June 3, 2008 - Volume 3, #53
Good Morning:
I'm in the midst of a nasty tug of war and I feel like I'm losing. I
guess every small business owner deals with the same issues. You know,
do you focus on the foundational aspects of your business, laying the
groundwork for further leverage and growth, or do you take care of the
existing projects on your plate and perhaps run out of time? It's not
an obvious answer, especially when you have lots of great clients that
want you to continue doing work for them.

To be clear, of all the problems I can have, this is a pretty good one.
But it's still very much a problem. I have great, big plans for 2008.
I need to continue adding to the Pragmatic CSO content base with some
audio. I have another 2 or 3 major initiatives, which can really fill out
the vision of what Security Incite can (and should) become, planned and
ready to go into the execution phase.
And there is the reality of being overwhelmed with writing, speaking
and strategy consulting work. I'm almost at the end of Q2, which means
half the year is gone. So I guess I'm a bit panicked. Am I ever going
to get to these other products/projects? Or will they just be cool
ideas on note cards sitting on my desk?
Basically, I need to start saying no. But how do you do that? My
approach is going to be to look at where I spend my time and what can
be streamlined. I don't think it's a productivity thing, it's really a
focus thing. I need to stay focused on FINISHING, not just starting
projects. Based on my conversations with clients, many of you are
struggling with the same issues. You are constantly pulled in many
directions and you may be ticking things off the to-do list (I know I
am), but are they the RIGHT things? That's really the question to be
asking.
For me, I'm going to start by changing my publishing schedule a bit.
Daily Incites will continue to show up on Tuesdays and Thursdays. I'll
still shoot to do a Pragmatic CSO podcast or newsletter each week
(preferably on Wednesday). And I'll also do a "Special Incite" each
week, which will be ideas, opinion pieces or industry commentary (like
the Barracuda/Sourcefire analysis from last week), a bit longer and more
detailed than a TDI snippet.
So that's my plan, what's yours? Have a great day.
Photo: "Tug of War" originally uploaded by jphilipson [1]
Top Security News
how different industries will need to adapt
to the reality of the global, extensive, and yes, free distribution
afforded by the Internet and associated technologies [10]. Geoff
focuses on how ideas like trust, personalization, interpretation, and
authenticity can be applied in a security context.
But it all feels a little heavy and over thought to me. Maybe it's just
the simpleton in me, but I don't necessarily think we need to spend a
lot of time thinking about how to work in this new world order. If we
would spend a bit more time thinking about how to facilitate business
operations and protect the data that is important to the organization,
and communicate what it is that we are doing - then a lot of these
other details kind of work themselves out. The reality is that we need
to be able to track a user or transaction back to who did it (to
enforce segregation of duties) and all that other great CIA triad
stuff. Most of the major technological jumps over the past decade
haven't been fundamentally different (probably not since the browser),
but they have accelerated both globalization and the velocity at which
things happen. To phrase it a bit differently, our fundamental
mission hasn't changed, but the scope of our operations and the speed at
which we have to work is different.
Link to this [11]
talks about network segmentation in the
context of PCI [12] is yet another reason. Basically, we need to
be able to restrict access to certain systems and data. The author,
Stephen Cobb, used the Hannaford Breach as his case study to show how
better network segmentation would have possibly prevented the credit
card data from being compromised on capture (and before it was
encrypted). Organizations can move to this architecture now. It's
not like devices that can scrutinize endpoints and restrict access to
certain networks aren't around today (NAC, duh!), but this is an
expensive architecture to roll out to hundreds or thousands of
locations. Many larger retailers don't have the option to build a
physically segmented network in each of their stores, since the cost of
the devices to enable that would be prohibitive if you have to buy
1,000 of them. But if you are upgrading your store networks sometime
over the next 3-4 years (which you likely will), then why not get
something that can provide a better level of security as well? Of
course, you should. This represents a generational upgrade and that
takes time. In the meantime, you'll likely need to look at some of
those data encryption options - which is not a bad idea anyway since it
represents another layer in your architecture.
Link to this [13]
mobile
malware on SearchSecurity.com [14]. Everyone seems to agree that
it's going to happen, it's just not clear when. In 2004, it was going
to be 2006. In 2006, it was "soon." Now in 2008, it's just around the
corner. I say it'll never happen. Why? Because a simple cell phone is
really too simple to do much with, at least from a security standpoint
- so that's not an interesting target. And smart phones shouldn't be
considered any different than computers. They are really just small
computers, at least my iPhone is. And given that everyone copies
everyone else in this business, you'll see more functional, more
desktop-like operating systems in your pocket sooner rather than later.
And yes, attacks will happen - but they'll be the same attacks that are
working on the other computers. Lots of social engineering. Maybe some
key loggers. One of the points in the article is that there is no
"monoculture" or even duopoly of mobile operating systems to go after
to help the bad guys focus. That's true, but ultimately it won't matter
because the attacks will happen at the application layer and they'll go
after the data. Or they'll coerce consumers to do something stupid.
Which is what has already happened on the desktop. At least we've seen
that movie before.
Link to this [15]
The Laundry List
- Security management box sprawl is hitting hard. ArcSight announces a bunch more appliances to target smaller enterprises, remote (likely retail sites), and a dedicated PCI logging device. This is actually good news because one size doesn't fit all. - ArcSight release [16]
- Tumbleweed gets a patent for an "email firewall." Looks like the patent litigators will be able to buy those new Porsches after all. - Tumbleweed release [17]
- Tim Wilson vents a bit about the fact that most companies don't care about security. NSS. Here's a news flash for ya: until security pays the bills, most of these companies will remain blissfully unaware. We've got to "help" them understand, and whingeing about it isn't an answer. - Dark Reading blog [18]
- HP updates the SPI application security stuff (it only took a year) and is starting to talk about "services." Shocker, but how do they put dev tools in the cloud? - NetworkWorld coverage [19]
Top Blog Postings
http://www.bloginfosec.com/2008/05/20/moving-beyond-the-cia-triad-the-concept-of-agile-security/ [20]
Link to this [21]
http://securityuncorked.squarespace.com/security-uncorked/2008/5/31/top-5-why-customers-consider-nac.html [22]
Link to this [23]
http://riskmanagementinsight.com/riskanalysis/?p=360 [24]
Link to this [25]