Login  |  Register  |  Contact
Wednesday, April 27, 2016

Incite 4/27/2016: Tap the B.R.A.K.E.S.

By Mike Rothman

I mentioned back in January that XX1 has gotten her driver’s permit and was in command of a two ton weapon on a regular basis. Driving with her has been, uh, interesting. I try to give her an opportunity to drive where possible, like when I have to get her to school in the morning. She can navigate the couple of miles through traffic on the way to her school. And she drives to/from her tutor as well, but that’s still largely local travel.

Though I do have to say, I don’t feel like I need to run as frequently because the 15-20 minutes in the car with her gets my heart racing for the entire trip. Obviously having been driving for over 30 years, I see things as they develop in front of me. She doesn’t. So I have to squelch the urge to say, “Watch that dude over there, he’s about to change lanes.” Or “That’s a red light and that means stop, right?” Or “Hit the f***ing brakes before you hit that car, building, child, etc.”

She only leveled a garbage bin once. Which caused more damage to her ego and confidence than it did to the car or the bin. So overall, it’s going well. But I’m not taking chances, and I want her to really understand how to drive. So I signed her up for the B.R.A.K.E.S. teen defensive driver training. Due to some scheduling complexity taking the class in New Jersey worked better. So we flew up last weekend and we stayed with my Dad on the Jersey Shore.

First, a little digression. When you have 3 kids with crazy schedules, you don’t get a lot of individual time with any of the kids. So it was great to spend the weekend with her and I definitely got a much greater appreciation for the person she is in this moment. As we were sitting on the plane, I glanced over and she seemed so big. So grown up. I got a little choked up as I had to acknowledge how quickly time is passing. I remember bringing her home from the hospital like it was yesterday. Then we were at a family event on Saturday night with some cousins by marriage that she doesn’t know very well. To see her interact with these folks and hold a conversation and be funny and engaging and cute. I was overwhelmed with pride watching her bring light to the situation.

But then it was back to business. First thing Sunday morning we went over the race track. They did the obligatory video to scare the crap out of the kids. The story of B.R.A.K.E.S. is a heartbreaking one. Doug Herbert, who is a professional drag racer, started the program after losing his two sons in a teen driving accident. So he travels around the country with a band of other professional drivers teaching teens how to handle the vehicle.

BRAKES car

The statistics are shocking. Upwards of 80% of teens will get into an accident in their first 3 years of driving. 5,000 teen driving fatalities each year. And these kids get very little training before they are put behind the wheel to figure it out.

The drills for the kids are very cool. They practice accident avoidance and steering while panic breaking. They do a skid exercise to understand how to keep the car under control during a spin. They do slalom work to make sure they understand how far they can push the car and still maintain control. The parents even got to do some of the drills (which was very cool.) They also do a distracted driving drill, where the instructor messes with the kids to show them how dangerous it is to text and play with the radio when driving. They also have these very cool drunk goggles, which simulates your vision when under the influence. Hard to see how any of the kids would get behind the wheel drunk after trying to drive with those goggles on.

I can’t speak highly enough about the program. I let XX1 drive back from the airport and she navigated downtown Atlanta, a high traffic situation on a 7 lane highway, and was able to avoid an accident when a knucklehead slowed down to 30 on the highway trying to switch lanes to make an exit. Her comfort behind the wheel was totally different and her skills were clearly advanced in just the four hours. If you have an opportunity to attend with your teen, don’t think about it. Just do it. Here is the schedule of upcoming trainings, and you should sign up for their mailing list.

The training works. They have run 18,000 teens through the program and not one of them has had a fatal accident. That’s incredible. And important. Especially given my teen will be driving without me (or her Mom) in the car in 6 months. I want to tip the odds in my favor as much as I can.

–Mike


Security is changing. So is Securosis. Check out Rich’s post on how we are evolving our business.

We’ve published this year’s Securosis Guide to the RSA Conference. It’s our take on the key themes of this year’s conference (which is really a proxy for the industry), as well as deep dives on cloud security, threat protection, and data security. And there is a ton of meme goodness… Check out the blog post or download the guide directly (PDF).

The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour. Your emails, alerts, and Twitter timeline will be there when you get back.


Securosis Firestarter

Have you checked out our video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Maximizing WAF Value

Resilient Cloud Network Architectures

Shadow Devices

Building a Vendor IT Risk Management Program

SIEM Kung Fu

Recently Published Papers


Incite 4 U

  1. Blockchain demystified: So I’m having dinner with a very old friend of mine, who is one of the big wheels at a very big research firm. We started together decades ago as networking folks, but I went towards security and he went towards managing huge teams of people. One of his coverage areas now is industry research and specifically financials. So these new currencies, including BitCoin is near and dear to his heart. But he didn’t call it BitCoin, he said blockchain. I had no idea what he was talking about, but our pals at NetworkWorld put up a primer on blockchain. Regardless of whether it was a loudmouth Australian that came up with the technology, it’s going to become a factor in how transactions are validated over time and large tech companies and banks are playing around with it. Being security folks and tasked at some point with protecting things, we probably need to at least understand how it works. – MR

  2. Luck Meets Perseverance: I’m not the first to say that being too early to a market and being dead wrong are virtually indistinguishable, certainly when the final tally is counted. When disruptive technologies emerge during tough economic times, visionaries teeter on oblivion. The recent Farnum Street post on The Creation of IBM’s Competitive Advantage has nothing to do with security. However, it is an excellent illustration of what it takes to succeed; a strong vision of the future, a drive to innovate, the fortitude do what others think is crazy, and enough cash to weather the storm for a while. If you’re not familiar with the story, it’s definitely worth your time. But this storyline remains relevant as dozens of product vendors struggle to sell the future of security to firms that are just trying to get through the day. We see many security startups with the first three attributes. That much is common. We don’t see the fourth attribute much at all, which is cash. Most innovation in technology is funded by VCs with the patience of a 5 year old who’s just eaten a bowl of Cap’n Crunch. IBM was lucky enough to sell off ineffectual businesses to build a war chest, then focused their time, effort and cash on the long term goal. That recipe never goes out of style, but with the common early stage technology funding model, we witness lots of very talented people crash and burn. – AL

  3. Internet Kings Do Research: With ever increasing profits expected by companies (yes, it’s that free market thing), it seems that there isn’t a lot of commercially funded basic research. You know, like the kind Microsoft did back in the day? Stuff that didn’t necessarily help sell more Windows, rather helped to push forward the use of technology. MSFT had the profits to support that. And now it seems Google and Facebook do too. In fact, rock star researchers are moving from one to the other to drive these basic research initiatives. Most recently, Regina Dugan who spent time at DARPA working on military research before heading off to Google to lead their advanced tech lab, now is with Facebook to build a similar team. I think it’s awesome and I’m glad that every time I like something on Facebook it contributes to funding research that may change the world at some point. – MR

  4. EU Data Protection Reform: The EU has approved a new data protection standard set to reform the standing 1995 rules. There are several documents published so it will take time for a thorough analysis, but there are a couple of things to like here. The right to be forgotten, the right to know when your data has been hacked, and the need for consent to process your data are excellent ideas conceptually. With storage virtually limitless, companies and governments have no incentive to forget you or take precautions on your behalf unless pushed. So this is a step in the right direction. But as usual, I’m skeptical at most of the proposal: There is no provision to extend protection to 3rd parties that access citizen’s data. There is no way to opt out of having your data shared amongst third parties or transparency when law enforcement goes rummaging around in your junk, which should be treated no differently than “being hacked”. In fact the EU seemed to go overboard to accommodate “law enforcement”, aka government access, without much oversight. Different day, same story. And without a way for someone to verify you’ve actually been ‘forgotten’ – and not just backed up to different servers – the clause is pretty much worthless. It’s a good next step, and hopefully we won’t wait another 20+ years for an update. – AL

  5. Shyster pen testers: It’s inevitable. There aren’t enough security folks, and services shops are expected to grow. So what do you do? The bait and switch, of course. Have a high level, well regarded tester and then have a bunch of knucklehead kids do the actual test. Then write some total crap report and cash the check. As the Chief Monkey details, there are a lot of shysters in the business now. This is problematic for a lot of reasons. First, a customer may actually listen to the hogwash written in the findings report. You’ve got to check out the post to see some of the beauty’s in there. It also makes it hard for reputable firms, who won’t start dropping the price when a customer challenges their quals. But we have’t repealed the laws of economics, so as long as there is a gap in the number of folks to do the job, then snake oil salespeople will be the reality in the business. – MR

—Mike Rothman

Thursday, April 07, 2016

Incite 4/6/2016—Hindsight

By Mike Rothman

When things don’t go quite as you hoped, it’s human nature to look backwards and question your decisions. If you had done something different maybe the outcome would be better. If you didn’t do the other thing, maybe you’d be in a different spot. We all do it. Some more than others. It’s almost impossible to not wonder what would have been.

But you have to be careful playing Monday Morning QB. If you wallow in a situation you end up stuck in a house of pain after a decision doesn’t go well. You probably don’t have a time machine, so whatever happened is already done. All you have left is a learning opportunity to avoid making the same mistakes again.

hindsight can be painful

That is a key concept, and I work to learn from every situation. I want to have an idea of what I would do if I found myself in a similar situation again down the line. Sometimes this post-mortem is painful – especially when the decision you made or action you took was idiotic in hindsight. And I’ve certainly done my share of idiotic things through the years. The key to leveraging hindsight is not to get caught up in it. Learn from the situation and move on. Try not to beat yourself up over and over again about what happened. This is easy to say and very hard to do. So here is how I make sure I don’t get stuck after something doesn’t exactly meet my expectations.

  1. Be Objective: You may be responsible for what happened. If you are, own it. Don’t point fingers. Understand exactly what happened and what your actions did to contribute to the eventual outcome. Also understand that some things were going to end badly regardless of what you did, so accept that as well.
  2. Speculate on what could be different: Next take some time to think about how different actions could have produced different outcomes. You can’t be absolutely sure that a different action would work out better, but you can certainly come up with a couple scenarios and determine what you want to do if you are in that situation again. It’s like a game where you can choose different paths.
  3. Understand you’ll be wrong: Understand that even if you evaluate 10 different options for a scenario, next time around there will be something you can’t anticipate. Understand that you are dealing with speculation, and that’s always dicey.
  4. Don’t judge yourself: At this point you have done what you can do. You owned your part in however the situation ended up. You figured out what you’ll do differently next time. It’s over, so let it go and move forward. You learned what you needed, and that’s all you can ask for.

That’s really the point. Fixating on what’s already happened closes off future potential. If you are always looking behind you, you can neither appreciate nor take advantage of what’s ahead. This was a hard lesson for me. I did the same stuff for years, and was confused because nothing changed. It took me a long time to figure out what needed to change, which of course turned out to be me.

But it wasn’t wasted time. I’m grateful for all my experiences, especially the challenges. I’ve had plenty of opportunities to learn, and will continue to screw things up and learn more. I know myself much better now and understand that I need to keep moving forward. So that’s what I do. Every single day.

–Mike

Photo credit: “Hindsight” from The.Rohit


Security is changing. So is Securosis. Check out Rich’s post on how we are evolving our business.

We’ve published this year’s Securosis Guide to the RSA Conference. It’s our take on the key themes of this year’s conference (which is really a proxy for the industry), as well as deep dives on cloud security, threat protection, and data security. And there is a ton of meme goodness… Check out the blog post or download the guide directly (PDF).

The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour. Your emails, alerts, and Twitter timeline will be there when you get back.


