Month: February 2010

Information Security D-List Interview: Joshua Corman

Today’s interview is with Joshua Corman. I was introduced to Josh at SANS Network Security in San Diego, CA in the fall of 2009 by Dave Shackleford. He’s a great guy with lots to say about lots of different things.

Q: Tell us a little about yourself.

I’m 34 years old. I live with my wife and 2 daughters in New Hampshire [Live Free or Die].

Security pros didn’t initially know what to make of me – some still don’t. I’m technical, but not l33t. Business savvy, but not a marketing wonk. Mostly, I’m a very effective translational bridge between the super technical and the rest of the world. I was at a BlackHat many years back sitting with some guys from Lehman Brothers. I could understand WHAT was just covered, but could also help them understand WHY it mattered and HOW it impacted their day jobs. Unfortunately, that mix of technical acumen, business savvy, and strong communication skill is far too rare in our industry. In fact you and I probably know all of them.

I am passionate about Security – I see it as both a technically interesting/challenging space, and also a sacred trust / higher calling. I am candid and direct – firm, but fair – critical, but not to be negative. I can sometimes be mistaken as negative, because I start by identifying a problem – but I am a fierce optimist in my actions and in my drive to affect positive evolution. I am big on intellectual honesty. I am a huge advocate for the security practitioner.

I wrote my “Unsafe at Any Speed: 7 Dirty Secrets of the Security Industry” for a few reasons:
1) I felt the “trusted security advisors” had been increasingly abusing that trust.
2) I felt that we had ceased to keep pace with the evolutions in this space.
3) I saw how hard things were getting for the CISO +/- community and no one seemed to be looking out for them.
4) I think part of me was trying to get fired… so I could get a breather from Security for a bit.
5) I saw several peers quitting security – and decided maybe I should 1st speak up and try to change things.

Well, I didn’t get fired. And my candor was very appreciated. For some practitioners, I crystallized what was on the tips of their tongues or just beyond their reach. For others, the discussions fundamentally changed the way they looked at their work. I half expected backlash from some of the vendor community, but none of them could refute anything I was saying – because it was true – and it was fair. In fact, much to my surprise, some of the vendors were very happy that I started this ongoing dialog – they actually agreed.

Beyond being cathartic, the process gave me a renewed conviction and confidence that these challenges [although huge] were possible to fix – as long as we are candid, critical, ask the tough questions, challenge us to evolve, and get people talking.

Silence, Willful Ignorance, and Blind Spots are/were killing a space I am passionate about – so I wanted to motivate us to do just the opposite.

We’ve got to evolve – and we haven’t been. One of the biggest threats to our evolution at the moment seems to be the overall effect PCI DSS is having – but don’t get me started on that… [yet].

Q: How did you get interested in information security?

Well. I have always loved the heroes of ancient mythology and modern mythology (comics) – so I’ve always wanted to fight bad guys. My father worked for Digital, so I’ve been around computers since I could walk – and was fascinated by the early viruses. My 1st adult job was at Cabletron, a network company. I got a lot of foundational knowledge and value there, but one of our partners came in one day [Intellitactics] and gave us a “Security Primer”. I knew that day I had to get into Information Security full-time. I joined a start-up doing Behavioral Anti-Malware and was hooked. We were later acquired by ISS [Internet Security Systems] – which gave me more access and breadth. And they were later acquired by IBM where I helped drive the Cross-IBM Security Strategy and had exposure to just about every topic in the market.

Q: What is your educational background (e.g. formal schooling, certifications, self-learning, etc.) and did it add value to your information security career?

As an undergrad, I initially studied Micro/Marine Biology. I got kind of bored with it, but I was happy to be infused with the metaphors, models, and scientific methodologies. Any fan of Dan Geer knows how useful biology can be in the field of IT Security. I ultimately got my degree in Philosophy. I liked trying to solve insolvable problems. It was great practice for IT Security. Also, I knew that sound logic, analytical structure and writing skills would suit me for anything I tried to do.

Q: What did you want to be when you grew up? Would you rather be doing that?

