Sunday 16 August 2015

Leading in a do-ocracy ... afterthoughts

There's nothing like arriving in Las Vegas and Chris Nickerson roping you into a panel at BSides titled "Leading in a Do-ocracy". The panel was posted in the "I am the cavalry" track and the abstract of this panel looked like this:

What is a "do"-ocracy, and what does it take to lead one? While some people stand back and gawk at problems, others jump in to do something about what they see. Explore some common traits of do-ocracies, why they inspire others, and how leaders emerge. Learn from the successes and the failures of our panelists, and hopefully spark ideas within yourself that you can bring to a do-ocracy of your choosing or making.

Moderated by Tim Krabec, the panelists were Tod Beardsley, Beau Woods, Chris Nickerson, and myself. Nothing is better for a panel than an audience with an opinion and I can say I was happy that Keren Elazari decided to "give it to us" and become our fifth panelist. You can watch the panel here:

Now, being on a panel about leadership feels strange to me. I don't think I'm particularly knowledgeable on the subject and I don't see myself as a leader. Then again, we live in a world where everybody and their mom are keynote speakers on "leadership", "how to lead millennials to success", and other very interesting subjects. The funny part is that it is always very hard to track down any form of leadership experience in those people's résumés. Furthermore, most recently we have seen the advent of courses with super-awesome titles like "How to evolve from a middle manager to a middle leader". I kid you not, I wish I was though.

Let me be very clear, and this is my (very strong) personal conviction: some aspects of leadership can be adopted, maybe even faked, but leadership is not something that can be taught or learned.

Now, I do understand that some people might see me as a leader of some sort (Chris, I'm looking at you!) and I can't deny that I've been studying leadership in various forms since I was very young. I've also discussed the subject with people that, at some point in my life, were mentors to me. So here are the things I consider to be true about leadership.

Be the servant leader

Nothing makes a leader like quoting from some old book that most of the audience members have never read or, better, never even heard of. When it comes to servant leadership the Tao Te Ching gives a fairly good description:

The highest type of ruler is one of whose existence the people are barely aware.
Next comes one whom they love and praise.
Next comes one whom they fear.
Next comes one whom they despise and defy.
When you are lacking in faith,
Others will be unfaithful to you.
The Sage is self-effacing and scanty of words.
When his task is accomplished and things have been completed,
All the people say, ‘We ourselves have achieved it!’


A leader rarely leads from the front. He's among the people doing the same work and at the disposal of the people, serving by the grace of the people. I guess what I'm trying to say is that leading in a do-ocracy is not about choosing the topics and gathering people around you to do them. It is about finding the topics that are important to the people and becoming part of the group, working in the trenches with them while not holding back on sharing knowledge, cycles, and sweat.

Understand your level

I've only recently become aware of the "5 levels of leadership" and it kinda hits home. Now, you have to understand that it takes all kinds of leaders to achieve success. A level 1 leader is not necessarily a bad leader, and a level 5 leader might not be what you need in some circumstances. We, humans, like to think that we have to achieve the highest level and try to be who we are not in order to get there. For me, understanding your level of leadership is an important step in understanding where you can be most effective in helping to achieve goals. Here are those 5 levels:

1. Position - People follow because they have to.

2. Permission - People follow because they want to.

3. Production - People follow because of what you have done for the organization.

4. Person Development - People follow because of what you have done for them personally.

5. Pinnacle - People follow because of who you are and what you represent.

You can easily apply these levels to the people around you. You will quickly come to the conclusion that most people fall somewhere between level 2 and level 4. You'll also realize that, as I said before, you know very few people that have evolved more than 1 level in their leadership abilities. That is what I mean when I say leadership cannot be learned or taught.

Kaizen and continuous improvement

something, something, Six Sigma, black belt, Deming, Toyota.

I've read countless blogs and books on the Kaizen methodology. Moreover, I studied Kaizen before DevOps people started using Kanban boards to divorce themselves from responsible design and formal architecture. You can read up on it too, so I'll not go into detail about what Kaizen means here.

