<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.technet.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Steve Riley on Security : blogging</title><link>http://blogs.technet.com/steriley/archive/tags/blogging/default.aspx</link><description>Tags: blogging</description><dc:language>en-US</dc:language><generator>CommunityServer 2.1 SP1 (Build: 61025.2)</generator><item><title>Blog relocated again</title><link>http://blogs.technet.com/steriley/archive/2009/08/19/blog-relocated-again.aspx</link><pubDate>Thu, 20 Aug 2009 01:02:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3275119</guid><dc:creator>Steve Riley</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/steriley/comments/3275119.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=3275119</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=3275119</wfw:comment><description>Just a quick update, to make sure everyone knows. I've moved my blog from MSInfluentials to WordPress.com. Please update your aggregators/bookmarks/favorites to &lt;a href="http://stvrly.wordpress.com" target="_blank" mce_href="http://stvrly.wordpress.com"&gt;http://stvrly.wordpress.com&lt;/a&gt;. 
I've posted the reasoning for my move, as well as a description of my personal foray into the cloud, over there.&lt;br&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3275119" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/blogging/default.aspx">blogging</category></item><item><title>Comments, administrivia, and the future of the “infosec professional”</title><link>http://blogs.technet.com/steriley/archive/2008/10/15/comments-administrivia-and-the-future-of-the-infosec-professional.aspx</link><pubDate>Thu, 16 Oct 2008 01:29:13 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3136996</guid><dc:creator>Steve Riley</dc:creator><slash:comments>14</slash:comments><comments>http://blogs.technet.com/steriley/comments/3136996.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=3136996</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=3136996</wfw:comment><description>&lt;p&gt;Back when the spam was spiraling out of control, I configured my blog to close comments after 90 days. I’ve removed the limitation now, for two reasons: the spam is under control, and I wanted to reply to a comment made to my post on IPsec/IPv6 direct connect.&lt;/p&gt;  &lt;p&gt;On &lt;a target="_blank" href="http://blogs.technet.com/steriley/archive/2008/06/25/directly-connect-to-your-corpnet-with-ipsec-and-ipv6.aspx#3104911"&gt;13 August, jcorey&lt;/a&gt; asked about how to deal with those who firmly believe that the only answer to any security problem is to inspect everything at the edge. This is an important question, and I wanted to give Joe an answer. 
(You might have to scroll down when you click the previous link, it seems that linking to individual comments is broken.)&lt;/p&gt;  &lt;p&gt;Today, &lt;a target="_blank" href="http://blogs.technet.com/steriley/archive/2008/06/25/directly-connect-to-your-corpnet-with-ipsec-and-ipv6.aspx#3136984"&gt;15 October, I&lt;/a&gt; wrote a little thesis as an answer to his question. I’m calling it out in a separate post because I want to make sure those of you with aggregators that don’t update when posts receive new comments still have a chance to reply with your thoughts. I’ll also repost it here:&lt;/p&gt;  &lt;blockquote&gt;   &lt;p&gt;jcorey-- You've nailed the biggest obstacle to deploying something like direct connect. Many security professionals have been taught that there simply is, and never will be, a process or technology that allows you to trust anything that originates from outside your corpnet. These professionals cling to this belief, and have been the cause that allowed the whole “detection” market to bloom. &lt;/p&gt;    &lt;p&gt;Let me be clear: this total lack of trustworthiness is no longer absolutely true. Of course there will be times when unknown machines will be used by known and unknown people to access your information. But what about one particular subset -- known humans, with known portable computers -- can't we do something better than treat them as toxic invaders? &lt;/p&gt;    &lt;p&gt;Indeed we can. And that's what I'm proposing with direct connect. The technology -- managed, of course, with the right processes -- exists so that you can extend the trust to known computers even though you don't trust the network they're connected to. This is because you have mechanisms that: &lt;/p&gt;    &lt;p&gt;1. Allow you to configure the machine according to your requirements (domain join, group policy) &lt;/p&gt;    &lt;p&gt;2. Dictate computer and user authentication requirements (IPsec policies, smart cards) &lt;/p&gt;    &lt;p&gt;3. 
