Published on Security Incite: Analysis on Information Security (http://securityincite.com)

The Daily Incite - March 19, 2007

By Mike Rothman
Created 2007-03-19 08:46
Today's Daily Incite

March 19, 2007 - Volume 2, #46

Good Morning:
It's an ADD day. That means I have so much on my mind, I'm not sure what will come out and whether there will be any rhyme or reason. Kind of like a stream of consciousness rant. First, after looking at my NCAA basketball brackets, I come to the conclusion that once again it is March SADNESS, not madness. Hardly any upsets, a few exciting games, but it was pretty status quo. And my brackets are a mess. Hopefully this upcoming weekend will be more exciting and I can salvage one of my brackets.

Next up is the weather. What the F? And while I'm throwing some F-bombs, save one for Delta. The best laid plans to go have a boys weekend in NY were scuttled by 12 inches of snow in the Northeast. The nerve. What about global warming? This isn't supposed to happen and certainly not when I'm supposed to be traveling. Big bummer. Even worse was the two hours I spent on hold with Delta trying to salvage my flight plans. When I finally got through (to some jackass in Bombay), the earliest I could get to NY was Monday afternoon. Since I was supposed to return on Monday afternoon, it wasn't going to work. Then I had to wait on hold again to get my money back. F snow, F Delta, and F Mother Nature. Thanks, needed to get that off my chest.

That old adage, "you don't know what you got, till it's gone" (I think that was a Cinderella song - the hair band, not the Princess - from the late 80's) is absolutely true. Foldershare (my sync program) was behaving badly most of last week and I really missed it. The ability to have everything in sync between my various devices has become the foundation of how I work. I instantly looked for similar solutions and found nada. Thankfully by this AM, all was well in Foldershare-land. For a free service (offered by Microsoft), their service folks were remarkably responsive. Not that I feel compelled to pay Microsoft more money, but if they asked for it - I'd gladly pay.

Finally, not sure about you folks, but I have a busy busy busy busy week ahead. Lots of client deliverables to get over the finish line. Need to prep for a few strategy sessions next week. Doing a speaking gig here in ATL, and need to push forward on my big announcement at the end of the month. No rest for the weary as they say. But better to be busy, than not. And I will be eating my own dog food and constantly prioritizing and re-prioritizing my activities based upon business value. When you have too much to do, and not enough time to get it done - that's the only way I know how to do it.

Have a great day.


Top Security News

here [5]). The wheels of Big Media start to turn and the blogosphere will react in kind. I guess I contribute to that, but hey - you got to pay the bills, eh? The biggest news peg (called out by Shimel already here [6]) is that the bad guys are now selling multiple pieces of identity data, basically enough to compromise your identity for $18. Seems cheap, no? Krebs covers this data point as well here [7]. The point is that identity information is plentiful out there and that means prices are coming down. As Alan points out, that doesn't mean that all of those $18 identities will be compromised. But they could be. That's why I pay "insurance" to a company called LifeLock [8]. I hope I never need it, but if I do - I'd rather have these folks fight the battles with the credit rating companies. I've got too much other stuff to do. Another interesting tidbit in the report is a 30% sequential growth in bots. Makes sense given the rise in spam and ID theft.

here [9]) and effectively frame out the problem. I don't need 6 steps, since my process is 4. Identify what data is important and where it is. Profile it (sometimes called fingerprinting) to make sure you'll know when it goes somewhere. Protect it (using layered gateways and endpoint offerings), and finally report on it (to keep the auditors happy). ComputerWorld also added the steps of limiting user privileges, and centralizing intellectual property - which tend to be very difficult in practice. 

here [10], Infonetics link here [11]) to pat himself on the back that he was right about networking equipment subsuming network security functionality. It's true, it's the trend and as organizations refresh their campus infrastructure over the next two years, why wouldn't they build in some security? They will, but as Hoff points out (here [12]) we do have to worry a bit about mono-culture. And I think Hoff gets a little more leeway than Dan Geer did at @Stake to call bunk (especially when it bolsters his employer's positioning, as opposed to endangering a huge contract with Microsoft). That's why I'm calling for a separate "assurance" function in larger enterprises. Operations is responsible to get things done and keep them secure. Assurance makes sure it happens. And no, these are not glorified auditors. We are talking a STRICTLY SECURITY function. It's step 10 in the P-CSO [13] if you want to know more.


The Laundry List

RSA gets into the Trojan takedown business. Opens opportunity for Durex and Lifestyles. - here [14]
Month of MySpace bugs begins. High schoolers panic. Pedophiles rejoice. - here [15]
FullArmor offers the endpoint side of NAC. Figures it can compete with free. - here [16]
GuardianEdge integrates a bunch of endpoint technologies (encryption and device control), AV suite next? - here [17]
Fortify fortifies .Net applications. - here [18]
Is 7 a lucky number? Vontu will find out with the release of its release 7. - here [19]

Top Blog Postings

here [20]). He says AV isn't an answer when the brown stuff hits the fan and that customers are better off rebuilding compromised machines (as opposed to cleaning). Right on. The other 3 are equally important. His second piece picks up on Joanna Rutkowska's points in the press last week about detection. I disagree a bit in that the industry has been focused on detection since day one. That's what AV is after all, and it used to be called intrusion DETECTION way back when. Her point is that folks have become enamored with stopping the problems, but in reality - you can't. Richard makes the same point. We need to react faster and that's why I'm a big fan of behavior analysis (or Richard's term, network security monitoring) because the best way to know something is amiss is when you see wacky network traffic patterns.
http://taosecurity.blogspot.com/2007/03/way-to-go-joanna.html [21]

sang [22], "Free, free, set them free." CSOs set the program and work with the ops teams to implement it. As security becomes an integral part of everything, I don't see it working any other way.
http://www.computerworld.com/blogs/node/5188 [23]

http://blogs.techrepublic.com.com/security/?p=180 [24]



Source URL:
http://securityincite.com/blog/mike-rothman/the-daily-incite-march-19-2007