#InfoSec: Homer Simpson or George Washington?

Take your pick of great strategic thinkers: George Washington, Carl
von Clausewitz, Garry Kasparov, Lord Nelson, Napoleon Bonaparte, Sun
Tzu, Herman Kahn, etc. Now, sit them at a table and have them look
over reams of InfoSec incident responses. Assuming you've accomplished
this time and culture travel, they'll already be well familiar with
Homer Simpson and, if we're lucky, they'll compare us favorably to
Homer's professional accomplishments.

Mmmm… more blinky lights…

I find it’s useful to consider three contemporary fields in particular
when pondering InfoSec strategies and our future: Defense, Economics,
and Healthcare. And all three fields have grasped nonlinear
preventative and swarm tactics in a way InfoSec would be wise to
consider. And, like InfoSec, all three also have their snake oil
salesmen and demons to satiate.

Recently Meredith Patterson (@maradydd) tweeted about an opinion piece
in The New York Times (1) on Healthcare:

“If high touch medicine offers additional monitoring and services, how
can it save money? Arnold Milstein, now a Stanford professor,
identified physician groups that were above average in quality but
treated patients for 15 to 20 percent less money than average.

How did they do it? By preventing emergency room visits and subsequent
hospitalizations.”

I'd argue this approach is missing almost entirely from Enterprise
Security plans. Conceptually everybody talks about preventative care
(e.g. configuration/patch management, security life-cycles) and rapid
incident response. However, we discharge the patient as soon as
possible with a new gizmo hanging somewhere and pat ourselves on the
back, only to be revisited by misery a short time later and do the
InfoSec triage all over again.

Organizations need to invest in strategic long-term care of their
assets. Every response should be pervasive and prompt a re-examination
of existing architectures, controls, training, etc. Don't scoff; it's
really not that difficult. Your team has likely considered every
nuance in their minds more than once. Actually addressing them isn't
as intensive each subsequent time. And, like the study (2) The New
York Times opinion piece covered, you're going to see cost savings
and quality improvement across your Enterprise.

When I broach this topic I usually get a range of responses, but they
all circle one issue: nobody cares about the long term because they
won't be there. That's not frequently true; it simply can't be,
because professionals need to have an accomplished and tangible record
to move on in the first place, and usually a significant body of work
to progress their career. Such a body of comprehensive and responsible
work, as I suggest above, would produce more data and metrics. It also
gives your colleagues and team more confidence in your leadership
abilities, and in the respect you have for their body of work. There is
nothing an InfoSec professional hates more than to see their hard work
squandered.

Do you want your team to look at you as a Homer Simpson or a Lord Nelson?

(1) http://opinionator.blogs.nytimes.com/2011/11/16/saving-by-the-bundle/
(2) http://content.healthaffairs.org/content/28/5/1317.abstract

Homer Simpson is awesome and is © 20th Century Fox

The Tin-foil Turban: The CIA & Hezbollah

The news today is that Hezbollah's June claims of uncovering numerous CIA
agents in their ranks, Lebanon, Libya, Iran, Syria, etc. are being
confirmed by "unnamed" sources among some half-named sources. This
is making plenty of news in the US today, but what of Iran? Why didn't
Iran capitalize on this more in June and since? Basically because Iran
doesn't think this was a significant victory, if a victory at all.

It would seem at least some Iranians believe the US used "idiots"
intentionally to take Hezbollah and others off of the "true"
operational pathways. This is somewhat curious to me because it really
attributes a degree of strategic forethought to the US leadership. At
the same time many of these same people have berated the US for the
levels of stupidity in not understanding the Egyptian Spring, Afghani
tribal politics, or Iraq. Had anybody in this circle been tied to say,
a captured American "hiker", then it would have been a completely
different (and victorious) story. While I read and listened to the
back-and-forth in this particular chatroom two things occurred to me:

- Iranian armchair geopoliticians have their conspiracies
diametrically opposed to one another

- The Iranian "grip" on the Internet and media is more effective than I thought

It's the latter point that was more bothersome to me. Indeed it does
appear that many people inside of Iran who were familiar with tools
like Tor actually do believe, and repeat emphatically, that various
sources of software inside of Iran include countermeasures and
poisoned versions of various anonymity and anti-censorship tools. This
had come up on one of the Tor lists fairly recently and, when pressed
for samples or details, nothing came of it. I also dismissed it. Now
I'm seeing/hearing it from people that should know better and again,
when pressed, they are afraid to get involved or provide evidence. And
yet simultaneously they had a degree of faith in this video/voice/text
chatroom? However, this time I'm having a harder time dismissing the
initial claim entirely.

