Showing posts with label haiku. Show all posts

Monday, May 22, 2017

One Conference - NLCyber Haiku

I attended the One Conference in The Hague recently, and seeing my European peers talking cybersecurity and Vermeer's art inspired me.



The Girl With the Perl Earring


What does she look at,
The Girl with the Perl Earring?
Your code needs review.

Beneath her turban,
Her mind races through the vulns.
She sees the exploits.

Just out of the frame,
Her lithe fingers are dancing.
She's pwning your site.

Monday, June 13, 2016

FIRST 2016 - Tabletop Exercises

Performing tabletop exercises to practice and learn more about incident response processes of an organization and to improve those processes is an excellent thing to do. Kenneth van Wyk gave an excellent presentation on how to run tabletop exercises.

_____

Fledgling stretches wings
Learning how to make them work.
SOC testing new tools.

A confident hawk
Dives to catch its fleeing prey.
The IDS fires.

Unseen in the trees,
Trappers wait with heavy nets.
A tabletop drill.

How will the hawk eat
When its wings and beak are bound?
Prepare for the worst.

Hawk learning to hunt
While tied to the rocky ground.
SOC will be ready.

No matter the wind,
The rain, or the predators.
Business must go on.

Thursday, March 10, 2016

Boston Security Camp - Afternoon Session

From the afternoon session of the BC Security Camp.

REN-ISAC

REN-ISAC watches,
Threat sharing flows through their hands,
Tall trees grow stronger.


APT Experiences

Even an oyster,
Old, rotten, may have a pearl.
Must open a phish.

VirusTotal shrugs
At the malware file we found.
Wolves howl outside.

IOCs popping.
The APT evolving.
Wounded lamb crying.


Creating a Good Business Relationship Between IT and Treasury for PCI compliance

One good data breach.
Storm water breaks through a dam.
Beavers must rebuild.

Follow the money.
Stars pointing to Treasury:
A PCI map.

Sharing the burden,
Huddling against the winds
Of attestation.

Database Security

The harsh thunder booms
When audit arrives, seeking
Your database logs.

A giant mountain,
Oracle databases.
Their logs are lava.

Information flows
Meta information grows.
DBA hair grays.

Boston College Security Camp - Morning Haiku

I have the privilege of attending this year's Security Camp hosted by Boston College. This morning's presentations inspired some haiku.

Security Camp.
Talks around the camp fire.
Ghost stories, epics.


Moving to the Cloud - Resistance is Futile

Somewhere in the Cloud,
Raindrops form from falling ice.
Your data in tears.

Backups in the Cloud
Backing up backed up data.
Clouds, rain, ocean, clouds.

Acquiring clouds
And claiming them to be yours.
A game for sad fools.


Information Stewardship Governance Program 

Stewarding data,
Each piece led across the Styx
Or to calm prairies.

Understand your data:
A wolf knows all paths traveled
By each pup and prey.

Acorns stored by squirrels
Remain hidden all winter.
Come spring, they grow large.


Software Identification Tags

What should be patched when
Vulnerabilities drop?
Ask the wind and hope.

Browsing undergrowth,
Doe wishes she knew what's there,
Eating, not searching.

XML flowing,
Tagging the world that it knows.
Each leaf on each branch.




Tuesday, May 5, 2015

SPC 2015 - How To Sell Security

I sat in on William Perry's talk entitled Rethinking and Simplifying Security: A Best Practices Roadmap.  One of his points was the need to develop a good value proposition for any security program change you make.

This idea drove me to haiku.  (Yes, one can haiku.  Verb all the things.)



How To Sell Security


Only the greenhouse
Survived the plague of locusts.
The gardener planned.

An angry gray goose
Chases the red, hungry fox:
Her chicks protected.

Frightened zebras run
Lion is dazzled, confused;
Until one falls back.

Wednesday, May 7, 2014

SPC 2014 - The Cloud, some more

Joel Rosenblatt from Columbia is giving a great talk on sensitive data in the cloud along with CloudLock.  My thoughts, slightly less minimalistic than my last Cloud post.



The Cloud is Really Great

We gave our data names, we gave the data places.
But when we gave out access, it began all kinds of races.

The users needed info, they pulled it from the store.
And then we were surprised to find it running out the door.

They brought it to the Cloud and the services within.
They posted it in Google Docs and shared it on LinkedIn.

Dropbox was their favorite for sharing with their friends
Or maybe they just put it there for sinister of ends.

We asked them not to do it; we pleaded and we begged.
It didn't make us popular; it was like getting egged.

So we're looking now for policy and maybe DLP,
Or maybe we'll encrypt it all; I hope we keep the key!

But horses, they have left the barn; it may just be too late.
We cringe whenever users say, "The Cloud is really great!"

______________

Within wispy gauze,
Floating silently above,
There is turbulence.

The acorn planted
Last autumn by a squirrel.
New roots crack sidewalk.

SPC 2014 - Cloud

Cloud, Cloud, PII, Cloud, Cloud.
Cloud, Users, Cloud, Control, Cloud.
Cloud, Cloud, Cloud, Cloud.  Cloud.

