
The Daily Incite – 12/17/09 – Changing my Xmas Tune

Today's Daily Incite

December 17, 2009 – Volume 4, #40

Good Morning:

I tend to be fairly grumpy, but no time more than during the holidays.
I’m not a fan of the cold weather. And I’ve been a Xmas hater. That’s
right, I was Scrooge personified. Bah humbug was a mantra of mine from
the time lights go up in my neighborhood Thanksgiving weekend to the
day after New Year’s when (thankfully) most folks pull them down.

What did you think happened on the day after Xmas? You know, this classic South Park song says it
all. But this year is different. I'm not sure whether it's the fact
that the stress of my old job is now gone. Or whether I've just
mellowed out, but all the same – I'm not as grumpy. And I can
appreciate the lights and even some of the pomp and circumstance of
the holiday season. I didn't instantly hush one of the kids that
spontaneously broke into a Xmas song.

Yet, I’m still human and there are the little annoyances. Like the guy
whose lights burn up more power than an Eastern European village
(hackers and all). I’m still not digging the constant sound of the Xmas
Muzak pretty much wherever I am. A week ago I was having sushi with the
Boss and the joint was playing Xmas tunes. Just can’t see Santa digging
on a Spicy Tuna roll, but maybe he does. Right after the big pull off
the hookah.

And what's the deal with the emergence of Rudolf as a pitch
reindeer? Come on now, if Santa uses AT&T's wireless network
everyone is screwed. I can just imagine it, the dude is traipsing
around the world at almost light speed, he calls Mrs. Claus to make
sure she's got the hot cocoa ready when he gets home and the call drops.
Maybe Steve Jobs can get Santa one of those new iPhones that runs on
the Verizon network…

I’m even kind of looking forward to Xmas day this year. I’ll
spend it as most of my ilk do every year. I’ll go see a movie (maybe Up
in the Air) and eat a Chinese food feast with my family. And I’ll get
to do some of those tasks that always get lost in the haze that is my
to-do list. Like updating my web site.

So it's all good. I don't think I'll go caroling this year,
but you never know about next year. But before you get any big ideas,
don't be sending me any of those fruit cakes. You have to draw the line
somewhere.

Have a great weekend.


Photo: "Santa has a side job" originally uploaded by ktylerconk


Incite 4 U

  1. More "shortcuts" to PCI compliance – Arghhh. Just as I was in a happy mood, I see yet another "shortcut" story for compliance. NetworkWorld's Cisco blogger has a nugget of wisdom: "By now we all know that the key to becoming PCI compliant is all about how well you can control the number of in-scope devices." Ah, not so much. A merchant with only 10 in-scope devices that gets pwned because they read this kind of crap is still pwned, right? What we all better know by now is that PCI compliance is NOT the goal. It's protecting the private data, right? So then there are 5 tips in the post about things like segmentation and tunneling and other stuff. Not sure I get the one about client certificates vs. tokens, but all the same. I kind of shut down when the first sentence shows this guy got hit with the security no-clue bat.
  2. Great, now we are all accountants – Santa takes a bit of time away from getting his house on wheels ready for the adventure (good luck man, I tend to like to know my house is in the same place every day, but whatever floats your boat) to try to draw the parallel between IT folks and finance folks. You see, evidently finance folks understand that all of their actions will be audited and therefore they act accordingly. Us IT Yahoos have no idea, so we do crazy stuff. He suggests we build a "culture of compliance," so everyone knows their actions will be audited and they'll do the right thing. How about building a CULTURE OF SECURITY? You know, where we protect data first and fill out reports second. I hope that's what Santa means, but the idea of a culture of compliance irks me. It's bad enough compliance funds everything we do, now everyone wants to make that the end goal. Which is just wrong.
  3. Attack of the Prediction Stories 1 – Now I'm starting to remember why I hated the holidays. All these freakin' 2010 prediction stories that say the same damn thing. More hackers. More breaches. We're screwed. Enjoy the Yule log and maybe OD on egg nog. It'll make the pain go away. Imperva is calling for "industrialized hacking," as if that hasn't been the case for years. We all know there are warehouses full of folks in 3rd world nations banging away on netbooks hacking your stuff. And a move from "reactive to pro-active security." Man, the bile that just rose from my gut didn't taste too good. Come on guys. Mediocre attempt here.
  4. Attack of the Prediction Stories 2 – Next up on the prediction hit list is Russ Cooper from Verizon Business. He's got some gems in there like the social network sites will protect themselves. Ah, do you think Facebook wants to be a cesspool of malware? Miraculously they'll figure it out in 2010? Looks like Russ bypassed the egg nog and went right for the heroin. How about consumers getting smarter? Evidently he hasn't left his lake house in rural Canada in YEARS. If what I see in coffee shops or hear at holiday parties is any indication, consumers are on the express train to Dumbville. But he does pinpoint two predictions I'm digging. The first being China will be blamed for everything (shouldn't they be) and the other is that nothing of note happens to "non-PCs."
  5. Attack of the Prediction Stories 3 – Finally, let me call out a piece in CSOOnline getting predictions from security luminaries, including Mark Weatherford (CISO of CA) and Dan Kaminsky. There is stuff here from Weatherford on hiring and maintaining talent (good call) and moving some security functions into the cloud (ho hum). Kaminsky talks about how prosecution for cyber-crime will accelerate (that would be great) and some ineffective security techniques will be called out (much to the chagrin of Big AV). This one isn't bad as far as prediction stories go, but the only prediction I have is that the electricity required to power Kaminsky's ego causes a Xmas brownout in Seattle. Put that in your stocking. Yeah, I couldn't help it. It was right there calling to me. Like Russ Cooper's heroin.
  6. NSS kicks some IPS vendors in the nuggets – I tend to disregard most reviews and "certification" programs because, well, folks have this nasty habit of not biting the hand that feeds them. Except me maybe (remember the NetworkWorld debacle?). So kudos to the NSS folks that call some crappy IPS products to the carpet and actually print effectiveness results. Of course, in the press release they don't say which vendor got 17% effectiveness (it was Juniper) and which was 89% (yay for SourceFire), but I'm sure the happy vendors plunked down their $1800 to buy the report and will be happy to share it with you. The sad vendors are, well, sad and trying to figure out how to poke holes in the methodology. Here's a hint: Kevin Tolly is waiting by the phone for your call. For $50K, he'll run a test that shows 100% catch rate and make the problem go away.
  7. Hi, I'm Mike and I'm a… – In today's personal development selection, let's look at a post on the 37Signals blog called "Step one is admitting you have a problem." The point here is about work addiction and that the start-up world tends to breed many work addicts. They ask the right questions about time vs. effectiveness and the impact of that on your health. Is that work done between 10 PM and 2 AM productive? Is it good work? I guess during the holiday season the message is that we should be questioning everything and potentially acknowledging our problems and building 2010 plans to address them. And maybe relaxing a bit for the slog that is 2010.

*** This is a Security Bloggers Network syndicated blog from Mike Rothman's blog authored by Mike Rothman. Read the original post at: http://securityincite.com/blog/mike-rothman/the-daily-incite-12-17-09-changing-my-xmas-tune


Mike Rothman

Mike is a 25+-year security veteran, specializing in the sexy aspects of security, such as protecting networks and endpoints, security management, compliance and helping clients navigate a secure evolution to the cloud.
