
Is Kai Axford Speaking at TechEd 2008?

The short answer is YES!

However, I'm not going to be confined to a single breakout room like I was last year. (ESPNism: "You cannot stop him, you can only hope to contain him.") If you remember, we had such a huge amount of folks wanting to get into the session I did with the FBI that we had to turn some away (fire codes and all that). For my follow-up Q&A session, the room they gave us was incredibly tiny and many missed out on some great info. Based on your feedback, that's going to change....

I suggested to the all-powerful TechEd Content Team that we already have PUH-LENTY of the dreaded and feared Microsoft "Death by PPT" lectures going on, so my suggestion was that we need to breathe new life into the way we do sessions. As you remember, I just spent the past week sitting through a bunch of sessions at RSA 2008 and I started to get "tired head" really fast. (I do have to give major kudos to those of you who suffer as monotone speakers drone on while feeling the need to read every single bullet point they can put in a slide deck. I just don't see how you do it.)

To end the glut of monotonous breakout sessions, I submitted and was approved to do the following at TechEd 2008.....

The Tech-Ed 2008 Security Show

You have spoken and we have listened. You like your colleagues, yet do not feel compelled to stand shoulder-to-shoulder in cramped quarters with them. I am also a man of moderate girth and like my room. "Why don't you move more sessions to the Expo Hall like you did for Marcus Murray's hacker sessions last year, O Microsoft TechEd Masters?" Well, my IT Pro brothers...that's exactly where Kai is headed! I'm going to be delivering not one, not two, but FOUR sessions on the TechEd Online stage!!! You can pull up one of those sweet little beanbag chairs they had last year, and relax....and be prepared to be enlightened as we make this event fun again. "Okay Kai...I've got my beanbag chair...I've got wireless connectivity...and I'm sufficiently fueled with abundant amounts of sugary snacks and carbonated beverages....but what is this new Security Show you speak of?" Well, take a read at the abstract, and then I'll tell you a little about each program:

Does Oprah talk about Botnets?! Gonna hear Tyra use the words "data leakage"? Come watch “The Security Show”, with your host, Kai Axford!! It's fun! It's cool!!

Join Kai as he interviews security experts onstage about today's hot topics, getting the audience involved in the action! This series sets a new standard for doing TechEd!! Come and get your money’s worth! Join us from 1:00PM to 2:00PM Daily!

(The following episodes are proposed and are still awaiting final approval):

  • Episode 1 - Meet The Feds!
    • We welcome the gun-toting cybercrime team of the FBI, as they sit down and discuss the threats that they are fighting today, provide best practices and techniques for stopping the bad guy, and give you some insight into the deep dark world of computer crime. Get the straight 411 from the guys who fight it daily!

Back by popular demand, I'll be bringing Agent Allyn Lynd from the FBI's Cybercrime Squad back to Orlando, so he can scare inform us as to what is going on in the criminal world. If you want to know about the "underground shadow economy" and who's doing what to whom, and how they're doing it, Agent Lynd is the guy to ask. My plan is to get Agent Lynd to give us an overview of the threat landscape and then take it to the audience for questions.

  • Episode 2 - Stopping James Bond
    • Espionage. Secret squirrels. Ninjas. Call them what you will, but yesterday’s international spy is today’s insider threat. Join us for an in-depth discussion with some of the top counterespionage experts in the world, as we hear about how these bad guys are stealing your intellectual property right out from under your noses, and more importantly….how to prevent it.

Well, my original idea was to have a former KGB or GRU intelligence operative come and show us exactly how economic espionage is conducted. However, it's not like I can just call up the Kremlin and ask them to send someone over. The group I reached out to had previous commitments, so they were unable to send anyone. Then I thought, we've all seen how this stuff is done...it'd be nice to hear from the guys who fight this stuff. So I've got a guest speaker from a government organization that deals with this threat daily. They're going to come in and tell you the real deal and how you can protect yourself and your business.

  • Episode 3 - Gates, Guards, and Guns
    • Today we’re going to be joined by the folks responsible for helping keep the Microsoft IT environment free from physical harm. Believe it or not, physical security of the datacenter is just as important as the other layers of defense-in-depth. Join us as we talk about new topics in the area like IP video surveillance and the convergence of InfoSec and Physical Security. Bring your tin foil hats!

I did a whole webcast series on Defense in Depth, and one of the areas we got a lot of questions on was physical security. As IT Pros we typically don't think much about this other than the whole "laptop lock" or reminders to lock the server closet. With the advent of IP surveillance and more and more stuff moving to a digital format, we need to be concerned not only with what is being captured, but where the captured data is being stored and transmitted. I'm hoping to get the guys who do protect the Microsoft campus to come in and talk about this very important aspect of security.

  • Episode 4 - A Conversation with Steve Riley
    • You know him! You love him! Now hear the wisdom of Microsoft security visionary and world traveler, Steve Riley, as he pontificates on all things security. Steve has delivered some of the best sessions in TechEd history, with his informative and engaging style. You’ll be shocked and amazed, but you won’t be sorry you joined us.

