The Daily Incite - February 25, 2008

Submitted by Mike Rothman on Mon, 2008-02-25 10:38.
Today's Daily Incite

February 25, 2008 - Volume 3, #18

Good Morning:
How many folks can you call when you get into a jam? Seriously. Folks that will drop everything to help. You kind of wonder, but you never really know. Until you need to know. I had to know on Thursday and Friday of last week, and I was overwhelmed by the answer. 

I guess I should provide some context. Our best friends from MD lost a parent last week. It was expected, but it still sucked. The Boss wanted to be there for the service on Friday morning and to help out with all of the events that need to be staged, catered, and cleaned. For some reason Jews think they have to have at least 3 days of solemn gatherings to properly mourn. So you need to buy a ton of food and have people in your house for days, which is the last thing you want to do when you've just lost a loved one. But there was a pretty serious fly in the ointment. I was traveling and couldn't physically get home before Friday morning.

So we made a few calls and found 3 separate families willing to take one of the kids on Thursday night. Note this was on about 2 hours notice and all of these folks have their own kids and crap to take care of. But every single call we made was met with a "no problem, when are you dropping them off?" Unbelievable.

But it gets better. I was supposed to be home around noon on Friday, in plenty of time to collect the kids and get things back into the normal routine. That was SUPPOSED to happen, but a combination of the horrible Hertz NeverLost interface and my own stupidity put more flies in the ointment. Instead of being directed to the right airport with an hour to spare, I was directed to the wrong airport with 50 minutes to spare.

That's the issue with those nav systems. I'm a big fan, but there is a tendency to stop thinking when you have the "voice" telling you where to go. I thought I entered the right destination, but I didn't. OH CRAP! When I finally did resume my thinking, I was 50 minutes from the airport - and 60 minutes until my flight was taking off. It didn't look good and it wasn't. I missed the flight, which turns out to be a very bad thing on a Friday when there is bad weather in the Northeast. 

I was lucky to get another flight on Friday and I still had the issue of what to do with the kids. So I got back on the horn. I called some of our friends and family and they came up big. My sister-in-law picked up Leah at the bus and hung out until another friend could pick her up for a sleepover. We had someone else pick up the twins at pre-school and do a play date until I got back (about 8 PM after delays and the like). The kids had fun and they never even knew the depths of their Dad's stupidity.

When I called and said "I'm in a jam," each one said, "What can I do to help?" No hesitation. No thinking. No worrying about their tennis lesson or coffee appointment or anything else. They were just concerned with what they could do to help. Of course, I would do exactly the same thing (and have), but it's still mystifying to me when other people are willing to do that for us.

Those were hard calls for me to make. I'm not one to ask for help. But it's really great to know that when I need it, people that we care about are willing to step up big time. It's all too easy to take these kinds of relationships for granted. I was guilty of that. But I learned a lot of important lessons last week. First, a nav system doesn't give you the right to turn off your brain. When I started learning how to build things, the old adage was "measure twice, cut once." Evidently you should check the destination twice before you let the nav system direct you.

Second, when someone calls and needs a favor, just say yes. Unless it's not humanly possible to help out, you say yes. You never know when the shoe will be on the other foot. So I've got some homework for you today. Call up 3 good friends and thank them. For nothing in particular, just thank them for dealing with your idiosyncrasies and being there when you need them. They'll be surprised and pleased, and you will be too. It's not that hard, and it means a lot.

Have a great day.

PS: This week we'll finish up the Days of Incite. Look for #7 later today.

  1. Express Your Inner Bean Counter
  2. It's time for an audit revolution
  3. Best of Breed DOA
  4. Weaving security into the network fabric
  5. Night of the Internet Dead
  6. Laptop encryption hits the big leagues



Top Security News

How do you spell xenophobia?
So what? - Last week 3Com and Bain held up their hands and gave up their attempts at the buyout transaction, scuttled (at least publicly) by the US Government's objection to Chinese vendor Huawei's presence as a minority investor. This all seems a bit fishy to me. Stiennon draws some comparisons to the Check Point/Sourcefire deal, but realizes both of these situations are all about politics. My boy Richard was one of the only voices saying CHKP/FIRE was a bad deal, but it wasn't about the threat of the Israelis controlling Snort. He just thought it was a crappy deal on fundamental terms, which gets back to Richard's long-standing disdain of anything IDS. Given FIRE's two blown quarters right out of the gate, he's not wrong. 3Com's deal falling apart is different. It's largely because of Huawei, but in reality Bain could easily have written a check for the additional investment and taken Huawei out of the deal, if they wanted to close it badly enough. Clearly they didn't, so they didn't. I'm not going to get into a debate about whether Chinese companies can be trusted owning US technology assets. The reality is they already do. Where do you think a lot of the capital that funds our trade deficits comes from? Every big tech company is crawling all over itself to figure out how to sell more to China. The technology is already there. The US Government's hurdles for foreign ownership of technology assets are now too high, and that means a reasonable exit path for a lot of companies is now out the window. Play out the thread a bit more and it will have a chilling effect on investment (since liquidity is now that much harder to come by) and ultimately on innovation. It's a global world now, folks. If global capital can't find a home in the US, it's going to find a home somewhere else, and that isn't good for American competitiveness.
Link to this

