It’s Friday the 13th, and I am in a good mood. I probably should not be, given that every conversation seems to center around some negative aspect of the economy. I started my mornings this week talking with one person after another about a possible banking collapse, and then moved to a discussion of Sirius/XM going under. Others are furious about the banking bailout, as it rewards failure. Tuesday of this week I was invited to speak at a business luncheon on data security and privacy, so I headed down the hill to find the sides of the roads filled with cars and ATVs for sale. Cheap. I get to the parking lot and find it empty but for a couple of pickup trucks, all of which are for sale. The restaurant we are supposed to meet at shuttered its doors the previous night and went out of business. We move two doors down to the pizza joint, where the TV is on and the market is down 270 points and will probably be worse by the end of the day. Still, I am in a good mood. Why? Because I feel like I was able to help people.
During the lunch we talked about data security and how to protect yourself online, and the majority of these business owners had no idea about the threats to them, both physical and electronic, and no idea what to do about them. They do now. What was surprising was that everyone seemed to have recently been the victim of a scam, or someone else in their family had been. One person had their checks photographed at a supermarket, and someone made impressive forgeries. One had their ATM account breached but no clue as to how or why. Another had false credit card charges. Despite all the bad news I am in a good mood, because I think I helped some people stay out of future trouble simply by sharing information you just don’t see in the newspapers or mainstream press.
This leads me to the other point I wanted to discuss: Rich posted this week on “An Analyst Conundrum” and I wanted to make a couple of additional points. No, not just about my being cheap … although I admit there are a group of people who capture the prehistoric moths that fly out of my wallet during the rare opening … but that is not the point of this comment. What I wanted to say is that we take this Totally Transparent Research process pretty seriously, and we want all of our research and opinions out in the open. We like being able to share where our ideas and beliefs come from. Don’t like it? You can tell us and everyone else who reads the blog that we are full of BS, and what’s more, we don’t edit comments. One other amazing aspect of conducting research in this way has been the comments on what we have not said. More specifically, every time I have pulled content I felt was important but which confused the overall flow of the post, readers pick up on it. They make note of it in the comments. I think this is awesome! It tells me that people are following our reasoning. It keeps us honest. It makes us better. Right or wrong, the discussion helps the readers in general, and it helps us know what your experiences are.
Rich would prefer that I write faster and more often than I do, especially with the white papers. But odd as it may seem, I have to believe the recommendations I make; otherwise I simply cannot put the words down on paper. No passion, no writing. The quote Rich referenced was from an email I sent him late Sunday night after struggling with recommending a particular technology over another, and I quite literally could not finish the paper until I had solved that puzzle in my own mind. If I don’t believe it based upon what I know and have experienced, I cannot put it out there. And I don’t really care if you disagree with me, as long as you let me know why what I said is wrong and how I screwed up. What’s more, I especially don’t care if the product vendors or security researchers are mad at me. For every vendor that is irate with what I write, there is usually one who is happy, so it’s a zero-sum game. And if security researchers were not occasionally annoyed with me there would be something wrong, because we tend to be a rather cranky group when others do not share our personal perspective of the way things are. I would rather have the end users be aware of the issues and walk into any security effort with their eyes open. So I feel good about getting these last two series completed, as I think it is good advice and I think it will help people in their jobs. Hopefully you will find what we do useful!
On to the week in review:
Webcasts, Podcasts, Outside Writing, and Conferences:
- In a nepotistic extravaganza during Martin’s absence, this week’s network podcast included both Rich & Adrian, with Rich sharing a few rumors on the Heartland breach.
- Adrian was interviewed by SC Magazine on the Los Alamos Lab’s missing computers.
- Rich wrote up the Mac OS X Security Update for TidBITS.
- Macworld released their Security Superguide, with Rich & Chris as authors. Much to their surprise!
- Rich participated in an SC Magazine webcast on PCI.
- Rich moderated the WhiteHatWorld.com Thought Leadership Roundtable on Cloud Computing Security. (Sorry, replay link isn’t up yet.)
Favorite Securosis Posts:
- Rich: Recent Breaches: How To Limit Malicious Outbound Connections. There are a couple of great comments with additional information, including one from Big Bad Mike Rothman, who is not dead yet.
- Adrian: An Analyst Conundrum for, well, the ten or so reasons I mentioned above.
Favorite Outside Posts:
- Adrian: Showing some love for Dre … talking about why WAF and Pen Testing are dead. While he is not quite ‘Fake Stiennon’, he makes some very good points.
- Rich: This post on CGISecurity.com on the role of security training for QA (also covered by Gunnar).
Top News and Posts:
- Melissa Hathaway to head White House Cyber Security.
- I guess Verisign is not buying Certicom after all.
- The Javelin Report came out. It seems data theft has been commoditized: the frequency of thefts is on the rise and the cost to the individual consumer is getting lower.
- This seems like a bad idea to me. I am not Microsoft bashing, but MS does not have the fervent semi-cult following that draws people to Apple stores, so opening retail outlets looks like a tax write-off waiting to happen.
- Metasploit as a service? Cool! We look forward to getting a complete rundown on what is being offered.
- Alan Shimel takes good care of the Security Bloggers Network, which this blog is a part of, with SBN moving to a new home on Lijit.
- The scariest thing I have seen in a long time: Money as Debt.
- Everyone loves a scapegoat: Interesting article at Time about who is to blame.
- Microsoft is offering a $250K bounty for the bad guys behind Conficker, and the industry is rallying to combat it. Cool stuff, and we’ll have more on it next week.
Blog Comment of the Week:
Jack on The Business Justification for Data Security: Measuring Potential Loss:
A question/observation regarding the “qualifiable losses” you describe: Isn’t the loss of “future business” a manifestation of damaged reputation? Likewise, reduced “customer loyalty”? After all, it seems to me that reputation is nothing more than how others view an organization’s value/liability proposition and/or the morals/ethics/competence of its leadership. It’s this perception that then determines customer loyalty and future business. With this in mind, there are many events (that aren’t security-related) that can cause a shift in perceived value/liability, etc., and a resulting loss of market share, growth, cost of capital, etc. In my conversations with business management, many companies (especially larger ones) experience such events more frequently than most people realize; it’s just that (like most other things) the truly severe ones are less frequent. These historical events can provide a source of data regarding the practical effect of reputation events that can be useful in quantified or qualified estimates.
Next week … an all-Rich Friday post!