Research

Back when we started the Friday Summary the world of blogs and social media was much different. RSS feeds were the primary means by which most of us sucked down our news, and we tended to communicate through cross-blog links and comments. Our goal with the Summary was to provide a good way to highlight what we have been to up every week, while also sharing some nice link love with our friends and strangers (all in an email-friendly format). We also wanted to highlight good comments and use that as an excuse to donate some cash back to the non-profit side of the community. Since then a lot has changed. People blog a lot less, and there are far fewer discussions across blogs commenting on each other’s posts. Much of this has gone over to Twitter – which is sometimes good and sometimes bad. We also brought Mike on board and restarted the Security Incite which covers at least 6 stories a week. So I think it’s time to shake up the Summary a bit and switch its format. Moving forward (as in, not this week) we will highlight the 1-3 top stories we think you need to pay attention to, why, and point out any angles we think folks are missing. After that we will continue to list what we have been up to, but you don’t need us to provide you with a random list of articles on the Internet. Some weeks we might not highlight a comment of the week, but we will still donate on a weekly basis to different charities related to the security world. We may also pick out a particularly good Nexus question instead. We hope you like the new format, and all feedback is appreciated. The Story of the Week: Carrier IQ The big story this week seems to be the saga of Carrier IQ – logging software installed on many phones, mostly by carriers, that enables them to log pretty much everything you do on your device. Yes, even your banking passwords. This became public thanks to the hard work of Trevor Eckhart and was quickly picked up by big media like Wired’s Threat Level. The story quickly hit the (mostly uninformed) spin machine. The short version is that Carrier IQ is software with the potential to log pretty much everything you do on your phone, and some but not all carriers install it on your phone without telling you or giving you a way to turn it off. From a privacy standpoint this is, of course, a crappy thing to do. But all the hype does highlight some hypocrisy: Your phone carriers already log all your calls, text messages, and web URLs you visit. Google and all the ad tracking networks work hard to log everything you do on the Internet. As I made fun of this on Twitter, I got some very thoughtful responses that highlighted the big differences between this and other privacy-invading stuff: @adamshostack: I generally agree, but CarrierIQ was surreptitious. I’m deeply privacy aware, didn’t know they were on my phone till this morning @davienthemoose: google logs my keystrokes on my banking site? 😮 While I still consider most web tracking surreptitious, at least there’s something you can do about it. With your phone you are locked in unless you change devices and/or carriers, and even then you might still have it installed. And there is definitely a difference between a keystroke logger and a URL tracker. So I stand corrected. Thanks to Twitter. Webcasts, Podcasts, Outside Writing, and Conferences Adrian quoted on Oracle database patching. Liquidmatrix Cyber Expert Interviewed (on TV). See one of our favorite Canadians, our own contributor Dave Lewis, on TV to discuss the Anonymous threats against the Toronto Government. Securosis Posts Incite 11/30/2011: An Introverted Thanks. Changing Focus through the Holidays. Fundamentals of Crowd Management. Occupy Work. Mobile Payments without Credit Cards. Index of Posts: Security Management 2.0. Incite 11/16/11: Blockage. FireStarter: Looking the other way. Favorite Outside Posts Mike Rothman: Are you positive? Jack Daniel discusses the Achilles’ heel of any detection technique: the false positive. Read it. Adrian Lane: DDoS Attacks Spell ‘Gameover’ for Banks, Victims in Cyber Heists. Hacks, fraud, money mules, and DDoS – this story has it all. Gunnar: Best statistics question ever. See if you can find the right answer. Research Reports and Presentations Security Management 2.0: Time to Replace Your SIEM? Fact-Based Network Security: Metrics and the Pursuit of Prioritization. Tokenization vs. Encryption: Options for Compliance. This week we will be making a donation to Brad “theNurse” Smith. Share:

Hey everyone, As you may have noticed, we are pretty focused on this Securosis Nexus thing we have been working on for a while. The system is coming along great, but it’s time for us to start hammering on its content. So through the end of this year we will be blogging on a reduced schedule. We will still hit you with the weekly Incite and Friday Summary plus our research projects, but day-to-day blogging will subside a bit (as it already has) so we can focus on writing for the Nexus. Unless, of course, something really tweaks us off and we need a good rant. Share:

