Wednesday, July 1, 2009
Piety
What is the meaning of innocence in a world that tramples the innocent
And lifts up the self-righteous?
All around us we see humble and honest people
Pushed to the bottom of the pile
While those that would manipulate others and the world around
Succeed and prosper. Is there a reward in this humility?
Is the comfort in piety the solace and serenity that will bring joy to the lives
Of these individuals? What of the after?
Will they be those that prosper and flourish?
Where is the balance?
Where is the judgment? Is it in each of us?
I ask this to find this balance in myself. My search is to find my own piety
Of which I have lost.
I search now to find peace and fairness.
Where are you?
Wednesday, June 3, 2009
Value of a parachute
A number of years ago I went through an exercise with a book called "What Color is Your Parachute?" It walked me through the process of figuring out what kind of people I liked to work with and what kind of industry I liked to work in; it covered all sorts of topics of this sort. When all was said and done it helped me to redefine my career and start down a new path. I find that this is a process that is worth going through on a regular basis, as our goals in life change and our situation in life changes as well. I also find that the value of this parachute is immeasurable. Being adrift in a career or in life is a costly and painful place to be. Having the support or knowledge of where you want to go in your life and knowing what your motivators are helps to drive you with everything you do. It helps make every action you take in every aspect of your day that much more rewarding.
When I did my first parachute I was a single professional looking for a good group of people to work with. While money was important to me it was not my primary motivator. Today I am a family man and income is a motivator for me, as I need to be able to support my family. Benefits such as health insurance, vacation, commute, and flexible schedules all come into play, where before I was more concerned about tuition benefits and co-workers. I also find that my parachute is now looking to community and other aspects of my life, whereas before it was almost entirely job focused. I am now looking at what other aspects of my life need to be entwined into my career. My interests have changed and it is more important to consider what it is that my job is supporting.
As I think about all of this I realize just how important it is to look at my security and my focus as I shape my life moving forward. Our economy, our world is in a dynamic and exciting time. For many, myself included, it is full of stress and anxiety. This is an important time to look at where we are and where we want to be. Use this time to build the platform to be ready for what tomorrow will bring. Know yourself as best you can for only then will you be able to land on your feet as you step forward into this new era.
Monday, May 11, 2009
God's guidance
I often wonder how we manage to get through a day. I work in security and struggle with much of what I see around me. I have become a security engineer and have come to realize that I would be better suited in a smaller organization where I can focus on a broader spectrum of security issues. I have a family facing countless struggles, but none that any other family might not face, and I personally feel ill prepared to guide them through this chapter of our lives; yet they are needing guidance. I find myself apathetic to many aspects of my life. I drift through initiatives that require drive and motivation. With all of this I reach out now calling for the grace of God to lend his graceful guiding hand. With his guidance perhaps I may find new life, wisdom and enthusiasm to drive me forward with life's offerings. I challenge each of you to invite God to guide you through your challenge today.
Friday, May 1, 2009
What is the big threat
I still contend that all of the technology in the world is no good if we do not address the biggest threat that we face. Every organization faces it. It is an issue inside of security teams as well as throughout the rest of every organization. We need to address the mind-set of the user base. We need to change the way people view computers and how we use them. We need to change the way people interact with the data that we use, create, and manipulate every day.
People are very cavalier with data and computers. They have no problem moving data to the most convenient location and moving it back again. They download data from a production server to their local laptop to take home for an evening of data crunching and then upload it into the corporate database in the morning. They connect their personal smartphones to the corporate network, synchronizing personal and corporate mail systems and calendars. Corporate data can find itself left on the back seat of a car or in the overhead compartment of an airplane. A presentation containing confidential information can be loaded onto the pocket-sized device of an individual and can land in the hands of a pickpocket on the train. With all of this mobility, users insist on ease and convenience. They rebel against encryption which slows down their system's performance or asks for an extra password. They object to security measures that prevent corporate data from being loaded onto mobile devices or local systems. Any system that might interfere with their old habits or personal method of doing business is not tolerated. Loopholes, shortcuts, and other failings in the security systems eventually lead to the breakdown of the system, and vulnerabilities show up. People use these critical systems for personal pleasure, further exposing the corporate data to other vulnerabilities and eventual breach.
If we have learned anything from history it is that every security measure will be broken with time. MD5 has been broken with collisions. 64-bit encryption keys are not strong enough. Every aspect of security is a fluid battle, back and forth between the good guys and the bad. No technology is going to be the great panacea that will win this war. The biggest vulnerabilities facing industry are those caused by incidental exposures: critical data sent in clear text over the Internet or left on a laptop, servers left exposed to the public network, or passwords left posted in public view. If we do not get people to change the way they treat the data and reduce the initial exposure, reduce the number of opportunities for the bad guys, then all of the technology in the world will never make a difference. I once saw a picture depicting the most secure network. It showed a bunch of people standing around looking at a computer locked inside of a room with no way in. This is not the dynamic I am suggesting. I acknowledge that we need to work with the data. But we also need to respect the data. People need to be cognisant of what they are doing. Think about the exposure they might be placing on the data with their actions. Think about the safeguards that have been put in place, be sure that they work inside of them, and watch for events that look out of the ordinary. In today's age every computer user should have some level of training provided by their employer so that they are aware of what normal computer performance should look like. They should all be aware of security issues and threats. We are all part of the security systems protecting our networks.
Thursday, April 16, 2009
Security's place in an organization
Security sits in many different places in an organization. The larger the organization, the larger and more autonomous security tends to be. In smaller corporations the role of security often seems to be placed with networking or placed in the hands of the system administrator in charge of antivirus or LDAP/Active Directory. These role-clustering trends are so often due to budgets. As corporations grow, the ability to fund a security entity grows; first within these same departments and then more prevalently inside of IT. In mid-sized organizations you may actually find a security staff person or two. Commonly these individuals will report to the CIO or CFO, much like the large organizations where you will find entire security departments reporting to a CIO or CFO.
The question becomes where security fits in these organizations. I had a manager that once told me that security never brings good news. He was right. Security has become the necessary evil in every organization. They are an expense nobody wants to put money toward. An extra step in every project that nobody wants to take. Security is the entity that delivers all of the bad news of breaches, viruses, and vulnerabilities. They are also the new expert that informs all of the other segments of IT on changes, updates and modifications that need to be made to their infrastructure. But security is also a user, a drain on resources. They have appliances in the fabric of the network that require updates and cause downtime. They require the services of the networking and server administration teams for maintenance on the security equipment. They require assistance from the help desk to deploy their client applications. And they require assistance from administration to deploy and enforce their policies.
So what is the role; where is the place for security? Are they the new manager for the network? Are they the new cop on the campus? Should security be broken up into different groups that report to different sections of the organization: engineering to networking, analysis to the CIO, and intel to the CFO? I would suggest that perhaps it is a culture change that an organization needs to go through as a whole. Security should function as a big facilitator. I would propose that in a perfect world security would not manage any equipment; rather, that would all be left to the server administrators and the networking group. Where security needed a new appliance they would order it, and it would be left to IT to get it and put it in place. Patches would be managed by IT, and security would not be a part of IT. IT should report to the CIO, who should report to the CEO. Security should report to the CFO, who should report to the CEO. Or there should be a CSO who reports directly to the CEO. But security needs to be separate from IT and as such needs to be a customer of IT. They should also be the IT consultant.
What am I implying? You could almost have billable hours going both ways; expectations on both sides of the equation. Security has systems in the IT infrastructure: servers, appliances, PCs. These all require service, and that service should come with expectations. Likewise, security has knowledge that they possess and gain from experience and from their equipment that they need to provide to IT. Their equipment also provides capabilities that they need to share with IT. Security can provide a service of which IT should have an expectation. This same service cascades out to the entire organization. This is where security can play the role of facilitator. One of the key services that security provides is to facilitate IT in providing a more secure product, and to facilitate the user base in the organization to demand and support the implementation of a secure product from IT. Providing services such as this helps to reduce the bad-guy image of security. Enabling the rest of the organization to produce secure solutions reduces the number of times that security has to inform the company of bad news. The more IT can feel like they are partners in these solutions, the better things will perform. The more autonomous security is, and the more customer-based their relationship is with IT, the more successful their mission will be.
Every organization faces resistance to the mission of a security program. Autonomy of security inside of an organization, separation from IT, helps with the success of that mission.
Saturday, March 7, 2009
role based access
In an ideal world access to our critical assets would be decided by roles: by the function that each individual carries in their business application. There would be a set list of job classifications that would be defined, buckets that employees could be dropped into, and these would define security access to the network resources. This theoretical model works great on paper, but when applied to true functioning business applications there are too many offshoots from those given role definitions, too many crossover roles between these job buckets, and too much change and shift on a continuous basis for a theoretical model such as this to apply and be truly secure.
Does that imply that a model such as this has no place in security? By no means. Strong theory will always lead to a better security design, and the narrower the definition of security access is for each individual, the better the security will be for the entire organization. While you may need to shape and design your security model with flexibility to the needs of the business, the original design needs to be based on sound theory.
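The role-bucket model and its crossover problem, as an added example that is not part of the original post: roles, users and the permissions each user actually exercised are all constructed sample data. A crossover user who is dropped into two buckets receives the union of both, and the excess over what they really use is what a narrower, least-privilege role would remove.

```python
# Constructed sample: roles as buckets of permissions.
ROLES = {
    "accounts_payable": {"erp:read_invoices", "erp:approve_payment"},
    "hr_clerk": {"hris:read_employees", "hris:edit_timesheets"},
    "network_admin": {"router:config", "switch:config", "fw:read_logs"},
}

# Constructed sample: user-to-role assignment; 'carol' is a crossover case
# who needs a little of two buckets and so is dropped into both.
USER_ROLES = {
    "alice": {"accounts_payable"},
    "bob": {"network_admin"},
    "carol": {"accounts_payable", "hr_clerk"},
}

# Constructed sample: permissions each user actually exercised during an
# audit window (e.g. gathered from application logs).
USED = {
    "alice": {"erp:read_invoices", "erp:approve_payment"},
    "bob": {"router:config", "fw:read_logs"},
    "carol": {"erp:read_invoices", "hris:edit_timesheets"},
}


def effective_permissions(user):
    """Union of everything granted by every role the user holds."""
    perms = set()
    for role in USER_ROLES.get(user, ()):
        perms |= ROLES[role]
    return perms


def is_authorized(user, perm):
    """Plain RBAC decision: allowed iff some held role grants the permission."""
    return perm in effective_permissions(user)


def excess_permissions(user):
    """Granted by the buckets but never exercised: the over-privilege that a
    crossover assignment introduces and that a narrower role should drop."""
    return effective_permissions(user) - USED.get(user, set())


def propose_narrow_role(user):
    """Least-privilege role built only from what the user exercised."""
    return {f"{user}_role": set(USED.get(user, set()))}


def drift_report():
    """Per-user list of excess permissions, for review by the data owners."""
    return {u: sorted(excess_permissions(u)) for u in USER_ROLES}
```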
Wednesday, March 4, 2009
The biggest mistake
We all know that times are tough. We have heard about the housing crisis. We have heard about the banking crisis. We see every day at our jobs the strain on our own companies. As security specialists we need to be aware of the impact this is going to have on the vulnerability space. Our job is to ensure that these strains do not increase the vulnerabilities on our networks. Unfortunately, these times will often increase the number, opportunities, and likelihood of internal threats to a network. The stress on an individual pushes them to find opportunities to get ahead, and when the ship is going down they often feel as though they have nothing to lose. So often companies, when they feel the need to tighten their own belts, tighten the noose around their employees. While this is a quick and easy place for a company to save some money, it is important for us as security professionals to advise administrators to find ways to keep morale up among employees at the same time. Often you will see employers do things such as increasing the amount of auditing done on time keeping and payroll, or restricting vacation and sick time that employees have justifiably accrued. While these steps may give the appearance that they will save money, and they may catch one or two people that cheat on their time, they will draw down morale and may incite that one person to breach internal security rules and compromise the network, costing the company much more than they might have saved.
Morale is an important asset to foster in a company. Lost morale is often harder to get back than you might think. While there are little things that a company may do to save a dollar here or there in tight economic times, they need to weigh them against the tangential cost incurred by side effects of those cost-saving measures. Even if a disgruntled employee does not breach security, loss of morale inevitably will drive away good employees, and loss of talent always hurts a company. As security professionals we need to look at the risks to a company. We do not stop at the dollar amount but look beyond it to the impact that a program, strategic plan, or application has on the security of the data and network of the organization. Our job is to advise the stakeholders of these impacts.