The Daily Incite - March 24, 2008
March 24, 2008 - Volume 3, #29
Good Morning:
It seems every year I remember why they call it March Madness. After I look at my brackets from the first weekend, I'm pretty mad. Make that very mad. So I have some good news for all of you Incite readers. There is no risk that I'm going to pack up, move to Vegas, and decide to make a living figuring out which teams will do well in the NCAA tournament. I've done the same 3 brackets for the last 4 years. Inevitably I come in the bottom quartile. Some years I get lucky and end up in the 2nd quartile in one of the 3, but that doesn't mean much, since my payout is the same - nada, zilch, zero, the big o-ring. Thankfully I just use beer money to play these brackets.
As annoyed as I get at my own picking prowess, the tournament is great fun. You do need to appreciate how some teams come out of nowhere and rise to the occasion. Davidson? Come on now. That's a great story. Son of a former NBA star, that all the major schools passed on, rocks a powerhouse like G-town. That's just great drama. And next weekend, we'll probably see more. There is always a Cinderella, at least up to the Elite 8. Then reality usually sets in, but until then you've got to enjoy the fact that these unknown guys and teams get to play on a national stage.
For me, the Madness is a time to hang with my posse. I get together with a bunch of buddies for lunch on the 1st Thursday and Friday of the Madness. We drink some cocktails, watch the games, shoot the breeze and basically have a great time. Then the working stiffs go back to their offices, and me and two other buddies (who also work for themselves) tend to hang around for the next game or 3. Drinking more cocktails, shooting some more breeze and having lots more fun.
I do feel for my buddies that have a "job," but not that much. In exchange for stability, good health benefits, and a steady paycheck - they get to go back to work. They probably watched the games at their desk via streaming video (unless they got put in the waiting room, shown above) - but they certainly weren't enjoying cocktails. It's all a trade-off, since they also don't have to worry about billing, collections, cash flow, pipelines, delivery, fulfillment, new products, monthly deliverables, grumpy clients, and all the other crap that I deal with on a daily basis.
Would my buddies trade places? I suspect some of them would. Some wish they had the stones to go out on their own and stop working for the man. Others are quite happy doing what they do. Would I change places? Not a chance. I've come to realize that I'm just not cut out to work for the man. No way, no how. I'll never say never - but it's pretty much never. The last thing I want to deal with is telling a boss why I need to take half a day on the first two days of the Madness. But that's just me.
Have a great day.
Photo credit: The Shifted Librarian
The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com
Get Your Special Report: 6 Easy Steps to Protect Your Identity and get access to Security Mike's Portal today www.securitymike.com
Top Security News
Good night, and Good Luck to Lockdown
So what? - OK, I could gloat a bit now. I've been talking about the fundamental issues in the NAC market for a while, but that's not my style. OK, maybe a little, but I feel for the Lockdown folks. I've been there. To unceremoniously have to close your doors, leaving your customers in the lurch, is terrible. It's very frustrating to build something and have no one else see value in it. All that time and money...poof. There's been lots of coverage, though I'll tip my hat to Network Computing for having the most balanced perspective. The little tidbit about how a NWC contributor's Syracuse lab (oh, I mean the college) actually wanted to pay for a solution and had mediocre success is very telling. Not just for StillSecure, which got bounced out - or Lockdown - which clearly couldn't answer the call. Of course, the NACsters are spinning madly, talking about the "execution problems" and how "they are different." OK, Shimel is spinning madly, but you have to expect that. Unfortunately, this isn't the last we've seen of this kind of outcome for a NAC vendor. Fact is, the big publics and privates with big bankrolls don't see any value in acquiring assets in the NAC space right now. That doesn't mean that they won't, but not right now. To be clear, I do think there is value in NAC, especially the access control part. But this is not the Messiah technology, never has been. Despite what the vendors want you to believe...
Link to this
Should you hire a hacker?
So what? - Gosh, the dilemma posted in this InformationWeek article is really a dilemma. Sort of. The reality is that vendors and security service providers CANNOT afford to employ black hats. Period. End of discussion. Their customers put a lot of trust in these companies, and hiring a convicted hacker would undermine that trust. But what about end user organizations? It's not as cut and dried. For some it is, but they are wrong. The fact is security is a very resource constrained environment. Why would a talented professional (with a clean record) go work for a 100,000 person organization in a smokestack industry, when they can see the world and make a lot better money doing consulting or going the vendor route? There is something to be said about the training that bad guys get as well. In order to really stop hackers, you need to think like one. Who is better at thinking like one than a former black hat? Ultimately it gets down to trust, as it always does. Do you trust the rehabilitation process? Can criminals reform? Do people get second chances? In any case, you should have a number of backstops to make sure that a bad actor doesn't take down your entire shop. Fact is, it's usually not the black hats that have been caught perpetrating insider fraud. If I were in that position, I probably wouldn't pull the trigger on bringing on a convicted hacker. Too much of an opportunity for others to say "I told you so." But if I had no other options? Glad I don't have to make that decision on a daily basis.
