January 10, 2008 - Volume 3, #4
I've been very resistant to doing a podcast. I'm not exactly sure why, but I guess it's because I don't really listen to any - so I can't imagine anyone would listen to mine. Honestly, I find most podcasts to be crappy. They are long, drawn out, and generally a waste of time. Not all, but most. I also don't have the patience to sit and listen to an hour of anything, besides music.
I've heard more than once that audio would be a great venue for me. I've been told my voice and speaking style is "unique," which I always figured meant crappy. I do lots of webcasts and try to relay a passion for what I do and I try to be entertaining and kind of wacky. I know how boring it is to listen to streamed audio over your lunch break, so the least I can do is try to make it fun. But do I want to do this a couple of times a month? That's the real question.
There is precedent for this. I've been doing a podcast and feature article for eBizQ (called the Mike Rothman Security Report , if you haven't heard it) for a couple of months and it's been fun. It's trivial to record the audio on my Mac (Skype + AudioHijackPro = easy) and the sound quality has proven to be pretty good.
So I'm going to give podcasting a try. The first Pragmatic CSO podcast will appear tomorrow. It will be short (10 minutes max), sweet and hopefully entertaining. I'll still do the P-CSO newsletter, but probably a bit less frequently (maybe once a month now).
What's going to be the point of the P-CSO podcast? Basically, I want to pull nuggets out of the book and expand on those a bit. I also want to interview practitioners, analysts, auditors, and other security-related folks on topics of interest. But most of all, I want to have fun and learn some new stuff. By talking with smart folks and honing my audio skills, I'll be able to do both.
That's it for today. Lots to do, including figuring out all these podcast details.
Have a great weekend.
The Dutch Couple image originally uploaded by billbarber1 
Technorati: Information Security , CSO , Security Mike , Internet Security 
The Pragmatic CSO:
Read the Intro and Get
"5 Tips to be a Better CSO"
|Get Your Special Report:
6 Easy Steps to Protect Your Identity
get access to Security Mike's Portal today
Top Security News
Tech moves that matter - for good and bad. "
Good isn't very interesting to me, so lo and behold, the #1 bad move in
2007? NAC. That's pretty funny. But it's actually a Joel Snyder induced
rant about NAC standards. Cisco's refusal to play nice with the TCG is
evidently a stupid move. Uh, not so much. What's in it for Cisco to
play along? Why do customers care? What value is a common NAC standard
going to provide? It's not like you are going to buy NAC gear from
multiple vendors. Microsoft had to play nice with TCG, their NAP stuff
isn't ready and won't be ready for most of this year. So that was a
Barney relationship. There is no benefit to Cisco for getting on board.
They'll have agents for all the operating systems and why would they
support heterogeneity? Not when there is too much riding on Cisco
Link to this 
this one on DLP consolidation  and the market impact. It's actually more of a deal book for all the big security vendors out there that don't have a DLP capability yet. Every start-up is represented, so Cara (the author) must have worked really hard to find all of these random vendors to provide comment. But besides that minor entertainment value, we need to keep in mind that the pace of consolidation is inconsistent with the underlying ECONOMIC fundamentals of the DLP market. The big vendors are no longer waiting for a market to really emerge before buying real estate. Thus every new innovative security feature is destined to be assimilated before the market ever gets off the ground. I guess that's a pretty obvious conclusion to draw, but it will have an impact. There is a real liability to being an early adopter now, knowing that sooner - rather than later - whatever you buy will be subsumed into a bigger entity and most likely screwed up.
Link to this 
The Laundry List
- Just what we need, another pundit talking about what's going to happen in security management in 2008. Ho hum. Even when the analyst is me. - Rothman column on 2008 Security Management 
- These aren't 5 immutable laws or anything, but this month's eBizQ feature is a primer on virtualization security. - The Mike Rothman Security Report 
Top Blog Postings
Link to this 
Litchfield did a while back . Of course, he didn't leave anything malicious behind, but the concept is the same. The bad guys build a script to find a bunch of SQL-injection vulnerable sites (a scanner can do this, though it would need to be tuned a bit to not raise a lot of suspicion), then they inject the malware and wait for great stuff to happen. It's not necessarily self-propagating (like SQL*Slammer), but it also shows that massive attacks are still quite possible. What's a user to do? Run a scan against your Internet accessible sites and make sure you are not vulnerable. Do pen tests early and often. Also think about Firefox and NoScript, which would protect client devices that navigate to these compromised websites.
Link to this 
Link to this 
Check out the
the Security Incite blog
Read the most recent Daily Incite