SANS Security Leadership Essentials – MGT512

I’ve taught this class for a number of years now and it has always been one of my favourites. It was usurped for a time by “Implementing and Auditing the CIS 20 Critical Controls” (SEC566) as 512 became a bit dated and I found 566 to be a bit more relevant. However, that all changed this year when a significant re-write was completed and the new version of the course went live. Frank Kim and other contributors have done a great job of bringing this back to be a true essentials course.

I’ve taught a couple of classes already and have a bunch more lined up this year so I thought I’d take some time to give a run-down of the new material and let you know what to expect. This class has quickly risen in the popularity ranks once again and it’s a great opportunity for people in a variety of roles to get a thorough introduction to security and management principles. Stay tuned for the next 5 posts to learn more about this great class.

Day 1
Day 2
Day 3
Day 4
Day 5

Join me for this class, next in New Orleans, Louisiana

The times, they are a changin’

It’s World Password Day and there seem to be a lot of posts suggesting that the end is nigh for passwords. I’m here to burst that bubble; Passwords may be going away, but not anytime soon, and so we still need to make sure that we’re taking care of all of the ones we have.

Passwords are still around because the user experience is really good. We know that to get into our favorite apps and websites, we need a username and a password. We memorize the passwords so that we really don’t have to do anything other than type it in to the box. We don’t need to go searching for a USB thingy to plug into our computer, we don’t need to go and get a code from some other device, we don’t need to find that book that we write them all down in. Username, same old password, done. The problem is, we’re not machines and we don’t have computers for brains. Therefore we take short-cuts; We use simple passwords and instead of choosing one for each site, we re-use the same simple passwords over and over again. This makes the experience even simpler but leaves us open to major breaches of our privacy and information.

Companies don’t help. Make sure the password is at least 8 characters, has at least one capital letter, one lower-case letter, one number, and one special character. You have to change it every two months and you can’t re-use the last 10 passwords you used. Oh yeah, don’t use your name, your pet’s name, your favorite sports team’s name, any variation on the company name, your mother’s maiden name, and no repeating characters. Passwords are hard and we’re really good at making the whole process harder.

There is a better way though and it isn’t the disappearance of the password (although that would be great). Times are changing because of the understanding that length is the most important characteristic of passwords, not complexity. Your password needs to be long, but memorable, and you should use a unique one for each service that requires one. Humans are good at remembering long, but simple things. It’s all that complexity stuff that tries our brains.

How hard is this to remember? “apple\Spiders2puppies” Not hard, and that’s a 21 character complex password (Pro Tip: Don’t use that example as your password). Variations of this for each different site or app are just as secure, but different.

Still don’t want to have to remember all of those passwords? Sign up for a password vault service like LastPass, 1 Password, DashLane, or a free local password saver like KeePass. The advantage to these tools is that they are integrated into your browsers and automatically fill in your passwords in addition to allowing you to generate completely random passwords. I only know the password to my manager, I have no idea what my passwords are for the vast majority of sites and apps I use. Of course, you should also use 2 factor authentication, also referred to as two-step verification. That’s another post on its own though.

So in honour of World Password day, go sign-up for a password manager and change all of your passwords. If not a service, at least change all of your passwords using the premise that length is most important. You’ll be glad you did and your online life will be easier and more secure. How often do we get to say that?

End-to-End WhatsApp: An Opinionated Series on Why Signal Protocol is Well-Designed

Here’s a good look at what the Signal protocol is all about.

“WhatsApp recently announced that client communications are now end-to-end encrypted using Open Whisper System’s “Signal Protocol” (previously Axolotl). This has received quite a bit of press lately due to WhatsApp’s massive user base, along with the controversial going dark debates. Less importantly, the crypto-nerd in me loves Signal. Because of all of this, I thought I would write a blog series on some of Signal’s design decisions that I feel are well-designed.”

Source: End-to-End WhatsApp: An Opinionated Series on Why Signal Protocol is Well-Designed

It’s About Privacy Not Morality

ashley_madison

When it was announced, back in July, that the Ashley Madison site was hacked, like many, I thought about the fact that a bunch of people would be getting their just desserts. However, when the data was leaked (and continues to be leaked) a couple of days ago I started to think more about privacy than karma. All the jokes about those affected by the Ashley Madison breach are distracting us from the fact that people’s lives are being negatively affected by a criminal act over which they had no control. People who had an expectation of privacy, Ashley Madison bragged about it a lot, lost that because someone else decided that a cheating spouse deserves less privacy than someone else. Today it’s a site that caters to people who have different morals from many of us (or none at all depending on your point of view), tomorrow it could be the site you’re using to find a new job while still working the one you have.

Data breaches are happening so often these days that people are trying to group them into which ones are more serious than others. Is stealing nude photos from a celebrity’s phone worse than stealing credit cards from an adult website? If you shop at Target are you more deserving of having your credit card information stolen than if you shop at Neiman Marcus? Most people would scoff at those comparisons and say; “They’re all bad.”. So why do we think that people who signed up for Ashley Madison, whether they used it or not, are more deserving of losing their privacy than those who’ve signed up for Match.com?

We’re losing our privacy, or ability to have any, at an alarming rate these days. Tying privacy to morality, socio-economic level, social status, or anything else means that someone will always consider us undeserving of it. Everyone needs privacy and no one but the person requesting that privacy should get to decide whether they “deserve” it or not.

SANS 566 Coming to Toronto

After a great time in Nashville (minus all the problems caused by snow the week prior) I’m heading to Toronto to teach another round of 566. If you are looking to implement or audit the 20 Critical Controls, you need to register for this class. The SANS material is excellent and gives you plenty of tools to start the process on your own. The Toronto course runs April 13-17, details here.