The Daily Incite - August 15, 2006

Submitted by Mike Rothman on Tue, 2006-08-15 08:29.
Today's Daily Incite

August 15, 2006 - #95

Good Morning:
Dark and dreary here in the ATL today. Hopefully it will burn off, since I'm going to see Dave Matthews tonight. All work and no play makes Mikey pretty grumpy, so it'll be nice to go and spend some time with my non-tech friends, listen to some outstanding music and knock back a few. So forgive me if I'm in a bit of a rush to get through the things that need to be delivered today.

In security-land, I have an interesting take on the Cisco CSO interview (here) that has gotten a tremendous amount of attention this week. Suffice it to say, I've seen the movie before and it's right out of the Cisco playbook. I also address how integration is spreading to markets other than UTM (here). In blog-land, there are no excuses for writing crappy code (here), and I also rant a bit about how liable software companies are for their code (here).

In the humorous post of the week, the Tekrati folks have an active imagination about the NAC/SNF battle. But it makes a good story anyway (here).

Have a great day.

Top Security News

Phase 2 of Cisco's Security Domination Plan
So what? - One of the hottest news stories yesterday was an interview in NetworkWorld with Cisco's CSO John Stewart. Most security folks would cringe and run away screaming if asked to discuss their security strategy in a trade pub. But I've seen this movie before. Cisco has systematically discussed their network, ecommerce and now security strategies to paint a compelling picture of how they eat their own dog food and it tastes good. I'm sure lots of vendors have reached for the barf bags, but this stuff works. Cisco is a huge Fortune 50 company and when they say "we've secured our stuff," big time CIOs believe it. And that makes them more comfortable with paying a premium. Of course, that positioning is great until a high profile attack happens and then they are mud - but until then this is right out of the Cisco playbook.
http://www.networkworld.com/news/2006/081406-cisco.html


Don't forget to penetrate your clients
So what? - Get your head out of the gutter, man! Here Roger Grimes covers both Core Security's latest update on their automated pen testing product (here) and also a deeper discussion about why it's important to test client-side risks as well. Clearly the prominent attack vectors nowadays are both targeted and going after the clients. Why? Because the perimeter is hard enough to crack now, that it's not worth the effort. So go in on a trusted protocol (typically SMTP, HTTP, or IM) and then take advantage of end user stupidity. Besides figuring out what specific devices are vulnerable, client-side testing can be a very useful educational endeavor as well. When the user opens an email (for example), activates the exploit and then gets a message reminding them not to open untrusted email, it's pretty effective. For 10 minutes, at least.
http://www.infoworld.com/article/06/08/11/33OPsecadvise_1.html

Back to school "sale" on security advice
So what? - With my oldest now in the public school system here in GA, I am certainly concerned that she doesn't get access to the bad stuff on the Internet. This set of tips for security from Secure Computing is interesting, but not really useful because I suspect teachers and school administrators don't spend a lot of time trolling the news wires. But initiatives like Blue Coat's K9 are important because we can lock down our home machines and try to teach our kids about what's right and wrong relative to online behavior, but if they can do whatever they want at school... So, per usual, it gets back to education and it starts at home, but needs to be both reinforced and enforced at school.
http://www.securecomputing.com/press_releases.cfm?p=irol-newsArticle&ID=895792


Integration not limited to UTM
So what? - Sure, UTM is all the rage, but we are seeing a lot of integration in other security domains as well. Take content security, for example. Anti-spam started the game, but now evaluating outbound email and encrypting specific messages is getting more important. You are also seeing the perceived need to secure IM traffic. But customers don't want 3 boxes to do all of these functions and they DEFINITELY don't want 3 management consoles. So integration is where it's at, as evidenced by this announcement between ProofPoint and FaceTime. Customers want single box solutions and I've seen this sway deals since, for the most part, the functionality part of the equation is not very differentiated. There have been lots of Barney announcements between email, encryption and IM security players, but not enough in the way of real integration. But as customers start voting with their dollars, it'll happen.
http://www.facetime.com/pr/pr060814.aspx


