My Oh My, PCI!

In my work, I’m often engaged with merchants in different verticals, doing PCI assessments. This frequently involves assisting them with their PCI Self-Assessment Questionnaires (SAQ). It’s an interesting process because the merchants run the gamut from Level 2 through 4, size-wise, in terms of annual number of transactions. Visa defines these merchants as less than or equal to six million transactions annually.

With the larger merchants or enterprises, say a University or Corporation, I’ll often find a well-organized PCI compliance group. They usually treat completing their SAQ like it’s a Report on Compliance (ROC), reserved for Level 1 merchants (6 million + transactions annually) and often appreciate the need (not a requirement) to have supporting evidence for each of the control questions in the 12 PCI Requirements. This supporting evidence includes network diagrams, cardholder environment diagrams, router and firewall Access Control Lists, system build checklists, change management checklists, various screenshots, access control, domain policy, policies and procedures, and many other items. All of these are items I’d request if I was doing an on-site audit.

The smaller merchants, on the other hand, have problems ranging from understanding what the PCI-DSS is and why they have to do a SAQ (because their Acquiring Bank says so) to, more importantly, truthfully answering the control questions. Because the SAQ process is a self-assessment, merchants who don’t understand what the Requirements mean, or are asking, are tempted to simply answer ‘Yes’ to the more-technical questions because they simply don’t know. I’ve found that the latter is often because they have outsourced IT staff and can’t afford the time and cost to engage them in answering the technical questions. Or, they are the IT staff, as well as the Business Owner, especially true for the very small merchants.

Compounding this lack-of-resources problem, in some cases, are the payment application vendors. They often provide their client, the merchant, with their Payment Application Data Security Standard (PA-DSS) Implementation Guide. This tells the merchant basically, ‘if you installed it correctly and did this and that the right way, this is how your application meets PCI requirements’. I usually ask merchants if they have their PA-DSS and while many do, many do not and need to call their vendor. Having the PA-DSS while completing a PCI SAQ is invaluable because it helps answer sections of Requirements 3, 4, 7 and 8 in particular. Remember though, you’ll only see a PA-DSS Implementation Guide with payment applications, not payment hardware like a swipe terminal.

So, a part of my time is engaged in bootstrapping the merchants who need it, by providing basic education on what the PCI Requirements are all about. I’m sort of a ‘tour-guide’ to the PCI-DSS and as a PCI-DSS Qualified Security Assessor (QSA), feel that this is appropriate. In a sense, I’m raising security awareness and hopefully, helping these merchants become not just compliant, but more secure. I work with them to help translate what the technical jargon means and why it matters. During the Remediation phase, I offer suggestions as to how they can meet the control objectives and minimize their compliance burden.

For those merchants who complete their SAQs without assistance from consultants like myself, or in-house resources like a PCI Security Standards Council-trained Internal Security Assessor, I’ve found myself wondering how real their SAQs actually are, in terms of security truth versus wishful thinking and best-guesses. And, since their acquiring, or merchant banks are accepting these SAQs annually, I’m also interested in whether or not these banks follow-up with the merchants. Do any of the banks ever find themselves thinking ‘Seriously?’ when they review the SAQ?

While my job is focused on compliance, be it PCI, GLBA, or HIPAA/HITECH, my overarching goal is security.

And that’s what it’s all about, for all of us.

Be well.

Bill Wildprett


Keeping it Real

2012 has been a very busy year for me, so far. Last winter I took and passed the ISACA Certified Information Security Manager (CISM) exam and in February, got a plane ride to Orlando to attend PCI-DSS Qualified Security Assessor (QSA) training from the PCI Security Standards Council.

I’m currently reading Christopher Hadnagy’s excellent book on social engineering; even if you weren’t in our profession, this book would be a fine resource because we all use social engineering to influence others. I wholeheartedly recommend his book and website at www.social-engineer.org!

Currently, most of my time is spent working to help merchants with their PCI-DSS compliance. I once thought I knew something about the PCI-DSS, but it’s like the iceberg, a LOT is under the surface. I’ve come to rely upon the outstanding Navigating the PCI DSS v2.0 document from the PCI Security Standards Council. It explains what the intent of the requirements are, which helps when you’re trying to translate this to a non-technical audience.

Recently, I decided to challenge myself in a different direction by volunteering to be the Communications Director for the ISACA Puget Sound Chapter. Being a member of a Board of Directors is a good-thing, career-wise and it’s nice to be involved in helping one of the professional organizations I belong to.

That’s it for now gentle readers!

Be well, and Be Happy.


Change is good.  Sometimes it can be painful and it may take a while to get some perspective and realize you’ve grown.  It’s all part of the process and I’ve learned to embrace or at least accept it.

What’s new?  I did a stint as an incident response handler earlier this year, then moved into SOX compliance and finally fell into a wormhole and emerged as an IT Security Auditor.  Not a stretch per se, but my information security talents have been stretched, in a good way, growth-wise.

So now I’m immersed in GLBA/FFIEC compliance engagements and have eyes on PCI-DSS and NERC-CIP work.  I’m thinking about adding another certification, possibly a CISM.

I’ve recently seen some friends in our industry brutalized by bad management, and then upon abrupt exits, become reborn and renewed, with a new sense of purpose and drive infusing their love of infosec.  In the past, many people helped me when I was ‘dazed and confused’; if you find yourself able, reach out to someone and ask them ‘what’s the good word?’  Shower them with positivity and possibility!

Always keep moving and remember, even when you go one step forward, two steps back, you’re still making progress…

image courtesy of Impact Lab

Peace y’all


2010 Rearview Mirror

January is a time of reflection and renewal, thinking about the past year and the present one.  We use this time to measure ourselves and set or renew goals, pointing our inner compass needles towards our own True North.

Looking back, 2010 was a successful year for me.  I didn’t get to do some things or attend all the conferences I wanted, but other items were handily accomplished and some good work got done!

Foremost, I partnered with IOActive, Consciere, and Insyndia to do consulting work.  This led to interesting security audit, risk assessment and vulnerability assessment work and I was fortunate to meet and work with some great people.  Shouts-out to Erin Jacobs, Glenn Kaleta, David Baker, Tab Pierce, and Joel Scambray in particular!

I also earned my CISA which gives me a stronger understanding of formally auditing information security environments.  Now, I’m thinking of how to use this new-found knowledge and where I’ll go next.

