
This is a continuation of part 1 of my series on personal codes of conduct.


Maxim 3: Your most important asset is your name.

Of all the things you carry as an Information Security professional, and as a human, the most important is your name. Your name carries your reputation. Think of any famous person's name. What image does that conjure? What do you automatically think when hearing that name? Is that person pretty? Talented? Caring? Aloof? Cruel? Crazy? Think about how most people view that person. The views are filled with the bias of personal experience. However, those images are cultivated carefully. Now think of your boss. Think of your employer. Think of your best friend, or your significant other. How are they viewed, by you and the world at large? What behaviors do they exhibit to cultivate that reputation?

As you think of the good and bad of it, their history and how that has affected their reputation comes to mind. One malicious act carries more weight than all the good they may have done. Have they repented? Have they worked tirelessly to rebuild their reputation? Are there people who still think of them as bad or untrustworthy based on that event?

<Aside>

I have a problem with this in modern discourse. Look at the political arena or social media. When one side wants to prove someone is bad, they have to go to the Wayback Machine to find one prior bad act (usually inappropriate speech as a younger person). And this is used - mostly wrongly - to excoriate that person. Social media takes away that passage of time, making such words ever present, even if the person who used them is no longer here. It's one thing if the attitude hasn't changed. But if the person no longer exhibits that behavior, they grew as a human. They are greater than their past self. There is no greater achievement.

</Aside>

Corollary: You can destroy your reputation in an instant. Be warned.

Think about Infosec explicitly. The example of Terry Childs is perfect. He locked out the city to prove a point about the security of the network, and potentially in defense of a malicious insider. He took it to an extreme, but his actions have ensured that no one but those in the most desperate need would hire him for any job that carries a burden of trust or responsibility. I have often received calls from network contacts asking if I know their applicant and what I can tell them about that person. Sometimes I have glowing reviews, sometimes I have very little to say either way. Only three times have I ever directly said, "Do not hire this person. I can't tell you why, but I would expect lots of time spent with HR // disciplinary measures // zero productive work." My name carries trust. I go out of my way not to torpedo someone unless they have a series of behaviors that are disruptive and dangerous. I account for the passage of time. Between them and me, the value of my recommendation comes down to both our names.


Maxim 4: Title does not equal mastery.

We've all met that person. They have certifications galore (MCSE, anyone?), or held a job title for a while. You interview them, and they talk a good game. You hire them on, only to find out they couldn't admin their way through the drive-thru at a McDonald's. It's especially frustrating with technical certs, where (in theory) a level of mastery must be demonstrated to get the certification. If you are old enough, you remember the certification mills of the XP/7 days. These people were trained to take a test, and could then pass the test.

I worked with several at a previous job, where they all had a slew of Microsoft certs, and I had an Associate's degree in Computer Networking Systems. They "took a chance" on me as I didn't have the credentials the others had. We were all on the same project duty: migrate a series of systems from Win 2K to Win 2K3. The process would take 8-9 hours depending on transfer speeds. Sometimes they would have problems with the process, or didn't understand what to do when basic errors cropped up. They had been there for a month, and I was brought on because they couldn't find a fourth otherwise. Within the first week, I had found ways to increase my productivity so I could finish the process in 6.5-7 hours every day, three of which were just waiting for transfers to complete. The processes weren't difficult. The scripts may have been intermediate to advanced, but the process was rudimentary. One guy quit because it was "too hard." Another left for an opportunity from a buddy. We still finished the project on time.

We chase the titles, as early on they get us past HR. However, without the mastery, that bluff doesn't last. I disagree with talking heads that say certifications are a waste for new Infosec talent, as those talking heads already have the mastery, and it is tied to their name (see maxim 3). They don't need them. Just remember that the certifications are a means, not a goal, on the path to continued excellence (see maxim 2). You can build upon mastery much easier than building upon certs and titles.


Maxim 5: Never lash out in emotion.

In Infosec, even when people despise how you "get in the way," you are their rock. If you are calm, everything is ok. You may be a pain in their ass, but there's no reason to worry. Subconsciously, they understand that you carry a burden of knowledge, an awareness of what can really go bad. If you are calm, then everything is all right.

If you, security, the rock on whom they are forced to rely, the one with secret knowledge, are all worked up, how screwed is everyone else?

Think of the reputation of your team (maxim 3 - these reinforce each other. There's a lesson there). The expectations that come with that. Think of what security means to everyone. Do you think we're just people? We can have bad days? Imagine if the CIO went running down the hall grunting. What would you think if the CEO was walking around with slumped shoulders? Assume your boss, or your CFO, was screaming at people. What crosses your mind? How much does your foundation shake?

