The Daily Incite - February 7, 2008

Submitted by Mike Rothman on Thu, 2008-02-07 07:28.
Today's Daily Incite

February 7, 2008 - Volume 3, #12

Good Morning:
As you get involved in the day to day grind of life, sometimes it's hard to appreciate where we've been and where we are going. A good friend of ours recently had his first child. He's in his 40s and he waited a long time to find the right partner and for the timing to work out. I don't think I ever saw a happier Dad in the pictures sent around. Yet over time, that happiness and sheer joy fades into a morass of deadlines, bills, and responsibilities.

Over 4 years removed from our own little miracle with the twins, sometimes it's hard to remember when they were that little. Yet, it's also hard to appreciate how quickly they are growing up. It seems like yesterday that we were in the hospital, loading up our two infant seats and starting the adventure of being parents of twins. On the other hand, it seems so long ago that it's hard to remember a time without three kids running around the house. Memory is a funny thing.

Yes, there is a point to my nostalgia. Last weekend, I took Leah to our first Father/Daughter dance. We got all dressed up, but only after a couple of attempts. Evidently my first try, a nice sweater and khakis, wasn't good enough. So the "little Boss" sent me back to try again. Like mother, like daughter. She wanted me to wear a tie, but that wasn't going to happen. The dress shirt and blazer were a good compromise. It's never too early to teach your kids to negotiate.

Then we went out to a nice dinner. It was a special night, so I didn't give Leah a hard time about only eating French Fries. Normally we force her to eat something else, but not tonight. We looked too fancy to argue.

Then it was off to the dance. Leah started off a bit bashful and wanted to watch for a dance or two. But once she got going, it was great. She's a pretty good dancer and got that from the Big Boss. Me? Not so much. But even I can do the Macarena, Hokey Pokey and Chicken Dance. Boy, I must really love that girl for me to do the Macarena in public. After a few dances, I had lost track of her. She found her way into a pack of girls dancing to the Cha-Cha Slide. That was OK by me because she was having fun.

It was a great time and I'm sure I'll have lots of experiences like that through the years with my girls. There is always something special about the first dance with the oldest daughter. It's hard to have the discipline to remember these times, when you are stuck in the quicksand of daily existence. But it's important because it's too easy to forget.

Thankfully I have an outlet, so I can write about this stuff a couple of times a week. Maybe someday I'll even go back and read some of these posts. That's the plan anyway. Thanks for listening. Who knew that signing up for a security newsletter would make you into a shrink? The check is in the mail. 

Have a great weekend.

"Daddy Daughter Dance..." picture originally uploaded by Jamie Fender


Top Security News

What does a mandate mean anyway?
So what? - It's been definitively shown that deploying a secure configuration on computing devices helps to protect them. You know, turning off services you don't need and eliminating a lot of the options that enable users (and servers, for that matter) to get hurt. Unfortunately a lot of organizations don't employ a standard build, a mandatory configuration or any of these other tactics. So they have hundreds or thousands of lone devices out there waiting to get hammered. The US Feds have gotten religion and have now mandated the Federal Desktop Core Configuration (FDCC). NIST has responded by figuring out an acceptable configuration and certifying a bunch of configuration tools to enforce that configuration. By the way, this is not new. The Center for Internet Security has been offering configuration guides for years. And amazingly enough, they actually work. But only if you use them. So Larry Seltzer is right in pointing out that FDCC is a good thing, but it's going to be a bear to get all of the wild west (our computing environments) on board anytime soon.

Now you need to search yourself
So what? - I use Google Search maybe 50 times a day, and a bunch more on my Blackberry. It's a lot easier to do a mobile search to find what I need than to try to manually type a URL into the lame BB browser. But what can be used for good stuff is also used for bad stuff. A couple of months back, a bunch of misconfigured Citrix servers were discovered by looking for a pretty standard configuration file in Google, and there are lots of other nasty things you can do via the Googleplex. SearchSecurityChannel has a piece by Johnny Long (excerpted from his book) that goes through 10 searches that can yield some very interesting results. Tom Bowers also did a video of some additional simple Google hacking techniques, like Google Alerts and the cache. So here is the money shot: Are you Google hacking yourself? If not, you should be. Remember, we don't like surprises, and if you aren't using the same techniques the bad folks are using, then you will inevitably be surprised. No question about it.