What will 2011 bring?  As I chart this year’s course, I intend to visit new shores, make new acquaintances, and continue to grow as a person and infosec professional.  I welcome the journey and its challenges!

Be well friends…

by Bill Wildprett, Suspicious Minds blog, Copyright 2011

No, I’m not thinking about porn or any other nasty stuff, just reflecting that like during Fall when we clean our house gutters, it’s appropriate to think about how we think and remove clogs and other impediments.

For me, that means diversifying my security readings and practices and thinking about where I might have blinders on.  This was brought home recently from someone I respect, Pete Herzog the Founder of ISECOM and the OSSTMM.  I had asked Pete via email if any of the Smarter, Safer, Better seminars would be on the West Coast (none yet); he kindly responded with information about who I could contact who might sponsor them and also gave me a backhanded compliment about passing the CISA exam, saying ‘now we’ll have to teach you the right way’ in essence.

I wasn’t offended but my curiosity was piqued.  My mind had been wrapped around earning a CISA for continued competence and professional respect; was my thinking so constrained by my learnings?  So, I’m resolved to read the OSSTMM Version 3 and work to use it.  I’d read through (read, skimmed) Version 2.2 a while back but hadn’t immersed myself.  From other authors, now I understand it as possibly a paradigm shift in how to think about security assessments, at least for me.

Another mental dustbuster for me has come from reading The Black Swan by Nassim Nicholas Taleb.  I’m not finished with the book, a testament to how well-written and insightful it is.  I find myself lingering over it and re-reading sections prior to moving on.  This is partially because ‘NNT’, as he refers to himself, is one deep thinker!  This tome takes some time to absorb and digest.  Taleb discusses extreme outliers, huge events that are completely unforeseen and that subsequently shake our foundations, institutions and psyches.  9/11 is one such event.  The salient idea is not to focus on prediction of such events but to build sufficient robustness against negative Black Swan Events and to take advantage of positive ones.

My challenge and task is to apply this modality of critical thinking to the domains of information security, along with that of the OSSTMM.

Like more physical exercise will clean the arterial plaque from your personal system, it’s important to floss your brain or defrag your mind, however you want to put it and at least recognize that you might need to.

Peace friends!

by Bill Wildprett, Suspicious Minds blog, Copyright 2010


After waiting two months to the day following the Certified Information Systems Auditor exam (CISA), I just learned that I PASSED!

Now I need to submit my Application for Certification to ISACA and wait another two months (so they say) for it to be approved before I can use my new certification title.

Reviewing my test scores by subject area told me that I didn’t do as well in some areas and better in others.  So, more studying is in order…

Oh Happy Day!  🙂

by Bill Wildprett, Suspicious Minds blog, Copyright 2010

Image courtesy of Pentax Salon

The other night, while my wife and I were walking Daisy, we had an ‘incident’ to respond to.  Not computer related, but the principles of incident response still apply.  Someone decided that abandoning three month-old kittens on the road down from our house was a good idea ~ ‘surely someone nice will give them homes!’

If we ignored their plight, the outcome would go three ways:

  1. Someone else might rescue them.  Although, since it was after 10:00 P.M. this was unlikely.
  2. They’d be hit by cars.
  3. Wile E. Coyote and his brethren would enjoy their company.

So,  we rescued them, sheltered them overnight and in the morning, off to the Humane Society (with a donation) they went since we just can’t accommodate three kittens with our golden retriever.

Reflecting on this episode, I thought about how I’d been taught about incident response by SANS Institute instructors.  The acronym I learned is PICERL: Preparation, Identification, Containment, Eradication, Recovery, Lessons-learned.

We were prepared because we had cardboard boxes to hold them and a crate at home for the night.  We identified the problem, contained the kittens and eradicated the threats that night (no, we didn’t kill any coyotes).  Recovery happened in the morning and Lessons-learned are ongoing (expect the unexpected and assume breach are two of them).

The takeaway on this is that strange things happen and we can use our training, even very IT security-specific, to manage the event.  Security is about doing the Right Thing, at the Right Time, for the Right Reasons ~ this incident was no exception and was definitely security-related, at least in the physical sense as far as the kittens were concerned.

by Bill Wildprett, Suspicious Minds blog, Copyright 2010

The calendar says it’s Summer although here in the Pacific Northwest, we’re not sure ~ it’s a cool Summer, which makes it fine for reading security books in the hammock or doing laptop stuff from the deck.

So what’s cooking?  I re-encountered a tool I first learned about from Russ McRee’s Toolsmith column in the September 2008 ISSA Journal ~ Practical Threat Analysis.  I’d looked at it before, but not in enough detail so have embarked on using it for a deeper understanding.

The 2010 Verizon Data Breach Investigations Report is out and it’s chock-full of good statistics and commentary.  I especially like the partnership with the U.S. Secret Service and the shared incident data.  Another nice tool from Verizon Business is VerIS, the Verizon Incident Sharing Framework which presents how metrics are captured and used in preparation of the DBIR.

I took the Certified Information Systems Auditor (CISA) exam on June 12, 2010 and am patiently waiting to learn my fortune or fate!  The process stimulated a new appreciation of ISACA Auditing Standards, Procedures and Guidelines and CobiT 4.1, prompting me to send the former to FedEx for printing and to order the latter in book form from the ISACA Bookstore.  My wife picks it up and says “Can’t you find a good novel to read?  It’s Summer!”

I guess you had to be there to appreciate it…

Cheers mates!

by Bill Wildprett, Suspicious Minds blog, Copyright 2010

It’s a cool, rainy Spring here in the Pacific Northwest, a fine time to stay indoors and read instead of cleaning gutters, gardening, mowing the verdant expanse out back, etc.,

Reading and study efforts have been and are focused on preparing for the June 12th CISA exam first and foremost.

Following that, here’s what’s top-of-mind for me:

OSSTMM 3 updates

Security Tools Screencast Demos from SearchSecurity.com

Never Eat Alone – Keith Ferrazzi: Building personal networks isn’t about how many connections you have in LinkedIn, it’s about maintaining and growing relationships in meaningful ways.

As the old saw goes, ‘All Work and No Play…’ so breaks in the ‘Blue Room’ are taken with Daisy:

One Happy Golden!

