February 05, 2010

Do our security products do what they say they do? A false sense of security is worse than no security at all

A foundation of much of our security strategy today is to deploy security solutions to protect us. As an industry we have put policy and process in the back seat to technology. But is our blind trust in security technology justified? I have seen some evidence lately that says no. In fact I am not sure that all of these appliances and software that we use work at all.

What makes me say this? Let me give you some evidence:

1. Kelly Jackson-Higgins has a good post up on Dark Reading about the research done by Larry Suto on web application scanners. According to the report which you can download the pdf of free at Dark Reading, most of the scanners missed almost 50% (one half) of all web app vulnerabilities! Think about it, scanning your web apps, you might be missing one out of every two vulnerabilities!

I was shown this report a few days ago by my friend Matt Cohen of NTOSpider. To give Matt and his team credit, they did lead the pack with 94% accuracy. But overall the numbers were pretty bad.

Qualys in particular was pretty low with only about 28% accuracy. It should be noted that they only have a “point ‘n click” test though. But still you have to ask yourself, if two thirds of the vulnerabilities are getting by, why bother?

Is it any wonder that being PCI compliant is meaningless from a security point of view? You can use a web app scan, check the box on your PCI audit and still have a security posture that is like Swiss cheese on your web app!

2. The NSS tests. I have written before about the great work Rick Moy and the folks over at NSS have done. But go read this article in GCN by William Jackson interviewing Rick.

It is downright scary that after 5 years in the prime time, IPS still does not catch such a large percentage of attacks. We all knew that signature based detection alone was not going to see all attacks. But we have deluded ourselves into thinking that anomaly and behavior based detection would somehow make our signature based technology actually work.

Yes, IPS may catch rudimentary types of attacks, but how can we sleep at night with some of these well known IPS devices on the job?

3. Anti-virus – another false sense of security! For all of the millions of dollars spent by the AV vendors (a small fraction of the billions they rake in) on better detection, what have we got? A day late and a dollar short technology, I am afraid. Our AV is great against last year's attacks, but is pretty weak on this year's threats.

That is of course assuming that your AV is actually up to date. In most organizations what percentage of mundane AV updates are failing? From my NAC experience I was surprised that even on some of the most sensitive networks in the world, the number of AV update failures across the network is pretty high. It only takes one bad apple.

4. Patching is a lot like AV. How many patches fail or are never pushed out to every machine that needs them? Too many is the answer.

We could go on and on. Don’t even get me started on NAC and DLP. In general our reliance on technology that does not work as well as we hope, think and pray it does is more dangerous than if we had nothing at all. At least then we would be serious about the policies and process that we need to put in place.

In the meantime we need to rethink if we are as protected as we think we are. If not, we need to take measures in response.

February 04, 2010

The Security.Exe Podcast, Episode 2 - eEye and Cyberoam talk Security 2010

Here is the 2nd episode of the security.exe podcast. Unfortunately Mitchell Ashley is unable to join me. Mitchell's wife has been battling breast cancer for almost 5 years and her condition has taken a turn for the worse. We wish Mitchell and his family strength and prayers at this trying time.

I do have two great guests on this episode though. Morey Haber of eEye and Alex Quinonez from CyberRoam join me to discuss what is on the security horizon for 2010. I think you will find it an insightful conversation!

We talk about Aurora, iPad, Cloud Security and a bunch of other topics that we see as being relevant to the discussion around security 2010. I hope Mitchell will be able to join us again soon. Until then we will have some special guest hosts and other special guests on the podcasts.

Enjoy!


February 03, 2010

Dumbest phish of the month award

I am thinking about starting a new feature here on ashimmy.com. The dumbest phish of the month award. Most phishes are pretty dumb and easy to spot. Especially if English is your native language. But don’t be fooled, there are some phishes that are not quite as obvious. They will fool even some of us who are much more paranoid about this stuff.

Anyway, the inaugural dumb phish award goes to kenlad35@yahoo.com. Ken wrote me the following email. It is actually pretty typical of the “your hotmail or windows live account will be closed” variety. Asking for username and passwords and stuff. But Ken, if you are going to make believe you are from Windows Live, maybe you should lose the yahoo email address and the little yahoo ad at the bottom of the email.

No matter what you do for a living, even a phisher, at least try to be the best you can be about it!

Dear Windows! Live Account User,

  We encountered a problem with our database and a lot of records were lost, we are restoring our database to enable us serve you better. Your Windows! Live Account details are required so as to store in our database to keep your account active.

Failure to do this will lose his or her account permanently.

To update and enable us restore your account details in our data base to keep your account active, you are required to provide us the details below urgently.

Click the reply button to enter details below .

  ID:

  Password :

  Date of Birth:

  Country or Territory:

  Occupation:

  Alternative E-mail:

   Make sure the details above are correct to enable us restore your account details, this will help prevent your account from suspending or closing.

