
The Moscow Rules for InfoSec Professionals

BSides Detroit · 2013 · 41:18 · 534 views · Published 2013-06

About this talk
Jen Fox adapts Cold War espionage tradecraft for infosec professionals navigating fractious relationships with business stakeholders. Drawing on the Moscow Rules—principles spies used to survive hostile environments—she argues that securing enterprises requires rapport-building, consulting manners, and understanding departmental incentives as much as technical skill. The talk explores case studies in managed consulting engagements, emphasizing preparation, cultural awareness, and strategic communication.
Original YouTube description:

BSides Detroit 13, June 7-8, 2013. Abstract: Ever worked at a company with poor relations between IT and business? Ever been on the team that comes in for the second or third try at a failed project? Ever been a consultant or contractor at a company that is suspicious of outsiders? If you answered yes to any of these questions, this talk is for you. The Moscow Rules are said to be the rules used by spies operating in Russia during the Cold War to protect their lives and their missions. This talk adapts the Moscow Rules for the IT professional who needs to have ongoing interactions with the "other side" (business). Providing secure environments for our companies and clients depends upon our abilities as infosec professionals to work effectively with the people in our environments as well as the technology. In order to accomplish our infosec missions, we need to enhance our toolkit to include rapport building and consulting tradecraft. Speaker: Jen Fox

Transcript [en]:

Everyone enjoying BSides? All right, thanks for coming. My name is Jen Fox, and we're going to talk about the Moscow Rules. A little bit about me: professionally, over the years, everything that I've done has been (hey, oh nice, what? yeah, thanks, yeah, thanks, HP) some version or other of doing translations: translating between the business and the technology, between information security and information technology, between stakeholders and project people. It's been a vital and consistent skill throughout. These are my office assistants in their usual sort of helpful spot. The tabby cat, she's a terror too; she's destroyed at least one machine and several presentations, so she's the one to watch out for.

This is... I really love Detroit graffiti, for one, and this is actually... I don't know who the writer is on these, but these Detroit tigers are all over town and I just really liked them and wanted to share them. I love canning; it's one of my favorite life skills, as is lock picking. Who's been to the Locksport Village? All right. Who tried the competition? All right, someone did. So: lock picking, lock collecting, and you never know when a good life skill is going to come in handy, right? Yeah, or something. Anyway, we're here to talk about the Moscow Rules. How many of you have heard about the

Moscow Rules, or heard of them before? Not too many people. So this is a set of rules that is said to have been used during the Cold War by Western agents operating in the East, specifically in Moscow, and these were things that they would do to keep their lives and their missions safe so that they could do what they needed to do. This is a set of 10 rules; if you do a little research you'll see lists of up to 40, but this is a good base set. When I first saw these at the International Spy Museum in Washington, DC, which is a really interesting place, I saw this on a poster and realized: this

is what I do when I'm on consulting engagements. This is like my standard operating procedure. So now we'll talk about it. The name of the presentation was about achieving détente to secure the enterprise, and détente, for those of you who weren't around in the '80s, is a slackening of tensions, or an easing of tensions. That's important because, like these guys, these old-timey guys, they're busy tugging in opposite directions and so they're going nowhere. You don't have to necessarily get along completely; it doesn't have to be about kumbaya, necessarily, but when you're doing this, you can't get stuff done. And for those of you who were

in Ben Ten's talk this morning: it takes all of us. All of us need to be able to work together in order to secure stuff and to secure our enterprises and our information and our users. So we'll take a run through the rules and look at a case study. So, yeah, we all think we know what Grumpy Cat's all about, right? Ask questions. Learn to ask questions about things; it's very easy to jump to conclusions. Pay attention to what your instincts are telling you about a situation, and if you're not very good at that... not everybody feels comfortable with their level of instinct on reading

people; learn more about body language to get a sense for whether something is going well or not, and you can adjust. This one, I would argue, should be phrased "everyone is under opposition control" when you look at it from the perspective of other people's goals. We all have goals, things we're trying to achieve, so we're trying to do things to get our project done. Maybe you're trying to implement some new controls or new things in a department somewhere. The people in that department also have goals, and it's to get their job done, and anything that they get measured on for their next evaluation, they don't want to have that screwed with,

