The Security Beard: 2016

Tuesday, November 29, 2016

AWS re:Invent - Day 1...

Greetings from Las Vegas! Today is the official start of the AWS re:Invent 2016 conference, and it is already off to a great start.

30,000 attendees are expected to gather at the Venetian and Sands Expo center for 3 days of all things AWS cloud.

Cryptzone has a huge presence at the conference, with over a dozen people attending, including most of the executive team. We are in booth 1918 on the show floor, so stop by and say hello. I will personally be there for quite a bit of the show, or out roaming the floor. If you are looking for me, check there first, and if I am not there, the guys at the booth will be able to find me.

If you are at the conference, and looking for a solution for pretty much anything that is cloud related, this is the place to be. There are hundreds of exhibitors, representing the best in class that AWS has to offer.

This conference is also one of those that brings out the world’s experts at AWS and cloud computing. Some may seem a little scary, but I promise, they are the absolute best at what they do and are here to figure out better ways to help solve your cloud challenges. Don’t be afraid of chatting with them before a session or at one of the meals.

I don’t intend on writing a huge blog every day, but I will share some of the things I find particularly interesting as the show continues. You can also follow me on Twitter - @CloudSecChris – where I will be giving almost constant updates.

Stay tuned!

Monday, November 28, 2016

Cyber Monday Shopping Security Tips...

This blog originally appeared on the Cryptzone blog site. You can find the original here.

Cyber Monday will be the largest online shopping day in history according to a recent Adobe Digital Insights report. Thanksgiving Day will show the fastest growth, reaching $2 billion in online sales (15% YoY growth), Black Friday will reach $3.05 billion (11.3% YoY growth), and Cyber Monday will hit $3.36 billion in online sales (9.4% YoY growth).

Guess what? The bad guys also know that you want to spend money online, and Cyber Monday is a big day for them as well. While Cryptzone is not going to directly protect you from credit card fraud, as a security company, we believe in sharing tips and tricks to make everyone more secure, especially during this holiday season. Here are a few tips to consider before you order the latest video game or electronic device online today or this holiday season:

Always choose a reputable site. There are soooooo many great e-commerce sites available to choose from. Chances are that you may have ordered from one before. Stick to sites that you know or have done business with previously. Many “brick and mortar” companies have websites offering great deals as well.

If it sounds too good to be true, it probably is. If you decide to travel off the beaten path to find that epic deal, you may not be getting what you want. Worse, you may not get anything at all. Make certain to do a little research about the product and the company that you are buying from before passing along your credit card information.

Beware email and text messages. There are lots of scams this time of year from bad guys supposedly coming from reputable retailers asking you to verify or update your personal information. Be very cautious clicking on links that ask you to enter additional information. It is always a good idea to manually go to a website directly, or, better yet, call the retailer, if you need to update your personal information.

Use a credit card with fraud protection. Check with your credit card company about their fraud protection policies. Most credit cards have some level of protection associated with them, but it is better to know exactly what those limits are. Also, if possible, use a credit card instead of a debit card to make online purchases. Generally speaking, a credit card will offer you greater protection and security, while your bank’s debit card will impound your funds while they conduct a fraud investigation.

We hope you have a wonderful holiday season, and remember to be safe and smart with your celebrations and purchases!

Wednesday, November 23, 2016

Geek's Guide to Things to See At AWS re:Invent 2016

NOTE: I have received ZERO compensation for any of the businesses listed here, nor are they “officially” recommended by anyone else besides myself. Also, I originally wrote a very similar blog for another conference earlier this year. But the recommendations are still very valid, and worth sharing again.

I know that you are likely at AWS re:Invent next week, and it is about time to finalize your conference schedule and what to do when you are not at the conference (when you are not visiting the Cryptzone booth, of course!). If you are looking for something apart from computers and conferences to do, Vegas has it all. You can always look to the free “What to Do In Las Vegas” magazines for shows and other attractions, but I thought I would recommend a few things off the beaten path and more tailored to the crowd that will be attending the re:Invent conference – things that don’t require taking out a second mortgage or testing your luck with a one armed bandit.

Obligatory Free Stuff: Fountains, Gardens, Water Shows, and Volcanos.

