
InfoSec Poetry and Hacker Haikus

I just read “Hackers Can Sidejack Cookies” in The New Yorker. The hacker poetry made me smile and then made me think. Blogs are to ballads like tweets are to haiku. I have been wondering what best to post on Twitter. Perhaps I’ll start posting daily ‘hacker haiku’ that summarize InfoSec themes and ideas.

Here is my first stab at a hacker haiku. This is in regards to cloud service providers and the need to build controls and a perimeter-less security model.

Clouds form on the horizon
Redefine security
Perimeter-less

Patience and Persistence

Within time, within budget, that is my credo. I do not like my projects to run late. Yet in IT, some things often do run late. So it was today that I emailed a colleague to say that the computer I was updating was running about fifteen minutes longer than I expected. He pinged me back to say that patience was a virtue. To which I responded with my old family saw: patience is for those who cannot have it RIGHT NOW.

The timing was great, incidentally, as the update finished at the same time as my email. So I could have it right now. Good deal.

But that got me thinking about patience. I am not what one would consider a patient person. Patience brings to my mind a content bearing of a delay.

Yet so many sayings revolve around patience. Take the Chinese proverb: “patience is power. With time and patience the mulberry becomes silk.”

I wouldn’t call that patience. It isn’t like you are waiting for the mulberry to become silk. No, not at all. You are actively engaged in the process. You are steadfast and firm, consistently working toward the goal. You are persistent.

Patience is waiting. Persistence is building. Now persistence, persistence is a virtue.

Information overload – how a day turns into a week

So how real is information overload? Sure we all hear about it. But can information overload be measured?

Over the past couple months, I did a couple of tests to measure information overload in my field.

The first test that I did was to determine how long it would take me to read an average day’s news. I took a vacation in June and left my RSS feeds on auto pilot. After 20 days, I had 11,907 articles waiting for me. Fair enough. That works out to 595 articles per day. I wrote a quick script to scrape each article and get a word count. The average was 724 words per article.

595 articles per day = 11,907 articles divided by 21 days
430,780 words per day = 595 articles multiplied by an average 724 words
2,153.9 minutes = 430,780 words divided by my reading speed of about 200 words per minute
35.9 hours = 2,153.9 minutes divided by 60 minutes per hour
4.5 days = 35.9 hours divided by 8 hours per day

Result: It takes four days to read one day’s news in theory.

The second test that I did was to actually read one day’s news. I picked the day that I returned. I dumped out all articles. I read each one, and checked into the details where appropriate. For a couple of articles that were hands-on, I duplicated the work on my computer or in my lab. I set the goal of not just reading but actually understanding and learning from each article.

Result: It takes six days to read a day’s news in actuality.

Information overload in IT and InfoSec is very real. That is the bottom line. There is more coming at us than we can possibly catch up with. In my case, each and every day, I fall a week behind.

Effective Presentation Techniques

As a company that trades on the open market, we have many rules and regulations to follow in regards to employee trading. Part of this is a yearly training session on trading compliance and the systems we provide. I sat thru this a few weeks back. It was the normal session about not accepting cash or large gifts, and not trading stocks that the company is currently researching or holding, et cetera.

At the end of the presentation, the head of the compliance team stood up. She thanked her staff for the presentation and thanked all of us for coming. Then she pulled out a newspaper. She described the company in the news and how similar it was to ours in size, focus, and culture. She then read from the paper. This company had a compliance lapse. The SEC fined the company millions of dollars, and fined the person who executed the trade over a hundred thousand. The room fell dead silent.

I thought this was a particularly effective technique to reinforce the idea that the rules we follow really do matter.

German YouTube Videos

These crack me up. Who says us Germans don’t know how to have fun?

German Sports
http://www.youtube.com/watch?v=Fzt9CGSEn8o&feature=related

German Dancing
http://www.youtube.com/watch?v=Oa13vrk_SnI&feature=related

German Women
http://www.youtube.com/watch?v=ehN0hbwr1nQ&feature=related

German Engineering
http://www.youtube.com/watch?v=cuGu5NfHseg

And, of course, VW’s “tuned by German engineers” videos:

http://www.youtube.com/watch?v=cv157ZIInUk

http://www.youtube.com/watch?v=0I0WfnhVs2s

5 ways to explain IT security non-technically

Looking to explain defense-in-depth and layered security to a non-technical audience? Here are five comparisons that drive the idea home.

1) Medieval castles

Castles are a well-used trope for explaining security. Castles have large grounds for seeing the enemy at a distance. They have moats, walls, and various battlements. Once inside, a courtyard serves as a spot to aggregate the enemy and surround them from above. These layers can be explained with comparisons to their modern digital counterparts (for example, courtyards compared to firewalled screened subnets).

2) Automobile safety

Cars and trucks are a good touch point. Modern vehicles have a number of security systems that we can compare with. The tires need the proper pressure and proper tread. Brakes need to be in good condition, too. Automated systems for tires and brakes, traction control and ABS, can be compared to automated IT security systems. Then there are crumple zones, airbags, seatbelts, and so on.

3) Stacked pyramid

A pyramid chart is ideal for showing the relationship between various security layers. Visually, it makes an easy-to-follow presentation. The typical layers, top to bottom, would include the firm’s data, data protection, end-point protection, network security, Internet/Intranet/Extranet security, compliance, policies and procedures, and finally the firm itself. The security at each layer can then be pulled out and investigated further.

4) Concentric circles

Circles within circles are another easy visual for showing the relationship between security layers. Like the stacked pyramid, this makes for an easy-to-follow presentation. For example, start with the outside world (both physical and Internet) and work the way in thru perimeter security, network security, host security, and all the way to the firm’s data.

5) Onions and ogres

If you think about circle upon circle, layer upon layer, what is the first thing that comes to mind? Onions. An onion model is much like a concentric circle model. The added benefit is that some humor can be derived by tying the talk to Shrek.

Shrek: For your information, there’s a lot more to ogres than people think.
Donkey: Example?
Shrek: Example… uh… ogres are like onions!
Donkey: They stink?
Shrek: Yes… No!
Donkey: Oh, they make you cry?
Shrek: No!
Donkey: Oh, you leave ’em out in the sun, they get all brown, start sproutin’ little white hairs…
Shrek: No! Layers. Onions have layers. Ogres have layers. Onions have layers. You get it? We both have layers.