My second month of trying new recipes is coming to a close. This month I started to try some sweet things along appetizers and main dishes. One of my sweet creations was a red velvet cupcake and cream cheese frosting. Of course my kids loved them and declared they were the best they ever had, but I was interested in what my wife thought. After tasting the cupcakes she said the frosting was outstanding, but the cupcake was a little dry. I knew the first batch I had cooked probably was in a minute or two longer than they should have been. A little later in the evening one of my sons said “daddy’s homemade cupcakes were sooooooo good.” My wife responded to me with “wait, you made the cupcakes from scratch also?” Although she thought I had slightly overcooked them she felt the recipe was really good and was impressed.

It is funny, usually when I would make cupcakes, cake, or brownies for that matter I usually start with a box mix. These are easy as they usually just need to add two or three items, mix and toss in a pan. After tasting my cupcakes though I can see the difference over the pre-made mix. This also can be the case in information security. We are constantly inundated with ads, information sheets, and phone calls where we are told that we can use a product that will solve our problems. For a time these may meet our requirements and get us up and moving with a speed we may require. However, after you build a solution from scratch you start to see where these “boxed” solutions don’t satisfy your new tastes.

Along the same lines, using fresh ingredients also can make a big difference. There is a definite taste difference between herbs and foods that come pre-packaged over ones that you may grow in your own home garden or get from a fresh market. Many times once you make something with those fresh ingredients you don’t want to use the pre-packaged ones again. Just like in cooking , it is important we use the right ingredients in our security programs. Even when you need to used those “boxed” products you can certainly enhance their functioning through your own home grown security experts. Cultivating the people in and around your security program will ensure that no matter what you have to start with, the final product works they way you need and want it to work.

We can’t be afraid to branch out from those things that make us comfortable just because they are generally foolproof. Sometimes taking that chance and trying something new, making it from scratch will not only surprise us but will also lead us to become more aware of how all the ingredients work. Thinking in terms of People, Process, and Technology we don’t want to use the box solution in all three. Lets use the ones we make from scratch to enhance those areas we find we need to use the box solutions.


So today I had the pleasure of giving a talk at BSides Cleveland. BSidesCLE was had held at the House of Blues which turned out to be a great venue for this event. The speakers  room very large and allowed for the participants to be relaxed. At the same time the lobby was a great place to kick back and chat with people if you wanted. I titled my talk “Please Step Away from the Binaries: Educating Security.” I have been thinking about a way to incorporate what my wife has been doing for the last 6 years in the space of Response to Intervention with my passion for information security. When looking at the common “People, Process, Technology” diagrams it came to me that security often misses the People part.

So I put together my thoughts on how information security professionals can improve educational opportunities, thus improving security. If you weren’t at the event, which was fantastic, you can see my talk here. My talk starts around 9 minutes, but if you aren’t familiar with the concept of BSides it is good to watch the introduction. I want to thank all the people who worked very hard to put BSidesCLE together, and to the other speakers and participants who made things  interesting. I look forward to the next BSidesCLE.

I am going to try and put my thoughts into a series of blog posts and being to expand on areas I didn’t get very detailed in during my talk. I look forward to hearing your thoughts on this talk and the ideas around security education programs.


My wife told me an interesting story the other day. She had gone to a drive thru to get a cup of coffee. The car in front of her was an older car and it was a very cold day. As the driver attempted to pull forward to the speaker his car stopped. We have all been in a drive thru and can understand the frustration which would follow when a car becomes disabled, after all we are there because we want fast service.  Yet my wife said the driver hopped out of the car and quickly corrected the problem. She said the whole ordeal took less than half a minute, and really wasn’t too bad.

Yet the person behind my wife felt those few seconds were to long and drove around not only the broken down but also my wife. The story doesn’t end there however. After the vehicle who jumped ahead in line placed a rather large order, the man in the broken down skipped in front of him. Broken down paid for the order, took it and drove off. My wife now had to wait for a very confused drive thru crew to sort out what had happened just to get her cup of coffee.

Besides the pure entertainment of the story I saw a point. In information security we are tasked with protecting our organizations assets. Each time an attacker attempts to break into our system we analyze their efforts and adjust our security posture to stop their next assault. For an attacker that just wants the quick hit this would be enough to ward off future attacks. However, given a determined attacker the shift in security will only slow them down and may aggravate them. Not that I am against causing a little stress to the aggressor, as long as we understand the consequences. In implementing security measures we can’t just focus on the immediate threats, we need to understand where all our weaknesses may lie.

We shouldn’t analyze an attack just to see how it was attempted, we also need to analyze what was the end game. Even if the end game wasn’t indicative of a determined attacker, we still need to ensure that we evaluate our weaknesses. I don’t mean to imply we should sit around and wait to fix our systems just so we can cover all the bases. We need to make sure as we apply new measures we continue to evaluate where we may get hit next. Also, we need to remain on guard for a change in tactics and watch incoming traffic for new patterns. Just like a game of chess we need to see our opponents next moves before they do, otherwise we are just tossing resources with no hope for returns.

The man who skipped ahead in the drive thru was in a rush and was more concerned about his time than that of all the people in line. Had he waited a few more seconds and not reacted out of haste everyone could have had their order and been on their way. Instead, the people who were patient ended up victims. Mr Breakdown ended up spending a lot of money he didn’t have to in order to make his point. The point being their was a higher cost to everyone based on one bad decision. Keeping a level head is what will keep professionalism in information security, and information security a valuable asset to our organizations.