The Daily Incite - May 16, 2008

Submitted by Mike Rothman on Fri, 2008-05-16 09:34.
Today's Daily Incite

May 16, 2008 - Volume 3, #47

Good Morning:
It's that time of year again. We're almost at the end of the school year, and that means it's dance recital time. The girls have been working hard (OK, maybe working not so hard) at dance class for the past 10 months, and it's time to show off their stuff. This year, both girls were performing since Lindsay (my younger daughter) started dance also.

I have to admit, the girls looked really cute in their dance outfits with their hair up in that crazy bun. I wear my hair pretty short, so I guess I'm always sporting a bun - but evidently it's a lot of work to get the Gordon Gekko look on 4- and 7-year-olds.

I'll also come clean that for me, a dance recital is like going to a foreign country. I don't know if it's good or bad, but it's different. Besides being forced to watch "So You Think You Can Dance" each summer and maybe a few Justin Timberlake videos, I've seen very little dance. I know it's probably shocking, but I don't go to the ballet or any kind of interpretive dance shows.

If I'm going to see someone perform, they better be playing some kick ass music or making fun of the guy in the front row, so I can laugh my ass off. But being the good Dad that I try to be, we loaded up 13 of us (two sets of grandparents, uncle/aunt and first cousins, and some family friends) to the community center to see the show. Of course, Murphy's Law came to visit and the video camera didn't hold the charge, but being the contingency planner I was able to take some video on the digital camera. I've got nothing on Spielberg - but I can't wait to show the girls that video when they are 25.

I have to say that both of my girls are performers. I don't know if they can dance, but they sure do have some fun in front of a couple of hundred people. Since my boy doesn't play ball yet, I don't know how seeing the girls do their dance numbers will compare to him knocking one out of the park or sacking the QB - but it was really great to see them enjoy themselves in front of the crowd. Yes, one very proud Dad was in the house.

After the big show, we gave the girls some flowers (evidently you are supposed to do that) and they all got ring pops to celebrate. I guess I'll need to budget in some dental fillings, in addition to the endless supply of ballet, jazz and tap shoes and recital outfits for the girls.

Have a great weekend.

Photo: "On Your Toes" originally uploaded by vidguy



Top Security News

Is NIPS finally ready? If no, how about intrusion tolerance?
So what? - It's funny how technologies capture the imagination of the market for years and then they don't. Yet in the real world, especially the mid-market, where budgets and deployments run years behind the media and hype cycles, these technologies keep clicking along. Clearly we don't think too much about network IPS anymore, besides when one vendor makes a wild claim about speed over another. Yet are these things safe for your network? Mike Chapple's SearchSecurity tip tackles that issue and he has some good guidance. Basically, run it as an IDS for a little while so you can tune the rules, then only block the small subset of things you KNOW are bad. How about this newer idea called intrusion tolerance? I'm all for tolerance because the approach focuses on containment, not necessarily on eliminating all attacks. Though this academic approach seems applicable only to the biggest shops (and ISPs) that can afford to pull devices down to reimage them every so often. This kind of perpetual new suit approach is starting to appear in things like virtualized desktops (where a new image is assembled and streamed every time you "boot" the device), so why not with network servers? It's not today, but it may be something to think about, especially for the big shops. Though it's kind of the anti-virtualization technology, since it requires a lot more computing cycles (you are intentionally taking a portion of the engine offline).
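The staged rollout Chapple's tip describes (run the box inline but alert-only, tune for a while, then flip only the signatures you have actually vetted to block) can be made mechanical instead of hand-edited. What follows is an added example, not code from the original post, from Chapple's tip, or from any IPS vendor. It assumes Snort-style rule syntax (`action proto src sport -> dst dport (options; sid:N; ...)`) and a Snort "fast"-format alert log; the rules, SIDs and alert lines are constructed for illustration and are not real signatures. The hit-count gate is the practitioner's caveat: a rule that fired constantly during the IDS period is exactly the one you do not promote to drop without a second look.

```python
"""Staged IPS rollout: count what each rule fired on during the alert-only
window, then promote only vetted SIDs from 'alert' to 'drop'.

Added example (not from the original post or any vendor). Assumes Snort-style
rules and a snort "fast" alert log; all data below is constructed.
"""
import re
from collections import Counter

# Constructed sample ruleset. SIDs 1000001-1000004 are hypothetical.
RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB sql injection probe"; content:"' or 1=1"; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB generic long uri"; content:"GET "; sid:1000002; rev:1;)
alert tcp any any -> $HOME_NET 445 (msg:"SMB noisy rule"; sid:1000003; rev:1;)
# comment line kept as-is
alert udp any any -> $HOME_NET 53 (msg:"DNS benign heuristic"; sid:1000004; rev:1;)
"""

# Constructed alert log from the IDS-mode tuning window ([gid:sid:rev] format).
ALERTS = """\
05/16-09:34:01.000000 [**] [1:1000001:1] WEB sql injection probe [**] {TCP} 203.0.113.5:51234 -> 192.0.2.10:80
05/16-09:34:02.000000 [**] [1:1000002:1] WEB generic long uri [**] {TCP} 198.51.100.7:40000 -> 192.0.2.10:80
05/16-09:34:03.000000 [**] [1:1000002:1] WEB generic long uri [**] {TCP} 198.51.100.8:40001 -> 192.0.2.10:80
05/16-09:34:04.000000 [**] [1:1000003:1] SMB noisy rule [**] {TCP} 192.0.2.50:445 -> 192.0.2.10:445
05/16-09:34:05.000000 [**] [1:1000001:1] WEB sql injection probe [**] {TCP} 203.0.113.6:51235 -> 192.0.2.10:80
"""

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")          # sid option inside a rule
ALERT_SID_RE = re.compile(r"\[\d+:(\d+):\d+\]")     # [gid:sid:rev] in fast alerts
ACTION_RE = re.compile(r"^(alert|drop|pass|log|reject|sdrop)\b")


def count_hits(alert_text):
    """Hits per SID during the alert-only period, keyed by SID string."""
    return Counter(m.group(1) for m in ALERT_SID_RE.finditer(alert_text))


def actions(rules_text):
    """Map SID -> rule action, for checking what a ruleset will actually do."""
    result = {}
    for line in rules_text.splitlines():
        act, sid = ACTION_RE.match(line), SID_RE.search(line)
        if act and sid:
            result[sid.group(1)] = act.group(1)
    return result


def promote_to_drop(rules_text, vetted_sids, hits=None, max_hits=None):
    """Rewrite 'alert' to 'drop' only for SIDs in vetted_sids.

    Everything else (other rules, comments, blank lines) is passed through
    untouched. If hits and max_hits are given, a vetted SID that fired more
    than max_hits times in IDS mode is NOT promoted and is reported instead,
    so a noisy signature cannot slip into blocking mode by accident.
    Returns (new_rules_text, promoted_sids, skipped_sids) in file order.
    """
    vetted = {str(s) for s in vetted_sids}
    out, promoted, skipped = [], [], []
    for line in rules_text.splitlines():
        sid_match = SID_RE.search(line)
        if sid_match is None or not line.startswith("alert"):
            out.append(line)
            continue
        sid = sid_match.group(1)
        if sid not in vetted:
            out.append(line)
            continue
        if hits is not None and max_hits is not None and hits.get(sid, 0) > max_hits:
            skipped.append(sid)        # too noisy in IDS mode; review before blocking
            out.append(line)
            continue
        out.append("drop" + line[len("alert"):])
        promoted.append(sid)
    return "\n".join(out) + "\n", promoted, skipped


if __name__ == "__main__":
    hits = count_hits(ALERTS)
    print("hits per SID during IDS period:", dict(hits))
    new_rules, promoted, skipped = promote_to_drop(
        RULES, vetted_sids={"1000001", "1000003"}, hits=hits, max_hits=1)
    print("promoted to drop:", promoted, "held back for review:", skipped)
    print(new_rules)
```

Run it and only SID 1000003 goes to `drop`; 1000001 is vetted but fired twice against a ceiling of one, so it stays in `alert` and is listed for review, which is the "small subset you KNOW are bad" discipline expressed as a check rather than a habit.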

Companies will miss the PCI deadline? Shocker!
So what? - So PCI DSS Requirement 6 kicks in over the next 6 weeks. Whoop de do. Now merchants are expected to have protected their applications. I mentioned this when the standards council issued a clarification on what Requirement 6 actually means. Yet what's the impact if they get their web app firewalls deployed by July 15? Or that software code review done by September 12? Not a damn thing. That's right. Maybe they'll flub their assessment, but in practice, will they? You don't think many of the QSAs will give a waiver if the plans are already in motion? Especially given the late clarification and the imminent release of the PCI DSS 1.2 spec (planned for October). Of course, there is a situation where it does matter. If there is another high profile breach, then whether the merchant got there by June 30 is very relevant. Especially when the card issuers go for the throat and demand their settlements. For merchants? Keep on keeping on. And hope your day doesn't come between June 30 and whenever you get on target with Requirement 6.

Security bailout?
So what? - I get that my bud Kevin Beaver is venting a bit on his new blog, Security on Wheels. And the billions the US will spend to bail out the bad actors, who have been profiting handsomely for the last 3 years in the mortgage debacle, is nauseating. But is it plausible that the Feds would make it right for consumers who are continually victimized by poor controls and bad information security? I know Kevin is joking here, but let's take a more thoughtful look at the question. Could we fix the issue with a $300 billion investment? I don't think so. You can't buy off stupidity, and the reality is that many (if not most) security breaches are a direct result of stupidity. A firewall and a new laptop for everyone isn't an answer. But it's not like they won't try: the US Feds will allegedly spend $30 BILLION on security stuff over the next 5 years. That's a really big number and I don't think they can digest that much technology and services over that time period. It's like when you eat two ears of corn at your BBQ and your body can't process all the food. You know what happens. You see the corn again in like 16-24 hours. Yuck. But all the same, the Feds may actually spend the money, and I hope they have a lot of shelves for all the shelf-ware that will result.

The Laundry List

  1. CSOs and CEOs at the same table? Mich Kabay covers a new book that talks about why this is important. It's great to see this kind of discussion and topic continuing. We aren't close to it becoming reality, but at least we are talking about it. - NetworkWorld newsletter
  2. Sourcefire blocks the Patch Tuesday attacks. Does anyone care about these stupid monthly releases? Besides their BusinessWire rep? And FIRE isn't the only company that does this, they are just the one I found first... - Sourcefire release
  3. Proofpoint says FU to FTP and targets secure file transfer. Looks like a bit more competition for Tumbleweed. - Proofpoint release
  4. Marshal pinpoints the largest botnet. Srizbi sends 60 billion a day. Hormel is still trying to get their .01 royalty on all those messages. - Marshal release

Top Blog Postings

Tenable continues to push the open source model
You have to hand it to Ron Gula. He has consistently pushed to more effectively monetize Tenable's open source scanner, the ubiquitous Nessus, and yet there hasn't been the predictable backlash that a lot of other "monetization" efforts tend to suffer. First, to be clear, Ron should be monetizing Nessus as effectively as possible. The reality is it's his company's intellectual property and at the end of the day he needs to make some kind of return on that asset. So what's new about the changed licensing model? Basically Tenable has collapsed the 7-day-delayed "free" feed in favor of a new HomeFeed that gets the scanner updates in real time. Of course, you can't use this (legally anyway) in your business. For that you need to buy the ProfessionalFeed, for the same $1200/year that the direct feed used to cost. Ron and Renaud posted a letter to clarify why they are doing this. You can also check out the FAQ to get more details. Basically this is a licensing play and Ron is hoping that more of the folks using Nessus will pay because it's the right thing to do. Even colleges and non-profits, although some charities may be able to get a free ProfessionalFeed. That PO from Mother Teresa is hitting the fax right now. Customers do get some additional capabilities (like compliance checks and support), but ultimately it seems the model is about customers doing the right thing, and for $1200 a year they really should.
http://blog.tenablesecurity.com/2008/05/tenable-updates.html

GRC war, what is it good for?
Absolutely nothin' - say it again! That's right, the Mogull and Shimmy shimmy cocoa puff got into it this week about GRC. Of course, Alan is a lawyer, which means he's picking apart words and looking for nuance. Rich started it with a call that GRC is dead. Alan then pokes at Rich for just copying Stiennon to try to generate some press. Then Rich pokes back and actually makes a pretty well-reasoned argument. So this cooler head (and when have I ever been a cooler head in a blog fight?) basically says Rich is talking about the compliance workflow engines that a lot of vendors are pushing and calling GRC silver bullets. I'm in total agreement, and even wrote a piece on SearchFinancialSecurity.com about it. The basic gist is that really big companies can get value from GRC software because they've got a lot of moving pieces and coordination is a pain in the backside. Smaller companies, probably not so much. Shrdlu weighs in as well and really clarifies things, calling these GRC products "compliance-with-a-dashboard." Awesome. But her point is exactly right, in that risk is variable and credibility is king. If you aren't helping the process, you are hurting it, and thus your life expectancy (as top security pro anyway) is limited...
http://layer8.itsecuritygeek.com/layer8/r-before-c-especially-after-g/

Despair, futility and the right question to ask
It's tough to ask the hard questions, especially of yourself. What happens if the answer comes back and it's not what you want, or what you need? What if it turns your entire world view upside down? Is that a good thing or a bad thing? Since I'm a fan of constantly questioning everything, I figure it won't be long before the answer becomes clear. You can choose to see the writing on the wall or wait for the train to run you over. That rambling preamble is really about Jeremiah asking whether secure software matters at all. Hmmm. Should we even try, since secure coding really only ensures we don't get nailed by the stuff we know about? Double hmmm. Basically, it's about low hanging fruit and containment. Jeremiah is exactly right that you can't catch everything. But most of the attackers out there are looking for the low hanging fruit: easy SQL injection or XSS vulnerabilities, and there are hundreds of thousands of vulnerable sites to choose from. Make sure yours are not on that list and you should be OK. Until you aren't, and that's where containment comes into play. It will happen to you, so you should be ready. If anything, asking this kind of question reinforces my world view. So I'm glad it was asked.
http://jeremiahgrossman.blogspot.com/2008/05/does-secure-software-really-matter.html
