An Information Security Place

Commentary on the State of Information Security

Archive for June, 2007...

Filed under Security

I have been using Windows Live Writer for a few months now, and I love it.  It lets you build blog posts offline since it is installed on your PC.  It pulls down your blog settings and lets you see what your posts will look like before publishing (though it is sometimes off a bit with the preview).  It lets you insert pictures and uploads them auto-magically for you (no more uploading to your site then linking to them - or worse, linking straight from someone else’s site!).  But it has always had a major shortcoming - no support for categories!

I try to make sure all my posts are categorized correctly, even to the point of creating TOO MANY categories.  But when I use Live Writer, I have to go into WordPress and add the categories after I have published the post.  That sucked!  But lo and behold, Live Writer now supports categories.  This is too sweet.

AND, it now allows you to set a publish date for your posts.  If you write a few blog posts at a time, this allows you to publish them at a certain date and time.  Very nice!

It does have some little gotchas right now (it is in BETA 2), so read over those.  But so far I am having no issues.  Here is the link to the release notes and a download link.  ENJOY!

Vet

Posted by Michael Farnum on Friday, June 29th, 2007

Filed under Blogging, Rant, Security

OK, I was going to leave this one alone, but it is just bothering me so much. A couple of weeks back, I wrote a blog post about a comment I had left on a post by Douglas Schweitzer at his Computerworld blog. Douglas said in his post that a bot was “essentially just another term for an infected computer.” I took issue with this and wrote a comment as such, then I posted the comment on my blog. I also noted that I wasn’t slamming Douglas in any way. I just felt the error needed to be corrected. Douglas argued on his blog that it was semantics, and that is probably true to a degree, but oh well. I let that go (actually I tried to post another comment on Douglas’ blog, but I think I put too many links in to prove my point because it never popped up - probably looked like spam).

But then out of the blue I get a comment tonight from somebody named David. He says, “And how many computer security books have you written? That’s what I thought…”. My comment to David was:

What the hell does that have to do with the price of tea in China? Do you worship Douglas or something?

Now, I realize that was probably not the most constructive of comebacks, but this really pisses me off. I guess my correct statement about what a bot is does not count because I have never written a book about security. How utterly moronic and completely stupid can you get? That is like saying you have to write a book on weather before you can say a tornado breaks stuff!

If it is because I was correcting someone that has written security books before, that is just as stupid. Writing a book does not make you infallible.

Vet

Posted by Michael Farnum on Wednesday, June 27th, 2007

Filed under Professional Networking

There is a site out there called CitySec where security professionals all over come together to plan gatherings for information security professionals in their individual cities.  These are not conferences.  They are just ways of sitting down with other security professionals to burn off some steam and network.

Anyway, I am going to start putting an effort towards getting a gathering in Houston, TX.  Each one of these gatherings has an individual name (the Boston gathering is called BeanSec, Phoenix is called SunSec… you get the idea).  There was a thread started on it before I went down this path, and they wanted to call it HoMeSec (Houston Metro), but there have been no responses lately.  So unless those individuals have any issue with it, I am going to rename it to BayouSec (Houston is known as the Bayou City).  I was going to call it SpaceSec since Houston is also called Space City for NASA, but I thought any security professionals that one day end up on a moon colony might take issue.

So, if you live in the Houston Metro area and would be interested in taking part, let me know.  I am not promising this will be done in the next couple of weeks, but I am going to put some cycles towards getting it done in the next couple of months.  Let me know if you have some ideas and want to help out.

Vet

Posted by Michael Farnum on Tuesday, June 26th, 2007

Filed under Security

I was interviewed for the RSA podcast on Monday.  Listen to it here.

Thanks to Paul and Autumn for the time.  I had fun.

Vet

Posted by Michael Farnum on Tuesday, June 26th, 2007

Filed under Blogging Buddies

Looks like my good friends over at StillSecure are doing a great job.  Read this review.  Awesome accolades go to Martin and Mitchell.

Vet

Posted by Michael Farnum on Monday, June 25th, 2007

Filed under Security

Due to my bad judgement, I have not been to the dentist in quite a while (I won’t say how long it has been), and I am dreading going back (I have an appointment today).  As I was pondering the pain that will be my payment for poor decision-making, I started thinking how going to the dentist is a lot like getting a security assessment performed.

