Published on Security Incite: Analysis on Information Security (http://securityincite.com)

The Daily Incite - March 8, 2007

By Mike Rothman
Created 2007-03-08 10:46
Today's Daily Incite

March 8, 2007 - Volume 2, #41

Good Morning:
I owe many of you an apology. Yesterday's email version of TDI didn't go out until after 2 PM EST. Of course, it was done pretty early yesterday morning and posted to the blog before 8 AM. But much to my chagrin, my outbound email provider - AWeber - was down until 2 PM yesterday. Well, not down. But you couldn't get into their interface to do anything, so it's all the same to me.

And that's what I want to rant about today. Managing customer expectations, coming clean when you have a problem, and having a fall back position. AWeber failed miserably on all fronts yesterday. Absolutely miserably. First, they decided to do a major upgrade during the week. Sure it was supposed to happen overnight, but it wasn't done by the time business starts in the US. That's a no-no. So when I tried to log on, I got some useless message saying the site was down for "periodic maintenance." At 8 AM EST in the morning? No way.

At about 11 AM I actually called. I was working with a client and we took a little break. My heartburn was in overdrive over not being able to send out the newsletter. So when I started asking the customer support rep what was going on, he repeated the company line - periodic maintenance. That's when I lost it. WHAT!?!?!?! Only an idiot would do maintenance in the morning, presumably when most of the email newsletters need to be sent.

So I went down the path of the bungled upgrade. This guy had the gall to tell me that they were just doing a bit more testing on the new interface before it went live. It was like I was born yesterday. I've been in technology for about 20 years. I've seen bungled upgrades. This was a bungled upgrade. The time for QA is NOT when you have thousands of clients out of business because the system is down. I just wanted the guy to say - yeah, we screwed up and we are working our asses off to get things back up. Come clean. It's not like I didn't know what was going on. It was obvious. But the guy on the phone seemed like a boob for toeing the company line.

Finally, AWeber should have had a rollback plan. Clearly the upgrade didn't go smoothly, so they should have rolled back to the previous version by 7 AM. It's a web application; it's not like they had already sent out 10,000 CDs. You work out the kinks and do the upgrade the next night. It's not that hard. People depend on their service and it's their responsibility to keep it up and running. The interface upgrade is AJAXy and nice, but it wasn't worth being down for most of a day.

But now we get to the real problem. These folks are commodity mail blasters. They have thousands of customers who pay about $100 a year. So I could go elsewhere, there are about 1000 of these companies to work with. But would it make a difference? As Hoff says, you get what you pay for and sometimes that's true. But it's the simple things that can make screw-ups go down a lot easier. Think about that the next time you screw something up.

Just a little reminder that there will be no Incite tomorrow. But if you need to hear me rant, sign up for the P-CSO newsletter (here [1]) - those go out on Friday. Have a great day.

Technorati: Information Security [2], CSO [3]


Top Security News

here [6]) shows Ed doesn't seem to know the difference between research and hacking. Or maybe he is using the developer's definition of "hack," which is to add some functionality, as opposed to the security guy's definition of hack, as in a bad guy doing bad things. Now if he's referring to research in this interview, where smart folks pick apart products to find the holes, disclose the issues responsibly, and make the products better - then I'm cool. I guess I object to his use of the word "hack." Something about it annoys me. He also seems to be hinting at the need to poke at your own systems, you know, a pen test. Speaking of pen tests, Ranum and Schneier are at it again in another point/counterpoint about pen testing (here [7]). There are enough caveats (and hot air) between the two of them to heat a small country. It's true, Marcus is right. Organizations should have a good security design and do things right. Maybe it's just me, but I like the idea of having someone else look over my shoulder every so often and keep me honest. That's what pen tests do, but ultimately you don't have to pen test your environment. The bad guys will be happy to do that for you.

here [8]), which features maybe the second most recognizable guitar lick in history (behind Clapton's Layla). But PCI is definitely in the limelight now and that means anyone who basically collects money from someone else needs to understand how it impacts them. There is plenty of information out there and hopefully as TJX is chopped into little pieces and fed to the fish for being stupid, folks will realize that it's pretty important to protect customer data. And it was a brilliant risk mitigation move for the credit card processors and banks. I'm sure they'll be reducing fees as their risk exposure reduces, since they'll blame the retailers for everything. Yeah, right. This tip by Joel Dubin provides a pretty good primer on PCI (here [9]). But keep in mind, a scan does not equal PCI compliance (the quarterly external vulnerability scan is one requirement among many in the standard), though many vendors will lead you to believe that. And even more vendors will lead you to believe their widget solves the problem. Tune out the noise and focus on what's important, which is that a strong security posture will get you PCI and pretty much every other kind of compliance.

here [10]). He hits the high points of the plan, especially having a contact list and defining a set of response steps. He suggests you actually talk to some of the decision makers BEFORE the brown stuff hits the fan, which is also sage advice. Overall, Kevin's plan is pretty consistent with a Pragmatic containment plan (there is much more depth on the topic in the P-CSO), which is a good thing. I don't see where Kevin recommends that folks practice OFTEN, and ultimately that is the key arbiter of whether you will contain the damage.



The Laundry List

MessageLabs upgrades their email scanning for content and images. Big whoop. - here [11]

Top Blog Postings

http://www.realtime-itcompliance.com/information_security/2007/03/how_good_are_the_security_prac.htm [12]

http://ravichar.blogharbor.com/blog/_archives/2007/3/5/2783486.html [13]

http://infosecplace.com/blog/2007/03/06/texas-house-says-ssns-not-private-data/ [14]


Source URL:
http://securityincite.com/blog/mike-rothman/the-daily-incite-march-8-2007