Monthly Archive

This is the archive of the blog! Feel free to browse around!

Jamparii - another scam?

I get many strange invitations in my email. Today's selection is from a company that calls itself Biztime Limited, based in the UK. They have a new social networking idea, called Jamparii. Sure we can use that (pun). Their plan is to let me make a profit as they become the next MySpace and YouTube. In other words, they want my money.

The invitation came through an Ecademy group. I quit Ecademy 18 months ago because back then I felt many users were only interested in MLM and promoting scams. Even though I have cancelled my account and am no longer listed on Ecademy, they continue to send me emails from their forums. That is another post, I guess!

So back to Jamparii - they ask me to give them £1,000 in exchange for a Founder Life Membership. And a potential revenue share:

Our strategy is to create a small group of just 250 Founder Life Members, who will be the centre pillars of Jamparii and will benefit both as life members but also financially as shareholders. We already have a number in place but there are still plenty of places left. Your investment will be under £1,000 and you will have the opportunity to earn and win more shares during the first year or so.

 

So - I will win more shares during the first year or so. Sounds like the MLM game that took Europe by storm a few years back - you played around with virtual stocks, and made a profit based upon how many people you recruited. World Game Inc. it was called, before it was exposed as a bluff.

Further fuel for my presumption is the fact that 3,750 Founder members are also invited. So - we have Founder Life members who will win shares, and Founder members who pay to enter. Then add regular, paying members - they will feed the profit up the chain. Or so it may sound.

They start their story like this:

When we hear of the huge sums of money that are being paid for these web platforms do you wish that you had thought them up or had a stake in them?

Well here is an opportunity for you to do just that! - Read on and see for yourself!

 

I am sorry. If I had such an idea, the last thing I would do is tell everyone. I would get people to use it, not try to sell it like a scam.

Thus, I suggest Jamparii is a scam, and time will show who is right. I will have to apologize if they actually end up like MySpace or YouTube - walking away with a huge lump of money.

Confession: I make errors.

Today, I made a major mistake. Mixing up two bloggers in a rant is not a good idea, nor a credibility builder. Period. Luckily for me, it was discovered quite soon - unluckily for me, it took a reader to discover it. And the only way he could have got there was through the RSS feed, so I know the story is widespread and the disaster may be huge!

 

What happened?

This morning, I read a rant by Michael Farnum over at An Information Security Place. He was explaining what a bot is, and how it operates. He got a comment from a user who questioned his authority in the matter because he had not written any security books. Hey, what kind of question is that, anyway? Michael then got caught in the fire, and made a hot reply. I thought this was funny, and tried to make the point that branding and marketing are key if you want to get heard out there.

What was wrong is the fact that I mixed up Michael with Marcus Ranum, a security specialist with a high profile. Mixing people up like that is a bad mistake. Really bad. On the border of being unforgivable, actually.

 

Do what you preach, father!

I always tell people to do their research properly. Double-check and verify again before posting or publishing something. It never looks good to get caught out because you took a shortcut.

Sometimes I need to take my own medicine, I guess. I messed up. I bet I will mess up again in the future. But at least this time I realized the error, and I will make sure to spend more time on research and QA of my posts in the future.

So - Michael Farnum, my readers, Marcus Ranum - I am terribly sorry to have messed up your names in my post. Andy - thank you very much for pointing it out. If you had not, chances are no one would have, and I would have been the standing joke for the rest of my days.

So how can you learn from my mistake?

1. Research research research - make sure you get the story right, and use the right names.

2. Discover an error? Fix it!

3. Learn from your mistake! 

 

 

Michael Farnum: No book required - branding is

This post has been edited - I made a huge mistake, taking Michael Farnum to be Marcus Ranum. Wow - that is a mistake not even sleepless nights can explain! I have edited the post to reflect the correct name.

 

--------------------------------

Michael Farnum, a superhero of security, is having a hard time with people not recognizing him as the authority he is. Of course, after around 20 years in a business where whatever he says and does is hailed, it must be easy to get cocky. Guess I need to do a Security Profile on him to see if he really is.

So - Michael had a problem with Douglas Schweitzer's blog post describing bots. And being the helper Michael is, he jumps in and immediately explains that Douglas is mistaken, and then describes a bot as it should be described. Of course this starts a fire.

All this was brought to my attention by Michael posting his frustration on his own blog today. It turns out that someone posted a comment on the Douglas story telling Michael to back off, since he has not

"written any computer security books "

This should make a big gun like Michael laugh out loud. It sure made me laugh. Especially since the comment was made on his own blog!

