The Daily Incite - November 12, 2007

Submitted by Mike Rothman on Mon, 2007-11-12 09:14.
Today's Daily Incite

November 12, 2007 - Volume 2, #153

Good Morning:
So I'm watching some TV with the Boss last night, hacking away on the Macbook as I continue to power through building Security Mike's Guide. As we are forwarding through some commercials (don't tell me you actually WATCH commercials anymore!), I see the Mac and PC guy going at it again. I ask the Boss to back up a bit, so I can watch it. It's the one with PC dressed as a boxer. Very funny. I guess there are two other new ones that you can catch thanks to TUAW. The podium one is funny as well, and the PR one had me rolling on the floor. 

No, I'm not going to go into a rant about how bad Vista is (you already know that) and how I can't wait until mid-December when I finally buy the iMac I should have bought over the summer. It's almost the holidays after all, so I may even splurge on the Mac Pro - though the real estate required for the Mac Pro makes the iMac pretty compelling. I'm going to talk a bit about inertia here.

That's right, INERTIA. We in the technology space, and specifically the security space, act more out of inertia than anything else. We can laugh about seeing Macbook Pros everywhere, but in reality Apple still only has a fraction of the market. Why? Inertia. Everyone just buys the PC because they've got installed base and existing business processes and lots of other reasons why it's just easier to keep doing what they are doing.

Same goes in the security world. Most folks just renew their AV or firewall or token authenticators because it's easy. They just fill out the PO and the day's work is done. It's hard to think about using a methodology like the Pragmatic CSO because it's different and different may not work. Change is hard. Inertia is easy.

Think about it, you are probably doing the same things you did a few years ago. You probably work in the same job (maybe for a different company, but it's the same job), you hang out in largely the same places, probably with largely the same people. It's easy, it's comfortable, it's inertia at work. And that's not necessarily a bad thing - IF YOU ARE HAPPY. But I don't know many people who are truly happy. Which is sad. Everyone has angst about something.

But it's scary to change. It's scary to think about trying something new, about taking a risk. It's scary to swap AV vendors and have to learn a new interface and deal with a new rep and new support environment. It's scary to start a new diet plan or go out on Saturday night with a new couple that you don't know too well.

Some folks thrive on that feeling of uncertainty and fear. Most don't. Yet if you are unsatisfied with something in your existence, unless you fight that inertia - you'll look back in 5 or 10 years and it will be the same old same old. Like if we don't start thinking differently about security (as opposed to saying we are acting differently), it's going to be the same old same old and in our case it means the bad guys will have won.

Have a great day.


Top Security News

Stakes are increasing in the war on cyber crime
So what? - Amrit has put on his Captain Obvious suit in adding to the discussion regarding the security guy who was running botnets and was actually indicted under wiretapping laws - as opposed to cyber-crime statutes. Amrit's point seems to be that more severe consequences will drive the criminals to doing even more dastardly and harder to track activities. NSS. What's the point? I'm not a criminal (unless you paid for my book, and then you may have other opinions), so I can't really say definitively what goes on in their minds - but I'm not sure they are going to behave differently whether they are subject to 10 years or 3 years in the pokey, or whether the fine is $250,000 or $10 million. I don't know much, but I suspect that most bad guys don't want to get caught. It's kind of like the death penalty. Is it a deterrent? I suspect it is for SOME, but not for all, because we still have pre-meditated murder happening. The folks know what's at stake, but they don't think they'll be caught. Same goes for the hackers. I'm all for a much stronger deterrent and hopefully a few public executions as well. It'll make the marginal criminals think about what they are doing. But the ones who are dedicated to their trade will soldier on, even if it means the consequences are far more severe.

Salesforce dodges a bullet
So what? - There's been a bit of discussion lately about whether Salesforce.com (SFDC) actually suffered a breach or not. Brian Krebs has done his typical yeoman's work in beating the bushes to find out the truth. But it really gets at a more complicated question about what is a data breach - especially in the context of a service provider. So a SFDC employee falls for a phishing attack and is compromised. The attackers gain access to private SFDC data like customer names and the like. But evidently SFDC's customers' data is safe and intact. So, yes - this is a data breach, but it's like every other big company that loses data. Not too big of a deal. Now if SFDC had their customers' data compromised - then it would cause a run on the bank. I do think that a lot of folks continue to be a bit optimistic relative to how safe their data is with a service provider, but that needs to be balanced with the fact that it's probably not a hell of a lot safer (if at all) than having that data stored internally. Finally, I'll point to a marketing blog that I read from Bruce Fryer, who probably makes the most appropriate point of the entire discussion - everyone needs to eat their own dog food, which in this case - SFDC did not.