I wanted to be a Marine Biologist and train dolphins. I love the sea – always have. Over time though, I wanted to write and direct films. Still do!

Q: What projects (if any) are you working on right now?

I could tell you, but I’d have to… Aside from a brand new job at The 451 Group, I do have 2 Security related initiatives cooking. One has to do with the supply side of vulnerabilities. Most of this market is focussed on the symptoms versus the underlying disease. We’re fighting the heads of the Hydra – not its heart. Another effort has to do with the good versus evil side of Security. Security is both a market – and a higher calling. Most do not realize the awesome responsibility that comes with Security. There are very bad people, doing very bad things. Too few of us recognize this – or are willing to rise to meet this sacred duty. What draws some of us to this problem space is somewhat akin to what draws people to be firemen, soldiers, EMTs, etc. E.g. Rich Mogull was an EMT. It is a space in need of Protectors. Some of us are drawn to this because we have a need to serve our fellow man.

Q: What is your favorite security conference (and why)?

Tough one… I’m growing sick of most of them. This space evolves so fast, but the conferences remind me how little we [collectively] are evolving. Of the bigger shows, I guess I dislike DefCon least of all. Some of these smaller shows are a lot more relevant. I really enjoyed webcasts I saw from SOURCE Boston, DojoCon, and BruCon. I’m super excited to do our PCI Debate at ShmooCon in January. I see PCI as a very serious threat to this space. Mike Dahn and Anton Chuvakin disagree. Hopefully we’ll break records for the sale of ShmooBalls.

Q: What do you like to do when you’re not “doing security”?

There’s life beyond security?!? [kidding]
I love movies. I love music. I love to cook. I especially love my 2 daughters. My personal time often involves 2 or more of these. Then there is also my lovely wife’s Honey-Do list… I had been playing Ice Hockey, but fell out recently due to too much travel. I miss it; I’m hoping my new job lets me get back into it.

Q: What area of information security would you say is your strongest? What about your weakest?

Hmmm. Good question. Tough question.

Strongest: I really feel like I’ve always grokked the Malware threat domain. But I’ve really moved beyond that. I feel like I’m strongest at pattern recognition. I’m able to see the tectonic plate movements and see where things are going. Most of my higher value contributions in the last few years are looking at the macro issues in the Security space. I don’t look at what people just did – I look at WHY they did it, and predict what is likely to happen next – with pretty good accuracy. I think we’ve got a complex [and highly sub-optimized] ecosystem, so I’ve been paying attention to the major forces that shape it – evolution in Threat, Compliance, Technology, Economics, and Business Priorities. When you see the patterns, you can predict what will happen next, what will work and what will not, and see how we’re failing overall – as well as figure out how to evolve to approach a better equilibrium.

Weakest: I’d have to say “Identity & Access Management”. In the grand scheme of things, I know it is super important. That said, I’ve always found it incredibly boring. I’m just being honest. Recently though, I’m starting to pay more attention to it – for at least 3 reasons: 1) As we embrace clouds, this space gets even more important. 2) I’m eager to see us combine disparate controls for greater security. E.g. WHO accessed WHICH data, via which APPLICATION, on which SERVER, etc. and 3) One of my analysts Steve Coplan has some real mastery and passion for the space, and together we’ve been seeing some of the roles it could play in the future. I mentioned cooking… as an individual ingredient, I’ve been bored by this space – but in the right soup, it plays a critical role.

Q: What do we, as a society, need to do in order to make information security more important?

Very good question.

I’d like to see more varied educational backgrounds enter our field. The most interesting angles I’ve seen often come from the people with atypical fields of study. The new thinkers bring us Economics, Psychology, Sociology, Communication skills, Biology models, Philosophy, etc. Security is far too focussed on technology. The People, Process, and Technology trinity put technology LAST. I think until we’ve embraced and involved people-at-large, we’ll be fighting uphill. I often refer to my mother-in-law in speeches. If my mother-in-law can get it – or carry a security mind-set or “ready stance”, we won’t have so hard a time getting some of our security agendas to make progress. That’s just an example.

