It’s been a while since I have gotten into a good old-fashioned Twitter fight. Actually the concept behind FireStarter was to throw some controversial thought balloons out there and let the community pick our stuff apart and help find the break points in our research positions. As Jeremiah tweeted yesterday, “whatever the case, mission accomplished. Firestarter!” to my post Risk Metrics Are Crap. It devolved into a bare-knuckled brawl pretty quickly, with some of the vociferous risk metrics folks.

After reading our Twitter exchanges yesterday and today, you might think that Alex Hutton and I don’t like each other. I can’t speak for him, but I like Alex a lot. He’s smart, well read, and passionate about risk metrics. I knew I’d raise his ire with the post, and it’s all good. It’s not the first time we’ve sparred on this topic, and it won’t be the last. Lord knows I make a trade of giving folks a hard time, so it would be truly hypocritical if I didn’t like the taste of my own medicine. And it don’t taste like chicken. Just remember, you won’t last in any business if you can’t welcome opposing perspectives and spirited debate.

Though I do have to admit that Twitter has really screwed up the idea of a blog fight. In the good old days – you know, like 3 years ago – fights would be waged either in the comments or by alternating inflammatory blog posts. It was awesome and asynchronous. I wouldn’t lose part of an argument because I had to take a piss and was away from my keyboard for a minute. And I also wasn’t restricted to 140 characters, which makes it tough to discuss the finer points of security vs. risk metrics.

But either way, I appreciate the willingness of Alex and other risk metrics zealots like Jack Jones and Chris Hayes to wade into the ThunderDome and do the intellectual tango. But hugging it out with these guys isn’t the point. I’ve always been lucky to have folks around to ask the hard questions, challenge assumptions, and make me think about my positions. And I do that for my friends as well. One of whom once called me a ‘provocateur’ – in a good way. He wanted to bring me into his shop to ask those questions, call their babies ugly, and not allow his team to settle for the status quo. Not without doing the work to make sure the status quo made sense moving forward.

It doesn’t matter what side of the industry you play. Users need someone to challenge their architectures, control sets, and priorities. Vendors need someone to stir the pot about product roadmap, positioning, and go-to-market strategies. Analysts and consultants need someone to tell them they are full of crap, and must revisit their more hare-brained positions. The good news is I have folks, both inside and outside Securosis, lined up around the block to do just that. I think that’s good news.

Where can you find these provocateurs? We at Securosis do a good bit of it, both formally and informally. And we’ll be doing a lot more when we launch the sekret project. You can also find plenty of folks at your security bitch sessions networking groups who will be happy to poke holes in your strategy. Or you can go to an ISSA meeting, and while trying to avoid a sales person humping your leg you might run into someone who can help. They would much rather be talking to you than be a sales spunk repository, for sure.

Also keep in mind that the provocateur isn’t just a work thing. I like when folks give me pointers on child rearing, home projects, and anything else. I probably wouldn’t appreciate if someone blogged that “Rothman’s Drywall Skills Are Crap” – not at first, at least. But maybe if they helped me see a different way of looking at the problem (maybe wallpaper, or paneling, or a nice fellow who does drywall for a living), it would be a welcome intrusion. Or maybe I’d just hit them with a bat. Not all provocateurs find a happy ending.

