Gunnar Peterson posted a presentation a while back on how being an investor makes him better at security, and conversely how being in security makes him better at investing. It’s a great concept, and my recent research on different investment techniques has made me realize how amazing his concept is. Gunnar’s presentation gets a handful of the big ideas (including defensive mindset, using data rather than anecdotes to make decisions, and understanding the difference between what is and what should be) right, but actually under-serves his concept – there are many other comparisons that make his point. That crossed my mind when reading An Investor’s Guide to Famous Last Words.

Black Swan author Nassim Taleb: “People focus on role models; it is more effective to find antimodels – people you don’t want to resemble when you grow up.”

The point in the Fool article is to learn from others’ mistakes. With investing mistakes are often very public, and we share them as examples of what not to do. In security, not so much. Marcus Ranum does a great presentation called the Anatomy of The Security Disaster, pointing out that problem identification is ignored during the pursuit of great ideas, and blame-casting past the point of no return is the norm. I have lived through this sequence of events myself. And I am not arrogant enough to think I always get things right – I know I had to screw things up more than once just to have a decent chance of not screwing up security again in the future. And that’s because I know many things that don’t work, which – theoretically anyway – gives me better odds at success. This is exactly the case with investing, and it took a tech collapse in 2001 to teach me what not to do. We teach famous investment failures but we don’t share security failures. Nobody wants the shame of the blame in security.

There is another way investing makes me better at security and it has to do with investment styles, such as meta-trending, day trading, efficient market theory, cyclic investing, hedging, shorting, value investing, and so on. When you employ a specific style you need to collect specific types of data to fuel your model, which in turn helps you make investment choices. You might look at different aspects of a company’s financials, industry trends, market trends, political trends, social trends, cyclic patterns, the management team, or even disasters and social upheaval as information catalysts. Your model defines which data is needed. You quickly realize that mainstream media only caters to certain styles of investing – data for other styles is only a tiny fraction of what the media covers. Under some investment styles all mainstream investment news is misleading BS. The data you don’t want is sprayed at you like a fire hose because those stories interest many people. We hear about simple and sexy investment styles endlessly – boring, safe, and effective investment is ignored.

Security practitioners, do you see where I am going with this?

It is very hard to filter out the noise. Worse, when noise is all you hear, it’s really easy to fall into the “crap trap”. Getting good data to base decisions on is hard, but bad data is free and easy. The result is to track outside of your model, your style, and your decision process. You react to the BS and slide toward popular or sexy security models or products – that don’t work. It’s frightfully easy to do when all anyone talks about are red herrings.

Back to Gunnar’s quote… Know what you don’t want your security model to be. This is a great way to sanity check the controls and processes you put into place to ensure you are not going down the wrong path, or worrying about the wrong threats.

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences

Favorite Securosis Posts

  • Mike Rothman: Securing Big Data: Operational Security Issues. This stuff looks a lot like the issues you face on pretty much everything else. But a little different. That’s the point I take away from this post and the series. Yes it’s a bit different, and a lot of the fundamentals and other disciplines used through the years may not map exactly, but they are still useful.
  • Adrian Lane: Incite: Cash is King. How many startups have I been at that hung on the fax machine at the end of every quarter? How many sales teams have I been with where “the Bell” only rang the last three days of a quarter? Good stuff.
  • Rich I’m picking my Dark Reading post this week. It stirred up a bit of a Twitter debate, and I think I need to write more on this topic because I couldn’t get enough nuance into the initial piece.

Other Securosis Posts

Favorite Outside Posts

  • Mike Rothman: DDoS hitmen for hire. You can get anything as a service nowadays. Even a distributed denial of service (DDoS). I guess this is DDoSaaS, eh?
  • Adrian Lane: Think differently about database hacking. Lazlo Toth and Ferenc Spala’s DerbyCon presentation shows how to grab encryption keys and passwords from OCI clients. A bit long, but a look at hacking Oracle databases without SQL injection. Yes, there are non-SQL injection attacks, in case you forgot. Will we see this in the wild? I don’t know.
  • Rich: Antibiotic Resistant security by Valsmith. What he’s really driving at is an expansion of monoculture and our reliance on signature-based AV, combined with a few other factors. It’s a very worthwhile read. The TL;DR version is that we have created an environment where the only things that get in are the ones we can neither detect nor stop, at least using our current toolset and mindset.

Project Quant Posts

Research Reports and Presentations

Top News and Posts

Blog Comment of the Week

Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. This week’s best comment goes to rybolov, in response to Defending Against DoS: The Attacks.

Hi Mike, one small correction for you:

“Likewise the RefRef attack leverages SQL injection to inject a rogue .js file on a server, which then hammers a backend database into submission with seemingly legitimate traffic originating from an application server.” That’s what RefRef was supposed to do and was hyped to the press as “giving a beast a carrot then watching it choke to death on that carrot” (paraphrased). In the end, there was no RefRef and security researchers now figure it was all a hoax to get R&D donation money.

The only code that was released was which uses the MySQL benchmark function to execute a particular query numerous times. It’s similar to SQL Injection attack but the goal is to create a large workload on the database server instead of extracting information out of the database.