As information security professionals, a common refrain we hear is how difficult, but essential it is to communicate the whys, hows, and whats of security to management, other business units, partners, vendors, customers, etc.,  Whether it’s meaningful security metrics or why compliance is just the beginning of the whole security process, better communication can yield better results.

Recently, I’ve had the pleasurable opportunity to learn more effective ways of communicating professionally.  I attended a series of seminars and workshops sponsored by Paul Anderson from ProLango Consulting.  Paul specializes in career development and training, with an emphasis on using LinkedIn & Twitter to find opportunities, résumé optimization and advanced interviewing techniques.

I learned about how people communicate via words (7%), tonality (38%) and physiology (55%) and the essential elements in building rapport with hiring managers, co-workers, spouses, etc.,  Generally speaking, people are primarily visual, auditory or kinesthetic when they talk – everyone is all three but we all have a dominant type.

Visual people look up when speaking, speak faster and use phrases like “I see what you mean”.  Auditory people look from side-to-side, speak slower and say things like “That sounds good to me”.  Kinesthetic people look down and may make physical contact with you as they speak.

Paul’s experience as a hiring manager at Microsoft and Expedia and his consulting work reveal that on average, recruiters take 7 seconds to review a résumé and hiring managers take 45 seconds to decide whether or not to hire.

His teachings focus on being able to build rapport effectively by matching and mirroring body language and tone of voice, then asking key questions designed to illustrate expertise and elicit the ‘pain points’ of the other party, in an attempt to find their need(s) so you can link them to your experience/product/service.  Finally, techniques to overcome objections while closing are taught.

Résumé optimization is about identifying the corporate values and desired employee traits mentioned in a job description, then fine-tuning the top-half of the 1st page so it speaks concisely in two to three sentences of how you’ll solve their needs and problems, not an ‘elevator pitch’ of what you’ve done before, specifically.  A bullet list of core competencies relevant to the position’s requirements follows before the experience, education, and professional associations sections.

All of this was refreshing and enlightening; much of it grounded in basic common sense and how good salespeople work.  The concept behind building rapport is to become very quickly similar to the person you’re conversing with so they think: ‘I like me, they’re like me, so I like them’.

It isn’t about simple mimicry, it’s about listening closely, asking good questions, and filling their need with your expertise and experience.

So, give this a try when you’re next trying to sell security, interview for a job, or persuade someone.  Become like them in body language and vocal tone to build rapport ~ you may be pleasantly surprised by the results.

by Bill Wildprett, Suspicious Minds blog, Copyright 2010

Hawai’i

Dragon’s Lair, Pt 2

The denials, now from the aforementioned Chinese schools (Shanghai Jiaotong University and Lanxiang Vocational School), are expected, but without foundation given the proof uncovered by Joe Stewart, a malware specialist with SecureWorks.

Mr. Stewart reverse-engineered code from the Hydraq trojan and, according to the NY Times, ‘determined the main program used in the attack contained a module based on an unusual algorithm from a Chinese technical paper that has been published exclusively on Chinese-language Web sites.’

For a much more detailed analysis beyond the scope of the Times article, jump to the original SecureWorks blog post by Mr. Stewart where he explains the basis of his conclusions about the unusual CRC algorithm.  As he says, “This information strongly indicates the Aurora codebase originated with someone who is comfortable reading simplified Chinese…In my opinion, the use of this unique CRC implementation in Hydraq is evidence that someone from within the PRC authored the Aurora codebase…”

I had fun hypothesizing about the evil genius of backdoors inside the source code of pirated copies of Windows (take the tin hat off now!), but this argument concludes that someone or some group (PLA?) in the PRC is behind this.  As Mr. Stewart recognizes, this could still be the work of others, intent on blaming the Chinese government, but he refers to Occam’s Razor and its classic argument that the simplest explanation is probably the best one.

On the other hand, the counter argument, and some compelling evidence, has been raised in this blog piece.

To play the Devil’s Advocate for a moment;  say the U.S. government was behind this, to throw suspicion on the PRC for political and economic reasons, and to fight-back against the “persistent campaign of “espionage-by-malware” emanating from the People’s Republic of China (PRC)”, as Mr. Stewart describes it, who would be helping the U.S.?

As I stated before, maybe we’re doing it or maybe others are doing it for us.  If we’re doing it, we’re doing it directly or using inside assets.  If someone else is doing it for us – who?  My money is on the Israelis.  Israel has plenty of sharp coders and the Mossad is quite capable, as recent news has shown.  And, they’ve done this before.  If not Israel, what other nation would be likely to help the U.S.?  England, Canada or Australia probably.

Then there’s the voice that says, ‘everyone’s doing it, so why worry?’ Sadly, all too true…  Most likely, we’ll never really know the answer.

by Bill Wildprett, Suspicious Minds blog, Copyright 2010

The Dragon’s Lair?

An excellent article in the N.Y. Times on February 18th stated that two Chinese schools, the Shanghai Jiaotong University and the Lanxiang Vocational School were involved in the recent online attacks against Google and dozens of other U.S. corporations.  These conclusions come from research by various security researchers, the NSA, and U.S. defense contractors.

There are multiple possibilities to consider here and more detailed information is required before making any final conclusions.  On the one hand, it appears to be obvious ~ yes, it’s the Chinese government/military working with or sponsoring patriotic student hacking activities.

On the other hand, perhaps not.  An important part of the covert Intelligence function and process is the dissemination of dis-information for various reasons, be they political, economic, strategic, etc.,  As the Times article speculates, this may be a false-flag intelligence operation led by another nation-state.

To do this successfully, you need insiders who work for you who can plant the trail of ‘bread crumbs’ that lead back to the source of origin or you need outsiders who can co-opt internal resources to make it look like the attacks came from the schools.  For the latter, you’d need to control individual servers or a botnet from within China to do the attacks, with just enough hard-to-find, but incriminating and hard-to-spoof pieces of evidence to prove the assertion.

Think about who might do this, why and how?

Image courtesy of scienceblogs.com

If you put the tinfoil conspiracy theory hat on, is it possible that pirated copies of Microsoft Windows could be involved?  That would be almost too perfect.  A completely new twist on the meaning of Trojan Horse!  The news that there was a completely undiscovered flaw in IE6 that was used for the attacks is plausible, but is it probable?  Are we talking undiscovered, or simply unrevealed?

I’m not a forensics expert or CS grad, so am more than curious about how you’d prove, absolutely, that the attacks came from specific machines, not just IP addresses.  We can’t use the Evil bit to solve this conundrum.

