Summary: Boy in the BubbleBy Rich
I’m going to write a fairly innocuous opening to this week’s Friday Summary, despite the gravity of current events. Because some things are best dealt with… not now, and not here.
It’s November 19th as I write this. A week until Thanksgiving, and less than a week until we take a family vacation (don’t worry, one of our relatives stays at our place when we are gone, the advantage of living near in-laws and having the fastest Internet connection in the family). I’m not really sure how that happened, since I’m fairly certain I just took our Christmas lights down a few weeks ago.
When we get back from the trip it will be exactly ten days until Star Wars comes out. At this point some of you are possibly a tad worried about my mental state (especially if the movie sucks) and the depth of my obsession. But based on the private emails, some of you put my to shame. I just happen to have a publishing platform.
Last week I actually engaged my filter bubble. I stopped reading certain news sites, fast forwarded through the commercials on television, and skipped the Japanese trailer with extra footage. That last official trailer was so perfect I don’t have any compelling need to see anything except the film itself. It set the tone, it built the trust, and now it all comes down to the final execution.
Filter bubbles are interesting anomalies. We most often see the term used in a negative way, as people create feedback loops to only reinforce their existing opinions. This isn’t merely a political manifestation, it’s one with profound professional effects, especially in risk and research related fields. It’s one of the first characteristics I look for in a security professional – is a person able to see things outside their existing frames of reference? Can they recognize contradictory information and mentally adjust their models?
For example, “cloud is less secure”. Start with that assumption and you fail to see the security advantages. Or “cloud is always more secure”, which also isn’t true. If you start on either side there is a preponderance of evidence to support your position, especially if you filter out the contradictory data. Or “the truth is somewhere in between”, which is probably true, but it’s rarely dead center, which people tend to assume.
Filter bubbles can be positive, used properly. One of the first things you learn as an emergency responder, at least if you are going to be halfway decent, is how to filter out the things that don’t matter. For example, the loudest patient is usually a low priority. You need a certain amount of energy to scream and it proves you have a good pulse and respirations. It’s the quiet ones you need to worry about.
Same for security. We all know how easy it is to become totally overwhelmed with the flood of data and priorities we face every day. The trick is to pick a place to start, iterate through, and adapt when needed. No, it certainly isn’t easy, but analysis paralysis is a real thing.
My Star Wars filter might not last until December 17th, but I’ll certainly make the effort. Besides, I’ll probably be too busy playing Star Wars: Battlefront on my Xbox to pay attention to pesky things like “the news”, “work”, or “eating”.
Although we’ve been writing more recently, with the holidays kicking in publishing will be more sporadic for a while due to vacations and end of year client work. Thanks, as always, for sticking with us.
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
- Security Champions Guide to Web Application Security. Gunnar wrote a book.
- Watch the reply of Rich’s webinar on cloud network security
- Rich is presenting a webinar on cloud storage security for Box on December 10th.
- Rich quoted by the Macalope on the dangers of poor security research. Well, the research might have been great, but the report sucked.
- Rich quoted over at TechRepublic on the risks of hybrid clouds.
- Don’t worry, Mike and Adrian are alive, they’ve just been super busy.
Other Securosis Posts
- Cloud Security Best Practice: Limit Blast Radius with Multiple Accounts.
- The Blame Game.
- Summary: Refurbished.
- Critical Security Capabilities for Cloud Providers.
Favorite Outside Posts
- Report: Everyone Should Get a Security Freeze. While you are at it, get one for your kids if you are in a state that allows that.
Research Reports and Presentations
- Pragmatic Security for Cloud and Hybrid Networks.
- EMV Migration and the Changing Payments Landscape.
- Network-based Threat Detection.
- Applied Threat Intelligence.
- Endpoint Defense: Essential Practices.
- Cracking the Confusion: Encryption and Tokenization for Data Centers, Servers, and Applications.
- Security and Privacy on the Encrypted Network.
- Monitoring the Hybrid Cloud: Evolving to the CloudSOC.
- Security Best Practices for Amazon Web Services.
- Securing Enterprise Applications.
Top News and Posts
- Microsoft Invests $1 Billion In ‘Holistic’ Security Strategy. Some services, some internal stuff.
- Attackers Can Use SAP to Bridge Corporate, Operational ICS Networks
- Adobe Pushes Hotfix for ColdFusion. Yep, there’s still a lot of CF out there.
- Carnegie Mellon Denies FBI Paid for Tor-Breaking Research. Follow up from last week’s report.
- Here’s a Spy Firm’s Price List for Secret Hacker Techniques
- Windows’ disk encryption could be easily bypassed in ‘seconds’
Blog Comment of the Week
This week’s best comment goes to Dewight, in response to Cloud Security Best Practice: Limit Blast Radius with Multiple Accounts.
Since one looses the ability to centrally manage the accounts with this practice, can you give an example of how to use automation? In particular for a highly decentralized organization that has a very large IT presents.
See the post’s comments for my reply…