The Daily Incite - September 26, 2006
September 26, 2006 - #124
Good Morning:
OK. I'm done rejoicing. For a few weeks anyway. I need to call some folks out today because conflict is good for business (here). It really is. I'm not sure that explains my daily behavior, but it at least gives my rationalization engine something to work on when I'm dismantling yet another vendor telling me it goes to 11. How about the TSA (here)? Now we can bring on little bottles of Scope? And drinks that we bought in the airline terminal? Maybe Starbucks was complaining about decreasing sales in airport terminals.
In security-land, it seems that a majority of consumers out there are just idiots. I guess we already knew that, but it's hard to see it in print. This survey from AuthenTec (here) makes the point that 24% think protecting themselves from identity theft is TOO EXPENSIVE. More expensive than having some joker run rampant at Target with your credit card? And it looks like Check Point is back in the business of poking their OEMs in the eye (here). I know they don't have too many strategic options to make themselves exciting, but that's how they treat their friends? I guess it's true, conflict is good for business.
Do we have any right to privacy anymore? The Constitution says we do, but can that be enforced anymore? The Mogull takes on that topic today (here) and it's making my brain hurt. Pandora's privacy box is open and it's not clear we'll ever get it back under control. I guess there go my political aspirations, since there are a ton of skeletons in my own Internet closet probably logged somewhere. Finally, I don't much care how many bugs my browser has (here). The industry's preoccupation with vulnerabilities, as opposed to RISK, is annoying. I'll need to stir up some conflict there too because it seems we spend a lot of time fixing stuff that is not an issue (here).
Have a great day and Happy Birthday to my brother Barry. We rejoiced last night, so now it's back to the business of being grumpy.
Top Security News
Do you get what you pay for?
So what? - There are over 800 security companies out there. They all want to figure out how to charge you for their widgets and doodads. But do you need them? I can assure you, not all of them. There are lots of free tools out there that can do a decent job, especially for the technically savvy. Of course, you know about Snort, Nessus, and NMAP. Maybe even about Metasploit and ModSecurity. There will be a lot more because this kind of business model (free stuff, with a "premium" commercial version) is working. In this article, Roger Grimes goes through some of his favorite free tools. From SysInternals to tools like Fscrack and HackPack - Roger mentions the ones he likes and then points to insecure.org - which maintains the Top 100 Network Security Tools list. The role of the security admin is to do an effective job in the most cost-effective way. So depending on your level of expertise, some of these freebies may work for you.
http://www.infoworld.com/article/06/09/22/39OPsecadvise_1.html
Low and slow - get used to it
So what? - I write frequently about how the security business has changed. The economic motive, as opposed to the nuisance motive. That has precipitated a new type of attack and it's the most dangerous kind. The attack that you don't know about. The one that is designed to evade detection. They don't take enough to make you notice, but you are still owned. This article is more mass-market focused, but it provides a good overview of some of the new tactics being used by the bad guys. They are much more effective in targeting their attacks. They can use some local knowledge to gain credibility. And then you are done. How do you defend against it? Like everything else. With layers and fail-safes. By tracking what's running on your machines and viewing traffic statistics. By looking for behavior that is out of the norm, and investigating. But most of all, it's by not having your users do stupid things. Don't minimize the impact of security training. When these other defenses fail (and they do), it's the only thing you have left.
http://biz.yahoo.com/ap/060925/slow_computer_viruses.html?.v=6
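A defensive illustration of the "look for behavior that is out of the norm" point above, added here and not part of the original newsletter: constructed per-host daily outbound byte counts (made-up data), a naive per-day threshold that a slow trickle never trips, and a per-host baseline check that flags the same trickle because it compares each machine with its own history rather than with a fixed limit.

```python
"""Spot 'low and slow' activity by comparing each host with its own baseline.
Added example with constructed data; host names and byte counts are made up."""
from statistics import mean, pstdev

BASELINE_DAYS = 10          # days used to learn what 'normal' looks like
Z_LIMIT = 3.0               # standard deviations above baseline that warrant a look
NAIVE_ALARM_MB = 500        # a smash-and-grab style per-day threshold

# Constructed sample: 14 days of outbound MB per host. ws-07 starts trickling
# data out on day 10 at a rate far below the naive alarm.
SAMPLE = {
    "ws-01": [120, 130, 115, 125, 140, 118, 122, 135, 128, 124, 126, 131, 119, 127],
    "ws-07": [120, 130, 115, 125, 140, 118, 122, 135, 128, 124, 152, 155, 158, 160],
}

def naive_threshold_hits(series, limit=NAIVE_ALARM_MB):
    """Days whose volume exceeds a fixed threshold (misses a slow trickle)."""
    return [day for day, mb in enumerate(series) if mb > limit]

def baseline_deviations(series, baseline_days=BASELINE_DAYS, z_limit=Z_LIMIT):
    """Days after the learning window that sit more than z_limit standard
    deviations above this host's own baseline mean."""
    base = series[:baseline_days]
    mu, sigma = mean(base), pstdev(base)
    sigma = sigma or 1e-9           # a perfectly flat baseline still works
    return [day for day, mb in enumerate(series[baseline_days:], start=baseline_days)
            if (mb - mu) / sigma > z_limit]

def cumulative_excess_mb(series, baseline_days=BASELINE_DAYS):
    """Total volume above the baseline mean after the learning window: a rough
    answer to 'how much has already gone out' once a host is flagged."""
    mu = mean(series[:baseline_days])
    return round(sum(max(0.0, mb - mu) for mb in series[baseline_days:]), 1)

def review(sample=SAMPLE):
    """Return {host: flagged_days} for hosts the baseline check singles out."""
    return {host: days for host, series in sample.items()
            if (days := baseline_deviations(series))}

if __name__ == "__main__":
    for host, series in SAMPLE.items():
        print(host, "naive:", naive_threshold_hits(series),
              "baseline:", baseline_deviations(series),
              "excess MB:", cumulative_excess_mb(series))
```

The flagged days are a prompt to investigate, not a verdict; the learning window has to be clean for the baseline to mean anything.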
What do consumers think about identity theft?
So what? - I'm not big on vendor-sponsored surveys. The questions are slanted, the data is manipulated and most of the time the conclusions drawn are suspect. Yet, I came across a survey from biometrics vendor AuthenTec and it gives me the opportunity to make a couple of points. These folks wanted to get a feel for how run-of-the-mill folks view identity theft. The answers are not surprising, but a bit confusing to me. 73% are concerned about it. The other 27% must be stupid. Got it. 54% believe they are responsible themselves to protect their own identities. Huh? The other 46% are really stupid. If you think your bank or ISP gives a crap about you, think again. The extent of their worry is how loud a mouth you have, how it will impact their brand, and how much it's going to cost them to make it right. 27% don't know how to protect themselves. I believe that. But 24% think it's too expensive. Now that's interesting. Talk about an insurance mindset. A full quarter of those surveyed thought protecting themselves was too expensive, which really means - it won't happen to me. We seem to have a lot of ostriches out there. Head in the sand, hoping the problem goes away. Now that I think about it, my categorization of users (here) probably applies to consumers as well.
http://biz.yahoo.com/bw/060926/20060926005272.html?.v=1
We don't need no stinkin' appliances
So what? - It's time to roust Chris Hoff from his slumber. It seems that his friends at Check Point have gotten into bed with Intel and broken through a number of performance barriers (press release here). They are claiming 10Gbps of throughput, 2 million packets per second and 3.17 Gbps of encrypted VPN throughput. Most interesting is how Check Point is once again spinning the virtues of software on an industry standard platform, as opposed to custom security appliances. I guess they are dead set against bringing their own "custom" platforms to market, even though Nokia and Crossbeam at least slowed the erosion of their customer base by bringing the products to market in a form factor customers wanted to buy. And who is to say that some of these appliance vendors won't be using Intel's newest processors to drive their "custom software appliances?" For 95% of the world, speed is not the deciding factor in what platform they buy. It's manageability. It's ease of use. It's the ability to make things simpler. That's why customers like appliances. Now they want more stuff in those appliances (beyond FW, VPN, and IPS) and they want better integration of the pieces. I wonder how Intel is going to help Check Point with that.
http://www.eweek.com/article2/0,1895,2016675,00.asp
The toiletries packaging conspiracy
So what? - It seems cooler heads have prevailed at the TSA and now US travelers can bring travel-sized toiletries aboard airplanes. That's a relief. I couldn't take much more halitosis on all of these folks that flew to Interop last week and seem to have forgotten to buy more toothpaste when they landed. Maybe I'm watching too many movies and reading too many spy thrillers, but do you think the plastics industry had anything to do with this? They are going to sell a crapload of those little Scope bottles and small toothpaste packages now. Obviously I jest, but it just goes to show how ridiculous these reactions from the TSA are. Lots of folks have weighed in, so I can't add much to the discussion of how to make air travel safer, besides to point out how the terrorists have been remarkably effective at dramatically impacting the daily life of the typical US citizen. It's sad.
http://news.yahoo.com/s/ap/20060925/ap_on_go_ca_st_pe/air_travel_security
Top Blog Postings
Conflict is good for business
A lot of people ask me why I'm such an ass most of the time. Seriously. I stir the pot, call people out on the carpet, ruffle feathers, and make no apologies for it. Why? As the 37Signals folks point out in this post, it's because conflict is good for business. It really is. No one is interested in a bunch of guys getting into a room and agreeing. Conflict is healthy. Conflict pushes people out of their comfort zones. Conflict makes you think about what you say. But there is a fine line between pushing for greater depth of analysis and being an ass. I don't really know where that line is, but that's another "feature" of my personal operating system. One of the first rules of marketing is that everyone needs an enemy. A muse. Someone to force you to bring your A game - every day. That's why being the first in any market is so hard: you've got no one to target. No one to push you. But if your idea is right, you will, and soon. Then you can embrace conflict like the rest of us.
http://37signals.com/svn/archives2/conflict_is_good_for_business.php
Privacy shmivacy - The Mogull's Rules
Maybe it's me. Maybe I'm a heretic and a heathen. Maybe I just don't understand the ramifications, but these constant privacy arguments are starting to bore me. Maybe that's because I don't have an answer, but the discussion continues. This time The Mogull takes on Anton Chuvakin relative to when and where logging is cool and brings it around to a set of "rules" that reflect where we are at. Anton works for a log management vendor, so it's no surprise that he thinks logging is cool everywhere. Rich doesn't, but believes that when at work - there is no expectation of privacy. So I'm with both of them to this point. But what about your personal life? Are you entitled to privacy in what you do on your own time? The US Constitution says yes and I'm cool with that. It's enforcing it that's the problem. How are we going to enforce privacy rights in the digital age? It's a non-trivial discussion and it's making my brain hurt. Rich believes that monitoring and logging is OK for law enforcement, but how and where do you draw the line? I don't have the foggiest idea. Ultimately, I guess I come down in the camp of Scott McNealy - "You have no privacy, get over it." That may be the wrong answer, but it's the only answer I can see.
http://securosis.com/2006/09/23/sorry-logging-is-a-privacy-risk/
Going through life - one quarter at a time
It seems that end user land is treating Mike Murray pretty well. He's got time to think. This post is pretty thought-provoking because it underscores many of the ills of the technology market and probably the broader industry. We in technology think of things in terms of maybe quarters (am I going to make my number?) or product cycles - which are maybe 12 months, but more likely 4-6 months. And those aren't getting any longer. Not too many companies have the luxury of thinking long term and strategically. That's a shame because in many cases these short term decisions have resulted in one step forward and two steps back. If you didn't have to worry about next quarter or paying the bills, what would you do differently? I'm not sure I have any conclusions about how my work should change or how yours should, but it's something to at least think about.
http://episteme.ca/cblog/index.php?/archives/21-Taking-the-Long-View.html
I don't care how many bugs my browser has
I wrote about what I thought was the most interesting aspect of Symantec's threat report yesterday (here) - the increasing targeting of consumers, which will require the ISPs to step up and do something about all of those zombies lurking on their networks. It seems I was wrong. The most interesting part (according to the media anyway) is that Firefox has more vulnerabilities than IE, but they get fixed faster. Who gives a rat's ass? If you want a secure browser, then use Opera. No one else does, so you don't have to worry about the hackers targeting you. I want to know that my browser will be updated when something breaks. Firefox seems to have an advantage there. But most of all, I want and need a productivity tool. I use Firefox not because I'm anti-establishment, but because it has plug-ins that make me MUCH MORE PRODUCTIVE. I've got lots of other defenses in place to make sure that even if my browser is buggy, I'll still be protected.
http://www.computerworld.com/blogs/node/3566
Recently on the Security Incite Rants Blog
Security State of the Union - Status quo
I just had to weigh in on the discussion (started by Bruce Schneier) regarding whether we are winning or losing the security battle. I pretty much think it's status quo. Some areas are improving and others...not so much. Also in this post, I characterize many of the end users I run across into 4 buckets. That's worth reading the post, but my net-net is that we aren't going to change human behavior and the economic impact of crime will ensure that there are always new and innovative ways to perpetrate a fraud. But I've also said many times that you don't have to be 100% secure, you just need to be more secure than the other guys.
http://securityincite.com/blog/mike-rothman/security-state-of-the-union-status-quo
Does PCI have teeth?
I did a real quick post here about what seems to be MasterCard and Visa increasingly starting to enforce the PCI standards. That's a good thing because any regulation (listen up HHS about HIPAA) that has no real enforcement teeth is an empty suit. We are all too busy to deal with empty suits.
http://securityincite.com/blog/mike-rothman/does-pci-have-teeth
NetworkWorld Column: Security awareness Cisco-style
In this week's NetworkWorld Column, I cover how Cisco does security awareness. As many of you know, I think security awareness and training are a critical part of any security program, and Cisco shows once again why they are the pre-eminent practitioner of poster child marketing.
http://securityincite.com/blog/mike-rothman/networkworld-column-security-awareness-cisco-style
Read yesterday's Daily Incite
http://securityincite.com/TDI-2006-09-25