Showing posts with label Leadership.

Saturday, May 6, 2017

What Can You Learn On Your Own?


I recently posted the below on the SANS Internet Storm Center.

We are all privileged to work in the field of information security. We also carry the responsibility to keep current in our chosen profession. Regularly I hear from fellow colleagues who want to learn something, but do not have a training budget, feel powerless and sometimes give up. I would like to share several approaches that can be used to bridge this gap and will hopefully inspire a self-investment both this weekend and beyond. None of these ideas cost anything more than time.
 
I decided to borrow an idea from an informal mentor, something I generally give them credit for, but not always. I decided to wake up early each morning with the intent to learn something new every day. Maybe the something is a new tool, a new Linux distribution or taking an online class. Having done this now for the last 7 years, I can say without hesitation or regret that it has been pivotal in making me a better me. I am convinced that applying just a little bit of incremental effort will serve you well as well.

Ideas to get you started:              
  • SANS Webcasts and in particular their Archive link                         
  • Serve as an informal mentor to a junior team member, while being open to learn from them 
  • Volunteer to help out at a local information security group meeting
  • Read that book on your shelf that has a little more dust than you would like to admit
  • Subscribe to Adrian Crenshaw’s YouTube channel 
  • Be intentional by creating a weekly appointment with your team in order to learn something new over a brown bag lunch
  • Foster an environment that facilitates a culture of learning

After considering this topic for a long time, I want to ask this question - What are you doing to invest in yourself, particularly in ways that do not cost anything but your time? Please leave what works for you in the comments section below.

Russell Eubanks

Friday, April 28, 2017

KNOW before NO


I recently posted the below on the SANS Internet Storm Center.

A good friend told me that an engaged information security professional is one who leads with the KNOW instead of the NO. This comment struck me and has resonated well for the last several years. It has encouraged me to better understand the desires of the business areas in an attempt to avoid the perception of being the "no police".

We are each able to recognize the value in sprinkling information security concepts early and often into software development projects. This approach saves each of the stakeholders a great deal of time and frustration, especially when compared to the opposite approach, which often causes the information security team to learn at the very last minute of a new high-profile project that is about to launch without the proper level of information security engagement.

There are certainly projects and initiatives that may very well still warrant a “no” from an information security perspective. Before we go there by default, I respectfully invite us all to KNOW before we NO. I truly believe that each of us can improve the level of engagement with our respective business areas by considering this approach. In what areas can you KNOW before you NO next week?

Please leave what works in the comments section below.

Russell Eubanks

Saturday, March 25, 2017

Distraction as a Service


I recently posted the below on the SANS Internet Storm Center.

Have you noticed that some security projects never seem to get finished? Despite the best of intentions, often times they linger, sometimes for years. I believe that distractions play a role in security projects being delayed and ultimately never being completed. If not monitored closely, nothing will get moved from the "to do" list to the "this security project is finally done" list.

For me, it has always been natural to accept every new project that needs attention. I want to be helpful and perceived as a good team player and I bet you do as well. I found that it is easier to say yes to every request for help than to say no. I suspect that "why yes I do have a minute" and "of course I can help you with that problem" sound very familiar. I have found this behavior can also carry potential for a negative reputation as an information security professional when it impacts the delivery of security projects.

While it is normal to want to help, it is not always natural to remain focused immediately after a distraction occurs. I have determined to ask the question "what is the next action I can take right now?" immediately after a distraction. I found this behavior helpful to remain both mission focused and results oriented. With some intentional discipline and focus on the impact of distractions on security projects, the impact of unplanned distractions can be minimized.

It is impossible to enumerate all of the ways distractions can impact a security project. It is very possible, however, to recognize them more quickly when they occur and to put measures in place that keep them from severely impacting productivity. Are distractions keeping you from closing out projects and ultimately preventing you from providing full value to your organization?

Please leave what works for you in the comments section below.

Russell Eubanks

@russelleubanks

Thursday, June 23, 2016

An Approach to Vulnerability Management

I recently posted the below on the SANS Internet Storm Center.


No need to do anything more to make your auditor happy than to purchase the most popular scanning tool

No need to worry, when the scan is over and the report has been produced - you are all done

No need to ever leave your cube and speak directly with your system administrators

No need to ever test the scanner on a non-production network in advance

No need to worry, a clean scan means you are both compliant and secure

No need to ever leave your cube and speak directly with your application developers

No need to ever let anyone know when your scan starts, after all an attacker is not going to do that so why should you

No need to worry, if something becomes unavailable during a scan it is totally not your problem


No need to show good stewardship after the purchase by producing metrics such as the percentage of findings that have been fixed as a percentage of all the findings

No need to seek data that demonstrates your scanner could serve as a platform to improve your security posture

No need to keep your boss informed of your progress, s/he would not understand 

No need to divert any of your time from finding things to fixing things

No need to ever think that your scanning tool is ever anything but spot-on accurate


No need to hold back, it would be great if you shared your Vulnerability Management "best practices" in our comments section below


Russell Eubanks

Saturday, May 28, 2016

Applied Lessons Learned

I recently posted the below on the SANS Internet Storm Center.

What were those tough lessons learned that you will never forget and more importantly vowed to never repeat again? Especially those of you who have been in information security for many years and perhaps a member of several different teams. Consider yourself encouraged to remember those "from now on I will Always and I will Never again" lessons that were learned at your $OldJob.

I remember all too well when I decided to perform a network scan from a new laptop. I was so eager to use the new equipment that I failed to record the MAC and IP address of this shiny new device. I tested it out and everything seemed to be great - until the next morning when an enormous amount of scan traffic was detected inside a sensitive network. Our teams went into full incident response mode in an effort to determine what happened. After learning “who did it”, the team was gracious in its response to me and none of us made that mistake again.

To get you motivated for action, the following are a few ideas to consider.

1 - Never settle for “we have always done it that way”. Assume nothing by asking lots of questions, such as “When was the last time we compared the GPO to the written security policy”?

2 - Share regularly within your trusted communities in a way that does not put your organization at risk, but demonstrates you are still learning and remain willing to contribute. Don’t think that you need to share all of the gory details to make a difference with this approach. In fact, you will be much better off by leaving those out entirely. 

3 - Behave like the Fresh New Guy/Gal (FNG) regularly, especially if it has been a very long time since you have served in that role.

By leaning into this approach, you can not only get wisdom as cheaply as you can but also help make our world a better place. What lessons are you actively trying to avoid learning over and over again?



Russell Eubanks

Sunday, October 18, 2015

Security Awareness for Security Professionals

I recently posted the below on the SANS Internet Storm Center.

During Cyber Security Awareness Month (CSAM), we develop campaigns for our coworkers that attempt to encourage them to stop clicking on links and reusing their passwords. These are good reminders for us as information security professionals even though we focus on these topics during the other 11 months of the year.

Is it possible that we too can improve our security awareness during this month? Can we as security professionals use this time to “sharpen our saw” and do things that can increase our awareness of our information security programs? 

One very non-technical event caused me to consider this topic. My son found his old bicycle in the garage recently and wanted to ride it in the neighborhood. As he was getting up to speed, he suddenly and unexpectedly realized the handlebars had become disconnected. He had a firm grip on what he needed to successfully control the bike, but the handlebars were no longer effectively controlling his navigation.

With that example in mind, how aware are you of the effectiveness of your information security program? What systems do you have in place to let you know when your security posture changes? What reminders and automation do you need to create that will increase your awareness before you blindly depend on your tools? By dedicating sometimes marginal effort you can develop near real time awareness capabilities that will confirm the effectiveness of your information security program.

Below are just a few examples where increased security awareness would be very helpful to you as an information security professional.

  •  Ensure the running configurations on your network equipment have not changed
  •  Ensure you know within a few minutes when a new administrative account is added
  •  Ensure you know within a few hours if a device stops sending logs to your syslog server
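
The first and third checks in the list above can be automated with very little code. The following Python example is added here and is not part of the original post; the host names, the 4-hour silence threshold, the sample syslog lines and the IOS-style configuration text are all constructed assumptions.

```python
import hashlib
from datetime import datetime, timedelta

# Constructed sample data: the log sources you expect and the syslog lines received.
EXPECTED_SOURCES = {"fw-edge-01", "core-sw-01", "dc-01", "vpn-01"}
SAMPLE_SYSLOG = """\
<134>Oct 18 02:15:01 fw-edge-01 kernel: accept tcp 10.0.0.5:51514
<189>Oct 18 03:10:00 core-sw-01 %SYS-5-CONFIG_I: Configured from console
<134>Oct 18 08:01:12 fw-edge-01 kernel: accept tcp 10.0.0.9:443
<13>Oct 18 08:30:00 dc-01 Security: audit heartbeat
garbage line without a timestamp
"""

def last_seen(lines, year):
    """Return {host: newest message time} from RFC 3164 style syslog lines."""
    seen = {}
    for line in lines.splitlines():
        # Layout is "<PRI>Mmm dd hh:mm:ss host message"; the stamp carries no year.
        fields = line.split(">", 1)[-1].split(None, 4)
        try:
            stamp = datetime.strptime(f"{year} {' '.join(fields[:3])}",
                                      "%Y %b %d %H:%M:%S")
            host = fields[3]
        except (ValueError, IndexError):
            continue  # malformed line: skip it instead of breaking the report
        if host not in seen or stamp > seen[host]:
            seen[host] = stamp
    return seen

def silent_sources(expected, seen, now, max_silence=timedelta(hours=4)):
    """Expected hosts that never logged (None) or have been quiet too long."""
    silent = {}
    for host in sorted(expected):
        newest = seen.get(host)
        if newest is None:
            silent[host] = None
        elif now - newest > max_silence:
            silent[host] = now - newest
    return silent

def normalized_hash(config_text):
    """SHA-256 of a config, ignoring blank lines and '!' comment lines.

    Comment lines often carry a 'last changed' timestamp, which would
    otherwise make every comparison look like a change.
    """
    kept = [ln.rstrip() for ln in config_text.splitlines()
            if ln.strip() and not ln.lstrip().startswith("!")]
    return hashlib.sha256("\n".join(kept).encode()).hexdigest()

def config_drift(baseline, running):
    """Devices whose running config no longer matches the approved hash."""
    return sorted(dev for dev, text in running.items()
                  if baseline.get(dev) != normalized_hash(text))

# Constructed approved configurations and what the devices run today.
APPROVED = {
    "core-sw-01": "hostname core-sw-01\nline vty 0 4\n transport input ssh\n",
    "fw-edge-01": "hostname fw-edge-01\n",
}
BASELINE = {dev: normalized_hash(text) for dev, text in APPROVED.items()}
RUNNING = {
    "core-sw-01": "! Last configuration change at 03:10:00 UTC Sun Oct 18 2015\n"
                  "hostname core-sw-01\nline vty 0 4\n transport input telnet ssh\n",
    "fw-edge-01": "! Last configuration change at 01:00:00 UTC Sat Oct 17 2015\n"
                  "hostname fw-edge-01\n",
}

if __name__ == "__main__":
    now = datetime(2015, 10, 18, 9, 0, 0)
    seen = last_seen(SAMPLE_SYSLOG, now.year)
    for host, gap in silent_sources(EXPECTED_SOURCES, seen, now).items():
        print(f"SILENT {host}: {'never seen' if gap is None else gap}")
    for dev in config_drift(BASELINE, RUNNING):
        print(f"CONFIG CHANGED {dev}")
```

Run on a schedule, the two lists should normally be empty, so any output is worth a look.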

What are you personally doing to make sure that you as a security professional are most aware of the things that matter the most? Use the comments field to share what works!


Saturday, October 17, 2015

CIS Critical Security Controls - Version 6.0

I recently posted the below on the SANS Internet Storm Center.



Right in the middle of Cyber Security Awareness Month (CSAM), the Center for Internet Security (CIS) released Version 6.0 of the CIS Critical Security Controls for Effective Cyber Defense. This update incorporates significant changes that represent the latest technologies and threats faced by information security professionals. The most notable changes to the CIS Critical Security Controls are listed below and discussed at length in the archived webcast.

  • A new Control for Email and Web Browser Protections
  • Deletion of the Control on Secure Network Engineering
  • Reordering of the Controls to make Controlled Use of Administration Privileges higher in priority

I believe this update positions the CIS Critical Security Controls to remain both an actionable and relevant framework to build and sustain an effective cyber security program. Implementing them has been the catalyst to many organizations demonstrably increasing their cyber security posture. With intentional planning and focus, you can too. The following are several steps you can take right now to start or continue on your journey.


What will you do differently at your organization as a result of this update? Use the comments field to share your feedback!

Russell Eubanks

Friday, May 29, 2015

Trust But Verify

I recently posted the below on the SANS Internet Storm Center.

Be intentional about how you spend your time. I believe that every person can incrementally improve their security program by being intentional about how they spend their time. One method is to be intentional about checking several items for compliance each and every month. While not intended to replace the value of an auditor, this approach can generate incremental value from the overall compliance process. If you have the requirement to be in compliance with PCI, you are in luck! You could easily create a table that pairs one of the 12 categories with one of the 12 months in a calendar year. Inside each month, you could list several items that are important to verify. When printed out and kept nearby, it can serve as a reminder to be diligent about tracking progress over time. Compare this table year over year and look for trends that will help identify the sometimes small areas to focus on that can make a big impact.
I have used this approach to expect more out of myself and to set the bar just a little bit higher. I found success in showing this matrix to outside auditors and received positive feedback. There was nothing magic about this table, it just forced me to be intentional each and every month. Using this approach, unexpected “compliance drift” can be identified and remediated on a much more timely basis. This approach can be used inside several of the regulatory compliance requirements. If you do not have one, ask friends and colleagues who do to learn what they find beneficial in their respective environments. As always, a great place to start is with the 20 Security Controls.
Can you make it easier on yourself to do the right thing by being intentional? I believe it is absolutely possible to leverage systems like this to make it easier to do the right thing.
What systems do you use to force you to be intentional? Please use the comments section to share what works for you.
Russell Eubanks
@russelleubanks

Wednesday, February 25, 2015

Leave Things Better Than When You Found Them

I recently posted the below on the SANS Internet Storm Center site.

Whether at the end of a project or at the end of your time with an organization, there are some low impact and high reward actions you can take to ensure that you leave things better than when you found them. Although it is not without risk for us as security professionals, if you have the opportunity it is ideal to spend time training your successor before you leave. Through a few intentional actions you can leave a legacy that can serve to inspire others to not only sustain but to actually improve operations.
This topic is particularly close to me now because I have recently started a new position. I had the opportunity to share my experience with others and found it to be rewarding and also a little uncomfortable for me and for the person who was assuming my duties. I found myself personally and professionally vested in the success of the program while recognizing that it was time for me to let go. There are of course certain circumstances that will prevent this sharing from happening. Sometimes policies will dictate that when someone resigns, the team members are escorted from the premises right away.
Even if you are not making your next career move, maybe you are transitioning from a project and can use this time to help others. The following are some suggestions on what you can provide to your successor:
  • Operational guides
  • Original installation media
  • Configuration checklists
  • Installation guides along with clear documentation of any deviations from the vendor instructions
  • Lessons learned of things that must be done along with those that must *never* be done
  • Key contacts to support sustaining the project such as administrators, change control tickets and project documentation
Even if you are not on the way out, I recommend that you "begin with the end in mind" today. Start by setting a monthly reminder on your work calendar to update and maintain your project or program documentation. You may very well recognize that the person this helps the most is you!
Use the comments section to share what you are doing to leave things better than when you found them.
Russell

Tuesday, December 9, 2014

Repost - Stop Admiring The Problem. Start Addressing The Problem.

I recently published the below post on the SANS Internet Storm Center site.

How much energy do you spend admiring your problems? It does not matter what the problem is - asset inventory, vulnerability management or security awareness. You do have problems. What are you doing to make your current problem less of a problem? Set your problems aside for just a minute and take a brief journey to explore how your problems can be viewed as an opportunity.

I have been guilty of this behavior in the area of vulnerability management. I was so focused on making sure that everything was scanned on a regular basis that I failed to work with the system and application administrators to help them remediate the vulnerabilities the scanners had identified. A much better alternative to just scanning everything on your network is to scan for a brief amount of time and then stop. Stop long enough to fix some issues the scanner identified and then go back and confirm they really were fixed. It does not have to be complicated. Perhaps you can use a simple chart that shows what was found, what was corrected and what still needs to be corrected. 

Collecting a bunch of "High" rated vulnerabilities adds no value. Correcting "High" rated vulnerabilities adds tremendous value. Instead of throwing missing patches over the fence to your administrators, offer help to them in their time of need. Maybe there is a valid business reason the administrators are not responding as quickly as you would like. Maybe they need extra support from your security or compliance teams to make progress in this area. Maybe they could use your help to focus on a solution to this problem. 

Every person should take time to make undeniable progress on one of their security problems because of the positive impact it will make on the security posture of their organization. Make progress, even if it is just baby steps. Make a move in the right direction to become the change agent that is desperately needed. 

What can you do right now to be the catalyst for the positive change your organization so desperately needs? 


What can you do right now to stop admiring the problem?


Saturday, November 8, 2014

Do you remember your "first love"?

I recently published the below post on the SANS Internet Storm Center site.


I will never forget the name of my first server - Rachel. I was very proud to be the person whose job it was to defend Rachel from all types of disruption. To this day I still remember each IP address, user account, service account and application. When patches were installed, I manually verified they had been applied successfully. I diligently reviewed the logs and configured full auditing to let me know the success and failure of just about everything. 
I have administered many servers since Rachel, but do not remember as much about them as I do about my "first love". Consider this an invitation to fall back in love with your servers. An invitation to return back to the time when you did everything possible to defend them. It may be possible that by returning to the diligence you once had, many problems and outages could be avoided.
How can you do this? The act of actively measuring how well you manage, secure and maintain your servers can very well be the catalyst you need to return back to your "first love". Consider creating and sending yourself a daily report that clearly shows their current security posture. What are good candidates for this report? Some of my favorites include the below.

  • Mean time to detect a network scan
  • Mean time to identify a new administrator account
  • Mean time to identify a new service running (or not running anymore)
  • Ask psexec to list all executables on a Windows system and send the output to a file using

                 @echo off
                 rem dir is a cmd.exe built-in, so psexec has to start cmd to run it
                 psexec cmd /c dir /s /b C:\*.exe > %computername%_ExeFound.txt

  • Ask WMIC to tell you the patches that are installed using the command: 
                 wmic qfe > patches.txt 
  • Use the security log to search for successful (and unsuccessful) logins for administrative and service accounts
  • Review the daily log volume, perhaps looking at the last 7 days to show trends that indicate significantly more or less than expected log volume
  • Count the number of Remote Desktop sessions in a "normal" day
  • Look for the events generated when the Security log is cleared

There are certainly many metrics you could track. Pick a few and diligently check them every day for the next month. You'll be glad you did!  
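
The listings produced by the psexec and wmic commands above become useful once each day's output is compared with the previous day's. The following Python example is added here and is not part of the original post; the file contents, KB identifiers, log counts and the 50% tolerance are constructed assumptions.

```python
import re
from statistics import mean

# Constructed samples standing in for two days of ExeFound.txt and patches.txt.
EXE_YESTERDAY = r"""
C:\Windows\System32\cmd.exe
C:\Windows\System32\notepad.exe
C:\Program Files\Backup\agent.exe
"""
EXE_TODAY = r"""
C:\Windows\System32\cmd.exe
C:\WINDOWS\system32\notepad.exe
C:\Program Files\Backup\agent.exe
C:\Users\Public\updater.exe
"""
PATCHES_YESTERDAY = "HotFixID   InstalledOn\nKB0000001  10/1/2014\nKB0000002  10/15/2014\n"
PATCHES_TODAY = "HotFixID   InstalledOn\nKB0000001  10/1/2014\nKB0000003  11/7/2014\n"
LOG_VOLUME_LAST_7_DAYS = [10200, 9800, 10050, 9900, 10100, 10000, 9950]

def new_executables(before, after):
    """Paths in today's listing that were absent yesterday.

    Windows paths are case-insensitive, so compare lower-cased keys but
    report the path as it was written in the listing.
    """
    def index(listing):
        return {p.strip().lower(): p.strip() for p in listing.splitlines()
                if p.strip().lower().endswith(".exe")}
    old, new = index(before), index(after)
    return sorted(new[key] for key in new.keys() - old.keys())

def patch_changes(before, after):
    """Hotfix IDs that appeared or disappeared between two patch listings."""
    old = set(re.findall(r"\bKB\d+\b", before))
    new = set(re.findall(r"\bKB\d+\b", after))
    return {"installed": sorted(new - old), "removed": sorted(old - new)}

def volume_trend(previous_days, today, tolerance=0.5):
    """Classify today's log volume against the mean of the last 7 days.

    Returns (verdict, relative change). A sharp drop matters as much as a
    spike: it can mean a source stopped logging or a log was cleared.
    """
    baseline = mean(previous_days[-7:])
    if baseline == 0:
        return ("more" if today else "normal"), None
    change = round((today - baseline) / baseline, 2)
    if change > tolerance:
        return "more", change
    if change < -tolerance:
        return "less", change
    return "normal", change

def daily_report(today_log_count):
    """Collect the three comparisons into one structure for the daily mail."""
    return {
        "new_executables": new_executables(EXE_YESTERDAY, EXE_TODAY),
        "patches": patch_changes(PATCHES_YESTERDAY, PATCHES_TODAY),
        "log_volume": volume_trend(LOG_VOLUME_LAST_7_DAYS, today_log_count),
    }

if __name__ == "__main__":
    for section, finding in daily_report(today_log_count=3200).items():
        print(f"{section}: {finding}")
```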


Wednesday, October 9, 2013

Security BSides DC

I am thrilled to be a speaker at the upcoming Security BSides DC. The lineup for this 2 day event is outstanding. I look forward to speaking on the 20 Security Controls and specifically how they can be used to improve the security of your network.

Saturday, August 31, 2013

How to get sufficient funding for your security program (without having a major incident) - Repost

I recently had another guest diary published on the SANS Internet Storm Center Diary. I have enjoyed the material on the ISC site for many years and consider it an honor to contribute. I hope this is helpful information that you can use to secure sufficient funding for your security program in advance of your next security incident.


                                                               

Thursday, February 28, 2013

Are You Glad You Bought It?


Remember how you felt during your first meeting with the vendor of that shiny new thing? Do you remember all the possibilities? You could not capture the seemingly endless use cases fast enough. Surely this was the product you had long been looking for. All you had to do was write a business case to secure the needed funding. You knew deep inside that your enemies were already starting to tremble in fear at the thought of the shiny new thing running in your environment. Move along folks you said, nothing to see here.

All that mockery aside, how well did your shiny new thing actually do everything the sales person claimed it would before you made the purchase? Can you honestly say you feel the same way after using it for a year? If not, what changed? 

Take a moment to look back on these questions as you approach a new vendor relationship.

  • Are you glad you bought the shiny new thing? Really?
  • Should the vendor get all of the blame for a failed experience? 
  • What role did your lack of understanding or lack of attention play?
  • What new requirements would you add based on your previous experiences?
  • What do you wish you knew back then? 
  • Would you recommend the shiny new thing to your closest friends? 
  • Would you make the same decision today?

Like most of us, I had a similar experience. One in particular was a rush to purchase products for compliance purposes and do so in very short order. Looking back, I should have slowed down a lot and not just looked for a quick win. I recommend staying focused on the "why" behind the purchase and over-communicating this to all possible stakeholders ahead of making the purchase. The last thing you want is to have one of your stakeholders asking basic questions during pivotal moments such as the change control board meeting where you are seeking approval to put your shiny thing into production.

Get to know the technical product manager ahead of the purchase. Make sure you can get along with them and more importantly that they know why you are a customer. I have found they are in a better position to know the roadmap better than the people in sales. Also call support and ask questions to which you already know answers. How do they treat you? That will be very important in the future.

It is far too easy to blame the vendor for a failed implementation. It is not as comfortable to ask what could YOU have done better during the evaluation of the shiny new thing. Take a moment now to reflect back on what worked and what did not work and more importantly why it did not. This will help make sure the next time is the best time and it exceeds your expectations. 

If you could go back in time, what additional questions would you ask and new conditions would you place based on what you have learned from past vendor experiences?

Thursday, January 26, 2012

Sweet Spot - Minimize the Number of Users with Domain or Local Administrator Privileges

Gaining access to administrative accounts is often the goal of an attacker. What can you do to ensure that only the appropriately trained and fully accountable people have and maintain administrative access on your systems? This effort must start with an accurate inventory of every account with elevated access and must be strictly maintained. The change control board should approve every new account that requires persistent administrative access. Maintaining strict admission guidelines for administrative access will help curb the desire for everyone to be an administrator. Implement an annual renewal process that requires each administrator to justify his or her continued need for elevated access. Allow those with administrative rights to participate in the on call rotation.

Encourage administrators to maintain different passwords for administrator accounts where clear differences in system type exist, such as on workstations and individual server types. Encourage this practice by requiring more frequent password expiry and increased complexity rules for these elevated access accounts.

Accounts with elevated access must be used only when administrative activities are required. Normal web browsing and email usage should never be permitted from accounts that have elevated access. The damage that could occur is much greater than the convenience gained by allowing a system administrator to check their Twitter account.

Where feasible, require administrators to obtain all administrative access by elevating from a regular user account. One way to facilitate this is to create a Microsoft Management Console (MMC) that includes all tools needed for administration. Open this with a Run As command that uses the credentials of the elevated account. The Windows command prompt can also be run as another user by right clicking the icon and selecting the RunAs option.

Accurately and promptly recording and distributing all activities performed by members of elevated access groups, as found in system and security logs, could help determine use and increase accountability. Configure an automated report that each day sends the entire team a list of all administrative activities from the previous day.

Look for default accounts on workstations and servers that can be removed or disabled. It is up to you to explain and justify every account on your system. The faster you can identify new accounts on the system, the better. The underlying goal must be to do everything in your power to not allow untrained or unauthorized people to gain administrative access on your networks or systems.

Send automated alerts on any change or attempted change to any group whose membership grants elevated access. Send daily alerts and reports of locked-out accounts, disabled accounts, accounts with passwords that exceed the maximum password age, and accounts with passwords that never expire.

Use the log review solution to create automated alerts for any new account, any new administrator access and also for when any account is locked out. At a minimum you will be able to provide better customer service by knowing about accounts that need to be unlocked. Perhaps these same alerts can be used to serve as indications and warnings to an attack.

Splunk is an example of a log review and consolidation tool. This tool compiles all system, device and application logs into one place and provides a Google-like interface into these logs. Searches can be created, refined and scheduled to run at regular intervals. These can be configured to send an alert if the number of results from this automated search is greater than zero. This is a low-cost way to get wisdom as cheaply as you can.
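
The alerting logic described above (new accounts, changes to privileged groups, lockouts, and a cross-check against the approved administrator inventory) can be expressed independently of any particular log tool. The following Python example is added here and is not part of the original post; it keys on the Windows Security event IDs for account creation (4720), lockout (4740) and group membership changes (4728/4729, 4732/4733, 4756/4757), while the event field names, account names and group list are constructed assumptions.

```python
from collections import Counter

# Assumed inventory: groups that grant elevated access and the accounts
# the change control board has approved to hold it (constructed names).
PRIVILEGED_GROUPS = {"administrators", "domain admins", "enterprise admins"}
APPROVED_ADMINS = {"adm-jsmith", "adm-mlee"}

ACCOUNT_CREATED, ACCOUNT_LOCKED = 4720, 4740
MEMBER_ADDED = {4728, 4732, 4756}     # global, local, universal group
MEMBER_REMOVED = {4729, 4733, 4757}

# Constructed events, already parsed from the Security log into dicts.
SAMPLE_EVENTS = [
    {"time": "2012-01-25T02:14:07", "id": 4720, "actor": "adm-jsmith", "account": "svc-temp"},
    {"time": "2012-01-25T02:14:30", "id": 4732, "actor": "adm-jsmith", "account": "svc-temp",
     "group": "Administrators"},
    {"time": "2012-01-25T09:02:11", "id": 4728, "actor": "adm-jsmith", "account": "adm-mlee",
     "group": "Domain Admins"},
    {"time": "2012-01-25T09:40:00", "id": 4728, "actor": "helpdesk1", "account": "bob",
     "group": "Helpdesk"},
    {"time": "2012-01-25T11:05:52", "id": 4740, "actor": "dc-01", "account": "adm-mlee"},
    {"time": "2012-01-25T16:20:00", "id": 4729, "actor": "adm-jsmith", "account": "adm-old",
     "group": "Domain Admins"},
    {"time": "2012-01-25T16:21:00", "id": 4624, "actor": "bob", "account": "bob"},
]

def classify(event):
    """Return the name of the rule an event triggers, or None."""
    event_id = event["id"]
    if event_id == ACCOUNT_CREATED:
        return "account_created"
    if event_id == ACCOUNT_LOCKED:
        return "account_locked"
    if event.get("group", "").lower() in PRIVILEGED_GROUPS:
        if event_id in MEMBER_ADDED:
            # An add is expected only for accounts in the approved inventory.
            approved = event["account"].lower() in APPROVED_ADMINS
            return "privileged_add" if approved else "privileged_add_unapproved"
        if event_id in MEMBER_REMOVED:
            return "privileged_remove"
    return None

def alerts_for(events):
    """Every event that triggers a rule, annotated with the rule name."""
    alerts = []
    for event in events:
        rule = classify(event)
        if rule:
            alerts.append({**event, "rule": rule})
    return alerts

def daily_summary(alerts):
    """Count of alerts per rule, for the report sent to the whole team."""
    return Counter(alert["rule"] for alert in alerts)

if __name__ == "__main__":
    found = alerts_for(SAMPLE_EVENTS)
    for alert in found:
        print(alert["time"], alert["rule"], alert["account"], "by", alert["actor"])
    print(dict(daily_summary(found)))
```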

Tuesday, September 27, 2011

Control 17: Penetration Tests and Red Team Exercises

Penetration testing is often confused with vulnerability assessments, as mentioned in Control 10. Penetration testing differs in that it involves attempted exploitation. Just like in Control 10, penetration testing should occur in each network zone to ensure adequate coverage.

Track all open issues and document each of them through confirmed remediation. Determine an effective means to document the core causes of these issues to make sure new development projects are not subject to the same flaws identified in the penetration test.

Always perform careful screening of potential external pen testers. Make sure the people you engage to perform external testing have to work for their money and do not just point a tool at your network. Force them to articulate the business risk associated with their findings. Identify and resolve as many issues as is possible ahead of their work. Race to see how fast your continuous monitoring program identifies external penetration testers. If they work for long and have not been identified, there are likely gaps in the continuous monitoring program.

BackTrack makes an excellent preconfigured platform to perform penetration tests. BackTrack can easily be used as the primary environment to build and use an internal pen testing program. With so many tools available, it is a good idea to make a weekly task to learn one tool in BackTrack per week. Make it stick by writing a small note of what was learned for future reference.

Sunday, September 18, 2011

Control 16: Secure Network Engineering

Secure networks do not appear by accident. It starts with thoughtful planning and sound engineering principles. Seek out flaws in the current network design as an attacker would and correct all of the faults found in its design. By being intentional and meticulous, a true design can emerge and more importantly it will persist.

A key step to this is creating a document that explicitly lists all approved connections by traffic initiator. This is an excellent source document to audit the firewall rules against each and every quarter. Diligently look for the use of insecure protocols, such as FTP and Telnet in each network segment. When they are found, strongly consider using protocols that do not send their information in clear text format.
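
The quarterly audit described above is a comparison of two lists. The following Python example is added here and is not part of the original post; the addresses, rule format and reference labels are constructed assumptions, not the export format of any specific firewall.

```python
import ipaddress

CLEARTEXT_PORTS = {21: "FTP", 23: "Telnet"}

# Constructed approved-connections document, listed by traffic initiator.
APPROVED = [
    {"ref": "A1", "initiator": "10.10.0.0/24", "destination": "10.20.0.10/32",
     "proto": "tcp", "port": 443},
    {"ref": "A2", "initiator": "10.10.0.0/24", "destination": "10.20.0.20/32",
     "proto": "tcp", "port": 1433},
    {"ref": "A3", "initiator": "10.30.0.0/24", "destination": "10.20.0.30/32",
     "proto": "tcp", "port": 22},
]

# Constructed firewall rule export.
FIREWALL_RULES = [
    {"id": 1, "src": "10.10.0.0/24", "dst": "10.20.0.10/32", "proto": "tcp",
     "port": 443, "action": "allow"},
    {"id": 2, "src": "10.10.0.0/16", "dst": "10.20.0.20/32", "proto": "tcp",
     "port": 1433, "action": "allow"},   # wider source than was approved
    {"id": 3, "src": "10.30.0.5/32", "dst": "10.20.0.30/32", "proto": "tcp",
     "port": 23, "action": "allow"},     # Telnet where SSH was approved
    {"id": 4, "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "proto": "any",
     "port": None, "action": "deny"},
]

def net(cidr):
    return ipaddress.ip_network(cidr)

def covered_by(rule, entry):
    """True when the rule permits nothing beyond what the entry approves."""
    return (rule["proto"] == entry["proto"]
            and rule["port"] == entry["port"]
            and net(rule["src"]).subnet_of(net(entry["initiator"]))
            and net(rule["dst"]).subnet_of(net(entry["destination"])))

def audit(rules, approved):
    """Compare allow rules with the approved-connections document."""
    allows = [r for r in rules if r["action"] == "allow"]
    return {
        # Allow rules that no approved entry accounts for.
        "unapproved_rules": [r["id"] for r in allows
                             if not any(covered_by(r, e) for e in approved)],
        # Allow rules for protocols that send data in clear text.
        "cleartext_rules": [(r["id"], CLEARTEXT_PORTS[r["port"]]) for r in allows
                            if r["proto"] == "tcp" and r["port"] in CLEARTEXT_PORTS],
        # Approved entries with no rule that fits inside them: the document
        # is stale, or the rule in place is broader than what was approved.
        "unmatched_approvals": [e["ref"] for e in approved
                                if not any(covered_by(r, e) for r in allows)],
    }

if __name__ == "__main__":
    for finding, items in audit(FIREWALL_RULES, APPROVED).items():
        print(f"{finding}: {items}")
```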

Segment networks according to security zones as well as logical departments and divisions. This will allow for more granular firewall rules and a better understanding of the communication paths that are required. Using both color-coded network diagrams and network cables is an excellent visual indicator to the types of traffic and zones being used throughout the environment.

In all monitoring systems that allow it, label critical systems so that their importance is reinforced within the monitoring tools themselves. When all else fails, this can help to guide the impact assessment. It is important to include junior team members in these exercises and discussions. Both teaching and learning will happen for everyone involved and will lead to a more informed and engaged team environment.

Thursday, April 21, 2011

Book Review: Linchpin

Linchpin by Seth Godin is one of the best books I have read. It gives the formula necessary to become the most valued member of an organization and not just a cog in the wheel. What follows are two of my favorite direct quotations from this book, sprinkled with my commentary.

-Enjoy.

"When you give something away, you benefit more than the recipient does. The act of being generous makes you rich beyond measure, and as the goods or services spread through the community, everyone benefits". I have found this to be so incredibly true in my life. I believe there is nothing more valuable than giving your time and resources to someone who cannot possibly return the favor.

"You can either fit in or stand out. Not both". I bet you can easily recall many examples where this is true. Think about it and choose wisely. A lot depends on your selection.

Monday, February 14, 2011

Book Review: Failure Is Not an Option: Mission Control from Mercury to Apollo 13 and Beyond

Today I finished reading "Failure Is Not an Option: Mission Control from Mercury to Apollo 13 and Beyond" by Gene Kranz, former Flight Director at NASA. The book provides a historical account of how NASA delivered on the promise made by President John F. Kennedy to land a man on the moon and return him back safely to the Earth.

The majority of the book is focused on how the space program and technologies were created and implemented to support this bold initiative. It is easy to watch a spacecraft launch and landing and be impressed. What was previously lost on me was the amount of effort that led up to that point and the continual, real-time problem solving needed for each mission. I was previously unaware of the depth of knowledge required of the Mission Controllers and how closely they trained with the astronauts.

I remember launching model rockets myself in the 7th grade and often wondered how the real rockets worked and how everything seemed to magically come together. This book answers that question and gives insight into how it was all possible.

My favorite quote from the book occurs close to the end. I believe it accurately and without wasting words summarizes the race to the moon: "...the mark of a champion is the ability to thrive in tough times". Well said, sir. I agree that it requires no effort to celebrate success during the easy times, times when it naturally comes together without stretching yourself or others. Those who make an impact on future generations are the ones who are able to, against insurmountable odds, embrace the challenge and achieve success in the worst possible situations.

This is an excellent book on teamwork and on working through and solving seemingly intractable problems, problems that need immediate attention and do not always come with a guarantee of success. I believe there are lessons from this book that can be applied to circumstances in our lives today:

  • Overwhelming preparedness to perform your daily duties.
  • Trust in the ability of your to deliver sound results.
  • The value and joy of working toward a goal that is as big, or bigger than your ability to achieve alone.

The book ends with a plea for the United States to resume an international leadership role in space. Only time will tell if and when this will ever occur.