Friday Summary: July 29, 2011
By Adrian Lane
It’s that time of year again. It’s time for me and most of the Securosis crew to travel to cooler climes and enjoy the refreshing breeze of the Nevada desert. Well, it’s cooler than Phoenix, anyway. Yes, I am talking about going to the Black Hat and Def Con security conferences in Las Vegas this August 1-7th. Every year I see something amazing – from shipping iPhones loaded with malware to hack whatever passes by to wicked database attacks. Always educational and usually a bit of fun too. It is Las Vegas after all!
We’ll be participating in a couple talks this year at Black Hat. James Arlen is presenting on Security when Nano-seconds count. I have heard the backstory and seen the preview, so I can tell you the presentation is much more interesting than the published outline. What I knew about these networks only scratched the surface of what is going on, so I think you will be surprised by Jamie’s perspective on this topic. I have spoken to many vendors over the last couple months, claiming they can secure these networks – to which I respond “Not!” You’ll understand why Thursday, August 4th, at 1:45 in the Augustus V + VI room(s). Highly recommend.
I will be on the “Securing Applications at Scale” panel with Jeremiah Grossman, Brad Arkin, Alex Hutton, and John Johnson. We have been talking about the sheer scale of the insecure application problem for a number of years, but things are getting worse, not better. Many verticals (looking at you, retail) are just beginning to understand how big the problem is and looking at what appears to be the insurmountable task of fixing their insecure code. We’ll be talking about the threats and our panelists’ recommendations for dealing with insecure code at scale. The session is Thursday, August 4th, at 10:00am in Augustus V + VI – just after the keynote. Come and check it out and bring your questions!
Oh, and if you are new to these conferences, CGI Security has a good pre-conference check list for how to keep your computers and phones from being hacked. There will be real hackers wandering around and they will hack your stuff! My phone got hit two years ago. Just about everything with electricity has been hit at one time or another – including the advertising kiosks in the halls and elevators. Take this stuff seriously. And if you must use wireless, I recommend you look at setting up Tunnelblick before you go.
Oh, I almost forgot Buzzword Bingo!
See you there!
On to the Summary:
Webcasts, Podcasts, Outside Writing, and Conferences
- James Arlen’s presentation covered in eWeek.
- Adrian quoted on tokenization.
- Rich’s Palisades DLP Webinar.
- The business-security disconnect that won’t die. Mike pontificates on understanding the business at Network World.
Favorite Securosis Posts
- Adrian Lane: The Scarlet (Security) Letter.
- Mike Rothman: How can you not understand the business? Yes, it’s lame to favorite your own piece, but I think this one is important. It’s about knowing how to get things done in your business, which means you have to understand your business.
- James Arlen: Donate Your Bone Marrow. You could save a life. Do it now.
Other Securosis Posts
- Accept Apathy – Save Users from Themselves and You from Yourself.
- Incite 7/27/11: Negotiating in front of the crowd.
- Question for Oracle Database Users.
- FireStarter: The Time for Corporate Password Managers.
- Hacking Spikes and the Real Time Media.
- Friday Summary: July 22, 2011.
- Rise of the Security Monkeys.
Favorite Outside Posts
- Adrian Lane: Big Data…Where Data Analytics and Security Collide. Chris does a nice job of explaining the issue – this is what some security vendors are scrambling to deal with behind the scenes. Especially with federated data sources.
- Mike Rothman: Risk Analysis is a Voyage. Jay Jacobs sums up a lot of what I’ve been saying for a long time. No model is perfect. Most are bad. But at some point you have to start somewhere. So do that. Just get started. Adapt and improve as you learn.
- James Arlen: Automated stock trading poses fraud risk.
Project Quant Posts
- DB Quant: Index.
- NSO Quant: Index of Posts.
- NSO Quant: Health Metrics–Device Health.
- NSO Quant: Manage Metrics–Monitor Issues/Tune IDS/IPS.
- NSO Quant: Manage Metrics–Deploy and Audit/Validate.
- NSO Quant: Manage Metrics–Process Change Request and Test/Approve.
Research Reports and Presentations
- Security Benchmarking: Going Beyond Metrics.
- Understanding and Selecting a File Activity Monitoring Solution.
- Database Activity Monitoring: Software vs. Appliance.
- React Faster and Better: New Approaches for Advanced Incident Response.
- Measuring and Optimizing Database Security Operations (DBQuant).
- Network Security in the Age of Any Computing.
- The Securosis 2010 Data Security Survey.
- Monitoring up the Stack: Adding Value to SIEM.
Top News and Posts
- Feds Bust MIT Student. In the current climate the Feds are so desperate to get any success against hackers they sometimes go too far. They want 35 years in prison for a crime that demands 5 hours of community service. What a waste of time.
- Windows Malware Tricks Victims into Transferring Bank Funds.
- Cisco’s “unmitigated gall”.
- Police arrest ‘Topiary’.
- Sniffer hijacks secure traffic from unpatched iPhones.
- Korean Mega-hack.
- Earnings call transcript: Symantec.
- Earnings call transcript: Citrix Systems.
- Earnings call transcript: Fortinet.
- Apple Laptop Batteries Can Be Bricked.
- House panel approves data breach notification bill.
- Anti-Sec is not a cause, it’s an excuse.
- Azeri Banks Corner Fake AV, Pharma Market via Krebs.
- SIEM Montage. Gotta be a Montage!
- Anonymous Declares War on .mil.
- Apple Patches iOS PDF Exploit.
- Microsoft Patches Bluetooth Hole in July’s Patch Tuesday.
- Intego Releases iPhone Malware Scanner. Jury’s still out.
Blog Comment of the Week
I think the key to Jack’s post (as you note) is “In order to improve security in your organization, you need to understand how your organization works, not how it should work.” and the key to yours is “A senior-level security position is not a technical job. It’s a job of persuasion. It’s a job of sales.”
I think the disconnect is that some people are of the opinion, I think, that every person who calls themselves an infosec professional needs to “fully understand the business”. Really? The dude taking your 2am call at the SOC needs to understand how your company cash flow cycle works or what motivates the CTO to make the decisions she makes? Pffft – that dude needs to understand basic infosec blocking & tackling and know how to implement the processes and procedures.
On the other hand, a senior-level person, to your point, needs to know how to Get Things Done. That person better understand how the budgeting cycle really works, which executives need to know about security initiatives and have bought into them, and (most importantly) have the stature/status to get meetings when needed to make their case. Otherwise they are wasting valuable oxygen…