The Week That Was - 4/22/2013

Hey everybody, thanks for coming back this week.  I've got a couple of interesting articles to cover this week.  Highlights include the ACLU v. Google, CISPA, IAM, vendor management, and batteries. While I'm not entirely convinced that access to software security updates is a civil liberty, I still have to give props to the ACLU for declaring shenanigans on the way Android OS updates are issued, or not, by U.S. mobile providers.  [3]  On the surface it seems as though the mobile providers are withholding updates in the hopes that people will just upgrade hardware and renew their contracts to get the security updates.  The official line from the handset providers is that it is not cost effective to issue updates for all the various hardware platform and OS combinations.   All I'm saying is that Microsoft found a way to do it cost effectively on hardware and bandwidth comparable to what we find in the mobile environment today.  It can be done.  We just need to incent the handset and mobile providers appropriately.

The CISPA ballyhoo continues its run.  [4], [28]  We need information sharing between the government and the private sector.  We won't get effective sharing until the private sector feels it is free from legal liability around the data it shares and it feels safe that the disclosed data won't adversely affect its stock price.  We need to balance that with the rights to privacy we have here in the U.S.  This is not an easy balance to strike.  While I don't think CISPA is the answer, I think it's moving us in the right direction.  On the downside, the current crop of congressmen/women do not inspire confidence in their ability to strike compromise.  Standby to standby.

Identity and Access Management (IAM) is critical.  I'd argue it is one of the cornerstones to a sound information security program.  Do you really want to outsource such a critical function to Facebook?  [8] seems like it might be a slightly better option, but I'd still be reluctant to hand the keys over to an outside party without rock solid performance and SLAs.  I'm not saying it's impossible, but I am saying you need to think this decision through very carefully in the context of your organization's internal and regulatory requirements.

Vendor Management is becoming an increasingly important consideration for information security and risk management.  [15]  Just because you fling data and services out to the cloud doesn't mean you can just forget about them.  You've delegated responsibility for data stewardship but you still own the data.  If the cloud provider has a bad day, you have a bad day.  Similarly, as a good friend of mine, Kent King, put it:

If you put a crummy process in the cloud, it's still a crummy service.

It's been said before, but bears repeating.  The cloud is just another tool that is good for some situations but not others.  Just because you have a hammer doesn't mean everything is a nail.

Jump start your car with your smartphone. [23]

Link Dump

[1]  R. Rettner, “4 Ways the Gene Patent Ruling Affects You: Scientific American,” Scientific American, 16-Apr-2013. [Online]. Available: [Accessed: 16-Apr-2013].

[2]  G. Dvorsky, “A fascinating new way to visualize your brain’s connections,” io9, 16-Apr-2013. [Online]. Available: [Accessed: 16-Apr-2013].

[3]  K. Zetter, “ACLU Asks Government to Investigate Phone Carriers Over Android Security Threat,” Threat Level, 17-Apr-2013. [Online]. Available: [Accessed: 18-Apr-2013].

[4]  J. Dohnert, “CISPA sails through Congress.” [Online]. Available: [Accessed: 19-Apr-2013].

[5]  S. Ackerman, “Data for the Boston Marathon Investigation Will Be Crowdsourced,” Danger Room, 16-Apr-2013. [Online]. Available: [Accessed: 16-Apr-2013].

[6]  E. Chickowski, “Developing Data Classification For Stronger Database Security,” Dark Reading, 17-Apr-2013. [Online]. Available: [Accessed: 17-Apr-2013].

[7]  A. Gelman, “Excel-bashing,” Statistical Modeling, Causal Inference, and Social Science, 17-Apr-2013. [Online]. Available: [Accessed: 18-Apr-2013].

[8]  E. Chickowski, “Facebook vs. Salesforce: An Identity Smackdown?,” Dark Reading, 18-Apr-2013. [Online]. Available: [Accessed: 18-Apr-2013].

[9]  N. Owano, “Google Glass: Specs on specs, API docs mark busy week,” 16-Apr-2013. [Online]. Available: [Accessed: 16-Apr-2013].

[10]  “House FISMA-Reform And Cyber R&D Bills Mark Encouraging Step Forward,” Dark Reading. [Online]. Available: [Accessed: 18-Apr-2013].

[11]  A. Lane, “How Do You Use DAM For Blocking? You Don’t,” Dark Reading, 17-Apr-2013. [Online]. Available: [Accessed: 18-Apr-2013].

[12]  L. Widmer, “Is Risk Management Obsolete?,” Risk Management, 12-Apr-2013. [Online]. Available: [Accessed: 18-Apr-2013].

[13]  M. Springer, “Learn How Richard Feynman Cracked the Safes with Atomic Secrets at Los Alamos,” Open Culture, 17-Apr-2013. [Online]. Available: [Accessed: 17-Apr-2013].

[14]  K. Higgins Jackson, “‘Magic’ Malware Uses Custom Protocol And A ‘Magic Code’ Handshake,” Dark Reading, 17-Apr-2013. [Online]. Available: [Accessed: 18-Apr-2013].

[15]  E. Chickowski, “Marrying IT Risk Management With Enterprise Procurement,” Dark Reading, 16-Apr-2013. [Online]. Available: [Accessed: 17-Apr-2013].

[16]  T. Wilson, “Mobile Malware Up 163 Percent In 2012, Study Says,” Dark Reading, 15-Apr-2013. [Online]. Available: [Accessed: 17-Apr-2013].

[17]  D. Smith, “More reasons not to use Excel for modeling,” Revolutions, 17-Apr-2013. [Online]. Available: [Accessed: 18-Apr-2013].

[18]  “NQ Mobile 2012 Security Report.” NQ Mobile, Inc., Apr-2013.

[19]  C. Brook, “NQ Mobile: Android Malware Doubled in 2012,” ThreatPost, 16-Apr-2013. [Online]. Available: [Accessed: 16-Apr-2013].

[20]  J. Clark, “Oracle slaps critical patch on insecure Java,” The Register, 17-Apr-2013. [Online]. Available: [Accessed: 17-Apr-2013].

[21]  “RStudio - Home.” [Online]. Available: [Accessed: 18-Apr-2013].

[22]  K. Higgins Jackson, “Small Businesses Now Bigger Targets In Cyberattacks,” Dark Reading, 16-Apr-2013. [Online]. Available: [Accessed: 16-Apr-2013].

[23]  L. Ahlberg, “Small in size, big on power: New microbatteries the most powerful yet,” 16-Apr-2013. [Online]. Available: [Accessed: 16-Apr-2013].

[24]  S. Ackerman, “Smoke Color Is Key Clue to Analyzing Boston Marathon Bombs,” Danger Room, 17-Apr-2013. [Online]. Available: [Accessed: 17-Apr-2013].

[25]  C. Shumard, “Three simple steps to determine risk tolerance,” CSO, 16-Apr-2013. [Online]. Available: [Accessed: 16-Apr-2013].

[26]  R. Lemos, “Time To Dump Antivirus As Endpoint Protection?,” Dark Reading, 18-Apr-2013. [Online]. Available: [Accessed: 18-Apr-2013].

[27]  A. Kriebel, “VizWiz: Stephen Few’s Financial Statement Bullet Graph – Every CFO should have one of these! - Data Visualization Done Right,” VizWiz, 18-Apr-2013. [Online]. Available: [Accessed: 19-Apr-2013].

[28]  J. Dohnert, “White House expects to quash revised CISPA bill,” 17-Apr-2013. [Online]. Available: [Accessed: 17-Apr-2013].