When you sit down and think about it, I have a really neat user community.  Since we’re an IT services company, all of the users on my back-end infrastructure are IT architects, engineers, or operations.  That means that they are all system administrators in one way or another.  My challenge is to keep track of all these sneaky people, which is different from the usual unskilled user community, where it’s a case of “you clicked on what link and now none of your applications work?”.

We used to have this very talented network administrator working in the NOC.  Not only did he know networks, but he was CISO-savvy.  When he wanted to change something on our core switches, we played a little game that went something like this:

Me: So what VLANs are you going to change?

J: I’m going to connect switch A to switch B and trunk over VLAN 25.

Me: So what is that VLAN used for?

J: It’s a NOC server VLAN.

Me: And what else is connected to switch B?

J: Some other switches.

Me: And what is connected to those switches?

J: Stuff.

Me:  And what would “stuff” entail?

J: Some routers.

Me: And what do those routers connect?

And we would go on like this for a couple of minutes until I felt comfortable with most what was going on.  The funny thing was that most of the time he was up-front with what he was doing, because he didn’t want to do anything bad, either.  It’s when he started to get non-detailed that I knew something was up.
Now the fun part of this is that I have 200 people like this to contend with.  It sounds worse to say it than it actually is, but it’s one of the threats that I live with.

• Omigod, I’m Part of a Botnet?!?!?!
• My Favorite Conspiracy Theory
• CISO Trick: Know the Hiding Places
• A Step Inside the Guerilla CISO’s Mind
• Lions, Tigers, and VLANs Oh MY!

8 Bit Peoples:  comfort music for geeks who grew up in the 80’s.  It’s simple and Street-Fighter-sounding, yet oddly addicting.  And oh yeah, creative commons licensing.  It makes me want to download the entire set and use that as music to work by.

When I’m elected Dictator of the World, one of my first acts will be to commission a global anthem from one of the 8 Bit Peoples. =)

• Blame it all on John Hughes….
• Hello World
• Making Press Releases
• Radio Nigel
• Famous Quotes: George H

Me: So why is it that every single security problem I’ve had in the past 6 months has come down to personnel management?  Either they’re not trained well enough or we don’t have enough or they’re staffed in the wrong job.

Steve: I think it’s because security is more about the people than it is the technology.

That Steve, he’s pretty smart sometimes….

• Core Belief #1 — Security is not Different
• Backhanded Compliments
• Super Secret Security Control You Were Never Meant To See
• Workin’ for the ‘Counters: an Analysis of my Love-Hate Relationship with the CPAs
• Cult Crossovers Into Information Security

JD Meier wrote today about not saving the worst parts until last, and it reminded me of Meals Ready to Eat (MREs).  I should probably lay claim to being the Northern Virginia Master of Obscurisms right now while I have your attention, but let me elaborate for a minute.

A case of MREs is 12 individual meals.  That means that one person can, by the book, live off one case of MREs for 4 days assuming that they eat 3 times/day.  That’s a little excessive, since most people can only eat 2/day because of time constraints.

Inside a case of MREs, there are 12 individual meals.  Some are decent, like spaghetti or tuna with noodles.  Some are not, like omelette with ham or corned beef hash.  Keep this in mind, we’ll be using this little kernel of knowledge later.

So imagine this:  You’re out in the woods for 2 weeks with just your 5-member team and your MREs.  Let’s do the math on what you’re eating:

5 people x 14 days x 2 meals per day = 140 individual MREs or roughly 12 cases.

Now inside each case of MREs there are 2 foul-tasting MREs (omelette and CBH), which means 24 of them total.  If the muldoons eat their favorite MREs first and work down the cases in order of most favorite to least favorite, then the last 3 days we are eating nothing but omelette and corned beef hash, and after being in the woods for 2 weeks, I just can’t bear it anymore.

Bad news does not get better with age.  Neither does the MRE selection!

Moral of this story:  Take the MRE that I throw at you and don’t read what the label says, it’s the luck of the draw.

Secondary moral of this story:  You can’t store up badness and expect to tackle it later.  You have to take it as it comes.

Tertiary moral of this story:  Don’t join the army or work in IT. =)

• Bad Security People
• Cult Crossovers Into Information Security
• When the News Breaks, We Fix it…
• Core Belief #3 — Learn Something from the Cavalry
• MOUT and Risk Management

Our government hasn’t had a ton of time to get their act together.  It’s only been 225 years, give or take, and in that time, we might have learned a thing or two.

So why is it that it took us this long before we could get one agency to recognize the clearances from another agency?  Even though OMB keeps trying to unify the clearance management systems, as a managed service provider I still have to convince every new client that I’m trustworthy because I have a DoD Top Secret.
So what’s the benefit?  Well, from my angle, one unified clearance system means economy of scale simply by avoiding a “Not Invented Here” attitude.  If I have 5 clients, 100 employees, and $5000 per person for a clearance, the savings add up really quickly if I just have to clear people once.

Now the strange thing is that by agencies having their own individual clearance system, we are creating an artificial scarcity of cleared people.  For somebody with a TS/SCI, starting salary in the DC area is around $80K/year, simply because of lack of supply.  That’s an indirect cost that we could avoid.

• Tangling with the Clearance Monsters
• Lines of Business, Relationships, and Trustability
• Feds to Embrace SaaS, End is Nigh for Security!
• Compensating Controls
• The Guerilla’s Guide to Piggybacking

This is an exceptionally well-written piece at CSOOnline.  I still reread it from time to time.

For the record, I’m a geek at heart but a soldier and cop functionally and a mandarin and banker only when I’m forced to. =)

• Core Beliefs Series
• More Tollroad Follies
• A Story About Potatoeseses
• I’m Addicted to the Hans Reiser Trial
• Blame it all on John Hughes….