Published on Security Incite: Analysis on Information Security (http://securityincite.com)

The Daily Incite - October 4, 2007

By Mike Rothman
Created 2007-10-04 09:11
Today's Daily Incite

October 4, 2007 - Volume 2, #139

Good Morning:
I recently met up with a friend and he suggested I read "The 4-Hour Workweek [1]" by Tim Ferriss. I had seen the buzz and all the Web 2.0 gurus and marketing gurus and pretty much every other guru talking up its praises. So I wasn't interested, of course. It's my contrarian streak that made it obvious to me that if everyone else liked it, then I would hate it.

So I bought it anyway. I'm not sure why. Maybe I'm just procrastinating reading the last Harry Potter book because I know there won't be any more. It's not like I have a lot of time to read either. But my friends at Amazon dutifully delivered the book and I cracked it open on my golf trip. I really wanted to hate it.

You see, I take my responsibility as a role model for my kids VERY seriously. I've seen nouveau riche types who play golf 3-4 days a week and basically screw around all day. They buy their kids BMWs, send them to prep schools and let them become spoiled brats. I see those kids get into high school and do bad stuff. They proceed through college and do more bad stuff with no accountability or consequences. Their folks put them in the best rehab money can buy. Then the kids are flabbergasted when real life hits them in the head and they actually have to apply themselves. Maybe they end up in jail like the girl that stars in "One Night in Paris."

Of course, that's not every kid of every successful entrepreneur or other business person that is fortunate enough to not have to work when their kids are still living at home. Some of these kids have a great work ethic and go on to achieve great things, maybe even surpassing the accomplishments of their accomplished parents. But enough end up screwed up that I plan to set a hard working, get stuff done, take risks and have fun example for my kids. Until they are old enough to provide for themselves anyway. Then I'll play golf 3 days a week. Maybe then my game won't suck.

So that was a long winded way of again making the point that I wanted to hate The 4-hour Workweek. If I only worked for 4 hours a week, what would my kids think? How can I show them the value of working hard and applying themselves if I'm working a little bit each day and screwing off the rest of the time? Being a Solitaire Grand Master is not what I want them to aspire to be.

But I don't hate the book. I actually like it. I think the title is actually a bit misleading. The book is about finding more leverage in your activities. Magnifying your efforts to achieve the most output relative to the input you are willing to make. To automate what you do, so that you don't have to do it so much. Not so that you can screw around for 56 hours a week, but so you can spend those 56 hours doing something more productive. Maybe it's a hobby. Maybe it's donating your time. Maybe it's starting other businesses or mentoring other people and sharing your wisdom. There are lots of things you can do if you can figure out how to apply more leverage to your actions.

Yes, I'm recommending that you read the book. Not every strategy in the book will work for everyone. If you run your own business, you MUST read it. If you work for someone else, read it anyway because some day you may work for yourself (whether you like it or not). The strategies for demonstrating accountability and productivity, regardless of location, will help with all of those micromanaging pointy-haired bosses.

I'm looking forward to figuring out what good I can do with another 56 hours in my week.

Have a great weekend. By the way, my birthday is on Sunday. Happy friggin' B-day to me. So I'm taking Monday off from publishing. It's a happy coincidence that it's also Columbus Day in the US, so many of you will have the day off as well. Enjoy your long weekend and tip a drink to me as I enter the last year of my 30s.


Technorati: Information Security [2], CSO [3], Security Mike [4], Internet Security [5]


Top Security News

This profile in SearchSecurity about how Chevron (the big US oil and gas company) achieved PCI compliance [10] is great. I love these kinds of stories because they really embody a lot of what I've been trying to say over the past two years. The folks at Chevron knew about the need to protect customer data WAY before PCI was an issue. They deployed a layered security model long before, probably driven by some other regulatory catalyst. Now that PCI compliance is mandatory for Level 1 merchants (as of Sept 30), they are in good shape. So this is good stuff. I also like the idea that security and the attack surface are seriously dynamic. So over time all the regulations should evolve to ensure that they reflect the current methods of the adversaries. PCI, controlled by private entities, is in a much better spot to keep in step. It doesn't require an act of Congress to change it.

Storm worm has allegedly claimed over a million victims [11], who are again allegedly part of the biggest bot network ever seen. I think the 1 million number makes good headlines, but is pretty irrelevant. The only thing that is relevant is whether you are at risk. Have you (or any of your organization's machines) been compromised? How do you know? How do you clean them up? That's the kind of information I'm interested in and I presume that you are as well. The answer is not to count the number of bots. Or even to worry about how Storm continues to morph and elude malware detection. That's Big AV's problem. It's to monitor your devices and your networks and make sure nothing is out of the ordinary (assuming you know what ordinary is). As with any other malware, Storm-compromised machines need to do something, whether it's contact the bot master, send out spam, launch other attacks or just scan your internal networks to find other devices to compromise. This activity leaves a trail. But you need to be monitoring to find the trail and react faster.

Forrester's Khalid Kark attempts to dispel some misconceptions about security outsourcing in this SearchSecurity tip [12]. He makes some decent points (outsourcing isn't always cheaper, nor does it fix a broken security environment), but he also misses a key opportunity to stress what's really important. Like the fact that security PROGRAM management should NEVER be outsourced. The execution of the program - fine. Getting some additional help - no worries. Defining what the program needs to achieve and protect, and communicating that to the senior team - NO WAY. I also disagree that outsourcing procurement is different from any other procurement. Whether you are buying a product, a service, or bodies - it's all the same. You are trying to achieve your business goals in the most efficient and cost-effective way.

The Laundry List

  1. It's good to be Google. Spend $625 million on Postini and basically give it away. By adding Postini to Google Apps Premier for $50/user/year, Google shows yet again that security is a feature. - InfoWorld coverage [13]
  2. Big Yellow jumps on the bot bandwagon. Adds "bot intelligence" to their MSS offerings. Like they didn't track compromised machines before? - Symantec release [14]
  3. This is different how? Secure Computing announces their Secure Web 2.0 anti-threat (SWAT) initiative. Good acronym, but it's all the same stuff. I guess they call that marketing. - Secure Computing release [15]
  4. Securify is still around, and their 3rd (or 4th) incarnation looks like an NBA thingy with identity. Now if users would get on board with more active monitoring. - Securify release [16]

Top Blog Postings

http://www.realtime-itcompliance.com/privacy_and_compliance/2007/09/a_hospital_actively_enforcing.htm [17]

Security Mike's Guide [18] and have all their consumer customers actually take some steps to protect themselves. Are you listening AT&T?
http://asert.arbornetworks.com/2007/09/isp-death-by-a-thousand-duck-bites/ [19]

http://techbuddha.wordpress.com/2007/09/25/embracing-humility-enlightened-information-security/ [20]


Source URL:
http://securityincite.com/blog/mike-rothman/the-daily-incite-october-4-2007