2 out of 10 Lego Characters Agree: Cemetary Plus Toxic Waste = Zombies

Posted August 22nd, 2007 by

Cemetary Plus Toxic Waste = Zombies

Similar Posts:

Posted in Zombies | 1 Comment »

The “C-Word”

Posted August 17th, 2007 by

Yes, I think I got Rob Newby hooked on saying the “C-Word”.  Now if he says  in on the BBC and I get a recorded version of it in my email, I’ll die happy.

I would like to think I was the first person in the world to use this phrase, but then again, I like to think I started the whole “Long Tail of Security” that people have been talking about this week thanks to Mark Curphey.

Another phrase that I want to popularize in addition to the “C-Word” is “C*mpliance” as in how it’s a dirty little word to say around me.  This isn’t entirely my idea, I got it from the Hashers who use the word “r*nner” to describe those daffy people who think that if they don’t go faster, the beer will be gone before they get there.

It’s the little things that make me happy sometimes.  Having people start talking like me is one of them.  =)

Similar Posts:

Posted in Odds-n-Sods, The Guerilla CISO | 10 Comments »

More Security Controls You Won’t See in SP 800-53

Posted August 16th, 2007 by

AC-23 Self-Destructing Mobile Devices
The organization equips all mobile devices with self-igniting devices so that they are destroyed upon command.

Supplemental Guidance:
Contrary to what Adam Shostack believes, data breaches are not good for the US Government. Therefore, it is of the utmost importance that we not allow a data breach ala VA, TSA, and others.

Control Enhancements:
(1) The organization configures mobile devices to be destroyed when they are outside of a government facility. (2) The organization configures mobile devices to be destroyed when they are outside of arms reach of the registered owner. (3) The organization configures mobile devices to be destroyed at random to discourage users from putting data on them.

Low: PS-9 Moderate: PS-9(1)(2) High: PS-9(1)(2)(3)

Similar Posts:

Posted in FISMA, Odds-n-Sods, The Guerilla CISO | 4 Comments »

Standard Maturity

Posted August 15th, 2007 by

Earlier this week, I got a 3-year-old System Security Plan (SSP) in the mail from one of my customers wanting me to update parts. My first response was “cute, we don’t really do that free-form style of document munging anymore,” followed up with “how do you expect me to discuss that ‘during an earthquake the building might have more load on it than it is designed to hold'” and then “What value do we get out of this exercise?” The translation into non-government speak is the following:

  • The format is free-text
  • The SSP was a rehash of contractual requirements and how they were satisfied (not a bad idea for a start, but it doesn’t answer the rest of what we need)
  • The SSP was written before we had a catalog of controls (SP 800-53)
  • Most people nowadays use the catalog of controls as the outline for most of the SSP

For its time and place, the SSP was correct, but it seems so quaint 3 years later. Naturally, this got me thinking about maturity of information security standards. What I’ve seen is that for any kind of a standard, there is a cycle:

  • Initial Release: Standard is published, everybody has a look at it.
  • Early Adopters: Something nobody wants to be. These people waste tons of effort because once they go in a direction, the standard will change. Bottom line is lost time, effort, and money to be an early adopter. Reminds me of the old saying “How can you identify the true pioneers? They’re the ones with the arrows sticking out of their backs.”
  • The Intermediaries: These people get to help write the implementation guidance for the standard. They are similar to the Early Adopters except they are more careful and don’t commit to large changes unless they have them adopted into the guidance.
  • The Hoi-Polloi: Once the standard is mature (or perceived to be mature), the rest of the masses will commit to the standard.

Now the trick here is to be one of The Intermediaries because they get to come in and help define the standard. If you make the standard, then you automagically have achieved “compliance”. I think the big difference between being an Early Adopter and an Intermediary is how much time and effort you have to spend to teach the enforcers of the standard what your “Level of Pain” is and where you’re having problems doing what it is they’re asking you to do.

In the case of my aforementioned SSP, it bordered on Early Adopter and Intermediary. but how do you conform to a standard that’s still being written? It’s an interesting conundrum, and one of the contradictions of security in the government that we discuss when I teach.

Strangely enough, this cycle applies to just about any technology or standard, underlining my core belief that security is no different. My thought for today is this: if life imitates art, and security imitates life, then does security imitate a subset of art?

Jokingly, I think it’s more like the Kübler-Ross Grief Cycle (copied from changingminds.org):

  • Shock stage: Initial paralysis at hearing the bad news. “They want us to do what?”

  • Denial stage: Trying to avoid the inevitable. “This doesn’t really apply to us, we just make Frobulators, not Thingamajigs.”

  • Anger stage: Frustrated outpouring of bottled-up emotion. “No fscking way are we going to do it, you can’t penalize us enough to compensate for us not doing it.”

  • Bargaining stage: Seeking in vain for a way out. “How about if we give you a SAS-70 instead?”

  • Depression stage: Final realization of the inevitable. “How are we going to get this done, it’s too much, too expensive, the end is NEAR!!!”

  • Testing stage: Seeking realistic solutions. “So what level of compensating controls can we discuss?”

  • Acceptance stage: Finally finding the way forward. “OK, we might as well get a project started.”

Similar Posts:

Posted in FISMA, Odds-n-Sods, The Guerilla CISO | No Comments »

All We Wanna Do Is Eat Your Brains

Posted August 15th, 2007 by

Funny zombie song from Jonathan Coulter turned into a video.  It’s highly viral and addicting, you’ll be singing it for weeks to come.

Similar Posts:

Posted in Zombies | 2 Comments »

More Tollroad Follies

Posted August 14th, 2007 by

Article from AP/MSNBC about “E-toll devices used to prove cheaters ‘took the off-ramp to adultery'”. Sensationalist subtitle aside, the metric they give are the following:

  • Illinois: ~30 subpoenas or court orders the first half of this year, ~50% for divorce cases
  • 4 states only provide information in criminal cases

It’s hardly what I would call a serious problem, but still a problem if it’s your records that they want to get their hands on.

Now the simple lesson is this: If you’re a cheating heart, use a tinfoil hat for your E-ZPass or take the back roads. =)

Similar Posts:

Posted in Odds-n-Sods | 2 Comments »

« Previous Entries Next Entries »

Visitor Geolocationing Widget: