Cincinnati lawyers, wrote, “Mr. Lincoln had prepared himself with the greatest care; his ambition was to speak in the case and measure words with the renowned lawyer from Baltimore. He came with the fond hope for making fame in a forensic contest with Reverdy Johnson. He was pushed aside, humiliated and mortified.” Edwin M. Stanton, the Baltimore lawyer, pretty much told Lincoln that he did not need Lincoln’s help. Stanton did not think well of Lincoln, describing him as “a long, lank creature from Illinois, wearing a dirty linen duster for a coat and the back of which perspiration had splotched wide stains that resembled a map of the continent.”

After the trial, Lincoln told Ralph Emerson, a young lawyer who was present at the trial, “I am going home. I am going home to study law.” Emerson asked, “Mr. Lincoln, you stand at the head of the bar in Illinois now! What are you talking about?” Lincoln replied, “Ah, yes, I do occupy a good position there, and I think that I can get along with the way things are done there now. But these college-trained men, who have devoted their whole lives to study, are coming West, don’t you see? And they study their cases as we never do. They have got as far as Cincinnati now. They will soon be in Illinois.” Emerson stated Lincoln turned to him, his countenance suddenly assuming that look of strong determination which those who knew him best sometimes saw upon his face, and said, “I am going home to study law! I am as good as any of them, and when they get out to Illinois, I will be ready for them.”

As you know, Lincoln was to become President of the United States and Stanton would become his Secretary of War. A mutual respect, loyalty, and trust would develop between these two very different men. The moral of the story is to continue to strive to improve and always remember that the greatest service is done by that which challenges us.

One needs to be careful not to fall into the trap of pretending one can make security problems disappear by simply passing laws. Some countries seem to be trying to do just this by outlawing such things as security tools (“UK government to consider hacker tool ban“, “Germany outlaws ‘hacking tools’: An impossible ban for sysadmins?“). This only results in security professionals being deprived of the very tools they need to do their jobs. In Europe, while laws get passed protecting the privacy of European citizens, the European governments ends up being exempt. “Europeans reserve their deepest distrust for corporations, while Americans are far more concerned about their government invading their privacy,” writes Bob Sullivan in his article, “‘La difference’ is stark in EU, U.S. privacy laws.” In the end, monitoring still occurs. It is just a question of who does the monitoring.

Others might not want to make security tools illegal, but instead limited the tools to those demonstrating a certain level of professional proficiency. Deb Radcliff writes in the article, “Computer Forensics Faces Private Eye Competition,” about pending legislation in South Carolina where digital forensic evidence gathered for use in a court must be collected by a person with a PI license or through a PI licensed agency. Deb writes, “Georgia, New York, Nevada, North Carolina, Texas, Virginia and Washington are some of the states going after digital forensic experts operating in their states without a PI license.” The article goes on to quote Steve Abrams, a licensed independent PI and computer forensic examiner based in Sullivans Island, S.C., “In April [2007], the state attorney general opined that even if you never set foot in South Carolina, if you’re collecting evidence to be used in court here, you still need a South Carolina [PI] license. Licensing authorities in New York, Pennsylvania, Texas and Oregon have opined the same way.”

I can’t help but think about a recent newspaper article titled “Robbery target isn’t only one who’s packing” written by Beth Brelje. While it is not directly about IT, please bear with me. Richard Flynn, owner of American Sport Shooting, made this great statement:

A lot of people who move from metropolitan areas are not use to not having a police force. I moved here in 1990, I could walk around the streets and never considered being armed. Now I will not consider going out without being armed. Anytime people move in, you get good and bad. Unfortunately we’ve got a good amount of bad. I don’t feel safe here. I considered it being prepared.

Once upon a time, I felt safe on the Internet and did not think about security. Then the world moved in and we all became just a few milliseconds away from every creep on the planet. Do we have an Internet police force keeping us safe? Even if the non existing cyber police really wanted to hear from us when our computers becomes infected with viruses, what could they do? The 165,000 men, women, and children of Monroe County would love it if everyone could just get along. Sadly, there are some bad folks who would love to cause harm in the county. The residents also would not object to a large police force that could deal with these criminals before any crime occurred. In the end, economically that is not a viable solution. So, 10,000 Monroe County residents, feel the need for some protection. I understand.

H.P. Lovecraft wrote in “Supernatural Horror in Literature” that “the oldest and strongest emotion of mankind is fear, and the oldest and strongest kind of fear is fear of the unknown.” This is a lesson repeated throughout history. Marie Curie, ever the scientist, wrote, “Nothing in life is to be feared. It is only to be understood.” Of course Marie Curie died of aplastic anemia. She fell victim of radiation from the many fascinating glowing substances she had learned to isolate. How could she have known? Understanding is not only important in overcoming fear, but it can be essential sometimes for life itself. Ignorance is often deadly. While the government works on writing laws that will eliminate Internet insecurity, it would be wise to keep open the option of dealing with these problems ourselves. The first step is to open our eyes and see the wolf. This is where monitoring comes into play. Know what is going on. Only then can we start working on a solution. Later, if the government can make our lives easier with another layer of protection, so much the better.

The next day, April 27th, marked the one year anniversary of the cyber attack on Estonia. The incident began when Estonian government moved a war memorial honoring Russian-Estonians who died fighting the Nazis. Gadi Evron, the former Israeli Government CERT manager who was in Estonia at the time of the attacks, has published an article titled, “Battling Botnets and Online Mobs” in the Georgetown Journal of International Affairs. Evan explains the attack:

Once bloggers started reporting their small-scale attacks, more experienced players became involved. Before long, botnets were being used. The involvement of the Russian government in the affair cannot be confirmed. What raised speculation, however, is the failure–or unwillingness–of the Russian authorities to stop the cyber riot against Estonia for over three weeks after the initial attack.

In an attempt to deal with future attacks, seven NATO countries are backing the establishment of the Cooperative Cyber Defence (CCD) Centre of Excellence (COE) in Estonia. General James Mattis, NATO’s Supreme Allied Commander Transformation/Commander, at the signing ceremony stated, “The need for a cyber defense center to be opened today is compelling…It will help NATO defy and successfully counter the threats in this area.” The center will be tasked with conducting research and training on cyber warfare. The US showed its backing by agreeing to send an observer.

Cyber attacks are occurring in every country. Last month Chinese hackers called for a DDoS against CNN.com in retaliation for news coverage of Tibet protesters. The organizers felt the news coverage was skewed against China. The attack was reported called off because the amount of coverage of the approaching attack expected to limit its effectiveness. Still, on the day of the planned attack, CNN was knocked offline for three hours. The Internet research website Netcraft reported, “CNN’s website suffered downtime within a three hour period on Sunday morning, followed by other anomalous activity on Monday morning, where response times were greatly inflated.”

