Monthly Archives: July 2020

Check ALL Your RFC 1918 Ranges…

Let me set the scene: a customer asks about being able to track users that bring up unauthorized VMs on Windows machines. He explains that he’d like to look at the 192.168.0.0 RFC range to see how many addresses we see in that range. That’s OK by me, all I have to do is add that to the scope of the networks we track…

At that moment, we only looked at 10.0.0.0/8. I added the 192.168.0.0/16 range and we watched the new devices pop up into the discovery window.

And then we watched as those devices started to churn… the IP addresses stayed the same, but the MAC addresses kept changing. Loads of Netgear, Arris, Cisco-Linksys, Belkin, TP-Link devices… what was causing all this?

The horror! The horror of the home networks!

And then it dawned on us: these were all teleworker home networks bleeding into the corporate network estate! The traffic to and from 192.168 networks wasn’t supposed to be routable, but here it was, coming and going and getting picked up on the SPAN session monitoring north-south traffic at the datacenter gateway.

192.168.1.1 and 192.168.0.1 were the addresses that changed MAC addresses most frequently. No surprise there, as those are default gateways on oh-so-many home networking products. 192.168.1.254 changed less often, as that was the default gateway on Arris routers used for AT&T broadband networks (I used to have one, so I know) and only a handful of other home devices. I saw Nest controls, Roku streamers, gaming systems, the works. And all of this was exposed to the customer network, and all of the customer network was exposed to these environments.

Granted, routing to any given endpoint for very long was going to be a mess, but the IP addresses that were less commonly used were also the ones with the most persistent MAC addresses and connections. The biggest concern was that the customer did not allow any guest traffic on the wired network – but here were untold numbers of guest devices, the kind that don’t usually show up on BYOD networks!

Moral of the story? Those teleworker devices for home office networks are part of your perimeter. Make sure you keep an eye on those points of entry, as well as the big one you pay the ISP for.
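The signal in the story is a fixed IP whose MAC keeps changing, seen in an RFC 1918 range that nobody had put in scope. The following is an added example (not from the original post or from any product mentioned in it) that runs that check over a handful of constructed discovery records; the record format, the monitored scope of 10.0.0.0/8 and all addresses are assumptions made for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample records, one per line: "<timestamp> <ip> <mac>".
# This is an assumed export format for the example, not a real sensor's output.
SAMPLE_OBSERVATIONS = """\
2020-07-01T08:00:01 10.1.4.20 00:50:56:aa:bb:01
2020-07-01T08:00:02 192.168.1.1 a0:40:a0:11:22:33
2020-07-01T08:05:10 192.168.1.1 c4:04:15:44:55:66
2020-07-01T08:09:30 192.168.0.1 50:c7:bf:77:88:99
2020-07-01T08:11:00 192.168.1.1 ec:1a:59:aa:bb:cc
2020-07-01T08:12:45 192.168.1.254 3c:7a:8a:dd:ee:ff
2020-07-01T08:30:00 192.168.1.254 3c:7a:8a:dd:ee:ff
2020-07-01T08:40:00 10.1.4.20 00:50:56:aa:bb:01
2020-07-01T08:41:00 172.16.9.7 00:1b:21:12:34:56
"""

# The three private ranges defined by RFC 1918.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_observations(text):
    """Turn the text export into (timestamp, ip_address, mac) tuples, skipping bad lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        ts, ip, mac = parts
        try:
            ip_obj = ipaddress.ip_address(ip)
        except ValueError:
            continue
        rows.append((ts, ip_obj, mac.lower()))
    return rows


def mac_churn(rows, threshold=2):
    """IPs that were answered by `threshold` or more distinct MACs.

    A corporate host keeps its MAC; a home gateway address like 192.168.1.1
    that keeps turning up with Netgear, Linksys and TP-Link MACs is the
    teleworker bleed-through the post describes.
    """
    seen = defaultdict(set)
    for _, ip, mac in rows:
        seen[ip].add(mac)
    return {str(ip): sorted(macs) for ip, macs in seen.items() if len(macs) >= threshold}


def unscoped_private(rows, monitored):
    """Private (RFC 1918) addresses seen on the wire but outside the tracked ranges."""
    monitored_nets = [ipaddress.ip_network(m) for m in monitored]
    out = set()
    for _, ip, _ in rows:
        if any(ip in n for n in RFC1918) and not any(ip in n for n in monitored_nets):
            out.add(ip)
    return [str(ip) for ip in sorted(out)]


def report(text, monitored=("10.0.0.0/8",)):
    """Combine both checks; `monitored` mirrors the story's original 10/8-only scope."""
    rows = parse_observations(text)
    return {
        "mac_churn": mac_churn(rows),
        "outside_scope": unscoped_private(rows, monitored),
    }


if __name__ == "__main__":
    for key, value in report(SAMPLE_OBSERVATIONS).items():
        print(key, value)
```

With the sample data only 192.168.1.1 churns (three MACs), 192.168.1.254 stays with one MAC as the post observed, and every 172.16 and 192.168 address is reported as outside the 10/8 scope.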

Security for All Sizes: Remote Management and Monitoring

I remember the first remote management and monitoring (RMM) solution ever, the venerable and wonderful “ping”. We would use it all the time to see if a remote host was up and responding. And then, one day, someone wrote a program for Windows, Whatsup, and the world was changed forever. With that program, we admins could enter multiple IP addresses and that tool would ping them all day and night! It could even be set up to generate alerts.

We thought we had it made until someone asked, “Hey, I know I can ping the SQL server, but is it responding on TCP 1433?” At that point, we knew both that we needed more in our app and that there would be other admins, with other network ports, who would make similar requests. And so began the development of RMM tools.

At small companies, RMM may very well be not much more than a shareware ping/telnet suite that checks for hosts being up and responding on critical ports. It may involve learning multiple suites of RMM tools, roughly in conjunction with the trial period for one tool ending and a download for the new tool being complete. Most of what goes on is just monitoring, not management (does that mean they consume R_M products?), as there are few enough systems to manage where ssh and RDP sessions to the several devices that need management are sufficient.

Once we get to a medium company with multiple sites, that SSH/RDP solution for everything simply fails to scale. It’s time to lay some money out and actually pay for an RMM solution that will track those uptimes as well as do some kind of configuration management. Everyone makes demands of that config management solution – will it do rollbacks? Will it do point-in-time recovery? Will it track changes made outside the product? Will it enforce certain configuration parameters? Will it integrate with the helpdesk ticketing system?

The answer to all of those questions is either “no” or “yes, at an additional cost.” Nobody rides the RMM train for free.

And it’s not like that RMM will magically never make mistakes. We’re still in a garbage in, garbage out world. More than once, I was working on a project to integrate our routers and switches with a tool by pushing code to them with the RMM solution… only to have that code get overwritten because a different team pushed a change with an outdated template. So what’s the policy and procedure for undoing a change that was done in error? I found that part out the hard way as I waited for the next change window to get my changes put back into the environment.

I’ve seen RMM tools that can’t push version-specific code. Well, they can, but they don’t keep track of versions, so it’s a guess or a logic problem to figure out which devices are on which version. One solution I came up with was to push one line of code to all devices, knowing that it would fail for devices on the older version. The next push checked the config to see if that line I previously pushed was in the config. If so, skip the device. If not, then push a line of code compatible with the older versions. Would I have preferred that the tool have the intelligence to do a version check and then push the appropriate line of code, all in one go? Yes. Yes, I would. The biggest irony to me in this particular case was that the RMM tool was made by the vendor of the devices that the tool couldn’t track the version on. Very disappointing…

And then there’s RMM at the large corporation. Thousands of switches and routers, some on very dodgy Internet connections, all of them being monitored. This means the poor sap with the on-call phone is constantly answering when the NOC calls in to say that the Dakar site is down. Or the Guadalajara site. Or the Noida site. Or the Ho Chi Minh City site. Or the Chengdu site. Or the Narvik site. Or the Deadhorse site. And the NOC guy reads out the entire device name and IP address letter by letter and number by number, so one has to sit and wait through it all before saying, “Acknowledged. Please open a ticket with the ISP.” I can’t remember a happier day than when the policy was finally re-done so that the NOC would just open the blasted ticket on their own without requiring acknowledgement from engineering.

Still, we were blessed in that we had nearly every switch under management. This did have one side effect, however… we wouldn’t believe a switch existed if it wasn’t in the RMM tool until we saw it listed as a neighbor on another switch and pinged it. That’s when we discovered that some switches couldn’t be brought into our RMM tool because they didn’t support SNMPv2. Or because nobody could remember the password to get local access and nobody had the nerve to take it to ROMMON mode to break into it. Or because the local support contract kept that gear out of our global tools.

Those problems were relatively straightforward compared to getting gear from specialty vendors into the RMM tool. Not all of them had the same implementation when it came to reporting, even things as simple as disk space and CPU usage. For disk space, does the vendor report total available space, across all volumes, or will it send an alert when one particular volume hits 95% capacity? Will it report overall CPU utilization or will it fire an alert when one of 16 CPUs goes over 90%? The answer is, of course, “It depends.” That means that alerts from some vendors actually aren’t alerts, they’re more like transient conditions of no great importance. It also means that some vendor gear could be in an alert state, but it doesn’t actually report it as such, given how it implements a particular SNMP MIB.

At all companies, there’s the issue with keeping the tools up-to-date. The day that the tool is launched for general use is such a bright, shining moment in the history of the progress of humanity, with all the devices that need monitoring in that tool, right where they should be. Within a very short time – overnight, in some cases – the information in it is obsolete. New devices aren’t added and decommissioned devices are showing red because nothing is reporting back at that IP address… and then they go green again when that IP is re-used, but we just haven’t realized yet that it’s a security camera now, not a loopback address.
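The “red, then green again, but it’s a camera now” problem is a reconciliation check: compare what the RMM believes about an address with what currently answers there. This is an added example, not code from the original post or from any RMM product; the inventory rows, the observed MACs and the tiny OUI table are all constructed for the example (a real check would consult the IEEE OUI registry).

```python
# Constructed OUI-prefix table (first three octets -> vendor label), assumed for
# this example only.
OUI = {
    "00:00:0c": "Cisco",
    "00:1b:21": "Intel",
    "00:50:56": "VMware",
    "b8:a4:4f": "Axis (camera)",
}

# Constructed RMM inventory: (ip, device name, vendor the RMM expects at that ip).
RMM_INVENTORY = [
    ("10.1.0.1", "core-rtr-lo0", "Cisco"),
    ("10.1.4.20", "app01", "VMware"),
    ("10.1.4.21", "app02", "VMware"),
]

# Constructed "what answered on the wire today": ip -> MAC seen.
OBSERVED = {
    "10.1.0.1": "b8:a4:4f:10:20:30",   # the old loopback ip, now a camera answers
    "10.1.4.20": "00:50:56:aa:bb:01",  # matches the VM the RMM expects
    "10.1.4.99": "00:1b:21:12:34:56",  # new box nobody added to the RMM
}


def vendor_of(mac):
    """Look up the vendor label for a MAC by its OUI prefix; 'unknown' if absent."""
    return OUI.get(mac.lower()[:8], "unknown")


def reconcile(inventory, observed):
    """Three findings a stale RMM hides behind a green dot.

    reused:     the ip still responds (green) but from a vendor the RMM did not record
    silent:     the RMM lists the ip but nothing answered (likely decommissioned)
    not_in_rmm: something answered at an ip the RMM has never heard of
    """
    findings = {"reused": [], "silent": [], "not_in_rmm": []}
    known = set()
    for ip, name, expected in inventory:
        known.add(ip)
        mac = observed.get(ip)
        if mac is None:
            findings["silent"].append(ip)
            continue
        actual = vendor_of(mac)
        if actual != expected:
            findings["reused"].append((ip, name, expected, actual))
    for ip, mac in observed.items():
        if ip not in known:
            findings["not_in_rmm"].append((ip, vendor_of(mac)))
    for key in findings:
        findings[key].sort()
    return findings


if __name__ == "__main__":
    for key, value in reconcile(RMM_INVENTORY, OBSERVED).items():
        print(key, value)
```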

Finally, there’s the issue of access. Even at the small company, not everyone who wants to know if a system is up will have access to the RMM dashboard. At larger and larger companies, access to that dashboard can get limited to the point where even the network engineers can’t look at it… or the tool is so cumbersome, there’s severe mental pain involved in getting information out of it.

And that’s why, even at a massively huge global megacorporation, I still got plenty of use out of running a shareware app that would ping a list of devices, so I’d know if they were up… it wasn’t an official tool with management and headcount assigned to it. It just ran on my desktop and running it meant I wouldn’t have to open a service ticket to ask someone if they could check to see if the RMM had a green dot by my device or not.

Understanding Security: The Spy

First of all, let’s take a look at an actual spy:

That’s John Walker, who was a US Navy Warrant Officer from 1967 to 1985. 1985 was when the FBI found out he had a second career passing cryptographic information to the USSR. And you know what they say about moonlighting without telling your employer…

And you know what, he looks like one of us! This is not James Bond, not Austin Powers, not Jack Ryan, not any of those guys. This is the AIX guru that sits two cubicle rows over. One of us.

The difference between Walker here and a security guy is only in what information is gathered and who it is passed on to. That’s what a spy does, after all. All that Hollywood stuff is just that – make believe for the movies.

If you want a real spy movie that shows the security side of things, watch a 36-minute US Army training film from 1969 about counterintelligence work. It’s set in West Berlin and goes through the steps of gathering intelligence and then using that intelligence to develop operational plans. https://www.youtube.com/watch?v=E3hAUTGm1D8

I watched that short film and it totally clicked with me. The heroes of the film are guys that look like me and my co-workers, doing things me and my co-workers can do. Namely, gathering information and following up on leads. To be sure, the baddies, like Walker up there, also look like me and my co-workers… after all, it’s the admins that outsiders want to turn to working for them, right? But I digress. Gather information, follow leads, document everything, that’s us.

An important note in the film is that an intelligence operation in which information is passed up to a superior is a successful operation. Think about that. We may think what we have discovered may require immediate action, but it’s not always our call to make. We inform the decision makers and leave it at that.

For what it’s worth, the film underlines the importance in gathering information in such a way as to not alert the target – this helps me to deal with the urge to act immediately. Now, there are routine checks that we do for compliance and such, and I’m sure clever attackers will learn to avoid those patterns, but when we run a check and find something out of the ordinary, we report on the details and then coordinate with other groups to see what kind of follow-up is needed.

In current terms, coordination with other groups often means coordinating data from different systems. Putting all the data together helps to build a complete picture of activity. Packet captures, DNS traces, all that fun stuff – assemble it to show the whole story as far as we can tell. That’s what counterintelligence agents do… and what we do in security.

It’s pretty easy to take old-school information and translate it into updated ideas, especially since the core best practices and procedures remain the same. There are plenty of other training films out there to watch where you get to see how any person, with proper training and expectations, can do security work. You don’t have to be James Bond and you’re not fighting Dr. No. Everyone involved is human.

Thanks to these old training films, when I hear the word “spy”, I don’t think of James Bond. I think of me.

Understanding Security: The US Space Program

“But you said you wouldn’t glamorize the security profession!” I hear some of you thinking. How do I hear you thinking? Let me tell you about the sensors in my company’s product… But seriously, I can’t really hear you thinking and I’m not really glamorizing the security biz. That being said, it’s very much like the US space program, once you take the program in its totality.

Start with the executive sponsor speech after some big events have made headlines. Stuff just happened and we have to take this matter seriously. We don’t do this because it’s easy, we do it because it’s hard. Let’s get a budget together, a project office, and some staff that are willing to make “risk” their middle names.

Everyone has an eye on the pilot programs, but not everyone understands the science behind the project. In fact, probably the only people who fully understand the complexity of the work are those directly connected to it in design and implementation groups. Management is pretty much there to make sure things get done and that they get numbers to prove that things got done.

When a major milestone is reached – that first site comes online! – everyone is ready to send congratulations and have a little party. But after that, interest wanes. People begin to question if we’ve gotten enough out of the project and if money wouldn’t be better spent elsewhere. If there should be a failure, there’s a big chance that the project budget gets cut or the whole thing is paused for a year or more while everyone takes a step back to figure things out. The project could even get shelved at that point.

What keeps the project from getting cut or canceled entirely? Information, my friends. Information. If the project can consistently produce streams of actionable information, it can stay alive. If upper management comes to depend on that information, then the project will become an institution, more or less. It will be operationalized and staff will be put in place for daily tasks and routine maintenance and changes. It will never have as much excitement as that first site coming online, but it will still keep chugging along and will be useful.

Some staff may talk about scaling the project out to truly massive scales. Budget-minded officials will be the first to throw cold water on those dreams. People familiar with the limits of the technology being used will also diminish excitement for the project, as they question if it really will scale out like that. Voices calling for tighter integration with existing systems will win in budget discussions because what was once risky is now a sure thing, and it’s safe to play things conservatively. That’s especially true when budgets and staff are big.

You stare at a screen all day, solve some tricky problems, engineer solutions, pray to God nothing goes wrong, hope the budget doesn’t get cut, and nobody really knows who you are or what you do. Are you in Mission Control or the Security Team?

Understanding Security: Get Your Metaphors Right

Forget any analogies dealing with pitched battles. Security professionals are not generals, foot soldiers, commanders, admirals, missile base commanders, gunfighters, or X-wing squadron leaders. Thinking that we are such things puts us in the wrong frame of mind, where we expect a conventional conflict. Even if such a conflict is edged in trickery or clever deception, it’s simply not how things work in information security. We’re more in a world of trickery and clever deception, sometimes edged with conventional conflict, if anything.

If we want comparisons to professions, we need to look at spies, pest exterminators, librarians, cattle ranchers, and forest rangers. These are people who manipulate knowledge, guard assets, and who deal with hidden threats. If you still want military metaphors, I’ll allow people clearing minefields, sentries, codebreakers and intelligence analysts (although those are technically spies), and military police. Let’s get rid of the glamour and focus on the dirty work, OK?

There are two major reasons to come up with the right metaphors and examples for cybersecurity. One is so that we get ourselves into good habits of mind for dealing with threats. Two is so that we can use real-world explanations to help people outside of the profession understand that we don’t simply identify all the PCs running “Hacker.exe” and then blow them up.

I’ll even dare to say that much of our profession has a connection to organizations that make us all uncomfortable. While I don’t want the NSA to harvest all of my data, I’m perfectly ready to recommend massive data harvesting to organizations wanting to improve security. While I’d hate for my wife and kids to spy on me, I’m always advocating that we set up as many sensors and data collectors as possible in a customer environment, even getting PCs to report on each other.

In other words, you know you’re a security professional when you read 1984 to get ideas about doing your job better.

Now, not everything in this series will go dark like that. Then again, dark is what we all deal with, so don’t be surprised to find metaphors in that region. They may not necessarily be the metaphors you want to share to explain the profession to others, but they could very well be the metaphors that unlock the habits of mind you need to improve your focus.

Security for All Sizes: When Vendors Fall Out

When a security pro gets different vendor solutions to work with each other, it’s a cause for celebration. Unfortunately, most security stories seem like they’re written by George R.R. Martin and they don’t resolve to “happily ever after” conditions. Yes, things can run well for a while, even a good long while, but there comes a day for many a partnership where the parties involved part ways and their products no longer play well with each other.

This isn’t just something in an update breaking a functionality. That gets fixed with a call to tech support and developers writing a hotfix. This is the kind of breakup that gets announced on page 23 of a vendor website or which is mentioned quietly by a sales account manager that can’t renew licensing on an integration package. The vendors, for strategic or other reasons, are no longer on speaking terms.

Vendor A releases a product that competes directly with vendor B.

In this scenario, vendor A launches its new product and has a clear choice: adopt our product or do without the integration. This move is possible only if A has a big market share. It doesn’t have to be a dominating share, just a big one. It doesn’t even have to be in the security area – maybe A was eyeing a way it could get into security, and saw this as its market entry opportunity.

At a small company, they’re all ears if A’s solution is cheaper to implement than B. If that cost reduction is achieved by discounts over both the old A product and A’s competing product, so be it. Cheaper is cheaper. If the competing product from A delivers most of what they get from B, then the small company can learn to live without the features from B that they no longer will get.

If A’s solution isn’t cheaper, then the small company will learn to live without the direct integration. Maybe some whiz writes a PowerShell script that produces a cool CSV or something to help bring data together, but such whizzes are rare to find at small companies. And if they’re found at small companies, chances are they’re producing code to improve profitability.

Alternately, if there’s a vendor C that does integrate with B – and is cheaper than A – then maybe it’s time to drop A altogether.

At the medium-sized company, it’s more likely that they’ll do a bake-off between the competing products and use features in combination with pricing as determinants about which product they go with. It’s less likely that they’d drop one or the other entirely all at once, but when the products come up for lifecycle renewal, they can make a switch at that time.

For the large company, it may come down to a question of how big A is. If A is truly huge, then it’s bye-bye B and hello A if the company IT leadership wants to standardize on A. If the leadership, however, is wary of A’s size, then it keeps B and A is a non-starter. These are decisions that come down to executive strategy and have little to do with price or features. Not to say that price and features will be mentioned in conversations about keeping or switching, but the underlying rationale will be the large company’s overall relationship with big vendor A.

So why wouldn’t A compete with B if A didn’t have a big market share? It would be because A doesn’t just integrate with B. A integrates with lots of other vendors and, because it can’t control the market, bills itself as being comfortable in multi-vendor environments.

And if A has a minuscule market share, competing with B is what is commonly known as a “mistake” and will result in A going out of business or withdrawing its competing product.

Vendor A terminates an exclusive partnership with B, is now working directly with C

This scenario assumes a tight integration between A and B, more so than what is normally offered in an exposed API or a SQL transaction query. Maybe the two companies were drawing closer to each other, with a merger likely, but things changed and now A is with C, not B. This can happen regardless of A’s market share – provided that C is at least as big as B if A is itself small.

In this scenario, pricing is not likely to be a factor. C will likely cost about as much as B, once the per-endpoint licenses are tallied up. This will come down to a question of features and whether or not A+C is, overall, better than A running side by side with B. If yes, then B will be on its way out to make way for C. The only companies keeping B will be the ones that didn’t do any testing and that won’t talk to sales teams.

If no, then the executives at A will have some hard pondering to do when they lose revenue on their software that integrates with B, with no sales of the C integration to make up for it. How could something like this come to be? Easy. People lie to executives, especially so to executives that want to be lied to. If A’s leadership is surrounded by mediocre sycophants, A will make some huge blunders.

Vendor A cuts integration with B because support costs exceed revenue

No hard feelings in this scenario. There just simply aren’t enough people using B to justify the support costs of keeping the connector between A and B up and running.

At the small company, it just means lower overall cost to drop renewal on that product. Since there’s no other product that does B’s job that integrates with A, there’s no compelling story arising out of this scenario to justify replacing any product… unless there’s a cheaper product that does A’s job that integrates with B… Absent that, the company learns that integration is a fleeting thing and may well make a decision to not integrate other products because they don’t want to get burned again.

The medium company may make the same choices, perhaps choosing to have all security systems pump information into a data lake and then try and make sense of things. There’s a good chance that the lake will always be there, but few will swim in it.

At the large company, an interesting mathematical problem emerges: would subsidizing support with a custom agreement be cheaper than living without the integration? If yes, then while the rest of the world lives without the connection, the large company will keep it going… and going… and going… and going… to the point where, ten or twenty years down the line, some new person is shocked to see that software still running somewhere! Think it can’t happen? Just ask Microsoft how many Windows 3.11 support contracts they still have with major customers…

My Musical Use Cases

My recommendations are mostly instrumental because I find vocals often interrupt my train of thought. Every now and then, though, there are words that act as spells in a way, and they help me to focus my mind on the task at hand.

So, my list:

For the Attack:

“Tune Down” by Chris Joss… this is a slow, methodical piece that I first saw on “Better Call Saul” as Mike Ehrmantraut set up surveillance of a target house. This is the kind of music that goes with cracking safes, passing information with sleight of hand, and other devious things. Chris Joss’ catalog has lots of songs in this category that really help me cook up plots and plans. In the same vein, I’d also recommend…

“Danger Musicians at Work” by Syd Dale… it sounds like an action theme from the 60s because it IS an action theme from the 60s! Syd Dale was one of a few composers who worked with the BBC to create stock programme music. You can find his work in compilations, along with other gems that make you sound like a cool spy or cunning criminal. Now, if you want something heavy, might I recommend…

“King of the Road” by Fu Manchu… the lead track from their Hell on Wheels album. It has a great beat, drives forward like a massive engine with very little soloing to distract you from its ultimate delivery. Stoner/desert rock is great in this regard, as it lets a body think as the music plays.

For the Defense:

“Hang Up Your Hang Ups” by Herbie Hancock… this is music for street cops in NYC in 1975. It’s music for tracking down and catching up with hustlers, jive turkeys, and crooks in general. You want the big funky horns to keep up your spirits and the driving guitar and percussion to keep you methodical and meticulous. You’re looking for clues, so you need the right tunes to get your head in the right space. Which reminds me of…

“Strong Arm of the Law” by Saxon… for the headbangers out there. You know you want to shout out to the red team, “STOP! GET OUT! We are the strong arm of the laaaaaaaaaw!” Yeah, bust those punks! Now, if you don’t want to go metal, there’s always…

“Relevee” by Delia Rodriguez and Gavin Russom… Very electronic, very trance, very good for moving through the matrix and busting Mr. Anderson. I swear, this song gives me the ability to connect to the network through my keyboard and I get gigabit speeds to my mind…

For Vendor-Induced Rage:

“Policia” by Sepultura… nothing like Brazilian punk-metal for getting your voice up, ready to tear into the salesweasel that sold you a product that is failing miserably as it falls far short of its marketing-fueled hype. Sepultura’s “Crucificados Pelo Sistema” is another great growler of a tune. Now, if you prefer something more industrial, might I show you to…

“Attak Reload” by KMFDM… yeah, this one’s angry… opens with “We’re gonna make you sorry / For every word you say” and goes from there. You may have to work with that vendor’s product, but it doesn’t mean you have to *like* it. If you need something softer than the above two, perhaps you might try…

“Chale Chalo” by AR Rahman, from the Lagaan soundtrack… this one is about channeling anger into victory. If you’ve ever seen Lagaan, you know exactly what I’m talking about. And if you haven’t seen Lagaan, you should. On the surface, it’s about a British officer that is trying to triple the tax on an Indian village, but it’s really about trying to cancel a contract with a vendor or risk having to break the budget on a professional services contract. Seriously, watch it that way if you can’t get into it with the standard plot.

For Building Systems:

“Master of the Universe” by Hawkwind… get the live version from the Space Ritual album and spin it on constant repeat. Like stoner/desert rock, Hawkwind’s pioneering space rock epic drives the mind forward with the music creating a space where the brain can work magic in summoning up demons to bend to your will. I find this music particularly helpful when creating and troubleshooting VPN issues, along with PKI work. If Lemmy’s bass playing isn’t your thing, then let’s listen to…

Goa Trance (multiple artists, tracks come and go, can’t recommend one track in particular)… Sparse instrumentation, constant beats, phased transitions, this is the dark chocolate of electronic music, and it’s stayed true to its core competency since it first emerged about 20 years ago. It’s also great stuff for taking on mountain roads, just sayin’. But if you want something analogue, there’s…

“Machine Ma Bwindea” by Ekambi Brilliant… You can find this guy along with some other great funk musicians on the Africa Seven page at Bandcamp. If you like this one, be sure to also check out Tala AM and Sookie, two other great African bands. This one’s a lyrical piece, but because I don’t speak a word of Congolese, they don’t distract me. And that chorus is just so fun to sing along with!

For that Plane Trip:

“Gimme a Sign” by Nigel Hall… heck, get the whole album and treat yourself to an authentic musician who knows how to interpret a song, whether or not he wrote it. You want something that has a good beat to it, so you can follow along in case you’re like me and can’t wear headphones for long periods of time and those plane noises get into the mix. If you don’t want funk, then there’s always…

“Jet Airliner” by Steve Miller… a good, familiar song is great on a plane because the mind already knows where to fill in the notes and tones that get blocked by plane sounds. And, hey, this one’s topical! I like it because it’s a song about being on the road and enduring those times when we can’t be exactly where we want to be. But if you want to be more adventurous than classic rock, how about…

“Kerosene Dreams” by Drive by Wire… my hat goes off to this Dutch foursome with a great female vocalist. It’s a band in the stoner/desert vein of music, so it also does well for other tasks. But if you think the bands these days can’t rock like they used to, then you need to head to Bandcamp and check out bands like Drive by Wire and their fellows. You’ll be pleasantly surprised.

When You Have to Write Reports or Documentation:

Every now and then I like to start off with a random prison work song. In the Southern USA, prisoners were segregated by race and then made to go work at clearing land, breaking up rocks for a road, or other intensive manual labor. The black work groups would make up songs to work to. In the songs, they could vary the speed so as to help out workers that were having trouble keeping up with the initial pace of the song. Look a few up on YouTube and find your favorite for that hard task that you just have to do. I suggest “Hammer Ring” or “Grizzly Bear” as good starting points. Now, for the more conventional tunes…

“Deacon Blues” by Steely Dan… this band always helps my writing flow. I can put on just about any of their albums and get into a writing mood, but Aja and Gaucho do the best job. Writing is a contemplative thing for me, so I need something not so hard or intense as what I may have suggested previously. Which brings me to…

“Spaceman” by Journey… before Steve Perry was brought in, Journey was a great rock band that delivered some beautiful instrumental-heavy tunes on their first three albums. This one is from their third album, Next. If you think they sold out on Escape, you should go back to the albums without Perry for a much less commercial set of truly deep cuts. If you want an even deeper cut, then there’s…

“Joy” by John McLaughlin and Shakti… it’s a fast instrumental with John McLaughlin doing some amazing acoustic guitar work. You’ll have to listen to all 18:12 of it, but it’s an incredible piece that is well off the beaten path, musically speaking.

When You Have to Build a Slide Deck:

“Lost Highway” by Wo Fat… some heavy blues-metal from my home town of Dallas. While I have to think to do documentation, I have to argue with my “productivity suite” when I build a presentation deck. Friggin’ text boxes! Yeah, I need something that shouts and growls along with me as I suffer through marketing-mandated branded color schemes, and this tune is one of the best for it. The whole album is great, in case I slip and just let things keep playing. Speaking of anger management tunes, I also got…

“Fast Love” by Honeymoon Disease… Swedish bands have a way of always finding a pop sensibility to slip into whatever music they’re doing, and I love what Honeymoon Disease can do with 70s-vintage hard rock. Think Heart meets ABBA for a short visit and then heads over to Motorhead for drinks and that’s this band. Great for me against the machine. I’ll complete my trio of rebellion with…

“Sabbath Bloody Sabbath” by Black Sabbath… the riff at the beginning says it all and I’m ready to tackle the stupid image that pasted into my presentation all wrong.

After Dealing with Another Stupid User Trick:

“Fight the Power (Part 1 & 2)” by The Isley Brothers… the first line is, “Time is truly wasted…” and that’s how I feel after I get off a call where we spent hours going in circles because someone lied, didn’t know what they were doing, or simply refused to reboot the system. I had to turn off security protections “just for troubleshooting” and they didn’t do a damn thing to get that root cause… “Time is truly wasted… you got to fight the powers that be…”

“Volver Volver” by Vicente Fernandez… a song of love, lost love, and a burning desire to return, even though you know it only means pain and loss when you get back to your desire. That’s this mariachi epic, and it’s how I feel as I go back over and over to do the same troubleshooting on the same system that can’t be patched because of crappy production code. I know the Spanish, so it works for me. But if you need something in Russian, there’s…

“Вот и Все Дела! (Now That’s All!)” by Валерий Александрович Кипелов (Valery Kipelov)… a song of love, lost love, and good riddance. The chorus ends with lines that translate, “I’ll go to the left, you go to the right, that’s the end of it!” Great guitar solo from Сергей Константинович Маврин (Sergei Mavrin), formerly of Aria. Trust me, it’s worth putting the lyrics into Google Translate and singing along with them. By the end of the song, I’ve finished the documentation to close the case and that’s the end of it!

For Relaxation and General Unwinding:

“Every Picture Tells a Story” by Rod Stewart… a great song for exhaling, and the drum break after the first stanza is priceless. After that, it’s time for…

“Ooh La La” by The Faces… this track features Ron Wood on vocals, and even though they’re rough sounds, they’re perfectly suited to the song. You may have heard it in recent commercials or at the end of the Wes Anderson film, Rushmore. It’s another song for sitting back and closing your eyes for a short while. Then, we have…

“Fire and Water” by Free… so sue me, all the tracks from this section come from early 70s British rock, but they all are my go-tos for letting go. Paul Rodgers’ vocal and Paul Kossoff’s guitar work take me away and send me sailing; I like it. But, OK, if you want something different, I’ll stay in the same time period and give you something American…

“Post Toastee” by Tommy Bolin… it’s always the right time for this song. I never, ever skip over it when it comes up on my shuffle. It’s so fun and friendly and comfortable, I don’t want it to end, but I understand as it fades away. So, yes, include this one on the mellow playlist. If you need something from this century and *not* a rock song, then I’ll add in…

“Manbai” by Natacha Atlas… Atlas’ vocals are enrapturing on this very chill, liquid drum ‘n’ bass track, masterfully mixed by Nitin Sawhney from Transglobal Underground. So what if it’s in Arabic? It’s great for relaxing, and you said you wanted something different, didn’t you? 🙂

Security for All Sizes: Security Training Considerations

Mandatory Security Training: the crux is the circular logic of the “mandatory” part. It has to be mandatory so that we all do it, but because it had to be made mandatory, we all know that we’re going to hate it. The fact that it’s security training doesn’t really impact the whole “mandatory” thing. If I get into pottery and start watching YouTube videos on how to wedge clay, I’m happy to watch those videos because I want to know more about something that makes me excited. Force me into a pottery class, however, and I’m playing the video through on double speed with the sound muted so that you have a record that I completed the video.

And that’s what most people do with anything mandatory. Game the system, find a weak spot, then exploit the weak spot to reduce the overall drudgery and/or misery of the experience. I spent 16 years in a classroom, so I know all about avoiding the mandatory stuff, both as a purveyor of the mandatory and as a victim of the mandatory.

I have the worst news for the biggest companies: the majority of your training is no more than ticking a box, I’m afraid. Smaller companies can have the best success, provided they have the right person doing the training.

Why do smaller companies have the best shot at success? It’s due to both their size and constrained budget. If their IT person is a patient soul, there will be lots of personal interaction on all kinds of topics, security included. One of my best experiences with training came from something that happened while I was at lunch. I locked my PC and walked out to get something to eat. While I was out, a co-worker reached out to me with an issue regarding her sound card. My out-of-office status came up on her screen, and that solved her problem. My status? It was a line from The IT Crowd:

Her next two responses were, “I’ll try that” and “Thanks that worked”.

When I got back from lunch, I realized that my OOO had taken care of an incident ticket. Really, it was my co-worker who had trained herself that took care of the ticket. I went back to talk with her about the experience and why power cycling actually did resolve most issues, and the rest of her group listened in. By the end of the day, the rest of the company was talking about it – and when they called in, they always prefaced it with how they had turned it off and on again and the problem still happened.

My call volume dropped off by a massive amount and the staff were ready for more insights on how to use their tech better. I would say something like, “never click on an attachment you didn’t ask for” and whoever heard it would help spread the message. When I showed up to work at PCs that needed attention, I did my best to include at least one security topic in the conversations that happened as we traversed the vast expanses of time required to update vendor software packages.

We were all working for the same company and we all had a vested interest in the survival of the company, so we were interested in knowing how to protect and better utilize its resources. Nobody made security training mandatory. We just all happened to be interested in it at the same time.

When I left that small company and started working at Global Megacorporation, I could still have moments like that with my immediate co-workers and people I worked with directly on issues, but there were too many departments and too many physical sites for me to be able to reach everyone. So, the question is, can we get personalized training for everybody at a big company? Does it scale out well?

The answer, sadly, is no. Even if local education was part of every IT job description, there simply aren’t staff at every location. Added to that is how most of those big corporations also have outsourced IT – and these are people who, at the end of the day, don’t work for the company that’s using their services. They may be friendly and supportive and all that, but they simply won’t have the same attachment to their customers’ firms that the customers themselves could possibly have.

On top of that, it’s a huge, impersonal company, right? There are going to be a lot of people that work there who simply just. don’t. care. They plan to show up, do as little work as possible for as much pay as possible, and then go home. It’s not the entire company, by any means, but there are enough of them to where training has to be made mandatory if it’s going to get done at all.

This crowd of just-don’t-cares will then do everything they can to avoid or ignore the training. If there are no click blocks, they will finish that 37-slide deck in 37 seconds or less. If there are click blocks, then they’ll click, watch a cat video on YouTube, and then turn back to click again. Put a test at the end, they’ll circulate a list of answers. There are psychometric tricks and tips to utilize to minimize those numbers, but we won’t eliminate them.

And then, one fine day, one of these guys trying to do as little work as possible clicks on the wrong link, and the company gets a malware outbreak to go along with that cat video. Every security professional knows it only takes one misstep, and we simply can’t stop all the just-don’t-cares that are bound and determined to make those missteps all along the way.

Now for the mid-sized companies. This is the one case where the answer depends on size, since they behave either more like a small company or more like a large one. They are transitioning from that small, informal group where everybody mostly cares into a larger, less caring mass. What can be done?

My answer may not be budget-friendly up front, but it saves costs down the road. Keep those trainings personal. Use classrooms, if you have to. Make the training a conversation, where peers that pay attention will follow up with the just-don’t-cares that snoozed through it all and get them to where they care, or at least hear the lesson.

When people do things as a group, they will praise and encourage those that uphold their common values and pressure those that don’t so that they conform. That’s human nature, and it has a better chance of working than an impersonal, automated, mandatory watch-and-click training. The biggest reason is that it involves repetition over time through conversations, and that simply doesn’t happen with an experience that is unshared, through a screen. If the training must be uniform and automated, then have it delivered in a group format. Have local teams watch the training together, discuss it, and then go on to the inevitable test that exists at the end. But it’s that discussion afterward that is going to make that training part of their work lives and not just a tick in a box on an audit.

Security for All Sizes: How Big Are Your Vendors?

There are some amazing ideas out there in vendorland, but not all ideas are backed by the same kinds of companies. This impacts how those ideas, those vendor products, will fare in your environment.

Of course, I’m going to sort vendors into three size categories: small, medium, and large. How they intersect with customers that are small, medium, and large will also come into play. Here goes!

Small vendor, small customer: Small customers tend to also mean “small budgets”, so they’ll go with a small vendor if it looks like it can *almost* deliver the performance of a more expensive product from a bigger vendor. If it can match the big guy or beat it, even better. Price is king in the initial purchase decision. After that, there’s a good chance that the small company gets some excellent tech support – it’s likely that the entire development team is also taking turns fielding support calls. Now, there may be features that never get implemented and the product may never stretch to cover additional areas or integrate with other products, but in a best case, it’ll be a stout little mountain pony that gets the job done.

Small vendor, medium customer: Maybe someone heard good things about the small vendor and wanted to try it out in a bigger environment. Here, there’s an expectation that it will play well with other apps and systems. While the small customer may have re-done some things about its environment to accommodate its budget-friendly solution, the medium-sized customer will not have that much flexibility, as it’s likely other systems are dependent upon things staying exactly as they are for them to function. If that vendor’s product can’t fit into the bigger environment, it’s out. There’s also the consideration of scalability. Is there a management dashboard for the product? Does it integrate with syslog? What are the upper limits of the vendor’s software and/or hardware? How many widgets are needed to make all this work, and will all those widgets work with each other?

Small vendor, large customer: Is this vendor on the list of approved vendors? If not, will it still be around after that process is completed? For the large customer, the vendor has to be something that looks to be capable of being around for the long run. Large customers don’t like having to buy a different solution in the middle of a system lifecycle because the vendor went out of business. Can the vendor provide follow-the-sun coverage? Can the vendor produce features that are required for specific customer environments? How big is that dev team, anyway? The product may be amazing and best in its class, but if it can’t scale its internal resources to meet the demands of the large customer, it’s not even a consideration as they choose products.

Medium vendor, small customer: This vendor may still be budget-friendly, but it’s unlikely that any special requests from the small company are going to be incorporated by the vendor unless other companies are asking for them. It’s also likely that the small company may have enough for the initial purchase, but might decide to not renew support until there’s a major outage – meaning that small company may be using an unpatched version of that gear because it is forced to accept the risk due to budget concerns.

Medium vendor, medium customer: The vendor is no longer small, but an up-and-coming firm that’s maybe ready for prime time. If so, maybe it “dropped its pants” in purchase negotiations in order to break into a larger tier of customers. Your firm, possibly with a handful of other firms, is commanding all the attention of this vendor – until it can land a larger customer. The good news is that it may very well answer all your questions about integration and interoperability. The bad news is that it may possibly be peaking out at this point and won’t be able to mature its product properly to keep up with your business.

Medium vendor, large customer: This can happen from time to time… and it’s usually to get leverage on a larger vendor during contract renewal negotiations. If it performs well enough to not only beat the big guys at their own game, but also well enough to justify a purchasing decision that can ruin the discounts the firm may be getting on other gear from that bigger vendor, then it’s a keeper. If that happens, the medium vendor may be poised to get a lot bigger, but it will also be pounded with requests from that large customer to develop features that take it beyond being a cool tool and into becoming an enterprise solution. This might break the medium vendor if it can’t keep up with the demands from its biggest customer – as those demands may well mean leaving behind the founders of the company and their culture.

Large vendor, small customer: What I said for the medium vendor/small customer applies here as well, with even more emphasis on the small customer’s lack of voice and likelihood of coasting along with unpatched gear. The big vendor always has a bigger customer, and that’s the one that’s going to dictate how development team hours are allocated.

Large vendor, medium customer: Nobody ever got fired for buying the large vendor, but they do cost a lot for support, don’t they? Is this the point where, in order to have the features and power of the large vendor’s gear, the medium company has to contemplate outsourcing to keep a handle on costs? It doesn’t matter if it was a small company that got big or a big company that stayed big – the costs will increase. At the same time, your firm may as well be a small firm as regards its ability to leverage new features. So, yes, it does everything you might need it to do now, but that may well be that.

Large vendor, large customer: Here’s where the large vendor meets its match in terms of demands for scalability and support and new features. The challenge to the large vendor is whether or not it’s able to move quickly enough to deliver on those demands. It’s a large firm, itself, and can’t move as quickly as it used to. It’s also got so many customers that it’s inevitable that when it releases a new feature, it’s bound to break something, somewhere. Maybe that medium-sized vendor can deliver a solution that won’t break things for its largest customer, but there are no sure things if your firm is one of a vendor’s largest customers. Test carefully and upgrader beware…

So, just as most of you suspected, those great little apps you see in the tiny booths on the fringes of the security conferences may stay in those tiny booths or eventually vanish. It breaks my heart, but I’ve even seen some firms that had medium-sized booths fade from the scene. They might keep a small and dedicated group of customers, but they’re also victims of how those customers themselves might fade away. Once a company can rise above the churn of the violent waters where small and medium-sized companies swim, it risks becoming a dinosaur that can’t adapt itself to changing long-term trends. Just let someone who did IT 20+ years ago get to talking about Banyan Vines, OS/2, Sun Microsystems, Digital, and Novell, and you’ll realize that no firm is so big that it can’t crumble away.

At least with the bigger companies, you have a better shot at getting a complete product lifecycle before they totally fade from the scene…

The VPN Is Down: What Is Your Plan B?

Plan B is Plan A, with an element of panic. – John Clarke

Multinational corporations have sites around the world – that’s how they get to be multinationals, after all. These multinationals have to link up their sites around the world. Internet lines are cheaper than MPLS circuits, so how about setting up VPNs on local Internet lines for secure communications? Costs are cut, people are happier, and the VPNs keep things secure.

But then, an event happens in one of those nations that makes the leaders of that nation decide they are going to decrypt all traffic or, failing that, block encrypted traffic outbound or inbound. They set up rules on the routers that handle their nation’s connections to the global Internet and that’s that. Now that low-cost VPN simply will not come back up because the maintenance traffic required to set it up and keep it going is being blocked. After all, the terrorists / rebels / armed opposition / coup leaders / coup victims / journalists / other assorted enemies of the state use VPNs to get their information, and it’s not like there’s a special protocol for business-only VPNs.

And if there was one such, it would also be blocked, just in case an enemy of the state worked at a place with a B2B VPN.

So, the VPN is down. What are your options?

1. Plain text transmissions. OK, this is a joke, really. I mean, yes, technically, it is an option, but hardly a realistic one. Let’s look at the others.

2. Data transit via mail or courier. Erm, all right… but that’s going to be slow, and there’s no guarantee that it won’t be intercepted at the border and opened up there. At least it would only be a few border guards and any industries connected to the state security apparatus that see that information instead of the whole world… but, my, is it ever slow. And costly.

3. Provision an MPLS circuit. Well, this is fast and secure, once it’s set up. But provisioning one of these takes time and planning. How much more time and more planning during a time of national emergency, I can only imagine…

Looks like that’s about it. This is not a case where engineers pull out reference materials and troubleshoot or rebuild things to solve the problem. This is a technical problem emergent from a political reality and, hold on… I have another option…

4. Political appeal. This might be the fastest, cheapest, and best solution. Have a contact person with the national government work out some sort of arrangement. Now, if this is a government that is willing to cut off all privacy in order to haul in enemies of the state, there may be some sort of content filtering and alerting required for your network to get that VPN back. Or, in other words, the government may well require that it be notified if any of your employees are doing things that would get them on the list of enemies of the state. Citizen employees will be arrested and foreign employees will be deported, so this option goes with some very strict reviews of what’s on that very recently updated acceptable use policy.