Coding Skills and Security Administration

Do coding skills help you with the general routine and daily security administration of computer systems and networks?

Yes. Regardless of the fact that ‘scripting’ which is (used to be) a crucial skill to manage computer systems and networks, coding skills is not only fundamental to understanding the details of computer security, but also fundamental to the security administration of computer systems and network.

Cyber security ecosystem is more than CIA and describing it on the paper. In order to understand the elements of computer security we need to be fully skilled with the fundamental of computer science which is truly software and hardware.

I am not telling you need to learn machine language and assembly because that is for someone dedicated to deal with lowest level of security like finding flaws and writing patches for operating systems and kernels, but one still need more than basic level of at least some scripting languages like PS (PowerShell), WSH (Windows Scripting Host), Bash, Python… to handle the security administration if not digging into details.

Some other coding skills helps your setup, configure, troubleshoot and generally operate smoother than other admins:

Java: knowing Java even if you wouldn’t want to write one single line of code is crucial because there are hundreds of thousands of utilities and backend systems coded purely with Java so it is so easy to understand them once you master Java.

JavaScript: you may find it funny how HTML with JavaScript can help you in security administration. Once you start digging into security aspects of many applications you will find HTML crucial and super helpful.

PHP: it is helpful if you are dealing with web apps in general. There are millions of web apps running with this powerful language.

SQL: any knowledge around any flavor of SQL is so helpful and if you deal with databases regularly then it is a must to know how to code SQL directly or via a host interface like PHP.

I personally put Python as a must only if you want to develop as well. In other words, knowing Python is very helpful only if you are going to specifically develop for a customized environment and integrate other systems and utilities.

What I can tell you generally is specialty is of course very important with any aspect of computer science that you are going to be the subject matter person for it, but whether we like it or not, it is critical to know about all fields of computer science to be able to manage a tech environment sufficiently.

For example, one can’t be an expert with networking if doesn’t have full knowledge of SSH so probably won’t be able to fully operate a network securely if is not capable of administration part. Coding skill is not a preference, it is critical to security administration.

Tech Staff Justifies Incompetence!

Have you ever listened to your tech team trying to justify all the tasks left behind, delayed or procrastinated?

Do you have an IT team brining excuses for every project there are facing and try to blame everything except the root cause?

Then you are not alone! Here is a known list of IT staff excuses. Knowing the pattern and reasons behind help us managing our team smarter:

Lack of resources: we do not have enough resources!

The best of the best excuses ever, a generic excuse for all types of failure and when staff wants to show how much they are busy and swamped with everything, how much they are doing their best and the only problem why bunch of tasks and projects are delayed is that because there is not enough resources.

Actually, the best description here is lack of resourcefulness!

False positives, false negatives: cannot trust the data!

A trick to overlook an alarm and justify the reason to ignore it. Imagine you have probably missing patches, nodes which have not got their malware updates, software which has been screaming for a reason…and staff simply ignore it just because there has been some instance of false positives.

Tool limitation: we need better tools!

Being tools oriented at the first place is a flaw within most tech staff and no surprise that they want to blame tools rather than blaming themselves of not having knowledge of using tools, or choosing right tool.

Spontaneous nature: IT is so dynamic!

A very clever way of justifying every single failure. Of course, you won’t blame them for breaking things and fixing things just by luck if you believe that the nature of IT operation is being spontaneous.

Later this week/month/year!

The classic way of accepting and procrastinating, a very well-known pattern of ignorance when there is no other way around. Simply saying they are going to do it this coming week which it may end up not done for a year.

No budget: needed money!

It is hard to debate when the subject is money. Staff brings a solution which requires money. No one challenge the validity of solution, but everyone accepts the need for money so it turns super easy to rely on money and have it handy as the excuse.

The legacy: that is not what I put there, it was there before I join!

It means I won’t take ownership of something that someone else configured. Interesting, because when you are hiring them, they are going to fix everything messed up by a previous person but then everything changes.

Dedicated staff: our team is tiny!

Dedication is really good to have but in reality, we face departments where people at least have a secondary or tertiary hat to wear. Talking about size of a team is ignoring human intelligence and ignoring the fact that we have actually technology taking care of many aspect of our duties so especially as a tech savvy we need to able utilize technology to handle the quantity and we could handle the quality.