Note: YOUR DETAILS WILL NOT BE SHARED.

  Users have often told us that the more they use Windows! Live  Service, the more they discover its benefits. We'll keep working on making Windows! Live the best email service around, and we appreciate your joining us for the ride.

Thank you,

Sandra O. John

E-mail :customer.care00023000@live.com

The Windows! Live Team

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com

A refreshing voice back at the helm

I came across a Google alert today for network access control (I admit it, I still follow the NAC market). There was a link to an article interviewing the CTO of HP ProCurve, Paul Congdon. I assumed it was a link to an old article (as sometimes happens with Google Alerts), but clicked anyway. I was happy to see it was dated today and it was in fact a new interview with Paul.

Paul had been the CTO of ProCurve a few years back when I concluded a relationship between StillSecure and HP ProCurve. He had taken a quasi-leave of absence to continue his education and I have not spoken to Paul in a few years now. It would appear that he is back. If so what a great thing for ProCurve!

Paul was one of the brightest people I have dealt with in my many years in technology. A true visionary, he is also one of the nicest gentlemen you will ever meet. He is a big supporter of open standards and is always thinking of what is on the next horizon.

Now that I know he is back, I will have to reach out to Paul and see how things are with him. But keep your eyes out for what Paul says. I can guarantee you that you will learn something!

Welcome back Paul!

February 01, 2010

A Security Scoreboard Grows in Brooklyn

The Security Bloggers Network brings me in contact with a wide range of great and interesting people. Last year on the eve of the RSA security bloggers meet up, I received a request to join the SBN and to be invited to the meet up from Dr Boaz Gelbord. Boaz was the author of a blog and a good security guy, but what got him the last minute invite was that he promised to bring me some real Brooklyn pizza. Real NY’ers know that you can keep the tourist stuff they sell in Manhattan, the best pizza is made in Brooklyn.

Boaz came to the meet up sans pizza, but was a charming fellow and a great addition to the SBN. I heard from Boaz just recently when he contacted me about potentially sponsoring the podcasters meet up at Shmoocon. He told me he was launching something new.

Today he announced his Security Scoreboard. Security Scoreboard “seeks to help security practitioners and executives find the right information security vendor.” They have set up a database of many of the security vendors out there with links to analyst reports, product reviews and other pertinent information.

Besides an alphabetical listing, there is also a listing by category. Something like this is really good if for example you are looking for a DLP solution and want to see the players. Of course you could pay out the big bucks for a Gartner report and play magic quadrant bingo.

The real power of Security Scoreboard though will come from you. That’s right, you reading this blog right now. The Security Scoreboard gives each and every one of us the ability to post our own review of a product or company. Sort of Amazon comes to information security.

Right now there are not a lot of user reviews on there. Ultimately the usefulness of Security Scoreboard to the security community will be based upon how many reviews are posted there.

So if you agree with me that this could be a great resource for the community, take the time and give a thumbs up or down to some of your favorite or least favorite security products. In the meantime good luck to Boaz and Security Scoreboard.

January 31, 2010

Reach for the stars, if you only make it to the planets you are still way up there.


I was reading a blog post from Don Dodge today that reminded me of something an assistant principal in Junior High School used to tell us when I was a kid.  She used to say “reach for the stars children, if you only make it to the planets, think of how far you have come”. I still remember her. Her name was Mrs. Smith. She was a very tall, African-American woman. Mrs. Smith was always well dressed, well spoken and always pushing us to reach higher than we thought possible.

Don’s article describes just this attitude that is a fundamental mindset at Google. For those of you who may not know Don Dodge, Don was one of the chief liaisons from Microsoft to the start up and VC community. Great guy, he was tireless in promoting Microsoft to a very highly skeptical community. Over the years, Don was a great friend to the start up scene. My friend Brad Feld introduced me to Don and I always enjoy reading his blog. A few months back, Don was laid off by Microsoft (a terrible move by Microsoft in my opinion). He was quickly picked up by Google with a similar mission. Anyway, enough about Don, you can read his blog if you want to know more.

The idea at Google is to over achieve beyond anything you think possible. Set goals and objectives on a quarterly, not annual basis. Don’t worry about whether you actually achieved them. Don says it best, “Achieving 65% of the impossible is better than 100% of the ordinary“. That is the key to me. That kind of shoot for the stars attitude and working with brilliant people is what is driving Google’s rise to prominence.

Too many companies judge worth based upon completing 100% of goals. So the goals start to get set low to give a feeling of accomplishment and the illusion of progress. Then what happens is you wake up 2 years later and realize that though short term goals were met, they were lay ups. In the big picture, you did not move the ball where it has to go. A culture of mediocrity replaces the shooting for the stars attitude.

One of the things I love about start ups is the drive, the passion to set high, impossible goals. You may not achieve them, but if you stretch beyond what you think you could, you still have accomplished something to be proud of. Losing sight of that objective can signal the beginning of the end for many start ups.

