Oct 18

Riverstone’s Fall 2014 class outing!


2014 Fall training class outing. Even had the President of the ISSA-NoVa chapter stop by to talk to the class. (Thanks again Alex… and that’s an awesome pose! Hahaha!) Lots of connections, lots of fun! The infosec/hacker world better be watching out for this group. I’m personally teaching this course so for those recruiters and companies that are familiar with my training program, you are really going to want to grab these folks ASAP! This is a group full of free thinkers and IT rebels!

– mind.

Oct 18

BIG NEWS: Announcement of an open source test engine

So in our efforts to continually grow our free training capabilities and support, The Riverstone Project team has decided to create a free open source testing engine that everyone and anyone can use to take and create custom-made exams.  The first edition of this testing engine should be available within the next two weeks!  We will work on adding more functionality and platform compatibility in later versions.  We are extremely lucky to have Greg “Big-G” developing this tool.  And best of all, he is doing this project out of pure kindness…  that’s right, FREE!  He is an incredible programmer (amongst his many other IT talents) and is a huge supporter of the Riverstone Project.  Please welcome him to the Riverstone family!  The Riverstone Project would like to thank Greg for all of this and we encourage our students and sponsors to make use of the tool!  Stay tuned for the latest news and download of the new Riverstone Project test engine!

– The Riverstone Project Team

Sep 24

Who’s Asking the Tough Security Questions?

$p!k3 and mind.


Picture this scenario:  you, your spouse, and family are standing in front of your recently completed home.  You spent years saving, planning, and building the home of your dreams.  As the sun sets on the first day in your new home, your smart-aleck kid asks, “How do I turn on the lights?”  Just then you realize you didn’t install any electricity in the home of your dreams… now turned nightmare.  This is exactly what has happened to many project managers, acquisition managers, and/or developers when it comes to information security.


You spend months, sometimes even years, planning, designing, developing, and deploying the business solution that will save the organization loads of money and make you a star, only to find out, hopefully from someone within the organization and hopefully not from an outside attack, that you did not plan for the security of the information and/or the information system.  An example of this happened at a government agency recently.  I will speak very generically about this to protect all involved.  An application was deployed that solved a legitimate business need.  It had a good number of users and worked well for approximately one year.  Employees of the agency then started to report an unusual amount of identity theft issues.  Investigators traced the source of these issues back to this application.  Users had personal information, including their bank account information, compromised, which caused numerous fraudulent transactions.  Once the agency discovered this problem, the application was taken offline, security was added, and they re-implemented the application while looking for a replacement.


So what’s the problem with adding security later in the process?  Well, let’s go back to the house scenario… imagine the cost associated with running electricity to a house that is totally completed: installing the electrical panel, running the electrical lines from the panel to every room, fixture and outlet, tearing out drywall, making holes in the studs and the joists, wiring, installing the fixtures and outlets, and finally reinstalling/repairing drywall, and painting.  The extra time and labor costs would be enormous.


Like the home scenario, reprogramming an application or system will set the project back in both money and time, essentially sending you back to the drawing board.  For example, imagine trying to retrofit security into an application’s code.  You would need to work through the SDLC all over again, but this time with security in mind.  This means creating security feature requirements, analyzing security best practices, reviewing the attack surface, running through threat modeling, and you haven’t even started to think about manual code reviews, code scanning tools, pen-testing, etc.  Considering that you basically have to review the entire application from scratch and purchase security development tools, the cost would obviously put you over your initial project budget, if you hadn’t already surpassed it…  not to mention the time involved in fixing the problem.  And we all know that time = money!


So obviously, like electricity in the house, information security must be included in the planning process, but whose responsibility is it and exactly how do they go about including it in the system development lifecycle (SDLC) of a system or application?  First, let’s start with the “who” problem.


You would hope that anyone requesting a new piece of hardware or software (system) would be concerned about the security associated with that system, but in a normal situation, individuals rarely are so knowledgeable; they just want to improve their business performance by purchasing the new system.  When the requested system gets a project manager, surely they would know and ask about the system’s requirements for security; but sometimes they do not.  After the assignment of a project manager, hopefully an Information System Security Officer (ISSO) is designated, and they would require security to be included in the SDLC.  Next, if there is code development required for your system, the developer should be versed in and use secure coding practices in addition to any of the security requirements that are identified for the system, but in most cases, if it is not written in the requirements document or statement of work, security is overlooked.  If the developer doesn’t ask for security, the last line of defense may be the acquisition officer.  Chances of that person adding security requirements are better if they are from the new school (versus the old school), but how often is that the case?  If that does not happen… basically you’re screwed.  Call the electrician and start ripping out the walls.


