What a special day, I am happy to share a guest-blog from one of my favorite assessor’s and dear friend Michelle Klinger (@Diami03 on Twitter). She has agreed to add content on Security Sociability from her perspective as a PCI-DSS QSA and information security professional.

-SecBarbie

Inside the heart of a QSA

by @Diami03

One of my true passions as an assessor is when clients actually thank me at the end of an engagement for identifying their weaknesses and then the periodic communications thereafter when they seek my security know-how as they evaluate new initiatives.

For those who do not know who I am, I am a disillusioned, frustrated, confused security professional. Oh, so we have met?! What’s making me feel hopeless, you ask? I must have forgotten to mention I’m a security professional that is also a QSA. Makes sense now, doesn’t it?

I’ve been recently feeling a crisis of info sec faith. For those of you who follow me on Twitter (@diami03), you may have noticed my ire at performing PCI assessments on the rise. To get some perspective, understand I am a security assessor by heart. I enjoy meeting clients who are truly interested in securing their environment, helping them identify security gaps, and then brainstorming about remediation solutions. I had been performing security assessments for the past 5 years using various security industry standards for guidance, my favorite being ISO27002. In those 5 years, the rates of compliance based assessments, most notably PCI, were on the rise but I was able to satisfy my information security fix with those clients who just wanted to understand their environment and to secure it.

Sadly, those days are long gone. Now I’m left with a checklist and a list of clients a mile long who are waiting in line to be branded as PCI compliant. Gone are the clients whose sole concern was for all of the information they housed. No longer am I able to assist clients understand their environment and help steer them down the path of information security righteousness. No, those days are long gone. Now I’m told to mind my business. If I make a security recommendation based on an observation, and I am unable to point to a PCI requirement mandating it, then I’ve committed an act of blasphemy.

Fine, with all that said, what’s my point? I’m not really sure I have one, other than to exorcise these feelings of impotence and publicly restate my commitment to security and not just a checklist babe. I also thought I might shed some light on the internal battle some QSAs are feeling which you might not be aware of. Although many of you have a negative view of QSA assessors, which I blame the PCI QSA process for, understand that there are a few of us silently screaming but unable to be heard. This is my silent cry!

I get it, not everyone is happy in their jobs. As was made clear in the 2009 Dark Reading article, “One in Two Security Pros Unhappy in Their Job” we are not all 100% satisfied in our current positions, and “that IT security pros feel they could be doing more.” For now I’ll continue doing PCI assessments because, quite frankly, I like the idea of being able to pay my mortgage every month. I would like to make one thing clear however, that I do not plan on just sitting back and letting the problems fester, but am attempting to raise awareness by giving talks, writing blog posts, and sharing my frustrations and suggestions for change with the industry.

SecurityBSides in San Francisco on March 2nd and 3rd held at Parisoma was an experience that those in attendance will not soon forget. This is not for the reasons of Andrew Hay’s opening slide with his pink dress, but for a community of security professionals sharing and collaborating in a fresh new way from the vendor is king conference that was across town. What makes this conference so very different is the interaction at a granular level that the attendees can have with the speakers and sponsors. Not only are the actual talks much more interactive, but the sponsors who are in attendance can actually interface with the attendees and understand their needs as well as have the opportunity to convey their message in a conversation, not an expo-floor 5 minute pitch.

Some of the talks that were covered over the 2 days of the event are listed here.

Media coverage of SecurityBSides here.

Thank you to the vendors & volunteers that made this event possible!

Upcoming SecurityBSides Events:

March 13, 2010 - BSidesAustin – “Keep Security Weird” – Coinciding with SxSW Interactive

April 24-25, 2010 - BSidesBoston – weekend after SOURCE Boston.

July 29-30, 2010 - BSidesLasVegas – coinciding with Black Hat / Defcon

Here are some highlights from SecurityBSides San Francisco acquired using the ancient art of screen capture from the Flickr streams of Jack Daniel and Vissago.

<Fade IN:>

A few weeks back, I was sitting in my office in the middle of a meeting with one of my Directors and my phone rings. It came through as one of our trunk lines, so I knew it was a transfer form the receptionist, I was in a good mood, so I answered it. Low and behold it was my first call from a Rapid7 Sales representative (First that I actually answered that is). Knowing that Rapid7 recently acquired Metasploit, I gave the gentleman a listen. He talked up the RSA party, HD Moore, and the products that Rapid7 is currently marketing compared to some of the competitors. All in all, it was a perfectly fine conversation and I did walk away with some value add. My only critique was that it was pretty long, and I’m pretty busy to spend that much time talking about a product that we aren’t yet seeking a new vendor for.