Providing information on scale of compromised servers, malicious attackers, and the spread of malware is the Shadowserver Foundation. The organization gathers, tracks, and reports on malware, botnet activity, and electronic fraud. It is a great source of information concerning cybercrime. Richard Perlotto, the gentleman who runs the technology and operational side of the Shadowserver Foundation, spoke last week at the Asia Pacific Information Security conference (AusCERT2008). Additional presentations and interviews from the conference can be accessed through ITRadio. Below is a sample map showing DDoS attacks in 2007.

In the old days, countries controlled information through clamping down on the press and shutting down television stations. Pakistan meant to exercise country wide censorship February, when the the telecommunications ministry order access to YouTube blocked. According to Danny McPherson, Arbor Networks’ Chief Research Officer, in his posting “Internet Routing Insecurity::Pakistan Nukes YouTube?” Pakistan Telecom had three options:

1. deploy access-control lists (ACLs) on all your router interfaces dropping packets to or from these IPs
2. statically route the three IPs, or perhaps the covering prefix (208.65.153.0/24), to a null or discard interface on all the routers in your network
3. employ something akin to a BGP blackhole routing function that results in all packets destined to those three specific IPs, or the covering prefixes, being discarded as a result of null or discard next hop packet forwarding policies, as discussed here

Pakistan Telecom selected option three. Because Pakistan’s BGP traffic was offering very precise routes to what it declared were YouTube’s Internet servers, routers took it to be more accurate than YouTube’s own information about itself. That data was supposedly accidentally shared with Hong Kong’s PCCW, who failed to validate the BGP data. PCWW then shared the data with other ISPs throughout the Internet. Believing Pakistan Telecom had faster routes to YouTube, service provides started sending their YouTube traffic requests to Pakistan.

McPherson spoke with ITRadio on the topic, “How to destroy the Internet.” In the interview, McPherson discusses what occurred in Pakistan and how, “the control path, in general, on the Internet (DNS and routing, in particular) are two of the most fragile pieces of the Internet infrastructure.”

Kimberly Zenz, Senior Threat Analyst at VeriSign iDefense, pointed out that times have changed and blocking a site from an ISP is an increasingly unreliable way of censoring the Internet. Bringing down a site with a DDoS or shutting down the Internet completely are more effective options. For example, faced with a major protest movement for the first time since 1990, the government of Myanmar cut off the country’s Internet access completely. The actions of the Myanmar government are not unique. The OpenNet Initiative (ONI) tracks Internet censorship with the aim “to investigate, expose and analyze Internet filtering and surveillance practices in a credible and non-partisan fashion.” The site has a intriguing global filtering map and can provide valuable non-partisan information on Internet censorship throughout the world.

RFE/RL President Jeffrey Gedmin raises the concern that the number of cyberattacks will only increase, when he stated:

The Belarusians, the Iranians — they all have basically the same objective. They see free information — flowing information of ideas and so forth — as the oxygen of civil society. They’ll do anything they can to cut it off. If it means jamming, if it means cyberattacks, that’s what they’ll do.

Providing additional insight into the conditions that are helping foster hacking, Zenz was interviewed and presented at AusCERT2008. For additional information, Zenz co-authored with Eli Jellenc the fascinating report “Global Threat Research Report: Russia.” While the report is focused on Russia, the conditions exist in may countries.

Remember the good old days when our view of hacking was mostly based on the movie War Games? Hackers where misunderstood high school kids who might break into a government site just for the thrill of it, or maybe to play games. Who can forget the famous lines, “Greetings Professor Falken, Shall We Play a Game?” If you don’t recall the movie, or that line, you really need to work on your geek culture. While life and hacking may have appeared simple in those days, one cannot deny that today’s Internet offers the most interesting challenges. It is an exciting time to be a security monk. In the end, what’s not to love?

Today, I wanted to take a break from the technical postings I have been doing lately and discuss a splintering that is occurring within organizations that can result in operational road blocks. With the introduction of different groups, a counterproductive “us” verses “them” attitude may develop. The possible problems occur when the various groups end up seeing all the problems of the organization being the result of the other groups. For example, at some point we have all encountered those security folks who seem to do nothing but use their position to be obstacles. “No” is their favorite word, and possibly the only word they know. At this point, many developers are probably nodding their heads. Well, folks have also experienced that group of developers who resist with all their ability working with security, claiming that security just hampers development. Does this sound familiar within your organization?

While security may at times cause problems in deploying a service, one has to ask is that always a bad thing? On Thursday the Guardian reported that the Italian government just published every citizen’s declared taxable income on the Internet. Why would they do this? The finance ministry claimed it was part of a crackdown on tax evasion. The tax minister, Vincenzo Visco, was quoted in Italy’s Corriere della Sera saying: “It’s all about transparency and democracy. I don’t see the problem.” So, what is the problem? First, the government did not have consent to make the information public. Second, it was one of the last acts of Prodi’s centre-left government before it leaves office this week. People have agendas that may not be in the best interest of the organization, or in this case the country. Could the act have been motivated by spite? ADOC, the Italian consumer group disagrees with Vincenzo Visco, claiming “It’s a clear violation of privacy law.” They go on to point out, “The forms for the tax return do not contain a warning about the publication of data or a specific clause authorising publication, which is a further violation of the same law.” Just because something can be done technologically, does that mean it should be done? Security professionals sometimes need to step up and say, “heck no!” If they are unwilling or unable to make their voices heard, they have failed the organization.

Security can serve many purposes. It can be a time saver, helping to avoid major delays while keeping services running. The United Press ran a story on Saturday titled, “Students accused of hacking into grades.” Key points:

• Four Texas high school students are accused of hacking into school district computers to change the marks of at least 60 pupils, school authorities said.
• The Fort Bend Independent School District has suffered a monetary loss of at least $190,000 because of the incident, which makes it a potential felony, investigators said.
• Court documents reportedly do not give details explaining how investigators calculated the losses.

One is left questioning where the $190,000 loss would come from? Good security procedures include backups procedures along with other steps that may have prevented the changing of the grades. Maybe the Fort Bend Independent School District should take a look at the ISO 27001 security site, which promotes the ISO/IEC 27000-family information security standards. What might be real helpful is the site’s checklist for implementing ISO/IEC standards. Implementing a backup and recovery procedure is on the checklist. The school district would find the site a very good starting point. Following good security practices, at the very least, could have made recovery easier and thus less expensive.

