Showing posts with label RSA Conference. Show all posts

Monday, April 28, 2008

Your Moment of Zen

With apologies to the Daily Show, I present- your Moment of Zen:

"Your systems are vulnerable and will be compromised"

It may be shocking at first, but it is true and you know it.  You may argue about the definitions of "vulnerable" and "compromised", but that misses the point.  Our systems are vulnerable and will be compromised.  Now what do we do? 

  • Focus on the things you can actually accomplish.
  • Accept that we really do need a "Plan B" (and maybe C, D...).
    • Work on those plans.
  • Prioritize work based on real exposure.
  • Think about risk.
    • There are many "deep thinkers" in the Risk field, but start with a little "shallow thought" and work your way up.

I have been thinking about this for a while and a panel discussion at RSA really crystallized the idea for me (and many others).  It is not a new idea; Chris Hoff has expressed it in his move from "Rational Security" to "Rational Survivability".  Mike Rothman's "Pragmatic CSO" includes elements of it.  My belief that moving forward, even incrementally, is better than trying to solve all of the big problems also touches the idea.

Possibly more significant than the agreement of the esteemed panel (Mike Rothman, Ron Woerner, Rich Mogull, David Mortman and Martin McKeay) was the general agreement from the audience.  It has always been true, but now it is OK to accept it- and move on.


Jack

Tuesday, April 22, 2008

The "Theme" of the Expo at RSA

I am working on a few posts on RSA, things like "Your Moment of Zen" and "Confessions of a Booth Babe", but first...

One of the oft-asked questions at RSA was "What's the theme?" There was an official Turing theme, but it didn't really take. I spent quite a bit of time in the Expo with all of the vendors, so I proposed:
"Simple solutions to complex problems"
Rich Mogull suggested this refinement:
"Meaningless, content-free answers to important questions"

From the Expo floor there was also a strong undercurrent of:
"Buy our product and you will be (fill in the blank) compliant (and thus secure)."

No surprises, really, but it is depressing how few people selling stuff (any stuff, not just security stuff) are aware of their own market. Security is hard and the odds are against "winning", so the hyperbole (100% effective against SPAM!) and oversimplification just annoy and offend the educated customer.

Don't get me wrong, overall I had a great time at RSA, but the stupid sales weasels just amaze and appall me. Keep in mind that I have spent the past thirty years in and supporting the car business; I know stupid sales weasels when I see them.

Jack

Thursday, April 17, 2008

RSA Security Bloggers Meet-up

Several people have already written about this, so I'll keep it short. I really enjoyed it; I reconnected with some people, met some Internet acquaintances and Security Twits in person for the first time, and met new people, too. I had a great time and I'm already looking forward to the next one.

Thanks again to Jennifer Leggio (Mediaphyter), Martin McKeay, Rich Mogull, Alan Shimel and everyone else who helped make it happen.

Mediaphyter's blog post has a pretty thorough list of attendees, scan it and you'll see why I am not trying to repeat the effort here.

Jack

Monday, March 31, 2008

Security Bloggers Meetup at RSA

I am looking forward to the Security Bloggers Meetup at RSA next week.  A couple of weeks ago at SOURCE Boston I got to put faces (not just avatars) to Twittering and blogging friends I only knew through online interactions- I expect to make many more face-to-face connections at the RSA meetup.  Given the reputation of RSA evenings in general and the Security Blogger Meetup in particular, I can't be sure that I will remember much- but I know there will be video to help jog my memory.

See you there?


Jack

Sunday, March 23, 2008

Astaro, RSA, Bloggers, and Beer

OK, this post is much more "commercial" than anything I've done before, but bear with me on this...

A handful of factoids:

  • The San Francisco RSA conference is coming up in a few weeks.
  • I'll be there covering the event.
  • Astaro will be there, promoting their new (and of course, current) product line.
  • I blog, and I work for Astaro.
  • Getting press credentials for RSA means you are solicited by everyone who wants press for their products and services.

Now to connect some dots. Several people have commented on the barrage of email invitations to schedule meetings and other such things. Some have commented on the cluelessness of some of the PR and Marketing people. I see two primary issues: first, some PR and Marketing types don't have the time (or possibly skill) to do a good job (see this post at the Mediaphyter blog); second, many people do not realize that bloggers and traditional press may have some overlap, but are generally very different people with different situations (see this post at Martin McKeay's blog).

I don't mind the mountains of email invitations. I'm getting into the event with a complimentary Press/Analyst pass and the vendors want to get their message out- that's how this works. I do think many of the messages and invitations are excessively verbose and hype-laden, but some are pretty well done. The well done ones are much more likely to get my attention, both before and during the conference.

Here's the Astaro connection: Astaro wants to get attention from bloggers and I think they are trying to do it right. Tuesday afternoon (you'll be ready to sit down, have a beer and jump on the Internet by then) there will be a "Beer and Blog" event at the Astaro booth; meet Astaro people including the CEO, see the products, talk about whatever you want. And beer. The invitations are short and to the point, and they are only being sent to bloggers. Yes, bloggers, Astaro wants your attention, but they are trying to do it right. If you are registered as a Blogger for RSA you should get an invite- if you are interested please RSVP; it would be bad to run out of beer. If you don't get an invite, let me know. And let me know what you think.

Now, back to your irregularly scheduled blogging.

Jack

Saturday, February 23, 2008

Upcoming Conferences and Events

A few upcoming events of note. Unfortunately, I will not be able to attend any of the local ones.

Source Boston
March 12-14. A new security conference, featuring keynotes by Dan Geer, Steven Levy and Richard Clarke. It features a wide variety of presentations in three tracks: Business and Security, Application Security, and Security and Technology. Presentations include a reunion of L0pht Heavy Industries and talks by several industry luminaries including Rich Mogull, Chris Hoff, Mike Rothman and many others.

BU Security Camp
March 14. The "Security Camp" is a free one day conference for university system, network, and security administrators. The goal of the conference is to share the experiences of those responsible for maintaining computing security in the higher education environment so all may benefit from our collective experience. Opportunities to network with other University staff will be provided throughout the day.

[Yes, the above conflict. No, apparently they are unaware of the wonders of Google and calendars]

MIT Spam Conference

March 27-28. Topics for 2008 include not just plain spam, but "other cybercrimes" such as phishing, IM spam, SMS spam, MMORPG spam, blog spam, trackback spam, photo spam, stock pump-and-dumps, email con games, exploit marketing, zombie bots and bot armies, setting up antispam systems, and antispam countermeasures including hardware, software, wetware, and blue-ware (i.e. employing the police).

RSA
April 7-11. I will be covering RSA for the blog this year and will "Twitter-cast" (more on that later) from RSA as I did at Shmoocon. I may even take a recorder and try to get some interviews, or at least put some folks on the spot. No, I am not going to start YASP (Yet Another Security Podcast), but if I get anything good I will post it somewhere and post links from the blog. Besides lurking in the press room, wandering the floor, attending sessions and attending the Security Bloggers' Meetup, I will be working with people from my "day job" to help set up a smaller blogger event. More on that as it develops.

I am disappointed that I will not be able to go to the events twelve miles from my office, but I am looking forward to RSA- even if it is 3200 miles away.

Jack