The Daily Incite - December 20, 2007
December 20, 2007 - Volume 2, #165
Good Morning:
It's hard to believe, but this will be the last TDI of 2007. I know
publishing has been a bit lumpy lately, and that's probably annoying to
you. Oh well. At times I struggle with what to do and what not to do.
Lately, I've been focusing on what pays, as opposed to what doesn't.
Maybe that's the wrong decision, but it's a decision nonetheless.
As I've been grappling with getting everything
done, I saw this post on Penelope Trunk's blog
and it really resonated with me. I seem to be constantly going through
a similar thought process as I get busier and busier. Some
stuff inevitably gets ignored, that's for sure. I know some
folks think I'm a prick for not responding to their press inquiries or
not getting back to them to take a briefing for a 1.6 release of their
widget. Some also scratch their heads when I ask for large sums of
money to speak in far-away places, but it's all about opportunity cost.
I've got to maximize my time because I don't want to work all day and
all night anymore. As is, I work too much.
Penelope talks about "redefining her job" every day, and I think that's
a good metaphor. You have an opportunity when you make your To-Do list
every morning to figure out what kind of day you want it to be. You
need to figure out what kinds of things you want to work on, and
hopefully that cross-references with the things that your bosses (or
clients) think are important. Some days that works out, other days not
so much.
But as we put the bow on and wrap up 2007, it's time to think about
what we can and should do better in 2008. What are the priorities that
you bring into this New Year? I won't talk about resolutions because I
think resolutions are mostly to make the two tubs of champagne go down
better on New Year's Eve. Personally I set out to do a few things in
2007. I needed to lose some weight and I did. About 35 pounds at last
count. I feel a lot better and I'm just getting started.
I wanted to move my business to focus more on products, as opposed to
time. The Pragmatic CSO has done well and I continue to carve out a few
minutes each day to move the Security Mike content forward. It never
happens fast enough, and I'm always thinking about new ideas (even
before I finish the old ones), but I'm pleasantly surprised by the
positive impact these products have had.
But what about 2008? I'd like more of the same. If I can stay busy,
that's great. If I can drop some more weight (another 25 would be nice)
and get into better shape, even better. For me, the big theme in 2008
will be finishing what I started. I have a lot of loose ends to tie up
relative to the P-CSO and Security Mike, and they need to get done. I
have 2-3 other very promising ideas, but until I take care of business
- those will just have to wait.
I leave 2007 in a pretty good spot. I know that life is cyclical and
I've had enough challenging times to really appreciate the fact that
right now things are good. Yes, that is optimistic Mike once again
making a cameo appearance. Given all the negativity around security
today (and partially by definition), I'm hoping that we all can bring a
bit more optimism to what we do.
Finally, I want to once again thank YOU, my readers and customers. The
folks that read TDI, those that show up when I'm speaking, and
especially any of you that have bought my products - thank you. Without
you, I couldn't do this for a living. So with that, I'll sign off. Have a
great holiday and I'll see you in 2008!
Top Security News
Where is Letterman when we need him?
So what? -
There are rumors flying around that the late night talk shows will be
back on right after New Year's. Writers' strike be damned! I don't care
one way or the other because I'm usually asleep way before Letterman
comes on. Yes, I'm old. I get that. But I do miss the Top 10 list. So Scott Berinato's Top 10 Data Breaches of 2007
is going to have to suffice. Now Scott is no Letterman, but at least
one of the breaches is titled "urine trouble," so I can get a little
bit of potty humor fix. Basically, 2007 was a train wreck relative to
data breaches. Of course TJX is number 1, but many of these others are
pretty significant as well. And I suspect we are going to see a LOT
more in 2008. It will get worse before it gets better. I also did a compliance year in review piece for Search
Security, so check out what I had to say about 2007.
Phishing now bigger than the GDP of Kosovo
So what? -
OK, I don't really know what the GDP of Kosovo is, but since Gartner
pegs phishing's economic impact at $3.2 BILLION, it's got to
be close, which is pretty scary. The reality is, we have no idea what
the true cost of phishing is because most of it goes unreported,
written off as "shrinkage" by the credit card companies and reflected
in higher rates and prices for everything else. So how do we fix the
problem? Unfortunately there is no easy answer, but it's likely a
combination of more educated consumers and tighter fraud controls. We are going
to keep seeing applications we use (like Google Toolbar) increasingly
targeted by the bad guys. I'd say enhanced security technology, but the
reality is that I'm not sure that's a good answer. Most phishing is
done via automated social engineering and it's not clear that
technology can really stop the problem. I guess a bit, but not
entirely. Given that most users are blissfully unaware, and keep buying
stuff online and the fact that tighter fraud controls will add more
friction to commerce and I doubt the credit card companies will do that - the
cost of phishing will go up next year. I'm not sure what numbers
Gartner will make up this time next year, but I feel pretty good in
saying it will be bigger.
