Monday, September 9, 2013

(ISC)2 Board of Directors Endorsements

Major Endorsements

Jack Daniels @jack_daniels - Information Security Researcher for over 20 years
Jericho @attritionorg - Maintainer of the Security Charlatan List for 10+ years
Boris Sverdik @jadedsecurity - Also running for (ISC)2 board, maintainer of dontclickshit.com

Plus over 200 CISSP and SSCP members of (ISC)2

Candidate of the Members

Shouldn't the (ISC)2 board of directors have a candidate on the ballot at the request of its members?  All 5 names currently on the ballot are there at the request of the current board of directors, not because the over 80k members asked for them to be there.

Email Now!

Simply email hackajar@gmail.com with your name, member ID and a quick note endorsing Robert Imhoff for Board of Directors.  That's it!

Thursday, September 5, 2013

(ISC)2 Board is ready for change

Change Starts Today

The (ISC)2 Board of Directors has the power to make your CISSP certification count.  So why haven't they done anything about the creep into irrelevance of this important certification?

Send an email to hackajar@gmail.com with your CISSP number and name as it appears on your certificate and a note that you support Robert Imhoff for board of directors.

Make them put a candidate on the ballot that is ready to make the tough decisions. 

Robert Imhoff-Dousharm

Friday, August 23, 2013

Women in Information Security

TL;DR

Many changes and improvements have occurred in the last 10 years which have enabled the Information Security profession to be a more welcoming place for women.  It continues to make improvements every day to further this welcoming atmosphere.

Op-Ed: Women are succeeding in InfoSec

In the Information Security profession, diversity comes second only to having the requisite technical skill set.  It has to.  Diverse viewpoints enable security professionals to see a problem before a hacker does, and fix it before it can be exploited.  This need for diversity makes the current landscape of the Information Security Industry – also known as White Hats, Black Hats, Hackers, Security Researchers, among others – a hotbed of opportunity for career-minded people of both genders.

Unfortunately, this diversity is not always evident in Information Security.  Security conferences, where security professionals gather, are where the lack of diversity is often most visible. A majority of speakers and panelists are male. Globally, only 9% of speakers/panelists are female. At the same time, the majority of conference attendees are also male.

Where many argue that drastic changes are needed, I believe many of these desired changes are already underway. Thirteen years ago, the first conference I participated in was an almost exclusively male gathering. The women present were accompanying a male attendee. Today, the number of women attending conferences is increasing year over year, and they are active participants. The average age of attendees is increasing too.  I believe that the community that, not long ago, was known as an immature bunch of boys is growing into a more balanced and self-regulated community. Recent initiatives at these types of conferences include entire sections dedicated to working with kids, and throwing M80 dynamite in hotel pools isn't as common as it used to be. While many women testify that the community improves itself continuously, their attendance - often on their own budget - is a testament to the lessons we as a community have learned.
At the same time the number of women in security jobs is increasing.  I have witnessed this myself during my tenure at a Fortune 500 company in Silicon Valley.  While working on their internal security team, made up of 60 people across the globe, 40% of the staff was female (well above industry averages).  This was especially noticeable in the Audit & Compliance division, where women actually outnumbered men.  In fact, the present Chief Information Security Officer at that company is female, as was her predecessor.  Investing in diversity grew dividends for the business.  My personal growth and understanding of Information Security, business and risk management, would not have occurred if not for the consistent feedback from everyone, women and men alike.  In turn, I have shared my knowledge without discrimination. It is how we as a community work and how we collectively get better. Better at what we do and better at who we are.

Change is happening in education as well.  Women are now outpacing men in college degrees issued in Science, Technology, Engineering and Math (STEM), although not in Computer Science. Not just yet.  STEM degrees are the core of the Information Security industry.  In response, many professional security organizations like (ISC)2 have started offering scholarships to encourage women to enter the Information Security industry. This helps in bridging the gap, and I can only hope to see more influx of such initiatives. 

It pays to be in Information Security.  The average salary for junior level positions sits at $60k - $90k USD per year, with senior positions topping out at $250k.  According to research by Dice.com – a technology-focused careers site – the pay gap between women and men in IT has virtually disappeared.  This means that not only are there careers waiting for anyone who wants them – with year over year demand increasing by 27% for the last 10 years – but while staying intellectually challenged, one won't go hungry either.

Recently, we have seen attacks on the information security community. Pointing out fundamental and structural flaws is one thing. Gutting a community that, over more than a decade, has made great strides forward is of a completely different and questionable level to say the least. With the growing importance of information security in the world comes great responsibility. A responsibility I am sure our community and industry will take up and honor. 

As we keep focusing on a healthy, diverse and cooperative future while learning from our past, I am confident that a positive and inclusive industry is the common goal that keeps us together.

References:

Information Security Job Growth Part 1 - Villanova University
When Geeks Attack - Marie Claire
Spotlight on Women in Tech - Dice.com
Information Security Scholarships for Women - (ISC)2

Tuesday, August 20, 2013

Robert Imhoff for (ISC)2 Board of Directors

TL;DR

I am running for a seat on the (ISC)2 Board of Directors.  To support this initiative, please help by nominating me for a spot on the ticket this Fall!

To achieve this goal, I will require 500 nominations from my peers - all certifications offered by (ISC)2 accepted.

Ready to help?  Great!  Here is what to do:
  1. Compose an email from the email address on file with (ISC)2
  2. TO: hackajar@gmail.com
  3. Subject: I Nominate Robert Imhoff for (ISC)2 Board of Directors
  4. Body: Insert your full name as it is on file with (ISC)2 and your exact Certification Number
  5. Send it away!  I will respond promptly when it is received!
  6. Follow me @hackajar on twitter
  7. Spread the word! Link other (ISC)2 Members to this post and encourage them to nominate me!

What is the problem with current Board of Directors?

The current impression of Information Security professionals holding (ISC)2 certifications is very poor.  So-called "serious" security professionals and hackers consider these certifications laughable, while on the "enterprise" side, questions are being raised about the value of these certifications over SANS and ISACA ones.  It has been four long years of mediocre handling of the situation that has driven these important certifications into just "a checkbox for recruiters".

The current board seems to be focusing more on assisting professionals with CPE credits, vendor based webcasts, and growing local chapters, but not focusing at all on the "brand" of having a CISSP, SSCP or other certification.  While all of these areas are important to an organization, they: 1) Mean nothing if the certification is rendered pointless 2) Create a sense of isolationism mixed with a "Them and Us" culture of those with (ISC)2 certifications, and those without.

Who am I to solve this problem?

After spending 13 years working in the Information Security field in all aspects and industry verticals, simply put, I have the diverse background to give (ISC)2 what it desperately needs: the collective knowledge of its members.  Without making this too much of a resume, here are some key highlights of my strong position:
  • 5 Years of programming experience
  • Top Secret clearance working with the NNSA
  • Published research in Credit Card Fraud and GPU Password Cracking
  • Experience in Fortune 500, Semiconductor, Networking, Hardware, Software and Start-Up companies
  • Co-Founder of the largest independent fundraising body for the Electronic Frontier Foundation
  • Co-Founder of the only Information Security member of NCWIT

What is the Platform?

Push forward a three-point plan to enhance the value of certifications maintained and issued by (ISC)2:
  1. Require partial re-testing of all members who have a certificate in good standing every 6 years.
  2. Require more transparent view of how money is spent by (ISC)2; force organization to either draw down overfunded accounts through industry benefiting programs, or lower yearly dues to members.
  3. Require (ISC)2 to design better recognition system for community members that create positive change for Information Security; ensure a better system is in place to report members that deviate from Code of Ethics.

About me and (ISC)2:

Member Name: Robert Imhoff-Dousharm
(ISC)2 CISSP Number: 112747
Member Since: June 30, 2007
Member Exp: June 30, 2016
Member Email: hackajar@gmail.com

Tuesday, May 14, 2013

Ex"Zact"ly what we don't need

Zact Mobile is the devil...

...in the details.  What seems like a great idea in a land of vendor lock-ins might actually be the worst solution for the current mobile phone market yet.

What is ItsOn Inc?

Best described by an AllThingsD article,
Imagine a world where one could buy a day of streaming video, or a week’s worth of Facebook
You heard right, ItsOn plans to offer application-based mobile phone service OEM options to big service providers like AT&T, Sprint and Verizon.  This means that, with an application, a service provider could effectively charge you for only Facebook usage.  Don't browse the web? Don't pay!  Only stream Hulu+? Pay just for that service.

What is Zact?

From their web site, Zact - a product introduced by ItsOn Inc. - will let you,
Customize your no-contract plan by creating your unique mix of minutes, text and data. Share your plan at no additional cost, and even set parental controls if sharing with kids.
That is to say, if you only want to watch 30 min. of video this month, they can bill you for the data service and not any voice or text, and that video can be billed as a slice of data, not a large 1 or 2 Gig plan.  This micro-billing approach should fit your exact phone habits, and - they say - will create a lower monthly bill for you.

They plan to use this service to demonstrate to the big guys how to leverage their core goal, application based payments.  But first, they will limit it to the standard three - Voice, Data and SMS.

What is Net Neutrality?

Here is the exact text from the Wikipedia entry for net neutrality, which cites no fewer than three references to support this blanket statement,
Net neutrality (also network neutrality or Internet neutrality) is the principle that Internet service providers and governments should treat all data on the Internet equally, not discriminating or charging differentially by user, content, site, platform, application, type of attached equipment, and modes of communication
Interesting!  Here is a principle, set forth by regulation and FCC policy, that clearly states any type of application throttling, prioritization or discriminating is prohibited by law.

Devil You Say?

Yes, by shrouding themselves in a cloak of consumer choice, ItsOn has found a way to backdoor Net Neutrality principles.  While they claim this will provide consumers with "choice", it actually erodes all that Net Neutrality principles have built up in the last 10 years.

TL;DR

Backdooring of Net Neutrality is being attempted by ItsOn and the Zact Mobile Service, under the guise of consumer choice and savings.

Tuesday, April 23, 2013

Palo Alto Networks and PAP

Firewalls, Evolved

It is no secret that the Unified Threat Management (UTM) or Palo Alto Networks Next Generation Firewall (NGFW) model is the clear winner for the current generation of firewalls in the market.  If you are still only using your firewall to block ports, implement Stateful Packet Inspection and support VIP rules, you are behind the times!  Inspecting egress traffic for known bad URLs and IP addresses, blocking sites based on policy groups and carving out usability of online applications are must-haves these days.

Palo Alto Networks

Started in, no surprise, Palo Alto, California in 2005, this company set out to flip the firewall world on its head.  When a group of engineers at Juniper were turned down to spin up a division to research the future of firewall technology, they took their ideas and left.

Skip ahead to July 2012, where we witnessed one of the most successful network hardware IPOs in over a decade unfold before our eyes, proving that the UTM/NGFW firewall model was not only a great idea, but here to stay.

What's in a password transmission protocol?

Password Authentication Protocol (PAP) was introduced in 1992 as part of RFC 1334.  This RFC addressed the need for authentication on Point-to-Point Protocol (PPP) links between networks.  In the RFC, it is explicitly mentioned that PAP is an insecure protocol.  Further, it actually recommends attempting to negotiate CHAP first, with PAP attempted only as a failover option.  However, the simple implementation of PAP has allowed it to persist in our authentication servers for many, many years.

It was not until May of 2005, when Windows Server 2008 and Vista were released, that the last of the production desktop Operating Systems fully purged PAP as a usable option.  Finally!  A protocol that was replaced from within its own RFC and superseded by no less than 10 different open and closed authentication standards (see MS-CHAP, EAP, PEAP, TLS, TTLS, etc.) was dead at last.

Palo Alto and Radius

Establishing a RADIUS server connection with a Palo Alto Networks firewall is a pretty routine affair.  You set up a shared secret on your RADIUS server, assign it to the client IP address of your Palo Alto management interface, then tether your security rule checks and policies.  Simple, right?  What happens when everything keeps failing to authenticate? I was able to connect, but kept getting errors that policies never matched my requests from Palo Alto.  The reason?  The authentication protocol never matched a rule.  What protocol should I use?  A quick call to Palo Alto Networks support answered this quickly - use PAP for all RADIUS requests from a Palo Alto Networks firewall to any RADIUS server.

It worked!  Using PAP did in fact solve my support issue.  However, it opened up another concern:

Why is Palo Alto Networks - the network firewall company founded in 2005 - using an authentication protocol that has been deprecated before the company even existed?

I have since put in several support tickets and discussed this issue with my assigned Sales and SE representatives from Palo Alto.  While everyone agrees this is extremely insecure, especially for a Firewall company, they always note that there is no current interest in fixing the issue.

If this is disconcerting to you, I suggest you contact your Sales and SE peeps at Palo Alto and demand, as I have, to have this glaring oversight fixed.
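To make concrete what "use PAP for all RADIUS requests" means on the wire, here is an added example (not code from this post, from Palo Alto Networks or from any RADIUS server) of the User-Password hiding that RFC 2865 section 5.2 applies to a PAP password inside an Access-Request. The shared secret, Request Authenticator and password below are constructed sample values.

```python
import hashlib

BLOCK = 16  # MD5 digest length; the User-Password attribute is hidden in 16-byte blocks

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: XOR each null-padded 16-byte block of the password with
    MD5(secret + previous block); the first 'previous block' is the Request Authenticator."""
    if len(authenticator) != BLOCK:
        raise ValueError("Request Authenticator must be 16 bytes")
    if not 0 < len(password) <= 128:
        raise ValueError("RFC 2865 permits 1..128 octets of password")
    padded = password.ljust(-(-len(password) // BLOCK) * BLOCK, b"\x00")
    hidden, prev = b"", authenticator
    for i in range(0, len(padded), BLOCK):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + BLOCK], mask))
        hidden += block
        prev = block  # chaining: the next mask depends on this hidden block
    return hidden

def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Invert hide_password; this is what the RADIUS server does on receipt. Anyone
    holding the shared secret can do the same, since the authenticator is sent in the clear."""
    if not hidden or len(hidden) % BLOCK:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    plain, prev = b"", authenticator
    for i in range(0, len(hidden), BLOCK):
        mask = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + BLOCK]
        plain += bytes(c ^ m for c, m in zip(block, mask))
        prev = block  # the chain runs over the hidden blocks, not the plaintext
    return plain.rstrip(b"\x00")  # strip the null padding

# Constructed sample values (not from any real deployment): a real client picks
# 16 random authenticator bytes per Access-Request and sends them unencrypted.
SECRET = b"example-shared-secret"
AUTHENTICATOR = bytes.fromhex("00112233445566778899aabbccddeeff")
PASSWORD = b"firewall-admin-pw-longer-than-16"  # 32 bytes: exercises the chaining

def demo() -> dict:
    """Hide the sample password, then recover it with the right and a wrong secret."""
    hidden = hide_password(PASSWORD, SECRET, AUTHENTICATOR)
    return {
        "hidden_len": len(hidden),
        "right_secret": reveal_password(hidden, SECRET, AUTHENTICATOR),
        "wrong_secret": reveal_password(hidden, b"guess", AUTHENTICATOR),
    }
```

The only secret material protecting the password in transit is the RADIUS shared secret, so on a PAP-only client such as the one described above the secret's strength and the protection of the management-to-RADIUS path (IPsec or RADIUS over TLS, RFC 6614) carry the whole burden.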