Is it really OK to say ‘No’?

*EDIT* The person who coined the phrase “our job is to see the iceberg, not steer the ship” was @randomuserid on July 10th. Thanks to him for allowing me to attribute the quote to him. *EDIT*

As information security professionals we often get the stigma of being “the department of no”. We tend to rain on everyone’s parade who doesn’t take a second and think “huh…you mean validating input would be a good idea?” We’re the ones trying to make sure that the rest of the IT departments are looking at potential attack surfaces, and always being the road block can wear on your psyche. You start to feel bad saying no so often and want to say yes. You feel that if you don’t, you’ll start to lose respect and people will stop bringing ideas and projects to your group for review. So you start saying “Ok…but what if you add this” or “Have you considered this?”

This works for a while. People see you as an enabler and a business partner. You are the one that can make sure that their app/project/program is successful, as well as reduce the risk. You’re finally in a Win-Win, right? But what happens when you *have* to say no? Where are you left when there is no choice but to say “Really….No. You can’t put your application with the un-encrypted customer payment database out on the internet as world-readable. I don’t really care how much time/money you saved by doing it that way.” (I hope no one has ever had to have that conversation in real life)

We all know it’s a business decision on what risk to accept and what to mitigate or transfer. Sometimes you need to step back and say “Ok, it’s your deal but we warned you.” Other times you need to stand in front of that bus and get run over. When you have to do each is a personal decision and can include regulatory requirements, your personal feelings or even your professional reputation.

I wish I knew who tweeted it first, but someone in my stream the other day said something akin to “It’s our job to see the iceberg, not steer the ship”. I believe this is how we need to see things. Our job isn’t to run the business or set direction, our job is to tell the ones at the helm that building a boat out of tin foil is a bad idea.

I think we need to change the sign on the door from “Department of No.” to “How does this affect our risk-posture?” and realize even then sometimes you need to say “Just…No.”

Is privacy worth the loss of opportunity?

As information security professionals we have to admit that our industry is a hot commodity right now. Everyone knows someone who is or was recently looking for a new job, or who is at least weighing their options. Living in this hyper-connected world, we know people all across the globe who work in our field. What we don’t always know is who is actually looking versus who is looking behind the scenes.

Privacy is a huge issue to most of us in the infosec community. We are always discussing it, preaching it, or trying to protect it. Where this hits home though is when you’re contemplating making a career move. You want the industry to know that you’re considering your choices, but you don’t want “the wrong people” to know (read: your current employer). There are many reasons to review the job market. A main one would be that you want to know what you’re worth. You want to know that you’re being paid fairly for the job you’re doing. A sensible employer knows this, and shouldn’t fault you for it. If you’re doing it on company time, that’s a different story, but posting discussions on job boards and discussing with friends in the industry is just talk.

The issue of privacy comes into play when you’re using social media. If you use Twitter or Facebook, and any of your coworkers or employers follow you, they may see this as you trying to find a new job. You may be looking for a new job, or you may just be gathering market data for your next review. This is where you may strike a balance between “Do I put myself out there, or leave less to explain at work?” While this is a personal decision that many of us make, I would consider one question if you are looking to make a move: Is the privacy you covet worth losing the opportunity you may find?

You could do the networking thing. You could find out that a friend of a friend of a next-door neighbor had heard of a job…but if you post your resume, network, and let everyone know that you’re curious, I believe you’ll have more opportunity to find that information or even that great job than if you try the whisper net. True, you may get the question at work of “So…I heard about your post…”, but if you don’t, you could lose out on a bigger raise or a job where you’re excited to go to work every day. Something to think about in this hot market we call Information Security careers.

Stupid users or stupid us? Yes.

Today while working I noticed that I was starting to drift into the “stupid users!” thoughts. What causes us to do this? Yes, I understand that you may not know how to reboot your system, although the methods haven’t changed much in the last decade or so, but that’s not the point. We as IT Professionals can start to run down this path of “Well what do you mean you don’t know how to configure your local firewall!? It’s on your computer!” Many times we work inside of a larger organization whose main business is something other than IT. You’re going to be dealing with people who are very smart in what they know. They may be a banker, or a doctor, or a lawyer. They are very good at determining what is going on in their profession. What they are not proficient at is knowing how configuration files should look, or how to write a batch script, or why, when they go to a website, all of a sudden you want to reload their computer.

