8 Dirty Secrets of the IT Security Industry – CSO.com

Bill Brenner wrote an article that covers security consulting in general and PCI DSS in particular.


Do make note of points 1, 3, and 6.
I particularly appreciated the subtext of the wording of #1:

Vendors don’t need to be ahead of the threat, just the buyer.

We all know the story of the two campers and the bear, but this is an interesting variation. We’ve just discussed Mr Carr screaming about how he wasn’t told by his security staff that there were more threats.

Yes, but … It's not the security staff that set the budget or make the buying decisions. Look: it says “buyer”, not “customer”.

How often have you had your security advice overridden for any one of a number of reasons? It's not you doing the BUYING, is it?

And why do you think that the saleswomen wear suits and talk in that stupid language using terms like “solution” (oh-ho, watch out, here comes Les…) and “bottom line” and other stuff that has nothing to do with InfoSec.

‘Cos it isn’t YOU doing the buying.

At best they throw you a bone since you might be an ‘influencer’ – more salesman-speak. (But ‘influencer’ is too close to ‘influenza’ which is why they don’t get too close to you…)

Meanwhile, you're talking to your manager about all these nasty things like threats and the possibility of embarrassment in the press and lawsuits, while that nicely dressed saleslady is talking sweetly about nice things such as profit and success and suchlike.


Let's face it, the game is semantically rigged against us.

Like Marcus Ranum says,

“Given a choice between dancing pigs and security, users will pick dancing pigs every time.”


“Oh look http://pics4.city-data.com/cpicc/cfiles34082.jpg hey, that’s neat, I didn’t know they could do that….”


One In Two Security Pros Unhappy In Their Jobs


Well? Are you?

You’d think most professionals in a hot industry like IT security would
feel content and challenged technically and creatively in their jobs —
but not so much. According to the results of a new survey that will go
public next week at Defcon in Las Vegas, half of security pros aren’t
satisfied with their current jobs, and 57 percent say their jobs are
neither challenging nor fully tapping their skills.

Like most reports on surveys, this is journalism at its worst.

Security Posture Assessment resources

No, I don't think this is a good start.
It ignores such fundamentals as policy, change management, awareness, management reporting, risk assessment and risk tolerance …

And much like that.

Technology does not fix process

A number of people outside InfoSec have pointed this out to me and I thought I’d pass it along with a couple of observations.

The first is of course the (ISC)2's motto “Security Transcends Technology” and the second is Marcus Ranum's comment:

“If you think that technology can solve your problems then you
don’t understand technology and you don’t understand your


Does the Certified Ethical Hacker add value to a CISSP

A young colleague asked about the value of the CEH certification. Would it “Add Value” to his existing CISSP? The syllabus looked interesting to him and he wondered how prospective employers would view this.

This was my reply:

There are TEN domains to the CISSP’s CBK. People come to security from
many walks of life and fields of endeavour and information security has
many facets beyond protecting networks and hosts from malicious attack.

There have been times in my career when the work covered by the CEH would have been relevant, but back then neither the CEH nor the CISSP existed. But even back then I realized that the real problem was not the networks or the hosts or the system administrators.

Each decision you make, each certification and specialization you focus
on leads you down a career path. I’ve often criticised “reactive mode”
security. The same I’d apply to your career. Is this a proactive move?
Is there a career plan here? Where do you see yourself in five or ten
years? How long do you expect to be doing Pen Testing?

Many of us took the CISSP not as a learning exercise but to validate our
already existing skills and experience. You can read in the archives
tales of people at the seminars that pre-dated “boot camps” who wrote
the books that the exam questions were based on. I mention this
because of the way you have worded your question. Are you interested in
the CEH as a validation of your experience or do you expect the course
to teach you Pen Testing? If the latter, then I’d think again.

But ultimately it boils down to the issue of your career. Many of the older members of this forum, and older CISSPs in general, have very diverse backgrounds. There is an old joke about a PhD being a ‘delta function’: you know more and more about less and less. Many career moves are like that. I mention this because I, and others, feel there is a point in a career where it is the width of experience, the 20-20 peripheral vision, the understanding of context, the ability to avoid Errors of the Third Kind, that employers value.

