Every so often the kids do something that makes me smile. Evidently the Boss and I are doing something right and they are learning from our examples. I am constantly amused by the huge personality XX2 has, especially when performing. She’s the drama queen, but in a good way… most of the time.

The Boy is all-in on football and pretty much all sports – which of course makes me ecstatic. He is constantly asking me questions about players I’ve never heard of (thanks Madden Mobile!); he even stays up on Thursday, Sunday, and Monday nights listening to the prime-time game using the iPod’s radio in his room. We had no idea until he told me about a play that happened well after he was supposed to be sleeping. But he ‘fessed up and told us what he was doing, and that kind of honesty was great to see.

And then there is XX1, who is in raging teenager mode. She knows everything and isn’t interested in learning from the experience of those around her. Very like I was as a teenager. Compared to some of her friends she is a dream – but she’s still a teenager. Aside from her independence kick she has developed a sense of humor that frequently cracks me up.

We all like music in the house. And as an old guy I just don’t understand the rubbish the kids listen to nowadays. Twice a year I have to spend a bunch of time buying music for each of them. So I figured we’d try Spotify and see if that would allow all of us to have individual playlists and keep costs at a manageable level.

I set up a shared account and we all started setting up our lists. It was working great. Until I was writing earlier this week, jamming to some new Foo Fighters (Sonic Highways FTW), and all of a sudden the playlist switched to something called Dominique by the Singing Nun. Then Spotify goes berserk and cycles through some hardcore rap and dance. I had no idea what was going on. Maybe my phone got possessed or something. Then it clicked – XX1 was returning the favor for all the times I have trolled her over the years.

Yup, XX1 hijacked my playlist and was playing things she knew aren’t anywhere near my taste. I sent her a text and she confessed to the prank. Instead of being upset I was very proud. Evidently you can’t live with a prankster and not have some of that rub off. Now I have to start planning my revenge.

But for the moment I will just enjoy the fact that my 14-year-old daughter still cares enough to troll me. I know soon enough getting any kind of attention will be a challenge.

–Mike

Photo credit: “Caution Troll Ahead” originally uploaded by sboneham

The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the conference this year. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.

Securosis Firestarter

Have you checked out our video podcast, The Firestarter? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail despite Adrian’s best efforts to keep us on track.

• November 25 – Numbness
• October 27 – It’s All in the Cloud
• October 6 – Hulk Bash
• September 16 – Apple Pay
• August 18 – You Can’t Handle the Gartner
• July 22 – Hacker Summer Camp
• July 14 – China and Career Advancement
• June 30 – G Who Shall Not Be Named
• June 17 – Apple and Privacy
• May 19 – Wanted Posters and SleepyCon
• May 12 – Another 3 for 5: McAfee/OSVDB, XP Not Dead, CEO head rolling

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Network Security Gateway Evolution

• Introduction

Monitoring the Hybrid Cloud: Evolving to the CloudSOC

• Migration Planning
• Technical Considerations
• Solution Architectures
• Emerging SOC Use Cases
• Introduction

Security and Privacy on the Encrypted Network

• The Future is Encrypted

Newly Published Papers

• Securing Enterprise Applications
• Secure Agile Development
• Trends in Data Centric Security
• Leveraging Threat Intelligence in Incident Response/Management
• The Security Pro’s Guide to Cloud File Storage and Collaboration
• The 2015 Endpoint and Mobile Security Buyer’s Guide
• Open Source Development and Application Security Analysis
• Advanced Endpoint and Server Protection
• The Future of Security

Incite 4 U

1. Flowing downhill: Breaches are ugly. Losing credit card numbers, in particular, can be costly. But after the PCI fines, the banks are always lurking in the background. When Target lost 40 million credit cards, and the banks needed to rotate card numbers and reissue, it isn’t like Target paid for that. And the card brands most certainly will never pay for that. No, they sit there, collect PCI fines (despite Target passing their assessment), and keep the cash. The banks were left holding the bag, and they are sure as hell going to try to get their costs covered. A group of banks just got court approval to move forward with a lawsuit to recover their damages from Target. They are seeking class action status. If the old TJX hack is any indication, they will get it and receive some level of compensation. Resolving all the costs of a breach like this plays out over years, and odds are we will no idea of the true costs for at least 5.
2. Cloud security “grows up”? It’s funny when the hype machine wants to push something faster than it is ready to go. Shimmy argued that Cloud security grows up, but I don’t buy it. His point is that because we have gone from ‘cloudwashing’ (Rich’s term), to point solutions, to a few suites, it’s mature – but that doesn’t actually mean the industry has grown up. It is less about available products and services than about the broader industry having an idea how to secure the cloud. Our cloud security courses show that folks are learning fast, but we still have a long way to go. I consider cloud security more like a toddler now. It will be a few years before it is a pimply teen thinking it has figured everything out. Gosh, enterprise security is barely out of high school, and it can barely read… – MR
3. Trolling along: A huge benefit of offering large bounties for security defects reported in your products is that third parties are incentivized to work with you when they discover issues. When they don’t use bug bounty programs they look like trolls. Google and Microsoft have led the way with bug bounties and shown the benefits of this practice. I have got no idea whether these flaws in Google App Engine are legit or not, but posting the defects to the full disclosure mailing list, given Google’s track record on security response, sure looks like trolling for publicity. And that’s no bueno. – AL
4. What you don’t know… I guess Eddie the Yeti has a job other than drawing and posting cool portraits of security folks on his Twitter feed. A while back he correctly argued that “I didn’t know” isn’t a legitimate excuse when a breach happens. So you run assessment and test yourself frequently. But what do you decide to fix? You can’t address every issue, even if you knew about them all. It comes back to our old tired mantra: risk management. What presents the biggest risk to your environment? Fix that. Duh. But just as important, manage expectations about the priorities you chose. The last thing you want is to make a decision folks are free to disagree with in hindsight, because you never told them you were making the decision. – MR
5. Practical watermarking: Krebs’ recent post on a breach canary discusses an underutilized idea that anyone who sells or shares data with third parties should consider – especially when working with data brokers. The idea is that when you examine breach data, ‘canary’ data can provide enough information to determine the source of records. This would not work as a column of irrelevant data which would be quickly stripped out, leaving only valuable financial or personal data behind. But canary data could work as elements of a larger data set – bogus records to let the original owner recognize their data. [Ed: But why would they want to know they were at fault? Much better to never know for sure you were the source, right??? –pepper] It is a bit like using marked bills when transporting large sums of money. Banks and insurance companies have done this over the last decade, even in production databases, to see if the data they shared with partners gets resold elsewhere. It works well when the recipient cannot differentiate faked ‘watermark’ records from the real ones, and so cannot remove those records to conceal the data set’s origin. – AL
6. It’s never enough: Plenty of folks have been talking about the security skills gap every organization struggles with when trying to fill open positions. Jon Oltsik did a survey and I am a bit surprised that only 30% of folks surveyed feel we have a problematic shortage of security skills in areas like endpoint and network. I guess those other folks aren’t hiring for those positions. But is the answer to just train more folks? That is only a partial solution. The issue with security is that you learn by screwing up. College kids may be able to do simple stuff, but they don’t have the business skills or context to really do security yet. And even more challenging is the job. The fact is that security isn’t for everyone, so we will get a bunch of folks entering the market because supply & demand will grow salaries. But they won’t stay long because many of those folks don’t understand the security mindset, and it will frustrate them to no end. The fact is that we will never have enough security folks to meet demand. So we need to train more folks, embrace better automation and orchestration of security operations, and figure out how to recognize people better for doing their jobs – which, for security folks, means you never see or hear them. – MR