Lock IT Down @ CYBER++

Cybersecurity is one of the hottest career fields today.  Getting into it takes education and experience.  Basically you need practice to hone your skills in securing IT infrastructure systems.  This month, you get that chance to practice.

Bellevue University is hosting the CYBER++ Lockdown Competition on April 26, 2014 as part of the Nebraska Science Festival.  This is a cyber defense competition designed to test your science, technology, engineering, and mathematics skills in a safe, virtual environment. It’s free and open to all high school and undergraduate college students in the Omaha, NE area.  In this competition, teams of 2 to 4 students along with a mentor/coach will match wits to fix vulnerabilities and harden system security. No prior cybersecurity experience is needed. Prizes will be awarded to the top scorers in each category.

Name of Event: CYBER++ Competition

Date/Time: Saturday, April 26, 2014, 8:30 am – 3:00 pm

Location: Bellevue University, Educational Services Building, 1000 Galvin Rd South, Bellevue, NE 68005

Open to: All high school and undergraduate college students interested in cybersecurity.

Cost: FREE! (Breakfast & lunch will be provided to registered contestants)

For more information and to register, go to http://www.bellevue.edu/cyberplusplus/.

This event is being conducted with support from US CyberPatriot, the AIM Institute, the Nebraska Science Festival, and Bellevue University.

Sign up your team today and please help spread the word about this great event.

Concepts, Security Education, Security Management

My Security Bookshelf

I was recently asked, “What books, articles, websites, blogs, or videos do you recommend for those just beginning in Cybersecurity?”
It’s a great question with many answers. Too bad you can’t just come to my office and look on my bookshelf…

There are many reading and viewing options for cybersecurity.  The challenge isn’t the lack of material, but the overabundance (which is a good topic for another blog post).
The following resources are great for all levels of cybersecurity professionals.

Blogs & websites:

– Bruce Schneier on Security: https://www.schneier.com/
– Dark Reading: http://www.darkreading.com/
– CSO Online: http://www.csoonline.com/
– Threatpost: http://threatpost.com/

Videos:

– RSA Conference 2014 On-Demand Sessions: http://www.rsaconference.com/events/us14/downloads-and-media/video-index
– TED Talks Playlist, Who are the hackers? – http://www.ted.com/playlists/10/who_are_the_hackers.html
– TED Talk, Bruce Schneier: The security mirage: http://www.ted.com/talks/bruce_schneier.html
– Cambridge Ideas, Professor Risk (Dr. David Spiegelhalter): http://www.youtube.com/watch?v=a1PtQ67urG4

Books:

– “The Cuckoo’s Egg,” Clifford Stoll
– “Secrets & Lies,” Bruce Schneier
– “The Art of Deception,” Kevin Mitnick
– “Spies Among Us,” Ira Winkler

Book Reviews & Commentary:

– At the 2014 RSA Conference, Rick Howard of Palo Alto Networks gave a talk titled, “The Cybersecurity Canon: Must-Reads.” You can also find the list of his favorite cyber/security books on his Terebrate blog at http://terebrate.blogspot.com/2014/02/books-you-should-have-read-by-now.html.

– Ben Rothke, a well-known security guru / speaker / writer, provides numerous book reviews for RSA including The Best New Books from RSA Conference 2014.  You can see all of his RSA blog posts at www.rsaconference.com/blogs?keywords=rothke.

The time you spend on these resources will be well spent in developing yourself as a cybersecurity professional.  If you have one you think is missing, please provide a reply or email me.

Human Aspects, Online Safety Tips, Security Education, Security Management, Threat Modeling

My Tweets from the 2014 RSA Conference

The RSA 2014 Conference took place in San Francisco February 24-28.  It’s the top gathering of information security and risk professionals in the world, with over 25,000 attendees.  I had the privilege to attend (and lead a CISO panel).  While I was there, I used Twitter (@ronw123) to record my thoughts on the sessions and events.  Below is a snapshot with commentary:

Security awareness and education was a common theme throughout the conference.  The industry is finally realizing it’s about the humans, and people will always be the weakest security link.

