Research

In our Introduction to Implementing and Managing a DLP Solution we started describing the DLP implementation process. Now it’s time to put the pedal to the metal and start cranking through it in detail. No matter which path you choose (Quick Wins or Full Deployment), we break out the implementation process into four major steps: Prepare: Determine which process you will use, set up your incident handling procedures, prepare your directory servers, define priorities, and perform some testing. Integrate: Next you will determine your deployment architecture and integrate with your existing infrastructure. We cover most integration options – even if you only plan on a limited deployment (and no, you don’t have to do everything all at once). Configure and Deploy: Once the pieces are integrated you can configure initial settings and start your deployment. Manage: At this point you are up and running. Managing is all about handling incidents, deploying new policies, tuning and removing old ones, and system maintenance. As we write this series we will go into depth on each step, while keeping our focus on what you really need to know to get the job done. Implementing and managing DLP doesn’t need to be intimidating. Yes, the tools are powerful and seem complex, but once you know what you’re doing you’ll find it isn’t hard to get value without killing yourself with too much complexity. Preparing One of the most important keys to a successful DLP deployment is preparing properly. We know that sounds a bit asinine because you can say the same thing about… well, anything, but with DLP we see a few common pitfalls in the preparation stage. Some of these steps are non-intuitive – especially for technical teams who haven’t used DLP before and are more focused on managing the integration. Focusing on the following steps, before you pull the software or appliance out of the box, will significantly improve your experience. Define your incident handling process Pretty much the instant you turn on your DLP tool you will begin to collect policy violations. Most of these won’t be the sort of thing that require handling and escalation, but nearly every DLP deployment I have heard of quickly found things that required intervention. ‘Intervention’ here is a polite way of saying someone had a talk with human resources and legal – after which it is not uncommon for that person to be escorted to the door by the nice security man in the sharp suit. It doesn’t matter if you are only doing a bit of basic information gathering, or prepping for a full-blown DLP deployment – it’s essential to get your incident handling process in place before you turn on the product. I also recommend at least sketching out your process before you go too far into product selection. Many organizations involve non-IT personnel in the day-to-day handling of incidents, and this affects user interface and reporting requirements. Here are some things to keep in mind: Criteria for escalating something from a single incident into a full investigation. Who is allowed access to the case and historical data – such as previous violations by the same employee – during an investigation. How to determine whether to escalate to the security incident response team (for external attacks) vs. to management (for insider incidents). The escalation workflow – who is next in the process and what their responsibilities are. If and when an employee’s manager is involved. Some organizations involve line management early, while others wait until an investigation is more complete. The goal is to have your entire process mapped out, so if you see something you need to act on immediately – especially something that could get someone fired – you have a process to manage it without causing legal headaches. Clean directory servers Data Loss Prevention tools tie in tightly to directory servers to correlate incidents to users. This can be difficult because not all infrastructures are set up to tie network packets or file permissions back to the human sitting at a desk (or in a coffee shop). Later, during the integration steps, you will tie into your directory and network infrastructure to link network packets back to users. But right now we’re more focused on cleaning up the directory itself so you know which network names connect to which users, and whether groups and roles accurately reflect employees’ job and rights. Some of you have completed something along these lines already for compliance reasons, but we still see many organizations with very messy directories. We wish we could say it’s easy, but if you are big enough, with all the common things like mergers and acquisitions that complicate directory infrastructures, this step may take a remarkably long time. One possible shortcut is to look at tying your directory to your human resources system and using HR as the authoritative source. But in the long run it’s pretty much impossible to have an effective data security program without being able to tie activity to users, so you might look at something like an entitlement management tool to help clean things up. This is already running long, so we will wrap up implementation in the next post… Share:

