The rapid growth and adoption of cloud computing leads to sometimes confusing situations where security remains an afterthought.

At a time when everyone is expected to do more with less, the difference between success and failure hinges upon the ability to communicate effectively. In fact, many people now realize the ability to communicate the value of security, and of their efforts, is the difference between career success and failure.

I recently considered how to cut through the confusion surrounding “cloud security” to successfully communicate the value of our efforts and shared some insights during the BrightTalk cloud security summit. Special thanks to Trend Micro, Symantec, Dave Shackleford and Lori MacVittie for sharing time, research and experience with me.

Blending their insights and experiences with my studies and models of how to effectively communicate value resulted in some interesting findings, including the need to translate our security experiences into the cloud is as (maybe more) important than selecting the right examples. The result is a 45-minute briefing, shared below.

Check out the recording here:

I work to help harness the human side of security; without a doubt, the challenges we face in our journey to the cloud is less technical and more dependent on our ability to successfully communicate with each other, with decision makers and with our colleagues who use the solutions we design, deploy and maintain.

This presentation is only the beginning.

I continue to research, test and help industry, enterprise and individuals to improve how we distill and and effectively communicate the value of security.

How can I help you?

Reach out with comments, questions and suggestions or share your communication challenges with me and we can explore how to solve them together.

The audio of the roundtable is now available for download and enjoyment.

Joined by Justin Bovee and Steve Ellis, we presented the definition of security awareness, explored how it sets the stage for success and offered insights into using the definition to build an effective program.

We also talked about how this definition makes it possible to turn what is often considered a cost into an investment – while satisfying compliance issues and a sometimes sour attitude toward “security awareness training.” We’ll go deeper on that topic in August.

We covered a lot of ground in a short period.

I’ll be expanding on key concepts in this blog, my CSO column, and offering some additional resources to help the establishment of effective security awareness programs.

Check out the event page to see what others contributed, ask questions and offer your thoughts (I keep tabs on all questions, comments and contributions for future roundtables): http://www.focus.com/roundtables/security-awareness-roundtable-defining-security-awareness/

In the meantime, while or after listening to the roundtable:

• Engage with me on twitter to talk about security awareness, effective communication of security or whatever is on your mind
• Send me email or submit questions for this or an upcoming roundtable
• Check out and participate in the security awareness section growing on Focus.com by clicking on http://www.focus.com/topic/security-awareness/

On August 24^th, join us for our second Security Awareness Roundtable and learn how to invest in security awareness, how to get budget and how much it should cost.

This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author.

What you’ll find in this episode (Chapter 11)

Outsourcing makes sense for a lot of organizations and continues to gain in popularity. Does this drive to outsource and partner actually increase security and protection of information?

By leveraging the strategy and concepts shared in Into the Breach, learn how to build a firm foundation for success – including how to measure the effectiveness of the partner and ensure mutual and lasting benefit from the arrangement.

• Learn how to establish appropriate and measurable criteria upon which to make better decisions
• Understand how to assess potential partners and providers to ensure appropriate fit and mutual success
• Gain insights into verifying and building relationships based on trust and mutual understanding

If outsourcing and working with partners is part of the process, then this chapter is a must listen.

Put the power of Into the Breach to work for you…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engage with Michael on twitter (http://twitter.com/catalyst)
2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!
3. Check out Awareness that Works™ – Michael Santarcangelo’s program to guide smart investment in people, with guaranteed results (this program pays for itself).

This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author.

In this episode (Chapter 10)

Compliance is not a commodity that can be purchased. And demonstrating compliance at a point in time does not mean information is being protected properly. There is a growing chorus of practitioners that suggest compliance is not security; however, proper security can and often does lead to effective compliance.

The key in managing risk and demonstrating compliance is to engage people in the process of assessing and protecting information – with and without the use of technology and controls.

In this chapter, I share some personal experiences and research that demonstrate the difference between a reactionary approach to compliance and a more mature process that addresses many needs at once.

If you find yourself drowning in compliance – or are trying to convince others of a different approach – this chapter is written for you.

Put the power of Into the Breach to work for you…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engage with Michael on twitter (http://twitter.com/catalyst)
2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!

This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author.

What you’ll find in this episode (Chapter 9)

Writing this book and testing these methods revealed a surprise: people who are engaged – connected more closely to the consequences of their actions – do more than protect information.

This chapter explores additional benefits from the improved communication and insights that come from following the strategies and elements shared in Into the Breach, including:

• Quickly align business and technology organizations (true alignment, not lip service)
• Harnessing the power of people to uncover new revenue opportunities
• Leveraging and engaging individuals in the act of reducing waste while doing more with less

You want more, so after listening…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engaging (not following) Michael on twitter (http://twitter.com/catalyst)
2. Subscribing to The Security Catalyst podcast & blog to get more insights
3. 3. Checking out Awareness that Works™ – a new program from Michael Santarcangelo to guide smart investment in people, with guaranteed results (this program pays for itself).

What you’ll find in this episode (Chapter

The strategy has been revealed. The fundamentals of what is now The Catalyst Method have been shared (note: if you want the update on The Catalyst Method, drop me an email). The key considerations for a pilot shared – and now it is time to measure success.

So how do you measure what matters so you can communicate what counts?

In this chapter, “Measuring Success,” Michael draws on his background of social science and economics to explain a powerful approach to measuring success. Learn how to use the right mix of qualitative and quantitative measurements to get the feedback necessary for success.