And I did not laugh only because there are people out there who do not know Michael, but because Michael actually fires up the way he does just because someone out there does not know about him!

So Michael - the lesson for you and the rest of us is simple. It is not about writing a book - it is about branding. You may write a lot of books, or you may not. If no one knows your name, you are nobody. And to David, you are obviously a nobody. And to impress David, it takes a book!

Imo, there is no need to get angry and fire yourself up just because there are people not recognizing you as the security expert you obviously are to many others. It should wake you up - it might be time to revise your marketing and branding strategy to match the changes in the market?

 

I don't care if they see boobies

"I don't care if they see boobies!"

Those were the words of Jennifer Jabbusch, a US-based security consultant. A successful one, I might add. Her specialty is teaching users how to relate to Internet threats. Her users are teachers and other relevant personnel at schools.

Her success led her to write a white paper on content filtering in schools. When she first told me, I have to admit I expected another technically oriented mock-up of the kind that makes every non-technical person turn away. So I kind of looked it up just to be able to tell her "I have seen it".

Of course the introduction grabbed my attention. And I kept on reading, realizing Jennifer is spot on, in a language every teacher should understand. And as she relates threats and risk to herself, it is easy for the reader to understand too.

If you are looking for a good explanation of why content filtering is a good idea for schools - and homes, I might add - this white paper is all you need.

How do you define Information security?

Recently, I posted a question on LinkedIn. I asked LinkedIn professionals and everybody else how they define Information security. The reason behind the question is simple - I meet a lot of people thinking I am an IT-security guy. And although I do know what a firewall is, and how to operate an IPS, I am an Information security specialist. To me, that means I deal with information - not only the technology we use to communicate.

Not surprisingly, many answers were in the technology sphere:

  • I define it as the protection of the confidentiality, integrity and availability of sensitive data.
  • interpretation is the building of a Digital Infrastructure ( D.I ) to be able to authenticate and verify the real person versus an imposter.
  • the technological methods deployed by the intruders to hack this information versus technological methods used by you to protect this data

To me, technology is merely the set of tools we apply to get part of the job done. So it only matters when the information itself resides in, or is communicated using, technology.

A few smart comments were made as well:

  • I'd rather clearly view the difference between information and disinformation.

Juri here points directly at one important feature of information security - the control of information, and, by extension, using that same control to influence your environment. An example is from the spying business, where disinformation is used to create FUD. The same is applied by vendors in their sales process, making the customer uncertain about choosing the competitors' products.

Although disinformation is not widely focused upon in the industry, I find it very interesting and important. Not necessarily to use it, but to understand that others might be using it.

---

Not surprisingly, Bruce Schneier's definition surfaced, in Jennifer's wording:

Security is a defense against something intentional; Safety is a defense against something accidental.

 

My favorite is the definition made by Bruce Hallas. He will smile now!

"Security is about the management of commercial risk stemming from the interaction between people, both known and unknown, with an organization's information and information systems."

---

Imo, when security personnel cry about not getting heard by their management, I believe they themselves are responsible. The purpose of security is not security itself, but the control of risks related to the organization.

 

SANS Oslo 2007

John Fitzgerald over at The SANS Institute asked me to promote the SANS Oslo event - a SANS training camp taking place at Telenor Expo (Fornebu, Oslo) from 24 to 29 September 2007.

In addition to the high-quality training courses, there will be two SANS Community Nights. These are free of charge, and open to all interested parties. I will make sure to be there myself!

Please head over to the SANS pages to read more on the courses. I will post updates regarding the SANS Community Nights here as well.

Social networks and their information collection

I have been known to rant about people's lack of care or understanding when it comes to publishing information on the Internet. Most people are either incredibly naive, plain stupid or just do not care. (I do realize they probably just do not want to know.)

This YouTube video came to my RSS reader today (thanks, Gnucitizen).

So as a reminder to my readers, please take a look at this video. It is your identity at stake. Your future.

Hoff's How to kick ass!

Christofer Hoff is ranting about security people who act like the security guard and still expect to be treated like security pros.

He is spot on. If your security officer hides away in the bunker and asks for more cash to spend on security, it is time for you to raise the requirements. Security is not rocket science. It is about managing risk - just as you do every day, and have been doing every day since you were born.

Take a kid learning to ride a bike. As a parent, you prefer not to look. Still you know the kid has to try, and actually fall. Not once. Not twice. But many times. Why? So the kid himself can learn and relate that bicycling is dangerous, that it does hurt to crash, and thus that the action taken must be adapted to the possible pain.