I have been so tied up with the Nexus, CCSK, and other projects that I haven’t been blogging as much as usual… but not to worry, it’s time to start a nice, juicy new technical series. And once again I return to my bread and butter: DLP. As much as I keep thinking I can simply run off and play with pretty clouds, something in DLP always drags me back in. This time it’s a chance to dig in and focus on implementation and management (thanks to McAfee for sponsoring something I’ve been wanting to write for a long time). With that said, let’s dig in… In many ways Data Loss Prevention (DLP) is one of the most far-reaching tools in our security arsenal. A single DLP platform touches our endpoints, network, email servers, web gateways, storage, directory servers, and more. There are more potential integration points than nearly any other security tool – with the possible exception of SIEM. And then we need to build policies, define workflow, and implement blocking… all based on nebulous concepts like “customer data” and “intellectual property”. It’s no wonder many organizations are intimidated by the thought implementing a large DLP deployment. Yet, based on our 2010 survey data, somewhere upwards of 40% of organizations use some form of DLP. Fortunately implementing and managing DLP isn’t nearly as difficult as many security professionals expect. Over the nearly 10 years we have covered the technology – talking with probably hundreds of DLP users – we have collected countless tips, tricks, and techniques for streamlined and effective deployments that we’ve compiled into straightforward processes to ease most potential pains. We are not trying to pretend deploying DLP is simple. DLP is one of the most powerful and important tools in our modern security arsenal, and anything with that kind of versatility and wide range of integration points can easily be a problem if you fail to appropriately plan or test. But that’s where this series steps in. We’ll lay out the processes for you, including different paths to meet different needs – all to help you get up and running; and to stay there as quickly, efficiently, and effectively as possible. We have watched the pioneers lay the trails and hit the land mines – now it’s time to share those lessons with everyone else. Keep in mind that despite what you’ve heard, DLP isn’t all that difficult to deploy. There are many misperceptions, in large part due to squabbling vendors (especially non-DLP vendors). But it doesn’t take much to get started with DLP. On a practical note this series is a follow-up to our Understanding and Selecting a Data Loss Prevention Solution paper now in its second revision. We pick up right where that paper left off, so if you get lost in any terminology we suggest you use that paper as a reference. On that note, let’s start with an overview and then we’ll delve into the details. Quick Wins for Long Term Success One of the main challenges in deploying DLP is to show immediate value without drowning yourself in data. DLP tools are generally not be too bad for false positives – certainly nowhere near as bad as IDS. That said, we have seen many people deploy these tools without knowing what they wanted to look for – which can result in a lot of what we call false real positives: real alerts on real policy violations, just not things you actually care about. The way to handle too many alerts is to deploy slowly and tune your policies, which can take a lot of time and may even focus you on protecting the wrong kinds of content in the wrong places. So we have compiled two separate implementation options: The Quick Wins process is best for initial deployments. Your focus is on rapid deployment and information gathering rather than enforcement, and will help guide your full deployment later. We detailed this process in a white paper and will only briefly review it here. The Full Deployment process is what you’ll use for the long haul. It’s a methodical series of steps for full enforcement policies. Since the goal is enforcement (even if enforcement is alert and response, instead of automated blocking and filtering), and we spend more time tuning policies to produce useful results. The key difference is that the Quick Wins process isn’t intended to block every single violation – just really egregious problems. It’s about getting up and running and quickly showing value by identifying key problem areas and helping set you up for a full deployment. The Full Deployment process is where you dig in, spend more time on tuning, and implement long-term policies for enforcement. The good news is that we designed these to work together. If you start with Quick Wins, everything you do will feed directly into full deployment. If you already know where you want to focus you can jump right into a full deployment without bothering with Quick Wins. In either case the process guides you around common problems and should speed up implementation. In our next post we’ll show you where to get started and start laying out the processes… Share:

