The Daily Incite - July 17, 2007

Submitted by Mike Rothman on Mon, 2007-07-16 20:50.
Today's Daily Incite

July 17, 2007 - Volume 2, #105

Good Morning:
Get your motor runnin' - Head out on the highway - Lookin' for adventure - And whatever comes our way. Of course, the classic Born to Be Wild from SteppenWolf. Well this morning it's a pretty timely tune, since by the time you read this I'll have embarked on a roadtrip with my Dad. Today we drive - from NY to Atlanta. Since he doesn't fly and needs to be in FLA on Sunday, it doesn't leave too many options for transportation. I'm just glad and fortunate that I can peel off for a day or two and handle some of the roadwork. 

There is just something about a roadtrip that makes me smile. My first experience with the roadtrip was watching Animal House. The Delta House is in dire straits, it's on its way out, things look pretty bleak, and what do you do? Of course, ROADTRIP. It just makes me want to shout. I can only hope no one wants to dance with my date along the way. And during my earlier years I did many a Winnebago trip from DC to Ithaca with my boys for Cornell Homecoming. Those were good times.

My Dad and I won't have a keg in the back (at least I don't think so). And since there are only two of us, there really aren't any straws to draw about who drives when. But we will be quite a connected car. I recently got EVDO (Parallels seemed to break my T-Mobile hotspot service and after an activation nightmare, EVDO has been pretty liberating as well as more secure!) and he's got Cingular's 3G data service also just in case. We've got a nav system to keep us on track and my 80GB iPod to keep the tunes flowing. Maybe we'll even break out the radar detector to make sure we don't replay Smokey and the Bandit. There are also a bunch of Starbucks along the way, so there will be lattes aplenty.

We've also got no plan, except to make it to ATL as soon as feasible. We'll probably drive South, but who knows? It'll be great. It's hard to take the time to do trips like this nowadays for both of us, but I'm glad we're going. The plan is to publish on Wednesday, but we'll see. No sleep till ATL! 

Have a great day.


The Pragmatic CSO

The Pragmatic CSO:
Available Now!

Read the Intro and Get
"5 Tips to be a Better CSO"
www.pragmaticcso.com

Top Security News

Did you call me a SISA?
So what? - When I was a kid, there wasn't much worse you could do than call someone a sissy. Man, that hurts even now, looking back 30 years or so - definitely fighting words. Back then you'd roll during recess or after school and that would be the end of it. So when I saw the acronym generator was broken and small companies like Cisco, EMC and Microsoft are aligning in a new group pushing a SISA (Secure Information Security Architecture), that was my first thought. I guess I still have work to do with my shrink, eh? Then my Barney-meter went into overdrive. The reality is information sharing amongst government entities is a huge problem, but it's not clear to me that a technology architecture will solve the territorial boundaries and competition between agencies that has prevented intelligence leverage. I can't be sure, but I don't think this is a technology problem. And sharing is also a bit opposed (like diametrically) to protecting the private information that exists in government coffers (VA anyone?). So over the horizon comes riding the 3 technology horsemen (with a few donkeys like Liquid Machines and Swan Island Networks to lug the food) with a white paper and some off-the-shelf products to make everything better. Am I the only one that is mildly skeptical about something like this?

Why do you want to "beat" a security audit?
So what? - This Dark Reading article that discusses 8 "sure-fire ways" to pass an audit makes some good points. But the title really annoys me. I think the acrimonious and combative stance that most security folks have towards auditors has run its course. Yes, following some of these practices like having consistent change management processes and giving users access to only data they need is certainly not a bad thing. But I think the best way to "beat" an audit is not to try to BEAT it at all. Some folks view an audit as a criticism of what you are doing. I view it as a milepost to figure out if I have 20 miles to go or just 5. Understand they always seem to move the finish line on you, but if you don't have someone else come in and tell you where you're at - how do you know where you need to go? My approach to audit and compliance is probably a bit unconventional, but it makes sense and it works. Interested? Pick up a copy of the Pragmatic CSO today and check it out (it's Step 12).