The Strip can overwhelm the senses – from lights to smells to sounds. And the casinos have to pull you in somehow, so many offer free shows and attractions that are worth seeing. If you make your way down to the Bellagio, the Dancing Fountains are a Vegas “must see” attraction. While you are there, my wonderful wife would have me tell you to pop in and visit the Bellagio Conservatory, which rotates several times a year with the seasons. Next to the Venetian is the Wynn Las Vegas, and behind that man-made mountain of pine trees is actually a pretty cool water show at the Lake of Dreams. Lastly, across the Strip at the Mirage, the Volcano erupts several times every evening, usually on the hour. While not quite Yellowstone, it doesn’t have the sulfur smell that you have to put up with to see the real thing…

Get Your Geek On: The Toy Shack and Antiquities
http://lasvegastoyshack.com/
http://www.antiquitieslv.com/

If you make your way to Downtown Las Vegas (the Deuce bus picks up right in front of the Venetian, and I think it is $8 for a 24 hour pass), make certain to check out the Toy Shack. They specialize in sci-fi and vintage toys, especially from the 80s. Very cool Star Wars and GI Joe selection. But bring $$$.You will need it. A little closer to the Venetian at the Caesar’s Forum Shops is Antiquities. They have an awesome selection of exclusive memorabilia such as signed movie posters, but also have a good selection of loose action figures in the back of the store.

Serious Reading: Bauman Rare Books
https://www.baumanrarebooks.com/

On the second floor of the Palazzo shopping mall is my favorite store / museum in all of Las Vegas: Bauman Rare Books. This is not Barnes and Noble. This is where you come to find that signed first edition or extremely rare copy. They also have one-of-a-kind historical artifacts (I don’t know what else to call them) for sale – they had an original copy of the Declaration of Independence for sale there at one point, and currently have a copy of the Nuremburg Chronicles on display (printed in 1493). If you hit it big (and I mean real big) on the tables or slots, you might be able to afford something from this store. But it is free to have a look, and Rebecca Romney (store manager) will be happy to show you around.

Pinball Wizard: The Pinball Hall of Fame and Museum
http://www.pinballmuseum.org/

I have no idea why this place doesn’t receive more exposure, but the Pinball Hall of Fame (PHoF) is maybe one of the coolest things in Las Vegas. They have over 150 playable pinball games – all in one place! Entrance to the PHoF is free, and all of the proceeds from the game play go to charity. Even if you are not a Pinball Wizard, this place is worth a look. It is a little ways from the conference, but the website has a decent map and bus routes.

Old School Vegas: The Neon Museum and Fremont Street Experience
http://www.neonmuseum.org/

Make your way back to Downtown Las Vegas in the evening – the table game minimums are much more reasonable and the slots are far looser (if that is your thing). The canopy that hangs over Fremont Street downtown is part of the Fremont Street Experience – a 5-8 minute show that starts on the hour after dark, and synchronizes to really good music. Worth seeing if you never have. While you are down there, a block off of Fremont Street is the Neon Museum. This is the place all the old casino neon signage comes to rest, and it is especially cool at night when it’s all lit up.

I hope these suggestions help you journey out on the town. There are sooooo many more things to do in Vegas that I didn’t have space to list - look me up at the Cryptzone booth (Booth #1918) while you are at the conference and we can compare notes!

See ya there!

Tuesday, November 22, 2016

Geek's Guide to Where to Eat While At AWS re:Invent 2016

(no url… it’s a secret)

Yeah, not so much anymore, as it is sooooo good. Secret Pizza is in the Cosmopolitan Casino and Resort, a few block south of the conference. They are known to have some of the all-time best pizza anywhere, so maybe it is worth the visit. To find it, go up to the restaurant floor (third floor). At the left of the Jaleo restaurant, there is a narrow hallway with album covers lining the wall. Go down this hallway to the pizza place.

Best Spot for Breakfast: Hash House A Go Go
http://www.hashhouseagogo.com/

I am not really certain how best to describe the Hash House. The food there is incredible, and the quantities are huge. If you are a “breakfast is the most important meal of the day” type of person, this is your place. And while their ingredients are as fresh as they come, this place is not for the “healthy” types. It is always voted as one of the best breakfast spots in pretty much every location where they have a restaurant.

Best Restaurants for Those on a Budget: White Castle and Denny's at Casino Royale
http://www.whitecastlevegas.com/
http://locations.dennys.com/NV/LAS-VEGAS/200141

Probably not what you consider gourmet dining by any means, especially when there are so many awesome options in Las Vegas. But there are times that you just want to eat and then get back to the conference (or tables), and the Casino Royale, located right next to the Venetian, actually has some pretty decent low cost options. White Castle moved there a couple of years ago, and their sliders are of special renown (I personally think their crinkle cut fries are the best). The Denny’s has just been completely remodeled, and also happens to be the most profitable Denny’s in the world. Again, maybe not where you want to take a prospective customer, but a person’s gotta eat, right?

I hope these have been interesting for you. The next part of this series will be a brief list of things to see and do while at the re:Invent conference.

See ya there, and make certain to stop by the Cryptzone booth at the conference – Booth #1918

Thursday, November 17, 2016

AWS Data Compliance: 4 Tips for Decreasing Audit Times...

