Monday, May 24, 2010

Horses for courses: On being a consultant

I know this title might sound really funny/wanky/whatever, but I have wanted to write it for a while, from my perspective of transitioning from in-house security to being a security consultant. Most of my mates in security have been consultants almost exclusively or haven't worked security at a single organisation as permanent staff for some time. Also, I don't know if anyone reading this hates the "suits" (I know I did at one point) - but I'm going to write from my own experiences and hope that people take away something from this. I've been a consultant now for about seven months - enough time to get a feel for it. I think there are a few things I've learned.

Way back when I first started in I.T., part of what I liked (apart from the tech) was the fact that the techs got to pretty much work whatever hours they wanted and the dress code was pretty liberal (this was back in the late 90s btw). At one point, I made it a mission statement to see how far I could get in my career wearing tracksuit pants, and I used to sneer at those who turned up wearing suits.

Anyway - fast forward to today. I wear a suit and tie every day (except for Fridays generally). I don't know if I'll ever get used to it. I get home and change back into my tracksuit gear every day. But what I have learned is that being a consultant is actually an honour. As twisted as that may sound to some, it's the truth.

As security consultants, we're typically called in when there is massive pain in an organisation. Conficker outbreaks, systems hacked, credit card breaches, impending audits, project failures, skills shortages - you name it. We get pulled into hairy situations and we're expected to solve them.

As a consultant I have a sense of professional pride in what I do. We help customers deal with that pain, drawing upon our own experiences - what we know technically, what we've seen in the field, what we know to work (as well as what doesn't) - leveraging our own skills and drawing on those of our employer or of our client as needed. Every site, every situation represents a new puzzle that needs to be solved. I tell my manager to throw me into any situation that comes up. I love that challenge and I get a kick out of helping people in these situations.

One of the things I really enjoy about consulting is that, having been in-house security for so long, I feel I am able to empathise with the client. I've sat in their shoes, I know their pain. I know what it's like to have no budget, no direct purchase authority, being understaffed or underskilled for some of the challenges, being chucked into the deep end and expected to swim. It seems like a hopeless war that can never be won (certainly not something I care to return to, that's for sure!). There is almost no situation I don't think I've seen or can't help deal with. From having to champion security requirements, find sponsors, internal mentors, budget, deal with auditors - the whole bit. But no matter where I go, I know I can help.

However, what has surprised me is that not many consultants have had the same or a similar experience to mine - having seen something a consultant has proposed, implemented it and seen it through to completion. So I guess I have a very different perspective on things, which is why I try to take a very pragmatic view on consulting and security.

Some people aren't suited to consultancy either. I've met some people who are technically brilliant but aren't able to reconcile that expertise with real-world scenarios. Like consultants who recommend disabling wireless on the CIO because it's "not secure". Or consultants who tell clients that they're wasting their time on T&M engagements because the client isn't giving them "challenging work". This attitude sucks and it's these people who give consultants - and in fact entire companies - a bad name. You know what? The simple fact is that this work isn't for everyone and that's fine. It takes all sorts to make the world go round.

Personally speaking, I think consulting is a worthwhile experience for just about anyone, even if you come to realise quickly that you hate it and you hate dealing with clients directly. Awesome, move into vulnerability research, programming, engineering - hell, move onto professional writing if that's what you want to do! Just whatever you do, move onto anything that doesn't revolve around having excessive client contact.

Personally (for now at least!) I love the work. I have had the good fortune of working very closely with some brilliant consultants and managers lately and they constantly inspire me to lift my game. It is their professionalism, attention to detail and watching them apply their skills to helping clients that has really rubbed off on me. It is they who have really drilled it into my head what it means to be a consultant, the difference between being correct and being pragmatic and what it truly means to have a sense of pride about your work.

I remain skeptical of some companies recruiting people straight out of uni into consulting, or even before they graduate. I personally think you need real world experience. Granted there are exceptions (and I can think of a few) but unless the person has some serious skills, there is something fundamentally NQR about getting a n00b to walk into an organisation and tell them how to suck eggs. I know managers who will not recruit people into consulting roles unless they have a consulting background or extensive experience in security - and that I think is a good policy to maintain (although others may disagree).

