Post-Blog Report: 26 Short Topics about Security

Aloha and welcome to the post-blog report.  Over the last 5 months, I’ve been writing a blog series called, 26 Short Topics about Security and wanted to share some observations.  First, I went about this since there are so many IT challenges when it comes to security and it’s virtually impossible to cover them all.  Plus, I’m always looking for interesting stats and stories pertaining to security and thought I’d gather them up in one place.  It’s sort of a 2009 ‘Security Greatest Hits’ (or Misses, if you’re a Devo fan).

If you are a blogger and sometimes have difficulty producing a consistent stream of valuable conversations, a blog series will do the trick.  You’re not alone since Perseus reports that 66.0% of surveyed blogs had not been updated in two months, "representing 2.72 million blogs that have been either permanently or temporarily abandoned.”  I had a daily urge to continue my quest and keep the flow going rather than jumping on ‘whatever the topic/crisis of the day’ was and writing about that.  Interestingly, the timing of many of the topics coincided with a recent event, so it worked out well.  Specific keywords in the titles, like Firewall, Virtualization, Twitter or any other term that’s hot (frequently searched) drew the most readers even if the title was a little ‘out there.’  And like any writer, I was a little surprised by the entries that got the most attention.  You know the routine, you think something is fantastic but nobody cares and the ones you feel are a little weak get massive reads.  Go figure.

The other thing I tried during this series is to both include a ton of links (Don MacVittie called it a link-fest) to referring stories along with links to the previous stories in the series for easy perusal.  When one got read, so did multiple others which positively influenced Pages per Visit and Average Time on Site – key metrics for any website.  Finally, I’m thinking about recording the blogs to offer an audio version (à la Audio Whitepapers) of the series.

Now to put a bow on this – All 26 Short Topics about Security:

1. 26 Short Topics about Security: Stats, Stories and Suggestions
2. BREACH is the Word, is the Word, is the Word that you Heard….
3. Remember when we drew big Clouds on whiteboards…
4. Decade old Data Centers
5. The Encryption Dance (plus the A Cappella version)
6. Yelling ‘WebApp Firewall’ in a Crowded Data Center
7. Be Our Guest
8. Hacks, Hackers, Hacking
9. Dumpster Diving vs. The Bit Bucket
10. The Threat Behind the Firewall
11. Keys to the Kingdom
12. Brought to you by the Letter L and the Number 7
13. Reduce your Risk
14. Our H1N1 Preparedness Plan (actually counted as 13.5)
15. Can my PAN ride the LAN out the WAN?
16. F5’s BIG-IP system with Oracle Access Manager
17. This time, it’s Personal
18. Don’t say a Word
19. Will you Comply or just Check the Box?
20. Social Media – Friend or Foe
21. IPv6 and the End of the World
22. You’ve Taken That Out of Context
23. Virtualization is Real
24. Windows Shopping
25. X marks the Games
26. It all comes down to YOU - The User
27. Catch some Zzzzzzzzzzzzz

Bonus blog: Bit.ly, Twitter, Security & You

ps

Catch some Zzzzzzzzzzzzz

It used to be the ‘stuck to our side’ pagers that go off at 3am telling you that a server crashed that would keep you up at night.  You’d drag yourself out of bed (or the chair at the data center that you fell asleep in), tippy-toe to the computer in hopes of gaining remote access or wonder to the car, still in your PJs, to drive to the facility.  In February 2009, InformationWeek & Dark Reading conducted a survey entitled, ‘What Keeps Infosec Pros Awake at Night.’  They asked more than 400 IT pros, among other things, what are their most serious threats, how are they prioritizing their defense of these and what are they going to do to keep their data safe in 2009 and beyond.  At the time, 52% said they were concerned about Internal threats – either employees or partners, accidental or malicious.  This makes sense since there were several articles in early 2009 which looked at Laid-off workers turning to Cybercrime.  They also feared the loss/theft of a laptop/potable storage device which might contain sensitive information that can lead to a corporate security breach.  Their biggest wish was for end users to be smarter about security and understand the risks.  Automated technology allowing IT pros to focus on emerging threats rather than day-to-day firefighting came in 2nd.  They just wanted to have the time to find ways to make their systems more secure, and compliance was driving it.

Recent data from Verizon’s addendum to its Data Breach Investigations Report actually shows that most (73%) data breaches come from External sources, not insiders.  Granted, the InformationWeek data was garnered from a survey (point in time opinion) and the Verizon info was generated by analyzing disclosed/investigated public data breaches (over time) and it doesn’t include undisclosed incidents with internal investigations.  Verizon concluded that breaches which warranted public disclosure were primarily done by external sources.  I’m sure that many internal incidents that didn't affect a large swath of the public were never disclosed, which could slightly sway the results but interesting nonetheless.  So the fear was Insider threats yet the actual data implicates outsiders.  I started wondering if this one of those Perception vs. Reality things or as Stephen Covey puts it, “We see the world, not as it is, but as we are.” 

In February 2009, when the economic crisis was in full swing, layoffs were a daily occurrence.  There were many documented cases in the early 1990’s of crime/fraud that occurred during that recession and many believed it would happen again – but this time with technology's help.  Stories started to appear indicating that this scenario might happen again and when the few that did happen were spotlighted (like the current trial of Terry Childs) - folks believed, or feared, that a new wave was coming.  The data that came out other end, seems to show that those internal threats were less than expected, except maybe in the financial industry.  The other side is that sometimes perception is more important than reality.  With the perceived immanent danger of rogue ex-employees, IT departments had a wake up call to reexamine how they handle access termination, a critical piece of data preservation.  In life and security, our view of the perceived risk is based on our past experiences/beliefs and that ultimately shapes our reality.  My reality and your reality might be very different but we always have the power in how we respond to events, even ones out of your control.  So as 2009 winds down and you get some needed rest (maybe), revel in the fact that this challenging year is almost over, you did the best (hopefully) you could and there will be a whole new set of threats, breaches, viruses, vulnerabilities, scams, malware and many other incidents that put security at risk as thieves typically work through the holidays.  Plan as best you can and take the new ones in stride as a challenge to all of us to get even better at protecting all our critical assets – including the living, breathing ones.

And there you have it – 26 Short Topics about Security.  Yea, we made it!  But wait, there’s more.  Stay tuned for the Post-blog Report where we look back at the series, pick some favorites and share what I’ve learned about putting together a chain of blogs over the course of 5 months covering a single topic.  Should be fun.

ps

• #26 out of 26 Short Topics about Security
• Previous stories: 25, 24, 23, 22, 21, 20, 19, 18, 17, 16, 15, 14, 13.5, 13, 12, 11, 10, 9, 8, 7, 6, 5, 4, 3, 2, 1

Technorati Tags: Pete Silva,F5,security,application security,network security,virus,