Securosis Firestarter

Have you checked out our video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Resilient Cloud Network Architectures

  • [Design Patterns]
  • [Fundamentals]

Shadow Devices

Building a Vendor IT Risk Management Program

SIEM Kung Fu

Recently Published Papers


Incite 4 U

  1. Still no free lunch, even if it’s fake: Troy Hunt’s post is awesome, digging into how slimy free websites gather personal information and then sell it. But it turns out all that glitters isn’t gold, and some of those records are total crap. It’s very interesting to see how Troy pulled a number of strings to figure out which sites were responsible, and then figured out that a lot of their data is fake. Which makes sense given that no one can really check 5MM records, so they confirm a small sample and then pad with nonsense. Now you can’t even believe the fraudsters that are selling records to perpetrate more fraud. That’s totally shocking! – MR

  2. The flaw: I’ve never been a fan, but since I have neither deep experience nor data to show whether the Bi-modal IT model is good or bad, I have shied away from commenting on it. Jez Humble does not mince words, and his recent analysis of Gartner’s Bi-modal model for IT practices is no exception. He states that Gartner’s model is based on the idea that reliability and agility are at odds. I think frameworks like this were created by philosophers who grasp a specific problem, but lack the practical experience to understand why idealistic solutions don’t work in the real world. But when you examine a confounding, anti-intuitive approach like DevOps on paper, it looks reckless. In practice it has shown that speed and quality can be synergistic. Much the way Toyota demonstrated how their manufacturing approach allowed them to make cars better, faster, and cheaper; DevOps is blowing up assumptions of what’s possible with IT operations and software delivery. A few years down the line, we won’t call it DevOps – it will just be how we do things. – AL

  3. Smokin’ hot job: Based on the latest ComputerWorld Salary Survey, security folks are in the catbird seat. Information Security Manager is the hottest job in IT. No kidding. The survey states “security pros are paid well, rate job satisfaction high, and will make a move for money.” No kidding. Salaries were up 6% or so, and it’s probably more in metro areas with high demand and lots of options for practitioners. Though I can’t say job satisfaction is a highlight in the (very non-statistically significant) sample of folks I talk to regularly. It’s a tough job, and it’s worth a lot. So once again Mr. Market wins. And if anything salaries will continue to move upward because it’s not like a bunch of security personnel are about to come online anytime soon, if ever. – MR

  4. Subtle: Google’s announcement last week on encryption and email security nearly put me to sleep with their understated blog post and crappy “Safer Internet Day” tag. Let’s be honest: “Safe Browsing” has been around for years, and has allowed me to go to dangerous sites without protest. But not those sites. I don’t do that (doh). Flagging sources already using TLS is handy, but few use content encryption, so it’s hard to say that content is not being read by some government entity which subpoenaed an Internet provider somewhere. But what got my attention was the new warning about “state sponsored attacks”. When you realize the route your email takes to get to its destination, you realize this is agnostically targeting your government, regardless of where you sit. Very subtly backing the recent swell of support for user privacy and encryption. – AL

  5. WhatsApp’s one-finger salute: Whereas Google has taken a more subtle approach to telling the feds who want full access to customer data to bugger off, Facebook’s WhatsApp has basically stood on the proverbial table to give them the one-finger salute. By integrating the Signal protocol into their app and stating in no uncertain terms that all messaging traffic is encrypted from device to device, Facebook is making it clear that they cannot access user content, regardless of subpoenas. Although law enforcement can still access who spoke to whom, they cannot get anything else. We have written quite a bit about privacy and the slippery slope of backdoors and special operating systems. I applaud Facebook for taking a stand here, knowing that bad folks can (and do) use their network to plan bad things. But either there is monitoring or there isn’t, and by not providing any wiggle room, WhatsApp has clearly decided against monitoring. But you have to wonder if Facebook is forgoing a huge advertising stream by providing truly private messaging. – MR

—Mike Rothman

Wednesday, March 30, 2016

Incite 3/30/2016: Rational People Disagree

By Mike Rothman

It’s definitely a presidential election year here in the US. My Twitter and Facebook feeds are overwhelmed with links about what this politician said and who that one offended. We get to learn how a 70-year old politician got arrested in his 20s and why that matters now. You also get to understand that there are a lot of different perspectives, many of which make absolutely no sense to you. Confirmation bias kicks into high gear, because when you see something you don’t agree with, you instinctively ignore it, or have a million reasons why dead wrong. I know mine does.

Some of my friends frequently share news about their chosen candidates, and even more link to critical information about the enemy. I’m not sure whether they do this to make themselves feel good, to commiserate with people who think just like them, or in an effort to influence folks who don’t. I have to say this can be remarkably irritating because nothing any of these people posts is going to sway my fundamental beliefs.

Disagree

That got me thinking about one of my rules for dealing with people. I don’t talk about religion or politics. Unless I’m asked. And depending on the person I might not engage even if asked. Simply because nothing I say is going to change someone’s story regarding either of those two third rails of friendship. I will admit to scratching my head at some of the stuff people I know post to social media. I wonder if they really believe that stuff, or they are just trolling everyone.

But at the end of the day, everyone is entitled to their opinion, and it’s not my place to tell them their opinion is idiotic. Even if to it is. I try very hard not to judge people based on their stories and beliefs. They have different experiences and priorities than me, and that results in different viewpoints. But not judging gets pretty hard between March and November every 4 years. At least 4 or 5 times a day I click the unfollow link when something particularly offensive (to me) shows up in my feed.

But I don’t hit the button to actually unfollow someone. I use the fact that I was triggered by someone as an opportunity to pause and reflect on why that specific headline, post, link, or opinion bothers me so much. Most of the time it’s just exhaustion. If I see one more thing about a huge fence or bringing manufacturing jobs back to the US, I’m going to scream. I get these are real issues which warrant discussion. But in a world with a 24/7 media cycle, the discussion never ends.

I’m not close-minded, although it may seem that way. I’m certainly open to listening to other candidates’ views, mostly to understand the other side of the discussion and continually refine and confirm my own positions. But I have some fundamental beliefs that will not change. And no, I’m not going to share them here (that third rail again!). I know that rational people can disagree, and that doesn’t mean I don’t respect them, or that I don’t want to work together or hang out and drink beer. It just means I don’t want to talk about religion or politics.

–Mike

Photo credit: “Laugh-Out-Loud Cats #2204” from Ape Lad


Security is changing. So is Securosis. Check out Rich’s post on how we are evolving our business.

We’ve published this year’s Securosis Guide to the RSA Conference. It’s our take on the key themes of this year’s conference (which is really a proxy for the industry), as well as deep dives on cloud security, threat protection, and data security. And there is a ton of meme goodness… Check out the blog post or download the guide directly (PDF).

The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour. Your emails, alerts, and Twitter timeline will be there when you get back.


Securosis Firestarter

Have you checked out our video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Resilient Cloud Network Architectures

Shadow Devices

Building a Vendor IT Risk Management Program

Securing Hadoop

SIEM Kung Fu

Recently Published Papers


Incite 4 U

  1. That depends on your definition of consolidation: Stiennon busts out his trusty spreadsheet of security companies and concludes that the IT security industry is not consolidating. He has numbers. Numbers! That prove there is a steadlily increasing number of companies ‘selling’ security. I guess that is one way to look at it. I think it’s a pretty myopic way of assessing an industry, but hey, what do I know? Here’s a fact. Of the 1,400+ companies on Stiennon’s list, how many are actually selling anything (above $10MM in sales, or even $1MM for that matter?)? How many will be around in 18 months? 12 months? Does it even matter how many companies are in the space? I say no, because here’s what I hear all the time. Security pros want to deal with fewer vendors. Period. It turns out that Mr. Market is not wrong over the long term. There will be a shake-out in the industry, and it will begin soon. Maybe the total number of companies will continue to increase. Evidently there is an infinite number of crappy, undifferentiated ideas for security companies. The real question is what happens to share of wallet, and I’m confident that buyers will be consolidating their spending. – MR

  2. Which way do I go? When it comes to threat analytics, there are many, many services out there. For firms wishing to mine their own data, there are lots of technologies to parse dissimilar data types, and many platforms to do “big data analytics”. But at Dark Reading Kelly Jackson Higgins points out that Threat Intelligence has a Big Data Problem as firms are getting too much of a good thing. Enterprise security’s problem is not a lack of data, analytics tools, or threat feeds. Nor is it a question of whether in-house SoC is better than external services. It’s not even about false negatives or even false positives per se – rather the key questions are “Which analyzed data should I pay attention to?” and “How do I really prioritize?” Having 11 threat feeds is at best information overload, and third party ‘criticality’ rankings are often out of touch with the real risks a company faces. It classic analysis paralysis, as firms figure out which reports are meaningful, map them to risks, and then figure out what they can address in… let’s call it an “enterprise time frame”: the coming year. Having the analysis is the first step, but making it useful is still in the works. We’ll get back to you on dealing with the problems. – AL

  3. Sometimes it is better to be lucky than good… And that is the story of my career, and most of the folks I know. I really liked this coverage on the RSA Conference blog of the Centrify CEO’s talk on how his company was targeted by financial fraud and it almost worked. You have heard this story a hundred times. Email comes from the CEO to accounting to initiate a funds transfer. The funds are moved, and then it becomes apparent that the request was fraudulent. Thankfully Centrify had a policy that required multiple approvals on substantial wire transfers, otherwise the money would be gone. Kudos for sharing. And this is a good reminder that separation of duties and multiple approvals are good things. – MR

  4. Big data, small adoption: O’Reilly published Spiderbook’s research on the size of The Big Data Market, conducted by data mining public press releases, forums, job postings, and the like. And there is some interesting data in the survey: results suggest that only a small percentage of companies in the world use Hadoop, and many that do struggle due to a shortage of technical talent. Does anyone not lack technical talent today? Spiderbook went on to say that outside financial services adoption is low, but they found that large firms are much more likely to embrace big data than small ones. To which I say “Duh!” – large enterprises with huge amounts of interesting data went looking for something that could provide analytics at scale without costing millions of dollars. Our research shows large enterprises have a better than 50% Hadoop adoption rate, but it is only being used for select new projects. I maintain Spiderbook’s adoption numbers are likely on the low side; both because organizations are not particularly open about their use of Hadoop given the ‘skunkworks’ nature of many projects, and because attendance at industry trade shows for the major commercial Hadoop vendors suggests more companies are actively running it – or too much idiotic VC money being burned on campfires. Which is our way of saying you probably have Hadoop in your company, and if you’re in IT security, you’ll be dealing with a cluster full of sensitive data sooner rather than later. Get ready. – AL

  5. Is anything good or bad? I generally refute the premise of this recent NetworkWorld article: Is DevOps good or bad for security? The reality is that some aspects of DevOps (just like anything else) are ‘good’ while others are ‘bad.’ Getting poked in the eye is ‘bad’, right? Unless it’s an optometrist removing fixing cataract. Then it’s good. DevOps clearly put pressure on security teams. That may be bad because there is a distinct lack of skills. But it’s good because it forces security teams to embrace automation, and insert security into development and deployment processes. That article is basically a lovefest, talking about the benefits of DevOps, but if you do it wrong it’s a security train wreck. As with most things, there are no absolutes. Wnd we believe in the long-term value of DevOps (we’re betting the company on it), but we aren’t naive – we know that there are challenges. – MR

  6. BONUS: Generalissimo Franco is still dead! This breaking news just in: Oracle stuns the industry by moving ‘The Cloud’, big data and DevOps – all of it – into a single machine. News at 11. – AL

—Mike Rothman

Thursday, March 24, 2016

Incite 3/23/2016: The Madness

By Mike Rothman

I’m not sure why I do it, but every year I fill out brackets for the annual NCAA Men’s College basketball tournament. Over all the years I have been doing brackets, I won once. And it wasn’t a huge pool. It was a small pool in my office, when I used to work in an office, so the winnings probably didn’t even amount to a decent dinner at Fuddrucker’s. I won’t add up all my spending or compare against my winning, because I don’t need a PhD in Math to determine that I am way below the waterline.

Like anyone who always questions everything, I should be asking myself why I continue to play. I’m not going to win – I don’t even follow NCAA basketball. I’d have better luck throwing darts at the wall. So clearly it’s not a money-making endeavor.

extra large bracket

I guess I could ask the same question about why I sit in front of a Wheel of Fortune slot machine in a casino. Or why I buy PowerBall tickets when the pot goes above $200MM. I understand statistics – I know I’m not going to win slots (over time) or the lottery (ever).

They call the NCAA tournament March Madness – perhaps because most people get mad when their brackets blow up on the second day of the tournament when the team they picked to win it all loses to a 15 seed. Or does that just happen to me? But I wasn’t mad. I laughed because 25% of all brackets had Michigan State winning the tournament. And they were all as busted as mine.

These are rhetorical questions. I play a few NCAA tournament brackets every year because it’s fun. I get to talk smack to college buddies about their idiotic picks. I play the slots because my heart races when I spin the wheel and see if I got 35 points or 1,000. I play the lottery because it gives me a chance to dream. What would I do with $200MM?

