February 11, 2009 - Volume 4, #15
Good Morning:
Let's talk a bit today about role models. Of course, the issues with
Michael Phelps have been picked over like road kill by the
media vultures over the past few weeks. I'm still scratching my head.
So the kid took a bong hit. Big deal. We forget he's a kid and kids
experiment. Sure it was bad judgment, but who as a 23-year-old didn't
do stupid things?
And now those ass hats in South Carolina are threatening to prosecute
him. Give me a break. Though it was good press for the SC Attorney
General, which I guess was really the point.
I understand some of you probably differ with me on this (and
I'm sure I'll hear about it in the comments). Security folks are pretty
straight-laced folks. Unless we're drinking, that is. Yes, possessing
dope is against the law. And being a law-abiding citizen, I choose not
to partake in those behaviors. Plus my lungs are pretty crappy, so I
can't breathe too well if I do any kind of inhaling activities. And I
lost my "connections" when I moved South. :-)
Besides Phelps there have been a bunch of "scandals" of late
regarding folks some consider "role models." You have Barkley drunk
driving, running stop signs to get closer to his happy ending. You have
A-Rod coming clean about juicing. You have movie stars taking
inappropriate pictures of each other and having those leak onto the
Internet. It never ends and I think it's reflective of the folks we
choose to hold up on a pedestal.
Sports and entertainment is a business. A very big business. Yet, the
people that are "stars" are human and they make mistakes and they have
human urges and in some cases they will do anything to get any kind of
advantage. A-Rod makes $27 MILLION a year. You bet he's going to do
whatever he can to justify that kind of money. Maybe he's stopped
juicing, maybe he's just better at concealing it.
It's only cheating if you get an unfair advantage. Do you really think
everyone else isn't doing the same thing?
It's like politicians. They are pretty much all "dirty," but only a few
actually get caught. And it gets back to providing alternative role
models for our kids. I'll be the first to say that I've got a lot of
work to do before I'm a sufficient role model for my kids. And right
now, they are young enough that their role models are fictional
characters like Luke Skywalker, Yoda (though not the Yoda in the
picture) and Obi-Wan.
For now, I'm fine with that. It's been a while since a fictional
character has ended up as Page Six fodder in the Post. And by then, who
knows - maybe I'll be able to step up and move into that role model
role. It's something to shoot for anyway.
Have a great day. And may the Force give you a good high...
Photo: "Yoda Bong" originally uploaded by MadVinyl [2]
Incite 4 U
Each morning I face a decision. Do I have an apple or a plate of grapes? Actually it's whether I do a commentary piece or just cover a bunch of news items. It seems my pal Shimmy has voted for the news [9]. Yet it seems 30%+ more of you choose to read the commentary. According to my web stats anyway. The answer is actually both. Sometimes I have to get things off my chest (like yesterday's FUD piece), so I do. And at least now I know what I'll be for Halloween this year. A few dog yummies to anyone that can design a cool "FUD whore" costume.
- Keeping models on the runway - The Tao Master reminds us of the folly of models in this post [10], which links to a pretty good piece in the Economist, as well as some older posts from Richard himself. If we could only get the bean counters to understand that risk models don't really equate to risk. Unfortunately there are a lot of practitioners that fall for it as well. That's where we security folks (and Wall Street) get into trouble. If we believe we've mapped out all the risk and quantified it, then we get sloppy. And historically we've been wrong.
- It's that data thing again - Collaboration and security are like magnets with like polarity. It's just hard to get them anywhere near each other. And however hard you push them together, they still repel each other. Data wants to be open and free. Security requires that it isn't. SharePoint is getting a lot of press nowadays because it's hard to secure [11]. Really? That's shocking to hear. And it has little to do with the tool itself (OK, maybe a little), rather with how we use the tool and balance it against the user experience, which demands access to the information. What to do? Like everything else, try to monitor who is accessing what, when, and look for anomalies. And pray. Sometimes that works too.
- It can't be that easy - Unfortunately sometimes it is. I'm not a fan of linking to anonymous posts, so I'll let Rob Graham at Errata do my dirty work for me in his analysis of the PHPBB.com hack [12]. It's fascinating to see how the legacy came back to bite those folks. They did the right thing(s) and made the password system strong, but they didn't require existing users to go back and reset their passwords. And they paid for it. Rob did a bunch of analysis on the passwords as well. I guess we'll still need to continue learning (the hard way) about the dangers of letting users keep weak credentials.
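An added illustration of the fix this item implies (example code, not from Rob Graham's post or from phpBB itself): on login, detect a legacy-format hash, verify it, and transparently rehash with a stronger scheme; after a cutoff, stop accepting legacy-hash logins altogether and require a reset. The hash formats, prefixes and sample accounts are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed formats for the example: an unsalted MD5 "legacy" hash and a
# salted PBKDF2-HMAC-SHA256 "modern" hash. Real phpBB formats differ.
LEGACY_PREFIX = "md5$"
MODERN_PREFIX = "pbkdf2_sha256$"
ITERATIONS = 200_000


def legacy_hash(password):
    """The weak scheme old accounts are still stored under."""
    return LEGACY_PREFIX + hashlib.md5(password.encode()).hexdigest()


def modern_hash(password, salt=None):
    """Salted, iterated hash that new accounts (and rehashed ones) use."""
    salt = salt or os.urandom(16).hex()
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt), ITERATIONS)
    return f"{MODERN_PREFIX}{ITERATIONS}${salt}${dk.hex()}"


def verify(password, stored):
    """Check a password against whichever format the stored hash is in."""
    if stored.startswith(LEGACY_PREFIX):
        return hmac.compare_digest(legacy_hash(password), stored)
    if stored.startswith(MODERN_PREFIX):
        _, iters, salt, digest = stored.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt), int(iters))
        return hmac.compare_digest(dk.hex(), digest)
    return False  # unknown format: never accept


def login(users, username, password, force_reset=False):
    """Returns 'ok', 'denied' or 'reset_required'.

    Legacy-hash accounts are upgraded in place on a successful login; once the
    migration deadline has passed (force_reset=True) they are not accepted at
    all and must go through the reset flow, which is the step phpBB.com skipped.
    """
    stored = users.get(username)
    if stored is None:
        return "denied"
    if stored.startswith(LEGACY_PREFIX) and force_reset:
        return "reset_required"
    if not verify(password, stored):
        return "denied"
    if stored.startswith(LEGACY_PREFIX):
        users[username] = modern_hash(password)  # transparent upgrade
    return "ok"


def legacy_accounts(users):
    """Accounts still on the weak scheme: the backlog a reset campaign must clear."""
    return sorted(u for u, h in users.items() if h.startswith(LEGACY_PREFIX))
```

The `legacy_accounts` count is the metric to watch: it should fall toward zero before the deadline, and anything left at that point gets the forced reset.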
- Measuring awareness - Speaking of security awareness (like not using weak passwords), whether someone has a clue tends to be fairly binary. They either get it (1) or they don't (0). Since most fall into the less than 1 camp, we continue to try to teach them right from wrong. Getting back into the archives a bit, I found this post on the Security Catalyst site about "measuring awareness." [13] Julie talks about three ways, but unfortunately I only count one in the post. It's a decent one, though: count the number of folks that have been taught. I also favor simple surveys to gauge the collective clue of the employee base. Finally, I think simple metrics like WHETHER YOU'VE BEEN HACKED due to some stupid user error are also pretty decent ways to measure the awareness of your minions.
- Now that's a chick you don't mess with - It seems Alan's wife Bonnie has a lot of pull over at StillSecure. Evidently she got sick of Alan being around the house (go figure!), so she made them get him an office in South Florida for him to park in. Turns out that office space came with an MSSP [14], so now Alan gets to wax poetic and philosophical about all things MSSP-like. I'm sure the NAC beat reporters are breathing a sigh of relief. I've been calling for consolidation in the MSSP business for a long time (and it's happened), but this isn't really what I had in mind. Not that there isn't a big and growing need for MSSP services, rather it's REALLY hard to have a services engine exist successfully within a software company. The metrics, models and mindsets are TOTALLY different. Well, I wish my friend good luck in integrating and making the deal accretive; he's got his work cut out for himself...
- It's hard even for a big company - Speaking of service entities residing within a software company, McAfee recently restructured some of the operational groups and separated out the SaaS activities into its own business unit [15]. Clearly, given the limited traction of Little Red's service offerings to date, this is a positive move. It also allows the unit to drive different sales models and go-to-market strategies, and that is critical. Selling and delivering services is very, very different than selling and shipping software. Remember the 3Ms: metrics, models and mindsets. But that won't make it easy. The new head of services, Marc Olesen, has his work cut out for himself as well.