Thursday 17 November 2016

Dear Matt Harrigan, I apologize.

Dear Matt,

We never met and while I know of you, I don't personally know you.

Earlier this week some "friends" of yours made the horrible decision to screenshot a few Facebook posts of yours and take them out of the space you trusted, into the public domain. The aftermath was ugly, not unexpected, but, in the end, undeserved. Yes, I thought it was funny. I may have thought it was sad as well. I was one of those guys that tweeted about it, and passed judgement.

What I didn't think about was the fundamental point that people you trusted took content you shared privately and plastered it across the internet. That action alone hurt you personally, your family, your colleagues, friends, and investors. It is, without doubt, one of the lowest things a "friend" can do.

It is easy for me to sit here, see something funny and amplify it for whatever reason I may have at that moment. It is also easy to recognize that maybe I should not have been that trigger-happy, and say nothing. But I will not do that.

While I do not know you, I have heard very good things about you. I am sure that you will land on your feet with the support of the real friends you have and your family.

I sincerely apologize and I wish you the best.

Cordially,

Wim Remes


Tuesday 27 September 2016

Consulting for charity

It's been a while since I posted here and while I have some blog posts in the works, I wanted to make this a quick one (Q4 is upon us ... we got work to do too!).

When I got to my gym today, there was a lady who asked me if I wanted to join the 24-hour walk/run for a cancer charity. Imagining that the night hours would be the hardest to fill, I opted to walk between 1am and 5am CET on the morning of Sunday October 9th.

Now, it'd be one thing to ask you to sponsor me for this walk. I want to make it more fun though, so let's do something different. Here's the deal:

[1] You send me one information security related question + your phone number + proof of payment for a donation no less than $50 to the charity of your choice to wremes [at] gmail [dot] com.

[2] When I start walking, I will give you a call (remember, it's 1am till 5am CET) and we'll discuss the topic you handed me (security related!!!) for no more than 10 minutes. If I can't reach you I will try a second time, but not a third.

It will keep me busy and together we can spread the karma!

Are you in?


Thursday 17 December 2015

Take my crypto from my cold dead hands

As much as our society today relies on technology, very few people actually understand how it works. This isn't only reflected in the fact that many of us geeks spend the holidays fixing random computer/smartphone/tablet problems, but also in the fact that legislators are making assumptions about technology that are ridiculous, if not asinine.

I've heard from several people that calling things ridiculous (or asinine) is not conducive to dialogue. "We need to meet them where they are", they say. "We need to talk in their language", they say.

I have the benefit of playing my euro card. My euro card allows me to be direct, maybe somewhat rude, and to the point. I don't play it often because I like to get along with people but I play it when it is needed. At this point, it is needed.

This week I find myself in the United States and I happened to watch the Republican presidential debates. The candidates were, among other things, adamant about the fact that a government should have access to encrypted communications. It's a debate that has been ongoing for a while now and it always boils down to the same thing: encryption hampers law enforcement from doing their job. Encryption should be weakened so law enforcement can do their job.

My good friend Meredith Patterson already covered the technical impossibilities of weakening encryption here: https://medium.com/@maradydd/four-impossible-things-before-key-escrow-85478d949502#.cufwnrnph

My questions for today are: When did we become lazy? When did we forget to use science to our advantage rather than our detriment?

Our society has made great strides forward thanks to encryption, and despite it. The fact that you, today, can do bank transactions, exchange personal and health information, submit online taxes, etc. without having your data compromised is thanks to the advances in encryption. If done right, and not everybody is doing it right, your data is safe and you won't be running to the bank for new credit cards every week, nor will you have your personal data exposed in the next breach.

It is the same encryption that is used for good, that could be used for bad. There isn't a single argument one can make that would justify weakening the encryption we use for good. Enabling a government, or any actor for this matter, to intercept or read encrypted data from bad guys weakens encryption for the good guys too. There is no way around that.

Now, the argument is that this is a new problem. This isn't true. It is a lie used by people that don't understand technology and that refuse to acknowledge our history.

The scytale was an encryption method used by the Greeks as far back as 300 B.C. It allowed confidential communications between parties and relied on a piece of paper wrapped around a stick. There is not a single piece of evidence that the Greeks considered banning access to paper and sticks for the general population because they could be used to send hidden messages.

More recently, during World War II, the Germans used a thing called an Enigma machine to encrypt messages. This made it insanely difficult for the allied troops to know what was going on. In fact, they considered they might lose the war due to this. At no point did any of the governments consider banning encryption because the Germans were using it. At no point did the legislators, in that era, become stupid. No, they relied on science and technology to resolve the problem. They hired a guy called Alan Turing to enable them to read the Enigma-encrypted messages. Technology helped them win World War II.

