Author: Ron Woerner

Careers, Concepts, Security Education, Security Management

Why Aim for the Ground? Teaching our kids the right computer skills

Posted on by Ron Woerner

We’re in a national crisis. Many kids know how to point and click, but they don’t know how the underlying technology works or worse yet, basics on how to keep themselves and their information safe online. This leads to bad choices. To make it worse, most teachers lack resources to teach technology to teenagers. In a talk at DerbyCon 2014, Professor Phil Fitzpatrick explains why our kids need to learn fundamental computer skills in a fun and ethical way; through education and competitions like CyberPatriot. It’s a discussion of why high school students should learn more than just simple computer applications and what security professionals can do to help.

Below are are problems as we see it:

–  The general public understands that most jobs out of high school, are based in knowing and having IT skills. Yet, most parents hand off their kids starting in 6th grade assuming all areas of education are covered, especially technology.
–  High schools are trying to answer the call for more IT workers by adding technology classes to their curriculum. However, they don’t have a lot of room for a variety of courses because of school year length, teaching expertise and availability, and their nature of school environment.
–  Kids only need to take one technology course to graduate and they look for the easy “A” rather then what will help them with their careers.
–  Schools are challenged with keeping the curriculum and technology up to date to meet current needs.
–  High schools are more concerned with getting students ready for college or working by teaching necessary life skills.

There are solutions available:

–  Establish technology academies in schools that teach a variety of cyber skills, not just what’s on the computer science AP test.
–  Provide courses in application develop, systems and network administration, database management, and cybersecurity.
–  Encourage teachers to build their knowledge base on different computer skills needed by industry.
–  Use grants to ensure technology is up to date.
–  Promote competitions and clinic like US CyberPatriot (http://www.uscyberpatriot.org/).
–  If you’re an IT or Cybersecurity Professional, become a mentor. These kids need someone with experience to help guide them in the journey. They’re not looking for an expert, just someone who cares. AND it’s very rewarding for the mentor.

Lastly, educate yourself. Here are some links to get you started:

–  Cybersecurity’s hiring crisis: A troubling trajectory – http://www.zdnet.com/cybersecuritys-hiring-crisis-a-troubling-trajectory-7000032923/
–  Developing the Next Generation of Cyber Leaders – http://www.serco-na.com/docs/materials/2012-cisse-nextgencyber.pdf
–  DoE: Science, Technology, Engineering, and Math: Education for Global Leadership – http://www.ed.gov/stem
–  Cyber-Security, IAS and the Cyber Warrior – http://www.cisse.info/archives/category/29-papers?download=297:p11-2012
–  High School 12-Week Cybersecurity eLearning Pilot – http://www.cisse.info/archives/category/29-papers?download=295:p09-2012
–  Secure Coding Education: Are We Making Progress? – http://nob.cs.ucdavis.edu/~bishop/papers/2012-cisse/seccode.pdf
–  Where are the STEM Students? – http://www.stemconnector.org/sites/default/files/store/STEM-Students-STEM-Jobs-Executive-Summary.pdf
–  ACM: Toward Curricular Guidelines for Cybersecurity – http://www.acm.org/education/TowardCurricularGuidelinesCybersec.pdf

Also see the previous post, “Hacker High – Why we *need* to teach hacking in school.”

Please help be part of the solution by promoting cyber education in your community.

Security Education

Before You Hit Your Head Against a Wall

Posted on by Ron Woerner

As both an educator and a security professional, I often see people who get frustrated.  It could be with a school or work assignment.  To help reduce frustration, here are some words of advice:

  • DON’T PANIC. This is my first rule of incident response. Getting all worked up never solves the problem. Take a deep breath or a time-out if needed and then proceed.
  • Understand “Who Owns the Headache?”  So often, we get frustrated with things outside of our realm of control. Basically, we try to fix things that we can’t because we don’t have control or “Own the Headache.”  Acknowledge what you can control and what you can’t.  Only focus on the things you can.
  • Research it. Ask yourself: Is this information available from an Internet source (iow, Google it)? One thing hammered into me when I was in ROTC was “use your resources.” You don’t need to know everything. You just need to know how to find the information and then use it intelligently.
  • Look at the problem from a different perspective. Is there another way to solve the problem? In computers, there’s usually at least 2, if not many more ways to solve any problem. That’s why I don’t usually have a set answer in mind. You may think of something I haven’t that works just as well.
  • Take a time out. Step away from the problem for a little while. Sometimes they resolve themselves, as in the case with bellevue.edu being down. Sometimes, it will give you a chance to think about it and think it through. This also gives your subconscious some time to process and develop a solution. (Have you ever had a “duh, I should’ve thought of that” moment?)
  • Ask someone. A person is also a resource (see use your resources above). First try a fellow classmate or colleague. I love it when students work together and help each other to solve problems. The student’s who collaborate get bonus points in my book. It’s truly a win-win for everyone. This is also part of my personal mantra, “By helping each other, we’re all smarter/stronger/better.”
  • Ask good questions. If no one else has the answer (about an assignment), then ask your professor or your boss. If something’s not clear, then ask for clarification. In today’s world, it’s not the answers you have, but the questions you ask. Come up with good questions, then be bold and ask them.

The idea is to prevent frustration, which inhibits learning and growth.

Coach Ron
“Every man…should periodically be compelled to listen to opinions which are infuriating to him. To hear nothing but what is pleasing to one is to make a pillow of the mind.” St. John Ervine

1
Security Education, Security Management

Hacker High – Why we *need* to teach hacking in school

Posted on by Ron Woerner

This rant is in response to Quinn Norton’s opinion piece from May 20, 2014, “Everything is Broken.”  (Link: https://medium.com/message/81e5f33a24e1)

<rant>

I have a simple solution that’s hard to implement: TEACH HACKING IN HIGH SCHOOL*! Yes, you heard it right. We need to teach our kids all about technology. Including how to break it and how to fix it. It’s incredible how little they really know. To them it’s PFM (Pure Frickin’ Magic). We won’t solve this problem with our adults. That’s why we need to get the kids involved. The problem is that they think they understand technology, but it’s only how to use it. Many (most) are clueless about systems & network administration as well as security. “Dad, the computer’s broken again…” I don’t think this is just my teenage kids.

The curriculum development is easy; adoption is hard. This is for three reason:

1.  Cyber isn’t included in the common core curriculum, so they don’t have time to teach it as a primary subject. They try to teach it on the side with limited affect. The problem is also with our government officials who don’t see cyber as important. A fun study would be to see how many government leaders are proficient in technology. My hypotheses is that it’s less than 10%.

2.  We don’t have teachers qualified to cover it and the good computer folks don’t want to take the huge pay cut. [At my daughter’s middle school, cybersecurity is taught by history and English teachers… I’ve volunteered many times to come into their classrooms and hear crickets…] It’s often that the teachers don’t know what they don’t know and are afraid to look ignorant if they ask for help. [NOTE: There are some fantastic teachers out there doing great work. This doesn’t apply to them. The problem is that they are the minority. They are also limited by what they can do and what they can teach.]

3.  There’s no standard curriculum for Information Technology or cybersecurity. It’s up to the teacher to develop his/her own, which is therefore based on his/her knowledge. (See #2.) Local school boards are responsible for deciding what’s included in their schools curriculum, but they don’t seem to understand cyber. Another fun study would be to see how many school board members are proficient in technology. My hypotheses is that it’s less than 20%.  We need a standard cyber curriculum for the teachers to work from.  It should be broad enough to allow flexibility for the teachers, yet cover primary topics of how the technology works.

We need to find a way to teach IT and cybersecurity to our kids starting in elementary school and then throughout middle and high school. The problem is that we’re blocked by adults who don’t understand the necessity.  The solution is out there people.  For example, see staysafeoneline.org and stopthinkconnect.org.  We just need to use it.

Help spread the word that we need to TEACH HACKING IN SCHOOLS. Talk to your local school board and elected officials.

*NOTE: I use the broad definition of hacking, meaning developing a curiosity on how things work. It’s not the malicious kind. When teaching hacking, ethics must be included. The intent is to keep the kids out of the orange jumpsuits (even if it’s the new black).