Limit what the users of these machines can do (UAC, non-admin, Forefront Client Security, Windows Firewall, even software restriction policies) &lt;/p&gt;    &lt;p&gt;4. Validate the health of machines initiating incoming connections and remediate if necessary (NAP, System Center Configuration Manager) &lt;/p&gt;    &lt;p&gt;5. Limit the threat of attacks against stolen computers (domain logon, smart cards, BitLocker with TPM) &lt;/p&gt;    &lt;p&gt;With the robust authentication, validation, configuration, and control mechanisms available to you, I simply don't see that there's any need to fall back to “detection” now. Detection technologies were -- and remain -- necessary for the times when we have no clue about the health of client computers and when we had no way to gauge the intent of the users. But it is truly reflective of a head-in-the-sand mentality to assume that this is a complete description of what's capable today. &lt;/p&gt;    &lt;p&gt;You know, someone once asked me what it takes to be a security professional. I answered that there are two primary elements: &lt;strong&gt;become a networking/packet wonk&lt;/strong&gt;, and &lt;strong&gt;be willing to change your opinions&lt;/strong&gt; when the right evidence comes along. Indeed, I suspect that many security folk have forgotten the need to keep their wonkiness updated, which in turn makes them resist new ideas regardless of the strength of the evidence. I'm not very proud of what I just wrote, because I loathe generalities, but I'm not sure what else to think here. Sigh.&lt;/p&gt; &lt;/blockquote&gt;  &lt;p&gt;Joe’s question is important and strikes at the foundation of what it means to be a security professional today. I’m eager to continue this conversation, because it’s reflective of what I sense to be a radical shift in our jobs—we are, or should be, no longer the wolf-crying propeller-head who sits in the basement and twiddles with the firewall. 
Instead, our job should be defined as one who’s charged with protecting the organization’s information from attack, while maximizing its utility to authorized users, according to the principles of least privilege. Your thoughts?&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3136996" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/blogging/default.aspx">blogging</category><category domain="http://blogs.technet.com/steriley/archive/tags/infosec+as+a+profession/default.aspx">infosec as a profession</category></item><item><title>Who is "dodacrazy" and what is a "montize buddy"?</title><link>http://blogs.technet.com/steriley/archive/2008/09/11/who-is-dodacrazy-and-what-is-a-montize-buddy.aspx</link><pubDate>Fri, 12 Sep 2008 01:53:55 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3122715</guid><dc:creator>Steve Riley</dc:creator><slash:comments>4</slash:comments><comments>http://blogs.technet.com/steriley/comments/3122715.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=3122715</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=3122715</wfw:comment><description>&lt;p&gt;Check this out:&lt;/p&gt;  &lt;p&gt;&lt;a title="http://blogs.technet.com/steriley/archive/2008/06/25/directly-connect-to-your-corpnet-with-ipsec-and-ipv6.aspx#3122377" href="http://blogs.technet.com/steriley/archive/2008/06/25/directly-connect-to-your-corpnet-with-ipsec-and-ipv6.aspx#3122377" target="_blank"&gt;http://blogs.technet.com/steriley/archive/2008/06/25/directly-connect-to-your-corpnet-with-ipsec-and-ipv6.aspx#3122377&lt;/a&gt;&lt;/p&gt;  &lt;blockquote&gt;   &lt;p&gt;Hey Steve you and your montize buddy Scott will soon have your hands full after the federal officers come down on your data scams and as for your educational acts i'm not buying it and if others are willing to trade your data for their profits guess there 
