The Daily Incite - 7/24/09 - Bedroom Makeover

Submitted by Mike Rothman on Thu, 2009-07-23 18:45.
Today's Daily Incite

July 24, 2009 - Volume 4, #31

Good Morning:
A few weeks ago I took my oldest up North to see her Grandpa. Those are always fun trips, mostly because I can spend focused time with one of the kids. That's hard to do when the three of them are running around, trying to outdo each other. 
Now dat's an asploding pumpkin
Although the Boss is very good about being fiscally responsible, it seems that when I'm away for a weekend she's always moving something, buying new tchotchkes or otherwise screwing around with something in the house.

Me? I'm a minimalist, so I'm not a big fan of more crap in the house. That's mostly because I'm cheap. I have a big ass TV with HD. I have a bunch of computers. I don't need more tchotchkes to make my home feel "complete".

This recent weekend the bedroom was the focus. So I get home and waiting for me on the bed is what I'll call the "pumpkin massacre of 2009." I'm not sure how she pulled it off, but my entire bedroom looked like a Halloween B-movie. I looked over my shoulder to make sure Michael Myers wasn't going to jump out of the bathroom and decapitate me.

Between the comforter in the hue of mashed pumpkin and the 5 new pillows in bright pumpkin, I'm figuring there may be a shortage of orange inventory this fall. Ring ring. Hey Jack O' Lantern just called and he's pissed. He wants his 3 million relatives back from your comforter. Ding dong. Who's there? Landshark? Not quite, it's "Night of the Living Dead Pumpkins" out there. Run for your life! My mind is racing.

Then I'm interrupted by "the question" from downstairs. "Mike, what do you think of the new comforter and pillows?" Brain does quick scenario planning and risk analysis. Then I answer like every other whipped, I mean dutiful, husband: "Looks great honey! Love the color." 

Have a great weekend.


Photo: "Smashing pumpkin" originally uploaded by JamesCalder

Incite 4 U

Catch as catch can, so yes it's Friday and yes the Incite is late. But better late than never, eh? Again, given all the things on my plate, I get to Inciting when I can and hopefully that's every week. But as a bonus, I'll put a few extra snippets in this week to thank everyone for their patience.
  1. Does the toaster come in Chrome? - A few weeks ago Googlesoft made a lot of waves by announcing their intention to get into the OS business. So everyone got all speculative and tried to figure out what it was going to be and what security would be built in. The best analysis I saw was by Andrew Jaquith on the Forrester blog. Personally, I think the first few versions of Google O/S will suck, but it will be architecturally secure. We can learn from the Chrome browser that having competing functionality isn't important for Google, and I suspect they'll opt for security over features, which will be an interesting trade-off. My main question isn't about security, it's about working in a disconnected fashion. Will Gears be able to get it done? I'd need some kind of office automation and it needs to be reliable, which means disconnected mode is critical. We'll see.
  2. $1MM ain't enough - Very interesting series of posts from the Tao-master on how he'd spend a million smackers if he were thinking from both a black hat and a white hat perspective. My main conclusion? We are still screwed. I know, that's not a major epiphany, but seeing the numbers makes it all the more apparent. Also interesting to me is that Richard spends a full third on people to monitor stuff. And another 10% on a pen testing team to break things. Only 15% on tools, since a lot of good enough stuff is available via open source. It's a thought experiment, for sure, but interesting to note how much we are outgunned economically since the bad guys only have to be right once and the good guys have to be right always. Maybe that's why he also spends 12% on a threat operator to reverse engineer bad stuff that gets contracted.
  3. WAFfling on fixing the code - Big J talks here about why it's still important to fix broken code, even if a web application firewall is in place to block the attack. One of the points? That insiders can still take advantage of the exploit, which is true - but kind of beside the point. Why not just run all traffic through the WAF? If it's a sensitive app, that seems logical. More interesting to me is the code reuse issue. No one likes to actually do work anymore (when you could be Twittering or Facebooking), so there is plenty of reuse of everything (even research positions) and reusing broken code results in more broken code. So yes, code should be fixed but it won't be. Thus back to Bejtlich's point about spending 33% of your budget on people to clean up the mess.
  4. Start small. Get a quick win. - Adrian provides some sage advice here about the first couple of steps to protecting a database. By the way, these ideas are relevant to pretty much everything. Don't try to boil the ocean initially, you'll fail. Divide and conquer and focus on the most critical thing. Maybe it's an app, maybe it's a DBMS, maybe it's a network device. Whatever it is, protect it and then move onto the next thing. Another idea is to stage funding along the same lines. If you ask for all the economics to really "finish" the job, you'll be waiting a long time. Once you get a quick win, you also have a lot more ammo for the next funding tranche. 
  5. If you don't get the joke, it's on you... - It seems I'm a bit slow on the uptake relative to sarcasm in online venues. I've been nailed twice by folks doing some sarcasm via Twitter and me just not getting it. Then I read McAfee's blog sometimes and I think I'm missing the joke, but then I realize they may not be joking. For instance, this chap Colin Deaver writes about "Transforming Security from Obstacle to Business Enabler." I figure it's got to be a piece about how we've been trying to do that since the beginning of time and how it doesn't work. No matter what Ken Belva says. But then I learn the joke's on me. This guy is being serious. He's enamored with how McAfee "operates in a flexible and supportive technology environment where security is applied but discrete and transparent in everything we do..." Wow. Maybe they can fix some of those XSS issues in a discrete and transparent way.
  6. Yes, Richard this is consolidation - It seems I'm just incapable of passing on an opportunity to poke my friend Stiennon about something. So when I saw the recent coverage of SecureWorks closing the VeriSign MSS deal, I wondered if Richard would think a deal like this is "consolidation." Of course it is and the fact that there are only a handful of substantial MSS operations that are not part of a big vendor/telecom/service provider, etc. is pretty telling. Like good old fashioned mainframe outsourcing, the services business is all about scale and that's why SecureWorks has to buy stuff and Perimeter keeps buying stuff and eventually they'll get bought as well. Because basically there are only 10 companies left in the world. And we are all just waiting for the rest of the deals to take place.
  7. Precision? We don't need no stinkin' precision! - Intel's Matthew Rosenquist makes some good points about the sad tale of security metrics in this post. He's right, the entire discipline is very immature and if expectations are set that there is any kind of real precision about a "risk score," then the offenders get what they deserve when the statisticians laugh their ass out of the room. Where metrics can be useful is in watching the trends. Whether it's OCTAVE or CIS' attempt at metrics or any others, consistent measurement and watching the trends can be very instructive. As long as everyone understands the answer is 42.
  8. Who owns "risk" in an organization? - Most CSOs today have no idea how to deal with their business leaders. Yes, there are some that do, but a great many more that don't. I hadn't heard the term "CISO-as-consultant" as described in this post from Daniel Wallace, but it's basically saying the CISO is an advisor to the business and leaves the risk decisions to them. But he's now questioning whether this model is still relevant, especially as budgets tighten. Uh, of course it is. Ultimately how much risk to accept, eliminate or transfer is a BUSINESS DECISION. And business people, who control real revenues and expenses, need to ultimately make that decision. I agree that business-centric CISOs can use knowledge of the business to persuade, cajole, blackmail, etc. the business leaders about what direction to go in. But to say that a CISO can "own" that decision seems off the mark.
  9. Privacy, obscurity and discussion - On one of the security lists I follow, a member asked a question about how he should perform a totally anonymous search for potentially objectionable information. Some other members of the list pushed back because this kind of activity could be malicious in nature. Yeah, and? Some folks mentioned Tor and I recently found a good interview with one of the Tor guys. Others mentioned a variety of other proxies and other techniques, but the reality is discussion is critical. The bad guys are using these techniques to hide their activity from us. So if we don't know how they do it, then we've got no chance to defend ourselves. Even Captain Privacy gets that (I hope).
  10. Take that in your cloud, Hoff! - There is nothing I like more than getting Chris Hoff all fired up. Though I do run the risk now that he'll lock me in some armbar, twist me into a pretzel and leave me with a nasty cauliflower ear. But when I saw this post from Jeff Hayes about the cloud as "marketing fodder," I knew it's something that should get Hoff all fired up. Jeff makes the point that the issues around cloud are more about controlling multi-tenancy and that all the issues are traditional security issues that have been solved before. I guess Jeff hasn't seen the Frog King and can't be bothered with following monkeys and squirrels. In many use cases, Jeff is right. In others, he's not. But let's hope Chris takes off his pink, calming shirt and ignites some good fireworks.
  11. Charlatan alert! - The always cynical Rybolov from Guerrilla CSO has an interesting take on the recent study which indicated we've got a severe skills shortage in cyber-security. No kidding. Though I love the derivative analysis undertaken to show that market forces will result in many, many snake oil salesmen (and women) trying to expand their skill sets to take advantage of the opportunity. I agree that we'll get plenty of shysters, but they've always been there. And there are questions now about how much of a deficit we really have in IT land generally; given how many good folks I know out of work, it's hard to disagree. The question is how do we get the folks looking for work to see where the opportunities are. Sounds like a job board. You listening Mike Murray?
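Item 3 above argues that a WAF sitting in front of broken code does not make fixing the code optional. As an added illustration (not part of the original post or of any of the articles it links to), the Python below seeds an in-memory SQLite table with constructed sample rows, puts a deliberately crude signature rule (a hypothetical stand-in for a WAF) in front of a string-concatenated query, and shows the two failure modes the item mentions side by side with the fix: the rule blocks the obvious payload, a trivially reworded payload walks past it, an internal caller that never touches the filter (the insider path) gets the whole table, and the parameterized query is safe on every path. All function names, the signatures and the sample data are assumptions made for this example.

```python
import re
import sqlite3

# Constructed sample rows for the demo (not from the original post).
USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("admin", "root@example.com"),
]


def make_db():
    """In-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


# Hypothetical, deliberately simplistic signature rules standing in for a WAF.
WAF_SIGNATURES = [
    re.compile(r"'\s*or\s*'", re.IGNORECASE),   # the classic ' OR ' pattern
    re.compile(r"union\s+select", re.IGNORECASE),
]


def waf_allows(value):
    """True if no signature fires; a real WAF has far more rules, same idea."""
    return not any(sig.search(value) for sig in WAF_SIGNATURES)


def lookup_vulnerable(conn, name):
    """The broken code: user input concatenated straight into the SQL."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql))


def lookup_fixed(conn, name):
    """The fix: a bound parameter, so the input is data and never SQL."""
    sql = "SELECT email FROM users WHERE name = ?"
    return sorted(row[0] for row in conn.execute(sql, (name,)))


def lookup_via_waf(conn, name, lookup):
    """The external path: the request must pass the filter before the query runs."""
    if not waf_allows(name):
        return []          # blocked; a real deployment would log and return 403
    return lookup(conn, name)


def demo():
    conn = make_db()
    obvious = "x' OR 'a'='a"        # matches the signature
    variant = "x' OR 1=1 --"        # same effect, no quote-OR-quote pattern
    return {
        # signature fires, the WAF does its job
        "waf_blocks_obvious": lookup_via_waf(conn, obvious, lookup_vulnerable),
        # reworded payload, same broken query, whole table leaks
        "waf_misses_variant": lookup_via_waf(conn, variant, lookup_vulnerable),
        # insider path: an internal caller never goes through the WAF at all
        "insider_bypass": lookup_vulnerable(conn, obvious),
        # parameterized query: the payload is just a name that does not exist
        "fixed_any_path": lookup_fixed(conn, variant),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(f"{label:20s} -> {rows}")
```

The signature list is the weak link by design: it shows why a filter that has to anticipate every spelling of an attack is a mitigation, while the bound parameter removes the attack class regardless of which path the request arrives on.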



Submitted by Stiennon (not verified) on Fri, 2009-07-24 15:21.

Perimeter is in fact a roll-up play. Their task is to consolidate. SecureWorks buying the remaining business of VeriSign was consolidation as well.

That said, there are new MSSP service providers popping up around the world still so the industry will not devolve to only a few players anytime soon. Too much change in the threat space for that to happen. Next up: DDoS defense providers!

Submitted by Adrian Lane (not verified) on Mon, 2009-07-27 10:03.

In what I can only assume was a temporary failure of the rods and cones, I flew home one weekend to find my entire living room redecorated ... with bright pumpkin orange leather couches and chairs. They were ordered from China and may be radioactive, which would explain the day-glo nature. Let's not forget the matching paint. I feel your pain my brother.

-Adrian

Submitted by Anton Chuvakin (not verified) on Mon, 2009-07-27 14:48.

I have the exact same impression ... folks who write that blog are not simply deluded. They probably learned security from "USA Today", if that.

 "operates in a flexible and supportive technology environment where security is applied but discrete and transparent in everything we do..."

Submitted by Mike Rothman on Mon, 2009-07-27 15:10.
Anton, just to clarify - you are referring to item #5 above, which is from the McAfee blog. It's nice that there are some idealists left in the world, but they shouldn't be working in security.
