Saturday, November 27, 2010

The death of HIDS and HIPS vs. the smartest men in the network syndrome: Part One

On June 11, 2010, after a lengthy period of rumor and speculation, Cisco Systems officially pulled the plug on the Cisco Security Agent, their host intrusion detection system (HIDS) and host intrusion prevention system (HIPS) solution. There were no official reasons given, or at least officially documented, making the situation ripe for hypothesis, backlash, conspiracy and general discussion on the direction Cisco was heading in the security industry as well as the direction of security in general. So what are the reasons they canned it? And what is the direction of security in general? I'll address both soon (look at that foreshadowing in an attempt to keep the reader, well, reading ;) I should be in media). But first a brief history ...

Cisco acquired the technology from Okena on January 24th, 2003 after a failed partnership with HIPS application provider Entercept in 2001. Entercept eventually got bought by McAfee the same year. Both were considered "behavior-based" intrusion prevention systems that relied not on typical string-based identification (a la your typical anti-virus application, which needs to be updated frequently in order to be armed against recent malware), but rather on behaviors and configurable policies that were deemed "acceptable" to the system. For example, unknown applications are not allowed to capture keystrokes, write into the memory space of another application, or perform a buffer overflow. By the nature of this approach, both CSA and Entercept had the default ability to prevent "zero-day" attacks, i.e. attacks on systems exploiting vulnerabilities previously unknown to the white and grey hat security industry.

Static attack signatures, such as anti-virus/malware and intrusion detection/prevention signatures, are always a day late and a dollar short. They typically rely on the white hat discovery of an attack which exploits a known vulnerability. In the anti-virus world, that discovery leads to the processes of disassembly and reverse-engineering in an effort to determine what the code is attempting to do and how it is attempting to accomplish its goal, including such stealth tactics as polymorphic code and encryption. I started my career disassembling virus code in the early 90s, and while the tactics have significantly improved, they have not actually changed very much. And the delta between the discovery of a new piece of malware and the global introduction of a signature or set of signatures that will detect said new malware typically averages in the timeframe of "weeks." That delta inherently leaves a very large, open door for malware to continue to infect vulnerable systems. And the business model behind AV and IDS/IPS subscription recurring revenue has, not surprisingly, trumped actual security and applications that can actually prevent both the known unknown as well as the unknown unknown attacks. Case in point: while some of the Entercept technology still exists in McAfee's HIPS offering, they clearly are not trumpeting its potential to prevent zero-day attacks as much as they rely on the continuing revenue generation that floats their stock value. In other words, ACTUAL security is not profitable, and until revenue from piss poor AV signature subscriptions dries up they will continue to sell those subscriptions. Thank you Dell, etc.

Fine, what about Cisco and CSA? Cisco effectively torpedoed one of the most effective host based security solutions available, although that security came at a high price with its well known installation overhead and administrative costs (especially when implemented by clients themselves and/or non-specialized CSA vendors gunning for a sale). CSA is essentially a rootkit on par with some of the best malicious Windows and Unix rootkits known to man. A shim sitting just above the kernel, it has the ability to see all ingress and egress kernel communication, which, on any and all computers, is virtually EVERYTHING. An unknown application attempting to modify the Windows registry? Denied. An untrusted application recently downloaded and residing in a browser cache attempting to capture keystrokes and communicate as a client to a remote IP address? Denied. From a policy perspective, a user in marketing attempting to copy a file containing a social security or credit card number to removable media? Denied. A member of HR or the CFO? Allowed, provided the user supplies a justification. A watermarked document containing Intellectual Property attempting to be transferred via Instant Messaging? Denied. Regardless of the scenario, they are all logged and auditable, and able to be pushed to a centralized Security Event and Incident Management (SEIM) solution, such as Cisco's MARS (next on Cisco's ax list), RSA's enVision or the highly flexible and agile Splunk.

Cisco is a hardware company that historically buys software when it envisions and defines a logical business model around it. They certainly were not following the AV vendor business model with CSA. Hell, in an effort to get CSA labelled as an "anti-virus" application so organizations could place that audit check mark next to the "anti-virus" requirement, they integrated the open source Clam-AV into CSA. This feature addition thereby mitigated the one major shortcoming of the product: it could clearly prevent malware from doing its evil duties (thereby essentially eliminating the NEED for AV from a security perspective) but it couldn't quarantine and remove potentially infected files. So by the release of CSA 6.x Cisco was touting a statistic that has resonated with every PCI-DSS Qualified Security Assessor (QSA) that I have personally dealt with: CSA "satisfied" 9 out of the 12 PCI-DSS compliance requirements. Now, from a 30,000 foot view, it sure did. From an infosec professional's perspective, no it didn't (details, details). But compliance is not security. I have personally seen many a QSA interview a client of mine and, once shown that my client's PCI assets were not only properly segmented from the rest of their non-PCI assets but were also running CSA, essentially tell my client that they were doing a great job and that CSA was the primary reason they were getting such high marks. Clearly a misdirected slap on the back of a fantastic HIPS solution in an effort to show high compliance scores. CSA deserved better as an actual security (vs. compliance) solution.

This post is getting longer than anticipated (i.e. a glass of wine and a large fire in the fireplace is in my immediate future) so I am going to break this up into multiple posts. Summary so far: CSA (now officially dead) and other behavioral based HIPS solutions perform spectacularly well against known and unknown attack vectors when implemented properly, despite static-signature vendors' apprehension about presenting said technology as a primary security solution (due to revenue business models) and compliance auditor overzealousness. But Cisco doesn't fall into either of those categories. So why did Cisco kill CSA? And how did that decision effectively summarize the death of HIPS in general? What are our current alternatives? Which direction is Cisco heading in their vision for security? How realistic is that vision and how does it hold up against the rest of the industry's vision for security?

Monday, November 15, 2010

TSA's slippery slope is already an avalanche

This is getting ridiculous. Infosec guru Schneier wrote about it in his 2003 book "Beyond Fear" and has made it a regular topic on his blog for good reason (e.g. http://www.schneier.com/blog/archives/2005/04/failures_of_air.html). A huge challenge in successfully enforcing security policy is identity, including in regards to airport security. Removing your shoes, 3 oz bottles and, more recently, full body x-ray scanners are all reactionary countermeasures that do not address the real problems (but certainly have garnered a very large budget). I will not beat a dead horse and bring up the scores of stories of the TSA harassing children, old ladies and your everyday American and non-American world traveler. Instead, I will focus on the last few weeks. Since the introduction of the full body scanners we have seen the TSA harass not only passengers but pilots as well. Yesterday, Forbes contributor Art Carden published a well thought out essay on why we should abolish the TSA, and today in a Fox News interview TSA chief Mo McGowan said his organization had every right to, and would, violate US citizens' 4th Amendment rights to justify the ends of "securing" airports and airline travel. This is my two cent plea for our government to a) give some teeth and substance to top security positions so that b) we can actually attract and retain Infosec and Risk professionals that understand the security issues in said positions.

Pilot denied access to plane for refusing full body scan and grope-down, supported by fellow pilots:
http://www.expressjetpilots.com/the-pipe/showthread.php?39523-Well-today-was-the-day

This is, well, illegal, and quite disturbing:
http://www.ourlittlechatterboxes.com/2010/11/tsa-sexual-assault.html

Detailed account of passenger declining body scan and the new and improved grope-downs with video:
http://johnnyedge.blogspot.com/2010/11/these-events-took-place-roughly-between.html

Forbes - abolish TSA for obvious reasons:
http://blogs.forbes.com/artcarden/2010/11/14/full-frontal-nudity-doesnt-make-us-safer-abolish-the-tsa/

TSA chief says they will, if need be, violate our citizens' 4th Amendment protections:
http://www.youtube.com/watch?v=Ni4GVWvT2Zs

The Atlantic's Jeffrey Goldberg's fantastic idea for November 24th's National Opt-out day - KILTS!!!
http://www.theatlantic.com/national/archive/2010/11/tsa-opt-out-day-now-with-a-superfantastic-new-twist/66545/

Stuxnet - Really? Wow.

Security pros disassembling and analyzing the Stuxnet code have discovered that it was designed to specifically target SCADA components made by companies in Iran and Finland, and only those operating at high frequencies, which are mostly used in nuclear facilities. Once it found them, it was designed to change their operating frequencies, which affects the associated motors, at short intervals over months, thereby disrupting the systems over lengthy periods of time.

i.e. targeting non-regulated, non-uranium enrichment systems used for full nuclear production.

Register link: http://www.theregister.co.uk/2010/11/15/stuxnet_jigsaw_completed/

Saturday, November 6, 2010

US Offensive vs. Defensive Security and our economic disadvantages

Today's article in the Washington Post on the Pentagon's Cyber Command requesting more authority to perform international cyber attacks in an effort to protect US interests and assets in my mind brings to light the inherent flaws of our existing US Cyber Defense "strategies".

First, some background. US Cyber Command (USCYBERCOM) was formed in May 2010 with a general mission to protect DoD cyber assets (.mil), improve US cyber attack capabilities and support DoD missions in cyberspace (i.e. disrupt enemy systems prior to military sorties, etc.). Note, USCYBERCOM does NOT protect non-military/DoD assets, including our federal government infrastructure. Which leads us to the Department of Homeland Security (DHS). Such tasks (protecting .gov) are the responsibility of the DHS, which, apart from the fact that in many people's view it is one of the most bloated and ineffective government agencies to date (albeit born with good intention, but simply put, everyone has an ego), just last week created another crap storm of bad publicity for itself when DHS Chief Janet Napolitano announced that NSA cyber-spooks would be participating hand in hand with the DHS in civilian cyber-security incidents. Not that I technically disagree with the concept in certain circumstances which have been properly vetted, but 4th Amendment, anyone?

Regardless, USCYBERCOM is both the strategic and tactical cyberspace arm of the DoD, charged with both defending .mil and DoD assets as well as developing and then implementing offensive capabilities against foreign entities which have been assessed to pose a threat to the US. The DHS is, on paper, the technical equivalent of USCYBERCOM for the federal government, charged with protecting .gov assets. So who is responsible for defending our civilian assets, such as critical economic verticals like our finance, medical and manufacturing sectors?

Drum roll ...

Themselves. Individually. With no coordinated strategic direction whatsoever. Each individual organization in each of our primary business verticals is responsible for defending its own assets in whatever manner it deems appropriate. Sure, we have numerous regulatory compliance standards out there like PCI-DSS, etc., but they are all scattered, focused on specific industry variables and in most cases either ridiculously vague and/or toothless. Compliant does not equal secure. Now, I am certainly not the first security geek to point that out, or the fact that security is subjective. Or even the fact that security is subjective because it is associated, from an investment perspective, with loss (Prospect theory). We even have an entire security solution subset called Data Loss Prevention to make sure, in case anyone had any doubts, that security is indeed associated with loss. And any investment, whether a gain or a loss, eventually boils down to an individual's status quo.

In black and white terms, the security of the entire non-military US economy is reliant on the individual subjective decisions of each and every individual strategic decision maker (CxO) of each and every company in both the public and private sector that does not do business with either .gov or .mil. And, more than likely, a decent percentage of those that also do business with .gov and .mil as well.

While the direction of this commentary may appear as if it is moving towards a diatribe about whether or not the government and/or the military should be as involved in protecting US economic assets in cyber-space as it was in protecting our US economic assets in our cities during the cold war, with all of our missiles set up, ready to launch at the slightest hint that Russian missiles might be flying towards our private sector institutions huddled conveniently together in said physical locations, it is not.

It is about the need for discourse between civilian and government institutions, both public and private sector, both DHS and USCYBERCOM, to develop a unified defensive strategy with the end goal of standardizing how we can protect our civilian economic resources as successfully as we protect our non-civilian .gov and .mil resources, thereby (hopefully) removing the subjectivity from the "protect our nation's economy" security problem. No doubt, it is a daunting task, fraught with politics, lobbyists and egos. But a necessity nonetheless.

The US has fallen behind our existing cyber-adversaries from a defensive perspective in many ways. The sheer number of reported data theft/loss incidents in the civilian public and private sectors sourcing from international entities appears to be growing exponentially, and the attacks are becoming more targeted and therefore more difficult to protect against every day. The US government counters that lack of a national set of defensive strategies and tactics with an overwhelming superiority of offensive strategies and tactics. However, in this case, a good offense is not at all a good defense, especially when all indications point to the fact that our existing cyber-adversaries have been lifting our corporate trade secrets right from under our noses since at least the early 2000s. Aurora was niche, Stuxnet may have been even more niche, even if it wasn't technically "targeted" at US assets. And those "unknown, unknown" threats are the threats we as a nation need to be afraid of and develop strategies to protect against, together: civilian, government and military.

USCYBERCOM asking for more authority to begin, essentially, hacking campaigns against our current known cyber-adversaries illustrates how far behind we are from many of those threats. Those adversaries do not need to ask for permission or lobby congress to get this done, since it is already being done either by nation-states who understand that "cyberwar" includes the defensibility of their nation's public economic infrastructure or by highly funded organized crime units who are above the law to begin with (let alone our own allies). Our nation's technological advantages combined with a complete lack of civilian sector security strategies, tactics and standards put the US at a very large disadvantage:

It is cheaper to purchase stolen trade secrets that will reduce the technological chasm the US currently holds over most of the rest of the world than it is to develop said technology on your own as a small international startup. And look how easy we have made it for our civilian corporate trade secrets to be stolen.

Monday, November 1, 2010

The long tail of security postulation

So, I attended David Kennedy (Rel1k)'s and SA Ryan MacFarlane's co-presentation entitled The Long Tail of Security at the 8th annual Information Security Summit in Cleveland, OH the other week and was pleasantly blown away by it. I had never met Ryan prior to this, but I once tried to hire David after he got out of the service (not successfully) in the early 2000's. He has since gone on to surpass most front line security professionals I know, even in passing. Regardless, their collective presentation was incredibly eye opening and even gave one the opportunity for a full on <facepalm> moment at not having connected the dots these two were laying out so very succinctly.

The 30,000 ft view is this : in 2006 Wired editor Chris Anderson put out a book called The Long Tail, in which he outlines the idea that a full on sales and marketing paradigm shift is occurring, in which those who are able to sell "less of more" will outshine traditional sales and marketing ideologies that focus on what is current and hot. Where WalMart does not carry our household favorite Bad Brains records, Amazon surely does. And the very volume of niche products like Bad Brains records, Harlan Ellison novels and Three wolves/One moon T-shirts that Amazon does carry, no matter how small the market, will enable Amazon to sell "less of more."

Follow the link to David's site; it fully illustrates the relation of that concept to information security and specifically malware. WalMart is your popular Anti-Virus application that concentrates on the hot and new, while completely neglecting anything niche, unpopular or previously unknown (e.g. Stuxnet). However, where Amazon fills the role of ample supplier of niche and unpopular items, there is no equivalent security product or solution on the market today that can successfully protect against that "long tail" of niche security attacks. One of David and Ryan's conclusions was that, as an organization that may require third party penetration testing, how can you be sure that your selected pen-testing organization is actually testing for the "long tail" vulnerabilities and exploits? Not surprisingly, there is not really a fool-proof way to determine that, and no semblance of an answer was therefore given. Just try to do your due diligence when selecting your pen-testers.

About halfway through their presentation, as they were scaring the living pants off most of those in attendance (David, if you are not aware, is also the author of the Social Engineering Toolkit, and was more than happy to perform live demonstrations of attacks that yielded command prompt level and/or keystroke capturing results that would have completely rendered all anti-virus applications useless), an attendee asked him point blank <paraphrasing> Well what CAN we do. Isn't there something on the market that can protect our networks from such niche attacks? </paraphrasing> David quickly responded that, no, there is nothing on the market currently that can prevent such low level, niche attack vectors. There were many whispered discussions all around me at that point, at which David chuckled and said that there was one product that could have prevented the majority of such attacks, but that it was no longer being sold. Said product was the Cisco Security Agent. Being an avid fan and rabid supporter of said product I chuckled back and soon raised my hand. I asked David, since you brought it up, how did CSA fare against your low level, niche attacks, to which he basically replied that they would not have worked.

For those unfamiliar with CSA, it is essentially a rootkit. A rootkit that intercepts every system, network, registry, and whatever call to the kernel and performs both policy and behavior assessments on the data going to the kernel to determine if that call should be allowed. This will serve as a great segue to what will probably be my next post, but it is my opinion that Cisco killed an amazing security product and control due to poor revenue and an idea that all computing will eventually reside in the cloud so why worry about host-based controls? Only that reality will play itself out when?
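The behavior and policy decisions described here and in the Part One scenarios above (unknown app touching the registry, untrusted download capturing keystrokes, PII to removable media with a justification exception for HR/CFO, watermarked IP over IM, everything logged), as a toy rule engine. This is an added example, not Cisco's CSA code or policy language; the action names, group names, `[WATERMARK:IP]` marker and sample payloads are all constructed for the illustration.

```python
import re
from dataclasses import dataclass

# Behaviors a kernel shim refuses to an unknown/untrusted application outright.
SENSITIVE_ACTIONS = {"registry_write", "keystroke_capture", "process_memory_write",
                     "network_connect"}
EXEC_GROUPS = {"hr", "cfo"}          # may move PII off-host, but must justify it

@dataclass
class Call:
    app: str
    trusted: bool            # known/signed application vs. unknown or freshly downloaded
    action: str              # e.g. registry_write, file_copy, im_send, network_connect
    user_group: str = ""
    target: str = ""         # "removable", "im", "HKLM\\...", "203.0.113.9:443", ...
    content: str = ""        # payload seen at the kernel boundary (constructed samples)
    justification: str = ""

def luhn_ok(digits):
    """Luhn checksum, so a random 16-digit number is not flagged as a card."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0

def classify(content):
    """Data classes found in a payload: ssn, credit_card, ip (watermarked document)."""
    labels = set()
    if re.search(r"\b\d{3}-\d{2}-\d{4}\b", content):
        labels.add("ssn")
    for m in re.finditer(r"\b\d(?:[ -]?\d){12,18}\b", content):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            labels.add("credit_card")
    if "[WATERMARK:IP]" in content:      # constructed watermark marker for the example
        labels.add("ip")
    return labels

def evaluate(call):
    """Behavior check first (what is this app doing?), then data policy (who moves what where)."""
    labels = classify(call.content)
    if not call.trusted and call.action in SENSITIVE_ACTIONS:
        return "DENY", f"untrusted application attempted {call.action}"
    if call.action == "im_send" and "ip" in labels:
        return "DENY", "watermarked intellectual property over instant messaging"
    if call.action == "file_copy" and call.target == "removable" and {"ssn", "credit_card"} & labels:
        if call.user_group in EXEC_GROUPS and call.justification:
            return "ALLOW", f"{call.user_group} justified: {call.justification}"
        return "DENY", "PII to removable media"
    return "ALLOW", "no behavior or policy rule matched"

AUDIT_LOG = []   # every decision, allow or deny, is recorded for the SEIM

def check(call):
    verdict, reason = evaluate(call)
    AUDIT_LOG.append({"app": call.app, "group": call.user_group, "action": call.action,
                      "target": call.target, "labels": sorted(classify(call.content)),
                      "verdict": verdict, "reason": reason})
    return verdict

if __name__ == "__main__":
    print(check(Call("dl.exe", False, "keystroke_capture")))                        # DENY
    print(check(Call("explorer.exe", True, "file_copy", "marketing", "removable",
                     "Employee SSN 078-05-1120")))                                  # DENY
    print(check(Call("explorer.exe", True, "file_copy", "hr", "removable",
                     "Employee SSN 078-05-1120", "payroll audit")))                 # ALLOW
    for rec in AUDIT_LOG:
        print(rec)
```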

Regardless of that possibly unnecessary CSA tangent, Kennedy and MacFarlane's analogy appears on the surface to have some serious teeth and makes a lot of sense. So when can we expect the information security version of Amazon?

Sunday, October 31, 2010

modus operandi

As a diligent information security professional and consultant, I have historically subscribed to the low and slow research theory: that it is better to keep a more stealthy internet presence in an effort to gather and analyze data in the white/grey/black hat arenas and to keep a smaller "profile" for myself. While not completely averse to public spotlight opportunities, for years it made sense to me that keeping a low professional profile and not potentially making myself a target for one thing or another at the end of the day gave me the ability to better serve my clients who look to me as a trusted resource to assist them in improving their overall security postures. Which clearly I no longer subscribe to, as evidenced by starting this blog. Without trying to extract the most convenient excuse available, things change. After assessing this long term behavior I have come to the conclusion that there are more benefits both personally and professionally to begin eliciting a more public voice in the industry I have chosen to be a part of.

I hope in the end this blog can be informative and educating, truthful and critical of the information security industry and IT in general, and entertaining. Like most blogs, there will be reposts, links and other things that are not of my own creation in addition to personal opinions and insights with the obvious objective of getting interesting and logical ideas and issues out to more people. So we shall see.