Securosis

Research

Hindsight FTW

[soapbox] Within a week or two after every high profile data breach, we get naysayers and Tuesday Morning Quarterbacks playing the “If they only did X…” game. You know – the game where they are always right in hindsight. I am a bit surprised Pescatore jumped on that bandwagon in Simple Math: It Always Costs Less to Avoid a Breach Than to Suffer One, but he did. **Of course* it’s much cheaper to avoid a data breach. And folks have been talking about whitelisting on fixed-function devices such as POS systems for years (including me). Whitelisting is one of the SANS Critical Controls so Home Depot definitely should have implemented it, right? After all, they could have avoided over $200MM in losses if they only had spent $25MM installing whitelisting on every device across their network. But that calculation is nonsense without the benefit of foresight. $25MM to implement whitelisting is real money. When folks make resource allocation decisions in a company like Home Depot, it’s not just a simple question of “Let’s spend $25MM to save $200MM.” The likelihood of a breach is X. The potential loss is Y. And X and Y are both unknown. Whereas $25MM could be used to update a bunch of stores, resulting in assured revenue increases. It’s not like they knew about Target or any other retail breach when they made that decision. Even though John contends they should have known (again with the fortune telling) and mobilized immediately to protect their devices. However, after the Target breach become public, any rational risk assessment would have significantly raised the probability of the bad thing happening – to pretty close to 100%! Note that I do not know for sure why Home Depot didn’t install tighter controls on their POS systems. I don’t know if they weighed one capital expenditure against another and whitelisting lost. I don’t know if they decided not to implement whitelisting after learning about Target. The only thing I know is that I don’t know enough to call them out. It is disingenuous to make assumptions about what they did or didn’t do and why, so I will not. But I feel like the only one. We see an amazing number of folks have perfect vision about what Home Depot should have done. Of course it’s easy to see clearly in the rearview mirror. Or as the Fall Out Boys sing: I’m looking forward to the future But my eyesight is going bad And this crystal ball It’s always cloudy except for When you look into the past [/off soapbox] Share:

