Stratigos CEO quoted in Vox

January 10, 2020

Stratigos Security Founder and CEO, Beau Woods, was quoted in a Washington Post story, The US killed Soleimani. What will Iran do next?

In the medium term, Iran may try to disrupt the US election in November, Woods also noted. Tehran has already shown an ability to interfere in America’s democracy.

Stratigos CEO Mentioned in Washington Post

August 8, 2019

Stratigos Security Founder and CEO, Beau Woods, was mentioned in a Washington Post story, Hackers are going after medical devices — and manufacturers are helping them.

“Medical devices are lifesaving and life preserving, but they also can have flaws that could put someone’s life at risk.”

Beau Woods, Founder and CEO

Stratigos CEO mentioned in Washington Post

May 28, 2019

A tweet by Stratigos Security Founder and CEO, Beau Woods, was referenced in a Washington Post story, Security pros divided over NSA’s responsibility for Baltimore hack.

Stratigos CEO quoted in The Verge

April 4, 2019

Stratigos Security Founder and CEO, Beau Woods, was quoted in a Verge story, Health Care’s Huge Cybersecurity Problem.

“If systems are disrupted over the internet, by an adversary or an accident, that can have a profound impact on patient care.”

Beau Woods, Founder and CEO

Stratigos CEO joins Council on Foreign Relations panel

January 17, 2019

Stratigos Security Founder and CEO, Beau Woods, joined a panel discussion at the Council on Foreign Relations, titled Hacking and the Internet of Things. Woods appeared alongside Niloofar Razi Howe, Former Global Chief Strategy Officer, RSA Security LLC, and Robert K. Knake, formerly with the US National Security Council, moderated by Craig Timberg, National Technology Reporter, Washington Post.

Stratigos CEO featured in Council on Foreign Relations podcast

June 2, 2017

Stratigos Security Founder and CEO, Beau Woods, sat down for a podcast with Micah Zenko, from the Council on Foreign Relations. Listen now: The Need for New Cyber Thinking: A Conversation with Beau Woods

Top Technical Mitigation Strategies (from the Australian DSD)

June 2, 2015

There are few solid pieces of empirical evidence on what works in security. The Australian Defense Signals Directorate (DSD) Strategies to Mitigate Targeted Cyber Intrusions is one of those. We at Stratigos Security think a lot of what they do. So does just about everybody else who has come into contact with the documentation.

This post examines some of the document’s assumptions and their implications, and offers a conceptual framework for understanding it better. Let’s start with some of the stated background and assumptions.

  • Investigation based – That the mitigations are a result of analysis of investigations carried out by the DSD, primarily in the government sector.
  • Adversary focused – That the mitigations are meant to counter adversarial attack.
  • Targeted attacks – That the adversaries are motivated to target the victim organization, specifically.
  • High value information – That the adversaries’ objective is to steal intellectual property, national defense secrets, or other highly sensitive documents.
  • Exhaustive application of mitigations – That mitigations will be applied to 100% of systems, not just a subset.

There are 35 mitigations listed in total, almost all of which are specific technical controls. At Stratigos Security we like to bundle technical controls into a higher-level framework. This is more digestible for our clients, and it allows for a better understanding of why these mitigations work. That understanding is the key to long-term success in the design, implementation, operation, and maintenance of a security program.

Stratigos has aligned most of these mitigations to a few core objectives. In doing so, we seek to harmonize them so that each builds on the others. The set as a whole works much better than the sum of its individual parts. Our objectives follow, each with examples of mitigations drawn from the DSD document.

  1. Execute only trusted code – Authorized software packages, components, and functions are defined and enforced.
    • Whitelisting
    • User application configuration hardening
    • Restrict administrative privilege
    • Workstation and server configuration management
  2. Ensure code is trustworthy – Software is free from known defects.
    • Patch applications
    • Patch Operating System vulnerabilities
  3. Ensure trusted input – Information and commands are legitimate, meaningful, and non-malicious.
    • Host and network firewall
    • Email and web content filtering
    • Education and awareness
  4. Manage access – Access proceeds only through known mechanisms, which validate authorization and identity.
    • Multi-factor authentication
    • Enforce a strong passphrase policy
  5. Contain failure – Security failures in one system or network segment do not affect other systems or segments.
    • Network segregation and segmentation
    • Anti-Virus
    • Host and network IPS
    • Operating System generic exploit mitigation
  6. Eliminate anomalies – Causes of unknown and unexpected events are identified and eliminated, as appropriate.
    • Logging of successful and failed system events
    • Logging of successful and failed network events
    • Capture network traffic

