It feels like Bizarro World to me. I woke up this morning freezing my backside off. We turned off the heat a few weeks ago and it was something like 65 this morning. Outside it was in the 40s, at the end of April. WTF? And the Northeast has snow. WTF? I had to bust out my sweatshirts, which I had hoped to shelve for the season. Again, WTF?

But even a draft of cold weather can’t undermine my optimism this week. Why? Because it’s NFL Draft time. That’s right, I made it through the dark time between the start of free agency and the Draft. You know it’s a slow time – I have been watching baseball and even turned on a hockey game. But the drought is over. Now it’s time to see who goes where. And to keep a scorecard of how wrong all the pundits are in their mock drafts.

Here’s another thing I learned. There are pundits in every business, and the Internet seems to have enabled a whole mess of people to make their livings as pundits. If you follow the NFL you are probably familiar with Mel Kiper, Jr. (and his awesome hair) and Todd McShay, who man the draft desk at ESPN. They almost always disagree, which is entertaining. And Mike Mayock of NFL Network provides great analysis. They get most of the visibility this week, but through the magic of the Twitter I have learned that lots of other folks write for web sites, some big and most small, and seem to follow the NFL as their main occupation.

Wait, what? I try not to let my envy gene, but come on, man! I say I have a dream job and that I work with smart people doing what I really like. But let’s be honest here – what rabid football fan wouldn’t rather be talking football all day, every day? And make a living doing it.

But here’s the issue. I don’t really know anything about football. I didn’t play organized football growing up, as my Mom didn’t think fat Jewish kids were cut out for football. And rolling over neighborhood kids probably doesn’t make me qualified to comment on explosiveness, change of direction, or fluid hips. I know very little about Xs and Os. Actually, I just learned that an offensive lineman with short arms can’t play left tackle, as speed rushers would get around him almost every time. Who knew?

But I keep wondering if my lack of formal training should deter me. I mean, if we make an analogy to the security business, we have a ton of folks who have never done anything starting up blogs and tweeting. Even better, some of them are hired by the big analyst firms and paraded in front of clients who have to make real decisions and spend real money based on feedback from some punk. To be fair there was a time in my career when I was that punk, so I should know. 20 years later I can only laugh and hope I didn’t cost my clients too much money.

Maybe I should pull a Robin Sage on the NFL information machine. That would be kind of cool, eh? Worst case it works and I’ll have a great Black Hat presentation.


Photo credits: “Windy” originally uploaded by Seth Mazow

Heavy Research

We’re back at work on a variety of our blog series, so here is a list of the research currently underway. Remember our Heavy RSS Feed, where you can access all our content in its unabridged glory.

Vulnerability Management Evolution

Watching the Watchers (Privileged User Management)

Understanding and Selecting DSP

Malware Analysis Quant

Incite 4 U

  1. Don’t go out without your raincoat: I tip my hat to the folks at Sophos. To figure out a way to compare the infection rate of Chlamydia to the prevalence of Mac malware is totally evil genius. That stat really resonates with me, and wasn’t a good thing for some of my buddies at school. So do 20% of Macs really have malware? Not exactly – they include the presence of Windows malware, which obviously doesn’t do much harm on Macs. Only 1 in 36 had actual Mac malware, and I’m sure a bunch of those were Flashback users who downloaded AV only after being infected. Though I guess the malware could spread to PCs via VMs and other unsafe computing practices. Of course the Sophos guys never miss an opportunity make an impassioned plea for Mac AV, especially since it’s free. Reminds me of something my Dad said when I came of age. He told me never to go out without my raincoat on. He was right – just ask my fraternity brothers. I wonder if “The Trojan Man for Mac” would work as the new Sophos tagline? – MR
  2. Killer apps: Will (Mobile) Apps Kill Websites is Jeff Atwood’s question, one I have been mulling over the last few months. All Jeff’s points are spot-on: Well-designed apps provide a kick-ass user experience that few web sites can rival. Fast, simple, and tailored for the environment, they are often just better. And considering that mobile devices will outnumber desktops 10:1 in the future, replacement is not hard to imagine. But Jeff’s list of disadvantages should contain a few security issues as well. Namely none of the protections I use with my desktop browser (NoScript, Ghostery, Flashblock, Adblock, etc.) are available on mobile platforms. Nor do we have fine-grained control over what apps can do, and we cannot currently run outbound firewalls to make sure websites aren’t secretly transmitting our data. Mobile platforms generally offer really good built-in security, but in practice it is gradually becoming harder to protect – and sandbox – apps, similar to challenges we have already face with desktop browsers. It looks like we get to play security catch-up one more time. – AL
  3. Visibility through the clouds: Our contributor Mort is a promiscuous blogger. He writes on Emerging Chaos, right here at Securosis, and most recently for his $DAYJOB at enStratus. His post on cloud logging is awesome, and hits on the very topic of my upcoming Secure360 talk. So if you’re going to the show be sure to check it out. The point about not having visibility into who does what through a cloud console echoes what I wrote in Watching the Watchers on privileged user management in the cloud, and the need for some kind of proxy to link admins to admin functions. And his point about needing to think about how to aggregate logs from public cloud instances also resonates. – MR
  4. HITRUST, low participation: I think it’s great that HITRUST established a Cybersecurity Incident Response and Coordination Center to help the health care industry educate themselves on data security threats and what to do about them. It’s incredibly proactive and helpful. The problem is t hat they are throwing a party no one comes to. They may as well play Dungeon and Dragons on the site. Like Sarbanes-Oxley for financial institutions, firms will not react to HIPPA and HITECH until there is actual risk of real economic loss from noncompliance. Not risk of a breach, which they have already reconciled or ignored, but material risk of fines. Heck, some legal teams don’t even want their people attending these events as documented awareness could be used to show they failed to act with diligence. Plausible deniability in the house! Bravo to HITECH for the effort, but just like with speeding… no one will slow down until the cops start writing tickets. – AL
  5. Just because it’s FUD, doesn’t mean it’s wrong: Jumping on our pal Wendy’s idea for giving out awards for excessive use of FUD, I’ll nominate my pals at TripWire for busting out a 10 month old Ponemon report to try to scare everyone into doing the fundamentals, like hardening systems. Yet wrapped within those layers of FUD is a great point, and that’s the importance of fundamentals in protecting systems. To be clear, I wrote that very same message in a paper on Endpoint Fundamentals back in 2010, and you still see a bunch of breaches reported as being caused by fundamental fail. So before you start worrying about being attacked by the Loch Ness monster (or the APT) make sure you’ve picked the low hanging fruit, or else the attackers will pick it for you. See, I can play the FUD game too. 😉 – MR