Published on Security Incite: Analysis on Information Security (http://securityincite.com)

The Daily Incite - September 29, 2008

By Mike Rothman
Created 2008-09-29 07:24
Today's Daily Incite

September 29, 2008 - Volume 3, #79

Good Morning:
It doesn't seem to be common knowledge, but we are in the midst of a gas shortage in northern ATL. I suspect it's all over the metro Atlanta area, but I can only speak for the 10 mile radius I scoured on Friday trying to get gas for my car. I must have passed 15 different stations that had no gas before I got lucky. A friend called with a tip on a station that just got a delivery and had gas. So I dutifully waited in line for about 40 minutes and filled up. Thanks to the iPhone, I could still be reasonably productive - but still, that's 40 minutes I'll never get back.
No Gas for U
We also got lucky last week when the Boss went to go fill up the van. She dropped the kids off at school and only had to wait 10 minutes at a local shop. I just drove by that specific station and the line is around the corner to get into both entrances. It's basically a mess.

Of course, it's great when the government is very supportive of the plight of the citizens. Our own esteemed Gov. Perdue thinks the shortage is "self-induced [1]." Evidently he hasn't tried to fill up recently. It doesn't seem easy to govern with your head up your ass, but I guess he's trying.

I was talking to my Mom over the weekend and we talked about the 1973 gas crisis. Obviously I was very young, but I still remember Mom loading my brother and me into the Volvo station wagon at 5 AM to go wait in line to fill up. I guess those were scary times, but 5 year olds don't really understand that. I guess what goes around, comes around and here in the ATL it's coming around.

Tight supplies are being caused by the fallout from Hurricane Ike. Evidently a significant portion of refining capacity is still offline or ramping back up slowly. It reminds me that we are still very very dependent on fossil fuels to drive the economy. And as those fuels wane or become more expensive or are increasingly controlled by unfriendly parties - our economy is at risk. Sure we've got to work through this mortgage mess on Wall Street. But energy is clearly the biggest issue we (as a global community) face over the next 10 years.

We are doing our part by not doing unnecessary driving this week until supplies loosen up. Even though I don't need a new car, I'm seriously thinking about putting my name on a waiting list for a hybrid. Maybe this time I'll actually do it. And as soon as they come out with a hybrid van, we are there. Sure it's a bit more money up front and the direct payback in terms of dollars is a bit suspect. But it's hard to put a price on the heartburn we suffer from driving around on E, hoping the next service station has fuel (and you won't have to wait in line for a couple of hours) before we run out of gas and have to walk home.

And before I forget, Happy Birthday to my kid brother. His birthday was over the weekend. We had a lot of fun hanging out with the kids running around and creating havoc. As tough as things are, you've got to take the time to celebrate the good times. And to step back and enjoy the ride a bit. Sometimes it's hard, but you need to make a specific focus to make it happen.

Have a great day and I should be back on Wednesday, since tomorrow is a holiday for me. L'Shana Tova to all observing tomorrow.

Photo: "No Gasoline" originally uploaded by eschipul [2]



Top Security News

video interview of Mark Russinovich [11] (yes, the Sony rootkit guy and one of the big brains pushing Microsoft's security strategy) and questions the viability of white lists. To paraphrase Larry, white lists are cool if you can shove a policy down a user's throat (like most corporates can), but they are useless for consumers. To be fair, Larry does say he hopes he's wrong because he buys into the concept of executing only authorized applications. Amazingly enough (especially if you ask the Boss), this situation isn't black and white. The reality is there is a continuum and we need to understand that. Even in the corporate world, there need to be gradations of lock-down, which treat different groups differently. Since the finance team is dealing with very important data, their devices should be locked down tighter than some other group. Same goes for consumers. They should have options to incrementally enforce greater levels of lockdown. You can sort of do that through different browser configuration and parental controls, but it's hard and requires a lot of pieces, and any savvy kid is going to be able to get around it. There is definitely a place for white lists in your security arsenal, but you need to make a choice as to how strictly you enforce them (and subsequently how much clean up you are willing to do).

Now they are making product announcements and talking about how security fits into IBM's overall strategy [13]. Time flies when you are having fun, no? But two years of fun?!? That's what makes me chuckle about these big deals. How can any semblance of integration, which takes two years, be something to cheer about? IBM dropped $1.3 billion on the deal and as a result ISS has all but dropped off the radar. Of course, I'm sure they show up in a lot of deals that just go to IBM (and wouldn't be seen by a guy like me), but still. $1.3 Big is a lot to spend to wait around for a couple of years to figure out which end is up.

Tim Greene says were the results of Forrester's NAC wave [15]. That kind of finding is pretty laughable. There is no question that Microsoft will be a player and they will absolutely own the agent that checks desktop device integrity. But to think they've got something that is enterprise-ready is a bit strange to hear. Even better, they put in a disclaimer saying the study isn't based on "units sold or performance tests," but how well the products will "meet the challenges of a set of real-world deployment situations." At least Gartner's ability to execute rating is based largely on company revenues and product sales. So basically this was an RFP process. And Microsoft prepared the best response. Great. People that really buy products understand that a good RFP response gets you into the bake-off. That's when things like "performance tests" start to matter. That's why I find it ridiculous that vendors get judged on this qualitative crap. Ultimately customers only care about whether a product can solve its problem, not whether the vendor gives GOOD RFP. Smart customers understand these types of reports can maybe provide a little perspective on identifying the long list of vendors to chat with. But to base a buying decision on it is irresponsible.


The Laundry List

  1. Security budgets are still all over the map. Jim Reavis does a seriously unscientific poll and finds predicting budget impact to be a shot in the dark. I'm still standing by my thinking that the next 18 months will be bumpy - even for security folks. - Risk Bloggers [17]
  2. I'd say Fortinet breaks out the wallet again, but it's likely a change purse. They acquire Secure Elements and become firmly established as the first guys to call in a fire sale. - Secure Elements release [18]
  3. Astaro tries to out-barracuda Barracuda with a $499 email security appliance, which includes encryption. Keep a lookout for their new billboard and radio campaigns. Maybe they can get Astro from the Jetsons to be their corporate spokes-dog. - Astaro release [19]
  4. John Sawyer reminds us that Fort Knox isn't secure, if you leave the door open through a faulty configuration. Same goes for firewalls. - Dark Reading blog [20]

Top Blog Postings

http://securosis.com/2008/09/19/how-to-tell-if-your-pci-scanning-vendor-is-dangerous/ [21]

http://chuvakin.blogspot.com/2008/09/is-pci-dss-prescriptive.html [23]

http://superconductor.voltage.com/2008/09/whats-going-on.html [25]


Source URL:
http://securityincite.com/blog/mike-rothman/the-daily-incite-september-29-2008