Anyway, while we all have our challenging days, consulting is one of those things where every engagement represents a new challenge, a new problem to solve, a new company that you can help. In some cases you may not be able to bring about effective change - that might be something only the client can do themselves. But at least each site offers you a new experience you can learn from. Or as someone once put it to me "you get to see all the companies you DON'T want to work for". :)

Hey, horses for courses.

I guess my point is that everyone - be they consultants or not - needs to find what they enjoy and embrace it, master it and take pride in it.

- J.

PS: I promise I won't keep writing about this fluffy stuff and I will try to post something with a bit more depth soon. But this blog is about my travels through my infosec career and I think this transition is a big part of it that should be covered.

Friday, May 21, 2010

AusCERT 2010 in Review

Well, it's the day after AusCERT 2010. I thought I would post some of my thoughts and feedback on the event since I now have my own soapbox upon which to rant. Having said that, it's been three years since my last one, and this was round #4 by my count. So I think I'm an AusCERT veteran by this point. But I would definitely welcome feedback/thoughts from others who attended.

The Good
There seemed to be more sponsors at AusCERT than ever before. Yay for AusCERT! Also, the Royal Pines is a great venue and the catering, as always, is awesome. Please keep it here!

Several talks deserve a shout-out as big wins in my book. I realise at least one or two of these may be controversial to some, but I'd like to call them out:

Stranger in a Strange Land: Reflections of a Linux Guy in Microsoft Windows; Cyber Intrusion: A Government Case Study; US Secret Service: Cell Phone and Embedded Technology Forensics; Black Hat, White Hat, Gray Hat, RedHat: What Dr. Seuss Forgot to Tell You About the Computer Hacker Community 2.0; The Rules of the Internet, and the Browsers That Break Them; A history of Microsoft exploit mitigations; Professional Vulnerability Research and Analysis (my personal favorite); John Stewart (CSO for Cisco - Closing Address).

These guys had really good presentations - everything from showing things previously unseen or treated as dark arts, to providing unique insights into particular issues, or even just inspiring people to look at things a little differently.

Of particular interest to me was the Professional Vulnerability Research and Analysis talk. I also wish I had made Setting the scene in vulnerability work, but for some reason I wound up in the wrong room listening to a McAfee talk about APT (again.... APT... sigh...). Vulnerability Research is regarded as the blackest of black arts within infosec IMHO - and it's really refreshing seeing industry professionals peeling back the hood and showing everyone what makes it tick. Chris, if you're reading this - I want to see a one day training seminar. Thirty minutes didn't do your presentation justice. Also, I'd like to call out Daniel Grzelak and Paul Theriault for their talk which highlighted some of the newer and evolving web security threats. With HTML 5 still being thrashed about, this talk gave a good highlight of things to come.

The Bad
The speakers were shafted. Straight out shafted - the end. Their "gifts" were very crappy-looking metal wallets with the AusCERT logo that were completely impractical for anything beyond storing cigarettes. I can't even say that they'd function as paperweights because they seemed too light. AusCERT need to lift their game and provide speakers with decent presents. Would a bottle of wine and/or a voucher for a security book from the book stand be too much to ask?? On this count, I thought AusCERT were very, very cheap. Without the speakers, they have nothing. They need to recognise this and pay due recognition.

Secondly, the talks are way, WAAAAY too short. It seemed each slot was 35 minutes, with 5 minutes allocated for questions. When I see talks like Chris Spencer's (which is one of the most detailed talks given at the event) on a topic of great interest, then it seems to me that they do the speakers and the audience an injustice. Black Hat goes for approximately an hour and 15 minutes, allowing plenty of time for setup and Q&A. I would suggest that AusCERT needs to find a happier medium.

Thirdly, the transport situation was unacceptable. For those of us who didn't stay at the Royal Pines, there were only two buses departing from our hotel. A whole group of us (at least 8 from DD) were waiting at the bus at the correct time. When I tried to board I was promptly kicked off (presumably because it was full, but I was never told directly why), at which point they drove off - with no further bus forthcoming. This was very crappy handling of the situation. I seem to remember a time when buses used to run regularly and this was never an issue. Why was it an issue now? I feel they should pay the $30 cab fare we incurred as a result.

Fourthly - and this is something that hasn't been vocalised before, but I will come out publicly and state it. There has been an ongoing 'rumor' that AusCERT has always shown particular favor to talks given by sponsors. This has never been more prevalent than it was this year, when five talks from Stratsec were accepted and one training seminar. SecureWorks were accepted for three talks. Seriously - WTF?

Now I will be the first to shout out how awesome the Stratsec crew are, having worked with a good chunk of them for a good length of time and being proud to call at least two of those that presented my friends. They know their stuff and they had a wide array of topics, all timely, relevant and illuminating. But seriously, FIVE talks from the one sponsor? When talks are being knocked back by non-sponsors and five talks are selected from one, it is clear there is a problem. I would like to stress that this is a failing on AusCERT's part and certainly no reflection on their (Stratsec's) capability. In the past I know of people who have had their talks knocked back and yet sponsors were given a slot for presenting almost the same talk in a non-vendor slot. Also, I'd like to add that this criticism isn't because I didn't get to speak (so don't think it's sour grapes). There were a number of factors at work on that front (and mostly my own fault):
  1. I didn't present my synopsis by the due date (I was told by staff in Dimension Data I could use our vendor slot, which would be guaranteed),
  2. Dimension Data cancelled their sponsorship this year,
  3. By the time I submitted my presentation to AusCERT, I was told they'd already found someone to talk on my topic.
I also know of people whose talks were not formally accepted until the last minute and then given the worst timeslots. I personally don't have a problem with one talk in a sponsor slot and another in a non-sponsor slot. But to throw out too many non-sponsor slots to multiple sponsors reeks.

AusCERT organisers need to lift their game, be more objective and more fair in assigning their talks. They also need to consider variety and people other than sponsors. While I could name names, I certainly won't; they know who they are. If they're reading, they should be vocal and voice their concerns to the powers-that-be.

The Indifferent
Attendees seemed to consist mostly of Queensland local councils and businesses. I did not see many businesses from Sydney or Melbourne unless they represented security vendors, consultancies or professional services firms. Some did come, and I did see a lot of the usual education, federal government, defence and law enforcement crowd; I just didn't see a lot of businesses. Is AusCERT losing its relevancy to these audiences? That said, the attendees were around the 1000 mark - which was about where it was when I last attended. Weird.

Too many talks just plain sucked. In some cases, it was blatantly nerves/first time speaking. Can't blame that; those people deserve kudos for having the balls to step up and do something.

However, some people presented talks that blatantly did not match the description. Richard Steinnon's talk 'Titan Rain, the inside story of Shawn Carpenter' was a prime example. The talk description stated (amongst other things): 'Attendees will learn the methodologies the Chinese used to steal critical data on the Mars Lander and military data from US research labs. They will also learn the techniques Shawn employed to back track the hackers and use their own tools against them.' This is a blatant lie. Certainly the author needs to share a measure of blame for an ill-fitting description of his talk, but again, the blame rests on AusCERT's shoulders. Why wasn't this picked up in QA? Did any QA of the talks take place? I know that sponsor talks aren't usually QAed - but this only led to further questions - like, are sponsors that present in non-vendor streams QAed? What is the QA process? Again, yet another thing that must be fixed on the AusCERT side.

Part of my view is that too many of the talks are now becoming non-technical in nature. While I am certainly not as technical as some, I like to have a balanced view of things. In years prior there used to be a technical and non-technical stream. This is no longer the case. Now the talks seem to blend and in many ways, become more watered down. Is this a result of popular demand and market forces? Quite possibly - I simply don't know, but I certainly hope this trend isn't going to continue.