It’s interesting to speculate about all this and it certainly will be interesting to follow.  Will we ever know the Truth or just read stories?  It’s like an Information Security version of the Allegory of the Cave.

Later friends!

by Bill Wildprett, Suspicious Minds blog, Copyright 2010

Some very interesting research came to my attention the other day, courtesy of the ISC2.org CISSPforum on Yahoo Groups, pointing to an article in Scientific American that discussed why flattery is effective.

The research, by Elaine Chan and Jaideep Sengupta at the Hong Kong University of Science and Technology and reported first in the Journal of Marketing Research, showed that while most people can spot obvious flattery and attempts to influence them, on an innate subconscious level it actually works!

The study showed that while participants’ explicit attitudes rejected marketing come-ons, their implicit attitudes were more positive and could be used to predict future behavior.  This susceptibility to flattery may stem from the basic human need to feel good about oneself, referred to as illusory superiority or the above-average effect.

In testing whether or not the motive to self-enhance was related to insincere flattery, the researchers showed that, in the words of Scientific American, “those of us who could use a little pick-me up to begin with are particularly vulnerable to the message behind a smooth sales pitch”.

So, how does this relate to information security and why is it important?  This all goes back to social engineering and the ability to market towards or convince other people to do what you want them to.  Knowledge of these behavioral responses can be applied to social engineering as part of penetration testing and taught as part of security awareness training.  On the converse, look for this to be used in phishing attempts.

And what about security product marketing from vendors?  We all know about FUD, but should the F stand for flattery instead?  ‘Yes, this new Intrusion Detection/Prevention System does make me feel sexy!’ Probably not, but more likely about being told how much more secure you’ll be, which translates internally to how good of a security person you think you are.

The takeaway ~ keep your BS filters on high and understand that at some basic level, like Fox Mulder, you want to believe.  Doing so may open you to accepting more risk…

Food for thought.

by Bill Wildprett, Suspicious Minds blog, Copyright 2010

I’ve been following the news about the Google hacks and ‘Operation Aurora’ as McAfee called it, for a while.  There’s a plethora of online articles about this and why China would do this, which the PRC government denies pro forma.  It’s about nationalistic young Chinese and about PRC government, economic and military strategic interests.

An excellent source of discussion has been The Dark Visitor website, focused on Chinese hackers and also the SecurityMetrics.org mailing list.

From that, I learned the term Advanced Persistent Threat (APT), used by Mandiant and their M-unition blog.  One of the best comments came from Richard Bejtlich’s TaoSecurity blog; Richard explained what APT is and why it is dangerous.

The long and the short of it is that, in this case, the PRC will use any means whatsoever to obtain information to their advantage.  The usual resource constraints of time, money and people simply don’t matter, nor do ethics as we think of them.  Some have stated that these attacks against Google, Adobe, and according to McAfee, 32 other companies in the technology, financial and defense sectors, are only about malware and the quest for money.

In a sense, this argument is correct, but the financial motivation is different.  Yes, it’s about money because money is about power and the ability, long-term, of the PRC government to retain it against the tide of capitalist democracy.  In other words, as long as the PRC leaders can keep growing their economy, their entrepreneurial class makes money, and the middle-class gets something, they’ll continue to stay in power.  They have a very vested interest in this odd form of trickle-down economics ~ political survival long enough to ensure their continued relevance and Chinese economic dominance sooner than later this century.

So, if it means the theft of intellectual property, commercial secrets, software, whatever from wherever, that is what China will do, and as their leaders see it, must do, if they are to not just catch-up, but succeed.  As the Mandiant M-unition blog puts it:

“No target is too small, or too obscure, or too well-defended. No organization is too large, too well-known, or too vulnerable. It’s not spy-versus-spy espionage. It’s spy-versus-everyone…

…The APT’s goals are twofold:

  • to steal information to achieve economic, political and strategic advantage.
  • to establish and maintain an occupying force in their target’s environment, a force they can call on at any time…”

It used to be French and Russian intelligence organs we worried about, as far as stealing corporate secrets went.  APT is a whole ‘nother ball game, without umpires and a playbook available to one side only.  Expect other nation-state actors to play the same game; it’s similar to the whack-a-mole the West is playing with Iran over nuclear weapons development where they deny everything vehemently while building enrichment centrifuges as quickly as possible.

The 800-lb Dragon has been around for thousands of years and is feeling re-born and contentious.  Witness the lashing-out and dissing of the West at the Copenhagen Climate summit, criticism of U.S. arms sales to Taiwan, the Dalai Lama’s upcoming meeting with President Obama and China’s growing assertiveness in other areas.

Some have commented that criticizing China on this is racist; that opinion is disingenuous and is meant to deflect honest inquiry.  APT isn’t about race; it’s about the means, intentions and long-term motivations of an adversary ~ even one who tries not to seem adversarial, is a key trading partner, owns your debt, etc.,

APT, from China and other actors, will not go away.  This is the new reality and we’d all better begin to pay attention and think how to combat it.  That means working to understand the psychology behind it.  APT crosses the domains of information security, economics, psychology, politics, sociology and more.  It is ultimately about the maintenance of power, its true raison d’etre.

I’ve been thinking about Security Awareness and different ways of teaching it as a mindset.  We infosec folks think about it all the time, cultivating it as part of our general focus on situational awareness; the general public, corporate and government leaders, SMBs – not as much, perhaps.

It’s only when some epic breach like TJX, Heartland, or the recent Google hacks happen, that most people go ‘Huh?’  Security people channel their inner Homer Simpson and go ‘D’Oh!’

I’m sure other security professionals have thought about how effective security in general was approached and taught during World War II; citizens were reminded in public places that ‘Loose Lips Sink Ships’ and that ‘Careless Talk’ cost lives.

So, if we were going to use this approach today, what would we say?  What would resonate and be graphically memorable?

  • Lost Laptop – Work Stop
  • Data Breach – Painful Teach
  • DLP Works for Me!
  • Stolen Data in Motion, Crosses the Ocean

What would you suggest, dear reader, to teach staff to lock Desktops when they’re away from their office?  Or to not store unencrypted corporate data on USB drives, laptops, netbooks, PDAs etc.,?

The posters above are courtesy of the New Hampshire State Library and Eyewitness to History.  The latter site has an excellent list on how to safeguard information from the enemy, the Ten Prohibited Subjects and more.

