The Daily Incite - October 24, 2007
October 24, 2007 - Volume 2, #146
Good Morning:
It's one of those days, already. I've become an early riser, like 5 AM
early. I like to have a little time before the mayhem of my day starts
to contemplate world domination, get through the crap that accumulated
as I was sleeping, and do my initial pass through my reading list. Then
I get my oldest ready for school, put her on the bus and start
cranking on TDI.
That's a typical day, but I knew at about 4:45 AM that this day wasn't
going to be typical. I was right. All 3 of the kids were up and dressed
at 5 AM. I'm not sure what got into their Wheaties, but they were up
and ready to go. I wasn't and neither was the Boss. Evidently there are
only so many books and Barbies that the kids will play with when I'm
trying to keep to my morning ritual.
I saw it in their eyes. Ritual - smitual. They wanted no part of that.
I kept hearing "get me some breakfast" and the typical sibling
bickering that goes along with little people living in your house. It's
hard to contemplate world domination when the kids want more Corn
Pops.
I guess there are days when the rituals just won't work. I'm working on
going with the flow better, but it's still a struggle. If I don't take
that time first thing in the morning, the day gets off to the wrong
start and usually snowballs from there. It takes a lot of thought and
planning to dominate the world; I just wish my kids could appreciate
that. I hope someday they will - if I do my job right.
On another topic, it seems that Dogbert has figured out where the real
money is. It's in being a "security consultant." Check out Dilbert on Saturday and Dilbert on Monday to get a feel
for the broad perception of security. I like the part about beating the
intruder with a trash can. That sounds like fun. I do think that (for
once) Scott Adams missed the boat on these posts. Since Dogbert is the
entrepreneurial type, he should be a PCI auditor. That's where the
money is.
Have a great day.
Technorati: Information Security, CSO, Security Mike, Internet Security
The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" - www.pragmaticcso.com
Get Your Special Report: 6 Easy Steps to Protect Your Identity and pre-order your copy today - www.securitymike.com
Top Security News
There is no line between home and business
So what? - In Andreas' NetworkWorld column (tip to you buddy, don't make
fun of any of NWW's feature stories - if you like your column anyway), he
talks about separating work and play
- at least from the perspective of computing power. The reality is that
there is very little separation nowadays. I don't really know anyone
that truly leaves the office. Whether it's the Crackberry or the late
nights or the travel, most of my cronies are tied to their job in one
way or another. That being said, I do think Andreas makes an important
point, which is the criticality of keeping home and business COMPUTING
separate. The idea of running a "home" virtual machine on your work
device makes sense. But it does add cost and complexity to the
equation. I don't think making a virtual machine work is practical for
Joe White Collar. The idea of a thumb drive virtual machine is also
interesting and more likely to work. I know a lot of folks use GoToMyPC
on their home device to get to their files and do stuff. I'm a big
believer in Mr. Market and when there is a need, the market will figure
out how to fulfill it. Start looking at the personal stuff that people
do on their work devices and making a public example of it, and I
suspect the need will become a lot more apparent.
More layers peel off the TJX onion and it's stinky
So what? - Evidently 45 million identities stolen in the TJX data breach
was a bit on the short side. According to Visa and MasterCard anyway.
Covered on Evan Schuman's StorefrontBacktalk blog (say that 10 times
fast), it seems that 29 million MasterCards and 65 million Visas were
pilfered. That's 94 MILLION identities folks. Actually, the most
surprising thing is the sheer volume. I mean TJX is a huge company. 94
million customers (or at least that many unique credit cards used in
their stores) is a big number. I'm not surprised that the story keeps
getting worse. Since TJX had no idea what was going on for 3 years, what
gives you any confidence that their estimates of loss are going to have
any precision? On the bright side, Visa's fraud control seems relatively
effective in that losses are now estimated at the high end to be $83
million. $83MM is a significant loss, but given the number of stolen
card numbers out there, you'd think it would be more than that.
The Feds embrace whole disk
So what? - And who says the US Federal Government doesn't learn from
their mistakes? It only took a handful of stolen laptops to draw the
spotlight on the fact that whole disk encryption is probably a good
idea for mobile devices. GCN has a series of articles discussing the
topic. It's such a good idea that Check Point bought PointSec
and McAfee is buying SafeBoot. Of course, disk encryption doesn't
really stand alone and it's built into Vista and Mac OS X. Maybe not as
manageable as these 3rd party options, but nonetheless it's there. This
looks to be another example of a market that will take money from other
"less urgent" needs, like SIEM, NAC and DLP. This will have an impact
on 2008 budgets, but by 2009 expect to see whole disk encryption as a
feature of a new "mobile device" security suite. That's right, you
heard it here first. You should see the AV vendors start to segment
their offerings into desktop and mobile bundles. The mobile offering
adds things like WiFi security, more sophisticated endpoint
application control and whole disk encryption. AV vendors, let me know
where to send the product management consulting invoices.