Learn how to measure what matters and communicate what counts.

Put the power of Into the Breach to work for you…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engage with Michael on twitter (http://twitter.com/catalyst)
2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!
3. Check out Awareness that Works™ – Michael Santarcangelo’s program to guide smart investment in people, with guaranteed results (this program pays for itself).

What you’ll find in this episode (Chapter 7)

The strategy has been revealed. The fundamentals of what is now The Catalyst Method have been shared (note: if you want the update on The Catalyst Method, contact us to learn more).

So how do you implement in a way that gets results?

In this chapter, “Putting the Strategy to Work: A Pilot,” Michael explains the basic approach – with key insights – to engaging people in the process of protecting information. Learn how to select the pilot approach that works best, build the team and plan a strategy that drives tactical and strategic success.

There is no “one-size-fits all” approach, and this chapter lays out how to make the right decisions the first time. Get a jumpstart on success with this chapter.

Put the power of Into the Breach to work for you…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engage with Michael on twitter (http://twitter.com/catalyst)
2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!
3. Check out Awareness that Works™ – Michael Santarcangelo’s program to guide smart investment in people, with guaranteed results (this program pays for itself).

What you’ll find in this episode (Chapter 6)

Chapter Six is where Michael explains how to customize and implement the Strategy to Protect Information. The information he shares is designed for immediate results by harnessing the power of people. By asking the right questions — in the right way — people are connected to the consequences of their actions and share information about known and unknown risks about the information they use every day.

The elements of this chapter are the building blocks to what is now called The Catalyst Methodâ„¢ — what Michael teaches, guides and uses to help organizations get results that improve awareness assessments and help deliver Awareness that Worksâ„¢.

Put the power of Into the Breach to work for you…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engage with Michael on twitter (http://twitter.com/catalyst)
2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!
3. Check out Awareness that Works™ – Michael Santarcangelo’s program to guide smart investment in people, with guaranteed results (this program pays for itself).

This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).

What you’ll find in episode 6, Into the Breach: Chapter 5 (The Strategy to Protect Information)

Chapter 5 is the introduction to Part II of Into the Breach — where the focus shifts to looking at what needs to be done. I outline a powerful, yet simple, approach dubbed “The Strategy to Protect Information.”

Key is the focus on information, not data, and the three steps that any organization must follow in order to be effective. The balance of Part II explains how – but just learning and understanding the three part strategy is transformative.

After listening to this chapter, you will know the strategy and be able to apply it to your current challenge — small and tactical or larger and organizational.

Put the power of Into the Breach to work for you…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engage with Michael on twitter (http://twitter.com/catalyst)
2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!
3. Check out Awareness that Works™ – Michael Santarcangelo’s program to guide smart investment in people, with guaranteed results (this program pays for itself).

Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series. (Click this link) to learn more about this how this book solves today’s challenges and pick up a complete copy. This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).

What you’ll find in this episode (Chapter 4)

Chapter four wraps up the first part of Into the Breach with a candid discussion about the current approaches to managing risk – and why they are not working. Michael explains that risk management is based on curves, not continuums, then dives deeper into the three barriers to effective risk management: scale, perception and probability. While looking at each, Michael makes suggestions on how to overcome them, then introduces the concept of managing risk on the efficient frontier.

Put the power of Into the Breach to work for you…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engage with Michael on twitter (http://twitter.com/catalyst)
2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!
3. Check out Awareness that Works™ – Michael Santarcangelo’s program to guide smart investment in people, with guaranteed results (this program pays for itself).

Welcome to the continuation of the Into the Breach: Protect Your Business by Managing People, Information and Risk audio series. (Click this link) to learn more about this how this book solves today’s challenges and pick up a complete copy. This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).

In chapter 3 : Breaking the Security Diet

Breaking the security diet is recognition that what happens in organizations today is more akin to a crash diet than a healthy approach to securing information. In this chapter, Michael reveals the high cost of this “fad diet” approach and shines a light on the new fad diet: encryption. However, there is a solution, and Michael explains how to break the fad diet, improve leadership and engage individuals. A pivotal chapter in the book, designed to create a fundamental change in the way organizations and individuals protect information.

Put the power of Into the Breach to work for you

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engage with Michael on twitter (http://twitter.com/catalyst)
2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!

Welcome to the audio series of Into the Breach: Protect Your Business by Managing People, Information and Risk (click this link to learn more about this book and pick up a complete copy – to get started on your personal journey). This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).

What you’ll find in this episode (Chapter 2: People Just Want to do their Jobs)

Chapter 2 reframes the challenge with powerful insights about the way people “just want to do their jobs.” Michael introduces what he calls the two principles  – a powerful concept about how people do their jobs, and an eye-opener that leads to improved interactions. The corollary to these principles is also explored, along with guidance on what to do about it. With a focus on individuals, Michael explains, “Compliance is not a video game” and reveals that a common approach of “exclusion” is creating more harm than good. The chapter wraps up with a discussion of “the human response to pain” – with a common example played out in organizations everywhere.

Put the power of Into the Breach to work for you…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engage with Michael on twitter (http://twitter.com/catalyst)
2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!
3. Check out Awareness that Works™ – Michael Santarcangelo’s program to guide smart investment in people, with guaranteed results (this program pays for itself).