If you are an IT professional, chances are that you are dealing with audit and compliance pressures. I penned this blog for Cryptzone to discuss some simple ways to decrease your audit exposures in your AWS cloud. You can find the original post here.

When we talk to customers about their greatest concerns about moving workloads to the cloud, inevitably one of the top barriers is compliance-related activities. They feel they have an understanding of the technology, how it works and how it will be implemented. But they still have concerns about how they will deal with audit / regulatory compliance issues. In addition, companies are always looking for ways to decrease the time and complexity of their audits.

The bad news is that moving workloads into the cloud will nearly always increase the complexity of an audit, thus increasing the time it takes to conduct the audit. How complex the audit will be is determined by many factors, some of which can be controlled by the enterprise, but some that are inherent to auditing in the cloud. The good news is that there are steps that a company can take to decrease the complexity of the audit, and hopefully decrease the amount of time auditors spend evaluating your cloud infrastructure.

Companies considering moving their workloads to the cloud should keep the following audit tips in mind:

1. Understand The Auditors

Before a company embarks on their workload migration to the cloud, consult the auditors that will be evaluating the cloud environment. Many of the large auditing firms have finally released guidance about how best to implement cloud solutions, and can share the controls that they will be using to evaluate workloads in the cloud. Many times, it is far easier to implement these standards at the very start than to try to retroactively remediate a particular control.

2. Understand The Regulations

Just as it is important to understand those that will be evaluating the environment, it is also important to understand the specifics of the regulations that govern your company. For example, there may be regulations about where a company’s data can be stored (because of the sensitive nature of the data). Most of the cloud providers (including AWS) have the ability to control where workloads will be hosted, but it is important to fully understand how data locality will impact your cloud solution. AWS already has evaluated many of the common regulatory standards, and provides guidance how to best implement a cloud solution within their environment.

3. Decrease Scope

While most auditors will never suggest that they would prefer to audit less (they are usually paid by the billable hour), they will also admit that decreasing the systems that are part of an audit will generally decrease the cost, time and complexity of an audit. Companies should consider how systems are connected and develop an architecture that minimizes the possible devices that are in an audit scope. AppGate for AWS embraces this concept. It is a Software-Defined Perimeter solution that delivers highly granular access control, reduces audit scope and provides detailed logging of user access and activities to efficiently feed audit request data needs.

4. Tools / Logging for the Cloud

Companies should take advantage of tools and capabilities specifically designed for the cloud infrastructure to decrease audit complexity. Logging from cloud resources should be collected by a centralized and easy-to-manage log management tool. Security tools should have robust logging and event capturing capabilities. These tools should be able to correlate important events and generate reports for auditors to use as evidence of control compliance.

While certainly not a complete list, companies that use these suggestions before and after implementing their workloads in the cloud will find that their audit times will significantly decrease, and the brain damage that comes with dealing with compliance regulations will decrease as well.

As IT Professionals, regulatory compliance has become a major facet of our job responsibilities. But we should not let it intimidate us from taking advantage of the benefits of moving to the cloud.

You can find more information about Cryptzone here. The Forrester Research whitepaper “Forrester – “No More Chewy Centers: The Zero Trust Model of Information Security” can be found here. You can also read additional Cryptzone blogs by going here.

Tuesday, November 8, 2016

The Day After...

I was hoping this day would come. I know it is still early, but - like I said - I'm hopeful!

Thursday, November 3, 2016

Why Cloud Security Expert Christopher Steffen Joined Cryptzone...

Apart from the title being slightly self serving, I wanted to share this first "official" blog that I wrote for my new company Cryptzone. You can see the original post here, and you can learn more about Cryptzone here. Enjoy!

Over the weekend, I shared how excited I was to join the Cryptzone team as a Technical Director. I wanted to share a few insights into my move, and why I chose Cryptzone as my new home away from home.

Technology: There are literally thousands of technology companies out there, and many of them have a focus (or at least pay attention to) the issues that I particularly like to advocate: information security and compliance. Cryptzone is a company dedicated to these issues, and takes a unique approach to all of them. AppGate is the industry leader in the emerging Software Defined Perimeter (SDP) space, providing security solutions with identity centric security controls to the enterprise while protecting resources from internal and external threats. Security Sheriff is a product that helps enforce compliance and data security policies for many of your compliance controls. Compliance Sheriff provides users with a means to monitor online content for potential compliance issues across digital environments – keeping information safe, appropriate and within regulatory guidelines. These products are leaders in their respective spaces, used by private and public sector customers to address security and compliance needs.

Innovation: If you follow the information security industry at all, you know that there are dozens of security products to address every potential security concern an enterprise may have. Cryptzone may have been dismissed before as just another vendor in the already crowded security software space.

Until you actually look at what they do.