I guess after all these years, I still remember the lessons of Mrs. Smith. Maybe the Google guys had a Mrs. Smith too. Keep reaching for those stars!


January 30, 2010

Envelope please, and the winners are . . .

OK for the first time in public, here are the finalists for the 2010 Social Security Blogger Awards! The finalists were chosen by our blue ribbon panel of judges (Mike Fratto, Bill Brenner, Kelly Jackson-Higgins and Larry Walsh). The members of the Security Bloggers Network will be receiving ballots shortly with the names of the finalists and they will cast the deciding votes for who this year's lucky winners are. So without further delay, the finalists are:

Best Technical Security Blog

SANS Internet Storm Center

Evil Bytes by John Sawyer

Praetorian Prefect

Darknet.org

Frequency X ISS blog

Best Non-Technical Security Blog

Security Uncorked

Schneier on Security

Krebs on Security

ThreatPost

TaoSecurity

Best Security Podcast

PaulDotCom

SANS ISC Stormcast

An Information Security Place

CSO Security Insights

Security Catalyst

Best Corporate Security Blog

JEREMIAH GROSSMAN (White Hat Security)

SOPHOS GRAHAM CLULEY BLOG

MICROSOFT SECURITY RESPONSE CENTER

FORTIGUARD BLOG

CISCO SECURITY BLOG


Most Entertaining Security Blog

Rational Survivability by Chris Hoff

Security Incite by Mike Rothman

Uncommon Sense Security by Jack Daniel

SecBarbie by Erin Jacobs

Emergent Chaos by Adam Shostack and ensemble

What an all star list of finalists. Each and every blog and podcast on this list is deserving of winning. It is a testament to the quality and quantity of blogs that the security industry has spawned. Congratulations to each and every one of them. May the best blogs win!

I also want to point out some honorable mention blogs and podcasts that did not make the finalists because they were not eligible, though they were nominated:

Securosis Blog

Network Security Blog and Podcast

and my own Ashimmy, after all these years.

Of course the winners will be announced at the Security Bloggers Meet-up at RSA in just over a month! Good luck to the finalists and hope to see you at the meet up.

January 29, 2010

Yesterday was International Data Privacy Day, did you miss it?

I just found out that yesterday was International Data Privacy Day. Also the House of Representatives passed a bill declaring it National Data Privacy Day too. A bunch of states have done similarly. Great! Anything to raise public awareness around data privacy and security can’t hurt.

Now tell the truth, how many of you out there knew yesterday was the day? Come on, let me see a show of hands. Just what I thought, not many of you. Don’t feel bad, neither did I. That is the problem. Why didn’t we make this a bigger deal? Were we all in a dark cave and missed the memo?

If we are going to be serious about this the media can’t wait until the actual day of it to tell us about it. We need to do a better job of getting the word out! Maybe we can design a colored ribbon that we could put on blogs and stuff? If we as an industry don’t make something of it, don’t expect others to.

January 28, 2010

Rogue software support from Software-HQ certified by Trustwave

In a recent podcast with Mitchell, he and I were bemoaning the fact that it is just so hard for non-technical users to not get gamed or scammed on line. One of the types of scams I hate the most is the rogue AV and rogue security software scam. What a kick in the butt. Using fake security software to infect a computer.

Tonight I came across another type of rogue software I want to call out. What made this one worse is that Trustwave is certifying these folks. What these people are doing is wrong, Trustwave giving them a seal of approval is worse though. Did anyone at Trustwave even check this out? Come on now, I would expect more from Trustwave!

It all started when I realized that my Windows 7 install did not have Windows Media Player. I did a search for Windows Media Player in Bing (BTW, Google didn’t have this link, I checked later). The first link in Bing, which is I guess a paid link was for a site that advertises Windows Media Player 11. The blurb says download Windows Media Player 11 – 100% guaranteed. I clicked the link and went to a domain at http://mediaplayer.11-now.com/. It had a very Microsoft look and feel, though it did have a disclaimer down at the bottom. There are two big click to download buttons and I did. Instead of download though I was taken to a page for an order sign up.

Turns out they want me to pay $19.95 for the year or $12.95 a year for 3 years. For this they are going to give me:

Technical Support When You Need It

Awesome "Up to date" Flash Tutorials

Unlimited Software Downloads

Complete Downloads

Never Pay a Download Fee

Instant Access After You Sign-up

Access to the Hottest Software

This service is run by a company called Software-HQ and their domain is http://www.software-hq.net. They claim to have all of the hottest software for you to download. Programs like Winzip, Paintshop Pro, Ifran and more. All shareware programs that you can download anywhere on the net. If you buy these programs and register them, the makers of the program offer you support. So what exactly is software-hq giving? Ice cubes in winter, that’s what! They are going to let me have unlimited software downloads, that are complete and the latest versions? Right after I pay them they will give me instant access to these hard to find programs? Stop! Stop! Stop! This is ridiculous.

