The Daily Incite - September 6, 2006

Submitted by Mike Rothman on Wed, 2006-09-06 06:45.
Today's Daily Incite

September 6, 2006 - #110

Good Morning:
Greetings from Beantown. Flew up yesterday (yes, flying is still miserable) for The Security Standard show at the Hynes. If any of you are going to be there, check out my session at 3:20 this afternoon on strong authentication. It'll be fun and educational. And if you want to grab a cup of coffee or something, just drop me a note and we can meet up.

In security-land today, it seems to be AV day. I discuss alerts (here), sharing information (here), and which AV detection techniques will win over time (here). The answer - all of them. In blog-land, I rant a bit (here) about why it's important to encourage failure and teamwork in all of our personnel. And no, I am not on drugs. If security folks are afraid to make a mistake and treat both internal and external auditors like the enemy - the system is not going to work. We need checks and balances to make sure we are truly protected from the bad guys. That doesn't work if the enemy is us.

Have a great day.


Top Security News

Bean counters weigh in - Network Security is BIG
So what? - Must be that time of the year again, the quantitative analysts are out there beating the drum for how big the network security market is. And it is big, weighing in at over $1.1 BILLION in Q2. And that's a good thing. I've found that folks like Infonetics are much better at looking backward than forward, so their numbers are probably pretty close. Biggest surprise? Check Point falls from #2 to #3, now behind Juniper. That's got to kick ol' Gil right in the bread basket. It's also interesting that they say "integrated security products and software" is 85% of the market, with IDS/IPS at 15%. Is that 85% UTM? Or just a FW/VPN? Or all of the above? You can't really buy a firewall without VPN anymore, can you? So that number feels like a red herring to me. But no matter. It would also be interesting to see unit growth, as opposed to revenue reporting. But clearly pricing is coming down in the more mature spaces.
http://www.marketwire.com/mw/release_html_b1?release_id=0159874


AT&T hack two-step
So what? - We still haven't seen a lot of specifics about the AT&T website hack, but in the meantime let's point to some articles that are reminders of the obvious. If you handle credit card info, then your website is a target. Duh! That's what PCI is all about. If anything, this is the path of least resistance, since taking over machines and stealing information individually is brutal and time-consuming. Hacking into an e-commerce system and taking credit card numbers - not so much. So I'll make the point again: web apps need to be scanned and pen tested. You'd rather someone you are paying finds the holes, not the bad guys. Trust me on this. Also check out this article (here) that talks about how the bad guys are using elaborate and individual phishing attacks to get EVEN MORE personal information from those compromised. Scary, but it goes to show that you should always verify with the vendor if they are asking you for personal information via email. And yes, I expect that we'll see mutual authentication become more prevalent anytime you are updating profile information, not just on banking sites.
http://www.informationweek.com/news/showArticle.jhtml?articleID=192500500

Boys will be boys
So what? - I continue to be amazed that people are surprised when vendors act like vendors and try to derail their competition. The only analogy I can think of is my 3 year old son starting to hit things (like me) with hard objects (like sticks and bats). Am I pissed? Sure, it stings. BUT HE'S A BOY. He's supposed to hit things. Of course, you tell him NO, but secretly I'd be much more concerned if he wasn't acting a bit more aggressive. Don't tell my wife, OK? Of course vendors are going to use alerts to make themselves look good, obscure information, and throw FUD at competitors. And the reseller quoted here has a point about the channel providing information to make sense of the mess. But don't kid yourself, the resellers take every opportunity to cut each other down too. That's what competition does. That's what free markets do. Remember it's a zero-sum game. If you win the deal, everyone else loses.
http://www.informationweek.com/news/showArticle.jhtml?articleID=192501689

Sharing virus information is novel?
So what? - Early senility is a drag. I could swear I called bunk on Microsoft's Virus Information Alliance a while back, but I can't really remember. Having spent time at TruSecure way back when, I became familiar with the WildList, which is basically the same thing but not vendor controlled. Well, I guess it is, because CyberTrust owns it, but it's not AV monolith controlled. Now I don't blame Authentium for playing along (which is the news peg here); it certainly can't hurt. But anyone who paints Microsoft's initiative as being new or novel hasn't spent much time in the security space.
http://biz.yahoo.com/bw/060905/20060905005161.html?.v=1


