For a football fan, there is nothing like the New Year holiday. You get to shake your hangover with a full day of football. This year was even better because the New Year fell on a Sunday, so we had a full slate of Week 17 NFL games (including a huge win for the G-men over the despised Cowboys) and then a bunch of college bowl games on Monday the 2nd.

[Photo caption: That's how Cinderella gets those rockin' arms...]

Both of my favorite NFL teams (the Giants and Falcons) qualified for the playoffs, which is awesome. They play on Sunday afternoon. Which is not entirely awesome. This means the season will end for one of my teams on Sunday. Bummer. It also means the other will play on, giving me someone to root for in the Divisional round. Yup, that’s awesome again. Many of my friends ask who I will root for, and my answer is both. Or neither. All I can hope is for an exciting and well-played game. And that whoever wins has some momentum to go into the next round and pull an upset in Green Bay.

The end of the football season also means that many front offices (NFL) and athletic departments figure it’s time to shake things up. If the teams haven’t met expectations, they make a head coaching change. Or swap out a few assistants. Or inform the front office they’ve been relieved of their duties. Which is a nice way of saying they get fired. Perhaps in the offseason blow up the roster, or search to fill a missing hole in the draft or via free agency, to get to the promised land. But here’s the deal – as with everything else, the head coach is usually a fall guy when things go south. It’s not like you can fire the owner (though many Redskins fans would love to do that).

But it’s not really fair. There is so much out of the control of the head coach, like injuries. Jacksonville lost a dozen defensive backs to injury. St. Louis lost all their starting wide receivers throughout the year. Indy lost their hall of fame QB. And most likely the head coaches of all these teams will take the bullet. But I guess that’s why they make the big bucks. BTW, most NFL owners (and big college boosters) expect nothing less than a Super Bowl (or BCS) championship every year. And of course only two teams end each year happy.

I’m all for striving for continuous improvement. Securosis had a good year in 2011. But we will take most of this week to figure out (as a team) how to do better in 2012. That may mean growth. It may mean leverage and/or efficiency. Fortunately I’m pretty sure no one is getting fired, but we still need to ask the questions and do the work because we can always improve.

I’m also good with accountability. If something isn’t getting done, someone needs to accept responsibility and put a plan in place to fix it. Sometimes that does mean shaking things up. But remember that organizationally, shaking the tree doesn’t need to originate in the CEO’s office or in the boardroom. If something needs to be fixed, you can fix it. Agitate for change. What are you waiting for? I’m pretty sure no one starts the year with a resolution to do the same ineffective stuff (again) and strive for mediocrity.

It’s the New Year, folks. Get to work. Make 2012 a great one.


Photo credits: “drawing with jo (2 of 2)” originally uploaded by cuttlefish

Heavy Research

We’ve launched the latest Quant project digging deeply into Malware Analysis. Here are the posts so far:

Given its depth we will be posting it on the Project Quant blog. Check it out, or follow our Heavy Feed via RSS.

Incite 4 U

  1. Baby steps: I have been writing and talking a lot more about cloud security automation recently (see the kick-ass cloud database security example and this article). What’s the bottom line? The migration to cloud computing brings new opportunities for automated security at scale that we have never seen before, allowing us to build new deployment and consumption models on existing platforms in very interesting ways. All cloud platforms live and die based on automation and APIs, allowing us to do things like automatically provision and adapt security controls on the fly. I sometimes call it “Programmatic Security.” But the major holdup today is our security products – few of which use or supply the necessary APIs. One example of a product moving this way is Nessus (based on this announcement post). Now you can load Nessus with your VMware SOAP API certs and automatically enumerate some important pieces of your virtualized environment (like all deployed virtual machines). Pretty basic, but it’s a start. – RM
  2. Own It: It seems these two simple words might be the most frequently used phrase in my house. Any time the kids (or anyone else for that matter) mess something up – and the excuses, stories, and other obfuscations start flying – the Boss and I just blurt out “own it.” And 90% of the time they do. So I just loved to see our pal Adam own a mistake he made upgrading the New School blog. But he also dove into his mental archives and wrote a follow-up delving into an upgrade FAIL on one of his other web sites, which resulted in some pwnage. Through awstats of all things. Just goes to show that upgrading cleanly (and quickly) is important and hard, especially given the number of disparate packages running on a typical machine. But again, hats off to Adam for sharing and eating his own dog food – the entire blog is about how we don’t share enough information in the security business, and it hurts us. So learn from Adam’s situation, and share your own stories of pwnage. We won’t laugh at you for too long… – MR
  3. Popping the Router: A story that slipped through the cracks during the holiday season was the CERT notification that many common routers have a flaw in the way they perform PIN authentication that can be compromised in as few as 11,000 (10^4 + 10^3) attempts. That may sound like a lot, but someone sitting outside your home with a laptop can probably try that many in a couple hours. Brute force FTW. And the list of affected routers is long: Linksys, D-Link, Buffalo, Belkin, etc. There are something like a gazillion Linksys routers out there, and if you are reading this I bet you have one. At this time I am not aware of a fix, but this would be a good time to start checking into firmware upgrades for these network entry points – for the home as well as the office. I found one of my Linksys routers was running its original firmware (2005!) – and when routers run properly it is easy to forget about keeping them updated. – AL
  4. Make friends and influence people (by pwning their stuff): The easiest way to make a point about how secure (or not) something is typically involves breaking it. Our friendly neighborhood average security guy maps out a very clean approach to breaking in and taking some stuff in what he terms a smash and grab pen test. As Stephen says, it’s not a full-on highly planned, very comprehensive test (as described by the awesome PTES), but it usually works. And when you are making a point sometimes that’s all you need to do. Either that, or you can make a few shekels popping boxes at bar mitzvahs and weddings. – MR
  5. SAD: I honestly can’t say I understand the Anonymous attack on STRATFOR and the other disclosures of paid subscribers and trial registrant data. Their argument that they wanted the credit cards to make charitable donations does not hold water, so I am guessing they did not like the fact that STRATFOR relies on Washington insiders – both political and military – for their analysis. Aside from that, there are two significant security lessons for end users here. First, if you use one password for multiple web sites: Stop! Right! Now! Get yourself a good password manager because right now script kiddies are using your passwords on eBay, Facebook, and any other site they can think of just for the fun of it. Second, you can’t trust merchants (anyone) to store your data securely. Third, this should be a very convincing lesson that credit cards and cash should be your preferred payment mechanisms, as only these payment tools protect you when a merchant is breached. Debit cards, bank accounts, and PayPal don’t limit your exposure or liability if the bad guys get hold of your information. If STRATFOR – who writes about security all the freakin’ time – can screw up by not encrypting credit card data, we all need to assume most merchants screw it up as well. – AL
  6. Mining those network logs: We talk about log analysis all the time, along with the need to monitor everything, and all that other security management goodness. So check out Kyle Maxwell’s post digging into network traffic log analysis. He delves into what to look for on the egress side, as well as good network indicators of problems on ingress connections. Kyle also makes a great point about looking for network anomalies. “You can’t know what’s anomalous until you know what’s normal. A word of caution here, though: don’t assume your baselines are already secure.” So you have some work to do, but once those baselines stabilize, they provide great indicators for problems. Remember, the network doesn’t lie (okay – rarely lies), so building your monitoring process from the network on up makes a lot of sense. – MR
  7. FedRAMPing up: The feds adopted a “cloud first” model (last year?) to push agencies into using more cloud services. But security requirements and testing have been a big holdup because there was no system to certify and accredit cloud services as suitable for traditional IT assets. So FedRAMP was born to build a policy and governance framework to assess and approve these cloud things. The initial info was just released, and… well, I think Dan Philpott’s article on it is pretty interesting. It includes my favorite quote of the New Year (at least the first 4 days of it): “It has been suggested that there may be too many acronyms and abbreviations involved in a FedRAMP process where the CSP, 3PAO, DHS, PMO and JAB create, evaluate and monitor SSP, CMP, SAP, SAR, POA&M, other SAP, SLA, MOU, MOA and possibly an ICA for a FISMA A&A ATO. There is some truth to this suggestion.” FedRAMP is going to be very important to both the government and the private sector, so I suggest you cloudy folks pay attention – if for nothing else than the LULZ (Largely Undefined Laughter with Zeal). – RM
  8. Bonus Incite: GTFOOMW and let me innovate: You read all sorts of cool things on the Internet about how innovative companies actually build a culture to foster innovation. Check out Adrian Cockcroft’s view on how Netflix innovates by getting out of the way. Clearly this approach won’t work for every organization, but there is probably something you can take from it and apply to your daily existence. Unfortunately I’ve worked in very few organizations which trusted the team enough to actually get the f*** out of their way (GTFOOMW) with failsafes in place to ensure that innovation didn’t spiral out of control. But maybe that’s why I do what I do now. – MR
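To make item 6 concrete, here is an added example (written for this page, not code from Kyle Maxwell’s post or from Securosis) of the baseline-then-deviate approach over flow-style network logs. It assumes a constructed record format of "epoch src dst dport bytes" and treats 10.0.0.0/8 as the internal network; the sample records, thresholds (3x egress growth, 90% single-destination dominance) and finding names are all inventions for illustration. The baseline_sanity function is there because of Kyle’s caveat: a host that was already compromised when the baseline was taken looks "normal" afterwards, so the baseline itself deserves a look before it is trusted.

```python
"""Baseline-and-deviate check over constructed flow-style log lines."""
from collections import defaultdict

# Constructed sample flow records (not real traffic): "epoch src dst dport bytes".
# 10.0.0.0/8 is the internal network here; any other address is external.
BASELINE_LOG = """\
1325635200 10.0.0.5 93.184.216.34 443 1200
1325635260 10.0.0.5 93.184.216.34 443 900
1325635320 10.0.0.5 198.51.100.7 80 700
1325635200 10.0.0.7 93.184.216.34 443 1500
1325635260 10.0.0.7 198.51.100.7 80 1100
1325635200 10.0.0.9 203.0.113.9 443 4000
1325635260 10.0.0.9 203.0.113.9 443 3800
1325635300 198.51.100.20 10.0.0.10 443 600
1325635400 198.51.100.21 10.0.0.10 80 300
"""

OBSERVED_LOG = """\
1325721600 10.0.0.5 198.51.100.7 80 800
1325721660 10.0.0.5 192.0.2.44 443 60000
1325721720 10.0.0.5 192.0.2.44 443 58000
1325721600 10.0.0.7 93.184.216.34 443 1400
1325721660 10.0.0.7 198.51.100.7 80 1000
1325721700 198.51.100.30 10.0.0.10 443 500
1325721800 192.0.2.99 10.0.0.10 22 200
1325721900 10.0.0.11 93.184.216.34 443 500
"""


def parse(text):
    """Turn the flow lines into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, nbytes = line.split()
        records.append({"ts": int(ts), "src": src, "dst": dst,
                        "dport": int(dport), "bytes": int(nbytes)})
    return records


def is_internal(ip):
    """Constructed convention: the internal network is 10.0.0.0/8."""
    return ip.startswith("10.")


def build_baseline(records):
    """Summarise a window believed to be normal: egress bytes per internal host,
    plus the set of internal (host, port) services that external hosts reached."""
    egress = defaultdict(int)
    ingress_services = set()
    for r in records:
        if is_internal(r["src"]) and not is_internal(r["dst"]):
            egress[r["src"]] += r["bytes"]
        elif not is_internal(r["src"]) and is_internal(r["dst"]):
            ingress_services.add((r["dst"], r["dport"]))
    return {"egress": dict(egress), "ingress_services": ingress_services}


def baseline_sanity(records, dominance=0.9):
    """The 'baselines are not automatically secure' caveat: list internal hosts
    whose baseline egress goes almost entirely to a single external destination.
    The 90% cutoff is a constructed heuristic; such hosts get reviewed, not trusted."""
    per_dst = defaultdict(lambda: defaultdict(int))
    for r in records:
        if is_internal(r["src"]) and not is_internal(r["dst"]):
            per_dst[r["src"]][r["dst"]] += r["bytes"]
    suspicious = []
    for host, dsts in sorted(per_dst.items()):
        if max(dsts.values()) / sum(dsts.values()) >= dominance:
            suspicious.append(host)
    return suspicious


def score(records, baseline, factor=3.0):
    """Compare an observed window of the same length against the baseline.
    Returns (kind, subject, detail) tuples: a review queue, not verdicts."""
    observed = build_baseline(records)
    findings = []
    for host, nbytes in sorted(observed["egress"].items()):
        base = baseline["egress"].get(host)
        if base is None:
            findings.append(("unbaselined_host", host,
                             f"{nbytes} bytes egress from a host with no baseline"))
        elif nbytes > factor * base:
            findings.append(("egress_spike", host,
                             f"{nbytes} bytes egress vs baseline {base}"))
    new_services = observed["ingress_services"] - baseline["ingress_services"]
    for host, port in sorted(new_services):
        findings.append(("new_ingress_service", f"{host}:{port}",
                         "external connection to a port never seen in the baseline"))
    return findings


if __name__ == "__main__":
    base_records = parse(BASELINE_LOG)
    print("baseline hosts to review before trusting the baseline:",
          baseline_sanity(base_records))
    for kind, subject, detail in score(parse(OBSERVED_LOG), build_baseline(base_records)):
        print(f"{kind:20} {subject:16} {detail}")
```

Run as-is, it flags 10.0.0.9 in the baseline (every byte of its egress goes to one external host), then in the observed window reports the egress spike from 10.0.0.5, the never-before-seen host 10.0.0.11, and the first external connection to 10.0.0.10 on port 22. The design choice worth copying is the separation: build_baseline is the "what is normal" step, baseline_sanity is the skeptical look at that answer, and score only ever compares; swapping the constructed thresholds for per-host statistics over many windows does not change the shape.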