Posted August 5th, 2010 by rybolov
With a shout-out to Chris Paget who generated some of the biggest buzz at Defcon with his GSM hacks.
Posted in Hack the Planet, IKANHAZFIZMA | 1 Comment »
Tags: infosec • lolcats • security
Posted August 4th, 2010 by rybolov
Now I’ve been reasonably impressed with GovInfoSecurity.com and Eric Chabrow’s articles but this one supporting 20 CSC doesn’t make sense to me. On one hand, you don’t have to treat your auditor’s word as gospel but on the other hand if we feed them what to say then suddenly it has merit?
Or is it just that all the security management frameworks suck and auditors remind us of that on a daily basis? =)
However, it seems that there are 3 ways that people approach frameworks:
- From the Top–starting at the organization mission and working down the stack through policy, procedures, and then technology. This is the approach taken by holistic frameworks like the NIST Risk Management Framework and ISO 27001/27002. I think that if we start solely from this angle, then we end up with a massive case of analysis paralysis and policy created in a vacuum that is about as effective as it might sound.
- From the Bottom–starting with technology, then building procedures and policy where you need to. This is the approach of the 20 Critical Security Controls. When we start with this, we go all crazy buying bling and in 6 months it all implodes because it’s just not sustainable–you have no way to justify additional money or staff to operate the gear.
- And Then There’s Reality–what I really need is both approaches at the same time and I need it done a year ago. *sigh*
Posted in FISMA, Rants | 3 Comments »
Tags: 20csc • auditor • catalogofcontrols • fisma • government • infosec • management • security
Posted August 4th, 2010 by rybolov
…and I’m excited. I’ll be talking on “Meta-Metrics: Building a Scorecard for the Evaluation of Security Management and Control Frameworks”, which is an idea I’ve been mulling over on how to “build a better rat race”, or at least to consciously build security management frameworks in a coherent manner. Obviously I’ll put up slides afterwards.
Agenda is here, I think there is still time to sign up and come as long as you’re not going to be a wallflower. =)
Posted in Uncategorized | 1 Comment »
Tags: government • infosec • infosharing • management • metrics • security • speaking