Published on Security Incite: Analysis on Information Security (http://securityincite.com)

The Daily Incite - June 17, 2008

By Mike Rothman
Created 2008-06-17 08:49
Today's Daily Incite

June 17, 2008 - Volume 3, #57

Good Morning:
I hope everyone had a great Father's Day, that is if you are a father or have a father. I know better than to assume the nuclear family still predominates around the world. My day was great. My kids made me cards and were generally on decent behavior. I did try the "behave it's Father's Day" line a few times, but they figured that after the gesture of the card, they were off the hook.
Almost every Sunday I take the kids to the gym and drop them off at the child center. Then I hop aboard the stair machine or the elliptical for my 45 minutes of "exercise." I figure it would be less painful to have my teeth drilled with no novocaine, but I guess running fast to stay in place is good for my heart.

But at least I had my old buddy Tim Russert and Meet the Press on the tube (with fancy closed captioning, so I could listen to music at the same time) to pass the time. Which is why hearing about his death last week was a real blow.

I didn't even know the guy, yet I felt like I did. I've spoken to a bunch of people that have said the same thing. He was like a bit of fresh air, a sort of sanity in what has become a crazy political backdrop. Now he's gone, but clearly won't be forgotten.

Last Thursday I wrote about leaving a legacy and taking the long view. Tim Russert was a great example of that. He single-handedly revitalized the Sunday talk show format, and provided ways of describing incredibly boring and nuanced political machinations in a way that even a simpleton like me could understand. I'll never forget that white board during the 2000 Election night. My company that night was my 3-day-old daughter (in her bili lamp) and Tim Russert.

Life does go on. The election will go on, but it won't be as much fun. Some other jackass will pull out a white board, but it won't have the same effect.

Most of all, the thing I'll remember about Tim Russert is that he went out doing what he loved - voice overs and prepping for his show. At some point (hopefully a long time in the future), my time will come. And I can only hope I have a big smile on my face because I was doing what I love surrounded by the people I care about.

Have a good trip Tim. And you have a great day.

Photo: "tim russert" originally uploaded by hbushra [1]


Top Security News

Camelot [10] (more on that later), now he sort of takes aim at the DLP business [11] - in his inimitable Stiennon way. The great line from Apocalypse Now always comes to mind whenever Stiennon opens his mouth: "I love the smell of napalm in the morning." Richard is really saying the DLP emperor has no clothes: that data is in too many places to be adequately protected, and not just electronic places. That's a relief; I wanted to work on my short game today. Richard's assessment that "data leak prevention is impossible" is empirically correct - but beside the point. Building a secure application is also impossible, but does that mean we don't try? Do we not deploy some type of filtering for our email and web traffic to make sure the low-hanging fruit is addressed? Do we not try to figure out where our sensitive data is, just in case we get the wild hair to try to protect it? I know, a lot of questions for a Tuesday morning. Actually Richard isn't even talking about electronic DLP, rather controlling paper documents, since the UK Secret Service lost a bunch of papers because some idiot left them on a train. This falls into the same bucket as the VA data loss to me. There is probably no reason why this dude had sensitive papers on Al Qaeda off site, is there? Can you ultimately control it? No. Can you set policies and have public executions if people don't adhere to the policies? Yes - and I believe you should. Nothing like the smell of a public execution in the morning.

PCI Security Standards Council is initiating a quality assurance program for assessors [13] in the fall. This is actually great news and a key facet of scaling the PCI data security requirements. The reality is there are too many retailers and not enough decent assessors. Kind of like the good old days of dealing with the Big 5: the Partner comes in and wows you, and then the college kids show up to bungle the project. It's not that bad relative to PCI assessments - yet. But getting out ahead of it by setting guidelines and then building a feedback loop to shine a light on the weak assessors is a good thing. The thing we all have to watch for is assessor "witch hunts," where the merchant and the assessor have a difference of opinion, maybe about a compensating control or a specific process. Ultimately the Standards Council needs to be careful not to undermine the credibility of its assessors. There is already a process to handle differences of opinion, by working through the payment processors and then ultimately to the payment brands themselves. But if the quality program becomes a way for a merchant to get around a challenging assessor, that kind of defeats the purpose, no?

The Laundry List

  1. Sourcefire names John Burris as CEO. I figured it would be a BOD member, but I picked the wrong one (I had money on Becker). Burris has been looking for a CEO gig for a while, and now he found one. Be careful what you wish for. - Sourcefire release [15]
  2. It's not quite the Secret Service, but Obama is looking for a web app specialist. Maybe after this gig, you could write a book and get on Meet the Press. - NetworkWorld coverage [16]
  3. This advice on how to supplement Snort with other tools isn't just for VARs. The Tao Master provides some high level concepts of what other data to collect to verify the findings from Snort. - SearchSecurityChannel coverage [17]
  4. Looking at NAC (even if Stiennon says not to)? Check out NetworkWorld's NAC buyers guide, which if anything provides a list of vendors. - NetworkWorld buyers guide [18]

Top Blog Postings

http://www.darkreading.com/blog.asp?blog_sectionid=403 [19]

http://securityblog.verizonbusiness.com/2008/06/10/i-was-an-anti-mss-zealot/ [21]

Camelot [23] balloon by actually questioning whether this new category called "network-based entitlement control" is really much of anything new. I have to admit, I spoke to Rohati and didn't get it either. I know I'm not the sharpest tool in the shed, so to see someone with technical chops like JJ ask some questions is comforting. Rohati talks about controlling access to applications by applying network-layer filters in a really fast box. This is based on the premise that applications just suck at their own security, so enterprises should spend hundreds of thousands of dollars to externalize security from the applications. I guess this comes from the Contact [24] school of procurement: why build it once, when you can build it twice for twice the price? I do understand that applications like SharePoint are sub-optimal from a security standpoint. But do I need to build another layer of my network security infrastructure to deal with it? I guess it depends on how much private information is in SharePoint. Or maybe I look at moving to a better application platform. Given I'm going to spend a couple million anyway, why wouldn't I buy something that solves the problem in the first place, as opposed to layering a network-based band-aid on top of it? But you have to hand it to Rohati's press engine. They've made it newsworthy that some ex-Cisco engineers started a company, since that's never happened before. I'll follow up with a similar disclaimer to JJ: I could be wrong, it has happened before. But the jury is out until any of these folks trying to do application-specific stuff in the network gain some traction.
http://securityuncorked.squarespace.com/security-uncorked/2008/6/15/network-based-entitlement-a-rose-by-any-other-name.html [25]

Source URL:
http://securityincite.com/blog/mike-rothman/the-daily-incite-june-17-2008