Category Archives: Blog

Announcing the Availability of an AI Governance Textbook

Seattle, WA – January 21, 2026 – Author Peter H. Gregory has announced that his latest book, “AIGP Artificial Intelligence Governance Professional Study Guide,” has been released. Available in e-book and trade paperback formats, the AIGP Study Guide has been published by Wiley Publishing under the Sybex brand.


The book is available from the publisher here: https://www.wiley.com/en-us/IAPP+AIGP+Artificial+Intelligence+Governance+Professional+Study+Guide-p-9781394363957

AI is being adopted by organizations worldwide, often without governance or executive management oversight. “Shadow AI” is a significant concern, as employees in numerous organizations circumvent AI embargoes and utilize personal AI accounts, often inadvertently leaking sensitive corporate data and relying on AI-powered guidance in the process.

“The AIGP certification is a step in the right direction, serving as a guide to organizations that need to quickly put guardrails in place without hampering innovation,” says Gregory. “Without governance in place, organizations are at risk of their AI systems introducing more problems than they are solving.”

Companion training course

Gregory has also created the training course, “Artificial Intelligence Governance Professional (AIGP) Certification: Your Guide to Building a Management and Governance System to Ensure Responsible and Ethical AI.” The course is available online at O’Reilly Media, an organization renowned for its training content and programs.

The course URL is https://www.oreilly.com/videos/artificial-intelligence-governance/0642572035624/.

About the AIGP certification

The AIGP certification was launched in 2024 by the International Association of Privacy Professionals (IAPP), a professional organization renowned for its privacy certifications. The release of the AIGP certification affirms its continuing leadership role.

About Peter H Gregory

Peter H Gregory is a career information security, privacy, and technology professional and a former executive advisor and virtual CISO. Peter H Gregory is a well-known author of best-selling tech books, including certification study guides for the world’s leading professional certifications in information security and privacy. He has authored over fifty books in the past twenty-five years, including “Solaris Security,” “CISA Study Guide,” “CISM All-In-One Exam Guide,” “Chromebook For Dummies,” and “The Art of Writing Technical Books.” Visit him at peterhgregory.com.

For interviews with Peter H Gregory, please contact him at: https://peterhgregory.wordpress.com/contact/

# # # 

You are free to disseminate this news story. We request that you reference Peter H Gregory and include our web address, www.peterhgregory.com

Announcing the Availability of an AI Governance Training Course

Seattle, WA – September 11, 2025 – Author Peter H. Gregory has announced that his latest training course, “Artificial Intelligence Governance Professional (AIGP) Certification: Your Guide to Building a Management and Governance System to Ensure Responsible and Ethical AI,” has just been released for general use. The course is available online at O’Reilly Media, an organization renowned for its training content and programs.

The course URL is https://www.oreilly.com/videos/artificial-intelligence-governance/0642572035624/

AI is being adopted by organizations worldwide, often without governance or executive management oversight. “Shadow AI” is a significant concern, as employees in numerous organizations circumvent AI embargoes and utilize personal AI accounts, often inadvertently leaking sensitive corporate data in the process.

“The AIGP certification is a step in the right direction, serving as a guide to organizations that need to quickly put guardrails in place without hampering innovation,” says Gregory. “Without governance in place, organizations are at risk of their AI systems introducing more problems than they are solving.”

Gregory is also writing “AIGP Artificial Intelligence Governance Professional Study Guide,” to be published by Wiley Publishing in early 2026. The book is designed to be a certification study guide as well as a desk reference, and will include a comprehensive glossary, flash cards, and two online practice exams.

The AIGP certification was launched in 2024 by the International Association of Privacy Professionals (IAPP), a professional organization renowned for its privacy certifications. Its release of the AIGP certification affirms its continuing leadership role.


Notes on iPhone Hardening

As a career cybersecurity professional with extensive hands-on experience in system and device hardening, I’ve naturally applied some of the same techniques to my iPhone. Here are the measures I’ve taken.

The device is an iPhone 13 Pro running iOS 18.5.

  • Longer unlock code. I use a passcode considerably longer than the four-digit numeric minimum. A longer passcode is harder to shoulder-surf, and because the passcode is entangled with the device’s hardware key to protect stored data, it also raises the cost of any brute-force attempt against the device.
  • Application protection. I’ve enabled “Require Face ID” on many installed apps, particularly those related to security, finance, and privacy, so that someone who picks up my unlocked phone cannot simply open them.
  • Application hiding. I’ve hidden specific apps so that they do not appear on the Home Screen or in search. Face ID is required to reveal and run hidden apps.
  • Lock when disconnected from power. The phone locks immediately when it is unplugged. This is done in Shortcuts > Automation by creating a new automation that is triggered when the device is disconnected from power, runs immediately rather than asking first, and performs the Lock Screen action. This reduces the risk of compromise if I’m charging the phone in public and someone grabs it while it is unlocked, much as a car locks itself shortly after nobody is in or near it.
  • Lock when connected to power. Similarly, the phone locks immediately when it is plugged in. This is set up the same way as the disconnect automation above, using the connected-to-power trigger.
  • Stolen phone Focus mode. If my iPhone is stolen, I can use any of my other Apple devices to turn on a “Stolen Phone” Focus. If the iPhone is online, the following actions run on it:
    • The phone enters Low Power Mode, so that it stays online for as long as possible.
    • The screen locks immediately.
    • Screen brightness is set to zero, so that nothing is readable on the Lock Screen.
    • Photos are taken with the front and rear cameras and sent to selected family members and me.
    • Audio recording is started, and the recordings are sent to selected family members and me.
    • The iPhone’s current location is captured and sent to selected family members and me.
    • A screenshot is taken and sent to selected family members and me.

This is set up by first creating the Stolen Phone Focus, then creating an automation that is triggered when that Focus turns on and runs the actions above. Because Focus state is synchronized across all of my Apple devices, turning on the Stolen Phone Focus from any of them puts the iPhone into it as well. Note that the actions can only run while the phone is powered on and online, so this complements Find My rather than replacing it.

I also use Apple’s “Find My” to track the location of my devices, and use its lost/stolen features (marking a device as lost, locating it, and erasing it remotely).

I also use secure (encrypted) DNS, antimalware, and spam/phishing filtering, and I install security patches and app updates as soon as they are available. I also restrict every app’s access to location, contacts, photos, and the local network, although this is more about application and data security than device hardening.

What other measures are you using to harden your mobile devices? Let me know in the comments.

The problem of misaddressed email

Over the last three decades, I have received dozens—perhaps hundreds—of email messages intended for other people. Today, I received two that are particularly sensitive, which is prompting me to write this article.

Since the 1990s, I have received misaddressed email of many types and by many routes, and some of it persisted for years. Here are some examples:

  • Starting in the early 2000s, I began receiving large numbers (dozens per day) of emails addressed to three separate Canadian persons served by three different ISPs. In each case, I was BCCed on every message sent to that person, which I confirmed through brief experimentation. I wrote to the security, privacy, support, and other functions at the ISPs and never received a reply. I even wrote to the three persons, informing them of the matter so they could lodge complaints. None of them apparently cared; only one replied, and his suggestion was that I close my email account! I ended up writing email rules to delete all of these incoming messages immediately, and when I occasionally checked my trash I saw this go on for years.
  • Starting around 2005, I began receiving emails for a physician who shares my name. I would receive sales literature and patient information on many occasions. I was once invited to speak at a conference.
  • Starting in the late 2000s, I began receiving invoices and other correspondence meant for a private aircraft repair facility in Singapore. On several occasions, I returned them, stating they were misaddressed. 
  • Starting a couple of years ago, I began receiving emails from a vehicle repair shop to confirm repair appointments and surveys afterward.
  • Starting a few years ago, I began receiving e-receipts from a Harbor Freight Tools store in Florida. 
  • I recall one instance when a law firm (which I had not heard of) included me in sensitive correspondence. When I alerted them of their error, they began treating me like it was my error.
  • I am occasionally included in email messages related to a school soccer club and a church group in England.
  • In the late 1990s, I was accidentally included in a prayer request email. I wrote back to the sender to inform her, and we corresponded for many years.
  • Today, the government of Indonesia emailed me a foreign visitor visa (which included someone else’s photo and passport number) and a Limited Stay Permit. I forwarded both to the Indonesian immigration office and am awaiting a reply.
  • There have been numerous one-off examples over the past 20-30 years that I don’t recall specifically.
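One way to spot this kind of misdelivery automatically, as an added example that is not part of the original post: the triage below parses the visible recipient headers with Python’s standard email module and flags messages in which none of my own addresses appears in To or Cc (which is what a BCC, a list expansion, or an ISP-side misrouting looks like from the recipient’s side), and messages addressed to a lookalike, such as a namesake at another domain. The addresses in MY_ADDRESSES and the three sample messages are constructed for the example.

```python
"""Triage incoming mail for signs that it was not meant for this mailbox.
Added example, not from the original post; sample messages are constructed."""
from email import message_from_string
from email.utils import getaddresses

# Assumed: the addresses that legitimately belong to this mailbox.
MY_ADDRESSES = {"peter@example.com", "phg@example.com"}

# Constructed sample messages (only the headers matter for triage).
SAMPLE_MESSAGES = {
    "direct": (
        "From: colleague@example.org\n"
        "To: Peter <peter@example.com>\n"
        "Subject: Draft chapter\n\n"
        "See attached.\n"
    ),
    "canadian-bcc": (
        "From: bank@isp.example.ca\n"
        "To: j.smith@isp.example.ca\n"
        "Delivered-To: peter@example.com\n"
        "Subject: Your monthly statement\n\n"
        "Statement attached.\n"
    ),
    "physician-namesake": (
        "From: conference@medical.example\n"
        "To: \"Dr. Peter Gregory\" <peter@clinic.example>\n"
        "Cc: admin@clinic.example\n"
        "Subject: Invitation to speak\n\n"
        "We would be honored...\n"
    ),
}


def visible_recipients(raw_message: str):
    """Return (display_name, address) pairs from To and Cc, lower-cased.
    getaddresses() copes with comma-separated and folded header values."""
    msg = message_from_string(raw_message)
    pairs = getaddresses(msg.get_all("To", []) + msg.get_all("Cc", []))
    return [(name.lower(), addr.lower()) for name, addr in pairs if addr]


def classify(raw_message: str, my_addresses=MY_ADDRESSES) -> str:
    """Classify a delivered message as:
      'addressed'   - one of my addresses is in To or Cc
      'lookalike'   - a recipient shares my local part but is not me
                      (the namesake-at-another-domain case)
      'hidden-copy' - I am in neither To nor Cc, so I received it via
                      Bcc, a list expansion, or a misrouted forward
    """
    mine = {a.lower() for a in my_addresses}
    recipients = visible_recipients(raw_message)
    if any(addr in mine for _, addr in recipients):
        return "addressed"
    my_local_parts = {a.split("@", 1)[0] for a in mine}
    if any(addr.split("@", 1)[0] in my_local_parts for _, addr in recipients):
        return "lookalike"
    return "hidden-copy"


def triage(messages=SAMPLE_MESSAGES):
    """Map each sample message to its verdict; anything other than
    'addressed' deserves a look before the content is acted on."""
    return {label: classify(raw) for label, raw in messages.items()}


if __name__ == "__main__":
    for label, verdict in triage().items():
        print(f"{label:20s} {verdict}")
```

A server-side rule built on the same test can route “hidden-copy” and “lookalike” mail to a review folder instead of the trash, which is safer than deleting it unseen: the Delivered-To and Received headers then show which of your addresses actually received the copy, which is the evidence an ISP or sender needs to fix the routing.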

I have often wondered which emails intended for me were sent to others, and what impact the misaddressing might have had. Businesses and governments routinely use email for official communication, and misdelivery can certainly have unintended consequences.

I cannot imagine that my experience is unique, yet in my entire career I have not seen any articles or news items on this topic.

MacBook Pro (2023 M2 Max) Review

Last week, I took delivery of the fourth MacBook Pro I have owned. In this post, I’m sharing my experience and impressions in the hope that any of you contemplating a new MacBook Pro will have more helpful information to guide you in your purchase decision.

The MBP I have just purchased is a 2023 16-inch MBP M2 Max with 32GB of RAM and a 1 TB SSD. I bought it as a Premium Renewed machine through Amazon, and paid $1,889. Cosmetically, the MBP had no visible marks and appeared as though it were brand new. Amazon renewed MBPs come with a third-party power supply and power cord, which are working fine for me. I purchased a second power cord as a backup.

I previously purchased my MBPs through Apple Refurbished, but this time around, the least expensive 16-inch Apple Silicon machines with a 1 TB SSD were $1,000 higher than Amazon Premium Renewed. I don’t regret my decision, although this is the first time in years that AppleCare does not cover my MBP.

The MBP I replaced is a late 2019 model with 16GB of RAM, a 1TB SSD, and an Intel processor. This machine continues to perform well, but is slow on some tasks. Since it’s now six years old, I thought it was high time to retire it. I rely heavily on my MBP and other equipment for my livelihood; hence, having reliable equipment is critical for me.

The primary reason I replaced my Intel MacBook Pro was performance. I use video editing tools frequently, and the Intel-based MBP was taking a long time to perform various tasks, notably exporting 30-minute videos to MP4. Incidentally, you might wonder whether a 1 TB SSD is large enough. Apple charges a premium for internal storage, so I opted to process the videos I’m developing on the internal SSD. However, my long-term storage for video courses is an 8 TB RAID array, with backups to two cloud storage providers. [April 28, 2025 update: on my previous Intel MBP, tasks in my video editing software got the cooling fans running at high speed, sometimes loud enough to be heard in recordings. The new M2 laptop’s fans never turn on, even when performing the same tasks.]

My old MBP had the Touch Bar, which I didn’t use much. My new MBP lacks a Touch Bar, which is not a big deal for me. MBPs still have Touch ID in the upper right corner of the keyboard, which also functions as the power button.

Apple made it really easy to migrate my data from my former MBP to the new one. Migration Assistant worked like a charm.

A few of my apps are compiled for Intel, so macOS prompted me to install Rosetta 2, which translates x86-64 code to Apple Silicon (arm64) code, mostly ahead of time when an app is first launched, with little noticeable slowdown. None of my big apps require Intel, just a few small tools and utilities, so this is a non-issue for me.

I did encounter one significant difficulty: I was unable to get a couple of software tools working, namely antivirus (yes, it’s wise to have antivirus on a Mac) and a few others. I fussed with this for 2-3 hours until I realized that the confounded DISPLAY NOTCH was the true culprit. Like iPhones, newer MBPs have a notch in the display for the camera, and when there isn’t enough room to display all the menu bar icons, those that would overlap the notch simply do not appear. Apple support and community forums contain numerous similar complaints, and it appears there is no short-term fix.

My remedy was to simply stop displaying many of the menu icons I’ve grown to love, including Wi-Fi, Bluetooth, keyboard backlight, and others. By turning those off, the others I was looking for reappeared. It turns out that my AV software was working all along, but without the menu icon, I had no way to know.

The only other issue I’ve run across so far happened just today, when I was trying to get my Logitech Spotlight to pair. I spent about an hour troubleshooting this, including reading FAQs, community posts, and conducting trial-and-error tests. I finally got it working, and the root cause was baffling, which was related to FileVault. I still don’t get the association, but it’s working now. And yes, FileVault is turned on.

My former MBP was one of those with four USB-C ports, requiring all manner of adaptors for displays and such. My new MBP is more traditional, with a MagSafe power adaptor, SD card slot, HDMI port, and 3 USB-C ports (also an audio jack). Because of the presence of the SD card slot, I was able to resume a former practice that I’m happy to return to – backups.

In the SD card slot, I use a BaseQi adaptor that accepts any microSD card and sits completely flush in the slot. I use a 512 GB microSD card as one of my Time Machine drives. Thus, even when I’m out in the field, I always have a Time Machine drive tucked away in the SD card slot, which gives me a way to quickly recover any file, or the entire machine, without having to get one of my external SSDs or my RAID array. Since the card is small and removable, it is worth confirming that the Time Machine destination is encrypted (Time Machine offers this when the destination is added); otherwise a lost card is an unencrypted copy of everything on the FileVault-protected internal drive.

Apple-branded power cords really make a difference

Lately, I’ve been doing a lot of compute-intensive work on my 2019 MacBook Pro (16″, 16GB RAM, 1TB SSD), and like a lot of MBP users, I was watching the battery level slowly drain despite being plugged into mains power with the Apple 96W charger.

I read several tech articles and postings in the Apple community, notably this one.

Bottom line – I was doing all the right things, but could not stop the low battery drain.

One tech article (I don’t remember where, sorry) suggested that Apple-branded cords sometimes have more power-carrying capacity than off-brand cables. I was using an off-brand 3m cable to charge my Mac, so I replaced it with an Apple-brand 2m cable that I was using to charge my Chromebook. Immediately, without changing anything else on my MBP, the battery charge level began to rise.

So for me, it is true that Apple brand power cords really do work better. The likely explanation is cable rating rather than branding: USB-C cables without an electronic marker chip are limited to 3 A (60 W), so a 96 W charger can only deliver its full output through a 5 A e-marked cable such as Apple’s, and over a lesser cable the Mac draws the shortfall from its battery.

P.S. It helps to use the proper wattage charger as well. I use Apple brand for my MBPs, but use off-brand for my iPad, iPhone, and other mobile devices.

Email Wellness Essentials for Work-Life Balance

Invented in the 1960s and becoming mainstream in the 1990s, email facilitates asynchronous communication with individuals. By “asynchronous,” I mean that a sender can send a message at a time of their choosing, and recipients can respond at a later time convenient for them. Unlike phone calls and videoconferencing, email senders and receivers can message each other without having to consider the availability of the other parties.

Many organizations support and permit corporate email on their employees’ personally owned smartphones and tablets, adding to after-hours convenience. However, some individuals have acquired a sense of entitlement, expecting after-hours responses to after-hours messages when the matter can often wait until the next workday.

Two of my associates have recognized that after-hours email can upend the work-life balance applecart, and have added statements to their email footers to remind recipients that an immediate reply is not expected.

Alyson Laderman – CEO of Akylade

Alyson’s email footer includes:

Well Being Notice: Receiving this email outside of normal working hours? Managing work and life responsibilities is unique for everyone. I have sent this email at a time that works for me. Please respond at a time that works for you.

As the CEO of Akylade, a global company, Alyson recognizes that everyone is in different locations and schedules. She states, “Our teammates, candidates, and advisors are all over the world, and it’s difficult to keep up with all the time zones and use the email delays appropriately. I send emails when I am working and certainly don’t want anyone to feel that they are required to be accessible at all hours and all days. Being remote and working during productive hours for me does not entitle me to access someone else 24/7. That’s not the expectation or the obligation. There needs to be work time and personal time.”

Cindy Johnson, Co-Founder of Tag4HR

Cindy’s email footer includes:

I support flexible working. If you receive this email outside of your normal working hours, please respond at a time that is convenient for you.

Like Alyson, Cindy has colleagues and clients who work in various time zones, and it is essential to respect their diverse schedules. “My approach is rooted in trust – I send emails when it suits my schedule, knowing that my message will be addressed when it’s convenient for them,” Cindy states. “This balance fosters a positive, respectful work culture where personal time is valued just as much as productivity.”

While many working professionals have healthy work-life balance boundaries, these statements in email footers are a kind and gentle reminder that your response can wait.


Announcing CISSP For Dummies, 8th edition

The best-selling certification study guide, CISSP For Dummies, will be published in its eighth edition in mid-2024. Authors Lawrence Miller and Peter H. Gregory have written CISSP For Dummies since its first edition was published in 2002, a collaboration spanning more than two decades.

CISSP For Dummies, 8th ed

CISSP itself is celebrating its 30th anniversary in 2024. Established in 1994, CISSP has been the gold standard for cybersecurity certification since its beginning. Over 150,000 security professionals worldwide have earned the Certified Information Systems Security Professional (CISSP), and many have launched great careers as a result.

CISSP For Dummies contains all of the information that CISSP exam candidates are responsible for. CISSP For Dummies is written in the classic “For Dummies” tone, which is described as friendly and confident, as though imparted by your cool, helpful friend. The book goes beyond just the core examination material and includes sections on study plans, learning styles, maintaining one’s certification once earned, and the numerous ways in which CISSP certification holders can make the cybersecurity world a better place. Authors Miller and Gregory are passionate about this aspect of “giving back” to a profession that is critical in today’s world.

CISSP For Dummies, 8th edition, is available now for pre-order from Amazon, Barnes & Noble, Walmart, Target, and others.

About the Authors

Lawrence C. Miller, CISSP, has worked in information security and technology management for over 20 years. He received his MBA from Indiana University and has earned numerous technical certifications throughout his career. He has previously worked in Vice President and Director level positions at several small to mid-sized companies in various industries. He served as a chief petty officer in the U.S. Navy in various roles and is a veteran of Operations Desert Shield/Storm. He is the author of more than 130 other For Dummies Custom Edition books.

Peter H. Gregory, CISSP, CISM, CISA, CRISC, CIPM, CDPSE, CCSK, DRCE, A/CCRF, is the author of more than 50 books on security and technology, including Solaris Security (Prentice Hall), IT Disaster Recovery Planning For Dummies (John Wiley & Sons, Inc.), The Art of Writing Technical Books (Waterside), and CISA Certified Information Systems Auditor All-In-One Study Guide (McGraw-Hill). Peter is a career technologist and a security executive at a regional telecommunications provider. Prior to this, he held strategic security positions at Optiv Security (www.optiv.com) and Concur Technologies (www.concur.com). Peter is an advisory board member for the University of Washington for continuing education programs in cybersecurity. He is a member of the Forbes Technology Council, CyberEdBoard, InfraGard, and a graduate of the FBI Citizens’ Academy.

Shadow AI

Shadow AI is rampant in organizations today. Employees are signing up for ChatGPT and other generative AI services, and using GenAI in many ways.


Shadow AI is the use of AI services outside the awareness and control of IT, information security, and the legal department. Because employees are using GenAI on the sly, there is little doubt that some are unknowingly compromising their organizations’ intellectual property and sensitive information by uploading it to an AI system for analysis.

A software engineer at a global semiconductor company uploaded proprietary source code to a public AI service, only to realize that anything submitted became the provider’s data, retained under the provider’s terms and potentially used to train its models, with no practical way to get it back. This is a well-known example, and certainly not the only instance in which an employee compromised sensitive information out of plain ignorance.

Organizations need to establish AI Governance, even as they continue to learn about AI and what it can do (both good and bad) for their organizations. Responsible AI use means subjecting its use to lifecycle processes in which stakeholders such as Legal, IT, and Information Security can apply policies and requirements to ensure that all uses of AI are safe, legal, fair, explainable, and improve the efficiency or effectiveness of the organization.
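As an added example, not part of the original post: a detection pass over outbound proxy logs, which is where shadow AI use first becomes visible to IT. The hostnames in GENAI_HOSTS and the log lines are constructed for the example (the watch-list is an assumed starting point, not an authoritative one), and UPLOAD_THRESHOLD is an assumed request size above which a single POST to a GenAI service is treated as a possible bulk upload of internal data.

```python
"""Flag generative-AI use and bulk uploads in outbound proxy logs.
Added example, not from the original post; hosts, threshold, and
log lines are constructed/assumed."""
import csv
from collections import defaultdict
from io import StringIO

# Assumed watch-list of GenAI service hostnames; extend it for your environment.
GENAI_HOSTS = {
    "chat.openai.com": "OpenAI ChatGPT",
    "api.openai.com": "OpenAI API",
    "claude.ai": "Anthropic Claude",
    "gemini.google.com": "Google Gemini",
    "copilot.microsoft.com": "Microsoft Copilot",
}

# Assumed: a single request body larger than this is treated as a bulk upload.
UPLOAD_THRESHOLD = 50_000

# Constructed proxy log, one request per line:
# timestamp,user,method,host,request_bytes,status
SAMPLE_LOG = """\
2025-03-04T09:12:01Z,alice,GET,intranet.corp.example,412,200
2025-03-04T09:13:44Z,bob,POST,chat.openai.com,183220,200
2025-03-04T09:14:02Z,bob,POST,chat.openai.com,2210,200
2025-03-04T09:20:17Z,carol,POST,api.openai.com,9100,401
2025-03-04T09:21:30Z,dave,POST,files.corp.example,70000000,200
2025-03-04T09:25:09Z,erin,GET,gemini.google.com,1200,200
2025-03-04T09:26:40Z,erin,POST,www.claude.ai,60500,200
"""

FIELDS = ["time", "user", "method", "host", "request_bytes", "status"]


def parse_log(text: str):
    """Yield one dict per log line, with request_bytes converted to int."""
    for row in csv.DictReader(StringIO(text), fieldnames=FIELDS):
        row["request_bytes"] = int(row["request_bytes"])
        yield row


def watchlist_service(host: str):
    """Return the service name if host is on the watch-list or is a
    subdomain of a watch-listed host, otherwise None."""
    host = host.lower().rstrip(".")
    for listed, service in GENAI_HOSTS.items():
        if host == listed or host.endswith("." + listed):
            return service
    return None


def find_shadow_ai(text: str = SAMPLE_LOG):
    """Return one finding per request to a GenAI service. A POST larger
    than UPLOAD_THRESHOLD is marked 'bulk-upload'; all others 'access'.
    Failed requests (e.g. 401) are kept: the attempt itself is the signal."""
    findings = []
    for rec in parse_log(text):
        service = watchlist_service(rec["host"])
        if service is None:
            continue
        is_upload = rec["method"] == "POST" and rec["request_bytes"] > UPLOAD_THRESHOLD
        findings.append({
            "time": rec["time"],
            "user": rec["user"],
            "method": rec["method"],
            "service": service,
            "request_bytes": rec["request_bytes"],
            "status": rec["status"],
            "severity": "bulk-upload" if is_upload else "access",
        })
    return findings


def summarize(findings):
    """Per-user view: which services were used, bytes sent in POST bodies,
    and how many requests crossed the bulk-upload threshold."""
    summary = defaultdict(lambda: {"services": set(), "bytes_uploaded": 0, "bulk_uploads": 0})
    for f in findings:
        s = summary[f["user"]]
        s["services"].add(f["service"])
        if f["method"] == "POST":
            s["bytes_uploaded"] += f["request_bytes"]
        if f["severity"] == "bulk-upload":
            s["bulk_uploads"] += 1
    return dict(summary)


if __name__ == "__main__":
    for user, s in sorted(summarize(find_shadow_ai()).items()):
        print(user, sorted(s["services"]), s["bytes_uploaded"], "bytes uploaded,",
              s["bulk_uploads"], "bulk upload(s)")
```

Two limits to keep in mind when reading the output: with TLS the proxy sees the hostname and the request size but not the content, so a bulk-upload finding is a lead for a conversation, not proof that source code left the building; and AI features embedded in already-approved SaaS products will not show up under these hostnames at all, which is exactly why a governance process, and not only a watch-list, is needed.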

Tracking CPE Records

Those of us in cybersecurity and related professions have our professional certifications, many of which require annual CPE (continuing professional education) hours. Most of my certifications require 120 hours each three-year period, or 40 hours per year on average.

I recommend you develop and maintain an offline workbook where you track your eligible CPE activities, and use the workbook to track when you enter your CPE hours for each applicable certification you hold. Accompanying the workbook, I further suggest you create a file folder hierarchy where you will store your required CPE evidence in the event you are audited.

I’ve been audited twice in the past twenty years. The first time was in the early 2000s by ISACA, who requested I provide the records for all of my claimed CPE hours.

I came up short in the ISACA audit, as I lacked evidence for some of my claims. ISACA accepted my claimed CPE hours anyway, but the lesson was learned: I now record CPE hours only for activities for which I possess digital evidence. Examples of the evidence I capture include a PDF of the “thank you for attending our event” email, a certificate of attendance (when issued), or some other artifact that reasonably proves my attendance.

I was audited again last week, this time by ISC2, who randomly selected one of my CPE activities (a 13-hour course on the CCSP certification by Cybrary). When claiming the CPE, I attached the certificate that Cybrary issued to me upon completion of the course. A few days later, ISC2 informed me that I had successfully passed my audit, when a human examined my evidence and called it sufficient.


If you have waited until now to enter your CPE hours for the year, good luck! It can be challenging to mine one’s records for CPE events. If this is you, I strongly suggest you start a workbook today and be more diligent in your CPE recordkeeping for 2024 and beyond.

Patch Installation Benchmark: Windows, macOS, ChromeOS

I have Mac, Windows, and ChromeOS machines in my lab, and decided to measure the time required to download and install patches on each.

Windows: it took the longest (nearly three hours) to download and install recent patches on Windows 11 (KB5007651, KB5031354, and KB5031323). The machine was unavailable for approximately 11 minutes across two restarts.

macOS: it took approximately 48 minutes to download and install Ventura 13.6.1. The machine was unavailable for approximately 19 minutes in a single restart-and-install operation.

ChromeOS: Chromebooks download new OS updates automatically in the background, without being asked. The machine was unavailable for 49 seconds when installing version 117.0.5938.157, including the time required to log in and restore the sessions that were running before the restart.

ChromeOS is the clear winner here: because it installs the update to a second system partition in the background, the restart is simply a reboot into the new version, and the downtime imposed on users (less than a brief biobreak) is negligible. My experience with Windows is vastly improved from a few years ago, when an install took the better part of an hour or even longer. These are single measurements on three quite different machines, so treat them as an illustration of the user-facing cost of patching rather than a rigorous benchmark.

Notes:

  • My internet connection is 100/100 Mbit/s with 3-4 ms of latency. Speed tests consistently indicate speeds greater than 90 Mbit/s.
  • All three machines are on the same Wireless LAN with very good signal strength.
  • Machine specs:
    • MacBook Pro A2141, 16GB RAM, 1TB SSD
    • Lenovo Chromebook C330, 4GB RAM, 64GB SSD
    • Lenovo IdeaPad 1i, 4GB RAM, 128GB SSD

Where Are You Going?

Fifteen years ago, we purchased a cabin in the mountains that is situated on forty acres of woodland and open, rolling hills. We enjoy taking walks and hiking around, and beyond, our property. Far away from electricity, cell coverage, and paved roads, the property is far from the bustle of modern life. The stillness can be deafening.

Views from our cabin property

Often when walking around on the property, I’ll be looking down at my path, being careful to step on solid ground and avoiding a hole, rock, or branch that might cause me to stumble. One day while on such a walk, my inner voice asked, “Where are you going?”

I stopped. Good question. Where was I going?

I reflected on this question for a good long time, and realized this was a matter of perspective and focus.

I resumed walking, every few moments looking up from my footsteps to keep my eye on my objective: a hilltop, a pile of rocks, an interesting tree, or a shed elk antler.

In my early adulthood and in my career, I was too focused on my next move, without considering long-term objectives. Like my walking around on our cabin property, I was wandering aimlessly, lacking objectives, and only being busy and living in the moment. The concept of life and career goals was somehow unknown to me until my mid-20s.


It is important to be conscious of the moment, but without understanding where you are going, the moment is most likely wasted, carrying you along like the wind blowing a dandelion seed.

These days I’m more often conscious of where I am and where I’m going, whether outside at home, at our cabin, or in a public place. When I catch myself watching only my footsteps, I ask myself, “Where am I going?” and remember to keep my eye on the goal.

Where are you going? Are you going where the currents take you, or are you proceeding toward one or more carefully planned objectives?

How’s Your LinkedIn Feed Looking?

It seems to have started during the pandemic, when home and work blurred together. Our use of social media began to blur as well – with personal life postings on LinkedIn, and work life postings everywhere else.

Like many of you, I like to compartmentalize my social media: LinkedIn for business, and the rest for personal. But what to do about all of those non-work-related postings on LinkedIn, diluting the business vibe?

I have adopted these practices:

  • When you see “too many” non-work-related likes or posts from a connection, unfollow them. They’ll still be a connection, but you won’t see their posts.
  • When you see certain people posting non-work-related posts in groups, mute them. You’ll still receive other posts in the group.
  • The best part about muting or unfollowing: they won’t even know you did it (pretty sure).

That is all. Practice this for a few weeks, and your feed should clean right up.

There Are No Temporary Tools

The year is 1993. I’ve been retained by McCaw Cellular Communications in the Traffic Engineering department to create a lightweight system that performs similarly to NFS, but without the network overhead. The problem: Unix servers at various locations around the U.S. receive alarms from switches, which are appended to local text files. NFS over the T-1 circuits connecting the sites creates excessive network overhead, so McCaw Cellular wants the same end result without it: a copy of those local text files on a central server, updated in real time as records are added to the remote logfiles.

In response, I built a set of tools that functioned as follows: on the remote end, a C program opens and watches the local logfile; when records are added to it, the C program sends the records through a named pipe to another C program at headquarters that listens for new records and appends them to a centralized copy of the logfile. I borrowed some C code from another tool and adapted it for this new need.
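As an added example, not the 1993 C tools the post describes: the same replication scheme in Python, with the remote-side follower and the headquarters-side collector kept in one process so it can run anywhere. The follower remembers its byte offset and hands over only complete records, holding back a line that the switch is still in the middle of writing; the collector appends whatever it receives to the central copy. The file names and alarm records in demo() are constructed, and a direct function call stands in for the pipe between the two original programs.

```python
"""Follow a growing logfile and forward complete new records to a central copy.
Added example, not the original 1993 C tools; file names and records are constructed."""
import os
import tempfile


class LogFollower:
    """Remote side: reads only what was appended to `path` since the last poll.
    A trailing partial line (a record still being written) is held back until
    its newline arrives, so the collector never receives half a record."""

    def __init__(self, path: str):
        self.path = path
        self.offset = 0
        self.pending = b""

    def poll(self):
        try:
            size = os.path.getsize(self.path)
        except FileNotFoundError:
            return []
        if size < self.offset:            # file truncated or rotated: start over
            self.offset, self.pending = 0, b""
        with open(self.path, "rb") as f:
            f.seek(self.offset)
            chunk = f.read()
            self.offset = f.tell()
        lines = (self.pending + chunk).split(b"\n")
        self.pending = lines.pop()        # b"" when the chunk ended on a newline
        return [line.decode("utf-8", "replace") for line in lines]


class Collector:
    """Headquarters side: appends forwarded records to the central copy."""

    def __init__(self, path: str):
        self.path = path

    def append(self, records) -> int:
        with open(self.path, "a", encoding="utf-8") as f:
            for rec in records:
                f.write(rec + "\n")
        return len(records)


def replicate_once(follower: LogFollower, collector: Collector) -> int:
    """One polling cycle; returns how many records were forwarded."""
    return collector.append(follower.poll())


def demo():
    """Simulate a switch appending alarms, including a record split across two
    writes. Returns (records forwarded per cycle, lines in the central copy)."""
    with tempfile.TemporaryDirectory() as d:
        remote = os.path.join(d, "switch-alarms.log")     # constructed name
        central = os.path.join(d, "central-alarms.log")   # constructed name
        follower, collector = LogFollower(remote), Collector(central)
        counts = []
        with open(remote, "ab") as f:
            f.write(b"1993-07-01 02:14 SWITCH-3 MAJOR trunk-17 down\n")
            f.write(b"1993-07-01 02:15 SWITCH-3 MINOR cell-204 congest")  # partial
        counts.append(replicate_once(follower, collector))   # 1 record; partial held back
        with open(remote, "ab") as f:
            f.write(b"ion\n1993-07-01 02:16 SWITCH-3 CLEAR trunk-17 up\n")
        counts.append(replicate_once(follower, collector))   # 2 records
        counts.append(replicate_once(follower, collector))   # nothing new
        with open(central, encoding="utf-8") as f:
            return counts, f.read().splitlines()


if __name__ == "__main__":
    counts, lines = demo()
    print(counts)
    print("\n".join(lines))
```

Two details carry most of the weight: the held-back partial line, without which a slow write on the switch side turns into a corrupted record at headquarters, and the size-less-than-offset check, without which the first log rotation silently stops replication until someone notices the central copy has gone stale. Records pass through untouched, so the central copy inherits whatever date format the switches write.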

I wrote this tool in the summer of 1993, and I was told that it would be replaced by a commercial product by the end of the year.

A few months later, I moved to a different part of McCaw Cellular called the Wireless Data Division, which implemented the world’s first cellular digital packet data service that ran over the old AMPS mobile phone protocol. I worked there for a few years, building systems and networks for this new business unit. Later, I moved to McCaw’s Project Angel, where I developed and supported systems, networks, and security (and where I pivoted my career from IT architecture to cybersecurity).

It’s now 1999 in this story

One day while at Project Angel, my phone rang. On the line was someone from the company’s Y2K project office. The person asked if I was Peter Gregory, the developer who wrote the tool in 1993 used by Traffic Engineering. Yes, that’s me. They wondered if I still had the source code for that tool, as it was determined to not be Y2K compliant.

So, seven years later, my temporary tool is still in production use! And no, I did not have the source code, as I turned over all source code and documentation to the department manager before moving to the next department.

There are no temporary tools.

When Is a Pen Test Not a Pen Test

Like many terms in cybersecurity, “Penetration test” is one where you’ll hear several definitions. Some will be right, and most will not. The point of this article is to explain pen testing a bit, and to tell a story about a memorable pen test.

Image: justentrepreneurs.co.uk

A penetration test is one in which a cybersecurity specialist will use various tools to map out a network, identify assets, and perhaps perform a security scan for an initial look at vulnerabilities. Next, the specialist will use other tools to drill deeper into selected assets to see what vulnerabilities may be found. Finally, the specialist may exploit selected vulnerabilities, to prove their existence and to demonstrate the potential impact if an attacker were poking around.

I’m not trying to debate the nuances of pen testing, but to provide an overall flavor of what they’re like. Now, on to my story.

About ten years ago, I managed cybersecurity in a brick-and-mortar + online merchant organization headquartered in Seattle. One of the things I inherited was a signed contract with a local cybersecurity advisory firm to perform a pen test. After joining the company, this vendor contacted me to schedule the pen test. I agreed, and we had a conference call in which we established the rules of engagement.

A few weeks later, the vendor informed me that they had completed the penetration test, and that I could download the report from their online portal.

I downloaded the file and opened it with Acrobat Reader. I was astounded by the contents of the cover page, which read (verbatim):

“Rapid 7 Security Scan Report For

<Insert Customer Name Here>

Performed By

<Insert Consultant Name Here>”

I laughed out loud when I saw this. I laughed even more when I read through the detailed report items, which confirmed that whoever did this “penetration test” (really, a security scan) did not even validate the results: there were several false positives and other issues.

One of my regrets is that I did not take a photo or screenshot of this report.

Gratitude Is a Choice

While not strictly a portmanteau, it’s easy to think of gratitude as a “grateful attitude,” a state of mind when pondering favorable events or circumstances.

I assert that gratitude is a choice. I mean, sure, gratitude gushes from someone blessed with an abundance of good things (whatever they are). But gratitude in a time of plenty is little more than a reflex, like laughing and squirming when tickled.

I’m talking about gratitude in more difficult times. Times of pain and anguish. In these dark valleys, feeling and showing gratitude takes a conscious choice. But you might ask, why would one have gratitude when things aren’t going their way?

Now we’re getting to the point of my writing: gratitude is a choice we can make, regardless of our circumstances. So am I saying we need to show gratitude when things are not going our way or when we’re suffering? Yes, and especially so when we are suffering.

Image: Fantom_rd | Shutterstock

Gratitude is not a feeling, but a choice. We can assess our circumstances and choose to be grateful, or we can choose to be bitter. In my own life, I’ve faced difficult trials: when my three-year-old son died, I had the opportunity to choose between gratitude and bitterness. I chose gratitude because I was grateful for the three years my son and I had together. By choosing bitterness, I would have disregarded the three beautiful years together and felt sorry for myself for the future years that never happened.

Gratitude is accepting one’s circumstances and finding a way of being thankful for what is still good, or things that were good, in one’s life. For instance, I was laid off from work once (one of three times throughout my career). I chose gratitude: I had learned a great deal in that job, lived in a small but comfortable home, and decided to be optimistic about my prospects for finding another job (which was difficult as I lived in a small city in a down economy).

Gratitude is like forgiveness – it is an acceptance of circumstances. An old adage goes, refusing to forgive someone is like taking poison and hoping the other person will die. Choosing bitterness over gratitude makes a person unpleasant, which could spiral into depression. All because of a choice.

Gratitude is not always an easy choice. Our circumstances, whether in our control or not, may be difficult and filled with loss. But it is a choice, and like all choices, choosing gratitude or not has consequences by shaping one’s future. A bitter person looks downward and inward and may miss opportunities to improve oneself. But a grateful person looks upward and outward and has opportunities to improve things. Bitterness is also like a closed fist, clenched shut and unable to receive anything. Contrast that to gratitude, which is like an open hand of supplication, capable of receiving good things.

Those who know God personally have an added perspective: it is easier for them to have and show gratitude, because they know the God who made them and who has saved them, and who has prepared a wonderful place for them that they will enjoy for eternity, regardless of their circumstances, no matter how dire and dark. They know that they have the final victory and eternal happiness. Even then, gratitude is a choice; those who know God can still easily slip into bitterness.

We cannot control our circumstances, but we can control our response to them, in what we say, what we do, what we think, and whether we choose gratitude or not. It is our choice to make, and we are responsible for the outcome of this and all our choices.

Badly Worded Controls

Just a short story about a SOX audit long ago…

I joined a public company as the cybersecurity leader just as the external SOX audit was underway. While I was responsible for the organization’s IT general controls (ITGCs), I had just started and had only seen them a day or two before. And since the SOX audit was underway, we were locked in regarding the language in the ITGCs.

I started attending audit walkthroughs, to listen to control owners describe and represent their controls, and to get an idea of how mature the company’s controls were. A great way to get to know someone is to watch them on the proverbial witness stand.

So in this one particular walkthrough, the topic was antivirus and other malware controls. The IT manager described the tooling, the process, and the reporting. It all sounded pretty good, I thought to myself. Then, at the end of the conversation, the auditor said, “Well, I have to fail this control.”

“On what basis?” I replied.

The auditor showed me the control language: All end-user workstations shall have McAfee antivirus installed. The auditor said, “Your company uses Symantec, but the control states McAfee. I have to fail the control.”

I responded, “Seriously? You heard the IT manager describe the tooling and the process, and it sounds like they have their act together.”

“But you’re not using McAfee AV.”

I was getting frustrated. Just what we need, I thought to myself, is a junior auditor being legalistic.

The auditor leaned across the table to me and whispered, “It’s a badly written control.”

The auditor was absolutely correct: it was a badly written control. Nothing I could do about it at the moment. I smiled and responded, “Yes, you’re right, and I know what I’ll be doing next week.”

Writing Requires a Thick Skin

Early in my career, in the age of typewriters and the emergence of word processors, I thought I was a pretty good writer. Having written a few user manuals and newsletter articles and coming out of a four-year degree curriculum, I had writing down pat.

My employer sent me to a couple of community college courses to develop my skills: accounting and business writing. In the latter, our first assignment was an essay on some topic, which I proudly wrote and turned in. I was in shock when it was returned to me, with a “C” and red marks all over it—too many words. Too much flourish. It hurt my heart and defeated what I learned was an unfounded feeling of self-confidence.

Fast-forward a decade, when I was asked by a colleague to be the official technical editor for her first book. I jumped at the opportunity, unaware of what would happen down the road apiece. The tech editing job got me introduced to executives at Prentice-Hall Publishing, one of the biggest in the world. I did more than a dozen tech edit jobs over the next few years, establishing me as a reliable resource. In 1998, I happened upon the idea of writing a book, and the publisher agreed, so I wrote and published Solaris Security through Prentice-Hall in 1999.

Writing may all seem like fun and games, and there’s an upside to writing books. But within the process itself, I learned to grow a thick skin to survive it. I’ll explain.

In terms of getting an idea transformed into a book, I’ve written several book proposals to get my idea published. Publishers usually respond with rejection letters. Often, they don’t even want to talk about it. I wonder if this is what it feels like to be rejected at an audition or, worse yet, to be told not even to try. Ouch!


When an author writes the first draft of a book, the publisher will throw several editors at it, some of whom are subject matter experts, and others are language experts. They’re all great at what they do, but in the process, when a manuscript is returned to the author, there will be hundreds, even thousands, of corrections and comments. Some of them genuinely hurt. As we write the first draft, we pour our heart and soul into the work, and when we turn in the draft manuscript, we have a lot of time and emotion invested in it. It’s humbling when editors make corrections and add notes asking us to change how we say things. There have been more than a few moments where I disagreed with an editor’s comments or changes and replied, saying it’s fine as-is. As an author, sometimes you win those arguments, but at what cost?

So you get your book published, do your little unboxing thing, get your author copies, and take pictures of yourself opening the box to see your proud accomplishment. We hold up a copy of the book while someone takes our picture, and we’re beaming with that “I’m a published author (nah nah nah nah nah nah)!” face, which we quickly post on social media. It’s our moment in the sun, although sometimes it’s brief.

Then the Amazon reviews come in. Some are gracious, but some are critical, and for the proud author, some may feel cruel. Did we really think we could please every reader? Well, I think we hoped so, but soon the cruel reality sets in: we have happy readers and some unhappy readers as well.

The next time you pick up a book, take a moment to admire the finished product. But also remember that the finished product results from a lot of hard work, including those moments of self-doubt when we wonder if our effort will all be worth it.

If you are considering writing a book, pick up a copy of The Art of Writing Technical Books, which I published in 2022. There, you will find not only a lot of pointers, but a rich guide to the end-to-end process of transforming your idea into a published book.

Reflections on Summertime

As I recall scenes from my childhood, I remember that the duration of Summer seemed vast – almost endless. Three months of Summer felt almost limitless to a ten-year-old. We had so much time to do whatever we wanted.

Today, Summer comes and goes in the blink of an eye. In my busy life, I recall years in which I virtually missed Summer. I was asking myself and others, where did Summer go? It was here – seemingly – yesterday, and now it’s snowing again.

I’ve devised a technique to overcome this.

Now and again, I’ll stop what I’m doing, go outside, and just stand there, feeling the warmth, listening to the sounds of birds, and smelling the freshly cut alfalfa. I clear my head and say to myself, this is Summer, right here, right now, all around me, and just take it in, a blissful, quiet moment. And I’ve bottled it up for you in a 30-second video, here.

I’ll do this multiple times this Summer. In whatever busyness I’m involved in, I’ll stop and take in the moment, and maybe take a picture to look at later.

I do this in Winter as well. There’s nothing as lovely as the quiet of a recent big snow.

Trial By Jury

In the United States, there is not much public discourse on the topic of a trial by jury. This absence is unfortunate, because, without it, your fate would be up to the presiding judge alone.

“Jury duty” is maligned in our society. Often, when one hears of someone summoned for jury duty, others say they hope their friend will escape its clutches and be free of it. And often, one seeks and hears advice on various strategies for getting out of jury duty, because of some kind of hardship.

But this is precisely the point. Jury duty is inconvenient at best, and may bring genuine hardship at its worst. Most persons are not paid by their employer for the days they serve on a jury, and often we must cancel appointments, rearrange schedules and find others who can pick up the slack because we are unavailable. Judges clarify that one cannot escape jury duty because it is inconvenient.

Jury duty requires sacrifice, which is unpopular in our “me first” society, where we are addicted to endorphins from the number of “likes” we receive on social media posts of no importance.

Image: California Courts

I recently served on a jury in a three-week civil trial between two local businesses in my small county. The matter: a general contractor built a shop building for an auto repair business, and the auto repair business refused to pay the contractor in full. The conflict was apparently unresolvable and resulted in the jury trial, four years later. All six of us (plus alternates) were highly attentive, and took hundreds of pages of notes through two weeks of testimony by sixteen or more witnesses. When we were finally given the case, we deliberated carefully and thoughtfully to arrive at a fair decision, based upon the facts we were shown.

Thirty years ago, I served on a jury in a capital murder trial that lasted four weeks, and I was elected the jury foreman. I found the facts of the murder tragic and needless, but the legal process I found fascinating. The experience was positive overall, and I would do it again.

I wish jury duty would be seen as an honor instead of a chore. Jury duty is one of the cornerstones of a free society, like voting and military service.