Given some recent conversations I’ve had on the topic of “What’s Hot and What’s Not in the World of Security”, I thought it would be timely to write a series of blogs on “Free Stuff”. And I’m not talking about the big bag of security tchotchkes you picked up at the last RSA convention (a person can only use so many rubber penguins!); I’m talking real, useful, save-your-business, move-you-closer-to-five-nines kind of free stuff.
Business Continuity Planning and Security go hand in hand. If you’re familiar with CIA (no, not the government agency!), then you know that the “A” is for “Availability”. Good security is making sure that your data is always available when you need it to be. If I’ve said it once… You can spend all the money you want on tools and technology (and yes, they are critical!) but they mean nothing unless you’re also implementing a couple of simple, common-sense ‘best practices’ that cost you nothing! I’ll start with one of my favorites; something that you can start doing today without waiting for the next budget cycle or equipment forecast! Of course, you might want to run it through your change management process just to be on the safe side ;-)
But first, a little trip down geek-memory lane. I remember how excited we all were when our Digital Tru64 UNIX Alpha Server hit the three year mark without any down time! All up, all the time. Pretty impressive! Three years with no problems or interruptions at all, it just kept on ticking! Impressive! TSC (that was the system name, though I have no idea what meaning, if any, the acronym had) was the primary in a two node active/passive cluster and it was where we kept all of our important documentation and everything else we needed to keep our business going. Three years. Never down. Maybe TSC meant “The Super Computer”. Who knows.
Now, looking back through a wiser (and older) set of eyes, I ask myself: “What the heck were we thinking?!!” Did we never even consider what would happen if it did go down? Would it come back up? Would the backup server take over? Was the backup server even working as we assumed it was, out there quietly in the shadow of “The Super Computer”? Would we lose valuable data? Was there some hardware ‘thing’ that might have been teetering on the brink until it went through a power down? We had no idea what would happen in the event of an unplanned outage because we were so excited about seeing how long it would keep running! For all I know, it’s STILL running! But we weren’t security people (for us it was the thrill of infinite uptime!) and we never considered the security implications of how prepared we were (or were not) for an unexpected outage!
Well this is a simple problem with a remediation that is easy and free and applies to anything in your environment that you consider (and hope) to be redundant: You need to schedule regular reboots. No, not only for when it’s necessary for a software update. I’m talking Regular! As in monthly! WHAT??
It’s critical that you proactively test your redundant systems’, firewalls’, routers’ (etc.) ability to fail over and/or come back after an outage. Test your cluster failover to shake out potential issues with your secondary. In fact, trade off active/passive roles every other month. Unplug your primary power supply to make sure the backup backs it up! Don’t let the first test of your redundant environment be in an emergency! If you don’t test it, it may NOT be redundant at all!
While it might seem like a contradiction to suggest that you take “stuff” down to ensure that it stays up, it just takes one failure of redundancy to understand why it makes perfect business sense! And while it does mean that you’ll never get to break “The Super Computer’s” record, you’ll be that much closer to achieving the availability your business demands! And, what makes it all the better, it’s free stuff!
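One way to put the monthly-reboot rule into practice is to check every host’s uptime against the policy and alternate active/passive roles on a calendar. The script below is an added example, not code from the original post; the host names and `uptime` output lines are constructed, and the 30-day policy and the odd/even month role swap are assumptions.

```python
import re
from datetime import timedelta

# Constructed sample: host -> text of its `uptime` output (made-up hosts, not real systems).
SAMPLE_UPTIME = {
    "tsc":      " 09:14:02 up 1095 days,  3:12,  2 users,  load average: 0.01, 0.03, 0.00",
    "tsc-sby":  " 09:14:05 up 41 days,  7:55,  1 user,  load average: 0.00, 0.00, 0.00",
    "fw-edge":  " 09:14:09 up 17 min,  0 users,  load average: 0.10, 0.08, 0.02",
    "rtr-core": " 09:14:11 up 2 days, 22:40,  1 user,  load average: 0.20, 0.15, 0.10",
}

# "Regular, as in monthly": anything up longer than this is overdue for a planned restart.
REBOOT_POLICY = timedelta(days=30)


def parse_uptime(line):
    """Return the uptime in one `uptime` line as a timedelta.

    Handles the three shapes the command prints: 'up N days, HH:MM',
    'up HH:MM' and 'up N min'. Raises ValueError on anything else.
    """
    m = re.search(r"\bup\s+(.*?),\s+\d+ users?", line)
    if not m:
        raise ValueError("unrecognised uptime line: %r" % line)
    spec = m.group(1)
    days = hours = minutes = 0
    d = re.search(r"(\d+) days?", spec)
    if d:
        days = int(d.group(1))
    hm = re.search(r"(\d+):(\d+)", spec)
    if hm:
        hours, minutes = int(hm.group(1)), int(hm.group(2))
    mn = re.search(r"(\d+) min", spec)
    if mn:
        minutes = int(mn.group(1))
    return timedelta(days=days, hours=hours, minutes=minutes)


def overdue_hosts(uptimes, policy=REBOOT_POLICY):
    """Hosts whose uptime exceeds the policy, i.e. whose ability to come back
    after a restart has not been exercised recently enough."""
    result = {}
    for host, line in uptimes.items():
        up = parse_uptime(line)
        if up > policy:
            result[host] = up
    return result


def active_node(pair, month):
    """Trade active/passive roles every other month so the standby gets exercised:
    odd months the primary is active, even months the secondary is (assumed schedule)."""
    primary, secondary = pair
    return primary if month % 2 == 1 else secondary


if __name__ == "__main__":
    for host, up in sorted(overdue_hosts(SAMPLE_UPTIME).items()):
        print("%-9s up %s -> overdue for a scheduled reboot" % (host, up))
    print("active node for March:", active_node(("tsc", "tsc-sby"), 3))
```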
I recently read an article in one of the Security eRags I subscribe to, that asked the question: “What are the Most Overrated Security Technologies?” According to the author, Bill Brenner, Senior Editor of CSO online, anti-virus software, firewalls, Identity and Access Management/multi-factor authentication, and NAC are all antiquated, obsolete, useless, worthless, dead… you get the picture.
It got me to thinking.
It was not more than a week ago that I was trying to download some freeware, as many of us often do (I have no idea what it was!), when up popped my antiquated, obsolete, useless, worthless, dead Symantec Antivirus telling me that the file I wanted to grab was hostile, saving me a lot of time and anguish and maybe even worse. Thanks, Symantec! A “Security expert” quoted in the article argues: “But it won’t stop a zero-day attack”. Ok, but will it stop the other 10 gazillion malware attacks out there? Yes! So tell me again how it’s antiquated, obsolete, useless, worthless, and dead.
I run a personal firewall on my home system (an antiquated, obsolete, useless, worthless, dead firewall). On occasion, I look at the log files to see what’s been going on and am always impressed to see how many port scans have been logged: hundreds and hundreds. True, I don’t have any unnecessary or unsafe ports open in the first place, but that doesn’t mean that the average computer user out there who doesn’t do security for a living is as cautious. (If you don’t believe me, go ask your Aunt Betty if she made sure to shut down her Telnet listener before jumping onto the Net…)
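Those port scans in the firewall log are easy to pull out mechanically: group the blocked probes by source address and flag any source that touches several distinct destination ports in a short window. The script below is an added example, not from the original post; the log lines are constructed in the style of iptables/UFW kernel messages, and the thresholds (five ports in sixty seconds) and the log year are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in the style of iptables/UFW "[UFW BLOCK]" kernel messages
# (documentation-range addresses, not a real capture).
SAMPLE_LOG = """\
Mar 11 08:01:02 home kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.20 PROTO=TCP SPT=44121 DPT=22
Mar 11 08:01:02 home kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.20 PROTO=TCP SPT=44122 DPT=23
Mar 11 08:01:03 home kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.20 PROTO=TCP SPT=44123 DPT=80
Mar 11 08:01:03 home kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.20 PROTO=TCP SPT=44124 DPT=443
Mar 11 08:01:04 home kernel: [UFW BLOCK] IN=eth0 OUT= SRC=203.0.113.7 DST=192.168.1.20 PROTO=TCP SPT=44125 DPT=3389
Mar 11 08:05:40 home kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.1.20 PROTO=TCP SPT=51000 DPT=445
Mar 11 09:30:00 home kernel: [UFW BLOCK] IN=eth0 OUT= SRC=198.51.100.9 DST=192.168.1.20 PROTO=TCP SPT=51001 DPT=445
Mar 11 09:30:01 home kernel: [UFW BLOCK] IN=eth0 OUT= SRC=192.0.2.44 DST=192.168.1.20 PROTO=UDP SPT=5353 DPT=5353
"""

LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ kernel: \[UFW BLOCK\] "
    r".*?SRC=(\S+) .*?PROTO=(\S+) .*?DPT=(\d+)"
)


def parse_blocks(text, year=2010):
    """Turn blocked-packet log lines into (timestamp, src, proto, dport) tuples.
    Syslog lines carry no year, so one is supplied (assumed 2010 here)."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a block record; ignore
        ts = datetime.strptime("%d %s" % (year, m.group(1)), "%Y %b %d %H:%M:%S")
        events.append((ts, m.group(2), m.group(3), int(m.group(4))))
    return events


def probe_counts(events):
    """How many blocked probes each source sent: the 'hundreds and hundreds' view."""
    counts = defaultdict(int)
    for _, src, _, _ in events:
        counts[src] += 1
    return dict(counts)


def detect_scans(events, min_ports=5, window_seconds=60):
    """Flag sources that hit at least min_ports distinct destination ports within
    window_seconds. Returns {src: (window start, sorted ports)}."""
    by_src = defaultdict(list)
    for ts, src, _, dport in events:
        by_src[src].append((ts, dport))
    scans = {}
    for src, hits in by_src.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            seen = set()
            for ts, dport in hits[i:]:
                if (ts - start).total_seconds() > window_seconds:
                    break
                seen.add(dport)
            if len(seen) >= min_ports:
                scans[src] = (start, sorted(seen))
                break  # one verdict per source is enough
    return scans


if __name__ == "__main__":
    evts = parse_blocks(SAMPLE_LOG)
    print("blocked probes per source:", probe_counts(evts))
    for src, (start, ports) in detect_scans(evts).items():
        print("port scan from %s starting %s: ports %s" % (src, start, ports))
```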
In the interest of time, I won’t go through the other antiquated, obsolete, useless, worthless, dead technologies that the author mentions in the article, but suffice it to say, I don’t agree with him and here’s why:
Almost unanimously, the detractors of these technologies are self-described “security experts”. One even claims that he’s never ever used anti-virus and has never gotten a virus! Bravo! I’ve never taken heart pills and have never had a heart attack (knock on wood), but what does that prove? Lucky, maybe? Maybe in the AV case, it only proves that he has a little more malware-awareness (and time) than most people have. Guess what, fella: not everyone is a “security expert”!
For the average computer-using Joe Blow, every little bit helps. “Defense-in-depth” means that you throw everything you can at would-be attacks. It’s irresponsible to imply that the average Joe should take down those firewalls, remove those virus detectors, stop using multi-factor authentication. What about passwords? Overrated? Let’s just stop using those too. In fact, these antiquated, obsolete, useless, worthless, dead tools are often the only thing protecting the average person, and even the average company, from attack.
“Security Experts” sometimes forget that not everyone lives and breathes security. To those security-challenged Joe-Averages, their computer is a means to an end and security is just one of those things that is most often out of sight out of mind, like a car alarm or a smoke detector. (By the way, they are both reactive technologies, a big negative according to Bill and his article. But aren’t they pretty handy when your car is being stolen or your house is on fire?) And what’s so bad about "reactive" anyways? Defense, by definition, is reactive! And we all understand that even the strongest defense may not be enough at some point, but that doesn’t mean these "antiquated, obsolete, useless, worthless, and dead" technologies don’t do a pretty darn good job at what they’re intended for!
So, to those “Security Experts” out there who can apparently leap tall buildings and ward off all manner of malware without tools and expect everyone else to do the same, I say… “What’s your IP address?” To everyone else, don’t expect anything to keep you completely safe. Defense in depth means just that: use whatever is available to you to safeguard your data, no matter how antiquated, obsolete, useless, worthless, or dead someone else says it is. It makes no sense to throw out the baby with the bathwater just because someone tells you it’s an ugly baby, especially if it's the only baby you've got!
And if, after all is said and done, you get the urge to tear down those (fire)walls, ask yourself this: “Do ya feel lucky? Well, do ya?”
Read Bill's article for yourself and you decide: http://www.csoonline.com/article/571263/What_Are_the_Most_Overrated_Security_Technologies_?source=CSONLE_nlt_update_2010-03-11
I’m very fortunate to have this platform to share my thoughts on what’s “hot” and what’s “cool” in the world of technology, so I wanted to use a small corner of the platform to pass along some big “props” to a good friend of mine and ‘fellow’ Security Consultant in HP’s MultiVendor Systems Engineering (MSE) group, John Wieland.
Yesterday, John accomplished what lesser mortals (like me!) only dream of accomplishing: he passed his second CCIE exam!
If you’re not up on your industry certification acronyms, CCIE stands for Cisco Certified Internetwork Expert, and it comes in seven flavors: Wireless, Routing & Switching, Design, Service Provider, Storage Networking, Security and VoIP.
John is CCIE certified in Security and as of yesterday, VoIP as well!
If you’re not impressed yet, how about this: having two CCIE certifications is a little like having two Olympic Gold Medals (without the picture on the Wheaties Box). It’s like having two Super Bowl Rings (without the bruises) or two platinum albums (do they still call them platinum ‘albums’?).
So what’s the big deal, you ask? Well, it’s simple. You don’t wake up one day, decide you’re going to go become a CCIE, pick up a book and a mocha-frappa-latte-chino at the local book store, thumb through it (the book, not the mocha-frappa-latte-chino), take the test and get the big prize. This isn’t one of those “take-a-boot-camp-get-a-cert” things.
The CCIE takes a lot of very hard work (we’re talking months and months if not years and years of hard work) and tremendous dedication to make it through. It takes a lot of smarts, a lot of drive, but mostly, it just takes a lot of very hard work. Props to those who have what it takes to run the marathon and cross the finish line, and big props to those who circle back around to the starting line and do it again!
To those who persevere, we applaud you.
And so, in the famous words of Denver Broncos owner Pat Bowlen: “This one’s for John!” Big congrats, John!!! Well done. Well done indeed!
Now take some time off before you circle back around for the hat trick!
While I’m on the subject of Industry Certifications (and I still have some platform left!), my students will tell you that if I’ve said it once, I’ve said it a thousand times, “Stop relying on boot camps”. No offense to those who provide them – they offer a very valuable service to people in the industry who want to refresh their knowledge before taking an exam; the key word being “refresh”. But sadly, I’ve spoken to too many clients who decide that they ‘need’ a certified person in ‘xyz’, so they pick the first unlucky sap whose head pops up over the cube walls, send her off to a week-long boot camp that offers the certification exam on Friday afternoon, and, if she’s successful, believe that they are much better off than they were the week before! They expect the person with the newly acquired acronym by their name to be the expert on whatever it is the letters stand for!
So here’s my advice: STOP DOING THAT! You’re wasting your money and your time, possibly putting your business at risk, and you’re not accomplishing what you were most likely hoping to which is to have an expert available.
If you’re looking for deep expertise in a specific technology, you’re not going to teach it in a week! You need to buy it ready-made, or invest the time and money to grow it. Real expertise isn't like instant oatmeal! You need to train for it, or borrow it or buy it or hire it, but you can’t get it from a box or from a week-long boot camp! Now let me say, I’ve been through a few boot camps in my life: one in the military and one more recently for law enforcement (of course they like to call it an Academy, but we all know a boot camp when we see one!). The former was sixteen weeks and the latter was six months, and neither let me out the front door pretending that I was an expert at anything they taught me! Both boot camps were followed up by even longer and harder training with even more focus, and even then they still called us ‘rookies’, not ‘experts’, when we were done. The bottom line is this: expertise comes from experience and experience comes with time. It also comes from a lot of hard work, and a lot of ‘doing’. You wouldn’t get your wisdom teeth pulled by a dentist who only spent a week at dentist boot camp, would you? So why would you trust your information infrastructure to someone who got his ‘expertise’ from a week of force-fed facts in a classroom?
Again: boot camps, good. Instant gratification, bad. By all means invest in the boot camp; just don’t put all of your eggs in the boot camp basket and expect to get a prize hen out of it in five days!
And while we’re at it, don’t confuse acronyms with skills. If you’re buying expertise for either the long term or the short term, ask for credentials. Ask for experience. Ask what lies behind the letters.
Get references and make sure you get what you hope you’re going to get! You can’t afford to bet your business on fictitious or misleading credentials! If you have the time to grow your own, a wise investment in training and a lot of patience will get you what you need. In the short term, rely on trusted partnerships with people who’ve been around the block a few times and can show you what’s behind the curtain.
Appropriate use of boot camps: wise. The quest for instant gratification: risky. Funding or finding true expertise behind all of those letters: priceless.
For information on HP's Security Expertise, go to http://h20219.www2.hp.com/services/us/en/always-on/security-overview.html
And, you can read more about the CCIE Certification at http://www.cisco.com/web/learning/le3/ccie/index.html
Sometimes people don’t understand ITIL and IT Service Management concepts simply because they’ve never experienced the concepts in an IT environment, and that disconnect won’t allow them to “get it.” Through my 8+ years of ITIL training, I’ve often referred back to my days of waiting tables in a restaurant to understand the concepts. Using that model, I invite you to join me as I begin a series called Café ITIL.
Many people love to cook, and they assume they will enjoy running a restaurant, because it gives them the opportunity to do what they love. New restaurants open all the time. It is one of the top categories for new businesses. However, it is also one of the top categories for failed businesses. Similarly, techies and technical managers assume that if they like and understand computers, they can do just fine at managing IT for a business. Unfortunately, because it is not a stand-alone business, it is not easy to tell when an internal IT department fails.
We’ll take a look at ITIL v3 concepts and processes and try to gain an understanding of them as if we were opening a new restaurant chain, Café ITIL. Hopefully, this will help shed some light on how we can improve how IT departments are managed. If it helps you create your business plan for a new restaurant, so be it.
I welcome your comments and insights as we go through this series.
What other comparisons do you make when you’re thinking of ITIL concepts?
If you haven’t taken the time yet to review the updated version of the Cloud Security Alliance’s “Security Guidance for Critical Areas of Focus in Cloud Computing V2.1” document, published in December 2009, you really should. If you’ve not spent a lot of time reading up on Cloud Computing, this document is a great starting point, even providing some thoughts on what you need to do before you consider moving your data to the Cloud.
Not to nag (but what the heck!), if you don’t have time to read the entire document, first of all, make the time! If you’re a security practitioner, or if you’re considering moving your data to the Cloud, it’s ‘must know’ information. Worst case, at least read the introductory section called “An Editorial Note on Risk: Deciding What, When and How to Move to the Cloud”. (You can read the rest later!) In particular, there’s a short paragraph or two that discusses the need to sketch out your data flow and understand exactly what and where your data is before you decide to send it somewhere else! It reminds me of more than one client experience I’ve had over the last so-many years, and I think this topic cries out for some serious attention!
So begins my first blog!
Understanding how and where your data spends its time is certainly not a concept unique to Cloud Computing. PCI DSS demands that you know the data flow for credit card information. HIPAA demands the same of Protected Health Information, SOX for financial data, and so on. If you don’t know where your data is and where it goes when you’re not looking, how do you know what controls to use or where to put them? How do you know what risks are lurking out there ready to pounce on those little bits? What's your risk mitigation strategy? And most importantly, why would you even think of adding to the confusion and the risk by introducing another variable in the form of a cloud?
It seems that no matter who I work with, no matter how secure they profess to be, they can never produce a data flow diagram for their most sensitive data. They know they have sensitive data (usually!) and they know it’s out there somewhere, but they can’t say exactly where!
Case in point: On our first day at a client site to conduct a risk assessment, my team and I had a kick-off meeting with employee stakeholders representing the various departments in the company. After they’d taken up three whiteboards to show us the layout of their intranet, we asked: “Can you tell us where your customers' credit card information goes after they hang up the phone or log off of your web site?"
The first person to the board picked up a red marker and confidently drew out the path that the PCI data took through their network from data entry through processing, to storage and on until it was either archived or deleted. “Ta-Da!” and he sat down. Someone else from the group spoke up: “Well, that’s not completely accurate.” (I noted the quiet gasp and raised eyebrows in the room!) This second person went to the board, took up the blue marker, added some detours to demonstrate some other places the data visited inside of the company, and returned to his seat, satisfied with the accuracy of the now colorful PCI data flow diagram. After the third and fourth and fifth people all made their own additions to the map, our kickoff meeting had turned into a heated debate on how it appeared that they had credit card information all over the place and that despite their best intentions, it was mostly unprotected! (I still get this visual of a teeny little data-looking-thingy-guy with arms and legs carrying a big suitcase with postcards all over it, but now that I look closer, I think it’s just that Hamburger Helper hand I have stuck in my mind… anyways…) Our employee survey revealed that almost everyone in the company of 800+ people could readily access full credit card information, whether they had the business need or not! (LOTS of raised eyebrows on that one!)
The story gets worse, but I’ll leave it to your imagination and get to the point which is:
It's about the DATA… silly! You can’t secure what you can’t find! You can’t say your data is secure if you can’t say where your data is! And you can’t identify risks to something you can’t keep track of!
This very basic concept is the foundation of Information Security whether your sensitive information is landlocked or cloud-hopping or traveling around the world in your back pocket with its friends on your thumb drive. And as the Cloud Security Alliance points out, before you can make any decisions on moving your data to the Cloud, you need to be able to identify your risks. If you can’t map your data flow today, don't even think about letting it go anywhere else until you know exactly where it is and exactly what it's been up to.
And if that 'data-as-the-Hamburger-Helper-hand-with-a-suitcase' image didn't do it for you, how about this: Data is like a rebellious teenager. If you don't keep your eye on it, it's going to end up in places you don't want it to be, doing things you don't want it to do. You need to lay down the law! Set some rules and boundaries! And whatever you do, don't even think about sending it out into the clouds until you have it under control!
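“You can’t secure what you can’t find” has a practical first step: sweep the places data actually lives for card numbers before anyone draws the flow diagram. The script below is an added example, not from the original post or the CSA guidance; it searches constructed sample “files” (the card numbers are the well-known test PANs, not real ones) for 13 to 19 digit runs that pass the Luhn check, and reports them masked so the inventory itself doesn’t become another copy of the data.

```python
import re

# Constructed sample: path -> file contents from a few departments (made-up data).
# 4111111111111111 and 5555555555554444 are standard test PANs; the 16-digit
# campaign id and the "...1112" number are decoys that fail the Luhn check.
SAMPLE_FILES = {
    "billing/orders.csv":   "order,amount,card\n1001,49.99,4111111111111111\n"
                            "1002,12.50,4111 1111 1111 1112\n",
    "support/tickets.txt":  "Customer called about card 5555-5555-5555-4444 declined.\n",
    "marketing/notes.txt":  "Campaign ids 1234567890123456 and 4111111111111111\n",
    "hr/phones.txt":        "ext 4111 1111 desk 1111 1110\n",
}

# 13-19 digits, optionally separated by spaces or dashes, not embedded in a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits):
    """Luhn mod-10 check: doubles every second digit from the right."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits):
    """Keep the first six and last four digits (BIN and tail), hide the rest."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(text):
    """Masked PANs found in text: digit runs of 13-19 that pass Luhn.
    Non-Luhn runs (ids, phone extensions) are dropped as false positives."""
    found = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(mask(digits))
    return found


def data_flow_inventory(files):
    """Map each location to the masked PANs it holds: the 'where is it?' answer
    that has to exist before a data flow diagram can be trusted."""
    inventory = {}
    for path, text in files.items():
        pans = find_pans(text)
        if pans:
            inventory[path] = pans
    return inventory


if __name__ == "__main__":
    for path, pans in sorted(data_flow_inventory(SAMPLE_FILES).items()):
        print("%-22s %s" % (path, ", ".join(pans)))
```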
You can find the “Security Guidance for Critical Areas of Focus in Cloud Computing V2.1” document here: http://www.cloudsecurityalliance.org/csaguide.pdf