I used to be a real TV head. Before the kids showed up, the Boss and I would spend a good deal of every Saturday watching the 5 or 10 shows we recorded on the VCR (old school, baby). Comedies, dramas, the whole ball of wax. Then priorities shifted and I had less and less time for TV. The Boss still watches a few shows, but I’m usually along for the ride, catching up on my reading while some drivel is on the boob tube (Praise iPad!).

In fact, the only show I religiously watch is The Biggest Loser. I’ve mentioned before that, as someone for whom weight control is a daily battle, I just love to see the transformations – both mental and physical – those contestants undergo in a very short time. Actually this season has been pretty aggravating, but more because the show seems to have become more about the game than about the transformation. I stopped watching Survivor about 8 years ago when it became all about the money. Now I fear The Biggest Loser is similarly jumping the shark. But I do like the theme of the show this year: Pay It Forward.

Each eliminated contestant seems to have found a calling educating the masses about the importance of better nutrition and exercise. It’s great to see. We have a similar problem in security. Our security education disconnect is less obvious than watching a 400 pounder move from place to place, but the masses are similarly uneducated about privacy and security issues. And we don’t have a forum like a TV show to help folks understand. So what to do?

We need to attack this at the grassroots level. We need to both grow the number of security professionals out there working to protect our flanks, and educate the masses to stop hurting themselves. And McGruff the Cyber-crime dog isn’t going to do it.

On the first topic, we need to provide a good career path for technical folks, and help them become successful as security professionals. I’m a bit skeptical of college kids getting out with a degree and/or security certification, thinking they are ready to protect much of anything. But folks with a strong technical/sysadmin background can and should be given a path to the misery that is being a security professional. That’s why I like the InfoSec Mentors program being driven by Marisa Fagan and many others. If you’ve got some cycles (and even if you don’t), working with someone local and helping them get on and stay on the path to security is a worthwhile thing.

We also need to teach our community about security. Yes, things like HacKid are one vehicle, but we need to do more faster. And that means working with your community groups and school systems to build some kind of educational program to provide this training. There isn’t a lot of good material out there to base a program on, so that’s the short-term disconnect (and opportunity). But now that it’s time to start thinking about New Year’s Resolutions, maybe some of us can band together and bootstrap a simple curriculum and get to work. Perhaps a model like Khan Academy would work. I don’t know, but every time I hear from a friend that they are having the Geek Squad rebuild their machine because they got pwned, I know I’m not doing enough.

It’s time to Pay it Forward, folks. And that will be one of my priorities for 2011.