The fear of a kaboom is one side of the coin; the other side is just as bad. Emotions are about control (see young Spock in the 2009 Star Trek). An adversary, even (and more likely) one working for the same institution, will work to get you to pop off. When they do, they exhibit control in a situation where you can't. To anyone else, who shows better that they can handle whatever the argument is about? Who is better equipped to handle the strain of what needs to be done? Who is more likely to rupture, cause an incident, or walk out? People are going to test you. In Infosec, we carry one of the greatest burdens of performance of any role in the institution. That's the price of the role. Don't let emotions taint that burden, and how people see you carry it (#3, yet again).


Maxim 6: At some point, you will lose.

Corollary: You can be absolutely right and still lose. Be prepared.

Axiom: Just because you lose, doesn't mean you have to like it.


Tell me if this sounds familiar. You have an obvious gap in your institution's security. Maybe it's a vulnerability (running unsupported .NET for legacy apps), maybe it's a capability gap (not logging relevant Windows events). There is an obvious fix that takes time, money or training. The damage that can come from this security risk is quantifiable. It may be widely exploited. You make a solid case why you need X to fix Y, as an issue with Y will cost $Z. This can't be refuted, and everyone accepts this as both truth and fact.

Then the decision makers say no. They're willing to accept the risk rather than create a new app. Their financial priorities place new office furniture above training to fix an issue. Or worse, they won't spend the money on a new capability, because an existing tool says they can do it (albeit with the need for several custom virtual machines).

And you are left wondering how someone so dumb is higher up the food chain than you.

Most of the time, this is your bias getting in the way. As techs, we don't see the operating budget as a whole (usually). We don't know revenue streams. We don't see risks outside of our own. We don't have to deal with the wants of external customers. We don't see the choices they have to make. They can be ignorant or self-serving. My belief in humanity tells me they are more likely dealing with the world as it is (#2), and they understand the value of their name (#3), and wouldn't be willfully acting against that.


Think about your rules as an Infosec professional. I still have (currently) seven to share. Stay tuned.

Codes of Conduct at conferences make me angry. They make me angry the same way I have to be warned that this coffee is served hot, and not to use the chainsaw on my genitals. These exist because somewhere, a grown human being did something to warrant the need for warnings like this. Perhaps it is my work environment, or the people with whom I choose to spend my time. I have worked hard to make sure I am not spending time with people who need to be told that peanut butter contains peanuts. I do not like the way, as an attendee, I am impugned by default simply for attending.

The part I really hate? They're needed, and there should be one for the staff as well (Captain Crunch, and those who kept boys away from him instead of dealing with the issue, for example).

In life, individuals should have their own code of conduct. The idea is to regulate their own behavior based on the environment in which they exist. This harkens back to simple ideas like putting "Here Be Dragons" on a map. Depending on who you are, your code of conduct may say to stay away from physical threats, or to train to be better able to face them. A baker's may contain a maxim about early to bed and early to rise, as the goods need to be fresh when people wake up. A politician may (but generally doesn't) treat every mic as hot, and assume that what they say around recording equipment will be broadcast and transmitted. It is no different in Information Security.

As my career has evolved, I have - so far - built up a list of eleven maxims that apply to a career in Infosec. These eleven maxims, in structure akin to Gibbs' Rules in NCIS, have guided me through my career, and kept a light on in dark places where all other lights go out (audit check-box security). Everyone should have their own set of rules that applies to their life and their work. As one thinks about it, they should be written down. I've developed these over the course of a decade. If I thought about it, I'd probably have more, but they cover wide areas, and generally apply to life as well as Infosec.

Maxim 1: Give your adversary every opportunity to make a mistake.

I came up with this idea whilst spending leisure time years ago playing a certain collectible card game. In this game, each color of card lent itself to a specific strategy. One of the most popular focused on control, and took a very different understanding of the game. The most common way to defeat someone is to reduce their life total from 20 to 0. Some tried to do this as fast as possible, some tried to do this by surviving to the mid game and playing a nigh unstoppable strategy. The control player took a very different tack. They would let an opponent exhaust their resources over the course of a long game. The opponent's strategy would become clear early on, and the control player just had to survive. They knew that an opponent could blast them for 19 in one shot, so long as their life total didn't go to zero. The difference between 20 and 1 was negligible compared to the difference between 1 and 0. The opponent understood the nature of the control player's strategy, but the factor of the unknown always stood in the way, and in a long enough game ultimately led to mistakes. It was the job of the control player to capitalize on each and every one of these. If the control player ended the game at 1, and the opponent at 0, the control player still won.

