We are wrapping up a pretty difficult summer here at Securosis. You have probably noticed from the blog volume that we have been swamped with research projects. Rich, Mike, and I have barely spoken with one another over the last couple of months, as we are head-down, researching and writing as fast as we can. No time for movies, parties, or vacation travel. These Quant projects we have been working on make us feel like we have been buried in sand. I have been this busy several times during my career, but I can’t say I have ever been busier. I don’t think that would be possible, as there are not enough hours in the day! Mike’s been hiding at undisclosed coffee shops to the point that his family had his face put on a milk carton. Rich has taken multitasking to a new level by blogging in the shower with his iPad. Me? I hope to see the shower before the end of the month.
I must say, despite the workload, projects like Tokenization and PCI Encryption have been fun. There is light at the end of the proverbial tunnel, and we will even start taking briefings again in a couple weeks. But what really keeps me going is having work to do. If I even think about complaining about the work level, something in the back of my brain reminds me that it is very good to be busy. It beats the alternative.
By the time this post goes live I will be taking part of the day off from working to help friends load all their personal belongings into a truck. After 26 years with the same employer, one of my friends here in Phoenix was laid off. He and his wife, like many of the people I know in Arizona, are losing their home. 22 years of accumulated stuff to pack … whatever is left after the various garage sales and give-aways. This will be the second friend I have helped move in the last year, and I expect it will happen a couple more times before this economic depression ends. But as depressing as that may sound, after 14 months of haggling with the bank, I think they are just relieved to be done with it and to move on. They now feel relief from the pressure and in some ways are looking forward to the next phase of their life. And the possibility of employment. Spirits are high enough that we’ll actually throw a little party and celebrate what’s to come.
Here’s to being busy!
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
- Seven Features To Look For In Database Assessment Tools.
- Mike’s presentation on Endpoint Security Fundamentals.
- Adrian’s Dark Reading post: Protegrity Gets Aggressive.
- Adrian quoted in TechTarget. And I’ll probably catch hell for this.
Favorite Securosis Posts
- Rich: Monitoring up the Stack: Threats. Knowing what to monitor, and how to pull the value from it, is a heck of a lot tougher than merely collecting data. Mike and Adrian are digging in and showing us how to focus.
- Mike Rothman: Monitoring up the Stack: Threats. This blog series is getting going and it’s going to be cool. Getting visibility beyond just the network/systems is critical.
- David Mortman: Monitoring up the Stack: Threats.
- Adrian Lane: FireStarter: It’s Time to Talk about APT.
Other Securosis Posts
- Government Pipe Dreams.
- NSO Quant: Clarifying Metrics (and some more links).
- Monitoring up the Stack: File Integrity Monitoring.
- Incite 9/22/2010: The Place That Time Forgot.
- New Paper (+ Webcast): Understanding and Selecting a Tokenization Solution.
- NSO Quant: Manage Process Metrics, Part 1.
- Understanding and Selecting an Enterprise Firewall: Selection Process.
- Upcoming Webinar: Selecting SIEM.
Favorite Outside Posts
- Rich: 2010 Website Security Statistics Report. Once again, Jeremiah provides some absolutely amazing numbers on the state of Web site security. He pulled together stats from over 2000 web sites across 350 organizations to provide us all some excellent benchmarks for things like numbers and types of vulnerabilities (by vertical) and time to remediate. Truly excellent, and non-biased, work.
- Mike Rothman: Do you actually care about privacy? Lots of us say we do. Seth Godin figures we are more worried about being surprised. It makes you think.
- Chris Pepper: evercookie: doggedly persistent cookies. By the guy who XSSed MySpace!
- David Mortman: Cyber Weapons.
- Adrian Lane: Titanic Secret Revealed. A serious case of focusing on the wrong threat!
- Chris Pepper: Little Bobby Tables moves to Sweden.
Project Quant Posts
- NSO Quant: Manage Metrics–Monitor Issues/Tune IDS/IPS.
- NSO Quant: Manage Metrics–Deploy and Audit/Validate.
- NSO Quant: Manage Metrics–Process Change Request and Test/Approve.
Research Reports and Presentations
- Understanding and Selecting a Tokenization Solution.
- Security + Agile = FAIL Presentation.
- Data Encryption 101: A Pragmatic Approach to PCI.
- White Paper: Understanding and Selecting SIEM/Log Management.
- White Paper: Endpoint Security Fundamentals.
- Understanding and Selecting a Database Encryption or Tokenization Solution.
- Low Hanging Fruit: Quick Wins with Data Loss Prevention.
Top News and Posts
- Twitter Worm Outbreak. The most interesting security event of the week.
- New Security Microchip Vuln.
- Mac OS (iOS and OSX) Security Updates.
- New Autofill Hack Variant.
- VMWare Security Hardening Guide (PDF).
- evercookie. Many of you probably saw the re-tweet stream this week. Yes, this looks nasty and a pain in the ass to remove. Maybe I need to move all my browsing to temporary partitions.
- More Conjecture on Stuxnet Malware and some alternate opinions. And some funny quotes on Schneier’s blog.
- My relentless pursuit of the guy who robbed me. Cranky amateur cyber-sleuth FTW!
- DRG SSH Username and Password Authentication Tag Clouds. Nice rendering of human nature (you can call it laziness or stupidity, as you prefer).
Blog Comment of the Week
I think you are oversimplifying the situation regarding the reasons for classifying information. It is well known that information has value, and sometimes that value diminishes if others are aware you know it. Consider the historical case of the Japanese codes in WWII. If the US had publicised that they had deciphered the code, Japan would have switched codes, destroying the value of what had been learned. The same may be true of APT.
If our attackers know that we are aware of their activity and studying it, they will change tactics. LE is better suited to respond trans-nationally, and who knows if they aren’t working with partners to seed their learnings into industry. They’ve been long thought to use think tanks like Mitre to achieve such goals.
As to the firestarter itself, I think this is another point where security pros are falling behind due to reliance on outmoded tools. IDS/IPS (I’m told, I hate them personally) was swell for preventing attacks when the goal was to root a server using the latest sploit, and firewalls are great for segmenting well defined networks with discrete service needs. Honeypots are nice to learn about attack activity when the attacker is generally opportunistic and uses highly automated methods.
None of this seems very good against a dedicated attacker focused on a very specific goal and armed with very good recon. But we’re all too busy using what few resources we have to manage the technology that doesn’t really work, because we don’t know how to do anything differently.
My cynical view is that anyone in the profession who feels like they are achieving success is either delightfully ignorant or charged with protecting something that no one really wants anyway.