I read a profile of Spanx’s Sara Blakely in the Forbes Billionaires issue, and the tip that really resonated was that at dinner each night, her father would ask each child what they failed that day. Wait, what? He would be disappointed if the kids didn’t fail something because it meant they weren’t stretching far enough out of their comfort zone. Damn, I wish I thought of that.

There is an unnecessary stigma about failure and it’s counter-productive. This is programmed into our heads from a young age. “Winning isn’t everything, it’s the only thing.” Hyper-competitive helicopter parents screaming at their kids to win their 4-year-old T-ball game. I have to say the Boy competes in both lacrosse and tennis, but he doesn’t much care whether he wins or loses. He just moves on. He certainly didn’t get that trait from me – I was very competitive growing up and hated to lose at anything. But I admire it in him.

As a result of my unwillingness to screw up, I didn’t really try enough new things. I would compete when I knew I had a very good chance to win. Looking back, it would have served me much better to have tried stuff and made mistakes and realized that I could fall down, and it would be okay. Think about it – we fail every day at all sorts of things, both little and big. Entrepreneurs talk about failing fast and pivoting to the next idea quickly. They fall down but reload and move on.

I love the guys who breathe their own exhaust and think they are all that because they joined a company like Google or Facebook early enough to make some money, but not so early that they had much to do with the company’s success. These folks think it was them, while in reality they were lucky. To be fair, these lucky few do learn from being around success. Some can parlay that into success in their next venture. But most don’t. The folks who got blown out are more interesting. As one of them I can tell you that I learned a lot more from failing.

In the security world a breach occurs when something fails. Some of the small-minded clean up the mess and move on. They don’t spend enough time trying to figure out what went wrong. They hope the problem will go away. It won’t. It never does. They should do a post-mortem. They need to identify what didn’t work and fix it. An organization’s culture must allow for mistakes, though it’s realistic to expect employees not to make the same mistake twice.

I am pretty good about telling my kids that it’s okay to make mistakes. As long as they learn from them. So when they have a no good, horrible, very bad day, messing everything up, I always ask what they have learned. Usually they can tell me, but if not I’ll use it as a teaching moment to explain what they could do differently next time. Ultimately I try to make it clear to them that it’s okay to fail. Really, it’s okay. As long as they get back up and jump into the mix.

–Mike

Photo credits: Oops! “This Was NOT What I Intended!” originally uploaded by Bridget Coila

Upcoming Cloud Security Training

Interested in Cloud Security? Are you in EMEA (or do you have a ton of frequent flyer miles)? Mike will be teaching the CCSK Training class in Reading UK on April 8-10. Sign up now.

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

Email-based Threat Intelligence
  Quick Wins
  Analyzing the Phishing Food Chain
  Industrial Phishing Tactics

Understanding Identity Management for Cloud Services
  Buyers Guide
  Architecture and Design
  Integration

Newly Published Papers
  Network-based Threat Intelligence: Searching for the Smoking Gun
  Understanding and Selecting a Key Management Solution
  Building an Early Warning System
  Implementing and Managing Patch and Configuration Management
  Defending Against Denial of Service Attacks

Incite 4 U

Vulnerability scoring snoring: I have to admit I have never been a fan of generic vulnerability scoring because it doesn’t take into account the context required to understand the impact of the issue on your network. It’s nice to see Tyler Reguly of nCircle make the same point. He says it pretty bluntly: “The current state of vulnerability scoring is useless. With the frequency of vulnerability disclosure and the number of vulnerabilities patched in products, a bucket consisting of High, Medium, and Low tells me nothing.” Back in Vulnerability Management Evolution I talked a lot about how prioritizing what to do is the key value of these platforms. Tyler then goes on to talk about risk scoring, which adds a few key attributes like exploit availability and access to the system. Right – if you can’t exploit the vulnerability or get to the system, your urgency score needs to drop. Period. – MR

SCADA chum: Even today we still run into far too many Operational Technology (OT, as opposed to IT) people who like to pretend they are still safe behind their firewalls. Or that their systems are too specialized for Internet attackers to do anything with, even if they do get in. New research by Trend Micro shatters those misconceptions. The research team put up 3 honeypot networks designed to emulate real utility company networks, and watched as they were hit with 39 attacks from 14 nations (guess who came first?).
This is merely one more in a series of wake-up calls, and you can bet that these sorts of results are driving more of the cybersecurity activity in DC than the more-public IP theft. – RM

Right idea, wrong direction: This attacks on critical infrastructure story is making the rounds as news. But this is the same story we heard for years about SCADA; vulnerable – we know. But why is it an issue now, and why is it any