All they know is that something inside the box you gave them is holding up their work. They want it fixed and they want it fixed now. You getting frustrated at them is not going to make them any happier. Now I don’t want anyone to get the wrong idea, because after working on the helpless desk for over five years I know that sometimes you can’t just keep taking the beating they’re giving to you. The idea is to get them working, off the phone, and out of your life as fast as possible. You may not know how to fight a court case, underwrite an insurance policy, or treat a patient, but they do. If you can work together and get the problem solved faster it’s going to go a lot easier on everyone.

Let’s all try to stop calling them “stupid users” and maybe they’ll stop calling us “stupid IT”.

Treading water in the sea of knowledge

So I had this thought last night watching a video from SecurityTube (which is now my new video hangout place) about Burp Proxy. SecurityMoey mentioned it to me, I’ve talked about it in my presentation at BsidesDetroit, I’ve said it to people, but I haven’t done it myself lately…

Unplug.

When you’re swimming, you can only power-stroke so long before you become exhausted. You need to get out of the water, dry off, sleep, eat, de-prune yourself, etc. You can’t spend forever in the water; you get to the point where the only thing you can do is float or tread. The same is true for learning. I would assume this is the reason for summer break for school kids. They need time where they can “just be”. You need time where you aren’t constantly learning. You need to let your brain idle for a bit so you can go back at it with renewed vigor.

I started to realize that I wasn’t taking my own advice. I needed to take a step back, and watch a movie, play a game, or just sit and have a conversation with my family. So while I ordered a few new books, and I updated all my tools to play with, I think tonight will be a no Twitter, no computer, no tech evening.

Anyone seen my towel? It’s time to dry off for a bit.

BsidesDetroit – ConBlu, first try at presenting

I just got back from the BsidesDetroit trip and my first shot at giving a talk. I was wired for this trip for about a week before I went, worried about what would happen with me giving my first talk. Also, on the drive home I think I came down with “ConBlu”. Not the “ConFlu” sickness most people talk about when they go to a conference and shake hands/hug a lot of people. This is more of a slight letdown that you get when you have to leave after having the chance to hang out with people who really “get you”. The people who are as geeked out as you are when you “pop a box” for the first time. You start to wish for next year’s conference as you’re walking to your car to leave.

On to my first try at speaking. I hadn’t tried to give a presentation since sophomore year in college. While I haven’t had the chance to watch the video and see how I did, I did get plenty of feedback on my first try. Many people felt that the topic was definitely good, and something that needs to be addressed in Information Security. For those of you who haven’t followed me lately, I collaborated on a talk with Len Isham on “Infosec Flameout”. My angle on the issue was that I was burned out in my current job, but I was working myself even harder trying to change careers.

Len and I worked on the slides and content for a couple months prior to the event, but Len wasn’t happy with how his part was going, so he spent a day or two before the event completely re-doing his slides/talk. My portion was about my career, how I got burned out, and what I have tried to do about it. Len’s was about socially engineering your career after you decided where you wanted to go.

When we first started going through the talk via Skype, I hit about 13 minutes for my section. I wanted to be closer to 20 or so, leaving time for questions at the end of the hour. Len & my wife both said I needed to slow down because I was talking too fast. The second try through it, I got just over 19 minutes. I was happy with how I was pacing myself and I liked how much detail I was giving for the time-frame.

So we start our talk, and I was definitely speaking too fast. I was very nervous and realized it too late, ending up with only about 9.5 minutes after hitting my last slide. Len realized this as well as he got up to do his talk, and he was able to stretch it out so we hit about 35-40 minutes total for both of us. The great thing about the people attending (and our industry as a whole) is that they were willing to share their thoughts and what they did to stave off burnout. By the time we finished the discussions, it was about 7 minutes before the hour. It actually turned out great with how everyone chimed in.

With all that said, I definitely need to slow down if I’m going to present again. I had a couple people suggest that I submit to DerbyCon with just my portion. I would definitely have to expand on everything in my talk. Hindsight is always 20/20 they say, and I think I needed to do the slides a little different for next time, as well as give quite a bit more information on what caused my burnout at different times in my career and how I worked through them. I guess I’ll mull that over in my head a bit and think on it.

