You may have noticed our posting was down a bit this week.
Okay, pretty much non-existent. But take a look at the links in this Summary for what we have been reading and thinking about.
We all know and love the firewall. The cornerstone of every organization’s network security defense, firewalls enforce access control policies and determine what can and cannot enter your network. But, like almost every device you have had for a while, you take them for granted and perhaps don’t pay as much attention as you need to. Until a faulty rule change opens up a hole in your perimeter large enough to drive a tanker through. Then you get some religion about more effectively managing these…
A couple years ago, when I decided to lose weight and change my eating habits, I did it with a view to living until I was at least 90. That was the number I envisioned, and given my family history, it should be achievable. So as I celebrated my 45th birthday this week, it was strange to realize that I’m close to halfway done. WTF? How did that happen?
I was never a big fan of the Rolling Stones. Heard them on the radio all the time growing up but never bought any of their stuff. It was good but not good enough to spend my hard-earned money. Recently a friend, a hardcore Stones addict, convinced me I needed some in my music collection. A couple clicks on Amazon, and three days later I had a big box of music waiting for me when I got back from the Splunk conference. In need of a little rest after a hectic few weeks, I cracked open the package…
A few months back I did a series of posts demonstrating a proof of concept for implementing some basic software defined security (using AWS, Chef, and Ruby). This ended up being the basis for my KickaaS Security with APIs and Cloud talk at Black Hat.
I’m really looking forward to this, although my skills will keep me in the back of the room:
Threatpost has another good piece on exploit disclosure (I swear I still read other sites). This is the other side of vulnerability disclosure, where you need to decide on releasing exploit details based on factors such as detecting live exploits in the field.
Brian Krebs breaks another story:
Prosecutors in New York today said that federal agencies have taken over the Silk Road, a sprawling underground Web site that has earned infamy as the “eBay of drugs.” On Tuesday, federal agents in San Francisco arrested the Silk Road’s alleged mastermind. Prosecutors say 29-year-old Ross William Ulbricht, a.k.a. “Dread Pirate Roberts” (DPR), will be charged with a range of criminal violations, including conspiracy to commit drug trafficking, and money…
17 years. That’s a long time. The last time the US Government shut down was December 1995 through January 1996. I was working for META Group at the time, probably on an airplane heading to a meeting with some client. I wasn’t married yet. I could sleep in on a Saturday. Those were the days. Life was fundamentally different. Looking back I don’t remember the specifics of what happened during the last shutdown, as that group of politicians battled each other over funding this, that, or the other…
It seems everyone has an opinion about security awareness training, and most of them are negative. Security luminaries have largely panned awareness training as ineffective and a waste of time and money. They use weird analogies, claiming things like we cannot train folks not to eat fast food, so training never works. Are they wrong? We have all sat through endless PowerPoint slides telling us what we can do and cannot do on the Internet. They threaten you with termination unless you follow the…