Travel Like a Pro

I was chatting with my friend Katie Ledoux (@kledoux) a few weeks ago about travel type stuff. She was totally stoked that, for the first time ever, she had status on an airline. Remembering that, I saw that her airline had a bonus for flights going to/from NYC. Since she lives in Boston, it should be pretty easy for her to route through NYC airports and earn the bonus.

When I shot her a quick note this morning about the bonus offer, Katie got excited all over again. I asked her if she had a travel credit card, and she said that was next on her “being a grown-up” list of things to do. Thinking about what travel credit card to advise her to get, I asked if she was loyal to a specific hotel chain. After saying “wow, imagine being fancy enough to prefer a particular hotel chain”, Katie said to me “please advise” ….. hence the new blog tags of “please advise”, “being a grown-up” and “doing adulting right”.

Millennials are the biggest group of new travelers, with cash in hand, that the airlines and hotels have seen since the Baby Boomers …. and travel was radically different in the 1960’s and 1970’s. And the airlines, hotels and credit card companies definitely are not going to help you with this topic. So, I thought instead of just texting Katie advice on this, I’d write a blog post about picking a hotel chain (which is a little complex right now). That’s coming next.

But first, back to that travel credit card. This should be fairly easy. The first thing is, you need to know if you have a good credit score. I could write a whole blog post on just that (and probably will). But here’s how to find out. Go to Discover’s credit scorecard and sign up. You’ll get your FICO 8 score via your Experian credit report. You want your FICO score, which ranges between 300 and 850, to be in the “good” range for general ability to get a credit card without having to jump through a million hoops. If you have low/poor credit scores, that is an entirely different topic for another day. Meanwhile, if your FICO score is over 670, you have a great likelihood of being approved for a good travel credit card.

This infographic is a great review of the basics of how a FICO score works.

FICO Score Infographic

There are really two choices on travel credit cards that make sense.
The first is to get a credit card co-branded with your airline. I travel with Delta, so I have a Delta branded American Express. Every dollar I spend on that card gives me a mile on Delta. Every time I buy a Delta flight with it, I get 2 miles per dollar. Plus a slew of other benefits, like Delta SkyClub access, rental car insurance coverage, a concierge line I can call and have them book flights and hotels for me, etc.

The second choice is to get a general purpose travel credit card or charge card. These include choices like American Express charge cards (Amex Premier Rewards Gold is a great choice) or Chase Sapphire credit cards (with a FICO score above 670, reasonable income, low credit utilization, you can likely get a Sapphire Preferred card fairly easily).

What is the right choice? Well, a lot depends on you and your airline choice. That said, if you have committed to a single airline for travel …. which early on in adult travel, you really should …. then your best first option for a travel credit card is the one co-branded with your airline. It will give you mileage earning on purchases directly with the airline AND all your other purchases. Plus, likely, it gives you a free checked bag, early boarding, and more. Plus, accumulating all those frequent flyer miles will help you to take leisure travel for free while having your employer pay for your business related travel (that you book on your personal travel credit card). Most employers are totally okay with you double dipping this way, so you absolutely should.

I take my family on a large vacation pretty much every year. And the airfare is always covered, for a family of 4-5 (depending on which kids are around), by my Delta SkyMiles. This year, four of us are going to Europe for 2 weeks!

One important caveat – Credit cards are not “extra money” for you to spend and then make minimum payments to your credit card company. This will heavily impact your credit score, your ability to get more credit, and your opportunity to use that credit card appropriately. You need to commit to your credit utilization being 20%, or less, of your total credit line. If your credit card has a $5000 credit limit, you should never end a billing cycle with more than a $1000 balance on your card. If that doesn’t work for you, then a travel credit card strategy is not for you.

So …. the first steps for a young person wanting to be “a grown-up”, as Katie would say, are to pick a single airline for all your travel, both business and leisure. Then figure out your FICO credit score and make sure it is over 670. Then get a travel credit card with your airline. There’s a lot more and this topic can get really advanced, but there’s the starting point. Have fun!

Posted in Being A Grown-Up, Doing Adulting Right, Please Advise, Travel

Trolls

I hate it when I get caught by trolls. No, there is no new LinkedIn breach. I read the article and missed the date on it. Thanks Jayson Street for pointing out the date to me. 

Posted in InfoSec

Eric Update

As many of you probably know by now, we sold Core Security. Courion and Core Security will be merging as a result of the sale. This is good for Core. At the same time, I am leaving Core Security and looking for my next adventure!

Courion acquires Core Security

Posted in Career, General, Life and Times, Security

Information Security and Tanks

Not too long ago my good friend, Michael Farnum, invited me to be the closing speaker at HouSecCon. I told him I would love to … then he asked me to give a talk that involved my military experience and how it prepared me for the world of Information Security. Two things that are very important in my life, but not necessarily ones I had connected very strongly. After I spent a bunch of time looking at old pictures and revisiting stories of my years in the Army, I realized that the Army had actually prepared me quite well for a career in Information Security. And I knew just the pictures and stories to share with my audience.

One of the things that was going to be key was to share my experiences on tanks and to show pictures of tanks. And, because of the awesome contributions of Adrian Crenshaw, I am able to share not just the slides and pictures of tanks, but the entire presentation with you.

Everything I Know About Information Security, I Learned Shooting Tank Guns!

Posted in Career, InfoSec, Life and Times, Military

Emergency Preparedness and Cyber Security

This week I had the opportunity to be the plenary speaker for the Alaska Homeland Security Preparedness Conference. It was a great chance to talk to folks who worry about terrorism and natural disasters and convey to them the impact that information security threats could have in their readiness planning and response. I thought people might be interested in the presentation I used. It doesn’t have huge detail in it; I spoke to that. But it conveys the issues I think Homeland Security Emergency Planners at the state and local level should be thinking about.

Homeland Security And Cyber Threats

Posted in Conferences, CyberWar, InfoSec, Security

Thinking About Reducing Risk

Wow, it’s been a long time since I’ve posted here. I’ve been kinda busy, tons of travel, sending a kid off to college, BlackHat and DefCon and DerbyCon, lots of engagement with customers around the idea of a mature vulnerability management program. It’s been busy. No excuse, though. Although some of my content and thoughts can be found over at the RSA Conference Blog. So, I’ve got that going for me anyway.

Be that as it may, I’ve been thinking about something and thought I would put it out there.

I often hear that perfection when it comes to risk is critical for airlines and the aviation industry. But that perfection is not possible for the security industry and we just have to do our best. Now, let’s think about this for a minute. Does it really make sense to just blithely say we can’t do it, throw our hands in the air and give up?

When I was a kid growing up I remember an airplane crash on the evening news roughly once a week. It was sort of commonplace. Today? We are shocked when it happens. This chart, which is available from Plane Crash Info, makes really clear the change over the past 40 years.

Commercial Aviation Accidents Involving a Fatality

Notice the steep decline that began around 1990. How did this happen? Simple, the aviation industry made a very clear choice to reduce risk. Instead of shooting for perfection, though, they spent time identifying risks and deciding how to eliminate the risks. They took each small thing that posed the risk of an accident and found a way to reduce or eliminate the risk. The chart above is impressive considering the dramatic increase in passengers, planes and miles flown that began around 1990.

Now, let’s do a thought experiment. Suppose that the risk reduction efforts hadn’t happened starting in the 1980’s. As the number of planes, passengers and miles flown doubled and then tripled, what would that chart look like? How many crashes would occur regularly? Fatalities? Impact to airline profitability? Impact to flying trends? Costs of insurance? And so on.

We security types need to look at the aviation industry for our model. Each time we identify something that poses the risk of a breach, we need to invest in that small risk reduction. Rather than trying for perfection, we need to address each small thing, every day. Incremental improvement. And suddenly you will look back and realize that your risk posture today is much lower than it was in the past. Your chart can look like this one.

Take your pick. I know which way I will go.

Posted in Risk Management

Advice for Board Members

Recently a CEO that I worked for in the past reached out to me. Like many successful CEOs, he has “retired”. But do you ever really retire at that point? John now sits on the board of a few companies and does some consulting. He’s written a very insightful book about transformation in the industry we worked in. And he is an insanely successful guy in his entire career. I was very pleased and honored that he reached out to me for some advice.

His question revolved around what a board member should be asking to get informed about the security program of the company he was responsible for as a Director. This is a fantastic question. One I think more Directors need to think about. After all, they have a fiduciary responsibility for that company.

I wrote my former CEO a long (for me) email around all of this. After thinking about it a bit, I realized that this is something that should be shared more broadly. So, stripping the personal content out, I am including my answer to John in full for your reading pleasure.

————————————–

I think a board member’s focus should be on whether the security program has good governance, visibility at the right level and is addressing key threats and issues. Questions to ask, include the following. And you should follow up with more questions, based on the responses to these.

Q1 – to the CEO – How often do you interact with the security leadership of your organization? Do you know the top 3 security threats facing your organization? You and I interacted at least once per quarter the entire time we worked together. There was great value in this.

Q2 – to the Leadership generally – How have you empowered the security leaders to address current security issues? How confident are you that you will not be the next Target, Community Health, Anthem or Premera?

Q3 – To the senior leader responsible for security – How is the security team organized? What level of the organization does the security leader report to? Is he/she buried too deeply in the leadership hierarchy?

Q4 – to the leadership generally – How is the leadership of the system assuring itself that they have a security program that meets their fiduciary responsibilities to the owners/sponsors, to the system itself, to the patients? Does the security leader meet regularly with leaders, with business unit leaders, with the Board, etc.? Is there a system of measurement in place to demonstrate maturity and efficacy of the security program?

——————————-

In my experience, Board members are not having these conversations with senior management. If Board members don’t do this, then senior management is not going to dig in to security. It’s that simple.

Posted by ecowper

Do The Security Basics Well ….. AGAIN (and again, and again)

I’m not really sure what it is going to take for people to do Information Security basics well. Just how many “multi-million credit card breach”, “PLA attacks a hospital company”, “hacktivists use insider to breach you” headlines is it going to take? Seriously people, I feel like the boy who cried wolf. Except that I really am alerting you to the wolf and you appear to think I’m just making it up.

I’ve been writing and presenting on what is going on for years now. For example, there is this piece I wrote in July. In it I said that you could reduce 80-90 percent of the risk you face by doing the following:

  • Patch and Update (yep, they listed it first)
  • Good fundamental policies
  • Security education
  • Encryption where it’s warranted
  • Serviceable perimeter protection
  • Identity and Access Management

Based on the onslaught of breaches since then, this hasn’t sunk in yet. Nor have the 14 other times I wrote some variation of that piece. In January 2008 I gave this presentation to the ISSA CISO Forum …. notice that most of the things I call for Information Security leaders to do are still the focus of presentations being given today.

Today, I was reading an article in CIO that sparked this rant. The gist of the article is that 2015 will be much worse than 2014. Sadly, I agree with this. And that Boards will become very involved in what is now clearly a fiduciary risk. Worse, the CSO won’t be able to answer the questions asked by the Board. And the CSO won’t have done the fundamentals needed to build a good security program ALTHOUGH they will have spent millions on fancy next generation firewalls and endpoint incident detection (you know just who I mean, I don’t really have to name names, do I?). As the article points out:

There are four foundational responsibilities that companies must address; these responsibilities include asset identification, configuration management, change control, and data discovery. Many organizations have no idea what someone has plugged into their networks. They don’t know how people have configured these assets. They don’t manage change, and they don’t know where their critical data is located. “If you fail in those four areas, you can spend $50M on security products, and it’s not going to help you because the underlying vulnerabilities that create risk are still there,” says Cole.
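The first two of those four responsibilities, asset identification and configuration management, are easy to state and routinely skipped. Here is what acting on them looks like in code: reconcile what is actually seen on the network against the asset inventory, then compare each known asset's observed settings against its approved baseline. This is an added example, not code from the CIO article or from this blog. The inventory, the DHCP-style lease lines (the `ip mac hostname` format is an assumption) and the per-host configuration reports are all constructed sample data.

```python
"""Reconcile observed hosts against an asset inventory and flag configuration drift.

Added example, not from the page. Every data structure below is constructed.
"""
import re
from dataclasses import dataclass

# Constructed asset inventory: what the organisation *thinks* is on the network.
# Keyed by MAC address; each record carries an owner and the approved config baseline.
INVENTORY = {
    "00:1a:2b:3c:4d:01": {"name": "web01", "owner": "platform",
                          "baseline": {"ssh_root_login": "no", "tls_min": "1.2"}},
    "00:1a:2b:3c:4d:02": {"name": "db01", "owner": "data",
                          "baseline": {"ssh_root_login": "no", "tls_min": "1.2"}},
}

# Constructed DHCP lease dump in an assumed "<ip> <mac> <hostname>" layout.
LEASES = """\
10.0.0.11 00:1a:2b:3c:4d:01 web01
10.0.0.12 00:1a:2b:3c:4d:02 db01
10.0.0.57 f4:5c:89:aa:bb:cc android-9f3e
"""

# Constructed configuration reports, as a config-management agent might return them.
OBSERVED_CONFIG = {
    "web01": {"ssh_root_login": "no", "tls_min": "1.2"},
    "db01": {"ssh_root_login": "yes", "tls_min": "1.0"},
}

LEASE_RE = re.compile(
    r"^(?P<ip>\d+\.\d+\.\d+\.\d+)\s+(?P<mac>[0-9a-f:]{17})\s+(?P<host>\S+)$"
)


@dataclass
class Finding:
    kind: str    # "unknown_asset" or "config_drift"
    host: str
    detail: str


def parse_leases(text):
    """Return (ip, mac, hostname) tuples from lease lines, skipping malformed ones."""
    rows = []
    for line in text.splitlines():
        m = LEASE_RE.match(line.strip().lower())
        if m:
            rows.append((m["ip"], m["mac"], m["host"]))
    return rows


def find_unknown_assets(leases, inventory):
    """Asset identification: a lease with no inventory record is an unknown device."""
    return [
        Finding("unknown_asset", host, f"{mac} at {ip} is not in the inventory")
        for ip, mac, host in leases
        if mac not in inventory
    ]


def find_config_drift(inventory, observed):
    """Configuration management: compare each known asset's reported settings to its baseline."""
    findings = []
    for rec in inventory.values():
        name = rec["name"]
        actual = observed.get(name)
        if actual is None:
            # Silence is itself a finding: an asset you cannot measure is unmanaged.
            findings.append(Finding("config_drift", name, "no configuration report received"))
            continue
        for key, expected in rec["baseline"].items():
            if actual.get(key) != expected:
                findings.append(Finding(
                    "config_drift", name,
                    f"{key}={actual.get(key)!r}, baseline {expected!r}",
                ))
    return findings


def reconcile(lease_text=LEASES, inventory=INVENTORY, observed=OBSERVED_CONFIG):
    """Run both checks and return every finding; empty list means inventory and config agree."""
    leases = parse_leases(lease_text)
    return find_unknown_assets(leases, inventory) + find_config_drift(inventory, observed)


if __name__ == "__main__":
    for f in reconcile():
        print(f"{f.kind:13} {f.host:14} {f.detail}")
```

On the constructed data this reports one unknown device (the Android phone nobody inventoried) and two drift findings on db01 (root SSH login enabled, TLS floor below baseline). The useful property is that the same small reconciliation, run on a schedule against real lease data and real agent reports, turns "we don't know what is plugged in" and "we don't know how it is configured" into a finite list of items to fix.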

Once again I am going to get on my soapbox, the one I’ve been on for like a decade now, and tell you security executives to fix your s**t or you are gonna get fired. Get your basics in order. You need to patch your systems now. You need to know who is going to attack you and how. You need to have encryption in place.

Don’t complain to me that your organization doesn’t support you and your CEO doesn’t care. Frankly, you’ve been paid huge amounts of money to figure out how to get the support of your organization. You need to do your job. And I promise your CEO cares about security. He or she does not want to become Greg Steinhafel.

So get your stuff together, figure out how to collaborate, how to communicate the issues up, down and sideways in the organization. Design a plan to get the basic foundations of good information security in place. Build a capability to detect problems. Have a plan for how you will respond to a security incident. Be prepared to solve the problems. What are you going to say when your Board calls you in to answer their questions?

Do the security basics well.

Either do that or get a resume ready.

Okay, end of rant. Return to your daydreams of fancy systems designed to fight off the dreaded APT.

Posted in Career, InfoSec, Security

A Graycliff Casillero Privada Cigar

I’m in the middle of fall in the Pacific Northwest. Which means that it’s mostly rainy and grey … and my opportunity to get out and smoke a great cigar is pretty slim. Last week and next week are travel weeks for me and that makes it even more difficult. You have to take advantage of any break in the rain this time of year, but if you’re on the road that’s difficult. Fortunately, Saturday was a beautiful fall day in the Northwest. It was cold, but crisp and clear.

The day was so beautiful and the opportunity so prime, that I had to break out a cigar from the bottom shelf of my humidor. The top shelf, easy to get to and visible through the glass top, has my sort of daily smoking, not so prime cigars. The bottom shelf has the Montecristo Churchills and Oliva Serie V in it. And something very special, as well. I figured today called for the Graycliff Casillero Privada. I bought a mazo of 10 a few months ago. They’ve been in the humidor ever since.

I love Graycliff cigars. And these promised to be special. Casillero Privada, in Spanish, means Private Locker. These are the cigars that the famous Graycliff hotel in Nassau keeps locked away for their VIP guests. But they released a few mazos to be sold publicly earlier this year and when they did I grabbed one without hesitating.

All in all, a perfect excuse to light one of these guys up and see if it lives up to expectations.

Bottom line up front in case this post is tl;dr for you …. This is an absolutely fantastic cigar, but may not be approachable for a novice. If you haven’t smoked much, I would recommend choosing something else. But if you are a cigar enthusiast who enjoys robust, complex, premium smokes then this is the cigar for you.

On to the review

Cigar Overview

This is a Graycliff Casillero Privada PG 5×52. At first sight, the cigar is decent sized with a shaggy foot, giving it a rustic “old school” appearance. The wrapper is dark brown, lightly oily and looks like old leather. It had no obvious cracks, bubbles or other blemishes. The seams in the wrapper and cap are very tight, almost invisible and very few veins are apparent. The unlit aroma was of exotic spices, pepper and black tea, with an underlying barnyard odor that I suspected would turn to a very deeply earthy aroma once lit. The cigar is clearly rolled by hand and does not use a form for assistance. It is not as dense and firm as a form rolled, mass manufactured cigar would be.

Initial Impressions

The Cigar

Lighting the cigar, in spite of the shaggy foot, was easy. I use a Bugatti lighter with 3 jets, which allows for a wide, even lighting. Toasting the end of a cigar is easy with the Bugatti.

As I said, it lit easily and very uniformly. The first taste was medium bodied and complex, the smoke was cool, the flavor was peppery with a bit of earthiness. The draw was very easy and smooth. The cigar produces a lot of smoke and burns quite clean. First impression was excellent.

First Impressions

I’m drinking Bulleit Rye and soda and this seems like a good choice to start. The rye, with its spice, fruit and hints of maple syrup sweetness should really complement the earthy, peppery cigar that I’m anticipating.

Bulleit Rye and soda

During the first 1/4 of the cigar I found that the initial complexity was not a fluke. It kept building, with notes of leather in addition to the spice and earth. It is very robust, definitely not for the faint of heart. Within the first inch all sense of the barnyard is gone, replaced with a very lovely earthiness that I am really enjoying. The cigar burns quite evenly and draws very smoothly.

Middle of the Cigar

Mid Cigar

As I work my way into the cigar I find that I was right, the rye and soda is a great choice and really complements the dry leathery notes in the cigar. The ash is white and even and one inch of ash is not a problem whatsoever. As I move further into the cigar more becomes apparent. Toasted nuts, leather, earthy, peppery. This cigar is very masculine. At the halfway mark the pepper has built to the point that I am getting spice in my nose.

Moving into the second half of the cigar it still burns cool and even and the draw remains smooth. Hints of oak and vanilla begin to appear and the leather and pepper build even further. This cigar is really amazing. I have yet to find anything negative about it. This cigar is clearly very special, among the elite of cigars.

Final Impressions

In the last 1/3 of the cigar, if it is possible, this cigar blossoms even more. It becomes very robust and much more complex and full bodied. I can taste earthiness overall, but quite a bit of spice, pepper, toasted nuts, leather and coffee, even a bit of cane sweetness. It is clearly hand rolled. The cigar is light in the hand, almost fragile feeling compared to cigars rolled in forms and made in factories. Clearly it is not a mass made cigar. The head has gotten slightly soggy, but not enough to detract from the overall experience.

Conclusions

Graycliff Casillero Privada

First, the score. This cigar absolutely deserves a 95 or 96 score. Definitely on top of the game. This is a cigar for a smoker that appreciates being challenged. Matching it with the right drink is imperative. A bourbon or rye will be a much better choice than wine or a scotch, where the alcohol will vie with the cigar rather than complement it. I cannot recommend the Casillero Privada highly enough. It really is among the great cigars I have ever had. I have 9 more in the humidor and will be enjoying them over the coming years, seeing how they age and improve over time.

Avelino Lara

Avelino Lara was one of the greats of the cigar industry. Born in 1921, he was the creator of Cohiba and contributed materially to the Davidoff line of cigars. At one point, Lara was the personal roller for Fidel Castro. After retiring in 1996, he moved to Nassau. There he rolled a few cigars for guests at the Graycliff hotel. This did so well that the Graycliff and Lara joined forces to create the Graycliff line of cigars, which are considered by most to be among the finest in the world. As I understand it, the Casillero Privada was the continuation of the original starting point at Graycliff, where Lara was just rolling cigars here and there for guests. After the Graycliff line was started, Lara’s hand-rolled cigars were kept in a private locker, a casillero privada, for the VIP guests.

So, if you want to smoke a cigar that celebrates the heritage and craft of one of the greatest cigar makers of all time, this is the one.

Posted in Alcohol, Cigars

Cigars

I realized I haven’t been living up to the full name of this site lately. Here’s what’s on the menu for this weekend!

Lagavulin, Graycliff and a Montecristo

Posted in Uncategorized