On Monday night I did a guest lecture for some students in Kennesaw State’s information security program. It is always a lot of fun to get in front of the “next generation” of practitioners (see what I did there?). I focused on innovation in endpoint protection and network security, discussing the research I have been doing into threat intelligence. The kids (a few looked as old as me) seemed to enjoy hearing about the latest and greatest in the security space.

t also gave me a forum to talk about what it’s really like in the security trenches, which many students don’t learn until they are knee-deep in the muck. I didn’t shy away from the lack of obvious and demonstrable success, or how difficult it is to get general business folks to understand what’s involved in protecting information. The professor had a term that makes a lot of sense: security folks are basically digital janitors, cleaning up the mess the general population makes.

When I started talking about the coming perimeter re-architecture (driven by NGFW, et al), I mentioned how much time they will be able to save by dealing with a single policy, rather than having to manage the firewall, IPS, web filter, and malware detection boxes separately. I told them that would leave plenty of time to play Tetris. Yup, that garnered an awkward silence. I started spinning and asked if any knew what Tetris was? Of course they did, but a kind student gently informed me that no one has played that game in approximately 10 years. Okay, how about Gears of War? Not so much – evidently that trilogy is over. I was going to mention Angry Birds, but evidently Angry Birds was so 12 months ago. I quit before I lost all credibility.

There it was, stark as day – I have no game. Well no video game anyway. Once I got over my initial embarrassment, I realized my lack of prowess is kind of intentional. I have a fairly addictive personality, so anything that can be borderline addictive (such as video games) is a problem for me. It’s hard to pay my bills if I’m playing Strategic Conquest for 40 hours straight, which I did back in the early 90’s. I have found through the years that if I just don’t start, I don’t have to worry about when (or if) I will stop.

I see the same tendencies in the Boy. He’s all into “Clash of Clans” right now. Part of me is happy to see him get his Braveheart on attacking other villages, Game of Thrones style. He seems pretty good at analyzing an adversary’s defenses and finding a way around them, leading his clan to victory. But it’s frustrating when I have to grab the Touch just to have a conversation with him. Although at least I know where he gets it from.

Some folks can practice moderation. You know, those annoying people who can take a little break for 15 minutes and play a few games, and then be disciplined enough to stop and get back on task. I’m not one of those people. When I start something, I start something. And that means the safest thing for me is often to not start. It’s all about learning my own idiosyncrasies and not putting myself in situations where I will get into trouble. So no video games for me!

