My Great Grandfather’s WW1 Memoir

My great grandfather, Roy Harper, served in WW1 and wrote this narrative account of his service.

Harper Royal C. WW1 Narrative

Posted in Uncategorized | Comments Off on My Great Grandfather’s WW1 Memoir

How To Get My Attention

A couple days ago, I let it be known on LinkedIn that I had taken a new position as the Director, Information Security at Esterline Technologies. Then I got a bunch of private messages from sales folks trying to sell me stuff. So, I posted a quick response to that calling out the poor behavior. And finally, decided to write something longer. I wrote it as an article on LinkedIn, but thought I’d post it here, also. Everything below the line is the original LinkedIn article.

Continue reading

Posted in Career, FUD, InfoSec, Life and Times | Tagged , , , , , | 1 Comment

Travel Like a Pro

I was chatting with my friend Katie Ledoux (@kledoux) a few weeks ago about travel type stuff. She was totally stoked that, for the first time ever, she had status on an airline. Remembering that, I saw that her airline had a bonus for flights going to/from NYC. Since she lives in Boston, it should be pretty easy for her to route through NYC airports and earn the bonus.

When I shot her a quick note this morning about the bonus offer, Katie got excited all over again. I asked her if she had a travel credit card, and she said that was next on her “being a grown-up” list of things to do. Thinking about what travel credit card to advise her to get, I asked if she was loyal to a specific hotel chain. After saying “wow, imagine being fancy enough to prefer a particular hotel chain”, then Katie said to me “please advise” ….. hence the new blog tags of “please advise”, “being a grown-up” and “doing adulting right”.

Millenials are the biggest group of new travelers, with cash in hand, that the airlines and hotels have seen since the Baby Boomers …. And travel was radically different in the 1960’s and 1970’s. And the airlines, hotels, credit card companies definitely are not going to help you with this topic. So, I thought instead of just texting Katie advise on this, I’d write a blog post about picking a hotel chain (which is a little complex right now). That’s coming next.

But first, back to that travel credit card. This should be fairly easy. The first thing is, you need to know if you have a good credit score. I could write a whole blog post on just that (and probably will). But here’s how to find out. Go to Discover’s credit scorecard and signup. You’ll get your FICO 8 score via your Experian credit report. You want your FICO score, which ranges between 300 and 850, to be in the “good” range for general ability to get a credit card without having to jump through a million hoops. If you have low/poor credit scores, that is an entirely different topic for another day. Meanwhile, if your FICO score is over 670, you have a great likelihood of being approved for a good travel credit card.

This infographic is a great review of the basics of how a FICO score works.

FICO Score Infographic

There are really two choices on travel credit cards that make sense.
The first is to get a credit card co-branded with your airline. I travel with Delta, so I have a Delta branded American Express. Every dollar I spend on that card gives me a mile on Delta. Every time I buy a Delta flight with it, I get 2 miles per dollar. Plus a slew of other benefits, like Delta SkyClub access, rental car insurance coverage, a concierge line I can call and have them book flights and hotels for me, etc.

The second choice is to get a general purpose travel credit card or charge card. These include choices like American Express charge cards (Amex Premier Rewards Gold is a great choice) or Chase Sapphire credit cards (with a FICO score above 670, reasonable income, low credit utilization, you can likely get a Sapphire Preferred card fairly easily).

What is the right choice? Well, a lot depends on you and your airline choice. That said, if you have committed to a single airline for travel …. Which early on in adult travel, you really should …. Then your best first option for a travel credit card is the one co-branded with your airline. It will give you mileage earning on purchases directly with the airline AND all your other purchases. Plus, likely, it gives you a free checked bag, early boarding, and more. Plus, accumulating all those frequent flyer miles will help you to take leisure travel for free while having your employer pay for your business related travel (that you book on your personal travel credit card). Most employers are totally okay with you double dipping this way, so you absolutely should.

I take my family on a large vacation pretty well every year. And the airfare is always covered, for a family of 4-5 (depending on which kids are around), by my Delta skymiles. This year, four of us are going to Europe for 2 weeks!

One important caveat – Credit cards are not “extra money” for you to spend and then make minimum payments to your credit card company. This will heavily impact your credit score, your ability to get more credit, and your opportunity to use that credit card appropriately. You need to commit to your credit utilization being 20%, or less, of your total credit line. If your credit card has a $5000 credit limit, you should never end a billing cycle with more than a $1000 balance on your card. If that doesn’t work for you, then a travel credit card strategy is not for you.

So …. First steps for a young person wanting to be “a grown-up”, as Katie would say, is to pick a single airline for all your travel, both business and leisure. Then figure out your FICO credit score and make sure it is over 670. Then get a travel credit card with your airline. There’s a lot more and this topic can get really advanced, but there’s the starting point. Have fun!

