The Daily Incite - October 1, 2007
October 1, 2007 - Volume 2, #137
Good Morning:
Well, I made it back from my Boy's Golf Weekend in one piece, though my
golf game was not so good. Liver
hurts a bit too. I'll go to bed a bit early for a couple of days to
recover. A good time was had by all.
I usually don't take the time to play golf, but there are lots of
worse ways to spend a day than walking around (actually, riding around)
some pretty scenic places, hanging with buddies and having some
fun.
I did get to catch a decent amount of sports while away and the upsets
in football this weekend were unbelievable. When the 3 (Oklahoma), 4
(Florida), 5 (WVU), 7 (Texas) and 10 (Rutgers) ranked teams in the AP Top
25 college football poll go down, it's a pretty interesting
week. The NFL was no more settled. You wanted parity, you got parity.
What happened to da Bears and the Bolts? Both looked terrible. But the
G-men are rejuvenated. Or the Eagles just suck. Either way, I'm a happy
guy. For this week anyway. Happiness is fleeting when you are a sports
fan.
But that's not really the point. Spending a long weekend with folks
that are (for the most part) not in
technology and certainly not in security is a great thing. I know a lot
of my security friends tend to hang with other security folks. Yes, we
can be a paranoid bunch and other folks may not totally appreciate our
nuances - but it's important to not have tunnel vision.
For example, one guy on the trip runs a retail camera store. It was
very interesting to hear about how digital cameras have
fundamentally changed his business and what they are trying to do to
survive. I got to stretch my strategy muscles a bit on
something
other than convincing folks to buy security products they may not even
need.
Another guy runs a flooring company and a home design superstore. To
chat with him about how the housing downturn has affected his business
was totally interesting. In that business, it's important to
have size, since many
of the marginal folks are forced out of high-growth businesses when
they become slow- (or no-) growth businesses. Yet another is a real
estate agent. His business will be about flat this year. Which is
actually a great thing given the downturn. Why? Because
the marginal real estate agents that jumped on when the going was good
have left and he has enough of a foundation to gain
share in his market.
These conversations and many others make me a more rounded person.
Actually, I think it was the chicken wings, onion rings and beer
that made me more rounded, but I digress. When I go on these trips, I
like to listen and learn. Maybe I've got an opinion about stuff, but
it's more about learning about things I don't normally get exposed to
by staying in my bubble of security.
So are there any big lessons learned? It's actually reinforcing a trend
I already am tracking in security. Big is the New Small, even in
businesses totally different than security. It's very hard to compete
unless you have either tremendous scale (and the associated
efficiencies) or something truly differentiated. So regardless of what
you do and what business you are in, make an honest assessment of your
organization's chances of prospering moving forward.
We all know there isn't too much room to invest in security if you've
got no underlying business. And get out a bit, see some non-security
and non-technology friends. Learn about what they do. Become a bit more
balanced. The worst thing that can happen is that you pick up a few
ideas that can be helpful in our world.
Have a great day. I'm back to a normal publishing schedule
this
week. So blog readers will see the P-CSO Weekly tomorrow and TDI
Wednesday and Thursday. Also check out Security
Mike's blog. I'm doing some interesting stuff there.
Technorati: Information Security, CSO, Security Mike, Internet Security
The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" - www.pragmaticcso.com
Get Your Special Report: 6 Easy Steps to Protect Your Identity and pre-order your copy today - www.securitymike.com
Top Security News
Default to being pwned
So what? -
This may be stating the obvious, but it's important enough that I'll
revisit it as many times as I need to. You need to change the default
passwords on ANYTHING that is Internet facing. I know, what kind of
jackasses don't do that? Evidently you'd be surprised because I keep
coming across examples where the bad guys weren't smart - they just
tried the default password and broke into systems. InformationWeek has an interview with
convicted hacker Robert Moore, who went off to the big house
last week. He and a buddy broke into some routers and VoIP switches and
then stole the minutes. This guy made about $20K and his buddy took in
about a million and is currently on the run. As you can see, Moore is
evidently not the sharpest tool in the shed, but with a scanner and
knowledge of some default passwords - you look like a genius. So go
check those devices and make sure the passwords are changed. Also get
into the habit of monitoring the boxes and looking for strange traffic.
React faster, remember?
The PCI day of reckoning
So what? -
That's right, the PCI deadline for Tier 1 merchants has come. Tier 2
needs to get their act together by the end of the year. Will folks be
ready? Of course not, as Tim Wilson reports in his Dark Reading column.
This won't be the last you hear of it either. There will be a ton of
vendors ready to tell you all about it over the next few months. The
reality is PCI compliance isn't the goal - security is. I probably
sound a bit like a broken record, so check out what Stuart King has to say about the topic.