Now, although the presidential debate I watched tried hard to prove me wrong, I don't think that people - in general - have become more stupid. We need to understand that encryption is necessary for our society to thrive. We need to acknowledge that turning back the clock has never helped a society to make advances.

If we are forced to live in a society that fears technology, the bad guys have won. If we are forced to live in a society that fears encryption, the bad guys have won. Our leaders (and I'm not sure if we call them that today) have a duty to protect us. You don't protect your house by taking out the locks.

Today I take a stance in this debate. You can come and take my encryption from my cold dead hands.

Saturday 14 November 2015

of the CISSP, infosec licensure, and how we bring things upon ourselves

[Disclaimer: this post represents my personal opinion. It does not represent the opinion of any past, present, or future employers, clients, or associates.]

I was looking forward to a quiet Saturday evening. I'm traveling tomorrow to be on site with a client on Monday. I did not count on Ed Bellis being active on the twitters and coming up with this jewel of a tweet:

CISSP certification requirements baked into contracts make me chuckle.

It put my brain in gear.

Straight out of the gates Ed makes 100% sense. Why would certain (security-related) tasks described in a contract require a CISSP? If anything, we know there are skilled people out there without any formal education or certification. We also know that there are some pretty unknowledgeable people out there holding multiple Masters degrees and dozens of certifications. Certifications do not guarantee knowledge. Why then would clients choose to require them in contracts?

The single question from Ed actually kicks a lot of hornets' nests. More than he actually thinks, I believe. Ed, as far as I understand, is a bit shocked that he, as a known expert in our field, cannot work on the contract he mentions because he does not hold a CISSP. He's probably as qualified as people holding the cert, if not more. Why would companies be so stupid as to keep him out of the game?

I'm certain it is not personal, Ed ;-) Companies have been burned more than once. They have paid dearly on projects they awarded to players in our markets that promised them the world, and then horribly failed. Companies bring in inexperienced consultants, make junior people "learn on the job" (on time paid for by their clients). We know it happens. We all hope it goes away. Obviously it won't. In the meantime, the clients play poker and they are cutting their losses.

Our industry doesn't, yet, have a form of licensure. There is no obvious way to tell bad players from good players. There isn't a real bar of entry. To save some of my Saturday night I will not debate whether licensure is a good or a bad thing and if a bar of entry is needed. I've had the privilege of discussing the topic of licensure with a diverse subset of my peers and I have not made my mind up yet. I'd encourage everybody to explore the topic and ponder on it for a while. I'd be happy to engage with you.

So here I am, putting myself in the position of the client. I need outside expertise for a security project. Let's say that 1 out of 5 of my previous security projects have failed because the partners I worked with under-delivered, went over budget, etc. etc. I have paid dearly for that. The obvious choice is to go with a different partner, but how do I tell which is the good partner? I have no way of doing that. Do I roll the dice and dive into the deep end with a new unknown? I don't want to take that risk. What are my options?

If I want to vet every individual consultant that is going to be on my contract, that is going to cost me a lot of time. I may still not be able to validate all their experience, and it doesn't remove any of the risk. Sure, there are capable people out there, but my previous experience tells me to remain cautious. What else can I do?

There is an organization out there that validates the fact that their certificate holders have at least 4 years experience in the industry. That is awesome, because now I can just check for their certificate and I know that they've been around for a while. Do they guarantee success? No, but they are not straight-out-of-school theory monkeys. At least there is a bigger chance that in the 4 years they have been around, they have seen some things and done some things that are relevant to the work they're supposed to be doing for me.

Is there a down side? Obviously. I know that there are very smart people out there without the certification that I require them to have. I am consciously choosing to not have them on the contract. Is that stupid? From their perspective probably yes. But here I am, choosing between vetting every candidate myself or relying on that certification that comes with at least 4 years of experience. Economically, I win more by doing the latter. You can argue your competence until pigs start flying, but you can't argue economics.

Now, in closing, we have to consider why we have come this far. Our industry is full of solution and services providers that jump on every opportunity to "do security", and fail at the cost of our clients. The theory of the lemon market has been repeated ad nauseam in talks, podcasts, and discussions over the past ten years (if not more). Do you truly expect your clients to sit by and do nothing? This then brings us back to the discussion on licensure. Historically, licensure has been introduced in professions for various reasons. Often it is introduced by government, to push out quacks and charlatans. Very few professions have been able to successfully introduce licensure themselves. Is it time for our profession to consider an attempt at licensure? And, if so, what would that look like?

