The Daily Incite - April 22, 2008

Submitted by Mike Rothman on Tue, 2008-04-22 08:02.
Today's Daily Incite

April 22, 2008 - Volume 3, #39

Good Morning:
After my little heretical rant yesterday, I decided to take a step back and wonder why I'm so skeptical and cynical. It makes the Boss crazy. I question everything. If I ask "why?" or "help me understand" one more time, I may get a 12" saute pan in the cranium.

It's not that I am trying to be difficult. For me, it's all about PROVE IT. I've been known to just blurt out "Name that Tune" in meetings and people look at me like I'm nuts. This happens when I just don't believe what I'm hearing. So I challenge the folks around the table to do it, prove me wrong. Or to use a bad 70's game show analogy - name that tune in 3 notes.

We are security folks, and I don't think security folks ask nearly enough questions. I guess some of us are scared of how we'll be perceived. Or that we'll lose credibility because we don't know all the answers. That's why many of us need to keep looking for new jobs every 18 months or so. 

We should be questioning the senior team about strategy, especially as it relates to letting "outsiders" and customers into our systems. We should be questioning whether that remote sales person really needs a database of every friggin' customer on their laptop. We should also ask about the web application architecture before it goes live. Just so we understand the threat vectors. Yes, this can be annoying, so you have to learn to be a good, not annoying, interrogator.

I start almost every strategy meeting with a standard disclaimer. It's along the lines that I don't have any answers, but I have some ideas and I have a lot of questions. And I proceed to pepper the subjects with question after question after question. These folks probably feel subjected to a KGB interrogation. I ask all of these questions for a couple of reasons. First is so that I can understand the client's perception of the situation and then gauge how realistic their views are. If they are living in fantasy-land, I need to shake them out of that pretty quickly.

Another reason I ask questions is that I'm looking for the patterns. You know, something I can grab on to and draw either a comparison or a contrast. It's usually very helpful for most folks to understand that they aren't alone, that other folks have been where they've been and probably screwed up what they are trying to do. I truly live by the old adage that if you fail to remember history, you are doomed to repeat it.

So make a little mid-year resolution. Ask a lot more questions. Don't accept what people tell you as the rule of law or as the truth. Make them defend their positions and justify why they are doing something. At the end of the day, we as security folks can't stop them (for the most part), but we can make sure they understand the risks and ramifications of what they are doing.

And the only way I know to do that is to ask questions.  Are you having a great day? See, asking questions isn't so hard.

Photo: "Question Everything" originally uploaded by dullhunk



Top Security News

"A nice little company"
So what? - I love positioning and the little barbs rival CEOs leave for each other. Looking at this NetworkWorld interview of Symantec's John Thompson makes me laugh. Thankfully he's owning up to having some issues with the Veritas deal, but that's water under the bridge. The reality is it's still not clear how the go to market model needs to work between security and storage. Despite JT's protestations, the jury is still out on that. But what makes me hysterical is when he's asked about McAfee and calls them "a nice little company and they do a nice job." Ouch. Personally, I think this is a pretty ridiculous way to look at the competition. One of the problems with big security is that they are fat, dumb and happy. They are pleased to milk their cash cow a bit and haven't done much to really change the way things are done. If there is one thing you can say about McAfee right now, it's that they are not comfortable. The new regime is questioning everything (see above), challenging the way things are done, and basically executing much better. He similarly dismisses Microsoft's efforts in security. I'm pretty sure that one of the seven deadly sins is arrogance. Of course, I have no interest (nor am I even remotely capable) in running a multi-billion dollar behemoth (I can barely run a one person shop), but I would use McAfee as a rallying cry to get my troops focused on the threats and basically uncomfortable about market position and light a fire under their backsides. But that's just me.

Manage up or manage down? That's a challenge for every CSO
So what? - Yes, I'm still working my way through the "big thoughts" put forth at RSA. This will be the last week I still refer back to the Big Show. But when I was looking through my bookmarks, I just couldn't resist Dark Reading's coverage of CA's Dave Hansen's pitch at RSA. He made the point that CSOs need to become more relevant to the business. He even spouts an interesting statistic, which is that 46% of CSOs spend up to a third of their day just analyzing security event reports. Maybe that number is true or maybe it's not. The reality is I don't have an issue with a CSO analyzing reports for a portion of their day because they need to know what is going on in their environment. They need to see when something is misbehaving and dispatch an expert to figure out if it's really an issue. Hopefully before it becomes a real issue. Though I'm not going to minimize the need to become relevant in the boardroom. That's crucial to being considered a player. And it doesn't happen overnight. The CSO's job is clearly becoming one of persuasion, and that takes time playing the game. Maybe even two-thirds of your time. But with the other third, I don't have an issue with checking out dashboards and trying to REACT FASTER to what is going on out there. You are definitely not relevant if an attacker is in your grill for years, while you are hobnobbing down mahogany row.

