The Daily Incite - 6/15/09 - RIP DDL

Submitted by Mike Rothman on Mon, 2009-06-15 09:08.
Today's Daily Incite

June 15, 2009 - Volume 4, #28

Good Morning:
I have to admit that when I read earlier this month that Dom DeLuise had passed away, I was a bit saddened. Of course, I didn't know him - but I certainly remember the laughter he brought to me during my childhood years. You had to love him in Cannonball Run and the Mel Brooks classics Blazing Saddles and History of the World: Part 1. He always seemed like he had a love of life. Maybe that was his persona, but I chose to believe it back then.
Wonder if he got that on Moo.com
I also remember his role in the movie Fatso. That one was hard for me to watch back in 1980 because well, um, I was fat. When he went through the binge scene and his inability to get a handle on it, I understood. All too well.

Of course, the movie has a happy ending and Dom's character gets the girl and realizes that it's all about love and that his love for someone else can fill the place of his love of food. Most of the time characters in movies aren't like you. As much as I like to think I'm just like Indiana Jones or Captain Kirk or Tyler Durden, I'm not. 

But I was the Fatso character, and seeing that movie gave me hope. Until I cracked open that bag of semi-sweet chocolate morsels anyway. 

I've been working to address those lifelong demons for the past few years. I'm happy to say I'm making progress. It's a battle every single day, but as I realize what's important and what makes me happy and try my best to do that every day - I find the need to mow through a pizza or bag of chips minimizes.

It's also why I totally got into the Biggest Loser show on TV this past season. The Boss and I used to watch the last few episodes of each season, but this year we saw every single one (thanks to the wonders of DVR). It was amazing to see the transformation of the contestants. Not just on the outside (which was unbelievable), but also on the inside. These are different folks after 6 months. You can only hope they've addressed their demons and can sustain the change.

Maybe it's wrong, but we also let the kids watch the show. Genetically, it's pretty likely they'll all have to be careful with their nutrition. But we've decided the messages shown prominently on the show about eating (you have to eat enough, but the right stuff - starving doesn't get it done) and exercise (you have to do it, and a lot of it) are important for them to learn at as early an age as possible. Obviously you don't want to go overboard and make them crazy, but you also can't expect them to get good habits by hoping.

So with that, have a great day. And I can only hope Dom D is enjoying his 20 course meal in the great cafe in the sky...


Photo: "Dom DeLuise's Stationary" originally uploaded by activitystory

Incite 4 U

It's actually been kind of hard to choose what to highlight in the now "weekly" Incite. So I go to some old favorites and some of the guys that actually do some thinking in this business. Certainly not vendor hacks like me. Enjoy.
  1. Understanding the "Phases of Compromise" - Bejtlich is at it again. Pushing us all forward with a series on how to not just understand, but communicate the specifics around incidents. Since he works for BFC (big freakin' company) now, communicating severity of incidents up the food chain is critical. So Richard first discusses a rating system, then rethinks this as it's more of a "classification" concept, and finally distills this into a discussion of the phases of compromise. We can noodle over the specifics of one classification vs. another, but in reality whatever tags you use are fine. Just use them and communicate what they mean, and be consistent. And feel lucky that a guy like Richard continues to share his perspectives for a great price.
  2. Strategic customer is a two way street - I'm fascinated by the continued attempts of folks to want to feel special. This NetworkWorld article discusses whether it makes sense to look for a "strategic" security provider or focus on best-in-breed offerings. First of all, I don't know what best-in-breed means. But there's a bigger issue. Unless you work for BFC (big freakin' company) and you have a pipe to the vendor's CEO, you are not a STRATEGIC customer for the vendor. Thus, you shouldn't consider the vendor a strategic partner of yours. Sure, you can look to simplify your environment by using products from a select few vendors. But don't delude yourself about how "strategic" you are to the vendor. For the most part, they care about the next PO you generate, not much more. (Salesman nasty grams can be directed to feedback@screwoff.com)
  3. Fight battles you can win - This post from Gunnar vents a bit about secure coding defeatism, and he's right but more than a little idealistic. We have to continue fighting to get developers to do the right stuff or life will NEVER get better. That being said, you are not going to get everyone on board in one fell swoop. Even if you have a senior mandate (unless you are MSFT). So look for "poster children," those developers that get it and want to do the right thing and are willing to stand up and say so. Make them successful, highlight their successes as an example (quick win) to the other developers. And be realistic about how long it will take to change. Inertia is a really hard thing to combat...
  4. Letting the "market" give PCI some teeth - Le Mogull vents a bit here about making PCI better. I agree that PCI has been a good thing all things considered, but as we've all discussed, there needs to be real teeth and real accountability for these jokers that do QSA work. Of Rich's ideas, the one requiring merchants to publicly disclose when they change assessors is the most interesting. Clearly doing QSAs is a competitive business and that means unsavory folks will say what the merchant wants them to say and say it for a low price. If you hold them accountable for such shenanigans, then we have a fighting chance of making PCI better. And that involves pulling back the cloak of secrecy on failed assessments and changing assessors.