Our clients definitely think it has become worth it to value 4 years of validated experience over X years of self-claimed expertise. Whether you like it or not.

Tuesday 10 November 2015

The plans I have for ISC2, its membership, and the industry

[This post is primarily meant for ISC2 Members but it might be interesting for security people in general, as I think what we need to do is not limited to a particular organization within our industry. It is a fight we need to fight together. For better or worse.]

You can read about the general idea behind my campaign for the ISC2 Board of Directors here.

You can read about what I've already done in my first "tour" on the Board here.

The past is the past. Between November 16th and November 30th, ISC2 Members vote for 4 new directors and they will have their work cut out for them. As much as you may believe that being a board member is a job without responsibility and a token position, it definitely is not. To my own detriment, I take this uncompensated responsibility very seriously and I want to make a difference. First and foremost for the membership, but also for our profession and our industry.

1. ISC2 needs to represent our interests. Left, right, and center.

I've said this before and I'll say it again: In all the important debates about information security - whether they are held in Washington DC, in the European Parliament, or anywhere else - ISC2 is absent and silent. As the organization that represents the largest number of security professionals in the world, we cannot afford to leave our voice unheard. On topics such as securing the Internet of Things, Export Control, and other legislative issues involving information security, we need ISC2 to be vocal and to take responsibility for informing all parties without bias.

How can we do that?

The first step is engaging the membership. ISC2 will need to leverage the active membership it has to keep a finger on the pulse on all things information security around the globe. This can happen through a closer relationship between the organization and the chapters. The structure we built through the chapters is our biggest asset to create one voice that represents members, and industry, globally.

Secondly, ISC2 needs to strengthen its relationships with peer organizations in the industry. This has happened over the last few years, but I strongly believe we can do more. At this moment our profession is represented by "cavaliers seuls" and does not have the credibility it should have.

Third, we need to engage individuals outside the membership to weigh in on topics that ISC2 doesn't traditionally have a lot of credibility in so the organization can represent a balanced opinion, educate policy makers, and positively influence society.

One of the topics at hand is security research related to exploit development and export controls. Here I call for the immediate creation of an advisory council that has the ability to help the organization form the language on much-needed global education on the topic. The members of this council do not necessarily need to be ISC2 members. They need to be recognized experts on the topic that are willing to devote their time to doing the right thing.


2. We need to define what Security Engineering means.

[I understand that Engineering is a term some people are passionate about. I am not trying to find an alternative to the formal engineering science. I am open to suggestions to replace engineering with a better term.]

Some of my friends have heard me talk about this topic for a while now. It is something I wanted to kickstart in my first term on the Board, but that didn't happen because there were other priorities. I want to make it a priority in my next term, if allowed.

Security today is no longer a tale of firewalls and antivirus. As we build and use technology that influences our very lives, security is present on every level of those technologies. Starting at the hardware level, over the network and operating systems, through to the database and application technologies.

Saying that a single certification covers all of those areas is a lie. Fact is that we have no way to identify and recognize the security engineers that organizations so sorely need.

What I want ISC2 to build is a certification track that is aligned with engineering principles to provide certifications that allow us to educate, train, and certify those security engineers.

This will not be a certification that you can go to a bootcamp for and pass. The people that go through the whole track, eventually, will be the people organizations can rely on to build a secure IoT, secure vehicles, secure web technologies, secure ICS environments, etc. etc.

It is something we are missing, and it is something we sorely need. I will make it my priority from the moment I rejoin the board.

3. Make a more efficient Board of Directors

Without a doubt the most frustrating part of my first term on the Board of Directors was the significant amount of time we, as a Board, spent on managing ourselves. This Board's time should be spent on the strategic issues affecting the organization and its membership.

Currently the Board has 13 members while the ISC2 Bylaws prescribe a minimum of 7 members. There is no way for the members to evaluate the effectiveness of the individual Board members and make an informed decision on whether they are representing their interests. From my personal experience, not all Board members contribute to the common goals and in many cases the number of uninformed opinions actually detracts from the tasks the Board has.

There are 3 things I want to achieve here:

1. I want the Board to reduce its number of members to 9 over the next 3 years. That is 2 more than the Bylaws prescribe and 4 less than there are now. This will considerably lower the cost related to the Board by itself. It will also force the Board members to be active because in a larger board, there is more room to hide in the shadows of those that do the work. Additionally, it forces the Board to rely on other members for the committees. This also feeds the leadership pool that the Board draws from, which is needed with the new and stricter term limits.