Photo credits: “Pay It Forward” originally uploaded by Adriana Gomez

Incite 4 U

1. You can’t outsource innovation: Bejtlich goes on a bit of a tirade in this post, basically begging us to Stop Killing Innovation. He uses an interview with Vinnie Mirchandani to pinpoint issues with CIO reporting structures and the desire to save money now, often at the expense of innovation. What Richard (and Vinnie) are talking about here is a management issue, pure and simple. In the face of economic uncertainty, many teams curl up into the fetal position and wait for the storm to pass. Those folks expect to ride productivity gains from IT automation, and they should. What they don’t expect is new services and/or innovation and/or out-of-the-box thinking. Innovation has nothing to do with outsourcing – it’s about culture. If folks looking to change the system are shot, guess what? They stop trying. So your culture either embraces innovation or it doesn’t. What you do operationally (in terms of automation and saving money) is besides the point. – MR
2. It’s time: It’s time for a new browser. Some of you are thinking “WTF? We have Chrome, Safari, IE, Firefox, and a half dozen other browsers … why do I need or want another one”? Because all those browsers were built with a specific agenda in the minds of their creators. Most want to provide as much functionality as possible, and support as many fancy services as they can. It’s time for an idiot-proof secure browser. When I see stupid S$!& like this, which is basically an attempt to ignore the fundamental issue, I realize that this nonsense needs to stop. We need an unapologetically secure browser. We need a browser that does not have 100% functionality all the time. Sure, it won’t be widely used, because it would piss off most people by breaking the Internet with limited support for the ubiquitous Flash and JavaScript ‘technologies’. But I just want a secure browser to do specific transactions – like on-line banking. Maybe outfitted to corporate security standards (wink-wink). Could we fork Firefox to make this happen? Yeah, maybe. But I am not sure that it could be effectively retrofitted to thwart CSRF and XSS. The team here at Securosis follows Rich’s Macworld Super-safe Web Browsing guide, but keeping separate VMWare partitions for specific tasks is a little beyond the average user. This kind of security must come from the user side – web sites, security tool vendors, and security service vendors are all disincentivized to protect you. Secure. Browser. Now. – AL
3. Buy your way into the party: I’ve worked on a fair few due diligence projects for investors or acquirers since we started Securosis. One of the trickier aspects is realizing that when it comes to the tech or the people, very few deals actually create value. Sometimes it’s more about grabbing turf than anything else. I haven’t talked with anyone using Mobile Armor, the Full Disk Encryption vendor Trend just bought, in a while. But when you’re the last major enterprise endpoint protection platform vendor without FDE, you might as well buy someone on the DoD and OMB/GSA approved products lists. Especially since all mobile drives in the government are mandated to be encrypted. – RM
4. My Precious: No, Smeagol no collect payload data packets! Smeagol only collectses photos, local WiFi network data and 3-D building imagery. Smeagol good and not do evil! Smeagol like data privacy. We helpses with security. Not spying, just business. Irish and Germans tricksed us. Cruel men hurts us. Sneaky little press-peoples. Wicked, tricksy, false! Smeagol works hard to earn your trust and you steals it from us. Thief! Stole myyy PRECIOUSSS Data! – AL
5. Playing the wrong position: I only played football for my last two years of high school. I was the second smallest guy on the team, but ran a 4.5 40 (for those who know what that means) and could hit kind of hard (knocked someone out cold once). So I slotted in at wide receiver and strong safety, but wasn’t a starter. There wasn’t even the slightest thought I could be a quarterback, defensive end, or even a running back. In a big analyst firm keeping someone in their position can be a tough job. Take this prediction by “Gartner” that a cyberattack will seriously damage a G20 economy by 2015. The author? Brian Gammage… who isn’t on the Gartner security team. When I was there, every year or two someone outside security – usually someone up the food chain – would try to drop a broad, random security prediction into some big presentation or research collection. Usually involving some asteroid-type attack like this. It was always a pain for the actual security analysts to try reigning this junk in, since they’re the ones who will have to deal with the aftermath. Have fun with that, guys. – RM
6. DSS: the government edition: Mike Vizard raises a good point when it comes to Internet fraud, that companies won’t divulge fraud statistics because customer and investor faith could be impacted. Sell now, fix security later, but only if it’s economically viable. I reluctantly have to agree with Ori Eisen’s point that fraud likely funds ‘illicit activities’, but I would claim this is hookers and blow, and not blowing up buildings. Regardless, the thrust of this message is that there is an imbalance in the system that makes bad security a good business decision. A theme in many of David Rice’s (Geekonomics) presentations is that people won’t bet against themselves. This means that, while we recognize problems that affect everyone, as individuals we won’t do the right thing when it puts us at a disadvantage relative to everyone else. Botnets are a great example, as when the FBI informs a corporation that some 2,000 of their servers have been infected and are generating huge volumes of spam, rather that work with the FBI to solve the community problem, a team of lawyers threatens litigation to escape any liability. And I hear the FBI doesn’t like it when companies lawyer up like that. The most likely outcome of the 2 millionth FBI complaint – in essence a consumer poll – will be that the government has enough evidence that bad security negatively impacts the economy and will create broad security legislation to address the problem. It’s coming. – AL
7. Arm yourself with Armitage – I’m a big fan of automated pen testing tools. You need to be hacking into your stuff with the tools your adversaries use. Anything less is just naive. So courtesy of the Security Monkey, we got a link to a demo of Armitage, a GUI for Metasploit (directions for use) shipped as part of BackTrack 4. Cool. Anything that can make these tools easier to use is goodness in my book. Now you need to be careful, because you don’t want to knock down production systems too often, but ultimately the bad guys are using Metasploit, probably with Armitage. So you probably should too. – MR