The Daily Incite - April 10, 2007
April 10, 2007 - Volume 2, #59
Good Morning:
Since it's a slooooow news day, let's talk a bit about my favorite topic, which is me. Did you expect me to say anything different? Come on now. One of my favorite things is to go to the mailbox each day. I used to hate it. Overflowing with crappy catalogs from companies I don't want to buy anything from and notifications of class action lawsuits from my tech investing days during the bubble. Didn't they settle all those frivolous suits already? We also get lots of birthday party invites for the kids. Nothing too interesting came in the mail because of the wonders of direct deposit. My paycheck would just show up in my bank account every two weeks and we could go about our business of spending it.
But not any more. No more paychecks. Now I need to dutifully check the mailbox every day to see what's there. Some days there is even a check or two. Those days are fun. I love checks, especially when they are made out to Security Incite. The boss loves checks too. But yesterday we got a big surprise! Of all things to be waiting for me in my mailbox, I received a pair of brand spanking new credit cards.
And I didn't even ask for them. You know that that means don't you? And remember to phrase your answer in the form of a question, Jeopardy contestant. OK Alex Trebek, how about "Who is another victim of the TJX data breach?" That's right Mike. Very good, you and the Boss can join the infamous 45 million in the penalty box for trying to save a few shekels by shopping at TJ Maxx and Marshalls. That'll teach me to be fiscally responsible.
But actually it wasn't that big of a deal. I had to change out my monthly payments that were charged to the old card automagically, so that was 30 minutes I didn't have. And I also needed to reconfigure Quicken to check my new account. But I'm on top of my credit cards, so up to now I haven't been compromised. But the day is not over yet...
Just remember, everyone is vulnerable. We are all exposed and the only backstop we have is to be on top of our card activity. Look for anomalous behavior. Kind of like network security. You can't exactly prevent the attack, but you can certainly react faster and contain the damage quicker. That and think long and hard about using a credit reporting/protection service, just in case.
Have a great day and if you're in Milwaukee, come visit. I'm speaking to the ISSA group there today and it'll be a great show. More info here.
Technorati: Information Security, CSO
The Pragmatic CSO is Here! Read the Intro and Get "5 Tips to be a Better CSO" - www.pragmaticcso.com
Top Security News
So security is a feature, and a differentiator
So what? - Take note sports fans, TechTarget's coverage of last week's Cisco partner conference was pretty interesting. Check it out here. The message was that Cisco's networking-centric resellers can differentiate their networking stuff by selling "security" in every deal. Hmmm. Someone check for Chris Hoff's pulse. This, obviously, is not a surprise and it lays the gauntlet for both security companies and networkers. Security folks need to find more specific differentiation. And saying "well you shouldn't buy everything from Cisco" doesn't really count. And for those networkers that are not Cisco, you better figure out how to sell security and build out your offerings fast. Anyone interested in the "Selling to the Pragmatic CSO" training program?
Crow's Nest - I don't get it
So what? - Phishing is obviously a problem and a big one at that. Lots of folks are trying to figure out how to solve the problem, ranging from mutual authentication to EV SSL certs to increasingly sophisticated anti-spam and web filtering techniques to contain the damage. According to this article (here), a dude named Ben has put up a site to track how long new domains have been registered based on keywords. I guess they do some testing to figure out whether it's legit or not. So what? The main issue here is that it will require the USER to know not to click on something. I guess the ISPs could prevent a site from going up until the domain has been cleared by this system, but how do they make that pay for the $5 a month they get paid by cheapskates like me? It's actually a bit more complicated than that, but unless you have some humans looking at the sites, I don't get how you do this with any level of precision. Will this help vigilantes like PIRT? Is this something that RSA's Cyota (who also has a phishing take down service) could use? I'm interested in seeing what this looks like when it hits. And yes, it's a slow news day.
SourceFire clarifies the miss
So what? - Yes, yes - a very slow news day. So let's talk about SourceFire some more. I talked with quite a few of my friends on Wall Street and most were similarly appalled at the SourceFire miss. Not that they missed, that happens. But that they didn't communicate anything to the Street. That's a big no-no and the timing of the release (late on Friday afternoon of Easter weekend) was soundly thrashed. Seems someone at SourceFire must have been listening because they graced us with another two paragraphs of pithy explanation (here) at 3:35 PM yesterday afternoon. Big deals + no close = significant miss. Shockingly enough they pointed the fingers at the Feds. Yeah, send a few more missiles over to Iraq or buy some IPS gear? Tough choice. And a new customer didn't buy as much as they expected. Go figure, maybe they wanted to test the product out a bit before they bought millions of dollars of stuff. Lots of folks are also saying that FIRE went public too soon and they may have been right because this is clearly indicative of a lumpy revenue model. Public companies shouldn't have their quarters sway on 2 or 3 large deals. I know it happens, I wasn't born yesterday, but it shouldn't. Yet the Catch-22 is that FIRE needs public market currency to buy things to build out the platform to make the business a bit less lumpy. Anyhow, my Street contacts were unanimous in saying that it will take 3 or 4 quarters of flawless execution for FIRE to get back in the good graces of the investing Gods.
The Laundry List
- UK company guarantees no spam. (Hat tip to Steve Gold) Yeah right and I can guarantee I can make a monkey fly out of Hoff's butt. Doesn't mean it's going to happen. I've got the same chance as these guys do of stopping 100% of spam. OK maybe my chances are a bit better, since you never know what you can bring home from Kilimanjaro. Especially when you need to hide it from Customs. - here
Top Blog Postings
Compliance is not a goal
Adam Dodge on the Security Catalyst blog reiterates something I talk about frequently. Adam phrases it a little differently saying, "Compliance as a goal is a recipe for failure." But his point is spot on. Security professionals cannot start the process saying they need to be compliant. That should be a result of a strong programmatic security approach that also happens to generate documentation of controls that are in place. The documentation is used to prove compliance. Security first - take that one to the farm and hope TJX isn't guarding the hen house.
http://www.securitycatalyst.com/2007/04/09/compliance-as-a-goal-is-a-recipe-for-failure/
Regulatory Enforcement
Speaking of regulations, Rebecca Herold points to some indications that HIPAA is going to be more strictly enforced next year. I think we were talking about monkeys flying out of people's butts earlier and I throw this into the same category. First of all, I'm all for enforcement. Nothing like a nice public execution to get the heart pumping. I also think it would be a good message to send to folks up and down the healthcare food chain that they need to protect customer data. That it isn't an option. That setting aside $100K to deal with any compliance issues, as opposed to spending a lot more to fix the issue, is the wrong thing to do. Unfortunately, the numbers still don't work out. Until the cost of compliance is less than the cost of NOT being compliant, you'll still have a lot of folks that just roll the dice. Unfortunately the dice in this case are our respective health records. I'm in the camp of "I'll believe it when I see it."
http://www.realtime-itcompliance.com/government/2007/04/hipaa_security_rule_and_privac.htm
Recently on the Security Incite Rants Blog
Check out the latest on the Security Incite blog
http://blog.securityincite.com/
Read the most recent Daily Incite
http://securityincite.com/security-incite-rants/daily-incite