Browsing articles from "April, 2013"

Do Cyber Exercises Prepare Security Teams For Attacks?

It was recently reported that the so called “Locked Shields 2013″ NATO exercise has finished and lo and behold, the blue team won. Of course this leaves us to question how “real” these exercises truly given the stark reality that security teams in the real world are taking a beating. The blue team victories in these types of events are not uncommon and nor are blue team victories uncommon in the real world either. However, from a simple finger in the wind measurement, it would seem that the blue team victory record in simulated exercises is beginning to approach that of the Harlem Globetrotters versus the Generals.

The problem is that the blue teams are real world, while the red teams are not. Furthermore, the simulated environments offer the blue teams far more control than they actually have in their enterprise this therefore makes the attacks less lethal and the security teams more powerful. Some may argue that the red teams employed in these exercises are real world penetration testers and indeed they are. However, penetration testers and government funded red team members are night and day different.

The Story of an Ugly Sweater (A Lesson in Professionalism)

For many of us “keyboard cowboys” as the ever quotable 90′s flick “Hackers” put it, stepping out behind the flickering monitors is an interesting adventure. Yet, it is an adventure many of us will be forced to embark on as we progress in our careers. Indeed there are many lessons to be learned in these undertakings. One of which can be found within a recent engagement where I was requested to appear in a marketing video in order to provide some thoughts on sophisticated attackers.

Great opportunity right? Absolutely! There was only one problem, I was traveling and did not bring the proper attire to appear in said video. The result was, as one rather stylish marketing professional put it, a version of me that “looked like a rat” or as my own sister put it, “A ragged Mr. Rogers.” Let’s consider the events that lead to such a result in order to identify where I made my mistakes.

I had traveled to the RSA conference for customer meetings and the obligatory annual security industry reunion. Of course, this trip was not quite so simple for me. After arriving at RSA on Monday, I was required to leave late night Tuesday for an engagement in Arizona, before returning to the RSA conference Wednesday afternoon. Furthermore, I would be attending Hacker Snowfest, a gathering of sorts in Tahoe, post RSA. Later, I would See it worked once before!learn I needed to stop by Pulse in Las Vegas and make an appearance at an Executive Business Center meeting in Atlanta, before finally returning home. In other words, I had planned to make a trip to three cities in a week, and ended up making a trip to five. One of those trips required ski attire including a bulky jacket, snow pants, an under layer, ski socks, gloves, and a helmet (which is not to mention my awesome cookie monster t-shirt). All this means is I did a lot of travelling with a lot of extra weight.

Thus, in an effort to reduce weight, I packed “intelligently” for work, especially pertaining to work attire. During the winter, this means wearing a sweater rather than a suit or suit jacket. Sweaters can be great travel business attire since it is presentable, easily packable (foldable and can be ironed), and can be used in both social and business contexts. Additionally, the sweater can be paired with collared shirts and ties. This look has worked well in the past for me (as can be seen by my swagger in the picture to the right) but it is not the look you want to sport in a video. This can be seen as my first mistake, I did not pack for a situation where I could be required to dress more formally. Though this is a simple mistake to make, in a way it violates Rule #5 of my rules for security business travel.

Not having a suit or a jacket left me with a few options, purchasing a new suit or suit jacket (both expensive options and highly time consuming), or putting together an outfit from the clothes I brought with me. I elected to go cheap and efficient by putting together an outfit from the clothes I had with me. The problem was that I figured that any sweater and any collared shirt combination would work (it didn’t). Therefore, I was forced to put together the only two items I had with me that looked somewhat presentable, which happened to be a Michael Kors sweater at Nordstrom Rack (I pop tags) and a $15 collared shirt I keep as a back up in my suitcase.

What does this all mean? It means I looked as thrown together as my outfit was, that I was not comfortable and by not being comfortable it effected my performance, which was acceptable, but not by any means my best. Worst yet, the collective of all of this is all of this is immortalized in a pretty solid marketing video. Which can be seen below.

So what did we learn? When doing something that is recorded and public facing, make sure you are comfortable and professional. In a jam, that may mean springing the extra dollar to ensure that you are, or it may mean passing up on an opportunity. Doing this will establish an ethos and one mistake can live on for a long period of time. As for me, I’ll only make this mistake once.


Take2