The Daily Incite - January 7, 2008
January 07, 2008 - Volume 3, #2
Good Morning:
Two of my favorite words are "ROAD TRIP." Though "NY Giants Win" are
close behind. :-) Road trips were a staple of my early adulthood.
Whether it was my pledge trip as a freshman (we went to visit
fraternity brothers at Bucknell) or the many Winnebago trips we took
from DC to Ithaca for Homecoming, the road trip always meant good times
with good friends, lots of shenanigans, and many lost brain cells.
Nowadays the road trip is
still a big part of my existence, but not like it used to be - that's
for sure. Packing up 3 kids, the Boss, and way too much stuff into our
van for the 10-11 hour trip from Atlanta to Maryland (and back) to
visit the Boss'
family is, well, a bit different.
I have to thank the heavens for a couple of things. First is the
portable DVD player. I have been very resistant to getting a DVD built
into the van because I don't think my kids should expect to watch
movies every time they get in the car. They watch
plenty of TV already, and having video only a PLAY button away is very
tempting when they are acting up.
So I bought this contraption to mount a portable DVD player between the
driver
and passenger seats. It works great. The kids watch the movies and for
the most part are pretty well behaved. The Boss tells tales of her 20+
hour car trips to FLA as a kid. No video, no Leapster, no Nintendo DS?
OHMYGOD. They actually had to talk or count license plates or do
whatever kids did on long trips... Yes, we are pretty spoiled nowadays.
The other thing I'm thankful for is my iPod. I put the headphones on
(only one when I'm driving, of course...) and tune out, so I can focus
on the road and
not who did what to whom or who's not sharing what with the others. It
makes the trip go a lot faster for me, and since it's all about me -
that's a good thing.
Until my iPod blew up. Actually, it didn't blow up - it just died. 15
months after I bought it. Totally dead. Good night. The day before my
10+ hour car trip. A lot of conspiracy theorists have talked about
planned obsolescence and this is a great case in point. The standard
warranty is a year. So I'm potentially out of luck. What's another $300
between friends, eh?
But for once in my life, I actually got the AppleCare service contract
with the device. So I just brought it into the Apple Store (after I
made my appointment at the Genius Bar over the web), they confirmed the
unit was DOA and they gave me a brand new one. OK, maybe it's not brand
new - but it works.
I've never been a big fan of service contracts because the insurance
companies that underwrite these policies make lots of money from
suckers like me. But anything with a hard drive, I get the extra
coverage. And I haven't been disappointed yet. I've had Tivo's die,
computers die, and pretty much every other kind of electronic product
go south. Right after the standard warranty runs out - of course. Not
sure how the planned
obsolescence thing works, but it works.
Have a great day.
Top Security News
E&Y's findings? - Be Pragmatic
So what? -
Add another big shop that espouses the benefits of being Pragmatic. I
know, I know - I'm starting to sound like a broken record. But I can't
help it. I just scanned through the first few pages of the 2007
E&Y Global Information Security Survey and I'm shocked to see
that their first "key finding" is that security must be more closely
aligned with the business. You can download the report from E&Y's
website. There isn't really anything in there that we don't
already know - but at least a lot of the stuff I say is consistent with
what everyone else is saying. I guess that's good because I was there
12-18 months ago. One interesting tidbit continues to be the lack of
skilled IT security personnel. That is great for folks that are
skilled. Supply and demand means that your skills will be more highly
valued. But it also means we need to do a better job of building our
farm system, and more systematically make security a desirable
profession for those folks just getting out of school and looking for a
specialty.
Big security goes on the offensive in 2008
So what? -
InfoWorld's Matt Hines does a pretty interesting interview with the Big Yellow's John
Thompson and McAfee's Dave DeWalt. What was interesting is
that both are defending the trend that big is the new small. DeWalt
has the best answer to that and it gets back to the customers. If a
product area is mature, why would a big company (or even a small
company for that matter) want to mess around with a start-up? Right,
they wouldn't. Also some interesting discussion around DLP. This is
where the strategies of SYMC and MFE really diverge. Basically Thompson
wrote a big check to buy a leadership position in a very early market.
McAfee is trying to build it themselves, based on some very early
technology they acquired about 18 months ago. The reality is that MFE
has time to get established in this market, but not that much. They can
probably wait another 6-9 months as the market starts to shake out.
It'll either hit the inflection point and they'll pay up for whatever
they buy. Or it won't and they'll get a good bargain. Or they'll do
nothing (like with anti-spam) and totally miss the market. But they
aren't
the only shop that will be shopping for something this year (IBM/ISS,
MSFT, probably Cisco too), so DLP will see some more consolidation this
year too.
Today's Meatball: Who is responsible for Information Security?
So what? -
The IT Compliance Institute has started publishing some
Q&A pieces. This
one asks the question about who is responsible for information security?