</rant>

[This rant reflects my opinion and not necessarily the views of my employer. ]

Concepts, Online Safety Tips

Stop the Insanity – Use Multifactor Authentication

Posted on by Ron Woerner

Albert Einstein defined insanity as, “doing the same thing over and over again and expecting different results.” Isn’t that exactly where we are today with passwords? We keep using the same method for protecting ourselves online, but it’s not working. How many times this year have you had to change your password because of a breach?
Well let’s see… There was the heartbleed bug forcing users to change passwords on numerous sites… Michels… AutoNation… Spotify… and now eBay… All in the last 4-5 months.

This is a royal pain for anyone, but especially the uninformed user. Many use the same password across sites. When there’s a breach, they receive a notification to change their password. But it’s not only for that one site/service. It’s for all of the others where they used that same password. Now, this poor user needs to remember which sites had that same password. Then they need to go to that site, find where they change their password and enter a new one. It’s a lot of work. Oh, and “Who wants my account anyway?”… Let’s be honest, most people won’t go through the trouble…

The bottom line is that PASSWORDS SUCK! There’s just no other way to say it. They’ve sucked for years, but yet they’re still the major form for authenticating ourselves online. They’re cheap and easy for both the user and the service provider.
Yet time and time again, we see they’re not safe. Passwords alone don’t provide the level of protection needed on the world wild web.

There is hope! Many online sites are now providing multi-factor authentication. This allows users to easily secure their accounts using with the standby password (something you know) tied to a second factor: something you have (a physical token, chip, fob, or phone), something you are (your voice or fingerprint) or somewhere you are (your home location). Adding this second factor provides you with added security and will save you the hassle of having to change your password when the security is invariably breached on the site.

StopThinkConnect (http://stopthinkconnect.org/) has made it very easy for users to learn more. They’re new site (http://stopthinkconnect.org/campaigns/details/?id=460) and campaign “Two Steps Ahead: Protecting Your Digital Life” provides a single place to learn how to enable two-factor authentication. But Wait! There’s more!* This one site has links to many other popular sites (e.g., Google, Outlook, Facebook, Tumblr, Twitter, etc.) where you can easily setup two-factor authentication. It’s easy and convenient right from this one site.

UPDATE: There’s one other site you need to be aware of: http://twofactorauth.org/.  It’s a crowdsourced site started by a researcher from Iowa State University.  It’s a comprehensive list of what websites and services use 2-Factor Authentication (2FA) and which ones don’t.

Please, help stop the insanity. Take the time to set up two-factor authentication. Share this with others. Let’s move together to a more secure tomorrow.

*Sorry, if I sound like a infomercial. It really is a great site.

1
CTF

Lock IT Down @ CYBER++

Posted on by Ron Woerner

Cybersecurity is one of the hottest career fields today.  Getting into it takes education and experience.  Basically you need practice to hone your skills in securing IT infrastructure systems.  This month, you get that chance to practice.

Bellevue University is hosting the CYBER++ Lockdown Competition on April 26, 2014 as part of the Nebraska Science Festival.  This is a cyber defense competition designed to test your science, technology, engineering, and mathematics skills in a safe, virtual environment. It’s free and open to all high school and undergraduate college students in the Omaha, NE area.  In this competition, teams of 2 to 4 students along with a mentor/coach will match wits to fix vulnerabilities and toughen systems security. No prior cyber security experience is needed. Prizes will be awarded to the top scorers in each category.

Name of Event:     CYBER++ Competition

Date/Time:             Saturday, April 26, 2014, 8:30 am – 3:00 pm

Location:                     Bellevue University, Educational Services Building, 1000 Galvin Rd South, Bellevue, NE 68005

Open to:                      All High School and Undergraduate College Students interested in Cybersecurity.

Cost:                             FREE! (Breakfast & Lunch will be provided to registered contestants)

For more information and to register, go to http://www.bellevue.edu/cyberplusplus/.

This event is being conducting with support from US CyberPatriot, the AIM Institute, the Nebraska Science Festival, and Bellevue University.

Sign up your team today and please help spread the word about this great event.

