The Daily Incite - September 12, 2006
September 12, 2006 - #114
Good Morning:
There was so much going on yesterday, I need to wade through it with hip boots. I guess 9/11 got folks riled up and many announcements were held until either yesterday or today to avoid the slower holiday week. In interesting security-land activity, the entertainment industry shows its angst because hackers seem to be winning the consumer DRM battle (here). Cool, free movies for all! Given the recent update to the PCI standard, we are going to see an acceleration of new vendors positioning magic bullets for compliance (here). And in probably the most entertaining news of the day, the Governator has met some Hackinators who have stolen some audio from his network (here). The fate of the free world hangs in the balance, clearly.
In blog-land, it must be Bizarro day. You have Tim Wilson telling you to love your auditor (here) and Eric Ogren looking for positives out of the Cisco/Microsoft collaboration (here). Every day is Bizarro day for me, so I just roll with it.
And a big Happy Birthday to my twins, Lindsay and Sam, who were born 3 years ago. 3 years passes in the blink of an eye. They are a bit confused because their party was Saturday (imagine 30 kids running around in a JumpZone place), but that's OK. We'll throw a few more presents their way and they'll get the picture. It's good to be my kids (besides the inevitable challenges of sharing a genetic link with me) and I couldn't be happier that my wife and I can make their early years comfortable and carefree.
Have a great day.
Top Security News
The Hackinator will be back
So what? - You never know what will be interesting to the bad guys, and Governor Arnold is recording some conversations now. "I am not a crook" just resonates in my mind when I hear of politicians recording conversations. But in any case, it seems the Gov thinks that Latins have "hot" blood and are passionate. So now he's a bigot because he is stating a well-known stereotype that in many cases is true. But Jews and Italians tend to be passionate as well, no? I hate politics. But this underscores a bigger issue, which is that only a few people had access to the digital media, so the machine was compromised. It'll be interesting to see how they assemble the pieces to figure out what happened. Was it someone stupid, who got 0wned? Was it social engineering? Was it an inside job? I said yesterday I wouldn't push my kids into auditing, even though there is assured employment. Computer forensics/incident response, on the other hand, is cool, and lord knows these folks are going to be busy for a long long long long time.
http://news.yahoo.com/s/nm/20060911/us_nm/schwarzenegger_hacking_dc
Hackers 1, Entertainment industry 0
So what? - Besides advising my friends and family about security, I really don't get involved in consumer oriented stuff. I buy music that I want and am too concerned about spyware to download much of anything from the Net. But I do observe with detached amusement the futile attempts of the entertainment industry to "protect" their intellectual property. Welcome to the wild, woolly world of security. The bad guys are pretty much always one step ahead, and I don't think increasingly onerous copy protection is the answer. Pissing off your legitimate customers never really is. But this got me thinking about the many conversations I had recently about the long term importance of persistent control in data security. Data security is going to happen, though it's not clear how and when. Maybe it's DRM, maybe it's a successor technology. But in today's environment, you need to be able to control data at all times.
http://www.darkreading.com/document.asp?doc_id=103283
Get ready for the PCI stampede
So what? - I know I run the risk of getting Shimel pissed at me, but most vendors trade on FUD (fear, uncertainty and doubt) to try to create a buying catalyst for their stuff. The updated PCI standards are just the latest in a long line of examples relative to this point. I'm calling out a new product from a company I've never heard of (New Boundary Technologies) that says they can solve your PCI problem by using security policy management to make the point. There is no compliance silver bullet. Period. Compliance is a happenstance from doing the right things along a number of different fronts, security being one of them. Some of these tools are fancy project management tools, some do security policy management (whatever that means), and others are downright snake oil. Fact is, those with a strong security posture and the ability to prove that to an auditor will be "compliant." Buy products to solve a security problem, not to crank out a report. But make sure what you buy can crank out the report. See the difference? Keep in mind, compliance is a process, not a product.
http://www.newboundary.com/company/prelease/archive/rel_060911_PCI_Launch.htm
MMOG presents LHF - DUH!
So what? - So it seems the bad guys have figured out that massively multiplayer online games (MMOGs) are communities in and amongst themselves. What kind of community doesn't have shysters and fraudsters? None that I know of, so it was inevitable that the commerce engines of these environments would be cracked. This is LHF, or Low Hanging Fruit, since there are lots of accounts to steal, lots of credit cards stored there, and the ability to do real commerce within the games. Much less risky than going into Staples with a fake credit card, don't you think? Besides the compromise of Second Life mentioned in this article, there is also another piece on Dark Reading (here) that points to how some of the games are starting to invest in security, and that's good. But like any other environment that stores your credit card, there is risk there and you should ensure the vendor has taken appropriate measures to protect that information.