VoIPGP?
So what? - VoIP security was one of the hot buttons at Black Hat. Unfortunately I missed those sessions, because it would be an interesting academic exercise to figure out how to compromise SIP and the like. I get how breaking into applications and databases is interesting, but breaking VoIP? My calls are just not that interesting. VoIPhishing is an issue, but that is really just social engineering. As you can read here, you can't trust caller ID anymore. But nonetheless a number of vendors have been trying to position to protect these VoIP networks, and now PGP inventor Phil Zimmermann has gotten a legitimate taker in BorderWare for his Zfone VoIP encryption product. Feels like a purple dinosaur announcement to me, and I suspect by the time people really figure out how to hack VoIP, tighter security will be built into the VoIP systems.
http://www.borderware.com/press/releases.php?action=v&id=184


Top Blog Postings

Small team = No excuse
Anyone who's ever worked with me has heard at least a million times, "I'm not in the excuses business." That is one of my common cliches, both at home and in the workplace. So I love to see posts like Dana Epp's here, which talks about how he is single-handedly building a product and using good coding techniques. I've been in the meetings where the brain trust decided that it was more important to get the code out there than to spend an extra couple of days banging on it to make sure there were no holes big enough to drive a truck through. There really is no excuse for shipping crappy, insecure code. There are enough application scanners out there to ensure that's not happening, and you should use them. Nothing crunches a security brand faster than an easily avoided vulnerability. And then it's the marketing guys' fault.
http://silverstr.ufies.org/blog/archives/000968.html


NAC, schmack - Where's the fix?
Farnum was pretty quiet during the NAC/SNF flare-up last week, which is probably better for him. Unless provoked I tend to avoid shark tanks as well. But this post is pretty much on the money. We spent a lot of time debating where and what data should be used to make a decision, but not much talking about what the hell you do when that decision is made. Farnum is dangerous because he actually gets pitched products from vendors, and he is smart enough to have a pretty good bull-shiitake meter. So it's always entertaining to hear him rant about how vendors come in and pitch him stuff.
http://infosecplace.com/blog/2006/08/11/my-nac-happy-week-chime-in-please-give-me-remediation/


The tort lawyer employment act
I am not a fan of ambulance-chasing attorneys who have driven up the cost of pretty much everything we do, while lining their own pockets. Of course, you hear about heart-breaking medical malpractice and other negligence suits and you are glad the victims got some restitution. But what if we could start suing software companies because I used their product wrong? Or because of a configuration issue or incompatible software, I had a problem - so why don't I just sue all of the software vendors and get my pound of flesh? It gets back to the standard of negligence. I agree that if a company (any company, not just a software vendor) does something outrageous and endangers folks, then they need to be held accountable. What I don't want to see is an avalanche of ridiculous lawsuits that make it cost-prohibitive to be a small software company. Though I figure being an expert witness in these cases could be a good gig. OK, never mind. Bring on the torts!
http://tips.vlaurie.com/2006/why-internet-security-continues-to-fail/


I'll take a BLT - Hold the DRAMA, please!
Normally I don't like to link to stuff relating to me in TDI, but how Tekrati describes the NAC vs. SNF Mobcast is just too damn funny. Since the debate runs "deeper" than the Gartner-META rivalry and I faced off against my "long-time rival" Stiennon, I guess I should clarify. Richard and I are friends. I certainly don't consider him a "rival." Alan and Chris are also friends. Guys I like to drink beer with. And Mark Bouchard has been a close personal friend of mine for over 12 years. So as entertaining as this drama is, it's more about providing perspectives that end users can use to make better decisions. I am also predisposed to be anti-drama, since I live with 3 lovely ladies and I get plenty of that on the home front.
http://security.tekrati.com/research/News.asp?id=7629


Recently on the Security Incite Rants Blog

NetworkWorld Column: Black Hat - No Network is Safe
Here is my bi-weekly NetworkWorld column, where I describe what I learned at Black Hat and how containment strategies (how to react when an attack is successful) are just as important as security strategies.
http://securityincite.com/blog/mike-rothman/networkworld-column-black-hat-no-network-is-safe

The NAC war of words
The "debate" on NAC between Hoff, Shimel, Stiennon and myself, bravely moderated and sound edited by Martin McKeay is now posted. It was a good debate and lots of contrary opinions have been stated. It's pretty long and we still didn't make much progress in changing any of our respective opinions, but that's what happens with religion.
http://securityincite.com/blog/mike-rothman/the-nac-war-of-words

Read yesterday's Daily Incite

http://securityincite.com/TDI-2006-08-14
