Oops!

Security is a wide area and there are all sorts of experts – not one master set of skills that you can find on any single resume.

A few years ago ~1994 I was at dinner with Mr. X. (Don’t want to embarrass him cause he still claims he is the smartest of us all.) I had only been in the field about 10 years and was learning, as we all still are every day. He told me, “I know everything there is about security….” ad nauseum. NONE OF US DO! (I choked on my Ratatouille but kept PC-ish and moved my plate to another table.)

The error here is with DHS PR. Someone used the media term “security expert” (sans definition) and off we go in the wrong perception-description; just as we have allowed the media to blame every security incident on ‘hackers’ – clearly a massive nom-de-guerre error by any standard.

Once we allow them to lock in the term “security expert” as a catch-all for anyone who can find the ‘on’ button or push Defrag or even do slick coding hacks, we are in trouble. No more than a company can run on one set of expert skills, security itself (like any vertical technical discipline) is a highly granulated suite of skills that must be integrated.

A CND/CNA (Computer Network Defense/Attack) suite of expertise includes, at a broad stroke, many skills needed to deploy an “information army”:

- Mapping People
- Cracking People
- Coding (CNA & CND)
- Reverse Engineering
- Social Engineering
- C3I
- Sniffers
- Readers
- Research
- Moles
- Analysts/Synthesizers
- Manufacturing (CNA)
- Distribution (CND/CNA)
- PR (techie and accurate, not PC)
- Education
- Awareness
- Perception Management & PsyOps
- Failure Modeling
- Process Control
- Reconstitution
- DR
- Layered Technical Management
- The interdisciplinary expertise needed from psychology, neural behavior, etc. (Security is not technical, solely, now is it?)

No one can do it all. No one has all of these skills. Period.

I worry much less about DHS acquiring 1,000 people with skills than I do about them finding the right management who understands security, the temperament of the geek community, and can last more than a handful of months in a culture designed to fail.

There are millions of people with the varied skills that a well-organized information army needs. There are decidedly fewer people who know how to, or have even thought about how to, taxonomize the skills and organize them (skills and people) like a true business.

Get a free download of ‘Information Warfare’ at: http://www.winnschwartau.com/downloads.html and take a look at Chapter 16.

- What is severe? Who decides?
- Can the Internet – even the U.S. portion – actually be turned off?

I’ve seen various discussions on these points, but for now let’s pretend they don’t exist. There are other issues:

1. We teach home and business users that if they think they are infected with malware to disconnect their Ethernet or wireless connection immediately to stop the propagation. No one has a problem with that. It makes sense.

2. On 9/11, we shut down all air traffic in a matter of hours. No one had a problem with that. (Being stuck in Fargo, though, might have been a hassle. Think the Steve Martin movie ‘Planes, Trains and Automobiles.’

Unplugging from hostility is not a new concept. The fundamental question in this case is which is worse: Disconnecting for a time and reconstituting with control, or allowing an attack to continue while we try to combat it and using the Net at the same time?

This returns to the question of what is “severe.”

From my view, disconnecting is a must-have option that should be on the table at all times. It makes sound engineering sense. In complex systems, isolation, analysis, repair and reconstitution (reconnection) is the only way. How else can you figure out what’s really wrong and how much damage has been done? Power companies have done it for years. The tacos did it in 1991 when the SS7 switches collapsed. Lasted a few hours. Should the feds decide to unplug the banks or should the collective wisdom of the Fed Reserve and leading financial institutions make that decision in a defensive step of self-preservation?

The problem I have with the majority of what I hear is the fear mongering of nationalization by technically ignorant politicos with media access and an agenda. The question should be how we properly plan for such an eventuality, instead of merely spreading unfounded fear.

Photo Credit: Kirk Lau

Back in 1987, Congressmen Glickman and Valentine were the point men on the CSA, Computer Security Act of 1987. (This is the committee that told me cyberwar was a figment of my imagination.) One major goal of the Act was called “C2 by ’92.”

In the old security parlance of the Orange Book, C2 security was good enough for “sensitive but unclassified” information. Big push. Big initiatives. Big goose egg of security tongue wagging.

So DHS is downplaying this sensitive but unclassified hack as, “no information can be posted on Homeland Security Information Network (HSIN) that would cause anything more than minor damage to the homeland security mission.”

I am sorry. No, they should be!

Any data leak is potentially monstrous. So this data was C2. Fine. Then another C2-level hack here and another there… and you glue together all of the data from these hacks and suddenly the amalgamated data is MJ-12 (alien technology) secret. OK, you get the point.

Data in isolation may seem worthless, but a cut, a snip and a paste later you’ve got yourself a database worth boatloads to the bad guys.

What is even worse is that these days, the flipping DHS can’t practice Security 101 and avoid getting hacked? It’s not that hard… if you let the geeks do their jobs.

I find it immeasurably embarrassing that the guys and gals who are supposed to protect us can’t even protect themselves to the most minimal standards.

Of course the public information doesn’t say whether the situation was caused by a poorly configured machine (of what OS, by the way), unpatched vulnerabilities or the same type of criminal stupidity that allowed the details of Obama’s Helo to get into the hands of the Iranians.

Come on people: every bit of data is valuable. Just because you don’t see that doesn’t make it any less true.