The same is true in Infosec. The difference between Reconnaissance and Command and Control is negligible compared to the difference between Command and Control and Actions on Objectives. Up until an adversary starts doing what they intended to do, they can still be caught, and any damage is a learning experience. Much like that collectible card game, the adversary has a limited bag of tricks, based on the bias of their own experiences. If an adversary gets stopped trying to send in a spearphishing e-mail, there are strong odds that they will try again. If an adversary runs an nmap scan to see what's accessible from the system they now control, once they move to a neighboring system they will likely do the same thing rather than check the system registry for the RDP targets the usual user of that account engages regularly. Does an adversary pull credentials from active memory, or crack the SAM offline (turn on LAPS, please)? Some have a wide skill set and tool set, but that variety can also be an indicator. Institutional defenders should have solid visibility into their networks to be able to see these anomalies. Whether you stop them at the Delivery phase by blocking the e-mail or having the user report it as a phish, or you prevent the compromised system from downloading the malware or attacker toolset from Command and Control, you still win the engagement. An adversary need only trip up once, so long as you are ready to capitalize on that mistake.

Maxim 2: We deal with the world as it is.

Corollary: We work to create the world we want.

One of the hardest parts of being poor is explaining to your kids why someone else has something you can't have: vacations, a new car, designer clothes, or the latest iPhone while you have an old LG. Most people fall into the trap of whining about how it is unfair, and thus there is no point in trying to compete in a world where the scales are so far tipped against you. In doing so, there are a myriad of mistakes being made. First, a person is measuring themselves against an impossible standard. You can't compare outcomes when the starting positions are different. Fair or not, the mindset should be about making one's situation better, and living better than one did the previous day, not benchmarking oneself against others. Second, they automatically assume the one against whom they benchmark themselves didn't make sacrifices (wise or otherwise) to be in the situation they are in, i.e. how deep in debt do they have to be to maintain that lifestyle? Third, people take on a nihilistic approach. I can't get to where that person is unless I win the lottery or a miracle happens, so I won't work to make incremental changes that will improve my situation over time. Daddy, I want an Oompa Loompa now!

In Infosec, the hardest things to do are to go to conferences or events and network with peers and hear that they have their own internal pen test squads, and they don't outsource code reviews, etc. What kind of resources do they have in play? Even better, listen to how leadership tries to benchmark themselves against industry peers from a purely spending standpoint without looking at a capability standpoint. I remember working for an ICS company where the budget for IT was baselined against their top competitor. "They only spend 3% on IT, so we only spend 3%." That was the only metric. The maturity of IT, and what they defined as IT, wasn't even a factor. They may have been comparing apples to apples, more likely apples to rutabagas, or potentially apples to oil filters.

The right thing to do is to measure where you are now, where you want to be, and how you get there. Build a plan based on where you need to be and the resources available, not on pushing management based on what Google has.

---Aside---

I took the SANS Threat Intel class last year. In that class, it was mentioned that a best practice was to take a senior, mid-level, and junior team member from the SOC and IR to work as part of a team doing threat intel for a time. Then rotate with another senior, mid-level, and junior, to give fresh perspectives and everyone a shot. All while having enough people left to run the SOC and IR functions. With the exception of the guy from Google in the class, everyone had this glazed look, like they don't have that many people in Security, much less in varied disciplines with a rotational capability. People were measuring themselves against the resources the instructor had at his day job (a well known, very large Silicon Valley firm), and measured themselves (incorrectly) as wanting. Apples to oil filters.

---End Aside---

When benchmarking against these other companies, we don't see the differences. Are we established and they are new, with no controls and flush with VC money? Are they beholden to one or two investors who demand a certain image, or that they work in an area of expensive real estate like San Francisco? Are they blowing their budget on marketing without investing internally? (Google PCI.net, their stadium naming rights, and their Super Bowl ad.) Remember, just because they're trying to make us think they're holding four aces doesn't mean we're not playing chess. A great hand in their game can be worthless to us.

Nihilism is a danger to an Infosec professional. Our education can easily take us past the capabilities of our controls, and much like a kid who understands calculus being forced to sit in an advanced algebra class, we can lose interest and become stunted. This is where personal responsibility comes in. The goal should be to maximize the capability of the current controls, while continually educating yourself to be able to justify the better controls and how they will be of value. Like the student stuck in class, we shouldn't fall into the trap of thinking we can only learn and experiment on company time. Yes, they should invest time and money into your education. So should you.

Nine more maxims to go. To be continued ...

