The Daily Incite - November 7, 2007
November 7, 2007 - Volume 2, #151
Good Morning:
It seems like years ago, but I recall watching the execution of Saddam
Hussein earlier this year with macabre curiosity - 4 times. The
thoughts running through my mind were along the lines of, "so this is
how a despot ends." Candidly, I think the unauthorized coverage made
the situation a lot more real to everyone across the globe, not just in
Iraq. Sure there were lapses of judgment in an emotional situation -
but the point was made that this was a new time and Iraq had the
opportunity for a new beginning. Whether they take it is another story,
but I'm definitely not going there.
The same kind of thinking went through my mind when I checked my
newsreader this AM and saw the story of Microsoft's CIO being "terminated" for a
violation of company policy. It's not clear what
the violation was, but suffice it to say it probably was bad. It needs
to be to warrant a public execution like that. A C-level public
execution in Redmond. Yes, that sends a strong message about culture,
about acceptable behavior and about Microsoft's willingness to enforce
the policies. I feel for the guy whose head is now mounted on the
stick, but I suspect everyone at Microsoft got a pretty strong wake-up
call.
Similarly when Boeing shot Harry Stonecipher for sending inappropriate
emails and having an affair with a junior employee, it sent ripples of
fear through other Fortune 100 mahogany board rooms. Oh crap, it can
happen to anyone. Will it change behavior? Probably not, people are
people and it's hard to deter human nature - but maybe they'll be more
careful about covering their tracks.
Yes, there is a point and that's the value of the public execution. I
talk about it frequently in my Pragmatic CSO writings, both the book
and the weekly blog post. For the most part, I think many of the large
public companies take ethics pretty seriously and enforce their
policies, if only to limit the liability of the board members. But I'm
not so sure about mid-sized companies. Those companies where taking out
the rainmaker because he has a drug habit or likes to watch - well
you know - at work, would perhaps be a fatal blow to the business.
In that case, enforcing the policies may not be such a clear cut
decision. Of course, it should be - but it isn't. Then again, it's not
my rainmaker that I have to can and it's not my business that would be
at risk. I guess the only certainty is that it will cost money to
handle the situation. You either pay now to replace the business that
the rainmaker takes with him/her or you pay later to settle the hostile
work environment and harassment suits.
I guess those are the kinds of choices that need to be made every day.
I'm just glad I don't have to make them anymore.
Have a great day.
Top Security News
Is there money in security information?
So what? -
One of the ideas I floated in my 2007 Incites was a real
market for security research and information. As far as I know, it
hasn't happened. There is plenty of research out there, produced by
some superstars. But it's usually to generate interest and leads for
their consulting, products or other types of businesses. Yet, now I see
the Big Yellow announcing a managed service
to focus on analyzing targeted malware. There are other folks
(like Cyveillance) that can scour the Internet for phishing and other
brand attacks. But is that a niche or a market? At this point, it still
feels like a niche. Sure, if I'm a huge customer with a seriously
valuable brand name, I'd sure like to know when some scumbag is trying
to capitalize on it. So I'll pay some money. But what about the broader
market? Personally, I use Google alerts to track when folks use my name
(or research) in vain. And the price is right. So it's an interesting
concept, but I'm not sure it's a market. Yet, as long as there are 800
security vendors, there will be a business in selling them information.
A case in point is Bit9, where it's not clear if their business is
selling endpoint control solutions, or whether they sell access to their application
executable database to folks like Kaspersky. In terms of what
will be most lucrative over time, just think: CommTouch is in the
business of selling anti-spam signatures. Right, not too lucrative.
Is data encryption growing?
So what? -
According to NetworkWorld it is, but it's not clear if that is just
optimism coming from venture capitalists involved in the space and
vendors who hope to make a shekel from selling it. We keep thinking
that encryption infrastructure is something that all companies should
have, but I'm not sure that's the case. I do think every organization
needs to protect their data, but I'm not so sure they need a
centralized key management infrastructure to do it. Sure there is
leverage in centralizing things, but it also adds a lot of cost and
overhead to many management processes. Per usual, it's back to the
future, where we saw RSA do very well in the mid to late 90's by
selling shovels to gold prospectors, I mean encryption toolkits and
libraries to companies that needed security. OK, maybe a bad analogy,
but the point is that key management should be transparent and dare I
say it - perhaps a managed service. I want it embedded within my
applications and I don't want to think about arcane and obscure
interfaces and key management technicalities. I know many of the crypto
vendors are increasingly bundling their stuff into other solutions, as
well as bringing their own self-contained offerings into the market. I
think that's the right path, but ultimately the entire business is yet
another feature. Isn't everything nowadays?
Buy an award and get bought by Cisco - is that right?
So what? - The
last time I mentioned the jokers at the Information Security Products
Guide, I said I wouldn't give these guys any more airtime. But like an
addict, I just can't help myself. Check out this press release, which
is somehow trying to take credit for Securent getting bought by Cisco. "Another Information Security Products Guide
Hot Company bought by Cisco." Like these guys are actually
looking for "hot companies." Actually, in order to qualify, you don't
need anything but a checkbook and an envelope to send the check to
them. If it was so easy to buy an award and then get bought, everyone
would be doing it. Oh that's right, it seems everyone IS doing it.
Maybe one of these days some self respecting marketing person will
finally realize that it's about your product and your market, NOT the
pay for play awards that get you bought by Big Security. While I'm
putting together my wish list, maybe these same folks would realize
that customers don't care about these "awards" either.
The Laundry List
- One quarter at a time. Sourcefire starts the long road to rebuilding credibility by actually beating the beaten down numbers and guiding in line. How about that? - Sourcefire earnings release
- More competition for Websense. IronPort updates their web filtering box. It'll be interesting to see how Cisco's channel will take to this mature product category. - IronPort release
Top Blog Postings
TJX finger pointing in full swing
As my buddy Martin observes, it's easy to blame PCI for the fact that
somehow TJX passed their PCI audit. Perhaps the assessor had a bit too
much to drink the night before. Or maybe someone had unflattering
photos of the assessor assessing. But it's not the right thing to do.
TJX continues to be a fiasco and it seems that every day the depth of
the malaise is still being uncovered. To be clear, there is nothing
fundamentally wrong with the PCI requirements. Are they perfect? Of
course not. Nothing is perfect. Should TJX have passed the audit? I'd
say instinctively NO, but you can't tell. Savvy criminals are able to
hide fraud from auditors all the time (Worldcom, Enron, and Adelphia
come to mind). Not that I'm saying they did this, but TJX could have
misled the assessor. Anything is possible. I sound like a lawyer now,
eh? We need to be clear on the fact that even companies that pass PCI
audits can be compromised and will be. And companies that don't pass
may not. PCI is a starting point, and a decent one at that. But it's no
panacea.
http://www.mckeay.net/secure/2007/11/blame_tjx_and_the_assessors_no.html
I'll take C, all of the above
A nice little battle is ensuing between Fratto and the folks at Nevis
regarding whitelisting vs. blacklisting, relative to network attack
detection. I just love religious dogma, and Nevis Joe defends their
position to adopt a largely whitelisting-based approach vehemently. But
it's still dogma. I remember we had many of the same discussions
regarding endpoint anti-virus and my position is consistent. The answer
is both. We DO NOT want to get owned by an attack that we've seen
before. That would just be stupid. So we use a blacklisting technique,
usually based on signatures to make sure that doesn't happen. But of
course, it's not enough because there are attacks that we don't know
about. Thus, we need to do some measure of whitelisting as well. If I
had to pick, I'd say to adopt a default deny stance on your perimeter
and within your applications first. In fact, I do recommend that in the
operations section of the P-CSO. That doesn't mean it's easy - it's
not. If you want easy, turn off your friggin' firewall. If you want
secure, you are probably looking at some kind of hybrid option. To be
clear, I don't think we should turn off our IDS or stop using
signatures on the desktop. You know the old adage, those that fail to
remember history are doomed to repeat it.
http://www.nevis-blog.com/2007/11/why-blacklistin.html
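The "both" stance argued above, as an added example that is not part of the original post: a toy request filter built on a constructed signature set (the blacklist) and a constructed route allowlist (the whitelist), with hypothetical names, showing what each approach alone lets through and what the combination catches.

```python
import re
from dataclasses import dataclass

# Constructed toy rule set, not from any real product: two signatures
# (the "blacklist") and a small route allowlist (the "whitelist").
SIGNATURES = {
    "sqli-union-select": re.compile(r"union\s+select", re.I),
    "path-traversal": re.compile(r"\.\./"),
}
ALLOWED_ROUTES = {("GET", "/"), ("GET", "/products"), ("POST", "/login")}


@dataclass(frozen=True)
class Request:
    method: str
    path: str
    query: str = ""


def blacklist_verdict(req):
    """Signatures only: blocks what has been seen before, nothing else."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(req.path + "?" + req.query):
            return "block:signature:" + name
    return "allow"


def allowlist_verdict(req):
    """Default deny only: blocks unpublished routes, but is blind to the
    content of a request on a route it permits."""
    if (req.method, req.path) in ALLOWED_ROUTES:
        return "allow"
    return "block:default-deny"


def hybrid_verdict(req):
    """Both layers: signatures first so a known attack is named, then
    default deny for everything the signatures have never seen."""
    verdict = blacklist_verdict(req)
    return verdict if verdict != "allow" else allowlist_verdict(req)


def compare(req):
    """Verdict of each stance for one request, to show where each falls short."""
    return {
        "blacklist": blacklist_verdict(req),
        "allowlist": allowlist_verdict(req),
        "hybrid": hybrid_verdict(req),
    }
```

Run `compare` over a benign request, a known pattern on an allowed route, and a probe of an unpublished route: the blacklist alone misses the probe, the allowlist alone misses the known pattern, and only the hybrid blocks both.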
Where's the Securosis tip jar?
You should all send a couple hundred bucks to the Mogull for teaching
you about CMF (his former employer's acronym for DLP) and now database
monitoring and auditing. Rich's series of posts is just great. I do
agree with Hoff that it's not a great sign when you need 10,000 words
to adequately explain a market, but Rich is going for depth and
completeness, as opposed to brevity. And the criticism comes from the
king of 10,000 word posts. The fact that you can get this kind of depth
and analysis for no cost is really a huge change in the research
business. Part of it is the advent of blogs that give independent guys
like Rich and me a means to get to a decent sized audience. At some
point, the two of us and all the other folks like us have to figure out
what the business model for this stuff looks like. The RedMonk guys
think they've figured it out, but the idea of vendor sponsorship for
pretty much everything doesn't sit well with me. I don't want to be
like Scott Adams and set the perceived value of my research to zero.
Yet, I still publish most every day and still give it away. Oh yeah, at
some point, I'll probably come back to Rich's post because I think the
database monitoring business is kind of interesting - if only because
it's another data source to allow you to REACT FASTER to attacks. But I
digress.
http://securosis.com/2007/11/06/understanding-and-selecting-a-database-activity-monitoring-solution-part-2-technical-architecture/
“Is there money in security information?” - is a great question, but it looks at the problem inside-out. The question large companies ask themselves is: “can we afford not to protect our brand?” Another is: “what can we do about the problem of brand abuse?”, because, as you stated clearly, the value of finding an infringement or scam is minimal, or, even free in your case. It is the power to prevent and act against it that makes a security solution valuable.
The expense of not looking for folks trying to take advantage of their brand and reputation is high. Costs are direct and indirect including:
1) Lost revenue – from transactions conducted by others posing as you or others diverting traffic
2) Customer Service – because the burden of cleaning up the problem falls on the brand holder
3) Diminished reputation – due to the fact that customer dissatisfaction is focused on your brand or product.
4) Customer Health and Safety – scammers often steal the identity of customers or sell them faulty or dangerous goods & services
5) Loss of intellectual property – failing to defend your property means that it is effectively public domain.
6) Numerous other customer, product, service and other related issues that depend on industry, sector, channels …
The problem for large entities is not finding issues, but defending against them. The scope and scale of the abuse problem is phenomenal. In fact, the thirty most influential brands are suffering over 350,000 incidents of cybersquatting collectively. And this activity has grown steadily over the last quarters and years. So, prioritization and automated enforcement are the tools that make providing brand security a valuable tool that large companies are willing to pay for.
Respectfully - Frederick Felman, MarkMonitor