From Jack’s site:

Below are the five candidates I am aware of, in alphabetical order:

• Tadd Axon
• email: isc2bodpetition@tadda.org
• website: https://sites.google.com/a/tadda.org/isc2petition/
• Seth Hardy
• email:  shardy@asymptotic.ca 
• website:  http://sethforisc2board.org
• Javed Ikbal
• email: javed@bodelection.com 
• website: http://bodelection.com
• Rolf Moulton
• email:  rolf.moulton@boardcandidate.com 
• website:  http://www.boardcandidate.com
• Wim Remes
• email: wim@remes-it.be 
• website:  http://blog.remes-it.be/petition.html

I’ve seen a few attempts at joining the ISC2 Board of Directors over the last few years, but unluckily I’ve never heard of most of the people who apply.  And to make matters worse, it’s incredibly difficult to get a seat on the Board unless you’re endorsed by current members of the Board.  So when I see someone I know of who’s preparing to take a run at the windmill again, I’m more than willing to help by putting my support behind them.  This year, Wim Remes is running for the Board and I’m going to support him and hope other CISSP’s will consider backing him as well.  I don’t know him personally, but given the interactions I’ve had with him on-line and the endorsements he’s already received from people I trust, I’m willing to take a chance.

Support Wim Remes by sending an e-mail from your e-mail address registered with ISC2 mentioning your NAME, EMAIL ADDRESS and CERTIFICATION NUMBER to wim@remes-it.be

I wanted to take a moment to make everyone aware of a very useful site I found several years ago that’s helpful when getting involved in argumentation of any sort.  It is the Nizkor Project listing of logical fallacies.  I find it helps me a lot to be able to identify and call out specific logical fallacies, at least to myself, and it helps in forming the response to these logical fallacies.  As is often the case in online forums, the person guilty of the fallacies is either unaware of committing the fallacies in the first place or mistakes these fallacies for honest communication.  In either case, conversations with this sort of individual often devolves into appeals to emotion or ad hominem attacks.  I wanted to take some time this morning to point out a few of the fallacies that seem to be more common on this forum:

http://www.nizkor.org/features/fallacies/

First, the ad hominem attack itself:  http://www.nizkor.org/features/fallacies/ad-hominem.html
This is an attack on the person who’s making the argument rather than the argument itself, aka name calling.  This is also mirrored by the personal attack fallacy (http://www.nizkor.org/features/fallacies/personal-attack.html) where the person claims that any argumentation is a personal attack against them.  This is also related to the appeal to pity, aka ‘They’re picking on me, therefore they must be wrong’ http://www.nizkor.org/features/fallacies/appeal-to-pity.html

The second fallacy I often see is the red herring (http://www.nizkor.org/features/fallacies/red-herring.html)  The answers that are sent to the forum have little or no relation to
the question that was asked.  This can be an innocent case of missing the point or it can be an example of purposefully leading the conversation away from the subject that was originally brought up.  If you see “you’re missing the point” in a reply, this is often the fallacy that was committed.

Another common fallacy on this forum is the appeal to authority (http://www.nizkor.org/features/fallacies/appeal-to-authority.html)  We’re all experts of one level or another in this forum, otherwise we should never have been awarded our CISSP’s in the first place.  However, we sometimes try to falsely extend our authority in one area to cover areas that are tangential to our areas of expertise in was that are not appropriate.  Another example of this is citing vague articles or standards as supporting our cause when they really don’t have any direct bearing on the argument.  For example, just because Bruce Schneier is a respected author and cryptographer, he could not by any means be considered an expert on securing an Exchange server.  Another part of this fallacy that’s common is expecting that just because we hold certificates in certain disciplines, that we’re actually experts in that discipline.  A doctor who graduated at the bottom 5% of his class still graduated after all.

A final fallacy to think on, not because it’s especially common on the forum, but because it’s especially common in our lives in general is the appeal to common practice (http://www.nizkor.org/features/fallacies/appeal-to-common-practice.html)  Everyone is doing it, so it can’t be that bad, can it?  This is a fallacy that should be avoided in every aspect of life, not just security.  As parents have been asking their kids for eons, “If every one of your friends jumped off a cliff, would you jump too?”.  Everyone has a firewall at the perimeter of their network; does that make a firewall a best practice or does that just mean that it’s what people are doing because everyone else is doing it?  It may be the best thing to do in your situation, but unless you evaluate it based on your circumstances rather than what others do, you’ll never know.

I try not to make the mistake of ad hominem attacks, I try to attack a person’s argument whenever possible.  This is not always possible as the number of fallacies in a response rise and overwhelm any content that may be contained in a response.  Rather than continue down a path of personal attacks and appeals to emotion, I try to bow out of the conversation at that point.  But I’m not perfect. Next time you send a reply to the list, take a few minutes to check your logic and see if you’re committing any of these common fallacies.  It will help make your point and increase your standing with your colleagues.  Failure to do so can hurt your standing in the community greatly.