Share:
Read Post

Incite 9/17/2014: Break the Cycle

The NFL has had a tough week. The Ray Rice stuff I mentioned last week. And uber-running-back Adrian Peterson deactivated on Sunday, due to a child abuse indictment. The stories are terrible, especially given that NFL players are explosive athletes and trained in violence. No kid or spouse has a chance in the face of an angry NFL player. And no, I’m not going to anywhere near Floyd Mayweather on this topic. Peterson’s excuse was that he was just disciplining his 4 year old, just as he was disciplined as a child. With a switch, which is evidently a thin tree branch. Of course we are hearing about switches and abusers because these high-profile athletes make millions a year. They are human. They make mistakes, regardless of their bankrolls. And like everyone else (including you and m), they are defined by their experiences. I’m not making excuses – what they have done is not really excusable. But the real point isn’t about suspending or pushing Adrian Peterson, Ray Rice, Greg Hardy, or Ray McDonald out of the league. It is about trying to figure out how to break the cycle. Many of these people grew up in abusive environments. That is all they know, and they think it is the way to get results. Peterson’s public statement indicates he has worked with a counselor to learn other techniques for disciplining children. That’s good to hear. It doesn’t heal the scars on his son’s legs or psyche, but it’s a start. No one teaches you how to be a parent. There is no curriculum. There are no training courses, besides child CPR and maybe changing a diaper. You figure things out. You do what you think is right. If you don’t like how you grew up, maybe you decide to do things differently. Or maybe you do the same because that’s all you know. Abuse of any kind is terrible and exacts a toll over generations. Yes, we should punish those responsible, but we also need to address the root causes if we want to change anything. That requires education and support for parents at risk of abuse. Given the prevalence of online education and training, there is a better way to do this, and the Internet is a part of the answer. At some point someone will figure it out, and we’ll all be better for it. Until then you can only feel bad for the people (especially kids) on the other end of the switch. –Mike Photo credit: “Little 500 Wreck 2005” originally uploaded by Lambda Chi Alpha Fraternity The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the conference this year. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back. Securosis Firestarter Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail. September 16 – Apple Pay August 18 – You Can’t Handle the Gartner July 22 – Hacker Summer Camp July 14 – China and Career Advancement June 30 – G Who Shall Not Be Named June 17 – Apple and Privacy May 19 – Wanted Posters and SleepyCon May 12 – Another 3 for 5: McAfee/OSVDB, XP Not Dead, CEO head rolling May 5 – There Is No SecDevOps April 28 – The Verizon DBIR Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too. Secure Agile Development Working with Development Agile and Agile Trends Introduction Trends in Data Centric Security Deployment Models Tools Introduction Use Cases Newly Published Papers The Security Pro’s Guide to Cloud File Storage and Collaboration The 2015 Endpoint and Mobile Security Buyer’s Guide Open Source Development and Application Security Analysis Advanced Endpoint and Server Protection Defending Against Network-based DDoS Attacks Reducing Attack Surface with Application Control Leveraging Threat Intelligence in Security Monitoring The Future of Security Incite 4 U Living to fight another day: Given the inevitability of breaches, as a security professional you will come into contact with PR/media spin doctors at some point. Probably sooner rather than later. They may be external folks with fancy cards which say crisis communications, but odds are they don’t know much more than you about dealing with a security breach. Kellie Cummings has a great primer of things to remember, highlighting issues like slow response, lack of candor, missing transparency, mismanaged expectations, and imprecise statements that undermine trust… and trust is critical for crisis communications. So don’t be afraid to share your opinion when you know the spinsters are screwing up. Not to be melodramatic, but your job might depend on it. – MR Radicals: Most people, if presented with a plate of common food additives would not willing put any of them in their mouths. You might even think you were being poisoned. But invisibly embedded in food, you have no idea any nasty stuff is there, and you consume willingly. Browsers are the same way – if you looked closely at how many ways a browser can scrape user, machine, and session data you would be appalled. Likely you would ban these things from your firm. But personal data silently and invisibly exploited by marketing and analytics firms gets a pass, and since we cannot detect attackers leveraging them nobody is willing to rock the boat. Enterprise IT folks spend tons on anti-fraud, malware, and phishing detection products – and millions more to control BYOD – but on browser security settings and plug-ins? Not so much. Which is why I was shocked to see

Share:
Read Post

Fix Something

Once again Wendy kills it with How to Help, saying things many of us probably think. Daily. It can get frustrating when all you hear is one person after another bitching about what’s wrong with security. And as she correctly points out, there are tools aplenty to tell you exactly how much work you have to do. But that doesn’t really help. None of this is actually fixing anything. It’s simply pointing out to someone else, who bears the brunt of the responsibility, “Hey, there’s something bad there, you really should do something about it. Good luck. Oh yeah, here, I got you a shovel.” Her message is complain less, do more. And I agree. Wendy then runs through a list of things you could do. All of them require work, and most of us don’t have a lot of time for side projects. Of course she has an answer for that as well. And if you’re just about to say, “But that takes time and effort, and it’s not my problem,” then at least stop pretending that you really want to help. Because actually fixing security is hard, tedious, thankless work, and it doesn’t get you a speaker slot at a conference, because you probably won’t be allowed to talk about it. Yes, I know you don’t have time to help those organizations secure themselves. Neither do they. Naming, shaming and blaming are the easy parts of security – and they’re more about self-indulgence than altruism. Go do something that really fixes something. Amen. Really great post. One of those I wished I’d written myself. Photo credit: “The Fix Is In” originally uploaded by JD Hancock Share:

