April 22, 2008 - Volume 3, #39
Good Morning:
After my little heretical rant yesterday, I decided to take a step back
and wonder why I'm so skeptical and cynical. It makes the Boss crazy. I
question everything. If I ask "why?" or "help me understand" one more
time, I may get a 12" saute pan in the cranium.
It's not that I am trying to be difficult. For me, it's all about PROVE IT. I've been
known to just blurt out "Name that Tune" in meetings and people look at
me like I'm nuts. This happens when I just don't believe what I'm
hearing. So I challenge the folks around the table to do it, prove me
wrong. Or to use a bad 70's game show analogy - name that tune in 3
notes.
We are security folks, and I don't think security folks ask nearly
enough questions. I guess some of us are scared of how we'll be
perceived. Or that we'll lose credibility because we don't know all the
answers. That's why many of us need to keep looking for new jobs every
18 months or so.
We should be questioning the senior team about strategy, especially as
it relates to letting "outsiders" and customers into our systems. We
should be questioning whether that remote sales person really needs a
database of every friggin' customer on their laptop. We should also ask
about the web application architecture before it goes live. Just so we
understand the threat vectors. Yes, this can be annoying, so you have
to learn to be a good, not annoying, interrogator.
I start almost every strategy meeting with a standard disclaimer. It's
along the lines that I don't have any answers, but I have some ideas
and I have a lot of questions. And I proceed to pepper the subjects
with question after question after question. These folks probably feel
subjected to a KGB interrogation. I ask all of these questions for a
couple of reasons. First is so that I can understand the client's
perception of the situation and then gauge how realistic their views
are. If they are living in fantasy-land, I need to shake them out of
that pretty quickly.
Another reason I ask questions is that I'm looking for the patterns.
You know, something I can grab on to and draw either a comparison or a
contrast. It's usually very helpful for most folks to understand that
they aren't alone, that other folks have been where they've been and
probably screwed up what they are trying to do. I truly live by the old
adage that if you fail to remember history, you are doomed to repeat
it.
So make a little mid-year resolution. Ask a lot more questions. Don't
accept what people tell you as the rule of law or as the truth. Make
them defend their positions and justify why they are doing something.
At the end of the day, we as security folks can't stop them (for the
most part), but we can make sure they understand the risks and
ramifications of what they are doing.
And the only way I know to do that is to ask questions. Are
you having a great day? See, asking questions isn't so hard.
Photo: "Question Everything", originally uploaded by dullhunk [1]
The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com [7]
Get Your Special Report: 6 Easy Steps to Protect Your Identity and get access to Security Mike's Portal today www.securitymike.com [8]
Top Security News
NetworkWorld interview of Symantec's John
Thompson [10] makes me laugh. Thankfully he's owning up to having
some issue with the Veritas deal, but that's water under the bridge.
The reality is it's still not clear how the go to market model needs to
work between security and storage. Despite JT's protestations, the jury
is still out on that. But what makes me hysterical is when he's asked
about McAfee and calls them "a nice little company and they do a nice job." Ouch.
Personally, I think this is a pretty ridiculous way to look at the
competition. One of the problems with big security is that they are
fat, dumb and happy. They are pleased to milk their cash cow a bit and
haven't done much to really change the way things are done. If there is
one thing you can say about McAfee right now, it's that they are not
comfortable. The new regime is questioning everything (see above),
challenging the way things are done, and basically executing much
better. He similarly dismisses Microsoft's efforts in security. I'm
pretty sure that one of the seven deadly sins is arrogance. Of course,
I have no interest (nor am I even remotely capable) in running a
multi-billion dollar behemoth (I can barely run a one person shop),
but I would use McAfee as a rallying cry to get my troops focused on
the threats and basically uncomfortable about market position and light
a fire under their backsides. But that's just me.
Dark Reading's coverage of CA's Dave Hansen's pitch at RSA [12]. He made the point that CSOs need to become more
relevant to the business. He even spurts an interesting statistic,
which is that 46% of CSOs spend up to a third of their day just
analyzing security event reports. Maybe that number is true or maybe
it's not. The reality is I don't have an issue with a CSO analyzing
reports for a portion of their day because they need to know what is
going on in their environment. They need to see when something is
misbehaving and dispatch an expert to figure out if it's really an
issue. Hopefully before it becomes a real issue. Though I'm not going
to minimize the need to become relevant in the boardroom. That's
crucial to being considered a player. And it doesn't happen overnight.
The CSO's job is clearly becoming one of persuasion, and that takes time
playing the game. Maybe even 2/3rd of your time. But with the other
1/3, I don't have an issue with checking out dashboards and trying to
REACT FASTER to what is going on out there. You are definitely not
relevant if an attacker is in your grill for years, while you are
hobnobbing down mahogany row.
NBA review kick-off [14] gives a good
overview of the technology and what it purports to do. I'm looking
forward to seeing if the NWC folks think it actually helps them run and
secure their networks. I'm also looking forward to seeing who actually
shows up.
The Laundry List
- PayPal says "No Safari for you." What do they have against tigers and leopards? - ebizQ coverage [16]
- Make sure to send SearchSecurityChannel a holiday card this year. They give you lessons and tips from Bejtlich for free. This one is how to use Snort and Argus together to analyze the network. - SearchSecurityChannel tip [17]
- DBAs start your patch engines. Oracle fixes 41 problems in this quarter's update. - SearchSecurity coverage [18]
- Aladdin misses Q1 and cuts the 2008 outlook. Is this the shape of things to come, or is it Check Point's pretty good results? We'll know more over the next few weeks as other security companies announce. - Aladdin earnings release [19]
Top Blog Postings
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1309350,00.html [20]
http://www.oreillynet.com/onlamp/blog/2008/04/be_secure_and_youll_be_complia.html [22]
Layer 8's Shrdlu after she hammered him [24] with some naivety comments
on a recent post of Ken's. My opinion is that Ken is off the
reservation a bit with this one. So I'm going to act as Big John
McCarthy and call the fight with a 1st round tap out. I wonder where
Shrdlu learned to apply that arm bar. Basically, the original post (on
Slashdot) was more whining about the fact that most executives will
choose to line their pockets rather than address a security issue. I
think that's a fair assessment. The point is risk is totally
SUBJECTIVE. Ultimately the point of what we do is to provide enough
information to the senior folks so they can make a relevant and
data-based decision about how much risk to take on. Shrdlu's point is
that without some objective set of risk measurements (perhaps like Jack's FAIR [25] process) the
executives can (and will) continue to do whatever they want. If
anything the Slashdot guy is not naive, he's just frustrated because of
the way the world works. Based on Ken's vitriolic response, I guess he
doesn't take too kindly to being put in an arm bar.
http://www.bloginfosec.com/2008/04/18/slashdot-post-on-security-ethics-demonstrates-professional-naiveness/ [26]