If upon hearing standards and procedures, you started wondering about time overruns, I would point out that in many instances time is saved in the long run. We have all heard people expressing how it is sometimes faster to do things oneself than telling someone how to do something. The same principle applies. Lao Tzu summed it up well when he wrote the famous lines, “Give a man a fish; you have fed him for today. Teach a man to fish; and you have fed him for a lifetime.” One of the greatest lesson a person can learn is that we all have limits. It is part of the human condition. Once you have reach your limit, you have to reach out to the community to come together and work towards a common goal. The Amish have a tradition known as barn raising, where the community comes together to assemble a barn for a newlywed couple or to replace a barn destroyed by wind or fire. In one to two days the community is able construct what an individual could not hope to build by themselves without great effort and time.

IT Conversations posted a talk given by Anthony Ravitz, Project Coordinator, Real Estate & Workplace Services, Google, Inc., titled, “Google’s Solar Photovoltaic System.” It was very interesting to hear all the innovative thinking that goes on at Google. What I really found fascinating came during the question and answer phase. Anthony was asked about Google telecommuting policy. Anthony answered that Google does not have a telecommuting policy. Google feels that it is essential that their employees are able to come together and exchange ideas. This is currently done by the old fashion method of coming into work and talking to your coworkers. This amazed me to hear, but the justification was not surprising. Michael Santarcangelo, founder and Chief Security Catalyst, did a podcast titled “Why Virtual Teams Fail (and how to avoid it)” which explored why virtual teams fail, based on research from a group of graduate students at Johns Hopkins Carey School of Business. To quote from the podcast, virtual teams were threatened by:

• Concerns regarding the ability to protect sensitive information
• Lack of a single platform that provides all the tools necessary to optimize
• The struggles of virtual communication
• Poorly or under-trained users
• The challenge of building trust without the use of face-to-face communication

While a whole posting, or podcast, could be done discussing each of these challenges, the bottom line is that these challenges end up impacting workers abilities to come together as a team. Eliezer Yudkowsky posted “The Robbers Cave Experiment” where he discussed the book “Intergroup Conflict and Cooperation: The Robbers Cave Experiment” by Sherif, Harvey, White, Hood, and Sherif (1954/1961). It is a fascinating study involving 22 boys between 5th and 6th grade, selected from 22 different schools in Oklahoma City. The boys came from stable middle-class Protestant families, and they were doing well in school with a median IQ 112. The boys were as well-adjusted and as similar to each other as the researchers could manage. The purpose of the study was to investigate the causes, and possible remedies, of intergroup conflict. The 22 boys were divided into two groups of 11 campers. To quote Eliezer:

In Stage 1, each group of campers would settle in, unaware of the other group’s existence. Toward the end of Stage 1, the groups would gradually be made aware of each other. In Stage 2, a set of contests and prize competitions would set the two groups at odds.

They needn’t have bothered with Stage 2. There was hostility almost from the moment each group became aware of the other group’s existence: They were using our campground, our baseball diamond. On their first meeting, the two groups began hurling insults. They named themselves the Rattlers and the Eagles (they hadn’t needed names when they were the only group on the campground).

Eliezer goes on to report:

Each group developed a negative stereotype of Them and a contrasting positive stereotype of Us. The Rattlers swore heavily. The Eagles, after winning one game, concluded that the Eagles had won because of their prayers and the Rattlers had lost because they used cuss-words all the time. The Eagles decided to stop using cuss-words themselves. They also concluded that since the Rattlers swore all the time, it would be wiser not to talk to them. The Eagles developed an image of themselves as proper-and-moral; the Rattlers developed an image of themselves as rough-and-tough.

I have sometimes wondered if managers and top level executives might be carrying out their own version of this experiment. Security professionals need to work together with everyone within an organization. As in the Robbers Cave Experiment, groups within an organization can choose to view others with suspicion, and blame all their problems on Them. In so doing, they reinforce their own mistaken opinions to the detriment of the organization.

One can see this reinforcement occurring, for example, when one encounters security folks who act like road blocks. Those employees will find people going around them in order to implement services. Those services will not be implemented in a secure manner. When those services get compromised, the security folks may point to how developers are cowboys and conclude that developers are the biggest security risk to an organization. Developers might leave security folks out of the planning and developing phases, only bringing them in at the tail end the day before the service is to go into production. Security will likely find so many problems that they will cry out, “You can’t put that into production!” The developers will sigh and say, “You see, another case of how security drag us down.” Policy people may leave everyone out when writing policy, resulting in them operating in their own separate world where the rest of the organization ignores policy. When an incident occurs, policy folks will say, “Not our fault. We wrote the policy but no one followed it.” Technical folks will say, “Not our fault. We were not aware of that policy. Even if we were aware, the policies were bureaucratic obstacles we had to bypass to get our job done. Besides, there is no way to implement the policies without a huge budget increase.” The finance folks will say, “There is no way the business can afford putting all that money into IT. We need more controls, metrics, etc. so we can see a return on investment.” Round and round it goes.

Segmentation and division seem almost built into an organization. As groups divide, drawing distinction between “us” and “them,” there is another interesting aspect at play. People bring to life their own impression of the world. Christine Carter, Ph.D. and the executive director of the Greater Good Science Center at UC Berkeley, wrote in her posting “Raising Optimistic Kids“:

There are three basic dimensions to an explanation: permanence, pervasiveness, and personalization. The OPTIMISITIC way of understanding why something GOOD happened would explain:

The cause of what just happened as Permanent (so it will reoccur);
And Pervasive (it will affect many other circumstances, too);
And Personal (I made it happen).

On the other hand, the PESSIMISTIC way of explaining why something GOOD just happened would illustrate that:

The cause of what just happened is Temporary (something short-lived caused it – probably won’t happen again);
And Specific (affecting only this situation);
And Impersonal (I didn’t have anything to do with what happened, other people or the circumstances did).

The reverse is also true when something bad happens. A kid trips on the sidewalk and skins her knee, dirtying her new dress. The pessimist thinks: “I’m so clumsy – I’m always tripping everywhere, and now I look stupid.” The cause of her fall is (1) permanent—she sees it as a personality trait, and therefore it is both (2) pervasive and (3) personal. On the other hand, the optimist thinks: “Dang! Someone oughtta fix that crack in the sidewalk!” She’s thinking that a flaw in the sidewalk, not her own inherent clumsiness, caused her to trip. That crack is (1) temporary; (2) specific to that moment; and (3) impersonal—she had nothing to do with it.