ISMS is Not equal to Real Security!

Is having an information security management system equal to actual security? 

No! Having an information security management system is not an indication of quality of security controls. Management systems are easier way of administration in a standard and systematic way, but they do not necessarily an indication of security control effectiveness. 

As an example, ISO 27001 as one of the most popular information security management system to date, has no effect on the quality of your controls, as there is no judgement on implementation quality, effectiveness and type of security controls. It is just the judgement of logic. 

This is no surprise though comparing to any other management system like ISO 9001 famous Quality where you can find thousands of firms holding to that certification with lowest quality of products. You will find same number of firms holding tightly to their ISO 27001 certification as an indication of “presence of quality security” but literally are at the lowest bracket of information security effectiveness in practice. 

Let’s say one has a system to fully manage firewall within an enterprise, all the rules are justified, reviewed and approved by head of your technology department (which FYI you could barely find such a well-managed system, but still let’s pretend it’s not a big deal). Does it mean firewall rules are technically security and configured in a way that address organization concerns?! 

However, an information security management system, whether globally recognized like ISO 27001 or organically internally created by your organization could be the best tool to approach your security program; it is all about execution and understanding of information security elements ‘particularly in regards to your business’. 

Simple Sign of Security Program Has Already Failed

The simple sign is your Trust and Confidence: Do you have faith in your security program?  

For a moment be honest and ask yourself: am I confident with my company security program? Do I have faith in our security team? Do they really know what they are doing? Does my information security officer worth pay 300 grands? How can I say my IT department is really at the top of security trends? Ami paying too much or less for security budget?  

Why I Do Not Trust in My Security Program?  

If your answer to any of above questions is shaky, you hesitate to answer, or just do not know that answer, or for any reason you are not sleeping peacefully at night, then your security program already failed!  

Has Your Security Program Stuck?  

But that is not your fault directly, not even your team, no one to blame from your side! The only thing to blame is “market”. Unfortunately, market pushes you and many top managers of security teams within big corporations to spend money on things that would not improve the security posture, otherwise you would sleep peacefully just like those who do not have any online presence.  

Market pushes us to spend and at the same time not have a peaceful mind; today is about a new trend, tomorrow even before catching up with yesterday “message” you attend a webinar and you face a new challenge, all true, but all irrelevant.  

Why with hundreds of thousands spending on my cybersecurity initiatives, still I do not feel confident?!  

You or your technology team do not have even enough time to catch up with emails and whitepapers full of useful info, let alone choosing and implementing what exactly you’re looking for. Even a week after implementation you realize there was better solution or you wish you would purchase another solution or just waited one week to buy the new one just arrived at your mailbox!  

Sounds familiar? Then you are not alone among majority of information security managers, engineers and architectures. Simply blame the “market”! Market is constantly pushing us to spend and still not being confident. Does it sound like something wrong? There has to be a different way. It does not make sense; it is not that much complicated!  

The trick is simply getting out of this sanity and leave the market flow and pass you! You won’t lose anything, do not worry. Step back, stop, relax and research more. There are very simple ways with less effort and less budget with more confident outcome. Simpler than you could imagine!

The Only Reason A System Has Not Been Hacked!

Real hackers do not randomly find a flaw in a system. There is a systematic approach to hack a system!

Regardless of size and type of an online entity and its online presence, a giant company with ten thousand of employee, or a home user of the Net, the only reason a system (may) have not hacked or taste the bitter part of internet is because it has not been targeted! 

Hack proof, and resistance…are you kidding? systems are mainly vulnerable to basic penetration testing! A system enough mature to resist targeted attacks is literally a piece of “Art of Security Management” rather than a collection of sophisticated security tools or staff. 

Once you are targeted you could truly measure the strength of your security measures and experience shows that we could barely stay safe after being actively targeted. However, targeting process may take years but once a malicious actor put your name on the list, you need to find way to response and faster ways for recovery. 

