Wednesday, November 27, 2013

LinkedIn ethics

[TL/DR version: Is it ethical to "connect" with an interviewer on LinkedIn during the hiring process?]

As a professional and a contractor, my name is my most important asset. Therefore ethics are everything to me. This is especially important because I am an Information Security professional and usually have access to confidential information. I need to be trusted.

When I first started with LinkedIn, even if I knew all of the interviewers for a job application, I wouldn't look at their profiles. I could - but I wouldn't.

Eventually, after reflection, I did look at their profiles but wouldn't refer to anything in them lest they think I was spying on them.

More recently, it has become so normal to "research" the interviewers that if you don't look them up on LinkedIn you are seen to be uninterested. Some employment agencies actually supply the LinkedIn profiles or URLs as part of the job specification.

My question is simple - is it encouraged/discouraged/ethical/unethical to send a LinkedIn connection request to an interviewer? When is it appropriate to do it? Is it an unfair advantage? If you land the job, could it be seen as cronyism? Or is LinkedIn professional enough that your contacts are not necessarily your friends?

If the interviewer accepts, what is the protocol? Can you talk directly to them while they are deciding on the position? Should you take that opportunity to talk to them, maybe making yourself more human and more of a person than a "candidate"?

Many articles on "how to land that perfect job" (on LinkedIn, it is usually "X things you are doing wrong in job interviews and how to fix them") usually promote the idea of a "follow up" which cements you in the interviewer's mind and makes you their preferred candidate. Can you use LinkedIn to do the same?

One other thing is that some of the people I have met while looking for work have been the most interesting and insightful people and are certainly the type that I want to add to my list of contacts. I usually wait until I hear how the decision went and then send a request.

Am I being over cautious?
Am I shooting myself in the foot while all the other candidates are jumping in as fast as possible to make a good impression and I seem uninterested?

Or, am I doing the right, ethical thing?

Tuesday, June 4, 2013

Slideshow: A Practical Example to Using SABSA Extended Security in Depth Strategy


A Practical Example to Using SABSA Extended Security-in-Depth Strategy from Allen Baranov

Following on from my last post, this is a practical way of using the extensions I proposed for the Security in Depth part of SABSA.

It gives an example of creating a Firewall Standard using the extensions.

I found this to be easier to do with a presentation than explaining it on the Blog so there you go.

Please let me know if you have any comments on this process.

Also, note that I am still looking for a job, preferably in Information Security Management, Compliance or Information Security Architecture. Have a look at my LinkedIn profile for more information - http://au.linkedin.com/in/allenbaranov

- Allen Baranov

Monday, May 20, 2013

A more positive and comprehensive SABSA Strength-in-depth Strategy

[Extending SABSA's Strength-in-Depth Strategic Controls]

SABSA is brilliant. In one short week, I had my head expanded to exploding point. I highly recommend it to any Security person who is looking to understand more about how what they do impacts a Business.

What is very interesting is that Business people understand risks. That is what they do. They understand governance and they also understand (to complete the GRC triad) compliance. They may just not understand IT-specific risks, controls, etc. Usually IT is structured so that the Business talks to the CIO or some form of "Business Specialists" who represent IT to the Business. But the CIO usually doesn't understand risks and the Specialists almost certainly don't. IT is not keen to wheel out the Security guys to talk to Business, but SABSA is a useful tool to help all three parties - IT, Business and Security - to talk positively and come up with real solutions.

One of the really clever features of SABSA is that when it comes to "Attributes" which are basically "things the company would want to have" - they are all positive. "We want to put these controls in place so we don't fail our Audit" is not as good as "If we implement these controls, we will be totally compliant". "If we don't fix the authentication issues, someone may hack us and change stuff" is not as good as "If we fix the authentication issues, we will have a higher level of comfort around the integrity of our financials." A Business person hearing that will hear "blahblahblah..comfort..integrity..financials" and will give you at least some time to explain the "blahblahblah". Brilliant. 

All fired up after the course, I was thinking about how to write Standards so that they would have a similar level of positivity in their descriptions. The first Standard I turned to was the Firewall Standard. I then looked at the SABSA Strength-in-Depth sheet and it was obviously a "Prevent" control. (Or Preventative, even.) But that is the default state of a Firewall and has the same effect as unplugging the cable from the Internet router. You are essentially preventing everything... this is very safe... but not very useful, obviously. So, we open rules for traffic that is allowed. This is necessary and fits in with the whole SABSA philosophy of "business driven" and "risk and opportunity based". So, for this to work, there should be a positive to each of the negatives for the Strength-in-Depth controls.