In general, Security folks speak in security tech/elite terms. If you want to get executive support, you need to speak their language. If you want a more engaged and aligned government participation, meet them at their level. If you want to take a bite out of eCrime and attacks on the unwashed masses in the “leper colony” of our mother-in-laws’ PCs, we need to use pop culture and accessible means to raise their ThreatIQ – even 1%. The people who say End User education doesn’t work are usually vendors who want to sell technology or people who suck at educating/communicating. Lame, 10 year old, annually mandatory Flash training doesn’t work – correct. I’ve written about positive examples before – maybe I’m due for this topic again. Quick example though: My hairdresser told me how she saw a Facebook quiz asking 20 questions. She skimmed them and realized that many looked like the kind of personal data that her bank might ask her for security questions. She was so proud that she didn’t fall into answering it. I made her 1% more skeptical – but that’s where it starts. You were with Shackleford and I at SANS when I said he and I should do a series of YouTube videos for the masses… “You can learn a lot about Security from [fill in the blank] – e.g. a Zombie Uprising”. Social Engineering WORKS… how come only the bad guys use it? We have a lot of untapped room for progress if we can make a Stop, Drop, and Roll-like campaign for Internet Safety.

Q: You mention PCI quite a bit in Twitter. What is your feeling on its effectiveness? What needs to change?

Where do I start… I’ll try to be brief. I am very concerned over the unintended consequences and impacts Compliance is having on our space. This is a BIG issue – probably the most central issue in our entire industry. Compliance is the #1 driver of security in our space right now. We have come to fear the auditor more than the attacker. You and I know Compliance != Security. One can be compliant and far from secure. The issue is that the world has conflated the digital dozen of PCI DSS for credit card PII data with industry best practices for all security. People are spending on mandated security – and little else. It was meant to set the minimum starting line, but in a down economy and overly costly/complex market – it’s become the finish line. This is not the intent – but it is the result.

I’ve compared PCI to the No Child Left Behind Act for Security – and the analogy holds very well (rybolov prefers “No Merchant Left Behind”). As an industry, we need to be VERY careful and VERY deliberate about the role compliance should and shouldn’t play. Compliance cannot keep up with [or be an effective proxy for] the evolutions in threat or technology – not with 2 year cycles and minor changes. Jack Daniel put it well, “Security is 2+ years behind threats, and compliance is 2+ years behind security”. But this is just one issue with it. What’s good is we’ve started some ongoing Adult, Rational debates on this. There is a 2 part podcast debate with CSO and NetSecPodcast. We debated this at ShmooCon and there is a [controversial] video that will be posted soon [we hope]. We’re also doing another panel Wed March 3rd at Bsides San Francisco… maybe even DefCon! The Southern Fried Security Podcast interviewed me this week on this topic. I think it airs as a special episode this Saturday. The important thing is the rational discussion with people from diverse, informed perspectives. It’s advanced my thinking and theirs – we need to keep going. It affects our whole industry.

Q: I saw you launched “Rugged” and the Rugged Manifesto at www.ruggedsoftware.org. What is the goal?

Software is modern infrastructure. Unlike steel and concrete, this digital infrastructure is not nearly as reliable. We’ve done a decent job developing tools and frameworks and evolving how we respond to weak software… but we’ve really failed to reach the non-security community. Rugged is a meme – a contagious value set – aiming to make non-security folk understand and value Rugged Software. I was also a little sick of our industry saying developers are lazy – so not true. Developers are talented, professional problem solvers. We’ve done a poor job raising awareness, getting people to see why they should care about Rugged software. “Security” has not worked. Rugged is something non-security people are understanding. Programmers can want to be Rugged and write Rugged code. Buyers can demand Rugged Software, etc. We’ve had huge excitement thus far. Oh… and by the way… clearly security vendors stand to benefit from Rugged getting traction, as more people need help becoming Rugged. If all we do is get 1-5% more people to their 1st OWASP meeting – or first Top 10 list… this is how change starts. Last point, there are lots of critics in our space – so there have been some “haters” already. My response is… we all claim we want better security – and for more people to care about security. Is Rugged perfect? Heck no. Is there good intent – and possible promise in it? Yes. I’m asking people to latch onto the good. shrdlu and jjx put it well in their blog posts. It’s a baby meme and needs support – but it’s worth nurturing and pursuing. So decide if you want to help make it better – or tear it down. I’m hoping for the best in our community to be their best and add their influence in a positive direction.

