The Daily Incite - July 5, 2007

Submitted by Mike Rothman on Thu, 2007-07-05 08:15.
Today's Daily Incite

July 05, 2007 - Volume 2, #103

Good Morning:
I'll admit that I'm a bit disoriented this morning. I didn't even drink yesterday either. Having a Wednesday holiday kind of does that to me. When I woke up this morning (or was woken up by a screaming boy at 5:20 AM), I wasn't sure if it was Sunday or Monday or what. But first things first, calm down the boy - then get back in bed. Wait 20 minutes for him to start up again. Calm down the boy (again), and get back in bed. Stare at the ceiling a bit, knowing there is no way I'm getting back to sleep. Get up, brush my teeth and get to work. 

But why does it still feel like Sunday? I'm not sure, but given the amount of stuff that needs to get done before I unplug on Friday - there will be no Sabbath for me today or tomorrow for that matter. Though I'll happily accept the disorientation to have a free day with the family during the "work week." Those of us that run our own businesses know that work gets done when work needs to get done - or your family doesn't eat. I'm happy to say the only work that got done yesterday was lathering scads of sunscreen on the kids.

We spent 5 hours at the pool yesterday and by the time we got home and showered, everyone was pretty much catatonic. Not even a few episodes of Justice League Unlimited could get a rise out of my crew. But the kids had a busy day. The weather was perfect and my neighborhood does a great job with July 4th. We have a DJ, a catered lunch, no "adult swims," and a pie contest. And swimming. Lots of fun was had by all.

Alas, today is a new day and even though it feels like Sunday - it's really Thursday. So it's time to make the donuts. Rant a bit. Incite a bit. Write a bit after that, and then start taking care of all of those niggling details that need to get done before we head off on Saturday. YES, VACATION!!! It's been at least 8 years since the Boss and I have gone away for a week without the rats. Yes, that's far too long.

So without further ado, I'll get on with the show and then I'll put the show on pause for a week. No TDI next week. No email or phone calls either. Whatever it is, it'll wait until I return to the office on July 16. Till then, be well and I'll be sure to drink something out of a pineapple with a little umbrella in it for ya - at least 100 times.

Have a great 10 days. I know I will.

The Pragmatic CSO

The Pragmatic CSO:
Available Now!

Read the Intro and Get
"5 Tips to be a Better CSO"
www.pragmaticcso.com

Top Security News

Fit the security to what you are protecting
So what? - Dark Reading covers a user panel on "enterprise data protection" in this article. Whatever that means. But the conclusions drawn from the panel are pretty good. First, encryption isn't a panacea, regardless of what PCI dictates. You want to use the "right" level of security based on what you are trying to protect. The CEO's laptop probably warrants some additional protections, relative to the receptionist's desktop - no? But within reason, of course. Maybe you categorize endpoints into 3 risk buckets (High Risk, Some Risk, Little Risk) and design a protection scheme according to the risk. Another good point made is the reality that many folks make things just too hard for themselves. A 15-character password requirement, no reuse of the last 10 passwords, and a forced change every 90 days? I hope they've got plenty of help desk staffers for all those password resets.

Who dat in your systems?
So what? - With the advent of more outsourcing, out-tasking, selective sourcing, business partnering and whatever other words you want to call letting other folks do some stuff for you - there will be times when the service provider requests access to your systems. As Joel Dubin's SearchSecurity tip points out, this is usually a bad idea. For lots of reasons, but the one I like best (and Joel doesn't mention this specifically) is that YOUR ass is on the line - not the service provider's. If a breach happens, even as a result of something the service provider does, who do you think is getting the hot poker in the eye? If you can't possibly come up with a reason why this is bad (that the CIO buys off on anyway), then at least make the service provider jump through a bunch of hoops to get that access. Make them prove to you that their environment is secure. That their personnel are vetted. That your data will be protected. And then monitor the crap out of whatever systems they have access to. Log stuff, and make sure the service provider has no access to the logs and that the logs can't be tampered with. Tighten your thresholds on key system health metrics. Finally, segment those devices, so if a machine is compromised the damage will be contained. There are times when you'll lose the political battle over third-party access, but don't lose the war.
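Two of the controls above (logs the provider can't tamper with, and tightened thresholds on what the provider account does) are easy to sketch in code. The block below is an added example, not code from the Daily Incite or from any product it mentions: it keeps a hash-chained, HMAC-tagged audit log of vendor-account events under a key the provider never holds, verifies the chain, and counts logins against a threshold. The key, field names and sample events are constructed for the demo.

```python
"""Tamper-evident audit log for third-party access events, plus a simple
login-rate threshold. Added example; key, field names and events are constructed."""
import copy
import hashlib
import hmac
import json

# Assumption: this key lives with the customer's SOC / log collector, never with
# the service provider, so the provider cannot re-tag records it has altered.
LOG_KEY = b"constructed-demo-key-replace-in-production"
GENESIS = "0" * 64


def append_event(chain, event):
    """Append one event. Each record's tag is an HMAC over the event and the
    previous record's tag, so editing or deleting any record breaks the tags
    of every record that follows it."""
    prev_tag = chain[-1]["tag"] if chain else GENESIS
    payload = json.dumps(event, sort_keys=True)
    tag = hmac.new(LOG_KEY, (prev_tag + payload).encode(), hashlib.sha256).hexdigest()
    chain.append({"event": event, "prev": prev_tag, "tag": tag})
    return chain


def verify_chain(chain):
    """Recompute every tag. Returns (True, None) for an intact chain, or
    (False, index) pointing at the first record that no longer checks out.
    Caveat: silently dropping records from the *end* is not caught here; anchor
    the latest tag somewhere the provider can't reach (e.g. ship it to the SIEM)."""
    prev_tag = GENESIS
    for i, rec in enumerate(chain):
        payload = json.dumps(rec["event"], sort_keys=True)
        expected = hmac.new(LOG_KEY, (prev_tag + payload).encode(), hashlib.sha256).hexdigest()
        if rec["prev"] != prev_tag or not hmac.compare_digest(rec["tag"], expected):
            return False, i
        prev_tag = rec["tag"]
    return True, None


def logins_over_threshold(chain, account, window_start, window_end, limit):
    """Count provider logins for `account` in [window_start, window_end) and
    report whether the count exceeds `limit` (the "tighten thresholds" step)."""
    n = sum(
        1 for r in chain
        if r["event"]["action"] == "login"
        and r["event"]["account"] == account
        and window_start <= r["event"]["ts"] < window_end
    )
    return n, n > limit


# Constructed sample events: a vendor account working through a segmented jump host.
SAMPLE_EVENTS = [
    {"ts": 1183622400, "account": "vendor-svc", "host": "jump01", "action": "login"},
    {"ts": 1183622460, "account": "vendor-svc", "host": "jump01", "action": "sudo",
     "cmd": "systemctl restart app"},
    {"ts": 1183622520, "account": "vendor-svc", "host": "jump01", "action": "login"},
    {"ts": 1183622580, "account": "vendor-svc", "host": "jump01", "action": "logout"},
]


def build_sample_chain():
    chain = []
    for ev in SAMPLE_EVENTS:
        append_event(chain, ev)
    return chain


def tampered_copy(chain):
    """Simulate someone quietly rewriting the sudo record in a copy of the log."""
    bad = copy.deepcopy(chain)
    bad[1]["event"]["cmd"] = "ls"
    return bad


if __name__ == "__main__":
    chain = build_sample_chain()
    print("intact chain:", verify_chain(chain))
    print("edited record:", verify_chain(tampered_copy(chain)))
    print("vendor logins in window:",
          logins_over_threshold(chain, "vendor-svc", 1183622400, 1183626000, 1))
```

The design point is that the provider can see its own sessions all it likes; what it cannot do is rewrite history, because the tag on every later record depends on the one it changed and on a key it does not have. The threshold check is deliberately simple (logins per window per account); in practice you would feed the same chain to whatever alerting you already run on system health metrics.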

Amateur night here at the Investor Relations cafe
So what? - You would have thought that the train wreck that was Sourcefire's pre-announcement would have reinforced to some public companies that announcing something when no one is at the office doesn't help your credibility. But I guess the folks at Entrust didn't get the message. Entrust pre-announced a light quarter on JULY 4. I hear lots of investors in the US are paying attention on Independence Day. Come on guys? What are you thinking? The reality is ENTU stock will be punished today for not closing "big deals." And by shipping out the pre-announcement on a national holiday, they will look like jackasses. Like they didn't know on Tuesday? Or it couldn't wait until before the market opens on Thursday. It really is amazing that a company that has been public for years and has experienced board members would pull a stunt like this.

The Laundry List

  1. Trend jumps on the reputation bandwagon. Since no one else in the content security gateway business does reputation, Trend figures this is a differentiator. Ah, not so much. - NetworkWorld coverage
  2. The brainwashing is complete. Cisco users believe the security story. Resistance is futile. - SearchSecurity coverage
  3. LogLogic review. Network Computing likes the box, though you need to know what you are looking for. I guess the ESP feature won't be ready until the next release. - Network Computing coverage
  4. iPhone bugs? Shocker. Errata busted out the fuzzer and found out - it's a Mac, just smaller. - eWeek coverage

Top Blog Postings

Nah, the bad guys wouldn't do that
Despite how numb we are to most data breaches, you still have companies out there that figure bad guys won't do bad things with stolen data. So Certegy (a big check processor) loses a couple million records with information like bank accounts and credit card numbers. And Certegy's president gets interviewed and says that because the data was sold to brokers and direct marketers, the information isn't at risk?!?!? Ed Dickson is exactly right: how could this guy make that claim? And sleep at night. Talk about playing the ostrich game. So if you get the letter (saying you were one of the few and proud to have your data stolen), then start more aggressively monitoring all of your accounts. You may already do this (which is great), so exercise even more diligence. Since this involves your checking account, you may want to talk to the bank and have more stringent risk control parameters applied to your account. Credit cards are relatively low risk, but if someone loots your bank account it's a much bigger pain in the butt.
http://fraudwar.blogspot.com/2007/07/not-to-worry-check-processing-company.html

Recently on the Security Incite Rants Blog

Check out the latest on the Security Incite blog
http://blog.securityincite.com/

Read the most recent Daily Incite

http://securityincite.com/security-incite-rants/daily-incite