Wednesday, April 23, 2014

Incite 4/23/2014: New Coat of Paint

By Mike Rothman

It is interesting to see the concept of mindfulness enter the vernacular. For folks who have read the Incite for a while, I haven’t been shy about my meditation practice. And next week I will present on Neuro-Hacking with Jen Minella at her company’s annual conference. I never really shied away from this discussion, but I didn’t go out of my way to discuss it either.

Looks like Banksy strikes again

If someone I was meeting with seemed receptive to talking about it, I would. If they weren’t, I wouldn’t. It doesn’t really matter to me either way. Turns out I found myself engaging in interesting conversations in unexpected places once I became open to talking about my experiences.

It turns out mindfulness is becoming mass market fodder. In our Neuro-Hacking talk we reference Search Inside Yourself, which describes Google’s internal program, which is broadening into a mindfulness curriculum and a variety of other resources to kickstart a practice. These materials are hitting the market faster and faster now. When I was browsing through a brick and mortar bookstore last weekend with the Boy (they still exist!), I saw two new titles in the HOT section on these topics. From folks you wouldn’t expect.

10% Happier is from Dan Harris, a weekend anchor for ABC News. He describes his experiences embracing mindfulness and meditation. I am about 75% done with his book, and it is good to see how a skeptic overcame his pre-conceived notions to gain the aforementioned 10% benefit in his life. I also noticed Arianna Huffington wrote a book called Thrive, which seems to cover a lot of the same topics – getting out of our own way to find success, by drawing “on our intuition and inner wisdom, our sense of wonder, and our capacity for compassion and giving.”

At this point I start worrying that mindfulness will just be the latest in a series of fads to capture the public’s imagination, briefly. ‘Worry’ is probably the wrong word – it’s more that I have a feeling of having seen this movie before and knowing it ends up like the Thighmaster. Like a lot of fads, many folks will try it and give up. Or learn they don’t like it. Or realize it doesn’t provide a quick fix in their life, and then go back to their $300/hr shrinks, diet pills, and other short-term fixes.

And you know what? That’s okay. The nice part about really buying into mindfulness and non-judgement is that I know it’s not for everyone. How can it be? With billions of people on earth, there are bound to be many paths and solutions for people to find comfort, engagement, and maybe even happiness. And just as many paths for people to remain dissatisfied, judgmental, and striving for things they don’t have.

I guess the best thing about having some perspective is that I can appreciate that nothing I’m doing is really new. Luminaries and new-age gurus like Eckhart Tolle and Deepak Chopra have put a new coat of paint on a 2,500 year old practice. They use fancy words for a decidedly unfancy practice. That doesn’t make it new. It just makes it shiny, and perhaps accessible to a new generation of folks. And there’s nothing wrong with that.

–Mike

Photo credit: “Wet Paint II” originally uploaded by James Offer


Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


2014 RSA Conference Guide

In case any of you missed it, we published our fifth RSA Conference Guide. Yes, we do mention the conference a bit, but it’s really our ideas about how security will shake out in 2014. You can get the full guide with all the memes you can eat.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Understanding Role-based Access Control

NoSQL Security 2.0

Defending Against Network Distributed Denial of Service Attacks

Advanced Endpoint and Server Protection

Newly Published Papers


Incite 4 U

  1. Questions driving the search for answers: Whatever you are doing, stop! And read Kelly White’s 3-part series on Questioning Security (Part 1, Part 2, and Part 3). Kelly’s main contention is that the answers we need to do security better are there, but only if we ask the right questions. Huh. Then he provides a model for gathering that data, contextualizing it, using some big data technologies to analyze it, and even works through an example or two. This echoes something we have been talking about for a long time. There is no lack of data. There is a lack of information to solve security problems. Of course a lot of this stuff is easily said but much harder to do. And even harder to do consistently. But it helps to have a model which provides a roadmap. Without some examples to make the model tangible you won’t even know where to start. So thank Kelly for a piece of that. Now go read the posts. – MR

  2. Bounties on open source security flaws: The Veracode blog’s latest post is thought-provoking, asking whether it is time to Crowdfund Open Source Software. The post hits the key points on both sides of the open source vs. proprietary software debate, discussed for almost a decade without resolution so far. While I consider the statement “Heartbleed vulnerability puts the lie to the idea of the ‘thousands of eyes’ notion” total BS – software will always have flaws which are not readily apparent – it is good they threw in that point, balanced against Andy Ellis’s “Our lesson of the last few days is that proprietary products are not stronger…” This is the core issue! Enterprise IT never fully trusted open source code, and it would be a lie to say otherwise. But that is more an emotional response than based on fact – they say they don’t trust it but (often unwittingly) use lots of it. Look at it this way: how many major web sites, many of which include substantial proprietary code, rely on OpenSSL? And OpenSSL was in use for years, with this bug undetected. So I throw in a hearty ‘Yes!’. We definitely need to crowdfund open source software security for critical components. This software can benefit from additional scrutiny, the same way we have proven proprietary code does. – AL

  3. Botnet innovation latte: Our pals at Malcovery identified an interesting phishing message targeting Starbucks customers/aficionados (I wouldn’t know any of those). Targeting a large consumer brand with a phishing attack isn’t interesting. But the phishing site’s ability to deliver “the GameOver Zeus variant adding the victim’s machine to a large peer-to-peer botnet and deploy rootkiting tools from the Necurs rootkit to hamper detection and removal of this trojan–all without downloading additional files or contacting a static command and control.” [emphasis mine] That’s interesting. No additional files, and no need to contact a C&C network, because it’s a peer-to-peer botnet. So much for that cool callback detection widget you just deployed, eh? Actually it’s just another opportunity for defenders to take another step to keep pace with attackers. And the beat goes on… – MR

  4. The shape of things to go: Have you noticed all the new security positions listed on job boards? Retail is just now seeing The Rise of the CSO, and this article captures the mindset of those grappling with security for the first time: “We should not be having any breaches …”. Yeah, right. Finance and regulated industries have placed C-level executives in IT security and compliance for the better part of the last decade, and understand that breaches will happen, necessitating a balancing act: prevention against detection and response. Retail? On the technology adoption curve, the retail data security vertical is decidedly in the ‘laggard’ category. It is ironic that an industry at the forefront of customer analytics, driven by sensitive data and monetized via just-in-time sales programs, is at the tail end of data security. But clearly the Target breach prompted a collective “Oh crap, am I vulnerable too?!” gasp. While other firms are evolving to distribute security responsibility across different business centers, retail is trying to buy a clue through CSO/CISO hires. – AL

  5. Security lemonade: Not that I’m a fan of Schneier, but every so often he finds a metaphor that makes sense for security folks. He recently wrote on his blog that Security is a Market for Lemons, pointing out that, like the used car market, the best offerings price themselves out of the market because typical buyers don’t know the difference between options and so opt for the average or even below-average (priced) solution. It is hard to tell real security from snake oil, so we need someone to vouch for a product to help unsuspecting consumers know the difference. Kind of like Consumer Reports. The problem, as Schneier points out, is that there is no real market for this. Product testing labs tend to focus on the stuff they can measure, and as nicely demonstrated by the NSS/FireEye dust-up, they can all too easily get swamped in a messy he-said/she-said deal. And the media can no longer pay for real product testing like in the old days. So what to do? Rely on your friends, of course. They tend to be the most reliable source of information. – MR

–Mike Rothman

Wednesday, April 16, 2014

Incite 4/16/2014: Allergies

By Mike Rothman

It was a crummy winter. Cold. Snowy. Whiplash temperature swings. Over the past few weeks, when ATL finally seemed to warm up for spring (and I was actually in town), I rejoiced. One of the advantages of living a bit south is the temperate weather from mid-February to late November.

But there is a downside. The springtime blooming of the flowers and trees is beautiful, and brings the onslaught of pollen. For a couple weeks in the spring, everything is literally green. It makes no difference what color your car is – if it’s outside for a few minutes it’s green. Things you leave outside (like your deck furniture and grill), green. Toys and balls the kids forget to put back in the garage when they are done. Yup, those are green too. And not a nice green, but a fluorescent type green that reminds you breathing will be a challenge for a few weeks.

Love is not a strong enough word when discussing pollen

Every so often we get some rain to wash the pollen away. And the streams and puddles run green. It’s pretty nasty.

Thankfully I don’t have bad allergies, but for those few weeks even I get some sniffles and itchy eyes. But XX2 has allergies, bad. It’s hard for her to function during the pollen season. Her eyes are puffy (and last year swelled almost shut). She can’t really breathe. She’s hemorrhaging mucus; we can’t seem to send her to school with enough Sudafed, eye drops, and tissues to make it even barely comfortable.

It’s brutal for her. But she’s a trooper. And for the most part she doesn’t play outside (no recess, phys ed, and limited sports activities) until the pollen is mostly gone. Unless she does. Last night, when we were celebrating Passover with a bunch of friends, we lost track of XX2. With 20+ kids at Seder that was easy enough to do. When it was time to leave we found her outside, and she had been playing for close to an hour. Yeah, it rained yesterday and gave her a temporary respite from the pollen. But that lulled her into a false sense of security.

So when she started complaining about her eyes itching a bit and wanted some Benadryl to get to sleep, we didn’t want to hear about it. Yes, it’s hard seeing your child uncomfortable. It’s also brutal to have her wake you up in the middle of the night if she can’t breathe and can’t get back to sleep. But we make it clear to all the kids that they have the leeway to make choices for themselves. With that responsibility, they need to live with the consequences of their choices. Even when those consequences are difficult for all of us.

But this will pass soon enough. The pollen will be gone and XX2 will be back outside playing every day. Which means she’ll need to learn the same lesson during next year’s pollen onslaught. Wash, rinse, repeat. It’s just another day in the parenting life.

–Mike

Photo credit: “I Heart Pollen!” originally uploaded by Brooke Novak


See Mike Speak

Mike will be moderating a webcast this coming Thursday at 2pm ET, discussing how to Combat the Next Generation of Advanced Malware with folks from Critical Assets and WatchGuard. Register here: http://secure.watchguard.com/how-to-survive-an-apt-attack-social.html



Incite 4 U

  1. Traitors are the new whistleblowers: A good thought-provoking post by Justine Aitel on how security needs to change and evolve, given some of the architectural and social disruptions impacting technology. She makes a bunch of points about how the cloud and the “compete now/share first/think later” mentality impact risk. It comes back to some tried and true tactics folks have been talking about for years (yes, Pragmatic CSO reference). Things like communications and getting senior folks on board with the risks they are taking – and ignorance is no excuse. She also makes good points about new roles as these changes take root, and that’s where the traitors and whistleblowers in the title come from. Overall her conclusion: “This game is no longer just for us nerds” rings true. But that’s not new. Security has been the purview of business folks for years. It’s just that now the stakes are higher. – MR

  2. A glimpse of DBSec’s future: From a database design perspective, the way Facebook is customizing databases to meet their performance needs is a fascinating look at what’s possible with modular, open source NoSQL platforms. Facebook’s goals are performance related, but these approaches can also be leveraged for security. For example you can implement tokenization or encryption where FB leveraged compression. And the same way Facebook swapped Corona for Hadoop’s job manager, you could implement identity controls prior to resource grants from the cluster manager. You can install what you want – most anything is possible here! Security can be woven into the platform, without being beholden to platform vendors to design and develop the security model. Granted, most customers want someone else to provide off-the-shelf security solutions, but their modular approach to Hadoop nicely illustrates what is possible. – AL

  3. ‘Marketing’ attacks: The Kalzumeus blog has a really interesting point about how the stickiness of any attack tends to be based on how it is merchandised. Remember Melissa? Or the I Love You virus? Or SQL Slammer? Of course you do – these high-profile attacks got a ton of press coverage and had catchy names. The Heartbleed name and logo were genius. Yes, it is a big issue and worthy of note and remembrance. But will we really remember Kaminsky’s DNS discovery years from now? I probably will because I am a security historian of sorts, but you might not – it doesn’t have a cool name. As an industry we pooh-pooh marketing, but it is integral to many things. But only if you want them to be memorable and drive action. – MR

  4. Helpful ignorance: The question Why should passwords be encrypted if they’re stored in a secure database? makes security professionals go into uncontrollable spasms, but it is a good question! For those new to security, the implicit assumptions underscore areas they don’t understand, and which pieces they need to be educated on. There is no single answer to this question, but “Secured from what?” is a good starting point. Is it secured from malicious DBAs? SQL injection? Direct file examination? The point here is to open a dialog to educate DBAs – and application developers, for that matter – to other types of threats not directly addressed by passwords, user roles, and encrypted backup tapes. – AL

  5. You can’t fight city hall: Actually you can, but it probably won’t work out very well. Case in point: Barrett Brown of allegedly Anon and Stratfor hack fame. He recently agreed to a sealed plea bargain for being an accessory after the fact on posting the credit card numbers (and other stuff). What he pled to wasn’t even part of the original indictment, and he has already done 2 years in custody. With today’s forensicators and their ability to parse digital trails, it is really hard to get away with hacking. At least over a sustained period of time, and at some point the authorities (or Krebs – whoever gets there first) will find you with a smoking digital gun. So what to do? I know it sounds novel, but try to do the right thing – don’t steal folks’ stuff or be a schmuck. – MR

–Mike Rothman

Wednesday, April 02, 2014

Incite 4/2/2014: Disruption

By Mike Rothman

The times they are a-changin’. Whether you like it or not. Rich has hit the road, and has been having a ton of conversations about his Future of Security content, and I have adapted it a bit to focus on the impact of the cloud and mobility on network security. We tend to get one of three reactions:

  1. Excitement: Some people rush up at the end of the pitch to learn more. They see the potential and need to know how they can prepare and prosper as these trends take root.
  2. Confusion: These folks have a blank stare through most of the presentation. You cannot be sure if they even know where they are. You can be sure they have no idea what we are talking about.
  3. Fear: These folks don’t want to know. They like where they are, and don’t want to know about potential disruptions to the status quo. Some are belligerent in telling us we’re wrong. Others are more passive-aggressive, going back to their office to tell everyone who will listen that we are idiots.

Stop messing with my lawn. I'm happy with it just the way it is.

Those categories more or less reflect how folks deal with change in general. There are those who run headlong into the storm, those who have no idea what’s happening to them, and those who cling to the old way of doing things – actively resisting any change to their comfort zone. I don’t judge any of these reactions. How you deal with disruption is your business.

But you need to be clear which bucket you fit into. You are fooling yourself and everyone else if you try to be something you aren’t. If you don’t like to be out of your comfort zone, then don’t be. The disruptions we are talking about will be unevenly distributed for years to come. There are still jobs for mainframe programmers, and there will be jobs for firewall jockeys and IPS tuners for a long time. Just make sure the organization where you hang your hat is a technology laggard.

Similarly, if you crave change and want to accelerate disruption, you need to be in an environment which embraces that: organizations that take risks and understand that not everything works out. We have been around long enough to know we are at the forefront of a major shift in the technology landscape. The last one of this magnitude I expect to see during my working career.

I am excited. Rich is excited, and so is Adrian. Of course that’s easy for us – due to the nature of our business model we don’t have as much at stake. We are proverbial chickens, contributing eggs (our research) to the breakfast table. You are the pig, contributing the bacon. It’s your job on the line, not ours.

–Mike

Photo credit: “Expect Disruption” originally uploaded by Brett Davis



Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Defending Against Network Distributed Denial of Service Attacks

Advanced Endpoint and Server Protection

Newly Published Papers


Incite 4 U

  1. The good old days of the security autocrat: At some point I will be old and retired, drinking fruity drinks with umbrellas in them, and reminiscing about the good old days when security leaders could dictate policy and shove it down folks’ throats. Yeah, that lasted a few days, before those leaders were thrown out the windows. The fact is that autocrats can be successful, but usually only right after a breach when a quick cleanup and attitude adjustment is needed – at any other time that act wears thin quickly. But as Dave Elfering points out, the rest of the time you need someone competent, mindful, diligent, well-spoken and business savvy. Dare I say it, a Pragmatic CSO. Best of all, Dave points out that folks who will succeed leading security teams need to serve the business, not have fixed best practices in mind, which they adhere to rigidly. Flexibility to business needs is the name of the game. – MR

  2. Throwing stones: I couldn’t agree more with Craig Carpenter, who writes in Dark Reading that folks need to Be Careful Beating Up Target. It has become trendy for every vendor providing alerts via a management console to talk about how they address the Target issue: missing alerts. But as Craig explains, the fact is that Target had as much data as they needed. It looks like a process failure at a busy time of year, relying on mostly manual procedures to investigate alerts. This can (and does) happen to almost every company. Don’t fall into the trap of thinking you’re good. If you haven’t had a breach, chalk it up to being lucky. And that’s okay! Thinking that it can’t happen to you is a sure sign of imminent doom. And for those vendors trying to trade on Target’s issue, or pointing fingers at FireEye or Symantec or any of the other vendors Target used, there is a special place in breach hell for you. Karma is a bitch, and your stuff will be busted. And I’ll laugh at your expense, along with the rest of the industry. – MR

  3. CC-DNS: We have been highlighting the role of attacking DNS in Distributed Denial of Service attacks (DDoS), and Dark Reading highlights some other DNS attack vectors. This foundational part of the Internet, designed decades ago, simply wasn’t designed to stand up to 400 Gbps attacks. Go figure. But it is a real problem – it’s not like you can just swap out DNS in one fell swoop across the entire Internet. And technologies meant to protect the infrastructure like DNSSEC, put in place after the Kaminsky attack was made public, can be used to overload the system. Finally, the article raises the issue of DNS tampering for mobile devices – a key employee in a coffee shop (me, for instance) could be routed to a fake server if the coffee shop’s DNS is busted. So many problems and few solutions – like pretty much everything else. – MR

  4. One log, multiple consumers: Stormy highlights the importance of logging in a DevOps context on Shimmy’s new devops.com site (yes, Rich is an advisor). His point is that you will need to pull information from the technology stack and applications to be sure you understand what’s happening as you move to continuous deployment. Though he draws a distinction between DevOps and Security, which for the time being is fine. Over time we expect the security function (except perhaps program management) to be subsumed within true operational processes. In a DevOps world there are no logical breakpoints for inserting security, which means it really will need to be built in. Finally. – MR

–Mike Rothman

Wednesday, March 26, 2014

Incite 3/26/2014: One Night Stand

By Mike Rothman

There is no easy way to say this. I violated a vow I made years ago. It wasn’t a spur of the moment thing. I have been considering how to do it, without feeling too badly, for a few weeks. The facts are the facts. No use trying to obscure my transgression. I cheated. If I’m being honest, after it happened I didn’t feel bad. Not for long anyway.

It happened and now it's over...

This past weekend, I ate both steak and bacon. After deciding to stop eating meat and chicken almost 6 years ago. Of course there is a story behind it. Basically I was in NYC celebrating a close friend’s 45th birthday and we were going to Peter Luger’s famous steakhouse. Fish isn’t really an option, and the birthday boy hadn’t eaten any red meat for over 20 years. Another guy in the party has never eaten bacon. Never! So we made a pact. We would all eat the steak and bacon. And we would enjoy it.

It was a one night stand. I knew it would be – it meant nothing to me. I have to say the steak was good. The bacon was too. But it wasn’t that good. I enjoyed it, but I realized I don’t miss it. It didn’t fulfill me in any way. And if I couldn’t get excited about a Peter Luger steak, there isn’t much chance of me going back to my carnivorous ways.

Even better, my stomach was okay. I was nervously awaiting the explosive alimentary fallout that goes along with eating something like a steak after 6 years. Although the familiar indigestion during the night came back, which was kind of annoying – that has been largely absent for the past 6 years – but I felt good. I didn’t cramp, nor did I have to make hourly trips to the loo. Yes, that’s too much information, but I guess my iron stomach hasn’t lost it.

To be candid, the meat was the least of my problems over the weekend. It was the Vitamin G and the Saturday afternoon visit to McSorley’s Old Ale House that did the damage. My liver ran a marathon over the weekend. One of our group estimated we might each have put down 2 gallons of beer on Saturday. That may be an exaggeration, but it may not be. I have no way to tell.

And that’s the way it should be on Boys’ Weekend. Now I get to start counting days not eating meat again. I’m up to 5 days and I think I’ll be faithful for a while…

–Mike

Photo credit: “NoHo Arts District 052309” originally uploaded by vmiramontes



Incite 4 U

  1. Palo Alto Does Endpoints: It was only a matter of time. After the big FireEye/Mandiant deal and Bit9/Carbon Black, Palo Alto Networks needed to respond. So they bought a small Israeli start-up named Cyvera for $200 million! And I thought valuations were only nutty in the consumer Internet market. Not so much. Although no company can really have a comprehensive advanced malware story without technology on the network and endpoints. So PANW made the move, and now they need to figure out how to sell endpoint agents, which are a little bit different than boxes in the perimeter… – MR

  2. Payment Tokenization Evolution: EMVCo – the Visa, Mastercard, and Europay ‘standards’ organization – has released the technical architecture for a proposed Payment Tokenisation Specification, which will alter payment security around the globe over the coming years. The framework is flexible enough to both enable Near Field Communication (NFC, aka mobile payments) and help combat Card Not Present fraud – the two publicly cited reasons for the card brands to create a tokenization standard in parallel with promotion of EMV-style “smart cards” in the US. The huge jump in recent transactional fraud rates demands some response, and this looks like a good step forward. The specification does not supersede use of credit card numbers (PAN) for payment yet, but would enable merchants to support either PAN or tokens for payment. And this would be done either through NFC – replacing a credit card with a mobile device – or via wallet software (either a mobile or desktop application). For those of you interested in the more technical side of the solution, download the paper and look at the token format! They basically create a unique digital certificate for each transaction, which embeds merchant and payment network data, and wrap it with a signature. And somewhere in the back office the payment gateways/acquirer (merchant bank) or third-party service will manage a token vault. More to come – this warrants detailed posts. – AL

  3. Vultures are going to vulture: I’m not surprised that Trustwave is being sued as part of the Target breach. Class-action vultures (lawyers) see a company with money, so they sue. It’s the American way. Of course, the assessment contract removes much of the liability in what the customer actually does, but it’s an excuse to try for shakedown money. It would be really disappointing to see anyone settle in this kind of nonsensical case – setting an absolutely horrible precedent regarding liability for auditors/assessors. If there was truly malfeasance, that might be exposed during discovery, and that would be good to know. But pinning the Target breach on a PCI assessor would be ridiculous. – MR

  4. Password Hashing Competition: Most people know hashing as a means of validating someone’s password without actually storing the original value. To a developer hashing algorithms are a handy way to ‘fingerprint’ an object, allowing quick verification of whether an object is still in its original state, or it had been tampered with. But hash algorithms, as noted by Thomas Ptacek, are often employed incorrectly. Still, they remain a core cryptographic tool in the security toolbox. As we get better at breaking stuff, and computational power continues to double every couple years, it is good that a new password hashing competition is under way, with submissions due at the end of the month. If you think you have the math and coding chops, get your submission in! This is community innovation that both makes and breaks security, so give it a try, and maybe they’ll name a standard after you. – AL
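A worked example serving both the “Helpful ignorance” item in the 4/16 Incite (“secured from what?”) and this one: it shows the misuse Ptacek warns about (an unsalted, fast hash) beside a salted, deliberately slow scheme, and what each leaks if someone gets the table. This is added illustration, not code from Securosis or from any competition entrant; the record format, the iteration count and the choice of PBKDF2-HMAC-SHA256 from the standard library are my assumptions.

```python
"""Password storage: the common mistake beside a hardened form.

Added example (not from the page or the Password Hashing Competition).
Assumptions: PBKDF2-HMAC-SHA256 stands in for a memory-hard PHC-style
function because it ships with Python; the stored record layout is
invented here; the work factor is illustrative.
"""
import hashlib
import hmac
import os
from typing import Callable, Dict, Optional

PBKDF2_ITERATIONS = 200_000  # assumed work factor; tune to ~100 ms on your hardware
RECORD_TAG = "pbkdf2_sha256"  # assumed record prefix so the scheme is self-describing


def naive_store(password: str) -> str:
    """The misuse: one fast, unsalted SHA-256 over the password.

    Same password -> same record, and a leaked table can be attacked with
    precomputed tables or tens of millions of guesses per second per GPU.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def naive_verify(password: str, stored: str) -> bool:
    return naive_store(password) == stored


def hardened_store(password: str, salt: Optional[bytes] = None) -> str:
    """Per-user random salt + slow iterated function.

    Record format (assumed): tag$iterations$salt_hex$digest_hex.
    Storing the parameters lets you raise the work factor later without
    breaking verification of older records.
    """
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"{RECORD_TAG}${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def hardened_verify(password: str, stored: str) -> bool:
    """Recompute with the stored salt/parameters and compare in constant time."""
    try:
        tag, iters, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: never treat as a match
    if tag != RECORD_TAG:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    # compare_digest avoids leaking how many leading bytes matched via timing
    return hmac.compare_digest(digest.hex(), digest_hex)


def leaked_table_reveals_shared_passwords(
    store: Callable[[str], str], passwords: Dict[str, str]
) -> bool:
    """Answer 'secured from what?' for the direct-file-examination case.

    Given a dumped user table produced by `store`, can an attacker tell which
    users share a password just by looking? True for the naive scheme, False
    for the salted one.
    """
    records = [store(pw) for pw in passwords.values()]
    return len(set(records)) < len(records)


if __name__ == "__main__":
    # constructed sample users; two of them reuse the same password
    users = {"alice": "correct horse", "bob": "hunter2", "carol": "correct horse"}
    print("naive scheme exposes reuse:", leaked_table_reveals_shared_passwords(naive_store, users))
    print("salted scheme exposes reuse:", leaked_table_reveals_shared_passwords(hardened_store, users))
    rec = hardened_store("correct horse")
    print(rec)
    print("verify good:", hardened_verify("correct horse", rec))
    print("verify bad: ", hardened_verify("correct horse!", rec))
```

Neither scheme protects a password entered into a compromised application or stolen via SQL injection against a live system; the salt and work factor only limit what an offline copy of the table is worth.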

  5. The Power of Change: Wendy kills it on her personal blog with her Power of Change post. Her point is that security is all about detecting and controlling change. Of course that is easier said than done, especially with the disruption we are seeing all over the security stack. But she is right on the money. If it is too hard to detect and manage change, you won’t. Until you need to, or perhaps your successor. She closes by pointing out that you don’t need to spend a lot of money to get a handle on change. It is about “knowing what your systems, applications and users are supposed to do,” and then looking for cases when they are doing otherwise. That is also a good metaphor for life, but that’s another story for another day. – MR

–Mike Rothman

Wednesday, March 19, 2014

Incite 3/18/2014: Yo Mama!

By Mike Rothman

It’s really funny and gratifying to see your kids growing up. Over the weekend XX1 took her first solo plane trip. I checked her in as an unaccompanied minor, and she miraculously got TSA Pre-check. Of course that didn’t mean I did with my gate pass. So the TSA folks did their darndest to maintain the security theater, and swabbed my hands and feet.

We had some time so I figured we’d hang out in the airline club. Not so much. I have access to the SkyClub via my AmEx Platinum card, but evidently I have to be flying. So we got turned away at the door. Really? Total fail, Delta. And your club receptionist was mean. But I had XX1 with me, so I mumbled some choice words under my breath and just let her mention that person wasn’t nice.

Then the gate agent called for her, and after a quick goodbye… Okay, not so quick – no goodbye is quick with XX1 – she headed down the jetway and was gone. Of course I got dispatches every 10 minutes or so via text. So I knew when her bag was in the overhead bin, when she got a refreshment, how much she was enjoying Tower Heist on the iPad, when the plane was loaded, and finally when she had to shut down her phone. She made it to her destination in one piece, and met Grandma at the gate. Another milestone achieved.

yo mama and then some

Then on Saturday morning I had the pleasure of taking the boy to breakfast. His sports activities (tennis and LAX) weren’t until afternoon so we had some boy time. As we were chatting I asked him about his friends. He then launched into a monologue about how all his friends tell Yo Mama! jokes now. He even had some pretty funny ones ready to go. He asked me if I had heard of those kinds of jokes. I just had to chuckle. You know those kids today – they invented everything.

Though how they get their material is radically different. It seems they get the jokes on YouTube and then tell them to each other the next day at school. I had to actually read joke books to get my material and my delivery wasn’t very good. It seems to be in good fun, for now. I remember getting into fights with kids over those kinds of jokes, mostly because they weren’t really intended to be joking. And it’s a bit strange to think the Boss is the Mama in question, and at some point he may need to defend her honor. Although the Boy is pretty mild-mannered and very popular, so it’s hard to envision someone telling a joke to get a rise out of him.

All the same, the kids are growing up. And unaccompanied plane rides and Yo Mama! jokes are all part of the experience.

–Mike

Photo credit: “Yo Mama’s Sign” originally uploaded by Casey Bisson


Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and, well, hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


2014 RSA Conference Guide

In case any of you missed it, we published our fifth RSA Conference Guide. Yes, we do mention the conference a bit, but it’s really our ideas about how security will shake out in 2014. You can get the full guide with all the memes you can eat.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Advanced Endpoint and Server Protection

Newly Published Papers


Incite 4 U

  1. Pwn to Pwn: Our friend Mike Mimoso has a great summary of the annual Pwn2Own contest at CanSecWest. This is the one where prizes are paid out to researchers who can crack browsers and other high-value targets (all picked ahead of time, with particular requirements). The exploits are bought up and later passed on to the affected vendors. As usual, all the products were cracked, but the effort required seems higher and higher every year. This level of exploitation is beyond your usual script kiddie tactics, and it’s nice to see the OS and browser vendors make practical security advances year after year. On the downside, BIOS and firmware hacking are going beyond scary. I really feel bad I haven’t made it to CanSecWest (usually due to work conflicts so close to RSA), but I think I need to make it a priority next year. It’s a great event, and a powerful contributor to the security community. – RM

  2. PCI is relevant. Really. It’s just those careless retailers: I’m in the air right now so I can’t check the TripWire folks’ interview with the PCI Standards Council’s Bob Russo at RSA, but some of the quotes I have seen are awesome. “People are studying for the test. Passing the compliance assessment and then leaving things open. They’re being careless,” said Bob Russo. Man, that is awesome. The standards are great – the retailers are just careless. Really? To be clear, Target was careless, but nowhere in the PCI standards do I see anything about locking down third-party access to non-protected information. Or having a network-based malware detection device to detect malware before it exfiltrates data. How about this one? “Russo said it appears the companies affected were covered one way or another in the PCI standards. But if they learn something new, then they will update the standards accordingly.” So they will update the standards in 3 years? That’s how long it takes to implement any change. Listen, I’ll be the first to say that PCI helped 5 years ago. But today its low bar is just too low. – MR

  3. To PIN or not to PIN: If you still don’t believe us that PCI-DSS is just one of many liability-shifting games to improve banking profits, consider Visa and Mastercard’s recent announcement that they will market EMV ‘smart’ payment cards in the US. They want smart cards, but no PIN numbers to validate users – instead they intend to use the same signature-based system we have today. The National Retail Federation has jumped into the fray, saying Easy-to-forge signatures are a virtually worthless form of authentication. Fraud rates with mag-stripe cards in the US are a serious problem, and Chip and Pin style cards have proven to reduce fraud from card cloning and in-person misuse. So what’s the problem? The gripe is that the cards, along with the required systems to set up digital signatures on them, cost about ten times as much – but the real worry is that customers won’t use them. The issuers argue that setting a PIN is too much hassle so people won’t use the cards at all. They believe overall transaction volume would fall off – a no-no for the card brands. Credit cards are a proven financial lubricant, and they consider reductions in usage levels much worse than fraud. But under the shadow of never-ending breaches I suspect we will now get ‘chipped’ cards without PINs. At least for a while. – AL

  4. DDoS goes to 11: We have been hearing a bit less about Distributed Denial of Service attacks (DDoS) recently. Not because they aren’t happening, but many targets are getting better at defending against them and keeping their systems available. But the adversaries are evolving their tactics as well using amplification techniques. So as the fellows from Spinal Tap would say, “This attack goes to 11!” The OpenDNS Lab folks describe DNS amplification attacks in a blog post, with a good overview of the techniques. And they are in a good position to know what’s going on with DNS. Timing is everything, right? I am starting a network DDoS blog series so I will be covering a lot of these topics as well. Keep an eye out for that. – MR
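Since the amplification numbers are the whole story, here is an added example (not from the OpenDNS post or this column) of the check a resolver operator would run over their own logs: group queries and responses by client address and compute the bytes-out-to-bytes-in ratio. The log format and the addresses are constructed for this example. From an open resolver’s point of view the “client” receiving kilobytes of ANY answers for 64-byte queries is the spoofed victim, and the defender’s move is response rate limiting or dropping ANY for that address.

```python
from collections import defaultdict
from typing import Dict, List

# Constructed resolver log lines for this example: timestamp, client address,
# direction, query type, name, size in bytes. The format is made up here.
SAMPLE_LOG = """\
2014-03-18T10:00:01 198.51.100.7 query A www.example.com 45
2014-03-18T10:00:01 198.51.100.7 response A www.example.com 110
2014-03-18T10:00:02 192.0.2.10 query ANY example.com 64
2014-03-18T10:00:02 192.0.2.10 response ANY example.com 3072
2014-03-18T10:00:02 192.0.2.10 query ANY example.com 64
2014-03-18T10:00:02 192.0.2.10 response ANY example.com 3072
2014-03-18T10:00:03 192.0.2.10 query ANY example.com 64
2014-03-18T10:00:03 192.0.2.10 response ANY example.com 3072
"""


def parse_log(text: str) -> List[dict]:
    """Turn the constructed log format into records; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, direction, qtype, name, size = line.split()
        records.append({"ts": ts, "client": client, "direction": direction,
                        "qtype": qtype, "name": name, "size": int(size)})
    return records


def amplification_by_client(records: List[dict]) -> Dict[str, dict]:
    """Per client address: bytes in, bytes out, number of ANY answers, and the
    amplification factor (response bytes divided by query bytes)."""
    stats = defaultdict(lambda: {"query_bytes": 0, "response_bytes": 0,
                                 "responses": 0, "any_responses": 0})
    for r in records:
        s = stats[r["client"]]
        if r["direction"] == "query":
            s["query_bytes"] += r["size"]
        else:
            s["response_bytes"] += r["size"]
            s["responses"] += 1
            if r["qtype"] == "ANY":
                s["any_responses"] += 1
    for s in stats.values():
        s["factor"] = (s["response_bytes"] / s["query_bytes"]
                       if s["query_bytes"] else float("inf"))
    return dict(stats)


def detect_amplification(records: List[dict], min_factor: float = 10.0,
                         min_response_bytes: int = 2048) -> List[str]:
    """Addresses whose traffic looks like reflected amplification: a high
    out/in ratio and enough response volume to matter. Thresholds are assumed."""
    flagged = []
    for client, s in amplification_by_client(records).items():
        if s["factor"] >= min_factor and s["response_bytes"] >= min_response_bytes:
            flagged.append(client)
    return sorted(flagged)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for client, s in amplification_by_client(recs).items():
        print(f"{client}: {s['factor']:.1f}x, {s['any_responses']} ANY answers")
    print("flag for rate limiting:", detect_amplification(recs))
```

The ratio is the thing to alert on rather than raw volume: a busy legitimate client generates many small answers, while a reflection victim shows a small number of queries producing a disproportionate amount of outbound traffic.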

  5. So bad it’s good: Despite the poorly written post, unfiltered vendor hype, and the even-more-horrific term “data lake”, there is something very cool going on with XACML based permissions for big data queries. The real story is the ability to retrofit fine-grained authorization mapping into big data queries. This means that you can implement attribute based authorization – not just typical role-based access controls – without modifying the application! Control down to the data element level is possible, but implemented as a proxy between the application and the database. Note that this does not protect data at rest and assumes that you route queries through a proxy, and you need to actually know what is in your big data repository. But regardless, it is a viable approach to fine-grained authorization controls for big data clusters. For those identity geeks out there who were skeptical about the adoption of XACML, it just may sneak in through the back door. – AL

  6. Chasm jumping unicorns? Gene Kim has a great post on DevOps.com asking whether DevOps can cross the chasm to mainstream enterprises (disclosure: I’m on the DevOps.com advisory board). Gene, you may recall, wrote The Phoenix Project about the power of DevOps. I’ll be honest: I am biased. But I do believe DevOps operational frameworks can increase agility, resiliency, and security – all at the same time. Gene cites actual statistics, such as twice the change success rate when using DevOps, and 12x faster restorations after breaks (all from a Puppet Labs survey, so beware possible bias). DevOps isn’t the answer for everything, and it comes with its own risks, but once you start learning the patterns it makes a ton of sense. The ability to do things like build an entire application stack automatically and as needed, using templates with embedded security configurations, sure seems like a nifty way to build and fix things. – RM

  7. Understanding the different levels of malware analysis: With more advanced malware out there, many organizations have started dipping their toes into malware analysis to figure out what attacks do. Lenny Zeltser has a good overview of 4 different types of analysis in this post, discussing fully automated analysis, static analysis, interactive (dynamic) analysis, and finally full code reversing. Many of the cloud services out there doing malware analysis do at least the first three, and do a decent job at this point. Of course you can’t (yet) completely displace a human analyst, so there will be room for carbon-based analysis for quite a while, to understand the nuances and patterns across attacks. But it is very difficult to find folks who can reverse code, so automated services may be the only option for many companies. For more detail on what’s involved in malware analysis, check out our Malware Analysis Quant research. – MR

–Mike Rothman

Wednesday, March 12, 2014

Incite 3/12/2014: Digging Out

By Mike Rothman

The ritual is largely the same. I do my morning stuff (usually consisting of some meditation and some exercise), I grab a quick bite, and then I consult my list of things that need to get done. It is long, and seems to be getting longer. The more I work, the more I have to do. It’s a good problem to have, but it’s still a problem.

And going to RSA two weeks ago exacerbated it. I had a lot of great conversations with lots of folks who want to license our research, have us speak at their events, and have us advise them on all sorts of things. It’s awesome, but it’s still a problem.

Just keep digging

Of course you probably think we should expand and add a bunch of folks to keep up with demand. We have thought about that. And decided against it. It takes a unique skill set to do what we do, the way we do it. The folks who understand research tend to be locked up by big research non-competes. The folks who understand how to develop business tend not to understand research. And the very few who can do both generally aren’t a cultural fit for us. Such is life…

But that’s not even the biggest obstacle. It’s that after 4+ years of working together (Rich and Adrian a bit more), we enjoy a drama-free environment. The very few times we had some measure of disagreement or conflict, it was resolved with a quick email or phone call, in a few minutes. Adding people adds drama. And I’m sure none of us wants more drama.

So we put our heads down and go to work. We build the pipeline, push the work over the finish line, and try to keep pace. We accept that sometimes we need to decide not to take a project or see how flexible the client is on delivery or scheduling. As with everything, you make choices and live with them.

And while it may sound like I’m whining about how great our business is, I’m not. I am grateful to have to make trade-offs. That I have a choice of which projects I work on, for which clients. Not that I can’t find work or deal with slow demand. The three of us all realize how fortunate we are to be in this position: lots of demand and very low overhead. That is not a problem. We want to keep it that way. Which is basically my way of saying, where is that shovel again? Time to get back to digging.

–Mike

Photo credit: “Digging out auto” originally uploaded by Boston Public Library


Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and well hang out. We talk a bit about security as well. We try to keep these to less than 15 minutes and usually fail.


2014 RSA Conference Guide

In case any of you missed it, we published our fifth RSA Conference Guide. Yes, we do mention the conference a bit, but it’s really our ideas about how security will shake out in 2014. You can get the full guide with all the memes you can eat.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

Advanced Endpoint and Server Protection

Newly Published Papers


Incite 4 U

  1. Incentives drive organizational behavior: I am not sure why Gunnar tweeted a link to something he posted back in October, but it gave me an opportunity to revisit a totally awesome post. In Security Engineering and Incentives he goes through the key aspects of security engineering, and incentives are one of the four cornerstones (along with security policy, security mechanism, and assurance). Probably the most important of the cornerstones, because without proper incentives no one does anything. If you have ever been in sales you know the compensation plan drives behavior. It is that way in every functional part of the business. In the not-so-real world you have folks who do what they are supposed to because they do. And in the real world, those behaviors are driven by incentives, not risk (as GP points out). So when you wonder why the Ops team ignores the security policy and developers couldn’t give less of a crap about your security rules, look at what they are incented to do. Odds are ‘be secure’ isn’t really on that list. – MR

  2. Persona non grata: The Mozilla Wiki does not really capture the essence of what’s going on with Mozilla’s Persona project, but the gist is that their effort to offer third party identity federation has failed. There is some debate about whether technical or financial issues derailed the project and prevented it from reaching “critical mass”, but I think the statement “We looked at Facebook Connect as our main competitor, but we can’t offer the same incentives (access to user data)” pretty much nails it. If you wonder why Yahoo is ditching Facebook and Google federation services in lieu of their own offering, understand that identity is the next generation’s “owning the user”, and a key means for data providers (advertising networks) to differentiate their value to advertisers. The goal of federated identity was to offer easier and better identity management across web applications, doing away with user names and passwords. But identity providers have seen the greatest benefit, through enrichment of the data they collect. – AL

  3. Ranum and Turner on whitelisting: Searchsecurity posted a great discussion between Marcus Ranum and Aaron Turner on whitelisting. I have been a huge fan of the technology for years as well, and have been doing a bunch of research on what is now called application control. I will link to our completed AppControl white paper later this week. Aaron provides a bunch of real-world perspective on the challenges, which echo the way I described the Double-Edged Sword. Marcus keeps coming back to the reality that iOS and now OS X can be governed by whitelisting, which is basically the App Store model. So is it just fear that is still preventing folks from embracing this security model? Maybe, but I don’t know that the fight is still worth fighting. For those use cases where AppControl is a no-brainer, just do that. For those where you have to think about it or face an onerous application management situation, look at something like advanced heuristics which can do a decent job of protecting a subset of the most targeted applications, as I described in the Prevention post in our Advanced Endpoint and Server Protection series. – MR

  4. You don’t need to see his identification: I like being able to look at the code changes on Github and similar sites – you get to see fixes for serious security bugs like the TLS security bug reported last week. If I read this correctly it was a simple uninitialized return variable. But what bothers me is how this could have gone undetected – the first thing you do when testing SSL/TLS is send bad or odd certificates to see if the user still connects. And uninitialized return variables should pop up in static analysis as well. Much in the same way the goto bug in OS X makes a security paranoid’s hair stand on end, it is hard to imagine how this bug – bypassing one of the three crucial checks – was not caught during normal testing or manual code scans. It also reminds me to put logging code into exception handlers, because executing a routine called ‘fail’ should not be confused with successful operation. – AL

  5. Turning the tables on the adversary: Dave Meltzer has a good line of discussion on TripWire’s blog about increasing the cost to attackers of compromising your devices. His point is that you should make it fiscally irresponsible to exploit you. Great idea, but how? One suggestion is to decentralize your most valuable assets. That makes sense but also increases your cost to manage that data. So you need to trade off increasing the cost to adversaries against screwing up your own financial models. Another suggestion is to force the adversary to burn a very valuable (expensive) 0-day attack. That requires making sure you can defend yourself against widely available tools like Metasploit and the zillion attack kits available on the gray market. It comes back to Corman’s magical HDMoore’s Law. If you can’t defend against Metasploit, you have very little chance to cost an adversary much of anything. So get working on that, okay? – MR

–Mike Rothman

Wednesday, March 05, 2014

Incite 3/5/2014: Reentry

By Mike Rothman

After I got off the plane Friday night, picked my bag up off the carousel, took the train up to the northern Atlanta suburbs, got picked up by the Boss, said hello to the kids, and then finally took a breath – my first thought was that RSA isn’t real. But it is quite real, just not sustainable. That makes reentry into my day to day existence a challenge for a few days.

Bring me home

It’s not that I was upset to be home. It’s not that I didn’t want to see my family and learn about what they have been up to. My 5 minute calls two or three times a day, while running between meetings, didn’t give me much information. So I wanted to hear all about things. But first I needed some quiet. I needed to decompress – if I rose to the surface too quickly I would have gotten the bends.

For me the RSA Conference is a nonstop whirlwind of activity. From breakfast to the wee hours closing down the bar at the W or the Thirsty Bear, I am going at all times. I’m socializing. I’m doing business. I’m connecting with old friends and making new ones. What I’m not doing is thinking. Or recharging. Or anything besides looking at my calendar to figure out the next place I need to be. For an introvert, it’s hard. The RSA Conference is not the place to be introverted – not if you work for yourself and need to keep it that way.

I mean where else is it normal that dinner is a protein bar and shot of 5-hour energy, topped off with countless pints of Guinness? Last week that was not the exception, it was the norm. I was thankful we were able to afford a much better spread at the Security Blogger’s Meetup (due to the generosity of our sponsors), so I had a decent meal at least one night.

As I mentioned last week, I am not about to complain about the craziness, and I’m thankful the Boss understands my need to wind down on reentry. I make it a point to not travel the week after RSA, to recharge, get my quiet time, and reconnect with the family.

The conference was great. Security is booming and I am not about to take that for granted. There are many new companies, a ton of investment coming into the sector, really cool innovative stuff hitting the market, and a general awareness that the status quo is no good. Folks are confused and that’s good for our business. The leading edge of practitioners are rethinking security and have been very receptive to research we have been doing to flesh out what that means in a clear, pragmatic fashion.

This is a great time to be in security. I don’t know how long it will last, but the macro trends seem to be moving in our direction. So I’ll file another RSA Conference into the memory banks and be grateful for the close friends I got to see, the fantastic clients who want to keep working with us, and the new companies I look forward to working with over the next year (even if you don’t know you’ll be working with us yet).

Even better, next year’s RSA Conference has been moved back to April 2015. So that gives me another two months for my liver to recover and my brain cells to regenerate.

–Mike

PS: This year we once again owe huge thanks to MSLGROUP and Kulesa Faul, who made our annual Disaster Recovery Breakfast possible. We had over 300 people there and it was really great. Until we got the bill, that is…

Photo credit: “Reentry” originally uploaded by Evan Leeson


Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and, well, hang out. We talk a bit about security as well. We try to keep these less than 15 minutes, and usually fail.


2014 RSA Conference Guide

In case any of you missed it, we published our fifth RSA Conference Guide. Yes, we do mention the conference a bit, but it’s really our ideas about how security will shake out in 2014. You can get the full guide with all the memes you can eat.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

Leveraging Threat Intelligence In Security Monitoring

Advanced Endpoint and Server Protection

Newly Published Papers


Incite 4 U

  1. TI is whatever you want it to mean: Interesting experiment from FireEye/Mandiant’s David Bianco, who went around the RSA show floor and asked the vendors who used the term threat intelligence (TI) prominently in their booths what it meant to them. Most folks just use the buzzword, and mean some of the less sophisticated data sources. I definitely understand David’s perspective, but he is applying the wrong filter. It’s kind of like having a Ph.D. candidate go into a third grade classroom and wonder why the students don’t understand differential equations. Security is a big problem, and the kinds of things David is comfortable with at the top of his Pyramid of Pain would be lost on 98% of the world. If even 40% of the broad market would use IP blacklists more effectively, that would have a huge impact on security posture. The TTPs he discusses are so far beyond the capabilities of most companies that he is talking a different language. But that’s okay. As the TI market matures we will see better and more sophisticated use of information to improve defenses. Until then TI will largely be a marketing bandwagon everyone needs to jump on. – MR

  2. Pandering from within: Rod Trent’s statement that use of cloud computing means corporate data that resides outside of control of IT puts the entire business at risk is an irresponsible assertion and a disservice to IT professionals. You don’t lose control of data by moving it to the cloud. How you deploy security in the cloud differs from what you need to do within your own data centers, and which capabilities are offered varies from vendor to vendor, but cloud services are no more or less inherently secure than your own hardware. As Chris Hoff said in his RSA presentation this year, “Security is more a function of your operational model than cloud vs. on-prem deployments; if your on-prem security sucks today, it’s likely your cloud security deployment will also suck.” Go figure. Cloud services imply engagement with a third party, so you will by definition need some level of trust in the provider, but you get to choose a provider and service delivery model you are comfortable with. Sweeping generalizations like “I’m not sold on the statement that the Cloud is ‘secure enough to use’” are simply ignorant assertions to prop up the author’s thinly veiled security appliance agenda. – AL

  3. People? Process? Bah! Bejtlich gets pretty fired up as he pulls apart Dave Aitel’s post on the pros and cons of certain defensive technologies. Richard’s point is that “Network defense is more than tools and tactics. It’s more often about people and processes.” Amen to that, but we do need to use the tools out there because no human (or team of humans) can scale to the extent of the problem any more. So you need to be very clear about the capabilities – and more importantly limitations – of the tools you will use to defend yourself. Richard’s real point is the need for a programmatic approach to security. Even people and processes must be brought to bear in the same manner as tools and technologies: as part of an integrated security program. – MR

  4. When bad security is not an option: This week we saw about 12.3% of the BTC on Poloniex stolen, shortly after Mt. Gox was shuttered indefinitely. It’s early days for Bitcoin, and this instability has little to do with the viability of Bitcoin as a currency – more sloppy execution by exchanges and services, and failure to protect their systems. These are new companies with shiny new applications, and they will continue to lose bitcoins until they shake out bugs and learn lessons that banks and traditional financial houses have learned over centuries. In the case of Poloniex, it was an attack on application business logic. Hopefully most of these exchanges will take note and hire professionals to come in for threat modeling and penetration testing, to find flaws before attackers do. It’s not like they don’t have genuine financial incentive to be secure. If not, money will continue to disappear. – AL

  5. Where the humans at? I have never been a fan of highly probabilistic models of risk or vulnerability. They typically involve assumptions on top of assumptions, and that usually leads to faulty decision making. My quant friends argue constantly that I’m being obtuse, and analysis in the right context can assist in decision making. They are probably right. Russell Thomas has been putting forth models for a while to help provide this context. Lately he has gotten into a little discussion (and yes, I’m being kind) about the role of probability in making security decisions. The reality is that at some point someone has to make a decision about what to do. You want to feel good about that decision. That could involve prayer, it could involve a hard-core model, or it could involve experience – or more likely all of the above. If you can believe the math, I have no issue with models. Given the amount of data we are all dealing with, you need some way to reduce it and make sense of it, and that will involve probabilities in some way, shape, or form. But security is not high-velocity trading. The models have limitations, and I am not about to trade a 20-year security analyst for a risk model any time soon. And I don’t think Russell is either. – MR

–Mike Rothman

Wednesday, February 19, 2014

Incite 2/19/2014: Outwit, Outlast, OutRSA

By Mike Rothman

No, we aren’t talking about Survivor, which evidently is still on the air. Who knew? This week the band of merry Securosis men are frantically preparing for next week’s RSA Conference. We’ll all descend on San Francisco Sunday afternoon to get ready for a week of, well, work and play.

Survivor Gabon

I saw Stiennon tweet about his 50 meetings/briefings, etc. – claiming that’s a new personal record. That’s not #winning. That’s #losing – at least to me. I have way too many meetings scheduled – and that even doesn’t count all the parties I have committed to attending. Pretty much every minute of every day is spoken for.

My liver hurts already. RSA is a war of attrition. By Friday when I fly home I am always a mess. A few years ago I ran into Andy Jaquith on the BART train back to the airport afterwards. He tried his best to make conversation, but I had nothing. I could hardly string three words together. I grunted a bit and scrawled a note that I’d call him the following week. I sleep well on Friday night when I get home. And most of Saturday too. I pray to a variety of deities to fend off the con flu. Usually to no avail – the RSA Conference grinds even the hardiest of souls into dust.

But I really can’t complain much. As much as I whine about the crazy schedule, the lack of sleep, and the destruction of billions of brain cells, I love the RSA Conference. I get to see so many friends I have made over the past 20 years in this business. I get to see what’s new and exciting in the business, validate some of my research, and pick the brains of many smart folks. We are lucky to meet up with many of our clients and provide our view of the security world. I also find out about many new opportunities do work with those clients, and based on early indications March and April should be very busy indeed.

So it’s all good. Based on early RSVPs we expect record numbers at our Disaster Recovery Breakfast Thursday morning. A ton of folks are interested in the talk on mindfulness JJ and I are doing at the show. And the 2014 Security Bloggers Meetup will be bigger and better than ever.

Yes, if you can’t tell, I’m really looking forward to the Conference. And I look forward to seeing many of you there.

–Mike

PS: I learned yesterday that a pillar of the Atlanta security community passed away recently. So I’ll have a drink or ten in honor of Dan Combs. He was a good man. A good security guy. And he will be missed. RIP Dan. It’s just another reminder that our time here is short, so enjoy it, have fun, maximize each day, and live as large as you can. You never know which RSA Conference will be your last…

Photo credit: “Survivor Finale” originally uploaded by Kristin Dos Santos


Securosis Firestarter

Have you checked out our new video podcast? Basically Rich, Adrian, and Mike get into a Google Hangout and, well, hang out. We talk a bit about security as well. We try to keep to less than 15 minutes and usually fail.


2014 RSA Conference Guide

We’re at it again. For the fifth year we are putting together a comprehensive guide to what you need to know if you will be in San Francisco for the RSA Conference at the end of February. The full guide (with tons of memes and other humor that doesn’t translate to the blog) will be available later today.

We will also be recording a special Firestarter video on Thursday, since you obviously can’t get enough of our mugs. Look for that on Friday…

Key Themes

Deep Dives

And don’t forget to register for the Disaster Recovery Breakfast, 8-11am Thursday, at Jillian’s.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

The Future of Information Security

Leveraging Threat Intelligence in Security Monitoring

Advanced Endpoint and Server Protection

Newly Published Papers


Incite 4 U

  1. Call it the Llama Clause: Just to get you in the RSA Conference state of mind, check out this great post from the Denim Group folks who are just learning about the nuances of exhibiting at RSA. Yup, there is a “no animals” restriction. Turns out not only can’t you bring a llama, you can’t bring a rhino either. Which is a bummer because a live rhino would be second only to Nir Zuk as booth catnip. You also can’t have loud noises or bad odors. Neither of which seems to be restricted at DEFCON. Apparently they also have a booth babe clause, or at least the right to ban folks unprofessionally or objectionably dressed. By the way, that would seem to be a bit of a subjective measure, no? For those attendees who don’t get out much, seeing a greeter from the Gold Club would probably make their day. And no robots either. It seems like the organizers are bent on taking all the fun out of RSA. Though I guess you need to get caught first – so do it and then ask for forgiveness later. It’s the trade show credo. – MR

  2. TK-421 – why are you not at your post? 2-Factor authentication has gone mainstream – it is now an option for most cloud services and several payment services using SMS validation. Google has been using 2FA for a while now, and their recent acquisition of SlickLogin provides a peek at where the market is heading: proximity detection. Think of those physical cards you use to get into work, only embedded in your phone and used for more than just physical access. These credentials would log you into your laptop, server, or whatever, automatically as you approach. Freaky, right? Sure, the security hype machine will say your account(s) can be compromised if one of your devices is stolen, or by Android malware, or that Bluetooth (or NFC) opens up another attack vector. The reality is that none of this is absolute security – nothing is. But it is better than what we have today. 2FA and proximity verification with devices will be reality going forward, whether you like them or not. Security is learning what every retailer and credit card brand knows: if something makes your life easier, you’ll use it. – AL

  3. Internet of Pwn: The Internet of Things is all the rage. From fitness trackers to Internet-powered Crock Pots, you can’t swing a dead cat without triggering a motion-controlled ceiling fan. And sure, security is important, but this is just more esoteric garbage nobody needs to worry about yet, right? Well perhaps not – our friends at IOActive have cracked the security of the popular WeMo automation products. You know, devices you can buy down the street at some hardware stores. What fascinates me is that these flaws came down to an encryption implementation flaw. Maybe most people don’t care that someone can monitor movement in your house and turn off your lights, but I know for a fact some of these flaws in other systems can disable alarms, open doors, and trash your HVAC. – RM

  4. You had me at Terry Tate: Rick Holland’s post about his definition of actionable intelligence had me cracking up. Not because threat intelligence (TI) is sure to jump the shark at this year’s show – but instead because he dusted off Terry Tate to deal with vendors misusing the term ‘actionable’. Rick has a pretty good list of characteristics you should be looking for in the intelligence. Things like accuracy, integration, and relevance. We have been doing a bunch of research into threat intelligence over the past year, and Rick’s requirements ring true. Though as with every other hot market, you will see a lot of snake oil as well. So RSA attendees beware. By the end of the week you are likely to be confused about what TI even is. – MR

  5. Swamp cloud loggers: Logging in the cloud historically has been a mess. Netflix even had to build its own proxy for its developers so they could log and control management plane access. In response Amazon released CloudTrail a few months ago, which logs all API calls – even internal ones from their tools to any of your AWS (Amazon Web Services) services. Well, sort of. It only works in two regions (data centers) for a few AWS services, and has a 15-20 minute lag. Fortunately multiple little birdies tell me this is just the start, and that the services should improve quite a bit over the next couple years. Kind of like everything else cloudy. Amazon published a white paper on the best way to use its logging capabilities, and if you mostly use one of the supported regions I highly recommend turning it on. I’m not going to criticize a good start, but there’s nothing wrong with being demanding and having massive expectations, right? – RM

  6. Bad software is not mysterious: The appearance of strange software may be alarming, but it’s not a surprise. In the same way seeing advertisements unexpectedly pop up in your browser should not be a surprise. The fundamental problem is that Windows machines and most browsers are designed to be portals to you. The intent was to make it easy to push crap your way, often when you are unaware. Worse – the crap is very difficult to remove. Put in a CD-ROM, click a link, or update software, and you have no idea what gets installed. The result is that once you install software on your machine, you inherently trust everyone who built it, the third-party libraries they used, and everyone they partner with. It is simply a byproduct of poor software design, but a sad reality for deeply entrenched software. We see this problem on every software platform, OS, or browser designed for advertisers rather than users – all of them. The problem is that users would rather take free stuff and cede control of their machines to advertisers. And that is not going to change. – AL

–Mike Rothman

Wednesday, February 12, 2014

Incite 2/12/2014: Kindling

By Mike Rothman

Sitting at my feet is the brand spanking new Kindle I ordered for XX1. It arrived before the snow and ice storm hits the ATL, so we got pretty lucky. She’s a voracious reader and it has become inefficient (and an ecological crime) to continue buying her paper books. She has probably read the Harry Potter series 5 or 6 times, and is constantly giving me new lists of books to buy. She has books everywhere. She reads on the bus. She gets in trouble because sometimes she reads in class. It’s pretty entertaining that the Boss and I need to try to discipline her, when her biggest transgression is reading in class. I kind of want to tell the teacher that if they didn’t suck at keeping the kid’s attention, it wouldn’t be a problem. But I don’t.

Read much?

I have used the Kindle app on my iOS devices for a couple years. I liked it but my older iPads are kind of heavy, so it wasn’t a very comfortable experience to prop on my chest and read. I also had an issue checking email and the Tweeter late at night. So I bought a Kindle to just read. And I do. Since I got it my reading has increased significantly. Which I think is a good thing.

So I figured it was time to get XX1 a Kindle too. The Boss was a bit resistant, mostly because she likes the tactile feeling of reading a book and figured XX1 should too. Once we got past that resistance, I loaded up the first Divergent book onto my Kindle and let her take it for a test drive. I showed her two features, first the ability to select a word and see it in the dictionary. That’s pretty awesome – how many kids do you know who take the time to write down words they don’t know and look them up later? I also showed her how to highlight a passage. She was sold.

A day and a half later, she was ready for book 2 in the Divergent series. Suffice it to say, I loaded up book 3 as well, preemptively. Of all the vices my kids have, reading is probably okay. Before I go to bed tonight I will set up her new device and load up a bunch of books I have which I think she’ll like. We will be snowed in for at least a day, so they will give her something to do. The over/under in Vegas is that she reads two books over the next couple days. I’m taking the over.

What’s really cool is that in a few years, she will hardly remember carrying a book around. That will seem so 2005. Just like it seems like a lifetime ago that I loaded up 40-45 CDs to go on a road trip in college (or cases of cassette tapes when I was in high school). Now I carry enough music on my phone to drive for about 3 weeks, and never hear the same song twice.

It’s the future, and it’s pretty cool.

–Mike

Photo credit: “Stack of Books” originally uploaded by Indi Samarajiva


Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and, well, hang out. We talk a bit about security as well. We try to keep these less than 15 minutes, and usually fail.


2014 RSA Conference Guide

We’re at it again. For the fifth year we are putting together a comprehensive guide to what you need to know if you will be in San Francisco for the RSA Conference at the end of February. We will also be recording a special Firestarter video next week, because you obviously cannot get enough of our mugs.

Key Themes

And don’t forget to register for the Disaster Recovery Breakfast Thursday, 8-11 at Jillian’s.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

The Future of Information Security

Leveraging Threat Intelligence in Security Monitoring

Advanced Endpoint and Server Protection

Newly Published Papers


Incite 4 U

  1. Hot or Not: We spend a ton of time working with security startups (and lately cloud startups looking for security help). So we will be the first to admit we don’t know all of them, and it can sometimes be hard to evaluate broad market perception – our instincts and research are good but we don’t do quantitative market surveys. Justin Somaini just published his personal survey results on security startups and issues and it’s pretty interesting. (Full disclosure: Justin is Chief Trust Officer at Box, who is licensing a paper of ours). Justin got 500 responses from people rating the perceived value of every security startup he could find, and also teased out a bit on perceived top security issues. I’m sure there is survey bias, but if you want a sense of which startups have the best recognition this is a great start, and Justin published all the results in the open, just the way we like it. (Note to Mike: I call dibs on the new prospect list.) – RM

  2. Attacks are not evenly distributed: You have to love Rob Graham. Words matter to Rob. And when he sees words misused he usually pens a very detailed diatribe on the Errata blog. This time he takes Glenn Greenwald and NBC News to task for incorrectly calling an attack DDoS. Rob’s point is that nation-states would not likely launch a DDoS attack because it involves lots of compromised devices taking down networks. Nation-states aren’t likely to use compromised devices when they have more efficient means of knocking things down. The whole rant comes back to Rob’s general expectation that professional reporters should get it right, rather than simply parroting hacktivists without even trying to understand what they are repeating. The hacktivists get a pass because they “are largely unskilled teenagers with a very narrow range of expression.” Kind of sounds like a lot of adults I know as well… But that’s just me. – MR

  3. Facing the unfamiliar: When I was a programmer there was always a ‘dread’ project: a task I dreaded facing because it was new, tough, and would require significant effort to solve. I would drag my feet, worry about the project, and keep pushing it to the bottom of the stack. More often than not, once I jumped in, not only did the task turn out easier than I thought, but the process of learning made the whole effort exciting and fun! “How do you face a programming task you’ve never done before?” brought this to mind, and I can say without reservation, “Jump in and try it.” If you fail, that’s actually okay – we call that “rapid prototyping” now, and it’s part of the learning process. But I’m betting that more often than not new tasks are not as hard as you think, and more rewarding than you imagine! – AL

  4. Snap, Clinkle, Popped: Peter Hesse makes a good case for why even startups need to worry about security with a story of a stealth-mode payment startup called Clinkle getting pwned recently. Was the breach a death blow? Probably not, but it doesn’t look good for a company trying to get established in the payment space. It highlights a key reality of today’s world: you need to think about security early. Like Day 2, right after you open your bank account and make your first Staples run. You can use the cloud for a bunch of stuff, but ultimately you need a security strategy both for your product (whatever it is) and your company. – MR

  5. Let’s talk about trust: I will be publishing my “Security’s Future” paper next week, and one of the key things I call out is the need for cloud providers to establish trust. We have two great examples of trust failures this week, with both Snapchat (again) and Instagram suffering security malfunctions. With a difference: Snapchat is struggling to manage their security responses, while Instagram (owned by Facebook, BTW) fixed things quickly and paid the discoverer a bug bounty. This is the new normal, folks, and cloud providers need to not only bake in security as best they can, but learn to respond like Facebook/Instagram too – nail issues early and work well with researchers. – RM

  6. Proof of concept companies: Normally we provide a detailed writeup when technology vendors in key coverage areas (e.g., WAF, DAM and cloud) go on acquisition sprees like Imperva did last week when they acquired Incapsula and Skyfence in one fell swoop. But these acquisitions are so closely aligned with Imperva’s vision that there was not much to report: both offer SaaS-based security gateways, monitoring and blocking suspicious behavior – albeit for slightly different use cases. In both cases the firms were funded by Imperva’s founder Shlomo Kramer, and Incapsula licensed Imperva’s technology in exchange for an equity stake. It was as if these two firms were externally incubated by Imperva – an astute move in case things did not work out, in which case they wouldn’t have impacted Imperva’s reputation, and the financial cost would have been minimal. But the concepts worked, so once the models were proven they were rolled up into the Imperva stable without much fuss or the typical worries about technology or cultural integration. In the interest of full disclosure, we have been using Incapsula for a number of years here, after Cloudflare failed to offer some of the security features and performance we wanted, and we have been happy with it. Incapsula isn’t the last word in filtering, but it filters out most cruft. – AL

–Mike Rothman

Wednesday, February 05, 2014

Incite 2/5/2014: Super Dud

By Mike Rothman

I’m sure long-time Incite readers know I am a huge football fan. I have infected the rest of my family, and we have an annual Super Bowl party with 90+ people to celebrate the end of each football season. I have laughed (when Baltimore almost blew a 20 point lead last year), cried (when the NY Giants won in 2011), and always managed to have a good time. Even after I stopped eating chicken wings cold turkey (no pun intended), I still figure out a way to pollute my body with pizza, chips, and Guinness. Of course, lots of Guinness. It’s not like I need to drive home or anything.

Not even the Dew can help this dud

This year I was very excited for the game. The sentimental favorite, Peyton Manning, was looking to solidify his legacy. The upstart Seahawks with the coach who builds his players up rather than tearing them down. The second-year QB who everyone said was too short. The refugee wide receiver from the Pats, with an opportunity to make up for the drop that gave the Giants the ring a few years ago. So many story lines. Such a seemingly evenly matched game. #1 offense vs. #1 defense. Let’s get it on!

I was really looking forward to hanging on the edge of my seat as the game came down to the final moments, like the fantastic games of the last few years. And then the first snap of the game flew over Peyton’s head. Safety for the Seahawks. 2-0 after 12 seconds. It went downhill from there. Way downhill.

The wives and kids usually take off at halftime because it’s a school night. But many of the hubbies stick around to watch the game, drink some brew, and mop up whatever desserts were left by the vultures of the next generation. But not this year. The place cleared out during halftime and I’m pretty sure it wasn’t in protest at the chili peppers parading around with no shirts. The game was terrible.

Those sticking around for the second half seemed to figure Peyton would make a run. It took 12 seconds to dispel that myth, as Percy Harvin took the second half kick-off to the house. It was over. I mean really over. But it’s the last football game of the year, so I watched until the end. Maybe Richard Sherman would do something to make the game memorable. But that wasn’t to be, either. He was nothing but gracious in the interviews. WTF?

Overall it was a forgettable Super Bowl. The party was great. My stomach and liver hated me the next day, as is always the case. And we had to deal with Rich being cranky because his adopted Broncos got smoked. But it’s not all bad. Now comes the craziness leading up to the draft, free agency, and soon enough training camp. It makes me happy that although football is gone, it’s not for long.

–Mike

Photo credit: “Mountain Dew flavoured Lip Balm and Milk Duds!!!” originally uploaded by Jamie Moore


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

The Future of Information Security

Leveraging Threat Intelligence in Security Monitoring

Reducing Attack Surface with Application Control

Advanced Endpoint and Server Protection

Newly Published Papers


Incite 4 U

  1. Scumbag Pen Testers: Check out the Chief Monkey’s dispatch detailing pen testing chicanery. These shysters cut and pasted from another report and used the findings as a means to try to extort additional consulting and services from the client. Oh, man. The Chief has some good tips about how to make sure you aren’t suckered by these kinds of scumbags either. I know a bunch of this stuff should be pretty obvious, but clearly an experienced and good CISO got taken by these folks. And make sure you pay the minimum amount up front, and then on results. – MR

  2. Scumbags develop apps too: We seem to be on a scumbag theme today, so this is a great story from Barracuda’s SignNow business about how they found a black hat app developer trying to confuse the market and piggyback on SignNow’s brand and capabilities. Basically copy an app, release a crappy version of it, confuse buyers by ripping off the competitor’s positioning and copy, and then profit. SignNow sent them a cease and desist letter (gotta love those lawyers) and the bad guys did change the name of the app. But who knows how much money they made in the meantime. Sounds a lot like a tale as old as time… – MR

  3. He was asking for it: As predicted and with total consistency, the PCI Security Standards Council has once again blamed the victim, defended the PCI standard, and assured the public that nothing is wrong here. In an article at bankinfosecurity.com, Bob Russo of the SSC says: “As the most recent industry forensic reports indicate, the majority of the breaches happening are a result of some kind of breakdown in security basics – poor implementation, poor maintenance of controls. And the PCI standards [already] cover these security controls”. Well, it’s all good, right? Except nobody is capable of meeting the standard consistently, and all these breaches are against PCI Certified organizations. But nothing wrong with the standard – it’s the victim’s fault. You notice no one from the PCI Council ever mentions Chip and PIN or other structural or technological changes to prevent widespread fraud? Why bother when you can just update a standard every year and decertify anyone stupid enough to be breached? Though the consistency should count for something. – RM

  4. Security Immortal: No matter how many have tried, no matter how much damning evidence appears about its inefficacy, no matter what – AV will survive. I am convinced that even in the event of thermonuclear war, the AV industry will still generate over $4 billion every year. This recent survey from the 451 Group shows the impressive staying power of AV, with 80% of surveyed customers maintaining their level of investment in the technology. Though the comments at the bottom are interesting – especially the one acknowledging the commodity status of the technology. So basically AV is the toilet paper of security. And even in the event of a nuclear meltdown, folks will still need toilet paper. – MR

  5. Security user experience: It has been a while since I harped on user experience, but we got another great example this week from the Google Chrome team. Apparently browser hijacking on Windows is so prevalent that Chrome is adding an automatic reset button every time your settings change. This is a good warning to users, but resetting the browser puts everything back to the default state. This is using a sledgehammer to kill an ant, but I have to admit I don’t see another option if they can’t actually stop the hijacking in the first place. This integrates security into the user experience and could really help users keep control over attackers. For what it’s worth, I like it any time vendors can insert something to make security easier (and more automated) for users, even when they make a mistake. – RM

–Mike Rothman

Wednesday, January 29, 2014

Incite 1/29/2014: Southern Snowpocalypse

By Mike Rothman

I grew up in the northeast. My memories of snow weren’t really good. I didn’t ski, so all that I knew about snow was that I had to shovel it and it’s hard to drive in. It is not inherently hard to drive in snow, but too many folks have no idea what they are doing, which makes it hard.

If you're not the lead dog, the scenery never changes...

As I write this, I’ve been in traffic trying to get the 6 miles from the coffee shop to my house. I have been at it for 90 minutes and it’ll probably be another 90. TO GO 6 MILES.

To be clear, this situation is on me. I had an opportunity to go home earlier today. But I wanted my coffee and the comfort of working in a familiar Starbucks, rather than my familiar basement office. Not my brightest decision. I figured most folks would clear out early, so it would be fine later in the day. Wrong. Wrong. Wrong.

Evidently there are an infinite number of people in the northern Atlanta suburbs trying to get home. And they are all on the road at the same time. A few of them have rear wheel drive cars, which get stuck on the mildest of inclines. No one can seem to get anywhere.

I depend on the Waze app for navigation. Its crowdsourced traffic info has been invaluable. Not today. It has routed me in a circle, and 90 minutes later I am basically where I started. Although I can’t blame Waze – you can’t really pinpoint where a car gets stuck and causes gridlock until someone passes by. In case it wasn’t clear, no one is going anywhere.

So I wait. I read my email. I caught up on my twitter feed. I checked Facebook, where I saw that most of my friends in ATL were similarly stuck in traffic. It’s awesome.

My kids have already gone out and played in the snow. I hope the boss took pictures. I missed it. Oh well. Nothing I can do now. Except smile. And breathe. And smile again. At some point I will get home. I will be grateful.

Oh yeah, and next time I will stay home when it threatens to snow. Duh.

–Mike

UPDATE: It took me about 4 1/2 hours to get home. Yes, to travel 6 miles. I could have walked home faster. But it was 20 degrees, so that wouldn’t really have worked well either. Some kids in XX1’s middle school didn’t get home until 10 PM. It was a total nightmare. My family and friends are safe, and that’s all that matters.

Now get these kids out of my hair. I have work to do…

Photo credit: This is an actual picture of sitting in traffic yesterday. What you see was my view for about an hour inching along. And I don’t normally play on the phone when I’m driving, but at that point I wasn’t really driving…


Heavy Research

We’re back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

The Future of Information Security

Leveraging Threat Intelligence in Security Monitoring

Reducing Attack Surface with Application Control

Advanced Endpoint and Server Protection

Newly Published Papers


Incite 4 U

  1. CISOs don’t focus on technology, not for long anyway: Seems like this roundtable that Dan Raywood covered in CISOs have “too much focus on technology” is about 5 years behind the times. I spend a bunch of time with CISOs, and for the most part they aren’t consumed by technology – more likely they are just looking for products to make the hackers go away. They have been focused on staffing and communicating the value of their security program. Yes, they still worry about malware and mobile devices and this cloud thing. But that doesn’t consume them anymore. And any CISO who is consumed by technology and believes any set of controls can make hackers go away should have a current resume – s/he will need it. – MR

  2. You don’t want to know: Sri Karnam writes about the 8 things your boss wants you to know about ‘Big Data Security’ on the HP blog – to which I respond ‘Not!’ The three things your boss wants to know, in a security context, are: 1) What sensitive data do we have in there? 2) What is being done to secure it? 3) Is that good enough? The key missing ingredient from Sri’s post is that your boss wants this information off the record. Bosses know not to go looking for trouble, and just want to know how to respond when their boss asks. If you formally tell them what’s going on, they have knowledge, and can no longer rely on plausible deniability to blame you when something blows up. Sure, that’s an ethical copout, but it’s also a career-saver. – AL

  3. Pure vs. applied research: Interesting post on Andrew Hay’s blog about why security vendors need a research group. It seems every security vendor already has a research group (even if it’s a guy paying someone to do a survey), so he’s preaching to the choir a bit. But I like his breakdown of pure vs. applied research, where he posits vendors should be doing 70% of their research in areas that directly address customer problems. I couldn’t agree more. If you’re talking about a huge IT company, then they can afford to have Ph.D.s running around doing science projects. But folks who have to keep the lights on each quarter should be focused on doing research to help their customers solve problems. Because most customers can’t think about pure research while they are trying to survive each day. – MR

  4. Mobile POS: Last week I posited that without EMV or P2P encryption we would continue to see widespread breaches of credit card data. I have talked about EMV and what I call “mobile EMV” – apps that conduct payments from your phone – though I haven’t talked about the competing Near Field Communication. Apple is applying for patents that combine NFC and Bluetooth Low Energy (BLE) technologies at merchant sites. While there will be a cornucopia of technologies at work behind the scenes, in a nutshell, you would move the cash register into your mobile device. NFC and BLE supporting services provide pricing, geo-location, and integration with merchant systems. Authentication – provided in multiple ways – is through mobile devices. Tim Horton’s has some of these basic capabilities today, with other vendors launching more advanced systems. The real impetus here is for merchants to get much more granular customer information and provide dynamic pricing and incentives, and market the value to customers as easier shopping. Still, I think better payment security is a genuine possibility and will represent a fundamental shift in how we do credit card transactions. The question is just when. – AL

  5. Everyone is in sales: Great post by Dan Wooley of the Mach37 accelerator about how the Achilles heel of many security start-ups is sales. If the CEO (and the entire team) isn’t laser focused on the first handful of customers and then discovering a scalable sales execution process, they don’t have a chance. By the way, that applies to CISOs and other security practitioners as well. In that context sales is all about pushing the value of the program and persuading technology folks and business leaders to protect the data. This stuff doesn’t just happen by itself. So someone has to go sell, persuade, cajole, and otherwise take accountability for security and information protection. – MR

–Mike Rothman

Wednesday, January 22, 2014

Incite 1/22/2014: The Catalyst

By Mike Rothman

I was on the phone last week with Jen Minella, preparing for a podcast on our Neuro-Hacking talk at this year’s RSA Conference, when she asked what my story is. We had never really discussed how we each came to start mindfulness practices. So we shared our stories, and then I realized that given everything else I share on the Incite, I should tell it here as well.

Boo

Simply put, I was angry and needed to change. Back in 2006 I decided I wanted to live past 50, so I started taking better care of myself physically. But being more physically fit is only half the equation. I needed to find a way to deal with the stress in my life. I had 3 young children, was starting an independent research boutique, and my wife needed me to help around the house.

In hindsight I call that period my Atlas Phase. I took the weight of the world on my shoulders, and many days it was hard to bear. My responsibilities were crushing. So my anger frequently got the best of me. I went for an introductory session with a life coach midway through 2007. After a short discussion she asked a poignant question. She wondered if my kids were scared of me. That one question forced me to look in the mirror and realize who I really was. I had to acknowledge they were scared at times. That was the catalyst I needed. I wasn’t going to be a lunatic father. I needed to change. The coach suggested meditation as a way to start becoming more aware of my feelings, and to even out the peaks and valleys of my emotions.

A few weeks later I went to visit my Dad. He had been fighting a pretty serious illness using unconventional tactics for a few years at that point. I mentioned meditation to him and he jumped out of his chair and disappeared for a few minutes. He came back with 8 Minute Meditation, and then described how meditation was a key part of his plan to get healthy. He told me to try it. It was only 8 minutes. And it was the beginning of a life-long journey.

These practices have had a profound impact on my life. 6 years later it’s pretty rare for me to get angry. I am human and do get annoyed and frustrated. But it doesn’t turn into true anger. Or I guess I don’t let it become anger. When I do get angry it’s very unsettling, but I’m very aware of it now and it doesn’t last long, which I know my wife and kids appreciate. I do too.

Everyone has a different story. Everyone has a different approach to dealing with things. There is no right or wrong. I’ll continue to describe my approach and detail the little victories and the small setbacks. Mostly because this is a weekly journal I use to leave myself breadcrumbs on my journey, so I remember where I have been and how far I have come. And maybe some of you appreciate it as well.

–Mike

Photo credit: “Scared Pandas” originally uploaded by Brian Bennett


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

Reducing Attack Surface with Application Control

Security Management 2.5: You Buy a New SIEM Yet?

Advanced Endpoint and Server Protection

Newly Published Papers


Incite 4 U

  1. SGO: Standard Government Obscurity: The Target hack was pretty bad, and it seems clear it may only be the tip of the iceberg. Late last week the government released a report with more details of the attack so companies could protect themselves. Er, sort of. The report by iSIGHT Partners was only released to select retailers. As usual, the government isn’t talking much, so iSIGHT went and released the report on their own. A CNN article states, “The U.S. Department of Homeland Security did not make the government’s report public and provided little on its contents. iSIGHT Partners provided CNNMoney a copy of its findings.” Typical. If I were a retailer I would keep reading Brian Krebs to learn what’s going on. The feds are focused on catching the bad guys – you are on your own to stop them until the cuffs go on. – RM

  2. Unrealistic expectations are on YOU! Good post on the Tripwire blog about dealing with unrealistic security expectations. Especially because it seems very close to the approach I have advocated via the Pragmatic CSO for years. I like going after a quick win and making sure to prioritize activities. But my point with the title is that if senior management has unrealistic expectations, it’s because your communications strategies are not effective. You can blame them all you want for being unreasonable, but if they have been in the loop as you built the program, enlisted support, and started executing on initiatives, nothing should be a surprise to them. – MR

  3. Other people’s stuff: The recent Threatpost article ‘Starbucks App Stores User Information, Passwords in Clear Text’ is a bit misleading, as they don’t mention that the leaky bit of code is actually in the included Crashlytics utility. The real lesson here is not about potential harm from passwords in log files, which is a real problem, with a low probability of exploitation. It’s that applications built on third party libraries and APIs inherit their level of security (duh!). It is a mistake to abdicate security, assuming the authors of every utility do security right. Make no mistake – we are in the age of APIs and open source leverage. It makes a lot of sense for developers to leverage whatever utilities they can to cut development time or reduce the quantity of code they need to produce. We see a compelling new use case for third party code validation services for apps, and application code security, because development teams are sprinting too fast to vet other people’s stuff. – AL
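The inherited-logging problem in working code, as an added example that is not from the Threatpost article, Starbucks or Crashlytics: a Python logging filter that scrubs credential fields from every record at the logger, before any handler (including one a third-party crash-reporting SDK installs) gets to format and ship it. The SDK is stood in for by a capturing handler, the log lines are constructed, and the field names, the `[REDACTED]` token and the logger name are assumptions.

```python
import logging
import re

# Field names whose values must never leave the process inside a log record (assumed list).
SENSITIVE_KEYS = {"password", "passwd", "pwd", "token", "access_token", "secret", "authorization"}

# Matches "password=hunter2", "token: abc...", "Authorization: Bearer x" in free-text messages.
_KV_PATTERN = re.compile(
    r"(?i)\b(" + "|".join(re.escape(k) for k in sorted(SENSITIVE_KEYS)) + r")"
    r"\s*[=:]\s*(?:bearer\s+)?[^\s,;&]+"
)

def redact_text(text):
    """Replace the value half of every key=value or key: value pair whose key is sensitive."""
    return _KV_PATTERN.sub(lambda m: f"{m.group(1)}=[REDACTED]", text)

def redact_mapping(data):
    """Copy of a dict with sensitive values replaced, recursing into nested dicts."""
    out = {}
    for key, value in data.items():
        if str(key).lower() in SENSITIVE_KEYS:
            out[key] = "[REDACTED]"
        elif isinstance(value, dict):
            out[key] = redact_mapping(value)
        else:
            out[key] = value
    return out

class RedactingFilter(logging.Filter):
    """Scrubs each LogRecord before any handler, including a third-party SDK's, formats it."""
    def filter(self, record):
        record.msg = redact_text(str(record.msg))
        if isinstance(record.args, dict):
            record.args = redact_mapping(record.args)
        elif record.args:
            record.args = tuple(redact_text(a) if isinstance(a, str) else a for a in record.args)
        return True  # keep the record, just with the secrets gone

class CapturingHandler(logging.Handler):
    """Stand-in for a crash-reporting SDK's handler: it keeps whatever reaches it."""
    def __init__(self):
        super().__init__()
        self.lines = []

    def emit(self, record):
        self.lines.append(self.format(record))

def build_logger(name):
    """Logger with the redaction filter attached at the logger, ahead of every handler."""
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.filters.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = CapturingHandler()
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addFilter(RedactingFilter())
    logger.addHandler(handler)
    return logger, handler

def demo():
    """Log constructed login traffic the way a careless library might; return what the 'SDK' saw."""
    logger, handler = build_logger("thirdparty-demo")
    logger.debug("login attempt user=alice password=hunter2 token: abc.def")
    logger.debug("request body: %s", "user=bob&password=s3cret&remember=1")
    logger.debug("form fields: %(user)s %(password)s", {"user": "carol", "password": "p@ss"})
    return handler.lines
```

The filter sits on the logger rather than on a handler because a library-installed handler is exactly the thing you do not control; anything attached to the logger runs before `callHandlers` hands the record to all of them. It does not help with libraries that log through their own logger hierarchy or write files directly, which is the point of the item: you still have to read what the utility does.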

  4. The PCI protection dance begins: It seems that with every high-profile breach the PCI Security Standards Council goes out of their way to point out how the compromised retailer was clearly not compliant or they couldn’t have been breached. It appears this time with Target will be no different. Dark Reading works through some speculation about what Target did or didn’t have, and how the attackers could have monetized the stolen info. But then you have a PCI forensicator talking about how Target couldn’t have been PA-DSS compliant because those kinds of attacks are specifically protected against in the standard. Uh huh. I’m sure the assessment went through the code line by line, and it seems the malware attacked the underlying POS operating system. But whatever. The machine will rise up to protect the machine. Just the way things go… – MR

  5. SOS (Same old sh##): As the Target breach drags on and it becomes clear that more retailers have been hacked, the Payment Card Industry (PCI) Data Security Standard (DSS) revision 3.0 will undergo major scrutiny. Does the standard go far enough? Is it too prescriptive? Will the PCI Council embrace more detection and forensic requirements? Should merchants focus on additional physical and electronic security controls around PoS? These conversations are fundamentally unimportant, and a red herring for payment card data security. Either the card brands will mandate EMV or point-to-point encryption – both of which somewhat disintermediate merchants from the financial details of transactions – or we will get a few more years of the status quo. And the status quo isn’t working very well right now. Don’t look for changes to PCI-DSS to alter the story one bit – hackers, attackers, and fraudsters have too many ways to game the current US system. Without a fundamental shift in the way payment card security is handled, we will get to continue the breach parade of the last decade. – AL

  6. Pwn me once, shame on me, pwn me twice… Earlier this month some Microsoft blog and Twitter accounts were hacked by the Syrian Electronic Army. Not good for a company that is now known for being darn good with security. Shockingly enough, it appears the attack can be traced back to standard old phishing. Okay, they fixed it and everyone knows these things happen. On the bad side, it happened again this week, with the Office blog. These aren’t Microsoft’s core services, but a string of attacks like this can directly degrade trust. While Microsoft surely (hopefully?) has better back-end controls for the serious stuff, it is hard to maintain a good public perception if you experience multiple, ongoing, public compromises. I feel for them – they have one of the largest attack surfaces in the world – but hopefully they will get all hands on deck before things get worse. – RM

  7. (For vendors) is awareness the problem? When I first saw the title Our biggest problem is awareness on Seth Godin’s blog, I immediately thought of mindfulness. So you see where my head is at. But Seth’s point is that a lot of sales folks vilify marketing because they don’t think there is enough awareness of the company, products, etc. Which really means they want inbound calls from customers ready to write checks. Seth points out that the product and customer experience need to speak for themselves. And when that happens awareness isn’t a problem. He’s right. – MR

–Mike Rothman

Wednesday, January 15, 2014

Incite 1/15/2014: Declutter

By Mike Rothman

As I discussed last week, the beginning of the year is a time for ReNewal and taking a look at what you will do over the next 12 months. Part of that renewal process should be clearing out the old so the new has room to grow. It’s kind of like forest fires. The old dead stuff needs to burn down so the new can emerge. I am happy to say the Boss is on board with this concept of renewal – she has been on a rampage, reducing the clutter around the house.

Oh, that's what the floor looks like

The fact is that we accumulate a lot of crap over the years, and at some point we kind of get overrun by stuff. Having been in our house almost 10 years, since the twins were infants, we have stuff everywhere. It’s just the way it happens. Your stuff expands to take up all available space. So we still have stuff from when the kids were small. Like FeltKids and lots of other games and toys that haven’t been touched in years. It’s time for that stuff to go.

Since we have a niece a few years younger than our twins, and a set of nephews (yes, twins run rampant in our shop) who just turned 3, we have been able to get rid of some of the stuff. There is nothing more gratifying than showing up with a huge box of action figures that were gathering dust in our basement, and seeing the little guys’ eyes light up. When we delivered our care package over Thanksgiving, they played with the toys for hours.

The benefit of decluttering is twofold. First it gets the stuff out of our house. It clears room for the next wave of stuff tweens need. I don’t quite know what that is, because iOS games don’t seem to take up that much room. But I’m sure they will accumulate something now that we have more room. And it’s an ongoing process. If we can get through this stuff over the next couple months that will be awesome. As I said, you accumulate a bunch of crap over 10 years.

The other benefit is the joy these things bring to others. We don’t use this stuff any more. It’s just sitting around. But another family without our good fortune could use this stuff. If these things bring half the joy and satisfaction they brought our kids, that’s a huge win.

And it’s not just stuff that you have. XX1 collected over 1,000 books for her Mitzvah project to donate to Sheltering Books, a local charity that provides books to homeless people living in shelters. She and I loaded up the van with boxes and boxes of books on Sunday, and when we delivered them there was great satisfaction from knowing that these books, which folks kindly donated to declutter their homes, would go to good use with people in need.

And the books were out of my garage. So it was truly a win-win-win. Karma points and a decluttered garage. I’ll take it.

–Mike

Photo credit: “home-office-reorganization-before-after” originally uploaded by Melanie Edwards


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

Reducing Attack Surface with Application Control

Security Management 2.5: You Buy a New SIEM Yet?

Advanced Endpoint and Server Protection

Newly Published Papers


Incite 4 U

  1. Don’t take it personally: Stephen Covey has been gone for years, but his 7 habits live on and on. Our friend George Hulme did a piece for CSO Online detailing the 7 habits of effective security pros. The first is communication and the second is business acumen. I’m not sure you need to even get to #3. Without the ability to persuade folks that security is important, within the context of a critical business imperative – nothing else matters. Of course then you have squishy stuff like creativity and some repetitious stuff like “actively engaging with business stakeholders”. But that’s different than business acumen. I guess it wouldn’t have resonated as well if it was 5 habits, right? Another interesting one is problem solving. Again, not unique to security, but if you don’t like to investigate stuff and solve problems, security isn’t for you. One habit that isn’t on there is don’t take it personally. Security success depends on a bunch of other things going right, so even if you are blamed for a breach or outage, it is not necessarily your fault. Another might be “wear a mouthguard” because many security folks get kicked in the teeth pretty much every day. – MR

  2. Out-of-control ad frenzy: Safari on my iPad died three times Saturday am, and the culprit was advertisement plug-ins. My music stream halted when a McDonalds ad screeched at me from another site. I was not “lovin’ it!” The 20 megabit pipe into my home and a new iPad were unable to manage fast page loads because of the turd parade of third-party ads hogging my bandwidth. It seems that in marketers’ frenzy to know everything you do and push their crap on you, they forgot to serve you what you asked for. The yoast blog offers a nice analogy, comparing on-line ads to brick-and-mortar merchants tagging customers with stickers, but it’s more like carrying around a billboard. And that analogy does not even scratch the surface of the crap going on under the covers. So I have to ask, as the media has been barking for months about Snowden-related revelations about NSA spying, why is nobody talking about marketing firms pwning your browser and scraping every piece of data they can? Those of you who don’t examine what web pages do behind the scenes when you visit them – the folks with better things to do – might be surprised to learn that many web sites use over 20 trackers, and send info to a dozen third parties completely unrelated to the content you actually requested. Referrer tags, ghost scripts, framing, re-routing through marketing sites, cookies, intentional data leakage, plug-ins, and browser scraping. We use Google+ here for the Securosis Firestarter, but Google contacts 5 different Google servers every hour to update Google on, among other things, my patch level. Yes, hourly! Do you honestly think we could not buy stuff, or find information, if all this crap was blocked? Let’s find out! I’m going to try out the kickstarter project Ad Trap to see if it increases or reduces web browsing satisfaction. – AL
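An added example (not part of the original post) of the behind-the-scenes check AL describes: parse a page's HTML and list every third-party host that a script, image, iframe, stylesheet or media element would make the browser contact, then count how many distinct organizations that is. The page and the host names (all under the reserved `.test` domain) are constructed; the organization grouping is a two-label heuristic rather than the public suffix list, and the element/attribute table is an assumption about which tags trigger fetches.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Element/attribute pairs that make the browser contact whatever host the URL names (assumed set).
FETCH_ATTRS = {
    "script": ("src",),
    "img": ("src",),
    "iframe": ("src",),
    "link": ("href",),
    "source": ("src",),
}

def host_of(url):
    """Host part of a URL, or '' for relative and data: URLs (which stay on the first party)."""
    netloc = urlparse(url).netloc.lower()
    return netloc.rsplit("@", 1)[-1].split(":", 1)[0]  # drop userinfo and port

class ThirdPartyInventory(HTMLParser):
    """Collects (tag, host) for every fetch-triggering URL that points off the first-party site."""
    def __init__(self, first_party_host):
        super().__init__()
        self.first_party_host = first_party_host.lower()
        self.hits = []

    def is_first_party(self, host):
        return host == self.first_party_host or host.endswith("." + self.first_party_host)

    def handle_starttag(self, tag, attrs):
        wanted = FETCH_ATTRS.get(tag)
        if not wanted:
            return
        attrs = dict(attrs)
        for name in wanted:
            host = host_of(attrs.get(name) or "")
            if host and not self.is_first_party(host):
                self.hits.append((tag, host))

def inventory(html, first_party_host):
    """Map each third-party host to the sorted list of element types that load from it."""
    parser = ThirdPartyInventory(first_party_host)
    parser.feed(html)
    parser.close()
    by_host = {}
    for tag, host in parser.hits:
        by_host.setdefault(host, set()).add(tag)
    return {host: sorted(tags) for host, tags in sorted(by_host.items())}

def by_organization(hosts):
    """Count hosts per last-two-label domain: a rough stand-in for the registrable domain."""
    orgs = {}
    for host in hosts:
        org = ".".join(host.split(".")[-2:])
        orgs[org] = orgs.get(org, 0) + 1
    return orgs

# Constructed page for a fictional first party, news.example.com.
SAMPLE_PAGE = """<!doctype html>
<html><head>
<link rel="stylesheet" href="/css/site.css">
<link rel="stylesheet" href="https://fonts.thirdparty-cdn.test/font.css">
<script src="https://news.example.com/js/app.js"></script>
<script>window.dataLayer = [];</script>
<script src="//cdn.adnetwork.test/tag.js"></script>
<script src="https://static.adnetwork.test:443/beacon.js"></script>
<script src="https://analytics.tracker.test/collect.js"></script>
</head><body>
<img src="https://images.news.example.com/logo.png">
<img src="https://pixel.tracker.test/p.gif?uid=123">
<iframe src="https://ads.adnetwork.test/frame"></iframe>
<img src="data:image/gif;base64,R0lGODlh">
</body></html>
"""

def demo():
    """Inventory the constructed page; first-party subdomains and data: URLs are not reported."""
    return inventory(SAMPLE_PAGE, "news.example.com")
```

This sees only what is in the static markup. The tag scripts it finds will in turn load more scripts and fire beacons at runtime, so the real count from a browser's network panel is higher; treat the static inventory as the floor, and the `script` entries as the ones that run code in your page's origin.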

  3. There is timing in everything: The Target attack occurred at the worst possible time for Target, and the best for attackers – what a coincidence! In our research meeting today someone mentioned that by attacking close to the holidays, the attackers likely reduced the effectiveness of credit card fraud detection mechanisms – people buy more weird stuff from new and unusual places at Christmas. It also meant banks were very unlikely to cancel and reissue cards, given the impact that would have on consumers’ ability to spend money they don’t have during the holidays. Sorry Suzie, no Doc McStuffins play set for you – Santa’s magic card doesn’t work any more. This is logical, but it turns out the guy known for Prisoner’s Dilemma research put together a mathematical model for cyberattack timing. On the upside this is something defenders can use to model and prepare for attacks. On the downside I suspect many bad guys have this model instinctively hardwired into their brains. Well, the successful attackers, at least. – RM

  4. Gracefully impaling yourself: Dave Lewis uses some of his CSO blog real estate to laud our own Rich for disclosing in gory detail a mistake he made with his AWS account. Dave’s point (and one we reiterated in this week’s Firestarter) is that there is a right way and a wrong way to communicate during a breach. Full disclosure is better. If you don’t know something, say you don’t know. And share information so perhaps someone else can avoid the trap that you fell into. It is hard when you need to juggle the demands of lawyers to limit liability, the desire of customers to figure out what they lost, the heavy hand of law enforcement who needs unspoiled evidence, and the need for someone internally to point the finger elsewhere. The best way to make sure you are ready? A tabletop exercise, which will at least make sure everyone understands their roles and responsibilities. – MR

  5. Get some! Investment professionals consistently advise people to “invest in themselves”, as time and money spent on education pays the greatest returns. I am a huge fan of people who are students of their profession and study their craft to get better. Again, it pays dividends in career advancement, which leads to more job satisfaction. I made sure I had training budget to send my team to conferences and training sessions. They always came back stimulated from the new knowledge, and from being away from the daily grind for a couple days. Tom’s Guide has an article on planning your 2014 certifications. If you read the Securosis blog you know we are not huge fans of certifications; many of these rubber stamps don’t prove competency or make people better at their jobs. Lots of people use certificates as a badge of belonging to some club. Or perhaps to get by HR screeners on their next job interview. Whatever. I’m not about to endorse certifications for the sake of accumulating certificates, but it is time to get a plan together for the coming year. Figure out what would be most beneficial for you to learn, get management approval before the budget runs out, and get out there! Whether it’s chasing a certification or just learning a set of new skills, training is highly beneficial – not only to your employer but also to your psyche. And it doesn’t happen unless you make it. – AL

  6. Horse. Dead. Redux: Rumor is Ira Winkler is still pissed at me for letting The Macalope pick on him in the early days of this blog. No, I’m not the Macalope, and Ira deserved the criticism. That said, I do like his take on the so-called RSA boycott. I realize we have been beating on this issue, but like a good late-night talk show host, you work with the material you have. It is a pretty definitive piece – Ira lays out the false assumptions, grandstanding, and hypocrisy grounding most of the echo chamber nonsense on the RSA/NSA issue and accompanying boycott. I can only assume he has gotten over the ribbing he received on our site, because his particular 2007 article was fairly misinformed itself. Who says folks don’t learn from their mistakes? – RM

–Mike Rothman

Wednesday, January 08, 2014

Incite 1/8/2014: ReNew Year

By Mike Rothman

Since I’m on the East Coast of the US, when the ball drops in Times Square that’s it. The old year is done. The new year begins. With some of Dublin’s finest coursing through my veins, I get a little nostalgic. I don’t think about years in terms of “good” or “bad” anymore – instead I realize that 2013 is now merely a memory that will inevitably fade away.

Renewing sign

The new year brings a time of renewal. A time to thoughtfully consider the possibilities of the coming 12 months because 2014 is a blank slate. Not exactly blank because my responsibilities didn’t disappear as the ball descended – nor have yours. But we have the power to make 2014 whatever we want. That’s exciting to me. I don’t fear change, I embrace change. Which is a good thing because change always comes every year without fail. You grow. You evolve. You change.

I can’t wait to try new stuff. As Rich said in Thank You, we will do new things in 2014. Some of them will work, and some won’t. I don’t have the foggiest idea which will fall into each category. Uncertainty makes some folks uncomfortable. Not me. The idea of a certain future is not interesting at all. That would mean not getting an unexpected call to work on something that could be very very cool. But I also might not get any calls at all. You just don’t know. And that’s what makes it exciting.

I can’t wait to learn new things. About technology, because security continues to evolve quickly, which means that if you sit still you are actually falling behind. I am also learning a lot about myself, which is kind of strange for a guy in his mid-40s, but it’s true. In researching the Neuro-Hacking talk I’m doing with JJ at RSA, I am adding to my current practices to improve as a person.

Like everyone else, I find that being reminded of my ideals helps keep them at the forefront of my mind. So over the holiday, I treated myself to a few Hugh McLeod prints to hang in my office. The first is called Abundance and the quote on the picture is: “Abundance begins with gratitude.” It’s true. I need to remain thankful for what I have. That appreciation and a dedication to helping others will keep me on a path to achieve bigger things.

The other is One Day is Dead, which is a reminder to make the most of every day and focus on living right now. This has been a frequent theme in my writing lately and will remain so. I write the weekly Incite for me as much as for anyone else. It is a public journal of my thoughts and ideas each week. I also spent some time looking back through some of the archives, and it’s fascinating to see how I have changed over the past few years.

But not half as fascinating as imagining how much I’ll change over the next few. So I jump into 2014 with both feet. Happy ReNew Year.

–Mike

Photo credit: “Renewing shoe” originally uploaded by Adam Fagen


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

Security Management 2.5: You Buy a New SIEM Yet?

Advanced Endpoint and Server Protection

What CISOs Need to Know about Cloud Computing

Newly Published Papers


Incite 4 U

  1. FireEye’s Incident Response Play: Of course the one day I decide to take vacation over the holidays, the FireEye folks buy Mandiant for a cool billion-ish. Lots of folks have weighed in on the deal already so I won’t repeat their analysis. Clearly FireEye realizes they need to become more than just a malware detection box/service, because only a broad network security platform player could provide the revenue to support their current valuation. Obviously this won’t be their last deal. Were there other things they could have bought for less money that would have fit better? Probably. But Mandiant brings a ton of expertise and a security brand juggernaut to FireEye. Was it worth $1 BILLION? That depends on whether you think FireEye was worth $5 billion before the deal, because the price was mostly in FireEye stock, which is, uh, generously valued. The question is whether forensics (both services and products) has become a sustainable mega-growth segment of security. That will depend on whether the technology becomes simple enough for companies without a dedicated forensics staff to use. It ain’t there yet. – MR

  2. Me Too: It’s Tuesday as I write this, right after Mike harassed me to get my Incites in. I open up Pocket to check out what stories I have collected over the past couple weeks. Number four on my list is a post by Luke Chadwick on how his Amazon Web Services account was hacked when he accidentally left his Access Keys in some code he published online. That seems strangely familiar. It seems bad guys are indeed scraping online code repositories to find cloud service keys and then using them for mining Litecoins. It also seems even security-aware developers and analysts like myself, despite our best efforts, can mess up and accidentally make life easy for attackers. I encapsulated my lessons in my post, but the thing I learned all of two minutes ago is that I should read my saved stories on a more timely basis. Facepalm. Again. (Oh, and you had darn well better make sure you find out what your developers are up to. Luke and I can’t be the only ones making this error, and this attack is clearly automated). – RM
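An added example (not Luke's or Rich's code) of the check implied at the end of that item: a pre-commit scanner that reads the added lines of a diff, flags AWS access key IDs by their fixed prefix and length, and flags secret access keys only when a key-like name sits next to a 40-character value with enough entropy to be real key material rather than a placeholder. The diff and file name are constructed; the two key values are the placeholders AWS uses in its own documentation, not live credentials, and the hook command in the comment is hypothetical.

```python
import math
import re
import sys

# AWS access key IDs are 20 characters: AKIA (long-term) or ASIA (temporary) plus 16 of [A-Z0-9].
ACCESS_KEY_ID = re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])")
# Secret access keys are 40 base64-ish characters; requiring a nearby key name cuts noise
# from hashes and other random-looking strings.
SECRET_KEY = re.compile(
    r"(?i)(?:aws)?_?secret(?:_access)?_?key[\"']?\s*[:=]\s*[\"']?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

def shannon_entropy(s):
    """Bits per character. Real key material scores high; 'AAAA...' placeholders score near zero."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def scan_lines(numbered_lines, min_entropy=3.0):
    """Return findings for an iterable of (line_number, text) pairs."""
    findings = []
    for lineno, line in numbered_lines:
        for m in ACCESS_KEY_ID.finditer(line):
            findings.append({"line": lineno, "kind": "aws_access_key_id", "value": m.group(0)})
        for m in SECRET_KEY.finditer(line):
            candidate = m.group(1)
            if shannon_entropy(candidate) >= min_entropy:
                findings.append({"line": lineno, "kind": "aws_secret_access_key", "value": candidate})
    return findings

def scan_text(text, min_entropy=3.0):
    return scan_lines(enumerate(text.splitlines(), start=1), min_entropy)

def scan_diff(diff_text, min_entropy=3.0):
    """Scan only the lines a commit adds; reported line numbers refer to the diff itself."""
    added = [
        (lineno, line[1:])
        for lineno, line in enumerate(diff_text.splitlines(), start=1)
        if line.startswith("+") and not line.startswith("+++")
    ]
    return scan_lines(added, min_entropy)

# Constructed diff. The key values are the placeholders from AWS's own documentation.
SAMPLE_DIFF = """\
diff --git a/deploy/settings.py b/deploy/settings.py
--- a/deploy/settings.py
+++ b/deploy/settings.py
@@ -1,4 +1,7 @@
 import os
-AWS_ACCESS_KEY_ID = os.environ["AWS_ACCESS_KEY_ID"]
-AWS_SECRET_ACCESS_KEY = os.environ["AWS_SECRET_ACCESS_KEY"]
+# TODO: remove before pushing
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
+BUILD_SHA = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
 REGION = "us-east-1"
"""

def demo():
    """Scan the constructed diff: the key ID sits on diff line 9 and the secret on line 10."""
    return scan_diff(SAMPLE_DIFF)

if __name__ == "__main__":
    # Hypothetical pre-commit hook:  git diff --cached | python scan_aws_keys.py
    hits = scan_diff(sys.stdin.read()) if not sys.stdin.isatty() else demo()
    for h in hits:
        print(f"line {h['line']}: {h['kind']} {h['value'][:4]}...")
    sys.exit(1 if hits else 0)
```

The entropy gate is what keeps the check usable: the SHA-256 on the `BUILD_SHA` line is high-entropy but has no key name beside it, and a placeholder like forty `A`s has the right name and length but no entropy, so neither is reported. A scanner like this on the commit path is cheap; the scraping Rich describes is automated, so the window between push and abuse is measured in minutes, which is too short for a human review to catch the mistake.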

  3. Statute of Limitations: It seems Martin McKeay will still be going to the RSA Conference. I will be there too. Though it seems that an increasing number of echo chamber inhabitants (Security Twitterati) are pulling out of their speeches. As I said rather strongly in our video Firestarter on Monday, good riddance! Whether these folks are making an ethical stand or grandstanding for PR to address self-esteem issues, it’s all the same to me. If these folks think they know the truth, I posit they are wrong. It appears nobody has actually seen the RSA/NSA contract. But those are just pesky details, right? There is a statute of limitations in the US for everything besides murder and crimes against a court, of between 1 and 7 years. This stuff happened maybe 10+ years ago. But those with RSA speaking slots are welcome to exercise their brand of armchair justice and choose not to speak at the conference. Although how many of those folks will show up in SF that week anyway? Business stops for no one, not even the NSA… – MR

  4. The Blind Leading the Uninterested: Darren Platt makes a great observation in his post The Long Tail of SSO. It appears that SaaS providers are slow to enable SAML and other standards-based tools for identity federation. But SaaS providers don’t care about Single Sign-On – what they care about is that their customers can access their services. Their customers drive the market, and all their customers want to make it easy for their users, and it’s users who ask for Single Sign-On. SAML and standards-based identity solutions are not how they think about solving the problem – that is just technical jargon to them. Worse, it’s new technology, which carries its own stigma for IT professionals. No, IT is not looking for something new – they want what they already have to work with SaaS, so they ask their current IAM provider, “Can you get me to the cloud?” And their vendor gets them there, with what they sell today, which means replicating LDAP to the SaaS provider. There are very good reasons we want to take a fresh approach to identity for cloud services, and the standards-based approaches solve a lot of problems. But we have not yet reached a tipping point for demand – customers will have to fail with replication before they consider something new. – AL

  5. McAfee’s Last Stand: At first it was beneficial to keep the McAfee brand when Intel acquired McAfee a few years back. Intel had no security credibility so they relied on McAfee’s longstanding brand to gain a foothold in security. Well the eponymous John McAfee’s continuing branding exercise has become just too painful for Intel. So they are rebranding everything to Intel Security. Of course John McAfee wouldn’t fade quietly into the night, so he bombed Intel with one last slight for good measure. He was quoted on the BBC: “I am now everlastingly grateful to Intel for freeing me from this terrible association with the worst software on the planet. These are not my words, but the words of millions of irate users.” You have to hand it to the guy – he is pretty funny. – MR

  6. A Matter of Perspective: Voltage’s blog carried an interesting discussion of The State of the Art in Key Cracking, looking at the economics of setting up systems to ‘brute-force’ encryption keys. There are a couple missing points I want to raise. First, we don’t always do brute force analysis of keys, which is what is being done here with DES keys. There are techniques to accelerate cracking keys and the software only gets better with time. Second, not all implementations of Triple DES use the more secure scheme with three distinct keys – most only use two, and some terminals use a single key for all three phases, which is no more secure than plain old DES. Finally, criminals are not going to pay for a machine like this. They will use stolen credit cards to spin up cloud instances, or swipe AWS credentials from guys like us – this approach may not be as fast as dedicated hardware, but there are more resources at their fingertips, and someone else pays the bill! I think the point of the post is that despite the hype about the NSA and RSA, keys are pretty secure. Which is true, if you are an ordinary individual, for now. Enterprises probably shouldn’t make the same assumption. Just understand that if an organization with significant resources puts the crosshairs on you, they can and will break your stuff (including your encryption keys). So draw conclusions based on context, as always. – AL

  7. Side-channel Consumerization: I don’t use Snapchat so I wasn’t personally affected when hackers exposed data on 4.6 million accounts using a vulnerability that was reported and ignored. That one doesn’t worry me too much compared to services like Mailbox or Sunrise that link into your mail, calendar, and other services to provide enhanced calendars. You know, the sort of thing that is very appealing to worker types juggling way too much data without proper context – including me. But if you read the privacy and security policies of these services, they come down to “trust us, we use SSL.” And it’s not like these companies have access to a huge amount of your organization’s data. Wait, oops, they do. What is not well understood is that sending data to these services (consumer focused or not) presents a far bigger risk than someone using an iPhone. These companies need to grow up, and I sure hope you have policies to govern and technology to monitor their use. – RM

–Mike Rothman

Wednesday, December 18, 2013

Incite 12/18/2013: Flow

By Mike Rothman

As I sit down to write the last Incite of the year I cannot help but be retrospective. How will I remember 2013? It has been a year of ups and downs. Pretty much like every year. I set out to prove some hypotheses I had at the beginning of the year, and I did. I let some opportunities pass by and I didn’t execute on others. Pretty much like every year. I had low lows and very high highs. Pretty much like every year.

Flow baby flow...

I have gotten introspective over the second half of this year. And that’s been reflected in my weekly missives. It’s been a period of learning and evaluation for me. Of coming to grips with who I really am, what I like to do, and what I want to be in the next stage of my life. Of course there are no real answers to such existential questions, but it’s about learning to live in a way that is modest, sustainable, and kind.

As I look back, the most important thing I have learned this year is to flow. I spent so many years fighting against myself, pushing to be in a place I wasn’t ready for, and to meet unrealistic expectations for achievement. It has been a process but I have let go of those expectations and made a concerted effort to Live Right Now. And that’s a great thing.

The mental lever that flipped was actually a pretty simple analogy. It’s about being in the river. Sometimes the current is slow and you just float along. You are still moving, but at an easy pace. Those are the times to look around, enjoy the scenery, and catch your breath. Because inevitably somewhere further down river you’ll hit rapids. Things accelerate and you have no choice but to keep focused on what’s right in front of you. You have to hold on, avoid the rocks, and navigate safely through.

Then you look up and things calm down. You have an opportunity at that point to maybe wash up on the shore and take a rest. Or go in a different direction. But trying to slow things down in the rapids doesn’t work very well. And trying to speed things up in a slow current doesn’t work any better. Appreciate the pace and flow with it.

Simple, right? It’s like being in quicksand. You can’t fight against it or you’ll sink. It’s totally unnatural, but you have to just relax and trust that your natural buoyancy will keep you afloat in the denser sand. Resist and struggle and you’ll sink. Accept the situation, don’t react abruptly or unthinkingly, and you have a chance. Yup, a lot like life.

So in 2013 I have learned about the importance of flowing with my life. Appreciate the slow times and prepare for the rapids. Like everything else, easy to say but challenging to do consistently. But life seems to give us plenty of opportunities to practice. At least mine does.

Onward to 2014. From the Securosis clan to yours, have a happy holiday, and the Incite will return on January 8.

–Mike

Photo credit: “Flow” originally uploaded by Yogendra Joshi


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

What CISOs Need to Know about Cloud Computing

Defending Against Application Denial of Service

Newly Published Papers


Incite 4 U

  1. The two sides of predictions: It’s entertaining when Martin McKeay gets all fired up about something. Here he rails against the year end prediction machine and advises folks to just say ‘no’ to their marketing teams when asked to provide these predictions. Like that’s an option. Tech pubs need fodder to post (to drive page views) and marketing folks need press hits to keep their VPs and CEOs happy. Accept it. But here’s the deal: security practitioners need to make predictions continuously. They predict whether their controls are sufficient given the attacks they expect. Whether the skills of their people will hold up under fire. Whether that new application will end up providing easy access for adversaries into the inner sanctum of the data center. It’s true that press friendly predictions have little accountability, but the predictions of practitioners have real ramifications, pretty much every day. So I agree with Martin that those year-end predictions are useless. But prediction is a key aspect of every business function, including security… – MR

  2. The Most Wonderful Time of the Year: This time of year it’s really easy for me to skim security news and articles. All I need to do is skip anything with the words ‘Prediction’ or ‘Top Tips’ in the title, and I can cull 95% of the holiday reading poop-hose. But for whatever reason I was slumming on Network World and saw Top Tips for Keeping Your Data Safe on The Cloud, an article directed at the mass market rather than corporate users. Rather than mock, in my merry mood, I’ll go one better: I can summarize this advice into one simple actionable item. If you have sensitive data that you don’t want viewed when your cloud provider is hacked, encrypt it before you send it there. Simple. Effective. And now it’s time for me to make sure I have followed my own advice: Happy Holidays! – AL

  3. Sync and you could be sunk: Cool research on the Tripwire blog by Craig Young on how syncing your browser information via Chrome Sync could provide a means for attackers to access your Google account, regardless of whether you have 2-step verification enabled. That’s awesome. I don’t use Chromium sync because Rich has made me paranoid about the evil not-evil folks. I don’t store passwords or credit cards within my browser either. That’s what I use my Password Vault for. So I don’t face much of a risk from this attack, but it brings up an important point. You may decide to use Chrome Sync anyway because it makes your life easier and you are willing to increase your potential attack surface. That’s OK – it’s a decision like anything else. My concern is more for the folks who don’t have access to this kind of research and don’t appreciate the trade-offs of this kind of convenience. – MR

  4. What’s the point? Back in 2007 there was a lot of talk about point-to-point encryption (P2PE) as the solution to on-line credit card theft. In 2010 the PCI Council released supplemental guidance for P2PE on Point of Sale (PoS) devices, and pushed the industry to get its act together and agree on a standard that wasn’t totally ambiguous and filled with loopholes. Troy Leach, CTO of the PCI Council, even said “Buyer Beware” because the available solutions were not point-to-point, but more like point-to-point-to-point and so on. There were simply too many places where the data was unencrypted and exposed. Rather than encrypting at the card reader when the card is swiped, if data was encrypted at all, it was done on the PoS device, often nothing more than a Windows PC with plenty of vulnerabilities of its own. Fast forward six years and we still lack P2PE in most places, which is a direct reason hundreds of thousands of credit card numbers continue to be stolen from Point of Sale terminals. This is one of those cases where PCI’s goals and guidance have been spot on, but merchants have generally been unwilling to adopt some very basic technologies to secure the PAN and track data within their ecosystems. Nowadays merchants can do all their order tracking, customer tracking, relationship management, and repeat payments without PAN data, and most card-swipe vendors offer P2PE, so there is really no excuse to avoid basic security. Besides apathy and laziness, that is… – AL

  5. 2014 buzzword alert: “security analytics”: As we wrap up the 2013 Incites, I offer a view of what we will see a lot of in 2014: noise around “security analytics”. As you can see from this article in Dark Reading, there is no definition of security analytics, and there seem to be many ways to do it. Is it SIEM-next? Is it about business context – whatever that means? I think it is much simpler than everyone is making it. It’s about having a platform to identify patterns that you don’t know about. SIEM is great at looking for the stuff you tell it to look for, but not for finding stuff you aren’t actively looking for. But the very difficult attacks don’t fit a common profile, so detecting them requires a different means of analyzing the data you aggregate. Of course there is a lot of nuance to those views, and I look forward to working with Adrian to flesh this out next year… – MR

–Mike Rothman