Friday Summary: March 9, 2012
By Adrian Lane: I learned something from the e10+ session during RSA. Usually it’s my least favorite event, but this year was different – it was my favorite, and not just because Rich and Mike were instrumental in putting it together. The consumerization presentation was really informative – the audience responses surprised me – but the breach victim “fireside chat” was awesome. The only way we could mimic the human stress angle in a preparedness drill is to set part of your office on fire during a press conference, or taze IT personnel as they rummage through logs. Don’t discount the stress factor in breach planning.

Around the time of the RSA conference I had a few discussions with VCs about a technology acquisition. We discussed market trends, total market revenue estimates, sales opportunities, how products should be sold, and what changes in the ‘go-to-market’ strategy were needed to turn the company around. At the end of the day, the investment was a non-starter. Not because of the market, or the value of the technology, but because of the level of trust in the management team. They simply got “a bad feeling” they could not overcome. People not trusting people.

I know several other bloggers have mentioned the exotic cars in vendor booths on the conference floor this year. What’s the connection with security? Nothing. Absolutely nothing. But they sure pulled in the crowds. Cars and booth babes with matching attire. I admit the first time I swung by Fortinet’s booth was to see the Ferrari. Sure, it was an unapologetic lure. And it worked. I even took a photo, I was so impressed with the beauty of its engineering. Nice, huh? It’s too easy to be dispassionate about security, especially when talking about cryptography or key management. Heck, I have seen presentations on social engineering that had the sex appeal of paint brushes.
How many of you have seen the “blinky light phenomenon”, where buyers prefer hardware over software because there is a very cool looking (read: tangible) representation of their investment? But security users – or should I say security buyers – are motivated by human factors like everyone else. Too many CTOs I speak with talk about what we should be doing in security, or the right way to solve security problems. They fail to empathize with the IT guys who are trying to get multiple jobs done without much fanfare. And many of those IT guys don’t want to talk about it – they want to get out of their cubicles for a day, walk around some shiny cars, have someone listen to their security issues, and bring some tchotchkes back to their desks. Human behavior is not just an exploit vector – it’s also part of the solution space.

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences
Mike quoted on Bank Info Security.
Adrian’s DR article on Deleting Databases.
Rich quoted on Daring Fireball about OS X Gatekeeper.
Adrian talks Tokenization at RSA Conference.
Adrian quoted in CSO on Big Data.

Favorite Securosis Posts
Mike Rothman: Burnout. This is a great post by Rich. Read. it. now.
Adrian Lane: Bringing Sexy back (to Security): Mike’s RSAC 2012 Wrap-up.
Rich: Lazy Deal Analysis in this week’s Incite.

Other Securosis Posts
Incite 3/7/2012: Perspective.
Upcoming Cloud Security Training Courses.
Objectivity Matters.
Implementing DLP: Ongoing Management.
Implementing DLP: Deploy.
The Securosis Guide to RSA 2012.
The Last Friday before the 2012 RSA Conference.
RSA Conference 2012 Guide: Cloud Security.
RSA Conference 2012 Guide: Data Security.
RSA Conference 2012 Guide: Security Management and Compliance.

Favorite Outside Posts
Rich: How’s that secrecy working out? The bad guys talk. We don’t. Guess who has the advantage?
Dave Lewis: Researchers find MYSTERY programming language in Duqu Trojan. It shows both skill and dedication to create your own language to write malware. But why? Anti-reverse engineering? Sounds spook-y!
Mike Rothman: Heartland 2011. Gunnar revisits the impact of the breach on Heartland’s business operations. Some folks will use this as proof that a high-profile breach is nothing but a brief event. Heartland clearly responded effectively and got their business back on a nice growth path. But don’t make the mistake that correlation = causation. It’s a data point, nothing more nor less.
Adrian Lane: The Ruby/GitHub hack: translated. The only lucid discussion of the GitHub incident I’ve seen, and a nice breakdown of the issue.

Project Quant Posts
Malware Analysis Quant: Metrics–Monitor for Reinfection.
Malware Analysis Quant: Metrics–Remediate.
Malware Analysis Quant: Metrics–Find Infected Devices.
Malware Analysis Quant: Metrics–Define Rules and Search Queries.

Research Reports and Presentations
Network-Based Malware Detection: Filling the Gaps of AV.
Tokenization Guidance Analysis: Jan 2012.
Applied Network Security Analysis: Moving from Data to Information.
Tokenization Guidance.
Security Management 2.0: Time to Replace Your SIEM?
Fact-Based Network Security: Metrics and the Pursuit of Prioritization.
Tokenization vs. Encryption: Options for Compliance.

Top News and Posts
We Need to Talk About Android. The practical side of app security.
East Villager is ID’d as leading hacker with Anonymous group.
Consumerization is not BYOD, and what that means for security.
Head of Lulzsec Arrested.
TSA Pooh-Poohs Video Purporting to Defeat Airport Body Scanners. The video is a ‘must see’.
Adobe patches critical flaws. Feels like I write that sentence every week.
Tips for NOT getting Hacked on the Web. I would have said “for the common man”, and I would have included a recommendation not to click email links, but solid advice for basic user protection!
Fake AV attack targets WordPress users. Apparently some people we know have experienced this.
Apple releases Configurator app for Mac. With all the hoopla surrounding the new iPad and Apple TV releases, you might have missed this important iDevice management tool.
Still Life With Anonymous. In case you missed it, just before the RSA Conference, Imperva launched a report containing their findings on Anonymous.
Mitt Romney or Mr. Burns? OK, it’s political, but it’s really funny.
Hackers grab Michael Jackson songs from Sony.
Google Pays Out $47,500 in bug bounties. This program is working, people! Take note.

Blog Comment of the Week
Remember, for every comment selected, Securosis makes a