Mike Rothman's blog

The Daily Incite - 2/11/09 - Rope a Dope

Submitted by Mike Rothman on Wed, 2009-02-11 07:15.
Today's Daily Incite

February 11, 2009 - Volume 4, #15

Good Morning:
Let's talk a bit today about role models. Of course, the issues with Michael Phelps have been picked over like road kill by the media vultures over the past few weeks. I'm still scratching my head. So the kid took a bong hit. Big deal. We forget he's a kid and kids experiment. Sure it was bad judgment, but who, as a 23-year-old, didn't do stupid things?

And now those ass hats in South Carolina are threatening to prosecute him. Give me a break. Though it was good press for the SC Attorney General, which I guess was really the point. Maybe that's how he levitated that fighter...

I understand some of you probably differ with me on this (and I'm sure I'll hear about it in the comments). Security folks are pretty straight-laced folks. Unless we're drinking, that is. Yes, possessing dope is against the law. And being a law-abiding citizen, I choose not to partake in those behaviors. Plus my lungs are pretty crappy, so I can't breathe too well if I do any kind of inhaling activities. And I lost my "connections" when I moved South. :-)

Besides Phelps, there have been a bunch of "scandals" of late regarding folks some consider "role models." You have Barkley drunk driving, running stop signs to get closer to his happy ending. You have A-Rod coming clean about juicing. You have movie stars taking inappropriate pictures of each other and having those leak onto the Internet. It never ends, and I think it's reflective of the folks we choose to hold up on a pedestal.

Sports and entertainment is a business. A very big business. Yet, the people that are "stars" are human and they make mistakes and they have human urges and in some cases they will do anything to get any kind of advantage. A-Rod makes $27 MILLION a year. You bet he's going to do whatever he can to justify that kind of money. Maybe he's stopped juicing, maybe he's just better at concealing it.

It's only cheating if you get an unfair advantage. Do you really think everyone else isn't doing the same thing?

It's like politicians. They are pretty much all "dirty," but only a few actually get caught. And it gets back to providing alternative role models for our kids. I'll be the first to say that I've got a lot of work to do before I'm a sufficient role model for my kids. And right now, they are young enough that their role models are fictional characters like Luke Skywalker, Yoda (though not the Yoda in the picture) and Obi-Wan.

For now, I'm fine with that. It's been a while since a fictional character has ended up as Page Six fodder in the Post. And by then, who knows - maybe I'll be able to step up and move into that role model role. It's something to shoot for anyway.

Have a great day. And may the Force give you a good high...

Photo: "Yoda Bong" originally uploaded by MadVinyl

The Pragmatic CSO

The Pragmatic CSO:
Available Now!

Read the Intro and Get
"5 Tips to be a Better CSO"

www.pragmaticcso.com

Incite 4 U

Each morning I face a decision. Do I have an apple or a plate of grapes? Actually it's whether I do a commentary piece or just cover a bunch of news items. It seems my pal Shimmy has voted for the news. Yet it seems 30%+ more of you choose to read the commentary. According to my web stats anyway. The answer is actually both. Sometimes I have to get things off my chest (like yesterday's FUD piece), so I do. And at least now I know what I'll be for Halloween this year. A few dog yummies to anyone that can design a cool "FUD whore" costume.

  1. Keeping models on the runway - The Tao Master reminds us of the folly of models in this post, which links to a pretty good piece in the Economist, as well as some older posts from Richard himself. If we could only get the bean counters to understand that risk models don't really equate to risk. Unfortunately there are a lot of practitioners who fall for it as well. That's where we security folks (and Wall Street) get into trouble. If we believe we've mapped out all the risk and quantified it, then we get sloppy. And historically we've been wrong.
  2. It's that data thing again - Collaboration and security are like magnets with like polarity. It's just hard to get them anywhere near each other. And however hard you push them together, they still repel each other. Data wants to be open and free. Security requires that it isn't, and SharePoint is getting a lot of press nowadays because it's hard to secure. Really? That's shocking to hear. And it has little to do with the tool itself (OK, maybe a little), rather how we use the tool and balance the user experience, which demands access to the information. What to do? Like everything else, try to monitor who is accessing what, and when, and look for anomalies. And pray. Sometimes that works too.
  3. It can't be that easy - Unfortunately sometimes it is. I'm not a fan of linking to anonymous posts, so I'll let Rob Graham at Errata do my dirty work for me in his analysis of the PHPBB.com hack. It's fascinating to see how the legacy came back to bite those folks. They did the right thing(s) and made the password system strong, but they didn't require existing users to go back and reset their passwords. And they paid for it. Rob did a bunch of analysis on the passwords as well. I guess we'll still need to continue learning (the hard way) about the dangers of letting users keep weak credentials.
  4. Measuring awareness - Speaking of security awareness (like not using weak passwords), whether someone has a clue tends to be fairly binary. They either get it (1) or they don't (0). Since most fall into the less-than-1 camp, we continue to try to teach them right from wrong. Getting back into the archives a bit, I found this post on the Security Catalyst site about "measuring awareness." Julie talks about three ways, but unfortunately I only count one in the post. It's a decent one, though: count the number of folks that have been taught. I also favor simple surveys to gauge the collective clue of the employee base. Finally, I think simple metrics like WHETHER YOU'VE BEEN HACKED due to some stupid user error are also pretty decent ways to measure the awareness of your minions.
  5. Now that's a chick you don't mess with - It seems Alan's wife Bonnie has a lot of pull over at StillSecure. Evidently she got sick of Alan being around the house (go figure!), so she made them get him an office in South Florida to park him in. Turns out that office space came with an MSSP, so now Alan gets to wax poetic and philosophical about all things MSSP-like. I'm sure the NAC beat reporters are breathing a sigh of relief. I've been calling for consolidation in the MSSP business for a long time (and it's happened), but this isn't really what I had in mind. Not that there isn't a big and growing need for MSSP services, rather it's REALLY hard to have a services engine exist successfully within a software company. The metrics, models and mindsets are TOTALLY different. Well, I wish my friend good luck in integrating and making the deal accretive; he's got his work cut out for him...
  6. It's hard even for a big company - Speaking of service entities residing within a software company, McAfee recently restructured some of the operational groups and separated out the SaaS activities into its own business unit. Clearly, given the limited traction of Little Red's service offerings to date, this is a positive move. It also allows the unit to drive different sales models and go-to-market strategies, and that is critical. Selling and delivering services is very, very different than selling and shipping software. Remember the 3Ms: metrics, models and mindsets. But that won't make it easy. The new head of services, Marc Olesen, has his work cut out for him as well.
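The PHPBB.com item above is a lesson in what to do with the legacy hashes when you upgrade a password system. The following is an added example, not code from this post or from phpBB: it assumes (as a constructed scenario, not a fact about phpBB.com) that the old store kept unsalted MD5 digests, upgrades each account to salted PBKDF2 the next time that user logs in (the only moment the plaintext is available), and, after a cutoff date, refuses to accept a legacy hash at all, so that dormant accounts with weak credentials are forced through a reset rather than left in place indefinitely. The `login` and `make_users` helpers are hypothetical names chosen for this example.

```python
"""Added example: migrating a user base off a legacy password hash scheme
without letting dormant accounts keep weak credentials forever.

Constructed assumptions (not facts about phpBB.com or any real site):
  - the legacy store kept unsalted MD5 hex digests, tagged "md5$";
  - the new scheme is salted PBKDF2-HMAC-SHA256 (hashlib), tagged "pbkdf2_sha256$";
  - legacy accounts not rehashed by CUTOFF must reset before they can log in.
"""
import hashlib
import hmac
import os
from datetime import date

PBKDF2_ITERATIONS = 200_000
CUTOFF = date(2009, 3, 1)  # constructed cutoff date for the forced reset


def hash_new(password, salt=None):
    """Salted PBKDF2 hash, self-describing so the verifier can parse it."""
    salt = salt or os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), dk.hex())


def verify_new(password, stored):
    _scheme, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def hash_legacy(password):
    """Weak legacy scheme; exists only to build the constructed fixtures."""
    return "md5$" + hashlib.md5(password.encode()).hexdigest()


def verify_legacy(password, stored):
    return hmac.compare_digest(stored, hash_legacy(password))


def make_users():
    """Constructed user table: one legacy account, one already migrated."""
    return {
        "alice": {"hash": hash_legacy("correct horse"), "legacy": True},
        "bob":   {"hash": hash_new("battery staple"), "legacy": False},
    }


def login(username, password, today, users):
    """Returns 'ok', 'rehashed', 'reset_required' or 'denied'."""
    rec = users.get(username)
    if rec is None:
        # Do a hash computation anyway so response time does not reveal
        # whether the username exists.
        verify_new(password, hash_new("dummy"))
        return "denied"
    if not rec["legacy"]:
        return "ok" if verify_new(password, rec["hash"]) else "denied"
    if today >= CUTOFF:
        # Past the deadline the legacy hash is not consulted at all, even if
        # the password would match: the account must go through a reset.
        return "reset_required"
    if not verify_legacy(password, rec["hash"]):
        return "denied"
    # Transparent upgrade: the plaintext is in hand, so rehash and drop MD5.
    rec["hash"] = hash_new(password)
    rec["legacy"] = False
    return "rehashed"


def legacy_accounts(users):
    """Accounts still on the weak scheme; the list to chase before CUTOFF."""
    return sorted(u for u, r in users.items() if r["legacy"])


if __name__ == "__main__":
    users = make_users()
    print("before:", legacy_accounts(users))
    print(login("alice", "correct horse", date(2009, 2, 11), users))
    print("after:", legacy_accounts(users))
```

The point of `legacy_accounts` is that the migration is only as good as its follow-through: anyone who never logs in before the cutoff is exactly the account whose old hash you cannot afford to keep honoring.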

No rest for the weary, so Hi Ho, Hi Ho it's off to work I go. I'll try not to be Grumpy dwarf today...


Selling Fear

Submitted by Mike Rothman on Tue, 2009-02-10 12:23.
Today's Daily Incite

February 10, 2009 - Volume 4, #14

Good Morning:
The reason we are all here is that over the past millions of years nature has adapted. As organisms, we have adapted as well. The things that didn't work got culled from the gene pool. Basically nature admitted it was wrong, adapted and survived.

Wrong. There is such a stigma to that word, but it's one of the most powerful words in the vocabulary. Because until you admit you are wrong, you cannot adapt and make yourself better. That's why I'm a big fan of wrong. The more times I'm wrong, the closer I am to being right.

Which is my constant rationalization for constantly screwing things up. As I discuss below (and in last week's Compliance is SO a Cost Center rant), there are times to be right and there are times to stay alive. Right now, for us security folks, it's about survival and that means we have to use tactics that may not make us feel great - but are probably the only chance we have.

Remember, you don't have to adapt. I think it was Deming that said, "It is not necessary to change. Survival is not mandatory." He was right.

Have a great day.



Selling Fear

Give me a "F." Give me a "U." Give me a "D." What does that spell? That's right, fear, uncertainty and doubt. FUD FUD FUD.

I guess I have cheerleading on the brain. My 5 year old daughter is a cheerleader and she has a competition this weekend. So I'll be hanging out with over 50,000 of my closest cheerleading buds waiting for the 2 minutes she gets to do her routine. That will be the best 2 minutes of the weekend, but the good old fashioned F U D cheer got me thinking about how we security folks can "sell" our projects and agenda.

I spent many years trying to paint security in a positive light. It streamlines your business. It helps you roll out new business processes with trading partners. It allows you to be more mobile. It's all a load of crap. It's really just insurance, and the insurance folks have a much longer history of trying to sell the benefits of their stuff. To make life insurance a "positive" thing.


Photo caption: This is your new security sales guy...

As anyone who's had to sit through a life insurance pitch knows, they do a pretty good job of convincing you some of the plans are really an "investment." They've had decades to refine their pitch. Yet, I wonder how many new Universal Life policies the insurance folks are selling nowadays.

I suspect it's not many, because when everyone is tightening their belt, one of the last things on the list is an "investment" in some insurance policy that will grow over time. So has the life insurance business gone away?

I don't think so. I know most insurance brokers have morphed into financial advisors and have more in their bag than just life insurance, but play along with me. If there are any stand-alone brokers left, I suspect many will need to go back to selling fear, though I don't know this for a fact and I'm sure all my insurance buddies will tell me what an idiot I am. 

That's what I would do (which is maybe why I pimp security management software and not life insurance). Why not remind the customer they could get hit by a bus? Of course, I hope not - but it could happen. So the customer can protect themselves for the least amount of money possible, which is likely a term life policy. Sure the assets are not growing, but most folks are more worried about making sure they have assets. 

Can you see the parallel with security? I sure hope so. So my good old FUD cheer can really be reduced to: Give me an "F!" Because uncertainty and doubt don't really come into play right now. It pains me to say it, but security projects need to be driven by fear right now. Maybe it's fear of a compliance "problem." Maybe it's fear of a data breach. Maybe it's fear of some time in Leavenworth. Maybe it's fear of bad press. In today's environment pretty much any kind of fear is going to be your friend. Embrace the fear. Love the fear. It could save your backside.

I know, this is making you sick. It's not why you got into security. You wanted to fight the bad guys. Not be a fear-mongering type. OK Brainiac, let's examine how we'd do it without fear. How about reducing staff through automation? I know a lot about that because that's what I do in my day job. It's not going to work because many staffs are already cut to the bone. I've had many conversations with folks, and reducing staff is not enough to get a project through anymore.

What about reducing risk? That's certainly something that every CEO and CIO is worried about. The words out of their mouths say they are worried about it, but economic turmoil increases an organization's tolerance for risk. It's all about resource allocation, and when the decision comes down to funding a security project (which DOES NOT add value to the organization) or a new product, new facility, or maybe not cutting a bunch of heads, the security project is going to lose.

Photo caption: Hello Mr. CEO...

That's why fear is maybe the only way to go nowadays. Get to know Ponemon's most recent data breach numbers. I can't believe I just said that, but it's all about living to fight another day. He says a breach costs $202 per lost record. I think those numbers could fertilize half of America, but your CEO and CIO don't know that. Use Heartland and TJX and Hannaford Brothers to make your points. Discuss the hundreds of millions it will take to clean up these messes. Talk about recent breaches. Put together a slide with breaches from just the last month and add up the numbers (at $202 per record, of course). Make the number at the bottom of the slide REALLY big. Ask your senior management how they look in orange (jumpsuits).

That's right, get your Chicken Little on. Fear is a tremendous motivator. This is what I mean about adapting to your environment because in this kind of economy, it may be the only motivator we have. So stop being so proud and do what you have to do. And then go home and take a scalding hot shower, knowing what you did was for the greater good. Which is to ensure you don't get thrown under the bus.

Photo credits: "three" originally uploaded by Hil; “The Grim Reaper” originally uploaded by helico 


Compliance is SO a Cost Center

Submitted by Mike Rothman on Thu, 2009-02-05 10:52.
Today's Daily Incite

February 5, 2009 - Volume 4, #13

Good Morning:
Another quick intro because I found such a "compelling" post on McAfee's blog that I just had to vent a bit. Enjoy.

Have a great day.



Compliance is SO a cost center

Holy crap, I thought the idea of positioning security and/or compliance as a "profit" center died along with the dreams of millions of Internet entrepreneurs during the .com implosion a few years ago. Evidently I was wrong. Check this out on McAfee's blog:

Is information security compliance a cost center?

No. Absolutely and unequivocally not. I am drawing the line in the sand. Business leaders need to understand there is no more need for proper security to justify itself over and over again. It saves you time and money (period).


OMG. I figured a big company like McAfee would have a drug testing policy, but evidently not. I want some of what this guy is on. But it gets better. Here are the justifications the author (Lawrence Pingree) offers for his position.

Normally I would excerpt an entire post, but this is too good to let it go. Check this out.

A compliance driven company GAINS these:

Business process improvements

    * Security streamlines and clearly defines roles and responsibilities making information flow more quickly through an organization
    * Security separates duties so decisions that occur are more accurate and accountable
    * Security provides checks and balances that reduce internal risks, thus saving costs
    * Security reduces business impacts of change
    * Security background checks eliminate the need to wade through candidates that cannot be trusted for sensitive positions saving on hiring costs.
    * … and much more

Technical Improvements

    * Firewalls clearly reduce un-needed load on the network saving bandwidth costs
    * Anti-Virus software has clear cut costs (that happen to be measurable) in saving response times from IT helpdesk personnel
    * Anti-Malware saves individuals and companies by reducing the threat of identity theft and having to disclose a breach
    * Data Loss Prevention software clearly enhances control of data for eDiscovery legal processes, managing information and backup/recovery of that data into single repositories not to mention enforcement of where that data goes (saving intellectual property)
    * Encryption clearly reduces costs by enabling collaboration with third parties (in fact it enables all businesses on the internet to do payment processing) something we sometimes forget.
    * Virtual Private Networks (VPN) enable remote access which means workers can work after hours or remotely while traveling (FOR FREE!)
    * Banks offer employees online access directly from work (the old days you had to leave work to go to the bank)
    * Risk & compliance means that systems are patched and maintained all in a similar fashion with similar configurations which leads to huge troubleshooting time saved since systems are less customized individually.
    * Customers are now able to interact with companies quicker and more efficiently than ever when these security controls have been put in place.
    * …and much more

Threat Reduction

    * Lower reporting costs for disclosure laws
    * No bad PR to respond to
    * Lower liability to your customers
    * Less outbreaks of worms/viruses (less system damage repair/replace)
    * … and much more!


Photo caption: Get me some of that crazy....

It's hard to know even where to start. My first comment would be that a "Compliance Driven Company" is the next Heartland or TJX. Listen, I've been trying to position security as a benefit and "revenue center" for the better part of my career. I'VE FAILED MISERABLY. And the rest of our industry has as well. Because of a very simple truth, which hurts my ego, but is absolutely true in the real world:

CEOs don't care about security or compliance. 

Period. They only care to the degree that they 1) end up in an orange jumpsuit, 2) end up on the front page of the Wall Street Journal. Other than that, they don't care.

And even better, they don't want to spend money on avoiding either of those cases because it's not going to happen to them. Seriously. They see the headlines, they ask some questions about whether they are "secure," the CSO lies to them, and they go back to their mahogany conference room and check on the sales numbers.

None of the points in the post is really false, but they are irrelevant. Most of that stuff is simple business common sense, but it's still like pulling teeth - especially in a down economy. For instance, "Security separates duties so decisions that occur are more accurate and accountable." That's actually false, because security doesn't separate duties. A business process (which is usually driven by Sarbanes-Oxley) may be defined to require separation of duties, but that requires more people. That costs more money, no? And there is no guarantee that the decisions will be either more accurate or accountable. It just means you have more cooks in the kitchen.

How about this one: "Anti-Malware saves individuals and companies by reducing the threat of identity theft and having to disclose a breach." Spoken like someone who works for an anti-malware company and hasn't really read the paper lately. Or even worse, actually believes the crap in the marketing slicks. The best way to reduce the threat of identity theft is to fire all your employees or take away their computers. And even if this were true, how does reducing identity theft make security less of a cost center?

Like I said, Little Red needs to check what's in this guy's water bottle. It ain't water. 

I could literally dismantle almost every statement in the post, but you get the picture. Folks like me have been trying to position security as revenue positive for a long time and it's not going to happen. So we sell using fear, uncertainty and doubt, and we try to convince the buyers (whether you work internally or for a vendor, it's all the same) that it's cheaper in the long run to do the right thing. But you never go in trying to position squishy security benefits. CEOs and CIOs will slice you into little pieces and feed you to the fish.

OK, off soapbox. And part of me appreciates Lawrence's idealism. But I've just seen too much through the years to believe this will really change. So, click the link, get your chuckle for the day and get back to work fighting the good fight to convince your senior executives to do the right thing and accept the reality that we ARE a cost center.

Photo credit: “crazy bus” originally uploaded by bunchofpants


The Daily Incite - 2/4/09 - Being Offensive

Submitted by Mike Rothman on Wed, 2009-02-04 09:15.
Today's Daily Incite

February 4, 2009 - Volume 4, #12

Good Morning:
So I've been in a bit of a funk, to be honest. I usually get that way in early February. It has nothing to do with the weather or the colds and viruses that seem to be going around. It's because football is over, and no, the Pro Bowl doesn't count. So I'm faced with the prospect of no football for 7 months and it's got me bummed out. Yes, last Sunday was the Super Bowl and it really was Super. See you next year...

I would have loved to see the Cards pull it out, and they made a valiant attempt, especially given the fact that between ridiculous errors (letting a linebacker go 100 yards with an INT return) and stupid penalties it was like they were playing with an albatross around their neck. But you have to hand it to the Steelers, they got it done.

But the game made me think about offense vs. defense. As they played the "10 Greatest Super Bowls" over and over again in the build-up to this year's classic, it seemed that many of the great games were made great by a drive late in the 4th quarter. Sometimes the drive went for the victory and other times it didn't (Scott Norwood anyone?), but it was the offense that made it happen with the game on the line.

We in security have a problem. We play defense. Sometimes the defense is so overpowering ('86 Bears and '00 Ravens come to mind) that the offense never gets a chance to get anything started. But that isn't the way it is for us security folks, now is it? Our game is not linear. The offense is not restricted to staying on the field, nor are they restricted to 11 men. And as we know, a good offense tends to get it done in the 4th quarter more often than not.

So what to do? And sulking with a party platter of chicken wings and a case of beer is not an answer... for more than a few days anyway. Basically, we need to protect against the big play. That's something that Pittsburgh didn't do, letting Fitzgerald get free for that long TD. And it's also not something that Arizona did either, letting Santonio rip them up on that last drive. Incidents are going to happen; it's our job to make sure they don't become catastrophes.

And also understand that you will not win every game. Sometimes the offense gets the best of you. But you better do a post-mortem and figure out how you got beat, and make sure your game plan for next year takes that into account. It's OK to make mistakes, but don't make the same one twice.

Have a great day.

PS: I do have to admit it was strange to be at my Super Bowl party with a huge platter of wings and to not eat any of them (it's that vegetarian thing). Or most of them, as I've done in the past. But I did have considerably less indigestion the day after, so that is some consolation.


Photo: "All the fans are gone now..." originally uploaded by KM Photography


Incite 4 U

There is still a lot of discussion around PCI and whether it's still relevant. In fact, I've given a bunch of media interviews about the very topic, and that's really been driven by the media meat grinder, which always needs more stuff to pump through their 24/7 Internet machines. In reality, there is clearly value in PCI, at least to set a lowest common denominator for the base level of security. Over time, that low bar becomes irrelevant when everyone realizes that it doesn't take too much talent to jump over it. The real question is, given the reality that PCI is not enough, how do you get organizations to move beyond that lowest common denominator? That's the question of the day.

  1. More details on Heartland - Great story last week by Evan Schuman regarding some more details about the Heartland breach. It seems the malware was FOUND in an unallocated portion of the server's disk. So, of course, everyone is jumping to the conclusion that the malware operated outside of the O/S, and that would render traditional server monitoring tools as useless as anything else. And maybe they are right. But you could also make the case that the malware was deleted from the O/S when the bad guys realized there was forensic analysis going on, and that's why the code seemed to be in an unallocated area. Who knows? I just hope we get more details to make sure we don't make the same mistakes again. And maybe in 2-3 years PCI will require defenses for this attack (yes, that is my tongue firmly in cheek).
  2. Is Windows 7 less secure? - There were a bunch of media stories last week about whether some of the new changes to User Account Control (UAC) in the forthcoming Windows 7 introduce security issues. Dana Epp gives a good overview of this and gets to the real issue, which is usability. Personally I think UAC is a major pain in the butt. I had to install and reinstall some software on my one remaining PC running Vista and UAC was a big hassle. But to answer the question, security is relative. I believe Windows 7 will be more secure than XP. But if the security gets in the way of the user experience and forces folks to turn it off (hello Vista), then everyone loses. Personally, I think the way Mac OS X addresses the required authorizations works well. It's not onerous, to me anyway. But I am a fanboy after all.
  3. What about 7 clean secrets? - Why are secrets always "dirty?" Seriously, why doesn't anyone come up with the 7 clean secrets about something? I guess it gets back to that media grinder thing. Kidding aside, Josh Corman from IBM published a list of 7 dirty secrets of the security industry, and tries to slay a bunch of the common knowledge (without a clear IBM slant, HA). Things like the end of the perimeter (no kidding) and the reality that doing risk management means you'll likely spend less money on security widgets (good thing IBM sells plenty of services, eh?). Ultimately it seems the security industry is more to blame for issues than anything else. Sadly there is probably a bit of truth to that, but users don't care who is to blame. They want answers, and I'm not sure focusing on "secrets" is a good way to provide them.
  4. The honor system for PCI - Interesting idea here from Andrew Conry-Murray of InformationWeek about basically tossing PCI into the circular bin. What would replace it then? Basically an "honor system" that would make it clear to banks and retailers that if they suffer a breach, there will be stiff financial penalties. And the organizations need to figure out what the right types of security will be. Hmmm. I think we tried that already and that was B.PCI (before PCI). And if I recall it didn't work out too well, which is why we have PCI in the first place. Now I've been very vocal about what PCI needs to do to remain relevant (reacting faster to known attack vectors is a start), but I don't think throwing it out is the right answer either. It needs to evolve faster because the attackers are. There will always be breaches. What we want to do is make sure the breaches aren't because of something stupid, and PCI (for the most part) eliminates a lot of the stupidity that we dealt with before.
  5. Do Ask, Don't Tell - I'm glad it was reported last month that Symantec is continuing to invest a lot of money in R&D. It's definitely showing. Deals like this one with Ask.com, where Symantec will provide a SiteAdvisor-like function on search pages, are pretty innovative. Huh? You mean partnering up to do the same thing as everyone else on a mostly irrelevant web property isn't innovative? Not so much. I'm surprised this didn't make Stiennon's list of security innovations.
  6. Toss this fortune cookie - I'm usually a big fan of Matthew Rosenquist's monthly "Fortune Cookie Security Advice." I think he nets out a lot of the discussion into a short sentence and that is real talent. But the one for January just didn't do it for me. "Insider threats will always outpace external threats." He then goes on to explain it a bit, but I disagree with the basic contention. I don't believe it makes sense to segment out "insiders vs. outsiders" to any great degree anymore. To be clear, there are different risk profiles for different groups of folks accessing my stuff. But ask Heartland if its external threat outpaced the internal issues it faced. And I want to provide similar defenses, regardless of where folks are or who writes their payroll checks. Ultimately trying to distinguish between these classes of attacks forces you to choose which one you are going to focus on more, and I think that's a dangerous thing.

Ah, the siren call of PPTs, marketing programs and all the other fun stuff that vendor hacks get to deal with every day. It could be a lot worse and I know it.


The Daily Incite - 1/29/09 - Learning from Squirrels

Submitted by Mike Rothman on Thu, 2009-01-29 07:25.
Today's Daily Incite

January 29, 2009 - Volume 4, #11

Good Morning:
Photo caption: Cute, yes. Until he takes your nuts...

Another day, another set of announced layoffs. And imminent layoffs. I have a friend who sells for a big pharma company that is involved in a big merger. He's very good at what he does and has been there a long time. But he's not safe. No one is. So we had to put our plans for a spring break jaunt to Mexico on hold.

It's disappointing, but it was the right decision. For him, definitely and also for us. Sure we are disappointed. Who doesn't want to go to Mexico and drink some margaritas and eat chips and guac? A post on terminal23 really brought that home to me (insanely enough, it was inspired by something I wrote). Michael used the term "affluence-addiction" and it hit me square in the nuts.

I'm guilty as charged. I don't really care about cars or many of the outward signs of affluence. I guess my house is pretty OK. But it's the other things that my good fortune (and talent for moving my mouth a lot and not saying too much) have allowed from a lifestyle standpoint. I'm used to just buying it. Or just going on that trip. I didn't worry about it.

But that was the wrong approach, and I think the economic situation provides an opportunity to reset the lifestyle. I know that's how I'm looking at it. We are starting to scrutinize every expenditure. Some we do, others we push out until the spring, when we'll re-evaluate. It seems like the smart thing to do.

I guess it gets back to taking some of our lessons from nature. Squirrels are pretty annoying when they are eating all your birdseed, but they are a good model for how we probably should live. They are savers. During the fall (and it seems every other time) they are gathering food and storing it. Then in the cold winter, when the food isn't as plentiful, they have something to eat.

To be clear, it's hard to do this. It's not comfortable and it's annoying. We want what we want when we want it. And for a long time we could have it. But not anymore. So get your squirrel on and put those nuts away for the winter. It's pretty cold now, but I suspect the economy is going to get a bit colder through the rest of the year.

Have a great day.


Photo: "Baby Squirrel" originally uploaded by odalaigh

The Pragmatic CSO

The Pragmatic CSO:
Available Now!

Read the Intro and Get
"5 Tips to be a Better CSO"

www.pragmaticcso.com

Incite 4 U

Deals and earnings. Earnings and deals. Both are inevitable in this environment. So to wrap up the week, I'll talk a bit about some of the deals we saw this week. There seems to be a lot of kindling out there because we've got fire sale after fire sale, and that's OK. That's how it's supposed to work. But I doubt we'll see more than a handful of higher multiple deals this year. Attractive companies that are growing well (even now) aren't going to do a deal now because they figure multiples will expand in 12-18 months. And hopefully they'll be right.

  1. Can you consolidate a market that doesn't exist - The fine folks at Archer have shot an arrow made of Bain Capital gold and taken down Brabeion. For an alleged $6 million. The "market" I refer to is GRC and I still don't know what that means. The reality is this was probably a good opportunity for Archer to add a few large customers to their system and provide some type of migration path to their offering. Brabeion also had some interesting content that would be useful.
  2. You can talk about how stupid users are, or you can train them - Mich Kabay goes into some interesting research about why users can't seem to detect (after repeated training) a phishing message. I think it gets back to how we are training them. I think back to how I like to learn, and it's basically when I don't think I'm learning. That's the key. If it's some boring lecture or a cringe-inducing online tutorial, the folks will sleep. If it's a game, you've got a chance. So think about how you are doing user awareness training, since that is probably a lot cheaper than cleaning up a worm outbreak (and yes, worm outbreaks are back).
  3. Do we now call them Websensio? - In Deal #2 today, Websense bought Defensio, which was building some technology to address social networking attacks. To be clear, this was clearly a feature from day 1, but given the expanding definition of the "web," folks like Websense need to have better answers for sites like Facebook - given there is increasingly a business requirement to play there. You know, 200 million users can't be that wrong, so we better figure out how to secure it, rather than continue to ignore it.
  4. Cisco puts on their green suit - (not security) The last deal I want to highlight today is Cisco buying some technology to manage building systems more effectively using, of all things, an IP network. This is part of a new initiative Cisco is calling "EnergyWise" and they once again have done a great job of building a PPT with some eventual product delivery to address an issue that is top of mind. That's how market dominators stay market dominators. They see an emerging market, and they figure out how to freeze it without actually delivering anything, besides writing a check for some technology.
  5. Compliance weakening security? Do tell. - I didn't want to miss a great post by Alex Hutton that puts compliance in its proper place. The reality is many security folks want to take an easier path, and the compliance crack gives them that. Just work off the check list, get your funding and go home and play on the Wii. Right? Well, Pragmatic CSOs (and lots of other folks) use compliance as a FUNDING MECHANISM. Just because that's how you position the project to get the money, doesn't mean that's how you've figured out you need that project to happen. As Alex says, our organizations need folks that will be consultative and tell them the truth. Separate out the decision of what to buy from the mechanics of how you can buy it.
  6. Q4 holding up in security-land - Given the macro mayhem, it does make sense to mention that some companies are still hitting their numbers. Check Point and Websense being two of them. Symantec announced decent numbers as well. Some companies are refusing to give guidance or it's a bit lower, but in general security is holding up. Which is good news for those of us in the business. But I'm still very skeptical and I do think we'll take a hit in Q1 and Q2 of this year. I do believe that our little space will be the last to go and the first to come back, but we should all be planning for some level of slowdown in the near term.

Back to running around and trying to get through the list.


The Daily Incite - 1/27/09 - Scum Watch

Submitted by Mike Rothman on Tue, 2009-01-27 09:09.
Today's Daily Incite

January 27, 2009 - Volume 4, #10

Good Morning:
It's the little things that indicate things are going to get worse, before they get better. It's not just the daily drum of layoffs from one big company after another. It's the fact that at least twice over the past week, I haven't been able to get a seat at Starbucks to do some writing. Maybe it's just anecdotal, but I think there are a bunch more folks considered "free agents" because they are looking for their next gig.

This is one way to clean up the scum...

With my job history, I've been there. I know it's much better to stick with the daily routine, even though you've got nowhere to go. It's important to dress nicely, get out of the house, have lunch with folks, make lots of calls, send lots of emails and keep the activity level up.

I get a lot of messages from folks asking if I know of this or that. Sometimes I do see a fit and I'm happy to make an intro. Other times I don't and I feel bad. Because I've been there.

We shall overcome. This too shall pass. It always does. But this post from Fred Wilson got me thinking about greed, especially given the job carnage. The stimulus package in the US will hit at some point over the next few months. And the Government will be spending money. It's impossible to manage $750+ BILLION in spending. There will be waste, there will be pork, and there will be corruption.

It'll be interesting to see where cyber-security ends up on the list. I think the Federal investment will continue (at least that's what I'm seeing in my day job), and part of me is happy about that. That big part of me that has to write the mortgage check every month and wants to be able to provide a comfortable lifestyle for my family.

I can only hope at least some of us have gotten past the greed of the past 20 years. I know that's being way too idealistic, but we can hope, no? Given the reality that there will still be shysters in the mix that are focused on gaming the system as opposed to making it stronger, my real hope is that there is proper oversight to find egregious corruption and make a public example of them.

Yes, I hope some of that stimulus is earmarked to expand the Federal penal system, so there is plenty of room for the white collar scum that will inevitably emerge. Have a great day.


Photo: "Using vinegar for a natural clean" originally uploaded by elycefeliz

Incite 4 U

It's amazing how much buzz continues to permeate around the Heartland breach. We'll get to that in a bit, but I do want to address Anton's position that I've gone insane based on my rant yesterday about the Irrelevance of PCI. Firstly, I've been insane for a long time. But no one has convinced me that I'm wrong. Maybe it'll take 3-4 years (HIPAA was still an area of focus for 3-4 years after it started its long downward slope towards irrelevance), but unless something changes - it'll happen. There are lots of different perspectives regarding how to address these issues and new attacks, and it'll take a while until the right path becomes clear. But my position remains, the PCI Security Standards Council can get a little proactive and dictate the path or they can let the hackers continue to set the agenda. It's their call.

  1. In the category of too little, too late - Speaking of Heartland, now the CEO is pushing the "industry" to adopt end to end encryption. It's interesting that this guy has gotten religion once he's been front page fodder for a week. But more importantly, I wonder if everyone realizes that end to end encryption isn't a panacea either. Sure it's better and would have eliminated the sniffers stealing track data off the wire. But if the servers and/or applications are pwned, encryption is not going to help.
  2. Mort's crystal ball - Looks like my friend David Mortman has stepped into my slippers as security management expert at SearchSecurity. Here are his thoughts on 2009. Pretty straightforward stuff. Compliance remains the driver (driven by new notification laws) and web-based app security continues to garner a lot of attention. Then he throws in the virtualization word, but within the context of more outsourcing and the further embracing of service providers to help execute on security strategies. I agree with most of the stuff, but to me the biggest issue for 2009 is how to do more with less. We ain't getting more resources folks, regardless of what the budget says.
  3. Justifying data security, good luck with that - You have to hand it to the Securosis guys. Besides being fun to hang out with, they are pretty fearless when it comes to trying to slay conventional wisdom and put numbers towards justifying data security. As they are finding out, it's hard to do. Because every company is different and every culture will respond to different pressure points. Oh, the other issue is that logic tends to have very little place in the discussion, when the decision is to protect data or upgrade a factory. Maybe it's just me, but the factory usually wins. But I do hope Rich and Adrian do make progress because a taxonomy on how to stage the discussion is critical.
  4. Where is Barnum when you need him? - A few weeks ago I was appalled that Certicom was fending off a hostile takeover attempt from RIMM. It turns out I was wrong. It seems PT Barnum was right and VeriSign is today's sucker - rescuing Certicom and paying $73 million for the company. Huh? That's a really big number for a toolkit. But I do have to hand it to the bankers for Certicom. They found maybe the only guy that's been able to truly monetize a toolkit - Jim Bidzos. That's right, the RSA guy is back, but on the other side of the deal this time. I guess he forgets that the RSA deal made him rich, but didn't help the Security Dynamics guys all that much.
  5. Virtualization Security - Big Hat, No Cattle - Andreas and his Nemertes colleagues recently did a security survey and they found out that no one really cares about virtualization security. Just 10% of the respondents have anything deployed and I guess I'm wondering what's the matter with them. That seems about 8% too high, especially in this environment. But it's a matter of time. At some point, the risks will become clear and we'll need to act. The question is whether future versions of our existing tools will get us there, not whether it'll be an issue. And the good news is we won't have to worry about it too much this year.
  6. Would you like that crow baked or fried, Mr. Schultze? - On one hand, it's embarrassing to hit the fire alarm, when there is no fire. Especially when you have to send a note to your customers saying, "Never mind." But you also have to give credit to the folks at Shavlik that did the right thing. They owned up to the mistake. Yet this is a direct effect of the vulnerability/exploit mania that is much of the security business today. From both a PR and a defense standpoint, it's literally a race to evaluate the patches and assess them. And mistakes are going to be made. The good news is that most customers have change control processes that force them to think before they act. Most of the time that's a good thing.

Now time to go take my lithium or whatever was in the magic pills that Anton sent me to address my insanity. Hopefully he has plenty in his own stock to get through the day. My holiday present to him should have been a rope, since being the PCI guy, his house is built on quicksand.


The Increasing Irrelevance of PCI

Submitted by Mike Rothman on Mon, 2009-01-26 09:20.
Today's Daily Incite

January 26, 2009 - Volume 4, #9

Good Morning:
Quick intro today, since I spent most of my allocated TDI time ranting about PCI. It's got a major problem of relevance, given the second (that we know of) massive data breach on a PCI "compliant" organization. So what will they do? Let's just say I have some ideas about what they should do...

PS: Last call for the Pragmatic CSO Forum I'm launching with the Business of Security folks. We start the Forum sessions tomorrow, so this is the last opportunity you'll have to learn the methodology. We're running a promotion now: anyone that signs up for the Forum will get a PDF of the book included.


Have a great day.

The Increasing Irrelevance of PCI

This is a hard post for me to write. I've been a big fan of PCI, pretty much since its inception. It was a lot more specific than previous regulations. I may not agree with all of the requirements (like the AV mandate), but at least there was a list of things that merchants could do to start on the road to security.

I'm a pretty Pragmatic guy, so I knew that most folks would look at the 12 requirements and figure that's all they needed to do. That once the PCI Assessor delivered the report, they'd be secure and their credit card data would be safe. Of course, they would be wrong - but I figured we needed to start somewhere and PCI was a good start.

PCI = Fail

And it was for a little while, but it's like sending your playbook to the opponent before the big game. Your adversaries know exactly how you plan to defend against them. It's not too hard to devise a new attack to circumvent those lowest common denominators. Which is exactly what the attackers that successfully compromised both Hannaford and most recently, Heartland did.

I wrote on the eIQ blog about how I think we can add incremental defenses to protect against these new attacks, but that still doesn't answer the crisis of confidence facing PCI right now. Sure the 12 requirements are a good start, but clearly they are not enough and the general consensus-based process of updating the requirements means PCI is always solving the attacks of 2 years ago. For instance, the mandate to eliminate WEP from wireless networks is only going into effect this year. WEP has been severely broken for over 2 years.

So I believe the PCI Security Standards Council has some serious soul searching to do. The Council needs to act quickly and decisively to stem the rising tide of irrelevance. Or else they'll need to acknowledge that PCI is the next HIPAA and organizations will continue to do the bare minimum to comply, while secretly snickering at the ridiculous hoops they have to jump through to little benefit.

The first step is to announce they are going to do a 45 day review of the current set of requirements to determine if they are still relevant and to pinpoint gaps, maybe even publish some new guidance and clarification on the weakest requirements (or the ones that just aren't working). The first step is always the hardest, and thus far the public stance from the Council has been one of "not my problem." They only set the rules, they don't enforce them. That's the wrong answer, but it's the predictable one.

In terms of the massive change needed, as you would expect, I have some ideas about how the requirements should evolve. The reality is that security is not binary. No one set of guidelines is reasonable for every organization out there. Larger organizations (with more to lose) should spend more than a mom and pop shop. The current process of requiring a real assessment for Tier 1 merchants (as opposed to a self-assessment) tries to factor this in, but everyone is working off the same set of requirements and that's wrong.

I would define a set (probably 3) of different security levels. The lowest level would be today's bar. We know it's not sufficient, but again it's a start. Then they add at least two more levels beyond that, including maybe a full monitoring level and perhaps an end to end encryption level, depending on the merchant's threshold for risk, their size and their willingness to invest in security.

The sad truth is that it's probably not cost effective for every retailer to get to the highest level. Even if they do suffer a breach, the cost of doing whatever the highest level may be (especially if it involves widespread use of encryption) may outweigh the cost of cleaning up the mess. Not for everyone, but for enough that requiring the highest level of security doesn't make sense for them.

Saving Private PCI

But how is this different? So what if there are three levels of security (that merchants can market to), where is the catalyst to get anyone to the highest level of security? Drum roll please.... the answer is TRANSACTION FEES. Merchants live and die on transaction fees. It's a huge part of their cost model and if they can reduce those fees, then investments can easily be justified.

I believe the only way to get retailers to adopt higher levels of security is to make it a good business decision. They need to be able to make a reasonable return on their investment, and then it will happen. That's the way free market economies work. Thus, we set different levels of transaction fees, depending on what level of security the organization achieves.

By the way, this makes sense for the upstream side of the equation as well. Given the potential risk of having a low level of security and the associated fraud costs that accrue to the system, issuing banks and credit card brands can also make money by reducing the transaction fees - for an increased level of security.

I've spent two decades paying attention to the drivers of what makes businesses do things. I've spent a lot of other people's money proving that you cannot make a market. Latent demand needs to be there based on a good business decision for the customer. They need to be able to either save money or make money by deploying technology. It's as simple as that. So it's just simple economics that drives me to believe the only thing that will get organizations to invest in security is to help them reduce their costs. If they can't see a clear cost savings, they'll do the least amount possible. Not many organizations do security because it's the right thing to do.

It's Monday and I guess I'm being a bit idealistic, eh? The likelihood this will happen is very small. There are a lot of folks within the council that can't afford to rock the boat too much, and the occasional black eye isn't enough to truly agitate for longer term change. So with each data breach PCI becomes weaker and weaker until it ends up similar to HIPAA. Unless something changes organizations will continue to pay lip service to it, customers won't trust it (to the degree they even know about it), and it becomes just another report that is generated out of the security reporting system, which is my definition of irrelevance.

Photo credit: “Fail (19/08/07 137)” originally uploaded by The Happy Robot


The Daily Incite - 1/22/09 - Start me up

Submitted by Mike Rothman on Thu, 2009-01-22 14:19.
Today's Daily Incite

January 22, 2009 - Volume 4, #8

Good Day:
I drive a lot of cars. Most folks that travel do. Regardless of marketing jingle, I find most rental car companies are "not exactly" great. The last few times I've flown into Boston, they didn't have a car ready for me. So I've had to wait from 5 to 15 minutes to get some crap box. And that's what those rental cars are. For the most part they are low end domestic sedans that are non-descript and pretty boring to drive.

Fire up the engines...

Yet, I have to say this week I was pleasantly surprised. I flew in and per usual, my car wasn't ready. As the steam was gathering to blow out of my ears and take out two innocent bystanders, they gave me my ticket and showed me to my car. An Infiniti FX35. That's the sort of SUV thing. Huh? An Infiniti for a rental?

At first I was quite disoriented. I couldn't find the keys. Then I realized, the car has NO keys. Just the key fob and a start/stop button. So I hit the button and the car fired right up. Wow, that's pretty cool, though I do have to say I missed the tactile feel of turning the key and having the ignition engage.

But I got used to it pretty quickly. The drive was comfortable, it had adequate power and with built-in XM, I could listen to the inauguration as I was driving around the countryside.

Kind of got me thinking about my 10 year old Acura. It still drives great (with only a touch over 70K miles, it better) and I haven't had to put much money into it at all. I'm sure I could get a great deal on a new one and there is some interest in getting something that gets a bit better gas mileage. It would be great to have a technically advanced car with lots of cool Bluetoothy gadgets.

Then I felt the hard slap of reality hit me. My car works fine. It's comfortable. I have a portable navigation device should I find myself in unfamiliar surroundings. I've weaned myself off my Bluetooth headset - real men do wires, don't you know? - so integration with the car isn't a factor.

And I got it. The car companies are screwed. Even more screwed than I thought. I think a lot of folks have cars that are "good enough" and in this kind of economy (in the US anyway) there is little sense to taking on another note. And they have extraordinarily high fixed costs (not even including the union entitlements) and that means continued government hand-outs may not save that patient. Not all of them anyway.

Have a great weekend. Yes I know it's only Thursday and many of you do work on Fridays (and probably Saturdays and Sundays too), including me. But I figure it's a good way to get into that end of week, get things done frame of mind.


Photo: "Toyota Auris 2007" originally uploaded by Titanas

Incite 4 U

Let's get to it...

  1. PCI = FAIL - Yes, you've heard about Heartland. Yet another PCI compliant company is massively breached. I'm thinking about the future of PCI a lot in the wake of another mishap, and the news isn't good. Clearly something has to change. The specifics of Heartland are still emerging, but based upon the early analysis it's clear that Requirement 10 requiring log collection is NOT good enough. I did some analysis on that aspect of the breach on the eIQ blog. Head over there to see how to not be the next Heartland.
  2. Let's build a fire out by the Riverbed - and we can serve up some Mazu. Riverbed takes Mazu out for $25MM and an earn out [LINK]. Clearly I'm not the only one that thinks NBA is a network management activity, NOT security. I remember interviewing for the marketing job at Mazu in 2002 and telling them that trying to position in security is pretty dumb. It was clearly a networking technology that will appeal to network managers. Amazingly enough, with security companies still being funded during the Internet bubble burst, they didn't like that idea. I was right. It'll be interesting to see how Riverbed tries to move from tactical WAN optimization to something more "strategic." Good luck with that.
  3. Jeremiah the breaker - How cool would it be to see Jeremiah Grossman and RSnake doing some break dancing at this year's Black Hat? Actually, probably not that cool. But Big J brings up an important point in this post about the ongoing role of "breakers" vs. "builders" in web app security. I know I've said this a lot, but it's still important and true. You need both. Clearly software needs to be built in a more secure fashion, period. But without a continued focus on pen testing those apps and finding out their break points, you don't really know how something will hold up in the real world. And as I like to say, your defenses are being tested every day, whether it's you doing it or not.
  4. The hazards of penny wise and pound foolish - AndyITGuy reminds us about the dangers in not spending on what really needs to be done, even in this kind of environment. And that's a big part of the security professionals job this year in this kind of economy. We need to provide the information about what may happen if some projects don't get proper funding. Ultimately the business guys and bean counters will make the call as to what really gets done and you can help your cause by showing how each project improves efficiency and saves money, while reducing risk (like a security and compliance management platform, for instance). But it's as important to understand how much the downside risk may represent, as that needs to be factored into the equation.
  5. And by the way... you still suck - Not sure how many of you saw Tina Fey's great acceptance speech at the Golden Globes where she told some of the folks on message boards to "suck it." Awesome. Speaking of suck, this list on SANS goes thru a number of things that you can do to suck at information security. It's a good list and pretty funny. And I know none of you would possibly engage in any of the sucky activities, RIGHT?
  6. Whack the mole with the teeth - Chris Wysopal makes an impassioned plea here for security companies to take "theoretical" exploits far more seriously and to fix these issues BEFORE an exploit is in the wild and thus before anyone would get hurt. It's a great theory, but in practice it's not like the vendors are sitting there with their thumbs in their butts waiting for the exploit code to ship before they spring into action. Odds are, they are adding functionality to the software to increase competitiveness in the market. Or maybe they are fixing defects that impact the user experience, which is costing them money or losing them deals. A security attack goes on the list like anything else, and the product manager (and development organization) need to prioritize which of the issues get fixed and when. And they do this based upon economic impact, either good or bad. So it's pretty easy to see why most theoretical attacks drop to the bottom of the list of things to fix. Although I think Chris is right, I don't think anything will change. If you've got one hammer and two moles, you whack the one that could bite you.

We should start a pool or something on who is going to be the next huge data breach and whether it will be the same sniffer-based attack as Heartland. Any takers?


The Daily Incite - 1/20/09 - Fight for Your Right

Submitted by Mike Rothman on Mon, 2009-01-19 19:45.
Today's Daily Incite

January 20, 2009 - Volume 4, #7

Good Morning:
Today is a historic day. Period. In the US, we will inaugurate a new President - who will face a series of crises not seen for 50 years. The new President seems like the right guy at this point in time, but it's not clear Hercules or even Zeus could get us out of this mess.

Your mom took away your best arty mag...

But given that yesterday was the MLK holiday and today is the inauguration, I wanted to comment a bit on fighting for what is right. You see, it's easy to turn a blind eye to the injustices of the world. Just go along, on your merry way without a care about a lot of folks doing the wrong thing.

Whether it's folks putting one over on the system by stealing money or taking advantage of the defenseless, there are lots of folks that are pretty much despicable. But there are a number of folks that don't accept the status quo and they do what is right.

Even when it's dangerous and hard.

Like the folks that spearheaded the civil rights movement, which we celebrated yesterday and will celebrate during the inauguration. Or the folks that fought against Nazi oppression by protecting families marked for death based on what they believed. Or the folks in South Africa that rose up against Apartheid. There are tons of examples and let's celebrate those folks as well.

Unfortunately as we continue on through history, there will be no lack of folks that do the wrong thing. So those of us that fancy ourselves to be good people will have plenty of opportunities to try to make it right. It seems human nature is like that.

Have a great day.


Photo: "You gotta fight for your right to be arty" originally uploaded by marcusjb

Incite 4 U

It's brutal out there. I keep hearing day after day about other people I know that have been laid off, many by technology firms. It seems the "in" thing to do was to lay off 10-15% of staff during the holiday period. Talk about a Grinch. But the reality is that we are going to see a lot more of that, since I don't think we've scratched the surface on the slowdown that is coming. I hope I'm wrong and I also hope that my many friends looking for new gigs have a quick search. But in case I'm not, make sure you are clear about your value proposition to your organization and that you are thinking about Plan B. Hopefully you won't need to use it.

  1. Is "Security First" a generic term? - Probably, so I guess I wouldn't have been able to copyright it. Though it is good to see a number of folks like Martin using the Security First concept to illuminate one of the most important concepts we all face. Compliance is how we get things funded, but security is how we do our jobs. If you aren't clear on that, then there is a Breach blog post with your name on it. Anton has been ranting about the dangers of compliance first for a while, and he's exactly right.
  2. They are all talking, but I don't think many are listening - The folks in the software security business are great folks. I know most of them and they are passionate evangelists that spend much of their time urging developers to do the right thing. They've used logic, fear, guilt, and lots of other tactics to get the message across. Jack Danahy of Ounce makes many of these arguments in his See No Evil byline in NetworkWorld (which must be pretty desperate for page views to give a vendor this much real estate). Jack makes a great case, but unfortunately the folks that need to listen are not, and these are the same folks that fought the standardization of things like seat belts. They represent the status quo and until there is OVERWHELMING evidence of the true costs of not dealing with the issue, I'm afraid that they won't. Which is bad for everyone.
  3. The anal probe won't hurt a bit - Shrdlu rants a lot about a post regarding how to interview "geeks" and I'm totally in agreement. Hiring is tough and making a bad hire costs your organization a LOT of time and money. That means that any hiring process is going to be invasive, intrusive and likely uncomfortable for the candidate. Those of us doing the hiring are looking for the good, the bad and the ugly and sometimes that means we need to ask questions that may not make sense to the "geek." That's fine; if and when the geek gets into management and has to be accountable for what their group produces, then they'll understand. I'm pretty fortunate in that I usually know most of the folks that would be working directly with me, or know other folks very well that can vouch for them. But I still ask a lot of questions and I don't feel bad about that.
  4. Big Yellow R&D yields... - Not a lot. When was the last time you thought of Symantec as innovative? Right, it's been a while. The market leader typically has a disincentive to be innovative because it risks upsetting the apple cart being pulled by their cash cow. Can I mix a few more bad cliches in there? Jon Oltsik makes the case that Symantec is now investing in R&D. I hope he's right because sooner or later the cash cow gets slaughtered and if there aren't a number of calves running around. You become Novell. It would be interesting to do an analysis of SYMC's revenue streams and see how much of their net new revenue each year comes from in-house development vs. acquired technology. I honestly don't know the answer and maybe it's just a marketing problem. But when I think innovation, it tends not to have a yellow tint.
  5. I'm still a sucker for cool hardware - I don't know what it is, but there is still something to flashing lights and lots of throughput. Maybe I appreciate the challenge of hardware engineering. Maybe I yearn for the days when our biggest decisions were Cisco or Wellfleet. Nowadays for most companies it's about which model of Cisco gear to use, and when you see how David Newman put the new ASR 1000 through it's paces, you see this ain't your Daddy's router. It runs 20Gbps through the box while doing QoS, security and a bunch of other stuff. Obviously targeted at large enterprises and small service providers, this isn't a box for everyone. But when thinking of the sheer horsepower required to actually do security within the network fabric, and we'll need these kinds of boxes. Especially as Moore's Law continues to take hold and drive costs inevitably down.
  6. Maturity and hammers - I've used the saying, "when all you have is a hammer, everything looks like a nail."  Alex's idea that maturity is based on the ability to measure (from this early December post) is true, but only if you are focused on quantifying risk. There are a lot of different ways to qualify security maturity, especially program maturity and not all of them involve measurement. A mature security program has as much to do with perception as it does with metrics. In my opinion anyway. I believe that some programs that are weak on metrics (how many do we know that have strong metrics) can still be mature in perception, where the CISO is respected and part of the discussion. That only happens with maturity. Though Alex may disagree, mostly based on what he does for a living, I'd still argue that metrics are only one piece of security maturity.

OK, another day another plane. I'll be posting from the road on Thursday and maybe will even have something else to say tomorrow. You never know.


The Daily Incite - 1/16/09 - Out of Control

Submitted by Mike Rothman on Fri, 2009-01-16 00:49.
Today's Daily Incite

January 16, 2009 - Volume 4, #6

Good Morning:
I'm on the road driving down the highway with one of my VPs of Sales. He checks his email and blurts out, a plane went down in NY. Ditched in the Hudson River. Oh crap. The words a guy who flies as much as I do never wants to hear. I understand statistics, I know it's a lot safer to fly than to drive. But you still hate to hear about an accident. I feel better already...

Then I checked the news and read the story about how everyone survived. That's miraculous and the pilots are heroes. And why didn't those birds migrate down South? It's friggin' cold in the North East this time of year.

It got me thinking about control. The reason that I don't worry in the car is that I'm in control. That's misplaced confidence because there are a lot of idiots and bad drivers out there. And in the air, there are significantly less. But I'm not in control once I strap in. I have to trust the pilot, the air traffic controller, the maintenance people and the equipment. For a control freak like me, it's a lot of trust.

I have the same issues at work. I'm not really a good delegator. It's not that I don't have confidence in the people that I work with - I do. But I'm just used to doing everything myself, so half the time I don't think to delegate or outsource or anything but roll up my sleeves and get things done.

The problem is that it doesn't scale and my list isn't getting any shorter. So ceding control is really a survival instinct. You need to trust in your team, as much as you trust your pilot. Given my personality, it's a fight I'll need to wage daily, but it's one that is worth fighting. Life is too short to do everything yourself.

Have a great weekend.


Photo: "everything's under control" originally uploaded by Lorrie McClanahan
Incite 4 U

The RSA speaking slots are out and I'm happy to say that I was selected to sit on 4 panels and to do a Peer to Peer session. Oh crap. What the hell is that about? Sure the panels were good, but not that good. I wonder if there were as many submissions this year. Or whether they all just sucked. In any case, I wonder how many of you plan on attending RSA this year. I should do a survey or something, but I hate surveys. So just send me an email if you plan to be there. Hopefully none of my sessions conflict with the important stuff, like the Bloggers meet-up.

  1. It's hot out there. AVG stokes an "inSana" fire sale - I was thinking about calling this one "Reality 1, Listwin 0" in honor of the great Listwin, whose sizable talents could not even save Sana. AVG acquired Sana Security for what must have been a Czech jig or something like that. Do the Czechs even jig? If you look at the press release, no one from Sana is even quoted. The reality is that we'll see a bunch of these deals and even a high profile executive cannot turn a feature into a company.
  2. I guess they ran out of wishes - The folks at SafeNet can celebrate, they won the war of attrition to acquire Aladdin for less money than they initially offered. It's not a Yahoo!-like fiasco (what could top that?), but still the gravitas of the genies in a bottle cost their shareholders some coin. Great, now what the hell does SafeNet do with it? I hear there isn't much competition in the content security space, though some of the software security technology they have may fit nicely with SafeNet's business.
  3. Sure they can run a pen test... - I was reading this piece by Michael Cobb on SearchSecurity about how to "increase security with a decreasing budget" and I was interested. That's clearly something that is top of mind for customers. Unfortunately, don't waste your time reading the piece. The big idea is to merge physical and logical security groups. Huh? I can just imagine the bruisers who patrol the building are well qualified to bust out a pen testing tool and take down the defenses. That approach allows you to cut one headcount (the manager of either group). The answer, my friends, is automation. And not just because that's what I pawn for a living. OK, probably because that's what I pawn for a living.
  4. Midnight Express - AWESOME - So one of the guys that did the TJX hack is getting 30 years in a Turkish prison. WOW! It's been a long time since I've seen Midnight Express, but I think I need to watch it again. Just to see where the new bar is set for prosecuting a hacker. In Turkey anyway. In most other countries, they are as untouchable as MC Hammer. The hope is that this proves a deterrent to some, but the reality is it'll have no impact on most. Why? Because it's easy money, especially compared to what else would need to be done to make a similar wage in these emerging countries. That kind of stuff would land you 30 years in a Turkish jail.
  5. Just what we need, another unenforceable mandate - So the great State of NY (my birthplace) is blazing the legislative trails in drafting some language that would require "secure code" if you want to sell software to any NY State agency. Yeah right. How do you enforce that? Let's see, maybe require a new set of assessments and spur a new industry, the secure code police. Give me a break. It focuses on the Top 25 programming mistakes and I think the list is good, the regulation is not.
  6. Speaking of the lowest common denominator - Yes, the CWE/SANS Top 25 Most Dangerous Programming Errors is quite a list. As mentioned above, the list is good - but only to the degree that developers give a crap about it. The challenge hasn't really been knowing what to do, it's in getting the developers to do it. Does this list help with that? Not really. But at least it will get the hackers to focus on whatever should have been #26-50, since those won't be addressed by 98% of the developers out there. Who am I kidding? Only a small minority of developers will give a rat's ass about 1-25...
  7. 2009 To Do List (Gunnar style) - Though I'm sure it's cold in the Twin Cities, Gunnar is thinking oh so clearly. A few days ago, he put together a to-do list for security professionals. #1 on the list is to educate on software development state of the art. Remember, most of the attacks nowadays are directly on your apps. So understanding how these apps are being built is the first step in protecting them. Next up is to eat lunch with developers - another GREAT tip. Even pay for lunch, you'll learn far more than doing anything else. There are a few more, but ultimately success is about constant renewal and always learning. Gunnar reminds us how important that is.

Finally, I have a favor to ask all of you. Please give Hoff something to do. Seriously. We all know he's busy doing something architect-like for his overlords. He spends a bunch of time doing sweaty grappling with other guys, as well as P90x-ing for 90 minutes a day. Yet he still has time for some good, old fashioned potty humor. Literally. As funny as this is and as much as I appreciate it, I'm thinking Hoff has found some type of rift in the space-time continuum that allows him to fit 48 hours in a day. With all this time, I suggest we all just send Hoff random tasks to do and that will allow him to adequately fill his daily 48 hours. You know where to find him.