Anyhow, random rambling musings of the evening. Cheers, -Ali

Adventures in #Movember and #Racism

Anybody who knows me also knows that I have ridiculously thick and
fast growing facial hair. I've kept it a manageable goatee for most of
my life but every November I participate in Movember events. This year
I tried a different style of facial hair known as either "The Mexican"
or "Fu Manchu".

http://lockerz.com/s/155222904

My first mention of this was online via Twitter and the response was
mild and supportive. And that ended the positive reception. In the few
days since, I've lost count of how many "friends" and professionals
have commented that I look "Mexican" and I should get rid of it. More
than once I was told it's "unprofessional" and, again, "it looks
Mexican".

So I decided to ask somebody I trust from a Fortune 100 company if
this facial hair would really be a deciding factor for a position. An
excerpt of the conversation quoted to the best of my memory a few
hours later:

Him: "Yeah, of course, it looks low-class and hoodlum."

Me: "Are you talking customer-facing or just generally?"

Him: "It doesn't matter, it wouldn't go over well with
upper-management. I just wouldn't hire the person."

Me: "Even me?"

Him: "*pause* Well, I guess not, I know you though. That's not a good
comparison."

I'm honestly more than a bit taken aback. I get dressing
professionally and being clean. I understand pretty people do better.
If this happens to a professional man for facial hair that wasn't, in
my opinion, unusual, then what the heck do women go through?!
*boggles* -Ali

#SecBiz -- Who will be InfoSec's Pariah?

More so in the past three months than I remember at any time since the
'great cryptography wars' of the 90s, InfoSec has become overrun with
Fear, Uncertainty, and Doubt (FUD). Marketing pitches have somehow
moved beyond guarantees of protection against APTs straight into
Dragon Tear Mace. We're on the verge of bottoming out and
reconstructing our collective industry souls. The next three years
will be exciting times for our industry.

And the first major breakthrough will be finding our pariahs.

Every major movement has a pariah moment that, whether remembered or
not, changes the approach of The People radically and quickly. In
environmental activism it came from Bjorn Lomborg ("The Skeptical
Environmentalist") and in military projection/geopolitics it came from
Thomas P.M. Barnett ("The Pentagon's New Map"). You can endlessly
debate the staying power and nuances of the messages, but the bottom
line is that the ~way~ people thought about problems changed
significantly w/ Lomborg and Barnett.

You may not remember it well, but take a good look through Google News,
LexisNexis, and Factiva. You'll notice the same, roughly, three-year
cycle whereby a small vocal group of "thought leaders" responded that
Lomborg and Barnett were idiots, naive, or liars. Then it slowly crept
into The Economist, NY Times, WSJ, etc. And finally, while
simultaneously dismissing their contributions, people started sounding
more and more like Lomborg and Barnett. In Lomborg's case it went so
far as institutional character assassination, later rebuked/reversed by
larger Government investigations.

I think it is beneficial to concentrate on Lomborg for the moment. In
particular these three books which he wrote or edited:

The Skeptical Environmentalist (2001)
Solutions to the World's Biggest Problems (2007)
Global Crises, Global Solutions (2009)

Specifics on each book's details or proposed solutions are not the key
takeaway. The key takeaway was that Lomborg and contributing authors
proposed using resource and fiscal economics balanced against
measurable metrics of human well-being as the basis for ~all~ big
decisions.

OK, so a bunch of you are going: "I do that! This is old news! Pfft,
tell me something I don't know!"

Yeah, you're probably right. I'd wager most of my Twitter friends
actually think similarly to this already. And have for quite some
time. However, the InfoSec Industry as a whole does not. And we need a
voice or a few voices to totally shatter the "thought leaders" of
yesterday. Of today even. Who decided who these so-called thought
leaders are? Where was this committee convened? Consider for a moment
that encryption, courtesy of Bruce Schneier, is still quite frequently
considered the end-all of security. It's been nearly two decades since
"Applied Cryptography" and even Schneier can't shake this Ghost of
Security.

