A Security Lesson from the Dinosaurs

Last week, I got my copy of All Yesterdays (not the used Amazon versions, as the pricing algorithm is failing hilariously). I’ve been a fan of Darren Naish’s work since I discovered Tet Zoo years ago. It turns out that in addition to writing amazing articles on the cladistics of extinct crocodilians, he is also good at writing about paleo art.

You might think that paleo art is art done by prehistoric people, but no. In this case, it is art done to provide imaginative reconstructions of life from fossils. I imagine that most people these days are aware of the belief that many of the two-legged dinosaurs were feathered. However, as it often turns out, things are more complex than that. This book explores the history of dinosaur art and, along the way, draws on what we know about natural history, camouflage and mating habits of contemporary species.

So why am I posting this review on a blog that is (more or less) focused on information security?

Well, in addition to this book being about pretty pictures of dinosaurs, it is also about an industry working over time to make guesses about the truth, analyze their mistakes in the face of new evidence and, through a constant stream of screw ups, come closer and closer to consensus. As they’ve done this, everyone has had to constantly adjust to the shifting truth.

In effect, it is a book about evolution … the evolution of species … the evolution of understanding … and the evolution of the understanding of evolution, so to speak. This happens in all industries, but the younger the industry is, it seems, the less we like to acknowledge that we don’t have all the answers. In Information Security, we don’t like to be wrong and we particularly don’t like to be wrong in front of other people. This is understandable, as when we make a mistake in security, people could get hurt. However, when we don’t get a chance to discuss our mistakes as a community, we don’t get a chance to improve.

Today, there is some discussion in the community, but mostly within closed mailing lists and at conferences. Unlike in the realm of paleo art, our mistakes tend not to be public, so there are fewer eyes on them and fewer opportunities to get better. Fortunately, there are more hackers than professionals who draw dinosaurs, so we do get an advantage of numbers. Still, there is ample room for improvement.

This book explores the problems that arise from:

  • Taking a superficial view of evidence
  • Not comparing logical conclusions to examples of modern data
  • Avoiding analysis and basing beliefs on the misguided work of others
  • Looking strictly at hard evidence and ignoring behavior
  • Hyper-focusing on dramatic scenarios

Sound familiar?

Even Superheroes Need Their Tools

Today is a sad, and dangerous day. As you may have heard, Hostess is looking to go out of business. While it is likely that some of their bigger brands (Twinkie, Wonder Bread) will live on, it is the end of an era. While I never personally consumed much of their product line, as my mother would not let me (You can’t have a Twinkie, here’s an apple), I mourn with the rest of my generation over the loss.

However, unlike the mainstream news media, I am also deeply concerned about the fate of others in the wake of this decision … specifically due to the lack of Hostess Fruit Pies!

See, I remember when The Flash used them to save the city from the Bureauc-Rat. They were an essential tool for Captain America in preventing alien invasion. Aquaman used them to stop a shark invasion. Iron Man’s technology alone wasn’t enough to foil a bank robbery. And Spider-man used them to prevent the destruction of homes. In fact, there have been over 200 times that Hostess has helped save people.

Without this powerful tool, how will we ever survive?

Fortunately, most of our super heroes have contingency plans. DC heroes team up to become the Justice League to solve big problems. Marvel heroes team up to form the Avengers, first fighting among each other and then solving problems. Even the independents work up a good crossover now and then when they have to.

The question is, do you?

In IT in general and in Security in particular, we are highly dependent on a complex web of relationships and dependencies. This can be as simple as needing Microsoft to release their patches so we can protect ourselves. (Which you should do, as this month’s fixed some important issues.) Or it can be as complex as having systems dependent on Dell’s management appliances which are dependent on third party technologies.

Do you know which technologies you are dependent upon? How would you react to their sudden unavailability or to a problem in their supply chain? Do you have a contingency plan or will you have to figure things out in the moment?

Sadly, most people I talk to are in the latter category.

