Tuesday, May 8, 2018


If you want to do business with the Australian government, you'll need to learn about IRAP (the Australian Signals Directorate's Information Security Registered Assessors Program). IRAP is a compliance regime designed to help secure "protected" data.

Like other compliance regimes, it's a non-trivial task to work through.


Have you been, have you been to the Land Down Under,
Risk-based rules that'll make you chunder?
Yeah, oh, yeah, I can hear the thunder
Of brains going "POP!" from walkin' to this blunder.

You ask me what I'm doing, why I'm layin' down this rap.
I'm workin' through requirements and all that kind of crap.
You think that this is easy? No, it ain't, man, it's a trap.
I'm throwin' up my arms trying to get us through IRAP.

Why you gotta ask me 'bout the color of my plugs?
What are you tryna do, decorate for Aussie thugs?
I get you should be worried how I diagnose my bugs,
But are you gonna ask me how I wash my coffee mugs?

You ask me what I'm doing, why I'm layin' down this rap.
I'm workin' through requirements and all that kind of crap.
You think that this is easy? No, it ain't, man, it's a trap.
I'm throwin' up my arms trying to get us through IRAP.

I see you wanna know we're assessin' all our risk.
Four hundred some-odd rules, dude, you know it makes me pissed.
You have to understand that I'm feelin' kinda dissed.
When this goes away? Lemme tell you, won't be missed!

You ask me what I'm doing, why I'm layin' down this rap.
I'm workin' through requirements and all that kind of crap.
You think that this is easy? No, it ain't, man, it's a trap.
I'm throwin' up my arms trying to get us through IRAP.

Monday, April 23, 2018

Frosty Assessor

Working with a good QSA can be a useful way to validate one's PCI controls and assumptions. They aren't just a speed bump toward getting your ROC. As with all things, though, there are good assessors, and there are bad assessors.

Frosty Assessor

Frosty Assessor
Was a nosy, noisome soul.
With his DSS and his calipers
And a soul as dark as coal.

Audit the people
To ensure that they comply.
If they don't, he'll know
And your biz won't go.
You'll be left outside to cry.

There must have been some documents
That covered all the things.
'Cause when he looked at evidence,
He began to dance and sing.

Frosty Assessor
Gave a passing grade that day.
Now for PCI,
And we just won't lie,
We're compliant, yeah, oh, yay!

Watch the spreadsheets go.
Through every rule he'll mow!

Thursday, April 19, 2018

I Have a ROC

I Have a ROC
(based on the Simon and Garfunkel tune)

A springtime day,
Every year so we'll remember.

I am alone.

Gazing at my Dashboard,
At responses so,
I can make sure the evidence will go.

I have a ROC!
I have compli-i-i-iance!

I have docs,
They make a stack tall and mighty!
That none may penetrate.
I have to do an audit.
An audit causes pain.
It's question after question! So insane!

I have a ROC!
I have compli-i-i-iance!

Don't talk too much.
Assessors heard it all before.
We're facing down a QSA,
And I let a quick comment
Make them ask me more.
Our processes should be enough and more.

I have a ROC!
I have compli-i-i-iance.

I have my NOC!
And my user training to protect me.
I am shielded by firewalls.
I have my AV,
Safety's watching me.
Nothing's gonna get me hacked, you'll see.

I have a ROC!
I have compli-i-iance.

And a ROC is endgame.
But at the end, I always cry.

Tuesday, April 17, 2018



FISMA is abysmal
It makes us jump through hoops.
We need a plan of action
And milestones to boot!

The OMB are meanies
And gatekeepers most dour.
The JAB keep watch unsmiling
With attitudes most sour.

We do our song and dance
For 3PAOs every year.
But they are not impress'ed
With what we're doing here.

And so we have a freak-out
A fire drill, a scramble.
We have to write a POAM
That we hope is not a gamble.

Friday, December 1, 2017

Some Subhaikuing

You've heard of subtweeting? Here is some subhaikuing.

Meanwhile, in the High Sierra

The tallest oak tree
Falls without the strongest root.
For mountains, also.

When ripe Apples fall,
We can see what's in their cores
By hitting Enter.

Even straightened roots
Can cause the mighty to trip.
Admins, tread with care.