VMware desktop vulnerability found - start your hype engines
So what? - The folks at Core Security found another attack vector in the shared folder capability of VMware's desktop products. The attack allows a malicious program running inside a guest to break out of the guest and reach the host's file system through the shared folder feature. VMware hasn't fixed the problem yet; instead it recommends that customers simply disable shared folders (which, to be fair, is the right mitigation in the meantime, since a guest that can't see host folders can't traverse them). But the real question is more fundamental: how long will it be before real 0-days start showing up targeting hypervisors? And does that mean all of this noise about virtualization security will become more than just noise? Basically I'm not there yet. I do believe that the hypervisor is an operating system and thus needs to have all the protection and process required to keep that operating system secure. I also believe this is a problem that VMware should be solving. If Microsoft were starting to build Windows from scratch, knowing what they know today, do you think there would be an AV market? So I'm still skeptical there is a long-term market for "virtualization security," though I do know that our virtualization needs to be secured.
Link to this

Can Google be trusted with health records?
So what? - You do have to hand it to Google; they are definitely throwing a lot of crap against the wall to see what sticks. The latest effort is partnering with the Cleveland Clinic to pilot a system that allows the sharing of patient medical records. Of course, the privacy hounds are barking at the moon, and it appears that moving your health records to a third party (not a healthcare provider) gets around HIPAA privacy requirements. Who cares? It's not like HIPAA has any teeth anyway. The reality is you can't really manage your own health care records even if you wanted to. They are spread out among a variety of providers and getting a comprehensive view is near impossible. So if Google gets involved, it will spur innovation and eventually (after 3-5 iterations) we'll get to something that works for a majority of the patients out there. John Soat has an interesting perspective on his InformationWeek blog. Unfortunately the innovation process is messy. Things will be done wrong, and people's information will be compromised. It'll be sad. But it needs to happen because there is no other way to do it. It will take years to gain consensus on how much privacy is enough and how those records can and should be used. That's years we don't have. My take is bravo to Google and the Cleveland Clinic for trying. I'm looking forward to 5 years from now, when we are a lot closer to the right answer, so I can take control of my own medical records.
Link to this

The Laundry List

  1. Vasco announces quarter, misses numbers as deals are delayed, Street hates it, stock falls. Seems to be a trend. - Vasco earnings release
  2. Blue Coat announces strong quarter and maintains guidance. Street hates it, stock falls. Damned if you do, damned if you don't. It's fun being a public company, eh? - Blue Coat earnings release
  3. NAC gets a bad rap? I don't think so. The NAC vendors are reaping what they sowed. Hype cuts both ways. - SearchSecurity coverage

Top Blog Postings

The quicksand of database encryption
The Mogull and his bionic shoulder are starting a multi-part, multi-level analysis series on database encryption. It's pretty complicated stuff, and the only thing DBAs hate more than security people is security people who want to mess with their databases. Understanding why you are thinking about DB encryption is a critical first step. But I'll add one additional layer of complexity, especially to the idea of DB encryption to facilitate separation of duties (and protect content from administrators, compromised machines, etc.), and that is the compensating control. Most organizations think about DB encryption because there is a compliance gun to their heads, not because they have nothing better to do and DB encryption seems like fun. With PCI's compensating controls clause, these same organizations will be able to put alternative defenses in place to achieve largely the same goals. I suspect there are only a few legitimate use cases where DB encryption is going to make sense, but we'll leave that to the Mogull to say, since that is his bag.
http://securosis.com/2008/02/12/introduction-to-database-encryption/
Link to this

FDE has DLP in an arm bar
Who would win if the data leak prevention market got in the Octagon with full-disk encryption? I feel compelled to steal the thunder of my Day 9 of Incite post (on DLP) because Chandler does a great back-of-the-envelope calculation that shows why full-disk encryption makes a lot more sense in the short term than DLP. It's all about assessing the real risk to your organization and comparing that to the cost of deploying a solution. I could belabor the point, but this really says it all: "DLP costs more, reduces risk less (including some specific, high-profile regulatory risks), is much harder to implement, much costlier to support, and at the end of all that, is less likely to actually make a difference in our losses (IMHO)." Once again, Chandler is right on the money. Farnum also has some thoughts on the DLP market, and he still has a lot of questions about the ultimate value proposition of the technology. He's not alone.
http://thurston.halfcat.org/blog/2008/02/20/bote-analysis-of-dlp-vs-full-disk-encryption/
Link to this

Get out of the excuses business
Michael Howard (one of the leaders of Microsoft's SDL initiative) has a great post here about what it takes to really adopt a secure software development process. Basically the entire organization needs to change, and the only way that happens is by a top-down edict. If excuses are tolerated, then very little progress will be made. In Microsoft's case, it was Bill Gates telling everyone they are going to change or they can find somewhere else to build software. Ultimately it's a cultural thing. Secure software doesn't get built by hoping it will be secure or by making excuses as to why some changes aren't being made. Every software company can and should learn a lot from Microsoft's journey, because those who don't remember history are bound to repeat it, and I suspect a lot of software companies are going to learn that lesson the hard way.
http://blogs.msdn.com/sdl/archive/2008/02/21/the-first-step-on-the-road-to-more-secure-software-is-admitting-you-have-a-problem.aspx
Link to this

Recently on the Security Incite's Blogs

Find out what Security Mike is talking about
http://sm-blog.securitymike.com

Check out the latest on the Security Incite blog
http://blog.securityincite.com/

Read the most recent Daily Incite

http://securityincite.com/security-incite-rants/daily-incite