The Daily Incite - September 22, 2006
September 22, 2006 - #122
Good Morning:
Looks like we are at the end of the Apple wireless exploit drama. Thankfully. Of course, the answer seems to be as murky as the whole situation (here). Hopefully, SecureWorks will tell their side of the story as well, just so we can figure out what actually happened and hopefully not repeat this fiasco. We also see a little more clarity around what EMC's security strategy is and I like what I see (here). Of course, the fact that it's in close alignment to my Pragmatic Security architecture doesn't hurt and the interview further validates my ideas around why they did the Network Intelligence deal.
In blog-land, Ed Moyle reminds us that people have been stealing proprietary information since the beginning of time. So the advent of USB drives shouldn't get us all hot and bothered about how "easy" it is (here). I also give Chris Walsh a little lesson (at his request) in MSS market dynamics, since he is perplexed as to why there isn't any room for a boutique MSS provider (here).
Finally, I get some emails (and comments on the blog) about people wondering why I don't tell them when I'm going to be in their town. I do. I said I was going to be at the Security Standard (here and here) and I also mentioned that I was going to be at Interop (here). It's always great to meet up with readers and friends when I'm on the road, so I'll continue to let you know where I'm going to be - if I have time to meet up. Alternatively, you can send me a note letting me know where you are, and if/when I end up there - I'll be happy to send you a note.
Have a great weekend. It'll be very busy in my house, since it's a holiday weekend. So to all my Jewish friends and readers, L'Shana Tova - a happy and healthy New Year.
Top Security News
Apple wireless fiasco resolved?
So what? - In the aftermath of Black Hat, the Apple wireless exploit (or not) was big news. SecureWorks took the high road and didn't engage in mudslinging and now the truth is out, sort of. Apple has admitted (and fixed) some wireless exploits, but are these the same ones that were originally found? I'm more confused now than I was at the beginning of this fiasco. Thanks to Dave Goldsmith of Matasano for clarifying what seems to be an outright murky situation. But what can we take out of the situation? First, Apple needs to improve their communication around vulnerabilities. Second, the "responsible" disclosure process worked in this case, but only due to SecureWorks not acting irrationally and releasing the exploit code (assuming it does exist). Let's hope we don't see more of these he said/she said battles.
http://www.matasano.com/log/509/apple-wireless-security-update/
A view to EMC's security strategy
So what? - I can't help it. Even though I try not to pat myself on the back, sometimes I nail the analysis. Checking out this interview with EMC's security strategy guy Dennis Hoffman, my take on the EMC/Network Intelligence deal is pretty close. First they see the world pragmatically, there is "perimeter-centric" and "information-centric" security. Yep. And relative to the Network Intelligence deal, he mentions three aspects of NI's technology - log management is first. Surprise, surprise. I guess EMC did know they were getting into the log management business. Then SEM, where NI is weak, but their SMARTS offering can play and finally SIM, where they think NI's reporting is good. This is very consistent with how I called it (here). Maybe I should think about becoming an analyst or something.
http://www.channelweb.com/sections/allnews/article.jhtml?articleId=193004361
CSO <> Better security
So what? - Not that we need more examples of the fact that senior executives don't want to deal with security. In this piece Ira Winkler picks apart a survey by ESG, which draws a correlation between security and a CSO and the conclusion that a CSO makes the organization more secure. Ira does a good job of contradicting those conclusions with a couple of good points. The best security folks I know DON'T think they are secure. Maybe it's a personality flaw, but these folks know all the exposures and they know they are at risk. They've got a well defined program to close as many issues as they can. But they are not comfortable with their security posture - ever. I agree that this survey data is suspect, and they probably asked the wrong questions. I will say that when the inevitable compromise does happen, having a CSO is helpful because they move to fix the problem aggressively. It is their job on the line after all.
http://searchsecurity.techtarget.com/columnItem/0,294698,sid14_gci1217036,00.html
My Dad can beat up your Dad
So what? - Remember those silly little games you played growing up? My this is better than your that? Well it seems that some security vendors are not beyond bringing back this schoolyard behavior and the media is all too willing to cover it. In this case, a McAfee guy says application security code scanners only pick up 1% of the vulnerabilities. Huh? A fuzzer will find hundreds of problems and the commercial scanners find lots of stuff as well. Certainly more than 1 or 2%. And McAfee doesn't have any products in this space, so I guess it's in their best interest to throw some FUD around whether these tools work. In my experience, it is helpful to run a scanner against an application. It will find stuff that the developer neglected. Of course, a secure development process is best, but let's be realistic. It's not like developers are embracing that in large numbers yet.
