Securosis

Research

Feeding at the Data Breach Trough

They say when industries go nutty with consolidation and high-dollar M&A deals, the only folks who really make money are the bankers and the lawyers. Shareholders end up holding the bag, but these folks have moved on to the next deal. Given all the recent retail sector breaches (there are too many to even link), let’s take a look at who is going to profit. Mostly because we can.

The forensicators are first in line. They are running the investigations and figuring out how many millions of identities and credit cards have been stolen. The next group feeding at the breach trough are the credit monitoring folks, who get a bulk purchase agreement each time to cover consumers who were compromised this time.

The crisis communication PR folks also generate hefty bills. Customers are pissed and the retailer is on the evening news – not for the new store design. The company needs to start driving the message, which means they need PR heavies to start spinning like a top. Ka-ching.

Of course security vendors win as well. There is no time to grab security budget like right after a breach. Senior management doesn’t ask why – they ask whether it is enough. Every security salesperson tells tall tales about how their products and services would have stopped the breach. Who cares if the offering wouldn’t have made a difference? Don’t let the truth get in the way of the new BMW payment! It’s a feeding frenzy for a few quarters after the breach. Sell, sell, sell!

But it doesn’t end there – lawyers always get their piece of the action by launching a variety of class-action suits against the retailer. We haven’t yet (to my knowledge) seen a successful judgement against a company for crappy security resulting in lost identities, but it’s coming. Although it is usually just easier to settle the class action rather than fight it. The lucky winners in the class action might each get a $5 gift card. The lawyers walk away with 20-30% of the judgement. Yes, that’s a lot of gift cards.

Internally the company needs to make sure this kind of thing doesn’t happen again. So they fire the existing CISO and look for another one. Then the security recruiters spring into action. The breached retailer is looking, but many others will either try to fill their own positions, or perhaps decide to make a change before they find themselves in the same unhappy place. Of course the new CISO had better take advantage of the first few quarters during the honeymoon, with a mandate to fix things. Lord knows that doesn’t last long. Soon enough retailers always realize they are still in a low-margin business, and spending on security technology like a drunken sailor hasn’t helped sell more widgets. But that flyer in the Sunday paper offering a 35% discount sure did.

Finally, let’s not forget the shareholders. You’d think they’d be losers in this situation, but not so much. Wall Street seems to be numb to breaches by now. The analysts just build the inevitable write-down into the model and move on. If anything it forces companies to button down some leaky operational issues and might even improve performance.

Of course the loser is the existing CISO and maybe the CIO, who get thrown under the bus. But don’t feel too bad for them. They will probably write a book and do some consulting while they collect the severance package and the road rash heals. Then they’ll get back in the game by being candid about what they learned and how they will do it differently next time.

We have all seen this movie before. And we’ll see it again. And again. And again.

Photo credit: “Pigs at trough, 1927” originally uploaded by King County, WA


Summary: Seven Year Scratch

Sometimes life sneaks up on you. Often when I am introduced to new clients and professional contacts, it is as “Analyst and CEO of Securosis; he used to be at Gartner”. I am fully cognizant of the fact that not only is Gartner where I started my analyst career, but also that my time and title there are the reason I was able to start Securosis. Not only did I learn how to be an analyst, but the Gartner name (as much as it pains some people) still carries a lot of weight. Leaving as a VP carries even more (a gift from my former boss, who knew he could never get my pay where it needed to be).

It still carries weight to this day. We have a hell of a good brand in Securosis, but large swaths of the world have never heard of us. “Former Gartner” still helps open those doors. Even though the kind of work we do today carries very little resemblance to what I did back at the G. To be honest, I’m not even sure we are analysts anymore. It’s still part of what we do, but only one facet.

Recently I have run into more of my former colleagues at various events. Black Hat, Boxworks, and other random analyst days and conferences. Most of them still work there, and all are shocked when I mention that I have now been running Securosis longer than I was at Gartner. This summer we passed the 7-year mark as a company. That’s exactly as long as I was at Gartner, and I wasn’t even an analyst for my first year. It’s longer than any other professional job I have held, and almost as long as I spent at the University of Colorado (8 years for my undergrad – it’s a Boulder thing).

I still remember the first few months of the company. How I could barely sleep at night because I was so excited about what the next day would hold. Waking up early and jumping on my computer to blog, research, and spend entirely too much time on Twitter. Seven years is a long time to maintain that enthusiasm.

Since then I have added three children to my family, been through two major medical challenges, and built up the stress and overhead that comes from moving from a one-person shop with no clients… to one with partners, contributors, software platforms, and dozens of active clients (not counting all the one-off projects). I now literally lose entire days purely to dealing with travel plans, invoices, and expenses. And really, no one with three kids under the age of five ever wakes up, on their own, with enthusiasm.

But despite the overhead, chronic sleep deprivation, and stress of deadlines and commitments, this is the single most exciting time of my career. I may wake up a little rough around the edges, and feel like there is never enough time in the day, but I am engaged in my most compelling and challenging work since I first entered the workforce as an underweight security guard.

