[SecurityRatty] tag: grant

What's Happiness Got to Do With It?

Wed, 29 Oct 2008 07:00:44 +0000

Gartner's own John Pescatore has issued a 12 world post:

The best security program is at the business with the happiest customers.

Happiness? Really? That's the measure of program effectiveness? I would see those 12 words and raise them one word (13 if you're scoring at home):

There's a fine line between happy customers and playing piano in a bordello.

I mean the people running hedge funds and derivative books at AIG, Lehman and friends had lots of happy customers for the last decade!

To me the happy customer is a classic IT copout "we just did what the "business" asked". Like we're just a bystander or something. Its our job to create business value and be business like. We should seek to empower out customers, not make them happy.

Please understand I am not that guy who says IT security has to be the "bad cops" who deny everything the business wants to do. Just saying it is our job to raise the bar where we can. Raising the bar does not always create super happy customers in the short run, but it does empower companies.

Unfortunately, playing piano in the bordello is what a lot of security groups do and even big analyst firms. The path of least resistance ain't always the way. Here is an example. I was at a client many years ago, they wanted to build a big Identity Management solution, so of course they wrote a big RFI got responses from Sun, IBM, Oracle and friends. The bids were in the $3-5 million range. Pretty big projects for an Infosec team. So what do you do? Call up a big analyst firm and get some advice, right?

A week goes by and we get an audience with the "guru" from the Big Analyst Firm. The client has pretty detailed requirements, what systems they want to connect to, what use cases they are looking to solve for, and so on. We anxiously await the knowledge the analyst is about to transfer to us. His response was as follows - "what kind of shop are you? IBM shop? Oracle shop?" "Ummm...we are a huge company we have everything." "Well if you are more of a IBM shop you should go with them. If you are more of a Oracle shop you should go with them." That was the extent of a 30 minute conversation. True story.

Of course, the one value proposition of the Big Analyst Firms is that they supposedly can tell you what everyone else is supposedly doing. There is some value in this I grant you. And it does make for happy customers because even when you force your customers to change, you can say "Well geez, I know its hard but the Big Analyst Firm says that everyone is doing it." But is this security improvement?

Back in 2004, I went to a great security conference, it was Information Security Decisions (they are back in Chicago next week). It was in Chicago, downtown on the river. Tom Davern even took us all out on a boat for lunch one day. Anyway, there was one truly great talk there. It wasn't Fred Cohen debating Gary McGraw on application security which was outstanding (in which Fred uttered the memorable line "I agree with Gary everywhere he agrees with me." (Gary won the debate, his best line - "We know how to win the software security war, but we don't know how to manage the peace" still the problem today actually)) It wasn't Pete Lindstrom showing his security metrics framework (which is still a great starting point). it wasn't Dan Geer's fireside chat.

The truly great talk, though, was by the now departed Robert Garigue. It was called "Its the End of the CISO as I Know It, (And I Feel Fine)." The whole end to end talk was wonderful, there are several things in there that I still use every single day like the separate security models for Infostructure and Infrastructure but the point I want to talk about is the CISO role.

Garigue talked about the two most prevalent CISO models - the jester and the bad cop. The jester CISO

Sees a lot
Can tell the king he has no clothes
Can tell the king he really is ugly
Does not get killed by the king
Nice to have around but…how much security improvement comes from this ?

The jester has happy customers! At least for awhile.

Again I grant you bad cop is not the way to go either (and while this already long post could read harsh on John Pescatore's pithy summary, I give him a lot of points for saying that security needs to be customer conscious).

We have all seen bad cop CISOs who

Changes happened faster that he was able to move
Did not read the signs
Good intentions went unfulfilled
A brutal way to ending a promising career
Sad to have around but…how much security improvement comes from this ?

Obviously these models of CISOs are not solving our information security problems. Instead Dr. Garigue points us to Charlemagne as a better model

King of the Franks and Holy Roman Emperor; conqueror of the Lombards and Saxons (742-814) - reunited much of Europe after the Dark Ages.
He set up other schools, opening them to peasant boys as well as nobles. Charlemagne never stopped studying. He brought an English monk, Alcuin, and other scholars to his court - encouraging the development of a standard script.
He set up money standards to encourage commerce, tried to build a Rhine-Danube canal, and urged better farming methods. He especially worked to spread education and Christianity in every class of people.
He relied on Counts, Margraves and Missi Domini to help him.
Margraves - Guard the frontier districts of the empire. Margraves retained, within their own jurisdictions, the authority of dukes in the feudal arm of the empire.
Missi Domini - Messengers of the King.

