Skip to main content

Posts

Showing posts from 2014

The Growing Divide: InfoSec Practitioners vs. Climbers

The Problem In our current age, where sound bytes, marketing reports, and short term quarterly focus rule the day, it’s getting tougher for the average corporate IT Security team to sort through the useless noise. One line of thought, which is particularly misguided and out of touch, is the belief that IT Security needs to be a “partner with the business”. What does that mean anyway? If you ask a dozen CISOs, you will likely get many different answers none of which the adversary would care about. Despite that, it has been the rallying cry for the types of vendors and consultants that focus on manipulating the C-suite to further their interests. What follows, will explain in detail why this concept is diverting IT Security from its true purpose of protecting the business in a narcissistic attempt to make heroes (aka promotions, bonuses, etc) out of paper IT Security leaders (aka PISOs) The Reality First things first, I’m a realist ™ . There are both positive and negative c...

Response to Anup’s post “The Three Most Common Myths in Enterprise Security”

I don’t disagree per se with anything Anup’s is saying, however upon reading this I was concerned. I think that people that have been doing this a long time have a clear understanding, but I believe the target audience of Piss-Ohs (Paper CISOs) needs more detailed guidance. Myth 1: We can patch our way to security Even with the full understanding that you can’t patch your way to security, you are in fact negligent if you are not pursuing a target state of everything in your org patched on a regular approved cycle, including emergency patching for critical s , with all of your legacy issues managed from a risk perspective. And by that I mean, leadership is fully aware of the risk and have either chosen to accept it or look at alternate solutions going forward. From my perspective, legacy solutions should be run in a virtual sandbox environment such as ThinApp, to allow the end user desktop to be fully patched. Some people have also gone the VDI route with varied success rat...

Lessons from Crumpton's Art of Intelligence

A few months ago, I finished reading Henry Crumpton's book, The Art of Intelligence: Lessons from a Life in the CIA's Clandestine Service . It was simply amazing and I highly recommend it for all the insights it adds to hidden conflicts the public will never fully understand. I will not be writing a review of the book however, but try to mirror some of the key points from the book into what we see today in the information security spectrum. While I would never attempt to equate the life and death struggles of patriots to the things we do in InfoSec, I believe in drawing from other realms to further our understanding of problems. Diverse Backgrounds (pg 64) "There was an overwhelming consensus, according to James, that whether in operations or analysis, the best officers were usually those who had accumulated a broad range of diverse and enlightening experiences prior to joining government service. These men and women developed more open, more empathetic views of othe...