The Daily Incite - May 17, 2007

Submitted by Mike Rothman on Thu, 2007-05-17 07:57.
Today's Daily Incite

May 17, 2007 - Volume 2, #81

Good Morning:
For a guy who flies quite a bit and lives in a city with the busiest airport in the world, if you asked me two days ago I'd have said that Hartsfield is no big deal. Sure it's a bit crowded, but it's nothing like O'Hare or LAX. Or so I thought. Basically, I forgot that I tend to fly at off-hours, either very early in the morning or late at night. I am usually spared the crowds and mayhem and general misery that represents flying either out of or through Atlanta.

Take a mental note. Do not fly out of Hartsfield on a Wednesday afternoon. I figured it wouldn't be a big deal. I know that Monday mornings are pretty nutty, even Monday afternoon. But Wednesday? It seems Wednesday afternoon is the busiest time for airport parking. Who knew? Basically, there was no parking. As in zero. Nada. Zilch. Absolutely none on the airport grounds. So I went to Plan B - off-site parking. And oh crap, I've got about 70 minutes before my flight.

Evidently, I wasn't alone in this idea of off-site parking. Of the 7 or 8 different lots off the airport grounds, the first 6 were full and not taking new customers. Oh, did I mention I now had less than an hour before my flight? I actually had left plenty of time, if parking was normal. But it wasn't. So I went to the 7th lot and luckily got a spot. I think it was somewhere near Tennessee. So with about 45 minutes before my flight, I get on the shuttle bus and basically resign myself to missing the flight, blowing dinner with a friend, and hoping I could get a spot on a later flight.

It was actually pretty liberating. Normally, my acid reflux would be in overdrive, chewing away at my esophagus every time we hit a little traffic. But I figured there was no way I'd make the flight, so it wasn't a big deal. Some other folks were panicked and getting all hot under the collar, but not Cool Hand Mike. I figured I'd park outside of the Crown Room for a while and jump onto the WiFi, while I waited for the later flight.

Now I was flying a pretty low traffic route (ATL to Columbus, OH), so I got an upgrade. I get into the 1st class security line and skip most of the traffic through security. Hmmm. 30 minutes to go. The kind lady checking IDs asked how I was and I joked "I'll know in about 30 minutes." She laughed and said I wouldn't have a problem. That's kind of interesting, maybe I'd make the flight after all. A quick stroll through security, which is clearly an oxymoron but for once the queues worked and it also helped that they had about 10 lines open - not the typical 2 when I normally fly, and I was off to my gate. 20 minutes and counting.

The train shows up right as I step off the escalator and my gate is right by the middle of the terminal. It seems the stars aligned because you NEVER get through security and to your gate in 20 minutes. So I settled into my seat at the front of the bus with about 12 minutes to spare and I wasn't even sweating. I kind of like the happy-go-lucky approach. I felt zero stress about the flight and I ended up making it with some time to spare. It was a pleasant departure from my normal Type A self-imposed stomach grinding stress. I could get used to this.

Finally, a big congrats to my friends at TechTarget. They priced their IPO yesterday and presumably will start trading sometime today. As META's CEO Dale Kutnick said the day we went public, "This is not the end, it's the beginning of the next phase of the company." But in this kind of environment, building the 4th tech media company is a great accomplishment. Let's just hope you have a better handle on your first couple of quarters than SourceFire or Guidance. Now with all that money, I assume we'll be doing a bunch more webcasts, RIGHT?!?!?!?

Have a great weekend and I'll see you on Monday.



Top Security News

Is security integral to everything?
So what? - Despite Network Computing editor Art Wittmann's best case, security is usually an afterthought to pretty much everything. In his weekly NWC column, Art points to a few security related stories in this week's book (I linked to the application security overview yesterday), as well as some data about Network Access Control implementations. Unfortunately you still have a pretty significant number of IT professionals that continue to pay lip service to security. You can't say it's not important - that would be heresy. But when you see budgets leveling out and being questioned more stringently, and CSOs having their feet held to the fire about delivering measurable change - it needs to remind us that security is still overhead, a cost of doing business. You may be tiring of me flogging my own research (what else can I do? I really believe it), but that's why a Pragmatic approach is so important. Security needs to be integral to technology-enabled business decisions and the only way to get there is to talk business to the business people. And no number of NAC deployments is going to get you there.

Road Warrior Safety
So what? - I was very interested in this article called "Safe Computing on the Road" on TheStreet.com by Russell Vines because I was hoping to maybe pick up a tip or two. Though I do this stuff for a living, I don't ever think I know all the answers. Sure I mitigate my risk (Mac OS X, PersonalVPN, No saved passwords, No POP or IMAP, etc.), but I know there is always something else I could do. So the grand advice here? Follow your policies. Huh? I guess that is supposed to remind folks that there is a policy and they should follow it. I get this is an investor-type crowd, but duh! Most companies should have some kind of endpoint security suite to ensure the policies are followed. Another is security software. Double duh! Given that the last survey I saw said 99% of mid to large enterprises have fully deployed AV, not sure this adds much value. The final two tips were basically not to use a public computer and I agree with that. Unless you can connect to a virtual machine, like a Citrix or maybe GoToMyPC (which I use as well) - I don't think public computing is worth the risk. It's very hard to check for keyloggers or other Trojans and even if you clean out the cache, you definitely leave tracks. So this article was mostly useless, and reminds me that it will be years before I can shelve my laptop. Now if only Apple would introduce an ultra-light device...