-Mike

Photo credits: “So pretty.” originally uploaded by cinderellasg

Incite 4 U

1. Ready for the onslaught of security migrants?: Last week I ranted a bit about giving up, and how some folks weren’t really prepared for the reality of the Bizarro World of security. Well, sports fans, it won’t be getting better. When the CareerBuilder folks call “Cyber security specialist” the top potential job, we are all screwed. Except SANS – they will continue running to the bank, certifying this new generation of IT migrants looking for the next harvest. But we probably shouldn’t bitch too much, given the skills shortage. But do think ahead about how your organization needs to evolve, given the inevitable skill decline when you hire n00bs. We all know a company’s security is only as good as its weakest link, and lots of these new folks will initially be weak. So check your change management processes now and make sure you adequately test any change. – MR
2. NSFW login: Every now and then an idea comes along that is so elegant, so divinely inspired, that it nearly makes me believe that perhaps there is more to this human experience than the daily grind of existence. I am, of course, talking about the Naked Password. Here’s how it works… you install the JavaScript on your site and as users create passwords – the (ahem) ‘longer’ and ‘stronger’ the password, the less clothing on the 8-bit illustrated woman next to the password field. Forget the password strength meter, this is a model I can… really get my arms around. Mike Bailey said it best when he reminded us that, for all the time we spend learning about social engineering attacks, perhaps we should apply some of those principles to our own people. – RM
3. Old school cloud: When did Gmail & Hotmail become “The Cloud”? Seriously. Gmail goes down for a few hours – because of a bad patch – and that warrants talking about the viability and security of the Cloud? Did this whole ‘Cloud’ thing sneak up on me, or has it been raining spam since 2004? I can’t tell. It seemed like a ‘feature’ that my inbox disappeared, but apparently it caused some people to panic. Maybe, just maybe, they might have something valuable stored there and need a backup. Is this whole email as a service thing reliable? I mean it only was released from Beta in 2009, so it’s still immature technology. They promise so much, yet I still have to worry about security and data retention. It’s all so confusing! – AL
4. Little Red: Buh bye: After Lord knows how many concessions to the EU, Intel closed their acquisition of McAfee. What does this mean for MFE customers? Not much. It’ll be business as usual, as it’s likely the senior folks got big retention bonuses to stay around for a little while. Now that the deal is done, they can stop this silly charade about security on chips and the like. Milk the better margins of Big AV and move on. And it’s not like the innovation machine was working overtime. Though we should all expect the M&A machine to ramp up. Not that MFE didn’t do deals before, but they did smaller deals because dilution was a big problem. With Intel’s balance sheet behind them, it wouldn’t be surprising to see DeWalt break out Otellini’s Black Card and go shopping. – MR
5. But what’s your interest rate? We always make sacrifices when designing, developing, and deploying applications. My goal as a developer was always to understand those limitations to the best of my ability, to have key indicators of when they needed to be addressed, and to have migration paths to manage any necessary changes. This, more than raw coding skill, is what I look for when working with developers. For example, in the not-so-secret system we are building, I made an initial call that would have imposed a performance limit. We quickly realized there was a better path, and even though it meant tossing out weeks of work, it will save us months of work later. For security, Chris Wysopal calls this Application Security Debt. And it’s a debt with a variable, sometimes-opaque interest rate that rises as more people rely on your application, and as the threat environment changes. And interest rates in security rarely drop. This is a great way to think about application security, which I suspect we can communicate well to the financial folks in charge of the budget. Especially if we tell them the answer is “11”. – RM
6. Clearing up anonymization: Colin Watson blogged about the upcoming seminar on Data Anonymisation, and how this is an important security measure in testing and logging applications. It is a confusing topic, and Colin’s post glosses over the issue. There is a difference between data anonymization and data obfuscation. Technologies like masking, encryption, and hashing all transform data to obfuscate its original value. Tokenization replaces the original value with an arbitrary copy. The cool thing about these technologies is that they can be used to hide the original data by creating a facsimile that looks like the original, but does not leak the sensitive data the copy protects. Anonymization in practice is different than these technologies – instead it applies to sets of data, and is not tied to any one technology. The problem is that we can obfuscate a single value – let’s say someone’s name – with encryption; but associated values – such as address, sex, phone, and graduation year – let us determine the original value with high accuracy. It’s more about data relationships than the technology. This is important because you can anonymize data without using encryption, masking, hashing or tokenization. – AL
7. 80% have no idea. The other 20% are lying: Oh, you know how I love surveys. So celebrating the Intel/MFE deal some more, let me pick on a recent survey from our little red friends. The highlights are that 41% “are not well aware of or protected against IT security risks.” Uh, according to who? Self-selection? Well, do these folks even know what they don’t know? Or maybe it’s the other 60% saying those 40% (not-me) are totally screwed. And then another 40% weren’t confident they can “accurately deploy countermeasure products.” Actually, I think 80% of the survey audience didn’t know what the questions meant. Then there is a whole bunch of other nonsense focused on why a customer should by MFE’s risk and compliance products. Yeah, whatever. But in light of the need to drive page views, we’ll see tech books continue to provide coverage. Which will drive more surveys. And maybe that should be one of the top jobs of the future. Pumping out crappy, meaningless information security surveys. Just maybe. – MR