The Daily Incite - July 3, 2008
July 3, 2008 - Volume 3, #62
Good Morning:
It's really cool when your kids hit milestones. For instance, yesterday
the tooth fairy came to visit our house for the first time. And quite a
visit it was, since my oldest has been a bit "slow" on the tooth front.
So our dentist removed 4 in one fell swoop to make room for the two
that already emerged behind the baby teeth. So at least now we can
ditch the shark costume we had picked out for October.

So the fairy comes (with handwriting amazingly similar to the Boss) and
leaves an envelope filled with a $20 spot. Four teeth * $5/tooth
(evidently inflation strikes everywhere) and the kid is cleaning up.
She was happy and that is all that matters.
Of course, when thinking about the costs of dental care, I'm not happy.
And it's not the $20 tooth fairy tax. Of course, you can't have a kid
with teeth like a shark - so we had to do something. But dental
insurance is a total joke. Except it's not funny. I carried a policy
last year and paid out a ton in premiums. Given the deductibles and the
"usual and customary fees," which evidently aren't really customary
where I live - I got maybe 10% of the dental costs covered by the
policy. Yes, that's crap.
As I've described before, once I got out of engineering school - my
Math skills went down the tube, but even I can see this is no deal. So
I dropped the dental and bought a discount card - which gives me better
pricing at a couple of local dentists. After our costs this week, we
are already in the positive return column for the discount card.
But it's a real shame that health care costs and insurance are so
screwed up here in the US. I mean really really really really screwed
up. Thankfully, I've been very fortunate and I can pay for decent
insurance (if you call a multi-thousand dollar deductible "decent") and
cover whatever out of pocket expenses crop up. Not many are fortunate,
so they suffer with crappy care or can't get the drugs or access to
specialists that can help them.
Something's got to give because soon enough if my insurance premiums
keep rising at 15% per year (like they did last year), I'll be paying
more for insurance than I bring in. I can only hope that the next
administration takes a look at
the fundamental drivers of out-of-control health costs and tries to
address them. Normally I'm a fan of free markets, but that's clearly
not working in healthcare. Not by a long shot.
So do me a favor and stay healthy.
Have a great holiday weekend for those of you in the US. I'm laying low
a bit during July, so I posted a publishing schedule for the rest of
July yesterday, just so you aren't surprised as I hibernate.
Photo: "Tooth Fairy" originally uploaded by mouse
Technorati: Information Security, CSO, Security Mike, Internet Security
The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com
Get Your Special Report: 6 Easy Steps to Protect Your Identity and get access to Security Mike's Portal today www.securitymike.com
Top Security News
SE(e) IM later, luv!
So what? -
The folks at NetworkWorld enlisted Greg Shipley to put some SIEM
solutions through their paces. And the results are pretty mediocre. To
be clear, the biggest dog in the space, ArcSight decided not to show -
but the remaining ones were pretty underwhelming. Sure, each had some
strengths, and Q1 (the winner) got some decent props, but overall the
category is still too hard to use, takes too long to set up, and
doesn't deliver enough value without a lot of tuning and integration.
After 7-10 years, that's ridiculous. To me, this is a critical issue
because the security management platform is one of the key aspects to
being able to REACT FASTER, do investigations, and generate reports
for that pesky auditor. I can only hope (I've been doing a lot of
hoping lately) that the vendors take Greg's issues to heart and
continue rapidly iterating on their offerings. It would also be
interesting to see a Barracuda-like shop enter the market, with a $5K
toaster that is good enough for what most customers want. You know,
gather some data, set some realistic thresholds, and generate some
useful reports. If you need a PhD to set these things up, then someone
is missing the point of the mass market.
Link to this
Now that is multi-touch marketing
So what? -
McAfee made some news a while back with their "experiment" to have 50
people around the world answer unsolicited messages and pursue the
offers. NetworkWorld has an overview of one person's experience using
the pseudonym Penelope
Retch. Great name BTW. What did they learn? That the
unsolicited email is the first step in a very sophisticated and
aggressive set of marketing campaigns. It's sad, but if all of our
respective companies were as responsive in following up as these
fraudsters and snake oil sales folks, we'd all probably double
revenues. Now good luck to Ms. Retch in cleaning up her snail mail,
since evidently she had stuff mailed to her house. I hear they are just
as aggressive at removing the names from the lists as well. But for the
money shot, McAfee aims to prove that all this spyware slows down the
PC. Which means you need something to clean it, eh?
Link to this
Crappy data means crappy results
So what? -
Big Dennis Fisher's latest is probably the best argument that I've seen
showing that Shostack and Stewart's New School
is highlighting a huge issue. I've seen this myself as well. No one in
this business can agree on what to count and even if we could, no one
is willing to share the data. There isn't enough benefit to warrant
real clinical trial type environments to anonymously gather data and
protect the subjects, so we don't. And this means the statisticians
don't have enough relevant data to figure out which way the bubbles are
going. Thus we just muddle through our days, not really sure if we are
good or if we suck at security. Then we jump from job to job because
our bosses and senior management can't figure out if we're good or if
we suck either. I know there are a bunch of folks that are trying to
address the issue, and I was too. But it's pretty frustrating when
people don't want to help themselves. Oh well.
Link to this
The Laundry List
- Aladdin misses big and gets hammered by the Street (down 35% to a 4-year low). Maybe it's time to use one of those three wishes to make the pain stop. - Aladdin release
- Clearswift names a new CEO. Maybe he thought he was going to work for Swift Boat in this election year. But he's not. Good luck with that. - Clearswift release
- Cisco and the other multi-billion club forms a new forum called ICASI to tackle multi-vendor security issues. I guess the TCG didn't have any more room around their table. Not to push Cisco's proprietary standards anyway. - Cisco release
- How long before SYMC and MFE run to Brussels over Microsoft's Equipt bundle of Office + OneCare for $70/year? I'm betting their lawyers are working on their complaint as you read this. But you have to hand it to MSFT for figuring out new and innovative ways to leverage their monopoly. - AP Coverage
Top Blog Postings
One vote for WAF (with caveats)
Since PCI 6.6 is in the house, I'll point to a bunch of WAF (web
application firewall) posts over the next few weeks as the folks that
didn't get them deployed before the deadline will frantically push to
get it done before the next audit. Yesterday I pointed to Dre's reasons
why WAFs aren't much use. But there is always a flip side, and Jeremiah
does a good job of saying what I was trying to say. WAFs are not a
panacea, nothing is. But if you use the tool with your eyes open and
understand the limitations of what it can and can't do, then having a
layer to get rid of certain app attack vectors can help protect the
applications. Of course, that doesn't get you off the hook of looking
at the code and doing pen tests (J is big and all BJJ and stuff - so I
don't want to piss him off). Big J
also goes through how a bunch of logic flaws can be addressed with the
WAF to illustrate his points. Regardless of what you think about WAFs,
you can learn a lot by checking out the post and reading the comments.
http://jeremiahgrossman.blogspot.com/2008/06/can-wafs-protect-against-business-logic.html
Link to this
Fast Patching + PCI = what?
One of the great things about the blogosphere is that a bunch of smart
folks are always noodling over new data and using it to challenge and
question whether some of the status quo is still correct. This post has
Jeff Lowder wondering (based on Verizon's data) whether patching within
30 days (as prescribed by PCI) should still be a key aspect of
compliance, given that patching wouldn't have addressed too many of the
breaches Verizon found and can introduce regression issues and other
vulnerabilities. Jeff's main issue is not with patching, but with the
30 day requirement. I can see Bob Russo saying over and over again that
PCI DSS is guidance, not a firm mandate. Some companies have change control
procedures that don't allow patches to happen as quickly. So those
companies need to make a case to the assessor why the 30 days doesn't
make sense for them. It's GUIDANCE, and the assessors have the
flexibility to give an exception if it's warranted. The good news is
that it seems that not getting it done within 30 days will have minimal
impact. But given that many companies wouldn't patch EVER without this
kind of guidance, I'm fine with a 30 day suggestion.
http://www.bloginfosec.com/2008/06/27/pci-dss-position-on-patching-may-be-unjustified/
Link to this
Metrics Burton-style
Aside from my whining and whingeing about the inability of the industry
to gain any semblance of agreement on metrics, the folks at Burton put
things back in perspective. First Eric Maiwald reminds us about the
need to relate things to business value. Who knew? That's a big duh,
now isn't it. But it's still important to see it every so often. Then the
irrepressible Grumpy Pete presents 10 metrics he thinks are important.
A lot are focused on transactions and then some hocus pocus stuff like
total number of inline control events and costs of controls. He also
mentions things like total losses. Without reading the entirety of the
research and getting a feel for what these numbers really represent and
how to gather the data - it's hard for me to really assess the
likelihood that many/any end user organizations would have this kind of
data. It doesn't mean we shouldn't be focusing on gathering this stuff.
Maybe we should. I guess I'm still looking for some kind of poor man's
set of metrics. Numbers that are readily available to mid-sized end-user
companies. Data that can be spit out of a SIEM type apparatus (ah back
to my frustration about how hard it is to make SIEM work) or some other
set of tools. But those types of metrics are usually deemed too
unsophisticated to mean anything. So I guess I'll just keep whingeing
and whining. I don't want to be critical of His Grumpiness, since we've
got to keep throwing stuff against the wall to make progress. But we
need to think about the problem from the simpleton's perspective as
well.
http://srmsblog.burtongroup.com/2008/06/your-top-ten-st.html
Link to this
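Both the SIEM item above ("gather some data, set some realistic thresholds, and generate some useful reports") and the "poor man's metrics" wish in this item describe the same thing: numbers a mid-sized shop can pull straight out of its logs without a PhD or a six-month tuning project. The script below is an added example, not code from the original post, from NetworkWorld's test, or from any vendor. It parses a constructed batch of syslog-style sshd lines (not real captures), applies a plain failed-login threshold per source address, flags the case a threshold alone misses (a successful login from an address that had just been failing), and rolls the events up per host as the kind of readily available metric the item is asking for. The log format, the threshold of 5, and the hypothetical host names and RFC 5737 addresses are all assumptions made for the example.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of syslog-style sshd events (not real data). The CRON
# line is included on purpose: a real log mixes sources, and the parser has
# to skip what it does not understand rather than choke on it.
SAMPLE_LOG = """\
Jul  3 08:01:11 web01 sshd[2210]: Failed password for root from 203.0.113.7 port 51222 ssh2
Jul  3 08:01:13 web01 sshd[2210]: Failed password for root from 203.0.113.7 port 51223 ssh2
Jul  3 08:01:15 web01 sshd[2214]: Failed password for invalid user admin from 203.0.113.7 port 51224 ssh2
Jul  3 08:01:16 web01 sshd[2214]: Failed password for invalid user admin from 203.0.113.7 port 51225 ssh2
Jul  3 08:01:18 web01 sshd[2219]: Failed password for root from 203.0.113.7 port 51226 ssh2
Jul  3 08:01:20 web01 sshd[2219]: Failed password for root from 203.0.113.7 port 51227 ssh2
Jul  3 08:01:24 web01 sshd[2223]: Accepted password for root from 203.0.113.7 port 51228 ssh2
Jul  3 08:02:02 web02 sshd[4102]: Failed password for bob from 198.51.100.9 port 40110 ssh2
Jul  3 08:02:40 web02 sshd[4110]: Accepted password for alice from 192.0.2.5 port 40200 ssh2
Jul  3 08:03:01 web02 CRON[4120]: pam_unix(cron:session): session opened for user root by (uid=0)
Jul  3 08:03:15 web02 sshd[4131]: Failed password for bob from 198.51.100.9 port 40111 ssh2
"""

# Assumed OpenSSH password-auth line layout; "invalid user" appears when the
# account does not exist, so it is optional in the pattern.
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+ ssh2$"
)


def parse_events(text):
    """Turn raw log text into a list of dicts, silently skipping non-sshd lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def brute_force_alerts(events, threshold=5):
    """Realistic-threshold rule: source IPs with at least `threshold` failures."""
    failures = Counter(e["ip"] for e in events if e["outcome"] == "Failed")
    return {ip: n for ip, n in failures.items() if n >= threshold}


def success_after_failures(events, min_failures=3):
    """Higher-value rule: a login that succeeds from an IP that was just failing.

    A pure count threshold never fires on the single Accepted line, which is
    the line that actually matters, so this walks the stream in order and
    remembers prior failures per source address.
    """
    failures_so_far = Counter()
    hits = []
    for e in events:
        if e["outcome"] == "Failed":
            failures_so_far[e["ip"]] += 1
        elif failures_so_far[e["ip"]] >= min_failures:
            hits.append((e["ip"], e["user"], e["host"]))
    return hits


def summarize_by_host(events):
    """Poor man's metric: failed vs. accepted password logins per host."""
    totals = defaultdict(lambda: {"failed": 0, "accepted": 0})
    for e in events:
        totals[e["host"]][e["outcome"].lower()] += 1
    return dict(totals)


if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print("parsed events:", len(evts))
    print("brute-force sources:", brute_force_alerts(evts))
    print("success after failures:", success_after_failures(evts))
    print("per-host summary:", summarize_by_host(evts))
```

The threshold rule and the per-host rollup are what a "$5K toaster" could reasonably ship with out of the box; the success-after-failures rule is the piece that needs the events kept in order, which is exactly where the heavier products earn their tuning effort. Point `parse_events` at a real auth log and the numbers stop being constructed.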