Right, it should sound familiar. If you do security well, PCI
compliance should be in the bag. But many organizations don't, so they
are in a world of hurt. The real question is how much of a world of
hurt. When will the enforcement actions start? When will they be
publicized? I've been hearing back channel rumors about fines being
levied, but I don't think that will move the needle until there is a
public execution. And it's not like there aren't a lot of folks that
could be strung up at this point. It's just whether it will happen or
not.
Deal: 3Com goes private
So what? -
I guess 3Com is still around, but not for long - as a public company
anyway. They announced at the end of last week a
deal to be taken private by Bain Capital and Huawei in a $2.2 billion
transaction. Even more interesting is that the deal was run
out of Bain's Hong Kong office. Hmmm. So this is all about China, not
about any of the other markets (both geographic and product) that 3Com
has squandered over the past 5 years. For security folks, the real
issue becomes if and how TippingPoint is affected by all of these
corporate gyrations. There was already a move to spin out TP and take
them public (again), but we'll see whether that continues to move
forward. I suspect it will because the private equity guys are always
looking to sell off some assets and free up cash to pay down the debt.
Also don't forget about the national security impact of the deal - as speculated on by Financial Times.
Since Bain is the lead, I don't think it will raise the ire of the
regulators, but having Huawei involved (even with less than a 20%
stake) does create that risk.
The Laundry List
- It's Security Awareness Month - do you know where your kids are? Probably online hanging out with their "friends" on social networks. Let's hope they are friends anyway. - Shimel's blog
- Will a force field protect you from milking your installed base? CHKP announces a new consumer browser virtualization product, Forcefield. I don't think this is ultimately a stand alone product, but bundled into their ZoneAlarm suite - it is kind of differentiated. - Check Point release
- Can you hear your data leaking? Probably not because it goes out over stealth Web 2.0 applications, like Meebo. You probably can't stop the apps, but you better monitor their traffic. - Palo Alto Networks release
- When you can someone, maybe look for signs they are back in and doing damage. Former Cox guy hacks in after he's "asked" to resign. About that provisioning software... - Atlanta Business Chronicle
Top Blog Postings
Will threat modeling work?
Shostack has another good post on Microsoft's SDL blog about threat
modeling. It's definitely hard, but as you can see from the process
Adam describes, it gets everyone focusing on security early in the
development process. That is just critical to head a lot of pretty big
issues off at the pass, before the issues become really expensive to
fix. Of course there are obstacles, like getting everyone on board and
making sure the process is managed and appropriate feedback is
delivered. There are also folks that have a hard time thinking like a
bad guy. These are all problems that can be fixed, mostly through good
process and strong oversight. Yet it's the intangible issue that can
kill threat modeling before it begins, and that's getting the
organization's culture to change and embrace the process - and
that's really hard. The developers (and everyone else) need to
understand that building a threat model is a key step in the dev
process - PERIOD.
http://blogs.msdn.com/sdl/archive/2007/09/26/the-trouble-with-threat-modeling-2.aspx
Security - Texican style
In this post, Cutaway interviews his Texas neighbor Farnum about
logging. I guess Farnum needs to start pushing some log management.
This is actually a good overview of why log management is a pretty
important thing to do, especially relative to operational and
investigatory requirements. I've been doing a lot of work around log
management lately and I agree that folks are starting to realize that
it's different than SIEM, although most of the SIEM vendors are moving
towards log management. The biggest adoption issue with log management
is that it's on the list behind lots of other stuff. If an incident
occurs, then it jumps to the front, especially when the forensics guys
can't figure out what the hell happened. He even throws a few SMB log
management tips into the mix. On another note, I actually prefer these
email interviews - as opposed to podcasts. I read a lot faster than
even Shimel can talk - so it's a better use of my time.
http://www.cutawaysecurity.com/blog/archives/193
More unintended consequences
I suspect the battles over OpenID are just beginning. I've gotten some
requests from folks to support it, even though I don't really have a
community site yet. I'm hopeful that because Security Mike's Guide will
target less sophisticated users that most won't have any idea about
OpenID, so I can continue to monitor its progress and ride the fence
for a while. Dan Sullivan points out that there are some real issues
with OpenID, especially from the standpoint of phishing. I'm not deep
enough into the technology to know whether the issues are
insurmountable or whether the technology is just a bit immature and
over time it will get to where we security folks need it to be. The
reality is that OpenID fills a compelling need, in terms of providing a
sort of single sign-on environment for Web applications. But as Dan
says, "I for one am not trading security and privacy for convenience." That
pretty much sums it up.
http://www.realtime-websecurity.com/articles_and_analysis/2007/09/openid_and_the_phishing_gold_r.html
Recently on the Security Incite Rants Blog
Check out the latest on the Security Incite blog: http://blog.securityincite.com/
Read the most recent Daily Incite: http://securityincite.com/security-incite-rants/daily-incite