Friday, September 23, 2016

Proper Security “Flow” Begins at C-Level

Water

Everyone knows that water “typically” doesn’t flow uphill. The same gravitational forces that dictate water flow also drive waves, currents, tides and even waterfalls, making water a very powerful, albeit sometimes punishing and destructive element of nature. It has the ability to wear away at land masses, erode even the most solid of objects and can evolve into a very real and imminent danger, such as when tidal waves, typhoons and hurricanes batter the shore.

Yet water’s effects can also be healing, relaxing and calming. Hydrotherapy is commonly used to treat injury, or other system imbalances in the body. The sight and sound of waves crashing on a beach, rain falling in a forest, or water flowing over the rocks in a creek bed can help to bring focus to the mind and carry one’s thoughts away from stressful situations. I’m always amazed at how such random sights and sounds can distract from everything else around me.

Water is a building block of life. Science has shown that all cellular organisms contain water, and physical life cannot exist in its absence (at least in the sense that humans understand). Water supplies nutrients, it hydrates and it nourishes.

Water permeates and penetrates, saturates and combines with other elements and materials to produce a variety of substances. Additionally, water can be found in various states of matter. It can be a solid, a liquid or a gas and, in each state, it has its benefits.

In the natural realm, one might say water is “ubiquitous”.

Security

Like water, a strong security mindset is a powerful force. Driven by proper motivations, it brings about positive change. Security permeates an environment, mixing with other ideologies to help lay the foundation that everything else rests upon. It builds and creates strategic boundaries, effective barriers and trusted solutions for ensuring safety of data and the individuals who both own and utilize that data.

It can exist in various states or configurations, whether they be hardware or software, physical or logical. Providing it is correctly implemented, security is always changing to accommodate the conditions around it. An effective security posture may appear different in every environment, making each implementation unique in its own way.

A true security mindset can be somewhat calming, in that it understands and accounts for change. While change often brings new challenges, knowing that proper policies and procedures, analysis and monitoring, corrective action and continuing security-related training are in place helps to ease the mind of company leadership. Knowing this, strong company leaders will strive to drive home their security mindset to the rest of their organization.

Leaders with a lack of understanding in areas of security, however, often succumb to fear when they realize that their organization exists in a state of complacency. Their comfort levels become extremely low (as well they should), and they tend to try to drive initiatives in which they have no background or formal experience. While their efforts intend to provide the appearance of security, their environment is at constant risk of attack.

The Cycle

Going back to our discussion of water, we know that it flows downhill or falls, with gravity. Oftentimes, water picks up nutrients and minerals along its path, allowing it to provide benefit when it reaches its final destination. The same holds true in security.

But contrary to the physical realm, where “sea level” is at the bottom of the flow, organizational “C-level” begins at the top. The concept remains the same, however, in that, just like water, in order to benefit from a good security plan, that plan needs to begin at the top.

As it progresses, it begins to accelerate, but it also picks up further knowledge and experience as it flows downward throughout the organization. Business units, engineering and security departments, and other individuals can take what was envisioned, lend their knowledge to it, and contribute in a meaningful way, by providing feedback to the policy and decision makers. Just as water cycles occur (evaporation yields condensation, which yields flow, which eventually yields new condensation and the cycle begins anew), security ideology continues to revolve. Unlike water, however, which essentially starts anew during evaporation, security continues to build.

Taking the above into consideration, upper management needs a firm grasp of the state of their organizational security posture, including a working understanding of, at a minimum, the risk factors that exist within their environment. They need to understand that learning is a never-ending process when it comes to information security. Additionally, they need to have a willingness to listen to, acknowledge and implement recommended policies and solutions from their management and security teams, and ensure that they appropriately convey security ideologies in their everyday associations with their staff. If this flow is handled appropriately, a company will come out of the cycle with a solid security posture, which is able to evolve and adapt as the need arises.

Closing Thoughts

In closing, with our 20,000 ft overviews of water and security behind us, let’s reiterate the importance of “C-level” with regards to security. The involvement and interaction of C-level executives is crucial to the overall success of a company’s security efforts. If they convey a weak security posture, the downhill progression can be both destructive and devastating. However, if executives value the security mindset and convey the principles and behaviors to their staff that are needed to achieve their organizational security goals, the result is most often a strengthened corporate security posture, destined for success.



Thursday, January 7, 2016

Red versus Blue - What to Do? What to Do?

Red versus Blue - What to do?  What to do?
Security’s been lacking, they've let hackers through.

