The Daily Incite - February 21, 2008

Submitted by Mike Rothman on Thu, 2008-02-21 09:52.
Today's Daily Incite

February 21, 2008 - Volume 3, #17

Good Morning:
I'll admit it, I'm human. Some days I'm just not as motivated as I need to be. My list of things to do is overflowing and there are so many cool projects to do, so why can't I get the motor in gear some days? It's kind of like when you are thinking about dinner and you pop open the fridge and NOTHING looks good. So you go to the pantry, still no dice. What about the freezer? Not so much. So you make a turkey sandwich and watch some bad TV. That usually takes care of it.

The reality is that it's about recovery. As much as I love what I do, there are some days when I'm just fried. Maybe I've been traveling a lot. Maybe I'm a little blocked in driving a writing project to conclusion. Maybe I'd just rather surf the web and do "research" for a large portion of the day.

The good news is that I have the ability to do that. I'm accountable to my clients and readers to get some stuff done, but I do have a lot of flexibility in when I do that stuff. There are some days when I get very little done during the day for any number of reasons. But I kick ass at night after the kids go to sleep.

Ultimately I'm finding a way to align my work processes with my internal rhythms of when I am engaged in my activities and when I'm not. I know, I'm a pretty lucky guy to have such an unstructured gig that lends itself to adapting.

What do you do if there are some days when you feel like you are just going through the motions? Basically, write the day off. Seriously. Figure out the 1 or 2 things that you absolutely need to get done. Periodic laziness shouldn't result in you being thrown out of the car at a high rate of speed. Do those things and do them early in the day. Even if you don't want to. Then work on some other projects. Maybe hit YouTube. Go roam around the shop floor or talk to some users. Call a friend you haven't chatted with in a while. Go work out. You can even play hooky. Your boss probably won't even notice. Just get out of your typical work process because you need a break.

And don't feel guilty about it. Everyone needs to recover. Be candid with yourself. As opposed to sitting there, looking at your computer screen and revving your guilt engine, go make the day great and memorable. The work will be there tomorrow. I promise.

There are some cultures that embrace this reality, like Google. They force employees to take 20% of their time to work on projects not related to their day job. That is truly prescient. It allows folks to chase their passions, yet also be respectful of the reality that some business needs to get done.

You may not work at Google, but understand that the renewal process is important - even if you have to do it informally.

Have a great weekend.

PS: I've posted the next two Days of Incite posts. #7 will hit today and I'll finish up next week.

  1. Express Your Inner Bean Counter
  2. It's time for an audit revolution
  3. Best of Breed DOA
  4. Weaving security into the network fabric
  5. Night of the Internet Dead
  6. Laptop encryption hits the big leagues



Top Security News

Maybe try a nuke
So what? - I couldn't wait to crack open the CRN article called "SonicWall CEO: How to beat Cisco." It was kind of like waiting for a train wreck. You see the guy sitting on the tracks, blissfully unaware the big train is about to mow him down. The CEO makes the points that technology is a differentiator and Cisco is too expensive, which ultimately means the channel can make more money. The first I don't get. UTM is a commoditizing business, at least in the mid-market SonicWall serves. Those folks don't care about technology, they care about getting it done and saving money. At least the folks I'm talking to. What about the price thing? That is actually true. Cisco is not the low cost provider. They don't have to be, so why would they? In line with this full frontal assault on Cisco, SonicWall also announced a series of bigger UTM boxes. Of course, it's easy to poke at the leader. Cisco probably spends more on toilet paper and soda than SonicWall sells in a quarter. It's not like they are going to respond and squash SonicWall like a bug. Since this is a CRN article, the takeaway is for the VARs. Aggressive vendors will bribe you with higher margins and more attractive accelerators to try to move their boxes. In a lot of cases, that's a good idea. Yet, don't forget to factor in the extra time it will take to sell the deal because you've got to overcome the resistance of not going with the leader. I'm all for competition and like the fact that SonicWall is taking off the gloves. That's good for everyone; it's just entertaining because I've seen this movie so many times before.

