Krypt3ia

(Greek: κρυπτεία / krupteía, from κρυπτός / kruptós, “hidden, secret things”)

Archive for the ‘CISSP’ Category

OFFICIAL STATEMENT On (ISC)2 and The Freak Power Ticket


Recently I added my name to the candidate list of ISC2 board members in the running this year. After a flagging showing thus far and some tweet conversations I am getting some impressions that people have some odd notions about ISC2 and perhaps my running. So I wanted to clear the air some and to set the record straight for those unable to navigate sarcasm or irony. I am running partially as a serious effort and partially as a farce. Now, this may escape some and I would encourage those who don’t get the motives or means to go look up Hunter S. Thompson’s run for Sheriff in Colorado for a little better understanding of my meaning.

I am running for the board while knowing that we, “The Four Horsemen of the Infosec Apocalypse”, have little to no chance of getting on the board in the first place. Why do we have little to no chance? Because the org is an ossified bastille on a hill of old guard founders who don’t want the boat rocked at all. That’s why. All of us are undertaking not only a battle with little chance of winning in the first place (we all pretty much agree on this) but then, once inside, were any to make it, would surely be voted down on the changes we would like to make to this org.

All of us, all the horsemen, are seeking to change the org for the better because in some way we think we can and should. Others, like @errattarob feel that the org just needs to be burned to the ground and loathes it for its very aegis as it stands. I would agree with Robert, but, I don’t think that the org just needs to burn, instead perhaps there is a minuscule at best chance that some change can come with the right group of people rattling cages.

Oh god.. Does that make me a Pollyanna? Crap…

Anyway, look, yeah, I am taking this all tongue in cheek, but, like Hunter, I do have a reason and that reason is not just for the LULZ. If I were on the board I would try to make things better. Short of that though, were there no way to effect change, then I would make their lives as miserable as possible. Why? Because they are doing all of us a disservice with the way things are run now. The very least of these things is the way that ethics are handled within this org by the old guard in place. Just look at the players here..

Do you really think any of us has a chance here? I mean, c’mon, we get 500 signatures and then the BOARD votes on who they want on it? WTF kind of election process is that?

EDIT: MEA CULPA, I did not read the bylaws and was misinformed. The voting is done by the masses via email evidently. MY BAD… So, the rest of my screed still applies, but I wanted to correct this factual error. At least the masses can vote for whom they want.

Vote for the horsemen… If not me, then the others. I am doing this on a lark really, but, it’s for a bigger point here. Those of you who take the ISC and CISSP seriously need to seriously look at your org. You need to take that rather large stick out of your asses and your fingers out of your ears and really LOOK at it all. Do you think that any of us with this certification really are good at what we do because we took that test and adhere to some crap ass ethics rules that the board ignores when they see fit?

Get over yourselves.

If that’s your gig, and you think everything in ISC2 is nirvana inc… So be it.. Continue on your way.

If you want change and effectiveness to this org and this certification.. VOTE for one or all of us.

“FREAK POWER!”

K.


Written by Krypt3ia

2012/08/26 at 13:19

ISC2 BOARD CANDIDACY


Ok, so after a flurry of tweets about the candidacy of others, my name got thrown in there like so much pasta being chucked at a wall. Well, it stuck in my case and I decided to run. I am not promising much but what I do promise is this:

“I plan to be me, which is to say the same bastard unafraid to say what he thinks and to call bullshit where I see it.”

So, if you think that I can get in there and stir up some trouble, and maybe make some changes then VOTE FOR ME in this petition. If not, then at least vote for @jadedsecurity or @indi303 or @gattaca because, even though we are now labeled the “Four Horsemen of the INFOSEC Apocalypse” *catchy huh? Thanks JAVVAD!* I suspect that any one of us could stir some shit up.

In the end.. Quit your bitchin’ out there and do something about it. VOTE!

Yours,

Dr. Krypt3ia

Written by Krypt3ia

2012/08/23 at 13:29

Posted in CISSP

INFOPOCALYPSE: You Can Lead The World To The Security Trough.. But You Can’t Make Them Think.


