I hate it when I get caught by trolls. No, there is no new LinkedIn breach. I read the article and missed the date on it. Thanks Jayson Street for pointing out the date to me. 

Posted in InfoSec | Tagged , , | Comments Off on Trolls

Eric Update

As many of you probably know by now, we sold Core Security. Courion and Core Security will be merging as a result of the sale. This is good for Core. At the same time, I am leaving Core Security and looking for my next adventure!

Courion acquires Core Security


Posted in Career, General, Life and Times, Security | Tagged , , | 1 Comment

Information Security and Tanks

Not too long ago my good friend, Michael Farnum, invited me to be the closing speaker at HouSecCon. I told him I would love to … then he asked me to give a talk that involved my military experience and how it prepared me for the world of Information Security. Two things that are very important in my life, but not necessarily ones I had connected very strongly. After I spent a bunch of time looking at old pictures and revisiting stories of my years in the Army, I realized that the Army had actually prepared me quite well for a career in Information Security. And I knew just the pictures and stories to share with my audience.

One of the things that was going to be key was to share my experiences on tanks and to show pictures of tanks. And, because of the awesome contributions of Adrian Crenshaw, I am able to share not just the slides and pictures of tanks, but the entire presentation with you.

Everything I Know About Information Security, I Learned Shooting Tank Guns!

Posted in Career, InfoSec, Life and Times, Military | Tagged , , , | Comments Off on Information Security and Tanks

Emergency Preparedness and Cyber Security

This week I had the opportunity to be the plenary speaker for the Alaska Homeland Security Preparedness Conference. It was a great chance to talk to folks who worry about terrorism and natural disasters and convey to them the impact that information security threats could have in their readiness planning and response. I thought people might be interested in the presentation I used. It doesn’t have huge detail in it, I spoke to that. But it conveys the issues I think Homeland Security Emergency Planners at the state and local level should be thinking about.

Homeland Security And Cyber Threats

Posted in Conferences, CyberWar, InfoSec, Security | Tagged , , , | Comments Off on Emergency Preparedness and Cyber Security

Thinking About Reducing Risk

Wow, it’s been a long time since I’ve posted here. I’ve been kinda busy, tons of travel, sending a kid off to college, BlackHat and DefCon and DerbyCon, lots of engagement with customers around the idea of a mature vulnerability management program. It’s been busy. No excuse, though. Although some of my content and thoughts can be found over at the RSA Conference Blog. So, I’ve got that going for me anyway.

Be that as it may, I’ve been thinking about something and thought I would put it out there.

I often hear that perfection when it comes to risk is critical for airlines and the aviation industry. But that perfection is not possible for the security industry and we just have to do our best. Now, let’s think about this for a minute. Does it really makes sense to just blithely say we can’t do it, throw our hands in the air and give up?

When I was a kid growing up I remember roughly an airplane crash almost once a week on the evening news. It was sort of common place. Today? We are shocked when it happens. This chart, which is available from Plane Crash Info, makes really clear the change over the past 40 years.

Commercial Aviation Accidents Involving a Fatality

Notice the steep decline that began around 1990. How did this happen? Simple, the aviation industry made a very clear choice to reduce risk. Instead of shooting for perfection, though, they spent time identifying risks and deciding how to eliminate the risks. They took each small thing that posed the risk of an accident and found a way to reduce or eliminate the risk. The chart above is impressive considering the dramatic increase in passengers, planes and miles flown that began around 1990.

Now, let’s do a thought experiment. Suppose that the risk reduction efforts hadn’t happened starting in the 1980’s. As the number of planes, passengers and miles flown doubled and then tripled, what would that chart look like? How many crashes would occur regularly? Fatalities? Impact to airline profitability? Impact to flying trends? Costs of insurance? And so on.

We security types need to look at the aviation industry for our model. Each time we identify something that poses the risk of a breach, we need to invest in that small risk reduction. Rather than trying for perfection, we need to address each small thing, every day. Incremental improvement. And suddenly you will look back and realize that your risk posture today is much lower than it was in the past. Your chart can look like this one.