are fools born everyday tunnels oh I see drug dealers right Stevo&lt;/p&gt; &lt;/blockquote&gt;  &lt;p&gt;Normally I delete spam from my comments, and have occasionally deleted mindless ranting criticism (I encourage vigorous discussion of ideas, but won't allow personal attacks). However, this guy's comment is just...weird.&lt;/p&gt;  &lt;ul&gt;   &lt;li&gt;What's a &amp;quot;montize buddy Scott&amp;quot;? I know lots of Scotts, and once even admired a particular &amp;quot;Montgomery Scot.&amp;quot; But &amp;quot;montize&amp;quot;? Maybe it's a new kind of malt.&lt;/li&gt;    &lt;li&gt;I don't believe I'm perpetuating any data scams, none that I know of, anyway. If any of you, my readers, feel that I'm scamming your data, I guess I haven't concealed that fact well enough. Oops, sorry! We'll have to add another item to the constantly-growing list of &lt;a href="http://www.privacyrights.org/ar/ChronDataBreaches.htm" target="_blank"&gt;data breaches&lt;/a&gt;.&lt;/li&gt;    &lt;li&gt;While it's true that some of my conference appearances aren't free, no one is certainly forced to buy any of my &amp;quot;educational acts.&amp;quot; A lot of my presentations you can &lt;a href="http://www.microsoft.com/emea/spotlight/result_search.aspx?speaker=20&amp;amp;product=0&amp;amp;rating=0&amp;amp;x=72&amp;amp;y=13" target="_blank"&gt;download for free&lt;/a&gt;!&lt;/li&gt;    &lt;li&gt;I never look in tunnels for my supplies, they're too dark and you can never be totally certain of what you're getting.&lt;/li&gt; &lt;/ul&gt;  &lt;p&gt;Thanks, dodacrazy, for a good Thursday morning laugh!&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3122715" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/blogging/default.aspx">blogging</category><category domain="http://blogs.technet.com/steriley/archive/tags/things+that+make+me+laugh/default.aspx">things that make me 
laugh</category></item><item><title>Tweet!</title><link>http://blogs.technet.com/steriley/archive/2008/06/26/tweet.aspx</link><pubDate>Fri, 27 Jun 2008 08:52:18 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:3079175</guid><dc:creator>Steve Riley</dc:creator><slash:comments>1</slash:comments><comments>http://blogs.technet.com/steriley/comments/3079175.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=3079175</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=3079175</wfw:comment><description>&lt;p&gt;The other day an office mate asked, &amp;quot;Do you twitter?&amp;quot; Sorting through the various snarky remarks that immediately popped to mind, I replied that I didn't think anyone would find my routine bits all that interesting. He suggested otherwise: that it would be a convenient place to record quick ideas. So I am &lt;a href="http://twitter.com/steveriley" target="_blank"&gt;now indeed twittering&lt;/a&gt;. Check out the link on the right of this blog. 
For those using an RSS/ATOM aggravator, you'll want &lt;a title="http://twitter.com/statuses/user_timeline/15237105.rss" href="http://twitter.com/statuses/user_timeline/15237105.rss"&gt;http://twitter.com/statuses/user_timeline/15237105.rss&lt;/a&gt;.&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=3079175" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/blogging/default.aspx">blogging</category></item><item><title>Playing around with my blog</title><link>http://blogs.technet.com/steriley/archive/2007/09/26/playing-around-with-my-blog.aspx</link><pubDate>Wed, 26 Sep 2007 21:40:21 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:2053437</guid><dc:creator>Steve Riley</dc:creator><slash:comments>3</slash:comments><comments>http://blogs.technet.com/steriley/comments/2053437.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=2053437</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=2053437</wfw:comment><description>&lt;p&gt;In the right-hand column I've added a new section with four interesting bits of info for you:&lt;/p&gt; &lt;ul&gt; &lt;li&gt;A &lt;a href="http://www.clustrmaps.com/" target="_blank"&gt;ClustrMap&lt;/a&gt;, that shows the locations around the world where people read my blog from. I registered the thing back in December 2006, but just figured out how to add it to the blog software a few days ago.  &lt;li&gt;My bookmarks from &lt;a href="http://del.icio.us/" target="_blank"&gt;del.icio.us&lt;/a&gt;. I just started this yesterday and I've put in some links that many of you ask about. I'll update it from time to time, enjoy.  &lt;li&gt;The current &lt;a href="http://www.homelandstupidity.us/" target="_blank"&gt;Homeland Stupidity&lt;/a&gt; threat rating. 