A lot of you are familiar with Microsoft's Mr. Riley and the unique views he brings to the world of information security. I'm going to try and get him to come and join us for a chat, but in the event that he has some prior commitments, rest assured we're going to have someone that you want to hear. We want to be sure it's worth your time! It will absolutely not be some guy up there pitching some Microsoft product to you. If you want that, I'll need to re-direct you to the other sessions.

My goal for these episodes is ZERO PERCENT Powerpoint and 100% discussion and audience Q&A!!!!

RSA 2008 - Day Last: Underground Online Crime

Well, I'm sorry for the delay in posting. I didn't get home until after 10:30PM on Friday night, but American Airlines did get me home, and given the issues with the MD-80s recently, I'm just happy to have made it. Even got bumped to First Class, which is always nice.

I had the chance to attend only 2 sessions before I had to jet off to SFO to catch my flight, but the sessions were pretty good ones and ones that I think just about any of you reading this would enjoy, or at least find somewhat interesting.

The Bad Guys

The first session I sat in on was titled "Organized Online Criminal Enterprises: Profile of Who, Where and How" given by Dmitri Alperovitch, a Director with Secure Computing Analysis. He really covered a lot of information and details as to who is actually committing the online identity theft, stealing credit card info ("carders"), etc. Typically as an IT security guy, I tend to focus on the HOW, not so much the WHO, like my friends in the FBI. Today, I learned how a 24-year-old kid from the Ukraine named Dmitry Golubov (aka "Script") had set up a huge operation known as Carderplanet.com, which had tons of forums and served as a fence for those looking to buy or sell stolen credit cards. Now this kid ended up getting caught, but after some local politicians took his side, saying how he was a "pawn of the system" or some crap, he was able to get off without conviction. Here's a post on an old Listserv that Script posted to advertise his work:

FORUM.CARDERPLANET.NET

- My name is Script, I'm a founder of forum.carderplanet.net and i can provide you with excellent credit cards with cvv2 code and without it

Minimum deal is a USD $200.00.

- USD $200.00 - there are 300 credit cards without cvv2 code ( visa + mc ) - USA (included credit card number, exp. day. cardholder billing address,zip,state).

- USD $200.00 - there are 50cc with cvv2 code ( visa +mc) USA (included credit card number, exp. day. cardholder billing address & CVV code from the back side of the card).

Also i can provide cards with SSN+DOB. COST 40$ per one. Minimal deal 200$ - Also i can provide Europe credit cards, France,Germany +UK and many other contries around the globe.

- All credit cards with good exp day and it's work also so good. I'm accept payments through Western Union, E-Gold, WebMoney,direct deposit,cash in bag.

Now here's the real kick in the pants.....this same kid is now running for office in the Ukraine, and if he gets elected, he becomes completely immune from any type of prosecution!! His platform is to "eliminate corruption from government". Nice, huh?

You can even check out the great whitepaper that Kaspersky Labs put together this year that shows some of this stuff in great detail. The picture below is from a site that sells botnets for hire.

[Image: screenshot of a site that sells botnets for hire]

We also learned about Roman Vega (aka "Boa" of Boa Factory infamy) who ran one of the biggest CC theft operations. We learned about Maxim Yastremsky (aka "Maksik") who is one of the guys involved in the whole TJX debacle. We even talked about the 3 guys, one of which was Younes Tsouli (aka "Irhabi 007") that used stolen identities and money to subsidize a terror cell for Al-Qaeda....proof that this isn't always about the money...it's also about human life. Good reminder when we're burning cycles to do our jobs. Keep up the good work everyone...what you do matters.

RSA 2008 - Day 3: Breakfast with the MSAT and Cruising the Expo


Who Doesn't Like Breakfast?

Sort of a slow day here at RSA today. My guess is that all those parties sort of took their toll on the majority of the attendees. I got up early to catch up on some schoolwork (yes....the quest for the elusive MBA continues, even when I'm traveling.....) and then headed down for breakfast with Thomas Dawkins, the guy on my team who handles Microsoft's partnerships with the industry associations like ISSA, ISACA, ASIS, etc. He also is single-handedly responsible for the creation of one of the best security tools you'll find: The Microsoft Security Assessment Tool. If you haven't had the opportunity to check out this tool....go get it...it's one of the most comprehensive security business tools you will find. Here's the summary from the download site:

The Microsoft Security Assessment Tool 3.5 is the revised version of the original Microsoft Security Risk Self-Assessment Tool (MSRSAT), released in 2004 and the Microsoft Security Assessment Tool 2.0 released in 2006. Security issues have evolved since 2004 so additional questions and answers were needed to ensure you had a comprehensive toolset to become more aware of the evolving security threat landscape that could impact your organization.