Are pithy slogans and eye-catching graphics enough?  Do we need Quentin Tarantino to make a movie?  I’m re-reading NIST SP 800-50 and thinking about this more.  There are all sorts of posters out there too:

In fact, it’s a niche industry!  But, how effective are posters at increasing lasting security awareness with true stickability?  Some very interesting insights and research were assembled by Ross Anderson and mentioned on the ISC2.org blog on 11/15/09, titled ‘Psych and sec’.  These papers and articles on psychology, behavioral economics, social attitudes towards risk, security usability, and more, remind us of the academic contributions other disciplines bring to security awareness.

What do you think?  Do security posters work in your organization?  Is there enough user-centered design in security mechanisms, or not enough?

I read a great post by Will Irace on the Cassandra Security site and I agree with him ~ it’s all about trusting people and educating/training them to do the ‘right thing’ and why.

Later friends…

Bill Wildprett

Blog On!

I’m happy to report that Suspicious Minds is now seen on the following blogs!

Not to be a social butterfly, but to quote Dan Schwabel, it’s ‘not who you know, but who knows you!’ It’s part of my personal branding strategy.

So, it helps keep me motivated to write blog entries.

Happy New Year, my friends! 🙂

I sit, dumbfounded with amazement after reading that insurgents in Iraq have been intercepting Predator drone video feeds and that the Pentagon has known about this for a year now.

According to the Wall Street Journal, Department of Defense officials knew about this vulnerability back in 2004 when the possible risk of Russian or Chinese signal compromise came up.  While the DoD officials thought it possible that nation-state actors could do this, they vastly underestimated Iraqi insurgents.

My favorite quote from the article:

Officers at the time weren’t concerned about adversaries intercepting the signals in Iraq or Afghanistan because drones weren’t yet common there and militants weren’t thought to be technically sophisticated.

The underlined emphasis is mine.

Helloooo!  Anyone see an obvious need for encryption?  Now we learn that the DoD is working on encrypting video feeds from Predators, Reapers & Ravens, in Iraq and Afghanistan.  Sure, an added layer of encryption will slow the feed speed down a bit, thus increasing latency, but to think that the enemy isn’t sophisticated enough, so why bother, is flat-out naive and borderline stupid.

Once upon a time, none of us knew about IEDs.  That unsophisticated enemy adapted pretty quickly, forcing our troops to adapt in return; despite cell phone jammers, etc., the enemy still uses IEDs, all too often to horrible effect.

So why on Earth wouldn’t you want to deny any real-time situational intelligence you have from your adversary?  This is basic Poker 101 ~ don’t let ’em see your cards…

The DoD argument is that encryption is complex and there are all sorts of signals, lots to do, etc.  They say that now the drone video feeds are encrypted, but other video feeds such as the Remotely Operated Video Enhanced Receiver (ROVER) and the Scan Eagle drone still aren’t encrypted.

Cryptography means ‘Hidden Writing’ in Greek (κρυπτός, kryptós, “hidden, secret”; and γράφω, gráphō, “I write”).  At the risk of an obvious Bad Pun, given the prior military use of cryptography from ancient Sparta forward, and in particular, during WWII in conjunction with the Brits, it’s Enigmatic why this happened.

A classic Epic Fail.  Shock & Awe indeed…

O Botnet, Where Art Thou? Yes, like an Odyssey worthy of Homer or a George Clooney movie, the saga of the Conficker botnet continues.  The Most Excellent folks at Shadowserver have posted an update today.

While Conficker fell off the media radar, Shadowserver has been following it:

  • “As recently as late October 2009, the number of systems infected with the A+B+C variants topped seven million.”
  • “Currently, there are over 12,000 ASN’s that have at least one Conficker IP in their network space.”
  • The Conficker stats and charts page can be found here: http://www.shadowserver.org/wiki/pmwiki.php/Stats/Conficker

Like the Bogey Man and the Monster Under the Bed, we Know it’s There, but what is It Doing?  One thing the data shows is that overall, its presence is dropping: its previous high was 6.5 million, estimated in October 2009 at 7 million, and now declining, thanks largely to serious eradication efforts, including ongoing domain registration by the Conficker Working Group.

A very interesting piece on SearchSecurity.com brings us up-to-date on the hunt for the Conficker authors.  The article quotes Mikko Hyppönen from F-Secure speaking about how the worm’s authors used the MD6 cryptographic hash to sign the worm, including updating the hash after an MD6 weakness was found.  Also, the worm was able to work around AutoPlay being disabled on Windows systems.

The counter-attacks by security researchers will influence botnet developers as they morph their capabilities and attack surfaces in response.  While Conficker seems to be contained and has become the inverse of Top of Mind, you should still Pay Attention, just because…

Peace & Love Y’all!

Growth as a Process

It’s a great time to be a security professional, always so much to keep learning and to do!  I’ve been working on personal and professional growth, looking for ways to define myself as a consultant and differentiate myself from the ‘Big Guys’.

I’m all about providing excellent customer service and really becoming a partner with my clients.  Part of the process is identifying who your target market(s) are and what they really need.  To this end, my friend and career mentor Mike Murray turned me on to an outstanding book ~ ‘Book Yourself Solid’ by Michael Port.  I haven’t finished reading all of it yet because it is a process-oriented work, with lots of exercises and a workbook.  I simply cannot say enough about how helpful this book (and the companion website) is; it’s all about what it truly means to be a service professional and strategies for romancing your potential clients into ongoing fruitful relationships.

It all just resonates so much with me ~ do what you said you’d do, listen first, ask lots of questions, act with integrity and purpose, provide stellar service, be helpful without any expectations.  Whether you’re in business for yourself, or an employee, the principles and guidance are the same.

Read this book!

Other than that, I’m studying CISA materials for the exam next June and am re-reading NIST SP-800-53 and SP-800-53A.

Be well people!


As I’ve said before, one of the main things I love about information security is the need to keep learning ~ the field keeps expanding, Big Bang-like and it behooves one to stretch themselves, out of their comfort zones and in new directions.

Friends of mine had been recommending I learn more about IT auditing, to gain a better perspective on how controls are applied, and why.  To that end, I took a three-day Certified Information Systems Auditor (CISA) training course from CertTest in early November.