When you choose your vendors, it’s not enough to know if they can do the job today. You also have to know if they’ll be there for you tomorrow and to have a plan in case they’re not. All too often, I see companies who waste far too much time assessing vendors based on the “ideal” technology and no time at all looking at how it integrates into operations and how loosely coupled it is to their other systems.

I’m constantly visiting companies with networks that employ expensive technologies that don’t meet my clients’ needs, while cheaper and better technologies remain unused. This isn’t just annoying, this is potentially catastrophic to the business. For a case study, look at Hostess. Specifically, look at the strike document. In 2009, technology was not refreshed, which helped to put them into the position they’re in today. Granted, they had other problems. However, whether we’re talking flow-improvement like Document Management or monitoring and control like Anti-malware or UTMs or DLP, technology serves as a multiplier.

If you choose the wrong technology, it will multiply your problems. If you don’t choose the right technology, the firms that do will multiply their profit and leave you in the dust.

When most people hear that we do assessments, they think vulnerability scans and penetration tests. And yes, we do those. However, most of our clients find a lot more value in our vendor assessments, disaster recovery assessments and strategy assessments. These focus on security AND the business. After all, security means nothing without a business to protect.

If Hostess had learned that lesson in their first restructuring attempt, perhaps they’d have lasted longer and a contingency plan of liquidating the entire company would have stayed … a contingency plan. As for me, I’m going to take a long lunch and stock up on fruit pies. After all, you never know when Spider-man might come-a-calling.

And if you haven’t downloaded our very own RJS Smart Security comic book yet, click here!

Cyber “Pearl Harbor”

It’s no secret that cyberspace has quickly become the world’s next battleground. The United States and Israel were widely speculated to have delivered a mighty blow to the Iranian Nuclear Program with the Stuxnet Virus and now Iran has fought back attacking the web sites of American financial institutions, Bank of America and J. P. Morgan Chase.

Despite the magnitude of these web-based attacks, I don’t think the public necessarily understands how devastating cyber warfare could become. With nearly all business featuring some sort of online component and so much of our day-to-day activities utilizing web-based technology, a cyber terrorist could effectively cripple everything from bank accounts, telecommunications, medical facilities, utilities, transportation … you name it. Perhaps this is why U.S. Secretary of Defense, Leon Panetta offered a rather dire warning last week:

“The collective result of these kind of attacks could be a cyber Pearl Harbor,” warned Panetta. “An attack that would cause physical destruction and the loss of life, an attack that would paralyze and shock the nations and create a new profound sense of vulnerability.”

I bet that quote got your attention! The reality of such an immense attack can certainly be debated, but the question of whether the United States is ready and able to protect its interests is certainly a topic that should be at the forefront of any discussion regarding terrorism and world war.

Heather Roff, a Research Fellow with the Eisenhower Center for Space and Defense Studies at the United States Air Force Academy, penned a great post this week for the Huffington Post that discusses the conclusions we can draw from Panetta’s speech and how prepared the United States is to defend its cyber borders.

Sprinting through Security

We’re all familiar with old school consultants. These are people hired at $20/hr and rented out for $150/hr. It’s good business, if you can get it. All too often, however, the work is neither enjoyable for the consultant nor useful to the client. After years of trying and failing to make the old model work, I decided it was time to throw it out and start over. Thankfully, RJS agreed. As of today, we are one year into the process of reinventing security consulting.

The fundamental difference is that we’ve fully embraced the fact that the idea of 100% security is a trap. You can never be completely secure, so why base a security project around the idea that you can be? Instead, we focus on achieving a measurable improvement over “today.” Different businesses have vastly different security needs, so once you shift the goal away from “find and fix all the problems” to “strike a balance between defense and response,” myriad solutions become available.

Having a large number of solutions is great, as we can select the one that fits your company’s unique situation the best. But remember, it’s not perfect and will need constant attention to avoid “analysis paralysis” and to stay current with new security trends. To combat this, we look at the second key difference: time-bound tasks, or as we call them, security sprints.

