The Daily Incite - May 12, 2008

Submitted by Mike Rothman on Mon, 2008-05-12 09:19.
Today's Daily Incite

May 12, 2008 - Volume 3, #45

Good Morning:
The signs were ominous. I was awakened at 5 AM by a raging storm. Wind howling. Thunder, lightning. The whole nine yards. I waited for the inevitable cacophony of terrified children wanting the storm to stop. Not the best way to begin Mother's Day, the annual rite of passage where we celebrate those who brought us into the world.

Happy Mother's Day!

Yet, something was looking out for me on that early Sunday morning. I dozed back off with nary a whisper from the other 3 bedrooms. I wasn't about to argue.

I know I mention how lucky I am pretty frequently. Yesterday was no different. Both my Mom and the Boss' Mom (I guess I should call her the Boss squared) are in town for a Tuesday Dance recital. So for the first time, I think ever, both our parents were in town to celebrate Mother's Day.

Once the Boss awakened from her slumber, the kids presented her with the various arts and crafts they'd been working on. Some families go all out and buy all sorts of presents for these holidays. But not us. I think it's a lot more meaningful for the kids to spend a half-hour writing out a card and doing some artwork. I figure if they are going to write on the walls the other 364 days a year, at least let them write on paper for a day that matters. 

Then we took the kids to a Jumpy place with both Grandmas. The kids thought it was about them, but per Mother's Day rule, we tried to tire them out so they'd be a little passive at dinner. Keep that secret between us, OK? Unfortunately the kids were having none of that, so they were a bit rambunctious at the restaurant. And given the fact that we had 13 people around the table, I'm sure we made a terrible racket.

But it was all good. As I scanned the table, I was very thankful that both of our Moms are healthy and engaged with the kids. That we can get together and enjoy a good meal and just have fun. Which is what family celebrations are about.

Have a great day.

Photo: "May 14, 2006: Happy Mother's Day" originally uploaded by Matt McGee



Top Security News

Eating some WiFi dog food
So what? - Case studies are the most effective marketing communication pieces. For me anyway. Shiny bezels and flashing lights are cool. Demos can also illuminate points (if they are done well), but at the end of the day, hearing about how a company is actually using the technology to impact the business makes it a lot more real. So I enjoy the trumped-up stories about how a mega-tech is using its own stuff to do things better. This NetworkWorld piece on Microsoft's WiFi network is a case in point. A lot of organizations are scared to deploy WiFi to the masses because it can become a security issue. But there are ways to provide adequate protection, and the productivity benefits usually outweigh the risks. Of course, the MSFT folks missed a golden opportunity to talk about how they are deploying NAP to the nether regions (assuming they are) and how it's doing all sorts of good stuff, but I'm sure it won't be long before we see them beating the drum about that.

Security is not a reason to do something
So what? - It's funny to me that some folks insist on continuing to position security as an underlying driver for new architectural models. This Network Computing piece on desktop virtualization is a case in point. VDI (as it's called, I guess) is about delivering a desktop "on demand" and centralizing a lot of the provisioning and management of said endpoint computing infrastructure. Yet, the security advantages of this are a bit obscure to me. I guess if you are rebuilding the desktop every time, then you don't have to worry about Trojans (since they'd be blown away with every "reboot"), and ensuring a secure configuration would be easier as well, since the desktop is delivered as the admin wants it. But is that a reason to deploy VDI throughout your enterprise? Nope. The real driver (as with most things) is operational savings through better management. Any security benefits are gravy. I know we security folks need to feel important, and it's a blow to our self-esteem when time and time again it's proven that no one gives a rat's ass about security (until a breach, that is). But it is what it is. So learn a bit about VDI, because I do agree that it's going to happen. And get your nose into the process early, so the VDI infrastructure can be secure from the get-go. But don't be delusional and think it will happen because it adds better security to the mix.

