
Archive for Professional Speaking

Pride of Accomplishment - and what really matters

Earlier today we received the shipment of “preview copies” for Into the Breach. This is the first book that I authored by myself (as opposed to contributing) - and it took longer than expected. Despite the delays, the entire journey has been amazing!
COVER: Into the Breach: Protect Your Business by Managing People, Information and Risk
To open the book and hold the finished (albeit preview) product in my hands felt cool. Okay, I did a little happy dance in the office. Then I realized that the book website is out of date (and is slated for a massive overhaul next weekend). We’re also working on the link for pre-orders and a final ship date for the hardcover version…. mind racing, pressure building, I got back to work.

Just now, my children came home. My son actually snuck into my office (he’s getting good!), walked up behind me and yelled “Congratulations” and gave me a huge hug. He was as excited as his birthday when I handed him his own copy. He looked me dead in the eye and told me, “Daddy, this must have taken a lot of time. I am very proud of you.” His entire body let me know he was excited. And proud. A minute later, my daughter came running in, cheering for me. She immediately asked for her copy, hugged me and told me the book looked “great.”

The tears welled up as they scampered upstairs to put their books in “a safe place.”

I didn’t write this book for the sake of writing; rather I wrote to shift thinking and change behaviors. I asked, “What if breach isn’t the problem?” and then spent a few years blending and distilling sociology, psychology, applied economics and experience with technology to share some insights and suggest a path. I wrote to make a difference. The process of writing involved the entire family - and for that, I am grateful.

Holding the book today was an awesome feeling. And yet it was quickly trumped by the simple celebration and pride my children took in me. This is what really matters. Today is a day to remember.

Update: My parents and Grandmother came by for dinner. My son ran out to meet them - book in hand. Couldn’t wait to tell them “how totally awesome Daddy’s book is.” Totally an awesome day to remember.


Posted in Information Protection, Professional Speaking, compliance

TSC May 21 2008 | The Right Way to Address the Debian OpenSSL Vulnerability

It was disclosed last week that the OpenSSL packages shipped by Debian (and derivatives such as Ubuntu) contained a flaw in the random number generator: a packaging change made in 2006 removed nearly all of the seeding of OpenSSL’s PRNG, leaving the process ID as the only real source of entropy. Any key generated with those packages, whether an SSL/TLS key pair, an SSH key, or an OpenVPN or DNSSEC key, was drawn from a small, predictable set that an attacker can simply enumerate, paving the way for another attack vector. Upgrading the package stops new weak keys from being created; it does nothing for the keys already in use, which have to be found, regenerated and, in the case of certificates, revoked and reissued.

Plenty of specific details and analysis can be found in different places, including:

http://wiki.debian.org/SSLkeys

http://www.us-cert.gov/cas/techalerts/TA08-137A.html

http://www.kb.cert.org/vuls/id/925211

http://secunia.com/advisories/30220/

For many, this signals the fire-drill of reaction and patching — just in time for a big holiday weekend (aka the “start of summer”) here in the United States.

Just days before this was announced, I was introduced to Venafi (as a direct result of my press pass at RSA). During the conversation, I realized they really own the niche of Systems Management for Encryption. As we shared a lively and informative conversation, I was reminded that SSL is not just something we stick on web servers; it goes deeper and wider in many enterprises today. As soon as you have to manage many of these encrypted connections, the process gains some complication – and is ripe for error. Step in Venafi.

When the Debian vulnerability was announced, I immediately asked if Venafi would be willing to share some insights about how organizations should be handling this issue. This is bigger than patching (remember Code Red?) – and I wanted a discussion that provided insights into how to manage this in a way that brought immediate results but also good long-term gain.
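The “bigger than patching” part is the inventory: every key and certificate generated on an affected system has to be found and rotated, and the way to find them is to fingerprint each key’s RSA modulus and check it against the published blacklists. The script below is an added example (it is not from the podcast, from Venafi, or from Debian’s own openssl-vulnkey tool) showing that check over a constructed inventory. The hostnames, paths and moduli are made up, and the fingerprint format is an assumption: that the openssl-blacklist files hold the last 20 hex characters of SHA-1 over the exact “Modulus=…” line that `openssl x509 -noout -modulus` prints.

```python
import hashlib
import re

# Constructed sample of what an inventory run might produce, e.g.
#   for f in /etc/ssl/certs/*.pem; do echo "$HOSTNAME:$f $(openssl x509 -noout -modulus -in "$f")"; done
# collected from each host. Hostnames, paths and moduli are made up; the
# moduli are short placeholder hex strings, not real key material.
SAMPLE_INVENTORY = """\
webserver01:/etc/ssl/certs/www.example.com.pem Modulus=C0FFEE1234567890ABCDEF
mailgw02:/etc/ssl/certs/mail.example.com.pem Modulus=DEADBEEF0123456789ABCD
vpn03:/etc/openvpn/server.crt Modulus=0BADF00D1122334455667788
this line is noise and should be ignored
"""

MODULUS_RE = re.compile(r"^(?P<name>\S+)\s+Modulus=(?P<modulus>[0-9A-Fa-f]+)$")


def modulus_fingerprint(modulus_hex: str) -> str:
    """Fingerprint a key by its RSA modulus.

    Assumption: Debian's openssl-blacklist files contain the last 20 hex
    characters of SHA-1("Modulus=<UPPERCASE HEX>\\n"), i.e. the hash of exactly
    what `openssl x509 -noout -modulus` prints. Hex case is normalised so a
    modulus copied from another tool still matches.
    """
    line = "Modulus=" + modulus_hex.upper() + "\n"
    return hashlib.sha1(line.encode("ascii")).hexdigest()[-20:]


def parse_inventory(text: str) -> dict:
    """Turn `name Modulus=HEX` lines into {name: modulus_hex}; skip junk lines."""
    keys = {}
    for raw in text.splitlines():
        m = MODULUS_RE.match(raw.strip())
        if m:
            keys[m.group("name")] = m.group("modulus")
    return keys


def find_weak_keys(inventory: dict, blacklist: set) -> list:
    """Return, sorted, the inventory names whose modulus fingerprint is blacklisted."""
    return sorted(name for name, modulus in inventory.items()
                  if modulus_fingerprint(modulus) in blacklist)


# Constructed blacklist: pretend the vpn03 key was generated on an affected
# Debian box. A real run would load the entries from the openssl-blacklist
# package (one 20-character entry per line) instead of computing them here.
CONSTRUCTED_BLACKLIST = {
    modulus_fingerprint("0badf00d1122334455667788"),  # lowercase on purpose; must still match
}

if __name__ == "__main__":
    inventory = parse_inventory(SAMPLE_INVENTORY)
    for name in find_weak_keys(inventory, CONSTRUCTED_BLACKLIST):
        print(f"ROTATE: {name} (regenerate the key, then revoke and reissue the certificate)")
```

Two caveats a practitioner would want: the blacklists only cover the key sizes and types that were published (a key of an unusual size can be weak and still go unflagged), and a clean result for a certificate says nothing about the SSH host and user keys on the same machine, which need their own sweep. Treat the blacklist check as a way to prioritise, not as proof that a key is safe.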

During this program, Paul (from Venafi) and I start by exploring how to engage business users in the conversation. We progress to tactical and strategic ways to address this challenge while realizing this is an opportunity to make some improvements that bring better future results.

It comes from planning and following a process informed by experience – and we’ll share the insights with you in 30 minutes or less!

In the wrap-up, I suggest following the approach of plan-do-review, outlined in this podcast: http://www.securitycatalyst.com/blog/2008/01/31/the-security-catalyst-show-plan-do-review-your-way-to-success/

Tune in next week for the debut of the Pop Culture Security podcast – your monthly “how-to” for Security Awareness Training.

 
Security Catalyst May 21 2008 [33:06m]

Posted in Information Protection, Professional Speaking, Security Awareness Training, netcast

Do you share your umbrella?

I’m about to head to the opening of Hershey Park for the 2008 Season. This is the celebration of the opening (we were here for the last day of 2007, too) and the culmination of our April Expedition of the Campaign Across America. I’ll compile the stats and experiences from the trip and share in the coming weeks.

In the meantime, I had two really cool experiences this week - at truck stops. First, en route to Charlotte, NC (to help a friend), it was pouring rain when we stopped to “diesel up.” The protocol at truck stops is simple: pull in, diesel up, pull forward for someone else to get to the pump, head in to pay. I did. When I hopped out of the RV to pay (now fully exposed to the rain), I was surprised to find a fellow driver (though he was driving a big rig) _waiting_ for me - umbrella in hand.

He didn’t want me to get soaked, so he waited for me and we walked in together. It was a two-minute conversation about where each of us was heading and the weather. No ulterior motive. Pure generosity on his part.

If it were raining - would you wait for someone you never met to offer them your umbrella?

When we stopped to diesel up before we got to the Hershey High Meadow Campground (we got in yesterday), we stopped at a BUSY Petro station (we have two favorites: Pilot and Petro). While I was fueling, a truck pulled in - and based on the way he drove, I sensed he might have been frustrated. Then he hops out of the cab and walks right at me! Well, he wasn’t mad - he wanted to make sure I wasn’t getting ripped off!! He asked me if I held a Pilot Driver’s Rewards Card, and then shared tips on how to use it more effectively! We talked about fueling up, cars, trucks, locations, the whole bit. It was actually pretty cool - and I learned a lot (and left with a smile on my face).

Do you go out of your way to make sure people get taken care of (especially a complete stranger)?

In both of these cases, I found some of the most generous and thoughtful people while on the road. Complete strangers looking out for me, no strings attached. I know we need more of this in the world, and I hope that you take even a few moments to ponder these two examples to look for ways we can all look out for each other.

Have a great weekend.

Posted in Information Protection, Professional Speaking

Thanks, Lincoln - and now, Talladega

Sorry for the lack of posting. We drove hard this weekend and have enjoyed two days in Lincoln, NE. I was honored to provide two keynote sessions today — and was made an Admiral in the Nebraska Navy!

I just looked at the travel plan for the next 24 hours - and I am making my way to southern Tennessee by nightfall tomorrow. It’s about 12 hours of driving, and brings me through Kansas City, St. Louis, Paducah (just love the name) and Nashville. After Talladega, we will swing to Nashville again…

Meantime - if you are in one of these cities and want to catch up - drop me a note and if I can, we’ll coordinate.

Michael

Posted in Information Protection, Professional Speaking

How Office Pranks Can Make Your Job Suck Less

Special Segment by Brad Montgomery

Brad is a friend of mine who has worked to improve my ability to use humor. He’s witty, funny and nice. As a “corporate comedian” he always cracks me up - so I asked him for some advice on how to use what he knows to ease some stress and improve the workplace, and he agreed. Here is what he shared! — Michael

I love harmless, victimless office pranks. Before I give you a couple of cool pranks you can do today, let me tell you why I love them.

Practical jokes are fun, create fun, and inspire fun. When I talk to my clients about boosting humor in their workplace (which increases productivity, improves morale, and aids with employee recruitment and retention), one of the main points I teach is that humor doesn’t start spontaneously. It’s not like a lightning strike. It has to be created, nurtured, and fed.

If your goal is to LEAD the way to humor, the single best way to create an environment conducive to fun is to demonstrate an appreciation for humor yourself. In other words, if you want to have more fun at work, you don’t have to be able to tell jokes, wear clown shoes, or crack wise during meetings. (Though if those things float your boat, go for it!) Instead, show appreciation for a good joke or prank, and laugh at other people’s wise cracks.

Guess what happens when you demonstrate this appreciation of humor? You’ll hear more jokes, you’ll see (and fall victim to) more pranks, and you’ll be entertained by wise cracks. See the brilliance? In order to lead the way to more humor at work, you don’t have to be funny at all. All you have to do is DEMONSTRATE that you like it when other people are funny.

Ok… this is where pranks come in. When you pull a prank, you’re shouting to the world, “Take me on! I love to laugh! Go for it!” And lucky you … your people will listen.

So, how ‘bout a couple of easy, victimless, won’t-get-you-sent-to-the-HR-department pranks you can execute today? Easy. Here are three:

• Use tape loops to tape your workmate’s telephone receiver to their phone. (So when they try to answer the phone they can’t “pick up.”)
• Put a small piece of tape over the laser on the bottom of somebody’s mouse. It will simulate a broken mouse.
• Change the height of a workmate’s desk chair. Do this one time and it’s funny. Do this twelve times over the course of two weeks, it’s hilarious.

Now all you have to do is to laugh. Smile. And wait for the joy — and pranks — to come back to you. And they will.

Good for you… now you’re doing your part to Lead the Way to Laughter.

==
Brad Montgomery is a motivational humorist speaker, author, and facilitator. He works with groups who want to laugh-out-loud while learning how to make their workplaces more fun. You can reach Brad at BradMontgomery.com and read his latest rants and ideas at his blog: Bradlaughs.com

Posted in Information Protection, Professional Speaking, Security Awareness Training

Join me at the Nebraska Cyber Security Conference on April 22

With a focus on bringing new insights into the challenges business and professionals face, I am keynoting the April 22 Nebraska Cyber Security Conference in Lincoln, NE. Additional details and registration can be found here: http://www.cio.ne.gov/cybersecurity/conference/registration08.html

I will share ideas, anecdotes and strategies from Into the Breach, designed to help bring more effective results and address the challenges we face. If you are going to be there, I would enjoy the opportunity to speak with you before, during or after the event.

(Embedded presentation: TSC Keynote - Strategy To Protect Information Overview)

Posted in Professional Speaking

Have you considered engaging a professional speaker to turbo charge your efforts?

As we near the end of the year, I’m advising friends and clients on successful strategies to address their current challenges around improving their security programs, how to reduce the cost of compliance, and engage their people in security awareness programs that get results!

Several of my clients have started to book my keynotes and training programs using end of year budget; they view this as the perfect way to kick-start their programs next year. Obviously, I’m biased - but I happen to think this is a good idea.

Engaging me now for a keynote or day-long program brings you my experience, passion, energy and allows you to benefit from the research and effort that has gone into writing the book (http://www.intothebreach.com/into_the_breach.htm).

If you’re ready to engage your people, I’m ready to help you. You can call me at 800.996.8351 and ask for Ffion (FEE-ON). She’ll be more than happy to help you and arrange a time when we can speak.

What do people have to say about my programs?
I take great pride in being able to bring everything I have to each and every engagement. If you’ve worked with me in the past, you’ve experienced my passion and contagious energy. You can read some really appreciated endorsements of my efforts on my profile at http://www.linkedin.com/in/securitycatalyst

“Michael is a rarity in today’s world. He is a fountain of personal energy and knowledge that shows no sign of drying out. Even better than that, his sincere desire is to help others understand information protection concepts for their own personal betterment and for the betterment of the security community as a whole. Michael’s communication style is unabashedly straight-forward – cutting through the mess, and getting right to the point. This makes him a great presenter, coach, or sounding board. I truly appreciate Michael’s contribution to the security community and am grateful he is out there actually *doing* what so many of us talk about, but never seem to actually attempt.”
Mr. Carpenter
Information Security Manager

What are the most requested topics I speak on?
As a professional speaker and member of the National Speakers Association, I work with you to customize a program that meets the precise needs of your audience and delivers the results you need. I bring over a decade of in-the-trenches experience, combined with the breadth and depth I demonstrated as a top CISSP instructor, and deliver it in an engaging, entertaining and simple-to-understand way.

Each of these programs can be tailored for your audience. Call me to explore how I can help you solve your information protection challenges or for program summaries.

Mind the Gap
Journey into the breach, protect information and reduce the cost of compliance

Speak with impact!
Communicate security so they really get it

Awareness with Attitude
Developing the mindset for protecting information

Punching Above Your Weight
Get executives to care without peddling fear

Staying Safe (Without Wires)
Protect your information, your identity and your children

Training workshops
I have developed these training programs based on my experience in providing opportunities to engage, understand and practice. If you are looking for clear results from a training session, I invite you to consider:

Results-driven Information Protection Through Leadership(one-day program)
Learn the process-driven approach to improved security, lower costs and higher value

Speaking About Security (two-day program)
Communicate effectively and engage your audience in information protection

Engage. Empower. Enable. (one-day program)
Develop effective awareness programs that connect with your colleagues

See me in action (Video Demonstration)
Actually, the video I currently have is pre-triathlon training; while it shows my passion and energy, it’s time for an update. This means an opportunity for you. I’ve already reached out to some clients about a barter deal in return for high-quality video capture.

If you have the ability to record my keynote or training session this year, then we can make a deal!

What does it mean to be a professional speaker?
First and foremost, it means that I have met the requirements to join the National Speakers Association as a professional member, and I abide by their code of conduct and ethics. Being a member of NSA is not required to be a professional speaker, of course, but it does demonstrate I have achieved a level of success in this pursuit.

As a member of the National Speakers Association, I have the privilege to work with and learn from some of the best and most gifted communicators in the world. All of that learning, practice, feedback and insight goes back into the efforts I bring to you.

As a professional speaker, I actively study the elements of successful communication. I focus on how information becomes understanding - and specifically on how to guide understanding into action. This is a true passion of mine, and I have developed the Security Salon as a direct result. I’ll share more about the salon with you in the coming months.

When you engage me to work with your team or audience, I leverage my skills and experiences in a way that delivers you a program focused on your success.

Each and every engagement - speaking or training - receives extensive preparation and planning. Each message is tailored to your group and crafted to connect with the audience. Depending on the audience, I prepare customized materials and handouts or structure hands-on opportunities to work with the information and experience I am sharing.

When you hire me as a speaker - you get my insights, my passion, my experience and I always bring my contagious energy and can-do spirit.

Posted in Information Protection, Professional Speaking, Security Awareness Training, compliance

Security Conferences and Jump Starting your Awareness efforts

Regardless of what the calendar says, the new year really begins in September. After a summer of obstacles to productivity, in September, we jump into gear.

This message is to update you on:

Information Protection Assessment Toolkit (IPAT) – special offer deadline imminent
September Events

Build Budgets, Awareness, Strategy… with IPAT
Special offer deadline

My plan for a guided, supported and realistic toolkit to help those responsible for security build a plan, budget and awareness program became real this summer. The Information Protection Assessment Toolkit (IPAT) and the IPAT preview program launched in July.

The special offer of a ½ day of my time to launch the program in your organization will soon end. As you can see from my schedule below, my hours are limited. Contact us to book your IPAT program before September 13th.

September events:

The Protecting Information Workshop
Sponsored by: Albany, NY Tech Valley ISSA Chapter
Thursday, September 20th, 9am-3pm EST
MetLife facility, Rensselaer Technology Park, North Greenbush
Thanks to their sponsorship, the fee is only $25 for non-members
Certificate: 5 Continuing Professional Education (CPE) credits
Registration: http://www.techvalleynyissa.org/

Security Solutions Virtual Tradeshow
Sponsored by: Ziff-Davis
Wednesday, September 26th, 11am-6pm EST
Registration: http://go.ziffdavisvts.com/securitysolutions

Into the Breach – Keynote Speaker
Sponsored by: CSO Breakfast Club
Friday, September 28
Pittsburgh
Registration: http://www.csobreakfastclub.com/

Cutting Edge Conference
Sponsored by: Symantec Corporation (internal event, closed to the public)
October 2 & 3, 2007
Orlando, Florida
Registration: closed

Enjoy a secure September.

Michael

Posted in Information Protection, Professional Speaking

User Awareness Training

According to many, user education is one of the best methods of ensuring adequate protection of your information assets.  It’s been eternally touted as one of the requirements of a viable information security program.  This article is not about that, though.  It’s about knowing your users/customers.  Yes, Mr. & Ms. Security Professional, your users are also your customers.  You are here to serve them; not vice-versa.

How well do you understand your users?  Are you aware of their needs, habits, and abilities?  Most security professionals understand the technology, but don’t have a clue about their user base.  All security professionals need user awareness training to ensure they understand their customers.

In the June 1, 2007 edition of CIO magazine, Publisher Gary Beach asks the question, “How social are you?” (http://www.cio.com/article/109302)  He references a new report by the Pew Research Center titled, “Typology of Information and Communication Technology Users” (found at http://www.pewinternet.org/pdfs/pip_ict_typology.pdf).  This report classifies Information and Communication Technology (ICT) users.  Based on its findings, we in security can no longer assume that users are stupid.  From Mr. Beach’s column, “customers (users) are ‘wicked smart.’ They know what they want, they know how to get it, and they’re doing so by leveraging the power of social networks to reach out to <others>.”

The report’s author, John Horrigan has classified ICT users in America into ten categories based on their ICT assets, actions, and attitudes.  The ten groups that emerge in the typology fit broadly into a “high end,” (31%) “medium users,” (20%) and “low-level adopters” (49%) framework. However, the groups within each broad category have their own particular characteristics, attitudes and usage patterns.

From the Report*,
  - 8% of Americans are deep users of the participatory Web and mobile applications;
  - Another 23% are heavy, pragmatic tech adopters – they use gadgets to keep up with social networks or be productive at work;
  - 10% rely on mobile devices for voice, texting, or entertainment;
  - 10% use information gadgets, but find it a hassle;
  - 49% of Americans only occasionally use modern gadgetry and many others bristle at electronic connectivity.

Do you know where your customers/users fit?  How about you?
You can take their on-line Internet Typology Test (http://www.pewinternet.org/quiz/) to see where you fit in the new typology of ICT users.  Once you know yourself, you can better understand your users/customers.

By understanding your users/customers, you can tailor your security program to fit their needs. The fear of the unknown is often the greatest fear amongst security professionals.  With a little awareness training about your users, that fear will be lessened.

To paraphrase from Mr. Beach’s column, the big deal is this: As your firm continues to drive a growth-and-innovation agenda, your users and customers ultimately will determine the degree to which you succeed.  So CISOs need to ask themselves, “Is my infrastructure sufficiently robust to encourage and support the use of ICTs while protecting against the biggest and most prevalent risks brought on by these new technologies?”  CISOs should have an understanding and a vision of their users/customers to enable their business’ use of technology while protecting the critical assets.

What do you think?  Is the Pew Report accurate?  Respond either in the comments below or on the Security Catalyst forums.

By helping each other, we all become stronger.

* Horrigan, John. A Typology of Information and Communication Technology Users. Pew Internet & American Life Project, May 6, 2007, http://www.pewinternet.org/PPF/r/213/report_display.asp, accessed on May 10.

Posted in Information Protection, Professional Speaking

Do you sell security like a sunset performer?

Last night I took the opportunity to celebrate another (Key West) sunset. Ironically, it was the sunset I have been searching to capture on camera for a while - and yet it eluded my lens. Regardless, I drank it in, felt some stress slip away and then took in a “show.” The street performers of the Sunset Celebration in Key West are some of the most entertaining and practiced I have seen. When you visit and take the time to celebrate, do plan to stick around and be entertained.

Yesterday I had the opportunity to see the Great Rondini, an escape artist, dazzle and entertain the crowd. What I enjoyed (as much as the performance itself) is how he built the crowd, got the energy going and then put on a show - and in the end, he escaped his bonds. In addition to his humor and well-practiced quips, he stopped at least once, commanded our attention and issued a heartfelt thanks for supporting him. No, not the pitch for money… a true thank you for rewarding his efforts with our attention and applause. It was an honest emotional connection with the audience.

(I tried to insert a picture here, but my software bombed out - maybe soon!)

Beyond his excellent performance, I noticed that he held the attention of my children for the entire time (I also don’t recall any cell phone conversations or people using blackberries!). Better yet, when he was done, he came and thanked each child that came by - and rewarded them with a glow-stick style bracelet. It was genuine and classy.

On the walk back, I started thinking about how we could apply what I just experienced to our practice of security and how we protect information….

Rondini worked his timing, built interest, got people engaged and then put on a show. He waited until the sun went down (and people were less focused on finding the “right” spot). He waited patiently until the tightrope act was done, and then quietly stood on a chair and blew a whistle. A bright orange get-your-attention whistle. SHOWTIME! He immediately engaged those standing right near him (including me) to form up at his line. He even said - look like you’re a crowd (to some laughs). He had a line for each of us as he invited us to participate. He threw out some practiced lines to get you to laugh… which is immediately disarming… and slowly, the crowd grew. When the crowd was right, he selected volunteers - got the crowd to support them and started the show.

It was clear that he was a professional. He’s practiced at his craft - and yet the show was different than I have seen in the past (so he’s still improving, changing and growing). Think about it for a second - how do you brief people? How do you explain what you do? How do you approach security?

Rondini smiled. He engaged. His passion for performing came through. As a security professional, this is an approach we need to follow. Rondini only gets paid when he puts on a good show. The larger the audience, the better the involvement and the stronger his performance, the more tips (and larger tips) he will be able to collect. He is motivated to improve and to perform. Most of us are lucky - the paycheck shows up no matter how well we do. Take a moment, though, and imagine ALL of your compensation based entirely on how you connected, engaged and entertained?

I don’t think it makes sense to tell people security is hard, complex, heavy and something they _have_ to do. We can all learn something from the Sunset Celebration performers - and bring a bit of entertainment to our efforts to make a difference. I am confident you will reap rewards from this approach.

Here is what I learned from Rondini - and how I think we can all benefit in our practice of security:

1. Choose the right time to perform (or deliver your message)
2. Engage your supporters and build them up (we need to find and build security champions)
3. Bring the audience into the performance and reward them (we need others to engage - but they have to be encouraged and rewarded)
4. Rehearse, rehearse, rehearse - so you seem practiced, smooth, confident - and really entertaining! (we *all* need more of this. period.)
5. Show sincere thanks and remain genuine and classy

Need help - shoot me an email: securitycatalyst@gmail.com. When this works, share your success with me!

Posted in Information Protection, Professional Speaking
