Some friends of mine were recently speaking on a cyber security panel at a non-computer-geek conference. While they got a higher than expected number of attendees, it was still lower than they would have liked. While watching some of the other panelists crash, burn, and then bury themselves at the center of the earth, they came up with a list of pointers for making cyber security talks more palatable, based on specific failures they saw (whether humorous or serious). They were off-the-cuff, but I thought they made up a good list. This is part 1. Comments? Thoughts? Additions? :)
- Talking over your audience’s head is mean. No one cares how smart you are unless you can make them just as smart on your topic in 20 minutes or less.
- Speaking of 20 minutes. Stay on the time clock. Wasting 15 minutes of someone else’s time is presumptuous and rude.
- Having a Slide Extravaganza doesn’t make you a good presenter. Slides are talking points, nothing more. By the 98th slide, your audience will hate you.
- Engage. If people opt to read their horoscope on their l33t Droids rather than watching you in person, your presentation sucks.
- Tone. If you have a terrible voice, amplifying it on a microphone is just plain mean. Record yourself ahead of time and listen to it. Adjust accordingly.
- Hair Matters.
- Thanking everyone for thanking the thank you people gets redundant. Appreciation is one thing, but it’s not the Academy Awards.
- Pick one point. Maybe two. Not 438. Your audience is not Neo. They will not be able to learn Kung Fu.
- Relevance. Know the audience and have a backup plan if no one can relate to what you’re talking about. Otherwise, you’re just filling space.
- Smile. If it’s supposed to be a joke and you frown, your audience might not get the cue to laugh.
- If you smile while you make a joke, and the audience still doesn’t laugh, see “know the audience” (or “talking over your audience’s head”).
- Look nice. There are enough cave trolls in the audience. Give people something better to look at.
- Be a wingman. If one of your colleagues is getting ogled by the above-mentioned cave troll, be sure to intervene on her behalf. Especially if the cave troll is of unspecified gender.
- Don’t let friends sit in the back row and make you laugh unless they’re part of your shtick. Especially on a panel when it’s not your turn.
- Bring pillows. If you’re going to put people to sleep, they may as well be comfortable.
Well, I’ve been waiting awhile to be able to write this (see future post). Finally, I can:
It’s always interesting dealing with the somewhat schizophrenic nature of government messaging. While I understand the constraints, the risks, and the realities of trying to run a free-for-the-private-sector service that actually DOES something in the government, it was always a little disheartening to hear (or read) people suggest that the government wasn’t doing anything about some of our cyber security problems, that it didn’t have the services available, or “Well, I heard DHS started ICS-CERT, but I think they shut it down?” And, with the media so often just not getting it, and people so often not doing basic research, this happened more frequently than it should. So, now that I’m in the role of customer here (and not on the floor there), I can finally say:
If you’re an asset owner, a vendor, a service provider, a customer, or otherwise a stakeholder in private sector or government critical infrastructure / key resources, you should be aware of CSSP and ICS-CERT (ICS-CERT has been functioning, in its current form, since earlier this year).
To start with: The Control Systems Security Program (CSSP) is an offering out of Homeland Security which:
“attempts to…reduce industrial control system risks within and across all critical infrastructure and key resource sectors by coordinating efforts among federal, state, local, and tribal governments, as well as industrial control systems owners, operators and vendors. The CSSP coordinates activities to reduce the likelihood of success and severity of impact of a cyber attack against critical infrastructure control systems through risk-mitigation activities.”
This includes providing a FREE cyber security assessment tool, onsite assessment visits, and the well-run Industrial Control Systems Joint Working Group (ICSJWG) and its associated conferences. CSSP also provides a variety of free training in Control Systems Security, both locally in DC and, for its hands-on Red/Blue Team training, in Idaho Falls.
Then, providing a tactical operational arm to the more strategic CSSP, ICS-CERT is a fully functioning free CERT service for your CIKR organizations. ICS-CERT will, as part of its mission:
- Provide onsite fly-away technical incident response
- Perform digital media analysis on media potentially affected by an incident
- Coordinate the responsible release of vulnerabilities (involving third party researchers, vendors, etc.)
