The Daily Incite - February 19, 2008

Submitted by Mike Rothman on Tue, 2008-02-19 08:31.
Today's Daily Incite

February 19, 2008 - Volume 3, #16

Good Morning:
The Boss went away for the long President's Day weekend. So it was me and the kids all weekend. Talk about the inmates running the asylum. I did a quick check of the paper to see what fun activities we could do. We've been to the Children's Museum and the Aquarium plenty of times. Then I saw it. THE CIRCUS. Not any crappy circus. Ringling Brothers. The real deal. The Greatest Show on Earth. Now that will be fun.

We'll even make it truly an adventure by taking the train into the city. Yeah, we could have driven, but what fun would that be? Nothing like mixing it up with the residents of our fine city. I guess I shouldn't have been surprised when a clown walked up to us as we were waiting for the train. This guy was in full clown get-up. Thankfully the kids don't have an aversion to clowns. Not yet anyway.

This wasn't any plain clown. This was Beebo the Wonder Clown. Think Rosco P. Coltrane (from the Dukes of Hazzard) as a clown. A beer belly, a thick Southern drawl and a pocketful of balloons. And a pile of business cards, just in case I wanted to hire Beebo for the kids' next birthday party. Thanks, but I'll pass.

Then we got to the arena. And the merchandising began. $14 for an elephant mug. Not a chance. $28 for 2 lemonades and 2 popcorns. Wow, I'm glad I went through the couch and got that extra change before we left. It wasn't going to be one of those budget activities.

The kids loved it. The acrobats and the clowns (normal clowns, not Beebo) and the tigers and the elephants. They drank it up. Truth be told, when the trainer was surrounded by the 10 tigers, I was amazed that the fellow didn't become dinner. Even one tiger could have made quick work of that little guy with the whip. I'm glad they were well behaved. I shudder to think of the therapy bills for the kids if they saw that dude get mauled.

As we were on the way home, I asked each kid what their favorite part of the circus was. The twins liked it when a clown got out of a very little car. They thought that was cool. Leah couldn't make up her mind. She liked it all.

What was my favorite part? Seeing the look of wonder as my kids got to experience the Greatest Show on Earth. That was priceless.

Have a great day.

PS: I've posted the next two Days of Incite Posts.

  1. Express Your Inner Bean Counter
  2. It's time for an audit revolution
  3. Best of Breed DOA
  4. Weaving security into the network fabric


Top Security News

ArcSight gets the deal done
So what? - In a horrible market, ArcSight got their public offering done last week. It went out at $9 (at the low end of the range) and traded between $8 and $9 Thursday and Friday. It's a tremendous accomplishment to get a security public offering done, so the team at ArcSight should be congratulated. But now what? The business is lumpy and security management is, well...security management. George Hulme talks a bit about the SIEM market, but it's pretty much yesterday's analysis. He goes into the history of why many of the SIEM vendors have struggled. By the way, it's not about firewalls and IPS maturing, it's about time to value. Yet driven by regulations, security management is evolving, integrating traditional SIM with log management and a bunch of other stuff. The latest example of this trend is NitroSecurity's new box, which brings a lot of these functions together. The real question is whether a public, standalone security company makes sense anymore. I suspect not, and we'll see how it plays out. Sourcefire certainly had a train wreck in their first two quarters as a public company.

Do they make Rolaids for fast-flux phishing?
So what? - I'm always intrigued by how the bad guys constantly innovate, all in the name of masking their identities and covering their trails. This SearchSecurity tip by Ed Skoudis details a new technique called fast-flux. This entails the bad guys using round robin DNS to distribute their phishing sites among a large number of bots. This eliminates the single point of failure issue (when the ISP takes down the site) and also puts yet another layer of abstraction between the victim and the criminal. If it wasn't nefarious, I'd say it was really cool. OK, it's really cool. What would be cooler is if we could get these folks to apply some of their innovation to the right side of the law. Alas, being good pays like crap, so it's not going to happen. Especially when these guys continue to find ways to make it a lot harder to find them and bring them to justice.
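A defender-side heuristic for the behaviour Skoudis describes, as an added example that is not from the original post or the SearchSecurity tip: it aggregates successive A-record answers per domain and flags hosts whose short TTL is combined with many addresses scattered across unrelated networks, which is what separates fast-flux rotation from ordinary round-robin or CDN rotation. All domain names, addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict
from ipaddress import IPv4Network

# Constructed resolver log: (domain, TTL seconds, A records) from successive lookups.
# Hypothetical names and documentation/reserved address blocks, not real indicators.
OBSERVATIONS = [
    ("login-verify.example", 180, ["203.0.113.7", "198.51.100.42", "192.0.2.19"]),
    ("login-verify.example", 180, ["203.0.113.88", "100.64.12.3", "198.18.4.9"]),
    ("login-verify.example", 180, ["192.0.2.200", "100.64.77.1", "203.0.113.7"]),
    # Legitimate round-robin/CDN host: short TTL too, but every address sits in
    # one provider block instead of being scattered across unrelated networks.
    ("static.cdn-example.net", 60, ["198.51.100.10", "198.51.100.11"]),
    ("static.cdn-example.net", 60, ["198.51.100.12", "198.51.100.13"]),
    ("static.cdn-example.net", 60, ["198.51.100.10", "198.51.100.14"]),
    ("www.example.org", 86400, ["192.0.2.1"]),
    ("www.example.org", 86400, ["192.0.2.1"]),
]

def profile_domains(observations):
    """Per domain: min TTL, distinct IPs, distinct /16 prefixes (a crude stand-in
    for distinct ISPs), and churn = fraction of lookups that introduced a new IP."""
    state = defaultdict(lambda: {"ips": set(), "nets": set(), "ttls": [], "lookups": 0, "new": 0})
    for domain, ttl, answers in observations:
        s = state[domain]
        s["lookups"] += 1
        s["ttls"].append(ttl)
        fresh = set(answers) - s["ips"]          # addresses never seen for this name
        s["new"] += 1 if fresh else 0
        s["ips"] |= set(answers)
        s["nets"] |= {IPv4Network((a, 16), strict=False) for a in answers}
    return {d: {"min_ttl": min(s["ttls"]), "distinct_ips": len(s["ips"]),
                "distinct_nets": len(s["nets"]), "churn": s["new"] / s["lookups"]}
            for d, s in state.items()}

def is_fast_flux(profile, max_ttl=300, min_ips=5, min_nets=3, min_churn=0.5):
    """Short TTL combined with many, network-diverse, churning addresses.
    Thresholds are illustrative starting points, not tuned values."""
    p = profile
    return (p["min_ttl"] <= max_ttl and p["distinct_ips"] >= min_ips
            and p["distinct_nets"] >= min_nets and p["churn"] >= min_churn)

def suspicious_domains(observations):
    """Domains whose aggregated resolution profile matches the fast-flux heuristic."""
    return sorted(d for d, p in profile_domains(observations).items() if is_fast_flux(p))

if __name__ == "__main__":
    for domain, p in profile_domains(OBSERVATIONS).items():
        print(domain, p, "FLUX" if is_fast_flux(p) else "ok")
```

On the constructed log only the phishing host trips the heuristic; the CDN-style name has the same low TTL and five addresses but stays inside a single /16, so network diversity, not TTL alone, is the discriminating signal.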

Firefox 3 coming up - security takes front and center
So what? - Mozilla continues their evolution of the Firefox browser. I've been a FFX user for many years, although I have cheated at times with Safari and Camino. Yet I always go back to the Fox. It's really all about the plug-ins. As Ryan Naraine reports, Firefox 3 is getting close and there is a lot of new security goodness in there. Beta 3 is out, which means hopefully we'll see the finished version by mid-year, if not sooner. There are new phishing filters and other structures to make browsing a bit safer. But there is only so much they can do. At the end of the day, it's still a browser and it's still software, which means there will still be problems. So why do I push Firefox whenever I can? NoScript. It's as simple as that. Mozilla really should just integrate NoScript into the main core. Unfortunately that would probably scare off a lot of mass market users because it does break a lot of Internet stuff. Of course, it's the stuff that should be broken (like evil scripts, XSS attacks, and malicious Java), but that's beside the point. Ease of use trumps security - every time.

The Laundry List

  1. Who says there aren't any margins in software? GFI cuts pricing 45%. Actually this is more indicative of the maturity of the security industry. Price is important now. - GFI release
  2. NetClarity goes bulimic with a 10 oz NAC device. Maybe it's those overweight 1U appliances that are holding up NAC market adoption. - NetworkWorld NAC newsletter
  3. Oracle posts SQL Injection defense training materials. Education is good. Now if only DBAs would pay attention. - Oracle Security Blog
  4. Untangle integrates community contributions. I wonder if the developers get stock options? - Untangle release

Top Blog Postings

TJX is still a good example to use
Interesting post here on Cigital's blog from Sammy Migues about the fact that TJX hasn't really suffered from a business standpoint due to the data breach. The reality is that unless the identity theft results in a lot of lost money, or lost time and heartburn to recover that lost money, most consumers don't care. They get a new credit card and they go about their business. As Sammy says, TJX runs a good sale - so lots of consumers go back and buy stuff. And truth be told, the consumers should. The idea of paying for everything in cash to avoid potential identity theft is ludicrous. We will all have our identity stolen, multiple times, and there isn't much we can do about it. I guess you could move to a remote island, but they'll probably find a way to get to you there also. More to the point is whether TJX has lost its luster as a train wreck that will shock dimwit executives into spending some money on security. My answer is still a resounding yes. Remember that train wrecks are used to GET ATTENTION, not get funding. You need to make a case as to why the expense is important to get the funding and TJX couldn't do that for you. Even if they went out of business, TJX couldn't do that for you. But the couple hundred million bucks TJX will spend cleaning up the mess will open some eyes in the board room. Now their eyes are open, what are you going to show them?
http://www.cigital.com/justiceleague/2008/02/07/please-dont-fud-the-animals/

Chandler's excellent metrics adventure
I love the blogosphere. Why? Because everyone can now be exposed to the sausage factory, you know, how the things we do are done. For a long time, there were only a set of in-the-know insiders who really understood what was going on and aggregated information from lots of sources and popped out some trends. Companies used to pay tens of thousands of dollars a year for access to these insiders. A lot of companies still pay for IT research, but the value will continue to go down as more of this information is now available for free. Folks just need to know where to look. Like Chandler's ongoing series about his struggles with metrics. It's great to see how his thinking is evolving and over time what is working and what isn't. We need discussions like these to get some level of consensus about what should be counted and how to count it. I'll point to a couple of posts that bear reading. First, Chandler's KPI #1, which is about understanding the % of hosts centrally managed and "protected." I'm not sure what protected means, but it's certainly a good place to start. His second KPI is trying to gauge "how secure they are?" by focusing on risk assessment gaps that are closed vs. made exceptions and where in the process the gaps occur. My issue with this one is that each application is different and it'll be hard to get apples to apples comparisons. But I'm a fan of trying stuff, so it'll be interesting to see if this yields any useful trending analysis over time. If not, then he can tune it. And we'll be able to watch and learn. That's what it's all about.
http://thurston.halfcat.org/blog/2008/02/14/kpi-2-how-secure-are-we/

We are role models...
Cutaway wonders about whether our personal activity can and should be held up as examples to the rest of the organization. He uses the news peg about the Sacramento Kings cheerleaders that were caught in pictures partying their asses off. Does that same thing apply to us? Per usual, the answer is yes and no. Personally, I don't care if Cutaway dresses in drag on his own time. And those of you that know him, know how funny that would be. I do care if he is caught doing some illegal computer work. I also care if he has his passwords taped to the bottom of his keyboard and whether he sends personal email to his work account. Why? Because we have to LEAD BY EXAMPLE. We can't expect everyone else to follow the rules if we don't. It's as simple as that. For security related things, every security professional must be a role model. And I've heard getting big, tough, military dudes to dress in drag for security awareness training day works wonders. Anyone want to suggest that to Cutaway?
http://www.cutawaysecurity.com/blog/archives/224