30 March, 2007
29 March, 2007
Basically they said, "What the heck are you talking about?"
It was part of a discussion I had with a counterpart and I thought it was a great quote.
Now I am going to say something a bit odd. "Transforming Negligence to Non-Compliance" is not a bad thing. It is a good thing and one of the only ways to get things rolling in an organization that is truly out of touch with its security risk profile.
Think of it as several stages of organizational growth.
Perhaps a counterpart to Grossman's 5 stages of security grief.
It is just a nascent thought process for me, so if anyone wants to expound on it or make it better, feel free; I'll be happy to point to you.
So here are the first few steps.
"Security by Self Delusion" - institutional practices and political momentum make it virtually impossible to point out real security risks.
"Lethargic Negligence" - the problem is just too big to address; for every fire I put out a dozen pop up. This isn't always intentional negligence (though for some people [mostly comfortable managers] it might be) but it always stands in the way of needed changes.
Transformation from Negligence to True Non-Compliance - This comes from a realization that something must be done, and from taking the responsibility for acknowledging that fact at a senior organizational level.
Maturing from Compliance to True Security - This stage is necessary if you ever want to prevent slipping all the way back to "Security by Self Delusion".
Proactive risk management - The actual practice of identifying true business concerns and risks of impacts and placing true security around them.
Any organization cycles through these at one time or another. Usually they are at slightly different stages for different parts of their security architecture as a whole. Their firewalls might be good but their OS and application security is crap, or their OS and app security is fine but the linkage between their business controls and their IT SoD is crap. The worst organizations will institutionalize the Self Delusion model and actually swear and sign off that everything is fine. After all, "I have a Policy for that".
So how do you move up? I imagine it is a bit different for every organization. It will always involve some politics. As a matter of fact, if you wanted to, you might be able to call these the "political layers of info security".
The key to moving beyond "Security by Self Delusion" is visibility. True visibility, not the pseudo-transparency provided by 20,000 pages of attestation saying "yea, we have a policy for that". True visibility is gained by actually identifying what is open in your firewalls, how good or bad your patching process is not just on the "managed" machines but on all of the ones connected to your network, as well as dozens of other specific facts. Get the whole picture, then draw conclusions. Let's be honest here: FUD might not be totally out of place if things are bad enough and it is based on facts. You achieve this by actually having the guts to run vulnerability scans, pen tests and even things as simple as port scans. If your organization is so resistant to transparency that they won't allow that, how about a honeypot and some open sniffers? Outbound IDSs might help as well.
I know there is a lot of talk about how vuln scans are not of value or IDSs are useless. That might be partially true in a healthy security environment, or in one where IPS or even stronger protections are in place, but if your organization is mired in the "Security by Self Delusion" mode they serve as one potential way beyond it.
So what happens when senior management finally realizes that they have a problem, and not just one but an entire systemic failure? Well, denial, despondence, anger, blame: all of the not-so-fun reactions. Yes, they often shoot the messenger. I am not able to tell anyone how to maneuver around these. What I will say is that if you have the facts and avoid placing individual blame (which can be really hard if it is justified, especially if someone is intentionally obfuscating issues) you can probably survive the series of backlashes. At this point the best bet is a series of tactical solutions that provide strategic benefit: gain control (indirectly) of the firewall and IPS rulesets, facilitate cross-system visibility, HIPS, identification of critical data, ... Every organisation will have different tactical needs, but pick a few and fix them as best you can.
Now comes the tricky part. The gut reaction of senior management will be to say "Great, we're OK. Now let's move on to more important things." That is fine to an extent; after all, the real business of IT is to facilitate the real business. But you also have to put structure in place to maintain and improve the other real issues that didn't seem as painful but might very well carry more risk. You have to put in place a Governance and Policy structure that actually has some teeth but doesn't cripple the company. This is where you start transforming Negligence to Non-Compliance.
I am going to have to try to finish this tomorrow.
28 March, 2007
27 March, 2007
23 March, 2007
21 March, 2007
I wonder how well the data will balance against the payout information. It strikes me that a "mistake" on unrecoverable data like this would be an ideal way to cover the loss of quite a bit of money.
