August 13, 2007 - Volume 2, #119
Good Morning:
Today is the first day of school here in ATL. Hard to believe the
summer is over. It really just flew by, but thankfully the kids still
think that school is fun - so they are looking forward to their new
academic year. The Boss and I will enjoy that as long as it lasts.
When they reach high school age, I'm sure they'll be all fired up for
that first day of school - NOT. It'll also be nice to get into a
routine again, since pretty much all bets are off during the summer.
And the traffic will increase noticeably
as well. The good news is I rarely run into too much congestion walking
from my kitchen to my office - so I'll hardly notice a thing.
Let's discuss the weather a bit. Not sure where you are, but in ATL
it's been hot as hell. Like thank God for air conditioning hot. Like
even the pool is hot tub hot. The one place I wouldn't want to be is
outside playing golf in the middle of Oklahoma. I'm surprised you
didn't have some golfers at the PGA spontaneously combusting by the
13th or 14th hole. But I continue to be thankful for high-def. There is
nothing like seeing the beads of sweat cascading off all the
golfers in HD. And you thought golf wasn't a real sport... Seeing Tiger
Woods winning yet another major (is he great or what?) was also pretty
cool. I was there when he won his first major in 1997 at the Masters.
If life is good, maybe I'll go again when he breaks Nicklaus' record 18
majors.
I also want to send a shout out to the folks that read my Symantec rant
and offered to send me their AV products. I do appreciate the help, and
I hope your products don't suck as well. Too bad no one offered to send
me an iMac for my troubles. Come on Apple, call me...
Finally, I'm going to shake up the TDI publishing schedule. Since
August tends to be pretty slow and I've kind of liked having Friday
off from writing, I'm going to do the TDI on Monday, Wednesday and
Thursday for a while. I'll resume publishing the Pragmatic CSO Weekly on
Tuesdays. If
you get the RSS feed, you'll still get some Incite 4 days a week. If
you aren't on the P-CSO mailing list, you can sign up at
www.pragmaticcso.com [1].
Lots to do, so I won't keep rambling. Have a great day.
The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com [5]
Top Security News
Michael Cobb tip on application firewalls [6]
that it was actually written in March. But it's a good piece and makes a
couple of points that are missed when you just throw a box in and hope
the problem goes away. Like the fact that deep inspection firewalls
gather more detailed log files. These logs can be used to figure out
if/what happened in the event of an issue. Another interesting aspect
is when/how to utilize VLANs and network switches to protect internal
networks, given the extra processing power required to do application
layer inspection at wire speeds. I'm not a big fan of throwing more boxes
at the problem, but depending on your applications and architecture -
an app-layer firewall may make sense.
Link to this [6]
Network Computing market overview goes into what is now called
"enterprise key management" [7]
and comes to an initial conclusion that the lack of a standard way to
manage keys is what's holding up the entire encryption market.
Having spent $30 million of someone else's money to prove there was no
real market for application-layer encryption/PKI in the late 90's, I
suspect there is a more fundamental issue. I railed a bit a week ago
about the lack of market demand for email encryption, and that is
applicable to the broader encryption business as well. Yes, there are
pockets of technology where encryption makes a lot of sense. And if you
have more than a couple of these use cases, then looking at an
enterprise encryption "utility" is worthwhile. But one of the first
sentences in the article really sums things up: "CIOs
don't roll out of their beds and think, 'Hey, let's sink a few hundred
grand into a cohesive enterprisewide encryption infrastructure.'"
Amen to that.
Link to this [7]
NetworkWorld's NAC newsletter [8]
is fitting nicely into that vendor/analyst mouthpiece outlet. This
week's edition looks at a survey done by Infonetics about why companies
are actually deploying NAC. But it seems they forgot the big one, which
is that NAC is everything network security. Actually the results are
kind of interesting in that the first reason is to "protect corporate
resources from unauthorized users" and the next big one is "limiting
the impact of security problems." Hmmm. What about making sure
everyone's patch level is up to date and AV is working? As I've been
saying, the action is around what I call Phase 2 and 3 of NAC. Check
out my NAC research from last year (including my NAC attack series) to
learn more.
Link to this [8]
The Laundry List
- It seems our shorts are clean today, so there is no laundry. That'll teach me to get the Incite over the finish line before 8 AM EST.
Top Blog Postings
http://robnewby.blogspot.com/2007/08/wheres-security-going.html [9]
Link to this [9]
http://www.liquidmatrix.org/blog/2007/08/10/security-vendor-bullsht-and-fud/ [10]
Link to this [10]
http://redmonk.com/sogrady/2007/08/08/identity-theft-i-guess-it-really-can-happen-to-anyone/ [11]
Link to this [11]