Yes, it's intended to spoof the Homeland Security national threat level, which as we all know doesn't provide anything actionable for ordinary citizens. This website has some good commentary that'll make your blood boil.  &lt;li&gt;&lt;a href="http://www.technorati.com/" target="_blank"&gt;Technorati&lt;/a&gt; stuff--authority display (which isn't working, maybe it takes a while?), reaction counts and link, and a button for you to add me to your Technorati favorites.&lt;/li&gt;&lt;/ul&gt; &lt;p&gt;As time goes on, I'll probably add more. Hope you find this useful.&lt;/p&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=2053437" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/blogging/default.aspx">blogging</category></item><item><title>My blog is not a forum for advertisements</title><link>http://blogs.technet.com/steriley/archive/2006/09/30/My-blog-is-not-a-forum-for-advertisements.aspx</link><pubDate>Sun, 01 Oct 2006 08:17:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:460221</guid><dc:creator>Steve Riley</dc:creator><slash:comments>9</slash:comments><comments>http://blogs.technet.com/steriley/comments/460221.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=460221</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=460221</wfw:comment><description>&lt;P&gt;&lt;FONT face="book antiqua,palatino" size=3&gt;It's bad enough that the blasted spammers pollute the value of blogs and open forums by hijacking them with their nefarious comments for questionable pharmaceuticals claiming to extend&amp;nbsp;particular body parts. I have recently received, only via private email so far, exhortations to explore mostly unknown security products claiming to magically eliminate a variety of security pains. (OK, I'm exaggerating. I doubt magic is involved.)&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;&lt;FONT face="book antiqua,palatino" size=3&gt;I've continued to endure the spam and have kept my comments open and unmoderated indefinitely. Fortunately, Telligent is putting some additional anti-spam measures in place. But folks, please don't use my blog to sell&amp;nbsp;me or anyone else any&amp;nbsp;products, ok? That's what your own web sites are for. :)&lt;/FONT&gt;&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=460221" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/advertising/default.aspx">advertising</category><category domain="http://blogs.technet.com/steriley/archive/tags/blogging/default.aspx">blogging</category><category domain="http://blogs.technet.com/steriley/archive/tags/spam/default.aspx">spam</category><category domain="http://blogs.technet.com/steriley/archive/tags/things+that+make+me+angry/default.aspx">things that make me angry</category></item><item><title>This is a test...this is only a test.</title><link>http://blogs.technet.com/steriley/archive/2006/09/02/This-is-a-test_2E002E002E00_this-is-only-a-test_2E00_.aspx</link><pubDate>Sat, 02 Sep 2006 11:12:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:453610</guid><dc:creator>Steve Riley</dc:creator><slash:comments>2</slash:comments><comments>http://blogs.technet.com/steriley/comments/453610.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=453610</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=453610</wfw:comment><description>&lt;P&gt;Ah, it's a wonderful Saturday afternoon here in Singapore. I just finished up some customer meetings in Bangkok and Manila this week, and TechEd Asia starts next week in Kuala Lumpur. So I'm hanging out in Singapore for the weekend, spending some time with friends and relaxing between events.&lt;/P&gt;
&lt;P&gt;Thought I'd give the new &lt;A href="http://ideas.live.com/programpage.aspx?versionid=4372c8c2-b76f-4d44-aea1-9835b61d8dc1" target=_blank mce_href="http://ideas.live.com/programpage.aspx?versionid=4372c8c2-b76f-4d44-aea1-9835b61d8dc1"&gt;Windows Live Writer&lt;/A&gt; a try, to see how well it integrates with the Telligent blogging system used by TechNet and MSDN. I'll post this now and take a look at the results.&lt;/P&gt;
&lt;P&gt;[...time passes...]&lt;/P&gt;
