They are written by *security experts* and they say effective security is as easy as:
Running su -c 'yum update' every week.
Picking a good password.
Blocking everything from China.
The only way to respond to these articles is:
The truth is SECURITY.IS.HARD!
When an *expert* writes an article based on the premise that effective security is achievable by following a canned security framework, they devalue the whole security industry. Implementing security in any organization means performing a risk analysis unique to that organization, and that can't be achieved with a checklist.
So the next time you see one of these listicles just say…
“Mr. Gamblin, this is your sixth year in the role of my father. How do you think this year has gone?” – My son during my imaginary yearly performance review.
Most holidays are set aside to celebrate an event that happened in the past, while Father's Day is mostly a day to celebrate what was accomplished in the past year.
It is impossible for me to celebrate without stopping and thinking about the past year. The easiest way to do this is to go straight to some classic performance review questions and apply them to my parenting skills. So here are the five questions I asked myself this morning:
“What went well this year and what might have gone better?”
“What can I do differently next year?”
“What are the most important goals for the coming year?”
“What knowledge or skills do I need to develop to meet my goals in this job?”
“In the past year, what achievement am I most proud of?”
Overall I think I did a good job this year, but being a dad is one of the few roles in my life where I do not mind, and actually expect, to get a few “needs improvement” and no “exceeds expectations”, because I am the one setting the expectations and I can never do enough for my son.
I spend a lot of time dealing with risk at my job.
I spend a lot of time dealing with how to communicate risk at my job.
I spend a lot of time dealing with how to accurately communicate risk at my job.
I put together this risk statement flowchart to help make sure I include all the information necessary when communicating risk. If I don't have something in every box, I know my job isn't done.
Last December I visited my doctor for my yearly checkup and he told me I was getting a “little husky” and that I was over 200 pounds for the first time.
That was a wake-up call. I had always thought of myself as “athletic”, although I had slowly gone from a waist size of 30 to 34 over the last 10 years.
So I made a goal to try to be under 160 pounds by June 1st.
After reading online I decided the best way to do that was to follow these 3 rules:
Only eat 1000 calories a day. Go to the gym 3 or 4 times a week. No excuses.
It wasn’t easy and I knew I had a lot of work to do. I used to eat 1000 calories at some (OK, most) meals, and I hadn’t routinely been to the gym to work out in years.
I gave up eating much pasta and bread. I stopped eating candy. I started to run and lift weights again. It worked.
I still have some work to do, as I would like to add back about 15 pounds of muscle mass and get under 10% body fat, but it is nice to feel “athletic” again.
“I am useless by myself.
My success hinges entirely on the people in my life.”
I was challenged this weekend to think about this statement and decide if I really believed it or not. It was such a thought provoking statement that I wanted to share it and not overly pollute it with my own thoughts.
I wrote Bad Actors this weekend to automatically generate a list of known bad IP addresses. My plan is to use it for data mining against my ELK stack, but it might also be handy for firewall and IPS rules or any other use you could come up with.
I had a friend recently tell me about how he was using a tool called rPlay to AirPlay his Apple devices through his Raspberry Pi. As a guy who is always looking to save $67, I decided to give it a try.
After configuring it I couldn’t get it to work, and after some investigation I found an error message that rPlay couldn’t connect to test.vmlite.com on port 9080. Since I practice egress filtering on my home network, I wasn’t surprised that it didn’t work.
After a network reconfiguration I was now rPlaying to my office TV. I was actually impressed by how well it worked.
I was also running tcpdump port 9080 -i eth0 -w 9080.pcap at the same time to see what was so important that my Raspberry Pi had to talk to test.vmlite.com.
Come to find out it was so that it could do this:
According to the Unofficial AirPlay Protocol Specification, rPlay is basically forwarding everything you do while using rPlay to a server running off a residential DSL line in California.
I would suggest that if you need AirPlay you stop using rPlay, do yourself a favor, and spend the $67 on an Apple TV.
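Egress filtering is what surfaced the rPlay connection in the first place. The script below is an added example, not code from the original post or from rPlay: it scans constructed iptables-style log lines for new outbound connections from a home gateway and reports, per internal host, any destination not on that host's allowlist. The log prefix, addresses (documentation ranges standing in for test.vmlite.com and the DNS resolver) and the allowlist are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample of iptables LOG lines written for every new outbound
# connection (not a real capture; IPs are documentation-range placeholders).
SAMPLE_LOG = """\
Jun  1 20:14:02 gw kernel: EGRESS IN=br0 OUT=eth0 SRC=192.168.1.42 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=51234 DPT=9080
Jun  1 20:14:05 gw kernel: EGRESS IN=br0 OUT=eth0 SRC=192.168.1.42 DST=203.0.113.10 LEN=60 PROTO=TCP SPT=51235 DPT=9080
Jun  1 20:14:07 gw kernel: EGRESS IN=br0 OUT=eth0 SRC=192.168.1.42 DST=198.51.100.7 LEN=72 PROTO=UDP SPT=40000 DPT=53
Jun  1 20:15:01 gw kernel: EGRESS IN=br0 OUT=eth0 SRC=192.168.1.77 DST=198.51.100.20 LEN=60 PROTO=TCP SPT=51300 DPT=443
Jun  1 20:15:09 gw kernel: EGRESS IN=br0 OUT=eth0 SRC=192.168.1.77 DST=198.51.100.20 LEN=84 PROTO=ICMP TYPE=8 CODE=0
"""

# Tolerates the extra fields (LEN, TOS, TTL, ...) real LOG lines carry between
# the fields we care about; lines without a DPT (e.g. ICMP) are skipped.
LOG_RE = re.compile(
    r"\bSRC=(?P<src>\S+).*?\bDST=(?P<dst>\S+).*?\bPROTO=(?P<proto>\S+).*?\bDPT=(?P<dpt>\d+)"
)

# Assumed per-host allowlist: (proto, dst, port) tuples each device is expected
# to reach. 192.168.1.42 stands in for the Raspberry Pi running rPlay.
ALLOWED = {
    "192.168.1.42": {("UDP", "198.51.100.7", 53)},
    "192.168.1.77": {("TCP", "198.51.100.20", 443), ("UDP", "198.51.100.7", 53)},
}


def parse_line(line):
    """Return (src, proto, dst, dport) or None if the line is not a usable flow."""
    m = LOG_RE.search(line)
    if not m:
        return None
    return (m["src"], m["proto"], m["dst"], int(m["dpt"]))


def unexpected_egress(log_text, allowed=ALLOWED):
    """Map each internal host to {(proto, dst, port): count} for flows it is
    not allowlisted for; a host absent from the allowlist has every flow flagged."""
    findings = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, proto, dst, dpt = parsed
        if (proto, dst, dpt) in allowed.get(src, set()):
            continue
        findings[src][(proto, dst, dpt)] += 1
    return {src: dict(flows) for src, flows in findings.items()}


if __name__ == "__main__":
    for src, flows in unexpected_egress(SAMPLE_LOG).items():
        for (proto, dst, dpt), n in flows.items():
            print(f"{src} -> {proto} {dst}:{dpt} seen {n}x, not on allowlist")
```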
We have all been asked that question during a job interview and went on to lie about how much we love new challenges and how well equipped we are to handle them.
Most people hate challenges. We strive for easy, stable and guaranteed results. Challenges are hard, unpredictable and always have a chance of failure.
Here is a quote from Muhammad Ali that I have been thinking about recently:
It’s lack of faith that makes people afraid of meeting challenges, and I believe in myself. -Muhammad Ali
If you want to be successful, every day you have to look for new challenges and accept them.
You also have to be willing to fail and failing hurts.
Are you ready to accept new challenges or are you just going to keep playing it safe until your next interview?
One of the takeaways from my talk is that security professionals should always think CISSP when they are communicating. Not this CISSP (which is great), but they should think this CISSP when they communicate:
Clear
The single biggest problem in communication is the illusion that it has taken place. – George Bernard Shaw
How many times have you thought you communicated something clearly, only to see it blow up in your face because the words you said and the words they heard weren’t the same?
Making sure your communication is clear is one of the most valuable communication skills you can work on.
Informative The more informative your communication is the more persuasive it will be. It is why I am a big fan of the PoC||GTFO concept. You will be amazed at how fast you can get things moving if you can show someone a proof of concept of a bug.
Simple
sim·ple (ˈsimpəl), adjective: easily understood or done; presenting no difficulty.
When you communicate, do you make sure you have worked through all the complexity of the problem yourself and left your audience the simplest version of it?
Succinct I was talking to a marketing professional a few weeks ago and he said the average executive reads the first 3 lines of an email. If you are sending the CIO a 3000 word email on an XSS bug you found, you have wasted 2900 words.
Passionate
“I have no special talents. I am only passionately curious.” -Albert Einstein
“You have to be burning with an idea, or a problem, or a wrong that you want to right. If you’re not passionate enough from the start, you’ll never stick it out.” ― Steve Jobs
If you make sure your communication is clear, informative, simple, succinct and passionate, you will be amazed at how many more doors will be opened for you.
I had lunch with a mentor last week and he closed lunch with this thought and it has been stuck in my head ever since:
There are two choices you are constantly making in your life, you either change things or accept them.
We make that choice hundreds of times a day, and most of the time we don’t even realize it. Do I pick up my son's toys out of the living room or do I accept the mess? Do I help the lady with a flat tire or do I accept it so I can get to work on time? Do I say something about a problem at work or do I accept it so I don't make waves? Do I volunteer in my community or do I accept it as is?
The truth is, any time you notice something that you want to change and don’t, you have accepted it. We all have excuses for why we don’t try to change things, and I have tried all the mental gymnastics to disprove his quote, but I can't.