CAG Fever… we haz it here at Guerilla-CISO.  So far the konsensus is that CAG works well as a “Best Practices” document but not really as an auditable standard.  We’re thinking that CAG will provide the rope with which our IGs and GAO will hang us.

• CIO Council Guidelines on Social Media Meet IKANHAZFIZMA
• LOLCATS Take on MS08-67
• Shmoocon: Less Moose, More LOLCATS
• Guerilla CISO Goes Back to Work
• IKANHAZFIZMA Finds Caution Tape

While I’ve been busy running all over the US and Canada, I missed a quasi-momentus date: the second anniversary of the Guerilla-CISO.  You can read the “Hello World” post if you want to see why this blog was started.

Blah Blah blah much has happened since then.  I swapped out blog platforms early on.  I started playing the didgeridoo.  I went on a zombie stint for 9 months.  I switched employers.  I added FISMA lolcats (IKANHAZFIZMA).  I started getting the one-liners out on twitter.  Most momentous is that I’ve picked up other authors.

• Ian Charters (ian99), an international man of mystery, is a retired govie with a background in attacking stuff and doing forensics.
• Joe Faraone (Vlad the Impaler), besides being a spitting imitation of George Lucas, is the guy who did one of the earliest certification and accreditations and informally laid down some of the concepts that became doctrine.
• Dan Philpott (danphilpott), Government 2.0 security pundit extraordinaire, is the genius behind Fismapedia.org and one of the sharpest guys I know.
• Mini-Me, he’s short, he’s bald, and he guest-blogs from time to time about needing a hairdryer.

So in a way, I’ve become “the pusher”–the guy who harrasses the other authors until they write something just to quiet me up for a couple of weeks.

• Digital Forensics and the case for change
• How I Became the Owner of Two Rogue WiFi APs
• Lousy Security Advice
• What’s Missing in the way the Government does Security?
• An Informal Study on the Literacy Level of Security Blogs–We All Get Pwned by Amrit

Yes, I understand what Paul Kurtz is saying in that we need a single command structure for large-scale IT security incident response before we have bureaucratic paralysis like the previous administration’s response to Hurricane Katrina, but the metaphor is way ugly–too ugly just to let it go without IKANHAZFIZMA getting involved.  =)

More serious commentary if I ever get done with the “death by work” that the last 2 weeks has been.

• LOLCATS: Defending our Cyber-Turf
• Snowmageddon Meets the IKANHAZFIZMA Lolcats
• Cyber Command Goes LOLCATS
• Incident Response and Lolcats
• IKANHAZFIZMA and Transparency

Hot on the heels of our DAA presentation, the Guerilla CISO is proud to present our lolcat Authorizing Official.

Yes, it’s all about the budget. If you do not have a budget, you do not have the ability to change things. We have a word for people who have all the authority of an Authorizing Official but none of the budget: scapegoat.

And since I’m in Toronto for an extended stay thanks to the weather, today is a 2-fer:

• IKANHAZFIZMA and Transparency
• IKANHAZFIZMA Finds Caution Tape
• Exhaustive Security Testing is Bad For You
• CIO Council Guidelines on Social Media Meet IKANHAZFIZMA
• Cyber-Ninja Lolcats Caught on Film

While our Guerilla-CISO heroes most likely will not be going to Shmoocon due to that “work thing” that always gets in the way, we will be sending a legion of LOLCATS to play.

• LOLCATS Take on MS08-67
• Lolcats Coming to you from the Cloud
• Lolcats Protect the End Users
• Guerilla CISO Goes Back to Work
• Lolcats and QR Codes

It’s a sad tale we all know too well:  our poor CISOs are tied down with red tape while the attackers have all the time in the world.  My only regret is that the hakker kitteh isn’t a siamese.  =)

• LOLCATS Take on Catalog of Controls
• Lolcats Protect the End Users
• Noms and IKANHAZFIZMA
• LOLCATS Take on MS08-67
• Lolcats, Capital Hill, and a Haiku