Concepts, Security Education, Security Management

My Security Bookshelf

Posted on by Ron Woerner

I recently was asked, “What books, article, websites, blogs, or videos do you recommend for those just beginning in Cybersecurity?”
It’s a great question with many answers. Too bad you can’t just come to my office and look on my bookshelf…

There are many reading and viewing options for cybersecurity.  The challenge isn’t the lack of material, but the overabundance (which is a good topic for another blog post).
The following resources are great for all levels of cybersecurity professionals.

Blogs & websites:

– Bruce Schneier on Security: https://www.schneier.com/
– Dark Reading: http://www.darkreading.com/
– CSO Online: http://www.csoonline.com/
– Threatpost: http://threatpost.com/

Videos:

– RSA Conference 2014 On-Demand Sessions: http://www.rsaconference.com/events/us14/downloads-and-media/video-index
– TED Talks Playlist, Who are the hackers? – http://www.ted.com/playlists/10/who_are_the_hackers.html
– TED Talk, Bruce Schneier: The security mirage: http://www.ted.com/talks/bruce_schneier.html
–  Cambridge Ideas, Professor Risk (Dr. David Spiegelhalter): http://www.youtube.com/watch?v=a1PtQ67urG4

Books:

– “The Cuckoo’s Egg,” Clifford Stoll,
– “Secrets & Lies,” Bruce Schneier
– “The Art of Deception,” Kevin Mitnick
– “Spies Among Us,” Ira Winkler

Book Reviews & Commentary:

– At the 2014 RSA Conference, Rick Howard of Palo Alto Networks  gave a talk titled, “The Cybersecurity Canon: Must-Reads.” You can also find the list of his favorite cyber/security books on his Terebrate blog at http://terebrate.blogspot.com/2014/02/books-you-should-have-read-by-now.html.

– Ben Rothke, a well-known security guru / speaker / writer, provides numerous book reviews for RSA including The Best New Books from RSA Conference 2014.  You can see all of his RSA blog posts at www.rsaconference.com/blogs?keywords=rothke.

The time you spend on these resources will be well spent in developing yourself as a cybersecurity professional.  If you have one you think is missing, please provide a reply or email me.

1
Human Aspects, Online Safety Tips, Security Education, Security Management, Threat Modeling

My Tweets from the 2014 RSA Conference

Posted on by Ron Woerner

The RSA 2014 Conference took place in San Francisco February 24-28.  It’s the top gathering of information security and risk professionals in the world with over 25,000 attendees.  I had the privilege to attend (and lead a CISO panel).  While I was there, I used twitter (@ronw123) to record my thoughts of the sessions and events.  Below is a snapshot with commentary:

Security Awareness and education was a common theme throughout the conference.  The industry is finally realizing it’s about the humans and people will always be the weakest security link

@ddkirsch: Heard at #RSAC — Even my Mom knows that #HTTPS isn’t a plural of HTTP. #ITsecurity” < too bad
so many moms, dads, & kids don’t

Chris Hadnagy (@humanhacker & Social-Engineer.org) talked about, “Social Engineering: When the Phone is More Dangerous than Malware.”  

Wow! Even @humanhacker got caught w/ phishing. It can happen to you. There are no stupid users, just uneducated
ones. @SocEngineerInc

@humanhacker @SocEngineerInc showing stats from . Scary. But there’s hope. 🙂

Jack Jones (@JonesFAIRiq) had a great presentation titled, “Ending Risk Management Groundhog Day.”  He didn’t even realize that there was a running panel from 2008-2010 that I was on with the name “Security Groundhog Day” (2008, 2009, 2010).  Jack is the father of FAIR and provides great ideas for proactively using risk management practices to manage security.

Get off the “Hamster Wheel of Pain.” Stop repeating past errors. @JonesFAIRiq @alexhutton [Note: I’ve learned
that this comes from “The Phoenix Project”]

@JonesFAIRiq “Policies need to be clear, concise, and useful… & written to a 9th grade level.”

@JonesFAIRiq “We’re really good at fixing symptoms, but not root causes.” #1problem is asking the right questions about risk.

Info Risk Mgmt Groundhog Day. Dude… Really… Again. It’s déjà Vu all over again.

