The Daily Incite - August 30, 2007
August 30, 2007 - Volume 2, #127
Good Morning:
I used to wonder why my Bubbie (that's what we called my Mom's Mom) got
up so early. When we'd visit her outside of Boston, she'd be up early.
I was little, so I didn't really know exactly what time it was, but it
was early. By the time we got up, she'd already have baked something,
made breakfast, straightened up (since my brother and I probably made
an awful mess) and probably ran 2 or 3 miles. Well, not the latter -
she wasn't big on exercise, but she got more done before I got up than
most folks do in an entire day.
I, on the other hand, was never really a morning person. My Mom used to
have to do a war dance on my head to get me up for school. My
counselors at sleepaway camp would need to literally pull me out of my
sleeping bag and dump me on the floor. I'd be the
guy that would sleep till noon on the weekend, and in college I
wouldn't get going until 10 or 11 PM.
But kids change everything. My kids didn't know that Dad and
Mom are night owls. They'd get up when they'd get up, which usually
meant 6 or 7 AM and my kids are good sleepers. If the Boss and I were
dragging ass, it wasn't their problem. So through the years as a
parent, I've gotten used to being up pretty early. Especially now that
Leah (my oldest) needs to get up at 6:45 AM for school. Last year, I
would set the alarm for 5 minutes before she had to get up, I'd throw a
pair of shorts on (working at home does have its privileges), primp a
little (you don't think I look so handsome without work, do you?) and
then get her ready.
Yet, most days I was behind. I wouldn't start my reading until after I
dropped her off at the bus. Since it takes me about two hours to wade
through all the crap I read, and then another 30-45 to actually write
the TDI, it was really hard to get it done by 10 AM. Even if everything
went right. I wasn't responding to anything, filling orders
or starting my other work until 11 AM or noon, and if I
had meetings - forget it. If I was on the road, double forget it. I was
getting up at the break of dawn to get TDI over the finish line before
my day started.
Then one day about a month ago, I couldn't sleep. One of the kids woke
me up (bad dream or something) at about 3 AM. I tossed and turned for
an hour and then gave in. I got up, primped and went down to my office
around 4:30 AM. I had 75% of TDI done before I had to get Leah up. And
I also took some time for quiet reflection before the usual frenetic
activity of the day overtook me.
I loved it. I was kind of tired a bit earlier that night, so I got in
bed a little earlier. We have a DVR, so it's not like I'm missing that
important 10 PM TV show. Having an hour or so before needing to deal
with anyone else gave me time to shake out the cobwebs, assemble my
daily task list, wade through the first wave of email and do most of my
reading. I was much less stressed through the rest of the day and I
couldn't believe how that allowed me to get much more done.
So I've become an early riser. Some days I look cross at my alarm clock
as it blinks 5:00 at me. And the Boss thinks I'm nuts because there is
no way she'd get up at 5 AM unless there was some kind of natural
disaster. But it's working for me and that's what counts.
Since it's Labor Day weekend here in the US, I'll be taking Monday off.
Well, not really - but humor me. So next week's publishing schedule is
a bit wacky: Tuesday and Thursday will be TDI and I'll do the P-CSO
weekly on Wednesday. Have a great (and safe) holiday weekend.
Top Security News
Should I buy a tank or a UTM box?
So what? -
It's hard to believe, but it's the end of August. That means all of the
POs for the US Federal Government need to be in process and working
through the system in order to have any chance of closing before the
end of the fiscal year on Sept 30. So starts the waiting game, where
all sorts of technology vendors (not just security) wait on pins and
needles to figure out what funding will drop and how much. Q3 quarterly
results swing based on how much funding drops. Last year was
disappointing and lots of my contacts are hopeful that this year will
be better. But given the lame duck status of the current
administration, it's not clear what will happen. Selling security stuff
to the US Feds continues to be a good opportunity, frustrating
funding and procurement nuances aside. As pointed out in this CRN
article, a bunch of standards (like
the OMB's standard desktop initiative) and FISMA assessment debacles
are driving continued investment. But no matter how much money they
throw at the problem, results will pretty much always be mediocre.
There is too much ground to cover, too many layers of bureaucracy, and too
many attack vectors. On another good news tidbit, evidently the Feds
have come to the conclusion that
telecommuting is safe. Really? That is until some other
jackass decides to take a database full of private information with
him/her and leave it in a Starbucks.
Hey Norton! Is that the 2008 version?
So what? -
A couple of weeks ago, I vented pretty harshly about how much I didn't
like Symantec's 2007 version of their AV suite. It came loaded on my
new PC and it got in my way. Since then I've shut off the personal
firewall, installed Zone Alarm Free, and am reasonably productive.