Also, while I like Max Kilger's talks and found him animated and engaging and the topics highly interesting, I found that he threw around numbers far too whimsically. He often did not clearly cite his references or how he arrived at these numbers, and started jumping straight to conclusions. At the very minimum, he should have pointed out where a copy of the research could be found so the audience could see for themselves. While this is a nitpick of an otherwise brilliant view of things, I felt it smacked slightly of bad science.

The Gala Dinner was apparently a let down (thankfully, I didn't attend). Dinner at the Royal Pines pales when previous years have seen it held at the Australian Outback Spectacular, Seaworld, Movieworld, etc. While Jimeoin as the entertainment and the meal got the thumbs up, the entertainment afterwards got caned. While I must stress I wasn't present for this, I don't know anyone that did attend that liked it. However, take that for what you will.

Lunch on the last day was at a different timeslot to every other day. Umm... why??

Vendor sponsored events for two nights in a row also wound up at the same venue. Again, why?? This is not AusCERT's fault and I'm sure it was coincidence, but this was disappointing. Then again, it might have been that I was drinking there on the Sunday night, making Tuesday night #3 at the same venue...

Finally, the SMS feedback system - I don't think it worked out well over the paper system provided in years prior (although I hear they had a different electronic system last year). I say stick with pen and paper, or otherwise provide an online URL that people can access. Sod the SMS system. Charging people for their opinion is the height of rudeness.

Parting Thoughts
Seems like sponsorship dollars were down this year for most. Yet, while there were seemingly more sponsors, the money didn't seem to go as far. Transportation was terrible, the entertainment lacklustre, and the quality of many of the talks seemed rather weak. Overall, the organisation just didn't seem up to scratch compared to previous years. I don't know whether it is a case of being spoiled in years prior or I'm just dreaming. Some of this I'm definitely not dreaming - in fact, most of what I've written here I can say is based on consensus feedback from numerous attendees I've spoken with. While I wouldn't say it was a failure or a waste of money (as there was value to be had) - there are many areas for improvement that simply need to be looked at urgently.

I would go so far as to say that if my experience repeated itself again, I would probably not attend. Based on the attendees I saw, I also feel that there is a very real risk that AusCERT is losing its relevance to private industry. More effort needs to go into ensuring its relevancy: stronger support for local security professional groups (AISA, OWASP) and actively drumming up support for talks long before the official request for papers goes out.

I welcome feedback from anyone who attended on this - sorry for taking so long.

- J.

Sunday, May 9, 2010

Facebook’s Gone Rogue; It’s Time for an Open Alternative

Worth reading. No -- mandatory reading.

I hope some outfit comes up with a new solution that is private by default, fully modular and allows users to customise every aspect of their profile to precisely define exactly how MUCH they want to share and with WHOM. Better yet, how about a system which uses Facebook's own APIs to support seamless export of all your own profile data into this new system (either that or script it up). Imagine being able to use Facebook's own tools to eliminate itself from the market. That would be a nice touch.

But of course, all this information costs money to store, right? So there is clearly an economic problem - but that's solvable. Want to make money with targeted advertising? No problem. This new Facebook insists that all ad networks and affiliates send THEM the ads and relevant metadata. New Facebook then filters ad delivery to the end user directly. Bingo - user data isn't shared. You then just focus on making enough money to sustain the service and ensure that user information is considered sacred. No fancy ass crap about exposing APIs to mine for data, no changing of default privacy settings, etc.

I'm pretty sure that users could live with targeted advertising if they knew that their information wasn't being shared and their privacy was being taken seriously.

Now who wouldn't sign up for a service like that?

- J.
PS: On a side note, this is how you get security to be seen as a business enabler.

Tuesday, May 4, 2010

Saturday, May 1, 2010

Wall of Shame: Accountability

This is, perhaps the most telling and damning reason why security fails.

In one of the documentaries I saw recently, there was an ex-CIA guy who basically said (and I'm paraphrasing here) that "we could solve the world's security problems TODAY, if people wanted. All they needed to do was make organisations criminally liable for poor security". The crux of the message is that people don't implement security correctly because, at the end of the day, they don't perceive that they have to. Or more specifically, they don't see why it should be their problem.

