September 19, 2007 - Volume 2, #133
Good Morning:
I want to thank many of you for such a warm reception for Security
Mike's Guide to Internet Security. Given that it is more targeted
towards consumers, I was pleasantly surprised by the level of interest
in the product from Daily Incite and P-CSO readers. As I mentioned in
yesterday's P-CSO Weekly [0], join me in our
crusade to build a grass roots
effort to change the economics of Internet crime. It's going to be a
long battle, but we need to try - the status quo isn't working.
The Boss was kind enough to point out that I screwed up the Security
Mike announcement sent out via email last night. So here are
the correct links, sorry about that. You can check my blog post on Security Mike [0] and
information about the pre-sale [0]. Or you can skip all that
and just check out the Security Mike web site [1]. But enough
about Security Mike's Guide for a little while. You can
check out the Security Mike Blog [2] for more
frequent updates on that initiative. Starting tomorrow I'm going to be
trying to post a couple of times a day to highlight security topics of
interest for consumers.
There are times when I'm thankful that my autonomic nervous
system keeps me breathing, even when I'm not paying attention. Which
seems like all the time. Today I had a Level 1 brain fart and got to
pay a bit of idiot tax for my trouble. I was in DC yesterday doing a
session for the Dulles Chamber of Commerce. It was nice to be back in
the DC metro area and to see lots of friends, former colleagues and
clients. I just wish I had more time to see everyone.
It was a fine day, up until about 4:30 PM. The session went well. I had
a great lunch with a couple of old and new friends. I met up with some
other folks, did some writing, and then proceeded to head back to the
airport to return my rental car and jump on my next flight. No worries,
since I got to Dulles about two hours ahead of my flight. But in my
unbelievable idiocy, I neglected to carefully check my itinerary. So
imagine my surprise when I got to the ticket kiosk to check in and I
was informed my flight WASN'T out of Dulles, it was leaving from
NATIONAL. DUMB ASS. With a capital ASS.
I can't tell you the last time that happened. Actually I can. It was
when I was with META Group back in the mid-90's. I mistakenly went to
National for a flight to Chicago. It was pretty stupid that time also.
At that point, I had about an hour to get from Dulles to National at 5
PM, clear security and get to the gate. Fat chance. But I hopped into a
cab anyway and was going to give it a try. If you've spent any time in
DC, you know that traffic is horrible and merging from the toll road to
Route 66 didn't disappoint. Bumper to bumper.
So I got on the phone and tried to figure out what other flights could
get me to my destination. None. Oh crap. What about hopping on a flight
back to ATL? The last minute seat was only $370. Clearly a bargain at
twice the price. I could get a new friggin' iPhone for that. My guilt
gene kicked in and I was feeling bad. But then like when Moses got to
the Red Sea, the traffic seemed to part. We were cruising. I got to the
airport with 28 minutes to spare.
I dashed to the kiosk only to find out that I had to check in 30
minutes ahead of time. Crap. So I pull over one of the ticket agents
and he laughs at me and then prints my boarding pass. So then I do an
OJ through the terminal. (No, I didn't have time to pull an armed
robbery to get some of that Security Mike memorabilia back. I guess he
really isn't the sharpest tool in the shed.) I'm jumping over folks,
strollers and old ladies. I won't be denied. I'm thankful for all those
days on the elliptical machine and StairMaster over the past year. I
would have keeled over if it was this time last year. It's hard to make
a flight when you are in cardiac arrest.
So I finally get to the gate and see people streaming OFF the plane.
Crap, what happened? Are they unloading? Is there a mechanical problem?
Did I miss it and the next flight is already deplaning? I ask the gate
agent and they kindly tell me (as I start sweating profusely) the
inbound flight was a bit delayed and they'd start boarding in about 15
minutes.
So yes, I made the flight. And only had to spend $60 in idiot tax. I
also got to practice my hurdling, which is good. I'll definitely be
ready for Beijing.
Have a great day.
Technorati: Information Security [3], CSO [4], Security Mike [5], Internet Security [6]
[7]The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com [8] |
Get Your Special Report: 6 Easy Steps to Protect Your Identity and pre-order your copy today www.securitymike.com [9] [10] |
Top Security News
DeWalt claimed that cyber-crime is a bigger "business" than the
global drug trade [11] during his pitch at the InformationWeek
500 conference. Now that is something to be proud of. All our folks
should be beaming. I think we need to dust off Nancy Reagan and do a
21st century version of "Just Say No!" for cyber-crime. Then in 25
years something else will become a bigger market than cyber-crime. Just
a thought. DeWalt also talks about consolidation, compliance, and data
security. On the consolidation front, he's off by an order of
magnitude. There are 500 or 600 (not 50 or 60) vendors out there.
