I was recently out camping in a rather busy campground. Nearby was a group of teenage girls, wrangled by mothers who overall lacked the necessary training in crisis management to keep a lid on the brood. At the same time, I was working on a deadline to get a couple pieces written, and I have to say, the challenge was immense. The noise generated by the group of 12 or so girls seemed to ebb and flow at rates rivaled only by large crowds at major sporting or entertainment events.
June 2009 Archives
I've tried to be patient, I really have. I've now booked hotels 6 times with hotels.com. Of those times, only 2 worked out correctly. The final straw came in the last 24 hours as I tried to book my last hotel for the vacation that starts, well, today. The web site had a major fault last night, the primary customer care was completely unable to find the reservation anywhere in their system. They sent me to the "other" customer care office (other one?), which last night informed me to give them a couple hours, that system was down.
Through various conversations and interactions it's come to my attention that I've never really properly introduced myself. By now, if you've read this blog at all, you've probably come to realize that I'm rarely challenged for words. So, forgive this indulgence while I delve into a little bit about who I am, where I've come from, what I've been doing, and so on. In so doing, I hope to give you a glimpse of who I am without providing detailed enough answers that would allow you to bypass passwords on all of my various accounts. :)
Trust. It's a fundamental precept of civilized society. Whether we like it or not, we must trust people we both know and don't know. To fail to do so would result in a complete breakdown in the fabric that is humanity. You trust the engineers who designed your car, your mechanic who worked on its engine, the engineers who designed the roads you drive, and the people around you who are in the same situation as you.
Trust. It's also a fundamental tenet of online life; one that is far more easily betrayed. If it is in human nature to trust, then so it is also in human nature to be duped by those who cannot, in fact, be trusted. In real life, we're often far more perceptive to cons than we are, or can be, online. The loss of the slightest nuances of non-verbal communication can mean the difference between simple understanding and total misunderstanding.
Since I'm catching up on my book reviews... forgive me for totally geeking out for a couple minutes to talk about my latest reading obsessions... I'm sure most of you will chuckle, chortle, laugh, or roll your eyes... but I'm guessing a few of you will appreciate this little missive... :)
In addition to regular books (fiction and non-fiction), I've also been exploring the world of graphic novels to help lighten the reading load. Sometimes you just need to break out the cake reading to give your mind a break, ya know? Toward that end, I've found two series that have provided a great break from thinking. :)
I made quick work this week of The New School of Information Security by Adam Shostack and Andrew Stewart. This seminal work brings together all the bits and pieces that have been rolling around in my head for nigh on 10 years now. They've defined the "new school" in a manner that many of us have been talking about for ages. It's a break from the operations-driven, bottom-up, break-fix approach to something much more strategic and sensible.
That being said, I was a bit disappointed by the book, having heard all the hype. Really, I think the work is targeted more to people outside the industry than it is to people in the industry. Freshly minted CISSPs would benefit greatly from reading this book, as would those who think that infosec belongs in ill-conceived silos. Technology is not infosec, and infosec is not technology. Neither is compliance, for that matter. The sooner the world comes to understand and accept this, the sooner we'll be able to truly revolutionize this industry.
Conclusion: Buy and read this book. If you've been in the industry for a while and "get it" then this will seem like a good cursory summary. If you're new to infosec, or if you're living in a deluded world of silos, then read it and take it to heart. No bad will come from learning and accepting the lessons offered.
I finished reading Ari Juels' Tetraktys this week. Ari is Chief Scientist at RSA Labs, so brings a lot of tech cred to the table. This book is his first official work in the non-fiction realm, and it's definitely worth a read. I look forward to more from him.
In general, this book is typical of a first fiction work in that it has a degree of awkwardness. However, I think there's a lot of potential for the lead character, Ambrose Jerusalem, to grow into a series of novels that far exceeds Dan Brown's Dr. Robert Langdon, and is perhaps on par with peak Tom Clancy's Jack Ryan. None of which is to say that Juels has written an action novel by any means. Just that the character has good sustainability potential.
Update: Jules Polonetsky at The Future of Privacy Forum wonders "Could Bozeman Montana city officials be prosecuted for Facebook snooping?"
Well, well, well. My adopted home state is in the news late this week, and for good reason. Apparently the geniuses at town hall in Bozeman decided that, as part of their "background check," they would not only ask what sites people were on, but also what their usernames AND passwords were (see good aggregation of media coverage here). While I can certainly understand and appreciate a desire to compel full disclosure of online activities that may negatively impact the city, this is clearly a case of people just not understanding fundamental privacy practices.
Life sure can be a doozy of a thrill sometimes. And then there are those times when you try to swallow the elephant whole and you get smooshed. The trick, then, seems to be in eating that elephant one bite at a time (neverminding just how odd that sounds). This is the lesson I've learned in the past few weeks. As such, a few brief missives on mistakes that I've made thus far in my quest to build a security program.
When I was studying Physics in college, one of the more common tricks was to take a problem with weird units and use various conversions to get the equation into something with units you knew how to handle. For a basic understanding of this treatment consider a story problem where you're told that you need to travel X kilometers at a constant rate of Y miles-per-hour in a straight line, how many seconds will it take you to get there? Convert mph to kph, then kph to kps, and voilà! you can pull the answer out of your hat with basic arithmetic.
Information security oftentimes has this same general quality about it. Think of the whole cloud security scene as a primary example. Yes, it is absolutely new technology representing new challenges. However, that being said, it's also using a lot of old technologies, and there are known good ways to solve many of the "new" problems presented. Fundamentally, it all devolves back to the traditional C-I-A model (as much as people might hate that). What I find most interesting, though, is how often the elephant in the room seems to be ignored.
A couple weeks ago I attempted to provide a new analogy for how much of risk assessment seems to be performed these days (see "Dowsing Your Way Through Enterprise Risk"). That post received a lot of comments, but it seems to have missed the mark completely. Looking back now, it's a poorly written post that lacked clarity of point and purpose. So, allow me to recast the article in a different light.
Apologies if you've seen the same post more than once... it should shake itself out here in a day or so... somehow my ATOM feed (used by Feedburner) got corrupted, which I finally fixed Tuesday PM. Cross your fingers that things won't just keep posting over and over and over again. Looking at trying to upgrade some stuff this weekend to address some of these issues.
I don't care what anybody on the pro-PCI side of the argument says, PCI is absolutely a distraction. How do I know? Because I've just realized that I've been completely distracted by it in my new/current position. For those who don't know me too well, I'm currently the Director of Security & Compliance for a small-ish tech firm in Phoenix, AZ. This position was newly created, and the first task handed to me on the way in the door was to get a suitable PCI remediation plan in place for our merchants (yes, we have 4).
When I started this job back in February, I immediately tackled the remediation plan project, and along the way concluded that it really needed to be framed as part of an overall security roadmap. So, I delved into the massive amount of details that is PCI DSS, as well as overloading my brain thinking about the bazillion things that are components of a full-fledged security program. The result? Complete paralysis from the sheer volume of work required across the board. "How in the world are we going to get this done? We don't even have a budget or staff right now!"