http://www.networkworld.com/news/2006/091906-hitb-security-advances-not-keeping.html
Top Blog Postings
Keep new threats in context
That's the message here from Ed Moyle and he's exactly right. The media and everyone else continue to be all fired up about USB drives and other portable storage means. As Ed points out, people have been committing fraud since the beginning of time and they'll continue to do that. Sure, a 4 GB thumb drive gives the bad guys more of an opportunity to do more damage and it's arguably easier, but don't think you can stop it. That being said, I'm still a fan of trying to make it harder, and some of these endpoint security offerings that can lock down the USB ports are a good thing. But just don't be deluded into thinking you can eliminate all of the threat.
http://www.securitycurve.com/blog/archives/000451.html
Newsflash: Identity is hot
Since I've only been saying it for a year, I figure I may as well point to another analyst out there that is now on the Identity train. Looks like Jon Oltsik of ESG went out to an Identity conference and came back a believer. Users are interested, projects are getting bigger, standards are jelling. Man, you should get out more often - this stuff has been obvious for a long time. Consolidation (for the most part) has already happened, so it's a lot of big players with big services engines that are driving identity projects. Identity also has a positive ROI and compliance impact, given that things like provisioning and password reset actually help a company operationally. And yes, as SOA based applications proliferate, identity becomes much more important. So I agree with Oltsik on his findings here, I'm just wondering what took him so long.
http://news.com.com/2061-11203_3-6116140.html
Why MiSS Consolidation will be back
I guess Chris Walsh over at Emerging Chaos missed the MiSS Consolidation post (here) because he asks why a smaller MSS boutique like Counterpane must look for a deal. I'm not sure if I can get there in 10 seconds, but it's pretty simple. Over time every market commoditizes, and then size and scale become critical. Smaller folks cannot compete on price, so they need to continue to innovate. Counterpane hasn't done that. They could go down market and target SMBs, where it's more about presence in their channels than technical innovation. But VARs are going to increasingly target that market with their own MSS offerings (buy a few boxes, run traffic through them - it's MSS). In this segment, that will work - so the low end is cooked also. That's why folks like Counterpane get squeezed. And that has nothing to do with the fact that VCs have put in lots of money and they want it back. Or to write it off. But having a company to just exist in the Hall of the Walking Dead is not interesting to them.
http://www.emergentchaos.com/archives/2006/09/10second_mba_por_favor.html
Who watches the watchers?
Shhh. Don't tell anyone, but admins with root privileges on email servers and for other key applications can pretty much get to anything they need to. So protecting root passwords is critical (thus the interest in password vaulting technology), and so is logging who is doing what on your systems. And having unalterable logs that can't be accessed by the administrators, because if an admin wants to do damage, they'll probably have an idea of how to cover it up. You can't eliminate the risk because they need access, but you can at least let them know that someone is going to be watching.
http://www.computerworld.com/blogs/node/3541
Recently on the Security Incite Rants Blog
Interop NY 2006 wrap-up
Let's just say I was less than impressed with Interop NY. Part of it is that networking isn't that interesting anymore and there are lots of other VoIP, wireless and security shows. The other part of it is yearning for days gone by. I was in the networking space when networking was cool. I was young and single when these shows attracted a real partying crowd. So when I heard Interop was "back," I must have misunderstood. The Interop I attended was more like my back-side.
http://securityincite.com/blog/mike-rothman/interop-ny-2006-wrap-up
Facebook's Misplaced Balance
Most of the time I don't deal with some of the wackiness I see in other parts of tech-land. But when I read about some of the behavior from Facebook's 22-year-old CEO during billion dollar deal negotiations, I just couldn't help myself. Obviously I'm a long way from 22 and my deals were more about who was buying the keg that weekend, but I can't imagine I would have pulled some of these stunts. Not even if my girlfriend was in town.
http://securityincite.com/blog/mike-rothman/facebooks-misplaced-balance