Digital Pearl Harbor

[Digital|Cyber] Pearl Harbor. The three words combined have the power to make the population of security defenders growl in contempt. There’s a good reason for this. Its symbolism and obvious American political connotations instantly put fear, uncertainty, and doubt tactics into play. A military perspective has validity …

Applying Liddell Hart to Infosec

I believe infosec, particularly incident response, is a realization of competition through digital venues. Similarly, military thought is focused on one of the most serious levels of competition: war. There is a series of similarities here that goes beyond simple analogy and offers mutual usefulness. A lot of lessons we, as …

Patterns for Successful Incident Response

What are themes and strategies that make up successful detection and response operations?  This has been a question in my head for the last several days.  This post is an attempt to generate discussion and dialog on that.  Here is my stab:
  • A genuine desire to champion a sustainable security …

Social Disclosure

Limited disclosure. Responsible disclosure. Full disclosure. These are varying levels of loose expectations or cultural norms that certain circles within the security industry respected.
We’re so beyond that point.  Security “researchers”, vulnerability buyers, software vendors, universities, the press, government and everyone in between are fragmented.  Fragmented on …

shmoocon 2011

I’ve been attending shmoocon since 2005.  I enjoy it for a few reasons.  It whips me out of complacency and reminds me why I enjoy what I do.  It’s a chance to remove the organizational weight that you carry during the day and allows you to refocus on …

Compliance Programs and Friction

I have a shiny new hammer in my hand (friction) and everything looks like a nail.
How do compliance programs
using compliance plans as overt intel for adversary to scope RoE.
FISMA, et al.

secops superiority

$brainstorm = 1; // I reserve the right to contradict myself repeatedly and leave gaps. You’ve been warned.

I want to combine my last posts, Cause and Effect and Clausewitz and DiD.  Indeed, it was originally one post that I chopped up in order to provide some focus to each topic …

random tidbits

Also, this reliance on properly designing systems is funk. They are too complex, and deployment will immediately offer deviations from the schema. The proof is in the pudding.

mental image:

Executing a security program is like playing Tetris. The game speeds up as you go and you have nothing you …


CIA Triad

Let’s start with a list:
  1. “Our new company policy must protect Confidentiality, Integrity, and Availability”
  2. “The goal of information security is the protection of the CIA Triad”
  3. “Before we design this architecture, we need to assess the Risk of Availability, Integrity and Confidentiality”

Where did the concepts of the …