Tuesday, June 14, 2016

FIRST 2016 - Innovation

Today's keynote at the FIRST conference discussed the importance of innovation in security products and services. Not everyone is a fan of such things.

_______

Innovation, you say?
It's easy to say.
Harder to do when you're spending your day
Fighting the fires and calling out liars
And answering calls from your C-level criers.
We barely have time to kick all the tires
On products we buy
Whenever we try
To solve all our problems
When the budget is high.
(Sometimes we barely can even ask why.)
Often we're choosin'
Tools that are proven
By peers who have shown
That they're really worth usin'
And are ones that risk management ain't refusing.
We'd like something new,
Innovation that's true,
But it's rare that it's something we'd purposely do.
Radical changes we often eschew.
Innovation is something, I guess, that we fear.
It's something, I'd say, you'll never find here.

Monday, June 13, 2016

FIRST 2016 - Tabletop Exercises

Running tabletop exercises to practice and learn about an organization's incident response processes, and to improve those processes, is an excellent thing to do. Kenneth van Wyk gave an excellent presentation on how to run tabletop exercises.

_____

Fledgling stretches wings
Learning how to make them work.
SOC testing new tools.

A confident hawk
Dives to catch its fleeing prey.
The IDS fires.

Unseen in the trees,
Trappers wait with heavy nets.
A tabletop drill.

How will the hawk eat
When its wings and beak are bound?
Prepare for the worst.

Hawk learning to hunt
While tied to the rocky ground.
SOC will be ready.

No matter the wind,
The rain, or the predators.
Business must go on.

FIRST 2016 - The Vulnerability Lifecycle

CERT/CC presented a workshop on coordinating vulnerability disclosure. Understanding the vulnerability life cycle helps when developing a corporate vulnerability management process.

_____

Vulnerabilities live, those wee nasty things.
And all through their lives, oh, the mess that they bring!
First they're discovered through various methods,
Researchers probing and using their big heads
Or accidents happening by users at play
That leave them amazed or completely dismayed.
Once it's discovered, it's time for disclosure,
Which may cause a vendor to lose their composure.
This process requires so much c'ordination
Which reduces the impact and bad situations.
Before things are published, we look for a fix:
Remediation through patches or similar tricks.
Deploy out the changes and work toward removal
Of bugs or the process that earned disapproval.
Not much of a life! Vulns are no fun.
Though they seem to be smiling as they yell and they run.

Sunday, June 12, 2016

FIRST Conference 2016

Many of my InfoSec peers have come to Seoul to attend the 28th Annual FIRST Conference. It should be a fun, busy, and illuminating time! It is my first big conference since leaving my higher ed crew. I hope these folks will party as hard.

______

Welcome to FIRST!
It's time to get funky.
We've all got some problems
On our backs like a monkey.

Criminals trying to get all our goods.
(Some of them organized, some are just hoods.)
How do we share the intelligence gathered?
What are the details we found really mattered?
What are the tools that we all kinda need?
Who can we turn to when we start to bleed?
Red teams and training and policy work,
Pressos that aim to eat through the murk.

Let us get started. Just dive in and go.
Listen and share, help community grow!

Thursday, March 10, 2016

Boston Security Camp - Afternoon Session

From the afternoon session of the BC Security Camp.

REN-ISAC

REN-ISAC watches,
Threat sharing flows through their hands,
Tall trees grow stronger.


APT Experiences

Even an oyster,
Old, rotten, may have a pearl.
Must open a phish.

VirusTotal shrugs
At the malware file we found.
Wolves howl outside.

IOCs popping.
The APT evolving.
Wounded lamb crying.


Creating a Good Business Relationship Between IT and Treasury for PCI compliance

One good data breach.
Storm water breaks through a dam.
Beavers must rebuild.

Follow the money.
Stars pointing to Treasury:
A PCI map.

Sharing the burden,
Huddling against the winds
Of attestation.

Database Security

The harsh thunder booms
When audit arrives, seeking
Your database logs.

A giant mountain,
Oracle databases.
Their logs are lava.

Information flows
Meta information grows.
DBA hair grays.

Boston College Security Camp - Morning Haiku

I have the privilege of attending this year's Security Camp hosted by Boston College. This morning's presentations inspired some haiku.

Security Camp.
Talks around the camp fire.
Ghost stories, epics.


Moving to the Cloud - Resistance is Futile

Somewhere in the Cloud,
Raindrops form from falling ice.
Your data in tears.

Backups in the Cloud
Backing up backed up data.
Clouds, rain, ocean, clouds.

Acquiring clouds
And claiming them to be yours.
A game for sad fools.


Information Stewardship Governance Program

Stewarding data,
Each piece led across the Styx
Or to calm prairies.

Understand your data:
A wolf knows all paths traveled
By each pup and prey.

Acorns stored by squirrels
Remain hidden all winter.
Come spring, they grow large.


