The Daily Incite - September 7, 2006

Submitted by Mike Rothman on Thu, 2006-09-07 09:51.
Today's Daily Incite

September 7, 2006 - #111

Good Morning:
Running a bit late this AM. Sorry about that. I'm not in the excuses business, but I do want to mention that my hangover this morning was sponsored by Chris Hoff. Thanks for your hospitality, buddy. I'll be feeling those Guinnesses for most of the day. I'm still at the Security Standard conference for part of the day, and John Chambers of Cisco did his keynote to kick things off. He always puts on a good show, and I'll have a summary later today. In general I think the conference has been pretty good and brings up some issues about how to interface with the executives, as opposed to the technical issues many of these conferences typically address.

In security-land I want to call out Entrust for announcing a ridiculous guarantee of FFIEC compliance (here). First, they have a bunch of caveats, and the legalese is so thick you need a bull-shiitake cutter to get through it. Next, they say their software is not the only thing compliance can be based on. Huh? Finally, you only get a year of support if they mess up. Now that's some guarantee. Thank you sir, may I have another!

I also attack idiocy on a number of other fronts (yes, my heartburn and hangover have made me grumpy): first an asinine position from the G-men about what Microsoft should be doing post-Vista (here), and then why it's not a problem for security vendors to actually warn us about security issues (here). And the fun doesn't end, because I pile on with Oltsik and Ogren about the Cisco/Microsoft NAC-NAP deal (here). All in all, lots of crap to wade through today. Glad I brought my hip boots up to Boston.

Have a great day.

Top Security News

The new "HP way"
So what? - As security professionals we often get pulled into less desirable situations and work with HR and legal folks to either substantiate or refute a complaint or accusation. But there must be a line, and that line is defined by the law. Clearly the Chairman of HP, Patricia Dunn, doesn't understand where the line is. By snooping on other board members to find out who was leaking information about an HP strategic decision, she likely broke the law. We have technology to snoop on data, read emails, intercept phone calls and the like. But that doesn't mean we should use it haphazardly. These tools need to be used judiciously and with the full support of your company's legal counsel. Ms. Dunn will take the fall for this, and there will probably be legal ramifications. And it's all because she didn't want to confront her fellow board members to figure out the source of the leak. I'm a fan of confrontation, so I'm happy to say I'll always opt for that path.
http://www.forbes.com/2006/09/07/hewlett-packard-dunn-cx_po_0907autofacescan01.html

Guaranteeing FFIEC compliance
So what? - Guarantees are a slippery slope. It seems that Entrust thinks their spiked boots will stop me from calling them out on a "guarantee" that any customer who commits by mid-October will be "FFIEC compliant" by the end-of-year deadline. Think again; this is a marketing stunt. There are no specifics about what FFIEC compliance really means, so pretty much anything you do relative to assessing your risk and adding multi-factor authentication can show "compliance." They put in caveats about how their software will not be the "sole basis" for evaluating the online application. And what do you get if they don't get you there? One year of support. That's it. Here's more: "Under no circumstances shall Customer be entitled to any refund of any amounts paid to Entrust in respect to the Software System..." That's pretty funny, no? You voyeur lawyers out there can check out the legalese here.
http://www.entrust.com/news/2006/6363_6625.htm

Those that can't do, analyze
So what? - It annoys the crap out of me when folks overstep their bounds. They damage their credibility and most of the time come off looking like an ass. Back when I had product management responsibilities, the first rule was to NEVER design the product. That's what the engineers do. You just tell them, VERY specifically, what the product and/or feature needs to do. So help me understand how an analyst from Gartner knows anything about what Microsoft can or should do with their post-Vista operating system. This analyst must have built OSes in the past. Actually he hasn't, but he knows best, clearly. And how many end users are really worried about Microsoft's next-gen OS today? Right, none. This is annoying chest-thumping to set an agenda for a vendor and feel smart, knowing that no one will remember when this guy turns out to be dead wrong in 5 years. Stick to your knitting, G-men, which is to help end users with TODAY'S decisions, not helping vendors design products. If you could do that, you wouldn't be an analyst, now would you?
http://www.informationweek.com/news/showArticle.jhtml?articleID=192503689

It's a bird, it's a plane - no it's BrowserShield
So what? - Speaking of slippery slopes, Microsoft is working on some technology that will intercept "malicious" code and rewrite it before it renders in the browser, allegedly to prevent malicious code from executing. That involves a lot of trust, no? And what do they rewrite it with? Didn't Google get into trouble for intercepting traffic and changing the way a web page renders? Then again, we trust the AV and anti-spyware software to flag malware, so this is a logical extension, and there aren't really many details yet about how it will be deployed. So I don't want to crap on this quite yet. But I'll take an initially skeptical stance.
http://www.eweek.com/article2/0,1895,2011765,00.asp