- Provide timely situational awareness
- Coordinate national response, via its seats in the National Cybersecurity Communications and Integration Center (NCCIC), with US-CERT, NCC, Law Enforcement, and other organizations.
All you have to do, basically, is ask. They’ve assisted, during my tenure, quite a few organizations, large and small, and continue to do so.
(Importantly, ICS-CERT has neither a law-enforcement NOR a regulatory function. Their mission is to assist you in defending yourselves and responding to incidents. Your data is, and remains, yours, in any interaction with them.)
And you thought the government doesn’t do anything for cyber security :)
To contact ICS-CERT:
- Call the ICS-CERT Watch Floor: 1-877-776-7585
- Email regarding ICS related cyber activity: email@example.com
Their website is: http://ics-cert.org
So I was sitting with a group of people recently – experts, as it were – discussing “bad things on the internet”. Someone turned over his shoulder back towards us and asked “So, what exactly is a 0day?” In context, he was asking “Where does the term come from” because, in the conversation, it was being used to describe some exploits that we, as the “good guys”, all knew about – and had for some time. The answer he got disturbed me a bit: “Exploits and vulnerabilities that have not been patched.”
What gives? 0days/0-days/zero days used to mean (generally speaking) those exploits of which neither the vendor nor the “good guys” knew anything about. I.e., “zero days” had passed since a solution -could have- begun being developed. I like About.com’s phrasing:
“A zero day exploit is when the exploit for the vulnerability is created before, or on the same day as the vulnerability is learned about by the vendor.”
A flaw that the vendor and the response community have known about for months but which the vendor hasn’t addressed is NOT a 0day; it’s an unpatched problem :P (There are cases where the time from the issue becoming known until the vendor patched it has exceeded a decade.)
I’m trying to figure out how we got to this perceived definition, and I wonder if it’s our refusal to come to grips with the fact that there are hundreds/thousands of security flaws running around out there that “the bad guys” know about (and use) that the “good guys” don’t have a clue about. We run around patching things as if reducing the time it takes to patch systems to near-zero would somehow make us measurably more secure.
If we just write the truly severe part of the vulnerability window, where there are vulnerabilities and exploits we don’t know about, out of our language/definitions, it won’t exist, right?
Say you want to buy a car to take your 5 kids and spouse around town. Now, suppose you start looking for a good, safe van with low gas mileage that fits the whole family and is relatively cheap. $20k? sure. Ok, now what if you go out to buy this van….but oh no! All you can find are corvette dealers selling $100,000 cars!!!
Would you buy a corvette? Hells no. You’d wait until you found something that met your minimum requirements: moving the family around. If you got the vette, you would have gotten something that, even if it fit “some” of your requirements (moving some people around), doesn’t fit enough of them to actually solve the problem. Furthermore, if you did get the vette, you probably wouldn’t be able to afford the van, so your problem would go on even longer than if you hadn’t gotten the corvette.
Welcome to the kind of security that says “we should do more of what we’ve been doing, even though we know the architectures don’t work…because something is better than nothing.” We can’t continue to add on layer after layer of security at ever increasing cost when no number of those layers, as modeled today, will ever get us to a comfortable place. Getting owned by X% fewer people is still getting owned and doesn’t really change your risk profile unless X is a much bigger number than today’s most common best practices get us.
Nothing is ever perfect, so I’m not suggesting no one should take action until they find a perfect solution. Rather, I’m suggesting we all take a close look at our solution sets, look at how good they’re ever going to get at the end of the day, and make decisions appropriately. When selecting a “50%” solution architecture for $Y, don’t get caught thinking $Y x 2 will get you a 100% solution with the same architecture :)
I normally don’t have much to say here about my day job (partly why you’ve seen more of a focus on art), but I thought (since I’d previously been linking to the DHS Control Systems Security Program pages) that it was worth mentioning that ICS-CERT has its own website these days: http://ics-cert.org
Take a look at it if you’re in the control systems / SCADA and security/emergency space (particularly, but not only, with regard to cyber).
Edit/Update: Now that I’m no longer there, I do have a brief take on the subject and a summary of information HERE