Despite the regulatory landscape of the US, one thing is clear - lawmakers and organisations are trying to introduce accountability for the actions of businesses everywhere. When the law doesn't work (HIPAA, SOX), then it relies on industry self regulation (PCI-DSS). While there are arguments why this is bad (ranging from the profiteering by vendors flogging solutions that act as the silver bullet to the above, to people dodging the whole compliance regime by doing the bare minimum and then tarnishing the compliance regime when all these organisations are pinged for non-compliance after they're hacked) - I believe the fundamental notion of compliance is sound. That is to say 'make people take ownership of the problem and fix it.' To date, it has been the single most effective - if not the only - way I've seen people spend money willingly on security initiatives (other than fear of compromise or actual compromise).

Looking at Australia, our regulatory landscape is simply not there. We're being dragged into the 21st century kicking and screaming by our European and U.S. brethren. For our financial institutions at least, APRA seems to be leading the charge with PPG234, and the Australian Government has the PSM. But seriously, we've still got a loooong way to go. Our global partners don't share our euphemism of "she'll be right mate". Our days of shoddy workmanship are closing. The fact is I often wonder how in the hell anything still works. Is it because we're not targeted - or perhaps the more scary (if not probable) thought that we are, and perhaps just lack the basics to be able to even detect it?

There are entire environments going unpatched, Conficker propagated by administrators unwittingly, who then heap the blame onto others who point out the problem and the root cause. These same no talent ass clowns are the ones that are completely negligent in their duties. Seriously, we need to start treating these so called "I.T. professionals" like we do negligent doctors - loss of practice, fines, negative publicity, jail time.

But do we? Hell no. That would be far too logical.

No, we just bury our heads in the sand, write the incident off that the individual has "learned his lesson" (what lesson exactly can be debated) and we move on. Nothing is done. No formal warning. The world just ticks on in its usual harmony and splendour.

And this is the culture within Australia. The presumption that everything will be right, it's not my fault, not my problem, that I'm a "unique and beautiful snowflake" blah blah blah. This same attitude extends to so many areas of our lives - our finances, our environment, our relationships. The net effect is we take everything for granted and do not value what lies before our face. The sad reality is most people don't until it's taken away - and this is my fear for Australia: that it is going to take an incident of incredible proportions before anyone takes security seriously. I thought the Google:China incident was a good start, but then again it's too far removed from anyone here in Au. No, it won't be until we've had our own "Digital Pearl Harbour" that people will take security seriously.

However, I've been in information security full time since 2003. That's about 7, going on 8 years (OMG, that long??). I don't think it's a long time compared to some, but it's a respectable amount I think. Am I naive in thinking this event will come, or has it already gone and I wasn't there, or am I waiting for something that is most likely a non-event? I don't think I've been in the game that long, but perhaps long enough to spot trends. The whole compliance thing is the only trend I've seen which has really effectively driven security - from the top down. Not to say that the solutions have been perfect mind you, or that audits are fantastic (I hate them personally), but what can I say, I believe in the approach, and having a top-down approach to any security problem is always a good start.

I have started to run askew from my original point, but my point was that in Australia we have a cultural attitude that is so pervasive within our working environment that it is almost impossible to solve any security problem as long as people don't give a damn (yes, I know this gives me job security, but that's not the point). I know that this isn't just an 'Australian problem' and I don't want to sound harsh bashing on my own country, but I've met too many people from too many countries (and seen too many, let alone worked in others) to know that it doesn't have to be that way. We - as a country - need to step up and start taking accountability. We're the fattest nation on the planet, the largest consumers of water per capita and one of the largest airborne polluters per capita in the world. For all the good things we have, compared to so many other countries, how did we let it come to this?? Why is it we have such a hard time setting the example for the right reasons?

Anyway, I'll leave you with this thought:

     Which is the greater evil: forcing people to do the right thing, or watching people avoid doing the right thing if it is easier for them to do so?

- J.