–Mike

Photo credit: “when it’s no longer a game” originally uploaded by istolethetv

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

Firewall Management Essentials

Continuous Security Monitoring

API Gateways

Newly Published Papers

Incite 4 U

  1. Good guys always get DoS’ed: Django learned the hard way that if you give hackers an inch they’ll take a mile – and your site too. Last week they suffered a denial of service attack when users submitted multi-megabyte passwords – the “computational complexity” of generating strong hashes for a few requests was enough to DoS the site. Awesome. The mitigation to this kind of attack is input validation. Sure, as a security expert I still get pissed when sites limit me to 8 character passwords, but it’s unreasonable to accept the Encyclopedia Britannica as valid field input. I am sorry to be smiling as I write this – I feel bad for the Django folks – but it’s funny how no good security intentions go unpunished. Thanks for patching, guys! – AL
  2. DHS gets monitoring religion (to the tune of $6B): Not sure how I missed the award of a $6 billion DHS contract to implement continuous detection and mitigation technology. Evidently this is the new term for continuous monitoring, and it seems every beltway bandit, and scanning and SIEM vendor, is involved. So basically nothing will get done – I guess that’s the American way. But this move, which started with NIST’s push to continuous monitoring and continues with DHS’s rebranded CDM initiative, is going in the right direction. Will they ever get to “real time” monitoring? Does it matter? They can’t actually respond in real time, so I don’t think so. If any of these gold-plated toilet seats provides the ability to see a vulnerability with a few days (rather than showing up on a quarterly report, and being ignored), it’s an improvement. As they said in Contact, “baby steps…” – MR
  3. FUD filled vacuum: When working with clients I am often still surprised at how often even mature organizations underestimate the eventual misinterpretations of their public statements. From breach notifications, to vulnerability advisories, to product updates and marketing campaigns – time and again these folks are frustrated when their messages get twisted and manipulated, no matter how clearly they state them. Articles like this one on Apple’s Touch ID fingerprint sensor are a prime example. You will notice the article uses selective quotes to discount Apple’s direct statements on the technology, some of which can be confirmed through a little research. Clearly the writer had an agenda and slanted the piece to fit. Apple didn’t do themselves any favors by not releasing enough detail, but this would have happened to some degree regardless of what they said. RSA had a similar experience during their breach, and I know this situation all too well from being involved in the Kaminsky DNS bug disclosure. If you make statements without backing them up with details, the spin machine will fill the vacuum… and not in your favor. – RM
  4. Foundation lacking: Our man up North, Dave Lewis, weighs in yet again with a very insightful post on CSOOnline about Innovation and the Law of Unintended Consequences. Dave’s point, developed by seeing his employers screw it up time and time again, is that without a clear security governance framework, any efforts at innovation are bound to cause security issues. Mostly because security isn’t very good at the fundamentals, and asking them to go off-menu doesn’t end well – although sometimes the issue is that the policies don’t reflect the business needs. I have a slightly different opinion – I believe that the business needs to do what’s in its own best interest. And there is no way security can (or should) get in the way of that. That doesn’t mean our perspectives are at odds. You can have a strong security foundation and still be able to support innovation. But my point is that you aren’t going to stop progress, even if it creates a security risk. Trying just makes you an endangered species. – MR
  5. Writing about code: Garann Means wants the developer community to blog more, and gives some helpful tips in how to blog about code and give zero fscks. Developers are notoriously bad bloggers, especially during a death march to release, but for many other reasons as well. Gosling? Anyone? But Garann really does nail it – stop thinking about it and just write! Don’t be self-conscious, don’t try to impress anyone, just freakin’ write! We Are in a fascinating time for code development, and there is so much new that even common development tactics are totally new to many readers. Talking about it helps others learn, and perhaps even expand on your work. Blogging fosters discussion, starts debates, and provides a forum to work through disagreements. These kinds of discussions get us thinking critically. And best of all, they help coders put their projects into words, getting them away from the code for a bit, which helps clarify and refocus when they come back to coding. – AL
  6. Called it: I am about to toot my own horn (no, get your mind out of the gutter!). In 2008 I started talking about linking web browsers to gateways to secure applications. If I were really smart I would have built a product, especially in light of IBM’s acquisition of Trusteer, and now F5’s acquisition of Versafe. The original idea came to mind after spending too much time talking with Jeremiah Grossman and Robert Hansen, realizing browsers are nearly impossible to secure as an interface to applications without some fundamental changes, and WAFs are very hard to get right. These in-browser technologies cannot work with every web application out there, but they are worth a look for anything serious where you don’t control the endpoint. And hey, it’s always nice to see someone like F5 chasing after IBM. – RM
    1. Defining ‘awareness’ more effectively: At some point we will figure out these niggling issues around verbiage and definitions. Going back into the archives yet again this week, I found a post from Bill Brenner on Security Awareness Programs: Better than Nothing. He seems to get into an argument with Dave Marcus about what awareness is. It seems like a silly argument to me – how can you make employees aware of anything without showing them? If their issue is the idea that ‘awareness’ is just the stupid PowerPoint training done when an employee shows up for the first day, I agree. But from where I sit, social engineering your folks, trying to compromise physical defenses, and applying some gamification techniques are increasingly critical to preparing employees to defend themselves. And I will be starting up a blog series to delve into these topics over the next few weeks, so stay tuned. – MR
Share: