Andrew Berkuta
Earlier this week, the Associated Press reported that MySpace has reached an agreement with more than 45 states to help prevent sexual predators from misusing the social networking site. This is a step in the right direction, but there’s more work to be done.
In its current form, the Internet is no place for an unsupervised child. A child’s innocence can quickly be lost, and never regained. To address this concern for children’s safety online, state governments, working with various sites, have proposed safer Internet security measures based on authentication and identity verification.
Social sites can do more to reach out to school districts. One step is to provide schools with special authentication based on the school’s enrollment. The advantage would be a safe harbor for children to socialize that would keep the majority of predators out. It would be the equivalent of the “drug free zone” you see when driving past schools, but in this case a “predator free zone” for the virtual school body. It’s a start, but children are worth protecting.
With a majority of states embracing embedded chips containing biometric information for additional authentication, does that mean that our driver’s licenses will soon include assigned PINs to help verify one’s identity? If so, we will achieve better verification; however, it will also cause additional headaches and privacy issues, lawsuits against “big brother,” and infrastructure costs to customers (including the verification technologies themselves), and nothing substantial will be accomplished. Although I do not question the intent of the measures being enacted to protect users, I do question the method being used. How can one guarantee legitimate identity over an anonymous Internet? There have been many cases where identity was misrepresented, including by authorities (sting operations on sexual predators).
The fact is that the status quo must change. Predators must be stopped. Starting a “new and safe Internet” is too cost-prohibitive for customers, and the questions of who will patrol it and enforce its rules are a subject of much debate. Commercial enterprises are stepping up, in part because of concern for the consumer, but also because of fear of litigation. These companies will incur development costs, and in the long run, the consumer pays for it.
Posted in Data Protection
Since his arrival at McAfee, our CEO Dave DeWalt has advocated for changes in cybersecurity legislation in Washington. I commend Dave’s outreach to legislators and completely agree that, as a nation, we need to be proactive and recognize that new policy is needed to curb the trend of cybercrime.
Within the specific confines of enterprise IT security, however, politics within the security environment can lead to overspending and pet projects, and makes doing what is right take far more effort than it should, at a cost which impacts the true health of a project. We use politically correct terms such as “compromise,” but have we stepped back and looked at these words in the context of our security solutions? Do we really want compromises in our security? Sometimes, we must take a stand for the security solution that satisfies the requirements, is scalable, and is flexible enough to meet our future needs.
Why compromise on correlation of information, collaboration of products for total security health, consolidation of consoles and agents, and, let’s not forget, compliance? Sometimes, you get what you bargained for. What is the solution? Education and common sense. Common sense mandates the inclusion of the right people from day one of the project, and their involvement throughout the project to completion. Education will help produce a properly vetted process and procedure that takes your goals and policies into account.
The technologies will emerge as an integral part of a properly constructed solution which meets your objectives and addresses the proper policies. Lastly, eliminating politics allows the security solution to be accepted by your staff, who will support your project by supplying the care and feeding of the solution.
If we properly architect a solution which satisfies the relationship between people, process, and technology, we can then prevent some, if not most, of the project pain points mentioned above, and get something that can grow with our needs, is flexible and comprehensive enough to keep our security posture proactive, and is easily adopted and managed by our employees.
Posted in Data Protection
With Internet browsing a major vector for malware and abuse, Google announced last week that it had acquired GreenBorder. After all, the Web is the backbone of Google’s business.
So why did Google purchase a sandboxing technology for browsing? I believe it is an attempt to provide “up selling” opportunities to businesses and possibly home users. Google is the default search engine in a lot of homes and businesses these days. What better platform to sell something?
Unfortunately, there are a few things that put Google behind the “8-ball” with regard to security.
First, it is coming into security with a point product, not a complete solution. GreenBorder has some interesting technology, but it’s not for everyone. Sandbox technology may be acceptable for a generic Web browsing experience; however, when advanced features such as interoperability with back-end systems or e-commerce scenarios are needed, sandboxing has inherent deficiencies by definition, since the isolation that protects the browser also restricts what it can reach.
Secondly, there is more than one vector of attack through which malware can get in (email, IM, VoIP, etc.). To use the analogy of a home security system: you may alarm the front door, but the criminal can get in through various back doors and windows. You need a true solution that covers the whole house, not just one entry point!
Lastly, since Google’s main business is the Web and all that it encompasses, how serious will the company be about keeping up with research efforts to ensure the latest attack vectors are addressed? And will this be a passing fancy? Something to offer to keep frivolous legal issues from coming up, or simply an “up selling” opportunity for them? Regardless, Google’s mainstay is still the Web, not security.
Only time will tell how much influence this acquisition will have in the security space, and what other acquisitions Google may consider. As for me, I am confident that when dealing with issues of data theft, protection, and countermeasures, there is no substitute for dealing with a company that is 100% about security in research, development and comprehensive solutions.
Posted in Data Protection
As Carl alluded to in his blog last week, “Starbucks Stalking” is a very real crime.