Next up for the Bay City Rollers: NBA
So what? - So I may have some fundamental issues with Network Computing's Rolling Review process, but they are certainly looking at some interesting technologies. They've done web app scanners and both inline and out of band NAC boxes. Next up is network behavior analysis products. I'm glad to hear that because hopefully it will become more clear how important the idea of baselining your networks and systems and monitoring that baseline is. Now I'm not saying NBA as a stand-alone product category is meeting that need. For those very large enterprises and carriers, it probably does. But over time, this is functionality that must be embedded in either an integrated security management platform or directly within the element management systems of the network and/or the systems. The NBA review kick-off gives a good overview of the technology and what it purports to do. I'm looking forward to seeing if the NWC folks think it actually helps them run and secure their networks. I'm also looking forward to seeing who actually shows up.

The Laundry List

  1. PayPal says "No Safari for you." What do they have against tigers and leopards? - ebizQ coverage
  2. Make sure to send SearchSecurityChannel a holiday card this year. They give you lessons and tips from Bejtlich for free. This one is how to use Snort and Argus together to analyze the network. - SearchSecurityChannel tip
  3. DBAs, start your patch engines. Oracle fixes 41 problems in this quarter's update. - SearchSecurity coverage
  4. Aladdin misses Q1 and cuts the 2008 outlook. Is this the shape of things to come, or are Check Point's pretty good results? We'll know more over the next few weeks as other security companies announce. - Aladdin earnings release

Top Blog Postings

Less invasive than a proctologist exam
I read Dennis Fisher's coverage of one of Microsoft's RSA sessions and I wonder if they are occupying the same world that the rest of us are. They are trying to make security "less annoying." Hmmm. I guess that's good news. Clearly Vista's security architecture is head and shoulders above XP, and that's a good thing. But at the end of the day, users don't want to know that security is even there. They don't want prompts (I mean the UAC nightmare), they don't want to be constantly challenged for authentication credentials, and they don't want to make a decision about a piece of code that hasn't been signed by an approved authority. Focusing on things like application whitelisting is a good thing. I'm not sure why they just didn't buy Securewave when they were shopping themselves a few years back. Regardless of anything else, you do have to give Microsoft props, they are going to spend a lot of money to solve a problem. I'm just not sure what problem they are trying to solve.
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1309350,00.html

Be Secure, and You'll be Compliant
Most people think I just talk to hear myself speak. Or just to sell a few books. But I actually think sometimes the things I say may sort of have some merit. Like this idea of Security FIRST. My pal Nitesh Dhanjani believes in this approach as well and he refers to Equifax's Tony Spinelli's ideas around letting compliance drive security. I like it. But let's hit a fairly important nuance here. The CSO (or security professional) needs to be a bit schizo. On one hand, operationally, it's all about security. But from a funding standpoint, sometimes it's easier to justify an expenditure based on an audit finding or a new regulation or something else that will receive less scrutiny than most of the stuff we security people want to do. No use in beating this horse anymore, I just wanted to point out another like-minded individual (who I think is pretty smart).
http://www.oreillynet.com/onlamp/blog/2008/04/be_secure_and_youll_be_complia.html

Next in the Octagon: Belva and Shrdlu
After hearing of Hoff and Jeremiah facing off in some martial arts hijinx, I figured it would be fun to think about how Ken Belva would love to face off against Layer 8's Shrdlu after she hammered him with some naivety comments on a recent post of Ken's. My opinion is that Ken is off the reservation a bit with this one. So I'm going to act as Big John McCarthy and call the fight with a 1st round tap out. I wonder where Shrdlu learned to apply that arm bar. Basically, the original post (on Slashdot) was more whining about the fact that most executives will choose to line their pockets rather than address a security issue. I think that's a fair assessment. The point is risk is totally SUBJECTIVE. Ultimately the point of what we do is to provide enough information to the senior folks so they can make a relevant and data-based decision about how much risk to take on. Shrdlu's point is that without some objective set of risk measurements (perhaps like Jack's FAIR process) the executives can (and will) continue to do whatever they want. If anything, the Slashdot guy is not naive, he's just frustrated because of the way the world works. Based on Ken's vitriolic response, I guess he doesn't take too kindly to being put in an arm bar.
http://www.bloginfosec.com/2008/04/18/slashdot-post-on-security-ethics-demonstrates-professional-naiveness/
