Archive for the “Recent News” Category

(Just to let everyone know, I haven’t forgotten about the Infosec/Professional Cooking string – I’ve been both very busy and very sick the past few weeks.  I also don’t want to just put something down and post it.  As the last post, I want to really bring the analogy together and I’d rather hold off a bit and do it right than lose it just before I bring it across the finish line.)

(Oh, and just another quick note on terms – I know that some people out there have an issue with any use of the term “cyber.”  With all the issues out there I think this one is perhaps the most worthless.  Personally I don’t care what we call it but it appears that “cyber” has caught on and therefore I will use it until another word tends to dominate.  Arguments and debates over semantics serve no purpose other than to distract us away from the real issues.  If you really want to debate that then let me know and I’ll start another thread for that.)

After seeing a tip from Bob Gourley on an article over at Government Computer News (GCN) I went over to read it.  Bob, and his blog, CTOVision are great sources to keep abreast of the goings on of the federal government especially from the National Security/Intelligence Community perspective. 

The article, entitled “Cyber threat calls for flexibility in command model, general says” offers great insight into the problem of cyber warfare as well as the general problems that everyone faces with threats from the Internet.  The article is rather short but it brings up a lot of issues that would take a great amount of space to really explore. 

Running the risk of oversimplifying things, let me say that the issue we face with the Internet, from both a cyberwar and a cyberthreat perspective, is that it is never static.  Attacks can come from anywhere and most often not directly from an attacker.  A device or network that is safe today won’t necessarily be so tomorrow or even five minutes from now.  Now I’m no military strategist by any stretch of the imagination, but to the layman it appears that the natures of cyber warfare and cyber threats are more akin to guerrilla warfare than to a traditional battlefield. 

The article talks about how the command and control structure should be established within the U.S. Military to deal with the threat.  It cites Lt. General William Lord, Chief of Warfighting Integration and Chief Information Officer of the Office of the Secretary of the Air Force.  One of the quotes I find most telling:

“We need to operate without heavy restrictions.  There are enormous restrictions in the offensive domain.  The biggest problem isn’t the enemy, the biggest problem is us.”

There is so much contained in that short three sentence quote that we could talk for days. 

The problem is that Cyberspace is global as well as local.  It involves both the physical devices that transmit information in the electromagnetic spectrum and the electromagnetic spectrum itself.  There are physical boundaries (network, national, and international) in some respects, but in others there are no boundaries at all.  Any action taken within this realm has the potential for global ramifications.  Achieving cyber superiority may not be as easy and straightforward as it seems.  There is a confusing array of laws and international agreements that deal with the free flow of communications between countries.  These add layers of complexity to an already complex issue. 

We have hemmed ourselves in with the laws and agreements we have made and have chosen to operate by a code of conduct that our adversaries do not have to follow.  This is how we have chosen to organize ourselves as a society, and there is no doubt that it sometimes puts us at a disadvantage when pitted against an adversary who rejects our conventions.

I don’t believe that we can ever eliminate all risk or all threats.  I believe that these are just part of the world we live in.  We can choose to manage them and we can find ways to reduce them to levels with which we are comfortable (acknowledging that comfort levels can also change over time).

As the article suggests, we must above all else remain flexible in order to meet the challenges that face us.  We must learn to fight the next war, not the last one.


If you are a subscriber to the Cutter IT Journal you can check out my article in the August 2009 issue.  If not you can find out more information at the following link:

http://www.cutter.com/content/itjournal/fulltext/2009/08/itj0908a.html

I’m also trying to get a link to a PDF version of the article and will post it here as soon as I do.

Just an FYI – I don’t earn any income from the Cutter IT Journal, so if you do decide to purchase a subscription I won’t benefit in any way from it.  Basically I get a free subscription by having my article accepted for publication, and that is about it.  That said, I’ve enjoyed this issue so far (aside from my article of course), so if you do decide on purchasing a subscription you will probably enjoy it.


A while back I posted a link to the Quadrennial Homeland Security Review (QHSR).  The second National Dialogue opened September 1st and will run to September 9th.  This is another chance to provide your opinion on any number of Homeland Security concerns – one of which is cybersecurity.  This dialogue has refined the original dialogue into objectives, and they are asking our opinion in prioritizing these objectives and providing feedback on how they may be achieved.  I urge everyone out there – regardless of political persuasion or creed – to provide informed, constructive feedback.  

You can find the second dialogue at http://www.homelandsecuritydialogue.org/dialogue2/

Thanks


I’ve been a bit lax with the blog lately and for that I’m sorry.  The reason will be clear in a few weeks when I hope to be able to make an announcement.  For now though I’d like to just provide my apologies.

This post started out as my commentary on two recent articles that appeared in CSO Magazine concerning the data breach at Heartland Payment Systems (“Heartland CEO on Data Breach: QSAs Let Us Down” and “SQL Injection Attacks Lead to Heartland, Hannaford Breaches.”) 

Now what I do to write these posts is basically sit down and let it just flow out of me.  I then go back and do a little cleanup as needed.  Sometimes the cleanup needed is so much that I just trash the post.  Other times I realize that a concept that came up late in the post is really what the post should have been about in the first place.  That is the case this time.  So I’ve basically thrown out three quarters of the pontificating (which you really didn’t want to hear anyway) and focused on the analogy that information security is much like professional cooking.  As I put this together I glanced down at the word count and realized that this was growing to be much more than the simple post that I initially envisioned.  So what I’ll do is break it up into a few parts to try and get my point across.  Let me know if I was successful. 

How did I come up with this analogy?  Well it was mainly sparked by a comment made by Heartland CEO Robert Carr in the first article mentioned above.  That comment was:

“The audits done by our QSAs (Qualified Security Assessors) were of no value whatsoever. To the extent that they were telling us we were secure beforehand, that we were PCI compliant, was a major problem. The QSAs in our shop didn’t even know this was a common attack vector being used against other companies. We learned that 300 other companies had been attacked by the same malware. I thought, ‘You’ve got to be kidding me.’ That people would know the exact attack vector and not tell major players in the industry is unthinkable to me. I still can’t reconcile that.”

In this first part I’m going to set up the analogy and then dive into it within the subsequent posts. 

While I’ve been critical of some of the statements that Mr. Carr has made in the past I basically think that he has done a great job in responding to the crisis his company is in.  True he may have been forced into this response by circumstances but I’m not going to look a gift horse in the mouth.  A CEO of a major corporation has finally come to realize the importance of information security in the daily operations of his company.  However you look at it that is a good thing.  That he has become proactive in advancing our cause is an even better thing. 

What concerns me though is Mr. Carr’s statement.  He may be doing the right thing but I don’t want him to do it for the wrong reason because in the end it won’t help us out, it may even hurt us. 

You see Mr. Carr’s statement smacks of “missing the forest for the trees.”  He seems to understand that he must do something but doesn’t really understand the real reason behind it.  So this is my effort to try and shed some light onto the subject.  Will Mr. Carr ever read this?  Who knows but that really isn’t important as long as this helps someone.  So if this makes sense and you want to use it go right ahead.  (Just give me credit in some way.)

Let me take a stab at reconciling the issue.  The QSAs didn’t necessarily fail.  They audited to a known and accepted standard.  PCI DSS didn’t even necessarily fail; it is what it is: a standard.  What failed you was the commonly held assumption that compliance equals security. 

When push comes to shove, SQL injection has been around for a long time, so the fact that systems are still regularly found to have input validation issues is surprising.  Since we can’t blame the QSAs, should we blame the developers?  We could, but again we’d be missing the forest for the trees.  These are but symptoms of the problem.  How do we get at the problem?  In trying to get a handle on this I’ll try my hand at a little analogy: that Information Security is a lot like professional cooking.  I’ll illustrate this by first focusing on how recipes are a lot like standards (Part Two) and then I’ll move on to broaden the image by relating what we do in information security to working in a professional kitchen.
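Since the post rests on the point that SQL injection is an old, well-understood input-handling defect, here is a short illustration of what the defect actually is and what the fix looks like. This is an added example written for this page; it is not code from Heartland, from the CSO articles, or from the PCI DSS. The table, the rows and the hostile input are all constructed, and the example uses Python’s built-in sqlite3 module so it runs offline.

```python
import sqlite3

# Constructed sample data for an in-memory database (not real customer data).
SAMPLE_ROWS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
]


def make_db():
    """Build a throwaway in-memory database holding the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, name):
    """The defect: user input is concatenated into the SQL text.

    Whatever the caller passes is parsed by the database as SQL syntax, so
    the query's meaning is no longer fixed by the developer.
    """
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """The fix: a fixed statement with the value bound as a parameter.

    The database receives the SQL text and the value separately; the value
    is never parsed as SQL, whatever characters it contains.
    """
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


def demo():
    """Run both lookups against a normal name and a constructed hostile one."""
    conn = make_db()
    # Constructed tautology input: a classic test string that any code
    # review, scanner or log review should already be looking for.
    hostile = "x' OR '1'='1"
    return {
        "vulnerable_normal": lookup_vulnerable(conn, "alice"),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),   # every row leaks
        "parameterized_normal": lookup_parameterized(conn, "alice"),
        "parameterized_hostile": lookup_parameterized(conn, hostile),  # no rows
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label}: {rows}")
```

The hostile string makes the concatenated query return every row in the table, while the parameterized query treats it as a literal name that matches nothing. That difference is the whole of the issue: the fix is not exotic and has been standard practice in every major database API for years, which is why finding the concatenated form in a PCI-scoped system years after the attack class was documented is a process failure rather than a technical mystery.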


Have you ever left a meeting frustrated that you didn’t get your point across?  Have you ever wondered why other people don’t “get it” when it comes to security?  I certainly know that I have and it was a moment like this that initially caused me to look at the problem differently.  I decided to turn the question around and began asking myself what I was doing that got in the way of other people getting it.

That was about 10 years ago and since then I have learned quite a bit about communicating effectively.  That isn’t to say that I don’t backslide on occasion or that I’m some sort of expert in effective communication.  I’m not but am lucky to know someone that is.  His name is Michael Santarcangelo and if you live near enough to Fairfax, Virginia you have a treat in store for you.

In addition to being a lifelong security professional, Michael is a professional speaker (as in a member of the National Speakers Association and not some guy who gets to speak in public occasionally, like me).  That means that he has refined the ability to communicate effectively and quickly, something that is very important in these days of bullet point meetings and decreased budgets. 

Michael has put together a program to teach others to effectively communicate the value of security and is just about ready to roll it out in an upcoming 15 city tour.  All he needs to do is give it a test run and that is where this amazing opportunity comes in. 

On Saturday July 25th (This coming Saturday), Michael will be giving a preview of the Communicating the Value of Security Seminar at George Mason University in Fairfax, Virginia.  He has worked with GMU and their Cauldron project to deliver this seminar.  Better still since it is on a Saturday he is offering a pool party and BBQ for the attendees and their families (provided courtesy of Cauldron).  The price is $12.75 per person/family. 

That means that you can pay to attend the seminar and then have your family meet you for the pool party and BBQ for only $12.75.  Now where are you going to be able to feed your family for that price?  I used to live in the DC area and can tell you that you won’t find anyplace around where you could feed a family of four for under $15.  Even if you consider yourself a master communicator, you can always pick up a tip or trick, and at this price can you afford not to go?  The normal seminar will probably be quite a bit more expensive and probably won’t include BBQ and a pool party. 

Check out Michael’s site for a description of the seminar and a link on where you can register.  Please spread the word too.  It is always important to support those in our community who are working to make our jobs easier, and Michael is definitely one of those.
