Incite 5/8/2013: One step at a timeBy Mike Rothman
Do you ever look at your To Do list and feel like you want to just run away and hide? Me too. I talk a lot about consistent effort and not trying to hit home runs, but working for a bunch of singles and doubles. That works great for run rate activities like writing the Incite and my blog series. But I am struggling to move forward on a couple very important projects that are bigger than a breadbox and critical to the business. It is annoying the crap out of me, and I figure publicly airing my issues might help me push through them.
I have tried to chunk up these projects into small tasks. That’s how you defeat overwhelm, right? But here it just means I need to push a bunch of tasks back and back and back in my Todo app rather than just one. I think my problem is that I feel like I need a block of time sufficient to complete a smaller task. But I rarely have a solid block of a couple hours to focus and write so I get stuck and don’t even start.
But that’s nonsense. I don’t have to finish the entire task now – I just need to do a bit every day, and sure enough it will get done. Is that as efficient as clearing the calendar, shutting off Twitter and email, and getting into the zone? Nope. It will definitely take longer to finish but I can make progress without finishing the entire task. Really, I can.
As much as I try to teach my kids what they need to know, every so often I learn from them too. XX1 just finished her big year-end project. It was a multi-disciplinary project involving science, language arts, and social studies. She invented a robot (J-Dog 6.2) that would travel to Jupiter for research. We went to the art store and got supplies so she could mock up the look of the robot; she had to write an advertisement for the product, a user manual, and a journal in the robot’s voice to describe what was happening – among other things. She did a great job. I’m not sure where she got her artistic chops or creativity but the Boss and I didn’t help her much at all.
How does that relate to my issue getting big things done? She worked on the project a little every day. She cut the pieces of the model one day. Painted it the next. Outlined the journal on the third. And so on. It’s about making progress, one step at a time. She finished two days early so she didn’t have to do an all-nighter the day before – like her old man has been known to do.
So I need to take a lesson and get a little done. Every day. Chip away at it. I have an hour left in my working day, so I need to get to work…
Photo credits: XX1 Geobot project – May 2013
We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.
Defending Cloud Data/IaaS Encryption
Security Analytics with Big Data
The CISO’s Guide to Advanced Attackers
Newly Published Papers
- Email-based Threat Intelligence: To Catch a Phish
- Network-based Threat Intelligence: Searching for the Smoking Gun
- Understanding and Selecting a Key Management Solution
- Building an Early Warning System
- Implementing and Managing Patch and Configuration Management
Incite 4 U
I (for the record) am not the world’s greatest lover: I don’t know Troy Hunt but he probably isn’t either. But this awesome post basically supports his claim as the world’s greatest lover by stating “I could quite rightly say that nobody has ever demonstrated that this is not the case and there are no proven incidents that disprove it.” Then he goes on to lampoon the web site security seals from your favorite big security vendor. Not just that they can’t really justify their assurances that something is secure, but showing screenshots of these ‘protected’ sites busted by simple attacks. As funny (in a sad way) as this is, ultimately it won’t make much of a difference because the great unwashed think those seals actually mean something. – MR
Nuclear powered 0-day: This is a bit of a weird one. Internet Explorer 8, and only IE version 8, is being actively exploited in the wild with a 0-day attack. It is always interesting when a vulnerability only works on one version of IE and doesn’t affect earlier or later versions. Additionally the malware was propagated through a US Department of Labor website, and only to people researching illnesses associated with work on nuclear weapons. Clearly the attackers were targeting a certain demographic, but I haven’t seen any reports of actual exploitation, which is the part we should be most interested in (except the DoL website – they totally pwned that one). It seems like a bit of an outlier attack because I don’t expect too many of their targets to look on the DoL site for that information, but what do I know? As we have learned, these espionage attacks are basically a targeted spray and play: attacking every possible path to their desired targets, understanding that the law of averages is in their favor. – RM
Learn it. Know it. Live it.: Security professionals talk about how developers don’t understand security, but the Coverity team throws it right back at them with 10 Things Developers Wished Security People Knew. This is sound advice for security people working with software development. The underlying belief is that all these things require security to get to know the people, process, and code to effectively work with developers. These are good points – developers have a tough enough time getting stuff done without having outsiders muck up processes or change priorities. The theme is to work within the constraints of development and not bolt on a bunch of choke points – as security does all to often. But I don’t agree that security people should know how to fix defects – at a high level, sure, but not at code level. It’s is useful to tell developers you “need bi-directional trust” or “must scrub input variables” – you do not need to know where in the code the defect should be fixed, or all the architectural considerations of a security change, and it’s almost impossible unless you have been fully briefed on the system design. But security people take note: effectiveness requires effort on your part to help developers, not just dropping a metric crap-ton of URGENT CRASH STOP EVERYTHING ELSE work on them. – AL
We still suck at blocking and tackling: It’s nice to see some Big G analysts doing some blogging and not just hiding behind their paywall. Anton talks a bit about patching, which we in the security echo chamber tend to forget because it’s not advanced malware. But we have also been saying that much of our research into advanced attacks and defenses is useless if you get the basics wrong. Remember that advanced attackers are only advanced when they need to be. They would be just as happy to exploit a known vulnerability or get a gullible employee to click a link to get pwned by a drive-by. Just because you love playing in your malware sandbox doesn’t mean you don’t have to do the simple stuff anymore. Got it? – MR
Truth is stranger than satire: This is so meta that it redefines meta (and don’t hurt me for saying ‘meta’). The Syrian Electronic Army hacked The Onion’s twitter account. This group has been behind a lot of Twitter media hacking, in support of the existing Syrian regime. Then, for an hour, they sent out a surreal series of tweets in such perfect parody that, unlike the AP hack, there was a lot of confusion about whether the Onion was really hacked or up to their usual games. Tweets like, “UN retracts report of Syrian chemical weapon use: Lab tests confirm it is Jihadi body odor.” To top it off, in interviews, a SAE representative said things like, “We hope people take it in good humor and understand our people’s suffering,” he added. “The Onion can do a much better job reporting the truth through its satire. Unfortunately even they seem to be biased.” Wow. So follow our Twitter security advice, and remember that thousands are dying over there so it isn’t all that funny. – RM
Simple Storage Service – Secured: Close on the heels of Amazon’s on-demand CloudHSM, Amazon has added encryption to Simple Storage Service (S3) bundled with its Elastic MapReduce (EMR – aka ‘Big Data’) stack. This means S3 buckets that store HDFS files are encrypted automatically and transparently as data is written to disk. It is enabled through a simple configuration parameter in the API, and you are automatically billed for the add-on service. You’ve got to love the public cloud. Truly pay by the drink. Each S3 bucket has its own encryption key, but S3 manages those keys. This makes things simple, and does offer some data security benefits should the S3 images be siphoned off from the cloud, but it doesn’t address most firms’ compliance requirements for segregation of duties. Nor does it protect HDFS images in memory. Regardless, much like Salesforce’s acquisition and integration of Navajo, when vendors embed encryption services it is very difficult for third party encryption vendors to compete. Sometimes good-enough security really is good enough – especially when it’s cheap and you are charged for it on your existing bill. – AL
RIP Neil Roiter: I was saddened to hear of the passing of Neil Roiter. I have known Neil over 10 years, first meeting him when he worked for Infosecurity Magazine back in the days when magazines were actually printed. Bill Brenner does a great job describing Neil, and it is just another reminder that everything passes. Even us. So make the best of the time you have… – MR