This is the way forward! Find software security champions in the architecture and development groups,help them understand the real security issues. They will find solutions you have not thought of. Same for DBAs, same for business analysts even. Its all about beating the bushes, education, and decentralizing security services. Specifically, he points out this important mandate for IT security

Knowledge of risky things is of strategic value

How to know today tomorrow’s unknown ?
How to structure information security processes in an organization so as to identify and address the NEXT categories of risks ?

To me this is our mandate and measure of effectiveness. Empower our customers, educate, and create business value. If I am a CISO I don't want 20 people reporting to me who do firewall ruleset changes. I want one champion in 20 different groups - development teams, architects, DBAs, business analysts.

A concrete example, infosec can continue to go along with the herd and follow the "what everyone else is doing architecture" meanwhile developers are connecting every single thing in your business to the Web. I have been doing integration and new technology projects for a long time, and let me tell you - Change does not always create happy customers in the short run. But the chart below shows that information security is maybe more concerned with not causing waves rather than adapting.

How long can developers evolve, connect everything and security people not change anything? Herb Stein said, "things that can't go on forever, don't. "At some point these chickens are coming home to roost, there is a yawning gap between rapidly evolution connecting the enterprise and the 13 year old and counting security architecture that "Everyone else is using" and when those chicken come home to roost you may not have happy customers then. Here is my 12 words:

The best security program is at the business with sustainable competitive advantage.

OWASP European Summit - Portugal

Wed, 15 Oct 2008 14:27:22 +0000

Portugal/Algarve - 4th - 7th November 2008

Setting the Web Application Security Agenda for 2009: OWASP Invites You to Join Our Summit in Portugal

http://www.owasp.org/index.php/OWASP_EU_Summit_2008

With the theme ‘Setting the AppSec agenda for 2009′, the OWASP Summit will be a worldwide gathering of OWASP leaders and key industry players to present and discuss the latest OWASP tools, documentation projects, and web application security trends. Join us in Portugal in just a few short weeks! This venue hosts a diverse selection of training courses along with technical and business tracks, making it THE place to learn about web application security and the resources OWASP has available for use today.

OWASP is a not-for-profit organization with the purpose of supporting the Web Application Security community around the world, and has granted $250,000 USD for web application security research. In addition to over 40 presentations from the OWASP Leaders and grant recipients, the OWASP Summit will host multiple Working Sessions designed to improve collaboration, achieve specific objectives and identify roadmaps for OWASP projects, chapters, and the OWASP community itself.

To facilitate this event, OWASP is investing $150,000 USD which will be used to cover air travel and accommodation expenses for OWASP leaders, active contributors, and select key industry leaders. With their confirmed presence, the OWASP Summit will provide a relaxed but professional environment to meet, discuss, influence and contribute to OWASP projects.

There are still funds available! If you are interested in attending and you meet the profile of the current OWASP supported attendees (see list here: http://spreadsheets.google.com/pub?key=pAX6n7m2zaTVLrPtR07riBA) contact Paulo Coimbra (paulo.coimbra@owasp.org). Please note that you should do so only if you meet the paid attendance criteria (see herehttps://www.owasp.org/index.php/OWASP_EU_Summit_2008_paid_participation_rules) and are unable to get corporate support to attend this event (for other corporate sponsorship opportunities see http://www.owasp.org/index.php/OWASP_EU_Summit_2008_Sponsors).

The OWASP Summit will also host a large and diverse selection of training courses, covering multiple OWASP specific and Web Application Security Topics.

The remarkable impact of OWASP is made possible only by the collaboration of many dedicated people and organizations worldwide. In that spirit of cooperation, OWASP invites all its members (who have 20% discount + 1 VIP Ticket) and interested individuals and companies to attend this thrilling event. Please join us and help to set the Web Application Security Agenda for 2009!

Please see below for additional details about the OWASP Summit or visit the OWASP Summit website: http://www.owasp.org/index.php/OWASP_EU_Summit_2008.