Welcome to the audio series of Into the Breach: Protect Your Business by Managing People, Information and Risk (click this link to learn more about this book and pick up a complete copy – to get started on your personal journey). This series, underwritten by Configuresoft, now part of EMC, is the full and unabridged audio version of Into the Breach, written by Michael Santarcangelo and read by the author. Join us for a new chapter released on the first Tuesday of each month (there are 13 chapters total).

What you’ll find in this episode (Chapter 1: Breach: A Human Problem)

Chapter 1 defines the challenge of breach as a “human problem” and begins the journey to understand how and why we got where we are today. Michael reveals how reliance on technology has masked the true nature of the problem and explains how to re-think the way technology supports the needs of people. He also suggests that a focus on breach is too narrow, and that all information must be protected.

Update from Michael: the updated approach is to focus on the human paradox – introduced in this segment – that points out the unintentional, but systematic, disconnection of people from the consequences of their actions. This means “breach” and information protection is less a human problem than a paradox; my focus is on connecting people back to the consequences of their actions and presenting solutions that turn the cost of working with people into an investment.

Put the power of Into the Breach to work for you…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engage with Michael on twitter (http://twitter.com/catalyst)
2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!
3. Check out Awareness that Works™ – Michael Santarcangelo’s program to guide smart investment in people, with guaranteed results (this program pays for itself).

What you’ll find in this segment

The Introduction explores the nature of the challenge faced by organizations around the world. As we prepare for the journey “Into the Breach”, it is revealed that breaches are only symptoms, and the real challenge is described as a human paradox. Setting the stage for a shift in thinking necessary to get results, three common myths are exposed and addressed. A powerful strategy to protect information is shared, and the clarion call to engage, empower and enable people is sounded.

Put the power of Into the Breach to work for you…

After listening to this segment of Into the Breach, keep the energy going and support the shift in thinking and inspire behavior change by

1. Engage with Michael on twitter (http://twitter.com/catalyst)
2. Subscribe to The Security Catalyst podcast & blog to get more insights; ask a question and get an answer!
3. Check out Awareness that Works™ – Michael Santarcangelo’s program to guide smart investment in people, with guaranteed results (this program pays for itself).

Welcome to the Security Catalyst Program – bringing you the ideas, insights and tools necessary to change the way people protect information. I am Michael Santarcangelo, your personal catalyst on this journey. Thanks for listening!

On today’s program, we explore Certification and Accreditation with the help of three experts who share an absolute wealth of knowledge.

A few quick notes

1. Into the Breach is available as an eBook and signed Hardcover from www.intothebreach.com Learn more about how to engage users, restore responsibility and hold people to account. In fact, this book lays out how to reduce costs without increasing risk, turn insiders into allies and manage people, information and risk better.

2. For 2009, I am excited to announce the expansion of the Security Catalyst Blog – with the awesome Catalyst Contributors. Visit the blog each day to get a fresh perspective

3. I’m in the process of revamping the podcast series for 2009. I know a lot of people are struggling – and in addition to being a voice of optimism, I’m building a team to share information and strategies necessary for making a difference this year. If you want to contribute, or if you are facing a challenge and need some help – shoot me an email: securitycatalyst@gmail.com

Stay tuned for more information.

For today’s program, I am joined by Mike Smith, Graydon McKee and Joe Faraone to discuss C&A.

Links at a glance

The presentation that started the idea for this episode: http://www.slideshare.net/rybolov/why-care-about-government-security?src=embed

Graydon, Joe, and Mike teach 2-day C&A workshop and a 5-Fridays NIST Framework for FISMA workshop for the Potomac Forum. http://www.potomacforum.org/

Graydon’s blog: http://www.ascensionriskmanagement.com/BlogOne/

Papers and presentations: http://www.ascensionriskmanagement.com/BlogOne/paperspresentations/

Mike’s blog:http://www.guerilla-ciso.com/

Papers and presentations: http://www.guerilla-ciso.com/papers-and-presentations

The most relevant NIST publications are special publications 800-37 and 800-53, available here: http://csrc.nist.gov/publications/PubsSPs.html

About the Experts

Mike Smith

Michael Smith is a Manager in the Audit and Enterprise Risk Services organization of Deloitte & Touche LLP, where he leads engagements to provide security services to both commercial enterprises and government agencies. Prior to Joining Deloitte, Michael served as the Chief Information Security Officer with the Unisys Federal Service Delivery Center based in Reston, Virginia.  His scope of responsibility included both providing governance and managing risk for several data centers, Security Operations Center, Network Operations Center, and Server Management Team.

Graydon McKee

Graydon McKee is the Vice President and Chief Operating Officer of Ascension Risk Management LLC.  Graydon is an accomplished Risk Management/Information Security professional with extensive experience in developing and implementing Information Risk Management and Information Security Programs to clients in both the public and private sector.  He is a recognized leader in government regulatory compliance (Federal Information Security Management Act and the Defense Information Technology Security Certification and Accreditation Process compliance) and has taught the process to over 2,000 individuals representing over 600 federal government agencies and offices. 

Joe Faraone

Joe Faraone is a Senior Information Security Architect with GCI Corporation, based in Reston, Virginia with over 20 years’ experience in Information Security. Joe has delivered services for numerous Federal customers including Certification and Accreditation support, Security Governance Gap Analysis and Independent Validation and Verification (IV&V).  Over his career, he has served as Lead Independent Security Engineer, Manager and Architect of a managed security center for an Intelligence Community Agency, and has performed Certification and Accreditation services for several high-assurance systems.

