Securosis

Research

Have a Small Business? Use Quickbooks Online? Better Upgrade… NOW!!!

Computerworld yesterday reported on a US-CERT advisory for the popular Quickbooks Online Edition. I know it’s popular because I use it. And I’m popular. Aren’t I? Really? Oh… Don’t tell my mom, okay? I just started using QuickBooks Online to run the business side of Securosis. I think it’s a great idea, but they REALLY need to re-think the architecture. IE only ActiveX controls are like totally 1990s. I have to run Parallels to enter expenses (since I’m on a Mac). Web 2.0 guys, it’s totally “in”. Either that, or update QB Pro on the Mac to have all the features of the Windows version, instead of a subset. Like they’re reading this blog. Oh well, that’s what I get for giving them money even though I’m not totally happy with the service. I only have myself to blame. Where’s that shaker of salt again? Share:

Share:
Read Post

About Securosis

Securosis, L.L.C. is a security consulting practice dedicated to thought leadership, objectivity, and transparency. Our consultants have all held executive level positions and are dedicated to providing the highest value strategic consulting available. We provide services in four main areas: Publishing and Speaking: including independent, objective whitepapers, webcasts, and in-person presentations. Strategic Consulting for Vendors: including market and product analysis and strategy, technology guidance, product evaluations, and merger and acquisition assessments. Strategic Consulting for End Users: including product selection assistance, technology and architecture strategy, education, and security management evaluations, and risk assessments. Investor Consulting: including product and market evaluations, available in conjunction with deep product assessments with our research partners. Our clients range from stealth startups to some of the most well known technology vendors and end users. Clients include large financial institutions, institutional investors, startups, mid-sized enterprises, and major security vendors. Securosis is partnered with security testing labs to provide unique product evaluations that combine in-depth technical analysis with high level product, architecture, and market analysis. Share:

Share:
Read Post

Securosis, The Company, Is Up And Running

Since most of you blog readers don’t care about how I feed myself I don’t intend on using the blog for boring corporate updates, but I’m going to indulge myself for a moment. Securosis, L.L.C. is up, running, and available for any of your security consulting needs. I’ll be keeping the About Securosis page updated with services and programs as I get them more formalized. For now, I’m filling in a good pipeline of project based work, with some webcasts. Although I’m no longer an analyst, I still feel that objectivity is the most important trait I bring to the table. Once my name loses value, this gig is over. To that end any content you see with my name on it was developed in isolation from the vendor community. Not that they’re evil, but I want to minimize any concerns of “selling out” as much as possible. I have some webcasts coming up, and although sponsored by vendors I develop the content on my own, and it’s their option to use it as is, or to walk away from the table. I may not get paid, but in the long run I think it’s the best approach to maintain my “brand”. I’m also lining up some longer-term consulting projects. One thing I’m looking forward to is helping out with some in-depth strategy development and the occasional product evaluation. A downside of being an analyst is you never get to work a project from start to finish, and I’ve missed that from my pre-analyst consulting days. I’m talking with some security research teams to combine my higher-level product/market analysis with their in-depth product testing, which could end up being pretty interesting. Finally, feel free to ping me on email or IM with your random security questions. I’m securosis on AIM, and rmogull on Skype. Have a great day, and thanks for all the early support. Share:

Share:
Read Post

Tying Security To The Business: Guerilla CISO Style

I had a little back and forth with rybolov in the comments on my military post, and he introduced me to something called the Business Reference Model right out of some government publications and NIST 800-60. Kicking ass, as only a Guerilla CISO can, he responded with two great blog posts showing how we can steal from this model and adapt it to the enterprise world. On the surface (haven’t had time to dig in yet) it looks like an interesting way to help align business priorities, data classification, and security priorities. While I’m not a fan of complex models, I’m a big fan of anything that can help bridge the language divide between the business and IT. Check out his posts here and here. Share:

Share:
Read Post

My Editor Also Blogs, And Has 1300 OS X Bugs

For those of you who don’t know, this is a blog with an editor. Chris Pepper is a long-time friend, UNIX wizard, web host, and tech writer himself. You can track his work at Extra Pepperoni, his somewhat-recently revamped blog. Chris is also one of the most in-depth Mac guys I know, and has submitted 1300 bug reports to Apple, many for Mac OS X 10.5 (the next version of the Mac operating system). They aren’t all “bugs” in the traditional sense, but when you peel off that shrink wrap from your colorful operating system upgrade, the odds are really darn high that the software you install will be better thanks to Chris. To boost his ego a little, when I was at DefCon I met up with a support guy at Apple who knew Chris from his bug reports and blog. Share:

Share:
Read Post

Christopher Hoff, Security Poet Laureate

Mr. Rothman was concerned that Mr. Hoff may, perhaps, have a little too much spare time on his hands. I’ve seen Senior Hoff at work, and he definitely isn’t winning any Slacker of the Year awards. I personally have a theory that he’s really just the earthly expression of a multidimensional being beyond our comprehension. Chris definitely outdid himself on this post. A short excerpt, (Read to the cadence of ‘Twas the Night Before Christmas) Remember when firewalls were firewalls, my friend? it suggested our security problems would end. They promised the perimeter breach to abate, but alas became products we just loved to hate. The attackers got smarter, and the exploits malicious, the perimeter’s holes made the threatscape pernicious. Sadly the breaches were never quite stopped, whilst we measured our value in per packets dropped! (read the rest here) Share:

Share:
Read Post

My Stalker is a Newby Again

If you read the security blogs, you may have seen that I have a stalker- Rob Newby over at IT Security, The View From Here. Rob’s a data security weenie like myself. Rob just left Spain to return home to the UK for a new job with Ingrian (database encryption). Congrats Rob, and glad to see you happy and healthy in your home nation again… Share:

Share:
Read Post

Security Isn’t Rocket Science

There’s been a lot of debate lately on quantitative vs. qualitative risk, frameworks, models, metrics, certifications, standards, and all sorts of other organizational junk we seem to burden ourselves with. Oh, I’m no better, having authored a risk management framework, data security hierarchy, and similar tools in my past. At times, I step back and realize we’re losing the big picture in this morass of acronyms and long documents with words like “Section 248, Subsection B, Paragraph A, Revision 42”. While I hate to knock my own industry off its pedestal, we sometimes forget that we are just the complex implementation of a very basic need. Thus it’s time to dumbify security and kick it old skool. Here’s my n-step guide for the perfect, basic, security program: Figure out what’s important, and why: We often get wrapped up in pet projects, personal biases, or other distractions. When you look at your business, what’s really important, and what can you live without? Yes, I’m over-simplifying, but that’s the point of this post. I’ve seen n-degree complex risk analyses that still fail to capture what’s important. You’ll use those models later, but at some point just take a step back and really look at what could hurt you in a big way. That’s the most important stuff, and it deserves more attention than everything else. Decide if anyone stands to gain by stealing it or breaking it: Just because it’s important to you doesn’t mean it’s important to anyone else. In this step, just ignore the noise of the constant background threats (what my friend Richard Stiennon calls background radiation) and focus on directed threats- where someone has something financial to gain. Know how it’s protected: What security is in place? Figure out where the holes are: There are always holes; where are they? How hard are they to find and use? Back in physical security days we’d walk around the facility before an event, figure out all the ways in… including obscure ones like climbing buildings (those Dead Heads are seriously dedicated), and how hard they’d be to take advantage of. Block the holes, until it’s too expensive to block the holes: At this point you know your priorities, you know the threats, and you know the weaknesses. Now it’s just a matter of layering security until risk is reduced to an acceptable level. That’s all we do. We figure out what’s important, what the risk is to it, and how to best reduce that risk. Every single one of you reading this knows that, but we still get so wrapped up in agendas, frameworks, internal politics, and compliance that we sometimes forget we’re just there to help the business take the greatest amount of risk it wants to take, in the safest way possible. I don’t care what complex risk/security framework you’re using… stick to the basics. Know what’s important, have a rough idea of how much it’s worth to you, and drop in enough layers until you think it’s protected well enough. All those complex models should be tools to help you achieve the basics, not the other way around. We protect stuff, pure and simple. Yes, you still need metrics and frameworks, but you can’t define security as just a bunch of metrics and checklists. I also highly recommend a good 12 step program… Share:

Share:
Read Post

Infinite Switching Costs: When Market Forces Fail

Just a day after I talked about how it takes sustained failures for consumers to leave a company and go to a competitor, we have an example where switching isn’t really an option. Over at Dark Reading we learn that Phizer has suffered it’s third employee privacy breach in a row. At least they’re doing the “right” thing by involving law enforcement and offering credit monitoring. I suspect, since these made the press, they’re also improving security. That said, you have to feel for the employees who don’t have much of a choice to go anywhere “more” secure. Actually, neither do you. The last time my info was breached was at the student healthcare center at the University of Colorado. My SSN was stolen out of old records. How about you? I suspect every one of you has personal data sitting around old healthcare providers, never mind financial institutions, retail stores, government databases, old utilities providers, and subscriptions to “those” services under fake names, still billed to your real credit card. You no longer have a relationship with these providers (or one you can’t sever), yet they still represent a real risk to your security. Market forces can’t fix this one. Share:

Share:
Read Post

Co-Hosting The Network Security Podcast

Back when I started this blog one of the only security blogs I knew about was Martin McKeay’s Network Security Blog. As can happen in the blogging community, Martin and I eventually got in touch and developed a friendship. Heck, anyone I’ve gone drinking with in 3 different cities in less than a year is definitely a friend. With my return to blogging last week Martin invited me to join him on his podcast- as a guest host, not a guest. You can check it out here, or subscribe through iTunes. This week was mostly an introduction and our first attempt at joint podcasting. We spend a little time talking about point of sale terminal security, and a bit more time talking about the value of a CISSP certification (Martin changed my opinion a bit while we were recording). I have a short introduction on communicating with executives, and the podcast finishes up with an interview Martin did with Winn Schwartau. We’re planning on doing more of these, so please send your feedback. We know this week clocks in a little long, and we already have some ideas to improve the format. Check it out here: Network Security Podcast, Episode 75 Share:

Share:
Read Post

Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
    Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
    Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
    For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
    Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.