The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes Book Review

Working as a Software Architect one of the main concerns we always have is Security. At an application level that can usually be easily implemented if you are up to speed with the latest industry standards and best practices for the technology you are working in. Working as an Enterprise Architect, security becomes a much broader subject. Insider threats become part of the picture and there is no cookie cutter solution for them. I have seen plenty of potential issues thwarted, and over the years working as a consultant I have witnessed plenty of successful insider attacks. One of my first experiences with insider threat was when I was still in the engineering field. We used an email product called Pega eMail. A few of us discovered that no password was required to log into another person's email if it was done in a certain way. We would do goofy stuff like rename each other's folders to stupid names. We got bored with it in about a day and forgot about it. As time went on our company was purchased by an England company. The new parent company sent in a new president. One of the new president's jobs was to reorganize. People were let go and offices were moved. Some of the people in one of the departments decided they wanted the inside scoop. Apparently they had learned about the email trick. They began reading all the new presidents emails. From what I heard one of them mentioned something in a meeting that was confidential between the new president and the company's London office. The IT security team started to investigate and discovered the email product flaw. They then monitored the IP logging into the presidents email and discovered the entire department was guilty. One Friday afternoon they were all escorted out of the building. I have experienced several insider threat scenarios but the worst one was at a small company that decided it was a good idea to hire a hacker to be the lead network administrator. At the time he was very good at hacking, but not so good with ethical hacking. Actually he wasn't so good with ethics at all. I am pretty sure he had a drug problem also. Either that or he was just downright nuts. He came and went as he pleased. In the weeks leading up to the incident he was missing for days at a time. When he did show up, it was better to avoid him. He was a mess. They eventually called him in and told him he had to straighten up, or else. He politely apologized, said no problem, and proceeded to change all the network and server passwords and remove everyone else's access. He then disappeared for good. It took the company a few days to figure out what had happened. There only choice was to completely rebuild a mirror company infrastructure. It took weeks and cost them a ton of cash. That is just two of many things I have witnessed over the years as a consultant. You like to think you work with people you can trust, but everyone has the potential for having an off day and making a bad choice. The problem is being able to identify those individuals that are heading towards their bad day and their bad decision. This book is a tremendous resource in helping with that. Below are the chapters and appendices included in the book. Chapter 1: Overview Chapter 2: Insider IT Sabotage Chapter 3: Insider Theft of Intellectual Property Chapter 4: Insider Fraud Chapter 5: Insider Threat Issues in the Software Development Life Cycle Chapter 6: Best Practices for the Prevention and Detection of Insider Threats Chapter 7: Technical Insider Threat Controls Chapter 8: Case Examples Chapter 9: Conclusion and Miscellaneous Issues Appendix A: Insider Threat Center Products and Services Appendix B: Deeper Dive into the Data Appendix C: CyberSecurity Watch Survey Appendix D: Insider Threat Database Structure Appendix E: Insider Threat Training Simulation: MERIT InterActive Appendix F: System Dynamics Background This book has categorized insider threats into IT Sabotage, theft of intellectual property (IP), and fraud. After the introduction in chapter 1 the book has a chapter on each category. It mainly covers attacks by current and former employees, contractors, and trusted business partners. They each cover patterns related to the crimes and offer mitigation strategies. Insider IT Sabotage covers patterns like Personal Predispositions, Disgruntlement and Unmet Expectations, Behavioral Precursors, Stressful Events, Technical Precursors and Access Paths, and The Trust Trap. Some of the mitigation strategies include Handling Disgruntlement through Positive Intervention, Eliminating Unknown Access Paths, A Risk-Based Approach to Prioritizing Alerts, Measures upon Demotion or Termination, and Test Backup and Recovery Process. Insider Theft of Intellectual Property patterns include Insider Contribution and Entitlement, Insider Dissatisfaction, Insider Theft and Deception, Insider Planning of Theft, and Increasing Access. This chapter also cover the who, what, and why of the crimes. Some of the mitigation strategies covered include Network Data Exfiltration, Host Data Exfiltration, Physical Exfiltration, Exfiltration of Specific Types of IP, and Concealment. Insider Fraud patterns include Origins of Fraud, Outsider Facilitation, Recruiting Other Insiders into the Scheme, and Insider Stressors. This chapter also includes a cool who, why, what, and how section. This chapter countermeasure such as watching out for Inadequate Auditing of Critical and Irregular Processes, Employee/Coworker Susceptibility to Recruitment, Financial Problems, and Excessive Access Privilege. The authors use MERIT (Management and Education of the Risk of Insider Threat) diagrams to design the most effective mitigation strategies. They really help put the threat into context. The really cool thing about the MERIT diagrams in the book is that they are mirrors of actual working system dynamics models. I wish these models were available for download. The chapter on Insider Threat Issues in the Software Development Life Cycle really points out the importance of following a good SDLC and how a an inadequate job of following one can later lead to exploitations. It covers topics like Separation of Duties, Automated Data Integrity Checks, Exception Handling, Code Reviews, Attribution, System Deployment, and Backups. Best Practices for the Prevention and Detection of Insider Threats is worth the price of the book. It covers 15 practices. A few of them include Consider Threats from Insiders and Business Partners in Enterprise-Wide Risk Assessments, Institute Periodic Security Awareness Training for All Employees, Anticipate and Manage Negative Workplace Issues, and Monitor and Respond to Suspicious or Disruptive Behavior, Beginning with the Hiring Process. Each principle includes section explaining what you can do, and offers a case study to give you an example of what can happen if you don't. One of the things I like most about this book is all the examples that are included. They are very interesting. They help to put you in the shoes of a person that may commit a crime. They really will help you identify and head off attacks. The CERT Insider Threat Center has a ton of additional information available. You can learn a lot form the site, but I highly recommend reading the book. It has put everything together in one place in a logical reading order. Over all I think every single person that has anything to do with IT should read this book. Even if you don't deal with sensitive data, you are at risk for sabotage.