About four or five years ago I placed a bet on cloud computing, and later on what is now known as DevOps. Those bets are paying off bigtime as those entangled disruptive forces trigger massive changes in how we deliver and consume technology. Aside from paying off financially (apparently there still aren’t that many people who really understand cloud and DevOps security out there), the work is… exciting. It’s a hell of a lot of fun. Every day I wake up not only with something new to learn, but with the confidence that I can use it to support my family as I gain and expand that knowledge. It is really hard to imagine a better job (without zero gravity or secret lairs).

Although being interviewed by the Wall Street Journal on celebrity nudes was still kind of a surprise.

On to the Summary:

Webcasts, Podcasts, Outside Writing, and Conferences
Rich quoted in the Wall Street Journal on the celebrity hacks.
Rich’s article on the same issue at TidBITS. And a zillion other articles on the story.
Mike quoted on context-aware security in SearchNetworking.
Mike quoted on Wendy Nather being named a “Power Player” in Security. Wendy is awesome and one of our favorite people in the industry. Mike couldn’t be happier to be quoted in the piece.
Mike’s “Change Agent” – Trusted Information Systems. Mike did a blog post/video for Digital Guardian naming a “change agent” that had an impact on how security has evolved… Check it out.
Mortman Quoted about DevOps by the Hulminator. Chasing consistency across the wild seas of enterprise IT

Favorite Securosis Posts
Let’s be honest: we only had three posts by Mike this week, so we’ll call them all favorites.

Other Securosis Posts
Feeding at the Data Breach Trough.
Incite 9/3/2014: Potential.
PR Fiascos for Dummies.

Favorite Outside Posts
Mike Rothman: Infosec is a strange industry. Gunnar is right. There are many parallels between security and finance (another ‘strange’ industry). I’d add another to the list. Success in security is when nothing happens. If that’s not strange, I don’t know what is…
Adrian Lane: 11 Reasons Email Is the Worst. This is fascinating – not for the insights into the limitations of email, but for its astute examination of human behavior. Worth the read!
Rich: Not Safe for Not Working On by Dan Kaminsky. Dan really addresses the root issue here, at both psychological and practical levels. Must read.
Gunnar: Hacker Breached HealthCare.gov Insurance Site. “If this happened anywhere other than HealthCare.gov, it wouldn’t be news,” a senior DHS official said. Not the best excuse.
Mortman: Bringing new security features to Docker.

Research Reports and Presentations
The 2015 Endpoint and Mobile Security Buyer’s Guide.
Analysis of the 2014 Open Source Development and Application Security Survey.
Defending Against Network-based Distributed Denial of Service Attacks.
Reducing Attack Surface with Application Control.
Leveraging Threat Intelligence in Security Monitoring.
The Future of


Incite 9/3/2014: Potential

It starts with a blank slate. Not entirely blank because some stuff has happened over the past few months, which offers hints to where things will go. But you largely ignore that data because you want to believe. Maybe this time will be different. Or maybe it will be the same. All you can see is potential. Yet soon enough the delusions of grandeur will be shown to be exactly that – delusions. No, I’m not talking about self-help or resetting your personal or professional lives. I’m talking about the NFL season.

It starts on Thursday night and I’m pumped. I’m always pumped for football. Sure, there were some college games over the weekend, and I enjoyed watching those. But for me nothing compares to the pro game. Will my teams (the Giants and Falcons) recover this year? Will their off-season efforts be enough? Will the other teams, who have been similarly busy, be even better this year? Can I look forward to being excited about the NFL playoffs in January because my teams are in, or will I be paying attention to the bowl games to look for high draft picks for next year? Like I did this past January/February.

So many questions, but all I have now is optimism. Why not? I’ve been following the beat reporters covering my teams every day. They tweet and file reports about practices and injuries and dissect meaningless pre-season games. It’s fun for me and certainly better than chasing down malware-laden sites claiming to have celebrity nudie pictures.

My teams have holes, but that’s OK. You forget about those in the build-up to the first week. There is plenty of time over the next four months to grind my teeth and wonder why they cut this guy or call that play. No second-guessing yet – there isn’t much to second guess. Until next Tuesday morning anyway.

Soon enough we’ll know whether the teams are real. It’s always fun to see which teams will surprise and which will disappoint. Soon the suspense will be over. It’s time. And I’m fired up. I’ll be in the GA Dome on Sunday. You know, that guy losing his voice as the Falcons take on the Saints. Same as it ever was.

–Mike

Photo credit: “NFL Logo” originally uploaded by Matt McGee

The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the conference this year. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.

Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.

