Originally Published - 12/1/15
As I was thinking about a graduation speech I had been invited to give, I became a little thoughtful and realized that I had been aware of information security from a young age - so I'll fill in some history.
1980s
• I saw the first computers "hacked" in retail stores - This was the time when the first home computers were available in retail stores in the UK. These were systems like the BBC Model B, Sinclair Spectrum and Commodore 64. What I saw was that anyone could walk up to a terminal and enter their own code... many a machine displayed "Joe was here".
1990s
• Caught my first virus from a college computer - a simple boot sector virus, but I learned that anyone could become infected very easily.
• Saw the business challenges of data not being where you expected it after unknowingly deleting files - during a simple operating system upgrade for an end user I managed to overwrite work files stored in the c:\windows directory.
• Web code I had written "broke" behind a load balancer due to poor session management - my first time as a web developer, and I had to learn the intricacies of session handling between multiple servers.
• Subject to my first system "hack" - a colleague knew the admin password for my laptop and continually had fun at my expense until I realized that my admin credentials had been compromised.
• Witnessed the first server that I was responsible for be compromised - a Windows-based FTP server was sitting outside the firewall, alone and forgotten, until it was compromised by someone distributing warez and saturating our internet connection.
2000s
• Developing a "PaaS" platform for a hosting company, I saw value in locked-down standard builds - lots of scripting and Altiris images used to build something repeatable and manageable at scale.
• Used my first Unix hardening scripts, "Titan", and appreciated shutting off unneeded services - all of a sudden I asked myself: why do those unneeded services need to be running?
• Performed first Common Criteria evaluations and appreciated the "elegance" of the process - it took a few months of poking around the edges, but one day all the pieces came together: the multiple extensive documents, the functions, the depth of thought that had gone into the process - beautifully elegant in concept, horrible in practice.
• Created my first "MD5 hash" to enable integrity checking of distributed software - I realized that trust was everything, and distributing a file that could be infected and then redistributed would seriously damage our reputation. A simple, 3-minute process could help to mitigate that risk.
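The integrity check described above, as an added example rather than the author's own script: a publisher computes a digest of the package and posts it alongside the download, and the recipient recomputes it and compares. The sample payload, file names and the one-byte "tampering" are constructed for the demonstration. The `algorithm` parameter reproduces the MD5 step from the text; the default here is SHA-256, since MD5 collisions have been practical for years and it no longer provides a meaningful integrity guarantee against a deliberate attacker.

```python
import hashlib
import hmac
import os
import tempfile

CHUNK_SIZE = 64 * 1024  # hash in chunks so large installers need not fit in memory


def bytes_digest(data, algorithm="sha256"):
    """Hex digest of an in-memory byte string (handy for small files and tests)."""
    return hashlib.new(algorithm, data).hexdigest()


def file_digest(path, algorithm="sha256"):
    """Hex digest of a file, streamed in fixed-size chunks."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK_SIZE), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_digest(path, expected_hex, algorithm="sha256"):
    """True only when the file's digest matches the published one.

    hmac.compare_digest avoids an early-exit comparison; case and stray
    whitespace in the published value (e.g. copied from a web page) are normalised.
    """
    actual = file_digest(path, algorithm)
    return hmac.compare_digest(actual.lower(), expected_hex.strip().lower())


def demo():
    """Publisher/recipient round trip on a constructed package, plus a tampered copy."""
    # Constructed stand-in for a distributed software package (not a real binary).
    payload = b"example-installer-v1.0\x00" + bytes(range(256)) * 4
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "package.bin")
        with open(good, "wb") as f:
            f.write(payload)
        # What the publisher would post next to the download link.
        published = file_digest(good)

        # Simulate a single flipped bit somewhere in a redistributed copy.
        tampered = bytearray(payload)
        tampered[40] ^= 0x01
        bad = os.path.join(tmp, "package-tampered.bin")
        with open(bad, "wb") as f:
            f.write(bytes(tampered))

        return {
            "published": published,
            "good_ok": verify_digest(good, published),
            "tampered_ok": verify_digest(bad, published),
        }


if __name__ == "__main__":
    result = demo()
    print("published digest:", result["published"])
    print("original verifies:", result["good_ok"])
    print("tampered verifies:", result["tampered_ok"])
```

The digest only protects integrity if it is obtained over a channel the attacker cannot also alter (a signed release page or a separate TLS-protected site rather than the same mirror that serves the file); otherwise a redistributor can simply replace both the package and its published hash.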
• First presentation to a CISO of a Fortune 100 company (quickly followed by first smackdown by a CISO of a Fortune 100 company) - walking in and talking about numbers of IDS events promptly got me "Why are you telling me this?" I learned to turn data into actionable information very quickly.
• Witnessed poor authentication in an old, forgotten web application enable the takedown of a large shared infrastructure - a simple misconfiguration of multiple sites to use the same credentials allowed the compromise of the old site to impact all the others. Simple fix, but hours of outage.
2010s
• Responsible for Info Sec teams protecting hundreds of customers -
• Built and certified a "Federal Cloud" IaaS platform - took a Zen-based Federal Cloud platform through the GSA Cloud BPA, the precursor to FedRAMP. I was able to take the lessons learned in the Common Criteria, years of technical expertise and my team and get the project completed; however, I also recognized that, like the Common Criteria, Federal compliance is not a technical challenge.
• Focused on wireless 802.11 security hardware and software development and developed a road map with security built in from day 1 - if you know what the requirements are (Common Criteria), then building those into the road map from day 1 is straightforward and achievable on time and on budget. However, fundraising pressures can re-prioritize the requirements.
So apart from feeling nostalgic - what do we take away from this about Information Security and Security Leadership?
• It's about understanding business challenges - not just technical data
• Security awareness is critical for users to avoid the simple things like viruses & malware
• Have security in the conversation early & often with your organization's Risk Takers, as it can smooth development and enable the security costs to be built in from the beginning.
• Visibility
    • Where is your data?
    • What old, forgotten applications are still alive?
    • What forgotten devices lurk inside or outside the firewall?
• Process & Standards
    • Have value when implemented properly
    • Value is reduced when implemented too "Elegantly"
Next I'll explore some thoughts about the relationship between Risk Reducers, Risk Takers and Users.