The Daily Incite - June 28, 2007
June 28, 2007 - Volume 2, #100
Good Morning:
ONE HUNDRED. That's right, I couldn't have planned it better. Incite
#100 for 2007 on the last writing day of the first half of the year.
That puts me on pace to deliver about 200 this year, which is about
what I planned. Actually, I didn't plan much of anything - but it's
great when a plan comes together.
I certainly am thankful for the readership growth I've seen in 2007.
I've always said, I write the TDI for me - but it's nice to know that
other folks find a little value in it. Makes it worth doing on days
like today, when the kids woke me up 4 times last night and the idea of
catching a few zzzz's on the couch is pretty compelling.
So to celebrate big #100, I thought I would answer a set of questions I
get pretty frequently. Maybe I should come up with a new term. Hmmm.
How about FAQ for frequently asked questions? That's pretty catchy. I'd
better be careful, or someone may confuse me for a marketing guy, or maybe
a plagiarist (cough. Hoff. cough. cough.).
- How do you keep up with all that news? - Well I track over 350 feeds in Google Reader (yes, I've given in to the new Borg), scan the newswires, get a lot of press releases via email and am constantly having conversations with folks on all ends of the spectrum to stay on top of things. That's my job and I love it. I'm an information junkie, so it's not like working to me. Things I find interesting I tag either news, blog or laundry in del.icio.us and then can easily get back to things when I'm writing TDI in the AM.
- Will the TDI always be free? - Given the amount of work I devote to the TDI each day, I probably should charge for it. But I'm not planning on that anytime soon. I'm very fortunate to be paying the bills through the other parts of my business (book sales, strategy consulting, speaking), so there is no compelling need for me to try to monetize the TDI. I'll never say never, but right now I'm not planning on going all VentureWire on you.
- Isn't a daily newsletter too much? - Though it seems pretty funny, I've had people unsubscribe from the newsletter because there are too many of them and people fall behind. I guess I could do a weekly, but news happens pretty much every day, no? I guess I'll let you in on a little secret... You don't have to read every single TDI. Of course, you run the risk of missing a flash of brilliance (HA!) or finding out about something trivial going on in my world. But if the volume is too much, I say unsubscribe or maybe go to the RSS feed, which gives you more control over when/where you consume information.
- What about other blogging besides the TDI? - My frequency of non-TDI blogging has fallen off the chart, and for that I apologize. It's really a time thing. With 4 monthly columns to write, the daily newsletter, on average 2-3 presentations for webcasts each month, my general research, and some new exciting products I'm working on - it doesn't leave a lot of time for other writing. But in early July I'll be revising my 2007 Incites and doing a special series called "Security Marketing Gone Wild," where I just poke at some really stupid stuff I've collected over the past few weeks. So keep the faith, I'll be back to it at some point.
So with that, I should start Inciting, as opposed to
pontificating. Happy 100 to me and to you, and thanks again for
reading. It's you folks (and your messages of encouragement and pokes
in the eye when I get something wrong) that make this a great gig. Have
a great weekend.
FYI: I'm taking the week of July 9 off. I'll be totally off the grid.
No laptop, no phone, no nothing. The Boss and I are celebrating 10
years of marital bliss. So there will be no TDI that entire week.
Top Security News
Application Security still in the spotlight
So what? -
Our friend Mr. Wiens at the soon to be defunct Network Computing (his
part time gig anyway) weighs in on yet another rolling application scanner product review.
This time it's Cenzic. In general he likes it, though it's not real
pretty. Guess the Cenzic folks forgot the memo about putting lipstick
on the pig, since that's what sells. Worked for Watchfire and SPI, no?
Ouch, that was harsh. Relative to product performance, Cenzic did well,
fewer false positives and no false
negatives, which is big - since that is the biggest time waster for all
of these products. And these guys are pretty much the last man standing
(in the scanner product game anyway). I should also point to a release the Veracode guys did this week
as well. They claim the industry is calling for "Security Insight."
Hey, isn't that what I do? They also call their new Software Security
Ratings Service a "pragmatic" way to do something that was hard for me
to figure out since I'm only seeing red right now. Or maybe they are
trying to kiss my butt. Hmm. Not sure about that. They are trying to
be the Consumer Reports of software security - good luck with
that.
