Moscow Rules – Recommended Reading

Here is Jen Fox’s recommended reading list from her Moscow Rules talk:

Advanced Interviewing Techniques: Proven Strategies for Law Enforcement, Military, and Security Personnel. John R. Schafer and Joe Navarro. 2010, Charles C. Thomas. [I got a lot out of this book. It approaches from a different angle than most of us will in our jobs, and because of that covers some different territory than other books.]

Confidential: Uncover your competitors’ top business secrets legally and quickly—and protect your own. John Nolan. 1999, Harper Collins Publishers. [This book is out of print, unfortunately. A very informative read about information elicitation techniques.]

It’s Not All About “Me”: The Top Ten Techniques for Building Quick Rapport with Anyone. Robin Dreeke. 2011, Robin K. Dreeke. [Straightforward book about ten techniques for building rapport. I would say this book is a great starting point on this reading list.]

Learning From Strangers: The Art and Method of Qualitative Interview Studies. Robert S. Weiss. 1994, The Free Press. [A book from the sociology discipline, where there is extensive experience in interviewing/observing for information gathering.]

Please Understand Me II. David Keirsey. 1998, Prometheus Nemesis Books. [As a Myers-Briggs nerd, this is my go-to reference for MBTI personality typing info. I’ve been using this as a reference for years. Excellent for dealing with bosses, coworkers, significant others, kids.]

The Definitive Book of Body Language. Allan and Barbara Pease. 2006, Bantam Books. [Good book; there are also a number of others to choose from on the topic of body language. I understand Joe Navarro’s books are good.]

Information Elicitation for Technology Leaders

This is a guest post by Jennifer Fox following her presentation in August 2012.


Information Elicitation for Technology Leaders
Jennifer Fox, Shining Wave Consulting

In a 2006 IBM Global CEO Study, 765 CEOs, executives and public sector leaders were interviewed on the subject of innovation.  Of those participants:

“Nearly 80 percent of CEOs studied rated business and technology integration of “great importance,” while less than half felt that their organizations were “integrated to a large extent.” Most have simply been unable to integrate business and technology to the desired extent. These CEOs find the lack of integration to be a real source of frustration. Though they would like to improve the current situation, they feel unable to do so.”

If you’re the CIO, these numbers should concern you.  Where does the problem—and solution—lie?  According to the IBM whitepaper, one of the three fundamental issues is language and communication:

“While there are undoubtedly many causal factors responsible for the separation of business and IT, one fundamental reason is language. Quite simply, many IT leaders don’t speak “business”; they speak technology. Business leaders, on the other hand, speak the language of the business. The combination leads to ineffective communication and can be a root cause of the less-than-optimal returns that many companies realize on their IT investments. Moreover, recent surveys by Gartner and McKinsey & Co. highlight the communication gap as a major reason for CEOs’ dissatisfaction with IT.”

The shortcoming of Business/IT alignment is that it continues to view IT as separate from the business rather than as an interested and vital partner.  The only way to mitigate the Us-Them mentality is for technology staff to learn about the business, understand its life and language, and work as an interested and proactive partner rather than a disconnected service.

It is the CIO’s role to begin the fusion of business and IT, starting with conversations to genuinely understand the business, its market, needs, etc.  Not simply from a data perspective but from a holistic IT-is-really-part-of-the-business perspective.  And then have another conversation, and another, and another.

There are some concepts used in the competitive intelligence community that you can use to get critical conversations started.

The first concept is suspension of ego.  You’re from the IT department; other staff from your company will already know that you’re smart, so you don’t need to spend the conversation proving it to them.  Listen, learn about the person you’re talking to, and don’t worry about impressing them with being right, clever, connected, etc.  While this is a simple idea, it can be difficult to put into practice.

Direct questions. “OK,” you think, “I’ll go ask!”  The difficulty with using direct questions is twofold.  First, a direct question is only useful if it’s the right question.  How hard can that be?  By asking a direct question instead of an open-ended question, you’ll find out the answer to your question, and nothing more.  You may even miss the exact information you need to inspire a great value-added idea.  Think of it this way: if you’re looking into a room through a window that has been covered with paper, a direct, pointed question is like poking a pinhole into the paper.  Yes, you have a view into the room now, but it’s limited.  Asking an open-ended question is like cutting a hole into that paper; you have much greater visibility into the room, allowing you to notice things that would have gone unseen through the pinhole.

Second, direct questions have a tendency to put people on guard, even if you thought the question wasn’t particularly contentious.  Social Engineering 101 tells us that if people are put on guard by questions, they aren’t going to supply good information.

Data response questions.  The other type of question that most people are very comfortable asking is a close relative of the direct question – it’s the question that asks for a simple data response (“What’s your sales goal for this quarter?”).  While this may be an interesting data point, a point is all that it is.  This style of question is appropriate in other types of fact-finding interactions, but it won’t get you closer to learning about business goals and concerns.

