For those of you who saw the post titled “Conflict of Interest” it was supposed to be saved as a draft so I could complete it later on. Not sure what happened but it somehow was published so I took it down for now. I’ll finish it up and re-publish at that time.
This is a bit of a rant and has nothing to do with Information Security so if you want to move on I’ll understand.
I’ve noticed lately that professional courtesy has taken a nose dive. Some examples from both work and outside of work.
At work I deal with colleagues from all over the world. Different time zones, different business units, different teams within IS, and different levels within the company (peers, Middle Management, Upper Management, etc). I’ve noticed that lots and lots of my queries go unanswered. I’ll send an email to someone in another company requesting information about an application, issue, or whatever and “crickets”. So I’ll send a follow-up. More crickets. At first I attributed it to the fact that they didn’t know who I was or my role. But once I escalated it I’d get a response. I also attributed some of it to the cultural differences in regard to roles. I’d request something from someone who may be a level or two above me and in their culture I was stepping out of bounds. Fine, but please let me know that I should follow the “chain of command” and who I need to communicate with. Don’t just ignore me.
This has continued and as of late it has become an issue with people here in the US as well. I’d reach out to someone for information and nothing. I’d follow-up and nothing. Even other IS staff that support different LOBs are jumping on the ignoring bandwagon. People who are supposed to be on my team from an IS perspective have decided that they don’t need to respond to requests for information, joining calls, providing input or resources when requested. Why? I do bathe daily and brush my teeth. I even use deodorant and most of these people aren’t even in the same office as I am. I’m very careful to respond to those who reach out to me and I’m careful to be professional, courteous, nice, helpful, etc…. so what is going on? I’ve also noticed that when I pass people in the hallway they don’t speak. This has been going on around here since before I got here but it bothers me. I’d say hi and they would keep walking w/o a word or maybe they would mumble something in response. If I don’t say anything then they surely don’t. It just seems to me that if you pass someone that you work with it would be polite to at least pretend to be friendly. I’m not asking you to stop and have a conversation or buy me lunch. Just smile and say Hi.
Outside of the office I’ve been involved with InfoSec groups for a few years. I was one of the leaders of the Atlanta NAISG chapter and when I moved to Cincinnati I got involved with OWASP and took over as the chapter lead in late 2011. Last year we had a great year in terms of getting quality speakers to come in to town and speak to us. I was very disappointed in the attendance but understand that people have priorities that don’t always allow them to participate in things that they may want to do. So we reached out to the membership with requests for what do you like, don’t like, what can we do differently, can you speak, who do you know that can speak, etc… For the most part we received little to no response and this didn’t surprise me in the least b/c I know that this type of request has a very low response rate. As we wrapped up last year and started to prepare for this year things got very busy at work and home so we kept putting off planning. We decided to not meet in January and plan for February. Then we delayed it to March, April, etc…. To date we have not met yet in 2013.
I decided a couple of weeks ago that we are going to have a June meeting regardless of how busy things are. So I started reaching out to various companies to see if they had interest in joining the meetings and to find out if they had anyone who may be interested in speaking to the group. As I said, last year we brought in 8 out of town speakers and only had 2 that were local. I really want to get more local speakers and thought some of the local companies and consulting firms may have people that can speak. “Crickets.” Again I’m getting no response. Not even a “Thanks but no thanks”, “Let me check and get back with you”, nothing.
So what is wrong? Why have people allowed themselves to become rude? Am I being too sensitive to this? I’d be curious as to what the rest of you are seeing.
Here we go again. Another security researcher who apparently thinks that he knows best because his feelings were hurt by Microsoft. Before I go any further let me say that I don’t know Tavis personally but I do know that he is uber smart and does a lot of good for the security community.
Over the years I’ve thought a lot about responsible vs. irresponsible disclosure. I’ve written about them from a “look what this goob did” to why I feel that there are very few valid cases for disclosure without a fix being available. (Unfortunately I don’t have time to search for the posts I’ve written about it to link.) I know that many in the community feel that disclosure is necessary and actually makes us more secure because they can then be aware of vulnerabilities and put workarounds in place until a patch is released. The problem with this argument is that most companies and almost no “normal people” not only don’t have the means to do this but also wouldn’t do it if they could. In business, security and IT teams are already in over their heads with work and having to find the time to research these things and then test and deploy a workaround is just more on their already over full plates.
So now that Tavis feels that Microsoft is the big evil software giant he has decided that the PCs of 99.9% of Windows users being open to attack is an acceptable response. I’m sure he feels that if he found the vulnerability then others have found it also, so why not. It doesn’t matter that this will be in Metasploit probably before this blog is posted. Which makes this available to every hack in the world who wants to be the next big name hacker. It doesn’t matter that whereas a few people may have had this and that they would have targeted a few people, now the likelihood of lots of others being targeted has gone up by orders of magnitude.
