Wednesday, January 20, 2016

Incite 1/20/2016 — Ch-ch-ch-ch-changes

By Mike Rothman

I have always gotten great meaning from music. I can point back to times in my life when certain songs totally resonate. Like when I was a geeky teen and Rush’s Signals spoke to me. I saw myself as the awkward kid in Subdivisions who had a hard time fitting in. Then I went through my Pink Floyd stage in college, where “The Wall” dredged up many emotions from a challenging childhood and the resulting distance I kept from people. Then Guns ‘n Roses spoke to me when I was partying and raging, and to this day I remain shocked I escaped largely unscathed (though my liver may not agree).

But I never really understood David Bowie. I certainly appreciated his music. And his theatrical nature was entertaining, but his music never spoke to me. In fact I’m listening to his final album (Blackstar) right now and I don’t get it. When Bowie passed away last week, I did what most people my age did. I busted out the Ziggy Stardust album (OK, I searched for it on Apple Music and played it) and once again gained a great appreciation for Bowie the musician.


Then I queued up one of the dozens of Bowie Greatest Hits albums. I really enjoyed reconnecting with Space Oddity, Rebel Rebel, and even some of the songs from “Let’s Dance”, if only for nostalgia’s sake. Then Changes came on. I started paying attention to the lyrics.

Ch-ch-ch-ch-changes
(Turn and face the strange)
Ch-ch-changes
Don’t want to be a richer man
Ch-ch-ch-ch-changes
(Turn and face the strange)
Ch-ch-changes
Just gonna have to be a different man
Time may change me
But I can’t trace time
– David Bowie, “Changes”

I felt the wave of meaning wash over me. Changes resonates for me at this moment in time. I mean really resonates. I’ve alluded that I have been going through many changes in my life the past few years. A few years ago I reached a crossroads. I remembered there are people who stay on shore, and others who set sail without any idea what lies ahead. Being an explorer, I jumped aboard the SS Uncertain, and embarked upon the next phase of my life.

Yet I leave shore today a different man than 20 years ago. As the song says, time has changed me. I have more experience, but I’m less jaded. I’m far more aware of my emotions, and much less judgmental about the choices others make. I have things I want to achieve, but no attachment to achieving them. I choose to see the beauty in the world, and search for opportunities to connect with people of varied backgrounds and interests, rather than hiding behind self-imposed walls. I am happy, but not satisfied, because there is always another place to explore, more experiences to have, and additional opportunities for growth and connection.

Bowie is right. I can’t trace time and I can’t change what has already happened. I’ve made mistakes, but I have few regrets. I have learned from it all, and I take those lessons with me as I move forward. I do find it interesting that as I complete my personal transformation, it’s time to evolve Securosis. You’ll learn more about that next week, but it underscores the same concept. Ch-ch-ch-ch-changes. Nothing stays the same. Not me. Not you. Nothing. You can turn and face the strange, or you can rue for days gone by from your chair on the shore.

You know how I choose.

–Mike

Photo credit: “Chchchange” from Cole Henley


The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour. Your emails, alerts, and Twitter timeline will be there when you get back.


Securosis Firestarter

Have you checked out our video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

SIEM Kung Fu

Building a Threat Intelligence Program

Network Security Gateway Evolution

Recently Published Papers


Incite 4 U

  1. Everyone is an insider: Since advanced threat detection is still very shiny, it’s not a surprise that attention has swung back to the insider threat. It seems that every 4-5 years people remember that insiders have privileged access and can steal things if they so desire. About the same time, some new technology appears that promises to identify those malicious employees and save your bacon. Then it turns out finding the insiders is hard and everyone focuses on the latest shiny attack vector. Of course, the reality is that regardless of whether the attack starts externally or internally to your network, at some point the adversary will gain presence in your environment. Therefore they are an insider, regardless of whether they are on your payroll or not. This NetworkWorld Insider (no pun intended, and the article requires registration) does a decent job of giving you some stuff to look for when trying to find insider attacks. But to be clear, these are good indicators of any kind of attack, not just insiders. Looking for DNS traffic anomalies, data flows around key assets, and tracking endpoint activity are good tips. And things you should already be doing… – MR

  2. Scarecrow has a brain: On first review, Gary McGraw’s recent post on 7 Myths of Software Security best practices set off my analyst BS detector. Gary is about as knowledgeable as anyone in the application security space, but the ‘Myths’ struck me as straw man arguments; these are not the questions customers are asking. But when you dig in, you realize that the ‘Myths’ accurately reflect how companies act. All too often IT departments fail to comprehend security requirements, and software developers taking their first missteps in security fall into these traps. They focus on one aspect of a software security program – maybe a pen test – not understanding that security needs to touch every facet of development. Application security is not a bolt-on ‘thing’, but a systemic commitment to delivering secure software as a whole. If you’re starting a software security program, this is recommended reading. – AL

  3. What’s next, the Triceratops Attack? Yes, I’m poking fun at steganography, but pretty much every sophisticated attack (and a lot of unsophisticated ones) entails hiding malicious code in seemingly innocuous files through this technique. So you might as well learn a bit about it, right? This pretty good overview by Nick Lewis on SearchSecurity (registration required here too, ugh) describes how steganography has become commonplace. With an infinite number of places to hide malicious code, we always come back to the need to monitor devices and activity to find signs of attack. Sure, you should try to prevent attacks. But, as we’ve been saying for years, it’s also critical to increase investment in detection, because attackers are getting better at hiding attacks in plain sight. – MR

  4. Winning: Jeremiah Grossman has a good succinct account of the ad-blocking wars, capturing the back and forth between ad-tech and personal blocker technologies. He also nails the problem people outside security are not fully aware of, that “the ad tech industry behaves quite similarly to the malware industry, with both the techniques and delivery” and – just like malware – advertisers want to pwn your browser. I guess you could make a case that most endpoint security packages are rootkits, but I digress. Although I disagree with his conclusion that “ad tech” will win. Many of us are fine with not getting content that requires registration, having our personal data siphoned off and sold, or paying for crap. With so many voices on the Internet you can usually find the same (or better) content elsewhere. Trackers and scripts are just another indication that a site does not have your best interests at heart. So yes, you can win… if you choose to. – AL

  5. Increasing the security of your (Mac): As a long-time security person, I kind of forget the basics. Sure I write about fundamentals from time to time on the blog, but what about the simple stuff we do by habit? That’s the stuff that our friends and family need to do and see. Some understand because they have been around folks like us for years. Others depend on you to configure and protect their devices. Being the family IT person is OK, but it can get tiring. So you can thank Costin Raiu for documenting some good consumer hygiene tactics on the Kaspersky blog. Yes, this is obvious stuff, but probably only to you. Yes, it’s allegedly Mac-focused. But the tactics apply to Windows PCs as well. And we can debate how useful so-called security solutions are. Yet that’s nitpicking. You can’t stop every attack (duh!), but you (and the people you care about) don’t need to be low-hanging fruit for attackers either. – MR
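The DNS-anomaly indicator from item 1 above in working form, as an added example that is not from the Incite or from the NetworkWorld article it cites: a toy detector run over constructed resolver log lines. The log format, the thresholds and every host and domain in the sample are assumptions made up here.

```python
"""Toy DNS anomaly detector over constructed resolver log lines.

Two complementary heuristics: many distinct random-looking subdomains
under one domain from one client (tunnelling/exfil pattern), and very
long TXT query names. Thresholds and sample data are assumed values.
"""
import math
from collections import defaultdict

# Constructed sample resolver log: "<epoch> <client_ip> <qname> <qtype>"
SAMPLE_LOG = """\
1453248000 10.0.1.15 www.example.com A
1453248001 10.0.1.15 mail.example.com A
1453248002 10.0.1.15 cdn.example.net A
1453248003 10.0.1.15 www.example.com A
1453248010 10.0.1.22 a9f3k2lq8zx1.cdn-sync.example A
1453248011 10.0.1.22 q7m2p0v4n8rt.cdn-sync.example A
1453248012 10.0.1.22 b5c6d7e8f9g0.cdn-sync.example A
1453248013 10.0.1.22 h1j2k3l4m5n6.cdn-sync.example A
1453248014 10.0.1.22 p9q8r7s6t5u4.cdn-sync.example A
1453248020 10.0.1.31 www.example.org A
1453248021 10.0.1.31 zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzz.example.org TXT
this line is not a log record and is skipped
"""

# Tunable thresholds (assumed values, chosen for the constructed sample).
UNIQUE_LABEL_THRESHOLD = 5   # distinct leftmost labels per client+domain
ENTROPY_THRESHOLD = 3.0      # mean bits/char of those labels
LONG_QNAME_THRESHOLD = 50    # TXT query names longer than this are odd


def shannon_entropy(text: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Parse '<epoch> <client_ip> <qname> <qtype>'; return None on junk."""
    parts = line.split()
    if len(parts) != 4 or not parts[0].isdigit():
        return None
    epoch, client, qname, qtype = parts
    return int(epoch), client, qname.rstrip(".").lower(), qtype.upper()


def split_qname(qname: str):
    """Naive split into (leftmost label, last two labels as 'domain').
    Assumption: no public-suffix handling; good enough for this toy."""
    labels = qname.split(".")
    if len(labels) < 3:
        return None, ".".join(labels)
    return labels[0], ".".join(labels[-2:])


def analyze(log_text: str):
    """Return a list of finding dicts for the whole log text."""
    findings = []
    labels_seen = defaultdict(set)   # (client, domain) -> leftmost labels
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        _epoch, client, qname, qtype = rec
        # Heuristic 1: long TXT queries (a classic channel for moving data).
        if qtype == "TXT" and len(qname) > LONG_QNAME_THRESHOLD:
            findings.append({"kind": "long_txt_query", "client": client,
                             "qname": qname, "length": len(qname)})
        sub, domain = split_qname(qname)
        if sub is not None:
            labels_seen[(client, domain)].add(sub)
    # Heuristic 2: many distinct, high-entropy subdomains under one domain.
    for (client, domain), subs in sorted(labels_seen.items()):
        if len(subs) < UNIQUE_LABEL_THRESHOLD:
            continue
        mean_entropy = sum(shannon_entropy(s) for s in subs) / len(subs)
        if mean_entropy >= ENTROPY_THRESHOLD:
            findings.append({"kind": "possible_dns_tunnel", "client": client,
                             "domain": domain, "unique_labels": len(subs),
                             "mean_entropy": round(mean_entropy, 3)})
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(finding)
```

The all-z TXT name has zero entropy and the tunnel labels are short, which is why the two heuristics are kept separate rather than folded into one score.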

—Mike Rothman

Wednesday, January 13, 2016

Incite 1/13/2016: Permitted

By Mike Rothman

I’m not sure how it happened, but XX1 turned 15 in November and got her driver’s permit. Wait, what?!?! That little girl can now drive. Like, legally? WTF? Clearly it is now January, and I am still in shock that 15 years have passed by in the blink of an eye.

Now it’s on me to teach her to drive. She’ll take a driver’s ed course in February, so that will help and give her some practical experience with someone who actually drives with teenagers for a living. Is that on the list of worst jobs? Second to elephant cage cleaner at the zoo, driving with inexperienced drivers seems like my version of hell on earth.

Then I remembered back to when I learned to drive. My Dad had a ‘72 Bug for me that he drove around. He picked me up and drove me to the local town pool parking lot. He taught me how to balance the clutch (yes, it was a stick shift) and start, stop, drive in a straight line, and turn. I recall him being extraordinarily patient as I smoked the clutch and stalled out 10 times. But after a while I got the hang of it.


Then he said, “OK Mike. Drive home.” WHAT? I was kind of in shock. It was maybe 3 miles to my house, but it was 3 miles of real road. Road with other drivers on it. I almost crapped my pants, but we got home in one piece. Dad would let me drive most places after that, even on the highway and on bridges. He remained incredibly patient, even when I stalled 10 times on a slight incline with about 50 cars behind me sitting on their horns. Yup, crapped my pants that time too. I remember that like it was yesterday, but it was 31 years ago. Damn.

So before winter break I took XX1 out to the parking lot of the library. She got into the driver’s seat and I almost crapped my pants. You getting the recurring theme here? She had no idea what she was doing. I have an automatic transmission, so she didn’t have to worry about the clutch, but turning the car is a learned skill, and stopping without giving me whiplash was challenging for a little while. She did get the hang of it, but seeing her discomfort behind the wheel convinced me that my plan of having her drive home (like my Dad did to me) wouldn’t be a great idea. Neither for her self-esteem nor my blood pressure.

She’ll get the hang of it, and I have to remember that she’s different than me and I’m a different teacher than my Dad. We’ll get her driving at her pace. After she takes the driver’s ed class I’ll have her start driving when she’s with me. Before we know it, she’ll have 25-30 hours behind the wheel.

But I’m not taking any chances. I plan on sending her to an advanced driving school. My cousin sent me a link to this great program in NC called B.R.A.K.E.S, which provides a 4-hour defensive driving workshop specifically for teens. I’m also going to take her to a Skip Barber racing class or something similar, so she can learn how to really handle the car. Sure it’s expensive, but she’s important cargo, commanding a two-ton vehicle, so I want to make sure she’s prepared.

But I have to understand this is a metaphor for the rest of her life. As parents we can prepare her to the best of our ability. Then we need to let her loose to have her own experiences and learn her lessons. She can count on our support through the inevitable ups and downs. My little girl is growing up.

–Mike

Photo credit: “International Driving Permit” from Tony Webster




Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

SIEM Kung Fu

Building a Threat Intelligence Program

Network Security Gateway Evolution

Recently Published Papers


Incite 4 U

  1. Security as a business problem: The more things change, the more they stay the same. NetworkWorld’s Overcoming stubborn execs for security sake took me back to 2006, right before I wrote the Pragmatic CSO. Senior management doesn’t get it? Yup. Mid-managers want to circumvent the rules? Yup. On and on it goes, and we run on the hamster wheel for a decade, ending up right back in the same place. Welcome to the rest of your security career. The fact is that as high-profile as security has become to senior management and the Audit Committee, what’s a lot more important to them is making the numbers and hitting their objectives. So how can you get them to understand? You can’t. Not fully anyway. But you can make sure you discuss security in business terms, and that will at least provide some common ground for discussion. The article does a good job of discussing those tactics. – MR

  2. Shoot the messenger: Every year some legitimate tool – security or otherwise – gets labeled as a security threat. It’s not just nmap or Metasploit – even Google’s web crawlers can detect certain vulnerabilities and catalog the results (and do), and are therefore called a “hacker tool”, especially after con talks that explain how to use Google to hack. This time the Shodan web crawler was called a threat, as a recent advisory from Check Point noted what appeared to be Shodan scans prior to data breaches. The advisory itself is a good thing, but advice to block Shodan scans to deter hacking made the Twitterverse erupt in controversy. Thankfully social media has set everyone straight and the issue is resolved, right? Honestly, there is nothing wrong with blocking external Shodan scans while you address the vulnerabilities, but those pesky skeptics in the security community know blocking will be the ‘solution’ – not merely a starting point. Exactly like last time. – AL

  3. 4 tips for IR? Obviously there are more steps in an incident response. So this quick post by the CrowdStrike folks was interesting, and I think they did a decent job making a few critical points. First, you have to start with a damage assessment and an understanding of whether the adversary is still active in your environment. Next try to corral the devices in question, and data at risk, in some segmented and monitored environment, being careful to keep systems up to avoid either alerting the adversary or destroying evidence. Then call in the Forensicators. Given the shortage of those folks, and the level of demand, that is a non-trivial effort. But unless you are a Fortune-class enterprise with a group of incident responders you’ll need to work with an external firm. Then you need to notify affected stakeholders, and return systems to a healthy state. Obviously there are dozens of activities behind each of those tips, but they are good things to keep in mind. – MR

  4. Down in front: When Firefox stopped connecting via HTTPS to many web sites, some of you might have been frustrated enough to switch to a new browser. Firefox’s latest version stopped accepting SHA-1 signed certificates because the algorithm has been deprecated. But if your company uses DLP or a web security product that performs a ‘man-in-the-middle’ intercept to inspect content, odds are likely it still issues SHA-1 signed certificates. That makes Firefox barf, so you can’t connect. Too bad, so sad. You can use another browser if you choose, but as your requests are already being filtered (thanks, web proxy!), you can configure FF to accept those SHA-1 certificates without concern for degraded privacy or security. But you should ask your security vendor to up their game. – AL

  5. Can you change your mindset? This isn’t security related, but interesting enough to mention. There has been a ton of research on growth vs. set mindsets. Psychology Today has a quick article covering the research highlights. People with set mindsets are good with the status quo, and don’t think intelligence changes. Those with growth mindsets believe they can grow intelligence as they push out of their comfort zones and try new things. If you tend toward ‘set’, can you ‘grow’? Or are these fixed aspects of your personality that aren’t easy to change? The article makes it sound like you just decide to grow. Is it that easy? Maybe it should be, but I have my doubts about whether folks can fundamentally change their mindsets. – MR

—Mike Rothman

Wednesday, January 06, 2016

Incite 1/6/2016 — Recharging

By Mike Rothman

The last time I took 2 weeks off was probably 20 years ago. As I write that down, it makes me sad. I’ve been running pretty hard for a long time. Even when I had some forced vacations (okay, when I got fired), I took maybe a couple days off before I started focusing on the next thing. Whether it was a new business or a job, I got consumed by what was next almost immediately. I didn’t give myself any time to recharge and heal from the road rash that accumulated from one crappy job after another.

Even when things are great, like the past 6 years working with Rich and Adrian, I didn’t take a block of time off. I was engaged and focused and I couldn’t wait to jump into the next thing. So I would. I spent day after day during the winter holidays as the only person banging away at their laptop at the coffee shop while everyone else was enjoying catching up with friends over Peppermint Mocha lattes.


I rationalized that I could be more productive because my phone wasn’t ringing off the hook and I wasn’t getting my normal flow of email. There wasn’t much news being announced and my buddies weren’t blogging at all. So I could just bang away at the projects I didn’t have time for during the year. Turns out that was nonsense. I was largely unproductive during winter break. I read a lot, spent time thinking, and it was fine. But it didn’t give me a chance to recharge because there was no separation.

The truth is I didn’t know how to relax. Maybe I was worried I wouldn’t be able to start back up again if I took that much time away. It turns out the projects that didn’t get done during the year didn’t get done over break because I didn’t want to do them. So they predictably dragged on through winter break and then into the next year.

That changed this year. I’m just back from two weeks pretty much off the grid. I took a week away with my kids. We went to Florida and checked out a Falcons game in Jacksonville, the Kennedy Space Center in Cape Canaveral, and Universal Studios in Orlando. We were able to work in some family time in South Florida for Xmas before heading back to Atlanta. I stayed on top of email, but only to respond to the most urgent requests. All two of them. I didn’t bring my laptop, so if I couldn’t take care of it on my iPad, it wasn’t getting done.

Then I took a week of adult R&R on the beach in Belize. I’m too cheap to pay for international cellular roaming, so my connectivity was restricted to when I could connect to crappy WiFi service. It was hard to check email or hang out in our Slack room during a snorkeling trip or an excursion down the Monkey River. So I didn’t. And the world didn’t end. The projects that dragged through the year didn’t get done. But they weren’t going to get done anyway and it was a hell of a lot more fun to be in Belize than a crappy coffee shop pretending to work.

I came back from the time off recharged and ready to dive into 2016. We’ve got a lot of strategic decisions to make as the technology business evolves towards cloud-everything and we have to adapt with it. I don’t spend a lot of time looking backwards and refuse to judge myself for not unplugging for all those years. But I’ll tell you, there will be more than one period of time where I’ll be totally unplugged in 2016. And I’ll be a hell of a lot more focused and productive when I return.

–Mike

Photo credit: “Recharging Danbo Power” from Takashi Hososhima




Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Building a Threat Intelligence Program

Network Security Gateway Evolution

Recently Published Papers


Incite 4 U

  1. Cloud vs. on-prem. Idiotic discussions continue: Do me a favor and don’t read this article trying to get to the bottom of whether the public cloud or on-prem is more secure. It’s an idiotic comparison because it depends on way too many factors to make a crass generalization. Period. You can architect a public cloud environment that is more secure than an environment built on-prem. But for a different use case you could make a case for the converse. It’s not about the environment an application and technology stack is built and run in, it’s about how it’s architected and how it takes advantage of the native capabilities of each option. We believe (and are making pretty significant corporate bets) that a public-cloud environment can be more secure than something built on-prem. But it depends, and we cannot wait until everyone is doing their innovative work in the cloud, and then discuss how to make the public cloud as secure as possible, instead of whether it’s more secure than something else. – MR

  2. In front of our eyes: Volkswagen was discovered to have modified its diesel vehicles’ engine management software to reduce emissions temporarily, during the emissions testing process. Think about it for a minute: millions of vehicles were tested each year, by trained techs with tools and software designed to audit vehicle emissions, and yet software designed to circumvent the audits went undetected for years. While that story has nothing to do with security per se, the ‘attack’ used to bypass the test (and therefore the certification process), and the third-party discovery, is a story we see played out over and over with IT breaches. When you have a sophisticated and motivated adversary, they will be aware of (and work around) your defenses and assessment techniques. A single static test with an unquestioned binary response does not cut it. Think about that the next time you are looking to catch fraud or look for compromised systems in a complicated environment. – AL

  3. The invisible malware: With all of the innovation happening around malware detection, it’s getting easier to detect attacks, right? Yeah, not so much. Turns out it’s getting harder. As Dark Reading described, the newly discovered Latentbot uses so much obfuscation it’s largely invisible to current-generation detection tools. It’s a good thing China isn’t hacking so much (according to FireEye’s last earnings call anyway) because that gives researchers plenty of time to find cool botnets. And it’s interesting to learn how this new malware injects code multiple times, never stays installed for too long, and exploits devices at multiple levels to ensure persistent access and control over them. Yeah, it is clear you can’t stop attacks like this, so focusing on detecting lateral movement and exfiltration is your best option for finding pwned devices. – MR

  4. Banking on irrelevance: SSL and (to a lesser extent) TLS 1.0 have a handful of known vulnerabilities and weaknesses, depending on how they are deployed. The PCI Council previously required firms to update before the end of 2015, but recently the Council pushed its mandatory migration date from SSL to TLS out to June 2018. Because, well, the big retailers pulling the PCI-DSS strings couldn’t get there in time. Attackers have bags full of tricks for attacking these older protocols and accessing the network sessions they were designed to protect. It’s not clear how the Council decided pushing back the date two and a half years made any sense, but since they don’t mandate end-to-end encryption and pass card data in clear text, you are probably thinking “What is the point?” And from a PCI assessment perspective, if Apple Pay, Samsung Pay, and the like continue to gain acceptance, in three years payment tokens will likely make most of current PCI compliance irrelevant. But sometimes compliance drives needed change, and migrating to TLS 1.2 will be beneficial to data security. At some point, if it ever happens. – AL

  5. The few, the proud, the cyber: It’s good to see the military continuing to invest in cyber capabilities. The Army National Guard is standing up new cyber units to help do surveillance and recon on the nation’s adversaries. Ho hum, right? Actually it’s interesting because the National Guard may be able to get access to security professionals otherwise gainfully employed by commercial entities. It’s a big sacrifice to do security for military pay, when commercial organizations have totally different pay scales. But being able to help out (via the National Guard) could be a good alternative for patriotic folks who want commercial jobs. – MR

—Mike Rothman

Wednesday, December 16, 2015

Incite 12/15/2015: Looking Forward

By Mike Rothman

In last week’s Incite I looked backwards at 2015. As we close out this year (this will be the last Incite in 2015), let me take a look forward at what’s in store for 2016.

Basically I don’t have any clue.

I could lie to you and say I’ve got it all figured out, but I don’t. I fly by the seat of my pants pretty much every day of my life. And any time I think I have things figured out, I get a reminder (usually pretty harsh) that I don’t know squat. One thing I’m comfortable predicting is that things will be changing. Because they always do. Some years the change is very significant, like in 2015. Other years less so. But all the same, change is constant in my world.


We’re going to do some different things at Securosis next year. We are very pleased with how we have focused our research toward cloud security, and plan to double down on that in 2016. We’ll roll out some new offerings, though I’m not exactly sure when or what they’ll be. We have a ton of ideas, and now we have to figure out which of them make the most sense, because we have more ideas than time or resources. Rich, Adrian, and I will get together in January and make those decisions – and it will involve beer.

Personally, I’ll continue my path of growth because well, growth. That includes trying new things, traveling to new places, and making new friends. I’m not going to set any goals besides that I want to wake up every morning, maintain my physical health, and continue my meditation and spiritual practices. My kids are at an age where they need my presence and guidance, even though they will likely not listen, because teenagers know everything. Which basically means I’ll also need to be there to pick them up when they screw things up (and they will), and try to not say I told you so too many times.

I’ll also tell my story of transformation through the year. I’m not ready to do that yet, but I will because it’s an interesting story and I think it will resonate with some of you. It also ensures that I will remember as time marches on. I spent some time earlier in the year reading through old Incites and it was a great reminder of my journey.

Overall I’m very excited about 2016 and continuing to live with a view toward potential and not limitations. I’m focused on making sure those I love know they are special every single day. I’m committed to being happy where I am, grateful for how I got here, and excited for what is to come. I’ll ring in the New Year in a tropical paradise, and play the rest by ear.

All of us at Securosis are grateful for your support, and we wish you a healthy and happy 2016.

–Mike

Photo credit: “looking forward to” from Elizabeth M




Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Building a Threat Intelligence Program

Network Security Gateway Evolution

Recently Published Papers


Incite 4 U

  1. Good deed for the holidays: You too can help make software security better! OWASP, the Open Web Application Security Project, is developing a new set of secure coding guidelines for software developers. This document will be a great aid to developers who want to get up to speed on secure coding. It offers a succinct set of code examples – in most of the widely used programming languages – which address the top ten security coding flaws. And what developer doesn’t love easy to understand code examples? But wait, there’s more! This effort is truly open, so you get to participate in building the guidelines: the document I referenced is open for public comments and direct editing! So if you think the document is missing something, or there are better examples to be offered, or you think something is wrong, you can improve it. Do a good deed for the holidays and contribute. – AL

  2. Happy Holidays. Let’s make some crap up… It’s the holiday season. So obviously we will be subjected to everyone’s predictions of what’s in store for 2016. As you can tell from our last FireStarter of the year, we don’t buy into predictions. But the IDC folks don’t have any issue making things up. Their cousins at NetworkWorld (both have the same corporate parent IDG) have some bait posted about an upcoming IDC predictions webcast, and one of their predictions is that by 2020 data breaches will affect 25% of the world’s population. What does that even mean? How could you tell if it’s right? And who cares anyway? How will that prediction do anything to change what you are doing on a daily basis? Right, it won’t, because odds are you have already been affected by a data breach. So this is the worst kind of prediction. It can’t be proven or disproven, and it’s not relevant to your daily activity. Bravo IDC. I hope the others are a little better, but I won’t know, because I have better stuff to do than listen to nonsense. – MR

  3. Black Friday, Cyber Monday, and Liability Tuesday: As I have been out and about a lot this month, showing relatives around Arizona, my credit cards have gotten a lot of use. Restaurants, gift shops, museums, pet stores, big box retail, national parks, and even a place called “The Hippie Emporium” (don’t ask). And you know what I have seen? Outside Target, not a single merchant had adopted EMV. EMV-ready PoS devices are in place, but the EMV functionality is not operational. Got that? All that hype about merchant liability and almost zero adoption. A couple weeks back Branden Williams asked (paraphrasing) whether sucky and slow EMV chip readers will cause people to stay home and shop at Amazon or other online retailers. To which I respond ‘No’: they are not in wide enough use to have a detrimental effect. Amazon is getting a ton of new traffic this year, and I hear so are Etsy and even the ecommerce sites of traditional brick-and-mortar stores. It’s not because of EMV readers – it’s just getting easier to shop online, and more people are comfortable with it. But it does mean we are going to see the effects of the liability shift soon – ‘tis the season for credit card scams and fraud, and we will see some merchants get hammered. – AL

  4. Step by step malvertising: I enjoy blow-by-blow descriptions of recent attacks, so thanks to the Malwarebytes folks, who posted a detailed analysis of a recent malvertising campaign targeting Xfinity. What’s interesting is how this attack combines malvertising, an exploit kit, phishing (to collect personal data), and then a tech support scam. Now that’s leverage. Of course there are clues it’s a scam, including a different domain for the first linked site. Malwarebytes also posted a set of indicators so you can be ready for this kind of attack if your employees or family tend to click. – MR

—Mike Rothman

Wednesday, December 09, 2015

Incite 12/9/2015: Looking Backwards

By Mike Rothman

As a guy who pretty much always looks forward, I still find it useful at the end of each calendar year to look backwards and evaluate where I am in life and what (if anything) I want to focus on in the coming year. 2015 has been a very interesting year, both personally and professionally. I’m at an age where transformation happens, and that has been a real focus for me. I’ve spent a long time evaluating every aspect of my life and making changes, some small and some very significant. Trying to navigate those changes gracefully requires focus and effort.

From a business perspective, it’s a pretty good time to be in the security industry. You have seen a slowdown in our blog activity over the past couple months because our business continues to evolve and we’ve been doing a lot more work out of the public eye. We’ve been called in to do a lot more strategic advisory, and we’re even starting to do security architecture work for some enterprise organizations, typically around cloud initiatives.

We’re also increasingly being called into diligence efforts for companies considering acquisitions, and investors considering putting large sums of money to work in this space. These are pretty intense gigs and that usually means more external projects lag a bit. We also aren’t sure how long the good times will continue to roll, so we usually jump on diligence projects.


Personally, suffice it to say things are substantially different for me, though I’m not going to go into detail at this point. Different is scary for most people, but I’ve always embraced change, so my challenge is more about having the patience to let the world around me adapt. My kids continue to amaze me with how they are growing into fantastic people, and this past year they’ve navigated new schools and additional workload with minimum drama and angst. You can’t entirely avoid drama and angst (not as a teenager anyway), but their Mom and I are proactive about making them aware of the drama.

Physically I’m still working my program, running two half marathons and continuing my yoga practice. I’m making many new friends who provide different perspectives on life, and I’ve been able to fulfill a need for social activity I didn’t even know I had. As I look back at 2015, I realize that the signs of significant disruption were there both personally and professionally. It has been a long road, and I finally feel that my world is opening up and I’m moving toward my potential, away from my self-imposed limitations.

I’m really excited for what’s next. All I see ahead is blue sky. As I wrap up the Incite next week, I’ll ruminate a little into what the path ahead looks like.

–Mike

Photo credit: “Emu (Dromaius novaehollandiae) looking backwards at Auckland Zoo” from Wikimedia Commons


The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour. Your emails, alerts, and Twitter timeline will be there when you get back.


Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Building Security into DevOps

Building a Threat Intelligence Program

Network Security Gateway Evolution

Recently Published Papers


Incite 4 U

  1. R marks the spot: NetworkWorld ran a great article examining how the Verizon Data Breach report folks use R to do the analysis and generate the charts in their widely read report. I personally haven’t played with statistical programs since I was in college, but there is an increasing need for math people (although we call them data scientists now) to perform the analysis to mine through all of that security data and figure out what’s going on. I tell many younger folks, who ask what they should focus on, to dust off their programming/scripting skills – security automation is coming. The other thing I now suggest is for the math-inclined to study a lot more statistics and get to know these kinds of tools. The future is here and it seems to require math (so says the writer). – MR

  2. Pre-owned: If you’re wondering how the credit card you just got two weeks ago already got popped, here is one possible answer. Samy Kamkar demonstrated that AmEx-based new card numbers are predictably generated from the previous numbers, allowing crackers to guess the number of the next card they issue you. If you’re an application developer, this is why you need to be careful with sequence generators – they tend to leak information attackers can (and do) exploit. This attack does not compromise the CVV, and other protections are embedded in credit card magstripes, but there are enough cracks in the credit card ecosystem for attackers to trick terminals with bogus card-present transactions. And if history repeats itself, it will only take one phony transaction to trigger an AmEx card re-issue, so you’ll get to re-enter your next number at the dozen or so websites you use. Again. – AL

  3. Keep your enemies closer… Running a big business can be messy at times, and it seems it’s tough to scale ethics. I can’t say I’m surprised to hear that Walmart spies on the employees who advocate for change and agitate its workforce. I’m also not surprised they hired Lockheed to run their intelligence gathering program. I am a bit surprised they got FBI Joint Terrorism Task Force help, but I guess they made the case that they were worried about a terrorist strike against a store. And that’s how a lot of surveillance is justified. It’s about knowing before something bad happens. I don’t know that there is a clear answer, because most folks gladly will cede privacy for a perception of security. Of course, as we’ve seen all too frequently, any sense of personal security is a myth. And as we in the security industry know, computer security is a myth as well. I guess the only thing to accept is that Big Brothers are watching. And yes, that’s intentionally plural. – MR

  4. Payments for nothin’, chips for free: Speaking of cracks in the payment system: University College London researchers are reporting an uptick of card present fraud, specifically with Chip and PIN cards. It seems hackers are using stolen cards with embedded EMV chips, without their PIN codes. So to perpetrate the fraud the attacker forces the terminal into a “referral mode” where the merchant transmits the code from the PIN pad. But the attacker has possession of the terminal to enter their secret PIN while the alternative authorization occurs. To add insult to injury, it seems no one ever tested this procedure – because transactions are accepted even with bogus authorization codes. Security! It’s amazing that so many financial processes seem to lack any kind of threat modeling prior to rollout, as we also saw with the banks’ failure to vet cards in the so-called “Apple Pay Hack”, and Starbucks mobile account takeovers with automatic replenishment. This is threat modeling 101. This attack should be short-lived – whether prevented with payment terminal patches or mitigated through merchant employee training. – AL

  5. Attacks never go away either: We joke as security professionals that we can never get rid of a control – we just keep adding to the mix. Go into your telecom room and check out the link encryptors if you don’t believe me. It seems old attack kits never go away either. Peter Stephenson assembled information from a bunch of sources to show that NEK (Nuclear Exploit Kit) is back. This shouldn’t be a surprise – folks are inherently lazy. Unless you are doing something totally novel (like StuxNet), why wouldn’t you use stuff that already exists as a starting point? We do that in development now (just ask your developers to list the external and open source libraries they use in an app), we do it with monitoring (leveraging existing patterns), and we recycle pretty much everywhere. Why wouldn’t attackers do the same? Peter’s conclusions (use multiple AV products, LOL) are suspect, but if most attacks seem familiar it’s because they are. – MR
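The sequence-generator point in item 2 above, as an added example that is not part of the Incite post or of Samy Kamkar’s research: a counter-style issuer beside a CSPRNG-backed one, plus a self-check a defender can run against any identifier source to see whether an observer who saw two issued values can name the third. The issuer classes, the starting value and step, and the guess_rate check are all constructed for illustration; no real card number scheme is modelled.

```python
"""Added example (not from the Incite post): why counter-style identifiers leak
information, and what a non-guessable identifier looks like.

PredictableIssuer mimics a sequential issuer: each value is the previous one
plus a fixed step, so two observed values reveal the third. RandomIssuer draws
each identifier from the OS CSPRNG, so past values say nothing about future
ones. All numbers below are constructed sample data.
"""
from __future__ import annotations

import secrets


class PredictableIssuer:
    """Counter-style issuer: next = previous + fixed step (the weak pattern)."""

    def __init__(self, start: int, step: int) -> None:
        self._current = start
        self._step = step

    def issue(self) -> int:
        self._current += self._step
        return self._current


class RandomIssuer:
    """Hardened issuer: each identifier is an independent CSPRNG draw."""

    def __init__(self, digits: int = 12) -> None:
        self._digits = digits
        self._issued: set[int] = set()

    def issue(self) -> int:
        while True:
            candidate = secrets.randbelow(10 ** self._digits)
            if candidate not in self._issued:   # uniqueness without any sequence
                self._issued.add(candidate)
                return candidate


def guess_next(history: list[int]) -> int | None:
    """What an observer who saw the previous identifiers would guess next.

    Returns None when the observed values show no constant step."""
    if len(history) < 2:
        return None
    deltas = {b - a for a, b in zip(history, history[1:])}
    if len(deltas) != 1:
        return None
    return history[-1] + deltas.pop()


def guess_rate(issuer, observed: int = 2, trials: int = 50) -> float:
    """Self-check for an identifier source: fraction of trials in which the
    observer's guess from `observed` consecutive values matches the next one.

    1.0 means the source is fully predictable; anything above ~0 is a finding."""
    hits = 0
    for _ in range(trials):
        history = [issuer.issue() for _ in range(observed)]
        guess = guess_next(history)
        if guess is not None and guess == issuer.issue():
            hits += 1
    return hits / trials


if __name__ == "__main__":
    print("counter issuer guessable:", guess_rate(PredictableIssuer(100_000_000, 7)))
    print("random issuer guessable:", guess_rate(RandomIssuer()))
```

guess_rate is the useful part for a defender: point it at whatever issues identifiers in your own system (order numbers, session ids, reset tokens) and a non-zero rate tells you the generator is leaking its state.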

—Mike Rothman

Thursday, December 03, 2015

Incite 12/2/2015: Grateful Habits

By Mike Rothman

A week ago most folks in the US were in food comas from the Thanksgiving feast. Of course this is a great time of year to be grateful for what you have. Whether it’s family, health, work, or anything else. This morning I got a great reminder that expressing gratitude is a habit, which requires daily work – especially for security people.

I was doing a speaking gig for a client in Atlanta, and I ran into an old friend who traveled in for the seminar. We were catching up and he mentioned how busy he was and that it was a bit overwhelming. I jumped right in because we at Securosis are pretty busy ourselves. But then I got a flash of awareness and decided I had to break the cycle. I specifically asked whether he remembered 10 years ago when no one cared about security.

I certainly do. A lot of you (like Rich, Adrian, and myself) did security before security was cool. You remember talking to blank stares when evangelizing the importance of security. You remember cleaning the same malware off the same person’s device, over and over again, because they just couldn’t understand why they can’t click ads on questionable sites. You also remember looking for a new job when the senior team needed a scapegoat after yet another breach, after they didn’t listen to what you said the first time.

It’s a different situation now. Many folks still don’t understand what they need to do, but they don’t really argue about the importance of security any more. Most of us have a bigger issue finding talent to fill open positions, rather than making the case for why any security people are needed. These are things to be grateful for.

It turns out that a little gratitude leads to a lot. So if you have any interest, don’t just think about being thankful around the holidays. Start the day by making a list of 2 or 3 things you are grateful for every day. It’s hard to get into the right mindset to get things done, when you wake up overwhelmed by the amount of stuff that needs to get done. So break that cycle too. Think about what’s working in your life. It doesn’t have to be a lot. Just a little thing. Take a small step toward feeling gratitude every day.

I do this consistently, every day. It puts me in the right frame of mind. I’m thankful for so many things, but none more than the habits I have established over the past few years, which have made a huge difference in my life.

–Mike



Incite 4 U

  1. Can security be fixed? Is it broken? I’ve gotta send a hat tip to my friend Don, who pointed out this article on TechCrunch explaining how Humility, Accountability And Creative Thinking Can Fix IT Security. Really? A lot of the security folks I know are pretty humble and creative. It’s not like they sit around and talk about how great they are while the city is burning. But aside from the clickbait title, there are some decent points in that post. I especially like the idea of killing silver bullet syndrome. There is no single answer for dealing with sophisticated adversaries. I also agree that security will need to evolve as the cloud and mobility continue to take root. Inflection anyone? The article also points out the need to share information, and that’s all about Threat Intelligence. But I still push back on the contention that security is broken. It’s not broken, because that supposes that it can be fixed. I posit that you don’t win security – you just survive to fight another day. – MR

  2. Student jobs: It appears the FBI is funding security vulnerability research; not for bug bounties, but to conduct surveillance. Recently they paid University students to hack Tor networks so they could inspect Tor traffic and de-anonymize Tor users. The FBI’s disclosed target could have been tracked financially, and Tor offers law enforcement other means to locate users, which implies (shockingly) their goal was something more than they disclosed. The problem is that they used the same techniques legitimate security researchers use to find flaws – efforts which the FBI is more known for prosecuting than for sponsoring. So we come back to the sad fact that some folks in law enforcement think the rules are important, but don’t apply to them. – AL

  3. Volunteering to get started in security: Recently I highlighted a great article from Lesley Carhart about getting started in infosec. Given the skills gap, all the help we can offer interested parties who want to join us in security is welcome. So check out this interview with Ron Woerner on Michael Santarcangelo’s blog. Ron points out the Catch-22 that security jobs demand experience, but most entry-level folks have no way to get it. Ron suggests volunteering on open source projects or with local organizations, such as schools and religious organizations. Maybe even your doctor’s or dentist’s office. Ron also suggests reading. A lot. He’s right – there are so many talks and so much content out there free, that anyone can familiarize themselves with the practice. Of course nothing replaces the experience of screwing things up, so reading isn’t enough. But these are all good ways to get onto the path of security ‘bliss’. LOL. – MR

  4. Delusional: The claim that Snowden’s leaks contributed to the Paris bombings is so outrageous I thought at first I would not comment on it at all. But in our daily jobs, helping firms deploy encryption, I realize how few communications – email, voice, data, text messages, etc. – are actually encrypted even after we learned mass surveillance is a reality. I have used encryption on and off during my professional career for both personal and professional communications. Most of the time I have used encryption during the development phases of new encryption, key management, and PRNG modules to protect us from both eavesdropping and code tampering. But even most paranoids like myself don’t use it most of the time, because it is too hard to use except for the most sensitive communications. But after the Snowden revelations I am still surprised how little of our critical infrastructure is encrypted and private. But maybe I shouldn’t be. – AL

  5. Screwing up is part of the process: Fahmida posted a pretty entertaining article on 10 dumb security mistakes that sys admins make. It’s mostly simple stuff like using sudo and making changes as root. I mean, the list is the list, and dumb mistakes are made all day, every day. My point is that screwing up is an integral part of learning security. Those with a future in this practice mess things up all the time. They try stuff. They hack together solutions to problems no one has ever seen, and sometimes they work. But often they don’t. That’s part of the learning process, and as security folks we always need to be learning. So don’t stigmatize mistakes – embrace them. Just don’t make the same mistakes more than once. – MR

—Mike Rothman

Wednesday, November 04, 2015

Incite 11/4/2015: The Taper

By Mike Rothman

As I mentioned, I’m running a half marathon for Team in Training to defeat blood cancers. I’ve raised a bunch of money and still appreciate any donations you can make. I’m very grateful to have made it through my training in one piece (mostly), and ready to go. The race is this coming Saturday and the final two weeks of training are referred to as the taper, when you recover from months of training and get ready to race.

This will be my third half, so by this time in the process I’m pretty familiar with how I feel, which is largely impatient. Starting about a month out, I don’t want to run any more because my body starts to break down a bit after about 250+ miles of training. I’m ready to rest when the taper starts – I need to heal and make sure I’m ready to run the real deal. I want to get the race over with and then move on with my life. Training can be a bit consuming and I look forward to sleeping in on a Sunday morning, as opposed to a 10-12 mile training run. It’s not like I’m going to stop running, but I want to be a bit more balanced. I’m going to start cycling (my holiday gift to myself will be a bike) and get back to my 3x weekly yoga practice to switch things up a bit.


The taper is actually a pretty good metaphor for navigating life transitions. Transitions are happening all the time. Sometimes it’s a new job, starting a new hobby, learning something new, relocating, or anything really that shakes up the status quo. Some people have very disruptive transitions, which not only shake their foundations but also unsettle everything around them. To live you need to figure out how to move through these transitions – we are all constantly changing and evolving, and every decade or so you emerge a different person whether you like it or not. Even if you don’t want to change, the world around you is changing, and forces you to adapt. But if you can be aware enough to sense a transition happening, you can taper and make things more graceful – for everyone.

So what does that even mean? When you are ready for a change, you likely want to get on with it. But another approach is to slow down, rest a bit, take a pause, and prepare everyone around you for what’s next. I’ve mentioned the concept of slowing down to speed up before, and that’s what I’m talking about. When running a race, you need to slow down in the two weeks prior to make sure you have the energy to do your best on race day. In life, you need to slow down before a key transition and make sure you and those impacted are sufficiently prepared.

That requires patience and that’s a challenge for me and most of the people I know. You don’t want to wait for everyone around you to be ready. You want to get on with it and move forward, whatever that means to you. Depending on the nature of the transition, your taper could be a few weeks or it could be a lot longer. Just remember that unless you are a total hermit, transitions reverberate with those around you. It can be a scary time for everyone else because they are not in control of your transitions, but are along for the ride. So try to taper as you get ready to move forward. I try to keep in mind that it’s not a race, even when it’s a race.

–Mike

Photo credit: “graff la rochelle mur aytre 7” originally uploaded by thierry llansades


Thanks to everyone who contributed to my Team in Training run to battle blood cancers. We’ve raised almost $6,000 so far, which is incredible. I am overwhelmed with gratitude. You can read my story in a recent Incite, and then hopefully contribute (tax-deductible) whatever you can afford. Thank you.



Incite 4 U

  1. Getting started in InfoSec: Great post/resource here from Lesley Carhart about how to get started in information security. Right up at the top the key point comes across loud and clear: you need to understand how things work to hack them (or defend them). YES! That’s why a degree in security is useful, but the reality is that students coming out of these programs aren’t ready because they don’t know how everything works. That takes a few years in the coal mines, so you need to grow folks to meet demand, but it’s a multi-year investment. You can’t just send them to a SANS class and figure they’ll be ready to take on sophisticated adversaries. The other point right up front is on passion about security. It’s not a 40-hour-a-week job (not even in France), and it’s thankless. So if you don’t really like it, it’s a slog to do security for years. If you have folks who are interested in getting into our little area of the world, have them read this post. – MR

  2. Infinite primes, wasted: Remember back in high school, when your teachers said “Math is important!” You muttered under your breath, “When am I ever going to use this stuff? Combinatorials? Prime numbers? Never again!” Well guess what? Your math teacher was right. J. Alex Halderman and Nadia Heninger, in How is NSA breaking so much crypto?, offer a plain English explanation of how nation-state hackers are likely able to eavesdrop on HTTPS sessions. They go on to discuss the economics, and the incentives for governments to invest in crypto hacking hardware to keep pace with networks and technology. Because of a common implementation failure in the use of prime numbers – using the same ones every time – the NSA and other nation-states can leverage a few hundred million in custom hardware to crack the majority of secured sessions – and what’s a few hundred million between friends (or enemies). The brute force cracking is not rocket science, nor is the discovery of the simple mistake in usage of prime numbers, but combined they allow determined parties to eat ‘secure’ sessions for lunch. – AL

  3. Mobile + Pr0n = Pwn: I highlighted this link in last week’s Friday Summary, but it’s worth a broader discussion: porn sites are the top mobile infection vector. Mostly because it’s about pr0n. HA! But that brings up a good point about the path of least resistance. Attackers find ways to figure out the easiest way to achieve their mission, and folks who use tablets and phones to consume adult content are pretty low-hanging. No pun intended, but the key points here are that malvertising is a key attack vector now and some sites are going to be more careful about it, and that porn sites probably aren’t among the best of them. So what to do? Abstinence? Just say no? As Nancy Reagan turns over in her grave, the answer is to make sure you are following the same practices you follow on your PC devices. Don’t click on stupid links, and make sure your device is patched and up to date. – MR

  4. Fast pass to replacement: In the last two weeks Mastercard has launched the MasterPass Mobile App with full tokenization of credit cards (i.e., PAN) through the MasterPass Digital Enablement Service – a fancy name for their tokenization gateway. This is important as they are directly linking issuing banks to mobile apps like Android Pay, Apple Pay, and Samsung Pay. In The EMV Migration and the Changing Payment space we explained that EMV cards are almost trivial in the bigger picture. The transition to mobile is where the real security benefits will be derived. And here is where we will see full end-to-end tokenization and merchants no longer getting access to card numbers. The road will continue to be bumpy for a while, as card-not-present fraud forces banks to reissue cards (and reissue them again), and consumers are forced to sit on their phones (if you’re like me) explaining to their bank that they are putting another new credit card number into Apple Pay, and asking why the $@#! the bank can’t automate this process! The answer in both cases is fraud, which will continue to escalate until this migration to more secure (i.e., mobile) platforms, which can help combat both card cloning and card-not-present fraud. – AL

  5. Patience is hard: Most of the folks in your organization aren’t security people. Sure you can bust out the platitudes like “security is everyone’s job” and other such puffery, but the reality is these folks have demanding jobs, and security isn’t in their job descriptions. So how long does it take them to become aware? Sometime between forever and forever? The news isn’t that bad, but it will take time and repetition, with some gamification and possibly some public shaming, for everyone to get the picture. And there will always be those ‘special’ folks who won’t ever get it, but you have to tolerate them (and clean up their messes) because they are too important. Maybe show them the article linked above about mobile and porn – I’m sure that has never been an attack vector for these folks. – MR
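The shared-prime point in item 2 above, as an added toy model that is not from the Incite post or from the Halderman/Heninger article: it meters the work needed to recover session secrets when one Diffie-Hellman group is reused by every server, versus a distinct group per server. The toy group sizes (primes just above 100,000, generator 2), the CostMeter class and the full g^x lookup table are constructed stand-ins for the number field sieve precomputation the article describes; the lesson for defenders is the cost ratio, not the arithmetic, which is why the primes are small enough to run in a second.

```python
"""Added example (not from the Incite post or the Halderman/Heninger article):
a toy model of why a shared Diffie-Hellman group is dangerous.

Against a fixed (p, g) the expensive work, a table of every g^x mod p, is done
once; each later session that uses the same group then costs one lookup. When
every server uses its own group the table must be rebuilt per group, and
nothing amortises. The primes are tiny (real groups are 1024 bits and up, and
the real precomputation is the number field sieve); only the accounting matters.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass


@dataclass
class CostMeter:
    """Work done in the toy attack, split into once-per-group and once-per-session."""
    precompute_ops: int = 0
    session_ops: int = 0


def small_primes(start: int, count: int) -> list[int]:
    """Return `count` primes >= start by trial division (toy group moduli)."""
    found: list[int] = []
    n = start
    while len(found) < count:
        if n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1)):
            found.append(n)
        n += 1
    return found


def build_table(p: int, g: int, meter: CostMeter) -> dict[int, int]:
    """One-time precomputation for the group (p, g): map g^x mod p -> x for
    every value g can take. Cost grows with the group and is paid once per group."""
    table: dict[int, int] = {}
    value = 1
    for x in range(p - 1):
        if value in table:            # g's order reached: every public value is covered
            break
        table[value] = x
        value = value * g % p
        meter.precompute_ops += 1
    return table


def solve_session(table: dict[int, int], public: int, meter: CostMeter) -> int:
    """Per-session work once the table exists: a single lookup."""
    meter.session_ops += 1
    return table[public]


def simulate(groups: list[tuple[int, int]], sessions_per_group: int) -> CostMeter:
    """Run the toy attack against every group and return the accumulated cost."""
    meter = CostMeter()
    for p, g in groups:
        table = build_table(p, g, meter)
        order = len(table)
        for _ in range(sessions_per_group):
            secret = secrets.randbelow(order)      # a session's private exponent
            public = pow(g, secret, p)             # what crosses the wire
            assert solve_session(table, public, meter) == secret
    return meter


def compare(servers: int, sessions_per_server: int) -> tuple[CostMeter, CostMeter]:
    """Every server on one shared group vs. a distinct group per server."""
    primes = small_primes(100_000, servers)
    shared = simulate([(primes[0], 2)], servers * sessions_per_server)
    distinct = simulate([(p, 2) for p in primes], sessions_per_server)
    return shared, distinct


if __name__ == "__main__":
    shared, distinct = compare(servers=20, sessions_per_server=25)
    print("shared group:  ", shared)
    print("distinct groups:", distinct)
```

The session_ops column comes out identical in both runs; only precompute_ops differs, and it differs by a factor of the number of distinct groups. That is the whole argument for generating your own 2048-bit group (openssl dhparam does this) or preferring ECDHE rather than accepting a library’s built-in 1024-bit default that thousands of other servers also use.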

—Mike Rothman

Wednesday, October 21, 2015

Incite 10/21/2015: Appreciating the Classics

By Mike Rothman

It has been a while since I’ve mentioned my gang of kids. XX1, XX2 and the Boy are alive and well, despite the best efforts of their Dad. All of them started new schools this year, with XX1 starting high school (holy crap!) and the twins starting middle school. So there has been a lot of adjustment. They are growing up and it’s great to see. It’s also fun because I can start to pollute them with the stuff that I find entertaining.

Like classic comedies. I’ve always been a big fan of Monty Python, but that wasn’t really something I could show an 8-year-old. Not without getting a visit from Social Services. I knew they were ready when I pulled up a YouTube of the classic Mr. Creosote sketch from The Meaning of Life, and they were howling. Even better was when we went to the FroYo (which evidently is the abbreviation for frozen yogurt) place and they reminded me it was only a wafer-thin mint.


I decided to press my luck, so one Saturday night we watched Monty Python and the Holy Grail. They liked it, especially the skit with the Black Knight (It’s merely a flesh wound!). And the ending really threw them for a loop. Which made me laugh. A lot. Inspired by that, I bought the Mel Brooks box set, and the kids and I watched History of the World, Part 1, and laughed. A lot. Starting with the gorilla scene, we were howling through the entire movie. Now at random times I’ll be told that “it’s good to be the king!” – and it is.

My other parenting win was when XX1 had to do a project at school to come up with a family shield. She was surprised that the Rothman clan didn’t already have one. I guess I missed that project in high school. She decided that our family animal would be the Honey Badger. Mostly because the honey badger doesn’t give a _s**t_. Yes, I do love that girl. Even better, she sent me a Dubsmash, which is evidently a thing, of her talking over the famous Honey Badger clip on YouTube. I was cracking up.

I have been doing that a lot lately. Laughing, that is. And it’s great. Sometimes I get a little too intense (yes, really!) and it’s nice to have some foils in the house now, who can help me see the humor in things. Even better, they understand my sarcasm and routinely give it right back to me. So I am training the next generation to function in the world, by not taking themselves so seriously, and that may be the biggest win of all.

–Mike

Photo credit: “Horse Laugh” originally uploaded by Bill Gracey




Incite 4 U

  1. The cloud poster child: As discussed in this week’s FireStarter, the cloud is happening faster than we expected. And that means security folks need to think about things differently. As if you needed more confirmation, check out this VentureBeat profile of Netflix and their movement towards shutting down their data centers to go all Amazon Web Services. The author of the article calls this the future of enterprise tech and we agree. Does that mean existing compute, networking, and storage vendors go away? Not overnight, but in 10-15 years infrastructure will look radically different. Radically. But in the meantime, things are happening fast, and folks like Netflix are leading the way. – MR

  2. Future – in the past tense: TechCrunch recently posted The Future of Coding Is Here, outlining how the arrival of APIs (Application Programming Interfaces) has ushered in a new era of application development. The fact is that RESTful APIs have pretty much been the lingua franca of software development since 2013, with thousands of APIs available for common services. By the end of 2013 every major API gateway vendor had been acquired by a big IT company. That was because APIs are an enabling technology, speeding integration and deployment, and making it easy to leverage everything from mobile to the Internet of Things. And don’t even bother trying to use cloud services without leveraging vendor APIs. But the OWASP Top Ten will not change any time soon, as traditional web-facing apps and browsers still provide too many attractive targets for attackers to forsake them. – AL

  3. Cheaters gonna cheat: Crowdstrike published some interesting research recently, discussing how they detected the Chinese hacking US commercial entities, even after the landmark September 25 agreement not to. Now, of course, there could have been a lag between when the agreement was signed and when new marching orders made it to the front lines. Especially when you send the message by Pony Express. Turns out there are things like email, phones, and maybe even these newfangled things called “web sites” to make sure everyone knows about changes in policy. But did you really expect a political agreement to change anything? Me neither. So just like cheaters are gonna cheat, nation states are gonna hack. – MR

  4. Stealing from spies: Hackers have figured out how to uncloak advertising links embedded in iFrames by exploiting the relationship between two frames. For those of us who think iFrames are an attack vector themselves, it’s no surprise that this dodgy means of tracking users and supporting ad networks was cracked by bad (worse?) guys. The good news is that it does not expose any additional user information, but it does allow attackers to manipulate ad clicks. Most tricks, hacks, and sneaky methods of scraping data or forcing user browsers to take action were pioneered by some marketing firm to game the system. The problem is that dodgy habits are endemic to how many very large companies make money, so we get hacked solutions to compensate for the hacks these firms leverage to satisfy their own profit motive. Until the economics change, hackers will have plenty of ‘features’ from ad, social, and analytics networks to exploit and profit. – AL

  5. A cyberinsurance buffet: Warren Buffett has done pretty well by sticking to things he can understand. OK, maybe that’s the understatement of the millennium. His Specialty Insurance business getting into underwriting cyber policies seems to run counter to that philosophy. He wouldn’t even invest in tech companies, but now he’s willing to value something that you pretty much can’t value (cyber-exposure). Of course it’s not Warren himself writing the policies. But all the same, and maybe it’s just me, but it is not clear how to write these policies – even the best defenses can be breached at any time by sophisticated attackers. I’m happy to hear explanations, because I still don’t get this. – MR

—Mike Rothman

Thursday, September 24, 2015

Incite 9/23/2015: Friday Night Lights

By Mike Rothman

I didn’t get the whole idea of high school football. When I was in high school, I went to a grand total of zero point zero (0.0) games. It would have interfered with the Strat-o-Matic and D&D parties I did with my friends on Friday listening to Rush. Yeah, I’m not kidding about that.

A few years ago one of the local high school football teams went to the state championship. I went to a few games with my buddy, who was a fan, even though his kids didn’t go to that school. I thought it was kind of weird, but it was a deep playoff run so I tagged along. It was fun going down to the GA Dome to see the state championship. But it was still weird without a kid in the school.

Friday Night Lights

Then XX1 entered high school this year. And the twins started middle school and XX2 is a cheerleader for the 6th grade football team and the Boy socializes with a lot of the players. Evidently the LAX team and the football team can get along. Then they asked if I would take them to the opener at another local school one Friday night a few weeks ago. We didn’t have plans that night, so I was game. It was a crazy environment. I waited for 20 minutes to get a ticket and squeezed into the visitor’s bleachers.

The kids were gone with their friends within a minute of entering the stadium. Evidently parents of tweens and high schoolers are strictly to provide transportation. There will be no hanging out. Thankfully, due to the magic of smartphones, I knew where they were and could communicate when it was time to go.

The game was great. Our team pulled it out with a TD pass in the last minute. It would have been even better if we were there to see it. Turns out we had already left because I wanted to beat traffic. Bad move. The next week we went to the home opener and I didn’t make that mistake again. Our team pulled out the win in the last minute again and due to some savvy parking, I was able to exit the parking lot without much fuss.

It turns out it’s a social scene. I saw some buddies from my neighborhood and got to check in with them, since I don’t really hang out in the neighborhood much anymore. The kids socialized the entire game. And I finally got it. Sure it’s football (and that’s great), but it’s the community experience. Rooting for the high school team. It’s fun.

Do I want to spend every Friday night at a high school game? Uh no. But a couple of times a year it’s fun. And helps pass the time until NFL Sundays. But we’ll get to that in another Incite.

–Mike

Photo credit: “Punt” originally uploaded by Gerry Dincher


Thanks to everyone who contributed to my Team in Training run to support the battle against blood cancers. We’ve raised almost $6000 so far, which is incredible. I am overwhelmed with gratitude. You can read my story in a recent Incite, and then hopefully contribute (tax-deductible) whatever you can afford. Thank you.

The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.


Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Pragmatic Security for Cloud and Hybrid Networks

Building Security into DevOps

Building a Threat Intelligence Program

Network Security Gateway Evolution

Recently Published Papers


Incite 4 U

  1. Monty Python and the Security Grail: Reading Todd Bell’s CSO contribution “How to be a successful CISO without a ‘real’ cybersecurity budget” was enlightening. And by enlightening, I mean WTF? This quote made me shudder: “Over the years, I have learned a very important lesson about cybersecurity; most cybersecurity problems can be solved with architecture changes.” Really? Then he maps out said architecture changes, which involve segmenting every valuable server and using jump boxes for physical separation. And he suggests application layer encryption to protect data at rest. The theory behind the architecture works, but very few can actually implement it. I guess this could be done for very specific projects, but across the entire enterprise? Good luck with that. It’s kind of like searching for the Holy Grail. It’s only a flesh wound, I’m sure. Though there is some stuff of value in here. I do agree that fighting the malware game doesn’t make sense and assuming devices are compromised is a good thing. But without a budget, the CISO is pissing into the wind. If the senior team isn’t willing to invest, the CISO can’t be successful. Period. – MR

  2. Everyone knows where you are: A peer review of metadata? Reporter Will Ockenden released his personal ‘metadata’ into the wild and asked the general public for an analysis of his personal habits. This is a fun read! It shows the basics of what can be gleaned with just cell phone data. But it gets far more interesting when you do what every marketing firm and government does – enrichment by adding additional data sources, like web sites and credit card purchases. Then you build a profile of the user; marketing organizations look at what someone might be interested in buying, looking at trends from similar user profiles. Governments look for behavior that denotes risks, and create a risk score based upon behavior – or outliers of your behavior – and also match this against the profile of your contacts. It’s the same thing we’ve been doing with security products for the last decade (you know, that security analytics thing), but turned on the general populace. Just as the reviewers of Ockenden’s data found, some of their findings are shockingly accurate. Most people, like Ockenden, get a little creeped out knowing that there are people focusing something akin to invisible cameras on their lives. Once again, McNealy was right all those years ago. Privacy is dead, get over it. – AL
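To make the “what can be gleaned with just cell phone data” point concrete, here is an added example (not code from the Incite or from the Ockenden analysis) that runs the two basic inferences a profiler makes over a handful of constructed, hypothetical call-detail-style records: the cell the handset sits on overnight is “home”, the dominant weekday daytime cell is “work”, and any night the handset never touches the home cell is exactly the kind of outlier a risk scorer keys on. The record format, cell ids and timestamps are all made up for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed, hypothetical records: (ISO 8601 timestamp, serving cell id).
# Not real data; just enough rows to show the inference working.
RECORDS = [
    ("2015-09-14T23:10:00", "cell_A"),
    ("2015-09-15T02:30:00", "cell_A"),
    ("2015-09-15T09:15:00", "cell_B"),
    ("2015-09-15T12:40:00", "cell_B"),
    ("2015-09-15T16:05:00", "cell_B"),
    ("2015-09-15T23:45:00", "cell_A"),
    ("2015-09-16T10:00:00", "cell_B"),
    ("2015-09-16T14:20:00", "cell_B"),
    ("2015-09-16T23:30:00", "cell_A"),
    ("2015-09-17T11:00:00", "cell_B"),
    ("2015-09-17T23:50:00", "cell_C"),  # a night spent somewhere other than usual
    ("2015-09-18T01:20:00", "cell_C"),
    ("2015-09-18T09:30:00", "cell_B"),
]


def parse(records):
    return [(datetime.fromisoformat(ts), cell) for ts, cell in records]


def is_night(dt):
    """22:00-06:00: wherever the handset sits overnight is almost always 'home'."""
    return dt.hour >= 22 or dt.hour < 6


def is_work_hours(dt):
    """Weekday 09:00-17:00: the dominant daytime cell is a good 'work' guess."""
    return dt.weekday() < 5 and 9 <= dt.hour < 17


def infer_anchor(events, predicate):
    """Most frequently seen cell among the records matching the time-of-day predicate."""
    counts = Counter(cell for dt, cell in events if predicate(dt))
    return counts.most_common(1)[0][0] if counts else None


def night_of(dt):
    """Records before 06:00 belong to the previous evening's night."""
    day = dt.date()
    return day - timedelta(days=1) if dt.hour < 6 else day


def nights_away(events, home):
    """Nights on which the handset never touched the home cell: the outliers a scorer flags."""
    per_night = defaultdict(set)
    for dt, cell in events:
        if is_night(dt):
            per_night[night_of(dt)].add(cell)
    return sorted(str(day) for day, cells in per_night.items() if home not in cells)


def build_profile(records):
    events = parse(records)
    home = infer_anchor(events, is_night)
    work = infer_anchor(events, is_work_hours)
    return {"home": home, "work": work, "nights_away": nights_away(events, home)}


if __name__ == "__main__":
    print(build_profile(RECORDS))
```

Thirteen timestamped cell ids are enough to name where this person sleeps, where they work, and which night they did not come home. Enrichment is the same loop with more predicates: add a merchant-to-cell mapping and card purchases, or the profiles of the numbers they call, and the “outliers” get both more specific and more accurate.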

  3. Own it. Learn. Move on.: I love this approach by Etsy of confessing mistakes to the entire company and allowing everyone to learn. Without the stigma of screwing up, employees can try things and innovate. Having a culture of blamelessness is really cool. In security, sharing has always been frowned upon. Practitioners think the adversaries will learn how to break into their environment. It turns out the attackers are already in. Threat intelligence is helping to provide a value-add for sharing the information and that’s a start. Increasingly detailed breach notifications give everyone a chance to learn. And that’s what we need as an industry. The ability to learn from each other and improve. Without having to learn everything the hard way. – MR

  4. Targeted Compliance: Target says it’s ready for EMV having made their transition to EMV card enabled devices at the point of sale. What’s more, they’ve taken the more aggressive step in using chip and PIN, as opposed to chip and signature, as that offers better security for the issuing banks. Yes, the issuing banks benefit, not the consumer. But they are marketing this upgrade to consumers with videos to show them how to use EMV ‘chipped’ cards – which need to stay in the card reader for a few seconds, unlike mag stripe cards. I think Target should be congratulated on going straight to chip and PIN, although it’s probably not going to yield much loss prevention as most of the chip cards are being issued without a PIN code. But the real question most customers and investors should be asking is “Is Target still passing PAN data from the terminal in the clear?” Yep, just because they’re EMV compliant does not mean that credit card data is being secured with Point to Point Encryption (P2PE). One step forward, one step back. Which leaves us in the same place we started. Sigh. – AL

  5. Lawyers FTW. Cyber-insurance FML. You buy cyber-insurance to cover a breach, right? At least to pay you for the cost of the clean-up. And then your insurer rides a loophole to reject the claim, which basically protects them from having to pay in the case of social engineering. Yup, lawyers are involved and loopholes are found because that’s what insurance companies do. They try to avoid liability and ultimately force the client into legal action (yes, that’s a pretty cynical view of insurers, but I’ll tell you my healthcare tale of woe sometime as long as you are paying for the drinks…). At some point in 3-4 years some kind of legal precedent regarding whether the insurer is liable will be established. Until then, you are basically rolling the dice. But you don’t have a lot of other options, now do you? – MR

—Mike Rothman

Wednesday, August 26, 2015

Incite 8/26/2015: Epic Weekend

By Mike Rothman

Sometimes I have a weekend when I am just amazed. Amazed at the fun I had. Amazed at the connections I developed. And I’m aware enough to be overcome with gratitude for how fortunate I am. A few weekends ago I had one of those experiences. It was awesome.

It started on a Thursday. After a whirlwind trip to the West Coast to help a client out with a short-term situation (I was out there for 18 hours), I grabbed a drink with a friend of a friend. We ended up talking for 5 hours and closing down the bar/restaurant. At one point we had to order some food because they were about to close the kitchen. It’s so cool to make new friends and learn about interesting people with diverse experiences.

The following day I got a ton of work done and then took XX1 to the first Falcons pre-season game. Even though it was only a pre-season game it was great to be back in the Georgia Dome. But it was even better to get a few hours with my big girl. She’s almost 15 now and she’ll be driving soon enough (Crap!), so I know she’ll prioritize spending time with her friends in the near term, and then she’ll be off to chase her own windmills. So I make sure to savor every minute I get with her.

On Saturday I took the twins to Six Flags. We rode roller coasters. All. Day. 7 rides on 6 different coasters (we did the Superman ride twice). XX2 has always been fearless and willing to ride any coaster at any time. I don’t think I’ve seen her happier than when she was tall enough to ride a big coaster for the first time. What’s new is the Boy. In April I forced him onto a big coaster up in New Jersey. He wasn’t a fan. But something shifted over the summer, and now he’s the first one to run up and get in line. Nothing makes me happier than to hear him screaming out F-bombs as we careen down the first drop. That’s truly my happy place.

If that wasn’t enough, I had to be on the West Coast (again) Tuesday of the following week, so I burned some miles and hotel points for a little detour to Denver to catch both Foo Fighters shows. I had a lot of work to do, so the only socializing I did was in the pit at the shows (sorry Denver peeps). But the concerts were incredible, I had good seats, and it was a great experience.

in the pit

So my epic weekend was epic. And best of all, I was very conscious that not a lot of people get to do these kinds of things. I was so appreciative of where I am in life. That I have my health, my kids want to spend time with me, and they enjoy doing the same things I do. The fact that I have a job that affords me the ability to travel and see very cool parts of the world is not lost on me either. I guess when I bust out a favorite saying of mine, “Abundance begins with gratitude,” I’m trying to live that every day.

I realize how lucky I am. And I do not take it for granted. Not for one second.

–Mike

Photo credit: In the pit picture by MSR, taken 8/17/2015


Thanks to everyone who contributed to my Team in Training run to support the battle against blood cancers. We’ve raised almost $6000 so far, which is incredible. I am overwhelmed with gratitude. You can read my story in a recent Incite, and then hopefully contribute (tax-deductible) whatever you can afford. Thank you.

The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.


Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Building a Threat Intelligence Program

EMV and the Changing Payment Space

Network Security Gateway Evolution

Recently Published Papers


Incite 4 U

  1. Can ‘em: If you want better software quality, fire your QA team – that’s what one of Forrester’s clients told Mike Gualtieri. That tracks to what we have been seeing from other firms, specifically when the QA team is mired in an old way of doing things and won’t work with developers to write test scripts and integrate them into the build process. This is one of the key points we learned earlier this year on the failure of documentation, where firms moving to Agile were failing as their QA teams insisted on hundreds of pages of specifications for how and what to test. That’s the opposite of Agile and no bueno! Steven Maguire hit on this topic back in January when he discussed documentation and communication making QA a major impediment in moving to more Agile – and more automated – testing processes. Software development is undergoing a radical transformation, with RESTful APIs, DevOps principles, and cloud & virtualization technologies enabling far greater agility and efficiency than ever before. And if you’re in IT or Operations, take note, because these disruptive changes will hit you as well. Upside the head. – AL

  2. Security technologies never really die… Sometimes you read an article and can’t tell if the writer is just trolling you. I got that distinct feeling reading Roger Grimes’ 10 security technologies destined for the dustbin. Some are pretty predictable (SSL being displaced by TLS, IPSec), which is to be expected. And obvious, like calling for AV scanners to go away, although claiming they will die in the wake of a whitelisting revolution is curious. Others are just wrong. He predicts the demise of firewalls because of an increasing amount of encrypted traffic. Uh, no. You’ll have to deal with the encrypted traffic, but access control on the network (which is what a firewall does) is here to stay. He says anti-spam will go away because high-assurance identities will allow us to blacklist spammers. Uh huh. Another good one is that you’ll no longer collect huge event logs. I don’t think his point is that you won’t collect any logs, but that vendors will make them more useful. What about compliance? And forensics? Those require more granular data collection. It’s interesting to read these thoughts, but if he bats .400 I’ll be surprised. – MR

  3. Don’t cross the streams: In a recent post on Where do PCI-DSS and PII Intersect?, Infosec Institute makes a case for dealing with PII under the same set of controls used for PCI-DSS V3. We take a bit of a different approach: Decide whether you need the data, and if not use a surrogate like masking or tokenization – maybe even get rid of the data entirely. It’s hard to steal what you don’t have. Just because you’ve tokenized PAN data (CCs) does not mean you can do the same with PII – it depends on how the data is used. Including PII in PAN data reports is likely to confuse auditors and make things more complicated. And if you’re using encryption or dynamic masking, it will take work to apply it to different data sets. The good news is that if you are required to comply with PCI-DSS, you have likely already invested in security products and staff with experience in dealing with sensitive data. You need to figure out how to handle data security, understanding that what you do for PII will likely differ from what you do for in-scope PCI data because the use cases are different. – AL
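The “use a surrogate” advice above, and the point that PAN and PII want different treatment, in working code. This is an added example, not code from Securosis or from the Infosec Institute post: a minimal in-memory stand-in for a tokenization service (a real one sits behind an API and a hardened vault; the `TokenVault` class, its method names and the keyed-hash helper are all assumptions made here), a masking function for display, and a keyed hash for PII fields you only ever need to join or dedupe on. The test PAN is the well-known 4111… Luhn-valid sample, not a real card.

```python
import hashlib
import hmac
import secrets


def luhn_valid(pan: str) -> bool:
    """Reject anything that is not a plausible PAN before it enters the vault."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                       # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


class TokenVault:
    """Minimal in-memory stand-in for a tokenization service (hypothetical, for illustration).

    The token keeps only the last four digits (enough for receipts and support calls);
    the rest is random, so the token carries no PAN information and can live in systems
    you want to keep out of PCI scope. Only the vault can reverse it.
    """

    def __init__(self):
        self._pan_to_token = {}
        self._token_to_pan = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        if pan in self._pan_to_token:        # same PAN -> same token, so joins still work
            return self._pan_to_token[pan]
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            if token != pan and token not in self._token_to_pan:
                break
        self._pan_to_token[pan] = token
        self._token_to_pan[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._token_to_pan[token]


def mask_pan(pan: str) -> str:
    """Display form for screens and reports: never more than first six / last four in the clear."""
    return "*" * (len(pan) - 4) + pan[-4:]


def pii_join_key(value: str, key: bytes) -> str:
    """Keyed hash for PII (e-mail, SSN) that you must join or dedupe on but never reverse.

    HMAC with a secret key rather than a bare SHA-256: an unkeyed hash of an e-mail
    address is trivially brute-forced from any list of addresses.
    """
    normalized = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    vault = TokenVault()
    pan = "4111111111111111"                 # standard test number, not a real card
    tok = vault.tokenize(pan)
    print(tok, mask_pan(pan), vault.detokenize(tok))
    print(pii_join_key("Alice@Example.com", b"rotate-me"))
```

The split is the point: the PAN gets a reversible token because the business eventually needs the real number (chargebacks, re-billing) and the vault is the one in-scope system; the e-mail address gets an irreversible keyed hash because the business only needs to know it is the same customer, and the HMAC key has to be managed like any other secret, not hardcoded as in the demo.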

  4. Applying DevOps to Security: Our pal Andrew Storms offers a good selection of ideas on how to take lessons learned in DevOps and apply them to security on the ITProPortal. His points about getting everyone on board and working in iterations hit home. Those are prominent topics as we work with clients to secure their newfangled continuous deployment environments. He also has a good list of principles we should be following anyway, such as encrypting everything (where feasible), planning for failure, and automating everything. These new development and operational models are going to take root sooner rather than later. If you want a head start on where your career is going, start reading stuff like this now. – MR

—Mike Rothman

Wednesday, August 12, 2015

Incite 8/12/2015: Transitions

By Mike Rothman

The depths of summer heat in Atlanta can only mean one thing: the start of the school year. The first day of school is always the second Monday in August, so after a week of frenetic activity to get the kids ready, and a day’s diversion for some Six Flags roller coaster goodness, the kids started the next leg of their educational journey.

XX1 started high school, which is pretty surreal for me. I remember her birth like it was yesterday, but her world has gotten quite a bit bigger. She spent the summer exploring the Western US and is now in a much bigger school. Of course her world will continue to get bigger with each new step. It will expand like a galaxy if she lets it.

The twins also had a big change of scene, starting middle school. So they were all fired up about getting lockers for the first time. A big part of preparing them was to make sure XX2’s locker was decorated and that the Boy had an appropriately boyish locker shelf. The pink one we had left over from XX1 was no bueno. Dark purple shelves did the trick.

Ever expanding

Their first day started a bit bumpy for the twins, with some confusion about the bus schedule – much to our chagrin, when we headed out to meet the bus, it was driving right past. So we loaded them into the car and drove them on the first day. But all’s well that ends well, and after a couple days they are settling in.

As they transition from one environment to the next, the critical thing is to move forward understanding that there will be discomfort. It’s not like they have a choice about going to the next school. Georgia kind of mandates that. But as they leave the nest to build their own lives they’ll have choices – lots of them. Stay where they are, or move forward into a new situation, likely with considerable uncertainty.

A quote I love is: “In any given moment we have two options: to step forward into growth or to step back into safety.” If you have been reading the Incite for any length of time you know I am always moving forward. It’s natural for me, but might not be for my kids or anyone else. So I will continue ensuring they are aware that during each transition they can decide what to do. There are no absolutes; sometimes they will need to pause, and other times they should jump in. And if they take Dad’s lead they will keep jumping into an ever-expanding reality.

–Mike

Photo credit: “Flickrverse, Expanding Ever with New Galaxies Forming” originally uploaded by cobalt123


Thanks to everyone who contributed to my Team in Training run to support the battle against blood cancers. We have raised over $5,000 so far, which is incredible. I am overwhelmed with gratitude. You can read my story in a recent Incite, and then hopefully contribute (tax-deductible) whatever you can afford. Thank you.

The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.


Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Building a Threat Intelligence Program

EMV and the Changing Payment Space

Network Security Gateway Evolution

Recently Published Papers


Incite 4 U

  1. Business relevance is still important: Forrester’s Peter Cerrato offers an interesting analogy at ZDNet about not being a CISO dinosaur, and avoiding extinction. Instead try to be an eagle, whose ancestors survived the age of the dinosaurs. How do you do that? By doing a lot of the things I’ve been talking about for, um, 9 years at this point. Be relevant to business? Yup. Get face time with executives and interface with the rank and file? Yup. Plan for failure? Duh. I don’t want to minimize the helpfulness or relevance of this guidance. But I do want to make clear that the only thing new here is the analogy. – MR

  2. The Dark Tangent is right: What did I learn at Black Hat? That people can hack cars. Wait, I am pretty sure I already knew this was possible. Maybe it was the new Adobe Flash bugs? Or IoT vulnerabilities? Mobile hacks or browser vulnerabilities? Yeah, same old parade of vulnerable crap. What I really learned is that Jeff Moss is right: Software liability is coming. Few vendors – Microsoft being the notable exception – have really put in the effort to address vulnerable software. Mary Ann Davidson’s insulting rant reinforces that vendors really don’t want to fix vulnerabilities – to the extent they will threaten and sue their customers to retain the status quo. We have seen it in the past with automotive Lemon Laws and in the meat packing industry of the early 1900s – when vendors won’t address their $#!?, legislators will. – AL

  3. Hygiene separates those who know what they are doing… As security becomes a more common topic of discussion with the masses (thank the daily breach-o-rama for that), it’s interesting to see how experienced folks think differently than inexperienced people. Google did some research to get a feel for what separates ‘experts’ from ‘non-experts’ in terms of how they attempt to stay safe. The biggest difference? If you had patching, you win the pool. Both groups are aware of strong passwords. The experts like MFA (as they should) and the n00bs change passwords frequently (which doesn’t help). But it’s keeping devices up to date and configured correctly that makes the difference. Who knew? You did, because this is what you do for a living. – MR

  4. Double Trouble: Encryption is an amazingly effective security control – when properly implemented and deployed. Both are hard to do, and it is shocking how often big companies get this wrong. It turns out that SAP Hana is storing the same encryption key in the same memory location for all servers. Security researchers found the weakness after the discovery of a SQL injection bug that allowed them to remotely execute code on the Hana cluster. The good news is that customers can – and should – change the key after the software is installed, so there is a workaround. But given the complexity of the process and the fear of encrypting data and losing keys, many don’t. And even if you do, until you patch the known attack vectors, the new key can also be obtained by hackers, who can then decrypt at will. Given SAP’s prevalence at large firms, attackers and security researchers have turned their attention to SAP products in the last couple years. So if you’re an SAP Hana customer, patch and change your keys now! – AL

  5. Control? Ha! As always, Godin puts everything in perspective. This time he tackles the illusion of control. So many folks get pissed when things don’t go their way. They don’t get a project funded. Their prodigy leaves for a high-paying consulting job. You get owned because an employee clicked the wrong thing. You can let this result in disappointment, or not. Your choice. Control is a myth. The post ends with a truism we all should keep front and center in our daily activities: “You’re responsible for what you do, but you don’t have authority and control over the outcome. We can hide from that, or we can embrace it.” – MR

—Mike Rothman

Wednesday, July 29, 2015

Incite 7/29/2015: Finding My Cause

By Mike Rothman

When you have resources you are supposed to give back. That’s what they teach you as a kid, right? There are folks less fortunate than you, so you help them out. I learned those lessons. I dutifully gave to a variety of charities through the years. But I was never passionate about any cause. Not enough to get involved beyond writing a check.

I would see friends of mine passionate about whatever cause they were pushing. I figured if they were passionate about it I should give, so I did. Seemed pretty simple to me, but I always had a hard time asking friends and associates to donate to something I wasn’t passionate about. It seemed disingenuous to me. So I didn’t.

I guess I’ve always been looking for a cause. But you can’t really look. The cause has to find you. It needs to be something that tugs at the fabric of who you are. It has to be something that elicits an emotional response, which you need to be an effective fundraiser and advocate. It turns out I’ve had my cause for over 10 years – I just didn’t know it until recently.

Cancer runs in my family. Mostly on my mother’s side or so I thought. Almost 15 years ago Dad was diagnosed with Stage 0 colon cancer. They were able to handle it with a (relatively) minor surgery because they caught it so early. That was a wake-up call, but soon I got caught up with life, and never got around to getting involved with cancer causes. A few years later Dad was diagnosed with Chronic Lymphocytic Leukemia (CLL). For treatment he’s shied away from western medicine, and gone down his own path of mostly holistic techniques. The leukemia has just been part of our lives ever since, and we accommodate. With a compromised immune system he can’t fly. So we go to him. For big events in the South, he drives down. And I was not exempt myself, having had a close call back in 2007. Thankfully due to family history I had a colonoscopy before I was 40 and the doctor found (and removed) a pre-cancerous polyp that would not have ended well for me if I hadn’t had the test.

Yet I still didn’t make the connection. All these clues, and I was still spreading my charity among a number of different causes, none of which I really cared about. Then earlier this year another close friend was diagnosed with lymphoma. They caught it early and the prognosis is good. With all the work I’ve done over the past few years on being aware and mindful in my life, I finally got it. I found my cause – blood cancers. I’ll raise money and focus my efforts on finding a cure.

It turns out the Leukemia and Lymphoma Society has a great program called Team in Training to raise money for blood cancer research by supporting athletes in endurance races. I’ve been running for about 18 months now and already have two half marathons under my belt. This is perfect. Running and raising money! I signed up to run the Savannah Half Marathon in November as part of the TNT team. I started my training plan this week, so now is as good a time as any to gear up my fundraising efforts. I am shooting to run under 2:20, which would be a personal record.

Team in Training

Given that this is my cause, I have no issue asking you to help out. It doesn’t matter how much you contribute, but if you’ve been fortunate (as I have) please give a little bit to help make sure this important research can be funded and this terrible disease can be eradicated in our lifetime. Dad follows the research very closely as you can imagine, and he’s convinced they are on the cusp of a major breakthrough.

Here is the link to help me raise money to defeat blood cancers: Mike Rothman’s TNT Fund Raising Page.

I keep talking about my cause, but this isn’t about me. This is about all the people suffering from cancer and specifically blood cancers. I’m raising money for all the people who lost loved ones or had to put their lives on hold as people they care about fight. Again, if you can spare a few bucks, please click the link above and contribute.

–Mike


The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. It’s on YouTube, so take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.


Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Building a Threat Intelligence Program

EMV and the Changing Payment Space

Network Security Gateway Evolution

Recently Published Papers


Incite 4 U

  1. Zombie software: Every few years a bit of software pops up that advocates claim will identify users through analysis of typing patterns. Inevitably these things die because nobody wants or uses them. That old technology-looking-for-a-problem problem. Over the years it has been positioned as a way to keep administrative terminals safe, or for use by banks to ensure only legitimate customers access their accounts. And so here we go again, for the 8th time in my memory, a keyboard-based user profiler, only now it’s positioned as a way to detect users behind a Tor session. What we are looking at is a bit of code installed on a computer which maps the timing intervals between characters and words a user types. I first got my hands on a production version of this type of software in 2004, and lo and behold it could tell me apart from my co-workers with 90% certainty. Until I had a beer, and then it failed. Or when I was in a particularly foul mood and my emphatic slamming of keys changed my typing pattern. Or until I allowed another user on the machine and screwed up its behavioral pattern matching because it was retraining the baseline. There are lots of people in the world with a strong desire to know who is behind a keyboard – law enforcement and marketers, to name a few – so there will always be a desire for this tech to work. And it does, under ideal conditions, but blows up in the real world. – AL

  2. Endpoint protection is hard. Duh! With all the advanced attacks and adversaries out there, it’s hard to protect endpoints. And in other news, grass is green, the sky is blue, and vendors love FUD. This wrapup in Network World is really just a laundry list of all the activity happening to protect endpoints. We have big vendors and start-ups and a bunch of companies in between, who look at a $5B market where success is not expected and figure it’s ripe for disruption. Which is true, but who cares? Inertia is strong on the endpoint, so what’s different now? It’s actually the last topic in the article, which mentions that compliance regimes are likely to expand the definition of anti-malware to include these new capabilities. That’s the shoe that needs to drop to create some kind of disruption. And once that happens it will be a mass exodus off old-school AV and onto something shinier. That will work better, until it doesn’t… – MR

  3. Hippies and hackers: According to emptywheel, only hippies and hackers argue against back doors in software. Until now, that is. Apparently at the Aspen Security Forum this week, none other than Michael Chertoff made a surprise statement: “I think that it’s a mistake to require companies that are making hardware and software to build a duplicate key or a back door … ” All kidding aside, the emptywheel blog nailed the sentiment, saying “Chertoff’s answer is notable both because it is so succinct and because of who he is: a long-time prosecutor, judge, and both Criminal Division Chief at DOJ and Secretary of Homeland Security. Through much of that career, Chertoff has been the close colleague of FBI Director Jim Comey, the guy pushing back doors now.” This is the first time I’ve heard someone out of the intelligence/DHS community make such a statement. Back doors are synonymous with compromised security, and we know hackers and law enforcement are equally capable of using them. So it’s encouraging to hear from someone who has the ear of both government and the tech sector. – AL

  4. Survival of the fittest: Dark Reading offered a good case study of how a business deals with a DDoS attack. The victim, HotSchedules, was targeted for no apparent reason – with no ransom or other demands. So what do you do? Job #1 is to make sure customers have the information they need, and all employees had to work old-school (like, via email and phones) to make sure customers could still operate. Next, try to get the system up and running again. They tried a few options, but ultimately ended up moving their systems behind a network scrubbing service to restore operations. My takeaways are pretty simple. You are a target. Even if you don’t think you are. Also you need a plan to deal with a volumetric attack. Maybe it’s using a Content Delivery Network or contracting with a scrubbing service. Regardless of the solution, you need to respond quickly. – MR

—Mike Rothman

Wednesday, July 15, 2015

Incite 7/15/15 — On Top of the Worlds

By Mike Rothman

I discussed my love of exploring in the last Incite, and I have been fortunate to have time this summer to actually explore a bit. The first exploration was a family vacation to NYC. Well, kind of NYC. My Dad has a place on the Jersey shore, so we headed up there for a couple days and took day trips to New York City to do the tourist thing.

For a guy who grew up in the NY metro area, it’s a bit weird that I had never been to the Statue of Liberty. The twins studied the history of the Statue and Ellis Island this year in school, so I figured it was time. That was the first day trip, and we were fortunate to be accompanied by Dad and his wife, who spent a bunch of time in the archives trying to find our relatives who came to the US in the early 1900s. We got to tour the base of Lady Liberty’s pedestal, but I wasn’t on the ball enough to get tickets to climb up to the crown. There is always next time.

WTC

A few days later we went to the new World Trade Center. I hadn’t been to the new building yet and hadn’t seen the 9/11 memorial. The memorial was very well done, a powerful reminder of the resilience of NYC and its people. I made it a point to find the name of a fraternity brother who passed away in the attacks, and it gave me an opportunity to personalize the story for the kids. Then we headed up to the WTC observation deck. That really did put us on top of the world. It was a clear day and we could see for miles and miles and miles. The elevators were awesome, showing the skyline from 1850 to the present day as we rose 104 stories. It was an incredible effect, and the rest of the observation deck was well done. I highly recommend it for visitors to NY (and locals playing hooky for a day).

Then the kids went off to camp and I hit the road again. Rich was kind enough to invite me to spend the July 4th weekend in Boulder, where he was spending a few weeks over the summer with family. We ran a 4K race on July 4th, and drank what seemed to be our weight in beer (Avery Brewing FTW) afterwards. It was hot and I burned a lot of calories running, so the beer was OK for my waistline. That’s my story and I’m sticking to it.

The next day Rich took me on a ‘hike’. I had no idea what he meant until it was too late to turn back. We did a 2,600’ elevation change (or something like that) and summited Bear Peak. We ended up hiking about 8.5 miles in a bit over 5 hours. At one point I told Rich I was good, about 150’ from the summit (facing a challenging climb). He let me know I wasn’t good, and I needed to keep going. I’m glad he did because it was both awesome and inspiring to get to the top.

Mike on Bear Peak

I’ve never really been the outdoorsy type, so this was way outside my comfort zone. But I pushed through. I got to the top, and as Rich told me would happen before the hike, everything became crystal clear. It was so peaceful. The climb made me appreciate how far I’ve come. I had a similar feeling when I crossed the starting line during my last half marathon. I reflected on how unlikely it was that I would be right there, right then. Unlikely according to both who I thought I was and what I thought I could achieve.

It turns out those limitations were in my own mind. Of my own making. And not real. So now I have been to the top of two different worlds, exploring and getting there via totally different paths. Those experiences provided totally different perspectives. All I know right now is that I don’t know. I don’t know what the future holds. I don’t know how many more hills I’ll climb or races I’ll run or businesses I’ll start or places I’ll live, or anything for that matter. But I do know it’s going to be very exciting and cool to find out.

–Mike

Photo credit: “One World Trade Center Observatory (5)” originally uploaded by Kai Brinker and Mike Selfie on top of Bear Peak.






Heavy Research


Threat Detection Evolution

Network-based Threat Detection

Network Security Gateway Evolution

Recently Published Papers


Incite 4 U

  1. It takes a data scientist to know one: Data science is hot, hot, hot. Especially in security, where the new hotness is analytics to detect space alien attackers. And the data scientists have the keys to find them. Of course, then you actually have to hire these folks. And it’s not like when I ran marketing teams, and knew the jobs of my team as well as they did. So if you’re not a math person, how do you hire a math person? The good news is that one of my favorite math people, Jay Jacobs (now of BitSight) has listed 5 things to think about when hiring a data scientist. His first suggestion is to give them data and let them do their stuff. Which makes a huge amount of sense. That’s what I did for every job I interviewed for. I either prepared a research report or presentation, or built a marketing plan. You also need to ask questions (even if you think they are dumb questions), understand what they’ve done, and see if they can communicate the value of their efforts in business terms. Jay’s last point is the most critical. Data scientists are kind of like unicorns. If you hold out for the perfect one, you will be looking for a long time. As in every emerging field, you need to balance substance and experience with intelligence and drive, because the function will change and you will need your hires to grow along with it. – MR

  2. Tortoise and Hare: Our own Dave Lewis’ recent post on Forbes – The Opportunity Presented By Shadow IT – mirrors a trend I am seeing with CISOs. Several CISOs I heard from during a recent panel said much the same thing. They had come to view rogue IT as an opportunity to learn. It showed them their users’ (their real customers’) pain points, and where resources should be allocated to address these issues. It showed the delta between IT-governed rollouts and rogue IT, and made very clear the cost differential between the two. Shadow IT showed where security controls went unnoticed, and which users fought or ignored/avoided ‘real’ IT altogether. Dave’s point that the rogue project put the company at risk is on the mark, but it should be clear that a lack of agility within IT – across all industries – is an issue which IT and operations teams need to work on. The status quo is not working. But that’s not news – the status quo has been broken for a long time. – AL

  3. Sucking less at security operations: When I’m doing a talk, I usually get big laughs when I state the obvious: most organizations suck at security ops. Of course the laughs are a bit forced: “Is he talking about me?” Odds are I am, because security ops, like consistent patch and configuration management, is hard. Hygiene is not sexy, but neither is flossing your teeth. Until you lose all your teeth, as my dentist constantly reminds me. SecurityWeek ran a good reminder of the challenges of patching consistently a while ago. But it’s worth revisiting, especially given that almost every major software company has some kind of patching process for their stuff. Of course, as we enter cloud-based reality, patching and ops take on different connotations (and we have a lot to say about that), but for now you need to continue paying attention to the security ops side of the house. Which is a reminder that never gets old, mostly because we as an industry still can’t seem to figure it out. – MR

  4. Bit Split Reduce: Homomorphic encryption is essentially encrypted data that you can still do real work with, including sorting and summing values. A recent Wired article, MIT’s Bitcoin-Inspired ‘Enigma’ Lets Computers Mine Encrypted Data discusses a new take. We have seen many of these claims in the past, including many variants which force cryptographic compromises to enable computation. And we’ve seen the real thing too, but only in laboratory experiments – the processing overhead is about 100k times higher than normal data processing, so not feasible for normal usage. The MIT team’s approach sounds like a combination of the ‘bitsplitting’ storage strategies used by some cloud providers to obfuscate customer data, and big data style distributed processing. With a big data MapReduce function, they use the reduce part to arrange or filter data, protecting its integrity by assigning each node tiny data elements that – on their own – are meaningless. In the aggregate they can produce real results. But the real question is “Is this secure?” Unfortunately I have no clue from the white paper, because security issues are more likely to pop up in practical application, rather than in general concepts. That said, statements like “Thanks to some mathematical tricks the Enigma creators implemented” make me very nervous… so the jury is still out, and will remain so until we have something we can test. – AL

  5. It’s bad. Trust me. Ever the contrarian, Shack goes after the valuation in the wake of a breach bogeyman. A key message in most security vendor pitches is that breaches are bad for market cap. But what if that’s not really the case? What if the data shows that over time a breach can actually be good for business, if only to shine a spotlight on broken processes and force the business to be much more strategic and effective about how they do things? Like most transformation catalysts, it really sucks at the time. Anyone who has lived through a breach response and the associated public black eye knows it sucks. But if that results in positive change and a stronger company at the end of the process, maybe it’s not the worst thing. Nah, never mind. That’s crazy talk. What would all the vendors talk about if they couldn’t scare you with FUD? They’d actually have to address the fact their products don’t help (for the most part). Oh, did I actually write that down? Oops. – MR

—Mike Rothman

Wednesday, July 01, 2015

Incite 7/1/2015: Explorers

By Mike Rothman

When I take a step back I see I am pretty lucky. I’ve seen a lot of very cool places. And experienced a lot of different cultures through my business travels. And now I’m at a point in life where I want to explore more. Not just do business hotels and see the sights from the front seat of a colleague’s car or taxi. I want to explore and see all the cool things this big world has to offer.

It hasn’t always been this way. For the first two decades of my career, I was so focused on getting to the next rung on the career ladder that I forgot to take in the sights. And forget about smelling the roses. That would take time away from my plans for world domination. In hindsight that was ridiculous. I’m certainly not going to judge others who still strive for world domination, but that does not interest me any more.

I’m also at a point in life where my kids are growing up, and I only have a few more years to show them what I’ve learned is important to me. They’ll need to figure out what’s important to them, but in the meantime I have a chance to instill a love of exploration. An appreciation of cultures. And a yearning to see and experience the world. Not from the perspective of their smartphone screen, but by getting out there and experiencing life.

Dora is an explorer

XX1 left for a teen tour last Saturday. Over the next month she’ll see a huge number of very cool things in the Western part of the US. The itinerary is fantastic, and made me wonder if I could take a month off to tag along. It’s not cheap and I’m very fortunate to be able to provide her with that opportunity. All I can do is hope that she becomes an explorer, and explores throughout her life. I have a cousin who just graduated high school. He’s going to do two years of undergrad in Europe to learn international relations – not in a classroom on a sheltered US campus (though there will be some of that), but out in the world. He’s also fortunate and has already seen some parts of the world, and he’s going to see a lot more over the next four years. It’s very exciting.

You can bet I’ll be making at least two trips over there so we can explore Europe together. And no, we aren’t going to do backpacks and hostels. This boy likes hotels and nice meals.

Of course global exploring isn’t for everyone. But it’s important to me, and I’m going to try my damnedest to impart that to my kids. But I have multiple goals. First, I think individuals who see different cultures and different ways of thinking are less likely to judge people with different views. Every day we see the hazards of judgmental people who can’t understand other points of view and think the answer is violence and negativity.

But it’s also clear that we move in a global business environment. Which means to prosper they will need to understand different cultures and appreciate different ways of doing things. It turns out the only way to really gain those skills is to get out there and explore.

Coolest of all is the fact that we all need travel buddies. I can’t wait for the days when I explore with my kids – not as a parent/child thing, but as friends going to check out cool places.

–Mike

Photo credit: “Dora the Explorer” originally uploaded by Hakan Dahlstroem






Heavy Research


Threat Detection Evolution

Network-based Threat Detection

Applied Threat Intelligence

Network Security Gateway Evolution

Recently Published Papers


Incite 4 U

  1. Polishing the crystal ball: Justin Somaini offers an interesting perspective on The Future of Security Solutions. He highlights a lot of disruptive forces poised to fundamentally change how security happens over the next couple of. To make the changes somewhat tangible and less overwhelming, Justin breaks the security world into a few buckets: Network Controls Management, Monitoring and Threat Response, Software Development, Application Management, Device Management, and Risk Management/GRC. Those buckets are as good as any others. We could quibble a bit about where the computing stack resides, which is really about the data. But he highlights a lot of concepts we published in our own Future of Security research. Suffice it to say, it really makes no difference whose version of the future world you believe, because we will all be wrong somehow. Just understand that things are changing for security folks, and you’ll either go headlong into the change or get run over. – MR

  2. Less bad: Bruce Schneier offered a personal look into his selection of full disk encryption options for Windows machines. Surprised he didn’t write his own? Don’t be. Design principles and implementation details make this a hard problem to simplify, and that’s what most users need. He calls his selection “the least bad option”, but honestly it’s noteworthy that the industry has (mostly) progressed past some kid fresh out of school forming a new company based on an algorithm he cobbled together during his graduate studies. Historically you couldn’t audit this superduper new encryption code, because it was someone’s intellectual property and might compromise security if anyone else could see it. The good news is that most of you will be fine with any of Bruce’s options, because you just need to make sure the contents of your drive can’t be copied by whoever steals your laptop. As long as you’re not worried about governments breaking into your stuff, you’re good. If you are worried about governments, then you understand how hard it is to defend against an adversary with vast resources, and why “the least bad option” is really the only option for you. – AL

  3. Due care and the profit motive: Given the breach du jour we seem to read about every day, Trey Ford on the Rapid7 blog reiterates a reasonable question he heard at a recent convention from a government employee: “How do you build a standard of due care?” The Feds think putting Mudge in charge of a CyberUL initiative is a good place to start. I can’t disagree – yet. But I still believe we (as an industry) cannot legislate our way out of the issues of crap security and data protection. Trey mentions the need for information sharing (an NTSB of sorts for breaches) and cyberinsurance underwriting based on data instead of voodoo. I agree on both counts, but add that we need a profit driver to focus the innovation on options that make sense for enterprises, large and small. NIST puts out a bunch of great stuff, but it’s not always relevant to everyone. But if they had to pay their own way, Mr. Market says they’d figure out something that works for a large swath of businesses. Or they’d go away. We have threat intel as a business, and have always talked about the need for metrics/benchmarking businesses to help organizations know how they compare to others, and to optimize their limited resources accordingly. Needing to generate money to keep the lights on tends to help organizations narrow their efforts down to what matters, which legislation doesn’t. – MR

  4. The failure of documentation: I had a peer to peer (P2P) session at the RSA Conference this year on moving security into the Agile development process. But that is not what happened – instead security played a small part, and general process failures a much larger one. In fact it was a room filled mostly with people who had recently tried to move to Agile, and were failing miserably. The number one complaint? “How do we handle documentation?” QA, design, and all the other groups demand their specifications. I stepped on my instinct to say “You’re doing it wrong” – documentation is one of the things you are striving to get rid of, but a lack of agility across the rest of the company trips up many Agile efforts. A handful of people in the room had adopted continuous integration and continuous deployment, which offer one or more solutions to the group’s problems. I am not saying all problems are solved by DevOps – just that the common failure modes in that P2P discussion can be traced back to the silos we created in the days of waterfall, and need to be broken up for Agile processes to thrive. Darknet’s discussion on Agile Security raises the same concerns, and reached a similar conclusion. Security – and the rest of the team for that matter – needs to be better integrated with development. Which we have known for a long time. – AL

  5. Bootstrapping the IR report: Too many incident response reports are pretty short. Slide 1: We got owned. Slide 2: Please don’t fire me. Ugh. Okay, maybe not quite that short, but it’s not like the typical practitioner has models and guides to help document an incident – and, more importantly, to learn from what happened. So thank Lenny Zeltser, who posted a template which combines a bunch of threat, intrusion, and response models into a somewhat coherent whole. It is obviously valuable to have a template for documentation, and you can refine the pieces that work for you after a response or ten. Additionally you can use his template to guide your response if you don’t have an established incident response process. Which is really the first thing you should create. But failing that, Lenny’s template can help you understand the information you should be gathering and its context. – MR

—Mike Rothman

Thursday, June 11, 2015

Incite 6/10/2015: Twenty Five

By Mike Rothman

This past weekend I was at my college reunion. It’s been twenty five years since I graduated. TWENTY FIVE. It’s kind of stunning when you think about it. I joked after the last reunion in 2010 that the seniors then were in diapers when I was graduating. The parents of a lot of this year’s seniors hadn’t even met. Even scarier, I’m old enough to be their parent. It turns out a couple friends who I graduated with actually have kids in college now. Yeah, that’s disturbing.

It was great to be on campus. Life is busy, so I only see some of my college friends every five years. But it seems like no time has passed. We catch up about life and things, show some pictures of our kids, and fall right back into the friendships we’ve maintained for almost thirty years. Facebook helps people feel like they are still in touch, but we aren’t. Facebook isn’t real life – it’s what you want to show the world. Fact is, everything changes, and most of that you don’t see. Some folks have been through hard times. Others are prospering.

Dunbar's Ithaca NY

Even the campus has evolved significantly over the past five years. The off-campus area is significantly different. Some of the buildings, restaurants, & bars have the same names; but they aren’t the same. One of our favorite bars, called Rulloff’s, shut down a few years back. It was recently re-opened and pretty much looked the same. But it wasn’t. They didn’t have Bloody Marys on Thursday afternoon. The old Rulloff’s would have had gallons of Bloody Mix preparing for reunion, because that’s what many of us drank back in the day. The new regime had no idea. Everything changes.

Thankfully a bar called Dunbar’s was alive and well. They had a drink called the Combat, which was the root cause of many a crazy night during college. It was great to go into D-bars and have it be pretty much the same as we remembered. It was a dump then, and it’s a dump now. We’re trying to get one of our fraternity brothers to buy it, just to make sure it remains a dump. And to keep the Combats flowing.

It was also interesting to view my college experience from my new perspective. Not to overdramatize, but I am a significantly different person than I was at the last reunion. I view the world differently. I have no expectations for my interactions with people, and am far more accepting of everyone and appreciative of their path. Every conversation is an opportunity to learn, which I need. I guess the older I get, the more I realize I don’t know anything.

That made my weekend experience all the more gratifying. The stuff that used to annoy me about some of my college friends was no longer a problem. I realized it has always been my issue, not theirs. Some folks could tell something was different when talking to me, and that provided an opportunity to engage at a different level. Others couldn’t, and that was fine by me; it was fun to hear about their lives.

In 5 years more stuff will have changed. XX1 will be in college herself. All of us will undergo more life changes. Some will grow, others won’t. There will be new buildings and new restaurants. And I’ll still have an awesome time hanging out in the dorms until the wee hours drinking cocktails and enjoying time with some of my oldest friends. And drinking Combats, because that’s what we do.

–Mike

Photo credit: “D-bars” taken by Mike in Ithaca NY






Heavy Research


Threat Detection Evolution

Network-based Threat Detection

Applied Threat Intelligence

Network Security Gateway Evolution

Recently Published Papers


Incite 4 U

  1. Vulnerabilities are not intrusions: Richard Bejtlich is a busy guy. As CSO of FireEye, I’m sure his day job keeps him pretty busy, as well as all his external responsibilities to gladhand big customers. So when he writes something on his personal blog you know he’s pissed off. And he’s really pissed that it seems parties within the US federal government don’t understand the difference between vulnerabilities and intrusions. In the wake of the big breach at the Office of Personnel Management (yeah, the Fed HR department), people are saying that the issue was the lack of implementation of CDM (continuous diagnostic monitoring). But that just tells you what’s vulnerable, and we all know that’s not a defense against advanced adversaries. Even the lagging Einstein system would have had limited success, but at least it’s focusing on the right stuff: who is in your network. Richard has been one of the most fervent evangelists of hunting for adversaries, and his guidance is pretty straightforward: “find the intruders in the network, remove them, and then conduct counter-intrusion campaigns to stop them from accomplishing their mission when they inevitably return.” Easier said than done, of course. But you never will get there if your answer is a vulnerability management program. – MR

  2. De-Googled: The Internet is a means for people to easily find information, but many large firms use the Internet to investigate you, and leverage it to monitor pretty much everything users do online. Every search, every email, every purchase, every blog comment, all the time – from here to eternity. I know a lot of privacy advocates who read the blog. Heck, I talk to many of them at security conferences, and read their comments on the stuff we post. If that’s you, a recent post from ExpressVPN on How to delete everything Google knows about you should be at the top of your reading list. It walks you through a process to collect and then delete your past Google history. I can’t vouch for the accuracy of the steps – frankly I am too busy to try it out – but it’s novel that Google provided the means, and someone has documented the obfuscated steps to delete your history. Bravo! Of course if you continue to use the embedded Google search bar, or Google+, or Gmail, or any of the other stuff Google offers, you will still be tracked. – AL

  3. What point are you trying to make? There have always been disagreements over the true cost of a lost data record. Ponemon has been publishing numbers in the hundreds of dollars per record for years (this year’s number was $350), and Verizon Business recently published a $0.58 number in the 2015 DBIR. So CSO asks: is it $350 or $0.58? The answer is neither. There is no standard cost. There is only what it costs you, and how much you want to bury in that number to create FUD internally. Ponemon includes pretty much everything (indirect costs) and then some. Verizon includes pretty much nothing and bases its numbers on insurance claims, which can be supported by objective data. Security vendors love Ponemon’s numbers. Realists think Verizon’s are closer. Again, what are you trying to achieve? If it’s to scare the crap out of the boardroom, Ponemon is your friend. If it’s to figure out what you’ll get from your cyber-insurance policy, you need the DBIR. As we have always said, you can make numbers dance and tell whatever story you want them to. Choose wisely. – MR

  4. Barn door left open: Apache ZooKeeper is a configuration management and synchronization tool commonly used in Hadoop clusters. It’s a handy tool to help you manage dynamic databases, but it moves critical data between nodes, so the privacy and integrity of its data are critical to safe and secure operations. Evan Gilman of PagerDuty posted a detailed write-up of a ZooKeeper session encryption bug found in an Intel extension to Linux kernel modules and Xen hypervisors which essentially disables checksums. In a nutshell, the Intel support for AES within the aesni-intel encryption module, which is used for VPNs and SSL traffic, will – under certain circumstances – disable checksums on the TCP headers. That’s no bueno. The bug should be simple to fix, but at this time there is no patch from Intel. Thanks to the guys at PagerDuty for taking the time to find and document this bug for the rest of us! – AL
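  Why disabled TCP checksums are “no bueno” is easier to see with the arithmetic in front of you. The following is an added illustration, not code from this post or from PagerDuty’s write-up: it builds a TCP segment over an IPv4 pseudo-header, computes the RFC 1071 checksum, and models a receiving stack with and without checksum verification. The addresses, ports and payload are constructed sample values, and `receiver_accepts` is a toy model of a receiver, not anything in the Linux or Xen code.

```python
"""Added example: TCP checksum computation and verification (RFC 793 / RFC 1071).

Shows that a receiver which verifies the checksum drops a segment with a
single flipped payload bit, while a receiver that skips verification (the
failure mode described in the post) accepts the corrupted data silently.
All addresses, ports and payload bytes below are constructed sample data.
"""
import struct


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 Internet checksum: 16-bit one's-complement sum of the data, inverted."""
    if len(data) % 2:
        data += b"\x00"  # odd-length data is padded with a zero byte
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:  # fold any carry back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def tcp_pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header covered by the TCP checksum: src, dst, zero, protocol 6, TCP length."""
    def ip2bytes(ip: str) -> bytes:
        return bytes(int(octet) for octet in ip.split("."))
    return ip2bytes(src_ip) + ip2bytes(dst_ip) + struct.pack("!BBH", 0, 6, tcp_len)


def build_tcp_segment(src_ip: str, dst_ip: str, src_port: int, dst_port: int,
                      payload: bytes) -> bytes:
    """Build a minimal 20-byte TCP header plus payload with a correct checksum."""
    seq, ack = 1, 0
    data_offset_flags = (5 << 12) | 0x018  # header is 5 words; flags PSH|ACK
    window, urgent = 65535, 0
    header = struct.pack("!HHIIHHHH", src_port, dst_port, seq, ack,
                         data_offset_flags, window, 0, urgent)  # checksum field = 0
    segment = header + payload
    csum = ones_complement_sum(tcp_pseudo_header(src_ip, dst_ip, len(segment)) + segment)
    # checksum occupies bytes 16..17 of the TCP header
    return header[:16] + struct.pack("!H", csum) + header[18:] + payload


def verify_tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """Recompute over pseudo-header + segment (checksum field included); valid iff the result is 0."""
    return ones_complement_sum(tcp_pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0


def receiver_accepts(src_ip: str, dst_ip: str, segment: bytes, verify: bool) -> bool:
    """Toy receiver model: with verification, bad checksums are dropped;
    without it, every segment is handed to the application as-is."""
    return verify_tcp_checksum(src_ip, dst_ip, segment) if verify else True


def demo() -> dict:
    src, dst = "10.0.0.1", "10.0.0.2"  # constructed addresses
    good = build_tcp_segment(src, dst, 40000, 2181, b"zookeeper session payload")  # 2181: ZooKeeper client port
    damaged = bytearray(good)
    damaged[25] ^= 0x01  # flip one bit inside the payload, as in-transit corruption would
    damaged = bytes(damaged)
    return {
        "good_verified": receiver_accepts(src, dst, good, True),
        "corrupt_verified": receiver_accepts(src, dst, damaged, True),
        "corrupt_unverified": receiver_accepts(src, dst, damaged, False),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'dropped'}")
```

With verification on, the flipped bit is caught (the Internet checksum detects every single-bit error); with verification off, the same bytes reach ZooKeeper as if nothing happened, which is exactly why a stack that stops checking is a data-integrity problem and not just a performance quirk.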

  5. Cyber all the VC things…: Mary Meeker survived the Internet bubble as the Internet’s highest profile stock analyst, and then moved west to work with VC big shots Kleiner Perkins. She still writes the annual Internet Trends report and this year security has a pretty prominent place. Wait, what? So, in case you were wondering whether security is high-profile enough, it is. We should have been more careful about what we wished for. She devoted two pages to security in the report. Of course her thoughts are simplistic (Mobile devices are used to harvest data and insiders cause breaches. Duh.) and possibly even wrong. (Claiming MDM is critical for preventing breaches. Uh, no.) But she pinpoints the key issue: the lack of security skills. She is right on the money with that one. Overall, we should be pleased with the visibility security is getting. And it’s not going to stop any time soon. – MR

—Mike Rothman