August 18 – You Can’t Handle the Gartner
July 22 – Hacker Summer Camp
July 14 – China and Career Advancement
June 30 – G Who Shall Not Be Named
June 17 – Apple and Privacy
May 19 – Wanted Posters and SleepyCon
May 12 – Another 3 for 5: McAfee/OSVDB, XP Not Dead, CEO head rolling
May 5 – There Is No SecDevOps
April 28 – The Verizon DBIR
April 14 – Three for Five

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.
The Security Pro’s Guide to Cloud File Storage and Collaboration Additional Security Features Core Security Features Overview and Baseline Security Introduction Leveraging Threat Intelligence in Incident Response/Management Quick Wins The (New) Incident Response & Management Process Model Threat Intelligence + Data Collect = Responding Better Really Responding Faster Introduction Trends in Data Centric Security Deployment Models Tools Introduction Use Cases Understanding Role-based Access Control Advanced Concepts Introduction NoSQL Security 2.0 Understanding NoSQL Platforms Introduction Newly Published Papers The 2015 Endpoint and Mobile Security Buyer’s Guide Open Source Development and Application Security Analysis Advanced Endpoint and Server Protection Defending Against Network-based DDoS Attacks Reducing Attack Surface with Application Control Leveraging Threat Intelligence in Security Monitoring The Future of Security Security Management 2.5: Replacing Your SIEM Yet? Defending Data on iOS 7 Incite 4 U Foole and Boobage: As alluded above, the Intertubes exploded over the weekend – not with news of things that matter, like global unrest, tentative ceasefires, NASCAR, college football, or even more ice-bucketry. Everyone was aflutter about seeing some celebrity boobies. Everyone now has an opinion about how the hack happened, even your general mass media sites chock full of security expertise. Yes, that was sarcasm folks. As usual, don’t believe everything you read on the Internet – a lot of speculation is wrong. I have no inside information and neither does our resident Apple Fan Boi, the Rich Mogull. Which means those folks probably don’t either, so they are coming up with plausible threat models that could have resulted in an attacker (or group of attackers) gaining access to the Photostreams of these celebrities, who evidently like to take pictures of themselves without shirts on. 
I’m certainly not judging that, despite the fact that folks get pretty uptight about seeing breasts in the US. I am judging the baseless speculation. At some point we may find out how it happened. Or we may not. At the end of the day, if you take nudie pictures and store them in a cloud service, other people may see them. Not that it’s right, but it’s reality. (PS: Dog yummy to anyone who gets the reference in the title.) – MR Customer centric: Owen Thomas discusses the gaps Apple needs to address before they can enter the payments market, but his arguments assume Apple wants to go all in. If their goal is to provide mobile payments Apple


PR Fiascos for Dummies

If you are the head of communications for a big company and one of your executives goes off-script and says something … ill advised … and puts the foot in the mouth, what can you do? You curse the gods for putting you in that job and you long for the days when someone else was in the hot seat, when you have to go into damage control. What else could the head of Trend Micro’s marketing be thinking when CISO Tom Kellermann basically said Russians are smarter than Americans? Evidently he really said this.

I don’t even know where to start and I’ve known Tom for years. He’s not dumb, but that’s a dumb statement. Thereby making a strong argument for his hypothesis: Tom, you see, is an American. The lengths people go to be proven right continue to astound me.

Maybe he means that Russian attackers take a more strategic view of their jobs. And that they view hacking as a national area of focus (like the Chinese). But the money shot, where he states Russians are ‘smarter’ is not a conclusion you can legitimately draw. Not without coming off sounding like a jackass. If we are going to dabble in crass generalizations, it seems like Stuxnet was pretty strategic but didn’t come from Russia. So there’s that.

But let’s be real and understand that kind of statement is bait for every clickwhore. Graham Cluley jumps on it and basically calls it what it is: an idiotic statement. Though I do take issue with Graham attributing the statement to Trend Micro as a whole, rather than just Kellermann shooting from the hip to hit himself in the head with a shotgun blast. Trend’s research seems to have been focused on Russia’s strategic approach to hacking – not a generic question about the intelligence of the American populace. But I’m sure Graham got lots of clicks for his assessment as well, so the beat goes on…

Photo credit: “profile picture” originally uploaded by vtbrak


Respect the Hierarchy

Wendy (again) states things that we should already know in such an easy to understand way, that you smack yourself upside the head and wonder why you didn’t think of it. Her post on the 451 blog about The hierarchy of IT needs makes very very clear why you continue to have problems making the case for security in your organization. I won’t just pirate her image, but go look at it and it will feel like a gut punch.

Of course there are exceptions to this hierarchy. Like in the few quarters after a high-profile breach. Then blow up the pyramid and spend all the money you can. It won’t last long. Soon enough senior management will forget the pain and get back to allocating resources based on your business needs.

Wendy also offers a secret that can help get funding for those security projects you know you need to do, but can’t get senior management to understand. If you can tie security to one of the lower requirements (lower than compliance, that is), you’ll have a much better chance at getting it incorporated more frequently. And to net it out, more wisdom:

This hierarchy of needs also explains why security is an afterthought, and how even in the most mature of environments, it gets abandoned if one of the lower layers is suddenly threatened. It’s why holes get left in firewalls, why the accounts of terminated employees are still running services, and why back doors are left in systems. It’s all about keeping things working.

