June 19, 2008 - Volume 3, #58
Good Morning:
Those of you that know me know I hate surprises. I mean REALLY hate
surprises. I'm OK with the kind of surprise where you walk into your
house and 50 people you sort of like scream surprise and then call you
an old fart while they are doing beer funnels. It's the surprise like,
"we've had a breach," or "your web site is down and your customers want
your head on a stick" kind of surprises that I'm trying to avoid.

I got one of those surprises this week at the gas station. I filled up
my old Acura and it cost me $65. Holy crap! $65 smackeroos. That's two
months at Starbucks. Or 70% of my DirecTV bill, which is also ridiculous.
I know my car is old and requires premium, of which I paid $4.40 per
gallon, but WTF? I guess I knew gas was skyrocketing and I'd filled my
tank within the last couple of weeks, so I shouldn't have been surprised.
But I still was. $50 per tank hurt, but it was manageable. $65 is
bordering on lunacy.
I'm aware that my friends in Europe pay a pretty pound or
Euro for petrol. And these high prices are not news to them, but this
has got to impact macro spending patterns. I know it's going to affect
mine. Thankfully, I have a pretty good commute - so I'm kind of
shielded from the real impact. But others are not so lucky.
Take, for example, my buddy who runs a light and sign company. He's got
4 or 5 trucks on the road every day, and those machines look at fuel
efficiency from a gallons to the mile standpoint. I know this is hurting
his margins, and he's not alone. Or my other buddy who runs a printing
company and spends 6-7 hours a day on the road driving between his
customers. I can't imagine what his gas card bill is at this point.
Unfortunately, things are probably going to get worse before they get
better. It doesn't seem demand is going to change much, given the booms
in China and India and in other emerging economies. It also doesn't
seem like we are going to find some mother lode of oil that will impact
the supply side. So get ready for $4-5 gas in perpetuity.
I'm still sticking by my macro projections that the 2nd half of the
year will be bumpy for IT, and even for security. I know a lot of the
economic pundits are thinking we are heading out of the trough, but I'm
not so sure. Property values in my neighborhood aren't going anywhere
but down. The monthly costs of living (even modestly) aren't going
anywhere but up. I know a bunch of folks that are looking for work.
They say the upcoming elections will be all about the economy, and if
they are right - it won't be good for the incumbent party.
Have a great weekend and go spend some money. The economy needs your
support. Oh crap, isn't that how we got into this mess in the first
place?
Photo: "Maui gas prices 5/30/08" originally uploaded by Tarlach [1]
Technorati: Information Security [2], CSO [3], Security Mike [4], Internet Security [5]
[6]The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com [7] |
Get Your Special Report: 6 Easy Steps to Protect Your Identity and get access to Security Mike's Portal today www.securitymike.com [8] [9] |
Top Security News
announcing their risk-management "taxonomy," [10]
which is basically an attempt to standardize the vernacular that we all
use (and don't use) about risk. I'm even more interested in some of the
work they'll be doing in the fall to help define a risk management
"methodology," which hopefully will get everyone at least to start
discussing how to measure and address the information risk we deal with
every day. The fine folks at Risk
Management Insight [11] have their paws
all over this one, and it's a great way for them to both increase their
exposure and drive some demand for their training and consulting
services. I think this is great news, but alas I'm not sure it will
make a difference. This underscores the general blog-debate that Jack
and I have engaged in for the past few months. I know there is a subset
(and I think it's a small subset) of the world that really needs this
stuff, and they should be jumping for joy. Yet, the rest of the world
just wants the problem to go away. They want good enough security to
keep the auditors from peeing in their corn flakes and they want to get
on with their day. Yes, these versions of risk management Yin-Yang can
co-exist. In fact, that's been happening for years. And I really am
excited by the Open Group shouting into a bigger bullhorn about the
great work that RMI contributed to the industry. I just have a hard
time turning off my real gene.
Link to this [12]
the story about how Facebook is a business
tool [13], how a company has put all their folks on Facebook in
order to facilitate communication, just made me laugh. How friggin'
stupid are these folks? They even say only 4% of the stuff out there
was company confidential, and they spent time training folks, so the
mistakes don't happen again. Great. But Facebook is like being indexed
by Google. Once
it's out there, it's OUT THERE. There is no pulling it back. And to
think the risk of these social networks are overblown is just playing
the ostrich game. I think we are underestimating the security and
privacy issues of a generation of young people that share personal
information by default. I used to laugh at how paranoid the Boss was
about personal security. Now I realize that she's been right. You
either have the security mindset or you are prey. And far too many
people aren't paranoid enough. Maybe Big Pharma should start working on
that.
Link to this [14]
tip on SearchSecurity from Michael Cobb
about how SQL injection attacks have evolved [15] over the past
few years. Google is now a
favorite attack mechanism to find vulnerable sites, and then the Trojan
Armies go out and do the dirty work. The good news is that if your site
is vulnerable, the fine folks at the search engines will likely let you
know. Of course, by then it's also likely too late. So how do you get
ahead of it? Security 101, baby! Run an application scan. Do a code
review. Monitor your application logs for funky traffic. Not brain
surgery folks, but keep in mind that the bad guys are going to continue
evolving their attack methods - and that means we have to keep evolving
our defenses. As I've said before, if you want something static, go
work on an assembly line. That is, until they replace you with a robot.
Link to this [16]
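The "monitor your application logs for funky traffic" advice above is easy to say and rarely shown. The following is an added example, not code from the newsletter or from Michael Cobb's tip: a small Python scanner that reads web server access-log lines in the common combined format (an assumption about the log layout), URL-decodes each query string, and flags requests carrying the kind of SQL injection indicators the tip describes. The log lines are constructed for the example; the IP addresses are documentation ranges, not real hosts.

```python
"""Flag access-log requests that carry SQL injection indicators.

Added illustration; assumes Apache/Nginx 'combined' log format and decodes
the query string before matching so that percent-encoded payloads are seen.
"""
import re
from urllib.parse import unquote_plus

# Constructed sample log lines (not real traffic). Lines 2 and 4 carry
# typical injection payloads; lines 1 and 3 are ordinary requests.
SAMPLE_LOG = """\
203.0.113.5 - - [19/Jun/2008:09:12:01 -0400] "GET /products.asp?id=17 HTTP/1.1" 200 4821 "-" "Mozilla/4.0"
203.0.113.9 - - [19/Jun/2008:09:12:07 -0400] "GET /products.asp?id=17%27%20OR%201%3D1-- HTTP/1.1" 200 9114 "-" "Mozilla/4.0"
198.51.100.2 - - [19/Jun/2008:09:13:44 -0400] "GET /search.asp?q=cheap%20flights HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
198.51.100.7 - - [19/Jun/2008:09:14:02 -0400] "GET /news.asp?id=3;DECLARE%20@s%20varchar(4000) HTTP/1.1" 500 0 "-" "-"
"""

# Minimal combined-format parser: client IP, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Indicator patterns, evaluated against the decoded query string.
INDICATORS = [
    ("quote-or-tautology", re.compile(r"'\s*or\s+\d+\s*=\s*\d+", re.I)),
    ("comment-terminator", re.compile(r"(--|/\*|#)\s*$")),
    ("stacked-query", re.compile(r";\s*(declare|exec|insert|update|delete|drop)\b", re.I)),
    ("union-select", re.compile(r"\bunion\b.+\bselect\b", re.I)),
]


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    path, _, query = rec["path"].partition("?")
    # Decode twice so double-encoded payloads (%2527 -> %27 -> ') are also seen.
    for _ in range(2):
        query = unquote_plus(query)
    rec["path"] = path
    rec["query"] = query
    return rec


def scan_line(line):
    """Return a finding dict if the line matches any indicator, else None."""
    rec = parse_line(line)
    if rec is None:
        return None
    hits = [name for name, rx in INDICATORS if rx.search(rec["query"])]
    if not hits:
        return None
    return {
        "ip": rec["ip"],
        "timestamp": rec["ts"],
        "path": rec["path"],
        "query": rec["query"],
        "status": rec["status"],
        "indicators": hits,
    }


def scan_log(text):
    """Scan a whole log (one request per line) and return the list of findings."""
    findings = (scan_line(line) for line in text.splitlines())
    return [f for f in findings if f is not None]


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(f"{finding['ip']} {finding['path']} -> {', '.join(finding['indicators'])}"
              f" (status {finding['status']}) query={finding['query']!r}")
```

Two findings come out of the sample: the tautology-plus-comment request against products.asp and the stacked DECLARE against news.asp. Decoding before matching matters; a pattern run over the raw `%27%20OR%201%3D1--` text would never fire. Pattern lists like this are a starting point for a review queue, not a block list: the scanner's job here is to surface the requests a human or a scanning tool should look at, and a 500 status on a flagged request is a strong hint the backend query actually broke.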
The Laundry List
- Is traditional signature-based AV dead? It's definitely on life-support, as Trend announces a cloud-based something or other. Will it work? Who knows, but clearly the sacred cow of AV will be served for dinner sooner rather than later. - Trend Micro release [17]
- Deal: Third Brigade jumps on the open source as lead generation bandwagon by acquiring the OSSEC project. This kind of model makes sense. Let a prospect play with an open source tool and then be there when they decide they need a commercial product. - Third Brigade release [18]
- Mercy killing, I mean, Deal: Fortinet puts IPLocks US ops out of its misery. Database security is just like UTM, right? - NetworkWorld coverage [19]
- Take that F5! Imperva integrates their WAF with scanners from Cenzic, HP, IBM, and NTO. Adding a bit more intelligence to the WAF (in terms of dynamic rules) is a good thought, but will customers really block based on what a scanner says? - Imperva release [20]
Top Blog Postings
http://securosis.com/2008/06/17/pink-slip-virus-2008/ [21]
Link to this [22]
decent idea [23].
http://www.stillsecureafteralltheseyears.com/ashimmy/2008/06/is-security-mar.html [24]
Link to this [25]
http://analystanalyst.wordpress.com/2008/06/14/ass-covers/ [26]
Link to this [27]