March 31, 2008 - Volume 3, #32
Good Morning:
Just got back from a boys' weekend with my college buddies. It was a lot
of fun and we had a lot to celebrate. Most of us have turned (or are
turning) 40 this year, and we still try to get together once a year and
get back to the old (bad) habits. We are all family guys, with at least
a spouse at home - but once a year we step into the time machine and
carry on like frat-boys. Staying out most of the night, running up a
pretty scary bar tab, pulling each other out of potential rumbles with
guys half our age - you know the deal.
The first night is always a blow-out. And the second day is painful. Very, very painful.
You know it's bad when you lie down to take a morning nap and you feel
like you are on a merry-go-round - without the cool horses. But it's
not like I don't know how to ride out a hangover. I'm just out of
practice and that's a good thing.
I also fell off the wagon with my eating over the weekend. The best are
the late night (I mean early morning) trips to either Krystal (yes, we
were in the South) or a hot dog stand. I say the best because the food
sure tastes good at the time. When it's eating away at your intestines
for the next 24 hours, not so good. But it's all part of the ritual of
remembering why you aren't an adolescent anymore, and that maturing is
actually a positive thing.
A weekend away is nice twice or three times a year. I'm thankful the
Boss lets me go on these little excursions. It's great to reconnect
with my oldest friends and catch up on each other's victories and also
our defeats. You can't replace all the shared history I've got with
these guys. They've seen me (and I them) at our best and our worst.
But I will say I was certainly happy to get back home. Happy to be back
in my routine. Happy to see the wife and kids, and they even seemed
happy to see me. So I'll take it.
So now it's time to get back on the wagon. Tighten up my food intake.
Get back to the vegetables and salads I now crave. Let my liver
recover a bit. Hit the gym a few times this week. And most of all,
rest up. Because next week is RSA and I get to do it all over again.
Have a great day.
Photo: "Even Heroes Fall off the Wagon" originally uploaded by TCM Hitchhiker [1]
The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com [6] [7]
Get Your Special Report: 6 Easy Steps to Protect Your Identity and get access to Security Mike's Portal today www.securitymike.com [8] [9]
Top Security News
TJX settled with the Federal Trade Commission last week [10] and got 20
years of scrutiny for the sloppy practices the FTC says led to the data
breach. Let's be clear, the settlement is crap. It's all about the FTC
saving face and feeling like they got a pound of flesh. In reality, maybe
they got a dried-up scab. TJX now needs to do difficult things like have
someone accountable for security. They also have to do risk assessments.
There are three other things in there too, like "Evaluate and adjust their
information security programs to reflect the results of monitoring, any
material changes to their operations, or other circumstances that may
impact the effectiveness of their security programs." Is this a joke?
Basically, TJX agreed to do security for the next 20 years under the
watchful eye of the FTC, all of which they need to do anyway if they plan
to accept credit cards (PCI still applies to them). And to think the FTC
actually assigned people to extract these concessions, and these folks
probably think justice is served.
This profile in Information Security Mag [12] details how a customer got
the funding and deployed a full disk encryption (FDE) solution. It's an
interesting read, but the reality is that the FDE category will do OK
this year from a growth perspective, as the rest of security turns out to
be pretty weak. But can't customers just use the built-in tools in Windows
and Mac OS X? The answer is yes, but not yet. To do FDE and make it useful,
you need a centralized policy that can be audited to show the control is
actually in place on every machine, not just that the software was shipped.
Fact is, neither BitLocker (Microsoft's attempt) nor OS X (FileVault) is
there yet. Tony Bradley points out some issues with the first
implementation of BitLocker here as well [13]. But if anything, Microsoft
will improve it, iterate it and plug it into its other management
hierarchies, and in a couple of years it'll be the bulk of the market.
That's just how it plays out.
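To make the "auditable control" point concrete, here is an added example (not code from the original post, the magazine profile, or Microsoft) that does the minimum an auditor would ask for: query each host's BitLocker state through the WMI provider that shipped with Vista and list every volume that is not fully encrypted with protection turned on. The `$Computers` list is a placeholder; substitute your own hosts.

```powershell
# Added example, not from the original post: pull BitLocker volume status from
# each host via the Vista-era WMI provider and report anything not protected.
# Needs an elevated PowerShell session and WMI/DCOM access to remote hosts.
# $Computers is a placeholder; replace it with your own machine names.
$Computers = @('localhost')
$ns = 'root\CIMV2\Security\MicrosoftVolumeEncryption'

# Translate the integer codes the provider returns into auditor-friendly words.
$protectionNames = @{ 0 = 'Off'; 1 = 'On'; 2 = 'Unknown' }
$conversionNames = @{ 0 = 'FullyDecrypted'; 1 = 'FullyEncrypted'
                      2 = 'EncryptionInProgress'; 3 = 'DecryptionInProgress'
                      4 = 'EncryptionPaused'; 5 = 'DecryptionPaused' }

$report = foreach ($computer in $Computers) {
    $volumes = Get-WmiObject -ComputerName $computer -Namespace $ns `
                             -Class Win32_EncryptableVolume -ErrorAction SilentlyContinue
    if (-not $volumes) {
        # No provider at all: BitLocker is not available on this host (wrong SKU)
        # or the host is unreachable. Either way it cannot pass the control.
        New-Object PSObject -Property @{
            Computer = $computer; Drive = '-'; Protection = 'NotAvailable'
            Conversion = '-'; PercentEncrypted = 0 }
        continue
    }
    foreach ($volume in $volumes) {
        # Both calls are WMI methods; their [out] parameters surface as
        # properties of the returned object.
        $protection = $volume.GetProtectionStatus().ProtectionStatus
        $conversion = $volume.GetConversionStatus()
        New-Object PSObject -Property @{
            Computer         = $computer
            Drive            = $volume.DriveLetter
            Protection       = $protectionNames[[int]$protection]
            Conversion       = $conversionNames[[int]$conversion.ConversionStatus]
            PercentEncrypted = $conversion.EncryptionPercentage }
    }
}

# Full picture for the evidence file...
$report | Select-Object Computer, Drive, Protection, Conversion, PercentEncrypted |
    Format-Table -AutoSize

# ...and the exception list an auditor actually wants. A volume can be 100%
# encrypted yet have protection suspended, so both fields are checked.
$report | Where-Object { $_.Protection -ne 'On' -or $_.Conversion -ne 'FullyEncrypted' } |
    Select-Object Computer, Drive, Protection, Conversion, PercentEncrypted
```

This only proves the state at the moment you ask, which is exactly the gap the paragraph is complaining about: a real program also needs the policy pushed centrally (Group Policy, including recovery key escrow to Active Directory) and the status collected on a schedule, so the exception list above is a spot check, not the control itself.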
The MacBook Air was owned in about 2 minutes [15] via a Safari flaw. It
makes for good news, especially given Apple's stance that they are more
"secure," but it doesn't mean anything. There are flaws in software,
period. Both Apple's and Microsoft's, and lots of third parties' as well.
Vista was compromised also, but it took a bit longer and it was based on
some Adobe software. Again, big deal. Everything is vulnerable. Notice
that all of these exploits require the user to navigate to a compromised
web site for a drive-by attack. Which is a legit vector, since users do
stupid things and click on links they are not familiar with. How about
that incident response plan? You can check out my SearchSecurity tip on
IR [16] for some ideas on getting your own where it needs to be.
The Laundry List
- Network Computing has a love-fest review with Palo Alto. I guess PA did a private concert with Chuck Point and June Iper to get on NWC's good side. - Network Computing review [18]
- Montego sort of launches a virtual switch to route traffic to security devices. Yet another company to secure the virtualized environment. You'll be seeing a lot of those at RSA next week. - SearchSecurity coverage [19]
- Podcast appearance: I chat with Mitchell about Microsoft security stuff. - Converging on Microsoft podcast [20]
- Another podcast: I talk to Kevin Beaver about pen testing in this month's ebizQ podcast. - The Mike Rothman Security Report [21]
Top Blog Postings
- http://dmiessler.com/blog/information-security-as-insurance [22]
- http://www.bloginfosec.com/2008/03/19/metrics-a-measure-of-security/ [24]
- http://techbuddha.wordpress.com/2008/03/17/why-should-it-spend-on-security/ [26]