The Daily Incite - March 28, 2007
March 28, 2007 - Volume 2, #52
Good Morning:
I, like Rich Mogull (here) and Mike Murray (here), was appalled when I read the story of Kathy Sierra being harassed and threatened by people in the blogosphere. It brought me right back to something that I take very seriously and that's accountability. People need to be responsible and accountable for their actions. They should NOT be allowed to hide behind the shield of anonymity to say whatever they want with no repercussions.
If you can't own up to your statements or positions, then keep your mouth shut. It seems pretty simple to me. A lot of my security blogger friends went around quite a bit last night via email on what we can/should do. The first thing is to talk about it. We all have different takes on the situation, but to bury it or feel bad for her silently is the wrong thing to do. Second, I will no longer publish anonymous comments on my blog. No exceptions. If you don't have enough stones to put your name down and a valid email address, stuff a sock in it. And AnonEMoose (at) someisp.com is not a valid email address. It's also unlikely that your name is JFK or John Doe.
During the discussion last night, one guy pointed out that sometimes things are too sensitive or controversial or unpopular to say, so anonymity allows folks to do that. I call bullshit on that. Anonymity is the tool of a coward. I follow a pretty simple rule, if I wouldn't say it to your face, I won't say it to someone else or write it. It's not that hard. The guys harassing Kathy don't live by the same rule. They probably cower in her presence.
I just hope the authorities find those transgressors and make them pay. We'll see how tough they are when they are pulled out from behind their keyboards and have to own up to what they've done. I'm sure they'll make real purty girlfriends for Bubba and Gus. Maybe they'll luck out and just have Bernie Ebbers or Dennis Kozlowski go medieval on them. I hear those guys are learning all sorts of new "boardroom tactics" in the clink.
Have a great day.
Technorati: Information Security, CSO
The Pragmatic CSO is Here! Read the Intro and Get "5 Tips to be a Better CSO" - www.pragmaticcso.com
Top Security News
Incident response dissension
So what? - Tim Wilson points out that if you get 15 people in a room, you'll probably end up with 25 opinions on how to do incident response "right." (here) This is actually something I talk about frequently and am usually greeted with blank stares. Candidly, I don't think there is a right or wrong answer. And Tim is correct: when the incident goes down, even the most practiced and comprehensive plan will need to be adapted on the fly. You can't prepare for every scenario, but you MUST prepare for some. I equate it with my time at engineering school. I don't do linear optimizations or simulations anymore, but my education taught me how to solve a problem. How to find the resources to get a job done. And how to adapt to changing situations. It's those lessons that have served me throughout my career, not how to find the area on the inside of a sphere. An incident response plan can't teach you how to think, but it will start to get your head around the logical progression of events that need to happen. Depending on the situation, those events may differ a bit, but ultimately you'll need to do certain things (contain the problem, fix the mess, notify the powers that be, etc.) and if you don't practice A LOT, you won't be ready. And you need to be ready.
Metasploit 3.0 hits (finally)
So what? - The latest version of the open source penetration testing tool has finally hit, and it was a long time coming. Ryan Narene covers it here. The early reviews have been good and I can't stress the importance of "assurance tools" enough. The bad guys do not adhere to a code of ethics and you need to ensure your environment will stand up to the heat. The only way to do that is to use live ammo. Or at least paint balls. Some folks won't run open source exploits, but there are commercial alternatives. We will increasingly see "security assurance professionals" whose job in life is to test the security of the systems that run your business. Those folks need tools like this, and even if testing is only one (small) part of your job, don't neglect it. I can assure you the bad guys are getting very familiar with Metasploit 3.0 right about now.
The compelling case for outsourcing email security
So what? - This profile of a company that recently outsourced its email security really highlights why it makes a lot of sense for many customers (here). It's all about volume. The volume of spam and other bad email ebbs and flows, and fundamentally organizations need to decide if it's their job to manage the flows. Like last November when image spam hit hard. Lots of companies were caught flat-footed and needed to buy a lot more equipment to keep up with the volumes. That's always fun at the end of the year when you are trying to complete your strategic projects. Farming that task out alleviates all of those problems. Volumes are the other guy's problem now. Is it more expensive? Sometimes yes, and sometimes no. And sometimes organizations have very specific policies that can only be implemented on their own site, with their own gateway. My point is that you should at least take a look at a managed alternative when your maintenance renewal comes up. It can't hurt to look, right?
The Laundry List
BioPassword updates its enterprise offering, optimizing for Citrix. - here
Cisco revs IP surveillance technologies. Big Brother is watching. - here
I guess Websense is OK too, announcing an offering exactly like McAfee's OK - but a day late (and probably a dollar short). - here
Finjan discovers that malware still exists and it's coming to a neighborhood near you. - here
Webroot confirms that malware exists. Got to love these quarterly "research" reports. Thank you Captain Obvious. - here
Top Blog Postings
Log U
Dr. A makes a nice little list of the things you should be logging. Even better, you should actually go through your logs regularly to make sure there aren't things that you are missing. And a new blogger (Paul Melson) picks apart my SIM column on SearchSecurity (here) and largely comes to the same conclusion, though I'm not sure he realizes it. SIM can be useful for incident response, BUT ONLY IF YOU DON'T MESS WITH THE RECORDS. Any kind of normalization, data reduction or anything else is a no-no. You mess with the data, it ceases to be evidence. And given the amount of data we are talking about, you are probably looking at a purpose-built device to solve the problem.
http://chuvakin.blogspot.com/2007/03/anton-security-tip-of-day-9-but-he.html
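The "don't mess with the records" point above is easy to state and easy to violate: the moment a SIM rewrites a line to normalize it, the original is gone. One way to have both is to keep the raw records untouched and hash-chained, and derive the normalized view as a separate layer that references each raw record by its hash. The script below is an added example, not code from the Daily Incite, from Dr. Chuvakin's post or from any SIM product; the syslog lines, hostnames and addresses are constructed for illustration, and the chain format is an assumption of the example rather than any standard.

```python
"""Added example: immutable, hash-chained raw log archive with a separate
normalized view. Constructed sample data; not from any product or the page."""
import hashlib
import re
from dataclasses import dataclass

# Constructed sshd-style syslog lines (hypothetical host and addresses).
RAW_LOG_LINES = [
    "Mar 28 08:01:02 web01 sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2",
    "Mar 28 08:01:05 web01 sshd[4121]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2",
    "Mar 28 08:02:10 web01 sshd[4130]: Accepted publickey for deploy from 198.51.100.4 port 40100 ssh2",
]

GENESIS = "0" * 64  # assumed starting value for the first record's prev_hash


@dataclass(frozen=True)
class ChainedRecord:
    """A raw log line stored exactly as received, plus its chain metadata."""
    seq: int
    raw: str
    prev_hash: str
    record_hash: str


def _hash_record(seq: int, raw: str, prev_hash: str) -> str:
    # Each digest covers the sequence number, the previous digest and the
    # untouched raw bytes, so reordering, deletion or edits all break the chain.
    h = hashlib.sha256()
    h.update(f"{seq}\n{prev_hash}\n".encode())
    h.update(raw.encode())
    return h.hexdigest()


def build_evidence_chain(lines, genesis: str = GENESIS):
    """Archive raw lines verbatim; nothing is normalized or reduced here."""
    chain, prev = [], genesis
    for seq, raw in enumerate(lines):
        digest = _hash_record(seq, raw, prev)
        chain.append(ChainedRecord(seq, raw, prev, digest))
        prev = digest
    return chain


def verify_evidence_chain(chain, genesis: str = GENESIS):
    """Return (True, None) if intact, else (False, seq of first bad record)."""
    prev = genesis
    for rec in chain:
        if rec.prev_hash != prev or _hash_record(rec.seq, rec.raw, rec.prev_hash) != rec.record_hash:
            return False, rec.seq
        prev = rec.record_hash
    return True, None


# Normalization is a derived view: it reads the raw record, never rewrites it.
SSHD_RE = re.compile(r"^(?P<ts>\w{3} +\d+ [\d:]+) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: (?P<msg>.*)$")


def normalize(rec: ChainedRecord) -> dict:
    """Parse one raw record into fields, keeping a pointer back to the evidence."""
    m = SSHD_RE.match(rec.raw)
    if not m:
        return {"seq": rec.seq, "evidence_hash": rec.record_hash, "parsed": False}
    msg = m["msg"]
    ip = re.search(r" from (\S+) port", msg)
    if msg.startswith("Failed password"):
        outcome = "failure"
    elif msg.startswith("Accepted"):
        outcome = "success"
    else:
        outcome = "other"
    return {"seq": rec.seq, "evidence_hash": rec.record_hash, "parsed": True,
            "host": m["host"], "pid": int(m["pid"]),
            "outcome": outcome, "src_ip": ip.group(1) if ip else None}


def failed_logins_by_source(chain) -> dict:
    """Example analysis over the normalized view; the raw chain is unchanged."""
    counts = {}
    for rec in chain:
        ev = normalize(rec)
        if ev.get("outcome") == "failure":
            counts[ev["src_ip"]] = counts.get(ev["src_ip"], 0) + 1
    return counts


def tamper_and_verify(chain, seq: int, new_raw: str):
    """Simulate 'cleaning up' one archived record in place and re-verify."""
    altered = list(chain)
    rec = altered[seq]
    altered[seq] = ChainedRecord(rec.seq, new_raw, rec.prev_hash, rec.record_hash)
    return verify_evidence_chain(altered)


if __name__ == "__main__":
    chain = build_evidence_chain(RAW_LOG_LINES)
    print("intact:", verify_evidence_chain(chain))
    print("failures by source:", failed_logins_by_source(chain))
    print("after edit:", tamper_and_verify(chain, 0, RAW_LOG_LINES[0].replace("admin", "root")))
```

The analysis and reduction happen entirely in `normalize` and the functions built on it; the `ChainedRecord` objects are frozen and every derived event carries the hash of the raw line it came from, so an analyst can always get back to the original. The digest chain is what turns "we didn't touch the logs" from an assertion into something a third party can check.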
Slackers are everywhere
I frequently have the same experience that Rebecca Herold describes here. There are folks that do the bare minimum and think that is "good enough." It really depends on the customer's expectations. For some, it may actually be good enough. For others, maybe not so much. But my acid test is whether it's good enough FOR ME. I hold myself to a pretty high standard, and if I do what I think is a good job and someone thinks it isn't, then there was clearly a disconnect in setting and managing expectations. Rebecca's point is that slackers are definitely impacting the security of your organization, but her message is universal. Weak performers do nothing but cost time and money and they should be removed. It's hard, but it's reality. And if you don't take care of it as a manager, it becomes your problem.
http://www.realtime-itcompliance.com/information_security/2007/03/dont_be_a_security_slacker.htm
Who did it doesn't matter
Ira Winkler makes a very good point in this post about placing blame. Folks that get things done (let's call them Pragmatic CSOs) don't spend a lot of time trying to figure out why or who, but more how to solve the problem: eliminate the risk and move on. I will differ with Ira a bit in pointing out the importance of a post-mortem. When the shells are exploding over your head, you shouldn't be too worried about how you got there. It's just about making it out in one piece. But when the crisis has passed, you NEED to go back and figure out how you got there and take precautions to make sure you don't get there again. Fool me once, shame on you. Fool me twice, shame on me.
http://www.riskbloggers.com/irawinkler/2007/03/the-most-important-thing-in-security-is-responsibility/
Recently on the Security Incite Rants Blog
Check out the latest on the Security Incite blog
http://blog.securityincite.com/
Read the most recent Daily Incite
http://securityincite.com/security-incite-rants/daily-incite