The Daily Incite - November 5, 2007
November 5, 2007 - Volume 2, #150
Good Morning:
You ever have one of those weekends where you blink your eye and it's over? Yeah, this past weekend was like that. It all started with the Boss and I heading into the big city (if you consider ATL a big city) to see Ben Harper at the "Fabulous Fox Theater." Don't tell me you've never heard of Ben Harper. He's one of my favorites. And to see him live is really an experience. His band, the Innocent Criminals, are very tight and his voice is a powerhouse. It's also very cool to see a maestro play the slide guitar.
It was our second time seeing Harper and we'll keep going back every time he's in town. Yes, he's that good live. The Fox provided a more intimate setting (he's playing theaters on this tour, as opposed to sheds or arenas), and although the acoustics of a theater are much better - there was a downside. It seems that everyone likes to talk during a concert. I mean EVERYONE. The acoustics of the theater carried everyone's conversations pretty much everywhere. I guess I'm getting old because it annoyed the crap out of me.
Yet from all the stumbling and bumbling 20-somethings we saw in the audience, a good time was had by all.
Then Saturday was all about Leah's birthday party. 20 girls doing a Libby Lu party. Right, 7-year-olds prancing around doing their hair and make-up and all other sorts of grown-up things. Why can't they just stay little? I'm sure I'm not the first Dad to rue the fact that his girl is growing up faster than I want, and I won't be the last.
Thankfully Leah does still like to do little girl stuff, which involves a phenomenon I'm not familiar with - The American Girl doll. Evidently this is a huge business for 7-10 year old girls to get very expensive dolls and dress them up in all sorts of outfits. In a few locations (including Atlanta), they have a restaurant attached to the store and the girls take their dolls out for lunch. It all seems pretty strange to me, but I didn't grow up with any sisters. The Boss told me to stop trying to figure it out and enjoy the fact that Leah is having fun. I guess she's right.
Then on Sunday it was all about party clean up and waiting for the New England/Indy game. Since the G-men are off this week, I didn't really have anything else to fixate on. After 12 days of intense family stuff, it was kind of nice to relax a bit. If returning borrowed tables, fighting with the 400 digital pictures I took, and taking my mother-in-law to the airport is relaxing.
The big game didn't disappoint either. The Pats actually looked human,
but maybe it's because the Colts are that good too. We'll probably see
the same two teams on a cold Sunday in January battling for the AFC
championship. I suspect the $3 million the Pats are paying to Randy
Moss may be the bargain of the century. How do you stop that guy? The
'72 Dolphins should be concerned.
Have a great day.
Technorati: Information Security, CSO, Security Mike, Internet Security
The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com
Get Your Special Report: 6 Easy Steps to Protect Your Identity and pre-order your copy today www.securitymike.com
Top Security News
Yes, social engineer yourself
So what? -
Mich Kabay has been running a series on some
of the ethical considerations of social engineering as a pen testing
technique in his NetworkWorld column. It's a good series and
I'm looking forward to reading the 4th piece as well. I can understand
where these guys (Mich and one of his colleagues have written the
pieces) are coming from, relative to the preparation and also some of
the concerns about violating trust with employees. But I still get back
to the main point that employees need to learn about these techniques
and a security awareness newsletter isn't going to provide the proper
level of urgency or understanding. I guess there are lines that shouldn't
be crossed (like asking an employee to send customer data or
intellectual property off site), but nonetheless I'd rather a more
aggressive social engineering stance than being entirely politically
correct. Farnum weighs in on the conversation on his
CW blog as well, but is more thinking about saving money than
educating employees. But to have an external party (which is how he
looks at the problem, since that's what he does for a living) run the
tests probably isn't the best way to teach your employees.
IBM - Big security commitment, little security strategy
So what? -
I mentioned IBM's big $1.5 BILLION commitment to security in
Thursday's laundry section. But that kind of spend warrants a bit more
analysis. If you check out the press release announcing the "strategy,"
it's still all over the map and uses lots of good buzzwords (like
"security risk management"), but little in the way of actually aligning
resources to solve the problem. This quote is great: "...today's wide array of
security technologies, implemented tactically in
silos, are not sufficient to deal with the new reality of risk."
Lest we forget that IBM's security capabilities are implemented in
multiple silos across their OWN organization. ISS is in the Global
Services business, Watchfire is in the Rational Tools Group, the
mainframe guys do their own z/OS level security, and their Identity
Management stuff is in the Tivoli business. IBM Research does their own
stuff, and
who knows who actually controls the MessageLabs relationship? You'll
also probably see a lot of the vendors mentioned specifically for data
protection, like AppSec, PGP and Verdasys - try to trumpet how big an
opportunity this is, but in reality - they just got into a press
release. Navigating the IBM field force is like searching the Labyrinth
for the Minotaur. They better bring their ball of string to find their
way out, and they also better be careful what they wish for, since they
may find it. But back to IBM - until they centralize their security
operations or at least name a figurehead to run an overlay operation,
this is all Barney stuff.
