Pages

Monday, April 28

Focus

I've written before about maximizing your core efficiency.  It was a good article, but I thought I could make it better.  It seemed to me that there was something missing.  I had points in the article, but not inspiration.  Not things that kept you going.  Let's see if I can fix any of that.

When I wrote before I talked about focusing on your job.  You were hired to do a job.  Maybe several jobs, but that's what you were hired to do.  All the other stuff is cruft.  If you maximize your efficiency and performance of your job, not only will everything else fall in line, but you will have more time to do whatever else you like to do.

Be calm.  Assess what you need to do.  Let's take a job that I have some experience at.  Since I am an IDS guy by trade, let's look at a typical IDS analyst's job.  What is the analyst there to do?  Pause here when reading this article.  Think for a second.  What is the analyst there to do?  Many of you will think of all the things that you do as an analyst or as a security professional.  You review logs, you review IDS's, you do pro-active scanning, you might even do a little penetration testing.  You probably write some documentation, SOP's, procedural documents, and the like right?  Am I am about right here?  Okay, so that's what you do during the day.  But what is your job?  If I asked you to describe what you do in one sentence or less in as few words as possible, what would you say?

I said this to a room of analysts one time.  We all gathered in a conference room and we sat around the table and I was given the task of organizing these individuals into a team.  I asked this same exact question, and we went around the room.  I heard some descent answers.  One liners.  

I said, "My job is to catch the bad guy."  That's it.  That's my job.

I stood in front of about 200 system administrators one time giving a speech about security, which, even though it should be part of every system administrators job, it's often put on the back burner.  But here I was giving a speech to a packed room.  I made another statement that day, it's a point blank in-your-face statement.  

"The bad-guys are already in your network, right now, as I stand here and speak, they are in your network.  Now what are you going to do about it?"

Think about that for a second.  Am I right?  Some of you will say no, I'm wrong, and go back about your business.  But I am saying it for a reason.  The Bad-Guy IS in your network, right now.  Still think I am wrong?  You aren't paying attention to security.  When I mean you aren't paying attention, I don't mean that you aren't reading the mailing lists and such.  I mean you aren't paying attention.  I am not going to explain to you what I mean about the Bad Guy being in your network, that's for you to figure out.  If you think I am wrong, it's also for you to prove that I am.  At this point you may be thinking that I am being a bit cocky.  No, I am being brash for a point, take the time to think what I mean.  

The Bad-Guy is in your network.  What are you going to do?

Your job as a network security analyst is to catch that bad guy.  What are you going to do?  Let's take it a bit bigger and look at security from a department perspective.  

Let's say you are a security department head for a corporation.  Not big, not small, or huge, or tiny.  It doesn't matter.  The difference between a 100 person startup company and a multi-trillion dollar organization is complexity.  The security of it is no more less or more secure, or no more or less important.  It's just more complex.  

Do not be afraid to roll up your sleeves on day one.  
Be honest with yourself, your employees, and your supervisors.  Don't be afraid to tell them the truth.  Even though the truth may not be what they want to hear.  The person hearing that truth will value you more for it in the end.  I didn't say blunt, or rude.  I said truthful.  You don't have to be an a** to get people to understand you.  You also don't have to tell people the whole truth to your point across.  Get in there and get dirty.  
When I go to a customer's site, on the first day I like to have a meeting with everyone I can.  Management, support staff, analysts, forensics, etc.  Sit them down and clearly state what we are all going to accomplish during this time.  

Don't lump too much into one time period.
Often times I am only on site with a customer for 4 or 5 days.  Sometimes I am onsite with customers for 4 or 5 months.  There is going to be a certain amount of things you can accomplish during this time period, and there are going to be things you won't be able to accomplish sometimes.  Don't stress over it, it's just the way the chips fall.  There is more time available, if it's truly important, I can come back.

Don't beat around the bush.
I kinda already said this up above, but face your challenges.  Putting them aside and procrastinating about projects, no matter how small or large, will only make them get worse.  The small ones will get bigger, the big ones will get monumental.   You've laid out your tasks, now get to it.

