Published on Security Incite: Analysis on Information Security (http://securityincite.com)

The Daily Incite - December 20, 2007

By Mike Rothman
Created 2007-12-20 13:48
Today's Daily Incite

December 20, 2007 - Volume 2, #165

Good Morning:
It's hard to believe, but this will be the last TDI of 2007. I know publishing has been a bit lumpy lately, and that's probably annoying to you. Oh well. At times I struggle with what to do and what not to do. Lately, I've been focusing on what pays, as opposed to what doesn't. Maybe that's the wrong decision, but it's a decision nonetheless.

As I've been grappling with getting everything done, I saw this post on Penelope Trunk's blog [1] and it really resonated with me. I seem to be constantly going through a similar thought process as I get busier and busier. Some stuff inevitably gets ignored, that's for sure. I know some folks think I'm a prick for not responding to their press inquiries or not getting back to them to take a briefing for a 1.6 release of their widget. Some also scratch their heads when I ask for large sums of money to speak in far-away places, but it's all about opportunity cost. I've got to maximize my time because I don't want to work all day and all night anymore. As is, I work too much.

Penelope talks about "redefining her job" every day, and I think that's a good metaphor. You have an opportunity when you make your To-Do list every morning to figure out what kind of day you want it to be. You need to figure out what kinds of things you want to work on, and hopefully that cross-references with the things that your bosses (or clients) think are important. Some days that works out, other days not so much.

But as we put the bow on and wrap up 2007, it's time to think about what we can and should do better in 2008. What are the priorities that you bring into this New Year? I won't talk about resolutions because I think resolutions are mostly to make the two tubs of champagne go down better on New Year's Eve. Personally I set out to do a few things in 2007. I needed to lose some weight and I did. About 35 pounds at last count. I feel a lot better and I'm just getting started.

I wanted to move my business to focus more on products, as opposed to time. The Pragmatic CSO has done well and I continue to carve out a few minutes each day to move the Security Mike content forward. It never happens fast enough, and I'm always thinking about new ideas (even before I finish the old ones), but I'm pleasantly surprised by the positive impact these products have had.

But what about 2008? I'd like more of the same. If I can stay busy, that's great. If I can drop some more weight (another 25 would be nice) and get into better shape, even better. For me, the big theme in 2008 will be finishing what I started. I have a lot of loose ends to tie up relative to the P-CSO and Security Mike, and they need to get done. I have 2-3 other very promising ideas, but until I take care of business - those will just have to wait.

I leave 2007 in a pretty good spot. I know that life is cyclical and I've had enough challenging times to really appreciate the fact that right now things are good. Yes, that is optimistic Mike once again making a cameo appearance. Given all the negativity around security today (and partially by definition), I'm hoping that we all can bring a bit more optimism to what we do.

Finally, I want to once again thank YOU, my readers and customers. The folks that read TDI, those that show up when I'm speaking, and especially any of you that have bought my products - thank you. Without you, I couldn't do this for a living. So with that, I'll sign off. Have a great holiday and I'll see you in 2008!

Happy New Year 2006! image originally uploaded by hsuyo [2]



Top Security News

Scott Berinato's Top 10 Data Breaches of 2007 [11] is going to have to suffice. Now Scott is no Letterman, but at least one of the breaches is titled "urine trouble," so I can get a little bit of potty humor fix. Basically, 2007 was a train wreck relative to data breaches. Of course TJX is number 1, but many of these others are pretty significant as well. And I suspect we are going to see a LOT more in 2008. It will get worse before it gets better. I also did a compliance year in review piece for Search Security [12], so check out what I had to say about 2007.
Link to this [12]

Gartner pegs phishing's economic impact at $3.2 BILLION [13]; it's got to be close, which is pretty scary. The reality is, we have no idea what the true cost of phishing is because most of it goes unreported, written off as "shrinkage" by the credit card companies and reflected in higher rates and prices for everything else. So how do we fix the problem? Unfortunately there is no easy answer, but it's likely a combination of more educated consumers and tighter fraud controls. We are going to keep seeing applications we use (like Google Toolbar [14]) increasingly targeted by the bad guys. I'd say enhanced security technology, but the reality is that I'm not sure that's a good answer. Most phishing is done via automated social engineering and it's not clear that technology can really stop the problem. I guess a bit, but not entirely. Given that most users are blissfully unaware and keep buying stuff online, and given that tighter fraud controls will add more friction to commerce (and I doubt the credit card companies will do that), the cost of phishing will go up next year. I'm not sure what numbers Gartner will make up this time next year, but I feel pretty good in saying it will be bigger.
Link to this [14]

Cisco released their first annual report on the global state of security [15]. I guess times are tough at Cisco, even if their financial results keep showing that they are growing 3 Check Points A QUARTER. I guess they just can't afford to dedicate a few folks to write the report bi-annually or maybe even quarterly. You see, an annual report is pretty useless. I guess if you are doing high level trend analysis, that's fine. But it's not something that is going to give you timely enough information to actually make any kind of decisions. They also throw in a few recommendations, which are about as timely as saying the wheel is round. Things like "conduct regular audits" and "consider more than performance when building a secure network." Wouldn't it just be called a fast network if we were only worried about performance? Their focus on education is well placed, but the other stuff left me a bit underwhelmed.
Link to this [15]

The Laundry List

  1. Websense the latest to try to replicate OPSEC with their "Open Endpoint Initiative." Guess what guys? There won't be another OPSEC. And their initial roster of partners is impressive, Lumension and... and... and... Bueller... Bueller... - Websense release [16]
  2. Want to kick start your security assurance/testing efforts? Here is a nice wrap-up from TechTarget on things like Metasploit and port scanning. - Symantec release [17]
  3. We'll see a lot more of email archiving in 2008. It's a mail infrastructure issue, so Mirapoint is better positioned than someone like Barracuda, but that doesn't mean all the security vendors won't be trying to get into the space.  - Mirapoint release [18]
  4. Shavlik jumps on the VMware bandwagon - like everyone else. But the idea of having better configuration management is important in the increasingly virtualized data center. And it's more than just patching... - Shavlik release [19]

Top Blog Postings

Hoff, The Mogull and Martin did a podcast [20] to go over these trends. Listening to those 3 pontificate for an hour would make my ears bleed, but I'm sure it was wonderful.
http://rationalsecurity.typepad.com/blog/2007/12/and-now-some-us.html [21]
Link to this [21]

http://www.gnucitizen.org/blog/the-next-line-of-defence-web20-you-must-read-this [22]
Link to this [22]


Source URL:
http://securityincite.com/blog/mike-rothman/the-daily-incite-december-20-2007