The Daily Incite - May 20, 2008

Submitted by Mike Rothman on Tue, 2008-05-20 10:09.
Today's Daily Incite

May 20, 2008 - Volume 3, #49

Good Morning:
Darwin was not wrong. He may not have been right about everything, but when it comes to natural selection - he was right on the money. It's all about adapt or die. We see it every day. In your business, in your life - if you can't see what's happening and act accordingly, it doesn't work out too well for you. Yet, if you can embrace the changes and you get pretty lucky - then you can prosper in the new world order.

I bring this up because this is my summer of concerts. The Boss and I do see a lot of live music. We live pretty modestly, but do enjoy seeing great bands play great music. Tonight I'm going to see the Eagles, and later on this summer I'll see Chicago and the Doobies, Steely Dan, Rush, Boston/Styx, R.E.M., and probably a bunch of others. If I wasn't traveling a bit over the summer, Dave Matthews and Tom Petty would be on the list as well.

Let's just say TicketMaster loves me.

We do see some contemporary acts as well, but there is nothing like seeing a skeleton with a guitar get up there and play songs I know every word to. And for that I pay a princely sum.

These artists from the 70s and 80s have adapted. Most haven't had a "hit" on the charts for years. But they sell out concert halls at $150 a ticket. Guess where the money is in music nowadays. You have bands giving away their music, if only to stimulate demand for their shows. I know, I know. None of this is new. Bands like the Dead, Phish, and Widespread Panic have used this model for years. And it's worked for them.

And the record companies sit there and haven't adapted. They've sued the crap out of housewives in Wichita and college students in Bakersfield. Even high schoolers as well. Their business has been upended and they haven't adapted. Right, it's ugly and it's going to get even uglier.

The Eagles distributed their last album exclusively through Wal-Mart. That was a pain, since I like to get my music from Amazon, but evidently WMT is paying the band 4 TIMES the royalty payout on each unit. So they'll sell 25% of the number of albums as their Greatest Hits packages, and make just as much. And by the way, Wal-Mart also makes more per unit because they don't have to cut in the record company on the deal. That's called a win-win, unless you are the record company.

But some companies are adapting and bringing new models to the music business. Folks like LiveNation, who have no issue making 9-figure commitments to lock in touring revenue from artists (like Madonna and Jay-Z) that will put asses in seats. Will it pay off for LiveNation? Time will tell. I can only say I'd rather be on the concert side of the business than in the recorded music business. I personally will spend 20x the amount on concerts this summer as I will on recorded music.

How does that apply to security? I'm not sure. I don't study these other industries and markets because I think everything is directly related to my day job. Although there have been a number of times that I've been able to relate a problem in the security business to something I've seen in another industry. If you are one-dimensional (all security, all the time) then you can't have that perspective.

So fire up iTunes, renew your subscription to Fortune, expand your brain a bit and have a great day.

Photo: "Phil and Justice love to play Califone" originally uploaded by benprks


Top Security News

Hope that fire alarm has good batteries
So what? - Ryan Naraine (back on his Zero Day perch) brings up some interesting perspectives on Web 2.0 disclosure. He uses an example of a bug in Zoho Writer to illustrate the need (or maybe the lack of need) to disclose when personal information may have been exposed. First of all, how is Zoho going to know when someone has private information in a specific document? Second, if you store your personal information in the cloud, and it doesn't have like 15 layers of security (like the my1password service), then you are an idiot. These online word processors are wonderful for collaboration - but if I'm doing something really sensitive, then I use friggin' Word and I password protect the document. But back to disclosure, given that a lot of stuff is going to be in the cloud over time. I have mixed feelings, because I know many of us are already numb to the constant flow of data breaches. If you start sending out alerts every time you fix a bug (without confirmation that it's been exploited), then we are going to start ignoring them. Yet, on the other hand (there is always another hand, isn't there?), people have a right to know. So basically, we are right back where we started: a murky vulnerability disclosure discussion. And I suspect we'll have a similar outcome. These issues will be disclosed in the press and on blogs, and the service providers will respond.
Link to this

All praise the big disk in the sky
So what? - One of the hallmarks of this new Web 2.0 architecture is that you really have no idea where your data is. In the old days (like 3 years ago), you could be pretty confident it was in a co-lo, probably attached to the servers that were running the application. Nowadays, the data is just as likely to be sitting in an Amazon S3 data repository as anywhere else. Is this a good thing? Of course it is; who wants to remain in the buying and managing storage spindle business? But there are risks and considerations that need to be thought through. This NetworkWorld piece starts to bring up some of the discussion points. Of course, security is always the afterthought, but you, being the forward-thinking TDI reader that I know you are, can get out ahead of it. Basically, you can't be sure anything is secure in the cloud, so that means you have to secure it yourself. That means building your applications with some semblance of data protection. Yes, it's hard to do and yes, it's a bit more expensive than just doing nothing. But ultimately, if you can't prove your data hasn't been tampered with and that it isn't open for anyone to steal, then I suspect your auditor may have a bit of an issue with that. Over time, I do believe the storage service providers will get this done (since it's certainly in their best interest to take this objection off the table), but in the meantime, if your app folks are looking at storing data in the cloud - you probably need to have a clear conversation about how that will impact the data security plans.
Link to this
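The "secure it yourself" advice above, as an added example that is not from the original post: a client-side integrity layer that lets the application prove an object fetched back from a storage service has not been modified or swapped for another object. It uses only the Python standard library; the bucket is simulated with a dict, and the key, object names and contents are constructed for the example. Confidentiality (encrypting before upload) is the other half of the job and is assumed to come from an AEAD library, not shown here.

```python
import hashlib
import hmac

class SealedBucket:
    """Client-side integrity layer over an untrusted object store (a dict
    stands in for S3). The app keeps the key and tag manifest, so the
    provider cannot silently modify or swap objects without a fetch failing."""

    def __init__(self, key: bytes):
        self.key = key        # integrity key; never sent to the provider
        self.store = {}       # simulates the remote bucket
        self.manifest = {}    # object name -> tag, kept application-side

    def _tag(self, name: str, data: bytes) -> bytes:
        # Bind the tag to the object name as well as its bytes; the length
        # prefix keeps the name/data boundary from being shifted.
        msg = len(name).to_bytes(4, "big") + name.encode() + data
        return hmac.new(self.key, msg, hashlib.sha256).digest()

    def put(self, name: str, data: bytes) -> None:
        self.store[name] = data
        self.manifest[name] = self._tag(name, data)

    def get(self, name: str) -> bytes:
        data = self.store[name]
        if not hmac.compare_digest(self._tag(name, data), self.manifest[name]):
            raise ValueError(f"integrity check failed for {name!r}")
        return data

def _fails(b: SealedBucket, name: str) -> bool:
    try:
        b.get(name)
    except ValueError:
        return True
    return False

def demo() -> dict:
    # Constructed sample key and objects, for the example only.
    b = SealedBucket(key=bytes.fromhex("0f" * 32))
    b.put("invoices/2008-05.csv", b"acct,amount\n42,100.00\n")
    b.put("invoices/2008-04.csv", b"acct,amount\n42,95.00\n")
    results = {"clean": b.get("invoices/2008-05.csv").endswith(b"100.00\n")}
    # Provider-side edit of the content.
    b.store["invoices/2008-05.csv"] = b"acct,amount\n42,1000.00\n"
    results["edit_detected"] = _fails(b, "invoices/2008-05.csv")
    # Rollback/swap with another object that carries its own valid tag.
    b.store["invoices/2008-05.csv"] = b.store["invoices/2008-04.csv"]
    results["swap_detected"] = _fails(b, "invoices/2008-05.csv")
    return results
```

Because the tag covers the object name, restoring an older, validly tagged object under the current name fails the check, which a bare content hash would not catch.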

Green bar <> panacea
So what? - Rich loved my reminding everyone that pretty much everything is vulnerable. And yes Rich, I get that rootkits are different. As if we needed one, here is another reminder that we really can't trust anything. It seems PayPal was open to an XSS attack, but given PayPal's adoption of the extended validation SSL certs (to turn your address bar that wonderful shade of green) - your little XSS attack gets the benefit of the green bar. Once again, the point is that you need to focus as much effort on containment as on anything else that you do. XSS and CSRF are going to happen, and even the most savvy of people are going to fall for it. Thus, you better have your act together to respond, contain the damage and ensure it doesn't happen again, even though it will. No, what we do isn't futile, but if we expect to be successful all the time - I figure that would be pretty delusional.
Link to this


The Laundry List

  1. I've stayed out of the US Air Force bot army discussion, and a good thing I did. All you need to know is written by the Tao Master himself, who slices this idea into bite sized pieces. - TaoSecurity blog
  2. Brand protection must be a real business, since the Big Yellow is getting into it. How long before someone snaps up Cyveillance and the other dwarfs in the space? - Symantec release
  3. That HackerSafe deal just keeps paying dividends for McAfee. Now the guy in charge of ScanAlert's security services is under indictment for securities fraud. Maybe HackerSafe doesn't scan for that either. - NetworkWorld coverage
  4. 10 more universities qualify for the NSA's information assurance designation. I wonder how much the big pipe from the universities' servers to NSA's servers cost? Kidding, I think. - NetworkWorld coverage

Top Blog Postings

Communicating risk. How about: "we're all screwed!"
I hand it to Jack Jones, since he continues to fight the good fight. Clearly we have to do a better job of quantifying risk and managing our security operations based upon which risks are deemed most significant to the things that are important. No, not important to you, rather important to the folks that write the check. If you don't get that by now, then apply for a scholarship to get the P-CSO. Jack is now tackling that wonderful job of having to communicate that risk. It can't be done in a Chicken Little fashion, but you also can't minimize it or you'll have no urgency to get anything done. Folks, this is black magic. I had to read Jack's post like 5 times and I'm still not sure I get it. Unstable and/or fragile conditions, probable loss magnitudes, etc. are not terms that your run-of-the-mill security professional really understands. I suspect that is part of the issue, although I'll admit to not being the sharpest tool in the shed. Basically, we need a more effective means of describing the problem, so that even a mid-market IT guy (where security is only one of their hats) is going to get it. It needs to be simple. It needs to be intuitive. It needs to be "good enough" from a precision standpoint. Dare I say it, maybe even Pragmatic. But that's not even simple enough. And until we get there, we'll need to have a séance every time we need to communicate risk to the senior team.
http://riskmanagementinsight.com/riskanalysis/?p=351
Link to this

People costs are not on the spreadsheet...
Mark Shavlik can only scratch his head when presented with information from the Big G about how inefficient Microsoft's WSUS turns out to be. First of all, G tends to focus on the super-large enterprises, and we all know that large enterprise isn't Microsoft's bag, baby! But kidding aside, everyone in a market that competes against a Microsoft or a Cisco or even a Symantec needs to figure out how to combat good enough. The technology works, but it's usually bundled into a big deal, and most procurement processes don't factor in the operational costs of doing something. Sure, there was a push to try to quantify TCO a while back, but in this kind of macro-environment, it's still easier to whip your folks to work a bit harder than to write a check for technology that may (or may not) make things more efficient. The G says to look at point solutions for patch management, and that may even be the right thing to do. But most companies won't, until they start to measure (and compensate) managers on productivity - as opposed to capital budget efficiency.
http://shavlik.typepad.com/mark_shavliks_blog/2008/05/garnter-note-on.html
Link to this

Will virtualizing security cost more than we save from virtualizing servers?
I've had this post from the Hoff sitting around for a while and finally figured I'd tackle it today. Captain Virtual (yes, he's working on a ride at Universal to appear in 2010) makes the point that most folks aren't thinking much about securing their virtualized environment and thus they have a blind spot in the true operational savings of rolling out an increasingly virtualized data center. I'll make the point that I'm sure I've made before, which is that no one cares. They don't count security as part of the original investment. They bolt it on after they have a problem (or fail an audit) and usually spend more and get less protection. Such is the human condition and I'm kind of tired of fighting it. The fact is virtualization saves a lot in operational costs. Maybe even a lot in capital costs (by using hardware more efficiently). It opens up opportunities to have more flexible building of servers for lots of different reasons. I'm not even sure how many use cases are out there, but there are a lot. To be clear, I suspect most folks don't think security is going to be cheaper in the virtualized world. Not because they are dense or naive. But because they aren't thinking about it. The folks that think a virtualized UTM platform is going to save them a lot of money don't really understand how this new paradigm works. And that's fine because as Chris ends the post, this isn't a problem yet. Until it is, and then we'll see unbudgeted money materialize to fix the problem, which is the way it always works. And hoping that it will be different this time isn't really a strategy.
http://rationalsecurity.typepad.com/blog/2008/05/virtualizing-se.html
Link to this