Posted December 9th, 2010 by rybolov
Nope, we’re not going to talk about ego trips, hidden agendas, or complete irresponsible transparency. This blog post is about some of the fallout inside the Government security teams.
The powers that be would like to remind you that downloading classified documents off the Intertubez does not make them unclassified. An anonymous source that I talked to last week gave me the info that they were busy tracking their users’ browsing behaviors so that if you (the hypothetical you) went to WikiLeaks and downloaded a classified document, the InfoSec goon squad would show up outside your cubicle to shred your hard drive because you had just been responsible for a classified spillage–ie, your unclassified desktop now has classified material on it and as per procedure the only way to deal with the situation is to overwrite your hard drive and reimage it. I have a couple thoughts about this:
- Where were the InfoSec goons when their users were getting drive-by malware from questionable sites?
- If it’s on TV, it’s not a “secret” anymore.
- Don’t our InfoSec teams have something better they can spend their time doing other than being the WikiLeaks monitor?
And then there’s the Ambulance Chasing Department. According to a different anonymous source, the vendors have descended upon the State Department hawking their security solutions, including this gem of a webinar. Not quite sure what the webinar is on, except that they’re targeting you to sell something.
From: Prism Microsystems
Sent: Wednesday, December 01, 2010 10:01 AM
Subject: Webinar: Prevent “WikiLeaks-type” Data Loss
Webinar: How to Prevent “WikiLeaks-type” Data Loss in Government Networks
Following the most recent publication of classified documents by WikiLeaks, government agencies are reviewing current provisions for protecting classified and top secret data – they are also researching best practices and alternative methods to monitor, prevent, and document data loss.
Attend this webinar to learn:
- how the leaks happened
- telltale signs of a leak
- what you can do to prevent them
Leak picture by jillallyn.
Posted in Rants | 4 Comments »
Tags: government • infosec • pwnage • security
Posted November 22nd, 2010 by rybolov
There has been a fun evolution at hacker conference for the past couple of years: the inclusion of hackerspaces. Hackerspaces fit nicely into the hacker ethos. But I’ve also heard grumblings via the tubes about the relevance of projects that they bring to hacker conferences, something along the lines of “Why has every security conference turned into a Maker Faire” (TM OReilly or somebody like that). The behind-the-scenes info is that each hackerspace has their own feel and what kind of projects they’re “into” and you get what the local hackerspace brings. While I consider hackerspaces booths at security cons to be pretty awesome, I have some suggestions for steering things back on track.
Things I would like to see in a petting zoo (yes, an “Evil Petting Zoo” and this is by no means an exhaustive list):
- RFID widgets and software
- Mag stripe readers
- Barcode readers/writers (Duh, I can help out here)
- Wifi stupid pet tricks
- WRT Routers
- Smartcards and readers/writers
- Single-board/mini computers
Of course, if you’re into any of these and have the hardware, software, or know-how, there is nothing keeping you from teaming up with hackerspaces at conferences and bringing some of your toys. Sharing is caring, y’alls. =)
Posted in Hack the Planet, Rants, Technical | 1 Comment »
Posted November 22nd, 2010 by rybolov
Considering that it’s a secondary source and therefore subject to being corrected later in an official announcement, but this is pretty big. Requiring the Departments and Agencies to consider cloud solutions both scares me (security, governance, and a multitude of other things about rushing into mandated solutions) and excites me (now cloud solutions are formally accepted as viable).
However, before you run around either proclaiming that “this is the death of serverhuggers” or “the end is nigh, all is lost” or even “I for one welcome our fluffy white overlords”, please consider the following:
- A “secure, reliable, cost-effective cloud option” is a very loaded statement very open to interpretation
- They already have to consider open source solutions
- They already have to consider in-sourcing
- They already have to consider outsourcing
- “Cloud” more often than not includes private clouds or community clouds
- Isn’t this just another way to say “quit reinventing the wheel”?
- Some Government cloud initiatives are actually IT modernization initiatives riding the bandwagon-du-jour
- Switching from Boeing, Northrup, and SAIC beltway bandit overlords to Google, Amazon, and SalesForce cloud overlords still mean that you have overlords
Posted in Outsourcing, Rants | 2 Comments »
Tags: cashcows • cloud • cloudcomputing • fedramp • google • government • itsatrap • management • moneymoneymoney • scalability
Posted November 2nd, 2010 by rybolov
Catching you up here with some of the Gov 2.0 kids. Steve Radick wrote an interesting blog post about Government 2.0. And I’m thinking “damn, right on!” Now don’t get me wrong here, sometimes I’m critical of the Gov 2.0 crowd because it seems like about half the time they’re throwing technology and data at people seeing what will stick instead of asking the non-IT program managers what information they need to have to do their job right. But in this case, Steve’s blog post does have relevancy for Government IT security folks.