The conference itself was awesome. I loved the venue, it was well laid out, there was quite a bit to do in the conference center itself, as well as having the hotel right there. Having the tracks in different rooms made it easy to have hallway-con, and there were two tracks, a teaching area, and a lock-pick village. I really loved the set-up and the Detroit team did a great job with putting it together. The talks were awesome! The great thing about this industry is that people are willing to share their knowledge. I didn’t get to meet everyone I wanted to, and I didn’t get to see all the talks I wanted, but I got two classes in (Metasploit & Armitage), and saw quite a few really good talks.

The only issue I had with the con personally was with the hotels (Marriott & Courtyard by Marriott where I stayed). Both were very pricey and provided nothing I wanted for it. Breakfast for both hotels was extra, as was Wi-Fi in the Marriott. I have some ideas to take back to my work which I’m sure my boss is going to appreciate, and maybe I can get him to pay part of the hotel. I guess I’ll see how good my social engineering skills are 😉

You’re wrong…and so am I

This is going to be a short post.

Watching the echo chamber in the last couple days as well as watching “Builder vs Breaker” from BsidesChicago on Ustream makes me realize…we’re all wrong. There are so many diverse views from all areas of the world in our profession, you’re going to have someone that disagrees with your “facts”. You could say “the sky is very blue right now” while living in the US, but someone in Europe could say “Actually it’s currently black and the stars are really out tonight”.

No matter what you believe someone believes the opposite and is willing to debate with you, and this goes for pretty much anything:

  • Certifications are good / Certifications are bad
  • Pentests are needed / Pentests only find known vulnerabilities
  • Company A / Company B

What we need to realize is that we are going to have differing opinions and we need to listen to others even when we think they’re dead wrong. You may just realize that your “facts” weren’t as solid as you thought.

Irish Obsession

Alright so this is going to be a non-infosec post, so if you read me for that, you may want to go write some code or pop a box.

So I was texting with my wife about a tweet that Dave Shackleford made about a job in Vienna, Austria (my wife’s favorite country because of the Sound of Music movie). I was teasing her about how she wouldn’t mind going back to Austria (we were there last year) and how I want to move to Ireland. Now neither of us speaks German and that would definitely be an issue with moving to Austria. She also is a sunshine person (she gets moody when it’s cloudy/winter) so either country would be difficult for her to live in as well.

So with the overkill on the back story, it got me thinking on being obsessed with everything Irish. When we took our (4 years late) honeymoon there last year, I was on cloud 9 for 13 days. We were immersed in Irish culture, history, music, and people. I couldn’t get enough to the point that I was showing our 1000+ photos to anyone that would sit long enough to watch. We made the decision to go back this year when my parents and sister started talking about going. We’re now taking almost 2 weeks to go back in September.

I started thinking about all of this and how I’ve wanted to learn more about Ireland for as long as anyone in my family could remember. I used to think that my Grandfather’s parents or something must have been from Ireland with how we always used to say we had Irish ancestry. I actually got into the Ancestry site and found out I have to go back 5 generations on either side before I hit the Emerald Isle. I only have to go back 4 before I hit Germany on my maternal side. So it turns out that I’m not as Irish as I’d assumed as a child. With that in mind, it makes it a little strange that I have such an affinity for Irish Culture. My wife has been known to tell people asking me if I’d like (some “Irish” thing), “It’s Irish, he’ll love it”. Why that is, I have no idea. My family is definitely not “just off the boat” from Ireland or anything. I am proud that I have it in my heritage, but my family has been in the USA for generations, and I can also trace back to Germany, Wales, England, France, and possibly the Netherlands. If someone were to ask me where I’m from, I’m not going to say I’m an “Irish American”, I’ll just say I’m from the United States. I was actually offended for our tour director in Ireland when one of the old men on the trip told him “Well I’m as Irish as you are!” when he was born in New York somewhere.

I bought 4 different CDs of Irish music while we were over there to add to the half dozen Celtic CDs I had, and from the time we made the decision to go again, I’ve been conversing with @SecurityNinja, @BrianHonan, and @mckenna1977 about a tweet up while we’re over there. I just wish I knew where the obsession comes from. The time that I spend researching different folklore or history takes away from getting better with Infosec, but maybe it is just a diversion that I need at the time to let my brain cool off.

Not sure if this is normal or strange, thoughts? Anyone have a similar situation?

