The Daily Incite - January 24, 2008
January 24, 2008 - Volume 3, #8
Good Morning:
I got a number of notes over the past few days wondering why I didn't
mention the G-men victory and trip to the Super Bowl. It turns out I'm
still in a state of shock. A number of folks told me they didn't have a
chance in the frozen tundra of Lambeau, and candidly sending Dallas to
the off-season was enough for me. Of course, I was rooting hard for my
boys, but I was OK with whatever the final score was.
And then the G-men won. I didn't intentionally forget to mention it on
Tuesday. With the holiday and all the other stuff floating around in my
restricted gray matter, it just didn't happen. Now the anticipation
builds. Scarily enough, a lot of the pundits are saying the G-men have
a chance. A better chance than they did against the Pack. That'll teach
you to listen to pundits. Guess they seem to forget that the Pats are
18-0. I just want
the game to be competitive.
But it brings up
a bigger thought. What is good enough? The Giants are in the Super
Bowl. Is that a good enough outcome for the season? Should I just be
happy that the team got to the Big Show?
What about with your own life and job? Many of us are "high achievers."
That means for some unknown reason we push and push and push and push
and then probably push some more. We fight against internal
expectations that don't always seem reasonable, or even
useful.
Yet we do it anyway. I know I do. I've worked for some brutal bosses in
my time. Relentless. I mean really relentless. No matter what you
accomplished, the expectation was for more. Hardly even a thank-you or
an atta-boy for super human feats.
Now I work for myself and I find my boss (that's me, not THE BOSS) to
be pretty relentless as well. I find that I can't help it. I want to
grow
more. I want to do more. I want to do it faster. I'm not sure why, but
I do.
At some point, I'm hoping to control those inner demons and learn to be
content. Not necessarily satisfied, but content with what I achieve.
Every so often I'm able to do that, certainly more now than when I had
a "job." I'm making progress, but I'm not there yet. I need to keep
working towards a balanced existence. So if the G-men win, I'll be
ecstatic. As long as the game is competitive, it'll be a good day. Even
if they get blown out, I'm going to try to be
happy also. There are 30 other teams that will be sitting on their cans
on Feb 3. My favorite team is not one of them. There is something to be
said about that.
Don't worry, be happy - and have a great weekend.
Technorati: Information Security, CSO, Security Mike, Internet Security
Top Security News
All software is vulnerable (even open source)
So what? -
Let's tip our hats to the US Department of Homeland Security for a
minute. Those folks take a lot of heat. A lot of it is deserved, but
every so often they throw their big budget around and really make a
difference. Like this project to scan a bunch of open source
software, which is described in this SC Mag article. Of
course the service provider, Coverity, found a bunch of stuff. That's
not a surprise. At least it shouldn't be. If you scan software, you'll
find holes. The even better news is that the open source projects are
taking that feedback seriously and working hard to fix things. This is
how the system gets better, folks. Thanks, DHS. That was money well spent.
The maturation of IPS
So what? -
IPS has been around for a while. I mean, Stiennon is still living off
the notoriety generated by his original "IDS is dead" call years
ago. Joel Snyder does a pretty flattering review
of SourceFire's latest in NetworkWorld this week and it's
pretty instructive. I also recently got a pretty detailed demo of
SourceFire's latest, and integrating behavioral data, signatures, and user
information does help to narrow the scope of what security admins need
to worry about. The technology is finally maturing enough to
be useful
and helpful in building a perimeter defense. Note that I said
"perimeter defense" because I don't think it's cost effective at this
point to deploy IPS everywhere. Not with the current sensor-based
model. As IPS and NAC and LAN switches continue to merge, some
of this capability will be baked into the fabric of the network, and
then it'll make sense to deploy enterprise wide. When is that? Given
the economic backdrop, I suspect many companies will be pushing those
LAN upgrades out a bit.
We are asking the wrong question about NAC
So what? -
There has been a lot of NAC blasting so far in 2008. I've probably been
contributing to that a bit, although to be clear (and to pat myself on
the back), I've been saying since early 2007 that NAC was over-hyped
and will clearly disappoint. Bill Brenner comes to the conclusion that
NAC is just immature, assembling a bunch of data points to
show that folks have decided to wait before jumping headlong into a NAC
implementation. But let's get back to the
fundamentals. Is host integrity checking important? Do you want to know
who and what is connecting to your network? Yes. Is access control
important? Do you want to make sure that whoever is allowed to connect
is allowed to get to only stuff they are authorized to see? Yes again.
Those are the two fundamental value propositions of NAC. Here's the
rub. NAC is not a stand-alone function. What those users were really
saying in
the article is that they don't want to build yet another security
layer. That's pretty consistent with the conversations I have. What NAC
does is important, but it needs to be built into the network
infrastructure for the capabilities to really take off.