Value depends on what you are testing
So what? - I'm a big fan of testing; I think I say that once a week. You need to exercise your defenses because the bad guys do that every single day. So what techniques do you use? Most use scanners to pinpoint vulnerabilities. Others take it up a level and have application security personnel try to find the logic flaws in their Internet-facing applications. Some also use automated pen testing tools like Core Impact and Metasploit to pinpoint real exploitable vectors. All of these techniques should be in use as part of a structured security assurance process. Speaking of Metasploit, HD Moore's employer - BreakingPoint - is now sending out gear for reviews. Network Computing puts the BPS-1000 through its paces and it's pretty impressive. It can break your networking stuff. It also starts at $185,000, so it's not like Joey's Bag of Donuts is going to be taking delivery of one. But if you have to protect an environment where minutes of downtime are measured in millions of dollars of opportunity cost, then something like this makes sense. Is it a huge market? Nope. But it's definitely an interesting niche.

PKI waking from its NAP?
So what? - With Windows Server 2008 on the streets (or almost), now we are going to start seeing why upgrading is important. I think Microsoft proved with the Vista launch that security isn't really enough of an issue to push upgrades, but that was for client machines. Doing something to secure servers (where the important information is) certainly makes more sense to consider. You'll be hearing a lot about Network Access Protection (NAP), which is basically Microsoft's NAC approach. This SearchWindowsSecurity tip pokes a bunch of holes in NAP, mostly because of weak enforcement methods (like DHCP). But using NAP in combination with IPsec, does that change things? The concept is that if a certificate has been issued to a machine, then you can allegedly "trust" the client that is connecting to the network. It's still pretty porous if you ask me. Yet it gets back to NAC with unmanaged vs. managed clients. If your endpoints are managed, then you can install an agent and have more control. If they are unmanaged, IPsec isn't going to help. So once again, you need to think in terms of layers. That's a big change.

The Laundry List

  1. "Secure, accelerated access" is happening as the perimeter continues to integrate and evolve. The latest data point? A business development deal between Fortinet and Riverbed. - Fortinet/Riverbed release
  2. Zix is not dead yet, showing about $24 million in top line for 2007. They continue to burn cash, though a lot less cash than they have been burning. Are they turning a corner? Not unless the email encryption market turns that corner... - Zix earnings release
  3. How do you get the forensics mindset? Check out my monthly SearchSecurity column to find out. - Rothman SearchSecurity column

Top Blog Postings

Never sell past the close
We are all sales people. I don't care who you are and what you do, you are selling something to someone. Maybe it's your project team at work or your kids at home. If you are trying to persuade anyone to do anything, then that is a sales process. One of the best pieces of advice I ever got was: "Never sell past the close." That means once you have agreement from someone, SHUT UP. Don't talk anymore. Take your win and move on to the next battle. I must say that a couple of times a week to the Boss, once she's "convinced" me of something. Tom Evslin has a great series of posts about training the Nerd CEO, but the ideas (which also include "the power of silence" and the "first employees") are more universal. It's basically just good advice on how to deal with people. Now that you are convinced, I won't press my luck and sell past the close.
http://blog.tomevslin.com/2008/02/morph-of-a-nerd.html

Compliance is SUBJECTIVE
Anton makes a good point about whether there is a list of "exactly" what you need to log in order to be PCI compliant. There definitely is not. It's basically based upon the whims of the auditor/assessor who shows up. The process is totally subjective. The good news is that PCI is certainly more specific than any of the previous regulations, but it's by no means a firm checklist of things to do. Sorry, I know a lot of lazy practitioners would rather have a bunch of empty suits at the credit card companies tell them what to do. So you deal with this uncertainty by always focusing on DOING THE RIGHT THING to protect your stuff. Remember - security FIRST! Then your audit becomes more about defending and substantiating the controls you've put in place, rather than trying to compare to some mythical checklist.
http://chuvakin.blogspot.com/2008/02/must-do-logging-for-pci.html
