An examination of how all things tie into security. A tech blog in non-technical terms. The Earth is Nasty, Curved, and sexy, like my blog.
Monday, July 28, 2014
An impressive merger. Solves a lot of the open market options
http://mobile.reuters.com/article/idUSKBN0FU23320140725?irpc=932
Friday, June 27, 2014
Risk Management Framework: What lies beneath, and oh, what's this behind your ear? It's your manager's hat!
Yesterday was an important and humbling day. Sometimes you have a job interview and feel really lucky and blessed for the great opportunity that is about to fall in your lap. Whether by previous experience or self-assured expertise, you go in with the expectation that things are going to go so smoothly that the people you meet will be seeing a lot of you in the future: in meetings, lunches, maybe even golf outings.
The IT field is different. I would like to say it's like an iceberg, but global warming has threatened that particular analogy of a constantly dripping source of cold hard data and worldwide implications.
It is not enough to know networking concepts because you've dabbled in it in your bedroom for decades. They want you to know what protocols are currently being used, and they want it deployed their way. More to the point, even if you climbed the holy mountain CISSP, they want you to understand, from a MANAGER's perspective, the Risk Management Framework. You can be the best student in the world, a dedicated worker bee, a drone, a fry cook. To be a manager in an IA effort, you are in effect playing manager with a CISO who knows their system best and, though many of them are completely even-keeled people who understand the necessity of the process and will do their best to speed things along, you never know when an ego might get tweaked.
The right person for the job in providing Information Assurance has to have a balance of deferential leadership between him/herself and the client, and an understanding of how to manage and map all the data and documentation coming in.
Here it is folks, straight from OWASP. Dig right in and think like a manager. I wish there was a way to practice this, if you think of one let me know, or hope you are able to stick with a company that will gradually carry you through the process. Perhaps the attitude of thinking like a manager and understanding the RMF above all else is the only thing that will keep you above the stacks and stacks of policies and help you connect the dots all the way home.
If you think that's dated, I'll do you one better (heck, this is only for me anyway), directly from NIST.
Monday, June 2, 2014
Certs renewed!!
I'm just happy the 100-something hours I spent on the job on training courses the last couple of years have been duly credited by CompTIA toward renewing my A+ and Security+ ce certifications. Just thought I'd share that with y'all.
Wednesday, May 28, 2014
Syrian Electronic Army: A threat is a threat, even if it's only a demo
The SEA seems to be monitoring the RSA Conference and within minutes, hacked the home page. Read how on Krebs on Security:
Thursday, May 22, 2014
China Government bans use of Windows 8
It seems to be a move of pure defiance and a commitment to security holes, if this is true. Windows XP, as you may have heard, has reached its EOS (End of Support) date. Yet many users here and abroad continue to use it; many systems either cannot handle the upgrade or are not networked frequently enough, but they still endure the bugs.
Days after the Justice Department issued its accusation of China's cybercrime activities, China responds with a foolhardy declaration to ban use of the Windows 8 OS and continue using unlicensed versions of Windows XP.
One could surmise the typical modus operandi, that China would simply bootleg Windows 8 at every opportunity, and that is still very likely. They may also simply state it is an issue of preference, which is typical in every new OS rollout. The rhetoric remains belligerent between the two superpowers over the domain of intellectual property and cyber spying.
Tuesday, May 20, 2014
Justice Department, U.S. declare the obvious.
It certainly took some consideration and a long hard look at evidence in a report that sat for a year, but the Justice Department formally issued charges against China for cyber-spying. Secondarily, information stolen was used as a means to copyright infringement and the flow of illegal and cheap goods into the U.S.
Over a year ago, Northern Virginia cybersecurity group Mandiant released their report with a sense of personal outrage. Stating that the actions of this particular group from the People's Liberation Army, operating out of an innocuous-looking building in Shanghai, were directly responsible, it challenged the U.S. Government to act upon this Advanced Persistent Threat (APT).
In addition to the report, Mandiant is releasing more than 3,000 APT1 indicators to expose and degrade APT1’s infrastructure and allow organizations to bolster their defenses against APT1’s arsenal of digital weapons. The indicators released in conjunction with the report include domain names, MD5 hashes of malware and X.509 encryption certificates.
Here are the domain names, IP addresses, all routed to this location. After gaining consensus throughout the Information Security Community, it looks like the White House is finally ready to act, and through Attorney General Eric Holder, our salvo has been launched that this shall not stand.
The net reaction has been swift denial on China's part. The threat landscape will continue to be speckled with malware and perhaps bolder attacks on enterprise infrastructure. A simple spearphishing campaign can create a backdoor into a company if not safeguarded.
After the DOJ’s announcement, China immediately pulled out of a bilateral cyber working group and lodged a formal protest urging the U.S. to withdraw the charges.
A more aggressive response could be on the way, experts say, perhaps in the form of new cyberattacks.
“I think we’re going to see retaliation from the patriotic hackers in China,” said Richard Bejtlich, a security strategist with the cybersecurity company FireEye and nonresident senior fellow at the Brookings Institution.
Best advice is to stay vigilant, utilize an active security program comprising antivirus and anti-malware, drop in some security awareness training, and read the news. Ultimately it is a war over commerce. China does not want to engage in a holy war for territory; they have enough of that. It is about economics and being #1 in world trade. The more you pay them for cheap goods, the more you undermine the United States.
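The Mandiant release mentioned above came as domain names, MD5 hashes and X.509 certificate data, and the practical question for a defender is how to sweep that kind of feed against your own proxy logs, files and certificates. The script below is an added example, not code from this blog or from Mandiant's report; every domain, hash and certificate byte string in it is constructed for the demonstration (none are real APT1 indicators), and the proxy log format is an assumed one-line-per-request layout.

```python
"""Sweep a published indicator feed against local telemetry (added example).

All indicators and log lines here are constructed placeholders, not the
indicators from the Mandiant APT1 release.
"""
import hashlib
import re
from typing import Dict, List, Optional, Set, Tuple

# --- Constructed sample data (placeholders, not real indicators) ------------
SAMPLE_MALWARE = b"constructed sample payload, not a real malware file"
SAMPLE_CERT_DER = b"constructed DER bytes standing in for an X.509 certificate"

# The feed carries the three indicator shapes the release describes:
# domains, MD5 hashes of malware, and SHA-1 fingerprints of certificates.
IOC_FEED: Dict[str, Set[str]] = {
    "domains": {"example-bad-cdn.test", "update-check.invalid"},
    "md5": {hashlib.md5(SAMPLE_MALWARE).hexdigest()},
    "cert_sha1": {hashlib.sha1(SAMPLE_CERT_DER).hexdigest()},
}

# Assumed proxy log layout: timestamp client method target status
PROXY_LOG = """\
2014-05-20T10:01:02Z 10.0.0.5 GET http://www.example.com/index.html 200
2014-05-20T10:01:09Z 10.0.0.7 GET http://cdn.example-bad-cdn.test/update.bin 200
2014-05-20T10:02:15Z 10.0.0.9 CONNECT update-check.invalid:443 200
2014-05-20T10:03:40Z 10.0.0.5 GET http://notupdate-check.invalid/ 200
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
HOST_RE = re.compile(r"^(?:[a-z]+://)?([^/:]+)")


def normalize_host(target: str) -> str:
    """Pull the bare hostname out of a URL or host:port target, lower-cased."""
    m = HOST_RE.match(target.lower())
    return m.group(1) if m else ""


def matched_domain(host: str, domains: Set[str]) -> Optional[str]:
    """Return the feed domain that host equals or is a subdomain of, else None.

    The match requires a label boundary, so 'notupdate-check.invalid' does
    not match the indicator 'update-check.invalid'.
    """
    host = host.lower().rstrip(".")
    for d in domains:
        if host == d or host.endswith("." + d):
            return d
    return None


def scan_proxy_log(log_text: str, domains: Set[str]) -> List[Tuple[str, str, str, str]]:
    """Return (timestamp, client, host, matched_domain) for each hit."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the sweep
        ts, src, _method, target, _status = m.groups()
        host = normalize_host(target)
        d = matched_domain(host, domains)
        if d:
            hits.append((ts, src, host, d))
    return hits


def hash_hits(files: Dict[str, bytes], md5_set: Set[str]) -> List[str]:
    """Paths whose MD5 appears in the feed."""
    return sorted(path for path, data in files.items()
                  if hashlib.md5(data).hexdigest() in md5_set)


def cert_hits(certs: Dict[str, bytes], sha1_set: Set[str]) -> List[str]:
    """Names of DER-encoded certificates whose SHA-1 fingerprint is in the feed."""
    return sorted(name for name, der in certs.items()
                  if hashlib.sha1(der).hexdigest() in sha1_set)


if __name__ == "__main__":
    for hit in scan_proxy_log(PROXY_LOG, IOC_FEED["domains"]):
        print("proxy hit:", hit)
    print("file hits:", hash_hits({"a.exe": SAMPLE_MALWARE, "b.exe": b"benign"}, IOC_FEED["md5"]))
    print("cert hits:", cert_hits({"c2": SAMPLE_CERT_DER, "ok": b"other"}, IOC_FEED["cert_sha1"]))
```

The subdomain check is the part worth copying: a feed domain should also catch hosts beneath it, but a plain substring match would flag unrelated names that merely end in the same characters, which is why the fourth constructed log line stays clean.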
Thursday, May 15, 2014
Final Notes from #FOSE
I do love these recycled Post-it pads. Anyway, I picked up where VA left off, leading the way with their mobile initiative distributing iPads loaded with 11 pilot apps designed for patient-generated data and prescription refills. This bridges the gap in areas where doctors are overbooked or unavailable. These are developed using HTML 5, which will run on all devices. Development programs such as this may be picked up by other agencies to increase mobile workforce productivity.
The final lecture was an important one. DHS representative Benjamin Scribner talked about the National Cybersecurity Workforce Framework. Security is an important aspect for all those involved in government IT work. This framework outlines job descriptions and where Cybersecurity lies in that particular role.
Bridging the gap and furthering this are the efforts of the 2010 White House initiative NICE (National Initiative for Cybersecurity Education) and the NICCS portal. Tons of free, publicly available resources for good practices.
Meanwhile, after I wrote this entry and watched an episode of Curb Your Enthusiasm with my proper shoes resting on an ottoman, this slob in short pants is spread eagled across from me with one foot up on the silver table diddling his device. How very attractive.
#socialassassin. #outrage. #damntourists.
Wednesday, May 14, 2014
Shameless plugs
#FOSE and #GOVSEC are the events that inspire me to improve and learn more about the IT Security world and the threat landscape.
As I rest my feet, I will quickly acknowledge the fine presentation by Stephen Cobb of eset.com security solutions for the quick analysis of the recent breaches and enterprise solutions he described.
Also, a self reminder and suggestion to keep up my research efforts with Www.niccs.us-cert.gov. No excuse for being bored with all this cyber training at your disposal. Get on it!
As I took this picture, one of the speakers compared a Federal project to a self-licking ice cream cone. If that's not a nasty curve, then I missed the point entirely. Rewind!
Tuesday, May 13, 2014
Living among giants
Living a mere block away from a big office building with a DELL logo up top has got to be encouraging to an IT worker, right? Despite the heavy traffic that rolls through my neighborhood, I'd venture not much of it is coming from Dell. Given the heavy reduction of hardware units sold and the rise of virtualization, Dell is a company that is in the process of a massive retooling. The building has also been rebranded and many suites, I'm sure, are available.
Security has its relevance in the area of technology sales, and Dell, for its part, may not have dropped the ball in that regard. Their SecureWorks service shows a dedication to where security is headed: continuous monitoring, information assurance and cyber threat analysis.
To that end, Symantec, a company revered in security for their Anti-Virus products, is acknowledging the state of the (nasty) curve and moving more into continuous monitoring as well.
Sunday, May 11, 2014
Secure your rarest of condiments
My wife and I have been looking for our favorite brand of mustard for some time. Cleveland's own Stadium Mustard is a delightful brown for your hot dogs, pastrami sandwiches, etc., and we found it at Big Lots. Well worth the search.
Let's not forget, the A of the CIA security triad stands for availability. In a post-apocalyptic world there are some things you don't want to live without.
Saturday, May 10, 2014
Welcome!
Hi, I'm Gary and welcome to my new blog: The Nasty Curve.
My somewhat indirect focus on this blog is on security topics related to information systems and technology. However, even though this pertains to my chosen profession (barely 5 years...I'm hardly geek enough to profess any expertise), this is my launch point for the choices we make in society.
Decisions: Things we do to perform a function. Do we spend more time and money to get the job done, or do we try to save a few bucks along the way?
Options: Do we trust a vendor that has been vetted by your Enterprise, or do you start shopping around, maybe check out an Expo, grab some swag and get carried away by an excitable representative with an enticing accent espousing the great advances of his tech firm?
Simple enough, right? Maybe, maybe not. I'm going to talk about music, movies, sports, wrestling, politics, songwriting as well as techie stuff because those are the things I am also passionate about.
Passion: that's another thing altogether. Computers were not my passion growing up. I have only been lucky enough to make it my career for the last few years. This blog is contributing to my CE credits to maintain my IT certifications, but it is mainly to serve as a testament to WHAT I DO. If you looked at my resume, say if you were a non-technical person, you'd have no idea. I've had different roles, and I don't necessarily specialize in any. I bring an artist's point of view to the decision-making process of addressing security issues for The Enterprise. Not the Star Trek ship. You know what I mean.
Dig it yet? I'll have some more interesting stuff to come, and hopefully it will be worth jumping over from Facebook to dig through, 'cause I'll be linking all right. You betcha.
Now, this 45 year old ex-New Yorker must help his wife deal with some stuff and junk and crap and sh#t so our dinner guests will be entertained.
G