I’d do the same thing I’m doing now. I’d write. I’d sit in Starbucks, drink coffee, and people-watch, while pretending to write. I’d speak in front of crowds. I’d explore and travel with my loved ones. I’d still play the brackets, because any excuse to talk smack to my buddies is worth the minimal donation. And I’d still play the lottery. And no, I’m not certifiable. I just know from statistics that I wouldn’t have any less chance to win again just because I won before. Score 1 for Math.

–Mike

Photo credit: “Now, that is a bracket!” from frankieleon


We’ve published this year’s Securosis Guide to the RSA Conference. It’s our take on the key themes of this year’s conference (which is really a proxy for the industry), as well as deep dives on cloud security, threat protection, and data security. And there is a ton of meme goodness… Check out the blog post or download the guide directly (PDF).

The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour. Your emails, alerts, and Twitter timeline will be there when you get back.


Securosis Firestarter

Have you checked out our video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Shadow Devices

Building a Vendor IT Risk Management Program

Securing Hadoop

SIEM Kung Fu

Building a Threat Intelligence Program

Recently Published Papers


Incite 4 U

  1. Enough already: Encryption is a safeguard for data. It helps ensure data is used the way its owner intends. We work with a lot of firms – helping them protect data from rogue employees, hackers, malicious government entities, and whoever else may want to misuse their data. We try to avoid touching political topics on this blog, but the current attempt by US Government agencies to paint encryption as a terrorist tool is beyond absurd. They are effectively saying security is a danger, and that has really struck a nerve in the security community. Forget for a minute that the NSA already has all the data that moves on and off your cellphone, and that law enforcement already has the means to access the contents of iPhones without Apple’s assistance. And avoid wallowing in counter-examples where encryption aided freedom, or illustrations of misuse of power to inspire fear in the opposite direction. These arguments devolve into pig-wrestling – only the pig enjoys that sort of thing. As Rich explained in Do We Have a Right To Security?, this is a simple question of whether anyone (companies or individuals) can have security. Currently the US government (at least the executive branch) says ‘No!’ – as does the UK government. – AL

  2. The US blinks… Following up Adrian’s rant above, the US government decided after all that they may not need Apple to open the San Bernadino iPhone after all. Evidently a third party would be happy to sell the US government either an exploit or another means to get access to the locked phone. Duh. Like we didn’t already know that was possible. As many of us argued, this case was much more about establishing a precedent for the FBI than about accessing that specific phone. Now that it looks like an uphill climb to win that motion, it’s time to save face and do what they should have done in the first place. Pay someone to break the phone, if they think it’s that important. We have huge respect for law enforcement and what they do, but we could do with less grandstanding and backdoors. Backdoors are stupid. – MR

  3. Hindsight is 20/20: In the Beretta files goes the case of a Ryan Collins, who was behind the attacks on celebrity iPhones. This is the attacker who stole the pictures. It’s not clear how much he made by selling them, but it was probably not worth the felony violation he will plead to or the associated jail time. They are still looking for the person who actually posted the pictures. But that guy is even dumber – he didn’t make any money, apparently because content wants to be free. All I have to say is: idiots. – MR

  4. Getting chippy: Better than 75% of stores I go into still have tape over their EMV chipped card slots on payment terminals. While it seems merchants are tardy in getting their work done, it’s not always that they are dragging their feet – it may also be the card networks. It appears some merchants who are actively processing EMV cards are getting charged for fraud and chargeback fees because they have yet to complete a certification audit by the card networks. To reverse these charges that supermarket chain filed suit, and is pushing for quick certification. The suit may halt the “liability shift” entirely, which has gotten the card brands’ attention. This entire game of “Pass The Liability” will continue to entertain us until we stop passing credit card numbers around. – AL

  5. Security faith healers: Adam Shostack posted an interesting piece at Dark Reading about how the concepts in The Gluten Lie apply to security. In a nutshell, the health industry has vilified gluten, and besides the people who have legitimate celiac disease, the data doesn’t seem to support the general position that gluten is bad. Adam makes the analogy that telling people to be secure isn’t going to help. Nor is telling them not to do things (like surf pr0n). And folks should drop the fear-based marketing. Yeah, right. A lot of technology marketing is selling snake oil, and it’s as bad in security as anywhere else. But as long as a tactic works (including vilifying gluten to sell more gluten-free stuff) free market economics say that that tactic will continue to be used. Go figure. – MR

—Mike Rothman

Wednesday, March 09, 2016

Incite 3/9/2016: Star Lord

By Mike Rothman

Everything is a game nowadays. Not like Words with Friends (why yes, since you ask – I do enjoy getting my ass kicked by the women in my life) or even Madden Mobile (which the Boy plays constantly) – I’m talking about gamification. In our security world, the idea is that rank and file employees will actually pay attention to security stuff they don’t give a rat’s ass about… if you make it all into a game. So get departments to compete for who can do best in the phishing simulation. Or give a bounty to the team with the fewest device compromises due to surfing pr0n. Actually, though, it might be more fun to post the link that compromised the machine in the first place. The employee with the nastiest NSFW link would win. And get fired… But I digress.

I find that I do play these games. But not on my own device. I’m kind of obsessed with Starbucks’ loyalty program. If you accumulate 12 stars you get a free drink. It’s a great deal for me. I get a large brewed coffee most days. I don’t buy expensive lattes, and I get the same star for every drink I buy. And if I have the kids with me, I’ll perform 3 or 4 different transactions, so I can get multiple stars. When I get my reward drink, I get a 7 shot Mocha. Yes, 7 shots. I’m a lot of fun in the two hours after I drink my reward.

And then Starbucks sends out promotions. For a while, if you ordered a drink through their mobile app, you’d get an extra star. So I did. I’d sit in their store, bust open my phone, order the drink, and then walk up to the counter and get it. Win! Extra star! Sometimes they’d offer 3 extra stars if you bought a latte drink, an iced coffee, and a breakfast sandwich within a 3-day period. Well, a guy’s gotta eat, right? And I was ordering the iced coffee anyway in the summer. Win! Three bonus stars. Sometimes they’d send a request for a survey and give me a bunch of stars for filling it out. Win! I might even be honest on the survey… but probably not. As long as I get my stars, I’m good.

Yes, I’m gaming the system for my stars. And I have two reward drinks waiting for me, so evidently it’s working. I’m going to be in Starbucks anyway, and drinking coffee anyway – I might as well optimize for free drinks.

star lord

Oh crap, what the hell have I become? A star whore? Ugh. Let’s flip that perspective. I’m the Star Lord. Yes! I like that. Who wants to be Groot?

Pretty much every loyalty program gets gamed. If you travel like I do, you have done the Dec 30 or 31 mileage run to make the next level in a program. You stay in a crappy Marriott 20 miles away from your meeting, instead of the awesome hotel right next to the client’s office. Just to get the extra night. You do it. Everyone does.

And now it’s a cat and mouse game. The airlines change their programs every 2-3 years, to force customers to find new ways to optimize milage accumulation. Starbucks is changing their program to reward customers based on what they spend. The nerve of them. Now it will take twice as long to get my reward drinks. Until I figure out how to game this version of the program. And I will, because to me gaming their game is the game.

–Mike

Photo credit: “Star-Lord ord” from Dex


We’ve published this year’s Securosis Guide to the RSA Conference. It’s our take on the key themes you’ll see at this year’s conference (which is really a proxy for the industry), as well as deep dives on cloud security, threat protection, and data security. And there is a ton of meme goodness… Check out the blog post or download the guide directly (PDF).

The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour. Your emails, alerts, and Twitter timeline will be there when you get back.


Securosis Firestarter

Have you checked out our video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Securing Hadoop

SIEM Kung Fu

Building a Threat Intelligence Program

Recently Published Papers


Incite 4 U

  1. An expensive lie: Many organizations don’t really take security seriously. It has never been proven that breaches cause lost business (correlation is not causation), nor have compliance penalties been sufficient to spur action. Is that changing? Maybe. You can see a small payment processor like Dwolla getting fined $100K for falsely claiming that “information is securely encrypted and stored”. Is $100K enough? Does it need to be $100MM? I don’t know, but at some point these regulations should have enough teeth taht companies start to take them seriously. But you have to wonder, if a fintech start-up isn’t “securely encrypting and storing” customer data, what the hell are they doing? – MR

  2. Payment tokens for you and me: NFC World is reporting that Visa will retire alternate PANs issued to host card emulators for mobile payments, without giving an actual EOL date. We have been unable to verify this announcement, but it’s not surprising because that specification is at odds with EMVco’s PAR tokenization approach, which we discussed last year – which is leveraged by ApplePay, SamsungPay, and others. This is pretty much the end of host card emulation and any lingering telco secure element payment schemes. What is surprising many people is the fact that, if you read Visa and Mastercard’s recent announcements, they are both positioning themselves as cloud-based security vendors – offering solutions for identity and payment in cars, wearables, and other mobile devices. Visa’s Tokenization Services, Mastercard’s tokens, and several payment wallets all leverage PAR tokens provided by various Tokenization-as-a-Service offerings. And issuing banks are buying this service as well! For security and compliance folks this is good news, because the faster this conversion happens, the faster the enterprise can get rid of credit cards. And once those are gone, so too are all the supporting security functions you need to manage. Security vendors, take note: you have new competitors in mobile device security services. – AL

  3. Well, at least the pace of tech innovation is slowing… I can do nothing but laugh at the state of security compliance. The initiative that actually provided enough detail to help lost organizations move forward, the PCI-DSS, is evidently now very mature. So mature that they don’t need another major update. Only minor updates, with long windows to implement them, because.. well, just because. These retailers are big and they move slowly. But attackers move and innovate fast. So keeping our current low bar forever seems idiotic. Attackers are getting better, so we need to keep raising the bar, and I don’t know how that will happen now. I guess it will take another wave of retailer hacks to shake things up again. Sad. – MR

  4. No need to encrypt: Future Tense captures the essence of Amazon’s removal of encryption from Fire devices: Inexpensive parts, like weak processors, would be significantly burdened when local encryption was on, and everything would slow down. This is not about bowing to federal pressure – it is cost-cutting on a money-losing device. And let’s be honest – these are not corporate devices, and no one reading this allows Amazon Fires onto their business networks. Not every mobile device deserves security hardening. Most people have a handful of devices with throw-away data, and convenience devices need very little security. The handful of people I know with Kindle or Fire devices consider them mobile infotainment systems – the only data on the device is a Gmail account, which has already been hacked, and the content they bought from Amazon. Let’s pick our battles. – AL

  5. I don’t get it, but QUANTUM! I wish I knew more about things like quantum computing, and that I had time to read papers and the like to get informed. Evidently progress is being made on new quantum computing techniques that will make current encryption obsolete. Now they have a 5-atom quantum computer. I have no idea what that even means, but it sounds cool. Is it going to happen tomorrow? Nope. I won’t be able to get a quantum computer from Amazon for a while, but the promise of these new technologies to upend the way we have always done things is useful reminder. Don’t get attached to anything. Certainly not technology, because it’s not going to be around for long. Whichever technology we’re talking about. – MR

—Mike Rothman

Monday, February 29, 2016

Incite 2/29/2016: Leap Day

By Mike Rothman

Today is leap day, the last day of February in a leap year. That means the month of February has 29 days. It happens once every 4 years. I have one friend (who I know of) with a birthday on Leap Day. That must have been cool. You feel very special every four years. And you just jump on the Feb 28 bandwagon to celebrate your birthday in non-leap years. Win/win.

The idea of a four-year cycle made me curious. What was I doing during leap day in 2012? Turns out I was doing the same thing I’ll be doing today – running between meetings at the RSA Conference. This year, leap day is on Monday, and that’s the day I usually spend at the America’s Growth Capital Conference, networking with CEOs and investors. It’s a great way to take the temperature of the money side of the security industry. And I love to moderate the panels, facilitating debate between leaders of the security industry. Maybe I’ll even interject an opinion or two during the event. That’s been known to happen.

leap day

Then I started looking back at my other calendar entries for 2012. The boy was playing baseball. Wow, that seems like a long time ago since it seems like forever he’s been playing lacrosse. The girls were dancing, and they had weekend practices getting ready for their June Disney trip. XX1 was getting ready for her middle school orientation. Now she’s in high school. The 4 years represent less than 10% of my life. But a full third of the twins’ existence. That’s a strange thought.