Astute readers will notice that there is a large gap between the objectives and the underlying mitigations. The mitigations are tools, or supporting technologies, that help achieve the objectives, but they do not by themselves ensure the objectives will be achieved. This underscores one of the major mistakes most organizations make when they set out to implement such a set of mitigations. It’s worth going back to the background and assumptions and identifying some of their consequences. Of course, this is far from an exhaustive list.

  • Limited applicability – These mitigations come from investigations of Australian government organizations. Other organizations may have different experiences.
  • Accidents are excluded – Security risks which result not from adversarial attack but from accidents are not included. (One of the most common is a data breach caused by the theft or loss of a mobile device, laptop, or backup tape.)
  • Mobile devices are specifically excluded – The mitigations apply to workstations and servers, but not to mobile devices.
  • Governance, process, personnel are poorly covered – The mitigations do not include non-technical approaches, which can significantly affect security, risk, and cost.
  • Alternate risk mitigation – Risk mitigations available to corporate entities – such as insurance – are not addressed.
  • Cost considerations – Corporations typically require some measure of value justification, associating costs and risks to profitability, rather than to national security or human life.
  • Impacts – Impacts should be analyzed in the context of the specific solution in the proposed environment.
  • Implementation quality – Poor implementation of the mitigations would result in reduced effectiveness.
  • Implementation completeness – Implementing mitigations to fewer than 100% of systems would change effectiveness and cost estimates.

Knowledge of the underlying assumptions, their consequences, and the unstated assumptions is key to implementing the mitigations appropriately. You can only fill in the missing pieces when you recognize that they exist, and where. Some of these missing pieces can help you greatly reduce cost, rather than just adding more to the shopping list.

But we’re diverging from the point here. These six objectives are not the only ones that can be derived from the Australian DSD’s guidance. They have worked for our clients and they allow a fairly complete mapping to the 35 mitigations. This superset also naturally aligns to strategic initiatives to develop processes to take full advantage of these tools. Maybe we’ll add more on that in a future post.

How to Write a Great Resume

February 16, 2015

Lately we’ve been working with people to help them improve how they present themselves. Some of the people we know well as great security consultants present themselves very poorly. This is understandable, as most of these folks have reputations that speak much louder than resumes. But it always helps to have a version of you on paper that will wow anyone who doesn’t already know you by reputation.

I always like to see a submission knock me over with why the candidate is not just qualified, but why I’d be an idiot for not hiring them. Make me want to shelve all the other resumes and call this person as fast as my fingers can dial. To do that, a resume must focus not on what the candidate did, but on why I should care, and then support those claims through the story of their history.

A “perfect” resume is one where as I read over it I get more and more excited. Every new line adds to the perceived quality and relevance of the candidate. No lines leave me wondering why I care or asking if it’s a liability. There is a clear progression and/or I can see how all of the experience contributes something to the value presented.

This can only mean a document specific to whatever you’re looking for. That is, what you want to do rather than what you have done. Highlight leadership, strategy, and management experience and skill building. It doesn’t matter as much what you did (tasks, technologies, responsibilities) as how you did it, and why you were successful. But these need not be created anew for each job you apply for – that’s what the cover letter is for.

The cover letter can make or break a candidate, so write a custom one each time. Often this is all a hiring manager ever reads, and it can be the quickest way to the top of the stack or the bottom of the bin. Treat it as a roadmap to your resume. Bring out the specific highlights from your career that are precisely what the role calls for, in the way the role has been written. Shorten the distance between the job requirements and your qualifications to near zero. Reuse and customize your best bits from other cover letters, but make sure each one is specific to the job you’re applying for.

On your resume you might lead with 3-5 bullets that highlight your best outcomes and experience.