Infosec_Samurai

Infosec, and life, is ultimately based on one principle: personal responsibility. This principle is the cornerstone of all aspects of successful, sentient life. Everything that happens that is successful comes down to someone taking personal responsibility for something. Is the network secure? Someone took responsibility to build a perimeter. Someone took responsibility to tune the firewall rules. Someone took responsibility to set up logging, build an asset list, define priority systems, do user education, configure e-mail protection, set up A/V and EDR, set up whitelisting, and – most importantly of all – tune it all to the environment. In Infosec, we carry the burden of everyone's responsibility, as our behavior and education and engagement spread out to everyone else. Ultimately, we are responsible for what happens on our networks, no matter who clicks on what. Every time we take responsibility to answer a question, tune a rule, or check on a reported phish, we demonstrate our willingness to put in the effort, and we make the institution we defend incrementally safer.

Personal responsibility begets ethics. It begets a code of behavior. More importantly, it shows a pattern of behavior and a standard. Good leaders notice. Users who care notice (everyone cares to some degree). Over time, one or more of the following will happen:

  • Others will start holding themselves to your standard, lest they look bad. You become patient zero for an improvement in culture.
  • People become more forgiving. If you make an error, or forget something once, people won’t then bring the hammer down on you. They recognize you are human, and realize this is the outlier, not the trend.
  • Leadership clearly identifies your value and invests more in your compensation and training to keep you around as long as possible.
  • You find out leadership and the users don’t care after all, but this clears up any imposter syndrome you have, and you can put together a clear concise resume full of measurable wins to move on to a better job. If you can demonstrate measurable value, good companies will extend an offer.

Understanding the nature of personal responsibility in people's lives, the principle of working to change what one can for the better instead of whining about the unfair disadvantages and lack of equal outcomes in situations, is very comparable to taking a HUMINT course, or really learning about nutrition and calories. You can't unlearn it. It will color every interaction you see, and every choice you make. It is Neo's red pill. When Cypher understood the horrors of the real world, he wanted to go back. The laws of nature say it's impossible.

Sometimes a coincidence is a coincidence. The other day when I went home, I was thinking about food, and I took the personal responsibility to skip the fast food and go to the grocery store. I then skipped the junk and loaded up on produce and meat. As I'm approaching the checkout line, I observe a situation that I can't help but view through this frame. I see the police and the store manager dealing with an elderly man. This man had been abusing the staff. I don't know what his life is like. What I do know is some of the staff are afraid of him. He had been abusive. I don't believe this was warranted. He made a choice to take his issues out on the staff. He was then banned from every one of this chain's stores in the state. He thought it was unfair, and he made a stink about it. The parallels between this and security professionals who abuse their users are all too common. They call their users stupid. They take punitive actions against uneducated users. They rail against the decisions of the business and those who make those decisions. Then they get fired. And it's the shitty company, it's the whiny users. It's the underinvestment in technology. It is everything except their own behavior. Even worse is when that behavior isn't addressed until someone goes to HR. Management is then forced to find a replacement, and the bad blood towards security was left to sit that much longer.

Even when we deal with environments like that, our good work puts a shine on the most important asset we have. Our name. And everything that our name carries with it. In bad environments especially, take the responsibility to make yourself stand out by contrast. It will be noticed.


@infosec_samurai

Nobody wakes up one day and is a fresh Information Security professional. There is an idea that you can follow a specific path and get here. There are many paths to becoming an Infosec Pro. This doesn't mean a rockstar or hero. An Infosec Pro is someone who does Infosec for a living. To get here, you will have to face trials. Ask any Infosec Pro, and they will tell you their history is littered with challenges, strife, and undocumented networks. While all of Infosec shares the common history of these trials, they are as individual as the people who slogged through them and persevered to be Infosec.

My first job in IT was in a call center that managed the guest wireless experience in over 2000 hotels. The call center had no real visibility into the environments, and we had to try to talk the user through their issues on the phone, at the mercy of their ability to describe their problems in a technical fashion. Hotels underfunded their networks and let us be the bad guy when people couldn't connect. These were the hotels and nationwide chains that charged under $100/night. We had a few nicer hotels, but their gear worked and the wireless network was properly signal mapped (this was in the days of G, no G+, and certainly no N - some hotels still had B wifi). I moved from level I to level II support in three months, earning agent of the month and agent of the quarter status more than once. However, there was no difference in treatment or pay between the people who took 30+ calls a night and those who took 5 calls. Management expected the turnover, but were still whiny, as if those leaving for greener pastures had betrayed them. In an environment like this, you either learn to work with people, or to maim people, or you lose faith in humanity and end up working the fry station at a Burger King.

