Showing posts with label Rich Mogull. Show all posts

Monday, May 12, 2008

Podcast updates

It has been a while since I reviewed my list of security podcasts and a few new ones have made it into rotation since I last visited the topic. My regular listens and a link to the Getmon Security Podcast list are in my Podcast.com widget (over there on the right, scroll down a bit and you'll see it). Click away at any of the titles for episode details, links to Podcast.com pages, or to play episodes.

My previous recommendations still stand:

  • Pauldotcom Security Weekly
    • Pauldotcom has grown into an empire, with video and webcasts and an entire community involved.
  • The Network Security Podcast
    • Rich Mogull is now Martin McKeay's cohost and his addition has expanded the perspective of this great show.
  • CyberSpeak
    • Brett and Ovie continue to deliver informative and entertaining forensics and cyber-crime content on a quasi-weekly basis (they are busy guys).
  • Security Now*
    • Steve Gibson and Leo LaPorte talk security, and stuff.
    • *figure out the asterisk for yourself.

And newer in the rotation:

  • Risky Business
    • This one is a must-listen, an outstanding weekly podcast featuring news and interviews hosted by Patrick Gray (Patrick Gray is great, and he also has a weekly networking and systems podcast, "A Series of Tubes").
  • The Silver Bullet Podcast
    • In-depth conversations with leading security gurus, hosted by Gary McGraw, sponsored by IEEE Security & Privacy Magazine.
  • Radio Free Security
    • A good podcast aimed at the small business IT administrator produced by WatchGuard LiveSecurity Service reporters.
    • NOTE- this shares a feed with their "Firebox Special", a podcast dedicated to the WatchGuard Firebox. Unless you are a customer, you may want to skip those.

And a few seem to have faded away, but I haven't completely given up on them:

  • The Security Roundtable [UPDATE: The Round Table is back, see comments below]
  • The Rear Guard
  • Sploitcast*
    • *Not quite dead.

Happy Listening!

Jack

Monday, April 28, 2008

Your Moment of Zen

With apologies to the Daily Show, I present- your Moment of Zen:

"Your systems are vulnerable and will be compromised"

It may be shocking at first, but it is true and you know it.  You may argue about the definitions of "vulnerable" and "compromised", but that misses the point.  Our systems are vulnerable and will be compromised.  Now what do we do? 

  • Focus on the things you can actually accomplish.
  • Accept that we really do need a "Plan B", (and maybe C, D...) 
    • Work on those plans.
  • Prioritize work based on real exposure.
  • Think about risk
    • There are many "deep thinkers" in the Risk field, but start with a little "shallow thought" and work your way up.

I have been thinking about this for a while and a panel discussion at RSA really crystallized the idea for me (and many others).  It is not a new idea, Chris Hoff has expressed it in his move from "Rational Security" to "Rational Survivability".  Mike Rothman's "Pragmatic CSO" includes elements of it.  My belief that moving forward, even incrementally, is better than trying to solve all of the big problems also touches the idea.

Possibly more significant than the agreement of the esteemed panel (Mike Rothman, Ron Woerner, Rich Mogull, David Mortman and Martin McKeay) was the general agreement from the audience.  It has always been true, but now it is OK to accept it- and move on.


Jack

Thursday, April 17, 2008

RSA Security Bloggers Meet-up

Several people have already written about this, so I'll keep it short. I really enjoyed it; I reconnected with some people, met some Internet acquaintances and Security Twits in person for the first time, and met new people, too. I had a great time and I'm already looking forward to the next one.


Thanks again to Jennifer Leggio (Mediaphyter), Martin McKeay, Rich Mogull, Alan Shimel and everyone else who helped make it happen.

Mediaphyter's blog post has a pretty thorough list of attendees, scan it and you'll see why I am not trying to repeat the effort here.

Jack

Sunday, March 16, 2008

SOURCE: Boston 2008 (updated)

SOURCE: Boston 2008 has just ended and it was great. Source is a little hard to categorize; it was part executive-level symposium, part hacker con, with a few other things tossed in for good measure.

I was only able to attend on Wednesday, but I kept up on things from my desk on Thursday and Friday by following a very active Twitter stream from the event.

Wednesday kicked off with introductions followed by a short talk by Tito Jackson*, the IT Director for the Mass Office of Business Development. Jackson's talk was very upbeat about the state of technology in Massachusetts (as you would expect), but some of the numbers really are impressive given the current economic situation. Jackson was followed by a keynote from Richard Clarke. Clarke is a very good speaker and started (after the obligatory Eliot Spitzer joke) with a recap of the history and current state of cybersecurity in the United States and recent events which have refocused attention on cybersecurity. Unfortunately Clarke started wandering away from his real areas of expertise and eventually jumped the shark and ventured into bogus generalizations and speculation. His strong statements on privacy violations could have brought him back from the brink, but by the time he suggested ideas like laws regulating secure code and requiring ISPs to clean up the Internet for us he had lost a large part of the audience and it was just residual respect and decorum which kept him from being heckled.

After the keynote the three tracks split up and the choices became difficult (always a good sign at a con). The tracks were loosely defined as "Business and Security", "Application Security" and "Security and Technology", and not being a coder I wasn't tempted by much in the Application track- but I later heard there were some excellent ones, such as Andrew Jaquith's Anti-Virus preso. I chose to hear Mike Rothman's "How Compliance Can Get You Killed"- but really wanted to see Roger Dingledine's "Making TOR Play Nice with the Internet" talk, too. I'll have to wait for the videos to see Roger's, but Mike was as entertaining and informative as always.

The next tough choice for me was between Michael Rash's "Advanced Linux Firewalls" and "Disruptive Innovation and the Future of Security" by Rich Mogull and Christofer Hoff. I couldn't pass up the dynamic duo and they didn't disappoint. It was their first pass at what is an evolving presentation- it was good and will improve with a little polish. They tried to cover more Disruptive Technology topics than would fit in the time allotted and that limited the depth of the presentation, but even in "rough cut" form it was a refreshing change from most of the mundane "Business of Security" kind of talks.

The tough choice for the end of the day was between Andrew Jaquith's "Anti-Virus, not dead but twitching..." and James Atkinson's “Telephone Defenses Against the Dark Arts”. I opted for the phone security session and spent the next two plus hours in the ultra-nerdly and technical preso. It was great- see my guest blog post about it on the SOURCEBoston blog.

The evening's reception was fantastic as a large crowd gathered on the sixteenth floor to eat, drink and talk. The conversations continued throughout the evening and eventually moved downstairs and went on until the small hours of the morning.

Although I didn't get to attend on Thursday or Friday, the Twitterfeed had a steady stream of news. Wednesday's keynotes by Dan Geer and Steven Levy received rave reviews, as did Friday's L0pht Heavy Industries' "reunion" panel (There was a somewhat-confirmed baseless rumor that L0pht is getting back together in some form or another- see Space Rogue's comments below).

Where is this "confirmed rumor" coming from? Basically Symantec owns all the L0pht IP, they even have the domain name. I suspect if we tried to do anything under that name they would probably have something to say about it, not to mention that Silicosis still works there.

I suspect that there may be some individual collaboration between a few ex-l0pht folks in the near future but getting back together as a full group just ain't gonna happen.

- SR

It is clear that I missed many very good presentations; the full list is at http://www.sourceboston.com/sessions/.

A special bonus at SOURCEBoston was the chance to meet several other Security Twits in person for the first time, notably "old friends" Ryan Naraine from eWeek and Jennifer Leggio, Keeper of The List.

Now I'm waiting for word on next year's conference.

*"Tito Jackson"? Poor guy, going through life with a famous name like that- what were his parents thinking?

Jack Daniel

Wednesday, November 21, 2007

Available vs Too Available, or how to simplify DLP

One thing that is largely missing from discussions of Data Loss/Leak Prevention is the idea that taking some data offline is a simple and effective means of preventing data loss. Information needs to be accessible in our "Information Age", but how accessible is too accessible?


Let's make this more tangible. Suppose you are headed out for a night in "the Big City", are you going to carry all of your financial records, safe deposit box keys and stock certificates with you as you navigate the subway?  Or will you carry just enough cash for the evening, only one or two credit/debit cards (maybe just one "firewall account" card), and tone down the jewelry?  Good choice- you NEED to have access to all of those high-value things, but you don't need immediate access at all times.  In fact, immediate access at all times is a pretty bad idea- that's why you have stuff locked away in the safe deposit box, right?


Maybe you don't need all of your data immediately available, either.  Maybe a virtual file or database server can host some of your data- and only be brought online as needed.  I know it isn't always that simple and that individual databases often house both mundane and confidential data, or house both frequently and infrequently accessed data (there's another issue, eh?), but think about taking data offline to protect it instead of just adding more layers of defense and complexity.


If you want a thorough introduction to DLP check out Rich Mogull's DLP primers at Securosis.  As Hoff pointed out, though, if it takes seven posts and 10,000 words to provide an introduction to something, it may not be ready for prime-time.


Jack