August 15, 2008 - Volume 3, #69
Good Morning:
I know I harp on the importance of managing expectations frequently,
mostly because I keep seeing data points everywhere that reinforce the
point. As I continue to binge on the Olympics, the concept continues to
resonate. The US Men's Gymnastics team got a Bronze. It was very
unexpected, given the injuries to the Hamm brothers. So they are
ecstatic. Yet, the women's team was disappointed with the Silver. Why?
Expectations. The girls thought they could win after 2 rotations.

Even magical Michael Phelps was pissed off after the 100 butterfly
event. He won Gold, set a world record and he's still pissed. Turned
out his goggles were leaking, so he was swimming blind. And he still
expected to swim faster. Again, expectations.
Now it's time for the NFL season to start. I'm taking the boy to the
opening pre-season Falcons game on Saturday, exercising my new season
tickets. It's very exciting, even though I expect the Falcons to suck
this year. I just love to watch football, even if it's not the NY
Giants.
Matt Ryan is poised to step in as the starter and future of the
franchise sometime over the season. This year, the expectations are
low. Over time, they won't be. But he should enjoy the fact that he can
learn this year and not really be raked over the coals when the Falcons
make some dumb mistakes and lose some games. It's all about managing
expectations.
Brett Favre meanwhile is in exactly the opposite position. The NY Jets
want him to come in and have an immediate impact. He's got little
wiggle room to learn the system and to be the hyper-aggressive Favre
that ends up making as many mistakes as he makes great plays. It's not
like NY is a forgiving place. I'm sure the crazy New Yorkers will be
jumping Eli when he throws an INT or 10. Super Bowl ring or not, it's
always about what have you done lately.
The good news is that you probably don't have millions of fans hanging
on your every move. That takes off the immediate pressure and ensures
you likely won't be tabloid fodder, but that doesn't mean you shouldn't
always be paying attention to expectations. You need to. If you do it
wrong, you are certain to disappoint people. If you do it right, you
are a super-star. Even if you accomplish exactly the same
thing.
Have a great weekend. And meet those expectations.
Photo: "BRETTS" originally uploaded by nationalparodyleague [1]
The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com [7]
Get Your Special Report: 6 Easy Steps to Protect Your Identity and get access to Security Mike's Portal today www.securitymike.com [8]
Top Security News
This latest discussion by SJSU professor Randall Stross talks about the
fact that passwords aren't secure [10]. It's all stuff we've heard
before. Widespread use of strong authentication techniques is cost
prohibitive and doesn't solve the problems of identity theft or
phishing. Personally, I try to eliminate the issues I know can get me,
like a dictionary attack. So I use strong passwords with a password
manager (I use 1Password) to eliminate the complexity. RoboForm is
pretty well regarded on the Windows side. Will a strong password stop a
well-crafted XSS, MITM or CSRF attack? Nope. But it will stop some basic
attacks, and I think over time the data has shown that it tends to be
the basic attacks that are most successful.
The initiative is called Trusted Internet
Connection (TIC) [12]. Clearly the more connections the more
places to screw up a configuration and leave a hole. So this idea of
reducing the number of connections to about 100 is kind of interesting,
but I'm not sure it's feasible. Those would need to be some pretty big
ass pipes and there is little room for error. Sure you can throw a lot
of money on monitoring and managed services and the like. But if you
are wrong, the bad guys get access to not just a small section of the
US Fed networks, but large swathes of territory. It's also interesting
that the pendulum is swinging back to private networks. It wasn't too
long ago that it was all about moving away from private packet services
and using branch to branch VPNs to cheapen transport. Now I guess it'll
swing back to connecting sites via private network backbones and
aggregating the access to only a few points. What's old is new again,
though it's funny we are pulling out the bell bottoms of networks due
to a security issue.
Nothing in how Larry Seltzer describes the
plan seems too groundbreaking [14]. You know, who should do what
and then who should they tell. They even claim they are going to
practice their response. Good luck with that. It's a great idea and I'm
pleased that the idea of containing the damage is alive and well from
the folks that run the Internet. Ultimately I doubt it'll be any of
the current attack vectors that bring the Internet to its knees. But
sooner or later something will emerge and we won't be ready, but at
least there will be a plan to recover. And that's about the best we can
do.
The Laundry List
- Clear sailing ahead. The TSA takes CLEAR out of the penalty box after the misplaced laptop incident. Now they are going to encrypt laptops. Imagine that. - BTNmag coverage [16]
- More from the "I pulled numbers out of my ass" category, Aberdeen says best in class vulnerability and threat management yields 91% marginal ROI. Huh? What is marginal ROI? What is best in class anything? Who cares, I'm sure the vendors are happy. - Aberdeen release [17]
- Security Innovation takes a page out of the TruSecure book. When you have a methodology that works, but no one knows what it is, then just call it a "certification," give the customers a piece of paper, and jack up the price twofold and life is good. Fact is, having someone credible like SI say your software security program is up to snuff is a good thing, but the certification angle. Meh. - Security Innovation release [18]
- Where is Lenin when you need him? Google announces the KeyCzar, for "simple and safe crypto." I don't think I've ever seen those three words (simple, safe, crypto) together in one sentence. Let's just hope developers don't start shooting off their feet with these safe and simple libraries. - Google Security Blog [19]
Top Blog Postings
http://www.darkreading.com/document.asp?doc_id=160415 [20]
SIM is dead [22] was really kind of
ridiculous. Thankfully he saw fit to clarify what he's saying in this
post, which is SIM is dead - unless... My opinion is that the first
generation of SIM didn't do what it needed to. It was too hard, too
expensive, took too long to see value. There are lots of folks that are
working on those issues. Of course, we still aren't there yet, but the
industry is making progress. And the biggest reason I don't see the
idea of SIM dying (although the implementation will clearly change and
evolve) is because CUSTOMERS NEED IT. Unless someone comes up with some
magic fairy dust that all of a sudden tells users what's going on with
their systems and what they should be focusing on RIGHT NOW, then we
need security management capabilities. But anytime you pronounce
something dead it generates lots of page views, eh?
http://blogs.splunk.com/raffy/2008/07/18/sim-is-dead-unless/ [23]
http://www.computerweekly.com/blogs/stuart_king/2008/08/2009securitypredictions.html [25]