The Work of Luck – Design Monday

Archive for the ‘Security’ Category

The Work of Luck – Design Monday

Posted by

It is the final task of an implementation. The stakes are high. One of your people hits a wrong button. The entire system comes crashing down. My question: Is this good luck, or bad?

For an answer and inspiration, I look to Massimo Bottura. Bottura is a chef and restauranter. At his Michelin 3-star restaurant, Osteria Francescana, a similar situation played out. The pastry chef, Taka Kondo, was platting the final course. One tart slipped. Smash! And to Kondo’s surprise and relief, Massimo Bottura burst out laughing. Good luck! The Oops! I dropped the lemon tart was born. The dessert has become legend.

You can hear Bottura tell the story himself at the video below. For now, I want to turn to the question of how to get lucky. So many things must go right when deploying technology, we can use all the luck we can get.

One factor in seeing the opportunity in accidents is associative barriers. High associative barriers lead to functional fixedness. By contrast, people with low associative barriers tend to find connections and opportunities others don’t. I’ve previously covered techniques to get beyond functional fixedness: discuss an item without naming it, and discussing what an item does rather than it is. (See Play with the spaces between the words.) Here, let’s cover building new associations.

New associations can prime us to turn accidents into good luck. It provides a larger net for catching ideas. The exercise is simple. List the assumptions. Imagine what would happen if the opposite were true. We can (and probably should) do this at multiple stages in designing security capabilities; from the vision to our assumptions about the organization, the security function, the security controls, the tools, and our assumptions about implementation. For example:

  • A tart from a Michelin 3-star restaurants is carefully plated and perfectly constructed.
    • It is messily deconstructed. Innovation: Oops! I dropped the lemon tart.
  • The authenticating security credential is a person’s ID and password.
    • A person can authenticate without a password. Innovation: passwordless.
  • A security perimeter is enforced by the network, that is, by a firewall.
    • A perimeter is enforced regardless of network. Innovation: Zero Trust.
  • Defense-in-depth necessarily means having deep control coverage.
    • Defense can be achieved with only a few controls. Innovation: attack path.

The other factor in finding the opportunity in accidents is time. Rushed people don’t get lucky. Stressed people don’t get opportunities. The psychology of stress and time shows people develop tunnel vision and repeat well-known and practiced techniques. The same is equally true for rushed and stressed projects and initiatives. The same goes for rushed and stressed teams and operations. This is an anathema to getting lucky, of course. We’re highly unlikely to see possibilities and to take them on when in this state. Buffer time and down time create the space for getting lucky.

“Leave a free space for poetry. Leave a free space from obligation. You have to be ready to see what others don’t even imagine,” Massimo Bottura says in the video below. He could be speaking directly to us about designing security capabilities. “Make visible the invisible.”

Massimo Bottura tells the story behind Oops! I dropped the tart.

This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

Mies and IBM Plaza: Knowing When More is More – Design Monday

Posted by

The building came into view. My vantage point was on the Chicago River. It was Valentine’s Day. Now Chicago natives had warned us about the cold February winds. But there my wife and I were, on a river tour of Chicago’s architecture. Frozen to the ship’s deck, we looked up as the IBM Plaza came into view.

Ludwig Mies van der Rohe designed the building in the 1960s. Mies came from the famed Bauhaus school, another of my favorite sources of inspiration. In fact, Mies was the last director of Bauhaus. He moved from Berlin to Chicago in 1937 to head the architecture department of Illinois Institute of Technology. There’s a direct line from Bauhaus to Second Chicago School of architecture. Specifically, in minimizing ornamentation in favor of emphasizing building materials themselves.

It was this modernism which drew IBM to Mies van der Rohe. But there was a problem. Many, in fact, with the building IBM wanted. Computing technology of that age was notoriously hot and power-hungry. Moreover, computer engineers were at a premium, which meant a large workforce with little patience for waiting on elevators. Every minute counted. Moving to the ground, the lot was an oddly shaped. Triangular. It sat partially atop of a train line which restricts the foundation needed for a skyscraper. And to top it off, the site had an agreement to provide storage for the Sun-Times. That’s a lot.

“Less is more” was popularized by Mies van der Rohe. Boil down architectural requirements to the essentials. In cybersecurity, we’ve embraced less is more. You see it in concepts like least privilege, least trust (aka Zero Trust), economy of mechanism, and limited security blast radius. You see it in my security principles; like when I discuss building Roombas not Rosies. Less is more is a reminder to take a minimalist approach.

