
The Daily Incite - September 24, 2008

Submitted by Mike Rothman on Wed, 2008-09-24 08:58.
Today's Daily Incite

September 24, 2008 - Volume 3, #78

Good Morning:
I remember when I was a kid, one of the "crazy" things we used to do was crank calls. You know, call someone up and call them a name. Or dial the phone at 2 AM and just let it ring. Or call them and say the pizza will be delivered in 15 minutes, thanks for the order. Silly stuff like that. We even took advantage of three-way calling to put together some ad hoc conference calls. We'd call the really cute girl and then connect her to the not so cool guy. They didn't have a lot to say to each other. Those were a lot of laughs.
Hello. I'm monkey. Your pizza is ready.
And then caller ID became available. And the *69 service to ring back the number that just called. I'm sure it was quite a surprise to the first few crank callers who got a call back from an irate parent about a call at 2 AM. OK, that gig is done. A casualty of technical innovation.

Now it seems that simple hacks are done too. Since they have allegedly identified the Gov. Palin email attacker through, of all things, a proxy log, it's a lot more dangerous to pull simple pranks nowadays. Of course, hacking into the email account of a vice presidential candidate is more than just a simple prank, but the outcome is the same.

You can run, but you can't hide. Unless you live in Estonia, that is. Script kiddies be warned: unless you fancy a visit from the FBI at an inopportune time (is there an opportune time for a visit from the FBI?), you had better improve your obfuscation techniques. Attackers always leave a trail; the question is whether the trail leads to your dorm room or to somewhere it would be very hard to track. Like Estonia.

But that's not even the point. They'll make an example out of this Palin email attacker, and they should. It'll be a deterrent for all of the novices that realize they are out of their league. Not in attacking, almost anyone can do that. But not getting caught.

Will something like this public execution deter the general increase in Internet fraud that we've seen? I say nope, not by a long shot. The reality is the risk-reward equation is still heavily weighted in favor of the bad guys. Especially in Estonia. It's prohibitively expensive to prosecute them and it's incredibly lucrative for them to continue stealing. How do you think that ends?

Right, don't leave anything to chance. Monitor your bank accounts and credit cards almost daily. Use strong passwords (and probably a password manager) on the accounts that matter, like your financial accounts, web mail, and ecommerce sites. Teach your friends and family to do the same types of things. Apply the REACT FASTER doctrine to your own personal lives. They'll catch some of the bad guys (especially if they live in the US), but there are always another 10 to fill the wake of the last one.

That's just the way it goes. 

Have a great day.

Photo: "0898 Hot Monkey Talk" originally uploaded by lemur


The Pragmatic CSO
The Pragmatic CSO:
Available Now!

Read the Intro and Get
"5 Tips to be a Better CSO"

www.pragmaticcso.com
Get Your Special Report:
6 Easy Steps to Protect Your Identity
and
get access to Security Mike's Portal today

www.securitymike.com

Security Mike's Guide to Internet Security

Top Security News

Truth? Who needs that...
So what? - For liars, the lies aren't really lies. They are "spin." We are seeing a lot of that type of crap emanating from the Presidential election (on both sides) and it seems we still see it in our own little technology world. Susan Hanley rails against this kind of crap on her NetworkWorld blog. Sometimes I'd like to have a conversation like I have with my kids. The reality is kids don't think you are any smarter than them. They can't really, because the idea of smarter or dumber is an abstract concept. So they figure they can just pull the wool over your eyes and you'll smile and be happy. Of course, they don't realize I pulled the same stunts when I was a kid. But at some point, you grow out of that. At some point you realize that the person on the other side of the conversation isn't dumb and by "spinning" a version of the "truth" that may not be so truthful, you not only alienate them - you piss them off. But it's like the old Cabletron pricing model (why are you three times more expensive? Because 10% of the customers just pay it and we discount for everyone else): they figure a certain percentage of customers won't know the difference and they'll just accept the spin as fact. Personally, I find that perspective appalling and do my best to call it out, with great vengeance and furious anger, against those who would attempt to poison and destroy my brothers.
Link to this

Premature chasmuluation
So what? - Great observations here from Tim Wilson on the dichotomy between what problems customers need to solve today vs. what problems much of the vendor world is talking about. To use yet another political analogy, the house is burning down and all we talk about is lipstick on pigs. He's exactly right and in a lot of cases the media is responsible for this. Fact is, the media gets paid based on page views now. Most of the technology magazines are thin and many others have just gone away. Everything is online nowadays and that means it requires page views to monetize. No one wants to hear about the burning house because everyone knows it's burning. It's not interesting anymore. So the media covers the stuff that is new, maybe sexy, and certainly interesting (like virtualization security) REGARDLESS of the fact that very very few people actually have the problem. You also have another dynamic here, which is technology M&A. Emerging vendors need to make their products interesting, and deceive the buyers (acquirers, not enterprises) into thinking there is a market for the product. Then they can get a big valuation and make market development into the acquirer's problem. And the final factor: most of the folks truly in the trenches don't listen to a lot of the vendor babble. They are too busy getting their ass handed to them every day.
Link to this

Finally, they got the memo - make endpoint security invisible
So what? - It's the fall, so that means many of the AV vendors update their endpoint security suites. You know, they need to put a new box out and increment the year to justify the extra $50-75 per desktop they need to collect to keep themselves fat, dumb and happy. Of course, the past few years have been problematic because most customers have started to notice that their PCs are increasingly sluggish and that makes them unhappy. They don't want to know the AV is working, they don't want to know it's there, and they certainly don't want their machine to bog down every time they open an application. Moreover, they don't want to be interrupted when they are doing something and they don't want to approve everything they are trying to do. Basically they want transparency. Until they don't (which is when they are under attack). Finally it seems the Big Yellow was listening, according to Walt Mossberg anyway. And I tend to believe Walt because he's NOT a security guy. He's a tech user and he's much more interested in user experience. This is good news for Symantec, since reducing the nuisance factor will become a big differentiator - absolutely in the consumer space, and I suspect for business users as well.
Link to this


The Laundry List

  1. This is why Cisco has such market share. They've got their own fanboys that save their shekels to buy equipment for a lab to get more Cisco certifications. - Cisco Subnet blog (on NetworkWorld)
  2. Words you live to regret. Evidently Websense sees the economy as a "non-recession." Help me understand the upside of that kind of statement. Especially after the class action attorneys go after them when they miss. - Tech Ticker
  3. Imprivata gets two patents on biometrics, maybe they are looking at a Tumbleweed-esque go to market strategy. Except no one really cares about biometrics. - Imprivata release
  4. Oracle updates their GRC offering, but forgets to mention what the thing does (at least in the release). It's Oracle, just trust them. - Oracle release

Top Blog Postings

Incident response SCRUM
No, this isn't some new game coming from down under. This is a very interesting idea from Cutaway regarding building incident response and disaster recovery plans using a structured development process. I'm a huge proponent of making sure the incident response plan is documented and practiced (Chapter 8 of the P-CSO), but it's the documented part that is a challenge for most security professionals - especially given the number of other fastballs flying at their heads at all times. Don's idea is to use a system development lifecycle to identify the right folks, get their requirements, and then figure out the best way to achieve those requirements. It seems pretty straightforward, and in concept it is. But doing it in practice is a lot harder. But not as hard as cleaning up the mess after you've bungled the incident response.
http://www.cutawaysecurity.com/blog/archives/320
Link to this

Think like a billionaire!
Adam doesn't like that many folks recommend that good guys think like bad guys. It's too hard. We don't know what the bad guys are thinking. Adam suggests they try to think like a professional chef to get a feel for the futility of that kind of approach. How about we think like a billionaire, which is similarly remote? He makes a good point, but it's really a play on words. The concept of thinking like an attacker isn't so much to try to get into their dysfunctional heads, it's to USE THEIR TECHNIQUES. So you need to understand the tools they use and learn how they use them, and then you have a chance to defend yourself. Not to put words in Adam's mouth, but it sounds like what he is really asking for is better educational tools to train the next generation of security professionals. Foodies have the Food Network, where if they watch long enough, they kind of can get an idea of how to "think like a professional chef." We don't have the Security Channel, so we've got to do something else to more effectively train personnel.
http://www.emergentchaos.com/archives/2008/09/think_like_an_attacker.html
Link to this

Rich needs to read the Black Swan (and so do you)
The Mogull condemns most risk quantification in this post, mostly because the Financials can't figure out how to do it (and they have a lot more at "risk" than us security pukes), so therefore it can't be done. Rich is right on a lot of these points, but ultimately a lot of the issue has more to do with the reality that we CANNOT predict outliers. Every security professional should read The Black Swan. Yes, it's hard to get through. Yes, your eyes will bleed at times. But it really solidified in my mind the reality that we cannot predict the next successful, wide-spread attack, so you have to plan for that. The sin of the Financials is that they didn't foresee a total meltdown of the sub-prime business. It was an outlier and they didn't plan for it and now the US taxpayer will be footing the bill. You couldn't assign a probability to this kind of occurrence, but it did happen, which makes Rich question the ultimate value of trying to quantify risk. The Black Swan approach assumes nothing and forces you to know how to react when an unknown happens. And that's how we live to fight another day.
http://securosis.com/2008/09/17/the-fallacy-of-complete-and-accurate-risk-quantification/
Link to this

Deal: McAfee gets more "Secure"

Submitted by Mike Rothman on Mon, 2008-09-22 12:57.

McAfee is proving itself to be the most astute buyer out there in security land. For less than $500 million, they acquired Secure Computing this morning and are now back in the network security business. Pete Lindstrom goes through the weird chronology and I'm thankful that there are other guys in this space as long as I've been - so I don't have to remember everything.

Secure Computing has been struggling. You only need to look at the stock chart over the past year to see that. They were caught in no-man's land. Not big enough to do real deals (Securify is not a real deal), but too big to be nimble or easily acquired. Not at close to a billion dollar valuation (which is where they were only a few months ago) anyway. But at half a billion, a deal became just a matter of time.

Alan points out that things started to turn to the negative for Secure once they bungled the CyberGuard acquisition. And before that deal was even through the alimentary canal, they totally over-leveraged themselves with the CipherTrust deal. McNulty got tossed and Dan Ryan (the new CEO) was faced with rebuilding. The stock got hammered and basically it was going to be a long steep climb back up.

Then McAfee came a knocking, and getting out is probably exactly what the board and the executive team saw as the only feasible option. It seems Dan Ryan is going to stick around and "run" the network security business, and we'll see how much (and who) else decides to stick around.

What's in it for McAfee? Well besides buying more revenue at a good value, they are also filling out the product line. Besides IntruVert (the enterprise IPS product), McAfee had very little exposure to the network security market, so there is very little overlap. Secure brings a bunch of firewalls/UTM devices and the email security gateway (CipherTrust's IronMail).

But the real gem here is Webwasher. McAfee's product in the web gateway space was poor and Secure's is a market leader, and this market continues to grow at a decent clip. McAfee will also try to make a big deal about TrustedSource (Secure's content reputation service), but it's not that novel anymore. Everyone has a reputation service nowadays.

For a long time, UTM and other network security words were counter to McAfee's positioning. But ultimately how can you say you are a legitimate enterprise security provider without having competitive offerings for securing the network? I could make the same case for Symantec (after they moved their gateway business over to Juniper a few years back). Basically you can't, so the pendulum will keep swinging back and forth, as technologies get spun out and subsumed again.

The channel synergy will be pretty good as well. Secure was having a hard time keeping enterprise-class sales folks, so having a lot more to sell and being more competitive will certainly help both retain and recruit better folks in the field. McAfee may also be able to revive the CyberGuard business, given its mid-market distribution engine. Existing McAfee reps and channels get access to new product lines that can only broaden the value they offer for customers.

And let's not forget the US Feds. They are spending money like it's going out of style, or had been anyway before the Treasury wrote a trillion dollar check over the weekend. Secure had a good position in the Government market and McAfee is pretty strong there too. Definitely synergies in one of security's growth markets.

Of course, synergy on paper doesn't mean a lot until integration and execution happens. Secure Computing proved that many times, so the jury is really out on this deal, but given the price and lack of product overlap - it looks pretty good at first blush.

Photo: "Fish eat fish" originally uploaded by clara


Pragmatic CSO Podcast #22 - Homework for Buying Security Products

Submitted by Mike Rothman on Wed, 2008-09-17 08:22.

The dog ate my homework. I swear.

As we jump into Step 6: Buying Security Products, it makes sense to understand what kind of homework we are going to have to do to prepare for the process. This is homework you need to do, so I don't want to hear any excuses about the dog eating your homework. Remember, it's easy to buy something, it's hard to buy the right thing at the right time for the right price.

So this week we discuss the first 4 steps of the Buying Security Products process I published back in 2006. The first step is to understand the business drivers for your project, then you assemble the team, then you educate YOURSELF on the market (don't let the vendors educate you), and only then are you ready to engage with a long list of vendors that can potentially meet the need.

If you want to check out the Buying Security Products ebook, you can sign up for the Daily Incite email newsletter. If you read TDI via a blog feed, just send me an email and I'll forward the guide over to you.

Running time: 7:14

Intro music is Jungle and I finish it up with the Beatles' "Can't Buy Me Love" because at the end of the day that little statement should keep everything in context.

Direct Download: 22_Pragmatic_CSO_Podcast_22.mp3


Photo Credit: iirraa

The Daily Incite - September 16, 2008

Submitted by Mike Rothman on Tue, 2008-09-16 09:00.
Today's Daily Incite

September 16, 2008 - Volume 3, #77

Good Morning:
I have to admit, the fall is my favorite part of the year. It wasn't always that way, but in Atlanta - the fall is just awesome. Of course, it's mid-September and it's still 80+ degrees. So fall doesn't really start for another month. But the weather is temperate (as opposed to the summer), the kids are back in school and their routine, and of course, it's football season.  
How'd the golf ball get there?
Have I mentioned that I love football? Of course, when the Giants start 2-0, it's a great start. But seeing Dallas and Philly pound each other into submission last night, I realize how difficult the NFC East is going to be this year. Dallas was lucky to pull that one out. I had no intention of watching the game, I had a lot to do - but I was fixated on seeing each team decimate the other's defense. It's what pro football is all about.

September also brings my annual golf trip, which is the end of this week (so I may not post on Thursday). Which is kind of a joke because I'm not really a golfer. I chase the ball around for 4 days, competing in the high handicap group and basically waiting for the beer cart to swing by. Once we are mercifully done with the round, then we get to drink some more. Sometimes I just like to make sure my liver knows I'm still here.

Last year, everyone was great in giving me all sorts of tips for folks that don't golf too much. Take a shorter backswing, keep your head down, don't leave that double bogey putt short, I heard lots of stuff. Thanks for that, but ultimately it doesn't really help. I just hope my game stays together long enough to win a couple holes for my team.
Unfortunately, I'll contribute a bunch of golf balls to the rewash foundation. Those are the balls that end up in the drink, like the picture above shows. The club hires some divers to collect the balls from the water hazards and then they sell your own balls back to you at half price. It's kind of like being married.

Though this year I did decide to buy a new set of clubs. I've been playing my old Hogan Magnums for about 20 years. No joke, I got them in college. So I went down to Costco and bought the Nicklaus club package. 13 clubs, a bag, and a bunch of head covers for $249, and they make my old clubs (which were top of the line in 1988) look like hickory sticks. Evidently Moore's Law has come to golf clubs as well. I can get a decent set for 25% the price of just my irons years ago.

Of course, I could have spent thousands on a new set of sticks. Between the $500 drivers and the fancy irons, you can really splurge if that's your thing. And I know a bunch of guys that do that. But for me, it's all about good enough. Amazingly enough, I actually live a lot of the crap I spew every day. I went to hit some balls at the range over the weekend, and my new clubs are good enough. They are a lot more forgiving than my old sticks and I suspect it's going to make my trip a lot more enjoyable.

And if not, there is always the drink cart.  

Have a great day.

Photo: "Golf in the deep..." originally uploaded by asbjorn.hansen



Top Security News

Freedom for unsolicited emailer - shocker!
So what? - I'm not sure what Jeremy Jaynes paid his lawyers, but it's not enough. Those guys got the VA Supreme Court to overturn the state's spam law and thus overturn his conviction for being a scummy email profiteer. Whatever. Since I haven't been in the email security business for a few years, I'm pretty sanguine about the entire battle. Basically, people still click on links, thus they are getting pwned, thus there is still a huge economic benefit to sending unsolicited email. And until the economic benefit abates, there will be no progress. Sure the good guys will continue fighting the good fight and the bad guys will continue innovating and finding new ways to compromise the respective inboxes of your employees. Many of the bad guys now reside in places that are really beyond the reach of global law enforcement, but now it's not even clear there is a basis for law enforcement. Guess it's back to the same old same old.
Link to this

Yes, we need to keep fighting
So what? - Everyone has good days, where they think they can conquer the world (or at least make a dent in their to-do list) and not so good days, where you wonder why you even bother. Since I'm assuming you are human, then this kind of thing is going to happen. The other inevitability of being a security professional is that you are going to have to deal with incidents. Yes, it will happen to you. It's a point that John Sawyer makes on his Dark Reading blog. We still have to protect the flanks, educate the users, and do the best we can with the (limited) time and resources we are given. BUT we also have to plan for the incident and ensure we effectively and quickly contain the damage. Our job is to try our best to prevent the incident, but it's also to make sure a small incident doesn't become a major catastrophe. This is a hallmark of the Pragmatic approach to security, and it's important. So make sure your incident response plan is up to date and maybe schedule another run-through of your process. Remember, you don't want to find a gaping hole in the recovery process in the middle of an incident.
Link to this

Getting back to poor man's DLP
So what? - OK, this is a thinly veiled vendor byline published in Network World (by Blue Coat's Tom Clare), but it makes a couple of interesting points. I got an earful from folks in the DLP space about my thoughts on "poor man's DLP," basically the capabilities that come with your email and web gateways that can check for very simple regular expressions and other content matching algorithms. I maintain that for a lot of customers, this is good enough to meet the spirit of the regulations and also to address the most common data leakages. No, this probably won't wash for a Fortune 50 class mega-enterprise. But Joey-bag-of-donuts and his PCI requirements? Most likely. Now, if budget and time allow a more comprehensive approach to DLP, then I'm all for it. But if you are like most of the unfortunate 5 million companies out there with no time and no budget, then looking at a poor man's DLP may be a decent stop-gap until you can be a bit more strategic, or the gateway vendors buy some DLP technology and integrate it.
Link to this
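To make the "poor man's DLP" idea concrete, here is an added example of the kind of regular-expression content check a mail or web gateway rule engine runs over an outbound message body. It is illustration written for this page, not Blue Coat's, Borderware's or any other vendor's code, and the patterns, the Luhn filter, the block/allow policy and the sample email are all constructed for the example. It goes one step past a bare regex: a Luhn mod-10 check separates real card numbers from order numbers that happen to have the right number of digits, and the findings are stored masked so the DLP log does not become its own leak.

```python
import re
from dataclasses import dataclass

# Added illustration of "poor man's DLP": a regular-expression content check of
# the kind a mail or web gateway can run on outbound bodies. Patterns, policy
# and the sample message are constructed for this example; this is not Blue
# Coat's or any other vendor's code.

# Loose candidate pattern for a payment card number (PAN): 13 to 19 digits,
# optionally separated by single spaces or dashes. The Luhn check below does
# the real filtering, so the regex can afford to over-match.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")

# US Social Security Number shape AAA-GG-SSSS, excluding areas that are never
# issued (000, 666, 900-999) and all-zero groups.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


@dataclass
class Finding:
    kind: str      # "pan" or "ssn"
    preview: str   # masked form, so the DLP log does not itself leak the data
    offset: int    # character offset of the match in the scanned body


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: the test that separates real PANs from order numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_for_leaks(body: str) -> list[Finding]:
    """Return PAN and SSN findings in body, ordered by position."""
    findings: list[Finding] = []
    for m in PAN_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        # Drop Luhn failures and degenerate strings like 0000000000000000.
        if luhn_ok(digits) and len(set(digits)) > 1:
            masked = "*" * (len(digits) - 4) + digits[-4:]
            findings.append(Finding("pan", masked, m.start()))
    for m in SSN_RE.finditer(body):
        findings.append(Finding("ssn", "***-**-" + m.group()[-4:], m.start()))
    findings.sort(key=lambda f: f.offset)
    return findings


def policy_action(findings: list[Finding]) -> str:
    """Gateway rule, constructed for the example: any PAN or SSN going out
    blocks the message; nothing found allows it. A real deployment would
    also quarantine a copy and alert."""
    return "block" if findings else "allow"


# Constructed sample message (not a real capture). The second card number
# fails Luhn and the order number is 13 digits of junk; neither should fire.
SAMPLE_EMAIL = (
    "Hi Bob,\n"
    "Per our call, the customer's card is 4111 1111 1111 1111 (exp 09/11)\n"
    "and her SSN is 123-45-6789. Reference order 1234567890123.\n"
    "The old card 4111 1111 1111 1112 was cancelled.\n"
)

if __name__ == "__main__":
    found = scan_for_leaks(SAMPLE_EMAIL)
    for f in found:
        print(f"{f.kind} at offset {f.offset}: {f.preview}")
    print("action:", policy_action(found))
```

The caveat that goes with this: a regex scan only sees plaintext it is handed. It does nothing for data inside an encrypted or compressed attachment, for web traffic the gateway cannot decrypt, or for a user who splits or spells out the number, so it catches the accidental leak far more reliably than the deliberate one. That is exactly the trade the paragraph above describes, and for a small shop with a PCI checkbox to tick it is often the right one.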


The Laundry List

  1. Have distribution channel, will travel. Cisco takes market share lead in content security gateways, according to box counters at Infonetics anyway. Though I'm surprised Symantec is still listed. When was the last time you heard anything about Brightmail? - Cisco Subnet blog (on NetworkWorld)
  2. Deal: Hat tip to Ferris for catching the sly Quest/Akonix deal. Seems Gartner also caught it at the beginning of the month. Let's just say if it didn't even warrant a press release from Quest (or investor disclosure), they put Akonix out of its misery. It's about time, at least not all of the laws of economics have been repealed by dumb VC money. - Ferris Research
  3. Everyone jumps on the "intelligence in the cloud" bandwagon. Now Blue Coat is talking about their service that looks at 150 million requests a day. Is that a lot? Does it matter? - Blue Coat release
  4. Not dead yet, Borderware announces the new new thing in their security platform. Ready? It's DLP across email and web traffic. Yup, poor man's DLP coming to a gateway near you. - Borderware release

Top Blog Postings

Yes, it's about influence
Sometimes I wonder if I'm talking to myself. I know I'm not, but on those days when you are hibernating to finish a few writing projects and the most insightful conversation you have is with the Starbucks barista, it's nice to see something totally consistent with my thinking. Stuart King says in one sentence what takes me an entire book to discuss: "the fact that organisations are beginning to see influencing and negotiation skills as being just as, or more important, than the technical knowledge that got most of us into security as a career in the first place." Amen. Now to be clear, there is still a real need for technical competence and the ability to actually do things. But those folks don't have the senior security professional title. It's all about persuasion and evangelism. You need to be able to get the rest of the senior team on board with the security program and to think a bit before they do. It's a constant battle and done more over a 3 martini lunch than a keyboard, but that's the way we security folks need to roll. Dale Carnegie, here we come.
http://www.computerweekly.com/blogs/stuart_king/2008/09/success-through-influence.html
Link to this

Looking out for #1
Dre takes Jeremiah to task for spreading FUD and perhaps overstating the value of application testing, as opposed to building applications securely in the first place. Though Dre is well spoken and makes a lot of points, there are truths to both sides of the argument. The reality is there is NO PANACEA. Yes, the bad guys are scary, yes we are writing a lot of new code - most of which will never be tested, and yes, that means a lot of folks will be exposed. Dre is right that we can do a lot of great work to fix our applications and it shouldn't take years.  But remember, as charitable as you are, you shouldn't spend a lot of time worrying about them. Spend 99% of your time worrying about YOU. If you do some application testing and if you even make an initial lame attempt at secure applications, you'll be ahead of a vast majority of the other folks out there. Remember, a skilled attacker can beat you. Every single time. But most of the folks out there are pretty lazy, so they are going to go after the paths of least resistance. As long as you make it a bit difficult, the bad guys will move on to the next target. Unless, of course, you work at a high profile web property, then you are basically screwed and all bets are off. Have I mentioned the importance of reacting faster lately?
http://www.tssci-security.com/archives/2008/09/11/web-application-security-tomorrow/
Link to this

Breaking into the security business
I have to say one of the most frequent questions I get from visitors to securityincite.com is how to get into the business. That also goes for my work with SearchSecurity as well. On one hand, given the skills shortage we face in the security business, it's perplexing to me that folks are having a hard time breaking in. But then I remember that most HR departments don't think, they just do keyword searches to find lame candidates on Monster. Let me point you to a new blog called Security Wannabe, which goes into some of these career management issues. If you don't have any relevant experience, then get some. Start volunteering with local organizations that need help configuring their security. Do some pen tests on your friends. Learn the vernacular, maybe take a few courses and get a certification. And if you want to specialize, learn a bit about application security. That's the future of this business and we need all the hands we can get.   
http://securitywannabe.com/blog/2008/03/13/breaking-into-the-it-security-industry-for-fun-and-profit/
Link to this

Bracing for the long, cold winter

Submitted by Mike Rothman on Mon, 2008-09-15 07:33.

I think we all knew the financial industry (mostly here in the US) was in the deep doo-doo. But I don't think the depth of the issues was known to most.

Just over the past weekend, Lehman Brothers has filed for bankruptcy and Merrill Lynch pulled a rabbit out of a hat and got Bank of America to pay a 70% premium to acquire them. It seems BofA wasn't happy with catching a falling knife again (after Countrywide) and turned on the gravity inverter to make it seem like Merrill was worth more, not less than Wall Street figured on Friday.

So over the past few months, Bear Stearns and Lehman are gone. Merrill is subsumed (though their brand will live on within BofA) and you've got a death watch on other major financials like WaMu, Wachovia, and AIG. Will this "crash" rival the issues of the 1930s? I don't know, but we probably need to start planning because our rainy days are upon us.

How will this affect the security industry? Your guess is as good as mine. Alan speculates a bit and I do think that many of the financials will be spending less money ON EVERYTHING, including security. But the US Feds and other verticals (like retail) are picking up the slack. So I think that's probably a break even proposition.

Darwin will re-establish his dominance and I believe we'll see a few more security companies becoming extinct. The strongest (and biggest) will gain market share and the marginal companies will go away. Especially given the reality that VCs have no reasonable exit paths right now, so they aren't going to rescue any of the walking dead in the space. And it's not like you can go down to your bank and get a line of credit nowadays.

From a practitioner's perspective, get ready for the long, cold winter - even if you live in a warm region. The global economy is going to get worse before it gets better. It's fiscally responsible to tighten your belt and focus on the projects that save you money and time, as opposed to those "nice to have" technologies that address emerging attack vectors.

And work on your containment plans. Remember, Bear and Lehman never saw it coming, and you probably won't either. So make sure you are in a good position to REACT FASTER and contain the damage. While the grizzlies are hibernating, we security folks need to make sure there is a world to wake up to when the spring thaw happens a few months from now.

Photo: "Car crash - Stourbridge" originally uploaded by Ian Hampton

The Daily Incite - September 11, 2008

Submitted by Mike Rothman on Thu, 2008-09-11 06:28.
Today's Daily Incite

September 11, 2008 - Volume 3, #76

Good Morning:
Today is a solemn day in the US. It's the day we remember the senseless attack. The fallen innocents. The serious chaos that resulted. We also need to celebrate the resilience of a democratic and free way of life. The terrorists wanted to make us cower, and not so much. Our financial markets recovered in days, not weeks. Our country rallied to fight against the common enemies. There is no purpose in whining about still being in the Middle East or any of the other debates smart passionate people argue about today. That is not respectful of the memory of those lost.
NYC
I was actually in Boston on Sept 11, 2001. I flew into Logan that morning. By the time I got to the office, the first plane had hit and they were trying to find the second. CNN.com had crashed, so no one knew what was going on. Then my CEO brought out his little TV and we watched until the towers came down on a 4" screen. I finally had to take the train home to DC 2 days later because all the flights were still grounded.

I don't think I was ever so happy to get home and hug my wife and baby (Leah wasn't yet a year old).

As serious as 9/11 is, September 12 is truly a celebration in my house. Tomorrow we'll wish the twins a Happy 5th Birthday. I remember both 9/11 and 9/12 of 2003 like it was yesterday. I was wrapping up a sales rally at TruSecure and hoping to not get the "call" that the Boss was going into labor before I finished up my last presentation for the field. She was 37 weeks pregnant and carrying almost 14 pounds of baby. She could have popped at any time.

But she held on until the scheduled birth on 9/12. The funny thing is that we know another 3 or 4 kids that have 9/12 birthdays as well. We picked that day and evidently we weren't the only ones with this idea. We didn't want the twins to have any kind of stigma to the day they entered the world.

My folks kept telling me that time just flies, and it really does. I look at Lindsay and Sam and I'm just amazed. They were born one minute apart, but they are so very different. They've got different temperaments, personalities, opinions, and likes/dislikes. Yet, they are best friends. We went to our niece's birthday party last weekend (Happy Birthday Rachel!) and saw the two playing together, they were inseparable. And it was really cute.

Happy Birthday Lindsay and Sam. 

Have a great weekend. 

Photo: "9/11 Reflections" originally uploaded by Sister72


The Pragmatic CSO
The Pragmatic CSO:
Available Now!

Read the Intro and Get
"5 Tips to be a Better CSO"

www.pragmaticcso.com
Get Your Special Report:
6 Easy Steps to Protect Your Identity
and
get access to Security Mike's Portal today

www.securitymike.com

Security Mike's Guide to Internet Security

Top Security News

Too busy? Nah, just addicted to the status quo
So what? - Running my own business, I know a bit about investing time now to save time later. Whether it's systematizing some business process, outsourcing some busy work, or just trying to do things smarter - sometimes you have to suck it up and invest the time now because you won't be able to scale later. Looking at this Dark Reading article on SIEM reminds me of those decisions. But I think many security managers are missing the point of what a security management platform is supposed to do. It's about control and automation. The reality is no human can wade through the morass of data that comes out of our security devices. Add in a bunch of other devices (like the network) and any shred of monitoring (like NetFlow, for example) and there is just no way a human scales. So you need tools. Saying you're too busy to do your job is a cop-out, pure and simple. Now if it was just about time, then I can accept that. But this is about not being able to do your job, so the too busy excuse just doesn't hunt. But it's not just the customers that are at fault, it's a continued indictment of the security management market that the solutions still don't go in cleanly and with little integration. When a customer doesn't have the time to implement a solution that will change the way they do things (for the better), then lots of things are screwed up.

You don't just get honey from that honeypot
So what? - I talk pretty frequently about testing your defenses (Hack Thyself!) and the importance of using the same tools and techniques the bad guys are using, to ensure you are protected. Interesting post here by Jimmy Ray in the NetworkWorld Community about the importance of running your own honeypot. Is this to "trap" the bad guys? Nah, it's to learn. By checking out attack traffic and spending some time analyzing how the honeypot was attacked (and presumably compromised), you can learn what's happening out there. You can see potential new attack vectors that will allow you to tune your defenses. But ultimately you keep your knowledge fresh, and in a business as dynamic as security, that's where the real honey is.

99% Guarantee - That's bold!
So what? - I do appreciate bold marketing campaigns, and when I saw this release from Secure Computing guaranteeing 99% effectiveness, I thought it was a pretty bold move. Though it would have been a lot more relevant 3 years ago. I can't recall the last time I saw catch rate being used as a differentiator. Doesn't everyone know that all the devices are equally mediocre? Today one is at 98%, tomorrow 93% and the next day 100%. That's the way spam works. It's still a serious arms race. So let's say a customer is swayed by the thought of a 99% guarantee. How do they know? Oh, Secure's appliance tells them what the catch rate is. I wonder if they've hard coded an automatic 99.1% catch rate in the reporting engine. Yes, I'm joking. It's kind of like the fox reporting that they haven't eaten any of the chickens, even though the hen house is empty. So let's say the box does say you only get a 97% catch rate, what then? You get a 3 month extension on your maintenance. Right, it's not like they are going to give you the money back on the box. Or let you pull it out and buy something else. So, don't look behind the curtain and appreciate this for the sound bite that it is.


The Laundry List

  1. Symantec claims the "fastest" security products. Does it do 100 gig? Oh, we're talking about AV. And who cares about speed? It's all about reducing the amount of overhead and resource consumption, which they mention as the 2nd bullet. I guess speed is security's attempt at "change" in 2008.  - Symantec release
  2. CIS looks to define security metrics for all of us. I look forward to the output, since metrics is still the gaping hole in our ability to manage our security. - NetworkWorld coverage
  3. Deal: Someone I never heard of acquires CounterStorm, who I thought had already gone out of business. Another insider threat thing goes away. - Trusted Computer Solutions release
  4. ArcSight beats the number, promotes COO to CEO, and gets a 10% haircut. Maybe something to do with that decelerating growth rate. - ArcSight earnings release

Top Blog Postings

The business should be managing business information
Interesting nuance here from Shrdlu about separating business information from identity/security information. Anyone that deals with SOX now understands about separation of duties. You don't want any single individual to be able to commit significant transactions. This idea of "information separation" is similar. The example used is the difference between the IAM system (mostly for authentication and authorization) and a CRM system. The IAM system doesn't need a lot of detail besides who you are and what you are supposed to get to. I get the leverage of integrating disparate silos of data to enable new analysis or new processes, but when we are talking about defense - it's strictly a need to know basis. So stay focused on security, not on data management. You should have other folks to do that for you.
http://layer8.itsecuritygeek.com/layer8/wonky-thought-for-the-day

Are you a playa?
Arthur Treacher makes a great point on Emergent Chaos about whether you are involved in the discussion or not. Basically, pulling an analogy from the fine economic risk management field, if you aren't privy to the wider set of data, you can't do your job. And that's exactly the point for security folks. If you aren't consulted during the architecture phase, if you don't know about mergers or divestitures, if you have no idea about a totally new Internet-based business being launched next week - THEN YOU CAN'T DO YOUR JOB. How to fix the situation? Well, there is no easy answer to helping you build credibility. It's all about evangelizing the program, setting milestones and then hitting the milestones. Yes, it's about being Pragmatic.
http://www.emergentchaos.com/archives/2008/09/risk_managers_are_just_li.html

Preventing FOI
No, this isn't a food blog. Following up on Schneier's indictment of security ROI, AndyITGuy coins a new metric that we need to be concerned about. FOI - Failure of Investment. This dovetails nicely with my general perspective that security is pretty binary. As far as your executives care (and they have the only opinions that matter), you have been compromised or you haven't. Of course, the easiest way to ensure a zero FOI is to unplug all your devices from the network. And it doesn't really help you constantly improve your operations or figure out which investments need to be made. So we don't get off the hook of having to deal with some of these other numbers. But at the end of the day, FAIL is the only thing most people are worried about, so we need to make sure we are doing enough to avoid the FAIL, but not so much that no one can get anything done. Oh yeah, one other thing. FAIL happens. So you better be able to recover from the FAIL as well, or else you'll be dusting off your resume.
http://andyitguy.blogspot.com/2008/09/security-roi-debate-continues.html

Pragmatic CSO Newsletter #65

Submitted by Mike Rothman on Wed, 2008-09-10 07:02.
Pragmatic CSO Weekly

September 10, 2008 - #65

Mike's Pep Talk:

"It's one thing not to see the forest for the trees, but then to go on to deny the reality of the forest is a more serious matter."
-- Paul Weiss

Can you see the forest for the trees? Take a look at the picture below. Is it a thundering ocean? Or is it an electron microscope image of a piece of fabric? I don't know, it may be both.

But that isn't really the point. One of the hallmarks of the P-CSO is to think about the PROGRAM of security and to embrace the reality that the senior security professional's job is NOT to configure firewalls or ensure 99.999% AV coverage anymore. It's about managing the process of security. It's about persuading your peers on the executive team that security is important and they need to factor that into their own operations.

Micro or Macro? You be the judge...

Per usual, Richard Bejtlich summarizes the concepts much more effectively than I could by breaking security up into macro and micro-security disciplines. I tend to work (and think and write) from the macro perspective. This is all about the BUSINESS of security. It involves positioning the value of the security program, evangelizing it, and then selling it to the folks that actually do things.

Micro-security is about what gets done. The day to day operations that drive the security process and hopefully repel the attackers for one more day.

To be clear, both are important. Many folks opt to focus on micro-security because that's what they know and they tend to feel more comfortable with their technical hats on. Even Richard admits: "I think I prefer microsecurity issues but spend time on the macro side when I have to justify my work to management."

And you can get through most days just focusing on the micro. But we need to keep in context that macro security is about more than justifying work to the money men (and women). The work you do on the macro side is about credibility. If you don't have that, you'll likely be sunk when the inevitable incident happens.

And then you'll have a lot of time to figure out the forest from the trees.

Photo credit: Bewdlerian

The Greatest Asset (and Threat)

As Matthew Rosenquist points out on the Intel blog, it's our people that are both our greatest asset and threat. That's why education and evangelizing the importance of security are so important. Your employees don't want to think about security, they want to do their job. But they can do their job with a healthy respect for attackers and a consideration for protecting private data and intellectual property, or not.

Your job is not to make their life hard, but to always be there to remind them about right and wrong. Especially when they first join the company. There I go again, talking about evangelizing and selling. If you want to focus on the micro (see above piece), that's fine - but understand that someone has to focus on the macro, bigger picture security program stuff.

Your job is also to save the employees from themselves by putting layers of defense in to make sure that even when they do stupid things, they don't put themselves or your organization at risk. But we don't need to tell them that, do we?

The Daily Incite - September 9, 2008

Submitted by Mike Rothman on Tue, 2008-09-09 05:51.
Today's Daily Incite

September 9, 2008 - Volume 3, #75

Good Morning:
Should you be totally psyched or appalled when it seems your kids are going to become sci-fi tools like their parents? That's right, one of my first memories of going to the theater was to see the original Star Wars, back in 1976. My Dad, brother and I saw it twice, since it was a bit much for an 8- and 5-year-old to get. I'm sure I saw movies before then, but I don't recall being consumed with the Apple Dumpling Gang.
So when the kids showed an interest in seeing the Star Wars movies, I was hugely fired up. The Boss is into Sci-Fi as well (Twilight Zone is her favorite TV show, EVER), so we figured they were old enough to see the light saber battles and deal with the mature themes of planets blowing up.

So where to start? Do we start with Episode 1, at the beginning? Or do we push them down the path we followed - seeing Episodes 4, 5, and 6 before delving into the prequels? Ultimately we are staying true to the history and started with A New Hope (Episode 4). I forget how great a movie it is, and the kids just loved it.

They were asking questions and trying to understand how the speeders and light sabers and spaceships worked. It provided us a great opportunity to explain about reality vs. imagination and also to reinforce that whatever they dream can be turned into reality, if they work hard enough and don't violate too many laws of physics. It's really just amazing to see how the same movies are having the same effect in expanding my kids' horizons, as they had on me over 30 years ago.

We give them pennies each day when they behave correctly (beatings out by the wood shed are frowned upon by social services nowadays) and all the kids have already allocated their next gift to buying Star Wars toys. I can't wait to see my boy running around with the Darth Vader helmet on and the kids in the middle of an epic light saber battle on the guest bed. It's not hard to see how George Lucas is a billionaire, given the reach and timelessness of his stories.

Have a great day and may the Force be with you. 

Photo: "Hi! I'm Darth Vader" originally uploaded by Official Star Wars Blog


Top Security News

Security? Nah, not a problem
So what? - Have I mentioned lately how much I like surveys? I've spoken to a lot of CIOs over the years, and I can't remember even one telling me that security isn't an issue. It wouldn't be politically correct, now would it? They need to pay lip service to the security gods, lest they get nailed for not taking the threats seriously. So seeing this CompTIA survey that, amazingly enough, pinpoints that security is the top concern among 33% of the respondents. What are they going to say? Even more interesting is the survey Forrester did which says security is now 10% of the IT budget, which is up. Even better (especially if you are a security sales person) is that things seem to be poised to remain strong. I still don't get it. The global economy is going to hell in a handbasket and security is going to remain strong? That would be great, but I'm still a bit skeptical. It's not that I think the CSOs are telling the truth, but I suspect they may not be totally clued into budget gyrations. CSOs not totally in the loop? Never heard of that either.

How about running security as a business?
So what? - I remember back to my META Group days, and the ideas about strategic sourcing and running IT as a business were first starting to percolate. I hadn't thought of that term in quite a while, but when I read this column talking about the "limitations" of this philosophy, I remembered the context. Given the drive towards strategic outsourcing, the executive suite started pushing the IT group to benchmark their operations versus what it would cost someone else to do it. 10 years later, it seems the approach has been hit and miss. In some cases, the business mentality has helped provide a more service-oriented perspective. In other cases, it crushes morale because the true inefficiencies of some IT groups become readily apparent. Will this kind of thing help a security group? Ah, not so much because it's not like the IT group is going to really "buy" someone to make their life more difficult. And that kind of "service" mentality could also be dangerous because security isn't about keeping the customer happy, it's about making sure they do the right thing. So IT

Let's hear it for Big Art(emis)
So what? - Sometimes you read a release and wonder what are these folks thinking? Evidently yesterday McAfee "reinvented computer security." That's exciting, no? What did they do, come up with a god-box? A Rosetta Stone to decrypt everything (like in Sneakers)? What could it be? Oh, it's a different list of stuff in the cloud that they've given a slick name: Artemis. So if you don't have a signature and a file seems "suspicious," then they check the cloud and see what's up. Uh, OK. Sounds like PrevX to me. I'm sure it's different and different from the stuff Trend and Panda are doing. It's "reinventing security" after all. Basically, it's still a losing proposition. Banging on the network every time you see something you don't recognize isn't the way to utilize bandwidth effectively and doesn't help performance of the application. But I don't want to be too critical without having the crack testing teams of folks like ICSA and Consumer Reports to bang on it, since they know everything, no?


The Laundry List

  1. Does security ROI matter? Probably not, but Schneier makes a couple of good points about keeping the results of the analysis in context. - Schneier blog
  2. Shavlik jumps on the virtualization security bandwagon. Is it more than just the same old stuff, just more and faster? Not according to Hoff, but it's still not clear how this will shake out. - Shavlik release
  3. Blade Server now the panacea? IBM thinks so, and does new innovative things like run Check Point on it. Yep, innovation in the flesh. - IBM release
  4. Jay Chaudhry gets Jayshree to sit on Zscaler's board. The 200-page PowerPoint announcing the move is on their web site. - 451 security blog

Top Blog Postings

Anything relentless is good by me
Reading Alex's latest series about Hansei-Kaizen brought me back to a time long ago in a place far away. Well, not that far away, rather upstate NY when I was in college. I studied Industrial Engineering and we spent quite a bit of time thinking about Japanese manufacturing techniques (even if they were modeled after a great American business thinker). The Kaizen (constant improvement) aspect of Alex's thinking is a no-brainer. Figuring it out and quantifying it, not as much of a no-brainer since it's not clear what type of metrics will yield the greatest impact from an outcome standpoint. I'll talk about that a bit more on Thursday. But let's zero in on the idea of "relentless reflection," or Hansei; it's an interesting idea. I liken it to one of my mantras - Question Everything. And I mean everything. We can't assume that something is right because the world is too dynamic and attacks are evolving too quickly. So we've got to constantly be reassessing and making sure defenses are where they need to be continuously. I know, it's much better from a job satisfaction perspective to be able to just finish a job and leave it in the rear view mirror, but you work in security - so that's not an option.
http://riskmanagementinsight.com/riskanalysis/?p=393

Kind of sounds like "change" to me
The Hoff rants a bit about misuse of the term "next generation" from many of the security marketers out there. He'd give them a 15-yard personal foul, if he could. Maybe even suspend them for 4 games for violating the league's good marketing taste policy. Yet, many of the companies out there have no choice. They need to position their stuff as new and exciting, and at the same time position their competitors as old and stodgy. But then the competitors come back and try to take the high ground using your own words against you. They try to position the shiny new thing as dangerous and not viable. They may be gone tomorrow because they don't have the longevity and the track record to be the safe choice. No I'm not talking about the US Presidential Election - really. But if you want to learn anything about competitive marketing, you should pay attention. Regardless of your affiliation and emotions about the topic, the way both campaigns try to dominate the news flow and constantly position their opponents are great lessons in how to do marketing. It may make you crazy, but for better or worse it works. Because like the US electorate, many of the "customers" out there are ill-informed at best, and mostly dim bulbs so they'll respond to a negative attack. It may not be right, but it's reality.
http://rationalsecurity.typepad.com/blog/2008/09/the-most-overus.html

Learning to love evolution and reinvention
Interesting post here by Patrick Foley about the need to constantly reinvent ourselves. That's right, the world is a dynamic place and the skill set you have today probably won't be that useful tomorrow. Especially since you've chosen to go down a technology career path. It wasn't that long ago when COBOL skills were in high demand or Pascal or Fortran (yes, three programming languages I learned way back when). Now, not so much - except to maintain those old systems they just can't turn off. Same goes with your security skill set. You may be a killer firewall analyst, but at some point that will become reasonably automated. You may have some serious pen testing kung fu, but the technical attacks are also showing up in free tools. Of course, that means you need to figure out what isn't automated now and what VALUE you add to the organization and which skills will be most desirable in a few years' time. It's kind of like investing, you need to look at the market and figure out the macro trends. Then you need to position your personal skills "portfolio" to be in demand and rising a few years out. But you aren't done, because as with investing, it's easy to buy - but much harder to sell. So you've got to be figuring out when a position needs to be unwound and what other "assets" should be invested in. Yes, you need to manage your own portfolio probably quite a bit more aggressively. They call that career management.
http://www.bloginfosec.com/2008/09/03/so-why-do-we-need-security-professionals-anyway/

Rise up against Mediocrity

Submitted by Mike Rothman on Mon, 2008-09-08 08:42.

A few folks (Emergent Chaos, Risk Analys.is) pointed to probably the best Dilbert I've seen in a long time. A lot are funny, but this one really struck home.


When people asked me what I did for a living for a long time my standard response was: "Fight against mediocrity." And that's kind of how I fancied myself. A crusader against all lameness. Someone who wouldn't just accept "that's how we do it," when doing it that way was just stupid.

Part of it is naive idealism. Another part is actually wanting to make a difference.

But over time, you get beaten down. Many incentive systems reward for mediocrity. For doing just enough. And if you consistently don't get rewarded for going the extra mile, after a while you'll stop. No one is so self-motivated that they outperform their peers and blast expectations for an extended period of time without some kind of reward and recognition.

That's why I think change is so important. Changing what you do, maybe who you do it for, what your goals and aspirations are, who you hang out with - anytime you start to feel stale. Stale = mediocre.

We in the security business are particularly guilty of accepting mediocrity. Our brand of mediocrity flies by under the term compliance, which are basically the best practices that we should adopt - or have our executive officers suffer the mythical perp walks.

One of the things I mention in the P-CSO is the importance of thinking differently and not doing what everyone else is doing from a defense standpoint. Dilbert makes the risk of the lowest common denominator approach abundantly clear. If you do what everyone else does, then your adversaries know what that is, thus THEY KNOW HOW TO BEAT YOU.

I love those old movies like "Home Alone," where the bad guys stumble and bumble into every trap. The little kid set a bunch of non-traditional traps and the bad guys didn't know what to do about it. That's exactly how we need to start thinking about computer security as well. As fun as it would be to spray a hacker with honey and then dump them into a pile of feathers, we need to find the digital equivalent of that.

That's why I continue to beat the drum for Security FIRST! as a mantra. If you do security correctly, then I'm pretty confident you won't have much trouble with compliance.

It's too easy just to push the compliance button and figure everything will be OK. To figure that compliance is the end goal, the finish line. Folks we work in security, THERE IS NO FINISH LINE. Compliance is the lowest common denominator. It's something that everyone is doing (or should be doing) and it represents mediocrity.

And who wants to go through life settling for mediocrity?

Photo: "mediocrity" courtesy of Despair, Inc.

The Daily Incite - September 4, 2008

Submitted by Mike Rothman on Thu, 2008-09-04 08:15.
Today's Daily Incite

September 4, 2008 - Volume 3, #74

Good Morning:
After seeing so many live music shows this year, the sizzle is waning. Sure, it's great to see fantastic, charismatic singers. And folks that can make sounds come out of a guitar that boggle the mind. But while I was seeing My Morning Jacket last week or John Mayer over the weekend, I didn't focus on the guitarists (as good as they are). I wanted to pay attention a bit to the unsung heroes that make live music happen.
That's right, let's hear it for the rhythm section - the bass guitarist and the drummer. With very rare exceptions you don't go see a band because you like the bass player or the drummer. Of course, you go to see Rush to remind yourself how great Neil Peart is. I think that Sting guy may be able to sing also. But beyond that, who is the drummer? Who is the bass player?

So at the last two shows I tried my best to pay more attention to the bass player and the drummer. They were good. MMJ's drummer had long hair that seemed to do more damage to the cymbals than his drum sticks. John Mayer's bass player kept the rhythm going, but now a few days after the show, I couldn't tell you what that guy looked like. I guess I'm like everyone else. It's the shiny objects that are memorable, not the rhythm section.

The guitarists get all the money and the chicks (or guys if they swing that way). So this weekend let's try not to forget these other folks, even if they are entirely forgettable. Go find a bass player or a drummer and thank them for the labor they provide during every live show. Tell them without their contributions, you'd only have half a band. Half a band sounds like crap. 

And then get back to staring at the guitarist. Man, those guys can play!

Have a great weekend. 

Photo: "bass player" originally uploaded by davidex


Top Security News

All that glitters isn't Chrome
So what? - So Google goes and releases a "browser" and the entire Internet is aflutter. Open Source, ooooh. New JavaScript engine, ahhhh. It's even secure! OK, maybe not, since it seems someone ran a fuzzer on it and found some vulnerabilities already. Not that it wasn't expected, but it's still funny. Evidently the browser works OK, according to the folks that have played with it. Dennis Fisher figures it won't make a huge dent in market share beyond the digit heads, Mitchell is bitching about having to Q/A another browser platform. Do I think this is earth shattering? Nope. But it's clear that the underlying OS will just be a host for a variety of "application" platforms that are optimized for specific use cases. Chrome will be one, maybe Firefox another, maybe you'll get developers extending Chrome to optimize it for their own environments. And it won't matter if you run Windows or Mac OS X or even Linux on your device. This will likely accelerate the marginalization of the OS, and that's a good thing. Amrit is on the right track about this being a "platform" more than anything else. But let's not anoint Chrome as the best thing since sliced bread from a security standpoint until it's been proven. Google does beta stuff pretty well and until I can get NoScript type of functionality (and a Mac version), I'll be waiting on the sidelines.

Private browsing - so much for snooping on your folks
So what? - A lot of organizations have deployed user web monitoring, I mean web filtering in order to make sure their users stay productive. That's how they justified the expense anyway. You have a gateway and it stops users from going to "bad" sites that would burn up most of their day (Facebook anyone?). You also could enforce your acceptable use policies based upon cookies and other cache items left on the browser during an investigation. But now everyone is taking Apple's lead and adding a pr0n mode, I mean privacy mode to their browsers. Maybe that's why most of the Apple users I know are a lot happier than those suffering through with IE. IE8 will have it, and so will Google Chrome. So aside from allowing boys to be boys, what are the risks of these private browsers? Basically these do cut off a significant information source for investigations. As Seltzer points out, it's not clear what the real impact will be for compliance purposes and monitoring technology usage by employees. But all is not lost, since we can still monitor the network. You also may want to (try to) enforce the usage of a VPN for remote employees, so their web traffic is routed through your network. Then you can monitor that too. That one's a bit harder, but it's possible. The action-reaction process continues unabated. At least you know these new actions are happening, so you can plan your reactions.
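The gateway-side view the item above falls back on, as an added example that is not code from the original post: it reconstructs per-user web activity from a forward proxy's access log, which private-browsing modes do not touch. The log lines, users, hosts and addresses are constructed, the acceptable-use policy table is hypothetical, and the line layout assumed is Squid's native access.log format.

```python
"""Per-user web activity reconstructed from gateway (forward proxy) logs.

Added example, not code from the original post.  A browser's private mode
discards local cookies and cache, but the web filter or proxy at the edge
still records every request it forwards, so that log is where an
acceptable-use investigation moves to.  Log lines, users, hosts and
addresses below are constructed; the policy table is hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample in Squid native format:
# <epoch.ms> <elapsed_ms> <client_ip> <result>/<status> <bytes> <method> <url> <user> <hier>/<peer> <mime>
SAMPLE_LOG = """\
1220519400.123   312 10.1.2.17 TCP_MISS/200   48213 GET http://www.social.example.org/home alice DIRECT/192.0.2.10 text/html
1220519460.002    57 10.1.2.17 TCP_MISS/200    9120 GET http://www.social.example.org/photos alice DIRECT/192.0.2.10 text/html
1220519520.900   410 10.1.2.42 TCP_MISS/200   15321 GET http://intranet.example.com/wiki bob DIRECT/10.0.0.5 text/html
1220519580.441   199 10.1.2.17 TCP_TUNNEL/200  2044 CONNECT video.streaming.example.net:443 alice DIRECT/198.51.100.7 -
1220519640.010   120 10.1.2.42 TCP_DENIED/403   320 GET http://www.social.example.org/ bob NONE/- text/html
"""

# Hypothetical acceptable-use policy: domain suffix -> category.
POLICY = {
    "social.example.org": "social",
    "streaming.example.net": "streaming",
    "example.com": "business",
}


@dataclass
class Entry:
    ts: datetime
    client: str
    user: str
    method: str
    host: str
    path: str      # empty for CONNECT: TLS hides the path from the gateway, the host is still visible
    status: int
    denied: bool   # the filter blocked the request (TCP_DENIED)
    nbytes: int


def parse_line(line: str) -> Entry:
    """Parse one native-format access.log line into an Entry."""
    f = line.split()
    ts = datetime.fromtimestamp(float(f[0]), tz=timezone.utc)
    result, status = f[3].split("/")
    method, target, user = f[5], f[6], f[7]
    if method == "CONNECT":
        # Only "host:port" is logged for a tunnelled HTTPS request.
        host, path = target.rsplit(":", 1)[0], ""
    else:
        parts = urlsplit(target)
        host, path = (parts.hostname or ""), parts.path
    return Entry(ts, f[2], user, method, host.lower(), path,
                 int(status), result.endswith("DENIED"), int(f[4]))


def categorize(host: str, policy: dict) -> str:
    """Longest-suffix match, so www.social.example.org hits the social.example.org rule."""
    labels = host.split(".")
    for i in range(len(labels)):
        category = policy.get(".".join(labels[i:]))
        if category:
            return category
    return "uncategorized"


def summarize(log_text: str, policy: dict) -> dict:
    """Per user and category: request count, bytes transferred, requests the filter denied."""
    summary = defaultdict(lambda: defaultdict(lambda: {"requests": 0, "bytes": 0, "denied": 0}))
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        bucket = summary[e.user][categorize(e.host, policy)]
        bucket["requests"] += 1
        bucket["bytes"] += e.nbytes
        bucket["denied"] += int(e.denied)
    return {user: dict(cats) for user, cats in summary.items()}


def violations(summary: dict, restricted: set) -> list:
    """(user, category, count) for restricted traffic that actually got through the filter."""
    found = []
    for user, cats in summary.items():
        for category, b in cats.items():
            reached = b["requests"] - b["denied"]
            if category in restricted and reached > 0:
                found.append((user, category, reached))
    return sorted(found)


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG, POLICY)
    for user, cats in sorted(report.items()):
        for category, b in sorted(cats.items()):
            print(f"{user:8} {category:14} requests={b['requests']} bytes={b['bytes']} denied={b['denied']}")
    print("policy violations:", violations(report, {"social", "streaming"}))
```

The CONNECT line is the caveat worth noticing: for HTTPS the gateway logs the destination host but never the path, so the network view is coarser than what the browser cache used to hold.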

What about #21: Get some hemlock...
So what? - It's happened to most of us. You are walked into the boss's or maybe the HR person's office and then notified you no longer have a job. It's pretty unsettling, though it gets easier every time it happens. Unfortunately, given the state of the global economy, this is likely to happen more frequently over the next couple of months. NetworkWorld has a good article that provides some tips to dealing with it. Basically, you can't freak out and hopefully you've been making contingency plans all along. If you work for someone else, it's kind of silly to assume things won't change in the business and that you'll always be welcome. This isn't the 1950's folks, there is no guaranteed, lifetime employment and a cushy pension at the back end of 30 years of toil and trouble. If you are too "busy" to take some action and get out and network a bit or to even develop a contingency plan, do a little visioning exercise with me. Vision that you are packing up boxes in your office. Then vision how you are going to pay the bills and keep your significant other in the lifestyle she/he has become accustomed to. Not a pretty picture, right? So make sure you are constantly thinking about what's next. Better to be safe than dealing with the repo man.


The Laundry List

  1. Secure Computing puts Securify out of its misery for $15 million and an earn-out. VCs took a bath on this one, but that's life in the big city. And it goes to show even a cat only has 9 lives. - Secure Computing release
  2. Novell introduces the most "advanced compliance management" solution, which evidently is a knife to kill the auditor in the parking lot. All kidding aside, what kind of differentiator is "advanced?" - Novell release
  3. Sick of paying for AV? Build your own, just don't try to manage it for more than a desktop or two. - NetworkWorld
  4. You think Ballmer will be master of his own domain? He's under a lot of stress, you know? Maybe Seinfeld will help them fend off the Mac Guy, but probably not. No Office for You! - Dvorak MarketWatch column

Top Blog Postings

It's a big world and it takes time for them to do anything
Gunnar gnashes his teeth a bit regarding how small the aggregate software security market is. Yep, early markets are like that. You have a couple of big vendors that get 80% of the market share and a bunch of smaller ones that don't. When you add everything up, you get a market size probably 15% of a Big Security player like Check Point. The reason is simple. Everyone has a firewall. Not many do software security YET. And the yet is the point. Emerging markets are all about hype and making customers think they have problems they're not sure they have. No one questions whether they need a firewall. Of course companies should be spending more on software security, but they don't understand that yet. They haven't seen it and been beaten over the head with it for years. That's what it takes. The firewall has been around for over 15 years; software security has not. It's great the software security market is growing, but don't expect it to become very big anytime soon. Only time can make that happen.
http://1raindrop.typepad.com/1_raindrop/2008/08/software-security-market.html

First person XSS
Let me send out a hat tip to Dave Piscitello for pointing me towards Russ McRee's excellent piece on cross-site scripting in the ISSA Journal. A key to being a good defender is to understand your adversaries. So being able to put yourself into the mind of the criminal is critical to being able to defend yourself. So what do you see here from an XSS attack standpoint? Basically it's something that can happen to anyone, and it's hard (as a user) to defend against. I know I pimp NoScript a lot, but it adds a bit of XSS defense to your Firefox browser as well. From a developer standpoint, there are a few tips at the end to keep in mind. Of course, it's unlikely you are the actual developer, so you'll need to evangelize these points to your developers at every turn. Validate inputs, verify outputs, and look at both web app firewalls and code reviews. Russ forgot to tell you to keep fighting the good fight, because behaviors don't change overnight and building secure applications does require a behavioral change. Note the link below is a PDF file.
http://holisticinfosec.org/publications/anatomy_of_an_xss_attack.pdf
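An added example of the developer-side tips above (validate inputs, verify outputs); it is not code from Russ McRee's paper or this post. It puts a reflected-parameter snippet beside its hardened form and shows that the right encoding depends on where the value lands in the page. The sample input and the user-name rule are constructed for illustration.

```python
import html
from urllib.parse import quote

# Constructed sample of a reflected parameter; not a real payload from the page.
CONSTRUCTED_INPUT = '"><b>injected</b>'


def render_unsafe(name):
    """'Before' form: reflects the parameter verbatim into the HTML body."""
    return f"<p>Hello, {name}</p>"


def render_safe(name):
    """HTML body context: escape <, >, &, and quotes before reflecting."""
    return f"<p>Hello, {html.escape(name, quote=True)}</p>"


def render_attr_safe(name):
    """Quoted attribute context: the same escaping is enough only because
    the attribute value is wrapped in double quotes."""
    return f'<input value="{html.escape(name, quote=True)}">'


def render_url_safe(name):
    """URL query context: percent-encode (safe="" encodes even '/' and '&'),
    so no character can break out of the query string or the attribute."""
    return f'<a href="/search?q={quote(name, safe="")}">search</a>'


def is_valid_username(name):
    """Allow-list input validation (constructed rule): 1-32 chars of
    letters, digits or underscore. Rejecting early complements encoding;
    it does not replace it."""
    return 1 <= len(name) <= 32 and all(c.isalnum() or c == "_" for c in name)
```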

Is there a silver lining in all these clouds?
Cloud this, SaaS that. Every day it's more crap about clouds and services, services and clouds. What's a guy who likes to keep his feet on the ground to do? Amrit's been busy lately. I guess spending some time in the Ashram during his Asian swing was good for his writing and time management skills. This post makes a lot of good points relative to the fact that cloud computing will require a different security model. I'm not sure what that model ultimately is, but it's different. Maybe a little different, maybe a lot different, but it's definitely different. Yet we are still missing the point about what's most important to do now. Thankfully Amrit didn't, as he points out it's all about RECOVERING from the inevitable incident. Remember, whether you are consuming or providing cloud services, if there is a question about the reliability and/or security of those services, it takes everyone down with the ship. So make sure you focus on CONTAINING the damage as you architect these services. It will make or break your business. No joke.
http://techbuddha.wordpress.com/2008/08/29/saas-and-cloud-computing-change-the-cia-paradigm/