Pen Testing RFP
So what? - I'm an unabashed fan of penetration testing. While I'm flogging the P-CSO, the pen test is a big part of Step 10, a function I call security assurance. The bad guys are testing your systems every day, thus you should be using the tools and techniques they use to make sure you aren't exposed. So when I saw an "RFP" on pen testing in eWeek, I was intrigued. I like RFPs, since they give customers a way to learn about a technology category and sort of get an apples-to-apples comparison between different options. But I was disappointed by this effort. I don't think the information is really useful. It's more like a matrix. Do you support this feature or that feature? Yeah, that is sort of important, but I would have liked to see some explanation around each of the questions. Why would you ask that? Why is it important? Basically to provide some context, not a laundry list of features. Forgive me, but that would have required some work. I should know better.

The Laundry List

  1. Is private equity coming to Big Yellow Land? It would be a big deal and these guys look for cash cows - but this isn't a pipeline or an office building and it's not in Kansas, Dorothy. Your "assets" can disappear in a hot minute. But it would generate lots of fees for bankers. - Naraine blog
  2. Big Yellow helps low-income folks by partnering with One Economy to provide "Internet Safety" content to their portal. Of course, I'm not sure if the content will hit the target, but hats off to SYMC for working to educate a class of consumers that are frequent victims of cyber-crime. - Symantec release
  3. Nice knowing you, Aluria. EarthLink cheats on their in-house anti-spyware concubine and beds Sana. Must be Listwin's cool kimono. - Sana release
  4. More security coincidence? Watchfire and Cenzic both announce new releases today. The difference? Watchfire has gotten their payday. - Cenzic release Watchfire release

Top Blog Postings

Crisis communication - Know it, love it
Jeff Hayes points to a very important, but usually underutilized and ill-defined discipline of crisis communications. You know, what you do and say after the brown stuff has hit the fan. In front of every crowd I make the point that the single biggest determinant of whether a CSO lives to fight another day after an incident is how they communicate what happened and what's going to happen. The bad news for most of you is that 1 in a thousand can do this effectively without a plan and practice. Since odds are you aren't the one, you better get that plan in place. How do you do it? Talk to the general counsel and get advice from the marketing team. There is no reason to reinvent the wheel and both of those groups know what they do in a pinch.
http://mycsosolutions.net/2007/07/10/communications-during-a-crisis/

Build it in and adapt
Gunnar makes an important point here by using an example we can all understand - things blowing up in combat. The point is that US Humvees weren't designed to drive over land mines. So when they did, it didn't work out too well. So the military gurus adapted and are rolling out new vehicles that are better prepared to deal with the threat. Do you see the parallels to our little cyber-security world? If not, are you sleeping? Go get some more coffee, man. Basically, we can't know all the attack vectors that our enemies will use. Once a new vector appears, test yourself. Will your Humvee blow up? I'd rather find that out in a controlled situation, where I can contain the damage - rather than on the battlefield where I'm taking fire and soldiers are dying. You can architect systems in a flexible manner to facilitate change when you inevitably need to adapt. And you will, because I don't know much, but I do know the bad guys will continue to innovate and figure out ways around our tried and true defenses.
http://1raindrop.typepad.com/1_raindrop/2007/07/building-securi.html

You can't buy PCI compliance
Thanks to Ron Gula for giving me more fodder to remind folks that you CANNOT buy compliance. It's not a product you pick up at Best Buy. It's not a widget that you can just bolt onto your environment and make the problem go away. Give Ron some kudos for acknowledging that fact. You'd be surprised at the liberties that some vendor folks take when describing how they provide "PCI compliance." The fact is you need to scan to do PCI. I'm not sure I believe that 90% of certified PCI services use Nessus, because it sounds like one of those "86% of all statistics are made up on the spot" statistics. It's probably a high percentage, and I wonder what the other 10% use. But I digress. The point is that scanning and every other associated technology are only pieces of the PCI compliance puzzle. Ultimately you need a process that convinces the examiner that you have your act together. You need to document that process and show how it works when something goes awry. Being a fan of testing, I agree with Ron that scanning yourself will give you an idea about what the auditor will find, but it won't print out a little certificate that means anything to anyone. If the vendor says it does, they are lying to you.
http://blog.tenablesecurity.com/2007/07/can-i-use-nessu.html
