May 16, 2008 - Volume 3, #47
Good Morning:
It's that time of year again. We're almost at the end of the school
year, and that means it's dance recital time. The girls have been
working hard (OK, maybe not working so hard) at dance class for the
past 10 months, and it's time to show off their stuff. This year, both
girls were performing, since Lindsay (my younger daughter) started dance
also.
I have to admit, the girls looked really cute in their dance outfits with
their hair up in that crazy bun. I wear my hair pretty short, so I
guess I'm always sporting a bun - but evidently it's a lot of work to
get the Gordon Gekko look on 4 and 7 year olds.
I'll also come clean that for me, a dance recital is like going to a
foreign country. I don't know if it's good or bad, but it's different.
Besides being forced to watch "So You Think You Can Dance" each
summer and maybe a few Justin Timberlake videos, I've seen very little
dance. I know it's probably shocking, but I don't go to the ballet or
any kind of interpretive dance shows.
If I'm going to see someone perform, they better be playing some kick
ass music or making fun of the guy in the front row, so I can laugh my
ass off. But being the good Dad that I try to be, we loaded up 13 of us
(two sets of grandparents, uncle/aunt and first cousins, and some
family friends) to the community center to see the show. Of course,
Murphy's Law came to visit and the video camera didn't hold the charge,
but being the contingency planner I am, I was able to take some video on the
digital camera. I've got nothing on Spielberg - but I can't wait to
show the girls that video when they are 25.
I have to say that both of my girls are performers. I don't know
if they can dance, but they sure do have some fun in front of a couple
of hundred people. Since my boy doesn't play ball yet, I don't know how
seeing the girls do their dance numbers will compare to him knocking
one out of the park or sacking the QB - but it was really great to see
them enjoy themselves in front of the crowd. Yes, one very proud Dad
was in the house.
After the big show, we gave the girls some flowers (evidently you are
supposed to do that) and they all got ring pops to celebrate. I guess
I'll need to budget in some dental fillings, in addition to the endless
supply of ballet, jazz and tap shoes and recital outfits for the girls.
Have a great weekend.
Photo: "On Your Toes" originally uploaded by vidguy [1]
Top Security News
Mike Chapple's SearchSecurity tip tackles
that issue [10] and he has some good guidance. Basically, run it as
an IDS for a little while, so you can tune the rules, and then only block the
small subset of things you KNOW are bad.
How about this new idea called network tolerance [11]?
I'm all for tolerance because the approach focuses on containment, not
necessarily eliminating all attacks. Though this academic approach seems
to be applicable only to the biggest shops (and ISPs) that can afford
to pull devices down to reimage them every so often. This kind
of perpetual new suit approach is starting to appear in things like
virtualized desktops (where a new image is assembled and streamed
every time you "boot" the device), so why not with network servers?
It's not today, but it may be something to think about - especially for the
big shops - though this is kind of the anti-virtualization technology,
since it requires a lot more computing cycles (you are
intentionally taking a portion of the engine offline).
Link to this [12]
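The "run it as an IDS first, then block only what you know is bad" advice from Chapple's tip above lends itself to a small piece of automation. The following is an added example of mine, not code from the newsletter or from the SearchSecurity tip: it takes the alert history from a detect-only window along with the analyst's disposition of each alert, promotes only the signatures that fired often enough to be measured and never matched benign traffic, and rewrites just those rules from `alert` to `drop`. The Snort-style rules, the hit counts and the dispositions are constructed for the demonstration, and the thresholds (`min_hits`, `max_fp_rate`) are assumptions you would set per environment.

```python
"""Promote IDS signatures to blocking (IPS) mode only after they have proven themselves.

Added example, not code from the newsletter or from the SearchSecurity tip. The rule
syntax follows the Snort 2.x action/header/options layout; the rules, the alert history
and the analyst dispositions below are constructed for the demonstration.
"""
import re
from collections import defaultdict

# Snort-style rules as they would sit in a .rules file while running in detect-only mode.
SAMPLE_RULES = """\
alert tcp $EXTERNAL_NET any -> $HOME_NET 80 (msg:"WEB-MISC /etc/passwd request"; flow:to_server,established; content:"/etc/passwd"; nocase; classtype:web-application-attack; sid:1000001; rev:1;)
alert tcp $EXTERNAL_NET any -> $HOME_NET 1433 (msg:"MS-SQL sa brute force login"; flow:to_server,established; content:"|01 00 01|"; classtype:attempted-admin; sid:1000002; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"POLICY outbound SMTP from workstation"; flow:to_server,established; classtype:policy-violation; sid:1000003; rev:1;)
"""

# Constructed alert history from the tuning window: (sid, analyst disposition).
# "tp" = confirmed attack or policy hit, "fp" = benign traffic that matched the rule.
SAMPLE_ALERTS = (
    [(1000001, "tp")] * 8                               # path traversal probes, all real
    + [(1000002, "tp")] * 3                             # real, but too few hits to trust yet
    + [(1000003, "fp")] * 38 + [(1000003, "tp")] * 2    # the internal mail relay trips it constantly
)

SID_RE = re.compile(r"\bsid:\s*(\d+)\s*;")
ACTION_RE = re.compile(r"^(alert|log|pass|drop|sdrop|reject)\b")


def signature_stats(alerts):
    """Return {sid: (hits, false_positives)} from the dispositioned alert history."""
    stats = defaultdict(lambda: [0, 0])
    for sid, disposition in alerts:
        stats[sid][0] += 1
        if disposition == "fp":
            stats[sid][1] += 1
    return {sid: tuple(counts) for sid, counts in stats.items()}


def promotable_sids(alerts, min_hits=5, max_fp_rate=0.0):
    """SIDs that fired at least min_hits times and whose false-positive rate is within tolerance.

    With the defaults a signature is promoted only if it has been exercised by real traffic
    (enough hits to measure) and has never matched anything benign.
    """
    promoted = set()
    for sid, (hits, fps) in signature_stats(alerts).items():
        if hits >= min_hits and fps / hits <= max_fp_rate:
            promoted.add(sid)
    return promoted


def promote_rules(rules_text, sids):
    """Rewrite the action of the selected rules from 'alert' to 'drop'; leave everything else alone.

    Commented-out rules and rules with other actions are passed through untouched.
    """
    out = []
    for line in rules_text.splitlines():
        stripped = line.strip()
        m = SID_RE.search(stripped)
        if m and int(m.group(1)) in sids and stripped.startswith("alert"):
            stripped = ACTION_RE.sub("drop", stripped, count=1)
        out.append(stripped)
    return "\n".join(out) + "\n"


def blocking_policy(rules_text, alerts, **thresholds):
    """Compute the promotable set from the alert history and return the rewritten rule file."""
    return promote_rules(rules_text, promotable_sids(alerts, **thresholds))


if __name__ == "__main__":
    for sid, (hits, fps) in sorted(signature_stats(SAMPLE_ALERTS).items()):
        print(f"sid {sid}: {hits} hits, {fps} false positives")
    print("promoting:", sorted(promotable_sids(SAMPLE_ALERTS)))
    print(blocking_policy(SAMPLE_RULES, SAMPLE_ALERTS))
```

The `min_hits` guard matters as much as the false-positive rate: a rule that fired three times with no false positives simply has not seen enough traffic to be trusted in blocking mode, and the policy-violation rule that the mail relay trips 38 times out of 40 is exactly the kind of thing that should stay in alert mode until the rule (or the network) is fixed. Since a Snort `drop` still logs the packet, visibility into what is being blocked is not lost by the promotion.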
PCI DSS Requirement 6 kicks in over the next
6 weeks [13]. Whoop de do. Now merchants are expected to have
protected their applications. I mentioned this when the standards
council issued a clarification on what Requirement 6 actually means.
Yet what's the impact if they get their web app firewalls deployed by
July 15? Or that software code review done by September 12? Not a damn
thing. That's right. Maybe they'll flub their assessment, but in
practice - will they? You don't think many of the QSAs will give a
waiver if the plans are already in motion? Especially given the late
clarification and the imminent release of the PCI DSS 1.2 specs (planned for October [14]). Of course,
there is a situation where it does matter. If there is another high
profile breach - then whether the merchant got there by June 30 is very
relevant. Especially when the card issuers go for the throat and demand
their settlements. For merchants? Keep on keeping on. And hope your day
doesn't come between June 30 and the day you get on target with
Requirement 6.
Link to this [15]
Kevin Beaver is venting a bit on his new
blog, Security on Wheels [16]. And the billions the US will spend
to bail out the bad actors, who have been profiting handsomely for the
last 3 years in the mortgage debacle, is nauseating. But is it
plausible that the Feds would make it right for consumers that are
continually victimized by poor controls and bad information security? I
know Kevin is joking here, but let's take a more thoughtful look at the
question. Could we fix the issue with a $300 billion investment? I
don't think so. You can't buy off stupidity, and the reality is that many
(if not most) security breaches are a direct result of stupidity. A
firewall and new laptop for everyone isn't an answer. But it's not like
they won't try; the US Feds will allegedly spend $30 BILLION on
security stuff over the next 5 years. That's a really big number and I
don't think they can digest that much technology and services over that
time period. It's like when you eat two ears of corn at your BBQ and
your body can't process all the food. You know what happens. You see
the corn again in like 16-24 hours. Yuck. But all the same, the Feds
may actually spend the money, and I hope they have a lot of shelves for
all the shelf-ware that will result.
Link to this [17]
The Laundry List
- CSOs and CEOs at the same table? Mich Kabay covers a new book that talks about why this is important. It's great to see this kind of discussion and topic continuing. We aren't close to it becoming reality, but at least we are talking about it. - NetworkWorld newsletter [18]
- Sourcefire blocks the Patch Tuesday attacks. Does anyone care about these stupid monthly releases? Besides their BusinessWire rep? And FIRE isn't the only company that does this; they are just the one I found first... - Sourcefire release [19]
- Proofpoint says FU to FTP and targets secure file transfer. Looks like a bit more competition for Tumbleweed. - Proofpoint release [20]
- Marshal pinpoints the largest botnet. Srizbi sends 60 billion a day. Hormel is still trying to get their .01 royalty on all those messages. - Marshal release [21]
Top Blog Postings
posted a letter [22] to clarify why
they are doing this. You can also check out the FAQ [23] to get more
details. Basically this is a licensing play and Ron is hoping that more
of the folks using Nessus will pay because it's the right thing to do.
Even colleges and non-profits, although some charities may be able to
get a free ProfessionalFeed. That PO from Mother Theresa is hitting the
fax right now. Customers do get some additional capabilities (like
compliance checks and support), but ultimately it seems that the model
is about customers doing the right thing and for $1200 a year - they
really should.
http://blog.tenablesecurity.com/2008/05/tenable-updates.html [24]
Link to this [25]
GRC is dead [26]. Alan then needs to
poke about Rich just copying Stiennon [27] to try
to generate some press. Then Rich pokes back and actually makes a pretty
well-reasoned argument [28]. So this cooler head (and when have I
ever been a cooler head in a blog fight?) basically says Rich is
talking about the compliance workflow engines that a lot of vendors
are pushing and calling GRC silver bullets. I'm in total agreement,
and even wrote a piece in SearchFinancialSecurity.com [29] about
it. The basic gist is that really big companies can get value from GRC software
because they've got a lot of moving pieces and coordination is a pain
in the backside. Smaller companies, probably not so much. Shrdlu weighs
in as well and really clarifies things by calling these GRC products
"compliance-with-a-dashboard." Awesome. But her point is exactly right,
in that risk is variable and credibility is king. If you aren't helping
the process, you are hurting it, and thus your life expectancy (as top
security pro anyway) is limited...
http://layer8.itsecuritygeek.com/layer8/r-before-c-especially-after-g/ [30]
Link to this [31]
http://jeremiahgrossman.blogspot.com/2008/05/does-secure-software-really-matter.html [32]
Link to this [33]