It is important for employees to have those optimistic qualities, mainly that sense of personal responsibility and connection to others. Communication is also key in that it is the counter balance breaking down the divisions that people build up. In the Robbers Cave Experiment, the researches attempted to reduce conflict by having the groups attend pleasant events together. It did not work. For example, shooting off Fourth of July fireworks developed into a food fight. How many times does an organization try to bring together members of their company by having them attend a dinner or some common event? While I have never seen a food fight develop, I have not seen much team spirit develop either at a company’s awards dinner. In the study, only after having the boys band together in common tasks, requiring cooperation from both groups, did the both groups start coming together. For example, dealing with a water shortage, restarting a stalled truck, etc. By the end of the trip, one group used the $5 won in a bean-toss contest to buy malts for all the boys in both groups.

Don C. Weber, writes a very interesting post, “Organized Security” which addresses the point of open communication being essential to an organization operations. Don writes:

Let’s face it though, when we start talking about security within our different organizations the majority of what we want is for our organizations to follow good business practices. Companies who have a firm grasp on how their technology operates and have a process for change through open communications are much more secure that the companies that buy security products to act as stop gaps and try to prove or give the illusion of compliance.

As work becomes more specialized, people’s knowledge also becomes specialized. Companies are reorganizing their workforce. Policy folks are being split from the technical people. Network, system administrators, developers, and security people might be split into separate groups. Workforces are being split between different locations. What are the unifying goals bringing members together? Organizations need to define this or they are doomed to multiple problems between the groups resulting in those goals never being achieved.

Diana Henry Scott, one of my favorite PMP-certified Project Manager podcasters, had two shows awhile back with Cheryl Mann, President and founder of Goals Insight, Inc. The shows were titled, “Building Effective Teams Part 1” and “Building Effective Teams Part 2“. Communication and working as a team are key. A foundation on how to operate based on good secure business practices must be established and communicated to each employee. Not in a “Though shalt” manner, but in a way where everyone knows how they are contributing to the operational success of the organization. It is all about establishing a community. Lao Tzu provided these wise words, “Go to the people. Live with them. Learn from them. Love them. Start with what they know. Build with what they have. But with the best leaders, when the work is done, the task accomplished, the people will say `We have done this ourselves.’”

Dave Oliver did a fantastic job discussing mind maps with his post, “Managing your Mind. Mindmaps, a handy tool for the Enterprise Architect.” I am tempted to stop writing, leaving the reader to simply read Dave’s post. I just have a few additional links and comments to provide.

There are many software packages to help with mind maps. Dave recommends Mindjet Mindmanager Pro 7, one of the most popular commercial products. If you want to evaluate the software, there is a free 21 day trial option. Want to try something else? There are plenty of other packages. The folks over at Mind-mapping.org have done an amazing job of maintaining a list of the various mind mapping software. The commercial products are too numerous to include, but if you are looking to experiment with mind mapping, the open source packages might provide a good cost effective starting point. Mind-mapping.org has provided a nice map of open source solutions.

Eric Hebert, has done a post “99 Mind Mapping Resources, Tools, and Tips.” While I won’t list all 99 links, here are the categories covered:

• Free Software
• Resources
• Professional Training
• In the News
• Examples of Mind maps
• Books
• E-Books
• Articles On the Web
• PDF Articles
• Blogs
• People
• Videos
• Noteworthy Paid Software

Dave and Eric posts provide a fairly complete list of available information for learning all about mind maps. Now to add a little connective intelligence. Jerry Manas, author of “Napoleon on Project Management: Timeless Lessons in Planning, Execution, and Leadership” and “Managing the Gray Areas,” president of project management consulting firm The Marengo Group, co-founder of the popular leadership blog site PMThink!, and a two-time Mindjet webinar presenter has a few very useful posting concerning mind mapping:

• Finding Clarity: Using MindManager® Pro 7 to Manage the Gray Areas.
• 101 Project Management Uses for Mind Mapping Software
• Mindmap Productivity Tips
• Think Clear: Mind Map to Innovate …
• Event Map: Mind Map Technique
• Enable Creativity to Generate Ideas …

The Controlling Chaos podcast, hosted by Dina Henry Scott, PMP and Sr. Project Manager at VSP, has two podcasts that have interesting information on mind mapping tools: MindManager Pro 7 with Michael Deutch and Mapping Your Way to Project Success!.

Using mind mapping techniques to help in the area of security, Rudolph Araujo, Senior Principal Consultant at Foundstone, did a posting “MindMapper vs. MindManager.” Rudolph writes:

I was using mind mapping for everything from building threat models and doing code reviews to working out my articles and presentations. I even convinced Foundstone to purchase a bunch of licenses of MindMapper as a lot of other people at Foundstone had become fans as well.

Over at the Security Catalyst, Michael Santarcangelo has been working with mind mapping. Michael writes about the Security Catalyst work with mind mapping to develop a map of the advancement of security. The work is discussed in his posts “What do you think the future of how we practice security looks like?,” “Mind mapping the future of how we practice security“, and “Advancing the Future of Security; a mind-map experiment.” Michael explains his interest in mind mapping when he writes:

I am a visually driven person. I think in non-linear ways, and have a 4′x8′ whiteboard in my office that I use several times a day. Mind mapping, therefore, is a natural fit for me. As a speaker, I’m generally impressed by those who also mind map. If you are also visual, you may find mind mapping works for you, too. In my quest for personal improvement, I have come to enjoy reading the thoughts of Grigor at Behind the Glasses. He’s covered mind mapping a bit, and recently covered the beta of MindMeister – an online, collaborative mind mapping tool.

The resulting map is available on MindMeister or in PDF format. Don C. Weber, Information Assurance Director at Ultimate Solutions, Inc. and a member of the Security Catalyst community, was inspired to use mind mapping to help him develop a security plan based on the ISO 17799:2005 standard. Don discusses his use of both the open source FreeMind and the commercial MindManager software. He also discusses the steps he went through to map ISO 17799:2005 in his posting “Mindmapping ISO17799:2005.”

Mind mapping is not going to help you lose weight, be sexier to members of the opposite sex, add hair to your head, and/or cure you of all that might ail you. Software, at its best, can only help you perform your job better. It does not provide a solution in and by itself. Mind mapping provides a technique which enables you to explore, capture and structure what’s going on in your mind. For some, mind maps will be of no help. There are countless other methods to do the same thing. It is up to you to experiment and find the solution that work best for you. The important thing is to realize that when the old way of doing business no longer works well, you need to stop doing things the way they have always been done. The known is comfortable, but it fails to advance you anywhere. Challenge yourself. Learn to do things differently. You will be glad that you did, and you just might become a little more sexier. When you step off the beaten path, anything is possible.

