Monday, October 5, 2015

Live Data In Dev, Live Data in Test

One of the more recent examples of poor development policy was the compromise of Patreon's test environment, which apparently held live data. This is a bad practice for many reasons, but it is still a common one.



Live Data In Dev, Live Data In Test


I had a cool dream to build a cool site.
I coded it hard, with all my might.
When I decided 'twas time for a test,
I wanted the data I knew that was best.

Live data in dev, live data in test.
Why settle for data that's anything less?
I had to be sure that it's all working fine.
And I'd tested it all completely online.

I sent out the link to my friends in QA.
Worried a bit about what they may say.
But bringing in Infosec wasn't a thought:
Only later they found what a mess I had wrought.

Live data in dev, live data in test.
Why settle for data that's anything less?
I had to be sure that it's all working fine.
And I'd tested it all completely online.

My friends in QA were happy, they said.
I migrated to live sans feelings of dread.
My dev and test servers? I'd keep them around
In case there were unforeseen bugs that were found.

One of those bugs was the QA account:
Password of "QA" and a live data mount,
Still active within my development host,
Discovered by hackers and shared on a post.

Live data in dev, live data in test.
Why settle for data that's anything less?
I had to be sure that it's all working fine.
And I'd tested it all completely online.

All of that data has flown all away!
The old morning papers have so much to say.
Pastebin and reddit have made many copies
Someone has even written it to floppies.

Infosec's asking me what I was thinking.
Using live data; had I been drinking?
"No," I explained, "I was doing my job,
Though not any more," it dawned with a sob.

Live data in dev, live data in test.
Why settle for data that's anything less?
I had to be sure that it's all working fine.
And I'd tested it all completely online.

Wednesday, August 12, 2015

Upon My Eyes - Goodbye, Higher Ed

My time in higher ed infosec is coming to an end as I have accepted a job with The MITRE Corporation.  I look forward to moving into a different realm to continue to fight the good fight while working for the public interest.

With this poem, I say goodbye to my peers throughout higher ed, but these songs will not end.  As I move on to this next chapter in my career, I hope to continue to sing and dance to the beats of the digital beatings we withstand fighting the bad guys and bad coders.



Upon My Eyes


Upon my eyes,
the hex of a million flows
has rolled and roiled,
data and intention drifting by
on waves of light and electron.

Upon my eyes,
the hopes and desires of young minds
seeking to learn the proud and profane
have danced to the beats of a million
stolen songs.

Upon my eyes,
the works of the brilliant and inspired
have exploded like cascading meteors
to illuminate a world
hiding in the dark
just for glimmering moments.

Upon my eyes,
the digital curses
of the low and sinister
have left scars,
having shrieked and stabbed
into the flesh of the unprotected and undeserving.

Upon my eyes,
grown tired from hours
of watching and counting and hoping,
the Internet played its inscrutable game
while I could only cheer and howl.

Upon my eyes,
the warm glow of hope left a soothing balm,
comforting my eyes
and giving them the strength
to open again.

Wednesday, May 6, 2015

SPC 2015 - Five to Ten

Christopher Buse, the CISO for the State of Minnesota, gave an interesting keynote to end this year's SPC.  One take-away I got from his talk is to plan, be patient, and remember that change can take time.


Five To Ten

Five to ten years, five to ten years!
How many years will it take?
So many problems, so little spend.
The flour but none of the bake.

We have all the problems, never a fix.
We know the bad issues are here.
We try different process, we try different tricks;
No way we do it this year.

Climbing the mountain of business and risk,
We do it one step at a time.
The dangers are present, opportunities missed.
Our methods themselves are a crime.

We have to be patient, and we have to be smart;
Build service and not just the tech.
We have to speak calmly and speak from the heart
While steering the ship from a wreck.

Goals should be settled and metrics be set:
We measure our progress gone by.
Steady and slow, the challenge is met;
Be strong and try not to cry.

Opportunities come, but watch them with care.
They move much more quickly than we.
Stay open, stay hungry, and take on the dare
Of learning and listening with glee.

It may not move quickly, it'll never be fast
But time that we spend means a lot.
We'll find out that after five to ten past
We'll have so much more than we've not.

SPC 2015 - CISO HULK

CISO HULK NEW TO JOB.  CISO HULK MUST SING AWAY PAIN.


CISO HULK


HULK GET JOB IN INFOSEC
CISO ROLE IN HIGHER ED
HULK IS MAD BUT HULK IS SCARED
HULK NOT KNOW WHAT IN FOLKS' HEAD

HULK SEE YOU THINK YOU GET MAIL
BARRISTER NO KNOW YOUR NAME
HULK SEE KIDS USE P2P
HULK SEE THIEVING FACEBOOK GAME

HULK DID RESEARCH, BUT NO MORE
FISMA RULES RUIN ALL HULK GRANTS
HIPAA RULES, THEY MAKE BAD TOO
HULK RESEARCH LIKE HIS TORN PANTS

HULK SEE HOLES IN ERP
HULK FIND BAD WEB CROSS-SITE SCRIPT
SQL GET INJECTION
THAT WEBSITE, LIKE SHIRT, IS RIPPED.

