Research

Organizations have traditionally viewed vulnerability scanners as tactical products, largely commoditized and only valuable around audit time. How useful is a 100-page vulnerability report to an operations person trying to figure out what to fix next? Although those 100-page reports make auditors smile, as they offer a nice listing of audit deficiencies to address in the findings of fact. But the tide is definitely turning. We see a clear shift from a largely compliance-driven orientation to a more security-centric view. We document this evolution to a vulnerability/threat management platform in our new Vulnerability Management Evolution paper. No organization, including the biggest of the big, has enough resources. So you need to make tough choices. Things won’t all be done when they need to be. Some things won’t get done at all. So how do you choose? Unfortunately most organizations don’t choose at all. They do whatever is next on the list, without much rhyme or reason determining where things land on it. It’s the path of least resistance for a tactically oriented environment. Oil the squeakiest wheel. Keep your job. It’s all very understandable, but not very effective. Optimally, resources are allocated and priorities set based on their value to the business. In a security context, that means the next thing done should reduce the most risk to your organization. We would like to thank all our sponsors for supporting our research, including nCircle, Qualys, Rapid7, and Tenable. As long as compliance is in play you will need to scan for vulnerabilities. At least make use of a more functional platform to do that and more. Download: Vulnerability Management Evolution This paper is based on the following posts: Introduction Scanning the Infrastructure Scanning the Application Layer Core Technologies Value-Add Technologies Enterprise Features and Integration Evolution or Revolution Share:

Wasn’t it just yesterday that we put XX1 on the bus for her first day of kindergarten? I guess if yesterday was August of 2006, that would be correct. Man, six years have gone by fast! On Friday she moves up to Middle School. As we watched the annual Field Day festivities with all the kids dressed up in their countries’ garb yesterday, the kindergartners seemed so small. And they are. Six years doesn’t seem so long, but against the growth of such a child it’s a lifetime. I have to say I’m proud of my oldest girl. She did very well in elementary school, and is ready to tackle 7 different teachers and a full boat of advanced classes next year. Of course there will be stumbles and challenges and other learning experiences. As my army buddies say, “she has an opportunity to excel.” Despite our desire to make time slow down, it’s not going to happen. She’s ready for the next set of experiences and to continue on her path. Whether we like it or not. Whether we are ready or not. We have heard story after story about how difficult middle school is, especially for girls. Between raging hormones, mean girls, and a much heavier course load, it requires a lot of adjustment. For all of us. It seems XX1 will have to learn organizational skills and focus a lot earlier than I had to. I kind of coasted until I got to college, and then took a direct shot upside the head from the clue bat, when I learned what it took to thrive in a much more competitive environment. She needs to learn that achievement is directly correlated to work and decide how hard she wants to work. She will have to learn to deal with difficult people as well. Too bad it’s not only in middle school that she’ll come across idiots. We all have to learn these lessons at some point. But that’s tomorrow’s problem. I don’t want to think about that stuff right now. Of course life marches on. That’s the way it’s supposed to be. As she goes through the ceremony on Friday I will be one proud father. I hope she’s as proud of herself as we are of her. I will celebrate the passing of one milestone without thinking about the next. I appreciate the person she has become, with a healthy respect for where we’ve been. From first holding her right after her birth, to putting her on that kindergarten bus, to packing her off for sleepaway camp, to now watching her leave elementary school, and everything in between. Steve Miller was right, Time keeps on slippin’ into the future… Every single day. –Mike Photo credits: “Me on graduation day” originally uploaded by judyboo Heavy Research We’re back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too. Understanding and Selecting Data Masking Introduction Vulnerability Management Evolution Enterprise Features and Integration Evolution or Revolution? Understanding and Selecting DSP Use Cases Incite 4 U Don’t fear the Boobs: About 15+ years ago I was working as a paramedic in New Jersey and volunteered with the local fire department. This was a temporary sojourn back east because I was making $6.25 an hour as a paramedic in Colorado, but could pull down $16 an hour in Jersey. Something about “hazard pay”. Anyway, this particular department had a culture that was both racist and sexist. They refused to authorize ‘females’ to full firefighter status due to concerns that a 120-pound women who ran marathons couldn’t haul their 300-pound asses out of a fire. (I figured it wouldn’t be a problem after enough of the fat melted off.) I won’t lie – I have engaged in locker