The tool employs a holistic approach to measuring your security posture by covering topics across people, process, and technology. Findings are coupled with prescriptive guidance and recommended mitigation efforts, including links to more information for additional industry guidance. These resources may assist you in keeping you aware of specific tools and methods that can help change the security posture of your IT environment. There are three assessments that define the Microsoft Security Assessment Tool:

  • Business Risk Profile Assessment
  • Defense in Depth Assessment (UPDATED)
  • Mid-Market Security Core Infrastructure Operations Assessment (NEW)

The questions identified in the survey portion of the tool and the associated answers are derived from commonly accepted best practices around security, both general and specific. The questions and the recommendations that the tool offers are based on standards such as ISO 17799 and NIST-800.x, as well as recommendations and prescriptive guidance from Microsoft’s Trustworthy Computing Group and additional security resources valued in the industry.

After completing an Assessment, you will gain access to a detailed report of your results. You may also compare your results with those of your peers (by industry and company size), provided that you upload your results anonymously to the secure MSAT Web server. When you upload your data the application will simultaneously retrieve the most recent data available. To be able to provide this comparative data, we need customers such as you to upload their information. All information is kept strictly confidential and no personally identifiable information whatsoever will be sent.

Like I said....good stuff.

The Expo: Day Last

When you speak at as many conferences as I do, you tend to get a bit jaded with the overwhelming number of vendors that seem to be trying every single gimmick to get you over to their booth. I know these companies pay a LOT of money for the spaces that they get, and they want to maximize the traffic that moves near their area. It's all about marketing, I s'pose. This year I saw a lot of Guitar Hero III, booth babes, security game shows, whack-a-virus (like whack-a-mole) and tons of other lights and shiny objects. Of course, the big vendors (Microsoft included) had the prime real estate, but it was good to see some of the smaller companies, as well as non-profits and colleges, getting some room as well. Good turnout, but I really didn't want to spend another day wandering through the cavernous Expo Hall with over 2,000 security vendors. I decided to head back to my room to get some actual work done.

Tomorrow is the last day for me here (unless American Airlines cancels my MD-80 home to Dallas, which means I'll enjoy another day in San Francisco). I plan on hitting the sessions on virtualization security, as well as one on the criminal underground and the recent threat landscape there. It should be a good one. Oh yeah.....one of the BEST THINGS about RSA is that ALL...of the session decks are handed to you on a 2GB USB device when you register. You always have all the slides, so if you miss a session or want to email the speaker later....you can. Genius!

NBC's The Office started back up tonight, so that was not to be missed as well!

RSA 2008 - Day 2: Windows vs. Linux, PLUS Insider Threat Experts, and The Parties

Day 2. I'm a bit worn out since I was up into the wee hours trying to get my new video blogging mess figured out. The process that I thought would be a problem (encoding and uploading).....wasn't. But the part that I thought would be easy (quality of the HD stream).....was. Still trying to work out exactly why the .WMV looks and plays great, but the 30 fps playback in Silverlight looks like some chopped up mess. Could be the encoding was messed up, could be the 1,000+ security people on the hotel Internet connection, or that my Dell D820 is sputtering. I'll work on resolving this later, but the first test was partially successful.

The Sessions

For Day 2 at RSA, they flipped the daily agenda and today have the breakouts in the morning and the keynotes after lunch. This would have been ideal, had I not been up til 1:30AM fighting with Silverlight. I started the day by sitting in on my buddy Jeff Jones's session entitled Linux vs. Windows Security: Updating the Debate. Jeff and Professor Richard Ford of the Florida Institute of Technology, an avid Linux user, delivered the session. They had a really polite (and often humorous) discussion about the number of security vulnerabilities and the concept of vulnerability severity, and talked about things like Days of Risk. It was a great session, and for those of you who want to have this discussion, Jeff is always ready and willing to do so.

Immediately after that session, I moved over to attend the session conducted by U.S. CERT entitled Risk Mitigation Strategies: Lessons Learned from Actual Insider Threat Attacks, which was delivered by two of the smartest people in the world on the topic, Dawn Cappelli and Andy Moore. They've been conducting research on this topic since the late '90s and they have a wealth of knowledge in the area. You know this is a huge area of interest for me, since I think too often we focus our attention (and budgets) externally, when we have data walking out the front door. It seems as security pros we want to focus on the cool and sexy attacks, but really spend very little time mitigating the "low hanging fruit".

Gettin My Party On!

Yeah....well...after last night's video experience, and then working the Microsoft Info Booth for 4 hours, I was about all pooped out. I did manage to swing by the Security Bloggers party at Jillian's. Very well attended, and I had no idea there were so many people who blog in this area. Bruce Schneier from BT Counterpane was there, as was Ira Winkler. I've known Ira for a few years and we see each other in speaker lounges at conferences or in the First Class lounge at the airport. After spending some time mingling amongst the illuminati of the security blogging world (your author excluded)....I hopped in a cab to attend an amazing event at the German Consulate, sponsored by the German Federal Office for Information Security and hosted by Dr. Udo Helmbrecht. I got the opportunity to mingle with some really great security minds here as well. The host was amazing and I really enjoyed being around the German community again. After about 90 minutes at this event, I was worn out! I decided to pack it in and head back. I had invites to another 3 or 4 parties tonight, but I want to be really fresh for tomorrow's sessions, since it'll be the first full day of sessions I can attend. RSA is absolutely about attending sessions and learning a ton, but it's also about networking with some great people.