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2006/09/12/BUGQ6L3K081.DTL
The myths of selling security
So what? - I am not above giving some props to my "competitors" when they are doing good and important work. The folks over at Forrester have taken the lead in helping their security clients to "sell" security up the line. That is a lost art and responsible for many of the disconnects between what the board room thinks they are buying and the problems the CSO thinks he/she is implementing. In this report available on CSO, a couple of Forresteristas dispel some myths about security reporting. Some are a little cock-eyed, like "Executives hate auditors" because they do; that's not a myth. But you don't need to like the function or the person to see its value. I'll tell you that executives hate being on the front page of the WSJ for a privacy breach more. But they make good points about the need to benchmark and many CSOs' over-reliance on ROI. All in all, this is a good background into the problem. Of course, it won't help you sell your security more effectively - but it can provide a map to some of the land mines that you are inevitably going to run into.
http://www.csoonline.com/analyst/report4075.html
Top Blog Postings
I'll take some strong authentication to go (hold the mayo)
Strong authentication is happening, and yes, it's being driven by the Financials, most specifically by the FFIEC mandate. But that is the first step. Clearly passwords are not enough for many types of transactions, so having 2nd, 3rd and maybe even 4th factors is a good thing. And we'll also see mutual authentication become more prevalent, again first in the Financials and then later in other businesses (like online retailers). If you were looking for any numbers to back up these contentions, Jeff Hayes pulls some from the Phoenix survey (which I dumped on last week). But the point is the point. I'm not sold on device authentication as a panacea, but it's certainly a piece of the puzzle. I also think the ability to restrict access to certain parts of the network (oh crap, I'm talking NAC again) depending on where and what device you are using is also important.
http://mycsosolutions.net/2006/09/08/case-for-stronger-authentication/
Product reviews and pricing
Ron Gula of Tenable is funny. He's a very smart guy and he's built a number of sizable businesses. But sometimes the nuances of the "game" are lost on him. Check out this post where he has angst because he actually put the real price of his product in a review and his competitors priced out stripped-down versions of their stuff to make the price lower for publication. That is the oldest trick in the book. You always use the "starting at" price, and when the reviewer pushes back, asking what the real price would be - you give them pricing for something that would never scale to the need. What you don't want to do is price yourself out of the game before it even starts. If a prospect looks at that review and only has time to talk to 3 vendors, you don't want to be disqualified on price before they even make the first phone call. Sure, the prospect is a bit peeved when they see the "real" price, but by then you've got them, no?
http://blog.tenablesecurity.com/2006/09/sc_magazine_sim.html
Do you love your Proctologist too?
Tim Wilson at Dark Reading has an interesting perspective on audits and auditors in this week's blog post. His point is that auditors are here to stay, so you had better get used to it, and maybe even learn to love it. Yet then he goes on about the potential evils, including the fact that, knowing the auditor is going to come and find something, you maybe won't be as diligent. But this is all lots of folks flapping their lips; the point is right on. CSOs and security folks need to figure out how to work the auditors into their process, and you need to do it proactively. You don't want the auditor figuring out for themselves how they are going to muck up your stuff, now do you?
http://www.darkreading.com/blog.asp?blog_sectionid=327
Looking for positives out of NAC/NAP
Looks like Ogren must have taken his happy pills on Friday because he actually has something nice to say about Cisco NAC and Microsoft NAP interoperability. Of course there are positives if Cisco and Microsoft really decide to work together, but let's just say I remain quite skeptical. Product delivery is still a year away, and once these offerings are released into the market, it's amazing how arch-enemies start to behave. But Eric does make some good points, most notably the fact that integration of network management, endpoint security, and security policy is a good thing. Right now, most security administrators need to do that integration in their own head. It would be nice if part of that was done already. So this is something to watch, but I would disregard any of the hype until there is something real to deploy.
http://www.computerworld.com/blogs/node/3427
Recently on the Security Incite Rants Blog
Vendor Tales
My piece the other day on ways to piss me off resonated with many readers. Some even took the time to add their best stories to the comments section. Thanks for that. Vendors out there, read this piece and don't do these things. They just piss off the people that you are trying to sell to. That's not a recipe for success.
http://securityincite.com/blog/mike-rothman/vendor-tales
NetworkWorld Column: IBM legitimizes managed security
In this week's NWW column, I cover the IBM/ISS deal and some of the ways it brings managed security services into the big time. You'll also want to read this if you have any interest in learning how many Gulfstream Vs or Bentleys you can buy with $1.3 Billion.
http://securityincite.com/blog/mike-rothman/networkworld-column-ibm-legitimizes-managed-security
Read yesterday's Daily Incite
http://securityincite.com/TDI-2006-09-11