room talk on more than one occasion, and I recognize that men and women really are different, but I simply don’t understand sexism in the workplace. Jack Daniels wrote a great rant (as usual) on the recent reemergence of sexism and its expression at conferences. There’s no place for this in IT, certainly no place for it in security, and I think it’s largely a lot of dudes with very little self-confidence who are afraid of women. Get over it, lose the ‘bro’ culture, and dump the booth babes. All it reflects is weakness. – RM Firewall dead? Meh. Every couple months somebody proclaims some established control dead. This week’s transgressor is Roger Grimes, who tells us why you don’t need a firewall. Come on, man! Evidently the only attack firewalls can block is buffer overflows, so they are destined for the trash bin. Give me a break. And most traffic comes through port 80 or 443 – but evidently this NGFW thing, with its application awareness, is news to Roger. He points out that firewalls are hard to manage, which is true. And that developers and other folks always push to open up this port or that, basically obviating the security model. That’s not wrong either. But we have been through this before. As Corman says, we never retire controls. Nor should we, as Wendy points out rather effectively. Jody Brazil of Firemon piles on with more reasons it’s a bad idea to kill your firewall. I suspect Grimes gets paid per page view, so maybe he’ll be able to buy a few extra beers this week. But that doesn’t make him right. – MR Tokens <> Tokenization: MasterCard announced their PayPass Wallet Services for mobile devices, an “App designed to complete with PayPal and Google” wallets, or at least that is how the press is describing it. I think this is a pure marketing move to make sure app developers don’t forget MasterCard has a horse in this race. Technically, MasterCard is not offering a wallet

One of the things I truly love about writing for Securosis and TidBITS is that I am rarely put in a position where I need to be first to write about something. As a writer, and occasionally a journalist, I consider time the ultimate luxury. Unfortunately, few journalists have this liberty, and even fewer appreciate it. Yesterday was a perfect and tragic expression of the state of modern media, where writers are forced to report – not only as quickly as possible, but often without any facts or sources. It all started with a computing.co.uk article quoting the CTO of Kaspersky claiming they were “working with Apple” to analyze OS X (at Apple’s request). To anyone with any knowledge of Apple this was obviously less likely than me giving birth to a flying monkey. There were three possible options here: Kaspersky lied. The reporter didn’t hear correctly. The reporter lied. Kaspersky was telling the truth, in violation of whatever NDA they signed with Apple. Here’s where it got interesting. After that initial article, all sorts of other outlets started reporting the news – from CNet and TUAW, to The Verge and Ars Technica. All quoting the same source – the computing.co.uk article. Within a few hours Kaspersky’s CTO walked back the claim and said he was quoted out of context. computing.co.uk claimed they asked the question multiple times for clarity and the claim was clear and explicit. Then all the other articles issued updates and corrections. This isn’t about Apple, and this isn’t about Kaspersky. It isn’t even a flagellation of the media – they are effectively forced to ‘report’ stories without sources or confirmation, due to their market conditions. But as readers (and for some of us, writers), it’s important to understand that environment – especially where security is concerned. Few media outlets rely on multiple sources and traditional journalistic standards anymore. Many issue ‘definitive’ articles based on tweets, blog posts, or something they heard while sitting quietly on the crapper (if they work for News Corp). The first reports are usually wrong. The second reports are usually copies of the first report. The third round of articles is where the truth might start creeping in. Every time I witness one of these throwdowns or walkbacks, I feel incredibly fortunate that my livelihood isn’t dependent on capturing page views. Share:

Data masking has been around a long time. I have been masking since the early ’90s to create test data from production copies of customer insurance records, as well as to alter database columns before sending database exports out for “data cleansing”. At the time masking was little more than UNIX shell scripts or home grown Perl scripts to alter particular columns in .csv files. A few years later I was giddy with excitement to have my first masking ‘program’, running on a paleolithic version of Windows, which actually had a ‘wizard’ for walking through the process. No, it did not help with extraction of information from a database, but it identified the columns to be altered, provided a list of masks to apply, and dumped an error file when it ran into trouble. That saved a lot of tweaking scripts and manually reviewing dump files. And all this was several years before I heard anyone mention ‘ETL’ (Extract, Transform, Load) because ODBC and JDBC drivers to connect to databases were just arriving on the scene, and nobody had automated bulk loads back into another database. That was still science fiction. Masking products