@ddkirsch: “Heard at #RSAC — Even my Mom knows that #HTTPS isn’t a plural of HTTP. #ITsecurity” < too bad so many moms, dads, & kids don’t

Chris Hadnagy (@humanhacker & Social-Engineer.org) talked about, “Social Engineering: When the Phone is More Dangerous than Malware.”

Wow! Even @humanhacker got caught w/ phishing. It can happen to you. There are no stupid users, just uneducated

@humanhacker @SocEngineerInc showing stats from . Scary. But there’s hope. 🙂

Jack Jones (@JonesFAIRiq) had a great presentation titled, “Ending Risk Management Groundhog Day.”  He didn’t even realize that there was a running panel from 2008-2010 that I was on with the name “Security Groundhog Day” (2008, 2009, 2010).  Jack is the father of FAIR and provides great ideas for proactively using risk management practices to manage security.

Get off the “Hamster Wheel of Pain.” Stop repeating past errors. @JonesFAIRiq @alexhutton [Note: I’ve learned that this comes from “The Phoenix Project”]

@JonesFAIRiq “Policies need to be clear, concise, and useful… & written to a 9th grade level.”

@JonesFAIRiq “We’re really good at fixing symptoms, but not root causes.” #1problem is asking the right questions about risk.

Info Risk Mgmt Groundhog Day. Dude… Really… Again. It’s déjà vu all over again.

Presentations on risks and threats are now commonplace at the RSA Conference. Here are thoughts on talks by Adam Shostack (@adamshostack), Pete Lindstrom (@SpireSec), and Andy Ellis (@csoandy).

@adamshostack talking New Foundations of Threat Modeling. Asking & answering 4 questions about threat modeling and the right ways to find good threats. [Note: He has a new book out on Threat Modeling.]

@SpireSec just mentioned the Hand Rule (see en.wikipedia.org/wiki/Calculus_). So few security / risk professionals know anything about it.

@SpireSec – Being a contrarian in security makes you normal. Meaning we seek the truth even if it may hurt.

@csoandy: “The true problem of a Prisoner’s Dilemma Scenario is that it disregards the Game Manager.” < tying Game Theory to security

NIST released the first version of the Framework for Improving Critical Infrastructure Cybersecurity on February 12, 2014.  Of course, this generated a few comments:

The NIST Cybersecurity Framework, Here we are *again* writes @georgevhulme, Engage

News from #RSAC – DHS working with MS-ISAC on offering managed security services to state/local gov’t who adopt Cybersecurity framework.

The National Cyber Security Alliance (NCSA) held a Twitter session where they asked pointed questions on encouraging kids to StaySafeOnline.

@StaySafeOnline & others are great! The material is there. It’s getting it out to people who need it the most. #securitychat #ChatSTC

Should there be a license to drive on the Information Superhighway? IOW: Required Education? #securitychat #ChatSTC

We need to challenge more Cybersecurity professionals to get out and educate. Make it required for certifications? #SecurityChat #ChatSTC

@STOPTHNKCONNECT #securitychat #ChatSTC A7: Reach the kids at their level. Don’t talk down to them. Challenge them to teach their parents.

Of course, one of the hot topics was NSA Surveillance:

“Understanding NSA Surveillance: The Washington View #RSAC” < what’s legal may not be wise – said by both Hayden & Clarke

We need a real debate at #RSAC on the NSA, not pontificating and opinions. High School Debate did it last Nov. see bit.ly/MZJVrQ.

Last, but hardly least, is my frustration during the opening keynote with attendees spending their time on their devices and not meeting others.

Listen #RSAC peeps! Stop playing with your phones and start meeting someone new. The greatest minds in Cybersecurity are

These are my quick, but not complete thoughts. No doubt they will lead to many blogs in the future.

Security Management

Perfection is the destination, not the starting point

Preface: This post is not directly related to security. It’s something for all professionals to consider.

It’s the start of a new day. The sun is shining, birds are singing, and we have a fresh start. We have time to smell the roses and ensure everything goes our way (Zip-A-Dee-Do-Dah!). Yet how often do our mornings actually start like this?

More often our days start frenetically as we rush to our jobs and other activities.  We miss critical details that may or may not make a difference.  It’s really the same with anything new.

