Federal SSN Purge

Posted June 4th, 2007 by

Nice posting at Emergent Chaos on Social Security Number Purges.  Imagine that.  I see people who collect SSNs around DC like they’re candy.

Need to get into a building? We collect your SSN, as if terrorists don’t have them and as if you can’t lie about what yours is.  Come to think of it, I did that for 6 months at one site and nobody caught on. =)

Posted in Odds-n-Sods, The Guerilla CISO | No Comments »

Guerilla CISO Tip: Get Inside the Data Center

Posted June 4th, 2007 by

I’m an engineer at heart. I love technology and I love to build. I can’t really understand the operational mindset, which is a weakness I have to work around at times, considering I’m managing security for an operational division.

Back in November, I spent a month building $3 million worth of equipment. The reason? It was the biggest risk to my organization at the time: failure to meet a delivery deadline.  As a side benefit, I know what each and every device does.

In fact, if I haven’t done anything techie in a week, I start to get antsy. I go home and rearrange my Linux partitioning scheme just to move data around.

There’s a lesson in there: Get out of the office and into the Data Center at least once a week, even if you’re a total wonk.

Common sense, right? But you would be surprised how many security people don’t get out of their cubicle and go see the technology. One of the critical failings of how we do security in DC is that, because there is a shortage of people with hard skills, we send in people with soft skills instead: financial auditors, technical writers, and quality assurance staff. Don’t get me wrong, there is a place for these people in security as long as they adopt a security mindset, but overall your security staff need to have some sort of technical background.

Question is, how do you get your non-technical staff into the technology?  Believing in practical solutions and advice, I have a couple of tactics, techniques, and procedures for you:

  • Give them the responsibility to do a data center walkthrough every week
  • Assign them as direct support to a smaller project
  • Turn them into a mobile vulnerability scanning and reporting team
  • Send them to investigate the security implications of a specialized technology like a SAN
  • Give them a cubicle next to the system administrators and encourage them to socialize

Of course, none of this is really a new idea; these are basic career development activities for a junior security staff member.  I guess that’s the topic for a later post. =)

Posted in Technical, The Guerilla CISO, What Works | 4 Comments »

How I Became the Owner of Two Rogue WiFi APs

Posted May 29th, 2007 by

I’ve been a bad little CISO. I should know better. But hey, how can I maintain my BOFH credentials if I don’t do something bad from time to time?

Anyway, let me explain it all.

Inside my area of responsibility (aka my job scope) there are several networks. One is a closed network that we use for management and monitoring of our customers. Another is our corporate network. A third is our guest network where all you can do is access the outside world.

So what we wanted to do was to add a wireless access point to the guest network. That way our guys can stay connected between meetings. Not an uncommon use case.

Corporate IT has a solution they roll out everywhere. If I give them a cost center, they will give us a completely wide-open WiFi AP with an ESSID of “guest”. It’s the only solution that they will support.

I have 20 or so customers. They have varying levels of security savvy depending on how mature the organization is. Some of them believe in “Security Through Level of Pain”–in other words, they make it so hard to ask for permission that nothing ever gets done.

Now, some of these clients think that they own my building. That’s not necessarily a bad thing, but if I have a wide-open “guest” AP in my building, then they all think that I have broken their security policy which says “no WiFi”. Even though eventually I can explain how the wireless is not connected physically, logically, or even tangentially to their network, their gut reaction is to make me take it down. I have yet to lose a disagreement over things like this, but 20 customers later, they’ll wear me down to the point where I need to go home and sleep. That’s very much in the spirit of “Security Through Level of Pain”.

If I have WiFi in the building, it has to be WPA2, no questions asked. I can justify that to the government, it makes my life oh-so-much easier. I ran a waiver through my boss and his boss that documented the security controls around how I wanted the design to be.

I talked to the guy from Corporate IT. I explained to him who I was and what I wanted to do. I explained the waiver and what the risks are. His answer was that he needed approval through management. However, he wouldn’t tell me who “the management” was. The only saving grace in this conversation was the fact that he didn’t remember my name. =)

I got a forwarded email a couple of days later from the Corporate IT guy asking our data center manager who could authorize a wireless connection (I had already authorized it with a waiver, remember?). I had a quick conversation with the data center manager that went along the lines of “Yeah I know about that, it was me.”

Rather than pull teeth, I bought 2 Linksys SOHO APs and wired them to the guest network. It’s not perfect (if you go from one side of the building to the other, you lose your association and have to do things like reconnect via VPN), but I set it up with WPA2 and it’s on the guest network where all you can do is get to the Internet. One sits in my office, the other sits in a closet between two conference rooms. Everybody who needs to use the APs knows how to do it.
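The difference between the AP Corporate IT offered and the one the waiver required comes down to a handful of settings, and the setting that most often bites people is the mixed WPA/WPA2 default that many SOHO APs ship with. The example below is added here and is not from the original post or from the Linksys units it describes; it uses hostapd-style configuration as an assumed, readable stand-in for the AP’s settings, and the audit function is a hypothetical check written to match the post’s “WPA2, no questions asked” rule.

```shell
#!/bin/sh
# Added example (not the post's own setup). hostapd syntax is assumed here
# only as a readable way to show the three configurations side by side.

# 1. The Corporate IT offering as the post describes it: a wide-open AP,
#    ESSID "guest", no wpa= line at all, so no authentication or encryption.
open_guest_conf() {
    cat <<'EOF'
interface=wlan0
ssid=guest
hw_mode=g
channel=6
EOF
}

# 2. The common SOHO factory default: "WPA/WPA2 mixed". wpa=3 enables both
#    WPA1 and WPA2 and wpa_pairwise=TKIP keeps the weak cipher available for
#    WPA1 clients, so this does NOT satisfy a "WPA2 only" waiver even though
#    the admin UI usually labels it as WPA2-capable.
mixed_mode_conf() {
    cat <<'EOF'
interface=wlan0
ssid=guest
hw_mode=g
channel=6
wpa=3
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
rsn_pairwise=CCMP
wpa_passphrase=replace-with-a-long-random-passphrase
EOF
}

# 3. What the waiver in the post calls for: RSN (WPA2) only, CCMP only,
#    no WPA1/TKIP fallback. Use the same ssid and passphrase on both APs
#    so clients can associate to whichever one is in range.
wpa2_guest_conf() {
    cat <<'EOF'
interface=wlan0
ssid=guest
hw_mode=g
channel=6
wpa=2
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
wpa_passphrase=replace-with-a-long-random-passphrase
EOF
}

# audit_ap_conf FILE
# Hypothetical policy check: prints one line per finding and returns 1 if
# the config fails the "WPA2 only, CCMP only" rule, 0 if it passes.
audit_ap_conf() {
    f=$1
    rc=0
    grep -q '^wpa=2$' "$f"             || { echo "$f: wpa=2 (RSN/WPA2 only) is required"; rc=1; }
    grep -q '^rsn_pairwise=CCMP$' "$f" || { echo "$f: rsn_pairwise=CCMP is required"; rc=1; }
    grep -q 'TKIP' "$f"                && { echo "$f: TKIP must not be offered"; rc=1; }
    grep -q '^wep_' "$f"               && { echo "$f: WEP settings present"; rc=1; }
    return $rc
}

# Usage: write the three configs to files and audit each one.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    open_guest_conf > "$d/open.conf"
    mixed_mode_conf > "$d/mixed.conf"
    wpa2_guest_conf > "$d/wpa2.conf"
    for c in "$d"/*.conf; do
        if audit_ap_conf "$c"; then echo "$c: PASS"; else echo "$c: FAIL"; fi
    done
    rm -rf "$d"
fi
```

Run the script with `demo` as its argument to see the open and mixed-mode configs fail and the WPA2-only config pass. The audit only looks at the radio side; it says nothing about whether the segment behind the AP is really limited to Internet access, which is the other half of the post’s justification and has to be verified on the wired side (firewall or VLAN policy), not on the AP.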

Hi, my name is “Mike” and I’m the owner of two rogue wireless access points.

I’m also a Guerilla CISO.

Posted in Technical, The Guerilla CISO | 4 Comments »

Interview Questions

Posted May 27th, 2007 by

Liquid Matrix Security has a good blog post on interview questions.  I filled out my answers because out of all the surveys that I’ve read over the past couple of years (If you read your daughter’s email, you’ll see she gets one of these every week), this one is the most fun that I have seen so far.

Posted in The Guerilla CISO | 1 Comment »

My New Fan Club

Posted May 16th, 2007 by

Somebody in SE Virginia has been spreading my name around, and now it feels like I have a new fan club down there.

We have a couple of data centers and projects in the Hampton Roads area (Norfolk, Chesapeake, Hampton).  They got my name from another one of our data centers that I interact with regularly.

Now I’m getting emails from people I’ve never met before looking for help with this FISMA thing or help with a DR/COOP proposal.  I even fielded one call about clearances while I was looking for bits of fur at the local fly shop.  I think the more I help them out, the more calls I get from that area.

Which brings up my personal consulting policy.  If it takes up less than 30 minutes or so of my time, I’m always free for a call or email.  Any amount of time over that, you need dedicated help and probably need to contract somebody to do it.

I still get the occasional call from people I taught a year ago asking for help with a particularly tricky problem.  It’s nice to feel needed from time to time. =)

Posted in The Guerilla CISO | 1 Comment »

Personnel Turnover

Posted May 15th, 2007 by

Personnel turnover has to be the bane of life as a contractor in the DC area. As soon as you get somebody hired and trained, they’re out the door, taking the life of the project that they started with them. I think the average is less than a year.

I’m really rare. I’ve worked with the same company for 4.5 years. That’s an eternity in the environment I’m in. Granted I took a “little vacation” to “someplace sunny” in 1994, but still, I came back.

There are a couple of reasons that we have such a high turnover rate in the area:

  • The demand is high and the supply of good security people is low. That means that the salaries are going up just as fast.
  • Because salaries are so high, there is a very sizeable gap between entry-level positions and the top positions. HR raise formulas don’t compensate for this, so the only way to get a good salary increase year after year is to job-hop.
  • Key personnel change at your company? No problem, you can very easily land somewhere more friendly. There isn’t much encouragement to stick around and work out your differences.

Like I say all the time, there are 2 job markets for me as a security professional: DC and the rest of the world.

As for why I’ve been at the same place for over 4 years, well, I hop around from project to project and site to site inside the company. In some ways, I’m letting the staffing burn rate make opportunities for me.

Posted in Rants, The Guerilla CISO | 1 Comment »
