It is said that unhappiness results from either not getting what you want, or getting what you don’t want. I’m pretty sure strep throat qualifies as something you don’t want, and it certainly is causing some unhappiness in Chez Rothman. Yesterday, I picked up 4 different antibiotics for everyone in the house except me, which must qualify me for some kind of award at the Publix pharmacy.

How do you get it to bend like that?

I like to think of myself as a reasonably flexible person who can go with the flow – but in reality, not so much. I don’t necessarily have a set schedule, but I know what I need to get done during the day and roughly when I want to work on certain things. But when the entire family is sick, you need to improvise a bit. Unfortunately that is hard for a lot of people, including me. So when the best laid plans of sitting down and cranking out content were subverted by a high-maintenance 6-year-old – who wanted to converse about all sorts of things and wanted me to listen – I needed to engage my patience bone.

Oh yeah, I don’t have a patience bone. I don’t even have a patience toenail. So I got a bit grumpy, snarled a bit, and was generally an ass. The Boss was good in pointing out I’m under a lot of stress heading into a big conference and to give me a wide berth, but that’s a load of crap. I had my priorities all screwed up. I needed to take a step back and view this as a positive and figure this is another great opportunity to work on my patience and show the flexibility that I claim to have. So I chat with my girl when she’s done watching Willy Wonka, and I go out to the pharmacy and get the medicine.

Here is the deal – crap is going to happen. You’ll get sick at the most inopportune time. Or your dog will. Or maybe it’s your kid. Or your toilet will blow up or your washing machine craps out. It’s always something. And there are two ways to deal with it. You can get pissy (like I did this morning), which doesn’t really do anything except make a bad situation worse. My other option was to realize that I’m lucky to have a flexible work environment and a set of partners who can (and do) cover for me. Yes, the latter is the right answer. So I cover at home when I need to and soon enough I’ll be back to my regular routine and that will be good too.

Um, I’m not sure who wrote this post, but I kind of like him.

– Mike

Photo credit: “Be Flexible” originally uploaded by Chambo25

Incite 4 U

I’d like to say it’s the calm before the storm, but given that 4 out of the 5 people I live with are sick, there’s no calm on the home front, and there is always the last minute prep work involved in getting ready for the RSA Conference that makes the week before somewhat frantic. And that’s a good description of this week thus far.

If you are heading out to San Francisco, check out our Securosis Guide to the RSA Conference 2010 (PDF), or the bite-size chunks as we post them on the blog this week. That should help you get a feel for the major themes and what to look for at the show.

Finally, make sure to RSVP for the Disaster Recovery Breakfast we are hosting on Thursday morning with the fine folks of Threatpost.