Wow, that was pretty cool!  I learned a lot of new stuff and reviewed things like NIST SP-800-53 and ISO 27002 that I knew something about, but not in the same depth.  So, I’m now embarked on a study cruise towards the June 2010 CISA exam from ISACA.  Maybe I’ll work as an IT auditor, maybe not, but either way, I’ll know a lot more about the business side of the proverbial ‘house’ and its GRC drivers.

All this dovetails with my ongoing study of COBIT 4.1, NIST SP-800-53, and the ISO 27K series ~ I’m focused on becoming the best Governance, Risk Management & Compliance professional I can be!

If you have any helpful hints, suggestions, study advice, please ping me.

Shouts-out and props to Dave Cannon at CertTest for being an awesome and inspiring instructor!

And, I ate some Serious ‘Que at the Hard Eight in Irving TX with my CertTest classmates…

Later friends!

An update on the status of the Conficker botnet, courtesy of ShadowServer and the Conficker Working Group, via Dark Reading, shows the botnet currently at 5.5 million compromised (by the A & B variants) machines, mostly in Brazil, China and Vietnam.

As I’ve posited before, these are un-patched systems running unlicensed copies of Windows.  From the Dark Reading article: “Microsoft, meanwhile, says of all of the attacks exploiting the MS08-067 vulnerability, Conficker accounts for more than 3 million threat reports versus about a half million for all other vulnerabilities exploiting the bug…”.

To mitigate against the inevitable future use of the Conficker botnet, perhaps Microsoft could provide a one-time system scour and patch available only to IP addresses from the afore-mentioned countries.

How best to compel licensed users to apply patches when released?  This tricky issue is problematic for business users who require patch testing prior to production deployment, although patch testing is vastly more robust than it used to be, hence less likely to disturb production systems by creating a new incident to respond to.

It’s the SOHO and SMB users who need help.  What to do, what to do?  Forcing automatic system OS and applications patching on the second Tuesday each month, even if Automatic Updates is turned off might work, but is that degree of invasive action necessary, required, and prudent?

Aye, there’s the rub…

More user education, without fostering FUD, like those smarmy Apple ads.  In addition to the ‘I’m a PC’ Microsoft ads, how about also promoting safe computing by having the actors say something about regular patching, like “I’m a PC AND I always use Automatic Updates, just because I like being sure”.

It couldn’t hurt!  😉

It lurks among us, waiting for who-knows-what to do exactly that.  It lurks, in the Microsoft Windows realm, because it’s the only viable environment to propagate in.

The smug ones pontificate about how safe they are with their Macs or Linux ~ that’s immaterial because the World is Windows, for better or worse and we need to learn about and from Conficker for the future’s sake.

An interesting piece in the N.Y. Times discussed how Conficker continues to morph following the advances or missteps of its adversaries.  The article also speculates that the original purpose of Conficker may not be financial, but state-sponsored.  It’s as if a five million zombie botnet, at current counts, sprang into being for no obvious reason.  Waledac spambots are one thing, financial gain from selling AV scareware is another, but is that all there is?

Anyone or group sophisticated enough to create Conficker and keep abreast and ahead of the Conficker Working Group, etc., must have a purpose and intent(s) in mind ~ we just don’t know yet what it/they are.

Calling Dr. Evil…

If somehow, the ‘good guys & gals’ could take over the Conficker botnet, the harnessed computing power could be used for good, like SETI research at least.  😉

Given the Microsoft emergency patch on October 23, 2008 and the media press during late March/early April 2009, this begs the question of why so many Windows machines remained un-patched long enough to continue the infection spread.  Variant C disabled Windows Update and blocked AV software lookups.  Perhaps the use of pirated copies of Windows has aided the worm’s spread; as unlicensed copies, my understanding is they are incapable of running Windows Update.

It may be another proof of concept and a way to test the waters, stimulus-response style.  In this chess match, there are vested interests watching the process and reactions on both sides of the aisle…


Summer Reading List

Ah Summer!

I recall the halcyon days of Summers past, when my teachers assigned reading lists, with the hope of broadening my mind and preventing recursive learning.  They needn’t have worried about me; I’m a compulsive book-a-holic and used to stalk the Bookmobile more frequently than the ice-cream truck…

This summer, besides the daily security reading via online newsletters, magazines, and blogs, I’ve added the following books:

I’ve finished the first and am marching through the second, saving the heavy-lifting tome for last.

I like the approach and arguments put forth by Adam Shostack and Andrew Stewart; we need a New School of thinking about information security, moving away from the FUD promulgated by many vendors and security practitioners, and focused instead on objective measurement via empirical means and on multi-disciplinary thinking, particularly from the perspectives of economics, psychology, and sociology.

Following on that line of thought, I’m enjoying Andrew Jaquith’s book.  My academic training was in economic geography, statistics, and resource management, so I’ve been deeply immersed in data modeling and measurement before.  I’ve also done a fair amount of evaluation work, mostly post hoc.

I completely agree that we need better ways to measure information security risks; how to quantify and qualify them and how to present them cogently to our funding sources, i.e., management.

As Bruce Schneier said, “Security is not a product, it’s a process.” So too, is the collection, refinement and presentation of our empirical data to management.  You’ve got to have the ground truth if you want to make better decisions.

The last book is interesting to me, in light of the so-called North Korean ‘cyberwar’, the previous electronic adventures in the Republic of Georgia and Estonia, and the essential reality that the Internet and software are our primary infrastructure now, after concrete.  After I wade through this impressive work, it will take its place next to Sun Tzu and Carl von Clausewitz.

As the current Administration in Washington D.C. keeps shedding cybersecurity personnel the way our bodies slough-off skin, my hope is that the President might read this book and really put some impetus into finding and retaining a cybersecurity ‘czar’ who reports directly to the President, with sufficient funding, authority, and autonomy to make a difference!

Keep On Keepin’ On Folks…

Kimchi, Part 2

Following this story, ShadowServer has an excellent write-up on the self-destructing nature of this botnet.  Interesting pieces of information:

  • The botnet size is around 200,000
  • Most of the compromised machines are in South Korea, although computers in four other countries were used
  • The botnet appeared virtually overnight
  • Compromised machines are set to begin overwriting essential files on their hard drives today, July 10, 2009

Cyberwar, according to the Rand Corporation, is about “disrupting or destroying information and communications systems”.

