The Daily Incite - October 17, 2007

Submitted by Mike Rothman on Wed, 2007-10-17 10:29.
Today's Daily Incite

October 17, 2007 - Volume 2, #143

Good Morning:
Let's play a little game this morning. Remember back to when you were a kid and the technology that you had at your disposal. I was in elementary school in the mid 70's. Cable TV was the shiny new thing, if you could call those brown boxes shiny. We had the dual box set up, with the "remote" (really a channel selector) being a box wired to the 2nd box (which plugged into the TV) with a 15 foot cord. I must have tripped over that friggin' cord 50 times. Ah, the memories.

There were no cell phones. There was no Internet. And the "computer" was the little Timex Sinclair. I did have an Atari game console to play Pitfall and Frogger. Times were a lot simpler then. Why do I bring this up? I guess I'm getting a little nostalgic because every so often I discover new technology that within a month or so, I won't know how I lived without.

Like my cell phone a few years ago. It's seriously aggravating now to not be able to get in touch with the Boss whenever I need to. When I was a latchkey kid, I'd be outside playing with my brother and we'd never hear the phone. I'm sure my Mom never knew where we were when she was working and it probably made her crazy. Today's kids are attached to their phones. Texting everyone, but more importantly - we as parents know where the kids are. The world is also a lot more dangerous now, so this is real progress.

Yes, there is a point to all this yearning for the simpler days/times. Since I'm too cheap to buy a new car with a navigation system, I bought one of those portable GPS toys because the Boss drives my car from time to time and let's say in my family I got 150% of the sense of direction. I figured the $270 I spent on the system will be paying dividends for years as I don't have to take the "I'm lost, help me" calls.

It didn't occur to me that I could take the portable GPS with me on business trips. Until Monday. So I put this thing on the windshield of the rental car and miraculously it gets me to my destination. No fuss, no muss. I had a little time before my flight on Monday night, so I figured I'd grab a cup of coffee. Do a little search on my portable nav for "Starbucks" and within 7 minutes I'm enjoying my Mocha frap light (a guy's got to watch his weight, you know). I needed to fill up the tank before I returned the rental car. My little friend has these cute gas icons right on the map, so I know exactly where to go.

Will I be late for my meetings? The nav tells me when I should arrive at my destination, so I can call to let them know where I am. Having that kind of information made the trip far more enjoyable. No more chicken scratch on little note cards after spending 30 minutes on Google Maps to figure out the best path to the 3-4 meetings I do on a travel day. The portable nav will quickly just become a part of how I travel. I'm sure my kids will laugh at me in 10 years when I tell them the stories of getting around before there was GPS built into every cell phone and available on little systems you throw in your bag.

Have a great day.




Top Security News

Unified communications is the next battle front
So what? - One of my initial Incites back in early 2006 was called "Battle of the Titans" and it had to do with Cisco and Microsoft battling for control of the architecture that we'll build systems on. Cisco comes at things from the network side and Microsoft from the desktop. This is happening and the next battlefront will be this idea of "unified communications." Microsoft announced their next foray into "business communications" yesterday in typical Microsoft fashion. Big shindig, a little Clapton, Bill G on stage, and a couple hundred lemmings announcing new products built on the Office Communications Server platform. Cisco has been investing in this stuff as well. Chambers did his "collaboration" stump speeches at all the big shows earlier this year, they bought WebEx, and voice and video are clearly an area of focus within their emerging technology group. Interestingly enough, both are paying lip service to security as a "feature" of their communications platforms. That's right, you can't talk about collaboration without the concept of protecting the data baked right in. Are they there yet? Of course not, but they both are saying the right words. Security is a feature.

Don't forget the switch layer
So what? - Back when I was deploying early client/server apps (yes I'm dating myself), inevitably a few of the machines would have wacky results and not be able to connect to the applications properly. More often than not it was either a physical layer issue or some kind of networking stack/protocol problem. Those were the fun days when troubleshooting was kind of trial and error. We take for granted everything running over IP nowadays, but it wasn't that long ago when the user had to reboot their system every time they wanted to share files (which required IPX) or access the Lotus Notes applications (which required NetBEUI). This article by a Cisco engineer on bMighty.com dealing with common switch hacks is kind of the equivalent of those old troubleshooting techniques. Many of us are so focused on higher level application attacks, we kind of forget to make sure the switches aren't exposed. There is a good list of switch attacks here (like targeting SNMP) and also how to prevent the issues. It's always good to remind ourselves that if the foundation isn't secure, you may as well build it on quicksand.
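The SNMP exposure mentioned above is the kind of thing that is easy to catch in a config review before anyone needs to troubleshoot it. The following is an added example, not code from the bMighty article or from Security Incite: it audits a constructed Cisco IOS-style switch config for the usual SNMP weaknesses (default community strings, read-write communities, communities with no access-list restricting who can query them). The sample config, the default-community list and the finding format are all assumptions made for illustration.

```python
"""Audit an IOS-style switch config for weak SNMP community settings.

Added example; the config below is constructed for illustration and is
not taken from any real device or from the article being discussed.
"""
import re

# Constructed sample configuration (not a real device).
SAMPLE_CONFIG = """\
hostname access-sw-01
snmp-server community public RO
snmp-server community private RW
snmp-server community s3cr3tRO RO 10
snmp-server community Mgmt-Only RW 10
access-list 10 permit 10.1.1.5
access-list 10 deny any
"""

# Community strings that ship as defaults and are guessed first.
# Assumed list; extend it with whatever your vendor ships.
DEFAULT_COMMUNITIES = {"public", "private", "cisco", "admin"}

# snmp-server community <string> [RO|RW] [acl]; mode defaults to RO.
SNMP_RE = re.compile(
    r"^snmp-server community (\S+)(?: (RO|RW))?(?: (\S+))?$", re.IGNORECASE
)
ACL_RE = re.compile(r"^(?:ip )?access-list (\S+) ", re.IGNORECASE)


def audit_snmp(config_text):
    """Return (line_no, community, issue) tuples for each weak SNMP setting."""
    lines = config_text.splitlines()
    # ACLs actually defined in the config, so a dangling reference is caught.
    defined_acls = {m.group(1) for m in map(ACL_RE.match, lines) if m}

    findings = []
    for line_no, raw in enumerate(lines, 1):
        m = SNMP_RE.match(raw.strip())
        if not m:
            continue
        community = m.group(1)
        mode = (m.group(2) or "RO").upper()
        acl = m.group(3)
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append((line_no, community, "default community string"))
        if mode == "RW":
            findings.append((line_no, community, "read-write access"))
        if acl is None:
            findings.append((line_no, community, "no access-list restricting source"))
        elif acl not in defined_acls:
            findings.append((line_no, community, "references undefined access-list"))
    return findings


def report(config_text):
    """Human-readable summary of the audit for a quick review."""
    findings = audit_snmp(config_text)
    for line_no, community, issue in findings:
        print(f"line {line_no}: community '{community}': {issue}")
    return len(findings)


if __name__ == "__main__":
    report(SAMPLE_CONFIG)
```

Running it on the sample flags the "public" and "private" communities, both read-write communities, and every community with no access-list; the two that are restricted to ACL 10 and use a non-default string pass except where they are read-write. Replacing SNMPv2c communities with SNMPv3 users is the better fix, but the same read-the-config approach catches the low-hanging fruit first.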

Is time not money?
So what? - The folks over at the Between the Lines blog on ZDNet covered a Gartner Symposium pitch on "Information Security on the Cheap." I'm not sure if that's what the session was actually called (and it was presented by ATL neighbor Adam Hils), but there were some interesting points. Evaluate patch status, use free anti-spyware and personal firewalls, limit administrator privileges to administrators, and lots of other good tips. Unfortunately none of these are really free. This is very much in line with my Security Mike process for consumer Internet Security, but unless you have fewer than 10 devices to manage, it will be very resource intensive for businesses. That's why for SMB, I favor CHEAP - not free tools. I want some semblance of policy management, even if it's simplistic. I don't want to be going around to 50 desktops to make sure they are all patched. Nor do I want to pay my "guy" to come over once a week and check everything out. Guess I need to add "Security Mike's Guide to SMB Security" to my To-Do list.

The Laundry List

  1. Intent? Evidently building a big box indicates SonicWALL's "intent" to make inroads in larger enterprises. Good luck with that. How do you intend to deal with the company that starts with a C and ends with an "isco?" - SonicWALL release
  2. Most SMBs "exposed" to Internet Security threats. Thanks Captain Obvious. Do these reports actually help sell anything? - Webroot release
  3. Speaking of SMB security, it seems that Anchiva thinks having more signatures will get an IT Director excited. Guess what? They don't care how many signatures are on the box. - Anchiva release
  4. Yet another SIM vendor goes after Log Management. TriGeo announces a new box, powered by Splunk. SIM doesn't stand alone, remember you heard it here first (about 18 months ago). - TriGeo release

Top Blog Postings

The shape of things to come...
Storage and security are brothers in arms. No, that doesn't mean that John Thompson is a genius for putting the two functions under one umbrella, but rather now he's got two businesses that are destined to be features. Maybe not tomorrow, but sooner rather than later. This analysis by Steve Duplessie on how the storage business is pretty much going away is thought provoking. And do a little exercise by replacing "storage" with "security" in the piece and see how it reads. Eerily prescient in my opinion. The big security players need to become "systems" players and bring more value to the table, or sell to someone even bigger that already has that capability. But the idea that there will be a large, stand-alone, pure-play security powerhouse in 7 years is pretty silly to me.
http://esgblogs.typepad.com/steves_it_rants/2007/10/the-end-of-the-.html

The problem with SOA Security
Thankfully I can link to something that the Hoff wrote that I could read in less than an hour. I guess TypePad must pay him by the word... But back to the point, Hoff rails a bit about SOA in this post, and makes the point that SOA is stuck in the chasm now because of lots of things - but security isn't one of them. I've done some work recently on the SOA Security market and it's not clear to me that there ever will be a "market" for SOA Security. Sort of like virtualization security. The systems/platform players are making enough noise that securing SOA apps will likely be a feature of the platform you pick to build the apps. That doesn't mean you won't need something to help manage a lot of disparate SOA security components, but that too will be dominated by the IT Management powers. It seems more stuff is getting squeezed in security than in a Minute Maid factory. Maybe it's time to invest in orange groves, rather than yet another security widget. At least you can drink that stuff.
http://rationalsecurity.typepad.com/blog/2007/10/security-is-not.html

Do we really need another "PCI?"
Everyone seems to be in an uproar about the Governator terminating a new bill to further require merchants to jump through more hoops, all in the name of tighter data protection. Everyone except Marcin that is. And that's a good thing because Marcin is absolutely right. There is nothing wrong with PCI. The fundamental problem is in how merchants implement the controls specified in the standard. And an even more fundamental problem is the lack of enforcement for folks that violate the standard. I know the new rules just went into force for the biggest merchants, but another regulation in CA is not going to get the retail industry to move any faster. And PCI is already a tremendous drain on mid-sized businesses. Of course, they should do it - but to pile more legislation on top of the sundae is not the answer. And come on, this is the Governor that took out the Predator. He must be right.
http://www.tssci-security.com/archives/2007/10/16/way-to-go-arnold-why-ab-779-was-a-lose-lose-situation-for-small-business/