"Prevent" was easy - the opposite is "Allow". So, working from this - a Firewall Policy is a combination of negative and positive controls that allow good traffic flow and prevent bad traffic flow. Restating that - "We have a Firewall with a policy/rule-base/control-list that blocks bad traffic so as to allow good traffic to enable good business transactions". 

Spam control - "We prevent spam at the border and allow good mail to flow inside our network to make management of mail more efficient and cost effective and to keep staff motivated."

I chose to group these actions as "Enforcement". 

That was quite easy... what about "deter"? Well, deter is informing "users" of what not to do and what the consequences may be. The opposite is informing users of what they can do and of the benefits of connecting. My choice of word for this is "invite" and the group is "negotiate". This can cover more than just MOTDs and logon warnings. Once you add the positive aspect to it, it can cover Acceptable Use Policies and Terms and Conditions.

The interesting thing is that once you define "Negotiate" and "Enforce" and add in the positive aspects, they also flow more easily - once you negotiate that someone may use a certain system, you remove the enforcement that denies them access and allow them to access the system within the limits of what was negotiated.

So, those are the first two controls in the strategy - the easier two. The others are "contain", "detect and notify", "evidence and track","recover and restore" and "assure". My feeling is that "assure" is the odd one out. It is almost a meta function of this process. In programming terms we would have an API that feeds what we are doing into the next level for assurance. "The Firewall is blocking all bad traffic and allowing all good traffic" is assurance. So for each control we need to consider "assurance" but I don't believe it deserves a category all of its own. 

Moving along, I have had some difficulty in working out the positive aspects of the other controls. "Contain" is like an ad hoc post-breach denial of a certain type of traffic or user or system. This could fall into "Enforcement" as "Post-Breach Enforcement", with the positive being "allow known good traffic or systems or users to operate without being influenced by known bad traffic, which is contained (denied access to the known good systems)."

I have grouped "Detect and notify" into "Activity Monitoring". If it is a good transaction then it should be detected and the service can be performed on it. If it is a bad transaction then it should be detected as such and the correct person should be notified in a predefined timespan. 

"Evidence and Track" can be done for all traffic. This is "Traffic Monitoring". Bad traffic should be recorded and analysed. Good traffic should be baselined and services improved accordingly. I have called this "Traffic Monitoring" but I think it can be used for all types of actions. However, I believe it to be more general than Activity Monitoring, which looks at a specific event in depth, whereas this applies to a broader stream of activities. "Activity Monitoring" would notify of a user locked out of their account. "Traffic Monitoring" would notify of a number of strange attempts to guess passwords across the organisation.

"Recover and Restore" is very important but I haven't applied a positive aspect or generalisation to it just yet. I think it deserves more thought. 

So, in summary - here is my list with the original SABSA strategic controls - my generalised groups and the additional positive strategic controls. 

This is still a work in progress so any comments or creative criticism would be appreciated. 

I haven't used this model in any practical applications but I am keen to as soon as possible. 

Thursday, May 9, 2013

If you know nothing else about Information Security... know this!

[The best advice you can get (today anyhow)]

Information Security, like any other profession or specialisation, has a lot of confusing technical terms and jargon. It has tools that only experts can use and statistics that only the same experts can read. It creates a brotherhood (and sisterhood) of professionals and this is fine.

But, also like other professions, Information Security has its borders of knowledge and its dark scary patches. "Thar be dragons!" Or pirates, or the end of the earth. Or (back to Security) APT. Or super skilled haxors with l33t everything. The guys that can escape jails and sandboxes. They can string single characters together to create small but dangerous stack attacks where there is no stack. And evade DEP and take over phones that don't allow even good programs to do naughty things.

These are the stories that Information Security professionals tell each other. These are the stories they tell their kids over camp fires and only at night and slowly and carefully. Each. Word. Leading. To. The. Next. Scary. Word.