don’t look like that any longer – now they are full-blown data security and management platforms. It feels a bit nostalgic to review data masking technologies, and somewhat surprising to find how far they have evolved into full production-quality enterprise platforms. I have been following data masking for almost two decades, and seen more evolution in the last couple years than over the first dozen. These advancements have come in two forms. First, evolution of the technology in recent years, building the capability to handle just about any type of database or data source, full automation, workflow integration, and a dozen or so data obfuscation techniques. Second, in response to substantial market demand from IT security and compliance departments, the way these tools are used has changed. Increased demands from new buying centers have forced changes in workflow, user interface, and how core capabilities are packaged. It only took a couple public breaches, where production data was easily exfiltrated from unsecured test databases, to drive masking into companies’ production data flows. Compliance requirements such as PCI-DSS cemented the need and are now a principal driver for adoption. The upshot is that most of these tools have seen significant advancement, and now include multiple robust user interfaces to support both technical and non-technical users, as well as pre-packaged solutions for different compliance mandates. Somewhere along the way, masking grew up! I started following this vertical again because we received a number of customer questions, specifically around compliance. We have been seeing steady growth in adoption of masking over the last four years – perhaps 20% YoY – as more customers use masking to reduce information risk. In some ways it’s a more elegant solution than encryption; and for several deployment models masking is cheaper and easier than surrounding sensitive data with layers of security controls such as user rights management, encryption, database security, and various firewall technologies. When you think about securing Big Data, data analytics systems, HIPPA compliance, and using public cloud computing resources, there is plenty of reason to believe masking’s rapid adoption will continue. I have written a lot about masking on the blog, but never a focused research paper; it seems to be time for a thorough explanation of what masking does and how it helps security. So I am excited to launch a new series: Understanding and Selecting Data Masking Solutions. I have designed this series to help would-be buyers understand what to look for in a product, and show existing customers how to leverage their investments to solve emerging problems. I’ll delve into the technology, deployment models, data flow, and management capabilities. I will discuss the four principal use cases and how the technology solves certain compliance and security issues, and close out with a brief buyers’ guide on what features to look for based upon your criteria. The outline follows: Core Features: We’ll define masking, introduce the basic technology, and discuss how it’s applied to data. We will also define the major masking options (shuffling, averaging, substitution, field nulling/redaction, and mathematical transposition) and de-identification methods. And we’ll explain the need for data type & format preservation, uniqueness, and semantic & referential integrity. How It Works: We will examine how masking works, focusing on how data flows through it and how information is secured. We’ll describe different options for sources, destinations, extraction methods, loading options, and where & how masking is performed. We will contrast masking against encryption and tokenization to frame advantages of particular techniques for specific use cases later. Technical Architecture: Deployment models (ETL, in-place, and the various options for dynamic masking), issues, and concerns with each. We will discuss support for files and databases, and how masking integrates with these platforms. We’ll include diagrams to compare and contrast the models. Advanced Features: We’ll cover current trends in data discovery, risk & criticality assessment, and mask validation. We will talk about centralized policy management, data set management, and secure data transfer. We’ll discuss integration with other systems such as trouble ticketing, encryption, tokenization, and DLP for automated workflow. Use Cases: We will outline both traditional and new use cases, bringing together the evolving requirements with ongoing changes to masking technologies, along with how these use cases prompt new deployment models. This section will focus on specific customers requirements that have come up in our research; we’ll also evaluate specific masking alternatives to meet security and compliance mandates. We will cover automated workflows and scripting, as well as use of pre-defined templates for defining masks. We’ll discuss compliance masks and pre-built regulatory options, as well as control reporting. Evaluate Your Needs: We’ll wrap up by mapping out evaluation criteria and a process to guide a customer buying decisions. We will distinguish between “must-have” and “nice-to-have” requirements, compliance, integration, setup, and management. As with all Securosis research projects, we are focused on