Even from the Chicago River, you can feel the minimalism of the IBM Plaza. The exposed vertical beams, the glass and steel materials on full display. Less is more. But it’s more than it seems. The building has more than double the elevators of a comparable building. The cooling system is similarly over-powered. Designed by C.F. Murphy, the HVAC is tuned for 1970s era computing. Mies also made several floors to be taller to support raised flooring, and reinforced to support the weight. The building is subtly shifted back to make use of the lot, with weight shifted back onto a strong foundation. This feature explains the open pillars in front and allowed Meis to neatly avoid the question of the railway. Less is more? If anything, much of the IBM building is overdone.

Less is more is not a call for doing less. It is a reminder to save our energies to do more where it counts. It is a reminder to pour the savings into solutions for the problem at hand. When we save resources for priorities, less isn’t loss.

IBM moved into IBM Plaza in 1971. For more than three decades, the building was the Chicago office of the tech giant. “The building was declared a Chicago Landmark on February 6, 2008 and added to the National Register of Historic Places on March 26, 2010.” Today, the building at 330 North Wabash is known as the AMA Plaza. It stands as a testament to Ludwig Mies van der Rohe’s ability to balance less and more.

The design lesson: More of what matters is more.

The floating foundation of 330 North Wabash, Chicago. Photography by Ryan Cramer.

This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

CyberScoop: Security professionals lose central watering hole with demise of Peerlyst

Posted by

For years, the Peerlyst social network has been a resource for software developers looking for a job or cybersecurity enthusiasts wanting to host meetups across the world. But on Aug. 27, the website will shut down, Peerlyst founder Limor Elbaz said Monday, citing financial pressure.

Excerpt from: Security professionals lose central watering hole with demise of Peerlyst

Cybersecurity professionals lamented the end of the platform. “I took the news hard,” said J. Wolfgang Goerlich, an advisory CISO at Duo Security who has posted nearly 700 times on Peerlyst. “With the Peerlyst going away, we’re losing a central watering hole. The conversations may continue over LinkedIn and Facebook groups. But the loss of a dedicated security social media site will be felt for some time.”

The site also let users plans their own offline meetups in various cities in Asia, Australia, Europe, and North America.

Read the full article here: https://www.cyberscoop.com/peerlyst-shut-down-infosec-professionals/

Wolf’s Additional Thoughts

I was an early adopter of Peerlyst and a regular contributor. I end up the 22nd most popular user on the site which boasts of serving “70% of security professionals around the world and the site ranks higher than the majority of security companies.” Also? Peerlyst once put my face on the side of a bus during the RSA Conference. So I’m a little biased.

There is tremendous value in community. Apple itself got its start at the The Homebrew Computer Club. I spent many years and cut my teeth as a top poster in the Citrix online community, back in the early 2000s. And in the last decade, more people than I can count had their careers launched through my local security community, MiSec.

I’m sad to see Peerlyst go and am grateful to Limor Elbaz, Evgeny Belenky, and the entire Peerlyst team. Thanks to them for the memories and connections.

To you the reader, I ask this: what community will you build?


This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category.

Balance depth with economy of mechanism – Design Monday

Posted by

We spend far too much time talking about defense in depth and far too little time talking about economy of mechanism.

As a design inspiration, look to Alfred Heineken. Not a designer, Heineken was a brewer and a businessman.  In the 1950s, modernizing the look of the Dutch brewing company, Heineken made two changes to the beer’s logo. He dropped the upper-casing and then, to be playful, he tilted the e until it resembled a smile. Simple.

Defense in depth suggests more controls and more tools are better. However, this complexity comes at a cost. In a study performed by Cisco, the number of vendor tools was directly correlated with the downtime from a security incident. Security teams using one vendor averaged four hours or less of downtime, while teams managing more than 50 averaged more than 17 hours of downtime.

I suspect the downtime is driven by the team’s confusion when responding to incidents. It fits my personal experience, and reminds me of what Donald A. Norman wrote in Living with Complexity. “Modern technology can be complex, but complexity by itself is neither good nor bad: it is confusion that is bad. Forget the complaints against complexity; instead, complain about confusion.”

Economy of mechanism suggests implementing the fewest controls and fewest tools to mount an adequate defense. We have a finite cognitive throughput from people doing the work and people securing the work. We have a finite budget. After we have the requirements and possible tooling options, ask how we can achieve the same results with less. Ask again, and again.

Find the letter e, tilt it a bit, and smile.

Heineken’s smiling e logo, photography by Heineken.

