The Daily Incite - March 22, 2007

Submitted by Mike Rothman on Thu, 2007-03-22 09:51.
Today's Daily Incite

March 22, 2007 - Volume 2, #49

Good Morning:
Mortality. That's pretty deep. With the Boss's birthday yesterday, we were thinking a bit about aging and health and other nice light topics on a day of celebration. But we've been thrown some curve balls lately that really makes you think. A good friend had a random pulmonary embolism over the weekend. Thankfully, his ER doctor had a clue and they diagnosed it correctly, remedied it and he's almost good as new.

Another friend got diagnosed with the Big C. He's not even 40 yet, but we think they caught it early and it'll be a quick procedure and all will be well. That's what we are praying for anyway. A third detected a genetic cholesterol issue. What the hell is going on here? When did I get old?

Deep cleansing breaths. 1, 2, 3, 4, 5. OK, I'm OK now. But it's scary stuff. I'm not bulletproof, and thankfully besides carrying an extra Yugo around my waist, I'm in pretty good shape. Is it all downhill from here? I don't think so. I know a lot of guys in their 70's that look like they are 60. They are active, engaged, and having fun. They work because they want to and they can contribute, as opposed to having to. It's a nice place to be.

What is your prime? And how do you know you've gotten there? I have no idea and I hope to never find out. I always talk about change and renewal and I really believe it. As I look back on the almost 20 years of my career, it's kind of worked out that way. But I also believe that renewal comes from within. Murray pushes you to find your calling; lots of other folks have similar processes to get you there. Check out the self-help section in any bookstore and you'll find plenty of folks that will tell you their ideas.

Where is all this coming from? Dilbert, of course. Check out today's (here) and tell me it doesn't make you think. 10 years into it and Scott Adams still finds new things to talk about, important things. Now that is really impressive.

Have a great day.


The Pragmatic CSO
The Pragmatic CSO is Here!
Read the Intro and Get "5 Tips to be a Better CSO"
www.pragmaticcso.com

Top Security News

Visible vs. invisible security
So what? - So I ranted a bit yesterday about how convergence of physical and IT security may be bunk. I see this interview with the head of "security" for Starbucks (here) and I'm getting more convinced. IT people and physical security people see things differently; we talk a different language. Sure we need to collaborate, but it may actually be counter-productive to merge these two functions. Why? Because this interview tells me that the "perception" of safety is paramount to enabling Starbucks' mission, and that makes sense. These folks are in physical danger with every customer that walks into the store. Besides the fact that I don't like most people, that's another reason I was never cut out for a career in retail. The role of the IT security function is to be INVISIBLE. Do the least amount to impact the user experience of the folks that make the money, while keeping systems operating and protecting data. I guess there is some deterrent activity that has to happen on the IT side, but that can be achieved by an execution in the public square to remind folks that you are watching. I just think physical and IT security are fundamentally two different disciplines. Tell me why I'm wrong.

Why mess around, just re-image...
So what? - It was funny. I did a breakfast seminar this morning (which is why the Incite is a bit delayed) and I was talking to a reseller who services mostly small business. He says he spends a lot of time cleaning up crap and spyware from the machines. This tip from Kevin Beaver reflects the common knowledge (here), which is to get a tool (or multiple tools), then scan the machine. You'll find some spyware, clean it up and hope things are remedied. Hope is not a strategy. Just start over. The reseller told me that if cleanup is going to take more than 30 minutes, he just re-images the machine, which is what I've been saying for a while. Keep your data somewhere central (you should do this for backup purposes anyway), have a standard desktop build, and if you have a problem on the desktop - start over. It will save you time and money in the long run.

Another reason why compliance isn't the goal
So what? - Ed Adams goes on a bit of a tirade in this piece (here) about the PCI standard. He's right, but I'll use this as a metaphor to once again make the point that compliance DOES NOT equal security. Not by a long shot. As Ed points out, a web application firewall and a code review are not alternatives - they are complementary. The fact is, I would opt for the WAF first every time as well. The code review fixes one program, while the WAF gives you leverage across all of them, and it will be kept up to date to defend against new attacks (if the vendor doesn't suck, that is). But if you are just looking for "compliance" you can have one application reviewed and be on your way. And that, my friends, does not make you secure. Think security first. Always think security first, and compliance will follow. Interestingly enough, I figured that Ed was going to rant about compensating controls (which he should have), but that's another story for another day.


