October 30, 2006 - #145
Good Morning:
Fall back, baby! Over the weekend, here in the US anyway, we set our clocks back to standard time and gained an hour of sleep on Saturday night (or partying, if that's your thing). The extra hour was good, but I'm surprised by the effect a little sunshine had when I went out to the bus stop with my oldest daughter this morning. Although it was early, it didn't feel as early because it was light. Strange and clearly psychological, but a welcome change from the dark, dreary and cold bus stop runs of the last 2 months.
Today's theme is "going through the motions" and we have a lot of datapoints on that topic today. First, the FBI is going through the motions in protecting the TSA going through their own motions, given that a graduate student brazenly put up a web site to print out boarding passes last week (here [0]). You expected a different response? And you hear about some US agencies' attempts to apply security metrics (here [0]) and they are clearly going through the motions. Compliance is hard, so you see lots of organizations struggling and putting on their game faces about things like HIPAA (here [0]), but you guessed it - they are really going through the motions.
In blog-land, the debate is on about IDS/IPS and its usefulness (here [0]). Again. What these guys are forgetting is that lots of organizations just go through the motions and no one really argues when you want to buy IDS/IPS, so folks build it into the budget and then they buy it - regardless of what it does. Yes, these organizations are going through the motions. But Amrit questions whether we have stopped questioning (here [0]) and this is a great point. Lots of people go through the motions every day. Just like lots of computers are compromised, lots of networks broken into, and lots of fraud perpetrated. But that doesn't mean you have to accept that outcome.
Control the things you can control, and do the best job that you can. Don't accept the status quo and go home knowing you did a good job today. That much we all can do. Have a great day.
Top Security News
here [2]) that they are focusing on the wrong stuff, but this is how they are playing the game. So no, Chris Soghoian will not pass go and he won't collect $200. He'll be lucky if he just gets a slap on the wrists.
http://blog.washingtonpost.com/securityfix/2006/10/boarding_pass_hacker_gets_visi_1.html [3]
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9004538 [4]
http://www.gcn.com/online/vol1_no1/42400-1.html [5]
http://www.cio.com/archive/101506/comply.html [6]
http://www.infoworld.com/article/06/10/26/44NNemailauthentication_1.html [7]
Top Blog Postings
http://www.stillsecureafteralltheseyears.com/ashimmy/2006/10/the_peak_of_inf.html [8]
http://techbuddha.wordpress.com/2006/10/30/the-allegory-of-the-cave/ [9]
http://securitysauce.blogspot.com/2006/10/sourcefire-files-s-1.html [10]
http://securosis.com/2006/10/27/risk-management-set-your-domain-experts-free/ [11]