The Daily Incite - September 21, 2006
September 21, 2006 - #121
Good Morning:
I'm back in chilly ATL after a quick trip to NY for Interop. I hoped to stay another day, but family obligations brought me back early. But not before I had one of those famous New York moments. Running through the airport trying to get an earlier flight home, I see American Idol's Randy Jackson and The Biggest Loser's Caroline Rhea chatting it up with basketball legend Scottie Pippen. I guess for folks that hang out in LA or NY a lot, star sightings are commonplace. But in the Northern suburbs of ATL - not so much. Another interesting point is that Randy is shorter than I thought. And Pippen is taller. On to business.
I'll do an Interop wrap post this AM to go into my thoughts a bit more, but there was a bit of news in security-land. We saw one example of rear-view mirror analysis here. But I guess when you are the G-people, you don't need to look forward. We also have another Big Yellow positioning (here), jumping on the "Everything 2.0" bandwagon. I'm sure they are just tickled pink that there are folks like me, who actually remember history to point out that Symantec is on at least version 8.0, if not 13.0. And when security industry heavyweights go at it, it's fun to watch. So check out a little discussion that Ranum and Schneier have about maintaining the security of strategic software (here).
And this HPGate scandal is getting out of control. Now it seems that HP was sending reporters basically a Trojan e-mail to track whether they were reading the messages and who they sent it to. Is it illegal? Probably not. Is it ethically murky territory? Absolutely. Read more in this ZDNet story here. And it seems that CEO Mark Hurd was in the loop on this (here). There is no way he escapes unscathed. This guy works for two years to turn HP around, and now his credibility is shot because he approved snooping on reporters. Now look for the spinning to start to salvage Hurd's "brand." And marketers take note. Do something stupid and years of hard work go poof! We all know that, but sometimes forget.
Have a great day.
Top Security News
CIO is not wearing SoX
So what? - Sometimes I dig through the archives because I feel like ranting. I'm finally getting around to covering a story I put aside because it just annoyed me. Then my ADD kicked in and I forgot about it. The gist of the story is whether CIOs are stepping up enough relative to Sarbanes-Oxley and a number of folks (that happen to sell stuff to CIOs) are saying no. That's crap. SoX is all about FINANCIAL CONTROLS, which means the CFO. The CIO is an enabler, but not the driver. This kind of self-serving FUD mongering bothers me. I know part of the game is creating demand and these analysts/vendors need to keep themselves relevant, but I'm of the opinion that IT is an enabler, but the business leaders (in this case the CFO) need to drive key business process efforts, including SoX compliance.
http://www.esj.com/news/article.aspx?EditorialsID=2111
Breathing is a risk too
So what? - I can't help it. I'm going to rant about some Gartner research that clearly falls into the category of Captain Obvious, and even worse - it's getting coverage. At the G-people's annual UK security conference, they list the "top threats" and they include new and groundbreaking attacks like Cyberattacks with a financial motive, Identity theft (the difference between the first two is?), spyware, social engineering, viruses, and rootkits. Thankfully they added rootkits or else this list could be from the 1870s. How about some new thinking folks?!? We know rootkits are going to be an issue for the next 5-10 years. What about virtualization? What about SOA? How are those going to produce new risks? It just seems to me that the G-people look backwards a hell of a lot more than they look forward. But I should be careful what I wish for because opportunities abound for folks like me because of research like this.
http://www.infoworld.com/article/06/09/18/HNrootkitidthefts_1.html
Symantec 2.0 my ass
So what? - Looks like Symantec is trying to reinvent itself yet again. I wish I was in town early enough to catch CTO Mark Bregman's Interop keynote because I need a good, hearty belly laugh every so often. Symantec 2.0? Give me a freakin' break. This is like Symantec 8.0. I guess no one remembers the good old days of PC utilities. And then buying Norton to consolidate that space. And then anti-virus. And remote computing (PCanywhere). And then John Thompson coming in and remaking them as a true security company by jettisoning some of the systems management stuff. And then buying some storage management stuff. And then the big daddy Veritas deal and security giving way to "availability." But I will say that Symantec is playing much better in the sandbox than they ever have before. Though the JNPR/SYMC deal was two drunks holding themselves up (here), this next deal with Dell for "Secure Exchange" is the right thing to do. By baking their technology into a lot of other solutions, SYMC will be taken along for the ride. And they won't have to worry about competing in games that over time they won't win - like against Microsoft and Cisco.
http://www.informationweek.com/story/showArticle.jhtml?articleID=193004118
Big Yellow Application Security
So what? - I believe Symantec will make a move in the application security space before the end of the year. I'm going out on a limb here because none of my sources have sent me on that trail, but if you check out this survey from the Big Yellow, you see the signs everywhere. So they ask 400 software developers about security. They all say it's important, but don't want to change their dev process. We already knew that. But what's interesting is that Symantec doesn't really have an application security offering, unless you count some pro serv guys doing some application pen tests. The first rule of marketing is never to create demand for something you can't sell. But I think Symantec is using the application security services as a red herring to figure out whether this market is real. It is. And it actually sits at the intersection of the security and data center markets, which is where SYMC is trying to play. There is a lot of leverage here. So maybe they buy an app scanner (Watchfire, SPI) or more likely a web application firewall. Or maybe they take out a mish-mash of application/database security stuff like Protegrity. But they are going to do something.
