The Daily Incite - September 8, 2006
September 8, 2006 - #112
Good Morning:
This morning I'm feeling old. I know I'm not, but I just don't recover like I used to. In the days of yore, I could get by for days on 4 hours of sleep, including lots of partying and other mischief. Not anymore. I'm also looking back and appreciating how simple life was years ago, before the kids and other responsibilities that get piled on. My biggest issue was having enough Advil and Gatorade in the house to ensure I could function when the alarm went off the next morning.
A couple of things I found this AM got me thinking about how security has really evolved and become a business. And it makes me feel old because I've been in this space since pretty much the beginning. Besides Chris Klaus of ISS riding off into the sunset (here), we've got constant fraud on Google (here) and the bad guys are more in your face now. I was talking to someone yesterday and they mentioned how the trust factor is gone. He's right. If you get an email from your bank, you immediately think it's bogus. Guilty until proven innocent is the prevailing wisdom.
On the news front, the updated PCI standards have hit to very little fanfare (here), which is pretty surprising. There aren't really substantial changes, and I'm still thinking that until Visa and/or MasterCard execute someone in the public square for not playing ball, PCI's impact will be minimal. It's just another way to justify stuff you already want to buy, as opposed to changing behavior. I'll also point to a new log management service introduced by VeriSign and LogLogic (here). The managed security train has left the station folks, and one of the key questions you should be asking yourself is whether you can get someone else to do those rote functions better, faster, cheaper.
Have a great weekend.
Technorati: Information Security
Top Security News
VeriSign and the Lumberjack
So what? - Thankfully football season has started again. I just can't take any more of having to watch those crazy strong man or lumberjack competitions on ESPN 2. Speaking of lumberjacks, let's talk about the evolution of logging and log management. Yesterday, VeriSign announced a new log management service (driven by LogLogic equipment) and this is the right direction to be going in, especially for the mid-market. Logs require a crapload of storage and most of the time you aren't really looking at that data unless something goes really wrong. Why not make storage, retention, etc. VeriSign's problem? They can apply economies of scale and make it cheaper for everyone. I suspect we'll be seeing a bunch of logging services emerge over the next quarter or so. I just hope they are planting trees to replace the ones being harvested.
http://www.marketwire.com/mw/release_html_b1?release_id=0159874
Spyware is like gray hair
So what? - I'll admit to not being an authority on much. But I know a lot about gray hair. My hair started turning gray when I was in my early 20's, so I learned pretty early on that pulling out the gray hair is a losing battle. You pull one and 10 grow back. Kind of the same thing with these spyware and anti-spam litigation efforts. Now that's a random analogy, huh? Litigation is nice because it puts some teeth into what the bad guys do, but it's not going to stop the behavior. You fine 10 companies and extract a couple million bucks and those folks are out of business. But another 100 are ready to take their place. Same goes for the spammers. Sure Jeremy Jaynes is going to do real time, and I think that's great. But that hasn't stopped the spam cascading into my spam filter, now has it? Until something is done to remove the economic incentive to send spam and compromise machines, none of this is going to get any better. My only advice is to make sure you are a bit more protected than the next guy. Hacking is very much about the path of least resistance.
http://biz.yahoo.com/ap/060907/spyware_settlement.html?.v=2
Santa Klaus retreats to a virtual North Pole
So what? - One of the overlooked aspects of the IBM/ISS deal is that slowly but surely, as "big is the new small" takes hold, we are losing a lot of the security pioneers who built this business. Chris Klaus, the founder of ISS, has not really been engaged with ISS for a long time, but this wide-ranging interview with NetworkWorld jogs the memory. Chris describes his inspiration for doing ISS and also what he's up to now - which is not security related. I guess these kinds of discussions make me long a bit for the early days of this industry, when it was more of a crusade and less of a business. But time waits for no one, and as the business continues to mature there will be fewer characters and more corporate. I guess that's progress, right?
http://www.networkworld.com/news/2006/090106-iss-ibm.html
Is that wireless network secure?