This is our reality. You can certainly resist it and bang your head against the wall repeatedly. But the only thing that will accomplish is to give you a headache. You won’t get any more funding, because the hierarchy of IT needs is alive and well.

Photo credit: “Hierarchy of Letter Boxes” originally uploaded by Michael Coghlan


Friday Summary: August 29, 2014

As you are likely out of the office much of today, preparing for a long weekend, I will keep this week’s summary short and to the point. Another three-star set of nits to pick. *** With Apple’s new product announcements just a couple weeks away, Wired’s Will Apple Kill Off the Credit Card Like It Did the Compact Disc? asks the wrong question. I don’t claim any specific knowledge of what Apple is thinking when it comes to payments, but I am willing to bet they would not describe their strategy as replacement of credit cards. In fact, just asking whether Apple is looking to kill off credit cards is myopic. It’s like asking if smartphones were out to kill land lines – ultimately they did, but powerful mobile handheld computers transformed many facets of daily life, including basic things like our definition of ‘computer’ and how we use information. The move to mobile payments by Apple and other platform providers is more about fundamental long-term transformation of payments to something more convenient, more ubiquitous and…probably…more secure. *** The Opportunity Cost of Automating Database Auditing should have a big NOT in the title. Not in that Borat ‘NOT!’ way, but better to consider the opportunity cost of not auditing databases as an information source. As a former vendor of database monitoring and auditing products, I always felt it would have been prudent for some of the compliance mandates to include database infrastructure in their lists of required controls. The database offers more accurate information than most other sources, and can help bypass a lot of manual work if done correctly. And certainly the repository that holds the bulk of enterprise data – relational databases have been king of the data management platforms for a couple decades – warrants some special mention. But they don’t get it. PCI? Nope. CA-1386? Nope. Basel II? Nada. 
Not even Sarbanes-Oxley, which is a special case given that Worldcom – one of the law’s poster children – was convicted based on analysis of database transaction records. But database auditing is not part of the requirement. The key ROI cost discrepancy is not between different kinds of database auditing – it is between database auditing and other types of auditing which require more effort for lower-quality results. *** Tim Raines wrote recently on the Microsoft blog about Major Rights Management Update to Office on Azure. This is less about user entitlements than enforcement. Look at the provided examples: it is app-layer Digital Rights Management. Yes, platform providers (such as Apple and Google) have a unique advantage as they control the cloud servers and the mobile applications that use them. In essence this offers control over who can view/use data under what circumstances, but it is more interesting when the data owner can control rights in the data management solution context. Most existing DRM options require learning third-party products, and disassociate where you set policy from where the data is managed. This is essentially what many firms are attempting to accomplish with MDM solutions and various mobile containers. On to the Summary: Webcasts, Podcasts, Outside Writing, and Conferences James Arlen quoted in Cybersecurity’s hiring crisis: A troubling trajectory. Favorite Securosis Posts Adrian Lane: Shipping Decent Breach Notification. David Mortman: Respect the Hierarchy. Mike Rothman: The Data Breach Triangle. This is a classic from back in 2009. And a concept I still use in almost every meeting, so it has aged pretty well. Other Securosis Posts Incite 8/27/2014: It takes a village. Friday Summary: STEM. Favorite Outside Posts Adrian Lane: Point-of-sale malware has now infected over 1,000 companies in US. A thousand that they know about. 
We could reach an inflection point with mobile devices where we simply move financial transactions out of retail establishments… Which should have happened a long time ago. Rich: Trolls drive Anita Sarkeesian out of her house to prove misogyny doesn’t exist. This upsets and depresses me beyond belief. Tech overall has a problem with how we treat women, and security is no exception. I’m not saying we are any better or worse, but this is an important read to see how extreme the problem is, and to remember we are far from immune. Gunnar: Sabermetrics vs. second-hand knowledge. Mike Rothman: Netflix releases home-grown DDoS detectors. I’m digging how Netflix continues to contribute their security tools to the community. This is great for everyone. Research Reports and Presentations The 2015 Endpoint and Mobile Security Buyer’s Guide. Analysis of the 2014 Open Source Development and Application Security Survey. Defending Against Network-based Distributed Denial of Service Attacks. Reducing Attack Surface with Application Control. Leveraging Threat Intelligence in Security Monitoring. The Future of Security: The Trends and Technologies Transforming Security. Security Analytics with Big Data. Security Management 2.5: Replacing Your SIEM Yet? Defending Data on iOS 7. Eliminate Surprises with Security Assurance and Testing. Top News and Posts Update on reviewing our data practices and Bugzilla development database disclosure. Did Arizona turn over its counterterrorism database to a Chinese spy? It is difficult to tell whether this is political poop-flinging or there is real evidence of crime, but an interesting discussion. Cyber attack reveals data on at least 25,000 workers at the US Department of Homeland Security. FBI investigating Russian links to JPMorgan hacking. Don’t waste time on Code Reviews. Compromised Facebook accounts create scam events. Masscan does STARTTLS. Creators of New Fed-Proof Bitcoin Marketplace. DQ Breach? HQ Says No, But Would it Know? 
White House Going With ‘Security By Obscurity’ As Excuse For Refusing To Release Healthcare.gov Security Details. End to End. Espionage programs linked to spying on former Soviet targets.


Incite 8/27/2014: It takes a village

The first couple weeks when the kids are back in school can be a little rough. We don’t have the routine down so there is some inevitable confusion and miscommunication. There are just so many details. Who is picking up which kid, from where? We drive that carpool which night? What is the address of the 3rd kid to grab for LAX practice? You know, that kind of thing. And that’s just the logistical stuff the Boss and I need to figure out.

Complicating matters is the alternative schedules we have to maintain. One when I’m in town, and the other for when I’m on the road working with clients. Obviously things are a bit easier when I can lend a hand and grab this kid from there and/or take the other kid to the dance studio. We have found it really does take a village to raise kids nowadays.

I remember when I was growing up and my Mom worked in a retail pharmacy. Some nights she would have the afternoon shift and then have to close the store. I was a latchkey kid, so once we were old enough to go home and fend for ourselves for a couple hours (probably late in elementary school for me) I would take my brother home and we’d play until Mom got home. Sometimes I’d go to a friend’s house and play a game of pick-up football. Another kid had an Intellivision so we went to his house a lot.

I became pretty self-sufficient. My Mom would cook a bunch of meals over the weekend, and I’d pull one out of the freezer and throw it (whatever it was) into a pan and boom! Dinner. If my clothes were dirty I put them in the wash. She would get home after a long day of work standing in the pharmacy and make sure we got our homework done, and we all had to lend a hand to get everything done. That’s just the way it was for us.

Nowadays that wouldn’t work very well. Sure my kids can do laundry and probably even warm up their food (through the magic of the microwave!) But the kids can’t get themselves to dance practice 4 days a week. I guess the Boy could walk down to his tennis practices in the neighborhood, but he can’t walk the 10 miles to LAX practice Monday nights. Actually he could, but probably not in time for 6pm practice.

So we work it out with the other parents. We drive some nights and pick up others. With 3 kids and overlapping activity schedules, there isn’t really any other way – especially given my travel schedule. Though we got a little smarter this year. I put the kid’s schedule in my phone, so I know which practices are what days and where. We discuss who is doing what at the beginning of the week, so I know where I’m expected to be, and I put it in my calendar. The goal is to minimize confusion and so far it’s working.

And we took another step towards what emancipation looks like for 10-year-olds this year. We got them pre-paid cell phones, so when they are tooling around the neighborhood or at their various practices, and we make the inevitable mistakes, they can just call. It’s very helpful to just dial them up and figure out where they are. My Mom didn’t have that option – she sometimes had to drive around the neighborhood to figure out which back yard I was playing in.

Yes, things are more complicated now, but we have much better tools to handle them. But the thing that hasn’t changed? The relationships you build with people who can lend a hand when you need one. And where you lend a hand when they need one. No magic device or web-based service can replace that.

–Mike

Photo credit: “The Village Store and Tea Shop” originally uploaded by Alison Christine


Shipping Decent Breach Notification

Many folks have strong opinions about the right way to perform breach notification. More to the point, many folks think they know what not to do. But that’s okay – the great thing about opinions is that everyone gets their own.

Recently the UPS Store, a franchised chain of shipping stores, reported a breach. In the incident information they detailed how many of their stores were impacted. They listed dates when they determined the store systems were breached, and dates the systems were cleaned up. They also provide a fairly comprehensive FAQ about what happened and what affected consumers should do. Additionally they are providing credit monitoring services for the impacted.

As a security guy, it would be great to have learned more about the specific malware and other technical details of the incident and the cleanup. But that level of detail would be lost on most folks impacted by this breach. The notification and FAQ told consumers what they need to know and to do.

Complicating matters is the fact that the franchises are independently owned, and UPS doesn’t control their networks. So the fact that they clearly investigated all 4,470 stores is impressive as well. Kudos to UPS and the UPS Store folks. Among all the breach notification fiascos we see, it is good to see one done well.

Photo credit: “UPS Store” originally uploaded by Mike Mozart


Friday Summary: STEM

A few days after returning from DEF CON my family experienced an inevitable life-changing event you cannot really prepare for. Kindergarten.

That’s right. If you have been following this site since it started 8 years ago, you have watched as I went from a newly married dude in his 30’s traipsing around the world, to a… and I find this really hard to say… responsible parent with school-aged children. My life schedule is now officially defined by the State of Arizona and the Paradise Valley Unified School District. So long off-week Disney trips; hello PTO, early dismissal days, and parent/teacher meetings.

