Published on Security Incite: Analysis on Information Security (http://securityincite.com)

The Daily Incite - July 17, 2007

By Mike Rothman
Created 2007-07-16 20:50
Today's Daily Incite

July 17, 2007 - Volume 2, #105

Good Morning:
Get your motor runnin' - Head out on the highway - Lookin' for adventure - And whatever comes our way. Of course, the classic Born to Be Wild [1] from Steppenwolf. Well, this morning it's a pretty timely tune, since by the time you read this I'll have embarked on a roadtrip with my Dad. Today we drive - from NY to Atlanta. Since he doesn't fly and needs to be in FLA on Sunday, it doesn't leave too many options for transportation. I'm just glad and fortunate that I can peel off for a day or two and handle some of the roadwork.

There is just something about a roadtrip that makes me smile. My first experience with the roadtrip was watching Animal House. The Delta House is in dire straits, it's on its way out, things look pretty bleak, and what do you do? Of course, ROADTRIP. It just makes me want to shout. I can only hope no one wants to dance with my date along the way. And during my earlier years I did many a Winnebago trip from DC to Ithaca with my boys for Cornell Homecoming. Those were good times.

My Dad and I won't have a keg in the back (at least I don't think so). And since there are only two of us, there really aren't any straws to draw about who drives when. But we will be quite a connected car. I recently got EVDO (Parallels seemed to break my T-Mobile hotspot service, and after an activation nightmare, EVDO has been pretty liberating as well as more secure!) and he's got Cingular's 3G data service also, just in case. We've got a nav system to keep us on track and my 80GB iPod to keep the tunes flowing. Maybe we'll even break out the radar detector to make sure we don't replay Smokey and the Bandit. There are also a bunch of Starbucks along the way, so there will be lattes aplenty.

We've also got no plan, except to make it to ATL as soon as feasible. We'll probably drive south, but who knows? It'll be great. It's hard for both of us to take the time to do trips like this nowadays, but I'm glad we're going. The plan is to publish on Wednesday, but we'll see. No sleep till ATL!

Have a great day.

Technorati: Information Security [2], CSO [3]

Top Security News

Cisco, EMC and Microsoft are aligning in a new group pushing SISA [6] (Secure Information Sharing Architecture), that was my first thought. I guess I still have work to do with my shrink, eh? Then my Barney-meter went into overdrive. The reality is that information sharing amongst government entities is a huge problem, but it's not clear to me that a technology architecture will solve the territorial boundaries and competition between agencies that have prevented intelligence leverage. I can't be sure, but I don't think this is a technology problem. And sharing is also a bit opposed (like diametrically) to protecting the private information that exists in government coffers (VA anyone?). So over the horizon come riding the three technology horsemen (with a few donkeys like Liquid Machines and Swan Island Networks to lug the food) with a white paper and some off-the-shelf products to make everything better. Am I the only one who is mildly skeptical about something like this?

8 "sure-fire ways" to pass an audit [7] makes some good points. But the title really annoys me. I think the acrimonious and combative stance that most security folks have towards auditors has run its course. Yes, following some of these practices, like having consistent change management processes and giving users access to only the data they need, is certainly not a bad thing. But I think the best way to "beat" an audit is not to try to BEAT it at all. Some folks view an audit as a criticism of what you are doing. I view it as a milepost to figure out if I have 20 miles to go or just 5. Understand that they always seem to move the finish line on you, but if you don't have someone else come in and tell you where you're at, how do you know where you need to go? My approach to audit and compliance is probably a bit unconventional, but it makes sense and it works. Interested? Pick up a copy of the Pragmatic CSO [8] today and check it out (it's Step 12).

an "RFP" on pen testing in eWeek [9], I was intrigued. I like RFPs, since they give customers a way to learn about a technology category and sort of get an apples-to-apples comparison between different options. But I was disappointed by this effort. I don't think the information is really useful. It's more like a matrix. Do you support this feature or that feature? Yeah, that is sort of important, but I would have liked to see some explanation around each of the questions. Why would you ask that? Why is it important? Basically, to provide some context, not a laundry list of features. Forgive me, but that would have required some work. I should know better.

The Laundry List

  1. Is private equity coming to Big Yellow Land? It would be a big deal, and these guys look for cash cows - but this isn't a pipeline or an office building, and it's not in Kansas, Dorothy. Your "assets" can disappear in a hot minute. But it would generate lots of fees for bankers. - Naraine blog [10]
  2. Big Yellow helps low-income folks by partnering with One Economy to provide "Internet Safety" content to their portal. Of course, I'm not sure if the content will hit the target, but hats off to SYMC for working to educate a class of consumers that are frequent victims of cyber-crime. - Symantec release [11]
  3. Nice knowing you Alluria. EarthLink cheats on their in-house anti-spyware concubine and beds Sana. Must be Listwin's cool kimono. - Sana release [12]
  4. More security coincidence? Watchfire and Cenzic both announce new releases today. The difference? Watchfire has gotten their payday. - Cenzic release [13] Watchfire release [14]

Top Blog Postings

http://mycsosolutions.net/2007/07/10/communications-during-a-crisis/ [15]

http://1raindrop.typepad.com/1_raindrop/2007/07/building-securi.html [16]

http://blog.tenablesecurity.com/2007/07/can-i-use-nessu.html [17]


Source URL:
http://securityincite.com/blog/mike-rothman/the-daily-incite-july-17-2007