The Daily Incite - May 14, 2007

Submitted by Mike Rothman on Mon, 2007-05-14 08:33.
Today's Daily Incite

May 14, 2007 - Volume 2, #78

Good Morning:
Another Monday. It's hard to believe but this school year is pretty much over, down here in the South anyway. The twins have one week left and Leah two weeks and then "school's out for summer." It's actually pretty cute, since the kids still like school, they think it's fun. Which is great, I hope they always think that way. They probably won't, especially with all the pressure to achieve nowadays, but we can hope - right?

It was also a big weekend around the house, with it being Mother's Weekend and all. Right, it's not just a day - it's a weekend. I figure next year, it may be an entire week. We started the festivities by seeing Gwen Stefani on Friday night and she put on a great show, despite torrential rains as everyone was entering the joint. Nothing like having a soaked-through shirt and shorts for a few hours. But it was fun.

Then we did the typical weekend: I get up and head to the gym with the kids each day while the Boss kicks back and enjoys the silence. I do let her sleep in on Mother's Day, which is nice since the twins are battling the Rooster for break-of-dawn wake-up duties. Finally, we've got our neighborhood garage sale this week, so it's time to get rid of all the crap that has accumulated over the past year. It really is scary how much stuff piles up. My new favorite toy is actually an old piece of equipment - the trusty hand truck. I love my hand truck. 250 lb TV, no problem. Treadmill - quick work. Did I mention that I love the hand truck? If you don't have one, you are missing out.

Though this year's garage sale will be a little weird, since we are selling the cribs and a big-ass double stroller. It really hits home that the kids are growing up. It's a good thing, since the twins are almost human now and hold "sort of" conversations. We're not ready for Relativity yet, though they are very conversant about Buzz Lightyear. I wonder what Einstein would say about Buzz? The days of inert blobs of mass just hanging out and drooling on themselves are gone, for about 70-80 years anyway. I guess I should start looking forward to the days when they are changing my diaper and putting a bib on me, so I don't drool through my dentures and ruin my shirts.

On that fine note, have a great day.



Top Security News

Deal: Verizon to acquire CyberTrust
So what? - Verizon follows BT's lead and does a deal in the security services space. By acquiring CyberTrust, Verizon gets a much bigger brother to their NetSec MSS operation (brought in with the MCI deal) and a global footprint, which every bit hauler needs to get. No word on price, but the rumor mill has it in the 2x revenues range - which is actually pretty good for a services-only play. Strategically the deal makes sense for Verizon, but it'll depend on how much of the security DNA stays around once the deal closes. Security intelligence, ICSA Labs, and a lot of research were the hallmarks of my former employer (I worked for TruSecure, which was one of the pieces of CyberTrust) - but those assets walk out the door every night. Retaining those folks needs to be a top priority for the Verizon brass if the deal has any chance of success. It'll also be interesting to see if Verizon as an entity buys into CyberTrust's Security Management Program and eats their own dog food. They are doing a conference call this morning, but it's only a bunch of marketing folks - not even the CEO of CyberTrust. Guess he's too busy counting his money. 
Link to this

Business first (even if you do security)
So what? - I guess Microsoft gives their Security MVPs a monthly venue on TechNet to wax poetic about whatever comes to mind. This month's Security MVP article is pretty good. Gideon Rasmussen talks about the need for even security people to understand business and get a line-of-business orientation for their security operation. Sounds very Pragmatic to me. He mentions the importance of "business partnerships" and also the fact that it will likely be a cultural shift for most of the technically-oriented CSOs out there doing their thing. I agree with this stuff whole-heartedly.
Link to this

$100 PCI should hit the commode
So what? - I love how some vendors figure that doing a scan and providing a questionnaire will make someone PCI compliant. And the jokers from Comodo say they can do it for $100. This sets the wrong expectation for customers, but unfortunately there is no accountability required at any level of the stack to prove it one way or the other. I'm sure TJX did some scanning and look where it got them. A scan does not equal PCI compliance, but I'm sure I'll be saying that until I'm blue in the face. What happens if one of these $100 customers is nailed? Probably nothing. Maybe some enterprising beat reporter will pick it up and throw a few stones at these boiler room scanning houses, but their customer base doesn't read InformationWeek or SearchSecurity. So this shell game will continue on and the only good news is that statistically most of these folks won't be targeted, thus they won't be owned, thus they'll think it's $100 well spent. It's not.
Link to this

The Laundry List

  1. Those that forget history are destined to repeat it. Tim Wilson reminds us that we've seen most of these "new" security issues before. - Dark Reading Column
  2. Cyveillance will tell you if that phishing attack on your brand also contains malware. Like that matters. - Cyveillance press release
  3. Blue Coat's K9 gets an Australian kudos, and will leave on walkabout for a year or two. - Blue Coat press release

Top Blog Postings

This is why people don't give a crap about security
Last week everyone in the security business was in a huff about the billions or so that it supposedly will cost TJX to fix the data breach. First, as I said last week, I don't believe those numbers, not for a second. Unless the class action vultures win big (this ain't tobacco folks, people are not dropping dead), TJX will settle a few years from now for a couple hundred million. Meanwhile, as the Emergent Chaos guys point out, TJX sales are growing. 7% year over year. Not astounding growth (by our snobby tech idea of growth), but you'd intuitively think all of this brand damage would have an impact on sales. Guess not. Ultimately, we can assume the consumer out there cares more about being able to put food on the table, than if their data is kept private. Go figure.
http://www.emergentchaos.com/archives/2007/05/what_me_worry.html
Link to this

Two-factor is no panacea
Kai Roer (say that 10 times fast) reminds us that two-factor authentication is a good thing, but not the only thing. Tokens are still vulnerable to a man-in-the-middle attack (though it would have to be a good one) and it's still important to train users about what to look for. I think mutual authentication is important (where the web site authenticates to you as well), but it's horribly underused and even more horribly communicated. Yahoo actually uses mutual authentication on their login page, so when I need to log in I get to see a cute picture of my kids to show me it's the right site. But is it? Could even the picture be spoofed and taken by doing a remote database call on the picture server? Don't know, but it's possible. So once again, layers are good, education is good and at the end of the day there is no 100% security.
http://www.roer.com/security/archive/2007/may/Two_Factor_authentication_foolproof_and_supersafe
Link to this
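Why a token code alone doesn't stop a relayed session, as an added example that is not from the post or Kai's blog: an event-based OTP verifies no matter which transaction the session in the middle submits, while a code the token computes over the transaction details fails once the payee or amount is substituted. The seed, payee names, amounts and the HOTP-style truncation are all constructed for the demo.

```python
import hmac
import hashlib
import struct

# Constructed demo seed shared by the user's token and the bank's verifier.
SEED = b"constructed-demo-seed-not-a-real-secret"

def truncate(mac: bytes, digits: int = 6) -> str:
    """HOTP-style dynamic truncation of an HMAC down to a short decimal code."""
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def plain_otp(seed: bytes, counter: int) -> str:
    """Ordinary event-based token code: depends only on the seed and counter."""
    return truncate(hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest())

def txn_code(seed: bytes, counter: int, payee: str, amount: int) -> str:
    """Transaction-bound code: the token also signs what the user is approving."""
    msg = struct.pack(">Q", counter) + f"{payee}|{amount}".encode()
    return truncate(hmac.new(seed, msg, hashlib.sha1).digest())

def verify_plain(code: str, counter: int, payee: str, amount: int) -> bool:
    # The bank never looks at payee/amount, so any valid code for this counter passes.
    return hmac.compare_digest(code, plain_otp(SEED, counter))

def verify_txn(code: str, counter: int, payee: str, amount: int) -> bool:
    # The bank recomputes the code over the transaction it is about to execute.
    return hmac.compare_digest(code, txn_code(SEED, counter, payee, amount))

def substituted_transaction_accepted(scheme: str) -> bool:
    """Does the bank accept a substituted transaction when the user's code is relayed?

    The user approves ("Alice", 100) on the token; a session sitting between user
    and bank forwards that code but submits ("Other", 5000). True means accepted.
    """
    counter = 7
    if scheme == "plain":
        user_code = plain_otp(SEED, counter)
        return verify_plain(user_code, counter, "Other", 5000)
    user_code = txn_code(SEED, counter, "Alice", 100)
    return verify_txn(user_code, counter, "Other", 5000)

if __name__ == "__main__":
    print("plain OTP, substituted transaction accepted:", substituted_transaction_accepted("plain"))
    print("transaction-bound, substituted transaction accepted:", substituted_transaction_accepted("txn"))
```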

Hoff gives good gradient
Chris Hoff uses Gunnar's recent Security Architecture Blueprint as a way to discuss Chris' long lost work on Unified Risk Management - whatever that means. I guess the term Unified Threat Management was taken, so there you go. Actually someone as smart as Chris always seems to find a way to complicate things dramatically. And that's my biggest problem with the URM. Not that it's wrong, it's actually right. But it's not really comprehensible to the great unwashed. At least Gunnar uses terms that most folks have heard of before (like SDL and Domain Metrics). Chris liberally lathers on a bunch of frameworks (like a risk assessment framework and an IT ops and management framework), but the colors on Chris' diagram sure are pretty. I also know that Chris has eaten his own dog food and used this kind of approach when he was a CSO-type. So, as opposed to keeping things at a very high, architectural level - it would be very helpful to hear about how this stuff works in practice. Most of the folks I know actually have to do things, as opposed to study them.
http://rationalsecurity.typepad.com/blog/2007/05/unified_risk_ma.html
Link to this


Submitted by Christofer Hoff (not verified) on Mon, 2007-05-14 08:55.

Aw, shucks, Mike. I didn't realize I'd complicated things with big words like "Identity Management." ;)

As I mentioned, URM is a model where each of those little colored boxes actually has well-defined "stuff" in them -- including products and actual implementation glue -- such that rather than just be a toothless framework that tells you what to do without telling you how to do it, you can see what actually works.

I put up the URM piece because I found great similarity to Gunnar's model. I really don't see how it's all that complicated myself...but then again (and as I stated) the real meat is in the expanded diagrams that give up exactly what you asked for: "as opposed to keeping things at a very high, architectural level - it would be very helpful to hear about how this stuff works in practice. Most of the folks I know actually have to do things, as opposed to study them."

Fair enough. I'll start posting the mechanics...

/Hoff

Submitted by Igor Drokov (not verified) on Mon, 2007-05-14 10:21.

"...get to see a cute picture of my kids to show me it's the right site. But is it? Could even the picture be spoofed and taken by doing a remote database call on the picture server?"

Using this method is neither particularly secure nor effective with real users. The security problem is demonstrated here:

http://paranoia.dubfire.net/2007/04/deceit-augmented-man-in-middle-attack.html

and effectiveness (or lack thereof) - here:

http://www.usablesecurity.org/emperor/ - 97% of users in their study chose to login despite the image being not present.

Submitted by Kai Roer (not verified) on Mon, 2007-05-14 11:17.

Dear Mike,

 Thank you kindly for your listing and comments about my blogpost on two-factor authentication and man-in-the-middle attacks. Your Daily Incite is a great contribution to the blogsphere and I appreciate your commitment!

To your readers - Igor Drokov over at Security x.= has some interesting views on the topic too: http://blog.cronto.com/index.php?title=transaction_verification_can_protect_aga

Kai 