Never say anything you aren't sure of, and if you do, make sure the people you are telling that something to knows that you aren't sure.
If you are going to make a statement, make it.  But be right.  Better to not open your mouth and let people think you are an idiot, then to open your mouth and remove all doubt.  If you don't know the answer, and you have to give an answer, give them your best guess, but make sure they know it's your best guess and that you'll get a better answer for them shortly.  Then go get the darn answer.  Don't be afraid to ask for help if you need it.  You don't know everything, no one does.  But collectively a problem that seems like a mountain can shortly become a molehill.

What are you good at?  Make that list, then delegate the rest.
What are you good at?  IDS?  Packets?  Cisco devices?  Windows host based security?  Focus on that, become the absolute best you can be at that specific task.  Delegate the rest until you are the best at #1, then learn your #2's.  If you aren't good at Cisco devices, don't act like you are, find someone that is, hook up with them, learn from them if you can, and move on.  Do what you are good at.

I consider myself to be good at a several things, packet analysis, public speaking, explaining complex things in layman's terms, and teaching others.  I know I am not good at configuring firewalls, can I do it?  Yes, but that's not my core.  I know I am not good at writing documentation, can I do it?  Yes, but that's not my core.  But stick me in front of a large audience of technical people, CEO's, CFO's, and janitors, I can make sure everyone in that room gets my point, and am well understood.  I wasn't born with that, I had to learn it.  When I was first asked to stand in front of people and give speeches, teach, etc.  I sucked at it.  I was horrible.  But I was forced to do it, hundreds of times.   I use the old horse analogy.  If you fall off, get back on.  I wasn't good at teaching or public speaking at first, but I had to do it, so I did it, and I learned.  I didn't take courses at teaching or presenting, but I read books, I watched the masters at work, and I learned.  Now I am pretty confident and pretty good at it.   If you want me to come give a talk at your organization about security, etc.. my contact info is at the top of the blog.  (It says "Contact").  Let's talk.

Now, get a piece of paper (virtual or physical) and draw a line down the middle so that you have two columns.
On the left column, make that "I'm good at this" list.  Then make a separate list of things you wish you were better at on the right.  Take all the time  you need to do this.  Even if you aren't good at making lists. (put it on the right.)

Now look at your left column.  Really?  Are you really good at all those things?  REALLY GOOD?  Any you can concentrate better on?  Anything in there that you wrote down that you probably should have in the right column?  In your column of things I wish I was better at?  Go ahead, erase them and move them over to the right.  

Now how many things do you have on the left?  Probably 5 or 6 things.  Maybe 10.  Your right list should be much longer.  Now, what are your next steps to get better at the things on the right?  Anything you can do easily?  Get to it.

I'll make this a two or three part series.  So expect another post along these lines shortly.


 Subscribe in a reader

Sunday, April 20

Software Update -- Did Apple Do Enough?

As I posted on the ISC --

I've been reading alot of articles recently about Apple's Software Updates. A couple of weeks ago, we talked about this in the ISC podcast, about Safari being automatically checked for installation if you have Apple Software Update installed. Apple Software Update is Apple Inc.'s piece of software that keeps Quicktime, iTunes, and Safari updated on your Windows Machine. It obviously does a lot more on our Apple's.

Now, I am an Apple user, an AVID Apple user. I own no less then 15-20 of their products, and an avid Apple defender. But even I said that Safari being automatically checked and enabled for download and installation on Windows machines was going a step too far. I don't mind if it was there for download, but automatically checked? Meh.

Now, I don't have a Windows machine, so I haven't been able to experience this myself, but apparently Apple issued an update to Software Update last week that moved Safari down to a block called "Optional Downloads", instead of being labeled as an update. Well, it's a great step, but I still am of the opinion that Apple didn't go far enough. Safari is still checked by default!?

