Incite 2/9/2012: Swimming with Sharks
By Mike Rothman
What ever happened to the sit-down family dinner? Maybe it’s just me, but growing up, the only time I really experienced it was watching TV. My Mom worked retail pharmacy, so normally I was pulling something out of the freezer to warm up for my kid brother and myself. And nowadays the only time we sit down for dinner is when we go out to a restaurant.
It’s not that we don’t want a sit-down dinner. But we are always carting the kids from one activity to the next, badgering someone to do their homework or get ahead on a project, or maybe letting them play with their friends every so often. We don’t normally stop before 9pm, and that’s on a good day. It is what it is, but I wonder what the impact will be in terms of knowledge transfer.
You hear all those high achievers talking about how their parents talked about current events or business or social issues around the dinner table, and that’s how many life lessons were taught. The Boss and I tend to have more one-on-one discussions with the kids about their challenges and interests. I’m all for allowing kids to focus on what they enjoy, but I want to expose them to some of the things I’m passionate about. That’s why we got tickets to the Falcons. By hook or by crook, these kids will be football fans.
And I was a little skeptical when the Boss started DVRing “Shark Tank” a few weeks ago. A bunch of rich folks (the ‘sharks’) evaluating business ideas and possibly even investing their own capital. The reality TV aspect made me believe it would be overdramatized and they’d be overly harsh just for ratings. But I gave it a chance because one of the sharks, a guy named Robert Herjavec, was a reseller for CipherTrust back in the day. So I got to tell the kids stories about that crazy Canadian.
Truth be told, I was wrong about the show. It was very entertaining, and more importantly it provides a teaching moment for all of us. As you can imagine, I have opinions about pretty much everything. It’s a lot of fun to discuss each of the business ideas, critique their ideas on valuation, pick apart their distribution strategy, and ultimately decide whether that business is a good idea. The best part is the kids got engaged watching. At least for 15-20 minutes, anyway.
They are starting to ask good questions. The Boss is now coming up with business ideas almost daily. XX2 seems to have an interest as well. This is a great opportunity to start talking to my family about my other passion: building businesses. Who knows what my kids will end up being or doing? But for them to see entrepreneurs, some with decent ideas, trying to expand their businesses with the passion that only entrepreneurs can muster is terrific. It gives me an opportunity to explain the concepts of raising capital, marketing, selling, distribution, manufacturing, etc. – and they have some concept of what I’m talking about.
Maybe they’ll even retain some of this information and pursue some kind of entrepreneurial path. Like their father, their father’s father, and their father’s father’s father before them. Nothing would make me happier.
Photo credits: “Amanda Steinstein swims with the sharks!” originally uploaded by feastoffun.com
We’re back at work on a variety of our blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can access all our content in its unabridged glory.
Vulnerability Management Evolution
Watching the Watchers (Privileged User Management)
Understanding and Selecting DSP
Incite 4 U
Don’t leave home without your security umbrella: As the plumber of Securosis, I get to cover the sexy businesses like AV and perimeter firewalls. Thankfully the NGFW movement has made these boxes a bit more interesting, but let’s be candid – folks want to talk about cloud and data protection, not the plumbing. But as Wendy points out, everyone likes to poke fun at these age-old controls, but it would be a bad idea to retire them – they still block the low-hanging fruit. I love her analogy of an umbrella in a hurricane. You don’t throw out the umbrella because you’ll need to stay dry in a hurricane from time to time. Believe it or not, there are still a lot of successful attackers out there who don’t have to drop zero-day attacks to achieve their missions. These “light drizzle” attackers can be stymied even by basic controls. Obviously you don’t stop with the low bar, but you can’t ignore it either. – MR
Build it in or test it out: Part 4 of Fergal Glynn’s A CISO’s guide to Application Security is live at Threatpost. In this post he discusses technology options for security testing; but the series has been a bit of a disappointment – taking a “test it out” approach to application security rather than “build it in”. With the prevalence of web-based apps today CISOs are more interested in build techniques such as Address Space Layout Randomization that make many forms of injection attacks much harder, instead of obfuscation techniques that make reverse engineering distributed code more difficult. Besides, the good hackers don’t really work from source, do they? I’d also suggest security regression tests be included to verify old security defects are not re-introduced – you want to prevent old risks from getting back into the code just as much as “Prevent(ing) the introduction of new risks”. I suspect that Glynn’s focus on measurable reduction of threats/risks/vulnerabilities underserves one of the most effective tactics for application security: threat modeling. We can’t quantify the bugs we don’t have thanks to successful prevention, but you should strive for improvement earlier in the development lifecycle. The series has tended to focus on tools for late dev/released code that generate reports and gather metrics at the expense of other techniques. The App Center of Excellence post does not even mention coding standards for secure code development to set some baseline do’s & don’ts for coding practices. – AL