But the reality is quite different. Most doctors that I know, even GPs and only the good ones, have specialities and other interests (not Golf..) because, although they have been through many years of medical school, most of their patients are either suffering from a cold or flu and require either pain killers and cough syrup or antibiotics. The more interesting patients may suffer from allergies to penicillin but that is where it ends.

So it is with Information Security. While we worry about super-great hackers, the two biggest, highest-profile breaches of recent times have been via a Firewall backdoor in the Playstation network that relied on people not digging in their Playstations' code, and a trojan email sent to some non-technical staff at RSA Security that led to them recalling their entire product range and to their devices being used to break into some US government departments.

Verizon comes out each year with a report on major breaches across the world. Every year it tells the same story - they are opportunistic, not targeted, and they are generally (68% in the 2013 report) easy.

So, if all Information Security is, is a lot of flu... what is the Vitamin C equivalent?

Websense is a company that specialises in border control systems. They are the guys you swear at when you can't browse Facebook at work. They also block a lot of nasty sites and can block secret documents leaving an organisation. They have a lot of systems out there keeping people browsing what they are allowed to. A lot. They gather a lot of information too. Like, what version of Java people are running. They published this pie chart recently:



This is the spread of different Java versions that are used around the world, mostly in organisations but also by home users (and office staff who take their PCs home). The interesting thing about this pie chart is that if you are running anything but the version coloured dark blue at the top right or the thin red line next to it, you are at risk of downloading malware automatically. Let me rephrase that in my campfire voice - if you are not in the 5% of people running the latest version of Java in your browser, you can get infected by any number of types of malicious software (most of which are out to steal your money or files) AUTOMATICALLY (fire crackles). You don't have to do anything to get infected, the website does it for you. More than that, your antivirus won't know about this "transaction" until it is too late. 5% of people in the world are safe from this. Simply because they are running the latest version of Java (which is free to upgrade). That right there is your vitamin C. Patching Java (which 95% of people don't) will protect you from the flu. It won't protect you from interesting attacks, but those are less likely to find you.

Do online attackers actually use Java? Yes, they all do, from guys looking to steal money, game credits and information, to large Government agencies, to groups like Anonymous and Lulzsec. Why? Because it's easy to attack and works against 95% of all browsers. Why wouldn't they use Java exploits?

Advice? Patch Java. And flash too. And Microsoft software. Then sleep happy.

And go camping.


Friday, October 5, 2012

What if - trams actually turned into rhinos?

Anyone who has spent enough time in Melbourne would have caught a tram and would have probably seen this poster:


It is a warning about how dangerous it could be to be hit by a tram, published in the interests of passenger safety by Yarra Trams.

My brain did a bit of a wobble and came up with this question:

"What would happen if magically each of the trams in Melbourne were to turn into 30 actual rhinos?"

The worldwide numbers of rhinos are scary. They are so close to extinction, so let's quickly look at them:

According to http://www.savingrhinos.org/rhino-facts.html :


  • Javan Rhino - population is less than 60 individuals. Most of these rhinos are the Indonesian Javan Rhino subspecies. The Vietnamese Javan Rhino subspecies consists of 5 individual animals and may not recover. The Indian Javan Rhino is extinct.
  • Sumatran Rhino - population less than 275 individuals, with poaching on the rise
  • Black Rhino - population 3,725. West African Rhino species declared extinct in 2006. From 1980 until 2006, 14,000 were slaughtered by poachers.
  • Indian Rhino - population approximately 2,400, a conservation success story - but poaching is on the rise due to regional political instability
  • White Rhino: Northern White Rhino - it was reported on June 17, 2008 that the last 4 individuals were killed by poachers. Southern White Rhino - 14,000 surviving, due to conservation efforts

So if 1 Melbourne tram turned into 30 rhinos... it would only take 2 trams for Melbourne to have half of all the Javan Rhinos in the entire world.

It would take 10 trams to turn into 30 rhinos each for Melbourne to have as many Sumatran Rhinos as there are in the world. 

It would take only about 120 trams for Melbourne to have as many Black Rhinos as there are in the world. Poachers have killed about 500 trams' worth of rhinos recently, leaving us with only 120.

There are about 466 trams' worth of White Rhinos left in the world.

Yarra Trams have a rolling stock (according to Wikipedia) of 487. So if each of these had to change into 30 real rhinos that would leave Melbourne with 14610 rhinos. 

The population of Rhinos would almost double! That is how few of these iconic and beautiful animals are left. 