And you thought your customer base was unwieldy
So what? -
I know I've said it before, but doing security for a secondary
education institution may be the 4th ring (of 7) in Hell. Just think
if you had over 50,000 students to deal with, as well as all those
pesky academics and researchers. Of course, it's critical for everyone
that academia can collaborate, but these folks also have to protect the
environment. I wonder how much of the traffic is YouTube now? This ESJ interview with the CISO of Ohio State
(one of the few non-shill pieces on the site) is pretty instructive.
Their environment is highly decentralized, so getting consensus on
policy is challenging, but it seems they are using Cisco NAC for
pre-admission control. Usually I'm more of a fan of post-admission NAC,
but for a college - making sure devices are not cesspools before they
jump on is a good thing. They also can't monitor much of anything,
given the expectation of privacy and academic freedom. Ouch. Well that
takes away a huge set of defensive options. I guess their incident
response plan better be top notch.
Talk about your hands in the cookie jar
So what? -
This SearchSecurity coverage is
disturbing, but not shocking. It seems that there are some reports of
PCI assessors pitching products and other solutions once the audit is
done. I can understand where they are coming from (sure, they only want
to help), but I think this is a very bad idea. It's that whole
separation of duties thing. If you make it very clear (and yes, you
should do this) that the auditor is NOT (did I mention NOT) going to
get any follow-on work after the audit, then they are more likely to
tell you what really needs to be fixed. Yes, I'm saying PCI auditors
are like auto mechanics. Some will do the right thing, and others will
sell you a new carburetor for your fuel-injected car, but only if you
let them. Once the audit comes back, scrutinize the results, figure out
what you really need to fix, what stuff you'll push back on, and then
go find someone else to do the work. Remember, it's your ass on the
line for the audit results, so you need to take ownership.
The Laundry List
- Security shorts are not clean. It seems many security products have security holes. NSS. Though it's hard to make the case that you should protect customers when your own stuff is a mess. - Dark Reading coverage
Top Blog Postings
Coming to the aid of awareness
Kudos to Arthur, who takes Amrit to task a bit for his continued
disdain for user awareness initiatives in his most recent Emergent
Chaos post. I'm with Arthur that awareness training must start on Day
1; in fact, that's what an entire chapter in the P-CSO is about. Of
course, Arthur can't help but put his obligatory analyst poke in there,
but I'll cut him some slack - since the rest of the post is right on
the money. I also found this post from a Kiwi practitioner called John Dierckx
(Andy Lark must be beaming) that talks about one instance where
monitoring and an all-hands meeting were used to graphically get the
point across about what is acceptable behavior and what is not. Now
showing explicit video (even if it was pulled off someone's machine)
won't fly in anal retentive geographies (like the US, for instance),
but if you can get away with it - they say a picture says a 1000 words.
Well, a movie says a lot more than that.
http://www.emergentchaos.com/archives/2007/06/awareness_1.html
Get off the crack
When I think of crack ho's in the security business, it's usually those
pay for play analysts who will put their name on anything for a buck.
But it's nice to see Farnum show the Hoff some plagiarism love by
adding crack to the list of addictions us security folks have to deal
with. Of course, I call the group the Pragmatic CSO joins in the book
"Security Products Anonymous," for all of these reasons. If we cannot
make security relevant to the business people as opposed to throwing
products at the problem, then we don't have a
chance to be successful. So on the good news front, imitation is the
sincerest form of flattery, and I'm glad the
"addiction" mindset is making its way into the common vernacular of
the security professional. And yes Farnum, I expect my royalty check to
be in the mail. Or I may have to send my Martial Arts enforcer, The
Mogull, down to Houston to collect. That is if he can stop getting hit in the face.
http://www.computerworld.com/blogs/node/5746
Looking for Distant Early Warning
One of the tips I send to the Pragmatic CSO list is the importance of
staying current. You need to know about the attacks that are happening
now, and what you should do about them. Dancho is all over the map in
this post, but he at least links to a few places where folks will share
what they know about what's going down. There are also the paid
vulnerability alert services, which I also think are a wise investment -
if you can afford it. Remember, the point is that we react faster,
and a key part of that is to know where the attacks are going to come
from. Of course, you never get total certainty on that, but at least
you can reduce the attack surface if you are tracking the emerging
attack vectors.
http://ddanchev.blogspot.com/2007/06/early-warning-security-event-systems.html