<Announcers Voice:> Later the same day

I receive another call from a Rapid7 sales representative who had no idea that I had just spoken with a gentleman earlier! I might have been a little curt on the phone, but please refer back to the fact that I am actually extremely busy, and had already invested 40 minutes on the phone with the previous representative.

Later the same day I asked my twitterverse for information about Rapid7 products, because I trust my colleagues who have used them more then I could EVER trust a demo. Thanks to the great social community of Security Twits I gathered a great deal of information. Additionally, I learned from someone close to internal Rapid7 that Rapid7 follows all the Rapid7 mentions on twitter... what fun would a day be without throwing a #Rapid7 after some tweets?

<evil-grin>

In all seriousness, Rapid7 is doing some very positive things for the industry in regards to sponsorship of the SecurityTwits event at SourceBoston, employing some AMAZING researchers, and advancing the MetaSploit project with commercial funding!

Rapid7, please work on a sales team lesson in positive versus negative social media networking. Here are my examples of Rapid7 Negative Social Media Marketing:

LinkedIN

• Requests to professionals who they have never met or never worked with:

TwitterNames Ommited: “ Anybody know what’s the bright idea with Rapid7‘s sales team suddenly trying to join people’s networks on linkedin??”

“ Ok @Rapid7, your salespeople’s newfound relentless addition of my linkedin have grown irritating & bothersome. Please DIAF.<- Ah :”

• The February 16th slew of LinkedIN Spam from “Business Developers” that most of my colleagues received. Not cool!

Twitter:

• Rapid7 twitter feed is just a Press Release reel, there is no interaction with the community, same can be said for the Facebook page!

Notable mention:

Having the “JR” account reps monitor twitter for Rapid7 mentions — Boiler Room meets Rapid7!

+

The RSA Party!

I’m sure everyone is thrilled that Rapid7 is hosting a party at RSA. But again, this is another marketing fail. They might not want to use the acronym “VIP” as it generally doesn’t mean invite everyone in the world, post it on twitter, then brag about having 1,000+ people at the party.

In case you didn’t RSVP… you can do so here http://www.rapid7.com/forms/rsarsvp.jsp

Come on Rapid7, you can do better then this!

I’m sure you are a great organization, it sure looks as if your employees have fun working there, but I have to say that Rapid7 Sales and Marketing gets the *first ever* Official SecBarbie FAILBarbie award of the month for doing bad all by themselves!

If you have been living under a rock somewhere and somehow haven’t heard about this revolution known as SecurityBsides, well, perk up folks! With SecurityBSides San Francisco being the second large-scale un-conferences that compliments a large corporate conference, the proposed talks are already shaping up to be something so very special to our industry! This is an un-conference that is completely powered by the people, so if you haven’t yet voted for the talks that you would like to hear, do it or don’t complain!

Here is my short-list of talks that I think are going to be wonderful

*Some are not yet picked to present, so if you agree, vote often!

The Great Compliance Debate: No Child Left Behind or The Polio Vaccine

Panel Discussion: Joshua Corman , Jack Daniel (@jack_daniel) , Anton Chuvakin (@anton_chuvakin) , Andy Ellis (@CSOAndy), a surprise guest

How to Design and Develop Your Own Security Event

Stacy Thayer, Ph.D. @stacythayer

My Life on the Infosec D-List

Andrew Hay

Hacking the Sales Cycle

Gal Shpantzer

Being Inbred Isn’t Just a Problem for Hillbillies.  Groupthink and the InfoSec Industry

Vikram Phatak

Risk Management – Time to blow it up and start over?

Alex Hutton

What kind of self-serving person would I be if I didn’t put a shameless plug in for the Gender Panel: Unicorns, Clubhouses, and Ruffled Feathers: Women in Security:

Rounding out the panelist this year will be:

Jennifer Jabbusch – CISO of Carolina Advanced Digital, Inc.

