The Daily Incite - August 29, 2007

Submitted by Mike Rothman on Wed, 2007-08-29 08:11.
Today's Daily Incite

August 29, 2007 - Volume 2, #126

Good Morning:
Overwhelm. That's a tough thing to deal with. You know, when you look at your list and it's really long. Then you look at your deadlines and you are already late. You aren't sure where to start. So you stare at the list a bit. Check your email. See what new stuff showed up in the RSS reader. Check email again. Gosh, starting to drag a bit, better head over the coffee shop for some liquid courage.

You know, overwhelm. I'm there right now. Besides my client work, I'm frantically jamming to get my next product ready for prime time. It'll launch next month, and I'll be announcing it next week. Lots to do.

Sometimes the pressure brings out the best in me. Sometimes it makes me feel like I'm swimming in molasses.

So what to do? Focus on less and do more. That's the topic of a post by Andy Wibbels where he describes a 30 day process to get more done. Only commit to 30 hours of stuff over the next 30 days? What about the other 23 hours in the day? But the approach makes sense. And this isn't a 4 hour workweek type of contraption either.

It's an interesting thought. How much time do you spend doing busy work? Probably a lot. I justify my busy work because it's my job to stay connected and read a crap load of stuff. But truth be told, I could get that done a lot faster when under the gun. Well, I'm under the gun now.

My problem is that I have more than 30 hours of tasks to do and less than 30 days. But I guess the point is to really pare down to the stuff that absolutely must get done and be relentless in getting those things done. The thought is a good one, and I'll be trying some form of it. Right after I check email, my feed reader, and go grab a cup of joe...

Have a great day.


The Pragmatic CSO

The Pragmatic CSO:
Available Now!

Read the Intro and Get
"5 Tips to be a Better CSO"
www.pragmaticcso.com

Top Security News

Is it Fred or Herb, or a cop-out?
So what? - Does anyone remember those horrible Burger King ads from a few years ago featuring a dweeb character named Herb? Not sure why I do, but my impression isn't favorable. So when I saw this article on NetworkWorld by James Gaskin about how to implement a "Fred Security System," I instantly thought of Herb, who easily could have been called Fred. What's this Fred stuff about? Basically, Gaskin thinks small companies should have one guy trained in how to scan files and do other security stuff. And then everyone sends their questionable attachments, etc. to Fred for processing. So, when does Fred do his day job? And if you are teaching the other employees when something is suspicious enough to send to Fred, why don't you just take another 2 minutes and show them the delete key? I have to say, this may be one of the worst pieces of advice I've seen in a long time. I'm both perplexed and terrified that any small business owner would actually consider doing something like this. The subhead says it all: "Improve security for zero dollars." If you believe that, I have a bridge to sell you.

10-24-split right-OPSEC formation on 2
So what? - It's almost that time. Can you feel it? FOOTBALL. I'm getting my invitations to a variety of suicide pools. My friends can't go drinking because they are futzing with their fantasy football teams. And lo and behold, the college season starts this week. YIPPEE. So I've got the playbook on the brain, which made everything click when I saw Imperva announce a "solution ecosystem" for data security. Yeah right. Given the heritage of Imperva (Check Point's Shlomo Kramer is CEO and Asheem Chandna is on the board), it's not surprising to see them try to take a page out of the CHKP playbook and see if it works. It won't. We tried that when I was in the anti-spam business as well and lots of other folks have tried OPSEC-like programs, all with the same mediocre result. OPSEC will never be repeated again in the security space. Or even RSA's partner program. No one company has that kind of market power in a large space anymore. These vendors can talk ecosystems all they want. Not sure how you substantiate an ecosystem of 3 partners you were already doing business with. This is Barney stuff, but watch all the other database security folks announce their own "partner programs" within the next couple of weeks. Lemmings I say, lemmings.

Mix two parts AV, one part IPS and 50 parts of consulting and you get?
So what? - I'd say a witches' brew, not an "Easy PCI plan." At least you have to give McAfee props for building a story around the stuff they have and saying "easy" and "PCI" in the same story with a sort-of straight face. When all you have is 3 hammers, I guess everything looks like a PCI nail. At least McAfee positions the package to "ease" the burden of PCI, as opposed to offering some cockamamie 60-day plan to be compliant. The reality is (let me go over this once again) you CAN'T buy compliance, and a triple play will get you on SportsCenter, but it's not going to impress a PCI auditor. PCI DSS has twelve requirements, so you need a "twelve play" to do PCI, not just to meet 3 of them. But those are details and this is marketing, right? I guess I should remember that the truth has a very small place in the pantheon of security marketing.

The Laundry List

  1. Security coming to a chip near you. Intel announces enhanced security in their latest generation of chips. Yep, security's a feature - built into everything. - NetworkWorld coverage
  2. Can you hear the cries in SFO's i-banking community? JT says the Big Yellow won't be doing another big deal - this week anyway. - Reuters coverage
  3. DoS hits the airwaves. Yes, if you go all wireless, a Wi-Fi jammer will make you miserable. Where do you get one of those? That would be fun at DEFCON. - NWW wireless newsletter
  4. They'll let anyone do a survey nowadays. Jericho weighs in by asking their members if de-perimeterization is important. What the hell do you think they are going to say? - Jericho release

Top Blog Postings

Does Tao give it a FAIR shake?
Bejtlich is a pragmatic guy, which is why I pay very close attention to what he says. In this post, he provides some constructive criticism of Jones and Hutton's FAIR methodology, basically punching holes in it because it's based on assumptions. No kidding. Every model is based on assumptions. Alex gets defensive in a couple of posts, but I don't really see the purpose in that. The reality is a model is a model. And in my opinion, FAIR is useful not to get five 9's of precision on a risk metric, but to provide a metaphor and a structure to tell management a story about how they should be dealing with risk. The numbers will always be totally subjective, but some folks need to see numbers because they have little faith in the opinions of their security leaders. FAIR provides a taxonomy for producing those numbers. Gosh, I can't believe I'm actually defending a model for risk quantification here. Personally, I don't care much about Bayesian versus any other contrived way to produce numbers. I'm interested in whether the logic of the methodology is solid enough to allow me to tell a story, and I think FAIR is. But if you are looking to determine that the amount of risk in your environment is 42, then read Richard's post carefully.
http://taosecurity.blogspot.com/2007/08/thoughts-on-fair.html
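To make the "it's all assumptions" argument concrete, here is an added example (my own illustration, not code from Bejtlich's post or from the FAIR authors). It walks FAIR's public decomposition (Risk = Loss Event Frequency x Loss Magnitude; LEF = Threat Event Frequency x Vulnerability; Vulnerability = probability that Threat Capability exceeds Control Strength) through a made-up scenario, then shows how far the headline number moves when one subjective input is revised. The scenario, every (min, most likely, max) range and the triangular distributions are assumptions chosen for illustration, not anything the post or the FAIR documentation prescribes.

```python
"""
Toy FAIR-style risk quantification.  Added example; the scenario and all
input ranges are constructed for illustration and carry no real-world meaning.

    Risk (annualized loss) = LEF x LM
    LEF = TEF x Vulnerability
    Vulnerability = P(Threat Capability > Control Strength)

Ranges are (min, most_likely, max) triples drawn from a triangular
distribution, a common stand-in for the PERT ranges FAIR practitioners use.
"""
import random
import statistics


def tri(rng, lo, mode, hi):
    """Triangular draw; note random.triangular takes (low, high, mode)."""
    return rng.triangular(lo, hi, mode)


def simulate_vulnerability(tcap, cs, n=20000, seed=1):
    """FAIR 'Vulnerability': fraction of trials in which the threat's
    capability percentile beats the control-strength percentile (both 0..1)."""
    rng = random.Random(seed)
    hits = sum(1 for _ in range(n) if tri(rng, *tcap) > tri(rng, *cs))
    return hits / n


def expected_annual_loss(tef, vuln, lm):
    """Closed-form point estimate: mean(TEF) * Vulnerability * mean(LM).
    The mean of a triangular(min, mode, max) distribution is (min+mode+max)/3."""
    return (sum(tef) / 3) * vuln * (sum(lm) / 3)


def simulate_annual_loss(tef, vuln, lm, n=20000, seed=7):
    """Monte Carlo version: returns mean, median and 90th percentile of the
    annualized loss distribution so the spread, not just the point, is visible."""
    rng = random.Random(seed)
    losses = sorted(tri(rng, *tef) * vuln * tri(rng, *lm) for _ in range(n))
    return {
        "mean": statistics.fmean(losses),
        "p50": losses[n // 2],
        "p90": losses[int(n * 0.9)],
    }


def sensitivity(tef, vuln, lm, factor):
    """Ratio by which the point estimate changes when the most subjective
    input, the worst-case loss magnitude, is multiplied by `factor`."""
    base = expected_annual_loss(tef, vuln, lm)
    revised = expected_annual_loss(tef, vuln, (lm[0], lm[1], lm[2] * factor))
    return revised / base


# Constructed scenario (assumed numbers): lost laptops holding customer data.
TEF = (1, 5, 20)                   # threat events per year
TCAP = (0.3, 0.6, 0.9)             # threat capability percentile
CS_WEAK = (0.4, 0.7, 0.95)         # control strength: no disk encryption
CS_STRONG = (0.7, 0.85, 0.99)      # control strength: full-disk encryption
LM = (10_000, 50_000, 250_000)     # loss magnitude per event, dollars


def main():
    for label, cs in (("weak controls", CS_WEAK), ("strong controls", CS_STRONG)):
        vuln = simulate_vulnerability(TCAP, cs)
        point = expected_annual_loss(TEF, vuln, LM)
        dist = simulate_annual_loss(TEF, vuln, LM)
        print(f"{label}: vuln={vuln:.2f} point=${point:,.0f} "
              f"p50=${dist['p50']:,.0f} p90=${dist['p90']:,.0f}")
    # Revising a single guess (worst-case loss doubled) moves the answer a lot.
    print(f"doubling LM max scales the estimate by {sensitivity(TEF, 0.5, LM, 2):.2f}x")


if __name__ == "__main__":
    main()
```

The useful takeaway is the last line: the structure is sound and repeatable, but a one-guess revision to the worst-case loss shifts the "risk number" by roughly 80 percent, which is exactly why the output is a story-telling device rather than a precision measurement.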

The downside of social networking
Nitesh Dhanjani has an interesting post here examining the downside of social networking and Web 2.0 technologies. Sure there are lots of risks, but those need to be weighed against the benefits to collaboration and the like. But what about enforcing identity? That would prevent anonymous trolls from launching their guerrilla attacks, now wouldn't it? We can (and have) argued about anonymity at length, thus it's not very interesting to me anymore. But Nitesh actually concisely sums up a lot about what we do: "The job of information security is to make it harder for people to do wrong things." OH MY GOD, that is brilliant. Crisp, concise, yet with so many layers that I could write a 4 page paper. Why the hell didn't I come up with it? Whether it's technical defenses, education or just the inevitability that we can't stop people from doing the wrong things, we can only clean up after them - it's all there in that sentence. 
http://www.oreillynet.com/onlamp/blog/2007/08/social_engineering_social_netw.html

Phishing continues to reel in big game
Dancho revisits the economics of phishing in this post, and it's always interesting. Having spent years screwing up marketing programs, I know all too well the brutal, Darwinian economics of direct marketing. If you aren't achieving a sufficient return for a marketing program, you stop. So since a quick scan of my spam folder continues to show lots of Man-XL adverts, someone must be quite a Man nowadays. I wonder whether in this year's Darwin Awards we'll see a chap bite the dust because of exploding Man-XL nuts? Now that would be funny. Getting back to my spam folder, there are some pretty sophomoric phishing attempts in there as well, but that's a manifestation of DIY phish kits. The problem is that even though the incremental cost of launching these attacks is very low, there is overhead. If they weren't getting some kind of return, we wouldn't see increasing volumes of this crap. Now who is buying?
http://ddanchev.blogspot.com/2007/08/economics-of-phishing.html

Recently on the Security Incite Rants Blog

Check out the latest on the Security Incite blog
http://blog.securityincite.com/

Read the most recent Daily Incite

http://securityincite.com/security-incite-rants/daily-incite

Submitted by Michael Dickey (not verified) on Wed, 2007-08-29 16:40.
There are a lot of issues with wireless. Jamming has been around forever, but it alone is enough for me to say, "You cannot have critical business on wireless." All it would take is one outsider or even a disgruntled insider to sneak in a wireless jammer and all hell would break loose. Only the most advanced and wireless-savvy shops would have the knowledge or gear to locate a jamming signal. And while jammers are illegal in the US, you can still get your hands on them easily enough if you want to. Just don't get caught using it unless you mean business or have a firm grasp on the effects...  Nonetheless, jammers remain a big, quiet problem.
Submitted by Mike Rothman on Wed, 2007-08-29 18:00.

Of course this is as sexist a comment as you can get, but back in the early 90's as a META Group analyst I was on the networking team. The first incarnations of wireless (networks like ARDIS, etc.) started to appear and we took the opinion that wired networks were the best way to do things. For the most part that is still true, at least for tethered machines that don't move often. But mobility does create a lot of collaboration opportunities and can change the way business processes work.

That being said, I'm still comfortable with wireless being a complement to a set of wired networking infrastructure. As Michael points out, the ability to have your entire network jammed and therefore out of commission is too big a risk to not use this as Plan B.
