The Daily Incite - September 29, 2008

Submitted by Mike Rothman on Mon, 2008-09-29 07:24.
Today's Daily Incite

September 29, 2008 - Volume 3, #79

Good Morning:
It doesn't seem to be common knowledge, but we are in the midst of a gas shortage in northern ATL. I suspect it's all over the metro Atlanta area, but I can only speak for the 10 mile radius I scoured on Friday trying to get gas for my car. I must have passed 15 different stations that had no gas before I got lucky. A friend called with a tip on a station that just got a delivery and had gas. So I dutifully waited in line for about 40 minutes and filled up. Thanks to the iPhone, I could still be reasonably productive - but still, that's 40 minutes I'll never get back.
No Gas for U
We also got lucky last week when the Boss went to go fill up the van. She dropped the kids off at school and only had to wait 10 minutes at a local shop. I just drove by that specific station and the line is around the corner to get into both entrances. It's basically a mess.

Of course, it's great when the government is very supportive of the plight of the citizens. Our own esteemed Gov. Perdue thinks the shortage is "self-induced." Evidently he hasn't tried to fill up recently. It doesn't seem easy to govern with your head up your ass, but I guess he's trying.

I was talking to my Mom over the weekend and we talked about the 1973 gas crisis. Obviously I was very young, but I still remember Mom loading my brother and me into the Volvo station wagon at 5 AM to go wait in line to fill up. I guess those were scary times, but 5 year olds don't really understand that. I guess what goes around, comes around and here in the ATL it's coming around.

Tight supplies are being caused by the fallout from Hurricane Ike. Evidently a significant portion of refining capacity is still offline or ramping back up slowly. It reminds me that we are still very very dependent on fossil fuels to drive the economy. And as those fuels wane or become more expensive or are increasingly controlled by unfriendly parties - our economy is at risk. Sure we've got to work through this mortgage mess on Wall Street. But energy is clearly the biggest issue we (as a global community) face over the next 10 years.

We are doing our part by not doing unnecessary driving this week until supplies loosen up. Even though I don't need a new car, I'm seriously thinking about putting my name on a waiting list for a hybrid. Maybe this time I'll actually do it. And as soon as they come out with a hybrid van, we are there. Sure it's a bit more money up front and the direct payback in terms of dollars is a bit suspect. But it's hard to put a price on the heartburn we suffer from driving around on E, hoping the next service station has fuel (and you won't have to wait in line for a couple of hours) before we run out of gas and have to walk home.

And before I forget, Happy Birthday to my kid brother. His birthday was over the weekend. We had a lot of fun hanging out with the kids running around and creating havoc. As tough as things are, you've got to take the time to celebrate the good times. And to step back and enjoy the ride a bit. Sometimes it's hard, but you need to make a specific effort to make it happen.

Have a great day and I should be back on Wednesday, since tomorrow is a holiday for me. L'Shana Tova to all observing tomorrow.

Photo: "No Gasoline" originally uploaded by eschipul


Top Security News

And in this corner the white list...
So what? - Larry Seltzer takes in a video interview of Mark Russinovich (yes, the Sony rootkit guy and one of the big brains pushing Microsoft's security strategy) and questions the viability of white lists. To paraphrase Larry, white lists are cool if you can shove a policy down a user's throat (like most corporates can), but they are useless for consumers. To be fair, Larry does say he hopes he's wrong because he buys into the concept of executing only authorized applications. Amazingly enough (especially if you ask the Boss), this situation isn't black and white. The reality is there is a continuum and we need to understand that. Even in the corporate world, there need to be gradations of lock-down, which treat different groups differently. Since the finance team is dealing with very important data, their devices should be locked down tighter than some other group. Same goes for consumers. They should have options to incrementally enforce greater levels of lockdown. You can sort of do that through different browser configuration and parental controls, but it's hard and requires a lot of pieces, and any savvy kid is going to be able to get around it. There is definitely a place for white lists in your security arsenal, but you need to make a choice as to how strictly you enforce them (and subsequently how much clean up you are willing to do).
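As an added illustration of the gradations argued for above (not code from the post, from Microsoft, or from any product mentioned here): a hash-based application allowlist where each group gets its own enforcement tier, so finance is locked down hard while a less sensitive group only gets prompted or logged. The group names, trusted publisher, binaries and hashes are constructed for the example.

```python
"""Application allowlist with per-group enforcement tiers.

Added illustration for The Daily Incite, not code from the post or from any
product it mentions. Groups, publishers, binaries and hashes are constructed.
"""
import hashlib
from dataclasses import dataclass
from typing import Optional, Tuple

# Enforcement tiers, loosest to tightest. The tighter the tier, the less
# cleanup from malware, but the more help-desk traffic from blocked apps.
AUDIT = "audit"      # unknown binaries run, but are logged
PROMPT = "prompt"    # unknown binaries need an approval before they run
ENFORCE = "enforce"  # unknown binaries are blocked outright

# Constructed per-group policy: finance handles the sensitive data, so it is
# locked down tightest; guests are only observed.
GROUP_POLICY = {
    "finance": {"tier": ENFORCE, "trusted_publishers": set()},
    "engineering": {"tier": PROMPT, "trusted_publishers": {"Example Corp IT"}},
    "guest": {"tier": AUDIT, "trusted_publishers": set()},
}


@dataclass(frozen=True)
class Binary:
    path: str
    content: bytes
    publisher: Optional[str] = None  # code-signing publisher, if signed


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# The allowlist proper: content hash -> human-readable name. Constructed
# stand-ins for real executables; a real list would be built from the
# golden image plus an approval workflow.
APPROVED_HASHES = {
    sha256(b"excel-binary-v14"): "Excel 14",
    sha256(b"browser-v3.0.1"): "Browser 3.0.1",
}


def decide(group: str, binary: Binary) -> Tuple[str, str]:
    """Return (verdict, reason); verdict is 'allow', 'prompt' or 'block'.

    Order of checks: exact hash match wins, then a trusted publisher for
    groups that have one, then the group's tier decides what happens to an
    unknown binary. An unknown group fails closed.
    """
    policy = GROUP_POLICY.get(group)
    if policy is None:
        return "block", f"no policy for group {group!r}; failing closed"

    digest = sha256(binary.content)
    if digest in APPROVED_HASHES:
        return "allow", f"hash match: {APPROVED_HASHES[digest]}"
    if binary.publisher and binary.publisher in policy["trusted_publishers"]:
        return "allow", f"trusted publisher: {binary.publisher}"

    tier = policy["tier"]
    if tier == ENFORCE:
        return "block", "unknown binary; group is in enforce mode"
    if tier == PROMPT:
        return "prompt", "unknown binary; approval required"
    return "allow", "unknown binary; audit mode, logged only"


def cleanup_load(group: str, binaries) -> dict:
    """Count verdicts for a batch of binaries: a rough measure of how much
    follow-up (blocked apps, approval requests) a tier costs a group."""
    counts = {"allow": 0, "prompt": 0, "block": 0}
    for b in binaries:
        counts[decide(group, b)[0]] += 1
    return counts


if __name__ == "__main__":
    sample = [
        Binary("C:/Office/excel.exe", b"excel-binary-v14"),
        Binary("C:/Tools/internal.exe", b"internal-tool", publisher="Example Corp IT"),
        Binary("C:/Downloads/setup.exe", b"something-from-the-web"),
    ]
    for group in GROUP_POLICY:
        print(group, cleanup_load(group, sample))
```

The same unknown download is blocked for finance, queued for approval in engineering and merely logged for guests; running the batch per group shows the trade-off the post describes, since the tightest tier produces the most blocked-app tickets.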

Who are you? What are you doing in my house?
So what? - I love those movies where the main character wakes up and is in a totally strange place, surrounded by "family" that he doesn't even know. Lots of silliness tends to ensue and then the person wakes up and realizes it's been a dream. They learn some heavy lesson and become a better person. You wonder if the folks at IBM look around what's left of ISS and wonder what the hell happened? Most of my contacts at ISS are gone. That's actually to be expected, since it takes a different kind of person to survive and thrive in a Big Blue culture. But what's more interesting is how two years after the deal, the ISS group is trying to become relevant again. Now they are making product announcements and talking about how security fits into IBM's overall strategy. Time flies when you are having fun, no? But two years of fun?!? That's what makes me chuckle about these big deals. How can any semblance of integration, which takes two years, be something to cheer about? IBM dropped $1.3 billion on the deal and as a result ISS has all but dropped off the radar. Of course, I'm sure they show up in a lot of deals that just go to IBM (and wouldn't be seen by a guy like me), but still. $1.3 Big is a lot to spend to wait around for a couple of years to figure out which end is up.

Microsoft rides a paper surfboard to the top of the Wave
So what? - The Forresters checked out a bunch of data sheets and decided Microsoft was "top of the NAC heap." Not sure if they used those words, but that's what Tim Greene says were the results of Forrester's NAC wave. That kind of finding is pretty laughable. There is no question that Microsoft will be a player and they will absolutely own the agent that checks desktop device integrity. But to think they've got something that is enterprise-ready is a bit strange to hear. Even better, they put in a disclaimer saying the study isn't based on "units sold or performance tests," but how well the products will "meet the challenges of a set of real-world deployment situations." At least Gartner's ability to execute rating is based largely on company revenues and product sales. So basically this was an RFP process. And Microsoft prepared the best response. Great. People that really buy products understand that a good RFP response gets you into the bake-off. That's when things like "performance tests" start to matter. That's why I find it ridiculous that vendors get judged on this qualitative crap. Ultimately customers only care about whether a product can solve their problem, not whether the vendor gives GOOD RFP. Smart customers understand these types of reports can maybe provide a little perspective on identifying the long list of vendors to chat with. But to base a buying decision on it is irresponsible.


The Laundry List

  1. Security budgets are still all over the map. Jim Reavis does a seriously unscientific poll and finds predicting budget impact to be a shot in the dark. I'm still standing by my thinking that the next 18 months will be bumpy - even for security folks. - Risk Bloggers
  2. I'd say Fortinet breaks out the wallet again, but it's likely a change purse. They acquire Secure Elements and become firmly established as the first guys to call in a fire sale. - Secure Elements release
  3. Astaro tries to out-barracuda Barracuda with a $499 email security appliance, which includes encryption. Keep a lookout for their new billboard and radio campaigns. Maybe they can get Astro from the Jetsons to be their corporate spokes-dog. - Astaro release
  4. John Sawyer reminds us that Fort Knox isn't secure, if you leave the door open through a faulty configuration. Same goes for firewalls. - Dark Reading blog

Top Blog Postings

Vulnerability <> Risk
Let's focus on PCI a bit, since within a week DSS 1.2 will be "live" and of course, anyone who wants to do credit card business must comply. Rich talks a bit here about what's required to perform a real "scan" that the auditors will accept. Many IPS devices will actually block a number of the scan techniques, which may force the customer to open ports and/or turn off their IPS to let the scan run. Let's get back to the idiocy of counting vulnerabilities. A vulnerability is only important IF it can be EXPLOITED. If the IPS is going to block it, then who cares? What am I missing here? Let's say the vuln could be exploited by launching the attack from inside the network (and then presumably avoiding the IPS). Great, then the scanner should be able to run from the inside of the network to mimic real-life attack vectors. What is so hard about this? Turning off your defenses to complete a test and check a box for an audit is just plain dumb. And an assessor that pushes a customer to do this is bordering on negligent. Hopefully the PCI group's emerging quality assurance efforts will make sure this kind of stuff doesn't happen.
http://securosis.com/2008/09/19/how-to-tell-if-your-pci-scanning-vendor-is-dangerous/
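As an added illustration of the point above (not code from the post or from Securosis, and not output from any real scanner): instead of turning the IPS off, keep the external scan that ran through the IPS and run a second scan from inside the network, then reconcile the two. A finding that only the internal scan sees is one the IPS blocks from outside but that is still exploitable from an internal foothold, which is exactly what belongs in the record handed to the assessor. Host addresses, vulnerability identifiers and severities are constructed.

```python
"""Reconcile an external scan (run through the IPS) with an internal scan.

Added illustration for The Daily Incite, not code from the post, from
Securosis, or from any scanner. Findings below are constructed sample data
in a simplified shape, not real scanner output.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple


@dataclass(frozen=True)
class Finding:
    host: str
    port: int
    vuln_id: str   # constructed identifier, not a real advisory number
    severity: int  # 1 (low) .. 5 (critical)


# Constructed results. The external scan went through the IPS, which dropped
# the SMB probes, so only the TLS finding survived. The internal scan, run
# from a host on the same network, sees both.
EXTERNAL_SCAN = [
    Finding("10.0.0.5", 443, "TLS-OLD-PROTO", 3),
]
INTERNAL_SCAN = [
    Finding("10.0.0.5", 443, "TLS-OLD-PROTO", 3),
    Finding("10.0.0.5", 445, "SMB-SIGNING-OFF", 4),
]

STATUS_NOTE = {
    "exposed-externally": "reachable through the IPS; remediate first",
    "internal-only": ("IPS blocks the probe from outside (compensating control), "
                      "but exploitable from an internal foothold; still remediate"),
    "external-only": ("not seen from inside; check the internal scan's scope and "
                      "credentials before trusting this"),
}


def _key(f: Finding) -> Tuple[str, int, str]:
    return (f.host, f.port, f.vuln_id)


def reconcile(external: Iterable[Finding],
              internal: Iterable[Finding]) -> List[Tuple[Finding, str]]:
    """Pair every finding from either scan with an exposure status."""
    ext: Dict[Tuple[str, int, str], Finding] = {_key(f): f for f in external}
    intr: Dict[Tuple[str, int, str], Finding] = {_key(f): f for f in internal}
    rows = []
    for k in sorted(set(ext) | set(intr)):
        finding = ext.get(k) or intr[k]
        if k in ext and k in intr:
            status = "exposed-externally"
        elif k in intr:
            status = "internal-only"
        else:
            status = "external-only"
        rows.append((finding, status))
    return rows


def worklist(rows: List[Tuple[Finding, str]]) -> List[Tuple[str, str, int, str, str]]:
    """Order findings for remediation: external exposure first, then severity.

    Each row carries the note the assessor should see in the
    'countermeasures implemented' column, so the IPS never has to be
    switched off to produce a clean record.
    """
    rank = {"exposed-externally": 0, "external-only": 1, "internal-only": 2}
    ordered = sorted(rows, key=lambda r: (rank[r[1]], -r[0].severity))
    return [(f"{f.host}:{f.port}", f.vuln_id, f.severity, status, STATUS_NOTE[status])
            for f, status in ordered]


if __name__ == "__main__":
    for row in worklist(reconcile(EXTERNAL_SCAN, INTERNAL_SCAN)):
        print(*row, sep=" | ")
```

The ordering puts what the IPS does not protect at the top; the "internal-only" rows are the ones a vuln-count exercise would miss entirely if the scanner only ever runs from outside, and the ones an assessor would never need the IPS disabled to learn about.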

Do as I say or do as I want?
Remaining on the PCI topic, Anton brings up a great point about how prescriptive something like PCI (and every other regulation) can/should be. Ultimately the choice is between telling someone exactly what to do, even though that may not be relevant for their environment (like AV on Linux), or saying you need to "protect private data" without offering specifics as to what that means and leaving it up to the customer to screw it up. It's a tough call, but over the past 10 years we've shown that just focusing on the outcome desired (as HIPAA, GLBA, and SOX do) is not a recipe for success. Not by a long shot. Of course, PCI is a bit overbearing and it's getting more so every time they have a meeting, but I'd have to say on balance - having more detailed guidance has been much more useful than not. At least folks know which boxes they should be checking.
http://chuvakin.blogspot.com/2008/09/is-pci-dss-prescriptive.html

That's right, no one wants to buy encryption
I'm not sure what they are saying most of the time, but the Voltage blog certainly does post a lot of stuff. Yet this post resonated with me because it's reflecting a lot of the anecdotal evidence I've been tracking for a while. No one cares about encryption. It's not that they don't want to protect their data - they do. But they don't really want to delve into the details of how it happens. They want it "built-in." If they look at a SaaS offering, they want it to be secure, their data encrypted and they don't want to worry about it. When they buy applications or have an integrator build them, security should be a feature. Maybe it's encryption, maybe it's not. The customer shouldn't really care. If full disk encryption is important for mobile employees (and it is), they want it built into the endpoint suite. Again, they don't want to worry about it or manage it. Looks like Jim Bidzos had it right all those years ago. Encryption is a tool kit, design-win type of business. The success is based upon having more folks build the encryption into their solutions, rather than getting customers to bolt it on after the fact. Transparency is still in vogue, especially when thinking about encryption.
http://superconductor.voltage.com/2008/09/whats-going-on.html

Submitted by Michael Dickey (not verified) on Tue, 2008-09-30 07:24.

RE: Vulnerability <> Risk

Mike, I think ultimately you are correct that a vuln is only interesting if it can be exploited. However, just two points.

First, it is still difficult to know when a vuln will actually be exploited. Sure, it might be an internal machine with only ports 80/443 open and needs port 445/139 open to pop. But what if the server next to it gets popped? This then opens up the original server in question unless host-based firewalls are properly maintained (I'd argue they rarely are). Even so, ports 445/139 need to be open to at least a domain controller...

Second, an IPS is only useful if it can sit between the traffic. This is great when it sits where a firewall typically sits, at a chokepoint between two networks of differing trust. However, with systems on the same network, an IPS is pretty ineffective. Fine, I'll grant that you could span all the traffic to it so you can generate alerts, but it then won't be able to stop anything because it's only getting a copy, and likely later than what the servers get when talking to each other.

So, I think your point ultimately has merit, but that's assuming a lot of effective security, which might not be the point to our roles in the network. :) I think a scan both with protections on and without protections has value, especially when commenting in the "countermeasures implemented" box for those items. But I still wouldn't want to be unaware of those vulns hiding beneath the surface.

Submitted by Rob Lewis (not verified) on Tue, 2008-09-30 10:03.

Mike, you are very correct that there needs to be a gradation of lockdowns. However, there is a continuum of relative trust within, as well as between groups. Those at the top of the chart within a user group are usually trusted with more sensitive docs than a clerk 1. What is more, how can one manage secure data hand-offs between groups, which also may be asymmetrical?

That is something we do by the way. Trustifier offers 127 levels of gradation within and between groups. That allows a lot of flexibility for sub-groups in and between management and functional staffing groups, and allows for the ranking of devices as well as users/roles.


Submitted by Todd (not verified) on Tue, 2008-09-30 12:38.

Mike,

Did you read the actual Forrester report or just the article in Network World? I don't know where those disclaimers came from.

Page 2: "Forrester conducted product evaluations in May 2008 and interviewed 30 vendor and user companies"

The Forrester evaluation clearly was not an RFP:

Page 4: "Current offering. We evaluated each vendor’s NAC solution across overall product architecture, access control architecture, enforcement architecture, policy architecture, scalability, manageability, managed and unmanaged systems, compliance, and the strength of the solution, against 12 scenarios based on client conversations.
· Strategy. We evaluated each vendor’s NAC strategy across product strategy/vision, product support, corporate strategy, and the financial resources to support the strategy.
· Market presence. We evaluated each vendor’s presence in the NAC market through its installed base, revenue, revenue growth, services, number of employees, and number and quality of channel partners."

How is that different from Gartner? Sure, I doubt they hauled products into a lab but few analysts do. It looks to me like they covered all the other bases for large enterprise NAC products shipping in Q2.

Submitted by Mike Rothman on Tue, 2008-09-30 14:27.

Amazingly enough, Forrester doesn't have me on their distribution list, so I didn't read the actual report. I find it hard to believe that Forrester set up these products and ran them in any kind of technical environment. I'm willing to bet they "evaluated" these products based upon a survey, which is just another form of RFP.

The point about Gartner is that they at least have some provisions for market share and revenue heft. Yet I've also come down on them before because of the same reasons. I don't do quadrants or any other type of vendor rankings because I don't believe there is much value there.

I understand it's the way the game is played, but that doesn't mean it's right.


Submitted by Network Guy (not verified) on Tue, 2008-09-30 21:44.

Mike,

I've read the Forrester Wave NAC report, Gartner's "MarketScope" on NAC, and other analyst reports. I don't get the impression any of them are suggesting you go out and buy a vendor's product based on reading their analysis alone. I look at these as good sources of comparative information when researching a technology or market to help determine who the 'players' are who may deserve a closer look.

True, the Forresters and Gartners out there don't typically test products in labs, so I don't expect that type of insight or analysis from them.

You seem to have a bias toward lab tests versus the "qualitative crap" (your words, not mine) from the analysts. Tests are valuable too, but they're just another source of information to maybe help narrow the list of vendors a bit.

Consider this though - several now-defunct NAC vendors managed to score impressive-sounding reviews at one point from some of the folks that do actually test products. Where are those award-winning products now? In the scrap heap - and customers were left holding the bag.

Why? Possibly because some of the "qualitative crap" wasn't taken into consideration, like... Does this vendor have a sustainable business model? Do they have a sound strategy and a strong roadmap for moving forward? Have they been burning cash for years but making no forward progress? Do they have the financial resources to keep the doors open? You know, crap like that.


Submitted by Mike Rothman on Wed, 2008-10-01 15:08.

Au contraire, I'm a big fan of the qualitative analysis. And Forrester (and Gartner) for their part don't tell customers to buy off their "short lists." But many customers are lazy, so they take a lot of these reports at face value. I don't think analysts should be doing lab tests. BUT I DO THINK CUSTOMERS SHOULD.

That's my point. I fear a lot of customers will look at NAP and figure they've got a winner because the report says so. And from what I've seen, they'll be disappointed. Yes, that is based on anecdotes, but it's about as scientific as the Forrester report.

I've been an analyst for a long, long time. I know how to play the game. And there is value in a wave and a MQ, when used within the proper context. If your scenario and use cases match up to the analyst's, then it's fine.

But way too many customers use these reports in lieu of doing their homework. That's what I'm trying to get people to avoid.


Submitted by Network Guy (not verified) on Wed, 2008-10-01 19:21.
Good clarifications, Mike. We're more or less on the same page. Customers must do their own homework. No short cuts. No free lunch. 3rd-party studies, reports, tests are fine and good to use for guidance and information gathering, but not to base the purchase decision on. As a consumer, I like seeing what Road & Track or Car and Driver write up about the new BMW M3, but I'm sure not going to plunk down $60-$70K before taking one out for a ride myself! (Hey, I can dream...)
Submitted by Todd (not verified) on Tue, 2008-09-30 16:17.

I don't expect Forrester (or Gartner) to run products in a lab. Joel Snyder is plenty good at that. None of the analyst firms I'm familiar with test products. Like you said, that's probably just the way the game is played. I also imagine analyst reports would get a lot more expensive if they included extensive testing.

What analysts do have is the ability to reach lots of end users, consider the market from the 50,000 ft level and provide some perspective which isn't just vendor hype. In that respect, I think Forrester wrote a reasonable report and it's worth reading. As far as I can see they clearly identified the leading large enterprise NAC vendors.

Certainly if I was in IT at a large enterprise and considering NAC, this report might save me a lot of research, especially the vendor comparison spreadsheet provided which you can customize.

I'm interested to know what other approaches you would take Mike?


Submitted by alan shimel (not verified) on Tue, 2008-09-30 23:51.
Guys, I did read the whole report and did participate. I can tell you that this report was based upon what vendors told the Forrester folks. What checking did they do to see if it was in fact real and not just smoke? Regardless of how StillSecure did in this, asking vendors for references is like asking your Mom if she thinks you are good looking. I think Mike is dead on here.
