From: Securosis Highlights – Incite 10/17/2012 – Passion

Posted on 2012/10/17

a quick re-post from Securosis Highlights

Incite 10/17/2012 – Passion by (author unknown)

One of the things about celebrating a birthday each year is the inevitable reflection. You can’t help but as the questions of yourself: “Another year has gone by, am I where I’m supposed to be? Am I doing what I like to do? Am I moving in the right direction?” But what is that direction? How do you know?

This flower doesn't to much for me, but maybe it's your passion...Reading Adam’s post on the Emergent Chaos blog about following your passion got me thinking about my own journey. The successes, the failures, the opportunities lost, and the long (mostly) strange trip it’s been. If you would have told me 25 years ago as I was struggling through my freshman writing class that I’d make a living writing and that I’d like it, I’m actually not sure what the reaction would be. I could see laughter, but I could also see nausea. And depending on when I got the feedback from that witch professor on whatever crap paper I submitted, I may have smacked you upside the head.

But here I am. Writing every day. And loving it. So you never can tell where the path will lead you. As Adam says, try to resist the paint by numbers approach and chase what you like to do. I’ve seen it over and over again throughout my life and thankfully was smart enough to pay attention. My Dad left Pharmacy when I was in 6th grade to go back to law school. He’s been doing the lawyer thing for 30+ years now and he still is engaged and learning new stuff every day. And even better, I can make countless lawyer jokes at his expense.

My father in law has a similar story. He was in retail for 20+ years. Then he decided to become a stock broker because he was charting stocks in his spare time and that was his passion. He gets up every day and gets paid to do what he’d do anyway. That’s the point. If what you do feels like work all the time, you’re doing something wrong.

I can envision telling my kids this story and getting the question in return: “OK Mr. Smart Guy, you got lucky and found your passion. How do I find mine?” That’s a great question and one without an easy answer. The only thing I’ve seen work consistently is to do lots of things and figure out what you like. Have you ever been so immersed that hours passed that felt like minutes. Or seconds.

Sure, if you could figure out how to play Halo professionally that would be great. But that’s the point, be creative and figure out an opportunity to make money doing what you love. Yes, that’s easier said than done, but it’s a lot better than a sharp stick in the eye working for people you can’t stand doing something you don’t like. Adam’s post starts with a excerpt from Cal Newport’s Follow a career passion?, which puts a different spin on why folks love their jobs:

The alternative career philosophy that drove me is based on this simple premise: The traits that lead people to love their work are general and have little to do with a job’s specifics. These traits include a sense of autonomy and the feeling that you’re good at what you do and are having an impact on the world.

It’s true. At least it has been for me. But to be clear, my kids and everyone else will need to earn this autonomy and gain the proficiency of whatever job they are thrust into. Which is why I put such a premium on work ethic. You may not know what your passion is, but you can work your tail off as you find it. That seems to be a pretty good plan.


Photo credits: Passion originally uploaded by Michael @ NW Lens

Heavy Research

We’re back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too.

Defending Against Denial of Service (DoS) Attacks

Understanding and Selecting Identity Management for Cloud Services

Securing Big Data

Incite 4 U

  1. It’s not Groupthink. The problem is the check box: My pal Shack summarizes one of the talks he does at the IANS Forums in his Infosec’s Most Dangerous Game: Groupthink post. He talks about the remarkable consistency of most security programs and the controls implemented. Of course he’s really talking about the low bar set by compliance mandates, and how that check box mentality impacted how far too many folks think about security. So Dave busts out the latest management mental floss (The Lean Startup) and goes through some concepts to build your security program based on the iterative process used in a start-up. Build something, measure it’s success, learn from the data and pivot to something more effective. It’s good advice, but be prepared for battle because the status quo machine (yea auditors, I’m looking at you) will stand in your way from doing something different. That doesn’t mean it’s not the right thing to do, but it’ll be harder than it should be. — MR

  2. Android gone phishin’: There’s always a lot of hype around mobile malware, in large part because AV vendors are scared people won’t remember to buy the mobile products without a daily reminder of how hosed they are. (I kid). (Not really.) As much as I like to minimize the problem, mobile malware has been around for a while, but it tends to be extremely platform and region specific. For example, it’s a bigger deal in parts of Europe and Asia than North America, and until recently was very Symbian heavy. Now the FBI warns of phishing-based malware against Android. It’s hard to know the scope of the problem based on a report like this, but it does back my assertion in the past that Android really isn’t enterprise ready (but it’s getting better). As you track this issue over time, pay particular attention to the platforms and versions involved – e.g. right now, there is no malware issue on iOS (despite all the dire warnings), and even malware on Android can be very version-specific. It’s still more hype than reality, but worth keeping an eye on. — RM