And have I made progress professionally? I think so. Our business has grown. We’ll have probably three times the number of people at the Disaster Recovery Breakfast, if that’s any measure of success. The cloud security work we do barely provided beer money in 2012, and now it’s the future of Securosis. I’ve deepened relationships with some clients and stopped working with others. Many of my friends have moved to different gigs. But overall I’m happy with my professional progress.

Personally I’m a fundamentally different person. I have described a lot of my transformation here in the Incite, or at least its results. I view the world differently now. I was figuring out which mindfulness practices worked for me back in 2012. That was also the beginning of a multi-year process to evaluate who I was and what changes I needed for the next phase of my life. Over the past four years, I have done a lot of work personally and made those changes. I couldn’t be happier with the trajectory of my life right now.

So this week I’m going to celebrate with many close friends. Security is what I do, and this week is one of the times we assemble en masse. What’s not to love? Even cooler is that I have no idea what I’ll be writing about in 2020.

My future is unwritten, and that’s very exciting. I do know that by the next time a leap year comes along, XX1 will be midway through college. The twins will be driving (oy, my insurance bill!). And in all likelihood, I’ll be at the RSA Conference hanging out with my friends at the W, waiting patiently for a drink. Most things change, but some stuff stays the same. And there is comfort in that.

–Mike

Photo credit: “60:366” from chrisjtse


We’ve published this year’s Securosis Guide to the RSA Conference. It’s our take on the key themes you’ll see at this year’s conference (which is really a proxy for the industry), along with deep dives into cloud security, threat protection, and data security. And there is a ton of meme goodness… Check out the post or download the guide directly (PDF).

It’s that time of year again! The 8th annual Disaster Recovery Breakfast will once again happen at the RSA Conference. Thursday morning, March 3 from 8 – 11 at Jillians. Check out the invite or just email us at rsvp (at) securosis.com to make sure we have an accurate count.

The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour. Your emails, alerts, and Twitter timeline will be there when you get back.


Securosis Firestarter

Have you checked out our video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Securing Hadoop

SIEM Kung Fu

Building a Threat Intelligence Program

Recently Published Papers


Incite 4 U

  1. Phisherman’s dream: Brian Krebs has written a lot about small and mid-sized companies being targets for scammers over the last couple years, with both significant financial losses directly from fraud, and indirectly from the ensuing court battles about who ends up paying the bill. Through friends and family, we have been hearing a lot more about this in relation to real estate transactions, captured in recent article from the Arizona Association of Realtors Hackers Perpetuate Wire Transfer Fraud Scams. Hacking the buyers, mortgage brokers, and title companies, scammers are able to both propel a transaction forward through fake authorizations, and direct funds to the wrong accounts. And once one party is compromised it’s fairly easy to get the other parties too, meaning much of the process can be orchestrated remotely. What’s particularly insidious is that these attacks naturally lead all parties into making major security misjudgments. You trust the emails because they look like they are coming from people you are waiting to hear from, with content you want to see. The result is large sums of money willingly transferred to the wrong accounts; with buyers, sellers, agents, banks, and mortgage brokers all fighting to clean up the mess. – AL

  2. EMET and the reality of software: This recent story about a defect in Microsoft’s EMET which allows attackers to basically turn it off, presents an opportunity to highlight a number of things. First, all software has bugs. Period. This bug, found by the folks at FireEye, turns EMET against itself. It’s code. It’s complicated. And that means there will be issues. No software is secure. Even the stuff that’s supposed to secure us. But EMET is awesome and free. So use it. The other big takeaway from this is the importance of timely patching. Microsoft fixed this issue last Patch Tuesday, Feb 2. It’s critical to keep devices up to date. I know it’s hard and you have a lot of devices. Do it anyway. It’s one of the best ways to reduce attack surface. – MR

  3. My list: On the Veracode blog Jeff Cratty explains to security pros the 5 things I need from you. Discussions like this are really helpful for security people trying to work with developers. Understanding the challenges and priorities each side faces every day makes working together a hell of a lot easier. Empathy FTW. I like Jeff’s list, but I could narrow down mine to two things. First, get me the “air cover” I need to prioritize security over features. Without empowerment by senior management, security issues will never get worked on. DevOps and continuous integration has been great in this regard as teams – for the first time ever – prioritize infrastructure over features, but someone needs to help get security onto the queue. Second, tell me the threats I should really worry about, and get me a list of suitable responses so I can choose what is best for our application stack and deployment model. There are usually many ways to address a specific risk, and I want options, not mandates. – AL

  4. Cutting through the fog of endpoint security marketing: If you are considering updating your endpoint protection (as you should be), Lenny Zeltser offers a great post on questions to ask an endpoint security startup. It’s basically a primer to make any new generation endpoint security player educate you on why and how they are different. They’ll say, “we use math,” like that’s novel. Or “we leverage the cloud” – ho hum. Maybe they’ll drop “deep forensics” nonsense on you. Not that any of those things are false. But it’s really about understanding how they are different. Not just from traditional endpoint protection, but also from the dozens of other new endpoint security players. Great job, Lenny. It’s hard to separate marketing fiction from fact in early markets. Ask these questions to start figuring it out. And make sure your BS detector is working – you’ll need it. – MR

—Mike Rothman

Wednesday, February 03, 2016

Incite 2/3/2016: Courage

By Mike Rothman

A few weeks ago I spoke about dealing with the inevitable changes of life and setting sail on the SS Uncertainty to whatever is next. It’s very easy to talk about changes and moving forward, but it’s actually pretty hard to do. When moving through a transformation, you not only have to accept the great unknown of the future, but you also need to grapple with what society expects you to do. We’ve all been programmed since a very early age to adhere to cultural norms or suffer the consequences. Those consequences may be minor, like having your friends and family think you’re an idiot. Or decisions could result in very major consequences, like being ostracized from your community, or even death in some areas of the world.

In my culture in the US, it’s expected that a majority of people should meander through their lives; with their 2.2 kids, their dog, and their white picket fence, which is great for some folks. But when you don’t fit into that very easy and simple box, moving forward along a less conventional path requires significant courage.

Courage

I recently went skiing for the first time in about 20 years. Being a ski n00b, I invested in two half-day lessons – it would have been inconvenient to ski right off the mountain. The first instructor was an interesting guy in his 60’s, a US Air Force helicopter pilot who retired and has been teaching skiing for the past 25 years. His seemingly conventional path worked for him – he seemed very happy, especially with the artificial knee that allowed him to ski a bit more aggressively. But my instructor on the second day was very interesting. We got a chance to chat quite a bit on the lifts, and I learned that a few years ago he was studying to be a physician’s assistant. He started as an orderly in a hospital and climbed the ranks until it made sense for him to go to school and get a more formal education. So he took his tests and applied and got into a few programs.

Then he didn’t go. Something didn’t feel right. It wasn’t the amount of work – he’d been working since he was little. It wasn’t really fear – he knew he could do the job. It was that he didn’t have passion for a medical career. He was passionate about skiing. He’d been teaching since he was 16, and that’s what he loved to do. So he sold a bunch of his stuff, minimized his lifestyle, and has been teaching skiing for the past 7 years. He said initially his Mom was pretty hard on him about the decision. But as she (and the rest of his family) realized how happy and fulfilled he is, they became OK with his unconventional path.

Now that is courage. But he said something to me as we were about to unload from the lift for the last run of the day. “Mike, this isn’t work for me. I happened to get paid, but I just love teaching and skiing, so it doesn’t feel like a job.” It was inspiring because we all have days when we know we aren’t doing what we’re passionate about. If there are too many of those days, it’s time to make changes.

Changes require courage, especially if the path you want to follow doesn’t fit into the typical playbook. But it’s your life, not theirs. So climb aboard the SS Uncertainty (with me) and embark on a wild and strange adventure. We get a short amount of time on this Earth – make the most of it. I know I’m trying to do just that.

Editors note: despite Mike’s post on courage, he declined my invitation to go ski Devil’s Crotch when we are out in Colorado. Just saying. -rich

–Mike

Photo credit: “Courage” from bfick


It’s that time of year again! The 8th annual Disaster Recovery Breakfast will once again happen at the RSA Conference. Thursday morning, March 3 from 8 – 11 at Jillians. Check out the invite or just email us at rsvp (at) securosis.com to make sure we have an accurate count.

The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour. Your emails, alerts, and Twitter timeline will be there when you get back.


Securosis Firestarter

Have you checked out our video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Securing Hadoop

SIEM Kung Fu

Building a Threat Intelligence Program

Recently Published Papers

* The Future of Security

Incite 4 U

  1. Evolution visually: Wade Baker posted a really awesome piece tracking the number of sessions and titles at the RSA Conference over the past 25 years. The growth in sessions is astounding (25% CAGR), up to almost 500 in 2015. Even more interesting is how the titles have changed. It’s the RSA Conference, so it’s not surprising that crypto would be prominent the first 10 years. Over the last 5? Cloud and cyber. Not surprising, but still very interesting facts. RSAC is no longer just a trade show. It’s a whole thing, and I’m looking forward to seeing the next iteration in a few weeks. And come swing by the DRB Thursday morning and say hello. I’m pretty sure the title of the Disaster Recovery Breakfast won’t change. – MR

  2. Embrace and Extend: The SSL/TLS cert market is a multi-billion dollar market – with slow and steady growth in the sale of certificates for websites and devices over the last decade. For the most part, certificate services are undifferentiated. Mid-to-large enterprises often manage thousands of them, which expire on a regular basis, making subscription revenue a compelling story for the handful of firms that provide them. But last week’s announcement that Amazon AWS will provide free certificates must have sent shivers through the market, including the security providers who manage certs or monitor for expired certificates. AWS will include this in their basic service, as long as you run your site in AWS. I expect Microsoft Azure and Google’s cloud to follow suit in order to maintain feature/pricing parity. Certs may not be the best business to be in, longer-term. – AL

  3. Investing in the future: I don’t normally link to vendor blogs, but this post by Chuck Robbins, Cisco’s CEO, is pretty interesting. He echoes a bunch of things we’ve been talking about, including how the security industry is people-constrained, and we need to address that. He also mentions a bunch of security issues, s maybe security is highly visible in security. Even better, Chuck announced a $10MM scholarship program to “educate, train and reskill the job force to be the security professionals needed to fill this vast talent shortage”. This is great to see. We need to continue to invest in humans, and maybe this will kick start some other companies to invest similarly. – MR

  4. Geek Monkey: David Mortman pointed me to a recent post about Automated Failure testing on Netflix’s Tech blog. A particularly difficult to find bug gave the team pause in how they tested protocols. Embracing both the “find failure faster” mentality, and the core Simian Army ideal of reliability testing through injecting chaos, they are looking at intelligent ways to inject small faults within the code execution path. Leveraging a very interesting set of concepts from a tool called Molly (PDF), they inject different results into non-deterministic code paths. That sounds exceedingly geeky, I know, but in simpler terms they are essentially fuzz testing inside code, using intelligently selected values to see how protocols respond under stress. Expect a lot more of this approach in years to come, as we push more code security testing earlier in the process. – AL

—Mike Rothman

Wednesday, January 20, 2016

Incite 1/20/2016 — Ch-ch-ch-ch-changes

By Mike Rothman

I have always gotten great meaning from music. I can point back to times in my life when certain songs totally resonate. Like when I was a geeky teen and Rush’s Signals spoke to me. I saw myself as the awkward kid in Subdivisions who had a hard time fitting in. Then I went through my Pink Floyd stage in college, where “The Wall” dredged up many emotions from a challenging childhood and the resulting distance I kept from people. Then Guns ‘n Roses spoke to me when I was partying and raging, and to this day I remain shocked I escaped largely unscathed (though my liver may not agree).

But I never really understood David Bowie. I certainly appreciated his music. And his theatrical nature was entertaining, but his music never spoke to me. In fact I’m listening to his final album (Blackstar) right now and I don’t get it. When Bowie passed away last week, I did what most people my age did. I busted out the Ziggy Stardust album (OK, I searched for it on Apple Music and played it) and once again gained a great appreciation for Bowie the musician.

