The Daily Incite - April 15, 2008

Submitted by Mike Rothman on Tue, 2008-04-15 10:18.
Today's Daily Incite

April 15, 2008 - Volume 3, #36

Good Morning:
Oh yeah, April 15. That's right. Everyone in the US knows this as Tax Day. Most folks have their taxes done way ahead of time, especially if they are getting a refund. But not me. No sir. I'd rather let the Feds sit on my refund as long as they can. I wait until the very last minute to get the taxes done. And I mean the VERY last minute. A few years ago, I remember driving up to the post office (which thankfully stays open until midnight) at maybe 11:30 PM to drop off my little package - and make sure it was post-marked for April 15. No, it's not very smart. I get that.

This was, of course, before the time of e-filing. Now I sit in the comfort of my office and bang out the taxes on April 14 or 15, and then hit send. E-filing really has changed the way these things are done. Now I can wait until 11:55 PM on April 15 and not worry about the traffic to the Post Office. Of course, this convenience for me probably hurts the USPS revenues, but oh well. Welcome to the 21st century.

And yes, I still do my taxes myself. Although I'm not really sure why. For the last 15 years I've been using TurboTax, and it works fine. My friends keep telling me I'm an idiot and that I should have someone "professional" do my taxes. You mean the folks at those strip mall tax shops (H&R Block or Jackson Hewitt) are professionals? Seems to me they are basically baristas at Starbucks that make a little extra beer money over tax season.

I'll take TurboTax every day of the week over the barista. Good latte. Schedule C, not so much. Yet, I think my friends are referring to a "real" accountant. Someone that does this stuff every day. They tell me someone versed in tax law will save me lots of money, above and beyond what TurboTax will. Maybe they are right, but it's unlikely I'll find out. I guess I just like doing the taxes. Once a year, going through my finances and seeing how the numbers turned out. I know, that's kind of strange.

Yet, I'm not a big fan of paying taxes. I try to maximize my deductions where I can, without going to jail - of course. It's not that I don't think I need to help keep the country running. But I'd rather direct my funds to charities I believe in, rather than the multi-trillion dollar charity called the US Government. I'd rather send some money to Jerry's Kids or the Cancer Society (and I do), than the fat cat society of back room deals and pork barrel politics.

But every time I grind my teeth thinking about all the waste within the Beltway, I remember back to some great advice my Dad gave me when I was just out of college. I started investing in mutual funds very early and I got my first set of capital gains distributions and the net was that I owed quite a bit on my taxes. I called up my Dad and started bitching.

He asked me a simple question: "Did you make the money?" I said: "Of course I did." Then he said: "Pay the tax. And shut up. Be happy you made money. Now get back to work and make some more." He's right. The US affords guys like me an opportunity I wouldn't have elsewhere. So I'll pay the tax.

And I'll also get back to work. The day is young, I still have tax forms to wade through. Have a great day.

Photo: "Have Fun & Get Your Taxes Done" originally uploaded by Rachel Smith


The Pragmatic CSO: Available Now! Read the intro and get "5 Tips to be a Better CSO" at www.pragmaticcso.com

Get your special report, "6 Easy Steps to Protect Your Identity," and get access to Security Mike's Portal today at www.securitymike.com (Security Mike's Guide to Internet Security).

Top Security News

RSA Session: Groundhog Day
So what? - Unfortunately I don't get to attend many of the sessions at RSA. I know there are a lot of top flight speakers and folks there that have things to say. There are a lot of vendor snake oil salespeople doing sessions as well, but statistically that's always going to be the case. One of the best panels I've participated on in a long time was the "Groundhog Day" panel on Thursday morning. I was accompanied by Ron Woerner, the Mogull, Dave Mortman, and Martin McKeay. We attempted to draw parallels between what has happened before and how we can apply those lessons to the challenges we face today. There were a couple of key takeaways from the panel, and most of them centered around business relevance, as opposed to technical aptitude. There was also a lot of focus on the folly of vulnerability-centric thinking and on the importance of getting application folks to think about security sooner rather than later. Finally, we all got to the place that compliance is NOT a hammer, but rather a door opener that gets us security folk visibility at the highest levels of the organization. But unless you say something interesting when you are there, all the compliance in the world isn't going to help you get what you need. Buy the tape, it's worth it.

The future of security business models
So what? - I get approached pretty frequently by companies looking to leverage my network to find great people. Both on the marketing and sales side. I should probably figure out how to monetize that a bit better, but for now I'm happy connecting friends of mine and hoping something good happens. RSA was no different, in that I talked to lots of companies looking for great people and lots of great people trying to figure out what's next. I hope those top dollar marketing and sales folks get their money out soon because the idea of a large enterprise-centric sales force, selling multi-hundred thousand dollar security widgets, is going to be the exception not the rule. I'll also admit to being kind of an S-1 (that's the SEC filing for an IPO) junkie. I haven't had my fix in quite a while, but recently I got pointed to the Solarwinds S-1. You learn a lot about business models and how things work by reading those things. If you are running a security company and you aren't familiar with Solarwinds' business model, you better figure it out. Thousands of customers, average deal size less than $6K, web-based lead generation, inside sales fulfillment. Huge leverage. Huge margins. Huge profitability. This kind of model can apply to most technology sectors, but it's especially applicable to security - where it hurts to write a big check without the promise of accelerating revenues. Check it out. You'll thank me later.

