Presumpscott

Be Well, Do Good Work, Have Fun and Keep in Touch (BW, DGW, HF, & KIT)

Maine Information Security Professionals: Building a Community

without comments

Last summer the IT community in Maine had a shock. The Info Sec User Group that was sponsored by Tech Maine was orphaned when that organization went away. Making a personal decision that the IT security community in Maine still needed a venue for networking and mutual support, a few others and I set out to keep the community alive. This entailed time and small expenses on my part to help the renewed “Maine Information Security Professionals” group re-emerge onto the scene.

Leveraging the no-cost avenue of LinkedIn and starting with the email list of past attendees, the other volunteers and I have managed to keep the group going and help it thrive. Our definition of members is pretty loose. We are now hovering around 140 members based on the LinkedIn registrations. Once each month we get about 30 attendees for our evening presentations. There is also an email list; at last count it held about 120 addresses.

Through the generosity of leaders in our community we have had valued access to meeting space and pizza. Door prizes of technical books come from the generosity of O’Reilly Media. Our monthly meetings have been made up of individuals in our community who want to share something important to them, based on their own experience. That is a very strong indicator of the depth of support this group has achieved over the past several months. That people will take the time, at no profit to them, to construct a presentation and deliver it to a room of appreciative, like-minded people is a magical thing.

Where we go next has crystallized in the past few weeks. The group has created a governing body of officers. I am the volunteer president until the summer, when we will have elections. The group is soliciting membership as an ISC(2) Affiliated Chapter. We have the necessary supporting signatures and group structure now. Once that application is approved we can grant CPE time for our meetings and events. That should be a big plus for those trying to maintain CPEs for their certifications, not just for ISC(2) certificates.

I am certain our efforts have been a success. It has felt good to be part of a community of people working to make good things happen. When I reflect on how easy it would have been to just walk away and let the group die, I know we took the right actions. We are going to keep working on the group and make improvements as things evolve. One of the things I said in our initial organization meeting last fall was that making the group a success required just one thing: we had to put on presentations that would be of value to our members. So far we have managed to do that with the support and cooperation of many members and supporters. As we move into a new phase for the group I see its value growing each month.

This summer the group will vote on officers for the 2012-2013 cycle. The temporary volunteer officers have deferred some decisions. Once the full-time officers are selected they can make decisions that may have profound impacts for the group. Once we are through that transition, the success of the group should know no bounds.

Written by bloggy

April 14th, 2012 at 4:38 pm

Posted in tech

Personal Review of “Driving Technical Change” by Terrence Ryan published by Pragmatic Programmers

without comments

Terrence Ryan has provided a worthwhile volume for my bookshelf. This was a book that was easy to read and absorb valuable lessons from. True to the name of the publisher's imprint, this book is full of practical observations and advice. True to its title, the contents will help you drive technical change in your environment. The focus is on giving the reader methods of observing and responding to many of the personalities that we must deal with in IT situations in companies of all types. Anyone familiar with the work of Otto Kroeger and Janet Thuesen in their Type Talk series will recognize many of the concepts. Terrence's approach is less academic and focused on immediate implementation of tactics that lead to results. The most practical praise I can give the volume is that I have incorporated some of its methods and techniques into my approach to driving IT security changes.

One of the key takeaways from this book is that being successful with IT change requires building relationships. Nearly each approach starts from the premise that success flows from understanding the needs of others and how your solution maps to those needs and to the benefit of the enterprise. This work must be in the effort to achieve results, not intended to just inflate your own ego.

The structure the book uses provides clear sections that allow you to break up the reading into approachable blocks. The final module of each chapter, “Putting it into Practice”, is an ideal bookend. The one distraction in the book is that the examples and situations he uses for illustration do not speak to me. I agree with him that the illustrations could be transposed to many other IT situations. I just wish he had ranged over a broader set of IT examples.

The site for the book can be found here:  http://pragprog.com/book/trevan/driving-technical-change


Written by bloggy

April 14th, 2012 at 1:13 pm

Posted in tech

IT Security as Food Service

without comments

When thinking about all the IT security activities that need to get done, I like to think they can be split up into culinary analogies. Day-to-day operations is the short order cook. Project design and execution is the baker. Audit is the health and safety inspector. Consultants are the restaurant critics. Today let us consider how IT security can be compared to a short order cook. And no, I am not hungry while I compose this posting.

In IT security operations, as in a restaurant, the menu of offerings is often not well defined or strictly regulated. If you go to a Denny’s you may have something odd in your order that would be accommodated. If you go to a McDonald’s you will get something standard and consistent from one store to another. If you go to a local non-branded eatery it is possible to get something crafted just for you and different every time. Each of these types of restaurants offers service in a specific way. No single one is a correct model for every circumstance. Each one can be successful in its own right.