The Laundry List

FISMA backlash in full swing. This is good news because whatever FISMA is supposed to be doing - it's not working. - here
Master of the obvious alert. Data center attacks 3 times more likely to be an "inside job." And... - here
Are the companies the culprits of stock spam? Will shutting them down make a difference? I'm not sold, I think it's promoters and pump and dump traders that do this, not the companies. - here
Trackback spam is a problem. That's news, duh! That's why I had to shut down trackbacks. - here
Imperva adds change detection to their box. This is actually pretty big and shows that both blocking and monitoring are critical for every security discipline. - here
Mac fanboys, get out your swords. Another list of Mac security issues. - here

Top Blog Postings

NAC backlash is awesome
This will be a case study of how to go from hero to goat in record time. It was just months ago that everyone was talking about how NAC was changing everything. Now it's dead; just look at the coverage and recent panel discussions at some of these windbag shows. Farnum questions why any of this stuff is related to NAC at all in this post. The truth is somewhere in the middle. To be very very very very clear, what NAC does is important. Checking devices as they get on the network and monitoring their behavior once they are there is critical. It's all in how you do it and how you get there. To be clear, this is a problem that we as the security industry created. We over-hyped this technology and now folks are inevitably running for cover. It's actually pretty sad to see. Shimel may be right; this may give the industry a chance to breathe, find its sea legs and solve the problems (NOT every problem, but a few problems). Or maybe not. Just remember who was out ahead of things, telling you NAC was going to disappoint in 2007... Yes Alan, I'm baiting you and yes, you're still my friend (though I look crappy in a poncho) - even if the Sellout says nasty things about you. Tell that pu**y to show his/her face if they are so tough.
http://www.computerworld.com/blogs/node/5226

Commodity is everywhere, but not for everyone
My former colleague Michelle McLean reacts a bit to Stiennon in this post about commodity hardware in the network space. As a guy who grew up in the networking space, let me tell you a bit about networking folks (and this can apply to lots of other disciplines as well). It's not always about price. Many companies (maybe even a majority) will opt for low price per port and then overlay whatever minimal security they need to get the auditors off their back. These folks exist and I won't deny that. They are already owned, but they go along blissfully unaware and that works for them. But there are also folks that see the need for more integral security capabilities within their networking fabric, and they are willing to pay a premium for that. For the management leverage, for the additional capabilities and ultimately because it's a better way to architect your infrastructure security defenses. And as volumes increase, you'll see prices on these secure switch ports come down. Not to the commodity level, but down. One size doesn't fit all; it never has. But you'll see, the big switch players will build security into their platforms as well. They make too much money by selling separate boxes right now, so there is no incentive for them to lead, but they'll be there. Probably in 2008.
http://blog.consentry.com/blog/2007/03/the_problem_wit.html

How valuable is that data?
It's been a while since I linked to Ken Belva, but this post got me thinking about how many folks don't ask that question. They either protect everything or nothing. We are far too binary. Fact is, there is some information that doesn't need 50 layers of protection. And some that probably needs more. But until you get out there and ask the powers that be what's important (step 1 of the P-CSO), you can't know. And if you don't know, you can't optimize your security strategy. And if your security strategy is sub-optimal, then you are wasting your money. And if you are wasting your money, then your CEO is going to ask you what is important and how you can streamline (meaning reduce) the amount of money you are spending. Yes, "If You Give a Mouse a Cookie" is one of my favorite kids' books.
http://www.bloginfosec.com/?p=162


Submitted by Stiennon (not verified) on Thu, 2007-03-22 16:02.

I know I hated the idea of NAC from the very first time Cisco issued a press release with Symantec et al. about how this magic solution was going to prevent the next MSBlaster. And of course Shimel caught on to my piece in CIOUpdate last July. But look to this blog posting for my stake in the ground. February 21, 2005. It was my 28th blog posting back when I thought alliteration was pretty cool (I still have a soft spot for it).

Anyone go on record knocking admission control earlier than that?

And btw Mike, I still disagree that there is any practical benefit in checking machine state before allowing it on the network (admission). Network access control, an old but great idea, is another matter. A must have.

Submitted by Christofer Hoff (not verified) on Wed, 2007-04-04 10:42.

Sure, here you go, big boy. Enjoy.

http://rationalsecurity.typepad.com/blog/2007/04/its_a_snacdown_.html

/Hoff