This would certainly qualify as a material deficiency in SOX speak, at least in some attestations I have seen. Good thing it is a government; if it were a company, the entire executive team would be hauled before a Congressional subcommittee and sent to jail. So who is that here? The Governor and staff? Somehow I doubt that anything like that will happen here, though. Of course it shouldn't happen. It probably is a mistake, but it does show how SOA requirements could be misinterpreted.
20 March, 2007
NT 4.0? "Deterministic, hard real-time operating system"? Huh? "The PLC is fundamentally a box or computer with a processor. "???
The article is dated March 2007 but if this is recent and a legit take then it shows exactly what we have to worry about, albeit unintentionally.
Don't get me wrong, there is a place in many industries for properly developed "PC based" systems (whether Windows, Linux or another OS) to directly control processes, but I have to wonder if the author of this ever developed and implemented a truly complex integrated control environment.
Woefully uninformed and simplistic.
I have to assume this was written years ago and just dug up or perhaps relabeled. If so it shows how we got to where we are from a security perspective in the SCADA and DCS world. If not it shows very well how far we have to go.
It really gives a good glance at the state of censorship on the web. There are a lot of gaps; all of the blank countries make it look like there is a lot of data that they still need to gather, but it seems pretty neutral in terms of who is getting the finger pointed at.
I will say that they are very absolute in terms of mentioning any form of stopping traffic. I am an enthusiastic supporter of free speech on the Internet, but I also want some level of protection for my children when they are on publicly supplied computers. I know that all filtering mechanisms are flawed, but I am sure that most libraries and universities would be willing to turn off the filter if someone is doing research on breast cancer, or even something that might be questionable, provided they are an adult. Also, I am not aware of any coordinated effort in the US or Canada to actively block sites unless it involves minors.
I also noticed that political hacking seemed to be counted as censorship in some instances but not others. I would like to see the criteria that were used to elevate it to the level of mention. There were certainly instances within the US of attacks on sites specifically because of what they said. These instances include attacks on political sites that were not mentioned. Perhaps it would be best to focus on government-initiated censorship unless the attacks are particularly egregious.
It is striking how significant the documented censorship is in some countries.
All in all an interesting site.
19 March, 2007
Of course, if I were the first class passenger I would hope I would be a bit more sympathetic. I like BA, probably one of my favorite airlines, so even though it would have creeped me out I wouldn't dump them in the future.
I have mentioned it before in a post about fuzzing but he has even more detail now.
I am not sure where the project is going now that Eric is no longer directly in the picture, but I am sure that, properly integrated into a testing regimen, it will be quite beneficial. (Correct me if I am wrong here; he might still be doing stuff I don't know about, as I have been out of that loop.)
16 March, 2007
It is possible that this incident was an irregularity in the way it was handled both from Sony customer service and from Service Net but the way the calls and questions seemed scripted and the excuses that were provided to me imply otherwise. Obviously what follows is my opinion but it is an opinion based on my experience dealing with them.
My attempts at escalating the issues within the call trees and even directly with the people I was able to get on the phone met consistently with dead ends. I am convinced that their business model is to receive a cut of the extended warranty money and then do whatever they can to not provide any service that costs them money. If that means that they make excuses and refuse to escalate to the decision makers within the standard contact paths then so be it. I wouldn't even be surprised if the CS people on the phone are compensated based on how many calls they handle without incurring additional expense to Service Net. Their choice of questions asked and manner of interpreting them implies to me that their primary focus is to use semantics to get out of meeting their contractual obligations. The fact that they have such prominence on an "adjudication" group at their web site implies to me that they place more focus on shirking responsibility than fixing customer issues.
I bought this laptop in a store and purchased the ~$500 extended warranty with accidental damage coverage because I wanted the additional protection that I mistakenly thought it offered. For that matter, the entire reason I spent the premium on a Sony laptop instead of saving the money and going with another company was because I believed I would have better service. I have 6 kids, and it was not unreasonable to assume that some significant accident would happen to it over the course of 3 years, so the accident insurance would have made sense if it was reasonable to expect it would be honored. In the end, even when all I wanted fixed was a $5 to $20 part, they tried to weasel out of that and used the fact that they were two separate entities to redirect responsibility (or at least make the call short).