First of all, if you have never been to the dentist or haven’t been in a while, you need to have a BIG cleaning and checkup done to ascertain the health of your teeth (cavities or other dental maladies) so the dentist can determine what direction your treatment needs to take.  It is the same with a security assessment.  If you have never had one, or it has been a while, you need to have one performed so the strength of your security program can be established (a gap analysis is like finding cavities).

Second, after the initial cleaning and checkup, the dentist can work up a treatment plan to help get your teeth back to a healthful state (if there are major problems).  In the same way, a good security assessment will include a remediation plan.  If all you get out of a security assessment is the problems that were found, then you paid good money for next to nothing.

Third, most recommendations say that a dentist visit every 6 months to a year is good practice.  If you don’t have any serious issues, the dentist can just perform a regular checkup and cleaning to keep your teeth healthy.  Remember, even if you have thick enamel and your gums are healthy, you can still have problems caused by neglect.  If you start eating more sugar for some reason, you have made a change in your eating habits that could affect your teeth.  In the same vein, it is generally accepted that some sort of security assessment be done once a year, even if that is done internally to make sure your security program is healthy and has kept up with any changes in your environment.  Even if your overall program is strong, and you have very good policies and procedures in place, a change in the environment can render the most ingenious policy obsolete.

Fourth, you should brush and floss your teeth every day to keep your teeth healthy.  Similarly, you should also do spot checks of your security environment fairly regularly and perform preventative maintenance (patching, firmware updates, etc.).

There’s my crazy analogy for the day.  Remember me as I writhe in pain this afternoon.

Vet

Posted by Michael Farnum on Wednesday, June 20th, 2007

Filed under Acquisitions, Security

Another one bites the dust.

Vet

Posted by Michael Farnum on Tuesday, June 19th, 2007

Filed under Security

Douglas Schweitzer is a fellow Computerworld security blogger.  Most of the time Douglas’ posts are pretty good.  But I want to point out an error in his latest post.

Douglas is attempting to answer the question, “What is a bot?”  Here is his answer:

For those of you unfamiliar or unsure of the term, a bot’s essentially just another term for an infected computer.

Well, actually, that’s wrong.  Here’s my comment to his post:

Actually, it is a common misconception that a bot is the infected computer. The bot is the program that is infecting the computer. Actually, a bot is not necessarily malware. Bots can have legitimate uses, such as spiders that crawl the web for a search engine. Basically, a bot is a program that performs menial tasks that a human doesn’t want to perform or is unable to efficiently perform (even if that means attacking a network or sending spam).

The term “bot” is taking on the same negative connotation that the term “hacker” is taking on, and that is unfortunate. At least a bot doesn’t have feelings. :)

So I’m not slamming Douglas here.  Just clearing up a common mistake.

Vet

Posted by Michael Farnum on Friday, June 15th, 2007

Filed under Security

It is kind of good timing that Martin asked a bunch of us to post how we got into security.  I was in Dallas yesterday driving to a client site.  I was a little early, so I decided to drive around to find a place to grab breakfast, when I started looking around and got a weird feeling that I had been on the road before.  I was close to DFW airport, so I figured I might have been there sometime.  Then I looked to my left and recognized the hotel.  Lo and behold, it was the hotel where I attended CISSP boot camp 5 years ago.  It was kinda strange to see it after that long.  I know it is just a hotel, but I am a very sentimental person (I think my sentimentality actually borders on illness), so it was cool.

Vet

Posted by Michael Farnum on Friday, June 15th, 2007

Filed under Security

Martin asked a few of us how we got into security, so here’s my story:

Just like so many 80’s kids, my fascination with computers started with WarGames (Mitchell knows about this - Tron had a lot to do with it as well).  I guess that contained a little bit of foreshadowing since it was all about security, though I didn’t get the distinction back then.  I just knew I wanted to do stuff like Matthew Broderick.

But as far as how I fell into security, I started in general IT like most people.  When I was a senior network administrator, my group got to install a new firewall to replace an old Unix box that a propeller head had put in for us (we were beefing up our 384k connection to the Internet to a full T-1).  I remember seeing the old Unix FW and being fascinated by the logs running across the screen, though I had no idea what it all meant.  Anyway, I don’t remember who the firewall vendor was that we installed, but I do remember that it was NOT CheckPoint (we fought for CheckPoint, though we didn’t know why - we just knew that CheckPoint was the best, which it was back then).  I got my first real glimpse at security then (I was really fascinated by NAT, if you can believe it).  So I started looking at security a little closer, and I had to make the effort to do it since back then security was not baked into the network in any way.