Share:
Read Post

Incite 9/10/2014: Smile and Breathe

Last week I mentioned how excited I was for the NFL season to be starting. I took the Boy to the Falcons’ home opener and it was awesome. It was a great game, and coming away with a victory in overtime was icing on the cake. As predicted, my voice was a bit rough on Monday from screaming all day Sunday, but it was worth it. I don’t think my son will ever forget that game, and neither will I. Of course, I was expecting Monday to be all about the big victories. Who would have expected Buffalo to beat the Bears at home? Not me – I picked Chicago in my knockout pool, and was promptly knocked out. I’m like Glass Joe I get knocked out so early and often. At least that game happened during the Falcons game, so I wasn’t bothered to be setting $20 on fire. Again. And the Dolphins beating the Pats? Another surprise. But the Monday news cycle was hijacked and dominated by the Ray Rice video. I will not link to it because it’s disgusting. The Ravens cut ties with the guy and now he’s suspended by the NFL. All of which is deserved. Can he rehabilitate himself? Maybe. Can he and his (now) wife work it out? Maybe. Was this an isolated incident, totally shocking and surprising to the people who claim to know him? No one knows that. All we know is that at that moment in time, Ray Rice was a wife-beater. And he’ll suffer the consequences of that action for the rest of his days. But let’s take a more constructive view of the situation. How did he get so angry as to strike the person he claims to love the most? What could he have done differently to avoid finding himself in that situation or role? I don’t have any experience with domestic violence. I don’t let the Boy hit his sisters, no matter what they do. But I do know a thing or two about anger. Anger (and my inability to manage it) was my catalyst to start moving down the mindfulness path, as I described in my RSA talk with JJ (link below). I am not going to preach the benefits of a daily hour of meditation. I won’t push anything except a little tactic I have learned, to both help me be aware of my increasing frustration, and to stop the process before it turns to anger and then rage. When I feel my fight or flight instincts kicking in, I smile and then take a deep breath. That brings my awareness out of the current stressful situation and lets me take a step back before I do something stupid. It allows me to sit with my frustration and not allow it to become anger. If it sounds easy, that’s because it is. It takes discipline to not take the bait, but it’s easy to do. Of course this is not the right approach if you are being chased by a lion or an angry mob. At that point your fight or flight instincts are right on the money. But as long as your life is in no danger, a smile and then a deep breath work. At least they do for me. You will get strange looks when you break into a smile during a tense situation. Folks may think you are crazy, and may get more fired up that you aren’t taking them seriously. I don’t worry about what other people think – I figure they prefer a smile to a felonious assault. We all need tactics to handle the stress in our lives. Figure out what works for you, and make it a point to practice. The unfortunate truth is that if you do security you will have plenty of opportunities for practice. –Mike Photo credit: “[077/365] Remember to Smile” originally uploaded by Leland Francisco The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the conference this year. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back. Securosis Firestarter Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail. August 18 – You Can’t Handle the Gartner July 22 – Hacker Summer Camp July 14 – China and Career Advancement June 30 – G Who Shall Not Be Named June 17 – Apple and Privacy May 19 – Wanted Posters and SleepyCon May 12 – Another 3 for 5: McAfee/OSVDB, XP Not Dead, CEO head rolling May 5 – There Is No SecDevOps April 28 – The Verizon DBIR April 14 – Three for Five Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too. The Security Pro’s Guide to Cloud File Storage and Collaboration Additional Security Features Core Security Features Overview and Baseline Security Introduction Trends in Data Centric Security Deployment Models Tools Introduction Use Cases Understanding Role-based Access Control Advanced Concepts Introduction NoSQL Security 2.0 Understanding NoSQL Platforms Introduction Newly Published Papers The 2015 Endpoint and Mobile Security Buyer’s Guide Open Source Development and Application Security Analysis Advanced Endpoint and Server Protection Defending Against Network-based DDoS Attacks Reducing Attack Surface with Application Control Leveraging Threat Intelligence in Security Monitoring The Future of Security Security Management 2.5: Replacing Your SIEM Yet? Defending Data on iOS 7 Incite 4 U Pay Apple: With Apple’s announcement today of Apple Pay, they have now released some details of how their payment architecture will work. Yes, it’s a