To be honest, it’s pretty exciting. For some reason American society thinks that if you manage to keep your kids alive for the first five years, then the state should step up and provide a little support and education. Those of you who ran through the private daycare gauntlet know exactly what I am talking about. The thing my daughter is most excited about? The idea of a teacher sticking around for more than three months.

We actually went ahead and got our 5-year-old accepted to a charter school that’s closer to our home than the school she would normally go to (due to the vagaries of subdivisions). It’s actually a normal public school, but they get a little extra funding and have a STEM program, and it is considered an in-district transfer. We got our 3-year-old into the pre-K program at the same school.

I have already experienced some highs and lows with the STEM program. It was very important to me – even if my kids go into non-technology careers, a solid technical foundation will help in whatever they do. Also, I hoped going to a STEM-enhanced school would help compensate for the many issues with technology and science education for girls. I wasn’t certain how often they had STEM class, but quickly learned they attend every week. Not bad for a group of kids who generally cannot read yet.

Then again, last week our conversation went like this.

“How was school? What did you do?”

“We did this thing called STIM?”

“Awesome! That’s STEM! It’s science and technology! What did you do?”

“We colored a picture of a scientist.”

“Oh.”

This week they talked about what scientists do. It wasn’t terrible, and she learned that science is about asking questions.

On the other hand, over the weekend we played Robot Turtles and started learning about how that board game teaches programming. And how we can use it to program our Lego robot. And the next day the kids begged me to do science, so I pulled out our polymer lab kit and we experimented with making fake snow, absorbing water, and making goo. The weekend before they asked to go to the Arizona Science Center and we had a total temper tantrum pulling them out of the paper airplane exhibit because her helicopter design wasn’t working. Heck, I took them to HacKid and they loved it, even the 3-year-old.

I really hope the classes go hands-on soon, because talking about something is no way to foster lifelong interest. We live in a golden age for science and technology education. Instead of learning to program to move a fake turtle on a screen (let’s be honest, it was barely a pixel), our kids can move real robots in the real world… without knowing how to read. 3D printers, microscope lenses for phones, cheap bio sensors, drones, microprocessors – technology has never been more accessible (at least if you live in an affluent area – let’s be honest).

My kids will get this all at home. Those are my hobbies, and I hope my love of science and technology influences them. It will be nice if school reinforces that, but I will not rely on it.

There is one exception to my golden age comment – it’s a crappy time for chemistry sets thanks to terrorists and meth dealers. Or an overly-paranoid government and stupid DHS rules. Or something like that.

On to the Summary:

Favorite Securosis Posts

  • Adrian Lane: CISO’s Head Asplode.
  • Mike Rothman: Firestarter: You Can’t Handle the Gartner. I’ll admit it. I don’t watch other folks’ videocasts or listen to their podcasts. But I would watch/listen to ours. Mostly because it’s entertaining, and even helpful. And yes, we actually have a good time recording it.
  • Rich: APT hits the ER. There is much more to this than you think. I know of some big healthcare breaches that originated overseas but haven’t been made public.

Other Securosis Posts

  • Incite 8/20/2014: Better get a Bucket.
  • 21st Century Shakedown.

Favorite Outside Posts

  • Adrian Lane: 96% decline in NYC car theft. Interesting how a single innovation can thwart an entire class of security issues.
  • Mike Rothman: Visualization for Security. We (as an industry) aren’t very good at visualization. So check out this deck from Raffael Marty, who is one of the leading visualization dudes in the industry. And learn some stuff.
  • Rich: Apple begins storing user data in China. It’s going to be interesting to see how Apple handles user privacy overseas, considering their intense focus on privacy as a competitive differentiator here in the US. The fact is you simply cannot offer these services in some countries without opening them to the local government, in ways you don’t have to here, even with all our recent NSA concerns.
  • Gunnar Peterson: Michael Daniel’s Path to the White House: CyberSec Coordinator Tells Why Lack of Tech Know-How Helps. What’s next? A Treasury Secretary who brags about not knowing about banks? You can’t make it up. I get that execs (a czar counts as an exec, right?) cannot be down “in the weeds” but you have to be able to tell a weed from a flower or a vegetable. Rich adds: this astounds me. It shouldn’t but it does, and the fact that he sees this as an advantage means he is completely unqualified for his job.
  • Dave Lewis: The Puerile


Incite 8/20/2014: Better get a Bucket

So I am finally home for a few weeks, coinciding with the kids starting school. As usual I grab my messenger bag first thing in the am and head out on my nomadic journey. With about 10 local Starbucks with Google WiFi, I am typically in one of those. I get faster Internet at Starbucks than I do at home (57mbps down FTW). It does make me a little more predictable, so that’s a bit alarming. But I’ll trade 50mb downloads for the anemic DSL speeds of AT&T WiFi every day of the week.

