The Daily Incite - 7/7/09 - Life's Been Good

Submitted by Mike Rothman on Tue, 2009-07-07 09:51.
Today's Daily Incite

July 7, 2009 - Volume 4, #30

Good Morning:
So over the holiday weekend I'm driving out to do some errands (since what else are holiday weekends for but getting through the Honeydew list) and Joe Walsh's Life's Been Good comes on the radio. Oh yeah. "My Maserati does 185, but I lost my license - so now I don't drive." Awesome.
No one cares about your problems...
Then I look down and notice I'm wearing one of my various "Life is Good" shirts. And since I don't much believe in coincidence, I figure the fates are playing a trick on me and forcing me to take my foot off the gas for a few minutes and reflect a bit. Of course, this happens on Independence Day weekend in the US, so my first thoughts are how lucky I am to live in a place where I can be judged based on my accomplishments, not my dogma. 

Then I proceed to go down the list. Family, friends, work, home, stuff, etc. "I have a mansion, forget the price - Ain't never been there, they tell me it's nice." Yep. Life's been good.

Of course, I can focus on the stuff that's not so good and unfortunately I spend a fair amount of time doing that. It's the way I'm wired and 40 years of that bad, ulcer inducing habit is hard to break. But I work every day at trying to appreciate what I have, not what I don't. "I can't complain, but sometimes I still do." Right. Life's been good. 

As you dig into the week ahead and the week after that, and you get kicked in the teeth a few hundred times. And you want to go Postal on your entire organization. And your family makes you crazy. And you gain 5 pounds. And you get a nasty case of indigestion. Just remember, there will be good times and bad times. The deal is to handle both with grace and style.

"It's tough to handle this fortune and fame. Everybody's so different, I haven't changed." If that's the case, you're doing it wrong. You are always changing - by definition. But YOU dictate the terms of that change. Every day, with every action you take.

Have a great day. And thanks to Joe Walsh, whose words prove timeless over and over again.


Photo: "Life is Good" originally uploaded by Bob.Fornal


Incite 4 U


  1. Practice (or suffer the consequences) - Fascinating post here by Schwartz's Marc McClellan pointing to an article about how the US military trains for every possible circumstance, even having to fight without a network. Obviously those in commercial land don't have the resources to literally practice for every possible combination, but you need to ensure your incident/crisis response capability is up to snuff. And that you practice regularly and seriously. Remember, the time to find out your IR plan sucks is not during an incident.
  2. Key questions to getting started - Jack Danahy of Ounce Labs put together a decent byline for ebizQ on which questions to ask to "avoid security suffering." That language has some Buddhist undertones, so I figured he'd be talking about being in the now and not worrying about what you can't control. But alas, it was just common sense stuff like making sure you know what you are trying to protect and why you are worried about securing it. Though I like to see common sense in print because in the day to day battles, we tend to forget that many of our issues could be addressed with a little dose of common sense.
  3. OWASP cloud survey - Boaz goes over some results from an OWASP survey about cloud computing. The results are predictable. Most organizations that say "cloud" are really talking about "SaaS." There isn't any additional security budget for those doing computing in the cloud. Most troubling (though not at all surprising) is that most organizations are just rushing headlong into SaaS/cloud (yes, Hoff I use the terms interchangeably to piss you off) without really understanding the security ramifications. Until there is a high speed collision, it's not going to change. But again, as a practitioner you can at least ask the questions of your ops folks and make sure you are on record saying that it's important to think about security. Then you have ammo to present your case at your next set of job interviews.
  4. The enemy is us (or how to break in an intern - Shrdlu style) - I love fictionalized stories that are really grounded in the truth, but by fictionalizing them we can laugh. Instead of cry. Shrdlu posts a masterpiece on how to "defeat management" by leveraging Sun Tzu and a Taser. Since most of us need a laugh or two a day to stay sane - make this one of them. 
  5. Yes Scarlett, someday you'll be dead - Hopefully it's no time soon, but the Mogull does a great job of making sure you know what to do in the unlikely event of your untimely demise. Especially given that you are a security person and probably encrypt all of your stuff. The rest of the non-paranoid world probably has it a bit easier in that their survivors just log into their computer, open Quicken and they are done. Everything is there. Us security folks wouldn't dream of making it that easy. But Rich makes the right points about storing everything in a secure password/notes vault (I use 1Password for that) and sending that file, along with instructions on how to open it, to your executor/lawyer. Now let's hope none of us have to use those instructions any time soon.
  6. Digital security helps long term competitiveness? - Uh, most of the time I agree with Bejtlich. But I think he's a bit off the reservation with this post on how digital security can help long term competitiveness. He riffs off a speech from GE's CEO about the need to continue investing in R&D to be a sustained winner in any market. And then wraps that back into a treatise on why securing intellectual property is important to maintaining that competitiveness. To be clear, if a competitor wants to steal your stuff and is willing to organize a coordinated effort, they are going to do it. In fact, Richard's entire team is dedicated to responding to that inevitability. But I think it's a stretch to align security and long term competitiveness. For the simple reason that you could be protecting the next Segway.