I have joked over the years that I’m more qualified to run security at a stadium concert than an IT shop, and it’s somewhat true. My security career started way back at the young age of 18 when I started working on the event staff at CU Boulder, and for Contemporary Services Corporation (CSC), who managed most of the Denver venues. By 21 I was running security at CU and supervising for CSC – managing or supervising sports, music, and other events ranging from under 100 people to over 100,000. Sometimes I was in charge, sometimes I just managed one area, and I was often a rover/troubleshooter. I did this multiple times a week for about 4-5 years (including working summers at Red Rocks), then dropped down to occasional contract work for bigger events after that. Including some with extreme logistical complexity, high risk profiles, or other complicating factors. (Like the time my employees called to ask why the bomb squad was walking around and Secret Service snipers were in the rafters). I was also fortunate the the people I worked with were true professionals. Crowd management is an industry filled with low-bid/minimum-wage contract firms with very poor work ethics and management. CSC are the guys who run the Super Bowl and most other ‘massive’ events, and I learned a hell of a lot from them and running my own teams. I have been watching a lot of the coverage of the Occupy movement and the police response and see a series of common, preventable mistakes being made over and over. Rather than specifically criticizing YouTube clips without context, here are some of the fundamental principles I learned over the years with comments on mistakes I see. Deescalate. Always. – The single most important fundamental is that crowd management is all about deescalation. You’ll never outnumber the crowd… and the more tension rises, the greater the chance of physical conflict or transitioning to a riot. There are always more of them than of you. Peer security is more effective than policing – Peer security the principle of staffing the event with demographic peers of the attendees. Police are law enforcement officers, and so they naturally and unavoidably escalate any situation they are at, by the role they play in society and the weapons they carry. Unarmed peers of the crowd have much greater flexibility in response – they are not required to arrest or enforce all laws, they are not perceived as the same kind of threat, they do not carry weapons, and they do not have arrest authority. Weapons are not your friend in a crowd – Crowds are messy, fluid affairs that make it impossible to maintain a safe stand-off distance. I have never met an intelligent police officer who went into a crowd without more than a little fear that someone would try to grab their OC spray, handgun, or other tools. Where I worked, peer security would go into crowds and pull people out for the police – who would almost never enter the crowd itself. Know your crowd – You can fully predict the behavior of a crowd if you know the demographic and environmental conditions. I know how everything from the weather, to ages, to kinds of music affect a crowd… and it isn’t what you’d think. For example, serious injuries (and deaths) were far more common at Grateful Dead and Blues Travelers shows than metal bands with mosh pits. Slow and steady wins the race – When dealing with an uncooperative but nonviolent crowd, you have to eat at it bit by bit. From dispersing a crowd to ejecting a big group, you have to handle it piece by piece and person by person – even when force is used. That goes for removing tents (yes, I have had to do that at ‘campout’ events) and clearing the aisles at a Dead show so people could move around. The more authority you have, the less you should look like security – This was one of my favorite tricks – when I ran events I rarely wore an event staff shirt. As the last person able to deescalate most conflicts before turning someone over to the police, the more I looked like a normal person or non-security staff the better. If they think you’re with the band/team, even better. Defense in depth – Crowd management is like IT security – you need multiple people with different specialties, properly trained and positioned. For example, I hated going into a mosh pit without a spotter. At a large stadium show I might have 500 people working for me. We’d have rovers, ticket takers, people inside and outside, folks dedicated to ejections, supplementing medical (to help them through the crowd), and more. When you need to use force, don’t hesitate, but don’t hit – I have no problem using force when it is needed (and we frequently had to, especially to break up fights). In a crowd your goal is to get the person out of the crowd as fast as possible. You never punch or kick… that is excessive use of force (the exception is when you are in serious danger yourself). Your goal is to solve the problem without anyone getting hurt. Deescalation, remember? Spontaneous crowds aren’t riots – I sometimes dealt with spontaneous crowds appearing where we didn’t expect them, which weren’t tied to a normal event. Usually these were campouts, but I was also called into a few protests and such when the police wanted trusted people in the crowd but not uniformed officers. All normal crowd dynamics still apply. Riots are for the police – Crowds need peer security. Riots need cops and all the OC spray you can get your hands on. A riot is an uncontrolled situation where mob behavior takes over and there is serious damage to life/safety and property. I was at a Guns ‘n’ Roses show we thought might turn into a riot when that ass-hat Axl

I wouldn’t say I’m a control freak, but I am definitely “control aligned”. If something is important to me I like to know what’s going on under the hood. I also hate to depend on someone else for something I’m capable of. So I have no problem trusting my accountant to keep me out of tax jail, or hiring a painter for the house, but there is a long list of things I tend to overanalyze and have trouble letting go of. Pretty damn high up that list is the Securosis Nexus. I have been programming as a hobby since third grade, and for a while there in the early days of web applications it was my full time profession. I don’t know C worth a darn, but I was pretty spiffy with database design and my (now antiquated) toolset for building web apps. I still code when I can, but it’s more like home repair than being a general contractor. When Mike, Adrian, and I came up with the idea for the Nexus I did all the design work. From the UI sketches we sent to the visual designers to the features and logic flow. Not that I did it all alone, but I took point, and I’m the one who interfaces with our contractors. Which is where I’m learning how to let go. The hard way. I have managed (small) programming teams before but this is my first time on the hiring side of the contractor relationship. It’s also the first time I haven’t written any significant amount of code for something I’m pretty much betting my future on (and the future of my partners and our families). Our current contractor team is great. Among other things they suggested an entirely new architecture for the backend that is far better than my initial plans and our PoC code. I wish they would QA a little better (hi guys!), and we don’t always see things the same way, but I’m damn happy with the product. But it’s extremely hard for me to rely on them. For example, today I wanted to change how a certain part of the system functioned (how we handle internal links). I know what needs to be done, and even know generally what needs to happen within the code, but I realized I would probably just screw it up. And it would take me a few hours (to screw up), while they can sort it all out in a fraction of the time. I don’t know why this bothers me. Maybe it’s knowing that I’ll see a line item on an invoice down the road. But it’s probably some deep-seated need to feel I’m in control and not dependant on someone else for something so important. But I am. And I need to get used to it. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Me (Rich) in a DLP video I for Trend Micro. I really liked the video crew on this one and the quality shows. I may need to get myself a Canon DSLR for our future Securosis videos instead of our current HD camcorder. I also wrote up how to recover lost iCloud data based on my own serious FAIL this week. Favorite Securosis Posts Mike Rothman: Virtual USB? Not.. Adrian has it right here. Even though it’s more secure to carry (yet another) device, users won’t do it. They want everything on their smartphone, and they will get it. It’s just a matter of when, and at what cost (in terms of security or data loss). Adrian Lane: How Regular Folks See Online Safety. Lately news items are right out of Theater of the Absurd: Security Tragicomedy. Rich: Tokenization Guidance: Audit Advice. Adrian is really building the most definitive guide out there. Other Securosis Posts Incite 11/2/2011: Be Yourself. Conspiracy Theories, Tin Foil Hats, and Security Research. Applied Network Security Analysis: The Advanced Security Use Case. Applied Network Security Analysis: The Forensics Use Case. Favorite Outside Posts Mike Rothman: 3 Free Tools to Fake DNS Responses for Malware Analysis. This is a good tip for testing, but also critical for understanding the tactics adversaries will use against you. Adrian Lane: The Chicago Way. Our own Dave Lewis does the best job in the blogsphere at explaining what the heck is going on with the Anonymous / Los Zetas gang confrontation. James Arlen: Harvard Stupid. Two posts in one – interesting financial story tailed by an excellent example of how security should be implemented from a big picture view. If you run IT security for your company, read this! Rich: Kevin Beaver on why users violate policies. I don’t agree with the lazy comment though – it’s not being lazy if your goal is to get your job done and you deal with something in the way. Research Reports and Presentations Fact-Based Network Security: Metrics and the Pursuit of Prioritization. Tokenization vs. Encryption: Options for Compliance. Security Benchmarking: Going Beyond Metrics. Understanding and Selecting a File Activity Monitoring Solution. Database Activity Monitoring: Software vs. Appliance. React Faster and Better: New Approaches for Advanced Incident Response. Measuring and Optimizing Database Security Operations (DBQuant). Network Security in the Age of Any Computing. Top News and Posts UK Cops Using Fake Mobile Phone Tower to Intercept Calls, Shut Off Phones. Malaysian CA Digicert Revokes Certs With Weak Keys, Mozilla Moves to Revoke Trust. Four CAs Have Been Compromised Since June. Hackers attacked U.S. government satellites. How Visa Protects Your Data. Exposing the Market for Stolen Credit Cards Data. ‘Nitro’ Cyberespionage Attack Targets Chemical, Defense Firms. Blog Comment of the Week This week we are redirecting our donation to support Brad “theNurse” Smith. This week’s best comment goes to Zac, in response to Conspiracy Theories, Tin Foil Hats, and Security Research. I personally think that the problem with the media hype is that it seems to distract more than inform. The overall result being that you end up with “experts” arguing over inconsequential