This article is part of a series on designing cyber security capabilities. To see other articles in the series, including a full list of design principles, click here.

SDxCentral: Debunking Cybersecurity Myths

Posted by

Of all the cybersecurity myths about small to midsized businesses, the most damaging is the widely held believe that SMB leadership doesn’t take security and data privacy seriously, says Wolfgang Goerlich, Advisory CISO at Cisco Duo. This myth must be stamped out immediately, he said. And while it’s myth No. 8 in a new Cisco report, “it really needs to be myth one.”

Excerpt from: Cisco Debunks Cybersecurity Myths

“Maybe that was true 10 years ago,” Goerlich said. “The executive teams of these organizations are taking security and data privacy very seriously. Every other myth downstream is effected by that awareness and visibility at the top.”

Cisco’s latest security report, based on a survey of almost 500 SMBs, aims to debunk myths about smaller companies’ security posture and threats. This is important because the security industry has traditionally been biased against SMBs, perpetuating the myth that they don’t prioritize cybersecurity, the report says.

To come up with the 10 myths debunked in the report, Cisco compared responses from SMBs (250-499 employees) versus larger organizations with 500 or more employees. It shows that SMBs face the same threats and potential damages from an attack and they take security preparedness every bit as seriously as their larger counterparts.

Read the full article: https://www.sdxcentral.com/articles/news/cisco-debunks-cybersecurity-myths/2020/05/


This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category.

Dark Reading: OS, Authentication, Browser & Cloud Trends

Posted by

New research shows cloud apps are climbing, SMS authentication is falling, Chrome is the enterprise browser favorite, and Android leads outdated devices.

Excerpt from: OS, Authentication, Browser & Cloud Trends

Application integration is up across most key categories. The number of customers per cloud app is up 189% year-over-year, and the number of authentications per customer per app is up 56%.

The massive spike in cloud applications means any given employee has at least two or three cloud apps they use to do their jobs, says Wolfgang Goerlich, advisory CISO for Duo Security. “It was a big explosion of shadow IT,” he adds. “It really got away from a lot of the organizations.” Some people often use the same applications for personal and business use, driving the need for businesses to enforce their security policies for cloud-based applications and resources.

Read the full article: https://www.darkreading.com/cloud/security-snapshot-os-authentication-browser-and-cloud-trends/d/d-id/1335262

Wolf’s Additional Thoughts

IT history repeats itself.

The organization moves slow to provide employees with tools and technology. Consumer tech fills in the gap outside of the office. People get savvier and more experienced with tech. People innovate with what they know, to get done what they need to get done.

The organization notices people doing things in an innovative yet ad hoc way. Work is done to standardize tech use. More work is done to secure the tech use. The wild ways of people, the wilderness of shadow IT, is tamed and brought into the light.

We’re at this point now. That’s what the numbers show. But tamed IT is slower than shadow IT. If the past has taught us anything, it is that the cycle will repeat.


This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category.

Microsoft Valuable Professional (MVP)

Posted by

Microsoft has recognized my work in Cloud Computing security with a 2017-2018 Microsoft Valuable Professional (MVP) award. I’ve long relied upon the guidance and advice from MVPs. It’s a fantastic program. I’m honored to now be included, specifically under Enterprise Security.

Hybrid cloud security: 8 key considerations

Posted by

Hybrid cloud should strengthen your organization’s security posture, not diminish it. But that doesn’t mean improved security is a default setting. While security fears are declining as cloud matures, security remains an ongoing challenge that needs to be managed in any organization. And a hybrid cloud environment comes with its own particular set of security considerations.

 

1. Ensure you have complete visibility.

Too often in modern IT, CIOs and other IT leaders have blind spots in their environments, or they focus too narrowly (or even exclusively) on their on-premises infrastructure, says cybersecurity veteran J. Wolfgang Goerlich, who serves as VP of strategic programs at CBI.

Now that companies and their end users can use hundreds of cloud-based apps, and multiple departments can spin up their own virtual server on an Infrastructure-as-a-Service platform, complete visibility across private cloud, public cloud, and traditional infrastructure is a must. A lack of visibility, says Goerlich, snowballs into much greater security risks than are necessary.

2. Every asset needs an owner.

If you lack 360-degree visibility, you probably lack ownership. Every piece of your hybrid cloud architecture needs an owner.

“A key tenet in IT security is having an owner identified for every asset, and having the owner responsible for least privilege and segregation of duties over the asset,” Goerlich says. “Lack of visibility results in a lack of ownership. This means, quite often, hybrid cloud environments have loosely defined access controls and often are without segregation of duties. Excessive permissions introduce risk, and unowned risk is unaddressed risk.”

