Northeast Security Leaders Summit

By Kees on April 25, 2012 9:10 AM | No Comments
I visited the Northeast Security Leaders Summit in the Roosevelt Hotel in New York City yesterday. The summit is an industry-sponsored one-day event that looks to bring together CISO-level individuals to talk about a range of topics. While I was a little sceptical going in, I have to say that I was not disappointed. The topics on the program were fairly interesting, decent speakers presented, and the overall ambiance was very good.

While, in a group like this, I expected to hear a lot about how Cloud is going to change the landscape and <fill in the rest for yourself>, the term was not mentioned once. I am not sure if that means that the Cloud-hype has passed and it has moved into business-as-usual, or that it had not made it to the radar of the group that we had together yet, but it was interesting (and refreshing) to not year Cloud in every other sentence.

One recurring theme that kept on hearing here, and also at SOURCE Boston last week was how Big Data is going to change the surface of the infosec space again. We'll see how that goes. Also mentioned frequently was the whole bring-your-own-device movement. Personally, I feel that we cannot stop it from happening (even if we wanted to), so we might as well deal with it. It is time to move away from putting the focus of our security posture on devices anyway; how about we look at people for a change (or, heaven forbid, focus on data!)?

A topic that (surprisingly) came back a few times was the relevance of good metrics to make security decisions. While infrastructure teams have a fairly simple metric of success (uptime), security teams do not really have anything that takes that role in our field. Mostly, the point was made that the current way of thinking about success in security revolves around trying to measure the absence of something (data and/or system breaches), but since it is impossible to prove a negative, proving good security by focusing on the absence of bad things is going to be hard.

Dr. Mike Lloyd of RedSeal Networks postulated an interesting thought. One way to measure success in cyber security depends on having wide-spread adoption of cyber insurance. If enough people have cyber insurance, breach information will be known by insurance companies, who have been historically good at using actuarial data to determine risks. Hence, if everybody has insurance, and the insurance companies parse that data, a measure of success in information security could be 'anything that reduces my insurance premiums'. Interesting concept, for sure.

Another point that Lloyd made, and that I have heard before, is that using metrics may lead to a focus on the wrong things. If you metrics track activity (busyness, as he calls it), you will become more active. If your metrics track posture, your posture will improve. Picking what to measure, or rather, what to manage, is indeed an important decision to make.

There were some other discussions also. One presenter stated that information security should not be seen as a business enabler, rather information security should be viewed a business facilitator. To illustrate the difference between enablers and facilitators, his example was that an IT department is indeed a business-enabler, since it provides business units with the tools and techniques to do something and add value. The information security role guides the use of that technology through risk analysis and by providing direction to maintain the risk at acceptable levels. In that role, it also provides value (i.e., information security should not be seen as merely a cost center), but it doesn't actually enable business to take place.

All in all, it was a day well spent. The fact that I met some very interesting people, that lunch was very good, and that there was an open bar at the end did not hurt either. The only drawback is that I did not win any of the drawings ;)

Teaching Cyber Security

By Kees on March 11, 2012 9:39 AM | 1 Comment
4178670540_066ff33d83.jpg
Photo by James F Clay. From Flickr. Licensed under Creative Commons.

(Disclaimer: although I do not work for government, I will use the term cyber security when I speak about general computer security, network security, information security, or application security topics. Cyber security is as good a term as any, and since most people at least have some form of gut reaction to the term, I'll use it. When I talk about specific sub-disciplines in the field, I will use more focused verbiage).

Lately, I have been thinking quite a bit about teaching cyber security to college students (graduate and undergraduate) as well as to people who are active in the cyber security field and who are looking for professional development and/or training. 


The discussion more-or-less started last year, at SOURCE Boston 2011, where a panel discussed questions like

- Is there a role for higher education in information security research?

- Is information security mature enough to be teachable?

- What skill set should information security faculty possess? 

One of the topics that came up over and over is that people do not see much need in textbook knowledge, but do place a lot of value on hands-on skill development.

Although I spent a lot of time in school, and I have been exposed to countless hours of classroom style teaching, the courses that stand out the most are the ones in which I was made to work hard, address realistic problems, and put relevant skills to the test. Now that I am on the other side, I have to admit that I find myself teaching lecture-style all too often. 

