The Daily Incite - May 19, 2008

Submitted by Mike Rothman on Mon, 2008-05-19 10:45.
Today's Daily Incite

May 19, 2008 - Volume 3, #48

Good Morning:
As I mentioned on Friday, the school year is rapidly winding down. Here in the south of the US, we end the school year in late May and then camp starts right after Memorial Day. Yes, when you live on the surface of the sun you try to keep the kids inside during the dog days of August.

One of the other rituals that mark the end of the year is Olympic Day. Those are the athletic competitions for each grade. My daughter's school really goes all out, having a full "opening ceremony" that precedes two days of the games. They have a parade and all the kids get t-shirts showing their respective countries.

I guess my kid's teacher drew the short straw because they are Portugal this year. Nothing against Portugal, but it's not like you get that many world-class athletes there. Name one top tier hula-hoop star from Portugal. I dare ya! What about the wet sock toss? Yes, they have some strange games in these Olympics, but they could be stranger. I guess in other parts of Georgia they have the shooting events, but not where I live.

Being the good Dad, I got to the field early to stake out a good position. They were kind enough to set up flags for all the teams, so you'd generally know where your kid was going to stand. But I have a bit of a problem. What the hell does Portugal's flag look like? So I look at a bunch of different ones, like Mexico and Italy and Korea and even Bangladesh. How embarrassing. I'm going to miss out on a prime spot because I don't know what Portugal's flag looks like.

Let's start thinking about excuses I can tell the Boss. Hmmm. I got lost on the way to the field? Nope, that one won't fly. I had to go potty? Not likely. I got mugged getting out of the car? Thankfully no, not really in my neighborhood. I guess I'll just suck it up and be ridiculed at least for the next 12 months until I can redeem myself.

Then the light bulb went off in my head. The Internet. HA! So I whip out the iPhone and do a quick Google search and there it is in all its weird green and red beauty. Once again the iPhone saves the day. The device has already paid for itself in angst avoidance.

Have a great day.

Photo: "Kids Get Olympic Fever" originally uploaded by alokemon



Top Security News

Ah, how about being relevant?
So what? - It's definitely a sign of the times when the tech books start talking about survival skills to deal with shrinking budgets. I'm a big fan of adversity. Not for me, of course. But for everyone else. All kidding aside, I do think we learn a lot more when times are tough than when you get carte blanche to do whatever you want. Now is one of those times. So what does SearchFinancialSecurity think folks can do to weather this economic downturn? Focus on low-cost activities, articulate business value and do some career management. Normally I'd beat down the piece for being so damn obvious, but actually that's exactly the pragmatic type of message that we need to be focusing on as an industry. Don't spend a lot of money if you don't have to. Duh! If you can't justify your existence in the language that your bean counters understand (yes, that means dollars and cents), then you don't have much of a future - now do you? And finally, career management is a no-brainer. And that doesn't just mean managing up and maybe looking to broaden responsibilities. It also means networking in your area and maybe looking at external opportunities. If your business tightens its belt to the point you can't be successful, then hopefully you have a Plan B to find a place where you can be. Overall, it's about relevance. Either security adds value to the business process or it doesn't. And if it doesn't, you better dust your resume off - you'll need it sooner rather than later.

What about "everything is vulnerable" didn't sink in?
So what? - In what was a pretty slow news week, everyone was a bit aflutter about the folks from Core Security building a rootkit for Cisco's IOS that can cause some pretty significant damage. And routers kind of run a little thing called the Internet, so having a bunch of them pwned is a bit problematic. That's the bad news. The good news is that the attack isn't weaponized yet: the rootkit is a payload, not an exploit, so without some way to get it onto the router (a separate vulnerability, stolen credentials or a tampered image), it's not going to do a lot of damage. Folks, look to your left. Do you see the writing on the wall? Right, it's just a matter of time before this is weaponized and some routers will start going down and traffic will be misdirected and a lot of folks will gnash their teeth. But I assure you, the sun will rise, the transactions will continue, and most people won't even know the difference. Yet, it is a constant reminder that everything is open to attack and if smart folks focus long enough, they are going to figure it out. Another interesting sub-story will be whether Cisco wields the legal big guns and threatens all sorts of nastiness before the talk (Mike Lynn anyone?). Maybe they learned their lesson from that Black Hat fiasco, but most likely not.

The Laundry List

  1. Whoops. VeriSign gets to reissue lots of certificates after a flaw in Debian's OpenSSL package left its random number generator with almost no entropy, so the key pairs it produced came from a small, predictable set that anyone can enumerate. A key generated on an affected box is weak no matter how long it is, and the only fix is to generate a new one on a patched system and revoke the old one. We just take it for granted that these encryption key pairs can't be broken. Taking things for granted remains pretty dangerous. - VeriSign release
  2. MailChannels adds a plug-in to SpamAssassin to add some connection management to the systems. I guess lots of folks use SpamAssassin, but given the price of some of these services, I'm not sure why. - NetworkWorld coverage
  3. Web-based malware continues to grow, according to ScanSafe. I guess fraud never goes into a recession. - ScanSafe release
  4. Secure Computing and Sourcefire do their earnings calls last week. The transcripts show not much interesting, besides only 4 analysts showing up for FIRE's. Ouch. SCUR smoked them with 11. - FIRE transcript SCUR transcript
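The Debian item above is worth a concrete look, so here is an added example (my own code, not anything from the newsletter, Debian or OpenSSL) that simulates a key generator whose only entropy is the process ID. Instead of real RSA it derives a 256-bit secret from the seed with SHA-256, which is an assumption made so the whole weak space can be walked in well under a second; the point is the same as with the real flaw: a seed space of 32,768 values means an attacker can precompute every possible key, match a public fingerprint against that table and recover the private half, and a defender can build a blacklist the same way. The 15-bit PID range and the fingerprint format are constructed for the example.

```python
"""Simulated low-entropy key generation: enumerate the weak space, build a
blacklist, and recover a private secret from a public fingerprint.

Added example. Not the Debian/OpenSSL code, and not a real RSA generator:
the 'private key' is SHA-256(seed) so the demo is fast and offline.
"""
import hashlib
import os

# Assumption: the broken generator's only varying input is a 15-bit process ID.
PID_MAX = 32768


def weak_secret(pid: int) -> bytes:
    """Toy 'broken PRNG': the secret depends on nothing but the PID."""
    if not 0 <= pid < PID_MAX:
        raise ValueError("pid out of range")
    return hashlib.sha256(b"weak-prng-seed:" + pid.to_bytes(2, "big")).digest()


def good_secret() -> bytes:
    """What the generator should have done: draw from the OS CSPRNG."""
    return os.urandom(32)


def fingerprint(secret: bytes) -> str:
    """Stand-in for a public-key fingerprint: a hash of the (public) key material.
    Here the secret itself is hashed, which is fine for a simulation because
    the fingerprint is still a one-way function of the key."""
    return hashlib.sha256(b"fingerprint:" + secret).hexdigest()[:16]


def build_weak_index() -> dict:
    """Walk every possible seed once; this is how a weak-key blacklist is made."""
    return {fingerprint(weak_secret(pid)): pid for pid in range(PID_MAX)}


_WEAK_INDEX = build_weak_index()   # ~32k hashes, a fraction of a second


def is_weak_key(secret: bytes) -> bool:
    """Defender's check: is this key one the broken generator could have produced?"""
    return fingerprint(secret) in _WEAK_INDEX


def recover_secret(public_fp: str):
    """Attacker's side: given only the public fingerprint, find the seed that
    produced it and regenerate the private secret. Returns None for strong keys."""
    pid = _WEAK_INDEX.get(public_fp)
    return None if pid is None else weak_secret(pid)


def weak_space_size() -> int:
    return len(_WEAK_INDEX)


if __name__ == "__main__":
    victim = weak_secret(4242)
    print("weak space size:", weak_space_size())
    print("victim key flagged as weak:", is_weak_key(victim))
    print("private secret recovered from public fingerprint:",
          recover_secret(fingerprint(victim)) == victim)
    print("fresh CSPRNG key flagged as weak:", is_weak_key(good_secret()))
```

The lesson for anyone who ever touches key generation: no amount of key length compensates for a seed that an attacker can enumerate, and the only remediation for keys already issued is to regenerate them on a fixed system and revoke the old ones, which is exactly what VeriSign is doing.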

Top Blog Postings

The root of all evil: "Average Deal Size"
On Friday I talked about the futility of blog wars dealing with GRC. Yet, I need to revisit that topic because a friend of the Mogull (let's call him Mr. X) jotted down some thoughts that are right on the money about why there will always be GRC-like markets and even when GRC goes away (and it will), there will be something else to take its place. Per usual, the issues originate in the funding model for most technology companies today. At some point, someone decided it was just as easy to sell a million dollar deal as it is to sell a $10,000 deal. So every company starts life as an elephant-hunter, looking for the big game that will keep their investors happy and bring new money to the table. Thus, these folks build businesses around huge average deal sizes. Some work, but many don't. And Mr. X's point that selling twice as much at a lower deal size is not only a problem but actually hurts valuation? Talk about fuzzy math. Personally, I like the idea of selling a little bit to a lot of companies. But VCs hate it. And until they learn to embrace the idea of smaller deal sizes in the mid-market, nothing is going to change. I expect the latter, but as long as the pension funds and endowments keep the VC tills full up, there really isn't an incentive to change. Don't get me started on that.
http://securosis.com/2008/05/14/grc-average-deal-size-and-the-dangers-of-venture-capital/

Yes, IT needs to learn about security
AndyITGuy has been pretty quiet lately. I guess he's like doing security or something. But last week he posted an interesting rant about the need for general IT folks to actually think about security and learn about security and appreciate why securing their stuff is a good thing to do. Well my friend, begging and pleading and even trying to appeal to their rational sides isn't going to cut it. I've been working with people for years that continue to struggle with getting credibility even within the IT group. I probably say the same thing over and over again, but here goes: You earn credibility by doing what you say you are going to do. Sitting in those meetings and pinpointing issues that the IT guys have missed is valuable, but it's not the point. The point is to get into the flow WELL before deployment details are being discussed. The earlier folks start to think about security, the more likely serious issues will be avoided. Now the next task for the security folks? Cloning. That's right. If all the IT folks actually took us up on our offers to be involved, we'd need clones to keep up with the demand. Either that or fembots.
http://andyitguy.blogspot.com/2008/05/life-through-eyes-of-security-geek.html

The rules for change management
Bozidar from Macedonia talks a bit about his "8 Golden Rules of Change Management" in this post, and there is some good stuff in here. Like try not to change everything at once (so you can isolate potential issues more effectively) and run test scenarios before you commit to a change. You also want to assign responsibility (read: accountability) to a person, so you know whom to choke if the e-commerce systems go down. These rules are fine, but let's bring the discussion up a level. Ultimately, change management and how well you do it has a dramatic impact on your success. If you have a 40 page process to install a patch, your users will deem you unresponsive. But if you don't have a formal process, then your users will figure you are unreliable when the data center goes down for the 20th time this month. So yes, there must be something in the middle. Automation can certainly help, but making sure you have a fall back position and can quickly respond in the event something does go wrong will save your bacon.
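To make the "something in the middle" concrete, here is an added example (my own code, not from the Daily Incite or from the shortinfosec.net post) of the minimum a lightweight change process should automate: one setting per change, a named accountable owner, a snapshot taken before anything is touched, a verification step, and an automatic return to the snapshot when verification fails. The target is a constructed in-memory config dict and the health check is made up; in real use `verify` would probe the actual service and `apply` would push to the device or host.

```python
"""Apply/verify/rollback wrapper for small, accountable changes.

Added example. The config dict, the Change fields and the health check are
constructed for illustration; they are not anybody's production tooling.
"""
import copy
from dataclasses import dataclass, field
from typing import Any, Callable, Dict, List


@dataclass
class Change:
    ticket: str      # reference in the change log
    owner: str       # the accountable person (rule: someone owns every change)
    key: str         # exactly one setting per change (rule: don't change everything at once)
    new_value: Any


@dataclass
class ChangeLog:
    entries: List[str] = field(default_factory=list)


def apply_change(config: Dict[str, Any], change: Change,
                 verify: Callable[[Dict[str, Any]], bool],
                 log: ChangeLog) -> bool:
    """Apply one change; keep it only if verify() passes, else restore the snapshot."""
    snapshot = copy.deepcopy(config)        # fall-back position, captured first
    config[change.key] = change.new_value
    if verify(config):
        log.entries.append(f"{change.ticket} {change.owner}: "
                           f"{change.key} -> {change.new_value!r} OK")
        return True
    config.clear()
    config.update(snapshot)                 # roll back in place
    log.entries.append(f"{change.ticket} {change.owner}: "
                       f"{change.key} -> {change.new_value!r} FAILED, rolled back")
    return False


def apply_batch(config: Dict[str, Any], changes: List[Change],
                verify: Callable[[Dict[str, Any]], bool],
                log: ChangeLog) -> List[bool]:
    """Apply changes one at a time and stop at the first failure, so the
    culprit is the last entry in the log rather than one of ten suspects."""
    results = []
    for change in changes:
        ok = apply_change(config, change, verify, log)
        results.append(ok)
        if not ok:
            break
    return results


def healthy(cfg: Dict[str, Any]) -> bool:
    """Constructed health check standing in for a real post-change test."""
    return (cfg["tls_min_version"] in ("1.0", "1.2", "1.3")
            and cfg["max_connections"] <= 500)


def demo():
    config = {"tls_min_version": "1.0", "max_connections": 100}
    log = ChangeLog()
    changes = [
        Change("CHG-101", "alice", "tls_min_version", "1.2"),   # passes
        Change("CHG-102", "bob", "max_connections", 1000),     # fails the check
        Change("CHG-103", "carol", "tls_min_version", "1.3"),  # never attempted
    ]
    results = apply_batch(config, changes, healthy, log)
    return config, results, log


if __name__ == "__main__":
    cfg, res, lg = demo()
    print(cfg, res)
    print("\n".join(lg.entries))
```

The snapshot-and-verify loop is the part worth keeping even when everything else about the process is informal: it is what turns "the data center went down again" into "CHG-102 by bob failed and was reverted in under a minute."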
http://www.shortinfosec.net/2008/05/8-golden-rules-of-change-management.html