Also, which type of rhino the trams turned into would probably determine how the city itself reacted.

White rhinos are pretty relaxed ("no worries") and would generally just stroll around looking for some grass to eat like some large, grey, horned cows. They would do this in herds of about 15 - so a tram would yield 2 herds. 

If the trams turned into Black Rhinos then Melbourne would have a bit of a problem. It would have a quarter of all Black Rhinos in the world, which would be an amazing thing for conserving this magnificent beast (if only!), but these are very angry and aggressive animals. They will charge for no reason and they can show what their horn can be used for (not decoration or medicine). They are also territorial and will fight each other. They can also run at speeds of about 50 km/h. On top of all of this, the city would be impossible to get out of because the roads would be blocked by huge beasts, there would be no trams, and walking and cycling would be dangerous.

But at least the people of Melbourne would be privileged to see this beautiful beast before it is relegated to zoos or killed off totally.

White Rhino just chilling at the State Library of Victoria

(hat tip to http://what-if.xkcd.com/ for making me think strange thoughts)

Monday, October 1, 2012

IT vs Business (The War We Don't Even Know We Are Fighting!)

[IT is out to kill the business - Business is out to kill IT. We all win!]

My dad has essentially worked for 2 companies in his 50 or so years in business and, had he not emigrated, he probably would have stayed at one. I worked at 2 companies in just my first 5 years of full-time employment. And this is not strange. No one viewed me as unstable or a "job hunter". It is just the way it works.

"Knowledge workers" moving companies is not something new with the average length of service to one organisation being about 3 years. I've heard that this is tending toward 2 years or even 1 year. Where will this trend lead?

It was only when I started compiling my most recent CV that I realised just how busy I had been over the 4 years that I was employed at my previous employer. But I still managed to have spare time. It would have been amazing if I could have done what I was doing but for 2 companies at the same time, with both paying me for the output. Or even better - doing half of what I was doing but for 3 companies, with another person doing the other half for 4 companies. There are only so many ways an "ISO 27002 compatible Antivirus standard" can be written and only so many variables that can be manipulated. All companies need to patch and all need to do so in the same time period, so an "ISO 27002, Cobit and ITIL compatible Patching Process" would be almost identical for all of them.

Good thinking Allen, but there is a word for this - "Contractor". Exactly. And my employer had many contractors. And Australian businesses seem to have many more. But my argument is that the trend toward using more contractors can actually get to the point where there are no permanent employees in a company.

None.

I love the word "company". We are so used to using it that we never actually look at the word itself. "Corporation" is the same. A bunch of like-minded people coming together to keep each other "company" and do something positive. So... let's explore that. A loosely joined "web" of people coming together and using technology to collaborate on a set of ideals. This sounds like a web-board. I haven't seen one yet but I could certainly label the idea of a "cloud company" as "plausible". Crowd sourcing an entire company including funders, workers, salespeople, delivery people, cleaners, security (the physical type... do we even need them if there are no premises?), management, etc. And since everyone is a contractor, SLAs are important and everyone is measured. You don't need layers of management - you just need clear outcomes. If the whole thing falls apart then everyone just leaves. If it works then the whole process is repeated. There is no workplace and no work hours. There is no receptionist but there may be someone hired to communicate with the outside world, and they would need to be available during office hours. (Or this could be outsourced with a follow-the-sun communication plan) - imagine a company that is working 24 hours and that can be contacted at any time.

The interesting thing here is "who owns the intellectual property?" The general processes and procedures and "intellectual property" such as "patch management", "how the phone should be answered", "how is the product packed" and "how fast should it be delivered" could belong to the individual contractors. The IP that I am interested in is the "core IP". The recipe for the product, the design of the product, the trademarks etc.

So, using technology and IT, it is possible to have a company with no "company". No buildings, no desks, no "office hours", no front desk, no lawn to mow, no delivery vehicles, no office. Just a technologically connected bunch of like-minded people with a single outcome. The technology is available, we just need to use it, and companies have been dipping their toes into this slowly. This is something that doesn't happen overnight. But it is happening. One benefit is that the "employees" can work on a number of projects all at once. Or not. It is their choice, but using Facebook to waste time waiting for the end of the day is no longer an issue.

So... IT is out to kill Business.

