Wednesday, July 01, 2015

Incite 7/1/2015: Explorers

By Mike Rothman

When I take a step back I see I am pretty lucky. I’ve seen a lot of very cool places. And experienced a lot of different cultures through my business travels. And now I’m at a point in life where I want to explore more. Not just do business hotels and see the sights from the front seat of a colleague’s car or taxi. I want to explore and see all the cool things this big world has to offer.

It hasn’t always been this way. For the first two decades of my career, I was so focused on getting to the next rung on the career ladder that I forgot to take in the sights. And forget about smelling the roses. That would take time away from my plans for world domination. In hindsight that was ridiculous. I’m certainly not going to judge others who still strive for world domination, but that does not interest me any more.

I’m also at a point in life where my kids are growing up, and I only have a few more years to show them what I’ve learned is important to me. They’ll need to figure out what’s important to them, but in the meantime I have a chance to instill a love of exploration. An appreciation of cultures. And a yearning to see and experience the world. Not from the perspective of their smartphone screen, but by getting out there and experiencing life.

Dora is an explorer

XX1 left for a teen tour last Saturday. Over the next month she’ll see a huge number of very cool things in the Western part of the US. The itinerary is fantastic, and made me wonder if I could take a month off to tag along. It’s not cheap and I’m very fortunate to be able to provide her with that opportunity. All I can do is hope that she becomes an explorer, and explores throughout her life. I have a cousin who just graduated high school. He’s going to do two years of undergrad in Europe to learn international relations – not in a classroom on a sheltered US campus (though there will be some of that), but out in the world. He’s also fortunate and has already seen some parts of the world, and he’s going to see a lot more over the next four years. It’s very exciting.

You can bet I’ll be making at least two trips over there so we can explore Europe together. And no, we aren’t going to do backpacks and hostels. This boy likes hotels and nice meals.

Of course global exploring isn’t for everyone. But it’s important to me, and I’m going to try my damnedest to impart that to my kids. But I have multiple goals. First, I think individuals who see different cultures and different ways of thinking are less likely to judge people with different views. Every day we see the hazards of judgmental people who can’t understand other points of view and think the answer is violence and negativity.

But it’s also clear that we move in a global business environment. Which means to prosper they will need to understand different cultures and appreciate different ways of doing things. It turns out the only way to really gain those skills is to get out there and explore.

Coolest of all is the fact that we all need travel buddies. I can’t wait for the days when I explore with my kids – not as a parent/child thing, but as friends going to check out cool places.

–Mike

Photo credit: “Dora the Explorer” originally uploaded by Hakan Dahlstroem


The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.


Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Threat Detection Evolution

Network-based Threat Detection

Applied Threat Intelligence

Network Security Gateway Evolution

Recently Published Papers


Incite 4 U

  1. Polishing the crystal ball: Justin Somaini offers an interesting perspective on The Future of Security Solutions. He highlights a lot of disruptive forces poised to fundamentally change how security happens over the next couple of years. To make the changes somewhat tangible and less overwhelming, Justin breaks the security world into a few buckets: Network Controls Management, Monitoring and Threat Response, Software Development, Application Management, Device Management, and Risk Management/GRC. Those buckets are as good as any others. We could quibble a bit about where the computing stack resides, which is really about the data. But he highlights a lot of concepts we published in our own Future of Security research. Suffice it to say, it really makes no difference whose version of the future world you believe, because we will all be wrong somehow. Just understand that things are changing for security folks, and you’ll either go headlong into the change or get run over. – MR

  2. Less bad: Bruce Schneier offered a personal look into his selection of full disk encryption options for Windows machines. Surprised he didn’t write his own? Don’t be. Design principles and implementation details make this a hard problem to simplify, and that’s what most users need. He calls his selection “the least bad option”, but honestly it’s noteworthy that the industry has (mostly) progressed past some kid fresh out of school forming a new company based on an algorithm he cobbled together during his graduate studies. Historically you couldn’t audit this superduper new encryption code, because it was someone’s intellectual property and might compromise security if anyone else could see it. The good news is that most of you will be fine with any of Bruce’s options, because you just need to make sure the contents of your drive can’t be copied by whoever steals your laptop. As long as you’re not worried about governments breaking into your stuff, you’re good. If you are worried about governments, then you understand how hard it is to defend against an adversary with vast resources, and why “the least bad option” is really the only option for you. – AL

  3. Due care and the profit motive: Given the breach du jour we seem to read about every day, Trey Ford on the Rapid7 blog reiterates a reasonable question he heard at a recent convention from a government employee: “How do you build a standard of due care?” The Feds think putting Mudge in charge of a CyberUL initiative is a good place to start. I can’t disagree – yet. But I still believe we (as an industry) cannot legislate our way out of the issues of crap security and data protection. Trey mentions the need for information sharing (an NTSB of sorts for breaches) and cyberinsurance underwriting based on data instead of voodoo. I agree on both counts, but add that we need a profit driver to focus the innovation on options that make sense for enterprises, large and small. NIST puts out a bunch of great stuff, but it’s not always relevant to everyone. But if they had to pay their own way, Mr. Market says they’d figure out something that works for a large swath of businesses. Or they’d go away. We have threat intel as a business, and have always talked about the need for metrics/benchmarking businesses to help organizations know how they compare to others, and to optimize their limited resources accordingly. Needing to generate money to keep the lights on tends to help organizations narrow their efforts down to what matters, which legislation doesn’t. – MR

  4. The failure of documentation: I had a peer to peer (P2P) session at the RSA Conference this year on moving security into the Agile development process. But that is not what happened – instead security played a small part, and general process failures a much larger one. In fact it was a room filled mostly with people who had recently tried to move to Agile, and were failing miserably. The number one complaint? “How do we handle documentation?” QA, design, and all the other groups demand their specifications. I stepped on my instinct to say “You’re doing it wrong” – documentation is one of the things you are striving to get rid of, but a lack of agility across the rest of the company trips up many Agile efforts. A handful of people in the room had adopted continuous integration and continuous deployment, which offer one or more solutions to the group’s problems. I am not saying all problems are solved by DevOps – just that the common failure modes in that P2P discussion can be traced back to the silos we created in the days of waterfall, and need to be broken up for Agile processes to thrive. Darknet’s discussion on Agile Security raises the same concerns, and reached a similar conclusion. Security – and the rest of the team for that matter – needs to be better integrated with development. Which we have known for a long time. – AL

  5. Bootstrapping the IR report: Too many incident response reports are pretty short. Slide 1: We got owned. Slide 2: Please don’t fire me. Ugh. Okay, maybe not quite that short, but it’s not like the typical practitioner has models and guides to help document an incident – and, more importantly, to learn from what happened. So thank Lenny Zeltser, who posted a template which combines a bunch of threat, intrusion, and response models into a somewhat coherent whole. It is obviously valuable to have a template for documentation, and you can refine the pieces that work for you after a response or ten. Additionally you can use his template to guide your response if you don’t have an established incident response process. Which is really the first thing you should create. But failing that, Lenny’s template can help you understand the information you should be gathering and its context. – MR

—Mike Rothman

Thursday, June 11, 2015

Incite 6/10/2015: Twenty Five

By Mike Rothman

This past weekend I was at my college reunion. It’s been twenty-five years since I graduated. TWENTY-FIVE. It’s kind of stunning when you think about it. I joked after the last reunion in 2010 that the seniors then were in diapers when I was graduating. The parents of a lot of this year’s seniors hadn’t even met. Even scarier, I’m old enough to be their parent. It turns out a couple of friends who I graduated with actually have kids in college now. Yeah, that’s disturbing.

It was great to be on campus. Life is busy, so I only see some of my college friends every five years. But it seems like no time has passed. We catch up about life and things, show some pictures of our kids, and fall right back into the friendships we’ve maintained for almost thirty years. Facebook helps people feel like they are still in touch, but we aren’t. Facebook isn’t real life – it’s what you want to show the world. Fact is, everything changes, and most of that you don’t see. Some folks have been through hard times. Others are prospering.

Dunbar's Ithaca NY

Even the campus has evolved significantly over the past five years. The off-campus area is significantly different. Some of the buildings, restaurants, & bars have the same names; but they aren’t the same. One of our favorite bars, called Rulloff’s, shut down a few years back. It was recently re-opened and pretty much looked the same. But it wasn’t. They didn’t have Bloody Marys on Thursday afternoon. The old Rulloff’s would have had gallons of Bloody Mix preparing for reunion, because that’s what many of us drank back in the day. The new regime had no idea. Everything changes.

Thankfully a bar called Dunbar’s was alive and well. They had a drink called the Combat, which was the root cause of many a crazy night during college. It was great to go into D-bars and have it be pretty much the same as we remembered. It was a dump then, and it’s a dump now. We’re trying to get one of our fraternity brothers to buy it, just to make sure it remains a dump. And to keep the Combats flowing.

It was also interesting to view my college experience from my new perspective. Not to overdramatize, but I am a significantly different person than I was at the last reunion. I view the world differently. I have no expectations for my interactions with people, and am far more accepting of everyone and appreciative of their path. Every conversation is an opportunity to learn, which I need. I guess the older I get, the more I realize I don’t know anything.

That made my weekend experience all the more gratifying. The stuff that used to annoy me about some of my college friends was no longer a problem. I realized it has always been my issue, not theirs. Some folks could tell something was different when talking to me, and that provided an opportunity to engage at a different level. Others couldn’t, and that was fine by me; it was fun to hear about their lives.

In 5 years more stuff will have changed. XX1 will be in college herself. All of us will undergo more life changes. Some will grow, others won’t. There will be new buildings and new restaurants. And I’ll still have an awesome time hanging out in the dorms until the wee hours drinking cocktails and enjoying time with some of my oldest friends. And drinking Combats, because that’s what we do.

–Mike

Photo credit: “D-bars” taken by Mike in Ithaca NY






Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Threat Detection Evolution

Network-based Threat Detection

Applied Threat Intelligence

Network Security Gateway Evolution

Recently Published Papers


Incite 4 U

  1. Vulnerabilities are not intrusions: Richard Bejtlich is a busy guy. As CSO of FireEye, I’m sure his day job keeps him pretty busy, as well as all his external responsibilities to gladhand big customers. So when he writes something on his personal blog you know he’s pissed off. And he’s really pissed that it seems parties within the US federal government don’t understand the difference between vulnerabilities and intrusions. In the wake of the big breach at the Office of Personnel Management (yeah, the Fed HR department), people are saying that the issue was the lack of implementation of CDM (continuous diagnostic monitoring). But that just tells you what’s vulnerable, and we all know that’s not a defense against advanced adversaries. Even the lagging Einstein system would have had limited success, but at least it’s focusing on the right stuff: who is in your network. Richard has been one of the most fervent evangelists of hunting for adversaries, and his guidance is pretty straightforward: “find the intruders in the network, remove them, and then conduct counter-intrusion campaigns to stop them from accomplishing their mission when they inevitably return.” Easier said than done, of course. But you will never get there if your answer is a vulnerability management program. – MR

  2. De-Googled: The Internet is a means for people to easily find information, but many large firms use the Internet to investigate you, and leverage it to monitor pretty much everything users do online. Every search, every email, every purchase, every blog comment, all the time – from here to eternity. I know a lot of privacy advocates who read the blog. Heck, I talk to many of them at security conferences, and read their comments on the stuff we post. If that’s you, a recent post from ExpressVPN on How to delete everything Google knows about you should be at the top of your reading list. It walks you through a process to collect and then delete your past Google history. I can’t vouch for the accuracy of the steps – frankly I am too busy to try it out – but it’s novel that Google provided the means, and someone has documented the obfuscated steps to delete your history. Bravo! Of course if you continue to use the embedded Google search bar, or Google+, or Gmail, or any of the other stuff Google offers, you will still be tracked. – AL

  3. What point are you trying to make? There have always been disagreements over the true cost of a lost data record. Ponemon has been publishing numbers in the hundreds of dollars per record for years (this year’s number was $350), and Verizon Business recently published a $0.58 number in the 2015 DBIR. So CSO asks if it’s $350 or $0.58? The answer is neither. There is no standard cost. There is only what it costs you, and how much you want to bury in that number to create FUD internally. Ponemon includes pretty much everything (indirect costs) and then some. Verizon includes pretty much nothing and bases their numbers off insurance claims, which can be supported by objective data. Security vendors love Ponemon’s numbers. Realists think Verizon’s are closer. Again, what are you trying to achieve? If it’s to scare the crap out of the boardroom, Ponemon is your friend. If it’s to figure out what you’ll get from your cyber-insurance policy, you need the DBIR. As we have always said, you can make numbers dance and tell whatever story you want them to. Choose wisely. – MR

  4. Barn door left open: Apache ZooKeeper is a configuration management and synchronization tool commonly used in Hadoop clusters. It’s a handy tool to help you manage dynamic databases, but it moves critical data between nodes, so the privacy and integrity of its data are critical to safe and secure operations. Evan Gilman of PagerDuty posted a detailed write-up of a ZooKeeper session encryption bug found in an Intel extension to Linux kernel modules and XEN hypervisors which essentially disables checksums. In a nutshell, the Intel support for AES within encryption module aesni-intel, which is used for VPNs and SSL traffic, will – under certain circumstances – disable checksums on the TCP headers. That’s no bueno. The bug should be simple to fix, but at this time there is no patch from Intel. Thanks to the guys at PagerDuty for taking the time to find and document this bug for the rest of us! – AL
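What losing the TCP checksum actually costs a receiver, as an added example (this is not code from the PagerDuty write-up or from this post): the block builds a TCP segment with a valid RFC 793 checksum over an IPv4 pseudo-header, then shows that a receiver which skips verification accepts a bit-flipped segment that a verifying receiver drops. It also shows the caveat that even a verifying receiver cannot catch a swap of two 16-bit words, which is why a transport checksum is no substitute for authenticated encryption of the data ZooKeeper moves. The addresses, ports and payload are constructed; ZooKeeper itself is not involved.

```python
"""TCP checksum check over a constructed segment.  Standard library only."""
import ipaddress
import struct

TCP_PROTO = 6


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"            # odd-length input is padded on the right
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:             # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: str, dst_ip: str, tcp_len: int) -> bytes:
    """IPv4 pseudo-header (src, dst, zero, protocol, TCP length) that RFC 793
    folds into the TCP checksum so misdelivered segments are also caught."""
    return (ipaddress.IPv4Address(src_ip).packed
            + ipaddress.IPv4Address(dst_ip).packed
            + struct.pack("!BBH", 0, TCP_PROTO, tcp_len))


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Complemented sum over pseudo-header + segment.  With the checksum field
    zeroed this yields the value to transmit; with it in place it yields 0
    for an intact segment."""
    s = ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment)
    return (~s) & 0xFFFF


def build_segment(src_ip, dst_ip, src_port, dst_port, seq, ack, payload: bytes) -> bytes:
    """Minimal 20-byte TCP header (no options), PSH|ACK, with a valid checksum."""
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, seq, ack,
                         5 << 4,        # data offset: 5 words = 20 bytes
                         0x18,          # flags: PSH | ACK
                         65535, 0, 0)   # window, checksum (zero for now), urgent
    csum = tcp_checksum(src_ip, dst_ip, header + payload)
    return header[:16] + struct.pack("!H", csum) + header[18:] + payload


def checksum_ok(src_ip, dst_ip, segment: bytes) -> bool:
    """Receiver-side verification: the complemented sum with the checksum
    field in place must be zero."""
    return tcp_checksum(src_ip, dst_ip, segment) == 0


def receive(src_ip, dst_ip, segment: bytes, verify: bool = True):
    """Deliver the payload, or return None when the segment is dropped.
    verify=False models a stack whose checksum verification is disabled,
    which is the failure mode the item describes."""
    if verify and not checksum_ok(src_ip, dst_ip, segment):
        return None
    data_offset = (segment[12] >> 4) * 4
    return segment[data_offset:]


def corrupt(segment: bytes, offset: int) -> bytes:
    """Flip the low bit of one byte, modelling a single-bit transmission error."""
    b = bytearray(segment)
    b[offset] ^= 0x01
    return bytes(b)


def swap_words(segment: bytes, off_a: int, off_b: int) -> bytes:
    """Exchange two aligned 16-bit words.  The one's-complement sum is
    commutative, so the checksum cannot detect this reordering."""
    b = bytearray(segment)
    b[off_a:off_a + 2], b[off_b:off_b + 2] = b[off_b:off_b + 2], b[off_a:off_a + 2]
    return bytes(b)


# Constructed sample: a client pushing a config value to a server on port 2181.
SRC, DST = "10.0.0.5", "10.0.0.7"
PAYLOAD = b"/config/db-primary=10.0.0.9"
SEGMENT = build_segment(SRC, DST, 40123, 2181, 1000, 2000, PAYLOAD)
HDR_LEN = 20

if __name__ == "__main__":
    bad = corrupt(SEGMENT, HDR_LEN + PAYLOAD.index(b"9"))   # '9' becomes '8'
    print("verifying receiver    :", receive(SRC, DST, bad))
    print("non-verifying receiver:", receive(SRC, DST, bad, verify=False))
    print("word swap still passes:", checksum_ok(SRC, DST, swap_words(SEGMENT, 20, 22)))
```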

  5. Cyber all the VC things…: Mary Meeker survived the Internet bubble as the Internet’s highest profile stock analyst, and then moved west to work with VC big shots Kleiner Perkins. She still writes the annual Internet Trends report and this year security has a pretty prominent place. Wait, what? So, in case you were wondering whether security is high-profile enough, it is. We should have been more careful about what we wished for. She devoted two pages to security in the report. Of course her thoughts are simplistic (Mobile devices are used to harvest data and insiders cause breaches. Duh.) and possibly even wrong. (Claiming MDM is critical for preventing breaches. Uh, no.) But she pinpoints the key issue: the lack of security skills. She is right on the money with that one. Overall, we should be pleased with the visibility security is getting. And it’s not going to stop any time soon. – MR

—Mike Rothman

Wednesday, May 20, 2015

Incite 5/20/2015: Slow down [to speed up]

By Mike Rothman

When things get very busy it’s hard to stay focused. There is so much flying at you, and so many things stacking up. Sometimes you just do the easy things because they are easy. You send the email, you put together the proposal, you provide feedback on the document. It can be done in 15 minutes, so you do it. Leaving the bigger stuff for later. At least I do.

Then later becomes the evening, and the big stuff is still lagging. I pop open the laptop and try to dig into the big stuff, but that’s very hard to do at the end of the day. For me, at least. In the meantime a bunch more stuff showed up in the inbox. A couple more things need to get done. Some easy, some hard. So you run faster, get up earlier, rearrange the list, get something done. Wash, rinse, repeat. Sure, things get done. But I need to ask whether it’s the right stuff. Not always.

Slow down. You're going too fast!

I know this is a solved problem. For others. They’ll tell me about their awesome Kanban workflow to control unplanned work. How they use a Pomodoro timer to make sure they give themselves enough time to get something done. Someone inevitably busts out some GTD goodness or possibly some Seven Habits wisdom. Sigh. Here’s the thing. I have a system. It works. When I use it.

The lack of a system isn’t my problem. It’s that I’m running too fast. I need to slow down. When I slow down things come into focus. Sure, more stuff may pile up. But not all that stuff will need to get done. The emails will still be there. The proposal will get written, when I have a slot open to actually do the work. And when I say slow down, that doesn’t mean work less. It means give myself time to mentally explore and wander. With nowhere to be. With nothing to achieve.

I do that through meditation, which I haven’t done consistently over the last few months. I prioritized my physical practices (running and yoga) for the past few months, at the expense of my mental practice. I figured if I just follow my breath when running I can address both my mental and physical practice at the same time. Efficiency, right? Nope. Running and yoga are great. But I get something different from meditation.

I’m most effective when I have time to think. To explore. To indulge my need to go down paths that may not seem obvious at first. I do that when meditating. I see the thought and sometimes I follow it down a rathole. I don’t know where it will go or what I’ll learn. I follow it anyway. Sometimes I just let the thought pass and return my awareness to the breath. But one thing is for sure – my life flows a lot easier when I’m meditating every day. Which is all that matters.

So forgive me if I don’t respond to your email within the hour. I’ll forgive myself for letting things pile up on my to do list. The emails and tasks will be there when I’m done meditating. It turns out I will be able to work through lists much more efficiently once I give myself space to slow down. Strangely enough, that allows me to speed up.

–Mike

Photo credit: “Slow Down” originally uploaded by Tristan Schmurr






Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Network-based Threat Detection

Applied Threat Intelligence

Network Security Gateway Evolution

Recently Published Papers


Incite 4 U

  1. Don’t believe everything you read: The good news about Securosis’ business is that we don’t have to chase news. Sure, if there is something timely and we have room on our calendar, we’ll comment on current events. But if you look at our blog lately it’s clear we’re pretty busy. So we didn’t get around to commenting on this plane hacking stuff. But if we wait around long enough, one of our friends will say pretty much what I’m thinking. So thanks to Wendy who summed up the situation nicely. And that reminds me of something I have to tell my kids almost every day. Don’t believe everything you read on the Internet. You aren’t getting the full story. Media outlets, bloggers, and other folks with websites have agendas and biases. Consider what you read with a skeptical eye and confirm/validate to ensure you have the full story. Or fall in line with the rest of the lemmings who believe what they read, and react emotionally to what usually amounts to a pile of rubbish. – MR

  2. Super-Fish-er: Dennis Fisher over at ThreatPost wrote a great article highlighting ad injector networks and how attackers are hijacking SSL connections to collect ad revenue for bogus ‘clicks’ from bogus sites. It’s a sobering look at how your computer can be leveraged – with a couple simple alterations – to behave just like another person. So much of browsers’ behavior is hidden from users precisely to hide the avalanche of ads and tracking that it’s fairly easy for attackers to hide within that environment. We will see lots more hacking of ad networks while this remains so profitable. – AL

  3. The monster in the closet: I really like Scott Roberts’ discussion of Imposter Syndrome – basically the fear that you will be found out as a fraud. He looks at it from the perspective of DFIR. We all struggle with it. Our brains, in a misplaced attempt to protect us, make us feel unworthy. It turns out that feeling can shut you down, or motivate you to continue growing and learning. Scott’s recommendations include being aware of the feelings and searching out experts who can help you learn and grow. Every time I question my skills I remember that I do different things differently than most everyone else. I’m not trying to be anyone else so I can’t really be an imposter. And if someone doesn’t appreciate what I do or how I do it, that’s fine by me. You can’t make everyone happy all the time, and that includes your internal imposter. Acknowledge it, and then let it go. – MR

  4. Financial aid: In news that surprised no one, the University of California, Los Angeles (UCLA) announced 800k records were accessed by hackers – far bigger than the 2009 UC Berkeley breach. Some of you with mad crazy math skilz may be saying, “Hey, wait, even at 50k students a year, that’s 16 years of student data!” but the stolen records included application data, including all that financial aid related stuff students provide universities. It’s normally at this point where we ask, “What the frack are you doing keeping all those records?!” and recommend deletion or crypto-shredding to dispose of data, but in this case that does not matter as much – the attackers gained access in 2005. Yeah, ten years, so we’ll just say your odds of detecting a compromise without monitoring are pretty much zero. – AL

  5. Maturity is a thing… A while back (I’m a bit behind in my reading) Brian Krebs posted about security maturity. He presented a couple of models to describe how a security program changes based on the maturity of the function. We use this concept a lot because it makes sense, especially to those stepping into a very unsophisticated shop who need to advance it quickly. First you have to acknowledge where you are today – honestly. Deceiving yourself is not going to help. But even more importantly, you need to figure out where you want to be. What is your goal? And then you can figure out how much that will cost. Not every organization needs a world-class security program. Ultimately this is a convenient metaphor to manage expectations because it forces everyone to think about the end goal, and we all know how critical that is. – MR

—Mike Rothman

Wednesday, May 06, 2015

Incite 5/6/2015: Just Be

By Mike Rothman

I’m spent after the RSAC. By Friday I have been on for close to a week. It’s nonstop, from the break of dawn until the wee hours of the morning. But don’t feel too bad – it’s one of my favorite weeks of the year. I get to see my friends. I do a bunch of business. And I get a feel for how close our research is to reflecting the larger trends in the industry.

But it’s exhausting. When the kids were smaller I would fly back early Friday morning and jump back into the fray of the Daddy thing. I had very little downtime and virtually no opportunity to recover. Shockingly enough, I got sick or cranky or both. So this year I decided to do it differently. I stayed in SF through the weekend to unplug a bit.

be

I made no plans. I was just going to flow. There was a little bit of structure. Maybe I would meet up with a friend and get out of town to see some trees (yes, Muir Woods was on the agenda). I wanted to catch up with a college buddy who isn’t in the security business, at some point. Beyond that, I’d do what I felt like doing, when I felt like doing it. I wasn’t going to work (much) and I wasn’t going to talk to people. I was just going to be.

Turns out my friend wasn’t feeling great, so I was solo on Friday after the closing keynote. I jumped in a Zipcar and drove down to Pacifica. Muir Woods would take too long to reach, and I wanted to be by the water. Twenty minutes later I was sitting by the ocean. Listening to the waves. The water calms me and I needed that. Then I headed back to the city and saw an awesome comedian was playing at the Punchline. Yup, that’s what I did. He was funny as hell, and I sat in the back with my beer and laughed. I needed that too.

Then on Saturday I did a long run on the Embarcadero. Turns out a cool farmer’s market is there Saturdays. So I got some fruit to recover from the run, went back to the hotel to clean up, and then headed back to the market. I sat in a cafe and watched people. I read a bit. I wrote some poetry. I did a ZenTangle. I didn’t speak to anyone (besides a quick check-in with the family) for 36 hours after RSA ended. It was glorious. Not that I don’t like connecting with folks. But I needed a break.

Then I had an awesome dinner with my buddy and his wife, and flew back home the next day in good spirits, ready to jump back in. I’m always running from place to place. Always with another meeting to get to, another thing to write, or another call to make. I rarely just leave myself empty space with no plans to fill it. It was awesome. It was liberating. And I need to do it more often.

This is one of the poems I wrote, watching people rushing around the city.

Rush
You feel them before you see
They have somewhere to be
It’s very important
Going around you as quickly as they can.
They are going places.

Then another
And another
And another
Constantly rushing
But never catching up.

They are going places.
Until they see
that right here
is the only place they need to be.
– MSR, 2015

–Mike

Photo credit: “65/365: be. [explored]” originally uploaded by It’s Holly






Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Network-based Threat Detection

Applied Threat Intelligence

Network Security Gateway Evolution

Recently Published Papers


Incite 4 U

  1. Threat intel still smells like poop? I like colorful analogies. I’m sad that my RSAC schedule doesn’t allow me to see some of the more interesting sessions by my smart friends. But this blow-by-blow of Rick Holland’s Threat Intelligence is Like Three-Day Potty Training makes me feel like I was there. I like the maturity model, and know many large organizations invest a boatload of cash in threat intel, and as long as they take a process-centric view (as Rick advises) they can get great value from that investment. But I’m fixated on the not-Fortune 500. You know, organizations with a couple of folks on the security team (if that) and a budget of a few Starbucks cards for threat intel. What do those folks do? Nothing right now, but over time they will expect and get threat intel built into their controls. Why should they have to spend time and money they don’t have to integrate data their products should just use? Oh, does that sound like the way security products have worked for decades? Driven by dynamic updates from the vendor who produces the device? Right, back to the future. But a better future with better data, and possibly even better results. – MR

  2. Backwards: In the current round of vulnerability disclosure lunacy, the FBI detained security researcher Chris Roberts – who recently disclosed major vulnerabilities in airline in-flight WiFi systems – for questioning after exiting a recent flight. What makes this story suspect is that Roberts was cooperating with airlines and the FBI prior to this. He met with both to discuss the issues, so they were fully aware of his findings. From statements it looks like the FBI performed a forensic analysis of the plane’s systems, and given their desire to examine Roberts’ laptop, it looks like this was an attempt to determine whether Roberts stupidly hacked the plane he was on. The disclosure was a month prior, so the FBI could have pulled Roberts prior to boarding, or gone to his office, or even called and asked him to come in – but that’s not what they did. So far as we know, none of the executives who produce the vulnerable WiFi systems has been pulled from their flights; and more troubling, none of those systems were disabled pending investigation prior to Roberts’ flight. If the threat was serious, quietly disabling in-flight entertainment would be the correct action – not a grandstanding public arrest of a guy openly trying to get vulnerabilities fixed. – AL

  3. Even a mindset shift won’t solve the problem: Working through the round-ups of RSAC 2015, I found some coverage of RSA President Amit Yoran’s keynote. His main contention was that security issues come down to having a change mindset, as opposed to expecting some new widget to solve all problems. I like that message, because I agree that chasing shiny new products and services, seeking a silver bullet, has moved us backwards. Clearly a mindset shift to focus on the people side is necessary, but it’s not sufficient. I think the goal of stopping attackers is a bit misguided, so that’s what we need to shift. It’s about managing loss, not blocking attacks. Some loss is actually necessary, because loss would be too expensive to completely avoid. But how can you find the right balance? That’s the art of doing security. Balancing the value of what’s at risk with the cost to protect it. Feel better now? – MR

  4. Busting the confusion: When the cloud was new some experts told us it was nothing more than outsourced mainframe computing. Lots of rubbish like that gets thrown out there when people don’t fully comprehend innovative or disruptive technology. Such is also the case with DevOps, and Gene Kim’s recent myth-busting article for DevOps makes some great points to address some of the big misconceptions I hear frequently. For me his first point is the biggest: DevOps does not replace Agile. DevOps helps make the rest of the organization more Agile. Additionally, the Agile with Scrum development methodology continues to work as before, but with less friction and fewer impediments from outside groups. Sure, automation of many IT and QA tasks into a development pipeline is a big part of that, but focusing on that aspect diminishes the importance of addressing Work in Progress, a bigger source of friction. Gene’s comments are right on the mark and required reading – at least for those of you who don’t take the time to read The Phoenix Project. And yes, you should make that time. – AL

  5. Cheaters. Shocking! It seems a bevy of Chinese anti-virus vendors keep getting caught cheating on effectiveness tests, according to Graham Cluley. I find this pretty entertaining, mostly because anyone who buys an AV product based on the results of an effectiveness test is a joke. Additionally, it seems people forget that China plays business by different rules. They have no issue with taking your intellectual property, because they view it differently. So why would anyone be surprised that they think differently about AV comparison tests? It comes back to something we learned early on: you can’t expect other folks to act like you. Just because you won’t cheat doesn’t mean other folks are bound by the same ethics. You need to understand how to buy these products, and if you’re relying on third-party testing you will get what you deserve. – MR

—Mike Rothman

Wednesday, April 15, 2015

Incite 4/15/2015: Boom

By Mike Rothman

I’ve been on the road a bit lately, and noticed discussions keep working around to the general health of our industry. I’m not sure whether we’re good or just lucky, but we security folk find ourselves in the middle of a maelstrom of activity. And that will only accelerate over the next week, as many of us saddle up and head to San Francisco for the annual RSA Conference. We’ve been posting our RSA Conference Guide on the RSA Conference blog (are they nuts?) and tomorrow we’ll post our complete guide with all sorts of meme goodness.

The theme of this year’s Disaster Recovery Breakfast is be careful what you wish for. For years we have wanted more internal visibility for security efforts. We wanted to engage with senior management about why security is important. We wanted to get more funding and resources to deal with security issues. But now it’s happening. CISO types are being called into audit committee meetings and to address the full board (relatively) frequently. Budget is being freed up, shaken loose by the incessant drone of the breach of the day. We wanted the spotlight and now we have it. Oh crap.

balloon go boom

And investors of all shapes and sizes want a piece of cybersecurity. We’ve been engaged in various due diligence efforts on behalf of investors looking at putting money to work in the sector. You see $100MM funding rounds for start-ups. WTF is that about? A friend told me his successful friends call him weekly asking to invest in security companies. It’s like when you get stock tips from a cabbie (or Uber driver), it’s probably time to sell. That’s what this feels like.

But security will remain a high-profile issue. There will be more breaches. There will be additional innovative attacks, probably hitting the wires next week, when there is a lot of focus on security. Just like at Black Hat last year. Things are great, right? The security juggernaut has left the dock and it’s steaming full speed ahead. So why does it feel weird? You know, unreal?

Part of it is the inevitable paranoia of doing security for a long time. When you are constantly trying to find the things that will kill you, it’s hard to step back and just appreciate good times. Another part is that I’ve lived through boom and bust cycles before. When you see low-revenue early-stage start-ups acquired for $200MM+ and raising $50MM+ funding rounds, you can’t help but think we are close to the top of the boom. The place to go from there is down. Been there, done that. I’m still writing off my investment tax losses from the Internet bubble (today is Tax Day in the US).

But you know what? What’s the use in worrying? I’m going to let it play out and do a distinctly atypical thing and actually enjoy the boom. I was too young and naive to realize how much fun the Internet boom was on the way up. I actually believed that was the new normal. Shame on me if I can’t enjoy it this time around.

I’ll be in SF next week with a huge smile on my face. I will see a lot of friends at RSAC. Rich, Adrian, and I will offer a cloud security automation learning lab and JJ and I will run a peer-to-peer session on mindfulness. I’ll have great conversations with clients and I’m sure I’ll fill the pipeline for the next couple months with interesting projects to work on. I’ll also do some damage to my liver. Because that’s what I do.

These halcyon days of security will end at some point. There is no beanstalk that grows to the sky. But I’m not going to worry about that now. I’ll ride through the bust, whenever it comes. We all will. Because we’re security people. We’ll be here when the carpetbaggers have moved on to the next hot sector promising untold riches and easy jobs. We’ll be here after the investors doing stupid deals wash out and wonder why they couldn’t make money on the 12th company entering the security analytics business. We’ll be here when the next compliance mandate comes and goes, just like every other mandate.

We’ll be here because security isn’t just a job. It’s a calling. And those who have been called ride through the booms and the busts. Today is just another day of being attacked by folks who want to steal your stuff.

–Mike

Photo credit: “Explosion de ballon Polyptyque” originally uploaded by Mickael


Have you registered for Disaster Recovery Breakfast VII yet? What are you waiting for? Check out the invite and then RSVP to rsvp (at) securosis.com, so we know how much food to get…

Incite 4 U

  1. Slap in the face: Part of the cellphone security model is locking and/or remotely wiping stolen cellphones. Allowing owners to control transfer of ownership makes stolen phones almost worthless, and should discourage phone theft. But a giant case of insider fraud at AT&T barely made news last week, because it was positioned in the press as just another data breach. The real story is that a handful of employees in foreign markets accessed customer accounts to allow the transfer and activation of stolen phones. What makes the story so painful is that the criminal organization which got its mules into AT&T profited, the US government got the cost of its investigation covered by the $25M fine, and AT&T enjoyed 500k or so new subscribers on stolen phones and a tax write-down on the fine. The slap is that people who had phones stolen get worthless “credit monitoring”, while FCC chair Tom Wheeler sprays perfume onto this steaming pile by claiming this is a victory for privacy – which implies the insiders actually stole personal information, rather than just transferring phone ownership. – AL

  2. Lay off my forensicators: In what appears to be another example of a company with too many lawyers, one company is sore that another company hired a bunch of their people. MasterCard is suing Nike over former MC employees allegedly taking ‘proprietary’ network configurations to their new employer. But the hook in the suit is that some service providers were now working with Nike instead of MC. So apparently we are not in a free-market economy and service providers have become indentured servants to their clients. Bah. Too many damn lawyers. There has to be a better way to handle this. If they wanted to cut down employee churn, perhaps they could make it more interesting and attractive for employees to stick around. And there isn’t much you can do if an employee leaves, taking their multi-decade relationships with service providers. But when you have lawyers, evidently you need to lawyer up. – MR

  3. You’re the product: It’s not a question of whether your emails are tracked – Wired Magazine explains a browser tool to detect common email tracking elements, nicely illustrating that the only question is by whom and how many firms track each email you receive or send. It’s not uncommon to receive email with several trackers embedded – I get some with a half dozen. In some cases the trackers are added unbeknownst to the sender, instead tacked on by service providers. Most email providers earn money by tracking you, and every marketing manager running a ‘campaign’ demands to know not just who – but how – people are reading their precious content, so pretty much every email is tracked. Be it a browser or a dedicated mail tool, these email viewers don’t offer any insight into what’s being requested, by whom, or how much data they pull out. Of course not, because that might interfere with their ability to monetize you. The web pages you visit are far worse: even the Wired web page for that article serves fourteen trackers from sites you didn’t visit and which don’t serve the content you requested. They are solely to track what you do and how you do it, and that data is likely shared and resold yet again. The tools listed in this Wired article – such as UglyMail – lift just one veil obscuring the horrors underneath. If you really want to see – and control – what your email client and browsers transmit, get an outbound firewall to detect and filter. Remember, if you’re not paying, you’re the product. – AL

  4. Minority Security Report: One of the hot hot hot areas of security for 2015 is insider threat detection. These new security analytics tools look at a bunch of data and have means to determine when an employee is doing something that puts corporate data at risk. It turns out these technologies have been under development for a while for other use cases as well. For instance JP Morgan has a system that looks for signs that a trader is going to go rogue. Evidently they’ve profiled and found patterns that indicate an employee is going to do bad stuff. So they can then put the employee under watch. Is this a slippery slope? Yes and no. There is nothing wrong with monitoring an employee’s behavior if they show indicators of doing something bad for the organization. But how do you deal with false positives? And could the tools be used to curry favor for political purposes within the organization? I guess we should expect the equivalent of the Salem Witch Trials at some point. – MR

  5. Any time now: In 1999 I saw my first television ad proclaiming the amazing benefits of chip-based credit cards, and how they would protect customers and banks from fraud. It was the “Internet Age”, these cards looked Star Trek cool, and I wanted one. Too bad: my bank didn’t carry them. And even if they did, none of the merchants used the chip-based capabilities to counter card cloning. Fast forward to today, 16 frigging years later, and it’s still the same. My bank, sadly, still does not issue EMV-based credit cards. They do have a plan to roll them out, oh, sometime in 2016. So while I think it’s beyond pathetic that food retailers have asked for an extension on the EMV deadline – which shifts card fraud liability onto merchants who do not comply – I get it. It’s not just that they have been dragging their feet, but banks have been dragging as well. But honestly, the only way these cards can supplant magstripes in the US is for the card brands to not extend the deadline and to shift liability. When the financial incentive hits, we’ll see action. 16 years is enough warning. – AL

  6. Not a bad thing: Andreas Gal, Mozilla CTO, offers an interesting rant on limited access to Google search data available to other search engines. Over the last decade search engines have used user query data, more than crawling the Internet, to refine their own search results. Other search engines, ISPs, and telcos used to – ahem – collect user search data entered into Google and leverage that information. The crux of Andreas’ rant is that Google started encrypting its search strings, so only Google has access to user queries. But this is exactly what I want as a user – that the information I entrust to Google not be shared. I want them to encrypt it and keep it to themselves. Further, this is part of Google’s moat, born from early technical advantages and the “network effect” of providing a service people really like, which is a good thing which Google earned. It requires other firms to innovate to attract users – and to do something unique or better before they can assail Google’s moat. Plus, I think Andreas missed that the embedded search bars in browsers like Firefox offer users a feature they do take advantage of: easy switching between search engines when they don’t like the results from their default option. Only vendors see this as a turf war; users see the value in both privacy and different results from different search tools. – AL
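Item 3 above talks about email trackers without showing what one looks like to a mail client. The following is an added example, not the UglyMail tool from the Wired article and not Securosis code: a small Python detector that scans an HTML email body for the usual tracker tells (remote 1x1 images, images hidden by inline style, image URLs carrying a long opaque per-recipient token) and reports which hosts would be contacted when the message renders. The sample message and the hostnames in it (example-newsletter.com, t.example-esp.net, metrics.example-analytics.org) are constructed for the example; the heuristics are assumptions about what a tracker pixel commonly looks like, not a specification.

```python
"""Flag likely tracking pixels in an HTML email body (added example, constructed data).

A mail client fetches every remote <img> when it renders HTML, which is
what lets a sender (or their service provider) learn that, when, and from
where a message was opened.  This scanner looks for the common tells and
reports each remote image that matches at least one of them.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A long run of URL-safe characters is typical of a per-recipient token.
# The threshold (24 chars) is an assumption tuned for the example.
TOKEN_RE = re.compile(r"[A-Za-z0-9_\-]{24,}")


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag, in document order."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            # Bare attributes arrive with value None; normalise to "".
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _is_tiny(value):
    """True for a width/height of 0 or 1 (optionally with a px suffix)."""
    return value.strip().lower().replace("px", "") in ("0", "1")


def _hidden(style):
    """True if an inline style hides the element entirely."""
    compact = style.replace(" ", "").lower()
    return "display:none" in compact or "visibility:hidden" in compact


def find_trackers(html, sender_domain):
    """Return a list of {host, url, reasons, third_party} for suspect images.

    Only http(s) images count: cid:/data: images are inline and cannot phone home.
    """
    parser = _ImgCollector()
    parser.feed(html)
    findings = []
    for img in parser.images:
        src = img.get("src", "")
        url = urlparse(src)
        if url.scheme not in ("http", "https"):
            continue
        reasons = []
        if _is_tiny(img.get("width", "")) and _is_tiny(img.get("height", "")):
            reasons.append("1x1 pixel")
        if _hidden(img.get("style", "")):
            reasons.append("hidden by style")
        # '?' is not a token character, so path and query cannot merge into one run.
        if TOKEN_RE.search(f"{url.path}?{url.query}"):
            reasons.append("opaque token in URL")
        if not reasons:
            continue  # an ordinary visible logo from a CDN is not a tracker
        host = url.hostname or ""
        third_party = not (host == sender_domain or host.endswith("." + sender_domain))
        findings.append({"host": host, "url": src, "reasons": reasons,
                         "third_party": third_party})
    return findings


# Constructed sample: one real logo, one classic open-tracking pixel added by
# the sending platform, and one hidden image pointing at an analytics host.
SAMPLE_HTML = """
<html><body>
<img src="https://cdn.example-newsletter.com/logo.png" width="200" height="50" alt="logo">
<p>Thanks for subscribing!</p>
<img src="https://t.example-esp.net/o/abcdefghijklmnopqrstuvwxyz0123456789.gif"
     width="1" height="1" alt="">
<img src="https://metrics.example-analytics.org/open?id=42" style="display:none;width:0;height:0">
<img src="cid:inline-signature" width="1" height="1">
</body></html>
"""


def tracker_hosts(html, sender_domain):
    """Convenience: just the hosts a client would contact for suspect images."""
    return [f["host"] for f in find_trackers(html, sender_domain)]


if __name__ == "__main__":
    for f in find_trackers(SAMPLE_HTML, "example-newsletter.com"):
        kind = "third-party" if f["third_party"] else "sender"
        print(f"{f['host']:35} {kind:12} {', '.join(f['reasons'])}")
```

Run against the sample it reports two suspect images, both on hosts other than the sender's domain, and ignores both the visible logo and the inline `cid:` image. The defensive use is the one item 3 suggests: knowing which hosts a message will contact before remote images are loaded, so a client or outbound filter can block them.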

—Mike Rothman

Wednesday, April 01, 2015

Incite 4/1/2015: Fooling Time

By Mike Rothman

As we started recording the Firestarter Monday Rich announced the date. When he said “March 30”, it was kind of jarring. It’s March 30? How did that happen? Wasn’t it just yesterday we rang in the new year? I guess it was almost 90 yesterdays. Thankfully Rich cut me off as I went down the rabbit hole of wondering where the time went.

Hourglass

Every year is getting shorter, never seem to find the time
Plans that either come to naught or half a page of scribbled lines
Hanging on in quiet desperation is the English way
The time is gone, the song is over, thought I’d something more to say
– Pink Floyd, “Time”

Yup, I’m in one of those moods. You know, the mood where you are digging up Pink Floyd lyrics. Though it’s true – every year does seem to get shorter. It’s hard to find the time to do everything you want to. Everything you plan to. You can’t fool time, even on April Fool’s day. Time just keeps moving forward, which is what we all need to do.

I have become painfully aware of the value of time this year. It seems I have been in a cycle of work, run, yoga, travel, car pools, LAX games, and maybe a little sleep now and again. But when I pick my head up every so often, I see things changing. Right before my eyes. XX1 is no longer a little girl. She’s almost as tall as the Boss and is talking to me about getting her driver’s permit in 6 months. What? My little muncha driving? How can that be?

And people you know unexpectedly pass on. Many of us in the security community knew Michael Hamelin (@hackerjoe), and then over the holidays he was gone. Taken in a freak car accident. It makes you think about how you are using the short amount of time you have. I had a wave of inspiration and posted a few things on Twitter that day.

Tweets

I’m fortunate to be a mentor, advisor, and friend to lots of folks who come to me for advice and perspective. I talk about courage a lot with these people. The courage to be who you want to be, regardless of who you ‘should’ be. The courage to make changes, if changes are necessary. The courage to get beyond your comfort zone and grow. It’s not easy to be courageous.

Ticking away the moments that make up a dull day
Fritter and waste the hours in an off-hand way
Kicking around on a piece of ground in your home town
Waiting for someone or something to show you the way
– Pink Floyd, “Time”

Many people choose to just march through life, even if they aren’t happy or fulfilled, and that’s okay. But time will move on, regardless of what you decide to do, or not do. If you think things will change without you changing them, you aren’t fooling time. You are only fooling yourself.

–Mike

Photo credit: “hourglass_cropped” originally uploaded by openDemocracy

Incite 4 U

  1. Better breach disclosure: I hate it when stuff I use gets breached. I have to change passwords and the like. It’s just a hassle. But it does provide a learning opportunity, if the pwned company will talk about what happened. The latest disclosure darling seems to be Slack. You know, the chat app everyone seems to use. Evidently they had an attacker in their user database and some private information was accessible. Things like email addresses and password hashes. Their payment and financial information was apparently not accessible (segmentation FTW). Now they don’t know whether user data was actually accessed (but we need to assume it was). Nor do they have any proof passwords were decrypted. But at least they are candid about what they don’t know. And even better, they took action to address the issue. Like turning on two-factor authentication before it was quite ready. And providing a tool for an administrator to log everyone out of the system and force a password reset. As they learn more, we can only hope Slack shares more of the details of this attack. – MR

  2. The wisdom of retailers: Over the last decade I have been involved in two research projects to show how data breaches impacted firms’ brand value and stock prices. And yes, I worked for a security vendor at the time, who had a financial incentive to link them. What did I find? Nothing. The data was inconsistent, but if anything it suggested breaches and company value were unrelated. Our own Gunnar Peterson has been tracking this topic for as long as I’ve known him, and based solely on stock price, finds that breached companies outperform the market. The Harvard Business Review has done many great case studies on firms that have been breached, going back at least to 2007, but I believe this is the first time the HBR has come out with reasons why data breaches don’t hurt stock prices. But does that mean those retailers with a laissez-faire approach to security were right all along? If breaches are “… an inevitability of doing business …”, does that mean firms should only invest in “cyber insurance” to help pay the costs of cleanup? – AL

  3. Darwin and the WAF: Brian McHenry of F5 calls for the death of WAF as we know it and even references some of Adrian’s and my research. And who says flattery gets you nowhere? Brian’s point is that WAF needs to evolve with the advent of DevOps and more agile development processes, because you can’t tune the WAF to keep up with every application change. He’s right, but it’s a bigger issue than just WAF. Though given Brian is in the WAF business, that is his focus. DevOps and cloud and mobility disrupt the game. You need to rethink security and data protection… or not. As Deming said, “It is not necessary to change. Survival is not mandatory.” It applies to pretty much everything. Technologies, but also processes. If those don’t evolve (and drag technology with them), you’ll be on the endangered species list. But don’t fret – you won’t be lonely. A lot of technologies, vendors and practitioners won’t be able to make the jump. Maybe there is a gig available for a front-end processor engineer. (Old school) – MR

  4. Grab the popcorn: Now that vendors have reassessed their approaches to mobile payments, subsequent to Apple Pay shaking things up, we see new payment products from every corner. Square announced the acquisition of Kili, giving them NFC capabilities. Now merchants using Square can support either card-swipe or NFC transactions. Vodafone will also standardize on NFC communication, but will deliver a SIM card that embeds a secure element to hold the encryption keys needed for secure payment on mobile devices. These secure elements are the preferred choice for carriers, because anyone who wants access must pay the carrier. Unsurprisingly, Visa and Mastercard recently announced they are backing the more open Host Card Emulation approach – effectively a virtual secure hardware element – but now Microsoft has also announced use of HCE for their new Tap To Pay offering on Windows phones. We went from a snail’s pace to hair-on-fire product delivery, which means we can expect implementation flaws and notable hacks during this vendor stampede for market share. – AL

  5. It’s a mobile app – what could possibly go wrong? You all know what a big fan of surveys I am, but sometimes the data makes a point worth making. Without less-than-rigorous math, that is. The Ponemonsters did a survey for IBM which analyzed mobile app security. Basically there isn’t much, which I’m sure is a shock to most of you. In another surprising turn, the rush to get mobile apps out there and to meet customer needs is forcing organizations to take security shortcuts. Really! I know you are shocked. Yes, I took my sarcasm pills today. If there is an upside it is that mobile OSes are inherently better protected than PCs. I did not say fully protected – just better protected. But this is a systemic issue. Why would mobile apps be much different than anything else? Companies feel pressure to ship, they take shortcuts, security suffers. Breach happens, company gets religion. Until next time they have to take a shortcut. Wash, rinse, repeat. And we needed a survey to tell us that? – MR

—Mike Rothman

Wednesday, March 25, 2015

Incite 3/25/2015: Playing it safe

By Mike Rothman

A few weeks back at BSidesATL, I sent out a Tweet that kind of summed up my view of things. It was prompted by an email from a fitness company with the subject line “Embrace Discomfort.” Of course they were talking about the pain of whatever fitness regimen you follow. Not me. To me, comfort is uncomfortable.

Comfort is uncomfortable

I guess I have always been this way. Taking risks isn’t risky from where I sit. In fact playing it safe feels dangerous. Of course I don’t take stupid risks and put myself in harm’s way. At least I don’t any more – now I have a family who depends on me. But people ask me how I have the courage to start new businesses and try things. I don’t know – I just do. I couldn’t really play it safe if I tried.

Not that playing it safe is bad. To the contrary, it’s a yin-yang thing. Society needs risk-takers and non-risk-takers. However you see yourself, make sure you understand and accept it, or it will not end well.

For instance some folks dream of being a swashbuckling entrepreneur, jumping into the great unknown with an idea and a credit card to float some expenses. If you are risk-averse that path will be brutal and disappointing. Even if the venture is successful it won’t feel that way because the roller coaster of building a business will be agonizing for someone who craves stability.

Risk Takers

Similarly if you put an entrepreneur into a big stable company, they will get into trouble. A lot of trouble. Been there, done that. That’s why it is rare to see true entrepreneurs stay with the huge companies that acquire them, after the retention bonuses are paid and the stock is vested. It’s just soul-crushing for swashbucklers to work in a place with subsidized cafeterias and large HR departments.

I joked that it was time to leave META Group back in the mid-90s, when we got big enough that there were people specifically tasked with making my job harder. They called it process and financial controls. I called it bureaucracy and stupid paperwork. It didn’t work for me so I started my own company. With neither a subsidized cafeteria nor an HR department. Just the way I like it.

–Mike

Photo credit: “2012_05_050006 Road to Risk Takers Select Committees” originally uploaded by Gwydion M. Williams

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Endpoint Defense Essential Practices

Applied Threat Intelligence

Network Security Gateway Evolution

Newly Published Papers


Incite 4 U

  1. We’re hacking your stuff too, eh! All my Canadian friends are exceedingly nice. I’m sure many of you know our contributors from up North, Dave Lewis and James Arlen, and there aren’t any nicer people. They are cranky security people like the rest of us, but they somehow never seem cranky. It’s a Canadian thing. So when you hear about the Canadians doing what pretty much every other government is doing and hacking the crap out of all sorts of things, you say, “Eh? The Canadians? Really?” Even better, the Canadians are collaborating with the NSA to use social engineering and targeted attacks to “garner foreign intelligence or inflict network damage.” The spinmeisters were spinning hard about the documents being old, blah blah blah. Maybe they need a little Rob Ford action in the cyber department to give us the real low-down. But you know what? I’m sure they were very polite guests and left everything exactly as they found it. – MR

  2. He had me at Manifesto: I love a good manifesto. Nothing gets the blood moving like a call to arms, to rally the troops to do something. My friend Marc Solomon of Cisco advocates for CISOs to write their own manifestoes to get the entire organization thinking about security. I’m not sure how you make security “a growth engine for the business”, but a lot of his other aspirations are good. Things like security must be usable, transparent, and informative. Yup. And security must be viewed as a “people problem,” which really means that if you didn’t have all these pesky employees you would have far fewer security problems. Really it’s a sales document. You (as CISO) are selling the security mindset to your organization, and that is a manifesto worth writing. – MR

  3. E-DDoS coming to a cloud near you: One of the newer attack vectors I highlighted in our denial of service research a couple years ago was an economic denial of service. An adversary can hammer a cloud-based system, driving costs up to the victim’s credit limit. No more credit, no more cloud services. I guess that’s the cloud analogue to “No shoes, no shirt, no dice.” (Dude…) It seems someone in China doesn’t like that some website allows connectivity to censored websites, so they are blasting them with traffic, costing $30,000/day in cloud server costs. These folks evidently have a lot of credit with Amazon and haven’t been forced to shut down. Yet. Aside from the political reality an attack like this represents, it is a clear example of another more diabolical type of attack. A DDoS that knocks your stuff down may impact sales, but not costs. This kind of attack hits you below the belt: right in the wallet. – MR

—Mike Rothman

Wednesday, March 18, 2015

Incite 3/18/2015: Pause

By Mike Rothman

It’s been over a month since I wrote an Incite. It is the longest period of downtime since I joined Securosis. I could talk about my workload, which is bonkers right now. But over the years I’ve written the Incite regardless of workload. I could talk about excessive travel, but I haven’t been traveling nearly as much as last year. I could come up with lots of excuses, but as I tell my kids all the time, “I’m not in the excuses business.”

Here’s the reality: I needed a break. I have plenty to write about, but I found reasons not to write. There is a ton of stuff going on in security, so there were many interesting snippets I let fly right on by. But I didn’t write it, and I didn’t really question it. What I needed was what my Tao teacher calls a pause.

Hit the pause button

You could need a pause for lots of reasons. Sometimes you have been running too hard for too long. Sometimes you need to change things up a bit because the status quo makes you unhappy. Sometimes you need some space to recalibrate and figure out what you want to do and where you want to go. Of course, this could be for very little things, like writing the Incite every week. Or very big things. But without taking a pause, you don’t have the space to make objective decisions.

You are reading this, so obviously I am writing the Incite. So during my pause, it became clear that the Incite is an important part of what I do. But it’s bigger than that. It’s an important part of who I am. I have shared the good and the not so good through the years. I have met people who tell me they have experienced what I write about, and it’s helpful for them to commiserate – even if it’s virtual. Some tell me they learn through my Incites, and there is nothing more flattering. But it’s not why I write the Incite.

I write the Incite for me. I always have. It’s a journal of sorts representing my life, my views, and my situation at any given time. Every so often I go back a couple years and read my old stuff. It reminds me of what things were like back then. It’s useful because I don’t spend much time looking backwards. It’s interesting to see how different I am now. Some people journal in private. I do that too. But I have found my public journal is important to me.

The pause is over. I’m pushing Play. In the coming months there will be really cool stuff to share and some stuff that will be hard to communicate. But that’s life. You take the good and the bad without judgement. You move forward. At least I do. So stay tuned. The next few months are going to be very interesting, for so many reasons.

–Mike

Photo credit: “Pause? 272/265” originally uploaded by Dennis Skley


The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.


Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Cracking the Confusion

Applied Threat Intelligence

Network Security Gateway Evolution

Newly Published Papers


Incite 4 U

(Note: Don’t blame Rich or Adrian for the older Incite… They got me stuff on time – it just took me a month to post it. You know, that pause I talked about above.)

  1. There are no perfect candidates… There is no such thing as perfect security, so why would there be perfect security candidates? Our friend Andy Ellis, CISO of Akamai, offers a refreshing perspective on recruiting security professionals. Andy focuses on passion over immediate competence. If a person loves what they do they can learn the rest. I think that’s great, especially given the competition for those with the right certifications and keywords on their CVs. Andy also chooses to pay staffers fairly instead of pushing them to find other jobs as their skills increase. Again, very smart given the competition for security staff. The #1 issue we hear from CISO types, over and over, is the lack of staff / recruiting challenge. So you need to find folks in places others aren’t looking, and invest in them – knowing a few will leave for greener pastures at some point. That’s all part of the game. – MR

  2. No love: Another encryption vendor got rolled up recently, with Voltage Security acquired by HP. But before you lose your train of thought, with jokes about how HP is where tech companies go to die – yeah, we heard a lot of that in the last 24 hours – note this is occurring with encryption firms of all sizes. In case you missed it, Porticor was acquired by Intuit the week before the HP/Voltage deal. And before that, SafeNet to Gemalto, Entrust to Datacard, and Gazzang went to Cloudera. You would think selling data encryption in the age of data breaches would be like giving ice cream to kids on a hot day, but the truth is selling is hard because implementing it is hard. Customers view encryption as a commodity, with one AES variant the same as every other, and complain bitterly about cost and key management headaches. Encryption platforms have matured steadily over the last 10 years, and continually evolved to include format preserving encryption, tokenization, transparent encryption, dynamic masking, key storage and management, all while integrating with storage systems, applications, cloud services and ‘big data’. The trend is clearly to bake data encryption in, but innovation and growing demand for data security mean this market is far from settled. – AL

  3. Bring Your Own Key: I’m a big fan of the cloud, and of encryption, which is why I’m excited to see Box announce their new Enterprise Key Management product. First a little full disclosure: I have known about this for a while and I have done some work with Box (which was not a secret). That said, it isn’t like I get paid more if anyone buys the service from them. I’ve been on record for a few years as not a fan of proxy-based encryption for cloud computing. Shoving an appliance (or service) between your users and the cloud platform so you can encrypt a few fields seems like a kludge prone to breaking application functionality. But almost no providers allow customers to manage their own encryption in a way that can protect against misuse by the provider (or snoops, criminal or government). Box’s EKM enables customers to control their own encryption keys, but all the actual work happens within Box. This reduces the likelihood the application will break. It isn’t necessarily completely subpoena proof, but there is no way for anyone besides you to see your data unless you release the key. Amazon is one of the only other cloud providers supporting customer managed keys, and I really hope this trend grows. But as Mike says, “Hope is not a strategy”, so vote with your dollars if you want more customer-controlled cloud key management. – RM

  4. Vulnerability management, still kicking…: I have voiced my disappointment with the fact that modern product reviews are consistently cursory, and rarely useful for procurement decisions. That doesn’t stop folks like SC Mag from continuing to review products, like their recent Vulnerability Management review. Yes, vulnerability management is still a thing – even if Gartner doesn’t think so anymore. That being said, the major players in the market are changing direction, and they all seem to be going in different directions. One is climbing the stack, another focused on identity, a third morphing into a services driven shop, and yet another preoccupied with executive level dashboards. And yes, they all still scan your stuff and generate long reports of stuff you’ll never get to. Same old, same old. Although as you are looking to renew your product and/or service, it makes sense to actually learn about the longer term strategy of your chosen vendor to ensure it still aligns with what you need. If not, make a change since it’s not like all of the vendors can’t scan your stuff. – MR

  5. Smart cards, disrupted: It’s happening again; the threat of EMV cards. The Smart Card Alliance position is the liability shift for not using EMV will push adoption within mass merchants, while Visa representatives claim 525 million cards will be in the ‘ecosystem’ by the end of 2015. Bull$#!*. For the sake of round numbers say there are about 300 million US citizens – minus those under 18 – which would require each US adult to get two Chip and PIN cards over the next 10 months. Even if the US government issues an ID for every citizen, that milestone is not going to happen. Nor will merchants move fast enough with new terminals to support the cards. I understand the smart card industry’s angst – EMV needs to move, or be gotten over, in the US. Apple Pay basically virtualized Chip and PIN for payments, simultaneously showing consumers a model for health and ID cards pushed into mobile devices with less cost and pain. It’s not a new idea by any stretch, but Apple upended a bunch of firms who were positioning for the future. As Apple does from time to time. – AL

  6. Eye of Sauron: Big breaches happen, and no matter what anyone tells you they aren’t going away… ever. The goal of your security program is to minimize the potential damage because it can’t be eliminated. Even with all the high-profile breaches, there’s a lack of motivation for companies, even in regulated industries, to protect their data. Everyone ignored the HIPAA security requirements for years and years, until HITECH put baby teeth in place. But heck, with entirely too many friends still in healthcare, even that threat isn’t enough to be a true catalyst for action. So I’m always interested in events that change the economics of security. Like one of the biggest insurance markets taking a close look at insurer cybersecurity. Nothing may happen here – it isn’t like Eliot Spitzer is back in charge, kicking ass and (er… spanking… no… not going to say it) taking names (no mention of black books either…), but it only takes a couple state regulators in the right markets to move the needle and drive change. – RM

—Mike Rothman

Wednesday, February 04, 2015

Incite 2/4/2015: 30x32

By Mike Rothman

It was a pretty typical day. I was settled into my seat at Starbucks writing something or other. Then I saw the AmEx notification pop up on my phone. $240.45, Ben Sherman, on the card I use for Securosis expenses. Huh? Who’s Ben Sherman? Pretty sure my bookie’s name isn’t Ben. So using my trusty Google fu I saw they are a highbrow men’s clothier (nice stuff, BTW). But I didn’t buy anything from that store.

My well-worn, “Crap. My card number got pwned again.” process kicked in. Though I was far ahead of the game this time. I found the support number for Ben Sherman and left a message with the magic words, “blah blah blah fraudulent transaction blah blah,” and amazingly, I got a call back within 10 minutes. They kindly canceled the order (which saved them money) and gave me some details on the transaction.

AmEx on my phone

The merchandise was evidently ordered by a “Scott Rothman,” and it was to be shipped to my address. That’s why the transaction didn’t trigger any fraud alerts – the name was close enough and the billing and shipping addresses were legit. So was I getting punked? Then I asked what was ordered.

She said a pair of jeans and a shirt. For $250? Damn, highbrow indeed. When I inquired about the size, that was the kicker. 30 waist and 32 length on the jeans. 30x32. Now I’ve dropped some weight, but I think the last time I was in size 30 pants was third grade or so. And the shirt was a Small. I think I outgrew small shirts in second grade. Clearly the clothes weren’t for me. The IP address of the order was Cumming, GA – about 10 miles north of where I live, and they provided a bogus email address.

I am still a bit perplexed by the transaction – it’s not like the perpetrator would benefit from the fraud. Unless they were going to swing by my house to pick up the package when it was delivered by UPS. But they’ll never get the chance, thanks to AmEx, whose notification allowed me to cancel the order before it shipped. So I called up AmEx and asked for a replacement card. No problem – my new card will be in my hands by the time you read this.

The kicker was an email I got yesterday morning from AmEx. Turns out they already updated my card number in Apple Pay, even though I didn’t have the new card yet. So I could use my new card on my fancy phone and get a notification when I used it.

And maybe I will even buy some pants from Ben Sherman to celebrate my new card. On second thought, probably not – I’m not really a highbrow type…

–Mike






Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Applied Threat Intelligence

Network Security Gateway Evolution

Security and Privacy on the Encrypted Network

Newly Published Papers


Incite 4 U

  1. It’s about applying the threat intel: This post on the ThreatConnect blog highlights an important aspect that may get lost in the rush to bring shiny threat intelligence data to market. As lots of folks, notably Rick Holland and yours truly, have been saying for a while, it’s not about having the data. It’s about using it. The post points out that data is data. Without understanding how it can be applied to your security program, it’s just bits. That’s why my current series focuses on using threat intel within security monitoring, incident response, and preventative controls. Rick’s written a bunch of stuff making similar points, including this classic about how vendors always try to one-up each other. I’m not saying you need (yet another) ‘platform’ to aggregate threat intel, but you definitely need a strategy to make the best use of data within your key use cases. – MR

  2. Good enough: I enjoyed Gilad Parann-Nissany’s post on 10 Things You Need To Know about HIPAA Compliance in the Cloud as generic guidance for PHI security in the cloud. But his 10th point really hits the mark: HIPAA is not feared at all. The vast majority of HIPAA fines have been for physical disclosure of PHI, not electronic. While a handful of firms go out of their way to ensure their cloud infrastructure is secure (which we applaud), they aren’t doing security because of HIPAA. Few cloud providers go beyond encrypting data stores (whatever that means) and securing public network connections, because that’s good enough to avoid major fines. Sometimes “good enough” is just that. – AL

  3. 20 Questions: Over the years I have been management or, at Gartner, part of a hiring committee at various times. I have not, however, had to really interview for most of my jobs (at least not normal interviews). The most interesting situation was the hiring process at the FBI. That interview was so structured that the agents had to go through special training just to give it. They tested me not only on answering the questions, but answering them in the proper way, as instructed at the beginning, in the proper time window. (I passed, but was cut later either due to budget reductions at the time, or some weirdness in my background. Even though I eliminated all witnesses, I swear!). But I have always struggled a bit at getting technical hires right, especially in security. The best security pros I know have broad knowledge and an ability to assimilate and correlate multiple kinds of information. I really like Richard Bejtlich’s hiring suggestion. Show them a con video, and have them explain the ins and outs and interpret it. That sure beats the programming tests I used when running dev shops because it gives you great insight into their thought process and what they think is important. – RM

  4. Mixed results: IBM is touting a technology called Identity Mixer as a way for users to both conceal sensitive attributes of their identity, and as a secure content delivery mechanism. But this approach is really Digital Rights Management – which essentially means encryption. This approach has been tried many times for both content delivery and user data protection. The issue is that when allowing a third party to decrypt or access any protected data, the data must be decrypted and removed from its protection. If you use this technology to deliver videos or music it is only as secure as the users who access the data. This approach works well enough for DirecTV because they control the hardware and software ecosystem, but falls apart in conventional cases where the user controls the endpoint. Similarly, sharing encrypted data and keys with a third party defeats the point. – AL

  5. Follow the money: I thought about calling this one “Protection racket”, but even the CryptoLocker guys actually unlock your stuff when you pay them, as promised. It turns out the AdBlock Plus folks take money from Microsoft, Google, and Amazon to allow their ads through. The company’s business model is built on whitelisting ‘good’ ads that comply with their policies (which often includes payment to the AdBlock Plus developers). And they do acknowledge this on their site. That change was made around the end of January 2014 (thank you, Internet Archive). I get it, everyone needs to make money, and not all ads are bad. Many good sites rely on them, although that’s a rough business. I would actually stop blocking most ads if they would stop tracking me even when I don’t click on them. But a business model like this is dangerous. A company becomes beholden to financial interests which don’t necessarily align with its users’. That’s one reason I have been so excited by Apple seeing privacy of customer data as a competitive advantage – as much as companies commit to grand ideals (such as “Don’t be evil.”), it sure is easier to stick to them when they help you make piles of money. – RM

  6. Hack your apps (before the other guys do): This has been out there for a while, but it’s disturbing nonetheless. Marriott collected lots of private information about customers, which isn’t a problem. Unless that information is accessible via a porous mobile app – as it was. I know many organizations take their mobile apps seriously, treating them just like other Internet-facing assets in terms of security. It may be a generalization but that last statement cuts both ways. Organizations that take security seriously do so on any customer-facing technology – with security assessments and penetration tests. And those that don’t… probably don’t. Just understand that mobile apps are a different attack vector, and we will see different ways to steal information. So hack your own apps – otherwise an adversary will. – MR

—Mike Rothman

Wednesday, January 28, 2015

Incite 1/28/2015: Shedding Your Skin

By Mike Rothman

You are constantly changing. We all are. You live, you learn, you adapt, you change. It seems that if you pay attention, every 7-9 years or so you realize you hardly recognize the person looking back at you from the mirror. Sometimes the changes are very positive. Other times a cycle is not as favorable. That’s part of the experience. Yet many people don’t think anything changes. They expect the same person year after year.

I am a case in point. I have owned my anger issues from growing up and my early adulthood. They resulted in a number of failed jobs and relationships. It wasn’t until I had to face the reality that my kids would grow up in fear of me that I decided to change. It wasn’t easy, but I have been working at it diligently for the past 8 years, and at this point I really don’t get angry very often.

Done with this skin says the snake

But lots of folks still see my grumpy persona, even though I’m not grumpy. For example I was briefing a new company a few weeks ago. We went through their pitch, and I provided some feedback. Some of it was hard for them to hear because their story needed a lot of work. At some point during the discussion, the CEO said, “You’re not so mean.” Uh, what? It turns out the PR handlers had prepared them for some kind of troll under the bridge waiting to chew their heads off.

At one point I probably was that troll. I would say inflammatory things and be disagreeable because I didn’t understand my own anger. Belittling others made me feel better. I was not about helping the other person, I was about my own issues. I convinced myself that being a douche was a better way to get my message across. That approach was definitely more memorable, but not in a positive way. So as I changed my approach to business changed as well. Most folks appreciate the kinder Incite I provide. Others miss crankypants, but that’s probably because they are pretty cranky themselves and they wanted someone to commiserate over their miserable existence.

What’s funny is that when I meet new people, they have no idea about my old curmudgeon persona. So they are very surprised when someone tells a story about me being a prick back in the day. That kind of story is inconsistent with what they see. Some folks would get offended by hearing those stories, but I like them. It just underscores how years of work have yielded results.

Some folks have a hard time letting go of who they thought you were, even as you change. You shed your skin and took a different shape, but all they can see is the old persona. But when you don’t want to wear that persona anymore, those folks tend to move out of your life. They need to go because they don’t support your growth. They hold on to the old.

But don’t fret. New people come in. Ones who aren’t bound by who you used to be – who can appreciate who you are now. And those are the kinds of folks you should be spending time with.

–Mike

Photo credit: “Snake Skin” originally uploaded by James Lee






Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Applied Threat Intelligence

Network Security Gateway Evolution

Security and Privacy on the Encrypted Network

Newly Published Papers


Incite 4 U

  1. Click. Click. Boom! I did an interview last week where I said the greatest security risk of the Internet of Things is letting it distract you from all of the other more immediate security risks you face. But the only reason that is even remotely accurate is because I don’t include industrial control systems, multifunction printers, or other more traditional ‘things’ in the IoT. But if you do count everything connected to the Internet, some real problems pop up. Take the fuel gauge vulnerability just released by HD Moore/Rapid7. Scan the Internet, find hundreds of vulnerable gas stations, all of which could cause real-world kinetic-style problems. The answer always comes back to security basics: know the risk, compartmentalize, update devices, etc. Some manufacturers are responsible, others not so much, and as a security pro it is worth factoring this reality into your risk profile. You know, like, “lightbulb risk: low… tank with tons of explosive liquid: high”. – RM

  2. How fast is a fast enough response? Richard Bejtlich asks an age-old question. How quickly should incidents be responded to? When he ran a response team the mandate was detection and mitigation in less than an hour. And this was a huge company, staffed to meet that service level. They had processes and tools to provide that kind of response. The fact is you want to be able to respond as quickly as you are staffed. If you have 2 people and a lot of attack surface, it may not be realistic to respond in an hour. If senior management is okay with that, who are you to argue? But that’s not my pet peeve. It’s the folks who think they need to buy real-time alerts when they aren’t staffed to investigate and remediate. If you have a queue of stuff to validate from your security monitors, then getting more alerts faster doesn’t solve any problems. It only exacerbates them. So make sure your tools are aligned with your processes, which are aligned with your staffing level and expertise. Or see your alerts fall on the floor, whether you are a target or not. – MR
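To make the staffing argument concrete, here is an added example (not from the original post) that replays alerts through a FIFO triage queue and reports how many make it inside the response SLA; the alert rates, triage time, team size and SLA are constructed scenarios.

```python
"""Does a faster alert feed help a team that is already behind?

Added example, not from the original post. The alert rates, triage times,
team sizes and SLA below are constructed scenarios.
"""


def triage_capacity_per_hour(analysts, triage_minutes):
    """Alerts per hour the team can close if analysts triage back to back."""
    return analysts * 60 / triage_minutes


def simulate_triage(n_alerts, interval_minutes, analysts, triage_minutes,
                    sla_minutes):
    """Replay evenly spaced alerts through a FIFO queue served by `analysts`.

    Each alert costs `triage_minutes` of one analyst's time. Returns how many
    alerts were closed within the SLA, the longest arrival-to-close time, and
    how many alerts were still open when the last one arrived.
    """
    free_at = [0] * analysts          # minute at which each analyst is free
    latencies, finishes = [], []
    for i in range(n_alerts):
        arrival = i * interval_minutes
        a = min(range(analysts), key=lambda k: free_at[k])  # earliest free
        start = max(arrival, free_at[a])
        finish = start + triage_minutes
        free_at[a] = finish
        latencies.append(finish - arrival)
        finishes.append(finish)
    last_arrival = (n_alerts - 1) * interval_minutes
    return {
        "within_sla": sum(1 for t in latencies if t <= sla_minutes),
        "breached": sum(1 for t in latencies if t > sla_minutes),
        "max_latency": max(latencies),
        "open_at_end": sum(1 for f in finishes if f > last_arrival),
    }


def compare_feeds(analysts=2, triage_minutes=10, sla_minutes=60, hours=8):
    """Same two-person team, two alert feeds: one within capacity (an alert
    every 6 minutes) and a 'real-time' feed delivering one every 3 minutes."""
    results = {}
    for label, interval in (("paced", 6), ("realtime", 3)):
        n = hours * 60 // interval
        results[label] = simulate_triage(n, interval, analysts,
                                         triage_minutes, sla_minutes)
    return results


if __name__ == "__main__":
    print("capacity:", triage_capacity_per_hour(2, 10), "alerts/hour")
    for label, r in compare_feeds().items():
        print(label, r)
```

With the same two analysts, the paced feed closes every alert in 10 minutes, while the faster feed (20 alerts/hour against a capacity of 12) leaves most alerts outside the one-hour SLA and a growing pile open at the end of the shift.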

  3. Positive reviews: What do you do if you think the software you’re using might have been compromised by hostile third parties? You could review the source code to see if it’s clean. It’s openness that encouraged enterprises to trust non-commercial products, right? But what if it’s a huge commercial distribution, and not open source? If you are talking about Microsoft’s or Apple’s OS code, not only is it extremely tough (like, impossible) to get access, but any effort to review the code would be monstrous and not feasible. In what I believe is unprecedented access, China has gotten the okay to search Apple’s software for back doors to give them confidence that no foreign power has manipulated the code. But this won’t be limited to code – it includes an investigation of build and delivery processes as well, to ensure that substitutions don’t occur along the way. A likely – and very good – outcome for Apple (given the amount of business they do in China), and the resulting decreased pressure from various governments to insert backdoors into the software. – AL

  4. Sec your aaS: One weird part of our business that has cropped up in the past year is working more with SaaS companies who actually care about security. Some big names, many smaller ones, all realizing they are a giant target for every attacker. But I’d have to say these SaaS providers are the minority. Most just don’t have money in the early stages (when it’s most important to build in security) to drop the cash for someone like me to walk in the door. So I enjoyed seeing Bessemer Venture Partners publish a startup security guide. More VCs and funds should provide this kind of support, because their investment goes poof if their companies suffer a major data loss. Or, you know, hire us to do it. – RM

  5. You fix it: It’s shocking that Chip and PIN cards, a technology proven to drastically reduce fraud rates in dozens of other countries, have not been widely adopted in the US. But it’s really sad when the US government beats the banks to market: The US is rolling out Chip and PIN cards for all federal employees this year to promote EMV compliant cards and usage in the US. Chips alleviate card cloning attacks and PINs thwart use of stolen cards. In the EU adoption of Chip and PIN has virtually eliminated card-present fraud. But the people who would benefit the most – banks – don’t bear the costs of deploying and servicing Chip and PIN; issuers and merchants do. So each party acts in its own best interest. Leading by example is great, but if the US government wanted to really promote Chip and PIN, they would help broker (or mandate) a deal among these stakeholders to fix the systemic problem. – AL

  6. Same problem. Different technology… During his day job as a Gartner analyst, Anton gets the same questions over and over again. Both Rich and I know that situation very well. He posted about folks now asking for security analytics, but really wonders whether they just want a SIEM that works. That is actually the wrong question. What customers want are security alerts that help them do their jobs. If their SIEM provided it they wouldn’t be looking at shiny new technologies like big data security analytics and other buzzword-friendly new products. Customers don’t care what you call it, they care about outcomes – which is that they have no idea which alerts matter. But that’s Vendor 101: if the existing technology doesn’t solve the problem, rename the category and sell hope to customers all over again. And the beat goes on. Now back on my anti-cynicism meds. – MR

—Mike Rothman

Wednesday, January 21, 2015

Incite 1/21/2015: Making the Habit

By Mike Rothman

Over halfway through January (already!), how are those New Year’s resolutions going? Did you want to lose some weight? Maybe exercise a bit more? Maybe drink less, or is that just me? Or have some more fun? Whatever you wanted to do, how is that going?

If you are like most, the resolutions won’t make it out of January. It’s not for lack of desire, as folks that make resolutions really want to achieve the outcomes. In many cases the effort is there initially. You get up and run or hit the gym. You decline dessert. You sit with the calendar and plan some cool activities.

Good habits are hard to break too...

Then life. That’s right, things are busy and getting busier. You have more to do and less to do it with. The family demands time (as they should) and the deadlines keep piling up. Travel kicks back in and the cycle starts over again. So you sleep through the alarm a few days. Then every day. The chocolate lava cake looks so good, so you have one. You’ll get back on the wagon tomorrow, right?

And then it’s December and you start the cycle over. That doesn’t work very well. So how can you change it? What is the secret to making a habit? There is no secret. Not for me, anyway. It’s about routine. Pure and simple. I need to get into a routine and then the habits just happen.

For instance I started running last summer. So 3 days a week I got up early and ran. No pomp. No circumstance. Just get up and run. Now I get up and freeze my ass off some mornings, but I still run. It’s a habit. Same process was used when I started my meditation practice a few years back. I chose not to make the time during the day because I got mired in work stuff. So I got up early. Like really early. I’m up at 5am to get my meditation done, then I get the kids ready for school, then I run or do yoga. I have gotten a lot done by 8am.

That’s what I do. It has become a routine. And a routine enables you to form a habit. Am I perfect? Of course not, and I don’t fret when I decide to sleep in. Or when I don’t meditate. Or if I’m a bit sore and skip my run. I don’t judge myself. I let it go.

What I don’t do is skip two days. Just as it was very hard to form my habits of both physical and mental practice, it is all too easy to form new less productive habits. Like not running or not meditating. That’s why I don’t miss two days in a row. If I don’t break the routine I don’t break the habit.

And these are habits I don’t want to break.

–Mike

Photo credit: “Good, Bad Habits” originally uploaded by Celestine Chua






Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Network Security Gateway Evolution

Monitoring the Hybrid Cloud: Evolving to the CloudSOC

Security and Privacy on the Encrypted Network

Newly Published Papers


Incite 4 U

  1. Doing attribution right… Marcus kills it in this post on why attribution is hard. You need to have enough evidence, come up with a feasible motive, corroborate the data with other external data, and build a timeline to understand the attack. But the post gets interesting when Marcus discusses how identifying an attacker based upon TTPs might not work very well. Attackers can fairly easily copy another group’s TTPs to blame them. I think attribution (at least an attempt) can be productive, especially as part of adversary analysis. But understand it is likely unreliable; if you make life and death decisions on this data, I don’t expect it to end well. – MR

  2. The crypto wars rise again: Many of you have seen this coming, but in case you haven’t we are hitting the first bump on a rocky road that could dead end in a massive canyon of pain. Encryption has become a cornerstone of information security, used for everything from secure payments to secure communications. The problem is that the same tools used to keep bad guys out also keep the government out. Well, that’s only a problem because politicians seem to gain most of their technical knowledge from watching CSI: Cyber. In the past couple weeks both Prime Minister Cameron in the UK and President Obama have made public statements that law enforcement should have access to encrypted content. The problem is that there is no technically feasible way to provide ‘authorized’ access without leaving encryption technology open to compromise. And since citizens in less… open… countries use the same tech this could surrender any pretense of free speech in those areas as well. The next few years will be messy, and could very well have consequences even for average security Joes. There isn’t much we can do, but we sure need to pay attention, especially those of you on the vendor side. I know, not the funnest Incite of the week, but… sigh. – RM

  3. Nobody cares: If my credit card number is stolen I don’t bear the costs of the fraud and I am usually issued a new card within days to replace the old one. Lord knows I need to keep making card purchases, and nothing will stand in the way of commerce! So other than having to update the dozen web sites that require autopay why would I care about my card being stolen? The only answer I can discern is neurosis. Though apparently I am not alone – Brian Krebs’ How Was Your Credit Card Stolen? discusses the most common ways these numbers are harvested. My Boy Scout sense of fair play has prompted me in the past to put in the work to understand the fraud chain – twice – only to face subsequent frustration when neither local law enforcement nor the card brands cared. So, holiday shoppers, checking your credit statements is about all you can do to help. – AL

  4. More CISO perspective: I have been hammering on CISO-level topics for the past few weeks because folks still want to climb the ladder to get the big title (and paycheck). That’s fine, so I’ll keep linking to tips from folks in the field about how to sit in the top security seat. And then I’ll pimp the PragmaticCSO. Gary Hayslip provides some decent perspective on his 5-step process for the CISO job. It starts with “walk about” and then goes through inventory/assessment, planning, and communication. Seems pretty pragmatic to me. I like the specific goal of walking around for a certain amount of time every day. That’s how you keep the pulse of the troops. The requirements of the CISO job are pretty straightforward. Executing on them successfully? That’s a totally different ballgame. – MR

  5. Soft core payments: Google is reportedly looking to buy Softcard, presumably in an effort to kickstart their stalled mobile payment efforts. Google found that “If you build it they will come” only applies to bad Hollywood scripts – anyone can write a mobile ‘digital wallet’ app, but without cooperation from the rest of the ecosystem you won’t get far. The banks, payment processors, and (just as important) mobile carriers all have a stake in mobile payments, and will get their pound of flesh. For years the carriers have been unwilling to allow others to use the embedded “secure element” on phones for payments unless they got a transaction fee, which meant either pay the carrier tax or go home. Details are slim but Softcard is a carrier-owned business so apparently Google would get a carrier-approved interface to devices and the business relationships needed to make their payment app relevant again. – AL

  6. Bait bike: I’m a cyclist. Bicycle theft is a pretty big business, especially in cities and college towns. In the past few years some police departments have started planting GPS-enabled bait bikes in areas to catch the bad guys. They have done the same thing with cars, but it’s probably easier to plant a bike. That’s why I’m amused by the hackers for hire site. Need someone to break into your ex’s Facebook account? Steal that customer list? Just come on down to Billy Bob’s Trusted Hackers! Send us what’s left of your Bitcoin and we’ll hook you up with the most professional script kiddie in our network! Look, this probably isn’t a bait site, but now that it’s in the New York Times, what are the odds the FBI or Interpol isn’t already scanning the database, tracking clients, and prepping cases? We all know how this story is going to end: with jail time. – MR

—Mike Rothman

Wednesday, January 14, 2015

Incite 1/14/2015: Facing the Fear

By Mike Rothman

Some folks just naturally push outside their comfort zones as a matter of course. I am one of them. Others only do things that are comfortable, which is fine if it works for them. I believe that while you are basically born with a certain risk tolerance, you can be taught to get comfortable with pushing past your comfort zone.

For example, kids who are generally shy will remain more comfortable holding up the wall at a social event, but can learn to approach people and get into the mix. It’s tough at first but you figure it out. There is always resistance the first few times you push a child beyond what they are comfortable with, and force them to try something they don’t think they can do. But I believe it needs to happen. It comes back to my general philosophy that limitations exist only in our minds, and you can move past those limitations once you learn to face your fear.

Faces of Fear

The twins’ elementary school does a drama production every year. XX1 was involved when she was that age, and XX2 was one of the featured performers last year. We knew that she’d be right there auditioning for the big role, and she’d likely get one of them (as she did). But with the Boy we weren’t sure. He did the hip hop performance class at camp so he’ll perform, but that’s a bit different than standing up and performing in front of your friends and classmates. Though last year he did comment on how many of his friends were in the show, and he liked that.

We were pleased when he said he wanted to try out. The Boss helped him put together both a monologue and a song to sing for the audition. He knew all the words, but when it came time to practice he froze up. He didn’t want to do it. He wanted to quit. That was no bueno in my book. He needed to try. If he didn’t get a part, so be it. But he wasn’t going to back out because he was scared. He needed to push through that fear. It’s okay to not get the outcome you hope for, but not to quit.

So we pushed him. There were lots of tears. And we pushed some more. A bit of feet stomping at that point. So we pushed again. He finally agreed to practice for us and then to audition after we wore him out. Sure, that was a little heavy-handed, but I’m okay with it because we decided he needed to at least try.

The end result? Yes, he got a part. I’m not sure how much he likes the process of getting ready for the show. We’ll see once he gets up on stage and performs for everyone whether it’s something he will want to do again. But whether he does it again doesn’t matter. He can always say he tried, even when he didn’t want to. That he didn’t let fear stop him from doing something. And that’s the most important lesson of all.

–Mike

Photo credit: “Faces of fear!” originally uploaded by John Seb Barber




Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Security Best Practices for Amazon Web Services

Network Security Gateway Evolution

Monitoring the Hybrid Cloud: Evolving to the CloudSOC

Security and Privacy on the Encrypted Network

Newly Published Papers


Incite 4 U

  1. Full discraposure: Google discovers a bug in a Microsoft product. Google has a strict 90-day policy to disclose, no matter what. Microsoft says, “Hey, we have a fix ready to go on Patch Tuesday, can we get a few extra days?” but Google releases anyway. I’m sorry, but who does that help? Space Rogue summed it up best; he has a long history in the disclosure debate. In his words, “The entire process has gotten out of hand. The number one goal here should be getting stuff fixed because getting stuff fixed helps protect the user, it helps defeat the bad guys and it helps make the world a better place.” Another great quote is: “And so the disclosure debate continues unabated for over a hundred years. With two of the giants in our industry acting like spoiled children we as security professionals must take the reins from our supposed leaders and set a better example.” Marry me, Space Rogue. Marry me. – RM

  2. The impact of Sony in 2015? FUD! Okay, I am being a little facetious by saying the Sony breach will enable the security industrial complex to launch a new wave of Fear, Uncertainty, and Doubt at organizations in 2015. But it already has folks using tried and true tactics in an attempt to create urgency for whatever widget they are selling today. Ben Rothke is a little more constructive in his analysis for CSO. He makes some good points about the reality that improving security requires ongoing investment and that shiny security products/services are not a complete answer. The one I like best is “a good CISO is important; great security architects are critical.” Amen to that. We believe that as security increasingly gets embedded within the cloud and continuous deployment environments, the security architect will emerge as one of the most valued members of the team. So study up on your architecture, kids! – MR

  3. Making the effort: Gunnar has another really good post, challenging folks to think differently about security. It’s very popular to accept defeat because the odds are stacked against defenders. To mail it in because you will be pwned anyway. And that much is true. You can make progress, but only if you make the effort to improve. Always quick with good analogies, GP refers to how smog was reduced in Los Angeles by 98% over the past 50 years, which most thought was impossible 60 years ago. And how the Scandinavian countries don’t have airplane delays because of snow. They just don’t because they made the effort to figure out how to optimize their processes. I guess another way to put it is a quote I use frequently: “I’m not in the excuses business.” And neither is your senior management, so as Gunnar says: “There is a lot to do, can’t get started any sooner than right now. No such thing as bad winter weather, only opportunities to improve bad snow removal equipment, dysfunctional teams and processes.” Truth. – MR

  4. Free, as in crapware: I seem to have a ‘crap’ theme for my submissions this week. A couple of writers over at HowToGeek decided to go to CNET’s Downloads.com [no link, for obvious reasons and obviousness] to see what happens if they download and install the top 10 apps listed. Hilarity ensues. Spyware, ads, browser hijackers, and more… all from a site that claims its downloads are safe. I frequently see links to these sorts of sites when I search for an application. Sometimes search engines show these contaminated links before the software developer’s site. This is especially common when I look for anything more obscure or no longer maintained. I never download from those sites and I’m on a Mac, but this highlights the ridiculous dangers facing normal Windows users (including your employees). Needless to say, this is why I’m a fan of app stores for PCs, even the open ones (where stuff can still sneak through). I suspect Microsoft will need to move in that direction for the same reasons Apple did, and kill the economic model of bundling and installing backdoors. As long as I always still have the option to go outside the store, I am down with it. – RM

  5. You want a seat, Mr./Ms. CISO? Good luck. I wanted to dig into the archives a bit to mention research that confirms what many of you already know. CISOs are not considered players at the big table. ThreatTrack commissioned a study last summer and came away with some disturbing numbers. 74% of respondents said CISOs should not be part of the organization’s leadership team. 54% don’t think CISOs should be responsible for security purchasing. 28% say the CISO’s decisions negatively impacted financial health. Holy crap! It’s time for a reality check. This is clearly a failure to communicate with folks in senior management. And it needs to be fixed ASAP. It is not like we are going to see fewer attacks or breaches, so if these folks don’t understand what you do and why, that needs to be job #1. Or polishing up your resume will be job #2. – MR

—Mike Rothman

Wednesday, January 07, 2015

Incite 1/7/2014: Savoring the Moment

By Mike Rothman

Early December is a big deal in our house. It’s Nutcracker time, with both girls working all fall to get ready for their dance company’s annual production of the Xmas classic. They do 5 performances over a weekend, and neither girl wants it to end. We have to manage the letdown once that weekend is over. It has been really awesome to see all of the dancers grow up, via the Nutcracker. They start as little munchies playing party boys and girls in the first scene, and those who stick with it become Dew Drop or possibly even the Sugarplum Fairy.

The big part for XX1’s group this year was Party Clara. It’s on Pointe and it’s a big and featured role in Act 1. She has been dreaming about this part for the past 4 years, and when we heard she got it for one of the performances this year, we knew it was going to be a special Nutcracker. She also got a featured Rag Doll part for another performance and was on stage 4-5 times during the show.

XX2 wasn’t left out, and she got a number of featured parts as well. I used to dread that weekend but the girls didn’t really do much, so I could get away with going to one performance and being done with it. Now I attend 3 out of the 5 performances, and would go to all 5 if the girls had sufficient parts. I’m pretty sure the Boy wouldn’t be happy going to 5 performances, but he’ll get over it. I even skipped a home Falcons game to see the Sunday afternoon performance (I did!).

Savor the moment

One of the things I am working on is to pause during the big stuff and just enjoy it. You could call it smelling the flowers or something like that. For me it’s about savoring the moment. To see XX1 with a grin ear to ear performing as Party Clara was overwhelming for me. She was so poised, so in command, so happy. It was incredible. During those 3-4 minutes the world fell away. There was only my girl on stage. That’s it.

Some folks watch their kids perform through a camera viewfinder. Or a cellphone screen while taking video. Not me. I want to experience it directly through my own eyes. To immerse myself in the show. I want to imprint it in my memory. Yes, we’ll buy the DVD of the performance, but that’s for the folks who weren’t there. I don’t need it. I was fully in that moment, and I can go back any time I want. And I do.

–Mike

Photo credit: “P1-VS-P2” originally uploaded by MoreInterpretations




Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Security Best Practices for Amazon Web Services

Network Security Gateway Evolution

Monitoring the Hybrid Cloud: Evolving to the CloudSOC

Security and Privacy on the Encrypted Network

Newly Published Papers


Incite 4 U

  1. Security deadly sin: offensive envy: I dug up Richard Bejtlich’s awesome post from right before New Year, where he dismantles a list from Microsoft’s John Lambert and calls him out for minimizing the potential of defensive security. It is true that hacking stuff is sexy, and the chicks & dudes dig it. But still, the fact that many defenders work off checklists doesn’t mean all do. Because the defenders seem to come up on the losing end of some breach every day doesn’t mean their efforts are pointless. It means it’s a hard job, pure and simple. And glorifying the adversary only provides a defeatist attitude before you even start playing. Which I guess is the adversary’s plan… – MR

  2. No hands: I just love it when someone comes up with an entire class of security vulnerability – and if it might affect an Apple product guess what’s in the headlines? Like the general GSM wireless issue that was hyped as “iPhones Vulnerable” (every GSM phone was vulnerable). That hype sometimes does the issue a disservice, as highlighted in this piece at the Huffington Post on Jan Krissler recreating thumbprints from normal photographs at the Chaos Computer Club. It’s a fascinating and brilliant idea as we progress towards ubiquitous high-definition cameras throughout the world. Not merely for hacking phones, but for all the CSI-spinoff episodes it will inspire. Practically speaking, today I think the barriers to successfully executing this attack are high enough to keep this from becoming a major issue now, and anyone in a sensitive position should never rely on biometrics alone, but in 10 or years? Oh, and don’t forget to read the bit at the end about researchers pulling pass codes from over 100 feet away via screen reflections in someone’s eye via high def video. – RM

  3. Leadership: I think I was too young to understand what the term ‘leadership’ meant when I was promoted to CTO for the first time. Blindly stepping into a role I knew nothing about, I was blessed with a CEO who did not mince words: “If I catch you coding again, you’re fired!” That forced me to focus on the CTO job, which was leading the development team – communicating vision and providing direction on how we were going to deliver product. Over at Security Uncorked JJ wrote a thought-provoking piece on the mental challenges of changing – or even expanding – one’s role in Infosec. Releasing your grip on the hands-on work that got you where you are today is not easy. It’s not just learning leadership and management skills, but also giving up many things you enjoy in your current job. No college offers a “Security Leadership and Management 101” course, and as a new profession we don’t have that many resources to draw on. Bravo to JJ for sharing the angst of this transition. – AL

  4. In the real world, it depends… Wendy kills it again, pointing out that compliance is a pretty low bar, highly dependent on the competence of the assessor and with “the(ir) ability to measure objectively, not just answer questions.” A control can be implemented in such a way that it fails to protect anything. And the process may be in place, but if no one uses it, who cares? This isn’t really about maligning compliance (again), but the fact that prescriptive lists in mandates must be considered the lowest of low bars; once they are taken care of you can start really thinking about how to protect your stuff. So is compliance even helpful? Well, it depends… – MR

  5. Unintended consequences: If I were to redirect cellular tower traffic or interfere with cell transmissions, I would be prosecuted and go to jail for a very long time. If it’s illegal for me, shouldn’t law enforcement need a warrant to do it? The FBI says ‘No’: search warrants are not needed to use ‘stingrays’ in public places to perform mass surveillance of voice and data traffic on everyone in the area. Our government is spurring an interest in security I never thought would make the mainstream. Accusations like monitoring a CBS journalist – true or not – are so creepy that they will keep this story in the limelight for a while. Even at the giant Consumer Electronics Show in Vegas this week, vendors are competitively positioning consumer products with security features, and the keynote touched on the Sony hack. We are moving into a culture of digital security. Whodathunk that a few years ago? – AL

  6. Airway. Breathing. Cyberattack. As a geek and paramedic I became involved fairly early in healthcare IT. I still remember almost being fired for hacking into our manager’s computer because he accidentally locked us out of an important application that was only on his PC but required for our job, and he wouldn’t answer his landline or pager (yeah, I’m dating myself). Nothing fancy – I just found his password for the app in a plain text file via legit access we already had. Anyhow… Pre-Gartner I helped design an EMR app (and implement it in a clinic) for replacing dictation. I also have some more recent experience due to family connections in the industry. So it was no surprise to read Jack Daniel’s story of witnessing multiple hospital IT failures while visiting friends. Forget about security – this is an industry with massive structural issues in IT management. The situation is so much worse than you think, and despite all the security headlines fundamental reliability will consume healthcare dollars for a long time. Hop over to any healthcare forum (especially the physician ones) to see how bad things are, and be glad your providers would all prefer to go back to paper charting and orders in the first place. – RM

  7. The other EMET: I’m a football head, so when I hear the name “Emmitt” I always think of those times Emmitt Smith ran into the end zone to finish off the Giants as I was growing up. But I’m not talking about that Emmitt. I’m referring to EMET, Microsoft’s Enhanced Mitigation Experience Toolkit, which should be implemented on all your Windows devices. And it’s good that TrustedSec’s Dave Kennedy found some time (when he wasn’t hugging it out with the entire industry) to document how to install EMET. Is EMET perfect? Of course not. But it definitely makes it much harder to compromise Windows devices, so you should have it in your anti-malware toolkit. Yes, there are other cool technologies emerging to help on endpoints, but EMET is free, so why not use it? – MR

—Mike Rothman

Wednesday, December 10, 2014

Incite 12/10/2014: Troll off the old block

By Mike Rothman

Every so often the kids do something that makes me smile. Evidently the Boss and I are doing something right and they are learning from our examples. I am constantly amused by the huge personality XX2 has, especially when performing. She’s the drama queen, but in a good way… most of the time.

The Boy is all-in on football and pretty much all sports – which of course makes me ecstatic. He is constantly asking me questions about players I’ve never heard of (thanks Madden Mobile!); he even stays up on Thursday, Sunday, and Monday nights listening to the prime-time game using the iPod’s radio in his room. We had no idea until he told me about a play that happened well after he was supposed to be sleeping. But he ‘fessed up and told us what he was doing, and that kind of honesty was great to see.

trollolololol

And then there is XX1, who is in raging teenager mode. She knows everything and isn’t interested in learning from the experience of those around her. Very like I was as a teenager. Compared to some of her friends she is a dream – but she’s still a teenager. Aside from her independence kick she has developed a sense of humor that frequently cracks me up.

We all like music in the house. And as an old guy I just don’t understand the rubbish the kids listen to nowadays. Twice a year I have to spend a bunch of time buying music for each of them. So I figured we’d try Spotify and see if that would allow all of us to have individual playlists and keep costs at a manageable level.

I set up a shared account and we all started setting up our lists. It was working great. Until I was writing earlier this week, jamming to some new Foo Fighters (Sonic Highways FTW), and all of a sudden the playlist switched to something called Dominique by the Singing Nun. Then Spotify goes berserk and cycles through some hardcore rap and dance. I had no idea what was going on. Maybe my phone got possessed or something. Then it clicked – XX1 was returning the favor for all the times I have trolled her over the years.

Yup, XX1 hijacked my playlist and was playing things she knew aren’t anywhere near my taste. I sent her a text and she confessed to the prank. Instead of being upset I was very proud. Evidently you can’t live with a prankster and not have some of that rub off. Now I have to start planning my revenge.

But for the moment I will just enjoy the fact that my 14-year-old daughter still cares enough to troll me. I know soon enough getting any kind of attention will be a challenge.

–Mike

Photo credit: “Caution Troll Ahead” originally uploaded by sboneham


The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the conference this year. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.


Securosis Firestarter

Have you checked out our video podcast, The Firestarter? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail despite Adrian’s best efforts to keep us on track.


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Network Security Gateway Evolution

Monitoring the Hybrid Cloud: Evolving to the CloudSOC

Security and Privacy on the Encrypted Network

Newly Published Papers


Incite 4 U

  1. Flowing downhill: Breaches are ugly. Losing credit card numbers, in particular, can be costly. But after the PCI fines, the banks are always lurking in the background. When Target lost 40 million credit cards, and the banks needed to rotate card numbers and reissue, it isn’t like Target paid for that. And the card brands most certainly will never pay for that. No, they sit there, collect PCI fines (despite Target passing their assessment), and keep the cash. The banks were left holding the bag, and they are sure as hell going to try to get their costs covered. A group of banks just got court approval to move forward with a lawsuit to recover their damages from Target. They are seeking class action status. If the old TJX hack is any indication, they will get it and receive some level of compensation. Resolving all the costs of a breach like this plays out over years, and odds are we will have no idea of the true costs for at least 5.

  2. Cloud security “grows up”? It’s funny when the hype machine wants to push something faster than it is ready to go. Shimmy argued that Cloud security grows up, but I don’t buy it. His point is that because we have gone from ‘cloudwashing’ (Rich’s term), to point solutions, to a few suites, it’s mature – but that doesn’t actually mean the industry has grown up. It is less about available products and services than about the broader industry having an idea how to secure the cloud. Our cloud security courses show that folks are learning fast, but we still have a long way to go. I consider cloud security more like a toddler now. It will be a few years before it is a pimply teen thinking it has figured everything out. Gosh, enterprise security is barely out of high school, and it can barely read… – MR

  3. Trolling along: A huge benefit of offering large bounties for security defects reported in your products is that third parties are incentivized to work with you when they discover issues. When they don’t use bug bounty programs they look like trolls. Google and Microsoft have led the way with bug bounties and shown the benefits of this practice. I have got no idea whether these flaws in Google App Engine are legit or not, but posting the defects to the full disclosure mailing list, given Google’s track record on security response, sure looks like trolling for publicity. And that’s no bueno. – AL

  4. What you don’t know… I guess Eddie the Yeti has a job other than drawing and posting cool portraits of security folks on his Twitter feed. A while back he correctly argued that “I didn’t know” isn’t a legitimate excuse when a breach happens. So you run assessments and test yourself frequently. But what do you decide to fix? You can’t address every issue, even if you knew about them all. It comes back to our old tired mantra: risk management. What presents the biggest risk to your environment? Fix that. Duh. But just as important, manage expectations about the priorities you chose. The last thing you want is to make a decision folks are free to disagree with in hindsight, because you never told them you were making the decision. – MR

  5. Practical watermarking: Krebs’ recent post on a breach canary discusses an underutilized idea that anyone who sells or shares data with third parties should consider – especially when working with data brokers. The idea is that when you examine breach data, ‘canary’ data can provide enough information to determine the source of records. This would not work as a column of irrelevant data which would be quickly stripped out, leaving only valuable financial or personal data behind. But canary data could work as elements of a larger data set – bogus records to let the original owner recognize their data. [Ed: But why would they want to know they were at fault? Much better to never know for sure you were the source, right??? –pepper] It is a bit like using marked bills when transporting large sums of money. Banks and insurance companies have done this over the last decade, even in production databases, to see if the data they shared with partners gets resold elsewhere. It works well when the recipient cannot differentiate faked ‘watermark’ records from the real ones, and so cannot remove those records to conceal the data set’s origin. – AL

  6. It’s never enough: Plenty of folks have been talking about the security skills gap every organization struggles with when trying to fill open positions. Jon Oltsik did a survey and I am a bit surprised that only 30% of folks surveyed feel we have a problematic shortage of security skills in areas like endpoint and network. I guess those other folks aren’t hiring for those positions. But is the answer to just train more folks? That is only a partial solution. The issue with security is that you learn by screwing up. College kids may be able to do simple stuff, but they don’t have the business skills or context to really do security yet. And even more challenging is the job. The fact is that security isn’t for everyone, so we will get a bunch of folks entering the market because supply & demand will grow salaries. But they won’t stay long because many of those folks don’t understand the security mindset, and it will frustrate them to no end. The fact is that we will never have enough security folks to meet demand. So we need to train more folks, embrace better automation and orchestration of security operations, and figure out how to recognize people better for doing their jobs – which, for security folks, means you never see or hear them. – MR

—Mike Rothman

Wednesday, December 03, 2014

Incite 12/3/2014: Winding Down

By Mike Rothman

As I sit in yet another hotel, banging out yet another Incite, overlooking yet another city that isn’t home, this is a good time to look back on 2014 because this is my last scheduled trip for this year. It has been an interesting year. At this point the highs this year feel higher, and the lows lower. There were periods when I felt sick from the whiplash of ups and downs. That’s how life is sometimes. Of course my mindfulness practice helps me handle the turbulence with grace, and likely without much external indication of the inner gyrations.

But in 5 years how will I look back on 2014? I have no idea. I have tried not to worry about things like the far future. At that point, XX1 will be leaving for college, the twins will be driving, and I’ll probably have the same amount of gray hair. Sure, I will plan. But I won’t worry. I have been around long enough to know that my plans aren’t worth firing the synapses to devise them. In fact I don’t even write ‘plans’ down any more.

Start me up...

It is now December, when most of us start to wind down the year, turning our attention to the next. We are no different at Securosis. For the next couple weeks we will push to close out projects that have to get done in 2014 and start working with folks on Q1 activities. Maybe we will even get to take some time off over the holidays. Of course vacation has a rather different meaning when you work for yourself and really enjoy what you do. But I will slow down a bit.

My plan is to push through my handful of due writing projects over the next 2 weeks or so. I will continue to work through my strategy engagements. Then I will really start thinking about what 2015 looks like. Though I admit the slightly slower pace has given me opportunity to be thankful for everything. Certainly those higher highs, but also the lower lows. It’s all part of the experience I can let make me crazy, or I can accept bumps as part of the process.

I guess all we can do each year is try to grow from every experience and learn from the stuff that doesn’t go well. For better and worse, I learned a lot this year. So I am happy as I write this although I know happiness is fleeting – so I’ll enjoy the feeling while I can. And then I will get back to living in the moment – there really isn’t anything else.

–Mike

Photo credit: “wind-up dog” originally uploaded by istolethetv

The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the conference this year. It’s on YouTube; take an hour and watch it. Your emails, alerts and Twitter timeline will be there when you get back.
Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Network Security Gateway Evolution

Monitoring the Hybrid Cloud: Evolving to the CloudSOC

Security and Privacy on the Encrypted Network

Newly Published Papers
Incite 4 U

  1. CISO in the clink… I love this headline: Can a CISO serve jail time? Duh, of course they can. If they deal meth out of the data center, they can certainly go to jail. Oh, can they be held accountable for breaches and negligence within their organization? Predictably, the answer is: it depends. If you are clearly negligent then all bets are off. But if you act in the best interests of the organization as you see them … it is hard to see how a CISO could be successfully prosecuted. That said, there is a chance, so you need to consult a lawyer before taking the job to understand where your liability begins and ends (based on your agreement), and then you can make an informed decision on whether to take the job. Or at least build some additional protection into your agreement. – MR

  2. Productivity Killer: Sometimes we need a reminder that security isn’t all about data breaches and DDoS. Sometimes something far far worse happens. Just ask Sony Pictures. Last week employees showed up to work to find their entire infrastructure compromised and offline. Yep, down to some black hat hax0rs graphic taking over everyone’s computer screens, just like in… er… the movies. I don’t find any humor in this. Despite what Sony is doing to the Spider-Man franchise, they are just a company with people trying to get their jobs done, make a little scratch, and build products people will pay for. This isn’t as Earth-shattering as the completely destructive Saudi Aramco hack, but it seems pretty close. Destructive hacks and data breaches are not the same things, even though breaches and APTs get all the attention and need to be covered in the threat model. – RM

  3. Friends make the CISO: Far too many CISOs end up in the seat without proper training in what their real job is: coercion and persuasion. Not in a bad way, but the fact is that if a CISO cannot convince their peers to think about security, they cannot succeed. So I enjoyed a piece on securityintelligence.com for describing the CISO’s best friends. The reality is that the CISO job isn’t a technical one – it is a people management job, and far too many folks go into it without understanding that. That doesn’t end well. – MR

  4. Understated: I have been reading Adam Shostack’s stuff since I started in security. He is known for offering well-reasoned opinion, devoid of hype and hyperbole, based on decades of hands-on experience. But sometimes that understated style shortchanges a couple of very important points, as in his recent post Threat Modeling at a Startup. Adam focused on the operational aspects, but did not address two important aspects – essentially why threat modeling is so important for startups. First, threat modeling has a pronounced impact at earlier stages of platform development, while the foundation of an application is being designed and built. Second, threat modeling is one of the most cost-effective ways to improve security. Both these facets are critical for startups, who need to get security right out of the blocks, and don’t have a lot of money to burn. – AL

  5. You know the breach is bad when… You need to do a media blitz about hiring a well-known forensic shop to clean up the mess. Yup, the Sony Pictures folks had their damage control people make a big deal about hiring FireEye’s Mandiant group to clean up the mess of their breach. As Rich described above, the breach was pretty bad, but having to make a big deal about hiring forensic folks doesn’t instill confidence that anyone in-house knows what they are doing. But I guess that’s self-evident from two very high-profile breaches one after another. And to the executive who gave the green light to The Interview, it’s all good. Fortunately the North Koreans aren’t vindictive or anything… – MR

—Mike Rothman