Friday, April 24, 2015

"The Frugal CISO" by Kerry Anderson

Currently I am reading thru Kerry Ann Anderson's The Frugal CISO (CRC Press, 2014).

I am always on the lookout for good infosec books, and one area that I think is under served are those that are aimed at the top-level security professional on how to implement a good information security program.

This one I had discovered thanks to a related article the author had in a recent issue of the ISACA Journal on information security maturity models ("From Here to Maturity—Managing the
Information Security Life Cycle" v6, 2014). She makes use of the Nolan Model, which I wasn't familiar with (being more familiar with the CMM/CMMI based models).  The article was interesting, and I wanted to know more on the idea and she spends a chapter on this concept, which is good.  I think this would be a better maturity model for infosec groups to use then a CMM-based one.

I am currently reading thru the book, basically jumping around based on my interests.  What I see is pretty good.  She has stuff on hiring and building an infosec team, policies, controls, and more.  Her main theme overall is being frugal, being smart with you are spending money on, an important concept in today's cost-cutting attitude.

This is not a full review of the book.  I will probably post something like that later on.

Monday, April 13, 2015

Resources for the NIST CSF

At the recent Security BSides Orlando conference, I gave a talk on the NIST Cybersecurity Framework (NIST CSF).

As an aide to that talk, here are a collection of resources on the CSF.

Security BSides Orlando 2015 Report

This past weekend, April 11 & 12 2015, we had the third Security BSides Orlando.  This was my second BSides Orlando and this year I also presented.  For those that may have missed it, this is my report of the event.

Sadly, I was not able to attend on Saturday, due to another event I went to.  I was disappointed by that, as there were a few talks I wanted to attend.  Each day there was a keynote, along with a second keynote on Saturday.  Talks were organized into 2 physical tracks, and the topics fell into one of 4 broad areas:  Foundations, Construction, Wrecking Ball, and Ground Truth.  Foundations was the more intro topics, construction built on that with tools, techniques, knowledge to build your program, Wrecking Ball was the red teaming, awesome tools, and Ground Truth was innovative comp sci/math.

In addition, there were all-afternoon workshops, 2 each day, a lockpick village all day each day, and the Capture the Flag game both days.

Friday, April 3, 2015

SFISSA's 2015 Anniversary Party/Hack the Flag event

The South Florida Chapter of ISSA is celebrating their 15th Anniversary this year.

Every year an event they put on is the Hack the Flag/Chili Cookoff.  At this event, they usually have 2 "hack the flag" events, one for beginners and another advanced.  The advanced game had been done by our local friends at Kommand && KonTroll CTF (part of HackMiami).