Incite 9/25/2013: Road Trip
By Mike Rothman
Every so often my mind wanders and I flash back to scenes from classic movies. When I remember Animal House, I can’t help but spend perhaps 15 minutes thinking about all the great scenes in that movie. I don’t even know where to begin, but one scene that still cracks me up after all these years is:
Boon: Jesus. What’s going on?
Hoover: They confiscated everything, even the stuff we didn’t steal.
Bluto: They took the bar! The whole f****** bar!
[Otter grabs a bottle of whiskey and throws it to Bluto, who chugs it all.]
Bluto: Thanks. I needed that.
Hoover: Christ. This is ridiculous. What are we going to do?
Otter & Boon: Road trip.
ROAD TRIP! Just the mere mention of those words makes me smile. Like most folks, I have great memories of the road trips I took in high school, college, as a recent graduate, and even now when my ATL buddies and I make a pilgrimage to go see a SEC football game every year. There isn’t much better than hopping in the car with a few buddies and heading to a different location, equipped with a credit card to buy decent drinks.
Though this past weekend I had a different kind of road trip. I took The Boy to go see the NY Giants play in Charlotte. After a crazy Saturday, we drove the 3.5 hours and even had dinner at Taco Bell on the way. He loves the Doritos shell tacos and since it was Boys weekend, we could suspend the rules of good eating for a day. We stayed at a nice Westin in downtown Charlotte and could see the stadium from our room. He was blown away by the hotel and the view of the stadium at night. It was great to see the experience through his eyes – to me a hotel is a hotel is a hotel.
We slept in Sunday morning, and when I asked him to shower before breakfast, he sent a zinger my way. “But Dad, I thought on Boys weekend we don’t have to shower.” Normally I would agree to suspend hygiene, but I had to sit next to him all day, so into the shower he went. We hit the breakfast buffet and saw a bunch of like-minded transplanted New Yorkers in full gear to see the Giants play. He got a new Giants hat on the walk to the stadium and we got there nice and early to see the team warm-ups and enjoy club level.
Of course, the game totally sucked. The G-men got taken to the woodshed. Normally I’d be fit to be tied – that was a significant investment in the hotel and tickets. But then I looked over and saw the Boy was still smiling and seemed happy to be there. He didn’t get pissed until the 4th quarter, after another inept Giants offensive series. He threw down the game program, but within a second he was happy again. I kept asking if he wanted to stay, and he didn’t want to go. We were there until the bitter end.
After the long trip home, as he was getting ready for bed, we got to do a little post-mortem on the trip. He told me he had a great time. Even better, he suggested we take road trips more often – like every weekend. Even though I didn’t have one drink and the Giants totally sucked, it was the best road trip I’ve ever taken. By far.
Photo credit: “Smoke Hole Rd, WV” originally uploaded by David Clow
We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.
Firewall Management Essentials
Continuous Security Monitoring
- Migrating to CSM
- The Compliance Use Case
- The Change Control Use Case
- The Attack Use Case
- Defining CSM
- Why. Continuous. Security. Monitoring?
Newly Published Papers
- Threat Intelligence for Ecosystem Risk Management
- Dealing with Database Denial of Service
- Identity and Access Management for Cloud Services
- The 2014 Endpoint Security Buyer’s Guide
- The CISO’s Guide to Advanced Attackers
- Defending Cloud Data with Infrastructure Encryption
Incite 4 U
Security According to Security Moses: Evidently Security Moses has descended from Mt. Sinai with the tablets of CISO success: the 10 Golden Rules of the Outstanding CISO by Michael Boelen. Most of this stuff is obvious, but it’s a good reminder that your integrity is important and to focus on the fundamentals. I had a chat with a large enterprise yesterday about that very topic. Don’t forget to be the “master of communication” and not to panic. Although it is easy to panic when the house seems to be burning down. Don’t oversell what you can do, and remember that process beats technology. Again, not brain surgery here, but under duress it’s always good to go back and consult the stone tablets. – MR
Emphatic Maybe: A simple statement like “We don’t have backdoors in our products” would address the issue. The problem is that every vendor who has released a statement regarding the NSA compromising their platforms has issued a qualified answer. This time it’s RSA, with “We don’t enable backdoors in our crypto products.” Which means exactly what? You have someone else do it? The NSA dropped the code into your product, so you didn’t have to? Was the RNG subsystem weakened to achieve the same result? Those are all accusations being thrown about, and the released statement does not definitively address them. The recommendation to stop using BSAFE’s Dual Elliptic Curve Deterministic Random Bit Generator was a step in the right direction. Still, the ambiguity, which looks intentional, is fueling the fire of what has now become the biggest security story of the year. And it is reducing trust in data security vendors. In fact, it’s generating renewed interest in security at a personal level, with people looking for open source alternatives to vendor products. – AL
Collateral Damage: It is hard to understate the importance of cryptography in modern society. Everything from payment systems, to voting in some places, to securely posting selfies on Facebook relies on properly implemented encryption and digital signatures. It is a VERY BIG DEAL when we find fundamental flaws in encryption that are hard to immediately fix. Kudos to RSA for warning developers to avoid a compromised crypto function in the BSAFE product, knowing the negative press that would hit even though they didn’t do anything wrong. Actually, I have to admit that most of the press I have seen is positive. What’s interesting is that this flaw may or may not be an NSA back door, but rather than quietly fixing and hoping the problem would go away, they hit it directly and are running through all their products to figure out where they are using the faulty code themselves. These are tough issues, and I suspect the problem may only get a little worse as we discover flaws introduced into specific products, deliberately or not. As Dennis Fisher said at Threatpost, the real problem is that we don’t know what we can trust and what we can’t, so we must distrust it all. – RM
Oh boy. Time for another reset? Security folks hit the reset button pretty frequently. Maybe it’s a new blinky object that promises to solve the problems of the security world. Maybe it’s a new CISO. Maybe it’s the spin required during incident cleanup. Either way, we always seem to be trying to do things differently. So now Paul Proctor at Gartner calls for yet another reset, because mobility and the cloud are screwing things up. This gives you an opportunity to shift the dialogue to risk and business value rather than technology. Ho hum. If you need to reset over and over again you are doing it wrong. Build the program right the first time and adapt as things change. Focus on business value and talk in business terms, because senior management doesn’t give a rat’s ass about your blinky security lights. Or try again when they press the reset button on your job function. – MR
Black Hat: Defenders: We have been having some random internal discussions here at Securosis, one of which Gunnar wrote about recently while promoting one of his classes. The premise is that there aren’t any good practitioner conferences that focus on the nuts and bolts of securing things better. We are talking about a real “roll up your sleeves” event focused on showing folks how to do things. Sure, we get a smattering of that at many other conferences, but rarely do we see real implementation details and case studies that aren’t crippled by legal departments. I’m talking about demonstrations, sample code, documented configurations, etc. You know, things you can really use back in the office. Gunnar suggests training, and that’s clearly something I support but I also think there’s a role for a targeted hands-on technical practitioner event, or perhaps a closed-room track at RSA. Let us know what you think, and we’ll pass it on to event organizers. Or let us know if we’re missing something. – RM
Security perfection isn’t the goal: I think Tony Bradley has it right when he says “Hack of iPhone 5s fingerprint authentication is irrelevant. The fact that a security control is not invulnerable is not an indictment against using it at all. Anti-malware protection isn’t absolute, but most businesses and individuals still use it.” Indeed. The fact that CCC performed a hack does not support their claim that finger scans are never appropriate – that’s nonsense. In 2FA and for users who don’t currently use a PIN code, finger scanners are a clear security advance – which users won’t try to bypass. – AL