Through the looking glass....

Security Bistro - Vendor-as-Publisher done right

Elizabeth Safran — Fri, 20 Jan 2012 16:31:00 -0500

My friend and former client, Aimee Rhodes, is vice president of Marketing at Corero Networks, an IPS vendor some might remember as Top Layer Networks. She's a brilliant Marketeer, and Corero is lucky to have her. Corero’s new blog, Security Bistro, is just one case in point.

Security Bistro is not designed to be a corporate blog where everything maps back to the primary business of the vendor. Neither is it a showcase for the vendor's resident security guru, which, even if the guru has free rein to blog about whatever they want, all blog content implicitly links back to the vendor because everyone knows that's where the guru works.

Its aspirations are more along the lines of ThreatPost, a dedicated news outlet funded by Kaspersky Labs, but Threatpost has three full time journalists on staff and is more of a traditional news outlet. Security Bistro aims to be an online salon, of sorts; it’s geared to foster conversations (which makes us PR folks salivate:-), and features analysis from three well known and respected personalities from the IT security press/blogosphere.

The only way it will work is if we support it, and the kick-off posts are varied and interesting. I won't deny that one of its launch posts, written by Network World mainstay Linda Musthaler, about the findings a recent firewall management survey conducted by my client Tufin Technologies, added extra warm fuzzies. But Tufin gets a ton of blog coverage. I’m not posting this as a public thank you, I'm writing this because I want Security Bistro to be all it’s setting out to be. As a dedicated, neutral and self-guided infosec forum, it offers the (infosec) PR community an opportunity to add a lot of value. We can pitch ideas that might not fly in anywhere else, not to mention drive the conversation via comments.

A few years back I tried an experiment with Tom Foremski of Silicon Valley Watcher. We wanted to launch a sister site called Silicon Valley Minute, featuring 60 second videos of vendor CEO's. The premise was that they had a minute to explain what their company did. Our strategy was that we would rely on PR firms to pitch their client CEO's, giving us a powerful channel and ensuring we would have a viable queue of companies to feature.

Despite our best-laid plans, Silicon Valley Minute didn't make it, and what remains online is not even close to what I had envisioned (another story for another time). But Security Bistro has the same opportunity to leverage the best of what the PR community has to offer. Any smart PR person will immediately get what an asset the site can be for their clients and for them.

So go check out the site – I particularly liked Richard Steinnon’s post of LinkedIn scammers. I’ll be interested to see how the site fares over time – if it successful, it is sure to be copied, which means that product vendors can in fact be publishers, which gives the whole notion of citizen journalism a big boost.

Nice job Aimee!

Security Bistro blogger and Corero's Director of Research, Neil Roiter, also deserves a shout out. On Neil's watch, the site is sure to stick to its editorial knitting.

You can also follow SecurityBistro on Twitter - @securitybistro

Online privacy - civil liberty or oxymoron?

Elizabeth Safran — Tue, 06 Sep 2011 14:37:27 -0400

Yah, I know, I am spamming my Facebook and Twitter pages with content I just published,but so it goes, until I remember to title my blog posts before publishing them.

Live and learn, right?

Perhaps the only good thing about making an embarrassing mistake in public is that it facilitates what experts at Wombat Security call a 'teachable moment'....and what is a teachable moment, you ask?

Ah...fodder for another post, coming in triplicate to my blog, Facebook and Twitter pages shorty...

Until then...below is a slightly revised version of my original, untitled post,

The latest on DigiNotar hack...however you chose to interpret the information, or whatever you make of how it was done, given that the Google webmail of as many as 300,000 Iranians *may* have been intercepted, it's fair to say that nothing online is really private these days: http://bit.ly/negcxJ,

Note:I am making an assumption that the 300,000 accounts belong to "average" Gmail users, or in this case, average Iranian Gmail users, who, if they are anything like their U.S. counterparts, may not take great pains to secure their email communications.

When I talk to my friends about how easy it is for their email to be compromised, I often hear that they don't care, or that they doubt anyone really cares enough about them to snoop.

Famous last words.

Net/net: If you want to keep your private business private, don't talk about it over email...

DefCon Kids - what does that tell ya?

Elizabeth Safran — Wed, 03 Aug 2011 14:10:09 -0400

I'm not sure whether I think Defcon Kids is really cool or really scary - hacking fundamentals for kids as young as eight, assuming they are accompanied by a parent.

Let's say they learn some mad skillz - with the way case law is evolving around what consititues illegal behavior in cyberspace, those parents better be willing to sign on to the implications of any future bad behavior! Check out the Rolling Stone article here.

So, all my friends that were kiddie hackers chatting each other up on ICQ from their Commodores are younger than I am. Now they are sending their kids to DefCon?

