information security


This post repurposed and amended from a recent dispatch on Infosec Island.

Coming soon, either “Social Media is my Job Pimp” or “The Mobile Security Arms Race.” Feel free to vote in the comments below. And now, without further ado…

More than 88 Lines:

For those of you without an insatiable addiction to 80s punk, goth and new wave, the title of this post is inspired by the ’80s classic by The Nails — 88 Lines about 44 Women.  This song was the first thing that came to mind when the folks at Infosec Island asked me to join their band of security crazies as a regular contributor.

Flattered to be sure, given that I’ve only begun to cut my baby teeth in this space as a former vendor marketing hack.

Now, before you stop reading, one thing you should know is that my background (visit me on LinkedIn) has trained me all too well to take the tangled mess of Cyber, rootkit detection and eradication, Application (In)Security, common exploits, etc. and turn it into something that end-users actually understand and want to avoid.

With that in mind…and with your indulgence…here are my observations after nine whole months in the IT security sector: 88 lines about less than 44 weeks in Infosec. Let’s start with my Top 5, which, given my tendency to drone on, may end up being 88 lines.

1. From Week 1 to present, you have all sufficiently scared the holy hell out of me with how real, lucrative and mostly unavoidable cybercrime/cyberwar/cyber espionage is for targeted companies and people. Good show!

Any thoughts on taking your act on the road to senior citizen homes, community-sponsored events on online safety, schools, etc.? Layer 8 (aka people, for the uninitiated) needs you! It’s time to take what you know to the street and quit telling each other what you already know.

I’ll offer myself up as your first community leader in my hometown of Portland, Oregon… I’ll just need your brains and help with a curriculum that makes sense. Help me help you!

I know millions of people even more ignorant than I on the perils of Internet stupidity. And they need to be reminded daily, not once a year in a thin public service announcement or press release by DHS during Cyber Security Awareness Week.

2. Information security isn’t about you. It’s about protecting the weak from the valley of darkness. Be the Shepherd, not the self-congratulating rancher. You can be smart, revered and successful without being a prick.

Call up your alma mater and offer your skills or consulting advice for free. Help a newbie gain his stripes in the industry (thanks @falconsview @jackdaniel @BrianHonan @DeathwishDuck @Wh1t3Rabbit @TripwireInc @andrewsmhay @briankrebs and so many others!).

Celebrate the fact that somebody actually respects you enough to ask for your guidance. And then give it away…freely.

3. I love that people in the IT security community are so far out in front on the usage of social media tools like Twitter to not only engage with each other, but use it as a means of revealing new threats, testing theories and furthering the global #infosec community.

I know the medium is also used for evil on the social engineering front, but those leveraging it for good will prevail. Expose the shitheels at the speed of “Send.”

4. Cloud computing has got to be the dumbest, most innocuous name for something so vital and potentially dangerous.

Can we please call it what it is: A Digital Data Trailer Park susceptible to methed-out dudes breaking in to steal your valuables, with more-than-occasional, seemingly targeted, natural disasters that may put you in the bread line, and delivering a nagging, persistent gut ache and brain traffic that circles the unanswerable question “Is my valuable data secure?”

C’mon you’re doing this to save $. Is it worth it? Are you sure?

5. And this is probably the most crystal clear and personal observation over the last 40+ weeks in infosec.

Like security itself …it’s a never-ending journey that unearths painful truths, nerve-wracking challenges to your beliefs and confidence, and it keeps its clutches in you with the lure of fighting the good fight or making an obscene amount of money and wreaking a new kind of havoc on the world if you’re donning the black hat.

Damn you, Infosec. I’m hooked. A reluctant data security junkie with a dangerous amount of semi-informed knowledge, eager to fight alongside you. I’m not going anywhere.

For better or worse. I’ll be taking what you know and sharing it with the computer users getting pummeled by their own laziness or uninformed mistakes… until further notice.

Until next time.

@MarkAEvertz

This blog post is inspired by Welcome to the Machine by Pink Floyd. Refurbished from a Dec. 21, 2010 post for @TripwireInc.

Someone recently posed this question to me and a few cohorts here at Tripwire, the IT security company where I work:

What are your Top 5 IT Security Events for 2010?

At first, I responded with RSA, Blackhat, Infosecurity Europe, B-Sides, etc., then realized the question attempted to get at incidents or interesting developments in the last year. That task proved to be much harder.

Any time I’ve been asked to cobble together a list of “Top anythings”, it has always been akin to “What are your Top 5 bands or movies?” By that, I mean, they usually change George Costanza-style on the drive home (video) (ohhhhh, I should’ve said <insert obscure, uber-hip band name here>).

With that in mind, here are my Top 5 IT Security Stories/Incidents worthy of consideration in no particular order, with a detailed rationale for each of my choices. Agree? Disagree? Think of one on the drive home? Fire away in the comment section. -ME

The “Stuxnet Effect” on Cyber Security
In 2010, Stuxnet

  1. Captured media and global governmental attention because it was the first high-profile case of a dramatic shifting of war from on-the-ground to the cyber world. While the republics of Georgia and Estonia had illustrated this shift first in 2007, the Stuxnet attack in the Spring/Summer of 2010 brought the new battlefield home to the U.S. Government because it attacked Command and Control (SCADA) systems responsible for regulating the energy grid.
  2. Showed, through its combination of four zero-day attacks, that very talented, coordinated and probably state-financed groups can wreak global havoc on really old equipment. Some energy grid systems are 50-80 years old and rife with vulnerabilities that are ripe for current attack methods or modern advancements in malware development.
  3. Taught an important lesson: If you are a target of this type of attack, it will happen and it is next to impossible to prevent.
  4. The countermeasure for high profile targeted attacks such as these is to return to the basics of info and system security:
    1. Protect (monitor all systems around the clock for up-to-date patches and configurations across the entire IT infrastructure).
    2. Detect patterns of behavior that are suspicious using a correlation of suspect log events, system changes and near real-time alerting of configuration errors that attackers exploit
    3. Resolve compromises as fast as possible with the ability to find the breach and return systems to a secure state by combining a pre- and post-breach cyber forensics program and automating the system baselining process.
  5. Another key lesson with Stuxnet that will hopefully have a lasting impact was the realization that an attack of this kind in one place is a global event that will require a global response and the cooperation of governments and businesses around the world.

Security & Compliance in The Cloud
Much like the concept of cyberwar in the Stuxnet example, “The Cloud” is here to stay. Your first clue is “The” in “The Cloud.” It’s kinda like Madonna, Cher, Prince or The Hoff. (No, not that “Hoff”). Love ‘em or hate ‘em, once they’ve attained “The” status, they’re not going anywhere. Why?

(Image: IDC data overload chart)

  1. The Cloud is largely perceived by business users as a lower cost, environmentally responsible alternative to cash- and energy-sucking server farms that are holding an exponentially growing deluge of data that exceeded the storage available in 2007 (see image).
  2. Large cloud providers like Amazon have rushed to become PCI compliant in an effort to protect sensitive data, namely cardholder data. The cautionary tale here is that providers, and particularly the small and medium businesses using The Cloud to cut corners and save money, have to realize that they have a responsibility to secure their own systems and sensitive data as well, or that data can be compromised where it lives: in their environment and on user systems.
  3. One other critical issue that security experts point to is that by storing sensitive data in one place, and sometimes in a shared environment with other companies, they have unintentionally created a very rich singular target for patient, deliberate and well-financed cyber crime organizations.
  4. The key, and this is certainly true of where Tripwire is working to address security in the cloud, is to monitor the critical systems, infrastructure and sensitive data stored with cloud service providers, alert on high-risk behaviors in the public, private and hybrid cloud environments and resolve anomalies on demand to guard against cyber attacks of this kind.

Cyber forensics as an emerging industry

OK…I have to admit, I see a David Caruso spin-off here in our future, complete with aviator shades, IT-flavored one liners (“His JavaScript didn’t have a happy ending”) and a screaming Who song (in my Top 5, btw). Not sure if that’s a good thing or a bad thing, but that digression aside, for me, the driving factors behind cyber forensics are:

1. Rapid evolution of attack methods and malware have created the need to approach threat detection beyond the old signature-based model of known vulnerabilities to real-time behavioral analysis of anomalies in an IT environment across systems, files and security controls already in place (firewalls, anti-virus, security policy frameworks like CIS, etc.).

2. A desire to be proactive on IT security rather than reactive to breaches. Cyber forensics enables pre-breach analysis that can identify risks and in most cases guard against a breach. In addition, it improves incident response by delivering post-breach analysis for reporting purposes and identifies how sensitive data or systems were compromised to harden the environment against future attacks.

3. Technology advancements that enable real-time, continuous monitoring, alerts based on suspicious occurrences and automated, intelligent resolution. Tripwire’s behavioral approach to detecting threats includes monitoring the IT ecosystem around the clock for incidents that weaken a company’s security posture, correlating suspicious log events and suspicious file changes in near real time to identify threats faster, and on-demand remediation of any configuration errors in the environment that contributed to the breach.
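The Protect/Detect/Resolve loop in the Stuxnet list above and the correlation of file changes with log events described in point 3 here rest on the same mechanism, shown below as an added Python example (not Tripwire’s code): hash a known-good baseline, diff the live state against it, correlate each change with log events inside a time window, and map unexplained changes back to the baseline they must be restored to. The file paths and contents, the log line format and the “ticketed_change” action are all constructed for the example.

```python
"""Toy Protect / Detect / Resolve loop: file-integrity baseline plus log correlation.

Added example, not Tripwire's code. Monitored files are an in-memory
{path: bytes} dict so the example runs offline; the log lines are
constructed samples in a made-up "ISO-timestamp user action path" format.
"""
import hashlib
from datetime import datetime, timedelta


def build_baseline(files):
    """Protect: record a SHA-256 for every monitored file (the known-good state)."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


def detect_changes(baseline, current):
    """Detect: diff the live tree against the baseline, returning (path, kind) pairs."""
    live = build_baseline(current)
    changes = []
    for path in sorted(set(baseline) | set(live)):
        if path not in live:
            changes.append((path, "deleted"))
        elif path not in baseline:
            changes.append((path, "added"))
        elif baseline[path] != live[path]:
            changes.append((path, "modified"))
    return changes


def parse_log(line):
    """Parse one constructed log line into a dict."""
    ts, user, action, path = line.split(" ", 3)
    return {"ts": datetime.fromisoformat(ts), "user": user, "action": action, "path": path}


def correlate(changes, log_lines, scan_time, window=timedelta(minutes=10)):
    """Correlate each change with log events touching the same path inside the window.

    A change explained by a 'ticketed_change' event is expected; anything else
    (an unexplained write, or no log event at all) becomes an alert.
    """
    events = [parse_log(line) for line in log_lines]
    alerts = []
    for path, kind in changes:
        related = [e for e in events
                   if e["path"] == path and scan_time - window <= e["ts"] <= scan_time]
        if not any(e["action"] == "ticketed_change" for e in related):
            alerts.append({"path": path, "kind": kind,
                           "evidence": [e["action"] for e in related] or ["no log event"]})
    return alerts


def restore_plan(alerts, baseline):
    """Resolve: map each alerted path to the baseline hash it must return to ('remove' if new)."""
    return {a["path"]: baseline.get(a["path"], "remove") for a in alerts}


# Constructed sample data: one ticketed change, one unexplained config edit, one new file.
BASELINE_FILES = {"/etc/ssh/sshd_config": b"PermitRootLogin no\n",
                  "/usr/bin/ls": b"ELF-original",
                  "/etc/cron.d/backup": b"0 2 * * * root /backup.sh\n"}
CURRENT_FILES = {"/etc/ssh/sshd_config": b"PermitRootLogin yes\n",
                 "/usr/bin/ls": b"ELF-original",
                 "/etc/cron.d/backup": b"0 3 * * * root /backup.sh\n",
                 "/tmp/unexpected.sh": b"#!/bin/sh\n"}
SCAN_TIME = datetime(2010, 12, 21, 9, 0, 0)
LOG_LINES = ["2010-12-21T08:55:00 svc_cm ticketed_change /etc/cron.d/backup",
             "2010-12-21T08:58:30 www-data file_write /etc/ssh/sshd_config"]


def run_cycle():
    """Run one full cycle and return (changes, alerts, restore plan)."""
    baseline = build_baseline(BASELINE_FILES)
    changes = detect_changes(baseline, CURRENT_FILES)
    alerts = correlate(changes, LOG_LINES, SCAN_TIME)
    return changes, alerts, restore_plan(alerts, baseline)


if __name__ == "__main__":
    for item in run_cycle():
        print(item)
```

The ticketed cron edit is accepted, the sshd_config write by an unexpected account and the new file in /tmp are alerted, and the restore plan names the baseline hash (or removal) for each.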

SMBs taking a big-boy beating on the cyber attack front

  1. Recent reports are pointing to a growing trend that cyber attackers are seeing the complex traps being set for them in the enterprise space with seven layers of security defense, complete with firewalls, IDS, IPS, access management, threat behavior analysis via the correlation of file changes and suspicious log events, etc., and opting to go for the easy pickings in the education, nonprofit and SMB sectors.
  2. In complex DDoS attacks or sophisticated botnets, these easier-to-access servers and machines are being used to attack larger targets en masse, or they provide simple, unfettered access to the sensitive data available and let attackers collect data from a multitude of weakly guarded targets. Examples include Zeus and its financial account access-stealing malware that continues to plague non-enterprise organizations.
  3. While an IT budget vs. mission or security budget vs. headcount seesaw will always be at play in these cash-strapped and often technically challenged environments, it’s important to keep hammering on the fact that attackers see them as the path of least resistance for obtaining social security numbers, health records, financial accounts and/or an entire zombie army of machines poised to do their dirty work, because they are most likely misconfigured or poorly managed. All security do-gooders need to band together in the years to come to stem this rising tide.

Recent news feeding my fire on this trend:

  • Education sector most affected by malware
  • AmeriCorps Security Breach
  • SMB Cloud Is A Hacker’s Paradise
  • Cyber Criminals Now Target SMB Bank Accounts

Security industry consolidation
Point solutions like Arcsight (now a part of HP) and even larger security luminaries like McAfee (now a part of Intel) got gobbled up by larger mega corps to build out their portfolio in the white-hot security space. In fact, according to my fingers and toes, in the last 5 years alone, 26 smaller companies Tripwire used to compete with head-to-head are now part of the machine. In my view, this changes the landscape in two ways:

  1. Security solution buyers will be tentative in buying yet another technology to throw into their security mix and seek out comprehensive security suites to address a multitude of their security and compliance challenges related to protecting sensitive data and critical systems.
  2. Security solution providers, in their efforts to meet this buyer desire and address a complex threat landscape, will find themselves partnering with former adversaries to create super solutions in the security space built on providing better visibility into true threats, real-time detection and rapid resolution to avoid cataclysmic breaches with massive data losses.

I can hear you all now. What about Aurora? (Ohhhhh! Jerk Store!) What about WikiLeaks? What about…? Share your wisdom and defend it in the comments section below.

I hope you had an incident-free holiday. Welcome to 2011.

Heckling the dumb in the land of Lost Wages

This blog is inspired by Paranoia by Black Sabbath.

Las Vegas was full of a whole different kind of sin last week. (Is SYN too on-the-nose for you IT security vets? SYN…ACK! ACK! ACK!)

SANS Network Security 2010

SANS Network Security 2010 was the first of hopefully many conferences/classes for me to learn about the best and worst in the world of IT security. Great presentations. Eye-opening exercises. Plenty of career-enhancing connections. And more than a little chest puffing.

I do have to say that while I moved from blind victim (on the casino floor and off) to keenly aware malware target after my week in Vegas, I hopped on the plane home thinking that some of the most talented security practitioners, penetration testers, and provocative presenters the IT world has to offer didn’t do much to change my perception held since the days of Y2K that those who make and break the rules on the Interweb are separated at birth or at least genetically aligned with Nick Burns, Your Company’s Computer Guy. Brash. Caffeinated. Eager to prove worth. Equally fired up for the putdown of the uneducated.

The event brought IT security neophytes like me together with a cadre of command-and-control smarties to seemingly perpetuate inferiority complexes, self-proclaimed guru statuses, cyber terror bed wetting and group basking in schadenfreude for middle school years gone wrong.

That’s not to say that instructors and classmates in total weren’t welcoming, helpful or accommodating. In fact, it was a lot like speaking broken Spanish in an English accent while on a week-long sabbatical in Cancun. “Oh..look, he’s trying. Isn’t that cute? Bien Bien, Pobrecito.”

Layer 8 is People! It’s People!

But what stuck with me more than a corn syrup-soaked “Ctrl” key was the rampant use of the word “Stupid” when referring to people who use computers…business or personal keytappers. “End Users” (Layer 8 in a Seven-Layer Security Model) are perpetually on the outside looking in through a technically opaque window of safe and sane computer usage.

OK, admittedly, “End Users” like me, mom, dad, my Facebook and LinkedIn buddies and eager-to-assist Tweeps, aren’t doing ourselves any favors in the IQ elevation process when we send money to Nigeria or naively become money mules despite an email rife with typos and the hard-to-fathom promise of a few hundred bucks for a few minutes’ time.

That being said, it would be cool if The Lords of LAN and WAN would drop a few non-malware laden breadcrumbs of Internet security wisdom to make our computers, companies and governments a little smarter at spotting the worm on the hook.

Ya feel me:

Let’s just agree now. Nobody benefits from stupidity.

Stupid may seem like job security at first for the SysAdmin or his bosses who know all the answers. That is until he or she gets chewed out when a Distributed Denial of Service attack — unleashed when the uninformed click on “Funny Video.exe” attachments in their work Outlook account — keeps the boss from sending an important e-mail. Let’s all take a page out of the stupidity-killing handbook of Chris Hadnagy, operations manager at Offensive Security, and his Social Engineering 101 Q&A with CNet Senior Writer Elinor Mills earlier this summer.

Another guy to lean on is former Washington Post reporter and IT security demystifier Brian Krebs who always manages to do his job without the slightest bit of condescension.

I’m pretty sure all of us in IT security are only as smart as our least informed coworker, which may just be the person signing your checks. Or your recently socially engineered Halo 3 cohort and IT security pal. See you in the shadows.

This post is inspired by the band “Security Threat” and their song Refusal (on Blip.fm).

EXTENDED VERSION OF POST ON TRIPWIRE.COM, posted on 6/28/2010, with comments/responses

With apologies to the ghost of Hunter S. Thompson, I write this as one of Hunter’s favorite words for a person who was fresh meat in battle, “Rube.” Thompson’s battle theaters were politics, war, corporate malfeasance, sports culture and media as infotainment.

Personal and Professional Data Deluge

My new battlefield is IT security and compliance automation. My first tour of duty was the Gartner Security & Risk Management Summit 2010 (participant threads on Twitter here: http://bit.ly/9EmuJB ). I prepped for this summit by carnivorously cutting my teeth on data breach stories past and present, IT security spending trends, and leaching off the minds of Infosec’s (Information security) indentured servants, on the battles between “white hats” and “black hats” on the Wild Wild Web, and discovering other ominous terms out of Sci-fi novels like “Cybersecurity,” “Bots,” “APTs,” and “Widening Attack Surfaces.”

Jerry Bruckheimer would have blushed, to be sure.

What washed up on the beach

A few observations after wringing out the jet lag and the PowerPoint deluge from my brain:

  • A random sampling of attendees at sessions and lunch tables revealed that at the end of the day “Security” centered on protecting personally identifiable and critical business data and infrastructure from being taken, taken over, lost or peppered with unauthorized access.
  • Security, IT or otherwise, is measured day-by-day, hour-by-hour and is a life-long journey, not a destination.
  • “Absolute security” is not only impossible, it can be as harmful, if not more harmful, to an organization than a full-blown breach.
  • Fear, Uncertainty, Doubt and Dread (FUDD) is the prevailing mood.
  • John Ashcroft being self-deprecating was uncomfortable for both of us.
  • I left more insecure than when I got there.

(Big John Banters with Summit Audience)

Audit Fatigue, Breach Fatigue & the “Red Bull” of Knowledge

When I say insecure, I mean to say that once you dive into the vernacular of threat vectors, the data that points you toward the fact that great harm can come from something as seemingly innocuous as a worm, and the fact that organized crime prefers data theft over illegal drugs as its most profitable illicit enterprise, human nature dictates that you’ll feel more than a little spooked.

And yet…despite evidence to the contrary…the more I talked to people on the front lines of protecting personal and business critical information and IT infrastructure from Black Hats, well-intentioned white hats and IT admins with baseball caps or no hats at all, the more I came to realize that they want to put FUDD out to pasture with knowledge.

A survey of people whose names I’ve forgotten, but faces I might recall, resoundingly said they were not only experiencing audit fatigue from having to pore over data logs until they were blind from seeking out suspicious needles in a stack of less suspicious needles, but were also worn out by data breach horror stories (3.4 million search results on Google as of this writing).

One woman from a well-known insurance company told me flat out: “I don’t need to be scared into taking action. I just need to know what I can do to stop it,” pausing briefly, then continuing, “and how to convince my boss that we need to do it.”

So, for her and the others I listened to, spoke with or spied on, I’m going to hunker down in my IT Security foxhole to find the “HOW?” and continue my battle to neutralize the FUDD.

I heard over and over that Goal #1 was to protect data with the visibility to find threats before the breach, the intelligence to take decisive action and the automation to both keep operations up and running and securely use data through automated security controls to get business done. Find out more on how Tripwire does this here.

A post that stuck with me in the last couple of weeks:

Guest Commentary: Matt Olney on Lieberman cybersecurity bill

Stay vigilant, my friends.

ME

Comments from Tripwire.com

  • Scott Anderson
    Praise for any posting that weaves together Hunter S. Thompson and former AG John Ashcroft — not to mention FUDD. Gents Yin and Yang make good bookends for the broad issue of IT security. And, though I wish it weren’t the case, it’s likely that Fear of the economic consequences of IT insecurity will rule the day, despite the fatigue and thousand yard stares. Fear is a good motivator, always has been. It’s about channeling it and transforming the FUDD…

Scott,
Thanks for the praise. Surprisingly easier to weave that thread than I thought. Point well taken on fear being a good motivator. I’ll admit, fear always shakes me into action. That said, I always end up having to course correct or recognize way too late the opportunities I left on the table to prepare for future heartache by being too haphazard and reactionary at the outset of any attempt to quell immediate insecurities. I suspect the human beings that make up the IT Security Panopolis are in much the same spin cycle. I encourage deep breathing exercises and then leaning on the people, processes and technologies that have fought a similar battle before and survived or thrived.
Thanks for reading and your comment. Keep it coming!
Mark

  • @CarriBugbee
    Mark, that’s the most entertaining piece about IT security I’ve ever read. You’ll do the industry some good! But I sure wish the font on this page wasn’t so small. Was this blog designed by 20-somethings? I suspect that’s not your target audience. And when I increase the font size, it just bleeds off the left column. Keep neutralizing, my friend. Just don’t make me squint.

Carri,
Thanks for reading and particularly for your comment. Exhilarating subject matter that changes with the wind, that much is for sure. I haven’t seen any 20-somethings in my neck of the woods, but I’ll be sure to surface the need/desire for a squint-free user experience.
Keep reading and sharing!
Best,
Mark
@MarkAEvertz