My Home Burglary and what it means for your enterprise

My house in DC was broken into. More specifically, my garage, which is behind my house, was broken into and a few things stolen. Other than the asshole move of keying my car, nothing of great value was lost. All the same, the process got me thinking about my life as an InfoSec professional and the similarities between our homes and our enterprises. I will use my home as an allegory for how we handle our digital worlds and what I learned. ...

May 14, 2011 · 4 min · Nick

Tor != VPN – A Simple Explanation

Shameless exploit of a meme, I know... I can't take it anymore! I lurk on irc.freenode.net and /r/netsec and have seen a few too many mornings now where some person is "safe" because they used Tor. There is a big misunderstanding about what Tor actually does and protects. Here is my log on the fire to help explain the technology. Let's start with the basics… ...

February 22, 2011 · 4 min · Nick

Geolocation and Force Protection

OMG THIS DUDE IS AT THINK COFFEE! Sometimes we get a little too focused on what the root of a vulnerability is. I find myself thinking this a good bit with the advent of geolocation tagging and "check-ins" as the security world runs around with its hair on fire. Rather than accept that our tools and users will be GPS connected and tracked, we take the extreme of labeling it all bad. By doing so we have removed what is a valuable tool from our folks. We can all agree that unfettered geolocation is a bad idea, but can't we agree that geolocation in and of itself is not? ...

February 20, 2011 · 6 min · Nick

The news of OpenID’s Death is greatly exaggerated

I am not one to get on the blog and add to the argument over some stupid post from another tech pundit, but this one is too much to pass on. The reason I am tossing my hat in here is that I am now seeing SECURITY PROFESSIONALS adding to the crowd with the death knell of OpenID. Seriously? Let me start with this example from my morning routine. I logged into my Facebook account with ClavID instead of the standard Facebook authentication mechanism. A little-known Facebook feature is the ability to use OpenID providers to log in instead of the email+password. I do this because ClavID supports secure multifactor authentication, so instead of a simple user+pass, I have user+pass+token. Many of the websites I frequent support OpenID, and in all of those cases I remove their ability to store my authentication information. ...

January 31, 2011 · 2 min · Nick

Advice for new ISSO or ISSM

Someone in /r/netsec posted a question about what advice us old sages would have for a new ISSO. The below was my response, which I hope is useful to my readers in a two-fold way:

- ISSOs who are coming into the field
- Managers who are trying to hire or understand your staff

Without further ado…

- Whatever industry you are in, there are policies that dictate compliance. Learn them. PCI, DIACAP, NIST, FIPS, ICD, DCID, JAFAN, NISCAP, etc. Learn the policies NOT in your industry as background knowledge. It will help make you a better decision maker.
- Document everything. If it isn't written down it doesn't count. Security practice without policy is fictional.
- Embrace your geek system admins. Find the weird guy with the binary clock and buy him lunch. Without the support of your admin staff you will die on the vine.
- Being an ISSO means that you are upward reporting, downward enforcement. Present well and be consistent with your message. You are no one's friend and therefore must form alliances to ensure your success. Also, don't dress like a hippie unless your company encourages that. Most days the ISSO is in a weird in-between place where you aren't a suit and you aren't a sysadmin.
- LEARN THE ARCHITECTURE. You will lose the respect of your teams as soon as you incorrectly state how SSH, PKI, IPsec, or any other key security technology works. If you are the ISSO of a group that does mostly web apps, you had better know web services inside and out. Security guys must know it soup to nuts.
- Be humble, but be firm. You are the enforcer and dictator of all that is securing 1's and 0's for your teams. Accept that since you are new you will not know everything. Let people see that you are humble and willing to hear both sides before making a ruling.
- Get active in your local security groups. Hackers, B-Sides, cons and whatever else can serve as an excellent networking tool for you to see how your peers are practicing security.
- The fact you came to /r/netsec shows you are trying to learn. Keep learning. Subscribe to mailing lists and RSS feeds and block out portions of your day to read them. You are there to ensure someone's ass or data doesn't get stolen/chewed. As the ISSO you are expected to be ahead of the curve.
- Compliance sure feels good, but unless it actually enforces good security it will only make you feel good. Let your company or group get hacked and see how much leeway you are given for an ATO or compliance checkbox.
- If you can't recite port numbers from memory or explain basic PKI, MFA, defense in depth, packet theory, or how different protocols work, then you need to move along. Study up quick or write your resignation and hand it over. Security has no time for people who lack basic knowledge. Eventually it will catch up with you.

Good luck and welcome to the community!

January 26, 2011 · 3 min · Nick