Layer 8

Security is fundamentally about people, and everything we know about people is relevant to security. -- B. Schneier

Nao and Zen:  Security Koans for Everybody

“In the very moment that you attempt to achieve compliancy, you have lost it,” explained the master.  “Strive therefore simply to be secure, and compliancy will come of itself.”
Saying “compliancy,” thus was the master exposed as a vendor, and the students beat him.

“Master, master!” cried the student as he entered the temple.  “I was meditating, and had a great vision.  All threats were united into one entity, and thus were they managed together.  I have finally become enlightened!”
The master hit the student.  “You were not enlightened,” he told him.  “You were pwned.”

What is this mind?
Who is hearing these sounds?
Do not mistake any state for
Self-realization, but continue
To ask yourself even more intensely,
Who is logged into my SAP system?


“All roads lead to DEFCON,” said the master to the students as they were sitting beneath the trees.
One student raised his budget.  “See, master, I cannot travel.”
“DEFCON is of the mind, not the budget,” replied the master.  “Find but the right t-shirt, and you shall know it.  All that you require is within you.  Be still within your heart, seek always the Riviera Path, and DEFCON shall find you.”
“The hell with this,” said the student, and wandered off to find a mojito.

Those who see worldly life as an obstacle to Security
see no Security in everyday actions.
They have not yet discovered that
there are no everyday actions outside of Security.
At least, not when you are outside the C-suite.


“There are no material findings,” said the master to the QSA, “since there is no material world.  All is impermanent in this world of the mind.”
“And yet,” replied the QSA, “PCI-DSS is not of this world, and therefore you may reach the state of compliance with it.”
And the master said nothing.

Secure and insecure have no self nature;
Open and closed are empty names;
In front of the firewall is the land of LOLcats and phishing;
And also inside, where the users bring them.


“Your server settings are not compliant,” said the auditor.
“This is not surprising,” said the master with equanimity, “for the server you are inspecting is a UPS.”
The auditor was not enlightened, and wrote him up anyway.

The perimeter is no perimeter. —Jericho

The intern approached the master.  “Master, I would like to become a CISO.  How do I enter the world of security?”
The master replied, “You have no servers.”
The intern nodded sheepishly.
The master continued, “You have no network.”
The intern also acknowledged this with sadness.
The master concluded, “And you have no users.”
The intern replied, “All this is so, Master.  Have I no hope of achieving security?”
“Fear not,” said the master kindly.  “You have already achieved it perfectly.”


Posted by shrdlu on Saturday, July 25, 2009

Comments

Anton Chuvakin United States on 07/27  at  01:31 PM:

These exude pure awesomeness!!

Kevin United States on 07/27  at  02:57 PM:

Like Anton said, pure awesomeness. Several worth printing and posting on the cubicle wall :)

shrdlu United States on 07/27  at  03:01 PM:

Wow, CUBICLE WALL status??  High praise indeed!  Thanks, guys. :D

Fred United States on 11/28  at  06:55 PM:

I just stumbled upon this blog and I am reading backlog posts… this entry has cemented me as a loyal follower! :) Entertaining writing for sure.