Think of some of your relatives who might be duped by this and turn over the 20 bucks. Do you think they are getting value? I don’t think so, I think it is just another rat hole on the Internet that needs the light of day shined on it.

Trustwave what are you doing certifying this? Would you certify a ham sandwich? Where is the quality control here? You are a security company supposedly, you should know better!

January 26, 2010

It's a mad, mad, mad world

Regardless of whether you think the Aurora/Google/China incident was a simple hack or the most sophisticated thing since the cotton gin, I think it is going to mark a historical demarcation line. From this point forward the PA (post-aurora) era will have governments, corporations and individuals the world over recognizing that the new battleground is a cyber zone. This is a lesson that the folks in the US Department of Defense have recognized for a long time. While we were busy every year yelling about FISMA and so forth, the people on the front lines of this cyber cold war have been trying to stay afloat against a sustained assault on our networks that has been going on for years. They are not perfect, but the fact that a genuine disaster has not occurred as a result is no small testament to their diligence, hard work and intelligence.

Whether you take the position that Rich Mogull has laid out in his firestarter post on APT, namely that this is espionage and not warfare and we just need to deal with it, or the NY Times approach that the Google/Aurora incident was part of the ongoing digital warfare that is underway, is I think irrelevant. When I boil it down, it is only a matter of degree. Espionage is an act of war, punishable by death. You can have cold wars and hot wars and then there are simmering wars. This new war is a different type of war, but the stakes are no less dear. It is for control of the world.

We are in the 2nd decade of a new century. There are many countries who think that it is their manifest destiny to become the "America" of the 21st century. This war, like many before it is for economic dominance. This makes private corporations that are economic powerhouses targets. Don't think for a second that we here in the US are not gearing up for this type of war either.

For me the real issue is that the game and the rules have changed here. We have not yet come to terms with how this game should be played or even what the rules should be. We are still a cold war generation. Our rulers learned the game during the cold war rule set. We yearn for a deterrent that will put the brakes on an adversary going beyond what we deem to be the line.

In the good old cold war we had MAD. Mutually assured destruction was what we could bank on. The Soviet Union didn’t want to end the world any more than we did. We and they knew that if we allowed things to go too far, there was no turning back. So we could have our little “hot wars” in Korea, Vietnam, Afghanistan without pushing either side too far. Only the Cuban missile crisis really brought us to the brink.

Of course we let our surrogates fight the fight the world over. We supported them with weapons, money and training. So did the other side. There were lots of little skirmishes that did not directly have our troops involved, but were part of the game nonetheless. The bottom line is that there was an understanding of what would be tolerated and what would not be tolerated. The prodding and probing was as ritualistic as anything from the feudal societies of the middle ages.

In cyber warfare (sorry Rich, it qualifies as warfare. The stakes are as high in terms of human life and resources as any other war. Especially when we are talking about critical infrastructure) there needs to be a tacit understanding of what will be tolerated and defended versus what goes too far. We need to decide what the repercussions are for going too far.

Having Google pull out of China is one remedy, but if one nation or faction or entity violates the rules of the game, the consequences need more bite. They should be ostracized by all the others. It should be made clear that the costs of undertaking such action far outweigh the benefits. Whether the Aurora incident was with the knowledge of the Chinese government or not, the message has to be to “take care of your own”. They are responsible.

I don’t have the hard and fast answers as to what those consequences should be. But we need to set the rules now. Right now it truly is a Mad, Mad, Mad World. The game has changed. The players are making up new rules as they go. You can’t play a game without rules. That becomes anarchy. But the balance will be restored, it always is. We just need to make sure the rules are understood by all parties and that it is better to play by the rules than outside of them.

Is this the smoking gun for Aurora?

So it seems some researchers from Zscaler have found the Aurora malware resident on a Chinese government website. Anyone going to the site would be infected by the same thing that hit Google, Adobe and others a few weeks ago. Up until now though it was suspected the attacks were China based, whether or not the Chinese government was involved or tacitly approved of the hackers' actions was a very touchy subject.

Byron Acohido over at USA Today broke this story. You would need root access to put this on the server according to Acohido. So how did it get on the Chinese government's server? Good question. I will be doing a full blown follow up to this whole matter tonight, so stay tuned. But for now, is this the smoking gun?

Security.Exe podcast powered by The CISO Group

Well we are at it again! Mitchell and I debut our old/new podcast under the Security.Exe brand. Of course it is powered by The CISO Group, our new company. But it is the same old Mitchell and Alan. Besides talking a bit about The CISO Group (not enough in my opinion), Mitchell and I spend a bit of time going down an Alice in Wonderland rabbit hole. We talk about Google/China, APT, why we are not secure in general, what consumers want in security and a bunch of other things. I was about to break out some beers, as the two of us wax on (or is it wax off) poetically about things.