  3. Poisoning the well: It was only matter of time until malware purveyors began to broaden methods of malware distribution, but infected ‘watering holes’ are evolving and an effective complement to phishing email as a means of infection. Advising people to use AV and ‘don’t be deceived by unsolicited email’ is unhelpful advice as AV does not detect most malware and good social engineering will deceive almost anyone. There are technical controls that can help. For example, phishing messages are fairly easy to defeat if folks avoid clicking any links in email and use outbound firewalls to block traffic to the outside world. But protecting users from hacked web sites is a far more difficult task; there is no straightforward way for a user to protect themselves besides not browsing. Sure, monitoring the resources a web pages tries to drag back to your browser via outbound filtering is an option, but makes for horrid browsing experience to inspect every resource request. Some form of URL reputation inspection and/or sandboxing the browser, done automatically, is the right option here. — AL

  4. Can you know too much?: First of all, how great is it that our pal Wendy is back in action? In her latest Dark Reading post, she examines When Monitoring Becomes a Liability. It’s a legitimate concern, as we get better at detecting breaches and then the regulatory requirement to report them creates a situation where depending on what constitutes a breach could blunt the obscurity most organizations hide behind. I see Wendy’s points, but don’t necessarily agree. First of all, every organization has bots and suffers breaches. Having to divulge that information isn’t the real risk. It’s the consistency of reporting. Let’s say Company A and Company B have similar issues (bots, breaches and the like). Company A discloses because their overactive audit committee wants to avoid the perp walk. Company B pulls an Enron and doesn’t. The downside isn’t monitoring, it’s the consistency of enforcing the rules. I just come from the school that more data is better than less data, even if it makes things a bit messier. — MR

  5. Patch the cloud: I’m in the process of re-writing all the hands on labs for the class we built for the Cloud Security Alliance, so perhaps my brain is a little overly-focused on cloud platform issues. Thus I’m fascinated by a new (now patched) vulnerability in CloudStack that could allow an attacker to make random API calls. Keep in mind, you use the API to do little things like start, stop, and otherwise manage virtual machines, storage, the network, and… umm… everything. The fix in this case is pretty simple (a quick database change), but imagine if something much more serious hits? You can’t assume you won’t need to patch even fundamental components of your cloud, and you have to plan for outages. You also need to think about additional security controls for the management plane, such as XML security gateways to validate API calls since you certainly can’t rely on IPS for attacks against these sorts of vulnerabilities. Not impossible problems, but definitely worth changing how you think. — RM

  6. Click-to-Play in Firefox: Firefox is broken in a lot of ways, but they have continued to add a lot of security features onto an already impressive list of capabilities. The latest enhancement is having the Block-list drill-down coupled with ‘click-to-play’ plug-ins. This means it’s easier to keep certain plug-ins turned off, and when that plug-in is being requested by the page, you can toggle it on and off. Click-to-play is a great feature to keep the browser from loading and running plug-ins unless you want them to, but it’s often safer to leave the plug-ins disabled until you need them. By pushing plug-in enablement into the address bar, it’s just easier to manage what’s running, and easier to verify the plug-ins are up to date. Couple this with your favorite browser checker and NoScript you’ve got IMO the most secure browser out there. — AL

  7. Getting off the treadmill: Whether you want to call it a treadmill, the hamster wheel of pain, or whatever, security can be aggravating and frustrating because we don’t seem to improve the situation. Which isn’t exactly true, but it sure feels that way. Adam (this time on the New School blog) talks about how hospitals are open to the idea of sharing data about their mistakes. He points out that there is huge liability and downside to this, since they are giving the lawyers the rope to hang them. But they’ll do it anyway because if they can save one life, it’s worth it. Why can’t we do that in security? The post refers to the dangers of sharing exploit info and impeding an active investigation. Those are issues, but shouldn’t be excuses. We can (and we must) share information better. Leverage what’s being learned out there. Adam is right with this quote: “Let’s talk about our mistakes and get off the treadmill.” — MR

– Mike Rothman
(0) Comments

Posted in: reading