"Secure Internet" my petootie
So what? - A lot of folks think I obsess over the words. Being a reformed marketer, I understand that the only thing most companies have from an external perception standpoint is the words. So when I see a press release headlined "McAfee delivers the Secure Internet," I toss my cookies, because those words are just wrong. Of course, I know how the game is played. I know bitching about this is just being naive, but it's still annoying to me. There isn't really anything new here from Little Red. Basically they are just announcing that the secure search offering they are doing with Yahoo will be available via a McAfee website and through the SiteAdvisor toolbar. I suspect Google is soiling their pants with worry. They are also taking the opportunity to launch a new "McAfee Secure" certification. As if there wasn't a big enough target on their heads already. It's not clear if this is a superset or a rebranding of the HackerSafe program, but it seems to be built on the same technology platform. Or maybe this is a more direct Qualys competitor. Got to love those clear press releases. I find these web site "certifications" to be a joke, but the data shows that customers routinely misplace trust in these seals, even though month after month, more of these "certified" sites are hacked and are shown to be vulnerable to things like XSS and CSRF. But in my naivety, I forget that most of the world doesn't read the tech trades (if they did, it wouldn't be such a crappy business). So even when these certifications are proven to be bogus, it just doesn't matter. It's mostly about security theater. I shouldn't forget that, even if I want to.

The Laundry List

  1. Web scanning as a service? Google finally relaunches the ScanSafe stuff Postini has been doing for a long time, and drops the price. This is right out of the anti-spam service playbook. - eWeek coverage
  2. Interesting post about applying agile development techniques to marketing. It helps when the CEO is driving the process, but another example of eating your own dog food. I'm sure it tastes yummy. - OnlyOnce blog
  3. Here is Part 2 of Sam Dekay's treatise on security awareness training, dealing with whether these efforts work or not. - BlogInfosec.com post
  4. Here is another post on security awareness. Tom Olzak talks about some metrics to measure awareness efforts. Is "employees do fewer stupid things" a feasible metric? - Tom Olzak blog

Top Blog Postings

Yes, virtualization vendors are responsible for security
I'm with Hoff and all the other folks who have been piling on the idiotic comments made by Citrix's Simon Crosby about how the virtualization platform vendors basically don't need to worry about security, since there is a third-party system to fix it. Dude, get out of the virtualization business and commercialize the time machine. I vaguely remember Jim Allchin making similar comments when Win XP was a mess and before Trustworthy Computing changed everyone in Redmond's tune about security. Personally, I'll restate something I said a while back. There shouldn't be a third-party market for "virtualization security." At this point, the virtualization platform vendors know security is important. They should be building it in. PERIOD. I get that VMware (and Microsoft) will play the game and provide interfaces for these other companies to plug in security modules, but that's more about protecting the status quo and not raising the ire of the anti-trust folks than it is about good business sense. Once again, I'm working to put myself out of a job, but it's the right thing to do. To have a new operating system (and the hypervisor is an OS) built today and NOT be secure is idiotic.
http://rationalsecurity.typepad.com/blog/2008/05/citrixs-crosby.html

Remember who we work for
Gunnar asks the question whether GRC is basically a load of crap (those are my words, not his), and takes a bit of a roundabout way to describe the issue. The fact is compliance is a pain in the ass for big companies, and a huge problem for small ones. I remember when I was at a certain pre-IPO company and we were ramping up for the public offering. The investments required in systems for financial controls (courtesy of your friends and mine, Sarbanes and Oxley) were onerous. And we had over 200 people. I can't imagine why a 13-person shop would need to do this. But scale aside, the point Gunnar makes at the end of the post is the right one. It's about survivability or availability or whatever you want to call it. It's about serving the business, NOT THE AUDITORS. If you protect information effectively (which is a key imperative for the business), then the auditors should be kept reasonably happy. And if not, screw them and fight them. Yes, the auditor can make your life a bit harder, but you don't work for them. Keep that in mind.
http://1raindrop.typepad.com/1_raindrop/2008/05/grc---to-be-or.html

Best advice for DLP - start small
I haven't poked the DLP folks in the eye in a while, so why not today? I'll even use the words of the Mogull, one of the card-carrying DLP-istas, to make the point. Rich does a good job of detailing two use cases for how DLP can (and should) work in your environment. The first is when you are trying to prevent credit card data loss (PCI anyone?) and the second is about preventing intellectual property theft. Both are legitimate uses for DLP technologies, and Rich takes you through how the roll-out can go. This is good stuff, but I think the summary is the best stuff of all. His first point is to "start small - with a few simple policies and a limited scanning footprint." I'm sure I'll hear from some of the vendors telling me how "many" of their customers were doing sophisticated blocking within a day of implementing the solution. Uh huh. Just because some folks do it doesn't make it right, or even the best thing. The Atkins diet comes to mind. Yes, it's possible to start fast, but it's not advisable. And if you disagree, take it up with the red-haired guy.
http://securosis.com/2008/05/01/best-practices-for-dlp-content-discovery-use-cases/