Be a good observer: The primary skill of a security analyst

The late author Douglas Adams would have been a great security analyst. His writing style, like that of many successful authors, forged detailed images in the reader’s mind with easily understood, information-packed prose. The key to much of his writing is the use of such detail without boring or over-burdening the reader. The result was rich text which, much like Ansel Adams’ photography, brought out the subject of the print by including detail from the objects surrounding it. The detail was not ancillary to the subject; it enriched it. Consider this excerpt from one of Adams’ last releases:

Accidental FUD

I recently attended a threat intelligence briefing in Atlanta to get some last-minute CPEs, have a free lunch, hobnob with my colleagues in the area, and learn a thing or two from those who spend time in the company of hackers. The presentations at the briefing were given by various research staff from the vendor and covered topics like advances in Advanced Persistent Threat detection and eradication, low-level training materials created and used by the Anonymous collective, and other trends from the dark side of the internet. Surprisingly, the most interesting part of the afternoon was not focused on the hackers or hacks themselves, but on news reporters who uncritically cover unconfirmed and unsubstantiated reports of compromise, hacks, and vulnerabilities. These reporters appear to stumble upon claims that flash the magic keywords that strike fear in the public and, in what I can only assume is the best interest of public awareness, rush to press with an incomplete and uncritical parroting of the claims made by the source. The resulting Fear, Uncertainty, and Doubt (FUD) adds noise to an already noisy landscape of threats, countermeasures and compromise.

Compliance vs. Security

At work today, I found myself fighting the same battle again, the battle I have faced at this job more often than in any past role: the battle between being “Compliant” and being “Secure”.

In 2009, Heartland Data Systems reported that they had been breached to the tune of more than 130 million credit card records. The company held all of the appropriate certifications and attestations stating that it was compliant with the PCI DSS and had passed other security controls tests. Even with the controls associated with the DSS in place, however, its defenses were weak enough that it was breached.

Google Scholar search
In scientific circles, papers are published in peer-reviewed journals. Scientists write up their latest research, and those papers are made available for others in the field to read, comment upon, and validate. You can find papers on many subjects in the Google Scholar search tool. Since my wife is on a health food kick (and, kicking and screaming, so am I), I typed in “tofu” and sorted by date to find:

In a word: “Yuck”.