donderdag 16 april 2015

open letter to the ISC2 Membership

Disclaimer

I was an ISC2 Board Member from January 1st 2012 until December 2014. I am an ISC2 Member in good standing. I am, at this moment, not working for ISC2, with ISC2, or in any other fashion associated with ISC2. This letter represents my personal opinion only. It does not reflect the opinion of any organization I have been, am, or will be associated with.

That said ...

Good morning, good evening, or good night,

As an ISC2 Member, there is a good chance that you will find yourself in San Francisco, California next week. I understand that your agenda is full of awesome events, some professional and some a little less so, but I think it is important to realize that the events in and around the Moscone Center are the ideal venue to interact with the organization you are a proud member of, and with its Board members.

While I am sad to learn that ISC2 is not organizing a townhall meeting this year, there are still plenty of opportunities to meet them, get to know them, and to let them know how you feel as a member. 

ISC2 will be on the expo floor at booths #108 and #109. Additionally, there is a member reception on Wednesday April 22nd that you can RSVP for. There are undoubtedly alternative venues where you will run into representatives of the organization, especially the board members (<- it makes sense to familiarize yourself with their faces if you aren't already).

As members, first and foremost, we have all committed to being part of, and contributing to, the membership. As such we bear a responsibility to want better for ourselves. While I am personally not going to be in San Francisco with you, I would like to take the time to suggest some questions you can ask your Board members in case you meet them, or if you find yourself at a venue where you can interact with them.

Before I kick off, allow me to make one suggestion. In the event that you run into a member of ISC2 staff or a member of management, please take the time to give them a hug and thank them for the work they do every single day for you.

1. The ISC2 Bylaws are 10 years old. As the primary document that governs the organization and its Board, I feel it is up for a thorough review. As an example, what was a mostly US-centric organization in 2004 is now a fully international organization with a global membership. What are you, as a Board, doing to govern yourself in order to make this organization successful? What are you, as a Board, doing to keep our Bylaws up to date with today's reality? How can I, as a member, help with that?

2. As a member, I believe that ISC2 misses a lot of opportunities to provide value to its membership. What are you, as a Board, doing to ensure that the organization is able to develop initiatives that benefit the membership? What can I expect over the next few months and years as a member? How can I contribute to that?

3. As a member, I believe I am under-informed about what the organization does. Your last publication of annual meeting minutes happened in 2014, your last annual report was published in 2012. What are you, as a Board, doing to inform the membership about the organization, its financial health, the strategic initiatives, and how I can become more involved to contribute to the success of the organization and of us as the membership?

Now obviously, you will be challenged in San Francisco. I am the first to admit that there's more opportunity to be distracted than there is to stay focused. I also believe that as an ISC2 member, you owe it to yourself to ask these, and more questions. 

If you choose not to, I'd suggest you spend $85 in one of the awesome establishments you can find and consider to skip your next AMF payment.

In any case, enjoy the opportunity to spend time with your peers at RSAC and thank you for your contributions to make this digital world a safer place.

Sincerely,
Wim

maandag 13 april 2015

7 things in regards to conference calls

1. Being on time is being too late. You join conference calls 5 (FIVE) minutes beforehand, any later is too late. There can be some technical issues y'all need to root out.

2. Use a freaking phone. Most every conference call system has local/international dial-in numbers. Don't use Skype or other VoIP Systems. 

3. If you use a mobile phone, USE A FREAKING HEADSET.

4. There is NO REASON to use speakerphone functionality. NONE!

5. Use a phone that you can mute. We're not interested in what happens in your open space office or your living room. You can unmute yourself when you need to speak. At any other time, MUTE! MUTE! MUTE!

6. Be in a place where you work. Real office, home office, hotel room. Those are about the only places where you should be to do a conference call. Bar, playground, movie theater, your car, amusement park, casino, massage parlor, the gym? HELL NO! 

7. Be prepared. This should be a given, but especially in a meeting where you can't see each other, being prepared is not only courtesy, it is a must.
 

donderdag 12 februari 2015

(ISC)2's "Vulnerability Central" - what it is and what it isn't

[disclaimer: until December 31st I was a member of the (ISC)2 Board of Directors. My posts here are my personal opinion and not necessarily shared by any of the current Directors or the organization]

[disclaimer 2: I've personally written cve-search, a tool that enables you to do much of the same. Most of the recent development has been done by Alexandre Dulaunoy. You can find cve-search here: https://github.com/wimremes/cve-search. The goal of cve-search was to enable local lookup rather than using the internet. Alexandre has done an amazing job in adding features and functionality. I'm still amazed how open sourcing my crude script made it into such an awesome tool.]

(ISC)2 has recently launched "Vulnerability Central", a service for members at no additional cost that provides a feed of vulnerabilities and other information that they could use to stay up to date on recent vulnerabilities, threat reports, etc. etc. The service is offered through a company called Cytenna about which I unfortunately have not found much information apart from the fact that they exist and the following statement on their website:
"Cytenna was originally conceived in the research laboratories of InferLink Corporation. We are constantly innovating to provide our clients with better ways to connect the dots in an ever-rising sea of information."

Today I browsed through the functionality offered through the (ISC)2 portal and here is what I found:

  • The initial information feed (mostly composed of CVEs but it also contains data from other sources) is well laid-out. When clicking on an item, the information displayed is very much summarized. You'll have to click on the external links to get more information. That seems a bit weird because most of the information is public so it would make sense to incorporate it in the Vulnerability Central UI.
  • Filtering, it does it. One of the most important features of this type of tool is customization. This can be done by editing your profile. You can basically tell the tool to filter only the information that you want to see based on keywords and keyphrases. This is good. I'd appreciate some more granularity or even different profiles (I could be a consultant working with/for different clients). One thing that hit me on the main page is that I can filter by "Show starred". It took me a while to understand what that meant and how I could "star" an item. Unfortunately I have to first open an item and then star it. I can not star items on the main page. This partially breaks the usefulness of the star feature. What is positive is that I can easily switch between filter modes (all, profile, starred). This would become even more powerful with the support of multiple profiles or filters.
  • I have to log in with my (ISC)2 credentials. This is understandable because it is a member benefit but at the same time it limits the usability of the tool. If I want to use it, I'm restricted to the website and in a time of APIs and mobile applications that greatly limits how I can consume information. Support for API keys would be a definite plus here.
  • Vulnerability Central doesn't only provide vulnerability information, it also has a "News" and "Reports" section. Unfortunately those are hidden at the bottom of the page. They should have prominence at the top of the page. The "News" section provides links to security-relevant articles and the "Reports" section centralizes links to vendor and independent reports.
  • The information seems to be fairly up to date. I have not done extensive analysis of the accuracy but given that it is mostly based on public information, I think there should be no problem there.
  • There currently is no ability to export data sets. This should be #1 on the feature road map without any debate. If I am only able to consume the information on the website, its value drops to 0 immediately. Need.That.Yesterday!
Now I am sure that the usefulness of this new member benefit depends on how well you have built out your own information feed over the past years. It is by no means a panacea for your security information needs and in its current version it is by no means perfect.

Apart from my own tool, I am a big fan of www.cvedetails.com and OSVDB. Both offer similar functionality based on different data sets.

However, this tool is now available to 100,000 members across the globe. If you are a member, you should explore it, use it and provide (ISC)2 with your feedback. What is good and what is not? What feature are you missing and how can it be more useful to YOU? If they listen, Vulnerability Central has the potential of turning into a must-have tool in the chest of (ISC)2 members and even change how you work today.

The beauty of being part of a membership organization is that you directly benefit from the contributions of fellow members. The downside (or should I say opportunity?) is that your fellow members count on you to do the same.


maandag 19 januari 2015

Can we ... do better?

Disclaimer: In this blogpost I analyse one particular blogpost. This is not a personal attack against the author of said blogpost nor is it a value judgement against the content produced or the platform it is hosted on. Rather, the content analysed is relevant to a point I want to make and the who and what is secondary to that point. If anyone wants to use this to turn it into an ordinary flame war, go right ahead. I have bronchitis and as such I ain't got time for dat (1).

Disclaimer 2: This is my personal blog. It does not represent the opinion of any organisation that I am affiliated with. At best I have talked this through with my cat, who wholeheartedly agreed with me (but only when offered a considerable amount of treats).(2)

That said, here we go.

As a community, we have been looking for ways to reach outside the "echo chamber" for quite a while now. There have been concerted initiatives and some individuals have gone out on their own to carry out the messages we/they believe are important for the general public, governments and industries. This in itself is not a bad thing were it not that the only industry that seems to capitalise on this trend is the media industry (and by extension, the ad networks). Under pressure of time, people are rushed into voicing opinions rather than speaking from experience. After all, we have ads to sell ... good enough is OK!

I personally believe that we, as an industry, can do better. It's OK to say no to a media outlet. It's OK to embargo a post until you've found the time to make it valuable to your target audience. It's OK to value quality over quantity. It's OK to keep the standard high.

The article that triggered my outrage today was titled "Will 2015 Be the Year We Say Goodbye to Passwords?". It is hosted on CSOOnline which, by its own words, tries to achieve the following:

CSO provides news, analysis and research on a broad range of security and risk management topics. Areas of focus include information security, physical security, business continuity, identity and access management, loss prevention and more.
The answer to the question posed in the title of the article obviously is a resounding "hell no!" but allow me to dig further.

First: the target audience. On a platform that calls itself CSOOnline, one would expect the content to be geared towards Chief Security Officers. One would expect the analysis and research to be of value for a person (m/f) who is known to have little time for useless diatribe and/or clickbait. I, for one, would expect data-driven analysis followed by solid recommendations and actionable information. I, obviously, expected too much :(

Already in the first paragraph, we change the original question (it was the title of the article FFS!) to "With this in mind will 2015 be the year that two-step authentication and non-standard password security methods like biometrics become the norm for forward-thinking businesses?" Maybe asking a question in the title isn't that smart if you're not going to answer it anyway.

2FA or two-step authentication and biometrics do not REPLACE passwords. They perpetuate their use! They obviously increase the challenge for attackers to gain access to a system, but that's nothing new.

This is the moment where we digress into a load of missed opportunities ... I illustrate.

Other forms of two factor authentication include the use of security tokens, similar to the RSA SecurID tokens, or using biometrics such as peoples’ fingerprints, retina scanning or other items unique to them. Apple for example have introduced fingerprint readers to unlock their latest range of iPhones.

What is interesting from the above developments is that it brings two factor authentication, previously an area mainly reserved for corporates, into the consumer arena. While this acceptance may make it easier for businesses to introduce two factor authentication to their workforce it may still be a number of years before we see this adoption take place. 
Wrong ... Apple's introduction of fingerprint readers and their related APIs has ALREADY brought biometric authentication to the consumer, and adoption is happening RIGHT NOW. As an example, my bank leverages Touch ID to allow me to authenticate on my mobile banking application. This is NOW, not years from now! The audience for this article may be interested to know that they too can leverage this right now with very little effort. Missed opportunity #1. But who cares?

Let's continue:
Passwords, for all their weaknesses and issues, have the big advantage of being a very cost effective way of securing systems. Implementing and managing two factor authentication systems can introduce a lot of extra costs and overheads for companies to employ. Because of this the use of passwords will continue to be a necessary evil. 
What we need to do is educate users on how to select and use passwords securely, for them to use password managers to help them cope with the multitude of passwords they may have to use, and get companies to properly secure the passwords being used to access their systems.
This is probably the paragraph that irked me the most. We are talking to a CSO audience and all we can tell them is to tell users how to select "secure passwords" and to use "password managers"? Really? I've personally worked in complex IDM architectures for quite a while and I've custom built centralised authentication/authorization systems in heterogeneous IT environments from scratch. With all due respect, these recommendations don't cut it.

We are talking to an audience that, today, is responsible for a diverse set of technologies they didn't choose. An audience that is pressured into adopting cloud-based solutions to enable business units to do their actual job and keep their companies competitive. An audience that is challenged to respond to complex architecture questions and all we can tell them is to use stronger passwords and password managers? No, just no.

I agree that our challenge exists in breaking down very complex solutions into understandable chunks of information on an executive level but, in all honesty, you cannot address the password issue without talking about consolidation of directories (reducing the potential points of failure!), federated authentication and single sign-on. This doesn't mean you have to quote RFCs on SAML, OAuth, etc., but if our common goal is to reduce the noise and to increase the signal, we have to start by being honest with ourselves and with our audience.

The article at hand is opinion more than it is something that shares experience/knowledge. As professionals we should hold ourselves to a higher standard when addressing the audience we care so much about. Next time when asked to write an article or partake in an interview or panel, I will ask myself "am I truly the person they want to talk about this subject" instead of letting my vanity get the better of me.

We can do better and we should.


(1) your messages of sympathy are much appreciated but I don't actually have bronchitis!! You just missed the Sweet Brown reference.
(2) I don't actually have a cat.

vrijdag 10 oktober 2014

"Hackin" ATMs isn't magic ...

Over the past few weeks, not a day passed without a news outlet or an AV vendor coming up with another post or article on ATM hacking. Today was no different.

Network World published an elaborate article that drew attention to a "mysterious" DLL (msxfs.dll) that allowed the "hackers" to interact with the ATM's pin pad.

“Analyzing the code, we started wondering how the malware author knows which pin pad service name to provide to the API so that the program is able to interact with the pin pad device,” the F-Secure researchers said in a blog post, noting that Microsoft doesn’t provide any official documentation for this library’s functions. “It’s a valid question because the pin pad service name used in the code is quite unique and it is very unlikely one can figure out the service name without documentation.”
Now allow me to bring us down from the lala wonderland of AV blog posts.

First things first: Microsoft does not provide any official documentation for this library's functions ... because it is not a Microsoft library. The library is the result of the CEN Workshop on eXtensions for Financial Services (WS/XFS), the body that specifies the API through which ATM applications talk to devices such as the pin pad, card reader and cash dispenser.

The fundamental aims of the XFS Workshop are to promote a clear and unambiguous specification for both service providers and application developers. This has been achieved to date by sub groups working electronically and quarterly meetings. 

You can find their website here : http://www.cen.eu/work/areas/ict/ebusiness/pages/ws-xfs.aspx

On it you will find both the documentation of the API and the MSI package to install msxfs.dll on your system. Granted, most ATM vendors integrate this into their product, but it's not hard to analyze the DLL itself ... if you want to (I'm not gonna do it here for you; magazines have ads to sell and AV vendors have products to sell, so I'll give them the opportunity to do just that).

Now, there is indeed little documentation available for this version of the API beyond what you need as a programmer, but there is more for the Java version (J/XFS). To be found here : http://www.cen.eu/work/areas/ICT/eBusiness/Pages/WS-J-XFS.aspx.

The latest version of the documentation for the "base architecture" (2009) has some interesting paragraphs that you can ponder from a security point of view, specifically under point 2.17:

The access control for the device (i.e. the authorization to access a specific function in the J/XFS API) has to be controlled by the calling application and the network software. In the current CWA 12345 no support for login and user rights administration is supported. Also, it may be desirable to encrypt all data which is sent over the LAN between the workstations and the server, as well as between the peer-workstations sharing a device using J/XFS. 
This is, however, also not a task defined in the CWA 12345. It is rather left to the TCP/IP installation and add-on security products to ensure that the data transfer is secure. We assume that a solution to this is or will be available for use without the necessity to change the J/XFS structure. One possible option here would be to use RMI over SSL. 

TL;DR : the API through which ANY application running on the box behind an ATM can drive its devices provides NO authentication, NO authorization and NO encryption. Rather, it offloads that responsibility to the "TCP/IP installation and add-on security products", i.e. to whatever the platform and the vendor put around it. That is the part an attacker with code execution on the ATM PC gets for free, and it is the part that needs protecting.

Maybe this post can help us narrow down where the work to protect our ATMs should start and maybe ... we don't need to do weird searches on Baidu to understand what we're looking at.
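If the API itself does no authorization, the first question on an ATM host is which processes can actually reach it. The PowerShell below is an added example, not code from the original post or from CEN: it enumerates every process that has the XFS manager (msxfs.dll) loaded and flags those not on an allowlist. The allowlist names (VendorAtmApp.exe, VendorXfsSupervisor.exe) are placeholders I assumed; replace them with the real ATM application binaries for the platform you are checking.

```powershell
# Added example (not from the original post): find every process on an ATM host that has
# loaded the XFS manager, msxfs.dll, and flag the ones that are not the vendor's own software.
# The allowlist is an assumption; the image names below are placeholders.

function Get-XfsClient {
    param(
        [string[]] $AllowedImage = @('VendorAtmApp.exe', 'VendorXfsSupervisor.exe')  # placeholders
    )

    foreach ($p in Get-Process) {
        # Module enumeration fails for protected processes and, from 32-bit PowerShell,
        # for 64-bit processes. Treat those as "could not inspect", not as clean.
        try {
            $mods = Get-Process -Id $p.Id -Module -ErrorAction Stop
        } catch {
            Write-Verbose ("pid {0} ({1}): could not enumerate modules" -f $p.Id, $p.ProcessName)
            continue
        }

        $xfs = $mods | Where-Object { $_.ModuleName -ieq 'msxfs.dll' } | Select-Object -First 1
        if (-not $xfs) { continue }

        $image = $p.ProcessName + '.exe'
        [pscustomobject]@{
            Pid       = $p.Id
            Image     = $image
            ImagePath = $p.Path
            XfsDll    = $xfs.FileName          # where msxfs.dll was loaded from
            Allowed   = [bool]($AllowedImage -icontains $image)
        }
    }
}

# Usage: list everything that can talk to the XFS manager, then warn on the unexpected ones.
$clients = Get-XfsClient
$clients | Sort-Object Allowed, Image | Format-Table -AutoSize
foreach ($c in ($clients | Where-Object { -not $_.Allowed })) {
    Write-Warning ("Unexpected XFS client: pid {0} {1} ({2})" -f $c.Pid, $c.Image, $c.ImagePath)
}
```

Run it from a 64-bit, elevated PowerShell on the ATM PC itself. It only sees processes that have the manager loaded at the moment you run it, so it is a point-in-time check and a baseline for what "normal" looks like, not a control; the durable control the CWA text hands to the platform is restricting which code can run on that box in the first place.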

Cheers,
Wim

PS : Oh, instead of vendor-specific programming guides, maybe the Kaspersky guys want to look at the official Pin Keypad Device Interface ... it's not that hard of a read once you've found it ;-)

dinsdag 7 oktober 2014

3 years flew by ... looking back and looking forward

[Note that I am speaking for myself and not for the (ISC)2 Board of Directors or (ISC)2 as an organization. I believe that 3 years after being elected, it is my responsibility to tell you what we have done and what we have achieved. Feel free to ask questions in the comments or on twitter (@wimremes). While I am restricted in what I can say, I will definitely try to answer as many questions as possible. Again, this is my personal perception and opinion.]

It's a bit more than 3 years ago that I decided to run a petition to be added to the (ISC)2 Board of Directors election slate. It's a bit more than 3 years ago that more than 500 members supported that petition and allowed me to be elected that same year. After effectively joining the board in January 2012, I went to work. After all, more than 500 members supported me on a platform of change and I was eager to follow through on that.

Today it is time to look back and see what we have done. I can't stress enough how important the "we" is in this endeavor. It isn't just me, it is me as part of a team of 13 board members. It is "we", as (ISC)2 is an organization with more than 100 employees across the globe. It is "we", as (ISC)2 has more than 100,000 members today. But it is me that made a commitment to you when I launched my petition. And it is me that owes you some feedback and reflection.

It was no secret that I joined the (ISC)2 board on a platform of change. All joking aside, it isn't easy to walk into a boardroom with a "here I am, let's change things!" attitude. I didn't do that. My first task was to understand what the board did, what the organization did and how I could help to make that better, taking into account that platform and the continuous feedback from (ISC)2 members around the globe. Today I look back and I see that I moved from being that "rogue element" to getting elected as Chairperson of the board earlier this year. This, to me, confirms that I've managed to build the bridge between the opposing voices (including my own) that supported my petition and all other walks of life and opinions within the organization and the membership. It's an incredible honor to me to lead the board and I can't be more proud of the team we are currently working with.

Since I joined the board, we truly have come a long way. We have built on what was already in the works and worked diligently to do even more. To me it started with ratifying our new member-focused strategy in April 2012. Since then, (ISC)2 has further engaged with its membership and the security community.

A first example is found in the (ISC)2 chapters. Varying in size between more than 4000 members (South Korea) and fewer than 15 members (Ethiopia), they have become a platform where members (and non-members) can exchange experience and knowledge. Maybe more importantly, they have become an important source of feedback for the organization and the board. They allow us to better understand the needs of our membership and their regional intricacies. Empowering our regional offices in the UK, Hong Kong and China has, in my opinion, resulted in better regional integration and an ability to adapt to the needs and differences.

A second example is found in the CPE opportunities. (ISC)2 has worked with several non-profit events and conferences to enable them to submit CPEs for attending members. Where it was mostly up to the member to submit CPEs manually and only large and commercial events would auto-submit, there are now Security B-Sides events that auto-submit CPEs. I believe this brings more diversity into the CPE opportunities. Additionally, we have worked with different organizations to offer even more CPE opportunities to our members. One such example, which is near and dear to my heart, is BugCrowd. If an (ISC)2 member becomes a member of BugCrowd, they will get CPEs for every bug they submit through the BugCrowd Bug Bounties. While still in an early stage, I think this is a prime example of where we are going with CPE opportunities.

A third example comes in the form of community outreach. I fondly remember taking part of the (ISC)2 team to their first 44Cafe (hat tip to Steve Lord and his amazing crew) and DC4420 (DEFCON London chapter) meeting in April 2012. Since then the organization has supported B-Sides events and other community efforts around the globe. Being there and keeping a finger on the pulse of the community once again is an incredibly valuable source of information for the organization and for the board. This too allowed us to better understand the membership and the community.

Then come our credentials. (ISC)2 has diligently worked to review and keep its credentials up to date. This will be very clear in 2015 when the reviewed versions of the CISSP and SSCP are launched. At the same time, we have launched the HCISPP (healthcare) credential and the CCFP (forensics). The latter is the first credential that is rolled out regionally, as local laws are elementary to the practice. Are we done yet? No! Are we on the right track? I certainly believe so.

Lastly I must talk about the (ISC)2 Foundation, which is effectively a separate 501(c)(3) organization. The Foundation grants scholarships globally to students who are focusing on information security. With the scholarships alone, we have allowed people who would otherwise not be able to fund it themselves to pursue their dream and join the information security workforce. By the same token, the Foundation allows our members to give back to their communities and society through the Safe and Secure Online (SSO) program. This program provides learning materials to teach children, teachers and parents about online security and safe use of social networks. This is possible through the donations and effort of individuals and the support of bigger organizations. You can find out more about the Foundation here : https://www.isc2cares.org/Default.aspx.

Now obviously I will be up for re-election come December. I couldn't be more grateful if I'm allowed to continue the work we have done in the past 3 years, and I'd welcome your support to make that happen. I truly believe that (ISC)2 is well-positioned to keep going on its current momentum. While the subtle tweaks on the underlying machinery are difficult to quantify and their effect only visible further down the path, I am convinced that this organization is going nowhere but up.

I come to realize that I could easily write a book about the past 3 years of being involved with this organization. I can only hope it would be the first chapter of an even longer book.

Cheers,
Wim



donderdag 9 januari 2014

Can we stop losing?

To whomever this may concern,

This is a personal post in so much that I need to make clear that I am not speaking for my employer or any other organization that I may be affiliated with. It is also personal on a level where I will not go into discussions in comments, on twitter or any other forum than face to face meetings. However, I think it is important enough to put this out there.

I have lost acquaintances, colleagues, friends. I have not lost them because of fate. I have lost them for stupid reasons. I have lost peers for things that I, we, could have prevented or at least I think I, we, could have. I am DONE with losing people I love for the wrong reasons. I hope WE are done with losing people for the wrong reasons.

My experience with losing started at a rather young age. I was working at my first employer when we were all gathered in a meeting room as we came in on a fateful morning. Some of us were sure that they were going to be fired, some of us were excited because maybe we would get a raise. Nobody was prepared to hear that one of our colleagues had lost his life when he crashed his car into a lighting pole very early in the morning. I was shocked, not surprised. A few weeks prior to his death we had been on the road for an engagement in a remote part of the country. While I was driving, this guy started to roll a joint and it was his clear intention to light it. As I was the lead on this engagement I told him not to, but he laughed at me and lit it nonetheless. I kindly asked him to put it out or I would have to remove him from the car. He obviously thought it was funny enough, until I stopped the car and told him to get out. After he got out I returned to the office, told my boss what had happened and somebody went to pick him up. He wasn't fired, just reprimanded. To this day I believe I did the right thing. It's obvious that a joint didn't kill this person; not enough people being available to him to guide him about his substance abuse did. I'm also pretty sure that it wasn't just weed. It doesn't really matter WHAT it was, I lost a friend and an awesome colleague.

We have lost enough people for stupid reasons. We have lost enough people because I, we, fail to notice subtle changes in behavior. We have lost people because they felt lost. I believe everybody has at least this one person they can think of right now and say "I wish he or she was still here. I wish I could've helped". I want this to stop.

Over the years I have also witnessed substance abuse in our community and the stupid things people do to "fit in". It doesn't get more pathetic than seeing a dude fake snorting a line of coke to make sure he remained "one of them". I've seen alcohol, weed, cocaine and heroin do things to people you wouldn't wish to your worst enemies. I've seen a lack of support and understanding do the same.

I'm the first to admit that I like to get my drink on. Damn, I've got more than enough stories to fill a pretty funny book. However, I can count the times that I was absolutely and utterly shitfaced on one hand. In almost 22 years that I'm legally allowed to drink.

So, from here on going forward I won't stop being the guy that wants to have fun. But I will be that guy that asks if you are ok. I will also be that guy that takes you aside and says "I think you had enough". Fuck, I will probably ruin your night but only because I don't want to see you ruin your life. 

I will definitely be that guy that you can call 24/7/365 because I don't want to lose anymore. I hate losing, I want us all to win.