I’m not sure how it happened, but XX1 turned 15 in November and got her driver’s permit. Wait, what?!?! That little girl can now drive. Like, legally? WTF? Clearly it is now January, and I am still in shock that 15 years has passed by in the blink of an eye.

Now it’s on me to teach her to drive. She’ll take a driver’s ed course in February, so that will help and give her some practical experience with someone who actually drives with teenagers for a living. Is that on the list of worst jobs? Second to elephant cage cleaner at the zoo, driving with inexperienced drivers seems like my version of hell on earth.

Then I remembered back to when I learned to drive. My Dad had a ‘72 Bug for me that he drove around. He picked me up and drove me to the local town pool parking lot. He taught me how to balance the clutch (yes, it was a stick shift) and start, stop, drive in a straight line, and turn. I recall him being extraordinarily patient as I smoked the clutch and stalled out 10 times. But after a while I got the hang of it.

Then he said, “OK Mike. Drive home.” WHAT? I was kind of in shock. It was maybe 3 miles to my house, but it was 3 miles of real road. Road with other drivers on it. I almost crapped my pants, but we got home in one piece. Dad would let me drive most places after that, even on the highway and on bridges. He remained incredibly patient, even when I stalled 10 times on a slight incline with about 50 cars behind me sitting on their horns. Yup, crapped my pants that time too. I remember that like it was yesterday, but it was 31 years ago. Damn.

So before winter break I took XX1 out to the parking lot of the library. She got into the driver’s seat and I almost crapped my pants. You getting the recurring theme here? She had no idea what she was doing. I have an automatic transmission, so she didn’t have to worry about the clutch, but turning the car is a learned skill, and stopping without giving me whiplash was challenging for a little while. She did get the hang of it, but seeing her discomfort behind the wheel convinced me that my plan of having her drive home (like my Dad did to me) wouldn’t be a great idea. Neither for her self-esteem nor my blood pressure.

She’ll get the hang of it, and I have to remember that she’s different than me and I’m a different teacher than my Dad. We’ll get her driving at her pace. After she takes the driver’s ed class I’ll have her start driving when she’s with me. Before we know it, she’ll have 25-30 hours behind the wheel.

But I’m not taking any chances. I plan on sending her to an advanced driving school. My cousin sent me a link to this great program in NC called B.R.A.K.E.S, which provides a 4-hour defensive driving workshop specifically for teens. I’m also going to take her to a Skip Barber racing class or something similar, so she can learn how to really handle the car. Sure it’s expensive, but she’s important cargo, commanding a two-ton vehicle, so I want to make sure she’s prepared.

But I have to understand this is a metaphor for the rest of her life. As parents we can prepare her to the best of our ability. Then we need to let her loose to have her own experiences and learn her lessons. She can count on our support through the inevitable ups and downs. My little girl is growing up.

–Mike

Photo credit: “International Driving Permit” from Tony Webster

The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour. Your emails, alerts, and Twitter timeline will be there when you get back.

Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.

• Dec 8 – 2015 Wrap Up and 2016 Non-Predictions
• Nov 16 – The Blame Game
• Nov 3 – Get Your Marshmallows
• Oct 19 – re:Invent Yourself (or else)
• Aug 12 – Karma
• July 13 – Living with the OPM Hack
• May 26 – We Don’t Know Sh–. You Don’t Know Sh–
• May 4 – RSAC wrap-up. Same as it ever was.
• March 31 – Using RSA
• March 16 – Cyber Cash Cow
• March 2 – Cyber vs. Terror (yeah, we went there)
• February 16 – Cyber!!!
• February 9 – It’s Not My Fault!
• January 26 – 2015 Trends
• January 15 – Toddler

