The Daily Incite - March 10, 2008
March 10, 2008 - Volume 3, #24
Good Morning:
I've been in Europe for the past couple of days. As you are reading
this, I'll be doing the keynote speech for a customer conference held
on the Continent.
Between a couple of 9-12 hour flights, and a few days to think (since
the Boss kindly let me come in a day early to check out the sites),
I've drawn some conclusions.
First of all, I have a love/hate relationship with travel. For my job, it is a
necessary evil. If I'm at home for too long, then I'm not getting out
there seeing the people. I'm not as good at my job, if I can't field
test my positions and do real research by talking to real people about
the issues they have. Sure I rely on my network of contacts, but there
is nothing like getting out there and chatting with folks.
Travel also takes me away from my family. I've come to embrace the
homebody that likes to get up with the kids in the morning and get them
ready for school. I stop working (most nights) in time to help clean up
dinner and then get them ready for bed. I really enjoy that time and
jealously guard it.
Yet, there is so much to see out in the World. In the US, we think old
is like 200 years. You take your kids to see battlefields and the like.
The stuff in the US just isn't that old. In Europe their stuff is
thousands of years old. THOUSANDS. The moss on some of the ruins over
here is older than the US Constitution. Now that is old, and unless you
get out of your little comfortable existence - you don't get to experience
that stuff. So as much as I hate being away from home, you can't see
the world unless you travel a bit.
I saw a lot of families traveling together, and that is what I'm
waiting for. When the kids are old enough to appreciate trips to
far away lands. Not when they are pissing and moaning because the
chicken nugget doesn't look the same as Wendy's. In maybe 4 or 5 years
they'll be ready. And so will I. I didn't get the chance to do any of
this stuff when I was a kid. It wasn't an option. But I've been very
fortunate and it is an option for my family.
I can't wait to answer questions like, "Dad, why don't they
have a shower door in the bathroom." For the life of me, I don't know.
I've been to many countries around the world, and most of them see no
problem with getting water all over the friggin' bathroom when you
shower. Some have half-doors, some have no doors. Some don't even have
stalls. The shower head is pretty much in the middle of the bathroom.
When I'm traveling solo, it isn't an issue. But if I had 5 people
around, it would be quite a mess.
I'm sure I'll make up some answer for the kids. There must be
something on Wikipedia about it. Maybe I'll even ask some of my
European friends why there is no need for a shower door. Today that
just seems a lot more important than what's the latest and greatest on
IPS, but maybe that is just me.
Have a great day.
Photo credit: "Our shower had half a door" uploaded by
Gary and Kristie
Top Security News
Security metrics: Just do something!
So what? -
Dan Geer is out beating the drum for anchoring a security program with
some kind of metrics. He and Andy Jaquith and Pete Lindstrom deserve
props for being evangelical about this topic well before most others.
Though I got to the party a bit late, and still have serious questions
about the stuff we like to count versus the stuff we have to count to
be relevant with the folks that pay the bills, I believe Dan is right on in this SearchSecurity
interview. Just do something! It doesn't have to be perfect.
You don't need 5 9's precision, but you do need to start somewhere.
Most folks remain paralyzed by the sheer daunting nature of all the
things that can be counted, but now is not the time for
analysis/paralysis. Buy Andy's book. Buy my book. Look at Dan's
presentation (all 426 slides of it!) on the topic and do
something. Remember, time waits for no
one, especially the CFO who is still waiting for you to tell him/her
why you are relevant.
Secure USB thumb drives cut both ways
So what? -
The sanctity and integrity of corporate data is always a concern. Thus,
there are now plenty of options to ensure the data on USB thumb drives
is protected. InformationWeek goes over 12 of them in this
article. Similar to full disk encryption, ensuring that data
stored, transferred or otherwise pilfered on a thumb drive is protected
should be a priority, given that the downside of not doing so is
informing all of your customers that their
data has been compromised. That being said, this blade cuts both ways
in that the capabilities of these secure thumb drives could easily be
turned inside out and used against you. Organizations have a few
options to deal with this issue, the first being a move to turn off the
USB ports on their devices. That's a pretty binary remediation and
usually goes over like Castor Oil, but it's an option. For those
investing in stand-alone DLP solutions (yes, despite my projections
that the market stalls this year, companies will be deploying the
technology), ensuring the solution provides endpoint protection is
important.
Anti-bot? No surprise.
