The Daily Incite - March 19, 2007
March 19, 2007 - Volume 2, #46
It's an ADD day. That means I have so much on my mind, I'm not sure what will come out and whether there will be any rhyme or reason. Kind of like a stream of consciousness rant. First, after looking at my NCAA basketball brackets, I come to the conclusion that once again it is March SADNESS, not madness. Hardly any upsets, a few exciting games, but it was pretty status quo. And my brackets are a mess. Hopefully this upcoming weekend will be more exciting and I can salvage one of my brackets.
Next up is the weather. What the F? And while I'm throwing some F-bombs, save one for Delta. The best laid plans to go have a boys weekend in NY were scuttled by 12 inches of snow in the Northeast. The nerve. What about global warming? This isn't supposed to happen and certainly not when I'm supposed to be traveling. Big bummer. Even worse was the two hours I spent on hold with Delta trying to salvage my flight plans. When I finally got through (to some jackass in Bombay), the earliest I could get to NY was Monday afternoon. Since I was supposed to return on Monday afternoon, it wasn't going to work. Then I had to wait on hold again to get my money back. F snow, F Delta, and F Mother Nature. Thanks, needed to get that off my chest.
That old adage, "you don't know what you got, till it's gone" (I think that was a Cinderella song - the hair band, not the Princess - from the late 80's) is absolutely true. Foldershare (my sync program) was behaving badly most of last week and I really missed it. The ability to have everything in sync between my various devices has become the foundation of how I work. I instantly looked for similar solutions and found nada. Thankfully by this AM, all was well in Foldershare-land. For a free service (offered by Microsoft), their service folks were remarkably responsive. Not that I feel compelled to pay Microsoft more money, but if they asked for it - I'd gladly pay.
Finally, not sure about you folks, but I have a busy busy busy busy week ahead. Lots of client deliverables to get over the finish line. Need to prep for a few strategy sessions next week. Doing a speaking gig here in ATL, and need to push forward on my big announcement at the end of the month. No rest for the weary as they say. But better to be busy, than not. And I will be eating my own dog food and constantly prioritizing and re-prioritizing my activities based upon business value. When you have too much to do, and not enough time to get it done - that's the only way I know how to do it.
Have a great day.
Technorati: Information Security, CSO
The Pragmatic CSO is Here!
Read the Intro and Get
"5 Tips to be a Better CSO"
Top Security News
Your identity - a bargain at any price
So what? - Symantec has published its latest Internet Security Threat Report (here). The wheels of Big Media start to turn and the blogosphere will react in kind. I guess I contribute to that, but hey - you've got to pay the bills, eh? The biggest news peg (called out by Shimel already here) is that the bad guys are now selling multiple pieces of identity data, basically enough to compromise your identity, for $18. Seems cheap, no? Krebs covers this data point as well here. The point is that identity information is plentiful out there, and that means prices are coming down. As Alan points out, that doesn't mean that all of those $18 identities will be compromised. But they could be. That's why I pay "insurance" to a company called LifeLock. I hope I never need it, but if I do - I'd rather have these folks fight the battles with the credit rating companies. I've got too much other stuff to do. Another interesting tidbit in the report is a 30% sequential growth in bots. Makes sense given the rise in spam and ID theft.
6 ways to Roto-Rooter yourself
So what? - Leak prevention is hot. And as with every other security market that hits the inflection point, every vendor is trying to position there. Fact is, this is the first of the "information/data security" disciplines to hit the big time. I guess anti-spam and web filtering are information oriented, but in kind of an outside-in way. Leak prevention is really about inside-out protection. These 6 tips in ComputerWorld are pretty good (here) and effectively frame out the problem. I don't need 6 steps, since my process is 4. Identify what data is important and where it is. Profile it (sometimes called fingerprinting) to make sure you'll know when it goes somewhere. Protect it (using layered gateways and endpoint offerings), and finally report on it (to keep the auditors happy). ComputerWorld also added the steps of limiting user privileges, and centralizing intellectual property - which tend to be very difficult in practice.
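To make the four steps concrete, here is a small content-fingerprinting loop written for this post; it is an added illustration, not code from ComputerWorld or from any leak-prevention product. The "crown jewel" documents and the outbound messages are constructed sample text, and the hashing of word windows (shingles) stands in for what a commercial engine would do with winnowing, partial-match scoring and file-type parsing. Identify is the `SENSITIVE_DOCS` table, profile is `build_index`, protect is `scan` deciding on an outbound message, and report is the audit line `report_line` emits for every decision.

```python
"""
Identify / profile (fingerprint) / protect / report, in miniature.
All documents and messages below are constructed for this example.
"""
import hashlib
import re
from collections import defaultdict

K = 4  # words per shingle; smaller catches shorter excerpts, larger cuts false positives

# Step 1 (identify): the documents that matter, and where they live.
SENSITIVE_DOCS = {
    "q2_customer_list.txt": (
        "Customer renewal list for Q2. Acme Corp renews on June first at forty "
        "thousand dollars. Globex renews in July at sixty thousand dollars. "
        "Initech is at risk of churn and needs an executive call."
    ),
    "pricing_model.txt": (
        "Internal pricing model. List price is one hundred dollars per seat per "
        "year. Discount floor is thirty five percent for deals over five hundred "
        "seats. Never quote below floor without VP approval."
    ),
}


def normalize(text: str) -> list:
    """Lowercase, strip punctuation and collapse whitespace into a word list."""
    return re.sub(r"[^a-z0-9 ]+", " ", text.lower()).split()


def shingles(text: str, k: int = K) -> set:
    """Hash every k-word window; the set of hashes is the text's fingerprint."""
    words = normalize(text)
    return {
        hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
        for i in range(len(words) - k + 1)
    }


def build_index(docs: dict, k: int = K) -> dict:
    """Step 2 (profile): map each shingle hash to the sensitive docs containing it."""
    index = defaultdict(set)
    for name, body in docs.items():
        for h in shingles(body, k):
            index[h].add(name)
    return index


def scan(message: str, index: dict, k: int = K, threshold: float = 0.25) -> dict:
    """Step 3 (protect): score an outbound message against the index.

    Returns {doc: fraction of the message's shingles that also occur in doc}
    for every doc at or above the threshold; an empty dict means allow."""
    msg = shingles(message, k)
    if not msg:
        return {}
    hits = defaultdict(int)
    for h in msg:
        for doc in index.get(h, ()):
            hits[doc] += 1
    return {doc: n / len(msg) for doc, n in hits.items() if n / len(msg) >= threshold}


def report_line(channel: str, sender: str, findings: dict) -> str:
    """Step 4 (report): one audit-log line per decision, for the auditors."""
    if not findings:
        return f"ALLOW channel={channel} sender={sender}"
    worst = max(findings, key=findings.get)
    return (f"BLOCK channel={channel} sender={sender} "
            f"doc={worst} overlap={findings[worst]:.2f}")


# Constructed outbound messages: one pastes from a sensitive doc, one is harmless.
LEAKY_MESSAGE = ("fyi from my notes: Initech is at risk of churn and needs an executive "
                 "call. Globex renews in July at sixty thousand dollars. let's grab lunch")
BENIGN_MESSAGE = "Hey, are we still on for the strategy session next week? I need to prep the slides."


def check_outbound(message: str, channel: str = "smtp", sender: str = "user@example.test") -> str:
    """Run the full loop for one message and return its audit line."""
    return report_line(channel, sender, scan(message, build_index(SENSITIVE_DOCS)))


if __name__ == "__main__":
    print(check_outbound(LEAKY_MESSAGE))
    print(check_outbound(BENIGN_MESSAGE))
```

The overlap score is the share of the message that was lifted from a protected document, so a single quoted sentence in a long email scores low while a pasted paragraph scores high; tune `K` and `threshold` against your own traffic before trusting the BLOCK verdicts.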
Security - it's in there - but is that a good thing?
So what? - The Taoist points to a recent Infonetics study (here, Infonetics link here) to pat himself on the back that he was right about networking equipment subsuming network security functionality. It's true, it's the trend, and as organizations refresh their campus infrastructure over the next two years, why wouldn't they build in some security? They will, but as Hoff points out (here) we do have to worry a bit about mono-culture. And I think Hoff gets a little more leeway than Dan Geer did at @Stake to call bunk (especially when it bolsters his employer's positioning, as opposed to endangering a huge contract with Microsoft). That's why I'm calling for a separate "assurance" function in larger enterprises. Operations is responsible to get things done and keep them secure. Assurance makes sure it happens. And no, these are not glorified auditors. We are talking a STRICTLY SECURITY function. It's step 10 in the P-CSO if you want to know more.
The Laundry List
RSA gets into the Trojan takedown business. Opens opportunity for Durex and Lifestyles. - here
Month of MySpace bugs begins. High schoolers panic. Pedophiles rejoice. - here
FullArmor offers the endpoint side of NAC. Figures it can compete with free. - here
GuardianEdge integrates a bunch of endpoint technologies (encryption and device control), AV suite next? - here
Fortify fortifies .Net applications. - here
Is 7 a lucky number? Vontu will find out with the release of its release 7. - here
Top Blog Postings
Tao round-up on incident response and detection
I guess Bejtlich has been home a bit lately because he's blogging like a madman. He did two interesting posts last week that I didn't want to let slip because they add some more depth to things that I think are important. Both relate to Step 8 of the P-CSO - Contain the Problem. First, Richard provides 5 points on incident response (here). He says AV isn't an answer when the brown stuff hits the fan and that customers are better off rebuilding compromised machines (as opposed to cleaning). Right on. The other 3 are equally important. His second piece picks up on Joanna Rutkowska's points in the press last week about detection. I disagree a bit in that the industry has been focused on detection since day one. That's what AV is after all, and it used to be called intrusion DETECTION way back when. Her point is that folks have become enamored with stopping the problems, but in reality - you can't. Richard makes the same point. We need to react faster and that's why I'm a big fan of behavior analysis (or Richard's term, network security monitoring) because the best way to know something is amiss is when you see wacky network traffic patterns.
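The "wacky network traffic patterns" argument is easier to evaluate with a worked example, so here is a toy behavioral baseline added for this post; it is not Bejtlich's code or any NSM product's. The hourly flow summaries are constructed, and the detector simply compares each host's outbound volume and destination-port fan-out against that host's own median and MAD (a robust z-score), which is the essence of spotting "amiss" before any signature exists.

```python
"""
Toy network-behaviour baseline: flag hosts whose outbound volume or port
fan-out departs sharply from their own history.  Flow records are constructed
for this example; a real deployment would read them from a flow collector.
"""
from collections import defaultdict
from statistics import median

# Constructed hourly flow summaries: (host, hour, bytes_out, distinct_dst_ports)
FLOWS = (
    [("10.1.1.5", h, 120_000 + (h % 3) * 5_000, 3) for h in range(24)]
    + [("10.1.1.9", h, 90_000 + (h % 4) * 4_000, 3 + h % 2) for h in range(23)]
    + [("10.1.1.9", 23, 2_600_000, 41)]  # sudden bulk upload fanned across many ports
)


def robust_z(value: float, med: float, mad: float) -> float:
    """Modified z-score: 0.6745 * (x - median) / MAD.

    A MAD of zero means the baseline never varied, so any change at all is
    treated as extreme rather than dividing by zero."""
    if mad == 0:
        return 0.0 if value == med else float("inf")
    return 0.6745 * (value - med) / mad


def baseline(values: list) -> tuple:
    """Median and median absolute deviation of a host's history for one metric."""
    med = median(values)
    return med, median(abs(v - med) for v in values)


def detect(records: list, z_threshold: float = 6.0) -> list:
    """Return (host, hour, metric, value, z) for every record whose bytes_out or
    port fan-out sits more than z_threshold robust deviations above that host's
    own baseline.  Each host is compared only with itself, so a busy file
    server and a quiet desktop get different normals."""
    by_host = defaultdict(list)
    for rec in records:
        by_host[rec[0]].append(rec)
    alerts = []
    for host, rows in by_host.items():
        for metric, idx in (("bytes_out", 2), ("dst_ports", 3)):
            med, mad = baseline([r[idx] for r in rows])
            for r in rows:
                z = robust_z(r[idx], med, mad)
                if z > z_threshold:
                    alerts.append((host, r[1], metric, r[idx], z))
    return sorted(alerts)


if __name__ == "__main__":
    for host, hour, metric, value, z in detect(FLOWS):
        print(f"ALERT host={host} hour={hour:02d} {metric}={value} z={z:.1f}")
```

Two things this shows that the prose does not: the same absolute number (41 destination ports) is only an anomaly relative to the host's history, and volume and fan-out are scored separately, so a slow exfiltration that stays under the byte threshold can still trip on port behaviour. Real NSM would also baseline by time of day and peer group, which this toy omits.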
Farnum has red hair?
Nope, he's bald. But this post on his ComputerWorld blog is right on. He calls internal auditors the red-headed stepchildren, but I think that's a tarnished term. Let's start calling them "security assurance professionals" and give them a new start. Anything audit definitely has a negative connotation. Because what they do is CRITICAL to ensuring the security of an organization. Farnum refers to Dr. Anton's breakdown of responsibilities (security sets policies, operations gets it done, and audit makes sure it happened) as where things are going to end up, but I'm not sure it's there yet. There is still a big blur between security and operations, and it usually has to do with a CSO that is an empire builder. They don't want to part with the "do" resources because their self-esteem is predicated on the number of people in their organization. Distinctly unPragmatic is that approach. As Sting sang, "Free, free, set them free." CSOs set the program and work with the ops teams to implement it. As security becomes an integral part of everything, I don't see it working any other way.
What is security risk management again?
I saw this title on a recent Tom Olzak piece and hoped that the enigma that is "Security Risk Management" would finally be solved. Not so much. Tom pokes at articles by Jay Heiser and Donn Parker to make his points. On the pro side, throw in a little risk equation and the business justification of security and... I'm still friggin' confused. What the hell is SRM? On the negative side, we should be protecting anyway - since we can't really model the impact of something that we don't understand. Tom comes to the conclusion that neither a focused security perspective (fix everything) nor a risk-based mentality (weigh it against all the other uses of resources) is healthy. I end up in a different place, and it originates from the need to protect BUSINESS SYSTEMS. The risk part comes from figuring out which business systems present the greatest impact to the business if they have problems. The security part comes in when you do everything you can to keep those most critical systems operating. Clearly nothing in security is exact, but if you focus on the most critical systems - you are doing your organization the greatest service. And I still don't understand what any of this has to do with security risk management.