Take your pick. I know which way I will go.

Posted in Risk Management | Tagged , , | Comments Off on Thinking About Reducing Risk

Recently a CEO that I worked for in the past reached out to me. Like many successful CEO’s, he has “retired”. But do you ever really retire at that point? John now sits on the board of a few companies and does some consulting. He’s written a very insightful book about transformation in the industry we worked in. And he is an insanely successful guy in his entire career. I was very pleased and honored that he reached out to me for some advice.

His question revolved around what a board member should be asking to get informed about the security program of the company he was responsible for as a Director. This is a fantastic question. One I think more Directors need to think about. After all, they have a fiduciary responsibility for that company.

I wrote my former CEO a long (for me) email around all of this. After thinking about it a bit, I realized that this is something that should be shared more broadly. So, stripping the personal content out, I am including my answer to John in full for your reading pleasure.


I think a board member’s focus should be on whether the security program has good governance, visibility at the right level and is addressing key threats and issues. Questions to ask, include the following. And you should follow up with more questions, based on the responses to these.

Q1 – to the CEO – how often do you interact with the security leadership of your organization. Do you know the top 3 security threats facing your organization? You and I interacted at least once per quarter the entire time I we worked together. There was great value in this.

Q2 – to the Leadership generally – How have you empowered the security leaders to address current security issues? How confident are you that you will not be the next Target, Community Health, Anthem or Premera?

Q3 – To the senior leader responsible for security – How is the security team organized? What level of the organization does the security leader report to? Is he/she buried too deeply in the leadership hierarchy?

Q4 – to the leadership generally – How is the leadership of the system assuring itself that they have a security program that meets their fiduciary responsibilities to the owners/sponsors, to the system itself, to the patients? Does the security leader meet regularly with leaders, with business unit leaders, with the Board, etc. Is there a system of measurement in place to demonstrate maturity and efficacy of the security program?


In my experience, Board members are not having these conversations with senior management. If Board members don’t do this, then senior management is not going to dig in to security. It’s that simple.

Posted on by ecowper | Comments Off on Advice for Board Members

Do The Security Basics Well ….. AGAIN (and again, and again)

I’m not really sure what it is going to take for people to do Information Security basics well. Just how many multi-million credit card breach, PLA attacks a hospital company, hacktivists use insider to breach you headlines is it going to take? Seriously people, I feel like the boy who cried wolf. Except that I really am alerting you to the wolf and you appear to think I’m just making it up.

I’ve been writing and presenting on what is going on for years now. For example, there is this piece I wrote in July. In it I said that you could reduce 80-90 percent of the risk you face by doing the following:

  • Patch and Update (yep, they listed it first)
  • Good fundamental policies
  • Security education
  • Encryption where it’s warranted
  • Serviceable perimeter protection
  • Identity and Access Management

Based on the onslaught of breaches since then, this hasn’t sunk in yet. Nor the 14 other times I wrote some variation of that piece. In Jan, 2008 I gave this presentation to the ISSA CISO Forum …. notice that most of the things I call for Information Security leaders to do is still the focus of presentations being given today.

Today, I was reading an article in CIO that sparked this rant. This gist of the article is that 2015 will be much worse than 2014. Sadly, I agree with this. And that Boards will become very involved in what is now clearly a fiduciary risk. Worse, the CSO won’t be able to answer the questions asked by the Board. And the CSO won’t have done the fundamentals needed to build a good security program ALTHOUGH they will have spent millions on fancy next generation firewalls and end point incident detection (you know just who I mean, I don’t really have to name names, do I?). As the article points out:

There are four foundational responsibilities that companies must address; these responsibilities include asset identification, configuration management, change control, and data discovery. Many organizations have no idea what someone has plugged into their networks. They don’t know how people have configured these assets. They don’t manage change, and they don’t know where their critical data is located. “If you fail in those four areas, you can spend $50M on security products, and it’s not going to help you because the underlying vulnerabilities that create risk are still there,” says Cole.