I think I need to ban Mike from Arizona. Scratch that – from a hundred mile radius of me. A couple weeks ago he was in town so we could do our 2012 Securosis strategic planning. He rotates between my screaming kids and Adrian’s pack ‘o dogs, and this was my turn to host. We woke up on time the next morning, hopped in my car, and headed out to meet Adrian for breakfast and planning. About halfway there the car sputtered a bit and I lost power. It seemed to recover, but not for long. I popped it into neutral and was able to rev up, but as soon as there was any load we stalled out. I turned around and started creeping toward my local mechanic when it died for good. In a left turn lane. A couple workers (they had a truck but I couldn’t see what tools they had to identify their work) offered to help push us out of the road. Seemed like a good idea, although I was arranging our tow at the same time. I kicked Mike out, hopped in the driver’s seat, and was waiting for a gap in traffic. They weren’t. These dudes were motivated to get us the hell out of their way. Here I am on the phone with the tow company, watching Mike’s face as he decided the rest of us were about to get creamed by the traffic speeding our way… with him on outside the car. I was wearing my seatbelt. We made it, the tow truck showed up on time, and I quickly learned it was what I expected – a blown fuel pump. My 1995 Ford Explorer was the first car I ever bought almost new (a year old, under 25k miles). I had it for about 16 years and it showed it. Living in Colorado and working with Rocky Mountain Rescue, it drove through all sorts of off-road conditions and on rescue missions (including roads closed due to avalanche quirks) that would have pissed off my insurance company. Anyway, despite my emotional attachment, the repair costs were over my mental limit, and it was time to find a younger model. I briefly toyed with minivans but just couldn’t do it. Logically they are awesome. But… err… it’s a friggin’ minivan. I then moved on to SUVs, even though they aren’t nearly as practical. I have rescue deeply ingrained into my brain, and it’s hard for me to not get something with 4WD. And yes, I know I live in Phoenix – it isn’t exactly rational. The GMC Arcadia wasn’t bad. The Dodge Durango drove like my 1980’s Chevy Blazer. The Mazda CX-9 drove well but couldn’t handle our car seat requirements. Eventually I ended up with another Explorer… but damn, they have improved over 16 years! Two words – glass cockpit. Ford is really ahead of most of the other car manufacturers when it comes to telematics. Aside from the big screen in the middle, two others are integrated into the dash to replace analog instruments. They actually issue software updates! Sure, they might be due to the bugs, but late last year I decided I would do my darned best to avoid buying anything with a screen I couldn’t update. Aside from all the cool software stuff, it comes with tons of USB ports, charging ports, and even a built-in 110V inverter and WiFi hotspot so the kids can play head-to-head games. And safety systems? I have… for real… radar in every direction. Blind spot, backup, cross traffic, and even a nifty “you are about to ream the car in front of you up the tailpipe, maybe slow down” alert. It also… er… drives and stuff. Mileage isn’t great but I don’t drive much. And when my phone rings the brakes lock up and the wipers go off, but I’m sure the next software update will take care of that. Almost forgot – the Mike thing? One of the first times he was out here my kid got stomach flu and Mike had to watch her while I took client calls. Then there was the time he had to drive me to the emergency room in DC. Then there was the time we had to end our video session early because I got stomach flu. You get the idea. He’s a bad man. Or at least dangerous. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Rich on How to Monitor Employees Without Being a Perv. I still can’t believe they let me use that title. Mort on counterattacks at CIO Magazine. Mike also quoted at CIO – this time on cloud security. Favorite Securosis Posts We didn’t write much this week, but here’s an old post I’m about to revive. Principles of Information Centric Security. Other Securosis Posts Oracle SCN Flaw. Incite 1/19/2012: My Seat. Censored #sopa. Network-based Malware Detection: The Impact of the Cloud. Favorite Outside Posts Adrian Lane: InfoWorld’s ‘Fundamental Oracle Flaw’ post. Really well done. Mike Rothman: Eating the Security Dog Food. The only way to really lead (sustainably, anyway) is by example. Wendy makes that point here, and it’s something we shouldn’t ever forget. If policies are too hard for us to follow, how well do you expect them to work for users? Project Quant Posts Malware Analysis Quant: Process Descriptions. Malware Analysis Quant: Monitoring for Reinfection. Malware Analysis Quant: Remediate. Malware Analysis Quant: Find Infected Devices. Malware Analysis Quant: Defining Rules. Malware Analysis Quant: The Malware Profile. Malware Analysis Quant: Dynamic Analysis. Malware Analysis Quant: Static Analysis. Malware Analysis Quant: Build Testbed. Research Reports and Presentations Tokenization Guidance Analysis – Jan 2012. Applied Network Security Analysis: Moving from Data to Information. Tokenization Guidance. Security Management 2.0: Time to Replace Your SIEM? Fact-Based Network Security: Metrics and the Pursuit of Prioritization. Tokenization vs. Encryption: Options for Compliance. Security Benchmarking: Going Beyond Metrics. Top News and Posts Symantec Acquires LiveOffice. Norton Source Code Stolen in 2006. Feds Shutdown Megaupload, Bust Founder. Training employees – with phishing! Internet SOPA/PIPA Revolt:

