The Daily Incite - March 31, 2008
March 31, 2008 - Volume 3, #32
Good Morning:
Just got back from a boys weekend with my college buddies. It was a lot
of fun and we had a lot to celebrate. Most of us have turned (or are
turning) 40 this year, and we still try to get together once a year and
get back to the old (bad) habits. We are all family guys, with at least
a spouse at home - but once a year we step into the time machine and
carry on like frat-boys. Staying out most of the night, running up a
pretty scary bar tab, pulling each other out of potential rumbles with
guys half our age - you know the deal.
The first night is always a blow-out. And the second day is painful. Very very painful.
You know it's bad when you lie down to take a morning nap and you feel
like you are on a merry-go-round - without the cool horses. But it's
not like I don't know how to ride out a hangover. I'm just out of
practice and that's a good thing.
I also fell off the wagon with my eating over the weekend. The best are
the late night (I mean early morning) trips to either Krystal (yes, we
were in the South) or a hot dog stand. I say the best because the food sure tastes good at the
time. When it's eating away at your intestines for the next 24
hours, not so good. But it's all part of the ritual of remembering why
you aren't an adolescent anymore, and that maturing is actually a
positive thing.
A weekend away is nice twice or three times a year. I'm thankful the
Boss lets me go on these little excursions. It's great to reconnect
with my oldest friends and catch up on each other's victories and also
our defeats. You can't replace all the shared history I've got with
these guys. They've seen me (and I them) at their best and their worst.
But I will say I was certainly happy to get back home. Happy to be back
in my routine. Happy to see the wife and kids, and they even seemed
happy to see me. So I'll take it.
So now it's time to get back on the wagon. Tighten up my food intake.
Get back to the vegetables and salads I now crave. Let my liver
recover a bit. Hit the gym a few times this week. And most
of all, rest up. Because next week is RSA and I get to do it all over
again.
Have a great day.
Photo: "Even Heroes Fall off the Wagon" originally uploaded by TCM Hitchhiker
Technorati: Information Security, CSO, Security Mike, Internet Security
The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com
Get Your Special Report: 6 Easy Steps to Protect Your Identity and get access to Security Mike's Portal today www.securitymike.com
Top Security News
TJX gets 20 to life - snore
So what? - TJX settled with the Federal Trade Commission last week
and got 20 years of scrutiny because they admitted to doing all sorts
of nasty things that resulted in the data breach. Let's be clear, the
settlement is crap. It's all about the FTC saving face and feeling like
they got a pound of flesh. In reality, maybe they got a dried-up scab.
TJX now needs to do difficult things like have someone accountable for
security. They also have to do risk assessments. There are three other
things in there too, like "Evaluate and adjust their information security programs to reflect the results
of monitoring, any material changes to their operations, or other
circumstances that may impact the effectiveness of their security
programs." Is this a joke? Basically, TJX agreed to do
security for the next 20 years under the watchful eye of the FTC,
all of which they need to do anyway if they plan to accept credit cards
(PCI still applies to them). And to think the FTC actually assigned people to
extract these concessions, and these folks probably think justice is
served.
Link to this
Full disk - isn't it built in?
So what? - Given the continued focus on data breaches, it's not surprising that full-disk encryption
solutions continue to garner a lot of attention from customers. I dealt
with a lot of the fundamental drivers for that in my 2008 Incite on the
topic [link]. This profile in Information Security Mag
details how a customer got the funding and deployed the solution. It's
an interesting read, but the reality is that the FDE category will do
OK this year from a growth perspective, as the rest of security turns
out to be pretty weak. But can't customers just use the built-in tools
in Windows and Mac OS X? The answer is yes, but not yet. To make FDE
useful you need a centralized policy that can be enforced and then
audited to show the control is actually in place on every machine
(plus somewhere to escrow recovery keys, or the first forgotten
passphrase turns into a data-loss incident of your own making). Fact is, neither BitLocker
(Microsoft's attempt) nor OS X's FileVault (which at this point encrypts
only the user's home folder, not the whole disk) is there yet. Tony
Bradley points out some issues with the first implementation of
BitLocker here as well.
But if anything, Microsoft will improve it, iterate it, and plug it
into other management hierarchies, and in a couple of years it'll be the
bulk of the market. That's just how it plays out.
Link to this
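To make the "centralized policy you can audit" point concrete, here is an added example (mine, not code from the original post, from Microsoft, or from the Information Security Mag profile). It assumes you have already collected the text of `manage-bde -status` from each Windows machine; the parser is written against the layout of that command's output (field names can differ across Windows versions, so treat the regexes as an assumption to check against your own fleet), the two reports are constructed samples, and the policy (TPM-bound key plus an escrowed numerical recovery password on a fully encrypted OS volume) is a hypothetical one, not anything the page prescribes.

```python
"""Fleet audit of BitLocker status reports (added example, not from the original post).

Input: the text of `manage-bde -status` collected per host. The layout below is
modelled on that command's output; field names are an assumption to verify
against your Windows version. Both reports are constructed samples.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a laptop that meets the (hypothetical) policy.
REPORT_LAPTOP_A = """\
BitLocker Drive Encryption: Configuration Tool
Copyright (C) Microsoft Corporation. All rights reserved.

Volume C: [Windows]
[OS Volume]

    Size:                 74.43 GB
    Conversion Status:    Fully Encrypted
    Percentage Encrypted: 100%
    Encryption Method:    AES 128 with Diffuser
    Protection Status:    Protection On
    Lock Status:          Unlocked
    Key Protectors:
        TPM
        Numerical Password
"""

# Constructed sample: encryption was started but never finished, protection is
# off, and no recovery password was ever created (so nothing could be escrowed).
REPORT_LAPTOP_B = """\
BitLocker Drive Encryption: Configuration Tool
Copyright (C) Microsoft Corporation. All rights reserved.

Volume C: [Windows]
[OS Volume]

    Size:                 74.43 GB
    Conversion Status:    Encryption In Progress
    Percentage Encrypted: 61%
    Encryption Method:    AES 128 with Diffuser
    Protection Status:    Protection Off
    Lock Status:          Unlocked
    Key Protectors:
        TPM
"""

SAMPLE_REPORTS = {"laptop-a": REPORT_LAPTOP_A, "laptop-b": REPORT_LAPTOP_B}

# Hypothetical policy: TPM-bound key plus a numerical recovery password
# (the one you escrow centrally) on every volume the tool reports.
REQUIRED_PROTECTORS = {"TPM", "Numerical Password"}

VOLUME_RE = re.compile(r"^Volume (\w:) \[(.*)\]")
FIELD_RE = re.compile(r"^\s{4}([A-Za-z ]+):\s*(.*)$")


@dataclass
class VolumeStatus:
    letter: str
    label: str
    fields: dict = field(default_factory=dict)
    protectors: list = field(default_factory=list)


def parse_status(text):
    """Parse one manage-bde -status report into a list of VolumeStatus."""
    volumes, current, in_protectors = [], None, False
    for line in text.splitlines():
        m = VOLUME_RE.match(line)
        if m:
            current = VolumeStatus(m.group(1), m.group(2))
            volumes.append(current)
            in_protectors = False
            continue
        if current is None:
            continue
        # Protector names are listed one per line, indented under "Key Protectors:".
        if in_protectors and line.startswith("        ") and line.strip():
            current.protectors.append(line.strip())
            continue
        m = FIELD_RE.match(line)
        if m:
            key, value = m.group(1).strip(), m.group(2).strip()
            in_protectors = key == "Key Protectors"
            if not in_protectors:
                current.fields[key] = value
            continue
        in_protectors = False  # blank line or anything else ends the list
    return volumes


def evaluate(text):
    """Return a list of policy findings for one host; an empty list means compliant."""
    findings = []
    for v in parse_status(text):
        conv = v.fields.get("Conversion Status", "")
        prot = v.fields.get("Protection Status", "")
        if conv != "Fully Encrypted":
            findings.append(f"{v.letter} conversion status is '{conv}', not 'Fully Encrypted'")
        if prot != "Protection On":
            findings.append(f"{v.letter} protection status is '{prot}'")
        missing = sorted(REQUIRED_PROTECTORS - set(v.protectors))
        if missing:
            findings.append(f"{v.letter} missing key protectors: {', '.join(missing)}")
    return findings


def audit_fleet(reports):
    """Map hostname -> findings, so the auditor sees exceptions rather than a pile of raw output."""
    return {host: evaluate(text) for host, text in reports.items()}


if __name__ == "__main__":
    for host, findings in audit_fleet(SAMPLE_REPORTS).items():
        print(host, "OK" if not findings else "; ".join(findings))
```

The point of the example is the shape of the control, not the regexes: "encryption is turned on" is three separate questions (is the conversion finished, is protection actually enforced, and can you recover the data without the user), and a policy that only answers the first one will pass the machine that later costs you the data.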
Air hacked in 2 minutes - why are you surprised?
So what? - Last week everyone was aflutter about the MacBook Air being owned in about 2
minutes via a Safari flaw at the Pwn2Own contest. It makes for good news, especially
given Apple's stance that they are more "secure," but it doesn't mean
anything. There are flaws in software, period. Both Apple's and
Microsoft's, and lots of third parties as well. Vista was compromised
also, but it took a bit longer and it went through a flaw in Adobe Flash rather than the OS itself.
Again, big deal. Everything is vulnerable. Notice that all of these
exploits require the user to navigate to a malicious or compromised web site for a
drive-by attack. Which is a legit vector, since users do stupid things
and click on links they are not familiar with. How about that incident
response plan? You can check out my SearchSecurity tip on IR to get
some ideas on how to get your own where it needs to be.
Link to this
The Laundry List
- Network Computing has a love-fest review of Palo Alto. I guess PA did a private concert with Chuck Point and June Iper to get on NWC's good side. - Network Computing review
- Montego sort of launches a virtual switch to route traffic to security devices. Yet another company to secure the virtualized environment. You'll be seeing a lot of those at RSA next week. - SearchSecurity coverage
- Podcast appearance: I chat with Mitchell about Microsoft security stuff. - Converging on Microsoft podcast
- Another podcast: I talk to Kevin Beaver about pen testing in this month's ebizQ podcast. - The Mike Rothman Security Report
Top Blog Postings
Insurance companies will not drive security
Interesting thought process here by Daniel Miessler speculating about
an eventual play for insurance companies in evaluating the
effectiveness of security products and how end users actually deploy
them. I chatted a bit about cyber-insurance recently, but the reality
is that there just isn't enough data to really provide these hard,
actionable metrics that Daniel is talking about. And the insurance
companies don't seem to be focused on gathering that data in any real
way. Accurate pricing of premiums is all based on understanding both
financial impact and frequency of successful attacks. The insurance
companies can tell you how often some jackass will slip in the
supermarket and how much it will cost them in medical claims. They also
can tell you how likely the victim will be to get a settlement from the
store and how much that will be. Do you know how much a simple firewall
breach will cost? I guess that depends on whether the attackers can
compromise the back-end databases, and for how long. How often does
that happen?
I guess I'm being Mr. Wet Towel on this
because I know it's hard. I agree with Daniel that it would be great if
we had an objective party (the insurance companies don't care as long
as their premium clears and they don't get killed on claims) that could
verify which products and practices work and demonstrably reduce risk.
But until then, we get stuck with the marketers telling us how great
their products are.
http://dmiessler.com/blog/information-security-as-insurance
Link to this
Have we been doing metrics all wrong?
Warren Axelrod rants a bit on the bloginfosec and points to a bunch of
resources to get our arms around this metrics morass. This quote says
it all: "The bottom line is that the
most common and easily obtained security metrics tend to be the least
useful, and those that might be the most useful, require much greater
effort for them to be measured." Which is true, but not
necessarily relevant. I feel a bit schizophrenic on metrics. I know we
need them and I know you don't get there overnight. So part of me wants
folks to get into the habit of counting something, basically anything,
and then moving towards those more relevant metrics over time. But that
feels a bit like a cop-out. The reality is that we need to get a bunch
of smart people together and have them agree on what is relevant and
useful. I suspect we'll make some great progress on that in the near
term. Let's say a little birdie told me about some activities like this
ramping up.
http://www.bloginfosec.com/2008/03/19/metrics-a-measure-of-security/
Link to this
Spending drivers for security
Thankfully Amrit has started writing again. Given most of the security
bloggers are in the middle of their pre-RSA hibernation, at least
someone is out there making us think a bit. This piece has to do with
the spending drivers for security and also some non-spending drivers.
There are lots of reasons that our organizations don't want to spend on
security. Those aren't interesting. I want to home in on the reasons
why we should spend. Amrit posits that a security incident, compliance
or availability are really the only buying catalysts. For the most part,
he's right on the money. But any of these drivers are still based on
one intangible, and that is credibility. If a security professional is credible in the eyes of
his/her senior management, then they will get some leeway to protect
what needs to be protected. Within reason, of course. Now you gain
credibility by addressing issues that fall into the other buckets, most
often availability (and I've ranted about that hundreds of times). Most
of all you need to say what you are going to do and then do it, over a
long period of time. You don't get to sit at the table overnight. You
can't change your culture overnight either. You need to chip away at
it. One issue at a time. One victory at a time. It's not an easy path,
but it's the only one I know that will get security the visibility it
needs in the organization.
http://techbuddha.wordpress.com/2008/03/17/why-should-it-spend-on-security/
Link to this
I am going to need some more details than are publicly available, such as who was there and where did you go?
MAG