Tag Archives: MIRcon

Michael Chertoff: Addressing APT at MIRcon 2011

NB: The below are my notes from Michael Chertoff’s keynote speech at MIRcon 2011. They do not necessarily represent my views, and in some cases are completely opposed to my views.

The Internet was not built with security in mind, and net culture today believes that it’s inimical to how the Internet works. But we need rules of the road, just like the actual roads. We’ve seen credit card numbers stolen from Wi-Fi networks, and plans stolen from US companies to reproduce our stuff. DDOS attacks on Estonia and Georgia go hand-in-hand with hacktivism against organizations whose politics the attackers don’t like. Most disturbing is the possibility of a disruptive or destructive attack on an industrial control system or key piece of infrastructure. Stuxnet provides a good example, though he’s basing his comments on what’s been reported in the newspapers, which he’ll accept as accurate for the sake of argument. If that can be done to Iran, what can be done to the US or its allies?

So everyone’s at risk: not just the above-mentioned groups, but anyone who does business anywhere in the world. Mining companies negotiating with the Chinese found that the Chinese had been “peeking into” their systems for additional leverage. This concept can be used to attack trading or financial platforms in order to gain market advantage. If there’s a widespread belief that some folks have that advantage, it will have an overall negative impact on the performance of the entire market. The challenge is that it seems complicated and expensive to those running mom and pop businesses, who don’t think of themselves as targets of “cyber criminals” even though they are. Identifying steps they can take to reduce their risk and deal with this type of fraud is highly valuable.

There isn’t one problem; there are a whole set of problems. There’s not one piece of software or a Maginot line that will fix things, but focusing on those things to the exclusion of all else ignores other key parts of a possible solution set. Layered defense, not a single point of defense, matters, and he doesn’t just mean hardware and software. Airline security has improved tremendously despite the fact that no one part is perfect (screening, airplanes, customs, etc.).

We’re facing threats from different actors: fraud, IP theft, DDOS attacks, destructive attacks. Different groups of people pursue different sorts of objectives. Our approach to criminals centers around prosecution, although this fails somewhat for overseas attackers. Others are trying to “rob us of the birthright of our intellectual property”. So part of the solution set isn’t just arresting people (you can’t arrest nation states). You have to implement deterrence to prevent them, unlike with ordinary criminals. Nation states may have to respond at that level, rather than how we deal with criminals.

The vectors for these attacks are in three categories: over the network (the most imagined); the hardware and software in devices and systems (from fabrication of chips all the way to assembly); and the human factor (negligence or malice). Get away from the proposition that there’s a simple fix; there will never be perfect security. Concentrate on risk mitigation and risk management. You have to array all your tools against all your attackers, recognizing that not every tool works against every attack.

This requires a doctrine of cybersecurity. It has to map the landscape, the attackers, the toolset (across all possible actors, including technical, legislative, etc.). These must exist within the boundaries of the Constitution, but Congress can change specific laws subordinate to that. You won’t stop everything, so your best way of mitigating these threats is to live on the network, being aware of what’s going on and knowing what’s problematic. Information sharing also matters, particularly as we get more sophisticated about understanding our attackers. They have “tells”, including simple indicators like IP addresses and more complex indicators like particular techniques. The collection of information about these things is a critical part of building that series of layered defenses. We need to share within and among enterprises.

What role should the government play in this? Americans don’t want the government to have the same sort of control that the Chinese government has. But there are certain tools that the government has. How do we share this information in ways that don’t compromise intelligence sources and methods? There’s a unique relationship between the defense contractors and the government. Sharing exists there, but it needs to get better. In other areas, that particular relationship doesn’t exist: power grid, water grid, transportation, financial services, etc. Chertoff advocates a “private party function” for firms who understand what’s going on in many clients and can then provide information. This could include, not just addresses and signatures, but techniques. It’s about people, not just bits, and it’s really a counter-intelligence problem.

How do we train people and build the architecture so it’s easier for people to comply with the rules (and find the people who aren’t)? Social engineering defeats some of the verification questions used when passwords are forgotten. Golden questions allow the user to pre-define the questions and answers themselves. Chertoff sees this as an elegant solution, and therefore a good part of the overall solution set along with the things we already do (firewalls, secure software, etc.). Leaving laptops in hotel rooms needs just as much attention, but it requires another set of solutions.

So take a counter-intel approach and focus on the human domain, not just the tech domain. The threats won’t go away, because the value is online now. The notion of destructive and disruptive tools embedded in our control systems will be an important part of warfighting in the decades to come. Intelligence – knowledge about things and people – and sharing of that intel is the key tool in mitigating the risk.

Addressing my question on responding to civil liberties and intelligence failures for national defense in the cyber domain: an Internet kill switch for the President would probably not work, cause more damage, and be unacceptable. The harder issue is what the private sector can do in the area of civil liberties. Some advocate a series of different networks (like .secure that has no anonymity versus .wildwest with plenty of anonymity and no financial transactions). Are privacy and security opposite to each other? Security is an indefensible civil liberty. If the government is unable to secure our tax records, the promise of privacy there is worthless. People need to understand that, without security, they won’t have privacy. Understand that there will be a government on your network: will it be ours or a foreign government?

Naming and shaming can be counterproductive to information sharing. DHS could create a set of standards or metrics, and critical infrastructure organizations that don’t achieve them would suffer some form of disclosure. This has to be crafted in a way not to disclose that a company has had a breach but that they’ve not addressed underlying issues. Don’t penalize somebody for failure but for not trying or taking reasonable steps.

The rules are different for multinational enterprises, because their rules of the road are very different. So the entry point of a compromise can strongly affect how an investigation proceeds. In Europe, this is a challenge because protecting the privacy of one employee may put the privacy of all the other employees at risk. Europeans are historically fixated on data protection against the government and big institutions, not networks or criminals or terrorists, and they need to change.

We can’t take offense: you can’t go follow a burglar back to his house, break in, and take your stuff back. On the Internet, the attribution problem makes this particularly difficult as the hops from which you see the attacker could be a victim itself. This leads to problems with deterrence policies, since you can’t go to war every time you find a spy. But if you suffer an actual attack (disabling the power grid), you might want to respond, but against whom? This requires more discussion leading to public policy. You tend to get wars when you misread the other side, like Saddam Hussein misreading the US when he invaded Kuwait. Developing doctrine and policy in advance helps with that issue.

Tony Sager: The Future of Cyberdefense

Tony Sager joined the NSA in the mid to late 70s when it was far more secretive, with a college background in mathematics. At the time, he confused NSA with NASA because nobody really knew what it was. He went in as a COMSEC intern doing cryptography and what we now call “cybersecurity”. Coworkers joined the National Softball Association so they could get NSA caps to wear. He switched to math and computer science because the government would buy him an Apple II+. For the last seven years, he’s run the IAD focused on computer defense and vulnerability. Threats are about adversaries, but not the only part of the risk equation.

1: The optimal place to solve a problem is never where you found it. The NSA Red Team does a great job and will work with you to understand how they got in, how to stop it, et cetera. But knowing what patch to install isn’t good enough and doesn’t solve the real underlying operational issue. If you can’t manage configuration changes and patches at the enterprise, you’re doomed. But red teams can’t actually fix and redesign complex networks; that’s not their expertise. And the information you get is usually not in the optimal form to help you solve the problem. Pen test reports aren’t scalable, in other words. The purpose of red teaming is to help someone else understand and fix their problems quickly, not just to get better at it.

2: If a bad thing is happening to you today, it almost certainly happened to someone else yesterday. There aren’t really that many new things in this business. New twists and variations on a theme, certainly, but not truly new. And tomorrow it’ll happen to someone you care about. You almost certainly don’t know who the somebody is from yesterday and don’t have a relationship to share that information.

3: After you figure out what happened, you’ll notice plenty of obvious signs in your environment that would’ve helped. But you didn’t understand it to do the right analysis. The information that has that value might not be what we call cyberdefense information today, or even be accessible to the defenders. Think of VMs crashing at a much higher rate than normal, possibly because an attacker with imperfect information is trying to install something bad. Security people don’t usually see those logs because nobody sees them as defensive data. Similarly, license management can tell you if you suddenly have old versions of software running that weren’t running before. Don’t think of management tools and security tools as wholly separate. Think about how to bring the data into your analytic environment.
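An added example (not from the talk or from these notes) of treating the two operational feeds Sager mentions as defensive data: daily VM crash counts checked against each host's own baseline, and two software-inventory snapshots compared for versions that went backwards. All host names, package names, counts and thresholds are constructed for illustration.

```python
import re
from statistics import median

# Constructed daily crash counts per VM host (oldest first, last value = today).
CRASHES = {
    "vmhost-01": [1, 0, 2, 1, 1, 0, 1, 1],
    "vmhost-02": [0, 1, 0, 0, 1, 0, 0, 9],
    "vmhost-03": [4, 5, 3, 6, 4, 5, 4, 6],   # noisy, but normal for this host
    "vmhost-04": [0, 0],                     # too little history to judge
}

# Constructed inventory snapshots: host -> {package: version}.
PREV = {
    "ws-101": {"examplereader": "9.4.6", "examplejre": "1.6.0.27"},
    "ws-102": {"examplereader": "9.4.6"},
    "ws-103": {"examplereader": "9.4.6", "examplejre": "1.6.0.27"},
}
CURR = {
    "ws-101": {"examplereader": "9.4.6", "examplejre": "1.6.0.27"},
    "ws-102": {"examplereader": "8.1.2", "examplejre": "1.6.0.27"},
    "ws-103": {"examplereader": "9.4.6", "examplejre": "1.5.0.6"},
    "ws-104": {"examplereader": "9.4.6.0", "examplejre": "1.5.0.6"},
}


def crash_spikes(series, min_history=5, threshold=3.5):
    """Flag hosts whose crash count today is far above their own baseline.

    Uses a robust z-score (median and MAD) so one earlier bad day does not
    hide a new spike. Hosts with too little history are reported separately
    instead of being silently treated as normal.
    """
    flagged, insufficient = [], []
    for host in sorted(series):
        counts = series[host]
        if len(counts) < min_history + 1:
            insufficient.append(host)
            continue
        baseline, today = counts[:-1], counts[-1]
        med = median(baseline)
        mad = median([abs(x - med) for x in baseline])
        scale = max(1.4826 * mad, 1.0)       # floor avoids divide-by-zero on flat baselines
        if (today - med) / scale >= threshold:
            flagged.append((host, today, med))
    return {"flagged": flagged, "insufficient": insufficient}


def vkey(version):
    """Comparable key for dotted versions; trailing zeros ignored (1.2.0 == 1.2)."""
    parts = [int(p) for p in re.findall(r"\d+", version)]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def version_regressions(prev, curr):
    """Report packages that went backwards on a host, or that newly appeared
    at a version older than the newest one seen fleet-wide in the last snapshot."""
    newest = {}
    for pkgs in prev.values():
        for pkg, ver in pkgs.items():
            if pkg not in newest or vkey(ver) > vkey(newest[pkg]):
                newest[pkg] = ver
    findings = []
    for host in sorted(curr):
        for pkg in sorted(curr[host]):
            new = curr[host][pkg]
            old = prev.get(host, {}).get(pkg)
            if old is not None:
                if vkey(new) < vkey(old):
                    findings.append((host, pkg, "downgrade", old, new))
            elif pkg in newest and vkey(new) < vkey(newest[pkg]):
                findings.append((host, pkg, "old-version-appeared", newest[pkg], new))
    return findings


if __name__ == "__main__":
    print(crash_spikes(CRASHES))
    for finding in version_regressions(PREV, CURR):
        print(finding)
```
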

The future of cyberdefense is an information and action problem. Think about the movement of information from place to place. Only two kinds of people survive in this business: incredible cynics or hopeless optimists. Sager is the latter but knows that the problem has gotten worse, not better. The bad guys have a better business model than we do, better information sharing, adapt more quickly to new technologies, and have very high efficiencies: a very tight OODA loop. In theory, we’re protecting everything all the time from everything.

The vast majority of problems are known problems with known solutions. You can possibly draw the terrible conclusion that you have lazy front-line defenders who don’t care, but think about who that defender is. Typically, he’s an underpaid tech school graduate pulled in many different directions without appropriate equipment and training. But apply the Pareto Principle: what’s the 20% of input with 80% of the output? Network hygiene, user administration, and other things that help you get control and visibility of your environment. But we’re spending 90% of our resources on that effect, which is a bad way to go. You need better automation and approaches. The 20% output, though, matters because that’s the determined adversaries like nation-states and other really bad guys. When nations compete, they cheat. So not everything is “cyber” (or IO or CNO). Lots of stuff still happens in the real world with real people. It’ll actually be a happy day when the only adversary that concerns you is a nation-state, rather than drowning in information and processes now.

In the intelligence business, they talk about needing to “look over the horizon”. We need to get there and look beyond our own enterprise, because otherwise we’ll never solve our problems. One way is to have friends outside your borders who have the technical capability and willingness to share the data in a regular, methodical way. The other way is to have an intelligence service that looks in ways not limited to yourself and your friends, forward and backward and all around.

Don’t make the mistake that the adversary is perfect. He’s kind of like us, except he’s bad. Their tools don’t appear as if by magic, but have to get developed and acquired and deployed too. If I can look and see those things happening, I can tune my defenses to what’s coming down the road. And don’t separate the two problems (80% and 20%), making them different, unique, and independent. Everybody hides in the 80% noise, so if you ignore it, then you’ll miss it. And the 80% stuff is actually pretty clever and can teach you new tradecraft, the tools and techniques that you want to know about.

When a threat intel analyst has information, how do we get it into a form and location that will make it usable to defenders? PDFs and all-upper-case DoD message formats don’t lend themselves to the uses we need them for. A human being has to take it, read it, and go through a complex process to turn that into an actual defense (e.g. write a script, deploy a new policy, etc.). Why can’t I send an open file, such as XML, to share this information and let systems process it? Think about how the information will be used and get closer to a native language for that usage. Vendor lock-in is a terrible defensive strategy, compared to standards.
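An added example (not from the talk or from these notes) of what "send an open file and let systems process it" can look like: a small XML indicator document is parsed into matchers and run over proxy log lines with no human re-typing anything. The XML schema, indicator ids, log format and every value are constructed for illustration and do not follow any real sharing standard.

```python
import ipaddress
import re
import xml.etree.ElementTree as ET

# Constructed indicator document in a hypothetical schema.
INDICATOR_XML = r"""
<indicators source="partner-example" published="2011-10-12">
  <indicator id="ex-001" type="ipv4-net" confidence="high">
    <value>203.0.113.0/24</value>
  </indicator>
  <indicator id="ex-002" type="domain" confidence="medium">
    <value>updates.example.net</value>
  </indicator>
  <indicator id="ex-003" type="user-agent-regex" confidence="low">
    <value>^Mozilla/4\.0 \(compatible; ExampleBot</value>
  </indicator>
  <indicator id="ex-004" type="mutex" confidence="high">
    <value>Global\ExampleMutex</value>
  </indicator>
</indicators>
"""

# Constructed proxy log lines: timestamp, client, destination IP, host, "user agent".
PROXY_LOG = [
    '2011-10-12T09:14:02Z 10.1.4.22 198.51.100.7 www.example.org "Mozilla/5.0 (Windows NT 6.1)"',
    '2011-10-12T09:14:09Z 10.1.4.37 203.0.113.45 cdn.example.com "Mozilla/5.0 (Windows NT 6.1)"',
    '2011-10-12T09:15:31Z 10.1.7.80 192.0.2.10 updates.example.net "Mozilla/5.0 (Windows NT 5.1)"',
    '2011-10-12T09:16:44Z 10.1.4.22 192.0.2.99 mail.example.org "Mozilla/4.0 (compatible; ExampleBot 1.2)"',
    '2011-10-12T09:17:00Z 10.1.9.5 198.51.100.8 notupdates.example.net.example.org "Mozilla/5.0"',
]

LINE_RX = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "(.*)"$')


def load_indicators(xml_text):
    """Turn the shared document into (id, predicate) matchers.

    Indicators this sensor cannot apply (e.g. host-based ones) or whose value
    does not parse are returned in `skipped` rather than dropped silently, so
    the receiving team can see what the feed contained but did not deploy.
    A feed from another organisation is untrusted input: a hardened XML parser
    (for example defusedxml) and limits on shared regexes are advisable.
    """
    matchers, skipped = [], []
    for node in ET.fromstring(xml_text).iter("indicator"):
        ind_id, ind_type = node.get("id"), node.get("type")
        value = (node.findtext("value") or "").strip()
        try:
            if not value:
                raise ValueError("empty value")
            if ind_type == "ipv4-net":
                net = ipaddress.ip_network(value)
                test = lambda ev, net=net: ev["dst"] in net
            elif ind_type == "domain":
                dom = value.lower().rstrip(".")
                # Exact host or a true subdomain; never a substring match.
                test = lambda ev, dom=dom: ev["host"] == dom or ev["host"].endswith("." + dom)
            elif ind_type == "user-agent-regex":
                rx = re.compile(value)
                test = lambda ev, rx=rx: rx.search(ev["ua"]) is not None
            else:
                skipped.append((ind_id, "unsupported type " + str(ind_type)))
                continue
        except (ValueError, re.error) as exc:
            skipped.append((ind_id, "bad value: " + str(exc)))
            continue
        matchers.append((ind_id, test))
    return matchers, skipped


def parse_line(line):
    """Parse one constructed-format log line; return None if it is malformed."""
    m = LINE_RX.match(line)
    if not m:
        return None
    ts, src, dst, host, ua = m.groups()
    try:
        dst_ip = ipaddress.ip_address(dst)
    except ValueError:
        return None
    return {"ts": ts, "src": src, "dst": dst_ip, "host": host.lower(), "ua": ua}


def match_log(lines, matchers):
    """Return (timestamp, client, indicator id) for every indicator hit."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        for ind_id, test in matchers:
            if test(ev):
                hits.append((ev["ts"], ev["src"], ind_id))
    return hits


if __name__ == "__main__":
    matchers, skipped = load_indicators(INDICATOR_XML)
    for hit in match_log(PROXY_LOG, matchers):
        print("HIT", hit)
    for item in skipped:
        print("SKIPPED", item)
```
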

Professional “bad guys” (at least those who work for the US government) all agree that a well-managed network is a hard target. Doing the core things matters: patches, visibility, appropriate change control, etc. This doesn’t make it impenetrable, but it does harden the network and force the adversary to think and plan and cheat.

They also fear uncertainty: they like knowing the specifics of the target, like its behaviors and components and people. “Defense in depth” on its own has become a crutch. Throwing another layer of defense on something ‘because you can’ adds cost and complexity unless you do it for known reasons and integrate properly with the rest of your layers. Clever attackers, like clever users, find ways around your defenses, so put them in with purpose according to a data-based model. But building this model of adversaries requires sharing information in an automated, standardized, trusted way. So how do we extend these ideas? Look at the stuff that already has standards and work off of that. Threat information has lots of rich data, though, that we want to pump into our tools and not just read.

This is the new frontier: finding and sharing threat data.

Richard Clarke: The Year of the Hack

NB: These are my notes of Richard Clarke’s talk at MIRcon 2011 and don’t necessarily represent my own views.

People are beginning to call this the “Year of the Hack”. No need to go into the details, but he believes that we should look separately at the various attackers’ identities and policy solutions. He uses the abbreviation CHEW.

1: Crime

“Cybergang” money rivals some drug cartels, billions of USD. Foreign law enforcement (e.g. eastern Europe) frequently on the take, so that the real ‘bad guys’ operate from “cybersanctuaries”. We can get the mules sometimes, but that doesn’t solve the issue. Policy solution looks like what’s been done about money laundering, so that the crime doesn’t pay. Grow the Budapest Convention into an organization with teeth, otherwise the costs will increase for banks. And while it’s fine for the banks to get screwed, they pass on the costs to us anyway.

2: Hacktivism

Personified by Wikileaks and other similar groups. Hacking because they believe in cybersecurity is like shooting people because you believe in gun control.

The other group believes that there should be no secrets (unless it’s their own secrets). Overclassification is a real problem, but the Foreign Service has done a good job. The cables aren’t revealing nefarious stuff like if this had happened in the 1970s. The cables should never have been revealed, and the Army should never have allowed a private with a questionable background to have access to these data. The DoD facility where he sat had technology to detect and prevent this stuff but it wasn’t installed and operational.

3: Espionage

A cancer that is destroying our economy. We do it, too, but against foreign governments to protect ourselves. The US doesn’t spy on private corporations and research labs to steal proprietary information for competitive business advantage. The WTO should have written rules about what can and cannot be done via espionage. There are rules about intellectual property, albeit often disregarded. China (primarily) has hacked its way into every corporation it can find in the US, Asia, and Europe, sucking out petabytes of data. Even if data isn’t secret research stuff, they will auction off the data (e.g. transactional data and business plans to international competitors).

The attacks are frequently successful and not noticed, so companies believe they haven’t been hit. In the meantime, a factory in China looks just like theirs and produces stuff just like theirs. And the Predator drone plans were stolen years ago, so the Chinese have the “Flying Dragon” drone that is just like it. In a nation with high labor costs, the only way to compete is through knowledge and innovation. Take that away and we can’t compete.

The technology and systems need to catch up. We need a plan to deal with the “cyber-rape” of our time. The Chinese will never stop until we penalize them somehow, either overtly (sanctions, etc.) or covertly. We’re not doing either.

4: War (cyberwar)

Something we’ve never had yet. It’s not hype; if it weren’t real, we wouldn’t have a 4-star general running Cyber Command and the Navy’s 10th Fleet that has no ships.

We’re talking about blowing up the same things in society that we traditionally blow up with missiles: telco facilities, power generators, all communications. We can also do it from data centers in Nevada and Maryland, like the Russians DDOSing Estonia or Georgia.

Then there’s Stuxnet. (China’s not the only country stealing digital certificates.) It looked for very specific sorts of SCADA operating systems, and when it found one, it looked very closely at which particular version and deployment it found. 1000 of the Iranian nuclear centrifuges were physically damaged so badly that they had to be removed and replaced, but without using B2 bombers.

The code is available now, as it didn’t actually wipe itself. People can modify and redeploy it to attack other SCADA systems, including inside the US. Someday, someone will attack us this way. It doesn’t even have to be a nation state like Iran. It could be some “nutcase group” that gets its hands on attack software. Cyber Command defends .mil and .gov but not .com. DHS can offer assistance, but companies have to defend themselves.

This is like asking every company in the Cold War to mount their own anti-air defenses against Soviet bombers. But Washington thinks any new government regulation of any sort is a bad thing. Until regulations require ISPs to filter packets and SCADA systems to disconnect from the Internet, none of these things will happen.

MIRcon notes

'Bitter tears' by Crystal Joseph Olesh

I’m all up in the mindmapping, so I took all my MIRcon notes that way. However, since the resultant readability is sort of equivalent to 4chan for the uninitiated, I exported it to Google Docs in outline form.

If you’d really like the .mm file for use with Freeplane or Freemind, let me know.

I can haz MIRcon?

TLDR: Ninjas and beer. And security lulz.

Nothing livens up a beautiful fall day more than a bunch of geeks and suits sitting in a DC hotel meeting room talking about finding evil. Who doesn’t live for that sort of thing, amirite? So Mandiant decided that they’d get a bunch of incident response types in a room for two days, throw out some coffee and notecards and a projector screen, and see what happens.

'XIX Party Conference' by fotofreq

After having recovered from the beer tasting, intense questioning of product managers, and the ALDS (let’s go Rangers!), I can tell you that we haz moar ideaz than Taylor Swift has fashionable shoes. And that’s a lot, so some of this stuff will get a Killswitch Engage-style breakdown in future blog posts.

Kevin Mandia looks kind of like Nathan Fillion in a suit. He has nice hair, a rugged jawline, and a never-ending idiom factory lodged somewhere between those two things. (He should definitely get Captain Mal to play him in “Mandia: The Man, The Myth, The Legend”.) His keynote speech put all of these on display, and we learned that a greenish-yellow Global Threatcon Severity Indicator means we’re all gonna die, man, game over.

Mandia-Fillion

Separated at birth?

Once we moved on to the panel discussion, things started to liven up. Well, that’s not true. The panel tried to stay away from too much management-speak (yeah, you know what I mean). For example, they talked about visibility and authority for incident response: how do you know if you’re compromised? What happens when you realize you are? You probably won’t reach a 100% solution, so shoot for achievable goals. I mean, I’m really happy for your incident response program, and I’m gonna let you finish, but GE has one of the best CIRTs of all time. OF ALL TIME!

Ahem. So your best threat intel might not come from your sekrit friends in the Illuminati^W military-industrial complex^W^W^W defense industry or critical infrastructure ISAC. Your best intel might come from the cases you’re already working. Pull on the threads you already have, see where they go, and soon your sweater will be undone.

'Loose Threads' by Chris Luckhardt

Then the sparks started to fly. Let me tell you, I thought GE and BAE were in a cage match (“two corporate security directors enter, one corporate security director leaves”). Richard “GE” Bejtlich got all Courage Wolf on us: neutralize the threat, take out the bad guys, RAWRAWRAWR! Then Ron “BAE” Davis was all about “hmmm, maybe that’s a bad idea, you could get the wrong person or go to jail”. And we were all, “ooooh, he TOLD you!” in the audience, and GE was all “ORLY”, and BAE was all “YA RLY”, but then they all smiled and reminded each other that we’re the good guys after all. And we all had ice cream with cherries on top. It was nice.

Michael Graven from Mandiant came up next on behalf of an “anonymous” customer to talk about tool integration. I’m going to call them “Anony Moose” from here on out. See, Mandiant is really proud of this technological terror they’ve constructed called Intelligent Response. It has a RESTful API that spits out well-defined XML and lots of other cool-sounding 2.0 kind of stuff. Anony Moose (wonder if they were in the room at all? nah, too obvious… OR IS IT) has a SIEM that automagically generates trouble tickets when it detects, er, trouble. In paradise. Or something.

So these tickets live in Request Tracker, which has a RESTful API. See some potential there? I guess Anony Moose did, too. They took off for every zig and matched the two of them up. I hear several steps and boxes with holes were involved. And when a ticket comes in, the system reaches out and touches someone^W the target system to gather lots of volatile data like ports, processes, recent audit logs, and all the sorts of things that a super-smart sekrit security agent will want to know. Good stuff and I bet it saves them time so they can kick back in their Fortress of Solitude, laughing at the evildoers stymied by their most excellent planning.

The next talk had ninjas. No, not real ninjas, because we couldn’t have seen them. And since ninjas just flip out and kill people, I’d be dead already. But these were malware reverse engineering ninjas, which is pretty sweet even if it isn’t Real Ultimate Power. They talked about generating Indicators of Compromise, which is how you can talk about targeted malware without actually giving it up to the antivirus vendors and getting useless MD5 hashes and registry key indicators. They do some awesome behavioral analysis in addition to standard sandboxing and static analysis. They can even look at DLL-based malware, and rocking that ain’t easy. When they get super-smart sekrit security agents who find this stuff in the field, then they tear apart the malware until they find the plans. I mean, uh, how it works and how to identify all variants.

'The Urban Ninja' by Tyson Cecka

After we had coffee to clear our heads from the sheer unmitigated awesomeness that was hex dumped assembly code in a screen magnifier, a panel discussion on information sharing ensued. Now, see, everybody wants somebody to love, and if they can’t get that, they at least want somebody to share their interest in a secure operating environment for truth, justice, and the Internet way. This leads to trust issues, because the first rule of the advanced persistent threat is that YOU DO NOT TALK ABOUT the advanced persistent threat. Though I suppose that’s only unless you have clearance, in which case you totally DO talk about the advanced persistent threat.

On that note, Sandia National Laboratories scares me. They have some project where FBI agents arrest the red team and interrogate people with Borg headsets that can totally read your mind. One minute, you’re doing an incident response cyber exercise, and the next minute a man in a black suit is all, “HALLO CAN I VIOLENCE YOUR BRAIN”.

Other organizations were a little more chill. They got back on the question of trusting other folks and maybe punching them in the nose if they talk about the advanced persistent threat (see?!), but then they realized they were harshing everybody’s mellow and just said we shouldn’t share the stuff that can hurt us. And threat data never expires. At least not if you’re a defense contractor.

Ever been playing Minesweeper and, just when you think you’re about to clear it in Expert mode, get that Blue Screen of Death? It’s not all bad. We learned about how crash dumps preserve your integrity. (Apparently that doesn’t work very well on Congress’s computer systems. HEY-YO!) Normally, these dumps of the process memory space and system debug data get sent to Microsoft, but if you don’t like Steve Ballmer getting his grubby paws on your data, you can instead direct all that stuff to an internal share. And hey, maybe you can get some good forensic data out of all those dumps. If you can, then you should probably grab all the dumps and drop them in a debugger. Highly situational, but it’s better than a mudkip.

Then we had beer. It was good.

Next morning, we had a sound check with Heavy D. Not really, but Michael Graven thinks he sounds like him even though he kinda looks more like Rivers Cuomo back when Weezer made the Blue album. (Nothing but love for ya, Mike.)

MIRcon then hosted a real, actual, Man in Black. I don’t remember much except him putting on some sunglasses and asking us to look into his space pen LED. Oh, and that every investigation now relates to cyber (stop snickering, WoW players, you know that’s not what he meant). They want to get “IT” off the network, where I is “intellectual property” and T is your “treasure chest”. The FBI, or at least Assistant Director Gordon Snow, wants a culture shift so we quit putting the good stuff online where the Ebul Doers can get to it. Since the threat isn’t going away anytime soon and vulnerabilities get all the attention already, the best way to reduce your risk is to lower the value of the asset. (I assume he drives a Ford Focus, since his logic also says that the best way to keep your car from getting stolen is to drive a clunker.)

'How did that get here!?' by Purple Wyrm

Finally, Halvar Flake totally blew our minds. Honestly, he had me at “Hello, my name isn’t really Halvar Flake”, but then he set the hook when he went straight into “approximate maximum subgraph homomorphisms”. That is, imagine you have two street maps of different scale and resolution, but they actually represent more or less the same area. You’ll want to stretch and zoom and align and twist the maps until you can see where they overlap, so you can look at your wife and be all, “I told you we weren’t lost.” And that you found new families of malware.

But then, once you cluster these maps together, you can give out different signatures that tell everybody how to match up new maps. Nobody gets the same signatures, though, because (just like eating a Reese’s Peanut Butter Cup), there’s no WRONG way to perform an approximate maximum subgraph homomorphism. See, if it’s wrong, then it wasn’t really a homomorphism after all.

And by splitting things up, you don’t actually have to talk about the advanced persistent threat. That would lead to nose punchings, and anybody who would try to punch Kevin Mandia in the nose will definitely get a “NO WAI”. And probably their OWN nose punched. Because he’s Captain Hammer.

I did sort of lie. That wasn’t the final talk. But that was the last one I really noted, because after that we had a demo of MIR. And then Mandia and Bejtlich showed us their sweet incident response kung fu auditions. “I NEVER LOSE! YOU NEVER WIN!” Then real actual computer scientists handed out the Malies (think “mallies”, not “mailies” because the latter sounds kind of sexist and could create a hostile work environment). That was a one-shot deal, but many memes died to bring us that information.

And some lawyers came on to tell us about the legal costs of data breaches, but I had a plane to catch home.

For the future, I’d just suggest averaging out start times. 10:30am one day, 7:30am the next. Let’s split the difference and keep it at 9am, because ninjas and beer and baseball (let’s go Rangers!) and early mornings don’t mix.

If you want a more serious and professional look at MIRcon, go read Greg Pendergast’s summary over at the SANS Forensics Blog. And buy him a beer, because he’s a mensch.

What Overhack covers

'Ceiling Vent' by Christina Welsh

I don’t write about management or organizational risk. I don’t write about budgeting, compliance, or buzzwords.

I do write and think about using our powers for good, not evil. Risk management matters, of course, but I don’t focus on vulnerability management, asset classification, or preventive controls. Instead, I respond to threats. I have to show up and try to find and stop the bad guys before bad things become worse things.

Actually, perhaps I could state that first paragraph more accurately and precisely. I don’t write for MBAs and I generally don’t look at the entire risk equation. Lots of other people cover that well, and I read what they have to say. Compliance only matters when I want to get somebody else to do the right thing. If you do the right thing, you’ll end up compliant (even though it might cause some pain in the meantime). And I don’t do buzzwords, but I definitely do memes. ROFLcopter and Courage Wolf have a lot to teach us all, mkay?

Future posts already in the pipeline touch on topics like MIRcon, active defense, the slow and deserved death of antivirus, approximate maximum subgraph homomorphisms, and the intersection of civil liberties and human rights.

kthxbai