We blacked out Securosis (mostly – it was a rush job) to protest SOPA, PIPA, and the future variants we are sure will appear now that everyone has targeted these two acronyms. We don’t support criminal activity, but by the same token we don’t support poorly-written laws that can do nearly nothing to prevent privacy while doing a lot to stifle free speech. Especially when these laws would seriously undermine our ability to secure the Internet. ‘Nuff said. You can read more at americansensorship.org. Share:

A couple weeks ago we decided to change up the Friday Summary and update the format to something new and spiffy. That… umm… failed. All the feedback we received asked us to keep it the way it is, so since we’re only half-stupid we’ll learn our lesson and do what you tell us to. However, this will be the last Summary of the year. We have lives, ya know? And what a crazy year it’s been (at least for me). Securosis is doing very well – we’ve got a great customer base and can’t keep up with the research we are trying to pump out. Aside from getting to work with some great clients (seriously… some major breakthroughs this year), we also pumped out the CCSK training program for the Cloud Security Alliance and finished most of the development of version 1 of our Nexus platform. On the downside, as I have written before, I took some body blows through this process, and my health bitch slapped me upside the head. Nothing serious, but enough to show me that no matter how insane things get I need to focus on keeping a good balance. I also have to lament to demise of blogging. I love Twitter as much as the next guy, but I really miss the reasoned, more detailed community debates we used to (and on occasion still do) have on the blogs. Don’t get me wrong – I’m friggen ecstatic about where we are. The last (hopefully) set of updates are going into the Nexus over the next 2 weeks and we have a ton of content to load up. We also realized the platform can do a lot more than we originally planned, and if we can pull off the version 2 updates I think we’ll have something really special. Not that v1 isn’t special, but damn… the new stuff could turn it up to 11. We are also working on some new training things for the CSA and updating the CCSK class with the latest material. Again, some big opportunities and the chance to do some very cool research. I love being able to get hands on with things, then take that into the field and learn all the cool lessons from people who are spending their time working with these tools day in and out. And heck, I was even on the BBC last night. 2012 is going to rock. I think the industry is in a great place (yes, you read that right) with a kind of visibility and influence we’ve never had before. The company is cranking along and while we haven’t hit every beat I wanted, we’re damn close. I work with great partners and contributors, and my kids are walking and talking up a storm. With that said, it’s time for me to turn off the lights, finish my last minute shopping, enjoy my Sierra Nevada Holiday Ale, and say goodnight. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Mort quoted at CSO Online. Take Off The Data Security Blinders. Rich’s latest Dark Reading article. Rich on the first (and perhaps only) Southern Fried Network Security Podcast. Adrian quoted on Oracle database patching. Favorite Securosis Posts Rich: My 2011 predictions – all of which were 100% accurate and I’m repeating for 2012. Other Securosis Posts Network-Based Malware Detection: Introduction [new blog series]. Incite 12/21/2011: Regret. Nothing. Introducing the Malware Analysis Quant Project. Favorite Outside Posts Rich: A man, a ball, a hoop, a bench (and an alleged thread)… TELLER! – Las Vegas Weekly. This is my favorite item in a long time. It really shows what it takes to become a true master of your art – whatever it might be. Mike Rothman: Cranking. A big thank you to Jamie, who pointed me toward this unbelievable essay from Merlin Mann. So raw, so poignant, and for someone who’s always struggled with how to balance my sense of personal/family responsibility with my career aspirations, very relevant. Read. This. Now. Adrian Lane: The Siemens SIMATIC Remote, Authentication Bypass (that doesn’t exist). 3 digit hard-coded default passwords – that’s so mind-bogglingly stupid there needs be be a new word to describe it. And after all these years of breach disclosures – and all of the lessons learned – people still treat researchers and the bugs they report like garbage. Project Quant Posts Malware Analysis Quant: Process Map (Draft 1). Malware Analysis Quant: Introduction. Research Reports and Presentations Applied Network Security Analysis: Moving from Data to Information. Tokenization Guidance. Security Management 2.0: Time to Replace Your SIEM? Fact-Based Network Security: Metrics and the Pursuit of Prioritization. Tokenization vs. Encryption: Options for Compliance. Security Benchmarking: Going Beyond Metrics. Understanding and Selecting a File Activity Monitoring Solution. Database Activity Monitoring: Software vs. Appliance. Top News and Posts U.S. Chamber Of Commerce Hit By Chinese