Friday, November 3, 2017

Black Hat and DEF CON (a little late)

I had written a few thoughts on Black Hat and DEF CON that I never shared here. They are two very different experiences, and the intersection of tech, culture, and commerce left a distinct impression on me. Here are three of those impressions.

I Wish I'd Done More EE

I wish I'd done more Double-E
   Those folks have all the fun.
They solder random shit and then
   They code it 'til it runs.
They get to play with flashy lights,
   They get to plug in wires.
They mess with crazy 'sciloscopes,
   They get to tweak with pliers.
They rip apart all sorts of goods
   To find out how they work,
Then they post their hacks online:
   Part hero and part jerk!
Oh, why did I waste all that time
  With English and not math?
History just can't teach you how
  To build the future path.

I Don't Wanna Go To DEF CON

(with thanks to Elvis Costello)

I don't wanna go to DEF CON
They're all crazy there.
They pick the locks and hack the toys and
Color all their hair.
They brag about the 'sploits and 0-days.
They drink and get tattoos.
They want to free the information
And smash apart taboos.

Don't even think about turning on your wifi.
If you do you can kiss your phone goodbye.
Social engineers who try to con.
I don't wanna go to DEF CON.

They wear black shirts with skulls and crossbones.
They listen to the goons in red.
You ask a name, can't trust the answer.
Who would name their kid "TehG0dHed"?

Mobs of stinky nerds sitting side by side all
Listening to talks about shit that got fried.
Just like X-Files, you can't trust no one.
I don't wanna go to DEF CON.

Monday, May 22, 2017

One Conference - NLCyber Haiku

I attended the One Conference in The Hague recently, and seeing my European peers talking cybersecurity and Vermeer's art inspired me.

The Girl With the Perl Earring

What does she look at,
The Girl with the Perl Earring?
Your code needs review.

Beneath her turban,
Her mind races through the vulns.
She sees the exploits.

Just out of the frame,
Her lithe fingers are dancing.
She's pwning your site.

Thursday, April 27, 2017

SOURCE Boston - Stop Asking?

I've had a great time attending this year's SOURCE Boston conference. Today's panel discussion on ransomware inspired this sad song.

Stop Asking?

Files arrive with a smile,
   a wink,
   and a nod.
Or they trickle down,
   the drips from a leaky ceiling,
   bad news arriving, staining,
      and costing.

You need to click.
   They demand your attention.
      (So shiny!)
   They promise you others' secrets.
      (While demanding all yours.)
   They warn you of impending doom.
      (Not far from the truth.)

You have to click.
   and the smiles drop,
     the ceiling crashes down,
   and you are left to wade
      through unfriendly faces
      offering you a life jacket
         for a price.

"But what if
   those smiles had been genuine
   and there really was
   a hole that needed patching?"
      (How could you know?)

The next file arrives
   and while holding a mop,
   you ask again.

Tuesday, June 14, 2016

FIRST 2016 - Innovation

Today's keynote at the FIRST conference discussed the importance of innovation in security products and services. Not everyone is a fan of such things.


Innovation, you say?
It's easy to say.
Harder to do when you're spending your day
Fighting the fires and calling out liars
And answering calls from your C-level criers.
We barely have time to kick all the tires
On products we buy
Whenever we try
To solve all our problems
When the budget is high.
(Sometimes we barely can even ask why.)
Often we're choosin'
Tools that are proven
By peers who have shown
That they're really worth usin'
And are ones that risk management ain't refusing.
We'd like something new,
Innovation that's true,
But it's rare that it's something we'd purposely do.
Radical changes we often eschew.
Innovation is something, I guess, that we fear.
It's something, I'd say, you'll never find here.

Monday, June 13, 2016

FIRST 2016 - Tabletop Exercises

Performing tabletop exercises to practice an organization's incident response processes, learn more about them, and improve them is a worthwhile thing to do. Kenneth van Wyk gave an excellent presentation on how to run tabletop exercises.


Fledgling stretches wings
Learning how to make them work.
SOC testing new tools.

A confident hawk
Dives to catch its fleeing prey.
The IDS fires.

Unseen in the trees,
Trappers wait with heavy nets.
A tabletop drill.

How will the hawk eat
When its wings and beak are bound?
Prepare for the worst.

Hawk learning to hunt
While tied to the rocky ground.
SOC will be ready.

No matter the wind,
The rain, or the predators.
Business must go on.