Q: What advice can you give to people who want to get into the information security field?

Hmmm. You need to bring your “P’s” or don’t bother. We need Passionate, Principled, Purposeful Protectors (nod to Clint). This space is HARD, it is thankless, and it will suck the life out of you if you don’t “bring it”. We’re over our quotas for whiny, mopey, entrenched, sedentary defeatists. Lead, follow, or get out of the way. Also, you need to be able to thrive on change. In a space that changes CONSTANTLY, our current ranks are often incapable of changing. Yes, “change == risk”, but guess what folks… we’re surrounded by it. Do the Evolution! So we need fresh blood – and if you fit the bill, please join the ranks.

Q: What advice do you have for technical people who want to move into an analyst or researcher role?

I will say that we need fresh voices and people willing to dialogue and tackle the tougher, central issues. I think too often the Analyst community is simply reflecting the “Consensus of the Uninformed” or echoing what a vendor told them. So selfishly, I’d like people with intelligence and passion [who may not even like analysts] to consider joining the ranks.

In fact, I’m hiring – right now. I need someone who wants to help me cause the right kind of trouble in exactly the right and necessary spots.

Q: How can people get a hold of you (e.g. blog, twitter, etc.)

Twitter: @joshcorman
BLOG: http://cognitivedissidents.wordpress.com/
Email: jcorman@the451group.com
skype: joshcorman
AIM: joshcorman
LinkedIn: http://www.linkedin.com/pub/joshua-corman/2/840/5b0

Information Security D-List Interview: Erin Jacobs

Today’s interview is with Erin “SecBarbie” Jacobs. Arguably the “social butterfly” of the D-List, Erin can easily debate compliance issues, plan the night’s party schedule, and argue gender issues in the field with a perfect stranger, all while ensuring everyone is involved and having a good time. I hear she can also leap tall buildings in a single bound but she can’t outrun trains like she used to.

Q: Tell us a little about yourself.

I often play a little Jekyll and Hyde on the internet. By day I am a CSO in financial services and have played this role for over 9 years in two different organizations, and by internet I am a security evangelist, apple fangirl, and social butterfly. If you follow my tweets then you would also know that I have 2 dogs and 1 parrot, and I would have more but with my hectic travel, they are enough!

Q: How did you get interested in information security?

Geek from birth, been programming since I was 7, and running social bulletin boards since I was 13. When I was in High School, a group of us used to make a game of defacing each other’s BBSs’ ANSI pages. Fast forward through college, corporate software development, consulting, and IT Management and I ended up back in information security through a friend of mine. I was always just excited that there is actually a career track for doing what I used to do for fun.

Q: What is your educational background (e.g. formal schooling, certifications, self-learning, etc.) and did it add value to your information security career?

I have a Bachelor in Business Management with a minor in computer science, I have an alphabet soup of certs, and have relied heavily on self-learning. I feel the only thing that truly adds value is hands-on experience. Too many people have advanced degrees, multiple certifications, etc, but can’t DO information security. They just don’t have the grasp of the actual functionality of security initiatives. The best lessons are often learned in failure, and academia cannot teach those. I find value in education, but taught by those who have actually attended a classroom called life.

Unfortunately, unless you have the schooling and certifications, you won’t make it past HR in most organizations!

Q: What did you want to be when you grew up? Would you rather be doing that?

I want to be a princess…. I think I am, but I really wish I had that snazzy castle with the moat around it, and a fire-breathing dragon would be nice too!

Yes, I would rather be doing that, but who wouldn’t. In the meantime, I have plenty of jesters on Twitter to keep me amused!

Q: What projects (if any) are you working on right now?