At least I can log into LiveMeeting now (yes, the firewall wouldn't let
me navigate to LiveMeeting until I shut it off). Since it's about Labor
Day, it must be time for the 2008 update of Norton. This
year's model adds some new stuff (like Identity protection and a
browser plug-in to stop drive-by attacks), and it's much faster -
according to them anyway. At least it's nice to see the Big Yellow ask
for a Mulligan on the 2007 version. They are supposed to send me 2008
(being a loudmouth does have some privileges) when it ships. I'll
install it (in a VM, thank you very much) and let you know whether it
still sucks. Oh yeah, while I'm ranting, let me spray a little of my
own Yellow on JT for once again claiming that Microsoft's AV pricing is
predatory. Give me a break man. Sorry that you are pulling a little
less milk from your cash cow, but I'm afraid it doesn't have much to do
with pricing, which over time does go down in technology markets as
products commoditize. It has to do with product quality. Maybe 2008
will be better.
Is big STILL the new small?
So what? -
If there was one published work that got the whole Incite ball rolling,
it was my seminal piece wondering whether Big is the New Small and the follow up. I've revisited the
topic a few times over the past 18 months and have come to the
conclusion that it still is. And though I'm no mathematician, when you
have over 800 companies in a market that should really be a feature -
something's got to give. So I don't have any issue with Bill Brenner questioning whether smaller
security vendors are stable or viable. The cold hard truth
(sorry Alan) is that a majority of these
vendors are NOT viable. There are about a million things they can do
wrong, and most of them will. Lots of customers will end up holding the
bag over time as these companies get acquired for chump change or they
just fade away. You'll always have innovation and you'll have a small
minority of the companies that actually make something of themselves.
But buyer beware, it's gotten more risky for end users to buy products
from smaller companies. It doesn't mean it's always the wrong thing to
do, but just be careful - that's my point. The last thing you want is
to go and eat crow to your boss when you have a bunch of pretty
expensive door stops that are not supported anymore by a defunct
vendor.
The Laundry List
- Rootkit? We'd never do that again... Oh, maybe we would. Sony caught AGAIN with rootkit looking stuff on their fingerprint readers. Maybe it's time to send those developers to class to teach them what they can and can't do in the kernel. - SearchSecurity coverage
- Guess I can take a little longer NAP. Windows Server 2008 is delayed, and thus so is NAP. Maybe Rip Van Winkle will be up in time to see it deployed. - InformationWeek coverage
- Direct marketing is a brutal business. PDF spam doesn't work, so it's gone. Still not convinced spam and Internet crime is a business? - Sophos release
- Cisco stays on their Trend. They renew the deal and announce an add-on to MARS. Why buy the cow, when they are getting the milk for cheap? - Cisco release
Top Blog Postings
I'm not the only guy who hates vendor numbers...
Steve Duplessie also hates the ritual of vendors making up numbers or
taking them so far out of context to make themselves feel good. I
totally agree with Steve's assessment of why vendors use numbers, but
the shocking thing is that some customers actually care. I've seen
buying decisions made because one vendor had 700 customers and another
only 100. Now the reps for the smaller company need to be shot -
because shame on them for letting the deal become about viability and
not product capability and fit. Shame also on the customer, who is
opting for the easy way out. They still remember the good old days when
no one got fired for buying from IBM. Until 1993, that is, and then you
had a bunch of old mainframe heads that were left out in the cold. Only
Y2K saved those folks from being destitute. The point is that vendors
will make up numbers to claim the perception of leadership in whatever
market category they play in. Customers need to find solutions to solve
their business problems. DO NOT get the two confused. If you still
don't get how to buy security products (and read this on RSS), drop me
a note and I'll send you my Buying Security Products guide.
http://esgblogs.typepad.com/steves_it_rants/2007/08/whats-in-a-numb.html
Vista SP1 coming - get big AV a tissue
The blogosphere is buzzing with news about the SP1 release of Vista,
which should be here sometime in Q1. Naraine goes through the specifics
in this post. Is there anything from a security perspective that is
interesting? Not really. They are opening up the Security Center and
also implementing the APIs that resulted from SYMC and MFE crying to
the Euro anti-trust Gods just prior to the release of Vista. Hopefully
this will shut those folks up, so they can maybe focus on shipping
products that don't suck. I can only hope SP1 is more stable and the
drivers work better. Just yesterday I discovered my HP All-in-One
duplex driver is screwed up. So my stuff doesn't print out correctly.
Annoying. I've got my implementation mostly stable, but I still regret
not spending the money for the iMac when I had the chance. Maybe the
Hanukkah fairy will drop one off before the end of the year, so I can
make this Vista boat anchor into a file server.
http://blogs.zdnet.com/security/?p=480
Not sure what Zen has to do with risk assessment
Looks like every company is jumping on the blogging bandwagon. The
folks at Intel have an IT blog now and this post deals with risk
assessment. Brian Willis makes some decent points about the need to
scope the assessment and make sure the right folks are involved. All of
this is pretty basic stuff, but as he points out - most users continue
to screw up the basics. I'm in favor of a more Pragmatic approach. This
is described in Steps 1 and 2 of the P-CSO.
You don't know the questions you need to answer until you understand
why you are doing security in the first place. That answer isn't in
your office, so get yer' ass off of that comfy Aeron chair and go talk
to some folks. They'll tell you what questions you need to answer and
then you can do a more sophisticated baseline to figure out where you
are at. Again, not brain surgery, but most folks can't even put on a
Band-Aid correctly.
http://blogs.intel.com/it/2007/08/zen_and_the_art_of_risk_assess.html