Posted in Being A Grown-Up, Doing Adulting Right, Please Advise, Travel | Tagged , , , , , | Comments Off on Travel Like a Pro


I hate it when I get caught by trolls. No, there is no new LinkedIn breach. I read the article and missed the date on it. Thanks Jayson Street for pointing out the date to me. 

Posted in InfoSec | Tagged , , | Comments Off on Trolls

Eric Update

As many of you probably know by now, we sold Core Security. Courion and Core Security will be merging as a result of the sale. This is good for Core. At the same time, I am leaving Core Security and looking for my next adventure!

Courion acquires Core Security


Posted in Career, General, Life and Times, Security | Tagged , , | 1 Comment

Information Security and Tanks

Not too long ago my good friend, Michael Farnum, invited me to be the closing speaker at HouSecCon. I told him I would love to … then he asked me to give a talk that involved my military experience and how it prepared me for the world of Information Security. Two things that are very important in my life, but not necessarily ones I had connected very strongly. After I spent a bunch of time looking at old pictures and revisiting stories of my years in the Army, I realized that the Army had actually prepared me quite well for a career in Information Security. And I knew just the pictures and stories to share with my audience.

One of the things that was going to be key was to share my experiences on tanks and to show pictures of tanks. And, because of the awesome contributions of Adrian Crenshaw, I am able to share not just the slides and pictures of tanks, but the entire presentation with you.

Everything I Know About Information Security, I Learned Shooting Tank Guns!

Posted in Career, InfoSec, Life and Times, Military | Tagged , , , | Comments Off on Information Security and Tanks

Emergency Preparedness and Cyber Security

This week I had the opportunity to be the plenary speaker for the Alaska Homeland Security Preparedness Conference. It was a great chance to talk to folks who worry about terrorism and natural disasters and convey to them the impact that information security threats could have in their readiness planning and response. I thought people might be interested in the presentation I used. It doesn’t have huge detail in it, I spoke to that. But it conveys the issues I think Homeland Security Emergency Planners at the state and local level should be thinking about.

Homeland Security And Cyber Threats

Posted in Conferences, CyberWar, InfoSec, Security | Tagged , , , | Comments Off on Emergency Preparedness and Cyber Security

Thinking About Reducing Risk

Wow, it’s been a long time since I’ve posted here. I’ve been kinda busy, tons of travel, sending a kid off to college, BlackHat and DefCon and DerbyCon, lots of engagement with customers around the idea of a mature vulnerability management program. It’s been busy. No excuse, though. Although some of my content and thoughts can be found over at the RSA Conference Blog. So, I’ve got that going for me anyway.

Be that as it may, I’ve been thinking about something and thought I would put it out there.

I often hear that perfection when it comes to risk is critical for airlines and the aviation industry. But that perfection is not possible for the security industry and we just have to do our best. Now, let’s think about this for a minute. Does it really makes sense to just blithely say we can’t do it, throw our hands in the air and give up?

When I was a kid growing up I remember roughly an airplane crash almost once a week on the evening news. It was sort of common place. Today? We are shocked when it happens. This chart, which is available from Plane Crash Info, makes really clear the change over the past 40 years.

Commercial Aviation Accidents Involving a Fatality

Notice the steep decline that began around 1990. How did this happen? Simple, the aviation industry made a very clear choice to reduce risk. Instead of shooting for perfection, though, they spent time identifying risks and deciding how to eliminate the risks. They took each small thing that posed the risk of an accident and found a way to reduce or eliminate the risk. The chart above is impressive considering the dramatic increase in passengers, planes and miles flown that began around 1990.

Now, let’s do a thought experiment. Suppose that the risk reduction efforts hadn’t happened starting in the 1980’s. As the number of planes, passengers and miles flown doubled and then tripled, what would that chart look like? How many crashes would occur regularly? Fatalities? Impact to airline profitability? Impact to flying trends? Costs of insurance? And so on.

We security types need to look at the aviation industry for our model. Each time we identify something that poses the risk of a breach, we need to invest in that small risk reduction. Rather than trying for perfection, we need to address each small thing, every day. Incremental improvement. And suddenly you will look back and realize that your risk posture today is much lower than it was in the past. Your chart can look like this one.

Take your pick. I know which way I will go.

Posted in Risk Management | Tagged , , | Comments Off on Thinking About Reducing Risk

Recently a CEO that I worked for in the past reached out to me. Like many successful CEO’s, he has “retired”. But do you ever really retire at that point? John now sits on the board of a few companies and does some consulting. He’s written a very insightful book about transformation in the industry we worked in. And he is an insanely successful guy in his entire career. I was very pleased and honored that he reached out to me for some advice.

His question revolved around what a board member should be asking to get informed about the security program of the company he was responsible for as a Director. This is a fantastic question. One I think more Directors need to think about. After all, they have a fiduciary responsibility for that company.

I wrote my former CEO a long (for me) email around all of this. After thinking about it a bit, I realized that this is something that should be shared more broadly. So, stripping the personal content out, I am including my answer to John in full for your reading pleasure.


I think a board member’s focus should be on whether the security program has good governance, visibility at the right level and is addressing key threats and issues. Questions to ask, include the following. And you should follow up with more questions, based on the responses to these.

Q1 – to the CEO – how often do you interact with the security leadership of your organization. Do you know the top 3 security threats facing your organization? You and I interacted at least once per quarter the entire time I we worked together. There was great value in this.

Q2 – to the Leadership generally – How have you empowered the security leaders to address current security issues? How confident are you that you will not be the next Target, Community Health, Anthem or Premera?

Q3 – To the senior leader responsible for security – How is the security team organized? What level of the organization does the security leader report to? Is he/she buried too deeply in the leadership hierarchy?

Q4 – to the leadership generally – How is the leadership of the system assuring itself that they have a security program that meets their fiduciary responsibilities to the owners/sponsors, to the system itself, to the patients? Does the security leader meet regularly with leaders, with business unit leaders, with the Board, etc. Is there a system of measurement in place to demonstrate maturity and efficacy of the security program?


In my experience, Board members are not having these conversations with senior management. If Board members don’t do this, then senior management is not going to dig in to security. It’s that simple.

Posted on by ecowper | Comments Off on Advice for Board Members

Do The Security Basics Well ….. AGAIN (and again, and again)

I’m not really sure what it is going to take for people to do Information Security basics well. Just how many multi-million credit card breach, PLA attacks a hospital company, hacktivists use insider to breach you headlines is it going to take? Seriously people, I feel like the boy who cried wolf. Except that I really am alerting you to the wolf and you appear to think I’m just making it up.

I’ve been writing and presenting on what is going on for years now. For example, there is this piece I wrote in July. In it I said that you could reduce 80-90 percent of the risk you face by doing the following:

  • Patch and Update (yep, they listed it first)
  • Good fundamental policies
  • Security education
  • Encryption where it’s warranted
  • Serviceable perimeter protection
  • Identity and Access Management

Based on the onslaught of breaches since then, this hasn’t sunk in yet. Nor the 14 other times I wrote some variation of that piece. In Jan, 2008 I gave this presentation to the ISSA CISO Forum …. notice that most of the things I call for Information Security leaders to do is still the focus of presentations being given today.

Today, I was reading an article in CIO that sparked this rant. This gist of the article is that 2015 will be much worse than 2014. Sadly, I agree with this. And that Boards will become very involved in what is now clearly a fiduciary risk. Worse, the CSO won’t be able to answer the questions asked by the Board. And the CSO won’t have done the fundamentals needed to build a good security program ALTHOUGH they will have spent millions on fancy next generation firewalls and end point incident detection (you know just who I mean, I don’t really have to name names, do I?). As the article points out:

There are four foundational responsibilities that companies must address; these responsibilities include asset identification, configuration management, change control, and data discovery. Many organizations have no idea what someone has plugged into their networks. They don’t know how people have configured these assets. They don’t manage change, and they don’t know where their critical data is located. “If you fail in those four areas, you can spend $50M on security products, and it’s not going to help you because the underlying vulnerabilities that create risk are still there,” says Cole.

Once again I am going to get on my soapbox, the one I’ve been on for like a decade now, and tell you security executives to fix your s**t or you are gonna get fired. Get your basics in order. You need to patch your systems now. You need to know who is going to attack you and how. You need to have encryption in place.

Don’t complain to me that your organization doesn’t support you and your CEO doesn’t care. Frankly, you’ve been paid huge amounts of money to figure out how to get the support of your organization. You need to do your job. And I promise your CEO cares about security. He or she does not want to become Greg Steinhafel.

So get your stuff together, figure out how to collaborate, how to communicate the issues up, down and sideways in the organization. Design a plan to get the basic foundations of good information security in place. Build a capability to detect problems. Have a plan for how you will respond to a security incident. Be prepared to solve the problems. What are you going to say when your Board calls you in to answer their questions?

Do the security basics well.

Either do that or get a resume ready.

Okay, end of rant. Return to your daydreams of fancy systems designed to fight off the dreaded APT.

Posted in Career, InfoSec, Security | Tagged , , , | Comments Off on Do The Security Basics Well ….. AGAIN (and again, and again)