December 2013 wrap-up


Quick round-up of things that have been happening:

We competed in the RuCTFe event last weekend. David Schwartzberg from Barracuda has a write-up: Moar Security War Games. “The team of ethical hackers is called MiSec, short for Michigan Security, and were testing their metal against 173 teams spread across the planet. The team captain, Wolfgang Goerlich, asked if I would join the MiSec team to deploy a Barracuda Web Application Firewall (WAF) and Barracuda NG Firewall in front of a highly vulnerable Linux server.”

VioPoint continues to grow and we are in the final stages of building a new Security Operations Center. Metromode did a brief piece: VioPoint doubles space and adds jobs in Auburn Hills. “If timing is everything, then the leadership team at VioPoint thinks it has the right ingredients for a significant growth spurt. ‘We have the right people and the right services and we’re going at the market at the right time,’ says Wolfgang Goerlich.”

BSides Columbus accepted a talk from Mark Kikta and me: Rapid Fire Threat Modeling. Everyone is talking about threat modeling. But when you get down to it, few are doing threat modeling. The reasons are simple: modeling can be complicated, there is conflicting information, and it is not clear what to do with the finished model. This session presents a pragmatic threat modeling exercise that can be accomplished in an afternoon. We will review how to find sources for threat models, communicate the findings, audit and assess the available controls, and drive change within the organization. In sum, this talk presents a practical approach to rapidly getting the most from threat modeling. (January 20, 2014. Columbus, OH)

ConFoo accepted my software development lifecycle talk: SDLC in Hostile Environments. What happens when end-users have the motive, opportunity, and skillset to attack our software? When two hacker conferences hosted a six week capture-the-flag contest, organizers learned first-hand how this impacts the software development life cycle (SDLC). We will discuss wins and losses, successes and failures, and hard lessons learned. (February 24 – February 28, 2014. Montreal, Canada)

MiSec events in December

The next two weeks are packed with MiSec goodness. I thought it best to do a roll-up blog post, rather than my normal Tweet shout-outs.

Concise Courses: Wednesday, December 11th, 12pm
FedRAMP: How the Feds Plan to Manage Cloud Security Risks
Presented by: Steven Fox (@securelexicon)
Online here:

North Oakland ISSA: Wednesday, December 11th, 6pm to 8pm
Practical Threat Modeling
Presented by: Wolfgang Goerlich (@jwgoerlich) and Mark “Belt” Kikta (@B31tf4c3)
Baker College
1500 University Drive
Auburn Hills, MI 48326

OWASP Detroit: Thursday, December 12th, 7pm to 9pm
Susie the Useful SOC Puppet: A blue-team bedtime story.
Presented by: Jeremy Nielson (@jeremynielson)
First Center Building
26911 Northwestern Highway
Southfield, MI 48033

RuCTFe: Saturday, December 14th, 5am to 2pm
Online Technologies Corporation (OTC) of Ann Arbor
5430 Data Court, Ann Arbor, MI 48108

Holiday dinner: Wednesday, December 18th, 7pm to 10pm
Rochester Mills Beer Co
400 Water Street
Rochester, MI 48307
Tickets here:

Friday Books and Talks 12/06/2013

Here are some of the books and talks that I enjoyed this week, in no particular order.

Your Survival Instinct Is Killing You
Retrain Your Brain to Conquer Fear, Make Better Decisions, and Thrive in the 21st Century
by Marc Schoen

“Thanks to technology, we live in a world that’s much more comfortable than ever before. But here’s the paradox: our tolerance for discomfort is at an all-time low. And as we wrestle with a sinking “discomfort threshold,” we increasingly find ourselves at the mercy of our primitive instincts and reactions that can perpetuate disease, dysfunction, and impair performance and decision making.”

“Your Survival Is Killing You can transform the way you live. Provocative, eye-opening, and surprisingly practical with its gallery of strategies and ideas, this book will show you how to build up your “instinctual muscles” for successfully managing discomfort while taming your overly reactive Survival Instinct. You will learn that the management of discomfort is the single most important skill for the twenty-first century. This book is, at its heart, a modern guide to survival.”
Differentiate or Die
Survival in Our Era of Killer Competition
by Jack Trout

“In today’s ultra-competitive world, the average supermarket has 40,000 brand items on its shelves. Car shoppers can wander through the showrooms of over twenty automobile makers. For marketers, differentiating products today is more challenging than at any time in history yet it remains at the heart of successful marketing. More importantly, it remains the key to a company’s survival.”

“In Differentiate or Die, bestselling author Jack Trout doesn’t beat around the bush. He takes marketers to task for taking the easy route too often, employing high-tech razzle-dazzle and sleight of hand when they should be working to discover and market their product’s uniquely valuable qualities. He examines successful differentiation initiatives from giants like Dell Computer, Southwest Airlines, and Wal-Mart to smaller success stories like Streit’s Matzoh and Connecticut’s tiny Trinity College to determine why some marketers succeed at differentiating themselves while others struggle and fail.”
Why Leaders Eat Last
By Simon Sinek

“In this in-depth talk, ethnographer and leadership expert Simon Sinek reveals the hidden dynamics that inspire leadership and trust. In biological terms, leaders get the first pick of food and other spoils, but at a cost. When danger is present, the group expects the leader to mitigate all threats even at the expense of their personal well-being. Understanding this deep-seated expectation is the key difference between someone who is just an ‘authority’ versus a true ‘leader.’”

Risk management circa 2018

This past Tuesday, I was out at Eastern Michigan University speaking with information assurance students. The prof invited me to visit his Risk-Vulnerability Analysis class and asked that I give my Practical Risk Management talk.

Practical Risk Management was a talk I had given widely in 2007-2008, describing my efforts to stand up a risk management practice for a financial services firm. The case study covers aspects that I found went surprisingly well, and aspects that I found were surprisingly hard. Since five or six years had passed, I had expected to have to significantly revise the slide deck. Clearly, lots has changed, right?

Surprisingly, no.

The areas we wrestled with last decade remain challenging for clients and organizations today. I found little had changed. On the bright side, that fact simplified my revisions to the slide deck for Eastern Michigan University. On the down side, of course, that means we continue to struggle.

Why? In part, it is because of the seductive simplicity of the Risk = Asset * Vulnerability * Threat formula. Find the values, plug them in, multiply, and prioritize. Easy, right?

Easy, except asset management and valuation is tricky. Few organizations have a reliable hardware and software inventory. Fewer still have automated audits and the ability to see, immediately, when the inventory changes. This matters as such changes are often an indicator of compromise. Few organizations, too, can tie assets to business processes and provide financial valuation on impact. The question of what we have and why it matters is elusive.

And vulnerability management? Putting the dependency on an accurate asset inventory aside, vulnerability management is not quite a slam dunk either. True, software such as Qualys takes the grunt work out of the process. Automation can also shift from annual assessments to continuous vulnerability assessments. Yet the real difficulty in vulnerability management continues to be driving the remediation efforts. Thus we see many vulnerability management programs with tens of thousands of open vulnerabilities.

Threat management has made some progress. In 2008, my chief concern was a lack of threat intelligence and information on what actual attackers were using to achieve actual objectives. Today, we have better information sharing (ISACs, CERTs). We also have services like Risk I/O that map vulnerabilities to threat intel feeds. Tighter integration goes a long way towards prioritizing realistic risks. Nevertheless, as evidenced by penetration test results, the gaps in asset and vulnerability management, combined with control weaknesses and architectural security concerns, offer the motivated threat actor a variety of ways to compromise an organization.
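To make the three gaps above concrete, here is an added example (my illustration, not code from the post or from any product it names) that wires the Risk = Asset * Vulnerability * Threat formula to the three programs it depends on: an asset inventory with change detection, a list of vulnerability findings, and a threat intel feed. The hostnames, business-process tags, `VULN-000x` identifiers, severities and the intel feed are all constructed sample data; the asset value scale (1 to 5) and the threat multipliers (1.0, 1.5, 3.0) are assumptions chosen for the illustration.

```python
"""Risk prioritization on top of asset, vulnerability and threat data.

Every inventory, finding and intel entry below is constructed sample data
for the example; none of it comes from a real scanner or feed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    business_process: str   # hypothetical tie to a business process
    value: int              # 1 (low impact) .. 5 (critical), assumed scale
    software: frozenset     # installed packages, hypothetical names


def inventory_drift(baseline: dict, current: dict) -> dict:
    """Compare two inventory snapshots keyed by hostname.

    New hosts, vanished hosts and changed software sets are reported so
    that unexpected changes can be reviewed as potential indicators of
    compromise, rather than discovered at the next annual audit.
    """
    drift = {"new_hosts": [], "missing_hosts": [], "changed_software": {}}
    drift["new_hosts"] = sorted(current.keys() - baseline.keys())
    drift["missing_hosts"] = sorted(baseline.keys() - current.keys())
    for host in baseline.keys() & current.keys():
        before, after = baseline[host].software, current[host].software
        if before != after:
            drift["changed_software"][host] = {
                "added": sorted(after - before),
                "removed": sorted(before - after),
            }
    return drift


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str      # placeholder identifiers, not real CVE numbers
    severity: float   # CVSS-like score, 0..10


def threat_factor(vuln_id: str, intel: dict) -> float:
    """Threat term of the formula (assumed multipliers).

    1.0 when no feed mentions the vulnerability, 1.5 when a feed tracks
    it, 3.0 when the feed reports active exploitation in the wild.
    """
    entry = intel.get(vuln_id)
    if entry is None:
        return 1.0
    return 3.0 if entry.get("exploited_in_wild") else 1.5


def prioritize(assets: dict, findings: list, intel: dict):
    """Score each finding as Asset * Vulnerability * Threat, highest first.

    Findings on hosts missing from the inventory are returned separately:
    without an asset value there is nothing meaningful to multiply, which
    is exactly the asset-management gap the post describes.
    """
    scored, unknown = [], []
    for f in findings:
        asset = assets.get(f.host)
        if asset is None:
            unknown.append(f)
            continue
        risk = asset.value * f.severity * threat_factor(f.vuln_id, intel)
        scored.append((round(risk, 1), f.host, f.vuln_id, asset.business_process))
    scored.sort(key=lambda row: row[0], reverse=True)
    return scored, unknown


# Constructed inventory snapshots: last month's baseline and today's scan.
BASELINE = {
    "db01": Asset("db01", "payments", 5, frozenset({"postgres", "sshd"})),
    "web01": Asset("web01", "customer-portal", 3, frozenset({"nginx", "sshd"})),
}
CURRENT = {
    "db01": Asset("db01", "payments", 5, frozenset({"postgres", "sshd", "netcat"})),
    "web01": Asset("web01", "customer-portal", 3, frozenset({"nginx", "sshd"})),
    "jump02": Asset("jump02", "unknown", 1, frozenset({"sshd"})),
}

# Constructed scanner output and threat intel feed.
FINDINGS = [
    Finding("db01", "VULN-0001", 9.8),   # critical, no intel reported
    Finding("web01", "VULN-0002", 7.5),  # high, exploited in the wild
    Finding("db01", "VULN-0003", 5.0),   # medium, tracked but not exploited
    Finding("lab07", "VULN-0001", 9.8),  # host absent from the inventory
]
INTEL = {
    "VULN-0002": {"exploited_in_wild": True},
    "VULN-0003": {"exploited_in_wild": False},
}

if __name__ == "__main__":
    print("inventory drift:", inventory_drift(BASELINE, CURRENT))
    ranked, orphans = prioritize(CURRENT, FINDINGS, INTEL)
    for row in ranked:
        print("risk=%5.1f host=%-6s %s (%s)" % row)
    print("findings on unknown hosts:", [f.host for f in orphans])
```

Two things worth noticing when it runs. The highest-severity finding (9.8 on the payments database) does not top the list: the 7.5 on the customer portal outranks it because the feed reports active exploitation, which is the reordering that integrating threat intel with vulnerability management is meant to produce. And the drift report flags both a host nobody put in the baseline and an unexpected package on the database server, the kind of inventory change the post describes as an indicator worth treating as a potential compromise.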

Five years of time, with not much progress to show for it. This has me saving a copy of my slide deck to give again in 2018.

What changes can we make to obsolete my Practical Risk Management talk? Simple. We can beef up and automate asset management. We can shift from the technical aspects of vulnerability management to the social aspects, facilitating remediation efforts with other departments. Finally, we can more tightly integrate threat intel with vulnerability management and begin doing regular red team assessments to identify architectural and control concerns. In three broad strokes, we can make a dent in the technical aspects of risk management and get ourselves out of the weeds.

Asset management. Vulnerability management. Threat management. Three areas, three programs, three ways to make a significant difference between now and 2018. The clock is ticking. Let’s get this done.