and if the thing you're trying to put in place screws with their ability to get their next raise, you're going to be in a deadlock. How many of you have had that sort of occasion where you're talking, maybe you're talking about someone, and have that moment when you stop and say, "they're behind me, aren't they?" Right, lots of us. Yeah, it happens; it's awkward. So this is about that, and also about just consulting manners. I mean, especially if you're doing consulting, you're at a client site, maybe you just talked to someone you think is a complete idiot. It happens. Save your comments for when you're not right there. You don't know

if the other person in the elevator is the idiot's best friend, golf partner, they go to the same church; you have no idea, and it gets back around fast. So, Prince Charles may have had his own reasons for not wanting to blend in. I mean, there's times when you don't, right? But it pays, when you're trying to build bridges, to learn about culture. Pay attention to the culture of a place, or the jargon, especially for those of us that do consulting. So maybe you go into a business fairly briefly, and they have their own lingo for different things they do,

so it's important, if you're trying to gather information and develop that rapport, to learn more about their language and their culture. How many of you either do pen testing or have competed in a capture the flag? So, a few people. When you're getting ready to do that, how many scans do you expect to do? One? More than one. And once you've done your scans and you're ready to try to do exploits, do you just say, "yep, SQL injection and I'm going to be done," or have you got a bunch of tools in your toolkit, right? So, same when you're dealing with people: have more than one way to deal with them. This is the overlap with social

engineering. While the talk is not principally about social engineering, the Moscow Rules definitely have an overlap, and developing rapport is one of the best things you can do to get things going. Pets are like the best social engineers ever. And sometimes it's tempting to engage negatively; you want to use that only on special occasions. Okay, sometimes baiting people works to get certain types of information out or break something loose, but it shouldn't be, maybe, your first approach, especially if your goal is to build some bridges, build relationships, because you may need to have those in place later.

So, time and place for action. Everything has its time and place. This one also relates to this one: you want to be able to go back and talk to people again later, so do a good job. The story that I like best about this is: how many of you have been in a meeting, like a staff meeting or something, and you've got the boss and a bunch of bosses in the room with their other people, everyone all down the ranks, and they say, "who feels comfortable here that they can go to their boss and talk to them?"

Two of you do; most of you don't. Most people in the room aren't going to. If that's the information you want, that may not be the time and place to ask it, if you want an honest answer from people. Miller's Law: this is George Miller, a cognitive psychologist, and Miller's Law is one of my favorite things I've learned of recently. It's a close adjunct to "assume nothing." In order to understand what someone is telling you, you have to first accept that what they're telling you is the complete truth, and then ask yourself: what is it true of? How many times have you gone to someone and said, "hey, I need you guys to make this coding change,"

"hey, Mr. Developer, can you just write this script?" and they say, "I can't do that." What might that mean? What's a way that you could interpret that? "I don't know how." "I can't do it now." Yeah. "Not for you."

"We have really robust change management processes here and this is outside that channel." We know that's never the answer, yeah, right. So, "I don't know how and I don't want to admit it." There's a lot of different things that could mean. How many of you have either been on a consulting engagement, or you've had a boss ask you to do some research, put together some recommendations; you do that, you give it to them, and they do something completely else? They do whatever they were going to do anyway; it had nothing to do with your recommendations. How many of you have had that happen? Lots, right. And how many of you at some

point or another, when that happened, felt really insulted and irritated and felt like, "why did they even bother asking if they weren't even going to take my advice?" Right, it's really easy to go there, and ego suspension gives us an alternative to that. So, this is Heather and Doug, and they have three weeks to go into an organization and look at how protected health information flows through it, who touches it, and generally what's going on with it. So the first thing they do is they meet with their project sponsor and they ask him the usual few questions: why do you need to do this project? And he said, "well, we need to comply with"

fill in whatever the most recent thing is: the final omnibus rule, or CMS is coming, or OCR is coming. So that's kind of the usual thing. And, "you, Mr. Sponsor, complete this sentence: I'll consider this project to be successful if..." "It's on time, and if I find out about anything that might potentially blow up so I can fix it before it's a breach or something that's very expensive or embarrassing for us." That's certainly a good outcome for him. And since this guy's from the compliance department, they ask him, "what kind of a relationship, since we're going to be out here representing you, or saying that you're

the one who sent us, what kind of relationship do you think that you have with the rest of the organization?" And he kind of pauses for a while and says, "I think we have a pretty good relationship with the rest of the company." What is it? Yeah, that's right. So what is that true of? What might it be true of?

