The Daily Incite - May 7, 2007

Submitted by Mike Rothman on Mon, 2007-05-07 09:46.

May 7, 2007 - Volume 2, #74

Good Morning:
I get the question a lot about what I miss from the Northeast, now that I'm down in the South (of the US). The answer is not much. Obviously, I miss being around Jodi's family since they are tremendously helpful, but they come down to visit about once a month, so that is great. I don't miss the weather. I don't miss the hustle and bustle. I don't miss the property values or cost of living.

But I do miss the beach. Or being able to drive to the beach in a couple of hours. I met the Boss at the Delaware shore, and the beach has been a big part of my life for a long time. Even down in ATL, we try to make it up to Delaware each summer for a family week. I was reminded of that visiting my Dad this weekend on the Jersey shore.

First, Sam did like the airplane. He kept saying, "It's magic," as we were flying. It was very cute and then he'd turn back to the DVD (which is indispensable to keep your kid occupied and quiet on flights). We got delayed in Newark on the way home and we got to see lots of planes taking off and landing. He liked that a lot too. I guess because I've been flying pretty consistently for many years, the wonder of a big tin can lifting off the ground at a high rate of speed has been lost on me. It's too bad, flying really is magic.

Oh yeah, back to the beach. I'll admit that I'm wound pretty tightly most days. Besides starting my own business, I've got a lot of responsibilities on the home front and at the end of the day the bills have to be paid. So I wouldn't say I live a stress-free existence by any stretch of the imagination. But there is something about hearing the crashing waves and seeing the sun rise over the water where I just feel the stress slide right off. It was a great weekend (though a bit cold). It was great to see my Dad and his wife and some other family members who stopped in to visit.

It was also great to spend some alone time with Sam. I tend to forget that he is constantly competing with his sisters for attention. And with Sam being the least squeaky of the squeaky wheels, he usually ends up with the attention short stick. I think both of us benefited from being able to spend some focused time together. He didn't have to shout over his sisters, he could play with whatever toys he wanted, we took him to a boardwalk amusement park and he got to eat lots of French fries. What could be better for a 3 1/2 year old?

Alas, there is a point to this. Reflecting upon the numerous times I led a team (seems so long ago now), I didn't spend enough individual, focused time with my team members. We'd do staff meetings and I'd meet with folks on specific projects. But I never seemed to make the time (besides around annual reviews) to really spend time with my team. There were the guys in my lunch posse and we'd grab a bite almost every day, so I got to know them pretty well, but the other folks - not so much.
 
I think everybody at all levels of the organization needs time with the senior folks to feel like they matter. In retrospect, I should have made the time to grab lunch with the entry level web guy at least every couple of weeks. But I didn't. Life and job got in the way. I have no interest in making amends now because I have no interest in managing a big team anymore. But if you lead a team, give this some thought. How can you provide more support and guidance for EVERYONE on your team, not just direct reports?

That is your big thought for today. Have a great one and go get something done.


The Pragmatic CSO: Available Now!

Read the Intro and Get "5 Tips to be a Better CSO"
www.pragmaticcso.com

Pragmatic CSO Bootcamp - Maiden Voyage

June 6 in Atlanta

Sign up Now! Only 10 slots (and they are filling fast)

Sign up for the P-CSO bootcamp

Top Security News

Shocker - TJX back in the news
So what? - In the story that just won't die category, there is a lot more news about TJX. First, according to Dark Reading it seems the "best guess" about the attack vector is emerging, and it's about as clear as mud. I'm kind of shocked to think they snooped wireless traffic between the POS devices from outside. Not that they did that; the technique has been used against folks like Home Depot and Best Buy over the past few years. But that they'd target TJX. If you are going to try to compromise some highfalutin credit accounts, I wouldn't go looking at TJX. What about Bloomies or Saks? Out of the 45 million, I assume many had pretty restricted credit accounts. But the folks that shop at high-end department stores, probably not. Maybe I'm just generalizing here, but you rob banks because that's where the money is. Let me also point to a good post by Larry Hughes Jr. on the Riskbloggers site, regarding some legislation in discussion to impose "full financial responsibility" for losses on the retailers. Larry is right: "None of this is about security. It's about pushing liability for credit card fraud as far downstream as possible." If this kind of stuff passes, I expect credit card fees to drop through the floor because they'll be taking next to no risk. But that's likely to happen at about the same time hell freezes over. Rob Newby also vents about the stupidity of using WEP, but remember this compromise originally happened years ago, certainly before WEP became evil. All in all, it's still a mess, we are still talking about it and I suspect we will for some time to come as the legislation cycles hit on all cylinders.

Hacking contests are not evil
So what? - I'll jump on the bandwagon here, following up on the general disdain in the blogosphere for the G-men basically saying that hacking contests are evil. Bill Brenner of TechTarget sums it up in his SearchSecurity column. First of all, it's really hard to present all sides of the issue in a short research note. I should know, because I've taken my share of sticks in the eye about stuff I've written and I do about 100 words per snippet. So I'll cut Rich Mogull and Greg Young a little bit of slack, but not much. Why? Because there is very little incentive for security researchers to do their job. They are all finding these bugs in their free time. Sure it helps notoriety and is basically a marketing expense, but this isn't how they pay the bills. So putting a little bounty in place isn't a bad thing. Remember, there is a huge community of security researchers out there called the bad guys. They are finding holes and breaking things ALL THE TIME. We need to find ways to allow folks on the right side of the battle to do what they do, and make some money. That's good for all of us.

A WAF of another layer
So what? - RSnake has gotten religion in his Dark Reading column this week about web application firewalls, or WAFs. Of course he can break into any application, WAF or not. Top-tier security researchers, penetration testers and all-around smart guys can do that. But security is as much about the path of least resistance as it is about really being secure. What do I mean? Basically, if they want to get in, they are going to get in. Period. But if you make it harder, then the bad guys may look elsewhere initially. He brings up a number of good points about why having another layer in front of your application isn't a bad thing. First, you can react faster (which is what being Pragmatic is all about) - changing/patching applications is hard and can't be done instantly. So being able to put a rule in place to block a potential attack until the app can be fixed is a good thing. You can also do some poor man's anomaly detection about different types of attacks across applications. And it's another layer. Sure it's not foolproof and it's an advanced technique - but WAFs can help in a lot of circumstances.
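The two WAF benefits argued for above, a virtual-patch rule that blocks a pattern until the application itself can be fixed and a crude tally of attack types across applications, as an added example that is not from RSnake's column or any WAF product; the request lines, rule patterns, application names and ticket reference are all constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import unquote

# Constructed sample traffic in front of two applications: (app, path+query). Not real.
REQUESTS = [
    ("storefront", "/search?q=shoes"),
    ("storefront", "/search?q=' OR 1=1--"),
    ("storefront", "/item?id=42"),
    ("hrportal", "/profile?name=<script>alert(1)</script>"),
    ("storefront", "/search?q=%27%20UNION%20SELECT%20card_no%20FROM%20cards--"),
    ("hrportal", "/profile?name=alice"),
    ("storefront", "/legacy/export?file=../../etc/passwd"),
]

# Virtual-patch rules. 'apps' scopes a rule to the applications whose code fix is
# still pending (None = fleet-wide); the ticket reference is a hypothetical placeholder.
RULES = [
    {"name": "sqli-quote-keyword", "category": "sqli", "apps": None,
     "pattern": re.compile(r"""['"]\s*(or|union|select)\b""", re.I)},
    {"name": "xss-script-tag", "category": "xss", "apps": None,
     "pattern": re.compile(r"<\s*script\b", re.I)},
    {"name": "legacy-export-traversal", "category": "traversal", "apps": {"storefront"},
     "pattern": re.compile(r"^/legacy/.*\.\./"), "until": "FIX-000 (placeholder) ships"},
]
CATEGORY = {r["name"]: r["category"] for r in RULES}

def inspect(app, path):
    """Name of the first rule that fires, or None to pass the request through."""
    decoded = unquote(path)  # normalise %27 etc. so encoded variants hit the same rule
    for rule in RULES:
        if rule["apps"] is not None and app not in rule["apps"]:
            continue
        if rule["pattern"].search(decoded):
            return rule["name"]
    return None

def run(requests):
    """Block on rule hits and tally blocked attack categories per application."""
    per_app, blocked = defaultdict(Counter), []
    for app, path in requests:
        hit = inspect(app, path)
        if hit:
            blocked.append((app, path, hit))
            per_app[app][CATEGORY[hit]] += 1
    return blocked, per_app

def repeated_probes(per_app, min_hits=2):
    """Poor man's anomaly detection: (app, category, hits) seen at least min_hits times."""
    return sorted((app, cat, n) for app, c in per_app.items()
                  for cat, n in c.items() if n >= min_hits)
```

The scoped traversal rule is the stopgap the column describes: it only fires for the one application still awaiting its fix, and the per-app tally surfaces which application is being probed repeatedly for the same class of flaw.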

The Laundry List

  1. Microsoft tries to jump to the Forefront, releasing the business-oriented security product. As with everything Microsoft does, it'll be just OK at first (maybe not even good enough), and then it will get better. Game on! - Microsoft press release
  2. SonicWALL amps the hardware. Ain't Moore's law great? - SonicWALL press release
  3. Sourcefire announces Q1, in line with the pre-announcement. Now they get to build back investor trust, good luck with that. - Sourcefire earnings release
  4. ProofPoint announces "Dynamic Reputation." OK, how is this different? I'll see later this week and keep you posted. - ProofPoint Dynamic Reputation release

Top Blog Postings

More on awareness training
Of course I couldn't let Amrit's rant about awareness training pass by. The session I did with Amrit, Andy Purdy, and Santa was fun, but it was very obvious that Santa sells awareness training (among other things) and Amrit sells products. Thankfully Amrit clarifies things a bit in this follow-up post, but still. Product guys DON'T want you to educate your users. God help them if it actually works. Yes, that is a cynical view, but I'm a cynic - so go figure. It's once again all about layers. Yes, you need technology (maybe even security configuration management), but you also need a line of last defense, and that is in your users' heads. Consistent security training and education is the ONLY way to get there. There is no product out there to stop users from doing stupid things. None that I'm aware of, anyway.
http://techbuddha.wordpress.com/2007/05/02/the-ineffectiveness-of-user-awareness-training/

What do you say on your VM?
Security folks should be paranoid, and that is something some of us forget sometimes. The Security Monkey reminds me of that with this post about what you leave on your voice mail or even in those out-of-office email messages. I do say my last name on my voice mail, but that's about it. I'm way too lazy to change my voice mail greeting every day like some, and it turns out that a static greeting is a good security technique. I also don't do out-of-office messages on email because I don't want anyone to know where I am, since it's usually at a coffee shop somewhere. Sadly enough, I guess I never really am out of the office. My Blackberry is pretty much around all the time, so if something really important comes in - I can respond almost immediately. I guess I could be a lot more paranoid and hide my phone numbers and address and the like, but I don't. But at least I adhere to monkey best practices about voice mail.
http://blogs.ittoolbox.com/security/investigator/archives/would-you-mind-0wning-me-while-im-gone-16075

BLUE! Let's get back to Old School
Old School was a funny frickin' movie, that's for sure. But I digress. Farnum brings up some good points about old curmudgeons versus young know-it-alls. We all know folks in each category and we may very well be planted in one or the other. The generation gap is something that we've had to deal with through the years, and it would be great for the old guys to just fire all the young guys and teach them a lesson. Alas, it's not that simple, so we all have to figure out how to get along. Personally, I don't understand how anyone can be a know-it-all, regardless of whether you are old or young. The day you stop learning is the day you should be pushing up daisies. You can learn from folks young and old - I know I do. So how do you find the common ground? As a manager, you have direct conversations with both. If they still get into frequent cat fights - fire the younger person. Clearly they don't understand they need to learn constantly, and you won't have to deal with lawyers in taking out someone over 40. Sure it's Darwinian, but hey, that's life in the big city.
http://www.computerworld.com/blogs/node/5459

Recently on the Security Incite Rants Blog

Check out the latest on the Security Incite blog
http://blog.securityincite.com/

Read the most recent Daily Incite

http://securityincite.com/security-incite-rants/daily-incite