Summary: Analyze, Don’t GuessBy Rich
Another week, another massive data breach.
This morning I woke up to a couple interview requests over this. I am always wary of speaking on incidents based on nothing more than press reports, so I try to make clear that all I can do is provide some analysis. Maybe I shouldn’t even do that, but I find I can often defuse hyperbole and inject context, even without speaking to the details of the incident.
That’s a fine line any of us on press lists walk. To be honest, more often than not I see people fall into the fail bucket by making assumptions or projecting their own bias.
Take this Anthem situation. I kept my comments along the lines of potential long-term issues for people now suffering exposed personal information (for example a year of credit monitoring is worthless when someone loses your Social Security Number). I was able to talk about who suffers the consequences of these breaches, trends in long-term impacts on breached companies, and the weaknesses in our financial and identity systems that make this data valuable.
I did all of that without blaming Anthem, guessing as to attribution, or discussing potential means and motivations. Those are paths you can consider if you have inside information (verified, of course), but even then you need to be cautious.
It was disappointing to read some of the articles on this breach. One in particular stood out because it was from a major tech publication, and the reporter seemed more interested in blaming Anthem and looking smarter than anything else. This is the same person who seriously blew it on another story recently due to the same hubris (but no apologies, of course).
There is a difference between analyzing and guessing, and it is often hubris.
Analysis means admitting what you don’t know, and challenging and doubting your own assumptions. Constantly.
I have a huge fracking ego, and I hate being wrong, but I care more about the truth and facts than being right or wrong. To me, it’s like science. Present the facts and the path to your conclusions, making any assumptions clear. Don’t present assumptions as facts, and always assume you don’t know everything and what you do know changes sometime. Most of the time.
And for crap’s sake, enough with blaming the victim and thinking you know how the breach occurred when you don’t have a single verified source (if you have one, put it in the article). Go read Dennis Fisher’s piece for how to play it straight and still make a point.
Unless you are Ranum. We all need to bow down to Ranum, who totally gets it.
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
- Adrian quoted on Tokenization.
- Paper on dynamic authorization by Gunnar Peterson (Registration required).
We know, slow week. We blame random acts of sleep deprivation.
- New Paper: Security and Privacy on the Encrypted Network.
- Incite 2/4/2015: 30x32.
- Applied Threat Intelligence: Use Case #3, Preventative Controls.
Favorite Outside Posts
- Adrian: Spy Agencies Secretly Rely On Hackers. One of the best aspects of this profession is being able to expand your mind based on really cool research from security people. Spy organizations would be crazy not to do the same! Look at the names on the list – half the people I follow to learn from because they do really interesting research.
- Mike: Looking for the Teachable Moments. Never stop learning. It’s a simple as that.
- Rich: Every Frame a Painting. This is a YouTube channel of short segments of film analysis. I’m a big film geek, and I love dissecting a scene or work and learning more about how films are made. The Jackie Chan one is my favorite so far. If you like it you can donate to support it.
- JJ: Use The ‘Fire Model’ When You Get Criticized At Work. Editor’s note: I am so glad I don’t have to deal with things like this. I’m probably unemployable at this point -rich.
- Mortman: The Queen Of Code. History FTW.
- Mortman (2): A Cybersecurity Wake Up Call for Emergency Managers. Rich should appreciate this one.
Research Reports and Presentations
- Security and Privacy on the Encrypted Network.
- Monitoring the Hybrid Cloud: Evolving to the CloudSOC.
- Security Best Practices for Amazon Web Services.
- Securing Enterprise Applications.
- Secure Agile Development.
- Trends in Data Centric Security White Paper.
- Leveraging Threat Intelligence in Incident Response/Management.
- Pragmatic WAF Management: Giving Web Apps a Fighting Chance.
- The Security Pro’s Guide to Cloud File Storage and Collaboration.
- The 2015 Endpoint and Mobile Security Buyer’s Guide.
Top News and Posts
- Cross Site Scripting vulnerability found in IE 11
- Yet Another Flash Patch Fixes Zero-Day Flaw
- The Oracle of Security Flaws via LiquidMatrix
- Marriott Android App Left Credit Card Data Vulnerable
- Security Basics for Docker
- Who’s Hijacking Internet Routes?
- WiFi blocking… blocked. There could be legitimate enterprise problems with this.
- A CIO Perspective on Security in the Cloud
- U.S. Officials Say Chinese Cyberespionage ‘Needs to Stop’