The world of blogging, podcasting and social media is a dynamic –and dominant – force in the way individuals share and consume information. In this fast-paced approach to sharing, we stop to consider the ethics involved.

With the help of Jennifer Leggio  - social media expert, former journalist and friend of the Security Roundtable – we tackle the issue of ethics. During this highly informative roundtable discussion, we tackle the responsibility (and credibility) of bloggers, podcasters and especially the individual responsibility of those consuming the information.

This episode is packed with ideas and comments that will get the juices flowing. If you want to continue to conversation with us – join us in the Security Catalyst Community (just pay attention to the naming standard – you must use your real name).

Learn more about the participants:

Jennifer Leggio

http://blogs.zdnet.com/feeds/

http://mediaphyter.wordpress.com/

http://twitter.com/mediaphyter

Martin McKeay

http://www.mckeay.net/

http://netsecpodcast.com/

http://twitter.com/mckeay

Michael Santarcangelo

http://www.securitycatalyst.com/

http://www.intothebreach.com/ (books now available – eBook or hardcover)

http://twitter.com/catalyst

Our guest for this episode is Zach – security professional, friend of the show and curator of the Security Twits list.

Twitter: www.twitter.com

Zach: http://twitter.com/quine

Michael: http://twitter.com/catalyst

Martin: http://twitter.com/mckeay

 

Security Twits: http://n0where.org/security-twits/

 

Next Recording: Saturday, October 11, 2008 @ 10a Eastern – look for the live stream (and your chance to participate) around 10:15.

 

PS: 10 Days after the break-in and theft – we’re still working with insurance and others to sort out the mess, get the laptops replaced and head back out on the road. I will be posting a complete run-down of what happened, what we did well, what we learned and how we are going to improve. I’m also following the advice of my book – and will be publishing a set of requirements and inviting participation as we all learn smarter ways to protect ourselves. This will hit home for small businesses and those who travel a lot. 

I am confirming some exciting opportunities this week and next – and should be back out on the road within the next 10-15 days. The theft slowed us down a bit, but has not stopped us. Not one bit. Thanks for your continued support and help!

Join me on Friday – September 19^th – at 2pm ET (11am PT) for Catalyst Live! – a live chat hosted by Michael Santarcangelo. This week, we look deeper into my recent freeware experience and welcome Dave Cole from Symantec to the call.

I’ll be monitoring twitter and the talkshoe client during the call, allowing us to field live calls, chats and instant messages. Participate in the conversation!

Join In!

Join the conversation on TalkShoe by using the spiffy browser-only client. For the more adventurous, check out the shiny TalkShoe Pro Java client.

To listen and join in – including to ask questions and engage in the conversation, launch your browser an click here: http://www.talkshoe.com/tc/25233 on Friday at 2pm ET.

Call in on regular phone or VOIP lines: dial (724) 444-7444 and enter the talkcast ID, 25233.

Martin McKeay and I are evolving the Security Roundtable: we’ll be recording every other week at 7 am Pacific/10a Eastern on Saturday mornings. And we’ll be streaming the recording live (http://hak5radio.com:8000/srt.mp3.m3u), opening a chat session and encouraging more bloggers and podcasters to join us.

Our goal is simple: keep the program simple, under an hour and relevant while blending together the voices of the community. This is also an opportunity for members of the community to participate through segments. Rather than have a larger, static “panel” of people, we’re exploring more voices, shorter segments and more interactive. We’d love to know what you think, what you want to hear and if you want to be involved.  

While we consider this recording to be an experiment – it is a show where I learned from the conversation. In fact, I look forward to listening to it again. Our guest for the show is Marc Massar, Principal Solutions Architect at Venafi. I had interviewed Venafi previously (and liked their approach) and was happy to welcome Marc to the program.

Our rules are/were simple: no sales pitch. Marc didn’t need the rules – he’s got a solid background and jumped right into a meaty discussion about the industry and how we can improve our solutions.

Security Roundtable for September 13th, 2008

The next SRT will be recorded on September 27th, 2008 at 7:00 a.m. PDT.  I’ll be in Las Vegas – so for me, it will actually be nice and early (and I’ll find some Mountain Dew before we start – MD should sponsor me!).

Join me on Friday – September 19^th – at 2pm ET (11am PT) for Catalyst Live! – a live chat hosted by Michael Santarcangelo. This week, we look deeper into my recent freeware experience and welcome Dave Cole from Symantec to the call.

I’ll be monitoring twitter and the talkshoe client during the call, allowing us to field live calls, chats and instant messages. Participate in the conversation!

Join In!

Join the conversation on TalkShoe by using the spiffy browser-only client. For the more adventurous, check out the shiny TalkShoe Pro Java client.

To listen and join in – including to ask questions and engage in the conversation, launch your browser an click here: http://www.talkshoe.com/tc/25233 on Friday at 2pm ET.

Call in on regular phone or VOIP lines: dial (724) 444-7444 and enter the talkcast ID, 25233. 

Check it out here: http://www.talkshoe.com/tc/25233

The first episode is going to deal with the question: Is Freeware Really Free? and will feature special guest Dave Cole from Symantec.

This is an opportunity to discuss, live, some research findings I will be sharing this week, as well as engaging in good conversation. I look forward to speaking with you on Thursday!

Whether responsible for security awareness training — or just interested in communicating more effectively, the PCS series is designed to bring insights that get people thinking differently about protecting information.

