Recently in infosec Category

Ten Feet Tall and Covered in Mud

Those who know me know that I'm not overly concerned with being liked, per se, so long as I'm not often wrong and not generally thought an idiot. However, by the same token, it's sometimes nice to be wanted, and maybe even appreciated, from time to time. Now more so than in the past, heading into RSA 2016 in a few short weeks, I'm starting to realize that the temporary career boost from my time at Gartner has faded and my dance card for the event is remarkably empty.

This phenomenon of transitioning from "leading analyst firm" to "mere mortal" has been interesting. While I'm now enjoying my new environs, it certainly did not start out that way with the first post-analyst experience. If nothing else, it has certainly confirmed my concerns over the state of the industry, instilled throughout my time as an analyst.

Specifically, it seems that no matter how far we'd like to think we've come as an industry, we're still generally losing ground and - more importantly - losing the battle and the war. A friend and I were just discussing earlier today the abysmal state of things and just how bleeding common it has become to encounter teams and organizations where everyone is running around with their hair on fire, trying to "do something to help," but as often as not simply making things worse.

How did we come to such a point in the industry wherein we're able to stand on the shoulders of giants and still be mired in mud? Paradoxical, to say the least, but also greatly distressing. Are we so far behind in our maturity and technological advancement? Alas, I think it may be true that for every step we take forward as the security industry, we're continually leapfrogged by our adversaries, who neither think linearly, nor have to worry about dealing with an asymmetric environment wherein we must succeed all the time and they must only be lucky once. It hardly seems fair.

Fortunately, I think there's an out, if we're only savvy and brave enough to entreat it. Alas, pricing on various automation tools still seems to be relatively high, and continually targeted at the F250 companies. However, less expensive options, such as Ansible, Puppet, Chef, and even Jenkins (to name a few), increasingly provide a reasonable starting point for security automation and orchestration, not to mention the FOSS tool FIDO from Netflix, as well as the potential for greater market accessibility for Invotas Security Orchestrator, which has been acquired by FireEye.

We'll have to see how things pan out, but I'm cautiously optimistic that we may eventually get our collective heads above water... but only by shifting away from human-dependent paradigms to ones underpinned by creative, proactive automation that scales.

I contributed a piece to the Norse Security Dark Matters blog a few weeks back.

It's Time to Kill the General Purpose Browser

Another week, another critical Adobe Flash vulnerability (CVE-2015-3113), complete with active exploit in the wild. Adobe encourages everyone to patch right away, but is there more you should do?

In fact, here in 2015, with a constant stream of broken apps, broken browsers, broken plugins, and breach after breach after breach, I'm left to wonder: Why are we still using general purpose browsers at all anymore? Are they, and their associated plugins, doing more harm than good?

Continue reading here...

From January 2015...

As you've undoubtedly heard by now, President Obama renewed calls for increased cybersecurity legislation, all apparently because Sony Pictures Entertainment (SPE) got hacked? If you've not heard, check out the mainstream press coverage here...

Continue reading here...

From January 2015...

Now that we can soundly close the book on 2014, it's perhaps a good time to take a quick think back as we consider our best path forward. 2014 was indeed the year of infosec insanity, based on the sheer number of large breaches, number of breaches, number of "major, earth-shattering" vulnerability disclosures, etcetera etcetera etcetera (if you didn't read that last bit in the voice of the King of Siam, then check it out here).

Continue reading here...

From December 2014...

I was awoken around 5am post-Thanksgiving Saturday by multiple text messages from Facebook instructing me to click a link and enter a code to reset my password. It seems someone decided to try and take over my account. This led me to conclude that now would be a good time to quit putting off enabling 2-factor authentication (2FA) for my account. What should have been a very simple process was complicated (slightly) by a degree of true derpitude: in order to enable 2FA for my account, Facebook first insisted that I change my browser configuration so that it wasn't set to clear cookies after each session (or use a different browser).

Continue reading here...

GBN: NAC NAC (Who's There?)

Posted on my Gartner blog...

"We're currently working on an update to the GTP document "Architectural Alternatives for Enforcing Network Access Control Requirements" (Doc# G00227091). As part of this process, we've spoken with vendors, vendor references, and clients about what they're doing with NAC, what sort of technical and social challenges they may be encountering..."

Continue reading here...

GBN: All the World's a Cloud

Posted on my Gartner blog...

"No, not really. But it could be. Consider, if you will, the five essential characteristics of cloud computing (via SP800-145, as well as the CSA Security Guide):

  • On-demand self-service
  • Broad network access
  • Resource pooling
  • Rapid elasticity
  • Measured service

"Keeping these in mind, let's look at three quick scenarios where shifting the mindset to a cloud services approach, even within traditional IT shops, can help reduce cost, improve efficiency, and improve security qualities."

Continue reading here...

Bruce Schneier would have us believe that security awareness training is pointless. People have inadequate incentive to change, and thus why waste the time, money, or energy? And, to a degree, he is certainly correct. The old-fashioned once-per-year computer-based training modules to which many (if not all) of us have been subjected are, in fact, completely worthless. After all, these training modules are a mere blip on the radar of one's life, with no foundation in reality, and making no meaningful impact on how we conduct our jobs.

However, that is not the state of practice in the industry. Or, more specifically, it's not the leading edge state of practice. Moreover, his comments ignore much that we know about approaches, learning styles, incentives, etc., based on research from the past few years.

Unless you were off-planet last week, you've probably heard about President Obama's latest Executive Order, directing various agencies to step up their game on "critical infrastructure" cyber security. As part of this directive, NIST will be building a new framework oriented toward critical infrastructure that will help document processes, standards, best practices, etc, etc, etc. Gah!

The 1980s called and they want their lousy idea back. The 1990s also called, but they just repeated the prior point. The 2000s called and said "What is this, the '80s?!"

If frameworks were going to get the job done, then the job would be done. If securing data and operations was really such a simple task, then we would not be having this conversation, nor would we be reading reports, like Mandiant's big "APT1" blow-out from yesterday (you know, the big shocker that revealed that China is, in fact, hacking everyone... ok, not a shocker... or even really news... since we pretty much already know all that, right?).

Maybe Your "Good Enough" Isn't

A theme I've seen surface lately is this notion that "good enough isn't good enough." My response to this is quite simple: if what you're doing isn't commercially reasonable and legally defensible, then your notion of "good enough" is itself flawed. At the end of the day, businesses should be aiming for "good enough" insomuch as that means doing as much as is reasonable and appropriate without wasting resources.

I would submit that anybody who argues against aiming for "good enough" simply doesn't understand how business operates, nor do they truly understand risk management. Infosec is not some zero-sum game where we can magically defeat all threats, eliminate all vulnerabilities, and go home "winners." Rather, it's a journey, not a destination. Every day we have to account for new threats and new vulnerabilities. However, we should not be focusing exclusively or obsessively on them. Instead, we should be focusing on the business and what it values and has of value.

This blog is licensed under a Creative Commons License.
Powered by Movable Type 5.2.10