I didn’t get the whole idea of high school football. When I was in high school, I went to a grand total of zero point zero (0.0) games. It would have interfered with the Strat-o-Matic and D&D parties I did with my friends on Friday listening to Rush. Yeah, I’m not kidding about that.

A few years ago one of the local high school football teams went to the state championship. I went to a few games with my buddy, who was a fan, even though his kids didn’t go to that school. I thought it was kind of weird, but it was a deep playoff run so I tagged along. It was fun going down to the GA Dome to see the state championship. But it was still weird without a kid in the school.

Then XX1 entered high school this year. And the twins started middle school and XX2 is a cheerleader for the 6th grade football team and the Boy socializes with a lot of the players. Evidently the LAX team and the football team can get along. Then they asked if I would take them to the opener at another local school one Friday night a few weeks ago. We didn’t have plans that night, so I was game. It was a crazy environment. I waited for 20 minutes to get a ticket and squeezed into the visitor’s bleachers.

The kids were gone with their friends within a minute of entering the stadium. Evidently parents of tweens and high schoolers are strictly to provide transportation. There will be no hanging out. Thankfully, due to the magic of smartphones, I knew where they were and could communicate when it was time to go.

The game was great. Our team pulled it out with a TD pass in the last minute. It would have been even better if we were there to see it. Turns out we had already left because I wanted to beat traffic. Bad move. The next week we went to the home opener and I didn’t make that mistake again. Our team pulled out the win in the last minute again and due to some savvy parking, I was able to exit the parking lot without much fuss.

It turns out it’s a social scene. I saw some buddies from my neighborhood and got to check in with them, since I don’t really hang out in the neighborhood much anymore. The kids socialized the entire game. And I finally got it. Sure it’s football (and that’s great), but it’s the community experience. Rooting for the high school team. It’s fun.

Do I want to spend every Friday night at a high school game? Uh no. But a couple of times a year it’s fun. And helps pass the time until NFL Sundays. But we’ll get to that in another Incite.

–Mike

Photo credit: “Punt” originally uploaded by Gerry Dincher

Thanks to everyone who contributed to my Team in Training run to support the battle against blood cancers. We’ve raised almost $6000 so far, which is incredible. I am overwhelmed with gratitude. You can read my story in a recent Incite, and then hopefully contribute (tax-deductible) whatever you can afford. Thank you.

The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the 2014 conference. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.

Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.

• Aug 12 – Karma
• July 13 – Living with the OPM Hack
• May 26 – We Don’t Know Sh–. You Don’t Know Sh–
• May 4 – RSAC wrap-up. Same as it ever was.
• March 31 – Using RSA
• March 16 – Cyber Cash Cow
• March 2 – Cyber vs. Terror (yeah, we went there)
• February 16 – Cyber!!!
• February 9 – It’s Not My Fault!
• January 26 – 2015 Trends
• January 15 – Toddler
• December 18 – Predicting the Past
• November 25 – Numbness
• October 27 – It’s All in the Cloud
• October 6 – Hulk Bash
• September 16 – Apple Pay

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

Pragmatic Security for Cloud and Hybrid Networks

• Cloud Networking 101
• Introduction

Building Security into DevOps

• Introduction

Building a Threat Intelligence Program

• Gathering TI
• Introduction

Network Security Gateway Evolution

• Introduction

Recently Published Papers

• EMV Migration and the Changing Payments Landscape
• Applied Threat Intelligence
• Endpoint Defense: Essential Practices
• Cracking the Confusion: Encryption & Tokenization for Data Centers, Servers & Applications
• Security and Privacy on the Encrypted Network
• Monitoring the Hybrid Cloud
• Best Practices for AWS Security
• Securing Enterprise Applications
• Secure Agile Development
• The Future of Security

