The Daily Incite - June 3, 2008
June 3, 2008 - Volume 3, #53
Good Morning:
I'm in the midst of a nasty tug of war and I feel like I'm losing. I guess every small business owner deals with the same issues. You know, do you focus on the foundational aspects of your business, laying the groundwork for further leverage and growth, or do you take care of the existing projects on your plate and perhaps run out of time? It's not an obvious answer, especially when you have lots of great clients that want you to continue doing work for them.

To be clear, of all the problems I can have, this is a pretty good one. But it's still very much a problem. I have great, big plans for 2008. I need to continue adding to the Pragmatic CSO content base with some audio. I have another 2 or 3 major initiatives that can really fill out the vision of what Security Incite can (and should) become planned and ready to go into the execution phase.
And there is the reality of being overwhelmed with writing, speaking
and strategy consulting work. I'm almost at the end of Q2, which means
half the year is gone. So I guess I'm a bit panicked. Am I ever going
to get to these other products/projects? Or will they just be cool
ideas on note cards sitting on my desk?
Basically, I need to start saying no. But how do you do that? My
approach is going to be to look at where I spend my time and what can
be streamlined. I don't think it's a productivity thing, it's really a
focus thing. I need to stay focused on FINISHING, not just starting
projects. Based on my conversations with clients, many of you are
struggling with the same issues. You are constantly pulled in many
directions and you may be ticking things off the to-do list (I know I
am), but are they the RIGHT things? That's really the question to be
asking.
For me, I'm going to start by changing my publishing schedule a bit.
Daily Incites will continue to show up on Tuesdays and Thursdays. I'll
still shoot to do a Pragmatic CSO podcast or newsletter each week
(preferably on Wednesday). And I'll also do a "Special Incite" each
week, which are ideas or opinion pieces or industry commentary (like
the Barracuda/Sourcefire analysis from last week) a bit longer and more
detailed than a TDI snippet.
So that's my plan, what's yours? Have a great day.
Photo: "Tug of War" originally uploaded by jphilipson
Top Security News
Security in the age of Web 2.0
So what? -
Geoff Leeming expands in NetworkWorld on some work done early in the
year about how different industries will need to adapt
to the reality of the global, extensive, and yes, free distribution
afforded by the Internet and associated technologies. Geoff
focuses on how ideas like trust, personalization, interpretation, and
authenticity can be applied in a security context.
But it all feels a little heavy and over thought to me. Maybe it's just
the simpleton in me, but I don't necessarily think we need to spend a
lot of time thinking about how to work in this new world order. If we
would spend a bit more time thinking about how to facilitate business
operations and protect the data that is important to the organization,
and communicate what it is that we are doing - then a lot of these
other details kind of work themselves out. The reality is that we need
to be able to track a user or transaction back to who did it (to
enforce segregation of duties) and all that other great CIA triad
stuff. Most of the major technological jumps over the past decade
haven't been fundamentally different (probably not since the browser),
but they have accelerated both the globalization and the velocity at
which things are happening. To phrase it a bit differently, our
fundamental mission hasn't changed, but the scope of our operations and
the speed at which we have to work is different.
How many more reasons do we need for security in the network?
So what? -
I ranted a bit last week about why it's inevitable that network
security will eventually be subsumed into the network fabric. This
SearchSecurity tip, which talks about network segmentation in the
context of PCI is yet another reason. Basically, we need to
be able to restrict access to certain systems and data. The author,
Stephen Cobb, used the Hannaford Breach as his case study to show how
better network segmentation would have possibly prevented the credit
card data from being compromised on capture (and before it was
encrypted). Organizations can move to this architecture now. It's
not like devices that can scrutinize endpoints and restrict access to
certain network aren't around today (NAC, duh!), but this is an
expensive architecture to roll out to hundreds or thousands of
locations. Many larger retailers don't have the option to build a
physically segmented network in each of their stores, since the cost of
the devices to enable that would be prohibitive if you have to buy
1,000 of them. But if you are upgrading your store networks sometime
over the next 3-4 years (which you likely will), then why not get
something that can provide a better level of security as well? Of
course, you should. This represents a generational upgrade and that
takes time. In the meantime, you'll likely need to look at some of
those data encryption options - which is not a bad idea anyway since it
represents another layer in your architecture.
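The point Cobb makes about segmentation is simple to state and easy to get wrong in practice: the capture segment should be reachable only from the places that have a business reason to talk to it, and everything else should be dropped by default. The following script is an added illustration, not code from the newsletter or from the SearchSecurity tip, of what that policy looks like when written down and checked. The zone names, subnets, allow rules and sample flows are all constructed for the example; a real store network would carry them in firewall or switch ACL configuration rather than a Python list.

```python
"""Toy zone-based segmentation policy check (added illustration; constructed data).

Models a retailer whose store network is split into zones. Traffic between
zones is denied unless an explicit allow rule matches (default deny), so a
compromised host on the general store LAN cannot reach the segment where
card data is captured before it is encrypted. Every zone, subnet, rule and
flow below is constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed zones: name -> subnet.
ZONES = {
    "store_lan": ipaddress.ip_network("10.10.0.0/24"),     # back-office PCs, kiosks
    "pos_capture": ipaddress.ip_network("10.10.20.0/24"),  # POS terminals / card capture
    "payment_gw": ipaddress.ip_network("10.10.30.0/24"),   # encrypting payment gateway
    "corp_wan": ipaddress.ip_network("10.200.0.0/16"),     # HQ / management
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: int


# Explicit allow list; any inter-zone flow not listed here is dropped.
ALLOW = [
    Rule("pos_capture", "payment_gw", "tcp", 443),  # POS -> gateway, TLS only
    Rule("payment_gw", "corp_wan", "tcp", 443),     # gateway -> processor link via HQ
    Rule("corp_wan", "pos_capture", "tcp", 22),     # HQ management access to POS
]


def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone, or None if it belongs to no known zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def evaluate(src: str, dst: str, proto: str, dport: int) -> str:
    """Return 'allow' or 'deny' for one flow.

    Flows that stay inside a single zone are allowed (segmentation is a
    boundary control); flows between zones must match an ALLOW rule; flows
    touching an unknown address are denied.
    """
    sz, dz = zone_of(src), zone_of(dst)
    if sz is None or dz is None:
        return "deny"
    if sz == dz:
        return "allow"
    for r in ALLOW:
        if (r.src_zone, r.dst_zone, r.proto, r.dport) == (sz, dz, proto.lower(), dport):
            return "allow"
    return "deny"


def exposure(zone: str) -> set:
    """Zones that have any allowed path into `zone`; a quick audit of who can
    reach the capture segment after a rule change."""
    return {r.src_zone for r in ALLOW if r.dst_zone == zone}


# Constructed flows used to exercise the policy.
SAMPLE_FLOWS = [
    ("10.10.0.15", "10.10.20.7", "tcp", 445),   # store LAN -> POS file sharing
    ("10.10.0.15", "10.10.20.7", "tcp", 443),   # store LAN -> POS HTTPS
    ("10.10.20.7", "10.10.30.5", "tcp", 443),   # POS -> gateway over TLS
    ("10.10.20.7", "10.10.30.5", "tcp", 80),    # POS -> gateway in the clear
    ("10.200.1.9", "10.10.20.7", "tcp", 22),    # HQ management -> POS
    ("10.10.0.15", "10.10.0.16", "tcp", 445),   # inside the store LAN
]


def audit(flows) -> dict:
    """Count allow/deny decisions over a list of flows."""
    counts = {"allow": 0, "deny": 0}
    for src, dst, proto, dport in flows:
        counts[evaluate(src, dst, proto, dport)] += 1
    return counts


if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, "->", evaluate(*flow))
    print("summary:", audit(SAMPLE_FLOWS))
    print("zones that can reach pos_capture:", exposure("pos_capture"))
```

Running it shows the store-LAN flows into the POS segment denied, the TLS-only path from POS to the gateway allowed, and `exposure("pos_capture")` returning just the management zone, which is the check worth repeating whenever a rule is added.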
Is that a computer in your pocket or are you just happy to see me?
So what? -
Neil Roiter asks the age-old question about mobile
malware on SearchSecurity.com. Everyone seems to agree that
it's going to happen, it's just not clear when. In 2004, it was going
to be 2006. In 2006, it was "soon." Now in 2008, it's just around the
corner. I say it'll never happen. Why? Because a simple cell phone is
really too simple to do much with, at least from a security standpoint
- so that's not an interesting target. And smart phones shouldn't be
considered any different than computers. They are really just small
computers, at least my iPhone is. And given that everyone copies
everyone else in this business, you'll see more functional, more
desktop-like operating systems in your pocket sooner rather than later.
And yes, attacks will happen - but they'll be the same attacks that are
working on the other computers. Lots of social engineering. Maybe some
key loggers. One of the points in the article is that there is no
"monoculture" or even duopoly of mobile operating systems to go after
to help the bad guys focus. That's true, but ultimately it won't matter
because the attacks will happen at the application layer and they'll go
after the data. Or they'll coerce consumers to do something stupid.
Which is what has already happened on the desktop. At least we've seen
that movie before.
The Laundry List
- Security management box sprawl is hitting hard. ArcSight announces a bunch more appliances to target smaller enterprises, remote (likely retail sites), and a dedicated PCI logging device. This is actually good news because one size doesn't fit all. - ArcSight release
- Tumbleweed gets a patent for an "email firewall." Looks like the patent litigators will be able to buy those new Porsches after all. - Tumbleweed release
- Tim Wilson vents a bit about the fact that most companies don't care about security. NSS. Here's a news flash for ya, until security pays the bills - most of these companies will remain blissfully unaware. We've got to "help" them understand and whingeing about it isn't an answer. - Dark Reading blog
- HP updates the SPI application security stuff (it only took a year) and is starting to talk about "services." Shocker, but how do they put dev tools in the cloud? - NetworkWorld coverage
Top Blog Postings
Is agility the answer to relevance?
Jeff Lowder is now blogging over at BlogInfoSec.com and his first piece
is about the overarching concept of "agile security." It's a good read
and a strong concept. Agility (in Jeff's idea anyway) is really focused
on finding the right balance between security and the agility required
by today's business environment. A quote in the piece really illuminates the situation: "In the private sector, there are just business requirements. Those requirements may include security, but at the end of the day security is only relevant to the extent it contributes to the business."
Amen to that. I'm looking forward to reading more from Jeff on the
concept (welcome to the neighborhood Jeff!), because I think it's very
complementary to my own brand of Pragmatism.
http://www.bloginfosec.com/2008/05/20/moving-beyond-the-cia-triad-the-concept-of-agile-security/
Why NAC? Why now?
NAC remains a lightning rod for pretty much everyone nowadays. Since
I'm a contrarian by nature, and a cynic by practice - I was one of the
early guys calling out the sector for too much hype. A couple of years
later, my tune hasn't changed, but I am doing a great deal of research
into the underlying drivers for why NAC may be interesting to some
customers. JJ does a good job of summarizing the big ones in this
post. Endpoint compliance is her number 1, and she's right on the money
in saying it's the "most hyped and possibly least significant." When
all you have is a hammer, everything looks like a nail - and the early
NAC technology was focused on host integrity checking - so that's what
customers got conditioned to want. I think the others (at least 3 of
them) are much more interesting. Guest access is probably the
initial killer app, although "edge port security" is maybe a
possibility. Her #4, user and resource accounting is really a
compliance thingy and that doesn't seem like enough to get someone to
write a check - it doesn't hurt. Finally she talks about Dynamic VLAN
assignment, but that starts to straddle between security and network
ops. In a smaller shop, that may be organizationally possible, but in
larger enterprises there is usually a lot of push back to use
"security" devices in a network ops context. Ask the NBAD guys about that. To wrap
up, I do believe the capabilities NAC brings are important. The
question is how soon you need them, and most importantly whether a
stand-alone device is the way to go about solving the problem.
http://securityuncorked.squarespace.com/security-uncorked/2008/5/31/top-5-why-customers-consider-nac.html
Physicians, medics and the good fight
One of the great things about security is that you can look at it from
any number of different perspectives and levels. Jack Jones, in a
follow up to one of my rants, really does a great job of both nailing
my focus and intentions - as well as bringing forward a great analogy to
how the practice of security can differ depending on your situation,
expertise, and organizational dynamics. Jack is exactly right in
calling me a "medic," in that I'm focused on stabilizing the patient
and making sure we live to fight another day. Since I focus on research
for the "everyman" (and woman for that matter), most of the folks I
write for don't have the advanced training and resources that your
typical "physician" would have. The great news is that there is
definitely a place for both in the practice of security. And to be
clear, I am looking forward to the physicians coming up with some great
new techniques and tactics to help us medics be more effective in the
field.
http://riskmanagementinsight.com/riskanalysis/?p=360