The term cyberwar has been ballyhoo’d by the media although it’s been in use for years along with ‘Netwar’; the latest news from South Korean intelligence organs is that a North Korean Lab 110 was responsible.  If so, previous stories about a North Korean ‘Hacking Academy’ have substance, and with all its connotations, it is disturbing this happened so quickly with specific geographic localization in origin and targeting.

From a Disaster Recovery/Business Continuity perspective, the advantages of distributed web hosting by providers such as Akamai are significant in mitigating DDoS attacks.

From a historical perspective, that approach was basically the original raison d’être of the Internet when first conceived by DARPA and then ARPANET: protection from communications loss after nuclear attack by using distributed node computing.

This may be an early phase of a cyberwar campaign; it is at least an experiment of sorts, complete with the lab cleanup phase.  Pay attention to this story as more information becomes available ~ there will be applicable lessons for multiple perspectives.


Kimchi Anyone?

I’ve been following the media interest in the recent and ongoing DDoS attacks against South Korean and U.S. government websites.  The alleged perpetrator is North Korea, but proving it absolutely will be difficult.  The current word is that a 100K node botnet was involved, with computers located in South Korea, China and the U.S.

John Bambenek from the SANS.org Internet Storm Center commented that ISPs and end-users bear partial responsibility for allowing/having un-patched systems, thereby enabling botnets.

While ISPs can do more to filter traffic to end-users, part of the problem from the end-users in Asia is the prevalence of pirated copies of Windows XP & Vista, unable to use Windows Update for automated patching.

From the standpoint of information warfare, what might this mean?  A few things to consider as possibilities:

  1. It may or may not be North Korea.  It could easily be the Chinese military using North Korea as a proxy, knowing that we have little leverage against them, and using this attack as a ‘proof-of-concept’ for the future.  Test and refine after analyzing the response.
  2. If it is the Chinese military, what is their motivation other than tactical and strategic preparation?  Given the level of Chinese government ownership of U.S. debt, hurting our economy, for example, by disrupting the power grid, works against their economic interests, unless they deem it necessary in the future.
  3. If it is North Korea, what do they hope to accomplish?  The attacks didn’t take-down either the South Korean or U.S. governments, just a few websites overall.  Simple braggadocio or ‘testing-the-waters’, like their missile launches and nuclear program?
  4. Could this be an exercise the U.S. government/military commissioned?  This scenario isn’t far-fetched and falls within the realm of FUD.  If your goal is to increase spending and awareness of information security in government, having a ‘straw man’ somewhere else is useful.  Especially if they are known to be belligerent, rant frequently against us, and their ‘great leader’ appears somewhat psychotic.  A very convenient bogeyman.  The compromised targets were government agency websites including the U.S. Treasury and Federal Trade Commission, while the Pentagon and White House were unaffected.  Make smoke and noise, but no fire.
  5. Botnets are comparatively easy to rent for a specific time and purpose, in this case a DDoS against U.S. and South Korean government websites.  Conceivably, they may also be virtualized.  Think about cloud-level botnets available on-demand.

The story linked to above says that code is being analyzed by experts and foreign language-fluent investigators are roaming Internet chat rooms, looking for braggarts.  A strategy I’d expect in any continuing disinformation campaign would be to plant ‘talkers’ in the appropriate IRC channels; this furthers the promotion of the straw-man function and lends credence to the originating purpose.

Events may be exactly what they are purported to be, or something else entirely.  As information security professionals, think about the possibilities and motivations of any adversary’s actions, beyond the obvious and easy answer.

Food for thought, and more to chew on later…


We’ve all read about how Security Awareness training is required and how it doesn’t seem to work too well.  A recent study by the Ponemon Institute lends credence to the latter aspect and underscores the need for more stringent Data Loss Prevention policies and procedures in organizations. The study, released on June 10th and sponsored by IronKey surveyed 967 individuals across a broad spectrum of industries.

From the IronKey website:


  • The majority of respondents admit to serious non-compliant workplace behaviors that place their companies at risk. Such behaviors include the insecure use of USB memory sticks, use of Web-based email, sharing passwords, turning off security settings and more.
  • According to the study, 69 percent of employees surveyed said that they copy confidential or sensitive business information onto USB devices, while only 13 percent of respondents said their companies have a policy that allows this, showing a 48 percent non-compliance rate.
  • 61 percent admitted to copying confidential or sensitive business information onto USB devices, and then transferring the information to another computer that is not part of the corporate network.
  • Over half of the respondents said that they download personal Internet software to their company computers, which significantly increases the risk of introducing viruses, worms and other malware into an organization’s network.
  • 58 percent of the respondents said that their companies do not provide adequate training about compliance with data security policies, and about the same number said the data security policies are ineffective.
  • Approximately half of the survey participants said their corporate data security policies are largely ignored by employees and management, and that the policies are too complex to understand.
  • Compared with a similar study conducted by Ponemon Institute in 2007, the rate of non-compliant employee behavior appears to be getting worse over time.

So, with these in mind, what is our take-away and what do we do to change this reality?

  1. Organizations must do more to educate employees and contractors about the critical value and essence of protecting corporate information, from the standpoint of compliance risk and cost, loss of public and client confidence in the organization, and support for the organization’s core values.
  2. Organizations must implement more effective and comprehensive Data Loss Prevention policies and procedures.  USB sticks, while very handy, shouldn’t be allowed to connect to client computers unless there is a confirmed business need, e.g., conference presentations, corporate travel, work in conjunction with another tool like a laptop or notebook in the field, etc.  It’s far too easy for employees to use USB sticks as neo-sneakernet technology for telework.  Convenience must be trumped by Security here because the risks from device loss, data loss, and introduction of home-brought malware back to the organization are too great to ignore.
  3. Similarly, organizations must enact stringent endpoint controls, specifically user account rights, which prevent users from installing unauthorized software.  Too many users run as Local Admin on their desktop or laptop computers.  Establish a base operating system image for deployment across the organization, providing software tools to user groups via policy.  For example, an organization can provide an image for Windows XP or Vista which includes Office as a base, then selectively through Group Policy, allow certain users or groups to use additional software on an as-needed or per-use basis.
  4. Endeavor to educate users about the costs of compliance breaches during security awareness training.  Sharing organizational and industry-specific metrics about compliance cost can be eye-opening – Security Managers must do more to evangelize management about how expensive it is to be non-compliant.  Perhaps, tying corporate bonuses and raises to compliance breach awareness might be beneficial ~ when users have a financial stake in the outcome, they tend to pay more attention…
  5. The overall problem is getting worse and people are complacent.  Make security policies easier to understand by employees and friendlier to teach.  Seek out new and innovative ways to teach security awareness, for example, teach employees about the home vacation security guide by ISECOM and about how to keep their children safe online ~ in other words, make security awareness PERSONAL!  This consciousness-raising will transfer to the workplace if done correctly and compassionately.  Teach employees how to protect themselves and how to protect you, because you are their ‘bread & butter’.