Open-ended questions.  These take more patience to work with, but yield more interesting results.  It may take more time to get the information you are looking for, but this type of question also opens the door for you to find out other information you may not have been aware of.

One technique commonly used in information elicitation is called backward chaining.  This technique has the information seeker ask a series of questions, starting three or four steps removed from the specific information you’re interested in.  For example, if you want to find out the true goals of your C-level counterparts, rather than directly asking about their goals for the company—the official ones should already be well known—you could start by talking about a relevant current event and work in from there.

  1. Discussion of a related current event or economic issue
  2. Discussion of the industry
  3. Discussion of competitors in your space
  4. Discussion of company strategy
  5. Your objective: Discussion of your CXO counterpart’s “what I would really love to see” list

This develops a ‘natural’ progression of conversation, during which you are developing a rapport with your counterpart and focusing the thought and discussion more and more specifically toward your goal of finding out what’s really important to them.

Using technology to propel your company’s growth is a win-win for all involved—business people who want to achieve their goals and technologists who want to leverage the best that the computing world has to offer.  Communication is the first step onto the path to winning.  These concepts and techniques can help you get started today.


References:

“Igniting innovation through business and IT fusion.” (Part of the CIO Implications series)  IBM Global Services whitepaper, October 2006.

Nolan, John.  Confidential: Uncover your competitors’ top business secrets legally and quickly—and protect your own.  1999, Harper Collins Publishers.

Coming soon — CTF Proving Ground

Derek Thomas writes:

Greetings friends, we are in the initial stages of creating a Misec Capture the Flag proving ground. We have been consistently in the top 30% of the competitions that we have entered and I would like to go higher! I think the proving ground is perfect for honing our CTF skills individually and as a team.

The goal is to create a portal to which we can upload basic CTF challenges along with an article that describes the fundamental use of tools needed to solve the challenge and the basic thought processes that one would go through. Our hope is to release a challenge on a bi-weekly basis, but that may change based on the amount of submissions.

Our secondary goal is to use the challenges that are submitted to the proving ground in a CTF that we host or co-host sometime in the next year. If you register for our CTF portal then you will not be able to compete in our hosted CTF but you will get to compete on our team for CSAW, RUCTFe, GITS, and so on.

We encourage everyone to join no matter what your skill level, and we encourage everyone to submit but it is not a pre-requisite. More than one person can submit a challenge as a group as well. We would like the submissions to be anything that you might see in a challenge.

ZTango has been working day and night to create the site that we will be using and it is coming along great. For now I would like anyone that has blogged about one of the challenges that they have previously solved to send the link to ctf-submissions@michsec.org if you don’t mind having it cross-posted in the CTF Proving Ground. Please let us know if you have any ideas or would like to help in any other way.

To whet your appetite for CTF challenges, check out our teaser challenge at http://ctf.michsec.org/web01

Branding your Security Team Workshop

Steven Fox will be offering his Branding your Security Team workshop on September 15, from 10 am to 4 pm. The training is free and requires a workshop ticket from Eventbrite.

Branding your Security Team – Connecting with Customers through Compelling Experiences

What does your security team stand for? How does it add value to its customers? How does it drive value within itself? Most managers and customers ask these questions in some form; they want to know what your team will do and why they should interact with it. Unfortunately, most IT security teams approach their answer from a context alien to those whom they serve – leaving them puzzled and frustrated.

This workshop focuses on branding techniques that will aid in reframing your team’s value proposition into a context familiar to your internal customers. While a brand can be created by an individual or team, its success depends on how it is positioned by its target customers.  While the vagaries of organizational behavior make it hard to control positioning, this workshop will highlight a five-step process to define your brand, promote it strategically, and influence its positive perception within the company.

1) Create – Attendees will be presented with a security team’s branding statement which is in conflict with its customers.  They will create a new statement via a reframing exercise utilizing a customer profile document.

2) Connect – We connect to people through stories.  Thus, attendees will learn the basic structure of a story and use this to write a compelling case study that conveys their new brand statement.  This story will be shared with others and discussed to explore how it resonates with the target customer and conveys the team brand.

3) Rehearse – Rehearsal allows the team to internalize the details of their brand, freeing it to deliver the value it represents.  Attendees will learn efficient rehearsal techniques they can use with their teams.

4) Deliver – Step 2 formed a connection with your customer – a short-lived relationship that will fade if not reinforced.  This step focuses on the security team’s ability to earn the customer’s trust by serving their needs consistently and professionally while reinforcing its brand message.

5) Follow-through – This is where you make your story a reality.  Attendees will learn the power of service follow-through to strengthen your brand, especially when mistakes are made.

Workshop materials will be made available in advance of the workshop so attendees can prepare. The workshop will be held on September 15, from 10 am to 4 pm, and requires a workshop ticket from Eventbrite.

Linux Hardening Workshop

Chris J will be offering his Linux hardening workshop on August 11, from 10 am to 4 pm. The event is free and requires a workshop ticket from Eventbrite. Chris writes:


One of the questions to come out of the Rats and Rogues Career Panel podcast was what as an industry can we do to help those coming up in the ranks behind us. At the time Security Moey and Elizabeth Martin dropped Mock InfoSec interviews.