Presentations on risks and threats are now commonplace at the RSA Conference. Here are thoughts on talks by Adam Shostack (@adamshostack), Pete Lindstrom (@SpireSec), and Andy Ellis (@csoandy).

@adamshostack talking New Foundations of Threat Modeling. Asking & answering 4 questions about threat modeling and the right ways to find good threats. [Note: He has a new book out on Threat Modeling.]

@SpireSec just mentioned the Hand Rule (see en.wikipedia.org/wiki/Calculus_).
So few security / risk professionals know anything about it.

@SpireSec – Being a contrarian in security makes you normal. Meaning we seek the truth even if it may hurt.

@csoandy: The true problem of a Prisoner’s Dilemma Scenario is that it disregards the Game Manager.” < tying Game Theory to security

NIST released the first version of the Framework for Improving Critical Infrastructure Cybersecurity on February 12, 2014.  Of course, this generated a few comments:

The NIST Cybersecurity Framework, Here we are *again* writes @georgevhulme, Engage
#infosec

News from #RSAC – DHS working with MS-ISAC on offering managed security services to state/local gov’t who adopt Cybersecurity framework.

The National Cyber Security Alliance (NCSA) held a twitter session where they asked pointed questions on encouraging kids to StaySafeOnline.

@StaySafeOnline & others are great! The material is there. It’s getting it out to people who need it the most. #securitychat #ChatSTC

Should there be a license to drive on the Information Superhighway? IOW: Required Education? #securitychat #ChatSTC

We need to challenge more Cybersecurity professionals to get out and educate. Make it required for certifications? #SecurityChat #ChatSTC

@STOPTHNKCONNECT #securitychat #ChatSTC A7: Reach the kids at their level. Don’t talk down to them. Challenge them to teach their parents.

Of course, one of the hot topics was NSA Surveillance: 

“Understanding NSA Surveillance: The Washington View #RSAC” < what’s legal may not be wise – said by both Hayden & Clarke

We need a real debate at #RSAC on the NSA, not pontificating and opinions. High School Debate did it last Nov. see bit.ly/MZJVrQ.

Last, but hardly least is my frustration in the opening keynote of attendees spending their time on their devices and not meeting others.

Listen #RSAC peeps! Stop playing with your phones and start meeting someone new. The greatest minds in Cybersecurity are
here.

These are my quick, but not complete thoughts. No doubt they will lead to many blogs in the future.

Security Management

Perfection is the destination, not the starting point

Posted on by Ron Woerner

Preface: This post is not directly related to security. It’s something for all professionals to consider.

It’s the start of a new day. The sun is shining, birds are singing, and we have a fresh start. We have time to smell the roses and ensure everything goes our way (Zip-A-Dee-Do-Dah!). Yet how often do our mornings actually start like this?

More often our days start frenetically as we rush to our jobs and other activities.  We miss critical details that may or may not make a difference.  It’s really the same with anything new.

Many of us want things to be perfect when we start something, whether it’s a new day, a new job, or a new project.  There are those who won’t even start until everything is in line according to their plans. The expectation of perfectionism isn’t realistic and really hampers our efforts. This leads to the title of this piece: “Perfection is the destination, not the starting point.”  Being perfect is something to strive for, not to start with.

If you wait to start anything until whatever you’re doing is perfect, you’ll start nothing. Or To take from Jeff Bullas’ blog Are You Waiting to be Perfect?, “If you don’t start then nothing will happen…. it is that simple.”  Or as Leo Tolstoy puts it in Anna Karenina, “If you look for perfection, you’ll never be content.”

It’s unrealistic not to expect something to go wrong or at least not be exactly like we want.  It’s better to embrace life’s imperfections and know when “good enough” is really what you need. This sets the level of expectations for everyone, even (if not especially) ourselves.  Admitting our propensity for errors demonstrates our humanity and shows that we are real.  It’s a paradox that when we allow for our weaknesses, it demonstrates our strengths.