Share:
Read Post

Feeding at the Data Breach Trough

They say when industries go nutty with consolidation and high-dollar M&A deals, the only folks who really make money are the bankers and the lawyers. Shareholders end up holding the bag, but these folks have moved on to the next deal. Given all the recent retail sector breaches (there are too many to even link), let’s take a look at who is going to profit. Mostly because we can. The forensicators are first in line. They are running the investigations and figuring out how many millions of identities and credit cards have been stolen. The next group feeding at the breach trough are the credit monitoring folks, who get a bulk purchase agreement each time to cover consumers who were compromised this time. The crisis communication PR folks also generate hefty bills. Customers are pissed and the retailer is on the evening news – not for the new store design. The company needs to start driving the message, which means they need PR heavies to start spinning like a top. Ka-ching. Of course security vendors win as well. There is no time to grab security budget like right after a breach. Senior management doesn’t ask why – they ask whether it is enough. Every security salesperson tells tall tales about how their products and services would have stopped the breach. Who cares if the offering wouldn’t have made a difference? Don’t let the truth get in the way of the new BMW payment! It’s a feeding frenzy for a few quarters after the breach. Sell, sell, sell! But it doesn’t end there – lawyers always get their piece of the action by launching a variety of class-action suits against the retailer. We haven’t yet (to my knowledge) seen a successful judgement against a company for crappy security resulting in lost identities, but it’s coming. Although it is usually just easier to settle the class action rather than fight it. The lucky winners in the class action might each get a $5 gift card. The lawyers walk away with 20-30% of the judgement. Yes, that’s a lot of gift cards. Internally the company needs to make sure this kind of thing doesn’t happen again. So they fire the existing CISO and look for another one. Then the security recruiters spring into action. The breached retailer is looking, but many others will either try to fill their own positions, or perhaps decide to make a change before they find themselves in the same unhappy place. Of course the new CISO had better take advantage of the first few quarters during the honeymoon, with a mandate to fix things. Lord knows that doesn’t last long. Soon enough retailers always realize they are still in a low-margin business, and spending on security technology like a drunken sailor hasn’t helped sell more widgets. But that flyer in the Sunday paper offering a 35% discount sure did. Finally, let’s not forget the shareholders. You’d think they’d be losers in this situation, but not so much. Wall Street seems to be numb to breaches by now. The analysts just build the inevitable write-down into the model and move on. If anything it forces companies to button down some leaky operational issues and might even improve performance. Of course the loser is the existing CISO and maybe the CIO, who get thrown under the bus. But don’t feel too bad for them. They will probably write a book and do some consulting while they collect the severance package and the road rash heals. Then they’ll get back in the game by being candid about what they learned and how they will do it differently next time. We have all seen this movie before. And we’ll see it again. And again. And again. Photo credit: “Pigs at trough, 1927” originally uploaded by King County, WA Share:

Share:
Read Post

Incite 9/3/2014: Potential

It starts with a blank slate. Not entirely blank because some stuff has happened over the past few months, which offers hints to where things will go. But you largely ignore that data because you want to believe. Maybe this time will be different. Or maybe it will be the same. All you can see is potential. Yet soon enough the delusions of grandeur will be shown to be exactly that – delusions. No, I’m not talking about self-help or resetting your personal or professional lives. I’m talking about the NFL season. It starts on Thursday night and I’m pumped. I’m always pumped for football. Sure, there were some college games over the weekend, and I enjoyed watching those. But for me nothing compares to the pro game. Will my teams (the Giants and Falcons) recover this year? Will their off-season efforts be enough? Will the other teams, who have been similarly busy, be even better this year? Can I look forward to being excited about the NFL playoffs in January because my teams are in, or will I be paying attention to the bowl games to look for high draft picks for next year? Like I did this past January/February. So many questions, but all I have now is optimism. Why not? I’ve been following the beat reporters covering my teams every day. They tweet and file reports about practices and injuries and dissect meaningless pre-season games. It’s fun for me and certainly better than chasing down malware-laden sites claiming to have celebrity nudie pictures. My teams have holes, but that’s OK. You forget about those in the build-up to the first week. There is plenty of time over the next four months to grind my teeth and wonder why they cut this guy or call that play. No second-guessing yet – there isn’t much to second guess. Until next Tuesday morning anyway. Soon enough we’ll know whether the teams are real. It’s always fun to see which teams will surprise and which will disappoint. Soon the suspense will be over. It’s time. And I’m fired up. I’ll be in the GA Dome on Sunday. You know, that guy losing his voice as the Falcons take on the Saints. Same as it ever was. –Mike Photo credit: “NFL Logo” originally uploaded by Matt McGee The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the conference this year. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back. Securosis Firestarter Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail. August 18 – You Can’t Handle the Gartner July 22 – Hacker Summer Camp July 14 – China and Career Advancement June 30 – G Who Shall Not Be Named June 17 – Apple and Privacy May 19 – Wanted Posters and SleepyCon May 12 – Another 3 for 5: McAfee/OSVDB, XP Not Dead, CEO head rolling May 5 – There Is No SecDevOps April 28 – The Verizon DBIR April 14 – Three for Five Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too. The Security Pro’s Guide to Cloud File Storage and Collaboration Additional Security Features Core Security Features Overview and Baseline Security Introduction Leveraging Threat Intelligence in Incident Response/Management Quick Wins The (New) Incident Response & Management Process Model Threat Intelligence + Data Collect = Responding Better Really Responding Faster Introduction Trends in Data Centric Security Deployment Models Tools Introduction Use Cases Understanding Role-based Access Control Advanced Concepts Introduction NoSQL Security 2.0 Understanding NoSQL Platforms Introduction Newly Published Papers The 2015 Endpoint and Mobile Security Buyer’s Guide Open Source Development and Application Security Analysis Advanced Endpoint and Server Protection Defending Against Network-based DDoS Attacks Reducing Attack Surface with Application Control Leveraging Threat Intelligence in Security Monitoring The Future of Security Security Management 2.5: Replacing Your SIEM Yet? Defending Data on iOS 7 Incite 4 U Foole and Boobage: As alluded above, the Intertubes exploded over the weekend – not with news of things that matter, like global unrest, tentative ceasefires, NASCAR, college football, or even more ice-bucketry. Everyone was aflutter about seeing some celebrity boobies. Everyone now has an opinion about how the hack happened, even your general mass media sites chock full of security expertise. Yes, that was sarcasm folks. As usual, don’t believe everything you read on the Internet – a lot of speculation is wrong. I have no inside information and neither does our resident Apple Fan Boi, the Rich Mogull. Which means those folks probably don’t either, so they are coming up with plausible threat models that could have resulted in an attacker (or group of attackers) gaining access to the Photostreams of these celebrities, who evidently like to take pictures of themselves without shirts on. I’m certainly not judging that, despite the fact that folks get pretty uptight about seeing breasts in the US. I am judging the baseless speculation. At some point we may find out how it happened. Or we may not. At the end of the day, if you take nudie pictures and store them in a cloud service, other people may see them. Not that it’s right, but it’s reality. (PS: Dog yummy to anyone who gets the reference in the title.) – MR Customer centric: Owen Thomas discusses the gaps Apple needs to address before they can enter the payments market, but his arguments assume Apple wants to go all in. If their goal is to provide mobile payments Apple