Yeah so…

…maybe you’re smarter, or have been in infosec longer, or perhaps you had someone help you along. Those are all really great things to have. What they are not is a license to lord it over everyone else or use it as a personal ego trip.

There are a lot of great people in this industry. There are ones that are trying to help people like myself get to where they want to be because it’s better for the industry as a whole. If you are not helping others learn you are part of the problem. There are those who help by creating blog posts on how to use tools or provide targets for those of us trying to learn to use the tools. Those are the people who are the “rockstars” of this industry. Not the ones that discovered the latest 0-day du jour.

Jayson Street made a comment when we were hanging out before Thotcon that hit the nail on the head. There are people out there who say “I broke it. You’re welcome.” They don’t care if anyone can fix it, they don’t care if anyone else learned from it. They are just there to beat their chest and inflate their own ego. That’s not helping anyone.

There are quite a few people out there that want to help others out and want to answer questions or give advice. Unfortunately those are also the ones that are often berated and put down because someone disagrees with their thoughts or feels they are only talk. Bringing attention to security is what we need and what we want. If we can get more people to care about security our job will be that much easier.

Will I ever be the top pen-tester in the world? No. Will I ever be on the cover of a magazine for how brilliant I am? Probably not. The reason I want to take this road is because I want to make the company I’m working for just a little bit wiser on what their risks are, so they have the knowledge to make a decision. It’s not a grandiose goal and I will probably never get rich off of it, but I’ll love going to work and I’ll do my best to help out those that come to me for knowledge and advice.

So to the @jaysonstreet @elizmmartin @ben0xa @securityninja @jwgoerlich @coolacid and @davienthemoose of the world, thank you for your insight and encouragement from a guy trying to start anew in this arena.

Burgers & Steak

So this has been said in a few different ways, but I figured I’d throw my twist on it. I was thinking today about the fact that you make choices in life. In your career, in your love life, in everything you make sacrifices of what you could do for what you want to do. The best way I could describe it is the difference between Burgers & Steak.

The premise is “hmm…well I could order the burger, or I could pay extra for the steak”. Now extra could be money, it could be time, it could be giving of yourself, whatever it is for that particular situation. In the instance of food, you’re weighing the taste of a steak and the extra money of a steak versus the (usually) inexpensive choice of a burger. While the burger tastes just fine, you want a juicy steak now and then.

In the realm of love, you could try to keep after the “steak” of a high-maintenance person who wants all of your time, money, love, etc., or you could eat a burger and be perfectly content with something that is satisfying and doesn’t bankrupt your wallet, time, emotions.

In work it’s a little different. You could say that you want the “steak” job. You want to be the ultimate (insert job here, CISO, Pen-Tester, Evangelist, Coder, etc.). The thing is, you need to sacrifice for that. You need to reduce other areas of your life to be able to devote that much (time, money, passion, etc.) to that pursuit. This is perfectly fine if you’re willing to move the time/money/passion to this part of your life. Your other areas of life are going to be affected though.

In your career you could choose the path of the “burger” though, and try for a little more balanced approach. You could still get the same “meat”, meaning you could be in that type of a job, but not the best or the “rockstar” (I hate that term). You would be the CISO, or the App Sec person, or whatever you choose, but you wouldn’t be the best at it. What you gain out of this is that the other areas of your life will be enriched by the extra time you spend in those areas. Your relationship will be stronger, you will be better at the guitar, your pet will remember who you are, etc.

The reason I bring this up is this is the week after Thotcon and BsidesChicago. I met a lot of ridiculously smart people the previous weekend. The kind of people that, even after being in IT for 13+ years, make you feel like you’re the new guy. You start to get a little discouraged because you want to be that good. You want to be able to come up with things they come up with, or be able to discover new things like they do. The thing is though, that perhaps you may not be as good at coding as the next person because you took that weekend with your significant other to walk the dogs and just lie around. It’s not a bad thing, it’s the choices we make. It’s what you value and how you approach it. The burger is not a bad thing. It’s filling and a lot of times it’s comfort food that we need because it knows just how to pick us back up to make us happy. This is advice for myself even more than anyone else, but:

“Just be yourself. You’re not that person you just talked to, you’re you, and they have had different experiences than you have. Live your life and make the decisions you’re going to make. They make you who you are and why people love you.”