A few weeks ago I was out in California, transferring large sums of my personal financial worth to a large rodent. This was the third time in about as many years I engaged in this activity – spending a chunk of my young children’s college fund on churros, overpriced hotel rooms, and tickets for the privilege of walking in large crowds to stand in endless lines.

As a skeptical sort of fellow, I couldn’t help but ask myself why the entire experience makes me So. Darn. Happy. Every. Single. Time.

When you have been working in security for a while you tend to become highly attuned to the onslaught of constant manipulation so endemic to our society. The constant branding, marketing lies, and subtle (and not-so-subtle) abuse of psychological cues to separate you from every penny you can borrow on non-existent assets – at least that’s how it works here in Arizona. When I walk into a Disney park I know they fill the front with overpriced balloons, time the parades and events to distribute the crowd, and conveniently offer a small token of every small experience, all shippable to your home for a minor fee.

Even with that knowledge, I honestly don’t give a crap and surrender myself to the experience.

This begs the question: why don’t I get as angry with Disney as I do with the FUD from security vendors? It certainly isn’t due to the smiles of my children – I have been enjoying these parks since before I even conceived (get it?) of having kids. And it isn’t just Disney – I also tend to disable the skepticnator for Jimmy Buffett, New Zealand, and a few (very few) other aspects of life.

The answer comes down to one word: value.

Those balloons? We bought one once… and the damn thing didn’t lose a mole of helium molecules over the 5 days we had it before giving it away to some incoming kid while departing our hotel. I think her parents hate us now.

As expensive as Disney is, the parks (and much of the rest of the organization) fully deliver value for dollar. You might not agree, but that isn’t my problem. The parks are the best maintained in the business. The attention to detail goes beyond nearly anything you see anywhere else. For example, at Disneyland they update the Haunted Mansion with a whole Nightmare Before Christmas theme. They don’t merely add some external decorations and window dressing – they literally replace the animatronics inside the ride between Halloween and Christmas. It’s an entirely different experience.

Hop on Netflix and compare the animation from nearly any other kids channel to the Disney stuff – there is a very visible quality difference. If you have a kid of the right age, there is no shortage of free games on the website. Download the Watch Disney app for your iDevice and they not only rotate the free shows, but they often fill it with some of the latest episodes and the holiday ones kids go nuts for.

I am not saying they get everything right, but overall you get what you pay for, even if it costs more than some of the competition. And I fully understand that it’s a cash extraction machine. Buffett is the same way: I have never been to a bad concert, and even if his branded beer and tequila are crap, I get a lot of enjoyment value for each dollar I pay. Even after I sober up.

It seems not many companies offer this sort of value. For example, I quite like my Ford but it is crystal clear that dealerships ‘optimize’ by charging more, doing less, and insisting that I am getting my money’s worth despite any contradictory evidence.

How many technology vendors offer this sort of value? I think both Apple and Amazon are good examples on different ends of the cost spectrum, but what percentage of security companies hit that mark? To be honest, it’s something I worry about for Securosis all the time – value is something I believe in, and when you’re inside the machine it’s often hard to know if you are providing what you think.

With another kid on the way the odds are low we’ll be getting back to Disney, or Buffett, any time soon. I suppose that’s good for the budget, but to be honest I look forward to the day the little one is big enough to be scared by a six foot rat in person.

On to the Summary:

Once again our writing volume is a little low due to extensive travel and end-of-year projects…

Webcasts, Podcasts, Outside Writing, and Conferences

• Mr. Mortman on cloud security at VentureBeat.
• Adrian gets a nod on big data security.

Favorite Securosis Posts

• Adrian Lane & David Mortman: Incite 11/7/2012: And the winner is… Math.
• Mike Rothman: Defending Against DoS Attacks [New Paper] and Index of Posts. Yes it’s a paper I wrote and that makes me a homer. But given the increasing prevalence of DoS attacks, it’s something you should get ahead of by reading the paper.

Other Securosis Posts

• Implementing and Managing Patch and Configuration Management: Leveraging the Platform.
• Implementing and Managing Patch and Configuration Management: Configuration Management Operations.
• Implementing and Managing Patch and Configuration Management: Patch Management Operations.
• Implementing and Managing Patch and Configuration Management: Defining Policies.
• Building an Early Warning System: Internal Data Collection and Baselining.
• Building an Early Warning System: The Early Warning Process.
• Incite 11/14/2012: 24 Hours.
• Securing Big Data: Security Recommendations for Hadoop and NoSQL [New Paper].

