Mike Rothman's blog
Pragmatic CSO Podcast #12 - The Business Plan
This week we get back into the Pragmatic CSO methodology, and jump into Section 2: Building Your Pragmatic Security Environment. The first step in S2 is Step 4 or Building Your Security Business Plan. Why do we need a business plan anyway? What's the point?
All is revealed in podcast #12. Well OK, not all - but I lay the groundwork on why the business plan is probably the most important of the 12 steps and what goes into building it. Over the next 2 months or so, we'll be delving deeply into the business plan and the associated efforts to "sell" the strategy to the senior team.
So, buckle up as we take off for the next leg of the P-CSO journey.
Running time: 5:52
Intro music is Jungle and I sign off with Acquiesce from Oasis' Masterplan album. Since the security business plan is YOUR Masterplan, I thought that was appropriate.
Direct Download: 12_Pragmatic_CSO_Podcast_12.mp3
Photo Credit: Peter J. Bury - IRC
Pragmatic CSO Podcast now on iTunes
Now you can take the P-CSO on your iPod with you. This is great news, so now I can haunt you in your car, on an airplane, or even when you are running. Although since all of the podcasts are 6-7 minutes, it wouldn't be much of a run I guess.
To get the podcast, click this link and then it should direct you to iTunes to subscribe to the podcast. Screenshot of what you should see is below.
The Daily Incite - May 8, 2008
May 8, 2008 - Volume 3, #44
Good Morning:
If I've said it once, I've said it a thousand times, success in
anything that you do is based on how well you manage expectations. When
you expect little, you tend to be surprised on the upside. When you
expect a lot, well... you know. Reading Shimmy's post on the Iron Man movie
made me think about why I go to movies and what I expect to get from
the time and money I spend.
Basically for me,
movies are about escaping. Not that my life is bad, quite the contrary,
but every so often taking a few hours to go into the land of someone
else's imagination is very useful for me. I do my best not to get into
the dogma of reality vs. unreality. Plot lines that don't make sense
just roll off my psyche, and I spend very little time trying to
understand the "true" meaning of any of these movies.
Why? Because they are movies. If I want reality, I'll go over to CNN
and remind myself how screwed up things are. If I want to be
overwhelmed, I'll just spend a few hours trying to keep up with my
kids. When I want to escape, I take in a movie or curl up with a
suspense, mystery or science fiction novel. Then I can shut off the
world, if only for a little while.
Personally, I thought Iron Man was a great movie. So I guess I'm with Farnum on that. I don't
know a lot about the comic book lineage, so I wasn't worried about how
true they were to the Iron Man history. Robert Downey Jr. was very
believable as the main character. And the idea of a supersonic flight
suit? Why not? Again, if I want reality - I'll watch
Survivor - since that's very real.
I guess it's about mental health. All work and no play makes Mikey a
dull boy. And given the schedule I keep and the crap I consistently add
to my overflowing list of things to do, sometimes I just need to shut
down for a few hours and go into someone else's world. The Boss has
mandated that Friday nights are now movie night. No more catching up on
the crap that didn't get done during the week. No more watching some
crappy TV. Now it's about escaping from the week that was and setting
the stage for the weekend to come. I think it's a great idea.
That's my story and I'm sticking to it. Have a great weekend.
Photo: "Iron Man Suit" originally uploaded by kevitivity
Technorati: Information Security, CSO, Security Mike, Internet Security
The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com |
Get Your Special Report: 6 Easy Steps to Protect Your Identity and get access to Security Mike's Portal today www.securitymike.com |
Top Security News
NAC is dead! Long live NAC!
So what? -
It was only a matter of time before the esteemed Stiennon tried to
relive his glory days and proclaim some other security technology as
"dead" and try to ride that to additional worldwide infamy, I mean
notoriety. Not surprisingly, he's decided that NAC is on death row
and is awaiting its three-drug cocktail into an eternity of hell fire
and disappointed VCs. Of course, Shimel takes this as validation that NAC is
for real, and it's not like he needs an excuse to jump on the
bully pulpit and wax poetic about all things NAC-virtuous. The reality
is that the truth is somewhere in the middle. NAC clearly has its
challenges, I've been one of the (only) voices that drove that point
home back in 2006, until it became popular to beat down NAC. Though
there are still
legitimate use cases for all three aspects of NAC (admission control,
access control and containment). It seems Richard forgets about the
first law of security (or he's gotten the mind-meld from Matasano),
which is to layer your defenses. Of course, NAC isn't going to stop a
clean computer from entering your network, but who says that NAC is the
answer to every problem? Maybe that's where everyone is getting hung
up. Let's try this again. Repeat after me, there is no silver bullet.
There is no silver bullet. There is no silver bullet. There is no
silver bullet.
Are drive-bys an endangered species?
So what? -
Wouldn't it be nice to live in Larry Seltzer's skewed view of reality?
Sometimes the stuff he writes is pretty good. Other times, he's taken a
wrong turn and fallen off the end of the world. The world is flat,
don't you know. Like this week's piece about browser defenses getting better.
Huh? So Vista does some ASLR and DEP (XP has limited DEP capabilities
too), so what? The applications have to use those defenses, which is
slow in coming. Also everyone has to have these latest operating
systems and have everything patched, and we certainly know that's not
the case in the real world. Larry even takes a shot at the beloved
NoScript, and now he's crossed the line. Listen, a web without
JavaScript is certainly sub-optimal. And I do spend a fair bit of time
authorizing different scripts on the various web sites I visit. But the
point is that I am making that decision, not some jackass web developer
that would rather drink Red Bull than ensure my browser can't be owned
via a XSS. NoScript gives me the power to
choose what scripts I want to run, and which I don't. To just blame all
the ills
of browser-based attacks on stupid users and social engineering is
missing the point. Attackers will take the path of least resistance,
and now that is through the user. Something like NoScript makes it a
bit harder, and that's why I tell everyone that will listen to use
it.
Hope for everyone that isn't the market share leader
So what? - What do you do when your biggest competitor is Cisco and your main value
proposition is lower cost? You commission a survey that says 77% of IT decision makers
would buy network security equipment from an "alternative" vendor.
Meaning an "organization other than the market share leader." Hmmm.
That's interesting data. So how does Cisco (and Check Point, etc.)
maintain their huge market shares if all these customers will consider
another vendor. Thinking... Thinking... I got it. They are considering
the other vendor for
leverage. You'd be an idiot not to "consider" another vendor because
that gives you a bit of power (however small) over the incumbent to
break a bit on price. That's negotiating 101. I'm interested in the
other 23%, who basically say they'll buy from the market leader no
matter what. Just goes to show that you can get a survey to say
anything you want, you just need to phrase the questions correctly.
Such as, "would you consider buying a technology from an "alternative"
vendor (not the market share leader) that provides more functionality
at a lower price?" Hmmm. How many folks would say no? I guess around
23%. And that's why I'm such a big fan of these surveys.
The Laundry List
- Yahoo shrugs off the Microsoft deal and embraces McAfee's SiteAdvisor to warn search users that some sites may be bad. This is cool, but I'm still using Google. - NetworkWorld coverage
- Add USB thumb drives to the 10 most wanted list. They could bring malware in and take data out. Of course, we already knew that, but sometimes it's good to be reminded - Network Computing Daily blog
- It was just a matter of time. Now other application dev shops are embracing security as a feature. Parasoft talks about their new application security offerings, built into the dev tools - of course. - Parasoft release
- Funny post on the NoticeBored blog about how not to do security awareness training. Idiotic questions are my favorite. - Noticebored blog
Top Blog Postings
New boss is same as the old boss
As I gradually tear through the blog posts that have piled up, I come
across Sir Verbiage, otherwise known as Greg Ness of Blue Lane. I
actually appreciate the fact that Greg is a card-carrying member of the
why say it in 100 words when you can say it in 1000
club. That's right, Hoff is the president, but I'll get to
that next. This post lays out Greg's view of 5 critical requirements of
data center security, and amazingly enough they are pretty consistent
with other aspects of security. Like accuracy (or no false positives),
which I hear is pretty important in an IPS system as well.
Comprehensive protocol "intelligence," which basically means you need
to understand not just the pipes, but also the application context. Uh
huh. Appropriate exploit response, meaning defuse the risk without
killing the patient (or disrupting operations anyway, the patient may
already be dead). I'm pretty sure most security folks start with a "do
no harm" mantra in other parts of the environment as well.
Exception-based detection? Yup, sounds like anomaly-centric views as
well. Finally the last is "virtsec readiness," and that just means you
need to be able to deal with both physical and virtual servers. Again,
nothing we are seeing in the data center is so different than what
we've seen before, there is just more of it and it happens faster. Some
of the defensive architectures of latter days won't scale to the needs
of the new virtualized data center, but it's not like the tactics are
changing all that much.
http://gregness.wordpress.com/2008/04/25/data-center-security-five-critical-requirements/
Where is Roget when you need it???
Since my brain doesn't hurt enough this morning, let me tackle a few
Hoffian posts, just to ensure I'm a bumbling idiot within 10 minutes.
You see, I can't concentrate enough to follow Hoff if I worry about
things like fine motor skills and breathing. I'm glad I've been sucking
pure oxygen for the past 20 minutes and hopefully I'll be able to wade
through Hoff's clarifying the ideas of securing virtualization vs.
virtualizing security before I pass out. The good news is that even for
folks of average intelligence like me, I get this. I think. Securing a
virtualized data center is about doing the same stuff we did for a
physical data center, but more and faster. Sure we've got a new OS
(hypervisor) to protect, but the attack vectors are largely stuff we
know. Until it's not and some big brained bad guy invents a new attack
vector anyway. I don't think people are being intentionally obtuse and
ignoring the risks of this new virtualized reality, I just think that
lacking a real attack vector that can demonstrably show that there are
additional risks, people are focusing on the stuff they can control.
Which isn't much. Unfortunately Hoff doesn't touch on his ideas
of "virtualizing security," since it's a totally different
ballgame and is about bringing security intelligence as an overlay to
the pipes and boxes that make up the fabric of your computing
environment. But if I need my fix of virtualized security goodness I
can always wade through some rational security archives. But since my
air is about to run out, I better get on with it.
http://rationalsecurity.typepad.com/blog/2008/04/clouding-the-is.html
Utopia RSnake-style
Ah, to see the light bulb of rationalization flicker on is a sight to
behold. Yes RSnake, the good guys need the bad guys. Or else we enter a
world depicted in Demolition Man, where police are unnecessary. Until
they are. But the bigger point is to try to find the root cause of the
issue and try to address it. And unfortunately, fraud has been around
way before computers and will be around long after I'm gone. There is
no panacea, there aren't any "punishment(s)
that actually deter crime or a security solution that prevents it from
happening entirely." Half the world figures if they become
a martyr they'll live in eternity with a posse full of virgins, and
they may not be wrong. So the idea of a punishment to deter crime is
not feasible. People have been rationalizing bad behavior since the
beginning of time, and I doubt they are going to stop anytime soon. And
the only security solution I know that prevents fraud
is the on/off switch. The point is not to make the problem go away, but
rather to make sure you are not the lowest hanging fruit for the bad
guys. Over time, perhaps we can tip the scales a bit in our favor and
make it cost a bit more to do cyber-crime, but I'm not holding my
breath on that one. I appreciate the frustration brother, but this is
the world we live in, and I don't have a lot of cycles to contemplate
why it sucks. So I don't.
http://www.darkreading.com/blog.asp?blog_sectionid=403
The Daily Incite - May 6, 2008
May 6, 2008 - Volume 3, #43
Good Morning:
I was wrong. It's not the first time it's happened, and I'm pretty sure
it won't be the last. I figured the Microsoft/Yahoo! deal was a slam
dunk [link]. Intuitively it made sense. The premium was 62% and that
was before the start of negotiations. Both Microsoft and Yahoo have
been sucking Google's exhaust for years. Neither had been executing well
to gain market share. The market is rapidly maturing and that means the
big companies need to get bigger to survive.
I could go on for days, but I'd still be wrong. My fatal flaw (once again)
is to look at the situation from a
logical standpoint. There were lots of reasons for the deal to go
through. What logical CEO would walk away from that kind of premium,
knowing how fun it is to get your teeth kicked in by Google every day?
I know Microsoft is the universal enemy of these companies, but why not
just box up the whole things and make it Redmond's problem.
Who knew that Yahoo! would become a blowfish once in Microsoft's clutches?
I usually get the analysis right, but I also tend to forget about the
human part of the equation. In this case, it's the sin of EGO. That's
right, ego killed this deal. I
think buyer's remorse had a bit to do with it as well (which made it
easier for MSFT to walk away), but ultimately
Jerry Yang's arrogance killed this deal. They walked away because they
couldn't squeeze another 10% out of the deal. Unbelievable. It will be
years before Yahoo's stock sees $33 again. Maybe it never
will.
So now the Yahoos will get to deal with mopping up 3 months of
diversion, a couple emboldened competitors, and a couple hundred class
action lawsuits.
The old adage, "be careful what you wish for," seems very appropriate
now. Yahoo! is again independent, carving their own trail. Yang and his
executive team made
some big promises to make the case for independence. Now they'll need
to deliver. Notwithstanding this is a team that has executed poorly for
years. I doubt it will be any different moving forward. Personally, I
used to be on Yahoo! pretty much all day. Now, if I'm there once a day
- that's a lot. I'm on Google now all day. And I'm not alone.
Good luck to the Yahoos. They are going to need it, especially when
Google's search results drive 2x the cash flow of Yahoo's internal
systems.
They may as well just burn the place to the ground. It would save us
all a lot of time.
Have a great day.
PS: My "shut down day" experiment went swimmingly. I didn't touch the
computer all day and my cell phone was off for an entire 24 hours. You
know what happened? Life went on. I was with the Boss all day, so she
had her phone - in case of emergency, but the trains ran on time. The
kids got up and went to sleep (with no help from us), we got to where
we needed to be and even ate a few meals. Basically it was a good
reminder that I can (and should) unplug more often.
Photo: "Microsoft is taking over Yahoo!" originally uploaded by gnal
Technorati: Information Security, CSO, Security Mike, Internet Security
Top Security News
A good bot is still a bot.
So what? -
This SearchSecurity
story
brings up a
pretty interesting ethical quandary. If you had the ability to
neutralize compromised machines and eliminate the Trojan that is
controlling it, should you? At first glance, the answer is probably no.
Sony got hammered a few years ago when it came to light that they were
using stealth rootkit technology to drive their DRM function. If the
good guys use the same techniques as the bad guys, how do you know the
difference? What if you dig a bit deeper and maybe use a healthcare
analogy? If your kids had a dormant virus that at some point would
awaken and turn them into a criminal, and you had a way to eliminate
the virus without them ever knowing they'd been infected, would you?
That seems like a no-brainer, right? Of course, in the court of public
opinion it's not a no-brainer. A few vociferous individuals could
create an uprising against tactics like these, even if they are good
for you. And then as opposed to focusing on doing the right thing, the
company creating the vaccine is defending themselves. No wonder why
it's usually just a lot easier to let folks blow each other up.
Should PAM stand alone?
So what? -
NetworkWorld published a
review of a couple of privilege account
management tools (PAM) last week. These tools basically
protect the account information and passwords for root and
administrator accounts. Why is that an issue? Basically it's about
separation of duties and accountability, mostly from a compliance
standpoint. Administrators typically just use root to make whatever
system level changes are required. They share the root password amongst
themselves and they go about their business. But what if a machine is
compromised? And it turns out it was because of a change that was made
by the root account? How do you know who to investigate? How can you
prove compliance and that you are protecting user data, when you can't
say which administrator made what changes? Right, you can't. So for big
companies, these kinds of tools can make sense. But why isn't this a
function of the server and system management hierarchies that are
already in place? Right. It will be, it's just a question of
when.
Everyone wants it... but no one wants to pay.
So what? - I
love these little profiles of Internet luminaries that have made their
money and now play. I remember Dan Lynch from the Interop days when I
was just a lowly networking analyst at META Group. Networld+Interop was
the networking world's RSA and it was a great show. Things were still
new and shiny. Dan made some investments, I guess he made some money,
and now he teaches. That's fantastic. Evidently
he is still investing in some start-ups, but it seems his investment
strategy is a lot less cogent than his analysis of the security market.
He says: "Security isn't easy to monetize. Everyone wants it
but no one is willing to pay much for it. And even if you have a
security solution, getting it adopted usually means a serious change to
something someone's doing." I don't
think any of us argue that case. But if I was an independent investor,
and I knew Dan's statement to be true, do you think I'd be investing
money in the latest, shiniest security widget? Especially when I could
maybe find some other things that could be more easily monetized. Ah,
another quandary of the security industry. Ultimately a few start-ups
will make money, but most won't. And I understand that, so even if I
could invest in security start-ups (I can't), I wouldn't.
The Laundry List
- Webroot is the "first" to offer web filtering in the cloud to SMBs? Really? I suspect MessageLabs, ScanSafe, WebSense's Black Spider and bunch others would differ. Could a beat reporter do a little bit of homework (and maybe not take a vendor claim at face value) before he writes something asinine, please? - NetworkWorld coverage
- But it's an excuse to poke at Microsoft? The spat about Microsoft's COFEE incident response toolkit is much ado about nothing. I guess you need to let the Captain Privacys out there run wild every so often. They don't get out much. - John Sawyer's Dark Reading blog
- Didn't hear much interesting out of Interop, but at least Barney makes an appearance. Blue Coat gets Vericept to join their partner program. Wonder if I could pick 35 PURPLE at the roulette table? - Blue Coat release
- If you are interested in CSRF attacks (and you should be), check out Jeremiah's slide deck on the topic. - Slideshare presentation
Top Blog Postings
Mirror mirror on the wall...
How many of you out there spend more time bitching than doing
something? Be honest. Do you go home and kick your dog because your
executives don't really care about security or what you do? It wouldn't
be surprising and you certainly wouldn't be alone. It's time to take a
look in the mirror. Yes, it will probably tell you that the VP of the
Data Center is the fairest one of all. He/she does have the halo of
virtualization over their head right now. In this post, Micki Krause
talks about a self-assessment product by Billi Lee that can provide some
insight for you. Amazingly enough, she even has a "12-step" program, or
at least 12 questions to distill where your head is at. Personally, I
never really found it useful to fill out a form to tell me what I
already know. If you are grumpy, acknowledge it. If you feel
marginalized in your environment, you need to accept that fact. Then
you have some decisions to make. Is this the right line of work for
you? Is it still your passion? Has the game beaten you down and now you
dread making the commute to work? You already know the answer(s), but
fear may be clouding your objectivity. I get it, I've been it. Now I'm
past it. And it's a good place. Now go do 10 hours of meditation. Your
boss probably won't even miss you and maybe you'll get some clarity.
http://www.bloginfosec.com/2008/04/08/are-you-a-savvy-ciso-learn-how-to-assess-yourself/
Is Defense in Depth overrated?
Friggin' Matasano Thomas. He wakes up to write every couple of weeks
and hurts my head. Fact is, I've gotten away from a lot of the
knee-deep technology and it's been many years since I wrote code. So
when he writes a provocative piece questioning the validity of defense
in depth as a legit application architecture, I need to shake out a
bunch of cobwebs and really think. It's much easier to not think, so
that annoys me from the get-go. The first distinction I'd make is that
Thomas (and his other big brained Matasano fellows) is talking about
application architecture. I'm still a fan of full system defense in
depth (you know, some layers on the network, some on the data center,
some within the database and more within the application). Though you
could probably make a lot of the same arguments, given if you can
compromise the application then you will likely get a free pass through
a lot of the other layers. The Matasanos basically dismantle a lot of
the old, tried and true security architecture ideas, like attrition,
delay, deterrence, and predictability. The answer seems to be one
single "well-defined" defense. Is that kind of like the "1" that Curly
talks about in City Slickers? This single defense should work, but what
if it doesn't? Or something changes. So it worked yesterday, but it's not
going to work tomorrow. Kind of makes me want to pack it in. But I
can't do that, since my mirror (see above) says I need to keep
fighting. Maybe I spend less on trying to stop attacks and more on
figuring out I'm being successfully attacked and containing damage.
Hmmm... Maybe there is a way to not just react faster, but to react
BETTER.
http://www.matasano.com/log/1044/defense-in-depth-reconsidered-is-information-security-anything-like-war/
The Mogull hits the doo-doo list
I always know a good piece of analysis because I get pissed that I
didn't think of it. Per usual, the Mogull takes a minute to expand my
own pea brain with what should be the 2nd corollary of the REACT FASTER
doctrine. You need to react not just FASTER, but BETTER. Argh. So
simple, so elegant, and so correct. I wonder how many hours of
meditation it took Rich to spit out that insight. Probably not too
many, and that's why he's on the doo-doo list. Of course Rich uses an
emergency medicine metaphor to discuss his point, but don't lose the
applicability to security. Rich says it a lot better than I could: "Don’t just react- have
a response plan with specific steps you don’t jump over until
they’re complete. Take the most critical thing first, fix it,
move to the next, and so on until you’re done. Evaluation,
prioritize, contain, fix, and clean."
Of course, a lot of what Rich is talking about is laid out in Step 8 of the Pragmatic CSO
(Contain the Damage), and amazingly enough it works. But only if you do
the work AHEAD OF TIME. The wrong time to find out your incident
response plan is crap is when you are in the middle of an incident.
http://securosis.com/2008/05/02/react-faster-and-better-with-the-a-b-cs/
The Daily Incite - May 1, 2008
May 1, 2008 - Volume 3, #42
Good Morning:
I tend to be one of those hyper-connected guys. I don't do twitter, but
besides that I don't really have email too far away and I can be found
in my RSS reader a couple of times a day. I like to think I'm "in the
loop." A lot of the time I'm not
sure how healthy it is. At night, there are times when I have to
specifically repress the need (dare I say addiction) to hit the iPhone
slider and see what has accumulated in my inbox.
Believe me, there
isn't that much interesting stuff in my email. But I like to see it
anyway. And it's a constant battle. I suspect many of you fall into
that category as well, battling those same demons.
Thus, when I saw this post on Web Worker Daily about "Shut Down
Day," I was intrigued. The picture to the left is called "Unplug for
safety," but this concept is more about unplugging for SANITY. Can I
actually shut down my machine(s) and not be connected? Yes, even my
iPhone. For a full 24 hours? Is it possible?
The honest truth is that I don't know. But I'm going to try. It'll be
easier for me for a couple of reasons. First, it's not like I'm trying
to do this during the week. Saturdays are somewhat manageable and
although I've been known to work a bit over the weekends, it's
definitely possible for me to skip it.
Second, the Boss and I will be tied up all day at an event. And I mean
all day. So now I have a fighting chance, since it would be a lot
harder to unplug if I was in the house watching some crappy baseball
game.
So we'll see how it goes. I'm kind of excited by the
possibility of becoming the master of my domain again. I don't expect
to need to unplug very often, but it will be nice to know that I can.
Have a great weekend.
Photo: "Unplug for safety" originally uploaded by mag3737
Technorati: Information Security, CSO, Security Mike, Internet Security
Top Security News
DEFCONs just want to have fu-un. DEFCONs just want to have fun.
So what? -
When the s*storm hit last week about the
new contest to come up with interesting ways around malware detection
suites, I could only laugh. Of course, Cyndi Lauper's "Girls
just want to have fun" was also thundering in my eardrums because
that's what this is about. In the immortal words of Sgt. Hulka, the AV
vendors need to "Settle down, Francis." It's like the Pwn2Own contest
at CanSec. Some folks will find some interesting holes and the vendors
will patch them. Same deal here. Maybe the AV vendors are worried that
the crazy kids at DEFCON will pierce their veil of their marketing
hype. Maybe the big world of all those stupid lemmings will finally
realize that any machine can be owned at any time by some rather
mediocre hacking talents. We wouldn't want them to learn that now would
we? And I'll also punch a hole in the idea that there are already
enough samples to keep researchers busy. Who knows, maybe with a minor
financial incentive, the DEFCONs will find something interesting.
Something (oh the horrors) that we may not already know about. I'm good
with this contest and I think these are valuable endeavors. First, you
get kind-of smart folks trying to break things in a semi-controlled
environment. Second, you are teaching these folks how to think like
hackers, which is one of the first things that security professionals
need to master.
NAC client game is over
So what? -
Tim Greene makes a decent point (even if it was spoon fed to him by
MSFT PR folks) about the imminent death of the NAC client at the
hands of the bundled NAP client. With Windows XP SP3 being
deployed over the next few months (it takes a few months for these
things to be widely deployed), the NAP client will be within most of
the Windows devices out there. That means this idea of client vs.
client-less is largely done. Of course, it's been a moot argument for
quite a while since the answer has always been both. For some managed
devices, a client makes sense. For other devices you don't control, you
need a client-less option, and pretty much all the NAC vendors can do
both. We could split hairs about dissolvable vs. Nessus-based plug-ins
vs. active-x, but it's all the same to me. If I put on my Stiennon
suit, does that mean I'll trust the endpoints any more than I did
before? Of course not. I still need to verify who they are, and more
importantly monitor what they are doing. Just in case. But having the
client out there can't really hurt NAC adoption. But I'm not sure it's
going to help either. Hold that thought for a few seconds...
NAC less interesting to users, which may be a good sign
So what? - It's
funny in that every market goes through a series of phases. Jim Rapoza gets it mostly right in this
eWeek slideshow. My classic "Farce of Market Sizing" post back
from 2006 hits the same topic, but from a different angle. And NAC as a
market has certainly gone through a bunch of phases. This latest NWC reader survey about NAC
doesn't bring good news on the surface. Fewer customers are
interested in NAC this year, than last year. Isn't that bad? Maybe not.
Given the macro-economic backdrop, I suspect most users are focusing on
those projects they absolutely need to get done, and the ones that are
a bit less critical get put on the back burner. At least it seems the
users are being honest with themselves about where NAC falls on the
priority list. But this isn't really bad, it's natural. There is no
question that the concept of LAN Security (bigger than just NAC, more
about campus network evolution) will take root. The question is when. I
think if the hype around NAC deflates a bit, then folks can think a bit
more rationally about how best to move towards a secure LAN
environment. Which is really what they should have been thinking about
all along.
Link to this
The Laundry List
- Learn about Stiennon's new gig. Ask him to bring back a koala when he goes to visit the mother ship. - NetworkWorld coverage
- NetworkWorld jumps into the time machine and goes back to when Voltage first introduced IBE. A PKI without keys? How novel! And how irrelevant to how it actually works. Slow news week, I guess. - NetworkWorld coverage
- Prevent online theft? Authentium claims their SafeCentral "prevents" malware. Big claims for sure, and seems too good to be true. - Authentium release
- Secure Computing also asks us to jump into the time machine and forget that pretty much every other security vendor runs their stuff in a VM image now as well. The good news is that I don't forget. - SCUR release
Top Blog Postings
PCI: DOA in UK?
James T. Newby gets on his Trek suit (don't know if they make 7 foot tall Captain Kirk costumes) and talks about some of the differences between how security companies are marketing in the UK vs. the US. It's nice to see I have more to like about the UK than room temperature pints of ale. I hesitate to call the Brits more enlightened (Boston Tea Party anyone?), but being a smaller market with less desperate competition (and presumably a less noisy security market) they seem to have gone through the cycle a lot faster than in the US. I don't need to rehash my recent ranting, but I've hardly talked to anyone in the space over the past two weeks that hasn't wholeheartedly agreed with my contentions that Easy PCI marketing is a sham. Yet, if everyone is agreeing with me, why do I expect to continue seeing these ridiculous positions and claims for years to come? Basically because I've seen the movie before and as long as there are customers that want to believe, the vendors will be there to feed them a plate of crap.
http://robnewby.blogspot.com/2008/04/captains-blog-supplemental-pci-is-dead.html
Endangered species - The CISO
Since I'm piling on many of my positions today, let's go over another one, which is the inevitable demise of the security "role" in an organization. Stuart King talks about his experiences in a mock trial of the CISO at Infosec that resulted in the CEO and CIO going to the big house. I guess that would be the mock big house with the mock Bubba pounding the mock CEO in places where the sun don't shine. But nasty imagery aside, the point is the point. I suspect we'll see the demise of the CISO first in the mid-sized businesses and then we'll get a very Innovator's Dilemma evolution, where the security role will generally be subsumed higher and higher up the F5000 chain. Do I think the CSO of a Fortune 50 company goes away? Nah. Those organizations are so big and so complex that there will always be a role for a new CSO every 18 months to take the fall when someone on the ops team screws something up.
http://www.computerweekly.com/blogs/stuart_king/2008/04/on-trial-role-of-the-ciso.html
Hands-off Pwnage
In yesterday's P-CSO newsletter, I did a little thinking out loud about staging a data breach and using it as a means to educate the employee base about what they can and can't do. Another key education mechanism is the idea of phishing your own folks and getting them to click on links and go to sites that they shouldn't. Of course, as long as they are sites you control, it's all cool. And as long as you use the opportunity to instruct, it's even better. Ed Dickson talks a bit in this post about some of the nastiness that's out there nowadays. So maybe after you get a set of your employee dimwits to click on a bad link, then you hammer the message home with a little video to show just how easy it is for people to be compromised. Even good people. I think this two step 2x4 educational mechanism may have a better chance than most run of the mill user awareness training. This is a topic I'll cover in a bit more depth next week.
http://fraudwar.blogspot.com/2008/04/nowadays-all-you-need-to-do-is-visit.html
Pragmatic CSO Newsletter #53
April 30, 2008 - #53
Mike's Pep Talk:
"When choosing between two evils, I always like to try the one I've never tried before." - Mae West
A lot of security folks like to think of the daily battle as a good vs. evil type of thing. You know, the bad guys are evil (and wear black hats) and we - the security professionals - are the good guys. We wear white hats and ride on a fine stallion called Silver.
Let's get one thing straight. You are not the Lone Ranger.
This is not about good and evil. This is about dealing with the lesser of two evils. The reality is that your environment will be compromised, and you have been entrusted by your organization to stop it.
In a nutshell, you are in a lose-lose situation. We all are. That is the cold harsh reality of practicing security. Whether it's physical security, cyber-security, or any other type of security - ultimately this is not a game we play to "win." It's a game we play to survive.
Why the dour tone today? Did someone piss in my Wheaties? Not exactly, since this is a concept I discuss pretty frequently in all of my publications. I read news clippings like this one in NetworkWorld about most employees intentionally skirting enterprise security controls, and part of me wants to hold my hands up and start serving Blizzards at Dairy Queen.
At least then I know I'll have a job, since DQ is owned by Berkshire Hathaway and they aren't going anywhere.
Every time I start to feel this way, I need to purge a bit. I need to rant and I need to get it out of my system. Here's the deal: Our customers don't know who is good and who is evil. They can't tell the difference. If they are intentionally going around our controls, then WE ARE SCREWING UP. We are at a fork in the proverbial road, and we need to figure out how to get more relevant and work better within the context of our business. It's as simple as that.
I understand that little things like PCI and SarBox make a certain set of controls totally necessary, but ultimately we have to start thinking a bit more like risk managers and not draconian control freaks. We have to start understanding where the breakpoints are in our organizations. How tightly can you really lock something down, before the natives start getting restless?
Do you know the answer to that question? Do your corporate policies reflect that reality? If not, then you have a lot of Pragmatic work ahead of you. If the employees can't tell whether you wear a black or a white hat, then you better start looking for a more palatable middle ground.
Photo credit: Buggs
Thinking out loud: A new type of IR practice
Sometimes I have random thoughts, and although I tend to vet many of these ideas with my trusted circle of contacts, I want to bounce some ideas around in a more public forum. Thus a new section here called "Thinking out loud." I'll just throw something out there, and it would be great to hear whether you think I'm nuts (or not).
Based on my rant above about employees not knowing who the good guys are anymore, let me suggest perhaps a different way to "educate" our trusty employees. The reality is most employees will do the right thing, if they understand what is right and what is wrong. They go around security controls and flout policies, not because they are bad people (although statistically some will be), but rather because they don't really understand what is so wrong about what they are doing.
So I suggest we show them, in a way they haven't seen before.
You should have a defined incident response plan (discussed in Step 8 of the P-CSO) and you should be practicing it frequently. Or at least practicing sometimes. Most of that practice is for you and your team, to make sure the security (and risk and ops, etc.) team will respond appropriately when the brown stuff hits the fan.
What if we brought a few more folks into the "practice?" What if you staged a "data breach" within your organization, and played it out? What if you sent out a note to all of your employees talking about how your private data was breached, where the data handling errors were, and that some employees have been terminated due to those actions. Then you take the opportunity to remind them of the policies.
Of course, the breach didn't really happen. It would be staged. But that would seem to me to be a very powerful means to get the point across to the employees about WHY they need to follow the policies.
I know, I know. Intentionally deceiving employees is kind of an April Fool's joke gone wild. I'm sure there would be a number of folks pretty steamed when the truth that the breach was staged gets disclosed. And you'd need approval at the highest levels to pull off something like this, and how many CEOs would go for this kind of plan? The odds are long that this kind of thing would work, but something tells me this idea may have some legs. Let me know in the comments section about my "thinking out loud."
The Daily Incite - April 28, 2008
April 28, 2008 - Volume 3, #41
Good Morning:
Friday night I went to go see the Boss. No, not the Boss that I live with, but THE BOSS. That's right, Bruce Springsteen and the E Street Band. I do have to admit that I'm not the biggest Bruce fan. I do love his classic stuff. But he jumped the shark with Born in the U.S.A. and was in a slump for a couple of decades. A few years ago, things started moving in the right direction (IMO anyway). The Rising was OK and showed some life and the new album (Magic) is fantastic.
But that's the recorded music. If Springsteen comes to your town, you go. Those folks put on a great show. They played for about 2:45 and took like no breaks. The band was tight, really tight. You can check out the set list, but what was most impressive was the number of audibles they called during the show. Bruce would pull a poster naming a song out of the crowd, motion to the band, and they'd launch into it.
You can tell, even after doing this for 35+ years, they all still love it. It's their passion. There isn't anything they'd rather be doing. It was inspiring and got me to thinking about how many of us can say the same thing. Is there anything else you'd rather be doing right now? Do you feel that way more often than not?
That's a pretty instructive question. Be honest with yourself. If the answer isn't what you think it should be, then start thinking about what changes you can make. Life is too short to be doing stuff you hate. It's not always possible, but you can strive for it, no?
Which brings me to my next topic, of a guy that has maybe too much passion. The NFL draft was this weekend, which means that loudmouth Mel Kiper, Jr. was everywhere at all times. What a gig that guy has. I'm not sure what he does for the other 11 months of the year, but starting at the NFL combine, all you hear is Kiper. He's less grating than he used to be, but still. Thankfully we won't have to hear from him again until next March.
The G-men had a pretty good draft and being a Falcons season ticket holder, I'm hoping Matt Ryan lives up to the hype. The few days after the draft are always about what could be. Living in the future is OK, but sooner or later you need to get on the field and play. When does training camp start again?
It doesn't feel like Monday, does it? I think the weeks just keep running and running and running. I'm taking some time off towards the end of the week. So I'll be doing a P-CSO newsletter tomorrow and then the final TDI for the week on Wednesday. Many miles to traverse between now and then.
Have a great day.
Photo: "Bruce Springsteen & The E-Street Band en Madrid" originally uploaded by Bisharron
The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com |
Get Your Special Report: 6 Easy Steps to Protect Your Identity and get access to Security Mike's Portal today www.securitymike.com |
Top Security News
Great, 2.7 million people that have no idea what's going on
So what? - It must be good to be the ISC2 nowadays. If you believe the survey they commissioned Frost and Sullivan to do, there will be 2.7 million security professionals by 2012. The survey also goes into a bunch of skills these security professionals need. Amazingly enough, getting a CISSP is top of the list. I'm kidding. The survey is interesting, but (and I know you are shocked) I have a different opinion. I think there will be 0 security professionals in 2012. That's right, ZERO. I think there will be network folks that specialize in security, and also some data center folks and even more application folks that are security specialists. OK, these are word games and a bit of semantics, but I think it's an important point. If anyone thinks their only job is going to be security in 4 years, I suspect they'll end up as a petroleum product sooner rather than later. OK, maybe not 2012, but I'm with most of the big mouth security pundits in saying security as a business will be going away within a reasonable long term planning horizon (7-10 years). So start practicing, "I do secure networks." Not "I do network security." There is a big difference.
Will the ASA be pretty too?
So what? - You have to hand it to Scott Weiss. After he made mincemeat of all the anti-spam players (his IronPort does more in a quarter than the other anti-spam appliance vendors combined, or pretty close to it), now Chambers has given him the keys to the entire security car. I suspect he has his branding folks working on new bezels for all of the security appliances. A pretty box is a box that sells, don't you know. OK, sour grapes and kidding aside, Weiss is out flogging the idea of reputation on all of the security devices. This isn't a unique story (Secure and BorderWare have also been espousing reputation everywhere), but there is something there. If I can get a clue about the intent of someone trying to connect to my networks, then I have a better chance of reacting a bit faster to what they are doing, as opposed to waiting for my IPS to figure out it's really an attack. Reputation has worked very well in the anti-spam business. Its utility isn't as clear in the web filtering space and even less on the firewalls, but the concept makes sense.
NAC differentiation is hard to come by
So what? - Sometimes I just have to laugh. Or I'd probably string myself up from a tall tree in the neighborhood. Dana Hendrickson lampoons a recent Impulse Point release talking about "Green NAC." No, that's not a NAC appliance you leave outside too long and it gets all mossy. These folks figure they can save you 92% in energy costs. Is that a key NAC differentiator? That would be the first I've heard of that. And the basis of the argument isn't that their industry standard appliance is any more power efficient than the other guys. It's that they require fewer appliances. Boy, that's a stretch. Let's suspend disbelief and think for a minute: if this was true, why not just get one of the UTM devices that claims to do NAC as well? Wouldn't that save even more power because everything is on one box? While we are at it, why don't we just run VMware on the mainframe and have everything virtualized on the Big Iron. Power to the People. Bring back the mainframe. Bring it back right now! Who knows how to tie a noose?
The Laundry List
- The answer to PCI is SSO? According to an SSO vendor it is. But the byline reads like news and some unsuspecting sap is going to actually believe it. - TechNewsWorld coverage
- Virtual UTM is coming. You heard it here first. Blue Lane adds a firewall to their VirtualShield. Soon it'll have VPN and anti-spam. We don't need no stinkin' 1Us. - Blue Lane release
- Outsource incident response? Why not, if you can't do it internally? SecureWorks announces a set of services around planning incident response and then doing forensics. - SecureWorks release
- IBM ISS targets the mid-market with security "as a service." I guess if you can't sell them products anymore, you may as well try to sell a service or 10. - IBM release
Top Blog Postings
Maybe a grapefruit will work better?
Chandler rues a bit on the challenges of building a set of security and/or risk metrics that are relevant to mahogany row. It's hard and it usually means that we security folks have to keep a few different "sets" of books. The reports that are focused on business relevance and the reports that are operationally centric and help to figure out what is going on. There are probably more. Chandler's main point is that the risk folks and the security folks (in financials you usually get a lot of organizational separation and disparity) aren't on the same page relative to accepting risk by enforcing policy compliance. Yeah, that's a mouthful, but the reality is that the risk folks don't want to accept anything besides everyone else working to eliminate all risks. Then they can point the finger when something goes down. Not that I'm pointing fingers because it's a natural reaction. But the reality is many of these metrics are actually apples and oranges and Chandler's first (and most important) point is that many of the metrics we track do not compare well "across industries or even within industries." That's a big problem because without a relative point of comparison, you have no idea how you are performing.
http://thurston.halfcat.org/blog/2008/04/14/metrics-and-oranges/
Another 5 from Amrit
This time the BigFixer is focused on 5 security metrics that matter. Amazingly enough, they all can be pumped out of his configuration management system. OK, low blow, but I know AW can take it. The reality is that we've already proven that having managed devices that adhere to a strong security configuration can help eliminate issues. But how many of us keep metrics along those lines? Do you just assume that all of the devices use these standard configurations? Amrit's 5 metrics aren't brain surgery, but I tend to think most practitioners can't answer these questions with data. Which is, of course, a huge problem. But as Chandler's post also intimates, we've made very little progress relative to security metrics and that's because it's hard. I'm talking to a lot of the smartest folks out there on this topic and there are still a lot of disagreements about what should be counted, why and how. Until we get on our own page, how can we expect the rest of the organization(s) to get on board as well?
http://techbuddha.wordpress.com/2008/04/24/5-security-metrics-that-matter/
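To put a number behind the "do you just assume all the devices use the standard configuration?" question, here is an added example of the kind of configuration-adherence metric the post is asking for. This is my illustration, not Amrit's code or any configuration management product's output; the baseline controls, the numeric patch-level scale and the device inventory are all constructed assumptions. It computes the share of devices that fully match the baseline, which controls fail most often, and which devices drift, treating a setting that was never reported as a failure rather than a pass.

```python
"""Configuration-adherence metrics over a device inventory.

Added example: how many managed devices actually match a security
baseline, which devices drift and on which controls. The baseline keys,
the device records and the patch-level scale are constructed assumptions
for illustration, not any product's schema.
"""
from dataclasses import dataclass

# Assumed baseline: every managed device is expected to carry these settings.
# "min_patch_level" is a constructed numeric scale; the rest are booleans.
BASELINE = {
    "firewall_enabled": True,
    "disk_encryption": True,
    "auto_update": True,
    "min_patch_level": 12,
}


@dataclass
class Device:
    name: str
    settings: dict  # what the (assumed) configuration management system reported


def drift(device, baseline=BASELINE):
    """Return the baseline controls this device violates, in baseline order.

    A setting that was never reported counts as a violation: a control you
    cannot measure is not one you can claim compliance with.
    """
    violations = []
    for control, expected in baseline.items():
        actual = device.settings.get(control)
        if control == "min_patch_level":
            if actual is None or actual < expected:
                violations.append(control)
        elif actual != expected:
            violations.append(control)
    return violations


def compliance_metrics(devices, baseline=BASELINE):
    """Roll per-device drift up into the numbers a status report needs."""
    per_device = {d.name: drift(d, baseline) for d in devices}
    compliant = [name for name, v in per_device.items() if not v]
    per_control = {control: 0 for control in baseline}
    for violations in per_device.values():
        for control in violations:
            per_control[control] += 1
    return {
        "total": len(devices),
        "compliant": len(compliant),
        "rate": len(compliant) / len(devices) if devices else 0.0,
        "noncompliant": {n: v for n, v in per_device.items() if v},
        "per_control_failures": per_control,
    }


def report_lines(metrics):
    """Render the metrics as plain text lines: headline rate, then detail."""
    lines = [
        "baseline compliance: %d/%d devices (%.0f%%)"
        % (metrics["compliant"], metrics["total"], 100 * metrics["rate"])
    ]
    # Controls with the most failures first; ties keep baseline order.
    for control, count in sorted(
        metrics["per_control_failures"].items(), key=lambda kv: -kv[1]
    ):
        lines.append("  %-18s %d failing" % (control, count))
    for name, violations in metrics["noncompliant"].items():
        lines.append("  drift: %s -> %s" % (name, ", ".join(violations)))
    return lines


# Constructed inventory, shaped like a configuration management export.
INVENTORY = [
    Device("ws-01", {"firewall_enabled": True, "disk_encryption": True,
                     "auto_update": True, "min_patch_level": 12}),
    Device("ws-02", {"firewall_enabled": False, "disk_encryption": True,
                     "auto_update": True, "min_patch_level": 13}),
    # ws-03 never reported disk_encryption at all, and is behind on patches.
    Device("ws-03", {"firewall_enabled": True, "auto_update": True,
                     "min_patch_level": 9}),
    Device("srv-01", {"firewall_enabled": True, "disk_encryption": True,
                      "auto_update": True, "min_patch_level": 15}),
    Device("lap-07", {"firewall_enabled": True, "disk_encryption": True,
                      "auto_update": False, "min_patch_level": 12}),
]

if __name__ == "__main__":
    print("\n".join(report_lines(compliance_metrics(INVENTORY))))
```

The per-control failure counts are the part worth watching over time: a headline rate of 40% says you have a problem, but the breakdown says which control to chase first, and a device with a missing setting shows up as drift instead of silently inflating the rate.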
Has marketing figured out metrics any better?
Since I'm not that smart, I try to find other analogies or comparisons that can serve to show how a security problem can be solved by what someone else has done in some other business. Being somewhat of a marketing hack (or former marketing hack anyway) myself, I thought I'd see if the marketing folks have figured out a way to hold themselves accountable and prove value, because marketing is an "overhead" function as well. At least if you ask most CEOs and sales folks. Sports fans, the news is not good. According to Francois, "Not only are some companies measuring the wrong things, a majority of them have no ability to measure anything at this stage." Sound familiar? It gets better. Most marketing organizations that can't prove marketing ROI have no one assigned to drive a metrics process. And a lot of marketing ROI is negative, so there is an inherent disincentive to really count and become accountable. The similarities are frankly a bit unsettling. Marketing has been around a lot longer than security as a discipline, and they've made very little progress. Are we wasting our breath even talking about this metrics stuff? Should we just stick our head in the sand and hope we can still get our projects funded from the grace of a higher being? Or maybe we just learn how to tie that noose.
http://www.emergencemarketing.com/2008/04/16/measuring-marketing-effectiveness-is-hard…/
The Daily Incite - April 24, 2008
April 24, 2008 - Volume 3, #40
Good Morning:
If I had a couple of bucks for every CTO that has tried to school me in marketing, I wouldn't have to be peddling Pragmatic CSO books at every opportunity. If I had one for every CEO who thought they could do the job better than me, I'd be spending a lot more time at the beach. But such is the frustration of marketing. Everyone thinks they can do it, until they have to, and then they realize stress testing athletic cups is a more rewarding position.
At least Misha of AlertLogic was funny in his attempt to tell me why I was wrong to call out his company for their blatantly misleading "PCI is easy" marketing campaign. He figures there are some days I fill your inbox with baloney. I love baloney. Actually I like salami better, but I don't eat meat much anymore - so maybe sending around some baloney is my way of making peace with the meat gods - who I now shun.
His tactics are pretty predictable. Make light of your critic and try to undermine their credibility. Compare the work to some well known gossip rags. Right out of the Campaign '08 play book. Maybe Misha fancies himself a role in the political arena after he's done with this nasty security work.
If you read the comments on Misha's post, he's got it right about me and my ability to take a counter-punch. I'm a big boy and I don't share a controversial opinion without expecting some return fire back. That's all good. In fact, I know quite a bit about their offering, and exactly how it can help with compliance and how it can't. This isn't about their service. It's about their marketing. It's when you read the other comments (especially from my friend Farnum) that you see that Misha has missed the point entirely.
It's not just a webcast title. Or an email marketing subject line. It's a philosophy.
Most folks think that if no one outright complains about something that it's OK. They seem to forget that most folks vote with the delete button. The vendor just loses attention and awareness and ultimately that impacts a company's credibility. Farnum is exactly right, that kind of sensationalist marketing is abrasive and annoying to folks that are in the trenches trying to do the right thing every day. Most technical folks don't understand how marketing impacts the perception of their organization. They think it's about the product (or service). They don't get that until you do marketing right, you don't get a chance to even show your product.
No CSO is going to take the time to send any offender (and of course, there are more folks guilty of "easy compliance" than AL) a note telling them they have stepped over the line. They just shop somewhere else. I guarantee AlertLogic loses every deal they don't see.
And that's the point. A long-term sustainable business is based on building credibility with buyers and then meeting their expectations every day. You can target the mid-market with National Enquirer-esque headlines and that will work for a while. But if you can't deliver, then Mr. Market will catch on. He always does. You can run, but you can't hide. Unless they figure out a way to sell out to some big dumb security company and get out of Dodge before Mr. Market figures it out.
To be clear, I'm saying that AlertLogic cannot make PCI compliance easy, simple or affordable. No vendor can because security is neither easy, simple or affordable. It has nothing to do with their service. It has to do with how hard it is to protect information. If Misha had a way to make security easy, I guarantee his company would own the security business - and unfortunately (at this point in time anyway) they don't.
Security marketers have a choice. They can try to focus on customer problems or they can go with sensationalist headlines. I've done both through my career. I've found that taking the "easy" route is always harder. Always.
Have a great weekend. And buy my book (I thought I'd just throw some more baloney in there for good measure).
Photo: "Spotted at Berkeley Bowl: I didn't know that you can buy sour grapes" originally uploaded by Raymond Yee
Top Security News
ITIL ya to pay attention
So what? - Don't we have to get somewhere before we start worrying about process improvement? I'm fascinated by the worldwide infatuation with ITIL. I know a lot of big companies basically print out the frameworks and figure they've been entrusted with the holy tablets from Mt. Sinai. They haven't. I understand it's convenient to have someone else do the thinking about a big "framework" that tells you all about all the things you need to do. And for mature operational functions (think network and mainframe), I think the idea of a nicely cogent framework makes a lot of sense. This NetworkWorld newsletter on networking stuff has some stats to back up the adoption rate of these frameworks. But for security? I guess it's the same issue I have with 27001/2 and COBIT. If folks think this is a silver bullet and it's going to give them a cookbook on how to do their job, then they are on some kind of funky peyote. But if they understand the framework is a starting point to figure out where they need to focus and to break the project up into digestible chunks, then I'm OK with it. I just fear we have a lot more of the former than the latter.
Digging deeper into Hannaford
So what? - Never one to let the lying dogs lie, Brian Krebs digs a bit deeper into the Hannaford Bros. breach. Evidently they were PCI compliant and had some sophisticated defenses in place. Unfortunately they weren't the right ones. So now these folks will spend millions more to close probably every possible hole. Oh yeah, that's not possible. So they'll close a lot of holes, they'll spend a lot of money and they'll probably be OK. Note I said probably because they can't get to everything. Krebs focuses a lot on how to attack data in transit and that is clearly a new and clearly exploitable attack vector. So the arms race goes on. The early adopters will start making some investments to more effectively segment networks where payment data resides (to protect it from insiders or compromised inside devices). The standards folks will work that into PCI 3.0, and most of the world will get there in 5-7 years - maybe. And between now and then there will be a lot more Hannafords.
My network security box is killer
So what? - I think McAfee's new branding (along the lines of "killer security" and "McAfee hacks hackers") doesn't really get the message across about what they do, but I don't really understand the whole describe-your-business-in-a-sentence type of approach. Anyhoo, the Little Red is getting back into the network security business with a new blade server platform. They say it's the fastest thing since sliced bread. Whatever. It'll run their IPS (now called just the Network Security Platform, since IPS is all you need - don't you know?) and their content security blades. Both as separate boxes and it seems as a suite. Yes sports fans, it's 75% of a UTM solution, running on a blade server. Maybe those Crossbeam folks were on to something. But MFE doesn't have a firewall or a VPN or authentication to put on the blades. But they do have a checkbook, so this is a problem that can be solved with money.
The Laundry List
- Hershey + Rack = Passwords. Like you are surprised? Yes, we still have a lot of security awareness training to do. - WSJ coverage
- News Flash: We have an email security problem. Yes, it's April 2008, not 2005. Someone should tell the author of this piece he's about 3 years late. - eWeek article
- Laptop theft preventable? Sure, just weld the device to your CEO's hands. - SearchCIO-midmarket tip
- McNulty out at Secure Computing without a reason, besides maybe the blown Q1. Ryan is interim, and a CEO search is beginning. - Secure Computing release
Top Blog Postings
CISO's aspire to be CIO? Really?
This post over on bloginfosec.com by Frank Cassano is pretty interesting. He wonders whether security officers should be in line to ascend to the CIO position at some point. Clearly (as Frank contends) many are overlooked, but are they qualified? A small percentage (dare I say the Pragmatic ones) probably would make good CIOs. They understand the business, have good relationships with the business leaders, and are skilled in persuasion amongst their peers. All good qualities for the CIO. But are they the political animals that many CIOs have to become? I'm not so sure. Frank believes a key skill for the new CIO is to be able to manage risk. Isn't that everyone's job? I guess it's how you define risk. Personally, I think the CIO should come from the business most of the time. The CIO job is also focused not just on the systems that run the business, but also how to get things done in an organization. Getting someone from the outside can be dangerous, unless they are a superstar and come with so much credibility that no one gets in their way.
http://www.bloginfosec.com/2008/04/11/cio-the-next-career-step-after-being-the-ciso-why-not/
Bejtlich's Ten
The Zen master has been hitting the road, doing the conference circuit a bit and has drawn some conclusions about the themes of these shows. A few are about grokking the reality that we are hosed. That's right, compromises happen and almost everyone is being targeted, especially the low hanging fruit. I know it's hard to believe, but most of these themes fit very nicely into the network security monitoring religion Richard has been preaching for years. The awful truth is that we are hosed, and as theme #2 states: "We can not stop intruders, only raise their costs." I know that's an uplifting message for today, but it's the cold hard truth. So why bother? Because raising their costs is one of the best defenses. Many of these folks go after the easy targets. If you aren't easy, then you probably aren't worth the effort.
http://taosecurity.blogspot.com/2008/03/ten-themes-from-recent-conferences.html
Pragmatic CSO Podcast #11 - The Fixer
This week I take another tangential journey to discuss a concept I call "The Fixer." You know, when a senior staffer is airlifted in to "fix" security. The Fixer knows how to get things done in your organization, and can certainly be viewed as a threat and as indicative of the fact that security is broken.
How should you deal with the Fixer? Why is he (or she) there? Can you turn this into an advantage?
Check out podcast #11 and find out...
Running time: 6:40
Intro music is Jungle and I sign off with the classic Kool and the Gang anthem "Jungle Boogie," which is the song I associate most with Pulp Fiction. Yes, that's where I stole the term "The Fixer."
Direct Download: 11_Pragmatic_CSO_Podcast_11.mp3
The Daily Incite - April 22, 2008
April 22, 2008 - Volume 3, #39
Good Morning:
After my little heretical rant yesterday, I decided to take a step back and wonder why I'm so skeptical and cynical. It makes the Boss crazy. I question everything. If I ask "why?" or "help me understand" one more time, I may get a 12" saute pan in the cranium.
It's not that I am trying to be difficult. For me, it's all about PROVE IT. I've been known to just blurt out "Name that Tune" in meetings and people look at me like I'm nuts. This happens when I just don't believe what I'm hearing. So I challenge the folks around the table to do it, prove me wrong. Or to use a bad 70's game show analogy - name that tune in 3 notes.
We are security folks, and I don't think security folks ask nearly
enough questions. I guess some of us are scared of how we'll be
perceived. Or that we'll lose credibility because we don't know all the
answers. That's why many of us need to keep looking for new jobs every
18 months or so.
We should be questioning the senior team about strategy, especially as
it relates to letting "outsiders" and customers into our systems. We
should be questioning whether that remote sales person really needs a
database of every friggin' customer on their laptop. We should also ask
about the web application architecture before it goes live. Just so we
understand the threat vectors. Yes, this can be annoying, so you have
to learn to be a good, not annoying, interrogator.
I start almost every strategy meeting with a standard disclaimer. It's
along the lines that I don't have any answers, but I have some ideas
and I have a lot of questions. And I proceed to pepper the subjects
with question after question after question. These folks probably feel
subjected to a KGB interrogation. I ask all of these questions for a
couple of reasons. First is so that I can understand the client's
perception of the situation and then gauge how realistic their views
are. If they are living in fantasy-land, I need to shake them out of
that pretty quickly.
Another reason I ask questions is that I'm looking for the patterns.
You know, something I can grab on to and draw either a comparison or a
contrast. It's usually very helpful for most folks to understand that
they aren't alone, that other folks have been where they've been and
probably screwed up what they are trying to do. I truly live by the old
adage that if you fail to remember history, you are doomed to repeat
it.
So make a little mid-year resolution. Ask a lot more questions. Don't
accept what people tell you as the rule of law or as the truth. Make
them defend their positions and justify why they are doing something.
At the end of the day, we as security folks can't stop them (for the
most part), but we can make sure they understand the risks and
ramifications of what they are doing.
And the only way I know to do that is to ask questions. Are
you having a great day? See, asking questions isn't so hard.
Photo: "Question Everything" originally uploaded by dullhunk
The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" www.pragmaticcso.com |
Get Your Special Report: 6 Easy Steps to Protect Your Identity and get access to Security Mike's Portal today www.securitymike.com |
Top Security News
"A nice little company"
So what? -
I love positioning and the little barbs rival CEOs leave for each
other. Looking at this NetworkWorld interview of Symantec's John
Thompson makes me laugh. Thankfully he's owning up to having
some issue with the Veritas deal, but that's water under the bridge.
The reality is it's still not clear how the go to market model needs to
work between security and storage. Despite JT's protestations, the jury
is still out on that. But what makes me hysterical is when he's asked
about McAfee and calls them "a nice little company and they do a nice job." Ouch.
Personally, I think this is a pretty ridiculous way to look at the
competition. One of the problems with big security is that they are
fat, dumb and happy. They are pleased to milk their cash cow a bit and
haven't done much to really change the way things are done. If there is
one thing you can say about McAfee right now, it's that they are not
comfortable. The new regime is questioning everything (see above),
challenging the way things are done, and basically executing much
better. He similarly dismisses Microsoft's efforts in security. I'm
pretty sure that one of the seven deadly sins is arrogance. Of course,
I have no interest (nor am I even remotely capable) in running a
multi-billion dollar behemoth (I can barely run a one person shop),
but I would use McAfee as a rallying cry to get my troops focused on
the threats and basically uncomfortable about market position and light
a fire under their backsides. But that's just me.
Manage up or manage down? That's a challenge for every CSO
So what? -
Yes, I'm still working my way through the "big thoughts" put forth at
RSA. This will be the last week I still refer back to the Big Show. But
when I was looking through my bookmarks, I just couldn't resist Dark
Reading's coverage of CA's Dave Hansen's
pitch at RSA. He made the point that CSOs need to become more
relevant to the business. He even spurts an interesting statistic,
which is that 46% of CSOs spend up to a third of their day just
analyzing security event reports. Maybe that number is true or maybe
it's not. The reality is I don't have an issue with a CSO analyzing
reports for a portion of their day because they need to know what is
going on in their environment. They need to see when something is
misbehaving and dispatch an expert to figure out if it's really an
issue. Hopefully before it becomes a real issue. Though I'm not going
to minimize the need to become relevant in the boardroom. That's
crucial to being considered a player. And it doesn't happen overnight.
The CSO's job is clearly becoming one of persuasion, and that takes time
playing the game. Maybe even 2/3 of your time. But with the other
1/3, I don't have an issue with checking out dashboards and trying to
REACT FASTER to what is going on out there. You are definitely not
relevant if an attacker is in your grill for years, while you are
hobnobbing down mahogany row.
Next up for the Bay City Rollers: NBA
So what? - So
I may have some fundamental issues with Network Computing's Rolling
Review process, but they are certainly looking at some interesting
technologies. They've done web app scanners and both inline and
out-of-band NAC boxes. Next up is network behavior analysis products. I'm
glad to hear that because hopefully it will become clearer how important
the idea of baselining your networks and systems and monitoring that
baseline is. Now I'm not saying NBA as a stand-alone product category
is meeting that need. For those very large enterprises and carriers, it
probably does. But over time, this is functionality that must be
embedded in either an integrated security management platform or
directly within the element management systems of the network and/or
the systems. The NBA review kick-off gives a good
overview of the technology and what it purports to do. I'm looking
forward to seeing if the NWC folks think it actually helps them run and
secure their networks. I'm also looking forward to seeing who actually
shows up.
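To make the "baseline it, then watch for deviation" idea concrete, here is a small added example (mine, not code from the Network Computing review or from any NBA vendor). It learns a per-host, per-destination-port profile of outbound bytes from a learning window of flow records, then scores a monitoring window against that profile. The flow tuples are constructed for the example and only carry the fields any flow export gives you (source host, destination port, bytes out); the thresholds, the `min_stdev` floor and the reason labels are my own choices, not anything standardized.

```python
"""Toy network behavior analysis: learn a per-host baseline from flow records,
then flag flows that deviate from it. Added example with constructed data."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed learning-window flows: (src_host, dst_port, bytes_out). Not real traffic.
LEARNING_FLOWS = [
    ("10.0.0.5", 443, 1200), ("10.0.0.5", 443, 1500),
    ("10.0.0.5", 443, 900),  ("10.0.0.5", 443, 1300),
    ("10.0.0.5", 53, 80),    ("10.0.0.5", 53, 95),
    ("10.0.0.7", 445, 4000), ("10.0.0.7", 445, 4200),
    ("10.0.0.7", 445, 3900), ("10.0.0.7", 445, 4100),
]

# Constructed monitoring-window flows: one normal, then three kinds of deviation.
MONITORED_FLOWS = [
    ("10.0.0.5", 443, 1400),     # within the learned range
    ("10.0.0.5", 443, 250000),   # sudden large outbound transfer on a known port
    ("10.0.0.7", 22, 300),       # host that only ever spoke SMB now talks SSH
    ("10.0.0.9", 80, 500),       # host never seen during the learning window
]


def build_baseline(flows):
    """Return {host: {dst_port: (mean_bytes, stdev_bytes)}} from learning flows."""
    per_host = defaultdict(lambda: defaultdict(list))
    for host, port, nbytes in flows:
        per_host[host][port].append(nbytes)
    return {
        host: {port: (mean(sizes), pstdev(sizes)) for port, sizes in by_port.items()}
        for host, by_port in per_host.items()
    }


def score_flow(baseline, flow, z_threshold=3.0, min_stdev=1.0):
    """Return a reason string if the flow deviates from the baseline, else None.

    Hypothetical reason labels: "unknown-host", "new-port", "volume-anomaly".
    """
    host, port, nbytes = flow
    profile = baseline.get(host)
    if profile is None:
        return "unknown-host"
    if port not in profile:
        return "new-port"
    avg, sd = profile[port]
    # A host with perfectly constant traffic has stdev 0; floor it so a tiny
    # change is not reported as an infinite z-score (and we never divide by zero).
    z = (nbytes - avg) / max(sd, min_stdev)
    if z > z_threshold:
        return "volume-anomaly"
    return None


def detect(baseline, flows, **kwargs):
    """Return [(flow, reason)] for every flow the baseline considers anomalous."""
    hits = []
    for flow in flows:
        reason = score_flow(baseline, flow, **kwargs)
        if reason is not None:
            hits.append((flow, reason))
    return hits


if __name__ == "__main__":
    baseline = build_baseline(LEARNING_FLOWS)
    for flow, reason in detect(baseline, MONITORED_FLOWS):
        print(f"{reason:16s} {flow}")
```

The point the example makes is the one the review should test: volume deviation alone misses the two interesting cases (a known host on a never-seen port, and a host that was never profiled), so the baseline has to cover which hosts talk to which ports, not just how much. In a real deployment the learning window is re-learned on a schedule and the z-threshold is tuned per segment, which is exactly the operational burden the post argues belongs in the management platform rather than in a stand-alone box.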
The Laundry List
- PayPal says "No Safari for you." What do they have against tigers and leopards? - ebizQ coverage
- Make sure to send SearchSecurityChannel a holiday card this year. They give you lessons and tips from Bejtlich for free. This one is how to use Snort and Argus together to analyze the network. - SearchSecurityChannel tip
- DBAs start your patch engines. Oracle fixes 41 problems in this quarter's update. - SearchSecurity coverage
- Aladdin misses Q1 and cuts the 2008 outlook. Is this the shape of things to come, or are Check Point's pretty good results? We'll know more over the next few weeks as other security companies announce. - Aladdin earnings release
Top Blog Postings
Less invasive than a proctologist exam
I read Dennis Fisher's coverage of one of Microsoft's RSA sessions and
I wonder if they are occupying the same world that the rest of us are.
They are trying to make security "less annoying." Hmmm. I guess that's
good news. Clearly Vista's security architecture is head and shoulders
above XP, and that's a good thing. But at the end of the day, users
don't want to know that security is even there. They don't want prompts
(I mean the UAC nightmare), they don't want to be constantly challenged
for authentication credentials, and they don't want to make a decision
about a piece of code that hasn't been signed by an approved authority.
Focusing on things like application whitelisting is a good thing. I'm
not sure why they didn't just buy Securewave when they were shopping
themselves a few years back. Regardless of anything else, you do have
to give Microsoft props, they are going to spend a lot of money to
solve a problem. I'm just not sure what problem they are
trying to solve.
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1309350,00.html
Be Secure, and You'll be Compliant
Most people think I just talk to hear myself speak. Or just to sell a
few books. But I actually think sometimes the things I say may sort of
have some merit. Like this idea of Security FIRST. My pal Nitesh
Dhanjani believes in this approach as well and he refers to Equifax's
Tony Spinelli's ideas around letting compliance drive security. I like
it. But let's hit a fairly important nuance here. The CSO (or security
professional) needs to be a bit schizo. On one hand, operationally,
it's all about security. But from a funding standpoint, sometimes it's
easier to justify an expenditure based on an audit finding or a new
regulation or something else that will receive less scrutiny than most
of the stuff we security people want to do. No use in beating this
horse anymore, I just wanted to point out another like minded
individual (who I think is pretty smart).
http://www.oreillynet.com/onlamp/blog/2008/04/be_secure_and_youll_be_complia.html
Next in the Octagon: Belva and Shrdlu
After hearing of Hoff and Jeremiah facing off in some martial arts
hijinks, I figured it would be fun to think about how Ken Belva would
love to face off against Layer 8's Shrdlu after she hammered him with
some naivety comments on a recent post of Ken's. My opinion is that Ken
is off the reservation a bit with this one. So I'm going to act as Big
John McCarthy and call the fight with a 1st round tap out. I wonder where
Shrdlu learned to apply that arm bar. Basically, the original post (on
Slashdot) was more whining about the fact that most executives will
choose to line their pockets rather than address a security issue. I
think that's a fair assessment. The point is risk is totally
SUBJECTIVE. Ultimately the point of what we do is to provide enough
information to the senior folks so they can make a relevant and
data-based decision about how much risk to take on. Shrdlu's point is
that without some objective set of risk measurements (perhaps like Jack's FAIR process) the
executives can (and will) continue to do whatever they want. If
anything the Slashdot guy is not naive, he's just frustrated because of
the way the world works. Based on Ken's vitriolic response, I guess he
doesn't take too kindly to being put in an arm bar.
http://www.bloginfosec.com/2008/04/18/slashdot-post-on-security-ethics-demonstrates-professional-naiveness/