Happy 2013 everybody! At the dawn of a new year, most folks think more proactively about what they want to change – and what they don’t. I have spoken many times about the need to embrace change and even to learn to love change. Change is good. Stagnation is bad. But the trouble lies in how you achieve that change – and how you react when change is forced upon you.

We were in the car the other day, and the Boss asked the kids about their New Year Resolutions. She and XX1 had some great ideas about what they resolved to do in the coming year. Everything they said was outstanding. But here’s the rub. Talk is easy. Resolutions are easy. Writing down resolutions is harder than saying them. And actually doing something consistently is infinitely harder. That’s why so many folks fail year after year regarding their resolutions.

I am working on not putting a pin in every thought balloon floated in my direction. Cynics are trained to deflate ideas before they get airborne. It’s not the most positive feature of my OS. So in an attempt to do things differently, I held off from the typical interrogation that would follow a resolution. My instinct is to dig into the plan. I want everyone to lose weight or communicate better or get in shape or do whatever you’ve resolved to do. But without a plan – and more importantly an accountability partner – the odds are not in your favor. That’s not being pessimistic, it’s being realistic.

You see, resolutions have to do with what you want to change. By the time we get through January, the best laid plans will be totally screwed up by external forces requiring you to adapt. Maybe it’s an injury that inhibits your exercise resolution. Or a new high profile project that gets in the way of family dinners. That’s why I largely stopped setting goals. And I don’t make New Year’s resolutions. Why should I wait until the end of December to do the right thing?

That doesn’t mean I plan to stagnate. I know where I want to get to. But I’m less set on how I get there. Regardless of what happens, I’ll adapt accordingly. I did a bunch of analysis at the end of last year to figure out what needs to happen every month to hit my desired economic outcome. But life will intrude and I’ll need to adapt. I know how I need to eat to maintain my desired weight and how many days I need to exercise to strengthen my body accordingly. Some days I’ll do well, other days I won’t.

My plan is to look back in 12 months and feel good about what I’ve accomplished. But there are no hard and fast rules about what that means. There are no specifically defined goals. It’s about making sure I’m moving in the right direction. I’ll get there when I get there. If I get there. The only thing I specifically focus on is consistent effort. The beauty of not being tied to specific goals is that I can add variety to my actions and my activities. I get that’s an oxymoron.

To me, consistent variety means to work hard every day. Be kind every day. Make good choices every day. And adapt as needed. You know, grind. Do stuff. Make mistakes. But move forward. Always. For a pessimist, I’m pretty optimistic about 2013.


Photo credits: Consistency originally uploaded by Matt Hampel

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

Building an Early Warning System

Understanding and Selecting an Enterprise Key Manager

Newly Published Papers

Incite 4 U

Editor’s note: With great pleasure we welcome one of our two favorite Canadians as an Incite contributor. Jamie Arlen (@myrcurial for you Twitterati) will be contributing a piece each week, and his stuff will be tagged JA. So now you know where to send the hate mail…

  1. Monetizing the entire PC: Krebs’ recent post about the market for stolen passwords made me think of the huge markets the Boss and I visited in Barcelona last spring. The butchers there would sell pretty much every part of the animal. You’d look at the display case and think “WTF is that?” There is very little waste. It seems that PCs are silicon goats, and the underground markets Krebs frequents are the places where the parts get traded. By the way, it’s not much different than how Wall Street packages up pretty much everything, slices it, values it, and sells it in various tranches. Then they sell derivatives on the tranches, making transaction fees on every step of the cycle. I don’t think there is a big market for the meat of a lemming, but there is a huge market for consumer PC lemmings. That’s for sure. – MR
  2. Have fun without the echoes: 2012 is in the bag, and for some of us it couldn’t come soon enough. Oh, I had some nice highlights of the year (especially the bit about going to the Tour de France), but it seems I spent too much time sick or buried in less-interesting projects. Despite all that, one thing I avoided was getting caught up in the echo-chamber security BS that sometimes plagues Twitter, blogs, and the press. Almost none of these debates matter in any meaningful way, as Dave Shackleford says so well: “There’s been a lot of acrimonious discussion in the security community this year…and I found myself becoming completely and totally desensitized to much of it. Why? Not because I’m callous or don’t care. No, because I have progressively grown more focused on discourse that actually focuses on real-world issues or things we can do…” Personally, I realized something similar a couple years ago and started changing how I write and engage with folks. I care more about getting the job done and enjoying the rest of life than getting bogged down in debates over Anonymous or disclosure – not that it isn’t fun to poke the bear sometimes. – RM
  3. HSM on the go: Stefan Arentz’s blog post on turning an Arduino into an HSM is one of the coolest security DIY projects I have seen in a long time. In essence he’s storing his Amazon EC2 credentials on the Arduino, and the Arduino is set to securely store the credentials in memory. The application code can then sign API requests. It’s a portable $50 HSM. Seriously. It may not be the most practical format, but for paranoids like me it’s a safe place to keep keys when traveling, especially if you are worried about your laptop being compromised. – AL
  4. Hiding good work under the hype: As many people know, we’re in year number X of the “SCADAs R BROKENED, PLS FIX NAO!!!!” hype cycle. The problem is that much of the good work being done gets lost in the noise of people who have no answers but do have product to move this quarter. This problem is compounded by good people doing good work, who try to leverage the hype machine to be heard. It’s a double-edged sword. A perfect case in point is the (actually quite good) talk from 29C3 called SCADA Strangelove: How I Learned to Start Worrying and Love Nuclear Plants by Denis Baranov and company. The talk is about ICS security and it’s great in that context, but completely useless as guidance for securing actual SCADA devices. Baranov and others run a research group at SCADAStrangeLove.org and the content is pretty good, which means you’ll see a limited amount of cyberdouchery. I just wish they’d stay in their lane, as opposed to suggesting (quite incorrectly) that the solution for wide-area SCADA networks is to do a better job at PLC security. It’s like the inverse of schadenfreude: I’m not laughing at the pains the industry is going through, but it’s irritating to see some folks do the right things and then screw up communications in a cloud of self-importance and arrogance. And you wonder why we lose respect and are branded Chicken Little? I have been told to just suck it up and accept it, but that’s a cop-out. Why should we settle for anything less than our best work? Of course, I’m an altruistic optimist – my bad. – JA
  5. Ahead of the purchasing curve: At Dark Reading, Erika Chickowski highlights a common issue with database monitoring: It’s only deployed on a small subset of databases in the typical enterprise. The reasons for this are as diverse as the products and companies that use database monitoring. A common issue is that estimated licensing and hardware costs are a fraction of real costs, and companies simply run out of funds long before they run out of databases to protect. This forces firms to prioritize which databases to monitor. Some are thwarted by third-party SLAs that do not allow the additional overhead of monitoring. Still others run headlong into inter-departmental politics and can’t get permission to access the systems. Most large companies I speak with plan to roll out monitoring for all databases but don’t, because they lack the time, skill, or resources to do so. The moral of the story is to be realistic about what you can really monitor, and to think in terms of phases as your rollout progresses. – AL
  6. Your SSH keys belong to… oops! As people move more deeply into cloud computing, particularly IaaS, they quickly learn that managing credentials is a bit of a mess. First the good news: this isn’t (generally) due to security weaknesses in cloud platforms, but more because of the sheer volume of credentials to manage. For example, for any given admin or developer you likely have web credentials, access keys, X.509 certs, and then any related SSH keys for accessing instances (or usernames/passwords for Windows instances). And those SSH keys and Windows admin credentials? Yeah, there are a lot of them, plus you probably need to restrict entitlements in the cloud management layer at a granular level because all these credentials are largely unprotected on your endpoints. I have been ignoring the constant spam from this particular company pushing self-serving articles and interviews, but that doesn’t mean the problem isn’t real. This is a new dimension to key management (and cloud identity) for most folks, and one that isn’t a make-believe problem. You have to believe the privileged user management folks are looking very closely at this issue. – RM
  7. Layers are fine, it’s the controls that broke: When something isn’t working, it’s natural to question the foundational concepts. So it’s no surprise to see folks question whether layered security models are still relevant. That article brings up some decent points about the need to do a risk assessment and understand what’s important to protect within your business. And to prioritize security investments to protect the important stuff. It’s a pretty Pragmatic way of thinking. But that doesn’t mean layers don’t work anymore. Trying to detect bad stuff first at the network, then at the device, then within the application, and then within the transaction is smart. Using outdated controls at any of those layers is stupid. Layers still work, folks, but only if the specific controls you implement at each layer keep pace with attacks. – MR
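A worked illustration of the boundary item 3 describes (keys live on a separate signer, the laptop only ever hands over a string to sign), added here as an example; it is not code from the original post or from Stefan Arentz’s Arduino project. The `SignerDevice` and `HostClient` classes, the in-process call that stands in for the serial link, and the dummy credentials and request are all constructed for the example. The key-derivation chain is the one AWS documents for Signature Version 4, chosen because it shows the secret being consumed only as an HMAC key; whatever EC2 signing scheme the original project used is not assumed.

```python
"""Added example: a 'portable HSM' boundary for cloud API credentials.

The host builds the SigV4 canonical request and string-to-sign, then asks the
signer for a signature. The secret access key never crosses the boundary; a
compromised laptop can only obtain signatures while the device is attached.
All names and sample data are constructed for this example.
"""
import hashlib
import hmac


def hmac_sha256(key: bytes, msg: bytes) -> bytes:
    """Plain HMAC-SHA256; each step of the SigV4 key chain is one of these."""
    return hmac.new(key, msg, hashlib.sha256).digest()


class SignerDevice:
    """Stands in for the Arduino (hypothetical class): holds the secret access
    key and exposes only sign(). The secret is used as an HMAC key, never exported."""

    def __init__(self, secret_access_key: str) -> None:
        self._secret = secret_access_key.encode()

    def sign(self, date: str, region: str, service: str, string_to_sign: str) -> str:
        # AWS SigV4 derivation: kSecret -> kDate -> kRegion -> kService -> kSigning.
        k_date = hmac_sha256(b"AWS4" + self._secret, date.encode())
        k_region = hmac_sha256(k_date, region.encode())
        k_service = hmac_sha256(k_region, service.encode())
        k_signing = hmac_sha256(k_service, b"aws4_request")
        return hmac_sha256(k_signing, string_to_sign.encode()).hex()


class HostClient:
    """Laptop-side code (hypothetical class): knows only the public access key
    id and a handle to the signer. It canonicalises the request and ships the
    string-to-sign across the boundary; nothing long-lived is stored here."""

    def __init__(self, access_key_id: str, signer: SignerDevice) -> None:
        self.access_key_id = access_key_id
        self._signer = signer

    def authorization_header(self, method, uri, query, headers, payload,
                             amz_date, region, service) -> str:
        date = amz_date[:8]
        scope = f"{date}/{region}/{service}/aws4_request"
        # Canonical headers: lowercased names, whitespace-trimmed values, sorted.
        canon = sorted((k.lower(), " ".join(v.split())) for k, v in headers.items())
        canonical_headers = "".join(f"{k}:{v}\n" for k, v in canon)
        signed_headers = ";".join(k for k, _ in canon)
        # `query` is assumed to already be URI-encoded and sorted by parameter name.
        canonical_request = "\n".join([
            method, uri, query, canonical_headers, signed_headers,
            hashlib.sha256(payload).hexdigest(),
        ])
        string_to_sign = "\n".join([
            "AWS4-HMAC-SHA256", amz_date, scope,
            hashlib.sha256(canonical_request.encode()).hexdigest(),
        ])
        # The only thing that crosses to the device is the string-to-sign and scope parts.
        signature = self._signer.sign(date, region, service, string_to_sign)
        return (f"AWS4-HMAC-SHA256 Credential={self.access_key_id}/{scope}, "
                f"SignedHeaders={signed_headers}, Signature={signature}")


def demo() -> str:
    """Constructed sample: an EC2 DescribeInstances call with dummy credentials."""
    signer = SignerDevice("wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY")  # dummy secret
    client = HostClient("AKIDEXAMPLE", signer)
    return client.authorization_header(
        method="GET",
        uri="/",
        query="Action=DescribeInstances&Version=2012-12-01",
        headers={"Host": "ec2.amazonaws.com", "X-Amz-Date": "20130102T120000Z"},
        payload=b"",
        amz_date="20130102T120000Z",
        region="us-east-1",
        service="ec2",
    )


if __name__ == "__main__":
    print(demo())
```

The point to check in your own version is that `HostClient` holds nothing a thief could replay later: inspect its instance dictionary and confirm the secret is absent. On real hardware the `sign()` call becomes a message over the serial link, and the device should refuse to answer unless a physical confirmation (button, touch) accompanies it, otherwise malware on the host simply uses the attached device as a signing oracle.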