The Daily Incite - April 16, 2007

Submitted by Mike Rothman on Mon, 2007-04-16 09:14.
Today's Daily Incite

April 16, 2007 - Volume 2, #62

Good Morning:
Brrrr. I feel like I'm in Bizarro land with the weather. In the 30s each morning, and only getting into the low 50s all weekend, it felt more like an Atlanta February, not mid-April. Not sure what is up with that, but I'm not moving any further South - so I'm hoping spring will return soon.

It was an action-packed weekend in Rothman-land. Taxes, workouts, pool-time, sleepovers, and last night we even ventured into the big city to see Ray Romano and Brad Garrett, who are on a comedy tour. Everyone does love Raymond, but I thought Brad was funnier. Definitely more raw and he was making fun of the folks up front. Lots of improv, which I really enjoy. Ray was funny too, but in that family oriented, father of 4 type of show. I can relate, especially to the stories he told about his twins, but all other things being equal - I'll take a quick witted comedian chopping the audience into little pieces every day of the week.

Also saw this weekend that CA is going after Charles Wang (here). Good for them. How Kumar ends up with years in the big house and millions in restitution and Wang gets off with nothing doesn't seem fair. Maybe he's innocent, but his sense of timing is impeccable. Let's just say, I really doubt the 36-day month originated when Kumar took over as CEO. Maybe justice will prevail after all.

One other thing of note I saw over the weekend is some research being done at UCLA about building a totally new Internet (here). That's right, moving past the existing one and building one with security, mobility, and performance in mind. Is it feasible? Probably not. Is it a good discussion to have? Of course it is. We shouldn't be saddled to our legacy or decide to do things just because that's the way it's been done before. That doesn't make it right. I think Microsoft should be having those discussions as well relative to the OS, especially now that Vista is over the finish line. Can it be done better? Is compatibility that important (as long as some key applications show up on the new platform)? Shame on us if we aren't asking those questions.

On Friday I announced the first P-CSO Bootcamp, which will take place on May 3 in Atlanta (here). Sign up now, there are only 10 spots available.

Have a great day.

Top Security News

77% won't shop @ 0wned stores? - Unlikely
So what? - More survey madness for ya. It seems folks at a research shop called Javelin have found that 77% of 2,750 consumers would stop shopping at stores that suffer data breaches (here). I think this number is crap. Why? The analogy I'll use is drinking, which is something I can relate to. If you asked me at 10 AM the morning after a bender whether I'd be drinking again, the answer would be no. By 7 PM, my headache had abated and I was ready to rumble again. Of course, those were the good old days, but the point is the same. If you ask someone a question while they still have festering road rash, the answer will be no - every single time. But time heals, memories fade, and venomous anger yields to forgiveness and forgetfulness. So these data breaches are a big PR nightmare, but it'll be interesting in 2 years to see how much they affect real business. One caveat is when a data breach causes a company to become insolvent (think CardSystems): you can't really recover from that, as the credit card companies can give you a death sentence. But that's not in the hands of the consumers.

Hot start-ups in security?
So what? - I must have gotten asked a hundred times if I saw anything interesting at RSA a couple months ago. The answer then was no and the answer now is still no. There is very little real innovation happening in security right now, and candidly I think that's a good thing. So the folks at Dark Reading can spin their wheels assembling a list of hot start-ups (here). They can get loudmouth analysts (like me) to comment on some of the companies, as I did. There are some interesting ideas, but nothing that makes me think "everyone needs one of those." But ultimately, most security professionals out there don't need innovation, they need to assimilate the stuff they already have. I know the world (especially on the attack side) is dynamic and we need to respond, but I'm still of the opinion that we aren't really dealing with technology problems. Most of our issues relate to process and people. Sure, another technology band-aid can help sometimes, but if we spent as much time fixing the process and training the people as we do looking for the silver bullet, things would work a lot better.

"Encouragement" isn't going to help PCI adoption
So what? - Let's revisit my friend Maslow for a few minutes. I bring up the hierarchy of needs because it seems that Visa doesn't get it, relative to how to get more organizations to take PCI seriously (here). Encouragement, education, even financial bonuses aren't going to help. Sure, call up the CEO and "convince" them why they should be compliant. That'll work - NOT. We need some good, old fashioned ass kicking. A few public executions. A little bit of blood in the street. Right now, no one feels the pain. TJX's data breach was a PR issue. If Visa were to take away their ability to accept Visa cards - now that would hurt. And that would get people's attention. And that would be the kind of "encouragement" that could be successful. Fact is, as much as we try to be caring and nurturing and bring people around to your line of thinking in a constructive fashion, the reality is different. Take away someone's roof in hurricane season and they will listen.

The Laundry List

  1. A look inside Patch Tuesday, from the MSRC front lines. I think I'd rather be on the front line attacking Mordor. - here
  2. Family security education - Big Yellow Style. Symantec is the first of Big Security to get education. Santa has also done some stuff (here) - here
Top Blog Postings

Security vs. convenience
The androgynous Layer8 takes me to task a bit for horrifyingly suggesting that you should strip encrypted .zip attachments out at the gateway. It's "poor man's encryption," don't cha know? That's crap. I've been suggesting this for years and it works. Of course, if you can't show the value to your organization of not letting malware in and can't quantify the time you'll spend cleaning up the mess because of something that could have easily been remedied with a pretty simple command on the gateway - then you've got much bigger problems. It's all about credibility, and folks that can't get a simple control implemented that will avoid pretty sophomoric attacks don't have any. There are a lot of workarounds to getting secure information from one location to another. They are not all overly technical and hard to use. Sure, .zip is easy, but it creates more risk than benefit. Of course, that's one man's opinion. The point is that there is always a reason why you can't change a user's expectation or experience. Why it's too hard to get them to do the right thing. I'm not in the excuses business. Don't bitch that your users always shoot their foot off when you are giving them the shotgun and the ammo.
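The "pretty simple command on the gateway" above boils down to a metadata check, since a password-protected ZIP advertises itself in bit 0 of each entry's general-purpose flag. The following is an added example, not code from the original post or from any gateway product; `gateway_verdict` and the sample archives are constructed here for illustration.

```python
import io
import struct
import zipfile

# Bit 0 of the ZIP "general purpose bit flag" marks a password-protected entry.
ENCRYPTED_FLAG = 0x0001


def encrypted_zip_entries(data: bytes) -> list:
    """Return the names of entries in `data` whose encryption flag is set.

    Returns [] for unencrypted archives and for data that is not a ZIP at
    all, so the caller can treat both as "nothing to strip".
    """
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [i.filename for i in zf.infolist()
                    if i.flag_bits & ENCRYPTED_FLAG]
    except zipfile.BadZipFile:
        return []


def gateway_verdict(data: bytes) -> str:
    """Hypothetical policy hook: strip the attachment if any entry is encrypted."""
    return "strip" if encrypted_zip_entries(data) else "pass"


# --- constructed sample attachments -----------------------------------------
def make_zip(name: str, payload: bytes, encrypted: bool) -> bytes:
    """Build a tiny ZIP in memory. For the 'encrypted' case we only set the
    flag bit in the central directory record: the gateway check inspects
    metadata, so the entry body need not really be encrypted for this demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    raw = bytearray(buf.getvalue())
    if encrypted:
        cd = raw.index(b"PK\x01\x02")  # central directory file header
        # general purpose bit flag lives at offset 8 of that record
        (flags,) = struct.unpack_from("<H", raw, cd + 8)
        struct.pack_into("<H", raw, cd + 8, flags | ENCRYPTED_FLAG)
    return bytes(raw)


PLAIN_ZIP = make_zip("report.txt", b"quarterly numbers", encrypted=False)
LOCKED_ZIP = make_zip("invoice.doc", b"constructed content", encrypted=True)
NOT_A_ZIP = b"%PDF-1.4 constructed, not an archive"
```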

RSnake gets insiders
RSnake goes on a little rant about how insiders can attack. This quote kind of says it all: "Have we gotten to an age where we need to protect our companies from our own users, rather than protect our users from the Internet?" Of course we have. That doesn't mean that we can forget about all the badness "out there," but rather we need to take the insider threat a lot more seriously. Should you be logging outbound web traffic through a proxy server? It depends. It's one way to enforce some accountability over what employees do (you can also do that using a web filtering package). More importantly it can help you to identify bad behavior, especially if it's unintended. A machine that has been compromised and added to a bot network will likely be launching attacks, sending spam, etc. The only way to know is to "spy" on what they are doing. I'll reiterate my previous guidance on this. Don't feel bad, don't be ashamed, just monitor network traffic. If an employee is using corporate resources, the corporation has the right to monitor what they are doing and make sure it doesn't create liability. To cover your butt, make this very explicit in the email and web acceptable use policies.
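What "spying" on outbound traffic through a proxy buys you, as an added example that is not part of the original post: summarise the proxy log per client and flag hosts whose pattern looks like a bot rather than a person. The log lines are constructed in Squid's native format, and the thresholds are assumptions a real deployment would tune.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed Squid-style access log: 10.1.2.10 browses normally, 10.1.2.77
# fans out to many hosts and tries to relay mail through the proxy.
#   time elapsed client action/status bytes method url ident hierarchy type
LOG = """\
1176710001.1 120 10.1.2.10 TCP_MISS/200 5120 GET http://news.example.com/ - DIRECT/192.0.2.1 text/html
1176710003.3 80 10.1.2.10 TCP_MISS/200 900 GET http://mail.example.com/inbox - DIRECT/192.0.2.2 text/html
1176710004.0 10 10.1.2.77 TCP_MISS/200 300 GET http://h1.example.net/x - DIRECT/198.51.100.1 text/html
1176710004.1 10 10.1.2.77 TCP_MISS/200 300 GET http://h2.example.net/x - DIRECT/198.51.100.2 text/html
1176710004.2 10 10.1.2.77 TCP_MISS/200 300 GET http://h3.example.net/x - DIRECT/198.51.100.3 text/html
1176710004.3 10 10.1.2.77 TCP_MISS/200 300 GET http://h4.example.net/x - DIRECT/198.51.100.4 text/html
1176710004.4 10 10.1.2.77 TCP_MISS/200 300 GET http://h5.example.net/x - DIRECT/198.51.100.5 text/html
1176710005.0 5 10.1.2.77 TCP_DENIED/403 0 CONNECT 203.0.113.9:25 - NONE/- -
"""

MAX_DISTINCT_HOSTS = 4          # assumed threshold for the window examined
ALLOWED_CONNECT_PORTS = {443}   # CONNECT anywhere else deserves a look


def dest_host_port(method, url):
    """CONNECT lines carry host:port; everything else is a full URL."""
    if method == "CONNECT":
        host, _, port = url.rpartition(":")
        return host, int(port)
    u = urlsplit(url)
    return u.hostname, u.port or 80


def suspicious_clients(log_text):
    """Map client IP -> list of reasons it looks compromised ({} if none)."""
    hosts = defaultdict(set)
    odd_connects = defaultdict(list)
    for line in log_text.splitlines():
        fields = line.split()
        client, method, url = fields[2], fields[5], fields[6]
        host, port = dest_host_port(method, url)
        hosts[client].add(host)
        if method == "CONNECT" and port not in ALLOWED_CONNECT_PORTS:
            odd_connects[client].append(f"{host}:{port}")
    findings = {}
    for client in hosts:
        reasons = []
        if len(hosts[client]) > MAX_DISTINCT_HOSTS:
            reasons.append(f"fan-out to {len(hosts[client])} hosts")
        if odd_connects[client]:
            reasons.append("CONNECT to " + ", ".join(odd_connects[client]))
        if reasons:
            findings[client] = reasons
    return findings
```

The point of the exercise is accountability for the host, not the person: a finding like this is the cue to pull the machine and look at it, which is exactly what you cannot do without the proxy log.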

Damage Control - Imus style
I was never a fan of Imus. I grew up in New York and he was a staple of the radio culture, but I just didn't think he was funny. Stern is much more my speed. So I didn't shed a tear as CBS fired him on Friday. He made a career of saying stupid things and sooner or later you need to be accountable. Normally I keep blog links focused on security issues, but this analysis of the Imus situation by marketing pundit Laura Ries is a gem. And by the way, it is security related. When you have an incident and the potential is there for outraged customers, you can do it right (Tylenol) or do it wrong (Imus, Veteran's Admin, TJX). This post provides some tips to do it right, and you never know when you'll need to point your marketing/crisis communications folks towards a good resource to keep you out of the boiling oil.