Published on Security Incite: Analysis on Information Security (http://securityincite.com)

The Daily Incite - May 14, 2007

By Mike Rothman
Created 2007-05-14 08:33
Today's Daily Incite

May 14, 2007 - Volume 2, #78

Good Morning:
Another Monday. It's hard to believe but this school year is pretty much over, down here in the South anyway. The twins have one week left and Leah two weeks and then "school's out for summer." It's actually pretty cute, since the kids still like school, they think it's fun. Which is great, I hope they always think that way. They probably won't, especially with all the pressure to achieve nowadays, but we can hope - right?

It was also a big weekend around the house, with it being Mother's Weekend and all. Right, it's not just a day - it's a weekend. I figure next year, it may be an entire week. We started the festivities by seeing Gwen Stefani on Friday night and she put on a great show, despite torrential rains as everyone was entering the joint. Nothing like having a soaked-through shirt and shorts for a few hours. But it was fun.

Then we did the typical weekend: I get up and head to the gym with the kids each day while the Boss kicks back and enjoys the silence. I do let her sleep in on Mother's Day, which is nice since the twins are battling the Rooster for break-of-dawn wake-up duties. Finally, we've got our neighborhood garage sale this week, so it's time to get rid of all the crap that has accumulated over the past year. It really is scary how much stuff piles up. My new favorite toy is actually an old piece of equipment - the trusty hand-truck [1]. I love my hand-truck. 250 lb TV, no problem. Treadmill - quick work. Did I mention that I love the hand-truck? If you don't have one, you are missing out.

Though this year's garage sale will be a little weird, since we are selling the cribs and a big-ass double stroller. It really hits home that the kids are growing up. It's a good thing, since the twins are almost human now and hold "sort of" conversations. We're not ready for Relativity yet, though they are very conversant about Buzz Lightyear [2]. I wonder what Einstein would say about Buzz? The days of inert blobs of mass just hanging out and drooling on themselves are gone, for about 70-80 years anyway. I guess I should start looking forward to the days when they are changing my diaper and putting a bib on me, so I don't drool through my dentures and ruin my shirts.

On that fine note, have a great day.

Technorati: Information Security [3], CSO [4]

The Pragmatic CSO [5]
The Pragmatic CSO:
Available Now!

Read the Intro and Get
"5 Tips to be a Better CSO"
www.pragmaticcso.com [6]
Pragmatic CSO Bootcamp
Maiden Voyage

June 6 in Atlanta

Sign up Now!
Only 10 slots (and they are filling fast)

Sign up for the P-CSO bootcamp [7]

Top Security News

acquiring CyberTrust [8], Verizon gets a much bigger brother to their NetSec MSS operation (brought in with the MCI deal) and a global footprint, which every bit hauler needs to get. No word on price, but the rumor mill has it in the 2x revenues range - which is actually pretty good for a services-only play. Strategically the deal makes sense for Verizon, but it'll depend on how much of the security DNA stays around once the deal closes. Security intelligence, ICSA Labs, and a lot of research were the hallmarks of my former employer (I worked for TruSecure, which was one of the pieces of CyberTrust) - but those assets walk out the door every night. Retaining those folks needs to be a top priority for the Verizon brass if the deal has any chance of success. It'll also be interesting to see if Verizon as an entity buys into CyberTrust's Security Management Program and eats their own dog food. They are doing a conference call [9] this morning, but it's only a bunch of marketing folks - not even the CEO of CyberTrust. Guess he's too busy counting his money. 

Security MVP article [10] is pretty good. Gideon Rasmussen talks about the need for even security people to understand business and get a line-of-business orientation for their security operation. Sounds very Pragmatic to me. He mentions the importance of "business partnerships" and also the fact that it will likely be a cultural shift for most of the technically-oriented CSOs out there doing their thing. I agree with this stuff wholeheartedly.

Comodo says they can do it for $100 [11]. This sets the wrong expectation for customers, but unfortunately there is no accountability required at any level of the stack to prove it one way or the other. I'm sure TJX did some scanning and look where it got them. A scan does not equal PCI compliance, but I'm sure I'll be saying that until I'm blue in the face. What happens if one of these $100 customers is nailed? Probably nothing. Maybe some enterprising beat reporter will pick it up and throw a few stones at these boiler-room scanning houses, but their customer base doesn't read InformationWeek or SearchSecurity. So this shell game will continue on, and the only good news is that statistically most of these folks won't be targeted, thus they won't be owned, thus they'll think it's $100 well spent. It's not.

The Laundry List

  1. Those that forget history are destined to repeat it. Tim Wilson reminds us that we've seen most of these "new" security issues before. - Dark Reading Column [12] [13]
  2. Cyveillance will tell you if that phishing attack on your brand also contains malware. Like that matters. - Cyveillance press release [14]
  3. Blue Coat's K9 gets an Australian kudos, and will leave on walkabout for a year or two. - Blue Coat press release [15]

Top Blog Postings

http://www.emergentchaos.com/archives/2007/05/what_me_worry.html [16]

http://www.roer.com/security/archive/2007/may/Two_Factor_authentication_foolproof_and_supersafe [17]

[18] Chris Hoff uses Gunnar's recent Security Architecture Blueprint as a way to discuss Chris' long-lost work on Unified Risk Management - whatever that means. I guess the term Unified Threat Management was taken, so there you go. Actually, someone as smart as Chris always seems to find a way to complicate things dramatically. And that's my biggest problem with the URM. Not that it's wrong; it's actually right. But it's not really comprehensible to the great unwashed. At least Gunnar uses terms that most folks have heard of before (like SDL and Domain Metrics). Chris liberally lathers on a bunch of frameworks (like a risk assessment framework and an IT ops and management framework), but the colors on Chris' diagram sure are pretty. I also know that Chris has eaten his own dog food and used this kind of approach when he was a CSO-type. So, as opposed to keeping things at a very high, architectural level, it would be very helpful to hear about how this stuff works in practice. Most of the folks I know actually have to do things, as opposed to study them.
http://rationalsecurity.typepad.com/blog/2007/05/unified_risk_ma.html [19]



Source URL:
http://securityincite.com/blog/mike-rothman/the-daily-incite-may-14-2007