The Daily Incite - October 5, 2006

Submitted by Mike Rothman on Thu, 2006-10-05 09:20.
Today's Daily Incite

October 5, 2006 - #130

Good Morning:
I really admire those people that are wired to be optimistic. You know who I'm talking about. The folks that keep smiling even as the house is burning down. The ones that you just can't get into a grumpy mood, no matter what you throw at them. Maybe they go home and dissect frogs or something, but when you see them they are always happy. That ain't me, though some days I wish I could always see the bright side.

Today most of the news is bleak. I'm sure it'll test your optimistic mettle. Security budgets are decreasing (here). Folks are calling for the death of the CISO (here). Compliance is hitting another industry to add to an already withering workload for security folks (here). Vendors are focusing on smacking each other (here) and generating useless stats (here), as opposed to trying to solve the problem. Or at least move the conversation forward.

You know what gets me through days like this? "This too shall pass." Seriously. When I lived in VA, someone had taped a "This too shall pass" sticker right under the change basket on the toll booth where I exited each day. Every day I'd drive by and see the sticker, which put the rest of my day into context. Unless a brick fell on my head (which thankfully hasn't happened), I'd get through the day and wake up tomorrow and do it again. So I say to focus. Figure out what really needs to be done and do it. Don't get bogged down in misery and malaise. You don't have time for that.

I'd like to take the opportunity to again welcome new readers. It seems the NetworkWorld flare-up has created a lot more interest in what I'm doing, which has resulted in more email subscribers, more RSS readers and the single highest page view total on my web site yesterday. I'm sure that is the law of unintended consequences. For you newbies, let me know what you think (you can either post a comment or send me a note - mike.rothman (at) securityincite (dot) com) and if you like it - tell all your friends. I grow by word of mouth and your referral means a lot.

Have a great day.

Top Security News

Security budgets are contracting
So what? - For those of you with an extra $349 lying around, you can get Forrester's latest report on security spending. They found that security budgets are decreasing as a percentage of IT spend, but security remains a priority. Fact is, this is a trend that is going to continue. We are going to get less money and be expected to do a lot more with it. Expectations don't change (keep us secure), but the funding to meet them will, and not in a positive direction. So what's a CISO to do? As I've said many times before, cover your ass. First, rethink your security architecture. Do you really need all this stuff? After that analysis, if you still don't have enough money, start managing expectations and discussing risks. The bean counters may decide the risk is worth taking because the money just isn't there. But make sure they clearly understand the downside of not spending the money.
http://www.forrester.com/Research/Document/Excerpt/0,7211,40317,00.html

The Fathi strikes back
So what? - A major topic this week has been Symantec and McAfee attacking Microsoft over third-party AV vendors' ability to control the Vista OS. It's been mostly a one-sided conversation, until I found this interview with Microsoft's Ben Fathi in PC Magazine. I think he did a good job telling Microsoft's side of the story and questioning the motives of the other guys. I agree with his positions and reasoning as to why the OS needs to be locked down tighter (even to MSFT's own AV team) in order to move things forward. This quote says it all: "They're [Symantec and McAfee] asking us to ship a less secure operating system to keep the patients sick so they can keep serving up the medicine; but instead of doing that they need to innovate just like we have." Amen to that. Innovate or die. If you don't like it, find another business to be in.
http://news.yahoo.com/s/zd/20061003/tc_zd/190351

Utilities under the compliance gun as well
So what? - Just when you thought it was safe to go back in the water without being accosted by some vendor hawking PCI wares, now you'll become very familiar with the NERC standards that have been put in place to protect the critical infrastructure and systems of the US power grid. Every security vendor will be talking about it before too long. Let me point to a package the Big Yellow is introducing to address the issue, and I think this is a good thing. Companies under the gun want solutions, not to piecemeal an answer. They don't have time for that, so this favors big vendors like Symantec that can bring full solutions to the table, including services and products. Security practitioners still have their day job, and figuring out these new hoops to jump through and reporting regimes takes time. This isn't a big deal for organizations that already maintain a strong security posture, but that is the exception rather than the rule in energy (from what I've seen anyway). So these folks need help. As much as I hate to say it, vendors can help if the scope is managed effectively and expectations set appropriately. Just keep in mind there are no silver bullets.
http://www.marketwire.com/mw/release_html_b1?release_id=169580

Threat models hit the runway
So what? - Not that runway. I'm talking about modeling threats, and pointing to a review of a free Microsoft tool that can help you understand (and manage) the threats to your applications. It's been a long, long time since I've built software myself (think 15 years), but I've been knee deep in the process from the product management side, and many of these new capabilities will require developers to fundamentally change their process. This tool helps you build a threat model for an application before it's built. There are some holes and warts according to the review, but ultimately there always will be. It's about standardizing process. Understanding where you are going to be exposed BEFORE you even start coding is great. Doing code analysis throughout the process is also important, to make sure you didn't miss anything. Then banging on the application with a scanner before it's deployed ensures no holes were introduced into the environment. I'm no secure coding expert, but as these processes increasingly get adopted (and they will), we'll see much better code and far fewer patches.
http://www.darkreading.com/document.asp?doc_id=104945

Zix has found the money tree
So what? - How else can you explain how a company that is happy reducing cash burn to just under $5 million this QUARTER stays in business? And they are making progress: next quarter they'll only burn $3-4 million. This is not an indictment of Zix or their products. From what I heard, they do a good job encrypting email and their reports are pretty. They are growing revenues and meeting expectations, so I guess I'm just wondering how long investors will keep pumping money into anything that consistently loses money. I can't say I understand what drives investment decisions (and of course, I don't hold any stocks in companies that I cover), but I'd recommend making company viability a critical piece of vendor selection criteria. Not that you don't do this already (and not that Zix should get more scrutiny than anyone else), but it's important that your technology providers are around tomorrow to bail you out of the next jam.
http://investor.zixcorp.com/phoenix.zhtml?c=108645&p=irol-newsArticle&ID=912094

Top Blog Postings

CISO RIP?
Mike Murray waxes poetic here about the death of the CISO. I think there are strong points to his position, like security for security's sake (or compliance's sake, for that matter) not being the key to success anymore. It's about putting security in the context of the business problem. Mike calls this "managing risk." I'm not sure about the term, but I'm with him on the concept. But I'm not willing to start throwing dirt on the CSO title just yet because I don't think the game is over. I think that CSOs need to evolve with the times like anyone else. The days of spending like drunken sailors and compliance-funded orgies are long gone. Now it's time to figure out what security really means to your business, and plan, build and run (to use an old META-ism) accordingly.
http://episteme.ca/cblog/index.php?/archives/38-The-Death-of-the-CISO.html

Where is McGruff when you need him?
Thanks to Tim Wilson for giving me a chuckle this AM. He pretty much picks apart National Cyber Security Awareness Month as useless and not solving the problem. I am a fan of education and awareness training, but you don't solve the problem in a month. That's why I was so excited about McGruff getting involved (here) in cyber-security training. I'm not sure whether the faithful companion is prominent in this month's activities, but he should be. Or else it's a wasted opportunity. Actually, the whole initiative is just crappy marketing. If they had positioned this month as the "kick-off" of a multi-year effort to use education to help consumers protect their own cyber-spaces, it would go over a lot better. Sure, it's fine to focus efforts for a month. But don't think it's the only month you need to pay attention.
http://www.darkreading.com/blog.asp?blog_sectionid=327

Stats are a PR tool
My buddy Eric Ogren vents a bit here about the futility of vendor-provided malware statistics. He's right, of course, but missing the point. Stats were a huge part of PR outreach in my last two jobs. The media needs content. There are a seemingly infinite number of outlets that need to file an infinite number of stories every day. No vendor (unless you are huge, like IBM or Cisco) does something EVERY DAY. But there are opportunities for PR every day. By having stats, even if they point to the futility of what you are doing (as Websense's report does), you get the opportunity to play. Even worse, now you need stats to stay in the PR game. So as opposed to one vendor driving decent stats (like the old RipTech Internet Threat Report), now you have literally hundreds of vendors flogging their own stats. Most of them suck. So like everything else in security marketing, we are numb and don't care. But the machine keeps plugging away because it's all about keeping up with the Joneses.
http://www.computerworld.com/blogs/node/3651

Do you have a password that everyone knows?
It made me shudder, but reading this quick post from Brad Feld was a real eye-opener. Of course you have a password that everyone knows. Hopefully you use it for inconsequential websites and the like and NOT for the critical data that will get folks in trouble if it's compromised. So what? It means you need more layers. For some data assets, passwords (even ones that everyone knows) are enough. For other stuff, you need more. Maybe it's multi-factor authentication. Maybe it's auditing the use of that data to ensure no foul play. Maybe it's maintaining persistent control of the data as it leaves your enterprise. But we are definitely moving to a two-class system: resources that need minimal protection and those that require tight protection. And you don't get to protect everything; there isn't the money for that (here).
http://www.feld.com/blog/archives/001970.html

Recently on the Security Incite Rants Blog

NetworkWorld just doesn't get it
It was just a matter of time, but NetworkWorld had to tell their side of the story. Unfortunately, John Dix delegated it to hatchet man Paul McNamara, who literally had no involvement in the situation. I, for one, fight my own battles - but whatever. Paul makes some suppositions and assumptions about responsibility and it seems the NetworkWorld folks were a bit deluded about how important writing for them was to my business, and more disturbingly what a "business partnership" means. In what will be the final comment on this matter (promise!), I respond to his statements and put it to bed. Some other interesting reading on the situation comes from Shimel (here) and Ashley (here). I like the term Dinosaur 2.0 to describe big media that doesn't get the blogosphere. They can ignore it (and as Alan says) or do a half-assed job of putting up feedback forums, but the conversation is commencing and it will fundamentally change the tech media business.
http://securityincite.com/blog/mike-rothman/networkworld-just-doesnt-get-it


Submitted by Clint Laskowski (not verified) on Thu, 2006-10-05 09:43.

I posted this as a comment in response to 'CISO RIP' at http://episteme.ca/cblog/index.php?/archives/38-The-Death-of-the-CISO.html but am repeating it here, too:

With 'the death of the CISO', possible relaxation of SOX, security professionals under a deluge of requirements and ever increasing workloads with no clear link to a ROI, and home users throwing away their virus-infected PCs instead of fixing them, one has to ask ... what is the future of information security as a whole, not just of the CISO?

-- Clint

---
. CLINT LASKOWSKI, CISSP
. Information Security Consultant
. resume: http://www.robotic.com/resume
. linkedin: http://www.linkedin.com/in/claskowski
. email: clint@robotic.com