It wasn't until I put up a blog post and got dozens of hits from addresses in Japan that I got any semblance of help. Shortly after that I got contacted and the issue was taken seriously. The address I got contacted at was my blog email address and not the one I left several times with the various customer service people we called. You'll have to forgive me if I have trouble believing the issue would have been satisfactorily resolved without the blog. So I guess blogging is the real hero here.
So, for some productive advice: I have run successful service centers before, so perhaps they should listen.
If I were a manager at Service Net I would:
- Make sure there is a clear escalation path for customer complaints that is known to the call center people.
- Make sure that before any possibly disgruntled customer gets off their first phone call, they know what that path is.
- Never let customers be told in a service call that there is no further point of contact beyond the person speaking, especially if they have only spoken to two people and neither of them could resolve the issue.
- Add a process at the end of all calls where the customer is asked if their needs and expectations were met, and if the answer is no, have someone contact them the next day.
- Make sure Customer Service Reps do not provide contradictory information during the call or provide multiple different reasons for disapproval (which happen to sound like grasping at straws to avoid work).
- Increase training for the Customer Service team and the management team that runs them.
- Extensively audit customer calls for the last several months to determine if this is systemic or just an irregularity.
- If the audits show it was an irregularity, contact the customers that were affected and apologise (both the client companies and direct customers).
- If it is systemic, have a massive overhaul.
Then again the focus of my call centers was actual customer service and not limitation of liability so perhaps they don't really need to listen.
If I were a company that was trusting in Service Net to provide customer service for me I would:
Quick note here: this company services many customer service accounts including Dell, CDW, Fujitsu, Sirius, Toshiba and several others. It is possible that customer service problems with any of these companies are due to this one source.
- Request a log of all calls related to my account for the last three months, then call and ask the customers if they were happy with their service.
- Randomly perform customer service test calls to ensure they properly treat customers who view them as supporting my (the calling company's) brand.
- Audit their practices and books associated with the account.
If I were a customer I wouldn't bother to buy extended warranties or accidental coverage. Here is why.
The other day on my drive in (1 hour+ each direction) I added up all of the Sony products I have purchased in the last few years: 2 large flat screen TVs (50-something and 40-something inches), one wall-hanging LCD TV, a stereo, three small TVs, 2 PSPs, a DVD player and my laptop. All in all close to $20,000. I am not sure how much of that money went to extended warranties. My guess is close to $2000, perhaps more.
Next time I will just put that $500 in savings. Over time I will clearly be better off.
In any case I will probably never willingly or directly buy a Sony product again unless it is truly needed and there is no other vendor. I certainly won't buy their extended warranty. I am certain that at dinner conversations over the year I will be happy to talk about how crappy their customer service is as well so perhaps the lost revenue won't be limited to me. Yes I will try to make it funny and not angst filled. No use ruining dinner.
So now I am done. I don't intend to bring this up again unless something else bad happens. Blogging should pick back up over the next few days until I am back to normal.
12 March, 2007
09 March, 2007
08 March, 2007
07 March, 2007
Via Molten Eagle
Unfortunately the real threat from the Iranian theocracy has nothing to do with its Navy (if we could only be so lucky).
The real threat is that by using a nuclear weapon as a deterrent to retaliation (either economic or military) they can extend and increase their funding of terrorism with impunity. Unlike the terrorism of Anarchism (with a big A from the late 1800's and early 1900's) or even the terrorism of the IRA the Iranian terrorism has a realistically achievable goal (indeed it has been quite effective in Lebanon). That goal is the Dhimmification of non Muslim countries and reduction in prominence of non Shia Islamic Theocracies relative to Iran itself. If we (Europe and the US) are lucky the latter will take precedence but I wouldn't count on it. Both of these processes have already started even without the bomb as a deterrent to retaliation. They will only escalate (substantially) if they publicly get the bomb (it is remotely possible that they already have it which is why the kid gloves are on).
Europeans will be at the greatest risk in terms of substantial change to their existing environment in this scenario. With their large and demographically monolithic Islamic communities they are ideal breeding grounds for this kind of strategy. At this point these communities lean toward other regional variants of the belief system, but I suspect that would change if Iran's actions were less restricted. Even without specific belief changes (which are unlikely), alliances, actions (in the form of increased aggression toward the European indigenous population) and meme systems can change. In many cases Europeans are already being forced to alter their liberal belief systems to avoid violence or the threat of violence. Imagine if they didn't have the ability to stop funding and intentional state action that was intended to facilitate this violence. The tilt point isn't that far away, so something has to be done soon or the only two alternatives are extreme levels of violence or functional Dhimmi status (probably coupled with extreme violence to maintain it).
