Administration & Latin

This morning I read yesterday’s SANS News Bites (http://www.sans.org/newsletters/newsbites/ retrieved 3/4/2015) and was struck by a comment authored by Stephen Northcutt:  “Every month that goes by I see the similarity of cyber-security and the medical field. Primum non nocere.”  Personally I see more similarities between cyber security and safety, but his point that practitioners of cyber security must primum non nocere is true, and holds up well in the arena of securing industrial control systems too.  As cyber security is often seen as a loss prevention program first, a practitioner’s credibility with decision makers must be strong in order to persuade an organization to tolerate the inconvenience and spend the resources required to achieve the organization’s security objectives.  Doing harm is a quick way to destroy credibility.

Moving on, I’d like to record a few Latin phrases that I like, and that may prove useful in the day-to-day life of a controls engineer or a cyber security practitioner.

1.  Primum non nocere – First, do no harm  (https://en.wikipedia.org/wiki/Primum_non_nocere retrieved 3/4/2015).  Carried a bit further from the same source:  Another way to state it is that, “given an existing problem, it may be better not to do something, or even to do nothing, than to risk causing more harm than good.”

2.  Este Paratus – Be prepared (https://en.wikipedia.org/wiki/Scout_Motto#Motto_in_various_languages retrieved 3/4/2015).  I frequently find this in my work with the Boy Scouts of America.  Robert Baden-Powell explains the meaning more fully as “The Scout Motto is: BE PREPARED which means you are always in a state of readiness in mind and body to do your DUTY.”

And last but certainly not least:

3.  Semper Virilis – Always manly (http://www.artofmanliness.com/2014/06/09/semper-virilis-a-roadmap-to-manhood-in-the-21st-century/ retrieved 3/4/2015).  I have to include this simply because it’s cool.  I have to read the full article, but at the moment I think that a great deal of this concept can be summed up by this quote from the same source: “Some say that only a sucker would try to be his best when it isn’t required of him, when you can get ahead by simply getting by. That trying to be a man these days will simply get you taken advantage of by a system that no longer appreciates the effort.”

In closing I leave with a quote that isn’t in Latin, yet.  There is a rock that sits on my desk which bears a quote ascribed to George S. Patton.  “If a man does his best what else is there?”  Someday I’ll find the Latin.

Raspbian Support

As I was exploring the configuration details for the DHCP Server daemon on Raspbian, to be used on my Raspberry Pi, I discovered that there is a line between the hardware (Raspberry Pi) and the operating system (Raspbian).  They are not developed or supported by the same organization.  So if I buy a Raspberry Pi I can presume that a portion of that money proceeds to the Raspberry Pi Foundation (http://www.raspberrypi.org/about/ visited 2/25/2015).

If I choose to proceed with the Raspbian distribution, which is my first choice as it is “a free operating system based on Debian optimized for the Raspberry Pi hardware” (http://www.raspbian.org/ visited 2/25/2015), then how does this development get funded?  By donations, of course.  So this post documents where I can send those donations:

http://www.raspbian.org/RaspbianDonate visited 2/25/2015

I’ll probably make my first donation tonight, so as to get things started.

Black Swan Events

Today I was reading a review of the book Security Metrics: Replacing Fear, Uncertainty and Doubt (2007, Andrew Jaquith) and found this interesting use of the black swan concept:

The “black swan event” term was made famous by Nassim Nicholas Taleb in his 2007 book “The Black Swan: The Impact of the Highly Improbable.” For some organizations, computer breaches are black swan events that Taleb describes as “outliers that carry extreme impact.” They are outliers because the chances of something like that happening to your network are pretty small, but when it does, the cost to your organization is extreme.  [http://researchcenter.paloaltonetworks.com/2014/01/cybersecurity-canon-security-metrics/#more-4523]

The author of the review brought this concept up to support the larger point that applying statistical risk analysis to black swan events is pointless at best and misleading at worst because the data about these events is statistically insignificant.  Computer breaches beyond the routine random collateral damage caused by malicious code should best be managed by building robust, resilient systems that are supported by capable incident detection and response programs.

Laboratory Goals & Objectives

A large part of the reason for this blog is to chronicle progress of my laboratory activities.  Another part is to support the grimoire<1> that I’m building which details the lessons learned (how to do a specific task) and the specific configuration details of the laboratory, charity, & home environments.  The first step is to define the things I want from the experience, so here goes.

  1. Set up services on a Raspberry Pi for use as a home / laboratory server
    • DHCP Addressing, with reservations
    • DNS Resolution, with caching and forwarding to OpenDNS
    • Syslog Log Management, with retention & removal of aged logs
  2. Learn Python, especially for scripting (e.g., a script to remove aged log files)
  3. Set up time-ranges on a firewall (control outbound traffic in conjunction with DHCP reservations)
  4. Set up VPN access to the firewall from the Internet (including hairpin provision of HTTP services)
  5. Learn Security Onion for intrusion detection
    • Workstation
    • Sensors (perhaps deployed on Raspberry Pis)
    • Server (to collect data for future review) – Maybe
  6. Use Git to manage configuration files, scripts, and documentation.  Especially formats and reusable items.
  7. Use FreeRADIUS to manage authentication to network devices.  Maybe even wireless authentication someday.
  8. Set up a blog to share and provide high-level documentation of everything (here we are!) [Blog exists on 2/16/2015, lots of details to fill in]

At this point I have a Cisco ASA 5505 firewall and one Raspberry Pi.  As I accomplish the objectives in the list I’ll italicize them and smile at my progress.  Once they are complete I’ll build a new list.  Which probably means I’ll need to set up a location for potential future items; watch for a future post on that topic!

 

1.  See the article “Why you need a Grimoire – How to use technical ‘black magic’ in your hacking sessions” by Leviathan, published in 2600 The Hacker Quarterly, Volume 27 Issue 2, Summer 2010.  http://advancedphotosolutions.blogspot.com/2010/07/why-you-need-grimoire.html

Happy People – Good business

From Scrum: The Art of Doing Twice the Work in Half the Time [Jeff Sutherland, Crown Business, New York 2014  ISBN:978-0-385-34646-7]

“What are the things that actually make people happy?  They’re the same things that make great teams: autonomy, mastery, and purpose.  Or to say it more expansively, it’s the ability to control your own destiny, it’s the feeling that you’re getting better at something, and it’s knowing that you’re serving something bigger than yourself.”

This leads to a pretty short list of things that can define an individual’s happiness on a team at work:

1.  Do you control the outcome of the work?

2.  Are you getting better at the work over time?  Are you learning new skills, or better mastering existing ones?

3.  Is the world a better place because the work is done?  Does the work contribute to something beyond simply making money?

This last point dovetails into another quote I read somewhere, which I don’t entirely remember.  In short, the idea is that businesses exist to make money while people want to do good works.  Businesses which make money while their employees do good works should become powerful and exciting places to work, even Excellent à la Tom Peters’ work in the 1990s (In Search of Excellence).