Author Archives: peterhgregory

About peterhgregory

Published author of over forty books on security and technology, including Solaris Security, CISSP Guide to Security Essentials, and IT Disaster Recovery Planning for Dummies.

Audit Seeding

Management may spend considerable time and energy making sure that personnel understand one thing when dealing with auditors: specifically answer the question that the auditor asked, not the question the auditor should have asked; and do not volunteer any information.

There is, however, a useful technique that management (and only management) sometimes uses when working with auditors. I prefer to call this seeding the audit results.  Similar to the technique of cloud seeding, where rain clouds are seeded with substances to cause them to release rain, management can use audit seeding as a way of ensuring that auditors are aware of specific situations that they are willing to include in their audit report. The purpose of audit seeding is generally the creation of an audit issue that will permit management to prioritize an initiative to improve the business.

For example, external auditors are examining access controls, an area where a security manager has had difficulty obtaining funds to make key improvements. While in a discussion with auditors, the security manager may choose to illuminate particular actions, inactions, or other situations in access control processes or technology that the auditor might not have otherwise noticed.

Persons who are considering audit seeding must have a thorough understanding of the subject matter, the controls being tested, the procedures and technologies in play, the auditing methodology in use, and a bit of grit. Audit seeding may be considered a daring move that may have unforeseen results. Finally, persons considering audit seeding must not make auditors feel they are being manipulated, as this could have greater consequences. Instead, management is simply making auditors aware of an important aspect of a control they are auditing.

— excerpt from CISM All-In-One Study Guide

Advertisements

Information Security and Business Continuity Planning Share Common Ground

An analysis of threats that are considered in most risk assessments should prompt the reader to think of natural and man-made disasters that, when they occur, invokes business contingency plans to assure continuity of critical services. It is not an accident that information security and business continuity planning have a lot in common.  Risk assessments are often designed to amply serve both efforts. Indeed, one may argue that business continuity planning is just a branch of information security – the common objective for both is the protection and availability of critical assets and functions.

— Excerpt from CISM All-In-One Study Guide

The Fifth Option in Risk Treatment

For decades, risk management frameworks have cited the same four risk treatment options: accept, mitigate, transfer, and avoid. There is, however, a fifth option that some organizations select: ignore the risk.

Ignoring a risk is a choice, although it is not considered a wise choice.  Ignoring a risk means doing nothing about it – not even making a decision about it. It amounts to little more than pretending the risk does not exist. It’s off the books.

Organizations without risk management programs may be implicitly ignoring all risks, or many of them at least. Organizations might also be practicing informal and maybe even reckless risk management – risk management by gut feel. Without a systematic framework for identifying risks, many are likely to go undiscovered. This could also be considered ignoring risks through the implicit refusal to identify them and treat them properly.

  • excerpt from an upcoming book on risk management

Prior password hygiene comes home to roost

This week I received a notice from https://haveibeenpwned.com/ suggesting that my user account from last.fm had been compromised. In this case, the breach was fairly significant, according to Have I Been Pwned, indicating that mail addresses, passwords, usernames,  and website activity were among the compromised data.

Image result for password memeWow. Last.fm. I hadn’t even thought of that service in years. A quick check at Wikipedia shows they are still in business, but I had forgotten about last.fm, probably because SomaFM.com and Pandora had garnered my music listening attention.

I looked in my password vault to see what my password was.  I found there was no entry for last.fm. This is especially troubling, since there is a possibility that the password I used for last.fm is used elsewhere (more on that in a minute).  I still have one more password vault to check, but I don’t have physical access to that until tomorrow. Hopefully I’ll find an entry.

In any event, I’ve changed my password at last.fm.  But not knowing what my prior password was is going to gnaw at me for a while.

Occurrences like this are another reason why we should all use unique, hard to guess passwords for each web site.  Then, if any web site is compromised and that compromise reveals your password, then you can be confident that no other web sites are affected.

What I Was Doing On 9/11/2001

In 2001, I was the security strategist for a national wireless telecommunications company. I usually awoke early to read the news online, and on September 11 I was in my home office shortly after 5:00am Pacific Time.  I was perusing corporate e-mail and browsing the news, when I saw a story of a plane crashing into a building in New York.

I had a television in the home office, and I reached over to turn it on. I tuned to CNN and watched as smoke poured from one of the two towers in the background, as two commentators droned on about what this could be about. While watching this I saw the second airliner emerge from the background and crash into the second tower.

Like many, I thought I was watching a video loop of the first crash, but soon realized I was watching live TV.

I e-mailed and IM’d members of our national security team to get them aware of these developments. Before 6am Pacific time, we had our national emergency conference bridge up and running (and it would stay on all day). Very soon we understood the gravity of the situation, and wondered what would happen next.  We were a nation under attack and needed to take steps to protect our business.  Within minutes we had initiated a nationwide lockdown (I cannot divulge details on what that means), and over the next several hours we took more steps to protect the company.

——–

Since being a teen-ager I had a particular interest in World War Two. My father was a bombardier instructor, and his business partner and best friend was a highly decorated air ace.

——–

We are under attack and we are at war, I thought to myself early that morning, and while I don’t remember specifics about our national conference bridge, I’m certain that I or someone else on the bridge said as much.  Like the sneak attack on Pearl Harbor on December 7, 1941, we all believed that the 9/11 attacks could have been the opening salvos of a much larger plan. Thankfully that was not the case. But in the moment, there was no way to know for sure.

For many days, I and probably a lot of Americans expected more things to happen. The fact that they didn’t was both a surprise and a relief.

