The Daily Incite - 2/11/09 - Rope a Dope

Submitted by Mike Rothman on Wed, 2009-02-11 07:15.
Today's Daily Incite

February 11, 2009 - Volume 4, #15

Good Morning:
Let's talk a bit today about role models. Of course, the issues with Michael Phelps have been picked over like road kill by the media vultures over the past few weeks. I'm still scratching my head. So the kid took a bong hit. Big deal. We forget he's a kid and kids experiment. Sure it was bad judgment, but who, as a 23-year-old, didn't do stupid things?

And now those ass hats in South Carolina are threatening to prosecute him. Give me a break. Though it was good press for the SC Attorney General, which I guess was really the point. Maybe that's how he levitated that fighter...

I understand some of you probably differ with me on this (and I'm sure I'll hear about it in the comments). Security folks are pretty straight-laced folks. Unless we're drinking, that is. Yes, possessing dope is against the law. And being a law-abiding citizen, I choose not to partake in those behaviors. Plus my lungs are pretty crappy, so I can't breathe too well if I do any kind of inhaling activities. And I lost my "connections" when I moved South. :-)

Besides Phelps, there have been a bunch of "scandals" of late regarding folks some consider "role models." You have Barkley drunk driving, running stop signs to get closer to his happy ending. You have A-Rod coming clean about juicing. You have movie stars taking inappropriate pictures of each other and having those leak onto the Internet. It never ends, and I think it's reflective of the folks we choose to hold up on a pedestal.

Sports and entertainment is a business. A very big business. Yet, the people that are "stars" are human and they make mistakes and they have human urges and in some cases they will do anything to get any kind of advantage. A-Rod makes $27 MILLION a year. You bet he's going to do whatever he can to justify that kind of money. Maybe he's stopped juicing, maybe he's just better at concealing it.

It's only cheating if you get an unfair advantage. Do you really think everyone else isn't doing the same thing?

It's like politicians. They are pretty much all "dirty," but only a few actually get caught. And it gets back to providing alternative role models for our kids. I'll be the first to say that I've got a lot of work to do before I'm a sufficient role model for my kids. And right now, they are young enough that their role models are fictional characters like Luke Skywalker, Yoda (though not the Yoda in the picture) and Obi-Wan.

For now, I'm fine with that. It's been a while since a fictional character has ended up as Page Six fodder in the Post. And by then, who knows - maybe I'll be able to step up and move into that role model role. It's something to shoot for anyway.

Have a great day. And may the Force give you a good high...

Photo: "Yoda Bong" originally uploaded by MadVinyl


Incite 4 U

Each morning I face a decision. Do I have an apple or a plate of grapes? Actually it's whether I do a commentary piece or just cover a bunch of news items. It seems my pal Shimmy has voted for the news. Yet it seems 30%+ more of you choose to read the commentary. According to my web stats anyway. The answer is actually both. Sometimes I have to get things off my chest (like yesterday's FUD piece), so I do. And at least now I know what I'll be for Halloween this year. A few dog yummies to anyone that can design a cool "FUD whore" costume.

  1. Keeping models on the runway - The Tao Master reminds us of the folly of models in this post, which links to a pretty good piece in the Economist, as well as some older posts from Richard himself. If we could only get the bean counters to understand that risk models don't really equate to risk. Unfortunately there are a lot of practitioners who fall for it as well. That's where we security folks (and Wall Street) get into trouble. If we believe we've mapped out all the risk and quantified it, then we get sloppy. And historically we've been wrong.
  2. It's that data thing again - Collaboration and security are like magnets with like polarity. It's just hard to get them anywhere near each other. And however hard you push them together, they still repel each other. Data wants to be open and free. Security requires that it isn't and SharePoint is getting a lot of press nowadays in that it's hard to secure. Really? That's shocking to hear. And it has little to do with the tool itself (OK, maybe a little), rather how we use the tool and balancing user experience, which demands access to the information. What to do? Like everything else, try to monitor who is accessing what, when and look for anomalies. And pray. Sometimes that works too.
  3. It can't be that easy - Unfortunately sometimes it is. I'm not a fan of linking to anonymous posts, so I'll let Rob Graham at Errata do my dirty work for me in his analysis of the PHPBB.com hack. It's fascinating to see how the legacy came back to bite those folks. They did the right thing(s) and made the password system strong, but they didn't require existing users to go back and reset their passwords. And they paid for it. Rob did a bunch of analysis on the passwords as well. I guess we'll still need to continue learning (the hard way) about the dangers of letting users keep weak credentials.
  4. Measuring awareness - Speaking of security awareness (like not using weak passwords), whether someone has a clue tends to be fairly binary. They either get it (1) or they don't (0). Since most fall into the less-than-1 camp, we continue to try to teach them right from wrong. Getting back into the archives a bit, I found this post on the Security Catalyst site about "measuring awareness." Julie talks about three ways, but I only count one in the post. Still, it's a decent one: count the number of folks who have been taught. I also favor simple surveys to gauge the collective clue of the employee base. Finally, I think simple metrics like WHETHER YOU'VE BEEN HACKED due to some stupid user error are also pretty decent ways to measure the awareness of your minions.
  5. Now that's a chick you don't mess with - It seems Alan's wife Bonnie has a lot of pull over at StillSecure. Evidently she got sick of Alan being around the house (go figure!), so she made them get him an office in South Florida to park him in. Turns out that office space came with an MSSP, so now Alan gets to wax poetic and philosophical about all things MSSP-like. I'm sure the NAC beat reporters are breathing a sigh of relief. I've been calling for consolidation in the MSSP business for a long time (and it's happened), but this isn't really what I had in mind. Not that there isn't a big and growing need for MSSP services; rather, it's REALLY hard to have a services engine exist successfully within a software company. The metrics, models and mindsets are TOTALLY different. Well, I wish my friend good luck in integrating and making the deal accretive; he's got his work cut out for him...
  6. It's hard even for a big company - Speaking of service entities residing within a software company, McAfee recently restructured some of the operational groups and separated out the SaaS activities into its own business unit. Clearly, given the limited traction of Little Red's service offerings to date, this is a positive move. It also allows the unit to drive different sales models and go-to-market strategies, and that is critical. Selling and delivering services is very, very different than selling and shipping software. Remember the 3Ms: metrics, models and mindsets. But that won't make it easy. The new head of services, Marc Olesen, has his work cut out for him as well.
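Item 2 above says the practical answer for collaboration platforms like SharePoint is to monitor who accesses what, when, and look for anomalies. The following is an added example of what that looks like in code; it is not from the original post, not from any SharePoint product, and the audit lines, user names, site paths and thresholds are all constructed for illustration. It builds a per-user baseline (which sites each user normally touches, their busiest download day) from one week of events and then flags three things in a later window: a user touching a site they have never visited, off-hours activity, and a download burst well above that user's own baseline.

```python
from collections import defaultdict
from datetime import datetime

# Constructed audit lines (not real SharePoint output):
# timestamp user site document action
BASELINE_LOG = """\
2009-02-02T09:12 alice /sites/finance budget.xlsx view
2009-02-02T10:40 alice /sites/finance budget.xlsx download
2009-02-03T14:05 alice /sites/finance forecast.xlsx view
2009-02-02T11:00 bob /sites/engineering design.docx view
2009-02-03T16:30 bob /sites/engineering design.docx download
2009-02-04T09:45 bob /sites/engineering roadmap.pptx view
"""

# Constructed observation window: bob suddenly pulls finance documents at night.
OBSERVED_LOG = """\
2009-02-10T09:30 alice /sites/finance budget.xlsx view
2009-02-10T23:15 bob /sites/finance budget.xlsx download
2009-02-10T23:16 bob /sites/finance forecast.xlsx download
2009-02-10T23:17 bob /sites/finance payroll.xlsx download
2009-02-10T23:18 bob /sites/engineering design.docx download
"""


def parse(text):
    """Turn the whitespace-separated audit lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, site, doc, action = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M"),
            "user": user, "site": site, "doc": doc, "action": action,
        })
    return events


def build_baseline(events):
    """Per user: the set of sites normally visited and the busiest download day."""
    sites = defaultdict(set)
    downloads_per_day = defaultdict(lambda: defaultdict(int))
    for e in events:
        sites[e["user"]].add(e["site"])
        if e["action"] == "download":
            downloads_per_day[e["user"]][e["ts"].date()] += 1
    max_daily = {u: max(d.values()) for u, d in downloads_per_day.items()}
    return {"sites": dict(sites), "max_daily_downloads": max_daily}


def detect(baseline, events, business_hours=(7, 19), burst_factor=3):
    """Return (user, alert_type, detail) tuples; each alert fires once per key."""
    alerts, seen = [], set()
    daily_downloads = defaultdict(int)

    def fire(key, alert):
        if key not in seen:
            seen.add(key)
            alerts.append(alert)

    for e in events:
        u, day = e["user"], e["ts"].date()
        # A site this user never touched during the baseline period.
        if e["site"] not in baseline["sites"].get(u, set()):
            fire((u, "new_site", e["site"]), (u, "new_site", e["site"]))
        # Activity outside the assumed 07:00-19:00 business window.
        if not business_hours[0] <= e["ts"].hour < business_hours[1]:
            fire((u, "off_hours", day), (u, "off_hours", str(day)))
        # Downloads in one day exceeding burst_factor x the user's busiest baseline day.
        if e["action"] == "download":
            daily_downloads[(u, day)] += 1
            limit = max(1, baseline["max_daily_downloads"].get(u, 0)) * burst_factor
            if daily_downloads[(u, day)] > limit:
                fire((u, "download_burst", day),
                     (u, "download_burst", daily_downloads[(u, day)]))
    return alerts


if __name__ == "__main__":
    base = build_baseline(parse(BASELINE_LOG))
    for alert in detect(base, parse(OBSERVED_LOG)):
        print(alert)
```

The thresholds are deliberately relative to each user's own history rather than a global number, which is what keeps the "anomaly" part honest: a finance analyst downloading ten spreadsheets is routine, an engineer doing it at 23:00 is not.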

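Item 3 above hinges on one thing: the new, stronger password hashing was only applied to accounts that were created or changed after the upgrade, while everyone else's old hash stayed in the table. The following added example (mine, not the post's and not phpBB's code) shows the defensive pattern: keep an inventory of accounts still on the legacy format, transparently re-hash on a successful login, and flag those accounts for a forced password reset since the old hash may already have been cracked. The user records, passwords, the unsalted-MD5 legacy format and the PBKDF2 parameters are all assumptions for illustration.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 200_000  # assumed work factor for the upgraded scheme


def legacy_hash(password):
    """Assumed legacy format: unsalted MD5 hex. Kept only to verify old rows."""
    return hashlib.md5(password.encode()).hexdigest()


def strong_hash(password, salt=None):
    """Upgraded format: 'pbkdf2$<salt hex>$<derived key hex>'."""
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return "pbkdf2$" + salt.hex() + "$" + dk.hex()


def is_legacy(stored):
    return not stored.startswith("pbkdf2$")


def verify(stored, password):
    """Constant-time comparison against whichever format the row uses."""
    if is_legacy(stored):
        return hmac.compare_digest(stored, legacy_hash(password))
    _, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed user table: alice predates the upgrade, bob registered after it.
USERS = {
    "alice": {"hash": legacy_hash("password1"), "must_reset": False},
    "bob": {"hash": strong_hash("correct horse battery"), "must_reset": False},
}


def legacy_accounts():
    """Inventory of rows still on the old format; these are the exposed ones."""
    return sorted(u for u, rec in USERS.items() if is_legacy(rec["hash"]))


def login(username, password):
    user = USERS.get(username)
    if user is None:
        return "no_such_user"
    if not verify(user["hash"], password):
        return "bad_password"
    if is_legacy(user["hash"]):
        # The password is known to us right now, so re-hash it under the new
        # scheme, and require a reset because the old hash may have been cracked.
        user["hash"] = strong_hash(password)
        user["must_reset"] = True
        return "ok_reset_required"
    if user["must_reset"]:
        return "ok_reset_required"
    return "ok"


if __name__ == "__main__":
    print("still on legacy hashes:", legacy_accounts())
    print(login("alice", "password1"), legacy_accounts())
```

The inventory function is the important piece: re-hashing on login only helps users who actually log in, so dormant accounts stay on the weak format indefinitely unless an administrator expires them or forces a reset outright, which is exactly the gap the post describes.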
No rest for the weary, so Hi Ho, Hi Ho it's off to work I go. I'll try not to be Grumpy dwarf today...