Many of us want things to be perfect when we start something, whether it’s a new day, a new job, or a new project.  There are those who won’t even start until everything is in line according to their plans. The expectation of perfectionism isn’t realistic and really hampers our efforts. This leads to the title of this piece: “Perfection is the destination, not the starting point.”  Being perfect is something to strive for, not to start with.

If you wait to start anything until whatever you’re doing is perfect, you’ll start nothing. Or, to take from Jeff Bullas’ blog post Are You Waiting to be Perfect?, “If you don’t start then nothing will happen…. it is that simple.”  Or as Leo Tolstoy puts it in Anna Karenina, “If you look for perfection, you’ll never be content.”

It’s unrealistic not to expect something to go wrong or at least not be exactly like we want.  It’s better to embrace life’s imperfections and know when “good enough” is really what you need. This sets the level of expectations for everyone, even (if not especially) ourselves.  Admitting our propensity for errors demonstrates our humanity and shows that we are real.  It’s a paradox that when we allow for our weaknesses, it demonstrates our strengths.

“The journey of a thousand miles begins with a single step,” and that step doesn’t need to be perfect; it just needs to be there. An organization’s culture needs to embrace this concept and allow employees to be willing to step out and start.  In Guy Kawasaki’s book, The Art of the Start: The Time-Tested, Battle-Hardened Guide for Anyone Starting Anything, he encourages entrepreneurs to make meaning, make mantra, and get going. It’s a definitive guide for anyone starting anything.

What do you need to start?  Are you waiting for it to be perfect before you do?  Don’t. It’s okay to be human.  If you never start anything, you’ll never go anywhere.

[Note: This is being cross-posted on IBC Viewpoints.]

Security Assessments, Security Management

What’s in Your [Security] Wallet?

No, this isn’t a blog about the credit card you use or identity theft. This is about the tools you have on hand as a security professional.

Like any tradecraft, security professionals should have a set of tools, in this case applications, that they keep handy for when they need them. Fortunately, there are many security tools readily and freely available that fit nicely on a 2-4 GB USB thumb drive. These tools serve a variety of purposes to help the IT or security professional diagnose and troubleshoot problems. A quick note before I dive into my tools of choice: sectools.org contains an almost complete set of security apps that should be known by all security professionals.

  • Windows Sysinternals (http://technet.microsoft.com/en-us/sysinternals) – This is the toolbox for Windows. Maintained by Mark Russinovich, these are the applications that aren’t included with the Windows operating systems, but should be. The tools that I use most are Process Explorer, Autoruns, and ZoomIt.
  • Wireshark (http://www.wireshark.org/) – Wireshark is an open-source network analyzer that works on many platforms. You can use it to look into network packets for both security and troubleshooting.
  • Firecat (https://addons.mozilla.org/en-US/firefox/collections/clausv/firecat1_5_plus/) – This is a collection of add-ons for Firefox that allow you to (A) safely browse and (B) test the security of a web application.
  • NMap (http://nmap.org/) – Nmap is the network scanning and security auditing tool. Often featured in movies, this open-source application is used for network inventory, managing service upgrade schedules, and monitoring host or service uptime.
  • BackTrack / Kali (http://www.kali.org/) – This is a Linux-based operating system that comes complete with most security tools. You need to install it on a clean thumb drive and boot from it.

A couple of quick notes:

  • These are just a small handful of good tools, but there are many others out there. If there’s one you think I missed, please reply to this post with your favorite. A caveat is that the tool must have a useful, free or open-source version readily available. It also must be small enough to fit on a thumb drive.
  • Neither I nor my employer are directly associated with these sites and tools. As always, use at your own risk.

What’s in your (security) wallet? Do you have a favorite tool that you keep in your security tool belt? Let us know.

Concepts, Security Assessments, Threat Modeling

Threat Modeling – What’s the worst that can happen?

A threat is defined as “a person or thing likely to cause damage or danger.”  Threats are all around us, but we shouldn’t treat all threats as equal.  Too often we fail to identify threats because they aren’t readily apparent or we consider them to be too small.

Threats and vulnerabilities are both part of the overall risk equation.  While organizations are getting better at identifying and fixing weaknesses, many still don’t understand the potential threat landscape.  We’ve all heard, “Oh no one would ever want to attack us. We’re so small and our systems have no value.”  I can hear Target saying that about their HVAC systems. Malicious hackers can use anything connected to a production network in order to gain access.  It shouldn’t be assumed that a small target means it can’t be hit.

