Showing posts with label InfoSec.

Wednesday, September 10, 2014

It's Always the User's Fault...

Throughout our careers as Information Technology/Security professionals, we have, at one point or another, blamed a user for the problem.  Granted, there are some pretty good cases out there where it certainly is their fault; for example, using the CD tray as a coffee cup holder, or spilling soda in the keyboard then denying that they did it, and maybe attempting to fix the problem themselves and only making it worse.  Seriously, one time I was working for a university and I had to come up and check on a staff member's computer.  I looked at it and saw a bunch of the power cables hanging out of the case.  I looked at them and asked if they had attempted to fix it themselves, and they straight up denied it.  So yeah, we like to blame them for most, if not all, of the problems.  In Security we are no better.

The debate is a hot one these past few weeks in light of the latest series of breaches, in particular the celebrity photos being leaked.  Now our first two comments on the matter are usually "You shouldn't take nude photos of yourself with your phone if you don't want it on the internet..." and "Why are you not using strong passwords!!?!?!?!"  To those of us in security, these things are just common sense.  For those not in this particular industry, they put trust in us to secure a system so they don't have to worry about such things.  This is a pretty logical assumption from someone NOT in the security profession.  But we all know better, don't we?  Contrary to popular belief, this is something that was not instantly built into our DNA.  It took years of experience to make us hardened pessimists of all things tech.  We have seen what happens when things don't work right.  We have worked for companies who have cut corners on a product just to get it out the door.  We all know security is looked upon as a cost center, not a revenue driver.  So if it comes down to making a product so simple to use that even the likes of the Kardashians can figure it out, then sometimes security is tossed out.

Can you make things extremely functional without skimping on security?  Certainly!  Is it easy?  Hell no!  But then if it was, many of us would not have jobs.  So how do we fix this?  After all, it is a growing problem that doesn't seem to get better despite everything we tweet and post about.  I think first, the mainstream media just needs to stop... seriously, they are horrible at covering these types of news stories.  Rather, they need to get more REAL experts to comment and offer sensible recommendations.  The larger news outlets are getting better at it by bringing in folks like Dave Kennedy (TrustedSec) or tapping Dan Kaminsky.  But the smaller stations are really not there.  So if you know folks at your local news organizations, reach out to them and let them know you have the answers!  As for the companies who make these products, well, the only way we can help is by taking on the difficult position of working for them and making things right.  Then again, they have to be willing to compensate such positions appropriately.

Ok, I think that is it.  Guess I'll shut up for now.  I have some letters to write to my local news outlets!


Story of an IT Pro: Volume 2 "The Choice"

If you haven't read Volume 1 "The Beginning", check it out now.

So fast forward from that time when I worked in K-12.  I had worked for the school system for a little over 4 years and it was time to move on.  For those that have been in IT for a while, you know that the jobs can get stale, which can cause you to burn out.  I was there and it was time to go.  I took a job with a consulting company which offered a nice pay increase as well as possible training opportunities (later I found this to be exaggerated a bit).  The job was a love/like/hate relationship.  I loved the amount of experience I was getting from all the different environments and systems.  I loved that I had people above me that had much more knowledge than I did on a number of related topics.  I liked most of the people I worked with.  I hated the travel.  Now, I had an idea that I would be on the road a bit more than a normal 9-5 with a standard commute, but it does drain you and can cause you to make some poor decisions in handling your job.  That being said, I still would not have traded that experience.  I think 5 years doing the same job in IT is a pretty good run.  Will I ever take on a job like this again?  Certainly not, but I would still recommend that if you are new to the industry, a consulting job will be your best bet to gain a significant amount of experience.  Just do your research on the company beforehand.  That is all I will say on the matter in this post.  I may write something in the future on the topic.

Back to the story... So I was getting burned out and InfoSec was just starting to become a hot topic, at least in my world.  We had one guy in the company that held a strong interest in the art of penetration testing.  Sadly, at this time, there was little call for it.  We mainly did vulnerability assessments since no one wanted to pay for the full penetration test and/or risk having their systems down if we succeeded in the test.  This field of study fascinated me.  So I began doing some heavy research on the topic.  I provisioned some systems in my home lab to play with and started using Twitter so I could follow some pros.  I filled my iPhone with all sorts of security podcasts.  I was really into it.  After I learned that with good security, one can eliminate a number of the small day-to-day fires that Sys Admins have to deal with, I made a choice to pursue this as a career.  So I updated my professional development plan and let my manager know this is what I wanted to do.  And shortly after that, the lead engineer for Security Services gave his notice.  Well, I still tried to take on more security related tasks, but eventually it was time to look for something new.

Remember that thing about burning out?  Due to a couple of bad calls on my part, it was decided that the company and I were no longer a good fit.  I was able to take a nice semi-paid 3-week vacation before going back to consulting.  I took a job with another consulting company to pay the bills.  But it was not the job I was looking for.  If it wasn't clear, the choice I made was to pursue a career in Information Security.  I really didn't know what that meant exactly.  I did know what I didn't want to do, and that was to have to troubleshoot printer issues forever.  So I was determined to find the job that would support my new goals.  I wanted to find things before they became problems.  I wanted to prevent the common day-to-day fires caused by improper anti-virus software installs and poorly configured firewalls.  During that short stint with that other consulting company, I was presented an opportunity to take on a Security Administrator role at a local not-for-profit insurance company.  So I jumped at it!  You have to do what is good for you.  So you find that new job, write your resignation letter, and part ways...

Continued in Volume 3: Career Advice

Saturday, August 2, 2014

The Value of a Masters Degree in InfoSec

I was up extra early this morning and decided to comb through the twitters.  I came across a tweet from Troy Hunt asking for our opinion on a comment made on one of his blog posts:
So of course I had to see for my own eyes.  I suggest you should too...  right now, I'll wait...  Done?  Good, now this is the sort of thing that just makes me sad for the future of InfoSec.  Do I think Master's degrees are good?  Sure, any education is usually not bad.  It makes us all a little more knowledgeable, and sparks new ideas.  That is, of course, if we already have a bit of experience in our field of study.

So most of us in the profession have probably obtained at least a BS in some Computer Science or Information Systems degree.  We then worked to get an internship and eventually some job in our field of study.  Somewhere down the line we learned a whole lot about how to break stuff as well as fix said broken stuff.  And after many long nights of figuring out why MS Exchange decided to throw up all over the datacenter, we got good at our job.  So good, we figured out how to prevent others from breaking our stuff.  After years begging management to give us more budget, or recommending to customers to implement new security measures, we decided to move on (that is a story all its own).

Somewhere during our early careers, we decided to build our own home labs using spare parts or inexpensive eBay hardware.  We did this because, like most other important things, training wasn't in the budget.  So we stood up our own Exchange servers or Web servers in order to prepare for inevitable migrations.  Then we discovered other benefits of these labs.  We could break things here and no one cared.  So we did it on purpose and learned that we could make the computers and software do our bidding.  Now, in the age of the breach, we are being paid pretty well to break stuff for a living.  Hell, those same managers and customers from before are now paying us double or triple our previous salaries, just to tell them the same things we told them 15 years ago.

But there is a reason for that, we know what we are talking about.  We have always worked to educate ourselves on our profession (and sometimes hobby).  This means we studied on our own time, sometimes took training on our own dime, and kept up on the cyber crime (I couldn't resist).  We take jobs to keep the mortgage/rent paid (my last job).  And sometimes we get lucky and fall into something awesome (my current job) that allows us to possibly shape the future in our field. Do I get to do everything I want right now at work?  No, but that is OK.  I am working in technologies that I never thought I would 15 years ago.  We adapt to the situations that we find ourselves in.  That is what makes us good at our jobs.

Now back to this guy asking about SQLi when going for a Masters in Cyber Security...  So I was poking around at some local programs here in Connecticut.  Sacred Heart University (SHU) has one such program.  Besides the obvious requirement of a bachelor's degree, you need to have taken CS 504 Intro to Programming Using Scripting, and CS 505 or 339 Computer Networks.  You can view the full outline here.  Now, granted, those pre-reqs are not bad.  CS 504 teaches you about Python, Perl, Ruby, etc... And CS 505 teaches you about networking, which is pretty valuable knowledge.  Then you get thrown into things like digital forensics, Crypto, Securing the Cloud, Vulnerability Management...  You have the link, you can look at the rest.  My point is, by the time you decide to go for a Masters, hopefully you have been working a little in the related field.  Information Technology, as well as Information Security, is not a profession you go into just for the paycheck.  Granted, it is a very nice bonus, but to succeed here, you need to keep sharp!  If you are wondering what SQLi is all about, go download one of the many vulnerable web app distros and find out!  Go to Security Tube and watch videos on the topic.  There are a ton of resources out on the web that will help you to your goal.  Google is the InfoSec Pro's best tool, as well as some type of desktop virtualization platform like VirtualBox or VMware Player (both free).

So why does this irk me so much?  Well, I feel that these programs will create a pool of very useless managers.  They may know all the buzz words, but not have any real life experience with them.  It takes years to build a solid base on just regular IT material.  If you have never stood up your own mini-datacenter, or written an advanced web or desktop application, then you will never truly understand the topics in InfoSec.  There are over 94000 holders of the CISSP in the world.  Of those that I have met, only a very small fraction actually know, and have applied, the controls covered in the certification.  The rest got it because their company said they had to, and bought up all the seats in the class.  Over the next few years we will probably see a similar growth spurt of newly decorated "Masters" of Cyber Security.  If they are of the caliber seen in Troy's blog post, then I am just going to stop all this and become a hermit.  Or move somewhere tropical and spend my remaining days on the beach.

Well, that is enough ranting for a Saturday; I need to get back to loading up the newest addition to the home lab and break stuff!

Saturday, May 25, 2013

Communicating with Execs on InfoSec

As I sit here, drinking my coffee and worrying about the troubles of the world, I came across this DarkReading post on Security Pros failing in Business Lingo.  It is an interesting read but nothing groundbreaking.  The argument has been around for a while now that much of senior management rarely has any idea of what we are talking about.  We are finally seeing more of us making our way to that table.  Those that do are usually well versed in the business speak.  I would agree that all Security pros should be familiar with how to explain why technical vulnerabilities affect business.  In smaller shops you may not have that C-level representation, so you would need to double as the highly skilled security engineer and the CISO/CSO.  But in the larger environments, there really needs to be some tiers in place.  Your skilled staff should worry about the job/mission while their management can translate their activities/needs to the execs.

An engineer is an engineer regardless of whether they are building a new jet propulsion system or developing a new architecture to store that system's critical data.  People like your incident responders, security architects, penetration testers and such are (hopefully) highly skilled individuals who know their craft inside and out.  They spend their days learning about the newest attack methods and how to detect/defend against them.  They are the engineers and scientists of the IT world.  They are not that different from your network/systems engineers who build the infrastructure.  I'm not saying they can't be bothered with talking to execs, but they really shouldn't be focusing on that.  They should be able to provide data to their management so they can communicate it up the chain.  Let them do what they are good at and everyone will be happy.  At times though, the engineers may need to step up and speak directly to management.  At that point, the security execs/managers should be supportive and help get the right "Lingo" into that presentation.

As a consultant, it is a different story.  You need to be able to play both sides as you are typically selling your service to non-technical people.  You need to understand what keeps them up at night and address that.  If you cater to SMBs, you will most likely be talking to the President/CEO of the company.  They will most likely not know about things like "Firewalls" or "SQL Injection" and what types of risk they pose to their company.  So things like "getting shell on your webserver" will need to be explained in different terms; for example, "Your web server that hosts <insert app name here> is vulnerable to a number of attacks that will lead to a compromise of your customers' data.  This data can then be downloaded and used to carry out a number of computer fraud crimes.  Since this data contains SSNs and other Personally Identifiable Information, you can be held accountable and possibly fined a significant amount by the federal government."  Make sure you include numbers on the possible fines because in some cases, if the business is small enough, that one fine can end them.  I would cite similar numbers if I found a prospect that was out of compliance with Microsoft licenses.  That was something like $100K per incident.  Tell that to a company who doesn't want to "waste" money on a $1500 license pack and they change their tune.

So I guess to wrap this up...  This is going to be ever-present, as you will always need highly skilled individuals who know how to figure out the problems and fix them.  The types that you throw a Rubik's cube in front of and they will relentlessly work it until they achieve their goal.  You will have the researchers who continually take apart hardware/software to see how it ticks.  These guys are the scientists of technology and they need to spend their days doing this type of work.  Eventually one will rise out of the lab; that person will realize they are a better fit to help the cause from a managerial post.  They will work to attain the skills to better work with the executives, but will retain the knowledge to continue communicating with the engineers and architects.

As always feel free to leave your comments, do you agree or disagree?

Friday, March 22, 2013

You Just Won A MEGA DISCOUNT!!!! (no you didn't)

You are an infosec geek when you receive a call that you know is a scam but you pick it up anyway to hear the recording. You then do some internet recon on the domain they tell you to go to and find that it was registered very recently. Next you pull up your sandbox system, load up BurpSuite and proceed to visit the very obvious phishing site to see what happens.
(Image: Fake AT&T Phishing Site)

So, a random pre-recorded call from a bogus 800 number:
"You just won the AT&T Mega Discount for $555 dollars off your next AT&T bill. You just need to visit att555.com to claim your discount."
So you go to this site and say "Hey, this looks legit, all the logos are there and such. Let me just log in and get my reward!"

(Image: Real AT&T Account Site)
And now you just gave some guy in Germany your AT&T account creds and the last 4 digits of your Social. Notice the attached images? The first is the phishing site; it has all the logos and looks very similar to the real AT&T Account site (next image). But the bogus site has an extra field for "Last 4 of SSN." In most cases AT&T will never require this unless you forgot your password or they need to verify your account when you call them.

With BurpSuite running in intercept mode, you can watch the activity as you throw fake information into the site. It took whatever I submitted with no validation (another sign it is a bogus site). When I hit "log in", a ton of stuff happens in the background. It sends the data you entered to a web address in Germany:
hxxp:[85.25.17.164]kingpin/deduct2.php. 
This happens in clear text as well, with no SSL anywhere to be seen.  This is just one more thing to add to the list of suspicious activity.  If the phisher was more creative, they would have at least used a bogus SSL cert to add more realism to the ruse.
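As an added example (not part of the original post), here is a small Python triage script that applies the tells described above to a form submission captured in an intercepting proxy: a login form that also asks for SSN digits, a POST sent over plain HTTP, and a submission target that is a bare IP address on a different host than the page the victim was looking at. The requests below are constructed for this example, with placeholder addresses (`198.51.100.23`, `att555-example.test`) standing in for the live site's.

```python
"""Triage a captured login-form submission for the phishing indicators the
post describes.  Sample requests are constructed for this example."""

import ipaddress
from urllib.parse import parse_qs, urlsplit

# Constructed sample mirroring the capture in the post: credentials plus
# "last 4 of SSN" POSTed over plain HTTP to a bare IP that is not the site
# the victim was browsing.  Addresses are placeholders, not real indicators.
PHISH_REQUEST = (
    "POST http://198.51.100.23/kingpin/deduct2.php HTTP/1.1\r\n"
    "Host: 198.51.100.23\r\n"
    "Referer: http://att555-example.test/login.html\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "userid=victim%40example.com&password=p%40ssw0rd&ssn4=1234&submit=Log+In"
)

# Constructed sample of a normal login: HTTPS, same host as the page, no SSN.
LEGIT_REQUEST = (
    "POST https://login.example-carrier.test/auth HTTP/1.1\r\n"
    "Host: login.example-carrier.test\r\n"
    "Referer: https://login.example-carrier.test/\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "userid=victim%40example.com&password=p%40ssw0rd&submit=Log+In"
)

SSN_FIELD_HINTS = ("ssn", "social", "last4")
CREDENTIAL_FIELD_HINTS = ("pass", "pwd", "pin")


def parse_request(raw):
    """Split a raw HTTP request into method, target URL, headers and form fields."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _ = request_line.split(" ", 2)
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    fields = {k: v[0] for k, v in parse_qs(body).items()}
    return method, target, headers, fields


def is_bare_ip(host):
    """True when the host part is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def phishing_indicators(raw):
    """Return the names of the indicators from the post that fire for this request."""
    method, target, headers, fields = parse_request(raw)
    url = urlsplit(target)
    host = url.hostname or headers.get("host", "")
    findings = []
    if method.upper() == "POST" and url.scheme == "http":
        findings.append("credentials_posted_in_cleartext")
    if is_bare_ip(host):
        findings.append("submission_target_is_bare_ip")
    referer = urlsplit(headers.get("referer", ""))
    if referer.hostname and referer.hostname != host:
        findings.append("form_posts_to_different_host_than_page")
    names = [n.lower() for n in fields]
    has_cred = any(h in n for n in names for h in CREDENTIAL_FIELD_HINTS)
    has_ssn = any(h in n for n in names for h in SSN_FIELD_HINTS)
    if has_cred and has_ssn:
        findings.append("login_form_also_requests_ssn_digits")
    return findings


def verdict(raw):
    """Any two indicators together are enough to call the submission a likely phish."""
    findings = phishing_indicators(raw)
    label = "likely_phishing" if len(findings) >= 2 else "inconclusive"
    return label, findings


if __name__ == "__main__":
    for name, req in (("phish", PHISH_REQUEST), ("legit", LEGIT_REQUEST)):
        label, findings = verdict(req)
        print(f"{name}: {label} {findings}")
```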

So moral of the story, think before you click! Be aware of your surroundings. If something is too good to be true... it probably is.

Sunday, October 7, 2012

DerbyCon 2.0 review and other ramblings

Yes, this is another DerbyCon review.  I'll try not to write the same stuff as the other 1500 blog reviews already out there.  I will say that it was awesome, and I think those of us that attended will agree on that fact.  First and foremost, if you are interested in pursuing a career in Information Security, you must attend a conference such as this.  The setup makes it very accessible for attendees to engage in great discussions around hacking, InfoSec and just about anything else.  Don't worry, you don't need to be a traditional hacker to get something out of this Con.  I met a programmer who currently does nothing with InfoSec.  He wants to learn more about the threats as well as why secure coding is important.  Even though you don't need to hack to enjoy yourself, you may find yourself attempting to pop a lock in the LockPick Village, or maybe picking up a soldering gun in the hardware village.  After you leave this Con, you may even look at picking up a Raspberry Pi to play around with.  This is a true community event where one is surrounded by people willing to share their knowledge.

The speakers made themselves pretty accessible, you did not need to wait in long lines to get a seat for a talk, and you didn't need to leave a talk early to get to another talk.  Speaking of talks... they had such a large volume of CFP entries that they ran 4 main tracks, separated into Break Me, Fix Me, Teach Me, and The 3-way (a mix of the other 3), and opened a 5th track called "Stable Talks."  There were so many great topics, it was very difficult to determine which ones to attend.  Luckily they captured the 4 main tracks on video and most of them are posted to YouTube.  You can get to the full list at IronGeek's (Adrian Crenshaw) page: DerbyCon Videos.  Although the Stable Talks were shorter, that didn't affect the quality.  I think some of these talks will move into the main tracks next year.

So I arrived Thursday afternoon. Unfortunately, I was not there early for the training, which was going on Thursday and Friday morning.  They had a number of quality training opportunities which covered everything from Social Engineering to Reverse Engineering.  Thursday evening I was able to grab some dinner with a fellow EH netter (ethicalhacker.net member).  We discussed some of the finer points of working in a large organization and trying to push proper security procedures.  We were later joined by two more members and continued the discussion over Ethiopian food (which was mighty tasty).  Later that evening I was able to experience my first SlideShare Roulette at "Whose Slide Is It?".  For those that don't know, this is basically a test of one's presentation skills.  The moderator will pick a random slide deck from the slideshare.net site based on topic suggestions from the audience.  The presenter then must use his/her skills and work with the given slides.  It got interesting when the hotel staff arrived with 100 shots of bourbon courtesy of HD Moore (CSO/Chief Architect @ Rapid7).

Friday morning was pretty much just hanging out and waiting for the opening ceremonies.  There were some great discussions going on in the hallways and main lobby of the Hyatt.  Some of the best talks can be found in these "hallway cons," so I highly recommend getting involved in these sorts of discussions.  You will learn something and you may even have a different point of view to add that could benefit the group.  Eventually 1:00 pm rolled around and the talks began!  They kicked it off with the keynotes: HD Moore's The Wild West, Dan Kaminsky's Black Ops, and Mudge's talk about the Cyber Fast Track program from DARPA.  After dinner the 5 tracks began and continued through the weekend.  I will not do a review of the talks I attended since I was pretty much in absorption mode and I am still catching up on the ones I missed as well as re-watching those I attended.

As I touched upon earlier, there were a number of events going on during and after the talks.  The big one was the CTF (Capture The Flag) competition.  Your mission is to use your skills in hacking to find all the flags on the CTF network.  I attempted but never got on long enough to even find the "beginner" flags.  This was in part due to the WiFi network for the event being unavailable and my bouncing in and out of talks.  These competitions are best handled by teams since the expertise needed to find the flags will vary.  You may have to write an exploit or use some forensic skills to find the various flags.  Hackers For Charity (HFC) held both a silent and a regular auction throughout the weekend.  They raised over $33,000 thanks to the very generous community.  If you wanted to just wind down, you could head over to the theater for the Hacker Movie Marathon.  Maybe you want to know if you should get your CISSP, but you aren't sure if you have the right knowledge; then you could have headed over to "Are You Smarter Than a CISSP?" held on Friday night.  You were given questions from each of the 10 CISSP domains; you could choose to answer them yourself or discuss them with the panel of actual CISSPs.  They were also available to save you if you got a question wrong.

Sadly, Sunday morning came and it was time for me to leave the land of bourbon and horses.  Unfortunately there was still a slew of talks and the closing ceremonies to attend, but I will catch them on video.  Next year I will plan on taking the training and staying until the closing ceremonies!  One more thing specific to the conference: a big THANKS! to the organizers and volunteers.  They made this such a great experience that I am still missing it a week later.

Sunday, July 29, 2012

Coffee...

As I sit here ingesting my second cup of the drinkable java, I sit and wonder about the advantages of drinking it black.  For those that don't know, when you take it black it means nothing added... no sugar and no lightening agent.  The advantages of consuming said beverage in this manner are few but can mean so much to some.

For example, the health implications of drinking coffee black are as follows: 
  • You intake less daily sugar; my average before was at least a tablespoon per cup.  If you go to the local donut shop, you are looking at almost 4 tbsp in the average "Light 'N Sweet" request.  A tbsp of sugar equates to roughly 45 calories.  Here's some quick math:
    • 1 tbsp of sugar = 45 calories
    • x = # of tbsps
    • y = # of cups of coffee (10oz) / day
    • d = # of days
    • ((45*x)*y)*d = total number of calories from just sugar
Looks scary, huh?  So toss some numbers in there: my average was a tbsp / cup, twice a day for 5 weekdays, with an average of 1 cup per weekend, so we will say 6 days.  540 calories just from sugar in coffee.
  • If I add 2% milk to my coffee, that is another 16 calories per 20oz (based on 130 calorie per 1 cup of milk).  That also includes the sugars.  Add that into the equation and now you have 732 calories per 6 days.  Of course that will increase/decrease depending on the type of milk used.  If you prefer half n half, you are looking at 20 calories per .5 oz container.
OK so there are some health facts related to drinking coffee black and this assumes you can control what is put in.  I prefer adding just some cinnamon to the coffee for some aromatics as well as some additional health benefits of the spice.  A friend at work recommended that and it seems to be working.

So we have the healthy stuff taken care of; now let's move on to more practical benefits of drinking coffee as it was meant to be drunk.
  • You go to the fridge and realize you are out of milk!  No worries, you don't need it because you drink it black.
  • You go to the fridge and grab the milk and are about to lighten your coffee but you notice the expiration is well past.  You figure, well, quick smell test: it seems slightly off but maybe it is still good for coffee, you take a quick sip and realize NOPE!  It's way off!  Again, no worries, you drink your coffee black, put the milk back in the fridge and let some other poor sap discover it's bad (I keed, I keed... ).
  • You open the sugar container and attempt to get your tbsp of the sweets and realize it has hardened into an impenetrable rock.  You are already running late so you have no time to chisel out a cube or two.  Again you realize you don't need to, proceed to cap your travel mug and head out the door!
  • Drinking coffee black also reduces any mysterious loss of the precious nectar due to ninja tactics made by your spouse who didn't have time to make her own cup of coffee and just needs a quick fix. One sip of the unsweetened ecstasy, and she/he will never attempt such tactics again.
So there you go, I hope you found this informative.  It isn't InfoSec related but it does focus on that wonderful life blood needed to get us through the day.