2013
08.19

ISC2 Board of Directors 2013

So another year and another ISC2 Board Nomination. I know I’ve been pretty much off the grid the last year, dealing with health and family stuff.. I am still 100% dedicated to the cause and with the new year coming up I’d like to throw my name in the ring again. We came awfully close last year, so let’s see if we can do it again.  My platform is the same and I’d love to join Wim Remes and Dave Lewis to be your representative on the board.

Boris Sverdlik CISSP# 70063 as of 2/2005

Linkedin Profile


Thank you again for all your support.


To nominate me for the Ballot:

1) Send an email to  isc2board@jadedsecurity.com pledging your support! THANKS in advance.

2) Subject: 2013 ISC2 Board of Directors  Petition

3) Message Text: I’d like to nominate Boris Sverdlik for the 2013 ISC2 Board of Directors. My E-mail address is on file with ISC2 and my CISSP# is $


Platform:

I’m not going to promise things that I may or may not be able to deliver on, but I can promise I will stick to what I believe is a shared vision in the community for a value add certifying body. In order to change perception of the certification and the certifying body we need to change. The platform that I have is relatively straightforward:

1. The current test does not adequately provide any assurance that the candidate has a firm grasp of real world security as a whole. It is geared towards individuals that are good at memorizing text and being able to test well on the subject. It is very reminiscent of the MCSE/CCNA of the 90s. The format needs to change beyond just being updated with the latest technology. I’d like to see some form of essay driven questions that would truly test the candidate’s knowledge of real world security problems and identify their logical thinking on how they would address them. This would be akin to the CCIE where candidates are required to actually fix hw/sw problems on Cisco gear to demonstrate aptitude. This is one of the few ways I feel we can test true knowledge and eliminate the bootcamp mentality.

2. The pre-certification audit process also needs to be updated to provide assurance that the candidate has “real” security experience and to do this we must change the current endorsement process. ISACA requires that candidates have former employers and/or colleagues sign off on the attestation. ISC2 should do the same as this is the only way to attest to experience.

3. CPE requirements should be expanded so that they treat content producers and consumers equally. We produce a daily podcast, yet can only submit one hour of CPEs for the production of the content, while individuals who listen to the podcast can submit per episode. This is somewhat biased and puts off individuals from producing content and contributing to the community. We all agree that to be a good security practitioner you need to always stay up to date on the industry and there are many ways this can be done, outside of vendor driven conferences.

2013
01.07

CFP Friends and Family… pffft

So 2013 is here and while I will not make any predictions I’ve made it a point to make some personal changes. Starting with the new GrumpySec Podcast which is turning into something awesome. We’re 3 episodes in and have had nothing but good feedback. I look forward to working with aricon and making it beneficial to what the community wants.

Also, I’ve made it a goal of 2013 to get back to blogging and while I will try to limit the blogs to more technical and beneficial topics, I’d like to start with one that has kicked up my rage a notch for the industry.

Several of us have asked that conferences become more transparent in their selection process which would provide speakers better feedback on why their talk was or was not accepted. The feedback would certainly benefit the speaker so that they may learn from their mistakes and become better. This is a great first start in ramping up the quality of speakers and cons in general, especially the ones that are in it to generate revenue.

The issue I have is with the friends & family CFP selection process that weeds out good talks for f&f who scrape together talks by grabbing talks that others have done at other conferences while adding no real value of their own. Take for example the following two abstracts which were submitted to the same conference. One was done previously and one was accepted for the conference in question.


Which would you select?

Abstract X

“Defense In Depth” is considered by most to be a useless marketing trope that vendors used to sell you more boxes with blinky lights that showed you were “serious” about security. Forget that the boxes may or may not do what was advertised, may not provide usable data, or even fail open when they crap the bed.

Instead we decided to build The Perimeter. Higher walls, bigger locks, more money. That didn’t work. The Perimeter Is Dead, Long Live The Perimeter!

So what do we do now? What amazing boxes with blinky lights do we need to convince our bosses to fund next quarter?

In this talk I will posit that, more than likely, you actually have (or can easily get) most (if not all) of what you need to create an effective, pragmatic, and resilient security program. I will show that by changing our thinking, our perception of “Fail vs. Win” we can provide real value to our business.

Abstract Y

It seems everywhere you look there are analysts and product/service providers promising you the magic bullet when it comes to securing your environment and lowering your risk. While some products might be better than others, nothing will help you with the basics which seem to be where most of us are still failing. The presentation will focus on the concept of keep it simple stupid. It will dive into learning your environment and more importantly correlating that to maintaining the profitability of your organization. It will show you how to bypass all the blinking lights and build a cost effective security program that will inherently lower your risk. I will be also be releasing the formal framework.

2012
11.13

SecZone 2012…

Just a few short weeks left until Security Zone 2012 in Cali Colombia and the excitement is just building up. I am honored to have been chosen to present this year and I can’t wait. Ask anyone who attended last year “What was your favorite conference of 2011?” and the overall response has been Security Zone.

Edgar and his crew have done a top notch job of bringing everyone together for a world tour in a truly exotic location to some. The speakers selected are awesome, from Andy Ellis Keynoting to Wim Remes and Ian Amit to David Kennedy and Chris Nickerson just to name a few.  I can’t wait for what is sure to be a learning opportunity and an overall great time..

Big thanks to Edgar Rojas and  Security Zone 

Come see me present http://www.securityzone.co/conference.html#boris

2012
08.22

Edit: UPDATE!!

Thank you for all of the signatures received thus far. I will be sending out individual e-mails with a thank you as well as a request for a reply confirming your signature.

Spoke to @wimremes this morning and just got a call from @secwonk who is also on the board. It turns out that the webform is not compliant with the voting process as it can lead to fraud. To submit your vote, please send an e-mail isc2board@jadedsecurity.com with your Full Name and CISSP number in the body of the message. This will be enough to count as a signature. THANK YOU all in advance..


Update:

The four horsemen of the Impending Infosec Apocalypse

 Don’t forget there are four spots available. We all desperately need your signatures to get on the ballot

Dave Lewis aka @Gattaca Vote Here

Scot Terban aka @Krypt3ia Vote Here

Chris Nickerson aka @indi303 Vote Here

Boris Sverdlik aka @Jadedsecurity send an e-mail to isc2board@jadedsecurity.com

I know you must be all shocked to see this and frankly so am I. Wim Remes truly believes that bringing fresh blood to the board is working in a positive way to drive change for the better. Seeing that Dave Lewis is running (Vote for Dave) makes me feel that instead of sitting on the sidelines and bitching about it I should join the fight to drive change at ISC2.

I’m not going to promise things that I may or may not be able to deliver on, but I can promise I will stick to what I believe is a shared vision in the community for a value add certifying body. In order to change perception of the certification and the certifying body we need to change. The platform that I have is relatively straightforward:

1. The current test does not adequately provide any assurance that the candidate has a firm grasp of real world security as a whole. It is geared towards individuals that are good at memorizing text and being able to test well on the subject. It is very reminiscent of the MCSE/CCNA of the 90s. The format needs to change beyond just being updated with the latest technology. I’d like to see some form of essay driven questions that would truly test the candidate’s knowledge of real world security problems and identify their logical thinking on how they would address them. This would be akin to the CCIE where candidates are required to actually fix hw/sw problems on Cisco gear to demonstrate aptitude. This is one of the few ways I feel we can test true knowledge and eliminate the bootcamp mentality.

2. The pre-certification audit process also needs to be updated to provide assurance that the candidate has “real” security experience and to do this we must change the current endorsement process. ISACA requires that candidates have former employers and/or colleagues sign off on the attestation. ISC2 should do the same as this is the only way to attest to experience.

3. CPE requirements should be expanded so that they treat content producers and consumers equally. We produce a daily podcast, yet can only submit one hour of CPEs for the production of the content, while individuals who listen to the podcast can submit per episode. This is somewhat biased and puts off individuals from producing content and contributing to the community. We all agree that to be a good security practitioner you need to always stay up to date on the industry and there are many ways this can be done, outside of vendor driven conferences.

4. Financial Transparency is what we have all been asking for. ISC2 collects annual dues and has a responsibility as every responsible 501(c) to be transparent with accounting.

So Vote for Boris Sverdlik aka JadedSecurity


2012
07.31

And just like that Security Summer Camp has come to another end.. We do it every year, a week of Friends, Talks and debauchery among the security industry which can often times outdo a college frat party. This year was somewhat different for me than in years before in that I had actually managed to get to BlackHat and remember why I have come to loathe the conference more and more.

I remember when BlackHat meant that it was time to see things that we would only hear about on IRC and other non conventional means. Sadly, this is no more. As others have pointed out BlackHat is now the new RSA. It represented RSA as much as any other corporate sponsored conference.  Vendors were set up with their RFID scanners ready to stalk you post conference with all their wonderful spam… Good thing for me a certain colleague had allowed me to scan his card with my phone, and even better yet I was able to replay it for all.. Thanks Martin ;)

There were some interesting talks, but nothing like it used to be.  The main problem to me anyway was the ambience of vendors and the proliferation of FUD that we as an industry have been subjected to more and more in recent times. Hallway con was where it was at for the majority of the conference. I had bounced between the Galleria and the SeaHorse for the majority of the event and as usual had nothing but interesting conversation with old friends as well as new ones.

The upside for being in Vegas for BlackHat, is that BsidesLV runs concurrently.. BSidesLV and BSides in general always tend to be much better events. The attendees are rarely the industry vendor mouthpiece types and this alone makes the conference enjoyable. I had attended more talks at BSides than I have at other conferences combined this year. Johnny Cocaine’s open discussion forum on ethics was probably the most enjoyable to date. The room had almost cleared when he had said that this was going to be a discussion as opposed to a talk. The people who stayed got to enjoy a great roundtable type of debate. Obviously it being in the underground track precludes me from discussing the details, but I can say I hope we see more of these types of talks. I even got to do a last minute lightning talk on my upcoming presentation which I thought went fairly well..

The venue for BsidesLV is small and as such can feel cramped, but @banasidhe worked her magic once again keeping everything in check.. I personally really enjoyed it and would take it over Blackhat any time..

Next up DefCon, well what can I say about DefCon that hasn’t been said already? Well, let me think.. oh yeah.. You kinda suck! First off WTF is up with wireless village being set up in a closet? Really?? I remember when all of us sat around conference tables tinkering with wep cracking and the likes. With all of the wireless technologies now being researched are we seriously supposed to be able to converse in such a small room? It was smelly and an overall pretty bad experience. The SecCTF and other contest rooms had literally 10x the size. Why were we limited? Ok Rant off for now..

Overall it wasn’t a bad year for DefCon, some really good talks combined with some really shitty ones. Hallway Con once again takes over for most of the event. I did go to see a bunch of sky talks as well as some others. Dave Kennedy and friends tore the roof off their presentation with Bananas and a video with hundreds of shells popping up thanks to their SCCM hack. Some other notable talks were around javascript bots which was hilarious from what I had heard. Overall, I would have gone to more talks if the lines weren’t atrocious. I guess with 15K people, you should expect not to get in to see the talks you want to..

I was also at the last minute asked to wear a mankini during the Comedy Jam/Fail Panel for Charity. While I would rather not post any pictures, I do have to say it was great to be on the panel with such an interesting bunch of characters. @rmogul kicked ass with his TSA talk, Larry Pesce’s talk on fail was just perfect.. It was a blast serving waffles to the hungry masses with McKeay and Jack Daniel. I hate to admit it but @myrcurial had almost made me cry on stage when he was talking about how many people are/have been affected by cancer. I’m so happy knowing that @Wendy451, @gattaca’s wife and others have beat their battles and I am not looking forward to my own.. I’m so proud of our community’s persistence in supporting the causes that plague us all. THANK YOU!

The Elitism that everyone has talked about is apparent, but it’s apparent in all circles not just ours. As some had said no one wants to foot the bill for 15K people, so there might be some parties you just might not get into. However it’s not always about the parties.. It’s about meeting people, learning new things and hanging out with old friends. If it wasn’t for our podcast, I wouldn’t have gotten a ninja networks invite despite all of our contributions to the industry. It is a friends and family thing and there isn’t anything wrong with that. You want in? Then, as Timay (303) and @jericho had said during their talk on the CISSP, you need to be Bad Ass at what you do and you will get noticed. Get out of your shell and start meeting people and engaging in conversations.

It’s not just about getting in to the parties, it’s also about mingling once you are there. Keep networking and your invites will come. To be honest almost every party that I had attended, I ended up just chatting with friends. The best talks I had all weekend were in the smoking area by registration and not in any party where the music is way too loud to hear yourself think.

Finally, I’d like to thank my followers for posting these all over the ATMs at the RIO.. It brought me nothing but laughs…

2012
07.30

First I’d like to thank @ISDPodcast @EFF and more so @ThemsonMester for getting me a @ninjanetworks badge, as apparently I’m not cool enough to get one on my own. More on this in another post..

I was kind of disappointed that none of the cool features seemed to have worked on the phone, but the idea of bringing back a party line was awesome.. Many thanks to Facebook, Zynga and Ninja Networks for throwing the party and coming up with the idea… The phone itself is a HTC ONE V, which is the prepaid version that Virgin Mobile has available for purchase. It’s slightly out of date spec wise, but what can you ask for when it’s free..

I have pulled down all of the apps separately and have to recompile them, because most overwrite the stock applications, such as NinjaLaunch. The launcher itself is a customized ADW implementation that is appropriately named com.android.launcher. I was able to install it on a non rooted galaxy S3, by simply installing the APK but your mileage may vary. Also, if @ninjanetworks ever gets back to me on the licensing I’ll post the rom.

For the lucky few that did get the phone, you will be happy to know that the phone has already been rooted, but the bootloader is locked. In order to get to any of the settings all that was required was pulling up the IDE app in an area where the phone couldn’t connect to any of the pre-installed wireless access points.

Once in IDE, I had configured it to use my MiFi and was now able to access the internet through the download dropbox icon. I went a step further and navigated the file system to re-install the Play Store (PhoneSky.apk) using the file browser in IDE. Then using the play store installed Launcher as well as a task manager that would let me break out of ADW at will. For Some reason GO launcher was not able to overwrite the home button. Either way, I didn’t want to overwrite the rom until after the con..

In order to back up the rom you have a few options (if you have the SDK installed). The full how to can be found here

1) Plug the phone into the USB port, and run

[code]
adb backup -apk -shared -all -f <backup filename>
[/code]

The screen will then prompt you to put a password in for the backup file. This should only take a few seconds.

2) The simplest way to backup the Rom is to install the Clockwork Recovery Mod and in recovery navigate to backup/restore. Make sure to run Fix permissions in CWM or it will fail. The directions for installing CWM can be found here

Once you have backed up the rom, you have to unlock the boot loader. I’m not really sure why it was left locked, considering this seems to be a developer model, but the process is fairly simple.. You do need to sign up for an HTC Dev account in order to upload your token and receive the unlock file. Select Other as your model…

More Directions on unlocking the boot loader can be found here

Finally, once the boot-loader has been unlocked all that’s left is installing a new rom. The directions are fairly straightforward. Copy the downloaded rom onto the sdcard, then reboot into recovery mode either by holding the power and volume down buttons or by running fastboot reboot-bootloader. Use the volume buttons to navigate to recovery and select it by pressing the power button.

Download Rom from here

First, make sure to wipe data/cache to factory reset

Then install the rom by selecting install from zip file and navigating to the rom you have downloaded.  I have had some problems getting CyanogenMod 9 Alpha working, but the Vanilla and Sense roms work fine.

Hopefully I will have a chance to recompile all of the apps from the original Rom tonight, and if so will post.  Enjoy your free dev phone :)

2012
07.21

So I have tried to keep my comments and rage limited to Twitter, but with this last echo chamber pile up on Security Awareness, I felt an obligation to put my asshole (opinion, .02) out there once again. @Krypt3ia and @iiamit  have both posted their rebuttals “Throwing out the Baby with the Bathwater”  and Security Awareness and Security Context – Aitel and Krypt3ia are both wrong? respectively  calling each other wrong of course, but where’s the excitement without debate. I mostly agree with my stabby counterpart on this topic..

Dave Aitel had posted “Why you shouldn’t train employees for security awareness” to the CSO Blog. Which by the title alone will probably confuse a majority of the CISOs out there. Dave talks about how Security Awareness is no match against RSA, Shady Rat and all of the APT nonsense we have all ranted about. He goes on to say that your users have no responsibility over the network which is only a half truth. Yes your users don’t have any operational responsibility over your network, but they damn sure are accountable for what happens to your environment or at least should be. I know the whole “Don’t Click shit” (Sorry Ian, It’s not stop clicking shit as you wrote in your rebuttal) is more of a humorous way for us to deal with our frustrations, but there is a fundamental truth underlying it: infections are introduced by end users.

Dave had made an interesting comment about the vulnerabilities found in some of the training software used by many of his clients. This leads me to believe he has absolutely no idea what an awareness program is and equates it back to the CYA computer based training solutions that regulated organizations throw at their users once a year and forget about it.  This does not make an awareness program Dave, this is similar to a CISSP Boot Camp (Yes, I had to throw that in here). A Security awareness program is focused on training, reinforcement and integrating security responsibilities into the organization.  That is a security program Dave, and coming from both Offense and Defense I can damn well state that it works when layered on top of other security controls. It is not and will never be that silver bullet.

Dave had mentioned that only technical controls stop his social engineering attacks and I’d like to ask what technical controls are in place to prevent one of your users from disclosing their credentials or exposing their machine to an attacker through a phish? Are you selling some unicorn cream that can be applied to the endpoint? Or perhaps some fairy dust that will stop the user from disclosing your IP over the phone? Let me guess DLP?

You had suggested the following 7 things that organizations should do instead of wasting their money on employee training… Well, let me take the time to address each one..

1) Audit Your Periphery

While auditing your environment is a good process, audit is after the fact. This will not stop you from the Rat. Implementing Change Control Procedures, Access Controls, segregation of duty, and maybe even I don’t know Secure Coding Training??

2) Perimeter Defense/Monitoring

Perimeter Defense is also a good compensating control, but when your administrators start adding rules and such because, I dunno, maybe no one told them that this is bad.. I’m hoping you don’t think Perimeter security is a magical concept. Intrusion Detection is almost never rolled out properly because the primary goal of your organization is to make money. Most of the time an IDS is just about checking a box and satisfying a requirement. If you don’t classify the data, then you really don’t have any idea what you should focus your resources on.

3) Isolate & Protect Critical Data

This is one of the points where I agree with you. This should be the very first step in your Security Program. Identify your data, Identify where your data lives, and how important it is to the business.  This is where the majority of companies fail, not in training and awareness programs.

4) Segment the Network

Again totally agree.. Endpoints should never live on the production segment. All access should be through choke points that can be tightly controlled. Treat all endpoints as if they were hostile (My Self Serving statement, More on this at You Can’t Buy Security Coming to a country near you)

5) Access Creep

Access Creep or Access Controls are a big part of protecting your organization. However, this naturally comes after classification of your Data. How do you know who should have access to what if you don’t know where it is?

6) Incident Response

To me Incident Response is one of those funny things that people think they want but have no idea how to implement. How do you implement an incident response program if you don’t have any processes around training your users in identifying incidents? Magic? How do you know if you have a root kit if you don’t have any build standards? I’m hoping you see the points I’m trying to make.

7) Strong Security Leadership

Strong Security Leadership is definitely a big part of the security program, however I don’t think I have seen a CISO in the last 10+ years who has had sole responsibility to pull the “Kill Switch”. The decision is a shared business decision and the CISO has responsibility to syndicate the risks and make everybody at the table aware of them. If you don’t build security awareness into your operating model, then how do you personalize the risk to the stakeholders? I’m stopping this because??? Are you going to use fancy calculations and pull out your ALE Formulas?

In closing, Security Awareness/Training programs are not a once a year watch this video, or use this app initiative. It is the integration of the security mindset into the fabric of the organization.

As Ian had pushed one last self serving statement so will I. Go check out “You Can’t Buy Security” coming to DerbyCon, T2infosec and Security Zone 2012.

2012
07.14

Another day, another password hack and yet another reason not to reuse passwords..  Here is a simple bash script to generate strong passwords.

1) Install TrueCrypt http://www.truecrypt.org/

2) Create a hidden volume. Pick a strong passphrase you will not write down and use a keyfile

3) Mount the volume

4) Run the Script

I’ll port it to Python this weekend, or maybe even something more platform independent. Also, don’t forget to set Auto Dismount to 15 minutes, so you don’t leave it up and running.

[code]

#!/bin/bash
#
# For resiliency I keep the volume in multiple places, but for ease of use
# I suggest keeping it on dropbox. Set TrueCrypt to unmount after
# 30 minutes of idle.
#
# Vault file format, one entry per line: <user id> <password> <site>

echo "Hello, $USER. This will generate your password. Please make sure you have mounted your truecrypt volume with your password file"

echo -n "Please enter the path to your encrypted vault file [ENTER]: "
read -r vaultfile

echo -n "Please enter the path to your encrypted mount, this will be used for temp files [ENTER]: "
read -r encmounts

echo -n "Enter the website or application that this password is for and press [ENTER]: "
read -r site

# Seed material is a fetched news page, hashed and cut to the requested length.
# The original script referenced an undefined $color variable in the query;
# the site name is used as the search term here.
generate_password() {
    local name counts newpass tmp="$encmounts/tmp"

    echo -n "Enter the user ID you will be using and press [ENTER]: "
    read -r name

    echo -n "Enter the maximum number of characters the password can be [ENTER]: "
    read -r counts

    curl -s "http://www.bing.com/news?q=$site" > "$tmp"

    # md5 of the page, then sha1 of that digest, cut to length. The sed
    # expressions turn the first lowercase letter into 'A' and the first digit
    # into '#' so the result contains an uppercase letter and a symbol.
    newpass=$(openssl dgst -md5 "$tmp" | awk '{print $NF}' \
        | openssl dgst -sha1 | awk '{print $NF}' \
        | cut -c 1-"$counts" | sed -e 's/[a-z]/A/' -e 's/[0-9]/#/')

    echo "$name $newpass $site" >> "$vaultfile"
    rm -f "$tmp"
}

if grep -qi -- "$site" "$vaultfile"; then

    echo -n "Do you want to create a new password for this existing account? (yes or no): "
    read -r update

    if [ "$update" = "yes" ]; then
        # Drop the old entry before writing the new one
        sed "/$site/d" "$vaultfile" > "$encmounts/tmp" && mv "$encmounts/tmp" "$vaultfile"
        generate_password
        echo "Goodbye"
        exit 0
    else
        echo "Goodbye"
        exit 0
    fi
fi

generate_password

echo "Goodbye"

[/code]
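As an added example that is not part of the original post, here is the same generator with a different seed. The script above derives the password from a hash of a fetched news page, so its output is a deterministic function of public content and of the length you type in; the version below draws each character from /dev/urandom and uses rejection sampling so that mapping a byte onto the alphabet does not favour any character. It also looks a site up in the vault by exact match on the third field rather than by substring, so "bank" no longer matches "bankrupt.example". Function and variable names are my own; the vault line format (user id, password, site) is the one the script above writes.

```shell
#!/bin/sh
# Added example (not the original post's script): CSPRNG-backed password
# generator with an unbiased character mapping and an exact-match vault lookup.

# Constructed alphabet: letters, digits and a handful of symbols most sites accept.
ALPHABET='ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#$%&*+-=?@_'

# gen_password LENGTH [ALPHABET]
# One byte from /dev/urandom per output character. Bytes at or above the largest
# multiple of the alphabet size are rejected, so "byte % n" is uniform.
gen_password() {
    local length alpha n limit out byte
    length=$1
    alpha=${2:-$ALPHABET}
    n=${#alpha}
    limit=$(( 256 - 256 % n ))
    out=""
    while [ ${#out} -lt "$length" ]; do
        byte=$(od -An -N1 -tu1 /dev/urandom | tr -d ' ')
        if [ "$byte" -lt "$limit" ]; then
            out="$out$(printf '%s' "$alpha" | cut -c $(( byte % n + 1 )))"
        fi
    done
    printf '%s\n' "$out"
}

# has_all_classes PASSWORD
# True when the password holds an uppercase letter, a lowercase letter, a digit
# and a symbol (the property the original script fakes with its sed substitutions).
has_all_classes() {
    case $1 in *[A-Z]*) ;; *) return 1 ;; esac
    case $1 in *[a-z]*) ;; *) return 1 ;; esac
    case $1 in *[0-9]*) ;; *) return 1 ;; esac
    case $1 in *[!A-Za-z0-9]*) return 0 ;; *) return 1 ;; esac
}

# gen_complex_password LENGTH
# Regenerates until the class check passes. Each attempt is independent, so
# rejecting whole candidates does not bias the individual characters.
gen_complex_password() {
    local p
    if [ "$1" -lt 4 ]; then
        echo "length must be at least 4" >&2
        return 1
    fi
    while :; do
        p=$(gen_password "$1")
        if has_all_classes "$p"; then
            printf '%s\n' "$p"
            return 0
        fi
    done
}

# vault_has_site VAULTFILE SITE
# Exact match on the third field of "<user id> <password> <site>" lines.
vault_has_site() {
    awk -v s="$2" '$3 == s { found = 1 } END { exit !found }' "$1"
}
```

Call gen_complex_password 20 after mounting the volume and append the result to the vault the same way the script above does; pass a second argument to gen_password to restrict the alphabet for sites that reject symbols, and use vault_has_site in place of the grep before deciding whether to replace an entry.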

2012
07.10

BYOD… Too Big for Twitter

First I’d like to say that I’m really glad that we have Twitter, a place to vent and share our ideas and opinions..However we all know opinions are like assholes and everybody has one..  I’d like to thank @Wh1t3rabbit @wgragido @mattjezorek @krypt3ia @arch3angel  @grey_area @dewser and I’m sure there are others that I have missed for the long winded tweets and conversations we’ve had over the BYOD topic. So with that let me put my asshole out there on the BYOD topic…

There has been some confusion in what BYOD is and what it isn’t according to the tweets I have been able to follow. BYOD (Bring your own device) is the latest in buzzwords that product vendors have introduced over the last few years. It shouldn’t be any different than the remote access we have provided to our users for years. Some argue that productivity will increase if users can use their own “Insert iDevice” here to perform their jobs. This may or may not be true, but as security professionals our job is to enable the business to continue being profitable while minimizing risks /cissp_speak_off

So where is the disconnect? Why are some for and some against the concept that essentially has been around for at least the last 15 years? It comes down to the fact that organizations are starting to realize that they aren’t even in a good position to provide remote access, let alone support new technology. How can you possibly provide remote access when you don’t implement the basic controls such as data classification, role based access, centralized logging, intrusion detection?? We all complain about introducing new risks? Are we really introducing new risks?

Let’s look at how most organizations have their corporate network rolled out? Production access is usually granted on blind faith based on the whole “I trust my Lan”. How can you put so much faith into equipment that you have purchased? Is it because you have extensive control of those systems? In most cases you do not. Do you know what type of data users have on their workstations? If there is sensitive data in use on the endpoints, do you require two factor authentication and encryption to that endpoint? Why not? It’s the same data that you are trying to protect in your production environment, why should the endpoint be any different? Oh because you bought the equipment. It’s because you can control what sites the user accesses, you can control data leakage with that shiny DLP device right? You have that NAC thing rolled out right?

I hope you see the sarcasm in that last paragraph. Most organizations definitely fail at basics, so the introduction of new technology scares them and so it should. What if you started treating the corporate network as hostile? Wouldn’t life be so much easier from a security perspective if you stopped nitpicking endpoint controls? Call it BYOD, call it endpoint enforcement, call it whatever the hell you want? If it’s done right it should work across all of your platforms and your shiny iPads.

Imagine for a second everyone has to VPN in to get to production? Regardless of whether you bought the equipment or they did? Regardless of whether they are at the office or at home? Who cares? All hostile all the time… In order to do it right you must first get the basics in place. Data classification needs to be perfect! Your access control program must also be perfect. If you can’t say that you’ve nailed either, then you aren’t ready for remote access let alone BYOD and/or wireless.. If you have however, then read on. You shouldn’t be introducing any additional risks if you have already gone through the above.

There are several solutions available that will allow you to quarantine devices that are physically plugged in or connected wirelessly into a DMZ where they have to authenticate. We all know NAC fails because of exceptions and misconfiguration and that’s not where I’m going. What if to get production, you have to authenticate to a central enforcement agent such as I dunno VPN??? The VPN solution can then in turn allow you to access only what you need to do your job. If it’s access to sensitive data, then you have to go through additional levels of control which can also be pushed by the choke point.  The point is that a central enforcement solution is the only way to go.

You can do everything from forcing software installation to performing a vulnerability assessment prior to allowing access. It’s not a question of technology, it really isn’t. The one problem that we keep running into is that users don’t want us installing things on their personal devices. It’s the whole entitlement mentality that our users have somehow attained through all of our babying. That’s the cost of using our resources and I’m sorry to say there must be some compromise. You have to pay to play!

With all that said I’m not crazy about users replacing corporate owned systems with user owned devices just yet, but depending on the environment it might be a feasible solution. What I am saying is that BYOD is not as big of a deal as everybody is making it out to be.  Get your basics in place and then when your CEO wants to use his new shiny iPad to access the Scada console you can give it to him because you’ve built your environment with the understanding that the host is hostile!

That’s my asshole or my .02 Thanks for reading!

2012
07.10

I know I was pretty active in blogging and being my jaded self, but such is life.. The last year has been interesting to say the least. In a nutshell here’s what’s happened…

  • Took a great new job!! I’m back doing defense but at a place where I can actually drive change. It’s so invigorating doing what I love for an organization that isn’t solely focused on compliance. I still do some offensive consulting on the side, but I absolutely love what I do! This is the view from the office roof deck during Happy Hour!
  • Moved cross country! Just picked up and left NYC for the cloudy/sunny/windy Bay Area.. My commute has gone from almost an hour to about 20 minutes. Each day I get to watch the clouds come in low across the mountain ranges and under the golden gate. We got a great new apartment with a roof deck that has unbelievable views of the sunset and Alcatraz! This place is so amazing and we continue to go exploring every weekend
  • We adopted two great dogs… A Chihuahua Dachshund mix and a Jack Russell something or other.. We were actually told she was a Scottish terrier, but I think they lied
  • I’m speaking at TWO International conferences this year..  I’m pretty excited as I’m doing real talks and not my Don’t Click Shit talk which was originally just a response to the hundreds of “I wrote a MSF Module and I’m 1337″ talks.
Now for the not so Good :(
  • I have to have gallbladder surgery. After a couple of really bad sleepless nights I dragged myself to the emergency room. I was diagnosed with gallstones and now have to have gallbladder surgery.. SUCKS! I’m holding off until after Defcon, but still sucks!
  • My wife noticed a lump on my neck which she made me go get checked out.. Long story short… After several tests I have been diagnosed with early stage lymphoma. I guess you can have a little bit of cancer… My oncologist is probably in the top 5 in the country, so I’m confident in his approach but who knows. It’s too early to treat, so I just have to wait until it gets worse. In the meantime I’m on a rinse and repeat testing schedule quarterly.


So this is where I’ve been and for now I’m back… Will be posting regularly..