Published on Security Incite: Analysis on Information Security (http://securityincite.com)

The Daily Incite - August 24, 2007

By Mike Rothman
Created 2007-08-24 08:28
Today's Daily Incite

August 24, 2007 - Volume 2, #124

Good Morning:
I remember back to my wedding (scarily enough, almost 11 years ago) and we were trying to figure out what songs we didn't want the band to play. I took a hard line on the Chicken Dance [1]. I just couldn't imagine letting that fiasco play out amid the festivities of my nuptials. Although amazingly enough, the Boss and I took some heat about it from a guest. Let's just say I wasn't in much of a negotiating mood on my wedding day. But I relented on HOT-HOT-HOT [2]. I'm not a big fan of the whole Conga line thing, but for the first time of many - I bit my tongue, smiled a bit, and enjoyed the fact that everyone else seemed to have a great time.

I had that pretty random memory because the Sun Gods are hitting hard. It's friggin' hot in the ATL. On Wednesday it was 104, a record for all of August. That's the kind of hot that takes your breath away when you walk out of the A/C. I know some of my friends who choose to live in the desert will have little sympathy (104 is a cold spell for them), but I migrated southward to avoid nasty winters, not to cook eggs on my sidewalks. The kids can't even go outside for recess at school. It's that hot.

Yes, there is a point to this rambling, and it's not just that it's Friday and I'm mailing it in. Basically there are things that are out of your control - always will be. Like the weather. So if you have opened up shop in Jamaica, expect that a hurricane will rain on your parade at some point every year. Part of the skill of pretty much anything, but especially in security, is knowing what you can influence and what you can't. To bring it back to our security world, you aren't going to tell the Sr. VP of anything not to go after a multi-million dollar business opportunity because it creates security challenges. You aren't going to tell the CTO that the iPhone is a cool gadget, but get it off my network.

So we need to get good at planning for the inevitable. That's why I harp on incident response and containment in pretty much every speaking engagement, strategy session, water cooler chat and even phone call. You can't envision all the different ways you can get nailed, but you should try. And for those that you can visualize, make sure your defenses will maintain the integrity of your systems. For those you can't - make sure you practice your incident response plan - a lot.

And learn to enjoy the uncertainty. That's why you do this, right? If you want predictability, go work on an assembly line. But you don't. You made your bed, now you get to sleep in it. I'm just trying to make sure it's not a bed of nails.

Have a great weekend.

Technorati: Information Security [3], CSO [4]

The Pragmatic CSO [5]

The Pragmatic CSO:
Available Now!

Read the Intro and Get
"5 Tips to be a Better CSO"
www.pragmaticcso.com [6]

Top Security News

InfoWorld figures the business is maturing fast [7], which are code words for low growth and not too much excitement. Hoff makes a great point about whether security service providers are "more" secure or not, or whether it even matters [8]. To be clear, there are some activities that are better suited to a service - like vulnerability scanning (externally anyway), anti-spam, and firewall monitoring. Basically trained monkeys can do that, so you should be focusing on more "strategic" activities. And the news peg that elicited this rant is that hot on the heels of raising $50 million, Perimeter eSecurity is raising another $50 bills and acquiring USA.net [9] - a messaging service provider. But it kind of makes sense, based on what the eventual outcome for any independent MSP must be - an acquisition by a carrier-like entity. Carriers would love to sell email to their base as well, so security + email could be kind of interesting. But aren't those different buying centers? In a large enterprise - yes. In a mid-sized business, probably not. So this is an interesting deal; you just hope (for their sake) that they don't have a prohibitively high valuation that will make it hard to get an upstream deal done unless you can find dumb money (ahem, CyberTrust, ahem).

It took Monster.com about 5 days to disclose the data breach [10] where the personal information of a whole mess of grumpy job seekers, hoping that posting their resumes on Monster would result in a life of happiness and prosperity, got stolen. I can't answer the question about whether 5 days was too little or too much, but I can give you an idea about what you need to know before you disclose. You need to know what happened, how much was stolen, who was affected, and what you are going to do to make sure it doesn't happen again. Maybe not five 9's precision on what happened or who the perpetrator(s) were, but enough to know generally what broke, so that you can assure customers you will fix it. This ultimately comes down to a trust game, and I'd advise someone to have more information (even if it takes a few extra days) than less. Saying "we're screwed, we just don't know how big the pole is" doesn't engender confidence in your customer base. If you can't get that information after a certain amount of time, then you need to disclose anyway - but understand you're going to be pummeled (see exhibit A - TJX). Again, that's why I harp time and time again about incident response. It's going to happen to you, it's just not clear when.

The shockingly obvious conclusion from Current Analysis is that Cisco is leading the mindshare game for NAC [11]. NSS, arghhh. And in second place? Right, Microsoft - which doesn't even have a product. More arghhh. Second on the hit parade is the hardest working guy in the survey business, Larry Ponemon, being kind enough to take Redemtech's money to show that it's lost laptops that result in the bulk of data breaches [12]. Arghhh some more. Is that what it takes to sell a security product nowadays? You have to have some trumped up survey results to create some false urgency with an organization? I guess logic and good, old fashioned project planning are out of style. Arghhh. Finally, RSA gets Forrester's red-headed stepchild (that's the consulting group, for those of you that don't get how analyst firms work) to draw the once again shockingly obvious conclusion that most firms are reactive when it comes to data security [13]. Looks like I'm going to have to order some more Captain Obvious awards, since these folks are coming out of the woodwork at an alarming rate.

The Laundry List

  1. And who said Symantec wasn't an innovator? Now it seems EMC has gotten the "storage + security = something" religion. Maybe Tucci will dress as John Thompson for Halloween. - CMP channel coverage [14]
  2. SIM to "level off" at $1.18 billion in 2011? According to Forrester anyway. Guess times are tough in the qualitative research business, so they may as well start making up numbers like everyone else. Except me, of course. - Searchsecurity.com blog [15]

Top Blog Postings

http://ravichar.blogharbor.com/blog/_archives/2007/8/18/3166459.html [16]

http://www.emergentchaos.com/archives/2007/08/no_breach_notification_se.html [17]

http://infosecplace.com/blog/2007/08/17/product-knowledge-versus-real-knowledge/ [18]



Source URL:
http://securityincite.com/blog/mike-rothman/the-daily-incite-august-24-2007