The last two nights, we have celebrated Passover. Basically, we have a big dinner commemorating the escape of our forefathers from bondage and slavery in Egypt. At least that’s how the story goes, although I wasn’t there, so I maintain a healthy skepticism regarding burning bushes, parting seas, and plagues. But the point remains whether or not the stories are true. It’s really an excuse to party with friends and family, and enjoy some time together outside the craziness of day-to-day existence.

I’m not unique in having a pretty hectic existence. For instance, the twins play baseball/softball, which means we were at the field both Saturday and Sunday, for a total of 5 games. Combined with the oldest one preparing for a dance show in a few weeks, we hardly had time to hit the head all weekend. But a close friend had a birthday party to celebrate her 40th Friday, so we had to take a break and celebrate. I did not squander the opportunity, and got rather festive with the help of some vanilla rum. OK, it might have been a lot of vanilla rum. If you find my liver, feel free to mail it back to Securosis Central. Adrian the mailman likes that kind of care package.

Many of us don’t intentionally party enough. So I actually appreciate the religious holidays interspersed throughout the year. For me it’s not about the dogma, or whether what we are celebrating actually happened or not. And most of the time we don’t spontaneously start throwing food at each other. It’s about turning off the distractions and focusing on family and friends, if only for a night or two. We actually talk, as opposed to planning the next day’s activities. We eat (too much) and until you’ve experienced it, you can’t appreciate a Manischewitz Concord Grape hangover.

A lot of our personal history is tied to these holiday celebrations, providing stories we tell for a lifetime. Like when – despite Mom’s stern warning not to get dirty – I fell into a stream behind my babysitter’s house, fancy corduroy pants and all. It was great fun but Mom was not amused. I think she’s still fuming. And it didn’t even involve Concord Grape.

We can even make the wacky traditions fun. For instance, on Passover the kids hunt for a piece of Matzoh hidden in the house (it’s called the Afikomen), and if they find it they get a couple bucks. Which is huge progress, because I was lucky to get a piece of chocolate from my grandfather back in the day. Given this year’s bounty ($2 for each kid), and my oldest daughter’s big spending plans, she was very concerned that I wouldn’t make good on my financial obligations. I’m afraid I didn’t help the situation when I mentioned my new policy of charging $2 per month for rent. Imagine that – I can be difficult sometimes.

Obviously I made good on the gift, but not before I had her unknowingly play back one of my favorite movie scenes. I asked her to say “I want my $2” about 10 times, and she didn’t understand why I was rolling on the floor. Too bad it was a school night, or I would’ve made her get on her bike and chase me around the neighborhood screaming “I want my $2.” Really, that’s not bad parenting, is it? Some folks figure they are Better Off Dead than suffering through yet another family holiday. But not me – I can make almost any occasion a big party. And I do.

-Mike

Photo credits: “La Tomatina / Spain, Bunol” originally uploaded by flydime

I would be negligent if I didn’t call attention to a major milestone that one of us hits today. That’s right, the baby of the bunch, the rich mogul turns 40. Today. I’d say that’s old, but I still have 2+ years on him, and a lot more gray hair. Rich is taking a vacation day (as he should) and my hope is that he’ll take a step back to appreciates all he has and has done over the past 4 decades. He has a great wife and kids, he’s building a great business, and he’s one of the top dogs in this little game we play.

So when you have your nightcap, after a typically hard day in the trenches of security, raise your glass to Rich and know that the next 40 will be better than the last.