I am not considering persistent threats where you have been hacked for years before even you realize. Remember, not all malware activity is supposed to be noisy and obvious. Hence, targets remain totally open to adversaries for months and years before they could even detect anomaly so let’s talk about hidden-side of being victimized and APT later. 

What does it mean to be targeted? 

It is not as simple as it sounds but briefly, it means adversary simply profiles you/your business for a relatively longer time and uses every aspect of your online presence to have what I call BB or brighter blueprint of a cyber entity. 

Attacker creates an enhanced “vision” of a cyber target and s/he uses every single direct or indirect possible object to picture the target. At the end, or somehow in the middle of this process, attackers know your system way better than yourself! And that’s where they land the attack. The result depends on the purpose and motivation, could be destructive or hidden with minimal impact which is scary because then they nest somewhere within your system as long as they need. 

The truth is, if a system has not been hacked, that’s not because it has a solid security posture, it is only because it has not been targeted. 

Stay secure, 

One Strategy to Win the Cyber-security Battle: Change the Focus!

Sales pitch force us to worry about things that are not so important; Change your mindset to win the battle!  

“Battle” would not be the right term if we didn’t have a market full of competition to sell cybersecurity products rather than focusing on the right and real way of defense. In other words, focusing of what really cyber criminals are up to, rather than pretending that we are securing our networks!  

So let’s admit it is actually like a battle ground when sales guys reach out to you and want to convince you to accept a risk they are anticipating with your business and you have this relation with a dozen of firms out there and literally everyone says: all other products are crap, ours is so and so! And in the meantime, you are in a real unfair battle with cybercriminals where you’ve never been able to catch up.  

We do not need to be part of this battle, but it is only possible by changing mindset and direction! I know it is so hard and even scary to go a different direction when all the market trends are pushing you to believe something else. I know it sounds insane to forget about EDR when all pros say it’s a panacea, it scary to uninstall Application control or whitelisting solution from your server. Should you avoid and ignore critical patches? Would it be madness to forget about dual-factor authentication and not having a PAM solution, especially when you have money and human resources to spend on these?  

Any solution may or may not fit to your business but cybersecurity is not all about implementing new solutions, what if I tell you that you could still be incredibly secure with the same sort of security products in 90’s?!  

The first step to win the battle with both sides of adversaries and sales is just to change the focus from being tools-oriented to rely on techniques, from implementation of new solutions to find the solution natively in your systems. I am not talking about native security tools of any OS necessarily; I am diverting your mind to a totally different world where understanding and picturing your cyber security posture automatically brings the solution with itself!

Does Technology Solve Our Problems?

Real issues are not going to be solved bY any of those known internet applications!

Currently it does not but technology could solve our problems if two factors considered: 

  • Definition of ‘Problem’
  • Justifying practical ‘Application’

The former seems so obvious but that is actually the root cause of why technology is not able to solve our problems. You see how major aspects of technology are focused on ‘things’ that are neither a problem, nor an issue, or even a basic consideration. 

Internet does it really justified to solve our problems? The answer is no because first we are misleading ourselves with unreal problems and things that are more wanted than needed, and more a matter of convenience than a matter of reasonable living.

As an example, transportation, social media, advertising… even fast communication are not real issue. Comparing to other side of same stories like fossil fuel, introversion and lack of communication. When you do not have transportation, focusing on Uber and Lyft is more insulting than funny. When people are getting more and more introvert, talking about your virtual friends is ridiculous. When delivery of an important message to appropriate people is being distracted by many political and ethical issues, focusing so much on advertising is like ignoring the entire word of ‘humanity’. 

internet does not really justified to solve our problems

Real problems are not part of, or addressed by Google, facebook or instagram. Real issues that all of us facing are not going to be solved by Amazon, because shopping online is not the real deal that we want to focus on right before Christmas eve. Cyber Monday should not be a concern and first thing in the morning when you turn your radio on. Apple latest iPhone is not going to be a tiny positive factor in any aspect of real life. And we are not going to die if Paypal decides to change its privacy policy, or Twitter decides to delete out tweet.

You see that definition does matter because if the problem was really how you could faster load facebook pages, or how to have a video with more viewers on YouTube, then yes, all those internet trends and application would frankly be toward solving our issues. But the real deal is different, and that’s why most of internet applications are going wrong direction. 

