Thursday, May 8, 2014

SPC 2014 - Good Morning

Good morning, SPC-goers!  I hope last night was good for you.  Many of us found ourselves at the bars, talking, planning, and dreaming.

Glasses dance
From table to mouth to table
Riding the conversation's
Ebb
and
flow,
Networking while talking networking,
or policies,
or war stories,
or master plans,

Or planting the seeds for new plans
Deep in the soil of conversation
Watered by a rain
Of bar drinks
and laughter
and song.

Wednesday, May 7, 2014

SPC 2014 - The Cloud, some more

Joel Rosenblatt from Columbia is giving a great talk on sensitive data in the cloud along with CloudLock.  My thoughts, slightly less minimalistic than my last Cloud post.

The Cloud is Really Great

We gave our data names, we gave the data places.
But when we gave out access, it began all kinds of races.

The users needed info, they pulled it from the store.
And then we were surprised to find it running out the door.

They brought it to the Cloud and the services within.
They posted it in Google Docs and shared it on LinkedIn.

Dropbox was their favorite for sharing with their friends
Or maybe they just put it there for sinister of ends.

We asked them not to do it; we pleaded and we begged.
It didn't make us popular; it was like getting egged.

So we're looking now for policy and maybe DLP,
Or maybe we'll encrypt it all; I hope we keep the key!

But horses, they have left the barn; it may just be too late.
We cringe whenever users say, "The Cloud is really great!"

______________

Within wispy gauze,
Floating silently above,
There is turbulence.

The acorn planted
Last autumn by a squirrel.
New roots crack sidewalk.

SPC 2014 - Cloud

Cloud, Cloud, PII, Cloud, Cloud.
Cloud, Users, Cloud, Control, Cloud.
Cloud, Cloud, Cloud, Cloud.  Cloud.

SPC 2014 - Bounty

Charlie Miller got me thinking about software bug bounty programs.  Are they good?  Are they bad?  Hard to say.

Bounty

I found myself a little bug.
It's in your favorite app.
It makes me feel a little smug.
It'll put me on the map.

I spent a year on Mountain Dew
While plowing through some code.
I fuzzed and fuzzed, just like you do
To find a weakly node.

So after months of grinding hard,
I thought I would cash in.
I finally played my final card
The money filled my bin.

For months I longed to hear the tale
Of how the app was lacking.
But the buyer seemed to cop a fail
and others started hacking.

It was my bug that broke the app,
But someone else had found it.
They used it like a leaky tap
To hack some more, confound it!

If I had let more people know,
They may have fixed it early.
Instead I chose to make some dough,
And now I'm feeling surly.

Yes, I spent a lot of time
And did a lot of work.
But did I help commit a crime
By acting like a merc?

SPC 2014 - Keynote #2

The second keynote for this year's SPC is "Failures of the InfoSec Community" by Charlie Miller.

He ended up depressing me.  The barbarians are at the gates and within our PCs.  So much work to do.

Exploding PCs:
Reality written wrong.
Goat describes tractors.

Time marches onward
But the headlines stay the same.
Earth around the sun.

Software bugs hiding,
Dormant for years upon years.
Cicadas emerge.

How much is too much?
You could fuzz inputs all day.
A bear fishing.

Assuming a breach
Will bring you serenity.
Water finds a way.

SPC 2014 - Risky Poetry

The first break-out panel I attended this year was "A Consolidated Approach to Risk and Standards Management" by Matthew Dalton from The Ohio State University.  OSU has a nice tool for doing risk assessments, which I plan to steal (once he's made it available).  It is a method for defining your assets, measuring the likelihood and impact of different events, and creating a risk report that C-level folks can easily understand.  It also contains a way to track mitigating controls (including their costs and their effectiveness) that affect those risks.  Pretty slick.

If you use all those frameworks from NIST,
Regulators will never be pissed.
You'll look like a pro
And put on a good show
When the auditors search for what's missed.
_____________________

Measuring your risk:
Teaspoons carefully poured, then:
A tsunami comes.

Red, yellow, and green.
Sunset flares above lush grass.
Or fire, tornado.

SPC 2014 - Keynote Haiku

Greetings from St. Louis and the 2014 EDUCAUSE Security Professionals Conference.  Today's keynote speaker has been Harriet Pearson talking about privacy, cybersecurity, and law.  Here are my notes in haiku form.

Government listens
For cybersecurity.
Thunder all around.

Higher ed moves slow:
The sun setting behind hills.
Eternal sunset.

NIST builds a framework.
Robin weaving tangled nest
To protect her eggs.

Lawyers are friendly:
Guard dogs that know their master
And protect their yard.