
The following excerpt is from The Five Dysfunctions of a Team: A Leadership Fable by Patrick Lencioni.

I wonder how many of you recognize traits like these on your own team(s), past or present. I can certainly point to these as being core reasons various teams I’ve been on or led have been ineffective and unsuccessful. The book seems like a good, short read, too.

  • Dysfunction One: Absence of Trust

    When team members do not trust one another, they are unwilling to be vulnerable within the team. It is impossible for a team to build a foundation for trust when team members are not genuinely open about their mistakes and weaknesses.

  • Dysfunction Two: Fear of Conflict

    Failure to build trust sets the stage for the second dysfunction. Teams without trust are unable to engage in passionate debate about ideas. Instead, they are guarded in their comments and resort to discussions that mask their true feelings.

  • Dysfunction Three: Lack of Commitment

    Teams that do not engage in healthy conflict will suffer from the third dysfunction. Because they do not openly surface their true opinions or engage in open debate, team members will rarely commit to team decisions, though they may feign agreement in order to avoid controversy or conflict.

  • Dysfunction Four: Avoidance of Accountability

    A lack of commitment creates an atmosphere where team members do not hold one another accountable. Because there is no commitment to a clear action plan, team members hesitate to hold one another accountable on actions and behaviors that are contrary to the good of the team.

  • Dysfunction Five: Inattention to Results

    The lack of accountability makes it possible for people to put their own needs above the team’s goals. Team members will focus on their own career goals or recognition for their departments to the detriment of the team.

A weakness in any one area can cause teamwork to deteriorate. The model is easy to understand, and yet can be difficult to practice because it requires high levels of discipline and persistence.

By now, many non-IT and non-Security folk have heard of Firesheep, a tool written by @codebutler which allows anyone using Firefox on unprotected networks to capture and hijack active sessions to popular social media sites (and other web sites). The sidebar/extension puts an attractive and easy-to-understand GUI over a process that “real” security people have been using for as long as there have been http-based sessions.

I’ve been using Firesheep quite a bit in non-echo-chamber demos to help illustrate some of the core issues facing enterprises and individual users. A big question that comes out of each demo is “what can I do to safeguard my access to Facebook?”. I provide quick guidance on-the-spot to interested individuals and wanted to share what I communicate to them here both to help a broader audience and get feedback on other steps users can take to safeguard their connections.

General Guidance

The first action I tell users to take is an anti-action: if at all possible, never use free/unsecured Wi-Fi connections. While there are ways of grabbing sessions and other data on wired or secure Wi-Fi networks, the means to do so are beyond the capabilities of most Firesheep users. The danger is still present and you should always consider how much you trust the network you are on when accessing anything on the Internet, but the risk is greatly diminished.

If users are unable or unwilling to follow that first action (and even if they do avoid insecure networks) I then instruct them to ensure that all services they access always use https (SSL/TLS), which encrypts the communication and prevents tools like Firesheep from working. It still – much like the first action – doesn’t stop determined & skilled attackers.

I then caution users on smartphones and tablets to also make sure any applications they use also communicate over SSL. This is far too easy to overlook and can leak data just as easily as a web browser. Tablet & smartphone users can also switch to only using 3G connections to make it that much more difficult for others to eavesdrop.

Finally, I suggest using a virtual private networking (VPN) service such as PureVPN to secure all their connections – not just browser sessions – on public networks (secured or otherwise). SSL/TLS connections are potentially susceptible to what is called a man-in-the-middle (MITM) attack [SANS Reading Room (PDF)] and one way to mitigate that threat is to use a VPN to secure all network communication using a more robust/holistic solution. PureVPN (and other, similar good services) are not free, but $5.00-10.00 USD per month is not much to pay for personal data security on-the-go.
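The “always use https” advice above has a checkable counterpart on the service side: a session cookie that is sent without the Secure attribute travels in cleartext the moment the browser makes any http:// request, which is precisely what a passive sniffer on an open network collects, and a site without Strict-Transport-Security never tells the browser to stop doing that. The following audit script is an added example, not code from the original post or from Firesheep; the header samples, the cookie-name hints and the minimum HSTS max-age are constructed assumptions for illustration.

```python
# Added example (not from the original post): audit captured HTTP response
# headers for the two things the guidance above asks of a service, namely that
# session cookies are never sent over plain http:// (the Secure attribute) and
# that the site instructs browsers to stick to HTTPS (Strict-Transport-Security).
# Sample headers below are constructed for illustration.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumption: cookie names containing one of these fragments carry a session.
SESSION_NAME_HINTS = ("sess", "sid", "auth", "token", "login")
# Assumption: an HSTS max-age shorter than this (180 days) is treated as weak.
MIN_HSTS_MAX_AGE = 180 * 24 * 3600


@dataclass
class CookieAudit:
    name: str
    secure: bool
    httponly: bool
    findings: List[str] = field(default_factory=list)


def parse_set_cookie(header_value: str) -> Tuple[str, Dict[str, str]]:
    """Split one Set-Cookie value into the cookie name and its attributes
    (attribute names lower-cased; flag attributes such as Secure map to "")."""
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, _value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def looks_like_session_cookie(name: str) -> bool:
    lowered = name.lower()
    return any(hint in lowered for hint in SESSION_NAME_HINTS)


def audit_cookie(header_value: str) -> CookieAudit:
    """Flag a session cookie that a cleartext connection or page script could expose."""
    name, attrs = parse_set_cookie(header_value)
    audit = CookieAudit(name, secure="secure" in attrs, httponly="httponly" in attrs)
    if looks_like_session_cookie(name):
        if not audit.secure:
            audit.findings.append(f"{name}: session cookie lacks Secure, so it is sent over http:// too")
        if not audit.httponly:
            audit.findings.append(f"{name}: session cookie lacks HttpOnly, so page scripts can read it")
    return audit


def parse_max_age(hsts_value: str) -> int:
    """Return the max-age directive of a Strict-Transport-Security value (0 if absent)."""
    for directive in hsts_value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.strip().lower() == "max-age" and val.strip().isdigit():
            return int(val.strip())
    return 0


def audit_response(headers: List[Tuple[str, str]]) -> List[str]:
    """Audit (name, value) header pairs as returned by http.client or a proxy capture."""
    findings: List[str] = []
    hsts = None
    for hname, hvalue in headers:
        lname = hname.lower()
        if lname == "set-cookie":
            findings.extend(audit_cookie(hvalue).findings)
        elif lname == "strict-transport-security":
            hsts = hvalue
    if hsts is None:
        findings.append("no Strict-Transport-Security header: a browser that starts at http:// "
                        "is never told to use HTTPS on later visits")
    elif parse_max_age(hsts) < MIN_HSTS_MAX_AGE:
        findings.append(f"Strict-Transport-Security max-age={parse_max_age(hsts)} is shorter "
                        f"than the assumed minimum of {MIN_HSTS_MAX_AGE} seconds")
    return findings


# Constructed sample captures: the first resembles a site with SSL left off,
# the second the same site with the recommended settings in place.
INSECURE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/"),
    ("Set-Cookie", "theme=dark; Path=/"),
]
SECURE_HEADERS = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "theme=dark; Path=/"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
]

if __name__ == "__main__":
    for label, headers in (("insecure", INSECURE_HEADERS), ("secure", SECURE_HEADERS)):
        print(f"{label}: {audit_response(headers) or ['no findings']}")
```

Feed it the response headers of the login page and of any page visited after login; a finding on the session cookie means a Firesheep-style capture on an open network would still work regardless of what the user typed in the address bar, which is why the advice to the user and the fix on the service go together.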

The Elephant In The Room

For some reason, even with that general guidance, the whole concept of someone hijacking their Facebook account really scares folks and many end up asking specific questions on ensuring their Facebook access is protected. This usually involves walking them through how to check to see if SSL is enabled by Facebook’s service and also how to monitor access to their Facebook account.

Unsurprisingly, Facebook does not make setting SSL as a default an easy task. It’s unintuitively not under any “privacy” settings. Instead, you need to navigate down to account settings and poke around to get to the right areas. The screen captures below show the navigation sequence. You’ll notice that this account does not have security enabled since it’s the one I use for demos (I do not have a personal Facebook account).

Getting to Facebook Account Settings

Location of Facebook Account Security Settings

Facebook SSL Settings

You’ll also notice that you can have Facebook send you an e-mail when there is an access to your account from an unknown device and also review recent activity on your account. This gives you the ability to be in control as much or as little as you desire.

Homeward Bound

I usually close with guidance on securing your home Wi-Fi network. Many users still have an aging 802.11b/g router that barely does wired-equivalent-privacy (WEP) security. Even newer Wi-Fi equipment with Wi-Fi Protected Access (WPA/WPA2) may not be enough, as you or someone else in your house most likely hand out the access password to any guest you allow in the residence. Any malware on their systems now has the potential to infect other systems on your network and you have also given the keys to your local security to someone you may not fully trust. Many of the newest Wi-Fi access points – such as Apple AirPort Extremes and Netgear N[3|6]00s – provide the ability to set up both a protected internal network and as open a guest network as you want. I still suggest ensuring that the guest network be secured as you may be liable for any actions taken from your network (protected or otherwise).

Highway Safety

Being safe[r] on the Internet is much like being safe[r] when driving a car. You need to make sure the fluids are at the right levels, that the tire pressure is sufficient for the driving conditions and that you wear your seatbelt before leaving the driveway. If you don’t regularly perform those tasks you run the risk of significant problems out on the road. You need to get in the habit of doing similar checks when navigating in potentially dangerous network territory as well. It doesn’t help that Facebook cares not a whit about your privacy or security and will seemingly randomly change your settings if it benefits them (or if they are just their usual incompetent selves). Want proof? You have to be diligent in the maintenance of all Internet security settings to ensure your consistent, personal online safety.

If anyone is experiencing the “Are you sure…” problem when trying to upload media to your WordPress blog, it’s usually due to a wonky plugin. In my case it was “Google Analytics 3 codes for WordPress”. Hopefully this helps others who are searching for a resolution to the problem.

You were right… (UPDATED with PK talk appearance)

Speaker: Jennifer Bayuk

 

Based on work for Stevens Institute of Technology.

How do professional systems engineers work?

History:

  1. Mainframe
  2. physical security (punch cards)
  3. cables to terminals
  4. network to workstations (some data moves there & on floppies) *spike in misuse & abuse
  5. modems and dedicated links to external providers/partners
  6. added midrange servers (including e-mail)
  7. added dial-back procedures to modem
  8. e-mail & other issues begat firewalls
  9. firewalls begat the “port 80” problem
  10. modems expanded to the remote access issue
  11. remote access issue begat multi-factor auth
  12. then an explosion of midrange begat more malware
  13. internal infestation from web sites & more e-mail
  14. added proxy servers
  15. made anti-virus ubiquitous
  16. kicked in SSL on web servers that now host critical biz apps
  17. (VPN sneaks in for vendors & remote access)
  18. more customers begat identity management
  19. increasing attacks begat IDS
  20. formalized “policies” in technical security enforcement devices
  21. now we have data & access everywhere, begets log management
  22. data loss begat disk encryption on servers & workstations
  23. increasingly common app vulns begat WAFs

 

Reference: Stevens Inst. “systems thinking”

Use systemogram to show what systems are supposed to do (very cool visualization for differing views of “security systems thinking”)

applied that systemogram model to a real world example of Stevens’ school computer lab

 

Shows the “Vee Model” (her diagram is more thorough – GET THE PRESENTATION)

 

Advantages of this approach include:

  • Manage complexity
  • Top-down requirements tracing
  • Black box modeling
  • Logical flow analysis
  • Documentation
  • Peer review
  • Detailed Communication

Must advance and move beyond threat->countermeasure insidious cycle.

 

Traditional requirements process involves gathering functional requirements, interface definition and system-wide “ilities” – need to get it in before the interface level (high-level “black box”)

The major vulnerabilities are at the functional decompositional level

Many security vulns are introduced at the interface level as well

Unfortunately, it’s usually put at the system-wide level (as they do with availability, etc.)

 

What Do Security Requirements Look Like Today?

  • Functional – what is necessary for mission assurance
  • Nonfunctional: what is necessary for system survival
  • V&V: what is necessary to ensure requirements are met

 

V&V: Verification: did we build it right? Validation: was it built right? (akin to correctness & effectiveness)

There are more similarities than system architects really want to believe or understand.

 

Much of security metrics are really verification vs validation

 

Validation Criteria

  • content
  • face
  • criterion
  • construct

Speaker: Jared Pfost (@JaredPfost)

Framing: IT Security Metrics in an Enterprise

 

If metrics are valuable, why aren’t we measuring them? Virtually no research on them.

 

The Chase

  • Measuring metric program maturity would be easy, but not valuable
  • Metric programs aren’t a priority for enough CISOs for a benchmark to matter
  • Additional proof needed: correlate maturity and losses

Bottom line: which metrics impact actual loss?

 

Make a Difference?

  • Metrics don’t matter to enough people
  • Results would not inspire action
  • We need benchmarking to communicate security posture, key attributes of effective controls and hold control owners accountable with visibility

 

When you provide visibility into the efficacy of your environment it drives behaviour. (Even if it’s not necessarily the behaviour you wanted…at least they make a risk-based decision)

 

Metrics are too hard to get now :: get vendors to improve metric reports

 

Actions

  • Reactive: anytime a loss occurs, measure metric maturity (relevant to root cause)
  • Proactive: ITPI-type measurements needed; require metrics to be defined before budget approval
  • Good example: @Tripwire’s “Cost of Compliance”?

 

It’s crucial to effective compliance initiatives to have solid, real metrics that define program success.

 

UPDATE – 2011-02-26: Alfonso has posted his slides and BeeWise is open!

Speaker: Alfonso De Gregorio

How do we build a future in software security?

 

/me: the slides that will be posted have a ton of detail that Alfonso sped through. you’ll get a very good feel from them

 

Metrics are the servants of risk management and RM is about making decisions

we have incomplete information about # & severity of vulns

software products are highly defective and have no accountability

 

Bugs & Carrots

discussion around what software vendors are incented to do/why

features > security

bug fix > vuln fix

time to market > test/verify

 

M&Ms

(Markets & Metrics)

we need to put a cost on the software flaws with laws/regs & change in liability models

create feedback mechanisms (/me: open group work on security architecture?)

 

investment metrics to-date have challenges, especially in severity and probability of events

market-based metrics would provide a different context (e.g. stock market pricing)

create an infosec security market?

  • bug challenges
  • auctions
  • vuln brokers
  • infosec insurance
  • exploit derivatives

 

info function / incentive function / risk balancing function efficiency – all factors in creating a vulnerability market

/me: make a table with bullets above as rows and factors list as columns to do a comparison

suggests an Exploit Derivatives market (future’s contracts for vulns)

[side-talk: discussion about derivatives vs futures and how the profit incentives may be conflicting]

[side-talk: why would this make software companies pay attention to what seems to be a market that only makes speculators rich?]

[side-talk: is this legal? can we get this baked into contracts?]

[side-talk: degraded convo down to responsibility of software companies]

[side-talk: interesting analogy to the airline industry needing to be in the oil futures market to software companies needing to be in this potential vuln/exploit market]

another example is weather derivatives

 

cites two examples of how prediction markets can incent change

cites tradesports.com and a FIFA prediction market