The Daily Incite - June 17, 2008
June 17, 2008 - Volume 3, #57
Good Morning:
I hope everyone had a great Father's Day, that is if you are a father
or have a father. I know better than to assume the nuclear family still
predominates around the world. My day was great. My kids made me cards
and were generally on decent behavior. I did try the "behave it's
Father's Day" line a few times, but they figured that after the gesture
of the card, they were off the hook.

Almost every Sunday I take the kids to the gym and drop them off at the
child center. Then I hop aboard the stair machine or the elliptical for
my 45 minutes of "exercise." I figure it would be less painful to have
my teeth drilled with no novocaine, but I guess running fast to stay in
place is good for my heart.
But at least I had my old buddy Tim Russert and Meet the Press on the
tube (with fancy closed captioning, so I could listen to music at the
same time) to pass the time. Which is why hearing about his death last
week was a real blow.
I didn't even know the guy, yet I felt like I did. I've spoken to a
bunch of people that have said the same thing. He was like a bit of
fresh air, a sort of sanity in what has become a crazy political
backdrop. Now he's gone, but clearly won't be forgotten.
Last Thursday I wrote about leaving a legacy and taking the long view.
Tim Russert was a great example of that. He single handedly revitalized
the Sunday talk show format, and provide ways of describing incredibly
boring and nuanced political machinations in a way that even a
simpleton like me could understand. I'll never forget that white board
during the 2000 Election night. My company that night was my 3 day old
daughter (in her bili lamp) and Tim Russert.
Life does go on. The election will go on, but it won't be as much fun.
Some other jackass will pull out a white board, but it won't have the
same effect.
Most of all, the thing I'll remember about Tim Russert is that he went out doing what he loved - voice overs and prepping for his show. At some point (hopefully a long time in the future), my time will come. And I can only hope I have a big smile on my face because I was doing what I love surrounded by the people I care about.
Have a good trip Tim. And you have a great day.
Photo: "tim russert" originally uploaded by hbushra
Top Security News
What? Data leak prevention actually stops leaks?
So what? -
Stiennon is at it again. After pining away for Camelot (more on that later), now he sort of takes aim at the DLP business - in his inimitable Stiennon way. The great line from Apocalypse Now always comes to mind whenever Stiennon opens his mouth: "I love the smell of napalm in the morning." Richard is really saying the DLP emperor has no clothes: that data is in too many places to be adequately protected, and not just electronic places. That's a relief; I wanted to work on my short game today. Richard's assessment that "data leak prevention is impossible" is empirically correct - but beside the point. Building a secure application is also impossible, but does that mean we don't try? Do we not deploy some type of filtering for our email and web traffic to make sure the low hanging fruit is addressed? Do we not try to figure out where our sensitive data is, just in case we get the wild hair to try to protect it? I know, a lot of questions for a Tuesday morning. Actually Richard isn't even talking about electronic DLP, but rather about controlling paper documents, since the UK Secret Service lost a bunch of papers because some idiot left them on a train. This falls into the same bucket as the VA data loss to me. There is probably no reason why this dude had sensitive papers on Al Qaeda off site, is there? Can you ultimately control it? No. Can you set policies and have public executions if people don't adhere to the policies? Yes - and I believe you should. Nothing like the smell of a public execution in the morning.
Is your assessor ISO 9001 certified?
So what? -
OK, that is a bit tongue in cheek, but now the PCI Security Standards Council is initiating a quality assurance program for assessors in the fall. This is actually great news and a key facet of scaling the PCI data security requirements. The reality is there are too many retailers and not enough decent assessors. Kind of like the good old days of dealing with the Big 5: the Partner comes in and wows you, and then the college kids show up to bungle the project. It's not that bad relative to PCI assessments - yet. But getting out ahead of it by setting guidelines and then building a feedback loop to shine a light on the weak assessors is a good thing. The thing we all have to watch for is assessor "witch hunts," where the merchant and the assessor have a difference of opinion, maybe about a compensating control or a specific process. Ultimately the Standards Council needs to be careful not to undermine the credibility of its assessors. There is already a process to handle differences of opinion, by working through the payment processors and then ultimately the payment brands themselves. But if the quality program becomes a way for a merchant to get around a challenging assessor, that kind of defeats the purpose, no?