Now for the $64,000 question: how is security included in a new system?  That answer is easier than you think.  Ask for it.  Require it.  As mentioned above, someone has to include it in the requirements statement from the very beginning.  Whatever bells and whistles are required to satisfy the business need of the requesting business function, don’t forget to include security.  What?  You don’t know how, what to ask, or what to include?  Well, that answer isn’t too difficult either.  The National Institute of Standards and Technology (NIST) has done all the research for you.  They have documents that cover just about every aspect of technology and the secure deployment of that technology.  (NIST Special Publication list)  If you want the full list of security controls that need to be included in a system, see SP 800-53 rev. 4.  If you want to review how to include security in the SDLC, then review SP 800-64 rev. 2.  Other important documents to aid you in the development of a new system are the risk management framework guide, SP 800-37, and the guides to deploying a web server, email server, firewall, wireless solution, and even the hot issue of mobile devices (in draft).  See the links included.  I think you get the picture.


Speaking of pictures, now picture yourself sitting in front of the CEO of your company, or in front of the executive director of your agency, answering questions about an information security breach.  Hopefully, those questions are about how your system was the only one in your organization that did not have information compromised.  You will be the star of the organization, an example of how security should work.  Otherwise… we don’t want to even think about that alternative.


So take some time to analyze the security of the systems within your organization.  Is there security in place?  Do the users have access to only what they need in order to accomplish the mission?  More importantly, are they restricted from what they do not need to know? Remember Wikileaks?  Are there any new systems coming online?  Is security included in every step of the SDLC?  Is there an ISSO?  Do they know what they are doing?  These are just a few of the questions that need to be asked.  Is someone asking them?  You can ask them!


$p!k3 and mind.

Sep 16

The days of “NO!” are long gone… or they should be!


mind.

I am involved in a lot of meetings with executives and other IT professionals and before any actual productivity occurs, I have to spend time convincing everyone that the sky isn’t falling in on our information and information systems.  After everyone is settled and the meeting begins, the mere mention of BYOD, the cloud, shadow IT, or wireless brings about a very strong response of “oh, no, those technologies are extremely dangerous, they should never be implemented in this environment.”  What?  I can understand, somewhat, how a non-IT-savvy executive might say this, but from IT professionals, that should never happen.  New technologies and innovations should not be shunned or kept out of organizations that would most likely profit (or at least increase their profit) by implementing them.  Where is this coming from?

Let’s clear some things up.  First, the IT industry has spent the better part of the last 20 years promoting cybersecurity through scare tactics.  Media outlets thirst for a breach, any loss or even potential loss of information, and they splash it in the headlines.  Reporters try to make a name for themselves by finding a story and over-sensationalizing it.  Even though the mainstream IT industry has only been around for the better part of 20 years, there are still naysayers that want to tell us how bad it is.  Now, after so many people have become the victims of data loss and identity theft, we have reached a point where most people have at least some idea of, or are somewhat concerned about, the security of their information.  However, these scare tactics also worked on our IT security folks, and they pounded down the security Kool-Aid.  It still surprises me how many IT professionals say “no” to new technologies without the slightest hesitation.  How did this happen?  Well, if you cry wolf long enough…

One problem is that we no longer look at the benefits of emerging technologies.  We immediately jump to “it’s so dangerous.”  Well, I’m here to say STOP IT!  Stop freaking out your IT security folks.  It is probably making you LESS secure.  Let me give you an example: I recently walked into an environment where pen-testing was a no-no.  I understand that pen-testing is not always the best solution for every environment; however, this was not one of those situations.  Even though it was something the organization could have benefited from, you could not mention it without the security folks or management turning 18 different shades of green.  The result of the effort: no pen-testing allowed and… continued vulnerabilities and risks to information and information systems.

