Securosis

Research

Friday Summary: March 22, 2013, Rogue IT Edition

What happened to the guru? The magician? The computer expert at your company who knew everything. I have worked at firms that had several who knew IT systems inside and out. They knew every quirky little trick of how applications worked and what made them fail, and they could tell you which page of the user manual discussed the exact feature you were interested in. If something went wrong you needed a guru, and with a couple keystrokes they could fix just about anything. You knew a guru by their long hair, shabby dress, and the Star Trek paperback in their back pocket. And when you needed something technical done, you went to see them. That now seems like a distant memory. I have lately been hearing a steady stream of complaints from non-IT folks that IT does not respond to requests and does not seem to know how to get out of their own way. Mike Rothman recently made a good point in The BYOD problem is what? BYOD is not a problem because it’s already here and is really useful. Big Data is the same. Somewhere along the line business began moving faster than IT could keep up. Users no longer learn about cool new technologies from IT. If you want a new Android or iPad for work, you don’t ask IT. You don’t ask them about “the cloud”. You don’t consult them about apps, websites, or even collecting credit card payments. In fact we do the opposite – we see what our friends have and what our kids are doing, Google what we need to know, and go do it! The end-run around IT is so pervasive that we have a term for it: Rogue IT. Have credit card, will purchase. How did the most agile and technically progressive part of business become the laggard? Several things caused it. High-quality seamless rollouts of complex software and hardware take lots of time. Compliance controls and reports are difficult to set up and manage. It takes time to set up identity and access management systems to gate who gets to access what. Oh, and did I mention security? When I ask enterprise IT staff and CISOs about adoption of IaaS services, the general answer is “NO!” – none of the controls, systems, and security measures they rely on are yet fully vetted, or they simply do not work well enough. The list goes on. Technologies are changing faster than they can be deployed into controlled environments. Their problems are not just a simple download away from being addressed, and no trip to the Apple Store will solve them. It’s fascinating to watch the struggle as several disruptive technologies genuinely disrupt technology management. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Adrian’s DR paper: Security Implications Of Big Data. Rich quoted on Watering Hole Attacks. Gunnar’s DR Post: Your Password Is The Crappiest Identity Your Kid Will Ever See. Favorite Securosis Posts Mike Rothman & Adrian Lane: When Bad Tech Journalism Gets Worse. Totally ridiculous. The downside of page view whores in all its glory. Certainly wouldn’t want a fact to get in the way of the story… Other Securosis Posts Services are a startup’s friend. New Paper: Email-based Threat Intelligence. Who comes up with this stuff? The World’s Most Targeted Critical Infrastructure. DHS raises the deflector shields. Incite 3/20/2013: Falling down. If you don’t know where you’re going… When Bad Tech Journalism Gets Worse. The Right Guy; the Wrong Crime. New Job Diligence. Preparation Yields Results. The Dangerous Dance of Product Reviews. Limit Yourself, Not Your Kids – Friday Summary: March 15, 2013. Ramping up the ‘Cyber’ Rhetoric. Favorite Outside Posts Adrian Lane: Firefox Cookie-Block Is The First Step Toward A Better Tomorrow. Mike Rothman: Indicators of Impact. Kudos to Russell Thomas for floating an idea balloon trying to assess the impact of a breach. I’ll do a more thorough analysis over the next week or so, but it’s a discussion we as an industry need to have. Project Quant Posts Email-based Threat Intelligence: To Catch a Phish. Network-based Threat Intelligence: Searching for the Smoking Gun. Understanding and Selecting a Key Management Solution. Building an Early Warning System. Implementing and Managing Patch and Configuration Management. Defending Against Denial of Service (DoS) Attacks. Securing Big Data: Security Recommendations for Hadoop and NoSQL Environments. Tokenization vs. Encryption: Options for Compliance. Top News and Posts Critical updates for Apple TV and iOS available Ring of Bitcoins: Why Your Digital Wallet Belongs On Your Finger Subway Hit By The Ultimate Cyberthief Inside Job: A Double-Insider. Two opportunities to vet – both failed. Cisco switches to weaker hashing scheme, passwords cracked wide open Why You Shouldn’t Give Retailers Your ZIP Code Microsoft, Too, Says FBI Secretly Surveilling Its Customers The World Has No Room For Cowards. Krebs ‘SWATted’ in case you missed it. On Security Awareness Training Gravatar Email Enumeration in JavaScript. Clever. Spy Agencies to Get Access to U.S. Bank Transactions Database Blog Comment of the Week This week’s best comment goes to Dwayne Melancon, in response to New Job Diligence. Good advice, Mike. Surprised at how many people don’t look before they leap. If you apply some of your own “social engineering for personal gain” to this, you can avoid a lot of pain. Mining LinkedIn is a great shortcut, assuming the company you’re investigating has a decent presence there. Not only can you talk with specific people (including the ones who’ve left, as you mentioned), you can get a feel for whether there is a mass exodus going on. If there is, it can be a sign of a) opportunity b) Hell, or c) both. But at least you know what you’re getting into. Share:

Share:
Read Post

Apple Disables Account Resets in Response to Flaw

According to The Verge, someone discovered a way to take over Apple IDs using only the owner’s email address and date of birth. This appears to be an error exposed when they enabled 2-factor authentication, but as soon as it went public Apple disabled the iForgot feature and locked all accounts down. This seems to be one of those annoying cases where someone decided to disclose something in the press instead of just reporting it and getting it fixed. That’s really damn dangerous when cloud services are involved. I expect this to be resolved pretty quickly. Possibly before my bracket is blown to unrecoverable levels. We’ll update as we learn more … Share:

Share:
Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.