I'm off to bed! Big fun day tomorrow!

RSA 2008 - Day 1: Craig Mundie and Omarosa

New Direction

I got up nice and early and managed to drag myself over to the convention, to be sure I wouldn't miss Craig Mundie's keynote where he announced the new End-to-End Trust vision we've been hearing about internally for a few weeks. Craig delivered the keynote in a "fireside chat" format with Chris Leach, who is the CISO at Affiliated Computer Services (ACS). For those of you who may not know Mr. Leach, Chris is well known in the security community and earned tremendous respect during his tenure as the CSO at BankOne during the 9/11 attacks and the recovery thereafter. The discussion was really around a concept we refer to as "I + 4A", which stands for "Identity + Access, Authentication, Authorization, Access Control and Audit", the 5 major security elements that help establish trust. The whitepaper is designed to get people to engage us and open up a dialog to discuss the concepts further. You're not going to get any "Microsoft marketing" in this whitepaper. It really is platform and vendor agnostic. We are looking for comments, and we have opened up a public forum for your feedback. Please take a moment, read through this and let us know...is this on the right track, or where does this concept need to be revised? I'll be covering this topic at several customer-focused events in the next few months, so when you see me.....let me know what you think!

"Is that who I think it is...."

So I'm diligently manning the Microsoft info booth today when I see someone we think was Omarosa from "The Celebrity Apprentice" walk by. We argued whether it was or was not her, so I hopped out of my seat and went to find out. Sure enough, one of the booths had hired her to do some press. I managed to get over to the booth and since no one else was around, got practically dragged over by the vendors to get a picture taken with her. I found out later she even stopped by the Microsoft booth to discuss a technical issue she's having with her computer. I happened to be "off the clock" for a few hours, so I didn't get looped in, but I'm sure we'll get it fixed for her.

Market Yourself!

The only session I managed to get to today (I have a job too!) was the one entitled "PROF-107: Managing Your Own Security Career".

The session abstract: "Careers in information security are often difficult to navigate with the industry changing more and more radically every year. This session will address important skills, traits and knowledge that a security professional needs – not just the usual stuff (like “get certified”) - but the real-world knowledge that teaches you how to have the job that keeps you challenged, growing and well compensated."

Lee Kushner and Mike Murray both did a great job of explaining the unique role that security careers cover. They discussed how we are in one of the most competitive roles in the entire world, and one that demands a great deal of focus and staying current. I especially liked the piece they did on Recession Proofing Your Career and how we think that in the security business we can't be put out on the street, because we're so valuable. Newsflash! Security isn't that special anymore, and it's too often getting rolled into other orgs. We're no longer bulletproof. They spent a good deal of time talking about Taking Ownership of your career, because no one is going to do it for you. Don't expect your boss to do it for you, they said...he's too busy managing his own career. Finally they talked about Personal Branding and How to Market Yourself. They even answered the age-old question "What certification should I get?" The answer:  Whichever certification you feel will allow you to connect with the people that you want to know, and establish the brand that you hope to establish. It's not about certs, titles, or degrees. It's about getting into a position that you feel is a good fit. As Lee Kushner stated, "There are ton of security jobs. Most of them are bad jobs no one wants. The trick is finding the good ones."

Tomorrow I have to spend a few hours in the Info Booth, but will hit a bunch of sessions in the morning! Stay tuned!

The End to End Trust Vision: Microsoft's Framing of the Discussion and Call for Dialog Around Security


You've been sitting around asking yourself, "Okay okay...I heard Bill Gates announce the whole 'trustworthy computing' concept back in 2002... What's next Microsoft? How do we solve the future security problems as an industry?"

As you know, the Internet has transformed the way many of us live today. Social networking represents the new town square; blogging has turned citizens into journalists (even Kai gets to pontificate on a world stage now!); and e-commerce sites have spurred global competition in the marketplace. But as the Internet has become more integral to our daily lives, it also has become a magnet for crime, and many people now feel that security and privacy on the Internet are at unacceptable levels. Despite progress countering this with technology and process improvements, the full potential of the Internet has yet to be realized, and most people believe that security and privacy on the Internet remain at unacceptable levels.

Microsoft believes the time is ripe for broad public dialog about how to build a roadmap for Internet security and privacy. We must work together toward a more trusted Internet that enables things like online child safety, secure and private transactions, a robust critical infrastructure and true, Anywhere Access – while mitigating more insidious issues, such as data and identity theft.

Today at RSA 2008, Craig Mundie announced our proposed security vision to open that public dialog. It's called End to End Trust. Understand this is more than just technology. Enabling End to End Trust requires that we continue to build on technology progress and align those innovations more closely with social, economic and political forces.