Read the full article:

Hybrid cloud security: 8 key considerations
https://enterprisersproject.com/article/2017/7/hybrid-cloud-security-8-key-considerations

Enterprisers Project: Expert advice on securing hybrid cloud environments

Posted by

Hybrid cloud should strengthen your organization’s security posture, not diminish it. But that doesn’t mean improved security is a default setting.

Excerpt from: Hybrid cloud security: 8 key considerations

Ensure you have complete visibility. Too often in modern IT, CIOs and other IT leaders have blind spots in their environments, or they focus too narrowly (or even exclusively) on their on-premises infrastructure, says cybersecurity veteran J. Wolfgang Goerlich, who serves as VP of strategic programs at CBI.

Now that companies and their end users can use hundreds of cloud-based apps, and multiple departments can spin up their own virtual server on an Infrastructure-as-a-Service platform, complete visibility across private cloud, public cloud, and traditional infrastructure is a must. A lack of visibility, says Goerlich, snowballs into much greater security risks than are necessary.

Read the full article: https://enterprisersproject.com/article/2017/7/hybrid-cloud-security-8-key-considerations


This post is an excerpt from a press article. To see other media mentions and press coverage, click to view the Media page or the News category.

Viewing cached credentials and clearing cached credentials in Windows 10

Posted by

This article applies to Windows 10 Anniversary Update (Version 1607). For previous versions of Windows, please see the earlier article.

What are cached credentials?

Windows 10 caches and stores usernames and passwords for Active Directory domains, other computers, apps like Outlook, websites, and FTP sites. This makes it easier to authenticate as you don’t have to type in the username and password every single time. But it does pose a risk of those credentials getting misused.

Where are Windows 10 credentials stored?

Active Directory credentials. Domain credentials (usernames and passwords are stored on the local computer’s registry as salted hashes. This is under HKEY_LOCAL_MACHINE\Security\Cache, found in the %systemroot%\System32\config\SECURITY file.

Generic credentials. You can view Website and Windows credentials by launching the Credential Manager (credwiz.exe).

Internet credentials. You can view Internet usernames and passwords in the Internet Control Panel (inetcpl.cpl). Run inetcpl.cpl, go to Content, scroll to Autocomplete, click Settings, and click on Manage Passwords.

When do Windows 10 cached domain credentials expire?

Unfortunately, Windows domain credentials don’t expire in the cache. Within Active Directory, expiration is set on the user object. But if the credential is still valid in Active Directory, the cached copy will still work.

It is possible to control how many credentials are cached using the group policy: Interactive logon: Number of previous logons to cache (in case domain controller is not available)


Designing CyberSecurity | Weekly Blog Series

Designing and architecting security? Join our weekly conversation on what hackers can learn from artists and designers.


How to reset Windows 10 credentials? How to remove Windows 10 credentials?

Active Directory credentials. Open the registry to HKEY_LOCAL_MACHINE\Security\Cache, grant your user account read/write access. Close and reopen the registry to have the access control take effect. Zeroing out the NL$x binary value will clear the cached credential.

Generic credentials. Open the Credential Manager (credwiz.exe to view Website and Windows credentials. Select and remove the passwords you wish to clear.

Internet credentials. Open the Internet Control Panel (inetcpl.cpl), go to Content, scroll to Autocomplete, click Settings, and click on Manage Passwords. Select and remove the passwords you wish to clear.

Outlook email. To view and clear Outlook passwords on Windows 10, first use the Credential Manager instructions above. Then, download the SaveCredentials.exe tool and follow the directions here.

Windows Live Essentials. To view and clear Windows Live Essentials passwords on Windows, first use the Credential Manager instructions above. Find the SSO_POP_Device. This credential provides Single Sign-On (SSO) access for the Post Office Protocol (POP) when accessing a variety of Microsoft email platforms (@hotmail.com, @msn.com, @outlook.com, etc).

Why bother clearing Windows 10 credentials?

The main reason people follow this article is to troubleshoot cached Windows credentials, Active Directory credentials, domain issues, or problems with apps like Internet Explorer and Outlook. Removing the passwords from Windows allows it to reset and fix authentication issues.

The other reason? Well, security. A common tactic from penetration testers to red teamers to criminals is to gain access to cached credentials. From there, they may be replayed to connect to IT systems, or cracked and reused as part of a larger attack. To prevent this, minimize the data stored on your computer and minimize the likelihood of it being stolen or copied.