I found myself coming back to Bruce’s words this week. I was trying to access a SSL site, and I was getting the warning message that the certificate authority was unknownn. Immediately, my mind went to a man-in-the-middle attack. I looked at the source code of the site, and could see the page was accessing a gif image from another server via SSL. The gif image was a 1×1 pixel that blended into the page background. The page coders were probably having problems with table spacing and used this technique, copying code from a server that had a self signed certificate.

I tried reporting it, and found that folks thought me quite mad. I guess they figured I was just getting hung up on a minor issue. After all, no one else was reporting it. I, on the other hand, could not help but realize that all those folks I reported this to had failed to notice the problem. They accepted the self signed certificate and went on to log into the site. They were not using single sign on. This, I found more troubling.

What could an invalid certificate indicate? As Billy Joel would argue, it comes down to a matter of trust. Now imagine if an person came up to you and claimed to be an Nigerian princess, who may just needs to move millions of dollars over to the US. To prove her identity, she pulls out a Nigerian library card. You are not likely to believe her. Now, if the President, the Pope, the Dalai lama, and a whole bunch of security people accompanying her vouched for her, you might be more willing to accept she is who she says she is. An unknown certificate authority can claim to be from any company and issue certifications for any machine. Anyone can create a certificate authority and start issuing self signed certificates.

How do you put this to use? Someone wanting to gain credentials and information from employees at the Acme Corporation might use a man-in-the middle attack. They create their own certificate authority, claiming to be the certificate authority “Acme Corporation Public Issuing CA 01.” People trust things with numbers in it. It seems more authoritative. They issue a self signed certificate for one of their machines, approve it through their certificate authority, and the place the certificate on a machine to be used as a proxy server. This proxy server will intercept communications between Acme employees machines and the Acme mail server. Employees thinking they are signing into the Acme mail server, will end up providing their credentials to the proxy server. The proxy server will use the credentials to sign into the real Acme mail server and transfer data back and forth to the employees. This is made possible by the employee accepting the self signed certificate. SSL and the certificate only insures the data is encrypted from the employee computer to the destination, which is the hacker’s web proxy.

How would a hacker redirect traffic? There are a few ways. Maybe an old time DNS cache poisoning or ARP spoofing. A more interesting way recently discussed by the fine folks at Google and Georgia Institute of Technology involves open recursive DNS servers. At the Network and IT Security Conference: NDSS 2008, David Dagon, Chris Lee, and Wenke Lee presented “Corrupted DNS Resolution Paths: The Rise of a Malicious Resolution Authority.” They have discovered that there are over 17 million open recursive DNS servers. About 0.4%, or 68,000, are giving users false addresses to phishing sites. The point is, once an end user’s computer has been modified to use a poisoned DNS server, the system can be directed to any fake web site.

A web developer having problems with a table format, creates a situation where employees trying to access a web page use a self signed certificate from a unknown certificate authority. What is the big deal? Is it just me that answers, “plenty!” Is my brain wired differently? No. Might Bruce be right? Security does requires a particular mindset. It it not unique to security folks, but exists because of the continuous challenges faced by security professionals. Put simply, security professionals share some characteristics. These characteristics exist in people whose job requires them to be constantly learning and are challenged with an ever changing work landscape.

Ed Boyden did a posting, “How to Think.” Now Ed is an assistant professor in the MIT Media Lab and MIT Department of Biological Engineering. He leads the Neuroengineering and Neuromedia Group. When he applied for the job at the MIT Media Lab, he was asked to write a teaching statement. He ended up composing rules to help students “be creative, thoughtful, and powerful in a world where problems are extremely complex, targets are continuously moving, and our brains often seem like nodes of enormous networks that constantly reconfigure.” Here are the rules:

1. Synthesize new ideas constantly
2. Learn how to learn (rapidly)
3. Work backward from your goal.
4. Always have a long-term plan
5. Make contingency maps
6. Collaborate
7. Make your mistakes quickly
8. Write up best-practices protocols
9. Document everything obsessively
10. Keep it simple

I will not go through the rules in detail. Ed’s blog is a fascinating informative site that should be added to everyone’s RSS reader. I did want to pay particular attention to the first rule. Ed’s complete description is:

Synthesize new ideas constantly. Never read passively. Annotate, model, think, and synthesize while you read, even when you’re reading what you conceive to be introductory stuff. That way, you will always aim towards understanding things at a resolution fine enough for you to be creative.

I would argue this is essential for everyone, especially when it comes to security. Put simply, think. Don’t passively move through life. When something does not work, ask why does it not work? Why is a site generating an unknown certificate authority warning? Stop it from occurring so employees don’t get use to clicking whatever they need to in order to get what they perceive as annoying messages to go away.

Ed’s post also serves as a warning. How many times in our busy information filled life, as we attempt to learn rapidly, do we end up reading passively? Sure, we may be obtaining the facts, but does memorization of facts really help? When I first started listening to podcasts, I was jazzed. There was this pool of people willing to give up their time and share their knowledge and experience for those willing to listen. These people challenged me to see IT from a different point of view. As I preached the benefits of listening to podcasts, I heard from others how they were just too busy to listen. Instead, to keep informed, they would read RSS feeds. I read RSS feeds also, but the knowledge transfer is completely different. When reading blogs posts, how frequently do we skim the titles, or the first few lines, and move on? Nielsen Norman Group researchers did a study involving newsletters. They found that the average time allocated to an email newsletter after opening it is just 51 seconds. People scan the text, with only 19% of newsletters being read fully. Eyetracking observations of users reading RSS news feeds showed that people scan the headlines and blurbs in feeds even more ruthlessly than they scan newsletters. One of the reasons I write blogs is because it requires me to stop and think. It is similar to reaching. One learns from teaching because you are forced to question and dive deeper into subjects. You are not just learning a subject, you have to understand it.

Jeff Moser wrote an interesting posting, “What Does It Take To Become A Grandmaster Developer?” In it, Jeff asks the reader to, “See how much of the following sequences of letters and numbers you can memorize in the next 20 seconds:”

• T, E, X, A, S, O, H, I, O, V, E, R, M, O, N, T, R, H, O, D, E, I, S, L, A, N, D
• 2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41

Jeff provides a graph of how people performed:

The point being that the results are not based on innate or raw talent. People in Group 1 realized that the letter where grouped by state names “TEXAS”, “OHIO”, “VERMONT”, and “RHODE ISLAND.” The number sequence, Group 1 members probably realized were the prime numbers up to 41. When tasked with remembering, they did so by using the groupings, verses having to memorize each letter and number. The people in Group 1 were able to remembered less overall information but recall everything through these “chunks.” In terms of raw memory talent, one could argue Group 6 won by trying and remembering more letters and numbers, even if it was only 20% of what Group 1 perfectly recalled. The bottom line is that Group 1 performed the task. Thinking, not memorizing, is a major component of learning.

