February 12, 2008 - Volume 3, #14
Good Morning:
Yesterday I published my 2008 Incites. You can read the post on the blog [1] or get the PDF [2]. Either way, check
them out and join the conversation. Am I smoking crack? Are some on the
money? Do they help you put the dynamic evolution of the security
business in context? As always, I'm looking for feedback to ensure that
my research and writing hits the mark. Don't be bashful, let me know
what you think.
I know what you are thinking. Why
the hell does he do those things anyway? He acknowledges that if any of
the Incites turn out to be right, it's more luck than anything else.
And those are legitimate questions to be asking. So let me rant a bit
about why I think the Incites are important.
First, I use them
to keep me honest. I synthesize a tremendous amount of information
every day. I try to regurgitate that information back to you in a
clean and concise format, which allows you to skim through it and
figure
out what you need to know. Or at least what I think you need to know.
When you are hammered every day with too much stuff to do, it takes
discipline to take a step back and really think about the big picture.
Truth be told, I don't have that discipline. So I use the Incites as a
process to ensure that I take the time to consider macro-issues and
think big thoughts.
Next is accountability. I know that a lot of end users use IT research
to make purchasing decisions. Sometimes it's mine, sometimes it's other
firms' research. But with that role comes a significant responsibility.
When someone puts trust in my advice, it's because (hopefully) I've
earned that trust. The only way you earn trust is to be credible and
accountable for what you say. This is my way to be both.
Lastly, writing the Incites and then revisiting those trends twice this
year (over the Summer with the Incite Redux series and then at the end
of the year with Incite Report Cards) is fun. I know, I have a strange
idea of fun. Since I know a bunch of the Incites will be
off-base, I'll be able to poke fun at myself and the entire industry.
The day I take myself too seriously is the day I need to find something
else to do.
So that, in a nutshell, is why I'll subject you to the Days of Incite
once again this year.
Have a great day.
Where's the Beef commercial image source [4]
Technorati: Information Security [5], CSO [6], Security Mike [7], Internet Security [8]
[9]The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com [10] |
Get Your Special Report: 6 Easy Steps to Protect Your Identity and get access to Security Mike's Portal today www.securitymike.com [11] [12] |
Top Security News
"powerful, new antiphishing weapon DKIM" [13]
I want to puke. DKIM has been around for 3 years and in development for
over 4. That's new? Come on now. DKIM was actually ratified by the IETF
about this time LAST YEAR. Next we'll hear that the innovative,
ground-breaking steam engine is making a comeback. I guess what is new is
that the vendors now think DKIM is hitting critical mass. Yawn. The
reality is that DKIM is no panacea. It gets back to user training. Keep
in mind what a DKIM signature actually says: the domain in the
signature's d= tag vouches for the message. It says nothing about whether
that domain is the one in the From: line, and a phisher can sign mail
from his own domain just fine. So users can now do some simple header
analysis (is the message signed, and does the signing domain match the
sender they see?) and figure out (with a high probability) whether a
message is a phishing attack. But 99% of the consumers out there don't
know how to do that. So if all these messages will now be DKIM signed,
how will users realize that it matters? I guess one way is for the mail
houses and spam gateways to block messages that aren't DKIM signed [14].
That would go over like a lead balloon. Plenty of legitimate mail still
isn't signed at all, so there is too much opportunity for false
positives, and the idea of blocking is untenable. But I guess if the
vendors get all hot and bothered about it, it must be happening. Yes,
that is the sound of me pulling my hair out.
Link to this [15]
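The header analysis described above, as an added example that is not code from the original newsletter or from any DKIM vendor: it parses a DKIM-Signature header, compares the signing domain (the d= tag) with the domain the user sees in From:, and then shows what a "block everything unsigned" gateway policy does to a legitimate but unsigned message. The three messages, the domains (bank.example, phish.example, bobshardware.example) and the signature bytes are all constructed; the code does not look up the signer's key in DNS or verify the signature, it only does the header check.

```python
"""Header-only DKIM triage (added example, not code from the newsletter).

It does the "simple header analysis" described above: is the message
DKIM-signed, which domain signed it (the d= tag), and does that domain line
up with the domain the user sees in From:? It deliberately does NOT verify
the signature itself; that needs the signer's public key from DNS.
"""
import email
from email import policy
from email.utils import parseaddr


def parse_dkim_tags(header_value):
    """Turn 'v=1; a=rsa-sha256; d=example.com; ...' into a dict of tags.

    Folding whitespace inside a value (common in the base64 b= tag) is
    removed; the b= value is kept but never checked here.
    """
    tags = {}
    for part in str(header_value).split(";"):
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        tags[name.strip()] = "".join(value.split())
    return tags


def visible_from_domain(msg):
    """Domain of the address the user actually sees in From:."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def same_org(signer, visible):
    """True if the signing domain is the From: domain or a parent/child of it.

    DKIM allows d=example.com to sign mail From: news.example.com (and the
    reverse), so an exact-match rule alone would under-count aligned mail.
    """
    return (signer == visible
            or visible.endswith("." + signer)
            or signer.endswith("." + visible))


def triage(raw_message):
    """Classify a raw RFC 5322 message from its headers alone."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    visible = visible_from_domain(msg)
    signers = [parse_dkim_tags(h).get("d", "").lower()
               for h in msg.get_all("DKIM-Signature", [])]
    signers = [d for d in signers if d]
    if not signers:
        verdict = "unsigned"
    elif any(same_org(d, visible) for d in signers):
        verdict = "signed-aligned"
    else:
        # A signature from some other domain proves nothing about the From:
        # line. That is the phishing case (attacker signs with his own
        # domain) but also the legitimate third-party-mailer case, so it is
        # a flag, not proof of fraud.
        verdict = "signed-misaligned"
    return {"from_domain": visible, "signers": signers, "verdict": verdict}


def gateway_decision(result, block_unsigned):
    """What a gateway does with the triage verdict under the two policies."""
    if result["verdict"] == "signed-aligned":
        return "deliver"
    if result["verdict"] == "signed-misaligned":
        return "flag"
    # The false-positive problem: with block_unsigned=True every legitimate
    # sender that has not deployed DKIM gets blocked.
    return "block" if block_unsigned else "deliver"


# Constructed sample messages; the bh= and b= bytes are placeholders.
SIGNED_BY_BANK = b"""From: Security Bank <alerts@bank.example>
To: customer@mail.example
Subject: Your statement is ready
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bank.example;
 s=mail2008; h=from:to:subject; bh=dGVzdA==; b=QUJD
 REVG

Your February statement is available.
"""

PHISH_SIGNED_BY_ATTACKER = b"""From: Security Bank <alerts@bank.example>
To: customer@mail.example
Subject: Urgent: verify your account
DKIM-Signature: v=1; a=rsa-sha256; d=mailer.phish.example; s=k1;
 h=from:to:subject; bh=dGVzdA==; b=WFla

Click here to confirm your password.
"""

UNSIGNED_LEGIT = b"""From: Bob's Hardware <bob@bobshardware.example>
To: customer@mail.example
Subject: Your order has shipped

Tracking number enclosed.
"""

if __name__ == "__main__":
    for name, raw in [("bank", SIGNED_BY_BANK),
                      ("phish", PHISH_SIGNED_BY_ATTACKER),
                      ("bob", UNSIGNED_LEGIT)]:
        r = triage(raw)
        print(name, r["verdict"], r["signers"],
              "block-unsigned policy ->", gateway_decision(r, True))
```

Running it shows the two points the paragraph makes: the phish carries a perfectly good-looking DKIM-Signature, it just isn't from the bank, so "signed" alone means nothing without the alignment check; and the block-unsigned policy turns Bob's legitimate shipping notice into a false positive.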
IBM/ISS' X-Force is out there talking about why
the vuln count would drop [16], and it just seems strange to me. The
X-Force has been dormant externally since the deal (and most would argue
for a couple of years before), so now is the time they decide to let
Rouland loose on the world, and talking about this??? Before I belabor
the point too much, I'll just state that I don't care about vuln counts
and neither should you. You should only care about exploits in the wild
that can hurt you. Even with unlimited resources, sometime in 1995 you
passed the point where you could fix all the "vulnerabilities." So don't
even try. How about focusing on risk? You know, the things that could
actually kill you? But that wouldn't make good PR, now would it?
Link to this [17]
G-people are saying software will grow 8%
this year [18], despite a slowing economy. Gosh, I would love to
have that crystal ball. Yet IDC and Forrester say spending is going
down [19]. That's the problem with opinions, everyone has at
least one. And they change. Do you think any of these folks go
back and say,
"Gosh, we were just plain wrong last year. We figured spending was
going to grow 8% and it only grew 3%. We're a bunch of idiots." Nope,
they'll all just put these projections in the research archive and come
out in 2009 with a similarly nebulous and useless set of aggregate IT
spending numbers. And you'll go about your day because the reality is,
this stuff really doesn't matter to you.
Link to this [20]
The Laundry List
- This laptop will self-destruct in 5 seconds. If the TPM people have their way, every new laptop will ship with the Mission:Impossible theme song built in. No, that's not going to help customers understand why they should care about TPM. - TCG blog [21]
- Varonis tracks unstructured data on Linux now. What? You mean our engineers aren't trustworthy? - Varonis release [22]
Top Blog Postings
up the butt, Bob! [23]). But that's
neither here nor there. Yesterday's post had to do with Common Criteria
Certification. Rich did a very well-thought-out, politically correct, and
considerate response to basically say it's a sham. The reality is that by
the time a product gets certified, there have been two or three
point releases, which would have to be re-tested. The certificate only
covers the specific version and evaluated configuration that was tested,
so if you do have to buy certified, at least check that what ships is
actually what was evaluated. As much fun as Common Criteria certification
is for the vendors, the fact is it doesn't really mean much from a
security standpoint. Although it is still a buying requirement in some
Government circles, don't mistake Common Criteria for security.
http://securosis.com/2008/02/08/ask-securosis-is-common-criteria-certification-worth-anything/ [24]
Link to this [25]
http://blogs.ittoolbox.com/security/investigator/archives/the-hectic-ways-of-social-engineering-22276 [26]
Link to this [27]
http://techbuddha.wordpress.com/2008/02/03/evolving-information-security-part-1-the-herd-collective-vs-swarm-intelligence/ [28]
Link to this [29]
http://sm-blog.securitymike.com [30]
Check out the latest on the Security Incite blog: http://blog.securityincite.com/ [31]
Read the most recent Daily Incite: http://securityincite.com/security-incite-rants/daily-incite [32]