With anything you do, there is one resource that completely vanishes — time. Other consulting approaches focus on minimizing either money or an amorphous concept of risk. The catch with those is that clearly pre-identifying “risk reduced” or “money saved” itself takes time. Since time is billed, it can cost a significant amount of money just to identify how much money you’re saving!

Want to know how much more secure a project will make you? Pick a small project that can be done in a week or two, do the project, then measure. There’s no guess-work, no scope-creep and most importantly, no spending more money than required to improve your defenses.

This process affords another advantage we did not anticipate. In many cases, security fails because the people who put a control in place are often not those responsible for maintaining it. Since security tends to weaken over time as attackers constantly improve, it is imperative that people explore alerts, identify what they mean to the business and take appropriate action. When the people who must manage the systems are not involved with the initial configuration, they tend to lose a lot of time tracking false alerts or, worse, missing legitimate issues.

Since our consulting process is time-bound and focused on helping improve security after we leave, we work on a lot of small projects. These projects are designed so that, when done, they can be absorbed into the business’s existing operations. We then come back for iterative tuning engagements and, over time, help maximize the business’s use of technology. This avoids the common problem of security being “someone else’s” issue, while minimizing the disruption that new technologies can cause.

In the end, after a year’s experimentation, we’ve found that a cyclical short-project consulting model has given our clients a level of security far greater than the traditional defense-only approach. While this didn’t surprise us (after all, that’s why we did it), we were surprised to find that these engagements generally came in 25% to 50% lower in cost than the traditional model. We’ve done security assessments, implementations and strategy planning sessions and, in every case, have achieved better security at a lower cost.

Please contact us if you’d like to learn more about our sprint model and how it can help you achieve a better state of security at a fraction of the price.

How do you respond when a moose is on the loose?

What would you do if you discovered that attackers had taken over your server and were in the process of stealing all your data?

What would you do if law enforcement came to your place of work and demanded all of your computers as part of an investigation?

What would you do if a tornado hit your building and spread all of your computers across a mile-wide radius?

If you are like most organizations, you don’t have a plan for everything. You can think of security (in an over-simplified way) as having three areas of control: Detective, Preventative and Reactive. We tend to start with Detective. When antivirus was new, it just alerted you when you had a problem. As the technology improved, it became preventative and would stop bad applications from running. Most security technology, in fact, has followed this pattern. Intrusion Detection moved to Intrusion Prevention. Patch Detection moved to Patch Management. Log Analysis moved to full-fledged SIEM systems.

However, this progression ignores a very powerful tool. As an example, here’s a video:

What would you do if you woke up one morning to find a moose in your swingset? Odds are you’d either deal with it yourself or call someone to deal with it for you. Response is key. When things happen, whether it involves an attacker taking over a system, an external agency taking your stuff or a natural disaster, reacting to the situation is important. You can either do it in an ad hoc way, or try to plan everything out.

In general, organizations that trust their people just let their people do what they need to do. Organizations that do not trust their people invest in planning and procedures. What’s interesting is that both methods work… though not always particularly well. Sometimes people hide behind policy and avoid doing the right thing. Sometimes people hide behind uncertainty and avoid doing the right thing.

The problem here is that “right” and “wrong” are not always clear cut. Consider recent occurrences involving United Airlines, Penn State and FedEx. A reasonable response to events like these would be “we can’t trust our people,” and to address the issue by creating policies.

But, for an even more horrifying view of the world, check out this Google News search on “followed policy.” A wider search on this shows that people who follow policy result in death, brain death and murder suspects being released.

So it would seem that this is a “damned if you do, damned if you don’t” situation, right?

It turns out to err is human… but human error can happen whether or not we are constrained by policy. Using policy to prevent bad things from happening requires not only that you have people who will always follow the policy, but also that you have policies that are 100% correct and written by people who can see the future. Perhaps a better approach would be to use policies as guides that people can refer to when they’re confused. Then, build a culture around the fact it’s okay to make mistakes so long as you’re willing to apologize, attempt to fix things and learn from your error.

Not everything can be avoided. Sometimes you just have to deal.

More on the moose is here.