The Daily Incite - August 24, 2006
August 24, 2006 - #102
Good Morning:
Thursday Thursday. Fun fun. Guess today is double talk day. Speaking of double talk, I haven't heard much more about IBM/ISS from the parties. In the few press interviews they did (and no investor call), they are spinning the deal as "positive," but most of the coverage has seen through it. ISS was struggling and IBM threw them a billion dollar lifeline. That much is pretty clear. How do I get one of those? I'll dig into that more deeply later today.
Actually the word of the day is rootkit. We have a number of articles (here) and product initiatives (here and here) announced relative to combating rootkits. This attack has flown under the radar of late, so it's good to see it coming back into the forefront. If you read the NetworkWorld article, McAfee continues to complain about how hard the rootkit problem is, but at least now they are saying they'll have defenses in place later this year. I guess that's progress.
I also want to highlight a new publication from the FFIEC (here) that aims to clarify their guidance on risk mitigation and authentication. It's pretty lawyerly (which is not a good thing), but it does make it clear that they are focused on the outcome (risk mitigation for high-risk transactions), not the techniques. But it's also clear that if you aren't going to use things like multifactor authentication, you better have a good reason.
I also want to highlight the last two days of Dilbert, which pretty much reminded me why I don't really miss being a manager. Wally is a log and they started some HR actions against him yesterday (here), but today his lawyer Dogbert shows up and claims he has a laziness disability and they'll sue if he's fired (here). Man, I've seen that movie before. At least I can laugh about it now.
Have a great day.
Top Security News
Detecting rootkits
So what? - This is a good tip from SearchSecurity contributor Jonathan Hassell about how you detect rootkits. I actually got a similar question from a reader yesterday as well, so lots of folks are interested in detecting the bad stuff that AV misses. There are tools (RootkitRevealer from SysInternals/Microsoft, F-Secure's BlackLight and Sophos' new Rootkit product announced here), but depending on the size of your organization, if you need to use Windows, you may want to get in the habit of reimaging the machines every couple of months just to make sure.
http://searchwindowssecurity.techtarget.com/tip/0,289483,sid45_gci1211955,00.html
Technorati tags: rootkits
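The tools above all rest on the same idea: take two views of the same system, one through the interface a rootkit is likely to filter and one through a path it usually leaves alone, and treat any disagreement as suspicious. The script below is an added example of that cross-view technique on Linux, written for this entry; it is not code from the SearchSecurity tip or from any of the products named. It compares the process list visible by enumerating /proc against the set of PIDs the kernel admits exist when probed with kill(pid, 0), and it handles the usual false positive (thread IDs, which the probe sees but readdir on /proc never lists). The function and variable names are my own, and the pid_max path and /proc layout are assumed to be the standard Linux ones.

```python
"""
Cross-view hidden-process check (added example, not from the article).

View 1: PIDs listed by readdir on /proc (what a rootkit typically filters).
View 2: PIDs that answer kill(pid, 0) with success or EPERM (exists).
A PID present in view 2 but absent from view 1, and not merely a thread of a
listed process, is reported as suspicious. Assumes Linux and the standard
/proc layout; run as root for the most complete probe view.
"""
import os


def proc_view():
    """PIDs visible by enumerating /proc."""
    return {int(name) for name in os.listdir("/proc") if name.isdigit()}


def probe_view(pid_max):
    """PIDs that exist according to kill(pid, 0): success or EPERM means alive."""
    alive = set()
    for pid in range(1, pid_max):
        try:
            os.kill(pid, 0)
            alive.add(pid)
        except ProcessLookupError:
            continue            # ESRCH: nothing with this id
        except PermissionError:
            alive.add(pid)      # EPERM: exists but belongs to another user
    return alive


def tgid_from_proc(pid):
    """Thread-group id from /proc/<pid>/status, or None if it cannot be read.

    A thread's /proc/<tid> directory can be opened directly even though readdir
    on /proc omits it, so this distinguishes threads from genuinely hidden PIDs.
    """
    try:
        with open(f"/proc/{pid}/status") as status:
            for line in status:
                if line.startswith("Tgid:"):
                    return int(line.split()[1])
    except OSError:
        return None
    return None


def hidden_pids(proc_pids, probe_pids, tgid_of=tgid_from_proc):
    """Pure comparison of the two views; tgid_of is injectable for testing.

    Returns the sorted PIDs that the probe sees but /proc does not list,
    excluding thread ids whose thread group is itself a listed process.
    """
    suspicious = []
    for pid in sorted(probe_pids - proc_pids):
        tgid = tgid_of(pid)
        if tgid is not None and tgid != pid and tgid in proc_pids:
            continue            # a thread of a visible process, not hidden
        suspicious.append(pid)
    return suspicious


def scan(passes=2):
    """Run the comparison several times and keep only PIDs flagged every time.

    Processes that start or exit between the two views produce one-off
    disagreements; intersecting the passes removes that noise.
    """
    with open("/proc/sys/kernel/pid_max") as f:
        pid_max = int(f.read())
    result = None
    for _ in range(passes):
        found = set(hidden_pids(proc_view(), probe_view(pid_max)))
        result = found if result is None else result & found
    return sorted(result)


if __name__ == "__main__":
    flagged = scan()
    if flagged:
        print("PIDs present in kernel view but missing from /proc:", flagged)
    else:
        print("No disagreement between /proc and kill(pid, 0) views.")
```

A clean machine should print no disagreement. A hit is a reason to pull the box for imaging, which is the same place the entry above ends up: the check tells you something is being hidden, not what it is, and a rootkit that hooks the signal path as well as readdir will not show up here at all, which is exactly why cross-view tools keep adding more views.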
Fixing rootkits
So what? - So if a rootkit is on your system, what do you do? This article says the experts are "divided," but to me it's a pretty easy choice. Just re-image the machine. Why take a chance by using third-party technology that may or may not get all of the manifestations of the rootkit? You do need a solid desktop imaging process that stores user data elsewhere (or at least replicates it) and enforces a standard desktop with only authorized applications. Given the right process, you are looking at probably 2/3 less time to re-image than to eradicate a rootkit. Oh yeah, I would also move to Firefox. It's not bulletproof, but it's much better than IE 6. This same article also goes into what some vendors are doing to stop rootkits in the first place, as clearly this is a big area of interest for all desktop security players.
http://www.networkworld.com/news/2006/082806-rootkits.html
Technorati tags: rootkits
FFIEC clarifies authentication
So what? - The FFIEC mandate for stronger authentication is rapidly approaching and some institutions will inevitably panic. This panic buying should make it a good Q4 for the authentication vendors, but what is it they should buy? The FFIEC was kind enough to publish a FAQ (here - PDF) regarding their guidelines. First, they clarify that they aren't requiring "multifactor authentication" if a bank can mitigate the risk in some other way. Clearly the FAQ was written by lawyers, because two questions down they go into how an expert risk assessment would be wrong if the banking systems only use single-factor authentication for "high-risk" transactions. Hmm. Nothing like a double-talking government entity covering its ass. They are also clear on the fact that they expect the risk assessment and mitigation activities to be done by year-end 2006. Looks like it's going to be a busy Q4 for banks.
http://www.scmagazine.com/us/newsletter/dailyupdate/article/20060823/588880/
Technorati tags: authentication, FFIEC
Information Security Products Guide is at it again
So what? - I guess it wasn't enough to publish 40 or so trumped-up awards back in April; now the Information Security Products Guide has issued their "Tomorrow's Technology Today" awards, which are, in fact, the same pay-to-play type of situation. I guess it really is a statement of how congested and undifferentiated the security business has become when you get not 2 or 3, but 20 or 30 vendors that feel the need to pay this ransom to get any kind of award. I have a little advice to those vendors. GO SELL SOMETHING TO A REAL CUSTOMER. There are some folks (I'll leave them nameless) that are actually selling stuff, and yet they continue to participate in these ridiculous promotions. They are more worried about their competition getting the "award," so they pay the ransom. Enough ranting about these jokers. My biggest problem is that the customer who just got off the turnip truck may even think these awards are worth more than a rat's ass.
http://www.infosecurityproductsguide.com/
Technorati tags: infosecurity products guide, security marketing
Seltzer on AV-gate
So what? - I'm pretty much tired of the ConsumerReports AV-Gate, so this will be the last you'll hear of it from me, but check out Larry Seltzer of eWeek's take on the situation. It sums up a lot of what I've said over the past few days and really nets out the situation: "There's no ethical slippery slope here, there's just an attempt to test products aggressively, and that's something to applaud." Amen to that.
http://www.eweek.com/article2/0,1895,2005814,00.asp
Technorati tags: consumer reports, AV
Top Blog Postings
Is PCI an empty suit?
Ed Moyle has been busy with a MasterCard recertification, and comes away from the experience pretty skeptical as to how effective the scanning part of the certification is going to be. Why? Because of pricing. It seems that there are folks going with cut-rate pricing on the scanning part, and that will inevitably affect quality. I'm not so sure. There is a concept called the LOSS LEADER, where a security assessment firm would do the scanning at perhaps a loss, with the promise of follow-on business to fix the things that they find. I'm sure there will be scanning "boiler rooms" out there that do a crappy job for a cheap price, so a merchant can say they did it. But I also think you'll find some better-known services firms doing detailed scans at a loss, because what they'll find will keep them rolling in the dough for months/years to come.
http://www.securitycurve.com/blog/archives/000440.html
Technorati tags: PCI, vulnerability scanning
Mac as plague carrier
Though Douglas Schweitzer's post here is more about the new Sophos Rootkit detector, I took something different out of it. Basically, we Mac users should be using AV to detect and stop the PROLIFERATION of viruses, as opposed to protecting ourselves. Kind of like a plague carrier, Macs can pass along malware via email or other communications methods without becoming infected themselves. So there is another reason to go and spend the $50/year to get AV (or get ClamXav for free). You are doing a community service!
http://www.computerworld.com/blogs/node/3305
Technorati tags: AV, Mac
The data is gone - what now?
Jeff Hayes has a good post here about what you should do in the event of a data breach. You need to engage an incident response team ASAP to understand the depth of the problem, and then you need to communicate. Fidelity was a loser in their data breach because they didn't come clean right away. Boeing did, so they got a pass. It's all about managing expectations from a communications standpoint. Your customers' data is now at risk, and they are concerned. Admit fault, and put a strong plan in place to protect them. It will cost you money, but not more than losing a bunch of customers because you violated their trust. And the technical stuff that Jeff mentions is important as well.
http://mycsosolutions.net/2006/08/23/action-following-a-data-breach/
Technorati tags: privacy breach, incident response
Don't piss off people - especially HR
This is more of a survival tip than a security tip, but it's important nonetheless. Firstly, you shouldn't be pissing anyone off. There is nothing I hate more than someone who kisses ass up the ladder and pisses down it. Those folks don't make many friends and will inevitably end up suffering retribution when senior management catches on. But there are certain folks that you never want to anger. Mike Murray's vote is for HR. I agree. But I also always went out of my way to buddy up to the admin staff (they run most offices) and also the IT group. This helped because when I was in a bind (and imagine that, it happened pretty frequently), these folks were my friends and they'd help me out. I know many of you learned "do unto others" from an early age, but it's true. And those others may not have glamorous titles, but they can make your life miserable if you alienate them.
http://tinyurl.com/hgkwu
Technorati tags: HR, career
Recently on the Security Incite Rants Blog
Deal: IBM buys ISS
I did a quick analysis of the IBM/ISS deal yesterday. There hasn't been much additional information forthcoming from either company (no webcast, PPT or other strategic statements), so I'll pick apart what other sources have said in my detailed analysis later today.
http://securityincite.com/blog/mike-rothman/deal-ibm-buys-iss
Where do they get these botnet numbers?
In this post, I rant a bit about statistics. Picking apart a media quote from CipherTrust about botnet traffic, I question both their methodology and some of the conclusions they draw. Ultimately the key point for end users is basically to ignore these statistics unless you need substantiation to justify a key product purchase up the line.
http://securityincite.com/blog/mike-rothman/where-do-they-get-this-botnet-numbers
Read yesterday's Daily Incite
http://securityincite.com/TDI-2006-08-23
Technorati: Information Security