The Daily Incite - February 11, 2008

Submitted by Mike Rothman on Mon, 2008-02-11 09:57.
Today's Daily Incite

February 11, 2008 - Volume 3, #13

Good Morning {!firstname}:
I need some help understanding the whole window treatment thing. I spent a good part of the weekend pulling down assorted window treatments and hanging new ones. What is it about curtains that make some people swoon? Personally, I just don't get it. But I was also the guy that used a Felix the Cat sheet hung with thumb tacks as a window shade until I was 25.

I think the root of this confusion is my hatred of clutter. I guess I'm becoming a minimalist in my advancing years. Going into someone's house and looking at all their doodads just makes me nuts. Give me 20 minutes and a big Hefty bag and I'll take care of business. To each his/her own - I know, I get that - but it's still hard. So when I'm spending my leisure time putting up rods and hanging curtains - I'm just perplexed by the need of it all.

Yet, I know I live with 4 other folks and they like assorted levels of clutter. The Boss tends to favor clean and contemporary decorating and she was very happy with the new window treatments. I don't think Felix the Cat would have gone over so well. There was a side benefit to my efforts over the weekend since I was able to make another deposit in the Jackass bank. That's an account that I can draw on when I'm a jackass and hopefully not end up sleeping in the guest room.

The kids vary widely. I'm surprised Leah can even get into her bed with the amount of crap (between dolls and little decorative pillows) she keeps there. I'm worried she'll end up in the guest room as well - ejected by her American Girl doll, who I suspect is planning a coup at this very moment.

Sam is in the middle, with a bunch of stuffed animals in his bed too. My personal favorite is his Mike Wazowski (from Monsters, Inc.) doll. Though I don't get how having that one eye glare during the night doesn't scare the crap out of him. And then there is Lindsay, who some days even forgets to bring one of her dolls into bed. It really is unbelievable to see how different the kids are.

Enough about my window treatments at this point. Today the 2008 Incites hit the Street. Yes, my annual rite of predictions and trends. You know what that means, right? Tomorrow starts the Days of Incite. For the next two weeks, I'll be doing a detailed post each day decomposing each of the Incites and explaining how and why I think things are going to shake out in 2008.

I'm also making a new product announcement in the Pragmatic CSO family later today. I'll highlight that in tomorrow's TDI. Looks like it'll be a busy day, for a change. I hope you enjoy yours.

"Window Treatments" picture originally uploaded by ::Wendy::

Top Security News

What do you mean the earth is round?
So what? - Peter Tippett has been making the same points for the past 10 years. It's got to be pretty frustrating that most folks still look at him like he's an alien when he goes into his spiel about the earth being round and focusing on real risk, as opposed to potential vulnerability. Tim Wilson does a good job of summarizing Tippett in 500 words, but you should really consider the wisdom of his messages. Of course, a lot of folks that read TDI and a lot of the other bloggers I routinely point to already get this stuff. But Tippett was one of the first I know of to really hammer home these points. The problem is that it's a lot easier for customers to just buy a product and hope the problem goes away, rather than actually change the way they approach the problem. From a disclosure standpoint, I worked with Tippett at TruSecure and have been heavily influenced by his thinking and approach. It's funny that he still uses the same analogies that he was hammering back in 2003. But the messages still resonate - with me anyway.

Cut the price, because they can
So what? - There are some security functions where I wonder why most organizations are still bothering. Anti-spam is one of them. Implementing and managing your own email security gateways seems a bit strange. I guess some large enterprises have some very specific requirements and need to have very granular control over their policies, but if you are somewhat run of the mill - why not let someone else deal with it? When Google bought Postini, it was just a matter of time before they used the old ad revenue stream to disrupt the pricing of the anti-spam services market. First they bundled Postini into the Google Apps Premium offering and now they have sliced the price of the old Postini services. The basic anti-spam stuff is $3 per user PER YEAR. Add in virus detection and some simple outbound filtering and you are at $12 PER YEAR. Right, $1 smackerooni per month. That's maybe a third of what the other guys are getting for basic anti-spam. And it's not like there are significant switching costs. Just point your MX record at a different location. I suspect the mid-market is going to jump on this, if they can figure out that it exists. Maybe Google should run an AdSense program or something.

