Risks and Rewards
May 27th, 2007 by John Gerber
“Far better is it to dare mighty things, to win glorious triumphs even though checkered by failure than to take rank with those poor spirits who neither enjoy much nor suffer much because they live in the grey twilight that knows neither victory nor defeat.” — Theodore Roosevelt

I am, and will always be, an O’Reilly Media, Inc. fan. The Camel Book for Perl 4 was my introduction to Perl. I was working as a graduate student in my university’s Research Services department. We were receiving professors’ vitae, putting them into RTF format, and looking for a way to parse through them. The ultimate goal was to automate the matching of their work against research grants. This was back before the web, in the time of Gopher. I took home the Perl 4 book that Friday and by Monday morning I had a program to parse through the RTFs.
One of the things that I think about frequently as I listen to folks talk about security is that many people forget the fact that information technology exists to help us do something. Security’s job is to figure out how to allow the task to be done while minimizing risk. If implementing security only results in a company being unable to advance, security has failed the company. It is like the old analogy about security being the brakes on the corporate car. To quote Ron Woerner of the Security Catalyst:
Brakes allow the driver to go faster, have more control and go where they want to go safely. While brakes are an inhibitor, they actually allow the driver to reach their destination in a safe, yet quick manner.
Imagine driving without them. You’d be a nervous wreck. (Okay, maybe not you, but most of us would be.) You’d go really slow; be afraid of changing directions; and feel stressed. Think: the only way to stop is to crash into something.
In the paragraphs above, replace brakes with security (meaning security controls and processes) and driver with your organization’s name. Isn’t the concept the same? Security allows the user (driver) to reach their goal (destination) in a safe, yet quick manner. If you (security professionals) and your customers (users) are doing it right, security should allow the business to go faster, have control, and reach their goals safely without crashing.
Don Ulsch, technology risk management director in the Boston office of Jefferson Wells, told security executives during a lunchtime presentation that “many people blog from work and mobile platforms and that’s very bad.” He went on to categorize blogs as one of the bad guys’ tools. Alan Shimel, chief strategy officer for StillSecure, addresses Don’s statement in his blog post, “Don Ulsch, keep the FUD to yourself.” Don’s job is to see emerging threats, and he makes the point that blogs represent a possible source of data leakage. This is a case where risk needs to be weighed against reward. That is Alan’s point. I listen to the “StillSecure, After All These Years” podcast and I read Alan’s blog. I am aware of his company StillSecure, and I have respect for the people he works with. I think Alan has demonstrated how useful the latest technology can be if you do not allow risk to stop your company from utilizing such technology. Sure, you want to minimize risk, but it is about balance. You cannot allow the mere existence of risk to stop you from doing your business efficiently.
For this reason, I feel that one of the most important qualities in a security professional is the ability to keep up with the latest technologies. We need to know the tools our organizations will be using in order to understand the risks involved. I am thankful to O’Reilly for helping me do my best to stay current on developments in IT. I read the O’Reilly Radar blog daily. I listen to the Distributing the Future podcast. Finally, I am a subscriber to Safari Books Online. When Tim O’Reilly speaks, I listen.
I have a confession, and I hope Tim does not feel I am stepping out on him. Occasionally, I will check out what books the Pragmatic Programmers, LLC might have. A while back, I bought the online version of the book by Dave Thomas and David Heinemeier Hansson, “Agile Web Development with Rails, Second Edition.” I found the web site to be very professional and well done. This is what you want to see in a publisher that sells books on web development. They have continued to provide free updates to the book. Considering the changing nature of agile web development, I have been very appreciative of that.
I also recently purchased the electronic version of Harlan Carvey’s book, “Windows Forensic Analysis DVD Toolkit.” It is a great book. Syngress’ site is not as slick as the Pragmatic Programmers’ site; I purchased from Syngress only because Harlan has produced such a great book. If you want to get a feel for Harlan’s technical and writing capabilities, check out his blog, Windows Incident Response.
Right now, I am sitting at work finishing up the printing of some documents. While it might be nice to have documents in PDF format for searching and for the convenience of carrying them around on a USB stick, I like to read hardcopy. While printing, I also have my MP3 player. I was listening to podcasts until I figured I would post a blog entry while waiting for my documents to finish printing. My phone and MP3 player are capable of making voice recordings, which I occasionally use to record notes to myself. I don’t think Don would approve. The question is how much safer the company would be versus how much less productive I would be if these technologies were eliminated.
Here are a few other documents I am printing:
- OCEG Foundation Guidelines Red Book
- Guide to NIST Information Security Documents
- COBIT 4.1
- IT Governance Implementation Guide
- IT Assurance Guide
- Version Control with Subversion
What a way to spend Sunday.