The Daily Incite - October 15, 2007
October 15, 2007 - Volume 2, #142
Good Morning:
When should you quit? I'm not being specific here, but basically to
stop doing something. Maybe it's your job. Maybe it's a hobby. Maybe
it's a new business or a product line or anything that you could stop
doing. Breathing wouldn't be high on that list. Today
I'm going to point you towards Seth Godin's The Dip. I just finished it and
scarily enough it took me a couple of days to get through it. Since
it's 80 small pages, that's just an indication of all the other stuff I
have going on.
It's worth reading because it's something that we all struggle with.
When should we quit and when should we stick with it? I have to make
these kinds of decisions every day. Should I continue to write the
Daily Incite? It does take a lot of time, a couple of days per
week. What about the Pragmatic CSO, do I keep doing that newsletter each
week? And now I'm in the hard phase of Security Mike's Guide. It's
turned into a bigger project than I envisioned and although I know it's
needed - it sure would be easier to get an extra hour or two of sleep
and maybe take a day off here or there.
There is clearly a balance between persistence and stupidity. Sometimes
you have to just come to grips with the fact that it isn't going to get
better. A discussion broke out on a mailing list I'm on over the
weekend about how to deal with some anonymous work colleagues that
sucker-punched a blogger who writes about work (albeit anonymously) on
his blog. Does he fire back at them on his blog? Does he just quit?
A lot of that depends on his boss. Will his boss back him up? Has his
boss even read his blog to know whether there are issues with what is
being written? Or is the boss just parroting the lame detractors who
don't want to change and are pushing for the status quo? It's certainly
easier to parrot the lame and get out of the way. And if that's the
case, this guy should probably start looking at Plan B.
Godin talks a lot about "If you aren't going to be #1, then you should
quit now." I don't quite buy that, certainly not in a security role.
There is no #1. There is no contest or play-off or even BCS rankings to
show who is better than someone else. Maybe you get invited to Black
Hat or DEFCON to show your stuff, but lots of folks get that. It's
about being able to be successful - based on your (and your senior
management's) definition of success, which usually means nothing bad
happens. A good day is a day when nothing happens.
When things get tough, he does mention 3 questions that I think are
right on the money:
- Are you panicking?
- Who are you trying to influence?
- What sort of measurable progress am I making?
I do suggest you read the book to get the full understanding
of these questions. Suffice it to say that as I think about the
questions that I asked up front - most of my thinking is based on
laziness, so the good news is that I'm not really going to quit
anything that I'm doing right now. I'm investing a lot of effort right
now in getting my products completed and once that is done, I'm going
to focus more on my go to market strategies - which have been suffering
because I'm focused on building.
But I am going to be a lot more focused next year. I do want to be #1
in a lot of things - and I think I can. But I also need to start
failing faster. I need to try more stuff and see what works and what
doesn't. I counsel countless people and tell them they are trying to do
too much. Right now I fall into that category and this will persist for
a little while. I'm considering my work overload as an investment right
now because I'm focused on getting through the various "Dips" that I'm
facing and getting through to the other side.
Think about what you do every day. Is it futile? Are you
having fun? Will anything change? If not, then figure out Plan B. We
all need to have Plan B. Have a great day.
Technorati: Information Security, CSO, Security Mike, Internet Security
The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com
Get Your Special Report: 6 Easy Steps to Protect Your Identity and pre-order your copy today www.securitymike.com
Top Security News
Apathy is in the Dip
So what? -
Continuing on my theme of "The Dip" this morning, let's talk about
security awareness and basically user apathy. We know that most
consumers don't know or don't care about security stuff (which is why
I'm spending so much time on Security Mike right now), and I think that
needs to change. But what about business users? David Utter rails a bit in this article
about apathy and basically comes to the conclusion that users
aren't going to change and thus educational efforts are a waste of
time. I'm still not there. Maybe I'm stupid. Maybe I'm too persistent.
I know how painful it is when the same users continue to do the same
things and screw everything up - no matter how many times we tell them
not to. But I think a lot of this anti-user awareness is based on a
misplaced trust in the security tools that we are using and quite a bit
about the last 2 questions that Godin asks: Who are we trying to
influence? How do we measure it? Basically we are going to lose
some battles. Some employees will never get it. But a lot of them will.
We need to think about the process in its entirety - NOT based on a
couple of bad actors. If we can reach 80% of the people - is that not
worth the effort?
Link to this
I guess we should test open source stuff too
So what? -
The folks at Fortify have found that some open source
software may include some exploits that they've dubbed
"Cross-Build Injections." It's important to test these code bases
(maybe with a source code analyzer, HA) to make sure the code you
integrate into your applications is clean. Hmmm. I guess it was just a
matter of time, but there is huge leverage to a bad guy sneaking some
evil code into an open source distribution. Talk about some easy
distribution. Do I check my Drupal site
against any kind of analyzer? Nope, I basically trust the folks that
send out the distribution because they seem like a good group of folks
and I'm joined by thousands of others that trust these folks. But that
does go against the dictum of "Trust No One." It gets back to doing a
risk/reward scenario. Sure I should test my own site, but the reality
is there isn't really anything to steal there. Sure they could hijack
the page and put up some bad pictures. Maybe call me names and that
would be bad. But I wouldn't be facing PCI violations or violating my
customer's trust. So the reward is pretty low for what would take a lot
of my time. But if you do use a bunch of open source software in
whatever you do, then you should check out Fortify's research and see
how it applies to your environment.
Link to this
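The practical check behind "make sure the code you integrate is clean" is to pin the digest of every build dependency at the moment it was reviewed and refuse to build when a later fetch returns different bytes. The script below is an added example, not code from the Daily Incite or from Fortify's research; the artifact names, their bytes and the "fresh download" with one swapped archive and one never-pinned archive are all constructed for the demonstration.

```python
# Added example (not from the Daily Incite or Fortify): gate build dependencies
# on pinned SHA-256 digests so a swapped artifact fails before it is integrated.
import hashlib
import hmac

# Constructed stand-ins for reviewed dependency archives; the bytes are made up.
TRUSTED_ARTIFACTS = {
    "foo-lib-1.2.jar": b"PK\x03\x04 reviewed foo-lib 1.2 build",
    "bar-util-0.9.jar": b"PK\x03\x04 reviewed bar-util 0.9 build",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of an artifact's bytes."""
    return hashlib.sha256(data).hexdigest()


def build_lockfile(artifacts: dict) -> dict:
    """Record the digest of each artifact at the moment it was reviewed.

    In practice this mapping is committed next to the build script so later
    fetches can be compared against it.
    """
    return {name: sha256_hex(data) for name, data in artifacts.items()}


def verify_artifacts(downloaded: dict, lockfile: dict) -> dict:
    """Classify each fetched artifact as 'ok', 'mismatch' or 'unpinned'.

    'mismatch' means the bytes differ from the reviewed copy (the case a
    cross-build injection produces); 'unpinned' means the build pulled
    something nobody has pinned yet, which must also block the build.
    """
    results = {}
    for name, data in downloaded.items():
        expected = lockfile.get(name)
        if expected is None:
            results[name] = "unpinned"
        elif hmac.compare_digest(sha256_hex(data), expected):
            results[name] = "ok"
        else:
            results[name] = "mismatch"
    return results


def safe_to_build(results: dict) -> bool:
    """Only proceed when there is at least one artifact and every one matched."""
    return bool(results) and all(status == "ok" for status in results.values())


# Constructed "fresh download": one archive silently replaced, one new archive
# that was never pinned.
DOWNLOADED_ARTIFACTS = {
    "foo-lib-1.2.jar": b"PK\x03\x04 reviewed foo-lib 1.2 build",
    "bar-util-0.9.jar": b"PK\x03\x04 bar-util 0.9 with extra payload",
    "baz-new-2.0.jar": b"PK\x03\x04 baz-new 2.0 nobody reviewed",
}


def run_example() -> dict:
    """Verify the constructed download against the lockfile from the reviewed set."""
    lockfile = build_lockfile(TRUSTED_ARTIFACTS)
    return verify_artifacts(DOWNLOADED_ARTIFACTS, lockfile)


if __name__ == "__main__":
    results = run_example()
    for name, status in results.items():
        print(f"{status:9} {name}")
    print("build allowed:", safe_to_build(results))
```

The lockfile is the piece that turns "I trust the folks who send out the distribution" into something checkable: trust is placed once, at review time, and every later fetch has to match it. Unpinned artifacts are treated as a failure rather than a warning, because a build that quietly pulls a new dependency is exactly the path an injected archive would take.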
Does GM get pummeled when someone drives through a plate glass window?
So what? -
Citrix took a beating last week when GNUCITIZEN's PDP showed how a
brute force attack can be used to compromise Citrix
environments. The news hook was that some jackass administrators don't
have their networks configured correctly, so a simple Google search
will show you where some pretty sensitive implementations of Citrix
reside. Like the DoD and other sites you probably wouldn't want
compromised. eWeek does a good job here of telling both
sides of the story. But is this Citrix's problem, given that
they do provide a lot of tools to secure their environment and anyone
can set a robots.txt file to stop Google from indexing the inside of
your underwear? Does GM get vilified every time some drunk guy (or gal)
runs into something and people get hurt? Nope. If the tools are there,
it's the responsibility of the administrators to use them. Though we
should tip our hat to PDP, who has emerged as a security research
marketing force of late. A lot of folks are paying attention to his
work.
Link to this
The Laundry List
- It's that time of the quarter. POPS. Pre-Oracle Patching Syndrome. Where is that Midol? Looks like there will be 51 patches this week from Oracle. At least it only happens once a quarter, right? - InformationWeek coverage
- Is the future of two-factor authentication in your pocket (and free)? Phone Factor has an interesting take on breaking RSA's dominance of the multi-factor authentication space. It'll be interesting to see if it's enough. Nothing to date has been. - Positive Networks release
- 5 tips to make your audit go down easier. Here is one of my recent SearchSMB columns about running your audit. I wonder if Martin will have any thoughts on this given his new gig (congrats). - Rothman SearchSMB column
Top Blog Postings
Hackers are business people too
And very good ones, by the way. Actually some of them are very good,
most of them are mediocre. The business of hacking looks more and more
like any other business. You've got arms dealers (or shovel makers)
that are supplying folks with tools and information to get in the
business. You have a lot of people who are chasing the promise of
riches through fraud. Finally you have the trailblazers, the ones that
are thinking up these new attacks and running to the bank. Or wherever
it is that their money shows up after it's fully laundered. Jeremiah
points to a series of articles on CIO that
details how some of these Internet crime rings work. It's pretty
interesting, but anyone that reads Fortune or Forbes knows that this
isn't unique. It's pretty much like any other industry, which is scary.
http://jeremiahgrossman.blogspot.com/2007/10/malware-as-service.html
Link to this
The best defense is a good offense
Or so goes the old parable from military, sports and lots of other
references. Hoff rails a bit about Qwest's attempts to deal with bots
and to help clean up some of the zombies on their networks. I was
positive about this last week (what's the matter Chris, you don't link
love me anymore? Is Seltzer your new muse?). First of all, the way I
interpreted the announcement was that they are monitoring and helping
to fix - NOT BLOCKING OR QUARANTINING. So Aunt Bessie is not going to
be sent to the penalty box because her machine is a cesspool. Maybe Qwest
is blocking some folks, but they haven't said that. But on to the
bigger point, which is whether offense makes sense and how ISPs should
be dealing with this bot infestation. Chris takes a long time (and a
lot of words) to basically make no point. Yes, there is a likelihood
that the customer was infested even with Qwest's network-based
protections. Ah, what network-based protections? We all know that
unless they were web filtering EVERYTHING, they couldn't stop a
drive-by Trojan attack. Even if they were web filtering everything,
they still couldn't. As I've been preaching, we cannot totally STOP the
attacks and the incidents, you need to be able to REACT FASTER to fix
things and contain the damage. That's how I view Qwest's initiative.
Not about preventing the issue, customers won't pay for clean
pipes. But containing the damage - which ultimately will save Qwest
money and possibly result in a better experience for all of their
customers. I guess those happy pills are working.
http://rationalsecurity.typepad.com/blog/2007/10/everybody-wing-.html
Link to this
Managed spamming appliances - Arghhh.
Dancho points out the total automation of address harvesting and the
ability to "rent" out a spamming service to deliver your message.
Actually, none of this is new. Appliances that send bulk mail have been
on the market for years (Cisco paid $830 million for one of them, HA)
and the bad guys have inevitably gotten their hands on them and used
them to blast our inboxes into oblivion. There have been simple
software programs that have been able to access spam lists for $30. It
didn't take a lot of sophistication to be a spammer. But things are a
bit harder now. You have to control a bot net because if you try to
send messages out yourself, you'll get nailed. So this idea of a
"managed spamming service" is kind of interesting. It's the next wave
of the business model, including technical support for those truly
unsophisticated hacks. And from all the crap that's been showing up in
my inbox lately, it's working. I got pounded with spam this weekend.
How about you?
http://ddanchev.blogspot.com/2007/10/managed-spamming-appliances-future-of.html
Link to this
Recently on the Security Incite's Blogs
Find out what Security Mike is talking about
http://securitymike.blogspot.com
Check out the latest on the Security Incite blog
http://blog.securityincite.com/
Read the most recent Daily Incite
http://securityincite.com/security-incite-rants/daily-incite
Mike, I don't think the problem is in reaching that 80 percent, or even 100 percent, of people with the typical security messages: don't open docs you aren't expecting, don't click on links in mail from untrusted senders, don't buy pharmaceuticals from spammers, etc.
The messages don't seem to stick. Spammers make money because people keep opening their mail and buying their stuff, or downloading a Trojan that makes the computer another bot.
When people keep making the same mistakes, especially the same people over and over, you have to ask much more critically if your education efforts merit the effort.
The education and initiative have to come at the gateway, not inside the network. Until ISPs start killing accounts for bot-infected machines, and security pros take the fight off the network and to the gateway, things will continue to get worse.