Beware the Military-Industrial Whatever: I don’t have a problem with defense contractors. Heck, I do a lot of work for them from time to time, but you should never underestimate the politics of multimillion/billion dollar contracts. Take Lockheed, one of the first to claim they had been subject to APT attacks from China. They just won a $454M contract to help the DoD with cyber counterintelligence. If you think those two items are unrelated, I have a bridge to sell you – cheap! – RM
Decomposing Flashback: As I mentioned above, I’m a student of business, so it’s interesting to see how the recent Mac-targeted Flashback trojan worked. Symantec does a great job of digging into exactly how Flashback compromises devices, drops malware, communicates with its C&C channels, and ultimately inserts an affiliate code in any search traffic. Yup, Flashback is all about click fraud. Stealing data? Compromising financial accounts? Bah. Too much work for these guys – they can just take money from Google. This is the front end of the process, so I wonder how Google is working to stop fraudulent affiliate earnings… If they even care – it’s not like they are paying more than they would to a legitimate affiliate. It would also be interesting to learn how the bad guys are laundering the money. Maybe when Krebs gets tired of chasing down Russian Pharma mobsters, he can dig into click fraud a bit. Hint, hint. – MR
Protect the MAPP: I remember back when it was some sort of big secret that Microsoft shared security intelligence on vulnerabilities with certain vendors before Patch Tuesday. That program, called MAPP, has been public for a while, and is a great way for various vendors to add detection and prevention for those issues into their products, synchronized with the public announcement of the patches. This is unlike the Big O (yes n00bs, we are talking about Oracle), who refuses to share much of anything. The problem is that nothing is secret once 2 people know it, and recently it looks like proof-of-concept code released in a MAPP update was used to create a real-world exploit. Oops. Microsoft is making changes to the program to reduce this risk moving forward, and has ejected the culpable vendor. This is a case where the risk is still probably worth the reward… assuming vendors effectively use the info. But that is fodder for another post. – RM
Bigger bug bounties: By any definition we have to consider the Google Bug Bounty program a resounding success. 780 security bugs, across multiple products, at a cost of $460,000? Are you kidding me? Cheap at 10x the price when you consider yourself a target of foreign governments and pranksters. Consider for a minute the cost of programmers, and if we assume the average makes $75k per year; then add in benefits, equipment, software, and training – we are looking at $100k per engineer, minimum. So basically for the cost of 4.5 engineers for one year, Google was able to leverage the very best talents of some 200 security researchers. We’re not talking monkeys on typewriters here, and they’re not just looking for discrepancies compared to specifications! We’re talking about highly skilled people looking for the obscure and abstract. Even more interesting is the total number of eyes looking at Google’s security who did not find serious issues, which means Google has incented thousands to work without payment. We can’t even keep an intern motivated here at Securosis, so I consider Google damned smart to up their bounties to keep these researchers interested. – AL
How do you patch a cloud? As cloud computing becomes increasingly prevalent, many of the tried and true operational tactics used in traditional data centers must evolve. Like patching, which our pal Raf discusses a bit on his HP blog. I totally agree with his statement about the importance of consistency and automation to make this evolution to the cloud manageable. Clearly organizations can rely on traditional methods to patch cloud instances, but is that the most efficient option? The idea of rebuilding the operating systems with the OS already patched (his in-place swap) makes a lot of sense, as reimaging devices every so often helps make sure bad stuff hasn’t slipped under the radar. Will we get there overnight? Of course not, but do you wonder why VMware would buy a company like Shavlik? They need to support the old, while pushing customers to the new. My point (along with Raf’s, I think) is that the cloud allows you to start questioning all your operational processes and looking for opportunities to do things more efficiently and securely. And even if you end up deciding to keep on keeping on, you have at least made a considered decision. – MR
Bonus: What not to say in a job interview: Our Canadian outpost provides some comic relief for those of you spending far too much time screening crappy candidates. Dave asked folks what not to say in an interview. There are some doozies in there, like “why wouldn’t you just use Telnet for that?” and “I know this guy Greg Evans who can be contacted for a referral…” But the best of the bunch is “This is a 9-5 gig, right?” That last one had me ROFL. – MR