I remember very clearly the day I vowed to stop watching local news. I was sitting at home cooking dinner or something, when a teaser report of a toddler who died after being left in a car in the heat aired during that “what we’re covering tonight” opening to the show. It wasn’t enough to report the tragedy – the reporter (a designation she surely didn’t deserve) seemed compelled to illustrate the story by locking a big thermometer in the car, to be pulled out during the actual segment. Frankly, I wanted to vomit. I have responded to more than a few calls involving injured or dead children, and I was disgusted by the sensationalism and desperate bid for ratings. With rare exceptions, I haven’t watched local news since then; I can barely handle cable news (CNN being the worst – I like to say Fox is right, MSNBC left, and CNN stupid). But this is how a large percentage of the population learns what’s going on outside their homes and work, so ‘news’ shows frame their views. Local news may be crap, but it’s also a reflection of the fears of society. Strangers stealing children, drug assassins lurking around every corner, and the occasional cancer-causing glass of water. So I wasn’t surprised to get this email from a family member (who found it amusing): Maybe you have seen this, but thought I would send it on anyway. SCARY.. This is a MUST SEE/ READ. If you have children or grandchildren you NEED to watch this. I had no idea this could happen from taking pictures on the blackberry or cell phone. It’s scary. http://www.youtube.com/watch?v=N2vARzvWxwY Crack open a cold beer and enjoy the show… it’s an amusing report on how frightening geotagged photos posted online are. I am not dismissing the issue. If you are, for example, being stalked or dealing with an abusive spouse, spewing your location all over the Internet might not be so smart. But come on people, it just ain’t hard to figure out where someone lives. And if you’re a stalking victim, you need better sources for guidance on protecting yourself than stumbling on a TV special report or the latest chain mail. But there are two reasons I decided to write this up (aside from the lulz). First, it’s an excellent example of framing. Despite the fact that there is probably not a single case of a stranger kidnapping due to geotagging, that was the focus of this report. Protecting your children is a deep-seated instinct, which is why so much marketing (including local news, which is nothing but marketing by dumb people) leverages it. Crime against children has never been less common, but plenty of parents won’t let their kids walk to school “because the world is different” than when they grew up. Guess what: we are all subject to the exact same phenomenon in IT security. Email is probably one of the least important data loss channels, but it’s the first place people install DLP. Not a single case of fraud has ever been correlated with a lost or stolen backup tape, but many organizations spend multiples more on those tapes than on protecting web applications. Second, when we are dealing with non-security people, we need to remember that they always prioritize security based on their own needs and frame of reference. Policies and boring education about them never make someone care about what you care about as a security pro. This is why most awareness training fails. To us this report is a joke. To the chain of people who passed it on, it’s the kind of thing that freaks them out. They aren’t stupid (unless they watch Nancy Grace) – they just have a different frame of reference. Share:

Yesterday I was in Vegas to participate in a panel at IBM’s Information on Demand Conference. To my amusement and frustration, I was already in Vegas that weekend, drove 4.5 hours home to Phoenix on Sunday, then flew back Monday evening (4 hours door to door). The panel was on database security in the cloud, and at one point I came up with an example to show how this sh*t is seriously different than how we do security today. The example below would be nearly impossible in a non-cloud environment. It’s fictional, but there are no technical obstacles to implementing it right now. There is, however, one limitation I will mention at the end. Imagine a world where you have a robust internal cloud to support business units in a large enterprise. This is in contrast to current environments where, if a business unit wants an application or database resource: they submit a request, things are approved (maybe), then physical or virtual assets are acquired, configured, and assigned. You are one of those forward-thinking orgs which stood up your private cloud with a self-service portal where approved managers can dynamically provision a pre-established set of resources. No, this probably isn’t how most of you use the cloud today, but it will be. Now imagine that some of these resource stacks include databases. You are, obviously, concerned with the security and compliance of these databases. This is the sort of thing that used to constantly bite you in the ass, as teams ranging from developers to sub-departments installed their own stuff, loaded sensitive data, and then failed to secure it. But you now sleep soundly at night because… When the user requests the application stack, all operating systems and software are automatically patched to current levels using mandatory installation scripts. The installation scripts also configure the resources to a secure-by-default state, doing things like inserting user credentials, locking down ports, setting appropriate file permissions, configuring application defaults, and so on. You can even automate service account