Here is the good news… great news actually. Lomborg and Barnett had to
come from the proverbial left field to make their impact. Our change
is evolving internally due to a pervasive awareness of bigger issues
(e.g. environmentalism and geopolitics) by practitioners in InfoSec.
Our pariahs are already in place but not well recognized outside of
our community. (I'm going to avoid naming names, unless asked
directly, simply because it'd be unfair of me to singularly nominate
some people.)

So here is what I'm proposing:

Take the community models that have driven InfoSec's greatest changes
of the past decade, in particular a fairly new entry into the
community, PTES (Penetration Testing Execution Standard), and base an
outreach program on that model. An informal to semi-formalized
committee, peer-reviewing an open Wiki that publishes InfoSec practice
ideals. Things that can translate to Congressional Hearings, DoD
Acquisition Guidelines, Insurance Riders, Mainstream Media, etc. etc.
Explicitly not built upon an existing certification or standards
group. Not ISC, not Jericho, not SANS, nobody. Something more organic
and peer driven.

A group like this can take public perception and discussion in a
better direction than either Anti-virus or new-fangled Anti-Dragon
Tear's APT Conan Swords. A group like this can hold enough weight to
temper the FUD of a few whoring repetitive messages in the press. CNN,
Christian Science Monitor, Fox, etc. need a more balanced message? We
got it. Congress needs more reasonable perspective? We got it.

Yes? Can't this be done in a community driven, organic, and
professional way? I do indeed believe so!

So who wants to put their name in the hat as a prospective Pariah? It'll
be the most fulfilling skewering you ever get. -Ali

#BSides around Tampa/St. Pete.. #BSidesTampaBay or #BSidesBeerSides??

Just thinking out loud; I have not contacted the BSides people (as
required) per their very clear and helpful instructions. It came up
today because a group I've worked with was offering up conference
space and telling me stories of small-ish conferences they host w/
Busch Gardens trips on the side. And immediately #BSidesBeerSides
imprinted on my brain. However, I can think of many places better than
Busch Gardens to take speakers and attendees, but having that family
friendly option is always good. Rambling, -Ali

Hrmm. Lets say #OpCartel was a bad hoax. Still.... err.. this can't be good..

A lot of people reacted the same way when the news came out that Los
Zetas had (unknowingly?) released the Anonymous captive they had, then
actually knew they had, and Anonymous (again) called off #OpCartel.
Which might be on again.

You'd be forgiven for getting mixed up and I'm confident I still am.
Oh yeah, so a lot of people went..... Say what?! Los Zetas released
somebody alive?!

(UPDATE: Meanwhile The Grey Lady updates their coverage at
http://www.nytimes.com/2011/11/05/world/americas/in-mexico-facts-blur-as-onli...
..)

So I decided to do some digging because some discussions on IRC
indicated Los Zetas actually has released prisoners in the past and
participated in swaps. However, I can find nothing to corroborate this
in the tsunami of Los Zetas news. Quite simply, the only people being
released by Los Zetas alive seem to be the upwards of three hundred
prisoners broken out of Mexican prisons w/ the help (alleged) of Los
Zetas. In news between 2008 and mid-2011, and looking across multiple
cartels and operations across Latin America, there seems to be no
reason to believe Gulf, Sinaloa, La Familia, New Republic, Beltran
Leyva, etc. (much less Los Zetas) made a habit of releasing much of
anybody alive. There does appear to be affiliated kidnap and ransom
releases further down into South America but I'm not seeing much tied
to the numerous Mexican drug cartels.

So here is my thought now... is this a lose-lose-lose for Anonymous
regardless? Even if they release nothing and back off #OpCartel
completely the coverage of this issue has been insane.

If you go to news.google.com and select "past hour" you'll notice the
Spanish language sources alone were in the 600 to 1200 range. A majority
of that is syndicated distribution of sorts but regardless, it's a
huge amount of very loud coverage. The question becomes, when it comes
to drug cartels, is there no such thing as bad press? And as this is a
compelling storyline for many, does Los Zetas have something to gain
by continuing it in a traditional fashion w/ Anonymous?

