An Information Security Place

Commentary on the State of Information Security

Archive for October, 2007...

Filed under Security

I went to a mini-conference on PCI DSS today in Dallas (it was put on by a vendor partner of ours, but was surprisingly vendor agnostic).  Anyway, I got some impressions from the speakers that I would like to share.

One of the keynote speakers was Bob Russo, the General Manager of the PCI Security Standards Council.  He was a good speaker, and he obviously knows the subject matter very well.  One of the things he and an audience member discussed was manufacturers claiming PCI compliance in their products.  He really seemed to disdain that practice, and he was quick to point out that no technology can equal compliance by itself.

He also mentioned the new PED (PIN Entry Devices) standards that are coming out soon. Also, the PABP (Payment Application Best Practices) standard is becoming PA-DSS, which is Payment Application Data Security Standard.  I don’t have much to reflect on those.  Just thought they were interesting.

What a lot of people were griping about is that they still had to meet the individual card brand standards as well as PCI DSS, and they were wondering when it would all become one.  Mr. Russo did not have an answer for that, but he did not try to avoid the question.  He conceded that it was a good question.  He simply did not know.

There was a lawyer from the FTC there to discuss the law and how it applied to these standards.  Basically, she just stood there and said we should follow best security practices with all our data, and if we don’t we could get in trouble with the feds.  Fairly boring all around.  She read off of a script and never moved from behind the podium (obviously not a trial lawyer).

Anyway, I wasn’t especially moved by anything that was said, though there was some good discussion between speakers and audience.  Just thought I would share and see if anyone had some comments.

Vet

Posted by Michael Farnum on Tuesday, October 30th, 2007

Filed under Security

There is a client of ours that I just picked up (I just got assigned to a couple of extra account managers).  Supposedly we had been trying to get them to have an assessment done for a while.  Well, their website got defaced the other day. Now they want a security assessment done in the worst way.

image

Ahhhh, the power of pain!

Vet

Posted by Michael Farnum on Monday, October 29th, 2007

Filed under Security

Hello,
How is your day? My name is Mr Mark Brown. I would be very interested in offering you a part-time paying job in which you could earn as much as $3000 in a month. This job would be based on contract and commission terms; it is a part-time job and it would involve quite a lot of trust and honesty. If you would be willing to add a good-paying, part-time job to your daily list of activities, then this would be beneficial to you.
The job does not entail a lot. I am in charge of recruiting those who will be working for me. I am a somewhat multi-talented man and I do quite a lot of traveling and get to meet quite a lot of people. I work with the Department of Agricultural and Rural Development in the PLANT RESEARCH INTERNATIONAL Wageningen UR (PRI). Our company PRI specializes in strategic and applied research in plant genetics and reproduction, genomics, proteomics, metabolomics, bioinformatics, crop protection, crop ecology and agrosystems, serving both government and industry.
JOB DESCRIPTION………
I do freelance consulting for the institute, which gives me a lot of time to do my own work, which is basically being a freelance researcher on a contract basis with research institutes to do research projects anywhere in the world. In a couple of weeks' time, I will begin a research project in the tropical regions of West Africa regarding rare and vulnerable plant species, and this would be commencing very soon.
This is an innovation on the Flora of Benin which was done on November 7, 2006. I have just been granted funding to head the project and I am looking forward to commencing very soon.
My funding is from the United States counterparts who sent me a bunch of payments, mostly in US checks/money orders respectively. Getting an accountant in the United States or opening an account would have been my best choice, but I have a deadline to meet and taking either of those choices would cost me time and a whole lot of other requirements.
So presently, I am looking for someone who can receive my funds, assuming you will be able to deal with cash. I would be willing to employ you on a contract basis to be my payment representative/bookkeeper in the US, as you will be keeping detailed records of what you receive from me; this way I could issue and make these money orders/certified checks out to you, you could cash them, withdraw 10% of the total amount on these money orders as your commission and then send the rest back to me through Western Union wire transfer when required by me. Bear in mind that we would be dealing with quite a handful of cash and you will be making up to $3000 per month just working with me in a short period of time.
ALL YOU HAVE TO DO……
I would issue my funds over to you, which you would cash, then transfer the cash over to me wherever I might be at that point in time, as I would be traveling a lot. This job is totally risk free and on the up and up. You would enjoy the benefits of easy contact and low hours; you would only be working for me once you receive the money orders, since that'll be when you would cash them and send the cash over through Western Union, and you keep a commission base of 10%. Read the details of this job and then get back to me for more information. If you are interested, kindly email me back so we could make concluding arrangements, after which I will notify you on when the job will commence.