Action Items for You!

Step 1) Read Scott Charney's End to End Trust whitepaper (23 pages) and decide what you think about this direction...

Step 2) Post your comments on the forum and be prepared to discuss! Click here to join the discussion!

Where's Kai? RSA Conference 2008!!


Well...if you're an IT Security Professional, you owe it to yourself to make the journey to the annual RSA Conference at least once in your life. It's the world's biggest security conference and many a great new announcement is made here. This year, it's my turn! They have some awesome speakers here! They got Craig Mundie, our Corporate VP; Michael Chertoff, Dept of Homeland Security Chief, author Malcolm Gladwell, and a bunch of others.

I just got in, and I'm currently unpacking, but it looks like we'll have a fun-filled week. I forgot how nice San Francisco is in the Spring! It's Opening Day for MLB's San Francisco Giants (sans Barry Bonds) and the local protesters are enjoying this day (literally as I'm typing) by scaling the Golden Gate Bridge to hang a huge Free Tibet banner. Ahhh Spring! Well, this week is all about learning what the future of security looks like and seeing all the latest and greatest technologies involved. I can't wait. You are probably wondering what I'll be doing, and no, it won't be my usual speaking gig. I'm actually going to be staffing the event to help answer your questions, as well as blogging and doing some screencasting for the event, assuming no technical issues and everything Keith Combs showed me works. (BTW, if you're wondering, I managed to get a slot by mentioning that I can lift heavy things. We do what we have to <sigh>.)

If you're in the Microsoft area, please come on over and say hello! I love to hear what's going on in the real security world from those of you who live it! If I'm not around, please catch me when I'm running around the Moscone Center, as I love to sit and chat. Since I'll be staffing, the sessions I attend will be varied, but I'm going to try and hit the majority of ones that deal with Internet crime and insider threat, as well as ones that deal with the business of security. I'll report back each night with a few posts about each of the sessions I attend. Also, be sure to check out the Microsoft RSA 2008 blog, where my buddy Jeff Jones will be doing the same for keynotes and the sessions he attends.

Secure Code through the Eyes of an IT Pro

I'm not Michael Howard. My software development background consisted of struggling through my two C++ classes in my undergraduate MIS program. Sure, I managed to convince my professors that I knew what a virtual function was and how it all worked, but I never really felt the "Call of the Code" like Michael, Bill Steele, or Joe Stagner did. These guys are superheroes. So you can imagine my surprise when I was approached by the HelloSecureWorld.com team, to do a video for their website. Was this a cruel joke? Was I going to have to relive the pain of seeing another "Error Compiling Source" message again? Would I be forced to end my statements with a semi-colon?

Fortunately for the world, I was simply asked to pontificate on my thoughts around the importance of writing secure code. I can absolutely attest that as vendors continue to harden both operating systems and applications, the new attack points are going to be those "custom" applications that are being written inside your organizations. Most of you have heard some Microsoft AppDev security guru talk about the Microsoft Secure Development Life Cycle (SDLC) and how we implement this internally. The proof is in the pudding! Compare the number of vulnerabilities in Windows XP after 1 year to those of Windows Vista. Compare Windows 2000 to Windows Server 2008. Compare any application server to SQL Server 2005. SDLC works! But what about your developers? Are they following a strict SDLC themselves, or is security merely "sprinkled in" with a quick username/password option at the very end of the development project? Hear me loud and clear: Security needs to be baked in at every step of the process! If it's not, bad things will eventually happen.

......but I digress.....when the HelloSecureWorld.com folks approached me, I told them I'd do the video....but only if I could do it THRU THE EYES OF JOE, THE IT PRO!!!

Who's the guy who gets the call when the code craters the messaging server? You do!

Who's the guy who's got to call his wife because he's gonna miss dinner AGAIN? You!

Who gets to miss the kid's pee-wee football games because a SQL Injection attack just ported all your company's PII out to the Internet? YOU!

So please.....take a moment and check out this insightful video that (hopefully) captures the pain you experience when your devs write non-secure code. As painful as it is, watch the WHOLE video...to the end.

Pimp my Ride...or Inbox: Check out Xobni

Bill Gates referred to them as “the next generation of social networking” and touted them as a great plugin for Microsoft Outlook. If you're into plugins and tweaks, this is a really sweet little deal. In case you're wondering where Xobni got their name....it's "inbox" spelled backwards! They got the Task Pane all maxed out in pure brilliance.

Sad part is, it's tough to get into the Beta...you got to get an invite. You, good sir, are in luck....click on the button on the left pane of my blog and you should be good to go!


Anna Bot

At Microsoft, we have a team of both internal and external vendors who spend their entire lives creating presentations for speakers like me. While the material is not always perfect, it is often a huge time saver. Unfortunately the material is not always applicable to what I'm going to be speaking on. I'm not saying it isn't good....I'm saying it's not always timely enough or pertains to the topic I'm being asked to speak on.

