The Daily Incite – 12/03/09 – Not so GRRRRREEEEAAAAATTTTT!!!!
December 3, 2009 – Volume 4, #35
Good Morning:
With the holiday season coming up, I know it’s hard to get presents for
me. I want for nothing and if I do want something, more often than not
I just go and buy it. Within reason, of course. So I know it’s a
challenge for folks in my family to get me anything. But I can only
imagine how hard it is to buy a present for a guy like Tiger Woods.
Yes, that Tiger Woods. The
one who makes over a hundred million a year. And who married the
Swedish model. If you were to ask almost everyone, if they could pick a
perfect life – I’d say most would say Tiger’s got it pretty good.
Evidently not. I was pretty disturbed when the news of his
"transgressions" hit the major media yesterday. First of all, this
story has outweighed little issues like sending 30,000 more troops to
Afghanistan over the past week. But I shouldn’t be surprised. Our
celebrity-centric US media engine means they’ll sell a lot more page
views by talking about Tiger’s dick than the tens of thousands now in
harm’s way. Got to let that one go.
At least Tiger didn’t pull a Steve Phillips. The stripper or
whatever is pretty decent looking. But still, he married a SWEDISH
MODEL. Really seriously I just don’t get it. Is this guy’s life so good
that he has to go and screw it up because he can? Because a dream for
99.999999% of the population has just become commonplace. Please, help
me understand it.
Is it the need to exercise power? Is it the feeling of being
invincible? I guess all the psychologists out there are having a field
day trying to figure it out. I guess now that I’m writing, I’m just
sad. Sad that what seems like the perfect life I guess isn’t so
perfect. Sad that this guy has to face his failings in such a public
way. But ultimately sad that once again, human nature has trumped any
sense of logic.
That old adage about money doesn’t buy happiness, I guess is true. It
seems a Swedish model doesn’t make you happy either. I guess for Tiger
being the best golfer ever is not enough. Having untold riches is not
enough. Having a beautiful family isn’t enough either. After all, in
Tiger-land I guess things aren’t really that
GRRRRREEEEEAAAATTTTT!!!!
Have a great weekend.
Photo: "The world’s saddest tiger, part deux" originally uploaded by peppergrasss
Follow me on Twitter: @securityincite
Incite 4 U
It’s nice to be flexing the analytical muscles again. I can say I’ve
gotten a bit soft over the past 15 months. But like all muscle memory,
the cynicism, skepticism, and general venom will be back before you
know it. Alan and Mitchell invited me to participate
in their podcast yesterday, which was great fun. We laughed,
we cried, we made fun of people, but mostly we laughed. Enjoy.
- It’s not just a job, it’s an adventure – Happiness is a fleeting concept. It’s here for a few minutes, then it’s gone, then it’s back. Hopefully it’s not gone for too long. I wanted to send a shout out to AndyITGuy for doing some good analysis of where his head was at after he got laid off recently. It was a heartfelt and candid post. We all have days where we feel like that. The reality is security is a hard job – on a good day. And if we are going to find any measure of happiness, you have to be able to understand you can do only what you can do. Sometimes you just need to move on, especially if the organization isn’t going to give you the opportunity to be successful. But many of us thrive on challenge and don’t believe anything is impossible. That’s why you do security.
- If you aren’t breaking your stuff… – Someone else is. That’s right, it seems driven by the recent Rapid7/Metasploit deal, pen testing software is back in the spotlight. The folks over at Dark Reading did an analysis of the market, and Nick Selby also weighed in on what he expects in that market over the next year. I’m glad folks are starting to see the importance of what I call "security assurance." If you are a company of size, you should have someone on your staff breaking things every day. And they should be using live ammo. Vuln scanners are important too (if only to see the depth of your issues), but you really need to take it to the next level and see what can really be exploited. It’s also good to see higher level application attacks starting to show up in the app scanners as well.
- Ramping up the "cyberwar" hype cycle – Here is the reality: technology is an intrinsic part of everything today. Why do I need to state such an obvious truism? Because folks continue to want to convince us that there is something new here. Take McAfee, for instance – they recently did a report on "cyberwar," making the point that an increasing number of attacks seem politically motivated. And what’s new about that? If you want to sabotage a competitor, why not break into their systems? Or rob a bank? Or bring down critical infrastructure? Or get intel on an enemy’s defenses? Of course, a technology attack is the first, best path. You only bring in the Black Ops guys when you really need to. I’m not challenging the findings, I’m just wondering why this is news.
- SMBs like SaaS – Directly from the Duh! files, the folks at Dark Reading are hyping a report they wrote about how SMB organizations should be protecting their stuff. One of the conclusions is that Security as a Service (SaaS) is an attractive alternative. Really? And then they start throwing the numbers out. $38K for a web gateway software vs. $15K for a managed service. If you know how to use Excel, you can make the numbers say anything you want. But the reality is not really about cost savings, it’s about expertise and leverage. A lot of these security devices need daily tuning, care and feeding, and that just doesn’t work for an overworked IT guy in a smaller company. So to me the interesting part of SaaS isn’t how much money you can save, which may or may not materialize. It’s the leverage that can be gained by having someone else manage the crap you don’t have time to manage.
- If Big J says I’m doing it wrong… – We are still very early in the evolution of application security, and that means we are still subjected to religious battles like white box vs. black box testing. Thankfully Jeremiah Grossman provides some much needed perspective here, in terms of making the point that BOTH is the right answer. There are some things that code review is better at finding, and you cannot minimize the need to automate using scanners and other tools. As with everything else in security, there is no one silver bullet for application security. It’s about minimizing the risk that you’ve missed something, and using every tool, technique and process at your disposal is just the right thing to do.
- Whitelisting good – Normally reviews don’t interest me that much, unless it’s really indicative of a changing market. So this piece by Roger Grimes for XWorld (all the IDG properties seem to share content now) testing a bunch of whitelisting products is really indicative of a market that is mature enough to disappear. Huh? That’s right, once a large set of products actually work and solve the problem, then the capabilities can and should be subsumed into a bigger category, and that’s exactly what is happening. First of all, I’m a big believer in whitelisting. The old way to find malware (checking against signatures) isn’t getting it done. And over time, we’ll see all of the big AV vendors move to a hybrid "cloud" (meaning the extended sig database is in the cloud) and whitelist-driven approach. And it still won’t work, but that’s another story for another day.
- Think dummy, think – Adam says it all. We don’t do enough of this.
- Damage control, the 30,000 foot view – Sometimes I like to check out "security tips" targeted towards a mass market audience to see how closely some of this stuff maps to reality. The good news is that this post on how to respond to an incident from VentureBeat is pretty good. To be clear, it’s VERY high level, but for this audience that’s fine. They don’t want to hear about chain of custody, EnCase or BackTrack. They need to understand the general process, not the details. The very high priced forensic guys can worry about the details. But as I’ve said countless times, it’s not about being perfect (you can’t), it’s about making sure an incident doesn’t become a catastrophe.
*** This is a Security Bloggers Network syndicated blog from Mike Rothman's blog authored by Mike Rothman. Read the original post at: http://securityincite.com/blog/mike-rothman/the-daily-incite-12-03-09-not-so-grrrrreeeeaaaaattttt