IF YOU ARE INTERESTED IN THIS OFFER FILL THE APPLICATION FORM BELOW:
Full Name..
Full Contact Address..
City:.
State:…
Zip Code..
Gender:……..
Age: ……..
Marital status:….
Home/Mobile phone#:.
Id Number:……….
Current Job:……..
Nationality:……..
Country:…………
Thank You.

Mr Mark Brown.

Plant Research International (PRI)
<link removed>
Droevendaalsesteeg 1
Location de Haaff (building 107)
6708 PB Wageningen
The Netherlands

Vet

Posted by Michael Farnum on Thursday, October 25th, 2007

Filed under Security

From ThinkGeek.

Vet

Posted by Michael Farnum on Thursday, October 25th, 2007

Filed under Sales, Security Reselling

I had a discussion the other day with one of the sales guys I support.  His contention is that it is the sales person / account manager that matters most in the customer relationship.  Basically, SE’s come and go, but the important thing is if the AM stays the same.  They are responsible for the relationship.

While I tend to agree with that, I also know that when I was in the trenches, I was particularly interested in the engineer because I needed to know that he / she could provide a sound solution and back it up with support (or get the support I needed).  The AM was good for lunch, and there was the occasional AM that was fairly technical.  But on the whole, I had problems if an engineer quit one of my VARs because I would essentially have to retrain the new VAR so they were knowledgeable about my environment.

So what do you think?  Answer the poll on the right bar if you get a second.  And I consider this poll entirely scientifically accurate, by the way.

Vet

Posted by Michael Farnum on Tuesday, October 23rd, 2007

Filed under Security

I saw this article this morning about Fortinet making a deal in Cook County, Illinois.  I don’t know how big this one is, and I know this is probably sponsored, but Fortinet seems to be making some big headway.  I have had some clients talking to me about their stuff.  I know a couple of guys that recently moved over there.  I know Richard Stiennon moved over there a while back.

Any opinions?

Vet

Posted by Michael Farnum on Monday, October 22nd, 2007

Filed under Accuvant, Blogging, Blogging Buddies, Friends, Security, Security Consultation

There’s a new security blog out there, and this one is another Accuvant employee (so you know it is going to be good). 

His name is Jim Broome, and his blog is called Jim’s Bloggyness.  Jim is an Assessments Team Lead at Accuvant, and he is one smart dude.  Here’s his profile:

Jim Broome, an information security industry veteran with over a decade of experience in the field, is a Principal Consultant with Accuvant's assessment team and also acts as the technical lead for the assessment practice area.

Accuvant is a leading national security consulting organization that designs and executes strategies to address its clients' complex information security challenges. Jim's role is to provide world class security consulting services to Accuvant clients while still providing technical leadership to the assessment team as a whole.

Experience

As one of Accuvant's more seasoned assessors, Mr. Broome has performed a number of consultative engagements including enterprise security strategy planning, risk assessments, threat analysis, application assessments, network assessments and penetration testing, and wireless security assessments for a large number of Fortune 500 clients. These clients represent a variety of markets including manufacturers, telecommunications (cellular and traditional), public utilities, healthcare, financial services, and state governments.

Prior to joining Accuvant, Jim was a Principal Security Consultant for Internet Security Systems and a member of the X-force penetration testing team. At ISS, he was responsible for providing technical leadership to the Western Region consulting practice while performing his day-to-day duties of performing network assessments and penetration testing. Prior to ISS, he was the Director of Network Operations for Cavion.com, a managed service provider exclusively for credit unions. At Cavion.com, Jim was responsible for managing the network operations staff and security organization while maintaining 99.999% uptime.

Notable Accomplishments

With a been-there-done-that attitude, Jim is a constantly sought after consultant, due to his extensive level of knowledge in most areas of security implementation and management from both a technical and managerial level. As one of the original authors of several training programs including Checkpoint Software's CCSA/CCSE program, Jim is a well regarded security/technology instructor and mentor to many administrators and IT management organizations.

Since coming to the Accuvant organization, Jim has been responsible for establishing and standardizing many of the solutions and techniques employed by the Assessment practice. This provides our clients with a level of consistency that is unparalleled in the industry and establishes Accuvant as the premiere security services company.