The death of the MSSP is greatly exaggerated
So what? - With the acquisition of CyberTrust this week by Verizon, the talk is starting again about the death of the MSSP. This latest example is on the CSO site. There are only a handful of pure-play MSSPs of size that are left (Perimeter and SecureWorks come to mind), but does that mean the idea of an MSSP is dead? Nope, not a chance. But you'll continue to see a bifurcation in that market. The big are, well, the big. Mostly carriers, these guys are going to add security to the price of bandwidth. And they should, it can help them maintain margins, eat their own dog food, and provide a "clean pipes" oriented service. More sophisticated services, like large scale project integration and incident response will largely be lost in a carrier, who basically get how to move bits around. And you'll continue to see a lot of small VARs get into the managed security game. Driven by PCI into the lower regions of the market, these folks can tack up a scanner and an email/web filtering gateway and they are in business. The customer won't know the difference about real security, so that will play pretty well - but only at the low end. And even the folks in the middle (not really big, but not really small either) will continue to grow, but not exponentially and eventually they will be subsumed by larger players.

The Laundry List

  1. Where do they get this crap? Evidently, McAfee's money was green enough to get Infonetics to publish that NIPS can save a company $30 million by eliminating downtime. They can save $1 billion by unplugging their network. Of course, they wouldn't sell much stuff, but never mind. - McAfee press release
  2. Changes to Patch Tuesday. Not so much, Microsoft is just adding their opinion of criticality, so the automatons that just want to be told what to do can get their priority list. - SearchSecurity coverage
  3. PCI in a box? Just ask Forum. And no, I don't believe you get compliant by implementing an XML security gateway. - Forum Systems press release
  4. Lockdown looks at Syslog for policy triggers for remediation. Hmm. Tell me again that NAC isn't everything network security. - Lockdown press release

Top Blog Postings

Innovative awareness
Rebecca Herold is ranting a bit about security awareness in this post, and she is right. Awareness does help and it's those small minded folks that can't understand the number of touches, influences, and yes technical safeguards that are required to secure an environment. They figure, users are stupid - so we'll just save them from themselves. Sounds pretty arrogant to me. It's those users that pay your overhead, Mr. Arrogant Security Dude. (I don't see too many arrogant Ms. Security Dudettes). Rebecca also talks about a program she ran in a past life, that included of all things - a real artist. Security awareness is more like marketing than it is like technology, and that's a hard thing for many technically-oriented security folks to grok. Yes, you need to sell your program, so you are in sales. And yes, you also have to market your wares to the consuming public (your user base). And you thought getting to sit in the CSO (or senior security) role was going to be about technology. Think again amigo.
http://www.realtime-itcompliance.com/training_awareness/2007/05/information_security_privacy_a.htm

Should you care about your web site reputation?
Dan Sullivan uses Secure Computing's announcement this week of a domain reputation checking service to discuss whether you should care or not. The big innovation from Secure? Actually it doesn't seem like anything, besides a PDF generator attached to their TrustedSource.org site. And they collect your email address. Since they don't specify what they are going to do with my address, I passed on trying out the service. So basically this is a lead gen program. But more to the point, will this help you? I'm all for more data rather than less data, so from a voyeuristic standpoint - I think this information is interesting. But I'm not sure it's going to tell me anything besides maybe that an owned site is running on the shared server at my hosting provider. And I care about that why?  
http://www.realtime-websecurity.com/articles_and_analysis/2007/05/driveby_malware_and_web_site_i.html

Frameworks are good - but what do you do?
Cutaway makes an interesting point in this post about frameworks and implementation. Unfortunately there is very little information to correlate the two. So Cutaway took some initiative and started mind-mapping out what 17799 means to his organization. That's a good start, but it highlights the difficulty in dealing with frameworks. Most folks look at a framework as a cookbook. Put in 1 cup of this, 2 pinches of that, a half a smidgen of the other thing and BOOM - you are secure. Well, not so much. You need to figure out how the framework will be applicable to your environment. Then you have to figure out how you culturally get folks where they need to be. Then maybe you think about controls and other techno-goodies that can help get the job done. A cookbook it ain't, but a starting point it is. I'm all for frameworks, just start the process with your eyes open.
http://www.cutawaysecurity.com/blog/archives/144


Submitted by SamVR (not verified) on Thu, 2007-05-17 09:11.
Your post on this is spot on. I see a lot of movement in VARs trying to not only differentiate themselves from their competitors, but also increase margins, which can really only happen with services. What's more, the large MSSPs don't care about the SME market, so these are greenfields for them. The problem lies within the VAR's capabilities of structuring the offering and providing a level of security knowledge to help their customers feel comfortable with this type of service. Just to "tack up a scanner and an email/web filtering gateway" isn't as easy or inexpensive as it sounds in practice (just ask anyone who is part of the MSP Alliance).
