The Daily Incite - August 13, 2007

Submitted by Mike Rothman on Mon, 2007-08-13 06:58.
Today's Daily Incite

August 13, 2007 - Volume 2, #119

Good Morning:
Today is the first day of school here in ATL. Hard to believe the summer is over. It really just flew by, but thankfully the kids still think that school is fun - so they are looking forward to their new academic year. The Boss and I will enjoy that as long as it lasts. When they reach high school age, I'm sure they'll be all fired up for that first day of school - NOT. It'll also be nice to get into a routine again, since pretty much all bets are off during the summer. And the traffic will increase noticeably as well. The good news is I rarely run into too much congestion walking from my kitchen to my office - so I'll hardly notice a thing.

Let's discuss the weather a bit. Not sure where you are, but in ATL it's been hot as hell. Like thank God for air conditioning hot. Like even the pool is hot tub hot. The one place I wouldn't want to be is outside playing golf in the middle of Oklahoma. I'm surprised you didn't have some golfers at the PGA spontaneously combusting by the 13th or 14th hole. But I continue to be thankful for high-def. There is nothing like seeing the beads of sweat cascading off all the golfers in HD. And you thought golf wasn't a real sport... Seeing Tiger Woods winning yet another major (is he great or what?) was also pretty cool. I was there when he won his first major in 1997 at the Masters. If life is good, maybe I'll go again when he breaks Nicklaus' record 18 majors. 

I also want to send a shout out to the folks that read my Symantec rant and offered to send me their AV products. I do appreciate the help, and I hope your products don't suck as well. Too bad no one offered to send me an iMac for my troubles. Come on Apple, call me...

Finally, I'm going to shake up the TDI publishing schedule. Since August tends to be pretty slow and I've kind of liked having Friday off from writing, I'm going to do the TDI on Monday, Wednesday and Thursday for a while. I'll resume publishing the Pragmatic CSO Weekly on Tuesdays. If you get the RSS feed, you'll still get some Incite 4 days a week. If you aren't on the P-CSO mailing list, you can sign up at www.pragmaticcso.com.

Lots to do, so I won't keep rambling. Lots of things to do. Have a great day.

Top Security News

App-level firewall primer
So what? - There's been a bunch of activity around the net lately to remind folks that what they write will pretty much be out there in perpetuity. Years and years later, folks will find blog rants, so most of us should think about this before we hit publish on our respective blogs. When you write for TechTarget, it seems these pieces also never die. So I missed when I tagged a Michael Cobb tip on application firewalls that it was actually written in March. But it's a good piece and makes a couple of points that are missed when you just throw a box in and hope the problem goes away. Like the fact that deep inspection firewalls gather more detailed log files. These logs can be used to figure out if/what happened in the event of an issue. Another interesting aspect is when/how to utilize VLANs and network switches to protect internal networks, given the extra processing power required to do application layer inspection at wire speeds. I'm not a big fan of throwing more boxes at the problem, but depending on your applications and architecture - an app-layer firewall may make sense.

Standards holding up encryption?
So what? - Just when you thought it was safe to get back in the water, you start hearing about PKI and crypto again. This Network Computing market overview goes into what is now called "enterprise key management" and comes to an initial conclusion that because there is no standard way to manage keys it's what's holding up the entire encryption market. Having spent $30 million of someone else's money to prove there was no real market for application-layer encryption/PKI in the late 90's, I suspect there is a more fundamental issue. I railed a bit a week ago about the lack of market demand for email encryption, and that is applicable to the broader encryption business as well. Yes, there are pockets of technology where encryption makes a lot of sense. And if you have more than a couple of these use cases, then looking at an enterprise encryption "utility" is worthwhile. But one of the first sentences in the article really sums things up: "CIOs don't roll out of their beds and think, "Hey, let's sink a few hundred grand into a cohesive enterprisewide encryption infrastructure."" Amen to that.

More NAC stats
So what? - It was only at the end of my marketing "career" that I finally had a venue to plant pretty much whatever spin I wanted in the media. That came in the form of these targeted email (and now RSS-based) newsletters that hone in on a very targeted technology market. When I was doing anti-spam there were a couple of these newsletters and the folks that wrote them were always looking for content. So there was a high likelihood that we could place whatever product launch or other "thought leadership" message we were pushing that week in at least a few newsletters. Looks like NetworkWorld's NAC newsletter is fitting nicely into that vendor/analyst mouthpiece outlet. This week's edition looks at a survey done by Infonetics about why companies are actually deploying NAC. But it seems they forgot the big one, which is that NAC is everything network security. Actually the results are kind of interesting in that the first reason is to "protect corporate resources from unauthorized users" and the next big one is "limiting the impact of security problems." Hmmm. What about making sure everyone's patch level is up to date and AV is working? As I've been saying, the action is around what I call Phase 2 and 3 of NAC. Check out my NAC research from last year (including my NAC attack series) to learn more. 

The Laundry List

  1. It seems our shorts are clean today, so there is no laundry. That'll teach me to get the Incite over the finish line before 8 AM EST.

Top Blog Postings

Where is security going?
Rob Newby asks an interesting question in this post about the future of security. Is it more about industry standard (or even virtualized) hardware? Is it about services? I do agree that the low hanging fruit of security has been picked and now it's more about constant improvement. So we are unlikely to see many (if any) truly innovative solutions out there anytime soon. Of course, I can be (and have been) surprised, but it feels like we are stagnating a bit as an industry. Which kind of makes sense because the reality is security should be a feature of everything we are doing. There will continue to be standalone solutions for security for quite a while, but if I break out the crystal ball and look a decade out - I suspect security will just be "in there," built into the networks, data centers and applications that comprise the business systems that run your organization. Guys like me that live off the fat of the security land will need to figure out some other stuff to do, which is OK by me.
http://robnewby.blogspot.com/2007/08/wheres-security-going.html

It's not about you (or them) - it's about the customer
Amen to Dave Lewis' rant about vendor sniping in this LiquidMatrix post. This would make me nuts when I was on the vendor side because the competition between arch-rivals became so personal that we kind of forgot about the customer and solving his/her problems. The reality is that taking the high road is hard when most challengers start the discussion with the customer relative to what they do better than you. Our best sales reps would defuse that situation straight away. By reminding the customer this isn't about which box does this or that better, but which will solve the entirety of the customer's problems, you can more effectively position. So sales guys (saleswomen have much less of this problem), leave your ego at home and go into the customer meetings focused on them - NOT you and your competition. Remember how Dave closes his post, "If you product is a good one it will sell itself. Don't bash "the other guys" but rather, tell me why yours is good."
http://www.liquidmatrix.org/blog/2007/08/10/security-vendor-bullsht-and-fud/

ID theft can (and will) happen to you
Redmonk's Steve O'Grady is the latest victim of ID Theft that has been brave enough to blog about it. Someone compromised his stuff and tried to open a bunch of credit accounts and a few cell phone accounts using his credit. Thankfully (for him) one of the credit card companies actually checked before issuing the credit. Steve then puts a 90 day hold on his credit record, meaning that any organization wishing to issue him credit will need a phone verification of the request. This is a good idea, even if you haven't been compromised. Sure it introduces a bit of a hassle when you want to get that Best Buy credit card to purchase a new big screen TV, but you'll be happier when you don't have to spend weeks cleaning up a mess like this. I don't want to get too specific, but let's say my summer project has some tips on this topic that everyone can use - but you'll need to wait until mid-September to learn more.
http://redmonk.com/sogrady/2007/08/08/identity-theft-i-guess-it-really-can-happen-to-anyone/