Wow....Talk about through the looking glass...

It's been along time since I've rock and rolled....

Elizabeth Safran — Mon, 01 Aug 2011 16:27:04 -0400

It's been a long time since I rock-and-rolled
It's been a long time since I did the Stroll
let me get it back, let me get it back, let me get it back
baby, where I come from
It's been a long time, been a long time
Been a long lonely, lonely, lonely, lonely, lonely time

Well, it really has been a long time - since November 2010, to be exact - since I have published a post, if you want to call my last post a post. My tendency to over think what i want to say has resulted in analysis paralysis - and it's taken longer than anticipated to "get it back," whatever the hell the "it" is.

it hasn't been lonely though - that much is for damn sure! As for the reason I have been out of the blogging mix for so long, let me introduce you to my seven-month-old (on Friday) son, Raphael Eduardo Safran Nau. We call him Rafe, or Raffi.

Yah, he really is that cute, and I'm not saying that just because I'm his mom, or he's my first. He is a ton of fun, but I have yet to win the lottery and so....back in to the mix I go.

I will say this much - having a kid has definitely shifted my notions of security. it has also emphasized the fact that the most sophisticated, robust technology in the world is only as good as the people using it. So much of innovation in informaton securty is tied to automation, and all too often vendors are loathe to promote the impact of that out of concern that they may eventually automate their customers out of a job that we soften the message to those that need to hear it the loudest.

There might be some validity to doing that, but my guess is that companies will never be willing to invest in the level of automation they need to get ahead of the curve - they will always be playing catch up. And we are a long way from automating knowledge workers out of existence. Behind every security management dashboard there is a person (or persons) drawing conclusions, making decsions, or at least trying to do something with the data in front of them. If any one vendor can offer such radical automation as to threaten their job, well then, they should be talking to that person's boss, and not that person, right? I know, easy for me to say, I'm armchair quarterbacking it, but the bottom line is that infosec (like most of IT) is still about people (first and foremost), process and technology. You can choose to address each component seperately but they do not operate in a vacuum.

The best technology will only be as effective as the "worst" user - and conversely, a savvy security guy (or gal) can make the best of medicore technology. At the end of the day, corporate security people are tasked with securing information assets from other people (bad guys or other prying eyes), for other people (bosses, customers, etc), and rely on other people (vendors, consultants, other staff) to make sure it gets done right. Sometimes I think as an industry we focus too much on technology and not enough on people or process, or how technology supports people and their processes. And by the way, vendors are people too....

But I digress. With as much as has been going on this recently - Wikileaks, Anonymous, Lulzsec, all the ensuing havoc, it has been a surprisingly quiet summer for my clients, who have been doing some interesting things. Of course I am way behind on getting the word out on my blog about what some of those cool things are, but stay tuned

One of the good things about having your own blog is that when no one else is covering your clients you can. Rather than just shill for them, I would like to point to some of the (public) conversations they are having, which hopefully will be of some sort of interest to whatever readers I have left:-). So please check back soon for a deeper dive, but until then check out http://www.tufin.com/blog, http://www.identropy.com, and http://www.wombatsecurity.com.

Cheers,

Liz

So much for a dramatic (re) entrance...

Elizabeth Safran — Fri, 29 Jul 2011 18:05:57 -0400

Well, today I wrote this nifty little post explaining my extended online silence (what. me quiet??)

Until I finish editing it, you'll have to make due with a pointer to this article in InfoWorld on common sense tips to avoid a breach . What is so great about them is that they are focused on things people can do, as opposed to buying technology. If I have a theme or focus for the rest of 2011, it's people. When it comes to information security, or any securty, really, people are and will always be the weakest link - that is, until we are subjugated to a life in the Matrix by the very technology we created to serve us (who me, paranoid?).

Until then....Happy reading....

Elizabeth Safran — Mon, 29 Nov 2010 09:50:47 -0500

This is priceless - from the Liquidmatrix Security Digest...
FUD, from the belly of the beast...

http://www.liquidmatrix.org/blog/2010/11/13/fud-marketing-fail/comment-page-1/#comment-73954

Wall Street - risk management fairy tale or pipe dream?

Elizabeth Safran — Wed, 21 Apr 2010 15:02:25 -0400

A Reuters story making the rounds on Monday assessed the various outcomes of the fraud charges filed this past Friday against Goldman Sachs.

The article states "On Friday, the U.S. Securities and Exchange Commission charged Goldman with hiding from investors the involvement of a prominent hedge fund manager in helping it structure a subprime mortgage debt product that he was betting against."

According to the complaint, investors lost more than $1billion, and "Goldman vowed to vigorously defend itself against the charges and denied that it had structured a portfolio that was designed to lose money, claiming that the firm itself invested in the equity portion of the deal.

So...this makes me wonder why we have yet to see the expected (stringent) regulatory response to last years economic crisis (which according to the cover of this week's Newsweek, is over), and what else needs to happen before the Captains of Industry that created this mess are held accountable. There is a lot of talk about transparency and accountability in the IT security industry, but the problem is that the people that warrant the most watching are the ones who dictate what gets watched, yet it seems that the rules don;t apply to them. Why is that?

And why aren't people more pissed off?

Personally, I'm a bit leery of the success of our economic recovery - I just don't believe it. And while it may not be too wise for me to bite the hand that indirectly feeds me (financial services companies buy LOTS of security products), I find it somewhat frightening that no one is putting the screws to financial services CEOs. Restricting the stock portions of their pay and bonuses so that they vest their millions over a few years instead of immediately just doesn't seem...restrictive enough.

I remember a few years back at RSA I attended a session on GRC (Governance, Risk and Compliance) where the presenter - a smart, articulate guy who worked at one of the Final Four consulting firms - outlined the role IT plays in creating and enforcing controls. When I asked a question about ethics, I was told in very a polite but condescending way that ethics was not a factor in automating governance.

I was shocked to hear him say that but that's a whole other post. Putting the fact that I completely disagree with him aside for a moment....let's suppose he was right (maybe I missed his context), given the ongoing scandal parade that has plagued the financial services industry from the meltdown to Madoff a on, what else needs to happen before it becomes one?

Governance, by definition (according to dictionary.com) means "(1) government; exercise of authority; control. (2) a method or system of government or management."

Risk is defined as" exposure to the chance of injury or loss; a hazard or dangerous chance"

Compliance is the act of conforming, acquiescing, or yielding.

So, in the case of the economic crisis, one could argue that the high level execs presented the greatest risk. While their job, by nature, requires them to govern - -- it is unclear what form of governance, if any, they were subjected to.

Even worse, they seem to not have suffered consequences of any real significance. No wonder why nothing's changing!

Let's use John Thain as an example, as he makes a great poster boy for corporate excess (the following comes from his Wikipedia entry):

Thain suggested to directors that he receive a bonus in 2008 of as much as $10 million, because he "saved Merrill" by selling it off to Bank of America. After the compensation committee at Merrill resisted the request, Thain reportedly dropped his request on December 8, 2008.^[10]^[11]
On January 22, 2009, it was revealed that, in early 2008, Thain spent $1.22 million in corporate funds to renovate two conference rooms, a reception area, and his office, including $131,000 for area rugs, a $68,000 antique credenza, guest chairs costing $87,000, a $35,000 commode, and a $1,400 wastebasket. Thain subsequently apologized for his lapse in judgment, and reimbursed the company in full for the costs of the renovation.^[12]^[13]^[14]^[15]
Thain accelerated approximately $4 billion in bonus payments to employees at Merrill just prior to the close of the deal with Bank of America. Bank of America was aware of the decision, as the payout was reportedly one of the conditions under the merger agreement. Speculation mounted that TARP funds were used for the bonus payments, but the TARP recipients are yet to disclose how TARP funds were segregated, or what they were used for.

SO..let's make sure I got this straight:

His stewardship of Merrill leads to its end.
He "agrees to resign" from B of A for awarding bonuses in light of item# 1 and some admitted lapses in judgment prior to it.
NY Attorney General Andrew Cuomo subpoenas him in a probe into the bonuses he paid and received just days before the Bank of America takeover. You woudl think this guy would be dead in the water after all this but as punishment for behaving badly....
CIT Group hires him in Feb 2010?!?????

This makes absolutely no sense to me - you would think that he woudl be ostracized, blacklisted by his peers and by those who lost their jobs, their money, and lord knows what else..

So - they get all the perks and bear none of the consequences - I ask again...why should they change?

You might not be able to regulate how ridiculously rich and entitled CEO's think, but you can regulate how they act. Take the Sarbanes-Oxley Act of 2002 (aka SOX) which forced CEO's to be personally accountable for the integrity of their financial statements.

And frankly, the buck may have stopped with them but it didn't necessarily start with them - meaning other executives can step up. Blogger Steven Minksy wrote a good post in eBizq.com on how a more holistic approach, which he says is ERM for Enterprise Risk Management - would have identified the conflict of interest with the vendor partner because it would have added reputational risk as a vector for analysis.

Well...maybe. Given the level of greed that (still) seems to predomiate the top ranks of Wall Street, I find that to be a stretch, but he raises a good point. I think it's time for some fresh blood to step in to navigate a course correction and make sure some real checks and balances are in place.

SOX was in response to the business practices that brought down Enron, and the potential consequences of non-compliance, which included jail time (for non-compliant CEOs). Note to that RSA GRC presenter...um...what was that about G-R-C for COMPLIANCE having no ethical bearing? Okay, there was a lot of law breaking going on at Enron, so you could frame it as a legal issue, but come on...they are often deeply intertwined, right?

While SOX had its shortcomings, it sent a message, and things began to change. It's not a matter of the government knowing best, but in this case it makes a lot of sense to step in, as a shareholder, and as the law Let's hope they don't roll over.

It's also worth noting that SOX was major shot in the arm of the IT security industry and we've been hooked on compliance ever since. Clearly, an argument can be made that laws with ethical teeth are good for the IT security industry.

So how about a few more aimed at Wall Street?

Perhaps the latest RSA post...ever?

Elizabeth Safran — Mon, 22 Mar 2010 08:47:03 -0400

Given I have (for all intensive purposes) nothing to say and hardly any pictures (most of them were not-so-good), the delay is hard to explain.

Oh well....

Lousy economy or not, RSA is always a fun parade and the security community appeared to be out in full force. It was good to be a part of it (thank you Aimee Rhodes!!!), and even better to spend some time with people I don't get to see that often.

Along those lines, a few quick shout-outs:

Robin Lutchansky - I haven't laughed so much so early in the morning in years - thanks again for giving me my start in PR. Stay in touch and stay away from Feta cheese:-)

Alan Shimel - not sure if you recall our chat at the bloggers meet-up, but...it is most definitely on:-)!

Ziad Sarrieddine - it really has been that long, hasn't it...

Here are a few photos:

Randall Gamby - former Burton Analyst, current security architect at Mass Mutual, guest columnist for Information Security Magazine/Tech Target, and one of the few with enough patience to be my friend:-)

Tufin CEO Ruvi Kitov (Smiling as he should, Tufin is on the up and up...)

smoke break during the one rainy day of the week

Shaul Efraim of Tufin catching up with Mike Rothman of Securosis...it's hard not not crack a smile around Mike...

Alan Shimel and Rick Moy of NSS Labs

A very tanned Mark Kadrich of The Security Consortium...

Jennifer Jabbusch and Martin McKeay at the bloggers meetup...

Me and my old friend Ziad Sarieddine (of Cisco)...apparently all long and winding roads lead to RSA...

coolest show swag (imho) - mini-reading flashlight/laser from Black Box Security

Latest and greatest from the Ministry of Truth....

Elizabeth Safran — Wed, 17 Mar 2010 21:10:39 -0400

Big Brother is alive and well -- http://www.newsweek.com/id/233916 .

I know geo-location tracking technology is not new (hell, I watch CSI.) What I don't know is how sophisticated it is and who besides cops and spooks have knowledge, skills and access to it. Being the Blackberry addict I am, the idea that I could be both tracked and hacked at the same time pushes my paranoia button, big time...

What Microsoft will tell the cops about your online life if asked...

Elizabeth Safran — Thu, 25 Feb 2010 18:58:48 -0500

Computerworld blogger Preston Galla reports on Microsoft's (apparently) soon to be abandoned effort to prevent its 'Global Criminal Compliance Handbook' from landing in the public domain. It gives the skinny on what data Microsoft is required to give to police about people using its online services - Hotmail, search, IM, etc - and the process required for them to get it. Read his full post, with links to additional stories and a link where you can download the handbook here.

The net/net - they get access to just about everything - email, chat strings, logs of when people logged on, for how long, and more. Basically, they get full access into the good, bad, ugly and boring.

Talk about the power of an audit trail...

So...how many of us have used web mail to have conversations we don't want sitting on corporate servers? Ever send an email that you would never want anyone outside the recipient to see? One of the most powerful things about email is the level of abstraction it provides. Who hasn't used email to say something to someone they couldn't or wouldn't say to them in person.... I know I have.

I am guessing that it is possible for a corporate mail server to log a users Gmail or Hotmail activity if enabled to do so (Yes?? No?? If someone knows can they please comment on it?)

Even if that's not possible, those emails are still being stored on corporate servers - Microsoft's. If they aren't being mined to figure out how to make you spend more time and money with Microsoft, we now know how cops - and fraudsters - can access your personal accounts and all the secrets that lie within them. If there were a special heaven for voyeurs, this handbook would be in the reception area.

I don't know about you, but I’m permanently deleting everything in my webmail folders. I am guessing if the need arose it could be restored, but I'm sure not going to make it easy for anyone to snoop through my (not so) personal communications. Am I being smart? Paranoid? Both?