The Ashimmy Blog

Continuing my series of podcasts on all things Risk, I have another great one in this episode.  I am joined by an all star panel of HD Moore, CSO of Rapid7 and founder of Metasploit, Ron Gula, CEO and CTO of Tenable Network Security and Jody Brazil, founder and President of Firemon. With that kind of talent, this is not just another Risk Podcast!

The four of us discuss some common mistakes people make in risk management.  How vulnerability and pen testing figure into the Risk equation. We even manage to discuss scenario based risk management as exemplified in the Firemon Risk Analyzer. 

Having smart people on the show makes my job easy and fun. This was a very easy and fun podcast. I hope you enjoy!

Wow, January is flying by! Today is the 20th of the month already. That means there is only one week left to vote for this years Social Security Bloggers Awards.  Of course winners will be announced at the Security Bloggers Meet up at the RSA Conference in San Francisco.

Here are the finalists as nominate by our judges, Kelly Jackson Higgins, Bill Brenner, Larry Walsh and Wendy Nather:

Best Corporate Security Blog:

Fortinet Security Blog http://blog.fortinet.com/

Denim Group http://blog.denimgroup.com/

Trend Micro Cloud Security Blog http://cloudsecurity.trendmicro.com/

Veracode Security Blog http://www.veracode.com/blog/

Kaspersky Lab Blog https://www.securelist.com/en/

Sophos Naked Security Blog http://nakedsecurity.sophos.com/

Best Security Podcast:

Threat Post http://threatpost.com/en_us/podcast

The Network Security Podcast http://netsecpodcast.com/

Eurotrash Security Podcast http://www.eurotrashsecurity.eu/index.php/Main_Page

Pauldotcom http://pauldotcom.com/

Exotic Liability http://www.exoticliability.com/

The Southern Fried Security Podcast http://www.southernfriedsecurity.com/

You can also write in your podcast vote.

The Most Educational Security Blog:

Cognitive Dissidents http://blog.cognitivedissidents.com/

Tao Security http://taosecurity.blogspot.com/

F-Secure blog http://www.f-secure.com/weblog/

The New School Security Blog http://newschoolsecurity.com/

AppSecInc Blog http://blog.appsecinc.com/

Evil Bytes/John Sawyer http://www.darkreading.com/blog/archives/evil-bytes/index.html

The Most Entertaining Security Blog:

Rational Survivability http://www.rationalsurvivability.com/blog/

Andrew Hay's Blog http://www.andrewhay.ca/

Uncommon Sense Security/Jack Daniel http://blog.uncommonsensesecurity.com/

New School Of Information Security/Adam Shostack http://newschoolsecurity.com/

Naked Security http://nakedsecurity.sophos.com/

Securosis Blog http://securosis.com/blog

The Blog That Best Represents The Security Industry:

Krebs On Security http://krebsonsecurity.com/

Uncommon Sense Security http://blog.uncommonsensesecurity.com/

SANS Internet Storm Center http://isc.sans.org/

Securosis blog https://securosis.com/blog

The Single Best Blog Post or Podcast Of The Year:

Martin McKeay, Curing the Credit Card Cancer http://www.mckeay.net/2011/11/28/curing-the-credit-card-cancer/

Veracode Blog http://www.veracode.com/blog/2011/08/musings-on-custers-last-stand/

Moxie Marlinspike's ThoughtCrime Labs http://blog.thoughtcrime.org/authenticity-is-broken-in-ssl-but-your-app-ha

Idoneous Security http://idoneous-security.blogspot.com/2011/12/what-your-analyst-wishes-you-knew.html

The First Two Members Of The Security Bloggers Hall Of Fame: (please pick 2)

Adam Shostack (Emergent Chaos, New School of Security)

Brian Krebs (Washington Post, Krebs on Security)

Rich Bejtlich, Tao Security

Chris Hoff, Rational Survivability

Graham Cluley, Naked Security

Bruce Schneier, Schneier On Security

You can vote if you like, right now by clicking here. There is only a week left and most of the categories are very, very close.

With last weeks announcement of the finalists for this years Social Security Bloggers Awards there has been the usual buzz about the awards, the Security Bloggers Network and the bloggers meet up.  I want to say from the outset that in total all of the blogs/podcasts nominated as finalists belong there.

Of course there are so many blogs and podcasts that inevitably some worthy ones don’t make the list. This year there has been some questioning of how we pick the finalists and questioning of why certain blog/podcasts were left out. I should say that it seems mostly centered in the podcast category.

As a result I have made a write in option available for qualified voters(more on that in a second) to write in their own selection for best podcast. So far I have a received a handful of write in votes.  That being said though, I wanted to go over how we pick the finalists and what the Social Security Bloggers Awards are all about.

First of all you should know that this year at RSA Conference we will be hosting the 6th annual Security Bloggers Meet up.  You can find out more about it at the RSA Conference blog for Bloggers Meet up, the Bloggers Meet up Facebook page and the Security Bloggers Network.

This is also the 4th year for the Social Security Bloggers Awards. Again you can read more about them on the links above. The idea behind the blogger awards was to recognize some of the leading bloggers in the security arena.  When I first came up with the idea I didn’t think people would get that excited about it.

In the first year of the awards we had judges nominate their choices for finalists (as we have every year since), then we let anyone who registered vote. Well it turned out like so many awards run by other organizations, nothing more than a popularity contest with some people trying to stuff the ballot box.  That was not the spirit that I envisioned with these awards.

The awards really grew out of the Security Bloggers Network which I started 6 or more years ago. While a blog or podcast does not have to be in the SBN to be considered or win an award, it was in that same sense of fostering a community among the security blogging space. 

So going forward I changed the voting for the awards. While our all star panel of judges still picked the finalists, voting was only open to security bloggers.  Each voter had to give their blog or podcast URL with their vote for us to verify. In this way it was an award “by the bloggers, for the bloggers”.  This of course drastically cut down the amount of votes cast, but made it a peer based award similar to the Screen Actor Guild SAG awards.  I thought that was pretty cool.

Each year I try to bring some fresh blood into the judges pool to get new views on what the best blogs and podcasts are.  I also refine and add new categories to hopefully better represent the market. But no matter what is done, there are always going to be some people who feel left out.

So for next year I am already thinking of how we can do this differently. I am open to suggestions. But I will reserve the right on behalf of myself and the bloggers meet up organizing committee to choose what we think is the best method. I want to keep the awards free from ballot box stuffing.

In the meantime I want you all to know that I and many others appreciate all of the great content that the security industry turns out in blogs and podcasts. Thanks to all of you for creating and consuming it. Being nominated or even winning an award is not the payback for why we do this, it is educating and joining in the conversation that keeps us doing it.  So please keep blogging and podcasting!

No I am not announcing the choices for the Oscars.  Something even better.  It is time to announce the nominees for the 2012 Social Security Bloggers Awards.  Voting will open today and remain open until January 30th.  Of course the winners will be announced live at the 6th annual Security Bloggers Meet up at RSA Conference!

So before we get to our nominees, a word from our sponsors:

Actually a few other things to mention first as well:

1. Our judges - The nominees for the Social Security Blogger Awards are made by our blue ribbon panel of judges.  We did not announce their names before hand this year to limit the "lobbying" that they have been subjected to in the past. But now that the nominations are public, they are open to be influenced by food, liquor, baubles or other means.  Seriously a huge thank you to our judges:

Kelly Jackson Higgins

Bill Brenner

Larry Walsh

and special guest judge:

Wendy Nather

2. Eligibility - In years past anyone associated with organizing the bloggers meet up was DQ'ed from being nominated. Frankly that was silly. The fact is that Rich, Martin, Jen and Jeanne (my organizing committee fellow members), don't have a lot to do with the awards.  So the only one not eligible for any awards is me. It isn't fair to keep good blogs and people down.  Also judges could not nominate their own work, but other judges could nominate someone who is judging.  So for instance, Wendy Nather was nominated by another judge unbeknownst to her.

3. New Category - This year we are adding a new category for Security Bloggers Hall of Fame. I will be adding this to the Security Bloggers Network Site after RSA. This category is sort of a lifetime achievement award for security bloggers.  But it doesn't mean they are on their last leg.  This first year we are going to add two bloggers to the Hall of Fame.  In future years we will add one new blogger a year.

4. Who can vote - Again, I did not want to go through the ballot box stuffing that we had a few years back. So only security bloggers and podcasters can vote. If you write on security and have a URL to prove it, you can vote. Me and my election commission members will be going through each vote by hand, so please don't even bother trying to game this. Don't ruin a fun event with bad form.

OK with that out of the way, here are the nominations for the 2012 Social Security Bloggers Awards:

Best Corporate Security Blog:

Fortinet Security Blog http://blog.fortinet.com/

Denim Group http://blog.denimgroup.com/

Trend Micro Cloud Security Blog http://cloudsecurity.trendmicro.com/

Veracode Security Blog http://www.veracode.com/blog/

Kaspersky Lab Blog https://www.securelist.com/en/

Sophos Naked Security Blog http://nakedsecurity.sophos.com/

Best Security Podcast:

Threat Post http://threatpost.com/en_us/podcast

The Network Security Podcast http://netsecpodcast.com/

Eurotrash Security Podcast http://www.eurotrashsecurity.eu/index.php/Main_Page

Pauldotcom http://pauldotcom.com/

Exotic Liability http://www.exoticliability.com/

The Southern Fried Security Podcast http://www.southernfriedsecurity.com/

The Most Educational Security Blog:

Cognitive Dissidents http://blog.cognitivedissidents.com/

Tao Security http://taosecurity.blogspot.com/

F-Secure blog http://www.f-secure.com/weblog/

The New School Security Blog http://newschoolsecurity.com/

AppSecInc Blog http://blog.appsecinc.com/

Evil Bytes/John Sawyer http://www.darkreading.com/blog/archives/evil-bytes/index.html

The Most Entertaining Security Blog:

Rational Survivability http://www.rationalsurvivability.com/blog/

Andrew Hay's Blog http://www.andrewhay.ca/

Uncommon Sense Security/Jack Daniel http://blog.uncommonsensesecurity.com/

New School Of Information Security/Adam Shostack http://newschoolsecurity.com/

Naked Security http://nakedsecurity.sophos.com/

Securosis Blog http://securosis.com/blog

The Blog That Best Represents The Security Industry:

Krebs On Security http://krebsonsecurity.com/

Uncommon Sense Security http://blog.uncommonsensesecurity.com/

SANS Internet Storm Center http://isc.sans.org/

Securosis blog https://securosis.com/blog

The Single Best Blog Post or Podcast Of The Year:

Martin McKeay, Curing the Credit Card Cancer http://www.mckeay.net/2011/11/28/curing-the-credit-card-cancer/

Veracode Blog http://www.veracode.com/blog/2011/08/musings-on-custers-last-stand/

Moxie Marlinspike's ThoughtCrime Labs http://blog.thoughtcrime.org/authenticity-is-broken-in-ssl-but-your-app-ha

Idoneous Security http://idoneous-security.blogspot.com/2011/12/what-your-analyst-wishes-you-knew.html

The First Two Members Of The Security Bloggers Hall Of Fame: (please pick 2)

Adam Shostack (Emergent Chaos, New School of Security)

Brian Krebs (Washington Post, Krebs on Security)

Rich Bejtlich, Tao Security

Chris Hoff, Rational Survivability

Graham Cluley, Naked Security

Bruce Schneier, Schneier On Security

OK, there you have it. Your 2012 Nominees for the Social Security Blogger Awards. You can vote if you like, right now by clicking here

So the security twittersphere is a buzz this morning about a post by Brian Martin on SecurityErrata raising some serious questions about the Security B-sides “organization” and Mike Dahn in particular.

Let me say from the outset that I don’t consider myself a B-sides insider and have only even attended a few B-sides events. The early ones were a bit too edgy for me. However, I have followed the growth of b-sides closely. I have been very proud of the way Mike, Jack Daniels and others have really taken these events up a notch.