What's the big deal? It's just an update, or even an optional download. Well, that's fine except that Safari was checked even on machines that didn't have Safari installed on it. Apple wasn't the forcing the download on people, but it sure wasn't making it obvious that it was an optional download.

So my question is, did Apple go far enough? I don't think they did, I would like to see it unchecked by default as an optional download. I don't mind if Apple offers the Windows users a better browsing experience. ;) But I do mind if they make the browser seem like it's a part of an already existing installation.

The problem wouldn't be so bad, but I know at some point in the near future someone, whether it's Apple or some other agency , will report that Safari as "x" amount of market share, which me, as an Apple guy will say "Yeah! We have "X"!". But will it really be a real metric?

Joel Esler

http://www.joelesler.net


 Subscribe in a reader

Monday, April 14

News on the Podcast


I've received alot of positive feedback on the podcast.  Thanks for listening, apparently we're doing something right, Apple has featured us on the "New and Notable" list on iTunes.  So I am sure we might pick up some subscribers on that.  That's awesome.  I'm glad to see that it's being so well received.

 Subscribe in a reader

For those of you with Twitter

If you don't have twitter, just ignore this post.  Or if you have twitter, and you don't like John C. Dvorak, skip it too.

If you follow anything about John C. Dvorak (famed journalist that writes for alot of publications, most notably PC Magazine -- Recently quoted saying dump Microsoft all together and buy a Mac...  (okay, that was off-topic)) you'd know he doesn't do much of anything that is the new social networking/web 2.0 stuff.

Well, he recently joined twitter, presumably to give Leo Laporte something more to talk about on TWiT.  (Which, yes, I listen to.)  Anyway, if you are a twitter user, and you enjoy Dvorak's rantings as much as I do (hey, it's funny!), add him right here.

 Subscribe in a reader

News on the Podcast


I've received alot of positive feedback on the podcast.  Thanks for listening, apparently we're doing something right, Apple has featured us on the "New and Notable" list on iTunes.  So I am sure we might pick up some subscribers on that.  That's awesome.  I'm glad to see that it's being so well received.

 Subscribe in a reader

For those of you with Twitter

If you don't have twitter, just ignore this post.  Or if you have twitter, and you don't like John C. Dvorak, skip it too.

If you follow anything about John C. Dvorak (famed journalist that writes for alot of publications, most notably PC Magazine -- Recently quoted saying dump Microsoft all together and buy a Mac...  (okay, that was off-topic)) you'd know he doesn't do much of anything that is the new social networking/web 2.0 stuff.

Well, he recently joined twitter, presumably to give Leo Laporte something more to talk about on TWiT.  (Which, yes, I listen to.)  Anyway, if you are a twitter user, and you enjoy Dvorak's rantings as much as I do (hey, it's funny!), add him right here.

 Subscribe in a reader

Wednesday, April 9

iTunes is borked

Someone im'ed me this evening and told me that the new podcast episode was not up on iTunes.  Apparently if you are subscribed you'll get the new one, but it doesn't show up in the iTunes screen right away.  Wierd.  For a direct link to our podcast through our own XML go here.  It'll always be there ;)

 Subscribe in a reader

iTunes is borked

Someone im'ed me this evening and told me that the new podcast episode was not up on iTunes.  Apparently if you are subscribed you'll get the new one, but it doesn't show up in the iTunes screen right away.  Wierd.  For a direct link to our podcast through our own XML go here.  It'll always be there ;)

 Subscribe in a reader

Killbits

I have been getting a ton of hits through Google about people looking for further information on ActiveX KillBits.

Killbits are basically a way to stop IE (or anything based on IE) from calling an ActiveX bit to call another program.  Like, for instance, say you want to stop Yahoo Jukebox (as detailed recently in the most recent MSFT patches) from starting up when someone clicks on a link or something in IE, with the link telling IE to launch the Jukebox.

Well, you can prevent this from taking place by setting a "killbit" in the registry, which will basically prevent a program from being launched from within IE.  Detailed instructions are right here on MSFT's website.  You can do this globally across an enterprise as well by using a GPO for Windows.  I suggest a read of that website for your Killbit needs.

