The Daily Incite - March 1, 2007
March 1, 2007 - Volume 2, #37
Good Morning:
Let's talk about vindication today. My friend Dave Maynor sort of got his yesterday at Black Hat DC. Dave was front and center in the Apple WiFi driver exploit fiasco at last year's Vegas Black Hat, and he's finally gotten to tell his side of the story (here). Lots of press coverage (here, here, here) ensued. But does it matter?
The answer to that question is yes and no. First, Dave needs to clarify his role. There is still lots of confusion about who did what, but there isn't a shred of doubt that Dave (and Jon Ellch) sent Apple stuff and they used it in some capacity. But on the other hand, Apple has not and will not fess up to Dave's role in helping them find the bugs. The Apple fanboys still think Dave is a direct descendant of the Devil (even though he has as much Mac gear as anyone I know), and telling his story at Black Hat isn't going to change that. I imagine he's not doing this to regain the love of the Apple fanboys.
But ultimately, it was a story that had to be told. If only to get some free marketing for Dave's new shop, Errata Security. Given my background in marketing, I can tell you that figuring out a way to get into all the major security pubs is a big PR coup. Even with the HID/IOActive issue, Errata has gotten a lot of press. So Dave hit a double with this one: he told his side of the story and got lots of PR. It's all good.
And for any of you that think I shy away from criticism and only like to poke at other folks - think again. Cutaway blasts me for only providing a piece of the puzzle of training the next generation of CSOs (here) and a self-serving piece as well. I'll have more to say in tomorrow's P-CSO weekly (you can get that either through the RSS feed or via email - sign up at www.pragmaticcso.com), and he's made some good points. Points I need to think long and hard about.
As if I didn't have enough to do today....
Have a great day.
Top Security News
Security Pros - Get Soft!!!
So what? - At the risk of having Cutaway take a few more potshots at me, if any of you security professionals out there aren't getting the message about having to think more like a business person, check out these two stories. The first deals with the fact that people skills are becoming more important, and Gartner puts some numbers behind that (here). The numbers you can take with a grain of salt, but the point is important: "IT employees will need to speak the same language as business stakeholders." Now if that isn't Pragmatic, I don't know what is. The second has to do with applying Six Sigma to security operations (here). Huh? Well, it doesn't get any more business-focused than Six Sigma. This quote says a lot as well: "This has been the key for success: talking about business value provided, supported by the 'metrics' we developed using Six Sigma tools." I know Andy Jaquith's new book on metrics hits at the end of this month (here), so it will be interesting to see whether this kind of dialog and Andy's thoughts may be able to push the metrics discussion forward. After a long time moving backwards.
Drive-by storming
So what? - It's hard to keep up with all the different techniques the bad guys are using to compromise machines. This new variant of the Storm worm is a case in point (check out coverage here). It starts with a spam attack, but then proliferates by adding links to other Internet applications (like blogs, for instance). Folks who go to the bad website are then compromised (assuming they don't have adequate protection) and the cycle starts again. Devilishly innovative. But it continues to highlight some of the problems we keep seeing with browsers. Mozilla security head Window Snyder comments on what the Firefox team is doing to fix some of the issues (here). Suffice it to say, the browsers will always be playing catch-up, and that's why a layered defense is critical. You need to have protections at the gateway and on the endpoints, because you can't depend on the application folks to get it right soon enough.
You can run, but you can't HIDe
So what? - The fallout from the HID/IOActive Black Hat dust-up is just beginning. Jennifer Granick weighs in with a decidedly legal perspective in this Wired column (here), and it's interesting. If you look at it from a security perspective, I'm not sure interesting is the word I'd use. HID has managed to paint a big target on their own head. I agree. Steve Hunt suggests folks upgrade to a more "secure" platform (here), and I'll leave that to him, since I don't know a hell of a lot about RFID security. Dark Reading's Terry Sweeney also weighs in (here) with a great title (Lawyers, Guns and Money). Clearly this is a big faux pas by HID, and my guess is that they will pay a severe price for their "sue first, think second" approach. But if anything, this really highlights some of the RFID problems that need to be discussed. So I guess maybe we should be thanking HID as well, in a smack-them-upside-the-head way.
The Laundry List
Whit Diffie hits the PR circuit and he has some interesting stuff to say. - here
Top Blog Postings
All Hoff, all the time
Chris Hoff is back. And we all rejoice. Chris has picked up on a couple of my themes this week, including virtualization security and SOA. In the first post (here), Chris adds some depth to the virtualization discussion. Of course, he can't resist poking Cisco in the eye when the "data center" and associated network functions may be in the confines of a single box. Obviously the nature of what we consider the "network" changes in this new world, and he's right in saying the old way of just putting a bump in the wire to protect things won't really work. It'll be interesting to watch. Then Chris jumps on that poor sap who figured that SOA will make his life easier (here) without really factoring in the seismic shift of decomposing applications. And this is a classic quote: "Paying for sins of the past with currency of the future and confusion in the present isn't exactly showing alignment to the business as an enabler." Brilliant. But you need to read it about 10 times to let the depth of that sentence really sink in. How does he come up with this stuff?
Business speak 101
There used to be a very defined business track and technology track in most companies. But these two need to cross-pollinate a lot more effectively. Alex Hutton tells a case study of how so many technical folks still don't get how to talk to the business, because they can't find the common ground. For financial institutions, that tends to be "risk," but it will vary by industry. Unless your business IS technology, you had better become well versed in what your company does and couch whatever you are talking about in a language your senior team is going to understand. I suspect we are going to see a lot of security industry specialization in the near term, where training is going to emerge about how to best secure different industries. It really needs to go that way, because it's just not novel to learn how to manage a firewall nowadays. Applications are the critical point of attack, and the business processes they automate are exposed. Security folks need to learn the basics (kind of like med school for doctors), but also need to specialize and learn about the nuances of their specific industry. Hopefully not the hard way. Hmmm. That's kind of interesting. I need to think about that quite a bit more too.
http://riskmanagementinsight.com/riskanalysis/?p=114
What about that managing expectations?
While I'm on this topic of business relevance, Andy ITGuy (nice family pic, BTW) rants a bit about the expectations. He's exactly right in pointing out that vendors expect the IT guys to "get" why their stuff is important and different. Senior management expects the IT guys to take care of the problem, and end users don't want to worry about it. Fundamentally, everyone's expectations are a bit off-kilter. Vendors don't really get that IT guys couldn't care less about their technical doodads and goodies. They want to solve problems. Senior management doesn't understand that a security mindset needs to come from the top. And end users don't get that they need to take on some of the responsibility for fixing the problem by learning what's good and what's bad. So the answer? Being a Pragmatic CSO (of course - sorry Cutaway, couldn't help it). Of course, reading a book won't solve your problems. But it will give you context on what you need to do. Will an MBA (or other business training)? Yes, but only within the context of making sure you understand how your business works. You don't need to go to school to learn that; just ask some business people about what they do and why. I'll add a bit to what Andy says: "Security isn't a second class citizen anymore and we can't continue to treat it like it is." Security will actually continue to be a second class citizen until we earn credibility by proving value to the business. How do you do that? Run your security operation like a business and achieve your milestones.
http://andyitguy.blogspot.com/2007/02/business-or-security-experience.html