The Daily Incite - 2/4/09 - Being Offensive
February 4, 2009 - Volume 4, #12
Good Morning:
So I've been in a bit of a funk, to be honest. I usually get that way
in early February. It has nothing to do with the weather or the colds
and viruses that seem to be going around. It's because football is over
and no the Pro Bowl doesn't count. So I'm faced with the prospect of no
football for 7 months and it's got me bummed out. Yes, last
Sunday was the Super Bowl and it really was Super. 
I would have loved to see the Cards pull it out, and they made
a valiant attempt, especially given the fact that between ridiculous
errors (letting a linebacker go 100 yards with an INT return) and
stupid penalties it was like they were playing with an albatross around
their neck. But you have to hand it to the Steelers, they got it done.
But the game made me think about offense vs. defense. As they
played the "10 Greatest Super Bowls" over and over again in the
build-up to this year's classic, it seemed that many of the great games
were made great by a drive late in the 4th quarter. Sometimes the drive
went for the victory and other times it didn't (Scott Norwood anyone?), but it was
the offense that made it happen with the game on the line.
We in security have a problem. We play defense. Sometimes the defense
is so overpowering ('86 Bears and '00 Ravens come to mind) that the
offense never gets a chance to get anything started. But that isn't the
way it is for us security folks, now is it? Our game is not linear. The
offense is not restricted to staying on the field, nor are they restricted
to 11 men. And as we know, a good offense tends to get it done in the
4th quarter more often than not.
So what to do? And sulking with a party platter of chicken wings and
case of beer is not an answer... for more than a few days anyway.
Basically, we need to protect against the big play. That's something
that Pittsburgh didn't do, letting Fitzgerald get free for that long
TD. And it's also not something that Arizona did either, letting
Santonio rip them up on that last drive. Incidents are going to happen,
it's our job to make sure they don't become catastrophes.
And also understand that you will not win every game. Sometimes the
offense gets the best of you. But you better do a post-mortem and
figure out how you got beat, and make sure your game plan for next year
takes that into account. It's OK to make mistakes, but don't make the
same one twice.
Have a great day.
PS: I do have to admit it was strange to be at my Super Bowl party with
a huge platter of wings and to not eat any of them (it's that
vegetarian thing). Or most of them, as I've done in the past. But I did
have considerably less indigestion the day after, so that is some
consolation.
Photo: "All the fans are gone now..." originally uploaded by KM Photography
Incite 4 U
There is still a lot of discussion around PCI and whether it's still relevant. In fact, I've given a bunch of media interviews about the very topic and that's really been driven by the media meat grinder, which always needs more stuff to pump through their 24/7 Internet machines. In reality, there is clearly value in PCI, at least to set a lowest common denominator for what the base level of security is going to bring. Over time, that low bar becomes irrelevant when everyone realizes that it doesn't take too much talent to jump over it. The real question is given the reality that PCI is not enough, how do you get organizations to move beyond that lowest common denominator? That's the question of the day.
- More details on Heartland - Great story last week by Evan Schuman regarding some more details
about the Heartland breach. It seems the malware was FOUND in
an unallocated portion of the server's disk. So, of course, everyone is
jumping to a conclusion that the malware happened outside of the O/S
and that would render traditional server monitoring tools as useless as
anything else. And maybe they are right. But you could also make the
case that the malware was deleted from the O/S when the bad guys
realized there was forensic analysis going on, and that's why the code
seemed to be in an unallocated area. Who knows? I just hope we get more
details to make sure we don't make the same mistakes again. And maybe
in 2-3 years PCI will require defenses for this attack (yes, that is my
tongue firmly in cheek).
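The "deleted from inside the O/S" explanation above rests on a basic forensic fact: an ordinary delete only frees the file's clusters in the allocation table, so the bytes sit in unallocated space until something overwrites them, which is exactly where a carving tool finds them. The following added example (not from the original post, and not based on any Heartland artifact) builds a toy FAT-like volume, writes a file carrying a constructed marker string, deletes it, and carves the free clusters for the marker. A second run wipes the clusters before freeing them to show what an attacker who cleans up properly leaves behind: nothing. The class, the marker bytes and the sample file names are all assumptions made up for the demo.

```python
"""Toy disk-image carving demo (constructed example, not from the original post)."""

CLUSTER = 64          # bytes per cluster (toy size)
N_CLUSTERS = 16       # toy volume of 1 KiB

# Stand-in for a real byte/YARA signature; constructed for this demo only.
SIGNATURE = b"CONSTRUCTED-MALWARE-MARKER"


class ToyVolume:
    """Minimal FAT-like volume: an allocation table plus raw cluster data."""

    def __init__(self):
        self.data = bytearray(CLUSTER * N_CLUSTERS)
        # cluster index -> owning file name, or None when the cluster is free
        self.alloc = [None] * N_CLUSTERS

    def write_file(self, name, payload):
        """Place payload in free clusters and mark them as owned by `name`."""
        needed = -(-len(payload) // CLUSTER)  # ceiling division
        free = [i for i, owner in enumerate(self.alloc) if owner is None]
        if len(free) < needed:
            raise OSError("volume full")
        for k, idx in enumerate(free[:needed]):
            chunk = payload[k * CLUSTER:(k + 1) * CLUSTER]
            self.data[idx * CLUSTER:idx * CLUSTER + len(chunk)] = chunk
            self.alloc[idx] = name

    def delete_file(self, name, wipe=False):
        """An ordinary delete only frees the clusters; the bytes stay until reused.
        With wipe=True the clusters are overwritten first, as a secure-delete
        tool (or a careful intruder) would do."""
        for idx, owner in enumerate(self.alloc):
            if owner == name:
                if wipe:
                    self.data[idx * CLUSTER:(idx + 1) * CLUSTER] = bytes(CLUSTER)
                self.alloc[idx] = None

    def unallocated_ranges(self):
        """Byte ranges the file system currently considers free."""
        return [(i * CLUSTER, (i + 1) * CLUSTER)
                for i, owner in enumerate(self.alloc) if owner is None]

    def carve(self, signature):
        """Signature-scan only the free clusters; return byte offsets of hits.
        A signature straddling a cluster boundary would be missed here; real
        carvers scan across boundaries."""
        hits = []
        for start, end in self.unallocated_ranges():
            pos = self.data.find(signature, start, end)
            while pos != -1:
                hits.append(pos)
                pos = self.data.find(signature, pos + 1, end)
        return hits


def simulate(wipe_before_delete):
    """Write a benign log and a marked binary, delete the binary, then carve.

    Returns the carve hits and the number of free clusters so the two runs
    (plain delete vs. wipe-then-delete) can be compared directly."""
    vol = ToyVolume()
    vol.write_file("app.log", b"normal application log " * 5)    # 115 bytes, clusters 0-1
    vol.write_file("svc.bin", SIGNATURE + b"\x90" * 100)          # 126 bytes, clusters 2-3
    vol.delete_file("svc.bin", wipe=wipe_before_delete)
    return {
        "carved_hits": vol.carve(SIGNATURE),
        "free_clusters": sum(owner is None for owner in vol.alloc),
    }


if __name__ == "__main__":
    plain = simulate(wipe_before_delete=False)
    wiped = simulate(wipe_before_delete=True)
    print("plain delete  ->", plain)   # marker carved at offset 128 (start of cluster 2)
    print("wipe + delete ->", wiped)   # nothing to carve
```

Both runs free the same number of clusters, so the allocation table alone tells the analyst nothing; only the carve over unallocated space distinguishes "deleted but still present" from "wiped". That is why a hit in unallocated space is consistent with a file that once lived as a normal file on the O/S and was simply unlinked afterwards, and why it does not by itself show that the code ran outside the O/S.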
- Is Windows 7 less secure? - There were a bunch of media stories last
week about whether some of the new changes to User Account Control
(UAC) in the forthcoming Windows 7 introduce security issues. Dana Epp does a good overview of this
and gets to the real issue, which is usability. Personally I think UAC
is a major pain in the butt. I had to install and reinstall some
software on my one remaining PC running Vista and UAC was a big hassle.
But to answer the question, security is relative. I believe Windows 7
will be more secure than XP. But if the security gets in the way of the
user experience and forces folks to turn it off (hello Vista), then
everyone loses. Personally, I think the way Mac OS X addresses the
required authorizations works well. It's not onerous, to me anyway. But
I am a fanboy after all.
- What about 7 clean secrets? - Why are secrets always "dirty?" Seriously,
why doesn't anyone come up with the 7 clean secrets about something? I
guess it gets back to that media grinder thing. Kidding aside, Josh
Corman from IBM published a list of 7 dirty secrets of the security industry,
and tries to slay a bunch of the common knowledge (without a clear IBM
slant, HA). Things like the end of the perimeter (no kidding) and the
reality that doing risk management means you'll likely spend less money
on security widgets (good thing IBM sells plenty of services, eh?).
Ultimately it seems the security industry is more to blame for issues
than anything else. Sadly there is probably a bit of truth to that, but
users don't care who is to blame. They want answers, and I'm not sure
focusing on "secrets" is a good way to provide them.
- The honor system for PCI - Interesting idea here from Andrew Conry-Murray of InformationWeek about
basically tossing PCI into the circular bin. What would
replace it then? Basically an "honor system" that would make it clear to
banks and retailers that if they suffer a breach, there will be stiff
financial penalties. And the organizations need to figure out what the
right types of security will be. Hmmm. I think we tried that already
and that was B.PCI (before PCI). And if I recall it didn't work out too
well, which is why we have PCI in the first place. Now I've been very
vocal about what PCI needs to do to remain relevant (reacting faster to
known attack vectors is a start), but I don't think throwing it out is
the right answer either. It needs to evolve faster because the
attackers are. There will always be breaches. What we want to do is
make sure the breaches aren't because of something stupid, and PCI (for
the most part) eliminates a lot of the stupidity that we dealt with
before.
- Do Ask, Don't Tell - I'm glad it was reported last month that Symantec
is continuing to invest a lot of money in R&D. It's definitely
showing. Deals like this one with Ask.com,
where Symantec will provide a SiteAdvisor-like function on search pages
are pretty innovative. Huh? You mean partnering up to do the same thing
as everyone else on a mostly irrelevant web property isn't innovative?
Not so much. I'm surprised this didn't make Stiennon's list of security innovations.
- Toss this fortune cookie - I'm usually a big fan of Matthew
Rosenquist's monthly "Fortune Cookie Security Advice." I think he nets
out a lot of the discussion into a short sentence and that is real
talent. But the one for January just didn't do it for me. "Insider threats will always outpace external
threats." He then goes on to explain it a bit, but I disagree
with the basic contention. I don't believe it makes sense to segment
out "insiders vs. outsiders" to any great degree anymore. To be clear,
there are different risk profiles for different groups of folks
accessing my stuff. But ask Heartland if its external threat outpaced
the internal issues it faced. And I want to provide similar defenses,
regardless of where folks are or who writes their payroll checks.
Ultimately trying to distinguish between these classes of attacks
forces you to choose which one you are going to focus on more, and I
think that's a dangerous thing.


"In reality, there is clearly value in PCI, at least to set a lowest common denominator for what the base level of security is going to bring. Over time, that low bar becomes irrelevant when everyone realizes that it doesn't take too much talent to jump over it."
Uhhh... my point exactly. We only disagree about the timeframe of such irrelevance: I say it will happen when most orgs reach the minimum level of security mandated by PCI (=never!) You say: 2-3 years.