So I changed jobs to work at my first true VAR, and the first three days I was in a NetScreen firewall class.  That got me hooked on NetScreen and the idea of a hardware firewall instead of a server software firewall.  I started getting more and more into designing security architectures and installing firewalls (NetScreen, CheckPoint, and PIX).  Then the VAR I was working for started a partnership with Enterasys, and I got deep into their Dragon IDS product.  They also had the first real production 802.1x products (as far as I know, anyway – I am open to correction there), and I was just blown away by port-level authentication.  It really opened a whole new world for me, and I knew that there was real meat in security that the typical network guy could chew on.  Before that I really thought security was relegated to the uber-geeks with long hair and pasty complexions in dark rooms.

So even though Enterasys ended up sucking, they had some great vision and were really pushing the envelope on baked-in security.  That got me more into security, and my boss at the time really wanted the company to have a security practice.  So he took me and two other guys from our Dallas office to a CISSP boot camp, and we knuckled down and passed the test after a week of brain pounding.  Though the test was fairly brutal, we all passed, and that is really where I started designating myself as a security professional instead of a network guy.  The rest is history.

Vet

Posted by Michael Farnum on Friday, June 15th, 2007

Filed under Security

I did a couple of lunch talks about IPS with Top Layer on Tuesday (Houston) and Wednesday (Dallas).  And while I enjoyed the talks and meeting customers, I realized (though I knew this before to a degree) that I REALLY like talking in front of a group like that.  I enjoy giving a presentation and seeing people nodding their heads (from agreement, not boredom :) ).  Heck, I thought this would bother me, but I even like it when they are looking at me in confusion or disagreement, because at least I know they are listening.  I think it comes from liking to be the one that is looked at as the authority on a subject. 

I really just enjoy communicating.  That is why I blog.  But I also like to be in front of a group like that.

Vet

Posted by Michael Farnum on Thursday, June 14th, 2007

Filed under Fun

OK, I know I said I was going to bed, but then I saw this post at mcwresearch.com.  Michael, you have earned your first OJ award.  Congrats!

Vet

Posted by Michael Farnum on Wednesday, June 13th, 2007

Filed under Blogging Buddies, Security, Security Consultation, Security Products, Security Reselling

OK, now that I am settled in my hotel room in Dallas, I have some time to respond to Alan’s post calling me a hooker (like I said to Alan, at least he called me high-priced).  I will also be responding to a comment left by a reader who goes by the name of Shaneo.  You can read that comment here.

The first thing that strikes me about Alan’s and Shaneo’s comments is that they seem to think that selling products is what makes a person bad.  Either that, or they think I was making that implication.  Alan says:

To me Michael sounds a bit like an expensive call girl talking down on a lowly street walker.  At the end of the day they are both working girls, who work hard for the money, but they are what they are.  As long as Michael is putting the food on the table by selling products to customers, whether they be from a line card that Accuvant offers or from a specific vendor, he is selling nevertheless.

Shaneo says it like this:

You make me laugh! A VAR is still always a VAR - a sales engine. If you were an independent consultant and didn’t sell any product, then I could support some of your statements.

…don’t put yourself so high and mighty above all the rest…When you’re a part of the food chain.

I seriously do not get why they think that because I sell products that I am a whore.  My point was never that selling a product was a bad thing.  In fact, my point in the original article wasn’t even to attack vendors, though I’ll admit I was harsh on the vendors (not apologizing, just admitting :) ).  My point was that I, as the trusted adviser to the client, need to make sure that their expectations are managed so that they can make the right decisions.  I made that point by saying that vendor marketing departments often try to make their products look like they can solve all ills and the client often buys what the marketing department says because they WANT to believe it. 

When Alan asked me in a comment what I would do if I worked for a vendor, I told him straight that I would have to look hard at the vendor before I made a decision “because of the situations I would be in that would require me to sell a product that was not a good fit”.  Do I think every vendor will try to sell something even if it is not a good fit?  No.  And I believe Alan when he says, “It is not some sort of pump and dump scheme over here.” But I also know that it is extremely hard for a salesperson (VAR or vendor) to turn down a sale, and it makes it doubly difficult when you are feeling pressure from above.  So the temptation is there to push the product whether it is a good fit or not.

