The Daily Incite – 12/03/09 – Not so GRRRRREEEEAAAAATTTTT!!!!

Today's Daily Incite

December 3, 2009 – Volume 4, #35

Good Morning:
With the holiday season coming up, I know it’s hard to get presents for
me. I want for nothing and if I do want something, more often than not
I just go and buy it. Within reason, of course. So I know it’s a
challenge for folks in my family to get me anything. But I can only
imagine how hard it is to buy a present for a guy like Tiger Woods.

"Yeah I'm sad, the model is taking half my stuff..." (photo caption)

Yes, that Tiger Woods. The one who makes over a hundred million a year.
And who married the Swedish model. If you asked almost anyone to pick a
perfect life, I'd say most would say Tiger's got it pretty good.

Evidently not. I was pretty disturbed when the news of his
"transgressions" hit the major media yesterday. First of all, this
story has outweighed little issues like sending 30,000 more troops to
Afghanistan over the past week. But I shouldn’t be surprised. Our
celebrity-centric US media engine means they’ll sell a lot more page
views by talking about Tiger’s dick than the tens of thousands now in
harm’s way. Got to let that one go.

At least Tiger didn’t pull a Steve Phillips. The stripper or
whatever is pretty decent looking. But still, he married a SWEDISH
MODEL. Really seriously I just don’t get it. Is this guy’s life so good
that he has to go and screw it up because he can? Because a dream for
99.999999% of the population has just become commonplace. Please, help
me understand it.

Is it the need to exercise power? Is it the feeling of being
invincible? I guess all the psychologists out there are having a field
day trying to figure it out. I guess now that I’m writing, I’m just
sad. Sad that what seems like the perfect life I guess isn’t so
perfect. Sad that this guy has to face his failings in such a public
way. But ultimately sad that once again, human nature has trumped any
sense of logic.


That old adage that money doesn't buy happiness is true, I guess. It
seems a Swedish model doesn't make you happy either. I guess for Tiger,
being the best golfer ever is not enough. Having untold riches is not
enough. Having a beautiful family isn't enough either. After all, in
Tiger-land I guess things aren't really that

Have a great weekend.

Photo: "The world's saddest tiger, part deux" originally uploaded by peppergrasss


Incite 4 U

It’s nice to be flexing the analytical muscles again. I can say I’ve
gotten a bit soft over the past 15 months. But like all muscle memory,
the cynicism, skepticism, and general venom will be back before you
know it. Alan and Mitchell invited me to participate in their podcast
yesterday, which was great fun. We laughed, we cried, we made fun of
people, but mostly we laughed. Enjoy.

  1. It's not just a job, it's an adventure – Happiness is a fleeting
    concept. It's here for a few minutes, then it's gone, then it's back.
    Hopefully it's not gone for too long. I wanted to send a shout out to
    AndyITGuy for doing some good analysis of where his head was at. He got
    laid off recently. It was a heartfelt and candid post. We all have days
    where we feel like that. The reality is security is a hard job – on a
    good day. And if we are going to find any measure of happiness, we have
    to be able to understand that we can do only what we can do. Sometimes
    you just need to move on, especially if the organization isn't going
    to give you the opportunity to be successful. But many of us thrive on
    challenge and don't believe anything is impossible. That's why you do
    security.
  2. If you aren't breaking your stuff… – Someone else is. That's right,
    it seems driven by the recent Rapid7/Metasploit deal, pen testing
    software is back in the spotlight. The folks over at Dark Reading did
    an analysis of the market, and Nick Selby also weighed in on what he
    expects in that market over the next year. I'm glad folks are starting
    to see the importance of what I call "security assurance." If you are a
    company of size, you should have someone on your staff breaking things
    every day. And they should be using live ammo. Vuln scanners are
    important too (if only to see the depth of your issues), but you really
    need to take it to the next level and see what can really be exploited.
    It's also good to see higher level application attacks starting to show
    up in the app scanners as well.
  3. Ramping up the "cyberwar" hype cycle – Here is the reality:
    technology is an intrinsic part of everything today. Why do I need to
    state such an obvious truism? Because folks continue to want to
    convince us that there is something new here. Take McAfee, for instance
    – they recently did a report on "cyberwar," making the point that an
    increasing number of attacks seem politically motivated. And what's new
    about that? If you want to sabotage a competitor, why not break into
    their systems? Or rob a bank? Or bring down critical infrastructure? Or
    get intel on an enemy's defenses? Of course, a technology attack is the
    first, best path. You only bring in the Black Ops guys when you really
    need to. I'm not challenging the findings, I'm just wondering why this
    is news.
  4. SMBs like SaaS – Directly from the Duh! files, the folks at Dark
    Reading are hyping a report they wrote about how SMB organizations
    should be protecting their stuff. One of the conclusions is that
    Security as a Service (SaaS) is an attractive alternative. Really? And
    then they start throwing the numbers out. $38K for a web gateway
    software vs. $15K for a managed service. If you know how to use Excel,
    you can make the numbers say anything you want. But the reality is not
    really about cost savings, it's about expertise and leverage. A lot of
    these security devices need daily tuning, care and feeding, and that
    just doesn't work for an overworked IT guy in a smaller company. So to
    me the interesting part of SaaS isn't how much money you can save,
    which may or may not materialize. It's the leverage that can be gained
    by having someone else manage the crap you don't have time to manage.
  5. If Big J says I'm doing it wrong… – We are still very early in the
    evolution of application security, and that means we are still
    subjected to religious battles like white box vs. black box testing.
    Thankfully Jeremiah Grossman provides some much needed perspective
    here, in terms of making the point that BOTH is the right answer. There
    are some things that code review is better at finding, and you cannot
    minimize the need to automate using scanners and other tools. As with
    everything else in security, there is no one silver bullet for
    application security. It's about minimizing the risk that you've missed
    something, and using every tool, technique and process at your disposal
    is just the right thing to do.
  6. Whitelisting – Normally reviews don't interest me that much, unless
    it's really indicative of a changing market. So this piece by Roger
    Grimes for XWorld (all the IDG properties seem to share content now)
    testing a bunch of white listing products is really indicative of a
    market that is mature enough to disappear. Huh? That's right, once a
    large set of products actually work and solve the problem, then the
    capabilities can and should be subsumed into a bigger category, and
    that's exactly what is happening. First of all, I'm a big believer in
    white listing. The old way to find malware (checking against
    signatures) isn't getting it done. And over time, we'll see all of the
    big AV vendors move to a hybrid "cloud" (meaning the extended sig
    database is in the cloud) and white list driven approach. And it still
    won't work, but that's another story for another day.
  7. Think dummy, – Adam says it all. We don't do enough of this.
  8. Damage control, the 30,000 foot view – Sometimes I like to check out
    "security tips" targeted towards a mass market audience to see how
    closely some of this stuff maps to reality. The good news is that this
    post on how to respond to an incident is pretty good. To be clear, it's
    VERY high level, but for this audience that's fine. They don't want to
    hear about chain of custody, EnCase or BackTrack. They need to
    understand the general process, not the details. The very high priced
    forensic guys can worry about the details. But as I've said countless
    times, it's not about being perfect (you can't), it's about making sure
    an incident doesn't become a catastrophe.
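To make the point in item 6 concrete (signature checking vs. an allowlist-driven approach), here is an added example that is not from the post or from any product it mentions. The "files" are just constructed byte strings, the signature pattern and approved hash set are made up for the demo, and the two classifier functions are hypothetical stand-ins for the two approaches; the interesting case is the never-before-seen sample, which a signature-only engine waves through and a default-deny allowlist stops.

```python
import hashlib
import re

# Constructed sample "files" (byte strings standing in for executables).
KNOWN_GOOD = b"MZ\x90\x00 trusted-updater v1.2"
KNOWN_BAD = b"MZ\x90\x00 payload EVIL_MARKER_2009"
NEVER_SEEN = b"MZ\x90\x00 freshly packed dropper, no signature exists yet"


def sha256(data: bytes) -> str:
    """Content hash used as the allowlist key."""
    return hashlib.sha256(data).hexdigest()


# Allowlist: hashes of binaries an administrator has approved (constructed).
ALLOWLIST = {sha256(KNOWN_GOOD)}

# Signature blocklist: byte patterns lifted from known malware (constructed).
SIGNATURES = [re.compile(rb"EVIL_MARKER_\d{4}")]


def matches_signature(data: bytes) -> bool:
    return any(sig.search(data) for sig in SIGNATURES)


def signature_only(data: bytes) -> str:
    """Classic AV model: default-allow, block only what a signature recognises."""
    return "block" if matches_signature(data) else "allow"


def allowlist_first(data: bytes) -> str:
    """Allowlist model: default-deny. Only approved hashes run; signatures are
    still consulted, but only to label what was denied for the analyst."""
    if sha256(data) in ALLOWLIST:
        return "allow"
    if matches_signature(data):
        return "block:known-malware"
    return "block:unknown"


def compare(samples: dict) -> dict:
    """Run both classifiers over a name -> bytes mapping."""
    return {name: (signature_only(d), allowlist_first(d)) for name, d in samples.items()}


if __name__ == "__main__":
    results = compare({"known_good": KNOWN_GOOD, "known_bad": KNOWN_BAD, "never_seen": NEVER_SEEN})
    for name, (sig_verdict, allow_verdict) in results.items():
        print(f"{name:11s} signature-only={sig_verdict:6s} allowlist-first={allow_verdict}")
```

The flip side is the "care and feeding" cost from item 4: rebuild the trusted updater and its hash changes, so the allowlist blocks it as unknown until someone approves the new build. That operational burden, not the detection logic, is what the post means by whitelisting being subsumed into bigger products.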

*** This is a Security Bloggers Network syndicated blog from Mike Rothman's blog authored by Mike Rothman. Read the original post at:


Mike Rothman

Mike is a 25+-year security veteran, specializing in the sexy aspects of security, such as protecting networks and endpoints, security management, compliance and helping clients navigate a secure evolution to the cloud.
