As I discussed last week, the beginning of the year is a time for ReNewal and taking a look at what you will do over the next 12 months. Part of that renewal process should be clearing out the old so the new has room to grow. It’s kind of like forest fires. The old dead stuff needs to burn down so the new can emerge. I am happy to say the Boss is on board with this concept of renewal – she has been on a rampage, reducing the clutter around the house.

The fact is that we accumulate a lot of crap over the years, and at some point we kind of get overrun by stuff. Having been in our house almost 10 years, since the twins were infants, we have stuff everywhere. It’s just the way it happens. Your stuff expands to take up all available space. So we still have stuff from when the kids were small. Like FeltKids and lots of other games and toys that haven’t been touched in years. It’s time for that stuff to go.

Since we have a niece a few years younger than our twins, and a set of nephews (yes, twins run rampant in our shop) who just turned 3, we have been able to get rid of some of the stuff. There is nothing more gratifying than showing up with a huge box of action figures that were gathering dust in our basement, and seeing the little guys’ eyes light up. When we delivered our care package over Thanksgiving, they played with the toys for hours.

The benefit of decluttering is twofold. First it gets the stuff out of our house. It clears room for the next wave of stuff tweens need. I don’t quite know what that is, because iOS games don’t seem to take up that much room. But I’m sure they will accumulate something now that we have more room. And it’s an ongoing process. If we can get through this stuff over the next couple months, that will be awesome. As I said, you accumulate a bunch of crap over 10 years.

The other benefit is the joy these things bring to others. We don’t use this stuff any more. It’s just sitting around. But another family without our good fortune could use this stuff. If these things bring half the joy and satisfaction they brought our kids, that’s a huge win.

And it’s not just stuff that you have. XX1 collected over 1,000 books for her Mitzvah project to donate to Sheltering Books, a local charity that provides books to homeless people living in shelters. She and I loaded up the van with boxes and boxes of books on Sunday, and when we delivered them there was great satisfaction from knowing that these books, which folks kindly donated to declutter their homes, would go to good use with people in need.

And the books were out of my garage. So it was truly a win-win-win. Karma points and a decluttered garage. I’ll take it.

–Mike

Photo credit: “home-office-reorganization-before-after” originally uploaded by Melanie Edwards


Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

Reducing Attack Surface with Application Control

Security Management 2.5: You Buy a New SIEM Yet?