Now where Accuvant comes into play is that we look at the product that the client is asking about, and since we are the trusted adviser in the situation, we have the leeway to tell them the truth.  If we don’t, then we can lose that status.  Not a good idea for a company that leads with services, not product.  And Alan, you asked, “if Accuvant did not have a product that was a good fit, would you send the customer to EnPointe, Cadre, Fishnet or another VAR?”  Actually, yes, I would.  And I can speak for most, if not all, of Accuvant when I say that they would as well.  That may be hard to believe, but I think you know me well enough to know that I ain’t jerking you around.  In fact, we have contracted with competitors before for stuff that we could not do because of lack of resources or whatever (and no, we did not make them wear Accuvant shirts and not tell anyone where they were from).  We have done that because we place our customers first.  If the competitor gets in and steals the business, then obviously we weren’t doing our job in the first place, and we deserve to lose the customer.

Alan also says:

Michael here is another example you cite.  The vendor who is upset with you for bringing in his competitor in a deal.  Of course he is.  You would be too.  In fact you are upset by it and you even say that your dander was up because the vendor admitted he wanted another reseller in there.  You wouldn’t mind the vendor suggesting another reseller? See the point.

Well Alan, I see the point you are TRYING to make, but you actually miss it.  Read my paragraph again:

But what really got my dander up was that I knew that the guy had not brought me in to the client.  In fact, the client requested Accuvant (the client and I were old friends - we had worked at another reseller together).  And in the course of the conversation with me, the sales guy got so flustered that he actually admitted that he had suggested another reseller first (a big mistake on his part that essentially killed his argument, no matter what my argument had been).  This was just pure and simple dishonesty, and it irked me tremendously.

Go to the end.  I wasn’t upset because he suggested another reseller.  I was upset because the vendor was dishonest about saying that he had brought me to the deal when he had actually suggested another reseller first.  That is what makes me wary of vendors.  I have seen that kind of dishonesty time and time again, both from the reseller POV and the client POV.

Another Alan quote:

As long as you are getting paid to put products in at the customer, whether you make and sell them or just sell them, you still sell.  As long as you sell, you are as guilty or innocent, moral or immoral as anyone else in the food chain.

This goes back to my original question.  Why does selling make me guilty or innocent or immoral or moral?  That makes no sense.  It is not the act of selling that makes a person bad.  Guilt and immorality come into play when the sales person or the marketing department or whomever makes false statements to make a sale, and that applies to the VAR or the vendor.  And I know plenty of VARs who sell based on the best spiff that month.  But everything I have seen from Accuvant since before I worked here and after I have been here 9 months tells me that we don’t follow that kind of crap.  Have we had people collect on spiffs before?  Hell yes.  But it was not the driver behind the business.  And if you don’t believe we are on the up-and-up, just ask a customer (thanks again, LonerVamp).

Alan again:

First of all Michael assumes that only someone like a VAR would tell the customer that a case study or lab result are “done in pristine situations”. Why would a vendor be disqualified from saying that?

They’re not.  But do they?  It is not in their interest to do so.

Mr. Shimel again:

Then he talks about telling the customer the truth about how long it takes to install the product. Do you think a vendor is going to lie about this?  Especially if the vendor is selling install professional services along with the product.

Because it is often a bait-and-switch.  Alan, I have seen this so many times it is impossible to name them all.  In fact, one of your competitors in the NAC space does this very thing.  In all honesty, I don’t think the sales person is actually lying.  However, when he says the product installs in 30 minutes (OK, I exaggerated by saying 5 minutes), he is not telling the full truth.  Does the product physically install in place in that amount of time?  Yes.  They are specifically trying to counter Cisco NAC because they have seen the uber-pain people have gone through trying to implement CleanAccess.  But it takes time to determine the business need behind the product, create the policies to fit those needs, get the agent installed on all the workstations, etc.  And yes, a security manager or administrator worth his salt will know the intricacies involved and will know that is a shortsighted claim.  But the fact that he says it and uses it in every sales call creates the need for me to manage the customer’s expectations and let them know all of the other details of installing a product like this.

And if you don’t believe that this is a problem, let me tell you that I have had to convince customers numerous times that getting this product (and others whose salespeople make similar claims) installed is not just plugging in a couple of patch cables and letting rip.

Anyway, in the immortal words of Forrest Gump:

And that’s all I have to say about that.

I’m going to bed.

