Archive for the ‘IT Consulting’ Category

Speaking at NetSecure ‘08

Tuesday, March 18th, 2008

I will be speaking on the professional development trends in malware at the annual NetSecure conference put on by IIT. Hopefully some of the readers can make it out. It is a great event. The info is below:

IT Security and Forensics Conference and Expo
http://www.cpd.iit.edu/netsecure08
Wednesday, March 26, 2008
Illinois Institute of Technology in Wheaton, Illinois

Join us for NETSECURE’08: The 6th Annual IT Security and Forensics Conference and Expo. This multi-track technical conference is attended by 200+ IT professionals and will promote the open exchange of IT security and forensics information. Register now at http://www.cpd.iit.edu/netsecure08

Current Conference Presentations Include:

* “Annual CompTIA security research: Trends and strategies for information security” Carol Balkcom - CompTIA

* “Cellular Wireless Key Management” Alec Brusilovsky - Alcatel-Lucent

* “Microsoft Security - Growing up and Enterprise Ready” Cordell Crane - Microsoft

* “Microsoft Security - Hands on approach with tools for Threat Modeling, Code Review and Discovery” Ken Anderson - Microsoft

* “Professional Development Trends within Malware” Michael Davis - Savid Technologies

* “Network Security: What You and Your Skills Are Worth” Bob Fanelli - Robert Half Technology

* “Securing Windows - A Monumental Task?” Mike Fekety - Performance Technologies

* “Building a Secure Storage Internet” Chris Gladwin - CleverSafe

* “Do the Work Once: Harmonizing Compliance and Security Objectives” Bonnie Goins

* “The Role of Penetration Testing in Security Audits” Jeff Groman - Akibia

* “Penetration Testing: Let me probe your ports” David Kennedy - SecureState

* “Combating Insider Threats on Databases” Carl Kettler - Application Security, Inc.

* “Computer Security at Fermilab” Frank Nagy and Tim Rupp - Fermi Lab

* “Building a Linux Custom Firewall” Venkat Nandam

* “Security and Control Issues within Relational Databases” David Ogbolumani - SunGard

* “Data: How much is there, and where is it at?” John Pascoe - FBI Regional Computer Forensics Laboratory

* “Best security practices for Voice Wireless LANs” John Poust - IEEE ComSoc

* “Virtualization Security and Best Practices” Rob Randell - VMware

* “Out-Of-Band authentication using a real-time, multi-factor service model” Andy Rolfe - Authentify

* “Fighting Spam: Tools, Tips, and Techniques” Brian Sebby - Argonne National Laboratory

* “SSH” Hemant Shah

* “Multi-Factor Authentication Solutions: An Overview of Regulations, Vulnerabilities, and the Latest and Best Authentication Options” Bob Thompson - Catalyst

* “A New Model for Business Contingency Operations” Raymond Trygstad - Illinois Institute of Technology

* “Identity and Access Management” Kevin Wang - Crowe

Details:

Date - Wednesday, March 26, 2008

Attend - $95 (includes breakfast, lunch, cocktail party, and conference tote bag and materials)

Exhibit - $325 (includes 2 free attendees)

Sponsor - $300-750 (includes 1-2 free attendees)

Register - www.cpd.iit.edu/netsecure08

Location - Illinois Institute of Technology’s Rice Campus in Wheaton, Illinois

Sponsors Include:

High Tech Crime Network (HTCN), Authentify, Inc., Microsoft, onShore Networks / Fortinet, SunGard Availability Services, IBM Rational, Project Leadership Associates, Robert Half Technology, Other World Computing, SecureState, CTH Technologies, Inc., Security Services & Technologies, Catalyst Technology Group, Inc., Equivus, W.W. Grainger, Inc., CIMCO Communications, CIMCOR, Inc., Hegemony Consulting, Neohapsis, Inc., X-Ways Forensics, CompTIA Security+ Certification Program, Savid Technologies, Inc., ChicagoCon / The Ethical Hacker Network, UniForum, IEEE, and CPD.

Code Review…In the real world

Tuesday, February 5th, 2008

I saw this image on Veracode’s blog and it is very true! Sadly though, many managers take the number of WTFs, start yelling WTF (Who the F**k), and place blame rather than realizing that it is usually the process and the lack of developer education that cause the problems, not the developers themselves. I have seen that when an effective Secure SDLC is implemented and blame is not thrown around, you really do get a reduction in security bugs.

Source: http://www.veracode.com/blog/?p=77

IT consulting model flawed?

Monday, January 28th, 2008

I was discussing IT consulting methodology while speaking about Risk Assessments at Northwestern University when it struck me that the traditional IT consulting methodology is flawed.
The traditional IT consulting methodology usually comprises the following components:

  • Assessment
  • Planning
  • Pilot
  • Execution
  • Documentation

This process has a counterpart in the pure application development world: waterfall development. Waterfall development is a process in which you take a set of requirements, build a plan, have a team of developers go off and write the code, test the code, and then release the product.

The main problem with the waterfall model is its inability to adapt. A waterfall project is split into separate stages and forces developers, project managers, and the end user to commit to an outcome early on, even before the team knows how they will implement it. Changes in a waterfall project are very expensive, because everything has to stop and, in many places, start over. We have seen over the past 20 years that this process doesn’t work; we see how applications consistently fail to function or perform as expected. Essentially, the waterfall methodology is not good for projects whose requirements change or are not well defined or understood. Sounds like your standard IT project to me.

So why would we apply this process to IT consulting, and especially to IT Security? The main reason is that the waterfall consulting methodology, if you will, does serve one purpose well: it can estimate costs rather easily, because the methodology assumes everything is known upfront. Are initial cost estimates so important that organizations are willing to jeopardize the schedule and success of a project? I don’t think so. Budgets should be a means to an end. Would you really consider sacrificing or diminishing the ends to hit some estimate of the means? On-time delivery and successfully meeting the changing requirements are much more important than a specific, exact cost estimate. Plus, how many projects actually meet their initial budget?

The alternative approach that emerged for us came from our IT Security practice, where the traditional methodology was completely inadequate to keep pace with the tools, threats, and techniques. The approach is quicker, iterative, much more agile, and able to incorporate new learning. Now, remember, we’re talking about real IT Security here, not just the application of the latest tool, patch, or window-dressing. When we talk security, we’re not talking about the usual FUD hysteria followed by a sales pitch; we’re talking about a “bit’s eye view” of the data flow: where is it vulnerable, where does it linger, who is authorized to alter its flow, etc. We find that this Agile Service Delivery, applied more broadly to IT consulting projects and even to application development, reduces cost and time and increases the success of critical long-term projects.

Can we take the next logical step and apply this approach more broadly than just technology? Yes. The new enterprise is concerned with protecting, optimizing, and leveraging their data. To achieve those objectives the same iterative approach has been adopted through the implementation of frameworks such as ITIL that demand constant measurement and reassessment.

Data breach worse than originally thought

Wednesday, January 23rd, 2008

My post last week about Iron Mountain losing a GE Money backup tape, and with it the information on 650,000 consumers, wasn’t the full story. Robert McMillan of IDG News Service reported today that 230 different retailers had information on the tapes, and it has been confirmed that the tapes were not encrypted. There is just no excuse for an enterprise to lack backup encryption today.

If you don’t have backup encryption right now, stop what you are doing and get your Backup Admin in your office and get a project plan together to get encryption on your backups.
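As an added example (not part of the original post and not Savid Technologies’ code), here is a small Python audit that flags backup files stored in the clear, the first thing the Backup Admin above should be asked to run against the media that actually ships offsite. It reads the leading bytes of each file, looks for the headers of common unencrypted containers (tar, gzip, zip, bzip2, xz, 7z), and then measures the byte entropy, because ciphertext from any sound cipher is indistinguishable from random bytes while a CSV or database dump of consumer records is not. The container list, the 7.8 bits-per-byte threshold, the 4 KiB sample size and the constructed sample inputs are all assumptions of this example; the “ciphertext” sample is a SHA-256 chain standing in for real encrypted output.

```python
"""Flag backup files that are stored in the clear.

Added example: not the original post's or Savid Technologies' code. It is a
heuristic audit, not proof of encryption: a blob that looks random might be
encrypted, compressed with an unknown container, or simply corrupted.
"""
import gzip
import hashlib
import io
import math
import tarfile
from collections import Counter

# Headers of common *unencrypted* backup containers (assumed list; extend as needed).
CONTAINER_MAGIC = {
    b"\x1f\x8b": "gzip",
    b"PK\x03\x04": "zip",
    b"BZh": "bzip2",
    b"\xfd7zXZ\x00": "xz",
    b"7z\xbc\xaf\x27\x1c": "7z",
}
TAR_MAGIC, TAR_MAGIC_OFFSET = b"ustar", 257  # POSIX tar magic sits at byte 257
SAMPLE_SIZE = 4096                           # bytes examined per file (assumed)
ENTROPY_THRESHOLD = 7.8                      # assumed cut-off, bits per byte


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum for byte-valued data."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def classify_backup(data: bytes) -> dict:
    """Classify a backup blob from its leading bytes.

    Verdicts: 'plaintext' (tar header or low entropy), 'compressed-unencrypted'
    (known container header) or 'looks-encrypted' (high entropy, no header).
    """
    head = data[:SAMPLE_SIZE]
    for magic, name in CONTAINER_MAGIC.items():
        if head.startswith(magic):
            return {"verdict": "compressed-unencrypted", "reason": f"{name} header"}
    if head[TAR_MAGIC_OFFSET:TAR_MAGIC_OFFSET + len(TAR_MAGIC)] == TAR_MAGIC:
        return {"verdict": "plaintext", "reason": "tar header"}
    entropy = shannon_entropy(head)
    verdict = "looks-encrypted" if entropy >= ENTROPY_THRESHOLD else "plaintext"
    return {"verdict": verdict, "reason": f"entropy {entropy:.2f} bits/byte"}


def audit_file(path: str) -> dict:
    """Classify a backup file on disk, reading only its leading bytes."""
    with open(path, "rb") as fh:
        return classify_backup(fh.read(SAMPLE_SIZE))


# --- constructed sample inputs (no real data) --------------------------------
SAMPLE_DUMP = b"".join(
    b"%d,Customer %d,4111-1111-1111-%04d,1970-01-%02d\n" % (i, i, i, i % 28 + 1)
    for i in range(200)
)


def _fake_ciphertext(n: int, seed: bytes = b"constructed") -> bytes:
    """SHA-256 chain used only as a stand-in for real ciphertext in this demo."""
    out, block = bytearray(), seed
    while len(out) < n:
        block = hashlib.sha256(block).digest()
        out += block
    return bytes(out[:n])


def _tar_of(name: str, payload: bytes) -> bytes:
    """Build an in-memory tar archive holding one member."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        info = tarfile.TarInfo(name)
        info.size = len(payload)
        tar.addfile(info, io.BytesIO(payload))
    return buf.getvalue()


def run_demo() -> dict:
    """Run the classifier over the constructed samples; returns {label: verdict}."""
    samples = {
        "sqldump.csv": SAMPLE_DUMP,
        "backup.tar": _tar_of("dump.csv", SAMPLE_DUMP),
        "backup.tar.gz": gzip.compress(SAMPLE_DUMP),
        "backup.tar.gz.enc": _fake_ciphertext(SAMPLE_SIZE),
    }
    return {name: classify_backup(blob)["verdict"] for name, blob in samples.items()}


if __name__ == "__main__":
    for name, verdict in run_demo().items():
        print(f"{name:20s} {verdict}")
```

Read the verdicts conservatively: “plaintext” and “compressed-unencrypted” are findings to act on, while “looks-encrypted” only means the sample is high-entropy, which compressed data with an unfamiliar header will also produce. The authoritative answer comes from the backup product’s job configuration, and encrypting the tape buys nothing if the key travels with it; keep keys in a separate store with their own access control and a tested recovery procedure.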

The rules of IT consulting are changing

Monday, January 21st, 2008

From where we are sitting, things are changing. IT buyers are starting to understand that what technology needs to “support” is the fastest and most efficient way for the company to create and deliver value. It’s not enough for developers to know how the tech tools work; they need to be able to connect with the managers who decide the value the tools should be used to create. IT projects on this landscape have some distinctly different characteristics than they did in the era of “back-office big iron.” Below is an incomplete list of some of these characteristics. If you have ideas or additions to this list, please send them over.

  • Connect, don’t build – Back in the day, there was really a decision to be made about whether to build new functionality in-house or to buy a package and customize. That’s occurring much less now, given the proliferation of special-purpose software engines, stacks, connectors, config templates, etc. available on the network. Microsoft is not the only giant to have decided that the future is not software-AS-a-service, but rather software-AND-services, sometimes a little thicker on the client, sometimes on the server. The emerging default strategy is becoming “connect, don’t build.” As high-speed network connectivity has become more ubiquitous and reliable, this strategy is taking root in some expected places (Amazon’s S3 storage service; SalesForce App Exchange) and in some not so expected places (Amazon’s Elastic Compute Cloud, where processing itself can be scaled up or down as needed).

  • There is no perimeter – If you question whether the behavior preferences of knowledge workers today are really all that different from the era of back-office “big iron,” look at the discipline of data security. Back when accessing remote files or logging into your desktop remotely was still slightly exotic, strengthening the “perimeter” of the infrastructure made some sense. But now, with workforces more dispersed, applications themselves decentralized, and near-real-time data feeds informing corporate dashboards with timely performance stats, how would you even define “inside” and “outside?”

  • Iterate – Software companies certainly didn’t invent the concept of launching 80% (60%?) products and iterating their way to full-featured releases, but they may have perfected it. Now that so much business innovation is offered and delivered (and consumed!) via technology, corporate reputations rest not just on launched products, but on their whole value-creating mechanism itself: how fast do they correct minor flaws, what is their response to customer service issues for their product, how respectful are they of their own installed base of previous versions, etc. Iterative loops minimize the errors in the final software; the emerging best practice for large-scale projects is to build the project plan as a series of small pilots, for exactly this reason. In many cases now, iteration is largely done “without a net.” Releases that might once have stayed in private beta for months are now released to carefully warned enthusiasts, and passion drives the feedback loops. Ever noticed how long a new Google app is “in beta?”

  • Insulate – Really the watchword of data security in this age of content-led innovation. This is what replaced the concept of perimeter security: “jacketing” the content itself with access provisions, permissions, encryption, proprietary formatting, etc. that protect it from falling into the wrong hands at the wrong time, in the wrong form, for the wrong duration.

  • If you cannot prevent it, you must detect it – The essential follow-through of any data technology professional today. Not every threat can be identified and not every breach proactively defended. What can occur, though, is intelligent and creative sensing of intrusion, with or without disturbance, and protective isolation of the most sensitive data.

What IT consulting lessons are your feedback loops bringing you? Come to http://www.whatevercompliance.com/it-consulting/the-next-threshold/ and add them to the list.

The Next Threshold in IT Consulting

Friday, January 18th, 2008

An article posted at Illinois I.T. Association talks about the new IT Consulting thresholds and how the IT consulting paradigm is changing. What do you think? What are some of the changes you are seeing in the IT consulting model? Please post your comments below.

Desktop Search - How Content is changing the security landscape

Monday, January 7th, 2008

I have been an avid user of Desktop Search tools since their inception in 2003/2004. I have used Lookout, Google Desktop Search, MS Desktop Search, and now X1. These tools have gotten progressively better over the years, with the exception of Google Desktop Search, which was built to destroy hard drives as it does nothing but thrash your hard drive.

For example, I have 4.5 GB of email. I pretty much save everything and use search to retrieve emails. I don’t organize very much except into high-level buckets like company name. I had to move from Microsoft’s Desktop Search, which is integrated into Vista, to X1 because the indexing was severely slowing down my laptop. A 5400 RPM hard drive that is constantly being accessed is death to a power user like me. X1, though, seems to handle things VERY well and integrates into Outlook with an integrated toolbar. (FYI, go get X1 if you haven’t tried it yet.)

I recommend Desktop Search to everyone because it lets you shift your focus from “where do I file this email” to “what was the email about.” Searching for a partial phrase or part of an attachment that you remember from months ago will find the email thread in less than a second. An amazing time saver.

Why is this important? It got me thinking that Desktop Search is a great example of the move from rigid structure to content. Google is the leader with its “we want to index everything” approach to business, and you can see how it is paying off financially while introducing many security-related concerns. Security is going to move into this content-focused world as well. In the next few years we will see more application “vulnerabilities” that are exploited by social engineering the user (which is a change of content, if you think about it), as malware and phishing do, than by bypassing a program’s structure with something like a buffer overflow. The ability of an application to carry malicious content will become the vulnerability.

Malicious content, sadly, is much harder to detect than a structural violation. A structural violation can be compared against a baseline or standard, where anomalies are easily seen. Malicious content, however, is all about intent, something humans have had a hard time analyzing for thousands of years. You may think some content is malicious and others may not, so who gets the deciding vote?

The Indexing and Searching of Content is changing the world and you should start recognizing the high risks of the content within your applications, databases, and file servers.

What framework should you pick?

Friday, January 4th, 2008

I commonly am asked questions such as “Do you prefer COBIT or ITIL?” or “We really like the benefits of framework X but there is so much more readily available for Y, what do you think?”

In 2007, the Global Information Security Survey, which represents 5,555 respondents covering all regions of the world, reported the following framework adoption rates (percentage of respondents, by region):

                                Overall   North America   Europe   Asia
  ITIL                            45%          43%          50%     46%
  COBIT                           25%          32%          27%     19%
  BS7799 / ISO17799 / 27001       36%          29%          43%     39%
  SAS 70                          18%          28%          11%     13%
  PCI                             23%          34%          17%     18%

It looks like ITIL is out on top. I think this is mostly due to the fact that ITIL has a lot of literature available in the market and many people have used it, so it is easier for some organizations to implement.

Source: CSO Magazine

Savid mentioned in article: Help Embrace the FUD

Saturday, December 29th, 2007

From http://www.echannelline.com/usa/story.cfm?item=22254

Step inside the mind of your prospective customer — the buyer of IT services and products — and you’ll see every possible flavor of fear, uncertainty and doubt (FUD). You’ll see fear of switching from the evil they know (their existing VAR) to your business. You’ll see the natural doubt any buyer has against a new (and untested) salesperson. You’ll see uncertainty from the misinformation your competitors use to cloud the buyer’s mind and get a foot in the door. Spend enough time inside your prospective customer’s brain and you’ll see that FUD is the direct result of not having enough information to make an informed buying decision.

So how do you overcome the FUD? How do you remove FUD from the transaction? We spoke to VARs and buyers of IT services about these questions and we’re delighted by the overwhelming response we received.

According to Tiffani Bova, research director at Gartner (www.gartner.com), worldwide IT channel sales, programs and alliances, “one way to remove the FUD factor in the sales process is showing prospects that you understand their business better than your competition, have done similar work for other companies like theirs, use the technologies internally yourself, and build a strong reputation around ’service after the sale.’ These activities go a long way especially in the SMB space.”

Michael Davis, CEO of Chicago-based Savid Technologies (www.savidtech.com), removes FUD by offering a pilot program for all projects. “If it doesn’t work, we will take it out and charge them nothing. This forces us to test products internally before we sell them, that’s why we don’t have 500 products partners. They don’t all work and we only want to sell what will work.”

Some believe FUD need never really be an issue.

“In the initial sales process, the easiest way is to never sell at all - at least in the classic sense of sales. If the customer perceives you as someone taking a genuine interest in their problem rather than a sales rep hunting for a commission, the sale more or less completes itself,” said Kaustav Mitra, president of Mitra IT, a Los Angeles-based systems integrator.

But FUD exists beyond the sales call. Any new engagement has elements of FUD in installation, integration, support and service. Towner Blackstock, software services manager for CIS Consulting (www.cisinfo.com), a Charlotte, North Carolina VAR of Sage Software, reduces installation and integration FUD by emphasizing the importance of training. “Classroom instruction is essential to a successful implementation and rapid ROI. When clients neglect training on new software, frustration builds, confidence lags, and they spend more money on onsite support,” said Blackstock.

Blackstock also believes operations software can’t succeed without good hardware and networks. “That’s why we started our own IT group that specializes in software installation. This eliminates a lot of finger-pointing between vendors and allows our application consultants to focus on implementation. Even if a client doesn’t purchase our hardware, we have the in-house expertise to troubleshoot system issues.”

In the support role, having someone who is always available can minimize problems. Although it seems overly simple, Savid’s Michael Davis provides clients a contact list containing complete contact information for all employees. “Everyone in our company understands they must be available to all clients whenever they need them. All of our clients understand that not only are we available to them whenever they need, but we have an open door policy. You don’t like the way something is heading/running, call me or meet with me and let’s figure it out. In the end, the client is not always right but they are always right about what they want and how they want it.”

From a buyer’s perspective, Fred Held, a Los Angeles, California buyer of IT services in his role as principal of a private equity and management company, believes the VARs who focus most on overcoming relationship FUD are the ones most likely to succeed. “As someone who has hired many VARs in his career, I’m looking for the little things such as VARs that cost slightly more per day but the number of days they work is much lower. VARs that are available by telephone any time of day any day of the week and they are happy to hear from you. VARs that check to make sure what they installed is working well and the front line is happy.”

While removing FUD from the transaction is a good strategy for getting in the door, it remains a viable sales tool once you have established a relationship with the customer. Coley Perry, sales manager for Solution Partners (www.solpart.com), a Naperville, Ill.-based technology staffing and consulting firm, wants his customers to have just the right amount of FUD. “I want our customers to be so happy that the thought of switching to a new vendor causes fear, uncertainty and doubt.”

Some thoughts on decentralizing the infrastructure without decentralizing security

Friday, December 28th, 2007

Security as the Tipping Point for Tech Infrastructure Consulting

I was thinking today about how current best practices for securing the enterprise, and the continuing evolution of the threats, demand a different perspective on how to build, develop, and secure a robust infrastructure for a decentralized workforce.

This post is my opinion on how the new kind of IT practitioner is meeting these challenges in a more horizontal way. In fact, the whole idea of “infrastructure” has been undergoing a deconstruction for years, certainly ever since the Internet became a meaningful business environment. It’s no coincidence that one of the fastest ways to identify old-think tech folks is how they treat security. And it’s probably true that “as goes security, so goes the rest of tech consulting work.”

It is usually pretty easy to spot the “security guy” that doesn’t actually get security. He is the one that says you need to do X to “protect yourself from the external attacker!” Sorry to tell you, but the external attack is dead. We have spent the last 10 years building so many moats around our villages (our networks) that we forgot that the village idiot lives on the inside, right next to the king. Security is not just about the external attack. Security is involved in every part of the infrastructure, from the WAN to the PDA to the digital camera an employee brought in to upload some photos.

Internal users, whether they are located in your building or not, are more of a risk today than ever before as businesses decentralize, build more mobile workforces, outsource, and offshore. The lines that old-school security engineers relied upon to delineate “security zones” are disappearing. A holistic security plan has always been preached in the universities, books, and training seminars that security engineers and security consulting firms have attended. What has changed is that holistic security used to be a nice-to-have, but now it is a must-have. Consulting firms still do not understand the business reasons for a specific security technology, don’t understand the technology itself, and very few work with the customer to ensure the product succeeds at actually reducing their risk.

The village idiot is unable to steal from the village if all the villagers’ doors are locked and windows shut. The new IT practitioner understands this approach and how the various security technologies work together to form a strong infrastructure. It is not about what Product X can do for a specific risk, it is about how that risk reduction affects the other risks within the organization. It’s about balancing the risk with the return.

This change requires a different perspective when building, developing, and implementing secure and robust infrastructure. Organizations must meet the challenges proposed by a holistic security approach and realize that since the advent of the Internet businesses have decentralized their infrastructure without decentralizing the security infrastructure. As the two become more and more decoupled from an architecture and geographic perspective they will actually become closer to each other in regards to the organization’s risk. Neither the technology infrastructure nor the security infrastructure can succeed independently.