So maybe he actually does think he has a good relationship. Maybe he knows he doesn't, but he doesn't really want to get into that with the consultants who just walked in the door; he doesn't want to taint them with any of his baggage.

Do you think they might say... because that way it's not, you know, it's more or less, hopefully they have to come out with, well, they're going to say this or that, because it's going to be harder with your question, because now that people are going out there, they're going to get slammed.

And so far all we know is this one; we only have this one data point, and it's just a point. So maybe we can add it to other data points we're going to collect and see a pattern later, but so far it's just sort of an interesting thing. We can't really assume anything one way or the other; it could have meant a lot of things. So before Heather and Doug dive into actually talking to people and going out and asking questions, they're going to take some time and do their research. They're going to review any documentation

that their sponsor has already provided for them, so they can be a little bit more familiar with the departments, what the company thinks it does, what it thinks that it knows. They're also going to do a little open source intelligence gathering; they're going to look at what kind of jargon there is, if they can discern that. They're also going to set up some questions in advance, because they want to be really deliberate and really think about what they're asking and what they're trying to retrieve and gather. So this is the set of base questions. They're going to have a set of questions they're going to ask everybody, and they're also going to have some

specialized questions for different job functions. These last two, "what kinds of things make your job easier?" and "what kinds of things make your job difficult?", are variants of the pair of questions I've been using for years, and these don't always seem like they're necessarily going to yield information. They seem like random questions, really unrelated: what does this have to do with protected health information? Who cares what makes the customer service rep's job easier? But from a rapport-building perspective, when you start asking people, "what do you like best about your job? What do you like best about doing customer service? What's best for you about processing claims, or

working with patients?" then they start talking, and they see that you're listening, and they start talking more. And then when you get around to "what do you like least about your job? What part of your job could disappear tomorrow and you'd never miss it?" the floodgates open. They tell you all kinds of things, much of which will not be in your report, but you've built some really good rapport at this point, and they're willing to talk and they're feeling more like they have a relationship with you. So understanding, as you go in, any of the jargon that you could pick up helps, so that as they're talking about

what they do, you're not interrupting them to ask them, "what is that? What does that word mean? What does it mean when you say that?" Also understanding the department objectives: going back to the idea of what people get evaluated on, what the metrics are that they're going to be measured against, because that's what they're going to care about. It's what they're going to either get praised or punished based on, whether they meet or don't meet that stuff. And that's again echoing Ben Ten's talk: they're much more interested in that than they are ever going to be in compliance or following information security process or procedures, and they care about whether they're going to get a raise this year.

And when you're really prepared... yep?

By... yes, everybody's jobs easier, you absolutely are more secure.

Definitely. Also, by doing a lot of prep work in advance, you can be more efficient in your time with people and be respectful of the fact that you're taking them away from whatever it is they're actually being paid to do, and then perhaps when you need to go back for clarifications, you're welcome to do so because you didn't take too much advantage of their time. Sorry. They're ready to go. Their sponsor has set up a kickoff meeting with the department managers, so the managers know what's going on, they know about the project, they know to expect you, and they get the grumpy manager who says, "yeah, so you're the third set of people

to come in here and ask about what my department does." How many people have been on that project? It is not a great way to start. So instead of being "oh, the consultants, they're here to help us," you are now branded as one more set of consultants who's going to come in here and waste my time and give us absolutely nothing and waste the company's money. So all they can do at this point is just promise that they can be sympathetic: "we're sorry, that sounds really frustrating, we understand, we promise to be as efficient as we can with your staff's time." And so that was not really the place to

