The Daily Incite - October 4, 2007
October 4, 2007 - Volume 2, #139
Good Morning:
I recently met up with a friend and he suggested I read "The
4-Hour Workweek" by Tim Ferriss. I had seen the buzz and all
the Web 2.0 gurus and marketing gurus and pretty much every other guru
talking up its praises. So I wasn't interested, of course. It's my
contrarian streak that made it obvious to me that if everyone else
liked it, then I would hate it.
So I bought it anyway. I'm not sure why. Maybe I'm just procrastinating
reading the last Harry Potter book because I know there won't be any
more. It's not like I have a lot of time to read either. But my friends
at Amazon dutifully delivered the book and I cracked it open on my golf
trip. I really wanted to hate it.
You see, I take my responsibility as a role model for my kids VERY
seriously. I've seen nouveau riche types that play golf 3-4 days a week
and basically screw around all day. They buy their kids BMWs and send
them to prep schools and let them become spoiled brats. I see those
kids get into high school and do bad stuff. They proceed through
college and do more bad stuff with no accountability or consequences.
Their folks put them in the best rehab money can buy. Then the kids are
flabbergasted when real life hits them in the head and they actually
have to apply themselves. Maybe they end up in jail like the girl that
stars in "One Night in Paris."
Of course, that's not every kid of every successful entrepreneur or
other business person that is fortunate enough to not have to work when
their kids are still living at home. Some of these kids have a great
work ethic and go on to achieve great things, maybe even surpassing the
accomplishments of their accomplished parents. But enough end up
screwed up that I plan to set a hard-working, get stuff done, take
risks and have fun example for my kids. Until they are old enough to
provide for themselves anyway. Then I'll play golf 3 days a week. Maybe
then my game won't suck.
So that was a long-winded way of again making the point that I wanted
to hate The 4-Hour Workweek. If I only worked for 4 hours a week, what
would my kids think? How can I show them the value of working hard and
applying themselves if I'm working a little bit each day and screwing
off the rest of the time? Being a Solitaire Grand Master is not what I
want them to aspire to be.
But I don't hate the book. I actually like it. I think the title is
actually a bit misleading. The book is about finding more leverage in
your activities. Magnifying your efforts to achieve the most output
relative to the input you are willing to make. To automate
what you do, so that you don't have to do it so much. Not so that you
can screw around for 56 hours a week, but so you can spend those 56
hours doing something more productive. Maybe it's a hobby. Maybe it's
donating your time. Maybe it's starting other businesses or mentoring
other people and sharing your wisdom. There are lots of things you can
do if you can figure out how to apply more leverage to your actions.
Yes, I'm recommending that you read the book. Not every strategy in the
book will work for everyone. If you run your own business, you
MUST read it. If you work for someone else, read it anyway because some
day you may work for yourself (whether you like it or not). The
strategies for substantiating accountability and productivity,
regardless of location, will help with all of those micromanaging
pointy-haired bosses.
I'm looking forward to figuring out what good I can do with another 56
hours in my week.
Have a great weekend. By the way, my birthday is on Sunday.
Happy friggin' B-day to me. So I'm taking Monday off from publishing.
It's a happy coincidence that it's also Columbus Day in the US, so many
of you will have the day off as well. Enjoy your long weekend and tip a
drink to me as I enter the last year of my 30s.
Technorati: Information Security, CSO, Security Mike, Internet Security
Top Security News
PCI requirements are not new. What's new is accountability.
So what? -
This profile in SearchSecurity about how Chevron (the big US oil and gas company) achieved PCI compliance
is great. I love these kinds of stories because they really embody a
lot of what I've been trying to say over the past two years. The folks
at Chevron knew about the need to protect customer data WAY before PCI
was an issue. They deployed a layered security model a while back,
probably due to some other regulatory catalyst. Now that PCI
compliance is mandatory for Level 1 merchants (as of Sept 30), they are
in good shape. So this is good stuff. I also like the idea that
security and the attack surface are seriously dynamic. So over time all
the regulations should evolve to ensure that they reflect the current
methods of the adversaries. PCI, controlled by private
entities, is in a much better spot to keep in step. It doesn't require
an act of Congress to change it.
How big does the botnet need to be?
So what? -
Looks like this "Storm" is not going to pass. In the latest episode of
the malware that will not die, the Storm
worm has allegedly claimed over a
million victims, who are again allegedly part of the biggest
bot network ever seen. I think the 1 million number makes good
headlines, but is pretty irrelevant. The only thing that is relevant is
whether you are at risk. Have you (or any of your organization's
machines) been compromised? How do you know? How do you clean them up?
That's the kind of information I'm interested in and I presume that you
are as well. The answer is not to count the number of bots. Or even to
worry about how Storm continues to morph and elude malware detection.
That's Big AV's problem. It's to monitor your device and your networks
and make sure nothing is
out of the ordinary (assuming you know what ordinary is). As with any
other malware, Storm-compromised machines need to do something, whether
it's contact the bot master, send out spam, launch other attacks or
just scan your internal networks to find out if there are other devices
to compromise. This activity leaves a trail. But you need to be
monitoring to find the trail and react faster.
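Added example (not from the newsletter): a baseline-versus-observed check over constructed outbound flow records, flagging exactly the trail the paragraph describes (a burst of direct SMTP to new hosts, an internal sweep, contact with an external peer the host has never talked to). The internal range, the sanctioned mail relay, the ports and the thresholds are all assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # assumed internal range (constructed)

# Constructed flows (src, dst, dst_port). Baseline = an ordinary day;
# 10.0.0.9 is the sanctioned mail relay, 10.0.0.2 the resolver.
BASELINE = [
    ("10.0.1.5", "93.184.216.34", 443), ("10.0.1.5", "10.0.0.2", 53),
    ("10.0.1.6", "93.184.216.34", 443), ("10.0.1.6", "10.0.0.2", 53),
    ("10.0.1.6", "10.0.0.9", 25),
]
# Observed window: 10.0.1.5 now sends mail directly to 40 external hosts,
# sweeps the LAN on 445 and talks to an unknown external peer.
OBSERVED = [
    ("10.0.1.5", "10.0.0.2", 53), ("10.0.1.5", "198.51.100.7", 7871),
    *[("10.0.1.5", f"203.0.113.{i}", 25) for i in range(1, 41)],
    *[("10.0.1.5", f"10.0.1.{i}", 445) for i in range(20, 60)],
    ("10.0.1.6", "93.184.216.34", 443), ("10.0.1.6", "10.0.0.9", 25),
]

def profile(flows):
    """Per source host: (dst, port) peers, SMTP targets, internal targets."""
    p = defaultdict(lambda: {"peers": set(), "smtp": set(), "internal": set()})
    for src, dst, port in flows:
        p[src]["peers"].add((dst, port))
        if port == 25:
            p[src]["smtp"].add(dst)
        if ip_address(dst) in INTERNAL:
            p[src]["internal"].add(dst)
    return p

def anomalies(baseline, observed, fanout_factor=4, min_new_smtp=3):
    """Map host -> reasons for hosts whose traffic departs from their own baseline."""
    base, obs, out = profile(baseline), profile(observed), {}
    for host, h in obs.items():
        b = base[host]  # defaultdict: a host never seen before gets an empty baseline
        reasons = []
        new_smtp = h["smtp"] - b["smtp"]
        if len(new_smtp) >= min_new_smtp:
            reasons.append(f"SMTP to {len(new_smtp)} new hosts (spam run?)")
        if len(h["internal"]) > fanout_factor * max(1, len(b["internal"])):
            reasons.append(f"internal fan-out {len(h['internal'])} (scanning?)")
        new_ext = {d for d, port in h["peers"] - b["peers"]
                   if port != 25 and ip_address(d) not in INTERNAL}
        if new_ext:
            reasons.append(f"new external peers {sorted(new_ext)} (C2?)")
        if reasons:
            out[host] = reasons
    return out
```

Calling `anomalies(BASELINE, OBSERVED)` flags only 10.0.1.5, with all three reasons; the mail relay host 10.0.1.6 stays quiet because its SMTP destination was already in its baseline.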
Confused about security outsourcing?
So what? -
Security "outsourcing" remains a point of contention in a lot of shops.
What do you outsource? Does it help? Will it save you money? One of the
key messages in the Pragmatic CSO is that you don't (and shouldn't) do
everything yourself. There are no awards for being the lone watchman
riding the fence between anarchy and chaos. Forrester's
Khalid Kark attempts to dispel
some of his perceived misconceptions in this SearchSecurity tip.
He makes some decent points (outsourcing isn't always cheaper, nor does
it fix a broken security environment), but he also misses a key
opportunity to stress what's really important. Like the fact that
security PROGRAM management should NEVER be outsourced. The execution
of the program - fine. Get some additional help - no worries. The
definition and communication of what the program needs to achieve and
protect and communicating that to the senior team - NO WAY. I also
disagree that outsourcing procurement is different from any other
procurement. Whether you are buying a product, service, or bodies -
it's all the same. You are trying to achieve your business goals in the
most efficient and cost effective way.
The Laundry List
- It's good to be Google. Spend $625 million on Postini and basically give it away. By adding Postini to Google Apps Premier for $50/user/year, Google shows yet again that security is a feature. - InfoWorld coverage
- Big Yellow jumps on the bot bandwagon. Adds "bot intelligence" to their MSS offerings. Like they didn't track compromised machines before? - Symantec release
- This is different how? Secure Computing announces their Secure Web 2.0 anti-threat (SWAT) initiative. Good acronym, but it's all the same stuff. I guess they call that marketing. - Secure Computing release
- Securify is still around, and their 3rd (or 4th) incarnation looks like an NBA thingy with identity. Now if users would get on board with more active monitoring. - Securify release
Top Blog Postings
HIPAA is in your own hands
Most organizations feel forced to deal with regulations and compliance.
Like they wouldn't protect private customer data and do the right thing
if the auditors weren't going to show up - which I guess is probably
true. Rebecca Herold highlights a HIPAA success story in this post that
is great to read. This hospital (Ivinson Memorial Hospital) has taken
the ball into its own hands and implemented a training program and
has also terminated and sanctioned employees that violate the
policies. Remember, I'm a fan of public executions and that is the best
way to make a statement that behavior that violates corporate and
regulatory policies will not be tolerated. But the auditor won't make
you do this stuff. Your senior management has to believe it's the right
thing and be committed to enforcing the policies - even though it's
painful.
http://www.realtime-itcompliance.com/privacy_and_compliance/2007/09/a_hospital_actively_enforcing.htm
Finally a business case for ISPs to deal with bots
Great post by Arbor's Danny McPherson actually analyzing the true cost
to an ISP of having infected machines on their networks. Thanks to
Matasano Tom for pointing it out to me. The reality is
every time they pick up the phone for a customer support request, they
lose money on that customer for the year. ISPs love folks like me, who
never call and don't need help (except when my DSL modem was fried).
They probably hate folks like some of my friends, who just pick up the
phone every time they have an issue - as opposed to actually thinking
about how to solve the problem. A bot is a microcosm of this situation,
where the compromised machine will run slowly or act strangely. Then
the customer calls the ISP and says the Internet is broken. Most of the
time, the ISP claims no responsibility - so the customer is pissed and
the ISP lost money because they had to pick up the phone. The
alternative is to proactively deal with the compromised machine, set up
an agreement with either a technology provider or pro-serv shop (or
both) to fix a machine depending on how screwed up it is, and get them
off the main network. Sure it's hard. But it's also hard to have pissed
customers and continue building out the network because they choose to
not deal with the problem. Or they could license Security Mike's Guide
and have all their consumer customers actually take some steps to
protect themselves. Are you listening, AT&T?
http://asert.arbornetworks.com/2007/09/isp-death-by-a-thousand-duck-bites/
Who are you, and what did you do with Amrit?
I'm actually kind of shocked, but glad that Amrit so publicly changed
his stance on Jericho. Not that he's now a de-perimeterization bigot
(like Hoff), but that he can show humility and admit that his opinion
has changed. I've known far too many that would rather go down with the
ship than admit being wrong. Part of why I brutally assess my
Incites twice a year is to bring some accountability to the
prognostication business. I'm a lot harder on grading my positions than
anyone else would be, but if I'm wrong I need to call it out and fix
it. Not that anyone actually listens to me, but still - the right thing
to do is to admit mistakes. Personally, I think the dogma around
Jericho is too much to overcome. Yes, I read the commandments and I
think a good part of what they are talking about is good. But it's all
about evolution, not revolution. In the minds of many security
professionals, the Jericho Forum stands for revolution - even though
the message now is more about evolution. Larry Seltzer's ill-advised
rant about turning off firewalls is really indicative of where Jericho
is at. So ditch the name, restart the
effort and continue adding value to security professionals. Just as
some of us
admit we make mistakes sometimes, I think it's time for Jericho to
admit that their initial positioning was a mistake and that the patient
probably can't be saved.
http://techbuddha.wordpress.com/2007/09/25/embracing-humility-enlightened-information-security/
Hey Mike
Greetings from the Emerald Isle. I hope you have a great birthday!! I will have a Guinness or two in your honour.
Brian