The Daily Incite - December 5, 2007
December 5, 2007 - Volume 2, #160
Good Morning:
All's fair in love and war - or so the saying goes. "Fair" is kind of a hard concept to grok, especially for a kid. Last night was the first night of Hanukkah, so the kids were very excited - especially when the Boss lined up all the presents by the fireplace. But then there is the inevitable, why did he (or she) get more presents? THAT'S NOT FAIR!
Of course, the fact that we got Lindsay a bunch of fake jewelry that in total amounted to about half the price of the High School Musical 2 calendar that we got Leah was totally lost. It's not about the value - it's about the sheer number. The boy was enamored with his Pirates of the Caribbean towel, so we didn't hear a peep from him. I'm thinking that next year we'll just get the kids 20 M&M's. Then they'll have nothing to bitch about - except the 3 cavities they'll get.
Talking about fair, down in the ATL there was a lot of rumbling about how the BCS just isn't fair. The hometown Bulldogs were ranked 4, didn't play, the top two teams lost and they still ended up ranked 5 and in the lowly Sugar Bowl. How does that work? IT'S NOT FAIR.
But does it really matter? Part of me wants to tell the kids and the Bulldog nation the cold hard truth that life IS NOT fair. Why do some folks pick the right company and get rich, without doing much? Is it fair that the first masseuse at Google retired 4 years ago and now has her own foundation? Is it fair that an IT guy that is in charge of a high profile manufacturing system can actually become a hero and us security folks are lucky to not get a sharp stick in the eye on a typical day?
Life is not fair, deal with it. Personally I used to get all bent out of shape about things like this. It gets back to my hyper-competitive nature. I would see red when a competitor copied my announcement or fabricated features or basically just did the things that aggressive start-ups do to keep the lights on. I never got an ulcer, but I definitely could have. I took all of that stuff very personally.
I can say that working for myself has been therapeutic in that regard. Now I don't need to compete anymore, with anyone. I know what my number is every month and if I can do that, I'm a happy guy. That doesn't mean that I don't enjoy working with clients that are competing in their respective markets. Or working with companies that are trying to treat security more strategically. That's a lot of fun and really the part of my job that I love the most. But not having to own it has been great for my quality of life.
Not that everyone can just step off the hamster wheel and make it work. I know how lucky I am that I can and have. But as we are entering the holiday season and we all need to take a look at 2007 somewhat critically before we head into 2008, really take a look at what is fair, what isn't, and whether it really matters at the end of the day. If you aren't happy doing what you are doing, put a plan in place to make some changes.
You don't want to look back in 20 years and say it wasn't fair. Have a great day.
Top Security News
Oh crap, now it's the new new firewall
So what? - Sometimes tracking and understanding patterns is a real liability. So when I see news items like the "next generation" firewall (as covered in Dark Reading), my conspiracy theory gene goes into high gear. Like with every new version of Microsoft Office - do we really need any of this new crap? Is there any reason that we need to think about upgrading our firewalls? Don't they work pretty OK? As opposed to the office automation business, the attack surface is changing quickly enough that it does make sense to revisit the functionality that is built into our base defenses. So the new new thing in firewalls is this "application awareness," with folks like Palo Alto trying to convince customers that the firewall emperor has no clothes and they need to know more about applications. But the existing firewall powers will not lie down and they all are saying they already look into the application traffic. Do they? Who knows? Does it matter? Probably not. As long as the vendors say they do it, most customers are willing to believe them. Sad but true. It also turns out that the new new firewall also does a lot of other stuff, like Check Point basically adding anti-spam to their UTM box. Is it best of breed? Do you care? Is it good enough? Probably. So we continue to see stand-alone markets go the way of the dodo bird. Big is the new small, haven't you heard?