“Dark, profound it was, and cloudy, so that though I fixed my sight on the bottom I did not discern anything there”

(Dante Alighieri; The Inferno)

The current state of the Security “Industry”

It seems that once again people who I have acquaintance with in the security industry are wondering just how to interface with corporations and governments in order to build a base of comprehension about the need for information security. The problems though are myriad with these questions, and the task to reach people can be a daunting one, never mind when you have groups of them in hierarchies that comprise some of the worst group think in the world (AKA corporations).

Added issues for the “industry” also surround the fact that it is one at all. Once something moves from an avocation to a profession, you have the high chance of it becoming industrialised. Saying something has been industrialised implies, to many, the cookie-cutter Henry Ford model really. In the security world, we have seen this from the perspective of magic boxes that promise to negate security vulnerabilities as well as teams of consultants who will “securitize” the company that is hiring them with magic tools and wizardry. The net effect here is that those paying for and buying into such products and services may as well be buying a handful of magic beans instead.

Now, not every company will be efficacious in their assessments nor live up to the promises they make for their hardware/software solutions. Many practitioners out there and companies really try to do the right thing and do so pretty well. However, just as in any other business, there are charlatans and a wide range of skilled and unskilled plying their arts as well. Frankly, all that can be said on this issue is “Caveat Emptor”. It’s a crap shoot really when it comes to goods and services for security solutions. The key is though, to be able to secure yourselves as a company/entity from the standpoint of BASIC security tenets up.

Often it’s the simple things that allow for complete compromise.. Not just some exotic 0day.

So we have a cacophony of companies out there vying for people’s dollars as well as a news cycle filled with FUD that, in some cases, is directly lifted from the white papers or interviews with key players from those said same companies seeking dollars. It is all this white noise that some now are lamenting and wondering just how do we rein things in and get a stable base to work from in an ethical way to protect companies and individuals from information security meltdowns. More so it seems lately, the question has been how do we reach these people in the first place? How do we actually get a meaningful dialogue with the corporate masters and have them come away with the fundamentals of security as being “important”?

Unfortunately, I think that there are some major psychological and sociological hurdles to overcome to reach that point where we can evince the response we all would like to see out of those C level execs. I have written about them before, but I will touch on them again later in this piece. Suffice to say, we all have a tough row to hoe where this is concerned, so, I expect there to be no easy answer… Nor really, any satisfactory conclusions either.

“It is a tale Told by an idiot, full of sound and fury, Signifying nothing”

(Shakespeare; Macbeth)

Security Joans of Arc and their Security Crusade:

Joan of Arc was a woman ahead of her time. She wore men’s clothing and led the French in battle against the English and to victory, all as a teen girl. She later was burned at the stake for heresy and just recently made a saint many years later. I give you this little history lesson (link included) to give you an idea of who you all are in the security industry lamenting over not being listened to. You too may be ahead of your time, but, just as she was, you too will not be listened to because your ideas (to the listeners) are “radical”.

Now, radical is a term I am using to denote how the corporate types are seeing it. We, the security advocates, do not see these concepts as radical, but instead as common everyday things that should be practice (complex passwords, patching effectively, etc). They (the client) see these things as impediments to their daily lives, their bottom lines, and their agendas both personal and corporate. There are many players here, and all of them have agendas of their own. This is a truism that you must accept and understand before you rail against the system that is not listening to your advice.

Here’s a bit of a secret for you.. The more ardent you seem, the more likely you will be branded a “Joan”. The perception will be that you are a heretic and should not be listened to. Instead you should be marginalised in favour of the status quo.. After all, they have gone about their business every day for years and they are just fine! The more you rail, or warn with dire tones, the more you will be placed at the back of the mind.

Think Richard Clarke (I heard that chuckle out there)

Though Joan inspired the French forces to battle on and win more than a few battles, she eventually was burned at the stake. Much of this was because of her unique nature and fervour. Much as yours may do the same to you… Without of course literally being burned at the stake, and you all must learn this. I think you have to take a page from the hacker’s playbook really and use the axiom of being a “Ninja”.

The subtle knife wins the battle.


“If the Apocalypse comes, beep me”

(Joss Whedon; Buffy the Vampire Slayer)

What’s the worst that could happen really?