Share:
Read Post

PR Fiascos for Dummies

If you are the head of communications for a big company and one of your executives goes off-script and says something … ill advised … and puts the foot in the mouth, what can you do? You curse the gods for putting you in that job and you long for the days when someone else was in the hot seat, when you have to go into damage control. What else could the head of Trend Micro’s marketing be thinking when CISO Tom Kellermann basically said Russians are smarter than Americans. Evidently he really said this. I don’t even know where to start and I’ve known Tom for years. He’s not dumb, but that’s a dumb statement. Thereby making a strong argument for his hypothesis: Tom, you see, is an American. The lengths people go to be proven right continue to astound me. Maybe he means that Russian attackers take a more strategic view of their jobs. And that they view hacking as a national area of focus (like the Chinese). But the money shot, where he states Russians are ‘smarter’ is not a conclusion you can legitimately draw. Not without coming off sounding like a jackass. If we are going to dabble in crass generalizations, it seems like Stuxnet was pretty strategic but didn’t come from Russia. So there’s that. But let’s be real and understand that kind of statement is bait for every clickwhore. Graham Cluley jumps on it and basically calls it what it is: an idiotic statement. Though I do take issue with Graham attributing the statement to Trend Micro as a whole, rather than just Kellermann shooting from the hip to hit himself in the head with a shotgun blast. Trend’s research seems to have been focused on Russia’s strategic approach to hacking – not a generic question about the intelligence of the American populace. But I’m sure Graham got lots of clicks for his assessment as well, so the beat goes on… Photo credit: “profile picture” originally uploaded by vtbrak Share:

Share:
Read Post

Respect the Hierarchy

Wendy (again) states things that we should already know in such an easy to understand way, that you smack yourself upside the head and wonder why you didn’t think of it. Her post on the 451 blog about The hierarchy of IT needs makes very very clear why you continue to have problems making the case for security in your organization. I won’t just pirate her image, but go look at it and it will feel like a gut punch. Of course there are exceptions to this hierarchy. Like in the few quarters after a high-profile breach. Then blow up the pyramid and spend all the money you can. It won’t last long. Soon enough senior management will forget the pain and get back to allocating resources based on your business needs. Wendy also offers a secret that can help get funding for those security projects you know you need to do, but can’t get senior management to understand. If you can tie security to one of the lower requirements (lower than compliance, that is), you’ll have a much better chance at getting it incorporated more frequently. And to net it out, more wisdom: This hierarchy of needs also explains why security is an afterthought, and how even in the most mature of environments, it gets abandoned if one of the lower layers is suddenly threatened. It’s why holes get left in firewalls, why the accounts of terminated employees are still running services, and why back doors are left in systems. It’s all about keeping things working. This is our reality. You can certainly resist it and bang your head against the wall repeatedly. But the only thing that will accomplish is to give you a headache. You won’t get any more funding, because the hierarchy of IT needs is alive and well. Photo credit: “Hierarchy of Letter Boxes” originally uploaded by Michael Coghlan Share:

Share:
Read Post

Incite 8/27/2014: It takes a village

The first couple weeks when the kids are back in school can be a little rough. We don’t have the routine down so there is some inevitable confusion and miscommunication. There are just so many details. Who is picking up which kid, from where? We drive that carpool which night? What is the address of the 3rd kid to grab for LAX practice? You know, that kind of thing. And that’s just the logistical stuff the Boss and I need to figure out. Complicating matters is the alternative schedules we have to maintain. One when I’m in town, and the other for when I’m on the road working with clients. Obviously things are a bit easier when I can lend a hand and grab this kid from there and/or take the other kid to the dance studio. We have found it really does take a village to raise kids nowadays. I remember when I was growing up and my Mom worked in a retail pharmacy. Some nights she would have the afternoon shift and then have to close the store. I was a latchkey kid, so once we were old enough to go home and fend for ourselves for a couple hours (probably late in elementary school for me) I would take my brother home and we’d play until Mom got home. Sometimes I’d go to a friend’s house and play a game of pick-up football. Another kid had an Intellivision so we went to his house a lot. I became pretty self-sufficient. My Mom would cook a bunch of meals over the weekend, and I’ll pull one out of the freezer and throw it (whatever it was) into a pan and boom! Dinner. If my clothes were dirty I put them in the wash. She would get home after a long day of work standing in the pharmacy and make sure we got our homework done, and we all had to lend a hand to get everything done. That’s just the way it was for us. Nowadays that wouldn’t work very well. Sure my kids can do laundry and probably even warm up their food (through the magic of the microwave!) But the kids can’t get themselves to dance practice 4 days a week. I guess the Boy could walk down to his tennis practices in the neighborhood, but he can’t walk the 10 miles to LAX practice Monday nights. Actually he could, but probably not in time for 6pm practice. So we work it out with the other parents. We drive some nights and pick up others. With 3 kids and overlapping activity schedules, there isn’t really any other way – especially given my travel schedule. Though we got a little smarter this year. I put the kid’s schedule in my phone, so I know which practices are what days and where. We discuss who is doing what at the beginning of the week, so I know where I’m expected to be, and I put it in my calendar. The goal is to minimize confusion and so far it’s working. And we took another step towards what emancipation looks like for 10-year-olds this year. We got them pre-paid cell phones, so when they are tooling around the neighborhood or at their various practices, and we make the inevitable mistakes, they can just call. It’s very helpful to just dial them up and figure out where they are. My Mom didn’t have that option – she sometimes had to drive around the neighborhood to figure out which back yard I was playing in. Yes, things are more complicated now, but we have much better tools to handle them. But the thing that hasn’t changed? The relationships you build with people who can lend a hand when you need one. And where you lend a hand when they need one. No magic device or web-based service can replace that. –Mike Photo credit: “The Village Store and Tea Shop” originally uploaded by Alison Christine The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the conference this year. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back. Securosis Firestarter Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail. August 18 – You Can’t Handle the Gartner July 22 – Hacker Summer Camp July 14 – China and Career Advancement June 30 – G Who Shall Not Be Named June 17 – Apple and Privacy May 19 – Wanted Posters and SleepyCon May 12 – Another 3 for 5: McAfee/OSVDB, XP Not Dead, CEO head rolling May 5 – There Is No SecDevOps April 28 – The Verizon DBIR April 14 – Three for Five Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too. The Security Pro’s Guide to Cloud File Storage and Collaboration Additional Security Features Core Security Features Overview and Baseline Security Introduction Leveraging Threat Intelligence in Incident Response/Management Quick Wins The (New) Incident Response & Management Process Model Threat Intelligence + Data Collect = Responding Better Really Responding Faster Introduction Trends in Data Centric Security Deployment Models Tools Introduction Use Cases Understanding Role-based Access Control Advanced Concepts Introduction NoSQL Security 2.0 Understanding NoSQL Platforms Introduction Newly Published Papers The 2015 Endpoint and Mobile Security Buyer’s Guide Open Source Development and Application Security Analysis Advanced Endpoint and Server Protection Defending Against Network-based DDoS Attacks Reducing Attack Surface with Application Control Leveraging Threat Intelligence in Security Monitoring The Future of Security Security Management

Share:
Read Post

Shipping Decent Breach Notification

Many folks have strong opinions about the right way to perform breach notification. More to the point, many folks think they know what not to do. But that’s okay – the great thing about opinions is that everyone gets their own. Recently the UPS Store, a franchised chain of shipping stores, reported a breach. In the incident information they detailed about how many of their stores were impacted. They listed dates when they determined the store systems were breached, and dates the systems were cleaned up. They also provide a fairly comprehensive FAQ about what happened and what affected consumers should do. Additionally they are providing credit monitoring services for the impacted. As a security guy, it would be great to have learned more about the specific malware and other technical details of the incident and the cleanup. But that level of detail would be lost on most folks impacted by this breach. The notification and FAQ told consumers what they need to know and to do. Complicating matters is the fact that the franchises are independently owned, and UPS doesn’t control their networks. So the fact that they clearly investigated all 4,470 stores is impressive as well. Kudos to UPS and the UPS Store folks. Among all the breach notification fiascos we see, it is good to see one done well. Photo credit: “UPS Store” originally uploaded by Mike Mozart Share:

Share:
Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.