My Stalking Spammers

Posted May 14th, 2007 by

I got an email and a voicemail today from somebody selling compliance products.

The introduction was “I got your contact information off a Security Focus email list.  Buy our products.”

Obviously, the sales guy didn’t read my blog and what I really think about compliance.  I think there are greener pastures out there to find. =)

Voicemail, however, is a disturbing trend.  Usually we play this little game where they send me email, I flag it as spam, and it goes away.  Now they’re calling me leaving voicemail.  What next, flowers at work?

Spammers beware:  If you start buying me presents, I’m getting a restraining order.  =)



Posted in The Guerilla CISO, What Doesn't Work

I’m Interviewing

Posted May 14th, 2007 by

I have one project that I’m looking to staff out in the East side of the beltway. It’s my secret little project that I have to turn loose into the world because I’ve done all I can do for it. It’s now time to turn it over to a decent information security manager and influence the outcome indirectly. Before you ask, no, this isn’t working directly for me, but it’s somebody inside my circle of customers.

Also my long-term goal (over the next year) is to hire somebody to work in Salt Lake City as a generalist security manager and responsible on-site adult. I figure I should start looking now because it’s going to be a long time to find somebody who lives in or wants to live in Utah and who knows how the US Government does security.



Posted in FISMA, The Guerilla CISO

Almost Time to Fish the Potomac

Posted May 11th, 2007 by

I may be still somewhat sick, but I’m not dead yet.  I took an evening this week, severely medicated myself, and fished the Great, Green, Greasy Potomac River.

The water was about a foot high and a little discolored.  Not too bad, but give it a week and maybe it will be really good.  In the knee-deep water, I could see plenty of baitfish but no crawfish.  They estivate during the winter, and I guess it’s still a little too early for them.  No matter, an estimated 75% of a smallmouth’s diet is crayfish, so I figured they wouldn’t mind if I dropped one on top of them, they would still bite it out of reflex.  I tied on a Skip’s Dad and cast out into the current.

I fished the bottom of Langley Island next to where Turkey Run trickles into the Potomac.  I always liken smallmouth fishing to steelhead fishing.  When you’re standing in waist-deep water and casting into a little bit deeper current that’s about walking speed, that’s where you’ll find both the steelhead and the smallmouth.

I landed a couple of nice redbreasted sunfish and lost about a dozen fish, I think at least one was an average-size smallmouth.  I had to “super-size” the weight on the fly because I just didn’t think I was getting down deep enough.

I quit when it started to get dark (the park police are stupidly anal about locking you in after dark, but stupidly lackadaisical about letting you wade in the river), I broke off my fly in a tree, and my reel seat came unglued and slid off the back of the blank.  I shrugged, figured it was a sign that I’ve had enough fishing for a day, and slogged my way back up the hill to the car.

Not bad for my first time out to this spot of the river this year.



Posted in Flyfish

Thoughts on Requirements

Posted May 10th, 2007 by

I don’t think we should attach the word “requirement” to any controls in a framework or catalog of controls. I wish we could use the word “needs” instead.

While it’s a subtle distinction, it implies that there needs to be some wetware involved in order to translate the catalog of controls into real requirements that an engineer (security or otherwise) can build to. Until we do that, we’re only frustrating the people who have to implement.



Posted in Risk Management, What Doesn't Work, What Works

When Acceptable Risk is Not Acceptable

Posted May 9th, 2007 by

Bottom Line Up Front: Even if on an organizational basis, the risk is acceptable, on a personal basis, there is no such thing as an acceptable risk.

We have these great Information Assurance frameworks. They’re scalable, modular, and they do work if you know what you are doing.

Then they all fall short in one thing: acceptable risk that is not acceptable. We teach people how to determine if a risk is acceptable. There are several formulas to use. It’s part of the CISSP CBK. At its heart, it’s a cost/benefit/risk comparison. Rationally, we know how to do this as an organization.

However, on a personal level, we live in a risk-avoidance, zero-defects society. To an individual, taking a risk means that you might have personal repercussions, and that is not acceptable. The end result is that we’re back to risk avoidance, which takes us back to the neolithic era of risk management.

So we’re stuck in this dual-standard security world with no end in sight. How do we fix it? I’m not sure, but somehow in order to have effective risk management, you need to establish a culture where it’s OK to fail occasionally.



Posted in Risk Management

Zombies!

Posted May 8th, 2007 by

I’ve been sick for 4 days now. It’s not fun, except for the fact that in-between bouts of feverish shaking and having out-of-body experiences, I’ve been wasting time playing Guild Wars and Battlefield 2 on my Linux workstation at home courtesy of Cedega.

But today, I figured it out… I’m becoming a zombie!

This is how it all starts–a long illness, then after I die off, I come back as a zombie. I’m not sure how I got the infection, but I think it was crawling through the storm drain tunnels of Falls Church with about 150 of my “closest friends” on Thursday. Think about it: tunnels, sewage, darkness, rats, water–it practically screams zombie infection!

I gave my wife a standing order to shoot me in the head immediately after I die. That’s the only way to stop the zombification and the subsequent eating of her brain. Of course, she’ll have to borrow a weapon; the 2 firearms I own haven’t been fired in this century.

Anyway, I’m adding a kooky zombie category over at the right and from time to time I’ll post something about zombies. It’s a subject that needs to be explored more in the future. That is, of course, if I don’t turn into one myself as previously described or I don’t wake up in the morning and wonder what kind of crazy, demented babbling I am capable of on my death/zombification bed.

What does this have to do with information security? Well, not much except for the fact that everything I know about physical security I learned from watching zombie films:

  • Intruders always find a way to infiltrate the building perimeter.
  • Avoid contact with other peoples’ body fluids.
  • Cameras and alarms won’t protect you when you’re getting your brain eaten.
  • Shooting intruders in the head is the only way to be sure they won’t come back.
  • It’s hard to act tough when you’re being mauled by 20 zombies, even if you have a shotgun.
  • Who needs social engineering when you can eat the guards?


Posted in Zombies