Vet

Posted by Michael Farnum on Wednesday, June 13th, 2007

Filed under Security, Security Reselling, The Channel

One of the Accuvant founders (Dan Burns) sent out a link to this little video gem.  It comes from CRN.  I watched it, and I promptly blew OJ out my nose.  So here’s the prize, CRN.  You earned it!

OJ Award

Vet

Posted by Michael Farnum on Sunday, June 10th, 2007

Filed under Security Products, Security Reselling

Judging by Alan’s comment to my Managing Expectations post, I think he is a little aggravated with me for picking on vendors.  It probably had something to do with this comment:

…the marketing departments of companies typically make it sound like their product can cure world hunger and make you a sandwich at the same time it is keeping your network totally secure (and it does all that in a nice little 1U appliance that takes five minutes to install and configure). 

Or maybe this:

So as the sales person and sales engineer (often the same person), it is imperative that the expectations for a product are managed up front.  If the customer calls you in and says that the brochure for XYZ Security Widget says that it can perform a certain function, you have to be able to explain if the claim is true or not.  You have to make it clear that often case studies are done in pristine situations.  And you also have to clarify that the “setup” of the widget (yes, the one that takes only five minutes) in a network often means that it was simply screwed into a rack, plugged into the network, and assigned an IP address.  There is usually little to no configuration done on the widget, and it is absolutely worthless in this state.  You have to enlighten the naïve customer by telling him that trade rag product reviews are often rigged (it sucks, but it is true).

I was going to respond in the comments, but it got long, so I thought it was worth a post. OK, here goes.

Alan,

To answer your “what would I do working for a vendor” question, I would honestly have to look long and hard at a vendor before I would go to work there.  Not because they are all a bunch of “lying no-goodnicks”, but because of the situations I would be in that would require me to sell a product that was not a good fit.  I have interviewed a few times with vendors.  One interview stands out because they asked me what I would say to a client if our product was not a good fit.  I said that I would tell the client it was not a good fit, and the interviewer’s jaw almost hit the floor.  He couldn’t believe I would say that.  But how could I not and stay true to my morals?

I know I give vendors a bad rap, but I have a good bit of experience with them on the customer side and reselling side (this is not my first go ’round as a reseller).  And many, if not most, push their product on everyone, no matter if it is a fit or not.  And then they get aggravated at me for telling the customer the real deal.  Since more often than not Accuvant is the trusted adviser at clients, I am not going to listen to grief from the vendor when I step in as a reseller and try to protect my customer.  I just can’t afford to let a client buy something that is not a good fit.  If I do that a couple of times, I am no longer a trusted adviser.

As an example, I spent 30 minutes on the phone with a vendor sales guy a couple of weeks ago on this very thing.  He was griping at me because I was bringing a competitor of his into an account he thought he had brought me in on.  The reason I was bringing someone else in was because my client has an internal policy that they have to bring in at least three vendors of any one product before they can make a purchase.  I explained that I could not refuse the customer, especially if he was specifically requesting that I do all the work.  Again, if I don’t help my client, then my status as a trusted adviser gets hurt or lost.

But what really got my dander up was that I knew that the guy had not brought me in to the client.  In fact, the client requested Accuvant (the client and I were old friends - we had worked at another reseller together).  And in the course of the conversation with me, the sales guy got so flustered that he actually admitted that he had suggested another reseller first (a big mistake on his part that essentially killed his argument, no matter what my argument had been).  This was just pure and simple dishonesty, and it irked me tremendously.

I am not saying that all vendors are dishonest.  And I know that vendor product sales make up a huge amount of our revenue at Accuvant.  But I would rather not be put in a situation where I have to choose between making my boss angry by not selling the product or convincing the customer that the product is what he needs when I know it is not.  I just don’t know if I can work in the situation.

Having said all of that, I would really love to hear your deeper opinion on this matter.  Obviously you have had a lot of experience working for vendors, and I want to hear your side on this and how you handle this kind of thing, what you teach your sales people, etc.  I have heard that the vendor side of the house is great, so I want to know what the argument from your side is so I can keep from limiting my options for future employment. :)

Vet

Posted by Michael Farnum on Sunday, June 10th, 2007

Filed under Sales, Security, Security Consultation, Security Reselling

One of the biggest things I have learned since I have been in IT is that you have to develop the skill of managing customer expectations (to clarify, the term “customer” means the people for whom you are doing your job - clients, users, etc.).  If your customer believes you can perform a service that you cannot, then you have not done a good job in managing expectations, and you will likely end up disappointing him and hurting the professional relationship.

