The Daily Incite - March 7, 2008

Submitted by Mike Rothman on Fri, 2008-03-07 09:48.
Today's Daily Incite

March 7, 2008 - Volume 3, #23

Good Morning:
17 years. Man, that's a long time. Let's see, if it's 2008, then 17 years ago was 1991. I was in my first year of employment at AMS (in Arlington, VA) working on a 200 person project building telecom billing systems. That was a long time ago. It's funny, I'm still in touch with a few folks from back then. Amazingly enough, a couple have made their way into the security field. Small world.

Remembering back to 1991 really puts 17 years into context for me and how much my life has changed in those 17 years. So you can't really blame a guy like Brett Favre for deciding to hang up his helmet after 17 years. It's not like I have 300 pound defensive linemen falling on me for 7 months out of the year. And I'm really tired. I can't even imagine what Favre feels like.

What a legacy the guy leaves behind. Every major QB record. Three consecutive MVP awards. A Super Bowl win (and another appearance). An ironman streak of 253 straight regular season starts (275, if you count the playoffs). He's going out on top, having his best season in years in 2007. Truly amazing stuff.

Yet, the thing I like most about Brett Favre is that he's a regular guy. Or he seems that way anyway. In the off season he's a farmer. He showed up to his retirement press conference in jeans. You know this morning he's back in Mississippi on a tractor doing some field work. There is no bling. Maybe he has a decked-out F150, but you don't see him as being the kind of guy who buys a Ferrari. And that's what's really cool.

Even more impressive are his charity endeavors. Sports Illustrated did a great profile of him last year naming him Sportsman of the Year, and what really resonated with me is the impact he's had on people. Another great example of a guy really giving back. When you heard him speak at the press conference yesterday, you got the feeling he knew how lucky he was. He didn't want to tempt the fates any more, so he said enough.

I'm a NY Giant fan, so I was happy when the G-men beat the Pack to march to the Super Bowl. But truth be told, if the Pack had won, I wouldn't have been that disappointed. I'm also a Brett Favre fan, like the rest of the country. He's going to lay low for a while and let the road rash of 17 years heal, but then I suspect he'll be back in the public eye - doing good for people. That's what regular guys, who find themselves in irregular circumstances, do.

Thanks for the memories Brett Favre. Have a great weekend.

Photo credit: Brett Favre uploaded by Maitri



Top Security News

What's in your bag, Mr. Social Engineer?
So what? - Interesting column here by Steve Stasiukonis (say that 10 times fast) on the tools he uses in legal (and ethical) social engineering engagements. I keep harping on the need to test all of your defenses and I'll keep on harping on that need until every company I talk to has a specific process centered around security assurance. This list of stuff gives you a pretty good indication about what social engineering is all about. Night vision goggles, lock picks, copper tubing, you name it - it's in the bag. Ultimately it's not about being elegant or pretty, it's about being effective and getting the job done. The folks that are trying to penetrate your defenses don't get paid unless they are successful, so they will be pretty creative to that end. It also means that we (as the defenders of the free world) need to be equally creative.

Vendors rallying around NAP
So what? - In the "of course they are" category is this NetworkWorld coverage of a bunch of vendors (Foundry, McAfee, Symantec, and others) that are climbing aboard the NAP (network access protection) bandwagon now that Windows Server 2008 has hit the streets. Let's remember the score here. As much as guys like me get a bit blinded by the cool metallic hue of my iMac looking back at me, 85%+ of the rest of the world is looking at Windows. That means 85% of the rest of the world will be connecting to our networks via Windows. All those Windows devices (even XP, when SP3 ships in March) will have a NAP client. So yes sports fans, that means if you are a NAC vendor, you need to support NAP. Will this help NAC adoption? Nope. The reality is that client support isn't one of the obstacles to NAC deployment. NAP will help a bit in supporting unmanaged devices, but that's minimal. Basically there is a bandwagon, so the security industry lemmings are jumping right on - like they always do.

Deal: Microsoft decides to U-Prove it
So what? - Microsoft is breaking out the checkbook again. This time buying Credentica's U-Prove technology. Huh? I hadn't heard of U-Prove either, but then again I'm far from being Captain Privacy. Though I hear Martin is being promoted, so now we need to call him Colonel Privacy. Evidently U-Prove allows users to only disclose certain and specific information during a web transaction. You can check out more about U-Prove on their site. Candidly, I don't get it - but that's because I don't feel like taking the 30 minutes I'd need to internalize what they are doing. Instead I'll draw a higher level conclusion. Technologies that help us to protect our identities are not markets of themselves, they are components of the underlying computing fabric. So Microsoft is doing a good thing by continuing to integrate technologies into their core operating systems and applications that can help protect information. In other words, I won't pay for it - but I'll be happy it's in the stuff I'm already using.

