The Daily Incite - January 15, 2008
January 15, 2008 - Volume 3, #5
Good Morning:
I hate crowds. Yes, I'm getting old. But the old days of standing around without any room to move are just not interesting. Regardless of whether I'm at a concert or a party or anywhere else, if there are too many people - I'm heading for the door. So I was very chagrined this weekend, when I piled the kids into the van and headed over to the gym. My gym is fantastic. It's about a year old, absolutely huge, and they have a great child center which will keep the kids out of trouble for two hours a day while I work out. I'm happy to say I'm still working out a couple of times a week, and they make it a lot easier when I can win points with the Boss by taking the kids with me on the weekends.
But I guess I'm not the only one to think the gym is fantastic. I could
hardly get a parking spot - and this parking lot is HUGE. Oh crap, my
gym has passed the Tipping Point and now I'm screwed. I hate waiting,
almost as much as I hate crowds.
But I didn't know the half of it. So I shrug it off and walk the kids
in. Through the ID check, no worries. All the way back to the child
center (which is literally as far away from the front door as can be -
which is a good thing, since most kids wouldn't be able to find their
way out if they did manage to escape the child center), and they are
FULL. Huh? This place is friggin' huge - how can the child center be
full? Nope, it's full.
And now I'm pissed. Even with my new Zen persona, I still can get a bit hot under the collar sometimes. And this was one of those times. How friggin' hard would it have been to just call the front desk and say they were full or within 10% of capacity? Maybe even map out a few options for parents hoping to get a workout in, like sit in the cafe for a while and have a juice on them? Unfortunately that would have required thinking. So instead I was surprised when I walked into the child center, and then I got pissed and growled at the 16-year-old behind the desk.
The little things make a big difference. I then went up to the front
desk manager and calmly (for me anyway) suggested a new process when it
does get crowded on weekends. I tried to explain that it's all about
managing expectations and that the little things go a long way towards
keeping happy customers. The manager nodded his head, made some notes,
and probably ignored me.
But that's OK. There will be maybe another 3 or 4 weekends like this.
January is tough because all the fat bastards decide they need to get
back in shape as their New Year Resolution. Like me last year. They
pile into the gym and annoy all the folks that are there consistently
through the year. Then they lose interest, sprain their ankles, or
decide it would be better to have a plate of chicken wings. So by
March, all will be back to normal - the gym will be empty and I won't
have to worry about skirting the crowd.
I just need a little patience. A commodity I have precious little of.
Have a great day.
Top Security News
The second most challenging security job
So what? - I definitely feel for everyone that does security in the EDU space. I think that it's toughest in secondary education (colleges and universities). Those poor folks have no ability to tell students not to do anything, and most of the students are old enough to pretty much do what they want. But it seems doing security in a K-12 environment is not a walk in the park either. This NetworkWorld profile highlights the downside of having very technically literate adolescents.
Those meddling kids basically figure out ways around the system.
Whether it's cheating
on tests using iPods and the like or skirting the web filter and
surfing some bad mojo, the kids seem to have the system by the, well
you know. If you are tasked with protecting these environments, what do
you do? I'm not sure there is a lot to do. A determined and skilled
adversary (even if they can't even drive yet) will get around your
defenses. Thus, it's critical to monitor your networks, so you know if
a device has been compromised. And it's critical to enforce the
policies. I know it's harsh to think about a kid being expelled for
inappropriate Internet use, but the reality is there is HUGE liability
if kids are exposed to stuff their parents don't think is cool. Ask
Julie Amero about that.
I've seen the enemy, and it is me.
So what? - As we head down to Mr. Rogers (Grimes) neighborhood, his weekly column focuses on the fact that users can still get hurt, even if they run as a standard user (without admin privileges). Right, malware isn't the biggest threat out there, it's users doing stupid things that put their identities at risk, open up bank accounts to be looted, and in general are a very bad thing. But to be clear, running with lower privileges DOES HELP. Without admin privileges the amount of damage that can be done by a virus or worm is pretty contained. Obviously it's not a panacea, since nothing is. Roger thinks he has a potential answer to this issue, but won't tell us about it until next week. I'm not a real patient guy, so that is kind of annoying.
