Jan 30

After working with my contact at SANS for the last few weeks it’s finally official! From Thursday, April 5, 2007 to Thursday, June 7, 2007 I will be leading the Security 504: Hacker Techniques, Exploits and Incident Handling track here in Fredericton, New Brunswick, Canada.

I see this as a really big deal for the following reasons:

  • The population of Fredericton is only around 48000, which is the size of most big city suburbs. Trying to get this type of training is not easy in Fredericton, let alone the rest of Atlantic Canada.
  • Most organizations in New Brunswick are unable to send their employees for formal training due to the cost of hotels, flights, meals, etc. Having a local training option will drastically reduce this roadblock to quality training.
  • I get to give back to the security community, gain valuable teaching experience, and meet local people in the security field (this is a personal bonus for me!)

If you live in Fredericton, or the surrounding areas, and want to know more about these training sessions then please take a look at the following links:

If you do register please don’t forget to enter “MENTOR RECRUIT” into the Comments section during their online registration.

Also, if you’d like to learn more about the instructor (me) then please check out my About page and Resume. I look forward to seeing everyone there!

Jan 29

As I picked up my latest copy of Information Security Magazine I found myself wondering what Tom Hanks was doing on the cover. On second glance I noticed that this wasn’t Tom Hanks but rather Eric Bangerter from the University of Wisconsin Credit Union.

This mistake made me think of two things:

  1. How could my eyes possibly be that bad?
  2. Why doesn’t the security industry have champions in Hollywood?

The first item really isn’t the basis for a good article so I’ll stick with the second item.

Animals have Paul McCartney, Buddhism has Richard Gere, Scientology has Tom Cruise (or maybe it’s the other way around), the UNHCR has Angelina Jolie, and PETA has Pamela Anderson. Who do we have? The security industry does not have a famous face to market the importance of implementing security measures in the home nor in the enterprise. Granted, we have such pioneers as Martin Roesch of Snort and Sourcefire fame, Bruce Schneier the author of such greats as Applied Cryptography, Secrets and Lies, and Beyond Fear, Kevin Mitnick the well known social engineer, author of The Art of Deception and The Art of Intrusion, and Radia Perlman one of the most respected names in security and networking, to name a few.

Even though these people are incredibly well known in the security industry I suspect that none of them would be met at the airport by 10000 screaming fans who are there just to hear the person say something life changing. I’ve been thinking about who should be approached for several days now and I’ve short listed a few people:

  • Harrison Ford – who wouldn’t listen to this great actor from such timeless films as Indiana Jones, Star Wars, Blade Runner, and most recently Firewall (not ‘timeless’ but helped put him on the short list due to its content).
  • John Travolta – his attention grabbing cool demeanor in such films as Pulp Fiction, Get Shorty, Face/Off, A Civil Action, Swordfish, and Be Cool ensured that he would make this list.
  • Speaking of cool what about Jack Nicholson? This man has done it all from The Shining to Batman to As Good as It Gets to A Few Good Men to One Flew Over the Cuckoo’s Nest. When Jack speaks people listen.
  • What about Catherine Zeta-Jones? This Welsh beauty commands the screen with her sly wit and sultry delivery. I’d be hard pressed not to listen to EVERYTHING she told me.

I’m sure I could go on listing people forever but I wanted to put some names out there. Who would you like to see represent the security community from Hollywood? Before answering ask yourself this question…“Who would make security cool enough that you’d be embarrassed not to care about it?”

Jan 17

I received a hilarious email posted to the security-basics mailing list this morning that I had to share:

I was in a bar in San Francisco where my English accent has a habit of stimulating conversation with total strangers; in this case it was with a webmaster (sadly not webmistress) of a dubious website hosted in Amsterdam (I don’t think I need to expand on the nature of the site ;). I mentioned that I was passionate about Information Security, whereupon he proceeded to tell me his root password, as he was so proud about how hard it would be to crack! If this was an isolated incident I wouldn’t mention it.

However, these instances are becoming ever more frequent. Is it my trustworthy face or are others experiencing similar errors of judgement?

Special thanks to Andy Cuff, the originator of this email and CEO/Founder of The Taliskar Security Wizardry site, for making my day.

Jan 16

The illustrious Shon Harris has stated in her latest article for SearchSecurity.com that:

Not only should the networking group and security group have distinct and clearly defined tasks and responsibilities, but they should also have separate chains of command.

which I agree with completely. Her next comment, however, is another story:

Problems can occur when sharing the same chain of command. For instance, let’s say someone in security informs a network administrator that there is an unsafe rule set on the firewall. This traffic setting, though, may have been implemented by the network administrator to support a business need or a user’s particular preference. There is a chance then that the administrator may rank the network concerns more of a priority than the security issue and ignore the information.

This sounds like a documentation or process failure to me and not one related to sharing the same chain of command. If the rule is required to fulfill a business requirement then it should be documented as such, with that justification kept available in times of need (such as for auditing purposes).

Her final point suggests introducing an intermediary, in the form of a security engineer, to help open the communications channels between the two groups:

The network lab manager and the CSO should perform their duties separately. If the CSO needs help, then a security engineer should be hired to properly arrange the responsibilities.

I’m not sure if this is the right approach or not. Hiring a subordinate to manage the channels between two groups may result in a power play for the engineer’s favor. Also, there is nothing in the article suggesting to whom this security engineer would report, which may cause even more internal conflict between the two groups.

A better suggestion might be to hire an experienced security project manager with a background in both networking and security. This person could have a dotted line to both the CSO and the network lab manager for these types of issues and could report directly to the COO to eliminate the aforementioned conflicts.

One final thought…

If these two groups cannot work together during the course of a regular business day what hope do they have of handling an incident when it occurs in a timely and organized manner?

P.S. Hopefully the ‘security gods’ don’t strike me down for crossing Shon Harris…love your book…

Jan 14
What Training is Missing?
Andrew Hay | Articles, News | January 14th, 2007 | 7 Comments

Both Richard Bejtlich and Harlan Carvey have expressed their concerns with the recent SANS NewsBites issue in which the new Certified Malware Removal Expert certification is announced:

Does anyone on your staff do an excellent job of cleaning out PCs that have been infected by spyware and other malicious software? We are just starting development of a new certification (and related training) for Certified Malware Removal Experts and we are looking for a council of 30 people who have done a lot of it to help vet the skills and knowledge required for the certification exam and classes. Email cmre@sans.org if you have a lot of experience.

I understand their concerns with this certification, but their comments did make me think of something: “If we don’t need training on this topic, what topics do we need training on?”

So these are my questions to you, the security community:

  • What security related topics have not been covered in formal training yet but you feel should be?
  • What topics require revised or better content?
  • How would these topics be best presented? (e.g. self-paced training, instructor-led online training, instructor-led classroom training, etc.)

I would appreciate all of your comments and suggestions. If you do not wish to post your comments or suggestions to the blog then please feel free to email me directly at andrewsmhay@gmail.com. Perhaps we can even work together on getting these topics into some formal training.