Anders Ericsson editor of the book “Cambridge Handbook of Expertise and Expert Performance” states:

Successful people spontaneously do things differently from those individuals who stagnate. They have different practice histories. Elite performers engage in what we call “deliberate practice”–an effortful activity designed to improve individual target performance. There has to be some way they’re innovating in the way they do things.

John Cloud, staff writer for Time, in an article “The Science of Experience,” examines Ericsson’s book. John summarizes:

Ericsson’s primary finding is that rather than mere experience or even raw talent, it is dedicated, slogging, generally solitary exertion — repeatedly practicing the most difficult physical tasks for an athlete, repeatedly performing new and highly intricate computations for a mathematician — that leads to first-rate performance. And it should never get easier; if it does, you are coasting, not improving. Ericsson calls this exertion “deliberate practice,” by which he means the kind of practice we hate, the kind that leads to failure and hair-pulling and fist-pounding. You like the Tuesday New York Times crossword? You have to tackle the Saturday one to be really good.

Philip E. Ross writes for Scientific America the article “The Expert Mind.” Philip writes

The conclusion that experts rely more on structured knowledge than on analysis is supported by a rare case study of an initially weak chess player, identified only by the initials D.H., who over the course of nine years rose to become one of Canada’s leading masters by 1987. Neil Charness, professor of psychology at Florida State University, showed that despite the increase in the player’s strength, he analyzed chess positions no more extensively than he had earlier, relying instead on a vastly improved knowledge of chess positions and associated strategies.

Learning is about developing chunks of knowledge. This is applicable to how we take in information. Guy Kawasaki, posted an interview with Garr Reynolds, author of “Presentation Zen: Simple Ideas on Presentation Design and Delivery (Voices That Matter).” Garr says, “The goal of the book was not to offer panaceas and rigid rules, but instead to encourage people to think differently about their visuals, the way they present them, and how they connect with audiences. My hope is that people find some things new in the book that stimulate their creativity–helping them to discover a more ‘enlightened’ and more effective approach to presenting.” It is all about getting people to think and be actively involved. Only then can learning occur.

The brain is not a dumping ground of facts. Way back in high school I knew a kid who could tell you the capital of every state. Nice kid, but what the heck was the point? He went away to college, had a real rough time, and fortunately eventually learned life is not about memorizing. Experience does not equal exposure to facts that we store in memory and spit out to impress people. Well, unless you are playing Trivia Pursuit. Expertise comes from continuously building and reorganizing chunks of memory. Experience is the development of these chunks of memory. When a certificate signed by an unknown certificate authority is presented, chunks of memory start forming. First, the brain pulls from system administration experience information concerning how certificate authorities can be created and self signed certificates can be signed. Another chunk pulled involves phishing techniques. Another chunk involves man-in-the-middle attacks. Another chunks involves subverting DNS results. The more experience, the more chunks. All continuously being reorganized.

While we may need to be “repeatedly practicing the most difficult physical tasks,” I do need to put up a cautionary note. Everyone reading this blog is human, as far as I know. Humans need to realize that the brain has its own requirements to help remember and organize. Gregory Kellett, a researcher at UCSF investigating the psychophysiology of social stress, writes, “”Relaxing for your Brain’s Sake.” Gregory makes many great points. Here are a few requirements to deal with stress:

• Stay in the moment – Since our conscious awareness is only able to take and process a finite amount of information at a time, fully engaging our senses limits the amount of (often stress generating) mental chatter our brains are able to entertain.
• Catch zzzzzzs – People who do not get enough sleep not only get more exposure to cortisol during the night, but also have higher resting levels of this stress hormone during the day.
• Get kinetic – Prolonged exposure to stressful situations can inhibit the brain’s ability to generate new neurons (neurogenesis). Exercise by contrast has been proven to promote neurogenesis, counterbalancing damage experienced under times of sustained “non-relaxation”.

So what is so bad about not getting any exercise, sleep, and being stressed out? To quote from Gregory’s post, “Stress and Neural Wreckage: Part of the Brain Plasticity Puzzle:”

Our brains appear to be most vulnerable to the effects of excessive stress in a region called the hippocampus. The hippocampus is a mass of neurons each with multiple branch-like extensions (dendrites and axons) which make connections (synapses) with other neurons all across the brain. Among other things, this region is important in dealing with emotions and consolidating new memories. As with all brain regions, its ability to adapt relies upon being able to alter the branching and connections of its neurons. The hippocampus is also one of the only regions of the brain known to be able to produce new neurons, a process called neurogenesis.

Sometimes, you just have to stop being caught up in daily life. Don’t be in automatic operation mode. Think. Form new ideas. Collaboration is the best way to be exposed to new ways of thinking and challenging your own thoughts. It is okay to make mistakes. In genetic algorithms you learn combining the worse performing algorithm with the best, will often yield the final solution. This is how false peaks can be overcomed. Exam and challenge yourself. Never stop doing so. Take time to sleep. Get some exercise and try to relieve some stress. Some very intelligent people have provided a roadmap above for better learning. It would be wise to listen, think about what has been said, and follow what makes sense.

As a follow up to “The Trusted Internet Connections (TIC) Initiative?”, Robert Lemos has written an interesting article in SecurityFocus titled “Law Makers Voice Concerns Over Cybersecurity Plan“. The TIC initiative mandates that officials develop plans for limiting the number of Internet connections into their departments and agencies. The initiative also asks chief information officers to develop a plan of action and milestones for participating in the Homeland Security Department’s U.S. Computer Emergency Readiness Team’s Einstein initiative. The Einstein pilot program for cyber situational awareness (formerly the Strategic Analysis Program at the Transportation Department) monitors network security activity and is meant to increase global situational awareness.

There are many positive ideas behind TIC. Karen Evans, OMB’s administrator for e-government and information technology, points out, “The reduction of access points to trusted Internet connections will improve our situational awareness and allow us to address potential threats in an expedited and efficient manner. While we optimize and improve our security, it is also our goal to minimize overall operating costs for services through economies of scale.” Evans continues to point out, “We have to know what we own in order to protect it. We also must know we are managing risk at an acceptable level.” Those are good soundly accepted security ideas. It is difficult to argue with the idea that reduction of gateways with the addition of enhanced monitoring will not produce better, stronger, faster and less expensive security for government.