I guess that the key take-away from Kaizen is that success is measured by the quality of your output. To me, it means these things:

  • You cannot do ALL THE THINGS. You might want to do them but you can't do all of them WELL. Pick the things wisely and apply maximum effort. There is only one speed: Go!
  • Don't be a pussy: accept criticism. This is a big one! When you're doing stuff, people will come out of the woodwork and criticize you. That's cool; don't dismiss them as detractors because they're saying something you don't like. All feedback is GOOD. Feedback shows that people care. Feedback allows you to steer where you are going (or not). The moment people stop giving feedback is not the moment where you're doing the right thing. It is probably the moment where you should consider abandoning your efforts, because the people no longer care and you're merely doing this for yourself.
  • Focus on your outputs and ensure that they are of the highest quality possible. Quality is not measured in the number of retweets and likes; those are dumb metrics. Quality is measured in how people apply your outputs to do other awesome things. It is measured in how people appropriate your shit and make it even better or apply it to do something completely different.

I'm sorry that this has become such a long post. I hope it is helpful to some of you. We all have a limited time out here and we can't all make a dent in the universe. We can do our best to leave this world better than we entered it. The badges and accolades we can receive are nice, but they mean nothing when the worms are nibbling on our toes.

Do right, do with empathy, and do selflessly, but most importantly DO! 
Or don't, but then please get out of my way.

Saturday 15 August 2015

Changes to the (ISC)2 Bylaws: Your vote is important

Note 1: This post is only relevant if you are (or are looking to become) a member of (ISC)2.

Note 2: As a member of (ISC)2 you might not care about voting on any matters related to (ISC)2. In this case, your vote is important. Even if you don’t care, do vote. This post exists to raise your awareness of that.

Note 3: I was an (ISC)2 Board member from 2012 until 2014. I am currently not a Board member or in any way involved in the matters at hand. This post represents my personal view and not that of the (ISC)2 Board of Directors, any individual Director, or the organization.

On August 7th (ISC)2 management notified the membership of a special meeting that will be hosted at the (ISC)2 headquarters in Tampa, Florida. At this meeting there is currently one agenda point: 
“To approve of (ISC)² modifying the (ISC)² bylaws currently in effect since July 17, 2004 and replace them with the proposed amended and restated bylaws.” 

--VOTE HERE--> https://www.isc2.org/SpecialMeetingVote/  <--VOTE HERE--

As a member, I will vote in favor of these new bylaws and in this post, I shall explain why.

Bylaws, for any corporation, are basically the operational blueprint of the corporation. This means that they put into writing how the corporation is run, by whom, who bears which responsibility, etc. etc. They don’t change often and the (ISC)2 Bylaws have not changed since 2004. 

When I was Chairman of the Board in 2014, I specifically created a Bylaws committee that was tasked to review, and potentially amend, the (ISC)2 Bylaws. In that sense, the special meeting is a direct result of my actions back then.  I am actually happy to see that the Board has continued to work on this topic and is now proposing changes that are important for the membership. And those changes are GOOD!

For starters, the preamble to the Bylaws has changed significantly. While the strategic mission of the organization has moved from a product focus to a member focus back in 2012, this is now also reflected in the Bylaws. It is set in stone.

Many of the changes are cosmetic in nature or change wording to be current. I will not delve into those specifically. Then there are specific changes that relate to how the Board functions. One example is the following:

13. Action Without a Meeting/Written Consent. Directors may vote without a meeting if
(i) the vote being taken is in writing;
(ii) all Directors (100%) consent in writing; and
(iii) each Director’s consent is included in the Board records. Consent may be given by electronic means. Such consents shall be treated for all purposes as a vote at a meeting.

14. Telephonic Participation in Meetings. Other than during executive sessions, Directors may participate in any meeting by means of a conference telephone call or similar communications equipment by means of which all persons participating in the meeting can hear each other at the same time. Participating by such means shall constitute presence in person at such meetings.

This greatly improves the efficiency of the Board. Since it gathers only 4 times a year, decisions cannot always wait for the next Board meeting to take place. These provisions make it possible for the Board to make decisions without an in-person meeting, allowing it to be more agile in its actions.

