The Daily Incite - February 1, 2007
February 1, 2007 - Volume 2, #20
Good Morning:
There are times when I realize that I'm a few cards short of a full deck. So I'm at the airport last night, returning from a great two days working with a client. I'm pretty tired and as I head down the escalator towards the parking garage I see a few new kiosks. Cool, I guess they are putting in some of those pre-pay parking machines at Hartsfield.
But the kiosks weren't ready yet. The yellow police tape tipped me off. Yet on the screens was a "Windows XP Embedded" login screen. So the kiosks run XP. Now that's interesting. What's the first thought that comes into my mind? Would it be like 99.9999% of the regular population, who are just happy to maybe streamline their exit from the parking lot? Of course not. My first thought is, "I wonder if I could hack it." Hmmm. Are they wireless? Can I tap into the wire? Maybe some kind of proximity reader would allow me to get access to the OS... No, this is not normal. Yes, I should probably be in therapy.
For a change there is a deal in the security space. BT wasn't done when they bought Counterpane. Not with services companies or with companies headquartered in Silicon Valley. By buying INS (here), they get some security capabilities (though mostly networking expertise), but more importantly for them - they really bolster their technical staff here in the US. And whatever they paid is a rounding error. I guess the Red Coats are coming. Where is Paul Revere when you need him?
I also want to rant a bit about strategy. Here I point to a nice, crisp and concise strategy statement that VASCO put on the wire. Why doesn't every company do this? Instead, most leave the interpretation of their strategy to jokers like me. I'm not a big fan of leaving much to someone else's imagination, so if you are a vendor - you should think really hard about a one page strategy overview.
Finally, both parts of the Pragmatic CSO podcast interview with Alan and Mitchell are now up. Part 1 is here. Part 2 is here. To be clear, this is a LOT of free stuff. I go much deeper than the introduction, as well as tip my hand a bit about what's next for the Pragmatic CSO. Short of buying the book (which you should do anyway), this is the most comprehensive description of the program yet.
Have a great day.
The Pragmatic CSO is Here! Read the Intro and Get "5 Tips to be a Better CSO": www.pragmaticcso.com
Top Security News
Deal: BT gets INSync with the US services market
So what? - Come on, give me some props here. Where else do you get a boy band reference in a security newsletter? I guess I could have said the Red Coats are coming (again). Or INS goes back to the telecom well (they were acquired by and then spun out of Lucent). Whatever I called the piece, the point is the same. For companies to be truly strategic to large enterprises, they need to be able to provide products and services. Given the complexity of the computing environment, the premium is moving to services. Unless you are Microsoft. But pretty much everyone else has made significant investments in consulting and integration, so this is BT's attempt to get a foothold in the US. Big is the new small. That hasn't changed.
http://www.ins.com/about/pressroom/pr.aspx?id=2061
Encryption (not) everywhere
So what? - This puff piece in ESJ about PGP isn't worth too much. But it gives me an excuse to once again talk about STRATEGIC use of encryption. This idea of encrypting everything is stupid. There is a cost to encryption, and it's not just the cost of buying PGP (or your favorite other encryption vendor); there is a lot of management and performance overhead. So you encrypt what needs to be encrypted. Sensitive and private information. Intellectual property. You get the drift. But when thinking about encryption, start with the data and work outwards. Not the other way around.
http://www.esj.com/news/article.aspx?EditorialsID=2429
My boat anchor desktop doesn't need BitLocker
So what? - So the G-men are upset with Microsoft because they are actually bundling different editions of the Vista operating system, and some of the lower-end versions don't have the fancy BitLocker encryption capabilities. Seems kind of silly to me, since why would a home desktop user need to encrypt their hard disk? Is someone walking away with their machine? Are they leaving it in a coffee shop? If someone 0wns their machine, BitLocker isn't going to help. Now, I do believe that BitLocker should be available on all laptop versions of Vista. But that is a packaging thing for the system makers. They can choose to only sell the versions of Vista with BitLocker on their laptop offerings. But this isn't Microsoft's problem. Some people don't need BitLocker, so why should they pay for it?
http://www.informationweek.com/showArticle.jhtml?articleID=197002225
What's your strategy?
