Pragmatic CSO Podcast #21 - Grass Roots Funding
It's time to wrap up Step 5: Selling the Story. We finish the discussion by talking about how to get funding, when the budget monkeys have told you no. Basically we have to take a "grass roots funding" approach to go to the business leaders directly, make the case, and get the funding we need. It's kind of like selling cookies door to door. We have to be persistent and make the case as to why it would be a good purchase.
This requires us to broaden our skills and likely move out of our comfort zone quite a bit. It's uncomfortable, but it's a good thing. Just remember to focus on the "customer" issues and the Reasons to Secure. The business leaders will respond to that. Ultimately you may not get the funding you need, but you won't go down like a whimpering puppy. You'll go down swinging, trying to do the right thing.
Running time: 6:29
Intro music is Jungle and I finish it up with Dire Straits' "Money for Nothing," because that is an appropriate metaphor. There is no money for nothing. We have to work for it and sometimes that means being creative about the funding we can/should get.
Direct Download: 21_Pragmatic_CSO_Podcast_21.mp3
Photo Credit: weskimcom
Pragmatic CSO review on Slashdot
Nothing like getting a little present on a summer Monday. I wanted to point out that a review of the Pragmatic CSO was posted today on Slashdot. You can check it out:
http://slashdot.org/article.pl?sid=08/07/28/1330215
Overall, Ben Rothke provided a balanced and positive review of the book, which really hits on the key points I try to highlight not only in the process, but also in my weekly newsletters and podcasts.
Pragmatic CSO Podcast now on iTunes
Now you can take the P-CSO on your iPod with you. This is great news, so now I can haunt you in your car, on an airplane, or even when you are running. Although since all of the podcasts are 6-7 minutes, it wouldn't be much of a run I guess.
To get the podcast, click this link and then it should direct you to iTunes to subscribe to the podcast. Screenshot of what you should see is below.
Rise up against Mediocrity
A few folks (Emergent Chaos, Risk Analys.is) pointed to probably the best Dilbert I've seen in a long time. A lot are funny, but this one really struck home.

When people asked me what I did for a living, for a long time my standard response was: "Fight against mediocrity." And that's kind of how I fancied myself. A crusader against all lameness. Someone who wouldn't just accept "that's how we do it," when doing it that way was just stupid.
Part of it is naive idealism. Another part is actually wanting to make a difference.
But over time, you get beaten down. Many incentive systems reward for mediocrity. For doing just enough. And if you consistently don't get rewarded for going the extra mile, after a while you'll stop. No one is so self-motivated that they outperform their peers and blast expectations for an extended period of time without some kind of reward and recognition.
That's why I think change is so important. Changing what you do, maybe who you do it for, what your goals and aspirations are, who you hang out with - anytime you start to feel stale. Stale = mediocre.
We in the security business are particularly guilty of accepting mediocrity. Our brand of mediocrity flies by under the term compliance, which is basically the set of best practices we should adopt - or have our executive officers suffer the mythical perp walks.
One of the things I mention in the P-CSO is the importance of thinking differently and not doing what everyone else is doing from a defense standpoint. Dilbert makes the risk of the lowest common denominator approach abundantly clear. If you do what everyone else does, then your adversaries know what that is, thus THEY KNOW HOW TO BEAT YOU.
I love those old movies like "Home Alone," where the bad guys stumble and bumble into every trap. The little kid set a bunch of non-traditional traps and the bad guys didn't know what to do about it. That's exactly how we need to start thinking about computer security as well. As fun as it would be to spray a hacker with honey and then dump them into a pile of feathers, we need to find the digital equivalent of that.
That's why I continue to beat the drum for Security FIRST! as a mantra. If you do security correctly, then I'm pretty confident you won't have much trouble with compliance.
It's too easy just to push the compliance button and figure everything will be OK. To figure that compliance is the end goal, the finish line. Folks we work in security, THERE IS NO FINISH LINE. Compliance is the lowest common denominator. It's something that everyone is doing (or should be doing) and it represents mediocrity.
And who wants to go through life settling for mediocrity?
Photo: "mediocrity" courtesy of Despair, Inc.
The Daily Incite - September 4, 2008
September 4, 2008 - Volume 3, #74
Good Morning:
After seeing so many live music shows this year, the sizzle is waning. Sure, it's great to see fantastic, charismatic singers. And folks that can make sounds come out of a guitar that boggle the mind. But while I was seeing My Morning Jacket last week or John Mayer over the weekend, I didn't focus on the guitarists (as good as they are). I wanted to pay attention a bit to the unsung heroes that make live music happen.

That's right, let's hear it for the rhythm section - the bass guitarist and the drummer. With very rare exceptions you don't go see a band because you like the bass player or the drummer. Of course, you go to see Rush to remind yourself how great Neil Peart is. I think that Sting guy may be able to sing also. But beyond that, who is the drummer? Who is the bass player?

So at the last two shows I tried my best to pay more attention to the bass player and the drummer. They were good. MMJ's drummer had long hair that seemed to do more damage to the cymbals than his drum sticks. John Mayer's bass player kept the rhythm going, but now a few days after the show, I couldn't tell you what that guy looked like. I guess I'm like everyone else. It's the shiny objects that are memorable, not the rhythm section.

The guitarists get all the money and the chicks (or guys if they swing that way). So this weekend let's try not to forget these other folks, even if they are entirely forgettable. Go find a bass player or a drummer and thank them for the labor they provide during every live show. Tell them without their contributions, you'd only have half a band. Half a band sounds like crap.

And then get back to staring at the guitarist. Man, those guys can play!
Have a great weekend.
Photo: "bass player" originally uploaded by davidex
Technorati: Information Security, CSO, Security Mike, Internet Security
The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com
Get Your Special Report: 6 Easy Steps to Protect Your Identity and get access to Security Mike's Portal today www.securitymike.com
Top Security News
All that glitters isn't Chrome
So what? -
So Google goes and releases a "browser" and the entire Internet is all aflutter. Open source, ooooh. New JavaScript engine, ahhhh. It's even secure! OK, maybe not, since it seems someone already ran a fuzzer on it and found some vulnerabilities. Not that it wasn't expected, but it's still funny. Evidently the browser works OK, according to the folks that have played with it. Dennis Fisher figures it won't make a huge dent in market share beyond the digit heads, and Mitchell is bitching about having to Q/A another browser platform. Do I think this is earth shattering? Nope. But it's clear that the underlying OS will just be a host for a variety of "application" platforms that are optimized for specific use cases. Chrome will be one, maybe Firefox another, maybe you'll get developers extending Chrome to optimize it for their own environments. And it won't matter if you run Windows or Mac OS X or even Linux on your device. This will likely accelerate the marginalization of the OS, and that's a good thing. Amrit is on the right track about this being a "platform" more than anything else. But let's not anoint Chrome as the best thing since sliced bread from a security standpoint until it's been proven. Google does beta stuff pretty well, but until I can get NoScript type of functionality (and a Mac version), I'll be waiting on the sidelines.
Private browsing - so much for snooping on your folks
So what? -
A lot of organizations have deployed user web monitoring, I mean web filtering, in order to make sure their users stay productive. That's how they justified the expense anyway. You have a gateway and it stops users from going to "bad" sites that would burn up most of their day (Facebook anyone?). During an investigation you could also enforce your acceptable use policies based upon cookies and other cache items left in the browser. But now everyone is taking Apple's lead and adding a pr0n mode, I mean privacy mode, to their browsers. Maybe that's why most of the Apple users I know are a lot happier than those suffering through with IE. IE8 will have it, and so will Google Chrome. So aside from allowing boys to be boys, what are the risks of these private browsing modes? Basically they cut off a significant information source for investigations: the local artifacts (history, cookies, cache) that a host-based review relies on are no longer left behind. As Seltzer points out, it's not clear what the real impact will be for compliance purposes and for monitoring employees' use of technology. But all is not lost. Private browsing does nothing to hide the traffic from the network, so we can still monitor at the gateway. You also may want to (try to) enforce the usage of a VPN for remote employees, so their web traffic is routed through your network. Then you can monitor that too. That one's a bit harder, but it's possible. The action-reaction process continues unabated. At least you know these new actions are happening, so you can plan your reactions.
What about #21: Get some hemlock...
So what? -
It's happened to most of us. You are walked into the boss's or maybe the HR person's office and then notified that you no longer have a job. It's pretty unsettling, though it gets easier every time it happens. Unfortunately, given the state of the global economy, this is likely to happen more frequently over the next couple of months. NetworkWorld has a good article that provides some tips for dealing with it. Basically, you can't freak out, and hopefully you've been making contingency plans all along. If you work for someone else, it's kind of silly to assume things won't change in the business and that you'll always be welcome. This isn't the 1950's folks, there is no guaranteed lifetime employment and a cushy pension at the back end of 30 years of toil and trouble. If you are too "busy" to take some action and get out and network a bit or to even develop a contingency plan, do a little visioning exercise with me. Picture yourself packing up boxes in your office. Then picture how you are going to pay the bills and keep your significant other in the lifestyle she/he has become accustomed to. Not a pretty picture, right? So make sure you are constantly thinking about what's next. Better to be safe than dealing with the repo man.
The Laundry List
- Secure Computing puts Securify out of their misery for $15 million and an earn out. VCs took a bath on this one, but that's life in the big city. And it goes to show even a cat only has 9 lives. - Secure Computing release
- Novell introduces the most "advanced compliance management" solution, which evidently is a knife to kill the auditor in the parking lot. All kidding aside, what kind of differentiator is "advanced?" - Novell release
- Sick of paying for AV? Build your own, just don't try to manage it for more than a desktop or two. - NetworkWorld
- You think Ballmer will be master of his own domain? He's under a lot of stress, you know? Maybe Seinfeld will help them fend off the Mac Guy, but probably not. No Office for You! - Dvorak MarketWatch column
Top Blog Postings
It's a big world and it takes time for them to do anything
Gunnar gnashes his teeth a bit regarding how small the aggregate software security market is. Yep, early markets are like that. You have a couple of big vendors that get 80% of the market share and a bunch of smaller ones that don't. When you add everything up, you get a market size probably 15% of a Big Security player like Check Point. The reason is simple. Everyone has a firewall. Not many do software security YET. And the yet is the point. Emerging markets are all about hype and making customers think they have problems they're not sure they have. No one questions whether they need a firewall. Of course companies should be spending more on software security, but they don't understand that yet. They haven't seen it and been beaten over the head with it for years. That's what it takes. The firewall has been around for over 15 years, software security has not. It's great the software security market is growing, but don't expect it to become very big anytime soon. Only time can make that happen.
http://1raindrop.typepad.com/1_raindrop/2008/08/software-security-market.html
First person XSS
Let me send out a hat tip to Dave Piscitello for pointing me towards Russ McRee's excellent piece on cross-site scripting in the ISSA Journal. A key to being a good defender is to understand your adversaries. So being able to put yourself into the mind of the criminal is critical to being able to defend yourself. So what do you see here from an XSS attack standpoint? Basically it's something that can happen to anyone, and it's hard (as a user) to defend against. I know I pimp NoScript a lot, but it adds a bit of XSS defense as well to your Firefox browser. From a developer standpoint, there are a few tips at the end to keep in mind. Of course, it's unlikely you are the actual developer, so you'll need to evangelize these points to your developers at every turn. Validate inputs, encode and verify outputs, and look at both web app firewalls and code reviews. Russ forgot to tell you to keep fighting the good fight because behaviors don't change overnight and building secure applications does require a behavioral change. Note the link below is a PDF file.
http://holisticinfosec.org/publications/anatomy_of_an_xss_attack.pdf
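Russ's developer tips above boil down to validating what comes in and encoding what goes out. As an added example that is not from the ISSA Journal piece or from this blog, the Python below puts a hypothetical profile template side by side in its reflecting form and its output-encoded form, runs a few constructed payloads through both, and then verifies the rendered HTML by parsing it the way a browser would rather than grepping it. The template, the display-name allow-list and the payloads are all assumptions made for illustration.

```python
from __future__ import annotations

import html
import re
from html.parser import HTMLParser

# Constructed inputs for the demo (not taken from the ISSA Journal piece):
# a benign name, a payload aimed at element-text context, and one that
# breaks out of a double-quoted attribute value.
CONSTRUCTED_INPUTS = {
    "benign": "Alice",
    "script_tag": "<script>alert(document.cookie)</script>",
    "attr_breakout": '" onmouseover="alert(1)',
}


def render_vulnerable(name: str) -> str:
    """Hypothetical profile template that reflects the display name unencoded.

    The value lands in two contexts, element text and a quoted attribute,
    and both are injectable.
    """
    return f'<p>Welcome, {name}</p>\n<input name="display" value="{name}">'


def render_hardened(name: str) -> str:
    """Same template with output encoding for the HTML text/attribute contexts."""
    safe = html.escape(name, quote=True)  # encodes & < > " and '
    return f'<p>Welcome, {safe}</p>\n<input name="display" value="{safe}">'


# Input validation: an allow-list of what a display name may contain.
# Defence in depth only; it never replaces encoding at the output.
DISPLAY_NAME_RE = re.compile(r"[A-Za-z0-9 ._-]{1,40}")


def validate_display_name(name: str) -> bool:
    """True when the whole value matches the allow-list."""
    return DISPLAY_NAME_RE.fullmatch(name) is not None


class _TagCollector(HTMLParser):
    """Records every start tag and every on* (event handler) attribute."""

    def __init__(self) -> None:
        super().__init__()
        self.tags = []
        self.event_attrs = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.event_attrs.extend(k for k, _ in attrs if k.lower().startswith("on"))


def injected_markup(rendered: str, allowed_tags=("p", "input")) -> bool:
    """Verify the output by parsing it as a browser would, not by grepping.

    Returns True if the page carries a tag the template never emits or any
    event-handler attribute, i.e. the untrusted value became markup.
    """
    parser = _TagCollector()
    parser.feed(rendered)
    parser.close()
    return any(t not in allowed_tags for t in parser.tags) or bool(parser.event_attrs)


def audit() -> dict[str, tuple[bool, bool]]:
    """Per input: (vulnerable template injected?, hardened template injected?)."""
    return {
        label: (injected_markup(render_vulnerable(v)), injected_markup(render_hardened(v)))
        for label, v in CONSTRUCTED_INPUTS.items()
    }


if __name__ == "__main__":
    for label, (vuln, hard) in audit().items():
        ok = validate_display_name(CONSTRUCTED_INPUTS[label])
        print(f"{label:14s} passes_validation={ok!s:5s} "
              f"vulnerable_injected={vuln!s:5s} hardened_injected={hard}")
```

Two caveats worth carrying to your developers: `html.escape` is only the right encoder for HTML text and quoted attribute values, so a value that lands inside a script block, a URL or a CSS property needs that context's encoding instead; and the allow-list is kept as a second layer precisely because one day someone will add a field the encoder never sees.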
Is there a silver lining in all these clouds?
Cloud this, SaaS that. Every day it's more crap about clouds and services, services and clouds. What's a guy who likes to keep his feet on the ground to do? Amrit's been busy lately. I guess spending some time in the Ashram during his Asian swing was good for his writing and time management skills. This post makes a lot of good points relative to the fact that cloud computing will require a different security model. I'm not sure what that model ultimately is, but it's different. Maybe a little different, maybe a lot different, but it's definitely different. Yet we are still missing the point about what's most important to do now. Thankfully Amrit didn't, as he points out it's all about RECOVERING from the inevitable incident. Remember, whether you are consuming or providing cloud services, if there is a question about the reliability and/or security of those services, it takes everyone down with the ship. So make sure you focus on CONTAINING the damage as you architect these services. It will make or break your business. No joke.
http://techbuddha.wordpress.com/2008/08/29/saas-and-cloud-computing-change-the-cia-paradigm/
The Daily Incite - September 2, 2008
September 2, 2008 - Volume 3, #73
Good Morning:
As you read this, I'm on my way down into ATL to do my civic duty as a juror. That's right, jury duty. I know it's our responsibility and one of the things we have to do when you live in the US. That doesn't make me any happier. First of all, I need to go into the city. Yes, Atlanta has the worst traffic in the US. I can only hope that most folks decided to take a 4 day weekend and saunter in around 10 AM or later, so I can get into town.

And then there is the waiting. On a good day, I'm impatient, so sitting around for hours, watching Regis and Kelly or whatever other inane crap is on the tube may be the end of me. What about those chairs? They may as well sit us all on beds of nails, as comfortable as those are. Evidently they want to make sure your jury duty experience is as memorable as possible. Call in the chiropractor!
The last time I went down for jury duty, I didn't even get called to audition for a jury. That was lucky. I was bored to tears, but all in all it was just a day and I went along on my merry way. I don't expect to be so lucky this time, so I'm strategizing on how best to make myself as undesirable a juror as exists. My friend told me just to shout "They are all guilty." Maybe that would work, but could also land me in the lock-up.
There are lots of ideas on the Internet on how to avoid being called for the jury. Just Google "get out of jury duty," and all your questions will be answered. The reality is, I'll likely just opt for the truth option. I'm sure I'll get some hate mail from my law enforcement friends, but I don't trust evidence. I know how easy it is to alter and futz with any kind of digital files. Not all evidence is digital nowadays, but a lot is. And the odds most folks are sufficiently skilled in forensically gathering evidence? Probably pretty small.
I'm also pretty hard-headed. So once I make up my mind, it's hard to change it. Not impossible, but pretty hard. Not the general open-minded approach they like to see, I'm hoping. I can be pretty persuasive, at times, so I could muck with a jury something fierce if there are any gray areas regarding the trial.
I also have a lot going on right now, so the idea of sitting on a multi-day jury makes me want to puke. If they think I'm generally ill-tempered today, wait until Thursday after I've had to cancel a scheduled business trip and stayed up half the night doing the stuff I should have been doing during the day.
Thankfully my EVDO card should work while I'm waiting, so at least I'll be productive. And if not, then I've got enough writing to do to keep a small armada of dilettantes at their keyboards for weeks. I'm sure I'll be able to keep busy and with any good fortune I'll be released right after lunch, having completed my civic duty. Don't get in my way, I've got to get back to my cloistered life of Starbucks, Delta and Hertz.
Have a great day.
Photo: "jury summons" originally uploaded by Lee Bennett
Top Security News
I wasn't kidding about password reset
So what? -
I wrote a while back about the evils of password reset. Of course, Shimmy getting owned just seared that into my paranoid psyche, and then I read this story about Herbert Thompson breaking into someone's bank account (with permission) and we can all see how easy it is, especially when you live a reasonably public life. Though when you examine the steps of the hack, there isn't anything really novel here. He started with a bit of information that gave him a bit of a head start, but it's not a huge amount of stuff. Add to the list of things I mentioned in the password reset post the idea of a nonsensical (and unique) user name. Basically for your bank, there is no reason to use the old first initial, last name user ID. You could use a random string of characters and add to that a random, long, very strong password, and it would be hard (again, not impossible - but hard) to find that information out. Using a password manager shields you from the complexity of having a random user ID and a random password. Of course, you could make yourself crazy with all this randomness, so at some point you have to find the balance of security vs. convenience.
Don't believe everything you read
So what? -
Hopefully I'm constantly reminding you to not believe everything you read. If anything, you should be hyper-skeptical of most of what you read. Controversy generates page views, thus most tech media (and mainstream media ain't much better) have a great vested interest in finding controversy, even when none exists. If you look at the alleged Best Western breach from last week, we have a number of cases in point. Best Western did have a breach, but the errors they made were more in the art of communicating that, rather than what really happened with the data loss. InformationWeek actually talks to someone at Best Western to get the "real story." You see, they didn't break the news, so they didn't control the story. So the media ran wild with the story, made up some numbers, and were looking for Best Western's head on a stick. It's the mob mentality at its best. Of course, I'm sure there is some spin happening from the Best Western side as well. The truth is somewhere in that dark, murky middle. The Breach blog presents both sides of the story, and draws the right conclusion: "At the end of the day, I haven't a clue as to what happened in this incident." Stuart King takes the opportunity to maybe share some lessons learned, like the ambulance chasers in the media will jump all over bad news. But more importantly, the breach (however large it was) happened due to a malware infection. Check (and re-check) your defenses, hack thyself and make sure you use these incidents as a reminder of what is at stake.
The political impact of NAC
So what? -
Lots of folks, me included, have beaten down NAC because of hype and the fact that the market space has not been able to live up to said hype. Clearly there is a role for NAC in protecting information, but it's not the Rosetta stone of all things Internet security. One of the forgotten issues of making NAC work is brought up by the Verizon Business folks (looks like they have some new PR team, since they've gotten more visibility in the last 2 months than in the past 2 years), which is the fact that NAC requires a cross-disciplinary effort to make it work. The network team has to work with the endpoint team, and they all have to work with the security and risk/compliance teams. Yes, big companies have disparate teams to work on all these functions, and in many cases there is a lot of territoriality and angst amongst them. Remember, the enemy is out there, although on many days it seems they are sitting 3 cubes down. Basically any large scale IT initiative is going to require a lot of coordination, buy-in and support (not to speak of funding) from a bunch of different groups. That's why I keep saying that one of the (if not the) most important skill sets for a senior security professional is the ability to persuade. In this heavy political season, there is a lot we security folks can learn by seeing the big dogs do their political thing. Playing politics is part of every job, probably more so for security folks because we don't really "control" anything.
The Laundry List
- MessageLabs buys some image analysis technology from Fortium. They are putting more stuff in their black box. Users still just want the spam to stop. - MessageLabs release
- $13 is not a lucky number for Vector/SafeNet as Aladdin says, "our two remaining wishes are clearly worth more than $13." The Genie better have something good in that bottle because given ALDN's last quarter - it seems the magic carpet is running out of gas. - Aladdin release AP coverage
- Web sites still a security mess. White Hat and Cenzic publish their website stats reports. Web security vendors don't agree on much besides the fact that we are all screwed. - Jeremiah's post White Hat report Cenzic release
Top Blog Postings
Free may be too much...
I've followed the token authentication business since it began. Yes, that's almost 20 years at this point, and I can tell you that since almost the beginning, it's been a constant search for what will be the killer app to get consumers (or everyone within a business) using a little token fob to log into their stuff. RSnake goes into a bunch of reasons why it won't happen, and I agree with them. He focused mostly on the fact that federation isn't going to work. I think the reason is a bit more simplistic than that. The fact is CONSUMERS DON'T CARE ABOUT SECURITY. Really, they don't. They say they do, and if they've gotten hacked, they certainly do. But as long as it's the neighbor getting their bank account pilfered, they are fine with their predictable user name and weak password. A while back Entrust started the price war with a $5 token, but that was targeted towards business users. VeriSign with partner eBay/PayPal have been trying to push cheap tokens to their users as well. Power sellers don't have to pay for them, but there has been minimal adoption. Right, consumers don't care and it's not like it's a universal token that lets me log into all my sites. Now combine a token with VeriSign's PIP service and maybe things could get a little interesting, but probably not. Tokens get lost and I can just imagine the Boss calling me and complaining that she can't get into her email or web sites because she misplaced the token. Yeah, not interested in taking that call.
http://www.darkreading.com/blog.asp?blog_sectionid=403&doc_id=161941
Yeah, hack your third party vendors as well
You all know I'm a big fan of testing. Test your web apps, your databases, your networks, your systems, your people and pretty much everything else. If it can be hacked, you should be trying to hack it. The bad guys certainly are. Stuart King also reminds us that we've got a cross-enterprise collaboration model in effect now, and that means we've also got to be making sure our third party vendors have adequate defenses. So I say, hack them too! At a minimum, scrutinize their security program and look through their pen tests and other reporting mechanisms. They may not want to do that, but I don't view that as an option. Stuart says he frequently visits his vendors and makes sure things are where they need to be. He also learns from what his partners are doing and can apply that to his own environment. Basically, we can't leave data protection to chance, and if someone (whether they are internal or external to your organization) has access to your data, then they should be tested.
http://www.computerweekly.com/blogs/stuart_king/2008/08/third-party-vendor-security.html
Remember to wear your seat belts
Of course, this falls into the category of "too little, too late" from an advice standpoint. Most folks do a lot of driving over the holiday weekends, so reminding everyone to do that after the holiday weekend is a bit silly, but maybe a good reminder. I bring up the idea of seatbelts because Matthew Rosenquist has a good "fortune cookie security advice" tip which reads: "Security policy is like a seatbelt. It will not protect you every time, but it is guaranteed to fail if you choose not to use it." His other fortune cookies were a bit less interesting, but this one resonates. I'd also replace security policy with [any control] because the statement is a truism. No security control is perfect, but if you don't use it, I'm pretty sure it's not going to work. Relative to policies, Matthew is absolutely correct in stating they need to be constantly updated - basically living documents. But at the end of the day, policy is grand, strategy is fine, but execution of those policies and strategies is the only thing between us and chaos.
http://communities.intel.com/openport/blogs/it/2008/08/25/fortune-cookie-security-advice-august-2008
The Power of Words
If you live in the US, and haven't had your head in the sand for the past week - you know it's convention season. This week was the Democrats, next week will be the Republicans. It's all about party unity and energizing the political base, preparing for the next 9 weeks of brutal slog leading up to the election.
Regardless of your political leanings (and I got soundly thrashed last time for even mentioning politics on my blog), you need to appreciate the power of words.
You see, most of what I've done in my career has been about words. Whether it's words I'm writing or words I'm speaking, it's really always been about the words. I also read A LOT, and that's all about the words. I've come to realize that I love words.
Words can (and do) inspire. If you lean Democrat, you were very likely inspired by the speeches of this week's convention. You got to see great speakers talk about their vision of the future.
Republicans will be likewise fired up when they see their candidates, who are also great speakers, get on the stage and talk about the better days to come. Words allow you to think about something else. Something better.
Maybe it's the words you read in a fiction book, which take you to a different place and allow you to be a different person. Maybe it's the words in your own diary or journal. Those are words you can't run away from because they represent the true you.
Maybe it's the words you hear. When you listen to a truly gifted orator, who has great passion for what they are saying, you are taken to a different place. You think about things in different terms. You expand your mind and believe you can do anything. And in fact you can.
Maybe it's your religious leader. Maybe it's a Tony Robbins-like motivational speaker or a Tom Peters-type of business sage. Whoever it is, the next time you hear them speak, go with it. See where you end up. Words are cheap. It won't cost you anything to indulge your imagination for a few minutes or hours.
We also have to keep in mind that words cut the other way. Words can be damaging and incite chaos, dissension and hate. Many of the wars and conflicts throughout history have been started with words. Not enough people really think about what they say before they say it or write it. Once words are out there, you can't take them back - no matter how hard you try.
Of course, words are not actions - but words lead to actions. For better or worse.
When my daughter asks me what my favorite book is, I have historically said, Dumas' "The Count of Monte Cristo." That story of faith, redemption and finding the emptiness of revenge is timeless to me. But now I see I was thinking too small.
In fact, now I see my favorite book is the dictionary. Whatever life has in store for me, I'm pretty sure my answer will be in the dictionary. I just have to figure out how to string the words together.
Have a great holiday weekend if you are in the US. See you on Tuesday.
Photo credit: "Dictionaries" originally uploaded by jovike
Network Security Podcast, Episode 117
OK, so it's not a Pragmatic CSO podcast, but while the Mogull is away playing in a Hazmat suit, Martin enlisted the B team to help out on this week's Network Security Podcast.
I display my deft analyst skills in talking for 10 minutes straight without taking a breath, as we discuss all sorts of goodies, like Nate Lawson's toll booth attack, PCI 1.2 and other assorted topics.
Captain Privacy makes a guest appearance. I also get to talk about the Pragmatic CSO and some of the research I'm working on.
As always, chatting with Martin is fun. So check it out.
Running time: 30:34
http://netsecpodcast.com/?p=88
The Daily Incite - August 26, 2008
August 26, 2008 - Volume 3, #72
Good Morning:
As cool as the Olympics were, I'm a bit perplexed by some of the TV and media coverage. We got all Phelps, all the time (and with good reason), we got lots of ladies' gymnastics (for good reason too), some Kobe and LeBron and a good amount of Bolt. All of this makes sense. But we got very little decathlon. I notice these things because the 1976 decathlon (in Montreal) was the first time I really remember following the Olympics.

Of course, that was the year that Bruce Jenner won and became a national fascination. I guess every Olympics has their big stars and unfortunately the guy that won the decathlon, Bryan Clay, isn't on the list. That's right, did you even know an American is the "world's greatest athlete?" I didn't.
Did you know that Bryan Clay took silver in Athens four years ago? Yeah, me neither. What happened to the world-wide fascination we had with the decathlon? Remember Dan and Dave, that Reebok ad campaign before the 1992 games? Then Dan didn't make the Olympic team and Dave sucked wind in Barcelona. Yeah, Reebok took it in the shorts on that one. Then Dan came back four years later in the ATL and took gold. Guess that was the first redeem team. What's Dan O'Brien doing nowadays?
I don't know why this is annoying me. There are a lot of athletes that didn't get much air time, unless you count CNBC coverage at 3 in the morning. But the decathlon is something else. Or at least it used to be. Bruce Jenner's nose job and face lift (how else could the guy still look 35?) gets more coverage than the Olympic gold medalist. In fact, I couldn't even find a picture of Bryan Clay with his gold medal. Not one that I could use without paying a crap load to Getty Images. That's why I pulled this Bruce Jenner mural. It's all I could find that was sort of related to the decathlon. Bryan Clay needs to fire his marketing reps. He may make it onto a Wheaties box because every decathlete seems to do that, but no one will know who he is. And that's a shame because he accomplished something spectacular in Beijing.
Have a great day.
Photo: "bruce jenner mural" originally uploaded by MacQ
Technorati: Information Security, CSO, Security Mike, Internet Security
The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com | Get Your Special Report: 6 Easy Steps to Protect Your Identity and get access to Security Mike's Portal today www.securitymike.com
Top Security News
Criminals taking the path of least resistance (and least risk)
So what? -
We may not like to admit it, but our adversaries are business people like everyone else. They just happen to be in the business of fraud and crime. When you are facing that old career management decision, you have to figure these folks are opting for online fraud because it's a lot safer, with a lot less risk than sticking up a bank - for example. As much as you would have liked to, you probably didn't spray bullets at the person that sent you a phishing message. But there was always the threat of getting caught and then doing time. But evidently that threat isn't much of a threat either, since the US justice system can't seem to figure out what to do with cyber-crime. Thus, it will take some time to figure out how to properly gather evidence and prosecute these folks, and I'm sure many will walk on technicalities and win their trials because the prosecutors are still trying to figure out how to use email. So that means online criminals have a bit of runway before there is an occupational hazard of getting thrown in the slammer. What does that mean to you and your family? You can't count on the "system" to make things right, so you have to protect the people you care about yourself. Train them on how to detect fraud. Configure their machines securely. Monitor your credit cards and banking accounts frequently for signs of something funky. At some point, they'll figure out how to bring these folks to justice, but it will take a while.
Outsource your app testing
So what? -
Application QA (quality assurance) is hard on a good day. It's hard to find good folks, it's hard to automate the process, it's hard to really map what a user is going to do. And when you do this wrong, you ship crap code and piss off your customers. Normally I don't mention start-ups (because most of them suck), but there is a new company called uTest that has built a community of sub-contractors to help customers test their applications. It's a cool idea, especially the community aspect of it. Kind of like Elance (which I use to find designers), but applied to the application testing market. These contractors beat on your application from all parts of the world. So you can get a real feel for how the user experience works in both Topeka and Timbuktu. You are also much more likely to find platform/browser specific issues via this method because you can assume the testers all use different technology platforms. It's not clear what kind of security testing they'd do, but that would be an interesting place to specialize and be able to charge significant premiums. But this seems to be a model with long-term legs, and why wouldn't it? Finding people is very hard, managing them is even harder. If these types of organizations have cracked the code on that, there is a lot of value there.
VeriSign becomes your password PI(m)P
So what? -
Single sign-on remains the holy grail for many folks. I have accounts with countless web sites and many of them have different password requirements. Given the risk (especially on my financial accounts), I also prefer to use very strong passwords. So 1Password has been a life-saver for me. Now VeriSign is getting into the web SSO business with their Personal Identity Portal, which is described here by TechCrunch. They've got a long list of sites they already integrate with and that will grow over time. You are trusting VeriSign with your credentials, but they are in the security business, no? Personally, I like to have control over my data - that's why I steer people towards either 1Password for Mac users or KeePass for Windows (I use both). But that's just me. If the alternative is to use your dog's name or your alma mater as your password for everything, then let VeriSign pimp out your passwords. More security is better than less security, even if it's not perfect.
The Laundry List
- Joel Snyder loves the Palo Alto box, since it gives more visibility into what's actually happening. This is where the technology is going, the question is whether the incumbents will get there soon enough to squeeze new players out of the PAN and into the fire. - NetworkWorld review
- And so it begins. Check Point finally ships an integrated endpoint agent along with an updated suite. Is it really integrated? We won't know until someone actually tests it out, but this is where things are going. - Check Point releases
- Hat tip to Becky, who pointed me to this article about an actual HIPAA violation. Egads! Someone going to the slammer for taking patient files. Of course this was done the good old-fashioned way (actually stealing the files), but maybe security vendors can spin this as a reason to buy that data encryption. - KTEN.com coverage
- Blue Coat announces Q1FY2009 earnings. Big revenue growth, but buying Packeteer will help with that. They aren't really a "security company" anymore, but over time there won't be many "security" companies. - Blue Coat earnings
Top Blog Postings
Yes, security is a process (and mindset), not a product
Schneier has been saying that for years, and he's still right. This post by AndyITGuy reminds me of that, especially about how most organizations don't protect customer data in any way, shape or form. It's not that they don't want to, or blatantly skirt the rules. It's that they just don't realize that actions (like leaving loan applications on their desks or not locking their computers when they walk away) are an invitation to have that data stolen. It's not the people that are broken, it's the process. Now good people can overcome a broken process, but it's hard. Andy points out that looking at log files and having high level interviews won't give you the answers you need to really understand the process. You've got to get out into the field and observe how folks do things, and then you have to fix a broken process and train folks in how to behave properly. Remember, the most dangerous place for a security professional to spend the day is behind their desk.
http://andyitguy.blogspot.com/2008/08/im-not-expert-in-all-things-security.html
Compliance <> Panacea
Rich rants a bit (responding to an Anton post) about the checklist mentality to doing security. I was talking to some of the muckety-mucks from the PCI Standards Council yesterday about the same issue. Many, many practitioners are looking for the easy way out. They want someone to tell them EXACTLY what to do, give them a shopping list and then tell them everything will be alright when the auditor shows up. Seriously. So many, many vendors try to do exactly that. They make whatever widget they sell look like a compliance panacea. Buy my thingy and the auditor will smile and be happy. Not so much. Rich's point is that many of the regulations are nebulous about specific technologies, which means the vendors are basically making up any firm correlation between the regulation and their product. Remember Security FIRST! Figure out the best way to protect your data, and then the compliance will fall into place.
http://securosis.com/2008/08/18/dont-sell-compliance-if-it-isnt-a-checkbox/
Experience makes the nomad
I read Hugh Macleod's blog because I like his artwork. But every so often he posts something that clarifies a lot of what I deal with as a one-man band, whose office is more likely a coffee shop than anywhere else. Digital nomads "can and do work anywhere he or she likes." And it's true. I was at the beach for two weeks over the summer, and if I didn't tell you - you wouldn't have known. Unless I am doing a strategy engagement or a seminar keynote, it really doesn't matter where I am. And that is liberating. But I also have been around long enough to appreciate the technical advances that have made this possible. EVDO is probably the most important, but better laptops, blogs and communities (to do marketing) also make this kind of lifestyle possible. But the one thing that has been most useful to my ability to be an independent analyst is EXPERIENCE. This kind of business, job or lifestyle wouldn't work for a kid right out of school. They don't know anything and they need some structure to learn it before they can head out on their own. I spent over 17 years in the school of hard knocks to earn this privilege. And a privilege it is, I don't ever forget that.
http://www.gapingvoid.com/Moveable_Type/archives/004651.html
The Daily Incite - Blogs in the attic
August 25, 2008 - Volume 3, #72
Good Morning:
As most of you know, I've been seeing a lot of live music this summer. It's been great. Stone Temple Pilots was the latest on the list. It was kind of amazing to see the number of young people at the show. By young I mean college age (remember, I'm no spring chicken anymore). Weiland did a good job and the band sounded pretty good.

But as I sat down to write this morning, I wanted to mix up the soundtrack a bit. I've been focused on listening to the bands that I'm going to see (so I can remember their songs), but I just had a yen for some Billy Joel this AM. So I busted out "Songs in the Attic." What a classic!
And then I went to check out my bookmarks and realized that there were some great posts that I didn't get around to discussing when they first showed up.
So today I'm going to hit some of the "blog posts in the attic." I'll hit a couple of posts (including a bunch from Richard Bejtlich) that I should have gotten to in the first place. Hopefully you'll still hit a few links and check out the full pieces. They are worth it (or I wouldn't waste time covering them now).
Then it's back to the grind. Lots of client work to get through this week and no travel to distract me.
Have a great day.
Photo: "a light in the attic" originally uploaded by kevtori
Technorati: Information Security, CSO, Security Mike, Internet Security
Blog Posts in the attic
The Tao way to think about the DNS exploit
Bejtlich looks at the DNS exploit from the perspective of "time and relative data." The idea is that the bad guys have the time to complete the picture, even from relatively scant data. This was clearly the case in the DNS situation. Once Dan intimated there was a cat in the bag, lots of people on both sides of the law went about figuring out what kind of feline was trapped in the burlap. We make the assumption that Halvar's speculation and Matasano's confirmation were the first examples of this. But in reality, those were only the first that most of us heard about. We can't assume that our adversaries don't already have the exploit. Which is why I'm such a big fan (and card-carrying member of the Network Security Monitoring religion) of testing our defenses as often as practical. I don't like to assume the bad guys don't have the attack. The DNS issue is just the latest example of why this approach is important. And Richard even worked a Dr. Who reference in there, which is always good.
http://taosecurity.blogspot.com/2008/07/dns-and-cyber-tardis-problem.html
Do we really want to know about that insider?
#2 on today's Bejtlich hit parade is Richard questioning whether we really want to find those insiders. He uses an example of counterintelligence services not really wanting to find spies because it doesn't make anyone look good. The unfortunate truth is that many folks bury information because they think it will make them look bad. They turn their head at behavior they know is wrong and hope it will go away. Hope is not a strategy and the issues don't go away. They just fester until they blow up. And there is a lot more collateral damage in an explosion. One of the hallmarks that I stress in the Pragmatic CSO is that "it is what it is." Burying the issue won't help. Avoiding the question doesn't help either. Deal with the situation, quickly and candidly. I guarantee you will look worse if the truth comes out and it's not from you. Richard suggests a central group that is in charge of identifying security breaches. Kind of like an IAB (internal affairs bureau) for your organization. If you are really big, these folks are usually called Audit, but we know that's kind of a joke at times as well. Basically, there are lots of potential remedies, but at the end of the day, it depends on PEOPLE. If you and your people do the right thing, this isn't an issue. That's the challenge we all face every day.
http://taosecurity.blogspot.com/2008/07/counterintelligence-worse-than-security.html
Buckle up, it's going to be bumpy
Dino talks a bit about the history of security in this great post. Basically his theory is that we are dealing with the hangover from our promiscuous connectivity in the 90s and our focus on exploits over the past few years. It's an interesting idea, but the most compelling aspect of the discussion is the fact that most progress happens in rough evolutionary advances that most people cannot predict. Life is not linear, by any stretch of the imagination. Neither is progress. So we have a lot of status quo, and then our world view is turned upside down and then it settles down. Then repeat. So what does that mean? I have no idea what it means. If I could predict things, I wouldn't be writing a security newsletter. Yet we can prepare for the inevitability of a truly disruptive attack or defense by being able to REACT FASTER, by focusing on how you'll contain the damage, and ultimately by doing the right things every day to not get caught flat-footed. You still will be (caught flat-footed), but at least you'll sort of be ready. A lot of the Pragmatic CSO is done within the context that you don't know what's around the next corner and trying to figure it out is kind of futile (for the most part). And smarter folks than me continue to assemble stories that validate this view on security.
http://blog.trailofbits.com/2008/07/24/evolution-is-punctuated-equilibria/
Wherefore art thou quantification?
Shrdlu goes down an interesting path in this post trying to figure out the degree of quantifying the risk of any situation. I've been an outspoken critic of trying to truly model "risk" in any meaningful way, not because I don't think it would be useful, but more because the number of assumptions that need to be layered on top of other assumptions, which are then sent through someone's subjective filter about the true "risk" of any situation, makes me skeptical. Shrdlu makes a number of these points, which really get down to the fact that RISK IS IN THE EYE OF THE BEHOLDER. And the amount you are willing to spend to reduce, eliminate or transfer that risk is going to be different than the next guy's. This is one of my frustrations with trying to gather objective metrics on security operations as well. The business relevance (after all, what other kind of relevance is there?) is really not something that is going to be consistent between organizations. Not by a long shot. Ultimately it gets down to this: "What matters is the building blocks your executive wants to use to make his risk decisions, and whether they’re dollar figures, colors, or Venn diagrams, you’ll need to make an effort to supply them."
Well said.
http://layer8.itsecuritygeek.com/layer8/quant-love
Failure happens
Being an entrepreneur at heart, failure is not a big problem for me. In fact, I've been failing at one thing or another for most of my adult life. But that doesn't stop me. In fact, it drives me harder because I know that is the process and the way things work. If I'm not doing some stuff wrong or finding things that don't work, then I'm not pushing beyond my comfort zone and I'm not getting better. There is a ridiculous stigma of "failing" in our society and it's too bad. Part of my family is very risk-averse. Change is hard for them. They actually think I'm an alien, which I get great enjoyment from. I don't think the green suit and bug eyes help, but the thing that makes failure acceptable to me is that I'm pretty confident I won't make the same mistake(s) again. I spend some time analyzing what worked and what didn't. Whether you are talking about a failed business, product line or even a security incident, the POST-MORTEM is one of your most important tools. Fool me once, shame on you. Fool me twice, shame on me. The post-mortem makes sure this doesn't happen. Check out this post about how one guy's start-up went down and what he learned. It's fascinating and stuff we probably know already. But seeing it reminds us. And reading this post is a lot cheaper than doing it yourself, no?
http://www.alleyinsider.com/2008/7/monitor110-a-post-mortem



