The Daily Incite - September 4, 2007

Submitted by Mike Rothman on Tue, 2007-09-04 08:45.
Today's Daily Incite

September 4, 2007 - Volume 2, #128

Good Morning:
I'm not a big fan of doing the same thing twice. It seems the most frequent words I say are "what did I just say?" My kids seem to need a bit of repetition, as most kids do, but it still makes me crazy. So the idea of having to fix something that I didn't do right the first time just makes me nuts.

Over the holiday weekend I took some time to work through the Honey-Do list that the Boss has been stockpiling for a while. The twins' B-day party is next weekend and we are having a ton of family come into town, so there was some urgency to get the things on the list done. First and second were fix the towel and toilet paper holders in the kids' bathrooms. Didn't I already do that? What could have happened, so I'd have to rehang a towel ring? Oh yeah, my kids hang on the things, so upon inspection it wasn't surprising that the crappy drywall anchors (the winged plastic crappy anchors) I used didn't hold up. The threaded drywall anchors didn't hold up much better and pretty much shredded the drywall. Fun fun.

So out came the old reliable toggle bolts and the drill. I feel pretty good that the towel ring will give out before the bolts now. I should have used the toggle bolts in the first place. But it was easier to use the crappy anchors bundled with the pieces. It all gets back to using the right tools for the job. I tend to be somewhat creative and very lazy, so I'll rack my brain for 30 minutes trying to figure out how to pry open a paint can with a butter knife, rather than walk downstairs and get the paint tool. But the end result is pretty much always the same. The butter knife is shredded, the paint can is not open, and I'm 30 minutes behind.

The same lessons apply to security as well. A lot of us tend to be fairly creative and there is definitely a time and place for creativity. But trying to get an old firewall to do deep packet inspection and detect Layer 7 attacks? It's not going to happen folks. So use the right tool for the job. Unless you can get neither the money nor the resources, and then you get to improvise. But don't be surprised when they tear the anchors right out of the wall and you get to spend a Saturday doing the same job over again.

Have a great day.


The Pragmatic CSO

The Pragmatic CSO:
Available Now!

Read the Intro and Get
"5 Tips to be a Better CSO"
www.pragmaticcso.com

Top Security News

Today's history lesson
So what? - I'm not that much of a history buff. I guess it's because I spend my time looking forward and live in a world of what's to be, not what has already been. That being said, I'm also respectful of the fact that the things we experience today likely originated from what happened yesterday. There are very very very few original ideas, but rather different takes on stuff we've already seen. As I've gotten older, I've gained a perspective not from studying history (which I still don't like to do), but by actually having been around long enough to remember experiencing it the first time. That's pretty scary. So when I see articles like this AP piece which talks about the 25th anniversary of the first "virus," I thought it would provide a good background for many of you security newbies to gain some history about our business. Just because I've been doing this for a long time certainly doesn't mean I know much of anything. I always figured the first virus was the Morris worm, since I was at Cornell when it happened - I remember what big news it was. You need to learn something new every day - so now I can go to sleep, since my work is done.

Chatting up NAC
So what? - I've certainly had my differences with Joel Snyder, but the reality is that he is very deep on the technology and certainly has his share of opinions. I also understand that sooner or later I tend to have differences of opinion with pretty much everyone. Joel recently exercised his fingers a bit and did a chat for NetworkWorld about NAC. There is some interesting stuff in here, and Joel pinpoints a common frustration that I have with NAC as well. It's the lack of standard definitions and context for what NAC is supposed to do. Note that I didn't say STANDARDS, I don't give a rat's ass about NAC standards. But the lack of standard definitions is stunting this market. Too many customers are too confused. And now Cisco is blending its 2 NAC flavors together into something called OneNAC? Yeah, that'll clarify things. Enough VC money is being thrown around to gradually educate the market, but it's frustrating that everyone is still trying to jump on the hype train, since when that happens everyone loses.

The Laundry List

  1. Secure workstations, driven by virtualization, coming to the NSA soon. Hoff has a good write-up about the impact of this type of "virtual everything" approach. - VMWare release

Top Blog Postings

Does a web site cert mean anything?
I'm actually pretty proud that the Boss thinks security first. She does a decent amount of shopping online and is very wary of some of the random sites she comes across. Where else are you going to find that 8-year-old Disney night light for $3? Of course, it costs $20 to ship it, but that's another story for another day. When we sat down over the weekend for a few minutes, she wanted me to check out a web site to make sure it was "secure." She had printed out the product page from the site and specifically pointed me to the Hacker Safe certificate proudly displayed on the page. She asked what the hell that was and did that mean it was really "safe" from hackers? I, of course, went into a 15 minute dissertation about scanning and application layer attacks and the like, when I really should have just said, "Nope. That cert isn't really worth much." The Mogull does a much better job of explaining why. Now to be clear, having any of those certificates isn't a bad thing, but it doesn't mean the web site is secure. It means they are willing to pay at least lip service to security. And sometimes that's better than nothing, but only marginally.
http://securosis.com/2007/09/03/certified-site-hacked-no-compliance-checklist-or-certification-can-ever-make-you-totally-secure/

What about that CISSP?
Interesting debate on CISSP sparked up last week and continued this AM. Personally I've never been really impressed with the CISSP or any of the certifications. If you want to get from point A to point B and have no way to get there, then maybe a set of letters behind your name will help. I think my Dad still wants me to go get my MBA, but it isn't going to happen. Does a CISSP convince me you know anything about security? Of course not. Martin points out that the CISSP is more of a management certificate because no one can be truly technically deep on all the topics covered by the CISSP. That may be right, but I can tell you that a lot of the CISSPs I know don't know a damn thing about management. They are the ones I wrote the Pragmatic CSO for. They don't teach you about politics or business or getting things done by whatever means necessary in the CISSP training courses, do they? As Dan Miessler points out as well, security people need to have a technical grounding - at least a bit of one. He's right. I am seeing a lot of CSOs come from other parts of the business and that's a good thing. They know how to get things done within the organization and presumably have great relationships with the folks that write the checks. But eventually they'll need to understand general security topics, if only to know when their directors and managers are trying to pull one over on him/her. That doesn't mean your CSO needs to go to FW-1 class, but they need to understand security architecture.
http://www.mckeay.net/secure/2007/08/repeat_after_me_the_cissp_is_n.html

How about "Yes, but!"
Shostack makes a great point on the Borg's SDL blog about the dangers of praying to the security Gods, as opposed to making sure the folks that pay the bills are happy. Security is all about trade-offs. Let me say that again because it's a very important point. Security is ALL ABOUT TRADE-OFFS. The most secure device is one that is disconnected from the network and powered down. But that device isn't too productive, now is it? So Adam's point about having a context to make more informed decisions about security is right on the money. Developers can and should do that via an SDL-based process. Other disciplines of security need to find other ways to tell their stories and make the trade-offs clear to the folks that ultimately make the decisions. Remember, our job is to protect the assets of the organization - but not at the cost of doing nothing. So every time you want to just say NO and make the problem go away, try to figure out how you can rephrase your answer as "Yes, but..." It will work wonders for your perception within the organization and your security career longevity.
http://blogs.msdn.com/sdl/archive/2007/08/30/dr-no-and-risk-management.aspx