  1. Without exploits, what’s the point? – Andy the IT Guy wrote a piece about whether pen tests require the use of exploits. He cites some PCI chapter and verse, coming to the conclusion that exploits are not required for the pen testing requirement of PCI. Whether it is or is not required is up to your assessor, but that misses the point. Yes, exploits can be dangerous and they can knock stuff down. But pen testing using real exploits is the closest you are going to get to a real world scenario. That old adage that any battle plan doesn’t survive contact with the enemy – it’s true. So your vulnerability scanner will tell you what’s vulnerable, not what can be exploited, and I can assure you the bad guys don’t just stop once they’ve knocked on your door with Nessus. – MR
  2. IE6 + Adobe = Profit! – An article by Brian Krebs on a new experimental tool to prevent drive-by malware on Windows got me thinking. Blade (BLock All Drive-by Exploits) doesn’t stop the exploit, but supposedly eliminates the ability to install a download without user approval. Assuming it works as advertised, it could be useful, although it won’t stop horny users from installing malware in attempts to view videos of nekked folks. But the interesting part is the statistics from their testing – over 40% of attacks are against IE 6, with a whopping 67% of drive-by attacks targeting Adobe Reader or Flash. If those numbers don’t give you at least a little juice with management to update your applications and get off IE6, or to prioritize Adobe patches, perhaps it’s time to polish the resume. – RM
  3. Socially Inept – Security Barbie had a good post on the Rapid 7 incident in “My ode to Rapid7” where a few sales people Twitter & LinkedIn spammed the bejesus out of the entire security community. Or at least the echo chamber of folks most likely to bitch about it. “Fine, fine. I’m gonna take them off my list of successful people today.” I am not poking fun at Rapid7, but there are strange boundaries of what is appropriate and inappropriate behavior on venues like Twitter. It’s fine to ask my friends what they think of a product or company, but not OK for people I don’t know from that company to offer an opinion. Every corporation out there has a PR and media strategy for social media, and usually approaches it in a totally anti-social way. A corporation acting like it’s my friend on social media is, well, creepy. It’s not like a corporation comes to my house to have a beer and watch a UFC match, especially since I don’t have cable TV. Following tweets to gauge customer acceptance is one thing, but trying to participate with me like we’re buddies is more about managing perceptions than socially interacting. But people representing companies on social media venues is a grey area. Frankly, one of the reasons I don’t tweet more often is much of what interests me in security is now (my) business, and I am uncertain where to draw the line. – AL
  4. Business Advice from Van Halen – This is an awesome way to tell if your vendor isn’t paying attention. It’s the business version of asking if the product supports RFC3514 or RFC2549. A former coworker would ask vendors about LRF support. Similarly, I’ve thrown all sorts of bizarre requirements into contracts and RFIs just to see what the responses are, and whether people are paying attention. What are your indicators that vendors are just going through the motions? – DMort
  5. It’s about the Business, Stupid… – I absolutely love this response from a CIO in response to why a CISO candidate didn’t get a job. Right, it’s not about ‘us’ and our security problems. It’s about relating value to business problems and showing how security can help the business achieve its goals. It seems a lot of security folks don’t get senior management because they don’t understand how important security is, and how not doing security well puts the company at risk. Read this, and make sure it’s not you with such a myopic view of the business. – MR
  6. An Agile Crust, Tinged with a Risk Reduction and a Side of Backlog – J.D. Meier posted on Agile Security Engineering this week, talking about overlaying security activities on top of an “Agile software cycle”. He broke down security tasks and mapped them to Agile phases. The post raised several red flags for me, because the security tasks mapped to the iteration cycle a) are not performed on every iteration, b) don’t necessarily fit in the iteration time line, or c) are part of the implicit test-driven development. Agile is good at getting high priorities attention very fast – the middle ground is the killer. Security ‘stories’ end up on the project backlog, with mid-to-low priority levels, and the “buckets” described are never pushed up the queue for web applications because there is no end state for web application development programs. If J.D. is making this work I would love to see a fully fleshed out case study, because this describes a model I find to be broken. – AL
  7. You Can’t Outsource Thinking – Bejtlich tackles whether it makes sense to outsource incident response, and honestly I did a double take. Did someone really ask that? OK, Richard basically says in a very nice and politically correct way that it’s not a very good idea. Being neither nice nor politically correct, I say that’s security career suicide. It gets back to my philosophy that the only thing you can’t outsource is thinking. Everything else is fair game. So you can get some help with your incident response. But you need to run your IR team, just like you need to run your security program, though parts of it can (and should) be outsourced. – MR
  8. Don’t Catch a Social Networking Disease – I am completely fascinated by the larger historical implications of social networking and technology over time. Years ago I wrote a post on the potential political implications once we reach a point where all politicians grew up with social technologies. Can you imagine George W. Bush having to deal with tweets like, “Crashed daddy’s car into tree on lawn and told him he’s an ass. Need more beer.” Andy the IT Guy writes about the dangers of poor social networking policies using an example from reality TV. If you don’t have a clear policy and educate employees (and prospects), you’re leaving the door open for problems. And don’t forget to balance your policies with the need to attract and maintain workers, or you might end up like Forrester. – RM