Published on Security Incite: Analysis on Information Security (http://securityincite.com)

The Daily Incite - November 12, 2007

By Mike Rothman
Created 2007-11-12 09:14
Today's Daily Incite

November 12, 2007 - Volume 2, #153

Good Morning:
So I'm watching some TV with the Boss last night, hacking away on the Macbook as I continue to power through building Security Mike's Guide. As we are forwarding through some commercials (don't tell me you actually WATCH commercials anymore!), I see the Mac and PC guy going at it again. I ask the Boss to back up a bit, so I can watch it. It's the one with PC dressed as a boxer. Very funny. I guess there are two other new ones that you can catch thanks to TUAW [1]. The podium one is funny as well, and the PR one had me rolling on the floor.

No, I'm not going to go into a rant about how bad Vista is (you already know that) and how I can't wait until mid-December when I finally buy the iMac I should have bought over the summer. It's almost the holidays after all, so I may even splurge on the Mac Pro - though the real estate required for the Mac Pro makes the iMac pretty compelling. I'm going to talk a bit about inertia here.

That's right, INERTIA. We in the technology space, and specifically the security space, act more out of inertia than anything else. We can laugh about seeing Macbook Pros everywhere, but in reality Apple still only has a fraction of the market. Why? Inertia. Everyone just buys the PC because they've got an installed base and existing business processes and lots of other reasons why it's just easier to keep doing what they are doing.

Same goes in the security world. Most folks just renew their AV or firewall or token authenticators because it's easy. They just fill out the PO and the day's work is done. It's hard to think about using a methodology like the Pragmatic CSO because it's different and different may not work. Change is hard. Inertia is easy.

Think about it: you are probably doing the same things you did a few years ago. You probably work in the same job (maybe for a different company, but it's the same job), you hang out in largely the same places, probably with largely the same people. It's easy, it's comfortable, it's inertia at work. And that's not necessarily a bad thing - IF YOU ARE HAPPY. But I don't know many people that are truly happy. Which is sad. Everyone has angst about something.

But it's scary to change. It's scary to think about trying something new, about taking a risk. It's scary to swap AV vendors and have to learn a new interface and deal with a new rep and new support environment. It's scary to start a new diet plan or go out on Saturday night with a new couple that you don't know too well.

Some folks thrive on that feeling of uncertainty and fear. Most don't. Yet if you are unsatisfied with something in your existence, unless you fight that inertia - you'll look back in 5 or 10 years and it will be the same old same old. Like if we don't start thinking differently about security (as opposed to saying we are acting differently), it's going to be the same old same old and in our case it means the bad guys will have won.

Have a great day.


Top Security News

Amrito's point seems to be that more severe consequences will drive the criminals to doing even more dastardly and harder-to-track activities. [10] NSS. What's the point? I'm not a criminal (unless you paid for my book, and then you may have other opinions), so I can't really say definitively what goes on in their minds - but I'm not sure they are going to behave differently whether they are subject to 10 years or 3 years in the pokey. Whether the fine is $250,000 or $10 million. I don't know much, but I suspect that most bad guys don't want to get caught. It's kind of like the death penalty. Is it a deterrent? I suspect it is for SOME, but not for all, because we still have pre-meditated murder happening. The folks know what's at stake, but they don't think they'll be caught. Same goes for the hackers. I'm all for a much stronger deterrent and hopefully a few public executions as well. It'll make the marginal criminals think about what they are doing. But the ones who are dedicated to their trade will soldier on, even if it means the consequences are far more severe.

Brian Krebs has done his typical yeoman's work in rustling the bushes to find out the truth [11]. But it really gets at a more complicated question about what a data breach is - especially in the context of a service provider. So an SFDC employee falls for a phishing attack and is compromised. The attackers gain access to private SFDC data like customer names and the like. But evidently SFDC's customers' data is safe and intact. So, yes - this is a data breach, but it's like every other big company that loses data. Not too big of a deal. Now if SFDC had their customers' data compromised - then it would cause a run on the bank. I do think that a lot of folks continue to be a bit optimistic relative to how safe their data is with a service provider, but that needs to be balanced with the fact that it's probably not a hell of a lot safer (if at all) than having that data stored internally. Finally, I'll point to a marketing blog that I read from Bruce Fryer [12], who probably makes the most appropriate point of the entire discussion - everyone needs to eat their own dog food, which in this case - SFDC did not.


The Laundry List

  1. I'm late, I'm late for a very important date. My column this month on SearchSecurity is about what to do if you are late to the PCI game. Check it out. - Rothman SearchSecurity Column [13]

Top Blog Postings

http://infosecplace.com/blog/2007/11/07/fame-should-not-be-a-prime-motivator/ [14]

http://www.stillsecureafteralltheseyears.com/ashimmy/2007/11/the-question-is.html [15]

http://robnewby.blogspot.com/2007/11/5000-miles-and-counting.html [16]


Source URL:
http://securityincite.com/blog/mike-rothman/the-daily-incite-november-12-2007