This means I usually spend a great deal of time culling through existing decks or researching material to build them completely from scratch. This can involve anywhere from 30-40 (or more) hours of research and dumping it into a PPT deck, followed by many more hours of fighting with Powerpoint. After that, if you like to do demos like I do, you now need to start building VMs and demos. The majority of time I'm not onstage or getting to the venue (via plane, taxi, car, or dugout canoe)...I'm in the process of creating content....all because I want you to have something that you could simply download of TechNet on your own.

As a true multi-tasker, I usually have 2-3 presentations I'm working on at the same time. One of the sessions I'm currently working on is Botnets. I think it's a huge security concern and the opportunity to really understand them and how they work, and what they do is important to defeating them.

I've seen many crazy things out there on the Internet, as many of you have, but I had yet to see an attack vector with its own video. Check it out....it's actually pretty good.


Book of the Month Club: Influence: Science and Practice, by Robert Cialdini

I've been meaning to get back to the Book O' The Month club idea for awhile. My buddy Matt started the idea, and I'm glomming on, since I think it's a good one.

Mitnick Recommended

The book I just finished is entitled "Influence: Science and Practice" by Robert Cialdini. Before I dive into why you need to read this book, I wanted to quickly cover the funny circumstance of how I came to read it. As many of you know, I'm currently pursuing my MBA in Information Assurance (aka "computer security"). I've already completed all the security requirements for the degree, but still have the core business classes to complete. One of those mandatory classes is Marketing Management. If you have ever seen me speak at a conference, you know I tend to use Sales and Marketing people as the butt of my jokes, as they are often a thorn in the side of the IT Dept (which I'm sure is mutual). Before you start flaming me with comments about the importance of the Marketing department, let me quickly add: I know. My wife is a Marketing professional of 10+ years and was a Marketing Manager at Microsoft, among many other roles. I also happen to work in the Marketing Communications (MarComm) arm of the Trustworthy Computing Group at Microsoft. I fully understand the importance (and the love of my life is quick to remind me lest I forget).

Last year, I attended an INFRAGARD conference where Kevin Mitnick spoke. He highly recommended reading this very book! Of course, I always wanted to get around to it....but never seemed to find the time...until it showed up on the Required Reading list for the Marketing Management course. I was even reading it at an ISSA conference recently, and had 3 people come up to me inquiring or commenting about this book. Isn't payback fun?

Weapons of Influence

This book explores the reasons behind the fixed action patterns we seem to do automatically in life, or as the author calls them, the "Click, Whirrr" actions. He identifies several principles including: reciprocation, commitment, social proof, liking, authority, and scarcity. I'll cover the last one, scarcity, briefly. Why is it that when there's only 1 Tickle-Me Elmo doll left at the toy store, everyone wants it? Did it get more valuable all of a sudden? Why is it that you're out shopping for a gas grill and the salesman tells you, "Darn...we just sold the one you were looking at." (in which case you're very sad, cuz you love BBQ, and you DO wish you had bought one last week when you were here!), but he comes back a few minutes later, saying that after some digging around, he was able to locate another one....if you want it. Well, of COURSE you want it!! You better get it because there probably aren't any more! Why do stores mention "for a limited time only"? One reason: They're leveraging the Principle of Scarcity on you. Collectors know this all too well...the less of something there is, the more it's worth.

Kai, Why Do I Do What I Do?

This book not only explains the things that you do, and why you have an overwhelming, sometimes automatic response to things, but it also explains, with great examples, why you do them. Do you ever wonder why the folks at Costco give you free samples? Sure...they want to demo how good the smoked salmon is....but they also want to plant a feeling of "Well darn....I did take that free sample...maybe I'll just toss it in the cart this time." Welcome to the Principle of Reciprocation. "This is our gift to you sir. Would you be willing to make a donation of $100?" No way! "How about a smaller donation of $5?" Well...sure...it beats the heck out of $100......BAM...hello Rejection Then Retreat technique from the same principle.

Why Do I Care as an IT Security Person?

The best part of this book is that it provides you techniques to defend yourself against these tactics!!! My wife is always telling me that for someone who jokes about marketing, I'm about the most easily marketed-to person she's ever met. Case in point:

Kai: Sweetie...this <Insert Geek Toy of Choice> is the best one out. We need to get it.

Wife: How do you know it's the best?

Kai: Because everyone I know uses it (Social Proof), Keith recommended it (Authority), and it's the only one left on the shelf (Scarcity). It's pretty obvious, isn't it?

Wife: But how do you know it's the best and not just good?

Kai: Look at the box...it says so.

(Go ahead and laugh...you've been there too. This is why I love my wife and why God has put her with me....it's a safety boundary for my long-term financial solvency. Still not sure what I bring to the table.)

...the bottom line is that this book explains the techniques that Social Engineers use to gain access to your secrets. It explains how we go through life with this "automated response" to stimuli without ever realizing that someone else is using it against us. We should be aware of why we do what we do and not just go through life in a series of "Click...Whirr" moments. It's a pretty easy read and one that will certainly have you realize that marketing is getting the last laugh.

