Words cannot describe how awesome it feels to have attained a B.S. in IT with a focus in Computer Forensics.  Furthermore, I exceeded my expectations by earning a 4.0 GPA (Summa Cum Laude honors)! The strangest thing I have found so far is that I caught myself the other day pondering how I could turn a topic into a five-paper essay…  Without a doubt, this journey has definitely taught me many things, which I believe the critical thinking aspect I will use the most.

Taking stock of how far I have come academically (I was just about the dullest tool in the shed in high school ), I cannot help but feel extremely blessed to have so many wonderful people by my side throughout this endeavor.  Without their dedication, perseverance, flexibility and blind faith in me, I would not have made it – thanks ya’ll!  Now it is time to relax a little bit before I dive into my next project (Linux+ certification).  This involves hanging with the family, painting miniatures with my kids, hiking the C&O trail and playing all of the games I have been neglecting over the last 18 months or so…  However, as Bill Watterson, the creator of Calvin and Hobbes, so eloquently stated, “There just is not enough time to do all the nothing we want to do” (Watterson, n.d.).  <-  I APA cited a reference in a post – LOL!

Watterson, B., (n.d.).  Quote about nothing.  Retrieved on September 06, 2010, from

Adamloving.com web site:  http://adamloving.com/internet-programming/four-hour-work-week-quotes

BTW:  4-hr work week is definitely worth a read/listen…

Do the people who are making the decisions honestly believe that by installing programs to run continuous scans of systems will make our Nation’s assets more secure without leveraging the proven C&A processes to do so?  Maybe some people believe this will enable us to win the “cyber war”, but it will only cover us from one perspective…

What about the human element?  Without the people who are knowledgeable about the systems CONOPS, configurations, contingency plans, system rules of behavior, data inputs and outputs, diagram constructs, whether a port is approved or not approved, what good will all of this continuous monitoring be?  To top it all off, will these continuous monitoring applications be able to conduct interviews with the code developers to ensure the code base was actually secured in a verifiable manner throughout each phase of the SDLC (i.e., baking security in versus bolting it on)?  The simple answer to all of this is a solid no.  Let us not forget the defense-in-depth strategy.  It will be broken if the paper (i.e., hard work) is removed from this seemingly “silver bullet” C&A equation of continuous monitoring…  And as Paul Harvey use to say, “That’s the rest of the story”.

Even at my age, it remains hard for me to comprehend how many lives we have given, as a Nation, in pursuit of the American dream.  However, this experience allowed me to absorb the magnitude of this prestigious event first hand.  The wave of emotion that flooded my entire being when the taps (a 24-note melody) were playing, just after the wreath was placed, is by far the moment I will remember forever.  The pictures of generations after generations, both in black and white as well as in color, giving their entire beings to our ideals was overwhelming and awe-inspiring as my mind tried to process everything at that moment in time.  Then the waves of respect, admiration and tears left me feeling safe as the taps came to a close…

My personal experience aside, I also witnessed how we are the weakest link when it comes to security…  At the visitor’s gate, we were met with signs that indicated no water bottles or backpacks were allowed beyond this point.  However, according to the website, we were allowed to bring these items, but we should be prepared to be searched at certain checkpoints throughout the cemetery…  No big deal, but this obviously was not the case now.  Therefore, we decide to chance it.  When we entered the visitor’s center, I asked one of the military personnel standing at the door if I could enter with my backpack.  He said we should not because the secret service does not want us to.  However, he did not demand I remove it either and I was allowed to continue along with my backpack unaccosted.

Once inside the visitor’s center, we saw that the line was extremely long for the shuttles that were taking people up to the amphitheater.  We quickly decide to walk since we were already prepared to do so even before we arrived.  As we strode past the overgrowing shuttle line, we were greeted with another sign that indicated no one was allowed to walk to the amphitheater until after 1 PM.  The ceremony was starting at 10:30 AM and we would miss out if we did not walk.  Again, we decided to chance it and walked along with a few other people to the amphitheater.  We ran across many military personnel, who kindly directed us to take certain roads to the amphitheater, but we were never asked to turn around nor was I asked to remove my backpack.  Then we reached the checkpoint that was just before the amphitheater and I told everyone they should get a drink now because this is probably where we will lose our water and backpack.  To my delight and disbelief, the personnel briefly (which in hindsight concerns me greatly) looked through my backpack and allowed us to continue.  We would not have even of lost our stride if my son would have taken off his necklace and belt for the metal detector, but after that, we were inside with our water and backpack.

Once we reached the amphitheater were the wreath was going to be laid, we noticed there were some other people who had backpacks and others were dying of thirst because they did not want to give up their spot…  Of course, my personality would not let this slide, so I asked the people with backpacks, how they got theirs in and they said they walked to the amphitheater.  On the other hand, those who were parched, we gave them two of our bottles of water and asked them the same question.  They said they rode the shuttle and were asked to leave all of their water and bags behind.  Luckily, there was a water station nearby, but if you left your spot, which was standing room only, people would quickly fill in behind you.  What were the differences between riding the shuttle versus walking?  I could speculate this until the end of my existence, but I would like to hear your thoughts and or comments on the subject.

We have all heard that “knowledge is power… “   I wrote this little intro a month or so ago and it fits perfectly here:

What do our adversaries need to accomplish their goals – wisdom.  How do they gain the wisdom to defeat us – knowledge.  In order to be knowledgeable about our weaknesses, what must they utilize – information.  Obtaining information requires the use of what type of material – data.  Video feeds contain critical data elements for our adversaries.  Ensuring the confidentiality, integrity and availability of these video feeds is one of the many defense-in-depth mechanisms we must employ to ensure the success of the United States of America’s ideals and the lives of our brethren.  A wise man once told me, the enemy only has to get lucky once; we have to be lucky all the time…

Based on the WSJ news article, it appears the enemy got lucky, but this is not because we did not know about this vulnerability.  We have known about this vulnerability for nearly a decade!  Why would we not fix such a fundamental Information Assurance (IA) issue?  Many reasons spring to mind, but the excuse we have been given is that it was easier to just leave the security turned off rather than enabled.  Then they make those of us who would strike them down with vengeance and furious anger for such an excuse by stating by not having this type of security measure enabled they/we have saved several thousands of lives and money.  This scary fad is better known as the “need to share” versus “need to know.”  IA professionals experience this heinous horror story on almost a daily basis.  I truly hope Mr. Howard Schmidt how the world views IA before more of these mistakes undoubtedly cost us tons of more blood and treasure than they would have if these types of vulnerabilities would have been addressed at the development phase of a system’s life cycle…

In closing, John Cierra said it perfectly, “Who were the lame engineers who came up with a system that runs without encryption?  Even the graduates of the local high school programming courses know better than to leave to chance an important security hole.”  Pump up the Volume all you teenage programmers!