Securosis Blog

RSA Conference Guide 2013: Network Security

Mike Rothman · February 7, 2013

After many years in the wilderness of non-innovation, there has been a lot of activity in the network security space over the past few years. Your grand-pappy’s firewall is dead and a lot of organizations are in the process of totally rebuilding their perimeter defenses. At the same time, the perimeter gradually becomes even more a mythical beast of yesteryear, forcing folks to ponder how to enforce network isolation and segmentation while the underlying cloud and virtualized technology…

Gunter Ollmann (now of IOActive) offers a very interesting analysis of why vulnerability disclosures don’t really matter any more.

But I digress. The crux of the matter as to why annual vulnerability statistics don’t matter and will continue to matter less in a practical sense as time goes by is because they only reflect ‘Disclosures’. In essence, for a vulnerability to be counted (and attribution applied) it must be publicly disclosed, and more people are finding it advantageous to not do…

Bamital botnet shut down

Adrian Lane · February 6, 2013

Microsoft and Symantec today announced they have jointly taken down the command and control infrastructure of the Bamital botnet, which managed a massive click-fraud scheme. From Yahoo news:

Incite 2/6/2013: The Void

Mike Rothman · February 6, 2013

It’s over. Sunday night, when the confetti fell on the Ravens and we finished cleaning up the residual mess from the Super Bowl party, the reality set in. No NFL for months. Yeah, people will start getting fired up about spring training, but baseball just isn’t my thing. Not as a spectator sport. I can take some comfort in the NFL being a 12-month enterprise now. In a few weeks the combine will give us a look at the next generation of football stars. Then we’ll start following free agency…

Our recently published Early Warning paper put forth the idea of leveraging external threat intelligence to better utilize internal data collection, further shortening the window between weaponized attack and ability to detect said attack. But of course, the Devil is in the details and taking this concept to reality means delving into actually putting these ideas into practice. There are a number of different types of “threat intelligence” that can (and should) be utilized in an Early Warning…

Between WikiLeaks imploding, the LulzSec crew going to jail, and APT becoming business as usual, you might think data security was just so 2011, but the war isn’t over yet.

Game on!

It’s hard to imagine, but this year we are hosting the Fifth Annual RSA Conference Disaster Recovery Breakfast, in partnership with SchwartzMSL and Kulesa Faul (and possibly one more surprise guest).

The Problem with Android Patches

Adrian Lane · February 6, 2013

At the Kaspersky summit in San Juan, Puerto Rico, Chris Soghoian discussed the problem of Android users not updating their mobile devices to current software revisions. From Threatpost:

Thanks to your friends at Accuvant labs.

Very worth reading for security pros. Peter Morgan, Ryan Smith, Braden Thomas, and Josh Thomas did an excellent job breaking it down. Here’s the security risk:

Latest to notice

Rich · February 5, 2013

In response to this SC Magazine article (thanks @pauljudge), I tweeted:

An important distinction to keep in mind when you read these articles.