Security Catalyst Community Roundup – May 6th, 2008

May 6, 2008

What is the Security Catalyst Community?

The Security Catalyst Community is a forum where individuals who are interested in or work in the Information Security field can come together and leverage each other's strengths and experiences. There are several things that make this forum so great:

  • Everybody uses their real name. That may seem like something odd to bring up, but in my opinion, knowing who you are talking to is part of what it means to be in a community.
  • Very high signal-to-noise ratio. I would go so far as to say there is no noise on the forums.
  • Very knowledgeable people. When you post something, you are guaranteed to get responses from individuals who have a significant amount of knowledge and experience and are very willing to share it with you.

Where is it?

It is right here! One note: in order to read the forums you will need to register first. So go do that now and come back when you are done.

What kinds of things get talked about?

Instead of talking about topic areas and what different aspects of Information Security are discussed, let’s take a look at a few recent posts:

Don Weber posted a question about how to measure whether a security team is overburdened or not. A great discussion followed with helpful tips on how to gather metrics that can be used to answer the question.

Allen Baranov is in the unenviable position of inheriting a couple of IPS devices and was looking for some guidance on best practices for managing rule sets. Again, several folks stepped up and shared their experiences, which provided a good base to start from.

Jay Benson was looking for a diagram of how WPA2 actually works for a presentation he is giving, and the theme of folks helping out continues as a couple of folks pointed him to some resources that might be of help.

Fred Donovan posted an observation about “Hacker Safe” and a letter sent out to customers regarding their site being hacked last month. A very interesting discussion followed that is worth reading.

The last item I would like to mention is one that was also posted by Don. It was posted in October of last year, but has seen some recent activity. It poses the question “How do you do Email?” A great set of posts follows in which people share their strategies for dealing with our overflowing inboxes.

Who participates?

Here is a list of folks who participate and have blogs. Yes, it is a long list, but it is worth your while to visit these blogs on a regular basis.

  • The Security Catalyst (Michael Santarcangelo)
  • The Network Security Blog and Podcast (Martin McKeay)
  • Security Ripcord Blog and Podcast
  • Education Security Incidents (Adam Dodge)
  • An Information Security Place (Michael Farnum)
  • Andy, IT Guy (Andy Willingham)
  • Andrew Hay
  • Scott Wright (Security Views)
  • Security Renaissance
  • Marcin Wielgoszewski
  • John Biasi
  • Chris Hoff
  • RioSec Security WebLog (Chris Byrd)
  • James Costello
  • Harlan Carvey, CISSP
  • Jon Robinson
  • Chris Harrington
  • John Gerber
  • Steve Mullen
  • Rory McCune
  • Rebecca Herold
  • Randy Armknecht
  • Didier Stevens, CISSP
  • Amrit Williams
  • David D Bergert, CISSP, CISA
  • Justin Clarke
  • Andrew Storms
  • Lori MacVittie
  • Rob Newby
  • Andrew Mason
  • Andy Steingruebl
  • Security Thoughts (Allen Baranov)
  • Jeff Stebelton
  • Brad on Security (Brad Andrews)
  • Anton Chuvakin
  • Eric McMillen
  • Dana Hendrickson
  • Tyler Reguly
  • Keith Kilroy
  • Peter Giannoulis
  • Walt Conway

Um... this post is long, how do I join again?

Simply go to and click on the register link. You will not regret it.

Kevin Riggins


Influencing our user community….

May 1, 2008

Mike Rothman, in his latest Pragmatic CSO Newsletter (I highly recommend subscribing), has a really good post up about our responsibility to ensure that the user community understands why they should be adhering to established policies and not attempting to circumvent controls put in place to protect our organizations.

I left the following comment and now am going to reuse it as a post 🙂


I have been reading the book “Influencer: The Power to Change Anything” which I highly recommend. In it they posit that there are essentially six sources of Influence. They fall into two categories and what I call three strata. The categories are motivation and ability and the strata are personal, social and structural. Where motivation and personal intersect, the source of influence is defined as “Make the Undesirable Desirable.”

If the general user community does not desire to adhere to or follow established policies and is actively attempting to circumvent controls, then we have failed to instill in them a desire to be compliant. It is our responsibility to influence them to change that mindset, in other words, to make the undesirable desirable.

