The Daily Incite - June 12, 2008

Submitted by Mike Rothman on Thu, 2008-06-12 11:38.
Today's Daily Incite

June 12, 2008 - Volume 3, #56

Good Morning:
First things first, I need to send a shout out to my Dad. Today he turns 65. Happy Birthday!!!! Yup, he's no spring chicken anymore - but that's OK. I'm sure he likes to think he's getting better with age. I can say I hope that my kids learn as much from me, for as long, as I have learned from my Dad. Even today I find that I learn new stuff from him all the time, which is quite a feat since I already know everything. Evidently he knows more.
You are no spring chicken!
But as we all pass milestone birthdays (I have one coming up in October as well), you can't help but think about your legacy. What is it that you are leaving behind in your wake? If you have kids, it's easiest to look at them as your legacy - but it's more than that. Have you influenced the folks you spend time with? Your colleagues at work? Your friends? People you don't even know? Most of us don't ask those questions. Mostly because we don't want to know the answer.

They say to live today like it will be your last. Carpe Diem. Blah blah blah. I'm not sure I buy that anymore. I'm thinking I want to think about what kind of impact I can have over decades. You can't change the world in a day or even a week. But over a decade? Maybe. I know, it's a bit arrogant to think I can change much of anything by being a talking head and writer about something as arcane as information security. But you have to start somewhere, no?

For a long time, I treated my career and my life as a sprint. Run fast. Run faster. Never satisfied. It made my hair gray and my general attitude pretty damn grumpy. Maybe it's better to think about things as a marathon. What is the long view of what you want to accomplish in the short time we are here? Do you have a plan to get there? Can you be flexible enough when that plan doesn't work out?

This line of thinking extends to the courageous decision that Bill Gates made to step down from his "job" at Microsoft and focus on his foundation. Talk about a legacy. A lot of the tech trade press is doing retrospective pieces about Gates' impact on technology and society, and that is all good and well. But I don't think the guy is quite done yet. In fact, I think his most impactful work is yet to come.

I remember the old saying from Spider-Man: "With great power comes great responsibility." I'm not sure I know of truer words than that. We all have our own power, and with that power comes responsibility. It's easy to get mowed under by the responsibilities of the day, but every couple of weeks you really should peel off for an hour or two and take the long view. Use that time to determine which course corrections are necessary. If you don't, the time just flies and you end up where you end up. I don't want to look back and find I've squandered my own power. But that's just me.

My Dad is 65 today. My Mom is there too. I hope they are happy where they are. They should be. They've both accomplished much (not like Bill Gates, but a lot), and should be proud. Now I think I'll get back to work and keep chipping away at my own legacy. Whatever that turns out to be. Have a great weekend.

Photo: "Spring Chicken" originally uploaded by themuuj


Top Security News

You know you are a redneck security professional when...
So what? - Roger Grimes tries to add some levity to what is a pretty downtrodden profession in his column last week. It's structured as one of those Jeff Foxworthy type bits: "you know you are a security professional when..." Some are pretty funny and a few I certainly can empathize with. But this entire idea of being a "security professional" is beside the point of what security professionals need to evolve into. I ask a lot of folks who happen to be practitioners whether they are security professionals. Most answer yes, almost immediately. They are then shocked when I tell them they are wrong. Tomorrow's security professional is not a security professional at all, not in the sense that we think of security practitioners today. They are business people, who happen to help protect the critical information and systems of the organization. Yes, it's a nuance. Yes, it's mincing words. But the perspective and the philosophy are important. We serve the business. We don't chase hackers. Sometimes we get to chase hackers to serve the business, but we can NEVER forget who we work for and what we do for them. But to jump on Roger's idea: You know you are a security professional when you are happy that jackass from LifeLock got his identity stolen. Serves him right for running that advertising campaign publishing his SSN.

How do you say "oh, crap" in Hindi
So what? - It was just a matter of time before a huge data breach from an off-shore outsourcer came to light. I'm sure the one mentioned this week in NetworkWorld isn't the first, but it does remind us about the dangers of these new collaborative business processes. The reality is that outsourcing is happening, and there are risks there. Too many risks to do something? Probably not, but risks that should be considered. You should be looking at the security infrastructure of the outsourcer as part of the diligence process. But can you really avoid something like this? In reality, this is no different than an unscrupulous insider stealing stuff and selling it to the competition. Why is an outsourcer different? You need to consider them part of your extended enterprise, and protect things accordingly. This is another critical reason why we need to start thinking about security from an inside-out perspective (starting at securing the data), as opposed to just an outside-in viewpoint. We pay a lot of lip service to the insider threat, but most of the technologies and tactics used to deal with it are just the same crap we did on our perimeter, inside the network. If you are looking for the next place to disrupt the security apple cart - look at the data. That's where the next wave of security innovation needs to be focused.

Yes, but will it stop a Wolverine?
So what? - It seems the folks at Ohio State have discovered a means to more effectively control the spread of a mass-proliferating worm. Evidently by quarantining devices that try to do 10,000 scans, you can dramatically reduce the impact of an outbreak. First of all, when was the last self-proliferating worm spotted in the wild? A new one? I can't even remember. Code Red was like 7 years ago and SQL Slammer was 5 years ago. It seems that most attacks today are focused on remaining low and slow and not being detected. Taking over a machine and blasting out 10,000 scans probably isn't a good way to stay under the radar. The general concept does make sense, but I can't say it's really new. I figure the NBAD folks have some good data about how they monitor the network and can find a bad actor way before they send out 10,000 scans. But forgive my transgression, I know we wouldn't want to inflict real life on an academic study.
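To make the point above concrete, here is an added example (my own illustration, not code from the Ohio State study or from any NBAD product) of the 10,000-scan quarantine rule applied to constructed flow records. It assumes flows arrive as (src_ip, dst_ip, dst_port) tuples, roughly what a NetFlow collector would hand you, and it counts distinct targets per source so a busy server talking to one peer is not mistaken for a scanner.

```python
from collections import defaultdict

# Quarantine trigger from the item above; assumed here to mean 10,000 distinct targets.
SCAN_THRESHOLD = 10_000


def count_scan_targets(flows):
    """Count distinct (dst_ip, dst_port) pairs probed by each source address.

    `flows` is an iterable of (src_ip, dst_ip, dst_port) tuples. Counting distinct
    targets rather than packets keeps a chatty host with a few peers from
    looking like a scanner.
    """
    targets = defaultdict(set)
    for src, dst, port in flows:
        targets[src].add((dst, port))
    return {src: len(t) for src, t in targets.items()}


def hosts_to_quarantine(flows, threshold=SCAN_THRESHOLD):
    """Sources whose distinct-target count has reached the quarantine threshold."""
    counts = count_scan_targets(flows)
    return sorted(src for src, n in counts.items() if n >= threshold)


def constructed_flows():
    """Constructed sample traffic (not real data) with three kinds of hosts."""
    flows = []
    # Worm-like host sweeping 12,000 distinct addresses on TCP/445.
    for i in range(12_000):
        flows.append(("10.1.1.50", f"10.{i // 256}.{i % 256}.9", 445))
    # Ordinary workstation: many packets, only three distinct targets.
    for _ in range(500):
        flows.append(("10.1.1.20", "10.9.0.5", 443))
        flows.append(("10.1.1.20", "10.9.0.6", 445))
        flows.append(("10.1.1.20", "10.9.0.7", 53))
    # Low-and-slow host: 40 targets, far below the threshold.
    for i in range(40):
        flows.append(("10.1.1.77", f"10.9.{i}.1", 445))
    return flows


if __name__ == "__main__":
    sample = constructed_flows()
    print(count_scan_targets(sample))
    print("quarantine:", hosts_to_quarantine(sample))
```

Only the worm-like host trips the rule; the low-and-slow host with 40 targets never gets near 10,000, which is exactly the gap the item points at, and is where a per-source baseline from the NBAD data would have to pick up the slack.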


The Laundry List

  1. Deal: Perimeter buys Edgeos, figuring why should Qualys have all the fun. Like managed vuln scanning is fun. - Perimeter release
  2. Deal: Symantec buys SwapDrive. I guess there is something to that bunch of disks in the cloud. - TechCrunch coverage
  3. Is it because they are good, or the other guys are bad? Doesn't matter to Sophos, who is showing growth in the North American channel. Just ask them. - SearchITchannel coverage
  4. Websense claims to stop Web 2.0 threats in their latest release. I guess they've figured out how to address human nature. Maybe they should patent that. - Websense release

Top Blog Postings

That's what we do is a bad answer
AndyITGuy makes a great point here, which is that we live in a dynamic world. So why would we expect our defenses and tactics to stay static? It gets back to a few of the scariest words I hear: "Because that's what we've always done." OK, I'll admit that it's easy for me, as an outsider, to come in and ask questions and call bunk on stuff that just doesn't make sense. Most people are embarrassed to admit that inertia is the reason they do things the way they do, so they fess up and then move quickly to address the issue with tactics that may actually work. Yet, what happens when an outsider isn't there to poke you in the eye? Most of the time nothing happens, and that's a big problem. The bad guys are changing and adapting. That means the good guys have to change and adapt as well. And don't ever accept the status quo as sufficient. Unless you actually enjoy looking for another job.
http://andyitguy.blogspot.com/2008/05/i-don-care-how-you-always-done-it.html

Why stop at WAFs? Everything needs to work better
The Mogull makes the point here (referencing a keynote that the inimitable Jeremiah did at a SANS conference) that we have a lot of work to do on the web application firewall front. Given the fact that it will take hundreds of years to analyze all the code that's already been built, the odds that we'll get full coverage from a secure development lifecycle perspective are nil. So we've got to have other tactics to protect our applications. WAF is one. Providing additional layers (as Rich says, like database monitoring) is important as well. His point about being able to react faster to emerging exploits by adding rules to the WAF in real time is interesting. But there are some concerns with this kind of approach. What about false positives? I took a dump on the G's idea of the "adaptive security architecture" yesterday because I don't think our detection capabilities are sophisticated enough to do it well without adding a bunch of false positives to the mix. Thus, I'm not sure I trust Jeremiah's band of merry men (and women) to reprogram my WAF in real time and not start blocking legitimate app traffic. I hope they can; I think that would be great. But until you start seeing a bunch of public success stories, I'll keep my cynical hat on.
http://securosis.com/2008/06/02/web-application-security-we-need-web-application-firewalls-to-work-better/

Is that a big lock in the cloud?
I'm fascinated by hail. As long as I'm inside (and my cars are safely in the garage), it's kind of cool to watch the hail stones raining down on my deck. Now that most technology architects are figuring out how and what should be moved into the "cloud," I guess the cyber equivalent of a hail storm is to have locks falling from the sky. That would probably hurt. Kidding aside, it's good to see mass media publications like GigaOm starting to talk about the need to provide more adequate security in the cloud. The reality is that we are moving towards a multi-tenant world. And if you thought the data segregation and identity management challenges of a typical enterprise were awe-inspiring, think about how you do that for millions of customers - all consuming compute cycles and storage services from a big time-sharing machine in the sky. The hope of the post is that the cloud computing companies will find economies of scale in security, and that they can more effectively battle the bad guys because they can amortize those investments over a lot more customers and a lot more data. In theory, that's about right. But in practice, it's not clear how seriously any of these providers take security. Most of them rely on the "trust us" security-by-obscurity approach, which maintains that they have smart guys working on the problem, and therefore it isn't much of a problem. Of course, we all know that isn't really an answer, but until a high profile breach happens on data stored in the cloud, that answer will be good enough.
http://gigaom.com/2008/06/10/the-amazon-outage-fortresses-in-the-clouds/