What’s new?  I did a stint as an incident response handler earlier this year, then moved into SOX compliance and finally fell into a wormhole and emerged as an IT Security Auditor.  Not a stretch per se, but my information security talents have been stretched, in a good way, growth-wise.

So now I’m immersed in GLBA/FFIEC compliance engagements and have eyes on PCI-DSS and NERC-CIP work.  I’m thinking about adding another certification, possibly a CISM.

I’ve recently seen some friends in our industry brutalized by bad management, and then upon abrupt exits, become reborn and renewed, with a new sense of purpose and drive infusing their love of infosec.  In the past, many people helped me when I was ‘dazed and confused‘; if you find yourself able, reach out to someone and ask them ‘what’s the good word?’  Shower them with positivity and possibility!

Always keep moving and remember, even when you go one step forward, two steps back, you’re still making progress…

image courtesy of Impact Lab

Peace y’all

Looking back, 2010 was a successful year for me.  I didn’t get to do some things or attend all the conferences I wanted, but other items were handily accomplished and some good work got done!

Foremost, I partnered with IOActive, Consciere, and Insyndia to do consulting work.  This led to interesting security audit, risk assessment and vulnerability assessment work and I was fortunate to meet and work with some great people.  Shouts-out to Erin Jacobs, Glenn Kaleta, David Baker, Tab Pierce, and Joel Scambray in particular!

I also earned my CISA which gives me a stronger understanding of formally auditing information security environments.  Now, I’m thinking of how to use this new-found knowledge and where I’ll go next.

What will 2011 bring?  As I chart this year’s course, I intend to visit new shores, make new acquantances, and continue to grow as a person and infosec professional.  I welcome the journey and it’s challenges!

Be well friends…

by Bill Wildprett, Suspicious Minds blog, Copyright 2011

For me, that means diversifying my security readings and practices and thinking about where I might have blinders on.  This was brought home recently from someone I respect, Pete Herzog the Founder of ISECOM and the OSSTMM.  I had asked Pete via email if any of the Smarter, Safer, Better seminars would be on the West Coast (none yet); he kindly responded with information about who I could contact who might sponsor them and also gave me a backhanded compliment about passing the CISA exam, saying ‘now we’ll have to teach you the right way’ in essence.

I wasn’t offended but my curiosity was piqued.  My mind had been wrapped around earning a CISA for continued competence and professional respect; was my thinking so constrained by my learnings?  So, I’m resolved to read the OSSTMM Version 3 and work to use it.  I’d read through (read, skimmed) Version 2.2 a while back but hadn’t immersed myself.  From other authors, now I understand it as possibly a paradigm shift in how to think about security assessments, at least for me.

Another mental dustbuster for me has come from reading The Black Swan by Nassim Nicholas Taleb.  I’m not finished with the book, a testament to how well-written and insightful it is.  I find myself lingering over it and re-reading sections prior to moving on.  This is partially because ‘NNT’, as he refers to himself, is one deep thinker!  This tome takes some time to absorb and digest.  Taleb discusses extreme outliers, huge events that are completely unforeseen and that subsequently shake our foundations, institutions and psyches.  9/11 is one such event.  The salient idea is not to focus on prediction of such events but to build sufficient robustness against negative Black Swan Events and to take advantage of positive ones.

My challenge and task is to apply this modality of critical thinking to the domains of information security, along with that of the OSSTMM.

Like more physical exercise will clean the arterial plaque from your personal system, it’s important to floss your brain or defrag your mind, however you want to put it and at least recognize that you might need to.

Peace friends!

by Bill Wildprett, Suspicious Minds blog, Copyright 2010

Now I need to submit my Application for Certification to ISACA and wait another two months (so they say) for it to be approved before I can use my new certification title.

Reviewing my test scores by subject area told me that I didn’t do as well in some areas and better in others.  So, more studying is in order…

Oh Happy Day! 

by Bill Wildprett, Suspicious Minds blog, Copyright 2010

Image courtesy of Pentax Salon

If we ignored their plight, the outcome would go three ways:

1. Someone else might rescue them.  Although, since it was after 10:00 P.M. this was unlikely.
2. They’d be hit by cars.
3. Wile E. Coyote and his brethren would enjoy their company.

