Posted June 6th, 2007 by rybolov
Back in the day when I was PFC Smith, they taught me in school that one of the definitions of good intelligence is that it had 3 qualities:
- Timely–you get the information with enough time to act on it
- Accurate–yes, it’s not an exact science, but as accurate as you can get and still be timely
- Relevant–it answers the questions that the commanders need to make decisions
You can extend these 3 qualities really to just about any piece of information such as vulnerability reports, security metrics, audit findings, or vendor presentations.
Now an interesting piece of trivia: Inside the US Federal Government, security practitioners are charged with providing “adequate security”. I’ve listened to Hord Tipton and his travails with the Cobell v. (Kempthorne|Norton|Babbitt) case and it was interesting to me because he had to prove that his organization provided “adequate security”, so there was much talk about the definition of what that entailed.
Really what I’m looking for is a good, concise definition of “adequate security” in keeping with the values of good intelligence.
- Threat-specific–we protect against all likely types of attack
- Cost-effective–we’re not spending money just to check a box in a compliance framework
- Relevant–we support the business processes
Posted in Army, FISMA, What Works | 4 Comments »
Posted June 6th, 2007 by rybolov
Can you really kill the undead? It’s an age-old question.
Anyway, check out this game (caveat for flash games is in effect) and learn how important it is to barricade your house and pull out the big guns.
And while you’re busy shooting zombies, have a happy D-Day!
Posted in Army, Zombies | No Comments »
Posted June 5th, 2007 by rybolov
My blog server went down. Don’t know how it happened, but a brief power outage happened and the server didn’t come up. I went to it today after lunch and gave it a reboot. It came right up. I didn’t even have to boot off CD to do some LILO surgery or anything extraordinary. I have that effect on computers–they fear me for some reason and just work when I’m around. I guess it’s the fact that I’m holding their little brother for ransom that does the trick.
And just so you know, dear blog readers, you get the same level of service that you pay for. =) This server is nowhere near anything that would resemble a need for high-availability.
Posted in Odds-n-Sods, Technical | No Comments »
Posted June 4th, 2007 by rybolov
Nice posting at Emergent Chaos on Social Security Number Purges. Imagine that. I see people who collect SSNs around DC like they’re candy.
Need to get into a building, we collect your SSN, like terrorists don’t have them, and like you can’t lie about what yours is. Come to think of it, I did that for 6 months at one site and nobody caught on. =)
Posted in Odds-n-Sods, The Guerilla CISO | No Comments »
Posted June 4th, 2007 by rybolov
Zombies, compliance, and auditors all at the same time?
Alex, you know you’re trolling for a link from me.
Check out the zombie auditors faux banner ad.
Postscript: Alex added in a bigger, better zombie ad and some shirts.
Posted in Risk Management, Zombies | 3 Comments »
Posted June 4th, 2007 by rybolov
I’m an engineer at heart. I love technology and I love to build. I can’t really understand the operational mindset, which is a weakness I have to work around at times, considering I’m managing security for an operational division.
Back in November, I spent a month building $3 million worth of equipment. The reason? It was the biggest risk to my organization at the time–failure to meet a delivery deadline. As a side benefit, I know what each and every device does.
In fact, if I haven’t done anything techie in a week, I start to get antsy. I go home and rearrange my Linux partitioning scheme just to move data around.
There’s a lesson in there: Get out of the office and into the Data Center at least once a week, even if you’re a total wonk.
Common sense, right? But you would be surprised how many security people don’t get out of their cubicle and go see the technology. One of the critical failings of how we do security in DC is that because there is a shortage of people with hard skills, we send in the people with soft skills such as financial auditors, technical writers, and quality assurance. Don’t get me wrong, there is a place for these people in security as long as they adopt a security mindset, but overall your security staff need to have some sort of technical background.
Question is, how do you get your non-technical staff into the technology? Believing in practical solutions and advice, I have a couple of tactics, techniques, and procedures for you:
- Give them the responsibility to do a data center walkthrough every week
- Assign them as direct support to a smaller project
- Turn them into a mobile vulnerability scanning and reporting team
- Send them to investigate the security implications of a specialized technology like a SAN
- Give them a cubicle next to the system administrators and encourage them to socialize
Of course, none of this is really a new idea; these are basic career development activities for a junior security staff member. I guess that’s the topic for a later post. =)
Posted in Technical, The Guerilla CISO, What Works | 4 Comments »