You better have said everyone. Yes, it's a cultural thing and it's
important that everyone feels some ownership for the protection of
corporate digital assets. You'll need to swim upstream against apathy
and other obstacles, but with a good security awareness program in
place - you'll make inroads this year. But I don't think that was
really the question. So if I turn it around a little and say, who is
ACCOUNTABLE for information security? The answer is the Board of
Directors, and thus the CEO - who usually assigns a Chief Security
Officer to manage the program and be on top of the details. The author
of the Q&A, Dan Swanson, gets it mostly right saying the Board,
managers and internal audit need to work together to get it done. But
you can't fire everyone, so when I think about accountability - it
really needs to reside with one person and that's the CSO. There are
also a bunch of good resources on security and audit topics at the
bottom of the column, so check it out.
The Laundry List
- Maybe telling the Feds how to assess FISMA will make it relevant? If they don't even know how to test it, the odds they've done it right are nil. - GCN coverage
- ID theft services will be big in 2008. How many times do you need to get nailed before you actually take action? Maybe a few, but lots of folks are there. - Tim Wilson's Dark Reading blog
- We could use a storm in GA, but not this kind of Storm. The infamous regenerating worm morphs into a rootkit. Darwin would be proud how this one is evolving. - NetworkWorld coverage
- What? A positive earnings pre-announcement? Entrust says Q4 gets back to profitability. They are trading at about 1.1x sales, even with today's 8% bump. They coulda been a contenda, if PKI ever happened. - Entrust release
Top Blog Postings
Tilting at Risk Management windmills
Of course, since I continue to express skepticism about building risk
models (in a recent SearchSecurity column, no less), Jack Jones and
Alex Hutton continue to play Risk Management Don Quixote and Sancho in
defending the fine practice against all skepticism. Actually, Jack
makes a well-thought-out and cogent response to some of my concerns.
Which is not surprising because Jack is a good guy that knows his
stuff. And he is still tilting at windmills a bit because most
practitioners cannot even tie their shoes, and Jack and Alex are set on
teaching them how to shave a few tenths of a second off their 40-yard
split times. My main point is not to disagree with the fact that risk
management (or mitigation or whatever you want to call it) is
important - it is. We need to know what to focus on. My point is that
building models may not be the best way to get at that answer. In some
organizations (like the financial shops where Jack cut his teeth, who
UNDERSTAND risk), it can work. But in most, it's not the best use of
time. I do
quite a bit of windmill tilting myself, so I don't have an issue with
Jack taking umbrage at my continued skepticism - but risk modeling is
like a graduate level course in security, and unfortunately way too
many folks that call themselves security professionals are still in
elementary school.
http://riskmanagementinsight.com/riskanalysis/?p=315
Giddee up cowboy, where is that herd again?
Andy Jaquith is a big thinker. Besides his great work on metrics, he's
also thinking about how we can keep up with the flood of new malware
that is plaguing us all. His answer, according to Matt Hines and then covered by
Shimel and Hoff, is the "herd" mentality.
Basically, all of the anti-malware vendors should get together and
share information, so that a more automated response can help us react
faster. It'll never happen. Remember, I can be the cynic and say the
Big Security vendors don't really want to solve the problem. If they
got out ahead of malware, what would happen to their cash cows? Wow,
that was cynical. Anyway, many of the vendors already share malware via
the Wild List, so some of this does happen - although not fast enough.
The spam vendors also have millions of honey pots out there to gather
data about good and bad mail. You also need to consider how much data
makes any vendor's conclusions statistically reliable. You're telling me
Symantec doesn't have enough data to figure out new malware attacks?
Doubtful. If anything, they don't have enough resources to wade through
all the data they already have. But the overlooked portion of Andy's
report is his focus on REACTING FASTER via monitoring as a critical
corollary to new malware defenses. This is why Andy's head isn't just
in the clouds (even though he's like 6'5"). He understands that no
matter how many zebras we get in the herd, there will always be attacks
we don't anticipate. So you better monitor your stuff as well and be
able to react when something goes down.
http://www.stillsecureafteralltheseyears.com/ashimmy/2007/12/it-security-lev.html
Pass the audit or protect the data?
Gary McGraw of Cigital goes down an interesting road in this Dark
Reading column, relative to whether the end goal is to be compliant or
to be secure. If you've been reading TDI for any length of time, you
know where I fall relative to the discussion. It's about security FIRST
and if you do a good job at security, then you will be compliant.
Unfortunately, I think this is one of the windmills that I personally
tilt at all too often. The reality is many security folks live from
audit to audit. They try to get through their list from the last audit
before it comes time for the next audit. The idea of actually trying to
contribute to the business? HA! Gary goes after web application
firewalls as his metaphor to show this issue. Sure a WAF (what a crappy
acronym - no wonder the market has stagnated) will help achieve
Requirements 1 and 6 in PCI-speak, but it certainly doesn't do much to
stop insiders or attacks that target endpoints. Since McGraw is in the
secure software business, he pushes the idea of building software more
securely - which is right, but a long term solution. At least he
acknowledges that there are some short term benefits to a WAF. Yet we
shouldn't forget the bigger point here, which is get your security
house in order and the compliance stuff is a lot easier.
http://www.darkreading.com/document.asp?doc_id=140979