The Daily Incite - December 13, 2006

Submitted by Mike Rothman on Wed, 2006-12-13 10:19.
Today's Daily Incite

December 13, 2006 - #171

Good Morning:
I've come to the conclusion that sleep is not overrated. Not by a long shot. I've been burning the midnight (and then some) oil working on the Pragmatic CSO of late and I'm feeling it. I'm not as young and sprightly as I used to be (not sure if I was ever sprightly), that's for sure. But we can all try to take care of ourselves to at least feel young and sprightly. So I'm starting my 2007 resolutions a bit early and beginning a fitness plan TODAY. I'm getting a fitness assessment at my new health club and it's going to be a train wreck. I'm perpetually tired, festively plump (which is being very kind), and horrifically out of shape after not exercising consistently for about 3 years.

They say a journey of 1000 miles starts with a single step, so that's what I'm going to do. There is no use crying over the hundreds of consumed burritos over the past few years. Since part of the Pragmatic CSO process is accepting that "it is what it is" and taking a baseline to figure out where you are in the beginning of the process, this is my own personal fitness baseline. My hope is that I'll be less of a Fat Bastard when I see many of you at RSA in February, but I am still dead sexy - at least according to the boss.

I'm going to rant a bit about analysts again, since it seems the esteemed NY Times has decided not to consult my brethren to support their technology stories. Honestly, good for them. Too many analysts are whores and they need the PR exposure to build an aura of legitimacy to mask the fishnet stockings and killer pumps they wear to work. Most of the time they don't add much value to the stories anyway (myself included). There is an interesting post on the InformationWeek blog about the topic (here) and that post references a piece in The Register over in the UK which calls hypocrisy on the entire thing.

What everyone keeps forgetting is the responsibility of the end user. Ultimately it's the end user's job to make the best decision for their business. They need to assemble data points, some of which may come from analysts, and apply a "credibility filter" to all of those data points. The dirt you get from a competitor should be roughly equal to the perspective of a whoring analyst. It's an opinion and you need to take it for what it is.

Personally, I'm going to keep writing and expressing my opinions as long as people keep reading and telling me they find value. If you don't like it or don't think I'm credible, bully for you. Everyone is entitled to an opinion. Anyone, at any time, has the ability to opt out and not interact with me. So sayonara NY Times, I hardly knew ya. Don't let the door hit you in the ass on the way out.

Have a great day.

The Pragmatic CSO
Coming January 2, 2007

Top Security News

Do you think it was USC?
So what? - It seems UCLA had a massive data breach that was disclosed yesterday. 800,000 Bruins were interrupted from their hibernation and told that a hacker has been running roughshod through their systems for over a year. Ouch. This is indicative of the new new attack methodology. Low and slow, and remain undetected for as long as possible. This is another justification for security layers that include the data center and could catch anomalous activity in the databases. But there is no silver bullet to detect these attacks once they breach the perimeter. So we are going to see a lot more notifications next year. One other thought: Given the fact that the USC guy broke their systems to make a point, do you think some enterprising Trojans decided to even the score after the football debacle? Or is that just my conspiracy nerve acting up?
http://www.informationweek.com/showArticle.jhtml?articleID=196603485
Narrow and Targeted in 2007
So what? - Speaking of new types of attacks, Larry Seltzer makes the point that "things are getting better for the average user over time." I also agree with this assessment, but things are getting worse for the enterprise as a whole, at least from a security perspective. Aren't those counter to each other? Yes, but the facts are the facts. Users are not being mass targeted anymore, so there aren't really attacks that take down millions of devices at a time. As Seltzer says, the new attacks are narrow and targeted and focus on a small subset of the community. That means millions of others can stay blissfully unaware that they are exposed for an extended period of time. That's progress. Until they get nailed, then it's not progress. So is there an answer? I vote for continued education for the users, so that when their number is called - they are ready to defend.
http://www.eweek.com/article2/0%2C1895%2C2070583%2C00.asp

The bad guys are better teachers
So what? - Speaking of education, we all complain quite a bit about how hard it is to educate the youngsters and other consumers about how to behave online. It seems the bad guys are having no problems teaching a new generation of bad guys the ropes. According to McAfee, we have 14-year-olds being trained as the new corps de esprit of the hackers. Sounds more and more like traditional crime to me. Drug dealers recruit kids all the time; they do less jail time if they get nailed and unfortunately - many are deemed "expendable", as terrible as that is. Same goes for cyber-criminals, and getting shot doesn't seem to be as much of an occupational hazard - so this is another topic I think we'll be hearing a lot more about.
http://www.mcafee.com/us/about/press/corporate/2006/20061212_191010_e.html
12 vendors ent-ah, one vendor leaves
So what? - Network Computing does it again. In their new (or maybe not so new, but I didn't know about it) NAC battleground, they let 12 vendors make a pitch about what NAC means to them and why their products are better. Kind of like Mad Max Thunderdome, no? At some point, I'll read some of this stuff because it'll be interesting to see how each vendor is spinning their differentiation in a horribly undifferentiated market. In the Buying Security Products Guide, I talk about the education phase, and resources like this are critical to get smart on a topic quickly. Of course, the information is largely biased and you need to keep that in mind - but at least it's centralized. There is value in that.
http://nacbattleground.nwc.com/
Your email is a sieve!
So what? - Going to an institution of higher learning that pretty much sucked in sports had its drawbacks. Especially when I see how my Gator and Buckeye friends go absolutely nuts for their teams all year. But the Cornell Big Red did have a decent hockey team in its day. And a load of peppermint schnapps definitely warmed up the arena as we serenaded the opposing goalie with choruses of "You are a sieve!" Looks like the schnapps is flowing in messaging land because users are starting to understand that a malcontent only has to hit send and you've got a leak. Thus the rise in leak or extrusion prevention gear that attempts to stop the behavior. Phishing also presents a nonstop threat, so basically messaging security remains a topic of interest and will for some time to come.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1233873,00.html

Top Blog Postings

This guy could be Pragmatic
So Shimel tells some sob story about a friend of his that is getting pummeled during a PCI audit. His management doesn't understand and he's been evangelizing to do the right things for months, but they won't listen. First, let's pick on Alan's statement that a lot of customers come to them (and other vendors) to help them pass an audit. Thankfully Alan points out the folly of that endeavor. No "product" is going to help anyone pass an audit. Again, I don't know Alan's friend, but it seems that he needs a different approach to talk to senior management about why security is important. That's what the Pragmatic CSO is all about. But there is some likelihood that a CSO will get to the point where they don't think they can be successful, and Alan's friend seems to be in that camp. It's time for him to go. Will it look bad because his shop failed a PCI audit? That depends. If this guy screwed up and his sob story is trying to cover his ass, then prospective employers will see right through that. But if this guy is legit and his story holds water, then the fact that he opted out, as opposed to flying the plane into the mountain will bode well for him. I always looked for folks that had screwed things up and worked in challenging environments. They are much better prepared to deal with reality.
http://www.stillsecureafteralltheseyears.com/ashimmy/2006/12/whats_a_poor_se.html
Everyone is a "security professional"
Farnum brings up a good point on his CW blog in that most IT professionals will need to become security-aware, regardless of what their day job is. Why? Because security is everywhere and it just doesn't make sense to have the enforcement happen in a central group over time. The CSO (as I mentioned yesterday) conceives, sells and manages the program, but that is a position of INFLUENCE, not of OPERATIONS. The security operations will happen within the network, data center, and application teams. It'll take a while to get there (especially for bigger companies) and this is another example of the centralization/decentralization pendulum swinging back and forth, but suffice it to say security is moving out.
http://www.computerworld.com/blogs/node/4157

The Ripple Effect
No, I'm not talking about what happens when you drink too much cheap wine. Personally, I preferred Mad Dog, but those days are long gone until I get together with my college buddies again. I'm talking about the point that Adam Dodge makes on the Security Catalyst site about incidents not being singular events. This is great advice because where there is smoke, there is usually fire - even if the fire isn't readily apparent. If one machine has been compromised, there is a high likelihood that others will be too. Another key tenet of the Pragmatic CSO is to have a structured and well-practiced containment strategy: a document that specifies what to do in the event of an incident. Adam's process here is OK as well, but we are both talking the same language. You need to make sure you are truly containing the damage, not just putting a band-aid on a festering, septic wound.
http://www.securitycatalyst.com/2006/12/07/security-breaches-are-not-singular-events/

Everything is public now
The Mogull makes a great point here about the fact that we do not control, nor is there any good way to control, our data. Lacking any kind of rights management environment that is plausible to use on an enterprise scale, we have to accept that our data may become public. So what does that mean? If you don't want someone else to know it, don't write it down. Rich's point about taking out both parties to a secret just to make sure it stays secret is spot-on. There is no way to contain the spread of data or information, so be careful about what you write because it can come back to "surprise" you in strange ways. Like how this week Jim Allchin is back-pedaling because he wrote back in 2004 that if he didn't work for Microsoft, he'd buy a Mac. And this is the guy that runs the Windows group. My personal philosophy is to be very consistent in my direct and 3rd party discussions. You won't hear that I badmouthed you to someone else, unless I've already told you about it directly.
http://securosis.com/2006/12/12/if-you-release-it-you-cant-control-it/

Recently on the Security Incite Rants Blog

SearchSMB Top 10 Tips of 2006
David Letterman must have a ton of angst that he never enforced his Top 10 list copyright. He'd be cleaning up given all the Top 10 lists we see every day. Oh, he is already cleaning up for getting trounced by Leno for years at a time. Yeah, I guess I don't feel that bad for him. But this Top 10 list is interesting because 7 of the 10 most popular tips were security-related. Even more interesting is that 3 of the 7 were written by me and I only wrote for SearchSMB for about half the year. So check out the list and see if you can learn something.
http://securityincite.com/blog/mike-rothman/searchsmbs-top-10-tips-in-2006