At this point, you’re probably thinking “But Mr Rybolov, how the heck does this relate to IT security and the Government?” and you’re definitely right to ask. Well, way back in the halcyon days of last year, I came to a realization that tactical and technical security solutions come from the bottom and that compliance and regulation come from the top. I even built a model about it. One of the implied problem areas is that if your management model goes “top-down”, then it gets filtered through bureaucracy.
I was at an AFCEA awards banquet trying to pretend that I wasn’t really a reformed infantryman (think “professional troll”) when Roger Baker gave an awesome talk about “practicing random acts of defiance of the bureaucracy”. I think there’s a bit of genius in that statement. It’s one of the reasons why I blog: as a regular Joe not in the Government, I’m reasonably free to talk about the successes and failures of my friends in the Government where they can’t.
Hence my grand unified theory on life, the universe, and everything else: the InfoSec career field is a lot more like soccer or law enforcement than football and the court system–sometimes we depend on the most junior people who are operating semi-autonomously within their assigned sector. But my point (I know, you’re wondering when I’ll get there) to this whole post is that if we’re going to have a decentralized industry, we also bear the responsibility to train our folks to operate independently and to have the skillset to be well-rounded enough to work in a wide variety of situations.
Posted in Rants | 2 Comments »
Tags: compliance • government • infosec • management • security
Posted September 29th, 2010 by rybolov
Ah yes, I’ve explained this about a hundred times this week (at that thing that I can’t blog about, but @McKeay @MikD and @Sawaba were there so fill in the gaps), thought I should get this down somewhere.
the 3 factors that determine how much money you will make (or lose) in a consulting practice:
- Bill Rate: how much do you charge your customers. This is pretty familiar to most folks.
- Utilization: what percentage of your employees’ time is spent being billable. The trick here is if you can get them to work 50 hours/week because then they’re at 125% utilization and suspiciously close to “uncompensated overtime”, a concept I’ll maybe explain in the future.
- Leverage: the ratio of bosses to worker bees. More experienced people are more expensive to have as employees. Usually a company loses money on these folks because the bill rate is less than what they are paid. Conversely, the biggest margin is on work done by junior folks. A highly leveraged ratio is 1:25, a lowly leveraged ratio is 1:5 or even less.
Site Assessment photo by punkin3.14.
And then we have the security assessments business and security consulting in general. Let’s face it, security assessments are a commodity market. What this means is that since most competitors in the assessment space charge the same amount (or at least relatively close to each other), this means some things about the profitability of an assessment engagement:
- Assuming a Firm Fixed Price for the engagement, the Effective Bill Rate is inversely proportionate to the amount of hours you spend on the project. IE, $30K/60 hours=$500/hour and 30K/240 hours = $125/hour. I know this is a shocker, but the less amount of time you spend on an assessment, the bigger your margin but you would also expect the quality to suffer.
- Highly leveraged engagements let you keep margin but over time the quality suffers. 1:25 is incredibly lousy for quality but awesome for profit. If you start looking at security assessment teams, they’re usually 1:4 or 1:5 which means that the assessment vendor is getting squeezed on margin.
- Keeping your people engaged as much as possible gives you that extra bit of margin. Of course, if they’re spending 100% of their time on the road, they’ll get burned out really quickly. This is not good for both staff longevity (and subsequent recruiting costs) and for work quality.
Now for the questions that this raises for me:
- Is there a 2-tier market where there are ninjas (expensive, high quality) and farmers (commodity prices, OK quality)?
- How do we keep audit/assessment quality up despite economic pressure? IE, how do we create the conditions where the ninja business model is viable?
- Are we putting too much trust in our auditors/assessors for what we can reasonably expect them to perform successfully?
- How can any information security framework focused solely on audit/assessment survive past 5 years? (5-10 years is the SWAG time on how long it takes a technology to go from “nobody’s done this before” to “we have a tool to automate most of it”)
- What’s the alternative?
Posted in Rants, What Doesn't Work | 3 Comments »
Tags: accreditation • auditor • C&A • cashcows • certification • compliance • economics • fisma • government • infosec • management • moneymoneymoney • pci-dss • publicpolicy • security
Posted August 17th, 2010 by rybolov
Reference: Thought-Terminating Cliches. They’re such a ugly things and all over the security industry and need to die, mostly because these things are so obvious that they need to die so we can introduce new ideas.
Just starting a collection, feel free to add more:
- Compliant doesn’t mean secure.
- You can always go above the minimum baseline.
- You don’t know what you don’t know.
- Security is a journey, not a destination.
- We all know that $Foo is dying/dead/failing/stillborn.
- There is no silver bullet.
- It’s security, it’s supposed to be hard.
Posted in Rants | 7 Comments »
Tags: infosec • management • security