As I sit down to write the last Incite of the year, I can’t help but be retrospective. How will I remember 2013? It’s been a year of ups and downs. Pretty much like every year. I set out to prove some hypotheses I had at the beginning of the year, and I did that. I let some opportunities pass by and I didn’t execute on others. Pretty much like every year. I had low lows and very high highs. Pretty much like every year.
I’ve gotten pretty introspective over the 2nd half of the year. And that’s been reflected in my weekly missives. It’s been a period of learning and evaluation for me. Of coming to grips with who I really am, what I like to do, and what I want to be in the next stage of my life. Of course, there are no real answers to such existential questions, but it’s about learning to live in a way that is modest, sustainable, and kind.
As I look back, the most important thing I’ve learned this year is to flow. I spent so many years fighting against myself, pushing to be in a place I wasn’t ready for, and to meet unrealistic expectations of achievement. It’s been a process, but I’ve let go of those expectations and made a concerted effort to Live Right Now. And that’s a great thing.
The mental lever that flipped was actually a pretty simple analogy. It’s about being in the river. Sometimes the current is slow and you just float along. You are still moving, but at an easy pace. Those are the times to look around, enjoy the scenery and catch your breath. Because inevitably somewhere further down the river you’ll hit the rapids. Things accelerate and you have no choice but to keep focused on what’s right in front of you. You have to hold on, avoid the rocks and navigate safely through.
Then you look up and things calm down. You have an opportunity at that point to maybe wash up on the shore and take a rest. Or go in a different direction. But to try to slow things down in the rapids won’t work very well. And to try to speed things up in a slow current doesn’t work any better. Appreciate the pace and flow with it.
Simple, right? It’s like being in quicksand. You can’t fight against it or you’ll sink. It’s totally unnatural, but you have to just relax and trust that your natural buoyancy will keep you afloat in the denser sand. Resist and struggle and you’ll sink. Accept the situation, don’t react, and you have a chance. Yup, that seems a lot like life.
So in 2013 I’ve learned about the importance of flowing with my life. Appreciate the slow times and prepare for the rapids. Like everything else, easy to say and challenging to do consistently. But life seems to give you plenty of opportunities to practice. At least mine does.
Onward to 2014. From the Securosis clan to yours, have a happy holiday, and the Incite will return on January 8.
-Mike
Photo credit: “Flow” originally uploaded by Yogendra Joshi
Heavy Research
We’re back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.
What CISOs Need to Know about Cloud Computing
Adapting Security for Cloud Computing
How the Cloud is Different for Security
Introduction
Defending Against Application Denial of Service
Building Protections In
Abusing Application Logic
Attacking the Application Stack
Newly Published Papers
Security Awareness Training Evolution
Firewall Management Essentials
Continuous Security Monitoring
API Gateways
Threat Intelligence for Ecosystem Risk Management
Dealing with Database Denial of Service
Identity and Access Management for Cloud Services
The 2014 Endpoint Security Buyer’s Guide
The CISO’s Guide to Advanced Attackers
Incite 4 U
The two sides of predictions: It’s entertaining when Martin McKeay gets all fired up about something. In this post, he rails against the year-end prediction machine and advises folks to just say “no” to their marketing team when asked to provide these predictions. Like that’s an option. The tech pubs need fodder to post (to drive page views) and the marketing folks need press hits to keep their VP and CEO happy. Accept it. But here’s the deal: security practitioners need to make predictions on a continuous basis. They are predicting whether their controls are sufficient given the attacks they expect to see. Whether the skills of their people will hold up under fire. Whether that new application will end up giving adversaries easy access into the inner sanctum of your data center. It’s true that press-friendly predictions have little accountability, but the predictions practitioners make have real ramifications, pretty much every day. So I agree with Martin that year-end predictions are useless. But prediction is a key aspect of every business function, including security… — MR
The Most Wonderful Time of the Year: This time of year it’s really easy for me to skim security news and articles. All I need to do is skip anything with the words ‘Prediction’ or ‘Top Tips’ in the title and I can cull 95% of the holiday reading poop-hose. But, for whatever reason, I was slumming on Network World and saw Top Tips for Keeping Your Data Safe on The Cloud, an article directed at the mass market, not corporate users. Rather than mock, in my merry mood, I’ll do one better: I can summarize this advice into one simple actionable item. If you have sensitive data that you don’t want viewed when your cloud provider is hacked, encrypt it before you send it there. Simple. Effective. And now it’s time for me to make sure I’ve followed my own advice — Happy Holidays! — AL
Sync and you could be sunk: Cool research on the Tripwire blog by Craig Young showing how syncing your browser information via Chrome Sync could provide a means for attackers to access your Google account, regardless of whether you have 2-step verification enabled. That’s awesome. Personally, I don’t use Chromium sync because Rich has made me paranoid about the evil, not evil folks. I don’t store passwords or credit cards within my browser either. That’s what I use my Password Vault for. So I don’t have a lot of risk from this attack, but it brings up an important point. You may decide to use Chrome sync anyway because it makes your life easier and you are willing to increase your potential attack surface. That’s OK; it’s a decision like anything else. My concern is more for the folks who don’t have access to this kind of research and don’t appreciate the trade-offs of this kind of convenience. — MR
What’s the Point?: Back in 2007 there was a lot of talk about ‘point-to-point (P2P) encryption’ being the solution to online credit card theft. In 2010, the PCI Council released supplemental guidance for P2P on Point of Sale (PoS) devices, and pushed the industry to get their act together and agree upon a standard that wasn’t totally ambiguous and filled with loopholes. Troy Leach, CTO of the PCI Council, even said “Buyer Beware” because the solutions were not point to point, but rather point to point to point and so on. There were simply too many places where the data was unencrypted and exposed. Rather than encrypting at the point of card swipe, if data was encrypted at all, it was done on a PoS device, often nothing more than a Windows PC, with lots of potential vulnerabilities. Fast forward six years and we still lack P2P encryption in most places, and that is a direct reason why hundreds of thousands of credit card numbers continue to be stolen from Point of Sale terminals. This is one of those cases where PCI’s goals and guidance have been spot on; merchants in general have been unwilling to adopt some very basic technologies to secure the PAN and track data within their ecosystem. Nowadays, merchants can do all of the order tracking, customer tracking, relationship management and repayment without PAN data, and most card-swipe vendors offer P2P, so there is really no excuse to avoid basic security. Besides apathy and laziness, that is… — AL
2014 Buzzword Alert: “Security Analytics”: As we wrap up the 2013 Incites, I think I’ll give you a view of what you’ll see a lot of in 2014, and that’s noise around “security analytics.” As you can see from this article in Dark Reading, there isn’t a definition of security analytics and there seem to be lots of ways to do it. Is it SIEM-next? Is it about business context (whatever that means)? I think it’s a lot simpler than everyone is thinking. It’s about having a platform to identify patterns that you don’t know about. SIEM is great at looking for the stuff you tell it to look for. Not so good at finding stuff you aren’t looking for. But the very difficult attacks don’t fit a common profile, so detecting them requires a different means of analyzing the data you aggregate. Of course, there is a lot of nuance to those views and I’m looking forward to working with Adrian to flesh this stuff out next year… — MR
- Mike Rothman