It would be funny—if it wasn’t true. The fact is that if you have data that would attract a thief, your morning latte could end up quite expensive. A new twist on the old industrial espionage game is to stalk executives or key players in a corporation and find their favorite watering hole near their offices. The executives themselves are not the desirable object per se, but their laptops are. “Starbucks Stalking” is a growing trend, and for obvious reasons: it’s less risky, easier, and just as fruitful as physically stealing a laptop computer if your goal is the data. And today, that’s the goal.
A more sinister version of this crime is “Barrel Phishing.” This takes place when the data stolen, let’s say from a Starbucks Stalking, is used as a springboard for a targeted phishing scheme that convinces the victim with some threads of truth, and ultimately lulls the victim into believing the whole letter or correspondence is legitimate. Data gathered from a laptop can contain personal information, contact information, internal memos, spreadsheets and other privileged information. Any of those, combined with the stolen contact lists, adds enough legitimacy to pull off a highly successful phishing scheme.
So what can be done? Security risk management has to deal with these new techniques of data theft, especially when the physical theft is not linked to the data theft and is overlooked as a high risk to the company. A good place to start is listed in the CIO Update article. The desire is clear: reduce existing and future risks, so that a trip to the coffee house won’t get you in trouble, or worse, result in having to invoke your corporate business continuity and disaster recovery plans.
It used to be that inspecting data was considered too “intrusive” or even against policy. Now, it is commonplace with intrusion prevention, content filtering, web filtering, etc. Before, we didn’t have to think about the theft of an asset as a trigger for our risk assessments and business continuity plans. Today, unfortunately, we can no longer treat a “theft by taking” as a simple theft; rather, we must role-play the worst-case scenario, a deliberate theft for the purpose of gaining access to the data stored on the laptop, and invoke the appropriate damage controls.
Common sense dictates that we take proactive measures against such theft and don’t leave our assets unprotected. And we ought to employ the best technology WITH the appropriate processes. It goes back to people, process, and technology. All three must be maintained in order to provide valid protection. Education, obviously, is a large part of it, but we don’t have time for that – my coffee break is over.
Now, where did I put my coffee?!
Posted in Data Protection
I was quite intrigued, recently, by a question posed by the author of Securosis.com and his answer:
“So how do you build the mindset? You immerse yourself in security, and I don’t mean the job. Don’t read books on cryptography, go read some quality spy novels and security tales with ultra-paranoid protagonists that consistently improvise creative solutions to hopeless problems.”
As the senior evangelist for McAfee, I reflected on what made me interested in security, and how I built up my security mindset. Unlike the author’s suggestion, further on in his article, of looking to spy novels and movies for inspiration, mine came from going with my father on Saturdays when he helped install mainframes in data centers. During one visit, a gentleman said to me, “there won’t be any money in installing and fixing these things, but you can be sure that more things will rely on them, and somehow, someone will figure out a way to trick them!”
Growing up with (very) basic computers, I found that there were commands which could be used to extend the capabilities of a standard program. With imagination and experimentation, I was able to rewire and reprogram hard-copy terminals into printers for my Atari 800 computer. I continued to explore naively, until someone in a computer lab put an unwanted program on my floppy disk without my knowledge and executed it. Only then did I realize there was a “dark side” to this computer hobby, and that there were two directions one could go. It went on from there with the Commodore VICs, Commodore 64s, Apple II, Atari, IBM XT, DEC VAX, AT&T 3Bx systems, NeXT, Sun, IBM mainframes — you get my point.
It took a few years, and considerable time going through manuals and “poking and peeking” on the systems, to understand their limitations and how to get around them. It was MORE of a challenge to secure them, as I found out from one of my mentors, Dr. Robert Stafford at Temple University. He showed me the other side of the security coin: the defense and hardening of the system. It was not easy, but I learned volumes of lessons as he played the “hacker” and I the system admin. I was hooked.
Lessons learned:
- Anyone can get around a system given enough time and/or resources.
- It takes more time and energy to learn security the RIGHT way: hardening, architecture and design.
- Security is an ongoing lesson in life – Just jump in when you can and keep learning. New techniques and technology are always evolving.
- You can build a better mousetrap, but rest assured that the mouse is getting smarter too, so keep developing your skills.
- To build a security mindset, you must take the lesser traveled path. If you follow the status quo, you won’t get to really learn something intimately and discover its strengths and weaknesses. Take the time to discover.
- Do your best in all things but realize that you don’t know and can’t know everything. Don’t be intimidated that there are better people than you. Make sure you learn from them, and continue to learn about your area of expertise.
For building a strong security mindset, I would recommend not trying to cover every topic. Pick one or two things that interest you. Learn them. Explore them. Dig into them. Once you fully understand them, contribute to securing that technology. If you get bored, add to your skills and knowledge. There is a lot out there. But above all, have a passion for what you do. That passion will carry you through some lackluster times and dry books, and the end result is that you will be a better security professional, with a mindset focused on security.
Posted in Data Protection