The Daily Incite - January 10, 2008
January 10, 2008 - Volume 3, #4
Good Morning:
I've been very resistant to doing a podcast. I'm not exactly sure why,
but I guess it's because I don't really listen to any - so I can't
imagine anyone would listen to mine. Honestly, I find most podcasts to
be crappy. They are long, drawn out, and generally a waste of time. Not
all, but most. I also don't have the patience to sit and listen to an
hour of anything, besides music.
I've heard more than once
that audio would be a great venue for me. I've been told my voice and
speaking style is "unique," which I always figured meant crappy. I do
lots of webcasts and try to relay a passion for what I do and I try to
be entertaining and kind of wacky. I know how boring it is to
listen to streamed audio over your lunch break, so the least I can do
is try to make it fun. But do I want to do this a couple of times a
month? That's the real question.
There is precedent for this. I've been doing a podcast and feature
article for eBizQ (called the Mike
Rothman Security Report, if you haven't heard it) for a
couple of months and it's been fun. It's trivial to record the audio on
my Mac (Skype + AudioHijackPro = easy) and the sound quality has proven
to be pretty good.
So I'm going to give podcasting a try. The first Pragmatic CSO podcast
will appear tomorrow. It will be short (10 minutes max), sweet and
hopefully entertaining. I'll still do the P-CSO newsletter, but
probably a bit less frequently (maybe once a month now).
What's going to be the point of the P-CSO podcast? Basically, I want to
pull nuggets out of the book and expand on those a bit. I also want to
interview practitioners, analysts, auditors, and other security-related
folks on topics of interest. But most of all, I want to have fun and
learn some new stuff. By talking with smart folks and honing my audio
skills, I'll be able to do both.
That's it for today. Lots to do, including figuring out all these
podcast details.
Have a great weekend.
Top Security News
Now why do NAC standards matter again?
So what? -
It was kind of nice that NAC faded into the background during Q4 a bit.
But like a phoenix rising from the depths of hell, NAC is back in early
2008. The exit of the artist formerly known as Vernier from the NAC
business has brought some of the market issues back into focus. I
was tooling around during my daily reading and came across this
NetworkWorld piece on the "Tech moves that matter - for good and bad."
Good isn't very interesting to me, so lo and behold, the #1 bad move in
2007? NAC. That's pretty funny. But it's actually a Joel Snyder induced
rant about NAC standards. Cisco's refusal to play nice with the TCG is
evidently a stupid move. Uh, not so much. What's in it for Cisco to
play along? Why do customers care? What value is a common NAC standard
going to provide? It's not like you are going to buy NAC gear from
multiple vendors. Microsoft had to play nice with TCG; their NAP stuff
isn't ready and won't be ready for most of this year. So that was a
Barney relationship. There is no benefit to Cisco for getting on board.
They'll have agents for all the operating systems and why would they
support heterogeneity? Not when there is too much riding on Cisco
everywhere.
Yes, DLP is a feature
So what? -
It's a slow news day, so I'll point to another NetworkWorld piece, this one on DLP consolidation and
the market impact. It's actually more of a deal book for all the big
security vendors out there that don't have a DLP capability yet. Every
start-up is represented, so Cara (the author) must have worked really
hard to find all of these random vendors to provide comment. But
besides that minor entertainment value, we need to keep in mind that
the pace of consolidation is inconsistent with the underlying ECONOMIC
fundamentals of the DLP market. The big vendors are no longer waiting
for a market to really emerge before buying real estate. Thus every new
innovative security feature is destined to be assimilated before the
market ever gets off the ground. I guess that's a pretty obvious
conclusion to draw, but it will have an impact. There is a real
liability to being an early adopter now, knowing that sooner - rather
than later - whatever you buy will be subsumed into a bigger entity and
most likely screwed up.
The Laundry List
- Just what we need, another pundit talking about what's going to happen in security management in 2008. Ho hum. Even when the analyst is me. - Rothman column on 2008 Security Management
- These aren't 5 immutable laws or anything, but this month's eBizQ feature is a primer on virtualization security. - The Mike Rothman Security Report
Top Blog Postings
Metrics in a nutshell: "Absolutely accurate and utterly wrong"
Chandler is throwing himself headlong into a metrics program this year.
But here's the catch, it's not clear what to actually measure. He's
still gathering a list of "potential metrics" and trying to figure out
what's going to make the most sense. Unfortunately, he's not alone.
There is no consensus on what makes a good security metrics program,
and what should be counted. As the money quote in this post indicates, "it is entirely possible to be
both absolutely accurate and utterly wrong." Awesome, and
true. There are lots of ideas and Lindstrom and Jaquith have been
pushing theirs for years. Securitymetrics.org is at least a forum for
the discussion, but it's not clear that anything productive has come
from that effort thus far. It feels that we are spinning our wheels.
Andy's book is great, but not really actionable. It's a
thought-generator, but most security professionals don't have time to
think, they need a simple list of things to count. No list I've seen is
simple, and that's the crux of the issue.
http://thurston.halfcat.org/blog/2008/01/04/let-the-metrics-begin/
How'd they do that mass SQL attack?
I was having dinner with a client on Tuesday night and he mentioned a
massive SQL injection attack that was starting to get some buzz.
LonerVamp points to it in this post and it's kind of interesting, but
not that mystifying in terms of tactics, although the level of
automation is noteworthy. Basically these folks did a similar kind of
analysis to the one Litchfield did a while back. Of course, he didn't
leave anything malicious behind, but the concept is the same. The bad
guys build a script to find a bunch of SQL-injection vulnerable sites
(a scanner can do this, though it would need to be tuned a bit to not
raise a lot of suspicion), then they inject the malware and wait for
great stuff to happen. It's not necessarily self-propagating (like
SQL*Slammer), but it also shows that massive attacks are still quite
possible. What's a user to do? Run a scan against your Internet
accessible sites and make sure you are not vulnerable. Do pen tests
early and often. Also think about Firefox and NoScript, which would
protect client devices that navigate to these compromised websites.
http://www.terminal23.net/2008/01/mass_sql_injection.html
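A defender-side illustration of the advice above (scan your own sites and watch what hits them): this is an added example, not code from the original post or from LonerVamp, that runs a small SQL-injection indicator check over constructed web-server access-log lines. The log lines, client addresses, script names and the hex blob in the payload are all constructed for this example.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (not from the original post): one benign
# request, two that carry injection payloads in the query string, one static page.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jan/2008:09:01:12 -0500] "GET /products.asp?id=42 HTTP/1.1" 200 5120
203.0.113.9 - - [10/Jan/2008:09:01:15 -0500] "GET /products.asp?id=42;DECLARE%20@s%20VARCHAR(4000);SET%20@s=CAST(0x4445414442454546%20AS%20VARCHAR(4000));EXEC(@s)-- HTTP/1.1" 200 5120
203.0.113.7 - - [10/Jan/2008:09:02:01 -0500] "GET /search.asp?q=shoes%27%20UNION%20SELECT%20null,null-- HTTP/1.1" 500 312
203.0.113.8 - - [10/Jan/2008:09:02:30 -0500] "GET /about.asp HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Indicator patterns matched against the URL-decoded, lower-cased query string.
INDICATORS = {
    "union_select": re.compile(r"\bunion\b[\s\S]*\bselect\b"),
    "stacked_statement": re.compile(r";\s*(declare|exec|set)\b"),
    "hex_cast": re.compile(r"\bcast\s*\(\s*0x[0-9a-f]+"),
    "comment_terminator": re.compile(r"(--|/\*)"),
}

def parse_request(line):
    """Return (client_ip, method, path, decoded_query, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, method, target, status = m.groups()
    path, _, query = target.partition("?")
    return ip, method, path, unquote_plus(query), int(status)

def sqli_indicators(query):
    """Names of the indicator patterns found in a decoded query string."""
    q = query.lower()
    return [name for name, rx in INDICATORS.items() if rx.search(q)]

def scan_log(text):
    """Return (ip, path, indicators) for every request carrying an indicator."""
    hits = []
    for line in text.splitlines():
        parsed = parse_request(line)
        if parsed is None:
            continue
        ip, _, path, query, _ = parsed
        found = sqli_indicators(query)
        if found:
            hits.append((ip, path, found))
    return hits
```

Run scan_log over your own access logs to see which scripts are being probed; a request that shows a decoded stacked statement or hex CAST against a page that takes a numeric id is the one to chase first.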
Even security hosters are vulnerable
First it comes to light that yet another ScanAlert customer is hacked.
So much for "Hacker Safe." Now it seems that C I Host, which does
security stuff, had a data center robbed at gunpoint and a bunch of
equipment was stolen. Actually, this attack happened last year, but
it's now coming to light. Tom Olzak does an interesting post-mortem on
the attack to show where the physical security techniques left quite a
bit to be desired. I don't know a hell of a lot about physical
security, but locking the doors and windows would seem to be pretty
important. This is a DATA CENTER, after all. Yet how much do you really
know about your data center physical security? Big companies likely
control their own data centers, so you better know. But what about
small companies? I personally have no idea what physical security
structures are in place for the hosting companies I use. I've got data
replication and redundancy tactics in use to make sure I don't lose
data, and I'm not sure it's worth my time to go any deeper than that.
http://blogs.ittoolbox.com/security/adventures/archives/anatomy-of-a-physical-security-breach-21650