  • Advanced degrees, security industry presentations, and OWASP or other community participation show that you are hoping to be a leader, not just in it for the money.
  • Categorize your experience through the lens of whatever you’re aspiring to so I can instantly see that you can do and have done what you will be asked to do.
  • An outcome you helped generate that ties into the story of your work history, particularly if you can relate a statistic or specific accomplishment.
  • Tell me how I will know you can do the non-technical parts of your job, like communicating to management, working in a team, hitting deadlines, etc.
  • Relate an extracurricular activity to how you can excel at your role, how it relates to security, or makes you a better employee.

Then tell a story with your professional and academic history. Expose a clear narrative, with each plot point building on the next over the course of your career, with the logical conclusion resulting in you having all the prerequisites. Make sure that the story doesn’t get confused and that it all ties into the overall plot line. Career or job changes are twists – if done correctly they strengthen the story. Be your own editor and ruthlessly cut out ancient history and tangential detail, rewrite to make the lines clear to the reader, bridge gaps or multiple short chapters so they don’t distract, and make the major points explicit rather than implied.

Having a great cover letter and resume will reduce your work, not increase it. You’ll cut the time spent looking from weeks to days. You’ll spend less time trolling craigslist, Monster, LinkedIn, and other sources. And you can land a much more competitive role (think about it, would you want to work for someone who accepts candidates who look weak?).

Schadenfreude and Shame in Security

December 23, 2014

Hype, opportunists, and bad ideas are getting the spotlight after the massive breach of Sony Pictures. Most of us observers are sitting back and enjoying the schadenfreude of it all. For the general population that’s an understandable reaction; for those of us in the Information Security community it’s shameful.

Rather than take proactive, positive steps, we have sat on Twitter and watched as Sony and the Government have clumsily fumbled the situation. We often think we know what’s best, yet when our expertise would be most useful, most of us lurk in the background, sniggering to each other in our smug superiority.

In abdicating our role as ambassadors of technical literacy, we allow the story to be shaped by others. Often, those who run into the spotlight during these types of events are not experts or advocates for rational approaches, but opportunists promoting a specific agenda. The absence of a voice of reason from our community leaves a deafening silence. But don’t worry, we’ll fill that void with complaints once a solution has been enacted and we see that it won’t work.

Instead, the information security community should be engaging in the media and geopolitical discussions, injecting real solutions to systemic issues. We should be raising questions and bringing to light topics such as

  • Opportunism and fear mongering by politicians and our own industry.
  • Vandalism portrayed as terrorism.
  • The inadequacy of traditional investigative methods in cybercrime.
  • Statements, statistics, accusations, and claims made without supporting evidence, references, or credibility that go unchallenged.
  • Pre-determined attribution in hacking and geopolitics.
  • A geopolitical reaction to issues stemming from poor corporate oversight.
  • The hypocrisy of calling an attack on a film studio terrorism, while admitting to attacking military and government networks (hat tip to Jericho).
  • The information security industry taking $75B per year (according to Gartner) from the global economy without reduction in frequency or severity of information security incidents.

There isn’t one way to engage in the discussion, or to bring these issues (or others – and there are many others) out. However, there is a single way to fail at doing it, and that’s to fail to try. We, in the information security community, could have a great deal of influence if we chose to. When the world is powered by computers and software, those who know how to control those technologies have great power. But with great power comes great responsibility. Use it. Wisely.

UPDATE: @MarnixDekker points out that these are not really technology issues. But I counter that that’s exactly the point. Why do we build technology if not to solve societal and human-scale issues? If we create technology as an end in itself, others will use it as their means. We have seen where that leads, and it’s not a mistake we should be eager to make, nor should we be naive enough to think it won’t happen.

Can you be too secure?

July 31, 2014

When I hear someone say “you can never be too secure,” I assume they don’t understand the implications of that statement. Perfect security can be seen as the absence of risk. That sounds like a tradeoff most people would want. But it’s not always the case. In fact, in most businesses it’s the opposite of what you really want.

Risk is at the heart of the capitalist system. Without risk there is no room for profit except through exploitation and collusion. So businesses must take risks. If there were no risk, competitors could easily enter the market and disrupt the industry.

So risk is necessary; risk is good. There is value in risk just as there is in security. Understanding and undertaking smart risks allows you to balance concerns with ambitions. Balance gives health; imbalance can lead to total collapse.