Mike Rothman's blog

Pragmatic CSO Podcast #12 - The Business Plan

Submitted by Mike Rothman on Wed, 2008-05-07 10:24.

This shouldn't be your business plan

This week we get back into the Pragmatic CSO methodology, and jump into Section 2: Building Your Pragmatic Security Environment. The first step in S2 is Step 4, Building Your Security Business Plan. Why do we need a business plan anyway? What's the point?

All is revealed in podcast #12. Well OK, not all - but I lay the groundwork on why the business plan is probably the most important of the 12 steps and what goes into building it. Over the next 2 months or so, we'll be delving deeply into the business plan and the associated efforts to "sell" the strategy to the senior team.

So, buckle up as we take off for the next leg of the P-CSO journey.

Running time: 5:52

Intro music is Jungle and I sign off with Acquiesce from Oasis' Masterplan album. Since the security business plan is YOUR Masterplan, I thought that was appropriate.

Direct Download: 12_Pragmatic_CSO_Podcast_12.mp3


Photo Credit: Peter J. Bury - IRC

 

Pragmatic CSO Podcast now on iTunes

Submitted by Mike Rothman on Tue, 2008-01-29 07:21.

Now you can take the P-CSO on your iPod with you. This is great news, so now I can haunt you in your car, on an airplane, or even when you are running. Although since all of the podcasts are 6-7 minutes, it wouldn't be much of a run I guess.

To get the podcast, click this link and then it should direct you to iTunes to subscribe to the podcast. Screenshot of what you should see is below.

 

P-CSO Podcast on iTunes

 

The Daily Incite - May 8, 2008

Submitted by Mike Rothman on Thu, 2008-05-08 10:13.
Today's Daily Incite

May 8, 2008 - Volume 3, #44

Good Morning:
If I've said it once, I've said it a thousand times, success in anything that you do is based on how well you manage expectations. When you expect little, you tend to be surprised on the upside. When you expect a lot, well... you know. Reading Shimmy's post on the Iron Man movie made me think about why I go to movies and what I expect to get from the time and money I spend.

Basically for me, movies are about escaping. Not that my life is bad, quite the contrary, but every so often taking a few hours to go into the land of someone else's imagination is very useful for me. I do my best not to get into the dogma of reality vs. unreality. Plot lines that don't make sense just roll off my psyche, and I spend very little time trying to understand the "true" meaning of any of these movies.

Why? Because they are movies. If I want reality, I'll go over to CNN and remind myself how screwed up things are. If I want to be overwhelmed, I'll just spend a few hours trying to keep up with my kids. When I want to escape, I take in a movie or curl up with a suspense, mystery or science fiction novel. Then I can shut off the world, if only for a little while.

Personally, I thought Iron Man was a great movie. So I guess I'm with Farnum on that. I don't know a lot about the comic book lineage, so I wasn't worried about how true they were to the Iron Man history. Robert Downey Jr. was very believable as the main character. And the idea of a supersonic flight suit? Why not? Again, if I want reality - I'll watch Survivor - since that's very real. 

I guess it's about mental health. All work and no play makes Mikey a dull boy. And given the schedule I keep and the crap I consistently add to my overflowing list of things to do, sometimes I just need to shut down for a few hours and go into someone else's world. The Boss has mandated that Friday nights are now movie night. No more catching up on the crap that didn't get done during the week. No more watching some crappy TV. Now it's about escaping from the week that was and setting the stage for the weekend to come. I think it's a great idea.

That's my story and I'm sticking to it. Have a great weekend.

Photo: "Iron Man Suit" originally uploaded by kevitivity


The Pragmatic CSO
The Pragmatic CSO:
Available Now!

Read the Intro and Get
"5 Tips to be a Better CSO"

www.pragmaticcso.com
Get Your Special Report:
6 Easy Steps to Protect Your Identity
and
get access to Security Mike's Portal today

www.securitymike.com

Security Mike's Guide to Internet Security

Top Security News

NAC is dead! Long live NAC!
So what? - It was only a matter of time before the esteemed Stiennon tried to relive his glory days and proclaim some other security technology as "dead" and try to ride that to additional worldwide infamy, I mean notoriety. Not surprisingly, he's decided that NAC is on death row and is awaiting its three-drug cocktail into an eternity of hell fire and disappointed VCs. Of course, Shimel takes this as validation that NAC is for real, and it's not like he needs an excuse to jump on the bully pulpit and wax poetic about all things NAC-virtuous. The truth is somewhere in the middle. NAC clearly has its challenges; I was one of the (only) voices driving that point home back in 2006, before it became popular to beat down NAC. But there are still legitimate use cases for all three aspects of NAC (admission control, access control and containment). It seems Richard forgets about the first law of security (or he's gotten the mind-meld from Matasano), which is to layer your defenses. Of course, NAC isn't going to stop a machine that passes its posture check from entering your network, but who says NAC is the answer to every problem? Maybe that's where everyone is getting hung up. Let's try this again. Repeat after me, there is no silver bullet. There is no silver bullet. There is no silver bullet. There is no silver bullet.

Are drive-bys an endangered species?
So what? - Wouldn't it be nice to live in Larry Seltzer's skewed view of reality? Sometimes the stuff he writes is pretty good. Other times, he's taken a wrong turn and fallen off the end of the world. The world is flat, don't you know. Like this week's piece about browser defenses getting better. Huh? So Vista does ASLR and DEP (XP has limited DEP capabilities too), so what? The applications have to opt into those defenses, and that's slow in coming. Also everyone has to be running these latest operating systems and have everything patched, and we certainly know that's not the case in the real world. Larry even takes a shot at the beloved NoScript, and now he's crossed the line. Listen, a web without JavaScript is certainly sub-optimal. And I do spend a fair bit of time authorizing different scripts on the various web sites I visit. But the point is that I am making that decision, not some jackass web developer who would rather drink Red Bull than ensure my browser can't be owned via an XSS. NoScript gives me the power to choose which scripts I want to run, and which I don't. To just blame all the ills of browser-based attacks on stupid users and social engineering is missing the point. Attackers will take the path of least resistance, and now that is through the user. Something like NoScript makes it a bit harder, and that's why I tell everyone who will listen to use it.
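The "applications have to opt in" point is checkable per binary. The following is an added example for this post (my code, not anything from Larry's article or from Microsoft): it reads the DllCharacteristics field of a PE optional header and reports whether the image set IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (the /DYNAMICBASE linker flag; Vista honors it for ASLR, XP ignores it) and IMAGE_DLLCHARACTERISTICS_NX_COMPAT (the /NXCOMPAT per-image DEP opt-in). The two sample images are constructed minimal headers, not real binaries; the build_sample_pe and check_file names are mine.

```python
"""Report whether a Windows PE image opted into ASLR and DEP.

Added example for this post, not code from Larry Seltzer's article or any
Microsoft tool. It parses only the PE headers (no imports, no sections), so
it works on any .exe/.dll bytes. The images built by build_sample_pe() are
constructed test input: valid headers, nothing runnable.
"""
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF spec
DYNAMIC_BASE = 0x0040   # /DYNAMICBASE: image may be relocated -> ASLR on Vista+
NX_COMPAT = 0x0100      # /NXCOMPAT: image is DEP-compatible (per-image opt-in)
PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def pe_mitigations(data):
    """Return {'aslr': bool, 'dep': bool, 'pe32plus': bool} for a PE image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                      # 20-byte COFF file header
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                          # optional header follows COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unexpected optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ optional headers
    if opt_size < 72:
        raise ValueError("optional header too short to hold DllCharacteristics")
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "dep": bool(dll_chars & NX_COMPAT),
        "pe32plus": magic == PE32PLUS_MAGIC,
    }


def check_file(path):
    """Convenience wrapper for a real binary on disk."""
    with open(path, "rb") as fh:
        return pe_mitigations(fh.read())


def build_sample_pe(dll_characteristics, pe32plus=False):
    """Constructed minimal PE (DOS header + COFF + optional header, no sections)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> PE signature
    opt_size = 240 if pe32plus else 224               # standard sizes incl. 16 data dirs
    machine = 0x8664 if pe32plus else 0x14C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    hardened = build_sample_pe(DYNAMIC_BASE | NX_COMPAT)
    legacy = build_sample_pe(0)
    print("hardened:", pe_mitigations(hardened))
    print("legacy:  ", pe_mitigations(legacy))
```

Two caveats when you run check_file against the browsers and plug-ins on a real box: NX_COMPAT is only the opt-in under the default OptIn DEP policy (an AlwaysOn or OptOut system policy enforces DEP regardless, and 64-bit processes get it unconditionally), and a single non-ASLR DLL loaded into an otherwise hardened browser is enough to give an attacker a fixed address to work with.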

Hope for everyone that isn't the market share leader
So what? - What do you do when your biggest competitor is Cisco and your main value proposition is lower cost? You commission a survey that says 77% of IT decision makers would buy network security equipment from an "alternative" vendor, meaning an "organization other than the market share leader." Hmmm. That's interesting data. So how do Cisco (and Check Point, etc.) maintain their huge market shares if all these customers will consider another vendor? Thinking... Thinking... I got it. They are considering the other vendor for leverage. You'd be an idiot not to "consider" another vendor because that gives you a bit of power (however small) over the incumbent to break a bit on price. That's negotiating 101. I'm interested in the other 23%, who basically say they'll buy from the market leader no matter what. Just goes to show that you can get a survey to say anything you want, you just need to phrase the questions correctly. Such as, "would you consider buying a technology from an "alternative" vendor (not the market share leader) that provides more functionality at a lower price?" Hmmm. How many folks would say no? I guess around 23%. And that's why I'm such a big fan of these surveys. 

The Laundry List

  1. Yahoo shrugs off the Microsoft deal and embraces McAfee's SiteAdvisor to warn search users that some sites may be bad. This is cool, but I'm still using Google. - NetworkWorld coverage
  2. Add USB thumb drives to the 10 most wanted list. They could bring malware in and take data out. Of course, we already knew that, but sometimes it's good to be reminded - Network Computing Daily blog
  3. It was just a matter of time. Now other application dev shops are embracing security as a feature. Parasoft talks about their new application security offerings, built into the dev tools - of course. - Parasoft release
  4. Funny post on the NoticeBored blog about how not to do security awareness training. Idiotic questions are my favorite. - Noticebored blog

Top Blog Postings

New boss is same as the old boss
As I gradually tear through the blog posts that have piled up, I come across Sir Verbiage, otherwise known as Greg Ness of Blue Lane. I actually appreciate the fact that Greg is a card-carrying member of the why-say-it-in-100-words-when-you-can-say-it-in-1000 club. That's right, Hoff is the president, but I'll get to that next. This post lays out Greg's view of 5 critical requirements of data center security, and amazingly enough they are pretty consistent with other aspects of security. Like accuracy (or no false positives), which I hear is pretty important in an IPS as well. Comprehensive protocol "intelligence," which basically means you need to understand not just the pipes, but also the application context. Uh huh. Appropriate exploit response, meaning defuse the risk without killing the patient (or disrupting operations anyway; the patient may already be dead). I'm pretty sure most security folks start with a "do no harm" mantra in other parts of the environment as well. Exception-based detection? Yup, sounds like anomaly-centric views as well. Finally the last is "virtsec readiness," and that just means you need to be able to deal with both physical and virtual servers. Again, nothing we are seeing in the data center is so different than what we've seen before, there is just more of it and it happens faster. Some of the defensive architectures of earlier days won't scale to the needs of the new virtualized data center, but it's not like the tactics are changing all that much.
http://gregness.wordpress.com/2008/04/25/data-center-security-five-critical-requirements/

Where is Roget when you need it???
Since my brain doesn't hurt enough this morning, let me tackle a few Hoffian posts, just to ensure I'm a bumbling idiot within 10 minutes. You see, I can't concentrate enough to follow Hoff if I worry about things like fine motor skills and breathing. I'm glad I've been sucking pure oxygen for the past 20 minutes and hopefully I'll be able to wade through Hoff's clarification of securing virtualization vs. virtualizing security before I pass out. The good news is that even for folks of average intelligence like me, I get this. I think. Securing a virtualized data center is about doing the same stuff we did for a physical data center, but more and faster. Sure we've got a new OS (the hypervisor) to protect, but the attack vectors are largely stuff we know. Until they're not and some big-brained bad guy invents a new attack vector anyway. I don't think people are being intentionally obtuse and ignoring the risks of this new virtualized reality, I just think that lacking a real attack vector that can demonstrably show there are additional risks, people are focusing on the stuff they can control. Which isn't much. Unfortunately Hoff doesn't touch on his ideas of "virtualizing security," since it's a totally different ballgame and is about bringing security intelligence as an overlay to the pipes and boxes that make up the fabric of your computing environment. But if I need my fix of virtualized security goodness I can always wade through some Rational Security archives. But since my air is about to run out, I better get on with it.
http://rationalsecurity.typepad.com/blog/2008/04/clouding-the-is.html

Utopia RSnake-style
Ah, to see the light bulb of rationalization flicker on is a sight to behold. Yes RSnake, the good guys need the bad guys. Or else we enter a world depicted in Demolition Man, where police are unnecessary. Until they are. But the bigger point is to try to find the root cause of the issue and try to address it. And unfortunately, fraud has been around way before computers and will be around long after I'm gone. There is no panacea, there aren't any "punishment(s) that actually deter crime or a security solution that prevents it from happening entirely." Half the world figures if they become a martyr they'll live in eternity with a posse full of virgins, and they may not be wrong. So the idea of a punishment to deter crime is not feasible. People have been rationalizing bad behavior since the beginning of time, and I doubt they are going to stop anytime soon. And the only security solution I know that prevents fraud is the on/off switch. The point is not to make the problem go away, but rather to make sure you are not the lowest hanging fruit for the bad guys. Over time, perhaps we can tip the scales a bit in our favor and make it cost a bit more to do cyber-crime, but I'm not holding my breath on that one. I appreciate the frustration brother, but this is the world we live in, and I don't have a lot of cycles to contemplate why it sucks. So I don't.
http://www.darkreading.com/blog.asp?blog_sectionid=403

The Daily Incite - May 6, 2008

Submitted by Mike Rothman on Tue, 2008-05-06 08:44.
Today's Daily Incite

May 6, 2008 - Volume 3, #43

Good Morning:
I was wrong. It's not the first time it's happened, and I'm pretty sure it won't be the last. I figured the Microsoft/Yahoo! deal was a slam dunk. Intuitively it made sense. The premium was 62% and that was before the start of negotiations. Both Microsoft and Yahoo have been sucking Google's exhaust for years. Neither had been executing well to gain market share. The market is rapidly maturing and that means the big companies need to get bigger to survive.

I could go on for days, but I'd still be wrong. My fatal flaw (once again) is to look at the situation from a logical standpoint. There were lots of reasons for the deal to go through. What logical CEO would walk away from that kind of premium, knowing how much fun it is to get your teeth kicked in by Google every day? I know Microsoft is the universal enemy of these companies, but why not just box up the whole thing and make it Redmond's problem?

Who knew that Yahoo! would become a blowfish once in Microsoft's clutches?

I usually get the analysis right, but I also tend to forget about the human part of the equation. In this case, it's the sin of EGO. That's right, ego killed this deal. I think buyer's remorse had a bit to do with it as well (which made it easier for MSFT to walk away), but ultimately Jerry Yang's arrogance killed this deal. They walked away because they couldn't squeeze another 10% out of the deal. Unbelievable. It will be years before Yahoo's stock sees $33 again. Maybe it never will. So now the Yahoos will get to deal with mopping up 3 months of diversion, a couple of emboldened competitors, and a couple hundred class action lawsuits.

The old adage, "be careful what you wish for," seems very appropriate now. Yahoo! is again independent, carving its own trail. Yang and his executive team made some big promises to make the case for independence. Now they'll need to deliver. Never mind that this is a team that has executed poorly for years. I doubt it will be any different moving forward. Personally, I used to be on Yahoo! pretty much all day. Now, if I'm there once a day - that's a lot. I'm on Google all day now. And I'm not alone.

Good luck to the Yahoos. They are going to need it, especially when Google's search results drive 2x the cash flow of Yahoo's internal systems. They may as well just burn the place to the ground. It would save us all a lot of time.

Have a great day.

PS: My "shut down day" experiment went swimmingly. I didn't touch the computer all day and my cell phone was off for an entire 24 hours. You know what happened? Life went on. I was with the Boss all day, so she had her phone - in case of emergency, but the trains ran on time. The kids got up and went to sleep (with no help from us), we got to where we needed to be and even ate a few meals. Basically it was a good reminder that I can (and should) unplug more often.

Photo: "Microsoft is taking over Yahoo!" originally uploaded by gnal



Top Security News

A good bot is still a bot.
So what? - This SearchSecurity story brings up a pretty interesting ethical quandary. If you had the ability to neutralize compromised machines and eliminate the Trojan that is controlling them, should you? At first glance, the answer is probably no. Sony got hammered a few years ago when it came to light that they were using stealth rootkit technology to drive their DRM function. If the good guys use the same techniques as the bad guys, how do you know the difference? What if you dig a bit deeper and use a healthcare analogy? If your kids had a dormant virus that at some point would awaken and turn them into criminals, and you had a way to eliminate the virus without them ever knowing they'd been infected, would you? That seems like a no-brainer, right? Of course, in the court of public opinion it's not a no-brainer. A few vociferous individuals could create an uprising against tactics like these, even if they are good for you. And then instead of focusing on doing the right thing, the company creating the vaccine is defending itself. No wonder it's usually just a lot easier to let folks blow each other up.

Should PAM stand alone?
So what? - NetworkWorld published a review of a couple of privileged account management (PAM) tools last week. These tools basically protect the account information and passwords for root and administrator accounts. Why is that an issue? Basically it's about separation of duties and accountability, mostly from a compliance standpoint. Administrators typically just use root to make whatever system-level changes are required. They share the root password amongst themselves and go about their business. But what if a machine is compromised? And it turns out it was because of a change made by the root account? How do you know who to investigate? How can you prove compliance, and that you are protecting user data, when you can't say which administrator made what changes? Right, you can't. So for big companies, these kinds of tools can make sense. But why isn't this a function of the server and system management hierarchies that are already in place? Right. It will be, it's just a question of when. 
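The accountability gap above is visible in plain system logs, which is where the investigation starts whether or not you own a PAM tool. The following is an added example (my code, not from the NetworkWorld review or any PAM product): it parses sudo and sshd log lines, attributes each privileged command to the human who invoked it, and flags root activity that cannot be tied to a person. The log lines are constructed sample input; the host db01, the users, the 10.0.0.5 address and the function names are all mine.

```python
"""Attribute root-level changes to named administrators from sudo/sshd logs.

Added example, not from the NetworkWorld review or any PAM product. Commands
run through sudo carry the invoking user's name; a direct root login with the
shared password does not. The log lines below are constructed sample input in
standard syslog format (hostname, users and address are made up).
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
May  6 08:44:01 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/useradd backup
May  6 08:45:12 db01 sudo:      bob : TTY=pts/1 ; PWD=/etc ; USER=root ; COMMAND=/usr/bin/vi /etc/ssh/sshd_config
May  6 08:47:03 db01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/vi /etc/ssh/sshd_config
May  6 09:02:17 db01 sshd[2211]: Accepted password for root from 10.0.0.5 port 51022 ssh2
May  6 09:05:40 db01 sudo:      bob : TTY=pts/1 ; PWD=/etc ; USER=root ; COMMAND=/sbin/service sshd restart
"""

SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo(?:\[\d+\])?:\s+"
    r"(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; USER=(?P<target>\S+) ; "
    r"COMMAND=(?P<cmd>.*)$"
)
SSHD_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: Accepted "
    r"(?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+ ssh2$"
)


def parse_events(log_text):
    """Turn raw log lines into privileged-activity records.

    Each record has an 'actor' (the human we can hold accountable) and a
    'command'. For a direct root login the actor is None: nothing in the log
    says which administrator typed the shared password.
    """
    events = []
    for line in log_text.splitlines():
        m = SUDO_RE.match(line)
        if m:
            events.append({"ts": m["ts"], "host": m["host"], "actor": m["user"],
                           "as": m["target"], "command": m["cmd"], "source": m["tty"]})
            continue
        m = SSHD_RE.match(line)
        if m:
            events.append({"ts": m["ts"], "host": m["host"],
                           "actor": None if m["user"] == "root" else m["user"],
                           "as": m["user"], "command": "<interactive login>",
                           "source": m["src"]})
    return events


def who_touched(events, path):
    """Administrators (log order, deduplicated) whose privileged commands name the path."""
    seen = []
    for ev in events:
        if ev["actor"] and path in ev["command"] and ev["actor"] not in seen:
            seen.append(ev["actor"])
    return seen


def unattributed_root_access(events):
    """Privileged activity with no named human behind it: the cases an auditor
    or incident responder cannot resolve from the logs alone."""
    return [ev for ev in events if ev["actor"] is None]


def commands_by_admin(events):
    """Per-administrator list of privileged commands, for the 'who changed what' question."""
    out = defaultdict(list)
    for ev in events:
        if ev["actor"]:
            out[ev["actor"]].append(ev["command"])
    return dict(out)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("touched sshd_config:", who_touched(evs, "/etc/ssh/sshd_config"))
    for ev in unattributed_root_access(evs):
        print("UNATTRIBUTED root access on %s from %s at %s" % (ev["host"], ev["source"], ev["ts"]))
```

Run against the sample, the sshd_config question has an answer (bob, then alice), but the 09:02 root login from 10.0.0.5 is exactly the hole the post describes: the shared password means the log has no one to name. A PAM tool closes that hole by checking the root password out to a named person per session; until then, forcing admins through sudo (and shipping the logs off-box so root can't edit them) gets you most of the attribution for free.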

Everyone wants it... but no one wants to pay.
So what? - I love these little profiles of Internet luminaries who have made their money and now play. I remember Dan Lynch from the Interop days when I was just a lowly networking analyst at META Group. Networld+Interop was the networking world's RSA and it was a great show. Things were still new and shiny. Dan made some investments, I guess he made some money, and now he teaches. That's fantastic. Evidently he is still investing in some start-ups, but it seems his investment strategy is a lot less cogent than his analysis of the security market. He says: "Security isn't easy to monetize. Everyone wants it but no one is willing to pay much for it. And even if you have a security solution, getting it adopted usually means a serious change to something someone's doing." I don't think any of us argue that case. But if I were an independent investor, and I knew Dan's statement to be true, do you think I'd be investing money in the latest, shiniest security widget? Especially when I could maybe find some other things that could be more easily monetized. Ah, another quandary of the security industry. Ultimately a few start-ups will make money, but most won't. And I understand that, so even if I could invest in security start-ups (I can't), I wouldn't. 

The Laundry List

  1. Webroot is the "first" to offer web filtering in the cloud to SMBs? Really? I suspect MessageLabs, ScanSafe, WebSense's Black Spider and bunch others would differ. Could a beat reporter do a little bit of homework (and maybe not take a vendor claim at face value) before he writes something asinine, please? - NetworkWorld coverage
  2. But it's an excuse to poke at Microsoft? The spat about Microsoft's COFEE incident response toolkit is much ado about nothing. I guess you need to let the Captain Privacys out there run wild every so often. They don't get out much. - John Sawyer's Dark Reading blog
  3. Didn't hear much interesting out of Interop, but at least Barney makes an appearance. Blue Coat gets Vericept to join their partner program. Wonder if I could pick 35 PURPLE at the roulette table? - Blue Coat release
  4. If you are interested in CSRF attacks (and you should be), check out Jeremiah's slide deck on the topic. - Slideshare presentation

Top Blog Postings

Mirror mirror on the wall...
How many of you out there spend more time bitching than doing something? Be honest. Do you go home and kick your dog because your executives don't really care about security or what you do? It wouldn't be surprising and you certainly wouldn't be alone. It's time to take a look in the mirror. Yes, it will probably tell you that the VP of the Data Center is the fairest one of all. He/she does have the halo of virtualization over their head right now. In this post, Micki Krause talks about a self-assessment product by Billi Lee that can provide some insight for you. Amazingly enough, she even has a "12-step" program, or at least 12 questions to distill where your head is at. Personally, I never really found it useful to fill out a form to tell me what I already know. If you are grumpy, acknowledge it. If you feel marginalized in your environment, you need to accept that fact. Then you have some decisions to make. Is this the right line of work for you? Is it still your passion? Has the game beaten you down so that you now dread the commute to work? You already know the answer(s), but fear may be clouding your objectivity. I get it, I've been it. Now I'm past it. And it's a good place. Now go do 10 hours of meditation. Your boss probably won't even miss you and maybe you'll get some clarity.
http://www.bloginfosec.com/2008/04/08/are-you-a-savvy-ciso-learn-how-to-assess-yourself/

Is Defense in Depth overrated?
Friggin' Matasano Thomas. He wakes up to write every couple of weeks and hurts my head. Fact is, I've gotten away from a lot of the knee-deep technology and it's been many years since I wrote code. So when he writes a provocative piece questioning the validity of defense in depth as a legit application architecture, I need to shake out a bunch of cobwebs and really think. It's much easier to not think, so that annoys me from the get-go. The first distinction I'd make is that Thomas (and his other big-brained Matasano fellows) is talking about application architecture. I'm still a fan of full-system defense in depth (you know, some layers on the network, some in the data center, some within the database and more within the application). Though you could probably make a lot of the same arguments, given that if you can compromise the application you will likely get a free pass through a lot of the other layers. The Matasanos basically dismantle a lot of the old, tried and true security architecture ideas, like attrition, delay, deterrence, and predictability. The answer seems to be one single "well-defined" defense. Is that kind of like the "one thing" Curly talks about in City Slickers? This single defense should work, but what if it doesn't? Or something changes. So it worked yesterday, but it's not going to work tomorrow. Kind of makes me want to pack it in. But I can't do that, since my mirror (see above) says I need to keep fighting. Maybe I spend less on trying to stop attacks and more on figuring out when I'm being successfully attacked and containing the damage. Hmmm... Maybe there is a way to not just react faster, but to react BETTER.
http://www.matasano.com/log/1044/defense-in-depth-reconsidered-is-information-security-anything-like-war/

The Mogull hits the doo-doo list
I always know a good piece of analysis because I get pissed that I didn't think of it. Per usual, the Mogull takes a minute to expand my own pea brain with what should be the 2nd corollary of the REACT FASTER doctrine. You need to react not just FASTER, but BETTER. Argh. So simple, so elegant, and so correct. I wonder how many hours of meditation it took Rich to spit out that insight. Probably not too many, and that's why he's on the doo-doo list. Of course Rich uses an emergency medicine metaphor to discuss his point, but don't lose the applicability to security. Rich says it a lot better than I could: "Don't just react- have a response plan with specific steps you don't jump over until they're complete. Take the most critical thing first, fix it, move to the next, and so on until you're done. Evaluate, prioritize, contain, fix, and clean." Of course, a lot of what Rich is talking about is laid out in Step 8 of the Pragmatic CSO (Contain the Damage), and amazingly enough it works. But only if you do the work AHEAD OF TIME. The wrong time to find out your incident response plan is crap is when you are in the middle of an incident.
http://securosis.com/2008/05/02/react-faster-and-better-with-the-a-b-cs/

The Daily Incite - May 1, 2008

Submitted by Mike Rothman on Wed, 2008-04-30 15:24.
Today's Daily Incite

May 1, 2008 - Volume 3, #42

Good Morning:
I tend to be one of those hyper-connected guys. I don't do Twitter, but besides that I don't really have email too far away and I can be found in my RSS reader a couple of times a day. I like to think I'm "in the loop." A lot of the time I'm not sure how healthy it is. At night, there are times when I have to specifically repress the need (dare I say addiction) to hit the iPhone slider and see what has accumulated in my inbox.  

Believe me, there isn't that much interesting stuff in my email. But I like to see it anyway. And it's a constant battle. I suspect many of you fall into that category as well, battling those same demons.

Thus, when I saw this post on Web Worker Daily about "Shut Down Day," I was intrigued. The picture to the left is called "Unplug for safety," but this concept is more about unplugging for SANITY. Can I actually shut down my machine(s) and not be connected? Yes, even my iPhone. For a full 24 hours? Is it possible?

The honest truth is that I don't know. But I'm going to try. It'll be easier for me for a couple of reasons. First, it's not like I'm trying to do this during the week. Saturdays are somewhat manageable and although I've been known to work a bit over the weekends, it's definitely possible for me to skip it.

Second, the Boss and I will be tied up all day at an event. And I mean all day. So now I have a fighting chance, since it would be a lot harder to unplug if I was in the house watching some crappy baseball game.

So we'll see how it goes. I'm kind of excited by the possibility of becoming the master of my domain again. I don't expect to need to unplug very often, but it will be nice to know that I can.

Have a great weekend.

Photo: "Unplug for safety" originally uploaded by mag3737



Top Security News

DEFCONs just want to have fu-un. DEFCONs just want to have fun.
So what? - When the s*storm hit last week about the new contest to come up with interesting ways around malware detection suites, I could only laugh. Of course, Cyndi Lauper's "Girls Just Want to Have Fun" was also thundering in my eardrums because that's what this is about. In the immortal words of Sgt. Hulka, the AV vendors need to "Settle down, Francis." It's like the Pwn2Own contest at CanSecWest. Some folks will find some interesting holes and the vendors will patch them. Same deal here. Maybe the AV vendors are worried that the crazy kids at DEFCON will pierce the veil of their marketing hype. Maybe the big world of all those stupid lemmings will finally realize that any machine can be owned at any time by some rather mediocre hacking talents. We wouldn't want them to learn that now, would we? And I'll also punch a hole in the idea that there are already enough samples to keep researchers busy. Who knows, maybe with a minor financial incentive, the DEFCONs will find something interesting. Something (oh the horrors) that we may not already know about. I'm good with this contest and I think these are valuable endeavors. First, you get kind-of smart folks trying to break things in a semi-controlled environment. Second, you are teaching these folks how to think like hackers, which is one of the first things that security professionals need to master.  

NAC client game is over
So what? - Tim Greene makes a decent point (even if it was spoon-fed to him by MSFT PR folks) about the imminent death of the NAC client at the hands of the bundled NAP client. With Windows XP SP3 being deployed over the next few months (it takes a few months for these things to be widely deployed), the NAP client will be on most of the Windows devices out there. That means this idea of client vs. client-less is largely done. Of course, it's been a moot argument for quite a while since the answer has always been both. For some managed devices, a client makes sense. For other devices you don't control, you need a client-less option, and pretty much all the NAC vendors can do both. We could split hairs about dissolvable agents vs. Nessus-based plug-ins vs. ActiveX, but it's all the same to me. If I put on my Stiennon suit, does that mean I'll trust the endpoints any more than I did before? Of course not. I still need to verify who they are, and more importantly monitor what they are doing. Just in case. Having the client out there can't really hurt NAC adoption, but I'm not sure it's going to help either. Hold that thought for a few seconds...

NAC less interesting to users, which may be a good sign
So what? - It's funny in that every market goes through a series of phases. Jim Rapoza gets it mostly right in this eWeek slideshow. My classic "Farce of Market Sizing" post back from 2006 hits the same topic, but from a different angle. And NAC as a market has certainly gone through a bunch of phases. This latest NWC reader survey about NAC doesn't bring good news on the surface. Fewer customers are interested in NAC this year than last year. Isn't that bad? Maybe not. Given the macro-economic backdrop, I suspect most users are focusing on those projects they absolutely need to get done, and the ones that are a bit less critical get put on the back burner. At least it seems the users are being honest with themselves about where NAC falls on the priority list. But this isn't really bad, it's natural. There is no question that the concept of LAN Security (bigger than just NAC, more about campus network evolution) will take root. The question is when. I think if the hype around NAC deflates a bit, then folks can think a bit more rationally about how best to move towards a secure LAN environment. Which is really what they should have been thinking about all along.

The Laundry List

  1. Learn about Stiennon's new gig. Ask him to bring back a koala when he goes to visit the mother ship. - NetworkWorld coverage
  2. NetworkWorld jumps into the time machine and goes back to when Voltage first introduced IBE. A PKI without keys? How novel! And how irrelevant it is how it actually works. Slow news week, I guess. - NetworkWorld coverage
  3. Prevent online theft? Authentium claims their SafeCentral "prevents" malware. Big claims for sure, and seems too good to be true. - Authentium release
  4. Secure Computing also asks us to jump into the time machine and forget that pretty much every other security vendor runs their stuff in a VM image now as well. The good news is that I don't forget. - SCUR release

Top Blog Postings

PCI: DOA in UK?
James T. Newby gets on his Trek suit (don't know if they make 7 foot tall Captain Kirk costumes) and talks about some of the differences between how security companies are marketing in the UK vs. the US. It's nice to see I have more to like about the UK than room temperature pints of ale. I hesitate to call the Brits more enlightened (Boston Tea Party anyone?), but being a smaller market with less desperate competition (and presumably a less noisy security market) they seem to have gone through the cycle a lot faster than in the US. I don't need to rehash my recent ranting, but I've hardly talked to anyone in the space over the past two weeks that hasn't wholeheartedly agreed with my contentions that Easy PCI marketing is a sham. Yet, if everyone is agreeing with me, why do I expect to continue seeing these ridiculous positions and claims for years to come? Basically because I've seen the movie before, and as long as there are customers that want to believe, the vendors will be there to feed them a plate of crap.
http://robnewby.blogspot.com/2008/04/captains-blog-supplemental-pci-is-dead.html

Endangered species - The CISO
Since I'm piling on many of my positions today, let's go over another one, which is the inevitable demise of the security "role" in an organization. Stuart King talks about his experiences in a mock trial of the CISO at Infosec that resulted in the CEO and CIO going to the big house. I guess that would be the mock big house with the mock Bubba pounding the mock CEO in places where the sun don't shine. But nasty imagery aside, the point is the point. I suspect we'll see the demise of the CISO first in the mid-sized businesses and then we'll get a very Innovator's Dilemma evolution, where the security role will generally be subsumed higher and higher up the F5000 chain. Do I think the CSO of a Fortune 50 company goes away? Nah. Those organizations are so big and so complex that there will always be a role for a new CSO every 18 months to take the fall when someone on the ops team screws something up.
http://www.computerweekly.com/blogs/stuart_king/2008/04/on-trial-role-of-the-ciso.html

Hands-off Pwnage
In yesterday's P-CSO newsletter, I did a little thinking out loud about staging a data breach and using it as a means to educate the employee base about what they can and can't do. Another key education mechanism is the idea of phishing your own folks and getting them to click on links and go to sites that they shouldn't. Of course, as long as they are sites you control, it's all cool. And as long as you use the opportunity to instruct, it's even better. Ed Dickson talks a bit in this post about some of the nastiness that's out there nowadays. So maybe after you get a set of your employee dimwits to click on a bad link, then you hammer the message home with a little video to show just how easy it is for people to be compromised. Even good people. I think this two-step 2x4 educational mechanism may have a better chance than most run-of-the-mill user awareness training. This is a topic I'll cover in a bit more depth next week.
http://fraudwar.blogspot.com/2008/04/nowadays-all-you-need-to-do-is-visit.html

Pragmatic CSO Newsletter #53

Submitted by Mike Rothman on Wed, 2008-04-30 07:58.
Pragmatic CSO Weekly

April 30, 2008 - #53

Mike's Pep Talk:

"When choosing between two evils, I always like to try the one I've never tried before." - Mae West

A lot of security folks like to think of the daily battle as a good vs. evil type of thing. You know, the bad guys are evil (and wear black hats) and we - the security professionals - are the good guys. We wear white hats and ride on a fine stallion called Silver.

Let's get one thing straight. You are not the Lone Ranger. This is not about good and evil. This is about dealing with the lesser of two evils. The reality is that your environment will be compromised, and you have been entrusted by your organization to stop it.

In a nutshell, you are in a lose-lose situation. We all are. That is the cold harsh reality of practicing security. Whether it's physical security, cyber-security, or any other type of security - ultimately this is not a game we play to "win." It's a game we play to survive.

Why the dour tone today? Did someone piss in my Wheaties? Not exactly, since this is a concept I discuss pretty frequently in all of my publications. I read news clippings like this one in NetworkWorld about most employees intentionally skirting enterprise security controls, and part of me wants to hold my hands up and start serving Blizzards at Dairy Queen.

At least then I know I'll have a job, since DQ is owned by Berkshire Hathaway and they aren't going anywhere.

Every time I start to feel this way, I need to purge a bit. I need to rant and I need to get it out of my system. Here's the deal: Our customers don't know who is good and who is evil. They can't tell the difference. If they are intentionally going around our controls, then WE ARE SCREWING UP. We are at a fork in the proverbial road, and we need to figure out how to get more relevant and work better within the context of our business. It's as simple as that.

I understand that little things like PCI and SarBox make a certain set of controls totally necessary, but ultimately we have to start thinking a bit more like risk managers and not draconian control freaks. We have to start understanding where the breakpoints are in our organizations. How tightly can you really lock something down, before the natives start getting restless?

Do you know the answer to that question? Do your corporate policies reflect that reality? If not, then you have a lot of Pragmatic work ahead of you. If the employees can't tell whether you wear a black or a white hat, then you better start looking for a more palatable middle ground.

Photo credit: Buggs

Thinking out loud: A new type of IR practice

Sometimes I have random thoughts, and although I tend to vet many of these ideas with my trusted circle of contacts, I want to bounce some ideas around in a more public forum. Thus a new section here called "Thinking out loud." I'll just throw something out there, and it would be great to hear whether you think I'm nuts (or not).

Based on my rant above about employees not knowing who the good guys are anymore, let me suggest perhaps a different way to "educate" our trusty employees. The reality is most employees will do the right thing, if they understand what is right and what is wrong. They go around security controls and flout policies, not because they are bad people (although statistically some will be), but rather because they don't really understand what is so wrong about what they are doing.

So I suggest we show them, in a way they haven't seen before.

You should have a defined incident response plan (discussed in Step 8 of the P-CSO) and you should be practicing it frequently. Or at least practicing sometimes. Most of that practice is for you and your team, to make sure the security (and risk and ops, etc.) team will respond appropriately when the brown stuff hits the fan.

What if we brought a few more folks into the "practice?" What if you staged a "data breach" within your organization, and played it out? What if you sent out a note to all of your employees talking about how your private data was breached, where the data handling errors were, and that some employees have been terminated due to those actions. Then you take the opportunity to remind them of the policies.

Of course, the breach didn't really happen. It would be staged. But that would seem to me to be a very powerful means to get the point across to the employees about WHY they need to follow the policies.

I know, I know. Intentionally deceiving employees is kind of an April Fool's joke gone wild. I'm sure there would be a number of folks pretty steamed when the truth that the breach was staged gets disclosed. And you'd need approval at the highest levels to pull off something like this, and how many CEOs would go for this kind of plan?

The odds are long that this kind of thing would work, but something tells me this idea may have some legs. Let me know in the comments section about my "thinking out loud."

The Daily Incite - April 28, 2008

Submitted by Mike Rothman on Mon, 2008-04-28 09:56.
Today's Daily Incite

April 28, 2008 - Volume 3, #41

Good Morning:
Friday night I went to go see the Boss. No, not the Boss that I live with, but THE BOSS. That's right, Bruce Springsteen and the E Street Band. I do have to admit that I'm not the biggest Bruce fan. I do love his classic stuff. But he jumped the shark with Born in the U.S.A. and was in a slump for a couple of decades. A few years ago, things started moving in the right direction (IMO anyway). The Rising was OK and showed some life and the new album (Magic) is fantastic.

But that's the recorded music. If Springsteen comes to your town, you go. Those folks put on a great show. They played for about 2:45 and took like no breaks. The band was tight, really tight. You can check out the set list, but what was most impressive was the number of audibles they called during the show. Bruce would pull a poster naming a song out of the crowd, motion to the band, and they'd launch into it.

You can tell, even after doing this for 35+ years, they all still love it. It's their passion. There isn't anything they'd rather be doing. It was inspiring and got me to thinking about how many of us can say the same thing. Is there anything else you'd rather be doing right now? Do you feel that way more often than not? 

That's a pretty instructive question. Be honest with yourself. If the answer isn't what you think it should be, then start thinking about what changes you can make. Life is too short to be doing stuff you hate. It's not always possible, but you can strive for it, no?

Which brings me to my next topic, of a guy that has maybe too much passion. The NFL draft was this weekend, which means that loudmouth Mel Kiper, Jr. was everywhere at all times. What a gig that guy has. I'm not sure what he does for the other 11 months of the year, but starting at the NFL combine, all you hear is Kiper. He's less grating than he used to be, but still. Thankfully we won't have to hear from him again until next March.

The G-men had a pretty good draft and being a Falcons season ticket holder, I'm hoping Matt Ryan lives up to the hype. The few days after the draft are always about what could be. Living in the future is OK, but sooner or later you need to get on the field and play. When does training camp start again?

It doesn't feel like Monday, does it? I think the weeks just keep running and running and running. I'm taking some time off towards the end of the week. So I'll be doing a P-CSO newsletter tomorrow and then the final TDI for the week on Wednesday. Many miles to traverse between now and then.

Have a great day.

Photo: "Bruce Springsteen & The E-Street Band en Madrid" originally uploaded by Bisharron


The Pragmatic CSO
The Pragmatic CSO:
Available Now!

Read the Intro and Get
"5 Tips to be a Better CSO"

www.pragmaticcso.com
Get Your Special Report:
6 Easy Steps to Protect Your Identity
and
get access to Security Mike's Portal today

www.securitymike.com

Security Mike's Guide to Internet Security

Top Security News

Great, 2.7 million people that have no idea what's going on
So what? - It must be good to be the ISC2 nowadays. If you believe the survey they commissioned Frost and Sullivan to do, there will be 2.7 million security professionals by 2012. The survey also goes into a bunch of skills these security professionals need. Amazingly enough getting a CISSP is top of the list. I'm kidding. The survey is interesting, but (and I know you are shocked) I have a different opinion. I think there will be 0 security professionals in 2012. That's right, ZERO. I think there will be network folks that specialize in security, and also some data center folks and even more application folks that are security specialists. OK, these are word games and a bit of semantics, but I think it's an important point. If anyone thinks their only job is going to be security in 4 years, I suspect they'll end up as a petroleum product sooner rather than later. OK, maybe not 2012, but I'm with most of the big mouth security pundits in saying security as a business will be going away within a reasonable long term planning horizon (7-10 years). So start practicing, "I do secure networks." Not "I do network security." There is a big difference. 

Will the ASA be pretty too?
So what? - You have to hand it to Scott Weiss. After he made mincemeat of all the anti-spam players (his IronPort does more in a quarter than the other anti-spam appliance vendors combined, or pretty close to it), now Chambers has given him the keys to the entire security car. I suspect he has his branding folks working on new bezels for all of the security appliances. A pretty box is a box that sells, don't you know. OK, sour grapes and kidding aside, Weiss is out flogging the idea of reputation on all of the security devices. This isn't a unique story (Secure and BorderWare have also been espousing reputation everywhere), but there is something there. If I can get a clue about the intent of someone trying to connect to my networks, then I have a better chance of reacting a bit faster to what they are doing, as opposed to waiting for my IPS to figure out it's really an attack. Reputation has worked very well in the anti-spam business. Its utility isn't as clear in the web filtering space and even less on the firewalls, but the concept makes sense.

NAC differentiation is hard to come by
So what? - Sometimes I just have to laugh. Or I'd probably string myself up from a tall tree in the neighborhood. Dana Hendrickson lampoons a recent Impulse Point release talking about "Green NAC." No, that's not a NAC appliance you leave outside too long until it gets all mossy. These folks figure they can save you 92% in energy costs. Is that a key NAC differentiator? That would be the first I've heard of that. And the basis of the argument isn't that their industry standard appliance is any more power efficient than the other guys'. It's that they require fewer appliances. Boy, that's a stretch. Let's suspend disbelief and think for a minute: if this was true, why not just get one of the UTM devices that claims to do NAC as well? Wouldn't that save even more power because everything is on one box? While we are at it, why don't we just run VMware on the mainframe and have everything virtualized on the Big Iron. Power to the People. Bring back the mainframe. Bring it back right now! Who knows how to tie a noose?

The Laundry List

  1. The answer to PCI is SSO? According to an SSO vendor it is. But the byline reads like news and some unsuspecting sap is going to actually believe it. - TechNewsWorld coverage
  2. Virtual UTM is coming. You heard it here first. Blue Lane adds a firewall to their VirtualShield. Soon it'll have VPN and anti-spam. We don't need no stinkin' 1U's. - Blue Lane release
  3. Outsource incident response? Why not, if you can't do it internally? SecureWorks announces a set of services around planning incident response and then doing forensics. - SecureWorks release
  4. IBM ISS targets the mid-market with security "as a service." I guess if you can't sell them products anymore, you may as well try to sell a service or 10. - IBM release

Top Blog Postings

Maybe a grapefruit will work better?
Chandler rues a bit on the challenges of building a set of security and/or risk metrics that are relevant to mahogany row. It's hard and it usually means that we security folks have to keep a few different "sets" of books. The reports that are focused on business relevance and the reports that are operationally centric and help to figure out what is going on. There are probably more. Chandler's main point is that the risk folks and the security folks (in financials you usually get a lot of organizational separation and disparity) aren't on the same page relative to accepting risk by enforcing policy compliance. Yeah, that's a mouthful, but the reality is that the risk folks don't want to accept anything besides everyone else working to eliminate all risks. Then they can point the finger when something goes down. Not that I'm pointing fingers because it's a natural reaction. But the reality is many of these metrics are actually apples and oranges and Chandler's first (and most important) point is that many of the metrics we track do not compare well "across industries or even within industries." That's a big problem because without a relative point of comparison, you have no idea how you are performing.
http://thurston.halfcat.org/blog/2008/04/14/metrics-and-oranges/

Another 5 from Amrit
This time the BigFixer is focused on 5 security metrics that matter. Amazingly enough, they all can be pumped out of his configuration management system. OK, low blow, but I know AW can take it. The reality is that we've already proven that having managed devices that adhere to a strong security configuration can help eliminate issues. But how many of us keep metrics along those lines? Do you just assume that all of the devices use these standard configurations? Amrit's 5 metrics aren't brain surgery, but I tend to think most practitioners can't answer these questions with data. Which is, of course, a huge problem. But as Chandler's post also intimates, we've made very little progress relative to security metrics and that's because it's hard. I'm talking to a lot of the smartest folks out there on this topic and there are still a lot of disagreements about what should be counted, why and how. Until we get on our own page, how can we expect the rest of the organization(s) to get on board as well?
http://techbuddha.wordpress.com/2008/04/24/5-security-metrics-that-matter/

Has marketing figured out metrics any better?
Since I'm not that smart, I try to find other analogies or comparisons that can serve to show how a security problem can be solved by what someone else has done in some other business. Being somewhat of a marketing hack (or former marketing hack anyway) myself, I thought I'd see if the marketing folks have figured out a way to hold themselves accountable and prove value, because marketing is an "overhead" function as well. At least if you ask most CEOs and sales folks. Sports fans, the news is not good. According to Francois, "Not only are some companies measuring the wrong things, a majority of them have no ability to measure anything at this stage." Sound familiar? It gets better. Most marketing organizations that can't prove marketing ROI have no one assigned to drive a metrics process. And a lot of marketing ROI is negative, so there is an inherent disincentive to really count and become accountable. The similarities are frankly a bit unsettling. Marketing has been around a lot longer than security as a discipline, and they've made very little progress. Are we wasting our breath even talking about this metrics stuff? Should we just stick our heads in the sand and hope we can still get our projects funded from the grace of a higher being? Or maybe we just learn how to tie that noose.
http://www.emergencemarketing.com/2008/04/16/measuring-marketing-effectiveness-is-hard…/

The Daily Incite - April 24, 2008

Submitted by Mike Rothman on Thu, 2008-04-24 09:53.
Today's Daily Incite

April 24, 2008 - Volume 3, #40

Good Morning:
If I had a couple of bucks for every CTO that has tried to school me in marketing, I wouldn't have to be peddling Pragmatic CSO books at every opportunity. If I had one for every CEO who thought they could do the job better than me, I'd be spending a lot more time at the beach. But such is the frustration of marketing. Everyone thinks they can do it, until they have to, and then they realize stress testing athletic cups is a more rewarding position.

At least Misha of AlertLogic was funny in his attempt to tell me why I was wrong to call out his company for their blatantly misleading "PCI is easy" marketing campaign. He figures there are some days I fill your inbox with baloney. I love baloney. Actually I like salami better, but I don't eat meat much anymore - so maybe sending around some baloney is my way of making peace with the meat gods - who I now shun.

His tactics are pretty predictable. Make light of your critic and try to undermine their credibility. Compare the work to some well known gossip rags. Right out of the Campaign '08 play book. Maybe Misha fancies himself a role in the political arena after he's done with this nasty security work.

If you read the comments on Misha's post, he's got it right about me and my ability to take a counter-punch. I'm a big boy and I don't share a controversial opinion without expecting some return fire back. That's all good. In fact, I know quite a bit about their offering, and exactly how it can help with compliance and how it can't. This isn't about their service. It's about their marketing. It's when you read the other comments (especially from my friend Farnum) that you see that Misha has missed the point entirely.

It's not just a webcast title. Or an email marketing subject line. It's a philosophy.

Most folks think that if no one outright complains about something that it's OK. They seem to forget that most folks vote with the delete button. The vendor just loses attention and awareness and ultimately that impacts a company's credibility. Farnum is exactly right, that kind of sensationalist marketing is abrasive and annoying to folks that are in the trenches trying to do the right thing every day. Most technical folks don't understand how marketing impacts the perception of their organization. They think it's about the product (or service). They don't get that until you do marketing right, you don't get a chance to even show your product.

No CSO is going to take the time to send any offender (and of course, there are more folks guilty of "easy compliance" than AL) a note telling them they have stepped over the line. They just shop somewhere else. I guarantee AlertLogic loses every deal they don't see.

And that's the point. A long-term sustainable business is based on building credibility with buyers and then meeting their expectations every day. You can target the mid-market with National Enquirer-esque headlines and that will work for a while. But if you can't deliver, then Mr. Market will catch on. He always does. You can run, but you can't hide. Unless they figure out a way to sell out to some big dumb security company and get out of Dodge before Mr. Market figures it out.

To be clear, I'm saying that AlertLogic cannot make PCI compliance easy, simple or affordable. No vendor can, because security is neither easy, simple nor affordable. It has nothing to do with their service. It has to do with how hard it is to protect information. If Misha had a way to make security easy, I guarantee his company would own the security business - and unfortunately (at this point in time anyway) they don't.

Security marketers have a choice. They can try to focus on customer problems or they can go with sensationalist headlines. I've done both through my career. I've found that taking the "easy" route is always harder. Always.

Have a great weekend. And buy my book (I thought I'd just throw some more baloney in there for good measure).

Photo: "Spotted at Berkeley Bowl: I didn't know that you can buy sour grapes" originally uploaded by Raymond Yee



Top Security News

ITIL ya to pay attention
So what? - Don't we have to get somewhere before we start worrying about process improvement? I'm fascinated by the worldwide infatuation with ITIL. I know a lot of big companies basically print out the frameworks and figure they've been entrusted with the holy tablets from Mt. Sinai. They haven't. I understand it's convenient to have someone else do the thinking about a big "framework" that tells you all about all the things you need to do. And for mature operational functions (think network and mainframe), I think the idea of a nicely cogent framework makes a lot of sense. This NetworkWorld newsletter on networking stuff has some stats to back up the adoption rate of these frameworks. But for security? I guess it's the same issue I have with 27001/2 and COBIT. If folks think this is a silver bullet and it's going to give them a cookbook on how to do their job, then they are on some kind of funky peyote. But if they understand the framework is a starting point to figure out where they need to focus and to break the project up into digestible chunks, then I'm OK with it. I just fear we have a lot more of the former than the latter.

Digging deeper into Hannaford
So what? - Never one to let the lying dogs lie, Brian Krebs digs a bit deeper into the Hannaford Bros. breach. Evidently they were PCI compliant and had some sophisticated defenses in place. Unfortunately they weren't the right ones. So now these folks will spend millions more to close probably every possible hole. Oh yeah, that's not possible. So they'll close a lot of holes, they'll spend a lot of money and they'll probably be OK. Note I said probably because they can't get to everything. Krebs focuses a lot on how to attack data in transit and that is clearly a new and clearly exploitable attack vector. So the arms race goes on. The early adopters will start making some investments to more effectively segment networks where payment data resides (to protect it from insiders or compromised inside devices). The standards folks will work that into PCI 3.0, and most of the world will get there in 5-7 years - maybe. And between now and then there will be a lot more Hannafords.

My network security box is killer
So what? - I think McAfee's new branding (along the lines of "killer security" and "McAfee hacks hackers") doesn't really get the message across about what they do, but I don't really understand the whole describe-your-business-in-a-sentence type of approach. Anyhoo, the Little Red is getting back into the network security business with a new blade server platform. They say it's the fastest thing since sliced bread. Whatever. It'll run their IPS (now called just the Network Security Platform, since IPS is all you need - don't you know?) and their content security blades. Both as separate boxes and it seems as a suite. Yes sports fans, it's 75% of a UTM solution, running on a blade server. Maybe those Crossbeam folks were on to something. But MFE doesn't have a firewall or a VPN or authentication to put on the blades. But they do have a checkbook, so this is a problem that can be solved with money.

The Laundry List

  1. Hershey + Rack = Passwords. Like you are surprised? Yes, we still have a lot of security awareness training to do. - WSJ coverage
  2. News Flash: We have an email security problem. Yes, it's April 2008, not 2005. Someone should tell the author of this piece he's about 3 years late. - eWeek article
  3. Laptop theft preventable? Sure, just weld the device to your CEO's hands. - SearchCIO-midmarket tip
  4. McNulty out at Secure Computing without a reason, besides maybe the blown Q1. Ryan is interim, and a CEO search is beginning. - Secure Computing release

Top Blog Postings

CISOs aspire to be CIO? Really?
This post over on bloginfosec.com by Frank Cassano is pretty interesting. He wonders whether security officers should be in line to ascend to the CIO position at some point. Clearly (as Frank contends) many are overlooked, but are they qualified? A small percentage (dare I say the Pragmatic ones) probably would make good CIOs. They understand the business, have good relationships with the business leaders, and are skilled in persuasion amongst their peers. All good qualities for the CIO. But are they the political animals that many CIOs have to become? I'm not so sure. Frank believes a key skill for the new CIO is to be able to manage risk. Isn't that everyone's job? I guess it's how you define risk. Personally, I think the CIO should come from the business most of the time. The CIO job is also focused not just on the systems that run the business, but also on how to get things done in an organization. Getting someone from the outside can be dangerous, unless they are a superstar and come with so much credibility that no one gets in their way.
http://www.bloginfosec.com/2008/04/11/cio-the-next-career-step-after-being-the-ciso-why-not/

Bejtlich's Ten
The Zen master has been hitting the road, doing the conference circuit a bit and has drawn some conclusions about the themes of these shows. A few are about grokking the reality that we are hosed. That's right, compromises happen and almost everyone is being targeted, especially the low hanging fruit. I know it's hard to believe, but most of these themes fit very nicely into the network security monitoring religion Richard has been preaching for years. The awful truth is that we are hosed, and as theme #2 states: "We can not stop intruders, only raise their costs." I know that's an uplifting message for today, but it's the cold hard truth. So why bother? Because raising their costs is one of the best defenses. Many of these folks go after the easy targets. If you aren't easy, then you probably aren't worth the effort.
http://taosecurity.blogspot.com/2008/03/ten-themes-from-recent-conferences.html


Pragmatic CSO Podcast #11 - The Fixer

Submitted by Mike Rothman on Wed, 2008-04-23 08:50.

Wolf is the Fixer

This week I take another tangential journey to discuss a concept I call "The Fixer." You know, when a senior staffer is airlifted in to "fix" security. The Fixer knows how to get things done in your organization, and can certainly be viewed as a threat and as indicative of the fact that security is broken.

How should you deal with the Fixer? Why is he (or she) there? Can you turn this into an advantage?

Check out podcast #11 and find out...

Running time: 6:40

Intro music is Jungle and I sign off with the classic Kool and the Gang anthem "Jungle Boogie," which is the song I associate most with Pulp Fiction. Yes, that's where I stole the term "The Fixer."

Direct Download: 11_Pragmatic_CSO_Podcast_11.mp3

Subscribe in a reader

The Daily Incite - April 22, 2008

Submitted by Mike Rothman on Tue, 2008-04-22 08:02.
Today's Daily Incite

April 22, 2008 - Volume 3, #39

Good Morning:
After my little heretical rant yesterday, I decided to take a step back and wonder why I'm so skeptical and cynical. It makes the Boss crazy. I question everything. If I ask "why?" or "help me understand" one more time, I may get a 12" saute pan in the cranium.

It's not that I am trying to be difficult. For me, it's all about PROVE IT. I've been known to just blurt out "Name that Tune" in meetings and people look at me like I'm nuts. This happens when I just don't believe what I'm hearing. So I challenge the folks around the table to do it, prove me wrong. Or to use a bad '70s game show analogy - name that tune in 3 notes.

We are security folks, and I don't think security folks ask nearly enough questions. I guess some of us are scared of how we'll be perceived. Or that we'll lose credibility because we don't know all the answers. That's why many of us need to keep looking for new jobs every 18 months or so. 

We should be questioning the senior team about strategy, especially as it relates to letting "outsiders" and customers into our systems. We should be questioning whether that remote sales person really needs a database of every friggin' customer on their laptop. We should also ask about the web application architecture before it goes live. Just so we understand the threat vectors. Yes, this can be annoying, so you have to learn to be a good, not annoying, interrogator.

I start almost every strategy meeting with a standard disclaimer. It's along the lines that I don't have any answers, but I have some ideas and I have a lot of questions. And I proceed to pepper the subjects with question after question after question. These folks probably feel subjected to a KGB interrogation. I ask all of these questions for a couple of reasons. First is so that I can understand the client's perception of the situation and then gauge how realistic their views are. If they are living in fantasy-land, I need to shake them out of that pretty quickly.

Another reason I ask questions is that I'm looking for the patterns. You know, something I can grab on to and draw either a comparison or a contrast. It's usually very helpful for most folks to understand that they aren't alone, that other folks have been where they've been and probably screwed up what they are trying to do. I truly live by the old adage that if you fail to remember history, you are doomed to repeat it.

So make a little mid-year resolution. Ask a lot more questions. Don't accept what people tell you as the rule of law or as the truth. Make them defend their positions and justify why they are doing something. At the end of the day, we as security folks can't stop them (for the most part), but we can make sure they understand the risks and ramifications of what they are doing.

And the only way I know to do that is to ask questions. Are you having a great day? See, asking questions isn't so hard.

Photo: "Question Everything" originally uploaded by dullhunk



Top Security News

"A nice little company"
So what? - I love positioning and the little barbs rival CEOs leave for each other. Looking at this NetworkWorld interview of Symantec's John Thompson makes me laugh. Thankfully he's owning up to having some issues with the Veritas deal, but that's water under the bridge. The reality is it's still not clear how the go-to-market model needs to work between security and storage. Despite JT's protestations, the jury is still out on that. But what makes me hysterical is when he's asked about McAfee and calls them "a nice little company and they do a nice job." Ouch. Personally, I think this is a pretty ridiculous way to look at the competition. One of the problems with big security is that they are fat, dumb and happy. They are pleased to milk their cash cow a bit and haven't done much to really change the way things are done. If there is one thing you can say about McAfee right now, it's that they are not comfortable. The new regime is questioning everything (see above), challenging the way things are done, and basically executing much better. He similarly dismisses Microsoft's efforts in security. I'm pretty sure that one of the seven deadly sins is arrogance. Of course, I have no interest (nor am I even remotely capable) in running a multi-billion dollar behemoth (I can barely run a one person shop), but I would use McAfee as a rallying cry to get my troops focused on the threats and basically uncomfortable about market position, and light a fire under their backsides. But that's just me.

Manage up or manage down? That's a challenge for every CSO
So what? - Yes, I'm still working my way through the "big thoughts" put forth at RSA. This will be the last week I still refer back to the Big Show. But when I was looking through my bookmarks, I just couldn't resist Dark Reading's coverage of CA's Dave Hansen's pitch at RSA. He made the point that CSOs need to become more relevant to the business. He even spouts an interesting statistic, which is that 46% of CSOs spend up to a third of their day just analyzing security event reports. Maybe that number is true or maybe it's not. The reality is I don't have an issue with a CSO analyzing reports for a portion of their day because they need to know what is going on in their environment. They need to see when something is misbehaving and dispatch an expert to figure out if it's really an issue. Hopefully before it becomes a real issue. Though I'm not going to minimize the need to become relevant in the boardroom. That's crucial to being considered a player. And it doesn't happen overnight. The CSO's job is clearly becoming one of persuasion, and that takes time playing the game. Maybe even two-thirds of your time. But with the other third, I don't have an issue with checking out dashboards and trying to REACT FASTER to what is going on out there. You are definitely not relevant if an attacker is in your grill for years, while you are hobnobbing down mahogany row.

Next up for the Bay City Rollers: NBA
So what? - So I may have some fundamental issues with Network Computing's Rolling Review process, but they are certainly looking at some interesting technologies. They've done web app scanners and both inline and out-of-band NAC boxes. Next up is network behavior analysis products. I'm glad to hear that because hopefully it will become clearer how important the idea of baselining your networks and systems and monitoring that baseline is. Now I'm not saying NBA as a stand-alone product category is meeting that need. For those very large enterprises and carriers, it probably does. But over time, this is functionality that must be embedded in either an integrated security management platform or directly within the element management systems of the network and/or the systems. The NBA review kick-off gives a good overview of the technology and what it purports to do. I'm looking forward to seeing if the NWC folks think it actually helps them run and secure their networks. I'm also looking forward to seeing who actually shows up.

The Laundry List

  1. PayPal says "No Safari for you." What do they have against tigers and leopards? - ebizQ coverage
  2. Make sure to send SearchSecurityChannel a holiday card this year. They give you lessons and tips from Bejtlich for free. This one is how to use Snort and Argus together to analyze the network. - SearchSecurityChannel tip
  3. DBAs start your patch engines. Oracle fixes 41 problems in this quarter's update. - SearchSecurity coverage
  4. Aladdin misses Q1 and cuts the 2008 outlook. Is this the shape of things to come, or are Check Point's pretty good results? We'll know more over the next few weeks as other security companies announce. - Aladdin earnings release

Top Blog Postings

Less invasive than a proctologist exam
I read Dennis Fisher's coverage of one of Microsoft's RSA sessions and I wonder if they are occupying the same world that the rest of us are. They are trying to make security "less annoying." Hmmm. I guess that's good news. Clearly Vista's security architecture is head and shoulders above XP, and that's a good thing. But at the end of the day, users don't want to know that security is even there. They don't want prompts (I mean the UAC nightmare), they don't want to be constantly challenged for authentication credentials, and they don't want to make a decision about a piece of code that hasn't been signed by an approved authority. Focusing on things like application whitelisting is a good thing. I'm not sure why they didn't just buy Securewave when they were shopping themselves a few years back. Regardless of anything else, you do have to give Microsoft props, they are going to spend a lot of money to solve a problem. I'm just not sure what problem they are trying to solve.
http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1309350,00.html

Be Secure, and You'll be Compliant
Most people think I just talk to hear myself speak. Or just to sell a few books. But I actually think sometimes the things I say may sort of have some merit. Like this idea of Security FIRST. My pal Nitesh Dhanjani believes in this approach as well and he refers to Equifax's Tony Spinelli's ideas around letting compliance drive security. I like it. But let's hit a fairly important nuance here. The CSO (or security professional) needs to be a bit schizo. On one hand, operationally, it's all about security. But from a funding standpoint, sometimes it's easier to justify an expenditure based on an audit finding or a new regulation or something else that will receive less scrutiny than most of the stuff we security people want to do. No use in beating this horse anymore, I just wanted to point out another like-minded individual (who I think is pretty smart).
http://www.oreillynet.com/onlamp/blog/2008/04/be_secure_and_youll_be_complia.html

Next in the Octagon: Belva and Shrdlu
After hearing of Hoff and Jeremiah facing off in some martial arts hijinks, I figured it would be fun to think about how Ken Belva would love to face off against Layer 8's Shrdlu after she hammered him with some naivety comments on a recent post of Ken's. My opinion is that Ken is off the reservation a bit with this one. So I'm going to act as Big John McCarthy and call the fight with a 1st round tap out. I wonder where Shrdlu learned to apply that arm bar. Basically, the original post (on Slashdot) was more whining about the fact that most executives will choose to line their pockets rather than address a security issue. I think that's a fair assessment. The point is risk is totally SUBJECTIVE. Ultimately the point of what we do is to provide enough information to the senior folks so they can make a relevant and data-based decision about how much risk to take on. Shrdlu's point is that without some objective set of risk measurements (perhaps like Jack's FAIR process) the executives can (and will) continue to do whatever they want. If anything the Slashdot guy is not naive, he's just frustrated because of the way the world works. Based on Ken's vitriolic response, I guess he doesn't take too kindly to being put in an arm bar.
http://www.bloginfosec.com/2008/04/18/slashdot-post-on-security-ethics-demonstrates-professional-naiveness/