After a long day of reading tweets, drinking coffee, and trolling the team in our chat room, I come home to see the kids outside with a bucket. Yes, they were challenged to the Ice Bucket Challenge, an awareness campaign originated by Pete Frates – a former Boston College baseball player – suffering from ALS that has gone viral over the past week. There is a great ESPN profile of Pete and the challenges of ALS. NFL coaches and players, celebrities, families, and evidently school-age kids are dumping buckets of ice water on their heads.

Though to be candid, I was kind of annoyed. Most of the celebrities and sports stars mention ALS and talk about the cause – if only for a few seconds. But do these kids even know why they are doing it? I asked, and they had no idea. So I saw a teaching moment. I dictated that before any ice water was dumped, they would need to understand about ALS and commit to not just dousing themselves, but to giving money to the cause. After extracting a $20 commitment each, and making sure they read the online description of the disease, they dumped the water. And all was right in the universe.

Then I remembered that I saved the fantastic “A Football Life” episode on Steve Gleason because it was awesome and inspiring. The former New Orleans Saint suffers from ALS, and that show documented his life and his adventure climbing Machu Picchu. Yes, I forced the kids to watch that too.

I am good with viral campaigns. I’m ecstatic that this campaign has increased donations to research for an ALS cure tenfold. That is awesome. And it would be even more awesome if everyone who dumped a bucket of ice water on their heads actually understood why they were doing it. Then instead of just being funny, it would be educational as well.

–Mike

PS: The picture above is Bill Gates (yes, that Bill Gates) doing the ice bucket challenge. Click here to see the full clip in all its animated GIF glory.

Photo credit: “Bill Gates ice bucket challenge” originally uploaded by Waseem Ashraf

The fine folks at the RSA Conference posted the talk Jennifer Minella and I did on mindfulness at the conference this year. You can check it out on YouTube. Take an hour and check it out. Your emails, alerts and Twitter timeline will be there when you get back.

Securosis Firestarter

Have you checked out our new video podcast? Rich, Adrian, and Mike get into a Google Hangout and.. hang out. We talk a bit about security as well. We try to keep these to 15 minutes or less, and usually fail.

  • August 18 – You Can’t Handle the Gartner
  • July 22 – Hacker Summer Camp
  • July 14 – China and Career Advancement
  • June 30 – G Who Shall Not Be Named
  • June 17 – Apple and Privacy
  • May 19 – Wanted Posters and SleepyCon
  • May 12 – Another 3 for 5: McAfee/OSVDB, XP Not Dead, CEO head rolling
  • May 5 – There Is No SecDevOps
  • April 28 – The Verizon DBIR
  • April 14 – Three for Five

Heavy Research

We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, with our content in all its unabridged glory. And you can get all our research papers too.

The Security Pro’s Guide to Cloud File Storage and Collaboration

  • Additional Security Features
  • Core Security Features
  • Overview and Baseline Security
  • Introduction

Leveraging Threat Intelligence in Incident Response/Management

  • Quick Wins
  • The (New) Incident Response & Management Process Model
  • Threat Intelligence + Data Collect = Responding Better
  • Really Responding Faster
  • Introduction

Trends in Data Centric Security

  • Deployment Models
  • Tools
  • Introduction
  • Use Cases

Understanding Role-based Access Control

  • Advanced Concepts
  • Introduction

NoSQL Security 2.0

  • Understanding NoSQL Platforms
  • Introduction

Newly Published Papers

  • The 2015 Endpoint and Mobile Security Buyer’s Guide
  • Open Source Development and Application Security Analysis
  • Advanced Endpoint and Server Protection
  • Defending Against Network-based DDoS Attacks
  • Reducing Attack Surface with Application Control
  • Leveraging Threat Intelligence in Security Monitoring
  • The Future of Security
  • Security Management 2.5: Replacing Your SIEM Yet?
  • Defending Data on iOS 7

Incite 4 U

The path of least resistance: Clearly the easiest way to pwn an organization is just to find some Windows XP and use old malware. In our App Control paper we said there are a bunch of reasons XP may still exist in your environment. But if you still have unpatched XP you just suck at operations and security. Again, there are some mitigating circumstances (perhaps you cannot patch), but then you need some kind of whitelisting on the device to lock it down. Seriously – it’s 2014, folks. MSFT is trying their best to stop supporting the product. It’s time to upgrade. – MR

Form letter: “Company {name} was the victim of unauthorized access to our customer systems, and attackers stole {number} of credit cards between {date1} and {date2}. Company {name} said: ‘Our customer’s trust is a top priority, and we’ve taken steps to address the {vulnerabilityXXXXXx10^3} and help law enforcement catch those naughty, malicious evil-doers that are now looting your bank account. As an added precaution we will make available {worthless-service} to protect your identity, and ask all of our customers to reset their passwords ASAP.’” There you go: an open source breach letter


Totally Transparent Research is the embodiment of how we work at Securosis. It’s our core operating philosophy, our research policy, and a specific process. We initially developed it to help maintain objectivity while producing licensed research, but its benefits extend to all aspects of our business.

