May 8, 2007 - Volume 2, #75
Good Morning:
Have you ever noticed that some folks just have a very high opinion of themselves? These folks don't think twice about telling their life story to the guy three seats down in an airplane, basically yelling so the rest of us are subjected to the drivel. Now I'm glad this dude is so content with himself to think anyone cares, but at least do it at a manageable decibel level. When you are way louder than the engines on a 767, maybe it's time to get those ears checked.
Praise Steve Jobs and my iPod and noise-isolating headphones. Ray Charles (Genius Loves Company) was a pleasant diversion from the life story of that jackass. That brings up a big thing about self-esteem. Some call it confidence, others (pretty much those that don't have it) call it arrogance. It's pretty much a swagger in the way you carry yourself. It's something that is very hard to teach.
Another little aside, on the drive home from the airport on Sunday - I passed a beautiful black Ferrari convertible. Huh? Me in my Acura passing a Ferrari? You bet, the dude was going 55 in the middle lane. All that horsepower - going 55 in the middle lane. Besides it being somewhat hazardous, since no one in Atlanta drives 55, it was all about the show. That seems to be self-esteem run a bit amok, once again. Maybe it's just me and my security mindset - but I don't want anyone to know what I do, how much I have, etc. Sure, I buy things to make my life and that of my family comfortable - but showy displays of wealth just aren't my style.
Back to self-esteem. This week, I figure I'll give some people-management tips from all the times I screwed that up. I don't believe in a one-size-fits-all management style. Some folks need to be built up (those with low self-esteem), while others need to be put in their place at times. Some want to be micro-managed and others don't want to see you until the project is done or they run into a problem. You aren't going to change folks, so you need to figure out the best way to manage them.
That is, if you care. To be clear, if you don't, head back into the technical side of things. Your firewall and IPS don't need any motivation and they don't care about your latest exploits in your Ferrari going 55 in the middle lane. But that is some folks' comfort zone, and who am I to say it's bad? Just don't make the mistake of thinking you'll be successful as a manager. Technical skills don't mean crap when you are managing people.
Have a great day.
Top Security News
InfoWorld column [6] about why people fight changes that improve security? He uses a few examples, like folks that don't do simple things (like password protect your screen saver) or patch when a vulnerability exists. It's all about the pain. These folks don't feel the pain, so they aren't willing to make whatever change is necessary. And unfortunately, your words will ring hollow when you describe the pain and tell them how much it will hurt. Some folks just have to experience it for themselves. So let them. That's right, I said to let them fall on their sword - ONCE. Hopefully, once they have some major issue and it takes them a long time to clean it up and they take a shot to their credibility, they'll get it. If they live to fight another day, then they will likely be much more willing to chat about good security practices. I guess I still subscribe to the teachings of Pavlov - let them fry a bit and then help them learn from the pain.
InfoWorld article [7] should do the trick. The Storm Trojan, hidden in an encrypted zip file, makes your perimeter defenses moot. Again, you can choose to allow the files through, but then you better have some top-flight user security training, so they know what they should open and what they shouldn't.
SC Magazine's coverage [8] for a few more details. But as opposed to going through the motions (test, patch, repeat), maybe in this light month, take a look at your process. Do you test enough? Maybe too much. Would it be easier to deploy a tool? Is a patching tool enough or should you be looking at a configuration management engine? You should always be trying to improve the system and the process. Then you'll have time to focus on the things you really need to get done.
The Laundry List
- 25% don't secure wireless. Long live Jericho. Too bad these folks don't seem to know they are obviating their perimeter. - Dark Reading [9] column [10]
- No slowing the malware train. In this month's stats round-up, spam volumes explode and web attacks predominate. Starting to feel like Groundhog Day. - Postini press release [11], SonicWALL press release [12], Fortinet press release [13]
- TripWire still standing after 10 years. Is that something to celebrate? - TripWire press release [14]
- In the maybe better late than never files, Secunia enters the vuln scanning game. Though leveraging their alerts database is a bit different, though not unique. - Naraine blog post [15]
Top Blog Postings
http://jeremiahgrossman.blogspot.com/2007/05/how-to-check-if-your-webmail-account.html [16]
http://www.terminal23.net/2007/05/seven_things_sysadmins_forget.html [17]
http://rationalsecurity.typepad.com/blog/2007/05/clean_pipes_les.html [18]