October 3, 2002 Thomas Waszak, CISSP Black Hat Briefing Asia 2002
Transcript
Page 1:

October 3, 2002
Thomas Waszak, CISSP
Black Hat Briefing Asia 2002

Page 2: Introduction and Background

- U.S. Army; Sigint, Humint, SOCOM
- Corporate experience – messaging specialist, private investigator, network admin, principal consultant, director of professional services.
- Currently with Washington Mutual Bank’s Information Security Technology Solutions Group – Information Security Special Projects Leader/CSIRT Investigator
- Participated in or led many different types of InfoSec projects for many corporations in different industries.

Page 3: Disclaimer

- I am not representing Washington Mutual Bank.
- All views and opinions I share with you today are my own and do not necessarily represent the policies of my employer.

Page 4: Changes Since September 11th

- Re-evaluation and improvement of travel security
- Acceptance of travel inconvenience
- U.S. Homeland Security concerned about the national infrastructure
- President Bush issues executive order to improve critical infrastructure
- Disaster recovery and business continuity big winners of corporate acceptance
- Physical security also a big winner of corporate acceptance

Page 5: Waning Interest and Corporate Lip Service

- Initial fear of follow-on cyber attacks
- No published or publicized terrorist cyber attacks – back to sleep
- Corporate attitudes towards Information Security have not improved since September 11.
- Any additional corporate emphasis on Information Security is related to mandated government requirements of GLBA and HIPAA.

Page 6: Status Quo for Corporate Security – Should we care?

YES!!!! Things are getting worse each day.

The Computer Security Institute recently (2001) surveyed 503 corporations:

- 90% detected computer security breaches in the previous 12 months (BTW 10% are liars) (Up from 70% in 1999)
- 80% suffered financial losses due to computer security breaches (Up from 74% in 1999)
- 40% detected system penetration from the outside (Up from 25% in 1999)

Page 7: Bad Things Happen But No Real Change

- Companies lose money and go out of business
- Billions and billions of dollars lost every year
- Cloud Nine – British ISP DOS’ed out of business
- Barings – Nick Leeson
- Exodus – Almost ordered to remove client servers from the Internet because of a competitor complaint.
- Microsoft – Passport privacy violations. Court required implementation of security program.

All resulting security changes were isolated and not widespread.

Page 8: No Change Unless:

One of, or a combination of, three things must happen before corporate attitudes about security will improve:

- Change must provide economic benefit.
- Public outrage must demand it.
- Governments must mandate it.

Page 9: An Unwanted And Painful Nudge

Change will be a long time coming unless a cyber related catastrophic attack occurs:

- Titanic syndrome – all three conditions met
- Digital 9/11
- Barings could have been a Titanic event if computer security issues had been more prevalent.

(Complete, total, sudden, and immediate failure. Billions of dollars lost, millions of people affected)

Page 10: It’s hopeless so let’s sit on our hands and wait for the digital Pearl Harbor and be prepared to ….

- Say I told you so.

Page 11: … Or let’s do the best we can to make things happen without the unwanted and painful nudge…

- Information Security Professionals have a fiduciary responsibility
- It’s easy to get discouraged but most of us are up for the challenge

Page 12: But first….we must understand who’s to blame for this sorry state of affairs, and why?

- IT Vendors – for producing products with shameful security deficiencies and for denying security problems
- Security vendors – for confusing the issues, for rushing to release immature products in order to be the first to release the next better mouse trap.

Page 13: The Blame Game…

- Business management – for not taking pre-incident intangible risks seriously enough.
- Information Technology Professionals – for consistently putting uptime and network speed at a much higher priority than security. And for always pretending that they know as much about security as we do.

Page 14: The Blame Game

Information Security Professionals – The sorry state of information security is as much our fault as anyone’s because we:

- Often fail to effectively partner with and communicate with our corporate management, business, and/or technology people.
- Often forget that the purpose of information security is to protect existing money, and to safeguard revenue streams. Its purpose is not to lock down every single desktop computer.

Page 15: The Blame Game

Information Security Professionals –…because we:

- Sometimes get wrapped up in minutiae when we should be looking at and seeing the bigger picture.
- Sometimes alienate our user communities by acting like the secret police instead of the fire department.

Page 16: The Blame Game.

Information Security Professionals –…because we:

- Fail to understand the business our corporation is in.
- Sometimes fall in love with technology and force the problem to fit the technology instead of forcing technology to solve the problem.

Page 17: The Blame Game.

Information Security Professionals –…because we:

- Sometimes allow our technology bigotry to cloud our judgment and impair our objectivity. (Novell/Microsoft/Unix Bigot)
- Sometimes waste our energy fighting small tiny security problems instead of focusing on the big issues that matter the most.

Page 18: The Blame Game.

Information Security Professionals –…because we:

- Sometimes undermine our credibility by making the mistake of using too much or exaggerated FUD.
- Usually spend too much time preaching to the choir rather than trying to convert the masses

Page 19: The Blame Game.

Information Security Professionals –…because we:

- Try to show business and IT people that we are cool and understand business by rushing to make poor business and security decisions. “We already own $30K of junk that doesn’t work. Let’s not lose our initial investment of junk that doesn’t work and so let’s buy $300K more of it. That way we’ll have enough junk to spread around everywhere.”

Page 20: The Blame Game.

Information Security Professionals –…because we:

- Try to force a square peg in a round hole by trying to quantify the unquantifiable with quantitative analysis. Show me a strong advocate of the liberal use of quantitative analysis for information security business cases.

Page 21: Blame Game Reality.

- Relax, It’s not really ALL of your fault….
- But, you can do an awful lot more than you would think
- An Information Security Professional must rise above the fray and understand everything and everyone.

Page 22: We Need an Attitude Adjustment – Learn To Enjoy And Appreciate Stupid People

- Remember that your company is in the business of making widgets and not in the security business.
- Your mission is to analyze, notify, and advise. It is a rare situation where you are obligated to care more than your CEO does.

Page 23: Tips, Summary, and Final Words

- It will always be easier for you to understand management, IT, and business.
- Don’t let security vendors confuse your people.
- Document, Document, Document and protect yourself – live by the paper trail

Page 24: Tips, Summary, and Final Words

- Manage perception. Protect your credibility.
- It’s not worth losing sleep
- It’s painful being stupid but sometimes it isn’t painful enough or as painful as it should be

Page 25: Tips, Summary, and Final Words

Thank You

Page 26: Tips, Summary, and Final Words

All Your Base Are Belong To Us