Anyway, now that we have that out of the way, Mitchell and I will be podcasting quite a bit. We hope to be joined by our fellow CISO Group partners, Parker, Josh and Bobby in future episodes. Of course we will have special guests as well. So stay tuned as we crank this baby up.


ShmooCon podcaster meet up sponsors needed

Wanted to get the word out on this to anyone interested. Some of the security podcaster/blogger crowd are planning a meet up at ShmooCon. They are in need of some very simple gear and technology that is really in the hundreds, not thousands of dollars.

If any company seeking to influence some security influencers wanted to make a great investment of a few hundred dollars, this would be a great opportunity.  If your company or someone you know may be interested, please leave a comment or email me.

BTW, I won’t be at ShmooCon and am not organizing this event. Just trying to help out some fellow security bloggers and podcasters.  Hope you can help!


January 24, 2010

It's about the jobs, stupid

One of my favorite authors, commentators and people is Thomas Friedman. I just think he is so dialed in to what is going on in the world. He not only points out what is wrong, which many of us can do, but he suggests ways to fix it. Why he is not in public office or part of the administration is beyond me.

Anyway he has a great Op-Ed piece up in the Times today. He urges President Obama to learn the lessons of Massachusetts and correct the mistakes of the past year. Return to working with the people, not Harry Reid and Nancy Pelosi. He urges a program to create real permanent jobs. He says we need to make this year the “year of innovation” and the year of “Start up America”.

He says it better than I ever could, so just head over and read it. But I agree with him 100%!


January 22, 2010

Passwords are a losing battle

Hey I know this is a case of the pot calling the kettle black, but at least I learned from my mistakes. There was an interesting article in the NY Times the other day based on a report from Imperva. It seems despite all of the publicity around ID theft and hacking, a sizable number of people still use ridiculously easy passwords to protect their most valuable information. You know the kind I am talking about. You need a 6 character password and you pick 123456. Is your password – password? Does every single person need to get hacked before they will change? I am afraid so.

The information for the Imperva report came from a posted list of 32 million passwords hacked from a site called RockYou. This is believed to be one of the largest lists of passwords made available to both hackers and researchers outside of the FBI or Homeland Security. It is a fascinating look across a wide swath of what people are doing for passwords.

So if no amount of education is going to change this, what should we do? When will we move to keys, tokens or smart cards? It is painfully obvious that there is something about humans and strong passwords that just doesn’t compute. I say stop beating the dead horse here and let's put our efforts into something that has a chance of success.

January 20, 2010

Symantec, McAfee - it really doesn't matter, it's free

Big news today in USA Today and PC Mag (I used to love to read PC Mag every month when it was a real paper magazine) about Comcast throwing out McAfee in favor of Symantec. The numbers are pretty big. 15.7 million subscribers in both home and business. USA Today said it could be for big bucks. Big bucks or not (and I will discuss that later) it is free to Comcast customers. I think that is the real story here.

I wrote about one angle of this on The CISO Group’s security.exe blog tonight. That was more about how customers look to security experts to choose technologies, but at the end of the day it is not about the technology really.

But there is more to this story. No doubt the vast majority of Comcast users really don’t care whether it is Symantec or McAfee. They just want security and both companies have big names. As to the money won or lost, my guess is that Symantec gave this away just to take it away from McAfee. It gives them something to crow about. But I don’t think it was for big bucks (relatively speaking).

The big thing here though is that consumers should start expecting security for free. Whether it is Microsoft’s Security Essentials or getting your AV and security from your ISP, it won’t be long before the notion of paying for your own security will be anathema to most consumers. The problem is if they don’t pay for it, will they value it. I don’t know but I would not want to be in the business of selling security to the consumer market right now.


Open Source Fact and Fiction

Well I have been blogging here since October 2005. That is probably longer than most of you have been reading this. Over the years this blog has been the place where I put my voice and opinion out to the world. In retrospect it has been a great bully pulpit for me to add my 2 cents to many a discussion.

But over the years and months I have wanted to expand both my brand and online presence. Twitter and Facebook are nice (you can follow or friend me on either. @ashimmy on Twitter and ashimmy on Facebook) but they are not the same as blogging. For sports I have discovered the Bleacher Report. It is an open source sports blog. I blog on the Steelers and Yankees there and it spares most of you from reading my sports stories. With the start of The CISO Group, I have the new security.exe blog and podcast too (by the way my partners Josh Karp and Parker Yates have been blogging up a storm over there, you should check it out too!)

