The Security Catalyst

It is hot today is Upstate NY; the same is true for some forum discussions taking place this week:

• Is Management the Real Security Problem?
•  How to deal with a “poison pill”
• Using CAPTCHA
  

If you enjoyed this post, make sure you subscribe to my RSS feed!

Read the rest of this entry »

If you enjoyed this post, make sure you subscribe to my RSS feed!

The forums are off to a roaring start this week - with some insightful discussions. Sure, thinking this early in the week can be scary, but it sure pays off!

• What are the ethical standards/requirements for security bloggers? [IN PREP FOR TUESDAY]
• Help me test my new Firefox add-on
• Printer Dots and Privacy - cause for concern?
• Sen. Schumer Kills Bank (unintended consequences and the way security is considered)
• CISSP - on it’s way out, or not. Or both? (the discussion continues!)

Join the in the Discussion!

The Security Catalyst Community

Your participation is your currency (means no charge to join) - the more you contribute the more you learn and the more valuable the community becomes to everyone (so dive in and share). If you have not yet registered, please remember to use firstname.lastname as the standard.

If you enjoyed this post, make sure you subscribe to my RSS feed!

This is a question that has been kicked around quietly, and now it is the focus of the August Security Roundtable. We are recording on Tuesday (pondering using a live-feed) and I want your feedback. 

Show Prep Outline

If you enjoyed this post, make sure you subscribe to my RSS feed!

It’s been a brisk week in the forums, and here are some hot topics:

If you enjoyed this post, make sure you subscribe to my RSS feed!

• gmail remote sign out - is this brilliant or rife with unintended consequences?
• Checking the Validity of your Security Tools
• Windows 2008 PKI infrastructure and smart cards
• Most communities don’t use SSL for authenticating members… should they?
• SecTor 2008 - Toronto, Canada

Join the in the Discussion!

Your participation is your currency (means no charge to join) - the more you contribute the more you learn and the more valuable the community becomes to everyone (so dive in and share). If you have not yet registered, please remember to use firstname.lastname as the standard.

If you enjoyed this post, make sure you subscribe to my RSS feed!

 

 Standard Podcast [68:41m]: Play Now | Play in Popup | Download

If you enjoyed this post, make sure you subscribe to my RSS feed!

(after reading that title, are you singing the theme to Love Boat yet? If you are, and you miss the program go watch a full episode now: http://www.cbs.com/classics/the_love_boat/)

The book is being printed (finally!). The preview copies are being mailed out. And we have been in the same spot for a few weeks now. It is time to load up the coach and head back out on the roads! Our “ship” is not as big as the Love Boat, but the adventures never cease, and we’re ready for the next one.

What was initially conceived to be the “Campaign Across America” has evolved into the more appropriate “Catalyst onTour.” We have the “tour bus” and a desire to see as much of the country as we can. Unlike a rock band going on tour, we have more of a grass-roots approach and a powerful message: each of us makes a difference when it comes to protecting our information, our identities, our children. As the tour rolls on, we seek to bring that message of optimism and support door-to-door. Seriously.

To better explain the Catalyst onTour concept, approach and benefits to business, families and even potential sponsors we are in the process of setting up the catalyst onTour website (hopefully before we leave again in July; it’s next after we update the book website). Minimally, this site will allow you to keep in touch and join (if only virtually) our efforts through writing, pictures, audio and video – and ask questions, make suggestions and otherwise get involved and make a difference!

The July/August Route
RVs are fluid. So the final route is a bit up for negotiation right now (and quite frankly, if you’re on the way and would like to work with me, you can easily influence the route). We expect to leave near the end of July and may actually start with a brief stop in Hershey, PA (home of Hershey Chocolate and Hershey Park). Then we’re heading toward Las Vegas. After our stop in Arizona, we may head up the West Coast into California, or we may head back East across Texas, into Tennessee, Georgia and then back up North to New York. Then again, anything can and does work when in an RV (try doing that in a plane!).

Tour Leg Anchor Events
This tour leg is currently being anchored by two events with fixed dates:

• Black Hat in Las Vegas for some semi-private events: August 4-7
• Sierra Vista, AZ (private event) week of August 11 - 15

Potential Cities and Stops Along the Way
While we have traveled the length of Route 80 before (though not on this trip), this will be an exciting opportunity to see some new cities (and welcome the family to some new States). Potential stops include:

• Des Moines, IA
• Omaha, NE
• Denver, C)
• Phoenix, AZ

On the way home, we have a lot of options - so if you are somewhere between Arizona and Upstate NY - let us know and we will try to work something out. We are currently planning to circle back to Upstate NY during the first week of September. This gives us a few weeks home before setting out on a series of speaking engagements and client working sessions, a potential trip to Orlando and whatever else influences some onTour segments.
In the meantime, if you want to get an advance copy of the book, learn more about how the tour can help you meet your goals (for example, awareness), raise your profile or even energize your team before the fall… give us a call (800.996.8351) or send me an email (securitycatalyst /shift-2/ gmail.com).

Technorati Tags: catalyst, catalyst onTour, blackhat

If you enjoyed this post, make sure you subscribe to my RSS feed!

The last article in this series explored the top three reasons why group have a tendency to reinvent the wheel (read it here, or the entire series started here). And now, some solutions:

Beyond the frustration caused by an approach that simply recreates the wheel, the result is often a solution that is not trusted and therefore readily cast aside in favor of the next offering. To put a stop to this cycle requires taking a different approach. Success has to be based to fundamentals and sound principles.