The Software-Defined Perimeter paradigm is a radically different approach to network and identity centric security. The entire AppGate concept is different enough – authenticating the user before they have access to ANY resources at all – that it often takes a couple of explanations to get it, even to the most seasoned security or network professional. Once they *DO* understand the concept, the first question usually is “Where has this been all my life?” I can happily share examples of the technical overview with you, but it blew my mind the first time I saw it. Enough so that I knew then that I was EXTREMELY interested in the revolution that was SDP and Cryptzone.

Message: Cryptzone is unique in the security industry. Often you hear the tales of doom and gloom that accompany most security services and product sells – buy our stuff or your company will be hacked out of existence! The fear marketing happens at nearly every company, and I guess it must work, to some extent. Cryptzone takes a different approach – providing a security solution and support to a customer partner trying to address security and compliance challenges to protect their enterprise. REFRESHING!! As an industry, I think we need to move away from the scare tactics and focus on solutions. While I was able to do this to some degree in my previous professional endeavors, Cryptzone embraces the concept.

Culture: I walk into a room with co-workers for the very first time, and the first comment that I was greeted with was “I had better step up my beard game.” No, I do not make employment decisions based on the beards in the room (though that may not be a terrible criteria), but it speaks to the welcoming and collegial atmosphere of the company. My previous professional experiences have varied – from the large, Fortune 50 technical company, to the small manufacturing company, to the small financial services company, to the public sector. Each has been different, and each has their positives and negatives.

Cryptzone is an established “start-up”, though it is different than any start-up I have seen or been a part of. It is established and funded, has mature products, industry leadership and all of the usual infrastructure that you would expect from a well-run company. Yet there is definitely a start-up vibe – excited, driven, innovative, and fun. I have been immediately embraced as a person, not just another employee, engaged at every level about my ideas and suggestions. It is the dream of every person to work in an environment where they are valued. Cryptzone convinced me of this on the very first day (actually long before that).

I blog ALL THE TIME – this is the first of MANY blogs that I will create for Cryptzone. I am planning a series on a recent Forrester Research report that you should be able to read soon, as well as thought leadership content on Cryptzone and information security topics.

You can find more information about Cryptzone here. The Forrester Research whitepaper “Forrester – "No More Chewy Centers: The Zero Trust Model of Information Security" can be found here. You can also read additional Cryptzone blogs by going here.

Saturday, October 29, 2016

On to the Next Adventure...

As you may have heard, I have left HPE as part of the reorg / downsizing that you have read about in the news. I feel that I can post to The Security Beard again!

I wanted to share a quick blog that I posted to my Medium earlier today about my exit from HPE, and a little about my new position.

You can find the original here...

The two constants of the universe – change and taxes. And while I could go on for days about taxes, especially in this contentious political season, I thought I would share some thoughts on the changes that are going on with me.

Friday was my last day at Hewlett Packard Enterprise. It has been my distinct pleasure to work for this organization for the past two years, serving as the Chief Evangelist for Cloud Security. I have appreciated the opportunity to offer nearly unfettered advice about the information security topics that are interesting to me – security awareness and regulatory compliance. And some of you must think so too, as those blogs and podcasts received tens of thousands of views. Your consideration of some of these topics, and your support on the various social media platforms has been greatly appreciated!

I wish nothing but the best for HPE. CEO Meg Whitman is doing her best to shape and focus the company as the dominant player in the server market, removing the miscalculations and distractions that had been acquired by some of her predecessors. The merger of the consulting services to form a company with CSC and the sale of much of the software assets to Micro Focus will go a long way to accomplishing that goal.

These changes also bring changes to how the company is organized. For months, there have been plans for the personnel changes that would be needed to run this tighter ship, and one of those changes is how and what we evangelize as a company. It is not that HPE doesn’t think that cloud security is important – far from it. It is that the company is refocusing its efforts on hardware solutions. So in the grand game of musical chairs, I was one (of many) left without a chair when the music stopped.

While I may no longer work at HPE, I am NOT fading off into the sunset…

I am proud to announce that I have accepted a position as the Technical Director of Cryptzone.

Cryptzone is a company that is focused on bringing paradigm shifting security solutions with identity centric security controls to the enterprise, protecting resources from internal and external threats.

And I get to talk about it!

I won’t go into too much more here, except to say that software defined perimeter solutions are just now starting to draw significant attention from the tech industry, and Cryptzone is far and away the premier solution for those interested in this security solution.

Alexander Graham Bell once said:

When one door closes, another opens; but we often look so long and so regretfully upon the closed door that we do not see the one which has opened for us.

I have no regrets for my time at HPE, and am charging full speed through this open door!

Stay tuned…

Tuesday, September 20, 2016

Security vs Compliance...

