The Daily Incite - August 30, 2006
August 30, 2006 - #106
Good Morning:
Another day, another privacy breach. Looks like some hackers got into AT&T's online store (here). That will teach you to buy crappy OEM phone equipment online. They didn't mention Cingular, so I'm assuming the breach didn't hit the wireless company and it was "only" 19,000 names. Stay tuned, I'm sure we'll be hearing about a lot more incompetence as more details of the breach are discovered.
In security-land, it seems today's theme is data security. Between Network Computing's spread on protecting data (here) and Karn making the case for encrypting data at rest (here), this is a topic that will be getting a lot more discussion in the near term. I also want to point out the need for both technical and management/selling skills to thrive as a CSO today (here). It's not an either-or type of discussion. If you can't get funding and sell the value of security to the C-suite, then technical skills aren't going to help much. Likewise, all the money in the world cannot fix faulty configurations, ineffective policies, and poor execution. So the answer is both.
I also have to point out a milestone for Security Incite. I've been photoshopped for the first time. An enterprising reader with unparalleled graphics skills stuck the collective heads of myself, Chris Hoff, and Richard Stiennon on a classic BeeGee's picture (here). It's really a classic and very funny. So thanks to whoever took the time to do that. It really lightened up my day. I'm also happy to announce that Rich Lamberti was the first (and only) reader to get yesterday's trivia question, which was of course - the Theme song from Beretta. Don't do the crime, if you can't do the time. Rich, you are the proud winner of basically nothing - except the accolades of your fellow TDI readers.
Have a great day.
Top Security News
The seven deadly sins of records retention
So what? - Speaking of privacy breaches, more than a few have been caused by faulty records retention policies. Here is a good article in CSO about more than just security, but how we are responsible for good records retention policies as well. Add it to the list, eh? There are 7 pretty generic statements in here, but it's a good primer to at least know the right questions to ask. Of course, each business gathers different information and needs to keep it for varying lengths of time. But having a policy is a must, and consistently enforcing that policy is also a must. Deviating from that policy (like when you know the Feds are about to raid your office and deciding to shred some stuff) is a no-no. And the best point here is that you can't depend on your lawyers to tell you what is right and wrong. They've got this no-culpability thing, so the only thing harder than getting a straight answer from a lawyer is getting them to write it down.
http://www.csoonline.com/read/070106/record-retention.html
It's not only who you are, but where you are
So what? - You know I'm not a fan of surveys, because they are usually vendor-contrived, skewed, subjective, and rife with inconsistencies in analysis. BUT, every so often you find one that is all of the above, but also makes a decent point. This survey from Phoenix Technologies pinpoints what is going to emerge as a pretty key attribute of any access decision - location. One of the tenets of contextual authentication is to look for things out of the ordinary. So if I log into my web site from Atlanta for 7 days in a row, and then all of a sudden am tracked back to an IP address in the Philippines, odds are there is something amiss. Maybe it's legit (especially if I'm using the same machine), but it's worth asking another question or two - or requiring a second (or even third) authentication factor. Some folks (especially the financial and also retail industries) have started to embrace location-based decisions, and we are going to see a lot more of it.
http://www.informationweek.com/story/showArticle.jhtml?articleID=192300841
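To make the location check concrete, here is an added example (my illustration, not code from the post or from the Phoenix Technologies survey) of a tiered contextual-authentication decision: a login from a country the user never logs in from gets an extra question when it comes from a known device, and a second factor when it does not. The login history, device names and policy thresholds are all constructed for the example.

```python
from collections import Counter

# Constructed sample history (not from the post): seven logins from Atlanta, US
# on the same device, followed by an attempt geolocated to the Philippines.
HISTORY = [{"country": "US", "city": "Atlanta", "device": "dev-A1"} for _ in range(7)]


def usual_countries(history, window=30, min_share=0.2):
    """Countries that make up at least min_share of the user's last `window` logins."""
    recent = history[-window:]
    if not recent:
        return set()
    counts = Counter(entry["country"] for entry in recent)
    return {c for c, n in counts.items() if n / len(recent) >= min_share}


def known_devices(history, window=30):
    """Device fingerprints seen in the user's recent logins."""
    return {entry["device"] for entry in history[-window:]}


def decide(history, attempt, min_history=5):
    """Return (action, reason) for a login attempt.

    Assumed policy for this example:
    - too little history to judge       -> allow, but say so
    - country is one the user uses      -> allow
    - new country on a known device     -> challenge (ask a question or two)
    - new country on an unknown device  -> step_up (require a second factor)
    """
    if len(history) < min_history:
        return ("allow", "insufficient history")
    if attempt["country"] in usual_countries(history):
        return ("allow", "country matches history")
    if attempt["device"] in known_devices(history):
        return ("challenge", f"new country {attempt['country']} on a known device")
    return ("step_up", f"new country {attempt['country']} on an unknown device")


if __name__ == "__main__":
    # Same machine as always, but suddenly in the Philippines: worth a question or two.
    print(decide(HISTORY, {"country": "PH", "city": "Manila", "device": "dev-A1"}))
    # New country AND a machine we have never seen: require a second factor.
    print(decide(HISTORY, {"country": "PH", "city": "Manila", "device": "dev-Z9"}))
```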
Data security is in vogue
So what? - I'm starting to see a lot more coverage and discussion about information/data security and it's a good thing. Network Computing has a pretty substantial section on it in this week's book. Don MacVittie goes into a number of the aspects of protecting data (under the guise of "identity theft protection") but many of the tips apply to protecting intellectual property as well. He pinpoints a number of areas where the data is at risk (data extraction, data leaving the enterprise, data backups stored off-site, and data used by applications), and each requires a different discipline to secure it and a different set of products. We are still very early in being able to codify a workable data security architecture, so it will require a number of new products and a bunch of customer integration. Welcome to early market-land!
http://www.3com.com/corpinfo/en_US/pressbox/press_release.jsp?INFO_ID=246648
Protecting software from piracy and other bad stuff
So what? - Speaking of data security, a number of my old friends from SHYM/Authentica have set up a new shop called V.i. Labs to protect source code. Since one of the ways data gets compromised is by compromising an application that is authorized to access the data, ensuring the application is locked down is a good thing. The real question is whether V.i.'s approach of encrypting the source code and constantly checking hashes is the best way to do that. To be clear, V.i. is more about trying to stop software piracy and help software vendors recover lost dollars - but their technology is also applicable to locking down applications from intrusion. It'll be interesting to see if software vendors perceive the lost dollars due to piracy as a big enough problem to actually do something about it.
http://www.vilabs.com/press/PR-82906-piracy.aspx
NAC is back
So what? - Not that it ever really left, but according to Joel Snyder - a lot of progress has been made since his NAC interoperability tests in February. That's good news, but he focuses really on the big 3 (Cisco, Microsoft, and TCG), which I think is an incomplete analysis of the market sector. Sure, Cisco is out there pushing Clean Access, but they've pretty much unwound the C-NAC Framework partner program - pretty much kicking anyone out that could compete with them. Microsoft is still months (if not years) away from having the pieces of NAP that customers can deploy and TCG is basically a front for Juniper. So it's good to see the technology is maturing rapidly, but I think now it's time to focus not so much on standards and interoperability (since most customers buy one product and don't have this concern) but more on how customers are solving problems. Over the next 6 months, we'll see whether this market and technology has legs or whether it will go down in flames (and make Stiennon smile).
http://www.networkworld.com/columnists/2006/082806snyder.html
Top Blog Postings
Yin/Yang Soft/Hard
Get your mind out of the gutter. In this post the RiskAnalys.is folks take Mr. Tao himself to task for even suggesting that "hard" technical security skills will be coming back into vogue. Bejtlich's point is that security folks have been focused on these "soft" management skills and we are still dealing with frequent security train wrecks. The answer (which is where RiskAnalys gets to) is both. Basically, you need a set of hard skills to enforce the defenses (Yin) and also the soft skills to sell those defenses up the line and to the users (Yang). I personally think our continued problems have more to do with the general ineffectiveness of our soft skills. If we can't sell the value of security, can't get the budget to adequately protect things, and can't impact user behavior, then even the most technically astute security practitioner is going to be hamstrung. Take that Yin and Yang!
http://riskmanagementinsight.com/riskanalysis/?p=16
So the enemy is out there again
Bejtlich just loves to say "I told you so!" Or so it seems. But here he reminds us (based upon a study by the US DOJ) that the outsider threat is still there and it's still real. I don't buy these numbers relative to the percentage of threats that are outside vs. inside because I think it's a useless intellectual argument that just wastes time. Whether it's 80% outside or 45% outside, it doesn't matter. As a security practitioner you need to protect BOTH flanks. We have gotten a bit complacent relative to the strength of our perimeter and its ability to stop brute force attacks, but brute force attacks are yesterday's news. Now it's very targeted, phishing-oriented attacks meant to compromise machines, steal personal data and remain undetected. Seems a lot like what an insider attack is trying to do as well. As Hoff says, we need to have lots of perimeters and we cannot assume that any one threat vector is where the attack will come from. That makes things fun, no?
http://taosecurity.blogspot.com/2006/08/again-external-threat-is-more.html
SNMP is not your friend
I've been in this business long enough to remember when SNMP first hit the market and the hope that all of us networking folks had relative to being able to ease management by standardizing the language and vernacular. Well, 10 years later not much has changed, besides the fact that SNMP is a lowest common denominator for management protocols and also can introduce security holes into your environment. Alex Scoble's point here is that if you aren't using SNMP, then turn it off on those networking devices. He's exactly right, and I'll push the discussion a few steps further: you shouldn't be running any services on any devices that aren't absolutely critical. Why leave a hole for the bad guys? As opposed to buying something new and shiny, you may want to spend a day or two ensuring that no unnecessary services are running on your devices.
http://www.computerworld.com/blogs/node/3338
Nothing is "safe," so encrypt your data
Karn tells a story in this post that will convince you that nothing is safe. If data stored in a bank vault can be stolen and compromised, then whatever physical security mechanisms you've implemented are probably insufficient. That's why defense in depth is so important, as is keeping data off-site (just in case). Karn's suggestion is to encrypt the data at rest, even on backup tapes. There is something there, but the implementation is not for the faint of heart. Key management is still a bear and figuring out where all the data resides is also problematic. Ultimately data will be encrypted at rest, but it will be a long road to get there.
http://security-guru.blogspot.com/2006/08/dear-bankers-your-vault-is-not-safe.html
Recently on the Security Incite Rants Blog
Blogging for the babes
In what is definitely the funniest comment of all time on Security Incite, an enterprising reader tells me, Hoff, and Stiennon that we should be NAC-ing, YEAH! I don't think the BeeGee's ever looked so good. The comments on the page are also classic, so click the link, have a laugh (on me) and get back to your day.
http://securityincite.com/blog/mike-rothman/blogging-for-the-babes
How not to hype a new CEO
I pretty much came unglued yesterday when reading a press release about Tablus' new CEO. It's not about her or her capabilities, but how PR folks practice revisionist history and figure that no one will call them on it. Well, I called them out because I don't understand how anyone can say MailFrontier (the new CEO's old stomping ground) was a market leader or had worldwide brand recognition. So I vented and now I feel better.
http://securityincite.com/blog/mike-rothman/how-not-to-hype-a-new-ceo