Real problems are food, drinking water, population, education, diseases…but not how many restaurants have online vitrines, or how fast and convenient you could order pizza online, or millions of recipes in a PDF…the problem is providing enough resources for a billion of people in lack of basic life resources. 

Enough food for one in nine people on earth just to make sure that they can function. Fighting against global water and waste crisis. Eliminating the risk of malaria to half of the world’s population. Taking care of millions of people with at least one sort of dangerous addiction. You can name it. 

After you believe in real problems of today’s human on the earth, you’ll see how technology is far from helping us to solve those issues. Thousands of scientists all over the world are committed to solve our real issues, but that number is way less than hundreds of millions of people focusing on unreal aspect of life. 

Conquering space for search of what we call inevitable for life, H2O, while we do not have the basic water treatment and culture of consuming drinkable water sounds very naive. Every day we make thousands of chemicals and medications for weight loss while a billion of people do not have enough food to function. We develop all sort of online applications but it’s like all of us are blind and deaf, we can’t see, we can’t hear what is going on before our eyes.

Technology is actually so capable of resolving our real issues. Let’s define and review and digest today’s issues and force technology to handle them for us. Not a cybersecurity professional, or a programmer, but as a human, that is my career to help technology solve human real problems with practical cheap solutions.  

Tools vs. Techniques

Operations fail by focusing on tool rather than technique!

In context of information technology, with all primary operations like system administration, patching and updating, backup and replication, malware protection…and all related sub-tasks, focus on Tools is an enemy of the process!

Defining, developing or choosing a technique in advance is crucial to an IT operation. Then finding a tool to do whatever the technique is dictating, not vice versa. Techniques are also backed up and rationalize by objectives and policies but that is out of scope of this article.

Techniques → Tools

That is the right flow chart: reaching device, gadget, program, software, application, script…or anything like that  only after knowing the method or routine. In other words, we need to define the way we want to do something (process) and what is required (features) and then go after shopping or writing a code to handle that.

Many IT operations fail due to doing this simply in reverse direction: finding a tool just by searching the Subject and then refine the “forced” process based on what tool is dictating, not what we were expecting. Well, sometimes there is no expectation at the first place which is sign of a immature IT practice but that is also behind this short article.

Good IT Exercises: Documentation!

Everybody’s talking about importance of physical exercise and routine workouts these days, and of course that’s the result of 21st century life-style which is forced through technology but how about some technology exercises and routine practices which can help reduce the pressure on tech staff workload and leads us to a healthier IT environment?

Documentation

It will be so easy documenting and actually using it as a powerful tool and a supportive factor in everyday IT dynamic environment. But Only once we realize the application and purpose behind it in addition to simple techniques.

Most of us see Documentation as a hassle, an extra useless job of writing some staff on paper or Word and Excel files, and give a version or revision number, control it (what does it mean exactly?)… and then live it dusty chest or even ends up with some nonconformity because it is not what a reflection of our real world processes…..what is the purpose? why people see this as a hassle and this way it is actually a negative workload. Rather than utilizing it, that utilizes our resources!

The reason task of “documenting” has seen and believed to be a bother for most of IT professionals or even business analysts, is that we are doing it wrong, so no doubt it utilizes resources without any value. The easiest way to describe what is right documentation is explaining what is not. first you should ask:

What is going to be documented and for what reason

If reason is justified as a “Management System”, or “Standard”, or “Certification” then the answer is wrong and you are going the wrong way. You should justify by reasons like: “part of manufacturing process”, “describing system of asset management”, “explaining why product X failed during evaluation”, “document of how an employee is hired”, and so on. But never have the Driver as the Reason.

Documentation is not complicated but just like any other skill, first we need to understand the concept, and then some practice. Mastering this skill would not take more than 1% of your daily duties so let’s see what is the heart of the matter:

Document the logic and purpose of a task or subject rather than describing details of a task. In other words, focus on goal rather than the task. This saves a lot of time wasting on useless information in documents. This is also one of the main reasons users later won’t refer to documents. So we waste time creating them and then force the audience to read but they won’t because content is boring, confusing and only waste of time; no added value or even negative value.