Certifications and Training

Jim is a Certified Information Systems Security Professional (CISSP); Checkpoint Certified Security Engineer (CCSE); NetScreen Certified Security Associate (NCSA); ISS Certified Engineer

Professional Education

BS in Computer Information Systems from Trinity College and University

Welcome to the blogosphere Jim.

Vet

Posted by Michael Farnum on Saturday, October 20th, 2007

Filed under Security

OK, I am not going to take credit for this (especially since no one credited me with starting it), but there sure do seem to be a lot of posts here lately about whether or not we are making a difference as info sec folk.  I wrote a post early Monday morning about whether security nirvana existed and where we are going with all this product selling.  Andy wrote about my post and asked where the leaders were (and thought he insulted me by making it sound like I was not a leader - which he did not and I am not).

But then I see this one from Rich which is referencing this post (which came before mine, so there you go) and it is followed up by Hoff’s declaration that information security should be called information survivability. 

Sheeeeessshhhhh.  Do you ever have one of those weeks when you wonder if it is worth it?  :)

Vet

Posted by Michael Farnum on Thursday, October 18th, 2007

Filed under Security

image

Vet

Posted by Michael Farnum on Monday, October 15th, 2007

Filed under Rant, Security, Security Products

I know, I know.  I can answer that question with a resounding “NO” and get on with things.  But seriously, what does it take to even approach security nirvana?  I mean really, there are so many people spouting theories about where we need to go to make the Internet secure.  Then there are a bunch of frickin’ criminal scum suckers over in Russia and China and America and wherever doing everything they can to keep fifteen steps ahead of us trying to plug the holes.  And then I take a closer look to see if we really are even plugging the holes (selling product sure as hell doesn’t do it).

Seriously folks, I know the answer to the question.  But how can we keep going down this road if we can’t even approach a state where we don’t have to look over our cyber shoulder every night and day?  What are we fighting for?  Where did the fight turn into a battle for money instead of a battle for security?  I also know we live in a capitalist society.  I AM a capitalist.  Nothing wrong with making a buck.  But I feel like such a cog among a bunch of cogs.  Where the hell is the wheel??  

I know I sound depressed.  And maybe I am a little.  Maybe it is just because it is 12:35AM right now.  But I just feel like so many of us have lost sight of what it takes to make things secure.  Products have a place in security.  But with so many of us pushing product after product after product and not looking at security overall, where are we getting to?  When did the industry turn into a churn and burn machine?  This feels like an uphill battle, both ways, in the snow.

I know Alan will probably call me a young, naive punk again (OK, he didn’t call me a punk), but sometimes I have to stop and make sure SOME of my ideals are still there.  Otherwise I just become a big glob of compromise, picking up the lint and dirt on my way to security hell…

Vet

Posted by Michael Farnum on Monday, October 15th, 2007

Filed under Business of Security, Friends

I have always been hesitant to use friends within companies as a means to getting business.  I just think it is a very dangerous move and can kill the friendship along with the business deal if something goes south. 

I have had two instances of this happen this week.  One involves a former coworker of mine.  She now works for a fairly big organization here in Houston, and I knew that if I could get them as a client, it could have some nice rewards.  However, I just did not want to start asking her to set up appointments and all that for fear of seeming like I was using her.  So I stayed away.  I knew that she was somewhat aware of what I did and what Accuvant did, so I decided to just let things fall where they may.  Well, she actually contacted me a couple of weeks ago through our former boss (she couldn’t find my contact info - said the cat ate it).  And now it has turned into a full-fledged opportunity to do some business for them, and I just have a great feeling about the gig.  They need a lot of what we provide as far as services and products, and her coworker (the security guru) seems to really want to meet with us.

And then there is another company down here in Houston that is just an absolute monster.  They are all over the US and Canada, and Accuvant has been trying to get in there for some time now.  But we just could not get them to give some love.  Well, I have a friend that also works at this company at a very high level in security, and I knew I could probably get in the door.  However, the same thing applied.  I just don’t want to be that person who tries to use my friends for gain.

Well a few weeks ago someone approached me about a possible PCI opportunity.  He had a client that needed some PCI scanning services.  He had met one of the Accuvant founders at an event and learned what we do (we are QSA certified, are certified scan vendors, and we do PCI gap analysis work) and thought we would be a great fit.  There had been a couple of people he had brought in before us, and they had fallen flat on their face.  We walked in, and now we have the business.  Granted, PCI scanning is not huge money.  But we proved ourselves by impressing the very friend that I refused to use.