It's a global world, but still local
So what? - Interesting column here from Paul Raines, who is a well-traveled CSO, railing about the differences between US, British, German and French speakers. His comments about the US speakers actually hit a bit too close to home, and there is definitely truth to the characterizations of the other geographies and cultures. So what? Basically, as a security practitioner within a global organization, you need to factor in specific cultures in how you tell your stories. The reality is the day of the CSO having an empire is over. The job is all about persuasion nowadays. You need to convince these folks that doing security well and adhering to the program and protecting the data is in their best interest. But just as each business unit will have different hot buttons depending on what they are responsible for, each geography will need to hear the story in the way that will resonate with them. And if you can't tune your message accordingly, your chance of success in persuasion is nil.
Reconnex gets the Cisco kiss of death
So what? - Yesterday, Reconnex announced an OEM for their DLP appliance with Cisco's IronPort group. This is great news for a fledgling start-up, no? Doesn't this legitimize Reconnex as a player in the DLP space, especially given that they are one of the only remaining start-ups? Well, yes and no. Clearly Cisco can pick and choose who they want to work with, so this does validate Reconnex's technology. But not the DLP business. If it was that real, then Cisco would have bought, as opposed to "renting." For some more bad news, let's remember that Cisco tends to NOT acquire the technology that they OEM. Anyone remember that host IPS technology that Cisco dealt with? I can't even remember the name, maybe Entercept. The history keeps repeating itself. Cisco figures out they can actually sell it, and if that works then they go shopping for the solution they really want. In the HIPS example it was Okena. Customers that bought Entercept be damned. There are examples of this in network management and lots of other spaces. So all that glitters may not be gold. UPDATE: I got this wrong. Please refer to December 6th Incite for more details.
The Laundry List
- Irdeto (who?) buys the Cloak-ware. Now we need to deal with the Netherlands content security invasion? - Cloakware release
- More giving away the razor to sell the blades (I mean renewals). McAfee signs up Cox as a distribution channel. - McAfee release
- IronPort does their 2008 predictions, not much new here. Get ready for the flood of vendors trying to predict the future. Who will be the first to say they'll get bought by Cisco for $800 million? - IronPort release
- The Mogull publishes his doctoral thesis on DLP. Does that mean we need to call him Dr. M now? - Securosis blog
Top Blog Postings
Microsoft's Jones thrown out the Window
You think Microsoft is concerned about the traction that Firefox is getting? Not that they'd ever admit it, but you've got to figure that anytime market share dips below 90%, they start to feel squeamish. How else do you explain Jeff Jones' statistical analysis of vulnerabilities in IE vs. Firefox? Could there be a less relevant set of statistics? Thankfully Window has a well thought out response to why the number of vulnerabilities doesn't really matter. Other Mozillans have been less politically correct in how they've responded to Jones' report (check out George Ou's blog for more detail). The reality of the situation is that both browsers have issues and will continue to be subject to attacks. Period. So to think that one is going to take the high road on security is just ridiculous. But the media needs something to write about, so this will get a lot more airtime than it deserves.
http://blog.mozilla.com/security/2007/11/30/critical-vulnerability-in-microsoft-metrics/
Will the real VoIP risks please stand up?
Mitchell talks about convergence on his new NetworkWorld blog. A recent topic deals with VoIP attacks. Yes, the attacks are possible, but what's really the risk? You get some spam? Join the club, just open up your email if you want spam. Your IP devices can be compromised and maybe calls be redirected through your infrastructure. And? Aren't all calls in the Internet free? And Lord knows someone can do a lot of damage if they pwn my IP phone. I'm being a bit tongue in cheek here, but for once I think Mr. Hype and Mr. Market are in alignment. The market has spoken and there is no standalone VoIP security market. Despite Mr. Hype's efforts, people are just not getting all fired up about the threats to their VoIP. Are we being naive? Maybe. But given all the cycles we spend to try to stay out ahead of the attacks that can really happen, it's nice to see us basically ignore the attacks that are less likely.
http://www.networkworld.com/community/node/22541
Recently on the Security Incite's Blogs
Find out what Security Mike is talking about
http://sm-blog.securitymike.com
Check out the latest on the Security Incite blog
http://blog.securityincite.com/
Read the most recent Daily Incite
http://securityincite.com/security-incite-rants/daily-incite