So get it today.....it's probably the last one left.

Posted by kai axford | 1 Comments

The End of an Era: Brett Favre to Retire

Packers quarterback Brett Favre celebrates after his 13-yard touchdown pass to Brandon Jackson in the third quarter of Saturday's NFC divisional playoff game against the Seattle Seahawks at Lambeau Field.  Patrick Ferron/The Post-Crescent

Stunned. Shocked.

I can't believe that the heart of my beloved Green Bay Packers is hanging up the cleats. Regardless, I completely respect and understand Brett's decision to retire. He holds all those NFL records, 3 MVPs, and a Super Bowl title. All I can say is Thank You Brett Favre for the years of memories (and near heart attacks). God bless you and your family for the fun and excitement you've delivered over the years! You'll always be the heart of the Green Bay Packers to me.

Posted by kai axford | 0 Comments

Why Windows Vista is Better than Your O/S

Today is a big day for Microsoft's Trustworthy Computing team! It's the release of the Windows Vista One Year Vulnerability Report composed by my good friend and teammate, Jeff Jones. First let me just put to rest any kind of "of course it's favorable...it's written by Microsoft" stuff that I know several people reading are saying to themselves right now. If he was just some shill for Microsoft....would he be a blogger for CSO Magazine?

Let me tell you a little about my experience with Jeff Jones and his research. Jeff Jones' methodology is sound. (Read that again.....out loud.) When I first came to this team in 2006, I was one of the first people to say, "Who's going to believe this, Jeff? You work for Microsoft.....of course it's favorable." Jeff quickly sat me down and explained that he would gladly put his data up against anyone who wanted to contest his research methods and findings. He's also quick to point out where Microsoft falls behind. Here's another "little known fact" about Mr. Jones. Jeff is one of the loudest voices inside Microsoft about our vulnerability reporting. It's Jeff who will storm into a VP's office and say that we should err on the side of being MORE critical of our security accounting. Jeff Jones' integrity is above reproach.*

Read the guide and get the facts. Quit listening to what the fear mongers are telling you. Read it and come to your own conclusions. Microsoft software is not perfect......no software is....but I think you'll agree that Microsoft is absolutely on the right track.

(P.S. If you enjoyed this....then you'll also enjoy the Microsoft Security Intelligence Report, which is chock-full of data points as to what is really going on out there!)

*Jeff Jones is, however, not without his faults....he spends far too little time playing World of Warcraft, instead choosing to be a slightly above average Texas Hold'Em player and Media Center geek. That is, in itself....a sad commentary.

UPDATE: Read what Jesper Johansson has to say on it. Jesper has a Ph.D. so he has also taken the data and come to some conclusions. Interesting.

It Was A Good Run....

Packers defensive tackle Corey Williams kneels to compose himself after a 23-20 overtime loss to the New York Giants in Sunday night's NFC championship game at Lambeau Field. Patrick Ferron/The Post-Crescent

Well....as you can imagine it has taken me some time to get over the fact that my beloved Green Bay Packers football season has come to an end. I appreciate all the emails, text messages, and phone calls concerning my well-being. Contrary to many reports, I was not on "suicide watch" but it was not a very pleasant evening at Casa del Axford. I especially want to apologize to my lovely bride for her patience and understanding during my emotional crisis. She puts up with a lot from her crazy Packers husband and she is truly a gift from God.

The loss was especially painful as they were given numerous opportunities to beat the New York Football Giants, yet seemed to squander each of them. How can Al Harris (who's going to the Pro Bowl) allow Plaxico Burress to punk him like a little kid out there??!! How can our running offense just completely dry up and blow away in a week? How does a professional football player not simply FALL ON THE LOOSE BALL AND ENSURE HIS TEAM A WIN!!?!?!?

Many of you will quickly call out my lack of attention paid to Brett Favre....especially for his game-losing interception in OT. Here's the deal: It's the same gunslinger mentality that got us to the NFC Championship game. It was the same kind of pass that won the game against Denver in overtime. You live by the gunslinger......you die by the gunslinger. Simple as that.

Thank you Green Bay Packers for a great season and for not having me cash out my 401(k) to go to the Super Bowl!

Posted by kai axford | 1 Comments

Not your Mama's Webcasts: Kai does the Defense in Depth Webcast Series

Hopefully you were able to join me for a terrific two weeks of webcasts!! In 8 sessions we covered every layer of the security model known as "defense in depth". For those of you who missed out on the great fun we had, here's a way to go and check out the recordings. I did the best that I could to ensure that things didn't get dull and we avoided the "death by PPT" issues. I even tried to add some guest stars and some slick demos, as well as a segment called "What's on Kai's Mind?". Check them out....you won't be bored!

The reviews are in! Hear what your peers had to say!