Rich and I – with help from Chris Pepper – compiled the Understanding and Selecting a Database Security Platform series into a research paper, and provided it to a number of people for initial review. We got a lot of valuable feedback and observations back. Commenters felt several topics were under-served, they believe others were over-emphasized, and more we failed to mention. We’re not too proud to admit when we’re wrong, or when we failed to capture the essence of customer buying decisions, so we are happy to revisit these topics. We believe their feedback improves the paper quite a bit. In keeping with our Totally Transparent Research process we want all discussions that affect the paper out in the open, so we are posting those comments here for review. If you have additional comments, or responses to anything here, we encourage you to chime in. This series took longer to produce than most of our other research papers, and some readers had trouble following along from beginning to end. For the sake of continuity I have listed all the blog posts: Understanding and Selecting a Database Security Platform: Introduction Defining DSP Core components and the evolution of DAM to DSP Event collection Technical architecture Core features Extended features Administration and management Use cases And for reference, the original Understanding and Selecting a Database Activity Monitoring Solution research paper and the first DAM 2.0 posts offer additional insight. Once we have discussed all the comments and pulled all relevant feedback into the paper, we will release the final version. Share:

Rich here. It amazes me how something completely mundane can be utterly fascinating the first time you experience it. This morning I woke up about 5:45 as I heard my younger daughter waking up herself. If history held, she had been up for a little while and was ready to get out of her crib. Now!!! Nothing new there, and I started the painful process of getting out of bed (I d hammered my bad shoulder a little too much during my swim workout yesterday, leading to a painful night). Here’s the cool bit. Our older daughter (who is only 3) came barging in to tell us her little sister wanted out of the crib. This is the same 3-year-old who was still calling for us to get her out of her toddler bed a mere week or so ago. Oh, she could easily extricate herself, but the habit of yelling for us to get her was deeply ingrained. She’d sit there yelling for one of us while clutching her stuffed animals and blanket, only to hand them over so she could climb out. So I got out of bed, went down the hall to the little one’s open door, and carried her downstairs. Then I noticed big sister’s stuff already there on her spot on the couch. “Have you been up for a while?” “Yes.” “What were you doing?” “I was giving the cat some treats.” This is, relatively speaking, nothing. We all get out of bed ourselves in the morning and start our days. But it was the first time one of our kids got out of bed, took her stuff downstairs, and played with the cat without waking anyone else up. And 20 years from now the odds are I won’t remember it. But damn – for this one moment I was more impressed and proud of this tiny little thing we all do, and all kids do, than any “big” accomplishments (whatever those are). The best part? She’d even put the cat treats away in the drawer. I think I like this parenting thing. Despite the lack of sleep, large amounts of vomit I’m occasionally covered with, and all the interesting places I’ve now gotten to clean shit out or off of. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Mike quoted on cloud security on ServicesAngle. Rich quoted on 10 years of Microsoft’s Trustworthy Computing Initiative. Adrian quoted in SecurityWeek on WAF & SDLC. Adrian quoted in Tech Republic on User Behavior Monitoring.. Favorite Securosis Posts Adrian Lane: FireStarter: Policy Wonks and Pests. Yes, my own post. But as Rich said, this is a huge beef we have and we see it all too often with cloud security. Rich: Okay, we were a little light on blogging this week. I promise to make up for it next week! Other Securosis Posts Incite 2/9/2012: Swimming with Sharks. Favorite Outside Posts Mike Rothman: How to make money online. This post actually isn’t about making money. It’s about being successful in today’s online environment. And Godin is a philosopher king, so ignore his guidance at your own risk. Adrian Lane: Citadel Trojan Outgrowing Its Zeus Origins. Interesting post on the RSA blog about the Citadel Trojan – see how attackers improve their code. Rich: Joss Whedon interview at GQ. I’m sorry, but I’m an intense geek and the fact that some studio tossed Joss $220M (far more than most security companies are worth) just tickles me pink. Research Reports and Presentations Watching the Watchers: Guarding the Keys to the Kingdom. Network-Based Malware Detection: Filling the Gaps of AV. Tokenization Guidance Analysis: Jan 2012. Applied Network Security Analysis: Moving from Data to Information. Tokenization Guidance. Security Management 2.0: Time to Replace Your SIEM? Fact-Based Network Security: Metrics and the Pursuit of Prioritization. Top News and Posts Random network security tip if you are on TV. Amusing. Getting started with OpenStack in your lab. Now where were you when I was building the CCSK class labs? Sigh. Apple hardens Safari and OS X with latest update. FBI warns travelers about hotel Internet connections. Gee, China anyone? Blog Comment of the Week This would have required us to, uh, blog… so no comment this week. Share:

What ever happened to the sit-down family dinner? Maybe it’s just me, but growing up, the only time I really experienced it was watching TV. My Mom worked retail pharmacy, so normally I was pulling something out of the freezer to warm up for my kid brother and myself. And nowadays the only time we sit down for dinner is when we go out to a restaurant. It’s not that we don’t want a sit-down dinner. But we are always carting the kids from one activity to the next, badgering someone to do their homework or get ahead on a project, or maybe letting them play with their friends every so often. We don’t normally stop before 9pm, and that’s on a good day. It is what it is, but I wonder what the impact will be in terms of knowledge transfer. You hear all those high achievers talking about how their parents talked about current events or business or social issues around the dinner table, and that’s how many life lessons were taught. The Boss and I tend to have more one-on-one discussions with the kids about their challenges and interests. I’m all for allowing kids to focus on what they enjoy, but I want to expose them to some of the things I’m passionate about. That’s why we got tickets to the Falcons. By hook or by crook, these kids will be football fans. And I was a little skeptical when the Boss started DVRing “Shark Tank” a few weeks ago. A bunch of rich folks (the ‘sharks’) evaluating business ideas and possibly even investing their own capital. The reality TV aspect made me believe it would be overdramatized and they’d be overly harsh just for ratings. But I gave it a chance because one of the sharks, a guy named Robert Herjavec, was a reseller for CipherTrust back in the day. So I got to tell the kids stories about that crazy Canadian. Truth be told, I was wrong about the show. It was very entertaining, and more importantly it provides a teaching moment for all of us. As you can imagine, I have opinions about pretty much everything. It’s a lot of fun to discuss each of the business ideas, critique their ideas on valuation, pick apart their distribution strategy, and ultimately decide whether that business is a good idea. The best part is the kids got engaged watching. At least for 15-20 minutes, anyway. They are starting to ask good questions. The Boss is now coming up with business ideas almost daily. XX2 seems to have an interest as well. This is a great opportunity to start talking to my family about my other passion: building businesses. Who knows what my kids will end up being or doing? But for them to see entrepreneurs, some with decent ideas, trying to expand their businesses with the passion that only entrepreneurs can muster is terrific. It gives me an opportunity to explain the concepts of raising capital, marketing, selling, distribution, manufacturing, etc. – and they have some concept of what I’m talking about. Maybe they’ll even retain some of this information and pursue some kind of entrepreneurial path. Like their father, their father’s father, and their father’s father’s father before them. Nothing would make me happier. –Mike Photo credits: “Amanda Steinstein swims with the sharks!” originally uploaded by feastoffun.com Heavy Research We’re back at work on a variety of our blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can access all our content in its unabridged glory. Vulnerability Management Evolution Enterprise Features and Integration Evolution or Revolution? Watching the Watchers (Privileged User Management) Clouds Rolling in Integration Understanding and Selecting DSP Use Cases Incite 4 U Don’t leave home without your security umbrella: As the plumber of Securosis, I get to cover the sexy businesses like AV and perimeter firewalls. Thankfully the NGFW movement has made these boxes a bit more interesting, but let’s be candid – folks want to talk about cloud and data protection, not the plumbing. But as Wendy points out, everyone likes to poke fun at these age-old controls, but it would be a bad idea to retire them – they still block the low-hanging fruit. I love her analogy of an umbrella in a hurricane. You don’t throw out the umbrella because you’ll need to stay dry in a hurricane from time to time. Believe it or not, there are still a lot of successful attackers out there who don’t have to drop zero-day attacks to achieve their missions. These “light drizzle” attackers can be stymied even by basic controls. Obviously you don’t stop with the low bar, but you can’t ignore it either. – MR Build it in or test it out: Part 4 of Fergyl Glynn’s A CISO’s guide to Application Security is live at Threatpost. In this post he discusses technology options for security testing; but the series has been a bit of a disappointment – taking a “test it out” approach to application security rather than “build it in”. With the prevalence of web-based apps today CISOs are more interested in build techniques such as Address Space Layout randomization that make many forms of injection attacks much harder, instead of obfuscation techniques that make reverse engineering distributed code more difficult. Besides, the good hackers don’t really work from source, do they? I’d also suggest security regression tests be included to verify old security defects are not re-introduced – you want to prevent old risks from getting back into the code just as much as “Prevent(ing) the introduction of new risks”. I suspect that Glynn’s focus on measurable reduction of threats/risks/vulnerabilities underserves one of the most effective tactics for application security: threat modeling. We can’t quantify the bugs we don’t have thanks to successful prevention, but you should strive for improvement earlier in the development lifecycle. The series has tended to focus on tools