So what? - I do a lot of strategy work with clients, and so many of them cannot concisely tell anyone what they are about, what problems they solve, how big their opportunity is, and so on. So they kind of meander through life and wonder why they end up like the living dead. Now you may or may not agree with VASCO's strategy. You may think they are on drugs to say that every company needs their technology. But at least they are saying it. This press release shows a very crisp strategy. They are all about authentication, both front-end and back-end. They will buy what they need, if they can't build it. They are focused on their server platform. Even an investor can understand this stuff. Every company should have a one-page strategy summary. It's not that hard, really.
http://biz.yahoo.com/prnews/070131/aqw004.html?.v=4
Top Blog Postings
Risk Management is like NAC
Alex Hutton is a bit sad. It seems that no one understands what Risk Management is, even though he published his framework in the public domain. And I have news for you, my friend: it ain't going to get better in 12 months. Why? Because vendors are co-opting the term "risk management" to mean whatever it is their product does. That confuses users, which confuses the market, which basically means no one has any idea what the term means. What the hell is NAC? That is the question we are asking now, because it means something different to everyone. And everyone is using the term. Sadly enough, the same goes for risk management. I have my own ideas, but I don't have much of a marketing budget. The vendors do, and thus risk management will eventually mean nothing - because it means something different to everyone.
http://riskmanagementinsight.com/riskanalysis/?p=96
You are bound to your legacy
Ross brings up a good issue, driven by the latest voice recognition issues that seem to be a problem for Vista. Can Microsoft ever get security right? Not as long as they need to provide compatibility with the old stuff. Basically we need to start over. Build an OS that is secure from the ground up. Some are better than others, but none are there. I'm not even sure it's possible. But I can tell you that as long as Microsoft has to support applications built by other folks (for other operating systems), there will be ways to compromise your systems.
http://technobabylon.typepad.com/tb/2007/01/can_microsoft_g.html
Does anyone think Vista is bulletproof?
I find these pieces that say Vista has security flaws to be mildly entertaining, but mostly annoying. No shit, Sherlock. Vista is a computer program, and to my knowledge no one has built the perfectly secure computer program yet. So there will be issues; hopefully Vista's better security architecture will minimize the damage and proliferation of those issues. But you shouldn't be throwing out your other defensive mechanisms once you get everyone onto Vista. Layers, folks. Layers are still important, even as every layer makes minor improvements.
http://www.darknet.org.uk/2007/01/visa-security-flaws-prior-to-consumer-release/
Save sniping for the sales cycle
Amrit gets a little hot under the collar that I called him out a bit on his Symantec/Altiris post. To be clear, no one (certainly not me) is saying that Symantec is good at integrating acquisitions. And I've said for a long time that once a key vendor gets bought (by anyone, not just Symantec), users need to start moving on Plan B immediately. You may not want to go there, but you also don't want to be locked into a product line driven into the ground by the acquiring company. Again, to make my point, I'm not criticizing Amrit's analysis of the deal. I'm criticizing the fact that he is sniping at Altiris' product line, and that tarnished the usefulness of the piece for me. If he had said, "customers should be wary because Symantec usually bungles acquisitions," that's fine and true. But he said that Altiris' product sucked, and it is a competitor to his own product. So customers should take that statement for what it is: blasting a competitor that got a decent exit.
http://techbuddha.wordpress.com/2007/02/01/biased/
Recently on the Security Incite Rants Blog
Read the most recent Daily Incite
http://securityincite.com/security-incite-rants/daily-incite


Mike,
This is the point where having the little crying emoticon would help me express my feelings.
Ok, not really. Hopefully, working with security architect groups like we're doing today at the Open Group, creating a forum and developing definitions and guidelines and a reference document for what risk management is will help. It will at least give us a reference point so that when the next marketer does this:
We can ask them to reconcile their dart throwing technique with a reference standard.
That comic is from securitybullsh*t.com (but with an "i") - I'd link but it will probably hit a web filter for most corporate folks.