What about the ol’ “that’s how we’ve always done it here?”  Um… then change.  Nuff said!  Just because it has not been done a particular way before does not justify sticking with an insecure process.  We get a lot of this from the “old schoolers.”  So my statement to you “old schoolers”: get with the program or get replaced.  Your VCR has been blinking 12:00 since you bought it, but the rest of us have been using video-on-demand for a while now.  If you want to stay relevant, embrace what is happening today.  It is usually more effective, more efficient, cheaper, and easier.  Stop being so darn stubborn, mom!  (But seriously mom, replace the VCR.  I love you.)  Someone has to lead the way.  IT professionals have to push these innovations to continue our progression forward with as much force (if not more) as the “old schoolers” are pushing back.  Someone has to do it, and there are many examples in the IT industry of those that have pushed and pushed innovation until “society” changed: Bill Gates, Steve Jobs, and the rest of their contemporaries come to mind.

Look, every new technology has issues we need to deal with, and I am with the “old schoolers” in the fact that we cannot just implement new technology without facing those issues, especially regarding security.  So face them.  Security is one of the major issues today.  We cannot hide our collective heads in the sand and hope the technology goes away.  The fact is more security equals less productivity, and vice versa.  We need to find a balance.  Yes, I do believe we still need to say “no” sometimes, but only after a detailed analysis has been undertaken.  Let us actually look at the security risks, especially in the analysis phase of the system development lifecycle (that is the subject of another paper), find the best controls, and embrace what is going to eventually come anyway.  Educated IT professionals can either be the ones finding the solutions to the problems, or we can continue to perpetuate the problem.  BTW, isn’t security all about a risk-based approach?  So ask yourself: does this new technology make the mission more effective, more efficient, less expensive, and can we implement it in a way that will not compromise the confidentiality, integrity, or availability of our information or information systems?  If so, then maybe you should consider the option of first looking at how the new technology can be implemented in a secure fashion while still accomplishing the goal of improving efficiency and/or lowering costs.  Trust me, it will keep you and your organization relevant and reflect forward thinking.

Don’t know how to say “yes?”  Well, tap into the great minds of others.  Google uses a wireless network, so maybe your organization should google Google.  Or find some of the Ron Ross types of the world who are innovative and forward thinking.  A perfect example would be NIST’s SP 800-160 (still in draft) on creating new trustworthy and resilient systems.

Oh, and btw… those “dangerous hackers”, well they ARE using new technologies and they know you aren’t.

mind. and $p!k3

Nov 27

A story from our founder Casey

Everyone, I want to share a story with you about an experience I had last year. I hope you find the time to read this and I hope you share this story with as many people as you can. As many of you know, I started The Riverstone Project in 2001 to help people, and though I have seen a lot, this one crushed my soul. While delivering food and clothes to the homeless last year, we came across a women’s shelter. They were so full, they had to turn people away. They let us come in to hand out clothes and food. Now this next part was one of the worst things I ever had to experience: A young girl, about 12 or 13 years old, came up to me right when I ran out of items to give out. In a very sweet and soft voice she said “Excuse me mister, I don’t mean to be impolite but I noticed that you were giving away some clothes.” I replied “Yes, we are just trying to help out a little”. She then said: “Would you happen to have any underwear? I won’t bother you for anything else mister.” Since I had just given away the last piece of clothing I had, it hit me so hard. I had to tell this sweet young girl “I am so very sorry dear. We ran out of everything”. She then replied “Oh that’s ok mister. It’s no big deal. Thank you for helping everyone. May God bless you.” I then asked one of the other guys to take over because I didn’t want to face this little girl as my tears started to fill my eyes. I went outside, away from everyone so that I could cry without being noticed. All this poor soul wanted was a pair of underwear. Just the thought of this moment still brings tears to my eyes. Think about it. Have you ever been so bad off that you had to ask someone for underwear? Imagine what that must feel like to be 12 years old and not have anything… not even basic under clothes… and to have to ask someone if they could give you a piece of clothing that is so personal. How embarrassed would you be?
Now imagine telling someone who mustered up the strength to ask for underwear “Sorry, I can’t help you”. It hurts me deeply to do this every year. I don’t have the emotional strength to do this. But every year, I try to be strong… to face what I know is going to be devastating for me to experience. Please, think of these people this year. Say a prayer for them. They don’t have anyone. They feel forgotten. But it’s their holiday season too. Please join me and the rest of the Riverstone Project volunteers (if you can) this Thanksgiving so that the homeless know that they are NOT forgotten. Maybe this year will be the year we can say “yes” to an innocent child in need. If you can help us with donations, clothing, food, or your time please contact us via our “Contact” page.

Thank you for your time and I wish all of you the very best this holiday season from the bottom of my heart.

Founder and El Presidente of The Riverstone Project
Casey