That is the problem with this type of irresponsible disclosure. The mindset is protect the few at the expense of the majority. Maybe a job in federal government is a possibility for the future.
First let me say that I’m not saying that there is not a security model around ATM deployments. ATM security varies greatly depending on lots of factors. You have the hardware that they run on and the underlying OS. Most are run on PC type hardware and the OS varies from OS/2 (yes there are still some out there running OS/2) to Windows (I have no proof but I’d not be surprised to see a few that are still on NT but mostly XP and Win7 with some CE based) to various flavors of Linux. Then you have the vendor software (this includes old versions as well as various different configuration variations and features). Then you have any additional software that may have been added by the FI. This software may be from a 3rd Party or it may be written by the development team within the FI.
Then on top of all of this there are the “standard” things that impact security. Thankfully most are not internet connected. At least by design. Of course here is where deployment mishaps can bite you. If they are on the same network as the rest of your systems then you are asking for problems. Just as in SCADA systems that are supposedly air gapped, such security measures are only as effective as the monitoring and enforcement that they go through. A rogue system plugged into the wrong (or right) port can suck all of the air out of a gap in a heartbeat.
You also need to think about things such as how it is configured. Look at the hardware configuration and settings, the OS settings, various security policies, and other network policies that are applied to each system. What additional agents is it running for management, security, etc.?
There are lots of other things that go into ATM security that can have a big impact on ensuring that it is as secure as possible. I’m going to stop here b/c my intent was not to give a primer on ATM security because I don’t know enough to give more than the basics. If you want to talk true ATM security you need to go elsewhere.
What I did want to talk about is the fact that the recent ATM heist of $45 million should have never happened. Why, you ask? Because this same basic attack took place a few years ago. RBS WorldPay was hit for $9 million using this same basic attack back in 2008. The attack wasn’t identical but it was close enough in nature that the lessons learned should have resulted in security improvements and controls that would have stopped or at least alerted the banks to this attack much quicker. What obviously didn’t happen was a true root cause analysis to not only find the root cause but to then learn from that and make changes. Then you also need to take what you learned from the RCA and think about how else this attack could have happened or what else they could have done using similar techniques.
We focus so much on the problem that we often fail to find and fix the root cause, and if/when we do we feel that we have gone over and above and stop there. This is a problem. There is so much more that we can and should do to take our work and program to the next level. We have to take what we learn and apply it but we also have to see what else we can learn from it. Security researchers are good at this. The bad guys are too. They take what we learn and use it against us. We get all excited about finding and fixing the root cause, then we think that it would make a great paper and conference talk. We make it all fun and pretty and show the world. Then the world takes it and slaps us in the face with it because they were willing to learn more than we are.
This is one of the big jobs of security that is so often overlooked. Our job is to secure but we also need to drive change within our program and within the way that our business does security. Our industry is reactive in nature and we are striving to be more proactive, and this is one way that we can. We have to go beyond thinking about what technology will make us proactive and think about what else we can learn from what we have already learned. Yes, this takes time and resources that many teams are already lacking in. It also takes someone who is good at thinking like this. It’s not something that will come easy to most of us but it is a necessary skill that has to be developed and implemented within our programs. We can’t keep playing catch-up forever because there comes a time when you get so far behind that you will never catch up, because catch-up also involves cleanup and that takes more and more time. If we spend just a little extra effort in our analysis we can make changes that will have a positive impact with less resource consumption. Just as in software development it is easier and cheaper to prevent bugs than to fix them, it is easier and cheaper for us to prevent incidents than to fix them.
Seth Godin has some wise words for us here. It’s easy to get caught up in our own little cause and forget the impact that our actions have on others. We see this most notably in the actions of groups like Anonymous. It probably happens more frequently on forums and blogs that people comment on. Nasty comments, name calling, threats, snide remarks that are meant only to tick others off. None of it is productive outside of giving ourselves a false sense of satisfaction.
It can happen at work as well. Not gossip, water cooler talk, or trashing other teams or businesses but things that we do that can honestly hurt the company. When we focus only on our own goals. When we push our agenda without regard to how it impacts others. When we defend our own territory when it may be better to yield it to others. Security is still fighting the stigma of being “Dr. No”. We are still seen in many circles as being the inhibitor of progress instead of the enabler or at least being willing to work towards a solution.
I’ve often talked about how we as security need to reach out to others and build relationships. Do things that foster a sense of teamwork. Be helpful by taking time to teach secure concepts informally to customers and those who work on technology teams that are within the company. The IT teams, the developers, the testers, the Business Analysts, and others. We are all working towards the same overall goal of making the business successful but we often fight against each other instead of working together.