  • Kai Axford starts off this series with a lot of energy and enthusiasm. This was a very informative and frankly eye-opening session. I'm going to watch the whole series!
  • Working on policies right now, thanks Kai!!
  • Folks at Microsoft - keep Kai Axford happy and keep those webcasts coming. Kai takes the often dry topic of security and makes it strike home with his descriptive and colorful examples and approachable manner. Even my non-tech parents would be able to understand this, and yet it's helpful to a tech person like myself as well - an excellent balance.
  • I really enjoy Kai's lively and down-to-Earth presentation style!
  • An informative and enjoyable webcast. Kai Axford is a dynamic and engaging presenter - definitely on my Top 10 list!
  • Fantastic information! This series just keeps getting better. Please bring it on.

Security—you hear about it every day. Being responsible for information security can be a daunting task, so where do you begin? From the design of acceptable use policies to preventing insiders from stealing data, the job can be a challenging one. Join Kai Axford, Senior Security Strategist with the Microsoft Trustworthy Computing Group, as he explores each layer of Defense in Depth during this eight-part webcast series. Kai shows you how to mitigate the new risks in security and may have you rethinking the methods you're using. He also spends time talking about your hot topics of the day.

TechNet Webcast: 2008 Defense in Depth Security Series (Part 1 of 8): Why Does Security Matter? (Level 200)

In the first session of the series, we discuss risk and the impact of security on the business. We look at some popular methods to assess risk and identify the need for an overall security strategy. We also explore why you should care about information security, how to measure the success of your program, and how to prove it to your boss using the concept of Return on Security Investment (ROSI). Learn how security impacts the cash flow of your business. Bring your CFO to this one!

TechNet Webcast: 2008 Defense in Depth Security Series (Part 2 of 8): All Bark and No Bite (Level 200)

In our second session, we take a look at what is considered to be the most important aspect of information security: security policies. We discuss the policies that exist within your company and how to strengthen them. After all, what good is a policy if it is not enforceable? We also investigate the most cost-effective way for you to increase the security posture of your business. What is it? You have to tune in to see! You will not be disappointed.

TechNet Webcast: 2008 Defense in Depth Security Series (Part 3 of 8): Gates, Guards, and Guns (Level 200)

Today we look at an aspect of information security that is often overlooked by technical folks. It is the physical security aspect of our job. Are you aware that every year at DEFCON there is a lock picking contest? In this session, we dive into various techniques and methods that we should be considering when it comes to providing physical security around our datacenters. We discuss some of the recent trends in this area, such as IP video surveillance, and also discuss resources that can assist you in coming up with a good overall physical security plan. (No locks were harmed in preparation of this session.)

TechNet Webcast: 2008 Defense in Depth Security Series (Part 4 of 8): Living on the Edge (Level 200)

In case you are not aware, the Internet is not a safe and happy place. Have you thought about all the other branch offices and partners you are connected to? Bad things are going on and you would like to do what you can to keep them out in the wild. In today's session, we look at some of those risks, and also discuss some technologies you should be considering when looking at securing the perimeter. You know about Intrusion Protection Systems (IPS), Intrusion Detection Systems (IDS), and firewalls, but are they doing any good? Is the DMZ as we know it today…dead?

TechNet Webcast: 2008 Defense in Depth Security Series (Part 5 of 8): Keeping Your House in Order (Level 200)

We start the week by discussing a problem that is close to your heart: your network. But how can we even begin to take on that challenge? What are some of the things on the horizon that we need to be aware of? In this session, we look at technologies and concepts such as IP Security (IPSec) Domain Isolation and Network Access Protection (NAP). We also look into some practical things that you should be doing right now to protect one of your most valuable assets.

TechNet Webcast: 2008 Defense in Depth Security Series (Part 6 of 8): Save the Box, Save the Network (Level 200)

Servers. We all love them. Wouldn't it be so much easier if we simply did away with everything else? There is no argument that the multitude of desktops, laptops, and mobile devices has created headaches for the IT security professional. Just when you lock down a desktop, the sales guy gets a new laptop, and then a new mobile phone. We cannot (legally) eliminate the users, but join us to see what we can do to stay ahead of the risks!

TechNet Webcast: 2008 Defense in Depth Security Series (Part 7 of 8): If You Build It (Securely), They Won't Come (Level 200)

Grab the caffeine and pizza! Today we step into the dark underground of AppDev and discuss methods for securing applications that run inside your infrastructure. As we harden the network and hosts, the bad guys are looking for other ways in, and often it is the applications being written by your own developers. Do your developers have the time and tools required to build their applications securely, or is security merely an afterthought? What tools are available to assist them? We show you today. No coding required.

TechNet Webcast: 2008 Defense in Depth Security Series (Part 8 of 8): If a Terabyte Falls in the Middle of the (Active Directory) Forest (Level 200)

Got data? Sure you do, but how much? Where is it? How is it protected? What is it worth to you? Which is the most important? If you could save only one database, which would it be? Answers to all these burning questions, as well as some closing thoughts from Kai, are going to be covered in this final session. You do not want to miss this electrifying and intense final webcast!