The Laundry List
- Entrust announces Q3 results. Back to profitability (in a non-GAAP way), but product revenue was light. Welcome to the world of the living dead, which is amazing given the continued interest in authentication technologies. - Entrust release
- Talk about a feature, not a company. Start-up Abaca Technology announces a "reputation" gateway to block spam. This one is based on "receiver's reputation," which sounds like the same crap to me. - NetworkWorld coverage
- The 2007 version of the $200 toilet seat. Why not have a firewall running in a tank? I guess you can't run a VPN client in an M1A. - St.Bernard release
- Great, now I get to authenticate to my printer. I hope they have self-service password reset on my new OfficeJet. Like I said, security is really a feature of everything, even printing. - InfoWorld coverage
Top Blog Postings
Are we out of control?
That's the question that Gunnar asks in this post. Are security folks
so enamored with the latest widget or minor attack vector or nebulous
technology that we are missing the forest for the trees? Absolutely.
This in a nutshell is why I think the Pragmatic CSO is so important.
And it's not just that I have a garage full of inventory that I'm
trying to move. HA! Actually, the point Gunnar makes is a very good
one. Some other IT disciplines (like app development) are all about the
business by definition. If you are implementing SAP, you need to know
how the business operates and should operate because that's what you
are automating. It's a bit less clear in the case of security, but it's
no less important. If we can't relate security functions to business
value, we will always be relegated to the sidelines waiting for our
staff and budget to get cut. I'm not saying the P-CSO process will work
for everyone or that it's perfect, but if you are struggling with
explaining why you do things to management, then you owe it to yourself
to at least read the Introduction.
http://1raindrop.typepad.com/1_raindrop/2007/10/it-security---a.html
I dub you Darth Stiennon
Evidently there is none of the good left in Stiennon. He has fully
moved to the dark side. Now he just needs to slaughter a bunch of Jedi
students to make his transition complete. First of all, I should have
gone to ITExpo if only to see Stiennon doing booth duty. But this idea
of actually blaming the customer for a bunch of price-inflated security
widgets is a beauty. I guess the answer is to just add a firewall
everywhere (between network segments and agencies anyway) and the
problems miraculously dissipate. When you sell a hammer, everything
looks like a nail, no? The fact is both the users and vendors are to
blame for the quicksand we are now in. Users haven't enforced policies
or related security to the business. But the vendors have been more
than happy to sell more widgets that solve increasingly narrow problems.
The customer who raised Stiennon's ire actually had the gall to say
what I've heard from a bunch of CEOs and CFOs - that they've spent a
TON of money on devices and still don't feel secure.
http://blogs.zdnet.com/threatchaos/?p=483
IPS = PCI, not so much
Rob Newby relates a very interesting story about a large retailer
getting advice from its QSA to implement IPS in every location. Huh?
Unless they connect every location directly to the Internet and take
inbound traffic, what the hell is that going to do - besides make some
IPS sales guy very very very happy? But this underscores a much bigger
point, which is the subjectivity and variability that you'll get in PCI
auditor recommendations. There is no generic security posture that will
pass the audit, and each auditor brings his/her own biases to the table
relative to what "PCI compliance" really means. That's why it's so
dangerous to just focus on PCI, or any other regulation for that matter.
Focus on building and maintaining a STRONG SECURITY POSTURE and these
regulations will fall into place. There is nothing in PCI that is so
outrageous. In fact, you should have been meeting most of the
requirements already. Now you just have to document it.
http://robnewby.blogspot.com/2007/10/pci-project-blues.html
Recently on the Security Incite's Blogs
Find out what Security Mike is talking about: http://securitymike.blogspot.com
Check out the latest on the Security Incite blog: http://blog.securityincite.com/
Read the most recent Daily Incite: http://securityincite.com/security-incite-rants/daily-incite



Mike, my son, you of all people know that vendors do not a market make. You can invent a really cool slick security widget but there has to be market demand for it. If not, the company shrivels up and dies. Yes, there are a plethora of vendors, but that is because the problem is changing so fast. Those that claim it is evil marketing people that are the problem are implying that customers are dupes, buying products based on airport ads instead of functions/features and company viability.
I think you will find that I have *always* been a supporter of vendors over analysts. If that is the dark side then that is where I have always resided. Of course I have been known to call out certain vendors for lack of vision and products that are not keeping up. But, with the dozens of security folks at large enterprises and government that put products through the wringer you cannot blame the widgets for lack of controls, authentication and secure methodologies that exist at many organizations.
I appreciate how you and other bloggers could have taken my particular frustration with the US Military as a more general statement but actually, I find many organizations do do security well.
-Stiennon