SPC 2014 - Keynote #2

The second keynote for this year's SPC is "Failures of the InfoSec Community" by Charlie Miller.

He ended up depressing me.  The barbarians are at the gates and within our PCs.  So much work to do.



Exploding PCs:
Reality written wrong.
Goat describes tractors.

Time marches onward
But the headlines stay the same.
Earth around the sun.

Software bugs hiding,
Dormant for years upon years.
Cicadas emerge.

How much is too much?
You could fuzz inputs all day.
A bear fishing.

Assuming a breach
Will bring you serenity.
Water finds a way.

SPC 2014 - Risky Poetry

The first break-out panel I attended this year was "A Consolidated Approach to Risk and Standards Management" by Matthew Dalton from The Ohio State University.  OSU has a nice tool for doing risk assessments, which I plan to steal (once he's made it available).  It is a method for defining your assets, measuring the likelihood and impact of different events, and creating a risk report that C-level folks can easily understand.  It also contains a way to track mitigating controls (including their costs and their effectiveness) that affect those risks.  Pretty slick.



If you use all those frameworks from NIST,
Regulators will never be pissed.
You'll look like a pro
And put on a good show
When the auditors search for what's missed.
_____________________

Measuring your risk:
Teaspoons carefully poured, then:
A tsunami comes.

Red, yellow, and green.
Sunset flares above lush grass.
Or fire, tornado.

SPC 2014 - Keynote Haiku

Greetings from St. Louis and the 2014 EDUCAUSE Security Professionals Conference.  Today's keynote speaker has been Harriet Pearson talking about privacy, cybersecurity, and law.  Here are my notes in haiku form.



Government listens
For cybersecurity.
Thunder all around.

Higher ed moves slow:
The sun setting behind hills.
Eternal sunset.

NIST builds a framework.
Robin weaving tangled nest
To protect her eggs.

Lawyers are friendly:
Guard dogs that know their master
And protect their yard.

Wednesday, April 17, 2013

SPC 2013 - Risk Management Haiku

We cannot eliminate risks.  We can only manage them.

We can also dazzle them with 5, 7, 5.


Risk Management Haiku

Identify risks:
Boulders cling to mountain sides.
Gravity calls them.

Entropy calls us,
Daring the brave to forget
To run the backups.

Like the beaver's dams,
The change control processes
Keep torrents at bay.

Friday, February 1, 2013

Mobile Device Haiku

I don't think I posted these before. I created them for a haiku contest that EDUCAUSE sponsored a while back.

Mobile Device Haiku

Any time or place,
The world at our fingertips.
Data on the wind.

Message sent through air,
Dodging wind and rain and snow.
"Remember the milk."

"Secure mobile phone".
Truly an oxymoron
Like "gentle winter".

Thursday, February 9, 2012

News Haiku

Taken from some news stories and recent postings, I offer another round of haiku.

A germ can blossom
In mother and new-born child.
Size does not matter.

OUCH! Monthly Security Awareness Newsletter - Securing Your Mobile Device Apps [PDF]


Even in the storm,
Roaring wind and pelting rain,
Calm voices call you.

Security Now Episode 339


Winds blow, water flows.
When you think you control tides
Someone else might too.

ICS-ALERT-12-039-01 - Advantech BroadWin RPC Server Vulnerability [PDF]


Wolves hunting in packs.
The scattered flock can't escape
The jaws of malware.

Citadel - An Open-Source Malware Project


Electronics Manufacturing Giant Foxconn Is Hacked

The prey will not care
The color of the snake's scales.
Black or grey still kills.


Microsoft Security Bulletin Advance Notification for February 2012

Cycles surrounding.
The moon. The sun. The seasons.
Monthly patch day comes.

Saturday, June 25, 2011

Haiku for compromised websites

Web sites compromised:
Stars falling from the heavens,
Their whispers made loud.

Looking to sting true,
SQL injections fly.
Angry summer bees.

A weed will wither
When denied air and water.
Store data offline.

Thursday, May 5, 2011

Victory!

I won the aforementioned haiku contest with this haiku:

Losing your cell phone
Is worse than losing your keys
My thumbs get so bored

Another step toward being the poet laureate of the higher ed infosec community.

Monday, April 25, 2011

Life in the Mobile World Haiku

My entries to this Haiku contest:

http://www.educause.edu/Mobile+Sprint/MobileComputingA5DaySprint/Contests/227381

Losing your cell phone
Is worse than losing your keys.
My thumbs get so bored.

Any time or place
The world at our fingertips.
Data on the wind.

Message sent through air,
Dodging wind and rain and snow.
"Remember the milk."

"Secure mobile phone".
Truly an oxymoron
Like "gentle winter".


Wednesday, April 20, 2011

InfoSec Haiku

Data breach occurred
Like wind through a closed screen door.
Notification.

Birds softly singing
Sad songs of un-patched systems.
SysComps like leaf buds.

Summer rains come hard
Like spam through email servers.
An endless torrent.