Although I do not enjoy lecture style learning all that much, all too often, I end up teaching that way. Sometimes that is because the topic doesn't really lend itself to hands-on learning, and sometimes it is simply a matter of logistics. However, the teaching style that I prefer most is very light on talk-and-listen and high on hands-on content. When I am able to teach in that style, student evaluations are consistently the higher than in lecture setups.

The concept that teaching through experience is nothing new; we have seen it for centuries in master-apprentice relationships. These days, we call it 'experiential learning' and many colleges are now exploring the benefits of such 'high-impact' teaching methods. 

In our field, experiential learning can take many forms, and I feel confident enough to state that many of the most successful and well-known security professionals who are active in the field presently are self-taught, and have developed their skills through experience and hard work.

So, if, by looking at my own experience, and by listening to others, many people feel that the most effective way of learning is through this experiential learning thing, the questions become:

- What  topics should students be exposed to in school if they are looking for a career in cyber security?

- Of these topics, which are well-suited for experiential learning?

- Of these experiential learning topics, what kind of experience would be useful to acquire the relevant skills?

Note that not all topics are suitable for such hands-on learning. Some topics may not translate directly into actionable skills, but are necessary to build the proper conceptual framework and establish terms-of-reference. As with any topic, basic, foundational skills are needed before practical skills can be developed. The trick is to find the right balance.

In future posts, I will discuss what topics I think students should learn, how well they can be developed into experiential programs, and what techniques we can use to do so. 

Cloud services

By Kees on February 21, 2012 8:15 PM | No Comments

64554kstoyhtqp9.jpg
Image: vorakorn kanokpipat / FreeDigitalPhotos.net

A topic that I have not yet seen addressed much, but which has been a growing pain in my daily practice, is identity management in SaaS environments. We all know the routine: Human Resources calls to terminate all access from user Jane Doe at 3pm sharp. Ideally, all authentication and access is managed via an IdM solution. In practice, there are several, if not dozens, of SaaS web sites that users throughout the organization use, and on which they have created accounts. If you are lucky, these accounts are associated with the organization, but it is not uncommon to find people signing in with their private @gmail.com, @yahoo.com, or @hotmail.com addresses.


Realistically, there is nothing wrong with that. These people are trying to solve a business problem, have found a convenient and cheap way to do so, and don't have to bother anyone to make their work processes more efficient. Unfortunately, from a CISO's perspective, many red flags go up. We worry about the risk of accidental data loss, disclosure or manipulation, leading to reputation damage, intellectual property drain, insider abuse, and many other nasty things that would require the full CSIRT playbook to be activated.

So, when we know about things, and users actually ask us ahead of time, our first inclination is to say "no." Of course, all that leads to, is that the next time, users will simply not ask. So, in the end, we grind our teeth, say "Thank you for involving us," and give them the green light. The concept there is that "at least we know about it."

Of course, this does nothing to solve our problem; an Identity Management infrastructure that took years to build, leading to SSO that finaly works without having to store plaintext credentials, is slowly crumbling as we start engaging with all these vendors who have never heard of techniques like SAML, Shibboleth, CAS, LDAP, or what-have-you.

Finding a way that is flexible, scalable, controllable, and vendor-accepted is going to be an interesting challenge. I do not have good answers to address this issue at the moment, but it has been on my mind a lot. I'm open for suggestions!

Combinatory puzzle

By Kees on January 31, 2012 8:44 PM | 2 Comments

While working on explaining the Enigma machine to a group of students, I needed to do some math to figure out in how many ways 6 pairs of characters can be selected from the alphabet (a-z). Normally this would be fairly straightforward, but there are some complexities:

- The order within each pair does matter, but the order of the pairs does not. 

- Once a character has been chosen as the first character in a pair, it cannot be the same character in any of the other 5 pairs. 

- Once a character has been chosen for the second character in a pair, it cannot be chosen as the second character in anyh of the other 5 pairs.

These restrictions are most easily illustrated by an example:

(a,b) is not the same as (b,a)

(a, a) is allowed

( (a, b) (c, d) ) is the same as ( (c,d) (a,b) )

( (a, b) (a, c) ) is not allowed

( (a, b) (c, b) ) is not allowed

how many different ways to select pairs are possible?

Archives

Search

Latest Tweet

Recent Entries