16 May 2013

What is a Security Auditor?

I’m often faced with a moral dilemma: what do I tell people when they ask me what I do? The easy answer is to tell them that I’m a hacker. This makes me appear interesting and usually invokes a good conversation but is it true? Not really. My job title is IT Specialist but if I say that, it does not speak to the fact that I am largely focused on security, not providing IT services. I suppose I could go with IT security auditor but again, I feel that I am skirting the truth. I am not, technically, an auditor (see my job title). My role, however, is closest to this final title: IT security auditor. That raises the question “What is the role of an IT security auditor?”

Maybe it would be best to start with what it isn’t. An IT security auditor is neither a hacker nor a penetration tester. The term hacker is often used incorrectly, especially in the media, where it is often used to describe malicious individuals targeting critical systems. In actuality, a hacker is simply someone who tinkers with computers, networks, or other electronic devices, often taking them apart to learn more about them. A penetration tester, or pen tester, is a security professional who breaks into networks using any means necessary, in order to identify holes in security. Pen testers usually run exploits that they find on the Internet or that they create themselves against a network, computers, or software. These exploits can bring a system down in a variety of ways, including crashes and unintentional information exposure. Pen testers use these and other sophisticated methods in an effort to mirror those used by sophisticated attackers or seen in sophisticated malware.

IT security auditors, by contrast, typically look at broader-spectrum controls and do not run packaged exploits against the networks they test. IT audits are typically designed to identify ‘low-hanging fruit’, or easily identifiable weaknesses in systems, networks, or operations. The end goal of an IT security audit is not to breach a network and pull out sensitive data. Instead, it is to help identify controls that, when implemented, will protect against unsophisticated attacks. This is why an IT security audit and a pen test can complement each other; one is more narrowly focused, yet deep, and the other is more broadly focused, and only goes a little below the surface. As the Annual Verizon Data Breach Investigations Report points out, most victims of breaches are targets of opportunity and most of the attacks are not highly sophisticated. In other words, identifying and implementing simple or intermediate controls, or removing the ‘low-hanging fruit’, can significantly increase an organization’s security posture.

A lot of emphasis is placed on attack sophistication. Sophistication, however, is a fuzzy concept. A truly sophisticated attack should use only the resources necessary to achieve the end goal. Thus, writing, testing, and running exploits do not necessarily equate to a sophisticated attack; indeed, too much time spent on these activities can simply be wasteful. Instead, sophistication should be viewed in terms of attack success, attack detection, and overall effect. Regardless of the attack vector, did the attacker achieve his goal? In other words, did a system, network, or data breach occur? Or, if the goal was to cause a crash, did the crash occur? If the answer to any of these questions is yes, then a sophisticated (or sophisticated enough) attack has occurred.

Breaches can happen through password guessing, password cracking, social engineering, phishing attacks, authentication bypass, physical access, or any number of other vectors, and can be carried out by expert attackers and newbies alike. The objective is not sophistication but success.

Many attacks go undetected for months or even years. Some of these attacks result in exfiltration of data and others do not. Some of them are present for long periods of time but the purpose is unknown. Regardless, undetected unauthorized access to systems for any period of time, regardless of sophistication, is a successful attack in and of itself. For this reason, IT security audits should focus on detection methods such as logging, reviewing, and intrusion detection techniques.

Lastly, the effect of an attack can range from almost no impact on personal, business, or financial operations to complete devastation. Depending on the organization, a blemish to reputation as the result of an attack can cause more damage than the attack itself. For these reasons, it is not pragmatic to look only at the sophistication of the attack itself. One must also look at the lasting effect of the attack. It can take days, weeks, months, or even years for some individuals and organizations to recover from a successful attack. Thus, it is important for security audits to assess the response and recovery process, including compensating and recovery controls, following an attack, not simply the detective and preventive controls.

All things considered, attack sophistication as it is typically portrayed is not the key concern for IT security audits. Instead, audits need to look at the entire picture, focus on simple and intermediate controls, including detection, and be sure to address response and recovery in order to minimize overall effect. Whether the attacker be a state-sponsored cyber gang with disposable resources or a script-kiddie sitting in his mother’s basement eating cold pizza and punching keys, we should not ask “How sophisticated was the attack?” but “What is the effect?” Additionally, a good security audit ends with practical, cost-effective, and useful recommendations that address the cause and not the effect.

