The Daily Incite - April 14, 2008
April 14, 2008 - Volume 3, #35
Good Morning:
Ah, can you smell it? It's the smell of spring, not of a steaming brown bag. Of course,
spring usually means spring cleaning. Some of my friends have spouses
who like to do the garage spring cleaning every other week, but not the
Boss. We wade through the crap we've accumulated through the year right
about the time of the neighborhood garage sale. That's a great time to
take a look at the stuff that the kids never play with anymore, and get
rid of it.
Of course, once
you indicate you are getting rid of something, the kids all of a sudden
become smitten with it again. But that's the way it works, I guess.
I forgot the power of doing a spring cleaning on my computer as well.
Since the hard drive on my MacBook was DOA, I needed to rebuild the
machine over the weekend. I put a 250 GB drive in, reinstalled the OS
and started building the machine. Rather than just do what I always do,
I used this downtime to figure out what I needed and clean
things up a bit.
I'm happy to say, my backup "system" worked like a champ. I took an old
60GB drive and loaded up all my data files from my desktop iMac
(including my Parallels VM images). Within an hour, all my data was
restored.
Then it was just about reinstalling all the applications. I did only
the stuff that was really necessary. Of course, it was still about 20
different apps and utilities, but overall I think the restore took me a
couple of hours - as I was doing a bunch of other things around the
house. No lost data. Zero. Nada. Zilch. Yes, I got lucky. But there
also was some planning involved - amazingly enough.
So now it's on to important stuff, like wading through my notes and
follow-ups from RSA. That will take me the bulk of the day, as well as
the things I should have been doing last week - if it weren't for the
demise of my hard drive.
If I ran into you last week, it was great to see you. I always enjoy
running into old friends and making some new ones. I got some great
feedback on the work I'm doing. Thanks so much for the positive
feedback. Believe it or not, it helps. And I even ran into some folks
that bought the P-CSO and seemed to like it.
I'm just happy no one slugged me in the head. I tend to have that
effect on people, though I am mellowing out a bit. Although my liver
may tell a different story.
Have a great day.
Photo: "spring cleaning 1" originally uploaded by animakitty
The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com
Get Your Special Report: 6 Easy Steps to Protect Your Identity and get access to Security Mike's Portal today www.securitymike.com
Top Security News
RSA keynotes: Why do they even bother?
So what? -
So I'll admit it, I missed Art's keynote and the big musical number
they always start the RSA conference with. My breakfast meeting ran
late and candidly, my time was better spent with an old friend. I'm not
even sure why they bother with the keynotes, since I didn't run into
one person that thought they weren't a joke. SearchSecurity does a good
overview of Art's and also John Thompson's (which I did see).
Actually, the answer is $300,000. That's the going rate for a
sponsorship with a keynote attached. That's a lot of coin to say
nothing. Art's big thing was Information Risk Management and not being
Dr. No. Ho hum. We all know it's about storage + security. The guy
works for EMC, after all. As I mentioned last week, there is nothing
new. Or not much anyway. John Thompson was all about
"Information Centric Security." HA! I can't wait for Hoff to get JT to
hold up a sign saying he copied the Hoff. And if you think I
was sitting around for luminaries like Val Rahmani and Gene Hodges to
wax poetic about why their companies still matter - you are nuts. But
alas, I seemed to be the only one of this opinion, since the keynote
halls were PACKED. I had a hard time even getting a seat. Unbelievable.
What I didn't see at RSA
So what? -
Perhaps the most surprising thing I didn't see at RSA was acquisitions.
The big guys (especially RSA themselves) usually wait until the show to
announce the things they have picked from the bargain bin. I can't
remember the last time RSA came and went and there were no deals
announced. I didn't do a comprehensive scan of the wires from last
week, but nothing jumped out at me. That doesn't bode well for the
private companies trying to stretch until they can get taken out. It
means to me that the big guys are in a holding pattern. I know Big
Security was looking at all sorts of things (the busiest guys at RSA
are always the investment bankers and the corp dev guys), but they are
in no rush. It's not like any of these privates are really blowing the
doors off, so the folks with the cash can afford to wait. Unfortunately
it means we'll see some more Lockdown's (companies shutting the doors)
before we see another Vontu (big $$$ acquisition). We'll also see a
bunch of fire sales. Welcome to the "new" security business. It's a lot
of fun, right?
