Showing posts from 2008

Capsaicin Headaches, Take 2

Well, now I am at about the 3 month mark in my experiment (eliminating capsaicin from my diet) and I have had a total of 4 headaches in the last three months and all but one were deliberately triggered. This is fascinating to me, as I wonder how many people are suffering the same as I am! ...and I'll tell you what, the idea of taking a capsaicin spray and sticking it up my nose as a "cure" scares the crap outta me. I sure hope it works for other folks who are having a different problem than I, but for me I think I would prolly be in so much pain I would put a bullet through my skull. Short update, and I'm grateful. I feel SOOOOO much better. 4 months ago I would not have even dared to dream I could be headache free for even so much as two weeks in a row...

Capsaicin Intolerance

Okay, so this is neither about God, nor is it about security, but it's too important for me to not post, so here goes. I have had debilitating headaches for years. Probably 6 or 7. They would typically hit one side of my head, often behind the eye, or to the side at the temple. My neck would sometimes hurt as if it were "out of whack". For years I had a "cure." I would take 3 Advil and one red Sudafed pill, then I would lie on my back for 45 minutes. It seemed that, usually, at the 45 minute mark I would feel my sinuses crackle and drain, and my headache would go away. Recently, about a year ago, this stopped working. I'd still do it, in hopes that it was lessening the pain, but it became a case of having to wait them out. This was unfortunate, as they used to also disappear without treatment overnight. Now, they would last for over 24 hours with alarming regularity. They were also happening much more frequently. What used to be an occasional (eve

Hacking Exposed and Customer Focus

Recently (yesterday) I had the opportunity to chat over a meal with George Kurtz, a Senior Vice President and general manager in charge of McAfee's Risk and Compliance unit (whew, that's a mouthful). In attendance were a small number of other CSOs (or equivalent) and we listened to George, also a co-founder of Foundstone, the premier vulnerability scanning solution. We also bounced some ideas back and forth and generally shared information like good stewards of our respective enterprises. So, keep in mind that McAfee is a vendor. They sell products and services. I found it fascinating that one of the most common themes to the questions was not technology, rather it was something relating to the "human" side of information security. Questions such as: how can we justify headcount? who dictates policy? how do we show value to management? I find this interesting for two reasons. One: security people often tend to be caricatures of other IT folks. Even more &


Okay, so after years of putting off taking the CISSP examination (read: trying to get someone else to pay for it) I finally scheduled my exam and took it in April. There are plenty of posts about it, and I don't want to duplicate what others have said, so I'll just put in this small bit: If you can regularly pass the FreePracticeTest exams online with an 80 or higher, then you are most of the way there. I don't think I ran into a single question on FreePracticeTests (FPT) that was on the actual exam, but they give a *great* feel for what to expect. This means, however, that just learning the answers to FPT won't do you any good. In my case, I had 10+ years of dedicated info security experience by the time I took the test, plus years of consulting and SA/SE work prior to that, so there was little on there to surprise me. What I did was go out and buy Shon Harris' excellent book and read the chapter titles to see what areas I seemed lacking in (based on the FPT).

Security Incident Cost BS

Sometimes the obvious isn't. Apparently. An organization I'm familiar with recently had a small "virus" outbreak. It wasn't really a virus, but I'll call it that for simplicity. This "virus", though it infected over a score of computers, was largely held at bay due to defense-in-depth. It couldn't communicate with the outside world because of our firewalls and some local policy stuff on the workstations, but it *did* infect them in such a way that McAfee couldn't find them. It took an analysis of firewall logs to track the compromised systems down. All well and good. Nothing new. Now, we have an estimate of how much this incident "cost" the organization. I was peripheral to the cost calculation, but it seemed based on a simple I-CAMP model (here's a good article on it from 2002) where you take the time people put into remediating the issue, and multiply by their wage. Thus, 5 administrators who each put in 10 hours at