However, the most important change in this document is related to the Board Member term limits. When I joined the Board in 2012, one of the key elements that drove my platform was the membership’s objection to seeing the same people sitting on the Board all the time. Some Board Members have been, thanks to the flexible term limits in the 2004 bylaws, almost continuously on the Board for 14 years. The new bylaws will make this impossible, as they state:

Term Limits: “Service” means occupying any position as a Director of (ISC)². Service as a Director may not exceed six years in any ten year period; provided, that all Directors currently serving in office as of the effective date of these Bylaws may complete their duly elected or appointed term of Service. No one may serve as an appointed Director more than once, regardless of the duration of their appointment. An appointed Director may stand for election by the Members to a term subsequent to appointed service, subject to the term limitations stated herein.

Previously they stated the following:

Term Limits: No member may be elected to the Board more than twice in any seven year period.

Now you may ask why this is such a huge difference. My answer here is two-fold:
  • First and foremost, this forces the Board to be on the lookout for new blood all the time. Whereas under the original terms a Director had to wait only 1 year after 2 consecutive terms to run for election again, the wait is longer now, and searching for new, talented Directors is an important task to guarantee continuity. It also allows the Board to get new ideas on board. This is key for the organization and the membership.
  • Secondly, however, it forces the Board into transparency. Under the original terms, there was always somebody there that knew (of) the history of the organization and the Board. Somebody that could clarify based on their personal knowledge. There was no immediate incentive to document or organize. With these new terms, the Board is obligated to maintain a formal history and to no longer rely on individual knowledge. It does not need to be argued that documentation leads to accountability, and that too was one of the key points that underpinned my platform to become a Board member back in 2012.

In that sense, this single meeting is the culmination of (more than) 3 years of effort to effect change. I cannot discount the work that was done by Board members before I joined or the work that was done after I left. What is important is that we are finally there and you, as a member, can acknowledge this by voting “YES” for these important changes.

I hope that you can find the time to confirm your vote and support the Board to continue their work for the membership.

Wednesday 29 July 2015

8 reasons why you are not a cyber soldier

Most recently I entered a twitter "debate" that wasn't really a debate at all. While the person that initiated the debate seemed to be looking to get consensus on the definition of a certain term, their goal turned out to be getting confirmation of their own definition of the term, which was firmly rooted in the military and CI world. I generally get annoyed by debates that are not debates, but I get even more annoyed by military jargon in our industry.

In recent years the security industry has started to use more and more military terms in its jargon, to a point where it really is becoming ridiculous, if not dangerous. There certainly is state-level hacking activity going on. However, for many people in our industry that have a responsibility to solve hard security problems for organizations, that shit is not relevant.

I'll repeat : "THAT SHIT IS NOT RELEVANT!"

I get it. As kids we already liked to play soldier, with wooden sticks being our automatic rifles and our friends being the willing enemy that we blew to smithereens while yelling PEW PEW PEW. The internet is our playground and we still like to be soldiers.

Personally, I like to refer to James Mickens' excellent column in USENIX' ;login: logout of January 2014:

The “threat model” section of a security paper resembles the script for a telenovela that was written by a paranoid schizophrenic: there are elaborate narratives and grand conspiracy theories, and there are heroes and villains with fantastic (yet oddly constrained) powers that necessitate a grinding battle of emotional and technical attrition. In the real world, threat models are much simpler. Basically, you’re either dealing with Mossad or not-Mossad. If your adversary is not-Mossad, then you’ll probably be fine if you pick a good password and don’t respond to emails from ChEaPestPAiNPi11s@virus-basket.biz.ru. If your adversary is the Mossad, YOU’RE GONNA DIE AND THERE’S NOTHING THAT YOU CAN DO ABOUT IT. The Mossad is not intimidated by the fact that you employ https://. If the Mossad wants your data, they’re going to use a drone to replace your cellphone with a piece of uranium that’s shaped like a cellphone, and when you die of tumors filled with tumors, they’re going to hold a press conference and say “It wasn’t us” as they wear t-shirts that say “IT WAS DEFINITELY US,” and then they’re going to buy all of your stuff at your estate sale so that they can directly look at the photos of your vacation instead of reading your insipid emails about them. In summary, https:// and two dollars will get you a bus ticket to nowhere. Also, SANTA CLAUS ISN’T REAL.
So this post could be about threat models again, but I feel that is way too much work a week before Security Summer Camp (pro-tip: bring a Nerf gun and shoot at everyone that uses military terms in their narrative!). Instead I hereby provide 8 reasons why you are a security professional instead of a cyber soldier. Here goes!