But I have been looking for another outlet for my technology ramblings. I am proud to tell you that as of today I have another home! I am the newest blogger at NetworkWorld.com! My blog is on open source and is called “Open Source Fact and Fiction”. I have already put three articles on open source there:

1. Ladies and Gentlemen, Your Top 10 Rookies of the Year in Open Source

2. Are open source business models successful?

3. Nothing in life is free (so why do governments love open source?)

I think all three are great articles on open source. I will be adding to the content there over the days and weeks to come. I need your help to make my NetworkWorld blog successful. The blogs there are judged by page views, not by subscribers. They want to see tweets and diggs on the articles. So if you like what you read, please pass it along. Give me a Digg or a Tweet. I appreciate it.

Of course I will still be blogging here, as this is my primary home. I probably won’t cross-post very often. Most of the open source stuff will be on the NetworkWorld site. So please keep reading here and there!

Wish me luck and let me know what you think. So many of you have been so supportive of me over the years. I hope I can count on you to support me at NetworkWorld too!

January 19, 2010

Round up the usual bloodsuckers

You have to love it when general interest type business publications delve into security. BusinessWeek has an article up telling us that all of the Google/China stuff bodes well for the security industry. They specifically cite Symantec, McAfee and Checkpoint as being poised to profit from everyone else’s misfortune.

The evidence they use is the recent stock prices of Symantec, McAfee and Checkpoint. They also talk about Mike Carpenter, who heads up McAfee’s public sector sales. Mike says that since the Google/China news broke he is really busy.

OK here is my ashimmy analysis on this:

1. I think most technology stocks have seen a decent jump over the last few months. The rising tide lifts all boats, including these coffin-ridden vampire ships. Yes, there might be a short term jolt from the Google affair (like the Dreyfus affair. Extra points if you know what that is), but I don’t think long term it will be a big effect.

2. Mike Carpenter has been saying he is in meetings day and night for years. Mike and his public sector sales team at McAfee do a great job of convincing the government that ePO everywhere is somehow a successful security strategy. Then Mike spends most of his time in meetings explaining that they will integrate one day with 3rd party apps, why HBSS can or can’t do whatever you want it to, and why to really get the value you have to buy even more McAfee software. I don’t think Mike’s schedule has anything to do with the state of the security market.

3. These kinds of articles make the whole security industry seem like a bunch of blood suckers. We wait around for doom and gloom to befall potential customers, before we swoop in and suck them dry for bigger profits. I know vampires are cool these days, especially with younger girls, but is this really the image we want portrayed of our industry? I don’t.

4. I agree with Brent Thill of UBS from the BusinessWeek article. He says security stocks do better during the downtimes than they do in the economic recoveries.

So, yes, the Cyberwar is on. The truth of the matter is that it has been on for years. Just not everyone knew it. We as an industry, rather than being seen as shadowy creatures of the night, should be out front leading the fight. I would rather be the GI Joe of the Cyberwar than the vampire of the security gold rush.


Appearance on Symantec podcast

I am going to be appearing on a Symantec virtual roundtable entitled: SECURING 2010: PERSPECTIVES FROM INDUSTRY SECURITY BLOGGERS. It is scheduled for January 27th at 2pm EST. You can register for the webcast here.

Joining me on the roundtable are Martin McKeay and Scott Wright. I have not been on a show with Martin in a while, so it should be fun. If you are available it promises to be a good show and the price is right (free)!

January 14, 2010

In the cloud what's old is new again

I saw an article on CNET tonight that caused me to have a deja vu moment. Dave Rosenberg wrote about IBM grabbing the largest cloud deployment to date. IBM will host for Panasonic at first up to 100k Lotus Notes live users “in the cloud”, moving up to 300k. Hosting Lotus Notes in the cloud. Wow, cutting edge! My CISO Group partner Parker Yates will get a kick out of this one too.

It was just about 10 years ago that Parker and I were at Interliant. We had just gone public a few months before and neither of us knew that we were staring over the precipice of the dot com bubble bursting. Interliant was a pioneer in what was called ASP – application service provider, for you kids out there. Our bread and butter hosted app? Lotus Notes on Lotus Domino servers. Domino R5 was the hot stuff then. We were a major partner with IBM and probably the largest hosted Notes provider in the world.

Reading Dave’s article about what IBM was offering in this record shattering cloud deployment, I went to the Wayback Machine and had a look at where Interliant was then. Here is what we were offering right before 9/11:

Customers access Notes mail and applications on Domino servers that reside at an Interliant data center. Users' Notes clients (or Web browser) access servers at Interliant over the Internet or via a direct connection such as Frame Relay. In addition to mail and application servers, customers' Internet Gateway (SMTP) and "hub" servers all reside at Interliant, thus fully leveraging Interliant's world class facilities.

Sounds pretty cloud like to me. What about you? Frame relay? Pretty cool, huh? I know, I know, you are saying, what about the security? How can you have a cloud without security?

Well here is an excerpt from the managed security solution listed on the same web site:

Our INIT SECURITY solutions are based on best-in-class firewall and Virtual Private Network (VPN) technologies, coupled with qualified security architecture design as well as monitoring and management services. INIT SECURITY solutions leverage state-of-the-art security products from industry leaders, such as Check Point™, Nokia®, and other major vendors. We analyze your security requirements, and tailor a secure hosted solution, available 24x7.