Also from running the Security Bloggers Network and Bloggers Meet up and Awards at RSA these past years, I have a little experience with some of this type of stuff.

Rather than be constrained to 140 characters, I wanted to get my thoughts down here in long form. Call me old fashioned.

1. It is not easy setting up an organization as a non-profit, especially if you have never done it before. The smart thing is to hire a lawyer and accountant and let them deal with it, but that costs money too. It is especially harder if this is not your full time gig.

2. Running any organization including delegating responsibility and authority is also something that if you have not done it before is not easy.

3. Most sponsors for b-sides don’t sponsor because it is a non-profit. They sponsor to be associated and reach the attendees. Non-profit or not, they write off the sponsorship as marketing expense. I don’t think they take a tax write off as a charitable donation. In fact I have checked this with at least one sponsor of a b-sides event and the non-profit status was not an issue to them at all.

4. I know Jack Daniels and tend to believe him that the dollar amounts mentioned in the blog post are erroneous. I am waiting to see Mike Dahn’s response today and fully expect the facts around this to come out.

5. Running the bloggers meet up and awards we take in 20k to 30k a year for the party from sponsors. We don’t say we are a non-profit and we are not. However, we spend every cent every year on the party and awards(and sometimes poor Rich Mogul winds up with a tax liability). We are not transparent with the funding, but no one has ever asked frankly, including the sponsors. I would assume it is probably similar with B-sides.

6. I understand the echo chamber of Twitter, but 140 characters doesn’t give enough room for depth. Instead it shrieks loudly. Multiply that by the amount of people tweeting and it takes on a mob feel. Lets give pause and let Mike respond and let the facts come out.

7. I hope as a result of this B-sides will come out of it bigger and better than ever with a wider, deeper management team.

7. We have a great community in InfoSec, lets celebrate it at this time of year!

Happy Hanukah, Merry Christmas, Happy New Year and any other holiday you celebrate. Love your fellow man and give them the benefit of the doubt before rushing to judgement.

In order to effectively manage risk, we need to be able to effectively measure risk.  Before we can ever hope to effectively measure risk, we should all agree on exactly what is the definition of risk.  When something as elementary as defining risk can sow confusion, caveats and so many questions, you know we need to do a better job.

I am joined on this episode of the Security.Exe Podcast by some experts in risk.  I have Alex Hutton, formerly of Verizon and now a top risk officer at a top 25 financial institution, Ben Tomhave (@falconsview) of LockPath and finally last but not least, Jody Brazil of Firemon.

Of course as most of you know I have been looking at risk an awful lot lately as part of working with Jody and the Firemon guys around their Risk Analyzer product. But getting a few really smart people to talk about a concept is a great way to learn. I learned a lot listening to the folks on this episode. I think you will too!

I am thinking of expanding this discussion into perhaps a panel for a conference talk. Let me know what you think.

Enjoy!

This is copied from the post I just put up at the RSA Conference Blog at:

https://365.rsaconference.com/blogs/security-blogger-meetup/2011/12/16/its-that-time-of-the-year

Christmas is just a week or so away, New Years is just around the corner.  You know what is next? Of course you do, it is RSA Conference Week and with that the 6th Annual Security Bloggers Meetup!   Can you believe it has been a whole year since we last gathered in San Francisco? More than that, can you believe this is the 6th annual Security Bloggers Meetup?  Of course the 4th annual Social Security Blogger Awards will be presented as well.

Our little get together has certainly grown since Martin McKeay, Rich Mogull and I talked about getting together with a few bloggers way back when. Of course it couldn't have gotten to where it is today without all of the hard work of Jennifer Leggio who does so much of the heavy lifting.  Add to the mix the tireless effort of Jeanne Friedman of RSA Conference and you have one hard working organizing committee.  We literally meet year round planning this event, lining up sponsors, entertainment, etc.

Speaking of sponsors, we are very proud to have a great mix of old and new sponsors for this years event.  Returning are RSA Conference, Qualys, Fortinet, Barracuda Networks and Core Trace.  Joining the mix this year are new sponsors Sourcefire and Akamai.  Thank you to each and everyone of them for allowing us to put this event on this year!

Well invites or more appropriately this year, registration requests are going out today. We are doing things a little differently this year. If you were on our list you will receive an event registration request. You need to follow the link and register for the event.  Let me warn you up front, you need to give your name, email address and blog URL.  Each registration will be reviewed by a live human (how quaint) and approved or disallowed. The usual no marketing/PR please rules apply.  Of course it is not that we don't love marketing/PR people, it is just that we built a tradition of a party by the bloggers, for the bloggers with the bloggers only.

If you think you should get a registration request but have not received one yet (check your spam folder, sometimes they get stuck there), please email Jennifer at mediaphyter@gmail.com. She will get one right out to you.

A couple of other things about this years event:

1. The Social Security Blogger Awards are back for their 4th year.  We will announce finalists for voting right after January 1. Our judges are already hard at work making their nominations.

2. Interesting entertainment and activities during the party

3. Hopefully same great food and drink

4. STILL THE BEST GROUP OF PEOPLE YOU WANT TO MINGLE WITH IN THE SECURITY INDUSTRY!

So don't wait, due to space we have to limit the number of people we can register to attend. If you got your invite, head on over and register now!

On behalf of Jennifer, Jeanne, Martin, Rich, myself and our sponsors, thanks and  can can't wait to see you!

This is copied from the post I just put up at the RSA Conference Blog at:

https://365.rsaconference.com/blogs/security-blogger-meetup/2011/12/16/its-that-time-of-the-year

Christmas is just a week or so away, New Years is just around the corner.  You know what is next? Of course you do, it is RSA Conference Week and with that the 6th Annual Security Bloggers Meetup!   Can you believe it has been a whole year since we last gathered in San Francisco? More than that, can you believe this is the 6th annual Security Bloggers Meetup?  Of course the 4th annual Social Security Blogger Awards will be presented as well.

