The Daily Incite - September 16, 2008

Submitted by Mike Rothman on Tue, 2008-09-16 09:00.
Today's Daily Incite

September 16, 2008 - Volume 3, #77

Good Morning:
I have to admit, the fall is my favorite part of the year. It wasn't always that way, but in Atlanta - the fall is just awesome. Of course, it's mid-September and it's still 80+ degrees. So fall doesn't really start for another month. But the weather is temperate (as opposed to the summer), the kids are back in school and their routine, and of course, it's football season.  
How'd the golf ball get there?
Have I mentioned that I love football? Of course, when the Giants start 2-0, it's a great start. But seeing Dallas and Philly pound each other into submission last night, I realize how difficult the NFC East is going to be this year. Dallas was lucky to pull that one out. I had no intention of watching the game (I had a lot to do), but I was fixated on seeing each team decimate the other's defense. It's what pro football is all about.

September also brings my annual golf trip, which is the end of this week (so I may not post on Thursday). Which is kind of a joke because I'm not really a golfer. I chase the ball around for 4 days, competing in the high handicap group and basically waiting for the beer cart to swing by. Once we are mercifully done with the round, then we get to drink some more. Sometimes I just like to make sure my liver knows I'm still here.

Last year, everyone was great in giving me all sorts of tips for folks that don't golf too much. Take a shorter backswing, keep your head down, don't leave that double bogey putt short, I heard lots of stuff. Thanks for that, but ultimately it doesn't really help. I just hope my game stays together long enough to win a couple holes for my team.
Unfortunately, I'll contribute a bunch of golf balls to the rewash foundation. Those are the balls that end up in the drink, like the picture above shows. The club hires some divers to collect the balls from the water hazards and then they sell your own balls back to you at half price. It's kind of like being married.

Though this year I did decide to buy a new set of clubs. I've been playing my old Hogan Magnums for about 20 years. No joke, I got them in college. So I went down to Costco and bought the Nicklaus club package. 13 clubs, a bag, and a bunch of head covers for $249, and they make my old clubs (which were top of the line in 1988) look like hickory sticks. Evidently Moore's Law has come to golf clubs as well. I can get a decent set for 25% the price of just my irons years ago.

Of course, I could have spent thousands on a new set of sticks. Between the $500 drivers and the fancy irons, you can really splurge if that's your thing. And I know a bunch of guys that do that. But for me, it's all about good enough. Amazingly enough, I actually live a lot of the crap I spew every day. I went to hit some balls at the range over the weekend, and my new clubs are good enough. They are a lot more forgiving than my old sticks and I suspect it's going to make my trip a lot more enjoyable.

And if not, there is always the drink cart.  

Have a great day.

Photo: "Golf in the deep..." originally uploaded by asbjorn.hansen



Top Security News

Freedom for unsolicited emailer - shocker!
So what? - I'm not sure what Jeremy Jaynes paid his lawyers, but it's not enough. Those guys got the VA Supreme Court to overturn the state's spam laws and thus overturn his conviction for being a scummy email profiteer. Whatever. Since I haven't been in the email security business for a few years, I'm pretty sanguine about the entire battle. Basically, people still click on links, thus they are getting pwned, thus there is still a huge economic benefit to sending unsolicited email. And until the economic benefit abates, there will be no progress. Sure, the good guys will continue fighting the good fight and the bad guys will continue innovating and finding new ways to compromise the respective inboxes of your employees. Many of the bad guys now reside in places that are really beyond the reach of global law enforcement, but now it's not even clear there is a basis for law enforcement. Guess it's back to the same old same old.

Yes, we need to keep fighting
So what? - Everyone has good days, where they think they can conquer the world (or at least make a dent in their to-do list), and not so good days, where you wonder why you even bother. Since I'm assuming you are human, this kind of thing is going to happen. The other inevitability of being a security professional is that you are going to have to deal with incidents. Yes, it will happen to you. It's a point that John Sawyer makes on his Dark Reading blog. We still have to protect the flanks, educate the users, and do the best we can with the (limited) time and resources we are given. BUT we also have to plan for the incident and ensure we effectively and quickly contain the damage. Our job is to try our best to prevent the incident, but it's also to make sure a small incident doesn't become a major catastrophe. This is a hallmark of the Pragmatic approach to security, and it's important. So make sure your incident response plan is up to date and maybe schedule another run-through of your process. Remember, you don't want to find a gaping hole in the recovery process in the middle of an incident.

Getting back to poor man's DLP
So what? - OK, this is a thinly veiled vendor byline published in Network World (by Blue Coat's Tom Clare), but it makes a couple of interesting points. I got an earful from folks in the DLP space about my thoughts on "poor man's DLP," basically the capabilities that come with your email and web gateways that can check for very simple regular expressions and other content matching algorithms. I maintain that for a lot of customers, this is good enough to meet the spirit of the regulations and also to address the most common data leakages. No, this probably won't wash for a Fortune 50 class mega-enterprise. But Joey-bag-of-donuts and his PCI requirements? Most likely. Now, if budget and time allow a more comprehensive approach to DLP, then I'm all for it. But if you are like most of the unfortunate 5 million companies out there with no time and no budget, then looking at a poor man's DLP may be a decent stop-gap until you can be a bit more strategic, or the gateway vendors buy some DLP technology and integrate it.
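To make the "poor man's DLP" point concrete, here is an added illustration (my own sketch, not code from Blue Coat, Network World, or any gateway product) of the kind of regex content check those gateways run. It looks for card-number-shaped strings in an outbound message and tightens the raw regex with a Luhn checksum so that a 16-digit order number doesn't trigger a block. The message text and the function names are constructed for the example. It also shows the limit the vendors like to point at: the check catches the common accidental leak, and misses anything written in a format the pattern doesn't expect.

```python
import re
from dataclasses import dataclass
from typing import List

# Constructed "poor man's DLP" check: a gateway-style regex scan for
# card-number-like strings, plus a Luhn mod-10 check to cut false positives.
# Not any vendor's code; names and sample messages are invented for this example.

# Candidate: 13 to 16 digits, optionally separated by single spaces or dashes,
# bounded on both sides so a longer digit run (e.g. a 19-digit serial) is skipped.
CARD_CANDIDATE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn mod-10 checksum used by card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    match: str      # the text as it appeared in the message
    redacted: str   # masked form suitable for a log line


def find_card_numbers(text: str) -> List[Finding]:
    """Return Luhn-valid card-number candidates found in the text."""
    findings = []
    for m in CARD_CANDIDATE.finditer(text):
        raw = m.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if luhn_valid(digits):   # regex alone would also flag random 16-digit strings
            findings.append(Finding(raw, "*" * (len(digits) - 4) + digits[-4:]))
    return findings


def gateway_verdict(text: str, max_hits: int = 0) -> str:
    """Simple policy: 'block' when more card numbers than allowed appear, else 'allow'."""
    return "block" if len(find_card_numbers(text)) > max_hits else "allow"


if __name__ == "__main__":
    # Constructed sample messages. 4111 1111 1111 1111 is a widely used test number.
    samples = [
        "Hi, my card is 4111 1111 1111 1111, exp 12/10, please charge it.",
        "Order 1234567890123456 shipped this morning.",   # 16 digits, fails Luhn
        "card: 4111.1111.1111.1111",                      # separator the regex doesn't expect
    ]
    for s in samples:
        hits = find_card_numbers(s)
        print(gateway_verdict(s), [h.redacted for h in hits], "<-", s)
```

The first message is blocked and logged with only the last four digits; the order number passes because it fails the checksum; the third message slips through because the dots aren't in the separator class. That last case is the honest caveat for this approach: a simple gateway pattern handles the mistaken paste into an email, which is the bulk of what the regulation cares about, and you extend the pattern (or move to a real DLP product) as the leaks you actually see demand it.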


The Laundry List

  1. Have distribution channel, will travel. Cisco takes market share lead in content security gateways, according to box counters at Infonetics anyway. Though I'm surprised Symantec is still listed. When was the last time you heard anything about Brightmail? - Cisco Subnet blog (on NetworkWorld)
  2. Deal: Hat tip to Ferris for catching the sly Quest/Akonix deal. Seems Gartner also caught it at the beginning of the month. Let's just say if it didn't even warrant a press release from Quest (or investor disclosure), they put Akonix out of its misery. It's about time, at least not all of the laws of economics have been repealed by dumb VC money. - Ferris Research
  3. Everyone jumps on the "intelligence in the cloud" bandwagon. Now Blue Coat is talking about their service that looks at 150 million requests a day. Is that a lot? Does it matter? - Blue Coat release
  4. Not dead yet, Borderware announces the new new thing in their security platform. Ready? It's DLP across email and web traffic. Yup, poor man's DLP coming to a gateway near you. - Borderware release

Top Blog Postings

Yes, it's about influence
Sometimes I wonder if I'm talking to myself. I know I'm not, but on those days when you are hibernating to finish a few writing projects and the most insightful conversation you have is with the Starbucks barista, it's nice to see something totally consistent with my thinking. Stuart King says in one sentence what takes me an entire book to discuss: "the fact that organisations are beginning to see influencing and negotiation skills as being just as, or more important, than the technical knowledge that got most of us into security as a career in the first place." Amen. Now to be clear, there is still a real need for technical competence and the ability to actually do things. But those folks don't have the senior security professional title. It's all about persuasion and evangelism. You need to be able to get the rest of the senior team on board with the security program and to think a bit before they do. It's a constant battle and done more over a 3-martini lunch than a keyboard, but that's the way we security folks need to roll. Dale Carnegie, here we come.
http://www.computerweekly.com/blogs/stuart_king/2008/09/success-through-influence.html

Looking out for #1
Dre takes Jeremiah to task for spreading FUD and perhaps overstating the value of application testing, as opposed to building applications securely in the first place. Though Dre is well spoken and makes a lot of points, there are truths to both sides of the argument. The reality is there is NO PANACEA. Yes, the bad guys are scary, yes we are writing a lot of new code - most of which will never be tested, and yes, that means a lot of folks will be exposed. Dre is right that we can do a lot of great work to fix our applications and it shouldn't take years.  But remember, as charitable as you are, you shouldn't spend a lot of time worrying about them. Spend 99% of your time worrying about YOU. If you do some application testing and if you even make an initial lame attempt at secure applications, you'll be ahead of a vast majority of the other folks out there. Remember, a skilled attacker can beat you. Every single time. But most of the folks out there are pretty lazy, so they are going to go after the paths of least resistance. As long as you make it a bit difficult, the bad guys will move on to the next target. Unless, of course, you work at a high profile web property, then you are basically screwed and all bets are off. Have I mentioned the importance of reacting faster lately?
http://www.tssci-security.com/archives/2008/09/11/web-application-security-tomorrow/

Breaking into the security business
I have to say one of the most frequent questions I get from visitors to securityincite.com is how to get into the business. The same goes for my work with SearchSecurity. On one hand, given the skills shortage we face in the security business, it's perplexing to me that folks are having a hard time breaking in. But then I remember that most HR departments don't think, they just do keyword searches to find lame candidates on Monster. Let me point you to a new blog called Security Wannabe, which goes into some of these career management issues. If you don't have any relevant experience, then get some. Start volunteering with local organizations that need help configuring their security. Do some pen tests on your friends. Learn the vernacular, maybe take a few courses and get a certification. And if you want to specialize, learn a bit about application security. That's the future of this business and we need all the hands we can get.
http://securitywannabe.com/blog/2008/03/13/breaking-into-the-it-security-industry-for-fun-and-profit/