Foxes and hen houses and conflicts of interest
So what? - This opinion piece by Johanna Ambrosino of InformationWeek is dead wrong. She rants a bit about how Symantec and McAfee are the bad guys because they both issue security warnings and sell products to solve the problems. You know, the fox guarding the hen house, which is what everyone in the business does. Clearly she isn't very familiar with how security works. End users rely on vendors as sources of information, but only the idiotic don't scrutinize that information themselves and make their own decisions. But my biggest problem with her idea of separating church and state is reaction time. You can't tell me CERT is exactly responsive. The last thing we need to do is extend the vulnerability window, so I'm all for vendors providing information and end users actually using their brains to figure out what is right for them to do.
http://www.informationweek.com/blog/main/archives/2006/09/airing_dirty_se.html

Top Blog Postings

Openness or interoperability?
Jon Oltsik from ESG goes on a bit of a rampage here about the NAC/NAP interoperability agreement. As I mentioned (here), this is a non-factor and an attempt by both Cisco and Microsoft to freeze the NAC market until their products catch up to their PowerPoints. Jon is a bit partial to TCG, which I think is misguided, because in an early market standards are a red herring leaned on by those without market power to try to equalize things. Most of the time standards only come into play as a market matures and commoditizes. We aren't even close with NAC right now. Jon's colleague Eric "EO" Ogren weighs in here as well, basically supporting my position. Shimel weighs in too (here), making the point that networks are heterogeneous, which isn't true for the 60-70% of the world that buys all of its stuff from Cisco.
http://news.com.com/2061-11203_3-6112960.html

Pressure is not an excuse
Boy, pointing to Tom Olzak two days in a row. How about that? But this post from over the weekend makes an interesting point. Change management policies are there for a reason. Depending on the scope and reach of your computing resources, changes may take from a few hours to a few days to be rolled out. Of course the business folks want their applications fixed, or their new locations rolled out, or their new laptop. And that's fine; the IT group's job is to meet those needs. But it needs to be done within the parameters of your change control process to ensure that haste doesn't introduce exposures. That being said, we should be continually trying to compress those change windows to react faster and be more responsive.
http://blogs.ittoolbox.com/security/adventures/archives/desperation-doesnt-justify-bad-security-11441

Link scanning needs to be integrated
Brian Krebs discusses how he's played around with a link scanning service (this one from Exploit Prevention Labs) to see what is going on with the web sites he's navigating to. These are interesting services, because having an idea of what is lurking behind that link will help contain some web-oriented malware vectors. My issue with these web site-based deployment models is that they require users to change their process. They need to go to the LinkScanner site before they click on a link. That's unlikely. Scandoo requires that you do searches from their site (at this point anyway). I won't use them, even if I should, because it would dramatically slow down my work process. SiteAdvisor has the best integration with the way I work, but unfortunately I still haven't been able to get it to operate without breaking Yahoo! Mail. It also broke the web browser on the home PC that my kids use, so there are still problems, but the browser-integrated model makes the most sense to me.
http://blog.washingtonpost.com/securityfix/2006/09/scan_those_links_before_visiti.html

Abstracting your identity
It's been a while since I've discussed identity. It seems that Roger Sullivan, one of the identity gurus at Oracle, is now blogging. In this post he vents about the lack of a centralized body to process address changes. Since it's been two years since I moved to ATL, those wounds are mostly healed, but Roger has a point. To date, no convincing business model has emerged that would allow these kinds of address changes to be leveraged and scaled. Of course, Roger works this into the point that via standards like SAML and WS-* (Roger is VP of the Liberty Alliance, after all) this kind of integration is possible today, and that he'd pay for this kind of service. I agree that there is a big opportunity for an "IDsp" (Identity Service Provider) to integrate all of this together, but to be clear, this is a non-trivial task.
http://rogerksullivan.blogspot.com/2006/08/miles-to-go-before-we-sleep.html

Recently on the Security Incite Rants Blog

The Security Standard: The Pendulum Swings Back
Here is the first of my posts from The Security Standard and I deal with the idea of whether security is an enabler or a defensive capability. It seems that every 4-5 years we see the pendulum swing back and forth and now it seems folks want to start considering security as an enabling technology. I'm of the opinion that we've seen this movie before and we always get back to defense. Defense aligned with business requirements, of course, but defense nonetheless.
http://securityincite.com/blog/mike-rothman/the-security-standard-pendulum-swings-back

Read yesterday's Daily Incite

http://securityincite.com/TDI-2006-09-06

Submitted by kurt wismer (not verified) on Fri, 2006-09-08 11:47.
Just so you know, Exploit Prevention Labs' LinkScanner webapp is just a web interface to the same technology in their SocketShield product, which I believe IS integrated (at least in the sense that it doesn't require users to change their processes)... though I have no idea how good their technology really is in the final analysis, but my interpretation of what the point of the webapp is is that it allows potential customers to try before they buy...