Policies, Procedures and Politics

In the United States, you might have noticed that we have an event going on. Theoretically, the purpose of this event is to decide the direction of the country for the next four years. As is often the case with these discussions, many claims are being made by both sides. Of course, there are then claims upon claims, and discussion and action start to spiral out of control. Luckily, we have a document that we’ve created over the years to help keep things on track.

The Constitution of the United States, the Bill of Rights and associated Amendments serve as a reference and a guideline for how to run the country. They break down as follows:

  • Constitution of the United States, accepted in 1787 – 4,601 words
  • Bill of Rights, adjustments to the constitution in 1791 – 731 words
  • Amendments since 1791 – 2,615 words

This means that in the two hundred and twenty-five years that the United States has existed as a country, over four hundred million people, their rights, responsibilities and very lives have been guided by under 8,000 words. In general, it’s worked pretty well.

I make this post with two reasons in mind.

1) If you are going to engage in political discourse within the US, please take the time to read the 8,000 words (and 7% of that is filler like headers and names). It’s only about 12 pages of text (24 double-spaced), and it will help you to uncover lies and arm you to educate the uninformed.

2) If we can run a country for over two centuries with a policy document that is 12 pages long… that most people don’t bother to read, how many do you think read your information security policy manual?


For those that don’t want to bother clicking the links above, below is the text of the US Constitution and all amendments. Please, read it over lunch. You, and the country, will be better off.


So you want a new job… adapted from a presentation.

Introduction

This post details the techniques that many people, including myself, have used to find the jobs that we love. However, it is not for everybody. This process requires time… time to think about who you are and what you want. This is a long game and if you’re going to win it, you have to be able to focus on the process.

This means that if you have a job that you can tolerate for a while and want a better one, this is for you. If, however, you are unemployed and out of savings, this is probably not the best path. If you’re in this situation, you are probably better off finding a job that is tolerable. Once you have that, this process should help you on your next search.

If you have just been laid off, this process might be right for you and it might not. This will only work if you can take the time to understand yourself. In Western culture, we tend to derive much of our identity from our occupation. (Just look at some of our last names.) Thus, if we lose our job, we also lose our position in society and our identity within our own minds. It would be best to deal with those issues first. If you have saved up enough resources to do the self-analysis and then go through this process, go for it. However, if savings are slim, it would probably be better to get any job you can, get yourself stable and then start down this path.

Leaving

First of all, you must understand why you want to leave your current job. Common reasons include wanting to do more important work, to make more money, to gain more respect and to gain additional flexibility with regard to how, when and where you work. You may wish to move to a new city or find an organization with a culture that fits you better. You may also not be running to something, but running *from* something. If you are in a situation where legal, moral or abuse issues are driving you to seek another situation, what you need will be very different. Knowing this will help you evaluate new opportunities.

In addition to knowing what you want, it is important to know who you are. I have turned down several offers in the course of my career that would have been perfect for the person that I once was. I’ve turned down offers that involved more traveling than I want and offers that would require me to move to a city that I don’t want to live in. Knowing what is right for me has helped me know when to focus on improving what I have and when it’s time to move on. The following questions should help you determine what you really want to do with your life.

  • What do you love?
  • What do you hate?
  • What would you do for free?
  • Do any moral issues limit your options?
  • What are your short-term goals?
  • What are your long-term goals?
  • What’s your primary goal in looking for something better?
    • More money?
    • More responsibility?
    • Less responsibility?
    • Different work environment?
    • More flexibility?

Visibility

Next up is working on your visibility. This includes things like creating a personal website. Buy your own domain; it looks better that way. As you do work, try to be public about it. This means writing articles, releasing code (when you can) and being generally active on mailing lists. Tie this activity to your web site. The goal is to own the search engines. If you check out my personal site, you can see that I list some articles, some papers and some fun stuff. I also post my resumes, so they get caught up in the interest that my other posts drive. All of this improves Search Engine Optimization (SEO). You can also drive some of this traffic by posting links in social media, but remember that the goal of social media is to be social. You’re more likely to get a job from someone you know via social media than via a link you posted on social media.

The key here is to be as public-facing as you can. For most jobs/careers, being publicly visible is more of an advantage than it is a drawback. This post is very tech focused, as that’s where my personal experience is. However, the more visible you are in (almost) any industry, the more likely you are to be noticed by others. There’s going to be information out there about you anyway. The more of it that is created by you, the harder it is to find anything negative that someone else might put up about you. (It does, of course, help to minimize the amount of stupid stuff you do in the public eye.)

I have been lucky that much of what I do is in the public eye, but this has been a progression. Writing white papers, helping with marketing documents, working on open source projects and such all help get your name out there. If you do create public-facing documents for your current company, make sure that they are appropriate to be released. A document that is created for a prospect may need to be cleaned up before it’s ready to be shown to someone else. This also applies to items that you may wish to adapt from a forum/mailing list post and turn into an article or blog entry. As you work on this stuff, build a portfolio of items that you can show off in an interview. Then, before the interview, hire a freelance editor to review the portfolio and make sure that there are no stupid typos or grammar issues lurking therein. This can be pricey, but a few hundred dollars spent to fix your mistakes will likely be made up in your first paycheck at the new job.

Lastly, line up freelance work to do in the evenings and weekends. This raises funds to help with the job search (less debt makes it easier to take greater risks) and helps you learn more quickly. I mostly do freelance work in the publishing and education industries (editing, writing questions, etc), but there are many options out there.


Resume

So, about the resume… you should focus on two areas. First, each point should link to a story. These stories are what you’d tell in a job interview. They should be written to generate interest, whether the reader is browsing your site or sitting in front of you. Remember, the resume is primarily a tool to get people to talk to and about you. Secondly, the resume is a tool to get you past the HR filters. This means that you need to write it to match database queries. It has to list your skills and use all the terms that HR is going to use when they search it.

A few SEO tips (Google “SEO” for many, many more):

  • Put the name in bold at the top. You want a search for “obscure skill” to link to your name, not “Security Resume.pdf”.
  • Similarly, name the file “<Your Name> – <Prime Skill>.<whatever>”.  For example: “Josh More – Security.pdf”.
    • Recruiters & HR people get lots of resumes. Make yours easy to find.
  • Place any certifications you have at the top. This is what a lot of HR folks are going to search for.
  • Don’t use an objective, use a profile. We’re used to them on social media sites, and they support SEO-happy keywords.
  • Keep each bullet to one line. Keep your writing short and pithy.
  • If you have more than five certifications, put them all on your online resume. You’ll need them to turn up in searches.
  • Printed or emailed resumes need to be shorter and more targeted. Consider limiting certifications to just those that are directly applicable so you don’t come across as a distracted learner.


Squishy Skills

Once you get in front of someone, you have to be good at talking to them. This is social stuff and those of us in technology are usually pretty bad at it. Tough. If you know you’re bad at something and don’t fix it, you’re lazy and don’t deserve a better job. Fix your social skills by working on them. Books can help (see end of this post). After that, you need practice. Preferably, you need practice in two areas: one-to-one discussion and one-to-many.

For one-to-one, you’ve got to talk to people. Consider volunteering for events in your area. If you run a table with someone, you get to practice talking during the slow times. You can go to lunch or business after-hours events. It’ll be uncomfortable at first, but after a few times, you’ll get a lot better at it. In my field, I’ve volunteered for events like Software Freedom Day, CCDC and for local nonprofits. Not only does this provide good practice, but it gives you the ability to get good references from people outside of your current job.

For one-to-many, you need presentation practice; I like BNI and Toastmasters. These groups get you out of your comfort zone, so you can improve much faster. You can also practice meeting and getting along with strangers at various groups. Look for a local Linux or programming user group. If you’re in the security field, look at InfraGard, ISSA and your local CitySec group. Most of these groups are desperate for speakers and are very welcoming of people regardless of experience level.

Any time you build skills you run the risk of someone, like your boss, noticing. In my experience, this risk is significantly lower than most people think. Yes, you’re changing and growing as a person. However, it’s the people that like you that pay attention to you. If you were surrounded by people that liked you, you’d probably not be looking for a new job. The fear of “My boss will find out I’m looking and fire me” is almost entirely FUD (Fear, Uncertainty and Doubt) that is promoted by bad bosses because it keeps their people in line. Most people aren’t watching what you do in your off hours because it takes time and TV is more interesting.

If you’re really worried about this, you have to use squishy skills to play your boss. Find a way to make it their idea that you get involved. Saying things like “I was chatting with a friend about <Problem> and they recommended that I work up a presentation for the <Topic> user group, but I’m not sure. Would you mind if I talked about how you helped the team find the solution to this problem?” If you just do a little bit of ego stroking, you can usually get permission. Then, once you have permission, it’s easy to stretch it: “This other group wanted to hear my presentation too” and “The group asked me to write a blog post about it”.  Then, when you’re regularly presenting and blogging, you can slowly stop asking for permission and shift towards informing your boss about what’s going on.


Targeting

Remember, you never use a resume to open a door. You use it to drive conversation. You get in through the window. No one is watching the windows. The rest of this post is on picking a window and getting through it.

First, you need to pick some companies/organizations to target. To do this, consider your industry experience. Even if you don’t have much experience outside of your industry, consider peripheral industry types. For example, if you work in a bank, you could look at other banks, credit unions, collection agencies and loan administration groups. If you want out of your industry entirely, look for industries with similar roles. This may mean that it will take you two steps to get your dream job… one lateral move to another industry and then a leap within that industry to where you really want to be (like a knight in chess).

When you’re pondering lateral moves, you should think, not about what you want to do, but about what sorts of industries you can work in and how your current job would blend into that industry. For example, if you do system administration in the Finance sector, you may not be working with the same applications if you move to Health Care, but you would be using similar operating systems and doing similar operations tasks. If you’re doing programming work, you might not use the same libraries, but the languages would be similar.

Once you know your possible industries, pick your geographic area and make a list of all the companies in each target industry. Resources like your local metro area’s _Book of Lists_ and the annual newspaper’s list of “best places to work in <City>” can be helpful here. This will likely result in quite a lot of options, so you’ll need to narrow them down.

I like to first narrow by stability. Look at how long the organization has been in business and what you can determine of their customer base. Look at the total number of customers and whether there is a single “megacustomer” that provides most of their revenue. In the latter case, the risk is higher because if that customer leaves, it’ll gut the company on the way out. Then look at the reputation. Talk to competitors and customers, and search legal databases to see how often they’ve sued or been sued. You want to make sure that your dream job doesn’t vanish out from under you, so take your time here.

If the list is still too big, look at the technologies that you like. Identify the companies that make each technology and call the person that manages their partner program. Ask that person which other companies in your target area work with their technologies and, in their opinion, which would be the best to work for. It is surprisingly easy to get this information.

If you need to narrow it further, use the tools you have. Talk to friends about the companies on your list and see what you learn. Use tools like LinkedIn, Google, Bing, Google Groups, mailing lists, RapLeaf and Maltego to build a “profile” of notes for each company. Then rank them and start with your favorite.


Getting In

Now for the fun part. Use LinkedIn, Maltego and eSearchy to build a list of the people who work for that organization and try to sort them by department. For the department you’re targeting, learn what you can about them (Google, Bing, Facebook, LinkedIn, etc) and see if you can map out their interests. See if you have a friend in common or a friend of a friend who can make an introduction. See if you have shared interests and if you can manage to bump into them at a user group. Don’t do anything illegal to get information, but if the information is out there you might as well use it. Think of this as shopping for a boss. Learn as much as you can about the person you want as a boss and about their bosses.

Now search their web site, and search for their name across all other websites. Look for areas of improvement in their products and services. Forums are excellent sources of information. So are press releases and newsletters. Take the time to figure out their primary competitors and figure out where they fit. Make a feature chart if you can and map out where they may be lacking when compared to the competition and where the industry as a whole is lacking. See if you can come up with ideas to fix things, open up new markets and make the company more “sticky” with respect to their customers.

Remember the squishy skills I said you’d need? This is where you use them. Get an introduction to your hopefully-new boss. Go with friend-of-friend if you can, but if you can’t, see if you can identify a former or current employee to introduce you. People like to be helpful, so let them. A cover letter may or may not help this process. If you are successful in getting a personal introduction, you don’t need a letter. However, if the best you can do is find out the name of the new boss and what they’re looking for, a cover letter is very important.

If you must write a cover letter, keep it simple. Leave your hopes and dreams out of it. Focus on how you’ll help your new boss. Talk about what you think their problems are and how you think you can help. Identify things you’ve done in the past to solve similar problems. Remember that the less you explain *how* you solved them, the more likely you are to be invited in to discuss that process. The goal of the cover letter is not to get a job or to completely explain yourself… it’s to get an appointment.

Once you get the appointment, be prepared to work very hard for a few weeks.


Personal Branding

Review your website to make sure that it conveys what you want to the person you’ll be talking to. If you’ve been maintaining it and pruning out comment spam and informality, this should be easy. Next, you’ll need a business card. You can generate your own and have it printed at a local print shop, but if you have a friend in the industry, see if they’ll help you out. Ideally, your business card will be awesome, but if you can’t make it awesome, make it memorable. Think of titles like “Hopeful Job Candidate” or “Revenue Booster”. Think of putting other information on the card like hobbies. This makes you seem more personable and creates additional connections in the target’s brain so they’ll remember you better. Do not use one of those free services. They usually put their name on the back of the card, which splits the brand and makes you look cheap.

Then, update and spell check your resume. Then contact your friends and create a page of references to have ready in case the company asks for them. If time allows, create some blog entries that are written with your target’s customers in mind. Fill enough of your blog/site so that only new content exists on the first page.

Now, pull out your portfolio. Get some folders from your local office supply store and build everything out. You’ll want to have any public handouts, flyers, pamphlets, whitepapers etc. in one pocket. Put your list of skills, references (optionally) and resume on top of them, leaving the other pocket empty. If you get a folder with a spot for a business card, put that in the right spot.

Now you get to fill the other pocket.

Targeted Portfolio

Remember that competitive review you did? Make it look all pretty, put it in the target’s colours and print it out. It goes in the empty pocket. Remember the research you did on what the company can do to fix problems or add functionality? Write that up too, make it look pretty and put it in the empty pocket. Consider writing a strategy paper for a new business endeavor, filming yourself presenting and putting it on DVD or coming up with a list of potential clients. Put all of this in the empty pocket. Think of what could be combined with the existing product that could increase revenue through upsells or feature enhancements.

The goal is to have at least five items that show that you are a smart person who is willing to work hard and help out the company. This way, one half of your portfolio is about you… what you’ve done and who you are. The other half is about what you will do… if they hire you. The fact that if they don’t hire you, you might do the same for their competitor is one that you’re best off letting them realize themselves.

If time permits, search your network for someone at the same level as your hopeful new boss. See if they’ll meet with you, perhaps over lunch, and review the portfolio to give you feedback.

Private Portfolio

Finally, build a private portfolio. This would be documents that you don’t want to leave behind and ones that you wish to reference during the meeting. Have a copy of your resume in there, as well as anything that is somewhat sensitive. The most sensitive would be the total compensation calculation.

When the discussion turns to money, it’s tempting to just ask for 10-15% more than you’re making now, but that’s risky. If you take a 10% raise, but give up vacation days or a cell phone stipend, you might wind up with a loss. Make a spreadsheet that lists your current salary, any education and certification maintenance costs, software and hardware costs, benefits like vacation and health insurance and financial considerations like 401K matches, stipends, commissions and bonuses. Figure out how much a vacation day is worth and add that in. Finally, if you’re moving to a new city, figure out what the cost of living adjustment is and adjust your final number by that percentage. This allows you to directly compare any offer they give you and counter with something made of real numbers.

Now you’re ready to climb in the window and your tools are ready.


Interview

Interviews are hard. We only tend to do a few of them in the course of our lives. Naturally, we’re going to be bad at the process so we have to practice. I like to practice with audio books. Listen in the car and, after each question, pause the CD and respond. You’ll look like an idiot talking to yourself in the car, but if you’re going to look like an idiot, it’s better to do it on your own than in the interview itself. Remember not to memorize the answers. You just need to be assured that you *have* the answers and practice flowing through them and not saying “um” and “uh” too much.

When it is time to go to the interview, pre-drive it the day before. This prevents getting lost from being a problem. Also, allocate lots of time. Arrive in the parking lot at least half an hour early, but don’t go inside until about 10 minutes before the interview. Once there, you will be asked to sit. Don’t; it’ll make your clothes wrinkly. Stand and read the company literature. Then have the rest of the day open. If things go well and they bring more people in for you to meet, you could spend all day. I have had seven, eight and nine hour interviews… that were originally scheduled for one hour. Basically, dedicate the day and be flexible. If they want to go to lunch, go to lunch (don’t order anything messy).

Then the interview(s) will start. When you’re in them, try to ask questions. The interviewer should talk at least as much as you do. Remember, if you did your research, you know more about them than they do about you, so drive the discussion to their passions. If they like programming, answer their questions in terms of programming. If they like their family, spend time talking about yours. Giving factual answers is only 10% of the interview process. The rest is building rapport. Build rapport over time and leave the interview with them more interested in you than when it started.

As you talk, take mental notes. Use the documents you created to illustrate your ideas, but if you guessed wrong, correct the documents in front of them. Then, when you come back for the second (or third…) interview, update the docs and give them the fixed versions. If you have to build a brand new document, do so. The goal is to show learning and improvement, the same way you would in the actual job.

At the end of the interview, try to either close the deal (get a job offer) or get an advance (discussion with a higher-level person or group). Get an appointment, thank them for the opportunity for further discussion, and leave. Don’t stay too long past the “next step” decision; it’s not likely to help and it could hurt. Leave things on a high note.

If you can’t get this, start over with the next company on your list.

If the interview was successful, you’ll have some TODO items. Email the interviewers back with answers to things you couldn’t answer at the time. Include links if appropriate. Send personalized hand-written thank-you cards too… but spell check them first. This will give you a nice follow-up that they’ll receive just as they are starting to forget about you.

Loop through this process until you get and negotiate an offer.


Notice

Once you have the job, consider the notice process. For some jobs, giving two weeks’ notice is sufficient. For others, you need more so they can find a replacement and you can train them. If you are a billable resource, consider negotiating a corp-to-corp rate so your current company can pay your new company for your time in case something isn’t covered by the time you leave. This can be used as leverage to renegotiate any non-compete that might be in place. Yes, these are generally viewed as unenforceable in a court of law… but who wants to go to court?

When these preliminaries are done, write down the fact that you’re leaving, the status of any projects you have, the length of the notice and, if applicable, any corp-to-corp rates. Put this in the form of a business letter, set up an appointment with your boss, walk in and hand it to them. They may give you a counter-offer. In almost all cases, you don’t want it. If they threaten you, get a lawyer involved. Otherwise, serve your remaining time and then escape to your shiny new job.


Resources

This article is the result of years of reading, learning and thinking. The following books and people were instrumental in helping me understand this process and sharing it with you. Please consider them if you want more information:

Books

  • Don’t Send A Resume by Jeffrey Fox laid out the bones for this process.
  • Brag – The Art of Tooting Your Own Horn Without Blowing It by Peggy Klaus taught me how to talk about myself without sounding like an arrogant ass.
  • The Science of Fear by Daniel Gardner discusses the reasons that people act the way they do and how fear is used to manipulate us.
  • Google Hacking 1 & 2 by Johnny Long shows how to use Google (and other search engines) to uncover the information that you really care about.
  • What The CEO Wants You To Know by Ram Charan explained the language that people use in business and why it matters.
  • How To Win Friends And Influence People by Dale Carnegie teaches social skills to people that didn’t bother to pick them up the first time around.
  • The Last Lecture by Randy Pausch helps with understanding what really matters in life.
  • Selling The Invisible by Harry Beckwith explains marketing to non-marketers and why what’s obvious to us isn’t obvious to others.
  • Spin Selling by Neil Rackham finally explained sales in a way that didn’t seem sleazy and full of tricks.
  • Let’s Get Real Or Let’s Not Play by Mahan Khalsa is about the process of identifying when you’re at the point of diminishing returns and how to get out.
  • Sales Bible by Jeffrey Gitomer explains sales in ways that work, but does feel a bit sleazy at times.
  • Getting Things Done by David Allen introduces a method of time management so you can do more in less time and stop playing catch-up all the time.
  • Getting To Yes by Roger Fisher and William Ury is about negotiation in a way that matters and works, not just one-upmanship.
  • Good to Great by Jim Collins discusses what businesses need to be successful.
  • The Innovator’s Solution by Clayton Christensen and Michael Raynor explains why disruption is as powerful as it is and how to take advantage of that fact.
  • The One Thing You Need to Know by Marcus Buckingham is actually about several things… but you need to know them anyway.
  • Better by Atul Gawande is a book on improvement. It’s by a surgeon, but the lessons apply to other fields too.
  • Orbiting The Giant Hairball by Gordon MacKenzie is about when corporate culture goes horribly wrong and how to deal with it.
  • Last Chance To See by Douglas Adams talks about figuring out what matters and doing it, a humorous book about a serious subject.
  • Visual Explanations by Edward Tufte helps with conveying your message in a way that is easily and immediately graspable.
  • Made to Stick by Chip and Dan Heath helps with crafting your message in a way that is extremely memorable.
  • Presentation Zen by Garr Reynolds gets beyond presentations that don’t suck and into presentations that are actually pretty great.
  • Surely You’re Joking, Mr. Feynman by Richard Feynman is about life and learning and identifying what matters.
  • Tesla by Margaret Cheney explains that brilliance alone isn’t enough.
  • An Unquiet Mind by Kay Redfield Jamison talks about overcoming self-limitation by identifying and accepting it.
  • The Complete Greek Tragedies edited by David Grene and Richmond Lattimore reminds us that no matter how bad things are, others have had it much worse.
  • The Art of Living by Epictetus shows how life hasn’t changed much since ancient Roman times and suggests that we should stop re-inventing the wheel.
  • Meditations by Marcus Aurelius is a business book… about running the Roman empire.
  • Outliers by Malcolm Gladwell talks about why some of our problems aren’t our fault and how to deal with that.

People

  • Mike Wagner has personally helped me understand pretty much everything I know about branding and public speaking.
  • Mike Sansone has personally helped me leverage the Internet to help me get where I want to go.
  • Mike Colwell has helped me understand business by building a community of knowledgeable people to leverage.

Tools

  • Inkscape is a tool used to create powerful graphics at zero cost.
  • LibreOffice is a word processing and spreadsheet tool that you can use at home for free.
  • Maltego by Paterva helps you find information all over the Internet to gather data for analysis.

There are, of course, many others, but I consider these my core resources.

Horsing around at ShmooCon

Last weekend I attended ShmooCon, a yearly security conference held in Washington D.C. Today I want to explore several common themes I noted in many of the great technical presentations at the conference.

1) Operations

For many years, the community has been saying that security is facing an operations challenge, not simply one of technology and cash flow. Simply put, most people aren’t following our advice. Administrators aren’t reviewing logs, systems are still unpatched and users are still running as administrators. Risk increases every day when people don’t do the right thing; this is the fundamental reason most people get successfully attacked.

In many ways, this flaw in operations is like having a horse. You build a great stable. You put in lights and a heater. You put nice locks on the doors. You build out the plumbing system so the horse can have fresh water and then finally … you buy a horse and put it in the stable. Sadly, most companies get to this point and then, after spending tens of thousands of dollars on their horse, decide spending $100 on oats is too expensive and just toss scraps into the stable as time permits.

Sadly, we live in a world full of dead and starving horses.

2) Separation of Targets

Fortunately, not every business is as far behind as most of the ones we see. There are many businesses doing security right. They are investing money to protect assets, training employees and seamlessly running operations. These companies are succeeding, and as a result, the gap between “good” and “average” is widening dramatically.

To get back to the horse metaphor, we no longer have a single race. Instead, we have two. In the first, people are riding their horses much as you’d expect. In the second, businesses have invested in security but not operations, dragging their dead and dying horses around the track. These races work very differently and therefore are attacked differently.

If your operations are failing (as in #1 above), your horse may not be worth much. However, if an attacker can get a nice pile of dead horses, they can sell them for glue. In other words, these are the low-level attacks we see every day zeroing in on credit cards, ACH transfers and customer data. Attackers focus on bulk theft and you are just a convenient target.

However, if you have good security AND good internal operations, you’re in a different race. A horse thief focusing on live horses is going to have more options than one who raids the graveyard. The attacker who selects a company with good operations will see greater value from a successful attack. If your company is investing in day-to-day operations, odds are you have some juicy intellectual property to protect. This is where these attackers focus.

In either case, if you’re behind more than half the horses in the race (i.e., below average), you’re going to lose. Remember, the attacker just has to win once… you have to deflect the attacks constantly. The attackers are targeting the easiest in each category first, so as horses vanish from the race, you have to keep improving to stay above average.

3) Defensive Intel Sharing

Finally, there is the true value of an event like Shmoo. The value isn’t in the sessions (though they are great), but in the discussions in hallways and over meals. This is where security people get together and share ideas as to what techniques work to defend against these attacks. We brainstorm and share intelligence. This helps us protect our own little corners of the world better.

To beat the horse metaphor to death, it is as though international teams of horse rustlers (hackers) specialize in stealing horses (your business). Some are great at stealing wagons and have no idea what horse they’ll be getting. Others team up: one person is good at riding horses, one at distracting jockeys, and maybe there’s a large animal vet to determine how best to use the newly-stolen horse. They share ideas with other teams as to what has worked and what hasn’t, and thus they constantly improve.

At Shmoo, we share ideas that keep our horses from being stolen. It could be as easy as putting better locks on the stables, or as ridiculous as using velcro saddles to keep the jockeys firmly seated. In many cases, it is about small improvements … ways to feed the horses more cost-effectively, or the ability to keep an extra set of eyes on people approaching your stable.

In other words, going to Shmoo isn’t likely to help you, but it will certainly help me help you. Now, let’s talk about your horse.

 

(Originally posted on RJS Informer)

Password Security and Schools

For those who don’t know, when attackers successfully breach a system, they often post what they find publicly on the Internet. For those on the illegal side of information security, this affords them the satisfaction of adding another notch to the scoreboard and further shames those with poor security. For people like me on the legal side, it gives us real-world passwords to analyze for commonalities, variations and patterns. For this reason, I have several automatic searches that notify me when certain kinds of information get leaked.

Recently, I was alerted to a situation that occurred at the George Washington Middle School in Ridgewood, New Jersey. I won’t link to the actual leaked data, but suffice it to say it contains enough administrative information to access their systems. I did not verify this to the point of logging in, but it certainly looks correct and the leak has already been plugged, thus illustrating the sensitivity of the information revealed. Besides the data mentioned above, the leak also contained usernames and passwords for 246 sixth graders.

You’d think with 246 young students, you’d see 200, perhaps even 225 unique passwords, right? And if default passwords were created for them by a network administrator, you’d hope all 246 were unique. When analyzing the data, however, there were only 34 unique passwords. 34!

Here they are:

Shared by ten or more students:

  • glasses = 13 (5.28%)
  • finish = 12 (4.88%)
  • button = 12 (4.88%)
  • dinner = 12 (4.88%)
  • oranges = 12 (4.88%)
  • apples = 12 (4.88%)
  • letter = 12 (4.88%)
  • stormy = 12 (4.88%)
  • gentle = 11 (4.47%)
  • cupcake = 11 (4.47%)
  • winter = 11 (4.47%)
  • butter = 11 (4.47%)
  • carpet = 11 (4.47%)
  • joyful = 11 (4.47%)
  • summer = 10 (4.07%)
  • middle = 10 (4.07%)
  • friday = 10 (4.07%)
  • person = 10 (4.07%)
  • football = 10 (4.07%)
  • people = 10 (4.07%)
  • soccer = 10 (4.07%)

Used by a single student:

  • butter32 = 1 (0.41%)
  • butter27 = 1 (0.41%)
  • dinner20 = 1 (0.41%)
  • letter38 = 1 (0.41%)
  • summer17 = 1 (0.41%)
  • summer83 = 1 (0.41%)
  • winter34 = 1 (0.41%)
  • apples74 = 1 (0.41%)
  • letter28 = 1 (0.41%)
  • Password = 1 (0.41%)
  • summer22 = 1 (0.41%)
  • letter48 = 1 (0.41%)
  • winter64 = 1 (0.41%)

Note the last thirteen entries, each used by a single student. Those are the passwords that are truly unique. This means that of 246 passwords, only 13 are not like the others, and of those 13, only one is not built on the shared list. Even that one is the ever-original “Password.”

In all the analyses I’ve done, this is by far the worst. There are a handful of possible scenarios. Ignoring the possibility that this is completely fabricated (the children’s usernames make that seem unlikely), these passwords were either generated for the children or chosen by them. Given how evenly the 21 common words are distributed, it seems more likely that a list of 21 “default” passwords was generated and the students were then asked to change them. Given the thirteen one-off entries, it seems the instructions were “add two numbers to the end of your password to make it secure.” The password “Password” matches a username of “Username,” so it is probably a column header or a default value and can be ignored.

So, what’s wrong here?

First, selecting passwords this way means that a student who knows only his or her own password could log into at least 9 other accounts, and possibly as many as 14 if they also try two-digit suffixes on their own word, with no work at all. Add the obvious word pairs (summer/winter, apples/oranges, soccer/football) and that inside knowledge reaches about 25 accounts. An outsider attacking this system with a default word list would get hits on most of these in about a day, and with a list of usernames could gain access to every account here in that time. On some systems it would take as little as a minute to crack each account.
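The numbers in that paragraph (9, 14 and 25) can be checked directly from the frequency table. The following is an added example, not code from the original post: it rebuilds the 246-entry password set from the counts above (no usernames are included), collapses the “word plus two digits” variants back to their base word, and counts how many accounts a single insider could open. The pairing table is my encoding of the word pairs the post names.

```python
"""Frequency and variant analysis of the leaked sixth-grade password set.

Added example, not code from the original post. The password list is
reconstructed from the counts in the table above (21 shared words with
their frequencies plus 13 one-off entries); no usernames are included.
"""
import re
from collections import Counter

# Shared words and the number of accounts using each, copied from the table.
SHARED = {
    "glasses": 13, "finish": 12, "button": 12, "dinner": 12, "oranges": 12,
    "apples": 12, "letter": 12, "stormy": 12, "gentle": 11, "cupcake": 11,
    "winter": 11, "butter": 11, "carpet": 11, "joyful": 11, "summer": 10,
    "middle": 10, "friday": 10, "person": 10, "football": 10, "people": 10,
    "soccer": 10,
}

# Entries used by exactly one account.
SINGLETONS = [
    "butter32", "butter27", "dinner20", "letter38", "summer17", "summer83",
    "winter34", "apples74", "letter28", "Password", "summer22", "letter48",
    "winter64",
]

# Word pairs a guesser would naturally try together (my encoding of the
# pairs named in the post).
RELATED = {
    "summer": "winter", "winter": "summer",
    "apples": "oranges", "oranges": "apples",
    "soccer": "football", "football": "soccer",
}


def rebuild_password_list():
    """Expand the frequency table back into one password per account."""
    passwords = []
    for word, count in SHARED.items():
        passwords.extend([word] * count)
    passwords.extend(SINGLETONS)
    return passwords


def base_word(password):
    """Strip a trailing run of digits: 'letter38' -> 'letter'.

    Catches the 'add two numbers to the end' pattern the post infers.
    """
    match = re.fullmatch(r"([A-Za-z]+)(\d+)", password)
    return match.group(1).lower() if match else password.lower()


def summarize(passwords):
    """Return (exact_counts, base_word_counts) for the password set."""
    exact = Counter(passwords)
    by_base = Counter(base_word(p) for p in passwords)
    return exact, by_base


def reachable_accounts(passwords, bases):
    """Accounts whose password collapses to one of the given base words.

    Models a guesser who tries each word verbatim plus its digit-suffixed
    variants.
    """
    wanted = {b.lower() for b in bases}
    return sum(1 for p in passwords if base_word(p) in wanted)


def other_accounts_opened_by_insider(passwords, own_password, try_pairs=False):
    """How many *other* accounts a student who knows only his or her own
    password could open, optionally also trying the paired word."""
    base = base_word(own_password)
    bases = {base}
    if try_pairs and base in RELATED:
        bases.add(RELATED[base])
    return reachable_accounts(passwords, bases) - 1
```

Running `other_accounts_opened_by_insider` over every shared word gives a floor of 9 (any word used by ten students) and a ceiling of 14 (“letter” plus its three suffixed variants); adding the paired word for “summer” reaches 25, which is where the post’s estimate comes from. The same `base_word` collapse is what an attacker’s rule-based word list does automatically, so the 34 “unique” passwords are really 22 guesses.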

Now, no one expects sixth graders to be security geniuses, but sad to say, habits get set early. Assuming the one-off entries are the passwords that students changed, only 12 of 246 followed the instruction to change their passwords. That means we can expect about 4.88% of people to follow directions. If personal experience indicates anything, sixth graders are more likely to follow directions than adults, so in an average organization we can assume that fewer than 5% of people will follow best practices … and they’ll probably do the bare minimum required of them.

Now take a minute and think what this would have looked like if the following changes were made to the system:

  • Users are assigned completely random passwords.
  • The system requires passwords to be at least 12 characters long.
  • The system requires passwords to contain a mix of upper case, lower case, numbers and punctuation.

What would happen? First, the student would probably write his or her password down somewhere. Now that password is only as safe as a locker, and/or the student’s resistance to bullying. Maybe there’s a better way.

What if the system were instead set up to let users register themselves, with a scoring rule in place of a fixed complexity rule? Suppose a password had to reach a score of 100, computed this way:

  • base starts at 0
  • contains an upper case character: base + 10
  • contains a lower case character: base + 10
  • contains a number: base + 10
  • contains punctuation: base + 10
  • contains a space: base + 10
  • score = base * length of the password

If someone wanted to use a basic word like “winter,” the system wouldn’t accept it (a base of 10 times 6 characters is only 60). “Zoologists,” on the other hand, would be accepted (20 * 10 = 200). If you wanted something shorter, you could go with “like2” to obtain the required score of exactly 100 (a base of 20 * 5). This is the basic idea of password scoring. You could decide for yourself what metrics to use, but by raising the threshold and weighting character classes differently, people are driven toward longer, more varied passwords of their own choosing.

Using the rules above, suppose you wanted a specific score of 1000. “Jooxiepa8da X1Zaode!” would work, but so would “Ask not what you can do for your country.”  Which is easier to remember?
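The scoring rule above is small enough to implement and check against the post’s own examples. The following is an added example, not the school’s system or code from the original post. It implements the base-times-length score exactly as described, and adds one check the post does not mention (my addition): a denylist of known-leaked words, because class variety alone happily accepts “Winter1!”, which is just a word from the table with a capital and a digit bolted on.

```python
"""Password scoring rule from the post, as an added example.

Not the school's system or any real product. Score = base * length, where
the base gains 10 for each character class present: upper case, lower case,
digits, punctuation and spaces. The denylist check in accept() is my
addition, not part of the post's rule.
"""
import string

CLASS_WEIGHT = 10

# One predicate per character class that contributes to the base.
CHARACTER_CLASSES = (
    str.isupper,                        # A-Z
    str.islower,                        # a-z
    str.isdigit,                        # 0-9
    lambda c: c in string.punctuation,  # !"#$%&'()*+,-./:;<=>?@[\]^_`{|}~
    lambda c: c == " ",                 # space
)


def base_score(password):
    """10 points per character class that appears at least once."""
    present = sum(
        1 for is_class in CHARACTER_CLASSES
        if any(is_class(c) for c in password)
    )
    return CLASS_WEIGHT * present


def score(password):
    """The post's rule: base * length of the password."""
    return base_score(password) * len(password)


def core_word(password):
    """Letters only, lower-cased: 'Winter1!' -> 'winter'.

    Undoes the 'capitalize it and add a digit' dressing so a denylist of
    plain words still matches.
    """
    return "".join(c for c in password if c.isalpha()).lower()


def accept(password, threshold=100, denylist=frozenset()):
    """Accept when the score meets the threshold and the password is not a
    denylisted word dressed up with digits or punctuation."""
    if score(password) < threshold:
        return False
    return core_word(password) not in denylist
```

With a threshold of 100, “winter” scores 60 and is rejected, “like2” scores exactly 100 and “Zoologists” 200. At a threshold of 1000, “Jooxiepa8da X1Zaode!” scores 1000 and “Ask not what you can do for your country.” scores 1640. The denylist matters because the score measures length and variety, not unpredictability: “Winter1!” scores 320 and passes a threshold of 100 unless “winter” is denylisted.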

This is how you get people to choose passwords that meet an arbitrary security threshold yet are easy to remember and hard to crack. Since people don’t follow directions (a 5% change rate) and write down things that are hard to remember, this is one of the best systems you can implement. Sure, multifactor systems are better, but I don’t think sixth graders would be very good at keeping track of their magic “log me on” device. So instead of teaching them horrible password habits from an early age, maybe we should implement a system that understands that humans, of whatever age, are human.

In fact, maybe we should do this in business too.

 

 

(This article was originally posted at the RJS Insider)

Security Certification 3/3 – Doing and Teaching

This post is part 3 of a series.  Please see posts 1 and 2.

So you’ve learned something. Congratulations. Knowing is half the battle. Sadly, the other half involves actual fighting. This post is on how to fight … or, in this case, how to demonstrate that you know stuff. (Which is a lot like fighting if you leave out all that tedious stuff about hitting people.)

I like to follow the old cliché “Learn One, Do One, Teach One.” So you’ve learned something; the next step is doing something with it. Since we’re talking about security, the best option would probably be to stop a bad guy. Sadly, that’s not always feasible. Fortunately, you have some options.

Doing

One thing I strongly suggest is joining an open source project. I used to suggest starting one, but it seems that whenever I said that, someone would run off and make a new network scanner. We have enough of those.

Join a project that uses modules. Metasploit is good. So are SET and Nmap. If you’re webby, take a crack at extending w3af. This will force you to understand a system, improve it and work with others to get your change accepted. In short, it demonstrates everything a prospective employer wants.

Suppose you’re not a programmer. That’s OK. You can use the tools above to run assessments. Assess your home network to learn how everything works, then start calling local non-profit groups. Offer them a scan in return for the ability to post a summary of the results online (after they approve the anonymization of the data). There is some risk here, so you might want to investigate errors and omissions insurance beforehand. At the very least, have them sign a written authorization form so that you’re protected. Learning the ins and outs of these sorts of assessments demonstrates that you not only have the technical skills but can also use them in a meaningful way.

(Note: Never give anything away for free. This is a scan in exchange for publicly-viewable experience. If you offer to work for free, all you’ll do is get a lot of clients… who also want you to work for free.)

Now, those two paths are all well and good if you’re technical. However, we have some people in this field that aren’t technical at all. There’s nothing wrong with that… but be aware that to be truly successful you have to understand both technology and people. Try to branch out.

If you’re not going to branch out, you can still help an open source project. Documentation on many projects is… well to call it “lacking” would be like calling the Titanic “a boat that encountered a spot of bother”. There’s a lot of need there and a lot of wikis that are fully editable, so get cracking. You might also be able to help with project management, with resolving disputes on mailing lists, or by prioritizing bugs based on user impact. You know, basically doing all the tasks that stereotypical geeks aren’t very good at.

The next step is to promote the fact that you’ve done something. The best way to do this is teaching, and the Internet makes this easy.

Teaching

Teaching is all about sharing knowledge. While the traditional teaching option of holding a class is still viable, it doesn’t give you the same range of exposure as techniques like blogging and vidding. You certainly get a more personal connection by teaching a class and the people consuming your content might absorb it better, but if you’re wanting to build a brand and try to jump into a better job, you have to cast wide. Here are some options:

Basic blogging is much like what you’re reading now. Just grab yourself a domain, link it to WordPress and go. The difficulty with blogging is the tendency to lose time to “research”. If you’re new to blogging, give yourself two days (20 hours) of research time on how to blog. A good place to start is the Converstation Archives. Once you’ve done that, build a list of topics and give yourself one hour for each topic: 20 minutes to write the content, 20 minutes to edit it (after waiting a day or so), and 20 minutes to publish it on WordPress (this includes adding links and images). You can spend more time than that on posts that matter strongly to you (as I did on this series), but be careful not to spend too much. If you keep trying to make it “perfetc”, it’ll never get published.

Micro-blogging is a lot like blogging, but you say more with less. In the US, Twitter is the most popular micro-blogging platform, but Facebook and Google+ are challenging it. Personally, I find this a very difficult medium. What works for me is to write a blog and then excerpt key phrases from it for micro-blogging purposes. If you’re gifted in this medium, feel free to start here. However, if you use it for professional purposes, please try to avoid the shorthand that’s common in the medium. U wont get jobz talking lik this.

Vidding and podcasting are other techniques that I’m not personally comfortable with, but which work for a whole lot of people. This is as simple as sitting in front of a web camera and talking to an audience that you hope will emerge over time. My attempts at podcasting were all aborted because the editing took too much time. Perfectionism and linear editing do not mix well. I hope to give this a shot again later this year, but we’ll see. It’s very hard for me.

One friend suggests that these techniques are made easier if you have a script.  Granted, you have to practice to make sure it doesn’t sound scripted, but this is very good advice.  I’ll have to try it the next time I give this technique a whirl.

Graphically-intensive content such as infographics and comics is another way to get the message out. I’ve done tons of infographics (few are public) and a fairly large graphic novel that has been “in progress” for the last five years. The trick here is not biting off more than you can chew. If you are skilled graphically, take a shot at illustrating what you’ve done and sharing it with others. This can be a very powerful technique.

There are tons of other methods. If you think I’ve missed something important, please let me know in the comments.

Conclusion

This has been a lot of text… but hopefully this has answered your certification questions at a very high level and explained how to extend your learning. If you do this, you should gain something more directly useful to you than tacking a few letters to your name. Of course, it’s a bit more complex than this in “real life”.

In addition to what I described here, each certification comes with its own community, which may or may not mesh with your needs. Personally, I mesh well with the SANS community and not very well with the (ISC)² community … but this is extremely personal. There’s no way to know where you’ll mesh without giving it a try, so pick the certification based on what you need to learn and figure out the social aspects once your certification grants you access to a community.

Similarly, the “doing” and “teaching” phases only work if you dedicate enough time to them. Your journey doesn’t end when you get the certification, so if you can’t devote the time from your life to complete the process, you should seriously reconsider whether to even get a certification in the first place.

However, if you can afford the time to learn, do and teach, you should see your professional life advance extremely quickly.