Link to this
That's a mighty fine L0pht you have
So what? - There are few iconic organizations in security, but the L0pht is one of them. At the SourceBoston show, a number of the members got together for the first time in years to reminisce about the old times. I had to fly out, so I couldn't see the panel, but SearchSecurity does a good job of capturing the spirit of the guys. Those were the wild and woolly days of security, before it was a business. When it was still fun. Now it's a business, and not as much fun. Now we see what good security researchers can do to shred a web site or application, and it's kind of commonplace. We aren't surprised by the 10,000th exploit for QuickTime or the way folks can get around pretty much any security system. But back in the mid-90's we were surprised. We had to be. That was real innovation. Something that is sorely missing from our business that has become an industry.
Link to this
The Laundry List (crappy M&A edition)
- Ping Identity acquires Sxip Access. But do they get Dick Hardt's cool Identity 2.0 presentation as part of the deal? - Burton Group Blog
- IBM acquires Encentuate to get more SSO technology. Unfortunately the map to find the holy grail of SSO wasn't included. - SearchSecurity coverage
- Microsoft acquires Komoku for additional rootkit detection. Big AV buries their head deeper into the sand. - NetworkWorld coverage
- Does anyone really think there should be 800 security companies? Expect this kind of M&A to accelerate as VCs get over their hangover and realize they should be happy to get their money back and get out.
Top Blog Postings
That was some expensive Boar's Head
Another day, another data breach. This time it's New England grocer Hannaford Brothers. And they don't really know what happened or why. The Mogull picks apart the public statements with a fine-tooth forensic comb, but the reality is we may never know exactly what happened. And I differ with him about whether PCI is worthless. PCI is no magic bullet, but it does provide a decent guideline for those organizations that have no idea even where to begin. Bill Brenner notes that it's all about living to fight another day when you have a data breach. Martin points out that thankfully HB had separated customer data from credit card data, so hopefully the damage will be minimized. Remember, hope is not a strategy. I (for a change) take a bit of a different perspective on the data breach. It's going to happen, so you better be ready. Right, you need to be monitoring your stuff to try to detect these issues faster and get to the bottom of them sooner. Will people stop shopping at HB stores? Of course not. Will they continue paying with credit cards? I suspect they will. But HB will now be fighting years of class action lawsuits and other fees to clean up the mess. And in a 2% margin business, it definitely will hurt.
http://securosis.com/2008/03/18/picking-apart-the-hannaford-breach-what-might-have-happened/
Link to this
Security vendor caught in Hannaford Brothers' cookie jar
No one wants to be the security vendor that was watching the store when the store was looted. Even more so, no one wants to get caught trying to cover it up. Rapid7 was both when they got caught removing HB's name from their client lists. Ryan Naraine does a good job presenting both sides of the equation on his Security Watch blog. Then Rapid7 has the nerve to throw their client under the bus and say THE CLIENT wanted to be removed from the web site. Huh? If I'm in the middle of cleaning up a data breach, the first thing I think about is to remove my logo from a vendor's web site. Right... Next they concoct some type of ridiculous press release about how none of the systems R7 was scanning were involved in the breach? Huh squared? It seems HB doesn't know what the hell happened, so them being able to say that R7 wasn't involved seems a bit wacky to me. Fact is, a scanner doesn't equal security. PCI compliance doesn't equal security. Anyone can be had at any time. Period. And some vendors will try to make it look like it wasn't them or their fault. Ultimately it's not. A tool is just a tool. But these vendors that claim "Easy PCI" anything should beware. There is nothing easy about security.
http://securitywatch.eweek.com/hannaford_data_breach_the_security_vendor_conundrum.html
Link to this
It's not about fear, it's about doing the right thing
Shimmy brings up a real conundrum, which is how to sell security. Historically, it's been sold by fear. Just like all insurance has been. Fear of the unknown. Fear of being hacked. Now it's fear of compliance issues. Fear fear fear. The reality is that fear only works for a short amount of time. And I suspect we are running out of time on holding the gun to the CFO's head and asking for a big check. Sure, compliance is still a major driver, and there are a lot of very big security companies that won't go away overnight. But my long standing position holds, which is that security is a feature. At least Alan gave me some props to mention I've been singing this song for a long time. You don't have to hold a gun to the CFO's head if security is built into whatever else you are doing. We are a long way from that, but it's happening. So all CSOs that continue to trade on fear, as opposed to making deposits in the credibility bank, your days are numbered. And just remember, you heard it here first.
http://www.stillsecureafteralltheseyears.com/ashimmy/2008/03/sitting-on-your.html
Link to this
Mike-
Just some clean up on your Lockdown analysis. First of all, the college that tried us and Lockdown was a SUNY school but not Syracuse. I am not sure I am at liberty to say exactly which school. I have spoken to the person there though and they may give us another try here. Fact is they used our product very early on and while it did work (unlike the other NAC solution they bought), they needed Mac and Vista support, which at the time we did not have. Of course we have it now. But you know the story, a day late and a dollar short. If we do get back into that account I will be sure to send you word with a little salt and pepper to eat them with. And yes Mike, all NAC solutions are not the same. Lockdown had fundamental problems that they were not able to solve; that doesn't mean other NAC vendors have the same problems. Sort of like most people don't think very highly of some analysts, but that doesn't mean they all think that way about you, or do they?
alan