Our little get together has certainly grown since Martin McKeay, Rich Mogull and I talked about getting together with a few bloggers way back when. Of course it couldn't have gotten to where it is today without all of the hard work of Jennifer Leggio who does so much of the heavy lifting.  Add to the mix the tireless effort of Jeanne Friedman of RSA Conference and you have one hard working organizing committee.  We literally meet year round planning this event, lining up sponsors, entertainment, etc.

Speaking of sponsors, we are very proud to have a great mix of old and new sponsors for this years event.  Returning are RSA Conference, Qualys, Fortinet, Barracuda Networks and Core Trace.  Joining the mix this year are new sponsors Sourcefire and Akamai.  Thank you to each and everyone of them for allowing us to put this event on this year!

Well invites or more appropriately this year, registration requests are going out today. We are doing things a little differently this year. If you were on our list you will receive an event registration request. You need to follow the link and register for the event.  Let me warn you up front, you need to give your name, email address and blog URL.  Each registration will be reviewed by a live human (how quaint) and approved or disallowed. The usual no marketing/PR please rules apply.  Of course it is not that we don't love marketing/PR people, it is just that we built a tradition of a party by the bloggers, for the bloggers with the bloggers only.

If you think you should get a registration request but have not received one yet (check your spam folder, sometimes they get stuck there), please email Jennifer at mediaphyter@gmail.com. She will get one right out to you.

A couple of other things about this years event:

1. The Social Security Blogger Awards are back for their 4th year.  We will announce finalists for voting right after January 1. Our judges are already hard at work making their nominations.

2. Interesting entertainment and activities during the party

3. Hopefully same great food and drink

4. STILL THE BEST GROUP OF PEOPLE YOU WANT TO MINGLE WITH IN THE SECURITY INDUSTRY!

So don't wait, due to space we have to limit the number of people we can register to attend. If you got your invite, head on over and register now!

On behalf of Jennifer, Jeanne, Martin, Rich, myself and our sponsors, thanks and  can can't wait to see you!

Cooperstown, Canton, Springfield, Cleveland, what do all of these places have in common? They all are homes to a Hall of Fame. Now the Security Bloggers Awards will be joining them with Security Bloggers Hall of Fame too! 

It is Christmas time, so you know RSA Conference is not far away. If RSA is almost here, you know that is almost time for the annual Security Bloggers Meet up and Social Security Bloggers Awards. 

All of the plans have been made, the judges selected and the finalists will be announced after New Years.  As in years past all security bloggers are eligible to vote. But you will have to give your name, email and blog address.

Last years categories will return this year:

Best Corporate Security Blog

Best Security podcast

Most educational security blog

Most entertaining security blog

Security Blog that best represents the industry

The single best security blog post of the year

Additionally this year we will elect the first two members of the Security Bloggers Hall of Fame!

I will announce our judges and other information between Christmas and New Years.  This year all blogs are eligible except mine and the judges. Also be on the lookout for save the dates going out soon if you are on our list. If you are not on the list, send an email to info@securitybloggersnetwork.com or leave a comment requesting an invite. You must blog on security and no marketing/PR stuff please!

Yesterday I wrote in response to Bill Brenner’s Salted Hash post about the Google-funded, Accuvant conducted browser security study which found (surprise) Chrome on top.

In my post yesterday I mentioned that one company that I thought is doing product  reviews right was NSS Labs.  Well Rick Moy of NSS Labs wrote me last night, having read my post.  The NSS Labs folks have had a look at what was publicly available.

Vik Phatak, CTO of NSS Labs has a blog post up on the subject here. More importantly Vik and team have put out a more complete analysis of problems they see with the way this study was conducted and some issues in Google’s behavior. You can read the analysis here.

It is a very interesting read and you should take a look for sure.  It certainly raises some questions about what went on with this browser study and calls into question some very questionable practices by Google. 

It just proves that product reviews are a dirty business and why any reader has to look at and weigh all factors in deciding how much faith to put in them.

Image via Wikipedia

My friend Bill Brenner has a post up on his Salted Hash blog today about a recent browser security study done by Accuvant LABS. The study shows that Google Chrome was the safest browser tested. Like Bill, I use Chrome too and agree with the Accuvant study.

The problem for Bill is that the study was sponsored by Google, the makers of Chrome. The fact that they paid for this study in Bill’s mind and in many other people’s minds calls the legitimacy of the entire study into question. Even if it is correct, it just doesn’t sit well with Bill.

Frankly I have the same problems with most product reviews, bake offs, analysis reports, etc. I have written about this before as well. In my mind it is a big reason why no one seems to pay attention to product reviews anymore.

It doesn’t make a difference if it is an “independent lab” doing the testing, a magazine’s testing department, industry awards or an analyst firm analyzing the market, the first thing I look at is who is paying for it. Sometimes finding out who is paying for it is not so easy or transparent either.

To be fair, some firms like Securosis for instance will say upfront that some research they are doing is being financed by a paying customer. Such was the case when Mike, Rich and Adrian did a dive on “fact based security security metrics”. The boys said upfront and at the bottom of the page that they thanked Red Seal for sponsoring the research.

Now does that mean that everything they wrote was for the benefit of Red Seal? I know Rich, Mike and Adrian too well to believe that. But it does give me pause when I read the report to remember that fact.

But I will say that over time I have come to soften my attitude on this issue (I must be getting old). For me it is a case of forewarned is forearmed and I take that disclosure in terms of evaluating how much weight to give the research. The same way a juror has to weigh the testimony of a witness depending on their believability.

In the case of Bill’s browser study, same thing. The chances that Google had a heavy hand in the study by Accuvant is pretty low, but it is something to consider. That is just the way it is.

But for Bill and the other doubting Thomas’s out there, what is the alternative?

One alternative is what Rick Moy and the guys at NSS Labs are doing. They have turned this equation on its head. They make their money from the end user, so the vendors being tested have little to no influence.

As Bill says just because Google paid for it doesn’t mean the study is wrong, but it does give you something else to consider. But since no one wants to do these tests or studies for free, someone has to pay and that is the truth of it.

