Tuesday, January 22, 2013

(Belated) InfoSec Predictions for 2013

Now that we are more than halfway through January, I feel obligated to make my predictions for what will happen in 2013. Are you ready to have your mind blown?

MORE OF THE SAME!

I know, it is not a pearl of wisdom, but with 2013 already bringing us a vulnerability in IE 6, 7 & 8 plus... [wait for it] yet another scary bad Java vuln, the year is off to a helluva start.

And let us not leave out our favorite whipping boy(s)/girl(s) at Adobe - Reader and Flash remain among the best ways to pop a box, right alongside our pals at Oracle and their Java "write once, debug everywhere" platform.

So there you have it from the security equivalent of the armchair quarterback.
As they used to say on Hill Street Blues, let's be careful out there.

Peace,
Doug

Sunday, January 20, 2013

Welcome to 2013!

Wow, my blog is so very neglected. With Twitter fitting my attention span better, it isn't likely to see many new posts this year either. And I think I am OK with that.

Happy belated new year to all who stumble on this lonely blog. I pray 2013 will be a better year for you and yours. My new year's resolution is to be grateful and appreciate at least one person and/or thing every day. There's a lot of good to be happy about in this life if we open our eyes and make an effort to be aware of it.

Sincerely,
Doug

DefCon 20 (My 1st pilgrimage)

The summer of 2012 was an eventful one for me - several camping trips with my better half, the kids and of course the dog. Two new babies in the family tree - congrats to my brother and sister! Add to all of that my 1st visit to the mother of all InfoSec cons - DefCon XX.

I was very excited when the planets aligned and I received work and home management approval to attend. I've been wanting to go for as long as I can remember, so this was a bucket list-worthy item in my book.

DefCon did not disappoint. Met many new people from across the US and around the world: Brazil, Germany, Romania, and more. I even made a new friend from Canada of all places (hi Carlo!) while working on the scavenger hunt with some friends from Grand Rapids.

I went to a handful of talks each day and wandered around taking in all the other happenings - the contests, gaming areas, the DefCon private cellular network van... The standout talks for me were the ones by General Keith Alexander, Mark Weatherford from DHS, Wesley McGrew, and Cutaway - the ones related to critical infrastructure protection, vulnerability research on SCADA HMIs & how breakable many current 'smart' meters are.

I hope to return next year if possible and perhaps take in both Black Hat + DefCon.

Wednesday, April 18, 2012

Notacon 9 - Cleveland FTW!

So after visiting fabulous Cleveland last weekend I was inspired to make a blog post after almost a year. Blogging is great but unless someone is making me do it regularly it doesn't happen as much as I'd like. That, and the fact that Twitter is way easier b/c it is short and sweet. I tweet now and then as @nibbelink so if you want to know what I am thinking maybe a handful of times per month send me a request.

Back to Notacon - where to begin? Froggy and friends put on a conference like no other - literally. It is a very cool mix of InfoSec, IT, hackers, geeks and people who are fun to meet/talk to and hang out with. Met a guy who has the same Yamaha QY10 sequencer/synth that I have. That almost NEVER happens. Seriously, who had one of these but me - let alone remembers (not so) fondly doing MIDI step programming to put together a basic drum rhythm and bass line?
http://en.wikipedia.org/wiki/Yamaha_QY10

And then there are the talks at Notacon. I am biased b/c I got to present with my friend EggDropX but still - there were fascinating talks on everything from open source music making via algorithms to how to help your kids be good Internet consumers. You aren't going to get that at most other conferences that I've been to. And if you are like me either work won't pay for BlackHat/DefCon or you cannot afford it out of pocket.