Last week's Tweets of Note

I'm still trying to figure out how to most effectively do this Twitter thang, but thus far it's been a mix of conversation, banter and some interesting links. I suspect most of you are not interested in the banter or conversation, so I'll just highlight the links I thought were interesting. Please note the links are shortened and if you click on them, it's on you. But that's the way Twitter rolls.

  • Today's Dilbert nails it (AGAIN). @arj this is the hamster wheel of CEO wealth. http://dilbert.com/strips/
  • Must check this out from Daily Show. Especially if you have g-parents in FLA. Watch the whole thing. http://is.gd/1023o
  • Palo Alto to offer traffic shaping. Awesome, that worked pretty well for Check Point 10 years ago. http://is.gd/102P5
  • For anyone in a VC funded co: http://is.gd/10356 (via @avc)
  • confidential snooping on the rise, says Cyber-Ark. The answer: more cyber-ark product - OF COURSE. http://is.gd/103hm
  • Awesome post by the Mogull. Very pragmatic. "All patients die...eventually." No one outruns the GriM reaper. http://bit.ly/13mRFL
  • Freeware AV taking share, but not because of price? Yeah right. http://bit.ly/qZtur
  • While everyone focuses on iPhone 3GS, I'm most excited about Snow Leopard. Finally will kill Entourage. All for $29. http://bit.ly/64ko5
  • Great video for all those dim marketers you deal with daily, including me. http://bit.ly/GCnRx  (via @crankypm)
  • This is why location scares the crap out of me. No out of office messages. And I don't tell you where I am. http://bit.ly/Y5Z6e
  • This is one school superintendent you shouldn't mess with. Wonder if he used a @Beaker or @jeremiahg armbar? http://bit.ly/RWhLN
  • MFE trying to get back in the net security game. Just say "next generation" and "lower ops costs." That's the ticket. http://bit.ly/BcDie
  • Interesting backstory on Symantec/Brightmail. Enrique talks about planning the IPO, while working a Big Yellow Check. http://bit.ly/17jAbE
  • Steve Riley on proof of work systems to change spam economics. Until stupid people stop buying fr spam, nothing changes. http://bit.ly/dVbtx
  • Sec Spnd survey (MetroSITE Group March 2009). most see sec budgets coming down. Compliance main driver. Shocker! http://is.gd/Ybd6 (pdf)
  • Oh nos, now it's MSFT free AV going to take down SYMC and MFE. Again. Guess it must be a slow news week. http://is.gd/YQ9s
  • June issue of InfoSec Mag posted. Lead story on SIMs. http://is.gd/YQXg - Anyone else miss the hardcopy version? PDF just not the same...
  • RSA's new term: hyperextended enterprise. Sounds really painful. Results from @beaker armbar - http://is.gd/Z0YL
  • Move to DC: cost $$. Leave fancy job: $$$ Take cyber-security czar job: Not enough $$$ in world. @DennisF speculates. http://bit.ly/o3Fmf
  • Pr0n sites targeted by malware. Crap. Guess it's time for Mac AV. http://bit.ly/JQTgO
  • Long lost Rob Newby on crack. Encryption no closer now than before. #toodamnhardnotworthmoney http://bit.ly/P2BQB