The Daily Incite - January 26, 2007

Submitted by Mike Rothman on Fri, 2007-01-26 09:59.
Today's Daily Incite

January 26, 2007 - Volume 2, #16

Good Morning:
Another day, another P-CSO review. This time Kelly Jackson Higgins of Dark Reading weighs in on the Pragmatic CSO. Her post is here. "Mike's group therapy at each of the 12 steps makes an inherently dry topic more digestible and fun to learn." Fun. Wow, that's a novel concept for a security book, eh? Get yours today at www.pragmaticcso.com.

At the end of what seemed to be a very long week, there isn't much new in security-land. Dennis Fisher figures that database encryption will solve all the privacy ills (here) and Eric Ogren posts some love about the Cisco/IronPort deal (here). Nothing new, really. Not much in blog-land either, except a funny post from Dr. Anton about the ROI of getting your ass kicked (here). It's probably more of an opportunity cost, but that's splitting hairs.

It must be Friday. So without further ado, get on with your day, get home to your family and friends, and enjoy the weekend. All this crap will be here when you return on Monday. Have a great weekend.

Top Security News

The problem is bigger than database encryption
So what? - I'm not sure we have all the information to understand what happened at TJX. But Dennis Fisher figures they should have encrypted the database and that would have protected the data. Maybe yes, maybe no. I made this point earlier in the week, but no single control or defense is a surefire solution to a problem. Although it's easy to just look at interesting technology and throw it at the problem, it's the wrong approach. Clearly things like database encryption can make it harder for a hacker to access data directly, but there are other ways to get it. They could compromise the application server, for instance, and read the data through the same path the application uses. So the issue is bigger than just encrypting some data, although I'm sure lots of enterprises will do that out of fear. Unfortunately it won't stop (or even slow down) the number of data and privacy breaches. But it'll make the encryption vendors happy.
http://searchsecurity.techtarget.com/columnItem/0,294698,sid14_gci1239802,00.html

Quick Network Security Planning
So what? - Dare I say it, but this tip in Enterprise Systems Journal is very pragmatic. Everyone needs a plan, but those who spend all day planning spend very little time doing. So plan quick, do stuff, adapt and repeat. The steps here are right on. Threat assessment, so you can figure out what's exposed and at risk. Categorization and then prioritization. What is most important to the business that you do RIGHT NOW? That's the key question that you need to ask yourself every single day. Oh yeah, then get something done. Told you it was pragmatic.
http://www.esj.com/news/article.aspx?EditorialsID=2418

EO shows Cisco some love
So what? - Unfortunately my friend EO (Eric Ogren) is a bit misinformed relative to what an E-MAIL reputation system is going to get Cisco. In this love note to Cisco, congratulating them on the IronPort deal, Eric does make a good point about the power of applying reputation to all sorts of things over time. But that's not reality now, that's vision. And Cisco has the resources to do that themselves. They didn't need IronPort to build a big-ass database. As I said in my analysis, Cisco needed IronPort because they need more exposure up the application stack and into the content realm. Reputation is nice and all, but let's not buy into the hype meisters convincing us that the reputation stuff is done for more than email and a little bit of bad web sites. It ain't.
http://www.darkreading.com/document.asp?doc_id=115061&WT.svl=column1_2

Tick tick tick tick tick BOOM!
So what? - Notification seems to be throwing some of these larger organizations for a loop. I'm not sure what the issue is, but it shouldn't take companies like TJX or Nationwide Health Plans 3 months to figure out there was a problem and to tell someone about it. Once you discover the issue, you use your containment plan to coordinate the damage control, including a forensics investigation. You figure out what happened, assess the damage and notify the appropriate parties. What does that take, a week max? 3 months is ridiculous and these folks should be raked over the coals. That's why having a plan and actively doing damage control is so critical: these folks have managed to turn a bad situation into a train wreck.
http://www.darkreading.com/document.asp?doc_id=115517


Top Blog Postings

The ripple effect
Folks use that image of the rock dropping into the pond and the resulting ripples to represent serenity. For security folks, it's more like the old fortified wine called Ripple. Seems like a good idea at the time, but you end up with a kick-ass hangover the next morning. Perry writes about the law of unintended consequences, and that is what we as security folks spend an awful lot of time dealing with. Every time something changes, there could be a regression impact to the security posture. New application, new location, new user, new visitor/consultant - your IT ecosystem is a dynamic place, and that's why a consistent assurance process to ensure your defenses are up to snuff is critical to being a successful CSO (Step 10 in the P-CSO). Perry points to an entertaining story that illuminates the point, but that's another reason why CSOs need to have a seat at the senior management table. If you don't know the rock is hitting the water until the ripples have become a tsunami that takes out your coastline, that's not too good, eh?
http://securityrenaissance.com/2007/01/25/explaining-the-law-of-unintended-consequences-via-cows/

Windows investigation primer
The Security Monkey points to a Microsoft guide on how to investigate Windows machines. He says it's pretty good, so I'm going to check it out. Of course there are folks that do forensics and investigations for a living (like the monkey), but every CSO needs to have some basic investigating skills to even figure out whether there is a problem and what it may be. As if I didn't have enough to do this weekend...
http://blogs.ittoolbox.com/security/investigator/archives/howto-investigating-windows-machines-14129

Ass whooping ROI calculator
Dr. Anton provides the laugh of the day with this post about the futility of most ROI calculations. Starting with the ROI of not jumping off a building and proceeding on to figuring out the ROI of sharing a cell with Bubba. His point is that trying to compute an ROI for something like compliance, which you HAVE to do if you are in a regulated industry, is a waste of time. I agree. Build a strong security program, document it, and you will find yourself in compliance.
http://chuvakin.blogspot.com/2007/01/roi-on-not-getting-your-ass-whooped.html

What the hell is NAC?
If you can get around the hyperbole in my friend Rob Chiampa's post here about NAC, there is an important message. But I'm not sure what it is, because there is so much NAC confusion spread around that I need a machete to get through it. Is NAC important? What problem does it solve? It's now a life or death technology? Yeah, not so much. Actually I'm not even sure what NAC is anymore. I have my definition and ideas, but as Rob points out, every security vendor is a NAC vendor now. That creates confusion. I hate confusion, even though it's good for my business. As opposed to talking about how a virus outbreak in a hospital endangers people's lives and NAC is the answer to that, let's talk about why. Why does NAC solve that problem? How do you define NAC? There are 31 flavors (if not more) of NAC out there, and this constant vendor rumbling is further evidence that NAC has nowhere to go but down in 2007. Too many people are talking about it, but not enough know what it means.
http://knowidentity.typepad.com/tnt/2007/01/31_flavors_of_n.html