The sun rose today. As it has every day for a couple billion years. Though plenty of people thought they would not be around on Sunday for the sunrise. Yes, I’m talking about the Rapture. Either it didn’t happen or we all got left behind, which is fine by me – I still have stuff to do. You may think the whole concept is wacky, but I’m the last guy to criticize someone else’s beliefs. What you believe is your business. I’m certainly not going to try to convince you I’m right. Especially about matters of faith.

But the Rapture preacher didn’t consider that he could be wrong. He dug in and didn’t leave any wiggle room. That didn’t work out very well. His followers awoke Sunday, confused and flabbergasted. Some haven’t paid their bills. Others took fancy vacations with money they didn’t have, figuring it would be the bank’s problem and they’d be laughing from heaven. These folks didn’t have a contingency plan. But you have to hand it to the preacher. He’s a true believer with a flexible and robust calendar.

Some may snicker about the lunacy of the whole thing, but that misses the point. The real lesson is that even if you are a true believer you need to leave your options open. Even if you know you are right, it’s probably a good idea to think through the unfathomable scenario that you could be wrong. I know, it’s hard. None of us want to believe we are wrong, especially folks of conviction and passion. But in the face of overwhelming evidence (like waking up on Sunday) that you are indeed wrong, you need to be able to move forward.

This remains a challenge for me too, by the way. I think in a pretty binary fashion. Right and wrong. Good and evil. Black and white, with very little gray. Though the gray area is increasing, which is kind of predictable. When you are young, you haven’t screwed up enough things to believe you could be wrong. Over time, you gradually realize not only your own limitations, but also that right/wrong is an interpretation.

Now do a little homework to start using this lesson in practice. Look back to your last 2-3 arguments. Did you leave yourself an out? Did you respond poorly because you had no choice but to defend your position to the bitter end? Did you need to fall on your sword to save face? I’m all for taking a position and defending it passionately, but 20+ years in the salt mines have taught me to find the middle ground. Because most likely the sun will rise tomorrow, and you need to move forward.

– Mike

Photo credits: “Caught up in the rapture” originally uploaded by Analogick

Incite 4 U

1. Target Practice: Life is about relationships. Pretty deep but true. Whether you are talking about family, friends, colleagues, even people you don’t like, your reality is based upon the relationships you have with these folks. That’s true in security as well, as Chris Hayes points out. There is a good quote here: “IT and business executives are craving value-add from information risk management functions.” Which is true, so how can you add this value? By defining success and then delivering it. It’s not your definition of success – you need to agree with other folks on what security can do to further business objectives. Find the target. Hit the target. Then tell folks you hit the target. Easy as pie. – MR
2. Hostage Situation: A Venafi study finds admins could hold data hostage from their employers if they chose to withhold encryption keys and passwords. To which I have to say “Well, duh!” Not everyone in an organization will have control over pieces of critical infrastructure, but you have to trust someone, so place control in the hands of a select few. This variety of insider threat rarely materializes, but is especially damaging when companies over-leverage key management solutions (so, for example, every key in the organization is stored in a single key server) or fail to implement separations of duties for key management. If you are worried about this type of scenario there are several things you can do: keep a master key stored off-premises so you can regenerate and rotate the working keys if an admin goes rogue. Think about separating duties for key management, so no single admin can take control of the key manager functions. Use different key servers for different applications or functions, minimizing the scope of potential damage. Do better background checks on your admins prior to employment, and have better employee departure processes to make sure all credentials and access points are changed as part of the termination process. Or maybe treat your employees better so they don’t get too pissed off – yeah, that last one’s probably not going to happen. – AL
3. There is no control for stupid: A fact that is mostly glossed over by security folks is that all the technical controls in the world can’t protect a stupid user with access. That’s the point of George Hulme’s story, and it’s a good one. Yes, we have to make it hard for user stupidity to bring down valuable systems – hat’s what technical controls are for. But we also need to anticipate some number of self-inflicted wounds, and be able to quickly respond and recover. That’s what Reacting Faster and Better is all about. So whether it’s a human FAIL, technical FAIL, or an attacker that kicks your butt, it’s all the same in the end. You need to handle the issue. – MR
4. Unless you are the lead dog, the scenery never changes: I love that concept. Most folks spend their life looking at someone else’s backside. Which is fine – not everyone can lead. But what does it mean? We all have our own ideas, but Bejtlich’s post defining Five Qualities of Real Leadership clarified a lot of the stuff I have done. And a lot of stuff that I haven’t. You can read the 5 qualities yourself, but to me they come down to one simple idea. Leadership is not about you. It’s about the folks you lead. If they are successful, then you are leading effectively. The rest is window dressing – mostly about selling management theory books. – MR
5. PDF Surprise: Want to know why antivirus is so ineffective? Because of attacks that use layers of obfuscation like this malicious PDF file example provided by Tomer Bitton of Imperva. It’s a very clear example of how easy it is to deliver malware to compromise your machine – in fact it’s your machine that asks for it. Encrypting malware is nothing new, but it’s incredibly effective at hiding malicious code and web addresses from any signature-based detection system. And wrapping executables in shellcode, or dropping JavaScript and Shellcode inside a PDF to hide the whole mess. The hardest part is for the attacker to leave the PDF someplace for you to find it. The average user won’t be able to detect an attack, and disabling PDFs would likely cause a riot. Unfortunately there are not many options, other than installing a different PDF viewer that can’t phone home, anti-malware tools that sandbox applications, or outbound web filtering. If you must use Reader in your browser, keep it patched. – AL
6. The death of UTM is greatly exaggerated: I know part of running a web site is whoring for page views, but I honestly expected better from Larry Walsh than UTM Security Appliances are Dead. We are big fans of application aware firewalls (AAFW) and expect them to play a key role in perimeter security for larger companies over time. But to think UTM is dying anytime soon is crazy. AAFW will gain in the enterprise market mostly because of performance, because the issue with using an IPS to enforce application policies is performance, not accuracy. And it’s not like UTM is a big seller in the large enterprise now anyway. There is a fairly large market segment (think 100,000s of companies) with roughly 5-25mbps connections to the Internet, so firewall performance is not an intractable issue for these folks. For all of them, there is nothing wrong with current UTM boxes with some bolt-on application policies to solve problems. Larry seems to forget that users don’t care what vendors call a product category. It’s all about the customer problem. They want more capability and less complexity. – MR