&lt;P&gt;Well waddya know it works! I guess maybe I'll stick with this for a while then. Sure beats the built-in Telligent editor.&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=453610" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/blogging/default.aspx">blogging</category></item><item><title>F*#$!@g spam!</title><link>http://blogs.technet.com/steriley/archive/2006/05/31/F_2A002300240021004000_g-spam_2100_.aspx</link><pubDate>Wed, 31 May 2006 22:31:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:431562</guid><dc:creator>Steve Riley</dc:creator><slash:comments>16</slash:comments><comments>http://blogs.technet.com/steriley/comments/431562.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=431562</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=431562</wfw:comment><description>&lt;P&gt;Yeah, it's been a while since I've written a post, and I have some ideas I'll get to once the prep work for TechEd this year settles down a bit.&lt;/P&gt;
&lt;P&gt;But look -- why in the world do the freaking spammers have to start targeting &lt;EM&gt;blogs&lt;/EM&gt; now? I keep my comments open and unmoderated because I'm generally opposed to censorship. I really don't want to have to switch to moderated comments. But I'm getting a bit tired of the spam that appears here.&lt;/P&gt;
&lt;P&gt;We all keep drowning in the stuff because spam works, obviously. Why? Because somebody, somewhere, is actually &lt;STRONG&gt;buying penis enlargement pills!&lt;/STRONG&gt; &amp;lt;grumble&amp;nbsp;grumble&amp;gt;&amp;nbsp;If it's you, do us all a favor: &lt;EM&gt;please stop!&lt;/EM&gt;&lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=431562" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/blogging/default.aspx">blogging</category><category domain="http://blogs.technet.com/steriley/archive/tags/spam/default.aspx">spam</category><category domain="http://blogs.technet.com/steriley/archive/tags/things+that+make+me+angry/default.aspx">things that make me angry</category></item><item><title>www.steveriley.ms is down</title><link>http://blogs.technet.com/steriley/archive/2006/05/07/www.steveriley.ms-is-down.aspx</link><pubDate>Mon, 08 May 2006 07:41:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:427514</guid><dc:creator>Steve Riley</dc:creator><slash:comments>0</slash:comments><comments>http://blogs.technet.com/steriley/comments/427514.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=427514</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=427514</wfw:comment><description>That web site runs on WinISP, an experimental ISP hosted for Microsoft employees to use for testing. WinISP is having problems of late, as many of you have written to me in emails. I'm looking for a new home for my PowerPoints and recordings; once I find it, I'll post a note here in the blog. 
Sorry for the inconvenience, folks...&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=427514" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/blogging/default.aspx">blogging</category></item><item><title>Yes, I'm alive</title><link>http://blogs.technet.com/steriley/archive/2005/01/12/Yes_2C00_-I_2700_m-alive.aspx</link><pubDate>Wed, 12 Jan 2005 23:53:00 GMT</pubDate><guid isPermaLink="false">d5e57398-b9ef-4490-9955-07cbb4e4a80d:351709</guid><dc:creator>Steve Riley</dc:creator><slash:comments>4</slash:comments><comments>http://blogs.technet.com/steriley/comments/351709.aspx</comments><wfw:commentRss>http://blogs.technet.com/steriley/commentrss.aspx?PostID=351709</wfw:commentRss><wfw:comment>http://blogs.technet.com/steriley/rsscomments.aspx?PostID=351709</wfw:comment><description>&lt;P&gt;And am finally gonna start posting some things here, starting with many of my recent presentations. Please see &lt;A href="http://www.steveriley.ms/" mce_href="http://www.steveriley.ms"&gt;http://www.steveriley.ms&lt;/A&gt; and click the "Presentations" link in the left side column. There you'll find PPTs for most of the sessions I've delivered in the past couple years. If you need something you can't find, just let me know.&lt;/P&gt;
&lt;P&gt;BTW, a friend of mine in New Zealand set up that web site a while ago for me. He's Nick MacKechnie, a technical account manager in Auckland. Thanks Nick!&amp;nbsp;&amp;nbsp; &lt;/P&gt;&lt;img src="http://blogs.technet.com/aggbug.aspx?PostID=351709" width="1" height="1"&gt;</description><category domain="http://blogs.technet.com/steriley/archive/tags/blogging/default.aspx">blogging</category></item></channel></rss>