Why the RSA show floor doesn't matter
So what? - Later this week I'll get back to the industry and news commentary, I promise. But RSA is such a firehose of information, it usually takes me a few days to internalize what happened and what it means to the rest of the business. Another mild epiphany I had at the show was the irrelevance of the show floor. That's right, it doesn't really matter what the vendors are talking about. So Stiennon says it's SIM; there was a lot of activity around virtualization, data leak prevention and, of course, PCI and compliance. But it doesn't really matter in the real world. That's the big message here. The real world does not care about the RSA show floor. The real world is trying to integrate the ridiculous number of agents on the desktops that are resource hogs and inefficient. They are trying to get that IPS deployed, though it probably looks like an integrated UTM. A lot of folks are still trying to figure out how to deal with spam and web filtering issues (and yes, the right answer is a managed service). They are worried about losing laptops, so laptop data encryption is interesting to them. I'm not sure whether the show floor is 2 or 3 years ahead of the mass market, but those overhyped technologies highlighted at trade shows are a head fake. The lunatic fringe is fun, but it's not reality.

The Laundry List

  1. Lots of folks wonder how I do what I do (and get paid). Good article on small, "web worker" types of businesses in a March InformationWeek article. It takes some cojones, but it's possible. - InformationWeek coverage
  2. It was also clear last week that application security is EARLY, like two- or three-cell bacteria early. Fortify is broadening the suite, and that's good - but you can't push on a string. - ZDNet coverage
  3. Security outsourcing still causing angst. Don't these folks get it? It's about the stuff you don't want to do, or can't scale effectively. There are no awards for doing everything yourself! - NetworkWorld coverage
  4. If you believe 802.1X is important for NAC adoption (which I don't BTW), then you'll be interested in the test of how switches support the protocol. Surprisingly enough, it's all over the map. - NetworkWorld Clear Choice Test
  5. Shockingly enough, Seltzer's got it right about NAC. It's a feature, that's for sure - but it's going to be years before it's baked in. So there is a small window for the independents, but it's going to close quickly. - Seltzer's eWeek column
  6. The next version of PCI DSS is due in September. Let's start a pool to see how it will change, and how screwed all of the retailers will remain - SearchSecurity coverage
  7. Like giving it away is going to help... VeriSign tries to kick start its VIP Network by giving away 5,000 credentials. The tribe has spoken and VRSN is not the IDSP (identity service provider). - VeriSign release

Top Blog Postings

A smidgen of data about awareness training results
Over on the BlogInfoSec site, Sam Dekay tackles one of my hot buttons, and that's security awareness training. Lots of folks think it's a waste of time, but I'm still out there pushing the fact that users are our last line of defense and they need to be taught what is right and what is wrong. They don't get this intuitively, so we have to show them. But does it work? Sam mentions three separate (though none very widespread, with lots of data points) "studies" and the data is all over the map. Given my general perspective, I'll point to the study that shows if you send a user a phishing email and get them to click on it, then have a web site tell them what an idiot they are - it actually works. You can talk until you are blue in the face, the users will tune out. But if they screw it up themselves, they are much more likely to learn the lesson and learn it permanently. Not everyone will respond, but a lot will. So yes, hack yourself and social engineer your people. And call it training...
http://www.bloginfosec.com/2008/04/03/does-security-awareness-work-some-answers-from-experimental-research/

Firewall 2.0? What's next - Dentures 8.0?
Earlier this month, Jim Reavis talked about some focus groups he did on the future of the firewall. Personally, I think that's a little strange because I'm not sure what a firewall is moving forward. It's certainly not the stateful inspection thingy we have implemented today that just looks at protocols. Though that's probably a misnomer as well, since a lot of the "firewalls" out there today do some level of deep packet inspection and semi-IPS stuff. Most can be packaged as a UTM device, and all of this integration is kind of making the firewall term a bit passé. Though I do agree that it's not just about securing the application. We do need to evolve our perimeter defenses to keep in step with the attack vectors. I'd rather call it "Perimeter Next," because that indicates it's about more than just the firewall - and it is.
http://www.riskbloggers.com/jimreavis/2008/04/whats-wrong-with-firewalls/

now i understand where kurt is coming from
As an April Fool's joke I was going to write about my undying devotion to kurt, who rants about stuff he seems to have no idea about. But I didn't bother because it wasn't worth the time. Then I saw this post a few days after that and it all came clear. kurt says in his own post: "i get away with the things i say in part because i'm not actually in the anti-malware industry, when i say someone's doing something bad there's little or no possibility for my actions to be attributable sour grapes..." I'm not sure exactly what he gets away with, but the fact that he's actually not in the anti-malware business, or evidently a practicing security professional, makes things a bit more clear. And he owes a debt of gratitude to the IDE where he must spend a bunch of his time. Evidently it capitalizes things for him, since there isn't much more annoying than not having the courtesy to hit the shift key once in a while. BTW, kurt does bring up a decent point about the folly of Panda trying to fight the av-comparatives folks, but in the end it doesn't matter. I have a hard time believing a lot of customers are doing in-depth malware testing as part of their selection criteria. Maybe in 1998, but not today.
http://anti-virus-rants.blogspot.com/2008/03/av-comparatives-vs-panda.html