The Daily Incite - 12/03/09 - Not so GRRRRREEEEAAAAATTTTT!!!!
December 3, 2009 - Volume 4, #35
Good Morning:
With the holiday season coming up, I know it's hard to get presents for me. I want for nothing and if I do want something, more often than not I just go and buy it. Within reason, of course. So I know it's a challenge for folks in my family to get me anything. But I can only imagine how hard it is to buy a present for a guy like Tiger Woods.
Yes, that Tiger Woods. The one who makes over a hundred million a year. And who married the Swedish model. If you were to ask almost everyone, if they could pick a perfect life - I'd say most would say Tiger's got it pretty good.
Evidently not. I was pretty disturbed when the news of his "transgressions" hit the major media yesterday. First of all, this story has outweighed little issues like sending 30,000 more troops to Afghanistan over the past week. But I shouldn't be surprised. Our celebrity-centric US media engine means they'll sell a lot more page views by talking about Tiger's dick than the tens of thousands now in harm's way. Got to let that one go.
At least Tiger didn't pull a Steve Phillips. The stripper or whatever is pretty decent looking. But still, he married a SWEDISH MODEL. Really seriously I just don't get it. Is this guy's life so good that he has to go and screw it up because he can? Because a dream for 99.999999% of the population has just become commonplace. Please, help me understand it.
Is it the need to exercise power? Is it the feeling of being invincible? I guess all the psychologists out there are having a field day trying to figure it out. I guess now that I'm writing, I'm just sad. Sad that what seems like the perfect life I guess isn't so perfect. Sad that this guy has to face his failings in such a public way. But ultimately sad that once again, human nature has trumped any sense of logic.
That old adage that money doesn't buy happiness, I guess, is true. It seems a Swedish model doesn't make you happy either. I guess for Tiger being the best golfer ever is not enough. Having untold riches is not enough. Having a beautiful family isn't enough either. After all, in Tiger-land I guess things aren't really that GRRRRREEEEEAAAATTTTT!!!!
Incite 4 U
It's nice to be flexing the analytical muscles again. I can say I've gotten a bit soft over the past 15 months. But like all muscle memory, the cynicism, skepticism, and general venom will be back before you know it. Alan and Mitchell invited me to participate in their podcast yesterday, which was great fun. We laughed, we cried, we made fun of people, but mostly we laughed. Enjoy.
- It's not just a job, it's an adventure - Happiness is a fleeting concept. It's here for a few minutes, then it's gone, then it's back. Hopefully it's not gone for too long. I wanted to send a shout out to AndyITGuy for doing some good analysis of where his head was at after he got laid off recently. It was a heartfelt and candid post. We all have days where we feel like that. The reality is security is a hard job - on a good day. And if we are going to find any measure of happiness, we have to understand that we can only do what we can do. Sometimes you just need to move on, especially if the organization isn't going to give you the opportunity to be successful. But many of us thrive on challenge and don't believe anything is impossible. That's why you do security.
- If you aren't breaking your stuff... - Someone else is. That's right, it seems that, driven by the recent Rapid7/Metasploit deal, pen testing software is back in the spotlight. The folks over at Dark Reading did an analysis of the market, and Nick Selby also weighed in on what he expects in that market over the next year. I'm glad folks are starting to see the importance of what I call "security assurance." If you are a company of size, you should have someone on your staff breaking things every day. And they should be using live ammo. Vuln scanners are important too (if only to see the depth of your issues), but you really need to take it to the next level and see what can really be exploited. It's also good to see higher level application attacks starting to show up in the app scanners as well.
- Ramping up the "cyberwar" hype cycle - Here is the reality: technology is an intrinsic part of everything today. Why do I need to state such an obvious truism? Because folks continue to want to convince us that there is something new here. Take McAfee, for instance - they recently did a report on "cyberwar," making the point that an increasing number of attacks seem politically motivated. And what's new about that? If you want to sabotage a competitor, why not break into their systems? Or rob a bank? Or bring down critical infrastructure? Or get intel on an enemy's defenses? Of course, a technology attack is the first, best path. You only bring in the Black Ops guys when you really need to. I'm not challenging the findings, I just wonder why this is news.
- SMBs like SaaS - Directly from the Duh! files, the folks at Dark Reading are hyping a report they wrote about how SMB organizations should be protecting their stuff. One of the conclusions is that Security as a Service (SaaS) is an attractive alternative. Really? And then they start throwing the numbers out. $38K for a web gateway software vs. $15K for a managed service. If you know how to use Excel, you can make the numbers say anything you want. But the reality is not really about cost savings, it's about expertise and leverage. A lot of these security devices need daily tuning, care and feeding and that just doesn't work for an overworked IT guy in a smaller company. So to me the interesting part of SaaS isn't how much money you can save, which may or may not materialize. It's the leverage that can be gained by having someone else manage the crap you don't have time to manage.
- If Big J says I'm doing it wrong... - We are still very early in the evolution of application security, and that means we are still subjected to religious battles like white box vs. black box testing. Thankfully Jeremiah Grossman provides some much needed perspective here, making the point that BOTH is the right answer. There are some things that code review is better at finding, and you cannot minimize the need to automate using scanners and other tools. As with everything else in security, there is no one silver bullet for application security. It's about minimizing the risk that you've missed something, and using every tool, technique and process at your disposal is just the right thing to do.
- Whitelisting good - Normally reviews don't interest me that much, unless it's really indicative of a changing market. So this piece by Roger Grimes for XWorld (all the IDG properties seem to share content now) testing a bunch of whitelisting products is really indicative of a market that is mature enough to disappear. Huh? That's right, once a large set of products actually work and solve the problem, then the capabilities can and should be subsumed into a bigger category, and that's exactly what is happening. First of all, I'm a big believer in whitelisting. The old way to find malware (checking against signatures) isn't getting it done. And over time, we'll see all of the big AV vendors move to a hybrid "cloud" (meaning the extended sig database is in the cloud) and whitelist driven approach. And it still won't work, but that's another story for another day.
- Think dummy, think - Adam says it all. We don't do enough of this.
- Damage control, the 30,000 foot view - Sometimes I like to check out "security tips" targeted towards a mass market audience to see how closely some of this stuff maps to reality. The good news is that this post from VentureBeat on how to respond to an incident is pretty good. To be clear, it's VERY high level, but for this audience that's fine. They don't want to hear about chain of custody, EnCase or BackTrack. They need to understand the general process, not the details. The very high priced forensic guys can worry about the details. But as I've said countless times, it's not about being perfect (you can't), it's about making sure an incident doesn't become a catastrophe.