The Daily Incite - April 12, 2007
April 12, 2007 - Volume 2, #61
Good Morning:
It's another pretty slow day in what was a pretty slow news week. Folks are still chattering about Sourcefire, especially since they've been so proactive lately. Just the latest example is this insightful press release saying they stopped ANI two years ago with an IDS signature (here). Hmm. I think TippingPoint made the same announcement over a week ago (here). Yep, last Tuesday. I know it's hard adjusting to being a public company, but you either lead or you don't, and right now Sourcefire is reacting. That's not a good thing.
But that's actually not what I want to rant about today. My oldest daughter Leah is participating in a talent show tonight with her kindergarten class. Out of the 100 or so kids, she is one of 10 that is actually doing something - a dance number from High School Musical. The Boss has been working with her non-stop for about two weeks on this, and I'm pretty sure she's ready. If anything, I'm really proud that she has the stones to get up in front of people and dance. For someone with two left feet like me, I'm just glad she has her Mom's dance moves.
This begs the question of talent. How do you find talent for your organization? Recruiting is the one thing that will make or break a manager and a company. Unless you do what I do (work alone), most folks need people to make the system work. Good people. And finding them, and keeping them happy, engaged and productive, is a real talent. I was always very proud of the teams I built all throughout my career. Of course, there are the folks I wish I had canned far earlier because they ended up reflecting poorly on me. But overall, I was able to hire good folks, which never ceased to amaze me.
If you are a manager, remember that it's not about YOU, it's about THEM. First you have to make sure you have the right folks. Take a critical look at your team today. Are these the folks you want in the foxhole with you? Do you trust them? Can you depend on them? If so, ask the question "what can I do to make them more successful?" If not, ask "what can I do to get this person to where they need to be?" If the answer is nothing, get rid of them. Then put it all on a list and start executing. Your people will make or break you, so you should spend time figuring out how you can give them the opportunity to be more successful. Or dust off your resume. The choice is yours.
I'm finally back in ATL today, and later I'll be announcing the first P-CSO Bootcamp, which will take place on May 3 here in Atlanta. This is the maiden voyage, so I'll be making it pretty financially attractive to participate. Keep an eye on the blog for that announcement. Between the bootcamp and the SEN launch later this month, it's another busy time. But that's good. The alternative is not.
Have a great weekend.
Technorati: Information Security, CSO
The Pragmatic CSO is Here! Read the Intro and Get "5 Tips to be a Better CSO" at www.pragmaticcso.com
Top Security News
Regulation does work (and we can't make any more money)
So what? - I never really understood the whole lobbying game. I lived in Washington DC for almost 15 years and how the inner machinations of the US Government worked is still pretty opaque to me. Maybe that's because I'm far from an influence peddler and would rather focus on getting things done. But that's just me. It seems yet another useless lobbying group, called the Internet Security Alliance, is recommending that we drop regulation in favor of "incentives." Like cybersecurity insurance, awards, and caps on liability for those that adopt "best practices." A full write-up is here, courtesy of CSO. This is a TERRIBLE idea. First of all, how do you define those "best practices?" And who is going to enforce them? Sounds like a ruse for the insurance industry, who have failed miserably to build a business insuring Internet risk. Regulation is a pain in the ass, and hardly enforced - but it HAS increased security awareness. Many organizations are more secure today BECAUSE of regulation. And the technology industry has proven totally incapable of self-regulating anything. I wish there was better enforcement, but I think overall much of the regulation we've seen related to security has been positive.
WEP goes the way of the dodo
So what? - If you are still using WEP to protect a wireless network that matters, then go have your head examined. This summary from Network Computing (here) does a good job of making the case for why WPA should be implemented. Dennis Fisher also delivers a eulogy for WEP (here). Yes, I use WPA on my network and it works fine. But this is not news (told you it was a slow news week); WEP has been problematic for quite a while. I also agree with the comments towards the end of the article about fear-based marketing. We didn't see it that much in this instance because WPA has been an option on pretty much any access point shipped for the past couple of years. And pretty much every laptop supports it now too. But some vendors (like AirDefense) are trying to sell another product to give WEP some extra life. That doesn't make sense to me. If you are going to spend money, just get a new access point that supports WPA. It's not that hard, is it?
The Feds up to a C-
So what? - Improvement is improvement, no? Per Brian Krebs (here), it seems the Feds have been scored overall at a C- for securing their computer systems (based on the FISMA guidelines). That's up from a D+ in 2006. Of course, it's still mediocre, but is it any different from what most commercial businesses have achieved? And what is that rating scale based upon? I'd say the VA got a failing grade last year. Probably the IRS too, just based on losing things with a lot of private data on them. I'm still trying to get my arms around relative scales on security metrics because it still seems pretty binary to me. Basically it's pretty much Pass/Fail. Were you owned? How many times? What was lost? Obviously that is oversimplified, but it doesn't need to be rocket science either. I just got Jaquith's metrics tome in the mail, so I'll give that a read and see if we can't start pushing things forward a bit on the measurement front. That's been a long time coming.
The Laundry List
- Name your bots, it's the latest craze. Panda says lots of Sdbot and Gaobot. How about Incitebot? - here
- ICSA introduces anti-spam consortium. Just in time, since we definitely need a group to figure out that spam is a problem. What's the next offering, the consortium for makers of the cotton gin? - here
- Is your IP on spam blacklists? DNSstuff will now tell you if your IP address shows up on any of the popular spam blacklists. So what? Basically if you end up on a list like this, you are out of business. So it's nice to find out before it becomes a problem. - here
- Now this is how you rename a company. Symantec continues their stellar acquisition integration execution. Altiris is now known as "Altiris, Now Part of Symantec." Seriously. Check out the press releases from yesterday - here and here
Top Blog Postings
The history of network security monitoring
If I only had time I would go through the Taomaster's archives. He did me that favor by reposting a historical view of Network Security Monitoring. This provides some cool context for what is clearly an important weapon in our ability to "react faster" when under attack. He also pats himself on the back a bit because he was early in calling out the importance of this function. But also clearly not the first, and that is the modesty you'd expect from Senor Zen. Anyhow, regardless of how old the approach is, it's growing in importance as the complexity of our technology environments continues to grow. The network sees everything, so that is a good place to look first when looking for problems.
http://taosecurity.blogspot.com/2007/04/network-security-monitoring-history.html
Vulnerability Management Redefined
It's really hard to make the transition from being a respected industry pundit to being just another vendor. I had to make that transition in 1998 and it was humbling. Of course, I didn't write publicly every day, so it wasn't as obvious that my credibility was pretty much shot. Not that I didn't have the same stuff to say, but my business card made it clear there were ulterior motives. This piece from Amrit about how to do vulnerability management is pretty good. It goes through the folly of the status quo and talks about why vuln management needs to evolve into something bigger - what he calls security configuration management. I actually agree with him, but in the back of my mind I keep thinking that Amrit sells a security configuration product now, and that's why he's thinking this way. The reality is more likely that he believed it first and found a company that was in alignment with his already established vision. At least I hope so. My point is that everyone has an agenda (even me, which is usually along the lines of selling more books), and you can get value from posts like this, but be very clear about what the author is trying to do.
http://techbuddha.wordpress.com/2007/04/12/effective-vulnerability-management-part-1/
Monoculture and the PCI
This post from Jimmy Jason Chan on LogLogic's Logblog is very interesting. We all remember Dan Geer's fateful paper on monoculture that earned him walking papers from @stake. He was right to point out some of the issues in depending on one vendor for security. But have times changed? And what does it cost to actually support multiple security stacks, especially in the age of PCI, where basically you are multiplying your workload by dealing with many operating systems and security products? Of course, there is risk and reward in every architectural construct, and there are certainly risks in going with a single vendor. But this is a lot of the attraction of integration, both on the perimeter and at the endpoint. One box, one agent, one policy. It reduces costs, but at what price to security and possibly to compliance? That's the question we all need to ask ourselves, and then figure out what makes the most sense for our organization.
http://blog.loglogic.com/2007/04/computing_monocultures_and_pci_compliance/
Recently on the Security Incite Rants Blog
Check out the latest on the Security Incite blog
http://blog.securityincite.com/