Cyberspies. The Thought Leader… One Year Later. Chris Eng nails it. For the record, although some people like to think all analysts are also like this… read my favorite external link for the week to understand how I view my profession. Big difference. An MIT Magic Trick: Computing On Encrypted Databases Without Ever Decrypting Them. The Cryptographic Doom Principle Moxie talks, you listen. Nuff said. Uncommon Sense Security: The Pandering Pentagram of Prognostication. I won’t lie – I used to make these stupid predictions… but I stopped years ago. And for the record, I never tried to predict attacks. Security researcher blows whistle on gaping Siemens’ security flaw ‘coverup’ No, this time we’ve got it handled. Trust us. Please? University accuses Oracle of extortion, lies, ‘rigged’ demo in lawsuit Preventing Credit Card Theft + Inside Visa’s Top Secret Data Facility. Top secret, eh? I love the smell of PR in the morning. Forensic security analysis of Google Wallet. I’m sure this won’t get hacked. Right? Microsoft’s plans for Hadoop. Not security related – yet. Blog Comment of the Week Remember, for every comment selected, Securosis makes a $25 donation to a

Back when we started the Friday Summary the world of blogs and social media was much different. RSS feeds were the primary means by which most of us sucked down our news, and we tended to communicate through cross-blog links and comments. Our goal with the Summary was to provide a good way to highlight what we have been to up every week, while also sharing some nice link love with our friends and strangers (all in an email-friendly format). We also wanted to highlight good comments and use that as an excuse to donate some cash back to the non-profit side of the community. Since then a lot has changed. People blog a lot less, and there are far fewer discussions across blogs commenting on each other’s posts. Much of this has gone over to Twitter – which is sometimes good and sometimes bad. We also brought Mike on board and restarted the Security Incite which covers at least 6 stories a week. So I think it’s time to shake up the Summary a bit and switch its format. Moving forward (as in, not this week) we will highlight the 1-3 top stories we think you need to pay attention to, why, and point out any angles we think folks are missing. After that we will continue to list what we have been up to, but you don’t need us to provide you with a random list of articles on the Internet. Some weeks we might not highlight a comment of the week, but we will still donate on a weekly basis to different charities related to the security world. We may also pick out a particularly good Nexus question instead. We hope you like the new format, and all feedback is appreciated. The Story of the Week: Carrier IQ The big story this week seems to be the saga of Carrier IQ – logging software installed on many phones, mostly by carriers, that enables them to log pretty much everything you do on your device. Yes, even your banking passwords. This became public thanks to the hard work of Trevor Eckhart and was quickly picked up by big media like Wired’s Threat Level. The story quickly hit the (mostly uninformed) spin machine. The short version is that Carrier IQ is software with the potential to log pretty much everything you do on your phone, and some but not all carriers install it on your phone without telling you or giving you a way to turn it off. From a privacy standpoint this is, of course, a crappy thing to do. But all the hype does highlight some hypocrisy: Your phone carriers already log all your calls, text messages, and web URLs you visit. Google and all the ad tracking networks work hard to log everything you do on the Internet. As I made fun of this on Twitter, I got some very thoughtful responses that highlighted the big differences between this and other privacy-invading stuff: @adamshostack: I generally agree, but CarrierIQ was surreptitious. I’m deeply privacy aware, didn’t know they were on my phone till this morning @davienthemoose: google logs my keystrokes on my banking site? 😮 While I still consider most web tracking surreptitious, at least there’s something you can do about it. With your phone you are locked in unless you change devices and/or carriers, and even then you might still have it installed. And there is definitely a difference between a keystroke logger and a URL tracker. So I stand corrected. Thanks to Twitter. Webcasts, Podcasts, Outside Writing, and Conferences Adrian quoted on Oracle database patching. Liquidmatrix Cyber Expert Interviewed (on TV). See one of our favorite Canadians, our own contributor Dave Lewis, on TV to discuss the Anonymous threats against the Toronto Government. Securosis Posts Incite 11/30/2011: An Introverted Thanks. Changing Focus through the Holidays. Fundamentals of Crowd Management. Occupy Work. Mobile Payments without Credit Cards. Index of Posts: Security Management 2.0. Incite 11/16/11: Blockage. FireStarter: Looking the other way. Favorite Outside Posts Mike Rothman: Are you positive? Jack Daniel discusses the Achilles’ heel of any detection technique: the false positive. Read it. Adrian Lane: DDoS Attacks Spell ‘Gameover’ for Banks, Victims in Cyber Heists. Hacks, fraud, money mules, and DDoS – this story has it all. Gunnar: Best statistics question ever. See if you can find the right answer. Research Reports and Presentations Security Management 2.0: Time to Replace Your SIEM? Fact-Based Network Security: Metrics and the Pursuit of Prioritization. Tokenization vs. Encryption: Options for Compliance. This week we will be making a donation to Brad “theNurse” Smith. Share:

Hey everyone, As you may have noticed, we are pretty focused on this Securosis Nexus thing we have been working on for a while. The system is coming along great, but it’s time for us to start hammering on its content. So through the end of this year we will be blogging on a reduced schedule. We will still hit you with the weekly Incite and Friday Summary plus our research projects, but day-to-day blogging will subside a bit (as it already has) so we can focus on writing for the Nexus. Unless, of course, something really tweaks us off and we need a good rant. Share:

I have joked over the years that I’m more qualified to run security at a stadium concert than an IT shop, and it’s somewhat true. My security career started way back at the young age of 18 when I started working on the event staff at CU Boulder, and for Contemporary Services Corporation (CSC), who managed most of the Denver venues. By 21 I was running security at CU and supervising for CSC – managing or supervising sports, music, and other events ranging from under 100 people to over 100,000. Sometimes I was in charge, sometimes I just managed one area, and I was often a rover/troubleshooter. I did this multiple times a week for about 4-5 years (including working summers at Red Rocks), then dropped down to occasional contract work for bigger events after that. Including some with extreme logistical complexity, high risk profiles, or other complicating factors. (Like the time my employees called to ask why the bomb squad was walking around and Secret Service snipers were in the rafters). I was also fortunate the the people I worked with were true professionals. Crowd management is an industry filled with low-bid/minimum-wage contract firms with very poor work ethics and management. CSC are the guys who run the Super Bowl and most other ‘massive’ events, and I learned a hell of a lot from them and running my own teams. I have been watching a lot of the coverage of the Occupy movement and the police response and see a series of common, preventable mistakes being made over and over. Rather than specifically criticizing YouTube clips without context, here are some of the fundamental principles I learned over the years with comments on mistakes I see. Deescalate. Always. – The single most important fundamental is that crowd management is all about deescalation. You’ll never outnumber the crowd… and the more tension rises, the greater the chance of physical conflict or transitioning to a riot. There are always more of them than of you. Peer security is more effective than policing – Peer security the principle of staffing the event with demographic peers of the attendees. Police are law enforcement officers, and so they naturally and unavoidably escalate any situation they are at, by the role they play in society and the weapons they carry. Unarmed peers of the crowd have much greater flexibility in response – they are not required to arrest or enforce all laws, they are not perceived as the same kind of threat, they do not carry weapons, and they do not have arrest authority. Weapons are not your friend in a crowd – Crowds are messy, fluid affairs that make it impossible to maintain a safe stand-off distance. I have never met an intelligent police officer who went into a crowd without more than a little fear that someone would try to grab their OC spray, handgun, or other tools. Where I worked, peer security would go into crowds and pull people out for the police – who would almost never enter the crowd itself. Know your crowd – You can fully predict the behavior of a crowd if you know the demographic and environmental conditions. I know how everything from the weather, to ages, to kinds of music affect a crowd… and it isn’t what you’d think. For example, serious injuries (and deaths) were far more common at Grateful Dead and Blues Travelers shows than metal bands with mosh pits. Slow and steady wins the race – When dealing with an uncooperative but nonviolent crowd, you have to eat at it bit by bit. From dispersing a crowd to ejecting a big group, you have to handle it piece by piece and person by person – even when force is used. That goes for removing tents (yes, I have had to do that at ‘campout’ events) and clearing the aisles at a Dead show so people could move around. The more authority you have, the less you should look like security – This was one of my favorite tricks – when I ran events I rarely wore an event staff shirt. As the last person able to deescalate most conflicts before turning someone over to the police, the more I looked like a normal person or non-security staff the better. If they think you’re with the band/team, even better. Defense in depth – Crowd management is like IT security – you need multiple people with different specialties, properly trained and positioned. For example, I hated going into a mosh pit without a spotter. At a large stadium show I might have 500 