Incite 4 U

1. Understand the real threat: Given all the (justified) bluster around the Verizon Data Breach Report, we can’t forget the need to understand what’s really at risk and how it is most likely to be compromised. Ax0n does a great job of reminding us by talking about the real insider threat, reminiscing about the hoops he’s had to jump through in order to remotely manage a server (legitimately, apparently). Then he contrasts that against the fact that other folks take the company’s most sensitive data outside on laptops and USB keys, posing a much more serious risk than a conscientious admin trying to fix things from home. Especially when the internal controls make life hard for people who don’t care about security. His point is that we need to match the controls (and security rhetoric) to the threat, and make sure it’s not onerous to drive creative folks to find a way around security. Remember, most folks believe security is not their job – it’s yours. You can make the case that it’s everyone’s job and you wouldn’t be wrong. But sales guys have to meet their quota each quarter, and that’s more important than meeting your rules. – MR
2. DBIR poop commences: It took about a nanosecond, but as Rich predicted, the Verizon Data Breach Investigations Report is already being misquoted and misinterpreted. More breaches being investigated does not necessarily mean there were more breaches, but that’s the poop already hitting the wire. I understand the rush to get an article live, but they should at least read some of the report before editorializing. The general public – who won’t read the full report either – gets the FUD about more breaches, without the useful bits about who is targeted, what’s been compromised, and what to do about it. That is sad, especially given how much time the Verizon team took to make solid recommendations about basic security steps to address common threats. – AL
3. Takedown: One of the biggest problems in cyber-security (yes, I used the word, get over it) is often the lack of effectiveness of law enforcement. It used to be that if you called the cops, more often than not they’d confiscate your servers and take you down than actually catch the bad guys. Either that or there’d be a chuckle on the other end of the phone (perhaps a guffaw) as they take down your information and say they’ll get back to you. Much of this is lack of training, but some is due to the sheer complexity and jurisdictional issues related to most cybercrime. But we just might be past that wall. The Feds just took down the Coreflood botnet by seizing the domain names, redirecting command and control traffic, and… wait for it… sending the “exit” command to shut down the running agents on infected systems. This is the first time law enforcement has ever made a move to disable software on endpoints, and it’s a very very big deal. Between this and the US Secret Service stating they’ve arrested 1200 cyber bad guys over the past few years, perhaps we are turning a corner. – RM
4. The myth of savings: We are working to categorize all the ways vendors use FUD (Fear, Uncertainty, and Doubt) to convince you their products are an absolute must. Meanwhile our contributor Gunnar reminds us of yet another way that potential cost savings might turn out to be vapor. Gunnar points out that even if you save $100 by embracing public cloud services, you’ll need to spend some of that savings on new things to provide a similar level of security & control in that environment. He uses the example of identity and federation, but there are many other examples such as application/database monitoring. So before you present this wonderful spreadsheet to the CFO, claiming $X in savings, make sure you understand (really understand) any hidden costs. – MR
5. Smothered by the cloud: Iron Mountain getting out of the online archival business is pretty big news for the company, and indicates the industry direction. Two years ago I spoke with their senior management and they predicted digital storage would be a huge part of their business. Physical media storage was on the decline and customers wanted easier, faster, and cheaper storage for secure data archival. Encrypted backups sent over the Internet – with external key management – made sense at the time and delivered what customers asked for. Apparently that did not pan out so well, but the lack of interest makes sense in hindsight. Long-term cloud storage is easy, fast and super-cheap, and if your apps are already in the cloud, it’s easier to leverage existing cloud vendor services. The model is changing the concept of archiving: Customers are not making backups (either tape or electronic) and sending tjem to secure storage vendors – instead they take periodic snapshots and save them to cheap archive media/services such as Amazon S3. Disk archives are spread across multiple locations, providing (at least theoretically) better and faster disaster recovery. How secure the data is depends upon the customer. – AL
6. Trusted identity for what?: Ed over at SecurityCurve makes some great points about the new Internet Identity Plan which is moving forward. Small questions, like what problem does it solve, and why will it be better than what we already have? Ed hedges at the end of the post by showing some hope that they (whoever “they” is) might make some progress. I won’t hedge at all: this seems ridiculous to me. The lack of a verified Internet Identity isn’t stopping commerce. Nor do I think folks who are scared to buy stuff online would start if they had this. The plan’s backers appear to have forgotten that most folks don’t care about security. They care about convenience. I don’t need or even want SSO for most of my web properties. With SSO a compromise of one credential provides to everything. Joanna Rutkowska points out that this is a bad idea. Maybe I’m missing something, but I’d rather we issue a password vault to everyone and teach them how to use it, including extremely long random passwords for protected data. It’s not that passwords are intrinsically busted, it’s the way (almost) everyone uses passwords that’s busted. – MR
7. App security goodness: While many enterprises are trying to keep consumer mobile devices out of their IT departments, iOS app developers keep making it harder to deny employees. Panic released Prompt, an SSH client for iOS devices. You can run encrypted management sessions to servers to prevent eavesdropping and session hijacking, as well as store key files to manage identities. Even GoodReader now offers per-file encryption that leverages iOS and hardware features to secure documents. I find it fascinating that I patch my iPhone/iPad faster than any computer I have ever owned. I connect it to iTunes every evening, so most updates are in place 24-48 hours after release, which I can tell you is an order of magnitude faster than servers and applications. Let’s face it – Apple makes it easy to do, so I do it. iTunes automatically makes a backup, and when something goes wrong it’s the easiest recovery process I have ever used. At this point, reticence against mobile iOS devices in the enterprise is more about configuration consistency and central control that absence of security features. – AL