December 17, 2009 - Volume 4, #40
Good Morning: I tend to be fairly grumpy, but no time more than during the holidays. I'm not a fan of the cold weather. And I've been a Xmas hater. That's right, I was Scrooge personified. Bah humbug was a mantra of mine from the time the lights go up in my neighborhood Thanksgiving weekend to the day after New Year's when (thankfully) most folks pull them down.
You know, this classic South Park song [1] says it all. But this year is different. I'm not sure whether it's the fact that the stress of my old job is now gone, or whether I've just mellowed out, but all the same - I'm not as grumpy. And I can appreciate the lights and even some of the pomp and circumstance of the holiday season. I didn't instantly hush one of the kids who spontaneously broke into a Xmas song.
Yet, I'm still human and there are the little annoyances. Like the guy whose lights burn up more power than an Eastern European village (hackers and all). I'm still not digging the constant sound of the Xmas Muzak pretty much wherever I am. A week ago I was having sushi with the Boss and the joint was playing Xmas tunes. Just can't see Santa digging on a Spicy Tuna roll, but maybe he does. Right after the big pull off the hookah.
And what's the deal with the emergence of Rudolph as a pitch reindeer? Come on now, if Santa uses AT&T's wireless network everyone is screwed. I can just imagine it, the dude is traipsing around the world at almost light speed, he calls Mrs. Claus to make sure she's got the hot cocoa ready when he gets home and the call drops. Maybe Steve Jobs can get Santa one of those new iPhones that run on the Verizon network...
I'm even kind of looking forward to Xmas day this year. I'll spend it as most of my ilk do every year. I'll go see a movie (maybe Up in the Air) and eat a Chinese food feast with my family. And I'll get to do some of those tasks that always get lost in the haze that is my to-do list. Like updating my web site.
So it's all good. I don't think I'll go caroling this year, but you never know about next year. But before you get any big ideas, don't be sending me any of those fruit cakes. You have to draw the line somewhere.
Have a great weekend.
Photo: "Santa has a side job" originally uploaded by ktylerconk [2]
Technorati: Information Security [3], CSO [4], Security Mike [5], Internet Security [6]
[7] The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com [8]
Follow me on Twitter: @securityincite [9] I'm not sure where I'm going, but I'll get there in 140 characters - or less...
Incite 4 U
- More "shortcuts" to PCI compliance - Arghhh. Just as I was in a happy mood, I see yet another "shortcut" story for compliance. NetworkWorld's Cisco blogger [10] has a nugget of wisdom: "By now we all know that the key to becoming PCI compliant is all about how well you can control the number of in-scope devices." Ah, not so much. A merchant with only 10 in-scope devices that gets pwned because they read this kind of crap is still pwned, right? What we all better know by now is that PCI compliance is NOT the goal. It's protecting the private data, right? So then there are 5 tips in the post about things like segmentation and tunneling and other stuff. Not sure I get the one about client certificates vs. tokens, but all the same. I kind of shut down when the first sentence shows this guy got hit with the security no-clue bat.
- Great, now we are all accountants - Santa takes a bit of time away from getting his house on wheels ready for the adventure [11] (good luck man, I tend to like to know my house is in the same place every day, but whatever floats your boat) to try to draw the parallel between IT folks and finance folks. You see, evidently finance folks understand that all of their actions will be audited and therefore they act accordingly. We IT yahoos have no idea, so we do crazy stuff. He suggests we build a "culture of compliance," [12] so everyone knows their actions will be audited and they'll do the right thing. How about building a CULTURE OF SECURITY? You know, where we protect data first and fill out reports second. I hope that's what Santa means, but the idea of a culture of compliance irks me. It's bad enough compliance funds everything we do, now everyone wants to make that the end goal. Which is just wrong.
- Attack of the Prediction Stories 1 - Now I'm starting to remember why I hated the holidays. All these freakin' 2010 prediction stories that say the same damn thing. More hackers. More breaches. We're screwed. Enjoy the Yule log and maybe OD on egg nog. It'll make the pain go away. Imperva is calling for "industrialized hacking," [13] as if that hasn't been the case for years. We all know there are warehouses full of folks in 3rd world nations banging away on netbooks hacking your stuff. And a move from "reactive to pro-active security." Man, the bile that just rose from my gut didn't taste too good. Come on guys. Mediocre attempt here.
- Attack of the Prediction Stories 2 - Next up on the prediction hit list is Russ Cooper from Verizon Business [14]. He's got some gems in there, like the social network sites will protect themselves. Ah, do you think Facebook wants to be a cesspool of malware? Miraculously they'll figure it out in 2010? Looks like Russ bypassed the egg nog and went right for the heroin. How about consumers getting smarter? Evidently he hasn't left his lake house in rural Canada in YEARS. If what I see in coffee shops or hear at holiday parties is any indication, consumers are on the express train to Dumbville. But he does pinpoint two predictions I'm digging. The first being China will be blamed for everything (shouldn't they be) and the other is that nothing of note happens to "non-PC's."
- Attack of the Prediction Stories 3 - Finally, let me call out a piece in CSOOnline getting predictions from security luminaries [15], including Mark Weatherford (CISO of CA) and Dan Kaminsky. There is stuff here from Weatherford on hiring and maintaining talent (good call) and moving some security functions into the cloud (ho hum). Kaminsky talks about how prosecution for cyber-crime will accelerate (that would be great) and some ineffective security techniques will be called out (much to the chagrin of Big AV). This one isn't bad as far as prediction stories go, but the only prediction I have is that the electricity required to power Kaminsky's ego causes a Xmas brownout in Seattle. Put that in your stocking. Yeah, I couldn't help it. It was right there calling to me. Like Russ Cooper's heroin.
- NSS kicks some IPS vendors in the nuggets - I tend to disregard most reviews and "certification" programs because, well, folks have this nasty habit of not biting the hand that feeds them. Except me maybe (remember the NetworkWorld debacle [16]?). So kudos to the NSS folks who call some crappy IPS products on the carpet [17] and actually print effectiveness results. Of course, in the press release they don't say which vendor got 17% effectiveness (it was Juniper [18]) and which was 89% (yay for SourceFire), but I'm sure the happy vendors plunked down their $1800 to buy the report and will be happy to share it with you. The sad vendors are, well, sad and trying to figure out how to poke holes in the methodology. Here's a hint: Kevin Tolly is waiting by the phone for your call. For $50K, he'll run a test that shows a 100% catch rate and make the problem go away.
- Hi, I'm Mike and I'm a... - In today's personal development selection, let's look at a post on the 37Signals blog called "Step one is admitting you have a problem. [19]" The point here is about work addiction and that the start-up world tends to breed many work addicts. They ask the right questions about time vs. effectiveness and the impact of that on your health. Is that work done between 10 PM and 2 AM productive? Is it good work? I guess during the holiday season the message is that we should be questioning everything and potentially acknowledging our problems and building 2010 plans to address them. And maybe relaxing a bit for the slog that is 2010.