Andrew Hay – 2008 “Security Thought Leader” award winner by SANS Institute / Security Blogger / InfoSec Professional

Lisa Lorenzin – Crazy smart solutions architect for an organization that I’m not sure if she’s listing (you have google, figure it out yourself)

Gurdeep Kaur – Author of controversial SANS Reading Room Paper “Women in IT Security Project Management”

Michelle Klinger – Full time QSA, defender of all things saucy and womanly.

To quote the weather channel

“The storm may reach the top 3 of all-time in the Washington, D.C., area and may rival the record of 28″ from the

“Knickerbocker” storm of 1922.”

I am taking a little break in the festivities to let you all know that it has officially snowed pretty hard at ShmooCon VI. My flight has been canceled for Sunday, so with any luck at all I will be arriving back in Chicago (aka, the land that can handle 6″< of snow) sometime early next week.
With that, I have to say that the spirits of all the con goers is absolutely amazing! Trash-bag sleds are being used as well as certain individuals who have snowboards and snowshoes. The content of the event has started out with a bang, and the actual tracks tomorrow look exceptionally promising!

Thank you to @quine ‘s employer for hosting the Securitytwits meet-up this afternoon, it was VERY enjoyable! Syngress held a very nice happy-hour meet-up, and the DC949 party was absolutely killer! Festivities are still commencing as I type, but sometimes one must just call it an evening!

Notice I said people, not women.

If you are interested in speaking on a panel at SecurityBSidesSF about Gender (Unicorns, Clubhouses, and Ruffled Feathers: Women in Security) and how it is impacting our industry by sharing diverse stories that have shaped your career, and tips for how as an industry we can improve, please contact me!

Gurdeep Kaur who wrote the paper on “Women in IT Security Project Management” has agreed to sit on the panel to discuss her findings and her experience that prompted the research. Also Jennifer Jabbusch will be speaking again as she did on the original panel at SeucrityBSidesLV.

I am looking for 3 more panelist to make up a 5 person panel.

- A Facebook Privacy Memoir Part I

Facebook is so lovely, you can learn about what your friends who you don’t have time to keep up with are doing, look at their pictures, watch some of their videos and generally cyber-stalk them with their permission. Opps, we call that ‘being social’ not stalking now. In the last few years people have really enhanced the art of the me-me using social networks such as Facebook under the guise of “maintaining transparency”. This does beg the question, how much is too much?

In the last year Facebook has come a long way when it comes to the privacy settings, and nearly everyone is hiding something from the general population so we do have a start for some security.  If you want to be ubber technical about it, you can use friend lists and play with your privacy settings to create different views for each segment of your life, but who has time for this? Just like any system, add more complex controls and the users who should be using them the most will not.

I have used firewall graphical interfaces that are less complicated then the Facebook privacy settings. This is mostly due to the privacy settings for Facebook are not all in one place. There are the Privacy settings in the drop down, but then you have to customize your photo privacy settings in a whole different screen. Now add in the option to great groups for your contact and manage the settings by those groups as well. All of the technical minded people might think this is a piece of cake, but my aunt who isn’t that technical, can barely handle navigating from one profile to the next much less the privacy settings! Yet, she has no problem posting pictures, tagging me on the pictures, and sharing them with her friends.

As a Christopher Burgess wrote in his Cisco Security Blog about ‘Security – Who is Responsible’

“ When we wish to use an automobile, we are required to go through a number of steps even before we get the vehicle rolling.  During the drive, we adhere to the rules of the road (drive on the appropriate side, use our signals, stop at red-lights, go when green, etc.).  When the engine light illuminates, the brakes start to screech, or the steering pulls too far left, we take note and either perform the required maintenance or we take it to the garage shop for service. We correct. The mechanic isn’t sitting in the backseat providing telemetry surrounding your vehicle’s operation, and unless my grandmother is in your backseat, you’re probably not being told how to steer, accelerate or brake.  You are responsible.  All of these actions are the responsibility of the operator—the user.  You, the user, will decide “How do I maintain my vehicle and operate it?”  When you violate motor vehicle laws (and are caught), what occurs?  You receive a ticket and tickets carry consequences.  In the US the consequences might include a monetary fine, points on your license and, for some, a mandatory trip to court.  With choices and actions come consequences.

In the online world, we have the same basic responsibilities for security as a driver has in the physical world for safety.”

