The Daily Incite – 12/09/09 – Plunger Tales
December 9, 2009 – Volume 4, #37
Good Morning:
Like many of you, I’ve got some friends that are pretty hardcore geeks.
They measure not just aggregate number of computers in their house, but
also the ratio of computers to people. Some are in the 1.5-2 range, and
others have embraced personal virtualization, so their ratio is off the
charts.
But that isn’t a relevant measure for me. I’ve got my share of devices
and I’ll be building a lab over the next few months, so my ratio will
dramatically "improve," in the eyes of my geeky friends anyway. But I
was reading an interview with Tom Petty in Rolling Stone last night,
and he made a statement like "it’s really was better back then."
Now, to be clear, lots of things are better today than they were. Connectivity, computing power, and content have all improved. One place where we’ve taken a huge step back is in flushing power. That’s right, I’ve got angst this morning about the current state of toilets. Don’t laugh, this is a serious problem.
You see, I eat a lot of roughage. Being a vegetarian, there isn’t much
else for me to eat, but it’s also good for my digestive system and
helps keep my mass in control. But there is a downside to all that
roughage. I don’t just drop the kids off at the pool, I drop a
village.
Today’s low flow toilets are not built for guys like me, who are not
small and eat a mostly green diet. The clog rate hovers around
75-80%, which means I need to have plungers. EVERYWHERE. I basically
have close to a 1.5x plunger to bathroom ratio in my house. Well, for
most clogs the mini-plunger will do and each bathroom is outfitted with
one as standard equipment. But sometimes you need specialized tools,
like the plunger with flanges. Or maybe the orange plastic one that
looks like an accordion. I’ve also got 2 different snakes when plunging
doesn’t get it done.
Yet, sometimes even a toilet snake doesn’t work. About once a year
(usually corresponding to one of the kids trying to "hide" an entire
roll of toilet paper in the toilet) I have to get out the heavy
artillery. I have a device that uses compressed air to pretty much blow
anything stuck in my toilet clear to the treatment plant. Now that is
cool, but I have to remember to wear my Intel bunny suit to keep
clean.
Thankfully my kids haven’t figured out that the meanest thing they
can do to me is to hide the plungers. And I’m counting on all of you to
keep my secret. I guess that’s kind of like my Kryptonite.
I think maybe the Europeans have this one right. They don’t worry about
low or high flow. They just figure if it can be solved with a toilet
brush, it’s not really a problem.
Have a great day, and may the force be with your alimentary canal.
Photo: "Poopy the Plunger" originally uploaded by zoomar
Incite 4 U
- Cloud security is overblown – Sometimes I just have to laugh at some of the stuff I see in the trade rags. I dug this InformationWeek blog post from Alexander Wolfe out of the archives because after baring my soul about my plunger issues, I figured I needed to take someone else to task for a good dose of idiocy. This guy’s position is that cloud security may be overblown because we already have an answer – encryption. That’s the answer to everything. We’ve already got the architecture, and if we’d just encrypt everything it doesn’t matter where it resides, right? Uh huh. I guess Hoff needs to find something else to do now, since all the thinking he’s been doing about cloud security isn’t relevant. Having barely survived the PKI wars in the late 90’s, I can’t say much besides that encryption isn’t a panacea for anything.
- Next year’s PCI emerges – Many in the security industry are looking for what’s next. What’s going to be the next attack, regulation, widget, etc. to spur sales of products that no one needs? I think I found it: it’s the HiTrust CSF. Neil Roiter does a bit of work to describe the opportunity to security resellers. Now to be clear, the concept of a framework to protect healthcare information is valuable. I’ve got no issue with that, but I’m already playing out the fiesta driven by the industry parasites to make whatever widget they are selling today a "key" part of the HiTrust CSF. Of course, healthcare organizations will be able to be "certified" through a HiTrust certification program. Which will likely mean as much as PCI compliance or a SAS70 audit. But I guess I shouldn’t complain, I’m just another one of those parasites, feeding off the fat of the land, calling everyone else a parasite.
- Time to start looking for the BBD? – Over the past 18 months, many security folks have basically kept their heads low and tried to make sure they weren’t on the list to be downsized. But now with the economy (seemingly) improving, does that mean it’s time to start looking for the bigger, better deal (BBD)? It depends. In this CSO article, Jack Phillips from IANS voices the concerns of large company CISOs that are worried their employees might look for greener pastures elsewhere. If you are staff level, I think how your company treated you during the downturn is instructive. If you felt abused and like a piece of meat, I suspect it won’t get better during the upturn because that is a cultural issue. The words may change, but the behaviors likely won’t. For managers, unfortunately now is the wrong time to try to make it right for team members. If you treated (or were forced to treat) your people like crap, blaming the economy and just letting it happen, you will reap what you have sown. When those employees find something better, don’t wonder what happened. And build a culture where people want to work there, regardless of the economy.
- Quant comes to the database – I’m a fan of the work Rich and Adrian do in their "Project Quant" initiatives. Every security person struggles with understanding the relevant metrics to track both security and operational efficiency. So spending time to decompose the actual process behind a function and look to quantify those functions (by having folks in the community share their own data) is valuable. The Securosis guys started on the patch management front and are now focusing on database security. This post represents early work on establishing the process model for database security. I suspect the goal is to build Quant models for all the major aspects of security, which will be a great thing for all of us that still can’t answer the questions about whether we suck at security or not. At least from an operational perspective.
- How deep is the moat? – Many of us security talking heads spend a lot of time focusing on what’s next. So things like application security and database security are big issues. Unfortunately most of the world is still trying to figure out how an IPS works. Far too many may have spent some time building a moat (in terms of a perimeter security strategy), but really have no idea whether it works and if they are protected from the badness "out there." This piece by Joel Snyder on SearchSecurity reminds us about how and why to validate those perimeter defenses. Now to be clear, the cutting edge stuff represents real attack vectors and I’m not minimizing the importance of those aspects. I’m just reminding myself (and maybe all of you) that most organizations have no idea how to test their defenses, and they really need to learn.
- Security and Business Strategy, huh? – I’m constantly reminded that most security professionals still think it’s about the bad guys. They are our foils and provide us with innovative attacks to keep us on our toes, but we always need to remember security is a means to an end, in that ultimately we have to contribute to helping the company either make money or save money. Here is a link to Part 1 of an interview with SANS’ Stephen Northcutt talking about some of these issues. I also like to ask security folks whether they know their company’s mission statement and how often they get face time with business leaders. Those that don’t understand their business have a very small shot at being successful.
- Finding the impact of what we do – The always entertaining Shrdlu goes on a bit of a tirade here about the "meaning of metrics" and before Thanksgiving did a far better job than I have to isolate the issues with how we count things. The reality is we tend to focus on things we do, not the IMPACT of what we do. I’ve long held the belief that security folks have to really manage two sets of "metrics." There are operational metrics that indicate how well we do security. And there are other metrics that need to quantify the real business impact (either positive or negative) of what we do. Business folks don’t care about operational metrics, but they sure do care if they can’t take orders because some hacker group has poked huge holes in the e-commerce application. Operational metrics should be reasonably consistent regardless of what business or size of company you are in. Impact metrics will be very specific to your company and depending on culture may or may not be consistent even within your vertical. For better or worse, the success of most CISOs is directly correlated to how well they understand the impact metrics.
*** This is a Security Bloggers Network syndicated blog from Mike Rothman's blog authored by Mike Rothman. Read the original post at: http://securityincite.com/blog/mike-rothman/the-daily-incite-12-09-09-plunger-tales