The Daily Incite - August 12, 2008
August 12, 2008 - Volume 3, #68
Good Morning:
I forgot how cool the Olympics are. I can hardly remember
what I had for breakfast, so the odds of remembering anything that
happened 4 years ago are remote. On Sunday night, I remembered.
Athletes from around the world, competing mostly for national pride.
Not entirely, but mostly. I'll admit to getting caught up in the drama,
the background stories, and ultimately the sacrifice that these
athletes make for years at a time to chase one shining moment.

And if they screw it up, it's gone. Likely to never come around again.
It's the ultimate drama.
By now, most (if not all) of you should have heard about the American
4x100 freestyle relay team. What a race! The Boss and I were literally
screaming at the TV at midnight. Yes, we woke up the kids. And yes, we
paid dearly for the hour after the race was over. The last time I got
that fired up watching sports was the Super Bowl, and before that I
can't even remember.
We were also totally engaged in the women's gymnastics preliminaries.
Although "women's" is probably a misnomer. It seemed a bunch of those
competing were girls. Little girls at that. But those girls can flip,
turn, tumble, and vault like nobody's business. They are fearless and
focused.
To me, the best part is to see the athletes dig deeper than they
thought they could. They routinely do things no one thinks are possible,
not even themselves.
They push through the limits and show the world what they are made
of. I tip my hat to all the Olympians. Whether they take Gold or just
show up and compete. It's a tremendous accomplishment.
The best seat in the house is usually right in front of my big ass
HDTV. But I'm thinking the Olympics is something you should attend at
least once, if the opportunity presents and fortune smiles upon you. By
the 2012 Summer Games in London, the kids may be old enough to
appreciate it. Hmmmm. I better start saving now.
Have a great day.
Photo: "YEAH, USA!!!" originally uploaded by mbtrama
Top Security News
What kind of parachute fits on a pwnie?
So what? -
Have you ever seen a flying pwnie? You will. With Delta offering WiFi in the sky,
there is no doubt some enterprising "researcher" will bust out
xStumbler and Wireshark to see what he/she can find. How would anyone
actually catch them? A little spoofing action and they are in the
clear. And it's not like the Air Marshals are going to be much help. Do
you think Delta is going to give up a revenue seat for a security pro?
Yeah, right. I know WiFi in the sky is probably good for their revenue,
but it's bad for unsuspecting customers, who couldn't defend themselves
from a grade school crook. So basically they are sending a bunch of lambs to
potential slaughter. I guess the best news is that a bad guy can only
compromise 200 or so people at a time. Though flying on the A380 could
yield a fiesta. Let's just say I'll remain happy to do some unconnected
writing on my flights. Even if I do have WiFi.
Countrywide...You are the weakest link.
So what? -
So now it seems the Countrywide data breach could/should have
been averted because they had a policy (and even some software) to shut
down the USB ports. Except on the machine the nefarious
insider used to pilfer the data. And there you have it. The weakest
link is always the one that gets nailed. Moreover, the policy isn't
worth the paper it's written on, if it's not enforced. Seriously.
Countrywide gets an A for preventative controls. But they get an F for
implementation. As my friend told me when I was trying to sell my
house, "it only takes one." I guess Countrywide gets that now too.
Yes, monitor your web apps too
So what? -
I found this new capability on Imperva's web application firewall to
monitor the malicious inputs (amongst other things) and help provide
actionable reports to developers fascinating. You all know
I'm a big fan of monitoring, and all other things being equal, I'll
choose to monitor not just the network but the servers, databases,
and apps as well. As helpful as the monitoring info is to REACT FASTER,
it would be great if you didn't actually have to react every time. So
you could get attacked, find the issues in the application and then fix
them. Of course, it's the "fix" part that is the most challenging
because we security folk don't control that. So it still gets back to
building and nurturing a good relationship with the development team
and continuing to evangelize why it's a good thing to eliminate issues
before deployment, and this is just more data to make the point.
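One way to turn a WAF's stream of blocked and alert-only inputs into the kind of developer-facing fix list described above, as an added example that is not Imperva's code or anything from the original post; the key=value log format, the app/path/parameter names and the rule labels are all constructed for the example:

```python
from collections import defaultdict

# Constructed sample of WAF alert lines in a made-up key=value format (not
# Imperva's real log schema); each line is one malicious input the WAF saw.
SAMPLE_WAF_LOG = """\
2008-08-12T09:01:11Z app=store path=/checkout param=qty rule=sqli action=block src=203.0.113.4
2008-08-12T09:01:19Z app=store path=/checkout param=qty rule=sqli action=block src=203.0.113.4
2008-08-12T09:02:40Z app=store path=/checkout param=qty rule=sqli action=alert src=198.51.100.7
2008-08-12T09:05:02Z app=store path=/search param=q rule=xss action=alert src=198.51.100.7
2008-08-12T09:05:09Z app=store path=/search param=q rule=xss action=alert src=192.0.2.88
2008-08-12T09:07:30Z app=store path=/account param=id rule=traversal action=block src=192.0.2.88
this line is garbage and must be skipped
"""

REQUIRED = {'app', 'path', 'param', 'rule', 'action', 'src'}

def parse_line(line):
    """Parse one constructed WAF line into a dict; return None for malformed lines."""
    tokens = line.split()
    if len(tokens) < 2:
        return None
    fields = {'ts': tokens[0]}
    for token in tokens[1:]:
        if '=' not in token:
            return None
        key, value = token.split('=', 1)
        fields[key] = value
    return fields if REQUIRED.issubset(fields) else None

def build_dev_report(log_text):
    """Roll malicious inputs up per (app, path, param) so each row is one fix item for developers."""
    items = defaultdict(lambda: {'hits': 0, 'reached_app': 0, 'rules': set(), 'sources': set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # tolerate junk lines instead of aborting the whole report
        entry = items[(rec['app'], rec['path'], rec['param'])]
        entry['hits'] += 1
        entry['rules'].add(rec['rule'])
        entry['sources'].add(rec['src'])
        if rec['action'] == 'alert':  # alert-only: not blocked, so the app had to absorb it
            entry['reached_app'] += 1
    # Inputs that actually reached the application come first, then by volume.
    ranked = sorted(items.items(), key=lambda kv: (-kv[1]['reached_app'], -kv[1]['hits']))
    return [{'app': app, 'path': path, 'param': param, 'hits': e['hits'],
             'reached_app': e['reached_app'], 'rules': sorted(e['rules']),
             'distinct_sources': len(e['sources'])}
            for (app, path, param), e in ranked]
```

Each row names one input-handling spot to harden, and the ordering puts the inputs the WAF only alerted on (the ones the application itself had to cope with) at the top of the developers' list.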
The Laundry List
- JNPR plays into the eventual integration of network and security management by offering an integrated management console for the switches and the (former) NetScreens. - Juniper release
- MSFT introduces the "exploitability index" to protect consumers. So, a totally subjective index targeted towards a customer base that doesn't understand what "exploitability" means. Great. - Venturebeat coverage
- Guidance blows the quarter, the stock gets hammered and now it's time to change to a subscription model. It's hard to get off the perpetual license crack when the Street expects new growth. - Guidance earnings release
- Justice is served. You mean, the TJX hackers are brought to justice? Nah, now I'm forced to go buy some decent clothes, since I'm still boycotting TJX. - NetworkWorld coverage
Top Blog Postings
Too much GRC? It's more about tactical vs. strategic
Normally I wouldn't point to a vendor byline generally making the case
for a GRC thingy. But Gordon Burnes of OpenPages makes a couple of good
points in this article on the IT-Finance Connection blog. Basically his
point is that "For each
new regulation or risk discipline, organizations typically implement a
new technology point-solution aimed at the specific mandate."
Clearly there are problems with this approach. First, you get no
leverage. I know sometimes there are different operating groups that
are responsible for different aspects of managing risk and ensuring
compliance, but if there is no SINGLE coordinating point, what's the
purpose? Remember that old story about the weakest link? Right, you
have no idea what is weak or strong if you don't have a single view of
the risk environment. The same can (and should) be applied to security
(as if you can separate security from risk) in taking a SINGLE and
holistic (hopefully not delusional) view of the security environment.
That's why I push for the CISO to be focused on managing the program,
as opposed to implementing and operating the controls. If he/she is too
busy fighting fires, they miss the forest for the trees, and sooner or
later they have to bring those fire department planes in to control the
forest fire.
http://www.it-financeconnection.com/risk-and-compliance/standardizing-grc/
A bug is a bug is a bug is a bug
Fortify's Roger Thornton rants a bit about this recent debate about
open source security. I guess we just can't quite remember that every
piece of software has bugs, and those bugs sometimes result in security
issues. Roger's point is that open source is no panacea and is still
going to have bugs. Yet, many in the open source community view these
realities as personal affronts and strike back with venom and rage. Get
over it. I agree with Roger that security issues are issues just like
performance and functional issues. Especially if the application
provides access to private data and/or intellectual property. But it's
not sexy to focus on security issues and we security folk have to keep
evangelizing the need to make the software better (over time) and focus
on eliminating the defects sooner and better. And that goes for open
source, commercial grade or home grown stuff. The attackers don't make
a distinction and neither should you.
http://extra.fortifysoftware.com/blog/2008/07/the_empty_debate_over_open_sou.html
Only the rear view mirror knows your potential
I'm going to wrap today with an off-topic post. One of the things that
frustrates me most about some folks I know is they are pre-occupied
with what everyone else thinks of them. Other people's perceptions drive
what they do and how they feel about themselves. I work very hard to
not give a crap. I do what I think is best for ME and my family and if
someone else doesn't like it... Oh well. This post on Penelope Trunk's
blog really sums up the entire discussion. Her main contention is that
our only purpose in life is to be kind, and she's right. I spent a long
long time not being kind, rather chasing some arbitrary dollar figure
and stepping on lots of folks in the process. I was grumpy and I felt
like a failure because I didn't have a plane (don't laugh, it's true).
Then I stopped worrying about it. I started worrying more about having
fun than making money. I figured it would work out in the end, so I
just did things that seemed right, as opposed to what was the consensus
view of how to do things. And I will continue to do that. I suspect
people will be constantly scratching their heads at the stuff I
do. Just know, your opinion, though interesting, is irrelevant. I'm
not worried about what anyone else thinks about my choices. Anyhow, I
figure I'm in the win column already, since my kindergarten teacher figured
I'd never amount to much of anything. So now I'm playing with the
house's money. Just have fun and stop worrying about everyone else.
It's a much better way to live.
http://blog.penelopetrunk.com/2008/08/08/living-up-to-your-potential-is-bs/