The Daily Incite - May 13, 2008

Submitted by Mike Rothman on Tue, 2008-05-13 10:21.
Today's Daily Incite

May 13, 2008 - Volume 3, #46

Good Morning:
I had a strange vision/nightmare recently. I wasn't sleeping, so I guess it's not a nightmare, but it was certainly strange. Let me explain. For a while I've been wondering about the impact of the constant din of advertising that we are subjected to. The research shows each individual is bombarded with thousands of brand images every day. I'm not so worried about me, since I can compartmentalize and ignore most of the stuff I'm not interested in.

I worry about my kids. They are still innocent. They don't understand about how big time marketers play with their emotions to get them to buy things. They haven't realized that material possessions are just things and they can't make you happy. They are like clay and that clay is increasingly being molded by folks at the Disney Channel and Nickelodeon and the folks that run commercials on those networks.

And it's scaring the crap out of me. I worry we are growing a robot army that just numbly walks from one store to the other and waits for the Wall Street big brains to figure out some new derivative to pay for it all.

As a case in point, we just got our new health insurance cards. Normally that's kind of ho-hum, but the new cards were sitting on the counter and Leah (my oldest) picks them up and says, "Dad, what are these?" 

Never missing an opportunity to explain something, I was all ready to launch into a dialog about insurance and paying for the doctors and healthcare and all sorts of other stuff she doesn't care about. But barely after I got the word insurance out, she blurts "Oh, you mean like Progressive..." Oh crap. Did she just regurgitate the brand of an auto insurer back to me?

Yes, she did. My first reaction was "you watch too much TV." Which, by the way, would be the right reaction. But here's the rub. They actually learn a lot from TV (and the Internet) as well. They are taken to places I never got exposed to as a youngster. They are given lessons I had to learn the hard way when Dora or even Hannah Montana get caught up in some trumped up situation that actually delivers a decent message about wrong and right and treating people well.

So I'm torn. Part of me wants to just put them in a bubble and protect them from all the evil marketers out there that equate stuff to happiness. The other part of me knows that this is the world we live in, and I need to accept that and focus on helping them learn to compartmentalize and basically ignore all the branding and figure out what is important for them.

And I'm sure I'll be fighting this battle countless times over the next 15 years as the kids grow and then eventually leave the nest. Have a great day.

I've got all day meetings for the next two days, so the next TDI will be on Friday AM.

Photo: "Robots! Ready your breakfast and eat hearty... For tonight, we dine in Silicon Valley!" originally uploaded by tyreseus



Top Security News

An astrophysicist and a security guy walk into a bar...
So what? - If I had a few more comic bones in my body, I'd be able to come up with a decent punchline to accompany Greg Shipley's analogy in this seminal InformationWeek manifesto. OK, maybe not a manifesto, but Greg does rant a bit about how most of us are doing security wrong and I like the messages. Of course, that they echo a lot of points I've been making is a bonus. Greg talks about providing a risk context to what it is we do, but also reminds us that risk needs to be IN CONTEXT of the business. The insurance guys have a different idea of risk than someone in high tech. And that's really the point, technology is technology and it's much easier for technologists to throw technology at the problem. But does it address the root cause of the issue? That's how security folks need to start thinking about our jobs. It's convenient if tactical technology alleviates a potential problem, but does it eliminate the risk? Greg also shows an interesting chart about how security technologies have evolved and merged over time. Which again makes the point that technology comes and goes, and our problems always seem to persist. So let's start focusing on the problems and then get an idea about how to address the root cause of our problems.

Monitoring isn't a new requirement
So what? - As I've gotten older, those old "when I was young" analogies actually start to make sense. Not because things were easier or harder back in the 70s, but because it's easy to fall into the trap of thinking that things were less complicated and thus must have been easier. It's true that things are a lot more complex today and things like Web 2.0 are accelerating what seemed to be moving too fast already. But is this a lot different? I mean really? I read this article on Dark Reading about a Web 2.0 security session at Interop and kind of laugh when one of the panelists says: "We're now in a situation where we have to monitor what our employees are doing all day long." You mean you didn't have to do that before? Or you just ignored that requirement? Security monitoring and the need to REACT FASTER are not new. We just didn't do those things very well before and now if we don't get a better handle on things, then it's going to be very hard to keep our heads above water. But if this new buzzword gets folks doing things they should have been doing for a long time, I'm good with it.

You. You over there. Selling that stuff. Stop that.
So what? - I'll come clean. I still peruse my spam folder a couple of times a week. GMail is very good at stopping spam (if I get 5 a week into my inbox that's a lot), but it does stop some legitimate mail every so often (again, maybe 2 or 3 a week). Those 2 or 3 are fairly important, so I still go through the spam just in case. It's also funny. Some of the techniques are hilarious. I still wonder who actually buys this stuff, but someone must, because my spam folder is overflowing. A couple of weeks ago a few of the generic addresses I use started getting hit with bouncebacks. Hundreds of them, so I figured the bad guys got their hands on these addresses and were sending messages out using them. Then I saw this NetworkWorld piece and I was right. I guess those remnants from your address being spoofed are called backscatter. So what do you do? Basically ignore it. I guess you could change your email address, but that's a pain in the butt. You can turn off out-of-office messages and also have your mail server just drop bad address messages (as opposed to sending a notification). You can't stop the backscatter, but you can minimize your part in contributing to the problem.
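To make the backscatter point above concrete, here is an added toy model (not from the post or the NetworkWorld piece) of the two mitigations it names: rejecting unknown recipients during the SMTP dialogue instead of accepting and then bouncing, and switching off out-of-office replies. All addresses, mailboxes and the spam run are constructed, and the "MTA" is an in-memory stand-in rather than a real mail server.

```python
"""Toy model of mail backscatter and the two mitigations named in the post.
Added example, not from the post; addresses, mailboxes and the spam run are
constructed and the "MTA" is an in-memory model, not a real server."""
from collections import Counter

VALID_MAILBOXES = frozenset({"alice@example.com", "bob@example.com"})


def run_mta(messages, reject_at_rcpt, autoreply_mailboxes=frozenset()):
    """Push (envelope_sender, recipient) pairs through a toy MTA.

    reject_at_rcpt=False: the MTA accepts every recipient, later notices the
    mailbox does not exist, and mails a non-delivery report (NDR) to the
    envelope sender. Spammers forge that sender, so the NDRs hit an innocent
    third party: that is backscatter.
    reject_at_rcpt=True: unknown recipients get a 550 during RCPT TO, so
    there is nothing to bounce.
    autoreply_mailboxes: valid mailboxes with out-of-office replies switched
    on; each one mails a reply to the (forged) sender, which is backscatter too.
    Returns a Counter of unsolicited replies received per envelope sender.
    """
    replies_to_sender = Counter()
    for sender, recipient in messages:
        if recipient in VALID_MAILBOXES:
            if recipient in autoreply_mailboxes:
                replies_to_sender[sender] += 1  # vacation reply to forged sender
            continue  # otherwise delivered quietly, no reply at all
        if reject_at_rcpt:
            continue  # 550 at RCPT TO: no NDR is ever generated
        replies_to_sender[sender] += 1  # NDR mailed to the forged sender
    return replies_to_sender


def spam_run(forged_sender, guessed, real=()):
    """Constructed spam run: one forged sender, guessed plus real recipients."""
    targets = [f"user{i}@example.com" for i in range(guessed)] + list(real)
    return [(forged_sender, rcpt) for rcpt in targets]


def backscatter_seen(forged_sender, reject_at_rcpt, autoreply=frozenset()):
    """Backscatter the spoofed address receives from one 300-message run."""
    batch = spam_run(forged_sender, 298, real=sorted(VALID_MAILBOXES))
    return run_mta(batch, reject_at_rcpt, autoreply)[forged_sender]

if __name__ == "__main__":
    victim = "victim@example.net"  # constructed: the address being spoofed
    print("accept-then-bounce, auto-replies on :", backscatter_seen(victim, False, VALID_MAILBOXES))
    print("reject at RCPT,     auto-replies off:", backscatter_seen(victim, True))
```

The spoofed address only ever sees replies the receiving server chooses to send, which is why rejecting at RCPT TO and disabling auto-replies shrinks the count to zero even though the spam volume is unchanged.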

The Laundry List

  1. Take that IBM. HP sees the services business and raises $12 billion to acquire EDS. The big sure do get bigger. - HP release
  2. Check Point ships the ZoneAlarm ForceField. Will customers pay another $30 for yet another widget? Probably not, but this could be a differentiator for the entire ZoneAlarm suite. - Check Point release
  3. FireEye gets another $14 million to go through another of their 9 lives. What are they on, 3 or 4 at this point? I guess bots are the future. Uh huh. - FireEye release
  4. Cenzic shows us what we already know, which is that the software we use the most continues to have lots of vulnerabilities. - Cenzic release

Top Blog Postings

Security ROI and metrics and credibility
Intel's Matthew Rosenquist takes on Schneier himself in this post, as he wonders whether trying to measure security ROI is meaningless or not. My interpretation of the post and Matthew's arguments (even though he largely agrees with Schneier) is that it all gets back to credibility. Here is a fact: The numbers can be gamed. Period. So how well the numbers will be accepted and whether you'll be able to prove anything gets back to one thing. Your credibility. If you aren't credible, then it doesn't matter what numbers you generate - no one will believe you. And if you are credible, your thinking about the business impact of any kind of security investment will go down a lot easier. So I'd rather folks spend a lot less time worrying about calculating ROI and focus on increasing their credibility. That's a much better investment of time. In one man's opinion anyway.
http://communities.intel.com/openport/blogs/it/2008/05/08/are-security-roi-figures-meaningless

Free agent vs. farm team?
Techdulla posts a very insightful thought here about hiring practices. Basically, do you get someone that is more qualified, but may not be as committed to the cause? Or do you go with someone a bit green, but knowing that the investments you make to train those folks will result in some measure of loyalty and hopefully less jumping around? It's a tough call and I think the sports free agent analogy is a good one. Some folks want to win now and they aren't worried about tomorrow. In that case, you go for the experienced guy - who will likely jump on the next big tanker that comes along in a year or two. If you are able to think long term (and not everyone can do this), then you pull someone from the farm system and develop them. Sooner or later the great ones will go somewhere else, but you've gotten a lot of return from that investment of time. Or you could be like me and not hire anyone to keep the drama quotient very low. Either way you go, just understand that it's a choice and as long as you consciously make the choice, it's fine.
http://techdulla.wordpress.com/2008/05/13/the-new-guy-is-here/

Buying decisions aren't about technology
Reading this post from Farnum reminds me that I haven't riffed on procurement in a while. For those of you that get TDI via the RSS feed, you should make sure to read my "Buying Security Products" guide. I'll be happy to send it to you, just drop me a note. Basically, Farnum's contention is that as product categories mature, the technology is less important and the intangibles (like management, support, product breadth, financials/viability) become more important. He's absolutely right and I'll raise that one. Part of the buying process is to identify a number of solutions that can meet the need. Then you get the upper hand in negotiations. In today's tech space there are probably 6-10 vendors in every space, even the early markets. You always have choice, and when you have choice you have leverage. Use that leverage to your best advantage. Why wouldn't you? Don't worry, the vendor rep will be able to make the payments on his (or her) BMW. They always do.
http://infosecplace.com/blog/2008/05/02/product-maturation-and-your-business/