HULK MUST BUILD INFOSEC JOB
HULK ASK BOSS FOR LOTS MORE CASH
HULK NO GET, HULK MUST GET BY
ALL THIS STUFF JUST MAKE HULK SMASH

Tuesday, May 5, 2015

SPC 2015 - HEISC Information Security Guide

HEISC, the Higher Education Information Security Council, has created an Information Security Guide to help Higher Ed CISOs develop and grow their security programs.  It's good food.  Check it out.


HEISC Information Security Guide


HEISC!  HEISC!  Say it twice.
Working to help and give you advice.
They made up a helpful and detail-filled guide.
Come on along for a game-changing ride!

Fourteen domains, the editors scribed;
Getting you started with wisdom they tried,
Managing risks and closing up gaps,
Giving direction and warnings on traps.

Offering models and frameworks galore,
External sources for raising the floor.
Mapping out standards from ISO to NIST,
Accounting for PCI, HIPAA's real gist.

How do you monitor, log, and review?
How do you know when your data's all true?
How do you monitor contracts and laws?
How do you deal with software that's flawed?

This guide will help you, HEISC has done good.
Managing risk will be done like it should.
Doing awareness?  Policy growth?
This guide will help when you're mapping out both.

Fear not The Cloud.  It helps you with that.
If it can't help you, I'll eat up my hat.
Take a quick look, you'll like what you see.
An infosec guide that is offered for free!

SPC 2015 - NIST Risk Rap

The Ohio State University has developed an impressive Information Risk Management program.  I plan to steal a lot of it.

I plan to rap about it too.  Oh, look.  There it is.



NIST Risk Rap


Do you wanna know how to manage risk?
Lemme rap a bit 'bout a thing called NIST.
Hundreds of pages, hundreds of rules.
Gonna be adopted by so many schools.

It comes from a Federal agency,
Makin' up the standards, all for free.
(Well, also bought through Federal taxes,
But never mind that, it's the least of fact-es.)

I'm talkin' about one: eight hundred five three.
A nice long list specifying what be.
Giving you the standards, giving you controls.
Ammo for fighting your faculty trolls.

But don't stop there, gotta take the next step:
Architect it out like an Imhotep.
Makin' up the metrics, makin' up the forms,
Leading stakeholders, embracing new norms.

Assessments help, but keep them scoped small,
Otherwise the hill just becomes too tall.
Create yourself a process sustainable.
Keep your change goals all attainable.

If you build it right, risk will drop like beats.
Risk management: a most awesome of feats.

Word.

SPC 2015 - How To Sell Security

I sat in on William Perry's talk entitled Rethinking and Simplifying Security: A Best Practices Roadmap.  One of his points was the need to develop a good value proposition for any security program change you make.

This idea drove me to haiku.  (Yes, one can haiku.  Verb all the things.)



How To Sell Security


Only the greenhouse
Survived the plague of locusts.
The gardener planned.

An angry gray goose
Chases the red, hungry fox:
Her chicks protected.

Frightened zebras run
Lion is dazzled, confused;
Until one falls back.

Monday, May 4, 2015

SPC 2015 - These Numbers Are The Devil

I co-presented a seminar called PCI Program Frameworks: Learning to Cope with Compliance this morning.  We had an excellent group of engaged participants.  I hope they got something good out of it.  They did get a poem out of it.


These Numbers Are The Devil


These numbers are the devil.
They hide in shaded veils.
They grace the backsides of billboards.
They travel on whispers through the air.
Whispers themselves,
They sour the best of intentions:
A vapor that slips through cracks and open doors,
Seeding hearty vines of complexity.

Those numbers live and grow and multiply.
They feed on the food of commerce.
To silence them would be a fool's game,
As their echoes travel far and wide.

No, these numbers must be counted
And counted on
And welcomed, but not without rules or cages.
These numbers are the sighs of sleeping tigers,
Dreaming of the free places they have known.

Sunday, May 3, 2015

SPC 2015 - At The Bar



At The Bar

Before the deep dive into tech tracks and panel discussions,
Before the keynotes and coffee lines and vendor smiles,
Before we get our badges and drink tickets to trade,
We sit together, sip, and talk away the miles.

We travel from coast to coast or beyond the glistening seas.
We travel from our institutions, varied, flawed, and driven.
We travel from our day-to-day to take the time to ponder.
We sit together, sip, and share what each is given.