For those of you who may be wondering, yes there will be a killer Security Bloggers Meet up at RSA this year. There will also be another Social Security Blogger Awards with some new categories as well. More on those in another blog. But the reason I write today is something Rich Mogull said on our blogger meet up organizing committee call.

Rich said “lets face it, the security blogger’s community isn’t what it used to be”. While I don’t disagree with Rich, I went back and looked at some of the numbers and some of the security blogs. While Rich is right, we don’t see as many as blog posts from the community as we used to, I think we all agree that Twitter probably plays a significant role in that. In fact the Tripwire 25 most influential people in security list seems pretty skewed towards twittter users. But that being said, there are still plenty of security blog posts being posted. The SBN feed is still fresh with lots of new posts every day.

One thing I do see is many of the posts come from corporate security blogs rather than individuals. Many of the corporate blogs don’t develop the personality that a good personal blog does. More importantly what has changed is another thing Rich brought up. We don’t comment anymore. We don’t blog back anymore.

People are blogging and putting their 2 cents into the conversation, but no one is repsonding. Oh, maybe they respond on twitter, on but it doesn’t make it into the blog. Blogging has always been and will always be a two way street. A blog should be a multi-party conversation with the blogger putting forth his ideas and others responding. They can agree, disagree, or concur, but they put their thoughts into the conversation.

One of the great things about reading a hot blog post was following the thread of comments, that was where the real action took place. Whether it was a Rothman post on Security Incite/Securosis or Tom Pcatek on Matasano, a good threat with 50 comments kept you reading for more.

Now maybe Twitter is where blog comments have gone and some of the discussion. Can we have a plug in that captures the real time of twitter comments and discussions back to the original blog post? Doesn’t sound too hard.

How about writing a blog post in response to another blog post? That is part of carrying on the conversation as well. Need something good to blog about? Go look at what your community is writing and join in.

Adam Shostack over on Emergent Chaos has a post up about Threat Modeling as a result of a conversation he had with Wendy Nather, who has her own good blog post about “what your analyst wishes you knew” (and she is not talking about your psychoanalyst either).

I am going over to both of those blogs and adding my voice to the conversation. I already tweeted Wendy’s post, but I realize that is not enough. If we are going to keep the Security blogging community strong and vibrant we have to add our voice on blogs.

What about you? Are you ready to rejoin the conversation?  If so, head over to your favorite security blog and join in.  Or better yet, write a blog in response to someone else’s blog.  It starts with you and you and you.

Most of us in the information security industry long ago recognized that we could not eliminate every risk and threat to our data and networks. Instead we have tried to manage that risk to acceptable levels, with acceptable being in the eye of the beholder. An entire information security risk management industry has sprung up over this time. But, have we missed the boat on risk? Has the risk management space been hijacked by the vulnerability management crowd?

We have settled on a formula for risk being:

Risk (R)= Threat (T) x Vulnerability (V)

But is that the correct formula to use? Are there other factors that need to be considered?

I am joined on this podcast by Jody Brazil, President of Firemon and Gary Fish, CEO of Firemon to discuss these questions in light of Firemon's new Risk Analyzer product.

Risk Analyzer offers a new way to look at risk using risk based scenarios. Introducing concepts such as reachability, exposure and asset value into the equation, it gives us a better measure of risk. Risk Analyzer also gives us another way of prioritizing different risks to make us more efficient.

As many of you know, I have been working with Firemon for a few months and have watched Risk Analyzer develop. The folks at Firemon have taken a great engine that was developed at the MIT Lincoln Labs and developed some great front end features to make this a complete product. I am very excited by what it offers and I think you will be too.

Have a listen as I discuss this with Jody and Gary.

Also be advised that there was a clicking in the recording (which we obviously didn't know about when we recorded this). I have done my best using my not very considerable sound engineering skills to remove it. It is still there, but it is the best I can do and I thought the quality of the conversation was much more important than the quality of the sound.

Enjoy!

I am really happy to report that the Trustworthy Computing Group at Microsoft has decided to partner with and sponsor the Security Bloggers Network.  On behalf of the 300+ blogs in the SBN we are happy to have Microsoft as a sponsor and strongly encourage all of you to check out their new Security Intelligence Report. You can click the graphic below to head over to Microsoft and check out the report.

Also RSA Conference will be here before you know it and we are already planning on the next Security Bloggers Meet up and the Social Security Blogger Awards.  We will be announcing and sending out save the dates soon!

Reprinted from my Network World Blog

Security costs too much for many organizations, is open source security the answer?

Having been in the infosec world for more than 10 years, I have learned the hard way that there are some real issues around effective security for everyone.  One of them is that security is hard and seems to be getting harder. As a result security is also very expensive.  So expensive that only the largest of organizations who put a high value on securing their assets can afford it.  In fact some studies show that large organizations spend on average of about 3.5 million dollars a year on security.  Frankly, even that is not enough given the current state of cybersecurity.  But even assuming that number is adequate, who has 3.5 million to spend today?

The fact is that most organizations live "below the security poverty line".  One of my friends in the infosec world and someone who many follow is Wendy Nather, director of research for enterprise security at the 451 Group.  Wendy has real world experience as a CISO at both private and public organizations. She is extremely bright and dialed into the infosec scene.  She co-authored a report titled "Security Below the Poverty Line".  Wendy's research shows that most organizations don't have anywhere near the resources required to do security right. 

I actually wrote a follow on to Wendy's report on Secure Cloud Review (another place I blog) titled, "Brother Can You Spare A Dime: Life Below The Security Poverty Line". In it I detailed that like the real poor today, security poor organizations may make due on a "high carb" diet of security that lacks "protein". By that I mean they have minimal security that gets them "fat" but doesn't really do the job. Anyone who is working in security recognizes this as a real problem we all face.

I wanted to speak to Wendy about what role open source security can play to raise organizations above the security poverty line.  The open source security community has always been an innovative and dynamic one. In just about every security area there is a viable open source project.  So could open source be the secret weapon in the war on security poverty? 

