Published on Security Incite: Analysis on Information Security (http://securityincite.com)

The Daily Incite - April 23, 2007

By Mike Rothman
Created 2007-04-23 09:19
Today's Daily Incite

April 23, 2007 - Volume 2, #66

Good Morning:
Traveling on Sunday is a kick in the groin. Sometimes it's unavoidable, like yesterday. I've got a morning speaking engagement today, so I physically couldn't get there in time by leaving Atlanta this morning. But it really screws up your Sunday. I left pretty late, so I had most of the day with the family, but I found myself looking at the clock and not enjoying the time as much as I should have.

Which is too bad because the kids were exceptionally funny this weekend. My oldest has been doing pretty well and we give her points (actually stickers on a poster board) when she takes care of her chores, gets a perfect progress report from school, etc. She got enough points last week to get a gift. She picked a kids camping set, complete with tent and sleeping bag. I'm not big on camping (something about pine needles in my underwear isn't too interesting), so I offered to set up the tent in the basement and I could sleep down there with her. We'd do our own little camping trip.

But she figured, why not just put the tent in her room? So that's what we did. It was very cute to see her sleeping in the tent on Saturday night. She is my daughter though, so by the next morning she was back in her bed. Guess camping to her means a 3-star hotel... It was also cute to see the kids playing in the tent on Sunday afternoon, until I had to leave for the airport. Arghhh.

Seems the investment bankers aren't taking any time for camping trips. A few more mega-mergers today, including Astra-Zeneca buying MedImmune (here [1]). This one hits a bit close to home because MedImmune is headquartered around the corner from my brother-in-law in Maryland. That boxy looking white building is worth $15 BILLION. I guess it's what's going on in there. A big merger in Europe also, as Barclays and ABN Amro are merging (here [2]). That one is for $91 Billion, though I'm not sure if that's dollars or drachma.

I know what you are thinking, who cares? What's a few more big ass mergers? Actually there are always security implications to these mergers because when mixing up two cultures, integrating systems and platforms, and changing brands - there is risk all over the place. The CSOs of the acquiring companies are always busy, hopefully doing due diligence before the deal closes (to make sure there isn't a deal-breaker), but more likely going in right after the deal closes to figure out where the holes are.

Then the painful integration starts. Evaluating people, looking at protection, defenses, and controls. Figuring out what needs to stay and what needs to go. All this while the rest of the business is presumably operating at acceptable organic growth levels. Yeah, there are security implications in big deals, and this was a good opportunity to remind folks of that.

On Friday I announced the first P-CSO Bootcamp, which now needs to be moved from early May to early June. It seems the first date I picked conflicts with another analyst firm's annual security conference (you know the guys, start with a G and end with -artner), so I'm revisiting the date (here [2]). Regardless of where and when (those are only details, right?), sign up now; there are only 10 spots available.

Have a great day.

Technorati: Information Security [3], CSO [4]

The Pragmatic CSO [5]
The Pragmatic CSO is Here!

Read the Intro and Get "5 Tips to be a Better CSO"

www.pragmaticcso.com [6]

Top Security News

here [7]. He gets $10,000, a friend of his gets the Macbook (because he was at the conference), and Mac fanboys get a lot of angst. So let's go over this again. NOTHING is 100% secure. Smart guys (like Dino) can break your stuff, and it will only take a few hours. Overall, I think the Macbooks actually did pretty well, though it just goes to show that nothing is totally safe, layers are critical, and you should be careful what you are surfing to, since it was a client-side exploit that did the trick. Another interesting article about 0days is here [8] at TechTarget. The conclusion? Finding 0days is hard, and working with the vendor can also be challenging. That's why I have a lot of respect for the security research community. They are very smart folks, and call them "hackers," "white hats," or whatever, they are finding things and pushing vendors (hopefully responsibly) to fix things. That's A-OK in my book.

here [9] about basically botnets competing with each other. They patch a compromised machine so someone else can't compromise it. Kind of entertaining. But the idea that bots are commodities and the bot masters are attempting what seem to be "hostile takeovers" of someone else's assets is kind of weird. But this is the free market economy (even if this stuff is practiced where the economy isn't exactly free) at work. Though it will be interesting to see how the investment bankers figure out a way to profit from these "transactions." You know some low-level i-banking grunt is getting reamed right now because he missed out on the fees of some dude in Romania taking over a Brazilian botnet.

here [10]. The reason I call it the skinny is that it's pretty thin. Not the analysis that was done, but basically only Cisco and Juniper were evaluated. That's pretty skinny to me when there are 20 or so other providers that can bring solutions to market. Restricting an analysis of a big market category to two vendors, one of which is not really considered a leader in the space, seems light to me. You know, skinny. Neither is known to have groundbreaking technology either. But the conclusions are what you would expect: pre-admission stuff works pretty well (after 3 years, it better), but post-connect enforcement is tough and management is still a nightmare. But keep in mind, that's for THESE TWO VENDORS.
The Laundry List

  1. McAfee starts to "focus" on SMB renewals. Duh! That would be called market share loss in my book. - here [11]
  2. Mainframe security for the mid-sized company??? Talk about being house poor, but I guess there are lots of suckers buying big iron in that segment, which amazes me but they need security too. - here [12]
  3. The security lobbying group, CSIA, wants a federal breach notification law. Complying with each state is too expensive? How about protecting your data in the first place?!?! - here [13]
  4. RSA jumps on the PCI bandwagon and partners with nCircle and Qualys to pull some more data into Network Intelligence. If it's a bandwagon, I guess RSA needs to be on it. - here [14]


Top Blog Postings

http://www.ethicalhacker.net/content/view/131/24/ [15]

http://www.realtime-itcompliance.com/identity_theft/2007/04/smbs_identity_theft_insider_th.htm [16]

http://www.securityskeptic.com/arc20070401.htm#BlogID609 [17]


Source URL:
http://securityincite.com/blog/mike-rothman/the-daily-incite-april-23-2007