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

SIEM Kung Fu

• Fundamentals

Building a Threat Intelligence Program

• Success and Sharing
• Using TI
• Gathering TI
• Introduction

Network Security Gateway Evolution

• Introduction

Recently Published Papers

• Threat Detection Evolution
• Building Security into DevOps
• Pragmatic Security for Cloud and Hybrid Networks
• EMV Migration and the Changing Payments Landscape
• Applied Threat Intelligence
• Endpoint Defense: Essential Practices
• Cracking the Confusion: Encryption & Tokenization for Data Centers, Servers & Applications
• Security and Privacy on the Encrypted Network
• Monitoring the Hybrid Cloud
• Best Practices for AWS Security
• The Future of Security

Incite 4 U

1. Security as a business problem: The more things change, the more they stay the same. NetworkWorld’s Overcoming stubborn execs for security sake took me back to 2006, right before I wrote the Pragmatic CSO. Senior management doesn’t get it? Yup. Mid-managers want to circumvent the rules? Yup. On and on it goes, and we run on the hamster wheel for a decade, ending up right back in the same place. Welcome to the rest of your security career. The fact is that as high-profile as security has become to senior management and the Audit Committee, what’s a lot more important to them is making the numbers and hitting their objectives. So how can you get them to understand? You can’t. Not fully anyway. But you can make sure you discuss security in business terms, and that will at least provide some common ground for discussion. The article does a good job of discussing those tactics. – MR
2. Shoot the messenger: Every year some legitimate tool – security or otherwise – gets labeled as a security threat. It’s not just nmap or Metasploit – even Google’s web crawlers can detect certain vulnerabilities and catalog the results (and do), and are therefore called a “hacker tool”, especially after con talks that explain how to use Google to hack. This time the Shodan web crawler was called a threat, as a recent advisory from Checkpoint noted what appeared to be Shodan scans prior to data breaches. The advisory itself is a good thing, but advice to block Shodan scans to deter hacking made the Twitterverse erupt in controversy. Thankfully social media has set everyone straight and the issue is resolved, right? Honestly, there is nothing wrong with blocking external Shodan scans while you address the vulnerabilities, but those pesky skeptics in the security community know blocking will be the ‘solution’ – not merely a starting point. Exactly like last time. – AL
3. 4 tips for IR? Obviously there are more steps an incident response. So this quick post by the CrowdStrike folks was interesting, but I think they did a decent job making a few critical points. First, you have to start with a damage assessment and an understanding of whether the adversary is still active in your environment. Next try to corral the devices in question, and data at risk, in some segmented and monitored environment, being careful to keep systems up to avoid either alerting the adversary or destroying evidence. Then call in the Forensicators. Given the shortage of those folks, and the level of demand, that is a non-trivial effort. But unless you are a Fortune-class enterprise with a group of incident responders you’ll need to work with an external firm. Then you need to notify affected stakeholders, and return systems to a healthy state. Obviously there are dozens of activities behind each of those tips, but they are good things to keep in mind.– MR
4. Down in front: When Firefox stopped connecting via HTTPS to many web sites, some of you might have been frustrated enough to switch to a new browser. Firefox’s latest version stopped accepting SHA-1 signed certificates because the algorithm has been deprecated. But if your company uses DLP or a web security product that performs a ‘man-in-the-middle’ intercept to inspect content, odds are likely it still issues SHA-1 signed certificates. That makes Firefox barf, so you can’t connect. Too bad, so sad. You can use another browser if you choose, but as your requests are already being filtered (thanks, web proxy!), you can configure FF to accept those SHA-1 certificates without concern for degraded privacy or security. But you should ask your security vendor to up their game. – AL
5. Can you change your mindset? This isn’t security related, but interesting enough to mention. There has been a ton of research on growth vs. set mindsets. Psychology Today has a quick article covering the research highlights. People with set mindsets are good with the status quo, and don’t think intelligence changes. Those with growth mindsets believe they can grow intelligence as they push out of their comfort zones and try new things. If you tend toward ‘set’, can you ‘grow’? Or are these fixed aspects of your personality that aren’t easy to change? The article makes it sound like you just decide to grow. Is it that easy? Maybe it should be, but I have my doubts about whether folks can fundamentally change their mindsets. – MR