Yes, it depends on your age – which you didn’t mention – and other
factors. Context is, as I keep saying, everything.

Maybe one day I'll go back and finish my degree in Social Anthropology. All in all I feel understanding people and the social dynamics of organizations is more relevant to communicating and effecting the changes needed to bring about good security practices. But that's me, my context and my career objectives.

You need to make it clear what yours are before you can say whether a CEH – or any other certification, for that matter – is relevant to you.

As Robert Heinlein said:

A human being should be able to change a diaper, plan an invasion,
butcher a hog, conn a ship, design a building, write a sonnet, balance
accounts, build a wall, set a bone, comfort the dying, take orders, give
orders, cooperate, act alone, solve equations, analyze a new problem,
pitch manure, program a computer, cook a tasty meal, fight efficiently,
die gallantly. Specialization is for insects.


Why applications have security bugs


It was this comment to the posting that caught my attention:

Some of us idiots used to think that any devs who weren’t aware of buffer overflow before the Morris worm would be aware of it after the Morris worm. But in fact, your posting almost points out why many devs remain blissfully unaware:

“we developers were trained to focus on and typically only ever focused
on how legitimate users will use the product”

Close. Developers who want to have good jobs have to get trained to focus on how their managers pretend the product will be used. Anyone who thinks as far out as actual end users will get canned for not being a team member. Anyone who thinks even further out about actual end misusers will be sued for being a hacker. But yeah, you explained it. Thank you.

Long time readers will know that the Morris worm is my poster-boy for complaining that modern schools don’t teach defensive programming.

It seems I’m not alone.


Politician hit by lost documents


We can all see what went wrong here.

1. He should have gone by car and not the train.
2. He should have had the documents on his laptop.
3. The laptop should have been tethered in the trunk of the said car.
4. The documents should have been clearly labelled “*Not* about the F-35”.
5. His laptop should have had its patches and AV up to date.

Just one question.

What’s with this “hit by”?
That headline is trying to make out that the documents were the guilty – and actively so – party.

Well, perhaps that's not the fault of the journalist; perhaps that's the stance the politician is taking 🙂


Vulnerability Management – The Next Fad?

The article is at


but I find it ominous.

Vulnerability management may be the next big thing in terms of IT
security strategy, but deriving the maximum value out of your efforts
requires hard work and a comprehensive plan, industry insiders

Well, at least the author admits it's not the next “Silver Bullet”!

Speaking at the SOURCE Boston conference this week, scanner maker
Tenable Security’s Carole Fennelly outlined some of the best practices
that organizations should observe as they attempt to identify and
remediate security weaknesses that exist throughout their IT systems and

Well, that sounds good, but where does it lead to?
Personally I find it deceptive and not a good use of resources.
At bottom, it's too much like reactive fire-fighting.

We – or at least some of the more outspoken of us security bloggers and professionals – have discussed techniques for compartmentalization, being proactive in protection and using architectural and strategic decisions rather than ‘bug-hunting’.

We all know that you'll never find the last bug, but it's often easier to build things so that the effect of bugs, or failures, or attacks, is minimized.

What makes me despair though is when the old shibboleths get spouted:

“Organizations need to create asset lists that define their critical
business systems to help prioritize their efforts;

Without wanting to sound like I have it in for Ko-Ko and his little list (heck, I have my own to-do list and GTD page), this is still reactive rather than proactive. In the last 15 years I've seen such revolutionary concepts as firewalls and DMZs become accepted by the mainstream, but we can still see that many people “don't get it”. As evidence of this I would point towards the PCI documents. Implicit in them is the subtext that there are IT shops that are too stupid (or recalcitrant) to implement very basic good practices without being led through them by the nose.

… they need to have the
support of different internal groups to create these lists that will
help them mitigate their most critical problems,” said Fennelly,

I wonder. Many security practitioners, and I think a lot of IT, would say that the most critical problems are not technical ones but rather have to do with people, management and strategy.

