Wednesday, March 25, 2015

Incite 3/25/2015: Playing it safe

By Mike Rothman

A few weeks back at BSidesATL, I sent out a Tweet that kind of summed up my view of things. It was prompted by an email from a fitness company with the subject line “Embrace Discomfort.” Of course they were talking about the pain of whatever fitness regimen you follow. Not me. To me, comfort is uncomfortable.

Comfort is uncomfortable

I guess I have always been this way. Taking risks isn’t risky from where I sit. In fact playing it safe feels dangerous. Of course I don’t take stupid risks and put myself in harm’s way. At least I don’t any more – now I have a family who depends on me. But people ask me how I have the courage to start new businesses and try things. I don’t know – I just do. I couldn’t really play it safe if I tried.

Not that playing it safe is bad. To the contrary, it’s a yin-yang thing. Society needs risk-takers and non-risk-takers. However you see yourself, make sure you understand and accept it, or it will not end well.

For instance some folks dream of being a swashbuckling entrepreneur, jumping into the great unknown with an idea and a credit card to float some expenses. If you are risk-averse that path will be brutal and disappointing. Even if the venture is successful it won’t feel that way because the roller coaster of building a business will be agonizing for someone who craves stability.

Risk Takers

Similarly if you put an entrepreneur into a big stable company, they will get into trouble. A lot of trouble. Been there, done that. That’s why it is rare to see true entrepreneurs stay with the huge companies that acquire them, after the retention bonuses are paid and the stock is vested. It’s just soul-crushing for swashbucklers to work in a place with subsidized cafeterias and large HR departments.

I joked that it was time to leave META Group back in the mid-90s, when we got big enough that there were people specifically tasked with making my job harder. They called it process and financial controls. I called it bureaucracy and stupid paperwork. It didn’t work for me so I started my own company. With neither a subsidized cafeteria nor an HR department. Just the way I like it.

–Mike

Photo credit: “2012_05_050006 Road to Risk Takers Select Committees” originally uploaded by Gwydion M. Williams


Have you registered for Disaster Recovery Breakfast VII yet? What are you waiting for. Check out the invite and then RSVP to rsvp (at) securosis.com, so we know how much food to get…


The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.


Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Endpoint Defense Essential Practices

Applied Threat Intelligence

Network Security Gateway Evolution

Newly Published Papers


Incite 4 U

  1. We’re hacking your stuff too, eh! All my Canadian friends are exceedingly nice. I’m sure many of you know our contributors from up North, Dave Lewis and James Arlen, and there aren’t any nicer people. They are cranky security people like the rest of us, but they somehow never seem cranky. It’s a Canadian thing. So when you hear about the Canadians doing what pretty much every other government is doing and hacking the crap out of all sorts of things, you say, “Eh? The Canadians? Really?” Even better, the Canadians are collaborating with the NSA to use social engineering and targeted attacks to “garner foreign intelligence or inflict network damage.” The spinmeisters were spinning hard about the documents being old, blah blah blah. Maybe they need a little Rob Ford action in the cyber department to give us the real low-down. But you know what? I’m sure they were very polite guests and left everything exactly as they found it. – MR

  2. He had me at Manifesto: I love a good manifesto. Nothing gets the blood moving like a call to arms, to rally the troops to do something. My friend Marc Solomon of Cisco advocates for CISOs to write their own manifestoes to get the entire organization thinking about security. I’m not sure how you make security “a growth engine for the business”, but a lot of his other aspirations are good. Things like security must be usable, transparent, and informative. Yup. And security must be viewed as a “people problem,” which really means that if you didn’t have all these pesky employees you would have far fewer security problems. Really it’s a sales document. You (as CISO) are selling the security mindset to your organization, and that is a manifesto worth writing. – MR

  3. E-DDoS coming to a cloud near you: One of the newer attack vectors I highlighted in our denial of service research a couple years ago was an economic denial of service. An adversary can hammer a cloud-based system, driving costs up to the victim’s credit limit. No more credit, no more cloud services. I guess that’s the cloud analogue to “No shoes, no shirt, no dice.” [Dude…] It seems someone in China doesn’t like that some website allows connectivity to censored websites, so they are blasting them with traffic, costing $30,000/day in cloud server costs. These folks evidently have a lot of credit with Amazon and haven’t been forced to shut down. Yet. Aside from the political reality an attack like this represents, it is a clear example of another more diabolical type of attack. A DDoS that knocks your stuff down may impact sales, but not costs. This kind of attack hits you below the belt: right in the wallet. – MR

—Mike Rothman

Wednesday, March 18, 2015

Incite 3/18/2015: Pause

By Mike Rothman

It’s been over a month since I wrote an Incite. It’s the longest period of downtime since I joined Securosis. I could talk about my workload, which is bonkers right now. But over the years I’ve written the Incite regardless of workload. I could talk about excessive travel, but I haven’t been traveling nearly as much as last year. I could come up with lots of excuses, but as I tell my kids all the time, “I’m not in the excuses business.”

Here’s the reality: I needed a break. I have plenty to write about, but I found reasons not to write. There is a ton of stuff going on in security, so there were many interesting snippets I let fly right on by. But I didn’t write it, and I didn’t really question it. What I needed was what my Tao teacher calls a pause.

Hit the pause button

You could need a pause for lots of reasons. Sometimes you have been running too hard for too long. Sometimes you need to change things up a bit because the status quo makes you unhappy. Sometimes you need some space to recalibrate and figure out what you want to do and where you want to go. Of course, this could be for very little things, like writing the Incite every week. Or very big things. But without taking a pause, you don’t have the space to make objective decisions.

You are reading this, so obviously I am writing the Incite. So during my pause, it became clear that the Incite is an important part of what I do. But it’s bigger than that. It’s an important part of who I am. I have shared the good and the not so good through the years. I have met people who tell me they have experienced what I write about, and it’s helpful for them to commiserate – even if it’s virtual. Some tell me they learn through my Incites, and there is nothing more flattering. But it’s not why I write the Incite.

I write the Incite for me. I always have. It’s a journal of sorts representing my life, my views, and my situation at any given time. Every so often I go back a couple years and read my old stuff. It reminds me of what things were like back then. It’s useful because I don’t spend much time looking backwards. It’s interesting to see how different I am now. Some people journal in private. I do that too. But I have found my public journal is important to me.

The pause is over. I’m pushing Play. In the coming months there will be really cool stuff to share and some stuff that will be hard to communicate. But that’s life. You take the good and the bad without judgement. You move forward. At least I do. So stay tuned. The next few months are going to be very interesting, for so many reasons.

–Mike

Photo credit: “Pause? 272/265” originally uploaded by Dennis Skley




Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Cracking the Confusion

Applied Threat Intelligence

Network Security Gateway Evolution

Newly Published Papers


Incite 4 U

(Note: Don’t blame Rich or Adrian for the older Incite… They got me stuff on time – it just took me a month to post it. You know, that pause I talked about above.)

  1. There are no perfect candidates… There is no such thing as perfect security, so why would there be perfect security candidates? Our friend Andy Ellis, CISO of Akamai, offers a refreshing perspective on recruiting security professionals. Andy focuses on passion over immediate competence. If a person loves what they do they can learn the rest. I think that’s great, especially given the competition for those with the right certifications and keywords on their CVs. Andy also chooses to pay staffers fairly instead of pushing them to find other jobs as their skills increase. Again, very smart given the competition for security staff. The #1 issue we hear from CISO types, over and over, is the lack of staff / recruiting challenge. So you need to find folks in places others aren’t looking, and invest in them – knowing a few will leave for greener pastures at some point. That’s all part of the game. – MR

  2. No love: Another encryption vendor got rolled up recently, with Voltage Security acquired by HP. But before you lose your train of thought, with jokes about how HP is where tech companies go to die – yeah, we heard a lot of that in the last 24 hours – note this is occurring with encryption firms of all sizes. In case you missed it, Porticor was acquired by Intuit the week before the HP/Voltage deal. And before that, SafeNet to Gemalto, Entrust to Datacard, and Gazzang went to Cloudera. You would think selling data encryption in the age of data breaches would be like giving ice cream to kids on a hot day, but the truth is selling is hard because implementing it is hard. Customers view encryption as a commodity, with one AES variant the same as every other, and complain bitterly about cost and key management headaches. Encryption platforms have matured steadily over the last 10 years, and continually evolved to include format preserving encryption, tokenization, transparent encryption, dynamic masking, key storage, and management, all while integrating with storage systems, apps, applications, cloud services and ‘big data’. The trend is clearly to bake data encryption in, but innovation and growing demand for data security mean this market is far from settled. – AL

  3. Bring Your Own Key: I’m a big fan of the cloud, and of encryption, which is why I’m excited to see Box announce their new Enterprise Key Management product. First a little full disclosure: I have known about this for a while and I have done some work with Box (which was not a secret). That said, it isn’t like I get paid more if anyone buys the service from them. I’ve been on record for a few years as not a fan of proxy-based encryption for cloud computing. Shoving an appliance (or service) between your users and the cloud platform so you can encrypt a few fields seems like a kludge prone to breaking application functionality. But almost no providers allow customers to manage their own encryption in a way that can protect against misuse by the provider (or snoops, criminal or government). Box’s EKM enables customers to control their own encryption keys, but all the actual work happens within Box. This reduces the likelihood the application will break. It isn’t necessarily completely subpoena proof, but there is no way for anyone besides you to see your data unless you release the key. Amazon is one of the only other cloud providers supporting customer managed keys, and I really hope this trend grows. But as Mike says, “Hope is not a strategy”, so vote with your dollars if you want more customer-controlled cloud key management. – RM

  4. Vulnerability management, still kicking…: I have voiced my disappointment with the fact that modern product reviews are consistently cursory, and rarely useful for procurement decisions. That doesn’t stop folks like SC Mag from continuing to review products, like their recent Vulnerability Management review. Yes, vulnerability management is still a thing – even if Gartner doesn’t think so anymore. That being said, the major players in the market are changing direction, and they all seem to be going in different directions. One is climbing the stack, another focused on identity, a third morphing into a services driven shop, and yet another preoccupied with executive level dashboards. And yes, they all still scan your stuff and generate long reports of stuff you’ll never get to. Same old, same old. Although as you are looking to renew your product and/or service, it makes sense to actually learn about the longer term strategy of your chosen vendor to ensure it still aligns with what you need. If not, make a change since it’s not like all of the vendors can’t scan your stuff. – MR

  5. Smart cards, disrupted: It’s happening again; the threat of EMV cards. The Smart Card Alliance position is the liability shift for not using EMV will push adoption within mass merchants, while Visa representatives claim 525 million cards will be in the ‘ecosystem’ by the end of 2015. Bull$#!*. For the sake of round numbers say there are about 300 million US citizens – minus those under 18 – which would require each US adult to get two Chip and PIN cards over the next 10 months. Even if the US government issues an ID for every citizen, that milestone is not going to happen. Nor will merchants move fast enough with new terminals to support the cards. I understand the smart card industry’s angst – EMV needs to move or be gotten over in the US. Apple Pay basically virtualized Chip and PIN for payments, simultaneously showing consumers a model for health and ID cards pushed into mobile devices with less cost and pain. It’s not a new idea by any stretch, but Apple upended a bunch of firms who were positioning for the future. As Apple does from time to time. – AL

  6. Eye of Sauron: Big breaches happen, and no matter what anyone tells you they aren’t going away… ever. The goal of your security program is to minimize the potential damage because it can’t be eliminated. Even with all the high-profile breaches, there’s a lack of motivation for companies, even in regulated industries, to protect their data. Everyone ignored the HIPAA security requirements for years and years, until HITECH put baby teeth in place. But heck, with entirely too many friends still in healthcare, even that threat isn’t enough to be a true catalyst for action. So I’m always interested in events that change the economics of security. Like one of the biggest insurance markets taking a close look at insurer cybersecurity. Nothing may happen here – it isn’t like Eliot Spitzer is back in charge, kicking ass and (er… spanking… no… not going to say it) taking names (no mention of black books either…), but it only takes a couple state regulators in the right markets to move the needle and drive change. – RM

—Mike Rothman

Wednesday, February 04, 2015

Incite 2/4/2015: 30x32

By Mike Rothman

It was a pretty typical day. I was settled into my seat at Starbucks writing something or other. Then I saw the AmEx notification pop up on my phone. $240.45, Ben Sherman, on the card I use for Securosis expenses. Huh? Who’s Ben Sherman? Pretty sure my bookie’s name isn’t Ben. So using my trusty Google fu I saw they are a highbrow men’s clothier (nice stuff, BTW). But I didn’t buy anything from that store.

My well-worn, “Crap. My card number got pwned again.” process kicked in. Though I was far ahead of the game this time. I found the support number for Ben Sherman and left a message with the magic words, “blah blah blah fraudulent transaction blah blah,” and amazingly, I got a call back within 10 minutes. They kindly canceled the order (which saved them money) and gave me some details on the transaction.

AmEx on my phone

The merchandise was evidently ordered by a “Scott Rothman,” and it was to be shipped to my address. That’s why the transaction didn’t trigger any fraud alerts – the name was close enough and the billing and shipping addresses were legit. So was I getting punked? Then I asked what was ordered.

She said a pair of jeans and a shirt. For $250? Damn, highbrow indeed. When I inquired about the size, that was the kicker. 30 waist and 32 length on the jeans. 30x32. Now I’ve dropped some weight, but I think the last time I was in size 30 pants was third grade or so. And the shirt was a Small. I think I outgrew small shirts in second grade. Clearly the clothes weren’t for me. The IP address of the order was Cumming, GA – about 10 miles north of where I live, and they provided a bogus email address.

I am still a bit perplexed by the transaction – it’s not like the perpetrator would benefit from the fraud. Unless they were going to swing by my house to pick up the package when it was delivered by UPS. But they’ll never get the chance, thanks to AmEx, whose notification allowed me to cancel the order before it shipped. So I called up AmEx and asked for a replacement card. No problem – my new card will be in my hands by the time you read this.

The kicker was an email I got yesterday morning from AmEx. Turns out they already updated my card number in Apple Pay, even though I didn’t have the new card yet. So I could use my new card on my fancy phone and get a notification when I used it.

And maybe I will even buy some pants from Ben Sherman to celebrate my new card. On second thought, probably not – I’m not really a highbrow type…

–Mike




Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Applied Threat Intelligence

Network Security Gateway Evolution

Security and Privacy on the Encrypted Network

Newly Published Papers


Incite 4 U

  1. It’s about applying the threat intel: This post on the ThreatConnect blog highlights an important aspect that may get lost in the rush to bring shiny threat intelligence data to market. As lots of folks, notably Rick Holland and yours truly, have been saying for a while: it’s not about having the data. It’s about using it. The post points out that data is data. Without understanding how it can be applied to your security program, it’s just bits. That’s why my current series focuses on using threat intel within security monitoring, incident response, and preventative controls. Rick’s written a bunch of stuff making similar points, including this classic about how vendors always try to one-up each other. I’m not saying you need (yet another) ‘platform’ to aggregate threat intel, but you definitely need a strategy to make the best use of data within your key use cases. – MR

  2. Good enough: I enjoyed Gilad Parann-Nissany’s post on 10 Things You Need To Know about HIPAA Compliance in the Cloud as generic guidance for PHI security in the cloud. But his 10th point really hits the mark: HIPAA is not feared at all. The vast majority of HIPAA fines have been for physical disclosure of PHI, not electronic. While a handful of firms go out of their way to ensure their cloud infrastructure is secure (which we applaud), they aren’t doing security because of HIPAA. Few cloud providers go beyond encrypting data stores (whatever that means) and securing public network connections, because that’s good enough to avoid major fines. Sometimes “good enough” is just that. – AL

  3. 20 Questions: Over the years I have been in management or, at Gartner, part of a hiring committee at various times. I have not, however, had to really interview for most of my jobs (at least not normal interviews). The most interesting situation was the hiring process at the FBI. That interview was so structured that the agents had to go through special training just to give it. They tested me not only on answering the questions, but answering them in the proper way, as instructed at the beginning, in the proper time window. (I passed, but was cut later either due to budget reductions at the time, or some weirdness in my background. Even though I eliminated all witnesses, I swear!). But I have always struggled a bit at getting technical hires right, especially in security. The best security pros I know have broad knowledge and an ability to assimilate and correlate multiple kinds of information. I really like Richard Bejtlich’s hiring suggestion. Show them a con video, and have them explain the ins and outs and interpret it. That sure beats the programming tests I used when running dev shops because it gives you great insight into their thought process and what they think is important. – RM

  4. Mixed results: IBM is touting a technology called Identity Mixer as a way for users to both conceal sensitive attributes of their identity, and as a secure content delivery mechanism. But this approach is really Digital Rights Management – which essentially means encryption. This approach has been tried many times for both content delivery and user data protection. The issue is that when allowing a third party to decrypt or access any protected data, the data must be decrypted and removed from its protection. If you use this technology to deliver videos or music it is only as secure as the users who access the data. This approach works well enough for DirecTV because they control the hardware and software ecosystem, but falls apart in conventional cases where the user controls the endpoint. Similarly, sharing encrypted data and keys with a third party defeats the point. – AL

  5. Follow the money: I thought about calling this one “Protection racket”, but even the CryptoLocker guys actually unlock your stuff when you pay them, as promised. It turns out the AdBlock Plus folks take money from Microsoft, Google, and Amazon to allow their ads through. The company’s business model is built on whitelisting ‘good’ ads that comply with their policies (which often includes payment to the AdBlock Plus developers). And they do acknowledge this on their site. That change was made around the end of January 2014 (thank you, Internet Archive). I get it, everyone needs to make money, and not all ads are bad. Many good sites rely on them, although that’s a rough business. I would actually stop blocking most ads if they would stop tracking me even when I don’t click on them. But a business model like this is dangerous. A company becomes beholden to financial interests which don’t necessarily align with its users’. That’s one reason I have been so excited by Apple seeing privacy of customer data as a competitive advantage – as much as companies commit to grand ideals (such as “Don’t be evil.”), it sure is easier to stick to them when they help you make piles of money. – RM

  6. Hack your apps (before the other guys do): This has been out there for a while, but it’s disturbing nonetheless. Marriott collected lots of private information about customers, which isn’t a problem. Unless that information is accessible via a porous mobile app – as it was. I know many organizations take their mobile apps seriously, treating them just like other Internet-facing assets in terms of security. It may be a generalization but that last statement cuts both ways. Organizations that take security seriously do so on any customer-facing technology – with security assessments and penetration tests. And those that don’t… probably don’t. Just understand that mobile apps are a different attack vector, and we will see different ways to steal information. So hack your own apps – otherwise an adversary will. – MR

—Mike Rothman

Wednesday, January 28, 2015

Incite 1/28/2015: Shedding Your Skin

By Mike Rothman

You are constantly changing. We all are. You live, you learn, you adapt, you change. It seems that if you pay attention, every 7-9 years or so you realize you hardly recognize the person looking back at you from the mirror. Sometimes the changes are very positive. Other times a cycle is not as favorable. That’s part of the experience. Yet many people don’t think anything changes. They expect the same person year after year.

I am a case in point. I have owned my anger issues from growing up and my early adulthood. They resulted in a number of failed jobs and relationships. It wasn’t until I had to face the reality that my kids would grow up in fear of me that I decided to change. It wasn’t easy, but I have been working at it diligently for the past 8 years, and at this point I really don’t get angry very often.

Done with this skin says the snake

But lots of folks still see my grumpy persona, even though I’m not grumpy. For example I was briefing a new company a few weeks ago. We went through their pitch, and I provided some feedback. Some of it was hard for them to hear because their story needed a lot of work. At some point during the discussion, the CEO said, “You’re not so mean.” Uh, what? It turns out the PR handlers had prepared them for some kind of troll under the bridge waiting to chew their heads off.

At one point I probably was that troll. I would say inflammatory things and be disagreeable because I didn’t understand my own anger. Belittling others made me feel better. I was not about helping the other person, I was about my own issues. I convinced myself that being a douche was a better way to get my message across. That approach was definitely more memorable, but not in a positive way. So as I changed my approach to business changed as well. Most folks appreciate the kinder Incite I provide. Others miss crankypants, but that’s probably because they are pretty cranky themselves and they wanted someone to commiserate over their miserable existence.

What’s funny is that when I meet new people, they have no idea about my old curmudgeon persona. So they are very surprised when someone tells a story about me being a prick back in the day. That kind of story is inconsistent with what they see. Some folks would get offended by hearing those stories, but I like them. It just underscores how years of work have yielded results.

Some folks have a hard time letting go of who they thought you were, even as you change. You shed your skin and took a different shape, but all they can see is the old persona. But when you don’t want to wear that persona anymore, those folks tend to move out of your life. They need to go because they don’t support your growth. They hold on to the old.

But don’t fret. New people come in. Ones who aren’t bound by who you used to be – who can appreciate who you are now. And those are the kinds of folks you should be spending time with.

–Mike

Photo credit: “Snake Skin” originally uploaded by James Lee




Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Applied Threat Intelligence

Network Security Gateway Evolution

Security and Privacy on the Encrypted Network

Newly Published Papers


Incite 4 U

  1. Click. Click. Boom! I did an interview last week where I said the greatest security risk of the Internet of Things is letting it distract you from all of the other more immediate security risks you face. But the only reason that is even remotely accurate is because I don’t include industrial control systems, multifunction printers, or other more traditional ‘things’ in the IoT. But if you do count everything connected to the Internet, some real problems pop up. Take the fuel gauge vulnerability just released by HD Moore/Rapid7. Scan the Internet, find hundreds of vulnerable gas stations, all of which could cause real-world kinetic-style problems. The answer always comes back to security basics: know the risk, compartmentalize, update devices, etc. Some manufacturers are responsible, others not so much, and as a security pro it is worth factoring this reality into your risk profile. You know, like, “lightbulb risk: low… tank with tons of explosive liquid: high”. – RM

  2. How fast is a fast enough response? Richard Bejtlich asks an age-old question. How quickly should incidents be responded to? When he ran a response team the mandate was detection and mitigation in less than an hour. And this was a huge company, staffed to meet that service level. They had processes and tools to provide that kind of response. The fact is you want to be able to respond as quickly as you are staffed. If you have 2 people and a lot of attack surface, it may not be realistic to respond in an hour. If senior management is okay with that, who are you to argue? But that’s not my pet peeve. It’s the folks who think they need to buy real-time alerts when they aren’t staffed to investigate and remediate. If you have a queue of stuff to validate from your security monitors, then getting more alerts faster doesn’t solve any problems. It only exacerbates them. So make sure your tools are aligned with your processes, which are aligned with your staffing level and expertise. Or see your alerts fall on the floor, whether you are a target or not. – MR

  3. Positive reviews: What do you do if you think the software you’re using might have been compromised by hostile third parties? You could review the source code to see if it’s clean. It’s openness that encouraged enterprises to trust non-commercial products, right? But what if it’s a huge commercial distribution, and not open source? If you are talking about Microsoft’s or Apple’s OS code, not only is it extremely tough (like, impossible) to get access, but any effort to review the code would be monstrous and not feasible. In what I believe is unprecedented access, China has gotten the okay to search Apple’s software for back doors to give them confidence that no foreign power has manipulated the code. But this won’t be limited to code – it includes an investigation of build and delivery processes as well, to ensure that substitutions don’t occur along the way. A likely – and very good – outcome for Apple (given the amount of business they do in China), and the resulting decreased pressure from various governments to insert backdoors into the software. – AL

  4. Sec your aaS: One weird part of our business that has cropped up in the past year is working more with SaaS companies who actually care about security. Some big names, many smaller ones, all realizing they are a giant target for every attacker. But I’d have to say these SaaS providers are the minority. Most just don’t have money in the early stages (when it’s most important to build in security) to drop the cash for someone like me to walk in the door. So I enjoyed seeing Bessemer Venture Partners publish a startup security guide. More VCs and funds should provide this kind of support, because their investment goes poof if their companies suffer a major data loss. Or, you know, hire us to do it. – RM

  5. You fix it: It’s shocking that Chip and PIN cards, a technology proven to drastically reduce fraud rates in dozens of other countries, have not been widely adopted in the US. But it’s really sad when the US government beats the banks to market: The US is rolling out Chip and PIN cards for all federal employees this year to promote EMV compliant cards and usage in the US. Chips alleviate card cloning attacks and PINs thwart use of stolen cards. In the EU adoption of Chip and PIN has virtually eliminated card-present fraud. But the people who would benefit the most – banks – don’t bear the costs of deploying and servicing Chip and PIN; issuers and merchants do. So each party acts in its own best interest. Leading by example is great, but if the US government wanted to really promote Chip and PIN, they would help broker (or mandate) a deal among these stakeholders to fix the systemic problem. – AL

  6. Same problem. Different technology… During his day job as a Gartner analyst, Anton gets the same questions over and over again. Both Rich and I know that situation very well. He posted about folks now asking for security analytics, but really wonders whether they just want a SIEM that works. That is actually the wrong question. What customers want are security alerts that help them do their jobs. If their SIEM provided it they wouldn’t be looking at shiny new technologies like big data security analytics and other buzzword-friendly new products. Customers don’t care what you call it, they care about outcomes – which is that they have no idea which alerts matter. But that’s Vendor 101: if the existing technology doesn’t solve the problem, rename the category and sell hope to customers all over again. And the beat goes on. Now back on my anti-cynicism meds. – MR
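The staffing point in item 2, as an added worked example that is not part of the original post: a small discrete-event model of alert triage. The arrival stream, the 20-minute triage time and the two-person team are constructed assumptions, not measurements. It shows what "more alerts faster" does to a one-hour response target once arrivals exceed what the team can work.

```python
"""Added example, not from the original post: a small discrete-event model of
alert triage to make item 2 concrete. The arrival stream, triage time and
staffing levels below are constructed assumptions, not measurements."""
import heapq
from typing import List, Tuple


def uniform_arrivals(per_hour: float, shift_hours: float = 8.0) -> List[float]:
    """Constructed arrival stream: alerts evenly spaced at `per_hour`,
    expressed as minutes since the start of the shift."""
    count = int(per_hour * shift_hours)
    return [i * 60.0 / per_hour for i in range(count)]


def sustainable_rate(analysts: int, triage_min: float) -> float:
    """Alerts per hour the team can actually work: staff divided by
    time per alert. Anything arriving faster than this queues up."""
    return analysts * 60.0 / triage_min


def simulate_triage(arrivals_min: List[float], analysts: int,
                    triage_min: float, sla_min: float = 60.0,
                    shift_min: float = 480.0) -> Tuple[float, int]:
    """FIFO triage by `analysts` people, each working one alert at a time
    for `triage_min` minutes. Returns (fraction of alerts an analyst picked
    up within `sla_min` of arrival, alerts still untouched at shift end)."""
    if not arrivals_min:
        return 1.0, 0
    free_at = [0.0] * analysts  # min-heap: when each analyst is next free
    heapq.heapify(free_at)
    met = 0
    untouched = 0
    for arrived in arrivals_min:
        # Oldest alert goes to whichever analyst frees up first.
        start = max(arrived, heapq.heappop(free_at))
        heapq.heappush(free_at, start + triage_min)
        if start - arrived <= sla_min:
            met += 1
        if start > shift_min:
            untouched += 1
    return met / len(arrivals_min), untouched


if __name__ == "__main__":
    team, minutes_per_alert = 2, 20.0  # assumed two-person team
    print("sustainable rate:", sustainable_rate(team, minutes_per_alert), "alerts/hour")
    for rate in (5.0, 12.0):
        hit, left = simulate_triage(uniform_arrivals(rate), team, minutes_per_alert)
        print(f"{rate:>4} alerts/hour -> {hit:.0%} within 60 min, {left} untouched at shift end")
```

With two analysts at 20 minutes per alert the team sustains 6 alerts an hour. At 5 an hour every alert is picked up inside the hour; at 12 an hour only the first 14 of 96 are, and 47 are still untouched when the shift ends. Feeding that second stream in faster changes nothing, because the bottleneck is the triage time, not the alert latency.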
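Item 3 points out that a review of the code alone does not catch substitutions in build and delivery. The delivery-side check, as an added example that is not part of the original post and is not any vendor's tooling: compare what arrived against a manifest recorded at build time, after first checking the manifest against a digest obtained out-of-band. The artifacts, the manifest and the tampered delivery are all constructed here.

```python
"""Added example, not from the original post and not any vendor's tooling:
checking that what was delivered matches what was built, the delivery-side
counterpart of the code review discussed in item 3. The artifacts and the
manifest are constructed here; in practice the manifest digest would be
published or signed out-of-band so the check does not trust the channel."""
import hashlib
import hmac
import json
from typing import Dict, List


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(artifacts: Dict[str, bytes]) -> Dict[str, str]:
    """Recorded at build time: artifact name -> SHA-256 of its bytes."""
    return {name: sha256_hex(blob) for name, blob in sorted(artifacts.items())}


def manifest_digest(manifest: Dict[str, str]) -> str:
    """Single value to pin or sign out-of-band; canonical JSON so the
    digest does not depend on dict ordering or whitespace."""
    canonical = json.dumps(manifest, sort_keys=True, separators=(",", ":"))
    return sha256_hex(canonical.encode("utf-8"))


def verify_delivery(manifest: Dict[str, str], pinned_digest: str,
                    delivered: Dict[str, bytes]) -> List[str]:
    """Return a sorted list of findings; empty means the delivery matches.
    Checks the manifest itself first, then every artifact against it."""
    findings: List[str] = []
    if not hmac.compare_digest(manifest_digest(manifest), pinned_digest):
        # A manifest that does not match the pinned digest proves nothing,
        # so stop here rather than "verify" against attacker-supplied values.
        return ["manifest: digest mismatch, refusing to verify artifacts"]
    for name, expected in manifest.items():
        blob = delivered.get(name)
        if blob is None:
            findings.append(f"missing: {name}")
        elif not hmac.compare_digest(sha256_hex(blob), expected):
            findings.append(f"modified: {name}")
    for name in delivered:
        if name not in manifest:
            findings.append(f"unexpected: {name}")
    return sorted(findings)


# Constructed sample: what the build produced ...
BUILT = {
    "installer.bin": b"\x7fELF-not-really, just sample bytes v1.0",
    "libcrypto.so": b"sample shared object bytes",
    "README.txt": b"release notes",
}
MANIFEST = build_manifest(BUILT)
PINNED = manifest_digest(MANIFEST)  # would be obtained out-of-band

# ... and what arrived, with one artifact altered, one dropped, one added.
TAMPERED = {
    "installer.bin": BUILT["installer.bin"] + b"\x90",
    "README.txt": BUILT["README.txt"],
    "helper.exe": b"not part of the build",
}

if __name__ == "__main__":
    print("clean   :", verify_delivery(MANIFEST, PINNED, dict(BUILT)) or "ok")
    print("tampered:", verify_delivery(MANIFEST, PINNED, TAMPERED))
```

The order matters: if the manifest travels over the same channel as the artifacts, whoever substituted a binary can substitute the manifest too, so the manifest is checked against the pinned digest before any artifact is trusted. A real release process would sign the manifest rather than just pin its hash; the structure of the check is the same.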

—Mike Rothman

Wednesday, January 21, 2015

Incite 1/21/2015: Making the Habit

By Mike Rothman

Over halfway through January (already!), how are those New Year’s resolutions going? Did you want to lose some weight? Maybe exercise a bit more? Maybe drink less, or is that just me? Or have some more fun? Whatever you wanted to do, how is that going?

If you are like most, the resolutions won’t make it out of January. It’s not for lack of desire, as folks that make resolutions really want to achieve the outcomes. In many cases the effort is there initially. You get up and run or hit the gym. You decline dessert. You sit with the calendar and plan some cool activities.

Good habits are hard to break too...

Then life. That’s right, things are busy and getting busier. You have more to do and less to do it with. The family demands time (as they should) and the deadlines keep piling up. Travel kicks back in and the cycle starts over again. So you sleep through the alarm a few days. Then every day. The chocolate lava cake looks so good, so you have one. You’ll get back on the wagon tomorrow, right?

And then it’s December and you start the cycle over. That doesn’t work very well. So how can you change it? What is the secret to making a habit? There is no secret. Not for me, anyway. It’s about routine. Pure and simple. I need to get into a routine and then the habits just happen.

For instance I started running last summer. So 3 days a week I got up early and ran. No pomp. No circumstance. Just get up and run. Now I get up and freeze my ass off some mornings, but I still run. It’s a habit. Same process was used when I started my meditation practice a few years back. I chose not to make the time during the day because I got mired in work stuff. So I got up early. Like really early. I’m up at 5am to get my meditation done, then I get the kids ready for school, then I run or do yoga. I have gotten a lot done by 8am.

That’s what I do. It has become a routine. And a routine enables you to form a habit. Am I perfect? Of course not, and I don’t fret when I decide to sleep in. Or when I don’t meditate. Or if I’m a bit sore and skip my run. I don’t judge myself. I let it go.

What I don’t do is skip two days. Just as it was very hard to form my habits of both physical and mental practice, it is all too easy to form new less productive habits. Like not running or not meditating. That’s why I don’t miss two days in a row. If I don’t break the routine I don’t break the habit.

And these are habits I don’t want to break.

–Mike

Photo credit: “Good, Bad Habits” originally uploaded by Celestine Chua


The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.


Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Network Security Gateway Evolution

Monitoring the Hybrid Cloud: Evolving to the CloudSOC

Security and Privacy on the Encrypted Network

Newly Published Papers


Incite 4 U

  1. Doing attribution right… Marcus kills it in this post on why attribution is hard. You need to have enough evidence, come up with a feasible motive, corroborate the data with other external data, and build a timeline to understand the attack. But the post gets interesting when Marcus discusses how identifying an attacker based upon TTPs might not work very well. Attackers can fairly easily copy another group’s TTPs to blame them. I think attribution (at least an attempt) can be productive, especially as part of adversary analysis. But understand it is likely unreliable; if you make life and death decisions on this data, I don’t expect it to end well. – MR

  2. The crypto wars rise again: Many of you have seen this coming, but in case you haven’t we are hitting the first bump on a rocky road that could dead end in a massive canyon of pain. Encryption has become a cornerstone of information security, used for everything from secure payments to secure communications. The problem is that the same tools used to keep bad guys out also keep the government out. Well, that’s only a problem because politicians seem to gain most of their technical knowledge from watching CSI: Cyber. In the past couple weeks both Prime Minister Cameron in the UK and President Obama have made public statements that law enforcement should have access to encrypted content. The problem is that there is no technically feasible way to provide ‘authorized’ access without leaving encryption technology open to compromise. And since citizens in less… open… countries use the same tech this could surrender any pretense of free speech in those areas as well. The next few years will be messy, and could very well have consequences even for average security Joes. There isn’t much we can do, but we sure need to pay attention, especially those of you on the vendor side. I know, not the funnest Incite of the week, but… sigh. – RM

  3. Nobody cares: If my credit card number is stolen I don’t bear the costs of the fraud and I am usually issued a new card within days to replace the old one. Lord knows I need to keep making card purchases, and nothing will stand in the way of commerce! So other than having to update the dozen web sites that require autopay why would I care about my card being stolen? The only answer I can discern is neurosis. Though apparently I am not alone – Brian Krebs’ How Was Your Credit Card Stolen? discusses the most common ways these numbers are harvested. My Boy Scout sense of fair play has prompted me in the past to put in the work to understand the fraud chain – twice – only to face subsequent frustration when neither local law enforcement nor the card brands cared. So, holiday shoppers, checking your credit statements is about all you can do to help. – AL

  4. More CISO perspective: I have been hammering on CISO-level topics for the past few weeks because folks still want to climb the ladder to get the big title (and paycheck). That’s fine, so I’ll keep linking to tips from folks in the field about how to sit in the top security seat. And then I’ll pimp the PragmaticCSO. Gary Hayslip provides some decent perspective on his 5-step process for the CISO job. It starts with “walk about” and then goes through inventory/assessment, planning, and communication. Seems pretty pragmatic to me. I like the specific goal of walking around for a certain amount of time every day. That’s how you keep the pulse of the troops. The requirements of the CISO job are pretty straightforward. Executing on them successfully? That’s a totally different ballgame. – MR

  5. Soft core payments: Google is reportedly looking to buy Softcard, presumably in an effort to kickstart their stalled mobile payment efforts. Google found that “If you build it they will come” only applies to bad Hollywood scripts – anyone can write a mobile ‘digital wallet’ app, but without cooperation from the rest of the ecosystem you won’t get far. The banks, payment processors, and (just as important) mobile carriers all have a stake in mobile payments, and will get their pound of flesh. For years the carriers have been unwilling to allow others to use the embedded “secure element” on phones for payments unless they got a transaction fee, which meant either pay the carrier tax or go home. Details are slim but Softcard is a carrier-owned business so apparently Google would get a carrier-approved interface to devices and the business relationships needed to make their payment app relevant again. – AL

  6. Bait bike: I’m a cyclist. Bicycle theft is a pretty big business, especially in cities and college towns. In the past few years some police departments have started planting GPS-enabled bait bikes in areas to catch the bad guys. They have done the same thing with cars, but it’s probably easier to plant a bike. That’s why I’m amused by the hackers for hire site. Need someone to break into your ex’s Facebook account? Steal that customer list? Just come on down to Billy Bob’s Trusted Hackers! Send us what’s left of your Bitcoin and we’ll hook you up with the most professional script kiddie in our network! Look, this probably isn’t a bait site, but now that it’s in the New York Times, what are the odds the FBI or Interpol isn’t already scanning the database, tracking clients, and prepping cases? We all know how this story is going to end: with jail time. – MR

—Mike Rothman

Wednesday, January 14, 2015

Incite 1/14/2015: Facing the Fear

By Mike Rothman

Some folks just naturally push outside their comfort zones as a matter of course. I am one of them. Others only do things that are comfortable, which is fine if it works for them. I believe that while you are basically born with a certain risk tolerance, you can be taught to get comfortable with pushing past your comfort zone.

For example, kids who are generally shy will remain more comfortable holding up the wall at a social event, but can learn to approach people and get into the mix. It’s tough at first but you figure it out. There is always resistance the first few times you push a child beyond what they are comfortable with, and force them to try something they don’t think they can do. But I believe it needs to happen. It comes back to my general philosophy that limitations exist only in our minds, and you can move past those limitations once you learn to face your fear.

Faces of Fear

The twins’ elementary school does a drama production every year. XX1 was involved when she was that age, and XX2 was one of the featured performers last year. We knew that she’d be right there auditioning for the big role, and she’d likely get one of them (as she did). But with the Boy we weren’t sure. He did the hip hop performance class at camp so he’ll perform, but that’s a bit different than standing up and performing in front of your friends and classmates. Though last year he did comment on how many of his friends were in the show, and he liked that.

We were pleased when he said he wanted to try out. The Boss helped him put together both a monologue and a song to sing for the audition. He knew all the words, but when it came time to practice he froze up. He didn’t want to do it. He wanted to quit. That was no bueno in my book. He needed to try. If he didn’t get a part, so be it. But he wasn’t going to back out because he was scared. He needed to push through that fear. It’s okay to not get the outcome you hope for, but not to quit.

So we pushed him. There were lots of tears. And we pushed some more. A bit of feet stomping at that point. So we pushed again. He finally agreed to practice for us and then to audition after we wore him out. Sure, that was a little heavy-handed, but I’m okay with it because we decided he needed to at least try.

The end result? Yes, he got a part. I’m not sure how much he likes the process of getting ready for the show. We’ll see once he gets up on stage and performs for everyone whether it’s something he will want to do again. But whether he does it again doesn’t matter. He can always say he tried, even when he didn’t want to. That he didn’t let fear stop him from doing something. And that’s the most important lesson of all.

–Mike

Photo credit: “Faces of fear!” originally uploaded by John Seb Barber


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Security Best Practices for Amazon Web Services

Network Security Gateway Evolution

Monitoring the Hybrid Cloud: Evolving to the CloudSOC

Security and Privacy on the Encrypted Network

Newly Published Papers


Incite 4 U

  1. Full discraposure: Google discovers a bug in a Microsoft product. Google has a strict 90-day policy to disclose, no matter what. Microsoft says, “Hey, we have a fix ready to go on Patch Tuesday, can we get a few extra days?” but Google releases anyway. I’m sorry, but who does that help? Space Rogue summed it up best; he has a long history in the disclosure debate. In his words, “The entire process has gotten out of hand. The number one goal here should be getting stuff fixed because getting stuff fixed helps protect the user, it helps defeat the bad guys and it helps make the world a better place.” Another great quote is: “And so the disclosure debate continues unabated for over a hundred years. With two of the giants in our industry acting like spoiled children we as security professionals must take the reins from our supposed leaders and set a better example.” Marry me, Space Rogue. Marry me. – RM

  2. The impact of Sony in 2015? FUD! Okay, I am being a little facetious by saying the Sony breach will enable the security industrial complex to launch a new wave of Fear, Uncertainty, and Doubt at organizations in 2015. But it already has folks using tried and true tactics in an attempt to create urgency for whatever widget they are selling today. Ben Rothke is a little more constructive in his analysis for CSO. He makes some good points about the reality that improving security requires ongoing investment and that shiny security products/services are not a complete answer. The one I like best is “a good CISO is important; great security architects are critical.” Amen to that. We believe that as security increasingly gets embedded within the cloud and continuous deployment environments, the security architect will emerge as one of the most valued members of the team. So study up on your architecture, kids! – MR

  3. Making the effort: Gunnar has another really good post, challenging folks to think differently about security. It’s very popular to accept defeat because the odds are stacked against defenders. To mail it in because you will be pwned anyway. And that much is true. You can make progress, but only if you make the effort to improve. Always quick with good analogies, GP refers to how smog was reduced in Los Angeles by 98% over the past 50 years, which most thought was impossible 60 years ago. And how the Scandinavian countries don’t have airplane delays because of snow. They just don’t because they made the effort to figure out how to optimize their processes. I guess another way to put it is a quote I use frequently: “I’m not in the excuses business.” And neither is your senior management, so as Gunnar says: “There is a lot to do, can’t get started any sooner than right now. No such thing as bad winter weather, only opportunities to improve bad snow removal equipment, dysfunctional teams and processes.” Truth. – MR

  4. Free, as in crapware: I seem to have a ‘crap’ theme for my submissions this week. A couple of writers over at HowToGeek decided to go to CNET’s Downloads.com [no link, for obvious reasons and obviousness] to see what happens if they download and install the top 10 apps listed. Hilarity ensues. Spyware, ads, browser hijackers, and more… all from a site that claims its downloads are safe. I frequently see links to these sorts of sites when I search for an application. Sometimes search engines show these contaminated links before the software developer’s site. This is especially common when I look for anything more obscure or no longer maintained. I never download from those sites and I’m on a Mac, but this highlights the ridiculous dangers facing normal Windows users (including your employees). Needless to say, this is why I’m a fan of app stores for PCs, even the open ones (where stuff can still sneak through). I suspect Microsoft will need to move in that direction for the same reasons Apple did, and kill the economic model of bundling and installing backdoors. As long as I always still have the option to go outside the store, I am down with it. – RM

  5. You want a seat, Mr./Ms. CISO? Good luck. I wanted to dig into the archives a bit to mention research that confirms what many of you already know. CISOs are not considered players at the big table. ThreatTrack commissioned a study last summer and came away with some disturbing numbers. 74% of respondents said CISOs should not be part of the organization’s leadership team. 54% don’t think CISOs should be responsible for security purchasing. 28% say the CISO’s decisions negatively impacted financial health. Holy crap! It’s time for a reality check. This is clearly a failure to communicate with folks in senior management. And it needs to be fixed ASAP. It is not like we are going to see fewer attacks or breaches, so if these folks don’t understand what you do and why, that needs to be job #1. Or polishing up your resume will be job #2. – MR

—Mike Rothman

Wednesday, January 07, 2015

Incite 1/7/2014: Savoring the Moment

By Mike Rothman

Early December is a big deal in our house. It’s Nutcracker time, with both girls working all fall to get ready for their dance company’s annual production of the Xmas classic. They do 5 performances over a weekend, and neither girl wants it to end. We have to manage the letdown once that weekend is over. It has been really awesome to see all of the dancers grow up, via the Nutcracker. They start as little munchies playing party boys and girls in the first scene, and those who stick with it become Dew Drop or possibly even the Sugarplum Fairy.

The big part for XX1’s group this year was Party Clara. It’s on Pointe and it’s a big and featured role in Act 1. She has been dreaming about this part for the past 4 years, and when we heard she got it for one of the performances this year, we knew it was going to be a special Nutcracker. She also got a featured Rag Doll part for another performance and was on stage 4-5 times during the show.

XX2 wasn’t left out, and she got a number of featured parts as well. I used to dread that weekend but the girls didn’t really do much, so I could get away with going to one performance and being done with it. Now I attend 3 out of the 5 performances, and would go to all 5 if the girls had sufficient parts. I’m pretty sure the Boy wouldn’t be happy going to 5 performances, but he’ll get over it. I even skipped a home Falcons game to see the Sunday afternoon performance (I did!).

Savor the moment

One of the things I am working on is to pause during the big stuff and just enjoy it. You could call it smelling the flowers or something like that. For me it’s about savoring the moment. To see XX1 with a grin ear to ear performing as Party Clara was overwhelming for me. She was so poised, so in command, so happy. It was incredible. During those 3-4 minutes the world fell away. There was only my girl on stage. That’s it.

Some folks watch their kids perform through a camera viewfinder. Or a cellphone screen while taking video. Not me. I want to experience it directly through my own eyes. To immerse myself in the show. I want to imprint it in my memory. Yes, we’ll buy the DVD of the performance, but that’s for the folks who weren’t there. I don’t need it. I was fully in that moment, and I can go back any time I want. And I do.

–Mike

Photo credit: “P1-VS-P2” originally uploaded by MoreInterpretations


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Security Best Practices for Amazon Web Services

Network Security Gateway Evolution

Monitoring the Hybrid Cloud: Evolving to the CloudSOC

Security and Privacy on the Encrypted Network

Newly Published Papers


Incite 4 U

  1. Security deadly sin: offensive envy: I dug up Richard Bejtlich’s awesome post from right before New Year, where he dismantles a list from Microsoft’s John Lambert and calls him out for minimizing the potential of defensive security. It is true that hacking stuff is sexy, and the chicks & dudes dig it. But still, the fact that many defenders work off checklists doesn’t mean all do. Because the defenders seem to come up on the losing end of some breach every day doesn’t mean their efforts are pointless. It means it’s a hard job, pure and simple. And glorifying the adversary only provides a defeatist attitude before you even start playing. Which I guess is the adversary’s plan… – MR

  2. No hands: I just love it when someone comes up with an entire class of security vulnerability – and if it might affect an Apple product guess what’s in the headlines? Like the general GSM wireless issue that was hyped as “iPhones Vulnerable” (every GSM phone was vulnerable). That hype sometimes does the issue a disservice, as highlighted in this piece at the Huffington Post on Jan Krissler recreating thumbprints from normal photographs at the Chaos Computer Club. It’s a fascinating and brilliant idea as we progress towards ubiquitous high-definition cameras throughout the world. Not merely for hacking phones, but for all the CSI-spinoff episodes it will inspire. Practically speaking, today I think the barriers to successfully executing this attack are high enough to keep this from becoming a major issue now, and anyone in a sensitive position should never rely on biometrics alone, but in 10 or so years? Oh, and don’t forget to read the bit at the end about researchers pulling pass codes from over 100 feet away via screen reflections in someone’s eye via high def video. – RM

  3. Leadership: I think I was too young to understand what the term ‘leadership’ meant when I was promoted to CTO for the first time. Blindly stepping into a role I knew nothing about, I was blessed with a CEO who did not mince words: “If I catch you coding again, you’re fired!” That forced me to focus on the CTO job, which was leading the development team – communicating vision and providing direction on how we were going to deliver product. Over at Security Uncorked JJ wrote a thought-provoking piece on the mental challenges of changing – or even expanding – one’s role in Infosec. Releasing your grip on the hands-on work that got you where you are today is not easy. It’s not just learning leadership and management skills, but also giving up many things you enjoy in your current job. No college offers a “Security Leadership and Management 101” course, and as a new profession we don’t have that many resources to draw on. Bravo to JJ for sharing the angst of this transition. – AL

  4. In the real world, it depends… Wendy kills it again, pointing out that compliance is a pretty low bar, highly dependent on the competence of the assessor and with “the(ir) ability to measure objectively, not just answer questions.” A control can be implemented in such a way that it fails to protect anything. And the process may be in place, but if no one uses it, who cares? This isn’t really about maligning compliance (again), but the fact that prescriptive lists in mandates must be considered the lowest of low bars; once they are taken care of you can start really thinking about how to protect your stuff. So is compliance even helpful? Well, it depends… – MR

  5. Unintended consequences: If I were to redirect cellular tower traffic or interfere with cell transmissions, I would be prosecuted and go to jail for a very long time. If it’s illegal for me, shouldn’t law enforcement need a warrant to do it? The FBI says ‘No’: search warrants are not needed to use ‘stingrays’ in public places to perform mass surveillance of voice and data traffic on everyone in the area. Our government is spurring an interest in security I never thought would make the mainstream. Accusations like monitoring a CBS journalist – true or not – are so creepy that they will keep this story in the limelight for a while. Even at the giant Consumer Electronics Show in Vegas this week, vendors are competitively positioning consumer products with security features, and the keynote touched on the Sony hack. We are moving into a culture of digital security. Whodathunk that a few years ago? – AL

  6. Airway. Breathing. Cyberattack. As a geek and paramedic I became involved fairly early in healthcare IT. I still remember almost being fired for hacking into our manager’s computer because he accidentally locked us out of an important application that was only on his PC but required for our job, and he wouldn’t answer his landline or pager (yeah, I’m dating myself). Nothing fancy – I just found his password for the app in a plain text file via legit access we already had. Anyhow… Pre-Gartner I helped design an EMR app (and implement it in a clinic) for replacing dictation. I also have some more recent experience due to family connections in the industry. So it was no surprise to read Jack Daniel’s story of witnessing multiple hospital IT failures while visiting friends. Forget about security – this is an industry with massive structural issues in IT management. The situation is so much worse than you think, and despite all the security headlines fundamental reliability will consume healthcare dollars for a long time. Hop over to any healthcare forum (especially the physician ones) to see how bad things are, and be glad your providers would all prefer to go back to paper charting and orders in the first place. – RM

  7. The other EMET: I’m a football head, so when I hear the name “Emmitt” I always think of those times Emmitt Smith ran into the end zone to finish off the Giants as I was growing up. But I’m not talking about that Emmitt. I’m referring to EMET, Microsoft’s Enhanced Mitigation Experience Toolkit, which should be implemented on all your Windows devices. And it’s good that TrustedSec’s Dave Kennedy found some time (when he wasn’t hugging it out with the entire industry) to document how to install EMET. Is EMET perfect? Of course not. But it definitely makes it much harder to compromise Windows devices, so you should have it in your anti-malware toolkit. Yes, there are other cool technologies emerging to help on endpoints, but EMET is free, so why not use it? – MR

—Mike Rothman

Wednesday, December 10, 2014

Incite 12/10/2014: Troll off the old block

By Mike Rothman

Every so often the kids do something that makes me smile. Evidently the Boss and I are doing something right and they are learning from our examples. I am constantly amused by the huge personality XX2 has, especially when performing. She’s the drama queen, but in a good way… most of the time.

The Boy is all-in on football and pretty much all sports – which of course makes me ecstatic. He is constantly asking me questions about players I’ve never heard of (thanks Madden Mobile!); he even stays up on Thursday, Sunday, and Monday nights listening to the prime-time game using the iPod’s radio in his room. We had no idea until he told me about a play that happened well after he was supposed to be sleeping. But he ‘fessed up and told us what he was doing, and that kind of honesty was great to see.

trollolololol

And then there is XX1, who is in raging teenager mode. She knows everything and isn’t interested in learning from the experience of those around her. Very like I was as a teenager. Compared to some of her friends she is a dream – but she’s still a teenager. Aside from her independence kick she has developed a sense of humor that frequently cracks me up.

We all like music in the house. And as an old guy I just don’t understand the rubbish the kids listen to nowadays. Twice a year I have to spend a bunch of time buying music for each of them. So I figured we’d try Spotify and see if that would allow all of us to have individual playlists and keep costs at a manageable level.

I set up a shared account and we all started setting up our lists. It was working great. Until I was writing earlier this week, jamming to some new Foo Fighters (Sonic Highways FTW), and all of a sudden the playlist switched to something called Dominique by the Singing Nun. Then Spotify goes berserk and cycles through some hardcore rap and dance. I had no idea what was going on. Maybe my phone got possessed or something. Then it clicked – XX1 was returning the favor for all the times I have trolled her over the years.

Yup, XX1 hijacked my playlist and was playing things she knew aren’t anywhere near my taste. I sent her a text and she confessed to the prank. Instead of being upset I was very proud. Evidently you can’t live with a prankster and not have some of that rub off. Now I have to start planning my revenge.

But for the moment I will just enjoy the fact that my 14-year-old daughter still cares enough to troll me. I know soon enough getting any kind of attention will be a challenge.

–Mike

Photo credit: “Caution Troll Ahead” originally uploaded by sboneham


The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the conference this year. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.


Securosis Firestarter

Have you checked out our video podcast, The Firestarter? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail despite Adrian’s best efforts to keep us on track.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Network Security Gateway Evolution

Monitoring the Hybrid Cloud: Evolving to the CloudSOC

Security and Privacy on the Encrypted Network

Newly Published Papers


Incite 4 U

  1. Flowing downhill: Breaches are ugly. Losing credit card numbers, in particular, can be costly. But after the PCI fines, the banks are always lurking in the background. When Target lost 40 million credit cards, and the banks needed to rotate card numbers and reissue, it isn’t like Target paid for that. And the card brands most certainly will never pay for that. No, they sit there, collect PCI fines (despite Target passing their assessment), and keep the cash. The banks were left holding the bag, and they are sure as hell going to try to get their costs covered. A group of banks just got court approval to move forward with a lawsuit to recover their damages from Target. They are seeking class action status. If the old TJX hack is any indication, they will get it and receive some level of compensation. Resolving all the costs of a breach like this plays out over years, and odds are we will have no idea of the true costs for at least 5 years.

  2. Cloud security “grows up”? It’s funny when the hype machine wants to push something faster than it is ready to go. Shimmy argued that Cloud security grows up, but I don’t buy it. His point is that because we have gone from ‘cloudwashing’ (Rich’s term), to point solutions, to a few suites, it’s mature – but that doesn’t actually mean the industry has grown up. It is less about available products and services than about the broader industry having an idea how to secure the cloud. Our cloud security courses show that folks are learning fast, but we still have a long way to go. I consider cloud security more like a toddler now. It will be a few years before it is a pimply teen thinking it has figured everything out. Gosh, enterprise security is barely out of high school, and it can barely read… – MR

  3. Trolling along: A huge benefit of offering large bounties for security defects reported in your products is that third parties are incentivized to work with you when they discover issues. When they don’t use bug bounty programs they look like trolls. Google and Microsoft have led the way with bug bounties and shown the benefits of this practice. I have got no idea whether these flaws in Google App Engine are legit or not, but posting the defects to the full disclosure mailing list, given Google’s track record on security response, sure looks like trolling for publicity. And that’s no bueno. – AL

  4. What you don’t know… I guess Eddie the Yeti has a job other than drawing and posting cool portraits of security folks on his Twitter feed. A while back he correctly argued that “I didn’t know” isn’t a legitimate excuse when a breach happens. So you run assessments and test yourself frequently. But what do you decide to fix? You can’t address every issue, even if you knew about them all. It comes back to our old tired mantra: risk management. What presents the biggest risk to your environment? Fix that. Duh. But just as important, manage expectations about the priorities you chose. The last thing you want is to make a decision folks are free to disagree with in hindsight, because you never told them you were making the decision. – MR

  5. Practical watermarking: Krebs’ recent post on a breach canary discusses an underutilized idea that anyone who sells or shares data with third parties should consider – especially when working with data brokers. The idea is that when you examine breach data, ‘canary’ data can provide enough information to determine the source of records. This would not work as a column of irrelevant data which would be quickly stripped out, leaving only valuable financial or personal data behind. But canary data could work as elements of a larger data set – bogus records to let the original owner recognize their data. [Ed: But why would they want to know they were at fault? Much better to never know for sure you were the source, right??? –pepper] It is a bit like using marked bills when transporting large sums of money. Banks and insurance companies have done this over the last decade, even in production databases, to see if the data they shared with partners gets resold elsewhere. It works well when the recipient cannot differentiate faked ‘watermark’ records from the real ones, and so cannot remove those records to conceal the data set’s origin. – AL
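The canary idea above, as an added example that is not code from the original post or from Krebs’ article: the data owner derives a few plausible-looking bogus records from a secret key and the recipient’s name, mixes them into the shared set, and later works out which recipient a leaked file came from by regenerating each recipient’s canaries and looking for them. The key, the recipient names and the sample records are all constructed for this example. Because the canaries are whole rows rather than an extra column, stripping a field does not remove them; the matcher accepts either the email address or the name plus card fragment.

```python
import hashlib
import hmac
import random
from typing import Dict, Iterable, List

# Constructed sample records: what a data owner might hand to a data broker.
REAL_RECORDS: List[dict] = [
    {"name": "Alice Example", "email": "alice@example.com", "card_last4": "4242"},
    {"name": "Bob Example", "email": "bob@example.com", "card_last4": "1881"},
    {"name": "Carol Example", "email": "carol@example.com", "card_last4": "0005"},
]

# Assumption: a secret held only by the data owner, never shared with recipients.
OWNER_KEY = b"example-owner-watermark-key"

# Small name pools so canaries look like ordinary rows rather than random hex.
FIRST_NAMES = ["Avery", "Blake", "Casey", "Drew", "Emery", "Finley", "Harper", "Jordan"]
LAST_NAMES = ["Abbott", "Barlow", "Corwin", "Dalton", "Ellison", "Fletcher", "Granger", "Holt"]


def canary_record(recipient: str, index: int, key: bytes = OWNER_KEY) -> dict:
    """Derive one bogus record bound to a recipient.

    The record is a pure function of (key, recipient, index), so the owner
    never has to store canaries: they can be regenerated for any recipient
    when a leaked file turns up.
    """
    digest = hmac.new(key, f"{recipient}:{index}".encode(), hashlib.sha256).digest()
    first = FIRST_NAMES[digest[0] % len(FIRST_NAMES)]
    last = LAST_NAMES[digest[1] % len(LAST_NAMES)]
    return {
        "name": f"{first} {last}",
        # The hex suffix keeps canary addresses distinct across recipients.
        "email": f"{first.lower()}.{last.lower()}{digest[2:8].hex()}@example.net",
        "card_last4": f"{int.from_bytes(digest[8:10], 'big') % 10000:04d}",
    }


def watermark(records: Iterable[dict], recipient: str, n: int = 3,
              key: bytes = OWNER_KEY) -> List[dict]:
    """Return a copy of the data set with n canaries mixed in at random positions."""
    marked = list(records) + [canary_record(recipient, i, key) for i in range(n)]
    random.shuffle(marked)  # canaries must not sit in a predictable spot
    return marked


def identify_source(leaked: Iterable[dict], recipients: Iterable[str], n: int = 3,
                    key: bytes = OWNER_KEY) -> Dict[str, int]:
    """Count, per recipient, how many of their canaries appear in a leaked set.

    A canary counts as present if its email survives, or if both the name and
    the card fragment survive, so stripping one column does not defeat the check.
    """
    leaked = list(leaked)
    emails = {r.get("email") for r in leaked}
    name_card = {(r.get("name"), r.get("card_last4")) for r in leaked}
    hits: Dict[str, int] = {}
    for recipient in recipients:
        count = 0
        for i in range(n):
            c = canary_record(recipient, i, key)
            if c["email"] in emails or (c["name"], c["card_last4"]) in name_card:
                count += 1
        if count:
            hits[recipient] = count
    return hits


if __name__ == "__main__":
    shared = watermark(REAL_RECORDS, "broker-a")
    # Simulate the broker stripping the email column before reselling the file.
    resold = [{k: v for k, v in r.items() if k != "email"} for r in shared]
    print(identify_source(resold, ["broker-a", "broker-b"]))  # {'broker-a': 3}
```

Deriving canaries with an HMAC rather than storing them means the owner can check a leak against every recipient it has ever shared with, using nothing but the key and its list of recipients; the count per recipient also gives some confidence when only part of a file leaks.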

  6. It’s never enough: Plenty of folks have been talking about the security skills gap every organization struggles with when trying to fill open positions. Jon Oltsik did a survey and I am a bit surprised that only 30% of folks surveyed feel we have a problematic shortage of security skills in areas like endpoint and network. I guess those other folks aren’t hiring for those positions. But is the answer to just train more folks? That is only a partial solution. The issue with security is that you learn by screwing up. College kids may be able to do simple stuff, but they don’t have the business skills or context to really do security yet. And even more challenging is the job. The fact is that security isn’t for everyone, so we will get a bunch of folks entering the market because supply & demand will grow salaries. But they won’t stay long because many of those folks don’t understand the security mindset, and it will frustrate them to no end. The fact is that we will never have enough security folks to meet demand. So we need to train more folks, embrace better automation and orchestration of security operations, and figure out how to recognize people better for doing their jobs – which, for security folks, means you never see or hear them. – MR

—Mike Rothman

Wednesday, December 03, 2014

Incite 12/3/2014: Winding Down

By Mike Rothman

As I sit in yet another hotel, banging out yet another Incite, overlooking yet another city that isn’t home, this is a good time to look back on 2014 because this is my last scheduled trip for this year. It has been an interesting year. At this point the highs this year feel higher, and the lows lower. There were periods when I felt sick from the whiplash of ups and downs. That’s how life is sometimes. Of course my mindfulness practice helps me handle the turbulence with grace, and likely without much external indication of the inner gyrations.

But in 5 years how will I look back on 2014? I have no idea. I have tried not to worry about things like the far future. At that point, XX1 will be leaving for college, the twins will be driving, and I’ll probably have the same amount of gray hair. Sure, I will plan. But I won’t worry. I have been around long enough to know that my plans aren’t worth firing the synapses to devise them. In fact I don’t even write ‘plans’ down any more.


It is now December, when most of us start to wind down the year, turning our attention to the next. We are no different at Securosis. For the next couple weeks we will push to close out projects that have to get done in 2014 and start working with folks on Q1 activities. Maybe we will even get to take some time off over the holidays. Of course vacation has a rather different meaning when you work for yourself and really enjoy what you do. But I will slow down a bit.

My plan is to push through my handful of due writing projects over the next 2 weeks or so. I will continue to work through my strategy engagements. Then I will really start thinking about what 2015 looks like. Though I admit the slightly slower pace has given me opportunity to be thankful for everything. Certainly those higher highs, but also the lower lows. It’s all part of the experience I can let make me crazy, or I can accept bumps as part of the process.

I guess all we can do each year is try to grow from every experience and learn from the stuff that doesn’t go well. For better and worse, I learned a lot this year. So I am happy as I write this although I know happiness is fleeting – so I’ll enjoy the feeling while I can. And then I will get back to living in the moment – there really isn’t anything else.

–Mike

Photo credit: “wind-up dog” originally uploaded by istolethetv



Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Network Security Gateway Evolution

Monitoring the Hybrid Cloud: Evolving to the CloudSOC

Security and Privacy on the Encrypted Network

Newly Published Papers


Incite 4 U

  1. CISO in the clink… I love this headline: Can a CISO serve jail time? Duh, of course they can. If they deal meth out of the data center, they can certainly go to jail. Oh, can they be held accountable for breaches and negligence within their organization? Predictably, the answer is: it depends. If you are clearly negligent then all bets are off. But if you act in the best interests of the organization as you see them … it is hard to see how a CISO could be successfully prosecuted. That said, there is a chance, so you need to consult a lawyer before taking the job to understand where your liability begins and ends (based on your agreement), and then you can make an informed decision on whether to take the job. Or at least build some additional protection into your agreement. – MR

  2. Productivity Killer: Sometimes we need a reminder that security isn’t all about data breaches and DDoS. Sometimes something far, far worse happens. Just ask Sony Pictures. Last week employees showed up to work to find their entire infrastructure compromised and offline. Yep, down to some black hat hax0rs graphic taking over everyone’s computer screens, just like in… er… the movies. I don’t find any humor in this. Despite what Sony is doing to the Spider-Man franchise, they are just a company with people trying to get their jobs done, make a little scratch, and build products people will pay for. This isn’t as Earth-shattering as the completely destructive Saudi Aramco hack, but it seems pretty close. Destructive hacks and data breaches are not the same thing, even though breaches and APTs get all the attention and need to be covered in the threat model. – RM

  3. Friends make the CISO: Far too many CISOs end up in the seat without proper training in what their real job is: coercion and persuasion. Not in a bad way, but the fact is that if a CISO cannot convince their peers to think about security, they cannot succeed. So I enjoyed a piece on securityintelligence.com for describing the CISO’s best friends. The reality is that the CISO job isn’t a technical one – it is a people management job, and far too many folks go into it without understanding that. That doesn’t end well. – MR

  4. Understated: I have been reading Adam Shostack’s stuff since I started in security. He is known for offering well-reasoned opinion, devoid of hype and hyperbole, based on decades of hands-on experience. But sometimes that understated style shorts a couple of very important points, as in his recent post Threat Modeling at a Startup. Adam focused on the operational aspects, but did not address two important aspects – essentially why threat modeling is so important for startups. First because threat modeling has a pronounced impact at earlier stages of platform development, while the foundation of an application is being designed and built. Second, threat modeling is one of the most cost-effective ways to improve security. Both these facets are critical for startups, who need to get security right out of the blocks, and don’t have a lot of money to burn. – AL

  5. You know the breach is bad when… You need to do a media blitz about hiring a well-known forensic shop to clean up the mess. Yup, the Sony Pictures folks had their damage control people make a big deal about hiring FireEye’s Mandiant group to clean up the mess of their breach. As Rich described above, the breach was pretty bad, but having to make a big deal about hiring forensic folks doesn’t instill confidence that anyone in-house knows what they are doing. But I guess that’s self-evident from two very high-profile breaches one after another. And to the executive who gave the green light to The Interview, it’s all good. Fortunately the North Koreans aren’t vindictive or anything… –MR

—Mike Rothman

Wednesday, November 12, 2014

Incite 11/12/2014: Focus

By Mike Rothman

Interruption is death for a writer. At least it is for me. I need to get into a flow state, where I’m locked in and banging words out. With my travel schedule and the number of calls I make even when not traveling, finding enough space to get into flow has been challenging. Very challenging. And it gets frustrating. Very frustrating.

There is always some shiny object to pay attention to. A press release here. A tweet fight there. Working the agenda for a trip two weeks from now. Or something else that would qualify as ‘work’, but not work.


Then achiever’s anxiety kicks in. The blog posts that get pushed back day after day, and the conflicts with projects needing to get started. I have things to do, but they don’t seem to get done. Not the writing stuff anyway. It’s a focus thing. More accurately a lack of focus thing. Most of the time I indulge my need to read NFL stories or do some ‘research’. Or even just to think big thoughts for a little while.

But at some point I need to write. That is a big part of the business, and stuff needs to get done. So I am searching for new ways to do that. I shut down email. That helps a bit. I don’t answer the phone and don’t check Twitter. That helps too. Maybe I will try a new writing app that basically shuts down all the other apps. Maybe that will help ease the crush of the overwhelming to-do list.

Of course my logical mind knows you just start writing. That I need to stop with the excuses and just write. I know the first draft is going to be crap, especially if it’s not flowing. I know that the inbound emails can wait a few hours. I know my Twitter timeline will be there after the post is live on the site. Yet my logical mind loses, as I just stare at the screen for a few more minutes. Then check email and Twitter. Again.

Oy. Then I go into my pipeline tracker and start running numbers for the impact of not writing on my wallet. That helps. Until it doesn’t. We have had a good year, so the monkey brain wonders whether it’s not really a bad idea to just sandbag some of the projects and get 2015 off to a roaring start. But I still need to write.

Then at some point, I just write. The excuses fall away. The words start to flow, and even make some sense. I get laser focused on the research that needs to get done, and it gets done. The blog fills up with stuff, and balance is restored to my universe. And I resign myself to just carrying around my iPad when I really need to write, because it’s harder to multi-task on that platform.

I’ll get there. It’ll just take a little focus.

–Mike

Photo credit: “Focus” originally uploaded by Michael Dales




Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Network Security Gateway Evolution

Monitoring the Hybrid Cloud: Evolving to the CloudSOC

Building an Enterprise Application Security Program

Security and Privacy on the Encrypted Network

Newly Published Papers


Incite 4 U

  1. Master of the Obvious: Cloud Edition: On my way to the re:Invent conference I read the subhead of a FUD-tastic eWeek article: IT Losing the Battle for Security in the Cloud, which is “More than two-thirds of respondents to a Ponemon Institute survey say it’s more difficult to protect sensitive data in the cloud using conventional security practices.” Um. This is news? The cloud is different! So if you want to secure it you need to do so differently. The survey really shows that most folks have no idea what they are talking about, which is expected in the early adoption phase of any technology. It is not necessarily harder to protect resources in the cloud. I just laugh and then cry a bit, as I realize the amount of education required for folks to understand how to do things in the cloud. I guess that is opportunity for guys like us, so I won’t cry too long… – MR

  2. Here we go again: There are a half dozen tokenization working groups proposing standards by my count. Each has vagueness baked into its published specification – many intentionally, I suspect. There are issues the internal steering groups can’t agree upon, issues they want to let the market settle before they commit, and still other issues they simply did not think about. Eduard Kovacs at SecurityWeek offers a good overview on current tokenization issues for the payment space – including re-usable tokens (or not), where original PAN data may be stored, and whether “cryptographically reversible” tokens (not actual tokens – really encrypted data) should be accepted. A technology as simple and easy to understand as tokenization is entering another phase of debate, largely because many firms see having their fiefdoms threatened by change to the insecure payment status quo – so they propose something that doesn’t actually satisfy the goal: not to surrender a consumer credit card to a merchant. – AL
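To make the “reversible token is really encrypted data” distinction concrete, here is an added example that is not from the SecurityWeek article or from any working group’s specification. It puts a vault-based token service, which hands out random tokens that keep the last four digits and deliberately fail the Luhn check so they can never be mistaken for a card number, next to a toy “cryptographically reversible” token built by shifting the PAN digits with a keyed digit stream. The vault, the key and the test PAN (4111 1111 1111 1111, a standard test number) are assumptions of the example. Anyone holding the key reverses the second kind; nobody without the vault reverses the first, and the reusable flag shows the per-PAN token reuse the article debates.

```python
import hashlib
import secrets
from typing import Dict, Optional

# Assumption: a secret held by whoever issues the "reversible tokens".
REVERSIBLE_KEY = b"example-reversible-token-key"


def luhn_ok(number: str) -> bool:
    """Standard Luhn check; real PANs pass it."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Random tokens: the PAN lives only in the vault, assumed to be run by the
    token service provider rather than the merchant. A token carries nothing
    about the PAN beyond the last four digits kept for receipts."""

    def __init__(self) -> None:
        self._token_to_pan: Dict[str, str] = {}
        self._pan_to_token: Dict[str, str] = {}

    def tokenize(self, pan: str, reusable: bool = True) -> str:
        if not (pan.isdigit() and 12 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("not a well-formed PAN")
        if reusable and pan in self._pan_to_token:
            return self._pan_to_token[pan]  # same PAN, same token, so merchants can correlate
        while True:
            body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
            token = body + pan[-4:]
            # Reject anything that could be confused with a real card number.
            if token != pan and not luhn_ok(token) and token not in self._token_to_pan:
                break
        self._token_to_pan[token] = pan
        if reusable:
            self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> Optional[str]:
        """Only the vault can map a token back; everyone else gets None."""
        return self._token_to_pan.get(token)


def reversible_token(pan: str, key: bytes = REVERSIBLE_KEY) -> str:
    """A toy 'cryptographically reversible token': PAN digits shifted by a keyed
    digit stream under a fresh nonce. This is encryption under another name;
    whoever holds the key recovers the PAN without any vault."""
    nonce = secrets.token_bytes(8)
    stream = hashlib.sha256(key + nonce).digest()
    digits = "".join(str((int(p) + stream[i]) % 10) for i, p in enumerate(pan))
    return nonce.hex() + ":" + digits


def recover_pan(token: str, key: bytes = REVERSIBLE_KEY) -> str:
    """Undo reversible_token; a wrong key yields a different number, not an error."""
    nonce_hex, digits = token.split(":")
    stream = hashlib.sha256(key + bytes.fromhex(nonce_hex)).digest()
    return "".join(str((int(d) - stream[i]) % 10) for i, d in enumerate(digits))
```

The point of the contrast is where the risk lives: with a vault token, a compromised merchant database yields tokens that are useless outside the vault, while with a reversible token the key is the whole secret and every system holding it is back in PAN scope. Making the token fail Luhn is a small practical detail that keeps downstream systems from accidentally treating it as a card number.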

  3. FinServ productizes threat intel: The financial services industry has been at the forefront of information security for years. I guess when an industry is such a large target they didn’t really have a choice. The FinServ folks have also been aggressive about sharing information because they know attackers use the same methods against multiple banks. Now the FS-ISAC (FinServ’s main security information sharing group) has built a technology platform to facilitate information sharing called Soltra Edge. It is (yet another) offering for threat intel… because there weren’t any in the market already, apparently. Will it work and gain traction? Who knows? I do know that being in the software business is quite a bit different than running an information sharing group, but more structured sharing of information is generally a good thing. – MR

  4. Just call, baby: During each of the last two Christmas seasons I have noticed small charges on my credit cards. When I called the bank they explained they were seeing those charges across a wide number of cards (a rare admission!) and re-issued the card – assuming it was compromised. And it’s getting close to that time of year again, when you use your credit card so many times you can’t really remember what you spent. Bill Brenner has a very good list of tips for Online Holiday Spending to make sure someone does not sneak charges onto your account. It is the same list I would have created last week – these are good basic tips to follow. But after this Sunday I have another tip: call the merchant! On the phone. I know that seems so… 1995… but it works. Two sites I was using had issues getting credit card payments to process from the web, so I emailed, and they called me back! On Sunday. Both firms had people working to help with orders. Each took my order and processed the payment, and it actually happened faster than I could have done it online. And one of those firms accepts user credentials without SSL, so the phone was much safer. – AL

—Mike Rothman

Wednesday, November 05, 2014

Incite 11/5/2014: Be Like Water

By Mike Rothman

You want it and you want it now. So do I. Whatever it is. We live in an age of instant gratification. You don’t need to wait for the mailman to deliver letters – you get them via email. If you can’t wait the 2 days for Amazon Prime shipping, you order it online and pick it up at one of the few remaining brick and mortar stores. Record stores? Ha! Book stores? Double ha!! We live in the download age. You want it, you buy it (or not), and you download it. You have it within seconds.

But what happens when you don’t get what you want or (egads!) when you have to wait? You are disappointed. We all are. We get locked into that thing. It’s the only outcome we can see. Maybe it’s a thing, maybe it’s an activity. Maybe it’s a reaction from someone, or more money, or a promotion. It could be anything, but you want it and you get pissy when you don’t get it – now!


The problem comes down to attachment. Disappointment happens when you don’t get the desired outcome in the timeframe you want. Disappointment leads to unhappiness, which leads to sickness, and so it goes. I have made a concerted effort to stop attaching myself to specific outcomes. Sure, there are goals I have and things I want to achieve. But I no longer give myself a hard time when I don’t attain them. I don’t consider myself a failure when things don’t go exactly as I plan. At least I try not to…

But I was struggling to find an analogy to rely on for this philosophy, until earlier this week. I was in a discussion in a private Facebook group, and I figured out the concept in a way I can easily remember and rely on when my mind starts running amok.

I think many of us fall into the trap of seeing a desirable outcome and getting attached to that. I know I do. I’m trying to flow like water. Water doesn’t care where it ends up. It goes along the path that provides the least resistance at any given time. Not that we don’t need resistance from time to time to grow; rather, we need to be flexible to adapt to the reality of the moment.

Be like water. Water takes the shape of whatever vessel it’s in. Water flows. Water has no predetermined goal and can change form as needed. As the waves crash they show the awesome power of harnessed water. The analogy also works for me because I like being by the water, and the sound of water calms me. But I am not the only one who likes the water. Bruce Lee figured this out way before me and talked about it in this classic interview.

Maybe the concept works for you, and maybe it doesn’t. It’s fine either way for me – I’m not attached to a particular outcome…

–Mike

Photo credit: “The soothing sound of flowing water” originally uploaded by Ib Aarmo




Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Monitoring the Hybrid Cloud: Evolving to the CloudSOC

Building an Enterprise Application Security Program

Security and Privacy on the Encrypted Network

Secure Agile Development

Newly Published Papers


Incite 4 U

  1. Shiny attack maps for everyone: I hand it to Bob Rudis and Alex Pinto for lampooning vendors’ attack maps. They have issued an open source attack map called IPew, which allows you to build your own shiny map to impress your friends and family. As they describe it, ‘IPew is an open source “live attack map” simulation built with D3 (Datamaps) that puts global cyberwar just a URL or git clone away for anyone wanting to display these good-for-only-eye-candy maps on your site.’ Humor aside, visualization is a key skill, and playing around with their tool may provide ideas for how you can present data in a more compelling way within your own shop. So it’s not all fun and games, but if you do need some time to decompress, set IPew to show the Internet having a bad day… War Games FTW. – MR

  2. Not for what you think: Occasionally we need to call BS on a post, and Antone Gonsalves on Fraudster Protection for Websites qualifies. His claim is that IBM’s patented new technology can detect fraud by monitoring a user’s interaction with their browser, examining the duration between clicks and how they scroll. The concept is that you understand what a user does normally, so anything different is fraud. What could go wrong? The fundamental problem is that hackers don’t use browsers – at least nothing like an average user’s browser. This press release was obviously created by a guy who thinks all hackers wear ski masks to work. The use cases for this type of technology are marketeers wanting to watch customers use their web sites (to figure out and optimize click streams), and law enforcement looking for a better determination of who is behind the keyboard. It is a type of malware. For security it is surprisingly bad because of false positives – in the same way financial trading models completely fail under any unusual circumstances, which is why this approach failed in 2004 when it first made the rounds. – AL

  3. Outsourcing responsibility: Raj Samani and Brian Honan’s post about the (In)Security of Cloud Computing on the Wired Blog is thought provoking. They are conflating all the varieties of cloud computing together, despite several key nuances. Though it is true that ultimately the responsibility for data protection resides with you – not a cloud provider. Whether it is malware targeting a SaaS provider, or a social engineering attack trying to gain a foothold in your cloud environment, a cloud provider will do whatever they do, and you will still be responsible. We have said for years that you can outsource almost anything – except accountability. So ask questions, do your diligence, and get comfortable with the fact that you will have less visibility (at least initially) and control over the cloud infrastructure. But not forever – as the cloud matures we are betting that cloud security will leapfrog what is possible to secure traditional infrastructure. But that is a discussion for another day. – MR

  4. Quietly important: Microsoft’s latest additions to the Azure cloud are very important – not because of IOT Streaming Analytics, but because they provide all of the infrastructure needed to produce a security event analysis and analytics platform within the cloud. Stream analytics provides a way to insert real-time security analytics and anti-fraud services into the cloud technology stack; the data factory aggregates data to pipe into SIEM, log management, and data warehouses. Microsoft is positioning their data factory and event hubs to be the ultimate repository, but customers are likely to demand the opposite, choosing Hadoop or whatever platform best serves their analytics requirements – exactly what NoSQL excels at. But this core infrastructure is critical for enterprises looking to move to the cloud. – AL

  5. Get your pen test on: We have been vociferous supporters of penetration testing for a long time. Obviously folks who know what they are doing cost money. And you should be testing on an ongoing basis anyway. Maybe you bought a tool (or fired up Metasploit), but you may not know where to start. Fortunately for you Stephen Haywood has decided he is less of a promoter and more of a tester, and open sourced his Beginner’s Guide to Pentesting. I checked out the Table of Contents (and plan to read it over the holidays) and it is a good overview of the things you will need to pen test your own stuff. Including intelligence gathering and reconnaissance, wireless testing, web app testing, and phishing. You will still need to work to actually figure out how it works, but Stephen’s book provides a basis to guide your experimentation, so send some beer to thank him for the effort. You can send that beer to our main Securosis address and we’ll make sure he gets it… LOL. – MR

—Mike Rothman

Wednesday, October 29, 2014

Incite 10/29/2014: Short Memory

By Mike Rothman

Sometimes a short memory is very helpful. Of course as you get older, it may not be a choice. But old guy issues aside, there are times you need to forget what just happened and move on to the next thing. Maybe it’s a deal you lost, or a project you couldn’t get funded, or a bungled response to an incident. If you live to fight another day then you need to learn, put it in the past, and move forward.

The Boy learned that lesson a few weeks back playing tennis. He’s a decent player and was teamed with his friend in a doubles match. The other kids were pretty good but our team sprinted out to a 7-2 lead. The first to 8 wins. He has it in the bag, right? They dropped the next game, so it was 7-3. Not a problem. Then it was 7-5 and the Boy started to panic. I could see it. He was on the verge of breaking down.


And the thing about tennis is that coaches (and parents) cannot get involved during the match. So besides a few hand signals I sent his way to calm down, there wasn’t anything I could do other than see him come apart at the seams. His partner was panicking as well, especially as the score went to 7-6, and then ultimately 7-7. You could see the Boy and his partner were broken. They dropped 5 games in a row and lost their confidence.

It was hard to watch. Really hard. For a guy used to controlling most of his environment, it was brutal to be so powerless. But this wasn’t about me. It’s about him. The Boy served in that next game and held serve. He hit a couple of winners and got his mojo back. You could see the confidence return. They dropped the next game and went into a tiebreaker. The first to 7 would win the match.

They split the first two points on the opponents’ serve, so that was a mini break. The Boy then held their serve, so it was 3-1. Then they broke again. 5-1. The other team scrapped and they had a few good rallies, but the Boy and his partner prevailed 7-3. He was happy but could only shake his head about blowing such a huge lead.

I pulled him aside and said this illustrates a number of very important lessons. First about fighting through. They didn’t give up, and they persevered to get the win. I was very proud of them for that. But the real lesson I wanted to communicate was the importance of having a short memory. The fact that he hit a bad shot doesn’t mean he’s a bad player. He needs to trust his training and the work he put in. He can’t lose confidence, and needs to just move on to the next thing. It is not productive to get lost in his own head – he needs to understand the battle is less important than the war, and to know the difference.

Of course the lesson wasn’t about tennis. It was about life. But I don’t need to tell him that. Not yet, anyway…

–Mike

Photo credit: “The Bryan Brothers” originally uploaded by Boss Tweed


The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the conference this year. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.


Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Building an Enterprise Application Security Program

Security and Privacy on the Encrypted Network

Secure Agile Development

Incite 4 U

  1. Card of the Sith: Thanks to Chris Pepper for pointing out CurrentC Is The Big Retailers’ Clunky Attempt To Kill Apple Pay And Credit Card Fees. In a nutshell, a large group of merchants – including Rite Aid, CVS, Walmart, Target, K-Mart, and Kohl’s – are putting together a “mobile payment” app to avoid paying credit card processing fees. Rather than extend a small loan like a credit card, CurrentC will pull money directly and immediately from your bank account. Yes, those very same firms who vigorously market your personal data – and keep getting breached by hackers – now want to build their own payment system on top of direct access to your bank account. What could possibly go wrong? The biggest issue is one of the very real benefits of credit cards: limited liability in case of fraud. If someone gets hold of your credit card or breaches the payment system, your liability is sharply limited. Your bank account has no such protection, would likely be drained, and you’d be out the money. Debit cards are somewhere in the middle – they have protections but not nearly as strong as real credit cards. The icing on this steaming pile of customer unfriendliness is that these merchants won’t accept ApplePay – essentially a secure way to use your credit card, which is exactly what the merchants want to get away from. CurrentC promises to deliver the merchants from credit card transaction fees, PCI-DSS security requirements, and liability – all with direct access to your money. Customers get all the liability, most of the hassle (the checkout process promises to be painful for both purchasers and clerks), and less security. Somewhere Darth Sidious is laughing at the fiendish genius of it all. – AL

  2. It’s about the relationships: Just in case you were still under the misapprehension that the CISO job is about technical chops, it’s not. Dark Reading has a good profile of RSA’s new CISO, Janet Levesque. Her path was similar to mine, starting as a COBOL programmer (old school!). But I went into networking and then security. She became an auditor and then ended up doing security. She also did a dotcom and turned off the lights (been there, done that). But here is the killer quote: “Levesque says the company was most interested in hiring her because of her relationship-building skills – something that has become more important for RSA as it expands its hosting services business, and for CISOs across the board as companies outsource more of their IT functions.” As you climb the ladder on the security team, understand that your success criteria and skills must evolve as well. – MR

  3. Security wisdom? Where can I buy that? Martin McKeay has a good point in The Knowledge Pyramid on securityintelligence.com. He starts with “The marketing treadmill around security intelligence and big data the last few years really annoys me.” Yes! It bugs me too! Martin begins building the pyramid with data, placing information (analysis of that data) next. Above that is intelligence, which provides context for what that information means to you. On top Martin places wisdom, which connects disparate information – mostly via experience. That’s why SkyNet is not going to displace your SOC staff any time soon. Sure, there are things you can analyze in a more automated fashion, but even highly qualified alerts still need to be triaged and validated by a person. But here’s the issue: wisdom, in the form of experienced security practitioners, is hard to come by. That’s why every conversation reminds me of the security skills gap, which continues to grow. – MR

  4. Driving business: Amazon has opened a new data center in Germany, and it appears likely they picked it as their second EU location because of stronger data protection laws in Germany. It’s not that Amazon’s security is driving customers to them, but firms that want cloud services need a provider who can guarantee their data will remain local and secure from foreign governments (specifically the US). Some EU nations won’t allow citizen data to travel across national boundaries – encrypted or not – due to fear that keys will be compromised. This constrains many companies to doing business with local cloud providers, and Amazon appears to be stepping into a market with pent-up demand. Couple that with allowing customers to manage their own encryption keys, and it won’t matter if a secret court orders Amazon to divulge data archives – they can simply (and honestly) explain that the information is encrypted, and Amazon cannot decrypt it. Security concerns over spying will continue to drive IT buying decisions for a long time. – AL

  5. Analyst 101: There is nothing like a former analyst teaching folks how to deal with analysts. Being out of the machine provides some perspective on how it can be done better. In his first post for a new series, Aneel Lakhani provides an introduction to the types of analysts and what they do. It’s close enough to provide a feel for how the business works. I caution you not to draw conclusions about firms due to their funding model. Or perhaps you can, but be ready to make exceptions – there are firms which cannot be bought (like us), even though we advise and license content to vendors. Aneel offers a good description: “Fundamentally, what analysts do is information arbitrage.” That’s about right. I prefer the term “information broker”, but it’s the same thing. I’ll follow the series and mention it again if there is anything else of value in there. – MR

—Mike Rothman

Wednesday, October 22, 2014

Incite 10/21/2014: Running Man

By Mike Rothman

There were always reasons I wasn’t a runner. I was too big and carried too much weight. I was prone to knee pain. I never had good endurance. I remember the struggle when I had to run 3 miles as a pledge back in college. I finished, but I was probably 10 minutes behind everyone else. Running just wasn’t for me. So I focused on other methods of exercise. I lifted weights until my joints let me know that wasn’t a very good idea. Then I spent a couple years doing too many 12-ounce curls and eating too many burritos. For the past few years I have been doing yoga and some other body weight training.

But it was getting stale. I needed to shake things up a bit. So I figured I’d try running. I had no idea how it would go, given all my preconceived expectations that I couldn’t be a runner. I mentioned it to a friend and he suggested I start with a run/walk program espoused by Jeff Galloway. I got his 5K app and figured I’d work up to that distance over the summer. I started slowly during my beach vacation. Run 2 minutes, walk 1 minute. Then I ran 3 minutes, etc. Before I knew it, I had worked up to 3 miles.

At some point my feet started hurting. I knew it was time to jettison my 5-year-old running shoes and get a real pair. I actually went to the running store with the boy and got fitted for shoes. It made a world of difference. I was running 3 days a week and doing yoga another 3 days.

run!

I was digging it. Though over the summer it wasn’t that hard. I’d get out early before it got too hot and just run. After conquering the 5K I figured I’d work up to a 10K, so I started another training program to build up to that distance. I made it to the 6-mile mark without a lot of fuss. Even better, I found myself in cool places for work and I’d run there. It’s pretty okay to start the day with a run along Boulder Creek or the Embarcadero. Life could be worse.

I was routinely blowing past the suggested distance in the 10K program. I banged out almost 7 miles on one run and wasn’t totally spent. That’s when it hit me. Holy crap, I’m a runner. So I decided to run a half marathon in March. I figured that was plenty of time to get ready and a couple buddies committed to run with me. I did 8 miles and then 10 miles. Just to see if I could, and I could.

Then I thought, what the hell am I waiting for? My sister-in-law is running a half in early November and she is just working up to 10 miles. I signed up to run a half this Thanksgiving. I even paid $15 for the race t-shirt (it’s a free race, so the shirt was extra). That’s in about a month and I’ll be ready. If there is one thing I have learned from this, it’s that who I was doesn’t dictate what I can accomplish. I can overcome my own perceptions and do lots of things I didn’t think I could, including running.

–Mike

Photo credit: “Day 89 – After the Run” originally uploaded by slgckgc


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Security and Privacy on the Encrypted Network

Secure Agile Development

Trends in Data Centric Security

Incite 4 U

  1. Attitude > technical chops: It seems every day someone bitches to me about the difficulty in finding good people to staff the security function. Thom Langford thinks a lot of folks are looking in the wrong places, and that good potential security folks may already be in your organization – just not doing security. Thom added an executive assistant to the security team and it has worked out well for him because of her attitude and understanding of how to get things done within the organization. “Technology and hard skills are things that can be taught in relatively short periods of time; attitude is something that takes a lot longer to learn, decades even.” Actually, a lot of folks never learn the right attitude. But all the same, when you face a skills shortage you need to grow your own, and the right folks may already be right in front of you. – MR

  2. No shared secrets: I confess I get most of my iOS security knowledge from Rich, who reviews pretty much all things Apple from a security perspective, but I ran across a really good post on naked security which describes the iOS 8.1 security fixes. Beyond addressing the POODLE vulnerability, Apple closed a hole by no longer allowing Bluetooth devices to connect unencrypted, making it much harder to spoof communication with the device. Next they fixed a threat that let someone who got hold of your device gain access to an encrypted file without knowing your passcode. We don’t often see the whole of Apple’s strategy: use encryption pretty much everywhere, use encryption keys only accessible to you, and don’t share data or trust with third parties… including Apple and law enforcement. Which is the right way to do things. – AL

  3. How to get the CISO seat: Uh, don’t. Okay, all kidding aside some folks do aspire to sit in the senior security seat of an organization. This Dark Reading article goes through some of the trends, like it’s easier to get a CISO job if you have already been one (duh). And CISSP isn’t a necessary certification (my friends JJ and Dave may not be happy to hear that). Also CISOs are more likely to have a technical background. Which is curious because it is not really a technical position any more. My suggestion is to learn about the business. Understand how security helps achieve corporate goals. Get some quick wins for projects you lead. And then wait. Within 18 months the current CISO will be gone, and then you can fill in while they try to recruit from the outside. During that window, get some more quick wins and then roll out a strategy for a more effective security program. Even if you don’t get that job you will be ready to put your hat in the ring for other CISO jobs. But always remember to have your resume up to date – it’s not like CISO offers much job security. – MR

  4. Pull along: We have said on this blog many times that the only way to improve user security is to first make any new technology easier, and then sneak better security in with it. MasterCard realizes this too, as shown by their announcement of embedded fingerprint scanners on credit cards. The “easier to use” part is using a fingerprint scan to replace a PIN. Well, that and the fact that you no longer need to run it through a card swipe device – instead you just hold the card somewhere near the terminal for authentication. If this looks similar to Apple Pay without an iDevice, you’re right – user experience will be very similar, with the same merchant terminals. Again, none of this technology is new, but for the first time the US market has a shared vision of how to push security forward by making it easier for users to pay, with multiple options for providers. And who knows – maybe eventually we won’t need to replace cards every three months after the latest credit card data breach… – AL

  5. Another day, another retail breach. Staples, come on down! Krebs does it again. He discloses the Staples breach, leveraging his sources in the banking industry. Those folks would know, even if the organization doesn’t. Was it the same kind of malware? Don’t know. The same set of attackers? Don’t know. Brian’s sources believe it was a bunch of stores in the northeast. I’m sure we’ll know soon enough. Though you have to wonder now if we should switch to tracking retailers who haven’t lost credit card data… How long will it be before whitelisting is baked into these embedded Windows POS terminals? – MR

—Mike Rothman

Wednesday, October 15, 2014

Incite 10/15/2014: Competing

By Mike Rothman

A few years ago I had to stop competing. The constant need to win – whatever that even meant – was making me unhappy. Even when things were going well, I found some reason to feel like a loser. So I got off the hamster wheel and put myself in positions where I wasn’t really competing against others. I am always trying to improve, but I stopped doing that in terms of others. Set a goal. Work toward it. Adjust as needed.

The only time I even sort of compete now is my annual golf trip. Except for four rounds that weekend, I don’t play golf. It’s not that I don’t enjoy the game, but it just takes too much time. So every year 9-11 buddies and I go to a nice resort town and play a tournament Ryder Cup style. There is a draft and this year we used Potato Head dolls to represent the players. Mine was a riot, as you can see in the picture below. The captains negotiate handicaps and set the line-ups, and we play. The winners make some beer money and the losers… well, there aren’t actually any losers – we are hanging with buddies on a ridiculous beachfront property and playing golf every day.

Do NOT let your kids play with this toy

Since I’m not a good golfer, I am usually the high handicapper. But it’s not like that helps me much. At multiple points over four days, my game falls apart. I typically shoot between 120 and 130, usually losing the match. Except there are no losers, right? But this year was different. I missed last year’s trip so I hadn’t picked up my clubs in 2 years. I went to the new TopGolf near my house the day before the trip to hit some balls, and I was hitting solid and straight. But I entered the weekend with zero expectations about playing decent golf.

Without those expectations I was calm on the course. I just enjoyed being outside in a beautiful place. I had a few beers. OK, maybe more than a few. I kept my ego in the bag and swung nice and easy – even as some of the gorillas in my group hit 50-60 yards past me. I shot pretty well the first day (111) and with my handicap we smoked the other team. Huh. The next day I was playing a heads-up match. I shot a 101 and closed out my opponent on the 13th hole, which is apparently pretty good. Strange. My game didn’t fall apart. What’s going on here?

By this time I had a pretty sizable lead in the overall. The other guys on the trip started talking about how evidently I’m a golfer and wondering if I had secretly taken a crapload of lessons. Then I actually believed maybe I was a golfer, and I wanted to win. I started feeling bad when I hit a bad shot. Predictably my game fell apart and I shot 61 on the front.

Then I remembered that I don’t need to win, I just want to be credible. That is the key. It’s about not getting attached to the outcome and just having fun instead. So that’s what I did. Suffice it to say I shot 44 on the back and had a grand old time. I finished up Sunday with a 117 and took home the overall. That means I will be one of the captains next year – a place I never thought I’d be. I lost the final day match, but my team won the cup as well. So I won by not needing to win.

What was the difference? Without sounding corny, it’s all the mindfulness work I’m doing. I used body awareness and scanned my body for tension points before every swing to make sure I was relaxed. I visualized a good shot, not skulling the ball into the water hazard. I recognized that my increasing desire to win was causing tension, which resulted in bad shots. I had a short memory, so when I hit a bad shot I’d just let it go. Then I’d hit a good shot. Or not. I’d look up at the sky and be grateful that I was on the course. Then drink another beer.

At some point during the trip I made the connection. Golf is mostly a mental game, as is most of life. The work I’m doing to be more mindful translates directly – even to my golf trip. Controlling my own self-imposed expectations and decreasing the pressure I put on myself allowed me to compete without stressing out. Being able to maintain that for four days was a real victory. Winning the golf trophy is beside the point. At least for me…

–Mike

Photo credit: Incite Potato Head uploaded by MSR


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Security and Privacy on the Encrypted Network

Secure Agile Development

Trends in Data Centric Security

Incite 4 U

  1. Inside man (or woman): The Standard ran a short article about an attack in planning which will attempt to steal $1B from banks, based on penetrating chat rooms and various other intel. Two facets of this warrant discussion. First, any heist at this level is likely to require an inside person. Like the RBS ATM heist two years ago, without someone or something on the inside (either a legit employee or a compromised device) to squelch risk management alarms, they are likely to get caught. Which goes to show that at some point in every major attack, everyone is an insider. Second, I am not confident in the validity of their intelligence. If they had a smoking gun there would have been arrests. It’s not like they need a PR campaign to inform some banks they are being targeted. It feels more like a PR stunt. But we need to deal with inside men sooner or later. – MR

  2. Old school meet new school: To date there have been no public breaches of Big Data systems, but they are inevitable. Altiscale announced they would support SQL queries on their cloud Hadoop service. This is just a couple weeks after Apache announced the availability of Drill, which also provides a SQL query gateway to Hadoop. What could possibly go wrong with that? Both are likely to see adoption – not everyone wants to run MapReduce queries and not every programmer wants to learn the intricacies of a new query language during the development cycle. So bolting a SQL query parser onto Hadoop is a big win for people familiar with SQL. For security this means two things: attackers will begin to target Hadoop clusters with SQL injection attacks, and companies will begin to retrofit database activity monitoring and firewalls onto Hadoop to intercept these attacks. Both are well understood, but SQL injection is trivially easy for attackers, so it will be used as a probing attack just to see what works. Sooner rather than later it will… – AL

  3. What retailer isn’t pwned? The list of secure retailers is likely a lot shorter than the list of ones we know have been pwned. Kmart is the latest to hit the wires, but they won’t be the last. So we will see a surge in security spending in retail, and folks will buy a bunch of shelfware. Then attackers will lose interest and hit another industry. The retailers will go back to their old practices. And so it goes. Unless the entire world starts using Apple Pay for everything, and then the problem is solved. Yes, that’s a joke. But the sad truth isn’t really a laughing matter. In a business with small margins, retailers never invested in proper security, and now they are paying. Combine that with a lot of new technology going into stores and we have a recipe for disaster. Which is exactly what we are seeing. – MR

  4. Not news: We wondered if Apple would offer a sync capability to push Apple Pay credit card tokens to iPhones, to help banks cost-effectively push new credit card data out to consumers – that would be convenient, but likely an attack vector as well. Instead Apple will use a nagware approach to get users to update credit card numbers for iTunes and Apple devices. This simply means that if the card is out of date, the Apple Pay token won’t work around the issue, so you won’t be able to buy stuff with an expired card. Same as it ever was. You will be reminded that you need to enter a new card to use the service. We would expect nothing less, but we are often surprised by a lack of common sense when it comes to payment cards. Apple will also omit personal customer information from sales receipts – instead printing just the last four credit card digits with the card type. – AL

  5. Keep your friends closer: Everyone is spying on everyone else. So it’s no surprise that the FBI used Sabu as a pawn to attack all sorts of countries, including allies like the UK and Australia. Of course to stay on the right side of an ethical line, the FBI used Jeremy Hammond to actually attack – under Sabu’s direction. And then arrested him. Not that those were the only attacks he was responsible for, but still… It comes back to Baretta’s line: “Don’t do the crime if you can’t do the time.” Though you can imagine the State Department received a number of fun calls from allies wondering what data they stole. I guess that’s all part of the diplomatic life… – MR

—Mike Rothman

Wednesday, October 01, 2014

Incite 10/1/2014: Stranger in my own town

By Mike Rothman

I had a bit of a surreal experience earlier this week. Rich probably alluded to it a few times on the Twitter, but we are all as busy as we have been since we started the new Securosis 5 years ago. I’m traveling like a mad man and it’s getting hard to squeeze in important meetings with long-time clients. But you do what you need to – we built this business on relationships, and that means we pay attention to the ones that matter.

So when a Monday meeting on the west coast is the only window you can meet with a client before an important event, you do it. I flew out Sunday and had a good meeting Monday. But there was a slight complication. I was scheduled to do the mindfulness talk with JJ at the ISC2 Congress Tuesday morning in Atlanta. I had agreed to speak months ago and it’s my favorite talk, so there was no way I was bailing on JJ.

Use the soap Luke

That means the red-eye. Bah! I hate the red-eye. I have friends who thrive on it. They hate the idea of spending a working day in the air. I relish it because I don’t have calls and can mute the Tweeter. I get half a day of solid thinking, writing, or relaxing time. With in-flight networking I can catch up on emails and reading if I choose. So I can be productive and compensate for my challenges sleeping on planes. If I get a crappy night’s sleep the next couple of days are hosed, and that’s not really an option right now.

Thankfully I got an upgrade to first class, which is about as rare as sniffing unicorn dust. I poured my exhausted self into my first-class seat, plugged in my headphones, and slept pretty well, all things considered. It wasn’t solid sleep, but it was sleep. When we landed in ATL I felt decent. Which was a lot better than I expected. So what now?

Normally I’d get in the car and drive home to get all pretty for the conference. But that wouldn’t work this week because I needed to be in another city Tuesday afternoon, ahead of another strategy day on Wednesday. I didn’t have time to go home, clean up, and then head back downtown for my talk. I made some calls to folks who would be at the ISC2 conference and was graciously offered the use of a shower. But that would involve wading into some man soup in a flop room, so I was grateful for the offer, but kept looking for alternatives.

Then I realized the ATL airport has showers in some of its Sky Clubs. So I trudged down to the International Terminal and found a very spacious, comfortable changing room and shower. It was bigger than some hotel rooms I’ve had in Europe. I became a stranger in my own town. Showering up at my home airport to do a talk in my city before heading back to the airport to grab another flight to another city. The boy told me it was cool to be in 3 cities in less than a day. I told him not so much, but it’s what I do.

It’s a strange nomadic existence. But I’m grateful that I have clients who want to meet with me, and a family who is understanding of the fact that I love my job…

–Mike

Photo credit: “Darth Shower” originally uploaded by _Teb


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Security and Privacy on the Encrypted Network

Secure Agile Development

Trends in Data Centric Security

Incite 4 U

  1. Gorillas in the mist: In case you missed it, another important vulnerability was disclosed last week, aside from Shellshock. It was a flaw in the network security library used by Firefox and Google’s Chrome that allows an attacker to create forged RSA signatures to confuse browsers. In practice someone can fake a certificate for eBay or Amazon – or any other SSL connection – and act as a man-in-the-middle, collecting any private data sent down the pipe. You’d think that we would have beaten on SSL libraries enough to uncover these types of flaws, but just as with the bash shell vulnerability, we will be discussing critical vulnerabilities in foundational pieces of the Internet for a very long time. Now go update your browsers. – AL

  2. You have a plan – now what? Some more survey magic here – the Ponemons have figured out that just because an organization has an incident response plan doesn’t mean they are actually equipped to respond to incidents. There is a lot more to it, and without throwing around the arbitrary (I mean ‘survey’) numbers, let’s just say it takes a real commitment of people, process, and technology to get good at IR/M (Incident Response and Management). Oh yeah, and a lot of practice – fortunately, as we all know, there is no lack of practice for IR/M teams nowadays. But I don’t want to be a wet blanket – it is good to see more organizations with plans and IR/M teams. The point is that’s only the beginning of the story. The plan needs to be written, implemented, and evolved over a long period. – MR

  3. Sharing intel: With each indictment of (mostly) financially motivated attackers around the world, we see proof of better global collaboration among law enforcement. Interpol is stepping up its efforts by putting a new facility in Singapore as the coordination point for Asian cyber-collaboration among public and private entities. This is great because when countries become less territorial and work together more, it becomes much harder for attackers to escape the increasingly long arm of the law. Of course history shows that over time law enforcement becomes more territorial and less collaborative, so it is a bit early to declare victory, but this is a clear step in the right direction. – MR

  4. Scrupulously dishonest: “When they are talking, they are lying and when they are quiet they are stealing,” was a phrase I first heard used by Berkshire Hathaway’s co-chair Charlie Munger to describe Congressmen Jay Gould and Russell Sage. But I find it highly applicable to the FBI chief’s recent claim that Apple and Google’s new cell phone encryption allows people to put themselves above the law – playing the old and familiar kidnapping and terrorist trump cards as reasons we cannot have data security. Side-stepping the obvious problem of a key US law enforcement officer who is evidently unaware of the Constitution’s affirmation of privacy and human liberty, we need strong encryption to protect the basic infrastructure we rely upon. As we use our devices for health and fitness, for payments and finance, for family relations and whatever else we want to do, bad security serves criminals as well as law enforcement. If data – cloud or mobile – can be compromised by the US government, it will inevitably also be compromised by others for whatever purposes they deem necessary. That is unacceptable. – AL

  5. Following the money: It was just a matter of time before Kevin Mitnick started really trading on his name and selling zero-day exploits. He claims to leverage both in-house research and external attackers to sell guaranteed exclusive attacks priced at no less than $100,000. This is a guy who gets something like $10k to sign books, so it’s not surprising he’d pump up the prices with some Mitnick inflation to sell exploits. As smarmy as it feels, it’s probably a good idea. Anonymous attackers can leverage Mitnick’s reputation, and he gets to skim a bunch off the top for interesting attacks. Who he will ultimately sell exploits to is a slippery slope, but Kevin seems to know how to make money, so odds are it will be lucrative with some moral ambiguity thrown in for good measure. – MR

—Mike Rothman