Feeds:
Posts
Comments

Archive for the ‘Books’ Category

No, I’m not thinking about porn or any other nasty stuff, just reflecting that like during Fall when we clean our house gutters, it’s appropriate to think about how we think and remove clogs and other impediments.

For me, that means diversifying my security readings and practices and thinking about where I might have blinders on.  This was brought home recently from someone I respect, Pete Herzog the Founder of ISECOM and the OSSTMM.  I had asked Pete via email if any of the Smarter, Safer, Better seminars would be on the West Coast (none yet); he kindly responded with information about who I could contact who might sponsor them and also gave me a backhanded compliment about passing the CISA exam, saying ‘now we’ll have to teach you the right way’ in essence.

I wasn’t offended but my curiosity was piqued.  My mind had been wrapped around earning a CISA for continued competence and professional respect; was my thinking so constrained by my learnings?  So, I’m resolved to read the OSSTMM Version 3 and work to use it.  I’d read through (read, skimmed) Version 2.2 a while back but hadn’t immersed myself.  From other authors, now I understand it as possibly a paradigm shift in how to think about security assessments, at least for me.

Another mental dustbuster for me has come from reading The Black Swan by Nassim Nicholas Taleb.  I’m not finished with the book, a testament to how well-written and insightful it is.  I find myself lingering over it and re-reading sections prior to moving on.  This is partially because ‘NNT’, as he refers to himself, is one deep thinker!  This tome takes some time to absorb and digest.  Taleb discusses extreme outliers, huge events that are completely unforeseen and that subsequently shake our foundations, institutions and psyches.  9/11 is one such event.  The salient idea is not to focus on prediction of such events but to build sufficient robustness against negative Black Swan Events and to take advantage of positive ones.

My challenge and task is to apply this modality of critical thinking to the domains of information security, along with that of the OSSTMM.

Like more physical exercise will clean the arterial plaque from your personal system, it’s important to floss your brain or defrag your mind, however you want to put it and at least recognize that you might need to.

Peace friends!

by Bill Wildprett, Suspicious Minds blog, Copyright 2010

Read Full Post »

The calendar says its Summer although here in the Pacific Northwest, we’re not sure ~ its a cool Summer, which makes it fine for reading security books in the hammock or doing laptop stuff from the deck.

So what’s cooking?  I re-encountered a tool I first learned about from Russ McRee’s Toolsmith column in the September 2008 ISSA Journal ~ Practical Threat Analysis.  I’d looked at it before, but not in enough detail so have embarked on using it for a deeper understanding.

The 2010 Verizon Data Breach Investigations Report is out and its chock-full of good statistics and commentary.  I especially like the partnership with the U.S. Secret Service and the shared incident data.  Another nice tool from Verizon Business is VerIS, the Verizon Incident Sharing Framework which presents how metrics are captured and used in preparation of the DBIR.

I took the Certified Information Systems Auditor (CISA) exam on June 12, 2010 and am patiently waiting to learn my fortune or fate!  The process stimulated a new appreciation of ISACA Auditing Standards, Procedures and Guidelines  and CobiT 4.1, prompting me to send the former to FedEx for printing and to order the latter in book form from the ISACA Bookstore.  My wife picks it up and says “Can’t you find a good novel to read?  Its Summer!”

I guess you had to be there to appreciate it…

Cheers mates!

by Bill Wildprett, Suspicious Minds blog, Copyright 2010

Read Full Post »

It’s a cool, rainy Spring here in the Pacific Northwest, a fine time to stay indoors and read instead of cleaning gutters, gardening, mowing the verdant expanse out back, etc.,

Reading and study efforts have been and are focused on preparing for the June 12th CISA exam first and foremost.

Following that, here’s what’s top-of-mind for me:

OSSTMM 3 updates

Security Tools Screencast Demos from SearchSecurity.com

Never Eat Alone – Keith Ferrazzi: Building personal networks isn’t about how many connections you have in LinkedIn, it’s about maintaining and growing relationships in meaningful ways.

As the old saw goes, ‘All Work and No Play…’ so breaks in the ‘Blue Room‘ are taken with Daisy:

One Happy Golden!

Read Full Post »

It’s a great time to be a security professional, always so much to keep learning and to do!  I’ve been working on personal and professional growth, looking for ways to define myself as a consultant and differentiate myself from the ‘Big Guys’.

