I’m glad that the federal government along with states have started taking action against the app for its apparent theft of sensitive information. This is good and all, but what took so long?
I’m humbled to be brought back as a panel speaker at the CISO Boot Camp. I was involved in designing and ended up MC’ing the first two CISO Boot Camps (2019 and 2020).
Unfortunately, COVID took the wind from the sails for 2021 and 2022, but now, in partnership with the SANS Institute, the CISO Boot Camp is coming back, and will be better than ever!
About the Program
RSAC CISO Boot Camp is an invitation-only gathering of future CISOs from a broad set of organizations around the globe. This closed-door, Chatham House Rules program will deliver a unique and curated experience designed to prepare aspiring CISOs for the next step in their careers.
Launched in 2019, CISO Boot Camp is in its next iteration and is now co-designed by RSAC and SANS Institute, two leading organizations in the cybersecurity ecosystem. Delivered by experienced CISOs and industry experts, attendees can expect quality presentations, inspiring conversations, and immersive hands-on learning with live simulations to help instill the skills needed to be successful–not to mention, plenty of networking with new peers on the same career trajectory, and experts with possible mentoring opportunities.
This is a free program and attendees will receive Expo Pass access to RSAC 2023 as part of their RSAC CISO Boot Camp badge, with the opportunity to upgrade to an Expo Plus Pass or Full Conference Pass. Program size is limited to 100 participants. Attendance is limited to one year, with alumni networking opportunities to follow.
I will be participating in the kick-off panel: “Inside the Mind of a CISO” and will get to sit next to Frank Kim, Jerich Beason, and Jenny Menna while awkwardly holding a microphone.
I’m super excited and look forward to participating in such an exciting event and am truly humbled they keep bringing me back. I look forward to seeing all of you April 2023 in sunny San Francisco.
Like everyone else with a browser, free time, and an interest in AI, I’ve been playing with ChatGPT, a text-generating AI engine by OpenAI (the folks that created DALL-E) that can write research papers, programs, poems, and blog posts. You can find more information about both ChatGPT and DALL-E at OpenAI’s website (https://openai.com/).
I started with something that I thought would be fun:
As you can see, it wrote a well-commented Python script to generate a random number for each of the types of dice used when playing Dungeons and Dragons (something I do with my kids and friends). I doubt I’ll use this specific script as I have some pretty fly VTT apps and like to use the real thing when I can. I kept playing with ChatGPT. It wrote me a haiku, a poem in the style of Keats, a few jokes, a Mastodon post, and finally, a blog post.
I wanted to see if it could do something in a longer form, so I fed it some prompts and after a few tries I got one back that was passable. The following post was written entirely by the ChatGPT interface with the following prompt:
And so, without further delay, I hand over the reins of my blog to ChatGPT.
Here is a potential blog post about the intersection of cybersecurity, nation-state threats, and flaming hot Cheetos:
Title: “The Spicy Politics of Cybersecurity”
As the world becomes increasingly connected, the realm of cybersecurity has become a critical battlefield for nation-states. Hackers and cyber espionage groups backed by governments are constantly probing and attacking each other’s networks, trying to steal sensitive information or disrupt critical infrastructure.
In this high-stakes game of cat and mouse, the use of sophisticated tools and techniques is common. But sometimes, even the most unexpected things can play a role.
Take, for example, the case of the flaming hot Cheetos. In 2017, it was reported that Russian hackers used the popular snack as a covert communication channel to avoid detection by security software. By embedding data in the pixels of images of flaming hot Cheetos posted on social media, the hackers were able to transmit information without raising suspicion.
This may seem like a silly and unlikely tactic, but it highlights the creative and unpredictable nature of cyber warfare. As security technologies and defenses continue to evolve, so do the methods used by hackers to evade them.
So the next time you enjoy a bag of flaming hot Cheetos, just remember that they may be more than just a tasty snack – they could also be a potential weapon in the global cyber conflict. #cybersecurity #nationstatethreats #flaminghotcheetos
“Photo of robot eating Cheetos” by DALL-E, ChatGPT’s sibling app
Not the worst blog post I’ve ever read (and may have been guilty of writing). I think this is going to be a very disruptive technology for certain vocations in the not-so-distant future. Honestly, I’m not sure how that makes me feel.
