The Daily Incite - February 9, 2007
February 9, 2007 - Volume 2, #25
Good Morning:
Click, click, click, click. Can you hear that clicking? Yes, that's me clicking my heels and saying, "There is no place like home. There is no place like home." Hey, it worked for Dorothy, why not me? That's right Toto, I wasn't in Kansas this week and after a week of pot stirring, rabble rousing, and overall carousing, I'm ready to go home. I miss my wife, I miss my kids, and as much as I like my industry friends and relish the few times a year we get together - I'll be a happy guy when we land at Hartsfield later this afternoon.
One of the questions that inevitably gets asked next week of everyone that was at the RSA show is "was it worth it?" I spoke to a number of vendors on the floor that were very happy. I spoke to a number of CSO-types that learned a lot. I also spoke to a lot of folks that were disappointed. The difference between the two: expectations. Of course, you develop expectations largely due to the investment (time, money, resources, opportunity cost) that you make in any initiative.
But I do have to wonder about some of these very small vendors who had 20x20 booths at the show. We are talking a $50,000 investment minimum for that kind of real estate, which may outstrip their sales in a quarter. You show up at the show to be seen, but there is also a point where you are pissing money down a hole. I think a lot of security CEOs will be asking which hole they pissed money down this week.
I'm just going to cover a few blog posts today that I didn't get to this week, since I was so focused on RSA news. If I ran into you this week, it was great to see you. If not, I look forward to my next opportunity to meet you. It really is great to see our business as really an industry as opposed to a hobby nowadays. That's all good for all of us.
Have a great weekend.
Technorati: Information Security, CSO
Top Blog Postings
Security cannot stop business
Tim Wilson rants a bit about his issues connecting to the RSA show wireless network here. I agree with him, it was a pain in the ass and I didn't spend any time doing it. I routinely hijacked a wired port (using the well-known unplug-another-computer attack) when I needed to connect. The personal user ID/password system just didn't work. It was too hard, support costs must have been significant and ultimately it impacted our ability to work. That is the definition of bad security. Anyway, I don't like to use a wireless network at security shows. There are too many people that know too much for me to feel comfortable. It's like walking around in a deer suit at a gun convention. Don't be surprised if you get shot.
http://www.darkreading.com/document.asp?doc_id=116737
Is phishing a risk?
Alex Hutton supports PayPal's CSO, who maintains that phishing is a low risk to them. Hmmm. Since Alex loves to talk about different types of risk, let's play a bit. Is phishing going to cost PayPal a lot of money? Probably not: because of their internal fraud detection capabilities, it's unlikely that a bad guy is going to get access to lots of money, and I don't know about you - but I know very few people that have more than a few bucks in their PayPal account. But wait, doesn't PayPal allow you to transfer money to and from your other bank and credit card accounts? Yep. So if a phishing attack works and a bad guy gets into my PayPal account, doesn't he/she then have access to loot my real bank accounts? Yep. Is that not a risk? But I think Alex's point is that it may not be the biggest risk that PayPal is facing, and at the end of the day you need to spend the biggest part of your time addressing the risk that is most significant to your business.
http://riskmanagementinsight.com/riskanalysis/?p=99
There is no lack of stuff to do
Over at Simon Riggs' blog, he's wondering if the CSO is the next dodo bird. If they aren't Pragmatic, I suspect they are. His points are well taken in that CSOs that practice from an ivory tower and don't understand their business cannot be successful. CSO is a C-title, and that means (to me anyway) that it's a business-oriented role. Maybe you can figure out how to make security generic, but I think defenses need to be tailored to an organization's risk profile - and that's not generic at all.
http://www.simonriggs.com/2007/02/07/is-the-traditional-chief-information-security-officer-the-next-dodo/
Why didn't the Root DNS attack work?
Rob Graham of Errata Security does a good job here describing why the Root DNS attack largely failed and it shows we've made real progress. Imagine that, we've actually learned something over the past few years. When the attack in 2002 was largely successful, folks changed things. They fortified their defenses, and the DNS environment held up. That's a great sign.
http://erratasec.blogspot.com/2007/02/root-dns-attacked-thats-sooooo-20th.html
Even if it's improving, it's still a problem
Farnum (great to meet you in person this week bud) makes a good point here. So what if the amount and number of ID theft situations went down. Do you really believe those numbers? Whether you do or don't, the number of folks that got compromised was not zero, thus it's a problem. And given the aggregate number, it's a big problem. Have we made progress? I say yes. Are we moving in the right direction? Some folks are, and with the focus on data/information security at the RSA conference this week, I'd say we are at least asking the right questions. But like with spam, I wouldn't be spending a lot of time congratulating ourselves just yet. Not by a long shot.
http://www.computerworld.com/blogs/node/4539
Don't forget the training
It's funny, but at RSA we see all sorts of products and services to protect things. There were even some universities there that train security professionals. But there wasn't anyone there that was pushing user awareness training. No one that made a big deal of their curriculum and their success in helping organizations defend against attacks because they had smart users. Andy IT Guy makes the point not to forget this part of the equation, especially for our own IT people. And maybe someday we'll see a company emerge that focuses on user awareness training in a more leveraged fashion. Now that would be a novel idea.
http://andyitguy.blogspot.com/2007/02/users-continue-to-prove-that-security.html
Is IM still a threat?
One of the things I didn't see at RSA was talk of IM remaining a "dangerous" vector. Those vendors with a solution certainly weren't talking about it, but rather have broadened their offerings to be more UTM or content security focused. Just goes to show that IMLogic taking the money and running a year ago was exactly the right move. IM security is not a market, it's a tab on your perimeter defense interface. Scott Wright points out that there are definitely threats, but I believe they are not separate threats that need a separate capability to solve. Anyone disagree out there?
http://securityviews.com/blog/2007/02/03/instant-messaging-in-the-enterprise-security-threat-privacy-threat-or-useful-tool/