Published on Security Incite: Analysis on Information Security (http://securityincite.com)

The Daily Incite - June 28, 2007

By Mike Rothman
Created 2007-06-28 09:37
Today's Daily Incite

June 28, 2007 - Volume 2, #100

Good Morning:
ONE HUNDRED. That's right, I couldn't have planned it better. Incite #100 for 2007 on the last writing day of the first half of the year. That puts me on pace to deliver about 200 this year, which is about what I planned. Actually, I didn't plan much of anything - but it's great when a plan comes together.

I certainly am thankful for the readership growth I've seen in 2007. I've always said, I write the TDI for me - but it's nice to know that other folks find a little value in it. Makes it worth doing on days like today, when the kids woke me up 4 times last night and the idea of catching a few zzzz's on the couch is pretty compelling.

So to celebrate big #100, I thought I would answer a set of questions I get pretty frequently. Maybe I should come up with a new term. Hmmm. How about FAQ for frequently asked questions? That's pretty catchy. I'd better be careful, or someone may confuse me for a marketing guy, or maybe a plagiarist (cough. Hoff [1]. cough. cough.).

  1. How do you keep up with all that news? - Well, I track over 350 feeds in Google Reader (yes, I've given in to the new Borg), scan the newswires, get a lot of press releases via email and am constantly having conversations with folks on all ends of the spectrum to stay on top of things. That's my job and I love it. I'm an information junkie, so it's not like working to me. Things I find interesting I tag either news, blog or laundry in del.icio.us, and then I can easily get back to them when I'm writing the TDI in the AM.
  2. Will the TDI always be free? - Given the amount of work I devote to the TDI each day, I probably should charge for it. But I'm not planning on that anytime soon. I'm very fortunate to be paying the bills through the other parts of my business (book sales, strategy consulting, speaking), so there is no compelling need for me to try to monetize the TDI. I'll never say never, but right now I'm not planning on going all VentureWire on you.
  3. Isn't a daily newsletter too much? - Though it seems pretty funny, I've had people unsubscribe from the newsletter because there are too many of them and people fall behind. I guess I could do a weekly, but news happens pretty much every day, no? I guess I'll let you in on a little secret... You don't have to read every single TDI. Of course, you run the risk of missing a flash of brilliance (HA!) or finding out about something trivial going on in my world. But if the volume is too much, I say unsubscribe, or maybe go to the RSS feed [2], which gives you more control over when/where you consume information.
  4. What about other blogging besides the TDI? - My frequency of non-TDI blogging has fallen off the chart, and for that I apologize. It's really a time thing. With 4 monthly columns to write, the daily newsletter, on average 2-3 presentations for webcasts each month, my general research, and some new exciting products I'm working on - it doesn't leave a lot of time for other writing. But in early July I'll be revising my 2007 Incites and doing a special series called "Security Marketing Gone Wild," where I just poke at some really stupid stuff I've collected over the past few weeks. So keep the faith, I'll be back to it at some point.

So with that, I should start Inciting, as opposed to pontificating. Happy 100 to me and to you, and thanks again for reading. It's you folks (and your messages of encouragement and pokes in the eye when I get something wrong) that make this a great gig. Have a great weekend.

FYI: I'm taking the week of July 9 off. I'll be totally off the grid. No laptop, no phone, no nothing. The Boss and I are celebrating 10 years of marital bliss. So there will be no TDI that entire week.


Top Security News

rolling application scanner product review [7]. This time it's Cenzic. In general he likes it, though it's not real pretty. Guess the Cenzic folks forgot the memo about putting lipstick on the pig, since that's what sells. Worked for Watchfire and SPI, no? Ouch, that was harsh. Relative to product performance, Cenzic did well: fewer false positives and no false negatives, which is big - since that is the biggest time waster for all of these products. And these guys are pretty much the last man standing (in the scanner product game anyway). I should also point to a release the Veracode guys did this week [8] as well. They claim the industry is calling for "Security Insight." Hey, isn't that what I do? They also call their new Software Security Ratings Service a "pragmatic" way to do something that was hard for me to figure out since I'm only seeing red right now. Or maybe they are trying to kiss my butt. Hmm. Not sure about that. They are trying to be the Consumer Reports of software security - good luck with that.

ESJ interview with the CISO of Ohio State [9] (one of the few non-shill pieces on the site) is pretty instructive. Their environment is highly decentralized, so getting consensus on policy is challenging, but it seems they are using Cisco NAC for pre-admission control. Usually I'm more of a fan of post-admission NAC, but for a college - making sure devices are not cesspools before they jump on is a good thing. They also can't monitor much of anything, given the expectation of privacy and academic freedom. Ouch. Well, that takes away a huge set of defensive options. I guess their incident response plan better be top notch.

SearchSecurity coverage [10] is disturbing, but not shocking. It seems that there are some reports of PCI assessors pitching products and other solutions once the audit is done. I can understand where they are coming from (sure, they only want to help), but I think this is a very bad idea. It's that whole separation of duties thing. If you make it very clear (and yes, you should do this) that the auditor is NOT (did I mention NOT) going to get any follow-on work after the audit, then they are more likely to tell you what really needs to be fixed. Yes, I'm saying PCI auditors are like auto mechanics. Some will do the right thing, and others will sell you a new carburetor for your fuel-injected car, but only if you let them. Once the audit comes back, scrutinize the results, figure out what you really need to fix, what stuff you'll push back on, and then go find someone else to do the work. Remember, it's your ass on the line for the audit results, so you need to take ownership.

The Laundry List

  1. Security shorts are not clean. It seems many security products have security holes. NSS. Though it's hard to make the case that you should protect customers when your own stuff is a mess. - Dark Reading coverage [11]

Top Blog Postings

Kiwi practitioner called John Dierckx [12] (Andy Lark must be beaming) that talks about one instance where monitoring and an all-hands meeting were used to graphically get the point across about what is acceptable behavior and what is not. Now showing explicit video (even if it was pulled off someone's machine) won't fly in anal retentive geographies (like the US, for instance), but if you can get away with it - they say a picture says a thousand words. Well, a movie says a lot more than that.
http://www.emergentchaos.com/archives/2007/06/awareness_1.html [13]

stop getting hit in the face [14].
http://www.computerworld.com/blogs/node/5746 [15]

http://ddanchev.blogspot.com/2007/06/early-warning-security-event-systems.html [16]


Source URL:
http://securityincite.com/blog/mike-rothman/the-daily-incite-june-28-2007