Wendy and I discuss just this and what her research shows.  You can listen to our 15 minute discussion below.  But let me give you some insight even if you don't listen to the podcast.  The costs of security are not only the hardware and software of the security products.  The human costs of security are equally expensive.  Even deploying open source security projects will take experienced, qualified security know how. That costs money, more money than many organizations can afford.  So open source in and of itself is not going to be a panacea here. 

There are other potential ways to address this problem. Outsourcing security is one way that can spread the cost of security over time. Buying security a slice at a time instead of the whole pie at once.  But again even security as a service so to speak can be more than some companies will budget for security. 

This is an age old problem that those of us in the security space no well.  Every survey done always indicates that security is in the top two or three priorities for every CIO.  However, when it comes time to pony up the money often times their arms are too short to reach their pockets.

Wendy Nather is a great person to learn from, please take the time to listen in and hear more pearls of wisdom from her in our discussion. Also, here is to a speedy and full recovery to Wendy, who was nice enough to record this with me just a few days before having some medical procedures performed. Good thoughts and prayers to you my friend! The security world will not be the same until you are back up to full speed!

Finally many thanks to The 451 Group for making a copy of Wendy's report available for free from the link in this post, it was previously only available to paying customers of the 451 Group.

Trainer Communications and Susan Thomas who is always there to help out with the Security Bloggers Network and Bloggers Meet up is looking for an Account Director for their security practice.

Here is the description from Trainer:

Does the concept of “Crazy Good Client Satisfaction” seem natural to you?  If so, we should talk! Ready to take a strong group of PR executives and accelerate its growth?  This may be the job for you!  Growing wicked fast, Trainer Communications, is a national award-winning high tech PR and marketing agency seeking a seeking a rock star Director of our Security Practice. The perfect person for this position knows the ins and outs of vulnerability management to zero-day threats and CAs to access management and malvertizing plus can manage up to five account teams: ensuring all metrics, deliverables and deadlines are met; and instinctively keeps pushing themselves to deliver the next greatest thing in PR and marketing.

The person we are looking for will have the chops to be considered a technology insider in the security market, can counsel clients “on the fly,” can speak to the big picture while minding the details, and be fanatical about client satisfaction.  This person enjoys building and managing a team, and can evaluate the many new client opportunities that come into Trainer on a monthly basis.  We won’t keep you chained to a desk; our directors forge new partnerships with marketing and international PR companies, attend training to facilitate career growth, and routinely share their knowledge with team members and support the agency in bringing on new clients.

Not satisfied with status quo? That’s great – we significantly invest in training and development to ensure our team continues to grow. In fact, 50 percent of our Trainer team has been promoted in the last 18 months!

All About You!

• Agency history of managing a group of at least four accounts at once with strong client satisfaction
• Can immediately get an audience with at least three prominent analysts or thought leaders
• Has a reputation for being easy to work with – and has built loyal teams that will verify how they enjoyed working with this leader
• Has committed to memory two or three personal facts about their top five “go-to” reporters and can score media results for clients very quickly
• Understands the process for creating websites, sales enablement collateral, and direct email campaigns
• Has current connections to deliver phenomenal lead gen results
• Understands lead gen options, and can guide "newbie" clients through the process
• Likes to compete and has a awards, trophies, and credentials to show for it
• Is equally effective sharing opinions in an email, one-on-one, or presenting to a group

Trainer Communications is located in the heart of Silicon Valley East (Pleasanton-based headquarters) conveniently located near BART.  Trainer offers a no-politics culture, competitive compensation and an excellent benefits package.

If this sounds like something that is perfect for you, contact Trainer

Trainer Communications
5000 Hopyard Road
Suite 125
Pleasanton, California 94588
925.271.8200

hr@trainercomm.com

No this is not about a new VP of marketing at some security vendor. I was reading an article today about a presentation at RSA Europe by Lee Parrish, VP and CISO of construction firm Parsons Corporation. At a time when most of the departments and budgets in his company where shrinking, Parsons nearly doubled his security budget and was hiring more people. 

I know you think they must have had a really poor security department, suffered a breach and so finally security got the attention it deserved.  You would be wrong.  How did Parrish accomplish this feat?  Easily, he “marketed security” internally to the board and stakeholders at his company.

This is a topic I have written about over the years before.  Too many times we hear security folks lament the fact that they just can’t get management to take the threats seriously. They just don’t care enough to approve the budget and resources needed to do security right.

Usually these same people will turn their nose up at marketing types. The marketing and sales people are as reptilian as Queen Anna was in the V series to these folks.  Whether it be security vendors or not, often times security admins will want to take a long hot shower after spending time with marketing and sales types.  What a mistake!

The point Parrish makes is that you need to market security. In the case of security admins you have to market to your own buyers. The decision makers and purse holders at your own company.

Parrish gives a great example of seeing that apps were being downloaded that were not approved and presented a security issue.  But these rogue apps also were driving help desk call numbers through the roof.  So instead of talking about the security threat of these rogue apps he talked about buying technology that would thwart the downloading of rogue apps which would drive help desk calls down by X% saving Y$ per year.  That is the kind of message the business managers understood and they gladly approved the budget.

If you are going to sell (and as I have said before we are all sales people in one way or another) you have to understand your customer. What is it that keeps him up at night, what are his buttons.  So start thinking of your stakeholders internally as your customers and you have to sell them. Before the sale, you have to market to them.  Think like a marketing person and you just might get the security budget you need to make your job fun again.

Image via Wikipedia

First of all let me wish my condolences and sympathies to the family, friends and colleagues of Steve Jobs.  To say he was a visionary with a profound effect on the technology world for years to come, somehow comes up short to truly describe the genius of the man.

While I was never a big Apple fan, you have to admire what he accomplished in two different stints at the company. You also have to admire his vision in buying Pixar from George Lucas and turning into yet another multi-billion dollar property.

While there are no shortage of tributes and homages to Jobs being written tonight. I wanted to go on a slightly different path. That path is to challenge the next Steve Jobs out there to go out and grab greatness.