I am not saying it is wrong in all circumstances to use friendships for business purposes.  But as a general rule, I just am really hesitant to do so.  And with these two instances, I have found that if you don’t use the friend and you end up getting in and proving yourself and your company anyway, then it is that much more rewarding.

Vet

Posted by Michael Farnum on Thursday, October 11th, 2007

Filed under Security

I had a busy day yesterday, and my feet were hurting by 4pm (on my feet all day AND new shoes).  But the day ended in a good time at the local Houston OWASP chapter meeting.  Jeremiah Grossman presented his Top 10 Web exploits presentation, which was excellent.  And though I had talked to Jeremiah a couple of times via the blog and knew him through others (Martin McKeay), I had never met him face-to-face (though I did learn he was at the blogger’s gathering at RSA - we missed each other somehow).

Any way, Jeremiah has great stuff.  He does a great job in his presentation, and I learned a lot from it.  Thanks for coming out, Jeremiah.  And thanks to David Nester from SPI Dynamics / HP for running the chapter.  Great stuff.

Vet

Posted by Michael Farnum on Thursday, October 11th, 2007

Filed under Security

My job at Accuvant has been retooled a bit as far as the travel that will be required. Basically, I will be traveling to Dallas a bit more, maybe two days out of the week.  Though I go up there quite a bit now, it is very ad hoc.  At least this way it will be on a more regular basis (hopefully).  Any way, I made my first official trip under this new system on Monday.  I went up Monday late afternoon for a couple of meetings on Tuesday, and I was going to come back home on Tuesday afternoon.

So I get a call from one of the sales guys on Friday saying the appointment we had set up had been canceled.  Great.  I already had a ticket.  We needed to do something.  No problem, says the sales guy.  We have another client that wants to talk about SIEM.  We can schedule a lunch appointment with him.  OK, I will fly to Dallas for a lunch and a quick talk about SIEM.  Oh well.

Then another sales guy calls who desperately needed an evaluation installation done.  Should be really easy, but we want to hold the hand of the client a bit since it looks like it will be a big sale.  OK, I’ll do lunch, then I’ll head out to the client site.  I’ll move my flight if I need to.  And I will get to sleep in a bit since I don’t have to be at the lunch until…well, lunch!

So I wake up around 7am (after going to bed after midnight since I couldn’t get to sleep after the Cowboys / Bills game).  I start doing some work after getting cleaned up, and I get a call from the sales guy who I have the lunch appointment with.  Looks like the client canceled lunch.  Ooook.  But they still want to have a con call about the project.  So I get on the horn, and we have a good discussion.  Of course, I am thinking the whole time that I could have done this from Houston. 

So we finish up, and I call the client that needs the eval install so I can do a little discovery before I go onsite.  And I wanted to find out if he was available a little earlier since my lunch had been canceled.  So I start talking to the guy, and he goes deeper and deeper into what they need done and what they think the project is going to take.  I start thinking, this is much bigger than the sales guy thought.  So I get in touch with the vendor SE and do some discussion, and he agrees that these people need a lot more than an evaluation.  And I am not the engineer that is going to be working this project because I was just covering for the Dallas engineer who is out of town on training.  So it made no sense for me to go out and do the discovery and try to hand the info off second-hand.  So that deal got nixed as well.

Sooooo, I flew to Dallas, rented a car, spent a night in a hotel, and all I did was talk to the clients on the phone.  I flew home a LOT earlier than I planned.  Oh well.  Sometimes crap happens.

Vet

Posted by Michael Farnum on Wednesday, October 10th, 2007

Filed under Security

OK, maybe not a complete success.  We had 8 people show up (including me).  But for the first one I can confidently say that it wasn’t a bust.

If it wasn’t for the AlertLogic guys showing up (they were early, I might add) the gathering would have been sparse.  And Misha dancing on the bar really made the night lively.  OK, he didn’t dance on the bar, but Misha said I should make up stories to draw more people in next time, so there you go.

Harvey Nusz showed up.  Harvey is a good guy and is very active in the security community down here in Houston and does a lot of compliance and security consulting.  Thanks Harvey.

Sam Van Ryder was there.  Sam is a good friend and is a SALES GUY (inside joke from last night) at AlertLogic.  Thanks Sam.

Like I said above, Misha Govshteyn was there.  Misha is the co-Founder & Chief Technology Officer at AlertLogic.  Very cool guy.  Needs to blog more, though.  Thanks Misha.

