The Daily Incite - May 1, 2008

Submitted by Mike Rothman on Wed, 2008-04-30 15:24.
Today's Daily Incite

May 1, 2008 - Volume 3, #42

Good Morning:
I tend to be one of those hyper-connected guys. I don't do twitter, but besides that I don't really have email too far away and I can be found in my RSS reader a couple of times a day. I like to think I'm "in the loop." A lot of the time I'm not sure how healthy it is. At night, there are times when I have to specifically repress the need (dare I say addiction) to hit the iPhone slider and see what has accumulated in my inbox.  

Believe me, there isn't that much interesting stuff in my email. But I like to see it anyway. And it's a constant battle. I suspect many of you fall into that category as well, battling those same demons.

Thus, when I saw this post on Web Worker Daily about "Shut Down Day," I was intrigued. The picture to the left is called "Unplug for safety," but this concept is more about unplugging for SANITY. Can I actually shut down my machine(s) and not be connected? Yes, even my iPhone. For a full 24 hours? Is it possible?

The honest truth is that I don't know. But I'm going to try. It'll be easier for me for a couple of reasons. First, it's not like I'm trying to do this during the week. Saturdays are somewhat manageable and although I've been known to work a bit over the weekends, it's definitely possible for me to skip it.

Second, the Boss and I will be tied up all day at an event. And I mean all day. So now I have a fighting chance, since it would be a lot harder to unplug if I was in the house watching some crappy baseball game.

So we'll see how it goes. I'm kind of excited by the possibility of becoming the master of my domain again. I don't expect to need to unplug very often, but it will be nice to know that I can.

Have a great weekend.

Photo: "Unplug for safety" originally uploaded by mag3737


Top Security News

DEFCONs just want to have fu-un. DEFCONs just want to have fun.
So what? - When the s*storm hit last week about the new contest to come up with interesting ways around malware detection suites, I could only laugh. Of course, Cyndi Lauper's "Girls Just Want to Have Fun" was also thundering in my eardrums, because that's what this is about. In the immortal words of Sgt. Hulka, the AV vendors need to "Settle down, Francis." It's like the Pwn2Own contest at CanSecWest. Some folks will find some interesting holes and the vendors will patch them. Same deal here. Maybe the AV vendors are worried that the crazy kids at DEFCON will pierce the veil of their marketing hype. Maybe the big world of all those stupid lemmings will finally realize that any machine can be owned at any time by some rather mediocre hacking talents. We wouldn't want them to learn that now, would we? And I'll also punch a hole in the idea that there are already enough samples to keep researchers busy. Who knows, maybe with a minor financial incentive, the DEFCONs will find something interesting. Something (oh, the horrors) that we may not already know about. I'm good with this contest and I think these are valuable endeavors. First, you get kind-of smart folks trying to break things in a semi-controlled environment. Second, you are teaching these folks how to think like hackers, which is one of the first things that security professionals need to master.

NAC client game is over
So what? - Tim Greene makes a decent point (even if it was spoon-fed to him by MSFT PR folks) about the imminent death of the NAC client at the hands of the bundled NAP client. With Windows XP SP3 being deployed over the next few months (it takes a few months for these things to be widely deployed), the NAP client will be on most of the Windows devices out there. That means this idea of client vs. client-less is largely done. Of course, it's been a moot argument for quite a while since the answer has always been both. For some managed devices, a client makes sense. For other devices you don't control, you need a client-less option, and pretty much all the NAC vendors can do both. We could split hairs about dissolvable agents vs. Nessus-based plug-ins vs. ActiveX, but it's all the same to me. If I put on my Stiennon suit, does that mean I'll trust the endpoints any more than I did before? Of course not. I still need to verify who they are, and more importantly, monitor what they are doing. Just in case. But having the client out there can't really hurt NAC adoption. I'm not sure it's going to help either. Hold that thought for a few seconds...