So how do we do that? What you suggest exemplifies what the authors of the book have discovered. People are much more likely to embrace ideas when they have been shown the consequences of ignoring those ideas in a very personal and impactful way. I’m not saying that we should all use the specific scenario you suggest, although it would certainly bring home the message :), but we do need to find ways to instill awareness in our user communities that is much more personal than “read this policy and sign this paper.”

Kevin Riggins

Are you an Information Security Evangelist?

April 4, 2008

Merriam-Webster defines Evangelist as follows:

1: often capitalized : a writer of any of the four Gospels
2: a person who evangelizes; specifically : a Protestant minister or layman who preaches at special services
3: an enthusiastic advocate <an evangelist for physical fitness>

I’m pretty sure you are not one of the writers of any of the four Gospels. While you may be a minister or lay speaker on religious topics, that isn’t really what I am talking about either.

So that leaves the third definition to look at: an enthusiastic advocate. That is something that anybody can do. So let’s restate the question: Are you an enthusiastic Information Security advocate?

Not my job

Now I am sure at least one of the three of you who are reading this is muttering, “Not me, I’m not in the Information Security department. It's not my job.” Don’t hang up yet. I’m talking to you too 🙂

Of course we want the Information Security personnel in our organization to be enthusiastic advocates. We rely on them to protect our information assets. But they can’t do it by themselves. They need the help of those around them. The job is just too big and too far reaching for one small band of people to tackle.

I’m not enthusiastic about much of anything.

Okay, maybe enthusiastic isn’t the right word. How about just plain advocate: someone who believes in something and is willing to promote it.

So how do I do that?

Since we are not talking about preaching to the masses, and enthusiasm may be a stretch for some, how about quietly influencing those around you by your actions? You know the cliche: “Actions speak louder than words.” If we are educated and aware (a whole other topic we will be exploring) and conduct ourselves in a manner that displays said education and awareness, we are likely to have a greater impact on our surroundings than any amount of emails or announcements or posters or threats from above.

How do I become educated and aware?

It’s your turn, Information Security folks. We need to make sure that we are providing many opportunities for those who rely on us to obtain the education and awareness training that will help them help us. Our E&A programs are as important as, maybe even more important than, our firewalls, IDSes and other technical controls.

I will end this by asking the question again: Are you an Information Security evangelist? If not, why not?


Meaningful Conversation

March 24, 2008

Scott Young over at PickTheBrain writes in this post about a couple of ways to improve the quality of the conversations we have with people.

He points to two basic rules that can help make conversations more meaningful.

  1. The conversation is not about you.
  2. You need to give trust to get trust.

I will leave it to you to explore his take on these two tenets from a general conversational perspective. However, it strikes me that if we, as Information Security professionals, would incorporate these rules into our conversations with our respective constituents, we might be met with a little less resistance. Of course, I am speaking from the perspective of being a corporate drone.

Having a conversation with the Information Security dude or dudette is viewed with a certain amount of trepidation by many who are “forced” to deal with us. In my experience, most of this trepidation is caused by us and not the poor supplicant 🙂. Why do you think they feel this way? Let’s look at number 1 above first.

1. The conversation is not about you.

Pretty simple statement. Harder to put into practice than it appears, though. Let’s change it a little: the conversation is about them. They are looking, whether they know it or not, for the best method of accomplishing their goal in the most secure manner available that is appropriate for the business risk they have chosen to accept (which, by the way, is a topic for another post). If we approach things from this perspective, it becomes a collaborative endeavor, not an adversarial one. Of course, I am not suggesting that there will never be times when we are required to tell people they can’t do something in the manner they desire. But as long as we avoid just saying no and try to help them find a way that is also acceptable from an infosec perspective, we have still remained their helper and not their roadblock. If they view us as their helper, they will be less concerned when they need to talk to us. They will involve us earlier and, finally, will be more likely to share more information with us.

2. You need to give trust to get trust.

This one is even more difficult. Why should they trust you? Do they know you? We have to build relationships with the people we work with. For those of us who work in the corporate world, this is a little easier. I talk to the same folks day after day and we have the opportunity to get to know each other and build trust. I have to trust that they believe I have their best interests at heart, and they have to trust that I am not out to “get them” or stop them from being successful. Following rule 1 above goes a long way towards building this trust. Those who don’t have the luxury of long-term relationships with the folks they are dealing with have to find some way to establish that trust quickly and right at the beginning. Again, approaching it from a rule 1 perspective will help a great deal.

So there is my two cents worth about something that has been a problem in several companies for which I have worked.

I have not done the subject matter justice, but it was on my mind so here it is.