Projects

OWASP projects selected for Summit presentation include new documentation and innovative tools to help developers, architects, and security specialists ensure that applications are secure:

Application Security Verification Standard,
Code review guide, V1.1,
Ruby on Rails Security Guide v2,
Securing WebGoat using ModSecurity,
Testing Guide v3,
GTK+ GUI for w3af project,
Access Control Rules Tester,
AntiSamy .NET,
Live CD & DVD Project,
OpenPGP Extensions for HTTP,
Orizon Project,
Python Static Analysis,
WebScarab-NG,
And many, many others.

Working Sessions

Expecting the presence of the application security industry key players, the Working Sessions will cover a wide range of issues such as:

OWASP Top 10 2009,
Browser Security,
Web Application Framework Security,
Enterprise Security API Project,
Best Practices for OWASP Chapter Leaders,
OWASP Documentation Projects,
OWASP Tools Projects,
OWASP Education Project,
OWASP Strategic Planning for 2009,
OWASP Certification,
OWASP Winter of Code 2009
Two-way Internationalization of OWASP Content
And many more.

Training

These 2-day, 1-day or 1/2-day training courses cover a wide range of OWASP specific and Web Application Security Topics:

OWASP Top 10 - What Developers Should Know on Web Application Security
Uncovering WebScarab’s Secret Treasures
Securing WebGoat with ModSecurity
Secure Programming with Java
Advanced Web Application Security Testing
Building Secure Web 2.0 Applications
Building Secure Web Services
Building Secure Web Applications with OWASP’s Enterprise Security API (ESAPI)
Classic ASP Security using OWASP tools
Web Application Assessments
Hacking Owasp Orizon Project v1.0
Ajax Security
Practical Penetration Testing: Think Like an Attacker to Stop Attacks
Linux Software Exploitation
Web server/services hardening using SELinux

Main Contact:

Kate Hartmann
OWASP Operations Director
9175 Guilford Road, Suite 300
Columbia, MD 21046, USA
Phone: +1-301-575-0189
Facsimile: +1-301-604-8033
Email: kate.hartmann@owasp.org

Verizon helps customers get a knack for NAC

Tue, 12 Aug 2008 03:00:00 +0000

Verizon Business is offering to help its customers deploy and manage network access control (NAC) technologies that grant users access to networks based not on their IP addresses, but on a combination of their identities, end points and behaviors.

College Teacher Shows Students How To Be Hackers

Sun, 03 Aug 2008 09:19:22 +0000

In a windowless underground computer lab in California, young men are busy cooking up viruses, spam and other plagues of the computer age. Grant Joy runs a program that surreptitiously records every keystroke on his machine, including user names, passwords, and credit-card numbers.

Metro Round-Up: Cablevision Update; Springfield (Mich.)

Fri, 01 Aug 2008 10:49:43 +0000

Cablevision says it's already spent $20m towards its plan to build out Wi-Fi across its operating territory: The cable firm has $300m budgeted to put Wi-Fi in place for its higher-tier subscribers at no cost across Long Islands and parts of New Jersey and Connecticut, as well as New York City and Westchester County. Cablevision thinks their network will be good enough to replace cell phones across their coverage, which ties in with the quadruple play many cable operators are aiming for: data, voice, video, and mobile.

Springfield, Mich., puts in its first antennas for a city-wide network: The network is being built with a $750,000 grant from a state development corporation to extend access and improve the business climate. Access will cost $10 per month for residents after an initial free period while the service powers up.

Just so you know it is not me

Thu, 17 Jul 2008 04:37:10 +0000

I know many of you think I am like a pavlovian dog the way I respond to Richard Stiennon's anti-NAC vitirol. After my last article, I really decided to just lay off Richard. But just to show you that it is not me, I wanted to point out Richards recent attack on Grant Hartline, CTO of Mirage Networks. Grant blogs and put up an article regarding the latest exchange between Richard and I. Both Richard and I commented. Check out Richards expective laced reply that I think shows just how unhinged he has become on this subject. Richard rambles and stumbles taking shots at anyone he can. I am telling you, he is really losing it.

In the meantime based on this, I am going to change my prediction on the great debate and say Joel Snyder in 2!