The Laundry List
- A Lotus branded email security box? No kidding. Lotus now rebrands some of the ISS technology to get into the spam appliance game. Seriously. They should bring that time machine to market, since they are about 5 years too late. - CRN coverage
- The Big Yellow announces strong Q4 earnings and decent guidance for 2008. International growth is the engine, and it seems they'll be spinning off some more stuff. - Reuters coverage
- CheckPoint also weighs in with a good Q4 and decent guidance. They also indicate that they'll be doing some more deals. Hmmm. Big is the new small, eh? - Check Point release
- McAfee integrates DLP and encryption into their endpoint offering. Yep, integration is happening at multiple layers of the stack. - McAfee release
Top Blog Postings
WAF - not dead yet, actually yet another feature
Jeremiah does some good analysis of the web application firewall space
in this post. It's adjacent to what he does for a living, and I agree
that anything we can do to give the developers some breathing room
until they get a decent secure development process in place is a good
thing. So why hasn't the market taken off? As Jeremiah says,
"it’s been
around for roughly 10 years, still their market
really hasn’t taken off (roughly 1,000 deployments by my
estimates), but it hasn’t gone away either."
That could mean
a couple of things, including the products are too hard to use, the
customers don't see the value, and most likely the customers think they
are taking care of this via some other method. The real issue is that
this is a function that should happen in the perimeter firewall. In
fact, I suspect most of the perimeter vendors tell their customers they
do some of this already, even if it's pretty lame. But with the speed
of today's chips, performance is not an issue. Again, more integration.
That seems to be a common theme in 2008.
http://jeremiahgrossman.blogspot.com/2008/01/lets-talk-web-application-firewalls.html
It's all mainframes to me
I was actually around when mainframes ruled the world. In
my first set of technology jobs, I was a developer (it was a LOOOOOOONG
time ago) using an early PC to get terminal access to the mainframe.
That was the way things were done. Looking at Hoff's set of posts (here and below) about client
virtualization and server virtualization and NAC and the like, I just
get the sinking suspicion that we are moving back to the terminal to
host mentality. Let's step back into the time machine and think about
security back then. It was all about O/S level security and
fine-grained authorization (remember RACF and Top Secret?). We didn't
worry much about the network because our hosts had a distinct
connection. LANs screwed that up quite a bit and the Internet blew up
the model. But if we play out this terminal/host thought, the network
is no longer relevant - as long as I know who is connecting and making
sure they only get access to the right stuff. Is that NAC?
Functionality-wise, the answer is yes. But not as the current NAC
industry delivers the product. It's more like AC. Just drop the N,
since in this world, all networks are created equal. It is about access
control, just not network access control. Yes, that's an
oversimplification, and it will take years to get there. But those that
forget history are doomed to repeat it.
http://rationalsecurity.typepad.com/blog/2008/01/client-virtuali.html
What? Changing your mind is not weak?
Nitesh has a great post here about the stigma of changing our minds.
It's true. Changing direction on something is seen as being
weak. Entrepreneurs hate to admit they were wrong. The good ones do it
and live to fight another day. The bad ones fly the plane into the
mountain. Same goes for IT professionals. They make a big stink to push
a project through, and have a really hard time admitting that maybe it
wasn't the best idea. Or that they picked the wrong product or
architecture. Failing is not acceptable, and that's a problem. I like
to screw things up. And that's not just because I'm good at it and have
had a lot of practice. I've come to realize that if I'm not making
mistakes, then I'm not trying hard enough. The real key is to fail
faster. Or in Nitesh's lingo, change your mind faster. Not to the point
of flip-flopping or not seeing something through the Dip. But quickly
enough to not waste (too) much time and money.
http://www.oreillynet.com/onlamp/blog/2008/01/what_have_you_changed_your_min.html
Recently on the Security Incite's Blogs
Find out what Security Mike is talking about: http://sm-blog.securitymike.com
Check out the latest on the Security Incite blog: http://blog.securityincite.com/
Read the most recent Daily Incite: http://securityincite.com/security-incite-rants/daily-incite
In response to “It’s all mainframes to me” … I agree with your conceptual model that client virtualization and NAC could be viewed as a way to “… know who is connecting and making sure they only get access to the right stuff”. I think this misses the additional value points of client virtualization, especially when coupled with thin clients.
Drawing parallels to database security, where sophisticated access controls, groups, roles and privileges have been in place for years, we have demonstrated that we can work around or outright breach these facilities. Addressing security concerns within complex relational platforms is simply not possible with just access control & IDS. Users without credentials have been able to forge access rights, and ‘guest’ accounts exercise functions or view data that they should not be able to. And I am not simply talking about the more blatant SQL injection attacks (that IPS would detect), or poorly configured databases that allowed guests to run administrative features, but more subtle breaches in trust with distributed access control, indirect permissions, database links, internal & external stored procedure usage, replay attacks and many more. As a best practice, we remove many of these features and services to get rid of the risk entirely.
NAC protecting complex server and application environments, to me, offers the same benefits and detractors as Access Control on databases. NAC plus IPS closes more holes, but it does not reduce the scope of risk or complexity.
I also started my career in the twilight of punch cards and dim green ‘dumb’ terminals; I remember full well the sense of freedom that PCs provided. A feeling akin to driving your own car after having been forced to use public transit ... but I digress. No, I am not eager to go back to that closed system model & mentality either. But I think client virtualization is not necessarily a full return to that model, as the server and network have fundamentally changed, and we have variations on what the client can look like. I think client virtualization and a thin client model offer the advantages of reducing the scope of complexity, reducing the number of applications we potentially need to worry about, and reducing the number of data entry/exit points in a system. If we are protecting our IT ‘playground’, NAC gives us a fence and a gate, while Client Virtualization can do that and redefine the entire playground itself.
My .02 worth.