Mike Rothman's blog

2008 DOI: Day 7 - The SDLC is your friend

Submitted by Mike Rothman on Mon, 2008-02-25 17:00.
2007 Incite: The Information Strikes Back
2007 finally brings acknowledgement that data/information security is different than protecting the network and servers. Yet, there is a major skills shortage in folks that understand how to protect applications and databases, resulting in accelerating interest in application and database security product offerings. But history will repeat itself, as a “fool with a tool” is still a fool, which doesn’t help customers solve any problems.

2008 Incite: The SDLC is your friend
As innovation in web application scanners is crushed by consolidation and web application firewalls still can’t find their sea legs, security professionals finally get religion about building secure applications, largely to avoid the PCI stick in the eye and embracing the reality that applications remain the path of least resistance. A long, hard cultural struggle ensues between security and software development personnel, but by focusing on building the most critical applications securely, the tide turns regarding the secure systems development lifecycle (SDLC).


Like yesterday’s piece on laptop encryption, I decided to split the 2007 information security Incite in 2008. Why? Because starting to implement a secure software development lifecycle (SDLC) is a key imperative this year. No, you can’t wait until next year or the year after that. Software projects take years to go from idea through deployment to maintenance. Sure, there are many iterations along the way, but if a project starts in 2008 and isn’t built thinking about security from the get-go, it’s not going to happen later.

I’m not going to go through the numbers of why it’s important to fix software defects early in the process. That is obvious or at least it should be. You want to eliminate issues prior to software being deployed. Bokay?

Here’s the rub. Organizationally, it’s hard to embrace secure coding standards. You need a seriously high-level mandate to get everyone on board, and those take some time. Yesterday on Microsoft’s SDL blog, Michael Howard details how Microsoft embraced their SDL. Basically they did it because Bill Gates told them to. They had no other choice. Unfortunately, sometimes that’s what it takes to get the behavior changes that are required.

There are other reasons why the SDL needs to be a short-term imperative. It may be the first situation where security leadership influences other parts of IT and the business to think about security – before they have to. Remember, being a senior security professional requires sales and persuasion skills. Yes, these are more valuable than technical chops moving forward.

As I mentioned, it’s a long tough slog to get the developers to do a threat model when they are architecting the application. It’s hard to get Q/A to add more security tests to their harness because they are already behind since they got the code late. It’s hard to get them to hold up a release, which is already late, because there are serious security holes. Yes, it’s hard.

So how do you get there incrementally, knowing that true adoption of the SDLC will take years? Basically you need to attack the issues on multiple fronts. You’ve got to make the investment in the process (SDLC), but you would also do well to start thinking about how tools can supplement your efforts to amend the process.

Neither web application scanners nor web app firewalls ever really hit the big time. They remain interesting niche markets, but that’s far from what is required to solve the problem. Let’s hit the scanners first. Basically these tools tell you (at a high level) where the holes are in your applications. Actually, to be more correct, they will find SOME of the holes.

Web app scanners cannot find logic flaws in your applications. They have trouble detecting cross-site request forgery. You still need humans to do that. So running a systematic application penetration test is critical to uncovering those issues the technology doesn’t catch. The fact is the tools only go so far, and we still need skilled humans to do a comprehensive analysis of an application.

Yet, running a current generation scanner is better than not running one at all. Two of the biggest players in that space were Watchfire and SPI Dynamics. Both were acquired last year by the development tools divisions of IBM and HP, respectively. There is a real risk that innovation slows for both of these companies, since the scanner business is hardly adjacent to development tools.

On the web app firewall front, these devices just never got going. And now you have new entrants (like Palo Alto Networks) and the existing firewall folks claiming to do more sophisticated application-level firewall functions. There are some protocols and attack vectors that web app firewalls handle, that the other devices can’t. Does that mean you need it? As usual, it depends on what you are trying to protect. If it’s that important, then the answer may be yes. But the market has spoken thus far, and web app firewalls are being voted off the island.

I want to wrap up with a little career advice. I get asked frequently where practitioners should focus their efforts and how they can maximize their opportunities and status within their organization. I tell them to learn how to break and protect applications. There is a major skills shortage in dealing with application security, so if you are looking to become more relevant – that’s where to supplement your skills.

Photo credit: freshelectrons

The Daily Incite - February 25, 2008

Submitted by Mike Rothman on Mon, 2008-02-25 10:38.
Today's Daily Incite

February 25, 2008 - Volume 3, #18

Good Morning:
How many folks can you call when you get into a jam? Seriously. Folks that will drop everything to help. You kind of wonder, but you never really know. Until you need to know. I had to know on Thursday and Friday of last week, and I was overwhelmed by the answer. 

I guess I should provide some context. Our best friends from MD lost a parent last week. It was expected, but it still sucked. The Boss wanted to be there for the service on Friday morning and to help out with all of the events that need to be staged, catered, and cleaned. For some reason Jews think they have to have at least 3 days of solemn gatherings to properly mourn. So you need to buy a ton of food and have people in your house for days, which is the last thing you want to do when you've just lost a loved one. But there was a pretty serious fly in the ointment. I was traveling and couldn't physically get home before Friday morning.

So we made a few calls and found 3 separate families willing to take one of the kids on Thursday night. Note this was on about 2 hours notice and all of these folks have their own kids and crap to take care of. But every single call we made was met with a "no problem, when are you dropping them off?" Unbelievable.

But it gets better. I was supposed to be home around noon on Friday, in plenty of time to collect the kids and get things back into the normal routine. That was SUPPOSED to happen, but a combination of the horrible Hertz NeverLost interface and my own stupidity put more flies in the ointment. Instead of being directed to the right airport with an hour to spare, I was directed to the wrong airport with 50 minutes to spare.

That's the issue with those nav systems. I'm a big fan, but there is a tendency to stop thinking when you have the "voice" telling you where to go. I thought I entered the right destination, but I didn't. OH CRAP! When I finally did resume my thinking, I was 50 minutes from the airport - and 60 minutes until my flight was taking off. It didn't look good and it wasn't. I missed the flight, which turns out to be a very bad thing on a Friday when there is bad weather in the Northeast. 

I was lucky to get another flight on Friday and I still had the issue of what to do with the kids. So I got back on the horn. I called some of our friends and family and they came up big. My sister-in-law picked up Leah at the bus and hung out until another friend could pick her up for a sleepover. We had someone else pick up the twins at pre-school and do a play date until I got back (about 8 PM after delays and the like). The kids had fun and they never even knew the depths of their Dad's stupidity.

When I called and said "I'm in a jam." Each one said, "what can I do to help." No hesitation. No thinking. No worrying about their tennis lesson or coffee appointment or anything else. They were just concerned with what they could do to help. Of course, I would do exactly the same thing (and have), but it's still mystifying to me when other people are willing to do that for us.

Those were hard calls for me to make. I'm not one to ask for help. But it's really great to know that when I need it - people that we care about are willing to step up big time. It's all too easy to take these kinds of relationships for granted. I was guilty of that. But I learned a lot of important lessons last week. First, a nav system doesn't give you the right to turn off your brain. When I started learning how to build things, the old adage was "measure twice, cut once." Evidently check the destination twice before you let the nav system direct you.

Second, when someone calls and needs a favor - just say yes. Unless it's not humanly possible to help out, you say yes. You never know when the shoe will be on the other foot. So I've got some homework for you today. Call up 3 good friends and thank them. For nothing in particular, just thank them for dealing with your idiosyncrasies and being there when you need them. They'll be surprised and pleased, and you will too. It's not that hard, and it means a lot.

Have a great day.

PS: This week we'll finish up the Days of Incite. Look for #7 later today.

  1. Express Your Inner Bean Counter
  2. It's time for an audit revolution
  3. Best of Breed DOA
  4. Weaving security into the network fabric
  5. Night of the Internet Dead
  6. Laptop encryption hits the big leagues

Circle of Friends statue available at MexicanImports.com

The Pragmatic CSO
The Pragmatic CSO:
Available Now!

Read the Intro and Get
"5 Tips to be a Better CSO"

www.pragmaticcso.com
Get Your Special Report:
6 Easy Steps to Protect Your Identity
and
get access to Security Mike's Portal today

www.securitymike.com

Security Mike's Guide to Internet Security

Top Security News

How do you spell xenophobia?
So what? - Last week 3Com and Bain held up their hands and gave up their attempts for the buyout transaction, scuttled (at least publicly) by the US Government's objection to Chinese vendor Huawei's presence as a minority investor. This all seems a bit fishy to me. Stiennon draws some comparisons to the Check Point/Sourcefire deal, but realizes both of these situations are all about politics. My boy Richard was one of the only voices saying CHKP/FIRE was a bad deal, but it wasn't about the threat of the Israelis controlling Snort. He just thought it was a crappy deal on fundamental terms, which gets back to Richard's long-standing disdain of anything IDS. Given FIRE's two blown quarters right out of the gate, he's not wrong. 3Com's deal falling apart is different. It's largely because of Huawei, but in reality Bain could easily have written a check for the additional investment and taken Huawei out of the deal - if they wanted to close it bad enough. Clearly they didn't, so they didn't. I'm not going to get into a debate about whether Chinese companies can be trusted owning US technology assets. The reality is they already do. Where do you think a lot of the capital that funds our trade deficits comes from? Every big tech company is crawling all over themselves to figure out how to sell more to China. The technology is already there. The US Government's hurdles for foreign ownership of technology assets are now too high, and that means a reasonable exit path for a lot of companies is now out the window. Play out the thread a bit more and it will have a chilling effect on investment (since liquidity is now that much harder to come by) and ultimately on innovation. It's a global world now folks, if global capital can't find a home in the US - it's going to find a home somewhere else - and that isn't good for American competitiveness.

VMware desktop vulnerability found - start your hype engines
So what? - The folks at Core Security found another attack vector for the shared folder capabilities within VMware desktop. The attack allows a malicious program to jailbreak through the shared folder capability. VMware hasn't fixed the problem, rather recommending that customers just turn off the shared folders. But the real question is more fundamental, and that is how long will it be before real 0-days start showing up targeting hypervisors? And does that mean all of this noise about virtualization security will become more than just noise? Basically I'm not there yet. I do believe that the hypervisor is an operating system and thus needs to have all the protection and process to keep that operating system secure. I also believe this is a problem that VMware should be solving. If Microsoft was starting to build Windows from scratch, knowing what they know today, do you think there would be an AV market? So I'm still skeptical there is a long-term market for "virtualization security," though I do know that our virtualization needs to be secured.

Can Google be trusted with health records?
So what? - You do have to hand it to Google, they are definitely throwing a lot of crap against the wall to see what sticks. The latest effort is partnering with the Cleveland Clinic to pilot a system that allows the sharing of patient medical records. Of course, the privacy hounds are barking at the moon, and it appears that moving your health records to a third party (not a healthcare provider) gets around HIPAA privacy requirements. Who cares? It's not like HIPAA has any teeth anyway. The reality is you can't really manage your own health care records even if you wanted to. They are spread out amongst a variety of providers and getting a comprehensive view is near impossible. So if Google gets involved, it will spur innovation and eventually (after 3-5 iterations) we'll get to something that works for a majority of the patients out there. John Soat has an interesting perspective on his InformationWeek blog. Unfortunately the innovation process is messy. Things will be done wrong, people's information will be compromised. It'll be sad. But it needs to happen because there is no other way to do it. It will take years to gain consensus on how much privacy is enough and how those records can/should be used. That's years we don't have. My take is bravo to Google and the Cleveland Clinic for trying. I'm looking forward to 5 years from now, when we are a lot closer to the right answer - so I can take control of my own medical records.

The Laundry List

  1. Vasco announces quarter, misses numbers as deals are delayed, Street hates it, stock falls. Seems to be a trend. - Vasco earnings release
  2. Blue Coat announces strong quarter and maintains guidance. Street hates it, stock falls. Damned if you do, damned if you don't. It's fun being a public company, eh? - Blue Coat earnings release
  3. NAC gets a bad rap? I don't think so. The NAC vendors are reaping what they sowed. Hype cuts both ways. - SearchSecurity coverage

Top Blog Postings

The quicksand of database encryption
The Mogull and his bionic shoulder are starting a multi-part, multi-level analysis series on database encryption. It's pretty complicated stuff and the only thing DBAs hate more than security people is security people that want to mess with their databases. Understanding why you are thinking about DB encryption is a critical first step. But I'll add one additional layer of complexity, especially to the idea of DB encryption to facilitate separation of duties (and protect content from administrators, compromised machines, etc.), and that is the compensating control. Most organizations think about DB encryption because there is a compliance gun to their heads. Not because they have nothing better to do and DB encryption seems like fun. With PCI's compensating controls clause, these same organizations will be able to put alternative defenses in place to achieve largely the same goals. I suspect there are only a few legitimate use cases where DB encryption is going to make sense, but we'll leave that to the Mogull to say, since that is his bag.
http://securosis.com/2008/02/12/introduction-to-database-encryption/

FDE has DLP in an arm bar
Who would win if the data leak prevention market got in the Octagon with full-disk encryption? I feel compelled to steal the thunder of my Day 9 of Incite post (on DLP) because Chandler does a great back of the envelope calculation that shows why full-disk encryption makes a lot more sense in the short-term than DLP. It's all about assessing the real risk to your organization and comparing that to the cost of deploying a solution. I could belabor the point, but this really says it all: "DLP costs more, reduces risk less (including some specific, high-profile regulatory risks), is much harder to implement, much costlier to support, and at the end of all that, is less likely to actually make a difference in our losses (IMHO)." Once again, Chandler is right on the money. Farnum also has some thoughts on the DLP market, and he still has a lot of questions about the ultimate value proposition around the technology. He's not alone.
http://thurston.halfcat.org/blog/2008/02/20/bote-analysis-of-dlp-vs-full-disk-encryption/

Get out of the excuses business
Michael Howard (one of the leaders of Microsoft's SDL initiative) has a great post here about what it takes to really adopt a secure software development process. Basically the entire organization needs to change, and the only way that happens is by a top-down edict. If excuses are tolerated, then very little progress will be made. In Microsoft's case, it was Bill Gates telling everyone they are going to change or they can find somewhere else to build software. Ultimately it's a cultural thing. Secure software doesn't get built by hoping it will be secure or by making excuses as to why some changes aren't being made. Every software company can and should learn a lot from Microsoft's journey. Because those that don't remember history are bound to repeat it, and I suspect a lot of software companies are going to learn that lesson the hard way.
http://blogs.msdn.com/sdl/archive/2008/02/21/the-first-step-on-the-road-to-more-secure-software-is-admitting-you-have-a-problem.aspx

Recently on the Security Incite's Blogs

Find out what Security Mike is talking about
http://sm-blog.securitymike.com

Check out the latest on the Security Incite blog
http://blog.securityincite.com/

Read the most recent Daily Incite

http://securityincite.com/security-incite-rants/daily-incite

The Daily Incite - February 21, 2008

Submitted by Mike Rothman on Thu, 2008-02-21 09:52.
Today's Daily Incite

February 21, 2008 - Volume 3, #17

Good Morning:
I'll admit it, I'm human. Some days I'm just not as motivated as I need to be. My list of things to do is overflowing and there are so many cool projects to do, so why can't I get the motor in gear some days? It's kind of like when you are thinking about dinner and you pop open the fridge and NOTHING looks good. So you go to the pantry, still no dice. What about the freezer? Not so much. So you make a turkey sandwich and watch some bad TV. That usually takes care of it.

The reality is that it's about recovery. As much as I love what I do, there are some days when I'm just fried. Maybe I've been traveling a lot. Maybe I'm a little blocked in driving a writing project to conclusion. Maybe I'd just rather surf the web and do "research" for a large portion of the day.

The good news is that I have the ability to do that. I'm accountable to my clients and readers to get some stuff done, but I do have a lot of flexibility in when I do that stuff. There are some days when I get very little done during the day for any number of reasons. But I kick ass at night after the kids go to sleep.

Ultimately I'm finding a way to align my work processes with my internal rhythms of when I am engaged in my activities and when I'm not. I know, I'm a pretty lucky guy to have such an unstructured gig that lends itself to adapting.

What do you do if there are some days when you feel like you are just going through the motions? Basically, write the day off. Seriously. Figure out the 1 or 2 things that you absolutely need to get done. Periodic laziness shouldn't result in you being thrown out of the car at a high rate of speed. Do those things and do them early in the day. Even if you don't want to. Then work on some other projects. Maybe hit YouTube. Go roam around the shop floor or talk to some users. Call a friend you haven't chatted with in a while. Go work out. You can even play hookie. Your boss probably won't even notice. Just get out of your typical work process because you need a break. 

And don't feel guilty about it. Everyone needs to recover. Be candid with yourself. As opposed to sitting there, looking at your computer screen and revving your guilt engine, go make the day great and memorable. The work will be there tomorrow. I promise.

There are some cultures that embrace this reality, like Google. They force employees to take 20% of their time to work on projects not related to their day job. That is truly prescient. It allows folks to chase their passions, yet also be respectful of the reality that some business needs to get done.

You may not work at Google, but understand that renewal process is important - even if you have to do it informally.

Have a great weekend.

PS: I've posted the next two Days of Incite Posts. 7 will hit today and I'll finish up next week.

  1. Express Your Inner Bean Counter
  2. It's time for an audit revolution
  3. Best of Breed DOA
  4. Weaving security into the network fabric
  5. Night of the Internet Dead
  6. Laptop encryption hits the big leagues

Fishing image uploaded by Altus


Top Security News

Maybe try a nuke
So what? - I couldn't wait to crack open the CRN article called "SonicWall CEO: How to beat Cisco." It was kind of like waiting for a train wreck. You see the guy sitting in the tracks, blissfully unaware the big train is about to mow him down. The CEO makes the points that technology is a differentiator and Cisco is too expensive, which ultimately means the channel can make more money. The first I don't get. UTM is a commoditizing business, at least in the mid-market SonicWall serves. Those folks don't care about technology, they care about getting it done and saving money. At least the folks I'm talking to. What about the price thing? That is actually true. Cisco is not the low cost provider. They don't have to be, so why would they? In line with this full frontal assault on Cisco, SonicWall also announced a series of bigger UTM boxes. Of course, it's easy to poke at the leader. Cisco probably spends more on toilet paper and soda than SonicWall sells in a quarter. It's not like they are going to respond and squash SonicWall like a bug. Since this is a CRN article, the takeaway is for the VARs. Aggressive vendors will bribe you with higher margins and more attractive accelerators to try to move their boxes. In a lot of cases, that's a good idea. Yet, don't forget to factor in the extra time it will take to sell the deal because you've got to overcome the resistance of not going with the leader. I'm all for competition and like the fact that SonicWall is taking off the gloves. That's good for everyone, it's just entertaining because I've seen this movie so many times before.

Value depends on what you are testing
So what? - I'm a big fan of testing, I think I say that once a week. You need to exercise your defenses because the bad guys do that every single day. So what techniques do you use? Most use scanners to pinpoint vulnerabilities. Others take it up a level and have application security personnel try to find the logic flaws in their Internet-facing applications. Some also use automated pen testing tools like Core Impact and Metasploit to pinpoint real exploitable vectors. All of these techniques should be in use as part of a structured security assurance process. Speaking of Metasploit, HD Moore's employer - Breaking Point - is now sending out gear for reviews. Network Computing puts the BPS-1000 through its paces and it's pretty impressive. It can break your networking stuff. It also starts at $185,000, so it's not like Joey's Bag of Donuts is going to be taking delivery of one. But if you have to protect an environment where downtime minutes are measured in millions of opportunity cost - then something like this makes sense. Is it a huge market? Nope. But it's definitely an interesting niche.

PKI waking from its NAP?
So what? - With Windows Server 2008 on the streets (or almost), now we are going to start seeing why upgrading is important. I think Microsoft proved with the Vista launch that security isn't really enough of an issue to push upgrades, but that is also for client machines. Doing something to secure servers (where the important information is) certainly makes more sense to consider. You'll be hearing a lot about Network Access Protection (NAP), which is basically Microsoft's NAC approach. This SearchWindowsSecurity tip pokes a bunch of holes in NAP, mostly because of weak enforcement methods (like DHCP). But using NAP in combination with IPSec, does that change things? The concept is that if you have a certificate issued onto a machine, then you can allegedly "trust" the client that is connecting to the network. It's still pretty porous if you ask me. Yet it gets back to NAC with unmanaged vs. managed clients. If your endpoints are managed, then you can install an agent and have more control. If they are unmanaged, IPSec isn't going to help. So once again, you need to think in terms of layers. That's a big change.

The Laundry List

  1. "Secure, accelerated access" is happening as the perimeter continues to integrate and evolve. The latest data point? A bus dev deal between Fortinet and Riverbed. - Fortinet/Riverbed release
  2. Zix is not dead yet, showing about $24 million in top line for 2007. They continue to burn cash, though a lot less cash than they have been burning. Are they turning a corner? Not unless the email encryption market turns that corner... - Zix earnings release
  3. How do you get the forensics mindset? Check out my monthly SearchSecurity column to find out. - Rothman SearchSecurity column

Top Blog Postings

Never sell past the close
We are all sales people. I don't care who you are and what you do, you are selling something to someone. Maybe it's your project team at work or your kids at home. If you are trying to persuade anyone to do anything, then that is a sales process. One of the best pieces of advice I ever got was: "Never sell past the close." That means once you have agreement from someone, SHUT UP. Don't talk anymore. Take your win and move onto the next battle. I must say that a couple of times a week to the Boss, once she's "convinced" me of something. Tom Evslin has a great series of posts about training the Nerd CEO, but the ideas (which also include "the power of silence" and the "first employees") are more universal. It's basically just good advice on how to deal with people. Now that you are convinced, I won't press my luck and sell past the close.
http://blog.tomevslin.com/2008/02/morph-of-a-nerd.html

Compliance is SUBJECTIVE
Anton makes a good point about whether there is a list of "exactly" what you need to log in order to be PCI compliant. There definitely is not. It's basically based upon the whims of the auditor/assessor that shows up. The process is totally subjective. The good news is that PCI is certainly more specific than any of the previous regulations, but it's by no means a firm checklist of things to do. Sorry, I know a lot of lazy practitioners would rather a bunch of empty suits at the credit card companies to tell them what to do. So you deal with this uncertainty by always focusing on DOING THE RIGHT THING to protect your stuff. Remember - security FIRST! Then your audit becomes more about defending and substantiating the controls you've put in place, rather than trying to compare to some mythical checklist.
http://chuvakin.blogspot.com/2008/02/must-do-logging-for-pci.html


2008 DOI: Day 6 - Laptop encryption hits the big leagues

Submitted by Mike Rothman on Wed, 2008-02-20 15:32.
2007 Incite: Patching the Leaks
More high profile privacy train wrecks force many customers to just buy something to address the information leakage problem. Laptop encryption turns out to be far from a panacea, while multi-protocol leak prevention gateways remain in high demand. Users demand integration at both ends (client and perimeter), foreshadowing more consolidation. Users finally figure out data protection is more of a process issue, forcing Pragmatic CSOs to ask tough questions of senior IT managers on how data is handled and who has access to it.

2008 Incite: Laptop encryption hits the big leagues
Since remote employees insist on losing laptops and the Government insists on notifying customers when private information is lost, security teams respond by rolling out full disk encryption far and wide. Within two years, this market disappears, first because every endpoint security suite will include a FDE option (2008) and later because the operating system makers (Microsoft and Apple) do a good enough job (2009) to kill stand-alone offerings.


As I look at the 2007 Incite on leak prevention, it focused on the broader DLP space. This year, I’ve decided to break the Incites up. The DLP piece will hit in a couple of days, but in the meantime I want to focus on laptop encryption.

When I did the dry run of the Incites to a group of my trusted colleagues, the universal feedback on this was DUH! Everyone already thought laptop encryption was in the “big leagues” and kind of a foregone conclusion. Unfortunately, there is a large part of the world that isn’t there yet.

Just think about the market numbers. Check Point’s PointSec group did something like $80 million in 2007. McAfee’s SafeBoot did a bit less. There are a bunch of other players with significantly less revenue. The firewall business is billions, laptop encryption is not. Yet. Laptop encryption is not a universal thing by any stretch of the imagination. My message here is that it needs to be.

If you have laptops, you need laptop encryption. It’s as simple as that. I don’t care whether you get the big enterprise package or just mandate the use of the built-in O/S tools. You need to do something. Why? Because laptops go away. They are stolen. They are lost. And they have private data on them.

One other thing before I jump into the market dynamics. If you have service providers (outsourcers, contractors, et al) that store your data, then THEY need to do laptop encryption as well. How many organizations are pulling splinters out of their butts because their auditor or their on-site contractor lost a laptop? That should be a requirement for continued business and put as a standard term of professional services contracts. OK, off soapbox now.

What about the market for laptop encryption? Basically, it’s going away. The first wave of this has already happened. Check Point and McAfee took out the two biggest players in the laptop encryption market. There are others and they will be spoken for in 2008. Symantec needs something. So does Trend and every other company that wants to play in the endpoint space. Check Point and McAfee will use the encryption as a wedge and differentiator in a market with precious few differentiators. That means the others are sure to act.

But over time, that capability within the endpoint suite goes away as well, or its value is marginalized at a minimum. The capability will be subsumed into the operating system. Windows Vista already has BitLocker, but it’s not there yet from a centralized management standpoint. Once it plugs into Forefront or maybe just SMS (or whatever they call the management thing nowadays), then it truly becomes a feature. Apple has had FileVault for years as well. That works great, but doesn’t really have central management capabilities.

This is another market where the standalone vendors better find a partner pretty quickly. The window won’t be open for long. They better enjoy the fresh air while it’s there.

Photo of the Enigma machine: chris_malcolm

Pragmatic CSO Weekly #45

Submitted by Mike Rothman on Wed, 2008-02-20 14:18.
Pragmatic CSO Weekly

February 20, 2008 - #45

Mike's Pep Talk:

In a perfect world, security begins at the beginning of time. Unfortunately, as AndyITGuy points out, the world is far from perfect.

In today's Pep Talk, let's revisit the skills that are absolutely critical to being a successful security professional. First, let's focus on the technical stuff. You need to understand web applications and a bit about web application security. That is going to be the attack vector that is most commonly used for the next few years.

Go get that JavaScript book and make sure you understand the fundamentals of AJAX and can see how an XSS happens. You'll also want to familiarize yourself with CSRF attacks.

But that's the easy stuff. As I mentioned in the 2007 Incite called "CSO Next" - the technical stuff is not going to determine success or failure for today's security professional. It's the ability to persuade, cajole, stiff-arm, and ultimately get the other senior managers (both within and outside of IT) on board with the need to think about security early in the process.

Back to Andy's situation because we can all learn from his post. First of all, change doesn't happen overnight. Yet with persistence and consistent effort, it will happen. Andy started with a few project managers, and then got some structural process change (his signature required to deploy an application).

As long as he doesn't position security as Dr. No or yet another hurdle to jump over, his rock is rolling downhill. It will gather speed and within a reasonable planning horizon (it could be months or years depending on the culture) security will be an intrinsic part of all technology efforts. And that is definitely a hallmark of CSO Next.

Photo credit: Gari.baldi

The importance of awareness training

Since we are revisiting a couple of Pragmatic CSO hallmarks this week, let's touch on security awareness training as well. I dug through my archives and found this survey from last year covered in InformationWeek. It's horrifying for a guy that evangelizes the need to have layers of defense deployed to stop as many attacks as possible.

YOUR END USERS ARE A LAYER. Just like a firewall, that is in front of an IPS, that is in front of a web application firewall, that is in front of a network security monitor, that is in front of a database monitor, that is in front of a partially encrypted database - you want a number of synergistic layers in place to ensure that if one control fails - things don't go south. Your end users can be another important layer of defense against a world of increasingly malicious client-side attacks.

Unfortunately, your users are not born with an instinct to defend themselves against cyber-predators. They've got to be taught. And you have to teach them.

It's easier to just buy a product, or outsource a function and hope the problem goes away. Yet you know that hope is not a strategy. You need to use all of the resources at your disposal, and your end users are certainly one of them.

Buy It Now!

Ready to buy the Pragmatic CSO right now? Good, I'm sure you'll find the process of value to your organization. But if not, then remember you've got 30 days to tell me it sucks and ask for your money back. Click on the links below and go right to the shopping cart. A journey of 1000 miles begins with one step, take that step today.

 

Buy the Book | Buy the PDF

 



2008 DOI: Day 5 - Night of the Internet Dead

2007 Incite: You (Mal)ware it well
The most significant innovations in 2007 come from the bad guys continuing to find new ways to compromise desktops and install rootkits/Trojans and other bad stuff, resulting in the first million bot network. Big AV responds with more integrated suites, but remains under siege from new entrants looking to milk the AV cash cow. For users, the best defense turns out to be a good offense as Pragmatic CSOs spend significant time and effort training users and pushing ISPs to address the damage of rampant bot activity.

2008 Incite: Night of the Internet Dead
With a majority of attacks (like drive-by downloads) no longer requiring user interaction, the number of active zombies continues to multiply exponentially. Organized fraud networks increasingly use targeted, social engineering-based attacks because they work, forcing users to put a premium on REACTING FASTER and training users to stop doing stupid things, as opposed to hoping a new shiny product will solve the problem.


Last year’s malware Incite was about integration, and that has largely come to pass – so I ended up consolidating that topic with the perimeter Incite since both functions are no longer “best of breed” types of functions.

This year I want to focus on the inevitability of compromise. I don’t mean you’ll work out your issues more cordially with your significant other this year. I mean the fact that your users will do something stupid and thus they will get 0wned and that means your environment will be compromised.

Nowadays, it’s just too easy to get nailed. The users don’t have to do anything. The bad guys are now installing drive-by downloads on LEGITIMATE sites. Let me go over that again. The bad guys compromise a legitimate server and have it download a Rootkit or Trojan to all the visitors. It happened to an ISP a couple of weeks ago.

There is no defense against this. Training your users isn’t going to help, since they are going to a legitimate site. But it gets better. Now the bad guys may be specifically targeting YOU or someone in your organization. That’s right. They know your name. They know your email and they want to get something from you. It’s a lot more likely if you are a “C”-level something for a big company or in the news or something like that.

But all the same, this level of targeting is unprecedented.

Since I’m no mathematician (sorry Mr. Calabrese, I probably should have paid better attention in 11th grade), let me do the calculus. Users get nailed going to sites they trust and the bad guys are now specifically targeting them. Crap. What the hell do we do now?

You know what’s coming don’t you? That’s right, you need to REACT FASTER. For long time Incite readers, this is a predictable outcome. I’ve never been one to say that you can “get ahead of the threat.” The best you can do is to make sure you figure out you’ve been compromised before there is too much damage.

Yes, it’s all about containment and incident response. Though we shouldn’t get the cart ahead of the horse here. First we need to know something is wrong. We do that by monitoring. So do yourself a favor and get Bejtlich’s book on network security monitoring. That is the bible of how to do this.

I believe that this is a function that needs to be integrated into the security management platform. I talked in the Best of Breed DOA Incite that security management will undergo a fundamental shift towards an integrated platform mentality. Monitoring logs, Netflow, and other stuff (like database logs, applications, transactions) is critical to figure out what you should be focusing on.

Unless you are the one in a million that has so many security resources and budget that you get through your list every day – you need to prioritize. How do you prioritize your activities? By investigating the stuff that looks fishy, and you find that stuff via monitoring.

Here is some math even I understand: Monitor aggressively + REACT FASTER = Live to fight another day.

Photo credit: Drunken_Monkey

The Daily Incite - February 19, 2008

Submitted by Mike Rothman on Tue, 2008-02-19 08:31.
Today's Daily Incite

February 19, 2008 - Volume 3, #16

Good Morning:
The Boss went away for the long President's Day weekend. So it was me and the kids all weekend. Talk about the inmates running the asylum. I did a quick check of the paper to see what fun activities we could do. We've been to the Children's Museum and the Aquarium plenty of times. Then I saw it. THE CIRCUS. Not any crappy circus. Ringling Brothers. The real deal. The Greatest Show on Earth. Now that will be fun.

We'll even make it truly an adventure by taking the train into the city. Yeah, we could have driven, but what fun would that be? Nothing like mixing up with the residents of our fine city. I guess I shouldn't have been surprised when a clown walked up to us as we were waiting for the train. This guy was in full clown get-up. Thankfully the kids don't have an aversion to clowns. Not yet anyway.

This wasn't any plain clown. This was Beebo the Wonder Clown. Think Roscoe P. Coltrane (from the Dukes of Hazzard) as a clown. A beer belly, a thick Southern drawl and a pocketful of balloons. And a pile of business cards, just in case I wanted to hire Beebo for the kids' next birthday party. Thanks, but I'll pass.

Then we got to the arena. And the merchandising began. $14 for an elephant mug. Not a chance. $28 for 2 lemonades and 2 popcorns. Wow, I'm glad I went through the couch and got that extra change before we left. It wasn't going to be one of those budget activities.

The kids loved it. The acrobats and the clowns (normal clowns, not Beebo) and the tigers and the elephants. They drank it up. Truth be told, when the trainer was surrounded by the 10 tigers, I was amazed that the fellow didn't become dinner. Even one tiger could have made quick work of that little guy with the whip. I'm glad they were well behaved. I shudder to think of the therapy bills for the kids if they saw that dude get mauled.

As we were on the way home, I asked each kid what their favorite part of the circus was. The twins liked it when a clown got out of a very little car. They thought that was cool. Leah couldn't make up her mind. She liked it all.

What was my favorite part? Seeing the look of wonder as my kids got to experience the Greatest Show on Earth. That was priceless.

Have a great day.

PS: I've posted the next two Days of Incite Posts.

  1. Express Your Inner Bean Counter
  2. It's time for an audit revolution
  3. Best of Breed DOA
  4. Weaving security into the network fabric

Scary Clown Cake II image uploaded by meltzerbakery


The Pragmatic CSO
The Pragmatic CSO:
Available Now!

Read the Intro and Get
"5 Tips to be a Better CSO"

www.pragmaticcso.com
Get Your Special Report:
6 Easy Steps to Protect Your Identity
and
get access to Security Mike's Portal today

www.securitymike.com

Security Mike's Guide to Internet Security

Top Security News

ArcSight gets the deal done
So what? - In a horrible market, ArcSight got their public offering done last week. It went out at $9 (at the low end of the range) and traded between $8 and $9 Thursday and Friday. It's a tremendous accomplishment to get a security public offering done, so the team at ArcSight should be congratulated. But now what? The business is lumpy and security management is well...security management. George Hulme talks a bit about the SIEM market, but it's pretty much yesterday's analysis. He goes into the history of why many of the SIEM vendors have struggled. By the way, it's not about firewalls and IPS maturing, it's about time to value. Yet driven by regulations, security management is evolving, integrating traditional SIM with log management and a bunch of other stuff. The latest example of this trend is NitroSecurity's new box, which brings a lot of these functions together. The real question is whether a public, standalone security company makes sense anymore. I suspect not, and we'll see how it plays out. Sourcefire certainly had a train wreck in their first two quarters as a public company.
Link to this

Do they make Rolaids for fast-flux phishing?
So what? - I'm always intrigued by how the bad guys constantly innovate, all in the name of masking their identities and covering their trails. This SearchSecurity tip by Ed Skoudis details a new technique called fast-flux. This entails the bad guys using round robin DNS to distribute their phishing sites among a large number of bots. This eliminates the single point of failure issue (when the ISP takes down the site) and also puts yet another layer of abstraction between the victim and the criminal. If it wasn't nefarious, I'd say it was really cool. OK, it's really cool. What would be cooler would be if we could get these folks to apply some of their innovation to the right side of the law. Alas, being good pays like crap, so it's not going to happen. Especially when these guys continue to find ways to make it a lot harder to find them and bring them to justice.
Link to this
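As an added example (my own code, not from the Daily Incite or from Ed Skoudis's tip), here is the defender's side of what the item above describes: profiling repeated lookups of a hostname for the marks fast-flux leaves in DNS answers, namely many distinct addresses spread over unrelated networks, short TTLs, and a fresh answer set on nearly every query. The hostnames, lookups and thresholds are constructed for illustration, and grouping by /16 stands in for an ASN lookup so the script runs offline.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Sequence, Set, Tuple

# One observed resolution: (hostname, TTL in seconds, A records returned).
Observation = Tuple[str, int, Sequence[str]]

# Constructed sample lookups (not real traffic); all addresses are from the
# RFC 5737 documentation ranges.
OBSERVATIONS: List[Observation] = [
    # Fast-flux-like: every lookup returns a fresh set of addresses spread across
    # unrelated networks, with short TTLs so resolvers come back for the next rotation.
    ("login-update.example", 180, ["203.0.113.7", "198.51.100.42", "192.0.2.19"]),
    ("login-update.example", 180, ["198.51.100.9", "203.0.113.88", "192.0.2.200"]),
    ("login-update.example", 120, ["192.0.2.55", "198.51.100.140", "203.0.113.201"]),
    ("login-update.example", 180, ["203.0.113.130", "192.0.2.77", "198.51.100.250"]),
    # Ordinary host: two addresses, long TTL, the same answer every time.
    ("www.example", 86400, ["192.0.2.10", "192.0.2.11"]),
    ("www.example", 86400, ["192.0.2.11", "192.0.2.10"]),
    ("www.example", 86400, ["192.0.2.10", "192.0.2.11"]),
    # CDN-like: short TTL and round-robin rotation, but a small fixed pool in one network.
    # Low TTL or round robin alone must not trip the heuristic.
    ("cdn.example", 60, ["192.0.2.1", "192.0.2.2"]),
    ("cdn.example", 60, ["192.0.2.3", "192.0.2.4"]),
    ("cdn.example", 60, ["192.0.2.2", "192.0.2.1"]),
]


def network_key(ip: str) -> str:
    """Collapse an address to its /16, a crude offline stand-in for 'which network is this'."""
    return str(ip_network(f"{ip_address(ip)}/16", strict=False))


@dataclass
class HostProfile:
    hostname: str
    lookups: int = 0
    min_ttl: int = 10**9
    churn_lookups: int = 0            # lookups whose answer contained a never-seen address
    ips: Set[str] = field(default_factory=set)
    networks: Set[str] = field(default_factory=set)

    @property
    def churn(self) -> float:
        """Fraction of lookups that introduced at least one new address."""
        return self.churn_lookups / self.lookups if self.lookups else 0.0

    def looks_fluxy(self) -> bool:
        # Constructed thresholds for illustration; tune against your own resolver logs.
        # All four have to hold, which is what keeps the CDN-like host below the line.
        return (len(self.ips) >= 6
                and len(self.networks) >= 3
                and self.min_ttl <= 300
                and self.churn >= 0.5)


def profile_lookups(observations: Sequence[Observation]) -> Dict[str, HostProfile]:
    """Fold a stream of resolutions into one profile per hostname."""
    profiles: Dict[str, HostProfile] = {}
    for hostname, ttl, answers in observations:
        p = profiles.setdefault(hostname, HostProfile(hostname))
        p.lookups += 1
        p.min_ttl = min(p.min_ttl, ttl)
        if any(ip not in p.ips for ip in answers):
            p.churn_lookups += 1
        p.ips.update(answers)
        p.networks.update(network_key(ip) for ip in answers)
    return profiles


def flagged_hosts(observations: Sequence[Observation]) -> List[str]:
    """Hostnames whose resolution pattern matches the fast-flux heuristic."""
    return sorted(h for h, p in profile_lookups(observations).items() if p.looks_fluxy())


if __name__ == "__main__":
    for name, p in profile_lookups(OBSERVATIONS).items():
        print(f"{name:22} ips={len(p.ips):2} nets={len(p.networks)} "
              f"min_ttl={p.min_ttl:6} churn={p.churn:.2f} fluxy={p.looks_fluxy()}")
```

Fed from a resolver's query log instead of the constructed list, a hit is a prompt to look at who inside the network resolved the name and when, which is exactly the "figure out you've been compromised before there is too much damage" step the malware Incite above argues for.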

Firefox 3 coming up - security takes front and center
So what? - Mozilla continues their evolution of the Firefox browser. I've been a FFX user for many years, although I have cheated at times with Safari and Camino. Yet, I always go back to the Fox. It's really all about the plug-ins. As Ryan Naraine reports, Firefox 3 is getting close and there is a lot of new security goodness in there. Beta 3 is out, which means hopefully we'll see the finished version by mid-year, if not sooner. New phishing filters and other structures to make it a bit safer for browsing use. But there is only so much they can do. At the end of the day, it's still a browser and it's still software, which means there will still be problems. So why do I push Firefox whenever I can? NoScript. It's as simple as that. Mozilla really should just integrate NoScript into the main core. Unfortunately that would probably scare off a lot of mass market users because it does break a lot of Internet stuff. Of course, it's the stuff that should be broken (like evil scripts, XSS attacks, and malicious Java), but that's beside the point. Ease of use trumps security - every time.
Link to this

The Laundry List

  1. Who says there aren't any margins in software? GFI cuts pricing 45%. Actually this is more indicative of the maturity of the security industry. Price is important now. - GFI release
  2. NetClarity goes bulimic with a 10 oz NAC device. Maybe it's those overweight 1U appliances that are holding up NAC market adoption. - NetworkWorld NAC newsletter
  3. Oracle posts SQL Injection defense training materials. Education is good. Now if only DBAs would pay attention. - Oracle Security Blog
  4. Untangle integrates community contributions. I wonder if the developers get stock options? - Untangle release

Top Blog Postings

TJX is still a good example to use
Interesting post here on Cigital's blog from Sammy Migues about the fact that TJX hasn't really suffered from a business standpoint due to the data breach. The reality is unless the identity theft results in a lot of lost money or lost time and heartburn to recover that lost money, most consumers don't care. They get a new credit card and they go about their business. As Sammy says, TJX runs a good sale - so lots of consumers go back and buy stuff. And truth be told, the consumers should. The idea of paying for everything in cash to avoid potential identity theft is ludicrous. We will all have our identity stolen, multiple times, and there isn't much we can do about it. I guess you could move to a remote island, but they'll probably find a way to get to you there also. More to the point is whether TJX has lost its luster as a train wreck that will shock dimwit executives into spending some money on security. My answer is still a resounding yes. Remember that train wrecks are used to GET ATTENTION, not get funding. You need to make a case as to why the expense is important to get the funding and TJX couldn't do that for you. Even if they went out of business, TJX couldn't do that for you. But the couple hundred million bucks TJX will spend cleaning up the mess will open some eyes in the board room. Now their eyes are open, what are you going to show them?
http://www.cigital.com/justiceleague/2008/02/07/please-dont-fud-the-animals/
Link to this

Chandler's excellent metrics adventure
I love the blogosphere. Why? Because everyone can now be exposed to the sausage factory, you know, how the things we do are done. For a long time, there were only a set of in-the-know insiders who really understood what was going on and aggregated information from lots of sources and popped out some trends. Companies used to pay tens of thousands of dollars a year for access to these insiders. A lot of companies still pay for IT research, but the value will continue to go down as more of this information is now available for free. Folks just need to know where to look. Like Chandler's ongoing series about his struggles with metrics. It's great to see how his thinking is evolving and over time what is working and what isn't. We need discussions like these to get some level of consensus about what should be counted and how to count it. I'll point to a couple of posts that bear reading. First, Chandler's KPI #1, which is about understanding the % of hosts centrally managed and "protected." I'm not sure what protected means, but it's certainly a good place to start. His second KPI is trying to gauge "how secure they are?" by focusing on risk assessment gaps that are closed vs. made exceptions and where in the process the gaps occur. My issue with this one is that each application is different and it'll be hard to get apples to apples comparisons. But I'm a fan of trying stuff, so it'll be interesting to see if this yields any useful trending analysis over time. If not, then he can tune it. And we'll be able to watch and learn. That's what it's all about.
http://thurston.halfcat.org/blog/2008/02/14/kpi-2-how-secure-are-we/
Link to this

We are role models...
Cutaway wonders about whether our personal activity can and should be held up as examples to the rest of the organization. He uses the news peg about the Sacramento Kings cheerleaders that were caught in pictures partying their asses off. Does that same thing apply to us? Per usual, the answer is yes and no. Personally, I don't care if Cutaway dresses in drag on his own time. And those of you that know him, know how funny that would be. I do care if he is caught doing some illegal computer work. I also care if he has his passwords taped to the bottom of his keyboard and whether he sends personal email to his work account. Why? Because we have to LEAD BY EXAMPLE. We can't expect everyone else to follow the rules if we don't. It's as simple as that. For security related things, every security professional must be a role model. And I've heard getting big, tough, military dudes to dress in drag for security awareness training day works wonders. Anyone want to suggest that to Cutaway?
http://www.cutawaysecurity.com/blog/archives/224
Link to this

Recently on the Security Incite's Blogs

Find out what Security Mike is talking about
http://sm-blog.securitymike.com

Check out the latest on the Security Incite blog
http://blog.securityincite.com/

Read the most recent Daily Incite

http://securityincite.com/security-incite-rants/daily-incite

2008 DOI: Day 4 - Weaving security into the network fabric

Submitted by Mike Rothman on Fri, 2008-02-15 09:43.
2007 Incite: Trust No One
The “insider threat” continues to garner tremendous hype, but leaves customers struggling to figure out muddled offerings and providing disappointing results for early adopters. The NAC (network access control) bubble pops rather visibly in a maelstrom of confusion, forcing users to focus on solving specific problems (like visitor and contractor access) and implementing monitoring processes which result in checks and balances at all levels of the organization.

2008 Incite: Weaving security into the network fabric
Network security hits the tipping point where it’s no longer considered novel or a “must-have,” but rather it’s just there – truly becoming a feature of the network fabric. Network Access Control remains a proxy for all things network security, and makes minor inroads in 2008 – largely as people stop talking about it. Independent NAC vendors either sell or struggle, as the big networks force their will on locked-in customers. The NAC standards battle turns out to be much ado about nothing.


When you think about it, there really shouldn’t even be a network security industry. Who is going to connect to the Internet bareback nowadays? Only Rip Van Winkle. Even back in the late 90’s you had to look hard to find folks that didn’t use firewalls. But a firewall alone does not a network security strategy make.

So we had things like IDS and then eventually IPS that made inroads. We had application oriented attacks, so we needed spam gateways, web filters, and web firewalls. Now we have application firewalls because the existing network security devices can’t really handle some of these newfangled attacks. It’s that same innovation, integration, and consolidation cycle I mentioned yesterday.

At the same time the perimeter defenses were integrating, we had a general acknowledgment that letting infected devices connect to our networks was a bad thing. It just took a few SQL*Slammers to show how dangerous it was when a mass proliferating anything breached your perimeter. So the network access control business was born. It was actually called Network Admission Control initially, and Cisco coined the term. Of course, the ABC (anyone but Cisco) crowd couldn’t let that happen, so they all banded together and figured Network Access Control (NAC) was a better term.

NAC was the second coming. NAC was everywhere. NAC could cure cancer. That’s if you believed the hype. I, of course, did not and was projecting a disappointing 2007 for NAC. I was right, but that was obvious. No technology could live up to that hype. And it didn’t.

So where do we go from here? Basically I think a lot of folks forgot the first word in network security, and that is NETWORK. I’m seeing a lot of operational security resources migrate back to the ops teams (and the pendulum swings back) – so a lot of the buying decisions for network oriented stuff are going to increasingly end up with the network folks.

Guess who networking folks like to buy product from? Right, networking vendors. Thus, it’s just a matter of time before Big Networking squeezes the network security specialists out. So anyone selling an exclusively overlay network security solution is going to have a problem. Over time, those capabilities are built into the switch. So if you don’t have a switch and you do NAC, I’m hard pressed to see how that works out a couple years from now.

To be clear, this is not an absolute and it’s going to take years to get there. But to think that end users want layers of overlay security on top of their devices is silly. Also figuring that your favorite big networking vendor isn’t going to get the majority of network security market share is being naïve.

That means the shakeout will continue. And this year it’ll be more than just Vernier becoming Autonomic and heading for higher ground (again). The good news is that there are a lot of big networking firms that don’t really understand security. Most are struggling, but they still have a lot of dumb money. That means Barnum can come in and sell them a bill of goods. It also means that it’s a race, and the one without a seat when the music stops is in a world of hurt.

But don’t believe me. Believe a couple of guys that are actually smart. Thomas and Nate debate NAC towards the end of their annual predictions. And they are right.

Lastly, I want to drive my stiletto deep into the heart of NAC standards. Windows Server 2008 is pretty much here, so now that means NAP will become pervasive, right? Wrong. Cisco has its own thing, and everyone else has TCG/TNC.

But the cold, hard truth is that customers don’t care about standards. If the functionality were important enough, they would deploy the technology without a standard. If it’s not, they tell the sales reps that “standards are important” and they are going to wait for the standards to shake out. That way the sales rep’s ego isn’t impacted and they’ll stop calling. But in reality, the customer is saying, “What you do isn’t important enough to me,” so I’ll wait until it is.

And that seems to be the story of NAC.

2008 DOI: Day 3 - Best of Breed DOA

2007 Incite: Perimeter (R)evolution
The consolidated perimeter platform continues to subsume additional security and networking functions, making top flight content security and application acceleration the next frontier – further squeezing pure-play security players. This accelerates consolidation in the sector, keeping perimeter architectures in flux. Customers increasingly embrace integrated solutions from larger players putting a “best of breed” mindset on life support and proving that “big is the new small.” The first open source perimeter platforms also hit in 2007, providing a legitimate alternative for technically savvy, mid-sized businesses.

2008 Incite: Best of Breed DOA
As security matures as an industry, the concept of “best of breed” goes the way of the dodo bird. Mature technologies such as firewalls, IPS, and anti-virus get subsumed and integrated into bigger “suites” making the individual performance and feature set of a specific function less important. Emerging functions still stand-alone, but not for long as the innovation/consolidation cycle accelerates. Security management offerings also consolidate, driven by the fact that most customers don’t have time to deal with one management hierarchy, certainly not 2 or 10. This continues to reinforce the “big is the new small” trend that has predominated security buying for the past 2 years.

I get a lot of questions about “best of breed.” It’s a manifestation of a couple of deep-seated misconceptions regarding how security has evolved, and also a bit of an ego thing on the part of most security professionals. But before we jump into my amateur Freud act and conclude that it’s our parents’ fault, let’s dig into history a bit.

Most technology markets are driven by the innovation, integration, and consolidation cycle. That means a bunch of new companies start up to solve a specific customer problem. That’s the innovation thing. Then the big, stodgy, un-innovative companies figure out there may be something there, so they integrate the stuff into their existing offering. Finally, these same companies figure out how to sell the integrated innovation (say that 10 times fast), and by then it’s not really that innovative anymore – so they acquire pretty much all the players in the market.

The first stage – innovation – is really what the “best of breed” mindset is all about. In an early market, there usually are marked disparities between the products. Some work, others not so much. So buyers really have to be aware and careful to ensure they don’t buy a pile of steaming poop.

But in later markets, the technical capabilities normalize. Technical differentiation is largely a myth. All the products work “good enough.” At that point, you are buying not on technical capability, but softer issues – like integration with your existing stuff, management, and reporting. At that point, best of breed pretty much ceases to exist.

That’s where we are in a bunch of security markets. In 2007, the Perimeter Incite (referenced above) really reflected this fact, and it definitely came to a head. A lot of folks bought UTM, even though they were only looking at replacing their firewall. Why do this? The more applicable question is really why not? Even if they don’t turn on some of these other capabilities, they could. And over time, probably will.

Same goes with the “endpoint suite.” No companies offer just anti-spyware anymore. Why would they? That capability has been subsumed by what used to be called anti-virus. Rootkit detection? Ditto. Don’t forget about device and application control too. Yep, it’s in there.

But talking about UTM and endpoint suites isn’t particularly inciteful. I think that security management is next on the hit parade to hit this cycle. You have all of the SIM vendors saying they do log management. You also have all the log management vendors adding SIM-like capabilities. The NBA vendors are trying to feed algorithms and analysis (via partnership) to all of the above to stay relevant.

The cycle repeats itself once again. And it will continue to repeat itself. Remember, I’m not as smart as most of you – I’ve just been around longer and I’m good at recognizing the patterns that will repeat.

You don’t have to be a brain surgeon to see this writing on the wall. Market maturity kills product innovation. And that’s why I’ll be the first guy shoveling the dirt on security best of breed.

Photo credit: darleen2902

The Daily Incite - February 14, 2008

Submitted by Mike Rothman on Thu, 2008-02-14 11:15.
Today's Daily Incite

February 14, 2008 - Volume 3, #15

Good Morning:
Another year, another Valentine's Day. The time of year concocted by the flower business in cahoots with the chocolate industry and the greeting card folks. Let's just say I'm not a big fan of this annual February ritual. Yes, the fact that I'm so romantic is not lost on the Boss. I've been apologizing for almost 14 years now.

When you think about it, Valentine's Day is pretty kooky. Let's celebrate our love by eating chocolate. Huh? And not like a good 2 lb bar of Hershey's. It's got to be those weird chocolate things with gooey filling. Life is like a box of chocolates, you never know what you are going to get... It worked for Forrest Gump, not for me. Could they think of a worse, more addictive vice to use in celebration? Why didn't they just use opium if they wanted us to revisit our addictions every February? We could set up a big neighborhood hookah and party. Maybe we'll have a free basing lesson for the kids. Now that would be festive, wouldn't it?

I'll also admit to not being a flower guy. I'm horrified to admit that more than once my kid brother sent flowers to the Boss and signed my name to the card. Actually not that horrified or I wouldn't be telling you. Yes, my brother is a good, considerate guy. And me...not so much. He saved me from a bunch of hot water through the years.

I don't get flowers. They die. They don't smell that good to begin with and if you leave them in a vase for a few days they start to get funky. What's the use? I guess they add a little color to your house for a few days. If I want color, I could get fake flowers. At least they last a little longer, and they don't smell.

But that would once again put me in the soup with the Boss. She doesn't like the fakes. So I shelved that plan. 

What works for me is a card. I know the greeting card folks are in on the conspiracy, but that's OK because I like cards. It might have something to do with the fact that I write for a living. I usually pick a card that is funny and then I take a few minutes and write a nice note inside. A heartfelt message. One that is timeless and that she'll be able to look at in the years to come and remember that I'm not always a total jackass.

Another thing that I like is that cards last forever. I still break out the first Valentine's Day card I got from Leah in 2001. It says, "To my First Valentine..." It's awesome. It's in the drawer right next to my desk and has been for 7 years. Try doing that with a flower.

Have a great weekend, and oh yeah, Happy Valentine's Day. Also enjoy President's Day on Monday. It's a Daddy weekend that is bleeding over until Monday - so I'll be back Inciting on Tuesday.

PS: I've posted the first two Days of Incite Posts. The 3rd hits later this morning and the 4th tomorrow.

  1. Express Your Inner Bean Counter
  2. It's time for an audit revolution

 
 dead flowers image uploaded by lolla_sig



Top Security News

Will my speech recognition understand "ostrich"
So what? - Vulnerability research used to be a waiting game. The researcher would find an issue, report it to the vendor and then hopefully at some point be mentioned in the patch announcement. Notice I say "used to be." I'm not going there now, but there is little incentive for researchers to do anything but publicize what they've found - when they find it. But what happens after that? Usually nothing. That's been the case with the Vista speech recognition hole that George Ou found last year. For those folks who require speech recognition, this is pretty bad. But Microsoft has decided (for lots of reasons I'm sure) not to fix it and George is calling them on it. Will it have any impact? Probably not, because it's a low footprint issue, given the number of folks that are likely vulnerable. You can't fix everything, so something has to fall off the list - I get that. If people were setting up MySpace pages with these kinds of voice exploits, it might get a higher priority. But until then it's back to the ostrich game. I hope the sand is warm. 

Passwords still good enough
So what? - Here we go again. About every 18 months, a bunch of vendors get together and try to convince everyone that passwords are a problem and they really need to buy tokens. Now the tokens are a lot cheaper (you can get one from PayPal for $5), and sort of standardized now with OATH 2.0 hitting the streets a couple of months ago. Here is a good overview of OATH at Network Computing. But the fact remains that almost no one cares about strong authentication. The FFIEC did, so the banks had to spend the end of 2006 adding things like mutual and two-factor authentication to their banking sites. Last time I checked I was still able to get into my online banking system with a simple password. In fact, it's a password that can have NO MORE than 8 characters. How friggin' strong could that be? But are they going to issue tokens to everyone? Not a chance. It's cheaper for them to pay for the eventual fraud than it is to fix the problem. Yes, it's risk management gone wild, but it's all about the economics. I actually use very strong passwords (I use 1Password on my Mac to manage them) and thus I feel as safe as I'm going to. But the reality is that as long as it's cheaper to suck up the costs of fraud, passwords will be good enough.
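For readers wondering what one of those cheap OATH tokens actually computes, here is an added example (mine, not from the newsletter or from any token vendor) of the event-based OATH algorithm, HOTP as specified in RFC 4226: HMAC-SHA1 over a shared secret and a counter, truncated to six digits. The server-side check is the part that matters for fraud: it tracks the last counter it accepted and only looks a small window ahead, so a code captured from a phished login cannot be replayed once the real one has been used. The secret and expected codes below are the published RFC 4226 test vectors; the window size of 5 is an assumption of this example, not a standard value.

```python
import hashlib
import hmac
import struct

# Shared secret from RFC 4226 Appendix D (ASCII "12345678901234567890"),
# used here only so the output can be checked against the RFC's test vectors.
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the low 'digits' decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def verify_hotp(secret: bytes, server_counter: int, submitted: str,
                window: int = 5, digits: int = 6):
    """Server-side verification (window size is this example's choice).

    Accepts 'submitted' if it matches any counter in
    [server_counter, server_counter + window); the token may be ahead of
    the server if the user pressed the button without logging in.
    Returns the new counter to persist (one past the matched value), or
    None on failure. Counters below server_counter are never accepted,
    which is what makes a replayed code worthless."""
    for c in range(server_counter, server_counter + window):
        expected = hotp(secret, c, digits).encode("ascii")
        if hmac.compare_digest(expected, submitted.encode("ascii")):
            return c + 1
    return None


if __name__ == "__main__":
    for c in range(3):
        print(c, hotp(RFC4226_SECRET, c))
    # First use of counter 1 succeeds and moves the server to 2 ...
    print(verify_hotp(RFC4226_SECRET, 0, "287082"))
    # ... so replaying the same code afterwards fails.
    print(verify_hotp(RFC4226_SECRET, 2, "287082"))
```

Two things to note when deploying this: the server must store the updated counter atomically, or two concurrent logins with the same captured code both succeed; and a large look-ahead window weakens the scheme, since an attacker guessing six digits gets 'window' chances per attempt instead of one, so rate limiting stays necessary.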

Another reason for layers
So what? - Can we move past PDF? That's the question asked by a Symantec researcher on their blog (H/T to Ed Moltzen for pointing it out). That's an interesting question. My answer is an unqualified no. We can move on from PDF no sooner than we jettison DOC or XLS or PPT. PDF is the way a lot of information gets sent around. Now to be clear, Adobe needs to bring their A game (like what Microsoft has done) because they are now a target. They need a structured patching process and to invest a crap load of money in security research to be able to respond to the threats. But ultimately it's software, which means there will be holes. What to do? Don't put all your eggs in one basket. You need layers: strong anti-spam that stops a lot of the solicitations from getting through, web gateways that protect users from themselves, and endpoint protection just in case the other stuff doesn't get it done. And then you'll still get nailed. Then you kick your incident response plan into gear. I guess if I think about it, we could stop using PDF. In the same way we could unplug from the network as well. That's definitely one way to stay protected.
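To make the "web gateway" layer concrete, here is an added example (mine, not code from the newsletter, from Symantec or from any gateway product) of the kind of triage a gateway or mail filter can do on a PDF before it reaches the reader: look for the name objects that give a document active behavior (/JavaScript, /OpenAction, /Launch and friends). Two details matter in practice. PDF names may hex-escape characters, so /J#61vaScript is the same name as /JavaScript and must be decoded before matching; and PDF 1.5 object streams (/ObjStm) hold objects in compressed form, where a byte-level scan cannot see them, so a "clean" result on such a file is not evidence of safety and should hand off to a deeper layer. The three sample documents are constructed for this example and are not real malware; the risky-name list and the three-way verdict are this example's choices.

```python
import re

# PDF name objects: '/' followed by regular characters, ended by whitespace
# or a delimiter. '#xx' hex escapes are part of the name and decoded below.
_NAME = re.compile(rb"/([^\s/\[\]<>(){}%]+)")
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")

# Names that give a PDF active behavior (list chosen for this example).
RISKY_NAMES = {
    b"JavaScript": "embedded JavaScript action",
    b"JS": "JavaScript code stream",
    b"OpenAction": "action run when the document opens",
    b"AA": "additional (automatic) actions",
    b"Launch": "launches an external program",
    b"EmbeddedFile": "carries an embedded file",
    b"RichMedia": "Flash / rich media content",
}


def _decode_name(raw: bytes) -> bytes:
    """Resolve '#xx' escapes so /J#61vaScript compares equal to /JavaScript."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)


def triage_pdf(data: bytes) -> dict:
    """Count risky name objects visible in the raw bytes and note whether
    the file uses object streams that this scan cannot look inside."""
    findings: dict = {}
    has_objstm = False
    for m in _NAME.finditer(data):
        name = _decode_name(m.group(1))
        if name == b"ObjStm":
            has_objstm = True
        elif name in RISKY_NAMES:
            key = name.decode("ascii")
            findings[key] = findings.get(key, 0) + 1
    return {"findings": findings, "has_object_streams": has_objstm}


def verdict(data: bytes) -> str:
    """Gateway decision for this example: quarantine active content,
    send opaque (object-stream) files to deeper inspection, pass the rest."""
    result = triage_pdf(data)
    if result["findings"]:
        return "quarantine"
    if result["has_object_streams"]:
        return "inspect"
    return "pass"


# Constructed sample documents (not real files, not real malware).
BENIGN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Opens with a JavaScript action, with the action name hex-escaped.
SUSPICIOUS_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
4 0 obj << /S /J#61vaScript /JS (app.alert('hello')) >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# Objects hidden inside a compressed object stream: nothing risky is
# visible, but nothing can be ruled out either.
COMPRESSED_PDF = b"""%PDF-1.5
1 0 obj << /Type /ObjStm /N 1 /First 5 /Length 20 >> stream
xxxxxxxxxxxxxxxxxxxx
endstream endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_PDF), ("suspicious", SUSPICIOUS_PDF),
                       ("compressed", COMPRESSED_PDF)):
        print(label, verdict(doc), triage_pdf(doc)["findings"])
```

This is a heuristic, not a parser: it will miss names split across filters or encodings it does not handle, and it says nothing about the exploit itself. That is exactly why the passage argues for layers, with endpoint protection and an incident response plan behind the gateway.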

The Laundry List

  1. Speaking of passwords, BioPassword can stop credential sharing. It's interesting, but only after someone finds their accounts shared on warez boards. - BioPassword release
  2. Ron Gula answers the question, "How often should we scan?" A lot and with Nessus. What did you think he was going to say? To Ron's credit, he actually has decent reasoning behind it. - Tenable blog post

Top Blog Postings

Yet another reason for DLP
In my 2008 Incite (#9), I pretty much took a dump on DLP. Though to be clear (and I will be when I write the Days of Incite post) it's not because DLP doesn't solve a problem. It's really a market acceptance issue. The parallels I see between DLP and SIM are significant. Both are hamstrung by taking a long time to get value, and there are other ways to solve the problem for a lot less money that are good enough. Not perfect, but good enough. Before we write off DLP, let's get back to the problem. The fact remains that our data is pretty much everywhere now and although controlling it is a losing battle, we need to fight the good fight. Tom Olzak brings up another use case, and that is the online collaboration applications. I'm starting to use Google Docs for some work I'm doing and over time I'm sure I'll be doing more of that, not less. My data isn't that important, but yours might be. I don't think this will be enough to push DLP through the chasm this year, but it's certainly something to think about.
http://blogs.ittoolbox.com/security/adventures/archives/the-promise-and-the-threat-of-webbased-productivity-suites-22412

PCI Marketing gone wild
Last year I was going to do a series called "Security Marketing Gone Wild" because I was seeing some pretty egregious transgressions out of some security marketers. I never got around to it, which is too bad. We, as an industry, have an issue with this. More than a fair share of CFOs and CEOs already think security is the equivalent of snake oil because our practitioners can't really tell them what the value is. As the little niche market has become an industry, we've got our share of carpetbaggers and those sorts that are here to make a quick buck, as opposed to solving a problem. Mark Curphey destroys a recent campaign from Barracuda for being this kind of snake oil. He's absolutely right. Barracuda's idea of "plug and play PCI compliance" is more than a little offensive. It just doesn't work that way. PCI compliance is a journey, not a destination, and it's not something you can solve by putting a web filtering gateway on your Internet connection. But as long as companies keep falling for this ruse, unscrupulous vendors will keep pushing their own little bit of snake oil. And the customers whose data is compromised end up holding the bag. I guess some things never change.
http://securitybuddha.com/2008/02/07/security-marketing-spinning-further-out-of-control/

27002 + PCI = what?
In one of SearchSecurity's Compliance School lessons, Richard Mackey talks about how a structured framework like ISO 27002 could be used within the context of PCI compliance. He makes a couple of good points, though using all the vernacular does get a bit confusing. So I'll try to clarify things a bit. As I've said a million times, focus on SECURITY FIRST. You can do that via a framework like ISO 27002, which is going to define a lot of the stuff that you could do from a security standpoint. Mackey's idea is that 27002 is the large umbrella and you can use the PCI subset of requirements as a place to get started. The danger in this approach is that you never get to some of the other stuff. I would much rather folks figure out what they need to protect (and why), use the framework to define the best way to protect the data, and then compare that to the regulation. Then you are protected and compliant. As opposed to compliant, but not necessarily protected.
http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1295905_tax309647,00.html