In other words - learning to ride a bike is learning to relate risk (possible pain) to action (possible outcome - riding the bike). You know that by mastering the bike, and adapting your approach, you reduce the risk of getting hurt. But as kids are stubborn, and need to experience pain in order to understand it, you have to let them try.

It is the same thing when you grow up and start working. As a manager, you have your targets, actions and risks. As with the bike, you have to adapt your actions to reduce the risk, while maximizing the outcome.

And your security officer is supposed to actually help you maximize the outcome by managing the risk. If he does not realize that, get rid of him. If you do not realize it, it is time to wake up - he is there to serve the company.

Read the Hoff rant, and make sure you send it to your security people as well!

Security Profile: Martin McKeay

Martin McKeay – a long-time security specialist and popular blogger – is next up as Security Profile. He has been in the industry for more than a decade, and moved on to StillSecure a couple of months back. He probably has one of the best jobs in the world – evangelizing about Cobia. He loves drawing attention to Cobia, and if you let him get started, you end up using Cobia yourself.

Martin has his own security blog over at http://www.mckeay.net/. I have enjoyed it for quite a while as he expresses interesting and educated views. He has maintained this blog for more than 3.5 years (as of June 2007). It has made him many new friends, he has learned a lot, and it has enabled him to share his knowledge – something we all know he just loves!

Lately, he has focused mostly on the Cobia blog – a job he blogged himself into, by his own account: "Blogging has expanded my horizons, introduced me to new friends and made it possible for me to become the Cobia Product Evangelist. I love to learn and love to share it with others, which made the position a perfect fit," Martin says.


The interest

Martin found his interest in Information Security in a manner many of us will recognize:

M: I've always thought of the security implications of IT, even as desktop support. It amazed me at the time how little people thought of handing their computer over to someone who claimed they worked for the IT department, not to mention passwords on stickies.

When I took over my first network, I continued making security one of my primary concerns, and several years later when an opportunity to become an IDS administrator for a major state agency came along, I jumped at it.

Sounds like someone you know, right?

M: I got interested, and remain interested, in Information Security because of the challenge of thinking of what could go wrong and doing your best to make sure it doesn't happen or happens in a controlled manner.

I like the challenge of thinking about how someone might try to gain access to my network or business and how to stop them.

Controlling your resources

When asked about his view on the role of Information security in the organization, Martin makes it clear that technology itself is only a means to enable controls.

M: Security is about controlling what happens to your resources, whether it's the computers on your network or the data on their drives. If someone else controls your resources, you're not secure, it's that simple. All the rest is in the details of how you do it.

K: How can you make yourself a secure environment?

M: If you keep in mind that security is about maintaining control over your resources, not what technology or vendor you use; you're more likely to end up with a secure solution in the end.

K: So by looking beyond technology itself, you are able to better control your business environment?

M: I used to think of security as a set of absolutes, but I've come to learn of it as a viewpoint, especially when you get to the board room. We know what the problems are, how to fix them, but sometimes we don't understand how it affects the rest of the company. So when it comes down to it, security is about doing business, and if a security measure is going to interfere with business, it's security that's going to have to change.


Business impact

Martin is making a very important point here. Security only exists in order to support business goals.

M: I think that one of the trends in security for the last few years has been the realization that security is an integral part of any business and should be treated as such. No longer are the IT and IS departments their own fiefdoms, they're now considered as part of planning from the beginning in many corporations.

This shows that we're maturing as an industry, but it also means we're more responsible for understanding the overall business rather than a small part of it.

K: Do you find security integrated in a good manner today?

M: I think the need to integrate with the rest of the business structure will continue to be a major theme this year and for the foreseeable future. We've started down the road to integration, but so far it's only a few companies that really have security involved in all projects from the ground up.

But some day this will be the standard rather than something only exceptional companies are doing.

K: What about compliance and regulations?

M: Industry and government regulations, such as HIPAA and PCI will continue to play a major role in companies as well. The benefit of such regulations is that they give businesses a specific checklist of items they need to secure; the downside of such regulations is that many businesses only deal with the security requirements on the list and don't examine their enterprise outside of these regulations.

As an example, all of the PCI regulations are aimed at keeping credit card information secure. Which means you might be able to pass an audit but still have gaping holes in your security somewhere not covered by PCI.

 

New challenges or new solutions?

K: I know the readers would love to hear how you view the security market in 2007. What are the challenges you see?

M: What will always be the biggest challenge in security is always going to be dealing with a landscape that is constantly changing. Ted Demopoulos calls it securing a moving target, Michael Dahn refers to the need for 'continuous security'.

