The Daily Incite - November 28, 2007

Submitted by Mike Rothman on Wed, 2007-11-28 09:55.
Today's Daily Incite

November 28, 2007 - Volume 2, #157

Good Morning:
The honesty and innocence of kids is truly inspiring. Every so often one of my offspring will say something that simultaneously has me cracking up and also really appreciating the fact that the world has not beaten them down yet. Over the holidays we got to spend some time with my Mom and step-father. We're having a nice lunch at a buffet and the manager of the place brings each of the twins a little cup of gummy bears and M&Ms. Lindsay tears into the M&Ms and Sam has an affinity for the Gummies. They finish their respective piles and Sam asks for some more Gummy Bears. "Nope" says Dr. No (that's me). 

Sam grumbles a little, but he'll get over it. He always does. Being one to never let a buffet get the best of me, I head up to fill my plate (once again) with some healthy food (yeah, right). While I'm gone, Sam jumps into Lindsay's seat and grabs a few of her Gummies. My step-father Bobby tells Sam he shouldn't have done that. But then, being the great example of purity that he is, Bobby suggests that they can keep it a "secret." Sam agrees that it's a good idea to keep it a secret and says he won't tell me about the extra Gummy.

I get back to the table, with my plate of vege slaw or something (if you believe that I have some Las Vegas real estate to sell you). Then Sam blurts out, "Dad, I'm not going to tell you about the extra Gummy Bears I had. Bobby told me not to tell you. We're keeping it a secret." I almost fell out of my seat. Mental note - don't entrust Sam with the family secrets just yet.

It gets back to honesty. I'm glad that even with some bad influences (like his Grandpa Bobby), Sam still chose to tell me about the Gummy. I know that won't always be the case, but I'm not going to complain while the kids are still young and innocent. I didn't punish him because he told me the truth. If I took a pound of flesh over the extra Gummy Bears, then the next time he needs to tell me something - he may think twice. That's what I'm trying to avoid as a parent. It's a fine line because you can't just allow bad behavior, even if they come clean. But you also can't provide a huge disincentive to being honest.

There is a bigger message here. We tend not to come clean about the things we screw up. I totally agree with Dennis Fisher's take about the UK Government's data loss. They came clean. They accepted fault and they are going to try to make it right. If they had buried the issue under layers of lies, obfuscation and misinformation, then the citizens would be outraged. Instead, it's not an optimal situation, but it's also not a 40-car pile-up.

Let's hope you personally are never tested and put in a place where you have to come clean about something less than savory. But if it happens, remember you always have a choice. Will you fess up about the Gummy Bear? 

Have a great day.

Top Security News

It's about finding the "One"
So what? - As I was reading this good data security overview by Network Computing's (now InformationWeek's) Jordan Weins, I thought of the movie "City Slickers." Great flick, and when Curly tells Billy Crystal's character that the secret of life is "one," and that he has to find out what that one is for him, it kind of came full circle. I'm in the business of genericizing decisions that are pretty important. I track trends, I project outcomes and ultimately I try to use that information to help organizations make better decisions. But every decision ultimately has to be made within the context of your business. When Jordan started looking at data security, there were over 100 different products that could "fit" the bill. How do you possibly make heads or tails out of so many choices? You need to take a step back and really focus on what problem you are trying to solve. It's hard - I know it's hard. You have lots of distractions and reps calling you all the time to get you to focus on the problems they solve. But don't be deceived. Your success directly depends on how well you solve the problems that are important to YOUR business. Data security is something we all need to address, but exactly how you address it is anything but generic.

SANS Top 20, same old same old
So what? - It's that time of year. The big thinkers over at SANS have published their Top 20 report on Internet Security Risks. Attacks are getting more targeted and specific. No kidding. The users are still mostly the weakest link. Right. Technology and complexity within web applications are making things harder to protect. Absolutely. Evidently there were only 18 big risks, so maybe next year we'll see 22 to make it all balance out. The reality is these lists are interesting in that they give the beat reporters something to do for a few days, but I'm not sure they really help anyone do anything much better. Remember, one of the keys to success in being a security practitioner is to stay current with all the activity happening out there. That means you have to read a lot and figure out how what you read impacts your current list of things to do. But you already know that because you read my drivel each day. I'm more worried about the folks that don't stay current. Seeing what's happening out there once a year just isn't good enough.

