September 4, 2007 - Volume 2, #128
Good Morning:
I'm not a big fan of doing the same thing twice. It seems the most
frequent words I say are "what did I just say?" My kids seem to need a
bit of repetition, as most kids do, but it still makes me crazy. So the
idea of having to fix something that I didn't do right the first time
just makes me nuts.
Over the holiday weekend I took some time to work through the Honey-Do
list that the Boss has been stockpiling for a while. The twins' B-day
party is next weekend and we are having a ton of family come into town,
so there was some urgency to get the things on the list done. First
and second were fix the towel and toilet paper holders in the kids'
bathrooms. Didn't I already do that? What could have happened, so I'd
have to rehang a towel ring? Oh yeah, my kids hang on the things, so
upon inspection it wasn't surprising that the crappy drywall anchors
(the winged plastic crappy anchors) I used didn't hold up. The threaded
drywall anchors didn't hold up much better and pretty much shredded the
drywall. Fun fun.
So out came the old reliable toggle bolts and the drill. I feel pretty
good that the towel ring will give out before the bolts now. I
should have used the toggle bolts in the first place. But it was easier
to use the crappy anchors bundled with the pieces. It all gets back
to using the right tools for the job. I tend to be somewhat creative and
very lazy, so I'll wrack my brain for 30 minutes trying to figure out
how to pry open a paint can with a butter knife, rather than walk
downstairs and get the paint tool. But the end result is pretty much
always the same. The butter knife is shredded, the paint can is not
open, and I'm 30 minutes behind.
The same lessons apply to security as well. A lot of us tend to be
fairly creative and there is definitely a time and place for
creativity. But trying to get an old firewall to do deep packet
inspection and detect Layer 7 attacks? It's not going to happen folks.
So use the right tool for the job. Unless you can get neither the money
nor the resources, and then you get to improvise. But don't be surprised
when they tear the anchors right out of the wall and you get to spend a
Saturday doing the same job over again.
Have a great day.
The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com [4]
Top Security News
this AP piece which talks about the 25th
anniversary of the first "virus," [5] I thought it would provide
a good background for many of you security newbies to gain some history
about our business. Just because I've
been doing this for a long time certainly doesn't mean I know much of
anything. I always figured the first virus was the Morris
worm [6], since I was at Cornell when it happened - I remember
what big news it was. You need to learn something new every day - so now
I can go to sleep, since my work is done.
a chat for NetworkWorld about NAC [7].
There is some interesting stuff in here, and Joel pinpoints a common
frustration that I have with NAC as well. It's the lack of standard
definitions and context for what NAC is supposed to do. Note that I
didn't say STANDARDS, I don't give a rat's ass about NAC standards. But
the lack of standard definitions is stunting this market. Too many
customers are too confused. And now Cisco is blending its 2 NAC flavors together into
something called OneNAC [8]? Yeah, that'll clarify things. Enough
VC money is being thrown around to gradually educate the market, but
it's frustrating that everyone is still trying to jump on the hype
train, since when that happens everyone loses.
The Laundry List
- Secure workstations, driven by virtualization, coming to the NSA soon. Hoff has a good write-up [9] about the impact of this type of "virtual everything" approach.
- VMWare release [10]
Top Blog Postings
http://securosis.com/2007/09/03/certified-site-hacked-no-compliance-checklist-or-certification-can-ever-make-you-totally-secure/ [11]
As Dan Miessler points out as well [12],
security people need to have a technical grounding - at least a bit of
one. He's right. I am seeing a lot of CSOs come from other parts of
the business and that's a good thing. They know how to get things done
within the organization and presumably have great relationships with
the folks that write the checks. But eventually they'll need to
understand general security topics, if only to know when their
directors and managers are trying to pull one over on them. That
doesn't mean your CSO needs to go to FW-1 class, but they need to
understand security architecture.
http://www.mckeay.net/secure/2007/08/repeat_after_me_the_cissp_is_n.html [13]
http://blogs.msdn.com/sdl/archive/2007/08/30/dr-no-and-risk-management.aspx [14]