Hiya ... now that election season at (ISC)2 has started again, some of you may ask the very valid question "I voted for this Belgian guy and I didn't see much happening ... why should I vote for this or that new petitioner. It won't make a difference anyway."
While I do understand that the members who supported me in my successful bid for a board petition deserve at least a status report, I'm caught between a rock and a hard place here. As a board member you do sign an NDA (Non-Disclosure Agreement) that doesn't allow you to specifically discuss board matters outside the board room. With 13 different people on the board, trust is a basic component to get things done. I can personally subscribe to this NDA and that's why I signed it. It's very similar to maintaining a relationship with my customers. If we don't have that basic sense of confidentiality, we won't get much done.
First off, I'm one person among thirteen. Anybody who has googled the term "representative democracy" understands that in such a system, which (ISC)2 clearly is, a single person cannot make a change. Assuming that the current composition of the board represents the membership, there is always at least a majority required to make a decision. That means that if I were to submit a motion (read Robert's Rules of Order if you want the details on how making a decision actually works ...) I will need to convince at least 6 others to support that motion (depending on what kind of motion it is and when it is submitted, it can require a 2/3rd majority and sometimes even a unanimous vote).
So, what did I do in the past year?
While I've been a member for quite some time, I (like most of you) didn't get closer to the organisation than submitting AMFs and CPEs before I decided to run a petition. My first task (as I interpreted it) was to learn to understand the organisation. There is a clear difference between a board (member) and management. As a board member I am not responsible for running the organisation. The board (representing the members) owns the certifications and sets out the strategy for the organisation. Management is responsible for executing that strategy. I built relationships with my fellow board members, members of the management team and members of staff. This included learning from board members with more seniority than me, spending time with members of the management team to understand their challenges and listening to members of staff to learn how they interact with you, the members.
So, now that I 'understand' the organisation, I can start functioning as a board member, right? Not really :-) A board votes on issues presented to it. Issues are presented as motions by ... committees. In short, committees are where most of the work is done. There are standing committees and ad hoc committees. As a board member you can volunteer to be part of a committee. I personally volunteered for the nominations committee and the ethics committee as I understood both were important to execute on the platform I presented in my petition. I later joined the strategy committee and the foundation committee.
Now, here comes the tricky part. I don't see myself as a critical cog in any system. I may have my low self-esteem to blame for that but you see, everything will work perfectly without me. I'm not one to toot my own horn and take credit for anything that a system I'm part of has achieved. Another part is that whatever decision was made, it's not my task to implement and/or communicate it.
Based on my involvement in the committees mentioned above, I think we have developed a well-balanced slate for this year's elections; I stand behind every decision the ethics committee has made in cases presented to it; I'm happy with the new strategy we have developed (and that is in the process of being implemented, remember not by the board but by management); and I totally love the (ISC)2 Foundation and the difference it will make. In that regard I feel I made a difference in my first year, but I'm also conscious that this is not my work alone.
If today I'm writing this blog post, it is to support all members who have decided to run a petition to be included in the ballot for this year's elections. Every member has a right to do this and if the member wants to make a difference, what holds them back? I think, if you are a member and one of the petitioners represents your thoughts with his or her platform, this person deserves your vote regardless of what you think of me or any other board member.
Again : this is MY story and doesn't represent the view of the board as a whole, any other board member or (ISC)2 as an organisation.
I would love to name the people within or outside the organisation that I've worked with to make change happen. This has included people with personal questions, organisational questions (e.g. how can non-profit orgs automatically submit CPE's for attendees?) and building bridges across different parts of our industry and organisations. Those people know who they are and what little or big difference my efforts have made. I'm not one to claim victory but I am one that won't stay in a role where I believe I can't make a difference. If I'm no longer a board member at (ISC)2 it will be because either my term has ended or because I have decided that my presence does not yield value for the membership anymore.
Wednesday 29 August 2012
Monday 30 July 2012
Job offers from hell
Everybody gets them once in a while : job offers that make you cringe.
While processing my personal inbox this evening, I ran into this little gem :
Hi Wim
A global IT service provider are recruiting for a senior project manager who has experience around IT Security / Network Infrastructure project delivery, $location based role. Permanent. Very strong package
Do you happen to have Prince2 or PMP?
Are you open to exploring new opportunities?
Now, I'm not necessarily looking and normally I hit delete on this kind of messages with the quickness but something set me off on this one so I graced the sender with a nice response :
Hi (redacted),
you said :
"Do you happen to have Prince2 or PMP"
I'm having a tough time taking this question seriously. You are looking for a senior project manager and immediately equate that level with the possession of a specific certificate that proves nothing but the fact that a person was able to pass an exam. I've seen my share of Prince2 and PMP certified 'senior' project managers trying to lead IT Security projects and will vehemently disagree with any assertion that the cert would've helped them to succeed in the projects they were involved in. On the contrary, understanding (information security) risk, advanced people skills and technical prowess set apart the men from the boys (or the women from the girls). I would never ever consider a job offer from an organisation that isn't even remotely in touch with reality (understanding you're the middle man here, don't hesitate to forward this email to your client as a matter of education).
Cheers,
Wim
Wednesday 6 June 2012
The sense or nonsense of changing your password
By now everybody has caught on to the (presumed) LinkedIn breach, except the people at LinkedIn themselves, but they're probably digging through their treasure trove of social big data in the cloud. However, the most-heard comment today must've come from several people saying that it doesn't make sense to change your password because the attackers could just get it again. While not an invalid point, I believe it's the worst advice to give.
There are three main components to this attack :
1. find the vulnerability that enables the attacker to extract the data.
2. extract the data.
3. crack the password.
Assuming your password was cracked, the attacker has successfully performed all three steps. If you change your password now, the attacker will have to perform step 2 and step 3 again. Given that this was a wake-up call for you, you probably chose a much more complex password, making step 3 much, much harder for the attacker. Even though the vulnerability was not fixed (yet), changing your password does make you safer.
A good analogy would be your seatbelt (I know it's old but it works ...). After a minor crash, you may finally make a habit of wearing your seatbelt. There is obviously still a (big) chance that you'd die in a major crash but it will be much less likely.
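To make the "step 3 gets harder" argument concrete, here is an added example (not from the original post) written from the defender's side: it audits a small set of password hashes against a wordlist and estimates how much larger the brute-force search becomes once a short lowercase password is replaced by a long mixed-character one. The hashes and the wordlist are constructed for the example, and the dump is assumed to be unsalted SHA-1 (an assumption made here, not a claim the post makes about any real breach).

```python
import hashlib
import math
import string

# Constructed sample accounts. "carol" stands for someone who already
# reacted to the wake-up call and picked a much more complex password.
SAMPLE_PASSWORDS = {
    "alice": "linkedin",          # weak, present in the wordlist
    "bob": "Password1",           # weak, present in the wordlist
    "carol": "cmT9!vx#Qe2pL7&d",  # the "much more complex" replacement
}

# The leaked material as an attacker would hold it after step 2:
# unsalted SHA-1 digests (assumed format for this example).
SAMPLE_HASHES = {
    user: hashlib.sha1(pw.encode()).hexdigest()
    for user, pw in SAMPLE_PASSWORDS.items()
}

# Constructed stand-in for a public password wordlist.
WORDLIST = ["123456", "password", "linkedin", "Password1", "qwerty"]


def audit_hashes(hashes, wordlist):
    """Step 3 of the post, run as a defender's audit: which accounts' hashes
    fall to a plain dictionary pass over an unsalted SHA-1 dump.

    Returns {user: recovered_password} for the accounts that fall."""
    lookup = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    return {user: lookup[h] for user, h in hashes.items() if h in lookup}


def keyspace_bits(password):
    """Brute-force work estimate in bits: length times log2 of the size of
    the alphabet the password visibly draws on. Rough, but it shows the
    direction and magnitude of the effect of a stronger password."""
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, 32),
    ]
    alphabet = sum(
        size for chars, size in classes if any(c in chars for c in password)
    )
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def hardening_factor(old_password, new_password):
    """How many times larger the exhaustive search becomes after the change
    (2 to the power of the gained bits)."""
    return 2 ** (keyspace_bits(new_password) - keyspace_bits(old_password))


if __name__ == "__main__":
    old, new = SAMPLE_PASSWORDS["alice"], SAMPLE_PASSWORDS["carol"]
    print("recovered by wordlist:", audit_hashes(SAMPLE_HASHES, WORDLIST))
    print(f"old password: {keyspace_bits(old):.1f} bits of brute-force work")
    print(f"new password: {keyspace_bits(new):.1f} bits of brute-force work")
    print(f"search space grew by a factor of {hardening_factor(old, new):.2e}")
```

Only the two wordlist passwords are recovered; the replacement password is not in the list and its estimated search space is roughly 2^67 times larger than the eight-letter lowercase one, which is the post's point: the attacker who still holds the old dump has to redo step 3 against a far harder target.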
Update :
Someone remarked that, if the attacker still has access to LinkedIn, steps 1 and 2 become unnecessary. Especially if the attacker has access to the plaintext stage of chpass. Obviously, we don't know how they got owned so any theory goes. I'm placing my bet on SQLi but in case it is worse than that, I might go back to my rolodex :-)
Rock on,
/W
Monday 4 June 2012
a few honest questions about Flame ... answer 'em
While I invited some of the most vocal people on the issue of #flame to our humble podcast tonight, nobody actually stepped up to the opportunity to openly discuss the issue. Too bad, so I'll put out the random questions that are floating around my head right now that I can't find a good answer to. If you have additional questions, I'm happy to add them to the list.
1) Microsoft, WHAT THE F- HAPPENED THERE ??? You're practically the only vendor that I've read sensible documentation on how to build a reasonably secure PKI infra from and now you come telling me that FOR ALL THESE YEARS any customer with a Terminal Services License was able to sign code, create MITM certs, etc.? If this actually was malware created by a "western intelligence agency" (see question 6 ;-)) you were pretty much thrown under the bus at terminal velocity. Here's a *hug*
2) Infosec community, WHAT THE F- HAPPENED THERE ??? We're there when Google updates the certs blocked by Chrome to cry wolf on a forged gmail.com cert because that kills people but we succeed in missing a flaw that should be blatantly obvious in a product of a vendor that is probably the most scrutinized in the world? (obviously, part of that blame is mine. I'm ashamed for the lot of us.)
3) AV companies, WHAT THE F- HAPPENED THERE ??? So yeah, samples dating back to 2010 (unsigned, I've learned by now) didn't trigger any of the automated triage systems you employ. If we had triage systems like that in disaster situations ... WE WOULDN'T NEED TO BE LOOKING FOR SURVIVORS !
4) AV companies, WHAT THE F- HAPPENED THERE ??? Everybody's pushing out Flame-related content front, left and center but it doesn't even sound like you're all speaking the same language. Is there actually any communication between you guys? Or is it each to their own and everybody trying to outrun each other?
5) AV companies, WHAT THE F- HAPPENED THERE ??? So, Kaspersky got some major DNS providers to work with them and sinkhole domains identified to be related to the Flame malware. So, are you guys aware of those actions? Do you guys tip each other off? Wouldn't it make sense TO DO THIS TOGETHER? WTH are y'all spending resources on analyzing that piece of malware and one of you is jokingly redirecting all C&C traffic to their own servers. Seriously, last time I checked you needed a court order or you needed to be the US government to sinkhole domains.
6) US gov, Israel, WHAT THE F- HAPPENED THERE ??? Nope, I don't believe you guys are actually behind this one. You're scratching your head in disbelief and are actually happy that people are attributing you with the leet skills needed to pull this one off ;-)
Friday 1 June 2012
Forensics Training courses
Yesterday I posted a question on Twitter to see what other training offerings there are out there in the area of computer forensics, beyond what we know is a quality offering from SANS. Not because I don't like SANS but because I kinda knew everybody would start sending me SANS links and since I know their offering, I was mostly looking for others. Here's what people came up with :
- EC-COUNCIL CHFI : http://www.eccouncil.org/Computer-Hacking-Forensic-Investigator/index.html
- Tigerscheme has malware and forensics courses : http://www.tigerscheme.org/qualifications/Tiger_Digital_Forensics_Certified_Incident_Handler.pdf
- CERT CC offers such a course : http://www.sei.cmu.edu/training/P107.cfm
- 7Safe offers such a course : http://7safe.com/forensic_investigation_course-technical_hands-on.html
- CFE is such a course : http://www.digitalintelligence.com/training/cfe.php
- TrustWave Spiderlabs offers personalized forensics training (no link to training curriculum available) : https://www.trustwave.com/spiderLabs-services.php
Monday 30 April 2012
I'm looking for you ...
Let's see if this internet thingy really works ... Dear Claire, I'm looking for you.
This all may seem really silly but it is kinda important to me to follow through on this one. While my friends and I were standing outside the Shelbourne hotel in Dublin, Ireland on Saturday April 21st you and your friends came out, ready to party. While the conversation we had was short and could be regarded as random chatter, I remember you asking if the kids you worked with as a clinical psychologist could really do those things with computers they claimed they did. We discussed it some further and I promised you to get you in touch with local hackerspaces to see if those kids could channel their energy in a more 'positive' way. Obviously, I didn't write down your email address, neither did I leave mine at the reception desk as you asked. You carted off into the night and there's a slim chance I'll ever know how to follow through on my promise ...
Here goes, if you know who you are and remember this conversation, get in touch through email at wremes[at]gmail[dot]com ... if not, at least I tried :-)
Cheers,
Wim
Wednesday 28 March 2012
regulatory capture in infosec, by example
Note :
I have the utmost respect for the people to be named in this blogpost. I also have friends working for the companies to be named. This is in no way a hate or flame post but with the attention of legislators drawn to all things cyber our industry too will see regulatory capture emerge. I believe it is important enough to point out how it works and why it is bad.
Regulatory capture, as defined on wikipedia :
In economics, regulatory capture occurs when a state regulatory agency created to act in the public interest instead advances the commercial or special interests that dominate the industry or sector it is charged with regulating. Regulatory capture is a form of government failure, as it can act as an encouragement for large firms to produce negative externalities. The agencies are called "captured agencies".
Whenever legislation (or any regulation for that matter) is made, there are parties that have a significant economic interest in the affected area that will try to influence how exactly that law is worded. Sometimes these parties strive to minimize the impact of that particular legislation on their business practices, often through lobbying or otherwise influencing our representatives. Regulatory capture happens when such parties succeed in influencing the legislation process to their benefit. There are ample examples (see the wikipedia entry) of how government agencies have been subject to regulatory capture. There have been, however, few examples pertaining to our industry, until this week.
On March 26th, Richard Bejtlich, CSO of Mandiant, testified before the U.S.-China Economic and Security Review committee. The full text can be found here. While an interesting read in itself, it is an interesting and textbook example of how regulatory capture manifests itself. I will illustrate this by quoting paragraphs from the full text. You're free to form your own opinion by reading the text as linked above.
Mr Bejtlich starts by introducing himself :
I am Chief Security Officer at Mandiant, a private company that provides software and services to detect and respond to digital intrusions.
At this moment, this is no longer a personal testimony (which was also maybe never the intention but we are missing that context). Everything the committee hears from now on can, and should, be interpreted with the understanding that commercial interests are at stake. He continues to illustrate what Mandiant does, defines what they regard as APT (it's China, obviously) and how Mandiant detects APT actions. From there on it reads like a long blogpost on the latest M-Trends report. Even the case studies are very similar to those in the report. While I don't doubt the data used to build the report, the methodology used to interpret the data isn't known. I also don't have the faintest idea about the sample size. As the audience has no evidence to compare the M-Trends findings to, for the rest of the testimony the findings are the only truth. It goes downhill to where percentages are stated to illustrate the seriousness of the situation. Percentages, without any view on the sample size, are meaningless beyond the point of making your own truth.
Then there comes an interesting passage :
APT groups use the level of sophistication required to achieve their objective. For example, in 2011 Mandiant observed an increase in the usage of publicly available malicious tools by APT actors.
This one isn't related to the point I'm trying to make but as a legislator this would trigger the following thought: "Let's ban the possession, production and use of "malicious" tools."
I'm convinced that this was not the message Mr. Bejtlich wanted to convey. I believe that, as defenders, a ban on such tools would set us back light-years.
At the end of his testimony, Mr. Bejtlich runs into the end zone. He isn't here to inform, he's here to sell a product. More precisely he's here to propose that technology, conveniently produced by the company he works for, be required to be used ... by law :
To this end, I recommend Congress consider the integration of an "are you compromised" assessment into any new requirements levied on specific industries. These assessments should occur no less frequently than once per year, although true continuous assessment on a 30-day cycle is much more effective in my professional judgement and experience. By requiring processes and technology to answer the "are you compromised" question, regulators, Congress, and other appropriate parties will, for the first time, gather ground-truth knowledge on the state of security in selected industries. Without knowing the real "score of the game," it is unreasonable to expect real progress in digital security.
This, my friends, is a textbook example of attempted regulatory capture. We have seen innovation in our industry stall because of regulatory requirements in the past years. So much so that the technologies that thrive are those that accommodate a particular compliance use case. While the positive effect for the commercial entity involved is obvious, the negative effect on the profession (and on the entities that are subject to the legislation) is immense.
Again, I am not criticizing Mandiant in particular. The technology they have developed is rad and if applicable to your situation I would suggest to check them out. Knowing what and who I know within the organisation, I'm also convinced that their services are top-notch. The text as published merely serves as a perfect illustration of how regulatory capture works. I believe it becomes more and more important that we become aware of what it is and how it works. It remains to be seen how the testimony is interpreted and what the committee decides to do with the information.