The Daily Incite - June 26, 2008
June 26, 2008 - Volume 3, #60
Good Morning:
I know the exact moment that I lost my taste for math. It was sophomore
year of engineering school in my 4th semester of calculus. The lesson
for the day was to figure out some wacky theorem on how to calculate the
area on the inside of a sphere. WHAT? Right, I would much rather have
been drinking beer, but I decided I wanted to study engineering - so I
persevered.

Now I have a lot of respect for the folks that are actually interested
in counting things in Angstroms and calculating the resistance of a
nanotube. These folks have come up with some of the great innovations
of our time. But I've also come to appreciate the fact that high level
math isn't that interesting to me.
Yet, my disdain for math can be a bit of a challenge at times. Last
week I was ranting about how expensive gas is, and many of you sent me
comments and even pictures showing how crazy prices are where you live.
I appreciate that.
So earlier this week, I decided to do my part and search around for a
cheaper tank. Not a cheaper ride, like a Prius or something. As much as
I like the new car smell, the idea of dropping $30K on a new ride right
now is distinctly uninteresting - if only to save a few bucks at the
pump.
So I figured I would drive over to my local Costco and fill the tank.
Everyone knows Costco has the cheapest gas around, no? So I diligently
left Starbucks, checked out the price of premium at the gas station
that I passed on the way ($4.29) and then drove about 10 minutes to
Costco.
Drum roll please... The price at Costco was $4.24. That's right, I
saved a nickel a gallon - which for the 14 gallons I needed, added up
to a whopping 70 CENTS. Yes, I should pay more attention to the math.
Between the 30 minutes of wasted time driving out of my way and the
extra gas I burned to hike over to Costco - I probably lost money on the deal.
And that is one of the problems we all suffer. It's context. We (OK, I
won't speak for you), I mean I get fired up about something and then
chase a Pyrrhic victory that ends up having the exact opposite
effect. Maybe the law of unintended consequences is rearing its wily
head or something like that. But I'm going to try to take a deep breath
before I go on my next wild goose chase to save less than a
buck.
Have a great weekend.
Photo: "NooNoo studying calculus" originally uploaded by __dino__
Technorati: Information Security, CSO, Security Mike, Internet Security
Top Security News
More VirtSec ramblings
So what? -
Hype begets more hype and we are certainly seeing VirtSec front and
center in the hype cycle. Which is fine, it is what it is. Again, just
because I don't see a near term revenue opportunity for all the vendors
that are trying to focus on it (and push on the string), doesn't mean
it's not an issue or that we shouldn't be thinking about how to architect
our environments so that virtualization can be deployed securely. TechTarget
figured out a way to get Matasano Thomas to put pen to paper and bang
out a tip on building security into a virtualized
server environment. Read it and think about it. The idea of
not running financial applications on virtualized shared hosting is a
bit of heresy, but it's certainly something to think about. It also
seems that virtualization is front and center at
Burton's annual soiree. They are beating the drum for solving
the operational issues of virtualization, as opposed to throwing the
latest security widget at it. At least many of the talking heads are in
agreement about that. Which means it's probably wrong, but we'll play
it out for a little while anyway.
Finally, a use for that certification
So what? -
It seems the US Feds are now putting the final touches on a new
mandate that will require a security certification for workers in
civilian agencies. This actually could have far-reaching
impacts on the security education market, in that these certifications
would have to be accredited by the Feds to be accepted. Then you'd have
a huge demand from all the security professionals out there to get their
papers, so they can continue to work. We all know there is very little
correlation between certifications and competency, right? So is this
about improving security, or about putting a bunch more bureaucrats to work to
administer these kinds of ridiculous programs? I guess when the current
administration decided to throw billions after security, they didn't
specify between products, services or education. Arghhh. Not to be a
conspiracy theorist, but it seems that SANS is pretty well connected in
the halls of the Beltway and they would probably be the biggest
beneficiary of this kind of mandate - no? Too bad I don't eat meat
anymore because this is going to be quite a pork barrel.
Encryption + DLP = Not new
So what? -
Hmmm. It seems that the "newest" capability of DLP is encryption.
You mean you'd actually want to protect data at rest, and that you'd
maybe think about encrypting a mail message or file with confidential
information in it BEFORE it hits the big, bad Internet? Of course you
would, but I don't get what's new about this. The email security
gateways have done outbound filtering for years. They've also had
partnerships with the encryption vendors to actually remediate on the
policy violations detected by the filters. I've called the outbound
email (and web) filtering stuff "poor-man's DLP" and they've been doing
encryption, so is it a surprise - or even novel - that the DLP vendors
are jumping on that bandwagon? And is this new even for them? It's not.
Through the wonders of a 10-second search on Google, I found a partnership release from PGP and Vontu.
Right, it's dated May of 2005. That's pretty new.
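To make the "poor-man's DLP" point concrete, here is an added example (not code from the newsletter, nor from any of the gateway or DLP vendors it mentions) of what an outbound mail filter actually does: inspect the body for confidential data, cut false positives with a Luhn check, and hand the message to the encryption step when it is leaving the company. The corporate domain example.com, the bulk threshold and the sample messages are all constructed assumptions for the demonstration.

```python
import re
from dataclasses import dataclass, field

INTERNAL_DOMAIN = "example.com"   # assumption: hypothetical corporate mail domain
BULK_PAN_THRESHOLD = 10           # assumption: more cards than this in one mail looks like exfiltration

# 13-19 digit runs, optionally separated by spaces or dashes, not embedded in a longer digit run
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: every real card number passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return normalized card numbers in text that look like a PAN and pass Luhn."""
    hits = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            hits.append(digits)
    return hits


@dataclass
class Verdict:
    action: str                     # "deliver", "encrypt" or "block"
    reasons: list = field(default_factory=list)


def classify(msg: dict) -> Verdict:
    """Outbound policy: detect confidential content, then pick the remediation."""
    reasons = []
    pans = find_pans(msg["body"])
    if pans:
        reasons.append(f"{len(pans)} Luhn-valid card number(s)")
    ssns = SSN_RE.findall(msg["body"])
    if ssns:
        reasons.append(f"{len(ssns)} SSN-shaped value(s)")
    if "confidential" in msg.get("subject", "").lower():
        reasons.append("subject marked confidential")

    if not reasons:
        return Verdict("deliver")
    external = not msg["to"].lower().endswith("@" + INTERNAL_DOMAIN)
    if external and len(pans) > BULK_PAN_THRESHOLD:
        return Verdict("block", reasons)    # bulk cardholder data leaving: stop it, don't just wrap it
    if external:
        return Verdict("encrypt", reasons)  # the remediation step: hand off to the encryption gateway
    return Verdict("deliver", reasons)      # internal recipient; still worth logging the reasons


# Constructed sample messages (not real traffic)
SAMPLES = [
    {"to": "partner@outside.test", "subject": "Refund",
     "body": "Please refund card 4111 1111 1111 1111 for order 88."},
    {"to": "partner@outside.test", "subject": "Tracking",
     "body": "Shipment ref 4111111111111112 left the dock."},      # 16 digits, fails Luhn: not a card
    {"to": "finance@example.com", "subject": "Q2 chargebacks",
     "body": "Card 4111-1111-1111-1111 disputed twice."},
    {"to": "drop@outside.test", "subject": "export",
     "body": "\n".join(["4111111111111111"] * 12)},
    {"to": "partner@outside.test", "subject": "CONFIDENTIAL: term sheet",
     "body": "See attached."},
]


def run_samples() -> list:
    """Classify every sample and return the chosen actions in order."""
    return [classify(m).action for m in SAMPLES]


if __name__ == "__main__":
    for m, v in zip(SAMPLES, map(classify, SAMPLES)):
        print(f"{m['to']:<24} {v.action:<8} {'; '.join(v.reasons)}")
```

The Luhn check is what separates this from a naive regex filter: the tracking reference in the second message has the right shape but is not a card, so it goes out in the clear instead of generating a ticket. Real gateways layer dictionaries, fingerprints and attachment parsing on top of this, but the detect-then-encrypt flow is the same one the 2005-era partnerships were built around.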
The Laundry List
- Barracuda tries to keep the FIRE alive by raising its offer. The response is a cold bucket of Burris. - Sourcefire release
- Deal: Proofpoint buys Fortiva to get access to the email archiving market. Guess they are doing more than just hiring all the old Postini and CipherTrust folks with all that money they raised. - Proofpoint release
- Why do they have to keep reminding us how big they are? Jaquith ponders the issue. I think it's about self-esteem. Real winners don't have to tell you they are winning. - Yankee Group blog
- Wait, an integrated endpoint agent that does systems management, security and backup? Took you long enough Big Yella. Or maybe Old Yeller is a better moniker. - Symantec release
Top Blog Postings
You've got no privacy - get over it
I know a lot of folks like to don their Privacy Suits and take on the
role of fighting for the rights of all mankind, but ultimately it seems
futile. I know Martin just soiled his pants at the thought (I just hope
it wasn't his purple suit), but unfortunately it's true. There is data
everywhere and lots of unscrupulous folks ready, willing and able to
take advantage of it. Check out this post from Mark Gibbs about how
easy it is for a collection agent to get all sorts of information about
you or to look at some indirect methods of finding you. It's true that
I don't like most people, but I really don't like collection agents.
These folks couldn't care less about anything, except to get the money
they think you owe and to pull their rather hefty fees off the top.
They use sophisticated databases and mining tools to try to find
connections to track people down. And this stuff is legal. Yeah, forget
privacy - start monitoring all your financial accounts. Your
information is digitized and stored in just too many places. There is
no way to keep it safe. And on that cheery note, go use your
credit card some more...
http://www.networkworld.com/columnists/2008/061908-backspin.html
How do you define compliance?
You know, it's that thing I sort of have to do to stay in business,
right? This interesting post on the RSA blog goes about trying to
define a nebulous concept. Of course, they point out that most folks
think compliance in terms of regulatory compliance. But we had rules
and policies before we had regulations. Isn't that compliance as well?
I like the definition of compliance: "the act of conforming,
acquiescing, or yielding." Right. Yielding is one of my favorite things
to do. Up there with root canal and athletic cup testing. That is
pretty much what we are forced to do. Regulatory compliance has forced
the world of security to adopt the lowest common denominator. It's all
about passing the audit - NOT protecting the information or the
intellectual property. Sad but true. What's the difference between a
mediocre and a great security professional? Not a hell of a lot, to be
honest. The great ones do just a little bit more than the lowest
common denominator, and thus are not the low hanging fruit for the bad
guys. But alas, this LCD-itis (as in lowest common denominator) is how
most overhead functions are treated. So the secret? Make sure security
isn't perceived as an overhead function - even though it really is. No,
I'm not talking out of both sides of my mouth - I'm just being
Pragmatic.
http://www.rsa.com/blog/blog_entry.aspx?id=1295
The evolution of threat modeling
As Shostack shows that his day job isn't necessarily pointing out
chaos, he comes to the conclusion that threat modeling is not just one
thing, but many things and really a process to figure out "what could
go wrong." That would seem to me to be a pretty important way to think
about pretty much everything. Sure, there are the formal threat models
that can and should be built early on in the app development process
(what Adam calls SDL Threat Modeling), but the mindset should also apply to
everything else. You may not have to build a formal, documented threat
model, but anytime someone asks you to do something - you should be
thinking about what can go wrong and how to avoid it. A lot of us (that
have a reasonably mature security mindset) already think this way. At
least now we have a term for it, as opposed to paranoia and general
grumpiness. I'm not grumpy - I'm a threat modeler! I wonder if the Boss
will buy that one.
http://blogs.msdn.com/sdl/archive/2008/06/17/sdl-threat-modeling-past-present-and-future.aspx
Mike, this article is just a bunch of FUD by people who don't know how Government security works nowadays. Beware trolls bearing cookies.
Thing is, certs are required now for most Government contracts anyway--at least for the key positions. If you don't have at least a SANS or an ISC2 cert and you work with security in the beltway, either you're just a hobbyist or you are a nobody. While some people wear their certifications like a badge of honor, around here it's just like the tag on your underwear--we all got 'em, big fat dealio.
With the demand for IT security people being what it is, there is a very high level of charlatans who come to the beltway looking for the filthy lucre. Certification is one way to sort them out--just one way amongst many others, and a crude method at that.
For the record, SANS isn't as connected as they want you to believe--only with a couple key people in Government who aren't really doing anything security-wise. I think ISC2 has more influence with the real security leaders, I know quite a few agency CISOs who sit on their board. I would believe an ISC2 or ISACA conspiracy before I would believe SANS was behind it all.
Total impact of requiring certifications: hardly any. Either you have one, can get one very easily or have no business being in this industry in this town.
But hey, it's Government and security, we all get to play armchair quarterback from time to time, I guess it was GCN's turn.