More 2007 security wrap up
So what? -
Looks like Cisco is finally getting
into the security research game. Actually, they've been in it for
years, they just didn't tell anyone. But now they have taken the wraps
off their first annual report on the global
state of security. I guess times are tough at Cisco, even if
their financial results keep showing that they are growing 3 Check
Points A QUARTER. I guess they just can't afford to dedicate a few
folks to write the report bi-annually or maybe even quarterly. You see,
an annual report is pretty useless. I guess if you are doing high level
trend analysis, that's fine. But it's not something that is going to
give you timely enough information to actually make any kind of
decisions. They also throw in a few recommendations, which are about as
timely as saying the wheel is round. Things like "conduct regular
audits" and "consider more than performance when building a secure
network." Wouldn't it just be called a fast network if we were only
worried about performance? Their focus on education is well placed, but
the other stuff left me a bit underwhelmed.
The Laundry List
- Websense the latest to try to replicate OPSEC with their "Open Endpoint Initiative." Guess what guys? There won't be another OPSEC. And their initial roster of partners is impressive, Lumension and... and... and... Bueller... Bueller... - Websense release
- Want to kick start your security assurance/testing efforts? Here is a nice wrap-up from TechTarget on things like Metasploit and port scanning. - Symantec release
- We'll see a lot more of email archiving in 2008. It's a mail infrastructure issue, so Mirapoint is better positioned than someone like Barracuda, but that doesn't mean all the security vendors won't be trying to get into the space. - Mirapoint release
- Shavlik jumps on the VMWare bandwagon - like everyone else. But the idea of having better configuration management is important in the increasingly virtualized data center. But it's more than just patching... - Shavlik release
Top Blog Postings
Finally some optimism
With all the negativity around 2008 predictions for our security world,
it's nice to see Hoff actually think a bit about how things could
potentially get better moving forward. He spews off 10 observations
about where security needs to go. I do think Chris is ahead of the
curve on a few things, like virtualization security (his #1) and also
the consumerization of IT (not even sure what that means) because most
security folks are not proactive, by definition. So we wait until a
sharp spike is driven deeply into our skulls before we take action.
Though the idea of Next Generation Networks and more secure desktop
OSes are great to think about, I think we all have to get a lot better
at the simple blocking and tackling. Things like configuration
management (not just our desktops, but servers and network devices as
well), monitoring (read anything Bejtlich has to say about that) and
education. It's easy and somewhat intoxicating to spend time figuring
out how to more effectively protect data, but remember that for most of
us, the front door is wide open and maybe you should close that first. Hoff,
The Mogull and Martin did a podcast to go over these trends.
Listening to those 3
pontificate for an hour would make my ears bleed, but I'm sure it was
wonderful.
http://rationalsecurity.typepad.com/blog/2007/12/and-now-some-us.html
The Doom Scenario is in the cloud
I really like the GNUCITIZEN blog. I don't know pdp or the other folks
that contribute, but they post some great stuff about application
security issues and where things are going. Like this post on Web 2.0
pretty much maps out a doom scenario on how things could go down, once
the bad guys really figure out how to harness these social networking
technologies for evil.
He's right, and when you really think about this - it's hard
to be optimistic about how things will potentially get better. The sad
truth is that 2008 (and probably 2009) will be hard years. It takes a
little while for the necessity of change (at least in the consumer's
mindset) to sink in and a lot of folks have to get hurt for it to
become "real." Like with seat belts. A lot of folks died until it
finally became clear (and then mandated) that seat belts are a good
thing. It's not clear what Web 2.0 seat belts are, but a lot of folks
will be contributing their money to the bad guys as we figure it out.
And to be clear, WE WILL FIGURE IT OUT - but there will be a lot of
bodies as we get there.
http://www.gnucitizen.org/blog/the-next-line-of-defence-web20-you-must-read-this