The Daily Incite - August 24, 2007
August 24, 2007 - Volume 2, #124
Good Morning:
I remember back to my wedding (scarily enough, almost 11 years ago) and we were trying to figure out what songs we didn't want the band to play. I took a hard line on the Chicken Dance. I just couldn't imagine letting that fiasco play out amid the festivities of my nuptials. Although amazingly enough, the Boss and I took some heat about it from a guest. Let's just say I wasn't in much of a negotiating mood on my wedding day. But I relented on HOT-HOT-HOT. I'm not a big fan of the whole Conga line thing, but for the first time of many - I bit my tongue, smiled a bit, and enjoyed the fact that everyone else seemed to have a great time.
I had that pretty random memory because the Sun Gods are hitting hard. It's friggin' hot in the ATL. On Wednesday it was 104, a record for all of August. That's like take-your-breath-away-when-you-walk-out-of-the-A/C hot. I know some of my friends that choose to live in the desert will have little sympathy (104 is a cold spell for them), but I migrated southward to avoid nasty winters, not cook eggs on my sidewalks. The kids can't even go outside for recess at school. It's that hot.
Yes, there is a point to this rambling and it's not just that it's
Friday and I'm mailing it in. Basically there are things that are out
of your control - always will be. Like the weather. So if you have
opened up shop in Jamaica, expect that a hurricane will rain on your
parade at some point every year. Part of the skill of pretty much
anything, but especially in security, is knowing what you can influence
and what you can't. To bring it back to our security world, you aren't
going to tell the Sr. VP of anything not to go after a multi-million
dollar business opportunity because it creates security challenges. You
aren't going to tell the CTO that iPhone is a cool gadget, but get it
off my network.
So we need to get good at planning for the inevitable. That's why I
harp on incident response and containment in pretty much every speaking
engagement, strategy session, water cooler chat and even phone call.
You can't envision all the different ways you can get nailed, but you
should try. And for those that you can visualize, make sure your
defenses will maintain the integrity of your systems. For those you
can't - make sure you practice your incident response plan - a lot.
And learn to enjoy the uncertainty. That's why you do this, right? If
you want predictability, go work on an assembly line. But you don't.
You made your bed, now you get to sleep in it. I'm just trying to make
sure it's not a bed of nails.
Have a great weekend.
Technorati: Information Security, CSO
The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com
Top Security News
Security services - My SaaS
So what? -
As with everything, there is a time and a place for security as a
service. Yet, this is not a high growth market. It's dominated by
telecom carriers and a few independents who are trying to figure out
how to get bought by a telecom carrier. InfoWorld figures the business is maturing fast, which is code for low growth and not too much
excitement. Hoff makes a great point about whether
security service providers are "more" secure or not, or whether it even
matters. To be clear, there are some activities that are
better suited to a service - like vulnerability scanning (externally
anyway), anti-spam, and firewall monitoring. Basically trained monkeys
can do that, so you should be focusing on more "strategic" activities.
And the news peg that elicited this rant is that hot on the heels of
raising $50 million, Perimeter eSecurity is raising another $50
bills and acquiring USA.net - a messaging service
provider. But it kind of makes sense, based on what the eventual
outcome for any independent MSP must be - an acquisition by a
carrier-like
entity. Carriers would love to sell email to their base as well, so
security + email could be kind of interesting. But aren't those
different buying centers? In a large enterprise - yes. In a mid-sized
business, probably not. So this is an interesting deal, you just hope
(for their sake) that they don't have a prohibitively high valuation
that will make it hard to get an upstream deal done unless you can find
dumb money (ahem, CyberTrust, ahem).
Is 5 days fast enough?
So what? -
One of the big news pegs that you'll hear about today is that it took Monster.com about 5 days to disclose
the data breach where the personal information of a
whole mess of grumpy job seekers, hoping that posting their resumes on
Monster would result in a life of happiness and prosperity, got stolen.
I can't answer the question about whether 5 days was too little or too
much, but I can give you an idea about what you need to know before you
disclose. You need to know what happened, how much was stolen, who was
affected, and what you are going to do to make sure it doesn't happen
again. Maybe not five 9's precision on what happened or who the
perpetrator(s) were, but enough to know generally what broke, so that
you can assure customers you will fix it. This ultimately comes down to
a trust game, and I'd advise someone to have more information (even if it takes a few days extra) than less. Saying "we're screwed, we just
don't know how big the pole is" doesn't engender confidence in your
customer base.
If you can't get that information after a certain amount of time, then
you need to disclose anyway - but understand you're going to be
pummeled (see exhibit A - TJX). Again, that's why I
harp time and time again about incident response. It's going to happen
to you, it's just not clear when.
August survey fiesta - the Captain Obvious triumvirate
So what? -
Yes it's the dog days of August. Since there isn't much going on, why
not keep the survey monkeys busy over the summer and have something to
say right before Labor Day. No less than 3 separate surveys (and a few
I'm sure I missed) hit this week about a variety of topics. First on
the hit parade is the shockingly obvious conclusion from
Current Analysis that Cisco is leading the mindshare game for NAC.
NSS, arghhh. And in second place? Right, Microsoft - which doesn't even
have a product. More arghhh. Second on the hit parade is the hardest
working guy in the survey business, Larry Ponemon, being kind enough to
take Redemtech's money to show that it's lost laptops that result in the bulk of
data breaches. Arghhh some more. Is that what it takes to
sell a security product nowadays? You have to have some trumped up
survey results to create some false urgency with an organization? I
guess logic and good, old fashioned project planning are out of style.
Arghhh. Finally, RSA gets Forrester's red-headed stepchild (that's the
consulting group for those of you that don't get how analyst firms
work) to draw the once again shockingly obvious conclusion that most firms are reactive when it comes to
data security. Looks like I'm going to have to order some
more Captain Obvious awards, since these folks are coming out of the
woodwork at an alarming rate.
The Laundry List
- And who said Symantec wasn't an innovator? Now it seems EMC has gotten the "storage + security = something" religion. Maybe Tucci will dress as John Thompson for Halloween. - CMP channel coverage
- SIM to "level off" at $1.18 billion in 2011? According to Forrester anyway. Guess times are tough in the qualitative research business, so they may as well start making up numbers like everyone else. Except me, of course. - Searchsecurity.com blog
Top Blog Postings
Lost laptop <> lost data
Ravi Char usually writes up good stuff about life in the trenches. Yet
the title of this post (lost laptop = lost data) is a bit misleading
and defeatist. The reality is that a lost laptop means lost hardware.
If you are losing data, then you better revisit your backup strategy.
Aside from my issues with the title, Ravi highlights some tips from
Microsoft to avoid losing your laptop. You know, flashes of brilliance
like don't carry a bag with a big target on the side asking you to
steal the laptop. And to actually take off the yellow sticky with all
your passwords before you put the laptop in your bag. But some of the
advice is contradictory. Like you aren't supposed to carry an obvious
laptop bag, but you are always supposed to keep an eye on the laptop.
Unless your bag is transparent, how do you do that? And shouldn't you
be focusing on the person you are talking to, and not your laptop? Yes, I'm nitpicking, but the words are actually kind of important. A lot of the
advice is repetitive as well. Like keep an eye on the laptop, carry it
with you, don't leave it on the floor, and don't leave it in a
hotel room. Those aren't all the same? Not sure why it took them 9 tips
to say not to leave your laptop lying around and encrypt the data, but
whatever.
http://ravichar.blogharbor.com/blog/_archives/2007/8/18/3166459.html
A breach is inevitable
When I first saw this Dark Reading column that Shostack takes to the
woodshed, I let
it go. But since I'm just the kind of guy to jump on, here goes. I
agree whole-heartedly with Adam on this one. That a company would
subscribe to a breach notification service has nothing to do with
whether they think they are going to be breached. It has to do with
whether they think they can handle the notification effectively and
efficiently. Or am I missing something? The reality is that many many
companies will have some type of breach. I'd say all companies, but the
sun shines on a monkey's ass every so often, so that's probably a bit
too general. Secondly, how would I know ahead of time that a company is
buying this kind of breach notification? Do they need to report it in
their SEC filings? Are they going to announce it to the world? So
basically, the Dark Reading article sucked. Thanks to Adam for pointing
that out and giving me an opportunity to get in a few shots as well.
http://www.emergentchaos.com/archives/2007/08/no_breach_notification_se.html
Your VAR isn't going to sell for you
If you've been following the security market long enough, you see the
same patterns emerge time and time again. I beat up on Shimmy a couple
of weeks ago about trying to bribe the channel to even talk to him,
since the only way to get channel mindshare (for a small company
anyway) is to bring them deals. Duh!
Based on this post from Farnum, many "manufacturers" (that's VAR-speak
for vendors) still don't get how to work with their channel. So let me
explain it in 100 words or less. If you are in an early market, the
vendor does most (if not all) the heavy lifting. To expect the VAR SE,
who has to be conversational about 25-30 different products (or more), to do as good a job as your own SE is both stupid and delusional. You want someone
to do a detailed product demo, bring your own guy. Don't make faces at
the VAR folks - remember they have a choice in terms of who they bring
along to meetings. Farnum, you shouldn't apologize for anything.
Ultimately you did what was the right thing to do. Figure out the customer's problem and then work with them to visualize a set of
possible solutions. The rules change a bit in more mature markets, in
that the technology is fairly stable - so it's not out of the realm of
possibility for VAR staffers to have been through more than a few
installs and understand how the product works. I'm not sure why this is
so hard to understand, but I keep seeing the same mistakes over and
over again.
http://infosecplace.com/blog/2007/08/17/product-knowledge-versus-real-knowledge/
Recently on the Security Incite Rants Blog
Check out the latest on the Security Incite blog
http://blog.securityincite.com/
Read the most recent Daily Incite
http://securityincite.com/security-incite-rants/daily-incite


Mike, a quick way to describe it is that VARs don't create demand, they fulfill demand. If you're in a new market, customer demand doesn't exist yet and you (not the VAR) have to go create it. VARs can bring you leads, but that's about it. When your market matures enough that customers understand and are asking for the specific solution you deliver, then VARs can close the deal with little or no help from you, but it takes 5-10 YEARS from product introduction to get there.
Bob