The Daily Incite - June 5, 2007
June 5, 2007 - Volume 2, #87
Good Morning:
Bootcamp - 1. That's right. One day to the P-CSO bootcamp. And boy is today going to be a busy day - wrapping up all the details, printing the workbooks, testing the brand spanking new projector, and basically just making sure I'm ready to put on a good show tomorrow. So I'll do a quick rant, blast through the news, get Leah ready for camp, and hibernate for the rest of the day. I'll be off the grid, so if you are trying to get in touch with me, don't take it personally. I'll likely just let you know I'll be back in touch on Thursday, after I take the obligatory 5 minutes and bask in the glory of a successful event and get back to work because that's what I do.
I have good news or maybe bad news, depending on how much I annoy you on a daily basis. It seems, based on my Doctor's expert opinion, that I'm going to be around for quite a while to incite you all. Not that I was worried, but hearing someone professional tell you that for a fat (though getting thinner), approaching middle age type of guy, I'm in decent shape. That's OK by me.
And the prostate check was much ado about nothing. I forgot that my Doctor has fine surgeon hands, not plumber or builder or brick mason hands. So that's good. I didn't even have to belt out "Moon River" at any point. Because I'm feeling charitable today, I think I'm going to send a case of Aqua-Glide to the local prison. What the hell? Maybe that would help reform the folks in the big house. Once a year, I regain my appreciation for Aqua-Glide. Any of you dudes out there over the age of 35 know exactly what I'm talking about.
I'm sure I have some more random thoughts, but I better get to Inciting, as opposed to philosophizing. Have a great day. FYI, there will likely be no Incite tomorrow. Maybe a quickie, but probably not. It's all Bootcamp, all the time.
Top Security News
How about Vomit 4.0?
So what? - So it looks like Gartner's big thing at this year's security summit is Security 3.0. It's covered here by Bill Brenner of SearchSecurity. I didn't hear the pitch, but the mere thought of it makes me want to puke. Why do we have to number everything today? Do we think things aren't advancing fast enough? Is our industry's self-esteem problem (actually make that the entire tech industry) finally coming to roost? How about SECURITY DONE RIGHT? I don't care if it's 2.0, 3.0 or 15.0. There will always be new applications and new attack vectors and pretty much new everything. And don't these guys know that customers never buy a .0 release?
Do you get what you pay for?
So what? - There is an interesting discussion of free vs. paid security software here on CNET's Community site. The question was pretty open ended, but one of the readers is wondering whether she needs to continue paying for security software. There are lots of comments, most coming down on the side that the free stuff is usually good enough. And if you take some simple precautions to lock down your machine and your network, it's definitely good enough. I'm on board with this, and in fact just loaded a free package on my father-in-law's machine last week. I figured he could take us out to dinner with what he'd save on renewing his Big AV subscription. Yes, I locked down his network and hardened his Windows machine.
Yes, your customers hate you
So what? - Here is a little love letter to most of the sales folks out there. Your customers can see right through your transparent, borderline desperate pitches trying to convince them of problems they don't have and issues they'd rather not think about. But I do give you sales folks props for getting out there every day and fighting the good fight, until you miss your numbers and need to go hump it to find another job. It's hard out there for a security sales person, but I suspect you aren't really helping yourselves with many of these tactics either. This humor piece on Dark Reading goes through some of the things that customers really don't like about what sales folks do. And I concur with most of them, since I've either aided or abetted many of these things when I was a marketing guy. If you need a yuk this morning, before you go and bang your head against the wall a few hundred more times, check this out.
The Laundry List
- Deal: EMC (RSA) buys Verid. Shows that the rest of the authentication market is totally asleep and reacting to whatever RSA does. - EMC Release
- eEye formally gets into the paid research business. Monetizing research investments, go figure. - eEye release
- Microsoft announces the "next-generation Forefront." Was there a first generation? They also claim to be the "first" to integrate unified protection, policy control and security management. Huh? Guess they've never seen ePO. - Microsoft PressPass Coverage
- VeriSign and AirMagnet roll out a wireless IPS service. Since everyone is using one already, they must be ready for a managed alternative. This could be a little case of the cart before the horse. - VeriSign release
Top Blog Postings
Buying every product doesn't make you secure
Steve Riley has a worthwhile post here that delves into the importance of driving policy and process, as opposed to products. He uses the dismissal of an employee, and the resulting actions as a way to make his point. But I want to focus on his preamble, where some guy thinks his network is secure because he buys every security product he can find. It's comments like that which remind me of how much work we have to do as an industry to educate the great unwashed out there. I really believe this guy thinks that because he throws products at the problem, that he'll be secure. This is a huge problem, but it needs to be fixed - BY ALL OF US.
http://blogs.technet.com/steriley/archive/2007/05/31/when-you-say-goodbye-to-an-employee.aspx
Web security certs - do they paint a target on your head?
The fine folks over at Ambersail ask a pretty interesting question in this post. We are all familiar with HackerSafe and 7 other dwarfs that offer these badges that go on your web site and allegedly show some level of diligence for security. I've never been sold, and if anything, they kind of lull commerce providers into a false sense of security. But the reality is that the bad guys basically get a map of how to break your stuff, if you have one of these badges. Since each of these glorified scanning vendors lists pretty much exactly what they are looking for, if something ain't on here, it's pretty likely they don't check for it - so go attack it. Hmmm. Very interesting idea. Which shows why I'm not a bad guy: clearly I'm not thinking out of the box enough.
http://blog.ambersail.co.uk/wordpress/?p=162
Sure, let's do everything...
I really love it when someone excerpts some text from the P-CSO introduction and figures they've got the entire process figured out. Here on Slav's Risque Management blog, the point of the post is that folks should try to protect everything - because making choices is evidently too hard. I guess these folks have a money tree out back and have tapped into the fountain of endless resources. I'm not sure where this person works, but try to get a job there. Before I pile on, let me just make the point. YOU CAN'T DO EVERYTHING. Even if you had the money, you don't have the time. YOU MUST MAKE CHOICES. And these choices are hard. The Pragmatic CSO lays out one man's thoughts on how to make those choices, but to think you can protect everything is naive and stupid.
http://msmvps.com/blogs/sp/archive/2007/06/02/pragmatism-doesn-t-always-work.aspx
Recently on the Security Incite Rants Blog
Check out the latest on the Security Incite blog
http://blog.securityincite.com/
Read the most recent Daily Incite
http://securityincite.com/security-incite-rants/daily-incite