(Just to let everyone know, I haven’t forgotten about the Infosec/Professional Cooking series. I’ve been both very busy and very sick the past few weeks. I also don’t want to just put something down and post it. Since it is the last post in the series, I want to really bring the analogy together, and I’d rather hold off a bit and do it right than lose it just before I bring it across the finish line.)

(Oh, and just another quick note on terms. I know that some people out there have an issue with any use of the term “cyber.” Of all the issues out there, I think this one is perhaps the most worthless. Personally I don’t care what we call it, but “cyber” appears to have caught on and therefore I will use it until another word comes to dominate. Arguments and debates over semantics serve no purpose other than to distract us from the real issues. If you really want to debate that, let me know and I’ll start another thread for it.)

After seeing a tip from Bob Gourley about an article over at Government Computer News (GCN), I went over to read it. Bob and his blog, CTOVision, are great sources for keeping abreast of the goings-on of the federal government, especially from the National Security/Intelligence Community perspective.

The article, entitled “Cyber threat calls for flexibility in command model, general says,” offers great insight into the problem of cyber warfare as well as the general problems that everyone faces with threats from the Internet. The article is rather short, but it raises a lot of issues that would take a great deal of space to really explore.

At the risk of oversimplifying, the core issue we face with the Internet, from both a cyberwar and a cyberthreat perspective, is that it is never static. Attacks can come from anywhere and most often do not come directly from the attacker. A device or network that is safe today won’t necessarily be so tomorrow, or even five minutes from now. Now I’m no military strategist by any stretch of the imagination, but to a layman it appears that the nature of cyber warfare and cyber threats is more akin to guerrilla warfare than to a traditional battlefield.

The article discusses how the command and control structure should be established within the U.S. military to deal with the threat. It cites Lt. General William Lord, Chief of Warfighting Integration and Chief Information Officer of the Office of the Secretary of the Air Force. One of the quotes I find most telling:

“We need to operate without heavy restrictions.  There are enormous restrictions in the offensive domain.  The biggest problem isn’t the enemy, the biggest problem is us.”

There is so much contained in that short three-sentence quote that we could talk for days.

The problem is that cyberspace is both global and local. It involves both the physical devices that transmit information across the electromagnetic spectrum and the electromagnetic spectrum itself. There are physical boundaries (network, national, and international) in some respects, but in others there are no boundaries at all. Any action taken within this realm has the potential for global ramifications. Achieving cyber superiority may not be as easy and straightforward as it seems. There is a confusing array of laws and international agreements that deal with the free flow of communications between countries, and these add layers of complexity to an already complex issue.

We have hemmed ourselves in with the laws and agreements we have made, and we have chosen to operate by a code of conduct that our adversaries do not have to follow. This is how we have chosen to organize ourselves as a society, and there is no doubt that it sometimes puts us at a disadvantage when pitted against an adversary who rejects our conventions.

I don’t believe that we can ever eliminate all risk or all threats. I believe that these are just part of the world we live in. We can choose to manage them, and we can find ways to reduce them to levels with which we are comfortable (acknowledging that comfort levels can also change over time).

As the article suggests, we must above all else remain flexible in order to meet the challenges that face us. We must learn to fight the next war, not the last one.


If you are a subscriber to the Cutter IT Journal, you can check out my article in the August 2009 issue. If not, you can find out more information at the following link:



I’m also trying to get a link to a PDF version of the article and will post it here as soon as I do.


Just an FYI: I don’t earn any income from the Cutter IT Journal, so if you do decide to purchase a subscription I won’t benefit in any way from it. Basically I get a free subscription by having my article accepted for publication, and that is about it. That said, I’ve enjoyed this issue so far (aside from my article, of course), so if you do decide to purchase a subscription you will probably enjoy it.


I’m just curious what everyone thinks would improve security.

What is the best way to make companies/organizations become more secure?

  • Other (Please describe in comments) (60%, 3 Votes)
  • Increased Industry Mandated Standards (20%, 1 Vote)
  • Customer Demands (20%, 1 Vote)
  • Increased Governmental Regulation (0%, 0 Votes)
  • Don't Know (0%, 0 Votes)

Total Voters: 5


I’ll close this poll at midnight on 9/11/2009


A while back I posted a link to the Quadrennial Homeland Security Review (QHSR). The 2nd National Dialogue opened September 1st and will run to September 9th. This is another chance to provide your opinion on any number of Homeland Security concerns, one of which is cybersecurity. This dialogue has refined the original dialogue into objectives, and they are asking for our opinion in prioritizing those objectives and for feedback on how they may be achieved. I urge everyone out there, regardless of political persuasion or creed, to provide informed, constructive feedback.

You can find the second dialogue at http://www.homelandsecuritydialogue.org/dialogue2/



In the first part of this series, I began by explaining that the topic came from a reaction I had to a quote from Robert Carr, the CEO of Heartland. The underlying premise of the quote was that because Heartland was PCI DSS compliant, it should therefore have been secure. Anyone who has read this blog won’t be surprised to hear that I don’t agree that compliance can in any way be equated with how secure a network or system is or isn’t.

