Securosis

Research

Ramping up the ‘Cyber’ Rhetoric

The rhetoric about cyberattacks is nearly deafening. It seems like my Twitter timeline blows up every day about cyber-this or cyber-that. Makes me want to cyber-puke. Since Mandiant pointed the finger at China everyone seems to be jumping on the bandwagon of tough talk and posturing. Take example #1: The US is now fielding teams to play offense and respond to computer attacks on critical infrastructure. I would like to be clear that this team, this defend-the-nation team, is not a defensive team,” Gen. Keith Alexander, who runs both the National Security Agency and the new Cyber Command, told the House Armed Services Committee. “This is an offensive team that the Defense Department would use to defend the nation if it were attacked in cyberspace. Thirteen of the teams that we’re creating are for that mission alone. Uh, this is news? Maybe that there is finally acknowledgement that the US (along with every other first world nation) invests in building cyber-attack capability. I know it’s hard to remember, but a few short years ago there was an uproar when Anonymous documentated that HBGary was proposing to build weaponized exploits. Where’s the uproar now? Oh yeah, now it’s politically correct to defend ourselves. This is media-driven nonsense. I doubt the strategy has changed at all, except maybe accelerated a bit. Though it will be interesting to see if and how sequestration impacts these kinds of investments. Rich recently pointed out that China is fundamentally different because they use military hacking apparatus to help commercial Chinese entities gain intelligence that helps them win big contracts. Obviously Israel’s announcement that their cyber-defense capabilities will be used to protect private Israeli enterprises is different, but it is another clear indication that the line is blurring between the private and public sectors. As it should. The Defense Ministry will set up a new body to support local defense industries in coping with cyber threats, ministry director-general Maj.-Gen. (res.) Udi Shani announced Tuesday. And if you need another data point showing ‘cyber’ is the new hotness, the CEO of BP disclosed on CNBC that BP Fights Off Up to 50,000 Cyber-Attacks a Day. Cybersecurity is a growing issue around the world, not only with companies but with governments,” Dudley observed. “We see as many as 50,000 attempts a day like many big companies … to my knowledge we haven’t had an incident that’s taken away data from us, but we’re incredibly vigilant. Clearly someone is hiding something from the CEO here, but he pulled the plausible deniability card in the form of “to my knowledge…” But if he’s right and they haven’t lost any data that would make them only such company. And before you start bitching in the echo chamber about how the hype is getting in the way of you doing your job because you are being paraded in front of the board and up to the CEO’s office once a week, remember when no one gave a crap about security. It’s always good to be careful what you wish for. Share:

Share:
Read Post

Limit Yourself, Not Your Kids—Friday Summary: March 15, 2013

Raising children in the age of the Internet is both exhilarating and terrifying. As a geek I am jealous of the technology my children will grow up with. You can make the argument that technology always advances, and my children will feel the same way about their offspring, but I think the genesis of the Internet is a clear demarcation line in human history. There is the world before the Internet, and the world after. The closest equivalents are the rise of agriculture and the Industrial Revolution, and I argue the Internet hit harder and faster. Mix in mobile devices, near-ubiquitous wireless data, and “the cloud”, and the changes are profound. Part of me feels incredibly lucky to have lived through this change, and another part is sad it wasn’t around sooner. It is an exciting time to raise kids. The resources available to us as parents are truly stunning. We have access to information resources our parents couldn’t conceive of. Want to know how to build a robot? Make the perfect sand castle? Build a solar-powered treehouse? Answer nearly any imaginable question? It’s all right there in your pocket. Anything my children choose to explore, I can not only support, I can get the supplies deliverd with free two-day shipping. My kids will grow up with drones, robots, 3D printers, and magical books with nearly all of human knowledge inside. Which isn’t always a good thing. Once they figure out the way around my filters (or go to a friend’s house), there won’t be any mysteries left to sex. Not that what they’ll find will represent reality, and some of it will warp their perceptions of normality. They will post their innermost thoughts online, without regard to what that may mean decades later. They will see and learn truly horrible things that, before the Internet, were physically isolated. They will witness lies and hatred on a colossal scale (especially if they post anything in a gaming forum). I accept that all I can do is try my best to prepare them to understand, filter, and think critically on their own. But I truly believe the benefits outweigh the dangers. Like this author, I will flood my children with technology. They have, today, essentially infinite access to technology. I don’t limit iPad time. I don’t count the television hours. We don’t restrict the laptops. This may change as they grow older, but my gut feeling is that the more you restrict something, the more they want it. And our family’s lifestyle is more centered on physical activity and creating than consuming. There is, however, one place where I have started restricting technology. Not for my children, but for myself. This week as I sat in the parents’ observation area at our swim school, I noticed every adult head wasn’t focused on their kids, but on the screens in their hands. Go to any playground or Chuck E Cheese and you will see more parental heads staring down than up. I noticed I do it. And my children notice me. Children, especially young children, don’t necessarily remember what we try to teach them. They, like nearly every other species, learn by watching us. And they remember absolutely everything we do, especially when it involves them. I don’t want my kids thinking that the screen in my hand is more important than they are. I don’t want them thinking that these wonderful devices are more important than the people around them (well, I do prefer Siri over most people I meet, but I’m a jerk). I can’t just tell them – I need to show them. I have started weaning myself off the screen. When I’m with my family, I try to only use it when absolutely necessary, and I verbalize what I’m doing. I am trying to show that it is a tool to use when needed, not a replacement for them. I am not perfect, and there are plenty of times it’s okay to catch up on email in front of my kids – just not when I should be focused on them. And, to be honest, once I got over the initial panic, it’s nice to just relax and see what’s around me. It doesn’t hurt that my kids are damned cute. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Rich quoted on Watering Hole Attacks. Adrian’s DR post: Database Security Operations. Favorite Securosis Posts Mike Rothman: Compromising Cloud Managed Infrastructure. You cloud is only as secure as the web interface you use to configure it… Adrian Lane: The BYOD problem is what? Rich: Ramp up the ‘Cyber’ Rhetoric. Other Securosis Posts Email-based Threat Intelligence: Quick Wins. Email-based Threat Intelligence: Industrial Phishing Tactics (New Series). A Brief Privacy Breach History Lesson. Incite 3/13/13: Get Shorty. Could This Be the First Crack in the PCI Scam? TripWire nCircles the Vulnerability Management Wagon. Untargeted Attack. Email-based Threat Intelligence: Analyzing the Phish Food Chain. In Search of … Data Scientists. Encryption Spending up in 2012. Security Education still an underused defense. Favorite Outside Posts Mike Rothman: Father hacks ‘Donkey Kong’ for daughter, makes Pauline the heroine. Hacking for the win. This is the right example to set for young girls. They can do anything they want. Adrian Lane: Which Encryption Apps Are Strong Enough to Help You Take Down a Government? People talk about privacy, but Matt Green arms you with some tools to actually help. The question is would you actually use these tools. Dave Lewis: Time Stamp Bug in Sudo Could Have Allowed Code Entry. Gunnar: Google services should not require real names – Vint Cerf. Two years back Bob Blakley brought us on a quick tour of the weak points of Google requiring real names – in a word: insane. Top News and Posts Spy Agencies to Get Access to U.S. Bank Transactions Database Microsoft and Adobe release patches to fix critical vulnerabilities. Deja patch. Obama Discusses Computer Security With Corporate Chiefs. Update on iOS 6 exploitation. TL;DR: it’s really hard. Blog Comment of the Week This week’s best comment goes to Nate, in response

Share:
Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.