2. I want the Board to develop transparent communications about the performance of the Board in general and individual Board members specifically. Just like you know about how your representatives in government perform (absence, voting record, involvement in committees, bills proposed, etc.), ISC2 members have the right to know what their Board and its members do (or don't).

3. I need the membership to become more engaged with the Board of Directors. With 100,000 members, we have a lot of brainpower, great ideas, and unlimited motivation to do positive work in our industry. Without the contribution of the membership, the Board cannot be efficient. If I make it back to the Board in 2016, I will do my utmost to bring the Board to the membership and the membership to the Board.

I hope you are with me, because I am going all in on this one.

Tuesday 20 October 2015

One (ISC)2

Today I am kicking off my campaign for the (ISC)2 Board of Directors elections. You can find the slate here: https://www.isc2.org/board-slate/default.aspx

I'm excited to see so many good (and new!) candidates on the slate but obviously I'd like for you to cast a vote for me. I am proud of what was achieved during my first term on the board, between 2012 and 2014, and I would love to build on that momentum in the 2016-2018 term. I don't want to spend too much time on past achievements but I think they are important to know:

- David Shearer, who was at that moment the COO of (ISC)2, was selected as the new Executive Director after a thorough evaluation process. He took over from Hord Tipton on January 1st 2015.
- The (ISC)2 strategy was refocused on the membership, away from a pure focus on certification and training.
- The CISSP CBK and the exam based on it were reviewed and changed considerably. Reorganized domains and 40% more (and more technical) content were the results. The new certificate was launched in early 2015.
- As Chairperson of the Board I established the Bylaws committee. This committee focused on reviewing the (ISC)2 Bylaws, which were last changed in 2004. Earlier this year, the board brought the new bylaws before the membership. These new bylaws would establish stricter term limits, ensuring that the board sees a more constant influx of new blood and new ideas that would benefit the membership.
- During my first term (ISC)2 became more engaged with the security community. This happened through the support of BSides events and through the organization of (ISC)2's own Secure events. Not to forget the yearly Security Congress.

Obviously I am extremely proud of these achievements and, again, it would be my privilege if the membership decided that I can help build on that.

The core idea behind what I want to achieve is, as the title of this blog post doesn't try to hide, "One (ISC)2".

I believe in an organization that allows the members to collaborate, that provides a platform to share ideas and experiences, and that supports members learning from each other. This will require an investment from the organization but also from the members themselves. The organization should bring the global membership together to achieve this.

I believe in an organization that represents security professionals when it comes to the bigger debates and initiatives in our profession. Most recently there have been very important debates in our industry about the use of strong cryptography, about regulation of security software and hardware, and about security in the Internet of Things. I believe an organization that represents a large amount of security professionals should be more present in these debates, through its members and by unifying the message the membership believes should be sent.

I believe in an organization that brings together professionals globally. Our profession is very fragmented and more often than not this leads to heated arguments. Whether we are incident responders, CISOs, penetration testers, or anything in between, we are security professionals first. We share a common goal to make this world more secure and I believe (ISC)2 has the ability to drive this goal much harder than it currently does.

One (ISC)2 is the organization I want to help build during the next 3 years and I hope I can count on your support to do that. More details on what I want to achieve in which domains will be shared here over the next few weeks. In the meantime please motivate every (ISC)2 member that you know to engage in the pre-election discussions and choose the candidates that they vote for carefully.

I look forward to serving the membership once more.

If you have any specific questions or remarks about me, my candidacy, or the future of (ISC)2, please do engage.


Sunday 16 August 2015

Leading in a do-ocracy ... afterthoughts

There's nothing like arriving in Las Vegas and Chris Nickerson roping you into a panel at BSides titled "Leading in a Do-ocracy". The panel was posted in the "I am the cavalry" track and the abstract of this panel looked like this:


What is a "do"-ocracy, and what does it take to lead one? While some people stand back and gawk at problems, others jump in to do something about what they see. Explore some common traits of do-ocracies, why they inspire others, and how leaders emerge. Learn from the successes and the failures of our panelists, and hopefully spark ideas within yourself that you can bring to a do-ocracy of your choosing or making.

Moderated by Tim Krabec, the panelists were Tod Beardsley, Beau Woods, Chris Nickerson, and myself. Nothing is better for a panel than an audience with an opinion and I can say I was happy that Keren Elazari decided to "give it to us" and become our fifth panelist. You can watch the panel here.