NAC less interesting to users, which may be a good sign
So what? - It's funny in that every market goes through a series of phases. Jim Rapoza gets it mostly right in this eWeek slideshow. My classic "Farce of Market Sizing" post from back in 2006 hits the same topic, but from a different angle. And NAC as a market has certainly gone through a bunch of phases. This latest NWC reader survey about NAC doesn't bring good news on the surface. Fewer customers are interested in NAC this year than last year. Isn't that bad? Maybe not. Given the macro-economic backdrop, I suspect most users are focusing on those projects they absolutely need to get done, and the ones that are a bit less critical get put on the back burner. At least it seems the users are being honest with themselves about where NAC falls on the priority list. But this isn't really bad, it's natural. There is no question that the concept of LAN security (bigger than just NAC, more about campus network evolution) will take root. The question is when. I think if the hype around NAC deflates a bit, then folks can think a bit more rationally about how best to move towards a secure LAN environment. Which is really what they should have been thinking about all along.

The Laundry List

  1. Learn about Stiennon's new gig. Ask him to bring back a koala when he goes to visit the mother ship. - NetworkWorld coverage
  2. NetworkWorld jumps into the time machine and goes back to when Voltage first introduced IBE. A PKI without keys? How novel! And it's irrelevant how it actually works. Slow news week, I guess. - NetworkWorld coverage
  3. Prevent online theft? Authentium claims their SafeCentral "prevents" malware. Big claims for sure, and seems too good to be true. - Authentium release
  4. Secure Computing also asks us to jump into the time machine and forget that pretty much every other security vendor runs their stuff in a VM image now as well. The good news is that I don't forget. - SCUR release

Top Blog Postings

PCI: DOA in UK?
James T. Newby gets on his Trek suit (don't know if they make 7-foot-tall Captain Kirk costumes) and talks about some of the differences between how security companies are marketing in the UK vs. the US. It's nice to see I have more to like about the UK than room-temperature pints of ale. I hesitate to call the Brits more enlightened (Boston Tea Party, anyone?), but being a smaller market with less desperate competition (and presumably a less noisy security market) they seem to have gone through the cycle a lot faster than in the US. I don't need to rehash my recent ranting, but I've hardly talked to anyone in the space over the past two weeks who hasn't wholeheartedly agreed with my contention that Easy PCI marketing is a sham. Yet, if everyone is agreeing with me, why do I expect to continue seeing these ridiculous positions and claims for years to come? Basically because I've seen the movie before, and as long as there are customers that want to believe, the vendors will be there to feed them a plate of crap.
http://robnewby.blogspot.com/2008/04/captains-blog-supplemental-pci-is-dead.html

Endangered species - The CISO
Since I'm piling on many of my positions today, let's go over another one, which is the inevitable demise of the security "role" in an organization. Stuart King talks about his experiences in a mock trial of the CISO at Infosec that resulted in the CEO and CIO going to the big house. I guess that would be the mock big house with the mock Bubba pounding the mock CEO in places where the sun don't shine. But nasty imagery aside, the point is the point. I suspect we'll see the demise of the CISO first in the mid-sized businesses, and then we'll get a very Innovator's Dilemma evolution, where the security role will generally be subsumed higher and higher up the F5000 chain. Do I think the CSO of a Fortune 50 company goes away? Nah. Those organizations are so big and so complex that there will always be a role for a new CSO every 18 months to take the fall when someone on the ops team screws something up.
http://www.computerweekly.com/blogs/stuart_king/2008/04/on-trial-role-of-the-ciso.html

Hands-off Pwnage
In yesterday's P-CSO newsletter, I did a little thinking out loud about staging a data breach and using it as a means to educate the employee base about what they can and can't do. Another key education mechanism is the idea of phishing your own folks and getting them to click on links and go to sites that they shouldn't. Of course, as long as they are sites you control, it's all cool. And as long as you use the opportunity to instruct, it's even better. Ed Dickson talks a bit in this post about some of the nastiness that's out there nowadays. So maybe after you get a set of your employee dimwits to click on a bad link, you hammer the message home with a little video to show just how easy it is for people to be compromised. Even good people. I think this two-step 2x4 educational mechanism may have a better chance than most run-of-the-mill user awareness training. This is a topic I'll cover in a bit more depth next week.
http://fraudwar.blogspot.com/2008/04/nowadays-all-you-need-to-do-is-visit.html