As I mulled this over, an analogy came to mind: Information Security is a lot like professional cooking. Part One basically set things up, and this part (Part Two) will begin the analogy by showing how standards are a lot like professional recipes. In Part Three I will broaden the image by relating what we do to working in a professional kitchen.

As some of you know, when I first graduated from college I went to culinary school. The school I went to focused on technique, and we spent every day in the kitchen learning and refining what we had learned. I went on to work in some fine dining restaurants, and while I later came to the realization that life in a professional kitchen wasn’t for me, I learned quite a few life lessons from that experience.

Getting back to the idea that standards are much like recipes, let me share with you one of the base recipes from my time in culinary school:

Mediterranean Fish Soup

(Serve with rouille on croutons)

  • Olive oil
  • Scallions – FC
  • Onion – C
  • Garlic – FC
  • Tomato – C
  • White wine
  • Fish stock
  • Fish in 1” pieces (salmon, red snapper, scallops, clams/mussels, etc.)

(FC = finely chopped, C = chopped)


That’s it. Most professional recipes are like this one; some have even less detail. If you know what you are doing, this is really all you need.

The Chef who taught me to cook was from France, and he taught us as he had been taught: no recipes, just technique. We didn’t have recipes, cook times, or, for the most part, cook temperatures. (Pastry and baking are a whole different world; to do pastry and baking you need all of those things. I’m talking about savories, not pastry and baking.) When asked how long to cook something, Chef’s response was: “Until it’s done.” When we pushed him further, he told us to start cooking and we would see.

What he didn’t want us doing was blindly following a recipe. He wanted us to think about the food: how it was cooking, what was happening in the pan, how this flavor blended with that one, how they blend differently depending on the cooking technique being used, and so on.

By teaching us technique he was developing in us the skill to understand how different ingredients interact to create a dish. We could then experiment to create our own dishes (later, outside of class, of course).

Now standards (such as PCI, HIPAA, GLBA, FISMA, DIACAP, etc.) are very much like professional recipes. Some have more detail than others, but they are a basic set of instructions, and all of them assume a certain baseline of knowledge to make heads or tails of them. It takes someone with skill to apply them if they are going to result in something. And by something I mean a soup so memorable that it brings you back to the restaurant time after time.

Take the above recipe. If you throw everything I listed into a pot and cook it, you’ll end up with garbage (much like blanket-applying a standard or a baseline set of controls). The vegetables will take longer to cook than the fish. Some fish will take longer to cook than other fish. So you could end up with a soup of overcooked, mushy vegetables and fish that ranges from overcooked to raw.

Here’s the thing: you followed, or rather were “compliant” with, the recipe, but you still ended up with garbage (or at least not something worthy of a fine dining restaurant). Sound familiar?

Put this recipe in the hands of a trained, experienced cook, however, and you will have something. (WARNING: minor digression here. We throw around the term “Chef” too loosely in this country. There is really only one Chef in a kitchen; everyone else is a cook. IMHO, you must earn the title “Chef” and shouldn’t get it just because you put on a white jacket and stand next to a stove.) A trained, experienced cook will take the finely chopped scallions and the chopped onion and sweat them down in a little olive oil. Just as they become tender and translucent, the garlic goes in for a minute or two, so that it doesn’t burn. Next in goes some chopped and seeded tomato. This is cooked down until the pan is somewhat dry but the tomatoes are still moist. At this stage you’ll need to keep your eye on the bottom of the pan. You are looking for a little caramelization of the sugars from the scallions, onion, garlic and tomato, but don’t burn it. As the caramelization occurs, add some white wine to deglaze the pan. When that has cooked down to almost nothing, add the saffron, followed by the fish stock and some fresh thyme.

Now you have your fish soup base. To this you will be adding several types of fish and shellfish. The problem is that even though you cut them all to the same size, they won’t all cook the same; some will take longer than others. Here is where experience comes in again. What some cooks do is, once they have a huge pot of the base, take a cup or two of it and put it in a smaller pot or pots. They use these pots to cook the fish to order and return the cooking liquid to the soup base after each go. That means the base picks up the flavors and oils from the fish and actually gets better throughout the night. The base is kept at a simmer all night, so you can quickly cool it down and refrigerate it for use the next day as well.

Now in this analogy the cook was able to use the elements of the recipe to create a pretty good basic fish soup. Can you alter the ingredients to create something else? Of course you can. You can substitute shallots for the onions and some of the garlic. You can add leeks or other vegetables too, and you would treat them slightly differently depending upon how the soup was going to be served. I won’t go into all that here, as I’d get too far away from the analogy, but once the basic technique is learned a lot can be done from that basic starting point.

That is what standards are: basic starting points. In the hands of a skilled professional they can take us a long way towards securing our networks, but they are by no means an end unto themselves.

I’ve run a bit long on that, so I’ll wrap this up: now that we have an idea of how standards fit into professional cooking, we can move on to how managing security in a network is akin to working in a professional kitchen. That will be next time, of course.