Leaving the Comfort Zone

travel destinations

Jumping out of one’s comfort zone

Early in my career, I had seemingly regular opportunities to learn new skills and technologies. It was interesting, for sure, and sometimes challenging, but rarely in ways that I would consider the least bit scary or risky.  It was just plain fun.

Several years into my career, I found that my learning curve was steepening. I was apparently seen to have some good skills, and the small company that employed me seemed fit to thrust me into new situations with little supervision. This included teaching computing classes to county commissioners, being responsible for obtaining computers half a world away for international conferences (in the 1980s this was no mean feat), being asked to attend client executive business meetings to explain the software that my company had provided – or explaining yesterday’s outage.

Then came public speaking. My first real speaking gig was in 1988 where a colleague and I were presenting to a large audience. Before PowerPoint, producing slides for a presentation was difficult. You PowerPoint weanies have it way too easy.

That first speaking gig was a disaster. A real train wreck. I was beyond nervous. I’m sure it showed. But at least I knew it was a clear fail. And I was determined to not let that happen again.

As luck would have it, just weeks later a friend of mine mentioned his local Toastmasters club. I had heard of Toastmasters, and feeling the sting of my recent public speaking failure, I jumped at the chance.

The next year at Toastmasters was hard work. I had terrible bad habits and no good ones. My club consisted of really seasoned speakers, including local city officials and business owners. Really senior guys. Safe and friendly. But full of criticism, of the constructive kind.

I was nervous in all of my Toastmaster speeches. I was really terrible but desperately wanted to improve. I had a glimpse of my career’s future where I would be speaking before audiences again, but I was determined to never fail like that again.

A few short years later, I was asked to teach Unix concepts and skills to co-workers in semi formal classroom settings. I prepared and was less nervous. I did okay.

A few years after that, I was invited to speak at a global user conference on the business benefits of some software products. I did this two years in a row, and even recorded promotional testimonial videos for the company. I’m not sure whether they were ever used, though.

A couple of years later, opportunities to speak at conferences began. First it was once a year, then twice a year. These were great learning opportunities. Generally I did well, and slowly accumulated experience and added skills. I felt like I was going places. Not big places, but places nonetheless.

Last year I had the opportunity to keynote a regional security conference. I had the freedom to select my speaking topic, at least. But this was the first time I was formally introduced to a big stage before hundreds. Moreover, this was in my city, where probably half the audience knew me by first name.

No pressure.

Riiiight.

My animation acted up a bit, but I delivered.

FullSizeRender.jpgEight weeks later, I had another keynote opportunity to an even larger audience, around 800. Yes I was nervous. But I delivered fairly well. This was the first time I had “comfort monitors” (the big monitors down in front that I could look at, as opposed to turning around to look at the big screens behind me.

Wait, isn’t this supposed to be about my comfort zone?  Well yes, it has been all along.

Virtually all of my speaking gigs take me out of my comfort zone. Some, a little; others, quite a bit.

Two weeks ago, my boss’s boss called me up and asked if I would be interested in a speaking gig in Ottawa.  I told him, sure, sign me up.

Then we hung up. And I thought about it. And I realized, I don’t even know what I’ll be speaking about, to whom, or in what context. That was okay.

Yes it was okay.  Given the perspective of many years now, I realize that I thrive at the very edge, and often beyond, the boundaries of my comfort zone.

Public speaking is not the only context where I do this. In fact, every day when I’m asked to talk with a client, partner, or colleague, I almost never know what the conversation is going to be about. I might be praised in one conversation, bitched out in another, and asked my opinion in another.

So what am I getting at here?  Please be patient, I’m getting to it. This is not a rehearsed piece, but written stream of consciousness, much like an impromtu talk. Other than mis-spellings in mid-sentence, I’m not editing this.  These are my thoughts. Peter H Gregory unplugged.

For me this has been a great ride, the past few decades. I never know what’s around the corner. And that’s okay.

Those who know me know that I talk in metaphors a lot. Maybe too much. I liken my public speaking to bungee jumping. A few moments of terror, but what a ride. Only in my case, the chances of imminent death are remote. Embarrassment, or humiliation with no way out?  Absolutely. In any of my talks, whether keynote, small session, executive briefing, or a university class, I could blow it at any time and be a bufoon or worse.

It hasn’t happened since that first conference, many many years ago.

And it keeps happening. Today at 3:30pm I found out that I to give an executive briefing to a group of colleagues I’ve never met in person, tomorrow morning. Do I know exactly what I’m going to be talking about?  Somewhat.  Am I nervous?  Yes, somewhat.  Will it be okay?  Probably.

In high tech, if you want to grow, you’ve got to live on the edge of your comfort zone. Or near the edge anyway. Close enough so that you can see over the edge and see what potential failure looks like. Or gaze upward toward the brilliant blue sky and see what potential success looks like.

It’s worth it.

State University Gives Copies of Security Career Books to Students

Earlier this year, Georgia State University asked me to speak at an information session for students in its Masters of Science in Information Systems (MSIS). Students needed to choose their study concentration; my job was to describe the information security profession to them so that they could choose whether to elect the security concentration, or one of two other concentrations. 
The university gave to all of its MSIS students a copy of one of my recent books, Getting an Information Security Job For Dummies. University officials recognized that the book accurately describes the profession, how professionals can learn more about the profession, career choices within the profession, and steps someone can take to get into the profession.

After my talk, university officials informed me that twenty-five students elected to pursue the information security concentration. This was greater than they expected, and they were pleased with the outcome. They expressed their gratitude to me for the time I took to describe the profession to them and answer their questions.