What I'm saying is... I'm not sure Anonymous and Barrett Brown can
just walk away from #OpCartel even if they want to. They might be
done-and-done but Los Zetas sets the rules and the pace in this
engagement.

I have said elsewhere and before that organizations like Los Zetas
operate more like Nation States in African war-torn regions than
anything most are familiar with. That's my longtime perception
although I won't claim any expertise. The thing about that is though,
you don't touch Nation States unless you're one. It's part of the club
rules. You can kick and scream and moan (e.g. WikiLeaks) but you just
don't touch.

I think this story gets a lot louder before it goes away. Cheers, -Ali

#EntSec pt. II -- Accepting Exceptional Mediocrity

In the opening barrage
(https://www.infosecisland.com/blogview/17677-EntSec-Not-Business-Relevant.html),
I suggested the greatest sin of security professionals is not using
their skills to produce better product for the Enterprise, both
internal and customer-deliverable product. My second point, and the
topic of this post, was stated as "Security needs to provide product,
service, and visibility to the core business" and in retrospect that
was possibly the worst way of saying "Security needs to be a selling
point for all products and services."

Now that we've decided we're going to engage our skill set through
side-channels to help our Enterprise deliver better product, increase
our business relevance, and integrate ourselves into the development
lifecycle, we're going to ~market~ our new-found Enterprise Religion to
the outside world. Marketing and Engineering won't like this, I can
almost promise that. However, when those same exact people are
customers elsewhere they fall prey to market-speak about security like
the infamous 'Military-grade encryption' gambit. So it's time we take
back our own marketing and talk about security and privacy as we
expect our own family members and professional counterparts to
practice it.

I don't know a better way of expressing this than through hypothetical
examples...

Let's say you're Zerocks and rolling out a new multi-function
copier/printer/fax/bagel toaster. Don't be afraid to talk about how
you've integrated security into the development lifecycle. Right on
the one/two page PDF, put information on where they can find out about
your privacy policy for support, your security contacts for reports
and questions, and your downloads for security errata. Just like the total
page lifecycle and failure rates are stated, make sure your security
message and availability are provided. You work 24/7, monitor your
email, stay up hoping not to see your company name on Pastebin: let
them know exactly how hard you work for their security. Everyone is
going to suffer escapes, and just like technical incident response,
it's how you communicate and make yourself available to customers that
defines how they'll react to you in the future.

Now you've moved on to Jawbohn and you've created a new-fangled
bluetooth enabled health recording device. What's the security model?
How do you wipe the device? Is your on-line portal for syncing to say,
Nyke, tested regularly for vulnerabilities? All of this needs to be
clearly documented, turned into standard work, and integrated into the
marketing and support workflows across the Enterprise.

Insist on it. Insist.

I'd go so far as saying if you're interviewing for new employment, talk
about these ideas and see how receptive a new employer is to raising
the visibility of their Enterprise Security department.

If you get pushback, approach it from the same perspective that
Engineers would for an Industrial product. Have you increased fuel
efficiency? Interval between regular maintenance? Etc.

In reality you've done exactly those types of improvements through your
integrated security lifecycle and participation discussed in the prior
post. Start, with humility, to take credit for it and communicate it
pervasively. This stuff matters to customers, it really does. Now, I
know that Sony and others have seemingly gotten away with massive
escapes, but that tide has shifted. It may not have been reflected in stock
prices yet, but if you wait until it is, you've waited too long. It
can be a competitive advantage now and, in particular, with the key
tech and privacy savvy influencers of families, Universities, and
classmates. Respect for a brand can carry with someone through decades.
It's my belief that if you influence through Enterprise Security
you will attract a better breed of customer and customer loyalty. This
is a worthy selling point and worth marketing. And you still don't
have to shave or put on shoes to do it.

We need a bigger piece of the proverbial pie, we simply must have it
(1), and I hope you agree that my rambling musings can help you slowly
get a bigger cut for your Enterprise Security department.

Cheers, -Ali
(1) Daniel Geer and Peter Kuper:
http://geer.tinho.net/ieee/ieee.sp.geer.1109.pdf