Published on Security Incite: Analysis on Information Security (http://securityincite.com)

The Daily Incite - October 15, 2007

By Mike Rothman
Created 2007-10-15 07:50
Today's Daily Incite

October 15, 2007 - Volume 2, #142

Good Morning:
When should you quit? I'm not being specific here, but basically to stop doing something. Maybe it's your job. Maybe it's a hobby. Maybe it's a new business or a product line or anything that you could stop doing. Breathing wouldn't be high on that list. Today I'm going to point you towards Seth Godin's The Dip [1]. I just finished it and scarily enough it took me a couple of days to get through it. Since it's 80 small pages, that's just an indication of all the other stuff I have going on.

It's worth reading because it's something that we all struggle with. When should we quit and when should we stick with it? I have to make these kinds of decisions every day. Should I continue to write the Daily Incite? It does take a lot of time a couple of days per week. What about the Pragmatic CSO [2], do I keep doing that newsletter each week? And now I'm in the hard phase of Security Mike's Guide [3]. It's turned into a bigger project than I envisioned and although I know it's needed - it sure would be easier to get an extra hour or two of sleep and maybe take a day off here or there.

There is clearly a balance between persistence and stupidity. Sometimes you have to just come to grips with the fact that it isn't going to get better. A discussion broke out on a mailing list I'm on over the weekend about how to deal with some anonymous work colleagues that sucker-punched a blogger who writes about work (albeit anonymously) on his blog. Does he fire back at them on his blog? Does he just quit?

A lot of that depends on his boss. Will his boss back him up? Has his boss even read his blog to know whether there are issues with what is being written? Or is the boss just parroting the lame detractors who don't want to change and are pushing for the status quo? It's certainly easier to parrot the lame and get out of the way. And if that's the case, this guy should probably start looking at Plan B.

Godin talks a lot about "If you aren't going to be #1, then you should quit now." I don't quite buy that, certainly not in a security role. There is no #1. There is no contest or play-off or even BCS rankings to show who is better than someone else. Maybe you get invited to Black Hat or DEFCON to show your stuff, but lots of folks get that. It's about being able to be successful - based on your (and your senior management's) definition of success, which usually means nothing bad happens. A good day is a day when nothing happens.

When things get tough, he does mention 3 questions that I think are right on the money:

  1. Are you panicking?
  2. Who are you trying to influence?
  3. What sort of measurable progress am I making?

I do suggest you read the book to get the full understanding of these questions. Suffice it to say that as I think about the questions that I asked up front - most of my thinking is based on laziness, so the good news is that I'm not really going to quit anything that I'm doing right now. I'm investing a lot of effort right now in getting my products completed and once that is done, I'm going to focus more on my go-to-market strategies - which have been suffering because I'm focused on building.

But I am going to be a lot more focused next year. I do want to be #1 in a lot of things - and I think I can. But I also need to start failing faster. I need to try more stuff and see what works and what doesn't. I counsel countless people and tell them they are trying to do too much. Right now I fall into that category and this will persist for a little while. I'm considering my work overload as an investment right now because I'm focused on getting through the various "Dips" that I'm facing and getting through to the other side.

Think about what you do every day. Is it futile? Are you having fun? Will anything change? If not, then figure out Plan B. We all need to have Plan B. Have a great day.




Top Security News

David Utter rails a bit in this article about apathy [12] and basically comes to the conclusion that users aren't going to change and thus educational efforts are a waste of time. I'm still not there. Maybe I'm stupid. Maybe I'm too persistent. I know how painful it is when the same users continue to do the same things and screw everything up - no matter how many times we tell them not to. But I think a lot of this anti-user-awareness sentiment is based on a misplaced trust in the security tools that we are using, and quite a bit on the last 2 questions that Godin asks: Who are we trying to influence? How do we measure it? Basically we are going to lose some battles. Some employees will never get it. But a lot of them will. We need to think about the process in its entirety - NOT based on a couple of bad actors. If we can reach 80% of the people - is that not worth the effort?

Fortify has found that some open source software may include some exploits [13] that they've dubbed "Cross-Build Injections." It's important to test these code bases (maybe with a source code analyzer, HA) to make sure the code you integrate into your applications is clean. Hmmm. I guess it was just a matter of time, but there is huge leverage for a bad guy sneaking some evil code into an open source distribution. Talk about some easy distribution. Do I check my Drupal site against any kind of analyzer? Nope, I basically trust the folks that send out the distribution because they seem like a good group of folks and I'm joined by thousands of others that trust these folks. But that does go against the dictum of "Trust No One." It gets back to doing a risk/reward scenario. Sure I should test my own site, but the reality is there isn't really anything to steal there. Sure they could hijack the page and put up some bad pictures. Maybe call me names and that would be bad. But I wouldn't be facing PCI violations or violating my customers' trust. So the reward is pretty low for what would take a lot of my time. But if you do use a bunch of open source software in whatever you do, then you should check out Fortify's research and see how it applies to your environment.

eWeek does a good job here of telling both sides of the story. [14] But is this Citrix' problem, given that they do provide a lot of tools to secure their environment and anyone can set a robots.txt file to stop Google from indexing the inside of your underwear? Does GM get vilified every time some drunk guy (or gal) runs into something and people get hurt? Nope. If the tools are there, it's the responsibility of the administrators to use them. Though we should tip our hat to PDP, who has emerged as a security research marketing force of late. A lot of folks are paying attention to his work.

The Laundry List

  1. It's that time of the quarter. POPS. Pre-Oracle Patching Syndrome. Where is that Midol? Looks like there will be 51 patches this week from Oracle. At least it only happens once a quarter, right? - InformationWeek coverage [15]
  2. Is the future of two-factor authentication in your pocket (and free)? Phone Factor has an interesting take on breaking RSA's dominance of the multi-factor authentication space. It'll be interesting to see if it's enough. Nothing to date has been. - Positive Networks release [16]
  3. 5 tips to make your audit go down easier. Here is one of my recent SearchSMB columns about running your audit. I wonder if Martin will have any thoughts on this given his new gig [17] (congrats). - Rothman SearchSMB column [18]

Top Blog Postings

series of articles on CIO [19] that details how some of these Internet crime rings work. It's pretty interesting, but anyone that reads Fortune or Forbes knows that this isn't unique. It's pretty much like any other industry, which is scary.
http://jeremiahgrossman.blogspot.com/2007/10/malware-as-service.html [20]

http://rationalsecurity.typepad.com/blog/2007/10/everybody-wing-.html [21]

http://ddanchev.blogspot.com/2007/10/managed-spamming-appliances-future-of.html [22]



Source URL:
http://securityincite.com/blog/mike-rothman/the-daily-incite-october-15-2007