I’ve seen it time and time again. An executive wants to fund a transformational project of specious value that requires multiple years of expensive funding. The executive will work hard on branding internal projects with acronyms, mythological names, and even custom logos. Aspects such as goals, objectives, features, and (most importantly) risks are either glossed over, not documented, or delegated to employees who may not fully understand the scope of the initiative.
And when it finally comes forward? It gets eviscerated for poor planning, inaccurate estimates, and the project name is sometimes even mocked.
Worse yet, the project gets funded and falls into a swirling morass of misaligned goals, missing user stories, incomplete features, slow progress, and budget overruns. Personally, I’d rather get laughed out of the room and told no.
So what’s an ambitious executive to do?
Create a multi-year strategy that builds toward your ultimate goal and takes the concept of “eating the elephant” to heart. As you probably know, the idiomatic phrase comes from the question “How do you eat an elephant?” with the answer being “One bite at a time.” Instead of trying to take it all on at once, break your project down into small chunks and organize them using the following as guides:
Order of operations – does Y have to go before X to work? Then Y should be done first.
Low-hanging fruit – are there “quick wins” that can be completed to provide value immediately?
Slow growth vs. all-in – can you target a smaller population to show value, build processes/documentation, and potentially drive demand from groups not yet included?
Strategic alignment – are there aspects that directly align to a corporate strategy?
Of course, all roads lead to Rome (there are many ways to accomplish the same thing) and there are other strategies to employ to get to the final goal. I have found the above works for me, but it may not work for you. Also, this method may take longer and it may actually be more expensive, but it will get done, which is what the goal is supposed to be, right? Then you can let everyone know that “Medusa 2.0” can be launched with great fanfare.
I submitted a short blurb to an effort to gather advice from CISOs. I believe many CISOs (especially new ones) will focus primarily on advanced security controls and miss the admittedly boring “blocking and tackling” like patch and configuration management…
While we (as CISOs) certainly need to deploy protective technology to help defend our brands, we must also ensure we stay laser-focused on helping our friends in IT with the monumental task of properly configuring and expediently patching endpoints, servers, and applications. No matter how good your EDR or XDR systems may be, you will be helpless to stop attackers if systems are not properly configured and maintained.
The submission asked for additional information, so I decided to expand (very slightly) on my earlier point – specifically, that governance alone has not worked and most likely never will.
The information security product ecosystem has certainly produced some excellent detective and preventative controls to thwart would-be attackers. However, time and time again systems and applications are compromised due to shoddy administrative practices and slow update cycles. We (as CISOs) need to ensure that our IT sisters and brothers are empowered to invest in solutions to solve these issues – sheer governance has not been enough, so we have to think outside the box on how to enable IT to be successful for the company and achieve better security outcomes.
I really miss the days when I paid maintenance for software. The new ARC paradigm really sucks for the consumer.
The only positive piece is that the financial implications of switching vendors are mostly gone, but the inflation of the infosec budget has been profound.
This post is part experiment, part memorializing a short conversation I had with Sasha Romanosky (one of the creators of CVSS). I have more thoughts on the subject of the thread which I may expand on here or on Mastodon sometime in the future.
The experiment is how well I can integrate Mastodon micro-blogging with my fledgling WordPress site. I also want to memorialize the conversation since I’ve set my Mastodon posts to self-destruct after a relatively short period of time.
I’ve been trying to clean up my document repositories and found a talk I gave at RSAC back in 2016 that brought back some thoughts I’ve been having recently about cyber resilience and how to pull together a strategy to ensure a new CISO is focusing on the right things.
Perhaps I’ll weave some of this plus a lot of things I’ve learned over the past few years into a new talk for RSAC in 2023. For now, I hope someone finds this content somewhat useful.
I had the privilege of presenting to over 50 thirteen-year-olds at a middle school’s career day. It was a ton of fun; the kids asked great questions and were generally very interested in information security as a subject. I’ve included the slides I presented to the classes in this post. If you work in information security, I highly recommend doing career days and presenting at community colleges to let them know what we do and how satisfying a career field it can be.