The unfortunate fact is that there is no education on the do’s and don’t of social media for people such as my aunt, nor would millions of high school students who are competing for the largest friend list and posting every little moment of their life even listen it it was! So here are my two tips for Facebook and a link to Cracked’s 10 Commandments of Facebook.

Don’t friend ANYONE you don’t know, and deny friend request if you don’t know them!

Don’t friend anyone you don’t know if you post anything to your Facebook that you wouldn’t post on a pubic or work bulletin board! You don’t really know who is on the other side of the profile.

If you don’t know the person, deny the friend request promptly! Unfortunately there is a bug in Facebook right now that allows people who request you as a friend to see your live feed while the friend request is pending. As of right now, there is not a privacy setting on the live feed. This is bound to change soon, but it is good measure to always deny friend request until you know that person.

Unless part of your job is using Facebook, don’t update your Facebook from work!

You don’t know who is really on the other side of your ‘Friends’, so unless part of your job is social media, don’t update your Facebook status from work. Wait for lunch, or after work. This is ESPECIALLY important if your organization doesn’t allow access to Facebook.

The 10 Commandments of Facebook

Until next time….

There is a paper in the SANS Reading Room titled “Women in IT Security Project Management” by Gurdeep Kaur that I came across this morning thanks to a friend of mine. After reading this paper it is clear why I get together with some of the most wonderful women in security to do the gender panels. This piece is actually written by a women, which is surprising as some of the rhetoric could likely be found in a piece from the late 1960′s when gender equality in the workforce in the United States was just in its fetal state.

The paper is written in such a way that the author questions if women possess the critical leadership skills to be successful in IT Security and Project Management, she brushes upon the decline of women entering the IT field, then the paper just gets all kinds of messy! She speaks to ‘Building a strong foundation’ and encouraging girls to stay engaged in the Science, Technology, Engineering, and Math. YET, she then digresses into a generalization about parents influence in their children’s behavior. WOW! Really? My parents bought me my first computer when I was 7, I have a friend who’s parents were government intelligence and she played with crypto when she was young. Both my friend and I were cheerleaders but somehow managed to still love science and math despite this author’s claim that during puberty that we would need additional encouragement. I call hogwash! This is where the paper just starts to spin down and where it becomes easily identifiable that the author is not using as much data to create a fair representation, but rather to justify her position and behavior.

I would like to formally invite the author to be part of our panel in March at BSidesSF during RSA Conference if she would like to defend her points, especially those in the 3 section of her paper. You all will just have to read it to understand that I don’t have enough time to pick apart all that I disagree with.

I am absolutely confused as to why SANS would actually post this to the reading room, this type of rhetoric belongs only in blogs.

Most asinine quote from the paper:   “It’s important to prove expertise with an industry certification.”

I just received this email…..

http://www.bankinfosecurity.com/articles.php?art_id=1874&rf=102309eb

Erin,

My sales engineer forwarded the following article to review this morning. It discusses a security breach that occurred at ChoicePoint, the fines and civil penalties that were incurred as well as consumer compensation that was awarded. It all started with a security monitoring tool that was disabled, databases were breached, customer information was stolen. And the entire situation could have been avoided if logs were regularly reviewed.

I thought you may find this to be an interesting article to review. I wouldn’t be doing my job if I didn’t provide you with security news and reviews.

Thanks
Rob

Okay… really…… the last sentence… I am very much tempted to write him back and give him a job description. Something to outline what I expect to see in regards to news and reviews on a daily basis(for example…. something a little more up to date). I mean… it is his job, right?

One might ask why would a Techie-geek security management person like myself would go to #140 Conference in New York? There are lThe security reason of interest to myself and to my organization is related to information leakage through twitter as well as furthering social education about new technology risks. 

What is #140Conf : You can check it out in the words of Jeff Pulver on his ideas of creating the conference.

Having just spoke of the issue of adult social networking education last week, I feel that this will be a fantastic opportunity to get to the grass roots of how viral social networking can change personal brand definition and how information leakage impacts organizations. The magnitude of people getting fired, expelled from schools, and socially blacklisted due to lack of some forethought when using twitter is absolutely amazing, couple this with what information can be distributed with malicious intent and we have one powerful medium. Security Awareness needs to be outreached to better educate everyone on the impact of what they say today on the life they will live tomorrow. 

Please look forward to my photo-blog that I will be uploading daily through my trek through the #140conf jungle, as well as the recaps of key topics.