We smile to the waitstaff who bring our chips and beer.
We smile at the stories of battles won and lost.
We smile at the notion that our worlds are quite the same.
We sit together, sip, and disregard the cost.

In the morning, we awaken and coffee is our drink.
In the morning, we will seek the truth among the murk.
In the morning, we'll devise the evening's social fun
When we sit together, sip, and celebrate the work.

Thursday, April 30, 2015

Passwords For Nothing

Time to get the creative juices flowing for this year's EDUCAUSE Security Professionals Conference.

The following is to the tune of "Money for Nothing" by Dire Straits.  I like to imagine Knopfler riffing through the whole thing.


Passwords For Nothing


I want my, I want my IRC.
I want my, I want my IRC.
I want my, I want my IRC.
I want my, I want my IRC.

Now, look at that CISO, that's the way you do it.
You play the hax up that were on TV.
That ain't working. (Nothin's gonna do it!)
They get your passwords for nothing, get your creds for free.

No, that ain't working.  AV just won't do it.
Lemme tell you, them guys ain't dumb.
Maybe get a password through a phishy message.
Maybe get a shell with injection.

We got to install UTM software.
Custom snort sigs: deliver me-e-e-e!
We got to move these bad IP packets
We got to install crappy AVeeeee!

The little malware with the logger and the screen caps?
Yeah, buddy, that's on your phone.
The little malware's got an IRC bot.
The little malware is a pesky drone.

We got to install UTM software.
Custom snort sigs: deliver me-e-e-e!
We got to move these bad IP packets
We got to install crappy AVeeeee!

We got to install UTM software.
Custom snort sigs: deliver me-e-e-e!
We got to move these bad IP packets
We got to install crappy AVeeeee!

I shoulda learned to code things in python.
I shoulda learned to code in C.
Look at that backdoor, he's got it, sitting in the web dir, man.
This hacker's no fun.

And what's up where? What's all that? Some cloud-based service?
It looks to be designed by a chimpanzee.
No, that ain't kosher.
That's the way you do it:
If you want all your data given out for free.

We got to install UTM software
Custom snort sigs: deliver me-e-e-e!
We got to move these bad IP packets
We got to install some crappy AVeeeee!

Now, listen here.
Now, that ain't workin'.  Awareness just won't do it.
You're playin' catch-up with an APT.
That ain't workin'!  A vendor just won't do it.
Passwords for nothing, get your creds for free.

Passwords for nothing, and your creds for free.
Passwords for nothing, and your creds for free.
Passwords for nothing, and your creds for free.
Passwords for nothing, and your creds for free.

I want my, I want my IRC.
I want my, I want my IRC.
I want my, I want my IRC.
I want my, I want my IRC.

Monday, April 6, 2015

On The Wire, I Can See

So much is there, right before our little nosy eyes when we have a sniffer and the will to use it.


On The Wire, I Can See

On the wire, I can see
Traffic not destined for me.
In the air, sans SSL,
I enjoy your little show and tell.
In the middle of your session,
I sniff the bits of your connection.
On my screen I see your porn
And private conversations borne
On wings of packets insecure,
While on your end you are so sure,
In ignorance of my leet skills,
While you bank and pay your bills.
With greedy eyes I thank you for
The warning boxes that you ignore.
Until you get all VPNed,
I'll see the stuff you get and send.

Wednesday, March 18, 2015

These Are a Few of Our Favorite Things

It's been busy lately, but we're having fun, right?

ETA: Compare and contrast with the previous "Favorite Things" by Brad Judy.



These Are a Few of Our Favorite Things


Denial of service and passwords worth guessing.
Phishing complainers and route map addressing.
Tuning our IDS until it sings.
These are a few of our favorite things.

Outdated software and websites attacking.
Hackers who troll us on pastebin while snacking.
Campus-wide firewall: all that it brings.
These are a few of our favorite things.

Authentication that uses two-factor.
Assessing risks from networking a tractor.
Cutting your lawn over IPSEC strings?
These are a few of our favorite things.

On the WiFi!
In the colo!
No budget? So sad.
I simply rely on my luck so that I don't feel so bad!

PCI, HIPAA, and FISMA are knocking.
NIST helps to make all your systems more rockin'.
Coping with madness the auditor flings.
These are a few of our favorite things.

PII scanning and AV a-lookin'.
P2P fileshares with movies a-bookin'.
Use of our logins by criminal rings.
These are a few of our favorite things.

Expiring passwords with lots of complex'ty.
Filtering spam chunks with images sexy.
Websites that bounce like they're all made of springs.
These are a few of our favorite things.

On the WiFi!
In the colo!
No budget? So sad.
I simply rely on my luck so that I don't feel so bad!