More Gender Panel talks, Compliance on Paper talks, some cute hacking project that involves gym equipment…. and a few other this and thats.

Q: Do you see the gender issue as being a barrier in the information security space? Why or why not?

Gender is a problem in the information security space; there are statistics showing that there are very few women-owned tech and high-tech firms, and corporations such as Apple (Executive Management) don’t have a single woman in their management team. I don’t believe that this is because the men are scaring all the women away. I’m sure there is still some gender friction at times, but this is a bigger issue! As a whole, we are losing young women from entering the Information Security field. The gender panels are held to start to answer the question of what we can do. The panels are never about ‘men bashing’; they are about the cultivation of women in the information security space.

Q: You deal with compliance on a daily basis. Do you think we’re any closer to seeing “compliance” as something more than a check box or a risk avoidance technique?

Oh-boy! I have to reference Avatar in this. Compliance is the human race, and nature is security. The humans have no connection to nature, and neither does compliance to security.

Just because we can check things off a list doesn’t bring us any closer to being less insecure. Perhaps if they no longer allow the loophole of “In Scope” and “Out of Scope” the two concepts might make headway. I could go into a tirade on this, but to sum it up with:

We need to wipe the slate clean and start measuring actual risks to organizations based upon their line of business against known threats and making realistic compliance metrics based upon a solid framework.

Q: What is your favorite security conference (and why)?

Black Hat/Def Con – Sometimes this can be a stressful week, but it’s like a family reunion each year! The networking is great, talks are generally a lot of fun, very energetic, and I have always left with a great deal of new knowledge and less brain cells.

Q: What do you like to do when you’re not “doing security”?

I feel like I’m always ‘doing’ security, but when I am unplugged, I’m an avid motorcyclist, musician, amateur photographer, and social butterfly!

Q: What area of information security would you say is your strongest?

Social Media Information Leakage, Compliance, Management, and Regulatory Audit.

Q: What about your weakest?

Cryptography, it is on my list of side projects to learn how to decrypt more effectively, but I always bow to those who I know that are fantastic at the art of crypto!

Q: What advice can you give to people who want to get into the information security field?

NETWORK-NETWORK-NETWORK! The people you know are just as important as what you know! If you have a strong base of people with different expertise, you will have a vast resource of knowledge for when you need expert opinions! Also, never burn bridges in InfoSec, it’s entirely too small of a community!

Q: How can people get a hold of you (e.g. blog, twitter, etc.)

BLOG: www.secsocial.com
TWITTER: @SecBarbie


Information Security D-List Interview: Rob Fuller

The final interview of this week is with Rob “Mubix” Fuller. I first met Rob at RSA 2009 and we hung out the whole conference. Interviewing Rob was difficult as he doesn’t (and isn’t allowed to) talk much about his day job but I did manage to get some information out of him.

Q: Tell us a little about yourself.

I’m a United States Marine assigned to 1st Civ Div. I have an amazing family, I’m an extremely proud father and I love what I do for a living, not much more to tell.

Q: How did you get interested in information security?

You can find the long drawn out story of that on Episode 9 of the grmn00bs podcast, but it boils down to `init 6`, game genie hex editing, being an open relay for Korean spammers, and Hak5. http://www.grmn00bs.com/2009/12/16/podcast-episode-9-when-they-were-n00bs-with-rob-fullermubix.

Q: We see a lot of ex-military getting into private information security roles these days. In your opinion does a military lifestyle foster the learning required for a long term career in information security?

That’s a really tough question to answer. I think that it really depends on which country’s military you are talking about and which section/service/faction of that military the member is from. Everyone has different experience in the military. However, my personal experience in the United States Marine Corps definitely altered my battle mindset, and increased my strategic awareness.

Q: What is your educational background (e.g. formal schooling, certifications, self-learning, etc.) and did it add value to your information security career?

I don’t really have any certifications that I would like to mention, I think they are useless unless you are job hunting and I absolutely love my job. I would however like to scream great praises to muts and chris over at Offensive Security. The Pentesting with Backtrack (used to be OffSec 101) course was amazing. It sparked a fire in me that revitalized my thirst to learn that has been going strong for now almost two years after I took the course. When it comes to self-learning, I’m not really sure how to classify or answer that other than… yes.