Going beyond Open Source Research, and a far cry from the traditional syndicated research model, we think it’s the best way to produce independent, objective, quality research.

Here’s how it works:

  • Content is developed ‘live’ on the blog. Primary research is generally released in pieces, as a series of posts, so we can digest and integrate feedback, making the end results much stronger than traditional “ivory tower” research.
  • Comments are enabled for posts. All comments are kept except for spam, personal insults of a clearly inflammatory nature, and completely off-topic content that distracts from the discussion. We welcome comments critical of the work, even if somewhat insulting to the authors. Really.
  • Anyone can comment, and no registration is required. Vendors or consultants with a relevant product or offering must properly identify themselves. While their comments won’t be deleted, the writer/moderator will “call out”, identify, and possibly ridicule vendors who fail to do so.
  • Vendors considering licensing the content are welcome to provide feedback, but it must be posted in the comments - just like everyone else. There is no back channel influence on the research findings or posts.
  • Analysts must reply to comments and defend the research position, or agree to modify the content.
  • At the end of the post series, the analyst compiles the posts into a paper, presentation, or other delivery vehicle. Public comments/input factors into the research, where appropriate.
  • If the research is distributed as a paper, significant commenters/contributors are acknowledged in the opening of the report. If they did not post their real names, handles used for comments are listed. Commenters do not retain any rights to the report, but their contributions will be recognized.
  • All primary research will be released under a Creative Commons license. The current license is Non-Commercial, Attribution. The analyst, at their discretion, may add a Derivative Works or Share Alike condition.
  • Securosis primary research does not discuss specific vendors or specific products/offerings, unless used to provide context, contrast or to make a point (which is very very rare).
  • Although quotes from published primary research (and published primary research only) may be used in press releases, said quotes may never mention a specific vendor, even if the vendor is mentioned in the source report. Securosis must approve any quote to appear in any vendor marketing collateral.
  • Final primary research will be posted on the blog with open comments.
  • Research will be updated periodically to reflect market realities, based on the discretion of the primary analyst. Updated research will be dated and given a version number.
  • For research that cannot be developed using this model, such as complex principles or models that are unsuited for a series of blog posts, the content will be chunked up and posted at or before release of the paper to solicit public feedback, and provide an open venue for comments and criticisms.
  • In rare cases Securosis may write papers outside of the primary research agenda, but only if the end result can be non-biased and valuable to the user community to supplement industry-wide efforts or advances. A “Radically Transparent Research” process will be followed in developing these papers, where absolutely all materials are public at all stages of development, including communications (email, call notes).
  • Only the free primary research released on our site can be licensed. We will not accept licensing fees on research we charge users to access.
  • All licensed research will be clearly labeled with the licensees. No licensed research will be released without indicating the sources of licensing fees. Again, there will be no back channel influence. We’re open and transparent about our revenue sources.

In essence, we develop all of our research out in the open, and not only seek public comments, but keep those comments indefinitely as a record of the research creation process. If you believe we are biased or not doing our homework, you can call us out on it and it will be there in the record. Our philosophy involves cracking open the research process, and using our readers to eliminate bias and enhance the quality of the work.

On the back end, here’s how we handle this approach with licensees:

  • Licensees may propose paper topics. The topic may be accepted if it is consistent with the Securosis research agenda and goals, but only if it can be covered without bias and will be valuable to the end user community.
  • Analysts produce research according to their own research agendas, and may offer licensing under the same objectivity requirements.
  • The potential licensee will be provided an outline of our research positions and the potential research product so they can determine if it is likely to meet their objectives.
  • Once the licensee agrees, development of the primary research content begins, following the Totally Transparent Research process as outlined above. At this point, there is no money exchanged.
  • Upon completion of the paper, the licensee will receive a release candidate to determine whether the final result still meets their needs.
  • If the content does not meet their needs, the licensee is not required to pay, and the research will be released without licensing or with alternate licensees.
  • Licensees may host and reuse the content for the length of the license (typically one year). This includes placing the content behind a registration process, posting on white paper networks, or translation into other languages. The research will always be hosted at Securosis for free without registration.

Here is the language we currently place in our research project agreements:

Content will be created independently of LICENSEE with no obligations for payment. Once content is complete, LICENSEE will have a 3 day review period to determine if the content meets corporate objectives. If the content is unsuitable, LICENSEE will not be obligated for any payment and Securosis is free to distribute the whitepaper without branding or with alternate licensees, and will not complete any associated webcasts for the declining LICENSEE. Content licensing, webcasts and payment are contingent on the content being acceptable to LICENSEE. This maintains objectivity while limiting the risk to LICENSEE. Securosis maintains all rights to the content and to include Securosis branding in addition to any licensee branding.

Even this process itself is open to criticism. If you have questions or comments, you can email us or comment on the blog.