For more information on IT security auditing, look into CISSP and CISA resources, such as:

11 May 2013

Gender Imagery in Film, Pt. 6: Conclusion (Child Sacrifice and Supposed Female Dominance)

Interlaced into the aforementioned circumcision incident, the viewer is hit with the most devastating blow of the film: She watched her son fall out of the window to his death, and did nothing. The flashbacks to the prologue are cut at a different time and a different angle, revealing new information for our digestion. Even if we were sympathetic throughout the journey as She tortured her husband, identifying, even commiserating, with her internal psychological struggles, we are now left feeling like the carpet was pulled out from under our feet, leaving us dumbfounded and foolish for having even attempted to make a connection with her pitiful soul. She makes Disney’s Maleficent look like an innocent little angel – for what kind of wickedness it must take to watch your child die and not even make an attempt to stop it. On the contrary, it appears that she even gained pleasure at the moment in watching the event unfold before her – possibly provoked by the same boorish drive that led Abraham to nearly sacrifice his son, Isaac.[1]

Between the violent content of most modern action films and the images of trauma and catastrophe that the mainstream media displays, it is quite easy for the typical moviegoer to tolerate and even get pleasure from violence in film. Von Trier was not shocking anybody by depicting a woman who beats up her husband, and consequently was not leaving his mark on the viewer’s mind. Like Cruella de Vil and her nastiness toward puppies, the way to truly make She a hated character was to have her embody the unthinkable. Once this information is brought to light, She loses all likability, and von Trier’s goal of equating woman with all that is wicked and vile has been accomplished.

Left to her own devices, the Antichrist will reject nature, and her natural position as subordinate to man, and turn to a practice of dominance over all. Viewers can begin to see this unfold in Chapter Two as She becomes more deeply driven into her own mania. At the same time, the surrounding environment becomes increasingly more hostile toward He, visually tying her trip down the slippery slope toward iniquity to the effects on man in the world. Acorns begin to pelt the cabin, He begins to get bitten by some large beetle-like bugs, baby birds get eaten alive by ants and other birds of prey, and as the chapter progresses toward the next chapter, we begin to see the forest literally begin to fall apart. A wide panning shot of the forest floor shows the son, dressed in the same pajamas as in the beginning of the film, carrying his teddy bear, and glowing, walking, presumably, away from his mother – perhaps indicating that he is attempting to escape her dominance. It provides another new insight into the child’s death – that maybe the son was actually attempting to escape his own situation.

In Chapter 3, He discovers from the autopsy report that the bones in his son’s feet were deformed and then finds numerous photographs amongst his wife’s study materials that show his son’s shoes on the wrong feet. In a reversal of the practice of feet binding of women, She has instead exerted her influence over her son by binding his feet. It is unclear exactly why She bound her child’s feet, but it can be certain that it was done purposely, further lending credence to the notion that the son was making an attempt to escape his mother’s power. Upon learning of this torture, He feels the whole of the forest’s acorns pelting his flesh – he has come to realize that his wife is the architect of destruction – and he is afraid.

She continues to enact dominance over her male counterparts further into Chapter Three, primarily through sex, even making an argument that her husband doesn’t love her because he refuses to hit her during sex. In a drastic display, She runs into the woods and, again associating her ties with nature, masturbates violently while wrapped up in the exposed roots of a giant tree. He follows her out, compelled by her sexual urges, and engages her in sexual intercourse, while also folding to her wishes to hit her. As they perform, limbs of immobile bodies are seen knotted like branches into the tree – the seemingly dead arms signify yet another connection between her sexual drive and the deaths of the many.

Afraid that He is going to leave, She attacks him with a block of wood, even smashing his penis, knocking him unconscious. Again, driven by sex, unable to refrain, she proceeds to masturbate him until he ejaculates blood onto her clothing. She then proceeds to drill a hole in his leg and, roughly mimicking the crucifixion, inserts a metal rod attached to a heavy round drum, fastens a nut to the other side, and disposes of the wrench. He is left, quite literally, anchored down and prevented from leaving her. However, he does make an attempt at escape by dragging himself into the woods and hiding in a hole in the ground. Pulling away from the Adam and Eve myth and moving toward the tale of Jesus, the rod in the leg symbolizes the torture and crucifixion of Jesus, while the husband’s escape mimics the New Testament tale of the via dolorosa, or “way of suffering,”[2] as Jesus supposedly dragged himself and his cross, essentially, to his grave. While in the hole, He sees one of the three beggars, the crow, and for fear that the crow will expose him, he attempts to beat it to death. The crow is resurrected and She digs him out of his “tomb.” Once more, Antichrist is connecting the end of paradise to another aspect of religion and life – he, like many prophets and scribes before him, makes a connection between the Old Testament and the New Testament, however factually unsubstantiated and horrifically arrogant it may be.

In the end, Antichrist puts forth the notion that had Adam destroyed Eve, women would not have suffered over 2 millennia of hate and violence. On the contrary, woman would have been free to reclaim her position alongside man as a co-leader over nature. Ultimately, it is man’s job to free woman, as He freed his wife from her own torment, thus releasing a multitude of faceless women back into civility. As a man, director von Trier created a piece of art, aimed at other men, that allows them to affirm their own internal misogyny and to reestablish the social rules by which they live their lives. As Sturken and Cartwright note, “In the history of art, the fact that paintings were geared toward male viewers had as much to do with the commerce of art as it did with the social roles and sexual stereotypes of men and women”[3] – the same would hold true for moving picture media, as the most common method of conveying social meaning today. It is clear that the movie is intended to have male spectators, as the male part is characterized by rationality and seen, though very blasé, to be the film’s hero, and in turn the hero over nature, life, and misogyny. If a woman were to adopt a male looking gaze, she may well end up as She had, upon assuming the male gaze over her study materials: detesting herself and women alike for the “wrongs” they supposedly committed.