Bowie Changes

Then I queued up one of the dozens of Bowie Greatest Hits albums. I really enjoyed reconnecting with Space Oddity, Rebel Rebel, and even some of the songs from “Let’s Dance”, if only for nostalgia’s sake. Then Changes came on. I started paying attention to the lyrics.

Ch-ch-ch-ch-changes (Turn and face the strange) Ch-ch-changes Don’t want to be a richer man Ch-ch-ch-ch-changes (Turn and face the strange) Ch-ch-changes Just gonna have to be a different man Time may change me But I can’t trace time – David Bowie, “Changes”

I felt the wave of meaning wash over me. Changes resonates for me at this moment in time. I mean really resonates. I’ve alluded that I have been going through many changes in my life the past few years. A few years ago I reached a crossroads. I remembered there are people who stay on shore, and others who set sail without any idea what lies ahead. Being an explorer, I jumped aboard the SS Uncertain, and embarked upon the next phase of my life.

Yet I leave shore today a different man than 20 years ago. As the song says, time has changed me. I have more experience, but I’m less jaded. I’m far more aware of my emotions, and much less judgmental about the choices others make. I have things I want to achieve, but no attachment to achieving them. I choose to see the beauty in the world, and search for opportunities to connect with people of varied backgrounds and interests, rather than hiding behind self-imposed walls. I am happy, but not satisfied, because there is always another place to explore, more experiences to have, and additional opportunities for growth and connection.

Bowie is right. I can’t trace time and I can’t change what has already happened. I’ve made mistakes, but I have few regrets. I have learned from it all, and I take those lessons with me as I move forward. I do find it interesting that as I complete my personal transformation, it’s time to evolve Securosis. You’ll learn more about that next week, but it underscores the same concept. Ch-ch-ch-ch-changes. Nothing stays the same. Not me. Not you. Nothing. You can turn and face the strange, or you can rue for days gone by from your chair on the shore.

You know how I choose.

–Mike

Photo credit: “Chchchange” from Cole Henley


The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour. Your emails, alerts, and Twitter timeline will be there when you get back.


Securosis Firestarter

Have you checked out our video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

SIEM Kung Fu

Building a Threat Intelligence Program

Network Security Gateway Evolution

Recently Published Papers


Incite 4 U

  1. Everyone is an insider: Since advanced threat detection is still very shiny, it’s not a surprise that attention has swung back to the insider threat. It seems that every 4-5 years people remember that insiders have privileged access and can steal things if they so desire. About the same time, some new technology appears that promises to identify those malicious employees and save your bacon. Then it turns out finding the insiders is hard and everyone focuses on the latest shiny attack vector. Of course, the reality is that regardless of whether the attack starts externally or internally to your network, at some point the adversary will gain presence in your environment. Therefore they are an insider, regardless of whether they are on your payroll or not. This NetworkWorld Insider (no pun intended and the article requires registration) does a decent job of giving you some stuff to look for when trying to find insider attacks. But to be clear, these are good indicators of any kind of attack. Not sure to track insiders. Looking for DNS traffic anomalies, data flows around key assets, and tracking endpoint activity are good tips. And things you should already be doing… – MR

  2. Scarecrow has a brain: On first review, Gary McGraw’s recent post on 7 Myths of Software Security best practices set off my analyst BS detector. Gary is about as knowledgable as anyone in the application security space, but the ‘Myths’ struck me as straw man arguments; these are not the questions customers are asking. But when you dig in, you realize that the ‘Myths’ accurately reflect how companies act. All too often IT departments fail to comprehend security requirements and software developers taking their first missteps in security fall into these traps. They focus on one aspect of a software security program – maybe a pen test – not understanding that security needs to touch every facet of development. Application security is not a bolt-on ‘thing’, but a systemic commitment to delivering of secure software as a whole. If you’re starting a software security program, this is recommended reading. – AL

  3. What’s next, the Triceratops Attack? Yes, I’m poking fun at steganography, but pretty much every sophisticated attack (and a lot of unsophisticated ones) entails hiding malicious code in seemingly innocuous files through this technique. So you might as well learn a bit about it, right? This pretty good overview by Nick Lewis on SearchSecurity (registration required here too, ugh) describes how steganography has become commonplace. With an infinite number of places to hide malicious code, we always come back to the need to monitor devices and activity to find signs of attack. Sure, you should try to prevent attacks. But, as we’ve been saying for years, it’s also critical to increase investment in detection, because attackers are getting better at hiding attacks in plain sight. – MR

  4. Winning: Jeremiah Grossman has a good succinct account of the ad-blocking wars, capturing the back and forth between ad-tech and personal blocker technologies. He also nails the problem people outside security are not fully aware of, that “the ad tech industry behaves quite similarly to the malware industry, with both the techniques and delivery” and – just like malware – advertisers want to pwn your browser. I guess you could make a case that most endpoint security packages are rootkits, but I digress. Although I disagree with his conclusion that “ad tech” will win. Many of us are fine with not getting content that requires registration, having our personal data siphoned off and sold, or paying for crap. With so many voices on the Internet you can usually find the same (or better) content elsewhere. Trackers and scripts are just another indication that a site does not have your best interests at heart. So yes, you can win… if you choose to. – AL

  5. Increasing the security of your (Mac): As a long-time security person, I kind of forget the basics. Sure I write about fundamentals from time to time on the blog, but what about the simple stuff we do by habit? That’s the stuff that our friends and family need to do and see. Some understand because they have been around folks like us for years. Others depend on you to configure and protect their devices. Being the family IT person is OK, but it can get tiring. So you can thank Constin Raiu for documenting some good consumer hygiene tactics on the Kaspersky blog. Yes, this is obvious stuff, but probably only to you. Yes, it’s allegedly Mac-focused. But the tactics apply to Windows PCs as well. And we can debate how useful so-called security solutions are. Yet that’s nitpicking. You can’t stop every attack (duh!), but you (and the people you care about) don’t need to be low-hanging fruit for attackers either. – MR

—Mike Rothman

Wednesday, January 13, 2016

Incite 1/13/2016: Permitted

By Mike Rothman

I’m not sure how it happened, but XX1 turned 15 in November and got her driver’s permit. Wait, what?!?! That little girl can now drive. Like, legally? WTF? Clearly it is now January, and I am still in shock that 15 years has passed by in the blink of an eye.

Now it’s on me to teach her to drive. She’ll take a driver’s ed course in February, so that will help and give her some practical experience with someone who actually drives with teenagers for a living. Is that on the list of worst jobs? Second to elephant cage cleaner at the zoo, driving with inexperienced drivers seems like my version of hell on earth.

Then I remembered back to when I learned to drive. My Dad had a ‘72 Bug for me that he drove around. He picked me up and drove me to the local town pool parking lot. He taught me how to balance the clutch (yes, it was a stick shift) and start, stop, drive in a straight line, and turn. I recall him being extraordinarily patient as I smoked the clutch and stalled out 10 times. But after a while I got the hang of it.

drivers permit

Then he said, “OK Mike. Drive home.” WHAT? I was kind of in shock. It was maybe 3 miles to my house, but it was 3 miles of real road. Road with other drivers on it. I almost crapped my pants, but we got home in one piece. Dad would let me drive most places after that, even on the highway and on bridges. He remained incredibly patient, even when I stalled 10 times on a slight incline with about 50 cars behind me sitting on their horns. Yup, crapped my pants that time too. I remember that like it was yesterday, but it was 31 years ago. Damn.

So before winter break I took XX1 out to the parking lot of the library. She got into the driver’s seat and I almost crapped my pants. You getting the recurring theme here? She had no idea what she was doing. I have an automatic transmission, so she didn’t have to worry about the clutch, but turning the car is a learned skill, and stopping without giving me whiplash was challenging for a little while. She did get the hang of it, but seeing her discomfort behind the wheel convinced me that my plan of having her drive home (like my Dad did to me) wouldn’t be a great idea. Neither for her self-esteem nor my blood pressure.

She’ll get the hang of it, and I have to remember that she’s different than me and I’m a different teacher than my Dad. We’ll get her driving at her pace. After she takes the driver’s ed class I’ll have her start driving when she’s with me. Before we know it, she’ll have 25-30 hours behind the wheel.

But I’m not taking any chances. I plan on sending her to an advanced driving school. My cousin sent me a link to this great program in NC called B.R.A.K.E.S, which provides a 4-hour defensive driving workshop specifically for teens. I’m also going to take her to a Skip Barber racing class or something similar, so she can learn how to really handle the car. Sure it’s expensive, but she’s important cargo, commanding a two-ton vehicle, so I want to make sure she’s prepared.

But I have to understand this is a metaphor for the rest of her life. As parents we can prepare her to the best of our ability. Then we need to let her loose to have her own experiences and learn her lessons. She can count on our support through the inevitable ups and downs. My little girl is growing up.

–Mike

Photo credit: “International Driving Permit” from Tony Webster


The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour. Your emails, alerts, and Twitter timeline will be there when you get back.


Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

SIEM Kung Fu

Building a Threat Intelligence Program

Network Security Gateway Evolution

Recently Published Papers


Incite 4 U

  1. Security as a business problem: The more things change, the more they stay the same. NetworkWorld’s Overcoming stubborn execs for security sake took me back to 2006, right before I wrote the Pragmatic CSO. Senior management doesn’t get it? Yup. Mid-managers want to circumvent the rules? Yup. On and on it goes, and we run on the hamster wheel for a decade, ending up right back in the same place. Welcome to the rest of your security career. The fact is that as high-profile as security has become to senior management and the Audit Committee, what’s a lot more important to them is making the numbers and hitting their objectives. So how can you get them to understand? You can’t. Not fully anyway. But you can make sure you discuss security in business terms, and that will at least provide some common ground for discussion. The article does a good job of discussing those tactics. – MR

  2. Shoot the messenger: Every year some legitimate tool – security or otherwise – gets labeled as a security threat. It’s not just nmap or Metasploit – even Google’s web crawlers can detect certain vulnerabilities and catalog the results (and do), and are therefore called a “hacker tool”, especially after con talks that explain how to use Google to hack. This time the Shodan web crawler was called a threat, as a recent advisory from Checkpoint noted what appeared to be Shodan scans prior to data breaches. The advisory itself is a good thing, but advice to block Shodan scans to deter hacking made the Twitterverse erupt in controversy. Thankfully social media has set everyone straight and the issue is resolved, right? Honestly, there is nothing wrong with blocking external Shodan scans while you address the vulnerabilities, but those pesky skeptics in the security community know blocking will be the ‘solution’ – not merely a starting point. Exactly like last time. – AL

  3. 4 tips for IR? Obviously there are more steps an incident response. So this quick post by the CrowdStrike folks was interesting, but I think they did a decent job making a few critical points. First, you have to start with a damage assessment and an understanding of whether the adversary is still active in your environment. Next try to corral the devices in question, and data at risk, in some segmented and monitored environment, being careful to keep systems up to avoid either alerting the adversary or destroying evidence. Then call in the Forensicators. Given the shortage of those folks, and the level of demand, that is a non-trivial effort. But unless you are a Fortune-class enterprise with a group of incident responders you’ll need to work with an external firm. Then you need to notify affected stakeholders, and return systems to a healthy state. Obviously there are dozens of activities behind each of those tips, but they are good things to keep in mind.– MR

  4. Down in front: When Firefox stopped connecting via HTTPS to many web sites, some of you might have been frustrated enough to switch to a new browser. Firefox’s latest version stopped accepting SHA-1 signed certificates because the algorithm has been deprecated. But if your company uses DLP or a web security product that performs a ‘man-in-the-middle’ intercept to inspect content, odds are likely it still issues SHA-1 signed certificates. That makes Firefox barf, so you can’t connect. Too bad, so sad. You can use another browser if you choose, but as your requests are already being filtered (thanks, web proxy!), you can configure FF to accept those SHA-1 certificates without concern for degraded privacy or security. But you should ask your security vendor to up their game. – AL

  5. Can you change your mindset? This isn’t security related, but interesting enough to mention. There has been a ton of research on growth vs. set mindsets. Psychology Today has a quick article covering the research highlights. People with set mindsets are good with the status quo, and don’t think intelligence changes. Those with growth mindsets believe they can grow intelligence as they push out of their comfort zones and try new things. If you tend toward ‘set’, can you ‘grow’? Or are these fixed aspects of your personality that aren’t easy to change? The article makes it sound like you just decide to grow. Is it that easy? Maybe it should be, but I have my doubts about whether folks can fundamentally change their mindsets. – MR

—Mike Rothman

Wednesday, January 06, 2016

Incite 1/6/2016 — Recharging

By Mike Rothman

The last time I took 2 weeks off was probably 20 years ago. As I write that down, it makes me sad. I’ve been been running pretty hard for a long time. Even when I had some forced vacations (okay, when I got fired), I took maybe a couple days off before I started focusing on the next thing. Whether it was a new business or a job, I got consumed by what was next almost immediately. I didn’t give myself any time to recharge and heal from the road rash that accumulated from one crappy job after another.