If a tree falls in the woods, would Webroot buy it?
So what? - Finally, now we know what you do with $100 million in funding, besides paying off the founders to make them go away. Webroot has decided to get into the anti-spam managed services business by acquiring Email Systems. Huh? Who? For a first acquisition out of the gate, this is kind of strange. Webroot had no managed service presence. Not even a UTM or a vuln scanning thing. Just the various desktop security products. So how do you get into an overcrowded market like anti-spam, where you have no real differentiation, with an offering that no one has ever heard of? I guess you get ready to swim upstream for a while. And to spin Email Systems as offering "unrivaled SaaS technology that represents a tipping point in enterprise security." Who writes this stuff, and how can I get some of what they are smoking? Sure, Webroot has some customers and they need more stuff to sell them, but it would have made more sense to me to take out something a bit closer to the desktop (maybe like a NAC thing, like Symantec did with Sygate), as opposed to getting into a totally different business.

The Laundry List

  1. Worried about the SANS Top 20? Qualys will scan you for free. Maybe you'll even like it and buy some more.  - Qualys release
  2. How should SMBs do security reporting? I covered that topic in my monthly SearchSMB column. - Rothman SearchSMB tip
  3. Put up (the S-1) or shut up. Lumension pats itself on the back for 106% revenue growth. So they went from $100 to $206 in sales? I hate these "success" releases, which don't say a damn thing. I should know, I used to write them. - Lumension release

Top Blog Postings

Don't understand, or don't care?
Farnum rants a bit about "dumbing down" presentations to executives. His friend Jim rues the fact that executives at big companies can't comprehend at a 1st grade level. That's a load of crap. Fortune class executives understand exactly what the issues are. The sad truth is that relative to security, for the most part, they just don't care. So we don't need to dumb down our presentations, WE NEED TO MAKE THEM RELEVANT. Farnum suggests that maybe folks dumb down presentations because they don't want executives to really know what's happening. Maybe there is some truth in that, but it's still the wrong way to think about it. Can they not handle the truth? If it relates to how an attacker can bring the business to its knees and result in data breaches, downtime, and compliance fouls - I assure you they can handle the truth. They just don't want to learn the techno-babble vernacular that most security folks spew. It's not that they can't, it's that they don't want to. If you want to keep your executives in the dark, that's your business. But when the brown stuff hits the fan, if the big wigs don't see it coming - guess who is covered in shit?
http://blogs.computerworld.com/the_coddled_and_shielded_executive

Messing with Natural Selection
George Ou handles the murky ethical territory of whether to "fix" someone's security environment without their knowledge. Actually, it's not ethically murky at all. By changing the security on a stranger's network, you are breaking the law. Enough said. But there is a bigger picture here. Sure, it pains me to see folks I know that have no regard for security. That's why I am writing Security Mike's Guide. But that doesn't mean we should help the folks that aren't smart enough to help themselves. The best analogy I can think of is motorcycle helmet laws. Amazingly enough, there is always a set of doctors that (not publicly) get bent about helmet laws being passed. Why? Because it cuts off a major source of transplant donors. Sad, but true. Most motorcycle riders that end up splattered on the side of the road are young and relatively fit. Their organs can be put to use in someone hopefully not so dumb as to ride without a helmet. It's Darwinism at work. Same goes for folks with open wireless networks. If they are dumb enough to leave their network open and to not even change the default IP address and password of their router, then even if you "help" them by fixing it, you aren't doing the rest of us any favors. These are the folks that should end up as spots on the cyber-highway. You may delay the inevitable, but you won't stop it.
http://blogs.zdnet.com/Ou/?p=883

Submitted by George Ou (not verified) on Thu, 2007-11-29 08:27.

"If they are dumb enough to leave their network open and to not even change the default IP address and password of their router, then even if you "help" them by fixing it, you aren't doing the rest of us any favors."

The problem is that these people become a danger to the Internet and they can be used as platforms to attack the rest of us.  You can't compare it to motorcycles.

Submitted by Mike Rothman on Fri, 2007-11-30 16:26.

If you look at it relative to the greater good, then you are probably right. But if you are looking out for #1, then having a bunch of dimwits out there that have gaping holes makes my environment look like a fortress. And the bad guys tend to go after the path of least resistance.

And yes, I'm joking. My entire Security Mike project is about helping these folks stop doing stupid things and make it hard for the bad guys to make a buck. But I do favor education rather than direct action. It's the old give a man a fish, or teach the man to fish thinking...