There are a variety of security awareness training resources online; here are a few to consider:

As security managers and practitioners, the gauntlet has been thrown down! It’s up to us to raise awareness by management and help find new methods of providing security awareness training, ways that increase the stickiness of the subject across the audience spectrum.  We know we have to speak ‘business’ to management to help them understand why security is important, essential, and a cost-saver, not just a cost-center; now we have to find ways to do the same with awareness training, making it far more than just ‘checking the box’ each year.


I read an excellent post the other day on the ISC2.org blog about the perils of being a security generalist in this job market.  The author, Ionut Ionescu, described his experience of being a broad brush when many employers only seem to want a ‘painter’ who does ‘cutting-in’ work, i.e., a niche specialist over someone with broad experience.

Another fine resource came my way and I’m lovin’ it!  This is Information Security Leaders, written by Mike Murray and Lee Kushner.  The blog is about your career management, particularly in the face of ‘career incidents’, be they whatever is about to happen to your job or just did.  Mike and Lee offer a Career Incident Response series on audio – just sign-up and they will let you know when a new one is available.

One piece of advice they give is to keep up with your own security blogging efforts.  I know I’ve been lax, especially last year, but have vowed to work on mine weekly and to try hard to find something worthwhile to say.  A principal benefit to the job seeker is that potential employers can see how you communicate and what your range of interests are.  I have this blog linked from my LinkedIn page and am working on other links to it as it grows.  Good advice here!

A while back, I found a site full of interesting links and tools for web workers.  Much of WebWorkerDaily is geared towards web designers, freelance writers, etc., but there is some seriously helpful stuff and you can get a daily email chock full of new neatness; Bill sez check ’em out!

Later friends…

One of the main reasons I love information security is that there’s always something new to learn, or re-learn.  I got started around 2001 when, working as a systems manager with a db full of SSNs, realized I needed to know more about breaking into my systems if I was going to defend them.  This led to some serious SANS Institute training, earning my CISSP cert, and having a great time swimming in a sea of knowledge!

So what do I do to keep up?  I read and re-read the monthly ISSA journals, Secure Computing magazine, Information Security magazine, and the ISC2.org Journal of Information Security.  I joined ISACA earlier this year, so am adding their publications to my nightstand.  There are various and sundry email subscriptions like SearchSecurity, TechTarget, and Shadowserver.  The Association for Computing Machinery journal arrives quarterly.

As part of my ongoing gap-analysis and searching for a new safe harbor, I work on learning more about my profession and focus on certain elements in it.  Among them:

Books I’ve been reading:

The first book is by Fyodor himself, so I had to give it a read and use it as a desktop reference.  The second is by Ed Skoudis & Tom Liston; I’d read it a few years ago, but turn to it for refreshers.

Then there are blogs!  Some of my favorites are:

I think if I don’t make time to keep reading and doing, I’ll fall behind – our industry is still young and growing fast as the threat horizons expand.  It’s hard to keep up, but I’m tryin’…

Peace y’all.

RSA 2009 Redux

I was quite fortunate to attend this year’s RSA Conference.   I applied for, and was awarded one of the 24 ISC2.org scholarships to attend, so with that support, it was off to San Francisco for the week.

Like my last two years at RSA, what a fabulous experience it is!  If you aren’t a good networker though, it can be intimidating; the size of Moscone Center and the scope of it all are a bit of a head-rush.

I spent my time mostly between the Professional Development and Hacker Techniques sessions, with some time at the Innovation Sandbox, Crypto Commons and Peer2Peer sessions.

At the Innovation Sandbox, I ran into Dr. Hugh Thompson before his whiteboard session.  Hugh has opened the closing keynotes the past few years with his hilarious and informative ‘The Hugh Thompson Show’.  After the IS presentations by innovative new companies, I saw him again and chatted him up.  We agreed to get together later in the week and cognate together, visit, hang, etc.  Hugh was very gracious and gave me an hour of his time, sharing career growth insights, humorous anecdotes, and some ‘wisdom of the ages’.  We also LinkedIn.

I also ran into some of the local Seattle area security folks, which was cool, including David Matthews (City of Seattle), Frank Simorjay (Microsoft), and Dan Kaminsky from IOActive.

My favorite session presentation was Ed Skoudis and Johannes Ullrich’s ‘The Seven Most Dangerous New Attack Techniques, and What’s Coming Next’: Pass-the-Hash, Super-flexible Pivoting, Wireless from compromised client into corporate, Problems with SSL, and VoIP systems among others.  I can’t wait to listen to the session recordings because it was SRO in the room and hard to take notes from the balcony…

I ran into Ed again at the CodeBreakers Bash and we chatted for a bit.  He’s always very approachable and open.  In 2004, I took his Incident Handling and Hacker Techniques course from the SANS Institute and loved it.

I spent some good time cruising the exhibition floor during lunchtime, vast and crowded.  The swag was tempting, but too much to tote back, so ‘travel lightly’ is always good advice at trade shows…  I did visit with some nice recruiters and focused a bit on GRC software vendors.

The first full day of the conference, it was 93 degrees Fahrenheit outside!  To quote from ‘Young Frankenstein’, that’s ‘Abby-Normal’ for S.F. in April.

Some have said that this year, RSA lacked sustenance.  I enjoyed it though.  The opening keynotes were a bit humdrum compared to past years, except for the Cryptographers Panel and Lieutenant General Keith B. Alexander from the NSA.  Melissa Hathaway on Wednesday looked at her notes and talked to us like we were members of the Press Corps – the general reaction I heard was like, ‘Lady, we’re smart security geeks, not journalists.  We don’t need to know that the Administration has been planning to do stuff, just tell US what it is!’ Yawners.

James Bamford’s talk on the NSA was very good.

The opening number rocked!

NB – open the keynote webcast page, then select Opening Ceremony, View Video Webcast, Opening Ceremony Performance