The Daily Incite - October 30, 2007
October 30, 2007 - Volume 2, #148
I had better keep working on my karma because I don't want to spend any time in purgatory when I'm done here. Purgatory scares the hell out of me (no pun intended). You see I have a package of books in Customs purgatory North of the Border (which is Canada for you non-US folks) and it's not a pleasant place to be. Especially when you are trying to take a few days off for family time.
Now I'm not one to give props easily. In fact, I hate most things. Attaboys from me should be put into a little card sleeve and stored to sell at a baseball card convention in about 15 years. It could be as valuable as a Clemens rookie card. Or at least a friggin' Hazelnut Latte (non-fat, of course). But after dealing with FedEx on this little customs issue, the US Postal Service seems like the second coming.
You see I ship a bunch of books to international locations. The Internet truly provides unbelievable global reach. I dutifully fill out the packing slips and print out the international mailing label, which I generate from the USPS web site. I attach the mailing label to the package, drop it off at the post office and go on my merry way. I figured dealing with FedEx was similar. Not so much. I found out I needed to specifically name FedEx as my "broker" to clear customs. That means I need to fill out a form. Of course, the FedEx folks didn't tell me about that form when I dropped off the package. Evidently I'm supposed to just "know" that.
OK, no big deal. I get the form faxed to me and it seems I need a "Canadian Business Number." What is that and how do I get it? It seems no one knows. So I go around and around with FedEx and a host of Canadian agencies until finally I'm directed to the right group that can issue my business number. Of course, only after I fax them a bunch of stuff, including proof of my company's incorporation. Thankfully, I keep everything accessible on either my MacBook or my PC (which is accessible remotely). So I run down to Kinkos, print out the papers and fax the forms.
I do have to say the folks that issued my business number were great. We played phone tag a bit, but they kept trying and we finally got it done - within 4 business hours of my request. Unfortunately my experience with Customs was closer to burning hell fire than anything else. It seems that faxing the proper forms to customs TWICE wasn't enough. When I called this morning to see what the hell was going on with my package, they said they couldn't find the fax. Let's just say I was less than ecstatic, but I kept my cool because bureaucrats and $10/hr call center reps don't take to spit and venom very well.
I did get a call maybe 2 hours later saying they found my fax and now they are just waiting for Customs to approve the form, so then the package could be cleared and my package can finally be delivered.
And to think, I paid about triple the price to get the two day FedEx service last Tuesday to absolutely positively get the package there by last Friday. I could have used the trusty old USPS, gotten the package there today and not had to figure out where the random fax machines were during family time. Thankfully the Boss and the rest of my family are very understanding as I spent time on the phone and peeled off to find Kinkos in the middle of the night.
Argggh. Hopefully the package will get out of purgatory today and get back on its journey. Have a great day.
Top Security News
Trend jumps on the trend to acquire DLP
So what? - I do have to say that markets accelerate and go through the innovation/consolidation cycle much faster now. DLP is rapidly progressing through the cycle, with the consolidation phase well underway. The latest example is Trend Micro acquiring Provilla and this deal makes a lot of sense. Provilla was pretty small, but had a bunch of OEM partners (including BigFix and Reconnex) that needed a desktop agent for DLP. Though I do think that Trend is still missing some of the true "endpoint" policy management capabilities (like enforcing an endpoint connection policy, etc.) that will be required as endpoint security becomes truly integrated over the next 18 months. That's right, one agent on the desktop to do everything security that you need. Interestingly enough, the DLP market has segmented into desktop stuff (like Provilla and Onigma/McAfee) and gateway/enterprise. The gateway/enterprise folks claim to have robust endpoint agents, but at the end of the day - it's more about integration with the stuff that's already on the desktop. Who the hell wants yet another agent on the desktop to manage? So seeing a Vontu or Vericept integrate with McAfee or Trend's desktop agent would be a good thing for customers. But since everyone still thinks they can "lead" this market - it probably won't happen, but it should. Finally, there aren't a lot of companies left that focus on the desktop side of DLP, if any. That means some other endpoint security vendors are going to be left out in the cold and need to build it themselves, which doesn't help time to market.
The PCI moving target
So what? - Thanks to Steve Gold's blog for shining a light on what seems to be Visa moving the PCI target. It seems the DSS is still intact, but there is a new set of initiatives (called PABP - Payment Application Best Practices) that indicate how card holder data should be handled by the payment applications. This will have a serious impact on all of the payment software vendors and all of the small merchants who utilize these shopping carts because they don't have the resources to do it themselves. Like me. If the systems cannot store card numbers AT ALL, then how do you do a recurring payment subscription service? Does that kill my one-click capability at Amazon or any other online merchant where I keep a credit card on file (which is about two)? Obviously there are things that need to be clarified relative to PABP and in general, I think defining how the data can/must be handled is a good thing. But Visa needs to be careful that they don't end up legislating the destruction of markets.
Come clean and live to fight another day
So what? - I've long said that every security professional will have incidents. No one is perfect and the bad guys are innovative and that means at some point, you will be pwned. Your job "security" (pun intended) is directly correlated to how you handle the incident. As Mich Kabay details in his NetworkWorld column - DON'T LIE. Basically, you need to come clean as early as you can. Get HR involved. Get Legal involved. Make sure the liability of your organization is limited and controlled. Figure out when and if law enforcement needs to be involved. By the way, all of this needs to be documented and structured AHEAD of the breach. For those of you who haven't read the Pragmatic CSO yet, I have an entire step about incident response and damage containment. This piece provides some of the main ideas, but none of the detail. Hint, hint.
The Laundry List
- Shareholder activists targeting Websense. Yes, everything is a feature and web filtering is too, so Websense should be finding a bigger, more established partner. Activist shareholders have a way of making that happen. - Seeking Alpha coverage
- SHOCKER! Tumbleweed misses Wall Street estimates (again). Light revenue and slipping competitive position doesn't bode well. The good news for TMWD shareholders is that it can only go to zero. - Tumbleweed earnings release
- More earnings weakness from Secure Computing. The release tries to paint a nice picture of a "record" quarter, but both revenues and earnings were below expectations and Q4 guidance was also light. Wall Street isn't fooled, stock is down over 10% in after hours trading. - Secure Computing earnings release
- Yet another on the "miss" parade. VASCO is light on both the top and bottom lines, relative to expectations. Was trading at 40, now it's at 25. Got to love those haircuts. - VASCO earnings release
- Finally, a smaller public security company that made their numbers. SonicWALL hits the numbers and Q4 guidance. - SonicWALL earnings release
Top Blog Postings
Naraine does a good obituary of the anti-spyware market in this post. I've been saying this since early 2006, but it's good to see some other folks get with the program. Especially those vendors that previously thought there was a market for best of breed anti-spyware - especially after Microsoft decided to give it away, I mean bundle it with Windows Vista. Malware is malware is malware and it needs to be stopped by one agent on my desktop. Or you could always switch everyone to Macs. HA! I guess I'm sort of joking on that for a couple of reasons, mostly in that it's cost prohibitive to send all those PCs to the trash heap. But also that the Mac is vulnerable to attack, but not as vulnerable. But back to the point, I expect that sooner - rather than later - end users are going to realize these standalone anti-spyware things don't really add much value. But stranger things have happened than inertia keeping these jokers alive for a lot longer than anyone expects.
Reconnaissance is the first indication of an attack
We are all looking for some early warning that we are under attack. Well we're actually always under attack, but I'm referring to a focused, targeted, sophisticated attack. Jeremiah has a good post here about how crawling plays into the first wave of an attack. His point is about how the web application vuln scanner needs to be much more sophisticated than a typical search engine spider, and since that's the business he's in - it's not surprising that he'd be tooting his own horn on that front. But to me, an important aspect of the REACT FASTER doctrine is to be able to tell the difference between the script kiddies (that are just running automated XSS finders and probing for open ports) and the real attackers. What we don't have right now on the web application front is a good way to establish a baseline for searching, probing and application reconnaissance. At least I don't know about it, if it exists. Kind of like an application-layer analogy to network behavior analysis. Let's call it ABA for Application Behavior Analysis. Crap, I just invented a new security widget. You'll send me royalties right? Scout's honor?
Can you have too much risk management?
As Sammy Migues details on the Cigital blog, you absolutely can have too much risk management. In Sammy's words: "The impact of too much risk management is usually too many security controls and, therefore, too much predicted expense in a variety of areas: hardware, software, tools, people, processes, and so on." But before I take Sammy's words too far out of context, he's also correct in stating that the problem is usually too little risk management and security, not too much. The point I want to make is that all risk management (and security for that matter) needs to be based on the NEEDS OF THE BUSINESS. If your business is culturally risk-taking, entrepreneurial and nimble, then you are probably going to be on the less side of the risk management continuum. The converse also applies. Just remember to map your security strategy to the characteristics of your business, not the other way around.