The Daily Incite - August 15, 2008
August 15, 2008 - Volume 3, #69
Good Morning:
I know I harp on the importance of managing expectations frequently,
mostly because I keep seeing data points everywhere that reinforce the
point. As I continue to binge on the Olympics, the concept continues to
resonate. The US Men's Gymnastics team got a Bronze. It was very
unexpected, given the injuries to the Hamm brothers. So they are
ecstatic. Yet, the women's team was disappointed with the Silver. Why?
Expectations. The girls thought they could win after 2 rotations.

Even magical Michael Phelps was pissed off after the 100 butterfly
event. He won Gold, set a world record and he's still pissed. Turned
out his goggles were leaking, so he was swimming blind. And he still
expected to swim faster. Again, expectations.
Now it's time for the NFL season to start. I'm taking the boy to the
opening pre-season Falcons game on Saturday, exercising my new season
tickets. It's very exciting, even though I expect the Falcons to suck
this year. I just love to watch football, even if it's not the NY
Giants.
Matt Ryan is poised to step in as the starter and future of the
franchise sometime over the season. This year, the expectations are
low. Over time, they won't be. But he should enjoy the fact that he can
learn this year and not really be raked over the coals when the Falcons
make some dumb mistakes and lose some games. It's all about managing
expectations.
Brett Favre meanwhile is in exactly the opposite position. The NY Jets
want him to come in and have an immediate impact. He's got little
wiggle room to learn the system and to be the hyper-aggressive Favre
that ends up making as many mistakes as he makes great plays. It's not
like NY is a forgiving place. I'm sure the crazy New Yorkers will be
jumping Eli when he throws an INT or 10. Super Bowl ring or not, it's
always about what have you done lately.
The good news is that you probably don't have millions of fans hanging
on your every move. That takes off the immediate pressure and ensures
you likely won't be tabloid fodder, but that doesn't mean you shouldn't
always be paying attention to expectations. You need to. If you do it
wrong, you are certain to disappoint people. If you do it right, you
are a super-star. Even if you accomplish exactly the same
thing.
Have a great weekend. And meet those expectations.
Photo: "BRETTS" originally uploaded by nationalparodyleague
Technorati: Information Security, CSO, Security Mike, Internet Security
Top Security News
Don't hold your breath for the demise of passwords
So what? -
I've been in this game for a long time. Almost as long as I've been in
the game, people have been calling for the end of passwords. And there
have been lots of "contenders," positioning to replace the good old
fashioned password. It still hasn't happened yet, and I don't expect it
to happen anytime soon. This latest discussion by SJSU professor
Randall Stross talks about the fact that passwords aren't secure.
It's all stuff we've heard before. Widespread use of strong
authentication techniques is cost prohibitive and doesn't solve the
problems of identity theft or phishing. Personally, I try to eliminate
the issues I know can get me. Like a dictionary attack. So I use strong
passwords with a password manager (I use 1Password) to eliminate the
complexity. RoboForm is pretty well regarded on the Windows side. Will
a strong password stop a well crafted XSS, MITM or CSRF attack? Nope.
But it will stop some basic attacks, and I think over time the data has
shown that it tends to be the basic attacks that are most successful.
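To make the dictionary-attack point concrete, here is an added example (mine, not from the original post or from any password manager) of what a cracker does with a leaked hash list and why a manager-generated random password doesn't show up in it. The wordlist, the mangling rules, the "leaked" hashes and the SHA-256 hashing are all constructed for illustration; real wordlists have hundreds of millions of entries, and real sites should store passwords with a slow hash like bcrypt, scrypt or Argon2, not raw SHA-256.

```python
"""Added example, not from the original post: dictionary attack vs. a
password-manager-style random password. All inputs are constructed."""
import hashlib
import math
import secrets
import string

# Constructed stand-in for a real cracking wordlist (assumption: tiny on purpose).
WORDLIST = ["password", "letmein", "falcons", "giants2008", "summer08", "qwerty"]


def mangle(word):
    """A few of the mangling rules crackers apply to every wordlist entry."""
    yield word
    yield word.capitalize()
    yield word + "1"
    yield word + "!"
    yield word.capitalize() + "1"


def sha256_hex(password):
    # Fast hash used here only so the demo runs instantly; see lead-in caveat.
    return hashlib.sha256(password.encode()).hexdigest()


def dictionary_attack(target_hash, wordlist=WORDLIST):
    """Return the plaintext if some mangled wordlist entry hashes to target_hash,
    otherwise None. This is the whole attack: guess, hash, compare."""
    for word in wordlist:
        for candidate in mangle(word):
            if sha256_hex(candidate) == target_hash:
                return candidate
    return None


ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length=20, alphabet=ALPHABET):
    """What a password manager does for you: a CSPRNG pick from a big alphabet."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Guessing work for a uniformly random password of this shape."""
    return length * math.log2(alphabet_size)


def demo():
    """Constructed 'leaked' hash list: one human-chosen password, one generated."""
    leaked = {
        "alice": sha256_hex("Falcons1"),           # a team name plus a digit
        "bob": sha256_hex(generate_password()),    # from the manager
    }
    return {user: dictionary_attack(h) for user, h in leaked.items()}


if __name__ == "__main__":
    print(demo())  # alice's password falls out; bob's does not
    print(round(entropy_bits(20, len(ALPHABET)), 1), "bits for a 20-char random password")
```

The point is not the 30 candidates tried here but the shape of the problem: a dictionary attack only ever finds passwords that are in the dictionary (after mangling), and a 20-character random string from a 94-symbol alphabet carries about 131 bits, which no wordlist will contain. None of this helps against XSS, MITM or CSRF, exactly as the post says, because those never touch the password's strength.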
Reducing the Fed's attack surface
So what? -
Evidently the US Feds have been watching the Weakest Link and figured
that maybe it was a bad idea to have 8,000 different connections to the
Internet. The initiative is called Trusted Internet
Connection (TIC). Clearly the more connections, the more
places to screw up a configuration and leave a hole. So this idea of
reducing the number of connections to about 100 is kind of interesting,
but I'm not sure it's feasible. Those would need to be some pretty big
ass pipes and there is little room for error. Sure, you can throw a lot
of money at monitoring and managed services and the like. But if you
are wrong, the bad guys get access to not just a small section of the
US Fed networks, but large swathes of territory. It's also interesting
that the pendulum is swinging back to private networks. It wasn't too
long ago that it was all about moving away from private packet services
and using branch to branch VPNs to cheapen transport. Now I guess it'll
swing back to connecting sites via private network backbones and
aggregating the access to only a few points. What's old is new again,
though it's funny we are pulling out the bell bottoms of networking due
to a security issue.
7 years later we're thinking about TLD contingencies
So what? -
How the Internet stays up with reasonable uptime continues to amaze me.
Especially when I hear about initiatives like the Registry Failure Task
Force that were formed in 2001 and are just now starting to move forward
with an architecture that would build a bit more resilience into the
system. Nothing in how Larry Seltzer describes the
plan seems too groundbreaking. You know, who should do what
and then who should they tell. They even claim they are going to
practice their response. Good luck with that. It's a great idea and I'm
pleased that the idea of containing the damage is alive and well among
the folks that run the Internet. Ultimately I doubt it'll be any of
the current attack vectors that bring the Internet to its knees. But
sooner or later something will emerge and we won't be ready, but at
least there will be a plan to recover. And that's about the best we can
do.
The Laundry List
- Clear sailing ahead. The TSA takes CLEAR out of the penalty box after the misplaced laptop incident. Now they are going to encrypt laptops. Imagine that. - BTNmag coverage
- More from the "I pulled numbers out of my ass" category, Aberdeen says best in class vulnerability and threat management yields 91% marginal ROI. Huh? What is marginal ROI? What is best in class anything? Who cares, I'm sure the vendors are happy. - Aberdeen release
- Security Innovation takes a page out of the TruSecure book. When you have a methodology that works, but no one knows what it is, then just call it a "certification," give the customers a piece of paper, and jack up the price twofold and life is good. Fact is, having someone credible like SI say your software security program is up to snuff is a good thing, but the certification angle. Meh. - Security Innovation release
- Where is Lenin when you need him? Google announces Keyczar, for "simple and safe crypto." I don't think I've ever seen those three words (simple, safe, crypto) together in one sentence. Let's just hope developers don't start shooting off their feet with these safe and simple libraries. - Google Security Blog
Top Blog Postings
He blinded me with science....SCIENCE
Thomas Dolby lives and not just as some wacky podcasting dude. The
Mogull brings up a good point in his Dark Reading column about actually
having some data regarding vulnerability disclosure. That would be
novel. Right now it's very much a he-said, she-said activity. We think
it's bad that HD published the DNS attack in Metasploit. But are we
sure? Does security by obscurity work? And for how long? These are all
very interesting questions, and a topic rife with dissension and
opinion. Data would solve the problems. But gathering the data, not so
easy. Rich asks you to do a poll, and you should do that. Is that data?
Nope. It's opinion. Asking whether you were hurt or helped is getting at people's
opinion. There are enough folks tracking enough exploits that I think
there is probably enough data out there to start drawing some
conclusions. But getting there will require a significant amount of
sharing and cooperation, which isn't necessarily the strong suit of the
security industry.
http://www.darkreading.com/document.asp?doc_id=160415
Ding dong, SIM is dead? Yeah, not so much...
I wish everyone would just remember that the security business is like
Night of the Living Dead. We can never kill anything off, it just hangs
out in the cemetery until some desperate producer decides to roll
another zombie movie. So Raffy's first post that SIM (security information
management) is dead was really kind of
ridiculous. Thankfully he saw fit to clarify what he's saying in this
post, which is SIM is dead - unless... My opinion is that the first
generation of SIM didn't do what it needed to. It was too hard, too
expensive, took too long to see value. There are lots of folks that are
working on those issues. Of course, we still aren't there yet, but the
industry is making progress. And the biggest reason I don't see the
idea of SIM dying (although the implementation will clearly change and
evolve) is because CUSTOMERS NEED IT. Unless someone comes up with some
magic fairy dust that all of a sudden tells users what's going on with
their systems and what they should be focusing on RIGHT NOW, then we
need security management capabilities. But anytime you pronounce
something dead it generates lots of page views, eh?
http://blogs.splunk.com/raffy/2008/07/18/sim-is-dead-unless/
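What "tell users what's going on and what to focus on RIGHT NOW" looks like in the smallest possible form is correlation: taking a pile of individually boring log events and turning them into one alert worth a human's time. The following is an added example of mine, not code from the original post, from Raffy, or from any SIM product. The nine log lines are constructed, and the line format (ISO timestamp, event name, user, source IP) and the threshold of five failures inside 60 seconds are assumptions chosen for the demo.

```python
"""Added example, not from the original post: the brute-force-that-worked
correlation a SIM does over raw auth logs. Logs and format are constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed auth log. Format is an assumption: "<iso-ts> <event> user=<u> src=<ip>".
LOG = """\
2008-08-15T08:00:01 LOGIN_FAIL user=jsmith src=10.1.1.7
2008-08-15T08:00:03 LOGIN_FAIL user=jsmith src=10.1.1.7
2008-08-15T08:00:05 LOGIN_FAIL user=jsmith src=10.1.1.7
2008-08-15T08:00:07 LOGIN_FAIL user=jsmith src=10.1.1.7
2008-08-15T08:00:09 LOGIN_FAIL user=jsmith src=10.1.1.7
2008-08-15T08:00:12 LOGIN_OK user=jsmith src=10.1.1.7
2008-08-15T08:01:00 LOGIN_FAIL user=mrothman src=192.0.2.9
2008-08-15T08:45:00 LOGIN_OK user=mrothman src=192.0.2.9
2008-08-15T09:00:00 LOGIN_FAIL user=bob src=10.1.1.8
"""


def parse(line):
    """Turn one constructed log line into a dict. Raises on malformed input."""
    ts, event, user_kv, src_kv = line.split()
    return {
        "ts": datetime.fromisoformat(ts),
        "event": event,
        "user": user_kv.split("=", 1)[1],
        "src": src_kv.split("=", 1)[1],
    }


def correlate(lines, threshold=5, window=timedelta(seconds=60)):
    """Flag a (source, account) pair that fails at least `threshold` times
    inside `window` and then logs in successfully: a brute force that worked.
    One typo followed by a login 44 minutes later (mrothman) is not flagged."""
    recent = defaultdict(list)  # (src, user) -> timestamps of failures in window
    alerts = []
    for ev in (parse(l) for l in lines if l.strip()):
        key = (ev["src"], ev["user"])
        if ev["event"] == "LOGIN_FAIL":
            recent[key].append(ev["ts"])
            # drop failures that have aged out of the window
            recent[key] = [t for t in recent[key] if ev["ts"] - t <= window]
        elif ev["event"] == "LOGIN_OK":
            fails = [t for t in recent[key] if ev["ts"] - t <= window]
            if len(fails) >= threshold:
                alerts.append({
                    "severity": "HIGH",
                    "src": ev["src"],
                    "user": ev["user"],
                    "failures": len(fails),
                    "at": ev["ts"].isoformat(),
                })
            recent.pop(key, None)  # a success resets the counter either way
    return alerts


def summarize(log_text):
    """Raw event count vs. what a person actually needs to look at."""
    lines = [l for l in log_text.splitlines() if l.strip()]
    return {"raw_events": len(lines), "alerts": correlate(lines)}


if __name__ == "__main__":
    print(summarize(LOG))
```

Nine raw events, three of them successful logins that look identical in isolation, collapse into a single HIGH alert naming the account, the source and the time. That collapse, done across every log source an enterprise has and at volume, is the thing customers need and the reason the idea doesn't die even when a given generation of products does.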
Let's start the hype engine for 2009
Stuart King works for a conference producer (amongst many other things
that his employer does), so obviously the folks on the "product" side
of the house can and should consult him about what's hot in security. I
guess it is getting towards the end of 2008, which means we all have to
start thinking about topics for 2009. Great. For the 5th year in a row,
I suspect 2009 will be very much like 2008. We are still bailing out
the leaky boat with a small cup. Sure, there are new and different
attack vectors. And things like "the cloud" are causing us to revisit
our general security architectures. And compliance certainly isn't
going away as a key issue for security folks everywhere. BUT, maybe in
2009 we can start actually implementing the stuff we bought in 2006 and
making sure we are more effectively doing the blocking and tackling
that we all know can use some improvement. But alas, that isn't too
sexy for a conference producer. Do you wonder why most of these folks
don't really ask my opinion?
http://www.computerweekly.com/blogs/stuart_king/2008/08/2009securitypredictions.html