There is no half pregnant
So what? - It's good to see some of the big computer makers eating their own dog food and using their own products and infrastructure to impact their business. It's hard to convince a big company that you can help them if you can't even help yourself. So this profile of HP's CIO and his efforts to remake the IT systems of the monolith makes a great point about making a commitment to a new set of systems. There is no half way, which is why, when I speak to some end user companies and they always have excuses why some security processes are not rolled out to the entire company, I push back a bit. Security is a lowest common denominator activity. The bad guys are doing reconnaissance on EVERYTHING. So strengthening some areas and not others is not a recipe for success. The bad guys will find your weak points, so make sure those weak points protect stuff that isn't that valuable. Yes, I'll repeat myself for the 10,000th time. Focus your efforts on protecting the most important stuff, and yes, you should know what that is in your environment.
The Laundry List
- Deal: Perimeter acquires SECCAS and gets into the weird capital letter abbreviation game. It's actually a messaging archival service, which makes sense if an organization can get their arms around sending regulated data off-site. - Perimeter eSecurity release
- Unisys gets into the predictions game. Nothing really interesting here, although evidently banks will have a problem protecting info and social networking is going to have privacy issues. MOO. - Unisys release
- StillSecure offers Vernier customers a mulligan with a dollar for dollar credit. BTW, these promotions rarely work, but make the field happy. - StillSecure release
Top Blog Postings
Where is the blog and wiki?
The Tao Master unveils his Defensible Network Architecture 2.0 in this post. The difference between v1 and v2.0? And no, it's not the addition of a YouTube video or a cool wiki. But it is stuff like inventorying your assets and also defining policies based on who owns that asset and how they use it (claimed). He also adds the concept of "assessed" to reflect the fact that testing your stuff is a good thing to do. Old stalwarts like monitoring (you didn't really think Bejtlich could forget about that?), controlling, and minimizing are included as well. Richard's most important point is that this architecture is not something you buy - it's a state of mind. You get there over a period of years, not months or even quarters. It's also not something you can do yourself. You've got to reach out and work with the asset owners, in order to make sure the most appropriate defenses are put in place for a specific asset. Remember, what you think is important doesn't matter. You need to get off your butt and go talk to the business leaders and really understand what THEY think is important.
http://taosecurity.blogspot.com/2008/01/defensible-network-architecture-20.html
Wide and deep? - Good luck with that
It's good to see the topic of software security front and center in 2008. Gary McGraw is getting out there and publishing some good stuff. The folks at Fortify are doing some kind of video thing (the blogosphere is buzzing about that) to highlight the importance of securing the code, and I expect another good year for the folks that sell tools and consulting services to help organizations make some progress on this front. Gunnar makes a good point here that getting the process started is hard and requires specialized knowledge. The money quote is: "...to deploy any of the current cutting edge stuff in software security at scale, requires technical depth and deployment width." That is a hard-to-find combination, that's for sure. GP then goes on to discuss what I'll call the Tiger team approach, which swoops in to address a specific issue and then moves to the next one. He finishes with another important point, which is "executive buy in." That is absolutely critical because any software security pro worth a damn will find stuff in applications; it's the organization's commitment to fixing it and then amending the process to ensure it doesn't happen again that makes the difference between success and failure.
http://1raindrop.typepad.com/1_raindrop/2008/01/go-wide-and-dee.html
Check box security programs
AndyITGuy's new gig is definitely expanding his mind. As he now works
in a sizable enterprise, the observations he's making ring very true to
how screwy most big companies are. This time he focuses on the idea of
the "security program," which is near and dear to my heart. Andy's
point is that it's easy to document a program on paper and meet the
request of the latest audit. It's very hard to live it every day. It
all starts with support, which is why Step 1 of the P-CSO process is so
critical to any security officer's success. Andy says it as well as can
be said,
He also talks about the need for perseverance and a good
attitude. No one ever said this was an easy gig, but it is important.
That's probably little consolation for your ulcer, eh?
http://andyitguy.blogspot.com/2008/01/is-your-information-security-program.html