The Daily Incite - January 22, 2008
January 22, 2008 - Volume 3, #7
Good Morning:
I remember the first time I fixed something in my in-laws' house. I replaced a light switch or something like that. They were absolutely shocked and wanted to check out my family tree. Guys like me aren't supposed to be handy. As long as we have the plumber, electrician and handyman on speed dial, it's all good. I am happy to say that I'm a fairly handy dude. My first car was a VW bug and I spent many a day futzing around with the engine and installing a kick-ass sound system.
Even today, I routinely do simple plumbing, electrical and home theater wiring. I'm a mean plunger, have sweat-soldered copper pipes, and have been known to even change faucets and replace lighting fixtures. The only thing I can't stand is drywall. That is a tough job. To get it smooth and bump-free is brutal, and the Boss is a pretty exacting customer. So I leave the drywall to experts.
Over the long weekend, I was called to duty. First there was the case of the leaking sink faucet. Actually, I discovered the leak when we were having a new dishwasher installed. Incite Central is about 8 years old, so things are starting to go kaput, including the dishwasher. The opinion of the installer was to just get another faucet. COOL. Get the tools!
So I dutifully surfed the Internet, found the right faucet and had it shipped. Then I installed the fixture. I kind of looked like that guy on the birthday cake. Guess I need a new belt or something. I also have had some issues with my loo. It gets stuffed up pretty frequently. Thankfully I discovered maybe the greatest friend an amateur plumber can have...
Are you excited? It's the Kleer Drain Instant Drain Opener.
It's highlighted here on BoingBoing.
It's not new, but it's new to me. And boy does it work. Thank the Lord
for the splash guard, or things would have gotten really yucky.
As I was mopping up the floor (again), I kind of wondered whether this was a good use of my time. I've read countless people talking about outsourcing things that you can pay someone to do. I'm sure my billing rate is more than what I'd pay a plumber to fight with a faucet and unclog the toilet. Especially when you consider the 5 or 10 trips I need to make to Home Depot during a typical repair mission. (Crap, why didn't I buy that 1.5" o-ring?)
After some quiet contemplation, I became one with my decision to spend
time fixing the plumbing myself. Why? Because I actually enjoy it. I'm
not great at it and it probably takes me a lot more time than it would
someone who knows what they are doing. There is definitely a sense of
accomplishment when I get something done. Is it worth the opportunity
cost of doing some more work? To me it is. I guess that's why they call
it a hobby.
Have a great day.
Plumber's birthday cake originally uploaded by abbietabbie
Technorati: Information Security, CSO, Security Mike, Internet Security
Top Security News
Yahoo goes OpenID - where's the trust?
So what? -
The identity cognoscenti were all abuzz last week with word that Yahoo! is going to support OpenID 2.0 for authentication. Big whoop. It's not that a common authentication mechanism wouldn't be great. How cool would it be to actually get REAL single sign-on? But Dana Epp makes the exact point about why this doesn't matter. Everyone wants to jump on the open standards bandwagon, but no one wants to show some trust. In the identity space, that's the crux of the issue. OpenID specifies how a provider asserts an identity to a relying party; it says nothing about which providers a relying party should accept, and that decision is made out of band. It's wonderful that Yahoo will act as a provider, but it doesn't seem they are going to act as a relying party and trust anyone else's OpenID credentials. So this is the same old, same old. There is no web of trust here, it's all one way. And that's not good enough. With the exception of using an open standard, this is no different than Microsoft's ill-fated attempt to get Passport broadly accepted - which went over like a lead balloon.
EMC eats their own dog food
So what? -
Looks like EMC/RSA has taken the cattle prod to their PR folks. In this NetworkWorld profile, the CSO of EMC talks about security and why it's important to them. EMC is a Fortune 500 company, and unless they use their own stuff to make their own operations work better, why would a customer trust the products to do the same? This approach worked wonderfully for Cisco through the years. Whether it was how e-business transformed their operations (like closing the books in a day) or how Cisco runs security, it helped build credibility with the customer base. So what do we learn about EMC here? Not a hell of a lot besides that they encrypt laptops, do data leakage prevention, and take a look at their SIM (security information management) data. All of which are products that RSA now sells. Hmmm. Funny how that works.
Deal: Arbor sends an olive branch to Ellacoya
So what? -
Ah yes, the deals begin again. This time it's Ellacoya being taken out by Arbor Networks. First of all, this is a private-to-private deal, which means Ellacoya couldn't find a real buyer with a real currency to take them out. That's not a good sign. Secondly, as Stiennon points out, this is a bit far afield for Arbor. But in differing with Richard, I don't think that's so much of an issue. Arbor dominates the space for network behavior analysis (NBA) in the carrier market. But there are only 120 or so carriers that can buy their product. You need to do one of two things to keep growing: sell more to your existing customers or find new customers for your existing products. This deal indicates that Arbor is focusing on the former, using Ellacoya's traffic management technology to sell those same carriers something beyond "security." The reality is that in a carrier context NBA does a lot more than just security, but that's another post for another day. To net this out, this is just yet another indication that NBA is not a stand-alone market.
The Laundry List
- XSS 101. Kevin Beaver does a good intro on cross-site scripting. If you don't understand XSS, you better learn fast. The bad guys certainly understand it. - SearchWindowsSecurity coverage
- Oh crap, another OPSEC. This time from McAfee, which launches its "Security Innovation Alliance" partner program, in the mold of Check Point's OPSEC alliance. I guess we better order a bunch more of the purple suits for all the Barney announcements happening in 2008. - McAfee release
- The secret to security? Authentication?!?!? According to Roger Grimes anyway. Sure, snap your fingers and make hardware impervious to hacks. Someone get this guy a time machine, so he can go back to 1955 and design the stuff right in the first place. - Grimes InfoWorld Column
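To make the XSS item above concrete, here is an added example (not from Beaver's article or from this newsletter) of the bug in its simplest reflected form: a search page that echoes the `q` parameter into HTML. The first handler interpolates the raw value and executes whatever the attacker put in the URL; the second escapes it for the HTML text context, so the browser renders the payload as harmless text. The hostnames and the attack URL are constructed for the example.

```python
import html
from urllib.parse import parse_qs, urlsplit

# Constructed sample request: an attacker-supplied link to a search page.
# Decoded, q is: <script>alert(document.cookie)</script>
ATTACK_URL = (
    "https://shop.example/search?"
    "q=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E"
)


def query_from_url(url: str) -> str:
    """Extract the q= parameter exactly as a web framework would hand it to us."""
    params = parse_qs(urlsplit(url).query)
    return params.get("q", [""])[0]


def render_search_vulnerable(query: str) -> str:
    """The bug: untrusted input goes straight into the HTML body.

    Anything the attacker puts in the URL becomes part of the page's markup,
    and a <script> element in it runs with the site's origin and cookies.
    """
    return f"<p>You searched for: <b>{query}</b></p>"


def render_search_fixed(query: str) -> str:
    """The fix for this context: HTML-escape before interpolating.

    html.escape turns < > & " ' into entities, so the browser shows the
    payload as text. This is correct only for HTML text and quoted attribute
    values; data placed inside a <script> block, a URL, or CSS needs the
    encoding appropriate to that context instead.
    """
    return f"<p>You searched for: <b>{html.escape(query, quote=True)}</b></p>"


def contains_live_script(markup: str) -> bool:
    """Crude check used by the example to show whether a script tag survived."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    q = query_from_url(ATTACK_URL)
    print("vulnerable:", render_search_vulnerable(q))
    print("fixed:     ", render_search_fixed(q))
```

Running it prints the two renderings side by side; only the first contains an executable `<script>` element. The check at the end is deliberately crude (string matching is not how you detect XSS in production), it exists only to make the difference between the two renderings visible.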
Top Blog Postings
Profit center vs. cost center
I guess I'm a bit perplexed that smart guys like AndyITGuy and Alex Hutton are only now coming to the conclusion that security is a cost center. I'm sure these guys have understood that for a while, but based upon a few of their recent posts it is finally sinking in. Being a cost center means the organization will take the path of least resistance and least cost to achieve the lowest common denominator goal that is security. For a lot of folks, that lowest common denominator is PCI compliance. So they are not going to do any more than they think they have to in order to keep the auditor happy. Obviously, that isn't good enough - but what to do? Basically you need to get good at magic. You need to convince the powers that be that your security program is not about compliance, it's about security, and compliance comes along for the ride. The secret to this "magic?" It's all about credibility. If you aren't credible, the bean counters will beat down your budget mercilessly. Even if you are credible, they will still beat down your budget, but if you've played the game right you'll have enough to do what you need to do. Or find somewhere else to do it.
http://andyitguy.blogspot.com/2008/01/pci-compliance-why-bother.html
Subliminal marketing 2.0
It seems everyone in vendor-land is blogging and trying to get involved in the conversation. That's not a bad thing, but I'm not sure how effective it is at actually generating business. Which is what marketing is supposed to do, unless that's changed in the past two years. It seems to me to be kind of like paying the RSA Conference tax every year. You are conspicuous by your absence, so you need to do it. But if you are looking for some other interesting tactics, check out how Greg Ness of Blue Lane is conditioning the investment community about the need for virtualization security. Huh? Greg doesn't really "blog," but rather posts these long-winded diatribes on Seeking Alpha, which is a site targeted towards investors. He liberally sprinkles in references to hot companies like Cisco and VMware and Microsoft, and his thought pieces end up on the desks of lots of high-powered investors. This is interesting for a couple of reasons. First, many of these investors work for large companies, who may be prospects for Blue Lane. Next, Blue Lane is private, so at some point they'll need to raise money, and Greg is conditioning these folks to be receptive to the idea of virtualization security - even if it's not a real issue yet.
http://seekingalpha.com/article/60358-security-patch-paradox-not-just-a-problem-for-oracle
The CSO's toughest job - hiring
Bejtlich provides a venue for a blog reader to pose a question about hiring competent operations folks in this post. The reader definitely has a pretty focused set of questions to determine the competence of a candidate. But there is a problem, as Richard points out: there just aren't that many folks that are "competent." So what to do? Basically you'll need to grow your own. That means putting a decent amount of training money into the budget and also understanding that many of your junior folks will need mentors and a lot of hand-holding to get them to where they need to be. If there is a positive side to this, you'll get to train these folks correctly and not have to deal with bad habits they've accumulated from the raft of other dysfunctional environments they've worked in. Also check out (ISC)²'s new site that is focused on hiring. Of course, most of it gets back to why you should hire CISSPs - but if you can look past that dogma, there are some interesting papers there (registration required), including compensation information.
http://taosecurity.blogspot.com/2008/01/how-can-blog-reader-find-competent.html
Mike:
As I said in our podcast interview I think virtsec will become relevant as production data centers are virtualized. I think we both agree that the virtualization of production environments is inevitable... it is just a question of timing. There have been multiple references to this across the blogosphere and in the press, so I certainly won't go long-winded on you and drop more names.
My piece about the Oracle security paradox (which was picked up by Seeking Alpha) addresses a complementary issue: the breakdown of security when it comes to the protection of physical data centers. I blog at www.archimedius.net and have had a column at Always On since Spring '04.
I have met plenty of financial analysts via the blog (among others) and enjoy exchanging opinions about where technology is taking us. It is another channel from both an outreach and feedback perspective. And, more importantly, it's OK with my home front boss. Thanks again for the conversation... I see my traffic spiking already.
Greg
Mike, great point about Yahoo/OpenID and trust. This is the same problem that happened with SAML and federated access control. The technology worked fine, but basically only got deployed between companies that already had existing business relationships and had already worked out the legal arrangements. For those guys, federated SSO makes an existing process easier.
A few years ago, I was amazed at how many customers would ask me, when I talked about our SAML product, "How will this product establish trust with new trading partners?" I had to explain each time that there wasn't any magic dust included in the product that would establish trust between two companies that didn't have any relationship in the first place.
The barriers in this area are more often legal than technological.
Excellent point Rick. I too remember back to the days of EDI, where it was all about the business relationships. Then this Internet thing was supposed to change all that and allow ad hoc commerce to happen. Not so much.
Turns out companies are still somewhat wedded to this legal construct of the business relationship, and with good reason. So building this "web of trust" will happen slowly, if at all - one trading partner at a time.