Security Education, Security Management

Hacker High – Why we *need* to teach hacking in school

This rant is in response to Quinn Norton’s opinion piece from May 20, 2014, “Everything is Broken.”  (Link: https://medium.com/message/81e5f33a24e1)

<rant>

I have a simple solution that’s hard to implement: TEACH HACKING IN HIGH SCHOOL*! Yes, you heard it right. We need to teach our kids all about technology. Including how to break it and how to fix it. It’s incredible how little they really know. To them it’s PFM (Pure Frickin’ Magic). We won’t solve this problem with our adults. That’s why we need to get the kids involved. The problem is that they think they understand technology, but it’s only how to use it. Many (most) are clueless about systems & network administration as well as security. “Dad, the computer’s broken again…” I don’t think this is just my teenage kids.

The curriculum development is easy; adoption is hard. This is for three reasons:

1.  Cyber isn’t included in the common core curriculum, so they don’t have time to teach it as a primary subject. They try to teach it on the side with limited effect. The problem is also with our government officials who don’t see cyber as important. A fun study would be to see how many government leaders are proficient in technology. My hypothesis is that it’s less than 10%.

2.  We don’t have teachers qualified to cover it and the good computer folks don’t want to take the huge pay cut. [At my daughter’s middle school, cybersecurity is taught by history and English teachers… I’ve volunteered many times to come into their classrooms and hear crickets…] It’s often that the teachers don’t know what they don’t know and are afraid to look ignorant if they ask for help. [NOTE: There are some fantastic teachers out there doing great work. This doesn’t apply to them. The problem is that they are the minority. They are also limited by what they can do and what they can teach.]

3.  There’s no standard curriculum for Information Technology or cybersecurity. It’s up to the teacher to develop his/her own, which is therefore based on his/her knowledge. (See #2.) Local school boards are responsible for deciding what’s included in their schools’ curriculum, but they don’t seem to understand cyber. Another fun study would be to see how many school board members are proficient in technology. My hypothesis is that it’s less than 20%. We need a standard cyber curriculum for the teachers to work from. It should be broad enough to allow flexibility for the teachers, yet cover primary topics of how the technology works.

We need to find a way to teach IT and cybersecurity to our kids starting in elementary school and then throughout middle and high school. The problem is that we’re blocked by adults who don’t understand the necessity. The solution is out there, people. For example, see staysafeonline.org and stopthinkconnect.org. We just need to use it.

Help spread the word that we need to TEACH HACKING IN SCHOOLS. Talk to your local school board and elected officials.

*NOTE: I use the broad definition of hacking, meaning developing a curiosity on how things work. It’s not the malicious kind. When teaching hacking, ethics must be included. The intent is to keep the kids out of the orange jumpsuits (even if it’s the new black).

</rant>

[This rant reflects my opinion and not necessarily the views of my employer. ]

Concepts, Security Education, Security Management

My Security Bookshelf

I recently was asked, “What books, articles, websites, blogs, or videos do you recommend for those just beginning in Cybersecurity?”
It’s a great question with many answers. Too bad you can’t just come to my office and look on my bookshelf…

There are many reading and viewing options for cybersecurity.  The challenge isn’t the lack of material, but the overabundance (which is a good topic for another blog post).
The following resources are great for all levels of cybersecurity professionals.

Blogs & websites:

– Bruce Schneier on Security: https://www.schneier.com/
– Dark Reading: http://www.darkreading.com/
– CSO Online: http://www.csoonline.com/
– Threatpost: http://threatpost.com/

Videos:

– RSA Conference 2014 On-Demand Sessions: http://www.rsaconference.com/events/us14/downloads-and-media/video-index
– TED Talks Playlist, Who are the hackers? – http://www.ted.com/playlists/10/who_are_the_hackers.html
– TED Talk, Bruce Schneier: The security mirage: http://www.ted.com/talks/bruce_schneier.html
– Cambridge Ideas, Professor Risk (Dr. David Spiegelhalter): http://www.youtube.com/watch?v=a1PtQ67urG4

Books:

– “The Cuckoo’s Egg,” Clifford Stoll
– “Secrets & Lies,” Bruce Schneier
– “The Art of Deception,” Kevin Mitnick
– “Spies Among Us,” Ira Winkler

Book Reviews & Commentary:

– At the 2014 RSA Conference, Rick Howard of Palo Alto Networks gave a talk titled, “The Cybersecurity Canon: Must-Reads.” You can also find the list of his favorite cyber/security books on his Terebrate blog at http://terebrate.blogspot.com/2014/02/books-you-should-have-read-by-now.html.

– Ben Rothke, a well-known security guru / speaker / writer, provides numerous book reviews for RSA including The Best New Books from RSA Conference 2014.  You can see all of his RSA blog posts at www.rsaconference.com/blogs?keywords=rothke.

The time you spend on these resources will be well spent in developing yourself as a cybersecurity professional.  If you have one you think is missing, please provide a reply or email me.

Human Aspects, Online Safety Tips, Security Education, Security Management, Threat Modeling

My Tweets from the 2014 RSA Conference

The RSA 2014 Conference took place in San Francisco February 24-28.  It’s the top gathering of information security and risk professionals in the world with over 25,000 attendees.  I had the privilege to attend (and lead a CISO panel).  While I was there, I used twitter (@ronw123) to record my thoughts of the sessions and events.  Below is a snapshot with commentary:

Security awareness and education was a common theme throughout the conference. The industry is finally realizing it’s about the humans, and people will always be the weakest security link.

“@ddkirsch: Heard at #RSAC — Even my Mom knows that #HTTPS isn’t a plural of HTTP. #ITsecurity” < too bad so many moms, dads, & kids don’t

Chris Hadnagy (@humanhacker & Social-Engineer.org) talked about, “Social Engineering: When the Phone is More Dangerous than Malware.”  

Wow! Even @humanhacker got caught w/ phishing. It can happen to you. There are no stupid users, just uneducated ones. @SocEngineerInc

@humanhacker @SocEngineerInc showing stats from . Scary. But there’s hope. 🙂

Jack Jones (@JonesFAIRiq) had a great presentation titled, “Ending Risk Management Groundhog Day.”  He didn’t even realize that there was a running panel from 2008-2010 that I was on with the name “Security Groundhog Day” (2008, 2009, 2010).  Jack is the father of FAIR and provides great ideas for proactively using risk management practices to manage security.

Get off the “Hamster Wheel of Pain.” Stop repeating past errors. @JonesFAIRiq @alexhutton [Note: I’ve learned that this comes from “The Phoenix Project”]

@JonesFAIRiq “Policies need to be clear, concise, and useful… & written to a 9th grade level.”

@JonesFAIRiq “We’re really good at fixing symptoms, but not root causes.” #1problem is asking the right questions about risk.

Info Risk Mgmt Groundhog Day. Dude… Really… Again. It’s déjà vu all over again.

Presentations on risks and threats are now commonplace at the RSA Conference. Here are thoughts on talks by Adam Shostack (@adamshostack), Pete Lindstrom (@SpireSec), and Andy Ellis (@csoandy).

@adamshostack talking New Foundations of Threat Modeling. Asking & answering 4 questions about threat modeling and the right ways to find good threats. [Note: He has a new book out on Threat Modeling.]

@SpireSec just mentioned the Hand Rule (see en.wikipedia.org/wiki/Calculus_). So few security / risk professionals know anything about it.

@SpireSec – Being a contrarian in security makes you normal. Meaning we seek the truth even if it may hurt.

“@csoandy: The true problem of a Prisoner’s Dilemma Scenario is that it disregards the Game Manager.” < tying Game Theory to security

NIST released the first version of the Framework for Improving Critical Infrastructure Cybersecurity on February 12, 2014.  Of course, this generated a few comments:

The NIST Cybersecurity Framework, Here we are *again* writes @georgevhulme, Engage #infosec

News from #RSAC – DHS working with MS-ISAC on offering managed security services to state/local gov’t who adopt Cybersecurity framework.

The National Cyber Security Alliance (NCSA) held a twitter session where they asked pointed questions on encouraging kids to StaySafeOnline.

@StaySafeOnline & others are great! The material is there. It’s getting it out to people who need it the most. #securitychat #ChatSTC

Should there be a license to drive on the Information Superhighway? IOW: Required Education? #securitychat #ChatSTC

We need to challenge more Cybersecurity professionals to get out and educate. Make it required for certifications? #SecurityChat #ChatSTC

@STOPTHNKCONNECT #securitychat #ChatSTC A7: Reach the kids at their level. Don’t talk down to them. Challenge them to teach their parents.

Of course, one of the hot topics was NSA Surveillance: 

“Understanding NSA Surveillance: The Washington View #RSAC” < what’s legal may not be wise – said by both Hayden & Clarke

We need a real debate at #RSAC on the NSA, not pontificating and opinions. High School Debate did it last Nov. see bit.ly/MZJVrQ.

Last, but hardly least is my frustration in the opening keynote of attendees spending their time on their devices and not meeting others.

Listen #RSAC peeps! Stop playing with your phones and start meeting someone new. The greatest minds in Cybersecurity are here.

These are my quick, but not complete thoughts. No doubt they will lead to many blogs in the future.

Security Management

Perfection is the destination, not the starting point

Preface: This post is not directly related to security. It’s something for all professionals to consider.

It’s the start of a new day. The sun is shining, birds are singing, and we have a fresh start. We have time to smell the roses and ensure everything goes our way (Zip-A-Dee-Do-Dah!). Yet how often do our mornings actually start like this?

More often our days start frenetically as we rush to our jobs and other activities.  We miss critical details that may or may not make a difference.  It’s really the same with anything new.

Many of us want things to be perfect when we start something, whether it’s a new day, a new job, or a new project.  There are those who won’t even start until everything is in line according to their plans. The expectation of perfectionism isn’t realistic and really hampers our efforts. This leads to the title of this piece: “Perfection is the destination, not the starting point.”  Being perfect is something to strive for, not to start with.

If you wait to start anything until whatever you’re doing is perfect, you’ll start nothing. Or, to take from Jeff Bullas’ blog Are You Waiting to be Perfect?, “If you don’t start then nothing will happen…. it is that simple.” Or as Leo Tolstoy puts it in Anna Karenina, “If you look for perfection, you’ll never be content.”

It’s unrealistic not to expect something to go wrong or at least not be exactly like we want.  It’s better to embrace life’s imperfections and know when “good enough” is really what you need. This sets the level of expectations for everyone, even (if not especially) ourselves.  Admitting our propensity for errors demonstrates our humanity and shows that we are real.  It’s a paradox that when we allow for our weaknesses, it demonstrates our strengths.

“The journey of a thousand miles begins with a single step,” and that step doesn’t need to be perfect; it just needs to be there. An organization’s culture needs to embrace this concept and allow employees to be willing to step out and start. In Guy Kawasaki’s book, The Art of the Start: The Time-Tested, Battle-Hardened Guide for Anyone Starting Anything, he encourages entrepreneurs to make meaning, make mantra, and get going. It’s a definitive guide for anyone starting anything.

What do you need to start?  Are you waiting for it to be perfect before you do?  Don’t. It’s okay to be human.  If you never start anything, you’ll never go anywhere.

[Note: This is being cross-posted on IBC Viewpoints.]

Security Assessments, Security Management

What’s in Your [Security] Wallet?

No, this isn’t a blog about the credit card you use or identity theft. This is about the tools you have on hand as a security professional.

Like any tradecraft, security professionals should have a set of tools, in this case applications, that they keep handy for when they need them. Fortunately, there are many security tools readily and freely available that fit nicely on a 2-4 GB USB thumb drive. These tools have a variety of purposes to help the IT or security professional diagnose and troubleshoot problems. A quick note before I dive into my tools of choice: sectools.org contains an almost complete set of security apps that should be known by all security professionals.

  • Windows SysInternals (http://technet.microsoft.com/en-us/sysinternals) – This is the toolbox for Windows. Maintained by Mark Russinovich, these are the applications not included with the Windows Operating Systems, but should be. The tools that I use most are Process Explorer, Autoruns, and Zoomit.
  • Wireshark (http://www.wireshark.org/) – Wireshark is an open-source network analyzer that works on many platforms. You can use it to look into network packets for both security and troubleshooting.
  • Firecat (https://addons.mozilla.org/en-US/firefox/collections/clausv/firecat1_5_plus/) – This is a collection of add-ons for Firefox that allow you to (A) safely browse and (B) test the security of a web application.
  • Nmap (http://nmap.org/) – Nmap is the network scanning and security auditing tool. Often featured in movies, this open-source application is used for network inventory, managing service upgrade schedules, and monitoring host or service uptime.
  • Backtrack / Kali (http://www.kali.org/) – This is a Linux-based operating system that comes complete with most security tools. You need to install it on a clean thumb drive and boot from it.

A couple of quick notes:

  • These are just a small handful of good tools, but there are many others out there. If there’s one you think I missed, please reply to this post with your favorite. A caveat is that the tool must have a useful, free or open-source version readily available. It also must be small enough to fit on a thumb drive.
  • Neither I nor my employer are directly associated with these sites and tools. As always, use at your own risk.

What’s in your (security) wallet? Do you have a favorite tool that you keep in your security tool belt? Let us know.

Careers, Concepts, Security Education, Security Management

Breaking into Security

One of the common questions I am asked is, “How do I get a job in information security?”  Infosec continues to be a hot career field with many job opportunities.  Therefore, we continue seeing people who are interested, but don’t know the steps it takes to gain employment in information security.  This blog post answers the question, “How do I break into (the) security (career field)?”

A few years ago, I was asked a similar question of how I got started in security. It all started as a computer science major at Michigan State University. I was also in Air Force ROTC. This combination allowed me to start developing my security mindset. As a military intelligence officer, I learned about data classification and safeguarding sensitive information. I left the Air Force for a job as a UNIX systems administrator where I learned how to apply technical controls to protect systems and their data. As a junior security analyst, I learned the importance of policies and awareness. The combination of technical and managerial experience led me to security management roles. (You can read more about my experiences here: Me and my Job: Ron Woerner, Bellevue University, SC Magazine, April 2011)

To become a security professional, you need a mix of experience, knowledge, and abilities. It’s not generally an entry level career field, because you need time to develop yourself as a security professional who understands the many aspects of cybersecurity. The security community has a vast number of articles on breaking into the security career field.

This reminds me that everything old is new again. Many of the articles I mention above were written a few years ago. Things really haven’t changed over the years.  The career path still requires education, training, experience, and persistence.

As an extra, added bonus, here’s a 3 ½ minute Ted talk from Richard St. John: 8 secrets of success http://www.ted.com/talks/richard_st_john_s_8_secrets_of_success.html (Watch for his explanation of CRAP).  It’s great, general information on how to succeed in any career.

Concepts, Security Management

Is it time for Security Ratings of Software and Systems?

One of the fundamental papers in the Information Security industry is “The Protection of Information in Computer Systems,” written by Jerome Saltzer and Michael Schroeder in the mid-1970s. This paper defines eight design principles to ensure the safety, security, and functionality of computer systems and applications. It’s timeless, as those principles still apply today. If you haven’t seen it yet, Adam Shostack of Emergent Chaos does a great job in his blog of explaining the Saltzer and Schroeder Design Principles and equating them to something almost everyone can understand: Security in Star Wars.

One of the ideas that comes out of it is the concept of “work factor” and the fire/safety ratings on safes. Safes are classified by Underwriters Laboratories for their ability to protect their contents from both fire and burglars. The rating is the degree to which the safe will protect its contents. There are both construction and performance requirements. The former defines the minimum specifications for the container. The latter defines how long the safe must withstand a burglary attempt. You can read more about it here: http://www.maximumsecurity.com/safes/pc/Burglary-Fire-Rating-Guide-d92.htm.

This idea isn’t new. A DARPA research report from 2001 presents it from a scientific standpoint: “Adversary Work Factor as a Metric for Information Assurance.” In this paper, Schudel and Wood present the hypothesis, “that adversary work factor is a quantifiable metric that yields valuable insights into the relative strengths and weaknesses of modern complex information systems.” The authors go on to develop an approach for observing and reporting adversary work factors for information systems.

It’s time we used the same approach in Cybersecurity. The UL rating system is a standard that’s long been in use in the physical world. Why not begin to follow it in the cyber world?  The IT industry should consider creating construction and performance standards for all computer systems and applications. An unbiased, standardized security work factor rating would allow consumers to understand the safety of an application or system to determine if it fits into their risk appetite.

Why reinvent the wheel?
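To make the work-factor idea concrete, here is an added example of my own (not code from the Schudel and Wood report, nor from any UL standard). It estimates how long a secret of a given entropy holds out against an adversary guessing at a given sustained rate, then maps that time onto a constructed set of rating tiers modelled on the minutes-of-resistance idea behind safe ratings. The tier names and thresholds, the entropy and guess-rate figures, and the “half the keyspace on average” model are all assumptions of the example, chosen to show how the same secret can earn very different ratings depending on whether guessing is throttled.

```python
"""Adversary work-factor estimate, in the spirit of a safe's burglary rating.

Added example. Simplified model (an assumption here, not the Schudel/Wood
method): work factor = expected guesses / adversary guess rate, where a secret
with n bits of entropy takes 2**(n-1) guesses on average.
"""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Secret:
    name: str
    entropy_bits: float  # effective entropy, not just length


@dataclass(frozen=True)
class Adversary:
    name: str
    guesses_per_second: float  # sustained rate the adversary can achieve


# Constructed rating tiers: seconds of resistance a secret must provide to
# earn the label, modelled on the minutes-of-resistance idea in safe ratings.
RATING_TIERS = [
    ("WF-0", 0.0),  # no meaningful resistance
    ("WF-15m", 15 * 60.0),
    ("WF-1h", 3600.0),
    ("WF-1d", 86400.0),
    ("WF-1y", 365 * 86400.0),
    ("WF-100y", 100 * 365 * 86400.0),
]


def password_entropy(alphabet_size: int, length: int) -> float:
    """Upper bound on entropy: assumes each symbol is chosen uniformly."""
    return length * math.log2(alphabet_size)


def expected_guesses(entropy_bits: float) -> float:
    """Average guesses to hit a uniformly chosen secret: half the keyspace."""
    return 2.0 ** (entropy_bits - 1)


def work_factor_seconds(secret: Secret, adversary: Adversary) -> float:
    """Time the adversary needs, on average, at its sustained guess rate."""
    return expected_guesses(secret.entropy_bits) / adversary.guesses_per_second


def rating(seconds: float) -> str:
    """Highest tier whose resistance threshold the work factor meets."""
    label = RATING_TIERS[0][0]
    for name, threshold in RATING_TIERS:
        if seconds >= threshold:
            label = name
    return label


def rate_against(secret: Secret, adversaries: list) -> dict:
    """Rating of one secret against each adversary model, keyed by adversary name."""
    return {a.name: rating(work_factor_seconds(secret, a)) for a in adversaries}


if __name__ == "__main__":
    # Constructed secrets and adversary models for the demonstration.
    secrets = [
        Secret("4-digit PIN", password_entropy(10, 4)),
        Secret("8-char lowercase", password_entropy(26, 8)),
        Secret("128-bit random key", 128),
    ]
    adversaries = [
        Adversary("online, throttled", 10),  # e.g. a lockout-limited login form
        Adversary("offline, unthrottled", 1e10),  # e.g. a leaked fast hash
    ]
    for s in secrets:
        for a in adversaries:
            secs = work_factor_seconds(s, a)
            print(f"{s.name:20s} vs {a.name:22s}: {secs:12.3g} s -> {rating(secs)}")
```

The point of the two adversary models is that a rating is meaningless without the performance conditions attached, exactly as a safe’s burglary rating names the tools and time assumed: an 8-character lowercase password rates highly against a throttled login form and earns the lowest tier against offline guessing of a leaked fast hash.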

Human Aspects, Online Safety Tips, Security Education, Security Management

Security for the Real World – Password Policies

Passwords suck.  They always have; they always will.  But we’re stuck with them.  They are the cheapest and easiest means of user authentication.

With passwords, come the ubiquitous password policies.  This post addresses two of them seen at most organizations*:
1. Thou shalt not share thy password.
2. Thou shalt not write down thy password.

* “Thou shalt” isn’t usually used in policies.  I’m using it for effect.

There are many problems with these rules. First, they are almost impossible to enforce, unless it’s a really small organization or you have a large police force. Second, they are often violated by the top echelon in the company. How many CEOs share their account with their admin? Are you going to tell the CEO that he’s violating the company policy? That’s a CLM (Career Limiting Move) if you ask me.

Rules like the ones above are to protect the organization, not the employee. They cannot be enforced, except when something bad happens. Then, the enforcer can point to the policy and report the violation. I call it a “speed limit” policy: good to follow, but neither continually nor consistently enforced.

Here’s the key to making those policies work: make the user responsible for his/her account. The policy statement would then be, “All users are responsible for protecting their login credentials from unauthorized access like they would protect any other corporate asset.” This puts the onus on the user. If someone gains unauthorized access to the user’s account because he/she didn’t follow the rules, then the user is accountable. They are guilty until they can prove themselves innocent. If someone (like the CEO) wants to share their account, they can, as long as they realize that it’s them who will be held responsible for any actions taken by the other party.

With so many passwords to remember, people need to write them down.  Telling people not to just isn’t realistic.  Some use a password vault application.  Others use a piece of paper.  Both are fine as long as it’s rigorously protected.  It’s fine for people to write down their passwords as long as they store it in a very safe location.  My mom has a piece of paper with all of her passwords on it in a desk drawer in her apartment.  I’m fine with it, since I may need it one day as her power of attorney.  Her apartment is in a secure facility, so the risk is minimal.  There’s a lot bigger risk of her becoming incapacitated and me not having access to her accounts.

That’s what it comes down to: understanding RISK and establishing Accountability.  What are the risks associated with the actions?  Who’s responsible?  Answer those and you make a cognitive decision that’s both realistic and enforceable.

Physical Security, Security Assessments, Security Management

Security Convergence – Ready or not, it is here!

The security industry has been talking about the convergence of physical and information security functions for years. Many act as if it’s a big deal or that it’s a difficult endeavor to accomplish. I say, ready or not, it’s already here. Security functions and technology have merged right under our eyes. Let me explain.

First, let’s define “Security Convergence”.  According to ASIS, it’s, “The identification of security risks and interdependencies between business functions and processes within the enterprise and the development of managed business process solutions to address those risks and interdependencies.”  The key words are risks, interdependencies, and solutions.  It’s critical to review the risks to the business and determine the best methods for mitigation.  Notice that this definition contains no reference to information security or physical security.

Traditional practices have caused many large organizations to create security silos to solve individual problems rather than looking at the best solution to reduce risk.  They separate physical from logical (or information) security without realizing that these groups serve the same purpose: mitigating risks.  More progressive organizations have their security converged and are thus better able to handle common risks.  These organizations are addressing the reality of risk management, which looks at methods to address risks regardless of the form.

Many new or small organizations lack the separate physical security force that is seen in established firms. They will often outsource physical security functions as part of their lease. They believe it covers all types of risks and ignore others that they cannot address due to time or money constraints. These businesses would be better served with a converged security function under a single employee whose responsibility is to address all types of security risks, both physical and logical. With this, the company is better positioned to manage its security risks in a consolidated function.

One last point on physical/logical security convergence is that most of the equipment used by physical security, such as cameras and monitoring, badge systems, etc., is already on the network. The camera system in your facility is most likely on your corporate IP network. There’s also a strong possibility that the same is true of your badge system. They are network servers, but are usually managed outside of IT. This is another case where a converged security function can better maintain critical company services.

Security isn’t something you bolt on and hope it works.  It needs to be incorporated into the fiber of the organization.  A converged security function allows this to occur in the most cost-effective way.

What do you think?  Feel free to comment below.

Security Education, Security Management

National Center of Academic Excellence in Information Assurance Education

In April 2012, the National Information Assurance Education and Training Program (NIETP) office under the authority of the U.S. National Security Agency (NSA) and Department of Homeland Security (DHS) announced that Bellevue University is designated as a National Center of Academic Excellence in Information Assurance Education (CAE-IAE) for the academic years 2012-2017. This is a great accomplishment for the University and demonstrates our continued dedication to not only Cybersecurity Education, but also to the security community.

The CAE-IAE application, submitted earlier this year, passed a rigorous review that was evaluated against stringent criteria, demonstrating its competency and commitment to academic excellence in Information Assurance education and security practices. The letter received by the University with the announcement demonstrates the quality of our program. “One reviewer remarked that Bellevue’s submission, ‘demonstrated fine curriculum, expert faculty and noteworthy outreach.’ You are to be commended for submitting such an exemplary application. Your ability to meet the increasing demands of the program criteria will serve the nation well in contributing to the protection of the National Information Infrastructure.”

Mary Hawkins, the Bellevue University President will be receiving the official certificate of designation signed by the Director, NSA, the IA Director, NSA and the Cybersecurity Assistant Secretary, DHS, at the 16th Colloquium for Information Systems Security Education (CISSE) in June.

An official press release and announcement is forthcoming.