The Daily Incite - May 16, 2007

Submitted by Mike Rothman on Wed, 2007-05-16 09:00.
Today's Daily Incite

May 16, 2007 - Volume 2, #80

Good Morning:
I'm a bad boy, a very bad boy. I stayed up WAY too late last night and I'm sure to be paying for it for the rest of the week. But something has to give, it always does. In my world, all too often it's sleep. That's what falls off the plate. And it wasn't like I was sitting around watching ESPN (which would have been nice). I spent last night with my family and then getting started on a non-work project that has taken on some urgency. Sometimes you have to do that.

I'm a pretty focused and intense guy. Always have been. But that means I have a tendency to get tunnel vision. Serious blinders to almost everything around me, especially when I'm fully engaged on a work project. I am finally coming to realize that isn't the way to go, it's not the path to balance, happiness and success. You need to slow down sometimes, recuperate, invest in YOU, not just your business. I hear those stories about the one-dimensional folks, who only work. Their work is their personal lives. I guess I can understand how it can happen, but it seems very sad. These folks are really missing out and they probably don't have any idea. Did anyone else think this profile of management guru Ram Charan was really strange? That's being pretty judgmental, but I guess the point is that kind of lifestyle has worn thin for me.

I know sometimes I don't give you proper context on my rants. Last night, I cut out of work a bit early and went to my daughter Leah's dance recital. The Boss and the twins were there (they actually sat sort of still for 90 minutes) and it was great. Not just Leah's performance, but the entire show. First of all, I don't know much about dance recitals because I have no sisters. The closest I got to a dance recital growing up was doing my war dance on my younger brother's head two or three times a day. Never mind the fact that I probably had 80 pounds on him or so. A win is a win, no? So now I'm fascinated with things like dance recitals. All of the girls seem to have so much fun. It's really great to see.

But we were out late. Of course we had to celebrate the performance by going to get ice cream at 9 PM. So we didn't get home until 10 PM, then we got the kids to bed, had a very late dinner (yes, I should have eaten before we left) and then sat back down to figure out how to burn an audio cassette to MP3 so I could load it up onto my iPod for my non-work stuff. It seems my computer doesn't have an audio cassette player anymore. Somewhere around 12:30 AM I started to panic as I remembered all the other work-related stuff that needed to get done before my trip this afternoon.

At about 1:30 AM, I realized the futility of panic. Again, break down the list. What needs to get done right now and what can wait until the morning? That's what I did. I figured out my audio project, got it done and then went to bed. The proposals will wait. The TDI will wait. Packing for my trip will wait. It'll all get done, it always does. I seem to forget that when I'm in the grips of panic.

And I am dragging a bit this AM, but it's OK. As always, I got tremendous satisfaction from figuring something out. I thrive on being creative and solving the problem. I can tinker with something for hours with boundless energy until I figure it out and the time passes in the blink of an eye. I'm just glad I took a few minutes this morning and realized how much I enjoyed being engaged in non-work stuff last night. All work and no play has made Mikey a dull boy. That needs to change.

Have a great day.


The Pragmatic CSO
The Pragmatic CSO:
Available Now!

Read the Intro and Get
"5 Tips to be a Better CSO"
www.pragmaticcso.com
Pragmatic CSO Bootcamp
Maiden Voyage

June 6 in Atlanta

Sign up Now!
Only 10 slots (and they are filling fast)

Sign up for the P-CSO bootcamp

Top Security News

Securing Web 2.0
So what? - Not to sound snobby or to look down on my journalistic friends because everyone has to start somewhere, but it feels like Jordan Wiens should be doing something bigger than writing reviews for Network Computing. This is the guy that won the application hacking contest at RSA, so he's got some cred and this introduction to web application security is great work. When I was working at META, I hired some of our best talent from the more technical trade pubs (folks like Johna Till Johnson, Michelle McLean, and Bruce Robertson) and I suspect it won't be long before a guy like Jordan starts looking at other things. But I digress, application security is critical and Jordan really provides a look from all sides of the issue. This is actually the precursor to a "rolling review" on web app scanners and other application security goodies, and the more I think about it, the more I don't like this rolling concept. If I'm making a decision now, I don't want to wait until Network Computing gets around to publishing the findings. I get that this is a real-time world and the media needs to change, but dribbling out reviews doesn't seem like it's going to help users make decisions any better. 

What do the benefits look like?
So what? - Larry Walsh relays an interesting interview he had with Websense's Gene Hodges about whether the good guys can compete with the bad guys in his CRN column. There have always been front organizations for organized crime to do things like provide benefits. It's amazing what you can learn from watching the Sopranos for 8 years. I guess the bad guys are now competing for computer talent, which is just plain old supply and demand in action. Adam Smith lives!!! Folks have a choice every day, whether to fight the good fight or the bad fight. Hodges draws the conclusion that we need to act differently and break the "rules." I'm not sure what that really means, but clearly the status quo isn't working. And the idea of a fringe group to do things outside of the corporate boundaries is not a new idea. That's pretty much what every security research group does. The problem is that as companies get bigger they have a harder time accepting innovation and it slows them down, and positions them to be disrupted by an upstart. But Clayton Christensen probably didn't envision that upstart being an organized, well-run crime faction, eh?

Nuthin But a "G" thang
So what? - Farnum gave Martin a hard time yesterday about his pimping for Cobia. Of course, that is Martin's job. My buddy Amrit also has a job and that's to pimp for his employer and this "byline" in ESJ is a big pimp job. Here Amrit does his former analyst best at picking apart NAC and making the case for why "continuous policy enforcement" is the right answer. Guess what business Amrit is in? I just love when these rat holes get opened time and time again. If NAC began and ended with pre-admission control, Amrit would have some legitimate points. But actually thinking about the network-oriented stuff that has to happen (at least in my definition of NAC) in addition to host integrity checking would be a bit inconvenient, since Amrit's company doesn't do that kind of stuff. That's why NAC is sure to disappoint. The term has been misused and manipulated and driven through the hype-grinder. I think everyone should just get out of the NAC business and focus on what problems they solve. As this piece shows, NAC means too many things to too many different people to be useful.

The Laundry List

  1. The power of a deterrent. PayPal's CSO talks about doing things, even before they are done. If they know you are watching, they act differently. - InformationWeek piece
  2. Congrats to Joanna Rutkowska as she steps into the breach, starting her own company. Somehow I doubt she'll have a hard time finding work. - Dark Reading coverage Naraine blog
  3. HP brings a (sen)sage in to help with SCADA monitoring. Interesting approach, since you can't really test brittle SCADA equipment. - NetworkWorld coverage
  4. Get IBM an ice pack. That lost employee data will leave a nice shiner. And maybe they should use their own encryption stuff. That would be novel. - TechTarget coverage

Top Blog Postings

Metrics futility
I was cracking up when I saw Dilbert this AM. I was going to mention it in my rant, but Hutton beat me to it. How does Scott Adams keep his stuff so relevant and biting? But he brings up the old topic of metrics and Alex follows that up with some of his own thoughts on security metrics in this post. Metrics continue to be a challenge, even though we are at least getting closer to a common vernacular. I'm doing a panel on metrics in Columbus, OH on Friday at the ISSA/InfraGard meeting and it will be very interesting to see what we come up with. We've got a lot of stuff to talk about and I'm going to be pushing the panelists for actionable information. I'm also going to be at MetriCon 2.0 this summer and hopefully we can continue pushing the agenda forward.
http://riskmanagementinsight.com/riskanalysis/?p=133

Yeah, but will the new law mean dick?
Brian Krebs sums up some of the new legislation being considered in the US to deal with cyber-crime. To be clear, I'm all for making the penalties as severe as possible and giving prosecutors more leeway to go after cyber-villains. But ultimately, I don't think it matters. The RICO laws have been in place for years and there is still a lot of organized crime. As much as before? Who knows. Maybe not, but this has been a concerted effort over many years. And organized crime's traditional businesses are local. You don't have folks that can play on a national and international stage and steal money from an international community, in places where you can't really prosecute them. So I'm all for folks trying, but I suspect this is a situation where for every Mitnick that gets caught, you'll have 10,000 soldiers working away on their keyboards, robbing folks blind.
http://blog.washingtonpost.com/securityfix/2007/05/a_cyber_crime_enforcement_tune.html

The evidence is there (you just have to find it)
On the Windows Incident Response blog (ain't Google blog search great?), Harlan states the "First Law of Computer Forensics," which is that there is evidence of every action. Absolutely, but you need to be a bit strategic and forward thinking to figure out what you should keep, for how long, and where to store/index the data - so when the brown stuff hits the fan, you'll have the data you need to react faster. Harlan then complicates things a bit by saying if there is no evidence, then that is evidence of tampering. Hmmm. You know, I like the idea of sending all those logs and other information to a box, hashing the records and ensuring they aren't tampered with. This should be a no-brainer for larger enterprises and something that even mid-sized companies should look into. Or wait until your forensics guys tell you that you don't have the data they need to figure out what happened.
http://windowsir.blogspot.com/2007/05/forensic-laws.html
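The "send the logs to a box and hash the records" idea above is simple enough to show end to end. The following is an added example, not code from this post or from Harlan's blog: it chains each log record to the hash of the one before it (SHA-256), keeps the final "head" hash on a separate system, and then checks a copy of the log for the three things a forensics team cares about: records that were altered, records that were removed, and a tail that was silently rewritten. The log records are constructed sample data, and the function and field names are this example's own choices.

```python
import hashlib
import json

# Constructed sample log records (hypothetical, for illustration only).
SAMPLE_RECORDS = [
    {"ts": "2007-05-15T22:10:03", "host": "fw1", "msg": "accepted ssh from 10.0.0.5"},
    {"ts": "2007-05-15T22:10:41", "host": "fw1", "msg": "denied tcp/445 from 10.0.0.9"},
    {"ts": "2007-05-15T22:11:17", "host": "web1", "msg": "admin login failed for root"},
    {"ts": "2007-05-15T22:12:00", "host": "web1", "msg": "admin login ok for jsmith"},
]

GENESIS = "0" * 64  # seed hash for the first entry of a chain


def _digest(prev_hash: str, record: dict) -> str:
    """SHA-256 of this record bound to the previous entry's hash."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + "\n" + canonical).encode()).hexdigest()


def build_chain(records, seed=GENESIS):
    """Return a list of entries {seq, record, prev, hash} forming a hash chain."""
    chain, prev = [], seed
    for seq, rec in enumerate(records):
        h = _digest(prev, rec)
        chain.append({"seq": seq, "record": rec, "prev": prev, "hash": h})
        prev = h
    return chain


def verify_chain(chain, head, seed=GENESIS):
    """Check a chain against the head hash held on a separate box.

    Returns (ok, problems). Detects modified records, removed entries and
    a rewritten or truncated tail.
    """
    problems, prev = [], seed
    for i, entry in enumerate(chain):
        if entry["seq"] != i:
            problems.append(f"gap: expected seq {i}, found {entry['seq']}")
        if entry["prev"] != prev:
            problems.append(f"seq {entry['seq']}: prev link broken")
        if _digest(entry["prev"], entry["record"]) != entry["hash"]:
            problems.append(f"seq {entry['seq']}: record does not match its hash")
        prev = entry["hash"]
    last = chain[-1]["hash"] if chain else seed
    if last != head:
        problems.append("head mismatch: chain does not end at the recorded head hash")
    return (not problems, problems)


def demo():
    """Run the intact chain and four tampering scenarios; return the results."""
    chain = build_chain(SAMPLE_RECORDS)
    head = chain[-1]["hash"]  # this value lives on the separate log box
    results = {"intact": verify_chain(chain, head)}

    # 1. A record is edited in place; its stored hash is left alone.
    modified = [dict(e, record=dict(e["record"])) for e in chain]
    modified[2]["record"]["msg"] = "admin login ok for root"
    results["modified"] = verify_chain(modified, head)

    # 2. A middle entry is removed entirely.
    results["deleted"] = verify_chain(chain[:1] + chain[2:], head)

    # 3. The newest entry is dropped (log truncated).
    results["truncated"] = verify_chain(chain[:-1], head)

    # 4. The edit is covered up by recomputing every hash from that point on;
    #    only the separately stored head hash gives it away.
    rewritten = build_chain([e["record"] for e in modified])
    results["rewritten"] = verify_chain(rewritten, head)
    return results


if __name__ == "__main__":
    for name, (ok, problems) in demo().items():
        print(f"{name:10s} ok={ok} {problems}")
```

The design point is the fourth scenario: hashing alone is not enough if whoever can edit the log can also recompute the hashes, so the head hash (or a periodic signed checkpoint) has to live where the log writer cannot reach it. That is the part of "send it to a box" that actually does the work.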


Submitted by Jordan Wiens (not verified) on Thu, 2007-06-14 06:13.

Wow, what a compliment! Thanks, Mike, I really appreciate it.

I'm really only part-time with network computing (overseeing the security beat for the magazine was supposed to be a "quarter time" position -- I'm sure you can guess how realistic that estimate turned out to be). I work full-time as a security engineer at the University of Florida. Of course, it was better press to say that a magazine editor won the RSA application hacking than to say a security engineer won it.

Besides, if you ask me, the RSA competition is much less challenging than the Defcon Capture the Flag competition the team I was on won last year, but I was only a freelance writer for the magazine then, not the security beat editor. ;-)

It looks like I may still be hanging around and doing something for CMP even after the changes being made, though I don't know the details right now (see below).

http://www.internetnews.com/ent-news/article.php/3683236

This particular rolling review of web app scanners will keep rolling along online somewhere, so you will (eventually!) get my take on Watchfire for what it's worth. In fact, not having to manage the print side should result in a quicker turn around.
