(Away from) Home for the Holidays

2016 will be the first time I’m away from the U.S. for Thanksgiving, Christmas, and New Year’s Eve.

Many years ago I spent both Canadian Thanksgiving and U.S. Thanksgiving around Toronto. Another year I think I was in Austria and Germany at the end of November.

Regular readers and PVC Security podcast listeners know I moved to Tokyo this month.

I don’t particularly care I’ll miss Christmas and New Year’s. I could do without both. Christmas to me means traffic jams and hypo-consumerism. New Year’s is mostly an opportunity to screw up one’s sleep schedule. Unless the calendar is forgiving, all too soon one returns to work.

I used to volunteer to work those holidays, I liked them so little. I won’t miss them here.

Thanksgiving? Well, that’s another thing entirely.

I love the weather in New England and Michigan this time of year. I love well cooked turkey, stuffing, potatoes, gravy, rolls, green beans, etc. I love pumpkin beer (though its creep earlier and earlier each year reduces the draw for me). I love watching football.

Most of all, I love spending it with my family. It can be just me and the kids. It can be the whole clan or something in between.

I wonder how I’ll do that day here. Some of my colleagues and friends here have already volunteered to take my mind off of it.

Stay tuned!

Week ending 092516

Quick hits as I re-ramp up my Week Ending posts.

  • Holidays in Japan while I’m back in the States.
  • Great feedback from the client about our work.
  • Wish I’d attended @Derbycon.
  • I’ve been back in Detroit on my return from Tokyo. Spent time with my kids, fun time talking about Tokyo and getting sushi (their idea) and my impending move.
  • A great guest joined us on @pvcsec – Marcelle Lee.
  • Professionally I connected with some new folk and a bunch of friends & colleagues.

My latest Thursday, 20160908

It’s a rainy, hurricane #Tokyo today. Yesterday was earthquake Tokyo.
@edgarr0jas and I recorded @pvcsec #EP78. I edited and uploaded #EP77 but the show notes are slow going. Someone deleted last week’s run sheet. No @timothydeblock or @cmaddalena or @infosecsherpa, sadly.
I’ve been diving into #blockchain and #fintech during breaks working on a client deliverable.
I can’t help but chime in on the @apple announcement: I’m glad I bought my iPhone 6s+ a few weeks ago. I think there might be a run on them (https://apple.news/AtodeT67IQiKYmKB2s3fvvA).
Big security day today, product and provider oriented. @Dell finished their @EMCcorp acquisition (http://www.wsj.com/articles/dell-closes-60-billion-merger-with-emc-1473252540), @HPE sold their enterprise software to @MicroFocus (whoever they are; http://reut.rs/2ckMx4c), and @Intel spun off @McAfee Security (http://www.wsj.com/articles/intel-nears-deal-to-sell-mcafee-security-unit-to-tpg-1473277803).
Oh, and I’m playing around with http://www.dayoneapp.com.

Busy

I like busy.

Describing this week as “jam packed” epitomizes the understatement. I shall spare you, Dear Reader, from the run down. Yet I felt energized, more than at any time in recent memory.

I’m mentoring several people, officially and otherwise. I finally made it back on PVC Security Podcast for the first time in weeks (months?). I stepped in at the last minute to help an account team respond to a request for proposal (RFP), an experience I’ll write about in detail once the dust settles. I interviewed prospective IBM employees. I attended training. Of course, I continued supporting my current client engagement with aplomb. I traveled about 6,000 miles.

That is a jam packed week by any account. Home front items require my attention. Perhaps I can parlay this energy into the required action.

My colleague, unofficial mentee, and new friend Andrew and I toured (read: wandered somewhat aimlessly in) Brussels. I’ll write about it over on ESG soon. Tomorrow, Ghent!

How To Tell If A Job You Want Is Out Of Reach

Ed Rojas and I discussed interviewing on a couple of recent PVC Security Podcasts. The Muse recently posted an article about how to measure if a job you want is realistically within your ability:

There it is.

Posted on the job board of your dream company.

A job that is totally amazing. A big step up from the job you’ve currently got. And, yes—maybe just ever-so-slightly out of your reach.

Should you apply anyway? Or would it be a total waste of your time—and theirs?

This four-question guide can help you decide whether to go for it or hold back. Grab your pen and get ready for a healthy reality check.

Give the article a read. Let me know your thoughts in the comments.

RDRDS, or Five Points of Security Architecture

There’s a concept that gained some traction not too long ago, called anti-fragile. The idea is to make things that can withstand a certain level of abuse without failing. Bend, don’t break is the easy way of thinking about it.

I think the concept of anti-fragile is a good one, but it is too limiting. I prefer RDRDS – Redundancy, Diversity, Resiliency, Depth, and Simplicity – or Five Points of Security Architecture.

We security professionals talk about the CIA triangle – confidentiality, integrity, and availability. Availability is often overlooked; RDRDS addresses that. Integrity is also covered in this scheme, in that the systems the data relies upon must not only keep the data available but also keep it unaltered, whether intentionally or otherwise. RDRDS helps assure that because integrity is built into the concept and the quality of those systems is known in advance of their use.

Operationally, availability is critical. When I was a network manager I mostly lived in the operations world. When systems fail the phone starts ringing. Focusing on operational issues becomes a simple math problem in many organizations, and we should take advantage of it. Is the cost of implementing and maintaining these redundant systems worth it? How many minutes of downtime pay for these systems?

When I talk about RDRDS, what do I mean?

Redundancy

  • Duplication of components or circuits to provide survival of the total system in case of failure of single components.

Firewalls are the canonical example of security tools deployed in a redundant configuration. In most organizations they are a pair of nodes in a cluster, although 3 or more nodes and multiple clusters are not uncommon.

We want critical systems to be redundant. By redundant, I mean they should keep running in the event of any specific element failing. This is typically handled via clustering, secondary paths, and load balancing among other tools.

Diversity

  • The quality of being different or unlikeness.
  • A variety.
  • Diverse types or examples.

Diversity basically boils down to not relying on a single vendor, technology, or philosophy. Lacking diversity limits the value of redundancy.

Diversity also means avoiding single points of failure in a system. For example, having a server with two power supplies plugged into the same power circuit is an example of having redundancy (two power supply units) but a lack of diversity (one power circuit). Purchasing two data circuits from different providers when they both come in on the same cable through the same conduit is another example.
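As an added example (not from the post), the Redundancy and Diversity points above can be checked mechanically: model components and the resources they depend on as a graph, then look for any single resource whose failure would take down every member of a supposedly redundant group. The component names and topology below are constructed to match the two cases in the text (two power supplies on one circuit; two carriers sharing one conduit).

```python
"""Find shared single points of failure (SPOFs) behind "redundant" component groups."""

# Constructed sample: component -> set of resources it directly depends on.
DEPENDENCIES = {
    "psu1": {"circuit_A"},
    "psu2": {"circuit_A"},          # same circuit: redundancy without diversity
    "circuit_A": {"panel_1"},
    "wan_isp1": {"conduit_main"},
    "wan_isp2": {"conduit_main"},   # two providers, one conduit
    "conduit_main": set(),
    "fw_node1": {"vendor_X"},
    "fw_node2": {"vendor_Y"},       # diverse vendors: no shared dependency
}

# Constructed sample: the groups the architecture claims are redundant.
REDUNDANT_GROUPS = {
    "server_power": ["psu1", "psu2"],
    "wan_uplinks": ["wan_isp1", "wan_isp2"],
    "firewall_cluster": ["fw_node1", "fw_node2"],
}


def transitive_deps(component, deps):
    """All resources a component depends on, directly or through other resources."""
    seen, stack = set(), [component]
    while stack:
        current = stack.pop()
        for dep in deps.get(current, ()):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen


def shared_spofs(members, deps):
    """Resources whose single failure would take down every member of the group."""
    closures = [transitive_deps(m, deps) for m in members]
    return set.intersection(*closures) if closures else set()


def assess(groups, deps):
    """Map each group name to its sorted shared SPOFs; an empty list means diverse."""
    return {name: sorted(shared_spofs(members, deps)) for name, members in groups.items()}


if __name__ == "__main__":
    for name, spofs in assess(REDUNDANT_GROUPS, DEPENDENCIES).items():
        verdict = "OK (diverse)" if not spofs else "shared SPOF: " + ", ".join(spofs)
        print(f"{name}: {verdict}")
```

Extending the dependency map with vendors, firmware trains, or support contracts lets the same check flag non-physical shared dependencies.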

Resiliency

  • The physical property of a material that can return to its original shape or position after deformation that does not exceed its elastic limit.
  • An occurrence of rebounding or springing back.

Resiliency deals with the margins, the exceptions, the extremes in a system. How well can the system handle not just peak loads but also a lack thereof and return to a normal state?

It also speaks to the ability to get the system back up and running after an event, such as a fire. Resiliency can also be described as scalability, the ability to shrink and grow as needed, and as elasticity, the ability to bend and flex but not break.

The concept of anti-fragile, I think, mostly touches on resilience, though to an extent it encompasses all of the concepts here.

We want systems that are properly sized and can handle peak loads without falling over. We want them to load balance or calculate the relative cost between possible paths. It should be possible to isolate and route around broken components. A modular and distributed design provides resiliency, and it brings additional benefits when it comes to upgrades, maintenance, and the like.

Depth

  • Strength held in reserve, especially a supply of skilled or capable replacements.
  • A team with depth at every position.
  • The degree of richness.
  • Complete detail.
  • Thoroughness.

Defense In Depth (DID) has been a common mantra in the industry since the 1990s, maybe earlier. What does depth provide us? If we stack all of our assets at the perimeter, how does that help us when something gets inside anyway? Think about the internal malicious actor. Layering security throughout the infrastructure, thereby not placing all of one’s eggs into one basket, provides depth as well as diversity.

Depth can also address third party connections as well as upstream issues from suppliers, partners, vendors, and so on.

Information Sharing and Analysis Center (ISAC) data and broad threat intelligence add to depth. CERTs, the Internet Storm Center (ISC), and other third party threat intelligence sources also enrich depth.

From a personnel perspective, making sure that the one professional with all the institutional knowledge documents it so that she can take an uninterrupted vacation is also part of depth.

Simplicity

  • The quality or state of being not complex, or of consisting of few parts.
  • A freedom from complexity or intricacy.

Modularizing systems helps: for example, deploying one log management solution that the Security Incident & Event Monitoring (SIEM), operations monitoring, and other systems tie into. In networks, it means separating the access, distribution, and core layers.

Gap analysis helps with simplification. Compartmentalizing systems without compartmentalizing data is valuable, because it allows maintenance and potential component replacement without losing fidelity of the data sources.

Above all, avoid introducing artificial complexity.

What does all of this mean from a security perspective?

There are several basic questions that need answers before you can proceed with RDRDS/the Five Points:

  1. Should security systems fail open or closed? By this we mean in the electrical engineering sense – failing open means that the circuit is broken and traffic stops flowing; failing closed means that the circuit isn’t broken and traffic continues to flow. Note that network security vendors and practitioners commonly use the terms the other way around (fail open meaning traffic keeps flowing), so state which convention you mean when you answer.
  2. What are the security thresholds?
    1. How long can the IDS/IDP be down?
    2. How long can notifications from the SIEM be down or delayed?
    3. What is the cost per minute of downtime?
    4. What is the sensitivity of the data?
  3. What is the comfort level with F/OSS (Free/Open Source Software) as secondary systems?
  4. What are you trying to protect?

There are other questions, and we will flesh those out as the concept is developed. Your comments and questions are welcome here, at hashtag askpvcsec, or email [email protected].

By the way, these Five Points can apply to any system – servers or databases or IT or applications or personnel or finance or anything.

Postscript

Due to an error on my part, I lost track of what dictionaries I pulled the various definitions from. I will endeavor to cite them appropriately.