Incite 4 U

1. Monty Python and the Security Grail: Reading Todd Bell’s CSO contribution “How to be a successful CISO without a ‘real’ cybersecurity budget” was enlightening. And by enlightening, I mean WTF? This quite made me shudder: “Over the years, I have learned a very important lesson about cybersecurity; most cybersecurity problems can be solved with architecture changes.” Really? Then he maps out said architecture changes, which involve segmenting every valuable server and using jump boxes for physical separation. And he suggests application layer encryption to protect data at rest. The theory behind the architecture works, but very few can actually implement. I guess this could be done for very specific projects, but across the entire enterprise? Good luck with that. It’s kind of like searching for the Holy Grail. It’s only a flesh wound, I’m sure. Though there is some stuff of value in here. I do agree that fighting the malware game doesn’t make sense and assuming devices are compromised is a good thing. But without a budget, the CISO is pissing into the wind. If the senior team isn’t willing to invest, the CISO can’t be successful. Period. – MR
2. Everyone knows where you are: A peer review of meta data? Reporter Will Ockenden released his personal ‘metadata’ into the wild and asked the general public for an analysis of his personal habits. This is a fun read! It shows the basics of what can be gleaned with just cell phone data. But it gets far more interesting when you do what every marketing firm and government does – enrichment by adding additional data sources, like web sites, credit card purchases. Then you build a profile of the user; marketing organizations look at what someone might be interested in buying, looking at trends from similar user profiles. Governments look for behavior that denotes risks, and creates a risk score based upon behavior – or outliers of your behavior – and also matches this against the profile of your contacts. It’s the same thing we’ve been doing with security products for the last decade (you know, that security analytics thing), but turned on the general populous. Just as the reviewers of Ockenden’s data found, some of their findings are shockingly accurate. Most people, like Ockenden, get a little creeped out knowing that there are people focusing something akin to invisible cameras on their lives. Once again, McNealy was right all those years ago. Privacy is dead, get over it. – AL
3. Own it. Learn. Move on.: I love this approach by Etsy of confessing mistakes to the entire company and allowing everyone to learn. Without the stigma of screwing up, employees can try things and innovate. Having a culture of blamelessness is really cool. In security, sharing has always been frowned upon. Practitioner thinks the adversaries will learn how to break into their environment. It turns out the attackers are already in. Threat intelligence is helping to provide a value-add for sharing the information and that’s a start. Increasingly detailed breach notifications given everyone a chance to learn. And that’s what we need as an industry. The ability to learn from each other and improve. Without having to learn everything the hard way. – MR
4. Targeted Compliance: Target says it’s ready for EMV having made their transition to EMV card enabled devices at the point of sale. What’s more, they’ve taken the more aggressive step in using chip and PIN, and opposed to chip and signature, as that offers better security for the issuing banks. Yes, the issuing banks benefit, not the consumer. But they are marketing this upgrade to consumers with videos to show them how to use EMV ‘chipped’ cards – which need to stay in the card reader for a few seconds, unlike mag stripe cards. I think Target should be congratulated on going straight to chip and PIN, although it’s probably not going yield much loss prevention as most of the chip cards are being issued without a PIN code. But the real question most customers and investors should be asking is “Is Target still passing PAN data from the terminal in the clear?” Yep, just because they’re EMV compliant does not mean that credit card data is being secured with Point to Point Encryption (P2PE). One step forward, one step back. Which leaves us in the same place we started. Sigh. – AL
5. Lawyers FTW. Cyber-insurance FML. You buy cyber-insurance to cover a breach, right? At least to pay you for the cost of the clean-up. And then your insurer rides a loophole to reject the claim, which basically protects them from having to pay in the case of social engineering. Yup, lawyers are involved and loopholes are found because that’s what insurance companies do. They try to avoid liability and ultimately force the client into legal actual (yes, that’s a pretty cynical view of insurers, but I’ll tell you my healthcare tale of woe sometime as long as you are paying for the drinks…). At some point in 3-4 years some kind of legal precedent regarding whether the insurer is liable will be established. Until then, you are basically rolling the dice. But you don’t have a lot of other options, now do you? – MR