The Daily Incite - July 24, 2007

Submitted by Mike Rothman on Tue, 2007-07-24 09:40.
Today's Daily Incite

July 24, 2007 - Volume 2, #108

Good Morning:
I'm hoping it's true that "an apple a day keeps the doctor away." Never one to go for the mean, I'm going for 5-7 apples daily for the next 7 days (actually next 5 days because I started on Sunday). As I mentioned yesterday, I kind of fell off the health and wellness wagon for two weeks and it was time to get back on. But I do have other motives for the Apple plan, and it's not just because I love my MacBook and iPods.

There is a history of colon cancer in my family. Colon cancer has some bad juju, especially if you don't catch it early. Though not yet 40, I've got my first colonoscopy scheduled for next month. My Doctor said the age of diagnosis is trending downward. That's not good news. I'm opting for knowing, rather than playing the odds that I've got no problems. Given that I had been a bad boy lately and the news of my imminent scoping, I'm not waiting to get back into fighting form. So what the hell, I decided to try a cleansing and detox program for a week. Then I'll be clean as a whistle for Black Hat.

I could have done a juice-only cleanse or even a full-on fast. But that is a little hardcore, even for me. So I went with the "apple cleanse." All I do is eat apples until dinner. For dinner I have a small entree (200-300 calories - no meat) and lots of steamed vegetables. I take some supplements and fiber to accelerate the cleansing, and it's working. I'll do this for a week. Today (which is day 3), I'm feeling good. My Mom warned me not to stray too far from the bathroom this week, but it hasn't been bad at all. I do keep a pretty high fiber diet most of the time anyway (lots and lots of salad), so I guess it's not that much of a departure.

One more thing, I'm sure many of you couldn't care less about my health trials and tribulations. Sorry about that, but as I've always said - I write the Incite for me and I'm just fortunate that other folks find value in it. This is what I feel like writing about this AM. Now back to our regularly scheduled programming, since I need to go drop the kids off at the pool.

Have a great day.

Top Security News

iPhone hacked
So what? - Ryan Naraine (and pretty much everyone else on the planet) is hyping up the big new iPhone exploit. Funny that the Errata guys haven't weighed in on this hole, since they tend to push the Apple security bandwagon as much as anyone. Of course, the Apple fanboys come rushing to the defense of 1 Infinite Loop, but the reality is it's a losing battle. Everything can be broken and the unprecedented hype around the iPhone makes it a plum target for the bad guys. Not that this attack is so special, though getting access to the password vault could be problematic for those folks doing banking or trading on their iPhone. What it really shows to me is the need for anyone with an Internet-connected device to know about good security practices. Like not storing your very sensitive passwords on the iPhone, for instance. As Naraine points out, this drive-by attack doesn't require the user to do anything but connect to a bogus hotspot or web site. Unfortunately, this is going to be the first of many issues identified with the iPhone. So if you have one, make sure to keep it up to date and patch it immediately when an update hits. Connect to WiFi only in trusted places, and don't click on random links. Not a lot different than what you should be doing with your laptop.

GE brings encryption to light
So what? - We really should see more case studies out there, but that's a big problem because most organizations don't like to talk about what they do or don't do from a security standpoint. Can't say I disagree with the "don't ask, don't tell" approach, since the last thing you want to do is give a bad guy any intelligence about what you do. This InformationWeek piece on how GE Healthcare has embraced encryption is interesting: they are phasing it in (starting with laptops and then moving on to structured and unstructured data, storage, backup tapes, and USB drives) and clearly they plan to encrypt everything. The risks of bad guys compromising the data are real, but the complexity of managing the keys to all of that data is also significant. Not sure this is an indication that encryption is really ready for prime time, wide-scale deployment - but we'll see. We need to protect data; the question is what's the best way to skin that cat.

Back to school
So what? - I've always been a fan of constant learning, which is a good thing since that's pretty much my job nowadays. But it's good to see more business-oriented curriculum being developed for the technology staffers out there. Like this program Wharton is running with a little help from their friends at Gartner. Technology is a business function, yet so many technical people are not trained and really don't understand pretty simple business acumen. I do wonder how a CIO would be placed in the position without some semblance of business skills, but I'm probably not supposed to think that hard about it. For those of you that enjoy breaking things, you can check out this program to become Masters in security stuff. Just bring your check for $21K and pray these folks get accredited. The reality is you are much better off looking at existing programs. I'm all for start-ups, but not when I'm investing 20 grand for a piece of paper. I need to make sure the parchment will be worth the plaque it's mounted on.

The Laundry List

  1. Looks like NAC is taking off in education and government. Not surprising, though does anyone care to bet which vendor this is - with over 1,000 NAC customers? I'd bet it starts with C and ends with -isco. - NetworkWorld VPN newsletter
  2. Check Point's quarter doesn't suck. Who knew? Certainly not the Street, as CHKP beats Wall Street estimates. - Check Point earnings release
  3. EMC also announces. RSA is doing well, showing over 20% growth to a $125M top line. Worth $2.1B? Not clear yet, but 20% growth is pretty good. - EMC earnings release

Top Blog Postings

Who's going to get fired?
I'm almost done digging through my Web archives from when I was away and I didn't want Jack Jones' treatise on who makes the risk decisions to go by without comment. The first thing I'll note is that Jack is a really smart guy. I've met him and he knows what he's talking about. One slight stylistic problem is the old adage of "I would have made it shorter, but I didn't have the time." Jack has a book somewhere in him, just dying to come out. I guess he needs to adjust to the feed reader mentality of short and sweet summaries. I should send him to the Joaquin Gonzalez school of writing. Yeah, inside joke. But back to topic, Jack in his roundabout way gets to the point that business people probably should be making the really significant risk decisions based on comprehensive, unbiased information provided by the security folks. Right right right. But ultimately it gets back to what I'll call the "fired" doctrine. If you are going to get fired if you choose wrong, then maybe you want to ask someone else. Of course, at some point, the buck has to stop somewhere. But there is no need to take a comfy seat in the electric chair if you don't need to.
http://riskmanagementinsight.com/riskanalysis/?p=228

Auditors... Minutia... No?!?!?
Ron (at least I think it's Ron) puts up a good post on the Catalyst site regarding how most SOX auditors have it wrong. He suggests they should be focusing their audits on gauging "knowledge and intent," as opposed to the checklist-oriented minutia that they tend to focus on. Without totally offending every auditor out there (because I know there are a lot of them that can add value and do think on the job), you cannot assume that your auditor is anything more than a checklist monkey. And you should know if the auditor is a big plus or a big minus very early in the process. Moreover, you should be prepared for both. Right, have Plan A and Plan B. If they can help, then go with the Program Audit (as described in the P-CSO). If not, then give them what they need to fill out their checklist and send them on their way. You can go crazy trying to make someone into something they aren't. Don't make that mistake with your auditor.
http://www.securitycatalyst.com/2007/07/20/the-psychology-of-fraud-revisited/

Seven Deadly Sins - what about coveting your neighbor's wife?
Finally getting through the archives, I wanted to give this great post by Jeremiah some props. Of course, leave it to me to get the Seven Deadly Sins and the Ten Commandments a bit confused, but I was never much of a history buff. The post is very innovative and pretty insightful. The reality is, dealing with website vulnerabilities is very much like every other incident. You need to have a plan, and ignoring, obfuscating, blaming, or firing back at the messenger are pretty bad ways to respond. Remember, how you deal with incidents will dictate whether you get to keep your security job. Period. "What have you done lately?" is alive and well. And if you don't get incident response correct, you will be neither.
http://jeremiahgrossman.blogspot.com/2007/07/7-deadly-sins-of-website-vulnerability.html