We take away the overhead — you don’t need to buy the software and hardware, or manage the devices. This service-based, hosted approach accelerates your speed to functionality, and allows you to sidestep e-vulnerability concerns.

INIT Managed Firewall Service

This service provides full security consultation, configuration, and on-going maintenance and management of a client’s specific security requirements as they relate to a hosted environment. The service includes set up and installation, monitoring and management, logging and reporting, policy management, firewall updates, as well as quarterly performance audits and policy review.

INIT Remote Managed Firewall Service

This service enables customers to outsource the design, implementation, monitoring, management and maintenance of their on-site firewall hardware and software to professionally certified Interliant security engineers. INIT Remote MFS adds industrial-strength professional services to protect against malicious intruders and potential hackers. The offering includes an initial security assessment, design, implementation, 24x7 monitoring and management, logging and reporting, policy management, firewall updates, as well as quarterly performance audits and tuning.

Key advantages include:

Peace of Mind: INIT SECURITY solutions shield your organization from the anxiety of network and Internet vulnerability — our experts work 24x7 to ensure that your applications and data are always protected

Tailored, Best-in-Class: INIT SECURITY experts evaluate your environment to understand where and how you are vulnerable. This means analyzing your business practices and IT infrastructure. We leverage best-in-class technologies from security leaders to protect your environment, and design security solutions to provide tailored support and peace of mind

Relevance: INIT SECURITY experts rapidly update and reconfigure your security solution to address emerging threats and changes in your business operations

Simplicity: INIT SECURITY solutions allow your organization to sidestep IT complexity — such as deployment and management of your security solution

Reduced Cost of Ownership: INIT SECURITY solutions offer hosted access to best-in-class security solutions. You don’t have to extend funds to buy, install, and update the technologies

Investment Protection: INIT SECURITY solutions allow you to choose the best solutions today, without worrying about their ability to address tomorrow’s threats. We migrate your solution to harness state-of-the-art security technology. You’re never saddled with obsolete infrastructure

Interliant recognizes the business challenges in today’s competitive global environment — we’ll take total responsibility for your IT requirements, liberating you to focus on your core business.

Guys, this was 10 years ago. It could just as easily be on today’s web sites. Pretty weird, right? Are you having a deja vu? So how the hell did we go bankrupt? Maybe we were just up in the cloud before it was cool?

January 13, 2010

I give you The CISO Group

Many of you have asked and I suppose just as many of you don’t really care. But ready or not, we are launching our new company today. Take a deep breath, it’s a great day to launch. The name of the company is The CISO Group. I am one of 5 principals or managing partners in the company. We are starting off with a rather narrow focus, but like most I guess we have plans to expand in due time.

I will get into the who’s and why’s in a moment, but let me get this stuff out first. We have an excellent new blog/podcast we have started for the new company. It is called security.exe and the URL is http://www.securityexe.com. Here is the press release announcing The CISO Group.

My first post on security.exe is titled “Why the CISO Group”. I am going to paste it in here for you all to read. But before you do, I wanted to say thanks for all of the good wishes and support I have received from so many over the last few months. Making The CISO Group successful is going to take a lot of hard work on our part. But knowing that we have so many friends out there helps. Thanks again!

Why The CISO Group?

A few people have asked me why I have decided to join with my fellow founding members in bringing The CISO Group to market. Excellent question. The economy is far from good right now, there are lots of security companies chasing limited dollars, and the safe thing to do would be to go look for a job and a steady paycheck. But once an entrepreneur, always an entrepreneur. I have not taken a "job" in a very long time. For me work is about passion. If I can't be passionate about what I am doing, I can't be successful. Part of that passion is knowing that I am building something. Other people build bridges and roads, I like to build companies.

Mitchell Ashley and I have spoken about doing another company ever since he left StillSecure 3 years or so ago. We work very well together and most of all we have fun together. Working with Mitchell we usually have at least one good belly laugh a day. Josh Karp is another fellow I have worked with and traveled around the country with. He is a great talent, but again most importantly someone that is fun to work with. Parker Yates is someone I worked with 10 years ago or more. But Parker and I had such a good time, while being successful, that we always stayed in touch over the years. Bobby Dominquez, my other fellow founding partner, is actually someone who has been a customer of mine for years. I have known Bobby while he was CSO at several different companies. Yes, he is a finalist for CSO of the year for two years running, but Bobby is someone I have fun working with.

The common theme here is that all of the folks at The CISO Group are people I enjoy working with. They are all incredibly talented in their own right as well. We looked at the current state of the security market. Yes, it is very competitive, but there are still lots of places that represent opportunity. We think our CISO on Demand is a great concept that has worked for the CIO and CFO role in the past, and it is high time it worked for the CSO role. In fact it is even better suited to the CISO role. We also see a huge opportunity in the PCI market. There are lots of people in that field, but it is a big field that promises to grow bigger.