  1. Your business card does not mention your military rank and you do not measure your status by the number of stripes you have on your shoulder.
  2. You do not have to salute a superior when you pass by them in the hallway.
  3. Whenever a security requirement is requested, you do not reply with "SIR YES SIR!"
  4. You wear A&F t-shirts, button-up shirts, or a polo to work instead of a military uniform.
  5. Instead of living on (or near) a military base, you are living in a suburb with neighbors that have ordinary jobs. You probably drive an SUV and you worry about what kind of meat you'll throw on the BBQ next weekend.
  6. Your family does not live in fear of a sudden deployment from which their beloved family member (you) may very well never return.
  7. On your way to work you do not have to worry about IEDs of any sort. Neither do you have to be concerned about a bunch of insurgents barging into the SOC where your comfortable office chair is located and where the scarf in the team colors of your favorite football (or soccer) team indicates "your" spot.
  8. You do not have to regularly clean your (cyber)weapons and train with them. Neither do you have to get up at 4am without notice to run a course around the data center in full gear.

All jest aside, being in the military is serious business. I have nothing but respect for people that have taken the responsibility to defend their country. The truth is that being a security professional is also very serious business these days. We don't get anywhere if we keep throwing around war-related terms, hollowing them out in the process.

Our industry is young, especially when we compare it to other industries. Military terms, without doubt, carry a sense of urgency that is often not needed in day-to-day conversations and operations. Do we want to make ourselves a laughing stock, or do we want to keep the seat at the business table that we have earned in the past few years? I don't think we'll make it by turning into our own Big Green Weenie.

Edit

I almost forgot that my good friend Kyrah wrote an excellent Master's Thesis titled "Wargames in the fifth domain" which is worth a read if you desire to go beyond the marketing value of "cyber".
The majority of cyber attacks that we have seen do not qualify as acts of war. Why then should we deal with them using a military framework? A military response is unlikely to solve any of the actual problems. What is needed is a civilian approach.

Wednesday 20 May 2015

omgSAPpwnage but then again not really ...

Disclaimer: I don't work for SAP. This is a personal blog and none of it represents the opinion of any entity other than myself.

That said, I ran across the following article today:
http://www.infosecisland.com/blogview/24531-Top-Three-Attack-Vectors-for-SAP-Systems.html

It is titled "Top Three Attack Vectors for SAP Systems" so I was expecting a list of (at least three) direct attack vectors against SAP Systems. Once again, as is the case for many articles on security subjects nowadays, I was disappointed. I can only hope to provide some perspective here from experience and my own insight into the problems surrounding corporate ERP systems.

The top three, as listed in the article and accompanied by comments from yours truly, are as follows:

1. Pivoting Between SAP Systems, where the attack begins with a system with lower security to a critical system in order to execute remote function modules in the destination system

So an attacker is able to gain access to SAP Systems AFTER they have compromised (part of) the supporting infrastructure and is then able to compromise other connected systems? You don't say! I fail to see how this is a direct problem with SAP systems. If you're not able to prevent OR detect compromises before they reach SAP systems, there isn't much that's stopping an attacker from getting there, right? There isn't a big need for vulnerabilities in an SAP system to achieve this either. It's like saying you are able to send text messages in my name when I unlock my phone and hand it to you.

2. Portal Attacks, where backdoor users are created in the SAP J2EE User Management Engine and an attacker obtains access to SAP Portals and Process Integration platforms and their connected, internal systems

Uh? What? "Where backdoor users are created"? Wouldn't you say all bets are off when an attacker is able to do this? Show me a remote and unauthenticated vector for an attacker to do this and I'm happy to put this at #1 though.

3. Database Warehousing Attacks through SAP proprietary protocols, where an attacker executes operating system commands under the privileges of a particular user and by exploiting vulnerabilities in the SAP RFC Gateway to gain access to the SAP database

Again, there is an assumption of prior compromise (including gaining access to credentials) to get to a point where this is possible.

I'm not saying that SAP doesn't have security issues. There are advisories released by the SAP Security team and patches are made available regularly that organizations should apply.

