The Daily Incite - June 19, 2008
June 19, 2008 - Volume 3, #58
Good Morning:
Those of you that know me know I hate surprises. I mean REALLY hate
surprises. I'm OK with the kind of surprise where you walk into your
house and 50 people you sort of like scream surprise and then call you
an old fart while they are doing beer funnels. It's the surprise like,
"we've had a breach," or "your web site is down and your customers want
your head on a stick" kind of surprises that I'm trying to avoid.

I got one of those surprises this week at the gas station. I filled up
my old Acura and it cost me $65. Holy crap! $65 smackeroos. That's two
months at Starbucks. Or 70% of my DirecTV bill, which is also
ridiculous.
I know my car is old and requires premium, of which I paid $4.40 per
gallon, but WTF? I guess I knew gas was skyrocketing and I'd filled my
tank within the last couple of weeks, so I shouldn't have been surprised.
But I still was. $50 per tank hurt, but it was manageable. $65 is
bordering on lunacy.
I'm aware that my friends in Europe pay a pretty pound or
Euro for petrol. And these high prices are not news to them, but this
has got to impact macro spending patterns. I know it's going to affect
mine. Thankfully, I have a pretty good commute - so I'm kind of
shielded from the real impact. But others are not so lucky.
Take, for example, my buddy who runs a light and sign company. He's got
4 or 5 trucks on the road every day, and those machines look at fuel
efficiency from a gallons to the mile standpoint. I know this is
hurting his margins, and he's not alone. Or my other buddy who runs a
printing company and spends 6-7 hours a day on the road driving between
his customers. I can't imagine what his gas card bill is at this point.
Unfortunately, things are probably going to get worse before they get
better. It doesn't seem demand is going to change much, given the booms
in China and India and in other emerging economies. It also doesn't
seem like we are going to find some mother lode of oil that will impact
the supply side. So get ready for $4-5 gas in perpetuity.
I'm still sticking by my macro projections that the 2nd half of the
year will be bumpy for IT, and even for security. I know a lot of the
economic pundits are thinking we are heading out of the trough, but I'm
not so sure. Property values in my neighborhood aren't going anywhere
but down. The monthly costs of living (even modestly) aren't going
anywhere but up. I know a bunch of folks that are looking for work.
They say the upcoming elections will be all about the economy, and if
they are right - it won't be good for the incumbent party.
Have a great weekend and go spend some money. The economy needs your
support. Oh crap, isn't that how we got into this mess in the first
place?
Photo: "Maui gas prices 5/30/08" originally uploaded by Tarlach
Top Security News
First comes love, then comes marriage...
So what? -
The Open Group is making some waves this week by announcing their risk-management "taxonomy,"
which is basically an attempt to standardize the vernacular that we all
use (and don't use) about risk. I'm even more interested in some of the
work they'll be doing in the fall to help define a risk management
"methodology," which hopefully will get everyone at least to start
discussing how to measure and address the information risk we deal with
every day. The fine folks at Risk Management Insight have their paws
all over this one, and it's a great way for them to both increase their
exposure and drive some demand for their training and consulting
services. I think this is great news, but alas I'm not sure it will
make a difference. This underscores the general blog-debate that Jack
and I have engaged in for the past few months. I know there is a subset
(and I think it's a small subset) of the world that really needs this
stuff, and they should be jumping for joy. Yet, the rest of the world
just wants the problem to go away. They want good enough security to
keep the auditors from peeing in their corn flakes and they want to get
on with their day. Yes, these versions of risk management Yin-Yang can
co-exist. In fact, that's been happening for years. And I really am
excited by the Open Group shouting into a bigger bullhorn about the
great work that RMI contributed to the industry. I just have a hard
time turning off my real gene.
Outsource your Intranet to Facebook?
So what? -
I get that a lot of small companies don't have resources to build big,
sophisticated Intranets. There are lots of great collaboration services
out there to provide a wiki-type thing to store documents, track tasks,
and have discussions. I use one to facilitate communications
with my business partners. Many of them are free. But to see about
mid-way through the story about how Facebook is a business
tool, how a company has put all their folks on Facebook in
order to facilitate communication, just made me laugh. How friggin'
stupid are these folks? They even say only 4% of the stuff out there
was company confidential, and they spent time training folks, so the
mistakes don't happen again. Great. But Facebook is like being indexed
by Google. Once it's out there, it's OUT THERE. There is no pulling it
back. And to think the risk of these social networks is overblown is
just playing the ostrich game. I think we are underestimating the
security and
privacy issues of a generation of young people that share personal
information by default. I used to laugh at how paranoid the Boss was
about personal security. Now I realize that she's been right. You
either have the security mindset or you are prey. And far too many
people aren't paranoid enough. Maybe Big Pharma should start working on
that.
This is not your Granddad's SQL injection
So what? -
This is a good tip on SearchSecurity from Michael Cobb
about how SQL injection attacks have evolved over the past
few years. Google is now a favorite attack mechanism to find vulnerable
sites, and then the Trojan
Armies go out and do the dirty work. The good news is that if your site
is vulnerable, the fine folks at the search engines will likely let you
know. Of course, by then it's also likely too late. So how do you get
ahead of it? Security 101, baby! Run an application scan. Do a code
review. Monitor your application logs for funky traffic. Not brain
surgery folks, but keep in mind that the bad guys are going to continue
evolving their attack methods - and that means we have to keep evolving
our defenses. As I've said before, if you want something static, go
work on an assembly line. That is, until they replace you with a robot.
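As an added example (mine, not from the post or the SearchSecurity tip it discusses), here is what "monitor your application logs for funky traffic" can look like in practice: a small scanner that URL-decodes the query string of each access-log request and flags SQL syntax that has no business in a product ID or search term. The log lines are constructed, and the rule set is a starting point, not a complete grammar.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (Apache combined format), not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [19/Jun/2008:09:12:01 -0400] "GET /products.asp?id=42 HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
10.0.0.9 - - [19/Jun/2008:09:12:07 -0400] "GET /products.asp?id=42%27%20OR%201%3D1-- HTTP/1.1" 200 9044 "-" "Mozilla/4.0"
10.0.0.9 - - [19/Jun/2008:09:12:09 -0400] "GET /products.asp?id=42;DECLARE%20@s%20VARCHAR(4000) HTTP/1.1" 500 311 "-" "Mozilla/4.0"
10.0.0.7 - - [19/Jun/2008:09:13:44 -0400] "GET /search.asp?q=union+square+hotels HTTP/1.1" 200 7700 "-" "Mozilla/4.0"
"""

REQUEST_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Each rule is a label plus a regex run over the *decoded* query string.
# The patterns key on SQL syntax, not bare words, so "union square hotels" is not flagged.
SQLI_RULES = [
    ("tautology", re.compile(r"'\s*(or|and)\s+\S+\s*=\s*\S+", re.I)),
    ("comment-terminator", re.compile(r"(--|/\*|#)\s*$")),
    ("stacked-statement", re.compile(r";\s*(declare|exec|insert|update|drop|cast)\b", re.I)),
    ("union-select", re.compile(r"\bunion\b.{0,40}\bselect\b", re.I)),
]


def decode_query(path):
    """Return the URL-decoded query string of a request path ('' if there is none)."""
    _, _, query = path.partition("?")
    return unquote_plus(query)


def scan_log(text):
    """Return (ip, status, label, decoded_query) for every request that trips a rule."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # skip lines that are not well-formed requests
        query = decode_query(m.group("path"))
        for label, rule in SQLI_RULES:
            if rule.search(query):
                hits.append((m.group("ip"), int(m.group("status")), label, query))
                break  # one label per request is enough for triage
    return hits


if __name__ == "__main__":
    for ip, status, label, query in scan_log(SAMPLE_LOG):
        print(f"{ip} {status} {label}: {query}")
```

A 500 on a flagged request (the third constructed line) is the pairing worth paging on: the injection reached the database layer and the application did not handle it.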
The Laundry List
- Is traditional signature-based AV dead? It's definitely on life-support, as Trend announces a cloud-based something or other. Will it work? Who knows, but clearly the sacred cow of AV will be served for dinner sooner rather than later. - Trend Micro release
- Deal: Third Brigade jumps on the open-source-as-lead-generation bandwagon by acquiring the OSSEC project. This kind of model makes sense. Let a prospect play with an open source tool and then be there when they decide they need a commercial product. - Third Brigade release
- Mercy killing, I mean, Deal: Fortinet puts IPLocks US ops out of its misery. Database security is just like UTM, right? - NetworkWorld coverage
- Take that F5! Imperva integrates their WAF with scanners from Cenzic, HP, IBM, and NTO. Adding a bit more intelligence to the WAF (in terms of dynamic rules) is a good thought, but will customers really block based on what a scanner says? - Imperva release
Top Blog Postings
Is that a Pink Slip in your pocket?
Reading Adrian's post here about the Pink Slip Virus provides mixed
emotions for me. First of all, I feel for the poor saps that will get
nailed in this ruse, as it's like the innocent victims of a drive-by
shooting. Sometimes there is collateral damage. On the other hand, I do
appreciate a new and innovative attack and the idea of planting bad
stuff on someone's machine and then removing any trace of the attack is
borderline genius. Talk about a new way to play office politics... Yet
this attack may actually show a significant unintended consequence.
Personally, I think the odds are better than even that this attack
introduces REASONABLE DOUBT in any prosecution for someone adding bad
stuff to their machine. That's right, when shown the specifics of this
attack, any decent defense attorney should be able to create doubt
within a jury of our peers as to whether the alleged perpetrator did
the deed. I also think that some companies will pull the hair trigger
and can some folks, and this will give fuel for employment lawyers to
pursue wrongful termination suits. So there you have it, another
innovative attack - and the lawyers end up making money. Where's the
justice in that?
http://securosis.com/2008/06/17/pink-slip-virus-2008/
I won't call you, just find me...
We should call this soap opera "As the Marketing Tactics Turn," as it
seems the old way of developing business is getting long in the tooth.
You know, do a white paper or webcast and then pound the poor folks
that register with a zillion calls until they finally relent and take a
meeting. Isn't that successful marketing? You are generating leads, no?
Shimmy points to a post from Greg Ness that talks about turning the
tables and using a more social media-based approach to get folks to
take an action step and register interest. That sounds great, but
unfortunately it won't work. Why? Because sales people are in the
equation and sales people want leads. Even if they are crappy leads, if
they don't have a list of people to call, then they think marketing
sucks and they call for the VP Marketing's head on a stick. You don't
believe me? Then you've never sat in that seat. Don't get me wrong,
it's idiotic because to have sales people pound prospects that are
clearly not interested is a waste of everyone's time. But CEOs don't
want to hear about the fact that no one wants the product. VPs of Sales
don't want
to hear that their sales folks couldn't close a deal with their own
mother. They just want their salesforce.com lead queues to be
overflowing. There are exceptions to this rule, but they are usually
run by former marketing VPs - who realize how stupid the game is and
decide not to play it. There is no answer to this, besides not having a
sales force and doing your business through a web site. Hmmm. Maybe
that's a decent idea.
http://www.stillsecureafteralltheseyears.com/ashimmy/2008/06/is-security-mar.html
The two types of research users
It's amazing how naive most people are. Like the folks that never
realized that a couple of years ago any white papers issued by Hurwitz
or Aberdeen were mostly written by the sponsor. Not sure about the
current incarnations of those esteemed research houses, but that's the
way the game was played years ago. And on the end user side, things
aren't much better. There are two kinds of clients you'd run into as an
analyst for "Big Research." The smart ones and the dumb ones. The
difference was in how they used the services. The smart ones knew the
answer already, they knew what they wanted to buy, and they knew why.
They didn't need my help. But they did need my VALIDATION. That's
right, they didn't have enough credibility within their own
organization, so some analyst blessing a decision made all the
difference in the world. They needed me to cover their ass, pure and
simple. So for the anonymous person that writes the analystanalyst blog
to be frustrated by this shows a serious level of naivety. I guess some
folks really have just fallen off the turnip truck. Of course, I can't
forget to mention the dumb ones, who are too lazy to actually think for
themselves. So they blindly call a bunch of vendors off a MQ or Wave
report and then they call the analyst to have them push in the right
direction. Yes, those folks actually exist and they even get a paycheck
from their employer. Yes, it's a travesty - but it's how things work in
the real world. I guess I'm pretty stupid to call bunk on my own
profession, but I can't help it. Yet another topic for my next session
with the shrink.
http://analystanalyst.wordpress.com/2008/06/14/ass-covers/
Could be worse. You could be tanking up in Gorda, CA.
Tiny Town of Gorda, Calif., Has Great Big Gas Prices