What I find most interesting in Lemons’ article is Robert Jamison, Under Secretary for the DHS National Protection and Programs Directorate, statements in relation to the Einstein program:

• “We only monitor a very small percentage of federal network traffic,” Jamison told the committee members. “We want, through this initiative, to increase that to 100 percent of all federal network traffic.”
• The information is analyzed on a daily basis, and so cannot detect threats in real time, Jamison said. He went on to explain, the system would be enhanced to do more real-time analysis.
• “We are currently not looking at any content,” Jamison said. “We are proposing that we are going to do that. The threats are real. Our adversaries are really adept at hiding their attacks in normal everyday traffic. The only way to really protect your networks is to have intrusion detection capabilities.“

Reading Jamison statements, one is reminded that the devil is always in the details. Law makers and former OMB employees are voicing concerns on several of the unclassified details. Below are a few of those details causing concerns.

Data Handling

With about 15 agencies voluntarily participate in the Einstein program, the Einstein program has been tested on a very small subset of government traffic. The Einstein program also has not been monitoring traffic in real time. The Einstein program is suppose to be enhanced to handle full packet inspection in real time. The enhancements are fairly major, being made to a program that is currently viewing a very limited set of data not in real time. Adding addition concern is the fact that no data has been produced indicating the effectiveness of the current system. Then again, such data might be part of the classified component of this initiative. Either way, there is little to indicate that the Einstein program is ready to handle the data in an effective manner with the future quantity and speed required.

Privacy

Evans testified as far as privacy and security is concerned, “we have been doing all of these activities in a very transparent way” under the existing approach. Jaikumar Vijayan writes in his article “Feds downplay privacy fears on plan to expand monitoring of government networks,” that Evans stated controls are being implemented to ensure that the privacy rights of federal workers and other individuals who access e-government systems are protected in the future as well.

Currently, the Einstein program only conducts flow analysis which tracks the source, destination, port and size of packets on the networks of 15 federal agencies. The privacy impact assessment, performed in 2004 was based on the flow analysis model and stated “the program is not intended to collect information that will be retrieved by name or personal identifier.” Once full packet capturing begins, personal identifiable information will be part of the data payload. How will privacy issues be addressed?

Personnel and Clearances

Another possible problem is that DHS Secretary Michael Chertoff’s wants to appoint Scott Charbo, the former CIO for the department, to the position of Deputy Under Secretary in charge of implementing the program. Some have voiced concerns over Charbo appointment. These concerns go back to when Charbo told the committee previously that he had not been briefed on incidents involving infiltration of government systems by foreign attackers. The reason he was not briefed was because Charbo, and other key personnel lacked the clearance to listen to classified briefings about cyber threats or attacks. Charbo explained to lawmakers, “This is an issue that needs to be addressed for a lot of CIOs. They need their classification levels raised.”

Charbo points out a major concern in the administration’s new cyber directive. Many CIOs don’t have clearance to view classified material. Since most of the directive is classified, this creates a problems since CIOs need to be in the loop to implement cybersecurity requirements or understand where potential threats are coming from.

Rep. Bennie Thompson (D-MS), chairs the Homeland Security Committee, in a February letter to DHS Secretary Michael Chertoff voiced concerns when he stated “Your decision to promote Mr. Charbo to Deputy Under Secretary of National Programs and Plans effectively places him in charge of the cyber initiative at the Department. Given his previous failings as Chief Information Officer, I find it unfathomable that you would invest him with this authority.” Some lawmakers are concerned with Charbo being put in charge of one of the most complicated national security issue in terms of threat and jurisdiction.

Intelligence vs. Security

Previously in my post, “FWC Reporting “Experts Find Fault With Cyberdirectives,” I quoted Glenn Schlarman, a former OMB official in charge of security policy who is now a consultant, concerns, “To solve the security problem, they want to use intelligence monitoring? DOD has not done a great job of defending its own networks. There are “starkly different needs and purposes for intelligence gathering and computer security.” Bruce McConnell, who was at OMB for 15 years and was chief of the information policy and technology branch for many years, went further when he told House lawmakers, “It is impossible for DOD to balance the needs of security and monitoring.”

Secrecy

Thompson stated in his letter to Chertoff that he had tried without success to get more details about the initiative on at least four previous occasions. Alan Paller, director of research at the SANS Institute said Einstein and TIC account for only about $100 million or so in spending. It is interesting to consider how the government will spend the rest of the $30 billion earmarked for the Cyber Initiative. That information is classified and likely remain so, according to Paller.

“My sense is there is a general consensus that the problem is big enough that not spending this money would be considered catastrophically negligent,” Paller said. “What has happened is that people in power have gotten a glimpse into what is happening and now they’re pushing the government to respond.” But a continued shroud of secrecy could pose some problems, Paller added. For instance, he said that not fully disclosing all of the attacks against government networks could make it harder to justify the huge investment being planned for the Cyber Initiative.

Conclusions

Many ideas behind the Trusted Internet Connections Initiative are based on good soundly accepted security principles. The Einstein program may turn out to be the best security initiative the government has ever implemented. Still, many questions are being raised about the tactics and possible leadership.

During the Senate Homeland Security and Governmental Affairs Committee Hearing on the Fiscal 2009 Budget for the Department of Homeland Security, regarding the virtual border fence, Secretary Michael Chertoff stated “I would say it is a partial model for the future. I think that it was a concept. We wanted to make sure that, A, there’s the basic concept functionality work and, B, the thought was to give the contractor an opportunity to present something that essentially thought out of the box, that wasn’t just a follow-on to the traditional way of doing business.”

The past has many lessons. Christopher Spencer invented the repeating carbine rifle in 1860. There were good and the bad aspects about the Spencer rifle, depending on your point of view. It was a seven shot repeater. This allowed an experienced man to shoot all seven shots in about fifteen seconds. For the soldier who possessed such a rifle, this was fantastic. The Army, however, was reluctant to purchase the Spencer early in the Civil War. The thinking was that the available wagon transportation would be incapable of delivering the additional ammunition the soldiers would shoot when given a repeating firearm. It was only when President Lincoln intervened after test firing the Spencer in 1863, halfway through the war, that the rifle was introduced into the union army. Bertram Barnett, from the Gettysburg National Military Park, writes, “Often, Federals with Spencers fired only one shot together to simulate a volley of musketry and waited for the Confederates to advance. When they did, the Unionists unleashed the other six shots in a rapid fusillade of fire that devastated the Southern lines.” One Confederate expressed the most convincing point of view, in terms of the usefulness of the Spencer, when he stated, “There’s no use fighting against such guns…”

The lesson to be learned is that when better technology is available, it can prove most effective. Sometimes, when doing long term planning, one has to factor in technology that might not currently exist. It is reasonable to expect certain advancements during certain time periods. The Einstein program with limited data from 15 agencies that does not include full packet inspection in real time, appears to be similar to the DHS’s virtual border fence, in that it provide only a basic concept of functionality work. While the enhancements seem significant, they might be based on reasonable technological advancements that will occur in the next five years. The government certainly would prefer to be fighting their security war with the latest technologies. In addition to avoiding fighting tomorrow’s cyber war with the previous war’s weapons, DHS also needs to make sure they are not fighting with the generals who can only think to use the previous war’s strategies. At the very least, it seems prudent to address the concerns already being raised in order to insure the best possible strategy combined with the proper personnel. Key people need to have the required clearances. Otherwise you are fighting tomorrow’s war with soldiers who can’t even see the battlefield. Soldiers fighting blind, even with the latest and greatest weaponry, are frightening and dangerous to friend and foe alike.

