The Daily Incite - September 25, 2006
September 25, 2006 - #123
I am particularly guilty of not celebrating enough. It's a "feature" of my personality that I'm always looking for what is wrong and not focusing on what is right. That makes me well suited to what I do for a living, but also gives me lots of heartburn when I step back and think about all the broken stuff. Thankfully there are holidays throughout the year that pretty much force me to spend time with the family, remember what's important and how fortunate I am. I spent part of this weekend rejoicing and it was nice. So I want to go through each of today's news items with that in mind.
In security-land, we have a pretty major article on encryption (here) that draws the conclusion that it's not for everyone, but does solve a number of security problems. I suspect it will be for everyone sooner rather than later, but it will upend some existing security markets and also become the purview of the Big Technology. We also have a couple of data points on the wave of "free" product distribution. eEye is now giving away a personal version of Blink (here) and Breach Security has bought the company that managed the open source web application firewall, ModSecurity (here). We are going to see a lot more "free" stuff out there because it's a pretty powerful distribution model, especially for start-ups.
In blog-land, let me dust off the old Risk Equation (here), which is a pretty interesting way to look at the problem of what to protect and what not to. There are lots of different takes on this, but I think considering the frequency of attack and the likelihood of success are commonly overlooked by those of us trying to figure out what to do. On the tail end of that discussion, I also want to highlight yet another idea on how to position security as a business enabler (here). I get that the realization that security is insurance is kind of offensive to some (especially if you know insurance people), but that's what it is.
Have a great day and remember to rejoice - if only just a little.
Top Security News
Encryption will proliferate
So what? - In one of the feature articles in this week's InformationWeek, Larry Greenemeier looks at both sides of the encryption argument. Obviously with continued issues around privacy breaches and the understanding that insiders are a legitimate threat to data, you are seeing a lot more demand for encryption. But all is not roses yet, because key management for a large enterprise ain't pretty and in many cases the user experience is impacted by the advent of encryption. It's also expensive and adds latency to the process. Things are improving and we'll soon be at the tipping point where encryption is easy enough (and cheap enough) to just be there. Starting at the database and working out, the data will be protected at all points in the process. And we will rejoice. Of course, that will make a lot of the technology that currently does content filtering and deep packet inspection kind of irrelevant (they can't read the data because it's encrypted), so those products will need to evolve quickly. We'll also see much bigger players get into the encryption game. EMC/RSA was the tip of the iceberg. I'd be surprised if within 18 months all the big tech players (yes, Microsoft, Cisco, HP, IBM, Oracle, et al) don't have their own data protection marketecture and have spent some dinero to kick start the efforts.
When in doubt, give it away
So what? - Speaking of layered security, which is mentioned below (here), Ross Brown of eEye uses his blog to do a product announcement. Given the recent Microsoft VML issue and the 3rd party patch from ZERT, I guess now is as good a time as any for him to announce that eEye is giving away a home version of their Blink host security product. This is a distribution model that we'll see over and over again because it works. Get security savvy folks to download your stuff and try it out, and then if they like it - they'll buy it. Of course, there will be some that don't and violate the agreement - but those are the same folks that use Lands' End sheets for a year and then return them. You know who you are! Most law-abiding netizens will do the right thing and buy the software.
ISPs - it's time to step up
So what? - According to the latest Big Yellow threat report, home users are being increasingly targeted for financial gain. Duh! But, that's OK - we need reports with data to validate what we already know. But what is the answer to solve the problem? I'm sure the AV vendors figure it's a bigger, better, services-driven desktop security suite. They are wrong. The only answer I can see is for the ISPs to get off their ass and start enforcing some measure of hygiene on their networks. If you take zombies out of play (and maybe even charge them some money to fix it - partner with the Geek Squad), then the compromised machines will get fixed and stay fixed. ISPs are scared that they will cause additional customer churn and also increase their support costs. I don't think so. Security savvy folks will search out ISPs that will enforce reasonable guidelines. And I suspect they get a lot of calls about their "slow network" when the user's machine is a cesspool of malware - so that is probably cost neutral. Some ISP will do it and I figure it will be soon. And we will rejoice.
Deal: ModSecurity goes into the Breach
So what? - Open Source is the new "gotta have" for security vendors. Usually an enterprising technical guy releases a product and if the resulting community develops, then they build a company around it (Snort, Nessus, Sendmail). But in what is a turn of events, the folks behind ModSecurity have sold to Breach Security. So now Breach has both their commercial product, as well as ModSecurity. This is a good move, though supporting both offerings for a long period of time probably doesn't make sense. Look for some technology cross-pollination between the offerings and for some sales/marketing leverage to be brought to the ModSecurity community as well. Some of the community will be disappointed (crap, now we get to hear about Breach Security), but always remember there is no free lunch.
CSO gets physical
So what? - Lots of people ask me how I can be so confident in my market predictions. It's actually pretty easy: I pay very close attention to buying centers and dynamics on the user side. I remember back in the late '90s being pitched by RSA (it was Security Dynamics at the time) about using the SecurID for physical security as well. I laughed and told them the buying centers were different and it wouldn't fly. It didn't. Neither did the SecurID modem for that matter. Different buyers. But now we are seeing some big vendors start to collapse the offerings that focus just on information security and physical security as well. This news peg is Cisco, but you have other folks getting into this game as well. We aren't fully there yet, but I have spoken to a number of CSOs that are increasingly gaining responsibility for physical security as well. So keep an eye on this trend, since it's all posturing until the budgets are combined.
Top Blog Postings
If it never happens, are you at risk?
Back in my TruSecure days, we had the "risk equation" drummed into our heads. It says Risk = Threat * Vulnerability * Cost. Of course, you need to grasp Peter Tippett's lingo, but it basically says threat is the FREQUENCY with which something is going to happen, and vulnerability is the likelihood of attack success. Folks over at Risk Analysis have dusted off this old war horse (using their own lingo, of course), but come to the same conclusion. If something is not very likely to happen, even if you are exposed, you have LOW RISK. The example used here is the Apple wireless exploit and they are right. Frequency is a key metric in understanding how you should be deploying your dollars. Lots of folks talk about the value of an asset in determining how much to protect it, and that's necessary but not sufficient for the full analysis. Don't forget to weigh in the frequency of attack as another metric in your "formula." Gosh, wouldn't it be great if we had a formula for all of this?
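To make the point about frequency concrete, here is a small worked example of the risk equation above. It is added here and is not code from the original post, TruSecure or Risk Analysis; the exposure names and all the numbers are constructed for illustration, and the "control" helper is my own addition to show how the equation ranks where to spend. It generalizes the Apple wireless case slightly: a high-exposure, low-frequency item is ranked against two lower-exposure, higher-frequency ones.

```python
from dataclasses import dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class Exposure:
    """One asset/attack pairing, in the terms of the TruSecure risk equation."""
    name: str
    threat: float         # FREQUENCY: expected attack attempts per year
    vulnerability: float  # likelihood an attempt succeeds (0.0 to 1.0)
    cost: float           # loss per successful attack, in dollars

    def risk(self) -> float:
        """Risk = Threat * Vulnerability * Cost, i.e. annualized expected loss."""
        if not 0.0 <= self.vulnerability <= 1.0:
            raise ValueError(f"{self.name}: vulnerability must be a probability")
        if self.threat < 0 or self.cost < 0:
            raise ValueError(f"{self.name}: threat and cost cannot be negative")
        return self.threat * self.vulnerability * self.cost


def rank_by_risk(exposures: List[Exposure]) -> List[str]:
    """Names ordered from highest to lowest annualized risk."""
    return [e.name for e in sorted(exposures, key=Exposure.risk, reverse=True)]


def net_benefit(before: Exposure, control_cost: float,
                threat: Optional[float] = None,
                vulnerability: Optional[float] = None) -> float:
    """Annual loss avoided by a control minus what the control costs per year.

    A control may lower the frequency (threat), the success likelihood
    (vulnerability), or both. A negative result means the control costs
    more than the risk it removes. This helper is an assumption of this
    example, not part of the original equation.
    """
    after = replace(
        before,
        threat=before.threat if threat is None else threat,
        vulnerability=before.vulnerability if vulnerability is None else vulnerability,
    )
    return before.risk() - after.risk() - control_cost


# Constructed sample exposures (illustrative numbers only).
EXPOSURES = [
    # Fully exposed and expensive if it lands, but rarely attempted.
    Exposure("wireless driver exploit", threat=0.05, vulnerability=0.9, cost=200_000),
    # Attempted constantly, almost always fails, moderate loss when it works.
    Exposure("phishing of finance staff", threat=50, vulnerability=0.02, cost=50_000),
    # Attempted often, succeeds a fair share of the time, large loss.
    Exposure("unpatched web server", threat=20, vulnerability=0.3, cost=100_000),
]


if __name__ == "__main__":
    for e in EXPOSURES:
        print(f"{e.name:28s} risk = ${e.risk():>12,.0f}/yr")
    print("ranking:", rank_by_risk(EXPOSURES))
    wireless, phishing, _ = EXPOSURES
    # Spending $20k/yr to close a $9k/yr exposure is a bad buy.
    print("wireless control:", net_benefit(wireless, 20_000, vulnerability=0.0))
    # Halving phishing success for $10k/yr pays for itself.
    print("phishing control:", net_benefit(phishing, 10_000, vulnerability=0.01))
```

Run it and the rarely attempted exploit lands at the bottom of the ranking despite being the most exposed line item, which is the frequency point above; the control comparison shows the same thing in dollars.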
Rethinking the second factor
I always find it entertaining and beneficial when the mainstream tech press starts poking around in security topics. Most of the time they get spun around like a top by vendors and the like, but they always provide a decent amount of context about a market. We security folk take for granted that we know how all this stuff works. As I'm reminded every time I go to a family function (what do you do again? Security stuff, right? What does that mean?), the vast majority of people out there have no clue. So this piece by David Berlind on strong authentication is worth the lengthy read. Of course, FFIEC has made strong auth top of mind, but exactly what does a second factor require? Clearly tokens are a non-starter for broad deployment, because they are too hard and expensive. But things like keystroke dynamics, "soft" tokens and passkeys are legitimate 2nd factors that don't require the distribution of any hardware. Martin McKeay isn't sure about these other methods, as he discusses here.
Another reason AV sucks
George Ou tries to put another bullet into AV. This time it's about performance. Some folks over in the UK have analyzed what slows down a PC, and it looks like AV is one of the major culprits. Not as much as spyware and adware (as Alan Shimel points out here), but it doesn't help. But I'm still not ready to tell people I like that they should turn off AV. Yes, a properly configured network and hardened OS will reduce the risk to a point where you can probably dispense with AV. George provides some of his techniques in this piece as well. But if you are running a laptop, what happens when you connect at the local coffee shop? You think those networks are properly configured? Not a chance. So I will once again make the case for layers. Sure, all of these additional security controls add overhead, but how much? Whether it's worth it is a personal and professional decision and not mine to make. But I still hold to another old adage: it's better to be safe than sorry.
Another joker tries to sell "enabling security"
After you've been in this business long enough, you get to see everything not just once or twice, but many times. And it gets annoying after a while. Folks continue to try to find a way to position security as an enabling technology and a means to gain competitive advantage. This time it's a fellow named Ken Belva who thinks he has a better way; he calls it "virtual trust." I assure you, Mr. Belva, your examples of trying to quantify how worms, viruses, etc. "weaken trust" will end up on the scrap heap like all the others. Nothing personal, but I've seen this movie - it seems like hundreds of times. And it always ends the same. One of these days you folks will get that I don't make this stuff up, and I'm not stuck in an "old paradigm." I focus on what works. And this doesn't.
Selling your security podcast
Alan and Mitchell have posted the podcast discussion I've been alluding to over the past week regarding how to sell your security strategy up the line and get appropriate funding. The panel featured Martin McKeay, Michael Farnum, Bobby Dominguez and yours truly in a wide-ranging discussion of what problems many CSOs are facing and how to position your strategy (yes, that's a marketing term!) and sell it to the powers that control the purse strings. Sales, arghhhh! I know you went into technology because selling was not interesting, but deal with it. We all need to sell, pretty much every day. But check out the podcast; it's a great discussion on an important topic.