Archive

Archive for the ‘Uncategorized’ Category

The 3 Immutable Rules Of Presentations…

April 27th, 2015 2 comments

There are three immutable rules that pertain to presentations*, and they matter even more when one’s presentation is in front of several thousand people, live:

  1. Never present with kids
  2. Never present with a live demo
  3. Never present with animals

Not doing one outa three ain’t bad 🙂

My 2015 RSA Security Conference keynote was very special to me.  Besides violating two of those three rules, it was a deeply important and even more deeply personal experience.

My non-profit, HacKid, was a participating organization in RSA’s amazing partnership with The Tech Museum of Innovation and the Cyber Security Safety Village.

It was only fitting then, that I used the wonderful community outreach of my employer, Juniper Networks, to do something very different, actionable and useful with my time on stage.

I was lucky enough to find a willing co-pilot to help me talk about the next generation of security riffing off the lyrics of The Who’s “My Generation.”  You’ll have to watch the video to see who.

You can watch the video below or find it directly, here.

Below is a blog that I wrote and cross-posted from Juniper’s website:

If cyber security in the last two-and-a-half decades has taught us anything, it is that the tools, tactics, techniques and procedures employed by adversaries bent on causing us harm, both professionally and personally, have outpaced our ability to successfully defend ourselves.

While there has been progress and innovation in the use of technology products as the frontline of defense, there’s a very important aspect often overlooked in the totality of the solution space.

The “people” element has always been mentioned as an area of focus for cyber security. But beyond technology, we have not done enough to ensure that security and privacy are not eroded for the sake of convenience, putting people at greater risk.

When we have attempted to address the “people problem,” we have often relied mostly on awareness (theory). In the face of sophisticated methodologies of abuse and attack – and frankly some very basic ones – we expect people to make the right decision in the face of complex and confusing events (practice). This is a disaster – or breach – waiting to happen.

Over the last few years, a number of initiatives and organizations have been established to address this issue in a meaningful way, but with a twist and caveat: Rather than focus on adults – the developers and professionals of today – these initiatives and organizations have focused on reaching out and educating children, who are literally the “next generation” and frontline of protection against cyber-attacks.

One thing we have learned is, when dealing with children, it’s not enough to just raise awareness about proper cyber security hygiene and behavior. It’s not enough to simply tell them what not to do – that’s too overwhelming and overall, it’s the wrong model. We must build creative and constructive means, in which they are able to actively contribute toward a more secure world by helping build a better one.

Children love to learn and are inherently curious, imaginative and don’t come with predisposed limits on how things have to function. They are built to push limits and we should harness that.

Without a doubt, today’s children are far more technically advanced than in the past – even at the young age of three or four-years-old. To expect them not to do something just because we told them not to – especially when it comes to computers and mobile devices being used to learn, entertain and engage – is simply unrealistic.

The sophistication and capability that today’s kids have for grasping complex topics is amazing. Furthermore, just because they’re children, we shouldn’t assume they’re unaware and incapable of understanding deep issues like security and privacy.

When it’s related to them in a meaningful way, light bulbs go on.

As such, the new focus is to educate children on how things work and in some cases how to break them, so they have a better understanding of why not to do something – and how to fix things that are broken. This is the true definition of “hacking,” learning and finding creative solutions to big, hairy problems. The reality is that if you don’t understand how adversaries attack and break things, it is generally much more difficult (if not impossible) to defend yourself, detect or fix what is broken.

When it comes to children, we should complement their natural and inherent friendliness towards learning something new. We should tap into their creative ingenuity and turn it into something good. All of this provides us a tremendous opportunity to not give up privacy and security for the sake of convenience by simply changing the way we integrate security versus bolting it on.

That said, it is likewise important to discuss and establish boundaries and constructs around “hacking” to ensure that activities are governed appropriately with respect to legality, morality and ethicality.

These conversations and guidelines do a lot toward short-circuiting the normal knee-jerk reaction of what it means to introduce children to “hacking.” We have “hackathons” to allow communities of interest to come together to solve large social problems. We have companies that focus on “hacking” and “hackers” to develop innovative new platforms and services. “Hacking” isn’t always a bad thing… and in many cases when we think about the culture and approach needed to secure our systems and create resilient, rugged and secure code, hacking is an appropriate word.

Juniper Networks Supports Code.org

This is why at this year’s RSA conference, Juniper Networks announced an extension of its grant to Code.org, which will enable the development of a new high school computer science course, intended to be advanced placement (AP), to allow students to learn about cyber security and secure coding. Code.org is a non-profit dedicated to expanding participation in computer science by making it available in more schools, because every student in every school should have the opportunity to learn computer science. It is committed to the notion that computer science and computer programming should be part of the core curriculum in education, alongside other science, technology, engineering, and mathematics (STEM) courses, such as biology, physics, chemistry and algebra.

Juniper and the Juniper Networks Foundation Fund are proud to make this commitment and expect it to be the first step in making cyber security a fundamental element of learning to code and learning to code securely. We’re starting at the high school level and hope to spur activity by other businesses and organizations to partner with Code.org and ultimately, develop programs that include kids at the middle school and elementary school level as well.

Your support and help doesn’t have to come via financial grants or funding (although that definitely helps). Your time is just as valuable. If you’re able and interested, volunteer to teach at your kids’ school or help Code.org recruit new teachers in your community to teach Code.org’s courses.

Join Juniper Networks, the Juniper Networks Foundation Fund, and Code.org at www.code.org and help develop and establish the true “next generation” of cyber security.

Mike Mimoso over at ThreatPost did an awesome write-up, which you can find here.  Bank InfoSecurity also did a nice interview with me on this and other topics.

Thanks for reading…and for finding your way of contributing.

/Hoff (AKA @Beaker)

*With apologies to W.C. Fields (and H/T to my old friend Bob Antia)

Categories: Uncategorized Tags:

Attribution is the new black…what’s in a name, anyway?

February 26th, 2015 No comments

Attribution is hard.  It’s as much art as it is science.  It’s also very misunderstood.

So, as part of my public service initiative, I created and then unintentionally crowdsourced the most definitive collection of reality-based constructs reflecting the current state of this term of art.

Here you go:

  • Faptribution => The process of trying to reach PR climax on naming an adversary before anyone else does
  • Pattribution => The art of self-congratulatory back patting that goes along with attributing an actor(s) to a specific campaign or breach.
  • Flacktribution => The process of dedicating your next press release to the concept that, had the victim only used $our_software, none of this would have happened. (Per Nick Selby)
  • Maptribution => when you really just have no fucking idea and play “pin the tail on the donkey” with a world map. (Per Sam Johnston)
  • Craptribution => The collective negative social media and PR feedback associated with Snaptribution (Per Gunter Ollmann)
  • Masturbution => When you feel awesome about it, but nobody else gives a flying f$ck (Per Paul Stamp, but ‘betterized’ by me)
  • Snaptribution => naming the threat actor so quickly you can’t possibly be right but you are first. Also known as premature faptribution. (Chris Wysopal)

May you go forth with the confidence to assess the quality, scope and impact of any attribution using these more specific definitions.

/Hoff


On the Topic Of ‘Stopping’ DDoS.

March 10th, 2014 11 comments

The insufferable fatigue of imprecise language with respect to “stopping” DDoS attacks caused me to tweet something that my pal @CSOAndy suggested was just as pedantic and wrong as that against which I railed:

The long and short of Andy’s displeasure with my comment was:

to which I responded:

…and then…

My point, ultimately, is that in the context of DDoS mitigation such as offload scrubbing services, unless one prevents the attacker(s) from generating traffic, the attack is not “stopped.”  If a scrubbing service redirects traffic and absorbs it, and the attacker continues to send packets, the “attack” continues because the attacker has not been stopped — he/she/they have been redirected.

Now, has the OUTCOME changed?  Absolutely.  Has the intended victim possibly been spared the resultant denial of service?  Quite possibly.  Could there even now possibly be extra “space in the pipe?” Uh huh.

Has the attack “stopped” or ceased?  Nope.  Not until the spice stops flowing.

Nuance?  Pedantry?  Sure.

Wrong?  I don’t think so.
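To make the distinction concrete, here is an added example (not code from the original post): it classifies constructed scrubber telemetry and only reports the attack as ceased once ingress at the scrubbing edge has returned to baseline, not merely when the origin stops seeing the flood. The baseline, the thresholds and the sample values are assumptions made up for the illustration.

```python
"""Report DDoS mitigation state the way the post argues it should be reported.

Added example, not from the original post. "mitigated" means the scrubber is
absorbing the flood and the origin is spared; "ceased" is only reached when
the attacker's packets stop arriving at the scrubbing edge altogether.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Sample:
    t: int              # seconds since start of the window (constructed)
    ingress_pps: int    # packets/s arriving at the scrubbing edge (attack + legit)
    forwarded_pps: int  # packets/s the scrubber forwards on to the origin

BASELINE_PPS = 10_000   # assumed normal legitimate load for this example
ATTACK_FACTOR = 3       # ingress above 3x baseline is treated as attack traffic
ORIGIN_FACTOR = 1.5     # origin above 1.5x baseline means the flood reaches it

def classify(s: Sample, baseline: int = BASELINE_PPS) -> str:
    """Classify one telemetry sample."""
    under_attack = s.ingress_pps > ATTACK_FACTOR * baseline
    origin_hit = s.forwarded_pps > ORIGIN_FACTOR * baseline
    if not under_attack:
        return "no attack"      # attacker packets are not arriving at all
    if origin_hit:
        return "unmitigated"    # flood is reaching the origin
    return "mitigated"          # flood ongoing, absorbed upstream; outcome changed

def timeline(samples):
    return [(s.t, classify(s)) for s in samples]

def attack_ceased(samples, quiet_seconds: int = 60) -> bool:
    """True only if an attack was seen and ingress has since stayed at baseline
    for at least quiet_seconds. A "mitigated" tail is not enough: the origin
    being spared is a changed outcome, not a stopped attacker."""
    statuses = timeline(samples)
    if not any(st != "no attack" for _, st in statuses):
        return False            # nothing was ever attacking, so nothing ceased
    quiet = []                  # timestamps of the trailing no-attack run
    for t, st in reversed(statuses):
        if st != "no attack":
            break
        quiet.append(t)
    return bool(quiet) and (quiet[0] - quiet[-1]) >= quiet_seconds

# Constructed telemetry: baseline, flood hits origin, scrubbing engages,
# attacker keeps sending, then finally stops.
SAMPLES = [
    Sample(0, 11_000, 11_000),
    Sample(30, 250_000, 240_000),   # flood before redirection: origin is hit
    Sample(60, 260_000, 12_000),    # scrubbing engaged: origin spared, flood ongoing
    Sample(90, 255_000, 11_500),
    Sample(120, 12_000, 12_000),    # attacker stops sending
    Sample(150, 10_500, 10_500),
    Sample(180, 10_000, 10_000),
]

if __name__ == "__main__":
    for t, status in timeline(SAMPLES):
        print(f"t={t:>3}s  {status}")
    print("ceased after full window:", attack_ceased(SAMPLES))
    print("ceased while scrubber absorbing:", attack_ceased(SAMPLES[:4]))
```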

/Hoff


An Ode To Glass

May 18th, 2013 1 comment

Google Glasses reviewed, often spiced with profanity
A technology, profound, previews dystopic humanity

Augmentation, extension, lensless optics you blink through
Winking gestures, #hashtagged pictures, an earpiece you talk to

It gives you directions, sends you tweets, you’ll hangout!
Wifi and bluetooth, “PEACOCK!” its users all shout

“Don’t diss the tech, man,” the fanbois decree
You’ve nothing to fear…except privacy

They’re a curious bunch, these intrepid explorers
While last week’s cool toys now lay dusty and choreless

Want lunch? Movie review? Need directions? A clue?
You needn’t ask, they’ll just Glass it for you.

They look down when they speak and up when they Glass
Don’t take offense, they’re not being an ass

There’s two planes of existence, “outside Glass” and thus “through”
They live on one side, on the other, there’s you

The worldwide web at your pupil-tips, it sounds quite the perk
Til you end up all cross-eyed, like Steve Martin’s “The Jerk”

Glassdebating on Twitter…it seems to last for hours
Those in technorapture post pics of themselves in showers

The experience, transcendent, it seems quite zen
But the users seem to be just middle-aged white men

We’ve already got Aspies, the socially inept
Now we’ll bear witness with those with whom you’ve slept

There’ll be segregated seating; “Glass OK” and “No Glass”
The haves and the have-nots, it’s gonna be crass

As social interaction becomes more and more abstracted,
people wearing Glass will converse with others much distracted

Are you recording?  Is that thing on?  Are you Googling me as we speak?
At first it seems quite quaint, a parlor trick for geeks

And then as comfort and fashion sense collide and people will withdraw,
alas some good technology, will not seem cool much more

You’ll pull out a smart phone, look like a T-Rex
While a Glasshole whispers snidely “Bet he still codes in hex!”

Those who hold out will proudly boast along with loud retort:
“Hey man, I’m not tethered, this ain’t Minority Report!”

“OK Glass” is a statement, a command, so stop hating.
To some it’s a class thing, a tech thing, to some it’s berating

If your perspective is at just one end of the spectrum,
the schism of your prism could have you kicked in the rectum

At the end of the day, it’s a magnificent tool
some think it obtuse, some think it quite cool

For me and my smartphone with my old school connection
I feel no need for this UX inflection

I have some serious things I’ll say about this after being accosted for my opinions — which I actually researched by having Adrian let me use his Glass.

I’ll talk about that soon.

Oh, and if you haven’t seen these:

and

…you really ought to 🙂


InfoSecFail: The Problem With Big Data Is Little Data

June 26th, 2011 1 comment

(on my iPhone while my girls shop…)

While virtualization and cloud security concerns continue to catch the imaginative pause of pundits everywhere as they focus on how roles and technology morph yet again, a key perspective is often missing.

The emergence (or more specifically the renewed focus and prominent feature) of “big data” means that we are at yet another phase shift on the Hamster Security Sine Wave of Pain: The return of Information Centric Security.

(It never really went away, it’s just a long term problem)

Breach after breach featuring larger amounts of exfiltrated information shows we have huge issues with application security and even larger issues identifying, monitoring and protecting information (which I define as data with value) across its lifecycle.

This will bring about a resurgence of DLP and monitoring tools using a variety of deployment methodologies via virtualization and cloud, which was at first seen as a hindrance but will now be an incredible boon.

As Big Data and the databases/datastores it lives in interact with the proliferation of PaaS and SaaS offerings, we have an opportunity to explore better ways of dealing with these problems — this is the benefit of mass centralization of information.

Of course there is an equal and opposite reaction to the “data gravity” property: mobility…and the replication (in chunks) and re-use of the same information across multiple devices.

This is when Big Data becomes Small Data and the ability to protect it gets even harder.

Do you see new and innovative information protection capabilities emerging today? What form do they take?

Hoff


OpenFlow Is the New “Cloud…”

June 24th, 2011 4 comments

RealityOps…

June 23rd, 2011 No comments

George Carlin, Lenny Bruce & The Unspeakable Seven Dirty Words of Cloud Security

January 26th, 2011 1 comment

I have an upcoming cloud security presentation in which I map George Carlin’s “Seven Dirty Words” to Cloud Security challenges.  This shall accompany my presentation at the Cloud Security Alliance Summit at the RSA Conference titled: “Commode Computing: Relevant Advances In Toiletry – From Squat Pots to Cloud Bots – Waste Management Through Security Automation”

I’ll leave it as an exercise for the reader to relate my 7 dirty words to George’s originals:

Scalability
Portability
Fungibility
Compliance
Cost
Manageability
Trust

Of course I could have modeled the talk after Lenny Bruce’s original nine dirty words that spawned George’s, but seven of nine appealed to the geek in me.

/Hoff

P.S. George looks remarkably like Vint Cerf in that picture above…uncanny.


Virtualization & Cloud Don’t Offer An *Information* Security Renaissance…

May 11th, 2010 No comments

I was reading the @emccorp Twitter stream this morning from EMC World and noticed some interesting quotes from RSA’s Art Coviello as he spoke about Cloud Computing and security:

Fundamentally, I don’t disagree that virtualization (and Cloud) can act as fantastic forcing functions that help us focus on securing the things that matter most if we agree on what that is, exactly.

We’re certainly gaining better tools to help us understand how dynamic infrastructure, amorphous perimeters, mobility and collaboration are affecting our “craft”; however, I disagree that we’re going to enjoy anything resembling a “turnaround.” I’d suggest it’s more accurate to describe it as a “reach around.”

How, what, where, who and why we do what we do has been dramatically impacted by virtualization and Cloud. For the most part, these impacts are largely organizational and operational, not technological.  In fact, most of the security industry (and networking for that matter) have been caught flat-footed by this shift which is, unfortunately, well underway with the majority of the market leaders scrambling to adjust roadmaps.

The entire premise that you have to consider that your information in a Public Cloud Computing model can be located and operated on by multiple actors (potentially hostile) means we have to really focus back on the boring and laborious basics of risk management and information security.

Virtualization and Cloud computing are simply platforms and operational models, respectively.  Security is as much a mindset as it is the cliché three-legged stool of “people, process and technology.”  While platforms are important as “vessels” within and upon which we build our information systems, it’s important to realize that at the end of the day, the stuff that matters most – regardless of disruption and innovation in technology platforms — is the information itself.

“Embed[ding] security in” to the platforms is a worthy goal, building survivable systems is paramount, and doing a better job of ensuring we consider security at an inflection point such as this is very important for sure.  However, focusing on infrastructure alone shows that we are still blind to the reality that applications and information (infostructure) and the protocols that transport them (metastructure) are still disconnected from the cogs that house them (infrastructure).

Focusing back on infrastructure is not heaven and it doesn’t represent a “do-over,” it’s simply perpetuating a broken model.

We’re already in security hell — or at least one of Dante’s circles of the Inferno. You can’t dig yourself out of a hole by continuing to dig…we’re already not doing it right.  Again.

Two years ago at the RSA Security Conference, the theme of the show was “information centricity” and unfortunately given the hype and churn of virtualization and Cloud, we’ve lost touch with this focus.  Abstraction has become a distraction.  Embedding security into the platforms won’t solve the information security problem. We need to focus on being information centric and platform independent.

By the way, this is exactly the topic of my upcoming Blackhat 2010 talk: “CLOUDINOMICON: Idempotent Infrastructure, Survivable Systems & Bringing Sexy Back to Information Centricity”  Go figure.

/Hoff


Security: In the Cloud, For the Cloud & By the Cloud…

May 3rd, 2010 1 comment

When I interact with folks and they bring up the notion of “Cloud Security,” I often find it quite useful to stop and ask them what they mean.  I thought perhaps it might be useful to describe why.

In the same way that I differentiated “Virtualizing Security, Securing Virtualization and Security via Virtualization” in my Four Horsemen presentation, I ask people to consider these three models when discussing security and Cloud:

  1. In the Cloud: Security (products, solutions, technology) instantiated as an operational capability deployed within Cloud Computing environments (up and down the stack). Think virtualized firewalls, IDP, AV, DLP, DoS/DDoS, IAM, etc.
  2. For the Cloud: Security services that are specifically targeted toward securing OTHER Cloud Computing services, delivered by Cloud Computing providers (see next entry). Think cloud-based Anti-spam, DDoS, DLP, WAF, etc.
  3. By the Cloud: Security services delivered by Cloud Computing services, which are used by providers in option #2 and which often rely on those features described in option #1.  Think, well…basically any service these days that brands itself as Cloud… 😉

At any rate, I combine these with other models and diagrams I’ve constructed to make sense of Cloud deployment and use cases. This seems to make things clearer.  I use it internally at work to help ensure we’re all speaking the same language.

/Hoff