The Laundry List

  1. I'm late, I'm late for a very important date. My column this month on SearchSecurity is about what to do if you are late to the PCI game. Check it out.  - Rothman SearchSecurity Column

Top Blog Postings

So this is fame?
Farnum wonders aloud a bit relative to blog motivation and the like. AndyITGuy has also been writing quite a bit about what should motivate us as security professionals. They both agree that we can't be doing this for either the fame or the money. Personally, I kind of like being anonymous. I like that no one at the various coffee shops I frequent knows what I do, except maybe drink some girly coffee drinks and bang furiously at my ever-present Macbook. And what about the money? I know a lot of folks that figure security is hot, so there must be money in it. I guess there is, if you are lucky. You could work for Vontu or any of the other few start-ups that will be acquired for too much money. Maybe you do security for a hot company whose stock surges and you do OK. But you can't really plan for that stuff. What's worse is that security is still viewed as overhead, and that means the organization has a vested interest in keeping your compensation down. So no, don't go into security for the money. Go into security because you are a masochist and can't think of any other way to spend the day than having people attack you, poke you in the eye, tell you no (as in you can't have that funding), and generally not want to hear from you. And yes, I'm kidding.
http://infosecplace.com/blog/2007/11/07/fame-should-not-be-a-prime-motivator/

Sorry man, David is dead
I think it's pretty appropriate that I talked about inertia in my rant this AM. I had forgotten that Shimmy had written up a little invitation to the next David that is going to take down Cisco's Goliath. Sorry dude, David is RIP. Eaten up by the same monster he (or she) wants to take down. Just like Intel in processors and Microsoft in operating systems, Cisco is a part of the fabric. Sure there will be little annoying competitors (like Riverbed) that threaten every so often, but no one will reduce the borderline monopolist's hammerlock on market share. It will take a truly disruptive tectonic shift in the network to dent Cisco's armor. But this kind of shift WILL happen, yet I'm not sure that today's market dominating companies will be asleep at the wheel, like DEC, Wang or even IBM in the early 90's. Do you really think that Cisco or Microsoft or Intel would let something truly disruptive just fly under the radar? Why wouldn't they just buy it? It was heresy for DEC to think about buying Microsoft, but they could have and things would be different today. These big companies have a virtually unlimited war chest and have shown that they will use it. Everyone talks about how Microsoft isn't relevant anymore, as they blow past $50 BILLION in annual revenues. So as much as many of us would like to see tiny David slay Goliath, it isn't going to happen on a wide scale. But you will be seeing some Davids make inroads in very targeted niches and there is always room for David to innovate. Yet if the innovation works, it gets subsumed into the collective. That's right, resistance is futile.
http://www.stillsecureafteralltheseyears.com/ashimmy/2007/11/the-question-is.html

It's not only the beer that's different
When you live in the US and most of your business is in the US, sometimes it takes discipline to remember that it's a big world out there. Rob Newby makes this point excellently in this post because he probably sees the issues a lot more than everyone else, being a Brit working for a US company. I always had a lot of respect for our EMEA operations when I was on the vendor side because these folks had to deal with US-centricity every day. They'd have to be the squeaky wheel to get any kind of love and to get anyone to think of adding functionality for the EMEA crowd. HA! Like that would happen. I've made every one of the mistakes Rob talks about. Nothing like pulling a scab off the road rash first thing on a Monday morning. Of course, today's world is a global one, but problems are solved locally. So we in the US think of "Asia" and those in Asia know that it's 15 different markets, each with different requirements. Again, this is why the deck is stacked in favor of the big companies that actually have the resources to localize their products to meet the needs of each specific market. Big is the new small. Sure, if you solve a big enough problem then they'll use your US-centric product, even in Asia. Until a local company figures it out, which will take 10 days or so.
http://robnewby.blogspot.com/2007/11/5000-miles-and-counting.html

Recently on the Security Incite's Blogs

Find out what Security Mike is talking about
http://securitymike.blogspot.com

Check out the latest on the Security Incite blog
http://blog.securityincite.com/

Read the most recent Daily Incite

http://securityincite.com/security-incite-rants/daily-incite