The Daily Incite - July 18, 2006

Submitted by Mike Rothman on Tue, 2006-07-18 09:35.
Today's Daily Incite

July 18, 2006

Good Morning:
Sorry you are getting TDI a bit late this AM. I had some network difficulties this AM. Thanks BellSouth! I can work anywhere, but changing horses (I mean devices) mid-project is a challenge without network access to sync up my machines. Grrrr...

A decent amount of activity in the security space yesterday, with the most activity around this "open source" research that McAfee published. To be clear, I think information is a good thing and if the bad guys are sharing it with each other, then the good guys have access too. How is that bad? This way we'll know what's coming at us. I just remember back to each of the tools that were initially vilified (SATAN, Nmap, Nessus, Metasploit) because they give powerful tools to the bad guys. If anything, these tools have INCREASED our security by leveling the playing field.

Another apology is in order, since I screwed up the Technorati tags in yesterday's newsletter. Let's just say I've figured it out. Have a great day.

Top Security News

Security Market Evolution
So what? - This interesting feature in SC Magazine gets out the crystal ball and attempts to figure out what's going to happen in the IT Security market. Per usual, most of the folks out there are washed up. One man's opinion is that there will continue to be too many security companies chasing the large enterprise and not enough solving problems simply for the SMB sector. I think opportunities will remain on the fringes of the market for real innovation, but these innovators will be snapped up earlier and earlier in their lifecycle (like SiteAdvisor) by Big Security looking for differentiation. We may see a couple of security IPOs, but those will be few and far between.
http://www.scmagazine.com/us/news/article/568659/industry+evolution/
Technorati tags: M&A


Grappling with ITIL(a) the Hun
So what? - I'll admit it, I don't know much about ITIL. But I know I need to learn since it's taking the large enterprise by storm. This Q&A is a start and given some of my work with big outsourcers (whose customers pray to the God of ITIL), I'll be learning a lot more. Suffice it to say, ITIL is a structure that strives to ensure IT alignment with business initiatives, managing expectations with the business, and reducing costs/increasing efficiencies. For new categories of security, ITIL won't be as relevant - but for things you know and love and are pretty much "operational" in nature at this point, ITIL will be a factor.
http://www.esj.com/news/article.aspx?EditorialsID=1994


The Fish that ate True North
So what? - Gary Fish is at it again. FishNet Security acquired the commercial division of True North to continue to broaden his geographic coverage. In the world of the Security VAR, clearly "Big is the new small" as well, which makes sense. With the expanded geographic reach, the path to channel success in the security business clearly goes through Kansas City.
http://www.fishnetsecurity.com/company/Media+Room/News/70422.aspx
Technorati tags: VARs


The impact of open source on hacking
So what? - The trade rags are all aflutter about McAfee's Sage report that focuses a large portion on open source and its impact on hacking. I took a few press calls as well, which means every other analyst must have been on vacation this week. There is also a lot of activity (which I'll mention in the blog section) relative to the malware search engine, but I think this is much ado about nothing. Fact is, the bad guys share techniques just like the good guys. At least with the open source stuff, we know what's coming at us. It's the folks sitting in a dark room not talking to anyone that scare me. That's where innovation happens and that's what we may not be prepared for. Just like there are lots of bad guys masquerading as good guys to "case a joint," you've got lots of good guys that hang out with the bad guys to figure out what they're up to.
http://www.informationweek.com/story/showArticle.jhtml?articleID=190500229
Technorati tags: hacking


Would you take this job?
So what? - Big shocker that the czar of cyber-security at Homeland Security is still vacant. Who would take that job unless it's radically overhauled? You'd have no empowerment to drive change within the different agencies and everyone knows you'd largely be a figurehead. Sign me up! Did we mention the pay cut you'll take?
http://www.informationweek.com/story/showArticle.jhtml?articleID=190400674


Top Blog Postings

Malware search hits the big time
When John Battelle covers security, you know we've hit the mass market. I guess all you need to do is come up with a multi-colored logo pasted onto a search engine and you are golden. That is until Google files a cease and desist anyway. Lots of the uneducated are coming down on HD Moore (the Metasploit guy) regarding his expanding the malware search engine broader than just Websense stuff. I don't have an issue with this because again, it's out there and the bad guys know how to find it. At least this gives the good guys a way to more easily get a feel for what's coming at us. Information is not bad, folks, it's good.
http://battellemedia.com/archives/002732.php
Technorati tags: malware, search, metasploit


If the stove is hot, don't open that file

OK, so I'm mixing metaphors a bit here. But one of my favorites is "the stove is hot, don't touch the stove, OUCH!" and then to see my kids do exactly the same thing 5 minutes later. The same idea applies to bozos that open up attachments from folks they don't know. Or get files from people they may know, but shouldn't be sending a file. Most folks don't send me PPT files unless I have a briefing coming up, so that is one clue for a guy like me. Other folks (like my Thursday drinking buddies) never send me PPTs. So if these folks send me something, I call them up and ask if the file is legit. On more than one occasion, I've discovered machines have been compromised because they sent me some crap. But the fact remains, if you don't know the person and are expecting a file from them, DON'T OPEN THE DAMN THING.
http://www.computerworld.com/blogs/node/2991
Technorati tags: malware


Two factor is good after all

I'm flattered that Ed Moyle reads my stuff and would even make an addendum/correction about his position (that I mentioned yesterday) relative to two-factor authentication. I agree with Ed's clarification that stronger authentication is a good thing, but it's NOT a panacea to stop phishing. Citi can attest to that. Actually, let me clarify that a bit in that OTP (one time password)-based authentication is not an answer to phishing. But I believe that keystroke dynamics are. There is no way for a phishing site to get in the middle of an authentication protected by keystroke dynamics since they'd need to reenter the password and they'd get nailed. I guess if you knew the keystroke algorithm you could do it, but that's more theoretical.
http://www.securitycurve.com/blog/archives/000419.html


Risk management - not so much
Farnum continues his good series on what it takes to be an effective security manager and he brings up some more good points. For those new to the space, learning about defense in depth is a good thing. Trying to keep your users aware of the latest hacking and social engineering techniques is also a good idea and something we should be spending a lot more time with. In CONCEPT, having a risk-oriented perspective (as opposed to threat or vulnerability) is also a good tip, but this is where most people screw up. In order to really get down to "risk" you need to have a value component in there. In some cases the value is obvious (like the order management system), in others not so much. But more importantly, you need to get a feel for the RELATIVE value of stuff (is the finance system more important than the customer management) before you can figure out where you should be spending your time and money. That is not a technique for the unsophisticated or those without significant political mojo. If you are new to the space, you are best off initially focusing on the stuff within your control, like defense in depth and security awareness.
http://infosecplace.com/blog/?p=145
Technorati tags: risk management, defense in depth


Recently on the Security Incite Rants Blog

NetworkWorld Column: EMC + RSA = A new force in data security
In this week's NetworkWorld column I take on all of the detractors of the EMC/RSA deal. I continue to be pretty happy that everyone thinks it's a bad idea, since the crowd is usually wrong about most things. I got into why I think the deal makes sense, but it will take a couple of years for everything to shake out.
http://securityincite.com/blog/mike-rothman/networkworld-column-emc-rsa-new-force-in-data-security