get into engaging negatively, even though it might be tempting or it might be a reflexive action when you have somebody who's being really contentious. Fact is, Heather and Doug need the cooperation of those managers in order to get their project done, in order to deliver something of value for their client. So here he is. Guess who their first meeting is with? This guy. So he's waiting at the threshold of his office, he's waiting right there in the door: "here, look, I've got two binders; this has everything you guys need, you don't need to talk to my staff. I even dusted the binders off for you." So they thank him and say, "wow,

thank you, I bet this is a lot of really good information, we really appreciate this, and we still really need to talk to your people. That's our project." So he says, "all right, fine, they'll be ready for your visit." So do you think grumpy manager, is that about Heather and Doug? Is that the attitude? Does that have anything to do with them? No. He's got stuff to do; people have been through his department three times. What else might it be true of? So he's got his big binders of everything you need to know about my department. What might that be true of?

Maybe he might feel like he's got some really good documentation.

He's really good at his job, and B, he's put a lot of effort into putting that documentation together for you, to be protective of his staff's time, right? That may very well be his interpretation: he's a really good boss. Yes, yes, yes.

Which makes good information: how we say we do it, we want to know that. The sure thing I usually say to them is, "thank you, this is going to be very helpful; I may have additional information that I need after reviewing this," and that's how I keep the door open that I'm going to still ask. Right, right. So it could be really good documentation; that could actually be the truth. Maybe he just doesn't want people rummaging through his department; that's very likely too. He doesn't know what he doesn't know. Definitely. Always, even more documentation is... he might be really proud of it, yeah. Thick.

You know, "I really appreciate," or, you know, just kind of... usually at that point they'll start talking about how much time they put in. Yes. So now they actually get to go talk to some of the staff, and one of the things that I've learned over the years is maybe 50 percent of the time the staff actually know you're coming. Good. Half of the time you show up and you say, "hi, I'm here to ask you some questions about what you do," and then this is who they think you are, right? And so then how much information do you think they're going to feel comfortable giving you if that's

who they think you are?

So always leading with making sure that they know who you are and what you're there for helps, and asking them if they have any questions, so that if there's something that's on the person's mind, you can clear it up before you start asking some questions. It can really go a long way for setting people at ease. And they go through, they ask the prepped questions. These last two, these two quotes, are real quotes from me using especially the "what do you like best" and "what do you like least about your job." And when somebody says, "I feel like I'm being interviewed for a magazine," what level of information do you think

you're getting from someone like that? Good, right? I mean, somebody says, "wow, someone's actually asking me questions; they're paying attention," and that doesn't happen to a lot of people, especially at staff-level positions, unfortunately. Or, "no one has ever asked me that before."

And that was the first thing I would say when I walked in, is that whatever he had, we are not going to use any names; we are not going to tell them that so-and-so said this, and we show them there's no place on this piece of paper for your name. I usually do lead with that. I don't attribute quotes to sources. Something a project like this, usually part of the deliverable is going to be "here's a list of the individuals that have talked to you," so they know who you gathered information from. Right. And sometimes we even have to cleanse it,

because we don't have enough people; we don't want to put direct...

I've had that too, and I stand fast on that one. Also, actually, in this case, this was someone who was just really happy that, again, someone was paying attention and taking interest in them and what they thought about and what they cared about, unlike these guys. So "assume nothing" is really big with this one. Even though the manager said, "sure, they're going to know, they'll know all about this," oh really? Don't assume that. And if they think you're the Bobs, they're not going to give you the level of information you probably need to do your job, so working on the rapport building

helps a lot in that circumstance. So, to Liz's point earlier, they find out that some of manager one's staff process the same information three times manually, and there's a lot of undocumented exceptions to the process. They're not too surprised, but manager one might be, that those things are not in his binder. So they've heard quite a few things; they've seen some things that impressed them and some things that have not impressed them, but they wait until they're out of the client's site. They wait till they're back at their home base, or wherever, not where there's other people, before they start making their

commentary about whether they thought that he was an idiot or whatever, because you really don't know. You don't even know, if you're having dinner afterwards and kind of debriefing, you don't know if the people in the booth next to you know... it's a really small world, and it doesn't take much; somebody else who's on the PTA with his wife, you have no idea. So they wait, and that's the "don't look back; you're never alone." So now they're developing some confidence in their process and they're rolling through all their staff interviews. It's going beautifully, and now they're going to go talk to somebody who's a subject matter expert,

who is put forth as "this is the person you really need to talk to about what goes on in our case rooms. She knows it all, and to facilitate, I just scheduled the meeting for you guys with her in the conference room." Can anyone think of what might be an issue with having these kinds of meetings in conference rooms?

