Saturday, September 15, 2018

Took the CRISC this morning

What a clusterf**k.

OK, this is all my fault so don't take my above statement as a reflection on ISACA or the testing center.  There were a number of issues at play here:

1.  I registered for the test back in March / April and then completely forgot about it.  I got busy with GIAC exams, Blackhat, Defcon, car accidents, etc.

2.  When I got the reminder a couple days ago I was like, "Well, I didn't study, so I'll blow it off."  Last night I was talking with a friend and he was like, "Hey, you might as well take it.  It's paid for."  So at the last minute I decided to, but being a dumb ass I didn't double check the times, and since I knew it ended at 12:30 I thought it started at 9:30.

3.  When my alarm went off this morning I didn't immediately get out of bed.  It wasn't until I got an appointment reminder that I realized the test was at 8:30 not 9:30.  Then it was rush rush rush.

Fortunately the testing center wasn't too hard to find and was relatively close, so I made it on time.  Also fortunately, over the course of my career I have been a project manager, worked in quality assurance, sat on a risk committee, taken a class in risk management, and read a few books on the subject as well as the NIST series of publications - so despite being an idiot who forgot about the test and didn't study, I did have a good grounding in the subject and managed to pass.  Sometimes I manage to do OK despite myself.

Monday, September 10, 2018

Agile Security Management - is that a thing? Should it be?

I just finished reading the updated version of "The Adventures of an IT Leader" by Robert D. Austin, Shannon O'Donnell, and Richard L. Nolan.  I don't strictly work in IT any more (Information Risk Management) and I am not an IT leader, but what the hell, it's a free country, and I have to keep tabs on what the management types are being taught to stay ahead of the game.

Anyway...

In one of the chapters the main character (who looks like a James Bond villain on the cover) is discussing project management with his subordinates, and the discussion turns to Agile Project Management, which, as many of you (yes, you, my imaginary readers) know, I am not the biggest proponent of - mainly because I think it often gets used in cases where the traditional waterfall approach would be a better fit.  In this chapter of the book nine principles of agile project management are laid out.


  • Deliver Something Useful
  • Cultivate Committed Stakeholders
  • Employ a Leadership-Collaboration Management Style
  • Build Competent Collaborative Teams
  • Enable Team Decision Making
  • Use Iterative Feature Driven Delivery
  • Encourage Adaptability
  • Champion Technical Excellence
  • Accelerate Throughput

(Elsewhere I see 12 totally different principles; since these were the nine in the book, these are what I went with.)

As I was reading I was wondering whether these principles could be applied to the security arena.  I know most of you are thinking "of course they can," and I tend to agree.  The second question is: are we?  Again, I know you are saying, "What, don't try to be stupider than you actually are, Chad!  Of course we are!"

Really?

Let's start with principle one, "Deliver Something Useful".  What do you deliver that's useful?  Reports?  Metrics?  How much impact do you think those actually have?  My guess, industry wide, is minimal (I am not trying to attack anyone's individual work if you took it that way; that wasn't my intention).  To me something useful would be an easy-to-understand framework that IT can work within to ensure secure delivery of services.

"Wait", I hear the annoying voices in my head screaming, "What about ISO 27000, NIST, and COBIT?"  Well, if those work for you, more power to you.  If they don't, you have to have something.  Something that is easy for IT to understand and follow.  Something that encourages cooperation instead of making security the enemy.

This same sort of exercise applies to all nine principles.  Or maybe not; maybe I am just blowing smoke out my butt.  Iterative Feature Driven Delivery could easily be "do all the foundational controls of the CSC Top 20, then go back and do the next set."  It could also be "update your framework quarterly as security and IT processes improve."  The idea is to return to first principles of security and close some of the holes that are caused by mistake, inattention or lack of caring.

Anyway, that's where I am at on this.  If you have ideas (assuming anyone besides the 27 extra personalities in my head ever reads this) I would be happy to hear them.  Also if you know of someone who has already done some work on this point me to them.

Saturday, August 11, 2018

BlackHat and DefCon

I am currently on my 9th day in Vegas for BlackHat and DefCon, and just thought I would check in.

This was my first BlackHat, and given the cost, unless work is paying, most probably my last.  I took two training classes - Windows Enterprise Incident Response and Absolute SCADA, Red Team Edition.  Both classes had pretty good content, but by the end of the four days I was exhausted.  The classes were long and the rooms were freezing.  It also doesn't help that I am an idiot and barely understood the big words.  BlackHat ended with briefings and the Business Hall.  They charge an extra $2000 or so for the briefings (which is bullshit) so I didn't attend any of those, and the vendor hall was just a vendor hall.  I did get a yo-yo, so there's that.

This is my second DefCon, and what can I say?  Based on my vast previous experience of one, it's DefCon: lots of lines and Goons screaming.  I didn't get any training but I have visited a few villages.  The ICS village seems to have a lot more interest this year, Blue Team Village seems to be getting off to a good start, and I will be visiting the Vintage Tech Village today.

All in all, it's a pretty good time.


Monday, July 30, 2018

GCIP Complete

Passed the GIAC GCIP exam this morning, so I now hold every certification in the ICS track from SANS.  I'm still clueless, but I am certifiably clueless.  I have to admit that this was by far the hardest GIAC test I have taken.  If you know anything about NERC CIP you will understand why.  Everything is just completely convoluted.  Anyway, I passed, so suck it, world.

Sunday, July 29, 2018

Trump - "I am Shiva, Destroyer of Worlds!"

Instapundit quotes a piece from the Financial Times, in which the Director of the European Council on Foreign Relations ponders Trump:
My interlocutors say that Mr Trump is the US first president for more than 40 years to bash China on three fronts simultaneously: trade, military and ideology. They describe him as a master tactician, focusing on one issue at a time, and extracting as many concessions as he can. They speak of the skilful way Mr Trump has treated President Xi Jinping. “Look at how he handled North Korea,” one says. “He got Xi Jinping to agree to UN sanctions [half a dozen] times, creating an economic stranglehold on the country. China almost turned North Korea into a sworn enemy of the country.” But they also see him as a strategist, willing to declare a truce in each area when there are no more concessions to be had, and then start again with a new front.
For the Chinese, even Mr Trump’s sycophantic press conference with Vladimir Putin, the Russian president, in Helsinki had a strategic purpose. They see it as Henry Kissinger in reverse. In 1972, the US nudged China off the Soviet axis in order to put pressure on its real rival, the Soviet Union. Today Mr Trump is reaching out to Russia in order to isolate China.
I think there may be a little (a smidgen perhaps) of truth in this statement, but I don't think it is nearly as organized a philosophy or strategy as this article implies.  In fact I wish it were true; I am a free trader, but I am an American first, and so I of course wish that America was operating from a stronger position.  I also agree that China strongly wishes to knock us down a few pegs; I would not be averse to us instead displacing them from their perch in Asia and allowing a friendlier country to rise.

Friday, July 27, 2018

A completely unnecessary update - GIAC GCIP on the horizon

Still studying for the GIAC GCIP.  I'm sure I am going to pass, but the score may not be what I want.  (I take the test on Monday morning.)  After that it's all about packing up for BlackHat / DefCon.  I didn't manage to get any training at DefCon this year, so I will just hang out in the ICS and Blue Team Villages.  I am taking two classes at BlackHat though: Windows Enterprise Incident Response by Mandiant, and Absolute SCADA Red Team Edition.

Next year I am looking at breaking out of the ICS rut and trying this course: Advanced Infrastructure Hacking - 2018 Edition (of course it will be the 2019 edition then).

There are No Secrets (James Mickens)