Dec 18
When Sensationalism Trumps Facts
Andrew Hay | News | December 18th, 2009

By now, everyone has heard about the malicious DNS hijacking of twitter.com by those claiming to represent the “Iranian Cyber Army”. Seeing this news spread, journalists have invented an enemy and laid blame based on…facts? No…wait…facts are defined as “Knowledge or information based on real occurrences”. Unfortunately folks, the only thing tying this back to “Iran” is the name of the group responsible for the redirect and the subsequent message announcing the “attack”.

This is sensationalism plain and simple. Here are some examples of the sensationalist headlines and some excerpts from the articles:

Iranian hacker attack: What will it cost Twitter?

Thursday night’s cyber attack against the Twitter microblogging service was no routine assault to bring down a website. It was a sophisticated online blitz – perhaps part of an online Iranian cybercampaign – that could prove costly for social media networks.

A “blitz”…wow…sounds dangerous. “Part of an online Iranian cybercampaign” to what, prevent Americans from sending important updates like “LOLZ, dude failed hiz last exam big time.” thus, disrupting national security?

Twitter Hack: Part Of Broader Iranian Strategy

The attack last night on Twitter was clear retribution for the role that the service played during the [post-Iran election] demonstrations, and the role that it continues to play today. We have spoken to a number of sources overnight who have told us that the Iranian Cyber Army, unlike other groups with similar national monikers, is a group name that is to be taken literally ie. it is an Iranian government group. Little is known about how the group operates, but previous attempts to shut off Iranian citizens from Twitter and other web services demonstrate that Iran has the capability and will to use almost any means to control the flow of information on the web both within and outside of its own borders.

“Clear retribution” based on…..well, you remember the elections right and how it pissed off the Iranians….well they have computers…..and the attackers called themselves “Iranian” so…BOOM…there you go! We’ll put this one in the FACT column for sure.

I could have gone further with this post, but the other articles I found were just too stupid to note.

Dec 15

Today’s interview is with Michael Santarcangelo. Affectionately known as “Santa” to his friends, Michael truly is a catalyst when it comes to changing how people think about information security. He’s helped me throughout my security career and has talked me down during my pre-exam “freak out” sessions on more than one occasion.

Q: Tell us a little about yourself.

I love to learn, connect, and share.

I am a catalyst.

I used to state, apologetically, that I was a “jack of all trades, master of none.” Then I would explain I was a renaissance man – less apologetic. But a few years ago I realized that I am a catalyst, and I no longer apologize.

I’m direct. Candid. And with a good knowledge of self, I am what you see. After watching people tell lies, play games and “work angles” early in my career, I decided against that approach. As a result, I am me.

In my practice, I connect with people, ask questions and share stories that shift thinking and create situations that inspire behavior change. I focus on the positive – acknowledging the good work of the users, amplifying their actions and revealing to them they have the power – and the responsibility – to act to protect information.

Q: How did you get interested in information security?

I asked too many questions.

I was working with Accenture (back in the days before it was Accenture) and on a project where I kept asking questions – about things like pricing spreadsheets being kept on shared drives. This was before “security” existed, so my reward for asking the question was to figure out a solution. When I did, the partners would take me out to nice dinners. It was perfect – I worked around the clock, got fed and learned.

In two years, I probably worked roughly 4-5 years worth of hours, but it was worth every minute. From there, I joined the newly formed global security team and the rest has been a great experience.

Q: What is your educational background (e.g. formal schooling, certifications, self-learning, etc.) and did it add value to your information security career?

My formal training is Policy Analysis (now called policy analysis and management) from the school of Human Ecology at Cornell University. It’s hard to explain why I chose the major when I did – but looking back, it was a perfect fit for me. In fact, I think more people need to study and become human ecologists.

Human Ecology is considered a “hard social science” – the power is in the blend. The foundation is economics, statistics and other “hard science.” It’s then amplified and improved with the addition of sociology, psychology, business, personal finance and other elements that allow human ecologists to draw on multiple disciplines to solve complex problems.

This translates into the tools and experience to understand policy, economics, people and technology. Better, I can then analyze and explain what I know in an applied way – to get results matched to the situation. And I continue to learn!

As to the balance of my learning – I am curious about everything and am a lifelong learner. Every topic literally fascinates me, and I learn from anyone and everyone.

At one time I was a top-rated lead instructor for the CISSP® — and even helped refine and improve a substantial portion of the Common Body of Knowledge. That experience allowed me to develop deep and broad PRACTICAL skills in the entire field of information security (spending enough years explaining leads to as many years doing). As a result, I have good knowledge of the field – especially the fundamentals — but also the realization that my niche now is to connect the right people together while focusing on the human element.

Once I earned the opportunity to join the National Speakers Association, I took the responsibility of being a professional speaker seriously. Professional speakers are hired to get results – so now I dedicate a good portion of time to mastering – and teaching others – the tradecraft of effective communication. I believe the real challenge for most security professionals is communication – and developed some seminars and support materials to be refined and improved in 2010.

As a human ecologist, I’m finally in a place to blend my skills to enhance my skills. In the process of my learning, I connect and share. The cool aspect of this is that the more I share, the more I learn.

Q: What did you want to be when you grew up? Would you rather be doing that?

I always wanted to run a business that helped people. I love what I do – and the way we’re about to do it, so I’m thrilled.

Q: What projects (if any) are you working on right now?

I am in a constant state of thinking, which means I have some projects going on. The big project is just starting – we have rented our house out (instead of selling it) and are heading out to travel North America by RV for the next few years.

We have dubbed our effort “Catalyst onTour” – as we will continue to meet our clients, literally, where they are to influence change.

Beyond traveling to meet, learn, listen and share, we have a different approach to seminars we’re going to unveil in 2010, as well as a few other ways to change the way people protect information that need a bit more time to distill and prepare.

Q: What is your favorite security conference (and why)?

I haven’t really found one that compares to the conferences I have experienced in professional speaking circles. I do enjoy the “hallway” interaction that happens at the security conferences and will advance some small suggestions for the future.

In the meantime, when we travel the country, we invite people to come to our house, enjoy a beverage and sit around the fire to catch up – real campfire chats. I hope you and I get to sit around the fire in 2010.

Q: What do you like to do when you’re not “doing security”?

First and foremost is time with my family. In that process, we like to learn, engage, share – lots of reading, museums, etc.

Q: What area of information security would you say is your strongest? What about your weakest?

As a former CISSP instructor who devoted 6+ years to developing and improving the profession, I have an unusual breadth and depth – and interest set. My strength is absolutely in applying what we know in a way that works in harmony with the power of people – the so-called elusive human element.

My weakest is programming; I understand and appreciate programming, but I’m not a coder and don’t want to be. However, that doesn’t mean I don’t like application security… since it requires people. Just don’t ask me to code or look for application vulnerabilities.

Q: You’ve spoken to people all over the country about managing risk. What, in your experience, is management’s most common misconception of “risk”?

I think the biggest misconception of risk lies with security professionals – and what I call “risk reaction.” Our focus, our thought process leads to situations where we see and realize things before others, and that leads to a state where we focus on threats, vulnerabilities and risks more than others.

I think we have a lot to learn from business leaders, decision makers and influencers about the real risk of the organizations.

Q: Tell us a little bit about your book and how it ties into your philosophy on life and security.

When I wrote Into the Breach: Protect Your Business by Managing People, Information and Risk, I had started to look deeper into some of the notable breaches happening – and asked a simple question, “what if breaches are only symptoms?”

The reality is that breaches – which take a lot of attention and capture a lot of money – are only symptoms. If we continue to do what we’ve been doing, we’ll keep getting what we’ve been getting.

My book is for executives to reconsider the challenge with a strategy for their success.

The central element is that individuals must take responsibility for their actions, and be held accountable. I think this is true in life as well as security – so this book does capture some initial thinking on my approach to a lot of things.

What I enjoy is learning about how people who have implemented the guidance not only solve their “security” challenge, but how they adapt it to do more. It excites me, since that was the purpose.

I have more information about the book and a special offer here: http://www.securitycatalyst.com/into-the-breach/team-inspiration-edition/

Q: What advice can you give to people who want to get into the information security field?

Ask questions. Seek answers. Share.

This is part of the reason we started the Security Catalyst Community. And that’ll be coming back stronger in 2010 – with a mentoring component. I’m a fan of the journeyman process, and a bit leery of people who have advanced degrees in security/assurance – but lack the practical, hands-on approach marked with scars, mistakes and the essential components of learning.

To be clear: I think cert programs and advanced degrees are important.

But I evaluate practitioners and professionals on what they can do – including how they can connect with real users/people and communicate. Those that have had their feet to the fire perform better than others.

So if someone is asking for advice, I suggest they find a blend:

  • get a mentor
  • get broad and diverse experience
  • get advanced schooling in the area of their passion/interest

Q: How can people get a hold of you (e.g. blog, twitter, etc.)

website: http://www.securitycatalyst.com
phone: 518.207.3453
email: securitycatalyst@gmail.com
twitter: twitter.com/catalyst
linkedin: linkedin.com/in/securitycatalyst

Dec 14
Heading to ShmooCon 2010!
Andrew Hay | News | December 14th, 2009

Well it looks as though the stars have aligned and I’ll be heading to my very first ShmooCon! I’m really excited as I get to see friends and colleagues I either haven’t seen in a while or that I’ve yet to meet in real life. If you’re going to be there then come find me and say “Hello”.

Note: I’m not very good with names/faces (just ask Rob) so just look for the guy who looks like the following picture and introduce yourself (P.S. beers make him calm and approachable):

ANDREW!!!!!!!

Dec 14
DECAF to Screw With Forensic Investigations
Andrew Hay | News | December 14th, 2009

The Detect and Eliminate Computer Assisted Forensics (DECAF) counter-intelligence tool was created specifically to obstruct the well-known Microsoft product Computer Online Forensic Evidence Extractor (COFEE), which is used by law enforcement around the world. From the DECAF About page:

DECAF provides real-time monitoring for COFEE signatures on USB devices and running applications. Upon finding the presence of COFEE, DECAF performs numerous user-defined processes; including COFEE log clearing, ejecting USB devices, drive-by dropper, and an extensive list of Lockdown Mode settings. The Lockdown mode gives the user an automated approach to locking down the machine at the first sign of unusual law enforcement activity.

DECAF is highly configurable giving the user complete control to on-the-fly scenarios. In a moment’s notice, almost every piece of hardware can be disabled and pre-defined files can be deleted in the background. DECAF also gives the user an opportunity to simulate COFEE’s presence by sending the application into a ‘Spill the cofee’ type mode. Simulation gives the user an opportunity to test his or her configuration before going live.

DECAF can perform the following things to effectively complicate the forensics process:

  • Contaminate MAC addresses by spoofing MAC addresses of network adapters
  • Kill processes by performing a quick shutdown of running processes
  • Shutdown computer on the fly
  • Disable network adapters, USB ports, floppy drives, and CD-ROM drives
  • Disable Serial/Printer Ports
  • Erase data using quick file/folder removal (Basic Windows delete)
  • Clear logs from the event viewer
  • Remove torrent clients
  • Clear cookies, cache, and history from the system

This tool was designed specifically to combat COFEE but could be updated in the future with more advanced features. One thing that I do not believe this tool is able to do, at this time, is alter the MAC times (modified, accessed, created) of files. It may fool, or at least complicate, the analysis performed by automated tools, but proven timeline analysis techniques should continue to be an effective first step in the forensic analysis process: every file the tool touches, disables or quick-deletes around still leaves timestamps that cluster tightly around the moment it fired.
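To show what that first step looks like in practice, here is an added example of a minimal MAC-time timeline builder; it is not code from the original post and has nothing to do with DECAF or COFEE themselves. It walks a directory tree with `os.stat()`, flattens each file into `m`/`a`/`c` events (the flag convention body-file timelines use), sorts them, and then flags short windows in which many distinct files were touched at once, which is the footprint a bulk quick-delete or lockdown routine leaves behind. The sample records, paths and the five-second/ten-file burst thresholds are constructed assumptions for illustration; tune them to the volume you are examining.

```python
"""Build a sorted MAC-time timeline and flag bursts of file activity.

Added example, not part of the original post, DECAF or COFEE.
"""
import os
import sys
from collections import namedtuple
from datetime import datetime, timezone

# One record per file: path plus modified / accessed / changed times (epoch seconds).
Record = namedtuple("Record", "path mtime atime ctime")


def collect_records(root):
    """Walk `root` and collect the stat() MAC times of every regular file."""
    records = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.stat(path, follow_symlinks=False)
            except OSError:
                continue  # unreadable or vanished between walk and stat; skip it
            records.append(Record(path, st.st_mtime, st.st_atime, st.st_ctime))
    return records


def build_timeline(records):
    """Flatten records into (timestamp, flag, path) events sorted by time.

    Flags follow the m/a/c convention used by body-file style timelines.
    """
    events = []
    for r in records:
        events.append((r.mtime, "m", r.path))
        events.append((r.atime, "a", r.path))
        events.append((r.ctime, "c", r.path))
    events.sort()
    return events


def find_bursts(events, window=5.0, threshold=10):
    """Return (start, end, file_count) for windows where at least `threshold`
    distinct files had any MAC event within `window` seconds of each other.

    A normal workday rarely touches many unrelated files in the same few
    seconds; an automated wipe or lockdown almost always does.
    """
    bursts = []
    n = len(events)
    i = 0
    while i < n:
        j = i
        paths = set()
        while j < n and events[j][0] - events[i][0] <= window:
            paths.add(events[j][2])
            j += 1
        if len(paths) >= threshold:
            bursts.append((events[i][0], events[j - 1][0], len(paths)))
            i = j  # skip past this burst so it is reported once
        else:
            i += 1
    return bursts


def format_event(event):
    """Render one event as 'ISO-8601 time, flag, path' for a human-readable timeline."""
    ts, flag, path = event
    when = datetime.fromtimestamp(ts, tz=timezone.utc).isoformat()
    return f"{when} {flag} {path}"


def _ts(year, month, day, hour=0, minute=0, second=0.0):
    """Epoch seconds for a UTC wall-clock time (helper for the constructed sample)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc).timestamp() + second


# Constructed sample: 30 documents touched once an hour over a few days (normal use),
# then 12 files whose MAC times all land within about one second (the burst).
SAMPLE_RECORDS = [
    Record(f"/evidence/docs/report_{h:02d}.doc", _ts(2009, 12, 10, h % 24) + (h // 24) * 86400,
           _ts(2009, 12, 10, h % 24) + (h // 24) * 86400,
           _ts(2009, 12, 10, h % 24) + (h // 24) * 86400)
    for h in range(30)
] + [
    Record(f"/evidence/cache/item_{k:02d}.tmp", _ts(2009, 12, 14, 3, 15, 0.1 * k),
           _ts(2009, 12, 14, 3, 15, 0.1 * k), _ts(2009, 12, 14, 3, 15, 0.1 * k))
    for k in range(12)
]


if __name__ == "__main__":
    # Run against a real directory if one is given, otherwise the constructed sample.
    recs = collect_records(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_RECORDS
    timeline = build_timeline(recs)
    for ev in timeline:
        print(format_event(ev))
    for start, end, count in find_bursts(timeline):
        print(f"BURST: {count} files touched between {format_event((start, '-', ''))}"
              f" and {format_event((end, '-', ''))}")
```

Point it at a mounted image with `python timeline.py /mnt/evidence` and read the burst lines first; the cluster tells you when the tool fired, and the ordinary events either side of it tell you what the machine was doing before and after.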

The DECAF tool can be found here. I encourage you to download it and see how much it changes your own forensic analysis techniques.

Dec 14

Today’s interview is with Brian Honan who lives in Dublin, Ireland. I’ve known Brian for a couple of years now and he is never shy to chime in with his ideas. He is also the first person to offer to help if you come to him with a problem.

Q: Tell me a little about yourself.

I am an independent consultant based in Dublin, Ireland specialising in the area of Information Security. I have worked for myself for over 5 years now and previous to that held numerous senior management roles both at the technical and business levels, so I like to think that I have a good broad view as to where information security can support the business. I also set up Ireland’s only CERT team, IRISS-CERT www.iriss.ie, due to there being no other body in the country providing such a service. I enjoy writing and have published a book on the ISO 27001:2005 Information Security standard, I am the European Editor for The SANS NewsBites and also write for numerous industry publications.

Q: How did you get interested in information security?

Way back in the late 80s I worked in the IT support function of a large Irish financial company. PCs were relatively new and I was the “lucky” one tasked with supporting them. Back in those days PCs ran PC-DOS and adding connectivity cards for networks or mainframes required a lot of “hacking” around with the hardware and the operating system. This helped build up my curiosity into how systems and networks worked as I battled to connect PCs to the various business platforms in the organisation. Then one day some of the PCs got hit with a computer virus. In today’s terms it was fairly benign, but back then it was a major issue and there was very little support available. Indeed, finding an anti-virus product was difficult. As a result of that first outbreak I became fascinated with the motives and skills shown by the virus writers. That fascination spawned my interest in security as I looked into ways to make the systems I was charged with more secure.

Q: What is your educational background (e.g. formal schooling, certifications, self-learning, etc.) and did it add value to your information security career?

I do not have a formal third level qualification in IT. Rather my qualification is in Personnel Management. Over the years I have amassed various industry certifications from organisations such as Microsoft, SANS, ISACA, Citrix, HP, IBM etc.

Whether or not those qualifications added value to my information security career is hard to quantify. It is difficult to know whether or not you got a particular role purely based on the number of acronyms you have on your CV. However, I would say that they have added value to me personally in that they confirmed to me that I was competent in the technologies I worked with. It was good to have a third party confirm your own skills. I am a firm believer in rating someone based on their ability to do the job in a professional manner and I have worked with many talented people who did not hold any official information security certifications. So if anyone is looking to seek a certification my best advice is that you do so for your own selfish reasons and not because it is the latest and greatest certification that is appearing in the job ads.

I believe that my qualification in Personnel Management has given me a unique insight into the field of Information Security. While being knowledgeable in the technical aspects of information security, one of the key elements in Information Security is people. Knowing what motivates and drives people is invaluable when designing information security programmes. Also being aware of the Human Resource and Industrial Relations that are integral when dealing with people is also invaluable when making key decisions in relation to information security issues.

Q: What are some of the issues, specific to Ireland, that you run into from a security perspective?

Ireland is a small country with a population of around 4 million people which tends to lead to an attitude that “we are too small for anyone to hack us”. Unfortunately this is not the case and to help address the issue I established Ireland’s first CERT team, The Irish Reporting and Information Security Service (IRISS www.iriss.ie). In the year that we have been operational we have been very busy dealing with numerous issues, primarily shutting down phishing sites hosted on compromised Irish based websites.

The other main issue I see is that many companies believe that information security starts and ends with the deployment of a firewall and some anti-virus software. They tend to forget that technology is only one part of the puzzle and they need to also ensure the other elements of people and processes are also properly dealt with.

Finally I often come across the problem where companies do not understand their legal obligations under the Irish Data Protection Act and there is also a lack of awareness, especially within the SME sector, of the PCI Data Security Standard (PCI DSS).

Q: Do you think that computer users in Ireland are more or less susceptible to information security exploits or malware? Why?

I don’t think that Irish computer users are any more or less susceptible to information security exploits or malware. I would say they are as equally susceptible as users in other countries. But the problem is not just at the user end, I think overall as a profession we have failed to properly educate end users on how to deal with the various threats that are out there. This is not just a failure in how we educate end users against the various security threats but also in the technology we use to defend ourselves, the underlying technology used on our networks and our computers, and finally how we tackle international crime.

Q: What do you find is the hardest security concept to explain to senior management? How do you approach it?

The biggest challenge I find is explaining that information security is not just a technology problem but a business problem and needs to be dealt with in the same way as any other business problem. I find the best way to deal with this is to explain information security problems in the terms of the risk they pose to the business. When the business can see the potential bottom line impact a security threat can pose either in terms of Euros or reputation then they tend to pay more attention.

Q: What did you want to be when you grew up? Would you rather be doing that?

At one stage when I was growing up I started my own band and had ambitions of becoming a rock star. There are times when I am in the middle of an ISO 27001:2005 audit or other information security project that I think would I rather be doing this or be in a 5 star hotel room with a bunch of groupies?

Q: What projects (if any) are you working on right now?

I am working on a number of customer projects assisting them to achieve ISO 27001 compliance/certification. I am developing an ISO 27001 based risk management product that I hope to launch in 2010. Running the IRISS-CERT is keeping me busy, especially as we hope to soon become accredited with TF-CSIRT and FIRST. I have a number of writing opportunities that I am exploring, one of them will be blogging for Infosecurity Adviser http://www.infosecurityadviser.com/. There are also a number of other projects I am working on in relation to cloud computing and managing the security around that area.

Q: What is your favorite security conference (and why)?

Being based in Dublin the better security conferences require me to travel. So I am selective about which ones I go to as I want to ensure my time is well spent. So it would not be fair for me to pick one conference over another. I would though recommend local chapter meetings of the ISSA, ISACA and here in Ireland the Irish Information Security Forum. Local meetings provide a great opportunity to meet and share experiences with your peers while also getting to attend some good presentations.

Q: What do you like to do when you’re not “doing security”?

Relaxing with the family.

Q: What area of information security would you say is your strongest? What about your weakest?

My strongest would be in the areas of information security management, developing information security programs, designing and architecting a secure network infrastructure. My weakest area would be in application security – I never had the patience to write or examine code and have the utmost respect for those with skills in that area.

Q: What advice can you give to people who want to get into the information security field?

The best advice I can give is to communicate. Working in this field can be very challenging, fun and rewarding. But be warned that many businesses and organisations see information security as a necessary evil so don’t be surprised when the business doesn’t put the same priority to issues as you do. Learn to communicate to the business in terms they can understand. Communicate with your peers and others in the field, that way you can learn from them and they can learn from you. The bad guys who are trying to attack your systems are sharing information with each other, so those of us defending our systems need to also share information so we can better defend ourselves.

Q: How can people get a hold of you (e.g. blog, twitter, etc.)

My Email is brian.honan@bhconsulting.ie
My company website is www.bhconsulting.ie
My twitter handle is @brianhonan
My own blog is www.bhconsulting.ie/securitywatch
My Infosecurity Adviser Blog http://www.infosecurityadviser.com/view_profile/brian_honan/752/
My book “Implementing ISO 27001 in a Windows Environment” can be found here: http://www.itgovernance.co.uk/products/2207