SANS maintains the @RISK bulletins, which summarizing the most important vulnerabilities and exploits identified during the past week. Today, I was looking at the summary of updates and vulnerabilities and rather than seeing the individual vulnerabilities, I saw just the numbers. Look at these numbers since the beginning of the year:

What you should notice is the pattern where the largest number of important vulnerabilities and exploits are occurring.

NIST defines a vulnerability as, “a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.” There are alot of web centric vulnerabilities in the above table. NIST publication SP 800-30: Risk Management Guide for Information Technology Systems defines risk as:

Risk is a function of the likelihood of a given threat-source’s exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization. To determine the likelihood of a future adverse event, threats to an IT system must be analyzed in conjunction with the potential vulnerabilities and the controls in place for the IT system.

Maybe the years I have spent in security are making me cynical, but it seems that management tends to spend too much time looking back. They never realize the risks that are developing due to a changing environment. They want to fight the last war. History is littered with the disastrous results of those who followed that path. One of the most famous is provided by France in the aftermath of World War I. France adopted all these fortifications to prevent the Germans from repeating the August 1914 invasion that resulted in four years of bloody trench warfare. So the German generals developed the blitzkrieg, which was a new and terribly effective form of lightning fast warfare that simply went around and over the Maginot Line. If history teaches us anything, it is that only looking to yesterday’s method of attack is a losing defense. How much effort in your organization is going to address the various areas of vulnerability listed in the table above? It is definitely a different vulnerability listing than what we would have had in 2005. Not radically different, but changing.

Please do not misunderstand, you have to cover the tried and true. We are all familiar with the Gartner research report declaring intrusion detection system (IDS) technology had gone beyond the “peak of inflated expectations,” was rapidly sliding toward the “trough of disillusionment,” and would be obsolete by 2005. What I am saying is that companies that believe that today’s security technologies and practices will keep their corporate assets safe and secure while they sit back and relax, are as mistaken as Gartner was about IDS.

The IT Governance Institute (ITGI) released the IT governance Global Status Report-2008. The report describes its purpose as “From July until October 2007 a survey reaching members of the C-suite was conducted to determine their sense of priority and actions, as well as tools and services needed, relative to IT governance, as well as their need for tools and services to help ensure effective IT governance.” It is an interesting report. The key findings from a security point of view is that members of the C-suite feel that security issues are not as serious as they were in 2005. The reason security issues are not perceived as the most significant problem anymore is because the respondents feel the situation surrounding the problems has improved.

Now, companies are doing much more in general to deal with security issues. IT governance and standards help organizations govern their IT resources. It is important to realize that some vulnerabilities are being addressed much better than others. Do we need to be more concern about the “other” vulnerabilities, especially since the “other” vulnerabilities tend to be in new technologies? From SANS Risk bulletin, the vulnerabilities most organizations are not addressing are occurring at a faster rate. Our defenses are not strong and hackers are an agile lot. They are adjusting. As the role of IT within a corporation increases, the potential resulting impact of an incident increases. Hacking is transitioning to a capitalistic model with financial rewards, and serious threats are developing. Are companies at less risk now then they were in 2005?

Christofer Hoff, Chief Security Strategist, Architect, and CISO at Unisys did a series of posts on “Security and Disruptive Innovation.” The posts were from a keynote Chris gave at the Information Security Decisions conference. Chris did a great job addressing problems folks within the security community are facing. The keynote highlighted several areas of emerging and disruptive technologies, addressing how these technologies should be “embraced, addressed, and integrated into the security portfolios and strategic dashboards of all forward looking, business-aligned risk managers.”

Galileo once said, “All truths are easy to understand once they are discovered; …the authority of a thousand is not worth the humble reasoning of a single individual.” I think there is a reason that many true geniuses, like Emilie du Chatele, seem to operate outside of the established doctrines of thoughts. Emilie was certainly outside of the Jesuits controlled French education system. And we have all heard the stories of how Reverend G. B. Engle found a seven year old students to be too inquisitive, so he whipped him every time he asked a question. The good reverend also belittled Thomas Alva Edison, calling him “addled.” When Nancy Edison, brought her son back the next day to discuss the situation with Reverend Engle, the reverend made her so angry with his rigid ways that she withdrew her son from the school. Fortunately Edison’s inquisitive mind was not beaten into submission.

I do not advocate basing one’s security on untrusted methodologies. That would be irresponsible business. We can all agree, despite what the last salesperson might have said, that there are no absolute security solutions. Businesses need to base their security on what is proven to work. IT Governance and standards provide a solid framework to build upon. My argument is against this complacency that seems to be setting in. Does compliance brings about complacency? Matthew Lewis wrote an excelent paper, “IT Security and the Curse of Complacency,” where he discusses “the ‘curse’ of complacency in this regard, and the pitfalls associated with perceiving security as a selfdeprecating function, as opposed to the ongoing process.” Security is a journey, not a destination. Businesses need to allow room for innovative thoughts and solutions, such as gentic fuzzing, Spatial-Temporal Correlation and Similarity, Aspect-Oriented Programming (AOP), etc.” I have no idea if these new approaches are viable solutions, but I know we need to be listening. We need to question how we are addressing, not just today’s way of doing security, but the impact that disruptive innovation will have on the security of our business.

The ITGI report does state that while the respondents felt that security issues have improved, they believe these issues have priority; taking precedence over staffing and service delivery issues, which are at the top of the Compound Problem Index (CPI). While their outlook might be a tad optimistic, due to their stylish rose colored glasses, the C-suites say they are listening. Maybe we can all learn something from the three year old Uno, who became the first of his breed to win best in show at the Westminster Kennel Club Dog Show. He is an inspiration to all of us who feel out gunned and are tasked with accomplishing something that have never been done before. Security professionals and C-suites only have to deal with hackers, auditors, stockholders, etc., but never poodles. I for one, am glad about that. My white hat is off to Uno who proved how much can change in three years. There is hope for us all.