Why Rules-Based Training Isn’t Enough: Building Muscle Memory for Effective Phishing Prevention


It’s been quite a while since my last post but I got inspired by a recent discussion about the effectiveness of phishing training for employees. The person I was speaking with was frustrated that no matter how many phishing simulations they did, their employees were still clicking on the next phish.

Phishing attacks can be quite sophisticated, and it’s more important than ever to ensure that employees are trained to spot them. However, simply handing employees a set of rules or policies, or making them watch a video each time they click on a simulated phish, is clearly insufficient. That got me thinking: how do we help employees build muscle memory and prevent phishing attacks?

I love analogies so please humor me while I try to explain why rules-based training isn’t enough using the example of making a peanut butter and jelly sandwich.

The rules for making a PB&J sandwich are simple: use two pieces of bread, creamy or crunchy peanut butter, your favorite flavor of jelly, and a knife.

But anyone trying to teach a child how to make a sandwich knows the rules aren’t enough. You need to show them the process:

  1. Lay both pieces of bread on a plate or paper towel.
  2. Open the peanut butter container.
  3. Use the knife to scoop peanut butter from the container.
  4. Use the knife to spread the peanut butter on one or both pieces of bread.
  5. Use a clean paper towel to wipe off the knife.
  6. Use the knife to scoop jelly from the container.
  7. Use the knife to spread the jelly on top of the peanut butter.
  8. Place the two pieces of bread together with the peanut butter and jelly in between them.

As you can see, the process is much more complicated than the rules and even includes decisions about things that aren’t even called out in the rules! The same goes for phishing training. It’s not enough to give employees a stack of policies or have them watch a training video. They need to walk away with a detailed process they can understand and follow to build muscle memory.

To drive this point home, let’s use another analogy. Imagine your child is learning to drive. You give them the rule book from the DMV, and they read it cover to cover. Then, you take them to get their learner’s permit. As you leave the DMV, you hand them the keys and say, “You’ve learned the rules, and you’ve watched me drive for the past 15 years. You should know how to drive, so take us home!”

How well do you think they’ll do? Good luck getting out of the parking lot without hitting something! They need someone to walk them through the process for months until they build enough muscle memory.

The same goes for phishing, teaching a developer how to build code securely, or any other type of training. You start with your policies and standards, but if you don’t take the time to build out standard operating procedures, employees are left to figure things out ad hoc.

Rules-based training is not enough. Employees need a detailed process they can follow to build muscle memory. Only then will you see a real change in behavior and adoption.

Disagree or have another thought? Please let me know in the comments and let’s discuss!

CISSP Blog Post 2, Domain 1: Security Controls


Credit: Post based on CISSP course presented by Dennis Lee, November 2018

After last week’s blog on Risk Analysis, let’s consider some criteria on selecting countermeasures to mitigate risks.

  1. Perform a cost/benefit analysis
  2. Determine accountability of the countermeasure – who’s in charge of the safeguard?
  3. Don’t rely on design secrecy as the only form of protection. Security through obscurity alone is not enough.
  4. Ensure countermeasures are universally applied – especially for tools used in monitoring. You must apply them fairly & consistently to all employees and/or customers.
  5. Provide a defense in depth – multiple layers of protection – don’t rely on just one countermeasure!
  6. Apply the least common mechanism – don’t always place all solutions in one location. I.e. try to eliminate single points of failure & recognize that you don’t always get the best of breed from all solutions.
  7. Get acceptance from your employees and/or customers – users always struggle between security vs. convenience.
  8. Minimize human intervention – for things that can be automated (e.g. anti-virus updates)

So what types of controls are available? Control types include:

  • Technical / Logical (e.g. a network firewall or a captcha puzzle)
  • Physical (e.g. a security fence or camera)
  • Administrative (e.g. Reviewing logs)
  • Preventative – goal is to stop unwanted activity or behavior (e.g. Intrusion Prevention System (IPS))
  • Corrective – goal is to mitigate an incident & reduce damage (e.g. a fire extinguisher)
  • Directive – administrative control focused on management aspects (e.g. requiring managerial approval)
  • Deterrent – controls focused on consequences
  • Recovery – controls focused on restoration
  • Compensating – an alternative when the best controls are not available or feasible (e.g. using an Endpoint Detection & Response (EDR) solution to monitor OS files vs. using a traditional File Integrity Monitoring (FIM) solution)

You can also combine controls, for example:

  1. Preventative + Technical = IDS or Firewall
  2. Detective + Administrative = Reviewing logs, reporting on penetration tests
  3. Corrective + Physical = Fire Extinguisher

CISSP Blog Post 20, Domain 4: Network Firewalls


Credit: Post based on CISSP course presented by Dennis Lee, November 2018

09/06/2020 – Edit: I am starting to publish a series of blog posts on topics related to studying for the Certified Information Systems Security Professional (CISSP) exam. I am updating this post first, but I’m also changing the name of the post to help folks better identify where it falls in the series. I’m also adding in illustrations!

It’s been quite a while since my last post so here’s hoping I can keep the momentum going!

In this post, I’m going to walk through the four different types of firewalls and what they are best used for.

The four types of firewalls, from most basic to most complex include:

  1. Static Packet Filtering Firewall
  2. Stateful (aka Dynamic) Inspection Packet Firewall
  3. Circuit Level Proxy Firewall
  4. Application Level Proxy Firewall

Static Packet Filtering Firewalls
Static Packet Filtering Firewalls are the most basic type of firewall. The only type of filtering you can do is allow or block specific IP addresses and ports from entering or exiting the firewall. For example, you can block computers on your network from accessing Google’s DNS service by creating a rule that blocks any outgoing traffic to 8.8.8.8:53 (TCP & UDP).

Benefits: Cheapest option, fast to apply rules

Drawbacks: Limited filtering abilities, cannot scan or inspect inside a data payload

Static Packet Filtering Firewall

Stateful (aka Dynamic) Inspection Packet Firewall
Stateful or Dynamic Inspection Packet Firewalls provide all the functionality of Static Packet Filtering Firewalls, plus they “inspect” and allow or block based on connection states. For example, the firewall can watch a TCP handshake being performed and determine if it is executed normally, or if there’s a denial of service (aka a SYN flood) attack occurring and then automatically block the incoming traffic, keeping your internal machines from being overwhelmed.

A typical TCP handshake begins when one machine sends a SYN request to another; the second machine replies with a SYN and an ACK acknowledgment; the original machine then sends an ACK acknowledgment back, completing the handshake and allowing communication to begin. If the original machine never sends that final ACK and instead just keeps sending a stream of new SYN requests, the firewall recognizes that the handshakes are not completing correctly and blocks the flood of incoming SYN requests.

Benefits: Stronger filtering capabilities, retains (logs) state information about a connection for further offline analysis

Drawbacks: More expensive system, slightly slower filtering, still cannot inspect inside a data payload, requires static rules to allow unsolicited inbound traffic (e.g. email incoming to an email server)

Stateful Inspection Firewall
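To make the difference between the two firewall types concrete, here is an added example (not code from the original post) that simulates both in Python: a static filter that only looks at header fields and applies the post’s “block outgoing 8.8.8.8:53” rule, and a stateful inspector that tracks the three-way handshake per client and blocks a source once it has piled up more half-open connections than a threshold. All IP addresses, ports, the 3-connection threshold and the sample traffic are constructed for the demo.

```python
# Added example (not from the post): a toy static packet filter and a toy
# stateful inspector, run over constructed packets. Every IP, port, rule
# and the half-open threshold below is made up for the demonstration.
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str                        # "tcp" or "udp"
    flags: frozenset = frozenset()    # TCP flags, e.g. {"SYN"}, {"SYN", "ACK"}, {"ACK"}
    direction: str = "out"            # "out" = leaving our network, "in" = entering it


@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "block"
    dst_ip: Optional[str] = None      # None means "any"
    dst_port: Optional[int] = None
    proto: Optional[str] = None
    direction: Optional[str] = None

    def matches(self, p: Packet) -> bool:
        wanted = (self.dst_ip, self.dst_port, self.proto, self.direction)
        actual = (p.dst_ip, p.dst_port, p.proto, p.direction)
        return all(w is None or w == a for w, a in zip(wanted, actual))


def static_filter(rules, p: Packet, default="allow") -> str:
    """Static packet filtering: first matching rule wins; only header fields
    are examined and the payload is never looked at."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default


class StatefulInspector:
    """Static rules plus connection tracking: a client with more half-open TCP
    handshakes than `max_half_open` is treated as a SYN flood and blocked."""

    def __init__(self, rules, max_half_open=3):
        self.rules = rules
        self.max_half_open = max_half_open
        self.half_open = {}           # client ip -> set of 4-tuples awaiting the final ACK
        self.established = set()      # 4-tuples (client ip, port, server ip, port)
        self.blocked = set()          # client ips judged to be flooding

    def process(self, p: Packet) -> str:
        if p.src_ip in self.blocked:
            return "block"
        verdict = static_filter(self.rules, p)
        if verdict == "block" or p.proto != "tcp":
            return verdict            # UDP has no handshake to track
        key = (p.src_ip, p.src_port, p.dst_ip, p.dst_port)
        reverse = (p.dst_ip, p.dst_port, p.src_ip, p.src_port)
        if p.flags == {"SYN"}:        # step 1: client opens a handshake
            pending = self.half_open.setdefault(p.src_ip, set())
            pending.add(key)
            if len(pending) > self.max_half_open:
                self.blocked.add(p.src_ip)
                return "block"
            return "allow"
        if p.flags == {"SYN", "ACK"}: # step 2: server answers a SYN we actually saw
            return "allow" if reverse in self.half_open.get(p.dst_ip, ()) else "block"
        if p.flags == {"ACK"} and key in self.half_open.get(p.src_ip, ()):
            self.half_open[p.src_ip].discard(key)   # step 3: handshake completes
            self.established.add(key)
            return "allow"
        # everything else must belong to an established connection
        return "allow" if key in self.established or reverse in self.established else "block"


# Constructed rule set: the post's example of blocking Google's DNS service
RULES = [
    Rule("block", dst_ip="8.8.8.8", dst_port=53, proto="tcp", direction="out"),
    Rule("block", dst_ip="8.8.8.8", dst_port=53, proto="udp", direction="out"),
]


def demo():
    """Run three constructed traffic scenarios through the inspector."""
    fw = StatefulInspector(RULES, max_half_open=3)
    verdicts = []
    client, web = "10.0.0.5", "203.0.113.10"       # internal client, external web server
    # 1) a normal three-way handshake out to the web server
    verdicts.append(fw.process(Packet(client, 40000, web, 443, "tcp", frozenset({"SYN"}))))
    verdicts.append(fw.process(Packet(web, 443, client, 40000, "tcp", frozenset({"SYN", "ACK"}), "in")))
    verdicts.append(fw.process(Packet(client, 40000, web, 443, "tcp", frozenset({"ACK"}))))
    # 2) a DNS query to 8.8.8.8 hits the static rule
    verdicts.append(fw.process(Packet(client, 40001, "8.8.8.8", 53, "udp")))
    # 3) an outside host sends SYN after SYN to our mail server and never finishes
    for port in range(50000, 50005):
        verdicts.append(fw.process(Packet("198.51.100.7", port, "10.0.0.20", 25, "tcp", frozenset({"SYN"}), "in")))
    return {"verdicts": verdicts, "blocked": sorted(fw.blocked), "established": len(fw.established)}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the three behaviours side by side: the handshake to the web server is allowed packet by packet and ends up in the established table, the DNS query is dropped by the static rule before any state is consulted, and the fourth unanswered SYN from the outside host trips the threshold so that everything further from that source is blocked. A real stateful firewall also ages out half-open entries and keeps per-connection sequence numbers, which this simulation leaves out.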

Circuit Level Proxy Firewall
Circuit Level Proxy Firewalls provide all the aforementioned functionality of both the static packet filtering and stateful inspection packet firewalls. In addition, they provide Network Address Translation (NAT) and Port Translation.

Benefits: There is no direct contact between client and external server, internal IPs are hidden from external systems, malformed packets are dropped and not forwarded onwards

Drawbacks: Requires a minimum of 4 packets per round trip (e.g. client sends packet #1 to firewall, firewall repackages into new packet #2 & sends to external server, external server sends reply packet #3 back to firewall, firewall repackages into new packet #4 and sends to internal client), more expensive system than the previous two, still cannot inspect inside a data payload.

Proxy Firewall - Circuit Level

Application Level Proxy Firewall
Application Level Proxy Firewalls do everything the last three firewalls can do and, in addition, can inspect inside data payloads! The firewall does this through proxies that are written for each service that’s required to pass through the firewall “air gap”. A proxy is a piece of software that’s customized to each service (e.g. HTTP, SMTP, FTP, etc.); it unpacks the data packet, inspects the data inside, and filters the content based on proxy rules.

Benefits: Can inspect inside data packets! Can even inspect inside encrypted payloads, provided you have the requisite certificates to decrypt the payload and re-encrypt it before sending it onward.

Drawbacks: Most expensive option, much slower to filter data, and not all services have proxies written for them. Such services may require custom coding, or a generic TCP/UDP proxy that essentially bypasses the proxy filtering capabilities (i.e. it can’t scan inside the payload) and simply allows traffic through on a specific service port.

Proxy Firewall - Application Level

Personal Tips: How to keep your information secure


Disclaimer: Even the tips provided below cannot completely protect you. Work to develop your Security Mindset. Always remember, if you’re unsure if something is secure, ask!

In this post, I will highlight how a “Security Thinker” thinks, cover different avenues of attack including physical, personal, & digital attacks, and finally spend a little time on how you can protect your data.

Becoming a “Security Thinker”

Ever picked up your car from the dealer after an oil change? The conversation probably went something like this…

Me: “Hi, I’m here to pick up my car…”
Customer Rep: “What’s your last name?”
Me: “Beck”
Customer Rep: “Got it, I see you in my list. I’ll have them pull your car right out front.”
Me: “Thanks!”

Great customer service? Or a massive breach in validating the real owner of the car?

How about this product?

SmartWater is a water-based, clear solution “paint” which is brushed or sprayed onto property, drying totally invisible. Each bottle contains the owner’s unique forensic formula (PIN) which is logged into a secure database so recovered property can be traced. The paint transfers to a thief’s clothing and skin, providing microscopic forensic evidence to prove the presence of the suspect at the time of the incident.

Let’s think about this for a second. Here’s a fun scenario…

I have a bottle of SmartWater and I’m over at your house. I really like your new TV… when you go out of the room to get me a beer, I brush a little on under the front corner. The next day, I call the cops to report that you stole my TV – and I have proof!

Good security product? Or easy way to legally steal?

Hopefully these stories highlight how a “Security Thinker” should think.

Avenues of Attack

Social Engineering refers to someone using psychological manipulation to get information from someone else. For example, you are working in a call center & someone calls and says “Hello, this is Yosef from IT, I’m working from home today and can’t log in, can you help me?” If you know Yosef, you may recognize that the person on the line isn’t him. Probably, you won’t know Yosef from Adam & if you are not careful, you may provide sensitive information without realizing it. To help protect yourself, here are a few tips:

  • Take off your employee badge or put it in your pocket when you leave the office. Anyone eating lunch next to your table can potentially gain all sorts of valuable information by looking at it such as the company you work for, your name, & even potentially your employee number & your title.
  • Do NOT share matters related to work, such as campaigns, products, services, complaints, or customers with people you don’t know.
  • Do NOT let unknown individuals into your office or a client’s office. Piggybacking is not allowed!
  • Double/triple check requests for confidential information – especially e-mail requests! A follow up phone call is good practice.

Another potential avenue of attack is your mobile devices. Nowadays, your phone can potentially give someone access to your credit cards, your bank accounts, your social media accounts, and a variety of other information such as confidential documents, etc. Don’t forget your laptop or data thumb drive either! For all of these devices, follow these tips to be safe:

  • Use a login password.
  • Set your device to wipe itself if the password is entered incorrectly X number of times. Note – this may not be practical if you live with toddlers who like to press random buttons…
  • Setup a program to remotely wipe your device in case it’s stolen.
  • Encrypt your devices! Good encryption programs include Windows BitLocker, Apple FileVault, & GnuPG
  • Try not to leave mobile devices in your car unattended – and NEVER leave them in plain sight!

With regards to your phone, another avenue of attack is through software:

  • Only download apps that have been downloaded many times before (e.g. 1 Million+)
  • Understand the permissions that an app is requesting – does your flashlight program really need access to the internet?
  • Watch for battery to start draining quicker than normal – this may indicate that an unwanted app is running in the background.
  • Turn off features you don’t need such as: NFC, Android Beam, Bluetooth, picture geo-location tagging, & automatic uploading of pictures to Social Media sites.
Here are some Social Media tips for staying safe:

  • Be an adult. Don’t talk to strangers!
  • Don’t post information you don’t want others to know
  • Don’t friend strangers just to collect “friends”
  • If you get a friend request & you think you’re already friends with them, check!
  • Remember that you don’t know for sure who’s really on the other end of a chat

For any of your computing devices, always make sure that you are keeping up with the latest security updates – this applies to both your operating system & any software / apps. This is especially true for any programs that access or interface with the internet!

  • If you are on Windows, security patch updates include fixes for vulnerabilities that Anti-Virus programs may not catch! Don’t postpone them, & if you have updates set to install automatically, shut your device down fully at least once a week to give updates a chance to fully install.
  • Updating software includes updating any plug-ins – these may not update at the same time as the main piece of software. For example, if you’re running the Mozilla Firefox browser, you need to keep your add-ons & plug-ins up to date yourself.
  • Hopefully everyone already does this, but don’t open e-mail attachments from people you don’t know! Always make sure your anti-virus program scans an attachment before you open it. Also, keep in mind that file extensions can be changed! A simple TXT file may actually be an executable file that will damage your computer!
  • Do NOT rely on anti-virus to keep you safe! If you don’t know what your anti-virus is prompting you to do, try Googling/Binging the message &/or ask a friend!
  • Passwords: Do NOT share them! Do NOT use the same password for personal & work access. Make your passwords looooooong! Anything under 12 characters can be guessed by a computer program in just a couple of hours. If someone wants to get into your account they probably can, but don’t make it any easier for them than you have to.

Protect your Data!

Data comes in all types & sizes: it can be your SSN, your phone number, address, contact list, work documents, financial information, etc. Tips for protecting your data include:

  • Log out of websites & IM services when you leave your PC
  • Instead of doing a simple delete of computer files that have sensitive information, use a shredding program (such as Eraser – http://eraser.heidi.ie/)
  • Shred your physical papers, credit cards, CDs, envelopes, receipts, etc. Anything that has sensitive information should be destroyed before putting it in the trash.
  • Back up your data! Use hard backups such as making copies on an external hard drive, or back up to the cloud (top rated backup program is https://www.code42.com/crashplan/)

Remember! Just because you’re paranoid… doesn’t mean they aren’t out to get you! 😉

Managing SharePoint List Permissions


I typically don’t do a lot in Microsoft SharePoint; however, on my current project I’ve been building out a little site that has required learning some new things about it. In particular, I had a main site with multiple lists on it. I also had multiple groups of people set up, and I wanted to ensure that each group can view the main site but can only view their specific list.

So it turns out that if you create a group at the site level, then it automatically overrides permissions at the list level, even if you tell a list not to inherit permissions from the parent site. What you have to do is create the group at the site level but not select any of the permission levels: just create the group without any permissions. This creates the group with “Limited Access” permissions, which does not allow its members to view or do anything.

Then, you go to the specific list you want to grant the group permissions to and add the group there, granting them permissions directly at the list level. In my case, I gave them “View Only” permissions because it allows users to view lists and look at documents attached to the list.

Finally, in order for users to view the main site (but not any lists below the main site), create a Visitors group, grant it “Read” permissions, and add the users to it. This restricts them to viewing the site but not any lists (besides the specific ones you grant permissions to).

Hope this helps!

The two Microsoft help articles I referenced are:

Remove users and groups from site access – Windows SharePoint Services

Customizing user access to a SharePoint list or library – SharePoint Server

Heartbleed’ing – what do I do?


With the Heartbleed bug in the news recently, a lot of folks have asked me for advice on what to do.

First off, here’s a quick description of what Heartbleed is:

Wikipedia states: Heartbleed is a security bug in the open-source OpenSSL cryptography library, which is widely used to implement the Internet’s Transport Layer Security (TLS) protocol. This vulnerability, classified as a buffer over-read, results from a missing bounds check in the handling of the Transport Layer Security (TLS) heartbeat extension, the heartbeat being behind the bug’s name.

In plain(er) English – this means that websites running a vulnerable version of the OpenSSL encryption library can be made to leak information that should have stayed private to anyone who queries the website in a certain way. A website address that starts with https:// (note the “s”) uses SSL/TLS to encrypt the data passing back and forth between the website and your browser.

To find out if a website is affected, you can use a bunch of different tools to check the version of OpenSSL used by a website. The easiest one that I’ve come across is LastPass’s Heartbleed checker available here.

When you plug in a website, it will tell you if the website uses OpenSSL &, if so, whether it’s safe to use the website or not. Here’s a screenshot of what the checker tells you about yahoo.com:

LastPass Heartbleed Checker

As you can see, LastPass says that Yahoo used to use the problematic OpenSSL but has since fixed it on their website and that it’s now time to change any Yahoo passwords that you may have.

If a website hasn’t updated their OpenSSL to a fixed version, there’s really no point in changing your password – I would recommend minimizing or ideally not using the website until it has been fixed. If possible, contact the website & tell them that you are not using their website until they get it fixed.

Hope this information helps explain what Heartbleed is & what to do about it – stay safe!

~Yosef

Can’t remember your PIN? Here are some tips for choosing a new one!


In today’s era of computers, the numerical password or PIN is incredibly easy for a computer to guess. That being said, here are some ideas to make the number you choose harder to crack and easier for you to remember.

First off, a computer can guess any numerical PIN less than 11 digits long in about 2 seconds thanks to the power of iterative guessing.
The best way to protect your PIN is to enable a time out on whatever device you have. For example, on your phone or tablet, if someone enters the wrong PIN more than X number of times, it wipes the device’s data, or it makes you wait a minute between each try, etc.

Next, try using the following methods to pick a PIN that’s difficult (for a human) to guess, but that you can remember:

  • Make your PIN as long as you can. This will depend upon your device & your memorization abilities. Assuming you can use all 10 digits (0 – 9), a 4 digit PIN gives you 10^4 or 10,000 possible combinations. 5 digits gives you 100,000, etc. The longer the PIN, the harder to guess.
  • Don’t use a number someone else would know (such as your birthday).
  • Use the keypad on your phone to spell a random word that you will remember (e.g. NAME = 6263).
  • Make a sentence out of numbers. E.g. using the first letters of each word in “This Sentence Is Awesome!” gives a PIN (on a phone keypad) of 8742.
  • “Encrypt” your password by appending another number to it. E.g. if your birthday is July 19th, choose a PIN of 0719 and then tack on another number (such as the last 4 of your phone number) to give you: 07191234
  • Don’t use a common PIN – 10% of PINs equal 1234, another 10% are 0000 and 1111. That means that 20% of the time, I can guess your PIN using those 3 numbers. A number like 2580 looks random but it’s the 22nd most common PIN. Why? Because it’s straight up & down on a phone keypad. Be unique – don’t follow the herd.
  • Use sports players jersey numbers. This doesn’t work for me because I’m not a sports guy, but for those of you who are – just concatenate the jersey numbers of your favorite players together. E.g. Babe Ruth (3) + Lou Gehrig (4) + Yogi Berra (8) could give you a PIN of 030408.
  • Choose a number you like such as your birthday and then subtract or add another number you like. So your birth year might be 1955 and your wedding year might be 1978. The difference is 23. Subtract 23 from your birth year to get 1932. To make it even harder to guess, reverse the numbers to get 2391.
  • For a bank card, use the assigned random PIN and memorize it.

Helpful? Got tips or tricks of your own for remembering PINs? Share in the comments below!

~Yosef

What I learned during the TAG Cyber Attack & Business Continuity Simulation


Georgia’s Governor Nathan Deal proclaimed February 25th, 2014 to be “Business Cyber-security Day in Georgia”.

As part of the initiative, the Technology Association of Georgia (TAG) ran a Cyber Attack & Business Continuity Simulation, which I attended. It was an amazing presentation, not only of content but also of coordination.

The simulation was of a fictional company (The Logistics Company, aka TLC) and how it would respond to different attacks on its systems. There were seven attacks carried out during the simulation. There were roughly 30+ people involved with the simulation and the entire event was broadcast to multiple locations around the US as well as to Kuwait. Making it more interesting, the people involved hold the same positions in their real companies as the people they were portraying in the simulation. The people playing the C-suite in the simulation, are really C-suite executives in their respective companies, the lawyers in the company are really corporate lawyers in the real world, etc.

In addition, due to the Governor’s proclamation, the entire event was hosted at Dobbins Air Force Base and included participation from the Georgia Air National Guard, the Cobb County Police/911 department, the GBI, as well as the FBI.

There were five cyber attacks, one physical attack, and one social engineering attack.

In reverse order, the social engineering attack was left until last and was more informative vs. something that the business needed to directly respond to in the simulation. An outside resource recruiter informed the business that she had been approached by a Chinese company to try & poach recruits from TLC’s supply chain division. She was approaching TLC because she had become suspicious after following up with each of the recruits to see how their interviews had gone with the Chinese company and been told that the interviews were all one way with the Chinese company asking all the questions & not following up to actually hire any of the interviewees.

The end result was, the Chinese company was trying to gather intel about TLC for a variety of potentially nefarious reasons. I assume the logical response of TLC would be to warn/train its employees about how to respond to strange recruiting requests. Obviously, TLC cannot mandate that their employees don’t talk to recruiters at other companies, but they do need to be aware that every time they talk to someone outside the company, the information could be used to hurt TLC.

The physical attack proved very interesting to me because it helped me realize the role of police and other emergency response personnel in an emergency. The fictional attack involved two ex-employees sabotaging the company’s data center (it turned out to be their backup data center, so it wasn’t as large a crisis as it could have been). The employees went and destroyed cooling towers as well as backup generators, so the data center had to be taken down immediately or risk frying all the equipment.

The immediate business response was to call 911. After which, they realized it was their backup facility and it did not hurt their primary data center. They then quickly made arrangements to back up their main facility to a third-party data center. In real life, the backup would take a while to accomplish but so long as their primary facility didn’t go down, it would not hurt their day-to-day operations.

The problem with the immediate business response was, as soon as the police arrive at a potential crime scene, the business loses all control of the scene until the police allow them back in. Therefore, if the business needs access to computers, data, etc. they may lose access to all of it until the police finish collecting the evidence they need. This can potentially hurt the business even more than the actual damage if they cannot complete in-progress business at the time of the crime.

The cyber attacks ranged widely in nature (I forgot what the fifth one was):

  • An international hacker encrypting the business’s data files & demanding a ransom
  • Disgruntled employees installing Raspberry Pi’s to override PLC (Programmable Logic Controller) instructions to disrupt a sorting & packaging facility
  • Hackers disrupting the shipment routing system and sending critical shipments of organ transplants to random addresses
  • The DoD finding out that routers shipped by TLC included malware which was spying on the data flowing through the networks

All of the cyber attacks were pretty complicated and included potential damage to the business’s brand image in the marketplace (especially when the critical organ transplants were not delivered on time), as well as complications involving contracts and insurance policy questions. The main lesson learned here was to ensure that your legal team is involved in preparing your business continuity planning to ensure that you are not breaking contracts with suppliers, clients, or insurance policies depending on how you respond in an emergency situation. There may be SLAs, legislation (such as HIPAA or other privacy laws), or other contractual agreements which you may be bound to regardless of what has happened to your company.

The three main points I got out of the simulation were:

  1. Having a single page listing all important phone numbers is better than any 8 inch thick binder full of amazing plans, because the binder will get left on the shelf during an actual crisis.
  2. The act of planning is almost more important than your response in a situation. The act of planning forces you to organize and think through your response so that you at least do something instead of freezing in an emergency situation.
  3. It’s important to have a good response team put together – but even more important is to have all of them in communication during a crisis. Get the key decision makers in one room, or on one conference call. No one leaves until the crisis is over. If they need information, send out others to collect it. Keep your decision makers in the loop at all times so they can respond as soon as the situation changes.

I’m looking forward to attending next year’s simulation!

The Power of Complaints: Parking Security?


I had a fascinating insight into one of my blind-spots with regards to both security and complaining today that I would like to share.

Here are the facts:

  • For the past couple of months I have been working at a new building for one of my clients.
  • The building has many different tenants and it has a huge parking deck. One level of the deck has a gated, paid visitor parking area while employees park for free in different, gated areas.
  • As a visitor, you enter through a different door and the security guards in the lobby ask all guests to sign in.
  • When you sign in, they ask for your name, company you are visiting, time in, & time out.
  • When you enter or leave the parking deck, some or all of the gates are sometimes open, allowing anyone to drive through – usually without paying.
  • Because I was coming to the building on & off for a couple of months, the desk security began to recognize me and told me that since I was a regular visitor, I didn’t have to park in the paid parking area; I could simply pull up to any of the employee gates, press the intercom and tell them: “Employee trying to get in (or out)”.

Those are the facts. How I interpreted these facts (and was the basis for my complaint) was:

Obviously the building security didn’t have a clue or didn’t care that it was:

  • Losing revenue by leaving the gates open
  • Not protecting the vehicles parked in the lot by leaving the gates open
  • Unable to contact any visitor to the building in the case of an emergency (because they didn’t ask for contact info)
  • Unable to know if a real employee was trying to use the employee parking area!

Based on my view, my conclusion was, the security was inadequate for protecting property or people and therefore was stupid.

As I said, this was my complaint, and what helped me validate it was that everything making up my complaint was true!

However, I realized that I was being inauthentic because this was only my view and I didn’t have a clue what the view of the people administering the “security” to the building was. Today, I walked up to the lobby security and told them that I was very confused by what the parking and building security appeared to be from my view and I asked them why they did what they did.

This is what their view turned out to be. They are only interested in ensuring that visitors have places to park and that visitors pay for their parking. Therefore they:

  • Leave the gates open at random intervals because the visitor lot is used by the restaurant across the street for random events & those visitors do not have to pay for parking.
  • If you come in through the visitor’s door, they ask you to sign in so that they can check your name against the list of employees in the building to ensure that you’re not an employee using up a visitor spot.

As you can see – their security goals are entirely different from what I thought they were trying to accomplish! They are actually trying to protect their visitor spots from building employees! Not the building employees or their vehicles from any external harm!

What I discovered from all of this is that my view, while always true (according to my view), is by definition, not the same view as someone else.
I also discovered that security goals are not always going to be obvious or make sense from the outside and that you need to really ensure that you understand the driving force behind the security measures before attempting to critique them.

Edit: Finally, & most importantly, I discovered that there is always something missing which is causing my complaints and that by looking at them and by figuring out what is missing, I can make my complaints disappear. Finally, I discovered that my complaint was not the truth. Having the complaint in the first place was inauthentic of me because I should not have a complaint about something I obviously didn’t understand, and that by taking action to explore what was possible (such as asking another for their view) made my complaint disappear.

Once I understood that my complaint was based on what I felt should be, versus what actually was, my complaint disappeared!

I enjoyed sharing these awesome discoveries with you & I would love to hear your feedback!

~Yosef B.

Gaining Visibility in Enterprise IT Security


Hi All,

I’m pretty excited to announce that my first paper article has been published! Please check out my article entitled “Gaining Visibility in Enterprise IT Security”, co-authored with a client of mine, Jeff B. (no, his last name is not the same as mine 🙂 ). It was published in the Jabian Journal and is available online here: http://joom.ag/d42X/p60

Here’s the link to the entire contents of this edition of the Jabian Journal: http://www.jabian.com/jabian-journal/jabian-journal-fall-2013-main/

I would love to get feedback on it so please drop me a line or post something in the comments below.

Thanks!

~Yosef