We are wrapping up a pretty difficult summer here at Securosis. You have probably noticed from the blog volume that we have been swamped with research projects. Rich, Mike, and I have barely spoken with one another over the last couple months as we are head-down and researching and writing as fast as we can. No time for movies, parties, or vacation travel. These Quant projects we have been working on make us feel like we have been buried in sand. I have been this busy several times during my career, but I can’t say I have ever been busier. I don’t think that would be possible, as there are not enough hours in the day! Mike’s been hiding at undisclosed coffee shops to the point his family had his face put on a milk carton. Rich has taken multitasking to a new level by blogging in the shower with his iPad. Me? I hope to see the shower before the end of the month.

I must say, despite the workload, projects like Tokenization and PCI Encryption have been fun. There is light at the end of the proverbial tunnel, and we will even start taking briefings again in a couple weeks. But what really keeps me going is having work to do. If I even think about complaining about the work level, something in the back of my brain reminds me that it is very good to be busy. It beats the alternative.

By the time this post goes live I will be taking part of the day off from working to help friends load all their personal belongings into a truck. After 26 years with the same employer, one of my friends here in Phoenix was laid off. He and his wife, like many of the people I know in Arizona, are losing their home. 22 years of accumulated stuff to pack … whatever is left from the various garage sales and give-aways. This will be the second friend I have helped move in the last year, and I expect it will happen a couple more times before this economic depression ends. But as depressing as that may sound, after 14 months of haggling with the bank, I think they are just relieved to be done with it and move on. They now have a sense of relief from the pressure and in some ways are looking forward to the next phase of their life. And the possibility of employment. Spirits are high enough that we’ll actually throw a little party and celebrate what’s to come.

Here’s to being busy!

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences

Favorite Securosis Posts

Other Securosis Posts

Favorite Outside Posts

Project Quant Posts

Research Reports and Presentations

Top News and Posts

Blog Comment of the Week

Remember, for every comment selected, Securosis makes a $25 donation to Hackers for Charity. This week’s best comment goes to ds, in response to FireStarter: It’s Time to Talk about APT.

I think you are oversimplifying the situation regarding the reasons for classifying information. It is well known that information has value, and sometimes that value diminishes if others are aware you know it. Consider the historical case of the Japanese codes in WWII. If the US had publicised that they had deciphered the code, Japan would have switched codes, destroying the value of what had been learned. The same may be true of APT.

If our attackers know that we are aware of their activity and studying it, they will change tactics. LE is better suited to respond trans-nationally and who knows if they aren’t working with partners to seed their learnings into industry. They’ve been long thought to use thinktanks like Mitre to achieve such goals.

As to the firestarter itself, I think this is another point where security pros are falling behind due to reliance on outmoded tools. IDS/IPS (I’m told, I hate them personally) was swell for preventing attacks when the goal was to root a server using the latest sploit, and firewalls are great for segmenting well defined networks with discrete service needs. Honeypots are nice to learn about attack activity when the attacker is generally opportunistic and uses highly automated methods.

None of this seems very good against a dedicated attacker focused on a very specific goal and armed with very good recon. But we’re all too busy using what few resources we have to manage the technology that doesn’t really work because we don’t know how to do anything differently.

My cynical view is that anyone in the profession who feels like they are achieving success is either delightfully ignorant or charged with protecting something that no one really wants anyway.