“The journey of a thousand miles begins with a single step” and that step doesn’t need to be perfect; it just needs to be there. An organization’s culture needs to embrace this concept and allow employees to be willing to step out and start.  Guy Kawasaki’s book, The Art of the Start: The Time-Tested, Battle-Hardened Guide for Anyone Starting Anything he encourages entrepreneurs to make meaning, make mantra, and get going. It’s a definitive guide for anyone starting anything.

What do you need to start?  Are you waiting for it to be perfect before you do?  Don’t. It’s okay to be human.  If you never start anything, you’ll never go anywhere.

[Note: This is being cross-posted on IBC Viewpoints.]

Security Assessments, Security Management

What’s in Your [Security] Wallet?

Posted on by Ron Woerner

No, this isn’t a blog about the credit card you use or identity theft. This is about the tools you have on hand as a security professional.

Like any tradecraft, Security Professionals should have a set of tools, in this case applications, that they keep handy for when they need them. Fortunately, there are many security tools readily and freely available that fit nicely on a 2-4Gb USB thumb drive. These tools have a variety of purposes to help the IT or Security professional diagnose and troubleshoot problems. A quick note before I dive into my tools of choice, sectools.org contains an almost complete set of security apps that should be known by all security professionals.

  • Windows SysInternals (http://technet.microsoft.com/en-us/sysinternals) – This is the toolbox for Windows. Maintained by Mark Russinovich, these are the applications not included with the Windows Operating Systems, but should be. The tools that I use most are Process Explorer, Autoruns, and Zoomit.
  • Wireshark (http://www.wireshark.org/) – Wireshark is an open-source network analyzer that works on many platforms. You can use it to look into network packets for both security and troubleshooting.
  • Firecat (https://addons.mozilla.org/en-US/firefox/collections/clausv/firecat1_5_plus/) – This is a collection of add-ons for Firefox that allow you to (A) safely browse and (B) test the security of a web application.
  • NMap (http://nmap.org/) – Nmap is the network scanning and security auditing tool. Often featured in movies, this open-source application is used for network inventory, managing service upgrade schedules, and monitoring host or service uptime.
  • Backtrack / Kali (http://www.kali.org/) – This is a Linux-based operating system that comes complete with most security tools. You need to install it on a clean thumb drive and boot from it.

A couple of quick notes:

  • These are just a small handful of good tools, but there are many others out there. If there’s one you think I missed, please reply to this post with your favorite. A caveat is that the tool must have a useful, free or open-source version readily available. It also must be small enough to fit on a thumb drive.
  • Neither I nor my employer are directly associated with these sites and tools. As always, use at your own risk.

What’s in your (security) wallet? Do you have a favorite tool that you keep in your security tool belt? Let us know.

Concepts, Security Assessments, Threat Modeling

Threat Modeling – What’s the worst that can happen?

Posted on by Ron Woerner

A threat is defined as “a person or thing likely to cause damage or danger.”  Threats are all around us, but we shouldn’t treat all threats as equal.  Too often we fail to identify threats because they aren’t readily apparent or we consider them to be too small.

Threats and vulnerabilities are both part of the overall risk equation.  While organizations are getting better at identifying and fixing weaknesses, many still don’t understand the potential threat landscape.  We’ve all heard, “Oh no one would ever want to attack us. We’re so small and our systems have no value.”  I can hear Target saying that about their HVAC systems. Malicious hackers can use anything connected to a production network in order to gain access.  It shouldn’t be assumed that a small target means it can’t be hit.

All organizations should conduct assessments to understand the multitude of threats they face both in and out of their cybersystems. Threat modeling is still a new arena in security, but it’s gaining in prevalence.  In CSOOnline (http://www.csoonline.com/), George V. Hulme has an article, “Can threat modeling keep security a step ahead of the risks?” where he makes a case for more effective threat modeling. He references how a CISO uses threat modeling to understand the organization’s risks, prioritize security spending, and focus security efforts.

Adam Shostack is also calling for increased threat awareness.  In his book coming out on Feb 17 called, “Threat Modeling: Designing for Security”  he explores various threat modeling approaches, explains how to test system designs against threats, and learn effective ways to address threats that have been validated at many top companies.

What does this mean for you?  As security professionals, we conduct threat modeling throughout our career.  That’s why we take the time to study threat modeling and apply it.