There once was a boy from Securosis.
Who had an enormous… to do list.
With papers to write…
And much coding in sight…
It’s time to bag out and just post this.
Okay, not my best work, but the day got away from me after spending all week out in the DC area teaching cloud security for Black Hat. Thanks to a plane change, I didn't have WiFi on the way home and lost an unexpected day of work.
Next week will likely be our last Firestarter, Summary, and Incite for the year. We will still have some posts after that, then kick back into high gear come January. 2014 was our most insane year yet, with some of the best work of our careers (okay, mine, but I think Mike and Adrian are also pretty pleased). 2015 is already looking to give '14 a run for the money.
And when you run your own small business, “run for the money” is a most excellent problem to have.
Unless it involves cops. That gets awkward.
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
Another quiet week. We promise to return to our media whoring soon.
Favorite Securosis Posts
- Mike Rothman: Summary: 88 Seconds. Rich + tears. I’d need to see that to believe it. But I get it. Very emotional to share such huge parts of your own childhood with your children.
- Rich: 3 Envelopes.
Other Securosis Posts
- Security and Privacy on the Encrypted Network: Use Cases.
- Incite 12/10/2014: Troll off the old block.
- Monitoring the Hybrid Cloud: Migration Planning.
Favorite Outside Posts
- Mike Rothman: Sagan’s Baloney Detection Kit. As an analyst, I make a living deciphering other folks’ baloney. Carl Sagan wrote a lot about balancing skepticism with openness, and this post on brainpickings.org is a great summary. Though I will say sometimes I choose to believe in stuff that can’t be proven. So your baloney may be my belief system, and we shouldn’t judge either way.
- Rich: Analyzing Ponemon Cost of Data Breach. Jay Jacobs is a true data analyst. The kind of person who deeply understands numbers and models. He basically rips the Ponemon cost of a breach number to shreds. Ponemon can do good work, but that number has always been clearly flawed, and Jay clearly illustrates why. Using numbers.
Research Reports and Presentations
- Securing Enterprise Applications.
- Secure Agile Development.
- Trends in Data Centric Security White Paper.
- Leveraging Threat Intelligence in Incident Response/Management.
- Pragmatic WAF Management: Giving Web Apps a Fighting Chance.
- The Security Pro’s Guide to Cloud File Storage and Collaboration.
- The 2015 Endpoint and Mobile Security Buyer’s Guide.
- Analysis of the 2014 Open Source Development and Application Security Survey.
- Defending Against Network-based Distributed Denial of Service Attacks.
- Reducing Attack Surface with Application Control.
Top News and Posts
Due to all the lost time this week I’m a bit low on stories, but here are some of the bigger ones.
- Iran hacked the Sands Hotel earlier this year, causing over $40 million in damage.
- Tripwire acquired by Belden. Didn’t see that one coming. $710M.
- Adobe Patches Flash Player Vulnerability Under Attack.
- Treasury Dept: Tor a Big Source of Bank Fraud. No surprise, and that’s one Tor vector that should be blocked.
Blog Comment of the Week
This week’s best comment goes to Ke, in response to My $500 Cloud Security Screwup.
This is happening to me… Somehow the credential file was committed to git, which is strange because it is in the .gitignore file. I saw the email from AWS and deleted the key within 30 minutes, and I found my account restricted at that time. One day later, however, I found a $1k bill on my account. It is also odd that I did not receive the alert email even though I enabled an alert. I am a student and I cannot afford this money 🙁
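The failure mode in Ke's comment, a credential file landing in a commit despite a .gitignore entry, is common enough to deserve a check that runs on what git is actually about to record rather than on the working tree. What follows is an added example, not part of the original post or the comment: a small Python pre-commit scanner that reads the staged diff and flags AWS-style key material in added lines. The diff in SAMPLE_DIFF is constructed for the example, and the key values in it are the placeholder keys from AWS documentation, not real credentials. One caveat worth knowing: .gitignore only stops untracked files from being added. A file that was already tracked before the ignore rule was written, or that was added with `git add -f`, keeps being committed until you `git rm --cached` it, which is the most likely explanation for "it was in .gitignore but got committed anyway."

```python
import re
import subprocess
import sys

# AWS long-term access key IDs are "AKIA" followed by 16 uppercase alphanumerics.
# The secret key pattern only fires on an explicit aws_secret_access_key
# assignment, to keep false positives on arbitrary 40-character strings down.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "aws_secret_access_key": re.compile(
        r"(?i)aws_secret_access_key\s*[=:]\s*[\"']?([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
    ),
}


def find_aws_credentials(text):
    """Return (line_no, kind, token) for every credential-looking token in text."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(line):
                hits.append((lineno, kind, match.group(1)))
    return hits


def scan_staged_diff(diff_text):
    """Scan only the added lines of a unified diff (what the commit would introduce).

    Returns (path, kind, token) tuples. Because this reads the staged diff rather
    than the working tree, .gitignore is irrelevant: a tracked file still shows up.
    """
    hits = []
    path = None
    for line in diff_text.splitlines():
        if line.startswith("+++ "):
            path = line[4:]
            if path.startswith("b/"):  # strip git's default "b/" prefix
                path = path[2:]
        elif line.startswith("+") and not line.startswith("+++"):
            for _, kind, token in find_aws_credentials(line[1:]):
                hits.append((path, kind, token))
    return hits


def staged_diff():
    """Fetch the staged diff from git; this is exactly what a commit is about to record."""
    return subprocess.run(
        ["git", "diff", "--cached", "--no-color", "-U0"],
        capture_output=True, text=True, check=True,
    ).stdout


# Constructed sample diff: a commit that adds a credentials file (values are the
# placeholder keys from AWS documentation, not real credentials) plus a harmless edit.
SAMPLE_DIFF = """diff --git a/.aws/credentials b/.aws/credentials
new file mode 100644
--- /dev/null
+++ b/.aws/credentials
@@ -0,0 +1,3 @@
+[default]
+aws_access_key_id = AKIAIOSFODNN7EXAMPLE
+aws_secret_access_key = wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
diff --git a/README.md b/README.md
--- a/README.md
+++ b/README.md
@@ -1 +1,2 @@
 # demo
+Nothing secret here.
"""


def main():
    """Hook entry point: non-zero exit aborts the commit."""
    hits = scan_staged_diff(staged_diff())
    for path, kind, token in hits:
        print(f"{path}: {kind} {token[:4]}... looks like an AWS credential; refusing to commit",
              file=sys.stderr)
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main())
```

To use it as a hook, save the script as `.git/hooks/pre-commit` and make it executable; git runs it before every commit and cancels the commit on a non-zero exit. It is a per-clone safety net, not a substitute for short-lived credentials, but it catches exactly the case in the comment: a tracked credentials file that .gitignore no longer protects.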