Tuesday, June 11, 2013

Book Review: The Millionaire Next Door

The Millionaire Next Door: The Surprising Secrets of America's Wealthy


by Thomas Stanley, William Danko
Narrated by: Cotter Smith
Publisher: Sound Ideas
Total Length: 8 Hours, 50 Minutes
Date Published: June 24, 2008

Publisher: Taylor Trade Publishing
ISBN: 978-1589795471
Number of Pages: 258
Date Published: November 16, 2010




Each time I interview someone for an opening that I am trying to fill, I almost always throw out the question, "What book have you read most recently (other than a technical manual), and what did you learn from it?"  It helps gauge a person's analytical skills on something other than a purely technical problem (it gives them the opportunity to identify an issue or area of interest and prove that they put some thought into it).  It was during one of these interviews that a candidate mentioned The Millionaire Next Door (TMND).  I ended up sending that candidate a job offer, and I am grateful for the recommendation for my reading list.

Surprised?
  • What kind of car do you drive?
  • What neighborhood do you live in?
  • What is the most you ever paid for a pair of shoes?
  • How much did you spend on a college education?
  • Are you an entrepreneur?
  • Do you believe that hard work pays off?
Danko and Stanley surveyed millionaires with these types of questions and many, many more.  This book is a distillation of the metrics that they found correspond to the success of millionaires.  "In the course of our investigations, we discovered seven common denominators among those who successfully build wealth."
  1. They live well below their means
  2. They allocate their time, energy, and money efficiently, in ways conducive to building wealth.
  3. They believe that financial independence is more important than displaying high social status.
  4. Their parents did not provide economic outpatient care.
  5. Their adult children are economically self-sufficient.
  6. They are proficient in targeting market opportunities.
  7. They chose the right occupation.
Wealth Accumulation

Income does not equal wealth.  Stanley and Danko make it a point to distinguish between current income, total net worth and expected net worth.  They provide an interesting calculation to see where you stack up.


"Multiply your age times your realized pretax annual household income from all sources except inheritances. Divide by 10. This, less any inherited wealth, is what your net worth should be."

Based on this formula, if you are close to the expected value, then you are considered an Average Accumulator of Wealth (AAW).  Those who have at least twice the expected net worth (Age * Income / 10 * 2) are considered Prodigious Accumulators of Wealth (PAW).  At the bottom end of the calculation, you are an Under Accumulator of Wealth (UAW) if you have less than half of your expected net worth (Age * Income / 10 / 2).

"Big Hat, No Cattle"

The primary reason that so many people do not achieve the levels of wealth accumulation that they should is that they are too busy trying to appear well off, sacrificing true financial security for the façade of keeping up with the Joneses.  The truly affluent are more worried about how many cattle they have, not how big their cowboy hat is.

Education

The wealth accumulation formula is interesting because it takes into account how many years a person has to build their wealth.  One of the major factors that contribute to the time spent building wealth is whether that person pursues post-secondary education.  Michael Bloomberg gave a graduation speech last month that mentioned this fact (which some criticized him for), but Stanley and Danko's research supports it.  The time spent in college is time lost in terms of accumulating wealth, plus the money spent on college tuition and expenses (see denominator #7 above).

Budgeting Is Like Exercise 

There probably aren't many people that really "enjoy" sitting down and going over all of their expenses, categorizing them, and analyzing income and spending trends, but that is what the majority of these PAWs do on a regular basis.  Do you know how much you spent on gasoline last month?  How about eating out?  How about household utilities?  TMND relates this routine practice to that of exercise.  Who is more likely to have a regular exercise routine, those who are in shape or the less than healthy types?

You might think, why would someone who is rich need to worry about keeping track of all these details?  But that is precisely the point.  They don't keep track of them because they are wealthy; they are wealthy because they took the time to keep track of their budget.

Economic Outpatient Care

Economic Outpatient Care is defined in the book as relying on income from your parents when you should be at a point of providing for yourself (see denominators #4 and #5 above).  Some of the best lessons I got from TMND were the sections dealing with how to help your children be successful.  What it really comes down to is that teaching children how to be self-sufficient and provide for themselves is much more beneficial than continually investing in their bad spending habits.

Reflections

I originally listened to the audiobook, but then ended up getting a copy of the paperback to be able to review all of the tables and charts in the book.  I have since loaned out my copy of this book to several friends and they have all been appreciative of the recommendation as well.  Take the time to read this book.  It is definitely an eye opener.

Thursday, June 6, 2013

Book Review: Breakpoint

Breakpoint by: Richard A. Clarke
Narrated by: Robertson Dean
Publisher: Penguin Audio
Total Length: 8 Hours, 19 Minutes
Date Released: September 20, 2007



It has been a while since I've enjoyed a recreational novel, or so I thought.  (I don't count The Phoenix Project since that more or less is a text book on DevOps, ToC, Lean, and VisibleOps disguised as a novel).  But then I saw this quote from the author, 

"Fiction can often tell the truth better than nonfiction. And there is a lot of truth that needs to be told."

The Internet links between North America and the rest of the world severed.  Research facilities blown up by hackers gaining access to SCADA devices.  The heads of DARPA, the National Science Foundation, and the National Institutes of Health blown up by a suicide bomber.  The evolution of a new human species...  This cloak and dagger story is filled with twists and turns.  The FBI, CIA, DHS, NSA and every other government agency is trying to figure out who is behind these attacks, but it is up to a NYPD detective and an analyst with the 'Special Projects Office, Intelligence Analysis Center' to really crack the case.  As far-fetched or implausible as the plot line seems, Clarke lays out some very clear reasoning for combining these particular elements and others into Breakpoint.

Questions to Ponder

Given the news articles throughout the past year or so, I wasn't surprised by all the references to China hacking into university research centers or SCADA systems.  But had I read this book when it came out back in 2007, I probably would have been fairly surprised by and skeptical of all these vulnerabilities and gaping holes in the safety of the everyday life that I take for granted as an American.

Throughout the book, Clarke presents several conflicts of ethical debate, the biggest of which is the question of what it means to be "human".  Would genetically engineering someone to have several extra chromosomes change whether they were still human?

Clarke makes an interesting reference to Plato's Republic, by bringing up the class system of gold men vs. bronze men.  Are the changes and advances in technology widening the gap between the haves and the have-nots?

For all the advances that we claim technology has made for us, are we really any better off in terms of happiness or quality of life?

Tuesday, June 4, 2013

Book Review: Three Questions

What Men Live By and Other Tales: Three Questions


by Leo Tolstoy 
Translated by L. and A. Maude
Originally Published: 1885
Project Gutenberg: June 13, 2009

I love this short story, a great lesson in Time Management and Social Responsibility... 

 - How can I learn to do the right thing at the right time?
 - Who are the people I most need, and to whom should I, therefore, pay more attention than to the rest?
 - And, what affairs are the most important, and need my first attention?

Three Questions

It once occurred to a certain king, that if he always knew the right time to begin everything; if he knew who were the right people to listen to, and whom to avoid; and, above all, if he always knew what was the most important thing to do, he would never fail in anything he might undertake.

And this thought having occurred to him, he had it proclaimed throughout his kingdom that he would give a great reward to any one who would teach him what was the right time for every action, and who were the most necessary people, and how he might know what was the most important thing to do.

And learned men came to the King, but they all answered his questions differently.

In reply to the first question, some said that to know the right time for every action, one must draw up in advance, a table of days, months and years, and must live strictly according to it. Only thus, said they, could everything be done at its proper time. Others declared that it was impossible to decide beforehand the right time for every action; but that, not letting oneself be absorbed in idle pastimes, one should always attend to all that was going on, and then do what was most needful. Others, again, said that however attentive the King might be to what was going on, it was impossible for one man to decide correctly the right time for every action, but that he should have a Council of wise men, who would help him to fix the proper time for everything.

But then again others said there were some things which could not wait to be laid before a Council, but about which one had at once to decide whether to undertake them or not. But in order to decide that, one must know beforehand what was going to happen. It is only magicians who know that; and, therefore, in order to know the right time for every action, one must consult magicians.

Equally various were the answers to the second question. Some said, the people the King most needed were his councillors; others, the priests; others, the doctors; while some said the warriors were the most necessary.

To the third question, as to what was the most important occupation: some replied that the most important thing in the world was science. Others said it was skill in warfare; and others, again, that it was religious worship.

All the answers being different, the King agreed with none of them, and gave the reward to none. But still wishing to find the right answers to his questions, he decided to consult a hermit, widely renowned for his wisdom.

The hermit lived in a wood which he never quitted, and he received none but common folk. So the King put on simple clothes, and before reaching the hermit's cell dismounted from his horse, and, leaving his body-guard behind, went on alone.

When the King approached, the hermit was digging the ground in front of his hut. Seeing the King, he greeted him and went on digging. The hermit was frail and weak, and each time he stuck his spade into the ground and turned a little earth, he breathed heavily.

The King went up to him and said: "I have come to you, wise hermit, to ask you to answer three questions: How can I learn to do the right thing at the right time? Who are the people I most need, and to whom should I, therefore, pay more attention than to the rest? And, what affairs are the most important, and need my first attention?"


The hermit listened to the King, but answered nothing. He just spat on his hand and recommenced digging.

"You are tired," said the King, "let me take the spade and work awhile for you."

"Thanks!" said the hermit, and, giving the spade to the King, he sat down on the ground.

When he had dug two beds, the King stopped and repeated his questions. The hermit again gave no answer, but rose, stretched out his hand for the spade, and said:

"Now rest awhile--and let me work a bit."

But the King did not give him the spade, and continued to dig. One hour passed, and another. The sun began to sink behind the trees, and the King at last stuck the spade into the ground, and said:

"I came to you, wise man, for an answer to my questions. If you can give me none, tell me so, and I will return home."

"Here comes some one running," said the hermit, "let us see who it is."

The King turned round, and saw a bearded man come running out of the wood. The man held his hands pressed against his stomach, and blood was flowing from under them. When he reached the King, he fell fainting on the ground moaning feebly. The King and the hermit unfastened the man's clothing. There was a large wound in his stomach. The King washed it as best he could, and bandaged it with his handkerchief and with a towel the hermit had. But the blood would not stop flowing, and the King again and again removed the bandage soaked with warm blood, and washed and rebandaged the wound. When at last the blood ceased flowing, the man revived and asked for something to drink. The King brought fresh water and gave it to him. Meanwhile the sun had set, and it had become cool. So the King, with the hermit's help, carried the wounded man into the hut and laid him on the bed. Lying on the bed the man closed his eyes and was quiet; but the King was so tired with his walk and with the work he had done, that he crouched down on the threshold, and also fell asleep--so soundly that he slept all through the short summer night. When he awoke in the morning, it was long before he could remember where he was, or who was the strange bearded man lying on the bed and gazing intently at him with shining eyes.

"Forgive me!" said the bearded man in a weak voice, when he saw that the King was awake and was looking at him.

"I do not know you, and have nothing to forgive you for," said the King.

"You do not know me, but I know you. I am that enemy of yours who swore to revenge himself on you, because you executed his brother and seized his property. I knew you had gone alone to see the hermit, and I resolved to kill you on your way back. But the day passed and you did not return. So I came out from my ambush to find you, and I came upon your bodyguard, and they recognized me, and wounded me. I escaped from them, but should have bled to death had you not dressed my wound. I wished to kill you, and you have saved my life. Now, if I live, and if you wish it, I will serve you as your most faithful slave, and will bid my sons do the same. Forgive me!"

The King was very glad to have made peace with his enemy so easily, and to have gained him for a friend, and he not only forgave him, but said he would send his servants and his own physician to attend him, and promised to restore his property.

Having taken leave of the wounded man, the King went out into the porch and looked around for the hermit. Before going away he wished once more to beg an answer to the questions he had put. The hermit was outside, on his knees, sowing seeds in the beds that had been dug the day before.

The King approached him, and said:

"For the last time, I pray you to answer my questions, wise man."

"You have already been answered!" said the hermit, still crouching on his thin legs, and looking up at the King, who stood before him.

"How answered? What do you mean?" asked the King.

"Do you not see," replied the hermit. "If you had not pitied my weakness yesterday, and had not dug those beds for me, but had gone your way, that man would have attacked you, and you would have repented of not having stayed with me. So the most important time was when you were digging the beds; and I was the most important man; and to do me good was your most important business. Afterwards when that man ran to us, the most important time was when you were attending to him, for if you had not bound up his wounds he would have died without having made peace with you. So he was the most important man, and what you did for him was your most important business. Remember then: there is only one time that is important; now! It is the most important time because it is the only time when we have any power. The most necessary man is he with whom you are, for no man knows whether he will ever have dealings with any one else: and the most important affair is, to do him good, because for that purpose alone was man sent into this life."

Friday, May 31, 2013

Book Review: Assessing Vendors

Assessing Vendors: A Hands-On Guide to Assessing InfoSec and IT Vendors


by Josh More
Publisher: Syngress
ISBN: 978-0124096073
Number of Pages: 95
Date Published: May 10, 2013 


As I've noted in several previous blog posts, I believe the concept of Vendor Management is one of the weaker links in the security chain at many organizations.  While this book doesn't necessarily show you everything you need to know to fix this problem, it does provide solid advice on proper due diligence for selecting vendors and products that you want to build a relationship with.

Josh More lays out a very practical framework for finding vendors that provide technology (products and/or services) that addresses the needs of your situation.  More's Vendor Assessment process contains nine phases to help those responsible for evaluating and recommending solutions in Information Technology and InfoSec.  The process is designed to help these individuals fairly and quickly evaluate vendors, understand how the vendor/sales atmosphere operates, and get more value out of vendor contracts.


One of the biggest lessons I got out of the book was in properly defining the criteria used to assess and compare various solutions.  By selecting specific criteria to measure each vendor, you are ensuring a fair and systematic evaluation so that the final decision can be based on a true apples to apples comparison and backed up with data.  On page 17, More provides some great advice for deciding how many different criteria should be used in this process:

The limit is going to be the number of dimensions that you can hold in your head at any given time.  This way, as you assess systems, you don't have to bounce between modes of thinking too much.  This process, called "context shift," is a very common source of time loss when doing analyses.  If you are running down a large list for each candidate, you have to constantly change your mode of thinking and every time you do, it will cost you a little bit of time.  If your list is too short, you will be losing time thinking of real-world scenarios that could be concerning but cannot be captured in your limited system.

More provides several examples to address this issue, ranging from the C-I-A triad to the CISSP 10 Domains.  But I really liked the reference to the Parkerian Hexad on page 18, which is a short enough list to easily remember, but comprehensive enough to cover the majority of vendor/product assessments you will run into.
  1. Availability
  2. Possession/Control
  3. Confidentiality
  4. Utility
  5. Integrity
  6. Authenticity
I have to admit, this isn't the most exciting IT book out there, but I'm glad I read through it.  All in all, this one is a quick read weighing in at just under 100 pages, but sheds some light on what can sometimes be a very ad-hoc selection and purchasing process.

Thursday, May 30, 2013

Coursera: A Beginner's Guide to Irrational Behavior

I recently participated in a Behavioral Economics MOOC on Coursera.org taught by Dan Ariely.  I used to love listening to Dan's conversations with Kai Ryssdal on NPR/Marketplace on my drive home several years ago. And I had already been through each of his books, Predictably Irrational, The Upside of Irrationality, and The Truth About Dishonesty.  So, I thought the class would be a lot of fun.




Most of the topics, research and experiments that were covered in the class were ones straight out of the books, but there were also interesting references to research papers to see more details about how the experiments were carried out and the exact findings of the research.  It is evident that Dan and his team put a lot of effort into building and presenting a very high quality MOOC.

Impressions of Coursera

I have to say I'm a fan of Coursera.  I think it is very cool that they have worked out a deal with so many top colleges and universities to offer outstanding content to the masses for free!  The Coursera website is easy to navigate.  Access to course materials, video lectures, and discussions is fantastic.  The quizzes associated with the lectures and reading assignments were straightforward and engaging.

The one area that I find to be rather disheartening is the peer grading process.  I understand that there is no way for a professor and a couple of graduate students to grade tens of thousands of essays and writing assignments, but there seems to be a rather large flaw in the grading criteria for these non-multiple choice assignments.  The problem is the subjectivity of the grader on the written assignment.



Peer Grading

After submitting the written assignment, each student was asked to grade three other assignments based on the following criteria:
  1. Did the student identify and describe a behavioral problem?
  2. Did the student correctly identify and describe research that is relevant to the problem?
  3. Did the student propose a research-based solution?

I find it odd that someone as fluent in measuring the results of research and experiments as Professor Ariely (results which are often dependent upon how questions are phrased, the order in which the questions appear and the types of choices presented) would purposefully introduce subjectivity into this grading process by allowing the grader a three point scale for each of these criteria.  Unless I'm mistaken, these appear to be simple "Yes/No" questions, yet the grader was given a range of choices from 1 (didn't meet the criteria) to 3 (met the criteria), thereby adding unnecessary subjectivity.

For the first criterion, either the student described a behavioral problem or they didn't.  Answering this question should not be based upon the grader's bias as to whether they perceive the issue to truly be a problem or not.  If the student articulated a topic in the context of human behavior, how can anyone honestly give them less than full credit for this criterion?


The second criterion possibly could have been worded more precisely so as to convey the intent of the question, such as, "Did the student utilize material from the course reading assignments that supports the claim of the behavioral problem?"

The third criterion, again, is not asking for the grader's biased opinion as to whether or not they agree with the proposed solution.  It is simply asking if the student proposed a solution within the context of the research covered by the course reading assignments.  It is not the grader's responsibility to assess the viability of the proposed solution.  It shouldn't be the grader's prerogative to judge the effectiveness of the proposed solution.  I find it hard to believe that anyone would submit their written assignment if it were totally void of a proposed solution.

Proposed Solution for Peer Grading

Dear Coursera and Prof. Ariely, to improve the quality of this course for the students, I believe an effort should be made to remove as much subjectivity from the peer grading process as possible.  If you are going to ask "Yes/No" questions, then grade accordingly with "Yes/No" answers.  If you want the written assignment to be based on a total of 9 points, then ask 9 "Yes/No" questions that are specific to the quality of the written assignment, such as:
  1. Did the student use the correct name for the problem (if the problem has a name we discussed in this course)? 
  2. Did the student give a clear indication of why the behavior is problematic?
  3. Did the student tell us what the scale of the problem was?
  4. Did the student summarize the experiments and findings about this behavior? This should include only relevant experiments and findings. 
  5. Did the student refer to experiments from the assigned readings and/or lectures? 
  6. Did the student cite his or her sources? 
  7. Did the student propose a solution?
  8. Did the student show the solution was based on existing behavioral research? 
  9. Was the solution original? That is, did the student come up with a plan that was not exactly like another we have studied?
By the way, these questions were provided as guidance for answering the original three criteria, but were left up to the subjectivity of the grader to incorporate within the faulty three point scale.

I also realize that grading any written assignment will inherently include some subjectivity of the grader, but the need to limit this subjectivity is only magnified by the fact that the graders in this case have no credibility on which to base their opinions (i.e. the students of a free online introduction class are most likely not "experts" on the subject of behavioral economics).

Sunday, May 19, 2013

Detecting Evil: Network Security Monitoring

Trying to clear out the backlog of posts in my Drafts folder, and this one is long overdue...

News Headlines

These are just a couple of the news stories that caught my eye [in the hopefully not too distant past].

BofA Confirms Third-Party Breach

"Bank of America systems were not compromised. Our customer data is secure." Mark Pipitone, BofA Spokesman

Evernote Security Notice

"Evernote’s Operations & Security team has discovered and blocked suspicious activity on the Evernote network that appears to have been a coordinated attempt to access secure areas of the Evernote Service."


LA Times Serving Up Malware

"To ensure safety, the Offers & Deals platform has been rebuilt and further secured. The sub-domain generates only advertising content and does not contain any customer information."

So What's Going On?

Whenever I read headlines like this, they almost always come with some disclaimer that "There is no evidence that the intruders gained access to..." and rightly so.  A lot of companies don't have the ability to detect the breach in the first place, and then, when they are notified about it by some third party (customers, law enforcement or the attackers themselves), they most certainly don't have any way to tell what information was stolen, so they claim that customers need not worry because there isn't any evidence of their information being stolen.

"Is it just me or am I the only one who thinks how can these attackers be so good as to break into the networks of companies yet those companies always seem to stop the attack just before the attackers gain access to sensitive information?" Brian Honan, SANS NewsBites Vol 15 Issue 18.
 

Assessing the Damage

Because of all of the cover-up attempts by companies to minimize the negative publicity fallout from disclosing a data breach, it can be difficult to find relevant data to use to educate the decision makers in your organization about the importance of good Network Security Monitoring.  Here are some resources that I have found useful in describing the impact of a security breach to executives and senior management:
 
And some other interesting statistics regarding the accuracy of claims that companies caught the bad guys "just in the nick of time".
  • The Trustwave 2012 GSR states that the breach-to-detection window was 173.5 days, the time attackers spent within the victim's environment before detection occurred.
  • In the Trustwave 2013 GSR, the breach-to-detection window widened to 210 days.
  • The Mandiant 2012 Annual Threat Report on Advanced Targeted Attacks cites a much larger window, "The median number of days from the first evidence of compromise to when the attack was identified was 416 days."
  • The more recent Mandiant APT1 Report states "[attackers] were inside victim systems for avg of 356 days; longest observed: 1764 days"
  • The Verizon DBIR 2012 states, "It saddens us to report that, yet again, breach victims could have circumnavigated the globe in a pirogue (not from the bayou? Look it up.) before discovering they were owned. In over half of the incidents investigated, it took months—sometimes even years—for this realization to dawn. That’s a long time for customer data, IP, and other sensitive information to be at the disposal of criminals without the owners being aware of it."
  • The Verizon DBIR 2013 concludes that it still takes on average 221 days from breach to discovery.
These numbers seem to echo a common sentiment that there are two kinds of companies out there: those who know they've been breached and those who have been breached and just don't know it yet.

Saturday, May 18, 2013

Book Review: Lean Security 101

Lean Security 101: The Comic Book


by Josh More
Publisher: RJS Smart Security
Number of Pages: 24


Josh More over at RJS Smart Security obviously had some fun putting this together. Lean Security 101 is a neat little info-graphic that looks an awful lot like a comic book.  

Percy the Protection Pangolin

I'll admit it; I had to look up what a Pangolin actually was (+1 for originality).  The Pangolin is Josh's sidekick throughout the story.

The 80x5 Rule

The biggest insight I got out of this comic was the 80x5 Rule.  So you've probably heard of the "Pareto Principle", commonly referred to as the 80/20 rule.  Well the 80x5 rule builds on this idea using concepts from Lean.


The 80/20 rule is often quoted by business managers and executives as a rallying cry to take some action or get started with some new project by trying to justify quick returns with minimal effort.  But hidden within this management standard is an implicit acknowledgment that getting a project to 100% perfection (meeting all of the requirements on time and within budget) becomes increasingly difficult.  The law of diminishing returns takes over and additional effort is needed just to make incremental progress towards the goal.

When applied to Information Security, this concept is just as true.  There is no silver bullet for protecting your digital assets, so no single project or technology or defense mechanism is ever going to be 100% effective at keeping your data safe.

The 80x5 rule is designed to help you get the most value from the least amount of effort while maximizing your defensive posture.




The 80x5 rule says that instead of spending all of your effort trying to implement a single defensive measure (that will never reach 100% effectiveness), it would be much more productive to add complementary layers of security.  After you have spent the first 20% of your effort on that defensive measure (and reached 80% of the results), any further effort on that task could be considered waste (based on Lean).  In terms of opportunity cost, if you took the remaining unspent effort (you still have 80% left at this point) and divided it into four more blocks, you could potentially get 80% results from each of another four projects.  This is obviously a much better ROI than spending that remaining 80% and obtaining at most 20% more benefit from your current task.

Assuming each layer is 80% effective (based on the Pareto Principle), eight layers could give you up to 99.999% effective security.  Yes, there can and will be various exceptions to this line of reasoning.  But why spend all your effort on fixing things that should be considered "good enough" when there are other more productive security measures you could be working on (like building up your incident response team and testing your IR plan)?  I see this as an important tool for helping to prioritize competing projects and assessing those final inches toward the goal line.
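To put numbers on the 80x5 rule, here is an added example of my own (not code from the comic or from RJS Smart Security) that computes the combined effectiveness of independent 80% layers, the number of such layers needed to reach a target, and, as an added caveat for the "exceptions" mentioned above, what happens when several layers share one bypass.  The control names and bypass groupings in SAMPLE_STACK are constructed for illustration.

```python
"""Worked numbers for the 80x5 rule.

Added example for this post, not code from the comic or RJS Smart Security.
It assumes the post's simplification that each layer independently stops
80% of attacks, so an attack succeeds only if it slips past every layer.
The correlated case (layers sharing one bypass) is an added assumption about
how to model the "exceptions" the post acknowledges.
"""


def combined_effectiveness(effectivenesses):
    """Fraction of attacks stopped by a stack of independent layers.

    An attack gets through only if every layer misses it, so the overall
    miss rate is the product of the per-layer miss rates.
    """
    miss = 1.0
    for e in effectivenesses:
        if not 0.0 <= e <= 1.0:
            raise ValueError(f"effectiveness must be in [0, 1], got {e}")
        miss *= 1.0 - e
    return 1.0 - miss


def layers_needed(target, per_layer=0.8):
    """Smallest number of independent layers, each per_layer effective,
    whose combined effectiveness reaches target (e.g. 0.99999)."""
    if not 0.0 <= target < 1.0:
        raise ValueError("target must be in [0, 1)")
    if not 0.0 < per_layer <= 1.0:
        raise ValueError("per_layer must be in (0, 1]")
    allowed_miss = 1.0 - target
    miss, count = 1.0, 0
    # Each layer multiplies the miss rate by (1 - per_layer); stop as soon
    # as the residual miss rate is within budget. The small tolerance avoids
    # counting an extra layer because of float rounding at exact boundaries.
    while miss > allowed_miss + 1e-12:
        miss *= 1.0 - per_layer
        count += 1
    return count


def correlated_effectiveness(layers):
    """Combined effectiveness when some layers share a single bypass.

    `layers` maps a layer name to (effectiveness, bypass_group). Layers in
    the same group are defeated by the same technique, so the group counts
    as one layer at the effectiveness of its strongest member rather than
    as several independent layers.
    """
    best_per_group = {}
    for _name, (eff, group) in layers.items():
        best_per_group[group] = max(best_per_group.get(group, 0.0), eff)
    return combined_effectiveness(best_per_group.values())


# Constructed sample stack: five controls, each taken at the post's 80%.
# The two firewalls are grouped because one permitted-but-abused service
# walks past both; the grouping is illustrative, not a claim about any
# real product.
SAMPLE_STACK = {
    "edge firewall": (0.8, "network-acl"),
    "host firewall": (0.8, "network-acl"),
    "patching": (0.8, "vuln-mgmt"),
    "endpoint detection": (0.8, "endpoint"),
    "multi-factor auth": (0.8, "identity"),
}


def report():
    """The figures the post quotes, plus the correlated-layer caveat."""
    return {
        # 1 - 0.2**5 = 0.99968: five independent 80% layers
        "five_layers": combined_effectiveness([0.8] * 5),
        # 1 - 0.2**8 = 0.99999744, the "up to 99.999%" eight-layer figure
        "eight_layers": combined_effectiveness([0.8] * 8),
        # how many 80% layers it takes to reach 99.999%
        "layers_for_99_999": layers_needed(0.99999),
        # the sample stack counted naively as five independent layers
        "sample_naive": combined_effectiveness(e for e, _ in SAMPLE_STACK.values()),
        # the same stack once the shared bypass is accounted for (four layers)
        "sample_correlated": correlated_effectiveness(SAMPLE_STACK),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key:>20}: {value}")
```

The correlated figure (99.84%) versus the naive one (99.968%) is the practical point: the rule only pays off when the layers fail for different reasons.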

The book goes into more detail, but hopefully you get the idea.  Go download a free copy for yourself, http://www.rjssmartsecurity.com/Lean-Security-101-Comic/, and give them a call about a free Lean Security Assessment.