Ultimately, the final statement of Antichrist, and in turn, on Eden and life, is that everything that was once beautiful is no longer – and this is the fault of Eve. Von Trier’s morality makes women out to be immoral and malevolent and in turn removes himself and his male counterparts from any blame. This attitude can be easily summed up through Nietzsche’s view that in every artistic morality, “man adores part of himself as God and to that end needs to diabolicize the rest.”[4] We no longer require the Bible to tell us that women are the destroyers of paradise, because we have Lars von Trier. Let Antichrist serve as a warning of the effects of religious fear-mongering. In the words of the late, great comedian, George Carlin, “The Christians are coming, and they are not pleasant people.”[5]

[1] HarperCollins, Genesis 22:1-24
[2] HarperCollins, John 19:17-37
[3] Sturken and Cartwright, 79.
[4] Nietzsche, 152.
[5] Carlin, 8.

Extenuating Circum Stances, Pt. 1: Introduction

As the father to both a daughter and a son, I was struck by the oddity that, while I was asked by several people, including medical personnel and non-medical, interested parties, whether or not I was going to have my son circumcised, not a single person asked if I was going to have my daughter circumcised. Indeed, some people assumed that I was having my son circumcised without asking, as if leaving him uncircumcised was not an option. What is the basis for this assumption? Is it based on social, political, economic, religious, medical, or a combination of factors? And why is there not a similar assumption, or even a question, regarding circumcising our daughters? In order to answer these questions, an examination of circumcision must account for social, economic, religious, cultural, and other factors that have shaped the history and development of the practice, and the controversies that ensue, along the binary lines of gender.

While routine male circumcision is not seen as medically necessary by most medical associations in the world – more on this to come – routine, non-medical circumcision rates in the United States remain high. In fact, routine male circumcision remains the most common surgery in the United States[1] with over 1 million boys being circumcised each year. There is a decline in routine neonatal circumcision; the Centers for Disease Control and Prevention released a report in 2011 that showed a drop in newborn male circumcision from 62.5% in 1999 to 56.9% in 2008 using data from the National Hospital Discharge Survey.[2] Still, the United States stands alone as the last medically advanced nation to routinely perform this surgery on infants. In this sense, male circumcision is a uniquely American phenomenon with a complex history that intersects religious, social, political, economic, and scientific domains. The primary arguments for the widespread continuation of circumcision today tend to come from religious and social points of view, while the arguments against come primarily from scientific views, but economics also finds itself playing a unique part in the reduction of circumcision, particularly in the Western U.S., where immigration of Mexican and other Latin American individuals is high and some states have removed Medicaid coverage of the surgery.[3]

When it comes to the female genitals, however, the United States stands nearly as a whole at the opposite side of the spectrum. The majority of the world’s female circumcision occurs in Africa and several countries in Asia and the Middle East. The World Health Organization has estimated that about 101 million girls aged 10 and older have undergone female genital cutting (abbreviated FGC) in Africa alone.[4] The practice is largely encouraged for religious and social reasons, including ensuring chastity and proving the sexual purity of a girl to her husband. In the West, most opponents of FGC belie any notion of social benefits, insisting that the consequences for FGC far outweigh any possible benefits. And this is the essence of the controversy, what I refer to as “The West versus the Rest,” though, admittedly, this may not be the most accurate description. The debate over FGC is not simple by any means; on its surface it is about female genitals, but deep down it is about culture, ideology, social status, and, indeed, gender relations.

For the purposes of remaining as neutral as possible while discussing the practices, controversies, and analysis of both male and female genital modification surgery, I have chosen to refer to both practices with the phrase “genital cutting.” While male circumcision is rarely referred to as male genital cutting (MGC), this phrase will be used to avoid confusion and to better compare it to the genital cutting practices of FGC. FGC, meanwhile, will be used to avoid underrepresenting the risks, procedures, or complications resulting from cutting female genitals (i.e., female circumcision) or overstating the horrors typically only associated with the more severe forms of FGC (i.e., female genital mutilation, or FGM). As will be discussed below, different groups prefer different terms depending on the specific cutting practice and its significance to their ideology or tradition.

[1] http://academicdepartments.musc.edu/surgery/divisions/pediatric/procedures/circumcision
[2] http://www.cdc.gov/mmwr/preview/mmwrhtml/mm6034a4.htm?s_cid=mm6034a4_w
[3] Bell 2005:129
[4] http://www.who.int/mediacentre/factsheets/fs241/en/index.html