That is right, there might be more than one next Steve Jobs out there, there are even a few not Steve Jobs out there. But take the lessons of Job’s life and his advice, go out and make it happen.

This country, this world, humanity needs more Steve Jobs. We need them to imagine, create and give us ideas and products which will make the world better. To advance the human experience in ways that make us all better.

With all of the heartfelt sympathy pouring out about Steve Jobs now, I hope it does inspire others to be the next Steve Jobs.

There is also another lesson in this all to early death of Steve Jobs. That is at the end of the day, death is the great equalizer. It makes no difference how much money you have, how much of a genius you are or even how much good you did for your fellow man.  We are all here at the grace of God. When he decides it is time to go, we have no say, we obey. That is at the end of the day the ultimate human condition that not even Steve Jobs could avoid.

I just wanted to give a shout out to a new mobile security company I became aware of called Fixmo. Fixmo has several solutions around mobile security including some powered by technology acquired via a technology transfer agreement with the NSA.

As part of their relationship with the US Government, Fixmo offers mobile security solutions for free to government agencies.  Part of this is the Fixmo SafeZone. Fixmo SafeZone empowers the secure use of personal devices on a government networks by establishing a “secure container” on these devices. The organization controls the data and applications within the SafeZone, while employees control all their personal data and applications outside of this zone. This product was developed as a result of Fixmo’s CRADA with the NSA.

I am digging in trying to find out more about Fixmo, but for those who say innovation is not happening in security and that mobile needs to be more secure. Here is a new company that may be worth looking into!

Having gone to my share of security conferences over the years, I have seen more than my share of the “uniqueness” of the security industry.  I passed through the stage of the large multi-color Mohawks, the piercings that set off the metal detectors at TSA stations in a 75 mile radius and yes even the attraction to wearing a good, old kilt to let things “air out” a bit.

Over the years I have always liked to watch at BlackHat/Defcon all of the lock picking stuff.  I wasn’t quite sure if it made sense for HackKid Con, but hey who am I to judge if people want their kids to learn to pick locks.

However, I just don’t see why we are seeing such large crowds around the lock picking table at the recent security shows I have attended.  I mean really. Is that what we as an industry should be putting our time and focus into?  At the same time we run around as Chicken Little about how hard and insurmountable our jobs are, we devote hours picking deadbolts and other locks?

Figuring that I am just an old crab (not a security curmudgeon mind you, that is reserved for old guys with long beards) I thought I would ask some folks what is with the locks? The variety of answers confirmed my thoughts.  Security people play with locks for the same reasons dogs lick themselves, that is because they can.

Here is a sample of some of the answers I heard:

1. Lock picking is sort of like security. It is about keeping people out from what you are trying to protect, so it is adjacent.

2. It keeps my kids interested in security and that is a good thing.  My kids need to know how these things work.

3. It is a great family fun activity

4. Security people love a good puzzle and picking locks is sort of like a good puzzle. It keeps us sharp

5. We fail so miserably at protecting our networks and data, it feels good to get a “win” when we pick a lock.

6. It is just a fetish and really has nothing to do with security at all (I respect the honesty)

So, as you can see the answers were a bit all over the map. This leads me to believe we are grasping at straws to justify our behavior.  So lets just say picking locks does not help us manage risk on our networks. But it feels good.

OK, now that we have that out of the way, why stop at locks?  Andrew Storm would like a Makers Fair at his security shows.  Misha Govshteyn would like a “foodie” table. Security shows are what we make of them.

I just returned home from the UNITED Security Summit in San Francisco. Besides speaking myself at the show I had a chance to sit in on some great presentations by some familiar and some not so familiar (to me anyway) folks.  While overall the tracks were great, one theme that was pretty constant was the pessimism in general about the security industry.  The feeling was we are losing the battle, nothing is changing and without “radical change” we are doomed to repeat the same mistakes and failures.

This doom and gloom is contagious and becomes a self-fulfilling prophesy. I think while the challenges are certainly great, we should not forget where we came from.  I am reminded of a bit by the comedian Louis CK.

It is like the guy who complains about the WiFi not working on a plane.  Think about it. You are sitting on a huge hunk of metal, flying through the air at over 500 miles an hour at almost 40,000 feet altitude. The plane is directing an antenna at a satellite in space sending and receiving data at speeds that were unimaginable just 20 or 25 years ago even if you wired to a computer. Every once in a while it doesn’t work and you complain.  Hey guys we live in amazing times!

The same is true of IT in general. The speed of evolution (not revolution mind you) is staggering. Yes, the security industry has not been able to overtake the pace and is struggling to keep up, but we are running as fast as we can. 

Let us not forget that just 15 or 20 years ago there really wasn’t an information security industry to speak of. We have built and developed an awful lot in that time frame. I am not saying we need to rest on our laurels, but that half-empty glass is half-full too.

Another thing I hear at these shows is that the security industry is maturing and we crave better metrics to make better decisions and better strategies.  I agree with that, but for such a “mature” industry we are terribly self-centered. While security is the most important thing to us, in spite of the self-deluding analysis we receive, it truly is not the most important thing to business. The most important thing to business is profits, followed closely by revenue.  Dotted lines and potential liabilities are all fine and dandy. But at best organizations put a small (3% to 4%) of their budget into security.  If something only is taking 3 to 4 percent of your budget, it probably only gets 3 to 4 percent of your time and attention.

This is the sad truth that a “mature” industry like ours has to realize. Until the problems and threats are felt by the business owners to warrant more than 3 to 4 percent investment, we are not going to see a radical change.

So lets be more positive about what we can do. Lets take our small wins and build on them instead of ridiculing them. We have come a long way and yes we have a long way to go. The rest of IT and the world will not wait for us, they will continue evolving at the breakneck pace they have been. 

But setting attainable goals, taking our wins when we can and trying to keep people positive about the mission is I think a better strategy then preaching doom and gloom that the sky is falling, even if maybe some days it seems like it is.

Image via Wikipedia

I had yet another eye opening experience today dealing with AT&T. It showed me once again why at the end of the day AT&T could care less about their customers and just want to grab as much money as they can.

Over the last year I have fired them from being my internet provider at home, my local and long distance phone company and even bundling my satellite TV through them. The only thing I am stuck with them with is our family cell service because we have iPhones from way back.

My son though doesn’t have an iPhone. I bought him an Android HTC phone a few months ago. Today his phone was stolen out of his backpack at school. We will dive more into that later on, but for now let me tell you about AT&T.

I called the 611 number and pressed the option to report a lost or stolen phone. Of course I couldn’t get a live person with that option. The only I could do was deal with the automated service to shut off the phone number.  I did that but it wasn’t good enough for me. I called back and didn’t fall into the automated trap. I got a live person on the phone and asked what we could do.

The rep told me that I could have signed up for a 10 dollar a month phone location service, but since I didn’t there was nothing they could do. I would have to pay data and phone charges on the account for the rest of the term of the contract.

I then asked what if someone brought my son’s phone into an AT&T store. Would they check and see the serial number was stolen? Like trying to register a stolen car. The rep said what a great idea, but no they wouldn’t do that. If someone wants to open an AT&T account they don’t care what phone they use. Can you imagine? They condone people using stolen phones.

Think about it. If they would have a stolen phone registry that was checked when phones were turned on, that would take the bottom out of the stolen phone business. But AT&T doesn’t care, so they won’t.

As it turns out the Android Market has a great free app called Plan B.  It installs over the air and locates your phone for you.  How cool was that.  Do you think the AT&T rep might tell someone reporting a phone lost or stolen about it? Nah, no money it for them.

As it turns out my son’s phone wasn’t stolen. It was hidden in the bottom of his book bag.  But that is not the point. AT&T should be better than this.

I wanted to drop a quick note to all of my friends and acquaintances in the Bay Area.  Especially those in the tech/security media and analyst space.  A cool new security summit is being put on by Rapid7, Firemon and some other companies called the UNITED Security Summit on Sept 19th and 20th.

The show is unique in that it is anchored around the “anatomy of a breach”.  They have a great line up of speakers including HD Moore, Chris Hoff and others. Even I am speaking on the Risk Management Big Top.  If you are in the bay area, I think this is a great event to come on down to learn.

If you are in the media or analyst space, Rapid7 has media/analyst passes available. They are also really going the extra mile to help make it a great summit.  If you are in the area, you should most definitely attend!

As I have written before I do some writing and consulting for several companies. One of them is Alert Logic, who offer a great line up of cloud-based, Security-as-a-Service solutions. 

Today Alert Logic announced their new CAPP program which allows most any security vendor to leverage the AL cloud based platform, turning their security solution into a cloud based managed security service. 

I wrote about over on SecureCloudReview.com, but wanted to mention it on here as well. Here is the article from over on SCR:

Today Alert Logic announced a significant new program that they are calling CAPP (Cloud Acceleration Partner Program). CAPP allows just about any security solution to plug into the Alert Logic Security-as-a-Service, cloud based architecture and become a cloud-based managed service.

This should be a huge development in the security marketplace.  Using the rich APIs developed for the CAPP program, security vendors seeking to integrate into the Alert Logic Security-as-a-Service offering can allow the cloud based platform to “ingest, correlate and analyze security data from individual security tools”.

The first CAPP partner announced for the program is Rapid7, the company behind the Nexpose VM solution and the Metasploit pen testing suite (Rapid7 is also hosting an exciting new conference called UNITED next week). Utilizing the CAPP API’s Alert Logic and Rapid7 now offer ASV PCI scanning as a service.  Other partners should be announced soon.

The CAPP program means that security solution providers don’t have to invest in developing a cloud-based delivery and management solution. They can concentrate on making their own solutions better, yet still enjoy a managed, cloud based option.

From the Alert Logic point of view it allows them to build on their strengths. They have invested millions of dollars and years of time developing their cloud-based Security-as-a-Service platform.  Now in addition to the solutions they already offered via this platform, a new wide range of solutions will be available as well.

It should be very interesting to see what new solutions come via the cloud as a result of CAPP.  It is certainly a program and technology whose time has come.

I was going to rerun the 9/11 post I wrote 5 years ago to commemorate the 10th anniversary of that terrible terrorist attack that took my wife’s beautiful older sister from her family. But I am not going to post that, you can read it here if you like.

Instead I want to write about a change of my world view with the passing of 10 years since that attack on our country and our way of life. Watching all of the 10 year anniversary stuff these past few days had a cumulative effect on me.  With each passing story of someone’s tragedy on 9/11, I grew more dark, more angry, more resentful.

On top of this I look around our world and realize that after 10 years of more families losing loved ones as they fight far from our own shores, what do we have to show for it? Yes we killed OBL.  We have even killed a decent amount of the leaders of the terrorists. But what have we really accomplished?

The system that spawned these monsters still exists. We have seen an “Arab Spring” overthrowing dictators in several Arab states. But what are they replaced with? We delude ourselves if we think pro-Western regimes are springing up in the MidEast.  Even Iraq where we have spent trillions of dollars and thousands of lives, is not a stable democracy.  As soon as we leave there, Iran will exert even more influence.  Egypt, that takes billions of dollars in aid from us every year is ruled by mobs that rape female journalists. Saudi Arabia, “our friend” in the Arab world buys off their people with the oil money they suck from our veins, but the kings of Arabia have a short horizon and are themselves radically out of line with our world view.

Afghanistan will be as twisted as it ever was on the day we finally leave there.  The fact is we have few if any friends in that part of the world. Lets stop spending our money trying to change an unchangeable fact. Lets not spill any more of our blood trying to make them “safe for democracy”.  We are going to be fighting a war against these anti-American, anti-Western foes for a long time. 

The Hamas, Hezbollah and the rest are not going to be made over, they are what they are.  We need to treat them as such. They are our enemies and we need to destroy our enemies. 

Let them build the next memorials to their dead and grieve for loved ones. I don’t want any more sacred memorials to our innocent dead here.

Is that harsh? Is that just? Frankly I don’t care, it is what we need to do.