Johnathan Norman was there as well.  He is one of the AlertLogic smart guys.  Specifically, he is the operations manager over there.  He showed me around their SOC a while back.  And he’ll shoot me for this, but he is a dead ringer for Tiger Woods (except he didn’t have Elin Nordegren with him, which was disappointing to Misha).  Thanks Johnathan.

Jeremy (didn’t get his last name) from AlertLogic showed up with the rest of the team (I told you these guys were everywhere).  Jeremy is another smart guy over there.  He is on the security research team, so he spends his time looking for new bad stuff coming out.  I had some good conversation with Jeremy.  Very smart guy.  Thanks Jeremy.

Ronald Blakemore was also there (he heard about the gig via Harvey Nusz).  Ron is an independent IT compliance consultant, and was one interesting individual.  He has seen a lot of stuff, and he had a lot to say about compliance.  I learned some stuff from him last night.  Thanks Ron.

And last but certainly not least was Randle Moore, owner of Set Solutions.  I have known Randle for a while now via the security industry.  Randle is a good guy and is looking to build his professional services team at Set Solutions, so if you need some work, shoot him a line.  Thanks Randle.

And then there was me.  Of course, I need no introduction.

Thanks guys for showing up.  I think I will try to do this every quarter.  I might actually do a little more next time as far as making it more formal, buying some food (I did buy some appetizer trays last night), etc.  And I am trying to decide whether a weeknight or a weekend night is best for this.  I know Cutaway’s opinion :), but if anyone has a suggestion, let me know.

Vet

Posted by Michael Farnum on Friday, October 5th, 2007

Filed under Security

REMINDER!!!  BayouSec is tonight at 7pm.  We are meeting at the Dave and Buster’s on Richmond Ave.  The address and phone number are:

6010 Richmond Avenue
Houston , TX 77057
713/952-2233

Come out and have a good time.

Vet

Posted by Michael Farnum on Thursday, October 4th, 2007

Filed under Security

I am going to make another parallel of security to the real world (not that security isn’t the real world, but I couldn’t think of a better term to use).  Of course, this parallel might make some of the guys out there question my manhood, but oh well.

So my wife is a sugar artist.  Basically, this means that she uses sugar as a medium for her art (not too hard so far).  She bakes cakes, she makes flowers from something called gumpaste, makes other creations with royal icing, etc. (she enters these pieces of art in competitions and has won some awards as well - she’s very good).  Anyway, she went to a show this last weekend, and she showed me some pictures of the cakes there.  Now I have become quite a good judge of cakes and sugar art in the last few years, simply because my wife has pointed out things while she made cakes or we looked at other cakes. 

She pointed out one cake in particular to ask me what I thought.  Confident in my abilities, I boldly stated that I thought it was fairly good.  But April quickly pointed out that almost all of the decoration on the cake was made with molds.  The person who made the cake did not do much more than pour some type of sugar medium into a mold, let it dry, then put it on the cake.  Basically that means that the technique in making the cake was not very complicated. So essentially, the advent of molds in the sugar world has made it possible for almost anyone to make a cake that looks really good.  A judge will notice it in competition and take off points since the technique was not complicated, but the cake still looks good.

So I drew a parallel for April to the security world (and I don’t even think she rolled her eyes when I did it).  I said this was very reminiscent of the script kiddies in the security world.  A long time ago a hacker had to know what they were doing to break into a system (I don’t like using “hacker” to mean a bad guy, but again, lack of a better term).  But some of those same hackers that knew what they were doing started writing tools to automate the work.  Well, these tools got around, and people who really didn’t know all the ins and outs of hacking suddenly found themselves having the ability to hack systems.  And these tools have steadily gotten easier to use and more powerful.

So there you have it.  The world of security and the world of cakes coming together in my jacked-up mind.  By the way, the picture is my wife’s cake, and there is no molding going on there.  And she won first place with this beauty.

Vet

Posted by Michael Farnum on Thursday, October 4th, 2007

Filed under Sheesh

I was going to write about this (and here), but I was actually working today :) and missed it until I got home.  I knew something was going on when I came home and Outlook showed that it was downloading 312 messages (I normally get 50 - 60 in my personal email).  

Sheesh…

[UPDATE]: A forum has now been created for the people in the list that still want to network with each other but don’t want to have their email inboxes filled up.

Vet

Posted by Michael Farnum on Wednesday, October 3rd, 2007