The Daily Incite - March 4, 2008
March 4, 2008 - Volume 3, #22
Good Morning:
I don't know when it happened, but it happened. I got old. Yeah, the
gray hair is the first indication, but I have a genetic thing there -
my hair has been graying rapidly since I was about 28. I'm getting some
of those wrinkle lines around my eyes and on my forehead, but I figured
that's because my face was scrunched up most of the time to avoid
saying something mean. I'm sure my
facial expressions speak volumes, but I've been trying to not say what
I think to people I don't know well.
But this has
nothing to do with the physical side. In fact, I feel as young as I
have in a long time. It's my mentality. I'm sitting in a lunch deli
grabbing a veggie sandwich and two adolescents walk in. At least they
looked like adolescents. I couldn't believe either of them could drive.
Then they proceed to start throwing F-bombs and talking about the need
to go score some alcohol.
Evidently one of them turned 21 that very day, and he wanted to
exercise his newfound freedom. As opposed to remembering (or not
remembering) my 21st birthday (yes, I still have the empty bottle of
Jose Cuervo), all I could think of was how much I wanted to hit both of
these kids with a bat. I'm not even sure why, but that's what I was
thinking. Yes, it's a good thing that I work alone most of the time.
Then I got it. I'm friggin' old. I don't get MySpace. I'm not on
Facebook. I don't Twitter, but that's a topic for another day. My liver
is tired, I guess. Sure, a few times a year I'll tie one on. I can
still drink enough to sink a battleship when I get going. But most of
the time I'm not into it. My kids will jump on me just the same at 7 AM
that next morning, and it's no fun when my head is pounding BAD. No
amount of Gatorade and Advil can make that 7 AM wake up call feel good.
The Boss doesn't drink anymore, so without a drinking partner, it's
kind of lame to get all liquored up and then puke on the carpet. I
never wanted to be that guy that gets
hammered in the comfort of his own living room by himself. I guess it's
true. I'm
old. But all is not lost. I figure I still have a few great stories
left in me. Like my Dad, who passed out ON the bar at my wedding.
Literally. We had to get a wheelchair to cart him upstairs. Then he
booted all night and most of the drive back to NY. His Boss was none
too pleased, but we were - especially since we took pictures. Those
images still bring a huge smile to everyone who was there.
But the fact remains that I'm much closer to the end of my binge
drinking career than the beginning. I'll just let those kids be and
hope they don't get behind the wheel when they are tanked and hurt
someone. I'll be happy that I actually lived to tell the tales of some
of the really stupid things I've done. And I'll be grateful that I'll
actually have relevant advice when my kids get to the point that they
are all fired up to go and exercise their newfound ability to buy booze.
I can tell them I've been there, done that and puked on the T-shirt.
Have a great day.
PS: I finished up all of the Days of Incite last week (YAY!). You can check out all the posts using the "Days of Incite" tag on the Security Incite site (say that 10 times fast).
Photo credit: Happy Hour uploaded by chiwan
Top Security News
McDreamy on international cybercrime
So what? -
Who knew the actor from Grey's Anatomy was a cybercrime expert? In this
Internet Evolution column Patrick J. Dempsey
talks about international cybercrime and why most governments
are horribly unprepared to defend themselves or their citizens. It gets
back to the money quote: "The fact is that Internet crimes are almost
always international crimes." That's right and further complicating the
fact is that most of the perpetrators hide behind layers and layers of
zombies and other obfuscation techniques to stay hidden. Organized
crime-based money laundering engines clean the money and it is
increasingly becoming a well-oiled machine. And it's not clear how to
stop it, and I doubt McDreamy's idea of Internet governance has any
legs. Gosh, we can't even get consensus in the US between our two major
parties, the idea that we are going to agree with China and Chechnya
about how to regulate the Internet - not likely. It would be great, but
it's not likely. Thus we continue to focus on trying to contain the
"shrinkage" to a manageable number and realize, like every other
business, fraud adds some drag to the system. And no, this Patrick
Dempsey is not the actor.
Cyber-crime assurance - testing cuts both ways
So what? -
I've long been a fan of security testing, pen testing, security
assurance or whatever you want to call hacking yourself. I even wrote a
2008 Incite called Hack Thyself
dedicated exclusively to it. But if it's good for the goose, evidently
it is good for the gander as well. According to Panda, the bad guys are
starting to test their malware to make sure it works as
intended and can skirt the common defenses. This isn't novel, by the
way. Spammers have been banging their creations against all sorts of
spam gateways to test their stuff for years. With the availability of
free and/or cheap services, why wouldn't the bad guys take their stuff
on a test run? Stay focused on the prize: if the bad guys have figured
out that testing is important, what are you waiting for? Sure, I know
the list is long, but how do you know what to do unless you know what's
really exposed?