From the sales POV, if a customer believes that a certain product can perform functions that it cannot, then the customer’s expectations have not been managed.  The customer has to know what a product is capable of and how it will fit and perform in his network.  If this is not fully explained, then the sale can turn into a disaster.

This is a hard thing to do when it comes to sales since customers often do research when looking into a solution, and the marketing departments of companies typically make it sound like their product can cure world hunger and make you a sandwich at the same time it is keeping your network totally secure (and it does all that in a nice little 1U appliance that takes five minutes to install and configure).  And whether we like it or not, customers will often believe the claims because they want the claims to be true.  They need a widget that will cure their ills, and many are short-sighted enough to try to find that widget.

So as the sales person and sales engineer (often the same person), it is imperative that the expectations for a product are managed up front.  If the customer calls you in and says that the brochure for XYZ Security Widget says that it can perform a certain function, you have to be able to explain if the claim is true or not.  You have to make it clear that often case studies are done in pristine situations.  And you also have to clarify that the “setup” of the widget (yes, the one that takes only five minutes) in a network often means that it was simply screwed into a rack, plugged into the network, and assigned an IP address.  There is usually little to no configuration done on the widget, and it is absolutely worthless in this state.  You have to enlighten the naïve customer by telling him that trade rag product reviews are often rigged (it sucks, but it is true).  You have to do all of this because you want to maintain the customer as a customer.

You also have to elucidate and educate because you will be trying to sell professional services to install the widget for the customer, and they are going to balk big time when your statement of work says 40 hours instead of five minutes.  And they are going to balk again when you try to sell a training class that takes 4 days and costs $2000 a head.

So if you want to keep your customers, manage their expectations.  Make sure they know the real deal.  You will help them avoid many unpleasant situations (also, be sure to let them know, in a non-braggy way, what unpleasant situations you helped them avoid :) - they will appreciate it more).

Vet

Posted by Michael Farnum on Saturday, June 9th, 2007

Filed under Training

I just got back last night from training in Bedford, Mass., thus the lack of posting.  I can’t talk about the training specifically now since it is a new thing for Accuvant and a partner, but it was focused around some PCI-specific products.  Interesting stuff, and I will elaborate when possible.

Vet

Posted by Michael Farnum on Friday, June 8th, 2007

Filed under Security

I found this story at NetworkWorld’s Layer8 blog.  Seems like even residents of virtual worlds (like Second Life) are subject to getting teased, abused, etc.  Most people would call it bullying, but in the cyber world, it is called griefing.

Simple answer.  Unplug, walk up the stairs that lead out of your mom’s basement, and get a first life.  Sheesh…

Vet

Posted by Michael Farnum on Tuesday, June 5th, 2007

Filed under Security

There have been a few discussions here and there over the last few months as to whether or not a software vulnerability that causes stability problems but does not allow remote code execution is actually a security flaw.  There were some good arguments on it, and I think we old schoolers who think a DoS attack is still a security problem made our point.  Then I see this post at the Watchfire blog, and I feel the old burn coming back.

Seems like Jonathan Afek over at Watchfire is going to be presenting at BlackHat (congrats).  He gives a description of the presentation.  Here is part of that description:

Just another day at the office started with scanning a web application with a vulnerability scanner (AppScan of course). The scan resulted in an unexpected crash in a Microsoft IIS server. This discovery was really exciting – a crash might mean a new IIS vulnerability.

More thorough research concluded that we were facing a “dangling pointer bug” and that it might be remotely exploitable for arbitrary code execution. After a while, an already published advisory of this bug was found on the net. It stated that this was a DoS vulnerability and that it couldn’t be exploited for remote code execution.

We thought differently.

First of all, let me say that I don’t see Jonathan arguing that DoS is not a problem, and the advisory that he points to lists the vulnerability as critical.  And while I think the presentation is probably going to be very interesting and one I would love to see, it still gives the impression that if remote code execution is not possible, then there’s not a big danger.  When did availability become the poor cousin in security?  The availability of a service is JUST as important as the integrity.  Plain, simple, end of story.

Vet

Posted by Michael Farnum on Monday, June 4th, 2007

Filed under Security

This is not good at all.

Vet

Posted by Michael Farnum on Monday, June 4th, 2007