Obviously other countries in the region with Iran are also at great risk. I am somewhat surprised they are not taking fairly aggressive action right now. They are clearly the most likely to be subject to aggressive military and terror-funded actions. Indeed some of them, such as Lebanon, already are, and frankly are losing the battle.
Until recently, countries that achieved nuclear weapons have to a certain extent become more mature in their actions. They were less likely to go to open war with their neighbors, they began reining back their clandestine activities (especially with other nuclear powers) and in general they have behaved in a more globally mature fashion. I don't know if this is part of MAD or if it is just the ultimate realization of the terrible possibilities and responsibilities attendant with nuclear weapons, but it does seem to be true. Although I wouldn't have predicted it, this has even occurred with India and Pakistan. Unfortunately, even with the maturity and sophistication of the Persian society as a whole, with its current leadership I think this pattern is very unlikely in Iran.
Now that I think of it, leadership might be the key. Russia, the US, France and China have all had periods of aggression as a nuclear power, even if that aggression might have been muted compared to pre-nuclear levels. Right now the political and theocratic leadership in Iran does not inspire me with confidence in their ability to be mature.
The real question is what are the regional powers and European powers (who are at the most risk) going to do about it. The US has chosen to trade (intentionally or not) military strategic advantage (in the form of ownership of the crossroads in Iraq) for political strategic advantage so we are now unable to realistically respond to the threat. Sun Tzu says that seizing the remote crossroads is best done politically so perhaps this was an error. On the other hand we are not one of the countries at greatest risk of a true loss of our identity here.
I suppose we will see how this will play out.
Sorry for the depressing start of the day.
06 March, 2007
I imagine that parts of this quote could apply to many companies.
"This was the first time that my activities uncovered evidence that entities outside Sandia were compromised, and data was being stolen. They were not willing to contact the proper authorities because outside law enforcement would certainly inquire about how the data was obtained -- bringing unwelcome scrutiny upon Sandia."
Fortunately, until recently I had never worked at one. Now that I have, I can see the consternation it causes throughout the organization.
To a certain extent this is the ultimate end point of the "Compliance"-centric security management model. Organizations that are very good at "Security by Self-Delusion" may not even have problems with external audit (though internal audit often knows [or at least suspects] the truth). After all, they are very good at filling out paperwork and forcing their employees to perform onerous tasks with "Security" as the primary reason for the task. It is also common for the average user to have virtually no control over their computing environment at all, causing near complete cessation of information-based innovation within the business itself. That is as likely or more likely to be fatal to a company than any security breach.
Now I will admit that the Sandia case is quite a bit greyer than it might seem. The employee was actually engaged in "Hacking" of some sort, and there were probably cases where he could have gotten caught and caused problems for Lockheed completely separate from the issues they were trying to cover up. Without knowing exactly what he did to chase down the data path, it is even possible that some of his actions were illegal. Any company would be justified in stopping illegal activities, but it appears that the interest in his actions was not in the initial activities but in his subsequent work with the FBI.
I am sure that it is rare for most organizations to have to decide between letting an employee go for actively hacking external entities or for covering up internal security failures. It is not, however, uncommon for them to have conflicts over disclosing internal security failures in other ways. Indeed, it is often politically difficult within an organization to facilitate honest transparency of security issues. At what point does one have to decide whether their organization is deliberately deciding not to look at internal issues, as opposed to trying to save money, or even institutional incompetence? I have to confess that I don't know where that line is. I am inclined to agree with one of my co-workers when he repeats the quote "never assign to malice that which can be attributed to negligence", but when does it not matter?
Well enough of this complaining, back to real work.
That is if they will let me do it.
05 March, 2007
01 March, 2007
Started with Rush Red Barchetta
Three Doors Down
Nine Inch Nails
Then, to end it off, Lord of the Dance by Dan Tymenski (sp?)
I hadn't heard the last one in a while, and I am not sure I have ever heard it on the radio before.
I am the heart he is the heartbeat
I am the eyes he is the sight.
I move my feet I go through the motion but he gives purpose to chance
Nice way to start the day.