I’ve spent more hours than I can count studying compliance and governance. Reading and re-reading PCI requirements, Sarbanes-Oxley law, theory, and applied theory. Spent mind-numbing hours combing through BASEL and BASEL II docs. I’ve spent many long weeks with external auditors, internal auditors, assessors, risk management personnel, corporate governance officers, and government officials – trying to understand their jobs, their roles, and how the world functions from their perspectives. I’ve spent months mapping those ideas and processes into policy implementations, process modifications, and the rules that actually enforce policies. I’ve written audit reports for these various compliance and policy management frameworks to demonstrate policy compliance and efficacy. When you sell security and risk management software these efforts are necessary, because compliance drives your company’s revenue. So I feel I understand policy and compliance pretty darn well, but I am bothered by the trend toward policy being the focus – at the expense of the task it was originally designed to govern. I got started on this thread during a review of an instructional “how-to” on the secure-software development lifecycle (SDLC). The more I read of this SDLC description, the more I realized that it was not SDLC at all. It was a risk and management process to gauge the effectiveness of the SDLC program. It contained next to nothing on SDLC itself! There were very few instructions on tools, processes, or things you need to know to actually develop under an SDLC – just management and policy oversight. Don’t get me wrong – risk management and development management policies are very important for SDLC. When we track and monitor we get a better idea of whether what we are doing is having a positive effect, weigh the relative merits of different types of security efforts, and over time learn whether we are getting better. But policy and management are not for the sake of policy and management – they only exist to ensure the core effort (in this case SDLC) is actually working. I find that a lot of this stems from people developing policy when they have never done whatever the policies are meant to govern. And sometimes that’s okay. It’s not a requirement that you have developed code, managed teams of developers, or been responsible for process development to comment on SDLC and SDLC governance. But without that experience in whatever practice you are trying to manage, efforts to improve it rarely work out well – the policy mindset does not mesh well with the development mindset. Agile programming even has a name for these people: chickens! From the parable of Chickens and Pigs, the Chickens have lots of input but are not part of the actual process. And developers make this distinction because chickens can be detrimental to the process of developing software. This particular brand of chicken I usually call “policy wonks”, and I am convinced they do at least as much harm as good. I’m pretty pragmatic. I prefer easy over hard, and when it comes down to it I just want to get my work done and move on. In fact all of us at Securosis are this way – Mike so much that he authored the Pragmatic CSO guide that remains in use and gets downloaded pretty much every week. Developers, if I can be so bold as to generalize on the culture as a whole, are usually anti-bureaucracy and anti-policy. It’s whatever works quickly and effectively. And I have this trait in a big way. But after years spent with policy development and compliance, gathering metrics and measuring outcomes, I know they actually are critical. But I keep running into people who only do policy, who only give us the (to steal a phrase from David Mortman) Utopian Policy Ideal, without any consideration whatsoever for actually getting $#)^! done! Policy is to help us avoid repeating mistakes and guide us on how to get work done the way we want to get it done. But it’s not all about policy. Policy is not the work to get done. Are policy and governance important? Hell, yeah! But if we keep spending 50% of our time on this 5% of the picture, we will suck at the other 95% of the stuff that needs to happen in order to get things done. You know – real work. Note from Rich: Adrian asked me to review this before posting so I thought I’d insert a line. This is my single biggest pet peeve in security today. Especially in cloud. Far too many people seem to want to be policy wonks and focus on GRC to the exclusion of actual security. Share:

My conversation started like this: “Do you know where the recorder is?” she asked. “The what?” I replied. “The tape recorder we bought you!” After a long pause, I replied: “You mean the Panasonic cassette tape recorder you bought me in 1974?” “Yes, that one! I want to record myself playing the piano.” My brain froze momentarily, as I processed the many implications of this statement. After another long pause I asked: “Mom, did you really call me up to ask me about a cassette recorder? From the 70’s? And for the record, no, I’ve not seen it in – uh – three decades. I think we threw it out when the batteries corroded the insides. That would have been in the early 80’s.” “Oh, darn!” “If you don’t mind my asking, why not use the computer? Or one of those dictaphones you’ve got scattered around the house. Or your phone should – wait, don’t you have a smartphone?” “No, your father and I do not have cell phones.” This conversation occurred last month. I literally put down the phone after that comment to think about what that meant. They didn’t go all Amish on me, did they? I consider myself a ‘late’ adopter because my first phone that was more than a basic phone was the iPhone 4. I still use email. I have really just started to appreciate Twitter, placed my entire music library on a computer, and started streaming television over WiFi. But I have owned cell phones for 15 years or so. This is a whole different universe of thought and perception. Other than their DVD player and the ‘recent’ upgrade to Windows XP, it seems my parents stopped advancing with technology a long time ago. My wife has a theory that you can tell someone’s ‘heyday’ when you walk into their home, by looking at the period decor. I have got lots of friends who are 10, 15, even 25 years older than me; and it seems to hold true. For my parents it’s velour, brass, and mauve – you do the math. Some people continue to modernize but most just stop at some point. I think that there is an economic component to the lack of change – it’s expensive to just replace things for the sake of modernization. But this is different. An old couch is a long way from not having a cellphone. I grew up hearing about the generation gap, and I mostly ignored the discussion about the digital divide as – in Berkeley at least – it came across as some socialist rant against what was perceived as a technological caste system. But I am starting to see the point, not in the “technological literacy” sense, but more about humans’ willingness to adapt or sample new things, or just try something different. But damn, this is still shocking. And I’m their offspring – could this happen to me too? Is it because you own a device that already does something similar, so you figure “Why buy a new one?” Do you need a robot vacuum cleaner when the Hoover upright still functions? Do you need voicemail when your answering machine still works? If the Mr. Coffee still cranks out brown water, why invest in a single-cup espresso maker with those fancy foil packs? Why replace the refrigerator that’s been working great for 30 years? If IE6 still browses the Internet, why change? Do you need LED lights when you have an incandescent desk lamp? Mom was more comfortable with a cassette tape recorder than any other recording device invented in the last 40 years. She was headed to the store to see if she could find a new one. I told her that her best bet was [snark]Office Max[/snark]. The good news is that I have figured out the perfect Christmas gift – I’ll send them the Patrick Nagel prints I have stored in the garage. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences Rich with Nir Zuk on Coming to Grips with Consumerization. Adrian at Dark Reading: Security Bugs And Proofs Of Concept. Written before the TNS poisoning disclosure. Rich mentioned in Entrepreneur.com. Adrian’s paper on User Activity Monitoring. Mike’s PCI: Dead Man(date) Walking? at Dark Reading. Favorite Securosis Posts Mike Rothman: Friday Summary: TSA Edition. Rich nails the issue with airport security in his intro to last week’s Summary. He’s right – more security theater will be coming to an airport near you. Adrian Lane: Stupid Human Tricks: Security Job Interviews. The LiquidMatrix guys are like family, so this is my favorite ‘inside’ post of the week. Guaranteed to make the most cynical security people laugh out loud! Rich: FireStarter: Policy Wonks and Pests. Have I mentioned how little respect I have for people who want to govern things they don’t understand? Other Securosis Posts Incite 5/2/2012: Refi Madness. Vulnerability Management Evolution: Evolution or Revolution? Favorite Outside Posts Mike Rothman: 8 Things To Expect Shopping At Microsoft’s Non-Apple Apple Store. Imitation is the sincerest form of flattery. And then there is copying. If you’ve never been to a Microsoft store, Conan has it nailed. Especially the Zune meet-ups. Should provide your LOL of the day. Adrian Lane: TNS Poison – straight from the researcher. Fascinating tale of FAIL. Rich: Don’t be an evangelist. Okay, I get mentioned in this one, but there really isn’t any place for religion in tech. You need to be able to adapt to the times. Project Quant Posts Malware Analysis Quant: Index of Posts. Malware Analysis Quant: Metrics–Monitor for Reinfection. Malware Analysis Quant: Metrics–Remediate. Malware Analysis Quant: Metrics–Find Infected Devices. Malware Analysis Quant: Metrics–Define Rules and Search Queries. Malware Analysis Quant: Metrics–The Malware Profile. Malware Analysis Quant: Metrics–Dynamic Analysis. Research Reports and Presentations Watching the Watchers: Guarding the Keys to the Kingdom. Network-Based Malware Detection: Filling the Gaps of AV. Tokenization Guidance Analysis: Jan 2012. Applied Network Security Analysis: Moving from Data to Information. Tokenization Guidance. Security Management 2.0: Time to