The CERT Guide to Insider Threats: How to Prevent, Detect, and Respond to Information Technology Crimes (Theft, Sabotage, Fraud) (SEI Series in Software Engineering)

Succeeding with Agile: Software Development Using Scrum Book Review

I have been implementing and improving development processes for a while now. Either directly when I am brought in as a Software Process Engineer, or indirectly when I am brought in as a Software Architect. I have not been involved with process improvement on all my engagements. The ones I was not involved with already had a decent development process in place, or they already had an initiative underway. I have never personally led a process improvement initiative to a Scrum implementation. I always implement a configurable process repository that allows for everything from OpenUP, to UP, to RUP. I have never had the request for Scrum nor have I tried to sell it as an option. The main reason for that is until recently I have found it to be incomplete when it came to enterprise scale. The Scaled Agile Framework has taken the initiative and filled in the gaps. The book Agile Software Requirements: Lean Requirements Practices for Teams, Programs, and the Enterprise does a great job of covering the Scaled Agile Framework. I have seen Scrum attempted multiple times. Depending on the perspective they all failed and they all succeeded. Watching from the sidelines, our consult team's view was they failed miserably, but according to the internal managers that made the choice to go with Scrum they were a huge success. Depending on who was asking the development team, us or the managers, they had completely different answers. The most important party, the end user, saw no change to the quality of software delivered or slightly worse quality. They were never the wiser that the team was attempting Scrum, so their opinion didn't matter. What? Yep, in every single attempt I have witnessed the end user's role didn't change. Neither did the upper management, sales, or marketing. It was a development level attempt to implement a bottom up change that requires change at every level of any decent size organization. I don't have to really go into any more detail explaining why the initiatives failed. By the way, if you are sitting there thinking, 'I must have missed something, why did they fail?', you absolutely must read this book!!! This book is down to earth does not just regurgitate Scrum practices, it provides tons of advice and examples from past experience. The book is for all levels of individuals and teams involved with or thinking about getting involved with Scrum. The book is broken down into five parts. Getting Started, Individuals, Teams, The Organization, and Next Steps. The chapter's titles are self explanatory. I have listed them by part below. Part I: Getting Started- Why Becoming Agile Is Hard (But Worth It), ADAPTing to Scrum, Patterns for Adopting Scrum, Iterating Toward Agility, Your First Projects Part II: Individuals- Overcoming Resistance, New Roles, Changed Roles, Technical Practices Part III: Teams- Team Structure, Teamwork, Leading a Self-Organizing Team, The Product Backlog, Sprints, Planning, Quality Part IV: The Organization- Scaling Scrum, Distributed Teams, Coexisting with Other Approaches, Human Resources, Facilities, and the PMO Part V: Next Steps- Seeing How Far You’ve Come, You’re Not Done Yet Every chapter gives in depth coverage of the topics included. What I like best about the book is all the examples the author includes from past experience. There is only two ways of gaining experience, gain by doing and learning yourself, or learning from others that are willing to share theirs with you. The author offers every ounce of his experience he has with both successes and failures. He does not pull punches. He gives accurate full accounts of the reasons for both. There wasn't a chapter I did not enjoy or did not find valuable, but I really liked part two, Individuals. The first chapter in part two is Overcoming Resistance. I have experienced everything the author highlights in this chapter when I am involved with process improvement. You will need the advice offered in this chapter to succeed. People do not like change even when it is for the better. There will be those that make it their mission to sabotage your efforts. Another really important chapter in part two is Changing Roles. Not only is it important to understand what is changing about the roles, but also understand the ones being eliminated, like the project manager. Although the project manager is being eliminated the responsibilities are not. In Scrum most of the responsibility is transferred to the team. This can be a major issue if the team can't handle them. You need to be careful to not just blindly axe the project manager. Every time I have seen Scrum attempted the project managers are simply give the role of ScrumMaster. The problem I have seen though, is that they don't change anything they are doing. You don't have to do away with project managers, but at a minimum a name change is recommend. The author includes a great explanation as to why in this chapter. The chapter discusses changes to Analysts, Project Managers, Architects, Functional Managers, Programmers, Database Administrators, Testers and User Experience Designers. Another thing I like about this book is that the author does not lose sight of the enterprise. He covers several topics throughout the book that enable scale and organization wide implementation. You may get lucky and Scrum may take off like wild fire after you have a small successful project, but odds are it will not. The author covers Enterprise Transition Community, scaling Scrum, distributed teams, epics, themes, and Scrum of Scrums. There is nothing I can think of that I would have liked to see included that wasn't. This is one of the most enjoyable reads I have read in a while. The author's writing style is great. All the stories from past experience really help you to put the subject being covered into context. The stories also keep it interesting. All in all I highly recommend this book to anyone getting involved with, or already involved with Scrum. It is an absolute must read!!!