That was great; I think helping people with interview skills is a big plus. But it doesn’t solve the first problem: getting or having the skills you need to get the interview. So how do we fix this?

The Michigan Security community (aka MiSec) has an answer for that. MiSec is starting a series of workshops / classes. Some of these will be open source based, which should be able to be taken by any Information Security group and taught at their location without the original instructor.

The first of these will be held at 10am on August 11th, and should last for about six hours or so. During that time attendees will be installing and hardening a Linux system from scratch. When we are done, an attendee should be able to install a Linux distro from network install media, harden the distro, configure Apache, MySQL, and PHP to be secure, set up a mail server, know how to read the related logs, and install a CMS system.

Hopefully we can get someone to help us pentest the systems, so the users can read the logs and see what an attack is like.

To participate you will need a computer with virtualization software set up. I would suggest pre-configuring the client system’s virtual machine with at least 10 gig, or 20 gigs if you have the space.  If you do not have a system with you, you will not get a lot out of the class. This is a hands-on workshop.

The software I will be using is Oracle’s VirtualBox with bridged networking set up for the guest OS. You can use whatever you like as long as you know it. If you’re not familiar with virtualization software, I would go with VirtualBox. It’ll run on any system. While VMware is a good choice, I haven’t used it recently and won’t be able to help you set up before the event if you run into problems.

The event is free but a ticket is required. Get your workshop tickets at Eventbrite.

MiSec Meetup August 2012

August’s event is on Thursday, August 9th, 2012, at 7 pm. Jen Fox (@J_Fox) is presenting “The Moscow Rules for InfoSec Professionals: Achieve Détente to Secure the Enterprise”.

Abstract: Ever worked at a company with poor relations between IT and business? Ever been on the team that comes in for the second or third try at a failed project? Ever been a consultant or contractor at a company that is suspicious of outsiders? If you answered yes to any of these questions, this talk is for you. The Moscow Rules are said to be the rules used by spies operating in Russia during the Cold War to protect their lives and their missions. This talk adapts the Moscow Rules for the IT professional who needs to have ongoing interactions with the “other side” (business).

For details and location, please either contact us through email (info@michsec.org) or log into our IRC channel (Freenode/#MiSec). This month’s meeting will also be streamed via Gotomeeting, Meeting ID: 725-860-782, Meeting Password: misec.

A sneak peek at what is to come:

  • August 11th, Chris J is leading a Linux hardening workshop
  • In September, OWASP Detroit returns. J Wolfgang Goerlich (@jwgoerlich) is presenting on .Net security
  • September 27-28, the GrrCon conference (http://grrcon.org)
  • In October, Jack Crook is presenting on forensics and incident response
  • In November, Keith Dixon is presenting on honeypots
  • OWASP Detroit returns in December with Kevin Poniatowski covering SDLC


MiSec Meetup July 2012

July’s event is on Thursday, July 12th, 2012, at 7 pm. Matt Johnson (@mwjcomputing) presents Breach Stains. Matt will walk us through a major security incident and provide lessons learned.

For details and location, please either contact us through email (info@michsec.org) or log into our IRC channel (Freenode/#MiSec). This month’s meeting will also be streamed via Gotomeeting, Meeting ID: 792-558-614, Meeting Password: misec.

A sneak peek at what is to come:

  • In August, Jen Fox (@j_fox) presents: The Moscow Rules for InfoSec Professionals: Achieve Détente to Secure the Enterprise
  • In September, OWASP Detroit returns. J Wolfgang Goerlich (@jwgoerlich) is presenting on .Net security
  • September 27-28, the GrrCon conference (http://grrcon.org)


Talk – How I Learned to Stop Worrying and Fight the F.U.D

A #misec presentation by Mark Lenigan (niteshad) refutes points from Richard A. Clarke’s Cyberwar book. This talk was given at a #misec meetup on May 10, 2012.

Bring the SE to Michigan!

The Social-Engineer.com Social Engineering for Penetration Testers program is a 5-day immersion into the world of a professional social engineer.

We are working to bring this 5-day, hands-on thrill ride, filled with information-packed discussion, performance-based exercises and live demonstrations, to the SE Michigan area.

This class is limited to 22 seats, first come, first served. For more information please go to:

http://www.social-engineer.com/social-engineering-in-penetration-testing-registration/

MiSec and BSides Detroit 12

The #misec community will be out in force at BSides Detroit 2012. From volunteers to speakers to participants, the local information security community has rallied to make BSides Detroit a great event.

Here are some of the highlights:

The full conference schedule has been posted to the SecurityBSides website. Tickets are available at BSides Detroit Eventbrite. We hope to see you there.


About MichSec.org

We are a collective of Michigan based information security professionals (or maybe just people interested in security) looking to share knowledge and make the world a safer place.