The Daily Incite - March 19, 2008
March 19, 2008 - Volume 3, #28
Good Morning:
Man, what a week and it's only Wednesday. I feel like I'm in tar. The
more I get done, the more that isn't getting done. Got to love the old
hamster wheel. But that's not what I want to talk about today.
Basically, it's about peer pressure. I hate peer pressure, but that's
just what I got at SourceBoston regarding Twitter. When I questioned
the value of telling everyone what I'm up to at every minute of the day
- it was like I'm an alien. Or as Martin so kindly put it, a "Luddite!"
Although I do know how to spell.
To be fair to
Twitter, I can see how useful it is during a conference. You can heckle
someone without getting punched in the head. You and your friends can
share jokes about the smelly AV guy (and the AV guy at SourceBoston was
quite smelly - take a shower bro!). And it does seem to be quick. But
for daily activities - I still don't get it. Right, I'm a Luddite.
So I figured I'd share how Twitter would go down for me on a typical
day.
Rothman - 7:15 AM: Leah off to the bus. Twins are coloring. Need to make them breakfast. Twins throwing crayons at each other. Another day in the life.
Rothman - 8:00 AM: Boss is up, I'm in the office. Scratching my ass. Maybe I should shower more often.
But of course, I can't forget the social aspect of Twitter.
McKeay - 6:10 AM: Got up early to scratch Rich's ass - virtually of course. There is some kind of funky red residue. Don't ask.
MediaPhyter - 7:15 AM: Finally found my Blackberry case. Also has a funky red residue. I'm not going to ask either.
Rothman - 10:30 AM: Forget this security stuff. We need to have an ass scratchers meet-up. Maybe after the blogger meet-up at RSA. Anyone game? I'll bring the latex.
Jack Daniel - 11 AM: Anyone have a mixer? I'm thinking Coke Zero, though it turns your intestines into mush.
Beaker - 11:15 AM: Just changed the name of my blog. Again. Survivability isn't any fun. It's all about sustainability. Rational Sustainability. Like we have to sustain all these crazy social networking things, even though there is very little value and even less of a revenue model.
Right. I don't quite get the value, but that doesn't mean I'm not going
to try Twitter. I probably will. But when I want to. Like when my Mom
offered me $100 to lose weight when I was 17. I promptly gained another
20. I guess I'm just difficult that way. I do stuff when I want to -
not when everyone else wants me to.
Have a great day.
Technorati: Information Security, CSO, Security Mike, Internet Security
The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" - www.pragmaticcso.com
Get Your Special Report: 6 Easy Steps to Protect Your Identity and get access to Security Mike's Portal today - www.securitymike.com
Top Security News
Do as I say, not as I do
So what? -
You knew it was bound to happen. A big-name security vendor would be
embarrassingly hacked and made to look foolish. Yes, the HackerSafe
fiasco earlier this year was a bit of a black eye for McAfee, and folks
have found XSS issues on other vendors' sites - but having a
server compromised and serving up malware is something entirely
different. Evidently that's what happened to Trend Micro. Guess who is
now looking for a job? Right, probably the CSO of Trend. Or he/she
should be. Bill Brenner of SearchSecurity.com covered
it last week. Of course other vendors - like Sophos - jumped
on with a push to use their web gateway. Funny thing is, Trend offers
a Web security gateway. Did they not have it running on that site? Did
it not work? I'd love to see Trend do a public post-mortem, but I doubt
they will. The reality is that everyone's number comes up at some
point. EVERYONE. We could all learn from how Trend handled the
situation, but I guess maintaining the perception of invincibility
is more important - which is a joke.
Link to this
7 habits - sloth, greed, gluttony, etc...
So what? -
The Forresters have come out with research they call the "7 habits of effective CISOs." I
know Stephen Covey's lawyers are probably picking through the piece to
find something to sue them over. At least I can feel good that I'm not
the only person Forrester's security team blatantly rips off.
Morality, patience. This sounds more like The Purpose-Driven Life than
a set of tactics that security professionals should adopt. But there is
some decent stuff in there, like running security like a business (damn
that copyright lawyer who told me the term was too generic), and being
the king maker, not the king. That's clearly a key one. The job of the CSO
is becoming one of influence and persuasion - NOT
empire-building and mandating action. Ultimately, the reason we see a
lot more CSOs coming from the business is that they know how to get
things done, and that is the #1 habit of an effective
anything.
Link to this
If we can't block it - let's secure it
So what? - While
I'm picking on the other analysts out there, I may as well throw a
little love to the big G. They think that security
folks need to reject the typical response of just
blocking everything. We should embrace Web 2.0 by "providing a
secure means of developing and deploying such applications."
Hat tip to Tekrati for tracking the zillions of releases the big G sends
out. How do I provide this "secure means?" Fact is, Web 2.0 is
happening and there isn't a damn thing the security folks can do about
it - even if we wanted to. I guess you could block Twitter and IM and
even blogs - but your users will hate you and they'll go somewhere
else. Especially the 20-somethings who actually realize they have a
choice about where they work. I do agree we want to set some
policies and maybe even police things a bit, but that's why I take such
a pro-monitoring stance. I know we can't stop this crap. I just want to
know when it puts the rest of my stuff at risk. Then I can REACT
FASTER. I know, you are shocked I worked that into the piece.
Link to this
The Laundry List
- Yet another web security plug-in. Is Haute Secure worth anything? Not sure. I need to try it out. - WebWare Blog
- Everyone ready for Cisco Patch Wednesday? On the fourth Wednesday of March and September, Cisco will release patches. Goody. I guess I'll plan to take those days off because everyone patches their routers immediately, right? Yes, that was a joke. - SecurityBytes blog
- Secure Computing loses patent ruling to Finjan. What's next? Another two years in appeals court. WooHoo! - Reuters coverage
- ArcSight avoids the FIRE curse. Good for them. They hit their first Q out of the gate. But now it's all about the next quarter. That's got to be fun. - ArcSight release
Top Blog Postings
Post-mortems are valuable
Following up on my thought that Trend should do a public post-mortem
about what resulted in their web sites being compromised, Shostack
points to a good example of this from the operations world. A hallmark
of my incident response approach is to do a very formal and very
defined post-mortem. Yes, it's painful. Yes, you have to actually admit
that something went wrong and that you are not perfect. But if you
don't do that, you are pretty likely to have the same issue down the
road. And then you'll be doing more than admitting fault. You'll be
looking for another job. No one is perfect, get over it.
http://www.emergentchaos.com/archives/2008/03/you_cant_say_that_bloggin.html
Link to this
Information centricity - Name that tune.
Of course, the Hoff needs to pile on to Rich's post about
information-centric security. He even finds ways to pick apart a
number of my statements. Now that he is back from down under, maybe he
could even show us some examples of how a DLP solution is doing
anything like information-centricity. Or maybe I'm just confused by the
uber-brain of the Hoff and how he thinks maybe 500 steps ahead of
everyone else. Based on my limited brain capacity, the DLP vendors can
profile and maybe even classify the types of data. But that classification
is neither self-describing nor portable: it lives in the gateway, not in the data. So once I make it past
the DLP gateway, the data is GONE baby GONE. In my world of
information-centricity, we are focused on what the fundamental element
of data can do and who can use it, and that policy needs to be enforced anywhere
the data can be used. Yes, I mean anywhere. Name that tune, Captain
Hoff. I'd love to see something like this in use. I'm not going to be
so bold as to say it isn't happening, but it's nothing I've seen
before. Please please, edumacate me.
http://rationalsecurity.typepad.com/blog/2008/03/the-walls-are-c.html
Link to this
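To make the "self-describing and portable" distinction concrete, here is an added example (my own illustration, not code from the post, from Rich's or the Hoff's writing, or from any DLP product). It contrasts a gateway that computes a classification label and then forwards the bare bytes with an envelope that carries its own policy plus an integrity tag, so any endpoint that receives the object can enforce the policy itself. The key, principals, uses and sample record are all constructed for the demo; a real system would use per-tenant keys or public-key signatures rather than one shared HMAC key.

```python
"""Self-describing data envelope versus a DLP gateway label (added example)."""
import base64
import hashlib
import hmac
import json

# Constructed shared secret between the issuing system and every consumer.
# Assumption for the demo only; not a recommended key-management design.
DEMO_KEY = b"demo-key-constructed-for-this-example"


def _canonical(obj) -> bytes:
    """Deterministic serialization so the MAC covers exactly one byte string."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def dlp_classify(payload: bytes) -> str:
    """Gateway-style classification: a label the gateway keeps for itself.

    Nothing is attached to the bytes, so once the payload is past the
    gateway no downstream consumer can tell it was ever classified.
    """
    text = payload.decode("utf-8", "replace").lower()
    if "ssn" in text or "account number" in text:
        return "confidential"
    return "public"


def seal(payload: bytes, classification: str, principals, uses, key=DEMO_KEY) -> dict:
    """Wrap payload with a policy and an HMAC so the policy travels with the data."""
    body = {
        "policy": {
            "classification": classification,
            "principals": sorted(principals),  # who may use it
            "uses": sorted(uses),              # what they may do with it
        },
        "data": base64.b64encode(payload).decode(),
    }
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {**body, "tag": tag}


def verify(envelope: dict, key=DEMO_KEY) -> bool:
    """Check that neither the policy nor the data was altered in transit."""
    body = {k: v for k, v in envelope.items() if k != "tag"}
    expected = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope.get("tag", ""))


def open_envelope(envelope: dict, principal: str, use: str, key=DEMO_KEY) -> bytes:
    """Point-of-use enforcement: runs wherever the data lands, not at a choke point."""
    if not verify(envelope, key):
        raise ValueError("envelope tampered with or not issued under this key")
    policy = envelope["policy"]
    if principal not in policy["principals"]:
        raise PermissionError(f"{principal} is not allowed to use this data")
    if use not in policy["uses"]:
        raise PermissionError(f"use '{use}' is not permitted by policy")
    return base64.b64decode(envelope["data"])


def demo() -> dict:
    """Run both paths over one constructed record and report what each enforces."""
    record = b"Customer SSN 123-45-6789, account number 0042"  # constructed sample
    # Gateway path: a label is computed, but the payload leaves unchanged.
    label = dlp_classify(record)
    forwarded = record
    # Information-centric path: the policy rides inside the object.
    env = seal(record, "confidential", ["alice", "payroll-batch"], ["read"])
    results = {
        "gateway_label": label,
        "forwarded_is_bare_bytes": forwarded == record,
        "alice_read": open_envelope(env, "alice", "read") == record,
    }
    try:
        open_envelope(env, "mallory", "read")
        results["mallory_read"] = "allowed"
    except PermissionError:
        results["mallory_read"] = "denied"
    # An attacker who rewrites the policy to admit themselves breaks the tag.
    tampered = dict(env)
    tampered["policy"] = {**env["policy"], "principals": ["mallory"]}
    results["tamper_detected"] = not verify(tampered)
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the contrast is the `forwarded` variable: the gateway knew the record was confidential, but what it passed along is indistinguishable from any other bytes. The envelope, by comparison, can be opened on a laptop, a batch server or a partner system and still refuses mallory and still refuses an unlisted use, and any attempt to edit the policy in transit fails verification.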
Seven deadly sins of pen testing
Looks like Dave G crawled out from under his gold-lined rock long
enough to give
us mere mortals some tips about how not to do a pen test. This is good
stuff, especially the first one about managing time. The fact is, a
patient attacker cannot be stopped. They will get in, sooner or later.
That's something we need to keep in mind. I also like the point about
over-automation. I'm a big fan of pen testing tools, but you still have
to focus a bit on the human aspect, both in using those tools in
innovative ways and in doing things like social engineering that
most tools don't do very well. Remember, the attackers don't have to
follow any rules. They are just focused on getting in. Think
unconventionally when you are testing a network, system or application
- the bad guys are.
http://www.matasano.com/log/1026/seven-deadly-pen-test-sins/
Link to this
Some of us aren't Luddites -- it's just that some of us realize that Twitter isn't much different from IM, which is soooo fifteen years ago. We're ahead of our time, not behind it. ;-)
Mike:
Methinks you missed the point of my post.
Rather than play comment pong, I posted a reply over here for you.
http://rationalsecurity.typepad.com/blog/2008/03/no-good-deed-go.html
/Hoff