This is a blog I initially published on the HPE Grounded In The Cloud blog. You can see it here.

A good friend and colleague once said: “You can have security without compliance, but you cannot have compliance without security.” While that may be a bit simplistic, it does hold a measure of truth. But the question for many IT manager and executives is which one should come first. The simple answer is that you can have both, but it may require you to shift the paradigm.

There has been several occasions when I have been asked about this (as recently as last week at the HPE Protect security conference), so let me share some of the questions, as well as potential answers...

You can find the remainder of this blog here:

https://community.hpe.com/t5/Grounded-in-the-Cloud/Compliance-in-the-Cloud-Security-vs-Compliance/ba-p/6900359#.V-FB1vkrKbg

Monday, September 19, 2016

Data Locality - A Solution?

This blog originally appeared on my Medium site on April 26, 2016. It was also shared with a number of different LinkedIn groups, and generated hundreds of comments.

PREFACE: While I believe that this is already understood, please understand that the opinions expressed in these stories / posts / blog / whatever you want to call them — are mine, and not necessarily the opinions of my current employer, future employer, former employer, or anyone else that has (or does, or will) contributed to my income or livelihood.

To get everyone up to speed (and this is a repeat of the summary I have provided before) — In October 2015, European Court of Justice invalidated the Safe Harbor agreement, requiring the European Commission to revisit the regulations between the EU and the United States. In February 2016, the EU and the US had reached an agreement (called the Privacy Shield) to address the concerns that invalidated Safe Harbor. Two months after approving the Privacy Shield, regulators in the EU have come out and stated that the agreement still did not provide adequate privacy guarantees to European Internet users. Specifically, the concerns revolve around how data is stored and used by social media and search companies. The end goal of the European regulators is to have an agreement in place that forces US based companies to treat and protect data much in the same way that it is treated by the EU countries.

In short, the Safe Harbor and Privacy Shield regulations make up a portion of the laws and controls that are central to the conversation about data sovereignty. Data sovereignty, then, is the discussion around how data that has been converted into some digital form is covered by the laws and regulations in which it is located.

So, with that out of the way…

I was fortunate enough to sit on a panel a few weeks ago on the topic of data sovereignty. The same occurred again last week, this time, in New York. Both panels — and specifically the panelists that spoke with me — were excellent. An idea was presented at the first panel, and discussed again at the second, around the sub-topic of data locality: specifically how, and more importantly — where — data is stored, and the requirements and regulations that differ depending on the country in which the data is stored.

Let me start with a non-technical narrative (one that my mother can probably understand) — a simple Master padlock, probably much like the one you had on your locker in high school:

Author’s note: never keep both lock keys in the same place…

Not a complicated device —pretty much everyone has used a padlock at one time or another. You insert and turn the key, and the locking hasp unlocks. To relock it, simply engage the hasp back into the padlock. As long as you engaged the lock correctly and didn’t lose the key, your locker remained relatively secured (I am sure there are many high school locker tragedies, but you get my point).

When school was over for the year, you could take the lock off of your locker and could use it during the summer for your camp foot locker or the locker at the pool. The lock would still work fine, despite the change in location, so long as you had the key. Regardless of where you took the lock, the lock would function as you would expect it to — so long as you kept the key.

If you were like most, and took the lock home after the school year, only to find it in a junk box years later with your 9th grade Trapper Keeper, you would likely not remember the location of the key, rendering the lock useless. A padlock without a key is useless.

In summary:

You can use your padlock to protect things (like your locker or camp foot locker), regardless of the location.
The lock would work fine, regardless of the location, so long as you had the key.
The padlock without the key — regardless of the location — is useless

Applying the narrative to the technical world, and specifically the data sovereignty discussion:

Nearly all data (the lock) has the ability to be encrypted (the key). Regardless of the location where that data is stored (high school locker or camp foot locker), so long as the data remains encrypted, the data remains protected. Put simply, if the data is encrypted correctly, and the key is kept secure, does it really matter where the data is stored? Isn’t the data useless without the encryption key?

In summary:

You can use encryption to protect your data, regardless of the location.
The data would be protected, regardless of the location, so long as you had (and properly protected) the encryption key.
The data without the encryption key — regardless of the location — is useless.

One of the major components of the data sovereignty / data locality debate is WHERE data is stored. But shouldn’t the discussion be more about where the encryption keys for the data is stored and not the data itself? Properly encrypted data is practically useless without a method of decrypting the data(*).

Establishing controls for encryption key management are information security 101 best practices. So the narrative for data protection should be around how encryption keys are stored, where keys are stored, and how the data is being used once it is decrypted. Where encrypted data is being stored will make very little difference from a technical perspective.

