Holy crap, what a year!
I have been in the security business for a while now. I wouldn’t say I am necessarily jaded, but… yeah. Wow.
First, the news. This was the year of Target and Sony. Symantec finally breaking up. All sorts of wacky M&A. The year family members checked in for the first time in decades, after reading my quotes in articles with “celebrity nudes” in the headlines. Apple getting into payments. My guidance counselor totally left that out when we discussed infosec as a career option.
Not that infosec was a career option in the late 80’s, but I digress.
As I have often said, life doesn’t demarcate itself cleanly into 365-day cycles. There is no “year of X” because time is a continuum, and events have tendrils which extend long before and after any arbitrary block of time. That said, we will sure as hell remember 2014 as a year of breaches. Just like 2007/2008, for those who remember those ancient days. It was also a most excellent year for general security nonsense.
Then there was the business side. 2014 was an epic year for Securosis on every possible level. And thanks to the IRS and our fiscal year being the calendar year, we really do get to attribute it to 2014. We cranked out a bunch of papers (mostly Mike) and engaged in some insanely fun projects (mostly me). A year or so ago I wasn’t sure there was enough of a market for me to focus so much of my research on cloud and DevOps. Now I wonder if there’s enough of me to support all the work.
We were so busy we didn’t even get around to announcing a new research product: Securosis Project Accelerators. Focused workshops for end users and (for now) SaaS providers tied to specific project initiatives (like our Cloud Security for SaaS Providers package). On the upside, we sold a bunch of them anyway.
The main thing that suffered was this blog. We mostly kept up with our scheduled posts and open research, but did drop a lot of the random posts and commentary because we were all so busy. I wish I could say that’s going to change, but the truth is 2015 looks to be even busier.
Personally this has been my favorite work year yet, due to the amount of primary research I have been able to focus on (including getting back to programming), working more with end-user organizations on projects, and even getting to advise some brand-name cloud providers on technical aspects of their security.
I am not sure whether I mentioned it on the site, but my wife stopped working after RSA due to an acute onset of “too many children”. We decided it was no longer worthwhile for both of us to work full time. And changes in the healthcare system meant we were no longer so reliant on her employee benefits. That reduced a lot of home scheduling stress, but also meant I was short on excuses to stay off airplanes. I was definitely away from home a lot more than I liked, but when I am home, I get to be far more engaged than a lot of parents.
On the non-work front it was also an awesome year. We are done with babies (but not diapers), which means we are slowly clawing back some semblance of a life outside being parents. Our older two started in public school, which is like some kind of fantasy after years of paying a prison company to keep our children mostly alive and intact (daycare… shudder). We spent a month in Boulder, a week in Amsterdam, and a weekend in Legoland. I am running as fast as I was in my 20s, over longer distances, and I am almost not embarrassed on the bike. (Remember, triathlon is Latin for “sucks at three sports”.)
So on the overall good/bad scale I would mark 2014 as “awesome”. Mostly because I don’t work for a retailer or a film studio.
And, without going into details, 2015 has some serious potential for epic.
As I like to do every year before we close down for the holidays, I would really like to thank all of you for supporting us. Seriously, we are 3 guys and a half-dozen friends with a blog, some papers, and a propensity to sit in front of webcams with our clothes on. Not that many people get to make a living like this, and we can only pull it off due to the tremendous support you have all given us for over 7 years.
I may not be religious but I sure am thankful.
On to the Summary (our last this year):
Webcasts, Podcasts, Outside Writing, and Conferences
Favorite Securosis Posts
- Mike Rothman: Firestarter: Predicting the Past. I can only hope you had half as much fun watching as we had recording the year-end FS. That’s right vendors – think twice before making those predictions. Even if you’re our friends, we will still call you out!
- Rich: Ditto. Natch.
Other Securosis Posts
- Security Best Practices for Amazon Web Services: Third Party Tools.
- Security Best Practices for Amazon Web Services: Built-In Features.
- Security and Privacy on the Encrypted Network: Selection Criteria and Deployment.
- Firestarter: Predicting the Past.
- Summary: Nantucket.
Favorite Outside Posts
- Adrian Lane: Analyzing Ponemon Cost of Data Breach. Jay Jacobs does an excellent job analyzing Ponemon’s breach cost calculation model. And I even learned a new word: heteroskedasticity.
- Mike Rothman: Analyzing Ponemon Cost of Data Breach. Don’t screw with Jay Jacobs on data stuff. Just don’t do it. This is a gem: “And in this analysis I will not only show that the approach used by Ponemon is not just overly simple, but also misleading and even may be harmful to organizations using the Ponemon research in their risk analyses.” Damn. Jay wins.
- Rich: I suppose I should choose something else. How about… An Interview with CIA’s Chief Information Officer, Doug Wolfe, on Cloud Computing at the Agency. Fascinating how they strive to build a project-driven culture of innovation, and cloud was the way to pull it off.
Research Reports and Presentations
- Securing Enterprise Applications.
- Secure Agile Development.
- Trends in Data Centric Security White Paper.
- Leveraging Threat Intelligence in Incident Response/Management.
- Pragmatic WAF Management: Giving Web Apps a Fighting Chance.
- The Security Pro’s Guide to Cloud File Storage and Collaboration.
- The 2015 Endpoint and Mobile Security Buyer’s Guide.
- Analysis of the 2014 Open Source Development and Application Security Survey.
- Defending Against Network-based Distributed Denial of Service Attacks.
- Reducing Attack Surface with Application Control.
Top News and Posts
- Sony hack shows that the company kept passwords stored in a folder called “Password”
- The Evidence That North Korea Hacked Sony Is Flimsy
- In Damage Control, Sony Targets Reporters. Really, Sony?
- The Parabola of Reported WebAppSec Vulnerabilities
- ICANN HACKED: Intruders poke around global DNS innards
- Over 9,000 PCs in Australia infected by TorrentLocker ransomware
- Google considers warning internet users about data risks
And a major one for us DevOps types:
Blog Comment of the Week
This week’s best comment goes to Ilia, in response to Firestarter: Predicting the Past.
There is a grain of joke in every joke 😉 As freaky as it sounds, wifi connected light bulbs were hacked already – as a proof of concept so far, but the folks from Contextis explain how they could steal home WiFi credentials via light bulbs: http://contextis.co.uk/resources/blog/hacking-internet-connected-light-bulbs/
(Disclosure: yes, I work for the guys you’ve never heard of. And yes we’re working to fix that.)