All organizations should conduct assessments to understand the multitude of threats they face both in and out of their cybersystems. Threat modeling is still a new arena in security, but it’s gaining in prevalence.  In CSOOnline (http://www.csoonline.com/), George V. Hulme has an article, “Can threat modeling keep security a step ahead of the risks?” where he makes a case for more effective threat modeling. He references how a CISO uses threat modeling to understand the organization’s risks, prioritize security spending, and focus security efforts.

Adam Shostack is also calling for increased threat awareness.  In his book coming out on Feb 17, “Threat Modeling: Designing for Security,” he explores various threat modeling approaches, explains how to test system designs against threats, and presents effective ways to address threats that have been validated at many top companies.

What does this mean for you?  As security professionals, we conduct threat modeling throughout our career.  That’s why we take the time to study threat modeling and apply it.

Careers, Concepts, Security Education, Security Management

Breaking into Security

One of the common questions I am asked is, “How do I get a job in information security?”  Infosec continues to be a hot career field with many job opportunities.  Therefore, we continue seeing people who are interested, but don’t know the steps it takes to gain employment in information security.  This blog post answers the question, “How do I break into (the) security (career field)?”

A few years ago, I was asked a similar question of how I got started in security.  It all started as a computer science major at Michigan State University. I was also in Air Force ROTC.  This combination allowed me to start developing my security mindset.  As a military intelligence officer, I learned about data classification and safeguarding sensitive information. I left the Air Force for a job as a UNIX systems administrator where I learned how to apply technical controls to protect the systems and its data. As a junior security analyst, I learned the importance of policies and awareness. The combination of technical and managerial experience led me to security management roles. (You can read more about my experiences here: Me and my Job: Ron Woerner, Bellevue University, SC Magazine, April 2011)

To become a security professional, you need a mix of experience, knowledge, and abilities. It’s not generally an entry level career field, because you need time to develop yourself as a security professional who understands the many aspects of cybersecurity. The security community has a vast number of articles on breaking into the security career field.

This reminds me that everything old is new again. Many of the articles I mention above were written a few years ago. Things really haven’t changed over the years.  The career path still requires education, training, experience, and persistence.

As an extra, added bonus, here’s a 3½-minute TED talk from Richard St. John: 8 secrets of success http://www.ted.com/talks/richard_st_john_s_8_secrets_of_success.html (Watch for his explanation of CRAP).  It’s great, general information on how to succeed in any career.

Concepts, Security Management

Is it time for Security Ratings of Software and Systems?

One of the fundamental papers in the information security industry is “The Protection of Information in Computer Systems,” written by Jerome Saltzer and Michael Schroeder in the mid-1970s.  This paper defines eight design principles to ensure the safety, security, and functionality of computer systems and applications.  It’s timeless, as those principles still apply today. If you haven’t seen it yet, Adam Shostack of Emergent Chaos does a great job in his blog of explaining the Saltzer and Schroeder design principles and equating them to something almost everyone can understand: security in Star Wars.

One of the ideas that comes out of it is the concept of “work factor,” which parallels the fire and burglary ratings on safes.  Safes are classified by Underwriters Laboratories for their ability to protect their contents from both fire and burglars.  The rating is the degree to which a safe will protect its contents. There are both construction and performance requirements.  The former defines the minimum specifications for the container. The latter defines how long the safe must withstand a burglary attempt.  You can read more about it here: http://www.maximumsecurity.com/safes/pc/Burglary-Fire-Rating-Guide-d92.htm.

This idea isn’t new. A DARPA research report from 2001 presents it from a scientific standpoint: “Adversary Work Factor as a Metric for Information Assurance.” In this paper, Schudel and Wood present the hypothesis, “that adversary work factor is a quantifiable metric that yields valuable insights into the relative strengths and weaknesses of modern complex information systems.” The authors go on to develop an approach for observing and reporting adversary work factors for information systems.

It’s time we used the same approach in Cybersecurity. The UL rating system is a standard that’s long been in use in the physical world. Why not begin to follow it in the cyber world?  The IT industry should consider creating construction and performance standards for all computer systems and applications. An unbiased, standardized security work factor rating would allow consumers to understand the safety of an application or system to determine if it fits into their risk appetite.