Advanced Endpoint and Server Protection

Newly Published Papers


Incite 4 U

  1. Don’t take it personally: Stephen Covey has been gone for years, but his 7 habits live on and on. Our friend George Hulme did a piece for CSO Online detailing the 7 habits of effective security pros. The first is communication and the second is business acumen. I’m not sure you need to even get to #3. Without the ability to persuade folks that security is important, within the context of a critical business imperative – nothing else matters. Of course then you have squishy stuff like creativity and some repetitious stuff like “actively engaging with business stakeholders”. But that’s different than business acumen. I guess it wouldn’t have resonated as well if it was 5 habits, right? Another interesting one is problem solving. Again, not unique to security, but if you don’t like to investigate stuff and solve problems, security isn’t for you. One habit that isn’t on there is don’t take it personally. Security success depends on a bunch of other things going right, so even if you are blamed for a breach or outage, it is not necessarily your fault. Another might be “wear a mouthguard” because many security folks get kicked in the teeth pretty much every day. – MR
  2. Out-of-control ad frenzy: Safari on my iPad died three times Saturday a.m., and the culprit was advertisement plug-ins. My music stream halted when a McDonalds ad screeched at me from another site. I was not “lovin’ it!” The 20 megabit pipe into my home and a new iPad were unable to manage fast page loads because of the turd parade of third-party ads hogging my bandwidth. It seems that in marketers’ frenzy to know everything you do and push their crap on you, they forgot to serve you what you asked for. The Yoast blog offers a nice analogy, comparing on-line ads to brick-and-mortar merchants tagging customers with stickers, but it’s more like carrying around a billboard. And that analogy does not even scratch the surface of the crap going on under the covers. So I have to ask, as the media has been barking for months about Snowden-related revelations about NSA spying, why is nobody talking about marketing firms pwning your browser and scraping every piece of data they can? Those of you who don’t examine what web pages do behind the scenes when you visit them – the folks with better things to do – might be surprised to learn that many web sites use over 20 trackers, and send info to a dozen third parties completely unrelated to the content you actually requested. Referrer tags, ghost scripts, framing, re-routing through marketing sites, cookies, intentional data leakage, plug-ins, and browser scraping. We use Google+ here for the Securosis Firestarter, but Google contacts 5 different Google servers every hour to update Google on, among other things, my patch level. Yes, hourly! Do you honestly think we could not buy stuff, or find information, if all this crap was blocked? Let’s find out! I’m going to try out the kickstarter project Ad Trap to see if it increases or reduces web browsing satisfaction. – AL
  3. There is timing in everything: The Target attack occurred at the worst possible time for Target, and the best for attackers – what a coincidence! In our research meeting today someone mentioned that by attacking close to the holidays, the attackers likely reduced the effectiveness of credit card fraud detection mechanisms – people buy more weird stuff from new and unusual places at Christmas. It also meant banks were very unlikely to cancel and reissue cards, given the impact that would have on consumers’ ability to spend money they don’t have during the holidays. Sorry Suzie, no Doc McStuffins play set for you – Santa’s magic card doesn’t work any more. This is logical, but it turns out the guy known for Prisoner’s Dilemma research put together a mathematical model for cyberattack timing. On the upside this is something defenders can use to model and prepare for attacks. On the downside I suspect many bad guys have this model instinctively hardwired into their brains. Well, the successful attackers, at least. – RM
  4. Gracefully impaling yourself: Dave Lewis uses some of his CSO blog real estate to laud our own Rich for disclosing in gory detail a mistake he made with his AWS account. Dave’s point (and one we reiterated in this week’s Firestarter) is that there is a right way and a wrong way to communicate during a breach. Full disclosure is better. If you don’t know something, say you don’t know. And share information so perhaps someone else can avoid the trap that you fell into. It is hard when you need to juggle the demands of lawyers to limit liability, the desire of customers to figure out what they lost, the heavy hand of law enforcement who needs unspoiled evidence, and the need for someone internally to point the finger elsewhere. The best way to make sure you are ready? A tabletop exercise, which will at least make sure everyone understands their roles and responsibilities. – MR
  5. Get some! Investment professionals consistently advise people to “invest in themselves”, as time and money spent on education pays the greatest returns. I am a huge fan of people who are students of their profession and study their craft to get better. Again, it pays dividends in career advancement, which leads to more job satisfaction. I made sure I had training budget to send my team to conferences and training sessions. They always came back stimulated from the new knowledge, and from being away from the daily grind for a couple days. Tom’s Guide has an article on planning your 2014 certifications. If you read the Securosis blog you know we are not huge fans of certifications; many of these rubber stamps don’t prove competency or make people better at their jobs. Lots of people use certificates as a badge of belonging to some club. Or perhaps to get by HR screeners on their next job interview. Whatever. I’m not about to endorse certifications for the sake of accumulating certificates, but it is time to get a plan together for the coming year. Figure out what would be most beneficial for you to learn, get management approval before the budget runs out, and get out there! Whether it’s chasing a certification or just learning a set of new skills, training is highly beneficial – not only to your employer but also to your psyche. And it doesn’t happen unless you make it. – AL
  6. Horse. Dead. Redux: Rumor is Ira Winkler is still pissed at me for letting The Macalope pick on him in the early days of this blog. No, I’m not the Macalope, and Ira deserved the criticism. That said, I do like his take on the so-called RSA boycott. I realize we have been beating on this issue, but like a good late-night talk show host, you work with the material you have. It is a pretty definitive piece – Ira lays out the false assumptions, grandstanding, and hypocrisy grounding most of the echo chamber nonsense on the RSA/NSA issue and accompanying boycott. I can only assume he has gotten over the ribbing he received on our site, because his particular 2007 article was fairly misinformed itself. Who says folks don’t learn from their mistakes? – RM