Wednesday, April 12, 2017

Agile - My Journey: Sprint Zero (learn it on the fly)

So, in my daily work I have been architecting security solutions for years.  Now ... abstractly speaking, architecture is a defined activity.  We have customized it often over the years to suit different development theories...depending on how your company does things.  My company has been embracing Agile for a couple of years now, and based on several other project successes is pushing it throughout the organization.

Here is the first lesson I have learned ... you will never have time to learn every aspect of the process in time to start your work.

I think this is typical for anyone in IT.  You are always being introduced on the fly to new technologies, processes and tools to enable you to do your job.

That said, the internet is an abundant resource for finding base information on new development methodologies...and it can give you some very basic information.  The thing about Agile is the terminology.  These are all new words to me: squads, tribes, guilds, sprints, story points, backlog, etc.

Now, as much as you can learn through reading, my first realization is that the critical challenge is not the tooling, structure and process alone.  It's a way of thinking.  More and more I keep catching myself thinking about a code release the traditional way: a full code release, then going back to each individual environment to update the full code.  Agile demands that you think iteratively...try, try, try, try, over quick time periods, and eventually you will get to a successful release.  This allows you to take an iterative approach in smaller chunks to show progress; it also allows you to quickly learn and improve something without taking months to get there.  The critical piece here is to work in manageably sized chunks.  This way you can fail at small things quickly and recover quickly to get it right.

This brings another interesting approach to things.... DEV/OPS.  Now, Dev/Ops is different from Agile; however, it is often used in conjunction with it, as they are complementary activities.  I will explore this in later posts.

A first glimpse:

ME: don't we have to come back to datacenter ABC in Month 3 because all the dev code will just be closing then?
ME: grrrrrrr... never mind.  Next time just say "it's DEV/OPS dumb@$$"
HIM: it's DEV/OPS dumb@$$
ME: eventually I will get my head around this :)

Tuesday, October 25, 2016

A simple man's RISK VIEW

In the run-up to the 2016 General Election, one of the most popular topics is email and cybersecurity.  Setting aside the individual positions of the candidates, what we are learning is how NOT to perform good security.  Meaning that the effect of a "disclosed" email in this construct is BAD for a politician.  Too many folks keep saying "private communications".  Things done in computer systems should never be viewed as private.

However... most folks are overlooking a primary activity here: classifying your systems according to their risk.

One of the primary baseline functions associated with good cybersecurity is understanding the risks associated with your asset.  In this context the asset is the EMAIL SYSTEM.

Systems should be classified as to their importance in your operations.  If email and the content of the email are critical to your operations ... you should know that, and thus protect them that way.  It's not too different from how you treat your place of residence.

You do not lock the door to your apartment to keep the people in ... but to keep people out.  The lock is there to protect something: papers, money, electronics, etc.  The lock you buy should be deployed relative to the VALUE of the thing you're protecting.

Likewise, you may have other functions that secondarily protect those assets, such as an alarm system, renter's insurance, etc.  These are countermeasures, and the choice of countermeasure is affected by things like cost, complexity, and the true VALUE of your asset.

This paradigm is no different in the business world.  You identify what's important, you assign it a value, you understand your threats, you design your countermeasures (understanding that the countermeasures have a cost), and you accept any remaining risk.

Doing the math on an activity like this is of PRIMARY IMPORTANCE to good security, as it lays out your risk appetite.  Try this one yourselves, folks.  You will be amazed by the results.
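The value, threat, countermeasure and remaining-risk arithmetic described above, as an added worked example that is not part of the original post. It assumes the standard annualized loss expectancy model (asset value times exposure factor times yearly incident rate) and uses constructed figures for the email-system asset; none of the numbers or control names come from the post.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Asset:
    name: str
    value: float            # what the asset is worth to your operation
    exposure_factor: float  # fraction of value lost in one incident (0..1)
    annual_rate: float      # expected incidents per year with no controls

@dataclass(frozen=True)
class Countermeasure:
    name: str
    annual_cost: float
    rate_reduction: float      # fraction of the incident rate it removes (0..1)
    exposure_reduction: float  # fraction of the per-incident loss it removes (0..1)

def ale(asset, measures=()):
    """Annualized loss expectancy after the countermeasures scale rate and exposure down."""
    rate, exposure = asset.annual_rate, asset.exposure_factor
    for m in measures:
        rate *= 1.0 - m.rate_reduction
        exposure *= 1.0 - m.exposure_reduction
    return asset.value * exposure * rate

def cheapest_acceptable(asset, candidates, risk_appetite):
    """Cheapest subset whose residual ALE fits the appetite and whose cost does not
    exceed the risk it removes: (measures, annual_cost, residual_ale) or None."""
    inherent = ale(asset)
    best = None
    for k in range(len(candidates) + 1):
        for subset in combinations(candidates, k):
            residual = ale(asset, subset)
            cost = sum(m.annual_cost for m in subset)
            if residual <= risk_appetite and cost <= inherent - residual:
                if best is None or cost < best[1]:
                    best = (subset, cost, residual)
    return best

# Constructed figures for the post's example asset, the email system.
EMAIL = Asset("email system", value=1_000_000, exposure_factor=0.5, annual_rate=0.2)
CONTROLS = (
    Countermeasure("MFA on mailbox access", 20_000, 0.6, 0.0),
    Countermeasure("mailbox encryption and retention limits", 30_000, 0.0, 0.5),
    Countermeasure("cyber insurance", 40_000, 0.0, 0.4),
)
# ale(EMAIL) -> 100_000; cheapest_acceptable(EMAIL, CONTROLS, 25_000) picks MFA plus
# encryption (cost 50_000, residual 20_000); all three would cost more than they remove.
```

Lowering the appetite to 5,000 returns None, which is the signal that no affordable control set fits and the appetite itself, or the asset's exposure, has to change.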

Tuesday, October 18, 2016

Clinton Emails and the Saga of "Mishandling Classified Information" - Opinion

MPD Opinion Piece

It should be made clear that there are many interpretations of the relevant US Code; most have determined that "INTENT" is a key aspect of the code, as made VERY CLEAR in section (a): "Whoever knowingly and willfully communicates, furnishes, transmits, or otherwise makes available to an unauthorized person, or publishes, or uses in any manner prejudicial to the safety or interest of the United States or for the benefit of any foreign government to the detriment of the United States any classified information—"
As an Information Security Professional, over the last few months I have been privately asked my opinion on this issue by many colleagues and clients, and I have shared it privately, as I would for anyone who asks. Based on several requests, I have decided to publicly disclose my OPINION.
Firstly, I am NOT a lawyer, nor can I fake it. Secondly, this is MY opinion, not a statement of facts, based on my professional experience as an Information Security, Compliance and Regulatory professional with more than 20 years in this field.
Now, my opinion. Based on the evidence I have seen and heard cited by the FBI Director, there is no evidence that Hillary Clinton broke any law in her use of a private email server to conduct the business of her government position. There is also no clear evidence that, at the time of the violations, the information in her email system had been "designated" classified, although after-the-fact reviews can clearly indicate that some content SHOULD have been.
Her use of a private email server to conduct these operations, and the security of said server, was inappropriate, and very likely inadequate in support of her sensitive position in the government. That, however, is not a crime, and does not amount to WILLFUL intent.
Just as any CEO, CIO or executive would expect to hire sufficient technical expertise to operate critical systems, Hillary Clinton likely hired what she thought would be an adequate administrative staff. We cannot expect that she took a hands-on approach to managing this infrastructure; rather, she would have appointed a competent manager to oversee it. This clearly DID NOT happen. Now, depending on one's political alignment, this could be skewed to reflect willful disregard, but it IS NOT, and clearly the FBI Director understands that any positioning that it was would NOT stand up in court, as a similar position has not held up in the corporate domain regarding hackers.
There have been many comparisons floated by pundits, social media and others linking this to the General Petraeus conviction. I call this a false narrative, as it is CLEAR from the evidence in the Petraeus conviction that he WILLFULLY disclosed "designated" classified material to an "unauthorized person".
So that is my professional opinion. Feel free to disagree, but only after reading it in its entirety, and PLEASE, PLEASE... be civil to each other.
mp.

Information Security Professional Maturity - Unable to Enable

I have spent almost 25 years in various roles in the Information Security profession, and over that time I have noted that, as the years go by, a maturity develops in InfoSec professionals.
In my early years, I was given a nickname in my office: "the Security Czar".

Now, early on, I took great pride in this nickname; it must have meant that I was all-knowing.  I was always right.  I was brilliant.  As I learned years later, the nickname came primarily because I was authoritative in my ability to say NO to pretty much any request, which I could justify with my limited set of argument tools: FUD.  Those of you who are InfoSec professionals understand FUD: Fear, Uncertainty, and Doubt.

Looking back, FUD has a place.  However, it is typically used by younger InfoSec professionals who do not have the breadth of experience to justify their positions or to educate their consumers.

As the years went on, I learned through good managers to do my homework and identify true risks.  This did not necessarily change my Czar focus, however; I just got a bit better at having good, defined reasons for saying no.  It was in my job as the only security professional at the HQ of a small IT consulting firm that things changed for me.  This was the first time I had ever been hired into a security job where the company expected me to be the all-knowing, thoughtful security guy.  I had a dual role at the time.  I was the de facto CSO and, more importantly, about every 3 months I was transferred to the CFO and became the IT Auditor.  Now, as I would learn shortly, this is a relatively large conflict of interest, but that is irrelevant to the story.  Over this relatively short period I learned an incredibly valuable lesson from the finance team: everything is about enabling the business under appropriate risk.

This fundamental change of view, from unable to enable, happened almost instantly when I was acting as the IT Auditor.  I had never done "audit".  So I read books and blogs, thought about the job from the perspective of the consumer of the audit, and most importantly asked, "If I were an executive, what would I want to know?"

Since that time, I have moved on as a Security Consultant, Architect, Program Manager, Strategist, and Business Unit Leader.  This journey led me to the inevitable InfoSec professional reality: tell the truth, to ENABLE your clients, partners, and executives to perform their mission with a real understanding of their RISKS.  Try to understand, quantify, and demonstrate risk reduction with FACTS.

I see in young InfoSec professionals the same early Czar tendencies I had.  I teach them to base their ideas, recommendations, and guidance on risk, clearly laid out through fact-driven conversations, to gauge their customer's RISK APPETITE, and to ENABLE their success.  Years of experience will get these young professionals to this point.  Be the voice of reflection reverberating in their heads.  That's how you get from Unable to Enable.

New Blogger

New to Blogging here.  I have been writing my thoughts on Facebook for several years.  I wanted to create a new public forum for my professional thoughts on topics of interest.