This narrative is still evolving: there is no case law or legal challenges (that I know of) presenting and defending this perspective (yet). But there likely will be, and provided that technically minded jurists litigate the case, a reasonable (and logical) technical solution will find that data locality is irrelevant, so long as information security best practices around key management are enforced.

And I welcome further conversation about this specific concept: does it really matter where encrypted data is stored?

As for the data privacy and data use concerns at the center of the data sovereignty debate — well, we still have a long way to go on that front.

(*) Yes, I fully understand that there are some NSA / government types with massive compute that can probably break 256 bit encryption on demand, but I am not likely trying to protect my data from them. Nor *CAN* I protect my data from them…

World Password Day — Password Best Practices…

This blog originally appeared on my Medium site on May 5, 2016.

To “celebrate” World Password Day, I thought I would take a moment and share some information about password best practices. But first, a quick story:

During a recent security audit by a company, it was found that an employee was using the following password:

“MickeyMinniePlutoHueyLouieDeweyDonaldGoofySacramento”

When asked why she had such a long password, she rolled her eyes and said:

“Duh! The password policy says it has to be at least 8 characters long and include at least one capital.”

Yes, this is a nerdy security joke (or is it really a joke?), but we all struggle with the multitude of passwords that we have to remember on a daily basis. Despite that, it is still important to create passwords that are complex (strong) enough to thwart would be hackers. Here are some guidelines to consider when creating passwords:

● Passwords should be a minimum of eight (8) characters in length and use a mix of upper case, lower case, numerical characters and special (punctuation) characters. The industry best practice is to use at least three of these types of characters.

● Passwords should be changed on a regular basis. For very sensitive accounts or very exposed accounts, you should consider changing the password every 90 days (this is the best practice). Some accounts can probably stand to be changed a little less often, but it is often better to change all your passwords at the same time (or at least I find it is easier to keep them straight that way).

● Make an effort NOT to reuse your previous passwords. Reusing passwords makes it just that much easier for the bad guys to guess it. Also, try to make it a completely new password. How many of you have changed your passwords from “Password123” to “Password234”? You know you are out there… ;-)

● Consider what information is available about you on the Internet (think social media pages here). Creating a password that is your child’s name and their birthday is probably not the best. Pet’s names, family names, and special dates (birthdays, anniversaries, etc) are all pretty high on the list of things that I would try if I needed to “guess” your passwords.

● Patterns are not so great either. How many of you have the password “qwertyuiop[“? Can you guess where that came from? You would be amazed how many people use it. Along those lines, how many of you have an iPhone password that is “12345”? You know who you are, and I know several of you that use this as their password.

Passwords are generally a pain, and as we continue to expand our lives on the Internet, they will become more and more necessary for everyday tasks. As complicated as they seems to be, following some simple steps can make them more manageable, while keeping your personal information and privacy secure.

What Happens When The Empire Fails at Information Security…

This blog originally appeared on my Medium site on May 4,2016 in celebration of Star Wars Day.

To celebrate Star Wars Day, I thought I would share a few ways in which Information Security best practices where not adhered to by the Empire, and enabled the Rebels to win.

To be clear: I do not support the Empire, the Sith Lords nor any other types of scum and villainy. Nor am I trying to portray the Rebel Alliance is a weird, Force wielding, Galactic Hacker consortium or something. But had the Empire not been so lax in their security controls, Emperor Palpatine and his buddies might have been able to bring their “order and peace” to the galaxy.

Social Engineering: Social engineering is an attack that uses human interactions and plays on human weaknesses to break established security procedures.

Scene: Luke and Han, dressed as Stormtroopers, escorting Chewbacca to the prison block (Star Wars IV: A New Hope).

Lots of things going on here. First, no one wants to mess with a Wookie. So other were less likely to get involved when they saw that the Wookie was being escorted by two (only two) Stormtroopers. Luke and Han knew that if they looked like they knew what they were doing, they could walk around in plain sight without being questioned by anyone. Even after arriving at the detention block, the supervising guard did not suspect them as being bad guys, and only questioned them on a matte of paperwork. Sure, everything fell apart at that point — one of the security controls finally kicked in. But Luke, Han and Chewie were able to walk pretty much anywhere they wanted on the Death Star by exploiting social engineering flaws.

Lesson: People — not just the bad guys — exploit social engineering gaps every day. When was the last time you piggybacked someone into a controlled building? The really bad guys know this as well, using our politeness (holding a door open for someone) against us. It is extremely hard to break those habits, which is why your security guys are constantly reminding you about them. Who knows if the guy you are holding the door for is coming to blow up the building (or the Death Star)?

Identity and Access Management: Identity and access management is the system used by entities to allow and prohibit access to resources controlled by the entity.