Even when things are great, like the past 6 years working with Rich and Adrian, I didn’t take a block of time off. I was engaged and focused and I couldn’t wait to jump into the next thing. So I would. I spent day after day during the winter holidays as the only person banging away at their laptop at the coffee shop while everyone else was enjoying catching up with friends over Peppermint Mocha lattes.

recharge

I rationalized that I could be more productive because my phone wasn’t ringing off the hook and I wasn’t getting my normal flow of email. There wasn’t much news being announced and my buddies weren’t blogging at all. So I could just bang away at the projects I didn’t have time for during the year. Turns out that was nonsense. I was largely unproductive during winter break. I read a lot, spent time thinking, and it was fine. But it didn’t give me a chance to recharge because there was no separation.

The truth is I didn’t know how to relax. Maybe I was worried I wouldn’t be able to start back up again if I took that much time away. It turns out the projects that didn’t get done during the year didn’t get done over break because I didn’t want to do them. So they predictably dragged on through winter break and then into the next year.

That changed this year. I’m just back from two weeks pretty much off the grid. I took a week away with my kids. We went to Florida and checked out a Falcons game in Jacksonville, the Kennedy Space Center in Cape Canaveral, and Universal Studios in Orlando. We were able to work in some family time in South Florida for Xmas before heading back to Atlanta. I stayed on top of email, but only to respond to the most urgent requests. All two of them. I didn’t bring my laptop, so if I couldn’t take care of it on my iPad, it wasn’t getting done.

Then I took a week of adult R&R on the beach in Belize. I’m too cheap to pay for international cellular roaming, so my connectivity was restricted to when I could connect to crappy WiFi service. It was hard to check email or hang out in our Slack room during a snorkeling trip or an excursion down the Monkey River. So I didn’t. And the world didn’t end. The projects that dragged through the year didn’t get done. But they weren’t going to get done anyway and it was a hell of a lot more fun to be in Belize than a crappy coffee shop pretending to work.

I came back from the time off recharged and ready to dive into 2016. We’ve got a lot of strategic decisions to make as the technology business evolves towards cloud-everything and we have to adapt with it. I don’t spend a lot of time looking backwards and refuse to judge myself for not unplugging for all those years. But I’ll tell you, there will be more than one period of time where I’ll be totally unplugged in 2016. And I’ll be a hell of a lot more focused and productive when I return.

–Mike

Photo credit: “Recharging Danbo Power” from Takashi Hososhima


The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour. Your emails, alerts, and Twitter timeline will be there when you get back.


Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Building a Threat Intelligence Program

Network Security Gateway Evolution

Recently Published Papers


Incite 4 U

  1. Cloud vs. on-prem. Idiotic discussions continue: Do me a favor and don’t read this article trying to get to the bottom of whether the public cloud or on-prem is more secure. It’s an idiotic comparison because it depends on way too many factors to make a crass generalization. Period. You can architect a public cloud environment that is more secure than an environment built on-prem. But for a different use case you could make a case for the converse. It’s not about the environment an application and technology stack is built and run in, it’s about how it’s architected and how it takes advantage of the native capabilities of each option. We believe (and are making pretty significant corporate bets) that a public-cloud environment can be more secure than something built on-prem. But it depends, and we cannot wait until everyone is doing their innovative work in the cloud, and then discuss how to make the public cloud as secure as possible, instead of whether it’s more secure than something else. – MR

  2. In front of our eyes: Volkswagen was discovered to have modified diesel vehicles engine management software to reduce emissions temporarily, during the emissions testing process. Think about it for a minute: millions of vehicles were tested each year, by trained techs with tools and software designed to audit vehicle emissions, and yet software designed to circumvent the audits went undetected for years. While that story has nothing to do with security per se, the ‘attack’ used to bypass the test (and therefore the certification process), and the third-party discovery, is a story we see played out over and over with IT breaches. When you have a sophisticated and motivated adversary, they will be aware of (and work around) your defenses and assessment techniques. A single static test with an unquestioned binary response does not cut it. Think about that the next time you are looking to catch fraud or look for compromised systems in a complicated environment. – AL

  3. The invisible malware: With all of the innovation happening around malware detection, it’s getting easier to detect attacks, right? Yeah, not so much. Turns out it’s getting harder. As Dark Reading described, the newly discovered Latentbot uses so much obfuscation it’s largely invisible to current-generation detection tools. It’s a good thing China isn’t hacking so much (according to FireEye’s last earnings call anyway) because that gives researchers plenty of time to find cool botnets. And it’s interesting to learn how this new malware injects code multiple times, never stays installed for too long, and exploits device at multiple levels to ensure persistent access and control over them. Yeah, it is clear you can’t stop attacks like this, so focusing on detecting lateral movement and exfiltration are your best options for finding pwned devices. – MR

  4. Banking on irrelevance: SSL and (to a lesser extent) TLS 1.0 have a handful of known vulnerabilities and weaknesses, depending on how they are deployed. The PCI Council previously required firms to update before the end of 2015, but recently the Council pushed its mandatatory migration date from SSL to TLS out to June 2018. Because, well, the big retailers pulling the PCI-DSS strings couldn’t get there in time. Attackers have bags full of tricks for attacking these older protocols and accessing the network sessions they were designed to protect. It’s not clear how the Council decided pushing back the date two and a half years made any sense, but since they don’t mandate end-to-end encryption and pass card data in clear text, you are probably thinking “What is the point?” And from a PCI assessment perspective, if Apple Pay, Samsung Pay, and the like continue to gain acceptance, in three years payment tokens will likely make most of current PCI compliance irrelevant. But sometimes compliance drives needed change, and migrating to TLS 1.2 will be beneficial to data security. At some point, if it ever happens. – AL

  5. The few, the proud, the cyber: It’s good to see the military continuing to invest in cyber capabilities. The Army National Guard is standing up new cyber units to help do surveillance and recon for the nation’s adversaries. Ho hum, right? Actually it’s interesting because the National Guard may be able to get access to security professionals otherwise gainfully employed by commercial entities. It’s a big sacrifice to do security for military pay, when commercial organizations have totally different pay scales. But being able to help out (via the National Guard) could be a good alternative for patriotic folks who want commercial jobs. – MR

—Mike Rothman

Wednesday, December 16, 2015

Incite 12/15/2015: Looking Forward

By Mike Rothman

In last week’s Incite I looked backwards at 2015. As we close out this year (this will be the last Incite in 2015), let me take a look forward at what’s in store for 2016.

Basically I don’t have any clue.

I could lie to you and say I’ve got it all figured out, but I don’t. I fly by the seat of my pants pretty much every day of my life. And any time I think I have things figured out, I get a reminder (usually pretty harsh) that I don’t know squat. One thing I’m comfortable predicting is that things will be changing. Because they always do. Some years the change is very significant, like in 2015. Other years less so. But all the same, change is constant in my world.

looking forward

We’re going to do some different things at Securosis next year. We are very pleased with how we have focused our research toward cloud security, and plan to double down on that in 2016. We’ll roll out some new offerings, though I’m not exactly sure when or what they’ll be. We have a ton of ideas, and now we have to figure out which of them make the most sense, because we have more ideas than time or resources. Rich, Adrian, and I will get together in January and make those decisions – and it will involve beer.

Personally, I’ll continue my path of growth because well, growth. That includes trying new things, traveling to new places, and making new friends. I’m not going to set any goals besides that I want to wake up every morning, maintain my physical health, and continue my meditation and spiritual practices. My kids are at an age where they need my presence and guidance, even though they will likely not listen, because teenagers know everything. Which basically means I’ll also need to be there to pick them up when they screw things up (and they will), and try to not say I told you so too many times.

I’ll also tell my story of transformation through the year. I’m not ready to do that yet, but I will because it’s an interesting story and I think it will resonate with some of you. It also ensures that I will remember as time marches on. I spent some time earlier in the year reading through old Incites and it was a great reminder of my journey.

Overall I’m very excited about 2016 and continuing to live with a view toward potential and not limitations. I’m focused on making sure those I love know they are special every single day. I’m committed to being happy where I am, grateful for how I got here, and excited for what is to come. I’ll ring in the New Year in a tropical paradise, and play the rest by ear.

All of us at Securosis are grateful for your support, and we wish you a healthy and happy 2016.

–Mike

Photo credit: “looking forward to” from Elizabeth M


The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour. Your emails, alerts, and Twitter timeline will be there when you get back.


Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Building a Threat Intelligence Program

Network Security Gateway Evolution

Recently Published Papers


Incite 4 U

  1. Good deed for the holidays: You too can help make software security better! OWASP, the Open Web Application Security Project, is developing a new set of secure coding guidelines for software developers. This document will be a great aid to developers who want to get up to speed on secure coding. It offers a succinct set of code examples – in most of the widely used programming languages – which address the top ten security coding flaws. And what developer doesn’t love easy to understand code examples? But wait, there’s more! This effort is truly open, so you get to participate in building the guidelines: the document I referenced is open for public comments and direct editing! So if you think the document is missing something, or there are better examples to be offered, or you think something is wrong, you can improve it. Do a good deed for the holidays and contribute. – AL

  2. Happy Holidays. Let’s make some crap up… It’s the holiday season. So obviously we will be subjected to everyone’s predictions of what’s in store for 2016. As you can tell from our last FireStarter of the year, we don’t buy into predictions. But the IDC folks don’t have any issue making things up. Their cousins at NetworkWorld (both have the same corporate parent IDG) have some bait posted about an upcoming IDC predictions webcast, and one of their predictions is that by 2020 data breaches will affect 25% of the world’s population. What does that even mean? How could you tell if it’s right? And who cares anyway? How will that prediction do anything to change what you are doing on a daily basis? Right, it won’t, because odds are you have already been affected by a data breach. So this is the worst kind of prediction. It can’t be proven or disproven, and it’s not relevant to your daily activity. Bravo IDC. I hope the others are a little better, but I won’t know, because I have better stuff to do than listen to nonsense. – MR

  3. Black Friday, Cyber Monday, and Liability Tuesday: As I have been out and about a lot this month, showing relatives around Arizona, my credit cards have gotten a lot of use. Restaurants, gift shops, museums, pet stores, big box retail, national parks, and even a place called “The Hippie Emporium” (don’t ask). And you know what I have seen? Outside Target, not a single merchant had adopted EMV. EMV-ready PoS devices are in place, but the EMV functionality is not operational. Got that? All that hype about merchant liability and almost zero adoption. A couple weeks back Branden Williams asked (paraphrasing) will sucky and slow EMV chip readers will cause people stay home and shop at Amazon or other online retailers. To which I respond ‘No’: they are not in wide enough use to have a detrimental effect. Amazon is getting a ton of new traffic this year, and I hear so are Etsy and even the ecommerce sites of traditional brick-and-mortar stores. It’s not because of EMV readers – it’s just getting easier to shop online, and more people are comfortable with it. But it does mean we are going to see the effects of the liability shift soon – ‘tis the season for credit card scams and fraud, and we will see some merchants get hammered. – AL

  4. Step by step malvertising: I enjoy blow-by-blow descriptions of recent attacks, so thanks to the Malwarebytes folks, who posted a detailed analysis of a recent malvertising campaign targeting Xfinity. What’s interesting is how this attack combines malvertising, an exploit kit, phishing (to collect personal data), and then a tech support scam. Now that’s leverage. Of course there are clues it’s a scam, including a different domain for the first linked site. Malwarebytes also posted a set of indicators so you can be ready for this kind of attack if your employees or family tend to click. – MR

—Mike Rothman

Wednesday, December 09, 2015

Incite 12/9/2015: Looking Backwards

By Mike Rothman

As a guy who pretty much always looks forward, I still find it useful at the end of each calendar year to look backwards and evaluate where I am in life and what (if anything) I want to focus on in the coming year. 2015 has been a very interesting year, both personally and professionally. I’m at an age where transformation happens, and that has been a real focus for me. I’ve spent a long time evaluating every aspect of my life and making changes, some small and some very significant. Trying to navigate those changes gracefully requires focus and effort.