Now, being on a panel about leadership feels strange to me. I don't think I'm particularly knowledgeable on the subject and I don't see myself as a leader. Then again, we live in a world where everybody and their mom is a keynote speaker on "leadership", "how to lead millennials to success", and other very interesting subjects. The funny part is that it is always very hard to track back any form of leadership experience in those people's resumes. Furthermore, most recently we have seen the advent of courses with super-awesome titles like "How to evolve from a middle manager to a middle leader". I kid you not, I wish I was though.

Let me be very clear, and this is my (very strong) personal conviction: some aspects of leadership can be adopted, maybe even faked, but leadership is not something that can be taught or learned.

Now, I do understand that some people might see me as a leader of some sort (Chris, I'm looking at you!) and I can't deny that I've been studying leadership in various forms since I was very young. I've also discussed the subject with people that, at some point in my life, were mentors to me. So here are the things I consider to be true about leadership.

Be the servant leader

Nothing makes a leader like quoting from some old book that most of the audience members have never read or, better still, never even heard of. When it comes to servant leadership the Tao Te Ching gives a fairly good description:

The highest type of ruler is one of whose existence the people are barely aware.
Next comes one whom they love and praise.
Next comes one whom they fear.
Next comes one whom they despise and defy.
When you are lacking in faith,
Others will be unfaithful to you.
The Sage is self-effacing and scanty of words.
When his task is accomplished and things have been completed,
All the people say, 'We ourselves have achieved it!'

A leader rarely leads from the front. He's among the people doing the same work and at the disposal of the people, serving by the grace of the people. I guess what I'm trying to say is that leading in a do-ocracy is not about choosing the topics and gathering people around you to do them. It is about finding the topics that are important to the people and becoming part of the group, working in the trenches with them while not holding back on sharing knowledge, cycles, and sweat.

Understand your level

I've only recently become aware of the "5 levels of leadership" and it kinda hits home. Now, you have to understand that it takes all kinds of leaders to achieve success. A level 1 leader is not necessarily a bad leader, and a level 5 leader might not be what you need in some circumstances. We, humans, like to think that we have to achieve the highest level and try to be who we are not to get there. For me, understanding your level of leadership is an important step in understanding where you can be most effective in helping to achieve goals. Here are those 5 levels:

1. Position - People follow because they have to.
2. Permission - People follow because they want to.
3. Production - People follow because of what you have done for the organization.
4. Person Development - People follow because of what you have done for them personally.
5. Pinnacle - People follow because of who you are and what you represent.

You can easily apply these levels to the people around you. You will quickly come to the conclusion that most people fall somewhere between level 2 and 4. You'll also realize that, as I said before, you know very few people that have evolved more than 1 level in their leadership abilities. That is what I mean when I say leadership cannot be learned or taught.

Kaizen and continuous improvement

something, something, Six Sigma, black belt, Deming, Toyota.

I've read countless blogs and books on the Kaizen methodology. Moreover, I studied Kaizen before DevOps people started using Kanban boards to divorce themselves from responsible design and formal architecture. You can do that too and I'll not go into detail about what Kaizen means here.

I guess that the key take-away from Kaizen is that success is measured by the quality of your output. To me, it means these things:

  • You cannot do ALL THE THINGS. You might want to do them but you can't do all of them WELL. Pick the things wisely and apply maximum effort. There is only one speed: Go!
  • Don't be a pussy and accept criticism. This is a big one! When you're doing stuff, people will come out of the woodwork and criticize you. It's cool, and don't qualify them as detractors because they're saying something you don't like. All feedback is GOOD. Feedback shows that people care. Feedback allows you to steer where you are going (or not). The moment people stop giving feedback is not the moment where you're doing the right thing. It is probably the moment where you should consider abandoning your efforts because the people no longer care and you're merely doing this for yourself.
  • Focus on your outputs and ensure that they are of the highest quality possible. Quality is not measured in the number of retweets and likes, those are dumb metrics. Quality is measured in how people apply your outputs to do other awesome things. It is measured in how people appropriate your shit and make it even better or apply it to do something completely different.

I'm sorry that this has become such a long post. I hope it is helpful to some of you. We all have a limited time out here and we can't all make a dent in the universe. We can do our best to leave this world better than we entered it. The badges and accolades we can receive are nice, but they mean nothing when the worms are nibbling on our toes.

Do right, do with empathy, and do selflessly, but most importantly DO!
Or don't, but then please get out of my way.