Incite 10/10/2012: A Perfect Day
By Mike Rothman
It’s just another day. So what that, many years ago, you happened to be born on that day. Yes, I am talking about birthdays. Evidently when it’s your birthday it means people should treat you nicely, let you do what you want, write you cards, and shower you with gifts. We’d probably all like that treatment the other 364 days too, right? But on your birthday I guess everyone deserves a little special treatment. Well, my birthday was this past weekend, and it was pretty much perfect.
The day started like any other Sunday, but things were a bit easier. I got the kids up and they didn’t give me a hard time. No whining about Sunday school. No negotiating outfits. I didn’t once have to say “that’s not appropriate to wear to Temple!” They made their own breakfast, not requiring much help. The kids had made me nice cards that said nice things about me. I guess one day a year they can get temporary amnesia. I dropped them off for Sunday school and headed over to my usual Sunday spot to catch up on some work. Yes, I work on my birthday.
To put myself in a good mood, I started with my CFO tasks. Think Scrooge McDuck counting his stacks of money. That’s me. Scrooge McIncite making sure everything adds up and every cent is accounted for. I did some writing – Scrooge McIncite gets things done. I got ahead of my mountain of work before I head out on my golf weekend.
Then I got to watch football. All day. The Falcons won. The Giants won. The Panthers, Eagles, and Redskins lost. It was a pretty good day for my teams. The Giants game was televised on local TV, and through the magic of DVR I could record both the Falcons and the Giants and not miss anything. How lucky is that?
Then my family took me out to a great dinner. I splurged quite a bit. Huge breakfast burrito for dinner. That’s right, I can eat a breakfast burrito for dinner. It’s my birthday, and that’s how I roll. Then I had some cheesecake to top off the cholesterol speedball. When was the last time I did that? Evidently rules don’t apply on your birthday. The servers had no candles, and they sang Happy Birthday to me, which I didn’t let ruin my day.
In fact, nothing was going to ruin my day. Even when the Saints came back and won the Sunday night game. As I snuggled into my bed at the end of a perfect day, I did take a minute to reflect on how lucky I am. I don’t allow myself to do that too often or for too long, because once he’s done counting today’s receipts Scrooge McIncite starts thinking about where tomorrow’s money is going to come from. But the next day will be here soon enough, so one day a year I can doze off thinking happy thoughts.
Photo credits: Scrooge McDuck: Investment Counselor window in Mickey’s Toontown originally uploaded by Loren Javier
We’re back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.
Defending Against Denial of Service (DoS) Attacks
Understanding and Selecting Identity Management for Cloud Services
Securing Big Data
Incite 4 U
The DDoS future is here today: I mentioned it in last week’s Incite, but we have more detail about the DDoS attack on financial firms that happened last week thanks to this great article by Dan Goodin at Ars Technica. As I continue to push the DoS blog series forward, one of our findings was the need to combine defenses, because eventually the attackers will combine their DoS tactics… like any other multi-faceted attack. Last week’s attacks showed better leverage by using compromised servers instead of compromised consumer devices, providing a 50-100x increase in attack bandwidth. The attacks also showed an ability to hit multiple layers from many places, or one target at a time. This is clear attack evolution, but that doesn’t mean it was state sponsored. It could as easily be more disinformation, attempting to obscure the real attackers. So the DoS arms race resumes. – MR
OAuthorized depression: For many years I deliberately avoided getting too deep into identity and access (and now, entitlement) management. Why? Because IAM is harder than math. That has started to change as I dig into cloud computing security, because it is very clear that IAM is not only one of the main complexities in cloud deployments, but also a key solution to many problems. So I have been digging into SAML, OAuth, and friends for the past 18 months. One thing that has really depressed me is the state of OAuth 2.0. As Gunnar covers at Dark Reading, we might be losing our dependence on passwords, but OAuth 2.0 stripped out nearly all the mandatory security included in OAuth 1. This is a very big deal because, as we all know, most developers don’t want (and shouldn’t need) to become IAM experts. OAuth 1 effectively made security the default. OAuth 2 is full of a ton of crap, and developers will need to figure out most of it for themselves. This is a major step backwards, and one of the many things fueling the security industry’s alcohol abuse problem. – RM
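To make concrete what “security by default” meant in OAuth 1, here is an added example (not from this post or from any OAuth library) that builds and checks an OAuth 1.0a HMAC-SHA1 request signature per RFC 5849, using the RFC’s own sample request; the consumer and token secrets are constructed, since the RFC does not publish them. Every query, body and oauth_* parameter is bound by the signature, so a request altered in transit fails verification, whereas an OAuth 2 bearer token hands the server nothing comparable to check unless the developer adds it.

```python
import base64, hashlib, hmac
from urllib.parse import parse_qsl, quote, urlsplit

def pct(value):
    """RFC 3986 percent-encoding exactly as RFC 5849 section 3.6 requires."""
    return quote(str(value), safe="-._~")

def base_string(method, url, oauth_params, body=""):
    """Signature base string (RFC 5849 section 3.4.1): method, base URI, and
    every query, body and oauth_* parameter, percent-encoded and sorted."""
    parts = urlsplit(url)
    base_url = f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}"
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    pairs += parse_qsl(body, keep_blank_values=True)
    pairs += [(k, v) for k, v in oauth_params.items() if k != "oauth_signature"]
    encoded = sorted((pct(k), pct(v)) for k, v in pairs)
    normalized = "&".join(f"{k}={v}" for k, v in encoded)
    return "&".join([method.upper(), pct(base_url), pct(normalized)])

def sign(method, url, oauth_params, consumer_secret, token_secret, body=""):
    """Client side: HMAC-SHA1 over the base string, keyed by both secrets."""
    key = f"{pct(consumer_secret)}&{pct(token_secret)}".encode()
    text = base_string(method, url, oauth_params, body).encode()
    return base64.b64encode(hmac.new(key, text, hashlib.sha1).digest()).decode()

def verify(method, url, oauth_params, consumer_secret, token_secret, body=""):
    """Server side: recompute and compare in constant time. A real server also
    rejects stale oauth_timestamp values and reused oauth_nonce values."""
    expected = sign(method, url, oauth_params, consumer_secret, token_secret, body)
    return hmac.compare_digest(expected, oauth_params.get("oauth_signature", ""))

# Sample request from RFC 5849 section 3.4.1.1 (public values only); the two
# secrets are constructed for this example, the RFC does not publish them.
RFC_URL = "http://example.com/request?b5=%3D%253D&a3=a&c%40=&a2=r%20b"
RFC_BODY = "c2&a3=2+q"
RFC_OAUTH = {"oauth_consumer_key": "9djdj82h48djs9d2", "oauth_token": "kkk9d7dh3k39sjv7",
             "oauth_signature_method": "HMAC-SHA1", "oauth_timestamp": "137131201",
             "oauth_nonce": "7d8f3e4a"}
CONSUMER_SECRET, TOKEN_SECRET = "constructed-consumer-secret", "constructed-token-secret"

def demo():
    """Return (verifies as signed, verifies after one query value is altered)."""
    params = dict(RFC_OAUTH)
    params["oauth_signature"] = sign("POST", RFC_URL, params, CONSUMER_SECRET, TOKEN_SECRET, RFC_BODY)
    intact = verify("POST", RFC_URL, params, CONSUMER_SECRET, TOKEN_SECRET, RFC_BODY)
    # Flip a3=a to a3=b in transit: the signature no longer covers what arrived.
    altered = verify("POST", RFC_URL.replace("a3=a", "a3=b"), params, CONSUMER_SECRET, TOKEN_SECRET, RFC_BODY)
    return intact, altered  # → (True, False)
```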
Human intel: The headline U.S. banks could be bracing for wave of account takeovers hits the FUD button in yet another attention whoring effort to get more page views with less content. But there is an interesting nugget in the story – not the predicted (possible) bank attacks, but how opinions have formed. In the last year many CISOs of large enterprises have engaged third party providers to collect intel on possible threats. No, not looking at log files – we are talking about actively collecting Internet intel by scraping hacker sites and actively chatting. These companies use that intel to adapt their defenses and staff up SOCs when they anticipate attacks. It’s not the “threat intel” many vendors use to describe their attack signatures – what real attackers are talking about doing to you soon is much more interesting and valuable. This is another indicator of the inflection point Rich was talking about a couple weeks ago. – AL
BYOD here, there, everywhere: Yes, we will look back on 2012 and see it as the year of BYOD. Of course that doesn’t really mean anything – the avalanche of mobile devices has been underway for years. And this idea of pushing employees to buy their own devices is still a conspiracy concocted by CFOs trying to move fast-depreciating devices off their balance sheets. The IW folks have 6 tips for dealing with mobile devices, and make some reasonable points. We will see just about every vendor pushing some kind of solution to deal with BYOD. But we tend to forget the basics, as my BYOD pitches this year have pointed out. First assess risk, then define policies, and only then think about enforcement. There are many options for managing and securing devices, which are inherently more secure than PCs. But until you know what you are trying to protect against, you are just blindly throwing technology at the problem. Again. – MR
Social media may not be a security risk, but your policy is: I will be honest – I think most of the hype around social media risks we have seen over the past few years is totally overblown. Yes, personal information can be used for targeted attacks – big deal. Operational security has always been an issue, and if your security program relies on locking people into closets, odds are it won’t work. One area I do worry about, though, is the risk your organization exposes itself to by not having a reasonable social media policy, or by failing to educate your employees. Take this case of a former executive who had her LinkedIn account hijacked when she left the company. The judge sided with the company, even though it was a dick move, but I think this case is far from over. We will see more and more clashes between corporate desires, personal wants, and social norms. You need to write out a clear policy, have it approved by legal, communicate it to users, and enforce it consistently. And don’t assume your policy is legal because employees essentially sign it under duress – even in work-for-hire states there are limits to what you can force people to do or not do outside work hours. – RM
That’s the smell? Must be your developers: Charlie Kindel has the right idea, but drew the wrong conclusion in Paying Developers is A Bad Idea. He’s right that paying developers to build stuff nobody wants is a waste of capital. It’s like putting the circus in Alviso off the 237 in San Jose – people might stop by with their kids because they see the Ferris wheel, but it still smells like Alviso so they won’t stay. That does not mean paying developers is a bad idea if you want to get something done. Monetary incentives have been very successful as bug bounties, where highly specialized security tests are performed by select developers looking to make some beer money. But paying for BlackBerry application development is the mobile equivalent of building new line printers – just because it’s there does not mean people will use it. – AL
The Hackin9 spam beat goes on: Even after the D*CKS fiasco and a promise of changes from the publishers of Hackin9, did you really think anything would change? According to this post by the digininja it hasn’t. Shocker. But the Twitter echo chamber is a small subset of the security community. There are plenty of other folks who don’t pay attention, think guys like Greg Evans are experts, and have never heard of attrition.org. That’s a shame, but there has always been a market for snake oil, and that’s not about to change. So I just change the channel. I’m pretty sure that at some point I blacklisted all those Hackin9 and associated addresses in our email security service, so I don’t see them anymore. They aren’t going to stop because some suckers write for them, and lots of folks evidently read it. Getting pissed about it won’t change anything. – MR