From a business perspective, it’s a pretty good time to be in the security industry. You have seen a slowdown in our blog activity over the past couple months because our business continues to evolve and we’ve been doing a lot more work out of the public eye. We’ve been called in to do a lot more strategic advisory, and we’re even starting to do security architecture work for some enterprise organizations, typically around cloud initiatives.

We’re also increasingly being called into diligence efforts for companies considering acquisitions, and investors considering putting large sums of money to work in this space. These are pretty intense gigs and that usually means more external projects lag a bit. We also aren’t sure how long the good times will continue to roll, so we usually jump on diligence projects.

Emu

Personally, suffice it to say things are substantially different for me, though I’m not going to go into detail at this point. Different is scary for most people, but I’ve always embraced change, so my challenge is more about having the patience to let the world around me adapt. My kids continue to amaze me with how they are growing into fantastic people, and this past year they’ve navigated new schools and additional workload with minimum drama and angst. You can’t entirely avoid drama and angst (not as a teenager anyway), but their Mom and I are proactive about making them aware of the drama.

Physically I’m still working my program, running two half marathons and continuing my yoga practice. I’m making many new friends who provide different perspectives on life, and I’ve been able to fulfill a need for social activity I didn’t even know I had. As I look back at 2015, I realize that the signs of significant disruption were there both personally and professionally. It has been a long road, and I finally feel that my world is opening up and I’m moving toward my potential, away from my self-imposed limitations.

I’m really excited for what’s next. All is see ahead is blue sky. As I wrap up the Incite next week, I’ll ruminate a little into what the path ahead looks like.

–Mike

Photo credit: “Emu (Dromaius novaehollandiae) looking backwards at Auckland Zoo” from Wikimedia Commons


The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour. Your emails, alerts, and Twitter timeline will be there when you get back.


Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Building Security into DevOps

Building a Threat Intelligence Program

Network Security Gateway Evolution

Recently Published Papers


Incite 4 U

  1. R marks the spot: NetworkWorld ran a great article examining how the Verizon Data Breach report folks use R to do the analysis and generate the charts in their widely read report. I personally haven’t played with statistical programs since I was in college, but there is an increasing need for math people (although we call them data scientists now) to perform the analysis to mine through all of that security data and figure out what’s going on. I tell many younger folks, who ask what they should focus on, to dust off their programming/scripting skills – security automation is coming. The other thing I now suggest is for the math-inclined to study a lot more statistics and get to know these kinds of tools. The future is here and it seems to require math (so says the writer). – MR

  2. Pre-owned: If you’re wondering how the credit card you just got two weeks ago already got popped, here is on possible answer. Samy Kamkar demonstrated that AmEx-based new card numbers are predictably generated from the previous numbers allowing crackers to guess the number of the next card they issue you. If you’re an application developer, this is why you need to be careful with sequence generators – they tend to leak information attackers can (and do) exploit. This attack does not compromise the CVV, and other protections are embedded in credit card magstripes, but there are enough cracks in the credit card ecosystem for attackers to trick terminals with bogus card-present transactions. And if history repeats itself, it will only take one phony transaction to trigger an AmEx card re-issue, so you’ll get to re-enter your next number at the dozen or so websites you use. Again. – AL

  3. Keep your enemies closer… Running a big business can be messy at times, and it seems it’s tough to scale ethics. I can’t say I’m surprised to hear that Walmart spies on the employees who advocate for change and agitate its workforce. I’m also not surprised they hired Lockheed to run their intelligence gathering program. I am a bit surprised they got FBI Joint Terrorism Task Force help, but I guess they made the case that they were worried about a terrorist strike against a store. And that’s how a lot of surveillance is justified. It’s about knowing before something bad happens. I don’t know that there is a clear answer, because most folks gladly will cede privacy for a perception of security. Of course, as we’ve seen all too frequently, any sense of personal security is a myth. And as we in the security industry know, computer security is a myth as well. I guess the only thing to accept is that Big Brothers are watching. And yes, that’s intentionally plural. – MR

  4. Payments for nothin’, chips for free: Speaking of cracks in the payment system: University College London researchers are reporting an uptick of card present fraud, specifically with Chip and PIN cards. It seems hackers are using stolen cards with embedded EMV chips, without their PIN codes. So to perpetrate the fraud the attacker forces the terminal into a “referral mode” where the merchant transmits the code from the PIN pad. But the attacker has possession of the terminal to enter their secret PIN while the alternative authorization occurs. To add insult to injury, it seems no one ever tested this procedure – because transactions are accepted even with bogus authorization codes. Security! It’s amazing that so many financial processes seem to lack any kind of threat modeling prior to rollout, as we also saw with the banks’ failure to vet cards in the so-called “Apple Pay Hack”, and Starbucks mobile account takeovers with automatic replenishment. This is threat modeling 101. This attack should be short-lived – whether prevented with payment terminal patches or mitigated through merchant employee training. – AL

  5. Attacks never go away either: We joke as security professionals that we can never get rid of a control – we just keep adding to the mix. Go into your telecom room and check out the link encryptors if you don’t believe me. It seems old attack kits never go away either. Peter Stephenson assembled information from a bunch of sources to show that NEK (Nuclear Exploit Kit) is back. This shouldn’t be a surprise – folks are inherently lazy. Unless you are doing something totally novel (like StuxNet), why wouldn’t you use stuff that already exists as a starting point. We do that in development now (just ask your developers to list the external and open source libraries they use in an app), we do it with monitoring (leveraging existing patterns), and we recycle pretty much everywhere. Why wouldn’t attackers do the same? Peter’s conclusions (use multiple AV products, LOL) are suspect, but if most attacks seem familiar it’s because they are. – MR

—Mike Rothman

Thursday, December 03, 2015

Incite 12/2/2015: Grateful Habits

By Mike Rothman

A week ago most folks in the US were in food comas from the Thanksgiving feast. Of course this is a great time of year to be grateful for what you have. Whether it’s family, health, work, or anything else. This morning I got a great reminder that expressing gratitude is a habit, which requires daily work – especially for security people.

I was doing a speaking gig for a client in Atlanta, and I ran into an old friend who traveled in for the seminar. We were catching up and he mentioned how busy he was and that it was a bit overwhelming. I jumped right in because we at Securosis are pretty busy ourselves. But then I got a flash of awareness and decided I had to break the cycle. I specifically asked whether he remembered 10 years ago when no one cared about security?

I certainly do. A lot of you (like Rich, Adrian, and myself) did security before security was cool. You remember talking to blank stares when evangelizing the importance of security. You remember cleaning the same malware off the same person’s device, over and over again, because they just couldn’t understand why they can’t click ads on questionable sites. You also remember looking for a new job when the senior team needed a scapegoat after yet another breach, after they didn’t listen to what you said the first time.

It’s a different situation now. Many folks still don’t understand what they need to do, but they don’t really argue about the importance of security any more. Most of us have a bigger issue finding talent to fill open positions, rather than making the case for why any security people are needed. These are things to be grateful for.

It turns out that a little gratitude leads to a lot. So if you have any interest, don’t just think about being thankful around the holidays. Start the day by making a list of 2 or 3 things you are grateful for every day. It’s hard to get into the right mindset to get things done, when you wake up overwhelmed by the amount of stuff that needs to get done. So break that cycle too. Think about what’s working in your life. It doesn’t have to be a lot. Just a little thing. Take a small step toward feeling gratitude every day.

I do this consistently, every day. It puts me in the right frame of mind. I’m thankful for so many things, but none more than the habits I have established over the past few years, which have made a huge difference in my life.

–Mike


The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour. Your emails, alerts, and Twitter timeline will be there when you get back.


Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Building Security into DevOps

Building a Threat Intelligence Program

Network Security Gateway Evolution

Recently Published Papers


Incite 4 U

  1. Can security be fixed? Is it broken? I’ve gotta send a hat tip to my friend Don, who pointed out this article on TechCrunch explaining how Humility, Accountability And Creative Thinking Can Fix IT Security. Really? A lot of the security folks I know are pretty humble and creative. It’s not like they sit around and talk about how great they are while the city is burning. But aside from the clickbait title, there are some decent points in that post. I especially like the idea of killing silver bullet syndrome. There is no single answer for dealing with sophisticated adversaries. I also agree that security will need to evolve as the cloud and mobility continue to take root. Inflection anyone? The article also points out the need to share information, and that’s all about Threat Intelligence. But I still push back on the contention that security is broken. It’s not broken, because that supposes that it can be fixed. I posit that you don’t win security – you just survive to fight another day. – MR

  2. Student jobs: It appears the FBI is funding security vulnerability research; not for bug bounties, but to conduct surveillance. Recently they paid University students to hack Tor networks so they could inspect Tor traffic and de-anonymize Tor users. The FBI’s disclosed target could have been tracked financially, and Tor offers law enforcement other means to locate users, which implies (shockingly) their goal was something more than they disclosed. The problem is that they used the same techniques legitimate security researchers use to find flaws – efforts which the FBI is more known for prosecuting than for sponsoring. So we come back to the sad fact that some folks in law enforcement think the rules are importang, but don’t apply to them. – AL

  3. Volunteering to get started in security: Recently I highlighted a great article from Lesley Carhart about getting started in infosec. Given the skills gap, all the help we can offer interested parties who want to join us in security is welcome. So check out this interview with Ron Woerner on Michael Santarcangelo’s blog. Ron points out the Catch-22 that security jobs demand experience, but most entry-level folks have no way to get it. Ron suggests volunteering on open source projects or with local organizations, such as schools and religious organizations. Maybe even your doctor’s or dentist’s office. Ron also suggests reading. A lot. He’s right – there are so many talks and so much content out there free, that anyone can familiarize themselves with the practice. Of course nothing replaces the experience of screwing things up, so reading isn’t enough. But these are all good ways to get onto the path of security ‘bliss’. LOL. – MR

  4. Delusional: The claim that Snowden’s leaks contributed to the Paris bombings is so outrageous I thought at first I would not comment on it at all. But in our daily jobs, helping firms deploy encryption, I realize how few communications – email, voice, data, text messages. etc. – are actually encrypted even after we learned mass surveillance is a reality. I have used encryption on and off during my professional career for both personal and professional communications. Most of the time I have used encryption during the development phases of new encryption, key management, and PRNG modules to protect us from both eavesdropping and code tampering. But even most paranoids like myself don’t use it most of the time, because it is too hard to use except for the most sensitive communications. But after the Snowden revelations I am still surprised how little of our critical infrastructure is encrypted and private. But maybe I shouldn’t be. – AL

  5. Screwing up is part of the process: Fahmida posted a pretty entertaining article on 10 dumb security mistakes that sys admins make. It’s mostly simple stuff like using sudo and making changes as root. I mean, the list is the list, and dumb mistakes are made all day, every day. My point is that screwing up is an integral part of learning security. Those with a future in this practice mess things up all the time. They try stuff. They hack together solutions to problems no one has ever seen, and sometimes they work. But often they don’t. That’s part of the learning process, and as security folks we always need to be learning. So don’t stigmatize mistakes – embrace them. Just don’t make the same mistakes more than once. – MR

—Mike Rothman

Wednesday, November 04, 2015

Incite 11/4/2015: The Taper

By Mike Rothman

As I mentioned, I’m running a half marathon for Team in Training to defeat blood cancers. I’ve raised a bunch of money and still appreciate any donations you can make. I’m very grateful to have made it through my training in one piece (mostly), and ready to go. The race is this coming Saturday and the final two weeks of training are referred to as the taper, when you recover from months of training and get ready to race.