Q: What did you want to be when you grew up? Would you rather be doing that?

A father. I was an odd kid, by the time I was a teenager I knew that I wanted a family, and that really was the only vision I had for my life. One might say that is thinking small or short sighted, but I pose to anyone who thinks that to ask any parent on the planet what their greatest accomplishment in their life is.

As far as job/career, I always knew I would be doing something with computers. I didn’t care what then because I knew that it would be constantly moving and growing. That is what really draws me to computers and more specifically security these days.

Q: What projects (if any) are you working on right now?

I’ve got one big project that I’ve been working on for a couple months now. I’m currently debating on how to release the details, but I have a ways to go before I have to decide anything. Some of the projects that I’ve done in the past include starting up a project called FireTalks, which is happening again at ShmooCon this year, along with the annual Podcasters Meetup. Grecs from NoVAInfoSecPortal.com will be running the FireTalks this year (http://www.novainfosecportal.com/2010/01/06/shmoocon-2010-firetalks/) and Tim Krabec from http://smbminute.com/ will be championing the Podcasters Meetup this year (http://www.podcastersmeetup.com/).

Q: What is your favorite security conference (and why)?

ShmooCon. I could name a number of reasons, but I think the brass tacks truth is that it was my first one. But to put it all in perspective, I’ve only really been to RSA, DefCon, Phreaknic, and ShmooCon.

Q: What do you like to do when you’re not “doing security”?

At the fault of @cktricky I’m currently addicted to Call of Duty: Modern Warfare 2 (Steam). But spending time with my family is always on the top of my list. Other than that I don’t really have any others.

Q: What area of information security would you say is your strongest?

I’d love to say Penetration Testing, Information Gathering, Reverse Engineering, or Exploit Development. However, a talent that I’ve always had outweighs all of those. Extraction. I can read or listen to something and extract what is important. To try and clarify, I’ve always been ‘the guy’ that knew what was going on, where things were, or how to do something. For example if you need a piece of software to do $function, I knew the best one to use, and the best way to get it.

However, this ‘feature’ is also a bug; it makes it extremely hard for me to read technical books since my mind will throw out what it doesn’t think is important (i.e. something that “will be explained in chapter X”). In other words, I have to understand every word or I can’t go past it. I only recently found that reading backwards (sort of, chapter count backwards, 12, 11, … 1) works for me.

Q: What about your weakest?

Hands down it’s Cryptography and Exploit Development. Higher math kills me. Chris Eng has been a huge help there, with his presentation on Cryptography for Penetration Testers (http://video.google.com/videoplay?docid=-5187022592682372937#). But I am still extremely far off from comprehending anything but the basics. Exploit Development is my current field of study, but each day of study I realize how very little I know.

Q: What advice can you give to people who want to get into the information security field?

First and foremost, check out Dave Shackleford’s post titled: One for the n00bs over at http://daveshackleford.com/?p=277. He’s pretty much said everything I would say. But I would like to drive home the point that since security is still so new, you have an uphill battle to get people to adopt “security”. Just last year, my time deploying VMware data centers came in extremely useful when a client wanted to dispute some findings in a Vulnerability Assessment. However cliché it is to say, security _professionals_ are required to be jacks of all trades. Basically at a minimum, par experts in every piece of gear in their purview. So getting back to the point, get the experience, and security will just kinda… happen.

Q: Our industry has a lot of people who tend to “grandstand” for the press and peers. Can you offer any advice on how to avoid falling into this mindset?

Nope, I think the people who would fall into that mindset need to learn the hard way, myself included.

Q: How can people get a hold of you (e.g. blog, twitter, etc.)

Twitter at @mubix, my site Room362.com which I share with a few folks now (always looking for help on a permanent or guest basis), mubix@hak5.org and (503)-406-8249.

As a special part of this interview I’m going to post the following picture. For those of you who know Rob you can ask him about the meaning at Shmoocon this weekend.