How to do it?

A key part of the solution is to enter into deliberate discourse (note: this is a central theme of Into The Breach and a topic I am passionate about). More voices with an opportunity to review, consider and contribute have the potential to lead to a better product. For this to lead to a better product requires a strong leadership team with enough expertise to guide and the skills to help facilitate and negotiate the final result.

Instead of starting with a blank slate, it is a good practice to build on the success of others. When it comes to strategies that protect information, we have plenty of choices – frameworks like ISO 2700x, PCI, FISMA, etc. However, limiting the solution to a narrow set of industry standards may not yield the best results. Sometimes, real progress comes at the intersection of industries (to gain more insight on this approach, consider reading: The Medici Effect) – leveraging how the medical, engineering or other industries have dealt with and handled challenges may bring valuable insight to the effort at hand.

The advantage to building on the validated and transparent work of others is the ability to avoid conjecture and “gut feeling.” This is the challenge: there are few shortcuts to spending the time to outline, think, plan, distill, check, cross-reference. This is an area where transparency really provides a benefit.

When the group of professionals is assembled, here are three steps to harnessing the collective power, building on the wheel (instead of building a new wheel) and reaching a point of success:

1. Capture and distill frameworks (or solutions)

Start by presenting a model to work from, based on an existing solution. In general, individuals and groups struggle to create but excel at editing and revising. With this in mind, selecting an initial framework or set of solutions to present to the group acts as a strawman [http://en.wikipedia.org/wiki/Strawman]. This has the added benefit of allowing people to beat on the framework(s) instead of each other.

The frameworks or solutions can either be selected in advance or decided by the team. Allowing the team to decide may provide for more diverse results but requires more time and a stronger facilitator (who possesses deep subject matter expertise). Stronger frameworks and solutions are those that have already been publicly validated and are more transparent. This suggests the “heavy lifting” has already been done and the team can focus on refining and tailoring what already exists from multiple sources into the solution required.

More important that just compiling a list of viable frameworks and solutions is how they are captured and processed. As the elements are suggested, reviewed and documented, look not only for the similarities, but also the distinctions between them. Working to understand why specific elements were either included or excluded may also reveal key insights that aid the development of a stronger solution. Note the intended audience and users of the solution and how it is received. It may be useful to note the level of maturity, too (since that provides some insights).

This process generates a lot of discussion – this is good, and leads to the second point.

2. Capture and distill the running dialogue

More important, perhaps, than the solutions selected in the last step is the running dialogue that occurs as part of the process. Yet few organizations take the time or make the effort to capture that solid gold value.

Ultimately, the discussion – the true process of negotiation and coming to a common understanding – is precisely what allows a group to build the final product. While the discussion is natural, here are three important questions to ask, answer and record during this process:

a. What works — and why?

b. What does not work — and why?

c. How is this applied — and why?

Look for specifics. This is an area where people tend to rely on “truthiness” – which, to a certain extent, may be okay. In the overall discussion, however, guide people back to more concrete grounding by asking more questions to ensure everyone shares a common understanding (which is not necessarily the same as a common opinion!). The next segment will explore the benefit of capturing this conversation and making it available in the future.

As the conversation continues, there is one more step to increase the overall value.

3. Capture and distill references

The value of having experts together in a room is their collective knowledge – informed by experience, training and a vast array of resources. Therefore, it is incredibly valuable to regularly ask this group to cite the references they find of value.

As the discussion rages on (if you have been part of a working group, rage is definitely the right word), asking people to take the time to cite the references that support their assertions returns focus to the fundamentals.

Not only does this improve the overall framework, but this also improves how it is applied and verified (as we will explore in the next sections).

Bottom Line

Bring together a small, tight team that works well together. Welcome as many voices into the process as reasonable. Take the time to distill and overlay what already works.

How this Applies to Trustmark

When Trustmark gets this right, it will essentially be an overlay on the entire industry – explaining where, how and why the different control families and control objectives can be met. This is important, since it allows for additional regulations or efforts to be acceptable without prescribing a set way of working. But whether working on Trustmark or a new process to protect information, following these steps leads to a stronger - and more trustworthy - result.

Up Next: the second challenge facing Trustmark and similar efforts is in how the solution is applied. We examine this challenge with potential solutions before moving on to the final challenge of how the solution is measured and verified.

If you enjoyed reading this article, please take a moment to either subscribe to the RSS feed (www.securitycatalyst.com/feed/) or sign up for free updates by email. Use the buttons below to print this article or share this with friends and colleagues that will benefit from this.

If you enjoyed this post, make sure you subscribe to my RSS feed!

As we roll into Monday (and after a holiday weekend in the US), there are several interesting posts ready for your comments, and plenty of insight to make your week even easier! Take a look at:

• Forensic Analysis Applications
• Privacy Alert - ISPs putting “ad service” boxes in the click stream is bad!
• Interesting Article (comments and insights wanted)
• In search of statistics for average time to resolution of infected website
• Favorite command shell tools
• Most Corporate Blogs are Failures. What can we learn from why?
• Targeted/Focused Attacks

Join the in the Discussion!

Your participation is your currency (means no charge to join) - the more you contribute the more you learn and the more valuable the community becomes to everyone (so dive in and share). If you have not yet registered, please remember to use firstname.lastname as the standard.

If you enjoyed this post, make sure you subscribe to my RSS feed!