Sunday, January 13, 2019

Aurora Generator Tests - INL

I am planning on attending the Dragos ICS training class this year, and so I have been going through their recommended reading list.  One of the items on that list is the test footage from Idaho National Lab's Aurora Generator Tests, in which INL showed that a cyber attack could cause physical damage to an installation.

It's only just over a minute long and doesn't show a lot, but this is the beginning of Stuxnet.

Tuesday, January 01, 2019

Report on the 2017 Equifax Breach

The House Oversight Committee released a report on the 2017 Equifax Data Breach a couple weeks ago.  I just got around to reading it and it is pretty scathing, although couched in governmentese.  I highly recommend reading it no matter who you are, and if you work in the Information / Cyber Security field it should be mandatory that you read it.


2019 Resolutions

1.  I didn't get to Dubai in 2018 so I am going to put that on the list again for 2019
2.  Read at least one (1) book per week.  Fiction / Non-Fiction doesn't matter.  At least 5 must be books I wouldn't ordinarily read.
3.  Read at least one (1) SANS whitepaper per week
4.  Pass CISM exam in May.
5.  Pass CISA exam by September.
6.  Rebuild my Bug Out Bag (for earthquake preparedness not because I expect a government downfall or something)
7.  Blog at least once per week.

Sunday, December 16, 2018

Been awhile since I posted

Don't feel ignored; I haven't been posting much on Twitter or Facebook either, and I deleted my Google+ account.  I think those are all the accounts I have, so...

Anyway, today's post: I was looking at the DefCon page and they have announced the theme for DefCon 27, "Technology's Promise", and they have posted a bunch of suggested source material:

To get you in the proper mindset, here's some media to sample:
Star Trek TOS - because the series is based on a future Earth that has learned to manage itself, make working alliances with neighbors and turn its attention to the disciplined exploration of the broader universe. Also LCARS is still cool.
Asimov's Robot series - a future where humankind has built AI android tech that supports rather than supplants humanity, and (usually) behaves itself admirably.
BioShock - a genuinely thought-provoking game about the promises and limits of tech-based utopia.
Kraftwerk, Com Truise, Tangerine Dream - the beautiful sounds of our neon future, rendered in the gorgeously synthesized tones that can only come from the fruitful marriage of human and machine.

So let's ignore the fact that LCARS is from Next Generation (Barf!) and just consider the sources.  I have read or seen all of these and listened to Tangerine Dream and Kraftwerk.  I am not sure these are the best choices.  I would choose something like Charles Sheffield's Jupiter series or Jerry Pournelle's Exiles to Glory.  Although these series start in somewhat dystopian states, technology allows people to thrive and succeed.

Oh, Tangerine Dream is a good choice though:

Saturday, September 15, 2018

Took the CRISC this morning

What a clusterf**k.

OK, this is all my fault so don't take my above statement as a reflection on ISACA or the testing center.  There were a number of issues at play here:

1.  I registered for the test back in March / April and then completely forgot about it.  I got busy with GIAC exams, BlackHat, DefCon, car accidents, etc.

2.  When I got the reminder a couple of days ago I was like, "Well, I didn't study, so I'll blow it off."  Last night I was talking with a friend and he was like, "Hey, you might as well take it.  It's paid for."  So at the last minute I decided to, but being a dumb ass I didn't double check the times, and since I knew it ended at 12:30 I thought it started at 9:30.

3.  When my alarm went off this morning I didn't immediately get out of bed.  It wasn't until I got an appointment reminder that I realized the test was at 8:30, not 9:30.  Then it was rush, rush, rush.

Fortunately the testing center wasn't too hard to find and was relatively close, so I made it on time.  Also fortunately, over the course of my career I have been a project manager, worked in quality assurance, sat on a risk committee, taken a class in risk management, and read a few books on the subject as well as the NIST series of publications.  So despite being an idiot who forgot about the test and didn't study, I did have a good grounding in the subject and managed to pass.  Sometimes I manage to do OK despite myself.

Monday, September 10, 2018

Agile Security Management - is that a thing? Should it be?

I just finished reading the updated version of "Adventures of an IT Leader" by Robert D. Austin, Shannon O'Donnell, and Robert L. Nolan.  I don't strictly work in IT any more (Information Risk Management) and I am not an IT leader, but what the hell, it's a free country, and I have to keep tabs on what the management types are being taught to stay ahead of the game.


In one of the chapters the main character (who looks like a James Bond villain on the cover) is discussing project management with his subordinates, and the discussion turns to Agile Project Management, which, as many of you (yes, you, my imaginary readers) know, I am not the biggest proponent of, mainly because I think it often gets used in cases where the traditional waterfall approach would be a better fit.  In this chapter of the book nine principles of agile project management are laid out.

  • Deliver Something Useful
  • Cultivate Committed Stakeholders
  • Employ a Leadership-Collaboration Management Style
  • Build Competent Collaborative Teams
  • Enable Team Decision Making
  • Use Iterative Feature Driven Delivery
  • Encourage Adaptability
  • Champion Technical Excellence
  • Accelerate Throughput

(Elsewhere I see 12 totally different principles; since these were the nine in the book, these are what I went with.)

As I was reading I was wondering whether these principles could be applied to the security arena.  I know most of you are thinking "of course they can", and I tend to agree.  The second question is: are we?  Again, I know you are saying, "What, don't try to be stupider than you actually are, Chad!  Of course we are!"


Let's start with principle one, "Deliver Something Useful".  What do you deliver that's useful?  Reports?  Metrics?  How much impact do you think those actually have?  My guess, industry wide, is minimal (I am not trying to attack anyone's individual work; if you took it that way, that wasn't my intention).  To me something useful would be an easy-to-understand framework that IT can work within to ensure secure delivery of services.

"Wait," I hear the annoying voices in my head screaming, "what about ISO 27000, NIST, and COBIT?"  Well, if those work for you, more power to you.  If they don't, you have to have something.  Something that is easy for IT to understand and follow.  Something that encourages cooperation instead of making security the enemy.

This same sort of exercise applies to all nine principles.  Or maybe not; maybe I am just blowing smoke out my butt.  Iterative Feature Driven Delivery could easily be: do all the foundational controls of the CSC Top 20, and then go back and do the next set.  It could also be: update your framework quarterly as security and IT processes improve.  The idea is to return to first principles of security and close some of the holes that are caused by mistake, inattention, or lack of caring.

Anyway, that's where I am at on this.  If you have ideas (assuming anyone besides the 27 extra personalities in my head ever reads this), I would be happy to hear them.  Also, if you know of someone who has already done some work on this, point me to them.

Saturday, August 11, 2018

BlackHat and DefCon

I am currently on my 9th day in Vegas for BlackHat and DefCon, and just thought I would check in.

This was my first BlackHat, and given the cost, unless work is paying, most probably my last.  I took two training classes: Windows Enterprise Incident Response and Absolute SCADA, Red Team Edition.  Both classes had pretty good content, but by the end of the four days I was exhausted.  The classes were long and the rooms were freezing.  It also doesn't help that I am an idiot and barely understood the big words.  BlackHat ended with briefings and the Business Hall.  They charge an extra $2000 or so for the briefings (which is bullshit), so I didn't attend any of those, and the vendor hall was just a vendor hall.  I did get a yo-yo, so there's that.

This is my second DefCon, and what can I say?  Based on my vast previous experience of one, it's DefCon: lots of lines and Goons screaming.  I didn't get any training, but I have visited a few villages.  The ICS village seems to have a lot more interest this year, Blue Team Village seems to be getting off to a good start, and I will be visiting the Vintage Tech Village today.

All in all, it's a pretty good time.