CISO

Cyber security podcasts I listen to

by Dave Farquhar
March 24, 2016June 13, 2017

Yesterday, after reading a post in which I cautioned about a popular security podcast, someone asked me what cyber security podcasts I do listen to. I wrote this up a long time ago and never posted it for some reason, so now I’m correcting the oversight. Here’s my collection of the best of the best security podcasts.

These are the security podcasts I’ve been listening to for several years now and continue to recommend. Security podcasts are a good way to keep in touch with current issues, and also a good way to get continuing education.

How do you conduct yourself as a security professional?

by Dave Farquhar
July 9, 2015October 5, 2018

At a recent job interview, the CISO asked me a really good question that I wish more people would ask.

He asked me how I conduct myself as a security professional when dealing with the rest of IT.

Three things to remember from Verizon’s Data Brach Investigations Report

by Dave Farquhar
April 20, 2015April 18, 2015

Every year around this time, Verizon releases its Data Breach Investigations Report, referred to in the trade as simply the “DBIR.” Verizon is one of two companies you call if you’ve been breached and you really want to get to the bottom of what happened and try to keep it from happening again. (Mandiant is the other.)

My CISO hates this year’s edition because of its Joy Division-inspired cover and some of the cutesy writing. But it still makes some valid points that I wish everyone would take to heart–and those points remind me why so many people in my field of work listen to Joy Division.

Lenovo’s preinstalled Superfish spyware: A post-mortem

by Dave Farquhar
February 20, 2015February 19, 2015

So, if you haven’t heard by now, last year Lenovo experimented with preloading its cheapest laptops with spyware that subverts HTTPS, allowing a third party to inject ads on any web page, and providing a convenient place for an attacker to hide behind while messing with your secure transactions.

By the end of the day yesterday, Lenovo had apologized, sort of, and after several sites had provided removal instructions, Lenovo provided its own. After spending much of the day downplaying the security concerns, by the end of the day they were at least reluctantly acknowledging them.

This was really bad, and I’ll explain why in a second, and I’ll also try to explain why Lenovo did it.

How to become an Info Assurance Analyst

by Dave Farquhar
February 11, 2015November 30, 2016

So, CNN/Money ran a story on the best 100 jobs in the United States, based on pay, projected job growth over the next 10 years, and quality of life ratings. And there was my job title, at #9. I think you should want to become one, so here’s how to become an Info Assurance Analyst.

The field desperately needs more of us, so I’m happy to share with you how to become someone like me.Read More »How to become an Info Assurance Analyst

IT jobs shortage? Slide over to security

by Dave Farquhar
September 8, 2014November 20, 2018

IT jobs are getting scarce again, and I believe it. I don’t have a cure but I have a suggestion: Specialize. Specifically, specialize in security.

Why? Turnover. Turnover in my department is rampant, because other companies offer my coworkers more money, a promotion, or something tangible to come work for them. I asked our CISO point blank if he’s worried. He said unemployment in security is 0.6 percent, so this is normal. What we have to do is develop security people, because there aren’t enough of them.

I made that transition, largely by accident, so I’ll offer some advice.Read More »IT jobs shortage? Slide over to security

How to measure the effectiveness of a security program

by Dave Farquhar
June 27, 2014June 23, 2014

On a recent episode of Down the Rabbit Hole, Rafal Los and James Jardine asked CISO-turned-CIO Joe Riesberg how he measures the effectiveness of a security program. He came up with five things, which are pretty much how we measure our effectiveness where I work too. That’s a pretty good indicator.Read More »How to measure the effectiveness of a security program

Chasing dreams

by Dave Farquhar
June 19, 2014June 17, 2014

Lifehacker says to follow your skills rather than chasing your dreams.

There’s something to this. Two years ago I had a job writing security documentation. The CISO where I work now didn’t want to hire me because he was sure I already had my dream job and I’d just go back. On paper, it should have been my dream job, but I was beyond miserable. I was writing and editing for an audience of three people, and the environment was toxic. I woke up literally every morning thinking, “I didn’t study all day every day for three months to pass a 250-question 6-hour test to do this.”

Today I manage Windows patches. On paper it’s the most boring job in the world. But I’m happier than I’ve ever been. I’m up for the mandatory midyear review, and though I’ve only been at the job for four months, I have to provide a six-month review. I can’t fit my four months of accomplishments on a single sheet of paper. I wake up every morning ready to seize the day and accomplish something.Read More »Chasing dreams

IT security vs. the construction industry

by Dave Farquhar
April 24, 2014April 22, 2014

On the Risky Business podcast last week, Andrew Wilson, the CEO of Australian cryptography gear maker Senetas, stated that many businesses see the bad things that happen from poor IT security as just a cost of doing business.

Nothing revolutionary there. We’ve all seen it. Target is paying a steep price right now, but what about Michaels and Nieman Marcus? They got breached at the same time as Target, and nobody’s talking about them. Maybe Target thinks the cost of doing business got too high, and they’ve hired a CISO and I hear they’re hiring lots of new security personnel–I have coworkers and former coworkers in the Minneapolis area who tell me as much–but for Michaels and Nieman Marcus, the cost, at least so far, appears to have been manageable.

But Wilson added something that I hadn’t heard anywhere else before. Fifty years ago, he said, construction workers dying while building a large building was considered a cost of doing business. Fifty years ago that was normal. Today it’s unacceptable.

Why it’s a good idea to schedule your router to reboot

by Dave Farquhar
February 19, 2014March 3, 2019

Many routers, notably Belkins, have a feature in them to schedule an automatic reboot periodically, usually once a week. Frequently this “feature” is there as a workaround, because something about the router’s software gets unreliable if it’s been running longer than a week. So it’s a kludge, but it keeps the thing working without a lot of effort, so the feature is there.

The respectably rock-solid DD-WRT also has the ability to schedule a reboot built in. I don’t know if it’s there to make life easier for developers, or if it’s there to deal with second-rate hardware, or if there was a time when it was necessary and they just never took the feature back out. Regardless, it’s there, though many DD-WRT stalwarts brag about never needing it because their router’s uptime is more than six years.

It’s fun to get into uptime contests, but it’s poor security. If you have a router, it’s a good idea to be rebooting it every so often, so you might as well turn on that feature, even if it costs you some pride.Read More »Why it’s a good idea to schedule your router to reboot