And so, let me close this brief shout-out with some advice - you owe it to yourself to check out Notacon 10 in 2013, and also you need to go to GrrCON. It's what put GR on the InfoSec map. This is year 2 and it will blow your mind, and if it doesn't there is free beer. Enough said.
www.notacon.org + www.grrcon.org = doubleplusgood

Friday, July 8, 2011

A Fresh Perspective

Biking in Iowa with my main man Ian
After returning from a nearly two week vacation I realized how important it is to take a break, get away, relax and recharge. While the first day back at work was a rather painful adjustment to the reality of work and not being able to do whatever I wanted for the day, on day two I realized that I had clarity on some things that had been rather fuzzy before vacation. It was like when the coffee kicks in on a morning after a good night of sleep and suddenly things make sense - only more so.

So my summer 2011 advice is get out of the house, get out of town if you can and spend time with people you love and who love you be it friends or family. Or, if you are so inclined get away for a few days alone. Do something fun, try something new, consider pursuing a hobby completely unrelated to your job. Leave the cell phone at home (or at the very least turn off the pulling of work emails.) I found camping where there is no cell signal whatsoever helps if self control does not allow a completely off the grid getaway.

Tuesday, February 8, 2011

Know Thyself -> Subtitle: Is DIY always a good idea?

A recent presentation I did at work for management about justifying hosted SIEM (Security Information & Event Management) and some follow-up questions from leadership got me thinking about the do-it-yourself ethos. I think IT in general and InfoSec specifically are big on DIY, and this is for the most part a good thing in my opinion.

Products/solutions like Snort/Wireshark/Metasploit/etc. would not be what they are today without the roll up your sleeves, pour yourself another cup of caffeine, get down to the bits and bytes or hex command line foo.

(You knew the "but" was coming.) But when does trying to be all ninjas to all people become your Achilles heel? If you are in a small IT shop, is it realistic to think I (or perhaps you, the reader) can be a master of all [CISSP] domains? Could trying to do it all lead to missing important stuff while trying to figure out whether or not to worry about a particular IDS event that may or may not be important?

Maybe this is about trying to reassure myself that the insecurity devil that occasionally sits on my left shoulder saying "YOU ARE A NOOB AND A POSER AND YOU WILL NEVER BE A NINJA" is just a figment of my imagination. Or perhaps I am taking a look in the mirror and trying to have an honest self-assessment and admit that I am better off finding a good consulting shop to help me tune my IDS/IPS, or perhaps hiring out some security functions such as log/event analysis a la SIEM.

Everyone has different gifts/talents/abilities. Knowing yours and admitting which hats do not fit is sometimes painful but can also be a liberating experience and lead to focusing on what gets you fired up.

Sources:
- This post was inspired in part by a radio program I heard featuring Christian author/speaker Chip Ingram about doing a sober self-assessment - identify your 3 greatest strengths and 3 biggest weaknesses. There was more to the talk, but this to me was the crux.
- The thinking chimp photo is just something I thought about after watching a Nature episode on monkeys - did you know some monkeys have learned to lie and they also have squabbles between groups which lead to injury and death?

Friday, December 31, 2010

My 2011 prediction = more of the same

Since I am not able to predict the future and I don't have enough big-picture expertise in InfoSec to make intelligent and plausible predictions, I am going to take the easy way out. I know it isn't exactly exciting and you might even call it lame, but I predict 2011 will bring more of the same. (I am not a poet, and I know it.)
  1. Increasingly frequent financial data breaches a la TJX and Heartland
  2. Malware, malware, and STILL MORE malware - and likely even more crafty varieties
  3. Finally, the one that freaks me out most of all - more SCADA/Control System activity a la Stuxnet. Even without (alleged ;) government involvement, no doubt the bad guys took careful notes of the possibilities. The terrorists and government-sponsored groups are likely pulling down additional copies of Siemens, Schneider, Rockwell, Modicon et al softwarez and likely also buying a representative bunch of PLCs to increase their mad skillz in pawning pumps, valves and variable frequency drives.

Best wishes to you and yours for 2011, and for those of us wearing the InfoSec white hats - as they used to say on Hill Street Blues: "Let's be careful out there."