Quick hit on some things for reading up on control system security. One of my favorites is Krutz, R., (2006) “Securing SCADA Systems”. This particular book is older, but it has a great section on comparing ICS security protocols. Meant…
Category: Enterprise Risk Management
Analysis of risk and the principles of mitigation using metrics and evidence rooted in causal analysis to protect and defend the enterprise.
Don’t be that guy: Try promoting professionalism and empathy
I’ve hired a lot of people. Between academia, government, and industry I’ve been on hundreds of hiring boards. I’ve been junior enough to be a primary assessor and senior enough to rate other people’s skill at hiring. I like building…
Humans, networks, and visualizing risk to the network
Risk is made of disparate components that technologists inherently understand. Decision makers and corporate staff who are not necessarily fluent in technology are often left flummoxed by the technobabble. As technologists and information security practitioners, it is important to think…
Infosec Risk Management (graphic)
2014 Indianapolis Summit: Threat trends to the enterprise
Slides of my presentation today at the Indianapolis Summit. 2014 November Indianapolis Summit Threat Trends
Lightweight portable threat intelligence for the enterprise
Does your enterprise threat intelligence feed get you down? Does the wide-ranging list of IPs, URLs, and other IOCs make you feel bloated? Do you have acronym fatigue? Then you should get lightweight portable threat intelligence for the enterprise. It…
Let’s #FixIt: Information security and the fud of the breach
If I told you tomorrow that a major corporation was going to be breached and a huge volume of credit cards or personally identifiable information was going to be released, you would not be surprised. “What is the big deal”,…
Strategic information security: Enterprise asset control and response
What do we mean when we say strategic? Usually the people talking about strategic effort are more interested in effects than in the actual activity of strategic decision making. Most assuredly, strategic leadership that is poor can have just as…
Research note: Strategic compression and the future of information security
In the world of strategic theory there are many pages and gallons of ink extolling the relative merits of various historical figures’ thinking. I don’t discount the relative merits of Clausewitz or Sun Tzu, but in each entity’s time their…
Events over time as applied to OSI 7 layer model…
If you track the events reported (insert numerous caveats), they can be associated with a particular OSI layer and give you an idea of what is going on year to year. However, even with this raw data you can see significant…
Risk management notes: Diagram of explanation of analysis
Based on the McCumber Cube model, the IBM ring model of operating systems, and the OSI 7 Layer model. Still to be done: figure out the metrics and feeder mechanisms.
The affair, Snowden, effects, outcomes, plans
It won’t take very long looking at the news from the last few days to realize there is something up in the media. Greenwald at the Guardian has been trickling out a series of stories on the NSA via the…
Experienced Rider Course: Considering risk in the activity of motorcycling
This past weekend I woke in the early morning around 4AM, climbed on my motorcycle, and rode from West Lafayette down to Evansville. On the border of Indiana and Kentucky I took a minor extension to my route and crossed…
Thinking about risk: Active defense
If we can agree… (e.g. the Ryan and Ryan heuristic). Then most policy, mechanisms, and effort have in the past been aimed at decreasing vulnerabilities. FISMA, IAVAs, patches, etc. are all part of the mitigation of vulnerabilities. They are not countermeasures. This was…
When critical infrastructure is no longer a target then commodity infrastructure suffices
With the current list of critical infrastructures inclusive of electricity generation, telecommunication, water, transportation, and financial services, you would think society has identified key risk points. I think that would be false. Though key resources are identified for each of…