Trolling research's red light district
So what? - It's been a while since I've unleashed on a vendor-sponsored survey, produced by an "independent" research firm. I read this release from Virtela, referencing some research from the folks at Aberdeen Group, and I'm instantly transported to some wacky club in Thailand. I hear the faint sound of Sting crooning Roxanne in the background. And I don't have any singles. This must be a bad dream. Thankfully it is, but I guess I've been missing the fact that "...ALL Best-In-Class Companies Leverage Managed Security Services..." Hmmm... What is a best in class company? And how do you define MSS? I know it's just a release and the vendor is trying to differentiate in a very crowded and confusing space. But still, I get pretty chapped when my research brethren go out there with positions that cannot possibly be defended. I know much better than to use absolutes in any research. There are ALWAYS exceptions, therefore the statement "ALL" is wrong. Thankfully this got very little press coverage on Friday and I can only hope that the beat reporters decide to focus on something real, rather than this trumped up, totally unbelievable "research." I need to go take a shower. This is one of those cases where my profession is making me feel dirty.

The Laundry List

  1. McAfee gets it done in Q4. More interestingly, they aren't seeing the slowdown in 2008 that almost everyone else is. They are also initiating a big buyback, now that the options back-dating mess is behind them. - McAfee earnings release
  2. RIP ISS. It was just a matter of time, but now one of the last vestiges of ISS is dead. The channel program is being subsumed into Big Blue. At least they haven't changed the sign on ISS' ATL headquarters...yet. - Channel Insider coverage
  3. Panda tries to figure out what's next. Is eating bamboo in a hut being gawked at by tourists an option? - SearchSecurity coverage
  4. This month's SearchSecurity channel column focuses on how VARs need to evolve in order to deal with a declining economy. - Rothman SearchSecurityChannel column

Top Blog Postings

Tools vs. people
No, this isn't a Terminator redux, but rather pointing out a great point that Jeremiah makes in this post. He did some great analysis about a year ago saying we'd have to train 10x the number of web application security folks to just cover like 5% of the applications out there. It was horrifying then, and it hasn't gotten any better. The point is that just doing a scan of a web site isn't going to really uncover the business logic flaws that will kill you. To be clear, it's a start and it's better than nothing, but to think it's sufficient to protect your environment is being naive. Maybe the McAfee folks are learning that a bit, now that they've closed the ScanAlert deal. Jeremiah's in the business of putting both technology and people on the problem, but as his friend points out, that isn't always an option. Thus we need some real innovation on the tools front to try to keep pace. That's where some of the big brains in this business should be focusing.
http://jeremiahgrossman.blogspot.com/2008/01/technology-helps-but-people-matter-most.html

Tools vs. people - the sequel
Stuart King takes a different spin on the tools vs. people debate, wondering whether technology or people management (that means training) is more effective. I know a lot of security folks that are so frustrated in dealing with the stupid user community, they've all but sworn off education, training and anything else unless it has flashing lights. My position remains the same. The answer is all of the above. Just like you try to eliminate software vulnerabilities at the earliest point in the process (as the application is being built), we should be trying to stop users from doing stupid things, BEFORE they do them. That means they need to be trained as to what is stupid and have that message constantly reinforced. And I mean constantly. Also understand that the training won't impact everyone. But it will impact some, and to me that's worth the effort. Unless you have a yen for hip-boots and enjoy your time cleaning up the crap that uneducated users spill on the floor.
http://www.computerweekly.com/blogs/stuart_king/2008/02/i-participated-in-an-interesti.html

What certification matters the most?
It is amazing the number of folks that ask me which security certification matters the most. I get this question via email, when I'm at a speaking gig, or on the treadmill (or so it seems). Personally, I go for none of the above. Certifications indicate a lowest common denominator of skill and the ability to pass a test. Is one test better than another? Who the hell knows? This post on the Art of Information Security blog is pretty interesting because it shows the trend in search volume between the term CISSP and CISA. As Erik points out, "The Google trend data would seem to indicate the overall interest in Information Security certifications has been declining, and that there is little to no difference in interest levels between the CISSP and the CISA." I tend to advise people to spend their time improving their skills (by breaking into stuff or learning about application security), rather than boning up for a test that no one cares about.
http://artofinfosec.com/45/google-trends-cissp-vs-cisa/