Thank you,

Martin

Thanks Rob!

CISSP Song
Lyrics by Rob Slade slade@victoria.tc.ca

Sung to the tune of “The Major General’s Song,” from
“Pirates of Penzance,” by Gilbert and Sullivan [1]

CISSP (solo):
I am a Certifiable Security Professional
I’ve countermeasures physical, administrative, technical
I know the ports of TCP and backdoors with malign intent
And survey risk analysis to prove the safeguards wisely spent
I’m very well acquainted, too, with matters of the blackhat crew
Attendance on the IRC phrack channel makes my colleagues stew
With viruses and zero days I’m teeming with a lot o’ news,
With many cheerful facts about the weaknesses in Usenet news

CIO Chorus:
With many cheerful facts about the weaknesses in Usenet news (etc.)

CISSP:
I’m very good at ACLs and mandatory access modes
I know the disassembled names of CPU compare opcodes
In short, in matters physical, administrative, technical
I am the very model of an infosec professional!

Chorus:
In short, in matters physical, administrative, technical
He is the very model of an infosec professional!

CISSP:
I know our mythic history, LaPadula, Biba, and Bell
I know the biometric facts, memorized CERs as well
I understand the lattice, roles, rules, and discretion base
And pseudorandomize my keys to maximize the address space
I’ve tokens, tickets, one-time passwords, smart cards and a kerberos
And Centralized Remote Authentication to remove the dross
I’m proof against the DoS, Man-in-the-Middle and brute force attacks
My proprietary off-the-shelf stuff’s licenced and it never cracks.

Chorus:
His proprietary off-the-shelf’s all licenced and it never cracks.

CISSP:
My audit logs are analysed, detect intrusions evey time
My legal counsel’s up to date with all the best computer crime
In short, in matters physical, administrative, technical
I am the very model of an infosec professional!

Chorus:
In short, in matters physical, administrative, technical
He is the very model of an infosec professional!

CISSP:
In fact when I know what is meant by “data link” and “twisted pair”
When I can tell a fibre optic cable from a trigger hair
When Internet Explorer I no longer use the Web to surf
Or let my users chat on IRC on all my network turf
When I have learnt that firewalls can filter out the packets bad
When I know that the guy with foreign bank accounts might be a cad
In short when I’ve a wee bit of professional paranoia
You’ll say a better CISSP has never addressed yuh.

Chorus:
You’ll say a better CISSP has never addressed yuh.

CISSP:
For my security training, managerial though it may be
Lacks practical direction and real-world applicability
But still, in matters physical, administrative, technical
I am the very model of an infosec professional!

Chorus:
But still, in matters physical, administrative, technical
He is the very model of an infosec professional!

NSP-RSAC2010-ISC2.mp3

I’ve been amazed at some of the subject lines I see, as well as what I see in the preview of the email.  There’s no way I’m going to click on any of them to find out what else is in the spam, because it’s just not worth the risk.  But I do have to say that my favorite subject line so far is “Thanks for contributing to our financial success”.  It’s honest and straight forward even if it is just an attempt to rip off people around the globe.

On a side note, I used to clean out my spam folder every couple of days, but in March I started letting them accumulate and get deleted automatically when they’ve aged 30 days.  It’s been interesting watching the number of spams spike and drop.  At one point I had gathered nearly 9000 spams in a 30 day period, which works out to an average of 300 spams a day.   Personally, that means about 60% of my email is spam, a far lower percentage of spam than most people see.  I guess being subscribed to ten or so mailing lists had to have some benefit.

Mine is just a single data point, compared to the millions some anti-spam vendors get to see.  But I like having a personal high water mark to compare to what the vendors are reporting. I’m not a spam expert, so it’s interesting to see new spam subjects that companies like  F-secure report.  Anyone else out there keep track of the spam they receive for fun?

Technorati Tags: security, spam, McKeay

This is just one more reason to never respond directly to any request from a merchant or bank that comes to you in the form of an email.  As always, if you think an email alert is real, open a browser window and manually type in your bank’s URL, never click on the link in the email. 

Technorati Tags: security, McKeay, AT&T, phishing

This was done as part of a penatration test, with the full approval of the company that was attacked.  But is it really safe for anyone to assume that the any media you find laying around was lost, not placed there on purpose?  This really would be a good way to target almost any company you might want to mention.  It’s so much safer to always assume a malicious intent and take the proper precautions than it is to assume innocence.  This is why I always get so angry when businesses talk about stolen laptops and the thieves not knowing what they have.  You have to assume malicious intent and prove that none exists, not the other way around.

Technorati Tags: security, USB drive, social engineering

Technorati Tags: security, Okopipi, spam