So what? - This TechTarget step-by-step guide on wireless security testing is pretty good. Kevin Beaver walks through the tools and processes that you'll need to figure out whether all of those access points create a problem for your business. It's pretty straightforward stuff, like using Netstumbler and Kismet - but I really like the fact that this kind of information is available for free. There were days (and they weren't that long ago) when this kind of information was only available from high-falutin network security consultants and you had to pay big bucks just to figure out what tools to use. To be clear, reading a guide on SearchSecurity is not going to make you an expert. But it gives you enough information to start the process of becoming that expert, or to call the bluff of an empty-suit consultant who comes in to sell you a bill of goods. Now that really is progress.
http://searchwindowssecurity.techtarget.com/general/0,295582,sid45_gci1213806,00.html
AV is here to stay
So what? - Roger Grimes just likes to stir the pot. In this week's column, he talks about anti-virus and wonders whether we still need it. Of course we do. It's another one of those layers that I spend so much time talking about. It's true that AV is ill-prepared to find truly new threats, but it's awfully good at making sure we are not compromised by the things we already know about. And that's important. Roger gets there by the end of the column, but he also makes a good point that through a combination of strong perimeter and host protection techniques you can get by without AV. But Roger is not your run-of-the-mill consumer. He doesn't need that safety net. The other 99.999% of the folks out there do. So the rumors of AV's demise have been greatly exaggerated.
http://www.infoworld.com/article/06/09/08/37OPsecadvise_1.html
Top Blog Postings
PCI: The Sequel
It's very interesting that there has been virtually no news coverage of the PCI standard update. I get that most of the changes (PDF outlining the changes here) have already been discussed by MasterCard and Visa, but still. PCI is one of those things that could either be very significant and change the way anyone who sells anything manages data security, or it could be an empty suit like HIPAA. It all gets back to enforcement. I know I've made these points before, but nothing has changed. It's still not clear what the ramifications of non-compliance are, which in my opinion is a problem.
http://www.mckeay.net/secure/2006/09/pci_11_is_out_heres_the_change.html
Don't forget the reporting
The Mogull makes a pretty important point about interfaces in this post. I learned this the hard way when I was in the security services business. We were pushing to add products to our bag of tricks, but all of the stuff our internal people used was built FOR THEM, not for the customer. Productizing is more than just putting an SKU on a tool you use internally. The interfaces were terrible, so I definitely agree with Rich that interface and user experience are absolutely critical - especially as a market scales and functional differentiation evaporates. But I'll also add reporting into that category. Most folks don't think about the reports too much when they are buying a system, until they end up contracting a severe case of "pivot table-itis" the first time they have to do a log dump into Excel and perform unnatural acts to convince someone the new product works, or just to figure out what the hell is going on. The real problem is that technical guys would rather spend time building cool new features than polishing the ones that customers are paying for.
http://securosis.com/2006/09/07/its-all-about-the-users-interface/
What's in your backup?
Reading this post about Guy Kawasaki's issues recovering from a hard drive failure over the holiday weekend is very instructive. Those of us who work for larger enterprises have all sorts of multi-layered backup strategies to protect the centralized data that we can easily get to. But what about all of those laptops out there? Is there important data on those? What are you doing to make sure they are consistently backed up, if anything? I've made mention of my own backup process (here) and that works for me. I also want to expand the discussion a bit to encompass data protection, not just recovery. Remember, it's not sufficient to only back up. If there is any private information on the device, you also need to protect it.
http://blog.guykawasaki.com/2006/09/why_smart_peopl.html
Trust is a myth
This post from Steve Gold makes me sad. He thumps Google on the head because AdWords can be gamed, but I take it more as an indictment of today's technology based society. This is kind of big picture, but bear with me a bit. In the old days, fraud still happened. Every day. It's not like we just invented bad guys. But the fraud was somewhat contained. In the age of globalization and the Internet, fraud is everywhere. Of course, fraudsters are gaming Google. And Google is too damn big to worry about it. Like a bank, they just figure a certain percentage of clicks will be fraudulent and that some number of accounts will use bad credit cards. They manage their business with those risks in mind. I guess I'm just ranting a bit, but I don't think there is an easy answer. Until this starts costing Google real money and/or a less fraudulent alternative emerges - it is what it is. But that doesn't mean we should be happy about it.
http://securityblog.itproportal.com/?p=468