So what? - It's amazing how tech media always tries to make old news into something new. Like this eWeek article about a new
class of "anti-bot" technology that is filling the gap where AV doesn't
get it done. Why is this a surprise? It's the innovation,
integration, consolidation cycle making yet another appearance. There
will always be new threats, and the big companies cannot innovate fast
enough to keep pace. So a bunch of new VC-backed companies show up to
meet the perceived "need" until Big Security gets their act together.
Maybe they build it or maybe they buy it, but eventually they get it.
And then the need for these new companies goes away. Those that aren't
consolidated, go away. Wash, rinse, repeat. Jaquith has it right in his
quote: the anti-spyware market that isn't a market is a great analogy.
Though it's not clear there is enough of a difference in bot-based
attacks to warrant a new class of technology. The reality is there have
always been gaps in what AV does, and there always will be. That's why
layers of security are still important.
The Laundry List
- See Dick run. See Jaynes try to run faster. There must be a joke in there about Jeremy Jaynes' spam conviction holding up and his sentence being confirmed. Hope the big house is comfy. KY is in the mail. - Douglas Schweitzer's Blog
- The storage and security line continues to blur. Hitachi brings FAST's technology to market with their storage stuff. Security is a feature of yet another market. - NetworkWorld coverage
- Providing access to log data via an API is a good idea, though it's hard to see how 15 consumers of LogLogic's API is a reason to declare victory. I guess everyone has to start somewhere. - LogLogic release
- IE 8 adds more security goodness. But until there is a NoScript-like option, it's not good enough. - Zero Day Blog
Top Blog Postings
Virtualization is different, but how much?
Grumpy Pete picks up the ball from the Hoff in questioning the use
cases for virtualization security. Pete is right on this account. We
certainly don't deploy security for every 15-20 nodes in a physical
environment, why would we do it for the virtualized world? The answer
is... Drum roll please... There is no answer yet. We just don't know to
what degree virtualized machines will be used across what needs to be
strong, physically segmented boundaries. We don't know what
technologies like VMotion will really do when the masses start to
deploy it. We also don't know what the attacks will look like because
we haven't seen (m)any yet. A lot of smart guys spend a lot of time
trying to figure out plausible use cases
and doing threat models, and that's a great thing. But in reality, we
aren't going to know, until we know. Yes, it will be too late - but it
gives us yet another opportunity to REACT FASTER. Rip Van Shavlik weighs in on the topic here,
which must be his first substantive blog posting in a long time. Fact
is, every configuration management vendor needs to figure out how and
when they are going to deal with the virtualization threat. It may be a
paper tiger now, but at some point it won't be. The real question is
when. It would be very handy to have a crystal ball.
http://spiresecurity.typepad.com/spire_security_viewpoint/2008/03/virtualization.html
Counter logic from Jeremiah
Great post here from Jeremiah talking about the folly of 100% security.
Yes, we have to balance resources and investment against risk. Everyone
knows that. But the interesting part of the discussion is when Big J
talks about whether professional fraudsters or troublemakers create
more of a problem. He's absolutely right that fraudsters always look
for the path of least resistance. There are a lot of sites to attack
out there, so if yours is a bit harder to crack - the bad guys will
move on to the next. The troublemakers may spend a bit more time
because it's a labor of love for them - not a business. The good news
is that most troublemakers don't have the skills to penetrate adequate
defenses, which is good for those that have adequate defenses. But they
will try and try again, and that would/should represent a different
type of activity on your networks and applications. Yes, I'm beating
the drum for monitoring again, and this is yet another reason.
Monitoring will help you to understand when a persistent troublemaker
continues to bang away at your stuff. Or you can wait until their
patience pays off (for them).
http://jeremiahgrossman.blogspot.com/2008/03/100-secure-websites.html
The Mogull's Big Information-Centric Security Thought
The Mogull just laid out your work for the next 10 years. You just
probably don't know it yet. Yes, it's all about ensuring that the
fundamental elements of your data are protected, however and wherever
they are used. Rich has broken it up into 4 thoughts. The first one
made my head explode: "Information (data) must be self-describing and
defending." Now I have to clean up the mess. Sure things like DRM are a
bad start, and have tarnished how we think about information-centric
security, but you do have to start somewhere. The reality is this is a
really long term vision of a problem where I'm not sure how you get
from Point A to Point B. We all talk about the lack of innovation in
security. And how the market just isn't exciting anymore. What Rich
lays out here is exciting. It's also a really really really big
problem. If you want a view of what the next big security company does,
it's those 4 things. And believe me, if I knew how to do it, I'd be
doing it - not talking about the need to do it.
http://securosis.com/2008/03/05/principles-of-information-centric-security/