So,  we rescued them, sheltered them overnight and in the morning, off to the Humane Society (with a donation) they went since we just can’t accommodate three kittens with our golden retriever.

Reflecting on this episode, I thought about how I’d been taught about incident response by SANS Institute instructors.  The acronym I learned is PICERL; Preparation, Identification, Containment, Eradication, Recovery, Lessons-learned.

We were prepared because we had cardboard boxes to hold them and a crate at home for the night.  We identified the problem, contained the kittens and eradicated the threats that night (no, we didn’t kill any coyotes).  Recovery happened in the morning and Lessons-learned are ongoing (expect the unexpected and assume breach are two of them).

The takeaway on this is that strange things happen and we can use our training, even very IT security-specific, to manage the event.  Security is about doing the Right Thing, at the Right Time, for the Right Reasons ~ this incident was no exception and was definitely security-related, at least in the physical sense as far as the kittens were concerned.

by Bill Wildprett, Suspicious Minds blog, Copyright 2010

So what’s cooking?  I re-encountered a tool I first learned about from Russ McRee’s Toolsmith column in the September 2008 ISSA Journal ~ Practical Threat Analysis.  I’d looked at it before, but not in enough detail so have embarked on using it for a deeper understanding.

The 2010 Verizon Data Breach Investigations Report is out and its chock-full of good statistics and commentary.  I especially like the partnership with the U.S. Secret Service and the shared incident data.  Another nice tool from Verizon Business is VerIS, the Verizon Incident Sharing Framework which presents how metrics are captured and used in preparation of the DBIR.

I took the Certified Information Systems Auditor (CISA) exam on June 12, 2010 and am patiently waiting to learn my fortune or fate!  The process stimulated a new appreciation of ISACA Auditing Standards, Procedures and Guidelines  and CobiT 4.1, prompting me to send the former to FedEx for printing and to order the latter in book form from the ISACA Bookstore.  My wife picks it up and says “Can’t you find a good novel to read?  Its Summer!”

I guess you had to be there to appreciate it…

Cheers mates!

by Bill Wildprett, Suspicious Minds blog, Copyright 2010

Reading and study efforts have been and are focused on preparing for the June 12th CISA exam first and foremost.

Following that, here’s what’s top-of-mind for me:

OSSTMM 3 updates

Security Tools Screencast Demos from SearchSecurity.com

Never Eat Alone – Keith Ferrazzi: Building personal networks isn’t about how many connections you have in LinkedIn, it’s about maintaining and growing relationships in meaningful ways.

As the old saw goes, ‘All Work and No Play…’ so breaks in the ‘Blue Room‘ are taken with Daisy:

One Happy Golden!

Recently, I’ve had the pleasurable opportunity to learn more effective ways of communicating professionally.  I attended a series of seminars and workshops sponsored by Paul Anderson from ProLango Consulting.  Paul specializes in career development and training, with an emphasis on using LinkedIn & Twitter to find opportunities, résumé optimization and advanced interviewing techniques.

I learned about how people communicate via words (7%), tonality (38%) and physiology (55%) and the essential elements in building rapport with hiring managers, co-workers, spouses, etc.,  Generally speaking, people are primarily visual, auditory or kinesthetic when they talk – everyone is all three but we all have a dominant type.

Visual people look up when speaking, speak faster and use phrases like “I see, what you mean”.  Auditory people look from side-to-side, speak slower and say things like “That sounds good to me”.  Kinesthetic people look down and may make physical contact with you as they speak.

Paul’s experience as a hiring manger at Microsoft and Expedia and his consulting work reveal that on average, recruiters take 7 seconds to review a résumé and hiring managers take 45 seconds to decide whether or not to hire.

His teachings focus on being able to build rapport effectively by matching and mirroring body language and tone of voice, then asking key questions designed to illustrate expertise and elicit the ‘pain points’ of the other party, in an attempt to find their need(s) so you can link them to your experience/product/service.  Finally, techniques to overcome objections while closing are taught.

Résumé optimization is about identifying the corporate values and desired employee traits mentioned in a job description, then fine-tuning the top-half of the 1st page so it speaks concisely in two to three sentences of how you’ll solve their needs and problems, not an ‘elevator pitch‘ of what you’ve done before, specifically.  A bullet list of core competencies relevant to the position’s requirements follows before the experience, education, and professional associations sections.

