January 07, 2008 - Volume 3, #2
Good Morning:
Two of my favorite words are "ROAD TRIP." Though "NY Giants Win" are
close behind. :-) Road trips were a staple of my early adulthood.
Whether it was my pledge trip as a freshman (we went to visit
fraternity brothers at Bucknell) or the many Winnebago trips we took
from DC to Ithaca for Homecoming, the road trip always meant good times
with good friends, lots of shenanigans, and many lost brain cells.
Nowadays the road trip is still a big part of my existence, but not like it used to be - that's for sure. Packing up 3 kids, the Boss, and way too much stuff into our van for the 10-11 hour trip from Atlanta to Maryland (and back) to visit the Boss' family is, well, a bit different.
I have to thank the heavens for a couple of things. First is the portable DVD player. I have been very resistant to getting a DVD built into the van because I don't think my kids should expect to watch movies every time they get in the car. They watch plenty of TV already, and having video only a PLAY button away is very tempting when they are acting up.
So I bought this contraption to mount a portable DVD player between the driver and passenger seats. It works great. The kids watch the movies and for the most part are pretty well behaved. The Boss tells tales of her 20+ hour car trips to FLA as a kid. No video, no Leapster, no Nintendo DS? OHMYGOD. They actually had to talk or count license plates or do whatever kids did on long trips... Yes, we are pretty spoiled nowadays.
The other thing I'm thankful for is my iPod. I put the headphones on (only one when I'm driving, of course...) and tune out, so I can focus on the road and not on who did what to whom or who's not sharing what with the others. It makes the trip go a lot faster for me, and since it's all about me - that's a good thing.
Until my iPod blew up. Actually, it didn't blow up - it just died. 15
months after I bought it. Totally dead. Good night. The day before my
10+ hour car trip. A lot of conspiracy theorists have talked about
planned obsolescence and this is a great case in point. The standard
warranty is a year. So I'm potentially out of luck. What's another $300
between friends, eh?
But for once in my life, I actually got the AppleCare service contract
with the device. So I just brought it into the Apple Store (after I
made my appointment at the Genius Bar over the web), they confirmed the
unit was DOA and they gave me a brand new one. OK, maybe it's not brand
new - but it works.
I've never been a big fan of service contracts because the insurance companies that underwrite these policies make lots of money from suckers like me. But for anything with a hard drive, I get the extra coverage. And I haven't been disappointed yet. I've had TiVos die, computers die, and pretty much every other kind of electronic product go south. Right after the standard warranty runs out - of course. Not sure how the planned obsolescence thing works, but it works.
Have a great day.
Roadtrip image originally uploaded by stellarjandri [1]
Top Security News
download the report from E&Y's website [10]. There isn't really anything in there that we don't already know - but at least a lot of the stuff I say is consistent with what everyone else is saying. I guess that's good, because I was there 12-18 months ago. One interesting tidbit continues to be the lack of skilled IT security personnel. That is great for folks who are skilled. Supply and demand means that your skills will be more highly valued. But it also means we need to do a better job of building our farm system, and do it more systematically, making security a desirable profession for those folks just getting out of school and looking for a specialty.
interview with Big Yellow's John Thompson and McAfee's Dave DeWalt [12]. What was interesting is that both are defending the "big is the new small" trend. DeWalt has the best answer to that, and it gets back to the customers. If a product area is mature, why would a big company (or even a small company, for that matter) want to mess around with a start-up? Right, they wouldn't. There was also some interesting discussion around DLP. This is where the strategies of SYMC and MFE really diverge. Basically, Thompson wrote a big check to buy a leadership position in a very early market. McAfee is trying to build it themselves, based on some very early technology they acquired about 18 months ago. The reality is that MFE has time to get established in this market, but not that much. They can probably wait another 6-9 months as the market starts to shake out. It'll either hit the inflection point and they'll pay up for whatever they buy, or it won't and they'll get a good bargain. Or they'll do nothing (like with anti-spam) and totally miss the market. But they aren't the only shop that will be shopping for something this year (IBM/ISS, MSFT, probably Cisco too), so DLP will see some more consolidation this year too.
This one asks who is responsible for information security [14]. You'd better have said "everyone." Yes, it's a cultural thing, and it's important that everyone feel some ownership for the protection of corporate digital assets. You'll need to swim upstream against apathy and other obstacles, but with a good security awareness program in place you'll make inroads this year. But I don't think that was really the question. So if I turn it around a little and ask who is ACCOUNTABLE for information security, the answer is the Board of Directors, and thus the CEO - who usually assigns a Chief Security Officer to manage the program and be on top of the details. The author of the Q&A, Dan Swanson, gets it mostly right, saying the Board, managers and internal audit need to work together to get it done. But you can't fire everyone, so when I think about accountability, it really needs to reside with one person, and that's the CSO. There are also a bunch of good resources on security and audit topics at the bottom of the column, so check it out.
The Laundry List
- Maybe telling the Feds how to assess FISMA will make it relevant? If they don't even know how to test it, the odds they've done it right are nil. - GCN coverage [16]
- ID theft services will be big in 2008. How many times do you need to get nailed before you actually take action? Maybe a few, but lots of folks are there. - Tim Wilson's Dark Reading blog [17]
- We could use a storm in GA, but not this kind of Storm. The infamous regenerating worm morphs into a rootkit. Darwin would be proud how this one is evolving. - NetworkWorld coverage [18]
- What? A positive earnings pre-announcement? Entrust says Q4 gets back to profitability. They are trading at about 1.1x sales, even with today's 8% bump. They coulda been a contenda, if PKI ever happened. - Entrust release [19]
Top Blog Postings
http://riskmanagementinsight.com/riskanalysis/?p=315 [20]
Matt Hines [22] and then covered by Shimel and Hoff [23], is the "herd" mentality. Basically, all of the anti-malware vendors should get together and share information, so that a more automated response can help us react faster. It'll never happen. Remember, I can be the cynic and say the Big Security vendors don't really want to solve the problem. If they got out ahead of malware, what would happen to their cash cows? Wow, that was cynical. Anyway, many of the vendors already share malware samples via the WildList, so some of this does happen - although not fast enough. The spam vendors also have millions of honeypots out there to gather data about good and bad mail. You also need to consider how much data makes any vendor's conclusions statistically reliable. You're telling me Symantec doesn't have enough data to figure out new malware attacks? Doubtful. If anything, they don't have enough resources to wade through all the data they already have. But the overlooked portion of Andy's report is his focus on REACTING FASTER via monitoring as a critical corollary to new malware defenses. This is why Andy's head isn't just in the clouds (even though he's like 6'5"). He understands that no matter how many zebras we get in the herd, there will always be attacks we don't anticipate. So you'd better monitor your stuff as well and be able to react when something goes down.
http://www.stillsecureafteralltheseyears.com/ashimmy/2007/12/it-security-lev.html [24]
http://www.darkreading.com/document.asp?doc_id=140979 [26]