The Daily Incite - 2/17/09 - Floral Expectations
February 17, 2009 - Volume 4, #16
Good Morning:
Sometimes it's easier to just give in. That's right, as much as I huff
and puff most of the time, there are some fights that I'm not going to
win and therefore I shouldn't fight. Last year, I railed about Valentine's Day
(pretty funny if I do say so myself) and the holiday still doesn't make
much sense to me.
But it makes perfect sense to all those chickadees out there. So this
year, I finally gave in. I bought the Boss flowers. A dozen tulips, and no joke, she was smiling from ear to ear. So it works. Buy some flowers, Boss smiles and gives me some more rope to hang myself. Which I will manage to do within a few days, so I'll take it.
But now I have a quandary. Do I go back to my default behavior
and opt for the nice card next year? Or do I get the flowers and see
them wilt and die right before my eyes? And I don't want to hear "both"
from any of your wise guys out there. Life is about choices and to do
both would be playing right into the hands of both the floral industry,
and the card makers.
One I can handle. Both will make me nuts.
If I had to guess, I think I'll opt for the card next year. I am a
decent writer and a couple of times a year I can come up with some
sentimental prose to describe how I feel about my beloved. Flowers just
don't do that. Not in my world anyway. And flowers die.
Since I'm so big on managing expectations, if I do flowers again next
year, there is a high likelihood that the Boss will expect flowers
every year. We can't set those expectations, now can we?
So I'll likely just go back to flowers every couple of years to keep
her on her toes. Oh, she does read the TDI as well, so I also could be
engaging in some disinformation. That's been known to happen...
Have a great day.
Photo: "dead flowers" originally uploaded by sindesign
Incite 4 U
- I guess there is no recession for overpriced encryption algorithms. After Jim Bidzos rode in on his white horse trying to save Certicom from a dreaded RIMM job, it seems the Blackberry folks just had to have it, and they were willing to pay $106 MM for it. That's right, over $100 million for Certicom. Unbelievable. I thought $60MM was way too much. Maybe that's why I do what I do, and they do what they do. In any case, the Certicom shareholders should erect a statue of their CEO somewhere. He deserves it.
- Yes Scarlett, budgets are coming down - Finally an IT budget survey that seems to reflect the reality of a tight economy. SearchCIO-Midmarket talked to their mid-market readers and it seems that 30% are cutting budgets and another 30% are keeping them level. Turns out 40%+ of larger enterprises are cutting budgets as well. Personally, that doesn't seem enough to me. I suspect a lot of folks still have happy ears about the projects they want to push through in 2009. Let's see what the CFO has to say about that.
- Little Red gets it done - That's right, McAfee keeps on going, like the Energizer bunny. 22% growth on the top line. Of course, some of that is due to acquired technology (like SafeBoot and Reconnex - yes, that's a joke), but it's also clear that MFE is executing well in the field. In North America anyway, which I guess is why they hired a new head of EMEA this past quarter. Will it continue? They are predicting modest growth in Q1, so I guess things are all roses. The new regime in Big Yella-land has its work cut out for it.
- Can't unplug? Watch outbound connections - I joke during speaking engagements that the only way to ensure data won't be stolen is to unplug a device from the network, which is true. Yes, that's clearly not practical. So what to do? Rich brings up the age-old concept of managing outbound connections. Clearly data needs to be exfiltrated to be useful to an attacker (though the exfiltration could be via USB thumb drive or iPod) and that usually involves some kind of outbound connection. If you are looking for anomalous outbound connections, then you should see the data being stolen. He has some ideas about using firewalls and web security gateways to scrutinize the traffic. I added my two cents in the comments and also mentioned that monitoring NetFlow is another way to track outbound connections. However you do it, it's a pretty good idea.
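Added example (not from the post, and not Rich's or anyone's product code): a small Python pass over constructed NetFlow-style records that learns each host's usual external destinations from a baseline window, then flags outbound flows to a never-seen destination or any single outbound transfer above a byte threshold. The record shape, the 10.0.0.0/8 internal range and the 100 MB threshold are assumptions.

```python
import ipaddress
from collections import defaultdict

# Assumption: the internal address space is 10.0.0.0/8.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Constructed NetFlow-like records: (src_ip, dst_ip, dst_port, bytes_sent).
BASELINE_FLOWS = [
    ("10.0.1.5", "93.184.216.34", 443, 20_000),
    ("10.0.1.5", "93.184.216.34", 443, 18_000),
    ("10.0.1.5", "10.0.2.10", 445, 500_000),   # internal file share, not outbound
    ("10.0.1.7", "198.51.100.20", 443, 15_000),
]

NEW_FLOWS = [
    ("10.0.1.5", "93.184.216.34", 443, 22_000),     # known destination, normal size
    ("10.0.1.5", "203.0.113.9", 443, 850_000_000),  # never-seen host, huge upload
    ("10.0.1.7", "198.51.100.20", 443, 16_000),     # known destination, normal size
    ("10.0.1.7", "203.0.113.9", 8443, 3_000),       # never-seen host and port, small
]

def is_outbound(src, dst):
    """True when an internal host talks to an address outside INTERNAL."""
    return (ipaddress.ip_address(src) in INTERNAL
            and ipaddress.ip_address(dst) not in INTERNAL)

def build_baseline(flows):
    """Per source host: the set of (dst, port) pairs seen in the learning window."""
    seen = defaultdict(set)
    for src, dst, port, _ in flows:
        if is_outbound(src, dst):
            seen[src].add((dst, port))
    return seen

def find_anomalies(flows, baseline, byte_threshold=100_000_000):
    """Return (src, dst, port, bytes, reasons) for every outbound flow that goes to a
    destination the host never used before, or moves more than byte_threshold bytes."""
    alerts = []
    for src, dst, port, nbytes in flows:
        if not is_outbound(src, dst):
            continue
        reasons = []
        if (dst, port) not in baseline.get(src, set()):
            reasons.append("new destination")
        if nbytes >= byte_threshold:
            reasons.append("large transfer")
        if reasons:
            alerts.append((src, dst, port, nbytes, reasons))
    return alerts
```

Real deployments would also age the baseline and whitelist expected bulk destinations (backup targets, update mirrors) so the size rule does not page on every nightly job.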
- 4 years later, a FISMA update - That's right. The fine folks at NIST are finally revisiting FISMA for the first time since 2005. Awesome. Just in time. Comments on this draft (pdf) are due March 27. There is good news and bad news about this. The good news is that some agencies have moved well beyond what is mandated by FISMA anyway. The bad news is that most haven't and a bunch can't even get old FISMA right. What makes us think they'll get it right now, as the bar is moved even further away to deal with the new attacks and be more in line with industry frameworks like ISO 27001/2? Anyhow, that's kind of indicative of the world, right? Some go beyond the standard and most don't. Why would the Feds be any different?
- Protect those passwords (in your web apps) - The folks at Veracode are tired of passwords being pilfered time after time from leaky web sites. So they are kindly providing some pointers to make sure your passwords are stored securely. You know, simple things like not storing them in the clear. No kidding. Things like one-way hashes and salts actually work. But I'm sure there are many millions of sites out there that still screw this up. They also address issues like doing password reset correctly and the like. Remember, these guys can break your stuff, so you probably should listen when they are trying to help.
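Added example (not from the post or from Veracode's pointers): the unsalted fast-hash pattern the item warns about next to the salted, iterated form, in Python. The wordlist and user records are constructed; the 200,000 PBKDF2 iterations and 16-byte salt are assumptions, not a value the post states.

```python
import hashlib
import hmac
import os

# The leaky pattern: one unsalted, fast hash. Two users with the same password get the
# same stored record, and one precomputed table resolves both at once.
def store_unsalted(password):
    return hashlib.sha1(password.encode()).hexdigest()

# Hardened form: a per-user random salt plus a slow, iterated hash (PBKDF2-HMAC-SHA256).
ITERATIONS = 200_000  # assumption; tune to your hardware

def store_salted(password, salt=None):
    """Return (salt, digest); a fresh 16-byte salt is drawn for every new record."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest

def verify(password, salt, digest):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)

# Constructed wordlist standing in for a precomputed lookup table.
WORDLIST = ["password", "letmein", "tulips2009"]

def precomputed_hits(stored_unsalted):
    """How many leaked unsalted records a single table over WORDLIST resolves.
    The same table is useless against salted records: every salt needs its own."""
    table = {store_unsalted(w): w for w in WORDLIST}
    return sum(1 for h in stored_unsalted if h in table)

def demo():
    """Two constructed users sharing a password, stored both ways."""
    users = {"alice": "tulips2009", "bob": "tulips2009"}
    unsalted = [store_unsalted(p) for p in users.values()]
    salted = [store_salted(p) for p in users.values()]
    return {
        "unsalted_identical": unsalted[0] == unsalted[1],
        "salted_identical": salted[0][1] == salted[1][1],
        "table_hits": precomputed_hits(unsalted),
        "login_ok": verify("tulips2009", *salted[0]),
        "login_bad": verify("tulip2009", *salted[0]),
    }
```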
- 4 points about security metrics - It's true, we've all been waiting for a set of security metrics we can work with, and it's been slow in coming. I believe the Center for Internet Security will be publishing their cut at security metrics in the near future. They've been at it for over a year, so hopefully consensus is near. Grumpy Pete weighs in here about getting a bit more strategic relative to metrics, and defines 4 points that need to be factored into any metrics discussion. The first is transactions, then we have value, controls is next and finally incidents are last. OK, it's hard to argue that most things that we count can be abstracted to have components of all four. But I'm still a bit at a loss, since this seems more like a hierarchy to build a security architecture, not necessarily count what is going on. Hopefully Pete will flesh things out more (a lot more).


It's not a FISMA update, it's an update to the catalog of controls. FISMA is a law passed by Congress. SP 800-53 is guidance published by NIST.
Special Publication 800-53 was last revised in December 2007 and in December 2006. According to FIPS 20, NIST must consider revising 800-53 every year.
Other than these 2 things, Mike, you're all over the map with what you're saying--it's about time they changed the catalog of controls v/s moving towards industry standards is bad v/s we can't even do the old version.
OK Rybolov. Good points. At times I am all over the place. Most of the time, I get away with it.
Relative to FISMA vs. 800-53, that's a good distinction. Kind of like the fact that COBIT may change, but SoX is the law of the land, although SoX had no technical grounding, so many of the auditors decided that COBIT was close enough.
The fact is any "list" of controls needs to be constantly updated and I don't think updating them annually is quick enough. Probably quarterly seems more appropriate, given the amount of "innovation" on the part of the bad guys. Secondly, industry standards are a lowest common denominator. It's good that the bar is moved higher over time, but real security professionals understand that is the low water mark and they have to keep moving forward.
And then there are a bunch of folks that can't even do the easy stuff. Well, that group is screwed anyway. And that was really my point. The bar is constantly moving and those that can't keep up with the old stuff tend to end up as bait. And the sharks out there are hungry.