The bottom line is that I think this is a great time to start a new company. At this stage in my life I would trade the VC dollars and dreams of building the next big thing for a solid company, working with people I enjoy and respect and most of all having fun! If in doing so we can fill a need in the market, as we think we can, what more does one person need? I am looking forward to making The CISO Group very successful and having fun working with my partners!

January 12, 2010

New advertiser on ashimmy.com

Hey readers, if you are reading this on the blog site itself and not the feed, have a look at the top of the page. You should see ads from a new advertiser that I am trying out. It is from Talent Seeker. They should be advertising tech industry jobs from Google, Dell and others. I figured since it is not like I make a lot of money on the blog, at least I might actually help some folks find a job.

Anyway, check out the jobs and let me know if you think these are worthwhile. Good Luck!

January 11, 2010

Is your CIO a Neanderthal?

I was talking to a friend tonight about his work situation. He is a very competent CSO. His most recent job is really getting to him though. He has been there about a year now. He is the third CSO in the last three years at this organization. He knew about the other two before him, but he thought he would be different. I know you have heard that line before. Anyway, here he is 12 months later. The CIO got the passing grade on the audit and now looks at my friend like he is the fifth wheel on a four wheel drive.

The company they work for is very successful and profitable. The attitude there about security from the top down is that it is a necessary evil. But only necessary enough to pass whatever minimum they have to for compliance sake and that is it.

My friend on the other hand is the eternal optimist. He is still trying to convince the CIO that security is important. That he needs to see the entire security plan through. Why privacy, risk management and security trump the compliance minimum.

I hate to be the one to burst a bubble. OK, I like to pop a bubble. In any event I told my friend, forget it. He has a snowball’s chance in hell of changing the CIO’s attitude. At the end of the day the only thing that is going to change his mind is if they are unlucky enough to get bit. When they do, that CIO will get religion. Until then you are probably banging your head against a rock wall. But that is fitting, because the CIO’s attitude is that of a caveman.

Nova Development Print Artist an example of terrible software design

As I wrote over the weekend I recently upgraded my wife’s dinosaur machine to Windows 7. Everything worked great and I was very impressed with how right Microsoft got it on Windows 7.

Out of everything on her machine, hardware and software, the only thing that came up incompatible was her Print Shop Pro version 20. Windows actually came up with a warning that said there were known driver problems with this product, even when using the compatibility feature built into Windows 7.

The kids and I use the Print Shop for a lot of their school projects, so that was a problem. We went down to Best Buy looking for an upgrade. They did not have Print Shop in stock, but had a competing product, Print Artist.

I knew Print Artist from earlier in my experience, and it was by Sierra, so I felt confident buying it. It advertised on the box how it had more graphics, projects and fonts than Print Shop.

Got home, installed the software and boy, what a piece of junk! What they have done is just put a ton of graphics, most of them terrible cartoons, onto DVDs. There is no search feature for the DVDs. You have to go through the DVD pictures one at a time looking for what you want. Over 300,000 pieces of clip art and no search feature!

For the clip art that came with the product and not on disk, the search feature was so limited and crippled as to make it unusable. That was just the tip of the iceberg. The whole program was a joke.

It seems Sierra sold the product to Nova sometime back and they have just tried to milk the cow here without doing anything substantive. In fact the product has gotten worse.

I called the support number today and the poor guy who answered the phone could only blame the developers for being non-responsive. Lots of people complain about this. He gave me the number to call to get info to send the software in for a refund.

So I sent it back to get my 40 dollars back. Will let you know if at least Nova gets that right. In the meantime, stay away from Print Artist!

Big week ahead

For those who read my blog regularly, I have spoken about being very busy getting my next “big adventure” going. The last month and a half have been busy talking, planning and doing. Finally this week we are going to take the wraps off of what I and my partners have been working on.

We will probably make the opening announcement on Wednesday. On Friday I am speaking at the ISACA WOW! event here in South Florida. While my talk Friday is about Compliance for Compliance sake giving us a false sense of security, I will also be talking about the new company.

A life lesson I learned was that there is never a perfect time to have a kid. You can always point to something that is not optimum to having a child right now. Like having children, there is never a perfect time to launch a company. There is always more work to do before the launch. Can we do more planning? Can we make the website better? Do more research?

Eventually, like the commercial says, you “just do it”. So ready or not, we will do it this week. Look for the announcement here on the blog and elsewhere. Also, if you are in the South Florida area, come down to the WOW! event at the Four Seasons Hotel in Miami. It promises to be a great event.

PS – As I tweeted over the weekend: if you are a security person in the Tampa area interested in a potential long term engagement, please contact me!

Creative Commons License
This work is licensed under a Creative Commons Attribution-Share Alike 2.5 License.