Scanners are useful tools, but they are also the kind of geek toy that can suck you in. This article touches on prioritizing those lists, but I'd say the reality is that you have to deal with many things all at once, and getting stuck ‘head down’ with something like this and dealing reactively with the issues it raises will distract you from the more strategic matters that might just sweep away many of these problems.


Couldn’t happen to a nicer buncha guys …

An independent security consultant describes how vulnerabilities in
unpatched releases of the Zeus crimeware kit are being exploited by
hackers in order to steal resources from their fellow criminals. The
security researcher has come across an interesting posting made by a
botnet runner, who asks for help to secure his infrastructure after
being compromised several times by other hackers.



Network Segmentation is Common Sense

On one of the professional forums I subscribe to there was a request for “references” to justify the separation of development and production networks and facilities. It seems some managers “don't get it” when it comes to things like change control and undocumented and unplanned changes. Many guidelines discuss this, but it seems that some key ones like NIST and ISO-27001 do not explicitly mandate it, and some managers use this as a reason to not do it.

Some of us security droids find this frightening.

My colleague Miriam Britt managed to sum up the reasons why one should have separation quite succinctly and forcefully. With her permission I have copied her reasoning here and I hope many people will either reference this or copy it to their own blogs. This kind of straightforward statement needs wide exposure.


Make your policy generic, not specific

Some of us security types were discussing policy, login notices and the like.

Someone commented on a badly written policy about the use of corporate e-mail and discussion about the company.

… I recently worked at a place that had a weak and over-specific email policy.
One day management realizes there are other areas where “contraband communication” can take place – internet groups, blogs, forums, IM, Blackberries, etc. If the policy hadn't been written to deal specifically with “email” or been more general about the level of technology it would have saved us some hassle.
As it was, our policy development and approval process was too slow and cumbersome.

This is a generic issue and not limited to e-mail, IM, etc.

Long ago, in a policy development workshop that I was running, we thrashed out how to express ACCESS CONTROL so that it was perfectly generic, applied to everything from the parking lot to the executive washroom, and was in language everyone from the Board of Directors to the Janitor could understand. Of course it applied to computer/network access, and its wording matched the requirement of the ‘restricted access’ logon notices.

I've been told the lawyers didn't like it, but the reasons seemed to boil down to the fact that the language was so straightforward and unambiguous that there wouldn't be enough billable hours if it came to a court case.

If you structure your policy management properly so there is a succinct POLICY STATEMENT and ancillary sections that address

  • Justification
  • Consequences of Non compliance
  • Roles and Responsibilities
  • Who/When/Where/Why Does this Apply?
  • Guidelines for Interpretation
  • Relevant Standards (Internal and External)

and of course

  • Procedures

then it's a very effective and efficient way to work.
This is because

a) You don't need a lot of policies if they are “general”
b) It makes them easy to learn and remember
c) You don't have to keep going back to the board to get picayune changes approved

Encyclopedia of IT terms

CMP ChannelWeb have an on-line encyclopaedia of IT terms. This is a useful addition to my toolbar for composition, along with a more conventional dictionary.

The definition of ‘information security’ seems limited to access control, which is very disappointing. The definition for ‘computer security’ is more comprehensive. Nevertheless, to a security professional both these definitions are lacking.

What screams out to me, and this is very obviously my bias, is the lack of any mention of INTEGRITY in these definitions. As I keep pointing out, if you don’t have integrity, any other efforts at security, be it information security, or “Gates, Guards, Guns and Dogs” physical security, be it backup and disaster recovery, be it access control, be it 1024-bit SSL, are all going to be pointless.

It's not until we follow a few links at the Encyclopaedia and come to Donn Parker's six fundamental and orthogonal attributes of security that there is any mention of ‘integrity’. Even so, that definition has only a link to ‘data integrity’. There is a separate definition for ‘message integrity’. While these specific items are important, they are details. What is lacking is a general definition of “Integrity”. Once again, Fred Cohen's seminal 1997 article on the importance of Integrity comes to mind.

No, a much better reference is Rob Slade's “Dictionary of Information Security”, which, of necessity, encompasses many IT terms.
