As a guy who pretty much always looks forward, I still find it useful at the end of each calendar year to look backwards and evaluate where I am in life and what (if anything) I want to focus on in the coming year. 2015 has been a very interesting year, both personally and professionally. I’m at an age where transformation happens, and that has been a real focus for me. I’ve spent a long time evaluating every aspect of my life and making changes, some small and some very significant. Trying to navigate those changes gracefully requires focus and effort.

From a business perspective, it’s a pretty good time to be in the security industry. You have seen a slowdown in our blog activity over the past couple months because our business continues to evolve and we’ve been doing a lot more work out of the public eye. We’ve been called in to do a lot more strategic advisory, and we’re even starting to do security architecture work for some enterprise organizations, typically around cloud initiatives.

We’re also increasingly being called into diligence efforts for companies considering acquisitions, and investors considering putting large sums of money to work in this space. These are pretty intense gigs and that usually means more external projects lag a bit. We also aren’t sure how long the good times will continue to roll, so we usually jump on diligence projects.

Personally, suffice it to say things are substantially different for me, though I’m not going to go into detail at this point. Different is scary for most people, but I’ve always embraced change, so my challenge is more about having the patience to let the world around me adapt. My kids continue to amaze me with how they are growing into fantastic people, and this past year they’ve navigated new schools and additional workload with minimum drama and angst. You can’t entirely avoid drama and angst (not as a teenager anyway), but their Mom and I are proactive about making them aware of the drama.

Physically I’m still working my program, running two half marathons and continuing my yoga practice. I’m making many new friends who provide different perspectives on life, and I’ve been able to fulfill a need for social activity I didn’t even know I had. As I look back at 2015, I realize that the signs of significant disruption were there both personally and professionally. It has been a long road, and I finally feel that my world is opening up and I’m moving toward my potential, away from my self-imposed limitations.

I’m really excited for what’s next. All is see ahead is blue sky. As I wrap up the Incite next week, I’ll ruminate a little into what the path ahead looks like.

–Mike

Photo credit: “Emu (Dromaius novaehollandiae) looking backwards at Auckland Zoo” from Wikimedia Commons

The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour. Your emails, alerts, and Twitter timeline will be there when you get back.

Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and… hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.

• Dec 8 – 2015 Wrap Up and 2016 Non-Predictions
• Nov 16 – The Blame Game
• Nov 3 – Get Your Marshmallows
• Oct 19 – re:Invent Yourself (or else)
• Aug 12 – Karma
• July 13 – Living with the OPM Hack
• May 26 – We Don’t Know Sh–. You Don’t Know Sh–
• May 4 – RSAC wrap-up. Same as it ever was.
• March 31 – Using RSA
• March 16 – Cyber Cash Cow
• March 2 – Cyber vs. Terror (yeah, we went there)
• February 16 – Cyber!!!
• February 9 – It’s Not My Fault!
• January 26 – 2015 Trends
• January 15 – Toddler

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Building Security into DevOps

• The Role of Security in DevOps
• Tools and Testing in Detail
• Security Integration Points
• The Emergence of DevOps
• Introduction

Building a Threat Intelligence Program

• Using TI
• Gathering TI
• Introduction

Network Security Gateway Evolution

• Introduction

Recently Published Papers

• Pragmatic Security for Cloud and Hybrid Networks
• EMV Migration and the Changing Payments Landscape
• Applied Threat Intelligence
• Endpoint Defense: Essential Practices
• Cracking the Confusion: Encryption & Tokenization for Data Centers, Servers & Applications
• Security and Privacy on the Encrypted Network
• Monitoring the Hybrid Cloud
• Best Practices for AWS Security
• Securing Enterprise Applications
• Secure Agile Development
• The Future of Security

Incite 4 U

1. R marks the spot: NetworkWorld ran a great article examining how the Verizon Data Breach report folks use R to do the analysis and generate the charts in their widely read report. I personally haven’t played with statistical programs since I was in college, but there is an increasing need for math people (although we call them data scientists now) to perform the analysis to mine through all of that security data and figure out what’s going on. I tell many younger folks, who ask what they should focus on, to dust off their programming/scripting skills – security automation is coming. The other thing I now suggest is for the math-inclined to study a lot more statistics and get to know these kinds of tools. The future is here and it seems to require math (so says the writer). – MR
2. Pre-owned: If you’re wondering how the credit card you just got two weeks ago already got popped, here is on possible answer. Samy Kamkar demonstrated that AmEx-based new card numbers are predictably generated from the previous numbers allowing crackers to guess the number of the next card they issue you. If you’re an application developer, this is why you need to be careful with sequence generators – they tend to leak information attackers can (and do) exploit. This attack does not compromise the CVV, and other protections are embedded in credit card magstripes, but there are enough cracks in the credit card ecosystem for attackers to trick terminals with bogus card-present transactions. And if history repeats itself, it will only take one phony transaction to trigger an AmEx card re-issue, so you’ll get to re-enter your next number at the dozen or so websites you use. Again. – AL
3. Keep your enemies closer… Running a big business can be messy at times, and it seems it’s tough to scale ethics. I can’t say I’m surprised to hear that Walmart spies on the employees who advocate for change and agitate its workforce. I’m also not surprised they hired Lockheed to run their intelligence gathering program. I am a bit surprised they got FBI Joint Terrorism Task Force help, but I guess they made the case that they were worried about a terrorist strike against a store. And that’s how a lot of surveillance is justified. It’s about knowing before something bad happens. I don’t know that there is a clear answer, because most folks gladly will cede privacy for a perception of security. Of course, as we’ve seen all too frequently, any sense of personal security is a myth. And as we in the security industry know, computer security is a myth as well. I guess the only thing to accept is that Big Brothers are watching. And yes, that’s intentionally plural. – MR
4. Payments for nothin’, chips for free: Speaking of cracks in the payment system: University College London researchers are reporting an uptick of card present fraud, specifically with Chip and PIN cards. It seems hackers are using stolen cards with embedded EMV chips, without their PIN codes. So to perpetrate the fraud the attacker forces the terminal into a “referral mode” where the merchant transmits the code from the PIN pad. But the attacker has possession of the terminal to enter their secret PIN while the alternative authorization occurs. To add insult to injury, it seems no one ever tested this procedure – because transactions are accepted even with bogus authorization codes. Security! It’s amazing that so many financial processes seem to lack any kind of threat modeling prior to rollout, as we also saw with the banks’ failure to vet cards in the so-called “Apple Pay Hack”, and Starbucks mobile account takeovers with automatic replenishment. This is threat modeling 101. This attack should be short-lived – whether prevented with payment terminal patches or mitigated through merchant employee training. – AL
5. Attacks never go away either: We joke as security professionals that we can never get rid of a control – we just keep adding to the mix. Go into your telecom room and check out the link encryptors if you don’t believe me. It seems old attack kits never go away either. Peter Stephenson assembled information from a bunch of sources to show that NEK (Nuclear Exploit Kit) is back. This shouldn’t be a surprise – folks are inherently lazy. Unless you are doing something totally novel (like StuxNet), why wouldn’t you use stuff that already exists as a starting point. We do that in development now (just ask your developers to list the external and open source libraries they use in an app), we do it with monitoring (leveraging existing patterns), and we recycle pretty much everywhere. Why wouldn’t attackers do the same? Peter’s conclusions (use multiple AV products, LOL) are suspect, but if most attacks seem familiar it’s because they are. – MR