Each organization builds its IT security operations to meet its own needs. The best level of IT security outcomes starts with an understanding that it is a series of services. Documenting what is possible and how it gets done, by whom, and why allows the operation to focus on consistent delivery. When an operation does not understand what it needs to deliver, how it does it, and why, it finds itself in a difficult position. They did not order enough eggs to make omelets because one person put an omelet special on the menu without telling the person in charge of purchasing. There may be crates of unused peppermint coffee in the back room because that was the favorite flavor of a former manager but customers never bought it.

The chief pain point for many organizations is always the TIME it takes to discuss and reach decisions on what are often mundane day-to-day activities. When you run your day-to-day IT security operations as a service there is a dramatic reduction in the amount of discussion and delay. Each element of the offering is already agreed to. Exception processes are likewise defined. “Just get it done” becomes not a management mandate but a team objective which can be successfully and cheerfully executed. The cook making the pancakes does not have to argue with the bus-person about when the table needs to be set and cleared. When you understand what you are delivering on a day-to-day, month-to-month basis it becomes much easier to catalogue your organizational needs and focus on long-term, incremental improvements.

Running out of coffee becomes an exceptional event and not a common occurrence. Why is that? Because as a service you know what your typical and exceptional capacity needs are. You are leveraging your organizational experience to plan. You end up managing the process because the execution of the process is already taken care of.

What happens to your IT security operation if the staff changes? Does your operation essentially go out of business because the top cook leaves at the same time as the waitress? Do you have to recreate all your customers' favorite recipes because the people who knew and created them did not want to write them down?

Good IT security services grow organically but can and must be guided. Waiting to open for business until you get the recipes just right is not an option in IT or in a restaurant. Sometimes the best places have worked through tough times and shifted and adjusted to new styles, market conditions, and most of all customer feedback. Just as in the restaurant trade, IT security operations will find that if they are not adequately serving customer needs, those customers will go elsewhere to meet their requirements. IT security professionals know that frustrated customers usually find a way to circumvent IT controls when their needs are not being addressed.

In the end you don’t want your outfit to be considered the greasy spoon that no one wants to deal with. You want to be that cherished place customers love to deal with because they get what they need at a great value. Is your organization the company greasy spoon? If so, you really need to rethink the value you are providing.

Written by bloggy

February 1st, 2012 at 5:18 am

Posted in tech

What Happened to January?

without comments

Where does the time go? Not much of a conversation starter, but definitely a common issue for security people.

January was full of project kick-offs, end-of-year reviews, and intense time pressures for covering all the activities typically required in my profession. On the plus side, it has all been lots of fun. I was engaged in three days of forensics training provided by Verizon Cybertrust. That led to research on the best tools and procedures for first responders at my organization. Lots of needs, very little budget as of yet, and a cool option for something that may address both issues: the Orion Live CD from SourceForge looks like it could fill the bill. More discussion and research is needed.

The ME InfoSec group held their January meeting without me. I helped to organize the presentation on tools and techniques that are used for IT security work, but I was in Boston for the forensics training and was unable to attend. I heard many good things about the presenters and the attendance. I was hoping to present on the Distributed Reporting Tool I had developed at Unum. I am embarrassed to say that I found I did not have a copy of my final work product available, and I was not able to get a copy from Unum. I truly regret that. It represented five years of script and process development. Lesson learned: I really need to make sure the most important stuff is backed up three levels deep. Makes me want to quote Star Trek about the Starfleet engineers doing everything to nine layers of redundancy.

The Apple Store event presented by Andrew Johnson was great. I learned even more about what Apple as a company is doing to support enterprise deployments. I took my findings back to BCBSMA and discovered that the project manager I had worked with just four weeks earlier on the iOS security review was gone. Luckily I was able to connect with the new owner of the Apple deployments and pass along the information.

Working with a couple of folks planning on taking the CISSP soon has been invigorating. We plan on doing at least one six-hour practice exam in February. There is something really challenging about sitting for six solid hours and trying to get through 250 questions without a break. Practicing for those physical and psychological demands is important for being successful on the actual exam.

Written by bloggy

February 1st, 2012 at 4:30 am

Posted in tech

CPE Alerts

without comments

Wow – did some math today on my CPEs. I have been tracking but not updating my CPE efforts for the CISA and the CISSP. Nothing I did prior to June 2011 counted for the CISSP. I have 84 at a minimum for ISACA/CISA. I have 16.5 for ISC2/CISSP. I may be able to book another twenty for both by the end of the year. I have several projects underway that need to be completed and posted before the end of this year. I still want to try to keep to at least 60 a year on average, but I won’t be able to hit that number for ISC2 unless I can complete some in-flight classes by year end.


Written by bloggy

December 11th, 2011 at 5:28 pm

Posted in tech

Panel Discussion @ Maine InfoSec Pro Meeting – Career Development and Advancement

without comments

The panelists are set. The agenda is ready. The final formal announcement should go out on the LinkedIn Group later this week.

