The Daily Incite - June 5, 2008

Submitted by Mike Rothman on Thu, 2008-06-05 10:55.
Today's Daily Incite

June 5, 2008 - Volume 3, #54

Good Morning:
Earlier in the week I talked about time flying and the need to prioritize it. I've been trying very hard not to be dominated by my watch or the Gantt chart that floats in my head. Most of my life I've viewed time based upon what I haven't gotten done, rather than what I have. Of course, those are the two ways of looking at the issue, eh? There are half-empty people and there are half-full people.
I can tell you it's very hard for a half-empty person to become half-full, though I am working on it every day. After reading the news clippings about Senator Obama becoming the presumptive Democratic presidential candidate, I finally figured out why I've been obsessing about time lately.

Basically, the US ebbs and flows in 8 year cycles. And yes, it seems (at least throughout my adult life) that the ebbs and flows tend to coincide with regime change in Washington DC. So I've been a bit preoccupied thinking about the next 8 years. Probably because of the major and significant life events that have happened over the past 8 years.

Just a few little things like bringing 3 kids into the world, buying and/or selling 6 houses, selling a company, getting fired from two others, moving my residence, starting a new business, and probably a bunch of other "minor stuff." I wonder what the next 8 years have in store. I can look at the issue relative to how I'm not where I thought I'd be back in the fall of 2000. Or I can think about how far I've come since the fall of 2000. I'm going to choose to bask in all of my accomplishments for a few minutes anyway.

I know that time flies. It felt like yesterday that I was up all night watching the returns from the 2000 election, while my 3 day old daughter was lying in a bili light to clear up some post-birth jaundice. Now she's almost 8 and a real person with real opinions, dreams, desires, and perspectives. The twins are getting there shockingly fast as well. It's hard for me to imagine the discussion around the dinner table in the summer of 2016, as we are talking about the next Presidential election.

So I won't. I'll just enjoy how time is flying and do my best to enjoy the ride. Have a great weekend.

Photo: "Time Flies" originally uploaded by sergei.y


Top Security News

The enemy of your friend is what?
So what? - Outsourcing is happening. That's a fact. Whether it's looking at having someone manage your email servers, your big iron, or all of your development operations - if someone else can do it cheaper and maybe even better, it's worth a look. That being said, given the regulatory oversight and scrutiny on pretty much every business, a little bit of care and due diligence is required before you hand over the keys to the kingdom. This Network Computing article goes over some of the basics relative to putting a potential outsourcer through the paces. I'm not so concerned about the process; I'm concerned with making sure that at least someone asks the data security question BEFORE the contract is signed. I know of a lot of deals where the implementation and transition of the services were problematic because no one paid attention to data security until the data was in someone else's hands.

No, this doesn't make Vista any easier to digest
So what? - Not surprisingly, Microsoft Vista's UAC technology, which requires authorization to make O/S level changes in the Registry and to install software, does a good job of stopping rootkits. The product was architected to stop these kinds of intrusions. And it's also not surprising that most of the AV suites suck at rootkits, given that they suck at most things - except finding the stuff we've already seen - maybe. My point is that it's all about the user experience. UAC works, but it's vilified because users hate it. It took 8 years to build that O/S and you're telling me that not one of their focus groups thought the user experience was terrible? Not one? Ultimately Microsoft will fix the issue and make it less obtrusive. You know, kind of like a Mac. (Couldn't resist) Until then, knowing that there is no great desire to move all PCs to Vista, make sure your containment plan is top notch. You are going to need it.

Dealing with those "rogue" devices
So what? - I never understood the folks that take a penny-wise and pound-foolish approach to technology. Large companies that make their employees purchase their own productivity tools make me scratch my head. Do they not realize that having to support their remote employees using non-standard technology will cost them more? But that's neither here, nor there. Ultimately these smart-phone things are happening and they are going to show up in your organization. Most likely in your pocket as well. So you may as well start planning and building some defenses and policies to make sure your data isn't at risk and that your support costs don't skyrocket. InformationWeek has a decent article here about how to secure those devices. Simple things like using VPNs and not using Public WiFi. Duh! As I mentioned yesterday, tomorrow's smart-phones (and with next week's imminent announcement of iPhone 2.0, tomorrow is here soon!) are really more like computers than cell phones. So you should treat them like computers and have similar defenses in place. Doesn't seem like brain surgery, but I guess everyone thinks it is.


The Laundry List

  1. Maybe HD should send the Metasploit download link to all the other jokers at his hosting provider. It's always fun to clean up after some dumb network admin at a co-lo. - Zero Day blog
  2. The only thing that worries me is when folks upgrade their "worry-free" offerings. Hope is not a strategy. So buying something that tells you it's worry-free doesn't make it so. - Trend release
  3. VeriSign adds ArcSight gear to its managed log offering. Guess they missed the case in B-school about how Southwest is the only profitable airline because they manage ONE type of device. - VeriSign release
  4. Fortinet gets ICSA anti-spam certification. The paper says it's 2008, but sometimes I'm not so sure. Seems like a circa-2005 announcement. - Fortinet release

Top Blog Postings

We can't write secure code - so let's give up!
Most of the time I really like Stuart King's blog. Given that I'm focusing today's blog ramblings on application security, I thought I'd point to a piece that Stuart did on writing secure code. His point is that basically we can't. Things are too complicated, those damn users just want too much functionality and they want it yesterday. So all the training and tools and other stuff we do is for naught. Good! Now I can sit at the pool for the rest of the day, since it's all worthless anyway, right? Then Stuart basically falls back into the tried and true security mentality of throwing a box (a web app firewall) at the problem. That's a cop-out. First of all, a WAF is not a panacea for application security. And just because users want more and faster, doesn't mean they should get it. Everything gets back to a business decision. If the business decides it's worth the risk to roll an application that has holes, so be it. Just make sure they understand that when the dudes in the radioactive suits come in to clean up the mess. By the way, I'm all for WAF as a supplement to application security efforts, WHERE APPROPRIATE. But to give up the ghost on trying to write secure code because it's hard isn't the answer either.
http://www.computerweekly.com/blogs/stuart_king/2008/05/david-lacey-makes-the-importan.html

Unfortunately most of the world is doing it wrong...
Clearly it's not "that" they are doing wrong, because world population continues to grow. But as Gunnar points out, thinking of software and security as two separate things is kind of beside the point. Seriously beside the point. GP talks about building a "strong center," and making sure that everyone is pulling in the same direction. It sounds kind of Zen-like, but that's a good thing. I sense a ripple in the Force, and that is letting the bad guys have their way with the applications. Kumbaya, you all. That's the answer, kumbaya.
http://1raindrop.typepad.com/1_raindrop/2008/05/software-and-security-separateness---youre-doing-it-wrong.html

Someone sign this guy to a book contract
One of the great things about the blogosphere is that there is no lack of folks willing to share their expertise and help educate the masses about a variety of topics. That is certainly the case in the security business, where Dre has contributed this treatise on software security to the world. It's good stuff and a good background about the issues that are facing software developers as they try to make their code better and less holey. Is that a word? Anyhow, even better is that Dre also references supporting material and other links to help folks continue their educational efforts. I suggest newbies (no, not Newby, but new security professionals) bookmark this post and gradually work through Dre's reading list. You'll be a lot smarter for it.
http://www.tssci-security.com/archives/2008/05/29/software-security-a-retrospective/