However, people are saying Net Neutrality is needed because of the worry of large providers blocking traffic from small providers and carriers. I wonder if I am just naïve, because I really can’t see the big telecomm providers just outright blocking that traffic from their competitors. Mess with, screw up, delay, hold back, etc.? Yes, I see that potentially happening. They can do that with no real backlash because even if someone accuses them of it, they can deny it. As Ed Felten says in his Net Neutrality Whitepaper, “… it is often difficult to distinguish between performance problems resulting from undesirable forms of discrimination and ones due to other causes.” Basically, how do you prove conclusively that a large provider is discriminating? It would be difficult.

But if a large provider simply kills their competitor’s traffic, even if they are doing it legally, I see them being lambasted in the media and the blogosphere and losing customers. That is not fair play. Maybe I’m wrong here, but I just don’t see it happening.

[RANT ALERT!!!] So let’s argue for Net Neutrality on its real merits, namely that the large providers should not be able to control the Internet just because it is their routers the traffic is passing through. Ed Whitacre needs to get a grip and stop spouting that his competitors are simply using his “pipes free.” That is a load of bull. These guys pay telecomm providers millions and millions a year. If they need more speed, they buy it. You are getting your money, Mr. Whitacre. The only reason you are against this is because you don’t want legitimate competition for your future plans for fiber in every home. You want to have the lines and the play time with no threat of other services keeping you form making a couple of more bucks. Please…

Vet

Once those execs know who you are, what’s next? This is where it gets real, folks. You actually have to define your job. Not just DO your job, but actually sit down in front of your laptop, desktop, writing pad, whatever, and get a solid idea of what you do. I am not talking about a job description. I am talking about the tasks you work on daily and weekly and monthly and so on. Tasks you have to perform to make your network secure and your information safe.

Make out your list ASAP. It will help you get organized. Then, print it out and slip it under your boss’s door. Maybe it will wake someone up (or it might just piss ‘em off – either one is OK).

Now I have to admit that it is often difficult to get started on a list like this. There are so many things that you do that it seems like it would be simple to put it down. But it sometimes is just not that easy. So, here’s a sample of what you might have to do as a security person. It won’t apply to everyone, of course, and I have also included some network admin and engineering tasks that many security people won’t do. It is definintely not exhaustive. But for those busy security admins who do double duty on the network, then some might work. Hope it helps. Feel free to comment and add more.

IPS Maintenance
Firmware Upgrades
Signature Updates
Tuning
Reporting

IDS Maintenance
Firmware Upgrades
Signature Updates
Tuning

SIM / SEM Maintenance
Firmware Upgrades
Tuning
Alert setup
Reporting

Email Gateway Maintenance
Firmware Upgrades
Real Expression Maintenance
Delivering blocked emails
Reviewing message logs for false positives and false negatives (tuning)
Checking forums for new spam / viruses that require expressions for filtering
Maintaining blocked extension database
Reporting

Corporate Firewall Maintenance
Firmware Upgrades
Policy setup
VPN setup and maintenance
User access setup
Rule auditing
Reporting

Remote Firewall Maintenance
Firmware Upgrades
Policy setup
VPN setup and maintenance
User access setup
Rule auditing
Reporting

Router and Switch Maintenance
Firmware Upgrades
Access maintenance
VLAN Maintenance

Servers
DNS Maintenance
DHCP Maintenance

Network Monitoring
Baseline configuration
Threshold alert setup

General Security
Password Auditing
Vulnerability Scanning
Rogue device scanning
Wireless device scanning

Telecommunications
DNS Maintenance

Router maintenance

Internet
Domain Maintenance

Extranet Maintenance
Firmware Upgrades
Group and User maintenance
Rules maintenance

Documentation
IP address list (public and private)
Network and security infrastructure drawings
Update acceptable use policies
Update security awareness presentation
Update DR policies and procedures
Update HIPAA policies and procedures

Training
Orientation
Security Awareness

Vet

As I was reading, I came across his recent post about laptop encryption. My comment to his post is below. You can read it here or view it on his post.

Mr. Bianco,

I must ask that you clarify who you are speaking to in the last paragraph of your post. I can somewhat gather from the next to last paragraph that you may be speaking towards execs, owner types, sales guys, etc. (and possibly lazy “security” guys who don’t bother with due diligence), but you also speak directly to the security pro in the first sentence of that paragraph by saying “If mobile users need access to data in the field, make them VPN back to the corporate network and work on it there.”

I am seeing no thought or exception for those security pros who work for cheap or brainless execs / owners who see no reason for the measures of which you are speaking. If you are referring to all security pros, including those who have fought the battle but have lost, then you are really beating up on the wrong people. Yes, those security pros can leave that brainless company, but that is not always an immediate consideration. Many companies bring in security guys to make themselves look like they are serious about security, then they don’t give them any resources with which to do their job. There are those of us who fight this day in and day out and cannot make a dent. Sorry if I sound like I am whining, but the truth is the
truth.

I really don’t mean this as an attack. I just want to make sure that people know the difference between lazy security admins and those of us who fight and fight for stuff and can’t get it.

Vet

What I am seeing so far from this is EMC basically leaving RSA alone so they can keep doing their thing.  Joe Tucci calls it EMC’s “string of pearls” approach.  Mike Rothman basically says the same thing in today’s Daily Incite:

“But historically, EMC leaves their big acquisitions alone – integrating technology where it makes sense, but letting them operate in the way they need to for their respective markets.”

This does position EMC perfectly for the wackos to come out of the wood work to start accusing them of trying to take over the world.  Just watch and see.

Vet

OK, I just have to think about this one for a while. I’ll get back to you…

OK, everything is better.  I am not at all worried now.  Vets, you can quit worrying.

Uh huh…

Vet

“…healthcare organization[s] continue to invest in security, but it’s to protect private information (to avoid the negative brand impact of a breach) and also to improve patient care (identity management and SSO stuff), but it ain’t because of HIPAA.”

Here’s the question: Will healthcare exec’s actually continue to invest in security if they see that HIPAA is not a real threat to them or their organization, even with the concerns that Mike states?

I know from personal experience that IT is typically not a healthcare executive’s favorite place to spend money. They would (somewhat justifiably so) rather spend it in the clinical areas, where they see the money being made. With HIPAA not being enforced and non-government compliance agencies like JCAHO not really looking at the IT side of things (unless you have an EMR (Electronic Medical Records) system, what is the incentive? I know many state (and likely federal soon) governments are forcing companies to notify when they have a breach, and that is a serious consequence, but I am not convinced that it is enough.

So have healthcare security pro’s ridden the HIPAA train as far as it will go?

Vet