Once again I am going to get on my soapbox, the one I’ve been on for like a decade now, and tell you security executives to fix your s**t or you are gonna get fired. Get your basics in order. You need to patch your systems now. You need to know who is going to attack you and how. You need to have encryption in place.

Don’t complain to me that your organization doesn’t support you and your CEO doesn’t care. Frankly, you’ve been paid huge amounts of money to figure out how to get the support of your organization. You need to do your job. And I promise your CEO cares about security. He or she does not want to become Greg Steinhafel.

So get your stuff together, figure out how to collaborate, how to communicate the issues up, down and sideways in the organization. Design a plan to get the basic foundations of good information security in place. Build a capability to detect problems. Have a plan for how you will respond to a security incident. Be prepared to solve the problems. What are you going to say when your Board calls you in to answer their questions?

Do the security basics well.

Either do that or get a resume ready.

Okay, end of rant. Return to your daydreams of fancy systems designed to fight off the dreaded APT.

Posted in Career, InfoSec, Security | Tagged , , , | Comments Off on Do The Security Basics Well ….. AGAIN (and again, and again)

A Graycliff Casillero Privada Cigar

I’m in the middle of fall in the Pacific Northwest. Which means that it’s mostly rainy and grey … and my opportunity to get out and smoke a great cigar is pretty slim. Last week and next week are travel weeks for me and that makes it even more difficult. You have to take advantage of any break in the rain this time of year, but if you’re on the road that’s difficult. Fortunately, Saturday was a beautiful fall day in the Northwest. It was cold, but crisp and clear.

The day was so beautiful and the opportunity so prime, that I had to break out a cigar from my the bottom shelf of my humidor. The top shelf, easy to get to and visible through the glass top, has my sort of daily smoking, not so prime cigars. The bottom shelf has the Montecristo Churchills and Oliva Serie V in it. And something very special, as well. I figured today called for the Graycliff Casillero Privada. I bought a mazo of 10 a few months ago. They’ve been in the humidor ever since.

I love Graycliff cigars. And these promised to be special. Casillero Privada, in Spanish, means Private Locker. These are the cigars that the famous Graycliff hotel in Nassau keeps locked away for their VIP guests. But they released a few mazo’s to be sold publicly earlier this year and when they did I grabbed one without hesitating.

All in all, a perfect excuse to light one of these guys up and see if it lives up to expectations.


Bottom line up front in case this post is tl;dr for you …. This is an absolutely fantastic cigar, but may not be approachable for a novice. If you haven’t smoked much, I would recommend choosing something else. But if you are a cigar enthusiast who enjoys robust, complex, premium smokes then this is the cigar for you.

On to the review

Cigar Overview

This is a Graycliff Casillero Privada PG 5×52. At first sight, the cigar is decent sized with a shaggy foot, giving it a rustic “old school” appearance. The wrapper is dark brown, lightly oily and looks like old leather. It had no obvious cracks, bubbles or other blemishes. The seams in the wrapper and cap are very tight, almost invisible and very few veins are apparent. The unlit aroma was of exotic spices, pepper and black tea, with an underlying barnyard odor that I suspected would turn to a very deeply earthy aroma once lit. The cigar is clearly rolled by hand and does not use a form for assistance. It is not as dense and firm as a form rolled, mass manufactured cigar would be.

Initial Impressions

The Cigar

Lighting the cigar, in spite of the shaggy foot, was easy. I use a Bugatti lighter with 3 jets, which allows for a wide, even lighting. Toasting the end of a cigar is easy with the Bugatti.


As I said, it lit easily and very uniformly. The first taste was medium bodied and complex, the smoke was cool, the flavor was peppery with a bit of earthiness. The draw was very easy and smooth. The cigar produces a lot of smoke and burns quite clean. First impression was excellent.

First Impressions

I’m drinking Bulleit Rye and soda and this seems like a good choice to start. The rye, with its spice, fruit and hints of maple syrup sweetness should really compliment the earthy, peppery cigar that I’m anticipating.

Bulleit Rye and soda

During the first 1/4 of the cigar I found that the initial complexity was not a fluke. It kept building, with notes of leather in addition to the spice and earth. It is very robust, definitely not for the faint of heart. Within the first inch all sense of the barnyard is gone, replaced with a very lovely earthiness that I am really enjoying. The cigar burns quite evenly and draws very smoothly.

Middle of the Cigar

Mid Cigar

As I work my way into the cigar I find that I was right, the rye and soda is a great choice and really compliments the dry leathery notes in the cigar. The ash is white and even and one inch of ash is not a problem whatsoever. As I move further into the cigar more becomes apparent. Toasted nuts, leather, earthy, peppery. This cigar is very masculine. At the halfway mark the pepper has built to the point that I am getting spice in my nose.

Moving into the second half of the cigar it still burns cool and even and the draw remains smooth. Hints of oak and vanilla begin to appear and the the leather and pepper build even further. This cigar is really amazing. I have yet to find anything negative about it. This cigar is clearly very special, among the elite of cigars.

Final Impressions

In the last 1/3 of the cigar, if it is possible, this cigar blossoms even more. It becomes very robust and much more complex and full bodied. I can taste earthiness overall, but quite a bit of spice, pepper, toasted nuts, leather and coffee, even a bit of cane sweetness. It is clearly hand rolled. The cigar is light in the hand, almost fragile feeling compared to cigars rolled in forms and made in factories. Clearly it is not a mass made cigar. The head has gotten slightly soggy, but not enough to detract from the overall experience.


Graycliff Casillero Privada

First, the score. This cigar absolutely deserves a 95 or 96 score. Definitely on top of the game. This is a cigar for a smoker that appreciates being challenged. Matching it with the right drink is imperative. A bourbon or rye will be a much better choice than wine or a scotch, where the alcohol will vie with the cigar rather than compliment it. I cannot recommend the Casillero Privada highly enough. It really is among the great cigars I have ever had. I have 9 more in the humidor and will be enjoying them over the coming years, seeing how they age and improve over time.

Avelino Lara

Avelino Lara was one of the greats of the cigar industry. Born in 1921, he was the creator of Cohiba and contributed materially to the Davidoff line of cigars. At one point, Lara was the personal roller for Fidel Castro. After retiring in 1996, he moved to Nassau. There he rolled a few cigars for guests at the Graycliff hotel. This did so well that the Graycliff and Lara joined forces to create the Graycliff line of cigars, which are considered by most to be among the finest in the world. As I understand it, the Casillero Privada was the continuation of the original starting point at Graycliff, where Lara was just rolling cigars here and there for guests. After the Graycliff line was started, Lara’s hand-rolled cigars were kept in a private locker, a casillero privada, for the VIP guests.

So, if you want to smoke a cigar that celebrates the heritage and craft of one the greatest cigar makers of all time, this is the one.

Posted in Alcohol, Cigars | Tagged , , , , , , , | Comments Off on A Graycliff Casillero Privada Cigar


I realized I haven’t been living up to the full name of this site lately. Here’s what’s on the menu for this weekend!

Lagavulin, Graycliff and a Montecristo

Lagavulin, Graycliff and a Montecristo

Posted in Uncategorized | 2 Comments

The Threat & Vulnerability Management Maturity Model Arrives

If you follow my blog, you know the Threat & Vulnerability Management Maturity Model has been in the works for a while now. I’m happy to report the full model has finally been published in Core Security’s latest white paper.

What’s the value?

By moving through this model, organizations will simultaneously 1) reduce risk exposure and the likelihood of a breach 2) gain ongoing visibility into true business risk, improving future decision-making 3) align IT, information security, and the rest of the organization in the direction of strategic business goals and 4) significantly increase operational efficiency. It’s not merely an ideal model from a security perspective; it’s a no-brainer for the business.

So take a look. What do you think? Can you easily identify where your organization stands on the model, and steps for advancing to the next level? Looking forward to your thoughts and feedback!

PS This is free to the security community and completely focused on how security programs improve their ability to reduce the risk of breach. It is not a product, nor are we selling it.

Posted in InfoSec, Security, Vulnerability Management | Tagged , , , , , , | Comments Off on The Threat & Vulnerability Management Maturity Model Arrives