Showing posts with label security.

Monday, June 13, 2011

Another password dump from a big site

I saw in the news this morning that LulzSec had posted online about 26,000 passwords from a few porn sites. Article here.

We have seen large dumps of passwords from sites before, and I've blogged about password audits that I've done (with permission) to gauge the effectiveness of a password policy change. And what we've seen is pretty much the same thing from every dump. Thousands of crappy passwords, very low use of multiple character sets, short passwords, etc.

But I have noticed that in all of these password dumps (except mine) we don't get any data about how many passwords were not breakable. How likely is it that we're only seeing the passwords that fall to a dictionary attack? I guess I wonder if we're dragging the bottom of the ocean and concluding that the ocean is made up entirely of muck.
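The point above is about the denominator: a dump that lists only the cracked passwords says nothing about how many resisted. The block below is an added example, not code from this blog or from any of the dumps mentioned; it builds a constructed "dump" of unsalted SHA-1 hashes (the plaintexts, wordlist and mangling rules are all assumptions chosen for illustration), runs a small dictionary attack against it, and reports both numbers an audit should report: how many hashes were tested and how many fell.

```python
import hashlib

# Constructed sample "dump": unsalted SHA-1 hashes, the way a careless site
# might store passwords. The plaintexts exist only to build the sample; an
# auditor would receive just the hashes.
_SAMPLE_PLAINTEXTS = [
    "password", "Password1", "letmein", "monkey123",
    "123456", "qwerty!", "T#9vQ!kd2@pL", "correct horse battery staple",
]

def sha1_hex(text):
    """Unsalted SHA-1 of a UTF-8 string, as a hex digest."""
    return hashlib.sha1(text.encode("utf-8")).hexdigest()

SAMPLE_DUMP = [sha1_hex(p) for p in _SAMPLE_PLAINTEXTS]

# Small constructed wordlist plus a few mangling rules of the kind cracking
# tools apply: the word as-is, capitalised, and with common suffixes.
WORDLIST = ["password", "letmein", "monkey", "123456", "qwerty", "dragon"]

def candidates(word):
    """Yield the guesses derived from one dictionary word."""
    bases = (word, word.capitalize())
    suffixes = ("", "1", "123", "!")
    for base in bases:
        for suffix in suffixes:
            yield base + suffix

def dictionary_attack(hashes, wordlist):
    """Return {hash: plaintext} for every hash some mangled word matches."""
    targets = set(hashes)
    cracked = {}
    for word in wordlist:
        for guess in candidates(word):
            digest = sha1_hex(guess)
            if digest in targets and digest not in cracked:
                cracked[digest] = guess
    return cracked

def audit_summary(hashes, wordlist):
    """The two numbers a dump story usually omits: how many were tried, how many fell."""
    cracked = dictionary_attack(hashes, wordlist)
    total = len(hashes)
    return {
        "total": total,
        "cracked": len(cracked),
        "uncracked": total - len(cracked),
        "crack_rate": len(cracked) / total if total else 0.0,
    }

if __name__ == "__main__":
    print(audit_summary(SAMPLE_DUMP, WORDLIST))
```

On the constructed sample six of eight hashes fall to the wordlist; the random 12-character string and the four-word passphrase do not. Publishing only the six cracked plaintexts would make the site's users look worse than the 75% crack rate already does, which is exactly the dragging-the-bottom problem.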

Wednesday, August 25, 2010

I Love Boobies and Information Security


If you work in Information Security, or any form of security for that matter, you're probably used to noticing things. Maybe we just pay a little more attention to the details around us. And if you're working on a college campus, maybe you've noticed the number of people wearing bracelets that say "I love boobies" or "I heart boobies."

Turns out that it is part of a breast cancer awareness campaign and it seems to be quite effective. How effective? So much so that one day while working up in my office I saw three customers in a row come in with the bracelet on. It seemed so rare to me that I asked one of them why there were so many people with the bracelet on. Interestingly, she didn't know of any organized campaign to get people to wear the bracelets and didn't realize that so many people were.

So I decided I should take a moment to figure out how many of our female students on campus are wearing these bracelets. Male students are kind of irrelevant because breast cancer isn't a major concern for them and they probably love boobies for reasons not associated with cancer. So I wanted to know what percentage of female students on campus are wearing this particular kind of bracelet.

This is where reading Douglas Hubbard's book How to Measure Anything comes in handy. There are some people who would instantly tell me that I won't know unless I take a census of the female students on campus or at least survey about 1000 of them. But since I've read Hubbard's book I know that I don't need as much information or precision as my gut first tells me. I also know that the best way to measure something is to go out and do it.

So I walked out the door of my building and counted 30 female students at random as I walked from one building to another. If I was able to get close enough to a woman to observe both of her wrists then she was counted, otherwise not. Out of 30, I saw one girl wearing such a bracelet. This very simple observation is enough to tell me that I can be 90% confident that the percentage of female students on campus wearing such a bracelet is between 8% and about one-hundredth of a percent (one observation divided by 7817 female students). I actually decided that I wanted more precision, so I made a few more observations whenever I had to walk from one building to another.
So there you have it. With a few really simple observations my uncertainty about the number of female students with this bracelet on has been reduced and I can express the measurement as a number. If someone were to ask me, I could say that between one and five percent of the female students on my campus are wearing the bracelet. If the people behind the bracelet were hoping to have ten percent of college girls wearing them then without spending any money or any tremendous amount of time I could tell them that it is unlikely that they met their goal. If the goal was 3% I could tell them that they are close but that additional study is necessary to get a better answer.

So what does this have to do with Information Security? Mostly it's just a demonstration that it isn't hard to measure things when you deconstruct the problem and measure it. If we wanted to measure the effectiveness of the I heart boobies bracelets, we have to deconstruct it to find out what the observable characteristics are. In this case, the number of students wearing the bracelet. So what if you wanted to measure the effectiveness of your information security awareness program?

First, you have to deconstruct it down to the observable characteristics. If you want to know whether it worked or not, what might you see? One idea that jumps into my head is the number of unattended workstations left unlocked might go down. Sweet. I can observe that, and using the same technique that I used to measure boobie lovers on campus I can get an idea of what percentage of office computers are left unlocked. Or you could send a phishing email to several randomly selected people and count how many answer it. Take before and after measurements and see if there is a noticeable improvement in the numbers.
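The before-and-after phishing measurement above needs two pieces of arithmetic the post leaves implicit: an interval for a rate estimated from a small sample, and a test of whether the rate actually moved. The block below is an added example, not the post's method and not Hubbard's; it uses the Wilson score interval (a different calculation from whatever produced the 8% figure above, so its numbers for the 1-of-30 count will differ) and a pooled two-proportion z test. The phishing figures (40 of 200 clicked before training, 20 of 200 after) are constructed for illustration.

```python
import math

Z_90 = 1.6449  # two-sided 90% normal quantile

def wilson_interval(hits, n, z=Z_90):
    """Wilson score interval for a binomial proportion hits/n.

    Behaves sensibly for small samples, including hits == 0, where the naive
    p +/- z*sqrt(p(1-p)/n) interval collapses to a single point.
    """
    if n <= 0:
        raise ValueError("sample size must be positive")
    p = hits / n
    z2 = z * z
    denom = 1 + z2 / n
    centre = (p + z2 / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z2 / (4 * n * n)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))

def two_proportion_z(hits_before, n_before, hits_after, n_after):
    """z statistic for H0: both samples share one rate (pooled standard error).

    Positive means the 'after' rate is lower than the 'before' rate.
    """
    p_before = hits_before / n_before
    p_after = hits_after / n_after
    pooled = (hits_before + hits_after) / (n_before + n_after)
    se = math.sqrt(pooled * (1 - pooled) * (1 / n_before + 1 / n_after))
    return (p_before - p_after) / se

def rate_dropped(hits_before, n_before, hits_after, n_after, z=Z_90):
    """True when the rates differ at the chosen level and the change is a decrease."""
    stat = two_proportion_z(hits_before, n_before, hits_after, n_after)
    return stat > z

if __name__ == "__main__":
    # Observation from the post: 1 bracelet in 30 students walked past.
    print("bracelet rate, 90% interval:", wilson_interval(1, 30))
    # Constructed phishing exercise: 40 of 200 clicked before, 20 of 200 after.
    print("z:", two_proportion_z(40, 200, 20, 200))
    print("awareness training moved the needle:", rate_dropped(40, 200, 20, 200))
```

For 1 in 30 the Wilson interval runs from roughly 0.7% to 13.6%, wider than the range quoted above, which is the usual lesson of small samples: a few more walks across campus narrow it quickly. For the constructed phishing numbers the z statistic is about 2.8, comfortably past 1.64, so a halving of the click rate on samples of 200 is a real improvement and not noise.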

So what can boobies tell us about Information Security? You can have a lot of fun looking at and measuring things you can't touch.

Tuesday, July 13, 2010

Writing down passwords - yes I am OK with that



The article is making the case that in these times people have so many passwords that we can't reasonably expect them to remember them all. It also makes the case that malware is so pervasive that we can't expect passwords to be secure even in password management software like KeePass.


There are things that I like about this article, and things that I don't like about it. The main thing I don't like is that there are a lot of statistics thrown about without a whiff of citation. On the other hand, the advice is sound, and something I have been recommending as one way of remembering passwords.


Yes, I agree that we're probably safer if people can just remember their password, and that's why I advocate that users select pass phrases that are easy to remember but difficult to crack. For a while my password was 'My password is awesome!' Tell me that you can't remember that. But some people just aren't going to do that, so the next best alternative is to write it down.


See, to me, it seems that it doesn't matter so much if you write down your password. What matters is where you keep it. Working in higher ed, you have to be pragmatic and realistic in the advice that you provide and the audience you're dealing with. Let's face it, PhDs are really well educated in a single topic and seem unable to learn anything else. So trying to teach them to remember all their passwords is a fool's errand. Shame seems to work much more effectively. So try shaming them into realizing that they're not the first person to think of hiding their password under their mouse pad.


What I tell people is that if you keep your password in your wallet, then someone would have to steal your wallet to get your password. You're very likely to realize that your wallet is missing shortly after it disappears. You're very unlikely to notice if I lift up your keyboard and copy down your password. It also seems unlikely that I can steal your wallet, write down your password, and return your wallet. Possible yes; but unlikely.
This is an actual photo from my office by the way. No, it's not my machine.

Monday, February 22, 2010

The Google Suckage Ratio

Sometimes we security people find ourselves in the uncomfortable position of having to buy software, services, or hardware to enhance our security. And in many cases we really don't know a whole lot about the vendors that we have to purchase from. Let's say, for example, that we need to purchase some vulnerability management software. There are some big names out there, like Nessus, Qualys, and nCircle, but how do you choose which one to purchase?

I'm not going to go through the whole purchasing decision process. I would hope that part of your selection process involves developing a matrix of qualifications, assigning a weight to those qualifications, and assigning a score to each vendor. You should also put in some guidelines for each qualification so that multiple reviewers will come up with roughly the same answers for the same product (inter-rater reliability).

One of the things that you might want to consider when you're making the decision is how favorably the company is viewed by others. After all, if the general consensus is that a company sucks, then you probably don't want to invest a big hunk of money with them. But how do you go about doing that? You can talk to a few friends of yours, but you're taking an awfully small sample to base your opinion on. You can also talk to references provided by the company, but there is going to be a high degree of selection bias in that approach. The approach I would like to consider is the Google Suckage Ratio.

It's dead simple to calculate the Google Suckage Ratio. Simply go to Google and type in a company name, like nCircle, and look at how many results you get back. Now type the company name followed by "sucks." Take the total number of "company sucks" results and divide by the total number of company results and you get a Suckage ratio. You may be tempted to put the whole thing in double quotes, but I have found that you can get a staggeringly low number of hits. Instead we're going to look for the company name followed by a negative adjective.


Company   "Company sucks" hits   Company mentions   Suckage ratio
nCircle   26,700                 189,000            14%
Nessus    156,000                921,000            17%
Qualys    20,100                 226,000            9%
There are a couple more considerations we should make so that our measurement is more reliable. When we do these searches, we should exclude the names of the other vendors that we're considering. After all, it may be a discussion board where people agree that nCircle is awesome and that Nessus sucks. So I ran the searches again with exclusion. Here is a sample search string: Nessus -Qualys -nCircle. I have also found that if you reverse the order of the excluded terms you can get a different number of hits.

One question that was brought up when I was discussing this with some co-workers was whether or not we need to consider every negative adjective out there. Do I also need to search for 'Nessus blows' and 'Nessus really sucks'? I decided that the answer is no because I'm really trying to compare these companies to each other using the same measurement tool. In other words, I'm not saying that 9% of Qualys users are unhappy, I'm saying that the ratio of bad press to total press is higher for Nessus, nearly twice as high (17 divided by 9). In theory, if we added in 'company name blows' then we would still see about the same ratio between Qualys and Nessus.

Now I'm not saying that I endorse this method yet, only that I am intrigued by the idea. I would love to know if this is pure crap that I am suggesting here. I would also like to point out that I am not the first person to suggest doing this, but I don't know who is. One of the things that gives it credibility is the fact that Google has indexed so much of the Internet. When you dip into Google you're taking a very wide sample of the Internet.

Friday, November 28, 2008

Are Copyright Violations on the Rise?

Lately I have had to deal with more copyright takedown requests than ever before. In fact, at the start of 2008 I had not received a single takedown notice for my University in the whole time that I have worked here. Compare that to this semester (August to Present) where I have received 10. However, I still must admit that 10 takedown requests is small potatoes compared to some other schools out there.

I suspect that the primary reason that my University receives so few takedown requests is that we have outsourced the Internet service in our residence halls to a local ISP. I suspect that most of the student downloading happens in the residence halls. This is probably good for the students as well as the University. It seems to me that if legislation keeps moving in the direction that it has been going then University students won't have the same legal protection as customers of other ISPs. For example, there was a lot of lobbying going on when the Higher Education Opportunity Act reauthorization was being considered in Congress. You can bet that the RIAA was trying to force Universities to block file sharing and academically punish file sharers in some way (in addition to whatever civil and criminal penalties may apply). Now they have successfully pushed a law in Tennessee that will require schools to police their networks for copyright violators. All of these measures will cost money, and I think that one way to easily avoid some of the cost is for other schools to start offloading the Internet service in their residence halls to other companies.

So there is my hypothesis: schools that outsource the Internet service in the res halls receive fewer copyright takedown notices than schools that do not. I guess the next step would be to try to find other schools that follow our practice. If I ever hear from anyone, I'll update this post.

I'd like to know what other schools do when they receive takedown notices. Right now we're locking out the Active Directory accounts of the student when we get a takedown notice. Then we have the student come talk to us in IT and have them sign a form indicating that they are aware of the University policies regarding file sharing and that illegal file sharing may also result in civil or criminal action. The form does not require them to admit any guilt nor does it indicate any promise not to do it again. After they sign the form we turn their account back on and tell them that if they get caught again they will have to deal with our Student Affairs department. This arrangement seems to be working well for us. We don't end up with a ton of students on academic probation and it doesn't create an incredible workload for any of us. There are some other issues that we need to work out though, such as what we're going to do if we get any Early Settlement Letters from the RIAA. If you've got a moment, please share your thoughts.

Tuesday, October 21, 2008

NDSU IT Security Conference for K-20: Day 1

Tonight I am blogging to you from exotic Fargo, ND. One thing that I complain about frequently is the lack of Information Security conferences in the Midwest. Sure we might get one now and then in Chicago, but for the most part I think the Midwest gets ignored. I think the SANS Institute considers this part of the world "flyover territory" because just about everything they do is on the east coast or in Vegas. Well, if people won't bring the party to the Midwest, then North Dakota State University decided to just throw their own party. Thus, you have the IT Security Conference for K-20. This is particularly nice for me because the conference focuses on IT security in education.

So far the experience has been mixed to be quite honest. My hotel room is great, and the rate was outstanding. I'm also really pleased that the elevator is fast. I'm the kind of person who doesn't want to waste my life waiting for the elevator, and I guess the people of Fargo feel the same way. On the other hand, the slot for putting my key card in the door of my room is really small and I miss a lot. That's irritating.

My main complaint for the day has been crowding, but that eased up in the afternoon. I went to a morning session on using Wireshark and Seccheck to identify and clean up malware infections. For some reason the room was completely packed, and the word on the street was that people who had signed up for one of the other pre-conference sessions sneaked into this one. So I didn't get all of the materials and I had to sit next to a guy that kept making fun of me for using a Mac. I don't mind that he was making fun of me, but I was trying to listen to the woman give her presentation, not listen to some Santa Claus looking old man brag about his Dell D630 like he's running the Porsche of laptops. Other than the crowding, the presentation was pretty good. It was nice to get a refresher on using Wireshark, and I even picked up a couple of new tricks. I also remembered some tricks that I had forgotten. I was a little disappointed though because I thought the presentation was going to discuss detecting malware using Wireshark, and instead we were really using Wireshark to verify that a machine was doing suspicious stuff. It is unlikely that I am going to sniff all of my network traffic and then go through it with a fine-toothed comb looking for weird activity, so I'm not sure that it is fair to say that you're detecting problems with Wireshark. The Seccheck stuff was pretty interesting too. With Seccheck you can get a report of the executables running on your machine and automatically run them through VirusTotal. It was interesting, but to be honest if I have a machine that is infected with something, I'm just going to re-image it. She did mention that sometimes with servers or machines running specialty software you can't just re-image though.

The keynote speaker was Seth Fogie from Airscanner corp talking about evangelizing information security to your communities. This was a very good presentation. I think I came away with a few ideas worth exploring. He talked about the way that information security is branded and sold right now, and he sounded very much like the authors of New School of Information Security in that he was not fond of using Fear, Uncertainty, and Doubt to get things done. Then he went into some of the creative ways that people have been getting the message out about information security and described why these alternate techniques are better for us in the long run. The only downside was that the room was very crowded and there wasn't a place for everyone to sit.

After lunch I went to a presentation on Risk Management, and I was not terribly pleased. First of all, it was standing room only which really irritated me. Eventually they got more chairs in there, but I was already upset about how crowded the earlier sessions were. The speaker was talking about the basics of Risk Management, much of the same material that I go over when I talk to security classes on my campus about risk management. I was disappointed, however, that she didn't address some of the impossible problems that come with using Annualized Loss Expectancy. For example, how do you know that you have listed all of the possible threats that are faced by your assets, or even that you have listed all of your assets. Then there is the question of how to reliably record the value of your assets, and the probability that these threats will come to fruition. I asked her about this stuff at the end of the presentation and she admitted that ALE has some problems, and that's why she doesn't use it. Let me say that again, she gave a one hour presentation on the merits of using ALE, and she doesn't even use that system herself. OMG. Worst part was that she never did tell us what she does use that is superior to ALE. I had to leave right away after that because I wanted to get a decent seat in the next session.

The last session of the day that I went to was John Weaver of JBW group. I've had the opportunity to hear John speak before and he was very good. This presentation was also quite good. There were a lot fewer people in the room, and he allowed the presentation to turn into a discussion group rather than a lecture. That was a nice change of pace by the end of the day. We talked about some of the changes that came with the new version of PCI and some of the strengths and weaknesses of the PCI Data Security Standard. I was also able to pull him aside afterward and pick his brain about ISO vs. ITIL.

Anyway, I skipped the social hour and went across the street to the steakhouse and had a big prime rib. I'm so stuffed now. I'm going to play on my laptop for the rest of the night and then try to get some sleep.

Monday, September 29, 2008

Externalities in IT Security

One of the whims that I've been on lately is trying to apply economic concepts to the practice of Information Security. I'd like to share with you a problem that has been plaguing me for the last few months and an economic approach that might help to fix that problem.

Near the end of every semester, and often around midterm time, professors are asked to provide their students with their grades. Most professors don't want to make their students wait until the official grade shows up on their transcripts and so they post them. Everyone seems to know and agree that grade data should be anonymous, so the grades are not posted by student name. However, there is less understanding that student IDs are also considered non-public information and so posting grades by Student ID is also not acceptable. So every semester, I end up finding grade data posted by Student ID, and in some cases that grade data is put on a web server and the data is then indexed by Google. Hijinks ensue.

So far the approach to combating this problem is to send out messages to all the faculty around the end of the semester reminding them not to post grades by Student ID. However, based on the fact that I keep on having to clean up these messes, I can conclude that the emails are not being read, are being ignored, or the message is being forgotten. Another possibility is that the message is being read and understood, but each professor perceives that the benefit of posting the grades by Student ID outweighs the penalty and thus makes a conscious choice to break the rules.

Regardless of what is happening, we can be certain that the way we're dealing with the problem right now is not effective. So I started thinking about the problem like a junior economist, and I decided that this is an example of a negative externality. An externality is an impact (either good or bad) felt by someone that is not involved in the event that caused the impact. A classic example is air pollution. When you buy a product from a factory the factory gets money and you get a product. The factory may also produce smog as part of the production process. I, however, got nothing but extra smog. The factory has imparted a negative externality upon me. In the case of posting grades, the professor enjoys a convenient way of posting grades, and the students get their grades faster. However, the university could find itself in violation of federal law (FERPA) and the IT department may have to spend time cleaning up the mess. Posting grades by Student ID imparts a negative externality on the rest of the University.

So how do we deal with externalities in the real world? Well in the case of negative externalities, we can impose government regulation or we can apply taxes. In the case of improperly posting grades online, there is already government regulation in place, but the regulation is against the school, not the individual professor. I believe that we should move the cost closer to the professor. It is well understood in the insurance industry that risk should be assigned to the party that is most able to mitigate it. In this case, the cost of posting grades improperly should be assigned to the group that is most able to prevent it from happening, which is the professors themselves.

So my proposed solution is that we should work out an estimate for the cost of cleaning this up per record and then start billing departments when we have to clean up these messes. In fact, I believe that we could even make this a largely symbolic fine of $1 per record. In most cases a department will be charged less than $50. However, when a dean or department head has to open up their budget and fork over money for something then they might put more pressure on their professors to follow the rules. If the expense went north of $100 then it is almost certain that professors would be pressured to create unique identifiers for their students rather than post grades by Student ID. I'd like to know if anyone else out there has an opinion about this scheme and if other people have had to solve similar problems.

Sunday, September 28, 2008

What can the Minnesota Vikings teach us about Information Security?

Since I grew up in Minnesota, I am honor bound to love and root for the Minnesota Vikings. Anyone that grew up here and doesn't root for the Vikings is a traitor. I know some of them, and even though I love them, I believe they should turn themselves in and accept their punishment.

We Vikings fans are used to disappointment, and I was certainly disappointed after today's game with the Tennessee Titans. However, it got me to thinking about football and what the Minnesota Vikings can teach us about information security.

Now anyone that has read this blog with any regularity knows that I enjoy comparing information security with other disciplines. I also have a few good sports metaphors and I think this is a good place to unveil them. In information security, I view passwords, patching, and policies as the building blocks of any good program. You could compare these skills to blocking, running, and passing in football. What makes these building blocks important is that no matter what kind of awesome plays you put together, it will fail if you don't have these building blocks in place. One of the lessons that we can learn from the Minnesota Vikings is that even if your running and blocking is in good shape, you will fail to win games without a passing game.

Another lesson that we can learn from the Vikings comes from play calling. Our enemies are constantly changing tactics. So even if you've got your fundamentals down, you will fail to win games if you keep calling the same three plays over and over again. You have to keep studying the tactics used by your enemies and figure out how you're going to defend against new threats.

Another lesson we can learn from the Vikings is from the fan response. Sure we all love the Vikes, and we want them to do well. But if they start to play poorly we'll trash them and call for the firing of the coach and the benching of the quarterback. Not everyone will agree that these are good moves, but the fans want to see some heads roll.

This leads to another observation. In the end your fans want good things for you. If you can give them even a glimmer of hope that you're getting the job done then they will cheer for you up on the mountaintops.

Football has a million statistics to help measure the performance of teams relative to each other. Information security needs to do that also. Just sayin'...

All this has led me to believe that we should have something similar to an offensive and defensive coordinator. The offensive coordinator would try to develop new ways to attack threats before they can affect the organization and the defensive coordinator would develop the plans for responding to the bad things that still manage to happen.

Saturday, September 6, 2008

Private investigator licenses for digital forensics

A few days ago I posted about the growing trend to exclude people from the digital forensics field if they are not members of a law enforcement agency. I guess that I'm not the only person that feels that way since the American Bar Association has passed a resolution urging all the states to avoid the folly of requiring private investigator licenses for people practicing digital forensics. I quote:
RESOLVED, That the American Bar Association urges State, local and territorial legislatures, State regulatory agencies, and other relevant government agencies or entities, to refrain from requiring private investigator licenses for persons engaged in:
computer or digital forensic services or in the acquisition, review, or analysis of digital or computer-based information...

The traditional role of private investigators is significantly different from that of a computer forensic or network testing professional and many licensed private investigators have little or no training in these areas.

The public and courts will be negatively impacted...because not all licensed private investigators are qualified to perform computer forensic services and many qualified computer forensic professionals would be excluded because they are not licensed.
There was also a great breakdown of states which require a license, and states where there is some ambiguity about requiring a license. Here are the states that most definitely require a private investigator license for digital forensic work: Illinois, Texas, Michigan, Georgia, Rhode Island, South Carolina, and coming soon North Carolina.

In these states a license may be required: Massachusetts, Nevada, New York, Arizona, Arkansas, California, Connecticut, Hawaii, Iowa, Kansas, Maine, Maryland, Minnesota, Montana, New Hampshire, New Jersey, New Mexico, Ohio, Oklahoma, Oregon, Tennessee, Utah, Vermont, West Virginia, and Wisconsin.

So already in 64% of states it is either illegal to perform digital forensic work without a private investigator license, or there is some ambiguity and doing so might open you up to trouble down the road. I fear that the trend has already gone too far.

I can only guess what the arguments are in favor of licenses. I honestly can't find a website where someone has claimed that this is a good idea. There seems to be almost universal agreement that this is a bad idea, except in the state legislatures of our country.

Monday, September 1, 2008

Digital Forensics: Nerds need not apply

When I first got my job as an information security professional, I took a great interest in digital forensics. I felt that there was a lot of science in digital forensics, and I felt that it was an area where there were still a lot of discoveries to be made. So I took a couple classes on forensics, and I started reading a lot of books. I started running experiments of my own and developing the procedures that I would use to respond to incidents on my network.

This was all very valuable to me, and I do believe that my information is more protected now that we have documented procedures in place to respond to incidents. But I was hungry for more. I wanted to learn more about forensics, I wanted to be involved in more investigations, mysteries, and experiments. It takes a lot of work to keep up on the various digital forensics techniques, but I was willing to do the work because I really liked what I was doing. A few months ago I gave my first presentation at a national IT conference and it was on computer forensics for universities.

But it seems like things are getting harder. It is a lot of work, but I can keep up with the new developments in registry analysis, memory acquisition, and network forensics. What I can't get past is the forces in the industry that seem determined to shut me out. For example, there are some great forensic conferences each year where outstanding new information is presented, but you can only show up if you're connected to a law enforcement agency. In April Microsoft released COFEE, a USB thumb drive that dramatically cuts the time necessary to gather evidence from a Windows machine. That's all I know about it though, because it was only released to law enforcement agencies. Sure, you can find it on the Internet, but I shouldn't have to steal knowledge. Last month I read about this on the Windows Incident Response blog:
I received an email from AccessData the other day in my work inbox, advertising something called the National Repository for Digital Forensic Intelligence, or NRDFI. ... The AccessData email said that NRDFI is a "knowledge management platform for collecting and sharing digital forensic information." The email goes on to say that the repository has been seeded with over 1000 documents - examiner tips and tricks, whitepapers, digital forensic tool collections, etc.

Sound interesting. Too bad it's completely off-limits to non-LE such as myself, those who have an interest and desire to contribute, but are not sworn officers.
There is also the trend of states making it so that you have to have a Private Investigator's license to perform digital forensic work. In my state, that means that I have to have 6000 hours of work experience with a government investigative service or law enforcement agency. EDIT: I should point out that my state hasn't passed such legislation as other states have done. But if my state should go that route then I would need the 6000 hours with an investigative agency.

So I'm starting to feel like I should just give the whole forensic community the finger. Clearly they don't want any of us non-law-enforcement nerds gaining any of their sacred knowledge. You have to be chosen to join their forensics priesthood and everyone else is a dirty protestant. Am I wrong about all of this? Am I blowing the problem out of proportion?

Tuesday, August 19, 2008

Information Security Jedi: Form II Lightsaber Combat

The most elegant and beautiful of the basic forms of lightsaber combat was form II. This form emphasizes clean moves, parries, and thrusts rather than the blocking and slashing of other forms. There is a discipline within information security that can claim the title of being so beautiful and so difficult to master: risk management.

A master of risk management meticulously calculates the probability of some event happening, the damage that can be done from that event, and how much effort the organization must put into mitigating that threat. No wasted movements, no throwing money at the problem to make it go away. If some event manages to do damage to his information, he can rest assured that he put precisely the right amount of effort into stopping that event and go on with life. Practitioners of other forms might beat themselves up for not preventing it from happening.

There are several hallmarks of Form II information security combat. The Form II practitioner is more likely to develop and use metrics to measure the effectiveness of the controls that have been put in place. This person is also likely to use finance and statistical tools like normal curves and Net Present Value to estimate what must be done to protect the network. Although regulatory compliance is not strictly related to risk management, you will often find that masters of Form II are well versed in PCI, HIPAA, Sarbox, GLBA, and other regulations that affect their organization.
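To make the finance talk concrete, here is an added example (not from the original post) of the kind of calculation a Form II practitioner runs before funding a control: it turns a single loss expectancy and an annual rate of occurrence into an annualized loss expectancy, then discounts the loss the control avoids against what the control costs to get a net present value. The threat (laptop theft with and without full-disk encryption) and every dollar figure and rate are assumptions constructed for the illustration.

```python
"""Added example, not from the original post: the arithmetic a Form II
practitioner does before buying a control.

The threat model and every figure below are constructed for illustration.
"""


def annualized_loss_expectancy(single_loss, annual_rate):
    """ALE = SLE x ARO: how much one threat is expected to cost per year."""
    return single_loss * annual_rate


def net_present_value(cashflows, discount_rate):
    """Discount a list of yearly cashflows back to today.

    cashflows[0] is spent or received now (undiscounted); cashflows[t] arrives
    t years out and is worth cashflows[t] / (1 + r) ** t today.
    """
    return sum(cf / (1.0 + discount_rate) ** t for t, cf in enumerate(cashflows))


def control_npv(ale_before, ale_after, upfront_cost, annual_cost, years, discount_rate):
    """NPV of a control: the loss it avoids each year, minus what it costs, discounted.

    Positive means the numbers justify the spend; negative means the organization
    is better off carrying the risk or finding a cheaper control.
    """
    avoided_loss_per_year = ale_before - ale_after
    flows = [-upfront_cost] + [avoided_loss_per_year - annual_cost] * years
    return net_present_value(flows, discount_rate)


def justified(ale_before, ale_after, upfront_cost, annual_cost, years, discount_rate):
    """The Form II decision: buy the control only if its NPV is positive."""
    return control_npv(ale_before, ale_after, upfront_cost, annual_cost,
                       years, discount_rate) > 0


if __name__ == "__main__":
    # Constructed scenario: a laptop fleet, full-disk encryption as the control.
    # Without encryption a stolen laptop is a breach (notification, legal, reputation);
    # with it, the loss is roughly the hardware.
    sle_unencrypted = 50_000.0   # $ per lost laptop, assumed
    sle_encrypted = 5_000.0      # $ per lost laptop once the disk is useless to a thief
    thefts_per_year = 0.4        # ARO across the fleet, assumed

    ale_before = annualized_loss_expectancy(sle_unencrypted, thefts_per_year)  # 20,000
    ale_after = annualized_loss_expectancy(sle_encrypted, thefts_per_year)     # 2,000

    npv = control_npv(ale_before, ale_after, upfront_cost=30_000, annual_cost=4_000,
                      years=5, discount_rate=0.08)
    print(f"ALE before: {ale_before:,.0f}  after: {ale_after:,.0f}  NPV of control: {npv:,.0f}")

    # Same control, but thefts are rare: the numbers say no, which is exactly why a
    # Form II shop finds it hard to fund more spending against the same risk.
    rare = control_npv(annualized_loss_expectancy(sle_unencrypted, 0.05),
                       annualized_loss_expectancy(sle_encrypted, 0.05),
                       30_000, 4_000, 5, 0.08)
    print(f"NPV of the same control with ARO 0.05: {rare:,.0f}")
```

The second scenario is the weakness Form II has from the other side: once the annual rate of occurrence is low, the same control comes out negative, and no amount of wanting defense in depth changes the sign.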

Form II is not without its weaknesses. Principal among them is that there is little focus on developing a deep bench of security controls. Once your numbers have justified a control to mitigate some risk, it is difficult to justify more money to mitigate that same risk. This is typically the domain of Form III lightsaber combat.

Practitioners of Form II are typically senior manager types or security professionals that come from an accounting or finance background. The accounting and finance field lends itself to the deep analysis required for mastering Form II.

As an information security Padawan, I feel that I haven't come close to mastering any of the basic forms of combat. However, I feel that I am strongest in Form III. I have only recently become aware of the power and elegance that comes from Form II. I intend to study Form II more carefully and start trying to incorporate it into my combat style and possibly even master the form.

Thursday, August 14, 2008

Pointsec for PC: WIL vs SSO vs NLA

One of my major projects for the year was leading classes on how to install and administer Pointsec for PC. One of the areas that we always spend a lot of time on is the difference between Windows Integrated Login (WIL) and Single Sign On (SSO). This also leads to quite a bit of discussion on the merits of each option.

Today I was looking at some of the older blog postings and I noticed that a few weeks ago someone had posted a question in the comments section. I'll quote from the comment:
What is your view in the WIL vs. Pre-boot debate? In light of the cold boot and firewire tools recently posted, do you believe Pre-boot is better? Or will it just encourage users to leave their machines turned on to avoid the inconvenience of the pre-boot login?
The answer to this question largely depends on the culture of the organization that you work for and how much power the IT department has in the organization. But before we get into the political side of SSO and WIL, let's talk about the technical merits.

The biggest advantage of Windows Integrated Login is that Pointsec becomes nearly transparent to the end user. The user logs in at the same screen he always did, with the same password he always used. There is nothing new to learn and no unfamiliar screen to be scared of. However, you are trading security for that usability. If the computer boots straight into Windows without pre-boot authentication, the machine gets all the way to the Windows logon screen with the disk already being decrypted, so you are exposed to any attack that can get into a running Windows machine, and time is on the attacker's side. Suppose I steal your laptop and it is configured for WIL. I can leave it powered off in a drawer for six months and watch for new vulnerabilities. When a good remote one is released, I boot the machine (which has missed six months of patches) and attack it over the network with the new exploit code. A perfect example is the winlockpwn tool, which abuses FireWire's weak security model to unlock a running Windows machine. Even if a patch has been released by then, the copy sitting in my drawer never received it, so I win.

Single Sign On is much more secure than WIL, but of course security comes at a price. With SSO the computer actually boots into a Pre-Boot Environment, a 32-bit, extremely bare-bones operating system. Once the user has successfully authenticated in the Pre-Boot Environment, Windows is loaded. The security of the Pre-Boot Environment comes from its stripped-down nature. Obviously you can't use Windows exploits against it because Windows isn't running yet. You can't really use network attacks against it because the network stack is barely functioning. FireWire isn't active, so that tactic is out as well. Single Sign On also securely caches the credentials the user logs in with so that he doesn't have to log in twice. All this security comes at a price though. For one thing, you have to make sure your users don't panic when they see a new login screen, which means investing in training. It's also possible for the passwords to fall out of sync, which is hard for users to understand. If you change your password from within Windows, Pointsec automatically updates the Pre-Boot Environment password, but if your password is reset at the server you still have to log in once with the old password. Users may not understand that a reset at the server doesn't magically make it into the Pointsec local database.

Is there a way to strike a balance between these two options? Well, maybe. Network Location Awareness is a feature that was added to Pointsec around version 6.2. The idea behind NLA is that you only need the added protection of the Pre-Boot Environment when the laptop is somewhere unsafe. You give Pointsec a list of IP addresses on your internal network. When the computer boots, Pointsec tries to reach those addresses; if it succeeds, it skips pre-boot authentication and loads Windows, and if not, the user has to authenticate in the Pre-Boot Environment. Before you rely on it, ask your vendor exactly how that check is performed, because "I can reach an internal IP" is only as strong as whatever makes that address hard for a thief to fake on a network he controls.

You of course will have to decide which of these options works best for you. Do you need the enhanced security of SSO? Do your users have enough political power to force you into using WIL? Are they too easily confused to deal with NLA? And keep in mind what the commenter's question is really pointing at: pre-boot authentication only buys you anything when the machine is powered off. A laptop stolen while it is running or suspended has the disk key sitting in RAM, which is exactly where the cold boot and FireWire tools go looking for it, so whichever option you pick, the policy has to include actually shutting the thing down. One thing I've never heard is someone complaining that Pointsec gives you a lack of options.

Wednesday, August 13, 2008

Information Security Jedi: Form 0 Lightsaber Combat

I'm going to put my Star Wars nerd cap back on and talk about the parallels between information security and the star wars universe. In previous posts on the topic I introduced the concept that in our world, information is like the Force. Our tool kits become our lightsabers and how we choose to use those lightsabers can be compared to the various forms of combat used by the Jedi.

We cannot neatly tie each form of lightsaber combat to a discipline in the information security field, but there are a couple that do fit nicely that I'd like to point out. In this post, I'm going to talk about Form 0 lightsaber combat.

For the Jedi, Form 0 was not a form of lightsaber combat in the typical sense of the word. It has no attack forms because Form 0 is a term used for the defensive techniques a Jedi used to avoid lightsaber combat. It was the art of finding alternate means of solving a problem.

This is a very noble and important skill for a Jedi to have, but it doesn't really have any place in the world of information security. I mean, if someone is going to steal your data you're not likely to have an opportunity to talk them out of it. What do we call it when someone doesn't secure a system and instead tries to prevent anyone from attacking it to maintain security? Well I call it Security by Obscurity, and it is the bane of information security professionals everywhere.

I'm not going to spend any time talking about Form 0 in the information security world because it is completely useless to us. It doesn't help us to meet any regulatory compliance, it certainly doesn't help to keep anything secure (since by nature it is a lack of security mechanisms) and it isn't very effective since it is pretty much assured that someone is going to work their way through your obfuscation. It was the same way for the Jedi. Form 0 was great for avoiding conflict, but if someone swung a blaster around to a Jedi, he or she would quickly pull out their lightsaber and use a different form.

In the toolkit of a Form 0 practitioner expect to find lawyers that will sue anyone trying to research their product. Form 0 masters might use defensive techniques such as running services on non-standard ports, or changing file extensions so that it isn't obvious what the file is for.

Tuesday, August 5, 2008

Information Security Jedi: Lightsaber combat

It's been a while since I wrote about my observations comparing information security to the Force and its practitioners to the Jedi and Sith. I've talked about the information that we protect and how that can be likened to the Force and how the toolkit that we use to protect or exploit information can be thought of as our lightsabers. So now we should take a moment to talk about lightsaber combat. This introduction will kick off a series of posts about the various forms of lightsaber combat.

The Jedi and Sith both mastered different styles of lightsaber combat. Their chosen style was a reflection of their teaching, their physiology, and their personalities. All Jedi were trained in the basic forms of lightsaber combat but very few of them mastered each form. I believe that it is the same for the information security practitioners of today. There are several ways of defending information and exploiting information, but few people have mastered all of them.

This is a realization that came to me when I was reading about the various forms of lightsaber combat. I saw that some of the forms were similar to some of the disciplines in the information security field. I've mentioned before that I am a lowly Padawan in the world of information security, and I confess to sometimes feeling overwhelmed by the various ways that things can go wrong. Sometimes it seems like there are a million things that you need to know if you're going to be an information security professional. But then I realized that even the Jedi Masters were not masters of every form of lightsaber combat. Surely I cannot be expected to master risk management, penetration testing, forensics & IR, and industry compliance. Much like the Jedi Masters of old, I will attempt to learn each discipline of the information security industry, but I will only attempt to master two, possibly three.

I will not attempt to draw a direct comparison between each form of lightsaber combat and a discipline in the information security field, but there are a few interesting parallels that I will explore in future posts.

Form 0
Form II

Tuesday, July 15, 2008

Symantec Antivirus: the Jar Jar Binks of Information Security

Earlier this week I published a post where I talked about an adventure I had once with a worm that was spreading around my organization and how we dealt with it. In that post I made a comment about Symantec Antivirus being able to detect the virus and tell you that you were infected, but it wasn't doing anything to stop the spread of the infection. This leads me to this post.

I firmly believe that antivirus technology vendors are the Gungans of the information security world. They talk funny and they're really only good for distracting an attacker while you do something worthwhile. And if antivirus technology vendors are Gungans, then Symantec Antivirus is Jar Jar Binks! You know how much any self-respecting Star Wars fan hates Jar Jar Binks? Well that's how much I hate Symantec Antivirus. Much like Jar Jar Binks it takes up a lot of space, makes a lot of useless statements, annoys the shit out of you, and makes you wonder why anyone would intentionally put it on their computer (or in their movie).

Recently a bunch of my coworkers were bitching about Symantec Antivirus, and how each version of it is heavier than the last and just as useless. This led me to create Black Fist's First Law of Symantec Antivirus:
For any version of Symantec Antivirus, X: Symantec Antivirus X-1 was better.
Someone else followed this logic all the way back and discovered this great truth:
Symantec Antivirus Version 0 (meaning no Symantec Antivirus at all) is best.
The problem with antivirus software is that there is so much malware in the world that they can't possibly keep up. They regularly purge their signatures of old malware that has become rare on the Internet, which leaves you exposed to a certain degree. The really nasty stuff is the zero day malware that they won't have signatures developed for yet. When Slammer came out in 2003, it spread around the Internet in 30 minutes! How can a reactive software package hope to protect you from that? In fact, the only reason I even run antivirus at my organization is because if we didn't someone would probably accuse me of being negligent. I honestly do not believe that it provides me with value anywhere near the cost of the safeguard.

Consider this as an exercise. If you do not run antivirus software on your computer, what is the probability that you will become infected with malware in a given year? I would say for the average user the answer is .8. So we can say that in a five year period, that average unprotected user would contract malware four times. Each time you have to clean up the infection, which probably costs $50. Norton 360 costs about $80 right now, plus you have to pay for a subscription, so in five years you'll probably spend $120 on protection. Here is where you get the breakdown in value: I believe that even with antivirus installed, you've still only reduced the probability from .8 to .5, maybe. By that math, you're going to spend $120 to get $75 of savings.

I know that I'm not the only one out there that believes that antivirus is not very effective. I'd like to know if my analysis is too extreme, or if you think I'm spot on. Remember, I'm still learning about information security, and whenever I buck conventional wisdom I feel like I should be open to the fact that I might be wrong. I'll revise my opinion when sufficient evidence comes to my attention.

EDIT: Here is a link to an article that shows at least one group of people agree with me on this one. The article makes the claim that using a whitelist of approved applications rather than a blacklist is more effective, and I agree with that. It also says that whitelisting hasn't caught on because it is relatively new technology which I believe is not true. http://www.darkreading.com/document.asp?doc_id=158750&WT.svl=news1_5

Thursday, July 10, 2008

Information Security Jedi: Lightsabers

Over the last couple of weeks I've been making comparisons of the information security profession and the Jedi of the Star Wars Universe. I've talked about the Force, the Jedi, and the Sith. Today I'd like to talk about the primary weapon of the Jedi and the Sith, the lightsaber.

A lightsaber is essentially a laser sword that will pass cleanly through almost anything except for another lightsaber and certain exotic metals. It was used almost exclusively by people that were sensitive to the force because it was not very easy to use. Without proper training the lightsaber could be fatal to the person using it. And even if the person was able to use a lightsaber without killing himself it is hard to use it effectively unless you have the reflexes of someone strong with the Force. With all of these limitations, you might wonder why anyone would use this weapon. Well, in the hands of someone who is well trained and strong with the force, there is no finer weapon. It can slice through almost all melee weapons with no effort whatsoever, and it can be used to deflect blaster shots. A skilled Jedi could even throw the lightsaber short distances making it into a ranged attack weapon. It was elegant, small, lightweight, and became the very symbol of the Jedi order.

The lightsaber was as much ceremonial as it was functional. One of the major tasks of a Jedi or Sith apprentice was to construct a lightsaber. The apprentice would spend a significant amount of time building the lightsaber hilt, selecting the perfect crystal, and using the Force to improve the efficiency of the device. The shape, size, and weight were often determined by the species of the owner, and the style of lightsaber combat favored by the owner. I'm going to spend some time in the upcoming weeks talking about forms of lightsaber combat because that was what really sparked my interest in comparing the Jedi to information security professionals. For now, let's just say that there are different ways to use a lightsaber depending on your strengths, weaknesses, and goals.

For the information security professional, it is the tool kit that becomes his lightsaber. Think about it: you spend a great deal of time selecting which tools you want to assemble. Some of them are pretty standard, like Nmap or Nessus, and others are more specific to the work you do, such as The Sleuth Kit. An information security professional carefully decides which tools he is going to master, which ones he will keep a working knowledge of, and which ones to discard. This becomes the lightsaber of the information security professional. It is this toolkit that will be used to defend the information of the organization.

Using the lightsaber of information security, our Jedi can redirect attacks that are aimed at them, and in some cases, prevent attacks from occurring just by making his or her presence felt. An information security Jedi will spend as much time practicing with his or her lightsaber as any Jedi did in the Star Wars Universe.

How does this comparison help you with your career? Remember that the set of tools that you use is the very weapon of your trade. Work hard to master the utilities in your toolkit, and remember that you probably don't have room for everything. If you become a master with your lightsaber, you will find that you don't have to use it as much, which will help you to advance in your career, and when you do have to use it you will be able to put down problems much more quickly.

As an example, I would point to my early days as a security Padawan. We had a worm spreading around our campus and we needed to eliminate it. As with most malware, Symantec Antivirus was able to detect it, but wasn't doing anything to prevent machines from getting infected. I had one individual working with me who is much more experienced with the tools of information security, although IT security is not his full-time job. I attacked the problem by gathering a sample of the malware and running it in an isolated virtual machine. I then used tools like Filemon, Regmon, and Wireshark to find out what the program was doing on the host and on the wire. I discovered that after a machine was infected, it would make a DNS request for a particular host. I then set up a rule in Snort to look for any DNS requests for that host and used the alerts to identify machines that were infected. My co-worker examined packet captures and looked for common elements among the machines. He determined that the worm was making use of a bug in VNC that was just under a year old. He then used Nmap to scan our entire IP space for machines listening on the VNC port, and then ran the results through Nessus to find out which machines were vulnerable so they could be updated.

We each took a different approach to solving the problem, and while both were effective, his mastery of tools allowed him to put down the problem much faster and in a more proactive way. We were able to patch machines that hadn't been infected yet, which is always the best way to fix a problem. Thus his mastery of the lightsaber allowed him to eliminate an attack more quickly and was also able to prevent some attacks from happening at all.
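The DNS trick in the story above (flag any host that looks up the worm's beacon name) is simple enough to show in code. The following is an added example, not the author's Snort rule or anything from the original post: it parses the question section of DNS queries, matches a hypothetical beacon hostname (`update.example-c2.invalid`, chosen for illustration) case-insensitively, and also renders the name the way a Snort `content:` match has to see it on the wire, with each label prefixed by its length byte. The packets it runs over are constructed in the block, not captured.

```python
"""Added example (not from the original post): spotting infected hosts by the
DNS lookup a worm makes, the way the Snort rule in the post did.

Assumptions: the worm resolves the hypothetical name WATCHED_NAME; the UDP
payloads in __main__ are built here, not captured from a real network.
"""
import struct

WATCHED_NAME = "update.example-c2.invalid"  # hypothetical beacon host, assumed


def encode_qname(name):
    """DNS wire form of a name: each label prefixed by its length, then a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("DNS labels must be 1..63 bytes")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, txid=0x1234, qtype=1):
    """Minimal standard query: QR=0, RD=1, one question, given type, class IN."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack(">HH", qtype, 1)


def parse_question_names(payload):
    """Return the lower-cased names in the question section of a DNS message.

    Responses (QR bit set) return []: we want who *asked*, not the resolver's
    answer. Only uncompressed names are handled, which is all a question carries.
    """
    if len(payload) < 12:
        raise ValueError("short DNS header")
    _txid, flags, qdcount = struct.unpack(">HHH", payload[:6])
    if flags & 0x8000:
        return []
    names, pos = [], 12
    for _ in range(qdcount):
        labels = []
        while True:
            if pos >= len(payload):
                raise ValueError("truncated name")
            length = payload[pos]
            pos += 1
            if length == 0:
                break
            if length & 0xC0:
                raise ValueError("compression pointer in question section")
            labels.append(payload[pos:pos + length].decode("ascii", "replace"))
            pos += length
        names.append(".".join(labels).lower())   # DNS names are case-insensitive
        pos += 4                                  # skip QTYPE and QCLASS
    return names


def infected_hosts(packets, watched=WATCHED_NAME):
    """packets: iterable of (src_ip, udp_payload). Returns the sorted list of
    sources that asked for the watched name or anything beneath it."""
    hits = set()
    for src, payload in packets:
        try:
            names = parse_question_names(payload)
        except ValueError:
            continue   # not DNS or malformed: skip it rather than crash the sensor
        for name in names:
            if name == watched or name.endswith("." + watched):
                hits.add(src)
    return sorted(hits)


def snort_content(name):
    """Render a name as a Snort content: string: length bytes as |hex|, labels literal."""
    labels = name.rstrip(".").split(".")
    return "".join(f"|{len(label):02x}|{label}" for label in labels) + "|00|"


if __name__ == "__main__":
    sample = [                                           # constructed traffic
        ("10.1.2.3", build_query(WATCHED_NAME)),
        ("10.1.2.4", build_query("www.example.com")),
        ("10.1.2.5", build_query("UPDATE.Example-C2.invalid")),  # same host, odd case
        ("10.1.2.6", b"not dns at all"),
    ]
    print("infected:", infected_hosts(sample))
    print('content:"%s"; nocase;' % snort_content(WATCHED_NAME))
```

The two details that bite in practice are both in there: DNS names are case-insensitive, so a plain string match misses `UPDATE.Example-C2.invalid` unless you normalize (or add `nocase` in Snort), and the wire form carries length bytes instead of dots, which is why a Snort rule for this host matches `|06|update|0a|example-c2|07|invalid|00|` rather than the dotted name.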

Wednesday, June 25, 2008

Information Security Jedi: Dark Side Beings

I've been running a series of blog entries comparing the practice of information security in our world to the Jedi order of the Star Wars Universe. In my previous post I talked about the light side beings of the Star Wars Universe, namely the various ranks of the Jedi order. This time I'd like to talk more about the dark side of the Force and the beings that make use of it.

The dark side of the Force is basically the evil side. It is the side of the force that is associated with anger, aggression, fear, and suffering. The powers of the dark side are typically attack oriented. For example, a Jedi might master battle techniques that focus on rallying the troops, healing people, or enhancing their own physical abilities. A dark side being might master battle techniques such as choking an opponent, shooting lightning at an opponent, or literally draining the life from an opponent.

So who were the dark side beings in the Star Wars Universe? Well there were several. The dark side equivalent of the Jedi order would be the Sith, which has many parallels with the Jedi. But if you thought the Jedi were few in number, then you'll be shocked at the small number of Sith. Most of the time there were only two of them because of the Rule of Two. It turns out that Sith really enjoy killing the hell out of each other, so when you get Sith in sufficient numbers they start killing each other and they can't focus on killing Jedi. So a bad dude named Darth Bane made up a rule that there would only be two Sith at a time: the Master and the Apprentice. That way they could focus on killing Jedi and they wouldn't spend as much time killing each other.

There were other dark side users that a Jedi had to fear besides just the Sith. The dark side of the Force tempts everyone that is sensitive to the Force, and the stronger you are with the Force, the stronger the call of the dark side will become. So one thing the Jedi had to deal with were other Jedi that fell to the dark side. They didn't formally join the Sith, but they did become corrupted and became a threat to the galaxy.

You see, the thing you have to know about the dark side is that if you give in to the temptation to use the dark side, then the call of the dark side becomes even stronger. Since you gave in to the dark side at the previous level of temptation, you now face an even greater probability of falling to the temptation a second time. And a third, and a fourth and so on. Eventually, a person can become addicted to the power of the dark side. Then some Jedi has to say "hey man, that's not cool! You need to quit with all the dark side stuff." Then the corrupted Jedi says "hey screw you man, you don't know me!" Then they fight, and one of them dies.

Then there were people that were sensitive to the Force but had never been formally trained in the ways of the Force. So they usually developed a few powers that made them a threat to other beings in the galaxy and the Jedi would have to come in and deal with them.

Now that we've talked about the dark side users in the Star Wars Universe, let's talk about the dark side users in the information security field. I think it's best to work from the bottom up on this one, so let's look at the Force-sensitive dark side users that have not been formally trained. I think it's not a stretch to compare these to the script kiddies that we have to deal with today. Script kiddies discovered that they have some interest in information security, but without guidance they have turned to the dark side of the Force to learn more about information security. Another untrained dark side user is the curious user on your network. They go snooping around and might damage systems in the process. For the most part, a well trained Jedi or Padawan should be able to handle a script kiddie, but it would be foolish and arrogant to stop seeing them as a threat. A script kiddie can and will hurt you. They will develop more skills and because they are addicted to the dark side, they will destroy your networks just to prove to themselves that they can.

What about the dark Jedi; the ones that were once followers of the light and became corrupted? I think this is the information security professional that starts using the dark side to police the networks that he was assigned to protect. Have you ever been tempted to search a user's private folders for contraband without following proper procedure? Maybe that worked for you, so now you start gathering tcpdumps of people's computers without permission (which is an illegal wiretap). Soon you've become a security threat that needs to be dealt with. Sometimes a dark Jedi can be redeemed, other times they have to be fired.

Now we start talking about the really serious threats, the Sith. In the Star Wars Universe there were only two of them at a time, but in our world there is an army of them. I like to think of the Sith Apprentices as the professional hackers that create malware, run botnets, and steal identities. They are only interested in gaining more power and money, just like a Sith lord, and they are very powerful. They will use elements of the Force not used by the dark Jedi and they will use every avenue of attack available to them. They will destroy your network if they believe that they can make more money doing so. Also, don't let yourself be fooled into thinking that a Sith Apprentice is less of a threat than a Sith Master. A well trained Sith Apprentice can be nearly as powerful as his Master, and should be dealt with as carefully as the master.

Sith Masters are rare in our world, but not as rare as they are in the Star Wars Universe. A Sith Master is probably the most dangerous black hat hacker you will ever come across in your information security career. So what makes a Master? Well, much like being a Master Jedi, I think a Sith Master is basically a Sith Apprentice that has amassed so much power that he is recognized by Jedi and Sith alike as a Master of his trade. These are truly evil people that will steal the identities of millions of people and sell them for their own personal profit. They build giant botnets that spew spam across the Internet, threatening to eliminate the utility of this network, just to put more money in their pockets. Just like a Sith Apprentice, these Masters will use any technique available to them to increase their power. The only difference is that they already have incredible power that they can bring to bear. I would like to also point out a particular kind of Sith Master that you should be particularly fearful of. I have mentioned that Sith Masters are the pinnacle of evil in the information security world. As a Jedi you would do well to remember that evil is a point of view, and sometimes you will be viewed as the evil one. Some Sith Masters are government-sponsored hackers that are not necessarily evil people. These hackers have incredible power because they are immune from prosecution and they have the resources of a government to help them identify vulnerable targets and new avenues of attack. I say that these people are not necessarily evil people because they are attacking your network in service to their government. Most of them would probably not drain the savings accounts of retired people just to put it in their own pockets.

Hopefully this information will help you to know your enemy. You should think carefully about the information that you protect and ask yourself what kind of dark side beings you're likely to encounter. Of course, you can never be sure that the person scanning your network isn't a Sith Master, but maybe you don't need to strip search the exterminator if you're only protecting the church mailing list. Remember the lessons of the Jedi Masters that have come before you, and always heed the warning that once you give in to the dark side of the Force, you have started down a dangerous path.

Saturday, June 21, 2008

Information Security Jedi: Light Side beings

In my previous post on this topic I talked about the nature of the Force in the Star Wars Universe and I explained why I feel that in our world the closest thing we have to the Force is information itself. I talked about the ways that being strong with "the Force" in our world makes you more powerful and improves your station in life.

I also mentioned that the Force has a light side (which is typically just called the Force) and a dark side. I'd like to spend some time today talking about the beings that use the light side of the force and how that relates to the information security field.

The foremost users of the Force in the galaxy were the Jedi, the protectors of the galaxy and the Republic. Although they were few in number, they were so good at resolving conflict that they were able to keep peace in the entire galaxy without the need for a standing army. And as the title of these posts probably suggests, I am of the belief that information security professionals are like the Jedi of our world. It is our job to protect the information resources of the whole world and there are relatively few of us compared to the total number of information users out there.

Among the Jedi there were several ranks. There were the Younglings which were children ranging from infants to about 12 or 13 years old. The Younglings were taught the basics of the Force in groups. When they reached the proper age, some of them would be selected by a Jedi to serve as a Jedi apprentice, the rank of Padawan. As a Padawan the being would assist the Jedi who was allowed to have only one Padawan at a time. When the Padawan reached a certain level of maturity and understanding of the Force, the Jedi would recommend the Padawan for "the Trials." If the Padawan successfully completed the Trials, he or she would be granted the title of Jedi knight. This usually occurred when the Padawan was in her early 20's. After many years of dedicated service, and after reaching several milestones the Jedi Council may choose to bestow the title of Jedi Master onto a Jedi.

So how do these ranks compare to the information security professional of today's world? Well, not very well it turns out. For one thing, most of us do not have Masters that take us under their wing and teach us everything they know. There is also no set of widely accepted ranks that apply to the information security professional. OK, but there are still some parallels that we can draw between the Jedi and ourselves. For example, many people in the information security field did not start there. I got my start as a Windows system admin, and then moved into a network engineer career. During this time I learned some of the fundamentals of information security, but I was not an information security professional. At this time in my career, I think you could make a good comparison to the Younglings in the Jedi order. When I got my first job as an information security professional, I became a Jedi Padawan.

Some people do start their careers as information security professionals, and that's OK too. Remember that Anakin Skywalker became a Padawan as soon as he joined the order; he never trained with the other Younglings.

So when I got my infosec job I became a Padawan. How will I know when I'm a Jedi? After all, we don't have anything like the Trials, do we? Well, sort of. We have certification tests, there are classes that we can take, and there are techniques that we can master as we specialize in our field. That's probably the closest that we're going to get to the Trials. I guess you really become a Jedi when most other professionals view you as a Jedi.

What about the Masters? Keep in mind that there were very few Jedi Masters, and not all Jedi would become Masters. In our field I think the Jedi Masters are those rock stars who provide guidance to us all. People like Paul Asadoorian, Larry Pesce, and Johnny Long. These people are content creators that other Jedi turn to for new techniques and guidance on how to operate. I would say that you become a Master when the other Masters say that you're a Master, just as it was in the Star Wars Universe.

How can you use this metaphor in your information security career? I would say that you should start by considering where you are in your career. Are you a Padawan, a Jedi, a Master, or a Youngling? Then you should think about what the role of each of those positions is. As a Padawan, I feel that I need to be focusing on earning the respect of my peers, and I'm likely to do that by learning my craft, taking training classes, passing certification tests, and demonstrating that I have the proper knowledge of the Force and resistance to the Dark Side. Remember that we are all tempted by the Dark Side, but as a Youngling or a Padawan you are at particular risk of being corrupted by the Dark Side by engaging in black hat hacking. Other required items on the path to knighthood include building your own lightsaber and learning the basic forms of lightsaber combat. I'll talk more about that in another post. Next time I'm going to talk about the Dark Side of the Force and the beings that use it.

Wednesday, June 18, 2008

Jedi of Information Security: The Force

Obviously you can't really have a discussion about the Jedi without talking about the Force. In this post I'd like to talk about the nature of the Force and how that compares with the practice of Information Security.

In the Star Wars Universe, the Force is an energy that creates life and is in turn created by life. It surrounds all living things and binds the whole galaxy together. Individuals that are sensitive to the Force are able to tap into this energy to perform various feats, such as gaining knowledge of the future, moving objects, and healing people's bodies.

The Force was known to have two sides: the light side of the Force (which was typically just called the Force) and the dark side of the Force. The Force was associated with being passive, compassionate, and good, while the Dark Side was associated with aggression, power, anger, and pain.

Obviously in our world there is no such thing as the Force, although there is at least one church that I've heard of where people worship the Force. When we're talking about Information Security we're also not talking about a galaxy and we don't have an energy field that binds us all together. So what would be the equivalent to the Force when we compare the Jedi to Information Security practitioners?

My answer is that information is the Force in our world. Information is something that we all have. It is the one thing I can think of that binds all of our users and computer systems together. Like the Force, information can be used for both good and evil purposes, and if you gather enough of it you can perform incredible feats, even moving objects with your mind.

Like many religious orders, the Jedi were not all in agreement about the nature of the Force. One thing that the Jedi could not agree on was whether the Force was a sentient, thinking being, or just an energy field that was part of nature. Make no mistake, all Jedi respected the Force, but not all of them believed that the Force had a will of its own. For the most part, we can say that this is not true of information. I doubt that there are many of us who believe that the information we hold has its own agenda and is capable of its own thought. However, it should be noted that there are some who believe that information wants to be free, in other words expressing that information is capable of desire, at least in a figurative sense.

Another view of the Force that was not agreed upon was the concept of a light side and a dark side. Some Jedi believed that the Force didn't have good and evil powers; there were only the intentions of the practitioner. In this case I think we can again say that information does not have a light side and a dark side. So if we were Jedi of the Old Republic we would have been tossed out for being heretics!

The biggest parallel I see between information and the Force is that in both our Universe and the Star Wars Universe, having strength with the Force places you in a higher social status than beings who do not have it. A Jedi was not likely to end up being a nerf herder in the Star Wars Universe. In our world humans and apes have nearly identical DNA, and we are far weaker than apes in most physical characteristics. However, because we are able to collect, interpret, and create information better than apes, my wife doesn't have to pick bugs off of my body and eat them. Even among humans, we mostly agree that being smart is preferable to being dumb.

One mistake that is frequently made when a person uses a metaphor to explain something is attempting to stretch the metaphor too far or forcing concepts to fit within the metaphor. I want to try to avoid this by pointing out places where my Jedi metaphor of information security doesn't fit. In this case, I don't think it quite fits that Jedi use the Force for knowledge and defense to protect people and the Republic. Information security practitioners use information to protect other information. Jedi do not use the Force to protect the Force. I'm only bringing this up to point out that my comparison of information to the Force is not perfect. For now, this is what I'm going to go with unless I think of a more appropriate comparison. Now that you have an understanding of the Force as it pertains to information security, we can start talking about the people who use the Force, and what the Force is used for.

Jedi of Information Security

One of the things that led to the creation of this blog was a discussion I had with someone a couple of weeks ago about the various fighting styles of the Jedi. Yes, I'm talking about the same Jedi from the Star Wars Universe.

It occurred to me that just as the Jedi had different fighting styles and preferences, so too is the case for information security professionals. I started trying to categorize the fighting styles of the information security professional and I found that some of the styles even match up to the various forms of lightsaber combat.

As I kept thinking about this over the next few days I started to discover more similarities between the Jedi and the contemporary information security professional. For example, each Jedi Padawan goes on a mission to find the right pieces and construct his or her own lightsaber, much in the same way that a security professional assembles the tool set that he or she will use in the battle to protect information. In the Star Wars Universe there are good and evil practitioners of the Force, just as we in the security field have white hat and black hat hackers.

Finally, I thought that there might just be enough material here that I could put it all together into a blog and combine it with some of the other thoughts that I've had as I chronicle my own growth and understanding of information security. In the world of information security I consider myself to be a Padawan learner, and as I've compared the practice of information security with the practices of the Jedi I've found that it has led to a greater understanding of the former. It has helped me to accept that even though there is so much that I have yet to learn about information security, there is also quite a bit that I have learned already, and even the masters are still learning and improving their craft. I hope my thoughts on the comparison of Jedi and information security practitioners prove to be insightful, entertaining, and light hearted.