http://www.symantec.com/about/news/release/article.jsp?prid=20060919_01
AIMbot is not new or news
So what? - So it seems that lots of folks are hot and bothered relative to a new attack launched via AIM (AOL Instant Messenger for you neophytes) that is turning innocent machines into bots. First, this is not the first attack we've seen via IM and it won't be the last. And this is only the latest of about a million ways that the bad guys are compromising machines and turning them into bots. This is another on a long list of social engineering ploys and education is the best defense. Don't open any attachments (either in email or IM) from folks you don't know. PERIOD. End of story. You wonder why I have to repeat myself over and over and over again. Because someone isn't listening out there and candidly, I think corporations and the ISPs continue to be at fault, especially the ISPs. I assure you that if owned machines were quarantined by an ISP and they lost their privilege to use the network until they clean things up, they would pay attention. But none of the ISPs have the stones to do that.
http://news.yahoo.com/s/afp/20060920/ts_alt_afp/afplifestyleitinternet
Top Blog Postings
Ranum and Schneier duke it out
When Marcus Ranum and Bruce Schneier get into a fight, lots of people pay attention. Of course it's a war (well not even a war, more of a discussion) of words, but if these two went at it, my money is on Marcus. He's physically bigger and plays with guns. I don't mess with guys that play with guns. Maybe the Celebrity Deathmatch guys can make this battle come to life. Now THAT would be entertaining. But I digress. In this discussion, these two go at it about "strategic software," and really about who controls that software. This was driven by the inability of CheckPoint to buy SourceFire because it was deemed too sensitive. Marcus makes the point that a lot of the stuff we use is "strategic" and it's controlled by foreign companies. Check Point already controls Zone Labs, which is basically a "good rootkit" because it totally controls the IP stack of a computer. And then he mentions that RIM (a Canadian company) basically drives the communications of the US Government. He makes lots of good points. Then Schneier weighs in with reality. Reality says there will be back doors and we won't find all of them. So we need to rely on security layers and defense in depth. Exactly right. No one thing can be trusted implicitly - now that's a good message.
Ranum: http://www.ranum.com/security/computer_security/editorials/point-counterpoint/strategic.html
Schneier: http://www.schneier.com/blog/archives/2006/09/is_there_strate.html
IT as a utility - finally here (for SMB's anyway)
I read a lot of regular tech blogs to stay on top of the bigger IT trends and also to make sure I'm on board with the security implications of these macro trends. This post from David Berlind on his ZDNet blog underscores a seismic shift that will change how security people need to do things. Of course, outsourcing is not news. But this is the first piece I've seen that makes a compelling case for why SMB's should not run or manage their own IT stuff. The good stuff doesn't start until about half way down, and then he makes the case for why IT is like a utility (here comes the IT as a utility pendulum swinging back). But let's think about this from the security perspective. This now means that our data is going to be somewhere else. Are you comfortable with how that someone else protects the data? Updates the servers? Protects the storage? You better be, because it's your data. As an aside, the first half of the article is about Berlind meeting with RSA for most of the day and hearing all about the consumer authentication stuff. Strong authentication is becoming more visible and more mass market by the day.
http://blogs.zdnet.com/BTL/?p=3642
FUD is HTS - Deal with it
Arthur on Emergent Chaos vents a little bit about the FUD (fear, uncertainty, doubt) that the trade press uses to tell a story about reacting to security breaches. Duh! The fact is FUD is HTS (here to stay). Why? Let's try this again. Fear sells security. Enabling new business processes does not. It's really that simple. And over-dramatized stories generate page views and sell magazines, and that's what the media does. You only have to watch the evening news for about 5 minutes to understand that's what drives the media today. I'm just numb to the FUD at this point. You just adapt to it and look to the real value in each story. And as Arthur points out, there is value there. But it will continue to be wrapped in layers of FUD and other crap. Just get comfortable wearing hip boots to work every day. It's not like the vendors don't spew their own brand of FUD every day as well.
http://www.emergentchaos.com/archives/2006/09/cso_breach_sop_fud.html
OS/2 vs. Windows: It's about playing nice in the sandbox
I had to laugh at this post from Andy, the IT Guy about OS/2. If you are asking what OS/2 is, then I feel really old. Those of us in tech marketing for any length of time can point to countless examples where the best technology got smoked and marginalized by better marketing and/or business development. It seems Andy started his career at the tail end of the demise of OS/2. Well I was there as it happened and there are many lessons to be learned. Many of these lessons make their way into my writing every day. OS/2 lost because it was not a PLATFORM. IBM did a crappy job of getting developers to write apps for it. Microsoft did a masterful job. That's why they won. OS/2 was better. A lot better. But IBM was so arrogant that they took for granted they actually had to ask ISVs to develop software and help them build a business around that software. Microsoft didn't. Of course, once Microsoft had that monopoly they changed, but not in the early days. That's why in this world of "Big is the new small," business development is so critical. If you are Microsoft or Cisco, you can bring something to market and not worry about who else plays along. Millions of customers give you that comfort. But if you aren't a behemoth, you better play nice in the sandbox. Gosh, even Symantec is playing nice nowadays (here). The world really has changed.
http://andyitguy.blogspot.com/2006/09/os2-you-could-have-been-so-much.html
Recently on the Security Incite Rants Blog
Deal: MiSS Consolidation - SecureWorks/LURHQ merge
In yesterday's deal du jour, SecureWorks and LURHQ merge. Of course this is yet another data point on MSS consolidation, so I provided the analogy to MiSS Consolidation - who was a lady we all knew from high school. This is a good deal for the new SecureWorks, especially since they get to dump the LURHQ name (which evidently means something according to Mike Murray here). Check out the comments on this post as well, since Stiennon actually agrees that this one represents true consolidation. I guess wonders never cease.
http://securityincite.com/blog/mike-rothman/deal-miss-consolidation-secureworks-lurhq-merge
Read yesterday's Daily Incite
http://securityincite.com/TDI-2006-09-20