management and cross-link them between application components (heck, we do this in the CCSK Plus training class). All application components instantiate themselves in different, locked-down network security groups. Only required internal ports are open. This can be much more granular and restrictive than current application stacks which require physical hardware to protect. When the database spins up it registers itself with your Database Activity Monitoring (DAM) and assessment tools via their APIs. The DAM tool performs an initial database vulnerability assessment and registers the database for future scans. (Other stack components do similar things, but we’re focusing on the database for this example). Thanks to those cloud APIs, it knows where to look for the database and who created it, and the necessary firewall ports are opened. After the initial DAM scan is complete and passed, the DAM tool makes an API call to the cloud’s network controller to open up any additional ports needed for internal access. Depending on the script, this may be restricted to subnets, individual IPs, and so on. Similar processes are followed for the application and web server components and their various security tools (vulnerability assessment, asset registration, configuration management, etc.). Assuming everything is hunky dory, any last required ports to access the application can be opened up. The user won’t pick this – it will be handled automatically via API and policy scripts. The DAM tool will have installed its monitoring agent at initial launch. The agent connects back to the DAM server and activity is now monitored (including administrative SQL queries). On a specified schedule, the database is scanned for ongoing configuration compliance and vulnerabilities. It is also scanned for sensitive data, using the content discovery feature of your DAM tool and policies tied to the type of application stack deployed and the business unit assigned. If it isn’t supposed to have credit card numbers, but they start appearing, security gets an alert. Think about this for a moment – today people try to spin stuff up all over the place and it’s nearly impossible to find, never mind configure securely. In the example above we completely automate the configuration and security of the application stack (including the database) on a dynamic basis using APIs and policy scripts. The database spins up with secure settings in a secure network; it is centrally registered, actively monitored, and scanned for both problems and sensitive (read ‘regulated’) data on an ongoing basis. Today’s limitation is that very few security tools, by default, support the automation I described above. But things like initialization scripts and dynamic network management via APIs are fundamental to all cloud platforms. Cool, eh? And heck, I’m probably missing a bunch of things Share:

My wife and I are pretty big Jimmy Buffett fans. I first got hooked way back in high school, working as a lifeguard. The summer of my freshman year in college I went with a group of friends down to the Orange Bowl, and we snuck off for a day trip to Key West and a short visit to the very first Margaritaville. I really got hooked when I was deep into paramedic school. In our program you worked or attended classes 80+ hours a week – bouncing around between a bunch of hospitals, fire stations, and ambulance bays throughout the entire Denver Metro area. In the middle of winter I survived all those hours on the road thanks only to a Buffett tape serenading me with sweet visions of beaches and beer. Later, it didn’t hurt that I met my wife at a Buffett show. While he tours consistently year after year, he only hits Phoenix every 2-3 years now. So when we didn’t see our home town on the schedule, a bunch of us decided to get tickets to the Vegas show. Then he added the Denver show. I lived in Boulder for 16 years and still have a big chunk of friends there who convinced me to pop over for the show – especially since I hadn’t seen some of them in 2 years, and Buffett hadn’t played Denver in 8. Then he added the Phoenix show. And that, my friends, is how I managed to sign up for three Jimmy Buffett shows, in three different cities, in three different states in one week. One of which is tonight, and I have to go assemble our new portable grill. So… On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Quiet week. Guess even media whores need some time off. Favorite Securosis Posts Adrian Lane: Tokenization Guidance: Merchant Advice. Rich: Applied Network Security Analysis. Because Mike writes much better section headings than I do. Other Securosis Posts Incite 10/19/2011: The Inquisition. Database Security Market Sizing and Guesstimation. Favorite Outside Posts Adrian Lane: Secret iOS business; what you don’t know about your apps. There are scarier threats to all mobile platforms than what’s mentioned here, but the post does a great job of underscoring that security is only as good as the app developer. And if they want to spy on you… they will. Mike Rothman: The forever recession (and the coming revolution). Seth Godin is the philosopher king of the Internet age. This is a great post about how every recession gives way to unbounded growth. If you can figure out how to deal with the next thing. Read this. Read his stuff. Adapt. Pepper: Georgia Tech Turns iPhone into spiPhone. Fortunately not suitable for even half-decent passwords, but a very clever hack to eavesdrop via an accelerometer. Should work on Android phones too – for now. Rich: Michael Winslow gets the Led out. I know this has nothing to do with security. And I know it’s been all over Twitter. But it’s still the awesomest thing I’ve seen in a while. Research Reports and Presentations Fact-Based Network Security: Metrics and the Pursuit of Prioritization. Tokenization vs. Encryption: Options for Compliance. Security Benchmarking: Going Beyond Metrics. Understanding and Selecting a File Activity Monitoring Solution. Database Activity Monitoring: Software vs. Appliance. React Faster and Better: New Approaches for Advanced Incident Response. Measuring and Optimizing Database Security Operations (DBQuant). Network Security in the Age of Any Computing. Top News and Posts Venafi’s take on Duqu. W32.Duqu: The Precursor to the Next Stuxnet. Supposedly from the Stuxnet authors. New Jersey Transit Embraces Google Wallet. And so it begins. Oracle publishes major patch release. Many database and Java patches. Cloud Security in Datacenter Terms. Google embraces HTTPS. Social Security kept silent about private data breach. We missed this last week. APT – The Plain Hard Truth. RSA blames breach on two hacker clans working for China. I didn’t get to see the talk, and so am still slightly skeptical, but expect more info to come out at RSA this year. Blog Comment of the Week Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. This week’s best comment goes to Patrick, in response to Database Security Market Sizing and Guesstimation. This post raises an interesting issue for me – And that is, what is the purpose of measurement and estimation? Of anything, really – a market, an effect, a potential risk or loss magnitude? In my mind, it’s a matter of accuracy vs precision, bounded by the contextual requirements of how much reduction in uncertainty is required by the subject/decision at hand. Single point estimates, like the one referenced above – are usually not as informative as we might wish. A range, or even an estimated probability distribution, is much more useful, and not that hard to do quickly. How big is the database security market? I don’t know – but that doesn’t mean I couldn’t come up with something useful if I needed to make a decision. The key here is useful, not precise – just about measurement carries some uncertainty. Share:

We’ve been getting some questions about the beta test, so I decided to put an FAQ together which we will also post within the system. If you have any other questions, please feel free to ask: General What is the Securosis Nexus? The Securosis Nexus is an online environment to help you get your job done better and faster. It provides pragmatic research on security topics that tells you exactly what you need to know, backed with industry-leading expert advice to answer your questions. The Nexus was designed to be fast and easy to use, and to get you the information you need as quickly as possible. Who is it for? The Nexus is for anyone with security responsibilities at their organization. We know that most of the people who work on security don’t have ‘Security’ in their titles, but need to protect their business every bit as much as the Chief Information Security Officer of a Fortune 500 company. The Nexus provides pragmatic research and advice for everyone, even if security is only one of the many hats you wear. What’s “pragmatic research”? Pragmatic research is information you can use. The Nexus doesn’t waste your time on theory and background information (although it is available for the curious). The content tells you exactly what you need to get your job done, and makes it very easy to find. Does that mean it tells me how to configure my products? No. The Nexus provides everything except product-specific information. What’s “expert advice”? Through our Ask an Analyst feature you can submit questions directly to our analysts, each with decades of security experience. We know sometimes reading research isn’t enough and you need direct advice from an experienced professional to get a clear answer on your specific issue. What makes this any different from a wiki, Gartner, or something like LinkedIn? The research is specific to security, and the Nexus presents data in several different ways, making it as quick and easy to locate information as possible. Unlike a wiki, all the content is written by professional research analysts, edited by folks who know how to write and topics are covered completely – not a hodge-podge of whatever people want to contribute. It’s far more structured and pragmatic than big analyst firms like Gartner. And unlike LinkedIn and social media sites, you are guaranteed answers to your questions. The Nexus is not just academic reference data – it is written by people who have built and deployed security products for a living. What else is included? Research and specific answers to your questions is core, but the Nexus includes much more. It offers videos, checklists, podcasts, templates, and other tools to help you get your job done. All the research can be rated and commented on, which helps ensure the content is useful and up to date as well as helping us to improve the content over time based on your feedback. The system tracks your history so you never forget what you read, and enables you to build a custom library of your favorite content. Good questions are anonymized and tied back to the content, to help others with the same problems. And we are just getting going, there will be even more capabilities in the coming months. What