Oh yeah, that's one. Yep, partially. That they're out of their own context, and so for some people it won't make any difference at all; for other people it can seem intimidating. So there's two of them, there's one of her, she's being called into a conference room: "what is this really about? Yeah, I know you said that this isn't about... you said you're not the Bobs." And so they go through their routine, they do their little "who's on first" thing, and now they're asking her, "hey, tell us what you like best about your job," and they're getting nothing, nothing at all. So what? It's not working. What do they do?

She is clearly, physically, she's clearly really intimidated by the whole thing. So they try to dial it down a little bit, step back, try to do some little self-effacing things, try to say, "well, we know this can be really intimidating; sometimes it's hard to remember things." They're still just getting nowhere, so they've got to cut bait at this point; they're not going to get anything more. They still are gracious and thank her for her information, for her time, and, "hey, do you think we could come and observe you in a couple days in the case room on surgery day?" And she says, "sure."

So, having a variety of techniques: in this case it still didn't help them. In many cases it may have; dialing it down or trying a different approach might have gotten things going. In this case it still just didn't, and it was clearly just... she's supposed to be an expert, we're obviously getting nothing, we need to just stop for today. So a couple days later they go to the case room, where everyone who's going to work at an operation goes beforehand to get all the information about the case. They see the medical records, the X-rays, all the stuff, and they're watching, and she's like a

totally different person. She is clearly in command. She is in control of this room and all the information, and people are really looking to her to know what they need to do, who they're working on, which of all the doors they need to go through to go to the right place and have the right person. And so when there's a lull in the action, Heather and Doug ask her questions, and now she can tell them all kinds of things, partly because they can point to, "hey, you know, on that monitor, what is that? What's going on in the monitor up in the

corner?" and then she can tell them. "Hey, when you handed them... when they're asking questions about that folder you handle, what is that?" and she can tell them all about that. So even though she'd been billed as an SME, the first time they met her she was really kind of withdrawn and mousy and just didn't seem to have an awful lot of expertise; it seemed like she didn't know much of anything based on her answers. Being on your home turf and actually having access to the things that you use really helps people jog their memories. It makes them more comfortable to talk about what they're doing. Plus,

if you're really looking at how a process works and you're working with people who really are SMEs, they're really expert in what they do; so much stuff is just the equivalent of muscle memory. They don't even think about a lot of the little details, because they've done the things so many times, so it's stuff that would have gotten glossed over in a simple "hey, tell me what the steps are to your process." There's a ton of stuff they don't even think about anymore because they know it so well. So your mission, should you choose to accept it, is: assume nothing, or at least work on it. That's one that takes a lot of practice.

Work on figuring out markers or hallmarks of what other people's goals are, or what other people care about, and see how you can make whatever you're trying to do dovetail with or support what's important to them and what they're trying to do. Look at the culture and the environment. Sometimes you want to blend in, sometimes you don't, but choose that yourself. Expand your skill set. Some of the recommended reading here is from a lot of different disciplines. I understand that the Confidential book by John Nolan is out of print now, but if you can find a used copy, it's a very good book.

Robin Dreeke's book is really good; any of you who went to Chris Hadnagy's social engineering class this week, that's one of the books that you guys looked at. This is actually a sociology book about qualitative interview studies. And body language: there's actually a lot of really good books about body language, and books from other disciplines. Information security is a relatively young discipline, but we have a lot of overlap, skill-set-wise, with other professions that have been around for a really long time. The first text for law enforcement and military personnel: there's generations of knowledge in that field. Sociology: generations of knowledge about how people work and interact,

same with psychology. So, thinking outside of stuff that's strictly information security, look at what other disciplines might have an analog to the kind of thing you're trying to do. Those are the rules again. Does anyone have any questions? Thanks for your time, everyone.

And they didn't even have to time me out; that went fast.