The business is growing and changing around us, and we need to adapt as well. As much as we'd like to rest on our laurels from time to time, business is changing too quickly for that to happen.

I don't think we face too many really new challenges in IS. We have new solutions to answer the challenges with, but it's always the same problem we're trying to solve. Network Admissions Control was the big buzzword a few years ago, but the real issue was controlling the network endpoints.

New technology, but the same old problems.

A big thank you to Martin!

Read more on Martin:

Personal blog

Cobia blog

Member of the Security Bloggers Network

Today I became a member of the Security Bloggers Network over at FeedBurner. Boy, am I proud! That means Alan at StillSecure has visited and found that my blog measures up to the high standards. (I did have to poke him a couple of times, though!)

I am proud and honored!  If you do not know the Security Bloggers Network, I suggest you pay it a visit!

Security Profile - Martin McKeay

Thursday this week Martin McKeay, the Cobia evangelist, veteran security blogger and Information Security podcaster, will show up here as the Security Profile.

If you do not know Martin yet, head over to his blog!

LinkedIn - privacy or public?

Social networks have taken over much of the communication and networking these days. By setting up one (or many) profiles on LinkedIn, Facebook, Xing, MySpace or any other tool out there, you get to share ideas, thoughts and images with your peers, friends and the public.

Somehow, a large number of people seem to forget the last word - public. Somehow, they expect to be protected against cut'n'paste of questions, comments, images and profiles. Even though they put the information into these tools themselves.

Over at LinkedIn, there have been several discussions about privacy - or what people think is privacy. Ray van den Bel, a top LinkedIn user and online strategist, has a problem with LinkedIn sending his public questions to his connections. Somehow Ray is confusing privacy with public information. He posted a question (several in fact) on the Answers section of LinkedIn - a public service. Then he starts complaining when LinkedIn sends his question to other LinkedIn users. Wake up Ray, there are two reasons to post questions on LinkedIn (and similar services) - to get answers from as many people as possible, and to promote yourself.

There are other discussions on LinkedIn Answers covering the same thing - for example someone worrying about someone else copying their answer and republishing it somewhere else - on blogs, Digg etc. I mean, WAKE UP! You post your ideas, thoughts, answers ONLINE! And on a public website. Hey - you have NO control over that information. If you do not like that, then keep your comments to yourself. Or pick up the phone.

Internet is transparent. It will become more transparent. You are responsible for your own actions, and need to be in charge. 

For your information - every answer you put on LinkedIn is publicly available. If you post something on Xing, it is even indexed by search engines. Using CoComment? Anyone can subscribe to YOUR comments!

In this cyberworld, you need to recognize that everything is public. If you do not like it, do not use it. It is not entirely unlike the toilet wall, is it?

Discuss your view below! 

Weekend laugh

Guess I am in the laughing corner - here is what made me smile today:

http://xkcd.com/c277.html

Enjoy! I wish you all a nice weekend, I will be gardening!

How do you define Information Security?

I just posted a question on LinkedIn Answers - "How do you define Information Security". I ask:

I am in what I define as the Information Security field / sector. However, I seem to meet many people in the same field, but only dealing with the technical aspects (IT-security).
So I wonder: how do you define Information security? What are the main drivers of information security? How important is the technology?

 

I welcome your thoughts on this matter below!

How did I get into security?

Martin McKeay asked the question "How did you get into security?".

I will let you in on my story! It all began back in the 80s, playing around with my father's IBM PC. It had a modem attached, and I used it to play around on BBSes. That soon got me into networking, both the technical kind and people networking.

Fast forward into the 90s - I had studied marketing and communication, and combined that with computer knowledge and understanding. Soon I found myself helping large corporations deal with the Internet - developing and implementing communication strategies, understanding the dynamics and the potential.

One thing soon became very important - to control the message. Soon I found myself advising on security in general: anti-virus, anti-hacking, anti domain theft. Helping ISPs set up their security, helping multinationals secure their global, yet still internal, communication and network traffic.

My focus was, and still is, on the conceptual and managerial side. I do know my way around TCP/IP, firewalling and networking, but that has never been my focus. I prefer to advise on solutions, and although I do have my own testing rack in my house, I leave the technical stuff to the pros!

Over the years, I have had a lot of fun, learned a lot, failed a couple of times, and had the opportunity to travel many places to do my consulting. And I just LOVE it!

Today, I facilitate security processes, I coach and train management, and I train and develop understanding and awareness of employees. I have a small team of specialist consultants who help me help clients. 

So what is your story? No blog? Just add your comment! 

David Whitelegg has his reply here

The blogger is Kai Roer, a European Information security professional.