Products and services continue to blur
So what? - With the advent of software as a service (SaaS) offerings, it's really hard to figure out what is a product and what is a service moving forward. The reality is that a lot of vendors will try packaging their stuff as a service for a couple of reasons. The first is because they are having trouble finding an enterprise market for their stuff. Packaging it as a "lease to own" type of thing will help reduce the cost and thus the risk to enterprise buyers. Alternatively, a lot of companies do a standard consulting engagement to highlight the benefits of their tools, with the idea that once the customer sees all the tool can do via the consulting project, they'll absolutely need to buy it. Tizor's recent announcement of a content discovery service would seem to fit into the latter bucket. Regardless of how they got there (and they are not unique in offering a service to discover content), for those of you worried about leaking intellectual property, this kind of thing is important. How do you know what is leaking if you don't even know what you are supposed to be protecting? That's why it's so important to build relationships with business leaders. You don't know what needs to be protected, but they do. And the only way to figure that out is to ask them.

The Laundry List

  1. In this month's ebizQ feature, I tackle why the secure software development life cycle (SDLC) is important and how to get there. - The Mike Rothman Security Report
  2. Secure Computing announced Q4, which was light on the revenue line. Given all the other security vendors are announcing blowout Q4 results (but cautious on the 2008 outlook), this doesn't bode well. - Secure Computing earnings release
  3. Check Point joins the bundling crowd, finally integrating PointSec into their new Endpoint Security offering. Original name there too.  - SearchSecurity coverage
  4. Speed is in the eye of the beholder. Shimmy rants a bit about IPS throughput stats and he makes a good point. The vendors will lie about performance; verify their findings yourself. - Shimmy's blog

Top Blog Postings

Test yourself to fight boredom
Bejtlich covers the recent news about TSA testing techniques and makes a number of great points. I'm a big fan of security assurance, and that means testing your defenses - using the tactics the bad guys use. It seems the TSA is a fan of that too and they test on the order of 70,000 threat images every day. Why? The first reason is training. When someone screws up, they can use relevant and REAL context to make sure it doesn't happen again. Second is to keep these folks on their toes. Watching thousands of bags go by will make anyone numb. But knowing that there will be tests and that you will be held accountable certainly helps to keep folks engaged and paying attention. I know some folks think there are ethical issues with running these kinds of tests. I think those folks are wrong. The bad guys don't follow any rules, so why would we?
http://taosecurity.blogspot.com/2008/01/tsa-lessons-for-security-analysts.html

How do you prove security?
Interesting post over at the ModSecurity blog about proving the security of a web site. A couple of interesting points here, the first being that just saying "yes!" and praying is not really an answer. You probably chuckled, but a lot of folks do just that. They don't have a plan, they just react to whatever is thrown at their heads today and hope for the best. Hope is not a strategy. Second, tools are OK, but not necessarily sufficient. Then there is a nugget here that sounds vaguely familiar relative to using PCI to "prove" security: "It is much easier to pass a PCI audit if you are secure than to be secure because you pass a PCI audit." Right. Then it builds to the real answer, which is to track usage patterns (monitoring) and collect log data so you can piece together issues when they arise. Finally, it closes with the idea that you need to test your people and processes to ensure you can respond when something goes down. Amen to that.
http://www.modsecurity.org/blog/archives/2008/01/is_your_website.html

Security is a business function, REMEMBER?!?!?!
Hoff rants a bit about security vs. availability here. He's absolutely right. The first Pragmatic CSO "Reason to Secure" is to maintain business system availability. That doesn't say or even intimate that security is part of the plan. Sometimes security and availability are at odds with each other. You need to make the decision that's right for the business, even if it means taking on risk at times. Even a data leak or a corporate liability situation is minor if you can't take orders or ship products. That's what so many security professionals don't get. Decisions about how much to invest or what to do need to be made within the CONTEXT of the business. It's not about you or a personal indictment of your abilities if you don't get something funded. It's all about resource allocation, and someone has decided that they needed to allocate those resources elsewhere. Don't take it personally, but do learn from it. What didn't you do to make the case as to why your project was important? Was it really that important after all? There are a billion ways our organizations can be pwned. You can't stop them all, so you need to focus based upon what is most important to your business.
http://rationalsecurity.typepad.com/blog/2008/02/omg-availabilit.html