 Subscribe in a reader

Tuesday, April 8

Podcast Episode 2 available tomorrow

Our second podcast at the internet storm center should be available tomorrow, we recorded the second portion of it tonight, and I am sitting here listening to it to make sure it sounds nice and clean, so we should have it up on iTunes tomorrow.  I need to get a pop blocker for my mic, I have a couple red peaks in this record...  Here's the link were you can subscribe.

 Subscribe in a reader

Podcast Episode 2 available tomorrow

Our second podcast at the internet storm center should be available tomorrow, we recorded the second portion of it tonight, and I am sitting here listening to it to make sure it sounds nice and clean, so we should have it up on iTunes tomorrow.  I need to get a pop blocker for my mic, I have a couple red peaks in this record...  Here's the link were you can subscribe.

 Subscribe in a reader

Monday, April 7

GTD in Leopard, with Mail.app and iCal, redux

Remember that blog post I had like three months ago about GTD with Mail.app and Leopard, and iCal, and to-do's etc?  

Well, I found this article over here that basically expands on upon the point, I thought it was excellent, if you are a GTD person, check it out.

 Subscribe in a reader

Thursday, April 3

MSFT Tuesday for April 8, 2008

Looks like 5 critical and 3 important according to this link.  We at the Internet Storm Center will be recording our podcast that night, so we'll be cramming the info for these.  Two podcasts to record in the next few days!  

 Subscribe in a reader

MSFT Tuesday for April 8, 2008

Looks like 5 critical and 3 important according to this link.  We at the Internet Storm Center will be recording our podcast that night, so we'll be cramming the info for these.  Two podcasts to record in the next few days!  

 Subscribe in a reader

Snort releases version 2.8.1

Last night Sourcefire released version 2.8.1 of Snort.

Check out the changelog here.  Download it here.  Feature updates include:

* Support for target-based attribute tables
* Ability to read multiple PCAPs from the command line
* Support for GRE encapsulation for both IPv4 and IPv6
* Support for IP over IP tunneling for both IPv4 and IPv6
* An SSL preprocessor to allow the ability to ignore encrypted traffic
* Update to HTTP Inspect to identify overly long HTTP header fields
* Updates to IPv6 support



 Subscribe in a reader

Quicktime, Frontrow, and iTunes updates

Hey everyone, check out the new updates that Apple put out last night.  Security updates for Quicktime.  Then some other updates (probably compatibility with Quicktime) for Frontrow and iTunes.

I can't find the article right now because Apple's link is broken on their security site, but apparently there are like 11 vulnerabilities that this patches.

UPDATE:  I found it. Apple, fix your site.  kthnkx.

 Subscribe in a reader

Quicktime, Frontrow, and iTunes updates

Hey everyone, check out the new updates that Apple put out last night.  Security updates for Quicktime.  Then some other updates (probably compatibility with Quicktime) for Frontrow and iTunes.

I can't find the article right now because Apple's link is broken on their security site, but apparently there are like 11 vulnerabilities that this patches.

UPDATE:  I found it. Apple, fix your site.  kthnkx.

 Subscribe in a reader

Tuesday, April 1

Apple having an iPhone shortage

Stores across the US are selling out of the 8Gb and 16Gb iPhones according to AppleInsider.  Could this mean that the 3G iPhone is coming soon?  That's certainly what the rumors sound like.  I heard another rumor this morning that said that the manufacturer in Taiwan has received an order from 10 Million 3G iPhones.

Well see soon I guess?

 Subscribe in a reader

Apple having an iPhone shortage

Stores across the US are selling out of the 8Gb and 16Gb iPhones according to AppleInsider.  Could this mean that the 3G iPhone is coming soon?  That's certainly what the rumors sound like.  I heard another rumor this morning that said that the manufacturer in Taiwan has received an order from 10 Million 3G iPhones.

Well see soon I guess?

 Subscribe in a reader