Loose lips hack chips

An old boss of mine likes to post on Facebook. All the time. All day long. I’ve told him, you’re like a sixteen-year-old girl. If you’re at Disney with your kids, or hiking, or hosting your three-year-old’s birthday party, STOP FREAKING POSTING. Pay attention to your kids. The whole world doesn’t need to know all this crap. My brother calls it, “Ate a banana and scratched my ass. Ate a banana and scratched my ass.”
It reminds me of an old SNL skit in which Robin Williams is videotaping his wife as she’s about to give birth in the hospital. When he has to help wheel her gurney down the hall, he hands her the camera and, as she’s shrieking in pain, he implores her to “Keep me in focus, honey!”
Not everybody has to know what you’re doing all the time. So it really surprises me when, at various functions, CISOs and other security-minded folk start trading intimate details of their security infrastructures. This is one of the reasons RFPs come with NDAs.
ON THE OTHER HAND … if the security perimeter you’re running is strong enough, you should have the confidence to say, this is my protection, and you can’t get past it. Depending on the access management product you’re using, you should be able to easily retrieve the cookie and figure out what it is: OAM, SAM, SiteMinder, etc.
Remember the LifeLock CEO? He put his Social Security number on the side of a truck to advertise it and dare hackers to try to use it. Of course, LifeLock was banned by the Federal Trade Commission from lying to customers. Fred Thompson, possibly the worst presidential candidate ever, and Rush Limbaugh have shilled for them as well. Anyway, just because in theory you can publicize your private info doesn’t mean you SHOULD. And sure enough, the LifeLock guy had his SSN stolen. This is on top of the news that one of the co-founders had to resign when it came out that he’d stolen his own father’s ID to obtain an AMEX.
At one customer, where my team was building an access management perimeter, the project manager handed me a DVD with every name and password in the place. HOW he had the passwords, I could not understand (but I guess that’s another story). I once had, on an older box, the entire network configuration of a major metropolitan airport, including IP addresses, routers, you name it, because the partner thought I should have it. Turns out he was in violation of three different NDAs.
And remember Kevin Mitnick, who became a sort of poster boy for hackers. Upon release from prison, he was ordered to not touch computers for a while. But guess what? He barely used computers for his deeds. He was a master at social engineering.
So what’s the moral? Keep your damn mouth shut. Put up a firewall, put up an application gateway, implement IAM, and keep your damn mouth shut. If people don’t need to know things, don’t tell them. That means, keep your damn mouth shut.