Incite 2/5/2014: Super Dud
By Mike Rothman
I’m sure long-time Incite readers know I am a huge football fan. I have infected the rest of my family, and we have an annual Super Bowl party with 90+ people to celebrate the end of each football season. I have laughed (when Baltimore almost blew a 20-point lead last year), cried (when the NY Giants won in 2011), and always managed to have a good time. Even after I stopped eating chicken wings cold turkey (no pun intended), I still figure out a way to pollute my body with pizza, chips, and Guinness. Of course, lots of Guinness. It’s not like I need to drive home or anything.
This year I was very excited for the game. The sentimental favorite, Peyton Manning, was looking to solidify his legacy. The upstart Seahawks with the coach who builds his players up rather than tearing them down. The second-year QB who everyone said was too short. The refugee wide receiver from the Pats, with an opportunity to make up for the drop that gave the Giants the ring a few years ago. So many story lines. Such a seemingly evenly matched game. #1 offense vs. #1 defense. Let’s get it on!
I was really looking forward to hanging on the edge of my seat as the game came down to the final moments, like the fantastic games of the last few years. And then the first snap of the game flew over Peyton’s head. Safety for the Seahawks. 2-0 after 12 seconds. It went downhill from there. Way downhill.
The wives and kids usually take off at halftime because it’s a school night. But many of the hubbies stick around to watch the game, drink some brew, and mop up whatever desserts were left by the vultures of the next generation. But not this year. The place cleared out during halftime, and I’m pretty sure it wasn’t in protest at the Chili Peppers parading around with no shirts. The game was terrible.
Those sticking around for the second half seemed to figure Peyton would make a run. It took 12 seconds to dispel that myth, as Percy Harvin took the second half kick-off to the house. It was over. I mean really over. But it’s the last football game of the year, so I watched until the end. Maybe Richard Sherman would do something to make the game memorable. But that wasn’t to be, either. He was nothing but gracious in the interviews. WTF?
Overall it was a forgettable Super Bowl. The party was great. My stomach and liver hated me the next day, as is always the case. And we had to deal with Rich being cranky because his adopted Broncos got smoked. But it’s not all bad. Now comes the craziness leading up to the draft, free agency, and soon enough training camp. It makes me happy that although football is gone, it’s not for long.
Photo credit: “Mountain Dew flavoured Lip Balm and Milk Duds!!!” originally uploaded by Jamie Moore
We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.
The Future of Information Security
Leveraging Threat Intelligence in Security Monitoring
- The Threat Intelligence + Security Monitoring Process
- Revisiting Security Monitoring
- Benefiting from the Misfortune of Others
Reducing Attack Surface with Application Control
Advanced Endpoint and Server Protection
Newly Published Papers
- Eliminating Surprises with Security Assurance and Testing
- What CISOs Need to Know about Cloud Computing
- Defending Against Application Denial of Service
- Security Awareness Training Evolution
- Firewall Management Essentials
- Continuous Security Monitoring
- API Gateways
- Threat Intelligence for Ecosystem Risk Management
- Dealing with Database Denial of Service
- Identity and Access Management for Cloud Services
Incite 4 U
Scumbag Pen Testers: Check out the Chief Monkey’s dispatch detailing pen testing chicanery. These shysters cut and pasted from another report and used the findings as a means to try to extort additional consulting and services from the client. Oh, man. The Chief has some good tips about how to make sure you aren’t suckered by these kinds of scumbags either. I know a bunch of this stuff should be pretty obvious, but clearly an experienced and good CISO got taken by these folks. And make sure you pay the minimum amount up front, and then on results. – MR
Scumbags develop apps too: We seem to be on a scumbag theme today, so this is a great story from Barracuda’s SignNow business about how they found a black hat app developer trying to confuse the market and piggyback on SignNow’s brand and capabilities. Basically copy an app, release a crappy version of it, confuse buyers by ripping off the competitor’s positioning and copy, and then profit. SignNow sent them a cease and desist letter (gotta love those lawyers) and the bad guys did change the name of the app. But who knows how much money they made in the meantime. Sounds a lot like a tale as old as time… – MR
He was asking for it: As predicted and with total consistency, the PCI Security Standards Council has once again blamed the victim, defended the PCI standard, and assured the public that nothing is wrong here. In an article at bankinfosecurity.com, Bob Russo of the SSC says: “As the most recent industry forensic reports indicate, the majority of the breaches happening are a result of some kind of breakdown in security basics – poor implementation, poor maintenance of controls. And the PCI standards [already] cover these security controls”. Well, it’s all good, right? Except nobody is capable of meeting the standard consistently, and all these breaches are against PCI Certified organizations. But nothing wrong with the standard – it’s the victim’s fault. You notice no one from the PCI Council ever mentions Chip and PIN or other structural or technological changes to prevent widespread fraud? Why bother when you can just update a standard every year and decertify anyone stupid enough to be breached? Though the consistency should count for something. – RM
Security Immortal: No matter how many have tried, no matter how much damning evidence appears about its inefficacy, no matter what – AV will survive. I am convinced that even in the event of thermonuclear war, the AV industry will still generate over $4 billion every year. This recent survey from the 451 Group shows the impressive staying power of AV, with 80% of surveyed customers maintaining their level of investment in the technology. Though the comments at the bottom are interesting – especially the one acknowledging the commodity status of the technology. So basically AV is the toilet paper of security. And even in the event of a nuclear meltdown, folks will still need toilet paper. – MR
Security user experience: It has been a while since I harped on user experience, but we got another great example this week from the Google Chrome team. Apparently browser hijacking on Windows is so prevalent that Chrome is adding an automatic reset button every time your settings change. This is a good warning to users, but resetting the browser puts everything back to the default state. This is using a sledgehammer to kill an ant, but I have to admit I don’t see another option if they can’t actually stop the hijacking in the first place. This integrates security into the user experience and could really help users keep control over attackers. For what it’s worth, I like it any time vendors can insert something to make security easier (and more automated) for users, even when they make a mistake. – RM