October 1, 2007 - Volume 2, #137
Good Morning:
Well, I made it back from my Boy's Golf Weekend in one piece, though my
golf game was not so good. Liver
hurts a bit too. I'll go to bed a bit early for a couple of days to
recover. A good time was had by all.
I usually don't take the time to play golf, but there are lots of
worse ways to spend a day than walking around (actually, riding around)
some pretty scenic places, hanging with buddies and having some
fun.
I did get to catch a decent amount of sports while away and the upsets
in football this weekend were unbelievable. When the number 3 (Oklahoma), 4
(Florida), 5 (WVU), 7 (Texas) and 10 (Rutgers) teams in the AP Top
25 college football [1] rankings all go down, it's a pretty interesting
week. The NFL was no more settled. You wanted parity, you got parity.
What happened to da Bears and the Bolts? Both looked terrible. But the
G-men are rejuvenated. Or the Eagles just suck. Either way, I'm a happy
guy. For this week anyway. Happiness is fleeting when you are a sports
fan.
But that's not really the point. Spending a long weekend with folks
that are (for the most part) not in
technology and certainly not in security is a great thing. I know a lot
of my security friends tend to hang with other security folks. Yes, we
can be a paranoid bunch and other folks may not totally appreciate our
nuances - but it's important to not have tunnel vision.
For example, one guy on the trip runs a retail camera store. It was
very interesting to hear about how digital cameras have
fundamentally changed his business and what they are trying to do to
survive. I got to stretch my strategy muscles a bit on
something
other than convincing folks to buy security products they may not even
need.
Another guy runs a flooring company and a home design superstore. To
chat with him about how the housing downturn has affected his business
was totally interesting. In that business, it's important to
have size since many
of the marginal folks are forced to leave high growth businesses when
they become slow (or no) growth businesses. Yet another is a real
estate agent. His business will be about flat this year. Which is
actually a great thing given the downturn. Why? Because
the marginal real estate agents that jumped on when the going was good
have left and he has enough of a foundation to gain
share in his market.
These conversations and many others make me a more rounded person.
Actually, I think it was the chicken wings, onion rings and beer
that made me more rounded, but I digress. When I go on these trips, I
like to listen and learn. Maybe I've got an opinion about stuff, but
it's more about learning about things I don't normally get exposed to
by staying in my bubble of security.
So are there any big lessons learned? It's actually reinforcing a trend
I already am tracking in security. Big is the New Small, even in
businesses totally different than security. It's very hard to compete
unless you have either tremendous scale (and the associated
efficiencies) or something truly differentiated. So regardless of what
you do and what business you are in, make an honest assessment of your
organization's chances of prospering moving forward.
We all know there isn't too much room to invest in security if you've
got no underlying business. And get out a bit, see some non-security
and non-technology friends. Learn about what they do. Become a bit more
balanced. The worst thing that can happen is that you pick up a few
ideas that can be helpful in our world.
Have a great day. I'm back to a normal publishing schedule this
week. So blog readers will see the P-CSO Weekly tomorrow and TDI
Wednesday and Thursday. Also check out Security Mike's blog [2].
I'm doing some interesting stuff there.
Technorati: Information Security [3], CSO [4], Security Mike [5], Internet Security [6]
[7] The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com [8] |
Get Your Special Report: 6 Easy Steps to Protect Your Identity and pre-order your copy today www.securitymike.com [9] [10] |
Top Security News
InformationWeek has an interview with
convicted hacker Robert Moore [11], who went off to the big house
last week. He and a buddy broke into some routers and VoIP switches and
then stole the minutes. Moore made about $20K; his buddy took in
about a million and is currently on the run. As you can see, Moore is
evidently not the sharpest tool in the shed, but with a scanner and a
list of default passwords you can look like a genius. So go
check those devices and make sure the default passwords are changed. Also get
into the habit of monitoring the boxes and looking for strange traffic,
especially logins from places you don't manage them from.
React faster, remember?
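The two checks above (are any of our routers and VoIP switches still on a default password, and is anyone logging into them from somewhere they shouldn't) are easy to script. The example below is added here and is not from the InformationWeek interview or from any vendor tool; the device inventory, the default-credential list and the syslog-style login lines are all constructed for illustration, and the log format is an assumption.

```python
import ipaddress
import re
from collections import Counter

# Constructed, illustrative (user, password) defaults; a real list would come
# from the vendor docs for the gear you actually run.
DEFAULT_CREDS = {("admin", "admin"), ("admin", ""), ("cisco", "cisco"), ("root", "root")}

# Constructed inventory: the credential each device currently accepts.
# In practice this comes from a config audit, not a hand-typed list.
DEVICES = [
    {"host": "edge-rtr-1", "user": "admin", "password": "admin"},
    {"host": "voip-sw-1", "user": "admin", "password": "Tr0ub4dor&3"},
    {"host": "core-rtr-2", "user": "cisco", "password": "cisco"},
]

# Constructed syslog-style login records; the line format is an assumption.
SAMPLE_LOG = """\
Sep 29 02:11:03 edge-rtr-1 login: FAILED user admin from 203.0.113.7
Sep 29 02:11:04 edge-rtr-1 login: FAILED user admin from 203.0.113.7
Sep 29 02:11:05 edge-rtr-1 login: FAILED user root from 203.0.113.7
Sep 29 02:11:07 edge-rtr-1 login: OK user admin from 203.0.113.7
Sep 29 08:30:00 voip-sw-1 login: OK user admin from 10.0.5.12
Sep 29 09:15:44 core-rtr-2 login: OK user cisco from 198.51.100.20
"""

# The only network that admins are supposed to manage devices from (assumption).
MGMT_NETS = [ipaddress.ip_network("10.0.5.0/24")]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) login: "
    r"(?P<result>OK|FAILED) user (?P<user>\S+) from (?P<src>\S+)$"
)


def devices_with_default_creds(devices, defaults=DEFAULT_CREDS):
    """Return hosts whose current credential is on the default list."""
    return [d["host"] for d in devices if (d["user"], d["password"]) in defaults]


def parse_logins(text):
    """Parse login lines into dicts; silently skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def suspicious_logins(events, mgmt_nets=MGMT_NETS, fail_threshold=3):
    """Flag (a) successful logins from outside the management nets and
    (b) any (host, source) pair with >= fail_threshold failures, which is
    what a scanner walking a default-password list looks like."""
    findings = []
    failures = Counter()
    for e in events:
        src = ipaddress.ip_address(e["src"])
        inside = any(src in n for n in mgmt_nets)
        if e["result"] == "FAILED":
            failures[(e["host"], e["src"])] += 1
        elif not inside:
            findings.append(
                f"{e['host']}: successful login by {e['user']} "
                f"from non-management address {e['src']}"
            )
    for (host, src), n in failures.items():
        if n >= fail_threshold:
            findings.append(f"{host}: {n} failed logins from {src} (possible credential scan)")
    return findings


if __name__ == "__main__":
    print("Still on defaults:", devices_with_default_creds(DEVICES))
    for finding in suspicious_logins(parse_logins(SAMPLE_LOG)):
        print("ALERT", finding)
```

On the constructed data, the default-credential check flags two of the three devices, and the login review flags the burst of failures from 203.0.113.7 followed by a successful login from that same outside address, which is exactly the scanner-plus-default-password pattern the interview describes. The failure threshold is deliberately low; tune it to your own change-window noise.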
Link to this [11]
Tim Wilson reports in his Dark Reading column [12].
This won't be the last you hear of it either. There will be a ton of
vendors ready to tell you all about it over the next few months. The
reality is PCI compliance isn't the goal - security is. I probably
sound a bit like a broken record, so check out what Stuart King has to say about the topic [13].
Right, it should sound familiar. If you do security well, PCI
compliance should be in the bag. But many organizations don't, so they
are in a world of hurt. The real question is how much of a world of
hurt. When will the enforcement actions start? When will they be
publicized? I've been hearing back channel rumors about fines being
levied, but I don't think that will move the needle until there is a
public execution. And it's not like there aren't a lot of folks that
could be strung up at this point. It's just whether it will happen or
not.
Link to this [13]
3Com announced at the end of last week a
deal to be taken private by Bain Capital and Huawei in a $2.2 billion
transaction [14]. Even more interesting is that the deal was run
out of Bain's Hong Kong office. Hmmm. So this is all about China, not
about any of the other markets (both geographic and product) that 3Com
has squandered over the past 5 years. For security folks, the real
issue becomes whether and how TippingPoint is affected by all of these
corporate gyrations. There was already a move to spin out TP and take
them public (again), but we'll see whether that continues to move
forward. I suspect it will because the private equity guys are always
looking to sell off some assets and free up cash to pay down the debt.
Also don't forget about the national security impact of the deal, as the Financial Times speculates [15].
Since Bain is the lead, I don't think it will raise the ire of the
regulators, but having Huawei involved (even with less than a 20%
stake) does create that risk.
Link to this [15]
The Laundry List
- It's Security Awareness Month - do you know where your kids are? Probably online hanging out with their "friends" on social networks. Let's hope they are friends anyway. - Shimel's blog [16]
- Will a force field protect you from milking your installed base? CHKP announces a new consumer browser virtualization product, Forcefield. I don't think this is ultimately a stand-alone product, but bundled into their ZoneAlarm suite it is kind of differentiated. - Check Point release [17]
- Can you hear your data leaking? Probably not, because it goes out over stealth Web 2.0 applications, like Meebo. You probably can't stop the apps, but you'd better monitor their traffic. - Palo Alto Networks release [18]
- When you can someone, look for signs that they are back in and doing damage. Former Cox guy hacks in after he's "asked" to resign. About that provisioning software... - Atlanta Business Chronicle [19]
Top Blog Postings
http://blogs.msdn.com/sdl/archive/2007/09/26/the-trouble-with-threat-modeling-2.aspx [20]
Link to this [20]
http://www.cutawaysecurity.com/blog/archives/193 [21]
Link to this [21]
http://www.realtime-websecurity.com/articles_and_analysis/2007/09/openid_and_the_phishing_gold_r.html [22]
Link to this [22]