ERP systems hold a lot of your most valuable assets and they deserve your attention, but the article as it is presented does not provide any credible evidence that attackers can arbitrarily access SAP Systems without going through considerable effort beforehand. Moreover, the 3 vectors as presented are easy to address by doing the basics in your supporting infrastructure:

  • Identity Management, Access and Authorization.
  • Intrusion Detection, Log Management & Analysis, ...
  • Network & Host Monitoring
  • Systems Hardening
  • etc. etc.

If we're going to continue letting the media drive our agenda (driven by PR companies and organizations interested in pushing a product; yeah, most of the content is provided by an organization pushing an SAP vulnerability scanner/tool) rather than looking to solve the hard underlying problems in security and how organizations should address those, we're pretty much doomed.

Security is not sexy. Security is not solved with tools. Security is hard work and, while I appreciate the idea behind putting it on the agenda with urgency, I'm pretty much tired of the flash fires that distract us from doing what is actually needed.

Thursday 16 April 2015

open letter to the ISC2 Membership

Disclaimer

I was an ISC2 Board Member from January 1st 2012 until December 2014. I am an ISC2 Member in good standing. I am, at this moment, not working for ISC2, with ISC2, or in any other fashion associated with ISC2. This letter represents my personal opinion only. It does not reflect the opinion of any organization I have been, am, or will be associated with.

That said ...

Good morning, good evening, or good night,

As an ISC2 Member, there is a big chance that you will find yourself in San Francisco, California next week. While I understand that your agenda is full of awesome events, some professional and some a little less so, I think it is important to realize that the events in and around the Moscone Center are the ideal venue to interact with the organization you are a proud member of, and with its Board members.

While I am sad to learn that ISC2 is not organizing a townhall meeting this year, there are still plenty of opportunities to meet them, get to know them, and to let them know how you feel as a member. 

ISC2 will be on the expo floor at booth #108 and #109. Additionally, there is a member reception on Wednesday April 22nd that you can RSVP for. There are undoubtedly alternative venues where you will run into representatives of the organization, especially the board members (<- it makes sense to familiarize yourself with their faces if you aren't already). 

As members, first and foremost, we have all engaged ourselves to be part of, and contribute to, the membership. As such we bear a responsibility to want better for ourselves. While I am personally not going to be in San Francisco with you, I would like to take the time to suggest some questions you can ask your Board members in case you meet them or if you find yourself at a venue where you can interact with them.

Before I kick off, allow me to make one suggestion. In the event that you run into a member of ISC2 staff or a member of management, please take the time to give them a hug and thank them for the work they do every single day for you.

1. The ISC2 Bylaws are 10 years old. As the primary document that governs the organization and its Board, I feel it is up for a thorough review. As an example, what was a mostly US-centric organization in 2004 is now a fully international organization with a global membership. What are you, as a Board, doing to govern yourselves in order to make this organization successful? What are you, as a Board, doing to keep our Bylaws up to date with today's reality? How can I, as a member, help with that?

2. As a member, I believe that ISC2 misses a lot of opportunities to provide value to its membership. What are you, as a Board, doing to ensure that the organization is able to develop initiatives that benefit the membership? What can I expect over the next few months and years as a member? How can I contribute to that?

3. As a member, I believe I am under-informed about what the organization does. Your last publication of annual meeting minutes happened in 2014, your last annual report was published in 2012. What are you, as a Board, doing to inform the membership about the organization, its financial health, the strategic initiatives, and how I can become more involved to contribute to the success of the organization and us as the membership?

Now obviously, you will be challenged in San Francisco. I am the first to admit that there's more opportunity to be distracted than there is to stay focused. I also believe that as an ISC2 member, you owe it to yourself to ask these questions, and more.

If you choose not to, I'd suggest you spend $85 in one of the awesome establishments you can find there and consider skipping your next AMF payment.

In any case, enjoy the opportunity to spend time with your peers at RSAC and thank you for your contributions to make this digital world a safer place.

Sincerely,
Wim

Monday 13 April 2015

7 things regarding conference calls

1. Being on time is being too late. You join conference calls 5 (FIVE) minutes beforehand, any later is too late. There can be some technical issues y'all need to root out.

2. Use a freaking phone. Almost every conference call system has local/international dial-in numbers. Don't use Skype or other VoIP systems.

3. If you use a mobile phone, USE A FREAKING HEADSET.

4. There is NO REASON to use speakerphone functionality. NONE!

5. Use a phone that you can mute. We're not interested in what happens in your open space office or your living room. You can unmute yourself when you need to speak. At any other time, MUTE! MUTE! MUTE!

