There are things you just can’t explain. No amount of dogma, perceived slights, or anything can excuse a senseless act of violence on unsuspecting, innocent people. Yes, I’m talking about the Boston Marathon attack, but it applies extends to any act of terrorism. I believe in karma, and the perpetrators will get their just rewards. Maybe out of the view of the public eye, but they will. Though I’m not really a fan, Schneier has it right in his post, “Keep Calm and Carry On”. We cannot live in fear. That’s what the terrorists want. We can’t legitimize their cause and we can’t impinge on our personal freedoms. Because then they win. Truth be told, we in the US are spoiled. There are many parts of the world where a bombing like yesterday wouldn’t even make the news. Where terror is an everyday occurrence. I feel very fortunate that isn’t my life and it’s not the life of my kids. We won the birthplace lottery and we must not forget that. But we do have to deliver some kind of message to the younger generation. Try to explain the unexplainable. In today’s iPhone (and iPod touch) driven society, the kids are tuned in whether we like it or not. XX1’s Instagram blew up with pictures and prayers, and she started asking questions right when she got home from school. XX2 and the Boy learned of it soon after because news travels like wildfire in my house. All we could do is explain that some people are misguided souls and they harm each other for no apparent reason. We are security folks. We understand how this works. That you can be aware of what’s around you and not put yourself unnecessarily at risk, but you cannot eliminate this kind of attack. Schneier mentions (correctly) your extreme unlikelihood of being personally impacted by this kind of attack. That’s little consolation to my friend who was at the finish line yesterday, who still has a ringing in his ears and concussive effects from the explosion. And it’s clearly no consolation to the families the people hurt in the attack, picking up the pieces of their lives today. But ultimately the balance is tipped heavily towards the good. Just think of the emergency responders running into the blast area. The folks carrying the wounded out of harm’s way. People opening their homes to displaced strangers. Good people doing good deeds when called upon. The best viewpoint I saw yesterday came from comedian Patton Oswalt on Facebook. He makes exactly the right point at exactly the right time: But the vast majority stands against that darkness and, like white blood cells attacking a virus, they dilute and weaken and eventually wash away the evil doers and, more importantly, the damage they wreak. This is beyond religion or creed or nation. We would not be here if humanity were inherently evil. We’d have eaten ourselves alive long ago. So when you spot violence, or bigotry, or intolerance or fear or just garden-variety misogyny, hatred or ignorance, just look it in the eye and think, “The good outnumber you, and we always will.” Well said, Mr. Oswalt. Well said. –Mike Photo credits: good and evil originally uploaded by Scotto Bear Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too. The CISO’s Guide to Advanced Attackers Sizing up the Adversary Understanding Identity Management for Cloud Services Buyers Guide Architecture and Design Integration Newly Published Papers Email-based Threat Intelligence: To Catch a Phish Network-based Threat Intelligence: Searching for the Smoking Gun Understanding and Selecting a Key Management Solution Building an Early Warning System Implementing and Managing Patch and Configuration Management Incite 4 U Can we sacrifice PCI yet? Dave Elfering makes a number of good points in Worshipping at the Alter of Best Practices. It is basically stuff you know, but we see folks fall into the same trap over and over again. Not you but other folks, of course. Looking for the prescriptive guidance rather than doing the work. “Unfortunately we in security and IT often succumb to the microwave dinner approach to solving business issues.” Should we call this the Hungry Man approach to security? But Dave is exactly right – mandates start in the right place, but ultimately “often cross over into zealotry complete with dueling and echelons of priestly orders.” How many of you will be at the Temple of Bob Russo on Sunday? Yeah, that’s a scary thought… – MR Cloud FUD-tastic: Things must be getting ugly in the competitive battle between cloud vendors if Verizon is pulling out the FUD card by claiming that you’re ‘endangering’ your business by selecting Amazon as a cloud service provider. Many data centers did get flooded by hurricane Sandy, so Verizon’s dodging of that bullet makes them look smart by comparison, but that is a long way from claiming Amazon AWS endangers your business. Any cloud provider basing their competitive claims on 100% uptime is likely to be embarrassed in the future – it is unreasonable to expect a cloud service to be 100% reliable. And if Amazon AWS is having more security issues that competitors, I am willing to bet tha it’s because they have a lot more customers, with a far larger number who don’t take security seriously. If other cloud infrastructure providers want to cast stones, look at issues of lock-in and why more customers don’t have failover contingencies to multiple regions. Those are more compelling concerns. – AL Awareness and security training – not mutually exclusive: This is wading into the discussion a couple weeks late, but two of the biggest windbags in security, Bob Schneier and Ira Winkler, got into it over security training. Stephen Cobb provided a good summary and better perspective on the issues. Suffice it to say we need more and better of both security awareness