All of this was refreshing and enlightening; much of it grounded in basic common sense and how good salespeople work.  The concept behind building rapport is to become very quickly similar to the person you’re conversing with so they think: ‘I like me, they’re like me, so I like them’.

It isn’t about simple mimicry, it’s about listening closely, asking good questions, and filling their need with your expertise and experience.

So, give this a try when you’re next trying to sell security, interview for a job, or persuade someone.  Become like them in body language and vocal tone to build rapport ~ you may be pleasantly surprised by the results.

by Bill Wildprett, Suspicious Minds blog, Copyright 2010

Mr. Stewart reverse-engineered code from the Hydraq trojan and, according to the NY Times, ‘determined the main program used in the attack contained a module based on an unusual algorithm from a Chinese technical paper that has been published exclusively on Chinese-language Web sites.’

For a much more detailed analysis beyond the scope of the Times article, jump to the original SecureWorks blog post by Mr. Stewart where he explains the basis of his conclusions about the unusual CRC algorithm.  As he says, “This information strongly indicates the Aurora codebase originated with someone who is comfortable reading simplified Chinese…In my opinion, the use of this unique CRC implementation in Hydraq is evidence that someone from within the PRC authored the Aurora codebase…”

I had fun hypothesizing about the evil genius of backdoors inside the source code of pirated copies of Windows (take the tin hat off now!), but this argument concludes that  someone or some group (PLA?) in the PRC is behind this.  As Mr. Stewart recognizes, this could still be the work of others, intent on blaming the Chinese government, but he refers to Occam’s Razor and its classic argument that the simplest explanation is probably the best one.

On the other hand, the counter argument, and some compelling evidence, has been raised in this blog piece.

To play the Devil’s Advocate for a moment;  say the U.S. government was behind this, to throw suspicion on the PRC for political and economic reasons, and to fight-back against the “persistent campaign of “espionage-by-malware” emanating from the People’s Republic of China (PRC)”, as Mr. Stewart describes it, who would be helping the U.S.?

As I stated before, maybe we’re doing it or maybe others are doing it for us.  If we’re doing it, we’re doing it directly or using inside assets.  If someone else is doing it for us – who?  My money is on the Israelis.  Israel has plenty of sharp coders and the Mossad is quite capable, as recent news has shown.  And, they’ve done this before.  If not Israel, what other nation would be likely to help the U.S.?  England,  Canada or Australia probably.

Then there’s the voice that says, ‘everyone’s doing it, so why worry?’ Sadly, all too true…  Most likely, we’ll never really know the answer.

by Bill Wildprett, Suspicious Minds blog, Copyright 2010

There are multiple possibilities to consider here and more detailed information is required before making any final conclusions.  One the one hand, it appears to be obvious ~ yes, it’s the Chinese government/military working with or sponsoring patriotic student hacking activities.

On the other hand, perhaps not.  An important part of the covert Intelligence function and process is the dissemination of dis-information for various reasons, be they political, economic, strategic, etc.,  As the Times article speculates, this may be a false-flag intelligence operation led by another nation-state.

To do this successfully, you need insiders who work for you who can plant the trail of ‘bread crumbs’ that lead back to the source of origin or you need outsiders who can co-opt internal resources to make it look like the attacks came from the schools.  For the latter, you’d need to control individual servers or a botnet from within China to do the attacks, with just enough hard-to-find, but incriminating and hard-to-spoof pieces of evidence to prove the assertion.

Think about who might do this, why and how?

Image courtesy of scienceblogs.com

If you put the tinfoil conspiracy theory hat on, is it possible that pirated copies of Microsoft Windows could be involved?  That’ would be almost too perfect.  A completely new twist on the meaning of Trojan Horse!  The news that there was a completely undiscovered flaw in IE6 that was used for the attacks is plausible, but is it probable?  Are we talking undiscovered, or simply unrevealed?

I’m not a forensics expert or CS grad, so am more than curious about how you’d prove, absolutely, that the attacks came from specific machines, not just IP addresses.  We can’t use the Evil bit to solve this conundrum.

It’s interesting to speculate about all this and it certainly will be interesting to follow.  Will we ever know the Truth or just read stories; it’s like an Information Security version of the Allegory of the Cave…

Later friends!

by Bill Wildprett, Suspicious Minds blog, Copyright 2010