Halfway through my time at Grist Mill Enterprises, I took a second job doing similar support and engineering for a business that did wifi in non-major-franchise coffee shops. The router/firewall combinations were advanced and capable for such small devices, but the GUI was simply a more visual CLI. You needed to understand the way it handles its rules and routing. This hardware was commonly used by smaller ISPs. The customer support was easier. The engineering challenges were harder, and I had no guidance. Like many small businesses, it failed, as sales wasn't selling (a recurring theme in my career).

This was a stretch where I was putting in 60-80 hours working, and going to school full time. It sounds hard, but with no family or significant other, it wasn't impossible. It was a learning opportunity, and the beginning of understanding how culture affected the ability to get things done. A negative culture someplace pervaded the attitude of everyone. Even the highest performing people would be worn down, or leave for something better, be it money or environment. The irony was that bosses who treated their staff as expendable always got upset, as if there was some great betrayal when someone left, as if they should have stayed a beast of burden until it was time to turn them into steaks. The worse they treated people, the bigger the explosion and cries of Judas.

And then 2008 happened.

I spent time bouncing between short term contracts since no one wanted FTEs (full time employees) on the payroll. I did side work, and at times my income was low enough to qualify for unemployment // underemployment benefits. I learned Contract to Hire meant Contract without the contract pay rates (the carrot on the stick is made of wax). I learned that when you are getting started, certifications do matter - anything to differentiate yourself. I learned that in a seller's market, any promise of loyalty from a contracting company is worth less than a half-eaten saltine. I kept my nose to the grindstone, working for small to mid size IT service companies, major retailers both online and brick and mortar, and worked as an independent repair consultant, while doing side work for the coffee shop people.

Then I landed at a major ICS manufacturer, working in the SOC. This was the first job with Security in the title. Working for a worldwide company as a SOC analyst, you get a diverse view of the world. I had to learn to work with not only different people in isolated business units, but with people in cities all over, on nearly every continent, language barriers and all. There were many lessons:

  • You speak to people in Brazil versus Argentina very differently, both in tone and attitude (and language, of course).
  • Chinese engineers have as much worry about the NSA as Americans do about APT 1 and 3.
  • Almost nobody wants more than a minimal presence in Russia.
  • Indian IT has a hierarchy that nearly mirrors a caste system.
  • Everyone targets offices in Dubai and the UAE. Everyone.
  • If you have to deal with foreign tech support, do it very early or very late. If you are lucky you get Malaysia. They speak better English than most Americans, and strive to be helpful.
  • Bureaucracy is bureaucracy is bureaucracy. Everyone, everywhere deals with it. It simply differs in type.
  • For all business classifications, lots of places deem Israel as European. Hence EMEA (Europe, Middle East, Africa). Lots of land, small quantity of time zones (comparatively).
  • In big enough environments, the various security teams are isolated from each other, and especially from other IT teams. This creates tension.

Here I had some great teammates and mentors, and I had people who were all that is wrong with Infosec. You learn to deal. I also learned to deal with people all over, and really started applying my knowledge of culture in IT and Infosec, and how it affects perceptions. I was able to get things cleaned up, and get resolution from groups others merely let sit as a repeat annoyance, because "those guys are just <derogatory comment> and their part of the environment will never be clean." Why do they behave a certain way? What do they have the power to do? How can I help augment that power? If I do more legwork, can I make their job easier?

When you need to use someone in another country whose language you don't speak, and they don't speak English, who has far less technical acumen than you, to hunt down a problem on a system you have never seen, in a location you will never go, in the hands of a user whose culture causes issues, and you succeed, it sends a message of reliability, and that together we can actually fix the issues we face. Suddenly you and this person aren't different. You are a team getting the job done. That is the ultimate foundational building block - the same blood in the same mud, and you succeeded. When you internalize that, everything becomes possible.

In most cities, there's that handful of employers who, once they are on your resume, open every door in the market. Suddenly, companies that wouldn't return my calls had recruiters calling repeatedly. It was a night and day shift. This led to another opportunity at a mid-sized firm, which I eventually left to get to where I am now, coming up on three years. Those lessons of culture, and common successes, have been the cornerstone of what I've helped build at my current employer. Difficulties are minimal across teams, and very rarely due to personality issues anymore.

What does all this mean? Despite most major talking heads in the industry having followed nearly identical paths into Infosec (military/3 letter agency into private enterprise), their path isn't the only one. It's great for specialists. We generalists come up very differently. Try everything. Learn your passion. The path isn't supposed to be straight. And above all, learn how to deal with people, their frustrations and their passions. Your users should be your biggest allies.

Only if you put in the work.

@infosec_samurai