Photo Credit: Raymond Yee

In fact, a friend of mine, Dave, runs a fairly large construction company in British Columbia, Canada. He is the epitome of the SMB market. He called me with troubles.

His network was at a standstill. His e-mail was down… and he was freaking out. His IT guy, a friend of mine who is not a security person, wanted me involved.

The answer was comparatively simple, inexpensive and workable.

1. Keep your internal data and applications server(s).

2. Keep your existing end-point applications.

3. Use the usual mess of A/V, spyware detectors and so on at the proper places in the internal network.

4. Get rid of your own mail server. Outsource it for like – what – $10 a month? Let them be responsible. If you want your QoS to be higher, pay $100 month. Just admin the user accounts and use a decent client at the end points.

5. Get rid of your Sharepoint server, your internal collaboration servers ad nauseum. Write down a set of specifications and features you want. Search for the SaaS cloud-based product that meets the majority of your needs. (Nothing is perfect.) Outsource it – SaaS – and let them have the headaches.

Dave took my advice. He saved $15,000 on new hardware. He saved dozens of hours of techie time. He lowered his admin time that our friend was handling (to his relief, too). He set up a cloud-based collaborative environment for his back office intranet for $149 month.

He’s happy … and much more secure than ever before.

Should we have a cyber czar or not?

First of all, this is an age-old discussion. Many of us lobbied for national cyber leadership nearly two decades ago, but Congress and the White House said, “It’ll never be an issue.”

Wrong on count one.

Two. This binary thing, from Ms. Hathaway to Obama’s House to the NSA or DHS… this is the modern equivalent of eminent domain, the 19th century national political dynamo that resulted in Native American genocide. This is a political land grab for control… and that is not what we need now.

What we need is leadership. We need the kind of leadership… not control… that will find realistic, real-politick, global sensibilities and balance them against our national (Western?) interests. Not to mention, some 3 million geeks (good hackers, please…) will need to be mollified and included in the process.

I sat with some Fed-types at InfowarCon last month and told them they had to get over the fact that the very people they need to work on national cyber security are the least likely they are to hire… under current policies.

For example: What government security clearance goon is going to approve a metal-detecting, pot-smoking, formally un-educated smelly character to develop technology to bring the Dubai Tower elevators to a grinding halt… and be assured he won’t attack the Sears Tower in response to a billing error?

Those are the folks we need, and only a major re-think of what we mean by leadership is going to allow us to approach national security in the asymmetrical way we must… if we ever expect to successfully defend our cyber-borders.

Photo Credit: Robert Huffstutter

They think the swine… oops… H1N1 might come back in a few months or next season with a potential vengeance, mutated, resistant and the FUD also says that more than a billion people could be caught up in the pandemic.

If this was a computer virus/worm like the Conficker or other hostile code that we know about in advance, we’d start reverse engineering the code and tell folks to behave themselves more than ever.

But H1N1 presents another security issue. Let’s hypothesize that this is all real and that masses of people are going to get sick-sicker-sickest.

How do you, the corporate exec, security guy, or whoever plan for 15-30% of your staff being out with the flu? Some companies use temporal dispersion to avoid having all execs and mission-critical folks sitting in one physical location every day. But will the same rules apply with a pandemic?

I don’t begin to have an answer other than this: every company that has global presence with volumes of online people integral to their business continuity had better get a game plan started.

I’ve always called it Graceful Degradation. Technically this means, “How can I conduct business with certain key portions of my infrastructure broken?”

When it comes to H1N1, Graceful Degradation needs to apply to the human domain of the Integrated Security Triad.

Think about it. Or better yet… assign it to HR and make them come up with a plan!

Where the hell have they been for the last two decades?

Some big announcement from the German government’s Federal Office for Information Security. Crime is on the increase. More viruses, worms and malware. Have they not had the opportunity to participate in this discussion, offer solutions or otherwise help?

We don’t need more FUD or repetition of the obvious. “Hackers can also exploit security breaches on popular web sites…” is not constructive.

Their own studies support that users are clueless, with no A/V, firewall or other reasonable security practices. Then again, they are all probably using Windows.

You gotta figure the blueprints and avionics particulars are damned important, and I would hope, classified information. A defense contractor in Bethesda, MD (not Lockheed according to the media) really screwed the pooch on this one… in many ways.

1. Some idiot decided it was safe and acceptable to download a peer to peer (P2P) sharing program.

2. Some idiot in the IT administration didn’t think about blocking P2P programs from being downloaded, or installed or executed.

3. Some other idiot allowed the mixing of sensitive information with open source software on the same computer.

Oy, they really should know better. I remember a few years back a friend in the intelligence community said the DoJ should prosecute criminal stupidity in IT. That’s a bit of a stretch, but several idiots should certainly have ‘I Am Stupid’ annotated to their HR records and their bio.

So, now there’s going to be a proposed Congressional investigation. How much worse can this get? Do we really want a bunch of questionably knowledgeable lawyers to figure out how to keep peer to peer (P2P) software off of classified or sensitive systems? I think not. They’ll end up trying to ban everything except for MS Office.

The community knows how to avoid this kind of pure malfeasance. The contractor should, too, but it appears they need a major boost in their employee security training, administrative oversight and their security policies.

My question to y’all: What should the penalty be for ‘The Company’ and ‘The Idiots’?