The problem with PCI
So what? -
I've
always said it's better to be lucky than good. I've been lucky to be on
the selection committee for RSA's Peer2Peer program. That's when about
30-40 folks get into a room and have a facilitated discussion. No
pitches, just a bunch of practitioners talking shop. It also means I
get to do a session of my choosing at the show. This year, I
chose to do a session on PCI and there was great response. They even
asked me to do a bonus session to meet demand. I picked up a bunch of
tidbits, a few of which I'll even share. The number one concern? QSA
inconsistency. That's right, the fact that the QSAs have opinions
about how to "do" PCI is a problem. The PCI Standards Council is aware
of this (they were even in the session), but it's a hard problem to
solve. Next was the challenge of getting senior management to think
about security as a process, not just an audit. A bunch of the folks in
there had already passed their audits, and they had to fight for
resources to keep the program going. Not surprising, but it just
confirms that we continue to have a lot of evangelizing left to do.
Finally, a message that came across loud and clear is that the QSA is
not the final authority. Some folks told stories of a few asinine
things the QSA was taking a hard stance on. So these folks went through
their clearing banks and to the PCI council themselves to get what they
needed. Sure it took a lot of time, but just remember there is an
escalation process - if need be. And that's all I have to say about
that...
Top Blog Postings
Do companies do application security testing?
That's the question posed by Cigital's John Steven in this post. I
guess it depends on what you mean by "security testing." John (based on
what he does for a living) is focused on application security issues,
and nets it out by saying testing involves not just having test cases
that trace back to security requirements, but also a process to make
sure defects that are found actually end up in a bug tracking system
and get addressed at some point. I also believe this is pretty advanced
based on what I see. But I'm not surprised. Most folks run scanners on
their apps, if anything at all. That's always the first step. Companies
don't just jump to the point of fixing something until they know it's
broken. Scanners help to validate that something is broken, and then
it's about how to fix it. End users will try to take the easy way out
(buying a source code analysis tool, etc.) rather than fix the process
that results in the broken software anyway - but again, this is
predictable stuff. We are very early in the application security
renaissance. There will be lots of jousting and ax throwing before we
realize the true nature of the problem. Turkey leg anyone? (Yes, these
are renaissance festival jokes)
http://www.cigital.com/justiceleague/2008/03/31/how-do-companies-address-security-testing/
Understanding the true cost of a breach
Amrit asks an interesting question in this post, which basically makes
the point that a lot of companies spend more protecting their assets
than they may suffer in losses, if breached. I guess if you just
consider the cost of cleaning up an incident, then most security
investments are a bad deal. If you can contain the issue quickly (by
REACTING FASTER, by the way) and then clean it up, it may not be worth
going to multiple layers of protection after all. But what about the
compliance fines, the brand impact, and the downtime costs of a breach?
I'm not sure how the CSI made up their incident loss numbers, but if
those aren't included - then the numbers are worthless. Anyhow, it's a
legitimate question and sometimes the answer is going to be to build a
factory, rather than upgrade your campus with those shiny new LAN
Security switches. And that's OK. Our job is not to make those
decisions. It's to provide enough information to the decision makers so
they can make rational, well-informed decisions.
http://techbuddha.wordpress.com/2008/03/14/is-the-cure-costlier-than-the-disease/
Can you measure return on security investments?
One of the side sessions I attended last week at RSA was mini-Metricon.
This is where a bunch of the luminaries of security (at least in their
own mind, which is why I was there) talk about how we should count the
things we do. When I'm with that group, I have to keep in context the
way borderline academics address many problems, as opposed to how
entrepreneurs attack problems. But intellectual antennae rubbing aside,
I got to see Intel's Matthew Rosenquist talk about their process to
justify security investments. Then I remembered I had bookmarked this
blog post months ago to remind me to go read the information. This
presentation was one of the highlights of my week and it was maybe 15
minutes. The process Matthew outlined is as pragmatic as it gets, in
that clearly it is very, very difficult to get hard numbers about the
"payback." But in an environment like Intel, where downtime impact
(even maintenance windows) is measured in figures with 8 zeros at the
end, having a process is critical. No it's not perfect and I could poke
holes in the assumptions and the like. BUT IT'S A START. Many of the
numbers show what we already intuitively knew, but that is the first
step towards a more regimented and quantitative method for telling us
what we may not know. And that's the entire point.
http://communities.intel.com/openport/blogs/it/2007/12/11/whitepaper-measuring-the-return-on-it-security-investments