The Security skills gap is here
So what? -
I spend a good part of my days just confused. The data I get is
contradictory and in some cases, just doesn't make sense. I get a lot
of questions asking me how to "break into" the security business. First
of all, "break into" probably isn't the right vernacular to use with
security people. Then I read surveys that talk about the severe skills
shortage in the security business. Here's the issue in a
nutshell: Most organizations are not realistic in what they are looking
for. The reality of the CSO's job today is that they need to also be a
talent creator. The talent isn't there, so we have to grow it. Look to
places like the network team or the help desk to find internal talent.
Or go to a bunch of the technical colleges that now have
specializations in security. These folks are motivated and they want to
make a difference, but they keep being stonewalled by short-sighted
companies that think paying Lee Kushner a boatload of coin is going to
solve their problem. It's good for the experienced folks, since their
perceived value goes up - but remember if these experienced folks are
so willing to follow
the money to your shop - what makes you think they won't continue
following the money? Establish a farm system. Invest in it. Give some
of these folks a chance. Or continue to complain about why you can't
find qualified folks to do the job. The choice is yours.
The Laundry List
- Cenzic's trend report shows what we already know, web security is an issue. Interestingly enough, IE was the "least vulnerable" browser in Q4. What the hell does that mean and why does that matter? - Cenzic release
- Guidance announces Q4 and full year results. They aren't really covered by too many Wall Street houses, so it's not clear where the bar is. - Guidance earnings release
- MSS continues to be the salve to ease all of the VAR woes out there. Just ask Ingram, who's now offering Alert Logic's stuff to their resellers. The real question is how much is left for Alert Logic with Ingram and a network of resellers with their hands in the cookie jar. - Alert Logic release
- LogRhythm announces the latest version of their stuff. Marketing differentiation is gone from that market. Everything officially sounds the same now. - LogRhythm release
Top Blog Postings
The true cost of a data breach
Interesting challenge discussed in this post from Stuart King. What is
the real cost of a data breach? If you look at the foil of anyone who
talks about security - TJX - you see that their financial results have
suffered minimally due to the Titanic of all data breaches. At least on
the top line. But the reality is that TJX is getting lucky. The US
economy is in the crapper (whether the current administration wants to
believe it or not) and that means people are looking for bargains. TJX
is in the bargain business, so they will do well. If this was 1999 and
they had this kind of data breach, would the song remain the same?
That's a great question, and one that we can only speculate on.
Stuart's point is that he won't be able to convince everyone of the
need to protect customer data. Some organizations will culturally roll
the dice and hope they don't roll craps. Others will do the right
thing. If your organization doesn't take data protection seriously,
then you need to really think about whether you can be successful in
that role in that organization. If the answer is no, then get out NOW!
You don't want to be at ground zero when the number comes up.
http://www.computerweekly.com/blogs/stuart_king/2008/02/a-few-days-ago-i.html
Different secure application deployment models
As Gunnar writes in this post, we recently did a panel together about
SOA Security. One of the most interesting topics is how to deploy these
secure apps, and
it's not totally intuitive. These first couple of models really just
scratch the surface on what security folks need to know. What's more
apparent to me is the real knowledge gap between the
application folks and the security folks that are trying to make sure
Internet-facing Swiss cheese is minimized. Training (check out Gunnar's
training course for more details) is a key first step, but the reality
is we are a number of years behind in application security, relative to
other security disciplines. Since applications are the path of least
resistance right now, we need to fill the gap quickly. That's why I
keep telling folks that want to get into the security business to learn
all they can about applications and to do it quickly. That's where the
real skills gap remains in the security business.
http://1raindrop.typepad.com/1_raindrop/2008/02/security-deploy.html
Availability will always win (over C and I), and it should
There are lots of reasons that the CIA triad (confidentiality,
integrity, and availability) should be equal. Hoff talks a bit about
them in a few prior posts and in this post uses the Pakistani YouTube
fiasco to make
the point about everyone being a good citizen, which keeps the Internet
trains running on time. The reality is I have mixed feelings on the
idea. I think Availability trumps the others for good reason. If you
can't conduct business, whether the information is confidential or
stored with integrity is meaningless. When I came up with the P-CSO
Reasons to Secure, "maintaining business system availability" is the
first. I also say in front of a crowd that availability is Job #1. Yes,
before protecting intellectual property, limiting corporate liability,
safeguarding the corporate brand, and enduring compliance. Without
availability, you have nothing. The real challenge is to strike a
balance.
At some point we need to compromise and find a set of secure
infrastructure and protocols that can also work within the availability
constraints we are willing to fund. And yes, we will continue to have a
number of security issues that impact availability. That's when we
really find out how important security is to the organization. If the
powers that be aren't willing to pay for it, then it's not that
important.
http://rationalsecurity.typepad.com/blog/2008/02/availability-co.html