This month James Costello and I break down – in less than 20 minutes — how to use Pop Culture references and examples to explain two simple security concepts: trojan horse and social engineering.

Time is tight – so we work fast to get rid of the boring and plain ways to explain concepts and share the insights we use to connect with people and make a difference. Listen, learn and contribute!

Direct Link: TSC-20080716.mp3

Call for challenges

 Email us at: popculturesecurity **SHIFT2** securitycatalyst [dot] com

 Phone number is 206-350-8346

== Detailed Show Notes After the Break ==

(and by detailed, I mean… wow. Detailed – Thanks to James for pulling the links together!!)

On this episode

5 Critical Life Lessons your can Learn from Kung Fu Panda

http://www.dumblittleman.com/2008/07/5-critical-life-lessons-you-can-learn.html

 

The Trojan Horse

•       Defined:  Wikipedia – original Trojan Horse – http://en.wikipedia.org/wiki/Trojan_horse
•       Wikipedia -Trojan Horse in computing:  http://en.wikipedia.org/wiki/Trojan_horse_(computing)
•       Dictionary.com – http://dictionary.reference.com/search?q=trojan+horse&x=0&y=0
•       Whatis.com – http://searchsecurity.techtarget.com/sDefinition/0,,sid14_gci213221,00.html

Examples:

Ocean’s Eleven – not the good one with Frank Sinatra, the remake with George Clooney

•       IMDB link – http://www.imdb.com/title/tt0240772/
•       NetFlix link – http://www.netflix.com/Movie/Ocean_s_Eleven/60021783?trkid=222336&lnkctr=srchrd-sr&strkid=1922003599_0_0
•       Trailer – http://www.imdb.com/title/tt0240772/trailers-screenplay-vi1822294297
•       Hulu clips:  http://www.hulu.com/search/oceans+eleven?company=tbs&type=all

Example of a scene:

the container that supposedly contains diamonds sent to the vault that the acrobat is hiding inside.

 

Thomas Crown Affair (Pierce Bronson and the Hottie Rene Russo)

•       IMDB link – http://www.imdb.com/title/tt0155267/
•       NetFlix link – http://www.netflix.com/Movie/The_Thomas_Crown_Affair/22589663?trkid=222336&lnkctr=srchrd-sr&strkid=1347506257_0_0
•       Trailer (Requires Real Player) – http://www.film.com/movies/mediaplayback/the-thomas-crown-affair/17115147

Examples of scene:

Early on in the film a statue of horse is delivered to the museum.  No one knows what to do with it so it gets set off to the side.  There are several people hiding inside who break out to break into the museum

 

Monty Python and the Holy Grail

•       IMDB link – http://www.imdb.com/title/tt0071853/
•       Trailer link – http://www.imdb.com/title/tt0071853/trailers-screenplay-vi1217855769
•       NetFlix link – http://www.netflix.com/Movie/Monty_Python_and_the_Holy_Grail/771476?trkid=222336&lnkctr=srchrd-sr&strkid=784608964_1_0

Scene:  Attacking the castle the French have taken control of – Trojan Rabbit

This is an example of how some really bad malware is written – the package gets delivered before the payload is really ready and trojan rabbit will get shot right back out of the castle

 

Social Engineering

•       Wikipedia – http://en.wikipedia.org/wiki/Social_engineering_(security)
•       Dictionary.com – http://dictionary.reference.com/search?q=social+engineering&x=0&y=0

 

Examples:

Wall Street

•       IMDB – http://www.imdb.com/title/tt0094291/
•       trailer – http://www.imdb.com/title/tt0094291/trailers-screenplay-vi3554738457
•       NetFlix link – http://www.netflix.com/Movie/Wall_Street/60003330?trkid=222336&lnkctr=srchrd-sr&strkid=790572831_0_0

Example scenes:

a) talking with his buddy (James Spader), the attorney is initially reluctant to share any information, but Charlie Sheen’s character convinces him that everyone is doing it

b) posing as a janitor to gain information.  Who has access to your office when you are not there.

 

Monty Python and the Holy Grail

•       IMDB link – http://www.imdb.com/title/tt0071853/
•       Trailer link – http://www.imdb.com/title/tt0071853/trailers-screenplay-vi1217855769
•       NetFlix link – http://www.netflix.com/Movie/Monty_Python_and_the_Holy_Grail/771476?trkid=222336&lnkctr=srchrd-sr&strkid=784608964_1_0

Example of a scene:

Where Lancelot goes to the castle filled with women because of the Grail shaped light at the top

Also the women attempt to use sex to keep the knights at the castle

 

Fletch

•       IMDB link – http://www.imdb.com/title/tt0089155/
•       trailer link – http://www.imdb.com/title/tt0089155/trailers-screenplay-vi3064398105
•       NetFlix link – http://www.netflix.com/Movie/Fletch/510088?trkid=222336&lnkctr=srchrd-sr&strkid=1956738209_0_0

 

Chevy Chase/Fletch uses social engineering to obtain the information he needs – he uses disguises, voices and fake ID’s to get what he wants

 

Would you participate in a live, call-in show?

If so, send us an email!!

 

Coming Up

August: Lessons learned from Burn Notice on the USA Network

This is available, free, as a streamed series. Plenty of clips. Anyone has access and appeals to a wide audience.

•       USA Network – full episodes:  http://www.usanetwork.com/series/burnnotice/video/fullep/
•       USA Network – Clips:  http://www.usanetwork.com/series/burnnotice/video/new.html
•       Hulu – Clips:  http://www.hulu.com/videos/search?query=burn+notice

If nothing else, check out the interviews with Matt Nix. Brilliant writing!