Take time to get to know your business and the teams that make it work. Find out how they do things and work with them to do it more securely. Learn from them so you can do your job better. Build relationships so that you can accomplish your goals while helping others accomplish theirs. As you do this I believe that you will find that you have more in common with them than you think. You will refine your goals and help them refine theirs so that they have a common denominator. Improving the business.
I remember back in 2009 Martin and I were both facing career changes. I was in the middle of a lay-off and Martin had elected to take an early leave from his job. He was still working but we were both trying to figure out what the future held for us. We talked about starting our own consultancy and decided that starting a podcast may be a good thing to do with our time as well. The consultancy gig never got off the ground, something about liking to eat on a regular basis, but the podcast took.
It’s been a little over 3 years since we recorded episode 0. We decided to invite our friend Steve “The News Yankee” Ragan to join us and we haven’t looked back. It’s been a lot of fun and I’m really glad that we decided to do this. In the 3+ years we’ve added 2 new voices to the crew. Joseph “Sparkles” Sokoly and “Jet Set” Yvette Johnson have added their own unique perspective and snarkiness to the show. We’ve been nominated for the best security podcast 3 years in a row and that makes us proud and happy. We don’t do this for the recognition but it’s always nice to know that people listen and like what you have to say.
Well here’s episode 100. It’s about 1 1/2 hrs long but hopefully well worth it. We had a blast recording it and taking a stroll down “Redneck Lane”. Hope you enjoy it as well.
You can find it on iTunes and here. Oddly enough our website doesn’t link to it. I’ll get Sparkles right on that. Enjoy!
Every day there are more and more flaws discovered and disclosed in software that impact us all. Whether it’s an application that you install on your system, a website that you visit, or a patch that you didn’t install, around every corner there seems to lurk a nasty problem waiting to pounce on you. Most people don’t think about it until it happens to them or when they occasionally hear about it on the news. They go through their day doing their internet thing hoping that nothing bad happens to them.
When this happens in the workplace it’s often a different story than when it happens at home. When it happens at work people often look for someone to blame. Either it’s desktop ops b/c they didn’t install the patch, or it’s the QA team b/c they didn’t finish testing the patch quick enough. Maybe it’s security’s fault b/c they didn’t do a good enough job in their job. Often the developers get blamed b/c they wrote shoddy code. Rarely do the users take responsibility for their own actions. It’s not their fault that they fell for the phishing attack or were on a compromised website for personal enjoyment. Rarely does the business take responsibility for not acting quickly enough on the information provided to them by security or even a customer.
Part of this whole blame mentality rests with the fact that the business often doesn’t take incidents seriously. To them it’s easier to let it slide than to take real and actionable steps that will correct, or at least mitigate the problem. They create policies but don’t enforce them. They allow insecure practices to continue without consequence.
This is what a former coworker called the “So What?” syndrome. When we would try to enforce policy and the users refused to comply we would talk about the audacity of their attitude. Then he would say “So What?” That was the reason that they didn’t take it seriously. So what if they don’t comply? Nothing happened to them. They didn’t get called into their manager’s office and told to comply. They didn’t get dinged on their performance eval for writing sloppy code or doing insecure things. They didn’t get written up, warned, or fired. So What?
His point was that there were no consequences for their actions so they had no incentive to comply. Businesses don’t take a hard enough stance on issues to make a difference in most cases. What we need is consequences. If developers know that they will be negatively impacted for writing insecure code then they are more likely to learn how to code in a more secure manner. They are more likely to not rush a release. They are less likely to grab old code for reuse w/o ensuring that it is up to snuff. I know. I know. They often don’t have the clout to delay releases and to say “I didn’t complete this item on time b/c I wanted to ensure that it was secure.” I do understand that but that doesn’t mean that consequences won’t improve their work. The same goes for those who work in other areas of the business. If they know that looking at porn will get them fired or at least have a negative impact on their performance evaluation then they are less likely to do it. If they know that using company email for personal business will get them disciplined then they are less likely to do it.
Years ago I worked with a guy who took a new position as a Senior VP with a company. It came with lots of perks, company car, country club membership, bonus incentives, etc, etc, etc…. Two weeks later he was called into the company President’s office and let go because he spent 10 minutes, after hours, looking at porn on the company PC. No questions asked, no chance for excuses. Just go home. Extreme? Maybe, maybe not. Effective? You bet. You know good and well that everyone else in the company got the message. Everyone else knew that if they didn’t follow the policies that were in force they may be next.
I’m not saying that every company should enforce a zero tolerance policy when it comes to security incidents but I am advocating that people be held responsible for their actions. I’m advocating that there be consequences for patterns of insecurity that impact the business. When this happens we will see things improve. It won’t be overnight and it won’t eliminate issues but it will go a long way to improving the state of security in business, at home, on the internet in general.