The Daily Incite - April 3, 2007

Submitted by Mike Rothman on Tue, 2007-04-03 09:24.
Today's Daily Incite

April 3, 2007 - Volume 2, #55

Good Morning:
Sacked. That is not a pleasant word, and it's even less pleasant when it happens to you. As reported by Ryan Naraine (here), Ross Brown has been sacked by eEye. I spoke to Ross yesterday about content management systems. It wasn't a conversation you have with a dead man walking, and that saddens me. I have no idea what was really going on inside eEye. It may be the best thing for eEye and even for Ross in the long run. I'm not in a position to judge that.

I'm saddened because Ross was surprised. I've been there. It's painful. You give everything you have to a company, nights, weekends - you sacrifice time with your family, you make a difference, and then you are gone. No warning, hardly any thanks - just a conversation about a crappy package with some lawyer. Yes, I've been there. When someone gets canned and it's a surprise to them - the system is just not working. This problem manifests itself usually from a set of cowardly executives and board members that don't want to have a candid conversation with someone that isn't meeting expectations. Or they don't know what their expectations are and they figure if they change horses, everything will be fine. It rarely works out that way.

I've only surprised a team member of mine once. Part of it was him, in that he didn't see the signs. But a big part of it was me in that I couldn't get him to where he needed to be and I used him to try to save myself. It was a selfish move, it was wrong, and ultimately it didn't work. I got sacked anyway. Thankfully he believes in forgiveness and we are now friends.

The day after I left my last job (probably THE last job I'll have), I was incredibly happy. Just goes to show how miserable I had let my job situation become. But it was actually my family that grounded me and got me focused on what was important. When I got home that day, nothing was different. I was just Dad. I realized that they don't care what I do for work. They don't base their judgment of me as a person based on what some CEO thinks is a good job or not. It was then that I knew I had to take a different path.

I had no idea what that path was, but I've always had a lot of confidence in myself and I knew I would figure it out. I just needed to follow my passion and put myself in a situation where I could have fun again. That meant no full-time marketing gigs. No crazy CEOs. No turnarounds where I'm fixing a mess made by someone else. None of that.

I needed to be in control of my destiny. I wanted my success or failure to be based on my efforts. That's why I am doing Security Incite. That's why I wrote the Pragmatic CSO. That's why I'm launching the Security Education Network with Santa (here). I know I can and will make a difference, but it will be on my terms.

Ross, I feel for you man. But change is good, change is necessary, and in time (and it won't be that much time) you will gain perspective on what happened. You will move on and you will find success. And you will be better for the experience. If you don't have bad times, you can't appreciate the good times.

Have a great day.

Technorati: ,

The Pragmatic CSO
The Pragmatic CSO is Here!

Read the Intro and Get
"5 Tips to be a Better CSO"

Top Security News

Can we rise to the challenge?
So what? -  I read this post from Dark Reading's Tim Wilson last week and it really resonated with me (here). There really is no place to run, no place to hide. Even a friggin' cursor is subject to attack now. Part of me wants to unplug everything and go back to paper and pencil. Not sure I want to even use my cell phone. But the other part of me wants to fight. Guess which one is going to win? It's always darkest before the dawn, and it's probably going to get a bit darker in the near term. I remember I stopped watching the local news (when I lived in DC) because it was all about murder, robbery and other mayhem. Sometimes it's best not to pay attention to what's going on out there, but to focus on what you need to do today. Obviously you can't be totally oblivious because you need to educate your users about specific attacks (like the friggin' cursor), but you also don't need to read about every data theft in great detail. It will make you crazy. The only way to rise to the challenge is to get things done. Pragmatic CSOs focus on what is in their control, and they get things done. We can unplug or we can fight. I choose to fight.
Link to this

The end of free love open source?
So what? - StillSecure launched their new platform yesterday called Cobia (here). It's basically an integrated network and security platform. From a disclosure standpoint, Alan and Mitchell (the most visible of the StillSecure guys) are friends and clients. I've known about Cobia for a long time. Actually a Cobia is a pretty mean fish. My suggested tag line was "Cobia - one bad-ass fish." Maybe that's why I'm not in marketing anymore. Read the release or Alan's explanation (here) about the functionality. I want to do a little preview of a piece I'm working relative to open source in the security business. Security open source is a myth. Actually, it's more of a distribution strategy nowadays. Sometimes it's used to kick a competitor in the nuts. We really need to take a step back and come to some conclusions about what open source is and what it isn't. Matasano Thomas asks a number of great questions along these lines here. Alan responds here. My point is that the free love 60's era ended for a reason and maybe we are seeing the end of the free-love open source era. I'll have a lot more to say about this later this week. 
Link to this

