November 2, 2006 - #148
Good Morning:
It's Thursday and I know I've been pretty quiet on the blog. I'm not an excuses kind of guy, nor do I apologize for much (just ask my wife), but it's been as busy a week as I can remember. Lots of both personal and professional activity that has kept me on the go from sun-up on Monday and will keep me going through tomorrow morning. I'll be casting my vote this morning in next week's election (in GA you can vote up to a week ahead of time) and then taking the boss to see Josh Blue [1] tonight. If you don't know of Josh, he is a comedian with cerebral palsy. He won the Last Comic Standing contest this summer and is really inspirational, while being funny as hell. So I'm really looking forward to seeing him in person tonight.
But enough about me, I feel compelled to poke some holes in some of the stuff I've read today. First, encryption does not equal secure email (here [1]). This article talks about a secure email strategy and leads with encryption. That's kind of like reading James Joyce or Homer as one of your early chapter books. OK, sorry about the random literature remark. No, I don't have my Dennis Miller costume on today. But my point is that of all the things I'd start with in securing my email, encryption ain't it. Next up is a tip on how to harden your network posture and stop zero-day attacks (here [1]). The only problem is that nothing the guy says really stops a zero-day. Details, details. Do these editors not get that people actually read this stuff, and sometimes they even follow the advice? Sheeesh.
In blog-land, let me point to one of the burning questions of the day. Are all the contributors on the Security Catalyst site bald (here [1])? There is a bald guy right in the banner, so is that a bad assumption to make? Anyhoo, a new contributor with a hairline to be named later, Joe Knape puts up a post railing on those railing on passwords. Maybe I'll make my new password that everyone knows "I!!AM@@NOT##BALD$$" - that's pretty strong, no? What about those layers? Michael Wright tells a good story (here [1]) about how a layered approach (yes even including IPS) avoided a nasty situation for him. Have I mentioned the importance of layers lately?
Have a great day.
Technorati: Information Security [2]
Top Security News
here [3]). The event went well (I was on my game) and we had a lot of great questions from the audience. So when I looked into my articles from last week and saw this Network Computing piece on email security, I figured it was timely. My problem with the article is that it seems to equate encryption with secure email. That couldn't be further from the truth. Encryption is maybe 10% of the requirement and a pretty specialized one at that. Besides that little issue, the article does a pretty good job of briefly discussing the main options for email encryption and also a bit on stopping spam and viruses at the gateway. They finish up with a little on securing mobile devices (which I don't think is really an issue as long as the device is password protected and will blow up if a brute force attack is attempted). Overall, this is a decent overview - but I think my recent webcast did a better job of summing up the issues. But maybe I'm a bit biased.
http://www.networkcomputing.com/showArticle.jhtml?articleID=193302955 [4]
http://www.esj.com/news/article.aspx?EditorialsID=2249 [5]
http://searchwindowssecurity.techtarget.com/tip/0,289483,sid45_gci1226686,00.html [6]
http://www.emc.com/news/emc_releases/showRelease.jsp?id=4696 [7]
http://www.symantec.com/about/news/release/article.jsp?prid=20061101_02 [8]
Top Blog Postings
http://www.securitycatalyst.com/2006/11/01/the-death-of-passwords-is-premature/ [9]
http://mcwresearch.com/archives/338 [10]
here [10]) to simplify his complicated data protection hierarchy, he's actually doing that. Crap. And even worse, it'll only be available for Gartner clients. Double crap (unless you are a Gartner client, of course). Yes, I'm joking. I look forward to picking apart Rich's latest creation, as a little birdie is sure to send me a care package, and I agree with Rich that this dialog between us professional windbags is new, exciting, and helps to advance security thinking for everyone. But Rich did throw us a bone by repurposing a Gartner press release from this summer providing 5 steps to protect your data. So as to not raise the ire of Gartner's brand police, I'm not going to reprint them here either (check out Rich's post) - but this is good, tactical advice. I've got some ideas as well on how to simplify how we talk about data security, but I'm not giving anyone any more ideas until I have it done.
http://securosis.com/2006/11/01/top-five-steps-to-prevent-data-loss-and-information-leaks/ [11]
http://blog.ferris.com/2006/11/todays_state_of.html [12]