Michael Swartz – General Manager of Tilson Technology Group
Mark Aiello – CEO and founder of The Revolution Group
Mia Dow – Senior IT Recruiter at Randstad Technologies
Brad Dormanen – Director of IT at GWI

The topic is Career Development and Advancement.

Our panelists are experienced professionals with a broad range of experience in hiring and finding people for IT roles.

The location is InfoSecurus in Portland, Maine, at the new Stroudwater offices on Congress Street.
The time is Wednesday, December 14th, 6pm to 8pm. InfoSecurus has provided the space. Tilson Technologies is covering the cost of pizza and soda. The Revolution Group is offering a door prize.

It will be a fun evening of networking and discussion. RSVP through the LinkedIn group; we want to be sure to order enough pizza.

Written by bloggy

December 6th, 2011 at 5:29 am

Posted in tech

December 14th Discussion Panel Set

without comments

The panel for the December 14th Maine Information Security Professionals meeting is set. We have a great set of people for the panel. We will have pizza and soda and a door prize. I am keeping the door prize a surprise, but it is a great contribution.

We are hoping that people who plan to attend will RSVP on the LinkedIn Group. We will post the full agenda and panel members next week.

Written by bloggy

November 24th, 2011 at 1:17 pm

Posted in tech

December 14th 2011 – Mark your Calendars

without comments

I am organizing the next Maine Information Security Professionals event in Portland, Maine. I have set up a panel discussion on Career Development and Advancement. I have four committed professionals already signed up to be on the panel. The event will be held at the InfoSecurus offices in Portland, Maine, from 6pm to 8pm on Wednesday, December 14. Pizza, soda, and a door prize included. No cost whatsoever!

It will be a great opportunity to ask questions and get decent answers from knowledgeable people.

To attend, join our group on LinkedIn, “Maine Information Security Professionals”, and get in the know. Other interesting and worthwhile events are on the horizon for January and February.


Written by admin

November 20th, 2011 at 7:45 pm

Posted in tech

Info Sec Maine Rises Again!

without comments

Please join the former TechMaine Information Security User Group as we redesign and regroup ourselves in the wake of the departure of TechMaine.

There are plenty of individuals who would agree that this group provided great value to local professionals in the past. Now is our chance to regroup and determine just how we want to position ourselves for the future.

This will be an organizational meeting with a flexible agenda designed to provide direction for where the group is headed and any possible affiliations (i.e. ISC2 chapter?) that may be beneficial in taking us there.

Please join us on 11/9 from 6pm-8pm at the offices of InfoSecurus, located at:

Stroudwater Crossing
1685 Congress St., 2nd Floor
Portland, ME 04102

In the meantime, please feel free to reach out to me directly if you have any additional thoughts or questions. We hope to see you there on the 9th.

Rich Spies
Tilson Technology Management
rspies@tilsontech.com

Written by bloggy

November 3rd, 2011 at 1:00 am

Posted in tech

Good IT Security needs a Hammer and the Nails

without comments

The article below is from SANS, again. The word needs to get out. An organization with a professional IT security staff must be sure to equip those teams with both the hammer and the nails to get the job done. In the article below it is pointed out that a report on threats was published before the threats materialized. What was NOT included in the threat report was the information and direction necessary to invalidate the threat.

The nails are the threats. The hammer is the answer for how to deal with the threat. A professional IT security organization must use both. Announcing that the threat is out there without providing the executives with the solutions AT THE SAME TIME and in the same report is a disservice to both the executives and the organization.

Canadian Intelligence Agency Warned Government About Targeted Cyber Attacks
(October 31, 2011)

A year ago, the Canadian Security Intelligence Service (CSIS) issued a top secret intelligence report that included warnings of ongoing cyber attacks against the Canadian government. The report was issued in November, 2010; two months later, cyber attacks crippled Canadian government networks. It is not clear who received copies of the report when it was initially published.

http://www.theglobeandmail.com/news/national/ottawa-warned-about-hackers-weeks-before-crippling-cyber-attack-csis-report/article2219129/?from=sec434

http://spectrum.ieee.org/riskfactor/telecom/security/canadian-security-services-warnings-about-last-years-cyberattacks-apparently-ignored

[Editor's note (Paller): This type of journalistic Monday morning quarterbacking is worse than useless because it places blame on the wrong players. The CSIS report did a great job of identifying the problem, but it did not identify the 3 or 4 key mitigations that needed to be implemented immediately. So the recipients of the report got fair warning from people who understood the threat but without the threat-informed guidance that the users need. The Australian DSD faced exactly the same type of attacks and delivered to their agencies the four key mitigations that had to be implemented immediately. They are listed at http://www.cso.com.au/article/405364/dsd_wins_us_cybersecurity_innovation_award/#closeme

(Pescatore): This is one of the reasons why Intelligence and Defense should always be kept separate. Intelligence is very good at warning about many, many things but is never very good at stopping particular individual threats.]

Written by bloggy

November 1st, 2011 at 2:38 pm

Posted in tech