Favorite Outside Posts

(A few extras because we missed last week)

• Rich: Wher is Information Security’s Nate Silver?
• David Mortman: Maker of Airport Body Scanners Suspected of Falsifying Software Tests.
• Dave Lewis: Are you scared yet? Why cloud security keeps these 7 execs up at night.
• Mike Rothman: Superstorm Sandy Lessons: 100% Uptime Isn’t Always Worth It. Another key question is how much are you willing to pay to ensure 100% availability. There is clearly a point of diminishing returns and a lot of companies probably found it as a result of this storm. How many organizations are really moving equipment or making significant additional reliability investments in the aftermath?
• Pepper: Megaupload and the Government’s Attack on Cloud Computing. Not so much a ‘favorite’, but something to worry about.
• Mike Rothman: DDoS marketing stunt backfires, entrepreneur jailed for nine months. Really? I guess no one told this guy that attacking a stock exchange as part of a marketing promotion would turn out badly. He’ll probably won’t make that mistake again. Probably.
• Adrian Lane: Visa stats: US Tops World in Data Breaches. 67% of fraud in the US is a startling number. I have not seen the data, so I don’t know how accurate this is. Of course this is another data point in Visa’s favor for moving to EMV.
• David Mortman: Pots of Gold.
• Adrian Lane: A lesson in math … and risk. Well stated.
• Mike Rothman: The Huawei Security Problem Isn’t the Hardware, It’s Engineers Fixing the Bugs. Interesting perspective here from Greg Ferro about the real threat of buying networking (or security) equipment from a foreign supplier. Folks are worried about back doors in the hardware, when perhaps they should worry a bit more about letting an adversary in through the front.
• Adrian Lane: Summary and Guidance for the “I Know…” series. Good roundup of browser basics. I don’t know where Jeremiah found the cartoon frame with the three kids – but the post is worth recommending just for that visual.
• David Mortman: Rainbow Farting Unicorns….
• Mike Rothman: Inside the Mansion–and Mind– of Kim Dotcom, the Most Wanted Man on the Net. Having big money allows you to be, uh, “eccentric.” This guy definitely is that…
• Mike Rothman: An Open Letter to Ann Coulter. It’s usually best to ignore the vitriol and negativity from political trolls. But sometimes a well thought out, inspiring response is perfect. Just perfect.

Research Reports and Presentations

• Defending Against Denial of Service (DoS) Attacks.
• Securing Big Data: Security Recommendations for Hadoop and NoSQL Environments.
• Tokenization vs. Encryption: Options for Compliance.
• Pragmatic Key Management for Data Encryption.
• The Endpoint Security Management Buyer’s Guide.
• Pragmatic WAF Management: Giving Web Apps a Fighting Chance.
• Understanding and Selecting Data Masking Solutions.
• Evolving Endpoint Malware Detection: Dealing with Advanced and Targeted Attacks.

Top News and Posts

• Major power grid insecurity featured in a report… that DHS classified for 5 years.
• Cybersecurity bill killed, get ready for an executive order.
• Chevron was a victim of Stuxnet.
• Incapsula vs. Cloudflare : Security Review & Comparison. We urge readers to consider potential biases here, but this article is an interesting discussion on web app security as a service.
• The [95%] Confidence of Nate Silver via Jay Jacobs.
• Skype Password Reset, Queue Zombie Apocalypse. Showing, yet again, that public disclosure prompts action.
• Malware Spy Network Targeted Israelis, Palestinians.
• Microsoft Patches 19 Security Holes.
• Cracked passwords from the alleged ‘Egyptian hacker’ Adobe breach.
• Adobe Ships Critical Fixes for Shockwave Player.
• Vermont Credit Union Tosses Out Unencrypted Data For 85,000.
• Ethiopian kids hack OLPCs in 5 months with zero instruction.

Blog Comment of the Week

Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. This week’s best comment goes to Chris, in response to Implementing and Managing Patch and Configuration Management: Introduction [New Series].

I’m excited to see the rest of this paper. I am currently dealing with implementation issues and maintenance for one of my customers.

Which is not to say that I haven’t been dealing with it for the last 4 years that I have been working with this customer, there is new pressure from outside entities (read: findings)