As I sit down to write the last Incite of the year I cannot help but be retrospective. How will I remember 2013? It has been a year of ups and downs. Pretty much like every year. I set out to prove some hypotheses I had at the beginning of the year, and I did. I let some opportunities pass by and I didn’t execute on others. Pretty much like every year. I had low lows and very high highs. Pretty much like every year.

I have gotten introspective over the second half of this year. And that’s been reflected in my weekly missives. It’s been a period of learning and evaluation for me. Of coming to grips with who I really am, what I like to do, and what I want to be in the next stage of my life. Of course there are no real answers to such existential questions, but it’s about learning to live in a way that is modest, sustainable, and kind.

As I look back, the most important thing I have learned this year is to flow. I spent so many years fighting against myself, pushing to be in a place I wasn’t ready for, and to meet unrealistic expectations for achievement. It has been a process but I have let go of those expectations and made a concerted effort to Live Right Now. And that’s a great thing.

The mental lever that flipped was actually a pretty simple analogy. It’s about being in the river. Sometimes the current is slow and you just float along. You are still moving, but at an easy pace. Those are the times to look around, enjoy the scenery, and catch your breath. Because inevitably somewhere further down river you’ll hit rapids. Things accelerate and you have no choice but to keep focused on what’s right in front of you. You have to hold on, avoid the rocks, and navigate safely through.

Then you look up and things calm down. You have an opportunity at that point to maybe wash up on the shore and take a rest. Or go in a different direction. But trying to slow things down in the rapids doesn’t work very well. And trying to speed things up in a slow current doesn’t work any better. Appreciate the pace and flow with it.

Simple, right? It’s like being in quicksand. You can’t fight against it or you’ll sink. It’s totally unnatural, but you have to just relax and trust that your natural buoyancy will keep you afloat in the denser sand. Resist and struggle and you’ll sink. Accept the situation, don’t react abruptly or unthinkingly, and you have a chance. Yup, a lot like life.

So in 2013 I have learned about the importance of flowing with my life. Appreciate the slow times and prepare for the rapids. Like everything else, easy to say but challenging to do consistently. But life seems to give us plenty of opportunities to practice. At least mine does.

Onward to 2014. From the Securosis clan to yours, have a happy holiday, and the Incite will return on January 8.

–Mike

Photo credit: “Flow” originally uploaded by Yogendra Joshi

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

What CISOs Need to Know about Cloud Computing

• Adapting Security for Cloud Computing
• How the Cloud is Different for Security
• Introduction

Defending Against Application Denial of Service

• Building Protections In
• Abusing Application Logic
• Attacking the Application Stack

Newly Published Papers

• Security Awareness Training Evolution
• Firewall Management Essentials
• Continuous Security Monitoring
• API Gateways
• Threat Intelligence for Ecosystem Risk Management
• Dealing with Database Denial of Service
• Identity and Access Management for Cloud Services
• The 2014 Endpoint Security Buyer’s Guide
• The CISO’s Guide to Advanced Attackers

Incite 4 U

1. The two sides of predictions: It’s entertaining when Martin McKeay gets all fired up about something. Here he rails against the year end prediction machine and advises folks to just say ‘no’ to their marketing teams when asked to provide these predictions. Like that’s an option. Tech pubs need fodder to post (to drive page views) and marketing folks need press hits to keep their VPs and CEOs happy. Accept it. But here’s the deal: security practitioners need to make predictions continuously. They predict whether their controls are sufficient given the attacks they expect. Whether the skills of their people will hold up under fire. Whether that new application will end up providing easy access for adversaries into the inner sanctum of the data center. It’s true that press friendly predictions have little accountability, but the predictions of practitioners have real ramifications, pretty much every day. So I agree with Martin that those year-end predictions are useless. But prediction is a key aspect of every business function, including security… – MR
2. The Most Wonderful Time of the Year: This time of year it’s really easy for me to skim security news and articles. All I need to do is skip anything with the words ‘Prediction’ or ‘Top Tips’ in the title, and I can cull 95% of the holiday reading poop-hose. But for whatever reason I was slumming on Network World and saw Top Tips for Keeping Your Data Safe on The Cloud, an article directed at the mass market rather than not corporate users. Rather than mock, in my merry mood, I’ll go one better: I can summarize this advice into one simple actionable item. If you have sensitive data that you don’t want viewed when your cloud provider is hacked, encrypt it before you send it there. Simple. Effective. And now it’s time for me to make sure I have followed my own advice: Happy Holidays! – AL
3. Sync and you could be sunk: Cool research on the Tripwire blog by Craig Young on how syncing your browser information via Chrome Sync could provide a means for attackers to access your Google account, regardless of whether you have 2-step verification enabled. That’s awesome. I don’t use Chromium sync because Rich has made me paranoid about the evil not-evil folks. I don’t store passwords or credit cards within my browser either. That’s what I use my Password Vault for. So I don’t face much of risk from this attack, but it brings up an important point. You may decide to use Chrome Sync anyway because it makes your life easier and you are willing to increase your potential attack surface. That’s OK – it’s a decision like anything else. My concern is more for the folks who don’t have access to this kind of research and don’t appreciate the trade-offs of this kind of convenience. – MR
4. What’s the point? Back in 2007 there was a lot of talk about “point to point (P2P) encryption” as the solution to on-line credit card theft. In 2010 the PCI Council released supplemental guidance for P2P on Point of Sale (PoS) devices, and pushed the industry to get its act together and agree on a standard that wasn’t totally ambiguous and filled with loopholes. Troy Leach, CTO of the PCI Council, even said “Buyer Beware” because the available solutions were not point-to-point, but more like point-to-point-to-point and so on. There were simply too many places that the data was unencrypted and exposed. Rather than encrypt at the point of card swipe, if data was encrypted, it was done on a PoS device, often nothing more than a Windows PC, with lots of potential vulnerabilities. Fast forward six years and we still lack P2P encryption in most places, which is a direct reason hundreds of thousands of credit card numbers continue to be stolen from Point of Sale terminals. This is one of those cases where PCI’s goals and guidance have been spot on – merchants have generally been unwilling to adopt some very basic technologies to secure the PAN and track data within their ecosystems. Nowadays merchants can do all their order tracking, customer tracking, relationship management, and repayment without PAN data, and most card-swipe vendors offer P2P, so there is really no excuse to avoid basic security. Besides apathy and laziness, that is… – AL
5. 2014 buzzword alert: “security analytics”: As we wrap up the 2013 Incites, I offer a view of what we will see a lot of in 2014: noise around “security analytics”. As you can see from this article in Dark Reading, there is no definition of security analytics, and there seem to be many ways to do it. Is it SIEM-next? Is it about business context – whatever that means? I think it is much simpler than everyone is thinking about. It’s about having a platform to identify patterns that you don’t know about. SIEM is great at looking for the stuff you tell it to look for, but not for finding stuff you aren’t actively looking for. But the very difficult attacks don’t fit a common profile, so detecting them requires a different means of analyzing the data you aggregate. Of course there is a lot of nuance to those views, and I look forward to working with Adrian to flesh this out next year… – MR