May 12, 2008 - Volume 3, #45
Good Morning:
The signs were ominous. I was awakened at 5 AM by a raging storm. Wind
howling. Thunder, lightning. The whole nine yards. I waited for the
inevitable cacophony of terrified children wanting the storm to stop.
Not the best way to begin Mother's Day. The annual rite of passage
where we celebrate those that brought us into the world.
Yet, something was looking out for me on that early Sunday morning. I dozed back off
with nary a whisper from the other 3 bedrooms. I wasn't about to argue.
I know I mention how lucky I am pretty frequently. Yesterday was no
different. Both my Mom and the Boss' Mom (I guess I should call her the
Boss squared) are in town for a Tuesday Dance recital. So for the first
time, I think ever, both our parents were in town to celebrate Mother's
Day.
Once the Boss awakened from her slumber, the kids presented her with the
various arts and crafts they'd been working on. Some families go all
out and buy all sorts of presents for these holidays. But not us. I
think it's a lot more meaningful for the kids to spend a half-hour
writing out a card and doing some artwork. I figure if they are going
to write on the walls the other 364 days a year, at least let them
write on paper for a day that matters.
Then we took the kids to a Jumpy place with both Grandmas. The kids
thought it was about them, but per Mother's Day rule, we tried to tire
them out so they'd be a little passive at dinner. Keep that secret
between us, OK? Unfortunately the kids were having none of that, so they
were a bit rambunctious at the restaurant. And given the fact that we
had 13 people around the table, I'm sure we made a terrible racket.
But it was all good. As I scanned the table, I was very thankful that
both of our Moms are healthy and engaged with the kids. That we can get
together and enjoy a good meal and just have fun. Which is what family
celebrations are about.
Have a great day.
Photo: "May 14, 2006: Happy Mother's Day" originally uploaded by Matt McGee [1]
Top Security News
NetworkWorld piece on Microsoft's WiFi
network [10] is a case in point. A lot of organizations are
scared to deploy WiFi to the masses because it can become a security
issue. But there are ways to provide adequate protection and the
productivity benefits usually outweigh the risks. Of course, the MSFT
folks missed a golden opportunity to talk about how they are deploying
NAP to the nether regions (assuming they are) and it's doing all sorts
of good stuff, but I'm sure it won't be long before we see them beating
the drum about that.
Link to this [11]
Network Computing piece on desktop
virtualization [12] is a case in point. VDI (as it's called, I
guess) is about delivering a desktop "on demand" and centralizing a lot
of the provisioning and management of said endpoint computing
infrastructure. Yet, the security advantages of this are a bit obscure
to me. I guess if you are rebuilding the desktop every time, then you
don't have to worry about Trojans (since they'd be blown away with
every "reboot") and ensuring a secure configuration would be easier as
well since the desktop is delivered as the admin wants it. But is that
a reason to deploy VDI throughout your enterprise? Nope. The real
driver (as with most things) is operational savings through better
management. Any security benefits are gravy. I know we security folks
need to feel important and it's a blow to our self-esteem when time and
time again it's proven that no one gives a rat's ass about security
(until a breach, that is). But it is what it is. So learn a bit about
VDI because I do agree that it's going to happen. And get your nose
into the process early, so the VDI infrastructure can be secure from
the get-go. But don't be delusional and think it will happen because it
adds better security to the mix.
Link to this [13]
McAfee delivers the Secure Internet [14],"
I toss my cookies because those words are just wrong. Of course, I know
how the game is played. I know bitching about this is just being naive,
but it's still annoying to me. There isn't really anything new here
from Little Red. Basically they are just announcing that the secure
search offering they are doing with Yahoo will be available via a
McAfee website and through the SiteAdvisor toolbar. I suspect Google is
soiling their pants with worry. They are also taking the opportunity to
launch a new "McAfee Secure" certification. As if there wasn't a big
enough target on their heads already. It's not clear if this is a
superset or a rebranding of the HackerSafe program, but it seems to be
built on the same technology platform. Or maybe this is a more direct
Qualys competitor. Got to love those clear press releases. I find these
web site "certifications" to be a joke, but the data shows that
customers routinely misplace trust in these seals, even
though month after month, more of these "certified" sites are
hacked and are shown to be vulnerable to things like XSS and CSRF. But
in my naivety, I forget that most of the world doesn't read the tech
trades (if they did, it wouldn't be such a crappy business). So even
when these certifications are proven to be bogus - it just doesn't
matter. It's mostly about security theater. I shouldn't forget that -
even if I want to.
Link to this [15]
The Laundry List
- Web scanning as a service? Google finally relaunches the ScanSafe stuff Postini has been doing for a long time, and drops the price. This is right out of the anti-spam service playbook. - eWeek coverage [16]
- Interesting post about applying agile development techniques to marketing. It helps when the CEO is driving the process, but another example of eating your own dog food. I'm sure it tastes yummy. - OnlyOnce blog [17]
- Here is Part 2 of Sam Dekay's treatise on security awareness training, dealing with whether these efforts work or not. - BlogInfosec.com post [18]
- Here is another post on security awareness. Tom Olzak talks about some metrics to measure awareness efforts. Is "employees do fewer stupid things" a feasible metric? - Tom Olzak blog [19]
Top Blog Postings
http://rationalsecurity.typepad.com/blog/2008/05/citrixs-crosby.html [20]
Link to this [21]
http://1raindrop.typepad.com/1_raindrop/2008/05/grc---to-be-or.html [22]
Link to this [23]
http://securosis.com/2008/05/01/best-practices-for-dlp-content-discovery-use-cases/ [24]
Link to this [25]