It all started with an innocent call from my mortgage broker. He started with, “What if I could shave 75 basis points off your note, with no cost to you?” As you might have noticed, I’m a skeptical type of fellow. I asked, “What’s the catch?” He laughed and said, “No catch, I can get you from 4.25% to 3.5% and I’ll pay the costs.” I responded again, “There must be a catch. What am I missing?” He maked some wise remark about Groundhog Day and then told me there really is no catch. I can save a couple hundred bucks a month I’m currently paying the bank. Done. But you see, there was a catch. There is always a catch. The catch this time was having to once again bear witness to the idiocy that is the mortgage process (in the US anyway). So I gather together all the financial information. My broker asks if he needs to send a courier over to pick up the stuff. Nope, an encrypted zip file he can download from Dropbox suffices. That was a lot easier, so maybe it won’t be a total clusterf*** this time. Yeah, I was being too optimistic. I knew things were off the rails last Tuesday when I got copied on an email to my home insurance broker needing a quick verification of the policy ahead of a Friday closing. Uh, what? What Friday closing? Is there a Friday closing? Shouldn’t they have shared that information with me, since I’m pretty sure I have to be there? So we schedule the closing for Friday. About midway through Thursday I get a call asking about a credit inquiry from the idiots who do our merchant account for Securosis. Why they inquired about my personal credit is beyond me, but I had to take some time to fill out their stupid form, explaining that the world consists mostly of idiots and those idiots’ checklists, run personal credit reports for business accounts. Did I mention how much I like checklists? Then I got a call Friday morning. Yes, the day we were supposed to close the note. They need to verify the Boss’s employment. But the Boss works for my company and I’m the managing member and sole officer of my company. They say that’s no good and they need to verify with someone who is not a party to the loan. I respond that there are no officers who aren’t a party to the loan. I figure they understand that and we’re done. Then Rich calls me wondering why he keeps getting calls from a bank trying to verify the Boss’s employment. Argh. I call the bank and explain that the Boss doesn’t work for Securosis and that she works for a separate company (that happens to own a minority share of Securosis). Idiots. At this point, I still haven’t received the settlement statement from the bank. Then I get a call from the closing attorney wondering if I could meet them at a Starbuck’s for the closing Friday night. Sure, but they’ll have to send a babysitter to my house to watch my kids. They didn’t think that was funny. So the lawyer agrees to come to my house to close the note. We go through all the paperwork. I verify that I’m neither committing mortgage fraud nor a terrorist. And yes, I really had to sign papers attesting to both. The lawyer (who does about 15-20 closings a week) can’t recall anyone actually admitting to committing mortgage fraud or being a terrorist, but we sign the documents anyway. And then we are done. Or so we thought. I figured it’s 2012 so I should just wire the money, rather than writing a check to cover the prepaid items like escrow, etc. So I dutifully wake up early Monday morning (in NYC) and log into my bank website to transfer the money. Of course, the web app craps out, I’m locked out of the wire transfer function, and the Boss needs to drop whatever she is doing and head over the bank to wire the money. Yes, that was a pleasant conversation. If getting kicked in the nuts 10 times is your idea of pleasant. But all’s well that ends well. We closed the note and we’ll save a crapload of money over the next 10 years. But man, the process is a mess. These folks give a new meaning to just in time. For those of you looking for someone to manage incidents or fill another role that require an unflappable perspective, maybe check out some of these loan processors. They’d laugh at having to only coordinate legal, forensics, law enforcement, and the ops folks. That would be a day in the park for those folks. Seriously. -Mike Photo credits: “rEEFER mADNESS” originally uploaded by rexdownham Heavy Research We’re back at work on a variety of our blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can access all our content in its unabridged glory. Vulnerability Management Evolution Enterprise Features and Integration Evolution or Revolution? Watching the Watchers (Privileged User Management) Clouds Rolling In Integration Understanding and Selecting DSP Use Cases Incite 4 U Human context: Great summary by LonerVamp on some of our very own Myrcurial’s thoughts at this year’s Schmoocon. There is a lot of stuff in there and I agree with most of it. But the idea that resonated most was “knowledge of analysts vs. knowledge of tools,” as I had that very conversation with 15 Fortune-class CISOs this week. And there was no contest. These folks have budget for tools, they have budget for people, and they are still losing the battle. They can’t find the right people. The right folks understand how the data applies to their environment. They have context, which tools just can’t provide. No matter what a vendor tells you. – MR State of fear: