2013 Year In Review

Quartz had an excellent article summarizing the year in technology as being lackluster.  It is pretty comprehensive for the industry in general.
Short of any significant technology or process breakthroughs, I suspect 2014 will be the same as 2013 which was the same as 2012.

  • PCI/PHI will be leaked, likely in larger and larger quantities.
  • There will continue to be a fear of ICS attacks, no one will fix anything.
  • Hacktivists will continue hacking and getting arrested.  Overzealous prosecutors will continue to think the law is the solution.  I don’t see Chelsea Manning, Edward Snowden, Jeremy Hammond, or John Kiriakou having any legal luck in 2014.
  • I am optimistic that two-factor authentication and default SSL in the personal space will increase in popularity.

As far as a review of my year:

  • I bought a Fitbit.  It is interesting.  I think it has caused me to increase my physical activity.  I wish it could track more than just walking though.
  • DerbyCon was my favorite conference for the second year in a row.  DEF CON was great, but DerbyCon is the best.
  • For personal development, I am trying to learn Python.  I can modify existing code, but I really want to be able to write new code.
  • Professionally, my Splunk deployment is a massive failure.  I’m not blaming the product.  I didn’t get the appropriate level of support to successfully implement the product.  Hopefully the deployment can be recovered in 2014.  I’ve also got a Nessus deployment on my plate for 2014.

SANS Effectiveness – Locus Of Control

Everyone has security controls/tools that work and controls/tools that don’t work.  I’d originally thought a bigger budget would solve a lot of problems.  The community likes to say that budgets don’t solve everything, but even open source needs hardware (cost) and time (cost) to implement and manage.

My problem seems to be more of a locus of control issue than a budget issue.  Even if the budget doubled, I question if the security posture would increase.  A security team can easily implement AV, firewalls, malware detection, etc.  The administration and usage is almost entirely the responsibility of the security team.  The locus of control is internal to the team.

On the other hand, a penetration test has an external locus of control.  There is the budget issue, but even a budget won’t solve anything if the problematic systems have admins that won’t resolve an issue.

A web-application firewall is another example.  A network firewall is pretty simple: port 80 is either open or closed to a web server.  A WAF requires cooperation between the security team and the server admin for an effective setup.  Once again, the locus of control is external.

Even if the budget keeps increasing, effectiveness won’t increase until external groups buy in.  Fixing that requires more than open source tools, a budget, or security people…

Gift Ideas

These are both pretty cool gift ideas.

A seller named GiantEye offers Lock Pick Earrings on Etsy for $40.  They seem like a good gift idea.  I’m unfamiliar with GiantEye, but the site is advertising the picks can be used.  I don’t know if I’d ever try using them though given their decorative purpose.

Rift Recon is offering a set of small picks called a Bogota.  I was unfamiliar with the term.  It refers to smaller lock picks that can be discreetly hidden.  These smaller picks are also $40.  I was introduced to Rift Recon at DEF CON.  They were demonstrating their Red Team Kit at the Security Sociability party.

I’m considering abandoning Security Onion.  I can’t justify the full packet capture.  I don’t have the hardware resources.  I’m thinking about using a standard Linux install with just Bro and Splunk.  I can’t get into ELSA, and Bro is my favorite part of Security Onion.