Monday, December 10, 2007

Spiritual IT Security.

Some duality, some overlap, some scientific methodologies.

Monitor and surveil both your IT and personal "outputs", i.e. what you or the network or system generates and redistributes into the interconnectedness; be it social, personal or technical.

*Then*, and only then, base your controls, processes, methodologies and frameworks or risk assessments upon empirical evidence.

No wonder it's so hard to listen to a system or network, when we don't even listen to ourselves.

Monitor the outputs. Control the inputs. Refine the processes.

Thursday, December 06, 2007

Tell it like it is boys



Spotlight: Cyber Terrorism Roundtable with Sami Saydjari, Marcus Ranum, Dean Turner and hosted by Nicole Greco. Discussion on cyber warfare, cyber terrorism, cyber defense with interviews by Mikko Hypponen and Andrew Colarik. Key issues on Estonia, China, Russia. Aired in November 2007.

And here is a snippet from one of Gunnar Peterson's posts I heartily agree with:

"If you want to make a bunch of acquisitions, outsource a ton of work, send a bunch of projects overseas, have multiple reorgs, connect up a ton of historically siloed systems, hook everything to the web and THEN GO ON A QUEST FOR CERTAINTY - well good luck to ya, mate. I think your time is better spent finding ways to lower your risk of permanent loss than trying (pretending) to achieve some semblance of certainty in that environment." From http://1raindrop.typepad.com/1_raindrop/2007/11/dhandho-infosec.html

Tuesday, November 27, 2007

Note on Virtualisation and RANT

Virtualisation lowers certain overheads and increases flexibility and modularity.

Virtualisation does not address SECURITY until whole system images are checksum'ed and rotated in a defensive time-based security method/model, including the abstraction layer and hardware playing a key role in defenses as well.

I have mused over this before here http://bsdosx.blogspot.com/2006/11/machine-and-service-integrity.html

As Theo De Raadt mentions over at http://kerneltrap.org/OpenBSD/Virtualization_Security;

"x86 virtualization is about basically placing another nearly full kernel, full of new bugs, on top of a nasty x86 architecture which barely has correct page protection. Then running your operating system on the other side of this brand new pile of shit. You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes."

On a side note, I'd like to repeat the below, courtesy of me;
"Everything will be a server, client and fast cache. The P2P model will win. It's the only thing that can. More "zeroconf" is needed. There seems to be no margins for error, tolerances or defensive programming anymore. What gives someone the right to call themselves a software "engineer" anyway?"

I'll post shortly on my new idea regarding regulation of business IT and an IT TAX to force enumeration, visibility and accountability.

Some time soon, I'll get back to IT security. Currently I am working in other areas and departments and re-learning about the human side and realities in which we all operate. The disconnect is massive. The cowboys operating in IT Security are very disheartening to me. The idiots and "old-guard" on both sides of the fence worry me. So many people have no clue of the complexity, and will never grok it. We need to simplify and innovate.

We need to regulate our "industry" somewhat without stifling innovation. Perhaps the Universities should take some of the blame in turning out ignorant coders who don't understand networking or security.... perhaps, perhaps not..... it remains to be seen. I can only talk from experience, and my experience in Uni taught me nothing; other than I hated coding and ignored my networking lecturer. I got a degree in Computer Science, I crammed before all exams, some days not even knowing what exam was on that day until I asked my colleagues. All Comp Sci did was pique my curiosity, I might as well have stayed in the Uni bar *all* the time. This might just be my personal version of "learning" at Uni (I like to call it regurgitation), but 99% of my tech was learned on the job ;)

How did I become so bitter and twisted? Am I really? Surely I am an optimist at heart?

Once we see the COMPLEXITY we harken after SIMPLICITY in all matters in life.

Sunday, November 18, 2007

Damn straight... but sorta' bendy

From Drazen comes this snippet of a quote from Computerworld interviewing the legendary Frank Abagnale of 'Catch me if you can?' fame:

"Computerworld Staff: Is there anything we can do to make illicit computer-related activity a less attractive pursuit for young people?

Frank Abagnale: There are about four reasons why we have crime to begin with. One of them is, of course, that we live in an extremely unethical society. We live in a society that doesn't teach ethics at home, a society that doesn't teach ethics in school because the teacher would be accused of teaching morality. We live in a society where you can't find a four-year college course on ethics. I have three sons who went through graduate school; only the one who went to law school had a course even offered on ethics. So today you have a lot of young people who have no character, no ethics and they find no problem in defrauding somebody or stealing from somebody or cheating somebody. Until we change that, crime is just going to get easier, faster, more global, harder to detect.

Computerworld Staff: Any thoughts on how we can bring that change about?

Frank Abagnale: I think you need to bring character and ethics back into schools, and you certainly need to bring it back into colleges and universities as part of a curriculum. Only about half of Fortune 500 companies even have a code of ethics or code of conduct. The ones that do have one publish it every five years on an inside page of their annual report to appease their shareholders. So, obviously, there's no big effort out there to bring about that change. Rutgers just finished a five-year study that found that 56% of MBA students cheated.

There are really no con men anymore like there were in my day, because you really don't have to associate with anyone. You don't have to be well dressed and well groomed and well spoken. Everything's done on a computer; there are no witnesses. So even if you know who's doing it, you probably don't have the ability to go capture them. Chances are you have no idea what they look like; they can sit in their pajamas and commit all these crimes."

There seems to be no mandatory or enforceable cost anymore for performing an act that is detrimental to the health of the net or its component systems. Our super-organism (the internet) is being eaten from the inside out while we neither realise nor appreciate the symbiotic relationship we have created between man and machines.

Who is held accountable, and how, when we can't even agree upon nor incentivise actions to help protect our immediate and more fragile internetwork, the green planet we call home? I had a few ideas here: Some cud, but I still wonder about the fact that there are too many humans, just ask Mr. Malthus!

Wednesday, October 31, 2007

Process begets process...

"Time was when we could just re-cable the server ourself, and not have to pay some idiot $100 to move the thing", was heard across the room today in a large client's office, and oh did it ring true... however as organisations mature -> processes place a framework around work carried out and services are measured via uptime and other SLAs.... no more adhocracy, only at the wiki level!

Measure.. hmmmmm.. that's a funny word in IT isn't it... 'MEASURE','MEASURE'...M-E-A-S-U-R-E

# measurement: the act or process of assigning numbers to phenomena according to a rule; "the measurements were carefully done"; "his mental ...
# standard: a basis for comparison; a reference point against which other things can be evaluated; "the schools comply with federal standards"; "they set the measure for all subsequent work"
# how much there is of something that you can quantify
# any maneuver made as part of progress toward a goal; "the situation called for strong measures"; "the police took steps to reduce crime"
# bill: a statute in draft before it becomes law; "they held a public hearing on the bill"
# determine the measurements of something or somebody, take measurements of; "Measure the length of the wall"
# meter: (prosody) the accent in a metrical foot of verse
# quantify: express as a number or measure or quantity; "Can you quantify your results?"
# have certain dimensions; "This table surfaces measures 20inches by 36 inches"
# musical notation for a repeating pattern of musical beats; "the orchestra omitted the last twelve bars of the song"
# measuring stick: measuring instrument having a sequence of marks at regular intervals; used as a reference in making measurements
# place a value on; judge the worth of something; "I will have the family jewels appraised by a professional"


So I text myself sometimes when particular thoughts cross my mind;

"First you need visibility/surveillance, and then accountability of packets, flows and data objects, then comes valuation of said data objects, services and supporting infrastructure... now we can have meaningful conversations about risk and IT security"

Hmmmmm... sampling, measuring, identifying.... what's your IT footprint? What's the last IT related report you looked at, what did it measure and what did it really say about your organisational IT footprint?

Monday, October 15, 2007

Some fun...


Was surfing here, http://xkcd.com/ and added it to my RSS feeds http://syndicated.livejournal.com/xkcd_rss/profile ;) Actually came from the FUNSEC mailing list but my mate Wade had sent me one of the comics before.

Monday, October 08, 2007

'Meta' or 'Metta' security....

Basically I'll let Mr. Bejtlich summarise from his 'Three Wise Men' of security, practically all there needs to be currently known about the state of play in and around the IT Security Industry and IT Security Risk areas. On the shoulders of giants and all that!

http://taosecurity.blogspot.com/search?q=three+wise+men

Dan and Marcus are definitely on my list, though I haven't really read this Ross Anderson guy; however Richard himself is on my list, along with Rob Thomas from Team Cymru.

On another note, to save you signing (or reading about signing up) for tonnes of bullshit, please find below a great 'Point:CounterPoint' from Bruce Schneier and Marcus Ranum. DRM/Copyright.. nah...

Erm, hopefully without getting in trouble and making others spend 5 minutes signing up to read the below, here it is in all its glory.

Bruce Schneier

Point: To the average home user, security is an intractable problem. Microsoft has made great strides improving the security of its operating system out of the box, but there is still a dizzying array of rules, options and choices users have to make. How should they configure their antivirus program? What sort of backup regime should they employ? What are the best settings for their wireless network? And so on.

How is it possible that we in the computer industry have foisted on people a product that is so difficult to use securely, it requires so many add-ons? It's even worse than that. We have sold the average computer user a bill of goods. In our race for an ever-increasing market, we have convinced every person that he needs a computer. We have provided application after application--IM, peer-to-peer file sharing, eBay, Facebook--to make computers useful and enjoyable to the home user. At the same time, we've made them so difficult to maintain that only a trained sysadmin can.

And we wonder why home users have such problems with their buggy systems, why they can't seem to do the simplest administrative tasks, and why their computers aren't secure. They're not secure because home users don't know how to secure them.

At work, I have an IT department I can call if I have a problem. They filter my Net connection so I don't see spam, and most attacks are blocked before they get to my computer. They tell me which updates to install. And they're available to help me recover if something happens to my system. Home users have none of this support.

This problem isn't going to go away as computers get smarter and users get savvier. Next-generation computers will be vulnerable to different attacks, and next-generation attack tools will fool users in different ways.

This isn't simply an academic problem; it's a public health problem. In the hyperconnected world of the Internet, everyone's security depends in part on everyone else's. As long as there are insecure computers out there, hackers will use them to eavesdrop on network traffic, send spam and attack other computers. We are more secure if those home computers attached to the Internet via DSL or cable modems are protected against attack. The only question is, what's the best way to get there?

I wonder about those who say "educate the users." Have they tried? It's unrealistic to expect home users to be responsible for their security. They don't have the expertise, and aren't going to learn. And it's not just user actions we need to watch; computers are insecure out of the box.

The only way to solve this problem is to force the ISPs to become IT departments. There's no reason they can't provide home users with the same level of support my IT department provides me, or a "clean pipe" service to the home. Yes, it will cost more, and require changes in the law to make this mandatory. But what's the alternative?

In 1991, Walter S. Mossberg debuted his Personal Technology column in The Wall Street Journal with the words, "Personal computers are just too hard to use, and it isn't your fault." Sixteen years later, it's doubly true when it comes to computer security.

If we want home users to be secure, we need to design computers and networks that are secure out of the box, without any work by the end users. There isn't any other way.



Marcus Ranum


CounterPoint: I'm sure that many of the things Bruce points out about computers at some point or another applied to automobiles or any other technologically interesting and complex device. There was a time, in the early days of the automobile, when any idiot could go 75 miles per hour with no requirement for training, safety equipment or sobriety. As Bruce says, eventually that kind of thing becomes a public health issue and then society begins to enforce constraints. Question is, do society's constraints make a difference, or does time cure these ills?

When I was growing up, there was just one kid in my entire high school who had a computer. Today, it seems every kid 8 and older is a Windows sysadmin. And some of them are better at it than you might expect. That's because they grew up doing it, and the human brain appears to be able to integrate amazingly complex tasks as "normal" as long as we're introduced to them early enough. Bruce, I think the problem is not with all the home users--I think it's with the adult home users.

I see the generational distinction most clearly with my parents. My father still writes using an old Underwood typewriter. My mom has adopted a computer, but she's exactly the kind of user you're worried about--she clicks "OK" on anything, and seems to be trying to collect spyware. Thinking about it, most of the generation before mine is pretty uncomfortable with computers, and I was one of the early experimental kids who grew up networking on the ARPANET and BITNET. Does that have something to do with the fact that I have always had a good grasp of the concepts of transitive trust and distributed systems? I think it does; I think the analytic parts of our brains, if given a task early on, are able to make sense out of all kinds of insanely complicated things.

"Educate the user" is an old mantra in security, and its uselessness is one place where Bruce and I agree. I think, though, that building simpler systems is not the answer. The answer is to let the current user population die off! It's going to happen, anyhow.

Forcing ISPs to support home users, or re-engineering computers to be simple enough for us old coots to understand, completely misses the point. At the point where enough customers want simple-to-use Internet terminals, a market will develop. Arguably, it already has--witness the evolution of handheld PDAs and centralized "no spam" managed free email services. The complexity of the Internet and software administration is getting absorbed into the IT infrastructure of Google, Yahoo and MySpace.

I'm not demanding that Detroit make cars that are simple enough for me to repair; I choose to buy vehicles that are usually reliable, and I outsource the repair work to the mechanic up the street. Perhaps what we're doing is shifting complexity around in our lives: I never learned how to fix a transmission, but I can still scratch-bake a firewall with a custom filtering reverse Web proxy in a weekend. I've seen home users who can't manage a Windows XP upgrade, but who can successfully instrument-land a jet fighter.

Bruce, when you and I are old coots sitting on the porch, you'll be amazed to see the current generation of kids nimbly navigating their way through software and system configurations that completely blow our minds. Relax; it's just what progress looks like from our side of the hill. Will the future be more secure? It'll be just as insecure as it possibly can, while still continuing to function. Just like it is today.

Saturday, October 06, 2007

Monday, September 24, 2007

5 years from now!

Stuff to think about:

- PCI DSS(Payment Card Industry Data Security Standards) QSA (Qualified Security Assessor)
- NetFlow/IPFIX (Crannog/NetScout/Arbor) as networking/security is increasingly about context/relationships/visibility.
- Normalization/baselining tools a la PeakFlow, SourceFireRNA
- Visualisation and Modelling (Opnet)
- IDS/Rootkit detectors for virtualised environments.(Watch this space... BluePill/F-Secure )
- Security Metrics(emerging/huge future as currently un-quantifiable!) and audit via Skybox / Algosec
- Digital Signage, MCAST/P2P distribution JOOST style.
- Infrastructure/solutions to facilitate SoaS(Software-as-a-Service) e.g. Salesforce/Joomla/Atlassian(Confluence)/GoogleApps/Zimbra/Zoho, virtual offices whereby nodes act as client/cache/server and don't backup locally but more to Web Services akin to AWS(Amazon Web Services),S3,EC2. Managing a virtual customer's DNS and aggregating management of their services has potential?
- Mobile and mobility gateways, 3G(HSDPAv2) vs WiMAx back-haul for project offices/satellite sites and SME/SOHO
- Location based services and GIS(Geographic Information Systems)
- Identity Management via OpenID/Cardspace(InfoCard) hosted services.
- Thin clients (Neoware)
- Fixed Mobile Convergence(Still a while off!) Engin / MyNetPhone / SIP/IAX/Asterisk

Web 2.0+ has as many solutions as problems, a new middleware-tier('internet-service-bus' if you will!). Businesses will increasingly want more audit/control and lower operational overheads and greater security via thin-client computing utilizing the browser as the platform of choice, also generating secure local host based flows for compliance and reporting. Thin clients and infinitely scalable distributed computing/storage is on the way. If you don't run the data-centre processing/storage nor have the power, you'll want to control the gateways/reporting/auditing/caching and own/re-sell/manage as much of the local infrastructure/bus and back-haul as possible!

Regulatory and compliance requirements will always have a perceivable effect, especially in the financial services sector.. but with breach disclosure laws on the way in Oz the security -> landscape/consulting/auditing/accountability/visibility aspects of networks/services are not going to allow organizations to keep their heads in the sand for much longer.

Sunday, August 12, 2007

Monitoring and visibility, old'y but a...

From: http://www.schneier.com/crypto-gram-0107.html#5
"Without monitoring, you're vulnerable until your security is perfect. If you monitor first, you're immediately more secure."

"Monitoring should be the first step in any network security plan. It's something that a network administrator can do today to provide immediate value. Policy analysis and vulnerability assessments take time, and don't actually improve a network's security until they're acted upon."

"It's specious logic for a CIO to decide to wait until his network is stable, he understands his security, and all his patches are up to date. It'll never happen. Monitoring's best value is when a network is in flux -- as all large networks always are -- due to internal and external factors."


From the ensuing comments:

"However if you insist on war as the metaphor, here are two thoughts along those lines. First, the war, if that is what it is, is surely a guerrilla war. The entities being attacked are large, visible, slow-moving and part of the power structure. They have much greater resources than the attackers, but no effective way to apply them. The attackers are few, dispersed, hidden and have few resources. But what they have is the free choice of when and where to attack.

To fight guerrillas it is necessary to a) identify them; i.e., distinguish them from civilians and b) control some resource that is essential to their survival. Given the Internet as it exists today, I don't see much hope of doing either of these. If the authorities decide to employ broadly targeted, draconian measures, they will find like the British in America and the Americans in Vietnam, that the collateral effects on innocent civilians are simply unacceptable.

My second thought about hacking as war is that the situation can be compared to that in many wars, but most especially the American Civil War. While some people were busy fighting and dying, war profiteers made fortunes selling rotten food, unserviceable uniforms and non-working weapons. With a market full of snake oil security, bug-ridden applications and vendors who are more interested in suing or prosecuting people who reveal security problems than fixing them, this seems like the kind of war we are in."


Nice segue to this post by Bejtlich re: Schneier and Cyberwar;
http://taosecurity.blogspot.com/2007/04/taking-fight-to-enemy-revisited.html

Thursday, August 09, 2007

ROI or NPV?

If you understand the acronyms above, maybe have a trek over here : http://financialcryptography.com/mt/archives/000939.html

otherwise you may want to move quickly on :)

Thursday, August 02, 2007

Time to think the unthinkable

So the problem as quoted many times before is, "how to demonstrate that
security practices are both working and effective?".

As in most production network and system footprints, the goal posts,
risks and processes are ever moving and changing. How do we measure
security and track a risk management program effectively without making
comparison to some baseline or standard configuration?

The answer is we don't. There isn't any and there never will be for
*your* IT footprint.

So, you ask, what can we measure when trying to prove the unprovable?

The answer lies in making a comparison to something, but to what? Other
organisations perhaps? Too tough it seems, as they don't have nor share
relevant data or reports for obvious reasons. Each IT footprint and
business is built on similar building blocks but is fundamentally
different as the "superorganism" morphs, grows and responds to different
traffic and needs constantly.

What is required is a clone. A sometimes inferior and sometimes superior
clone of the organism. A test subject if you will.

I am not talking about development systems or sub-models of the organism,
but a live fully functional version of the entire entity, which can
assume many states at a whim.

With today's focus on virtualisation and seemingly never ending
processing and storage, surely we could construct a clone of our
business residing all in memory on a single or distributed platform.
This is what we would perform change management upon and measure
against. Think of it, not as a "honey-net", but a "honey-org".

Yeah, yeah, needs X memory and won't be perfect, but better than nothing
and the "honey-org" could be constantly updated from the live management
systems.

With a form of total information awareness we could build a clone of our
systems, nodes and processes - exclusively in software, running on
lower spec hardware perhaps. Here, only time becomes the key factor.

Using something akin to enterprise management systems the information
and images could be gathered to build a clone of our organisation or
enterprise in as much detail as possible which would facilitate a form
of testing that would see us able to demonstrate what would, and does
happen, if certain policies or changes are not enforced.

Three, is the magic number. A production network, a clone network, and
whatever other development or model systems are required.

This would not address physical security in tandem with virtual
security, nor would it be able to fully simulate all users or business
processes, but it is what we are approaching with products like Cisco's new provisioning platforms, Opnet's modeler and risk management via Skybox. The ability to then generate traffic and incidents is also required. SmartBits, IMix, VA and fuzzing till your heart's content including session replay all in one go? Easy huh?

The main problem today is we don't know enough about our environments.
We need to know more. We need to build a fully virtual infrastructure to fully understand our real infrastructure. We may be still quite some
distance away, but in extrapolating the possible futures, this seems to
me to be the only way of demonstrating the "what if" scenarios!

Open up the virtual infrastructure to the net. Offer up your virtual
systems to the bad guys. Transparency is the key both for the bad guys
and the good guys if we really want to make progress. Perhaps.

In theory this is what we pretend to do with "Change Management" today, though the results are more often than not guessed at, divined from experience and faith and are totally subjective.

Yes it is time to slow down the rate of change, make a copy, offer it up
or strip bits away from our clone to see where and how the security
dollars are really being spent. Gimme' a clone, drop it in the lions
den, and I'll give you, at least in part your ROSI(Return on Security
Investment).
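As an added example (not code from the original post): one way to "measure against" the honey-org is to diff a live host against its clone and grade the drift against the written change policy. The snapshot fields, host name, versions, port list and approval set are constructed assumptions for illustration.

```python
"""Added example (not the original post's code): measure "drift" between a
production host and its honey-org clone, then check the drift against a
written change policy. The snapshot shape and policy are assumptions."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Snapshot:
    """One host's observable state. Constructed for illustration; a real
    snapshot would be gathered by the inventory/management systems."""
    host: str
    listening_ports: frozenset
    packages: dict          # package name -> version string
    accounts: frozenset     # local account names


@dataclass
class Drift:
    """Everything that differs between the clone baseline and the live host."""
    host: str
    opened_ports: set = field(default_factory=set)
    closed_ports: set = field(default_factory=set)
    changed_packages: dict = field(default_factory=dict)  # name -> (baseline, live)
    new_accounts: set = field(default_factory=set)
    removed_accounts: set = field(default_factory=set)

    def is_empty(self) -> bool:
        return not (self.opened_ports or self.closed_ports or self.changed_packages
                    or self.new_accounts or self.removed_accounts)


def diff_snapshot(baseline: Snapshot, live: Snapshot) -> Drift:
    """Compare the live host against its clone; the clone is the reference."""
    if baseline.host != live.host:
        raise ValueError("snapshots describe different hosts")
    d = Drift(host=live.host)
    d.opened_ports = set(live.listening_ports - baseline.listening_ports)
    d.closed_ports = set(baseline.listening_ports - live.listening_ports)
    for name in set(baseline.packages) | set(live.packages):
        before, after = baseline.packages.get(name), live.packages.get(name)
        if before != after:
            d.changed_packages[name] = (before, after)
    d.new_accounts = set(live.accounts - baseline.accounts)
    d.removed_accounts = set(baseline.accounts - live.accounts)
    return d


def policy_violations(drift: Drift, allowed_ports, approved_changes) -> list:
    """Turn raw drift into findings. 'approved_changes' is the set of package
    names whose update went through change management (an assumption)."""
    findings = []
    for port in sorted(drift.opened_ports):
        if port not in allowed_ports:
            findings.append(f"{drift.host}: port {port} listening but not in allowed set")
    for name, (before, after) in sorted(drift.changed_packages.items()):
        if name not in approved_changes:
            findings.append(f"{drift.host}: {name} changed {before} -> {after} without approval")
    for acct in sorted(drift.new_accounts):
        findings.append(f"{drift.host}: unexpected local account {acct!r}")
    for acct in sorted(drift.removed_accounts):
        findings.append(f"{drift.host}: baseline account {acct!r} missing")
    return findings


# Constructed sample data: the clone (what change management approved) versus
# what the live host actually looks like today.
CLONE = Snapshot("web01", frozenset({22, 443}),
                 {"httpd": "2.2.6", "openssl": "0.9.8e"}, frozenset({"root", "www"}))
LIVE = Snapshot("web01", frozenset({22, 443, 3306}),
                {"httpd": "2.2.6", "openssl": "0.9.8g"},
                frozenset({"root", "www", "tmpadmin"}))
ALLOWED_PORTS = {22, 443}
APPROVED_CHANGES = {"openssl"}   # the openssl update was an approved change


def report() -> list:
    """Findings for the constructed web01 pair: the approved openssl update
    is silent, the extra listener and the extra account are not."""
    return policy_violations(diff_snapshot(CLONE, LIVE), ALLOWED_PORTS, APPROVED_CHANGES)


if __name__ == "__main__":
    for line in report():
        print(line)
```

Run the live snapshot against the clone on a schedule and the findings list becomes the measurable "what changed, and was it allowed" the post asks for.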

Thursday, July 12, 2007

Zen and back again...

What follows are some "modern" haiku (interspersed with images *to come*) which are based partially on my notes over the past few months, and also, to a degree upon, some of my experiences in this wonderfully calm and quaint Rinzai Zen Temple outside of Kyoto.

Traditional or formal haiku should not only have a 5-7-5 syllable count, but should be composed during a pure moment of Zen which reflects and invokes an empathic experience in the reader. Also present should be a characteristic of, or reflection on, a season by virtue of an appropriate subject or action. Due to the pace and disconnectedness from nature of today's society I have dispensed with some of the more traditional aspects, in the hope of evoking in the reader a similar experience to mine. There are perhaps more messages than moments in the below, and of course some information technology!


dayshopping

Many distractions,
information overload.
Where is the wisdom?

food

Internal battles.
Elephant for dinner.
Morsel at a time.

gate

Physical struggle,
gateway to inside, not out,
receiver go deep.

protector

Faith in science,
No moral compass found here.
Perhaps in Zen?

zendo2

Arrogant mind.
Our attachments and desires.
Wake up time.

So many "sheeple",
asleep at the wheel.
How to de-program?

Input and output,
constantly processing them.
Who does the work?

Watching the watcher.
One of us is a tool.
Wield with respect.

Bits in, bits out.
Quality information,
computer mind?

Symbiotic "we".
Both need constant attention,
unplug the machine.

All is nature,
what can we not control?
Begin with yourself.

Symmetry desired.
Where is the fun in that?
Let's remain human.

Dirty fingernails.
Ground is moist and warm.
Food from the womb.

Dappled sunlight,
much potential energy,
free-wheeling downhill.

Sooner or later,
worry grips the mind, draining.
How much is enough?

Half full, half empty.
Begin again. A new cup.
Paradigm shifting.

Summer decisions.
Experience of last year.
Life's moving goal posts.

Mind management,
herding cats, bees and mice,
welcome to the zoo.

Energy in thought,
our most prized possessions,
content and intent?

True nobility,
Improve upon former self,
ad-infinitum.

Criticise, gossip,
matter not when others speak,
self-judgement.

No unhappiness,
curious, energetic,
spirited, joyful.

All basic questions,
unanswered, never stupid.
Reluctant probing.

Form expectations,
plain as the nose on your face,
perceptions altered.

Too young, too old.
Deceive oneself, just do it.
Too rich, too poor.

Control your thoughts,
failure, no courage to try.
Nothing more, nothing less.

Future shock, peak oil,
adaptational breakdown.
Disease of change.

Ogburn culture lag.
Rate of human response,
obsolete people?

Premature future,
incompetent neurosis.
Avalanching change.

Death and permanence,
Suffocating complexity.
Impermanent rise.

Bleeding edge I.T.
Security, assurance,
nowhere to be found.

Always hurry forward,
Moulded mass education,
de-school society.

Early adopter,
enumerate the pitfalls.
Risk or reward?

Guaranteed future.
Where is the fun in that?
Step to the unknown.

Neural feedback loops,
"Thin slicing" situations,
partial involvement.

Avoid human ties,
flow through of people slowing down.
Nomadic children.



Sunday, June 24, 2007

Kyoto and the art of human maintenance

Heading for some 'Rest and Realization' on Tuesday. Back soon.

Damn straight

Creativity expert Sir Ken Robinson challenges the way we're educating our children.


Thursday, June 21, 2007

Dear Sirs..

Another bold question if I may. The topic is trust. The subjects are sheeple and computer systems. The framework is IT Security. The context is always changing. The goals are the same. Intent is irrelevant. Miscreants abound.

Excuse me arguing by analogy, but this online age verification system to access movie trailers, sums up many of the major issues and ignorances in IT Security.

This morning, the New York Times has a nice story on gateways to online movie trailers that contain adult content. Trailers online will be preceded by colored tags, just like the green one you see in theaters that indicates the preview is acceptable for anyone watching. A yellow tag indicates the trailer may include PG-13ish content and a red one indicates an R-rated trailer, as it does in theaters, though red tags are rarely used in theaters.

The trailers that appear on the studios' movie sites, the story said, also have time of day restrictions, ostensibly viewable only between 9 p.m and 4 a.m.

More here

http://blogs.csoonline.com/dirty_trailers_cheap_tricks


As the depth, pace and breadth of technology increases, no one can be expected to be an expert in all systems and subsystems they either use, interface with or build upon. Knowing what's going on 'under the hood' is becoming increasingly abstract and esoteric, especially to the standard consumer of computing resources. The issue is compounded by depth of code, system complexity, legacy systems, and third party drivers and modules, which are either knowingly or unknowingly part of a solution. Users require protection from both themselves and others while interfacing with systems or when having their information stored or utilised.

Unfortunately global systems span geo-political boundaries. Global systems which can be hijacked and used to attack more innocents. (Unfortunately systems will continue to be, or will become, vulnerable over time!) And I am talking about any node here: routers, switches, firewalls and traditional endpoints.

I am leaning towards the belief that more services should be available to end-users in their local cloud. Not necessarily mandated, but available - depending upon the environment. This is a highly complex and potentially volatile area, and arguments abound, however the question should be 'what's effective?'. DAMN -> fast, reliable and cheap. Though I like reliable!

How can you trust unmanaged systems and users? (also known as information processing nodes!). See previous post.

How can you trust managed systems and users?

How can you trust infrastructure nodes?

Expect them all to fail. Expect them to be compromised. Expect to lose trust in them.

Now where does that leave us?

Let's look at the enforcement points on a simple systems trust model again... See previous post. (I like to think of the diagram as the equivalent of a Feynman diagram for IT Security, tee hee!)

So some stuff to think about. Here are some new acronyms/phrases for you, akin to SOA (Service Orientated Architecture).

SOV (Service Orientated Vulnerability): can be a compound or blended vulnerability.
SS (Service Surface): interface, network, user, back-end etc.
IS (Interface Surface): a subset of the above which takes into account multiple new input vectors, as the future interface will have more than one API/endpoint/processor per endpoint, utilising new input devices and virtualisation.

Fun, fun, fun.

Every node will be a client.
Every node will be a server.
Every node will be a cache.

So now, do you trust the node, or introduce another trusted node to watch the node?

This could go on ad infinitum. At some point you hope there are enough checks and balances to watch the watchers.

Can we checksum people, anyone?





Schneier gets credit for leading me to the age verification system... http://www.schneier.com/blog/archives/2007/06/age_verificatio.html

Thursday, June 14, 2007

User awareness my ass


Symbiosis

If one doesn't separate the human from the endpoint system (which is what client-side security is really all about), then, and only then, will we make progress in the IT security battle. The human, peripherals and machine comprise the client-side endpoint, which needs to be protected in its entirety! Now let's think about Integrity, Availability and Confidentiality again.



Aside: Lines are being blurred between the conceptual client and server roles each day. Service orientated enterprise architectures are only a minor part of the puzzle... Let us never forget the users, administrators, operators and developers as part of the overall puzzle. (Or is it a mystery?)

Dorky is right!

IT Security needs more than this Open University style waffle.



I prefer the 'Look Around You' approach to learning ;)

Wednesday, June 13, 2007

A text from the ether

I got this message via text from a friend today:

"How many wasted thought cycles do we have each day, each month, each year, in a lifetime? How does fear rule our actions, control our thoughts, overrule our instincts, and dictate our emotions? Are we conditioned how to act and react? Are we bred to slave over data in the workplace? Have our minds been turned in to computers? Have our bodies been bred to consume? Are we drugged from childhood? Are we awake and if we were, how would we know?"

And here is a nice TED talk from Tenzin Bob Thurman (Uma Thurman's Dad!), who became a Tibetan monk at age 24, about a topic I would refer to as 'enlightened self-interest':

On my tech mind.

- Complexity Crunch
- Feedback Loops
- Change Management
- Reliability (Integrity)
- Loosely Coupled
- Mobile
- Everything is a client, everything is a server, everything is a cache
- Distributed content inventories
- Intelligent packets
- Metrics
- Quality of information

Sunday, June 03, 2007

The Blue Packet


This is a great post from a site I like about the mobile Telco industry. It made me laugh out loud. Things that evoke an audible response from you are special, whether good or bad!

Link ( also in image ) : http://the.taoofmac.com/space/blog/2004/11/08

Tuesday, May 29, 2007

Friday, May 25, 2007

Ack, Ack, Ack

Just wanted to reiterate something from Wade's blog:

Watch your thoughts: They become your words.
Watch your words: They become your actions.
Watch your actions: They become your habits.
Watch your habits: They become your character.
Watch your character: It becomes your destiny.

OSX'ers... please don't create a monoculture!

Well, there is an argument out there that the security framework of OSX/BSDs is far superior to that of Windows. However, aside from the MOAB (Month of Apple Bugs), which incidentally didn't produce an unassisted, wormable arbitrary remote code exploit, it's nice to see some of my trusted analysts chime in.

"Apple running OS-X is the clear operating environment of choice today for most normal users and most businesses, especially for notebook computers."

Report here from Fred Cohen and Associates: http://all.net/Analyst/2007-06.pdf

Saturday, May 19, 2007

How to assign value to digital objects and flows

This may be my next programming project. As a wise man once said, "You either code, or you don't!". Hmmm.. I think it was me actually. As a student of life once said, "...

Anyway here's the new pitch. A statically linked, cross platform binary to implement my 'Doobies' implementation of information evaluation in an enterprise. It takes advantage of multicast DNS and unicast DNS, thus the paths are already there! The client shoots off reports every so often to the 'reporter' which is the first entry in the 'value' subdomain, under 'reporter.value.companyx.com'.

Building blocks for the client: Zeroconf, Netconf, BeePy, mDNS, nProbe and, for some unknown reason (maybe resiliency?), DHTs come to mind, as does Anycast!

My head hurts ...


The web is about to explode all over again, and I mean in a 2002/3 CodeRed/Slammer/Nimda/Blaster/Nachi type of way. With services like Dapper and the new flavours of mashup AJAX'y type apps - it's hard to get your head around how information will be mangled by consumers, hobbyists and MISCREANTS.

I believe soon everyone will be running their own OpenID servers or will require SSO services to reduce the identity overheads of all these network-centric services. No one has addressed the old issues of domain ownership and transferral though. These are generally rooted in silly things like confirmation by fax, whereby no one bothers to check the calling party's number. Don't get me started on headed notepaper.

I used to "dis" the Jericho Forum, but the web is morphing from the inside out. Combine this with mesh, mobility and multicast/p2p and the funny thing is... we need to secure even more rather than less in enterprises. We've known this for a while. Anyone who throws out their firewalls yet might as well take the doors off their houses too. Decommissioning is expensive at all levels and hard to do well. Legacy kit and issues abound.

However, the paradigm has already changed. It's still the Internet and World Wide Web, just there's more of it and the information is being atomized and made even more malleable and 'remixable'.

This scared me today, though I had heard of the previous incidents of self-replicating XSS ...

Funny thing is, all these open API's are creating another type of wider monoculture built on more layers than just TCP/IP.

Doobies.

I have joked before about units called 'doobies', but the idea is simple and flexible. Assume secure DNS. Use DNS as the dynamic database that it is, to create a sub-domain that relates to value. Each organisation may have different values/exchange rates to their own country's currency unit.

Once you break down your traffic into objects and flows and start quantifying the different types, you can assign arbitrary amounts to atomic entities to begin with and tweak from there.

value.companyx.com

dns-flows.value.companyx.com
dns-packets.value.companyx.com
dns-records.value.companyx.com
customer-ssn.value.companyx.com
customer-address.value.companyx.com

This could get very complicated very quickly, but could also be as basic and simple as one wanted. Current values are resolved to addresses drawn from either any part of the IPv4 address space or just bogon/Martian space (RFC 1918/RFC 3330), and could have huge scope depending on the organisation.

This value is your 'dooby' value. Devices report back, or are queried, on how many of each type of object they have processed or stored in an interval. Devices then supply flexible stats and can consult a central value database. (Kinda like SNMP/RMON only better, unless I am missing something!)

DNS is ubiquitous. Kernel hooks to a special accounting/reporting client are required.

Device processed x times type y 'doobies'. What is the current 'dooby' exchange rate for my organisation?

Maybe you could re-use SNMP but I think the centralised DNS store of current values is more flexible.

Thoughts, this is just a beer mat type scribble idea on my behalf.
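As an added example (not the post's own code), here is a sketch of the client side of the 'dooby' scheme described above, in Python, using a constructed in-memory stand-in for the value.companyx.com zone instead of real DNS. The encoding is an assumption the post does not fix: value records are A records inside 10.0.0.0/8 with the value in the low 24 bits, and a rate record carries milli-currency-units per dooby.

```python
"""Prototype of the 'dooby' valuation client (constructed example)."""
import ipaddress
from collections import Counter

VALUE_ZONE = "value.companyx.com"

# ASSUMPTION (not specified in the post): a value record is an A record
# inside the RFC 1918 block 10.0.0.0/8; the low 24 bits carry the integer
# value.  The 'rate' record is encoded the same way, in milli-units per dooby.
VALUE_PREFIX = ipaddress.IPv4Network("10.0.0.0/8")


def encode_value(value: int) -> str:
    """Encode a non-negative value below 2**24 as an address in VALUE_PREFIX."""
    if not 0 <= value < 2 ** 24:
        raise ValueError(f"value {value} does not fit in 24 bits")
    return str(VALUE_PREFIX.network_address + value)


def decode_value(addr: str) -> int:
    """Decode a value address, rejecting answers outside the bogon range.

    The post notes that DNS is itself a target, so an answer that falls
    outside 10.0.0.0/8 is treated as tampering or misconfiguration rather
    than silently priced into the totals.
    """
    ip = ipaddress.IPv4Address(addr)
    if ip not in VALUE_PREFIX:
        raise ValueError(f"{addr} is outside the value range {VALUE_PREFIX}")
    return int(ip) - int(VALUE_PREFIX.network_address)


class StaticResolver:
    """Stand-in for DNS: answers A lookups from a constructed zone dict."""

    def __init__(self, zone: dict):
        self.zone = zone

    def lookup_a(self, name: str):
        return self.zone.get(name.lower().rstrip("."))


# Constructed zone data for the example; the values are illustrative only.
CONSTRUCTED_ZONE = {
    f"reporter.{VALUE_ZONE}": "10.1.2.3",        # where clients send reports
    f"rate.{VALUE_ZONE}": encode_value(250),     # 250 milli-units = 0.25 per dooby
    f"dns-packets.{VALUE_ZONE}": encode_value(1),
    f"dns-flows.{VALUE_ZONE}": encode_value(5),
    f"dns-records.{VALUE_ZONE}": encode_value(20),
    f"customer-address.{VALUE_ZONE}": encode_value(500),
    f"customer-ssn.{VALUE_ZONE}": encode_value(5000),
}


class AccountingClient:
    """Tallies processed objects/flows by type, then prices them via the zone."""

    def __init__(self, zone: str = VALUE_ZONE):
        self.zone = zone
        self.counts = Counter()

    def observe(self, obj_type: str, n: int = 1) -> None:
        """Record that n objects of obj_type were processed in this interval."""
        self.counts[obj_type] += n

    def valuation(self, resolver) -> dict:
        """Resolve each type's current value and the org's exchange rate."""
        per_type = {}
        unknown = []
        for obj_type, n in sorted(self.counts.items()):
            answer = resolver.lookup_a(f"{obj_type}.{self.zone}")
            if answer is None:
                unknown.append(obj_type)       # nobody has valued this type yet
                continue
            per_type[obj_type] = n * decode_value(answer)
        total = sum(per_type.values())
        rate_answer = resolver.lookup_a(f"rate.{self.zone}")
        rate = decode_value(rate_answer) / 1000 if rate_answer else None
        return {
            "doobies_by_type": per_type,
            "total_doobies": total,
            "unknown_types": unknown,
            "currency_value": None if rate is None else total * rate,
        }


def demo() -> dict:
    """One reporting interval on a constructed device."""
    client = AccountingClient()
    client.observe("dns-packets", 1000)
    client.observe("dns-flows", 40)
    client.observe("customer-ssn", 2)
    client.observe("syslog-lines", 3)          # no record in the zone
    return client.valuation(StaticResolver(CONSTRUCTED_ZONE))


if __name__ == "__main__":
    print(demo())
```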

Thursday, May 17, 2007

Horse and cart? Cart and horse?

Donal to Securitymetrics mailing list.

(snippet)

Is not our problem that of assigning value to digital objects and/or their contents? First we need a good handle on our objects.

So intrinsic in 'Security Metrics' I posit are 'Non-Security Metrics' of sorts ;)

Are we putting the cart before the horse?

(snippet)


Basically the thrust here is that we are trying to measure security and risk without actually fully measuring the playing field, players and game to begin with. This is self-defeating, as we then only sell FUD. One must first assign a value to digital objects, no matter how hard that may be. I have suggested interim value units in the past that can be subsequently assigned dynamic financial values on a per-organisation basis. This could be achieved with DNS (though DNS is a target in itself!).

"Security metrics deal with risk and risk is not about security - it's about the utility of content." ( From a highly respected individual in the field. )

So how do we measure our content and track it in the first place?

We cannot assign a value to something if we don't know it's actually there, what it is exactly... how many of them there are and where etc. Flexible real time distributed content inventory is required. This harks back to my emerging belief in a form of 'Total Information Awareness' and digital surveillance of networks. Distributed endpoint file/object indexing, keylogging etc. This then also raises issues regarding the security of said goldmine of information.

Yes, I am steering back towards the 'network computer'... thin everything!

Wednesday, May 16, 2007

Watch the bits go bye!

More Infosec stuffing:

Haven't brushed up on 'information geometry' yet ;) but this reminds me of what I was trying to map out with raw real data here:
http://static.flickr.com/47/174233556_2c39eb159b_o.jpg

Long rambling post lives here if anyone is interested, but very network centric and is garrulous and overblown: http://bsdosx.blogspot.com/2006/06/byo-rfc.html

Basically, should we be mapping everything in real time at the data object and/or flow level from an operational perspective? Could every managed node actively stream back data? Should there be secure management covert channels (think Sebek, http://www.honeynet.org/tools/sebek/sebek_intro.png) to constantly feed back a node's state, message passing and flows?

When you think about it, are nodes too independent and not surveilled enough? Rather than configuring something to monitor/watch them (OpenView, IDS, Argus), assuming initial trust, could they *constantly* advertise/disseminate statistical/session data that could be baselined (other than syslog/SNMP traps etc.)? Am thinking initial zeroconf and MANET-style operation here, or MMORPG gaming clients? libkstat on steroids?

I know Verdasys have Digital Guardian, CA have Audit... but will Enterprise Digital Rights Management scale, or does it have the same problems as PKI?

Surveillance and Adhocracy scale. With utility computing, servers will move and be re-purposed and the clients are already on the move.

Tuesday, May 15, 2007

Future, past and present.

I'm brewing a post about the future, as I think we are somewhat entrenched in the past and present.

For the moment the powers that be are waking up to support the object level security model, until reductionist thought strikes again :) I guess we'll always have data at rest, data being utilised and the resulting message passing or flows.

Anyway onwards and upwards.

a) Van Jacobson (Research Fellow at PARC) talks about new paradigms and security problems from the network up. Jump to 38 minutes in, as the start is a history lesson, albeit one that frames the old paradigms and ensuing discussion extremely well.


http://video.google.com/videoplay?docid=-6972678839686672840

Thanks Wade. Props to http://www.blog.wi.id.au/

b) Also, when looking at things like new paradigms for computing.
[Stargate replicators anyone]?

Neil Gershenfeld (MIT Director for Bits and Atoms): The beckoning promise of personal fabrication.

http://www.ted.com/index.php/talks/view/id/90


"We don't need to keep having a digital revolution"


Personal note: I especially love the fact that the Google video is subtitled and that at the time there was a person signing for the deaf. We need to cater for all walks of life, as per the colour blind discussions on visualising data. It shouldn't just be about 'survival of the most adaptable'. Is Future Shock and technology going to implement an unconscious eugenics program?

Monday, May 14, 2007

The Holy Grail?

"Loosely coupled, rich internet applications and media delivered via infinitely scalable and secure utility computing to mobile thin clients in mesh environments."

I invite suggestions for my description. I invite comments and criticisms.

Note: Must keep to one sentence though ;)

Sunday, May 13, 2007

Time for a smile.

This kid breakdancing is the first thing in a while to make me laugh out loud, enjoy!



Another brief smile is here.

Maybe there is something weird in the ether today, but here is another one.

Saturday, May 12, 2007

Infosec the video.

Video Link

forward-thinking

Rob Thomas has been a hero of mine ever since reading him on the First.org private lists. He founded Team Cymru (http://www.cymru.com/). He features in this video, along with Richard A. Clarke.

Good to see the Department of Homeland Security training up the United States Secret Service. Geo-political boundaries anyone?

Rob first opened my eyes to the fact that something like a GSR (Cisco 12000 Series Internet Router) could be 0wned and used to bounce or generate malicious traffic. Can you actually imagine a box with multiple OC-48 (and above) POS interfaces ready to do some miscreant's bidding? “im4 g0nn4 p4x0r j00!”

More ForwardEdgeII training videos!

Friday, May 11, 2007

I love it...

Just re-read one of my links to recent testimony given by Dan Geer to the US Department of Homeland Security's Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology.

Quote from page 2:

"Information security is perhaps the hardest technical field on the planet."

F**kin' A.

(I, or even he may seem biased, but those in the know will wholeheartedly agree.)

Q.E.D.

Wednesday, May 09, 2007

Collections of quotes.

I had emailed these around recently, you gettin' any warm and fuzzies?

The religion of the future will be a cosmic religion. It should transcend personal God and avoid dogma and theology. Covering both the natural and the spiritual, it should be based on a religious sense arising from the experience of all things natural and spiritual as a meaningful unity. Buddhism answers this description. If there is any religion that could cope with modern scientific needs it would be Buddhism. (Albert Einstein)

A human being is part of the whole called by us universe ... We experience ourselves, our thoughts and feelings as something separate from the rest. A kind of optical delusion of consciousness. This delusion is a kind of prison for us, restricting us to our personal desires and to affection for a few persons nearest to us. Our task must be to free ourselves from the prison by widening our circle of compassion to embrace all living creatures and the whole of nature in its beauty. The true value of a human being is determined by the measure and the sense in which they have obtained liberation from the self. We shall require a substantially new manner of thinking if humanity is to survive. (Albert Einstein)

The most beautiful and most profound experience is the sensation of the mystical. It is the sower of all true science. He to whom this emotion is a stranger, who can no longer wonder and stand rapt in awe, is as good as dead. To know that what is impenetrable to us really exists, manifesting itself as the highest wisdom and the most radiant beauty which our dull faculties can comprehend only in their primitive forms - this knowledge, this feeling is at the center of true religiousness. (Albert Einstein - The Merging of Spirit and Science)

Reality cannot be found except in One single source, because of the interconnection of all things with one another. (Leibniz, 1670)

All things are parts of one single system, which is called Nature; the individual life is good when it is in harmony with Nature. (Zeno)

But I also really like Wade's quote page [http://tumblr.wi.id.au/] as it has a similar theme.

Saturday, May 05, 2007

Game theories for the World

Should we all be playing non-zero-sum games?

In the words of author Robert Wright (TED talk), "players with linked fortunes tend to cooperate for mutual benefit", and "All the salvation of the world requires is the intelligent pursuit of self interest in a disciplined and careful way".

Moral evolution is required via appreciation for the interconnectedness of all things.

I have been thinking for quite some time now that games like Sim City are required as part of a more subtle education system, to help teach kids about interdependence and how societies and civilisations actually work. Also, if kids aren't creating entertainment any longer and are just consuming entertainment while mimicking the wrong role models, surely as a society we are responsible for re-architecting how they perceive society, and should introduce different paradigms to their learning and living. We have indeed outsourced almost all thought, decision making and learning to the mass media, while demonstrating mostly the negative traits of human nature such as greed, intolerance and lack of discipline. We breed autonomic consumers.

Personally I believe we should be getting kids to game with things like Sim City, A Force More Powerful and FoodForce. Imagine a multiplayer non-zero-sum game akin to Command and Conquer where the only answer was to negotiate and collaborate rather than mutually assured destruction. Let them play it out over the course of a term in teams and hopefully, like WOPR, they would come to realise the best strategy!

We are either unconsciously breeding a new generation unequipped for the present/future day, or we can consciously adapt to the increasing rate of change in the world and move out of the outdated and inept mass-industrialised educational structure to a more modular, digitally orientated, autodidactic framework.

"Welcome to the internet my friend."

Friday, May 04, 2007

Wednesday, May 02, 2007

Good things, when short, are twice as good.

If you know anything about information security, claim to, or even have a passing interest; then this 3 page PDF document will reinforce, refresh, and explain concisely the issues we face.

"The Committee on Homeland Security's Subcommittee on Emerging Threats, Cybersecurity, and Science and Technology will hold a hearing entitled "Addressing the Nation's Cybersecurity Challenges: Reducing Vulnerabilities Requires Strategic Investment and Immediate Action." Witnesses include Dr. Daniel E. Geer, Jr., Principal, Geer Risk Services, LLC; ........."

Dan's testimony is here:

http://geer.tinho.net/geer.housetestimony.070423.PDF

Security metrics, expertise supply, increasing risk due to intelligent attacks, information sharing (my personal favourite) and accountability as opposed to access control.

Note: You may be interested also in some of Dan's other publications:
1. "Data Loss Prevention" [http://www.verdasys.com/pdf/dlp_whitepaper.pdf]
2. "Securing the Point of Use" [http://www.verdasys.com/pdf/SecurePOS.pdf]
3. "Convergence" [http://geer.tinho.net/ieee.geer.0606.pdf] of physical and digital security.
4. "The Evolution of Security" [http://geer.tinho.net/acm.geer.0704.pdf]

Monday, April 30, 2007

Pull up those bre[e|a]ches...

In response to a post of Drazen's, quoting Peter Benson on Disclosure Laws; http://beastorbuddha.blogspot.com/2007/04/disclosure-laws-impacts-and-things-to.html

I offer the rant below.


I love this kind of topic, merely to highlight the macro and micro issues. One must look outside one's own discipline to find answers, as becoming too specialised, more often than not, does not allow one to 'see the forest for the trees'.

I would like to try and answer the issue if I may with some history, a dash of the present and a dab of the future.

History:
This is what's starting to happen in our society and industry in terms of complexity and economics: http://dieoff.org/page134.htm. Even though this paper is focussed on natural ecosystems and civilizations, the internet and its composing networks are a wonderfully rich representative ecosystem existing in our civilization.

As complexity increases there is increased energy needed in any system. This either produces new paradigms which address diminishing marginal returns, or the system collapses under the weight of trying to address the complexity. Thus what is required is either non-reductionist thought to address the complexity, e.g. "Defense in Depth" (which happens to be extremely costly), or a reduction in complexity and type of energy required in trying to solve the problems, resulting in a new paradigm or paradigms. To introduce the next paragraph I thought I'd quote Marcus Ranum (http://www.ranum.com/) "Your job, as a security practitioner, is to question - if not outright challenge - the conventional wisdom and the status quo. After all, if the conventional wisdom was working, the rate of systems being compromised would be going down, wouldn't it?"

Present: Quality and Cost Benefit Analysis

Sometimes when you have been travelling along a certain path, there are a few signposts as to why you are potentially lost.
http://www.ranum.com/security/computer_security/editorials/master-tzu/

http://www.ranum.com/security/computer_security/editorials/dumb/


Future:
Personally I believe the tools and processes are out there, but the enumeration of the problem is somewhat incorrect and is being hampered by the 'old guard' of IT, who actually don't really get it! They are suffering extreme forms of 'Future Shock' (http://en.wikipedia.org/wiki/Future_Shock): "too much change in too short a period of time"... This is in fact a wider social issue that is very hard to address, as people are afraid to challenge the status quo or can't effect change within their existing roles. This must happen more quickly, rather than allowing a generational 'breed out' of the less savvy CIOs, CTOs, CSOs and below, as things are speeding up and not slowing down. This will only occur with economic motivations. Economics is based on theories of scarcity and the perceived value of goods and services. We are having huge issues in evaluating data over its lifecycle and putting a price on the ensuing issues and costs of a breach, disclosure or unintended manipulation of data.

As Grace Murray Hopper, USN (Ret) points out:

'Some day, on the corporate balance sheet, there will be an entry which reads, "Information"; for in most cases, the information is more valuable than the hardware which processes it.'

Dan Geer re-introduces this in his wonderful paper "The Shrinking Perimeter: Making the Case for Data-Level Risk Management", which argues for object level protection and data valuation, which opens with the previous quote. (http://www.verdasys.com/pdf/ShrinkPerim.pdf )

Another interesting topic is that of time and physics at play in our new world. Time based security and convergence argues for new paradigms. (Convergence, Dan Geer http://geer.tinho.net/ieee.geer.0606.pdf) and highlights new effects of this highly connected information based economy.

To understand the infrastructure and ecosystems out there, one must constantly sample and baseline traffic in the face of constant change. Some change is valid, some invalid. One cannot manage what one cannot measure, and change management is at the heart of it all. Metrics need to be standardised upon and individual nodes or systems need to become simpler e.g. more easily defined and controlled.

MTTR (Mean Time To Repair, http://en.wikipedia.org/wiki/Mean_time_to_repair) for example, requires that one actually knows something is at first broken and/or performing incorrectly (be it malicious or benign!).

Even though technology changes, the challenge of information management stays the same.

Sampling and surveillance, tied to regulation and compliance? Whose pocket gets hurt and what can they then do about it? Does a public shaming exact the financial penalties warranted or is public memory short lived when entities change and reform as different companies?

I do believe it's the start of building a baseline awareness. But honestly, without a form of Total Information Awareness, massive indexing and far reaching information asset management, how do you know:

a) what you've lost
b) when you've lost it
c) how you've lost it
d) how not to lose it again

Where does the burden of liability fall and how big is the carrot or stick?
Hopefully we don't start to litigate. http://www.ranum.com/security/computer_security/editorials/lawyers/index.html

I am beginning to be more optimistic with good folks like SA (http://www.security-assessment.com/) on the case!

Thursday, March 29, 2007

Spring has sprung, the grass has riz, I wonder where the RFID ...

I recently got a new ePassport with an RFID chip installed. I would have gotten a legacy passport sooner had I been actively following Ireland's rollout schedule for ePassports. As I only provided the minimum amount of information, i.e. old passport, photos and basic identity information, I am not currently deeply worried; however, the potential to:

a) read my information
b) write new information
c) clone my identity
d) at some future time add more biometric information
e) remotely fingerprint the passport nationality

led me to re-read some work being carried out on RFID security and the encryption algorithms and key material being used, or not used as the case may be. The term PKI (Public Key Infrastructure) has been bandied about, however who owns and controls the root key(s), and how is the local key derived? What is the key strength, and who owns or controls them? Can I read my own info? How secure is their BAC (Basic Access Control)? Not very, it seems. Issues abound in passports, credit cards and building or system access cards whereby proximity readers are employed.

Right now I would like to disable the chip completely, but I believe this to be a crime. Maybe I can coax it to gently fail? What is the MTBF ( Mean Time Between Failures ) for the RFID chips in Irish passports? The UK ones seem to be fairly short. http://www.theregister.co.uk/2007/02/07/nao_epassport_report/

Passports cloned at BlackHat : http://www.wired.com/science/discoveries/news/2006/08/71521

Bruce Schneier commentary http://www.schneier.com/crypto-gram-0610.html#3

Tools and Information from RFIdiot http://www.rfidiot.org/

NO2ID.net http://www.no2id.net/

Electronic Frontier Foundation http://www.eff.org/Privacy/

RFID Security and Privacy http://www.rfid-cusp.org/ Also, 1G Vulnerabilities in Credit Cards

Potential misuse via a targeted IED (Improvised Explosive Device) http://www.youtube.com/watch?v=-XXaqraF7pI

Paper on RFID card security : http://www.riscure.com/2_news/200604%20CardsAsiaSing%20ePassport%20Privacy.pdf

Basic countermeasures!
(Thinking about reducing skimming attempts through shielding!)
RFID SHIELD http://www.rfid-shield.com/
DIFRwear http://difrwear.com/

Tuesday, March 13, 2007

The Elves and the Shoemaker ( Part 1 )

Q. When is your reality not your reality?
A. When it's somebody else's?

So excuse the existentialism for a moment and permit me if you will, to step back from the issue to elaborate more clearly my opinion of the forces at work at a deeper level. At no time in history has the rate of change, the terms of reference and the paradigms been so extraordinarily different as they are currently, especially for knowledge based/information economies, or other businesses and organisations that rely upon or use Information Technology.

As William Gibson said, "the future is already here, it's just unevenly distributed".

For some this creates an exciting, ever-changing, ever-learning environment in which one can in some ways actively contribute and watch the future unfold in 'realtime' like never before. In no other discipline (I use the term 'discipline' lightly ...) is this rate of change as pronounced as it is in Information Security/Protection/Assurance ... where one must be constantly abreast of new technologies and engaged in a never-ending cyber arms race in an effort to help defend an organisation's assets from malicious attack or unintended breaches in data and service integrity, confidentiality or availability. A mammoth task even in smaller organisations.

EDS may have tried to herd cats, but we in Infosec try to repel alien invasions, uncover national conspiracies, protect and serve, and offer matrix style A-team vigilantism served up with a side order of business acumen and a portion of savoir faire. Fun until you realise your noble pursuit of protecting the weak and innocent, fighting the forces of evil and saving the world from itself isn't necessarily shared by all elves. Funny that ... the naivety in thinking that there were no lazy, apathetic IT elves ... the realisation that all the IT elves must do their work to a certain level of quality and assurance for your work to even begin to be worthwhile, measurable, or at least have the other elves believe you when you tell them of the 'dark magic' that counteracts the good elven magic they are so used to (this of course without demonstrating 'dark magic' on production or development systems as we meanwhile wait for the 'dark elves' to try all manner of 'dark magic' until they install 'dark doors' that are practically untraceable ...)

For many in business, even in IT itself, it is easier to allow the elves to get on with their daily magic and then work with the ensuing results, embracing without question the supposed increases in productivity and efficiency.

Most beings work on a macro layer and let the elves create and dabble in even more elven magic to ensure the lower level elves and base magics behave themselves. What we don't know can't and shouldn't hurt us right?

Let's take an administrator, management entity or executive in the Grimm Brothers Ltd. shoe business as a potential test subject. They are constantly worried about profit, share value, productivity and efficiency (as they might be in any business). They don't actually need to fully grasp how the increases in output and efficiency are achieved by the latest and greatest elves and magic, just that they work and work well. Unfortunately, conveying and measuring the potential pitfalls and complexity of using this magic is extremely hard to explain to anyone who doesn't have a grasp of the most basic and rudimentary tenets of elven magic. Problems are compounded by the outsourcing of elven work to other, cheaper elven lands, or by insisting upon the use of increasingly complex and esoteric elven magic without keeping some local elves in reserve to do quality assurance, vendor management or governance. Somehow all elves should be trusted with all magic, and unfortunately unmanageable and unmeasurable SLAs (Service Level Agreements) cannot and do not incur penalties. Increasingly and understandably, management want to connect their business directly to 'other' realms in the hope of increased sales and access to more B2E (Business-to-Elf) services ...

Unfortunately these realms also contain both good and bad elves, dark magic ... and all number of mythical and mysterious self replicating evil beasties and other magical creatures.

One mis-spoken elven incantation (depending upon the situation and circumstance) can cause terrible horrors and cripple a shoe business, reducing them back to cobblers. Rumour has it that a certain shoe business continued to make a full month's worth of shoes in the wrong realm without anyone noticing, while the offending bad elf pocketed the money and sold the incantation to other bad elves to use on other similarly connected shoe businesses for fun and profit.

In what I will call 'standard industries', people, resources, inputs/outputs, and the processes in between have, for centuries, been producing products and services with ever more efficient physical world means. Problems were addressed with mainly conventional wisdom and experience was garnered slowly but surely. Information's potential for utility was dictated by its storage, processing, quantity and speed of access. There was time to learn and slowly adapt to changing markets and conditions. Knowledge was passed on and people generally knew what was going on (or at least you could look under the hood and somewhat infer the mechanism and physics of the system). There was no need for knowledge of the other 'realms' or of extra sneaky elven escapades. In fact way back then there were no elves and no magic!

I think society is now approaching the Shoe Event Horizon?

Hopefully this goes some way to highlighting the levels of abstraction, complexity and lack of care in use of even the most basic elven magic ... the fact that elven magic is almost ubiquitous in every aspect of modern society and becoming even more so, should be a warning flag of sorts. I am still a little iffy on how my fridge works ... thermodynamics and all that, but I'm damned sure no other realm's dark elven magic will leak in through my freezer box, monitor me and empty my online bank account.

a) Forest from the trees: Micro vs Macro

Where do IT Security managers/analysts/admins really sit in the hierarchy of the business? Are they perceived as generating value or just scaremongering? Do they actually understand the business themselves? How many cowboys are there currently in this business, and do these professionals still have an active foot in the 'real' business generation of value? Are the security vendors only interested in selling more kit? Is it worth building robust products and services with longevity that won't necessarily generate repeat business, entail a support contract, or restrict usage and try to enforce overzealous licensing requirements?

Are we generating more complexity every second, introducing more nodes and depth of code rather than reducing it and improving the quality? Is this really an increase in efficiency and manageability? How many layers of abstraction and protocols before one gets to the data object?

b) Understanding the business: Bottom lines and risk management?

I agree that the technically orientated need to understand the business more, but the business guys need to understand the technical aspects of the platforms and systems they employ also. Maybe the security guys need to have security relationship managers facing off to other parts of IT and the business, or would this just complicate matters? Must each security dude/manager be a CSO and CTO in their own right? Are we asking too much or too little?

How can one employ risk management techniques without first understanding the flows and business processes, rather than just the distinct packets and security posture of systems in isolation? How does one map a business that is changing at such a fast pace 'under the hood' as it relates to operating systems, custom code, new rollouts, decommissioning etc.? How up-to-date and integral is your DNS, logging, NTP, routing, host database and asset management? How integrated and aware are your change management and operational monitoring systems? How much confidence do you have in all this information and the dudes, dudettes or elves performing the changes? And is this all required across the board, from SMEs and up?

c) Culture and generational: Youth vs. Age and wisdom of both?

Who wants the equivalent of a spotty youth or young buck trying to convey a different paradigm of the world to a well established businessperson who has made their mark and 'understands' the business fully? Many questions abound here ... how long has one been in their role, are they keeping up-to-date, do they actually care, is it all too much and how often is 'the changing of the guard' occurring in the higher echelons of a business?

d) Communication and quantification: Describing and conveying risk?

You can't manage what you can't measure. What metrics are available or employed to convey meaning and progress? How do you value your data, systems, IP flows and business systems other than the physical asset values? How do you translate these abstract concepts and systems to other business decision makers? Are analogies a poor substitute for direct real evidence? So at the end of the day, what you are going to communicate precedes the how.

“Some day, on the corporate balance sheet, there will be an entry which reads, 'Information'; for in most cases, the information is more valuable than the hardware which processes it.”
Grace Murray Hopper

Metrics, metrics, metrics ... what, how, where and when to measure? How do you enumerate the risks? Some progress is being made, but we are at a very early stage. Definitions are still somewhat wishy-washy, frameworks are like standards ... 'the beauty is that there are so many to choose from'.

When IT products and commercial code are more regulated and built with greater tolerances we'll all be in a better place ... see here!

e) Rate of Change and Future Shock: Telescoping, new paradigms and new physics?

A while back on the Security Metrics mailing list I started a debate on the new world physics employed when dealing with Information Security/Protection. Dan Geer had a great paper on the issue of time and the geographic, physical and technical issues faced in cyberspace versus the physical world. I highly recommend it.

Executives, managers and all aspects of business (including elves) are experiencing 'Future Shock', which is basically a 'culture shock' in our own society and time, where the rate of change constantly removes our terms of reference and leaves us alienated. Are you still trying to ride the wave of information overload, and how do you hope to address it? Or are you starved of the quality of data you require to make effective and critical judgements for your life, liberty and the pursuit of business/happiness?

Do we really need more elves and magic right now?