Then we have the other trends, which are mostly being driven from the non-IT part of the business. These are Cloud Computing, Consumerisation and BYOD. IT is brought in and asked to manage these, but these are all areas where the IT department has had full control and has had to relinquish some of it so that Business can work with the tools that they want and use services that they are familiar with, but without the red tape that IT can spin when delivering an "enterprise ready" solution. Taking this further, is it possible that Cloud services could make it simple for Business to totally bypass IT and put their own solutions together without bothering IT? This could range from "I have a new employee in my team. Let me just hook him up with a mailbox and a fileshare" to "I need a way to track my sales staff" to "I need a way to report on the company financials", etc.

Where does that leave IT? Well, in quite an interesting position. There should probably be someone to manage the services even if they are "cloud" or "PaaS". This also leaves IT in the interesting place where they become advisers and architects to Business. "Did you know that you can use this service to monitor your staff? No? I'll just hook it up for you. They offer 30 days for free." etc.

So IT ends up being forced to talk "solutions" to business rather than "tech talk" and gradually manages the IT systems outwards until there is no IT department but internal IT consultants offering solutions to business people who own their own IT solutions.

These two scenarios are not mutually exclusive - they can both happen. And are happening. And, in fact, feed off each other. The less red tape that business needs to deal with, the quicker they can create flexibility and allow work to be done by contractors. Some companies will take longer to get to "a loosely bound group of like-minded people working toward a goal" without the traditional company holding them together, but it will come.

This may sound like fiction but ask anyone 50 years ago about whether they would trust someone who moves jobs every 2 years and they would find it difficult to do so. Now it is normal.

So, (you ask) where does this leave Information Security? And I was hoping that you wouldn't have asked. It is not an easy thing to answer. This movement toward less central control will scatter the IT field (mainly) with concepts such as "Cloud", "PaaS", BYOD and "consumerisation". And IPv6 will just accelerate the change. In all of these cases we end up with less control and more freedom. But the controls don't go away. They just change. In fact, in some cases they get better. In some they get more complex, and in some the controls that were important but were overlooked become essential.

The information security team really needs to get more of an understanding of the company and who owns which piece of the process from raw material to money in the bank. Who owns what information and what can be ignored and what is the essence of the organisation - the IP that is so specific that the company is defined by it.

Forget patches and antivirus patterns. Those can be outsourced. Information Security is about working with the company to know itself and how the essence of the company can be protected from those that will do it harm. And we need to do it quickly while the company is still an entity on its own.

Friday, September 14, 2012

HD Moore's Law? How can you tell if you are compliant?

HD Moore's Law is a joke. And not a very funny one either, being a pun that requires you to be very technical and to know the IT Security community just to get halfway to understanding it. It usually requires the user of the term to explain why it is funny, and that is a serious faux pas when it comes to jokes.

So, let me explain the joke. :)

Moore's Law is pretty well known. The majority of people know it as "computers will get faster each year" which is close enough to the actual definition as to be useful for making decisions such as "I don't need a PC right now, should I wait a bit?" The answer is "yes, if you wait then for the same amount of money you will spend now, in the future you can get a more powerful PC." Moore's Law.

(The actual law itself was coined by Gordon E. Moore from Intel who predicted that the number of transistors on a chip would double every 2 years.)

HD Moore created Metasploit, which is a framework for creating and running exploits. Being a framework, it is as clever as the person using it and can be used to break into anything with enough time and patience and understanding. However, it can also be used by someone with minimal knowledge and understanding to quickly break into a badly protected system.

This really divides attackers into two camps - dedicated and opportunistic. The controls to protect against both of them are very different but initially an organisation should be protected at the very least against opportunistic attackers. This is HD Moore's Law.

But the exploits available on Metasploit are always changing and the systems that can be attacked are expanding. There are modules available to attack PHP. This means that PHP falls into the "opportunistic" area of HD Moore's Law.

My question...finally....is this....

What level of patch does each and every type of software have to be at to avoid falling foul of HD Moore's Law?

Does anyone know?

Because, jokes aside (and it wasn't a particularly good one to start with), knowing that an organisation is not at risk from opportunistic attacks would be useful - more so than knowing ISO compliance or that staff are deleted off the system within .578 microseconds of leaving the organisation.

Then more dedicated attackers can be targeted using the controls aimed at them.