are the platform requirements? The Nexus should work with all current browsers, as well as Internet Explorer version 7 and later. Although we don’t have an iOS app yet, we have optimized the site to work well on the iPad. Beta Testing When does the beta start? If you are reading this, it has started. Why can’t I log in yet? We are running the beta in phases and will be adding people on an ongoing basis. We are very conservative, and really want to ensure the system is ready before we let too many people in. We will email you when your name comes up, and we plan to eventually include everyone who signs up for the beta. What can I expect in the beta? This is a real beta test – while the entire system is functional, there will be some bugs. We have set up forum for feedback and will directly answer system questions (but not research questions) there. During the beta, we will be adding research on a daily basis. The beta is opening with the first layer of PCI information, but we have a ton more to add before we open the system to the public (and ask people to pay for it). We will post announcements on the portal page as we add material throughout the beta. Right now, the weakest area is multimedia and tools/templates – such as checklists and PowerPoint samples. We will be adding these along with the rest of the content throughout the beta period. Ask an Analyst is completely open for business, so please do your best to stump us. Is the beta free? Yes. In exchange for your help testing, we provide access to all the content as we build it, plus the Ask an Analyst tool for questions. Will I get a free membership after the beta? No. The Nexus will be competitively priced (think hundreds, not thousands), but beta testers will need to subscribe after we open it up to the public. But until then you get all the free research and advice you can eat. Where should I leave feedback? Please use the beta forum linked on the portal page. That provides direct access to our developers and doesn’t clutter up the comments or the rest of the live system. After the beta, will you delete my account? No – you won’t have access, but your account will stay there if you want to come back. You should also review our privacy policy. Privacy Policy The Securosis Nexus does not sell your information to anyone, ever. We do retain the right to sell or distribute bulk statistics (e.g., what content is most viewed, what topics create the

Yesterday afternoon I decided to head out for my first run since my August health scare (which turned out to be pretty much nothing). I grabbed my iPhone, and as I was putting it into my armband case a news alert popped up. Steve Jobs is dead I stopped. The world paused for a moment. Standing in front of my desk, I turned and opened up a web browser to read the press release from the Apple board. It was true, and it wasn’t a surprise. Like nearly all of you reading this, I never met Steve Jobs. Unlike most of you I was fortunate enough to get to attend his last Macworld keynote and experience the reality distortion field myself. I walked in carrying a BlackBerry. I went home with an iPhone. Call the RDF what you will, but I never regretted that decision. I have spoken with other Apple executives, but never the man himself. My love of technology started with Apple and, to a lesser degree, Commodore. That’s when I started hacking; and by hacking I mean exploring. But I never owned an Apple. I didn’t buy my first Mac until 2005; a victim of the halo effect from the beauty of my first iPod (a third gen model). Today there are 6 or so Macs in my house, a couple iPads, a few iPhones, and various other products. Including, still, that third generation iPod I can’t seem to let go. It doesn’t matter if you love or hate Apple – everything we do in technology today is influenced by the work of the teams Steve led. Every computer, every modern phone, and every music player is influenced more by Apple designs than by any other single source. Even the CG animated cartoons my daughter loves so much. I used to criticize Apple. Too expensive. Too constraining. But over the course of several years I have found my own beliefs aligning with the “rules” Jobs defined. People won’t know what they want until you show them. Don’t let customers derail your vision, but be ready to move when they’re right. Design and usability are every bit as important as features – if either fails, the product fails. Remove as much as possible. Imagine if we had a security leader as visionary as Jobs. We have many who might think they are, but no one comes close. Can you imagine Steve in a UI design meeting for nearly any security product on the market? His death hit me harder than I expected. Because not only do we not have a Steve Jobs in security, we no longer have one at all. The entire technology world just lost the one person climbing the hills in front of us, breaking the trail, and turning back to wave and shout “follow me”. Now we’re on our own. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Adrian & Mel Shakir on SIEM Replacement. Rich is giving a webcast on cloud security next week. This is with Dome9, but all the content coming from me is objective and influence-free. Favorite Securosis Posts Adrian Lane: The iPad-Enterprise-Data Security Spectrum. Face it, the iPad is so compelling that it is forcing its way into the enterprise – Rich offers good tips for facing the inevitable. David Mortman: Force Attacker Perfection. Mike Rothman: Force Attacker Perfection – Rich is right. We can’t stop them, but we should make them work for it. Rich: Need a CISO cert? Got $200? Get one while they’re hot…. Other Securosis Posts When to Use Amazon S3 Server Side Encryption. Incite 10/5/2011: Time waits for no one. Nitro & Q1: SIEM/Log Management vendors dropping right and left. Introducing the Securosis Nexus. Incite 9/28/2011: Renewal. Comment on the Next Version of the Cloud Security Alliance Guidance. Favorite Outside Posts Mike Rothman: Text of Steve Job’s Commencement Address (2005). Passed on, but Steve Jobs’ teachings will stick with me forever. I look at this speech every couple of months. Puts everything (life, job, happiness, purpose, etc.) into context for me. Everything. David Mortman: Application-Layer DDoS Attacks Are Growing: Three to Watch Out For. Adrian Lane: The Web won’t be safe, let alone secure, unless we break it. Topics Jeremiah has covered before, but a very nice overview of the situation. Browsers, like many other platforms, have idiotic ‘features’ that make security impossible, and it’s time to throw some of the garbage out. Rich: The Vendor Beating. I’ve been in similar meetings as an analyst. Nothing beats the blame game. Dave Lewis: Some SCADA Problems Too Big to Call Bugs. Yeah… That will fix it. Top News and Posts Amex XSS Vuln But it’s the twitter dialog that’s worth reading. This is just so typical for a McBank response to any inquiry – they can only follow the script. Awesome. Tool to crack SSL. Hacker nabbed after topping up three EasyCards. Using ICMP Reverse Shell to Remotely Control a Host. Privacy and security implications of Amazon’s new “Silk” browser. Microsoft Pushes Emergency Update After Security Products Call Chrome “Banking Trojan” Cisco patches the other iOS. Blog Comment of the Week Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. This week’s best comment goes to Bill, in response to Nitro & Q1: SIEM/Log Management vendors dropping right and left. Excellent analysis. Until recently, SIEM vendors were a kind of “Switzerland” with respect to third party event sources, i.e, treating them all the same for the most part. I think customers will become concerned if the big three manufacturers start favoring their own complementary security products. What do you think? Share:

As I mentioned in the Incite yesterday, Symantec announced DLP support for the iPad. I have been meaning to talk about this for a while, as various products have been popping onto the market, and now seems like the time. Note: I’m focusing on the iPad because that’s what most people are interested in, but much of what I’m going to talk about also applies to the iPhone. The iPad is an extremely secure device; odds are it is much more secure than any laptop or desktop you let your users on. The main reason is that it is locked down so tightly with a combination of hardware and software controls. This is also a challenge for security, because you can’t run any background tasks. For the record, I really like this approach – it eliminates the need for things like antivirus in the first place. For data security, that means we are limited in what we can do. No DLP running in the background, for example. To fill this gap, a spectrum of approaches and tools have hit the market. I like to list them as a spectrum from least control to most. Most control doesn’t mean it’s better – which of these to use depends heavily on the needs of both your organization and your users. As a baseline I assume you allow access to corporate assets in some way using the device. I’m skipping the “do nothing” and “don’t let them in at all” options: Here we go: ActiveSync and device profiles. You allow users access to corporate email, but enforce a basic device profile to require a passcode/password and enable remote wiping if the device is lost. This enables basic encryption of the entire device (easier to crack), with data protection for email attachments. Server-side DLP. You create DLP policies that restrict the email/files going to an otherwise approved device. Websense offers this – not sure who else. Walled-garden applications. These are apps like Good for Enterprise, the new Zenprise SharePoint client for iPad, Watchdox, and GroupLogic mobilEcho. All access to documents is purely through the approved app, and the app can restrict opening or usage of that document elsewhere on the device. Remember, if you don’t totally wall the content off, any standard document format can be opened in another app – thus losing any security controls. These usually offer viewing but not editing, because that would require building in a complete editor. There is a very broad range of variation between these apps. Fully-managed device with always-on VPN. You use mobile device management (MDM) to enforce an always-on VPN connection and block unmanaged network traffic. Then you use DLP on your network to manage traffic and content. This is how Symantec works. They use an app on the device to enforce the VPN, and made changes on the DLP gateway to improve the user experience with the device. For example, the iPad doesn’t handle failed email connections well (it tends to stall), so they had to play games to block protected content from going to Gmail without ruining the device experience. Each of these models has its own advantages, and there are different levels of control within each tier. But these should give you a good idea of the options. Someday I might write a paper with more detail, but hopefully this is enough for now. Share: