The Daily Incite - May 8, 2007
May 8, 2007 - Volume 2, #75
Good Morning:
Have you ever noticed that some folks just have a very high opinion of themselves? These folks don't think twice about telling their life story to the guy three seats down in an airplane, basically yelling so the rest of us are subjected to the drivel. Now I'm glad this dude is so content with himself to think anyone cares, but at least do it at a manageable decibel level. When you are way louder than the engines on a 767, maybe it's time to get those ears checked.
Praise Steve Jobs and my iPod and noise-isolating headphones. Ray Charles (Genius Loves Company) was a pleasant diversion from the life story of that jackass. That brings up a big thing about self-esteem. Some call it confidence, others (pretty much those that don't have it) call it arrogance. It's pretty much a swagger in the way you carry yourself. It's something that is very hard to teach.
Another little aside, on the drive home from the airport on Sunday - I passed a beautiful black Ferrari convertible. Huh? Me in my Acura passing a Ferrari? You bet, the dude was going 55 in the middle lane. All that horsepower - going 55 in the middle lane. Besides it being somewhat hazardous, since no one in Atlanta drives 55, it was all about the show. That seems to be self-esteem run a bit amok, once again. Maybe it's just me and my security mindset - but I don't want anyone to know what I do, how much I have, etc. Sure, I buy things to make my life and that of my family comfortable - but showy displays of wealth just aren't my style.
Back to self-esteem. This week, I figure I'll give some managing-people tips from all the times I screwed that up. I don't believe in a one-size-fits-all management style. Some folks need to be built up (those with low self-esteem), while others need to be put in their place at times. Some want to be micro-managed and others don't want to see you until the project is done or they run into a problem. You aren't going to change folks, so you need to figure out the best way to manage them.
That is, if you care. To be clear, if you don't, head back into the technical side of things. Your firewall and IPS don't need any motivation, and they don't care about your latest exploits in your Ferrari going 55 in the middle lane. But that is some folks' comfort zone, and who am I to say it's bad? Just don't make the mistake of thinking you'll be successful as a manager. Technical skills don't mean crap when you are managing people.
Have a great day.
Technorati: Information Security, CSO
The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com | Pragmatic CSO Bootcamp Maiden Voyage June 6 in Atlanta Sign up Now! Only 10 slots (and they are filling fast)
Top Security News
Change is hard, but Pavlov was right
So what? - Roger Grimes rants a bit in his InfoWorld column about why people fight changes that improve security. He uses a few examples, like folks who don't do simple things (like password-protecting their screen saver) or patch when a vulnerability exists. It's all about the pain. These folks don't feel the pain, so they aren't willing to make whatever change is necessary. And unfortunately, your words will ring hollow when you describe the pain and tell them how much it will hurt. Some folks just have to experience it for themselves. So let them. That's right, I said to let them fall on their sword - ONCE. Hopefully, once they have some major issue and it takes them a long time to clean it up and they take a shot to their credibility, they'll get it. If they live to fight another day, then they will likely be much more willing to chat about good security practices. I guess I still subscribe to the teachings of Pavlov - let them fry a bit and then help them learn from the pain.
You don't have to block encrypted zip files
So what? - A few weeks ago, I talked about the need to block things like encrypted zip files at the gateway. I got a virtual earful from some practitioners about how it would be too hard to teach employees to use more secure methods of file transfer, so they have to accept encrypted zip files. Good for them, but you need to budget in some time to clean up the mess. My position is clear. Block encrypted zip files at the gateway. If you needed any more reminders about why this is important, this InfoWorld article should do the trick. The Storm Trojan, hidden in an encrypted zip file, makes your perimeter defenses moot. Again, you can choose to allow the files through, but then you had better have some top-flight user security training, so they know what they should open and what they shouldn't.
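As an added example that is not part of this newsletter or the InfoWorld piece it cites, here is a small Python check of the kind a gateway filter could apply to an attachment body. It parses the ZIP central directory directly, rather than trusting the sender's description, and flags any entry whose general-purpose flag bit 0 (traditional PKZIP encryption) is set or whose compression method is 99 (the WinZip AES marker). The sample archives are constructed inline; because Python's zipfile module cannot write encrypted archives, the "encrypted" sample is a plain archive with its header flags patched, which is enough to exercise the metadata check. Function and constant names are my own.

```python
import io
import struct
import zipfile
from typing import Dict, List

# Record signatures and field values from the PKWARE ZIP application note.
LOCAL_SIG = b"PK\x03\x04"
CEN_SIG = b"PK\x01\x02"
EOCD_SIG = b"PK\x05\x06"
ENCRYPTED_FLAG = 0x0001   # general-purpose flag bit 0: entry is encrypted
AES_METHOD = 99           # WinZip AES marker in the compression-method field


def encrypted_entries(data: bytes) -> List[str]:
    """Return the names of entries whose central-directory header marks them encrypted.

    Raises ValueError for anything that is not a (non-ZIP64) archive, so the
    caller can decide separately what to do with non-zip attachments.
    """
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0 or len(data) - eocd < 22:
        raise ValueError("not a ZIP archive: no end-of-central-directory record")
    # EOCD: sig(4) disk(2) cd_disk(2) entries_on_disk(2) entries(2) cd_size(4) cd_offset(4) comment_len(2)
    _, _, _, _, n_entries, _, cd_offset, _ = struct.unpack("<4sHHHHIIH", data[eocd:eocd + 22])
    if n_entries == 0xFFFF or cd_offset == 0xFFFFFFFF:
        raise ValueError("ZIP64 archive: not handled by this example")
    names = []
    pos = cd_offset
    for _ in range(n_entries):
        if data[pos:pos + 4] != CEN_SIG:
            raise ValueError("corrupt central directory")
        # Central header: sig(4) ver_made(2) ver_need(2) flags(2) method(2) time(2) date(2)
        #   crc(4) csize(4) usize(4) name_len(2) extra_len(2) comment_len(2) ... (46 bytes fixed)
        flags, method = struct.unpack("<HH", data[pos + 8:pos + 12])
        name_len, extra_len, comment_len = struct.unpack("<HHH", data[pos + 28:pos + 34])
        name = data[pos + 46:pos + 46 + name_len].decode("utf-8", "replace")
        if flags & ENCRYPTED_FLAG or method == AES_METHOD:
            names.append(name)
        pos += 46 + name_len + extra_len + comment_len
    return names


def gateway_verdict(attachment: bytes) -> str:
    """Policy wrapper (hypothetical): block archives with any encrypted entry."""
    try:
        hits = encrypted_entries(attachment)
    except ValueError:
        return "not-a-zip"
    return "block" if hits else "allow"


def make_zip(entries: Dict[str, bytes]) -> bytes:
    """Constructed sample: build a plain, unencrypted archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, payload in entries.items():
            zf.writestr(name, payload)
    return buf.getvalue()


def mark_encrypted(data: bytes, aes: bool = False) -> bytes:
    """Constructed sample: set the encryption flag on every local and central header.

    The entry data is left as-is (it is not really encrypted); only the header
    metadata a gateway would inspect changes. With aes=True the method field is
    also rewritten to 99, the way WinZip AES archives are marked.
    """
    out = bytearray(data)
    for sig, flag_off, method_off in ((LOCAL_SIG, 6, 8), (CEN_SIG, 8, 10)):
        pos = out.find(sig)
        while pos >= 0:
            flags = struct.unpack_from("<H", out, pos + flag_off)[0] | ENCRYPTED_FLAG
            struct.pack_into("<H", out, pos + flag_off, flags)
            if aes:
                struct.pack_into("<H", out, pos + method_off, AES_METHOD)
            pos = out.find(sig, pos + 4)
    return bytes(out)


# Constructed inputs: a two-entry plain archive and the same archive with encrypted headers.
PLAIN_SAMPLE = make_zip({"report.txt": b"quarterly numbers", "notes.txt": b"call back on Monday"})
ENCRYPTED_SAMPLE = mark_encrypted(PLAIN_SAMPLE)

if __name__ == "__main__":
    print("plain:", gateway_verdict(PLAIN_SAMPLE))          # allow
    print("encrypted:", gateway_verdict(ENCRYPTED_SAMPLE))  # block
    print("flagged entries:", encrypted_entries(ENCRYPTED_SAMPLE))
```

The check only reads headers, so it costs nothing per attachment and does not need the password. A real gateway filter would also have to recurse into archives nested inside other archives and handle ZIP64, which this example deliberately refuses rather than silently passing.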
Welcome to another edition of Patch Tuesday
So what? - Not being in an operational role, sometimes I forget the run-rate activities that make up the bulk of the day. This being the second Tuesday of the month, it's the wonderful monthly ritual known as Patch Tuesday. Microsoft is formally fixing the DNS issue and a bunch of other fairly minor stuff. You can check out SC Magazine's coverage for a few more details. But as opposed to going through the motions (test, patch, repeat), maybe in this light month, take a look at your process. Do you test enough? Maybe too much. Would it be easier to deploy a tool? Is a patching tool enough, or should you be looking at a configuration management engine? You should always be trying to improve the system and the process. Then you'll have time to focus on the things you really need to get done.
The Laundry List
- 25% don't secure wireless. Long live Jericho. Too bad these folks don't seem to know they are obviating their perimeter. - Dark Reading column
- No slowing the malware train. In this month's stats round-up, spam volumes explode and web attacks predominate. Starting to feel like Groundhog Day. - Postini press release SonicWALL press release Fortinet press release
- TripWire still standing after 10 years. Is that something to celebrate? - TripWire press release
- In the maybe-better-late-than-never files, Secunia enters the vuln scanning game. Leveraging their alerts database is a bit different, though not unique. - Naraine blog post
Top Blog Postings
Is your webmail owned?
This is a great tip from Jeremiah about how to see if your webmail is owned. It's so simple, it's stunning and I'm sure it will work. Kind of like putting a fresh piece of cheese in the mouse trap. There is no way the mouse would be able to resist and then you know you've got a problem. And given the prevalence (and convenience) of webmail, it's a good idea to keep tabs on it. I don't do anything of a sensitive nature in my Yahoo account, but all the same - this is a great idea and I'll be doing it sometime this week. Thanks Jeremiah!!!
http://jeremiahgrossman.blogspot.com/2007/05/how-to-check-if-your-webmail-account.html
Oh crap, I forgot to...
LonerVamp makes a list of 7 things that sysadmins forget to do. It's bad to "forget" to eliminate a former employee's access rights. Though not all of these forgets have to do with technology. Things like knowledge transfer and courtesy also make the list. Though every item here is a good point, the list is kind of disjointed, without a real theme. There are lots of other things that folks forget to do (like test a new firewall rule set), but any list that reminds you of stuff you should be doing is a good thing. Remember, security is a process, not a product - and if your processes are not well defined and managed to, you will forget things as well - and it will be bad.
http://www.terminal23.net/2007/05/seven_things_sysadmins_forget.html
Are we ready for clean pipes?
Looks like Chris Hoff is back from wherever he was, since he's unleashed a few long posts over the last day or so. This one deals with clean pipes. Chris does a fairly detailed analysis of whether services that promise security from a carrier will ever happen. Basically, it seems that EMEA is far ahead of the rest of the world in dealing with these issues. And they kind of have to be. With the privacy laws over there and the need to protect data as more of a lifestyle than a regulatory mandate, the carriers are doing the right thing and adding security to the pipe. Will it happen in other parts of the world anytime soon? Probably not; I agree with Chris there. These folks are bit haulers through and through, and getting them to understand (and be able to sell) a higher-value clean-pipe type of offering is way beyond them. I do think it's the right thing to do, but they aren't getting there anytime soon. That being said, even if a carrier offers me all sorts of security - I STILL DO MY OWN THING. Maybe less of it, or I focus more heavily on security monitoring, but if you think I'm trusting everything to someone that is not me - you are nuts. It will be YOU, not the service provider, in the CEO's office if something goes down.
http://rationalsecurity.typepad.com/blog/2007/05/clean_pipes_les.html
Recently on the Security Incite Rants Blog
Check out the latest on the Security Incite blog
http://blog.securityincite.com/
Read the most recent Daily Incite
http://securityincite.com/security-incite-rants/daily-incite