 

September: Back to School Edition

Thinking about School of Rock and Back to School and maybe Summer School thrown in for giggles. Got ideas? Want to be part of the show?

 

Movie to watch this month for ideas

Social Engineering – Defcon last year – our friend Mike Murray presented The Science of Social Engineering: NLP, Hypnosis and the Science of Persuasion – available on Google Video here:  http://video.google.com/videoplay?docid=-1210687204734530548&hl=en

(and no, he didn’t “persuade” us to include this. It was the Jackson he slipped us)

 

Call for challenges

 Email us at: popculturesecurity **SHIFT2** securitycatalyst [dot] com

 Phone number is 206-350-8346

  ]]> http://www.securitycatalyst.com/2008/07/security-catalyst-show-pop-culture-security-edition-july-2008/feed/ 0 catalyst,monty python,PCS,pop culture security,social engineering,thomas crown affair,trojan horse Whether responsible for security awareness training -- or just interested in communicating more effectively, the PCS series is designed to bring insights that get people thinking differently about protecting information. Whether responsible for security awareness training -- or just interested in communicating more effectively, the PCS series is designed to bring insights that get people thinking differently about protecting information. This month James Costello and I break down -- in less than 20 minutes -- how to use Pop Culture references and examples to explain two simple security concepts: trojan horse and social engineering. Time is tight - so we work fast to get rid of the boring and plain ways to explain concepts and share the insights we use to connect with people and make a difference. Listen, learn and contribute! The Security Catalyst no http://www.securitycatalyst.com/2008/07/the-july-security-rountable-is-available-battling-botnets-with-botnets/ http://www.securitycatalyst.com/2008/07/the-july-security-rountable-is-available-battling-botnets-with-botnets/#comments Wed, 09 Jul 2008 14:51:31 +0000 Michael Santarcangelo http://www.securitycatalyst.com/blog/?p=473

Complete details are available here: http://www.securityroundtable.com/2008/07/security-roundtable-for-july-2008-battling-botnets-with-botnets/

The discussion ran a bit longer than we alloted, yet even on our review listen proved worth every minute. We raised some interesting questions and look forward to sharing the conversation with you. This is only the beginning and we invite you to share your ideas, insights and feedback in the Security Catalyst Community. 

 

Thanks to the panel:

• Colin Dixon | http://www.cs.washington.edu/homes/ckd/
• Andrew Hay | http://www.andrewhay.ca/
• Martin McKeay | www.mckeay.net
• Michael Santarcangelo | www.securitycatalyst.com & www.intothebreach.com

Joining the conversation in the Security Catalyst Community

Share your ideas in the Security Catalyst Community. Your participation is your currency (means no charge to join) – the more you contribute the more you learn and the more valuable the community becomes to everyone (so dive in and share). If you have not yet registered, please remember to use firstname.lastname as the standard.

So when Martin McKeay and I were “chatting” online Tuesday night, he popped in with “Hey – no pressure, but do you want to cohost tonight?” It took about a minute to decide. He shared some links to stories to talk about and I took 30 minutes to read them and write down some ideas – and then boom – we recorded.

I really enjoyed the conversation and was really amped at the end. It took me a while to get ready for bed – my mind was still engaged. I hope you have a similar experience when listening!

Find the show notes here: http://netsecpodcast.com/?p=48

And the direct link to the program here: http://media.libsyn.com/media/mckeay/nsp-070108-ep110.mp3

 

(PS: I hope you still chose to listen to the programming on The Security Catalyst; however, somewhere in the feedchange, we seem to have confused iTunes. If it doesn’t look like we have new shows – you may want to unsubscribe and resubscribe.)

If you believe the Jericho Forum has called for the end to firewalls, then you need to stop what you’re doing and take a listen to this month’s Security Roundtable.

After attending an interesting discussion during RSA, Martin and I invited the Jericho Forum to join us at the roundtable to talk more about what Jericho Forum is, an what it does. We learned a lot and share the discussion with you…

Joining us on the program:

 

• Michael Santarcangelo - The Security Catalyst and author of Into the Breach
• Martin McKeay – Host of the Network Security Podcast and Captain Privacy
• Chris Hoff - Luminary and Jogger
• Paul Simmonds (bio below) – Co-Founder Jericho Forum
• Shane Buckley (bio below) – CEO Rohati Systems

 

 

Learn more about Jericho Forum: http://www.opengroup.org/jericho/

 

 

Paul Simmonds, Co-founder and board of management Jericho Forum  & former CISO, ICI
Until May 2008 Paul Simmonds was the CISO at ICI (www.ici.com). Paul’s varied career has included Electronic counter-measures, Theatre Lighting, North Sea Oil control systems, JET (Nuclear Fusion Research) and commercial radio. Prior to joining ICI in 2001 he was Head of Information Security with a high security web hosting company and before that spent seven years with Motorola, as global information security manager. 

Paul was awarded European Chief Security Officer of the year at the 2005 SC Magazine Awards and is listed in both the 2004 & 2005 global top 50 most powerful people in networking by the US publication Network World.  Paul sits on the management board of the Jericho Forum and the Executive Advisory Board of ISSA UK. He also is a British Canoe Union Level 3 Kayak Coach.

 

Shane Buckley, President & CEO, Rohati Systems, Inc.