The Laundry List
- Sourcefire names John Burris as CEO. I figured it would be a BOD member, but I picked the wrong one (I had money on Becker). Burris has been looking for a CEO gig for a while, and now he found one. Be careful what you wish for. - Sourcefire release
- It's not quite the Secret Service, but Obama is looking for a web app specialist. Maybe after this gig, you could write a book and get on Meet the Press. - NetworkWorld coverage
- This advice on how to supplement Snort with other tools isn't just for VARs. The Tao Master provides some high level concepts of what other data to collect to verify the findings from Snort. - SearchSecurityChannel coverage
- Looking at NAC (even if Stiennon says not to)? Check out NetworkWorld's NAC buyers guide, which if anything provides a list of vendors. - NetworkWorld buyers guide
Top Blog Postings
How do we get ahead of it?
RSnake brings up a good point here, which is that we are pushing our developers harder and faster than ever before. Do it faster, get it out there and then iterate quickly. That mentality doesn't really provide the best environment to ensure that applications are somewhat secure before they are released into the world. I agree that the SDLC isn't totally getting the job done and that some of the band-aids (like a WAF or a database activity monitoring offering) can help. But we are treating the symptoms, not necessarily the cause, and it's presenting quite a quandary. The mantra of the security folks needs to be "do no harm to the business," but then we tell everyone to move slower, in a world that wants to move faster. Is there an answer? Of course, but it's not really pleasant. We need to start securing THE DATA. At least the important data, anyway. Some of the research and big thinking Mogull and Hoff are doing relative to information-centric security is very interesting. Because I'm pretty sure we aren't going to make the access roads to the data more secure, we had better start thinking about the problem a bit differently.
http://www.darkreading.com/blog.asp?blog_sectionid=403
Tippett changes his tune on IDS
From a disclosure standpoint, I have to admit that I used to work with Peter Tippett at TruSecure and can say his approach and philosophy to security (called the Essential Practices) laid the foundation for the Pragmatic Way. I'm not sure how they did it, but the folks at Verizon have coerced Peter into actually starting to write on Verizon's security blog. Maybe $400 million had something to do with it. In this piece, Peter talks about his history of hating IDS (and the associated MSS monitoring services), and I can vouch for the fact that he's been using the submarine analogy for at least 6 years. Is Tippett changing his tune? If anything, Peter is a man of science and he believes the data. Verizon's recent data breach investigations report certainly made some waves, and one of the counter-intuitive findings was that most attacks take weeks before data is actually compromised. Thus, an approach of looking for attacks in the rear view mirror may be worthwhile. Me? I'm not so sure that looking for attack signatures is the best way to do this kind of analysis. I'm still a fan of monitoring, but using network flow data and other security device data - as opposed to strictly relying on a signature engine. Not that there isn't a place for IDS signatures (and minimal blocking), but it's not a panacea. Just another data source. It all gets back to REACTING FASTER, which Peter never really bought into. Maybe I'll send him a REACT FASTER t-shirt, now that he's on board.
http://securityblog.verizonbusiness.com/2008/06/10/i-was-an-anti-mss-zealot/
If this is Camelot, I'll go look for the Holy Grail
The great thing about the blogosphere is that if you look hard enough, you'll likely find someone that shares your opinions. For 10 minutes, at least. JJ pops Stiennon's Camelot balloon by actually questioning whether this new category called "network-based entitlement control" is really much of anything new. I have to admit, I spoke to Rohati and didn't get it either. I know I'm not the sharpest tool in the shed, so to see someone with technical chops like JJ ask some questions is comforting. Rohati talks about controlling access to applications by applying network-layer filters in a really fast box. This is based on the premise that applications just suck at their own security, so enterprises should be spending hundreds of thousands of dollars to externalize security from the applications. I guess this comes from the Contact school of procurement: why build it once, when you can build it twice for twice the price? I do understand that applications like SharePoint are sub-optimal from a security standpoint. But do I need to build another layer of my network security infrastructure to deal with it? I guess it depends on how much private information is in SharePoint. Or maybe I look at moving to a better application platform. Given I'm going to spend a couple million anyway, why wouldn't I buy something that solves the problem in the first place, as opposed to layering a network-based band-aid on top of it? But you have to hand it to Rohati's press engine. They've made it newsworthy that some ex-Cisco engineers started a company, since that's never happened before. I'll follow up with a similar disclaimer to JJ. I could be wrong; it has happened before. But the jury is out until any of these folks trying to do application specific stuff in the network gain some traction.
http://securityuncorked.squarespace.com/security-uncorked/2008/6/15/network-based-entitlement-a-rose-by-any-other-name.html