A couple days ago I was talking with the masters swim coach I’ve started working with (so I will, you know, drown less) and we got to that part of the relationship where I had to tell him what I do for a living.
Not that I’ve ever figured out a good answer to that questions, but I muddled through.
Once he found out I worked in infosec he started ranting, as most people do, about all the various spam and phishing he has to deal with. Aside from wondering why anyone would run those scams (easily answered with some numbers) he started in on how much of a pain in the ass it is to do anything online anymore.
The best anecdote was asking his wife why there were problems with their Bank of America account. She gently reminded him that the account is in her name, and the odds were pretty low that B of A would be emailing him instead of her.
When he asked what he should do I made sure he was on a Mac (or Windows 7), recommended some antispam filtering, and confirmed that he or his wife check their accounts daily.
I’ve joked in the past that you need the equivalent of a black belt to survive on the Internet today, but I’m starting to think it isn’t a joke. The majority of my non-technical friends and family have been infected, scammed, or suffered fraud at least once. This is just anecdote, which is dangerous to draw assumptions from, but the numbers are clearly higher than people being mugged or having their homes broken into. (Yeah, false analogy – get over it).
I think we only tolerate this for three reasons:
- Individual losses are still generally low – especially since credit cards losses to a consumer are so limited (low out of pocket).
- Having your computer invaded doesn’t feel as intrusive as knowing someone was rummaging through your underwear drawer.
- A lot of people don’t notice that someone is squatting on their computer… until the losses ring up.
I figure once things really get bad enough we’ll change. And to be honest, people are a heck of a lot more informed these days than five or ten years ago.
- On another note we are excited to welcome Gunnar Peterson as our latest Contributing Analyst! Gunnar’s first post is the IAM entry in our week-long series on security commoditization, and it’s awesome to already have him participating in research meetings.
- And on yet another note it seems my wife is more than a little pregnant. Odds are I’ll be disappearing for a few weeks at some random point between now and the first week of September, so don’t be offended if I’m slow to respond to email.
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
- The official Defcon Security Jam waffle iron is up for auction! Not only was this used by David Mortman to produce mouth watering morsels of joy on stage, but Chris Hoff ensured the waffle iron attended the exclusive Ninja Networks party! (Proceeds benefit the EFF).
- Adrian on How to Protect Oracle Database Vault at Dark Reading.
- Rich wrote an article on iOS security over at TidBITS.
- Rich, Martin, and Zach on the Network Security Podcast.
Favorite Securosis Posts
- Gunnar: Anton Chuvakin in depth SIEM Use Cases. Written from a hands on perspective, covers core SIEM workflows inlcuding Server user activity monitoring, Tracking user actions across systems, firewall monitoring (security + network), Malware protection, and Web server attack detection. The Use Cases show the basic flows and they are made more valuable by Anton’s closing comments which address how SIEM enables Incident Response activities.
- Adrian Lane: FireStarter: Why You Care about Security Commoditization. Maybe no one else liked it, but I did.
- Mike Rothman: The Yin and Yang of Security Commoditization. Love the concept of “covering” as a metaphor for vendors not solving customer problems, but trying to do just enough to beat competition. This was a great series.
- Rich: Gunnar’s post on the lack of commoditization in IAM. A little backstory – I was presenting my commoditization thoughts on our internal research meeting, and Gunnar was the one who pointed out that some markets never seem to reach that point… which inspired this week’s series.
Other Securosis Posts
- Gunnar Peterson Joins Securosis as a Contributing Analyst.
- Incite 8/11/2010: No Goal!
- Tokenization: Use Cases, Part 3.
- iOS Security: Challenges and Opportunities.
- Tokenization Topic Roundup.
- When Writing on iOS Security, Stop Asking AV Vendors Whether Apple Should Open the Platform to AV.
- Commoditization and Feature Parity on the Perimeter.
- Tokenization: Use Cases, Part 2.
Favorite Outside Posts
- Adrian Lane: Researchers Hack Your Vehicle (again). Looks like the auto industry will continue making idiotic decisions regarding computers and control systems until they walk head-on into a major hack.
- Mike Rothman: Fuel Not Powerpoint. From our newest contributing analyst Gunnar. Funny how in some industries a cool PowerPoint is not enough.
- Pepper: Anatomy Of An Attempted Malware Scam. I’ve never thought much about ‘badvertising’, but I enjoyed this detective story.
- Rich: National Geographic’s awesome story on DefCon. The reporter really captured the essence of the event.
Project Quant Posts
- NSO Quant: Manage Firewall Process Revisited.
- NSO Quant: Manage Firewall – Audit/Validate.
- NSO Quant: Manage Firewall – Deploy.
- NSO Quant: Manage Firewall – Test and Approve.
- NSO Quant: Manage Firewall – Process Change Request.
Research Reports and Presentations
- White Paper: Endpoint Security Fundamentals.
- Understanding and Selecting a Database Encryption or Tokenization Solution.
- Low Hanging Fruit: Quick Wins with Data Loss Prevention.
Top News and Posts
- Critical Updates for Windows, Flash Player.
- Questions and Answers on the [iPhone] JailbreakMe Vulnerability.
- Wireshark review.
- RBS WorldPay ringleader being extradited to the US.
- Illogical cloud positivism.
- Google CEO says no anonymity on the web.
- First clue to crack the Verizon DBIR contest.
Blog Comment of the Week
Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. This week’s best comment goes to ken rutsky, in response to FireStarter: Why You Care about Security Commoditization.
Great post. I think that the other factor that plays into this dynamic is the rush to “best practices” as a proxy for security. IE, if a feature is perceived as a part of “best practices”, then vendors must add for all the reasons above. Having been on the vendor side for years, I would say that 1 and 3 are MUCH more prevalent than 2. Forcing upgrades is a result, not a goal in my experience.
What does happen, is that with major releases, the crunch of features driven by Moore’s law between releases allows the vendor to bundle and collapse markets. This is exactly what large vendors try to do to fight start ups. Palo Alto was a really interesting case (http://marketing-in-security.blogspot.com/2010/08/rose-by-any-other-name-is-still.html?spref=fb) because they came out with both a new feature and a collapse message all at once, I think this is why they got a good amount of traction in a market that in foresight, you would have said they would be crazy to enter…