Why reinvent the wheel?

Online Safety Tips

Protecting Yourself in an Insecure Cyberworld

A friend of mine recently asked for 5 quick tips for people to protect themselves from cyberfraud and identity theft.  While there are many great ideas out there on the sites listed below, here are the five I promote:

  • Watch your credit card. When paying with a credit or debit card, pay attention to who has it and where it’s going.  It’s easy for the waiter/waitress or cashier to steal the information when they take it out of your sight.  Most identity theft occurs with the physical card and not online.
  • Keep track of your charges.  Know each time you spend money especially with credit and debit cards.  This will make the next steps easier when you check your statements. You won’t need to rely on your memory as much (“What’s this charge?” and “Did I make it?”). While this is mostly important for payments made by credit or debit card, it also applies to cash.
  • Pay attention to your statements.  At least once a month, go through all of your bank and credit card statements to ensure all transactions are credible.  It’s so easy to get lazy and neglect reviewing what’s being charged in your name.  With electronic statements, you can do this multiple times a month.  This allows you to catch potential problems earlier.
  • Be careful when using public wi-fi.  It’s a great convenience that so many places allow us to connect to the Internet using their free wi-fi.  Keep in mind though that it’s like yelling in public; it’s not secret.  Malicious hackers can “sniff” the airwaves and steal your information.  I don’t recommend using public wi-fi for anything sensitive.
  • Use strong passwords and keep them safe.  Passwords are the keys to our identity and personal data.  Choose and use them wisely.  Don’t use the same password for all websites. That’s the same as having the same key for your house, car, office, safe, etc.  Use different passwords, especially for sensitive areas like your financial institutions.  Microsoft has a good, online password checker to help you select strong passwords.

Below are some of the websites* and resources you can use to learn more about keeping yourself and your family safe online:

What tips or sites do you have?  Please share using the comments.

* These sites are not associated with Bellevue University. They are provided for your reference. Use at your own risk.


Human Aspects, Online Safety Tips, Security Education, Security Management

Security for the Real World – Password Policies

Passwords suck.  They always have; they always will.  But we’re stuck with them.  They are the cheapest and easiest means of user authentication.

With passwords come the ubiquitous password policies.  This post addresses two of them seen at most organizations*:
1. Thou shalt not share thy password.
2. Thou shalt not write down thy password.

* “Thou shalt” isn’t usually used in policies.  I’m using it for effect.

There are many problems with these rules.  First, they are almost impossible to enforce, unless it’s a really small organization or you have a large police force.  Second, they are often violated by the top echelon in the company.  How many CEOs share their account with their admin?  Are you going to tell the CEO that he’s violating the company policy?  That’s a CLM (Career Limiting Move) if you ask me.

Rules like the ones above are there to protect the organization, not the employee.  They cannot be enforced, except when something bad happens.  Then the enforcer can point to the policy and report the violation.  I call it a “speed limit” policy: good to follow, but neither continually nor consistently enforced.

Here’s the key to making those policies work: make the user responsible for his/her account.  The policy statement would then be, “All users are responsible for protecting their login credentials from unauthorized access like they would protect any other corporate asset.”  This puts the onus on the user.  If someone gains unauthorized access to the user’s account because he/she didn’t follow the rules, then the user is accountable.  They are guilty until they can prove themselves innocent.  If someone (like the CEO) wants to share their account, they can, as long as they realize that it’s they who will be held responsible for any actions taken by the other party.

With so many passwords to remember, people need to write them down.  Telling people not to just isn’t realistic.  Some use a password vault application.  Others use a piece of paper.  Both are fine as long as they are rigorously protected.  It’s fine for people to write down their passwords as long as they store them in a very safe location.  My mom has a piece of paper with all of her passwords on it in a desk drawer in her apartment.  I’m fine with it, since I may need it one day as her power of attorney.  Her apartment is in a secure facility, so the risk is minimal.  There’s a lot bigger risk of her becoming incapacitated and me not having access to her accounts.

That’s what it comes down to: understanding RISK and establishing accountability.  What are the risks associated with the actions?  Who’s responsible?  Answer those and you make a conscious decision that’s both realistic and enforceable.