The quote above really made me chuckle in thinking about this article and the problems surrounding the premise. This I think, is the epitome of some people’s attitudes on security. Most folks just go along their days oblivious to the basic security measures that we would like them to practice as security evangelists. The simple fact is that like other apocalypse scenarios, people just have not lived through them and been affected by them to change their behaviours accordingly. What solidified this for me recently was the snow storm last October here in New England that caught so many people flat-footed. They simply had not ever really had to rely on their wits and whatever they had on hand before like this. When the government and the corporations (CL&P) failed to provide their services to the populace, the populace began to freak out.

It’s the same thing for information security. Whether it is the government or the corporations that supply us all, both are comprised of people who all pretty much lack this perspective of being without, or having really bad things happen to them. 9/11 comes the closest, but, that only affected NYC and DC directly (i.e. explosions and nightmarish scenarios with high casualties). In the case of corporations, you have lawyers and layers of people to blame, so really, what are the risk evaluations here when it is easy to deflect blame or responsibility? For that matter, it was inconceivable to many in the government (lookin’ at you Condi) that terrorists would use planes as missiles… Even though a month before a report was handed out with that very scenario on the cover.

The core of the idea is this. Human nature on average, and a certain kind of psychology (normative) that says “This can’t happen to us”. We all have it, just some of us are forward thinking and see the potentials. Those forward thinkers are likely security conscious and willing to go out of their way to carry out actions to ensure their security. Things like storing extra food and water as well as other things that they might need in case of emergency. These can be life or death deal breakers.. Not so much for information security at your local Acme Widget Corp. In the corporate model, they have the luxury of “It’s somebody else’s problem”. So, these things are usually not too important to them unless that person making the decision is cognisant of the issues AND responsible for them. Unfortunately, as we have learned these last 10 years or so, responsibility is not their strong suit.

So, on they go.. About their business after you, the security curmudgeon has told them that they need to store food for the winter..

But the grasshoppers, they don’t listen… Until they are at your door in the snow begging for food.


“More has been screwed up on the battlefield and misunderstood in the Pentagon because of a lack of understanding of the English language than any other single factor.”

(John W. Vessey, Jr.)

How do we communicate and manipulate our elephants?

Back to the issue of how to communicate the things we feel important. This has been a huge issue for the security community for a couple of reasons.

  1. The whole Joan of Arc thing above
  2. The languages we speak are.. Well.. like Tamarian and theirs are corporate speak.

We, the security practitioners, often speak in metaphor and exotic language to the average corporate manager. You have all seen it before, when their eyes glaze over and they are elsewhere. We can go on and on about technical issues but we never really seem to get them to that trough in the title. Sometimes you can get them to the trough easily enough by hacking them (pentesting) but then they think;

“Well this guy is a hacker… No one else could do this! What are the chances this is going to really happen? Naaahhh forget it, it’s not likely”

So there is a bias already against doing the things that we recommend. Then comes the money, the time, and the pain points of having to practice due diligence. This is where they turn off completely and the rubric of it is that unless they are FORCED to carry out due diligence by law or mandate, they won’t. We all have seen it.. Admit it.. It’s human nature to be lazy about things and it is also human nature to not conceive that the bad things could happen to them, so it would be best to prepare and fight against them.

So, how do we communicate with these people and get them on the same page?

I have no answers save this;

“Some get it.. Some don’t”

That’s the crux.. You have to accept that you as the security practitioner will NEVER reach everyone. Some will just say thank you and good day… And you have to accept that and walk away. As long as you have performed the due diligence and told them of their problems.. You have done all you can. You can try and persuade or cajole them… But, in the end, only those who get it or have been burned before will actually listen and act on the recommendations you make.

“The greater our knowledge increases the more our ignorance unfolds”

(John F. Kennedy)

The Eternal Struggle

There you have it. This will always be the case and it will always be the one thing that others seeking to compromise corporations and governments will rely on. The foolishness of those who do not plan ahead will be their undoing..

Eventually.

All you can do sage security wonk, is calmly and professionally explain to them the issues and leave it to them to drink.

K.

Modern Day Witch Hunting by CISSP Members Minus The Ergot


From Jaded Security

Back in 1692 a bad growing season (wet and cold) likely gave rise to the Salem Witch Trials due to a small fungus called ‘Ergot’. In the 20/20 hindsight of some detective work on the history of the incident, one can then at least forgive some of the things that happened then due to poisoning and hallucinations from Ergotism. Today though, I wake up to see that Jaded Security has been accused of something akin to witchcraft in the CISSP world by someone who apparently is using the King’s English to do it.

(see affidavit above.. Ironic huh)

Now, I am not personally familiar with Mr. Hugh Murray CISSP but I am told he is a relatively good guy, perhaps a bit on the aged side and leaning toward a “Hey you damn kids get off my lawn” stage in life, but generally ok. However, this little accusation and flinging of screen names linking Boris to Abhaxas (the alleged FL voting hacker) without ANY real proof is a bit much Mr. Murray.

Got some proof Mr. Murray? Because if you don’t you are just making yourself culpable in a legal action against you for slander.

Anyway, back to the CISSP ethics violation. I honestly don’t think you can call anyone out on this presentation at Bsides and I would like to outline some reasons why.

The failure of ISC and the CISSP with regard to ethics and the security business:

So, the whole point of ethics in the security business is to act ethically with the data we are charged to protect, its protection by proxy of what we are supposed to be teaching our corporate sponsors, and generally doing ethical business. However, what the CISSP, like the SOX regulations, fails to do is really deal with the issues where the rubber meets the road. In SOX regs you have a simple paragraph on actual network/computer security, and in CISSP, you have;

Code of Ethics Preamble:

  • Safety of the commonwealth, duty to our principals, and to each other requires that we adhere, and be seen to adhere, to the highest ethical standards of behavior.
  • Therefore, strict adherence to this Code is a condition of certification.

Code of Ethics Canons:

  • Protect society, the commonwealth, and the infrastructure.
  • Act honorably, honestly, justly, responsibly, and legally.
  • Provide diligent and competent service to principals.
  • Advance and protect the profession.

Yeah, it’s about as good as the SOX section 404’s controls checks on technical security. Really, the CISSP code of ethics equates more to the Bushido code than it does to anything relevant in today’s digital security space.

  • Frugality,
  • Loyalty,
  • Martial arts mastery,
  • and… Honor unto Death

At least in the 17th century, the Samurai took their code seriously enough as to commit seppuku when they had lost face. Today, just how many of the CISSPs out there, including those who are running the program, are willing to be so honour bound to their code?

In a sea of ethics violations by major companies *cough* Wall Street *cough* you sir are going to get bent over a presentation that covers the potential for gaming a system and how to, by proxy, spot it?

Really?

Platitudes Mr. Murray… Might I remind you that you have broken your own trust with them using the accusation that Boris is in fact Abhaxas without any real proof?

Consider yourself reminded.

Information Security, Hacking and Pen-testing: The Triumvirate of FAIL:

My second point here is that the code of conduct put forth by ISC2 says that a CISSP should not consort with hackers, perform hacking, or generally go against the ideal that they have set forth from their ivory tower. I say to you (ISC2) that your thinking in this matter is clouded considering the very nature of what we, ‘the security industry’, are trying to do… Well, at least the subset of people who are doing the real work of penetration testing, reverse engineering, and other areas that ISC2 feels a little twitchy about as it may be portrayed as ‘unethical’.

Let me remind you that attending conferences with hackers does not an unethical person make. As Boris pointed out, the conferences, though shunned by you, are also used as CPE credits that you allow.

Just how is that ethical? It is in fact rather dodgy in my book.

How about you re-think your position and clear your collective souls and allow for these salient facts:

  • If I attend a hacker conference, it does not mean I am taking part in any unethical behaviour. I am in fact learning from others who likely also, are not performing unethical acts.
  • To properly perform the duties of a CISSP and protect the information and systems we are tasked with, one must be able to think and sometimes act (with the legal permission of the client) as an aggressor. This means *GASP* sometimes hacking or breaking systems.
  • Ethically then, the reporting of vulnerabilities and findings jibes with the aegis of the code, so why get all bent on how you got it in the first place? Especially when there are legal agreements, documents, and processes out there to do so?

Certainly Mr. Murray needs to get with the times as well as perhaps get personal feelings out of the way before making accusations against someone (WITCH! BURN HER!) because that would be the ‘ethical’ thing to do.

And so, I leave you now to ponder your giri Mr. Murray. Retract your witch hunt and think about your actions the next time before you grab your Malleus Maleficarum and robes.

K.


Written by Krypt3ia

2011/07/15 at 13:52