Free is more complicated than you'd think
So what? -
Scott Adams (the Dilbert guy) pens a great
op-ed piece in last week's Wall Street Journal about giving away
content on the Internet. He uses his own experience to
illuminate a lot of points. He publishes his comic on the web site
every day, but that has resulted in many more licensees. That's a good
thing. But he also gave away a free book, hoping to spur sales of the
follow-on. That one didn't work out so well. I continue to give a LOT
of stuff away, pretty much every day. Sometimes I wonder whether it
makes a difference, especially given the fact that my newsletters are
very time consuming. Is it helping my business? How do I more
effectively monetize what I hope is the goodwill I'm building by giving
away research? I'm not sure I know the answer to any of those
questions, but it does make you think. A lot of companies are
increasingly using free tools as a ramp onto the sales cycle. Musicians
are jumping into the act as well (Radiohead is the biggest example of
that), most likely to drive interest for their live shows - where they
make the most money. I haven't seen any kind of definitive study as to
whether this is working, and I'd love to know. My gut says it
does (since my business continues to grow), but this may just be a
reinvention of marketing - as opposed to a new kind of disruptive
business model.
The Laundry List
- Check out my new eBizQ monthly column, where I'll be discussing application security issues. Here is my first piece, which lays out the issues around securing applications. I'm also doing a monthly podcast as well. - Rothman eBizQ column
- There is a sucker born every minute. Sunbelt points out a spam message claiming "legal weed," guess they forgot that you need to accept delivery in Amsterdam. The sad truth is that a lot of folks will probably fall for the ruse. - Sunbelt blog
- Given all the hype around Apple's new Leopard, we seem to be forgetting the point. Hats off to Marcin, who reminds us that cars (and guns) don't kill people - people kill people. That's right, a secure OS in the hands of an idiot is pretty much insecure. - ts/sci security blog
- Q1 goes on a diet and introduces their SLIM log management device. By the middle of next year, there will be no SIM or Log Management markets, they will collapse into "security management." - Q1 Labs release
Top Blog Postings
They usually call this "intangibles"
Stuart King attacks the nasty topic of hiring the right security folks
in this post, and brings up a lot of good points. As security becomes
more ingrained in business operations, those folks doing security need
to become more business-savvy. They need to be more effective
communicators and understand the business impact of not allowing an
executable or protocol or USB thumb drive. Yes, these folks are hard to
find, which is why those that can actually learn a business and
understand how security makes it better are worth their weight in gold.
How do you do that? Going to another hacker class or conference
probably isn't the best way. Yes, I'm biased, but I think the Pragmatic
CSO is exactly the kind of philosophy and process that can
get you there. Did I mention I was biased?
http://www.computerweekly.com/blogs/stuart_king/2007/10/personality-in-security.html
The Zen Ostrich
My favorite Zen-master is railing about how many
organizations continue to have their heads buried in the sand about
where the real attacks are coming from. Candidly, I'm not sure if
insider or outside threats are more important. To me they are all just
threats and I have to deal with them accordingly. Clearly a lot of
folks figure their perimeters are reasonably secure, so they are
focusing on "insider" threats - whatever that means. Richard's point (I
think) is that we can hardly distinguish "inside" vs. "outside"
anymore, given the fact that many of our devices may be pwned and part
of a bot army. The devices are "inside," but being controlled by the
outside. Your folks may be unsuspecting accomplices, providing
the distributed computing horsepower that is driving the spread of
malware. That's why I'm such a big proponent of Richard's Network
Security Monitoring philosophy. The network doesn't lie, since bot
masters can't control bots without a network. Hackers can't break
applications without a network. And for the most part, insiders can't
steal data without first using a network to put the data into a place
where they can take it. If we watch our networks closely - it will tell
us where there are POTENTIALLY problems. Then we get to investigate and
see what the real story is.
http://taosecurity.blogspot.com/2007/10/wake-up-corporate-america.html
How's that containment plan?
It will happen to you. In every public appearance and pretty much every
week on this blog, I talk about the inevitability of being hacked. If
you are in the security business long enough, it will happen to you.
Although I'm sure Kim Cameron had a painful day last week, we can learn
from how he got hacked. He goes through the lineage of the issue (which
was a WordPress vulnerability) and also why he is committed to open
source software, even though he works for Microsoft. I think it's
pretty funny that people were using this as an excuse to talk about how
MSFT's software was exposed, even though he doesn't use it on the site.
But that's an aside; ultimately this was a bit of an inconvenience.
Microsoft still sold lots of Vista and Office, even if Cameron's blog
was heisted. But will YOU be so lucky? Can you afford your main web
presence to be hacked? How long can you afford it to be down? If the
answer is NO to any of those questions, then you better make sure your
incident response plan is in good shape and that you practice
responding to issues every couple of months. You don't want to learn
that your plan sucks when your web presence is pwned.
http://www.identityblog.com/?p=890
As you noted as a possibility, this is just "a reinvention of marketing", IMO. I've become a big fan of Dan Kennedy when it comes to marketing. Among other things, he's got a lot of good thoughts on information marketing. You may find him of interest. He's certainly relevant to the concerns you are voicing. He's got several books and lots of resources -- www.dankennedy.com
Keep up the good work!
-jr
Josh,
Thanks for the tip. I'll check out what Dan has to say.