AT&T starts to get serious about security
So what? - It was just a matter of time before the big carriers figured out they could start flexing their muscles in the security space. Years ago, I knew a bunch of sales guys at the former UUnet (bought by Worldcom, renamed MCI, now part of Verizon) that would tell me that they made very little commission on selling T1s. It was all about the upsell and the easiest of those upsells was the network firewall. So the carriers have known about security for a long time, but they haven't been particularly adept at positioning it or selling a security solution. They aren't there yet, but they are assembling a lot of the pieces. BT bought Counterpane and INS to add some security DNA to the mix. AT&T is relying on OEM products and services to solve specific problems. Last week they introduced an anti-DDoS service for SMBs (here), since a lot of SMB's get crushed by a DDoS. Yesterday they announced a web filtering service (here). What they haven't announced is a security solution architecture that is believable and makes sense. AT&T is going to sell a lot of security stuff just do to their breadth and reach. But they won't be considered a real player until they communicate a cohesive story. 
Link to this

The Laundry List

Kaspersky tries to protect the open spaces. Kind of seems like an endpoint security offering to me. - here
Where's the air marshal when you need him? Fortify announces a new attack vector called JavaScript Hijacking. - here
ForeScout visits the Oracle to get more detailed identity information. - here
IBM ISS takes IPS down market, and seems to have adopted the IBM arcane mainframe naming policies. Get your IBM ISS Proventia Network IPS GX3002! Say that 10 times fast. - here
MessageLabs figures out that SMBs are being attacked too. Thanks Captain Obvious! - here

Top Blog Postings

Regulation - Enforcement = Empty Suit
Alex Bakman makes a few interesting points about PCI and compliance in general in this post. His main idea is that the regulations will evolve over time. PCI may not be perfect now, but 1.1 is perhaps better than 1.0 and with a new standards council overseeing the regulation, it will continue to get better. With compensating controls as part of 1.1, I'm not sure it is better. But requiring some focus for application layer security is a good thing. The thing I really jumped on in Alex's post is enforcement. There must be enforcement. Sure, security folks will sell some stuff in the near term because of the TJX mess. But they won't be committed to long term change UNLESS they know there are penalties and they are going to be levied. To date, pretty much every regulation has been an empty suit. I think a lot of folks are doing the right thing relative to security and that these regulations were the catalyst, but the folks that haven't, won't. Because they don't need to. The grim reaper isn't showing up on anyone's doorstep, so there is no compelling need or urgency.
Link to this

Defense in depth Next
Matasano Thomas expands on a piece that Nate Lawson did relative to what's new in system and application security design. I've always been a fan of defense in depth or layered security or whatever you want to call it. By using a couple of simple diagrams, Thomas goes through chain, layers, and finally mesh architectures. I agree with his assertions that if you can design a system where every check depends on another check, you exponentially increase the security of the environment. But how? I'm not mathematician, nor am I a hard-core developer. So I'm in the same boat as the rest of you - waiting for Nate and Thomas to tell us more and give us some actionable advice on how to strengthen our security designs.
Link to this

TJX WAS a victim
A lot of folks think I harp on incident response and crisis communications because I like to hear myself speak. Well, I do - but as I was reading Bejtlich's piece from last week on TJX, I know Richard's heart is in the right place, but he's barking up the wrong tree. Of course TJX has been victimized by hackers. But in the court of public opinion, they are the villains here. They weren't compliant, whatever that means. They didn't offer much help or information to the folks that were compromised. These are all issues that could have been addressed by doing the right thing once they found out about the issue. Most importantly, It all gets back to revenge, retribution and ultimately money. Since we can't really find most of the fraudsters and they don't have any money anyway - we go after the big company. Why? Tort lawyers, who only get paid if they recover some money. Obviously going after a petty thief isn't interesting to them.
Link to this

Recently on the Security Incite Rants Blog

Check out the latest on the Security Incite blog

Read the most recent Daily Incite