Screenshots and steps to do something is not usually what documentation is all about. That might be useful for a user manual (I would doubt!) but not as an option for an IT guideline or even procedure, work instruction or policy. Here’s an example:

Let’s say you want to document your backup process, Disaster Recovery Plan, malware response and handling procedure, or how a node is setup and connected to a system in another network segment, how anti-virus agent is deployed….and thousands of other scenarios. Now would you open a Word file and start capturing screenshots of each step?!

It means you might doing in right way if that sounds funny to you, but most IT personnel are so busy that they don’t have time to step back and think about the way things have been done Wrong in the past, and they just repeat the same tools and techniques

Benefits are endless, and the result which is an agile environment will be appealing!

Once documenting become a routine and as a regular exercise the benefits start to show off their positive effects in environment:

  • Less time spending on Documentation! More effective and useful documents!!
  • Refined workflows
  • Effective corporate communication and team elaboration
  • Compliance management in a controller manner
  • Certainty and confidence in changes: an strong and original strong change management
  • Faster, accurate and more effective and meaningful evaluation of future solutions. In other words, re-born of R&D within IT operations which I believe it has been totally forgotten in the fast paced today’s tech world
  • Smooth transition among staffing, team leadership and general daily administration
  • Audit and being audited any time with zero nonconformity or noncompliance
  • Better understanding of current processes and natural automatic and constant training for tech staff and end-users
  • Trustworthy IT team with reasonable full support from top management
  • Smarter internal and external customer relation and interaction
  • Reduced or almost zero anxiety among help desks and system administrators
  • Supporting to any future or ongoing management system and any framework which seeks documentation: ISO standards, Security management systems…

Do you need technical people to compile documents?

You need people that understand the logic of the document Subject, so it is likely that you need technical expertise but not necessarily a technical writer. Of course technical writers can add value but those value are not certainly useful and inline with purpose of documentation. Again refer to User Manual example.

The moment you discover the power of documentation as an integral part of IT management model, you won’t let anything done without it (I have seen this also as an imbalanced approach). But the beauty of it, is more the fact that it is a useful tool for both management and staff, something that is so rare. Stay tuned for IT Documentation Workshop soon.

How Net Anonymity Works?

In practice, most of internet anonymous services are only exposing your net identity in a different manner, even more obvious and only in a noisier way!

Long story short, if your are concerned about so-called ‘Privacy‘, do Not rely on popular techniques and tools of net anonymity!

When you connect to a (Anonymous) VPN service to hide your real IP address, either free or paid, you just enter a private smaller, easier to monitor (of course does not necessary mean ‘eavesdropping’), easier to track part of the larger internet.

Do solutions like VPN really hide our net presence, or they only change our internet footprint exposure to an exclusive state?

That simply means, tracing back to you with each single element of your online movement bound and an integral part to your identity, aka ‘your unique online presence’ and your internet footprint or online signature, is much more easier and precise. Even not considering the fact, that no one can stay 100% hidden forever, or being naturally born hidden, which means you already have some (a lot of) footprint on larger public internet, and now with browsing for example via a private IP, you just consciously connect the dots for data brokers. This is not a fiction and it is actually happening practically when dealing with browser cache, cookies and many other server and client-side elements of your online activity.

Net Anonymity services simply change the scope of your identity exposure to a exclusive, limited and restricted environment which leads to a highly precise identification and a better, realistic version of your internet footprint!

The real Net anonymity is not achievable via popular online services. However, there are certain techniques which can be implemented via free simple tools on a paid dedicated hosting, within an small community, for example your family, or your friends. In a nutshell, it is technically possible to have practical and reasonable anonymous internet identity only via a private entity with a limited restricted ownership:

Get a dedicated physical server online, or set it up with dynamic DNS on your current home internet connection, setup a few application to mimic a fast HTTP and SOCK proxy and then route your peers via VPN or P2P protocols to real world. in this case, the footprint would belong to only that small community, and ‘retain’ and accessible only within that P2P network. With certain techniques, you can send and receive communication completely untraceable to individuals. This can be accomplished if you have an IT guru nearby.