Shane Buckley is the President and Chief Executive Officer at Rohati Systems, Inc. Buckley comes to Rohati with more than 20 years of global executive and general management expertise, having held senior executive positions in the United States, Europe, the Middle East and Asia-Pacific.

 

Before taking the helm at Rohati, Buckley served as Chief Operating Officer at Nevis Networks, Inc. a leader in network access control. Previously, he was Vice President of Worldwide Enterprises for Juniper Networks. Prior to that, he served as the International President of Peribit Networks, the leader in Network Optimization. Juniper Networks purchased Peribit in June 2005 for $380M. Before Peribit, Buckley served as Chief Executive Officer of Conduit Software, a provider of Directory Assistance and Wireless Applications solutions. Previously, he was Vice President, EMEA at 3Com. In this role, he managed a $2.2 billion business unit and was responsible for 3Com’s distribution strategy, OEM partnerships and reseller channels. Buckley also chaired 3Com’s Global Distribution Council, was a member of the company’s worldwide OEM steering team, and served as 3Com’s head of operations for the Asia-Pacific Region based in Hong Kong and Tokyo. 

 

Buckley is a frequent speaker at high-level industry trade shows and events such as Gitex, CeBIT and The Wall Street Journal Europe conference. He has also contributed to a number of magazines and news programs including MSNBC, SABC and Middle East Business news. He holds an engineering degree from the Cork Institute of Technology in Ireland.

 

This podcast is based, to a large extent, on the work James did in preparing for and delivering a peer to peer session at the RSA conference this year. While sitting at Mel’s the morning of his presentation, we enjoyed a conversation about the topic that kept on going, and immediately decided the best way to extend the conversation and build on his efforts was to produce a monthly program.

For our first piece of Pop Culture to use as a reference point to better explain security, we selected Night at the Museum – a comedy with Ben Stiller that is currently (or was) running on Home Box Office (HBO). 

Movie at IMDB (including synopsis): http://www.imdb.com/title/tt0477347/

Movie Trailer: http://www.imdb.com/video/screenplay/vi2459500825/

This movie held many lessons for those responsible for security in addition to providing some excellent examples for us to anchor our points to. We will work to keep the program short, informative and useful – especially if you are interested in building a security awareness training program that works!

To participate in the monthly challenge:

• call  206-350-8346 and leave us a message with your challenge
• email popculturesecurity &at& securitycatalyst dot com

 

PS: I recently purchased a snowball microphone in an effort to streamline my audio programs and preserve quality. So far, I am disappointed with the quality of the unit – and feel that my sound is hollow and tinny; as such, I’ll be exploring how to restore the sound quality I appreciate in the coming days. The challenge is capturing sound in a way that works with Skype for many of this interviews, but is still portable. If you have experiences, ideas and suggestions for something functional, portable and reliable – shoot me a note. In the meantime, enjoy the programs. More to come next week, with an “Author Interview.”

It was disclosed last week that a vulnerability in the OpenSSL packages used by debian systems contained a flaw where random numbers were not actually random, paving the way for another attack vector.

Plenty of specific details and analysis can be found in different places, including:

http://wiki.debian.org/SSLkeys

http://www.us-cert.gov/cas/techalerts/TA08-137A.html

http://www.kb.cert.org/vuls/id/925211

http://secunia.com/advisories/30220/

For many, this signals the fire-drill of reaction and patching — just in time for a big holiday weekend (aka the “start of summer”) here in the United States.

Just days before this was announced, I was introduced to Venafi (as a direct result of my press pass at RSA). During the conversation, I realized they really own the niche of Systems Management for Encryption. As we shared a lively and informative conversation, I was reminded that SSL is not just something we stick on web servers; it goes deeper and wider in many enterprises today. As soon as you have to manage many of these encrypted connections, the process gains some complication – and is ripe for error. Step in Venafi.

When the debian vulnerability was announced, I immediately asked if Venafi would be willing to share some insights about how organizations should be handling this issue. This is bigger than patching (remember code red?) – and I wanted a discussion that provided insights into how to manage this in a way that brought immediate results but also good long-term gain.

During this program, Paul (from Venafi) and I start by exploring how to engage business users in the conversation. We progress to tactical and strategic ways to address this challenge while realizing this is an opportunity to make some improvements that bring better future results.

It comes from planning and following a process informed by experience – and we’ll share the insights with you in 30 minutes or less!

In the wrap-up, I suggest following the approach of plan-do-review, outlined in this podcast: http://www.securitycatalyst.com/blog/2008/01/31/the-security-catalyst-show-plan-do-review-your-way-to-success/

Tune in next week for the debut of the Pop Culture Security podcast – your monthly “how-to” for Security Awareness Training.

RSA carries a lot of hype. Now that the conference is over, Martin and I wanted to go beyond the hype and invited a panel with mixed experience to share with us their impressions, opinions and lessons learned. During this SRT, we cover the role of bloggers as media, the *real* value of RSA and a whole bunch of other interesting issues and perspectives.

I also share, near the end, what I thought the theme should have been. Thinking about it now, it is a good choice for next year, or even for a SCC conference!

This marks the return of the SRT. We already have the June SRT recorded — a great show with the Jericho Forum, dispelling a lot of myths and providing some good insight into how they are helping to drive change in the industry. In July we’ll tackle the issue of using botnets to fight botnets and August will revisit a topic raised during the May SRT — the responsibility of security bloggers and the role of new media.