Scene: Luke, Leia, Han and Chewie on the Shuttle trying to land on Endor (Star Wars VI: Return of the Jedi)

The Rebels have stolen (property theft, probably due to lack of physical security controls on the part of the Empire) a small Imperial shuttle and are landing a team on Endor to blow up the shield generator protecting the second Death Star. Apart from using the Imperial shuttle, the Rebels have also stolen a security code that will allow the shuttle to land on the forest moon. There are multiple points that the code could have been rejected, with the admiral even claiming that it was an older code. Eventually, the Rebels are given clearance and allowed to land.

Lesson: Identity and Access Management is a difficult topic for most businesses. Larger business MUST have a solution for IAM in place, as their employees turn around much more frequently than smaller companies. And unfortunately, there are always gaps — the employee who was terminated months ago still has an active security badge, because the two system are not connected, and the administrator of the badge system was not notified (or on vacation or whatever) that the employee was no longer with the company. All business need to have controls in place and audited regularly to make certain that there are as few gaps as possible.

Data Security: Data Security is the methods used by an entity to protect all manners of data from those not authorized to use it.

Scene: Princess Leia and her crew intercept the technical plans to the Death Star (Star Wars IV: A New Hope)

The very first scene in the very first movie (yes, the original Star Wars will ALWAYS be the first movie to me) starts with an epic space battle — the Empire is beating up a Rebel blockade runner that happens to be carrying Princess Leia and the technical plans or the first Death Star. The Rebels had intercepted those plans, and the Princess was in the process of delivering those plans back to her home world when she was captured. The Rebels had been a thorn in the side of the Empire to that point, but now they had the data necessary to severely cripple the Emperor’s plans of galactic domination using the Death Star.

Lesson: The Empire should have done a better job of securing the plans. We don’t know if the data was encrypted or not (another tenant of data security), but even if it was encrypted, it was transmitted using an unsecured methodology, allowing the Rebel Alliance to intercept them (and break the encryption, if necessary). Most companies and entities have intellectual property / trade secrets / military secrets that they don’t want others to have. Not only should that data be encrypted and protected, but the networks and devices that send and store the data need to be protected as well.

Some of these examples are a bit convoluted, and I am sure there are some out there that would like to debate the finer details of exactly what happened in the movie (message me — we can talk specifics ( I had to amend some things for brevity’s sake)). But the point is that Star Wars Day is just another opportunity to remind you (and your employees and everyone else) about the importance information security has on so many aspects of our lives. If Star Wars makes that point a little more enjoyable, then I’ve accomplished that goal!

Enjoy the day, and “May The Fourth” be with you!

The Path to a Cybersecurity Career…

This blog originally appeared on my Medium site on April 18,2016.

For quite a while now, I have been thinking about the lack of real world technical training in colleges and universities. Then, I see the story from CloudPassage that basically confirms what I have thought all along, at least in regards to information security — that most of the top colleges and universities DO NOT pay attention to cybersecurity in any way, allowing today’s computer science grads to receive their diploma without ever taking a class in computer / information security.

(You can read the link or check out the infographic if you choose — I am not going to rehash their study, except to say that it contributes to an alarming trend in the information security industry.)

I belong to several LinkedIn groups on information security, and one of the continued topic is how does one “break” into (no pun intended) the information security career path? As the article above demonstrates, the best colleges and universities will likely not help you. So the best I can do is share with you a few ideas how I think one might be successful in information security, mainly the path I chose to get the InfoSec career that I have.

Johannes factotum (Jack of All Trades, Master of None)

For every aspect of information technology that someone interested in an IT career can learn, there is a parallel subset of information security. Gaining experience in networking, systems architecture, systems administration, database administration and storage infrastructure is a critical starting point. From there, learning physical security, regulatory compliance, and encryption become easier, mainly because you have a foundation to build from. Trying to tackle complicated security controls necessary for some of the various compliance standards is nearly impossible if you don’t have a strong background in the “basics”.

Certifications

Arguably, the moment you start down the IT career path, you should invest in technical certifications. CompTIA offers some excellent, vendor agnostic certifications (thinking A+ and Network+ here), and those will help you get in the door. Once there, you can decide on some vendor specific certs, like those from Microsoft and Cisco. After that, and after you have gained about 3–5 years of experience, you need to decide how to specialize in IT –if it is InfoSec or some other niche specialty that you want to concentrate on. In the InfoSec world, there are a number of specialty security certifications — vendor specific ones from Cisco, Microsoft, and others, and vendor agnostic ones from SANS. But the best general information security certification — and arguably the most difficult one — is the Certified Information Systems Security Professional (CISSP). The CISSP is the “gold standard” of IT certs — respected by pretty much everyone in every business vertical — for the skills that the certification represents. It is a bear to get (at least it was for every single person I have ever talked to about it, including myself), but it opens nearly all of the information security doors.