AV signatures vs. behavior
So what? - While we are on the topic of AV, let me point to a recent Stiennon-ism on signatures vs. behavior-based AV. Richard is right in pointing out that the number of updates is not relevant; it's the effectiveness of those updates. I don't buy that more updates are bad (everything is pretty much automated now, so it's not like folks are sitting there testing AV updates that drop 2 or 3 times per DAY), but crappy updates are certainly a problem. But the real point here is that there is not one technique that is used to stop the bad stuff, it's lots of techniques. Everyone uses signatures and they should. Shame on us if we are compromised by something that we've seen before. But you also need protection from the stuff that you haven't seen, and there are a number of ways to skin that cat. And all of them should be used. So we should be losing the religion in all aspects of security.
http://blogs.zdnet.com/threatchaos/?p=398


Top Blog Postings

Groundhog Security Day
So Farnum has decided the front lines are no fun anymore and he'd rather be running the supply trucks. Suffice it to say, Accuvant's customers will be happy they've got someone with front line experience, because you never know when the supply line is going to be ambushed. But Michael brings up a systemic issue for the security industry and another reason that Managed Security is an inevitable outcome. Being a security manager is like being in the Bill Murray classic, Groundhog Day. Really. You wake up and are back at the same place. People are trying to get in, and you need to stop them. They'll try different attacks and most days you'll be OK. Some days you won't. But the only constant is that the next day they are going to try again. Having someone else manage the repetitive, fairly simple stuff is one way to beat the burnout that pushed Michael to reseller-land. That he'll likely dramatically increase his comp probably doesn't hurt either. But that will depend on his ability to sell stuff, now won't it?
http://infosecplace.com/blog/2006/09/05/one-of-the-reasons-i-am-getting-out-of-security-management/

Accepting Mistakes and Checks and Balances

Captain Privacy, Martin McKeay, changes gears a bit and talks about auditing in this post. He makes a good point, which is that no one is perfect and we all need checks and balances to ensure the right stuff gets done. But there is the key issue of security practitioners not feeling comfortable admitting they have made a mistake, and thus the internal auditors are usually treated more like the enemy than the cavalry. This is a huge problem because everyone (even the external auditors) is on the same team. And managers (CIO and CSO-types) need to ensure their people can make mistakes and not worry about their jobs. Back when I managed people (feels like 100 years ago), I consistently made the point that I expected mistakes. Failing was OK. Not trying was not. Playing it safe was not. Of course, we want to minimize errors, but since I'm pretty sure we all have humans working for us - they are going to happen. It's how you handle it that determines whether you have a team aligned on stopping the bad guys - or a breeding ground for internecine warfare.
http://www.mckeay.net/secure/2006/08/audit_then_audit_again.html


Limiting Liability on WiFi

This post by Preston Gralla has me remembering the classic Lite Beer commercials, "Taste Great, Less Filling," as he takes the Terminator to task for WiFi warnings and not dealing with WiFi piggybacking. Will warning signs help and maybe get more people to deploy security? Maybe. But what's the harm? Do warning labels on cigarettes help? Probably not, but this is not about protecting networks. This is about limiting liability. In the age of tort mayhem, I actually think that the warning labels are a good thing. It's only a matter of time before some ambulance chasing idiot sues Linksys because some unsuspecting consumer got hacked via their wireless network. "The vendor should have told me!" Well now they are going to, and hopefully we'll avoid more litigation silliness. While I'm at it, what's wrong with piggybacking? If you have a water fountain on the side of your house, is your neighbor stealing if they take a drink? Or if they shoot hoops on your basketball court? Aren't you just being neighborly? As long as they don't try to break into my house (and that's what my security system is for), what's the issue?
http://www.computerworld.com/blogs/node/3376

Virtually Saturday Night Fever
When I read this post from Tom Olzak, all I could think about was a flashing disco floor (a la Saturday Night Fever) in Second Life. I must still have that Blogging for Babes picture on my brain - scary. But Tom's architectural construct here is a good one. It's not brain surgery (folks have been using VLANs to segment internal networks for many years), but the virtual floor analogy is new to me. But I suspect these virtual floors will give way over time to virtual "rooms" or portals that provide visibility only to those resources that the user has access to. This will take much more sophisticated security being baked into the network, but we are going there (Secure Network Fabric lives). There is no reason that we need to be restricted to an access group based on our geographic location over time. But until we get there, this is a useful way to manage network traffic flows and firewall off segments as needed.
http://blogs.ittoolbox.com/security/adventures/archives/virtual-floors-can-help-meet-b2b-security-challenges-11474
