The Week That Was - 2013-04-08

Welcome back, all five of you reading my blog. Thanks for stopping by. You might have noticed I changed the look and feel of the blog. The old theme just didn't feel right anymore so I've changed it around a bit. I won't promise the changes are done, but I think most of the big adjustments are behind us.

My highlights this week focus more on the people and process side of the information security profession. Jack Daniel caught my eye with his response to a post by Krypt3ia discussing Digital Natives and Digital Immigrants. [4], [16] And no, I don't know how to pronounce "Krypt3ia". My lack of phonetic prowess notwithstanding, the articles were very interesting and worth a read. They underline a social shift that we, as INFOSEC professionals, need to be aware of and understand. Folks who grew up never knowing a world without the WWW have a very different perspective on appropriate vs. inappropriate behavior online. I'm not saying the Digital Native perspective is better or worse; I'm just saying that it's there and we need to account for it as we evolve our information security programs.

Next up, I want to discuss a great quote I picked up from Glen Alleman over on Herding Cats [8]:

When we speak of strategy, we must consider it a hypothesis that can be tested by experiment. These tests produce Measures of Effectiveness, Measures of Performance, Key Performance Parameters, and Technical Performance Measures resulting from the work activities of the project employed to implement the strategy.

This is a great quote because it reminds me that we need to start treating information security and risk more as a science than as an art. If we look at our strategy as an experiment, I think we can be much more effective. The tradeoff is that we must become much more expert at the empirical side of our business.

Part of the strategy we might want to change is lying to our attackers. There was an interesting article on Forbes about a Mitre Red vs. Blue exercise. The Red team totally pwn3d the Blue network early on and the Blue team knew it. However, rather than just give up, the Blue team exercised some network security judo and fed the Red team disinformation that ultimately gave the Blue team a decided advantage. Well done, Mitre Blue. Sun Tzu would be proud. [1]

Wrapping things up, I crawled out from under my rock just long enough to find Bob Rudis' Visualizing Risky Words series.  That series got the propeller on my beanie spinning.  I'll have to try out some of what he shared in my copious amounts of free time.  [18-21]


Link Dump

[1]  A. Greenberg, “A Different Approach To Foiling Hackers? Let Them In, Then Lie To Them.,” Forbes, 05-Apr-2013. [Online]. Available: [Accessed: 05-Apr-2013].

[2]  J. Leyden, “Advanced Persistent Threats get more advanced, persistent and threatening,” The Register, 04-Apr-2013. [Online]. Available: [Accessed: 04-Apr-2013].

[3]  M. S. Oberlaender, “Book excerpt: ‘C(I)SO: And Now What?’,” CSO Online, 26-Mar-2013. [Online]. Available: [Accessed: 02-Apr-2013].

[4]  Krypt3ia, “Digital Natives, Digital Immigrants, Exo-Nationals and The Digital Lord of The Flies,” Krypt3ia, 22-Mar-2013. [Online]. Available: [Accessed: 04-Apr-2013].

[5]  S. Ackerman, “Ex-CIA Analyst Expects North Korea to Attack South Korea Before Tensions End,” Danger Room, 04-Apr-2013. [Online]. Available: [Accessed: 05-Apr-2013].

[6]  “FireEye Advanced Threat Report - 2H 2012,” Apr-2013. [Online]. Available: [Accessed: 04-Apr-2013].

[7]  K. Fiveash, “Head of privacy at Google leaves. Yes, that’s a real job,” The Register, 02-Apr-2013. [Online]. Available: [Accessed: 04-Apr-2013].

[8]  G. B. Alleman, “Herding Cats: Quote of the Day,” Herding Cats, 05-Apr-2013. [Online]. Available: [Accessed: 05-Apr-2013].

[9]  M. Cobb, “How Attackers Choose Which Vulnerabilities To Exploit,” Dark Reading, 04-Apr-2013. [Online]. Available: [Accessed: 04-Apr-2013].

[10]  B. Prince, “Identifying And Remediating Security Vulnerabilities In The Cloud,” Dark Reading, 03-Apr-2013. [Online]. Available: [Accessed: 03-Apr-2013].

[11]  B. Prince, “NSA Director: Information-Sharing Critical To U.S. Cybersecurity - Dark Reading,” Dark Reading, 03-Apr-2013. [Online]. Available: [Accessed: 03-Apr-2013].

[12]  D. Smith, “R version 3 released,” Revolutions, 03-Apr-2013. [Online]. Available: [Accessed: 04-Apr-2013].

[13]  M. O’Rourke, “Stocks Rise with Risk Management,” Risk Management, 28-Mar-2013. [Online]. Available: [Accessed: 01-Apr-2013].

[14]  J. Heimerl, “Talking Information Security: What’s Important to You?,” Solutionary Minds, 04-Apr-2013. [Online]. Available: [Accessed: 05-Apr-2013].

[15]  R. Rachwald, “The New FireEye Advanced Threat Report,” FireEye Blog, 03-Apr-2013. [Online]. Available: [Accessed: 04-Apr-2013].

[16]  J. Daniel, “Uncommon Sense Security: Digital Natives, Digital Savages, and immigration,” Uncommon Sense Security, 03-Apr-2013. [Online]. Available: [Accessed: 04-Apr-2013].

[17]  E. Chickowski, “Using Dependency Modeling For Better Risk Decisions,” Dark Reading, 01-Apr-2013. [Online]. Available: [Accessed: 02-Apr-2013].

[18]  B. Rudis, “Visualizing Risky Words,”, 06-Mar-2013. [Online]. Available: [Accessed: 04-Apr-2013].

[19]  B. Rudis, “Visualizing Risky Words — Part 2,”, 09-Mar-2013. [Online]. Available: [Accessed: 04-Apr-2013].

[20]  B. Rudis, “Visualizing Risky Words — Part 3,”, 10-Mar-2013. [Online]. Available: [Accessed: 04-Apr-2013].

[21]  B. Rudis, “Visualizing Risky Words — Part 4 (D3 Word Trees),”, 12-Mar-2013. [Online]. Available: [Accessed: 04-Apr-2013].