I’m all about providing excellent customer service and really becoming a partner with my clients.  Part of the process is identifying who your target market(s) are and what they really need.  To this end, my friend and career mentor Mike Murray turned me on to an outstanding book ~ ‘Book Yourself Solid’ by Michael Port.  I haven’t finished reading all of it yet because it is a process-oriented work, with lots of exercises and a workbook.  I simply cannot say enough about how helpful this book (and the companion website) is; it’s all about what it truly means to be a service professional and strategies for romancing your potential clients into ongoing fruitful relationships.

It all just resonates so much with me ~ do what you said you’d do, listen first, ask lots of questions, act with integrity and purpose, provide stellar service, be helpful without any expectations.  Whether you’re in business for yourself, or an employee, the principles and guidance are the same.

Read this book!

Other than that, I’m studying CISA materials for the exam next June and am re-reading NIST SP-800-53 and SP-800-53A.

Be well people!

Bill

Read Full Post »

Ah Summer!

I recall the halcyon days of Summers past, when my teachers assigned reading lists, with the hope of broadening my mind and preventing recursive learning.  They needn’t have worried about me; I’m a compulsive book-a-holic and used to stalk the Bookmobile more frequently than the ice-cream truck…

This summer, besides the daily security reading via online newsletters, magazines, and blogs, I’ve added the following books:

I’ve finished the first and am marching through the second, saving the heavy-lifting tome for last.

I like the approach and arguments put forth by Adam Shostack and Andrew Stewart; we need a New School of thinking about information security, moving away from the FUD promulgated by many vendors and security practioners, and focused instead on objective measurement via empirical means and on multi-disciplinary thinking, particularly from the perspectives of economics, psychology, and sociology.

Following on that line of thought, I’m enjoying Andrew Jaquith’s book.  My academic training was in economic geography, statistics, and resource management, so I’ve been deeply immersed in data modeling and measurement before.  I’ve also done a fair amount of evaluation work, mostly post hoc.

I completely agree that we need better ways to measure information security risks; how to quantify and qualify them and how to present them cogently to our funding sources, i.e., management.

As Bruce Schneier said, “Security is not a product, it’s a process.” So too, is the collection, refinement and presentation of our empirical data to management.  You’ve got to have the ground truth if you want to make better decisions.

The last book is interesting to me, in light of the so-called North Korean ‘cyberwar’, the previous electronic adventures in the Republic of Georgia and Estonia, and the essential reality that the Internet and software is our primary infrastructure now, after concrete.  After I wade through this impressive work, it will take it’s place next to Sun Tzu and Carl von Clausewitz.

As the current Administration in Washington D.C. keeps shedding cybersecurity personnel the way our bodies slough-off skin, my hope is that the President might read this book and really put some impetus into finding and retaining a cybersecurity ‘czar’ who reports directly to the President, with sufficient funding, authority, and autonomy to make a difference!

Keep On Keepin’ On Folks…



Read Full Post »

One of the main reasons I love information security is that there’s always something new to learn, or re-learn.  I got started around 2001 when, working as a systems manager with a db full of SSNs, realized I needed to know more about breaking into my systems if I was going to defend them.  This led to some serious SANS Institute training, earning my CISSP cert, and having a great time swimming in a sea of knowledge!

So what do I do to keep up?  I read and re-read the monthly ISSA journals,  Secure Computing magazine, Information Security magazine, and the ISC2.org Journal of Information Security.  I joined ISACA earlier this year, so am adding their publications to my nightstand.  There are various and sundry email subscriptions like SearchSecurity, TechTarget, and Shadowserver.  The Association for Computing Machinery journal arrives quarterly.

As part of my ongoing gap-analysis and searching for a new safe harbor, I work on learning more about my profession and focus on certain elements in it.  Among them:

Books I’ve been reading:

The first book is by Fyodor himself, so I had to give it a read and use it as a desktop reference.  The second is by Ed Skoudis & Tom Liston; I’d read it a few years ago, but turn to it for refreshers.

Then there are blogs!  Some of my favorites are:

I think if I don’t make time to keep reading and doing, I’ll fall behind – our industry is still young and growing fast as the threat horizons expand.  It’s hard to keep up, but I’m tryin’…

Peace y’all.

Read Full Post »