Last week's Tweets of Note

I enjoyed Tweeting during the Gartner show last week. Got to provide my real-time feedback on what the Big G was up to and got responses from my peeps as well. So that was most of my Twitter action, though yesterday I did pick out a few clips of note to highlight.
  • Made it to #gartnersecurity. Will be tweeting interesting tidbits. Not good start. No carpet in hall for breakfast. Budget cuts, I guess.
  • Dilbert nails how vendors deal with the online lynch mobs. http://bit.ly/VyBmD  #ihatemarketing
  • Big message from #GartnerSecurity keynote. Security folks have to change. Really! Does this really help practitioners fending off bad guys?
  • Now a panel of CIO, CISO, auditor and admin. Like watching a therapy session. Trying too hard to find a purpose. #gartnersecurity
  • Impedance mismatch at #gartnersecurity. These guys look 5-10 YEARS out. Practitioners look out 5-10 minutes. #manageexpectations
  • Dept of redundancy dept. CISOs need "soft skills," getting to yes. Comms skills. Business acumen. Should give out P-CSO. #gartnersecurity
  • @jasonmoliver same crap I've been talking about for years. Understand business. Communicate better. Accept that things will get worse.
  • According to king pescatore, new threats don't seem to be new at all. Which I kind of agree with. #gartnersecurity
  • Bot like things will be the main malware delivery vehicle for the next 2-3 years. Again I agree. #gartnersecurity #hateagreeingwithgartner
  • My conclusion on pescatore's nextgen threats? It's all about data security. But we'll focus on shiny widgets. Like always. #gartnersecurity
  • In the risk metrics and measurement at #gartnersecurity. Another content free session. Disappointing. Definitely not @arj (Andy Jaquith) level.
  • Metrics are hard. Would be much more interesting to hear what others are doing. Or of all horrors, a big end user profile. #gartnersecurity
  • Jeff Wheatman: "can't do a balanced scorecard for security" - challenges in the benefit line. #masteroftheobvious #gartnersecurity
  • Bad news is good for media business. Until the point of fatigue. http://bit.ly/zqOKK
  • User session at #gartnersecurity is awesome. A real crisis story. Kudos to presenter for sharing. #informationsharingisgood4u
  • "Doing the right thing is good for you in the long run." <- true dat. #instantgratificationisnotgratifying #gartnersecurity
  • MSSP selection session at #gartnersecurity one of most useful of the day. Specifics on how to frame rqmts and strngths/weakness of providers
  • Bad case @gartnersecurity fatigue. Flapping lips in cybercom panel not helping. Time to go home.
  • Epiphany alert. Security pros too busy resetting firewalls to learn sec101. So most sessions @ #gartnersecurity for intern-level folks.
  • Cisco session @ #gartnersecurity is insultingly basic. Olechowski should scream at someone for making him do this pitch.
  • OMG. Nicolett mentioned eIQ in his session at #gartnersecurity. Now I can die a happy man. 
  • Total awesomeness: Sturgeon's law. 90% of anything is crap. I challenge you to find exceptions. http://bit.ly/csuhu's_law
  • Congrats to #LogMeIn, another successful tech IPO. Let the floodgates open! #1999liquidityisback-NOT! http://is.gd/1p3Pm
  • Scathing analysis of insider dealing on the Entrust private equity buy-out... #mgmttriestoscrewsshareholders http://is.gd/1p3Zk
  • webroot is very focused on cloud. Though most of business is consumer. Again going after SYMC/MFE on their turf. GLWT http://is.gd/1pb16
  • IDaaS is the new new thing. Skeptical that folks would send identity info to cloud, but I've been consistently wrong. http://is.gd/1pbbP
  • Rasmussen makes Grumpy Pete and @stiennon look like low self-esteem poster boys. http://is.gd/1pbiH #selfimportancesyndrome-bigtime
  • Does anyone really believe Enterasys grew NAC revenues 300%+? http://is.gd/1pbAP #getmesomeofthatfuzzymath
  • Quote from Fake Steve about Apple smart phone dominance: "The iPhone is our castle, but the App Store is our moat." http://is.gd/1pW5M