Information Security and Starcraft II

Posted in /opt/risk_management, /root/IT Management, /var/rant on October 4th, 2010 by Rick Zhong

For the past month, I have probably spent half of my free time playing Starcraft II on Battle.net. While I am trying to pull back a bit and get back to the usual IS research I do, I find the two (Information Security and Starcraft II) are amazingly similar in multiple aspects.

In the Information Security world, we always look at People, Process and Technology, while in Starcraft, Resources, Troops and Technology are the threesome that wins a game. In both cases, an optimal balance of these three factors is the key to successfully managing enterprise information security or defeating your opponent in a Starcraft 1v1 game. Also, an objective and adaptive strategy is fundamental in both cases. As IS professionals, we need to keep a close eye on the current threat landscape and emerging threats, and allocate resources (your budget) accordingly. In Starcraft, scouting and intelligence about your enemy’s strategy is used to decide how you want to spend your minerals and gas.

At the tactical level, a complementary mix of troops is the most basic micro technique in Starcraft. Similarly, in Information Security, I am a strong believer in multi-layer/tiered implementation and in the diminishing returns of investing in a single type of security control. A single type of IS control can only reduce the overall risk by a certain percentage, and subsequent investment in the same type of control yields a decreasing return that eventually reaches a plateau. In one of the recent talks I attended, Dr Peter Tippett from Verizon Business illustrated this with the example of safety belts among car safety controls. A nylon safety belt will reduce the probability of a fatal car accident by 50%, while a high-cost titanium safety belt will only reduce it by another 3%. Instead, an airbag, at a fraction of the cost of a titanium safety belt, will reduce the risk much more significantly.
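The layered-controls argument above can be made quantitative: independent control layers multiply down the remaining risk, and each further tier of the same control type is worth less because it only acts on what earlier tiers left behind. The following is an added example, not code from the post and not Dr Tippett's or Verizon's model. The catalogue, costs and the 50% / "another 3%" / airbag figures are constructed to echo the belt illustration; the greedy allocator picks, at each step, the affordable option with the best absolute risk reduction per unit cost, which is what "diminishing returns" means in practice when a budget is being split across control types.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# All names and numbers below are hypothetical, constructed to echo the post's
# belt/airbag illustration; they are not data from the post or from Dr Tippett.


@dataclass(frozen=True)
class Control:
    name: str
    layer: str              # control type: tiers within a layer upgrade each other,
                            # different layers stack independently
    reduction: float        # fraction of the *remaining* risk this option removes
    cost: float             # constructed unit cost
    requires: Optional[str] = None   # prerequisite tier in the same layer


# Constructed catalogue. The post's 50% belt and "another 3%" titanium upgrade
# are expressed relative to the risk left after the previous tier:
# 3% of the original risk is 6% of the 50% that the nylon belt leaves behind.
CATALOG: List[Control] = [
    Control("nylon_belt", "belt", 0.50, 50.0),
    Control("titanium_belt", "belt", 0.06, 1000.0, requires="nylon_belt"),
    Control("airbag", "airbag", 0.40, 300.0),
]


def residual_risk(baseline: float, chosen: List[Control]) -> float:
    """Independent layers stack multiplicatively: each removes its fraction of what is left."""
    risk = baseline
    for control in chosen:
        risk *= 1.0 - control.reduction
    return risk


def marginal_value(baseline: float, chosen: List[Control], candidate: Control) -> float:
    """Absolute risk removed per unit cost if `candidate` is bought next.

    This is where diminishing returns show up: the same `reduction` is worth
    less once earlier controls have already shrunk the remaining risk.
    """
    gain = residual_risk(baseline, chosen) * candidate.reduction
    return gain / candidate.cost


def plan(baseline: float, catalog: List[Control], budget: float) -> Tuple[List[Control], float]:
    """Greedy allocation: repeatedly buy the affordable option with the best marginal value."""
    chosen: List[Control] = []
    remaining = budget
    while True:
        owned = {c.name for c in chosen}
        affordable = [
            c for c in catalog
            if c.name not in owned
            and c.cost <= remaining
            and (c.requires is None or c.requires in owned)
        ]
        if not affordable:
            break
        best = max(affordable, key=lambda c: marginal_value(baseline, chosen, c))
        chosen.append(best)
        remaining -= best.cost
    return chosen, residual_risk(baseline, chosen)


def plan_names(baseline: float, catalog: List[Control], budget: float) -> List[str]:
    """Convenience wrapper returning only the names of the chosen controls, in purchase order."""
    return [c.name for c in plan(baseline, catalog, budget)[0]]


if __name__ == "__main__":
    for budget in (100.0, 400.0, 1400.0):
        chosen, left = plan(1.0, CATALOG, budget)
        print(f"budget {budget:>6}: {[c.name for c in chosen]} -> residual risk {left:.3f}")
```

With these constructed numbers the allocator buys the nylon belt first at any budget, adds the airbag as soon as it is affordable, and only reaches for the titanium upgrade once both cheaper layers are in place; spending on the titanium belt before the airbag leaves clearly more residual risk for far more money, which is the plateau the post describes.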

Just like Starcraft’s micro (unit control in battles) and macro (resource planning, map control etc.) management, there are also micro and macro in Information Security. We need a risk framework, governance, strategy, measurements and metrics etc. at the macro level, but we also need micros such as vulnerability research, code analysis, log monitoring, intrusion signature development and reverse engineering. Lacking either one will neither win you a Starcraft game nor protect your enterprise information effectively.


From Storm to Conficker - A Changing Perception of Malware Developers

Posted in /etc/IT_security/news, /home/research, /var/rant on March 31st, 2009 by Rick Zhong

I have to admit that recent malware like Storm and Conficker has really impressed me, with its various top-notch feature implementations and the strong skills and knowledge demonstrated. If you still think malware developers are a bunch who only know how to package published vulnerability POCs and insert the payloads into outdated templates, you are probably still living in the pre-2004 era. Yeah, that’s not very long ago, but long enough for the information security industry to get rid of a bunch of old concepts and ideas. Here is the original description from SRI about the Conficker worm: Conficker Write-up.

One paragraph from this write-up really sends a chill down the spine of most infosec folks.

“Finally, we must also acknowledge the multiple skill sets that are revealed within the evolving design and implementation of Conficker.  Those responsible for this outbreak have demonstrated Internet-wide programming skills, advanced cryptographic skills, custom dual-layer code packing and code obfuscation skills, and in-depth knowledge of Windows internals and security products.  They are among the first to introduce the Internet rendezvous point scheme, and have now integrated a sophisticated P2P protocol that does not require an embedded peer list.  They have continually seeded the Internet with new MD5 variants, and have adapted their code base to address the latest attempts to thwart Conficker.   They have infiltrated government sites, military networks, home PCs, critical infrastructure, small networks, and universities, around the world.  Perhaps an even greater threat than what they have done so far, is what they have learned and what they will build next.”

While we, the infosec folks, are happily talking about nice-looking processes, management, frameworks etc., indulging ourselves in various fanciful security solutions full of marketing hoohaa, we seem to forget about the fundamentals. Probably we need some form of wake-up call, before it is too late.


Get rid of the Monday blues - a self-pwned ad from IBM ISS

Posted in /home/open-source, /tmp/others, /var/rant on March 2nd, 2009 by Rick Zhong

What do you think of when you see the pinky pig? :-) And the balance is tilted to the pinky pig!!

http://www.iss.net/

Oink..oink...


For all the friends in Information Security Industry

Posted in /var/rant on November 17th, 2008 by Rick Zhong

Here is an article from CSO Online, and I can’t help but blatantly post it here to share with all my friends in the Information Security industry. Information security is a very young industry and we need people to have faith in what we are doing and the value we create. It’s sad that we see a lot of people leaving during the good years to pursue greater monetary gains, and also people who are forced to go when the economic crisis strikes. I heard one veteran mention that “All of us want to quit the InfoSec industry but realized that it has sucked us in!” I hope this quoted article can help us survive the current economic recession and keep the passion and faith in the profession to which we have dedicated our careers.

========================================================

November 04, 2008

When meeting someone new and describing my background in this industry I often say “I’ve seen the best of times, I’ve seen the worst of times and most of what falls in between.” I’ve been recruiting in Information Security long enough to have experienced the heady times of the dot.com boom and the dark days that followed after it all came crashing down. I’ve also been here as the industry has grown and evolved—sometimes as a result of and sometimes in spite of significant difficulties. This evolution leads to adaptation, and it’s the ability of people to adapt and rise above one challenge after another that makes our industry so dynamic.

Given what I do, communicating with and connecting people, I’ve offered both a shoulder to cry on and kick in the pants to those that need it—especially in uncertain times like the ones we’re facing. I don’t enjoy either situation. For the purpose of this column I wanted to offer some sound advice to those Information Security professionals who are concerned about the future of their jobs. Think of it as a general checklist of things that you probably should be doing all the time but need to devote some time and consideration to right now, especially if your future is uncertain.

First, know your differentiators. Understand what sets you apart from your peers and how you can use these qualities to best advantage. Similarly, think about your personal “brand”. If you had to describe to another person who you are, what you do and most importantly what problems you can solve, how would you do it? Develop a personal branding statement that will allow you to do this whether it’s in the elevator with your boss’s boss or on a job interview.

For example, I was speaking with a candidate who had very strong application security skills. She also had a great sense of humor and was a natural communicator. She was frustrated because she was falling behind in her work due to the number of times she was personally requested to sit in on IT project meetings. I laughed when I heard this because she didn’t realize what she was saying. The result was one more critical differentiator that strengthened her personal brand. So now, when somebody asks her what makes her stand out, she’ll tell them “Although my primary focus is application security risk assessment, I’m the person my company relies on to bridge the gap between business and security requirements and who gets everyone to work and play well together.”

Second, find ways to leverage your differentiating qualities to add greater value to your current organization. By demonstrating the ability to provide solutions and solve problems important to your company you may just save your job, or at least postpone your departure. So find out what the hot buttons are—not just within security but with other areas of IT and within the business you support. There may be hidden opportunities where your perspective and experience could make a difference.

Third, work on strengthening your relationships with your management as well as other stakeholders or clients you support. Communication is key to accomplishing this. Developing an active and open rapport with others will help you better understand the big picture of what’s going on around you. It will also help you keep your cool and make informed decisions about your options while rumors at the water cooler are flying.

And finally, be ready to embrace change beyond your control. From a career perspective this means having your “personal marketing documents”, AKA resumes, references and professional certifications, up to date. It also means communicating your interests and intentions to everyone you know who might be able to help you. This includes re-connecting with your recruiter, any mentors, past co-workers or clients with whom you’ve had positive experiences in the past. It also means taking the time to catch up on the industry at large through reading trade journals, attending networking events and increasing your participation with industry organizations. Get the word out to your associations, organizations, friends and family that you are on the job market.

Lately, not a day goes by that someone doesn’t ask me what the future holds for our industry in these tough economic times. The truth is, nobody can tell. It’s a fact that in the short term, supply will likely outstrip demand especially for the most senior roles in our industry. The best and only way to adapt to change of this nature is to be prepared—mentally, materially and socially. We should know that we’re in for a marathon and not a sprint. Yet despite the challenges ahead I’m confident that our industry will continue to grow and thrive. We just need to put less stock in the markets and more stock in ourselves.

Jeff Combs is Practice Lead, Security and IT Risk Recruiting at Alta Associates.

========================================================


Implementation - The Missing Link

Posted in /opt/risk_management, /var/rant on September 8th, 2008 by Rick Zhong

(This post does not have any answers, just my personal ranting :P )

Recently I attended a few risk management conferences, mainly for financial institutions. The most common question asked was “what’s the risk management framework used by your institution?” It was usually followed by a round of discussion on Basel II or COSO ERM (Enterprise Risk Management). For IT folks, the topics revolve around risk management in IT governance, COBIT or ITIL. However, when it comes to the point of implementation, it becomes an evasive topic, and most of the time I hear people complaining about the difficulties of implementing all these established frameworks.

Similar to the RM domain, implementation difficulties were constantly mentioned during my last conversation with a couple of Business Continuity folks. It brings me to the question: what’s the use of all these frameworks when they are not properly implemented? Are we spending too much effort coming up with these frameworks and methodologies? Is it time for the industry to channel some attention or resources to the implementation of these established frameworks?

I just read in ISACA’s Information Systems Control Journal that ITGI (IT Governance Institute) has identified a gap in the current array of risk management frameworks for IT: there is no known framework that includes both a holistic look at risk management and, at the same time, provides adequate depth and detail when covering IT. I just hope this ‘depth’ and ‘detail’ refer to the implementation aspect as well.

References and Resources: CONSTRUCTION OF AN IT RISK FRAMEWORK


Rising Trend of Disgusting Patent Squatting

Posted in /etc/IT_security/news, /var/rant on May 30th, 2008 by Rick Zhong

It is absolutely ridiculous that a Singapore-based company is trying to charge patent fees for web pages that link images to contact information. This is not the first time we have heard of companies intending to charge patent fees for commonly known technologies. Just a few months ago, someone in China filed a patent application for booting a Linux OS from USB devices.

Claiming to be “pioneers of visual search technology”, Vuestar Technologies started issuing invoices to various SME (Small/Medium Enterprise) website owners to demand annual fees from S$500 to S$10000. It is such a blatant act of bullying: the company stated that they are not going after government agencies and the big boys. Vuestar’s patent, tagged under publication number 95940, appears also to have been granted in Australia, New Zealand and the United States. The company’s website shows no business-related activities other than requesting people to pay for their license. Local lawyers urge clients to exercise caution and seek legal advice before reaching any settlement with the claiming firm.

This scene is very similar to the domain squatters back in the 90s. However, patent squatters are more aggressive, and they like to use loopholes in current patent systems to obtain greater financial gains. This also makes people ponder how these patent squatters managed to get their applications accepted in the first place.

Links: http://en.wikipedia.org/wiki/Vuestar_Technologies


People, Process and Technology (Again)

Posted in /root/IT Management, /tmp/others, /var/rant on May 4th, 2008 by Rick Zhong

These three terms (let’s use the short form “PPT”) are very popular among InfoSec folks nowadays. They were mentioned in at least 4 of the conferences I attended last week. If my memory doesn’t fail me, my first encounter with the use of these three terms in the InfoSec arena was 5 years ago. I was attending a certified information security practitioner course conducted by a Singapore-based institute. (I was sponsored for winning an online hacking competition :D) I can still remember that the DBS internet banking fraud was used as an illustration of vulnerability in a business process.

I guess no one will try to argue against the validity of PPT in infosec, because there are plenty of examples illustrating failed attempts to solve infosec problems with isolated approaches. Among the conferences I attended last week, one was about Vulnerability Management, one about Enterprise security practices, one about IT Governance and the other about Technology Innovation in Banking.

In the VM talk, the idea of staged gap analysis from the PPT aspects is a good structured approach besides the usual PPT-oriented vulnerability remediation. The Enterprise security talk was not very interesting, except for the analysis of the impact of web 2.0 (or Enterprise 2.0, the use of web 2.0 in an enterprise environment). The speaker from the IT Governance talk listed a few obstacles and hurdles encountered from the PPT aspects when pushing information security to the LOB (Lines of Business). I liked this one very much because this guy showed that he had hands-on practical experience instead of just big talk, and I could actually relate the current challenges in my workplace to his examples.

I will write more about technology innovation in Banking in separate posts, because this is the newest portfolio I have taken up and I am really excited about this global initiative in my workplace. Again, we can always use PPT to draft a structured approach to doing innovation, but where is the fun when everything is structured?


No more native Linux client in VMware Server 2.0 Beta

Posted in /etc/IT_security/news, /home/open-source, /var/rant on March 29th, 2008 by Rick Zhong

Surprise, surprise, surprise! I can’t launch my newly baked VMware Server 2.0 Beta from my Ubuntu 7.10 console. vm-anywhere patch? Dependency issue? Incompatible customized kernel? But there is no error message; it just asks me to read the man page. Everything works fine when I use the web UI… mmmm… May the Force be with you: the chat between my Star Wars hero and villain below cleared up all my questions.

Quoted from Linux Mag: http://www.linux-mag.com/id/4403
============================================

We take you now to the Planet Virtual, where two combatants are already engaged in mortal combat. Laser swords drawn and at the ready, and facing each other on opposing levitating anti-gravity platforms hovering over a fiery river of molten metal, the opponents utter their final words.

Open Source Kernobi: Darth, slow, memory hogging and less functional Web interfaces compared to native Linux software are evil. Why did you remove the native Linux console client from VMware Server in the 2.0 release? We’ve been using it for years and it’s worked great.

Darth VMware: Evil from your point of view! From my point of view, the Open Source freeloaders and non-paying end-users are evil. You should be lucky that we give you a free Server product, period. And besides, if you don’t like the Web interface, you can always use the Windows-based Virtual Infrastructure client. You want native? Use our free VMware Player or buy VMware Workstation.

Open Source Kernobi: Well, then you are lost! That’s not what we Linux users want! Don’t you remember who and what you started with, back in 1999? Developers and power users need a free server with a native client!

Darth VMware: This is the end for you, My Linux community. I wish it were otherwise.

The fighting continues for what seems like an eternity, with the opponents trading blows against each other, until what seems like a stalemate. Finally, Kernobi opens up his Targus laptop bag, and produces a huge stack of DVDs, containing Linux distro builds with integrated Xen, KVM, and Virtualbox — all native and Open Source Virtualization packages for Linux.

Kernobi: It’s over, Darth. Open Source has the high ground. Our hypervisors and management tools are catching up to you in polish and functionality, while you lag behind in driver support in your enterprise product offerings, produce bloatware, and alienate the fan base which got your company started in the first place.

Darth VMware: We’ve outgrown your community, Kernobi. You underestimate our power! We have more than 80 percent market share and we’re backed by one of the biggest names in enterprise storage. We can sit on our laurels, force end-users to eat whatever we give them, and we’ll get away with it too.

Kernobi: Don’t try it, Darth. Once the end users get a taste of free and open source virtualization, they’ll want to go to Citrix, Oracle, Red Hat, Novell, SWsoft or any other vendor that will give them support at their enterprise. Your 80 percent market share will shrink like a slice of Bantha bacon hitting a cast iron pan.

And so it went. Well, we all know how that sucky movie ended. Darth got burnt to a cinder and ended up having to wear a permanent sleep apnea mask welded to his face, and Kernobi and the rest of his kind retreated into the safety of their Open Source development model, one day to return and conquer the proprietary villains.

Of course, it didn’t have to end that way if Darth didn’t want to maintain the native Linux client anymore, they could have open sourced it for the community to maintain it themselves. Or better yet, release their entire hosted virtualization product as open source, since their enterprise hypervisor-based version ESX Server and its derivative products are what make them the big bucks anyway.

And as to Darth’s concerns of an open source version detracting from sales of their hosted VMware Workstation product, from which VMware Server shares much of its technology? Well, think of it as free development resources. Red Hat and Novell have been able to make that work for them. People still want to pay for support for a fully regression tested and stable version.

Of course, if I were one of Darth’s competitors and one of Kernobi’s friends — such as the aforementioned Citrix, Oracle, Red Hat or Novell all of which are using Open Source hypervisors as basis for their commercial virtualization products — I’d come out with an easy to install free product that seamlessly and easily converted VMware images over to whatever their native VM file format is, as well as a physical-to-virtual converter utility, with a nice, fast and native Linux GUI front-end. I might write it in a multi-platform toolset like QT, or maybe even Java so the client will run on Macs and Windows too.

Oh yeah, and if they want support and enterprise capabilities, they should charge them for that too. Cause, like, people pay for that. Even the Linux freeloaders, when they go to their day jobs in corporate America.

Jason Perlow is Senior Technology Editor of Linux Magazine. You can send Jason email at jperlow@linux-mag.com.
==============================================


Finally CISSPed and CISAed... but still feel lost

Posted in /var/rant on July 15th, 2007 by Rick Zhong

I have just received my long-awaited CISSP and CISA certificates. The happy feeling only lasted a couple of minutes… Do these certificates really mean anything? I can’t feel the thrill or any sense of achievement, although these two certs were the goals I set for myself 3 years ago when I had just graduated and joined a local IT security firm. Maybe they are just a reminder for me to pull away from all the so-called “high level” business talk which is so prevalent in the local IT security industry.