Succeeding with Agile: Software Development Using Scrum

Warning about Pro Silverlight 5 in C# Publishing Issue - NO COLOR

I just wanted to give everyone a heads up that Pro Silverlight 5 in C# is not printed in color. The cover has the full color inside advertisement, but the book I received today is only in black and white.

I am hoping this was a printer error because one of the things that made this book a really nice read was the color.  I have contacted the author and the publisher and will update this post as I receive feedback.

I am sure the content is still great, and I will follow up with a full review after I have had the chance to read it, but I wanted to get a warning out.

UPDATE
Looks like this version will be black and white. I must say I hope the printing process is improved because as it is the code in the book was made for color, and printed in grey scale makes it practically unreadable. I do want to say everyone involved was helpful.  Apress gave me an ebook version and Amazon sent a second book thinking the first one was just a mistake.

From Apress:
We're very sorry about this; what you saw - and experienced - is the result of a mistake on our part, pure and simple. The print version of the book is grayscale, while the eBook version is in full color. If the grayscale version is not suitable for your needs, we recommend you seek a refund from the vendor who sold you the book. We have begun the process of altering the cover for a new print run, and changing the preview images available at sites such as amazon.com.

TFS Process Template Content Comparison - Scrum 1.0 vs Agile Software Development v5.0 vs CMMI Process Improvement v5.0

I recently had to decide which base template I wanted to use for a TFS project. I had not looked at the templates for a while and wanted to compare them to each other. I ended up just taking screenshots for each category's tab. You can check them out in this PDF.

The Definitive Guide to HTML5 Book Review

Although I started with Cold Fusion for application development, I did plenty brochureware sites with HTML. I believe the version was HTML 2.0 for IE 2.0. I lived in the browser world for years doing Cold Fusion, ASP, and HTML sites. When winforms and Smart Client with Web Services emerged I changed my religion. I have been avoiding the browser whenever possible since. For the past couple of years my extent of using simple HTML has been limited to writing blogs and book reviews. Simple HTML means no ASP.NET or ASP.NET MVC. With all the HTML5 hype I figured I would take some time and read a few books on it. This one is my third and I have one more on the way. So far I have found HTML5 is no different than any other version with respect to the way its capabilities are implemented and where it belongs when architecting a solution. It is far reaching, but if you want a rich HTML5 UI you will be writing a lot of JavaScript and CSS. It really can't be helped, that has always been the real skin and muscle on the HTML skeleton. HTML5, JavaScript, and CSS are broad subjects. This book can help the beginner learn HTML5, JavaScript, and CSS and it can serve as a nice reference for the experienced developer. This tome definitely delivers a lot of information. There are getting started chapters for beginner on HTML5, JavaScript, and CSS. They are followed by a chapter that puts all the elements the book covers into context. Meaning there are tables showing which elements are used for metadata, text, grouping, sectioning, tables, forms, and embedding. The book continues with chapters covering Creating HTML Documents, Marking Up Text, Grouping Content, Creating Sections, Working with Tables, Working with Forms, Customizing the Input Element, Other Forms Elements & Input Validation, and Embedding Content. The chapters list above are followed by an in-depth treatment of CSS and JavaScript. There are 16 chapters covering the topics in great detail. The author then moves into more advanced features. It covers using ajax, multimedia, the canvas, drag and drop, geolocation, web storage, and creating offline applications. The one thing the book does not do is stray from core browser capabilities. However, the author points out when using advanced libraries like jQuery would be advantageous. I am glad the author handled it this way. Instead of glossing over topics that need a complete book to cover completely, he kept the scope limit allow for more in-depth coverage of core browser capabilities. The authors writing style is great, but the book also makes a great reference. Tons of tables and a nice index helps you to find things quickly. The code is organized in folders by chapter. It is all usable and works like it is supposed to. I know this sounds like something that is just expected, but there have been some book's code I have downloaded that was disorganized to the point of being unusable. In a book like this, accompanying code is an important aspect. If you are doing, or considering doing HTML5 development, you own it to yourself to have this book by your side. I highly recommend it to anyone involved with web development.

The Definitive Guide to HTML5