Script-kiddies are giggling, their phishing uncaught.
Someone's opened their email, without even a thought.

Antivirus averted, the firewall’s a bust
and their passwords were stolen, a violation of trust.

Protections were few - no IDS, IPS, or SIEM.
Their reactive analysis proved only a dream.

Now the CEO’s yelling. IT’s grasping at straws
‘cause they’d simply been dwelling, ignoring the laws.

Their posture, unhealthy, their planning was ill.
Now they’re looking for talent with just the right skill,

education and training, but where to begin?
The red team the blue team - do they pull from within?

Consider your goals kids and what training to pursue.
Red versus Blue - What to do?  What to do?

The past seven or eight years, it’s been fairly common for high-school and college students alike to hit me up for IT career advice and direction - particularly in the security realm.  Most of these kids are young and driven out of a desire to earn the ‘big bucks’, but they’re uncertain as to the proper direction to follow, the classes to take or even the school / training to attend.  Additionally, each student has different strengths, goals and ambitions, as well as differing desires and needs for learning, knowing that not all students ‘learn in the same way’.

It’s difficult to give them one specific answer, because I’ve never attended college nor have I gone through ‘formal’ education, in order to do what I do.  Much of what I’ve learned and accomplished was driven by my personal fancies, dreams, ambitions and the goal of always trying to be among the first to do and discover new things.  Add to the mix that the information security world is a very large, continually growing space and you have a recipe for mass confusion, if the conversation begins blindly, from the student’s perspective.

As I sit down and talk with each of them, the biggest, most important question I lead with is, "What do you WANT to be doing in ten to twenty years?"  I ask them to consider, first and foremost, where they want to be (location, professionally, financially) and what their NON-professional goals are.  Quite honestly, the security industry can be extremely taxing on even the most seasoned veteran infosec people.  I want aspiring students to understand that because of the way the field changes, because of the attitudes and stressors that they'll encounter, because they'll quite literally NEVER be able to stop learning and adapting in this field, they need to decide, first and foremost, on their willingness to commit to their goals, wholeheartedly.  This isn't to say that with the right effort and time, life won't all come together nicely.  Just that, more often than not, if a person wants to succeed in both their professional infosec career AND their personal life, their schooling (whether organized / formal courses or self-teaching, seminars, books, videos, CBTs) will likely be much more taxing than their primary / secondary education has been or ever will be, and it will likely impact their personal life and 'free time' much more than they'd anticipate.

Once that's been put to bed, assuming the person hasn't run away realizing that the glamorous portrayal of hackers and infosec geeks in the media (untrained / uneducated 'whiz kids', hacking merrily away) isn't the reality they've come to expect, I'm usually asked, "OK, what courses should I take and from where?" This is followed by, "What school should I attend or can I be all self-study, like you?"

<cough> Ahh, how I love loaded questions! </cough>   (They all hope for a straight / simple answer)

As previously noted, I've attended ZERO college, so I can't speak for formal secondary education, specifically which school to attend.  I could be biased and refer them to some of the schools where my professional colleagues teach, but in all honesty, as I've not taken their courses or those of the others in their departments, I can't speak for the quality of their teaching.  Will I mention them in the discussions?  Absolutely!  Especially if their outside activities (infosec community activity and involvement, conference speaking, tool development, etc) have shown me that they know their stuff.  But otherwise, I can't recommend any one over the other from a 'personal experience' point of view.

With regard to 'what to take', this discussion could go a number of directions.  Depending on WHERE a student chooses to attend, the course offerings and programs might differ entirely, from one college to the next.  Additionally, different courses and programs might be geared to one discipline versus another and therefore the student has to make at least an initial career decision (knowing this could change in the future) on what 'part' or role they want to play in infosec, because whichever program or path of study they choose, it needs to benefit their career progression and prepare them to dive in.

This leads us to Red versus Blue - What to Do?  What to Do? - or even Purple (or White, Gray, Black... but we'll delve into those areas another time).

Ultimately I ask students to really think about the following question.  I ask them for their first, gut response, then we discuss a bit and I follow up with them again after our chat, to see if their thoughts have changed or if their initial answer(s) still stand.  The question is:

"If you were to picture yourself in 10 years, would you want to be in an upper management role (where you're managing the overall security posture and practice of your organization), or would you prefer to be a team leader or member, working on hardware and / or software security and protection, versus trying to break those protections in order to help assure a secure environment?"

