The Daily Incite - 12/09/09 - Plunger Tales
December 9, 2009 - Volume 4, #37

Good Morning:
Like many of you, I've got some friends that are pretty hardcore geeks. They measure not just aggregate number of computers in their house, but also the ratio of computers to people. Some are in the 1.5-2 range, and others have embraced personal virtualization, so their ratio is off the charts.
But that isn't a relevant measure for me. I've got my share of devices and I'll be building a lab over the next few months, so my ratio will dramatically "improve," in the eyes of my geeky friends anyway. But I was reading an interview with Tom Petty in Rolling Stone last night, and he made a statement like "it really was better back then."
Now, to be clear, lots of things are better today than they were. Connectivity, computing power, content have all improved. One place where we've taken a huge step back is in flushing power. That's right, I've got angst this morning about the current state of toilets. Don't laugh, this is a serious problem.
You see, I eat a lot of roughage. Being a vegetarian, there isn't much else for me to eat, but it's also good for my digestive system and helps keep my mass in control. But there is a downside to all that roughage. I don't just drop the kids off at the pool, I drop a village.
Today's low flow toilets are not built for guys like me, who are not small and eat a mostly green diet. With a clog rate hovering around 75-80%, I need to have plungers. EVERYWHERE. I basically have close to a 1.5x plunger to bathroom ratio in my house. Well, for most clogs the mini-plunger will do and each bathroom is outfitted with one as standard equipment. But sometimes you need specialized tools, like the plunger with flanges. Or maybe the orange plastic one that looks like an accordion. I've also got 2 different snakes for when plunging doesn't get it done.
Yet, sometimes even a toilet snake doesn't work. About once a year (usually corresponding to one of the kids trying to "hide" an entire roll of toilet paper in the toilet) I have to get out the heavy artillery. I have a device that uses compressed air to pretty much blow anything stuck in my toilet clear to the treatment plant. Now that is cool, but I have to remember to wear my Intel bunny suit to keep clean.
Thankfully my kids haven't figured out the meanest thing they can do to me is to hide the plungers. And I'm counting on all of you to keep my secret. I guess that's kind of like my Kryptonite.
I think maybe the Europeans have this one right. They don't worry about low or high flow. They just figure if it can be solved with a toilet brush, it's not really a problem.
Incite 4 U
- Cloud security is overblown - Sometimes I just have to laugh at some of the stuff I see in the trade rags. I dug this InformationWeek blog post from Alexander Wolfe out of the archives because after baring my soul about my plunger issues, I figured I needed to take someone else to task for a good dose of idiocy. This guy's position is that cloud security may be overblown because we already have an answer - encryption. That's the answer to everything. We've already got the architecture, and if we'd just encrypt everything it doesn't matter where it resides, right? Uh huh. I guess Hoff needs to find something else to do now, since all the thinking he's been doing about cloud security isn't relevant. Having barely survived the PKI wars in the late 90's, I can't say much besides that encryption isn't a panacea to anything.
- Next year's PCI emerges - Many in the security industry are looking for what's next. What's going to be the next attack, regulation, widget, etc to spur sales of products that no one needs. I think I found it, it's the HiTrust CSF. Neil Roiter does a bit of work to describe the opportunity to security resellers. Now to be clear, the concept of a framework to protect healthcare information is valuable. I've got no issue with that, but I'm already playing out the fiesta driven by the industry parasites to make whatever widget they are selling today a "key" part of the HiTrust CSF. Of course, healthcare organizations will be able to be "certified" through a HiTrust certification program. Which will likely mean as much as PCI compliance or a SAS70 audit. But I guess I shouldn't complain, I'm just another one of those parasites, feeding off the fat of the land, calling everyone else a parasite.
- Time to start looking for the BBD? - Over the past 18 months, many security folks have basically kept their head low and tried to make sure they weren't on the list to be downsized. But now with the economy (seemingly) improving, does that mean it's time to start looking for the bigger, better deal (BBD)? It depends. In this CSO article, Jack Phillips from IANS voices the concerns of large company CISOs that are worried their employees might look for greener pastures elsewhere. If you are staff level, I think how your company treated you during the downturn is instructive. If you felt abused and like a piece of meat, I suspect it won't get better during the upturn because that is a cultural issue. The words may change, but the behaviors likely won't. For managers, unfortunately now is the wrong time to try to make it right for team members. If you treated (or were forced to treat) your people like crap, blaming the economy and just letting it happen, you will reap what you have sown. When those employees find something better, don't wonder what happened. And build a culture where people want to work there, regardless of the economy.
- Quant comes to the database - I'm a fan of the work Rich and Adrian do in their "Project Quant" initiatives. Every security person struggles with understanding the relevant metrics to track both security and operational efficiency. So spending time to decompose the actual process behind a function and look to quantify those functions (by having folks in the community share their own data) is valuable. The Securosis guys started with the patch management front and are now focusing on database security. This post represents early work on establishing the process model for database security. I suspect the goal is to build Quant models for all the major aspects of security, which will be a great thing for all of us that still can't answer the questions about whether we suck at security or not. At least from an operational perspective.
- How deep is the moat? - Many of us security talking heads spend a lot of time focusing on what's next. So things like application security and database security are big issues. Unfortunately most of the world is still trying to figure out how an IPS works. Far too many may have spent some time building a moat (in terms of a perimeter security strategy), but really have no idea whether it works and if they are protected from the badness "out there." This piece by Joel Snyder on SearchSecurity reminds us about how and why to validate those perimeter defenses. Now to be clear, the cutting edge stuff represents real attack vectors and I'm not minimizing the importance of those aspects. I'm just reminding myself (and maybe all of you) that most organizations have no idea how to test their defenses, and they really need to learn.
- Security and Business Strategy, huh? - I'm constantly reminded that most security professionals still think it's about the bad guys. They are our foils and provide us with innovative attacks to keep us on our toes, but we always need to remember security is a means to an end, in that ultimately we have to contribute to helping the company either make money or save money. Here is a link to Part 1 of an interview with SANS' Stephen Northcutt talking about some of these issues. I also like to ask security folks whether they know their company's mission statement and how often they get face time with business leaders. For those that don't understand their business, they've got a very small shot at being successful.
- Finding the impact of what we do - The always entertaining Shrdlu goes on a bit of a tirade here about the "meaning of metrics" and before Thanksgiving did a far better job than I have of isolating the issues with how we count things. The reality is we tend to focus on things we do, not the IMPACT of what we do. I've long held the belief that security folks have to really manage two sets of "metrics." There are operational metrics that indicate how well we do security. And there are other metrics that need to quantify the real business impact (either positive or negative) of what we do. Business folks don't care about operational metrics, but they sure do care if they can't take orders because some hacker group has poked huge holes in the e-commerce application. Operational metrics should be reasonably consistent regardless of what business or size of company you are in. Impact metrics will be very specific to your company and depending on culture may or may not be consistent even within your vertical. For better or worse, the success of most CISOs is directly correlated to how well they understand the impact metrics.