people working for me. We’d have rovers, ticket takers, people inside and outside, folks dedicated to ejections, supplementing medical (to help them through the crowd), and more. When you need to use force, don’t hesitate, but don’t hit – I have no problem using force when it is needed (and we frequently had to, especially to break up fights). In a crowd your goal is to get the person out of the crowd as fast as possible. You never punch or kick… that is excessive use of force (the exception is when you are in serious danger yourself). Your goal is to solve the problem without anyone getting hurt. Deescalation, remember? Spontaneous crowds aren’t riots – I sometimes dealt with spontaneous crowds appearing where we didn’t expect them, which weren’t tied to a normal event. Usually these were campouts, but I was also called into a few protests and such when the police wanted trusted people in the crowd but not uniformed officers. All normal crowd dynamics still apply. Riots are for the police – Crowds need peer security. Riots need cops and all the OC spray you can get your hands on. A riot is an uncontrolled situation where mob behavior takes over and there is serious damage to life/safety and property. I was at a Guns ‘n’ Roses show we thought might turn into a riot when that ass-hat Axl

I wouldn’t say I’m a control freak, but I am definitely “control aligned”. If something is important to me I like to know what’s going on under the hood. I also hate to depend on someone else for something I’m capable of. So I have no problem trusting my accountant to keep me out of tax jail, or hiring a painter for the house, but there is a long list of things I tend to overanalyze and have trouble letting go of. Pretty damn high up that list is the Securosis Nexus. I have been programming as a hobby since third grade, and for a while there in the early days of web applications it was my full time profession. I don’t know C worth a darn, but I was pretty spiffy with database design and my (now antiquated) toolset for building web apps. I still code when I can, but it’s more like home repair than being a general contractor. When Mike, Adrian, and I came up with the idea for the Nexus I did all the design work. From the UI sketches we sent to the visual designers to the features and logic flow. Not that I did it all alone, but I took point, and I’m the one who interfaces with our contractors. Which is where I’m learning how to let go. The hard way. I have managed (small) programming teams before but this is my first time on the hiring side of the contractor relationship. It’s also the first time I haven’t written any significant amount of code for something I’m pretty much betting my future on (and the future of my partners and our families). Our current contractor team is great. Among other things they suggested an entirely new architecture for the backend that is far better than my initial plans and our PoC code. I wish they would QA a little better (hi guys!), and we don’t always see things the same way, but I’m damn happy with the product. But it’s extremely hard for me to rely on them. For example, today I wanted to change how a certain part of the system functioned (how we handle internal links). I know what needs to be done, and even know generally what needs to happen within the code, but I realized I would probably just screw it up. And it would take me a few hours (to screw up), while they can sort it all out in a fraction of the time. I don’t know why this bothers me. Maybe it’s knowing that I’ll see a line item on an invoice down the road. But it’s probably some deep-seated need to feel I’m in control and not dependant on someone else for something so important. But I am. And I need to get used to it. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Me (Rich) in a DLP video I for Trend Micro. I really liked the video crew on this one and the quality shows. I may need to get myself a Canon DSLR for our future Securosis videos instead of our current HD camcorder. I also wrote up how to recover lost iCloud data based on my own serious FAIL this week. Favorite Securosis Posts Mike Rothman: Virtual USB? Not.. Adrian has it right here. Even though it’s more secure to carry (yet another) device, users won’t do it. They want everything on their smartphone, and they will get it. It’s just a matter of when, and at what cost (in terms of security or data loss). Adrian Lane: How Regular Folks See Online Safety. Lately news items are right out of Theater of the Absurd: Security Tragicomedy. Rich: Tokenization Guidance: Audit Advice. Adrian is really building the most definitive guide out there. Other Securosis Posts Incite 11/2/2011: Be Yourself. Conspiracy Theories, Tin Foil Hats, and Security Research. Applied Network Security Analysis: The Advanced Security Use Case. Applied Network Security Analysis: The Forensics Use Case. Favorite Outside Posts Mike Rothman: 3 Free Tools to Fake DNS Responses for Malware Analysis. This is a good tip for testing, but also critical for understanding the tactics adversaries will use against you. Adrian Lane: The Chicago Way. Our own Dave Lewis does the best job in the blogsphere at explaining what the heck is going on with the Anonymous / Los Zetas gang confrontation. James Arlen: Harvard Stupid. Two posts in one – interesting financial story tailed by an excellent example of how security should be implemented from a big picture view. If you run IT security for your company, read this! Rich: Kevin Beaver on why users violate policies. I don’t agree with the lazy comment though – it’s not being lazy if your goal is to get your job done and you deal with something in the way. Research Reports and Presentations Fact-Based Network Security: Metrics and the Pursuit of Prioritization. Tokenization vs. Encryption: Options for Compliance. Security Benchmarking: Going Beyond Metrics. Understanding and Selecting a File Activity Monitoring Solution. Database Activity Monitoring: Software vs. Appliance. React Faster and Better: New Approaches for Advanced Incident Response. Measuring and Optimizing Database Security Operations (DBQuant). Network Security in the Age of Any Computing. Top News and Posts UK Cops Using Fake Mobile Phone Tower to Intercept Calls, Shut Off Phones. Malaysian CA Digicert Revokes Certs With Weak Keys, Mozilla Moves to Revoke Trust. Four CAs Have Been Compromised Since June. Hackers attacked U.S. government satellites. How Visa Protects Your Data. Exposing the Market for Stolen Credit Cards Data. ‘Nitro’ Cyberespionage Attack Targets Chemical, Defense Firms. Blog Comment of the Week This week we are redirecting our donation to support Brad “theNurse” Smith. This week’s best comment goes to Zac, in response to Conspiracy Theories, Tin Foil Hats, and Security Research. I personally think that the problem with the media hype is that it seems to distract more than inform. The overall result being that you end up with “experts” arguing over inconsequential

I remember very clearly the day I vowed to stop watching local news. I was sitting at home cooking dinner or something, when a teaser report of a toddler who died after being left in a car in the heat aired during that “what we’re covering tonight” opening to the show. It wasn’t enough to report the tragedy – the reporter (a designation she surely didn’t deserve) seemed compelled to illustrate the story by locking a big thermometer in the car, to be pulled out during the actual segment. Frankly, I wanted to vomit. I have responded to more than a few calls involving injured or dead children, and I was disgusted by the sensationalism and desperate bid for ratings. With rare exceptions, I haven’t watched local news since then; I can barely handle cable news (CNN being the worst – I like to say Fox is right, MSNBC left, and CNN stupid). But this is how a large percentage of the population learns what’s going on outside their homes and work, so ‘news’ shows frame their views. Local news may be crap, but it’s also a reflection of the fears of society. Strangers stealing children, drug assassins lurking around every corner, and the occasional cancer-causing glass of water. So I wasn’t surprised to get this email from a family member (who found it amusing): Maybe you have seen this, but thought I would send it on anyway. SCARY.. This is a MUST SEE/ READ. If you have children or grandchildren you NEED to watch this. I had no idea this could happen from taking pictures on the blackberry or cell phone. It’s scary. http://www.youtube.com/watch?v=N2vARzvWxwY Crack open a cold beer and enjoy the show… it’s an amusing report on how frightening geotagged photos posted online are. I am not dismissing the issue. If you are, for example, being stalked or dealing with an abusive spouse, spewing your location all over the Internet might not be so smart. But come on people, it just ain’t hard to figure out where someone lives. And if you’re a stalking victim, you need better sources for guidance on protecting yourself than stumbling on a TV special report or the latest chain mail. But there are two reasons I decided to write this up (aside from the lulz). First, it’s an excellent example of framing. Despite the fact that there is probably not a single case of a stranger kidnapping due to geotagging, that was the focus of this report. Protecting your children is a deep-seated instinct, which is why so much marketing (including local news, which is nothing but marketing by dumb people) leverages it. Crime against children has never been less common, but plenty of parents won’t let their kids walk to school “because the world is different” than when they grew up. Guess what: we are all subject to the exact same phenomenon in IT security. Email is probably one of the least important data loss channels, but it’s the first place people install DLP. Not a single case of fraud has ever been correlated with a lost or stolen backup tape, but many organizations spend multiples more on those tapes than on protecting web applications. Second, when we are dealing with non-security people, we need to remember that they always prioritize security based on their own needs and frame of reference. Policies and boring education about them never make someone care about what you care about as a security pro. This is why most awareness training fails. To us this report is a joke. To the chain of people who passed it on, it’s the kind of thing that freaks them out. They aren’t stupid (unless they watch Nancy Grace) – they just have a different frame of reference. Share: