Tripwire


This post repurposed and amended from a recent dispatch on Infosec Island.

Coming soon, either “Social Media is my Job Pimp” or “The Mobile Security Arms Race.” Feel free to vote in the comments below. And now, without further ado…More than 88 Lines:

For those of you without an insatiable addiction to 80s punk, goth and new wave, the title of this post is inspired by the ’80s classic by The Nails — 88 Lines about 44 Women.  This song was the first thing that came to mind when the folks at Infosec Island asked me to join their band of security crazies as a regular contributor.

Flattered to be sure, given that I’ve only begun to cut my baby teeth in this space as a former vendor marketing hack.

Now, before you stop reading, one thing you should know is that my background (visit me on LinkedIn) has trained me all too well to take the tangled mess of Cyber, rootkit detection and eradication, Application (In)Security, common exploits, etc. and turn it into something that end-users actually understand and want to avoid.

With that in mind…and with your indulgence…here are my observations after nine whole months in the IT security sector: 88 lines about less than 44 weeks in Infosec. Let’s start with my Top 5, which, given my tendency to drone on, may end up being 88 lines.

1. From Week 1 to present, you have all sufficiently scared the holy hell out of me with how real, lucrative and mostly unavoidable cybercrime/cyberwar/cyber espionage is for targeted companies and people. Good show!

Any thoughts on taking your act on the road to senior citizen homes, community-sponsored events on online safety, schools, etc? Layer 8 (aka people for the uninitiated) needs you! It’s time to take what you know to the street and quit telling each other what you already know.

I’ll offer myself up as your first community leader in my hometown of Portland, Oregon… I’ll just need your brains and help with a curriculum that makes sense. Help me help you!

I know millions of people even more ignorant than I on the perils of Internet stupidity. And they need to be reminded daily, not once a year in a thin public service announcement or press release by DHS during Cyber Security Awareness Week.

2. Information security isn’t about you. It’s about protecting the weak from the valley of darkness. Be the Shepherd, not the self-congratulating rancher. You can be smart, revered and successful without being a prick.

Call up your alma mater and offer your skills or consulting advice for free. Help a newbie gain his stripes in the industry (thanks @falconsview @jackdaniel @BrianHonan @DeathwishDuck @Wh1t3Rabbit @TripwireInc @andrewsmhay @briankrebs and so many others!).

Celebrate the fact that somebody actually respects you enough to ask for your guidance. And then give it away…freely.

3. I love that people in the IT security community are so far out in front on the usage of social media tools like Twitter to not only engage with each other, but use it as a means of revealing new threats, testing theories and furthering the global #infosec community.

I know the medium is also used for evil on the social engineering front, but those leveraging it for good will prevail. Expose the shitheels at the speed of “Send.”

4. Cloud computing has got to be the dumbest, most innocuous name for something so vital and potentially dangerous.

Can we please call it what it is: A Digital Data Trailer Park susceptible to methed-out dudes breaking in to steal your valuables, with more-than-occasional, seemingly targeted, natural disasters that may put you in the bread line, delivering a nagging, persistent gut ache and brain traffic that circles the unanswerable question “Is my valuable data secure?”

C’mon you’re doing this to save $. Is it worth it? Are you sure?

5. And this is probably the most crystal clear and personal observation over the last 40+ weeks in infosec.

Like security itself …it’s a never-ending journey that unearths painful truths, nerve-wracking challenges to your beliefs and confidence, and it keeps its clutches in you with the lure of fighting the good fight or making an obscene amount of money and wreaking a new kind of havoc on the world if you’re donning the black hat.

Damn you, Infosec. I’m hooked. A reluctant data security junky with a dangerous amount of semi-informed knowledge, eager to fight alongside you. I’m not going anywhere.

For better or worse. I’ll be taking what you know and sharing it with the computer users getting pummeled by their own laziness or uninformed mistakes… until further notice.

Until next time.

@MarkAEvertz

Heckling the dumb in the land of Lost Wages

This blog is inspired by Paranoia by Black Sabbath.

Las Vegas was full of a whole different kind of sin last week.  (Is SYN too on-the-nose for you IT security vets? SYN…ACK! ACK! ACK!)

SANS Network Security 2010

SANS Network Security 2010 was the first of hopefully many conferences/classes for me to learn about the best and worst in the world of IT security. Great presentations. Eye-opening exercises. Plenty of career-enhancing connections. And more than a little chest puffing.

I do have to say that while I moved from blind victim (on the casino floor and off) to keenly aware malware target after my week in Vegas, I hopped on the plane home thinking that some of the most talented security practitioners, penetration testers, and provocative presenters the IT world has to offer didn’t do much to change my perception held since the days of Y2K that those who make and break the rules on the Interweb are separated at birth or at least genetically aligned with Nick Burns, Your Company’s Computer Guy. Brash. Caffeinated. Eager to prove worth. Equally fired up for the putdown of the uneducated.

The event brought IT security neophytes like me together with a cadre of command-and-control smarties to seemingly perpetuate inferiority complexes, self-proclaimed guru statuses, cyber terror bed wetting and group basking in schadenfreude for middle school years gone wrong.

That’s not to say that instructors and classmates in total weren’t welcoming, helpful or accommodating. In fact, it was a lot like speaking broken Spanish in an English accent while on a week-long sabbatical in Cancun. “Oh..look, he’s trying. Isn’t that cute? Bien Bien, Pobrecito.”

Layer 8 is People! It’s People!

But what stuck with me more than a corn syrup-soaked “Ctrl” key was the rampant use of the word “Stupid” when referring to people who use computers…business or personal keytappers. “End Users” – Layer 8 in a Seven-Layer Security Model – are perpetually on the outside looking in through a technically opaque window of safe and sane computer usage.

OK, admittedly, “End Users” like me, mom, dad, my Facebook and LinkedIn buddies and eager-to-assist Tweeps, aren’t doing ourselves any favors in the IQ elevation process when we send money to Nigeria or naively become money mules despite an email rife with typos and the hard-to-fathom promise of a few hundred bucks for a few minutes’ time.

That being said, it would be cool if The Lords of LAN and WAN would drop a few non-malware laden breadcrumbs of Internet security wisdom to make our computers, companies and governments a little smarter at spotting the worm on the hook.

Ya feel me:

Let’s just agree now.  Nobody benefits from stupidity.

Stupid may seem like job security at first for the SysAdmin or his bosses who know all the answers. That is until he or she gets chewed out when a Distributed Denial of Service attack – unleashed when the uninformed click on “Funny Video.exe” attachments in their work Outlook account – keeps the boss from sending an important e-mail. Let’s all take a page out of the stupidity-killing handbook of Chris Hadnagy, operations manager at Offensive Security, and his Social Engineering 101 Q&A with CNet Senior Writer Elinor Mills earlier this summer.

Another guy to lean on is former Washington Post reporter and IT security demystifier Brian Krebs who always manages to do his job without the slightest bit of condescension.

I’m pretty sure all of us in IT security are only as smart as our least informed coworker, which may just be the person signing your checks. Or your recently socially engineered Halo 3 cohort and IT security pal. See you in the shadows.

This Post Inspired By….the band “Security Threat” and their song Refusal (on Blip.fm)

EXTENDED VERSION OF POST ON TRIPWIRE.COM posted on 6/28/2010: With Comments/responses

With apologies to the ghost of Hunter S. Thompson, I write this as one of Hunter’s favorite words for a person who was fresh meat in battle, “Rube.” Thompson’s battle theaters were politics, war, corporate malfeasance, sports culture and media as infotainment.

Personal and Professional Data Deluge

My new battlefield is IT security and compliance automation. My first tour of duty was the Gartner Security & Risk Management Summit 2010 (Participant threads on Twitter here: http://bit.ly/9EmuJB ). I prepped for this summit by carnivorously cutting my teeth on data breach stories past and present, IT security spending trends, and leaching off the minds of Infosec’s (Information security) indentured servants on the battles between “white hats” and “black hats” on the Wild Wild Web, and discovering other ominous terms out of Sci-fi novels like “Cybersecurity,” “Bots,” “APTs,” and “Widening Attack Surfaces.”

Jerry Bruckheimer would have blushed, to be sure.

What washed up on the beach

A few observations after wringing out the jet lag and the PowerPoint deluge from my brain:

  • A random sampling of attendees at sessions and lunch tables revealed that at the end of the day “Security” centered on protecting personally identifiable and critical business data and infrastructure from being taken, taken over, lost or peppered with unauthorized access.
  • Security, IT or otherwise, is measured day-by-day, hour-by-hour and is a life-long journey, not a destination
  • “Absolute security” is not only impossible – it can be as harmful, if not more harmful, to an organization than a full-blown breach
  • Fear, Uncertainty, Doubt and Dread (FUDD) is the prevailing mood
  • John Ashcroft being self-deprecating was uncomfortable for both of us
  • I left more insecure than when I got there

(Big John Banters with Summit Audience)

Audit Fatigue, Breach Fatigue & the “Red Bull” of Knowledge

When I say insecure, I mean to say that once you dive into the vernacular of threat vectors, the data that points you toward the fact that great harm can come from something as seemingly innocuous as a worm, and the fact that organized crime prefers data theft over illegal drugs as its most profitable illicit enterprise – human nature dictates that you’ll feel more than a little spooked.

And yet…despite evidence to the contrary…the more I talked to people on the front lines of protecting personal and business critical information and IT infrastructure from Black Hats, well-intentioned white hats and IT admins with baseball caps or no hats at all, the more I came to realize that they want to put FUDD out to pasture with knowledge.

A survey of people whose names I’ve forgotten, but faces I might recall, resoundingly said they were not only experiencing audit fatigue from having to pore over data logs until they were blind from seeking out suspicious needles in a stack of less suspicious needles, but were also worn out by data breach horror stories (3.4 million search results on Google as of this writing).

One woman from a well-known insurance company told me flat out: “I don’t need to be scared into taking action. I just need to know what I can do to stop it,” pausing briefly, then continuing, “and how to convince my boss that we need to do it.”

So, for her and the others I listened to, spoke with or spied on, I’m going to hunker down in my IT Security foxhole to find the “HOW?” and continue my battle to neutralize the FUDD.

I heard over and over that Goal #1 was to protect data with the visibility to find threats before the breach, the intelligence to take decisive action and the automation to both keep operations up and running and securely use data through automated security controls to get business done. Find out more on how Tripwire does this here.

A post that stuck with me in the last couple of weeks:

Guest Commentary: Matt Olney on Lieberman cybersecurity bill

Stay vigilant, my friends.

ME

Comments from Tripwire.com

  • Scott Anderson 1 day ago
    Praise for any posting that weaves together Hunter S. Thompson and former AG John Ashcroft — not to mention FUDD. Gents Yin and Yang make good bookends for the broad issue of IT security. And, though I wish it weren’t the case, it’s likely that Fear of the economic consequences of IT insecurity will rule the day, despite the fatigue and thousand yard stares. Fear is a good motivator, always has been. It’s about channeling it and transforming the FUDD…

Scott,
Thanks for the praise. Surprisingly easier to weave that thread than I thought. Point well taken on fear being a good motivator. I’ll admit, fear always shakes me into action. That said, I always end up having to course correct or recognizing way too late the opportunities I left on the table to prepare for future heartache by being too haphazard and reactionary at the outset of any attempt to quell immediate insecurities. I suspect the human beings that make up the IT Security Panopolis are in much the same spin cycle. I encourage deep breathing exercises and then leaning on the people, processes and technologies that have fought a similar battle before and survived or thrived.
Thanks for reading and your comment. Keep it coming!
Mark

  • @CarriBugbee
    Mark, that’s the most entertaining piece about IT security I’ve ever read. You’ll do the industry some good! But I sure wish the font on this page wasn’t so small. Was this blog designed by 20-somethings? I suspect that’s not your target audience. And when I increase the font size, it just bleeds off the left column. Keep neutralizing, my friend. Just don’t make me squint.

Carri,
Thanks for reading and particularly for your comment. Exhilarating subject matter that changes with the wind, that much is for sure. I haven’t seen any 20-somethings in my neck of the woods, but I’ll be sure to surface the need/desire for a squint-free user experience.
Keep reading and sharing!
Best,
Mark
@MarkAEvertz