Constant continuing education

Information security is rapidly changing. The great part is that it is constantly evolving, providing interesting new challenges and directions. The bad part is that it is constantly evolving, proving excruciating challenges and problems. Information security types always have to keep up, through continuing education or self-study. There are great conferences available to get the latest, but they tend to be a bit spendy. Most of the higher end certifications discussed above require you to maintain your certification through continuing professional education (CPE) credits. Keeping track of your CPEs can be a challenge in and of itself, but worth it, considering the alternative is to let your certification lapse (a friend of mine let his CISSP lapse and was punished by having to retake the CISSP exam. The guy had been working InfoSec for 10+ years, and still failed it the first time when he had to retake it).

I hope the major university programs clean up their act when it comes to information security training and education. But even if they do not, the path outlined above requires very little in the way of formal university training, and will lead you to an eventual information security position.
I am not one of those guys that believes that the sky is falling — not even close. But the InfoSec career path is a little different, and those that are trying to become a security professional often have a difficult time navigating their way through the different expectations. But in the IT industry, the demand is extremely high for these kinds of professionals, and shows no signs of slowing any time soon.

Best of luck, and ping me if I can help!

NOTE: I am not a developer, nor do I play one on TV. While the experiences are helpful and the advice is relevant, it is more focused on a traditional IT route, instead of programming. Programmers and developers should concentrate on programming best practices and foundational programming security. Having experience in the “hands on” IT world will only help a developer / programmer better understand the things they are programming for.

Sunday, September 18, 2016

Old Skool...

Welcome to The Security Beard!

There will be a ton of original content coming here in the future. But until then, I wanted to share some of my favorite blogs that I have written in the past few months, mainly from my Medium blog. Stay tuned for some additional content soon!

A friend and colleague of mine recently mentioned that I was “Old School IT” — actually several times. I have been thinking on it most of the weekend, and thought it might be worthwhile to share some of those thoughts.

Let’s start with a definition: In this case, old skool refers to a technology enthusiast that probably has 20+ years experience, and, at one point in their careers, has pretty much seen and done it all when it comes to information technology: system administration, wire monkey, help desk, network Jedi (or Sith, depending on your affiliation), database admin, and/or printer paper filler. You might have even had that title-of-titles: COMPUTER GUY.

In all likelihood, at this point in their careers, they are a specialist or expert — having done many of the various aspects of IT and settled into a specialty (for me it has been information security, or — even more specifically — information security and compliance in the various cloud architectures).

They may even be a member of management — using those skills gained over the last decade plus to educate and train others in the technical field. In some rare cases, the old skool tech has become an executive, using their experiences to drive a technical vision and direction for an enterprise or the industry. In my years of tech, I have been privileged to know and even work with a few of these. It is a truly amazing thing to see experienced technical innovators at work — the right combination of business acumen with technical kung fu.

Now to really age myself — Part of being old skool is remembering and working in a time where technology was NOT ubiquitous, the Internet was a very small collection of web pages, and the only thing that Apple had released as a portable mobile device was a Newton (and no — a Mac Portable does NOT count).

15 years too soon, Steve...

Point being — I remember the trial and error in building computers (jumper combos and dip switches), programming EPROMs, coding using the VI editor in some flavor of Unix and making a Macaquarium out of my Mac SE/30 (still wish I had that thing). Answers came in books and manuals (RTFM), not Google searches (anyone remember setting up Sendmail using the Bat Book?). It isn’t to say that the twenty somethings that are the techies of today are not qualified, but it is a very different beast than it was when I started (one could say the same thing about programming with punch cards or even worse — in Fortran — but I am not THAT old).

Being old skool has made me a better technologist: instead of jumping into management and executive positions with no experience, I have been there and done that in the technical world. I can honestly relate to those that I am talking to at *ANY* level. A significant part of my job is talking to people about cloud security, and I have the confidence and the experience to relate directly to the audience — from the C-Table to the security engineer — because I have been there and done that. For example, when attending a technical conference, which was better: the sessions where someone drones on and on about technology (think PowerPoint of Death), or the sessions led by someone who is a technical expert in his/her subject (think technical demos or just Q/A)?

I never really intended to have a career in the technology industry — it just sort of happened. But I kept coming back to it, despite diversions in politics and non-profits. Sure, it pays the bills. But there is more to it. The constant challenge of learning may not be unique in any particular vertical, but in the technology world, and even more so in the information security and cloud spaces, the technology and uses are evolving right in front of us.

Old skool technologists — then — are those that have evolved as the technology has evolved. They have stayed relevant with their skills, applying their experiences to better understand the next evolution — revolution.

I am proud to be considered old skool…

(BTW — I am not so “old school” as to not know how it is really spelled…)