Actually more. So it's a lot worse for the average customer. Confusion
reigns supreme. Compliance
is well, compliance and it's not going away. Commence eating crow. I
also agree with his thoughts on data protection. Now the real question
is when is McAfee going to start making some more decisive moves to
start addressing these big trends. Maybe they can buy PGP or something
to get exposure on data security. HA! I guess we've all seen that movie
before.
Link to this [11]
Barracuda went out and bought struggling
application firewall vendor NetContinuum [12] back in July. I
guess they let their BusinessWire membership lapse, since they didn't
do an announcement until this week. First they need to dust off all
that ash from what must have been a fire sale. I can see Dean Drako's
economic model on this deal. Do we buy NetContinuum or another pallet
of appliances from Taiwan? Candidly, this deal doesn't make sense on
the surface. Barracuda needs to jump into established markets with
cheap boxes and leverage their distribution and go to (mass) market
prowess. Jumping into an early market isn't really their strength.
Application firewalls are an early market - assuming it's even a market
at all. But let's
say - for example - that Barracuda was going to introduce a UTM box. It
could happen. Established market. Quite a bit of margin left in the
model. Plenty of open source components to build the UTM. But these
boxes are a dime a dozen. There are lots of firewall/VPN and IPS
toasters out there. What would make a Barracuda UTM interesting? How
about an application firewall? Breach already controls the ModSecurity
open source project, so maybe NetContinuum is Barracuda's way to get its own
application firewall technology. Yet, I don't think it'll work.
In Barracuda's market, those customers believe the firewall already
blocks application attacks. So I can see the rationale, but I don't
think there is much there.
Link to this [12]
Network Computing (or InformationWeek, I'm
not sure if they've folded them in yet) has done its NAC survey again [13].
Evidently only 15% of the survey base have no plans for NAC, down from
46% last year. So the constant hyping of the technology and the market
continues to get people to think about the technology. Big whoop. That
means the market may hit the big time in 2009. Why do I say that?
Basically it's all about the budget cycles. To be clear, I don't
believe that NAC is the next anti-spam, which was a perfect storm
market. Customers made budget for anti-spam. I don't think they are
going to make budget for NAC. It doesn't solve that critical a problem.
Some will build NAC deployments into the 2008 budget, but I don't think
the technology matures enough and comes into alignment with the budget
cycles until 2009. 10, 9, 8, 7, 6, 5, 4, 3, 2, 1 - go check out
Shimel's blog, because within 10 seconds of my posting this I'm sure he'll be
happy to tell me why I'm wrong.
Link to this [13]
The Laundry List
- Trustwave has dropped the Ambiron. I'm sure Mr. Ambiron is pleased. - Trustwave release [14]
- Sourcefire is still all over the map. They announce an "adaptive" IPS based on asset value, since that's such an exact science. Ugh. - Sourcefire release [15]
- ePO does NOT equal security management. I hate releases that claim to "redefine" anything. McAfee pushes ePO forward, and that's fine. But it's still only a piece of the puzzle. When they can manage perimeter and data center security via ePO, then maybe it's interesting. But don't hold your breath. - McAfee release [16]
- Are over-hyped markets good for the channel? Check out my latest SearchSecurityChannel column to see what I think. - Rothman SearchSecurityChannel column [17]
Top Blog Postings
Anton, in this post [18],
really reacted badly to eIQNetworks' attempt to get their log format
"standardized." So this gives me a good opportunity to rant a bit about
standards and how they really don't matter. Standards are defined in
the market. The winner is then maybe anointed by the IETF like 5 years
after it's a relevant discussion and we move on. Lots of vendors try to
circumvent this natural law and it doesn't work. So Anton should keep
focused on winning in the market and letting this other stuff just go.
Though I think there is a big market for open log underpants. It's very
rare that a standard actually drives deployment unless it's plumbing
level stuff like TCP/IP. That "standard" kind of was important for
interoperability or something like that. But for a log standard? Give
me a break. I guess Raffy and Anton figured if they got their dander in
an uproar, some folks wouldn't pay attention. Au contraire, they
actually probably brought more attention to the announcement than eIQ
would have done themselves. Ain't the blogosphere
grand?
http://raffy.ch/blog/2007/09/14/open-log-format-what-a-great-standard-not/ [19]
Link to this [19]
http://1raindrop.typepad.com/1_raindrop/2007/09/secure-coding--.html [20]
Link to this [20]
http://www.realtime-websecurity.com/articles_and_analysis/2007/09/hackersecurity_expert_busted_f.html [21]
Link to this [21]