Daniel Solove on the New FISA Law

Mon, 14 Jul 2008 08:08:40 +0000

From his blog:

Future presidents can learn a lot from all this -- do exactly what the Bush Administration did! If the law holds you back, don't first go to Congress and try to work something out. Secretly violate that law, and then when you get caught, staunchly demand that Congress change the law to your liking and then immunize any company that might have illegally cooperated with you. That's the lesson. You spit in Congress's face, and they'll give you what you want. The past eight years have witnessed a dramatic expansion of Executive Branch power, with a rather anemic push-back from the Legislative and Judicial Branches. We have extensive surveillance on a mass scale by agencies with hardly any public scrutiny, operating mostly in secret, with very limited judicial oversight, and also with very minimal legislative oversight. Most citizens know little about what is going on, and it will be difficult for them to find out, since everything is kept so secret. Secrecy and accountability rarely go well together. The telecomm lawsuits were at least one way that citizens could demand some information and accountability, but now that avenue appears to be shut down significantly with the retroactive immunity grant. There appear to be fewer ways for the individual citizen or citizen advocacy groups to ensure accountability of the government in the context of national security. That's the direction we're heading in -- more surveillance, more systemic government monitoring and data mining, and minimal oversight and accountability -- with most of the oversight being very general, not particularly rigorous, and nearly always secret -- and with the public being almost completely shut out of the process. But don't worry, you shouldn't get too upset about all this. You probably won't know much about it. They'll keep the dirty details from you, because what you don't know can't hurt you.

Help EFF Continue the Fight Against Warrantless Wiretapping!

Thu, 10 Jul 2008 10:18:03 +0000

Got this in a email this morning, makes me sad, maybe you can help,,,
I feel as if my concerns are not being given adequate
attention with my elected officials.
Especially the ones I voted into office.

Dear Friend of Freedom,

In a move that I can only describe as cowardice, Congress
just passed legislation meant to immunize telephone
companies for their illegal, disloyal, and irresponsible
behavior. EFF has been fighting against telecom immunity,
and we need your help to bring the fight to the next level:

http://secure.eff.org/wiretapping

Two and a half years ago, EFF sued AT&T on behalf of its
customers, seeking to hold the telecom giant responsible
for its craven complicity in the White House’s illegal
warrantless wiretapping program.

Since then, the phone companies and their allies in
Washington have spent tens of millions of dollars lobbying
Congress to grant them retroactive immunity. They ran
ridiculous fear-mongering attack ads against any politician
who dared to oppose them. President Bush threatened to veto
any bill that allowed EFF’s lawsuit to continue.

Yesterday, Congress completely capitulated to the
President’s threats and voted to let the telecoms off the
hook. If the telecoms are not held accountable, the
administration will remain unchecked in its warrantless
wiretapping of innocent Americans. This must stop!

We need your help to take the fight to the next level.
We’re going to challenge Congress’s unconstitutional grant
of immunity in our case against AT&T. We’re going to fight
for a congressional repeal of immunity in the next
Congress. And we’re going to file a new lawsuit against the
government, challenging its warrantless surveillance
practices, past, present and future.

Now, more than ever, we need your support!

http://secure.eff.org/wiretapping

The fight for civil liberties would never have come this
far without your help. We can’t give up now. Help EFF
today!

Sincerely,
Shari

–
*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*~*
Shari Steele
Executive Director
Electronic Frontier Foundation
454 Shotwell Street
San Francisco CA 94110
http://www.eff.org/

Membership & donation queries:
membership@eff.org

All other queries:
information@eff.org

Silicon Valley's Wi-Fi Situation

Wed, 09 Jul 2008 06:11:40 +0000

The Palo Alto Weekly exhaustively examines its city's and Silicon Valley's state of public Wi-Fi: The paper looks at the failures of various networks around the valley, the current state of Wi-Fi plans, and how a non-profit, WiFi101, is building (with a grant) a new effort that could be a model for how to offer free service for those without Internet access.

The Weekly also mentions Palo Alto considering fiber to the home, which the city incorrectly calls "Fiber to the Premise" (not "premises") in their request for proposal. Palo Alto installed an early city-owned fiber ring in the mid-1990s. That 40-mi. ring cost just $1.9m (in 1996 dollars) to build. The new effort would be entirely funded by partners, who would receive certain assets and contracts to anchor the project.

Dreamhost Review Updated

Fri, 04 Jul 2008 13:39:49 +0000

It came to my attention that my Dreamhost review was a bit dated and had wrong information based on changes that Dreamhost has made over the last year. I've updated it to reflect some of Dreamhost's new polices, my experiences and how the discount codes differ from when I last updated it (1/31/2007). I've also have five limited discount codes to give away that grant the following: 2TB disk and 20TB bandwidth, gives $150 off a 5-year signup or $200 off a 10-year signup. Contact me if you want one of my five one time use codes.