This is where our colors come into play.  An upper-level manager, who is responsible for all areas of the corporate security strategy, generally falls into the purple (mixed red / blue) category or leans more in the direction of blue.  Blue is typically thought of as cool / 'safe' and the team members are dedicated to protection - auditing and analysis, hardening systems, building solutions or monitoring existing solutions.  Red is considered to be hot / 'dangerous', and the team members are typically your attackers - penetration testers, malware experts, social engineers or even 'hackers'.

What differentiates the two colors is typically the work they're performing, as well as what I call their 'known' approach.  What do I mean by this?  Well...

While it's not always the case, more often than not, blue team activity is typically more related to 'known' information and issues.  As they build protections, IDS / IPS, deploy antivirus or what have you, they're following known procedures and best practices (at least, I HOPE they are) in order to watch for and protect against known problems.  They're protectors and, by nature, protectors will try their best to prevent 'the unknown', but are obviously much better suited to deal with 'the known'.  More often than not, at least from many of the companies and environments I've seen, their approach takes a turn for the reactive side.  But every now and then, I'm excited to see a proactive blue team, trying to think more ahead of the eight ball (visible, easy to reach and eager to be put to work), rather than sitting behind it, where their activity might be less noticeable and success might be harder to obtain.

The red team, on the other hand, tends to be more proactive and is always looking for the newest 'unknowns', methods, exploits, vulnerabilities and ways to attack.  (This isn't to say they won't take complete advantage of a 'known', if the blue team isn't on top of their game, however.)  While their purpose is still to act as an 'enabler' (and ultimately often additional educators) for the blue teams to be able to resolve their problems, because they try to remain one or more steps ahead of the curve, they tend to be more aggressive with their education and training, and are always on the lookout for the 'cool' or 'exciting' blog posts, newsfeeds, IRC discussions and videos showing the latest and greatest methods for exploitation.

Now that I've discussed Red and Blue (and Purple), it's often at least a BIT easier for the students to begin making some decisions.

In either case (red or blue), typically there will be a need for some sort of programming language.  Even if the student never becomes 100% proficient in a language, the ability to at least follow along, in general, with a program's flow or execution is a needed skill.  Depending upon specialization (red team might include web application hacking, for instance), specific languages such as Python, Ruby, JavaScript, HTML or even shell scripting (Bash) will be more useful than others, so those discussions come into the mix.  Alternatively, for 'operating system' / client-side application hackers, there may be more need for C++, Visual Basic or .NET experience.  In either case, an understanding of Assembly is also a good 'back pocket' skill, even if only at a high level.

Along with programming, both red and blue teams also need at least a reasonable awareness of the latest applications and operating systems, as well as a solid understanding of networking fundamentals.  In any modern environment, there may be a mixture of Windows, Linux and OS X devices, and these may be connected via wired or wireless networks throughout the organization.  In addition, routing protocols and topologies are important to gain an understanding of both inter- and intra-office communications, as well as internet connectivity.  As such, topics of study in college might include classes on one or more of the operating systems, especially Linux if available, as on one hand it's very similar to Mac OS X and on the other many security tools and distributions are built on and using Linux.  Beyond the OS, networking courses, such as the various Cisco certifications that many schools now offer (or other vendors' courseware, if applicable / offered), should be a staple of any information security curriculum.

Technical classes aside, other courses that would be extremely useful for information security professionals are psychology (useful in understanding how various people 'think', as well as understanding social engineering, phishing, etc), language / writing (it is VERY important to be able to communicate findings, whether to a company or to the infosec community as a whole) and mathematical courses, including statistics, since analysis skills are a big commodity in the industry.

All of the above said, students need to make those 'final' decisions.  First of all, which pieces of what I've already provided fit into their long term goals and plans?  Based on those pieces, which courses and programs will suit their needs and best prepare them for their careers?  Which schools offer the best packages and curriculum in order to accommodate all of the courses and are the instructors well known and active enough (whether in the community or by reputation), such that the students feel they can get the most from the experience?  Finally, dear students, do you think you CAN (and do you WANT to) do all of this learning on your own, or do you feel a collegiate program is better suited to prepare you?

I'll be the last to profess that only a college degree will get you somewhere in life.  I'm living proof that it can all be accomplished without one.  But as a married father of 4, who just had a wife progress through nursing school in her mid-to-late thirties, I'll also be the last to say it's an easy ride if you go it on your own.  The commitment and time required are difficult to substantiate and I can honestly say that, while I'd do it all again, it definitely would've been an easier road to have traveled before the married life.