The Daily Incite - August 4, 2006
August 4, 2006
Good Morning:
Back in the ATL after my quick Black Hat jaunt. Why are folks surprised by the amount of press coverage that Black Hat received, even from the mainstream media? There was real content there and it was controversial. What do you think the media craves? Not product announcements to be clear. Black Hat is about thought leadership in defining the next wave of information security issues that we'll need to deal with. The RSA conference is about vendors making themselves feel special. Comparing the two shows is ridiculous. It feels like comparing an apple and a cinder block.
I want to highlight two thoughts this AM, the first being the increasing presence of the Feds in the security community. This is a good thing and a public/private partnership is critical to success. So that's good, but we also need to do some more public hangings of the bad guys. There isn't much we can do to enforce the rule of law over hackers in eastern Europe right now, but if we find someone doing the wrong stuff in the US - put their head on a stick.
The other thought is about the increasing number of vulnerabilities reported on security products. I've weighed in on this in the past and my position hasn't really changed. Security research is now a competitive lever for companies to make their competition look bad. Of course, they don't position it that way - but the PR value of these "findings" is evident. We are going to see a lot more of this. It also highlights that tools exist to find holes early and often in software. Developers need to change their process and within a year, it won't be an option. The status quo ain't working.
Have a great weekend.
Top Security News
CIOs should take heat for security problems
So what? - This article on SearchSMB is kind of interesting. The main point is that now the CIO is responsible for security breaches. When was the CIO NOT responsible for a breach? Right, never. A politically-savvy CIO may have other fall guys to blame in the event of a breach, but ultimately it's on his/her watch, no? But the article does bring up a good point relative to the empowerment of the CIO to enforce the policies that are already in place. If you are a CIO and you can't enforce simple security stuff - go find another place to CIO. It's not if, it's when those bozos you work for are going to get nailed. And you don't want to be on the plane when it crashes into the mountain.
http://snipurl.com/ue9f
Technorati tags: information security, accountability
The Feds can't do it alone
So what? - It seems the FBI is making progress, at least relative to the reality that they cannot do everything themselves. This article highlights a number of the FBI initiatives to nail down the bad folks faster, and by some measures it's working. But I do think they need to publicize the successes because unless you spend a lot of time in Washington (which I don't anymore, though I have friends that do) - you really don't know what is going on. To be clear, this is not about getting credit for finding bad guys (which is a lot of the vendors' motivation for getting involved in these activities), it's about doing the right thing and showing the bad guys that they are up against a formidable opponent.
http://www.networkworld.com/news/2006/080206-black-hat-fbi-joins-with.html
Technorati tags: FBI, hacking
Who forgot to take the McAfee out?
So what? - Sometimes the trade press gets it right and even makes me chuckle, like this headline about these consumer security services being "old fish wrapped in new paper." This article calling bunk on all of McAfee's "innovations" for their Falcon technology is right on the money. Of course, it's all re-packaged stuff they've had for years. That's the point. Personally I've been using McAfee's AV "service" for YEARS on one of my PCs. Falcon maybe adds more pieces for a lower price, but that is packaging innovation - not technical innovation. But none of this actually matters because McAfee did something that Symantec has been having a lot of trouble doing. THEY GOT IT DONE! Maybe they started further into the game, but they still got the repackaging over the finish line. There is a lot to be said for getting something done.
http://www.darkreading.com/document.asp?doc_id=100533
Technorati tags: McAfee, security services
FISMA <> Panacea
So what? - I read with interest this article, from earlier in the week, that wonders if FISMA could address any of our security woes. The answer is no. A resounding no. Actually, there is nothing fundamentally wrong with FISMA, it's pretty good relative to giving folks direction about what they should be doing. But so are COBIT and ISO-17799, no? It's about execution and action. There is no lack of knowledge about what the right stuff to do is, it's actually doing it where everyone seems to get tripped up.
http://www.gcn.com/print/25_21/41401-1.html
Technorati tags: FISMA, security best practices
Long live the CNAC framework
So what? - Kudos to Kevin McLaughlin @ CRN for calling Cisco out on how they've totally repositioned their NAC offerings. The big framework is now more of a "vision" than anything else and Cisco is pushing customers to the NAC Appliance. Why? Because customers don't and can't gut their networks overnight - so the "framework" was going nowhere fast. This quote from Cisco's CSO sums it up best: "We've also learned there are customers looking for immediate, short-term results where they can deploy NAC quickly--and to a degree seamlessly--without changing their network topology." You also need to give props to Cisco, who realized this market reality and changed to meet it. Lots of other companies (Intel, for instance) stay married to technologies and architectures that customers just don't want. But don't write off the framework just yet because in 5-7 years when pretty much every Cisco switch is framework-enabled, it'll just be there. But it ain't happening now.
http://www.informationweek.com/story/showArticle.jhtml?articleID=191800267
Technorati tags: Cisco, NAC
Top Blog Postings
SMB security - some will, most won't
In the duh! camp, here is this post about how many SMBs don't take security seriously enough. This is absolutely true and it also discusses a trend towards brute-force attacks against SMBs. Most hackers are not very sophisticated and they use the logical equivalent of a battering ram to try to compromise your network. I've always said there are very few defenses against a motivated and knowledgeable hacker, but unsophisticated folks can and should be taken care of with pretty simple stuff. A UTM box protecting the direct pipe to the Internet. Endpoint security stuff on each device to protect the data both in the office and out. A default-deny posture on routers and firewalls. Some web application scanning on web-facing apps. None of this stuff is hard, you just need to do it and do it cost effectively. But alas, a large percentage of SMBs won't do this stuff and most will be lucky and not have a problem. But the bad guys are oversubscribed picking the low-hanging fruit that does nothing. There is nothing I can really do for them, but the point is that you shouldn't be one of them.
http://www.computerworld.com/blogs/node/3135
Technorati tags: best practices, SMB
The race we can't win
It takes pretty big cojones to admit you are wrong publicly, and Ed Moyle has those. In this post, he basically says the advent of new bug-finding tools is changing the economics of being in the software business. This is only going to get worse with "security analyzers" and other fuzzing-type techniques. When you can quickly test pretty much every possible combination of inputs and attacks, you are going to find broken stuff. And broken stuff will be publicized. Ed says he doesn't know the answer and I know that making bug-finding illegal IS NOT IT. One man's opinion is that we need to blow up the software development process and introduce techniques like fuzzing and the like into every step of the process. From unit tests to regression analysis, we need to be constantly looking for holes at all times and fixing them before code gets launched. This will slow down the process, but it has to. It's certainly not in customers' best interests to get software with holes so big that a hacker can drive a truck through, now is it?
http://www.securitycurve.com/blog/archives/000430.html
Technorati tags: fuzzing, application security
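What "fuzzing in the unit tests" can look like in practice, as an added example that is not part of the original post or of Ed Moyle's: a toy length-prefixed record format (an assumption for illustration, not any real product's wire format), a deliberately sloppy parser that trusts the length field, a hardened parser that bounds-checks every read, and a small seeded mutation fuzzer that a build can run every time. The parser names, the record layout and the mutation strategy are all assumed here.

```python
"""Seeded mutation fuzzing wired into a unit test.

Added example, not code from the original post or from Ed Moyle. The
record format is assumed: u16 big-endian length, payload, one-byte XOR
checksum. One parser trusts the length field and crashes; the other
turns every malformed input into ParseError.
"""
import random
import struct
from typing import Callable, List, Tuple


class ParseError(Exception):
    """The only exception a well-behaved parser may raise on bad input."""


def xor_checksum(payload: bytes) -> int:
    chk = 0
    for b in payload:
        chk ^= b
    return chk


def encode_records(payloads: List[bytes]) -> bytes:
    """Serialize records: [u16 length][payload][xor checksum]."""
    out = bytearray()
    for p in payloads:
        out += struct.pack(">H", len(p)) + p + bytes([xor_checksum(p)])
    return bytes(out)


def parse_records_sloppy(data: bytes) -> List[bytes]:
    """'Before' version: trusts the length field and the buffer size.

    A one-byte tail, or a length that overruns the buffer, escapes as
    IndexError instead of ParseError: the kind of bug a fuzzer finds fast.
    """
    records = []
    pos = 0
    while pos < len(data):
        length = (data[pos] << 8) | data[pos + 1]        # IndexError on a 1-byte tail
        payload = data[pos + 2:pos + 2 + length]
        chk = data[pos + 2 + length]                     # IndexError when length overruns
        if chk != xor_checksum(payload):
            raise ParseError("bad checksum")
        records.append(payload)
        pos += 3 + length
    return records


def parse_records_hardened(data: bytes) -> List[bytes]:
    """Bounds-checks every read; all malformed input becomes ParseError."""
    records = []
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ParseError("truncated header at offset %d" % pos)
        (length,) = struct.unpack_from(">H", data, pos)
        end = pos + 2 + length
        if end + 1 > len(data):
            raise ParseError("record at offset %d overruns buffer" % pos)
        payload = data[pos + 2:end]
        if data[end] != xor_checksum(payload):
            raise ParseError("bad checksum at offset %d" % pos)
        records.append(payload)
        pos = end + 1
    return records


def mutate(seed: bytes, rng: random.Random) -> bytes:
    """One random mutation: truncate, flip one bit, or inflate the first length."""
    buf = bytearray(seed)
    choice = rng.randrange(3)
    if choice == 0:
        del buf[rng.randrange(1, len(buf)):]             # keep at least one byte
    elif choice == 1:
        i = rng.randrange(len(buf))
        buf[i] ^= 1 << rng.randrange(8)
    else:
        buf[0:2] = struct.pack(">H", rng.randrange(1 << 16))
    return bytes(buf)


def fuzz(parser: Callable[[bytes], List[bytes]], seed: bytes,
         iterations: int = 2000, rng_seed: int = 20060804) -> List[Tuple[bytes, str]]:
    """Feed mutated inputs to parser; return those that escaped with a non-ParseError."""
    rng = random.Random(rng_seed)                        # fixed seed: the test is reproducible
    crashes = []
    for _ in range(iterations):
        sample = mutate(seed, rng)
        try:
            parser(sample)
        except ParseError:
            continue                                     # clean rejection is the goal
        except Exception as exc:                         # anything else is a bug to fix
            crashes.append((sample, repr(exc)))
    return crashes


SEED = encode_records([b"hello", b"world"])              # constructed valid sample, not captured traffic

if __name__ == "__main__":
    for name, parser in (("sloppy", parse_records_sloppy), ("hardened", parse_records_hardened)):
        found = fuzz(parser, SEED)
        print("%-8s %4d crashing inputs" % (name, len(found)))
        for sample, err in found[:3]:
            print("    %s -> %s" % (sample.hex(), err))
```

The point of the harness is the distinction it draws: a parser may refuse input, but only with the exception the contract allows, and anything else is a defect that fails the build. This fuzzer is deliberately naive (random mutation, no coverage feedback, no timeout), so a real pipeline would add a per-input time limit to catch hangs and keep the crashing inputs as regression cases.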
Security products are targets
Keeping on this topic, Chris Harrington displays the laundry list of recent vulnerabilities disclosed against security products. Yes, security products will be targeted, but no, they are not unique. Every piece of software is vulnerable. The interesting dynamic that is developing is that you've got competitors banging away at products now, and publicly disclosing the vulnerabilities. I ranted a bit about this when discussing Symantec's recent set of reports about the security of Microsoft Vista. If I learned anything at Black Hat, it's that pretty much everything is vulnerable. Using those vulnerabilities as a competitive lever is new, but it's how the game is played today - so get used to it.
http://www.infosecpodcast.com/industry-news/2006/08/security-vendors-in-the-crosshairs/
Technorati tags: vulnerabilities
Shimel and Arkin make up
It seems that Ofir Arkin of Insightix had some hard feelings that folks pulverized him in blog-land after he called bunk on NAC. What did he expect? Evidently he expected all the nay-sayers to call him and discuss the issues before publishing anything. Well, that's not going to happen. But kudos to Alan for meeting with Ofir at Black Hat and resolving some of the differences. I've said it a bunch of times and I'll say it again, NOTHING is a silver bullet. You can beat NAC and pretty much everything else out there. The point is when you deploy layered security, you minimize the chance that it will happen. But you don't eliminate it, capisce? I also have no compunction about calling someone out if they say or write anything stupid. No warning, just venom. And I expect folks to do the same with me. Why? Because the uneducated and ill-informed are not in a position to know the difference. Maybe the press ran with Ofir's story and maybe he was misquoted. But that doesn't matter to me. Too bad for him. I didn't see him writing anything to correct the misconceptions. Did you?
http://www.stillsecureafteralltheseyears.com/ashimmy/2006/08/ok_maybe_not_a_.html
Technorati tags: NAC
Recently on the Security Incite Rants Blog
Black Hat Rocks!
Without going into a lot of technical details (lots of other folks have done that), I wanted to share a bit about what I found at Black Hat. It was a very positive experience, I learned a lot, and got to see a lot of great people. What's laid out here are my thoughts about why Black Hat rocked, and what hopefully some of the other security shows can emulate - because most of them just suck.
http://securityincite.com/blog/mike-rothman/black-hat-rocks
Observations from the airport
I usually keep my posting to security-related topics, but I ran across a couple of folks on my flight back to ATL that just needed to be called out. Not sure if any of you care, but documenting my interactions with these folks sure made me feel better.
http://securityincite.com/blog/mike-rothman/observations-from-the-airport
Read Wednesday's Daily Incite
http://securityincite.com/TDI-2006-08-02