DDoS: Distributed, but not evenly

It shouldn’t come as any surprise, but big financials are still suffering a wave of DDoS attacks. DDoS is like an accidental amputation – there is no question whether it’s a problem. The trick is to know ahead of time if you are on the list, and the best thing to do is keep an eye on your peers. Not everyone needs to invest proactively in DDoS protection, but you sure as heck need a plan and a vendor contact just in case. Especially if you are big, handle money, work with (or piss off) governments located “East” (Europe, Asia, Middle, whatever), or like to poke Anonymous. Update 1/9: According to the New York Times, a “former” gov official with connections says Iran is definitely behind the attacks. Backing up the rumors we’ve all been hearing from the start. Share:

Read Post

Incite 1/9/2013: Never Lost

I was in the car the other day with one of the kids, and they asked me if I ever get lost. I have a pretty good sense of direction and have been able to read maps as long as I remember. I was probably compensating for my Mom’s poor sense of direction and my general anxiety at a young age about feeling lost. But it’s different today. With the advent of ever-present GPS and decent navigation, I can say it has been a long while since I have really been lost. I get misdirected sometimes, but that lasts maybe a minute and then I figure out my way. But these gadgets are no silver bullet. A couple years ago I was doing a seminar tour and ended up in Detroit. I did my thing, got some sleep, and was ready to head out to the airport the next morning. The car was equipped with a GPS from the rental car company, so I hit the button to take me to the airport and started driving. About 40 minutes later, I started thinking something was screwy. Then I got that feeling in the pit of my stomach, when I realized I selected the wrong airport in the GPS. I was driving in the wrong direction for over a half-hour and I was very unlikely to make my flight. And this was not the day to miss the flight. The Boss was leaving town and I had to get the kids from their various schools and activities. Of course, when I finally got to the right airport, all the flights back to Atlanta were booked up. I was totally screwed. So I paid a whole bunch of idiot tax and bought a first class seat on another airline. And I still had to call in a bunch of favors from friends and family to take the kids until I could get home. Feels like I’m still paying for that period of idiocy. Let’s just say I double check every time I enter an address into a GPS nowadays. But now let’s consider navigation metaphorically. We have technology that can help us get anywhere we want to go. It’s built into your car and you carry it in your pocket. But that doesn’t make it any easier to know where you should be going. And even when you get there, you are usually disappointed with the destination… Maybe it wasn’t everything you cracked it up to be. Sometimes the grass isn’t greener when you get there. When I think about it and play out the metaphor a bit further, there’s another reason it has been a while since I was last lost. I guess at this point in my life, I don’t get lost because I’m not trying to get anywhere. I’m very fortunate to be in a situation where I can actually say that. And mean it. Given my cultural programming, it took me a long time to accept where I am and to not strive to get to where I’m not. There are some days I forget – I am human after all. But there is no GPS for life. That’s worth remembering. –Mike Photo credits: Hertz NeverLost III originally uploaded by Josh Bancroft Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too. Understanding Identity Management for Cloud Services The Solution Space Introduction Newly Published Papers Implementing and Managing Patch and Configuration Management Defending Against Denial of Service Attacks Securing Big Data: Security Recommendations for Hadoop and NoSQL Environments Pragmatic WAF Management: Giving Web Apps a Fighting Chance Incite 4 U BYOD basics: I mentioned this briefly on the blog earlier this week but wanted to add a bit. ENISA released a great guide to getting started with BYOD. It is far more practical than most approaches I have seen, and includes links to a lot of public examples. One of key aspect is how the guide consistently addresses the issue of getting employee cooperation. You can’t hit BYOD with a hammer or you will just end up smashing your thumb. If the employee owns it, you need to entice them with benefits – not act as if you are doing them a favor by allowing them access to corporate email on their off hours. For more detail on the technology, I wrote a paper with a spectrum of options for protecting data on iOS. As a security guy I hate giving up control as much as anyone, but employees aren’t cattle and they need a fair deal or they’ll figure out a way around whatever you come up with. – RM Carnival of dysfunction: Leaking thousands of patient records is not news, – we have had a steady diet of leaks and breaches over the past decade. But the recent LA Times article on a couple who improperly stored some 300k patient records was interesting for the myriad levels of disfunction it describes. And it’s clear from comments by both the third party provider and Kaiser that they don’t understand data security. Couple that with the Times slant that small firms should never store sensitive data at home because it can’t be secure, and you have a carnival of dysfunction. This issue is not unique to Kaiser – most large enterprises engage small third party service providers because they offer a specific skill at low cost and are agile enough to adapt to market changes. But don’t expect them to know security, and don’t expect them to comply with requests for military-grade security or formal compliance processes. Companies should provide simple security controls that are both understandable and implementable by small firms. For example some full disk encryption, key management, and a dedicated computer for sensitive

Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.