Is your information security crushed by the org chart?

Funny cartoon. It's understandable that some organizations definitely wouldn't want their shortcomings broadcast for all the world to see. I am more focused on the first sentence, "Information security is a major priority at this company." That statement is heard a lot when you are a penetration tester and even when you are a "blue teamer" for a company. There are times when the best cyber security team can be stopped cold by an organizational chart. If the team is not properly positioned inside the organization and given the authority to implement policies and controls then nothing happens. Let's look at some examples I have witnessed in the past.

At many places there is no CSO or CISO to this day. At times this puts the infosec nerds reporting to the CIO. The CIO is most often concerned with things working, or availability. In addition he/she will develop a technological vision for future services and offerings within a company and how to make things better and/or faster. While this person may consider security as a component of their job, it is not their sole purpose and balance may be difficult to achieve. In one organization I saw a CIO who had been moved from either accounting or HR and made the CIO. They had no relevant technology experience yet had been placed in charge of all technology. At that point in time IT within the organization was stagnant and falling behind the technological curve. They had a security group, but no CISO, so security suffered the same fate as IT in general. In a different institution I have seen the CIO report to a department head and not to the leadership of the company. Any c-level personnel should have the eyes and ears of the top two individuals or governing board of an organization. Without that, this CIO was effectively just a middle manager with a fantastic salary and title yet no actual authority. I know some folks hold to the idea that people can effectively wear multiple "hats" and have even seen that work in smaller businesses. My experience with larger companies has shown that trying that simply enforces the status quo, which may be their goal and that's fine, and does not foster effective internal communications and relationships. In the simple diagram below I have shown the c-level folks as equal peers reporting to the number 2, as a minimum, within this organization. I have seen other examples where security reported to the CFO or was incorporated into internal audit, but those models were short-lived. I would love to get some examples from the real world with success stories.

Smartphones: Destroying your perimeter one device at a time

Sounds like an overstatement, I know. Smartphones are incredibly powerful devices that open up a world of possibilities for communications versatility on a tiny platform. Consider this statistic: "...48% of employees are allowed to use their personal smartphones to connect to corporate systems – on the flip side, 70% of employees are permitted to use their company-provided smartphones for personal business."   -

That's not a security-minded practice. I have been listening to C-level decision makers this year in conferences using phrases like "If you can't beat them, join them." "We must learn to work with social networks because this upcoming generation expects it." These are interesting perspectives and quite a shift from the website blocking and strict rules we all experienced just a few years ago. Perhaps they decided breaches were still happening then, so why keep fighting the tide. Whatever the decision, the smartphone is the most significant piece of your enterprise that is walking around in someone's pocket, getting lost on the subway, or stolen. If you allow these devices to connect to your enterprise, are you fully aware of the device's capabilities? I don't mean what the manufacturer said it can do, although that's a great place to start, I mean what is it actually capable of? Do you know if the security features touted by the vendor can be bypassed? Over the past several weeks there have been vulnerability reports issued for iPhone and Android platforms. The last time I tested an iPhone the encryption was purposely defeated by the operating system kernel. If you allow Android phones, remember that they were designed to be flexible and open platforms; security was not the primary consideration. What kind of threats can this pose to your organization? My phone is the Google Nexus One running the latest, 2.2, OS. In addition to the phone's native capabilities, I have rooted it and installed a custom ROM. Performing these actions has given me complete control of the phone's hardware and allowed me to install Ubuntu 9.10. Once I had the Linux distro stable I installed nmap, OpenVAS, and Metasploit. I also installed ettercap, Wireshark, and a few other tools before running out of space, but you get the idea. My phone was now as weaponized as a pen testing laptop. The only downsides were storage and the terribly painful typing.

I know your users will bug you until you must allow whatever platform they think is the coolest, I mean the one that makes them the most productive when not at their desks. As you implement these devices the risk they pose should be considered carefully and the platform should be thoroughly tested. If your organization is not capable of hacking on the devices, it may be worth the investment to contract an outsider so you know exactly what you are getting.


TSA's "signature-based" security

Infosec analysts have long been lamenting the shortcomings in signature-based security items like traditional antivirus. It would seem that the TSA has somehow managed to latch onto this philosophy even though it isn't working well in IT. Let's take a look at how the TSA is mirroring this with their decisions.
I recently went through security at FLL in Ft. Lauderdale. As usual I was singled out and moved through secondary, or extra, screening. I would say this happens to me 90% of the time and always has. I don't complain and understand the gate agents are just doing their jobs, and I would hope that most folks don't vent on them; they are not the problem. So I get taken out of the metal detector (md) line and moved to the "nekkid machine" (backscatter x-ray). I am not shy so the backscatter doesn't offend or bother me. While I was in there, I asked the agent if I could see the picture since it was such a hot topic. She stated that the pictures were displayed somewhere remotely and that I had to go stand on the footprints and await instruction. While I was standing there a very professional male agent began to recite the standard pat down procedure that might be necessary if the x-ray revealed that necessity. He then got the call in his secret service earpiece that I needed to be physically inspected. He performed the pat down just like a cop would and off I went. Altogether it was 10 minutes to get through the line and the TSA folks were great. The problem is that most of this still seems like the illusion of security.
I say this based on a couple of different thoughts or observations. First, I know that I have zero desire to take over a plane. This skews my perception of the procedure, but I understand they can't know that about me. I have noticed that there is some discrimination taking place, as they cannot perform this same procedure on a Muslim woman. In order to be ethnically sensitive the agents have been told only to check their head and neck areas. We have now arrived at the root of the problem. When you give preferential, or discriminatory, treatment to any group you are doing it wrong. If the plane is in danger then we must put our foot down and say search people regardless of their ethnicity. If you want to do some research and pick the culture(s) that would attempt this type of attack you might become much more efficient. Or don't, I don't really care, but you are wasting your time giving me a leg massage.
The TSA signatures are as follows:

Someone once hijacked a plane with a gun = no guns allowed on a plane and everyone has to walk through a metal detector

Someone had a device in their shoe = I have to see everyone's feet at security and put my shoes in a bin ( or not in a bin depending on the airport)

Someone had a few ounces of "bad" stuff = I can only have enough shampoo in my bag for three days AND I have to have everything in a ziploc as if the stuff can be verified visually.

Someone uses a printer cartridge to form an IED = no more printer cartridges

What will happen when someone has a bomb surgically implanted or hidden in an orifice? I don't want an answer really. The point is that these actions and reactions don't quite seem to add up, and over time the reactions seem to escalate. Currently you are allowed to carry enough stuff onto a plane (electronics, liquids, shrapnel) that none of the above measures would stop. I don't want to post any combinations but I can certainly have 7 3oz bottles of almost anything under the sun, a significant amount of batteries, a number of other "toiletries", and keys or other small pieces of metal.

These reactions seem similar to how IT security has decided to work. We wait for a threat to surface then ban a symptom and wonder about how to kill the root cause. Alternatively if there is a compliance or regulatory mechanism we check off the boxes for the least amount of money possible and call it a day. This is tough since most of our companies are trying to make money and security can be very expensive. For the IT security world, I would like to see more technical people getting promoted into management positions with budgetary authority. For the TSA, I have no idea what the right answer might be but good luck and don't follow the signature-based model.

Cyber Security Forum Initiative - Stuxnet Project

I recently had the privilege of collaborating with about 30 other InfoSec professionals to learn more about the Stuxnet worm. The results of our work can be viewed here:

One of the more exciting pieces of work is a video created by Joel Langill from EnGlobal. In the video Joel infects an actual Siemens WinCC PCS7.


Cyber Security vs. IT Police/Harassment: where's the balance?

This is an interesting and sensitive topic and I will readily admit there probably isn't a "one size fits all" answer. With that in mind, I wanted to relate my thoughts based on experiences with both balanced and unbalanced cyber security programs with respect to playing big brother instead of defending their enterprise.

A good cyber security program must be able to respond in a timely fashion when personnel incidents occur. The logging and tracking of data is essential in order to prevent scenarios where verbal opinions are pitted against each other (he said/she said). These situations are quite unreliable since emotion can be injected into the scene. As an example, let's say you have two employees, employee 1 and employee 2. If employee 2 approaches the designated representative with allegations of wrongdoing by employee 1, the designated representative should be able to use a clearly defined process to obtain the evidence required to investigate the incident. This process should have adequate separation of duties, accountability checks, and safeguards that prevent any one individual (or single group within an organization) from misusing or abusing this ability. This speaks to "who is watching the watchers" within your organization. I once sat in a meeting where a group member stated "Once a month I run a script on instant message chat logs looking for dirty words." While I agree that I am not to use company resources for things like that, my response to that statement was "why?" Unless someone is complaining about productivity or harassment, that evolution seems like a waste of time and an attempt to impose your moral stance on others. I later learned that many others had nicknamed this person "the hall monitor" and the comment made much more sense.
In a perfect world, this monitoring would not be possible without initiating an investigation into alleged behavior, and no one individual should have access to "police" the IM logs. So, how does this work with social media? Your employer absolutely reserves the right to observe what you post in a public forum in order to assess how your thoughts and actions can potentially impact their business. Additionally, a clear policy (from HR, not IT) should be in place defining what is acceptable and what is not. Now we get into the HR side of things. Your HR department exists to make your organization better by finding the right personnel for your organization. Additionally, they may define certain policies concerning the interaction of personnel within your organization. In some cases, HR departments have become an overarching group responsible for any type of internal governance or policy. I believe this is a mistake and that the governance of a resource should be under the purview of the resource owner. For example, IT resources should be governed by the CIO, financial resources by the CFO, etc. This governance is compromised and ineffective if the c-level personnel are not reporting to the heads of the enterprise or the governing body of the enterprise. I point this out having observed a few instances of IT security personnel handing over volumes of data to HR personnel in the past. Handing over web proxy data, when there is NOT an active investigation, would fall under my big brother/waste of money category. I categorize it this way for two reasons: one, if the supervisor or other employee has not complained then this is not necessary and you are simply satisfying your curiosities about whether some individuals are on Facebook as much as you are at work (they are). Two, HR personnel are unlikely to be aware that the HTTP protocol is stateless and those statistics are somewhat meaningless.
I know the company that sold you that proxy software or device told you differently, but that was probably the sales dude while the technical guy sat silent. Without completely observing netflows, keystrokes, clicks, and the registry key "TypedURLs" you are doing a bit of guessing. An HR person is possibly doing a lot of guessing if the proxy stats alone are handed over. The job of IT/Cyber security should exist to defend an enterprise against threats (internal/external) in cooperation with other groups (IT, HR, ???). This defense can include the analysis of evidence collected from various sources, some of which are not under the purview of your security personnel. This separation of duties allows for a balance of power within your organization. The security team should NOT be responsible for "spying" or observing behavior on an individual basis when there is not an active investigation. While this is a delicate balance, I believe you can sum up your role with the following statement: "How does make safer from internal and external threats?" followed by "Are there loopholes negating causing to actually be less secure?" I will follow with my tried and true removable media example observed in multiple environments:

" does not allow external (privately owned) removable media to be used in conjunction with company-owned assets." This is a good policy yet is just an exercise in writing if there is not some technical control to enforce it. Now this becomes further moot if you have the following:
" users may connect personal assets via the virtual private network (VPN) when working remotely." You have just allowed that removable media to the assets needed by the user. I can already hear "but we have via the VPN to prevent the badness." Outstanding, did you test that, does the user need that capability, why isn't that same mechanism used with your equipment so that the whole policy isn't needed?
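As an added example (not from the original post) of the kind of technical control check the removable media policy above needs, this PowerShell function audits a Windows host for two real enforcement mechanisms and reports whether the written policy is actually enforced there. It assumes the host is company-owned and managed; the registry locations are the standard ones used by the "All Removable Storage classes: Deny all access" policy and the USBSTOR driver start value.

```powershell
# Added example, not part of the original post.
# Audits whether a Windows host technically enforces "no removable media".
# Controls checked (both are standard locations, not invented):
#   1. Group Policy "All Removable Storage classes: Deny all access"
#      -> HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices, Deny_All = 1
#   2. USB mass-storage driver disabled
#      -> HKLM\SYSTEM\CurrentControlSet\Services\USBSTOR, Start = 4
function Test-RemovableMediaControl {
    [CmdletBinding()]
    param()

    $policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
    $usbstorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'

    # Missing keys/values simply come back $null, which counts as "not enforced".
    $denyAll  = (Get-ItemProperty -Path $policyKey  -Name 'Deny_All' -ErrorAction SilentlyContinue).Deny_All
    $usbStart = (Get-ItemProperty -Path $usbstorKey -Name 'Start'    -ErrorAction SilentlyContinue).Start

    # Evidence of drift: removable volumes mounted right now (DriveType 2 = removable disk).
    $mounted = Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' |
        Select-Object -ExpandProperty DeviceID

    [pscustomobject]@{
        ComputerName     = $env:COMPUTERNAME
        DenyAllPolicy    = ($denyAll -eq 1)
        UsbStorDisabled  = ($usbStart -eq 4)
        Enforced         = ($denyAll -eq 1) -or ($usbStart -eq 4)
        MountedRemovable = ($mounted -join ',')
    }
}

# A host with Enforced = $false (or with MountedRemovable populated) is one where
# the policy exists only on paper, which is exactly the gap described above.
Test-RemovableMediaControl | Format-List
```

This check only covers company-owned assets; a personal machine arriving over the VPN, as in the second policy quoted above, never runs it, which is why the two policies together negate each other.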

How do you restore the balance if your organization is not functioning correctly? Start at the top, someone allowed this to happen and possibly encouraged it. Draw out what the program should look like and the processes that should accompany it. Demonstrate how the technical controls will enforce your policies and make your program better internally and less of a target externally. Ensure your personnel are up to date in their training and skillset. If YOU are not up to date and cannot recommend the correct technical control, GET TRAINING. This stuff isn't rocket science and you are not benefiting anyone by not understanding the full scope and impact of your position. Cyber security is a constant learning process; that's why the best conferences are training where the individuals give and take from each other in open forums trying to understand the gaps in what they have tried. Best of luck finding the right balance for your organization.

Electric Vehicle vs Gas

I keep hearing that it takes "a lot" of power to charge one of these things. With that said, I have also heard that no matter what, an electric vehicle is cheaper to operate than a gas-powered vehicle. Can someone explain how much it will cost to charge one of these dudes? I currently spend about $250 in gas every month for 2 non-efficient vehicles. Based on ten cents per kilowatt hour, what would this vehicle cost me assuming I only charged it at home?