DLP and Business Needs

Well it’s been a while and I wanted to write an entry about something that I’ve been dealing with lately: Data Leak Prevention, or DLP.

Most non-IT people know about DLP only when the IT organization contacts them to let them know they did something they shouldn’t have. For those of us that have to deal with the policies, the alerts, and sending those notices, it can be more complicated. You start with crafting the policies based on corporate standards, other organization requests, and maybe some good ideas. The alerts start coming through, and you take action where appropriate.

The issues start when something triggers an alert-only policy, you notify the appropriate group, and they ask “well, why was this not blocked?”. You begin to explain which policies only monitor and which ones block. You try to explain that you can’t block everything; the business still needs to get work done! An example: you block a Word document from being sent out of the company. Someone takes that document, scans it to create a .tif file, and sends that out. The content inspection that matched the text inside the document sees nothing in an image, so the scan goes through, and the other organizations that don’t understand the technology will expect that file to be blocked as well: “Well, it’s the same document!” Other issues can arise if someone is authorized to use USB devices, but you’re expected to block them from taking specific data that you’re notified about after the fact.

Like other security solutions, “Data Leak Prevention” does not live up to its name perfectly. The business expects DLP to work flawlessly, and as those of us in the infosec community know, there is always a way around any restriction. Implementing DLP requires someone who understands the business needs to set up the policies and tune them as appropriate. It also requires someone to monitor the alerts and either send a notification, escalate as appropriate, or update policies to catch something that was not getting the visibility it should. What can be the most difficult is translating this process for business customers who tell us what they want to see or know about.
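The .tif case above is the gap between what a content-inspection policy can see and what the business thinks it asked for. As an added example (not from this post, and not any vendor’s rule engine), here is a small policy evaluator in Python with the two policy types the text describes, alert-only and block, run over constructed sample files. The policy names, patterns, file names and sample documents are all invented for illustration. The same card number that blocks the text document passes straight through when it arrives as a TIFF, because the extractor yields no text from an image and this example has no OCR stage; products that add OCR or document fingerprinting close part of that gap, not all of it.

```python
import re
from dataclasses import dataclass
from enum import Enum
from typing import Callable, Dict, List, Optional, Tuple


class Action(Enum):
    MONITOR = "monitor"   # alert only: record the event, let the transfer through
    BLOCK = "block"       # stop the transfer and alert


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, so a 16-digit serial number does not trip the card policy."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass(frozen=True)
class Policy:
    name: str
    pattern: re.Pattern
    action: Action
    validate: Optional[Callable[[str], bool]] = None  # extra check on each regex hit

    def hits(self, text: str) -> int:
        count = 0
        for m in self.pattern.finditer(text):
            digits = re.sub(r"\D", "", m.group(0))
            if self.validate is None or self.validate(digits):
                count += 1
        return count


# Two hypothetical policies, not taken from any product's rule set.
POLICIES: List[Policy] = [
    Policy("PAN-in-clear", re.compile(r"\b(?:\d[ -]?){13,16}\b"), Action.BLOCK, luhn_ok),
    Policy("Confidential-marker", re.compile(r"\bCONFIDENTIAL\b"), Action.MONITOR),
]


def extract_text(filename: str, payload: bytes) -> Optional[str]:
    """Stand-in for the DLP agent's content extractor.  Real agents parse Office,
    PDF and archive formats; this example only understands plain text.  A scanned
    image has no text layer, so without an OCR stage nothing comes out of it."""
    if filename.lower().endswith(".txt"):
        return payload.decode("utf-8", errors="replace")
    if payload[:4] in (b"II*\x00", b"MM\x00*"):   # TIFF magic, little/big endian
        return None
    return None


def evaluate(filename: str, payload: bytes,
             policies: List[Policy] = POLICIES) -> Dict[str, object]:
    """Run every policy over the extracted text and combine the actions:
    one BLOCK hit blocks; MONITOR-only hits raise an alert but let it through."""
    text = extract_text(filename, payload)
    if text is None:
        return {"decision": "ALLOW", "alerts": [],
                "reason": "no extractable text (no OCR stage configured)"}
    alerts: List[Tuple[str, int, str]] = []
    for p in policies:
        n = p.hits(text)
        if n:
            alerts.append((p.name, n, p.action.value))
    if any(a == Action.BLOCK.value for _, _, a in alerts):
        decision = "BLOCK"
    elif alerts:
        decision = "ALERT"
    else:
        decision = "ALLOW"
    return {"decision": decision, "alerts": alerts, "reason": "content inspected"}


# Constructed samples: the "Word document" as its extracted text, a scan of the
# same page as a TIFF with no text layer, and a memo that only carries the marker.
CUSTOMER_LIST = (
    "Quarterly customer list\n"
    "CONFIDENTIAL\n"
    "ACME Corp card on file: 4111 1111 1111 1111\n"
    "Printer serial 1234 5678 9012 3456\n"
).encode()
SCANNED_TIFF = b"II*\x00\x08\x00\x00\x00" + bytes(64)   # header only; pixels omitted
MEMO = b"CONFIDENTIAL\nLunch is at noon.\n"

if __name__ == "__main__":
    for name, data in [("customer_list.txt", CUSTOMER_LIST),
                       ("customer_list.tif", SCANNED_TIFF),
                       ("memo.txt", MEMO)]:
        print(name, evaluate(name, data))
```

Run it and the three decisions come out as BLOCK, ALLOW and ALERT. The Luhn validator is the practitioner’s touch: the printer serial in the same document has 16 digits but fails the checksum, so it does not raise a second PAN hit. The memo shows the other half of the conversation in the text: the marker alone is on a monitor policy, so it alerts and is allowed, which is exactly when someone asks why it was not blocked.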

Has anyone had any success explaining the nuances of DLP software to the business? If so please note and share some suggestions.

Security Job Titles Revisited

So I had another thought along the lines of Security Job Titles. I threw out a tweet regarding the “Team Lead” title. There are a number of people that I’ve discussed this with at my day job and the opinions varied between a manager-in-training and the most technical person on the team. While I think my coworkers are pretty knowledgeable, they don’t necessarily know what goes on outside our company, so I thought I’d ask what others thought: “Team lead: top techy on the team or manager in training…and why?” Here are a few of the answers I’ve gotten from followers on Twitter:

While they left off the “…and why?”, I can understand the line of thinking. Others were definitely in a similar mindset but provided some additional detail:

  • @securityninja – “For us it is generally management as well as lead techy, we are line managers for the team and all others in it”

Two people came close to what I would assume when someone tells me that they are the “Team lead”:

  • @rogueclown – “manager in training. i’m surely biased, but i’d still like to spend my time dealing with cranky computers, not managing people.”
  • @georgiaweidman – “id say the one with the best skills for managing regardless of whether job title is tech or business side. case by case basis”

There were also those that pointed out that someone else shouldn’t choose for the individual and I completely agree:

  • @jjarmoc – “either, sometimes both. But forcing good techies into management roles is often a mistake.”
  • @DSchwartzberg – “I believe it’s up to the individual. Why-because any role you take can be what you make of it. Criticism comes with the outcome”

I think that when it comes down to it, the title is going to vary based on the company. Some organizations may see it as the most technically capable person on that team, while others may see it as a mid-level management layer to keep the day-to-day operations going. One suggestion I can offer is to split the title in two: Tech Lead / Team Lead. One for the most seasoned/knowledgeable, the other for the area manager.

The one thing that I’m getting out of all this is that a job title can’t tell you what a person is capable of or what they do day-to-day. Leave me a note and tell me what you think. Are job titles a convoluted jumble of words or something you should fight for and own as part of your career?

Security Job Titles

I was seeing job postings the other day through one of my email blasts that I receive and it got me thinking. Who comes up with these job titles? When I worked for a small CPA firm and I was allowed to choose my own title, I chose “LAN Administrator”. It fit my job fairly well, I was responsible for the servers, the network, the PCs, etc. I moved to the helpdesk, and for a while I was a “Helpdesk Analyst”. A title that also makes complete sense. After a year or so though, HR decided to change our titles in IT. I got changed from the “Helpdesk Analyst” to a “Systems Software Engineer Analyst”. I had never engineered anything but a good case of loathing for users at that point.

When I moved to the Security Administration area, my title changed to a “Systems Software Engineer Specialist”. Again, complete and utter nonsense. I was a security administrator. Create accounts, grant rights, revoke rights, delete accounts, rinse, repeat. The only thing I was specializing in was creating copy/paste emails to send to users who were impatiently waiting to get Microsoft Visio.

Within a couple of years I got promoted to an “IT Security Specialist”. Hmm…ok, at least this is a little closer. We were no longer called “IT Security” but, working in Information Security, I at least had “security” in my title! Then HR comes in and says they are going to change things again. They were going to have “HR Titles” and “Internal Titles” because HR titles needed to match other jobs in the industry while our internal titles would more closely match what we actually do. I was skeptical and it turns out it was warranted. It took them until I was promoted again to finally take hold. My HR title became “IT Security Sr Specialist”, while my internal title became “Vulnerability Management Senior Specialist”. While I’m trying to get more into the Vulnerability arena, it’s a very small part of what I do. I still do governance of the Security Administration area, I do some vulnerability scans, some security awareness, and a host of other “who can we get to do this” tasks. Someone who is a level above me at our company is listed as an “IT Security Sr Tech Specialist”, yet my job is much more technical than that person’s.

I considered consulting our HR group on this issue but I didn’t think I would get very far, so I reached out to my friend @HackerHuntress and asked for her opinion on my confusion. She talks with job seekers as well as hiring managers on a daily basis. Her response cemented my opinion that job titles are really not geared towards what a user does and more on being able to gauge a salary band the user can fit into.

I asked her a couple of questions: whether she saw the title discrepancy and, if so, where; any tricks for our friends out there trying to find a job and decipher the job postings; and whether she thinks HR will ever get in the game and match titles to what we actually do. Her response was very informative in that she has seen the job title game played mostly at companies with internal security practices. (Think F-500 companies that do their own security but don’t do security as a service.) Her comment on this was “Most companies, though, go the ‘security specialist’ or ‘security analyst’ route. In my experience a security analyst can be anything from a firewall engineer to a QSA.” She doesn’t hold out any hope that HR will ever get to the point that they are lining up with what the security individual is doing because most don’t know what the user’s responsibilities even are.

On the topic of how to assist our friends still looking for jobs, she said to talk to recruiters & hiring managers. Getting as close to the person as you can who is doing the hiring will help you in determining what you are getting into at that company. You may be listed as the ‘Security Guru’ in a large company but if all you’re doing is making sure everyone is swiping their ID badge as they walk in, it may not be the job for you.

Secureholio
-Chief Cook & Bottle Washer

GrrCON & DerbyCon

Although this is quite late, I think I need to write a post on the amazing time that I had at GrrCON and DerbyCon.

Well I started out the long weekend with a trip up to the speaker dinner for GrrCON (They actually wanted me to present something! Joke was on them! 😉 hehe). Grand Rapids is around two hours from my house so it wasn’t a long trip to start. Dinner was good, and I had some good conversations with David Schwartzberg, Nick Percoco, and Rafal Los in addition to the organizers & presenters of the conference. What I was not aware of was that the person I was staying with that evening lived an hour outside of the Grand Rapids area. We didn’t leave the dinner until after midnight local time so sleep was hard to come by for the day of my talk.

When I got to GrrCON and finally downed enough coffee and sugar to stay alert the rest of the day, I proceeded to wander the floor. I spoke to a few vendors, said hi to some friends, and even caught a few talks before it was time for me to speak. My talk on Infosec Flameout seemed to go over well, and although I didn’t quite make the times that I did in practice sessions, I hit a respectable 17 minutes for a 25 min talk. This left time for some audience participation & questions, and there were quite a few great comments from some of the attendees. I was not only able to reconnect with some people I knew, but also to create some new friendships that have been really beneficial.

I took the lazy way out that evening and drove home to sleep in my own bed before heading down to Derby for the remainder of the weekend. The ~4 hour drive wasn’t too difficult and I was there in time for some of the talks on Friday evening. The two conferences also had some definite differences. Where GrrCON was held in a conference center and had a more traditional feel, DerbyCon felt more like a bunch of friends hanging out at a hotel. Derby also seemed a little more hectic because of the number of people in the setup at the hotel lobby.

The talks that I was able to catch at both events were pretty decent and I only walked out on one. I’ve listed each (except for the one I walked out on to protect the innocent) below if you want to watch them when they’re posted. Next year the organizers have also ensured that the two conferences are on different weekends so you can attend both. I will definitely be trying to go to both if possible. Guess that depends on if I can save enough pennies!

As I stated in my talk at GrrCON, networking with the community is incredibly important. You need to have friends, contacts, whatever you want to call them. They are invaluable for advice, help with finding a job, or just someone to bounce an idea off to see if you’re on the right track. So next time a conference is near you, get out there and get involved!

Talks at GrrCON:

  • House of Cards – How not to Collapse when Bad Things Happen – Rafal ‘Wh1t3Rabbit’ Los
  • Punch and Counter-punch with .Net Apps – J Wolfgang Goerlich
  • Mobile Attacks: What will the future bring? – Nick Percoco

Talks at DerbyCon:

  • Jayson E. Street – Securing the Internet: YOU’re doing it wrong (An INFOSEC Intervention)
  • James Arlen – Doubt – Deceit – Deficiency and Decency – a Decade of Disillusionment
  • Robert (Arch3Angel) Miller / Boris Sverdlik (JadedSecurity) / Rafal Los / Heather Pilkington / Krypt3ia – Bring your own doom or sane business decision
  • Michael Schearer – Flex your right constitution and political activism in the hacker community
  • Benjamin Mauch – Creating a powerful user defense against attackers
  • Boris – You Can’t Buy Security. Building an Open Sourced Information Security Program
  • Andy Cooper: Why Integgroll sucks at Python… And you can too
  • Chris Jenks: Intro to Linux system hardening

How I learned about file encryption

So a week or more ago I mentioned on Twitter that I would tell the story of the horrible encryption failure I had when I first found out how to encrypt data. When I first moved into Information Security years ago, I learned that you could encrypt data and no one would be able to view it without the key.

So I was running Windows XP at the time and I decided to play with the Windows EFS on my home machine. I encrypted my local “personal data” folder, and moved it off to secondary storage.  I was able to view it, open it, move it back and forth, etc. The time came to reload my machine. I was careful to move and verify all my data on the secondary storage, verified I could access it, open it, etc.

I proceeded to DBAN the local drive, reload the OS, install the applications, and when the time came to move the data over, I couldn’t open it. I thought “Hmm…that’s odd…” I proceeded to try to re-copy the data over to the local drive, and check a few of the attributes of the file before realizing that I had encrypted the files before moving them. I had moved them to an NTFS drive, which meant the encryption stayed intact when I copied them to the external drive. I did my best google-fu to try to find any way to get this data back. The “personal data” contained family photos, my resume, web favorites, etc., so I was definitely not happy about losing it.

I even went so far as to ask a coworker to call in a favor to a friend at Microsoft. The reply was there was no backdoor/master key to get the data back again. I was learning a hard lesson in encryption really fast. Although I knew the passcode for the key, I was unable to retrieve the data. The good thing that it did was make me want to learn more about file encryption and what can/can’t be done with it.

I learned about file versus whole disk encryption, as well as where keys are stored. I also learned to be sure that no matter what, you move the keys if you’re going to wipe a drive! If I can offer anything to anyone about file encryption it would be to completely understand how it works before you play with live data when you have no other copy.
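What actually went wrong in the story above, for anyone who wants the mechanism: EFS encrypts each file with a random File Encryption Key (FEK), then wraps that FEK to the user’s EFS certificate and stores the wrapped copy with the file in its $EFS attribute (the Data Decryption Field). Copying to another NTFS volume carries both the ciphertext and the wrapped FEK along, which is why the external drive kept the encryption intact. The certificate’s private key, however, lives in the user profile on the OS volume. It is generated on first use and is not derived from the logon password, so a reinstall with the same username and password produces a fresh key that cannot unwrap anything, and a stand-alone Windows XP machine has no default recovery agent to fall back on. Before wiping, export the certificate with its private key to a .pfx (certmgr.msc, or `cipher /x` on versions that have it) and keep it somewhere other than the drive being wiped. The Python model below is an added example, not code from the post and not real EFS: it replaces the RSA wrap with a symmetric wrap and AES with a toy SHA-256 keystream, and the usernames, password and secret are constructed, but the key hierarchy and the two outcomes (wipe without and with a key export) are the point.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Optional


def _stream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 counter keystream).  It stands in for the block
    cipher step in real EFS; this model is about the key hierarchy, not the cipher."""
    out = bytearray()
    ctr = 0
    while len(out) < len(data):
        out += hashlib.sha256(key + ctr.to_bytes(8, "big")).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, out))


@dataclass
class UserProfile:
    """The EFS certificate and its private key are created on first use and kept
    in the user profile on the OS volume.  The logon password is not the key."""
    username: str
    password: str
    efs_private_key: bytes = field(default_factory=lambda: secrets.token_bytes(32))


@dataclass
class EfsFile:
    ciphertext: bytes
    wrapped_fek: bytes   # the DDF: per-file key wrapped to the owner's EFS key
    tag: bytes           # model-only integrity tag so a wrong key fails loudly


def efs_encrypt(owner: UserProfile, plaintext: bytes) -> EfsFile:
    fek = secrets.token_bytes(32)                       # fresh File Encryption Key
    ct = _stream_xor(fek, plaintext)
    return EfsFile(ct, _stream_xor(owner.efs_private_key, fek),
                   hmac.new(fek, ct, "sha256").digest())


def efs_decrypt(private_key: bytes, f: EfsFile) -> bytes:
    fek = _stream_xor(private_key, f.wrapped_fek)      # unwrap with whatever key we hold
    if not hmac.compare_digest(hmac.new(fek, f.ciphertext, "sha256").digest(), f.tag):
        raise ValueError("no usable EFS key for this file")
    return _stream_xor(fek, f.ciphertext)


def copy_to_volume(f: EfsFile, fs_type: str, private_key: bytes):
    """NTFS keeps the file encrypted and carries the DDF along with it; a copy to a
    non-NTFS volume is written in the clear (the copying user decrypts on the way)."""
    if fs_type.upper() == "NTFS":
        return f
    return efs_decrypt(private_key, f)


def export_key(profile: UserProfile) -> bytes:
    """Model of exporting the certificate and private key to a .pfx you keep
    somewhere other than the drive about to be wiped."""
    return profile.efs_private_key


SECRET = b"family photos, resume, browser favourites"   # constructed stand-in


def recover_after_wipe(exported_key_first: bool) -> Optional[bytes]:
    """Encrypt, copy to an external NTFS drive, wipe and reinstall, try to read."""
    me = UserProfile("me", "hunter2")                  # constructed user and password
    external = copy_to_volume(efs_encrypt(me, SECRET), "NTFS", me.efs_private_key)
    pfx = export_key(me) if exported_key_first else None
    # DBAN + reinstall: same username and password, brand-new profile, new EFS key
    me_again = UserProfile("me", "hunter2")
    key = pfx if pfx is not None else me_again.efs_private_key
    try:
        return efs_decrypt(key, external)
    except ValueError:
        return None


if __name__ == "__main__":
    print("without key backup:", recover_after_wipe(False))
    print("with key backup:   ", recover_after_wipe(True))
```

`recover_after_wipe(False)` returns None: the reinstalled profile’s key unwraps the DDF to garbage and the integrity tag catches it, no matter that the password is the same. `recover_after_wipe(True)` returns the data. `copy_to_volume` shows the other half of the observation in the post: a copy to a FAT volume comes out in the clear because the copying user decrypts it on the way, whereas NTFS keeps the $EFS metadata and the ciphertext together.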

Also…if anyone breaks 256-AES EFS I’d like to chat with you 🙂

Information Addict

Part of the Information Security profession is staying abreast of the news and events in the technology world. You need to know what attacks are going on in order to know how to defend against them. When you start out in this industry you feel like you’re always behind, always trying to catch up. You read everything you can get your hands on, hoping that you don’t miss something important. The problem with this is that it consumes all your free time. After a while, you begin to see what you can pass over or just skim. New virus comes out? Great, there’s an update against it, right? I can skip the part about how it was discovered on one machine on the other side of the world.

What you start to realize though, is you become addicted to information overload. You follow hundreds of people on twitter, dozens of blogs, you peruse the tech sites, and if there is a lull in the timeline for even five minutes, you start to wonder if you lost your Internet connection. You skim your twitter stream looking for articles to read, glossing over someone asking a question or looking for help. You start to read a longer article with an actual build-up and you get frustrated because they aren’t getting to the point fast enough. What you don’t realize is that “the point” sometimes is the build-up. Journalists get paid to tell a story, so that’s what they’re going to do.

Even those that you look up to in the industry, the ones that you think “wow…they really have it together, how do they keep up?” are skimming too. The ones that follow over a thousand people? Attending DefCon, I found out they see it as drinking from a fire hose as well. They miss things. The humble ones admit it and are willing to talk about it. They try to keep in touch with the people in our industry that matter. They try to stay plugged in as best they can. They are going to miss things, just like we all miss things. What matters is that they are trying, just like you are. When you think you know it all is when you have the most to learn. Keep reading, you never know what you may miss.

Vegas, the week after…

So I’ve returned from Blackhat & Defcon 2012, and I’ve had a week to let it all sink in. I met more people than I can recall, and most of the people on my “must meet” list. I came away with some good and some bad things from the trip, including the city, sites, and people I interacted with.

The trip started off pretty tame: made it to Vegas, deplaned, and noticed that there were slot machines in the airport. Not unexpected, but what was unexpected was the long lines I was to encounter for most of my trip. After I left the baggage claim, there were lines for cabs, lines to check in to the hotel, lines for lines. It was crazy. Being someone that doesn’t do well in crushing amounts of people, I was a little unnerved. I headed to Blackhat; it was my first time in Vegas and my first time at a major conference, and after the keynote speech ended there was a mass of people trying to get to their next talk/meeting/vendor discussion. It took me a few days (read: until Defcon) to realize that unless you *really* have to see some talk, if you don’t make it, you don’t. Hallway con is definitely worth it as an alternative. You get to meet quite a few interesting people, and make some connections that continue via social media after the conference. Defcon was definitely a better time for me. I felt more relaxed, I didn’t feel like I was going to wander into the wrong area, and could just soak in the atmosphere.

Another thing that shocked this kid from the South Side of Chicago is the prices for everything. My company put me in the Bellagio for the week, and the food and drinks they had were through the roof! I’m used to hitting the local McD’s if I need breakfast. I went to the local cafe there, and I could have eaten fast-food breakfast for a week on the cost of one meal. I finally did find some less expensive things to eat, but it was a shock to the system.

The big thing that I would tell to someone going to Blackhat, Defcon, or BsidesLV for the first time though, is meet people. I finally got to meet some of the big names in our infosec community and they are an amazing group of people. They were extremely helpful, and even just sitting and talking with them gives you a sense that our industry is heading in the right direction. I won’t name everyone that I was impressed by because there are too many, but the thing that I was most thankful for, was that I didn’t meet any “rockstars”. Everyone was willing to take the time and say “hi, glad you made it”, talk for a few minutes, etc. Even those people who were working at one of the conferences were friendly and approachable. I love this industry and hope to be working in it until someone kicks me out 🙂

Is it really OK to say ‘No’?

*EDIT* The person who coined the phrase “our job is to see the iceberg, not steer the ship” was @randomuserid on July 10th. Thanks to him for allowing me to attribute the quote to him. *EDIT*

As information security professionals we often get the stigma of being “the department of no”. We tend to rain on everyone’s parade who doesn’t take a second and think “huh…you mean validating input would be a good idea?” We’re the ones trying to make sure that the rest of the IT departments are looking at potential attack surfaces, and always being the road block can wear on your psyche. You start to feel bad saying no so often and want to say yes. You feel that if you don’t, you’ll start to lose respect and people will stop bringing ideas and projects to your group for review. So you start saying “Ok…but what if you add this” or “Have you considered this?”

This works for a while. People see you as an enabler and a business partner. You are the one that can make sure that their app/project/program is successful, as well as reduce the risk. You’re finally in a Win-Win, right? But what happens when you *have* to say no? Where are you left when there is no choice but to say “Really….No. You can’t put your application with the un-encrypted customer payment database out on the internet as world-readable. I don’t really care how much time/money you saved by doing it that way.” (I hope no one has ever had to have that conversation in real life)

We all know it’s a business decision on what risk to accept and what to mitigate or transfer. Sometimes you need to step back and say “Ok, it’s your deal but we warned you.” Other times you need to stand in front of that bus and get run over. When you have to do each is a personal decision and can include regulatory requirements, your personal feelings or even your professional reputation.

I wish I knew who tweeted it first, but someone in my stream the other day said something akin to “It’s our job to see the iceberg, not steer the ship”. I believe this is how we need to see things. Our job isn’t to run the business or set direction, our job is to tell the ones at the helm that building a boat out of tin foil is a bad idea.

I think we need to change the sign on the door from “Department of No.” to “How does this affect our risk-posture?” and realize even then sometimes you need to say “Just…No.”

Is privacy worth the loss of opportunity?

As information security professionals we have to admit that our industry is a hot commodity right now. Everyone knows someone who is or was recently looking for a new job, or who is at least weighing their options. Living in this hyper-connected world, we know people all across the globe who work in our field. What we don’t always know is who is actually looking versus who is looking behind the scenes.

Privacy is a huge issue to most of us in the infosec community. We are always discussing it, preaching it, or trying to protect it. Where this hits home though is when you’re contemplating making a career move. You want the industry to know that you’re considering your choices, but you don’t want “the wrong people” to know (read: your current employer). There are many reasons to review the job market. A main one would be that you want to know what you’re worth. You want to know that you’re being paid fairly for the job you’re doing. A sensible employer knows this, and shouldn’t fault you for it. If you’re doing it on company time, that’s a different story, but posting discussions on job boards and discussing with friends in the industry is just talk.

The issue of privacy comes into play when you’re using social media. If you use Twitter or Facebook, and any of your coworkers or employers follow you, they may see this as you trying to find a new job. You may be looking for a new job, or you may just be gathering market data for your next review. This is where you may strike a balance between “Do I put myself out there, or leave less to explain at work?” While this is a personal decision that many of us make, I would consider one question if you are looking to make a move: Is the privacy you covet worth losing the opportunity you may find?

You could do the networking thing. You could find out that a friend of a friend of a next-door neighbor had heard of a job…but if you post your resume, network, and let everyone know that you’re curious, I believe you’ll have more opportunity to find that information or even that great job than if you try the whisper net. True, you may get the question at work of “So…I heard about your post…”, but if you don’t, you could lose out on a bigger raise or a job where you’re excited to go to work every day. Something to think about in this hot market we call Information Security careers.

Treading water in the sea of knowledge

So I had this thought last night watching a video from SecurityTube (which is now my new video hangout place) about Burp proxy. SecurityMoey mentioned it to me, I’ve talked about it in my presentation at BsidesDetroit, I’ve said it to people, but I haven’t done it myself lately…

Unplug.

When you’re swimming, you can only power-stroke so long before you become exhausted. You need to get out of the water, dry off, sleep, eat, de-prune yourself, etc. You can’t spend forever in the water; you get to the point where the only thing you can do is float or tread. The same is true for learning. I would assume this is the reason for summer break for school kids. They need time where they can “just be”. You need time where you aren’t constantly learning. You need to let your brain idle for a bit so you can go back at it with renewed vigor.

I started to realize that I wasn’t taking my own advice. I needed to take a step back, and watch a movie, play a game, or just sit and have a conversation with my family. So while I ordered a few new books, and I updated all my tools to play with, I think tonight will be a no twitter, no computer, no tech evening.

Anyone seen my towel? It’s time to dry off for a bit.