Software Identification Tags

What should be patched when
Vulnerabilities drop?
Ask the wind and hope.

Browsing undergrowth,
Doe wishes she knew what's there,
Eating, not searching.

XML flowing,
Tagging the world that it knows.
Each leaf on each branch.

Wednesday, January 6, 2016

CVE Haiku

CVE is a useful bit of infrastructure under the US IT sector's vulnerability management machine. However humble, it is still inspirational.

CVE Haiku

CVE counting.
How many motes of pollen
Drifting o'er a field.

A home for problems:
The tree becomes much greater
When we name the leaves.

No one can tell you
What's vulnerability.
Is each fear unique?

Monday, October 5, 2015

Live Data In Dev, Live Data in Test

One of the more recent examples of poor development policies was the compromise of Patreon's test environment, in which they used live data, apparently. This is a bad practice for many reasons, but it's a practice that still happens often.

Live Data In Dev, Live Data In Test

I had a cool dream to build a cool site.
I coded it hard, with all my might.
When I decided 'twas time for a test,
I wanted the data I knew that was best.

Live data in dev, live data in test.
Why settle for data that's anything less?
I had to be sure that it's all working fine.
And I'd tested it all completely online.

I sent out the link to my friends in QA.
Worried a bit about what they may say.
But bringing in Infosec wasn't a thought:
Only later they found what a mess I had wrought.

Live data in dev, live data in test.
Why settle for data that's anything less?
I had to be sure that it's all working fine.
And I'd tested it all completely online.

My friends in QA were happy, they said.
I migrated to live sans feelings of dread.
My dev and test servers? I'd keep them around
In case there were unforeseen bugs that were found.

One of those bugs was the QA account:
Password of "QA" and a live data mount,
Still active within my development host,
Discovered by hackers and shared on a post.

Live data in dev, live data in test.
Why settle for data that's anything less?
I had to be sure that it's all working fine.
And I'd tested it all completely online.

All of that data has flown all away!
The old morning papers have so much to say.
Pastebin and reddit have made many copies
Someone has even wrote it to floppies.

Infosec's asking me what I was thinking.
Using live data; had I been drinking?
"No," I explained, "I was doing my job,
Though not any more," it dawned with a sob.

Live data in dev, live data in test.
Why settle for data that's anything less?
I had to be sure that it's all working fine.
And I'd tested it all completely online.

Wednesday, August 12, 2015

Upon My Eyes - Goodbye, Higher Ed

My time in higher ed infosec is coming to an end as I have accepted a job with The MITRE Corporation. I look forward to moving into a different realm to continue to fight the good fight while working for the public interest.

With this poem, I say goodbye to my peers throughout higher ed, but these songs will not end. As I move on to this next chapter in my career, I hope to continue to sing and dance to the beats of the digital beatings we withstand fighting the bad guys and bad coders.


Upon My Eyes

Upon my eyes,
the hex of a million flows
has rolled and roiled,
data and intention drifting by
on waves of light and electron.

Upon my eyes,
the hopes and desires of young minds
seeking to learn the proud and profane
have danced to the beats of a million
stolen songs.

Upon my eyes,
the works of the brilliant and inspired
have exploded like cascading meteors
to illuminate a world
hiding in the dark
just for glimmering moments.

Upon my eyes,
the digital curses
of the low and sinister
have left scars,
having shrieked and stabbed
into the flesh of the unprotected and undeserving.

Upon my eyes,
grown tired from hours
of watching and counting and hoping,
the Internet played its inscrutable game
while I could only cheer and howl.

Upon my eyes,
the warm glow of hope left a soothing balm,
comforting my eyes
and giving them the strength
to open again.

Wednesday, May 6, 2015

SPC 2015 - Five to Ten

Christopher Buse, the CISO for the State of Minnesota, gave an interesting keynote to end this year's SPC. One take-away I got from his talk is to plan, be patient, and remember that change can take time.

Five To Ten

Five to ten years, five to ten years!
How many years will it take?
So many problems, so little spend.
The flour but none of the bake.

We have all the problems, never a fix.
We know the bad issues are here.
We try different process, we try different tricks;
No way we do it this year.

Climbing the mountain of business and risk,
We do it one step at a time.
The dangers are present, opportunities missed.
Our methods themselves are a crime.

We have to be patient, and we have to be smart;
Build service and not just the tech.
We have to speak calmly and speak from the heart
While steering the ship from a wreck.

Goals should be settled and metrics be set:
We measure our progress gone by.
Steady and slow, the challenge is met;
Be strong and try not to cry.

Opportunities come, but watch them with care.
They move much more quickly than we.
Stay open, stay hungry, and take on the dare
Of learning and listening with glee.

It may not move quickly, it'll never be fast
But time that we spend means a lot.
We'll find out that after five to ten past
We'll have so much more than we've not.