6. Be in a place where you work. Real office, home office, hotel room. Those are about the only places where you should be to do a conference call. Bar, playground, movie theater, your car, amusement park, casino, massage parlor, the gym? HELL NO! 

7. Be prepared. This should be a given, but especially in a meeting where you can't see each other, being prepared is not only a courtesy, it is a must.


Thursday 12 February 2015

(ISC)2's "Vulnerability Central" - what it is and what it isn't

[disclaimer: until December 31st I was a member of the (ISC)2 Board of Directors. My posts here are my personal opinion and not necessarily shared by any of the current Directors or the organization]

[disclaimer 2: I've personally written cve-search, a tool that enables you to do much of the same. Most of the recent development has been done by Alexandre Dulaunoy. You can find cve-search here: https://github.com/wimremes/cve-search. The goal of cve-search was to enable local lookup rather than using the internet. Alexandre has done an amazing job in adding features and functionality. I'm still amazed at how open sourcing my crude script turned it into such an awesome tool.]

(ISC)2 has recently launched "Vulnerability Central", a service for members at no additional cost that provides a feed of vulnerabilities and other information that they could use to stay up to date on recent vulnerabilities, threat reports, etc. etc. The service is offered through a company called Cytenna about which I unfortunately have not found much information apart from the fact that they exist and the following statement on their website:
"Cytenna was originally conceived in the research laboratories of InferLink Corporation. We are constantly innovating to provide our clients with better ways to connect the dots in an ever-rising sea of information."

Today I browsed through the functionality offered through the (ISC)2 portal and here is what I found:

  • The initial information feed (mostly composed of CVEs, but it also contains data from other sources) is well laid out. When clicking on an item, the information displayed is very much summarized. You'll have to click on the external links to get more information. That seems a bit weird, because most of the information is public so it would make sense to incorporate it in the Vulnerability Central UI.
  • Filtering: it does it. One of the most important features of this type of tool is customization. This can be done by editing your profile. You can basically tell the tool to filter only the information that you want to see based on keywords and keyphrases. This is good. I'd appreciate some more granularity or even different profiles (I could be a consultant working with/for different clients). One thing that hit me on the main page is that I can filter by "Show starred". It took me a while to understand what that meant and how I could "star" an item. Unfortunately I have to first open an item and then star it. I cannot star items on the main page. This partially breaks the usefulness of the star feature. What is positive is that I can easily switch between filter modes (all, profile, starred). This would become even more powerful with the support of multiple profiles or filters.
  • I have to log in with my (ISC)2 credentials. This is understandable because it is a member benefit, but at the same time it limits the usability of the tool. If I want to use it, I'm restricted to the website and, in a time of APIs and mobile applications, that greatly limits how I can consume information. Support for API keys would be a definite plus here.
  • Vulnerability Central doesn't only provide vulnerability information; it also has a "News" and "Reports" section. Unfortunately those are hidden at the bottom of the page. They should have prominence at the top of the page. The "News" section provides links to security-relevant articles and the "Reports" section centralizes links to vendor and independent reports.
  • The information seems to be fairly up to date. I have not done extensive analysis of the accuracy, but given that it is mostly based on public information, I think there should be no problem there.
  • There currently is no ability to export data sets. This should be #1 on the feature road map without any debate. If I am only able to consume the information on the website, its value drops to 0 immediately. Need.That.Yesterday!

Now I am sure that the usefulness of this new member benefit depends on how well you have built out your own information feed over the past years. It is by no means a panacea for your security information needs and in its current version it is by no means perfect.

Apart from my own tool, I am a big fan of www.cvedetails.com and OSVDB. Both offer similar functionality based on different data sets.

However, this tool is now available to 100,000 members across the globe. If you are a member, you should explore it, use it and provide (ISC)2 with your feedback. What is good and what is not? What feature are you missing and how can it be more useful to YOU? If they listen, Vulnerability Central has the potential to turn into a must-have item in the tool chest of (ISC)2 members and even to change how you work today.

The beauty of being part of a membership organization is that you directly benefit from the contributions of fellow members. The downside (or should I say opportunity?) is that your fellow members count on you to do the same.