This will be my third half, so by this time in the process I’m pretty familiar with how I feel, which is largely impatient. Starting about a month out, I don’t want to run any more because my body starts to break down a bit after about 250+ miles of training. I’m ready to rest when the taper starts – I need to heal and make sure I’m ready to run the real deal. I want to get the race over with and then move on with my life. Training can be a bit consuming and I look forward to sleeping in on a Sunday morning, as opposed to a 10-12 mile training run. It’s not like I’m going to stop running, but I want to be a bit more balanced. I’m going to start cycling (my holiday gift to myself will be a bike) and get back to my 3x weekly yoga practice to switch things up a bit.

The Taper

The taper is actually a pretty good metaphor for navigating life transitions. Transitions are happening all the time. Sometimes it’s a new job, starting a new hobby, learning something new, relocating, or anything really that shakes up the status quo. Some people have very disruptive transitions, which not only shake their foundations but also unsettle everything around them. To live you need to figure out how to move through these transitions – we are all constantly changing and evolving, and every decade or so you emerge a different person whether you like it or not. Even if you don’t want to change, the world around you is changing, and forces you to adapt. But if you can be aware enough to sense a transition happening, you can taper and make things more graceful – for everyone.

So what does that even mean? When you are ready for a change, you likely want to get on with it. But another approach is to slow down, rest a bit, take a pause, and prepare everyone around you for what’s next. I’ve mentioned the concept of slowing down to speed up before, and that’s what I’m talking about. When running a race, you need to slow down in the two weeks prior to make sure you have the energy to do your best on race day. In life, you need to slow down before a key transition and make sure you and those impacted are sufficiently prepared.

That requires patience and that’s a challenge for me and most of the people I know. You don’t want to wait for everyone around you to be ready. You want to get on with it and move forward, whatever that means to you. Depending on the nature of the transition, your taper could be a few weeks or it could be a lot longer. Just remember that unless you are a total hermit, transitions reverberate with those around you. It can be a scary time for everyone else because they are not in control of your transitions, but are along for the ride. So try to taper as you get ready to move forward. I try to keep in mind that it’s not a race, even when it’s a race.

–Mike

Photo credit: “graff la rochelle mur aytre 7” originally uploaded by thierry llansades


Thanks to everyone who contributed to my Team in Training run to battle blood cancers. We’ve raised almost $6,000 so far, which is incredible. I am overwhelmed with gratitude. You can read my story in a recent Incite, and then hopefully contribute (tax-deductible) whatever you can afford. Thank you.

The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour. Your emails, alerts, and Twitter timeline will be there when you get back.


Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Building Security into DevOps

Building a Threat Intelligence Program

Network Security Gateway Evolution

Recently Published Papers


Incite 4 U

  1. Getting started in InfoSec: Great post/resource here from Lesley Carhart about how to get started in information security. Right up at the top the key points comes across loud and clear: you need to understand how things work to hack them (or defend them). YES! That’s why a degree in security is useful, but the reality is that students coming out of these programs aren’t ready because they don’t know how everything works. That takes a few years in the coal mines, so you need to grow folks to meet demand, but it’s a multi-year investment. You can’t just send them to a SANS class and figure they’ll be ready to take on sophisticated adversaries. The other point right up front is on passion about security. It’s not a 40-hour-a-week job (not even in France), and it’s thankless. So if you don’t really like it, it’s a slog to do security for years. If you have folks who are interested in getting into our little area of the world, have them read this post. – MR

  2. Infinite primes, wasted: Remember back in high school, when your teachers said “Math is important!” You muttered under your breath, “When am I ever going to use this stuff? Combinatorials? Prime numbers? Never again!” Well guess what? Your math teacher was right. J. Alex Halderman and Nadia Heninger, in How is NSA breaking so much crypto?, offer a plain english explanation of how nation-state hackers are likely able to eavesdrop on HTTPS sessions. They go on to discuss the economics, and the incentives for governments to invest in crypto hacking hardware to keep pace with networks and technology. Because of a common implementation failure in the use of prime numbers – using the same ones every time – the NSA and other nation-states can leverage a few hundred million in custom hardware to crack the majority of secured sessions – and what’s a few hundred million between friends (or enemies). The brute force cracking is not rocket science, nor is the discovery of the simple mistake in usage of prime numbers, but combined they allow determined parties to eat ‘secure’ sessions for lunch. – AL

  3. Mobile + Pr0n = Pwn: I highlighted this link in last week’s Friday Summary, but it’s worth a broader discussion: porn sites are the top mobile infection vector. Mostly because it’s about pr0n. HA! But that brings up a good point about the path of least resistance. Attackers find ways to figure out the easiest way to achieve their mission, and folks who use tablets and phones to consume adult content are pretty low-hanging. No pun intended, but the key points here are that malvertising is a key attack vector now and some sites are going to be more careful about it, and that porn sites probably aren’t among the best of them. So what to do? Abstinence? Just say no? As Nancy Reagan turns over in her grave, the answer is to make sure you are following the same practices you follow on your PC devices. Don’t click on stupid links, and make sure your device is patched and up to date. – MR

  4. Fast pass to replacement: In the last two weeks Mastercard has launched the MasterPass Mobile App with full tokenization of credit cards (i.e., PAN) through the MasterPass Digital Enablement Service – a fancy name for their tokenization gateway. This is important as they are directly linking issuing banks to mobile apps like Android Pay, Apple Pay, and Samsung Pay. In The EMV Migration and the Changing Payment space we explained that EMV cards are almost trivial in the bigger picture. The transition to mobile is where the real security benefits will be derived. And here is we will see full end-to-end tokenization and merchants no longer getting access to card numbers. The road will continue to be bumpy for a while, as card-not-present fraud forces banks to reissue cards (and reissue them again), and consumers are forced to sit on their phones (if you’re like me) explaining to their bank that they are putting another new credit card number into Apple Pay, and asking why the $@#! the bank can’t automate this process! The answer in both cases is fraud, which will continue to escalate until this migration to more secure (i.e., mobile) platforms, which can help combat both card cloning and card not present fraud. – AL

  5. Patience is hard: Most of the folks in your organization aren’t security people. Sure you can bust out the platitudes like “security is everyone’s job” and other such puffery, but the reality is these folks have demanding jobs, and security isn’t in their job descriptions. So how long does it take them to become aware? Sometime between forever and forever? The news isn’t that bad, but it will take time and repetition, with some gamification and possibly some public shaming, for everyone to get the picture. And there will always be those ‘special’ folks who won’t ever get it, but you have to tolerate them (and clean up their messes) because they are too important. Maybe show them the article linked above about mobile and porn – I’m sure that has never been an attack vector for these folks. – MR

—Mike Rothman

Wednesday, October 21, 2015

Incite 10/21/2015: Appreciating the Classics

By Mike Rothman

It has been a while since I’ve mentioned my gang of kids. XX1, XX2 and the Boy are alive and well, despite the best efforts of their Dad. All of them started new schools this year, with XX1 starting high school (holy crap!) and the twins starting middle school. So there has been a lot of adjustment. They are growing up and it’s great to see. It’s also fun because I can start to pollute them with the stuff that I find entertaining.

Like classic comedies. I’ve always been a big fan of Monty Python, but that wasn’t really something I could show an 8-year-old. Not without getting a visit from Social Services. I knew they were ready when I pulled up a YouTube of the classic Mr. Creosote sketch from The Meaning of Life, and they were howling. Even better was when we went to the FroYo (which evidently is the abbreviation for frozen yogurt) place and they reminded me it was only a wafer-thin mint.

horse teeth

I decided to press my luck, so one Saturday night we watched Monty Python and the Holy Grail. They liked it, especially the skit with the Black Knight (It’s merely a flesh wound!). And the ending really threw them for a loop. Which made me laugh. A lot. Inspired by that, I bought the Mel Brooks box set, and the kids and I watched History of the World, Part 1, and laughed. A lot. Starting with the gorilla scene, we were howling through the entire movie. Now at random times I’ll be told that “it’s good to be the king!” – and it is.

My other parenting win was when XX1 had to do a project at school to come up with a family shield. She was surprised that the Rothman clan didn’t already have one. I guess I missed that project in high school. She decided that our family animal would be the Honey Badger. Mostly because the honey badger doesn’t give a _s**t_. Yes, I do love that girl. Even better, she sent me a Dubsmash, which is evidently a thing, of her talking over the famous Honey Badger clip on YouTube. I was cracking up.

I have been doing that a lot lately. Laughing, that is. And it’s great. Sometimes I get a little too intense (yes, really!) and it’s nice to have some foils in the house now, who can help me see the humor in things. Even better, they understand my sarcasm and routinely give it right back to me. So I am training the next generation to function in the world, by not taking themselves so seriously, and that may be the biggest win of all.

–Mike

Photo credit: “Horse Laugh” originally uploaded by Bill Gracey


Thanks to everyone who contributed to my Team in Training run to battle blood cancers. We’ve raised almost $6,000 so far, which is incredible. I am overwhelmed with gratitude. You can read my story in a recent Incite, and then hopefully contribute (tax-deductible) whatever you can afford. Thank you.

The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour. Your emails, alerts, and Twitter timeline will be there when you get back.


Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Building Security into DevOps

Building a Threat Intelligence Program

Network Security Gateway Evolution

Recently Published Papers


Incite 4 U

  1. The cloud poster child: As discussed in this week’s FireStarter, the cloud is happening faster than we expected. And that means security folks need to think about things differently. As if you needed more confirmation, check out this VentureBeat profile of Netflix and their movement towards shutting down their data centers to go all Amazon Web Services. The author of the article calls this the future of enterprise tech and we agree. Does that mean existing compute, networking, and storage vendors go away? Not overnight, but in 10-15 years infrastructure will look radically different. Radically. But in the meantime, things are happening fast, and folks like Netflix are leading the way. – MR

  2. Future – in the past tense: TechCrunch recently posted The Future of Coding Is Here, outlining how the arrival of APIs (Application Programming Interfaces) has ushered in a new era of application development. The fact is that RESTful APIs have pretty much been the lingua franca of software development since 2013, with thousands of APIs available for common services. By the end of 2013 every major API gateway vendor had been acquired by a big IT company. That was because APIs are an enabling technology, speeding integration and deployment, and making it easy to leverage everything from mobile to the Internet of Things. And don’t even bother trying to use cloud services without leveraging vendor APIs. But the OWASP Top Ten will not change any time soon, as traditional web-facing apps and browsers still provide too many attractive targets for attackers to forsake them. – AL

  3. Cheaters gonna cheat: Crowdstrike published some interesting research recently, discussing how they detected the Chinese hacking US commercial entities, even after the landmark September 25 agreement not to. Now, of course, there could have been a lag between when the agreement was signed and when new marching orders made it to the front lines. Especially when you send the message by Pony Express. Turns out there are things like email, phones, and maybe even these newfangled things called “web sites” to make sure everyone knows about changes in policy. But did you really expect a political agreement to change anything? Me neither. So just like cheaters are gonna cheat, nations states are gonna hack. – MR

  4. Stealing from spies: Hackers have figured out how to uncloak advertising links embedded in iFrames by exploiting the relationship between two frames. For those of us who think iFrames are an attack vector themselves, it’s no surprise that this dodgy means of tracking users and supporting ad networks was cracked by bad (worse?) guys. The good news is that it does not expose any additional user information, but it does allow attackers to manipulate ad clicks. Most tricks, hacks, and sneaky methods of scraping data or force user browsers to take action were pioneered by some marketing firm to game the system. The problem is that dodgy habits are endemic to how many very large companies make money, so we get hacked solutions to compensate for the hacks these firms leverage to satisfy their own profit motive. Until the economics change, hackers will have plenty of ‘features’ from ad, social, and analytics networks to exploit and profit. – AL

  5. A cyberinsurance buffet: Warren Buffett has done pretty well by sticking to things he can understand. OK, maybe that’s the understatement of the millennium. His Specialty Insurance business getting into underwriting cyber policies seems to run counter to that philosophy. He wouldn’t even invest in tech companies, but now he’s willing to value something that you pretty much can’t value (cyber-exposure). Of course it’s not Warren himself writing the policies. But all the same, and maybe it’s just me, but it is not clear how to write these policies – even the best defenses can be breached at any time by sophisticated attackers. I’m happy to hear explanations, because I still don’t get this. – MR

—Mike Rothman