The Laundry List

  1. Must be Microsoft day, so I'll point to Michael Howard's post of his favorite security stuff in Windows Server 2008. There is also a link to the Security Guide in the post. - Michael Howard's Blog
  2. UTM hits the S of the SMB market. Linksys adds some Trend technology to do anti-spam and web filtering on the small business routers. For twice the price, mind you. - Cisco/Linksys release
  3. Websense announces the Prius of email security offerings, a hybrid SaaS and box based solution. Basically, this addresses the issue that SurfControl's Black Spider never did any outbound analysis in the cloud. But it's good marketing (to turn a liability into a hybrid thing), so that secret is safe with me. - Websense release
  4. Lancope tries to tie onto the SS Cisco by aggregating NetFlow data from its new ASR router. Is this an acknowledgment from Cisco that MARS actually has limitations? That would be novel. - Lancope release

Top Blog Postings

VCs and Recruiters - two sides of a tarnished coin
Reading RSnake's latest missive about security oriented venture capitalists and also recruiters made me cringe. I've got a lot of experience with both of these animals and I can tell you there are a lot of snake oil salesmen on both sides of that aisle. Maybe that's why they love RSnake. To be clear, there are very good VCs and very good recruiters. They do the right thing for the company and they add value (beyond money or headcount). But those very good eggs tend to get lost in a sea of shysters. I can't tell you how many people call me and basically want to siphon my brain and experience for free. It's not like a recruiter is sending me a finder's fee out of their $50,000 fee for placing a VP. When was the last time a VC peeled off some of their carry (which is in the MILLIONS even when they hit a crappy outcome) for the folks that helped them get there? Seriously. RSnake may not see it like this, but VCs and recruiters like to take. They take your contacts, they take your perspectives and they very rarely give back. A lot of people are nice to them because they think 1) at some point they'll need to raise money, so they better not alienate the VC, and 2) at some point they may need a job, so they better not alienate the recruiters. Well well well. I'm in a position now where I cannot see the need for either venture money or a job in the foreseeable future. So I'm going to call it like I see it. Be wary of headhunters or VCs asking for a "favor." Odds are it's all about them.
http://www.darkreading.com/blog.asp?blog_sectionid=403&doc_id=146975

Why are CIOs so misdirected?
It's very easy to point the finger at many dimwit CIOs and laugh at their general idiocy. They just don't understand security. They figure it's really just a technology thing, and as long as they are compliant they are good. James McGovern had a lot of good points in his post, which was then expanded by Hoff. LonerVamp also weighed in with some of his own. But here's the thing. No one (none of these three anyway) is pointing the finger where I think it should be pointed. And that is right back AT US. That's right. If your CIO doesn't get it, it's because YOU SUCK at telling it to him (or her). If your CIO is only thinking about security, and not risk - it's because you don't have the credibility to change his/her viewpoint. You can sit on your hands and whine about it, or you can get out there and start to change their perceptions - one person, one conversation at a time. There is no other way to do it. A CIO has a lot of crap to worry about. If they aren't taking security seriously or they aren't thinking along the lines that you think they should be thinking - that isn't their problem - it's yours.
http://rationalsecurity.typepad.com/blog/2008/02/mcgoverns-ten-m.html

Fail often, but fail fast (and hopefully cheap)
I'll let you guys in on a little secret. When I left my last job in August of 2005, I started working on a totally different idea. I knew marketing, and I knew the security reseller channel, and I also knew that the security VARs didn't know too much about marketing. So I came up with this idea called "Varketing," where I was going to do some marketing for the VARs, and also build up a content base which the VARs could use to produce newsletters to send out to their customers and prospects. So I built a plan, started working on some content, and then started talking to my contacts in the VAR community. What did I find? VARs don't really know what they don't know, and they certainly weren't going to pay a lot of money to do marketing. Most of them are sales folks and until they get big they don't do much marketing at all. They sell. Without a real market to target, I shuttered the idea and Security Incite was Plan B. The point? It's summed up in this Found+Read piece "Failure, A Step Toward Success." I fail at stuff all the time. I try to do it quickly and I try not to lose a lot of money doing it. There will always be some "idiot tax" involved in learning that something doesn't work - but I try to minimize that. I don't know any other way to find something that works than to screw a bunch of stuff up along the way. Don't sweat doing things wrong, it's part of the process.
http://foundread.com/2008/03/05/thought-of-the-day-failure-a-step-toward-success/