Happy Listening.

 

 

In this podcast, I share a simple and powerful concept that can be applied to anything you do: PLAN – DO – REVIEW

I first learned about PLAN – DO – REVIEW a few years back when it was time to learn about nursery schools, and one of the schools followed the HIGH/SCOPE method. Curious, I went to explore and learn more. Since then, I have tested and adapted the approach for my own use – with excellent results.

Now I share my experience with you.

Here are three links if you would like to learn more:

http://www.highscope.org/

http://en.wikipedia.org/wiki/High/Scope

http://www.perpetualpreschool.com/highscope/highscope_info.htm

Brian takes an approach with secure programming that is similar to the approach I follow when assessing and implementing awareness and training programs. So whether you are a developer or not, you will change the way you protect information by listening to Brian!

What I took away from my conversation with Brian
After reflecting on our conversation (I explain more during the podcast), here are the top five points I took away:

1. Introspection is important when looking to protect information. To me, this also means we have to stop blaming and looking to assign blame. We can look within, take (and encourage) responsibility and find solutions.

2. Trust is paramount. We have to find ways to establish and maintain trust, offline and online.

3. We need to develop processes and tools to support our experts in a way that naturally engages them and encourages their participation in information protection.

4. New processes, new learning and new tools require an initial investment (time, money and resources) that may sometimes seem sizeable – but the savings are realized rapidly and bring long-term positive benefits.

5. In security, we need to stop griping and learn to be good coming from behind. It’s okay, and we can do it.

What did you take away from this conversation? Send me an email: securitycatalyst@gmail.com, or better yet – join us in the security catalyst community – www.securitycatalyst.org and share your insights with others.

Information and Links

Brian Chess, Ph.D., Founder & Chief Scientist

http://extra.fortifysoftware.com/blog/bloggers.html

Dr. Chess’s research focuses on methods for creating secure systems. He received his Ph.D. from the University of California at Santa Cruz, where he applied his background in integrated circuit test and verification to the problem of identifying security errors in software. In addition to authoring numerous patents and technical papers, Dr. Chess has more than ten years of experience in the commercial software arena, having led development efforts at Hewlett Packard and NetLedger.

Secure Programming with Static Analysis

http://www.amazon.com/Programming-Analysis-Addison-Wesley-Software-Security/dp/0321424778/ref=sr_1_1?ie=UTF8&s=books&qid=1196292147&sr=8-1

Blogging with Brian Chess

http://extra.fortifysoftware.com/blog/

Serving Your Needs
I thoroughly enjoy researching and producing these podcasts – and looking forward to getting back into a programming schedule with a bit more regularity. I’ve also been impressed with the Talk Shoe service, and considering hosting more podcasts through Talk Shoe so you can listen in live.

Let me know if you would listen live and participate if we made that an option, and who you would like to share a conversation with by sending me a note: securitycatalyst@gmail.comAs always, thanks for the gift you give me by listening. If you liked the program, tell a friend. If not, tell me!

My belief is that in order to protect information, we have to support the individual – and make it easier for them to do their job. By learning more about how virtual teams fail, we can learn how to avoid mistakes and build stronger and more effective collaboration opportunities – where people can do their jobs while taking responsibility for protecting information. By absorbing this research, you may also learn how to work more effectively on your own virtual teams.

After our interview, I share the top five things that I learned about nurturing and protecting virtual teams. I invite you to sit back, listen, learn and contribute. I’m happy to keep the conversation going in the security catalyst community.

Background: Bring new knowledge to the field of work team behavior
A group of five graduate students (Robert Darling, Cari Endicott, Lisa Fratino, Matsuno Inoue, and Ellen Snydman) from the Carey Business School of Johns Hopkins University participating in a team building course under the leadership of Dr. Robert Pernick were charged with bringing new knowledge to the field of teaming.

This group elected to research the world of virtual teaming, and in doing so, found that here is a great body of literature on what makes virtual teams successful, but little written about what causes them to fail or become sub-optimized.  The team’s first research effort was to conduct structured interviews with a group of virtual teaming experts.

The experts interviews generally agreed that the success of virtual teams were threatened by:
•    Concerns regarding the ability to protect sensitive information
•    Lack of a single platform that provides all the tools necessary to optimize
•    The struggles of virtual communication
•    Poorly or under-trained users
•    The challenge of building trust  without the use of face-to-face communication

Overall, the experts agreed that all of these obstacles can be overcome and unless combined into the “perfect storm” are not likely to cause catastrophic failure. The experts felt very good about the work that is be done virtually and believe that the use of virtual teams will become even more prevalent into today’s global society.

The second phase of research involved the distribution of a short, online survey about virtual work.  The results of the survey are still be collected, but at this point there seems to be a great deal of overlap with the findings from the subject matter experts.  The podcast you are listening to will explore both elements of the research and will introduce yet another subject matter expert, Stu Snydman, the Manager of Digital Production at the Stanford University Libraries.

This podcast was created and hosted by Michael Santarcangelo and expertly engineered by Steve Witt. Thank, Steve!

Is there a right way to report on privacy and security breaches?

Join the Security Round Table with Special Guest Randal Schwartz to discuss this important issue.

On this episode:

Larry Pesce | Pauldotcom Security Weekly | Haxor the Matrix
Martin McKeay | Network Security Blog & Podcast
Michael Santarcangelo | The Security Catalyst
Randal Schwartz | Stonehenge