Published on Security Incite: Analysis on Information Security (http://securityincite.com)

The Daily Incite - July 5, 2007

By Mike Rothman
Created 2007-07-05 08:15
Today's Daily Incite

July 05, 2007 - Volume 2, #103

Good Morning:
I'll admit that I'm a bit disoriented this morning. I didn't even drink yesterday either. Having a Wednesday holiday kind of does that to me. When I woke up this morning (or was woken up by a screaming boy at 5:20 AM), I wasn't sure if it was Sunday or Monday or what. But first things first, calm down the boy - then get back in bed. Wait 20 minutes for him to start up again. Calm down the boy (again), and get back in bed. Stare at the ceiling a bit, knowing there is no way I'm getting back to sleep. Get up, brush my teeth and get to work. 

But why does it still feel like Sunday? I'm not sure, but given the amount of stuff that needs to get done before I unplug on Friday - there will be no Sabbath for me today or tomorrow for that matter. Though I'll happily accept the disorientation to have a free day with the family during the "work week." Those of us that run our own businesses know that work gets done when work needs to get done - or your family doesn't eat. I'm happy to say the only work that got done yesterday was lathering scads of sunscreen on the kids.

We spent 5 hours at the pool yesterday and by the time we got home and showered, everyone was pretty much catatonic. Not even a few episodes of Justice League Unlimited could get a rise out of my crew. But the kids had a busy day. The weather was perfect and my neighborhood does a great job with July 4th. We have a DJ, a catered lunch, no "adult swims," and a pie contest. And swimming. Lots of fun was had by all.

Alas, today is a new day and even though it feels like Sunday - it's really Thursday. So it's time to make the donuts. Rant a bit. Incite a bit. Write a bit after that, and then start taking care of all of those niggling details that need to get done before we head off on Saturday. YES, VACATION!!! It's been at least 8 years since the Boss and I have gone away for a week without the rats. Yes, that's far too long.

So without further ado, I'll get on with the show and then I'll put the show on pause for a week. No TDI next week. No email or phone calls either. Whatever it is, it'll wait until I return to the office on July 16. Till then, be well and I'll be sure to drink something out of a pineapple with a little umbrella in it for ya - at least 100 times.

Have a great 10 days. I know I will.


The Pragmatic CSO [3]

The Pragmatic CSO:
Available Now!

Read the Intro and Get
"5 Tips to be a Better CSO"
www.pragmaticcso.com [4]

Top Security News

Dark Reading covers a user panel on "enterprise data protection" [5] in this article. Whatever that means. But the conclusions drawn from the panel are pretty good. First, encryption isn't a panacea, regardless of what PCI dictates. You want to use the "right" level of security based on what you are trying to protect. The CEO's laptop probably warrants some additional protections, relative to the receptionist's desktop - no? But within reason, of course. Maybe you categorize endpoints into 3 risk buckets (High Risk, Some Risk, Little Risk) and design a protection scheme according to the risk. Another good point made is the reality that many folks make things just too hard for themselves. A 15-character password that can't match any of the last 10 and has to change every 90 days? I hope they've got plenty of help desk staffers for all those password resets.

As Joel Dubin's SearchSecurity tip [6] points out, giving a service provider access to your systems is usually a bad idea. For lots of reasons, but the one I like best (and Joel doesn't mention this specifically) is that YOUR ass is on the line - not the service provider's. If a breach happens, even as a result of something the service provider does, who do you think is getting the hot poker in the eye? If you can't possibly figure out a reason why this is bad (that the CIO buys off on anyway), then at least make the service provider jump through a bunch of hoops to get that access. Make them prove to you that their environment is secure. That their personnel are vetted. That your data will be protected. And then monitor the crap out of whatever systems they have access to. Log stuff and make sure the service provider has no access to the logs and that the logs can't be tampered with. Tighten your thresholds on key system health metrics. Finally, segment those devices, so if a machine is compromised - the damage will be contained. There are times when you'll lose the political battle over 3rd party access, but don't lose the war.
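As an added example (not from this column or from Joel Dubin's tip), here is a small Python sketch of the last three controls in that paragraph: tamper-evident logging, a tightened threshold, and an alert when the provider's account reaches outside the segment (or the maintenance window) it was granted. The account name, host names, hours and log lines are all constructed for illustration.

```python
"""
Added example, not from the Daily Incite: review third-party (service
provider) access against the scope it was granted, and hash-chain the
log so any later edit of an entry is detectable.
"""
import hashlib
from collections import Counter
from datetime import datetime, timezone

# Assumed policy (constructed): the vendor account may reach only the two
# hosts in its segment, only during a 01:00-04:59 UTC maintenance window,
# and three failed logins on one host are enough to raise an alert.
VENDOR_ACCOUNT = "svc-vendor"
ALLOWED_HOSTS = {"vz-app-01", "vz-app-02"}
MAINTENANCE_HOURS_UTC = range(1, 5)
FAILED_LOGIN_THRESHOLD = 3

# Constructed sample log: "<UTC timestamp> <account> <host> <event>"
SAMPLE_LOG = """\
2007-07-05T01:12:03Z svc-vendor vz-app-01 login_ok
2007-07-05T01:15:44Z svc-vendor vz-app-02 login_ok
2007-07-05T01:16:09Z svc-vendor vz-app-02 login_fail
2007-07-05T01:16:12Z svc-vendor vz-app-02 login_fail
2007-07-05T01:16:15Z svc-vendor vz-app-02 login_fail
2007-07-05T01:20:30Z svc-vendor hr-db-01 login_ok
2007-07-05T14:02:11Z svc-vendor vz-app-01 login_ok
2007-07-05T14:05:00Z jdoe hr-db-01 login_ok
""".splitlines()


def parse(line):
    """Split one constructed log line into its fields."""
    ts, account, host, event = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"when": when, "account": account, "host": host, "event": event, "raw": line}


def review_vendor_access(lines):
    """Return alert strings for vendor activity outside the agreed scope."""
    alerts = []
    failures = Counter()
    for rec in map(parse, lines):
        if rec["account"] != VENDOR_ACCOUNT:
            continue  # only the provider's account is in scope here
        if rec["host"] not in ALLOWED_HOSTS:
            alerts.append(f"out-of-segment access: {rec['raw']}")
        if rec["when"].hour not in MAINTENANCE_HOURS_UTC:
            alerts.append(f"outside maintenance window: {rec['raw']}")
        if rec["event"] == "login_fail":
            failures[rec["host"]] += 1
            if failures[rec["host"]] == FAILED_LOGIN_THRESHOLD:
                alerts.append(f"failed-login threshold hit on {rec['host']}")
    return alerts


def build_chain(lines, seed="constructed-seed"):
    """Hash-chain the log: each digest covers the previous digest plus the line,
    so editing or dropping any entry breaks every link after it."""
    chain = []
    prev = hashlib.sha256(seed.encode()).hexdigest()
    for line in lines:
        digest = hashlib.sha256((prev + "\n" + line).encode()).hexdigest()
        chain.append((line, digest))
        prev = digest
    return chain


def verify_chain(chain, seed="constructed-seed"):
    """Return the index of the first broken link, or -1 if the chain is intact."""
    prev = hashlib.sha256(seed.encode()).hexdigest()
    for i, (line, digest) in enumerate(chain):
        if hashlib.sha256((prev + "\n" + line).encode()).hexdigest() != digest:
            return i
        prev = digest
    return -1


if __name__ == "__main__":
    for alert in review_vendor_access(SAMPLE_LOG):
        print(alert)
    chain = build_chain(SAMPLE_LOG)
    print("chain intact:", verify_chain(chain) == -1)
    # Simulate someone rewriting the out-of-segment entry after the fact.
    tampered = list(chain)
    tampered[5] = (tampered[5][0].replace("hr-db-01", "vz-app-01"), tampered[5][1])
    print("first broken link after edit:", verify_chain(tampered))
```

The chain only proves anything if the digests (or at least the latest one) are kept somewhere the provider's account cannot reach, which is the column's point about keeping the logs out of the provider's hands; the review function is deliberately strict because a vendor account has no business showing up outside its segment or window, so a tight threshold costs little.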

Entrust pre-announced a light quarter on JULY 4 [7]. I hear lots of investors in the US are paying attention on Independence Day. Come on guys? What are you thinking? The reality is ENTU stock will be punished today for not closing "big deals." And by shipping out the pre-announcement on a national holiday, they will look like jackasses. Like they didn't know on Tuesday? Or it couldn't wait until before the market opens on Thursday. It really is amazing that a company that has been public for years and has experienced board members would pull a stunt like this.

The Laundry List

  1. Trend jumps on the reputation bandwagon. Since no one else in the content security gateway business does reputation, Trend figures this is a differentiator. Ah, not so much.  - NetworkWorld coverage [8]
  2. The brainwashing is complete. Cisco users believe the security story. Resistance is futile. - SearchSecurity coverage [9]
  3. LogLogic review. Network Computing likes the box, though you need to know what you are looking for. I guess the ESP feature won't be ready until the next release. - Network Computing coverage [10]
  4. iPhone bugs? Shocker. Errata busted out the fuzzer and found out - it's a Mac, just smaller. - eWeek coverage [11]

Top Blog Postings

http://fraudwar.blogspot.com/2007/07/not-to-worry-check-processing-company.html [12]



Source URL:
http://securityincite.com/blog/mike-rothman/the-daily-incite-july-5-2007