The Daily Incite - September 29, 2006
September 29, 2006 - #127
Good Morning:
Today I want to talk about repenting. None of us are perfect, and I am no exception. Most days I feel like I'm screwing more stuff up than doing right, but that's part of the process. I try to learn from every mistake and know that if I'm not pushing out of my comfort zone, I'll never improve. And this coming Monday, I'll make my peace, repenting for the ill-advised, inconsiderate, and just plain stupid things I did over the past year. I guess some folks repent constantly, but that's not for me. I'm too busy screwing things up. So there will be no Daily Incite on Monday.
In security-land, the big news this week is DEMO. It never ceases to amaze me how crappy security ideas are able to get some visibility from folks that should know the difference (here). I only wonder about the security companies that didn't make the DEMO cut. I'm sure there were some beauties in there. Let me also point out an interesting offering from CyberTrust (here) to help police partners and other companies that are granted access to your network. It's a good use of the MSS model, even for those folks that want to continue managing their own stuff.
In blog-land you MUST check out Ross Brown's post on how to compete with Microsoft (here). Ross has been there and done that, both successfully (with Citrix) and unsuccessfully (with IBM) and you can learn from him. The bit about Symantec making the same mistakes as IBM in the OS/2 days had me rolling, but it's scarily true.
Since many of my readers do their own blogging, Steve Rubell wonders whether it's better to join the "blog herd" or be your own cow (here). Do you do original work or just link to and add depth to the discussions of other folks? Both Steve and I figure the answer is both. Each day, I use the Daily Incite as a way to focus attention on the things that I think are most important, providing my spin on each news item. But I also try to do at least one other original post each day, to make sure I'm pushing myself to think and document that thinking consistently. Obviously there is a pretty steep time commitment to do both, and that's not for everyone.
Have a great weekend and I'll see you on Tuesday.
Technorati: Information Security
Top Security News
DEMO this
So what? - Everyone gets all hot and bothered about the annual DEMO extravaganzas, where 80 or so companies show the new new thing and try to generate some buzz for what they are doing. Security is becoming increasingly represented at DEMO and that's good. But it seems the offerings leave a bit to be desired. Trend previewed their anti-bot offering (which I covered here) at the show and that's pretty cool. But one-time public keys? Not again. PKI is the star in Night of the Living Dead. You just can't kill it. I'm skeptical of its consumer applications unless these folks from Data Security Systems Solutions can make the technology disappear. Hocus pocus I say. And a company called MyPW is trying to do token-based authentication as a service. Whoop de do? Can they do some hocus pocus on the key fob? That's the only way something like that is going to take off. And in what seems to be the first example of a user-centric identity service, PerfPass is trying to abstract a user's preferences from their actual credentials (NetworkWorld coverage here). It's got a big adoption curve (you need both sites and users to play), but this seems to be the most promising thing I heard of from the show.
http://www.eweek.com/article2/0,1895,2021837,00.asp
How's that security program?
So what? - I say pretty consistently that security is a process, not a product. And in order to have a manageable process you need to take a programmatic approach to security. Sounds kind of squishy, I know, but it's important. So important, that I've got some ideas and will be publishing my methodology to build a security program before the end of the year. But there are lots of structures and templates you can model, like COBIT and BS 7799. Shon Harris provides some perspective on the security program in this piece, which gives a high-level overview of BS 7799, but the most important point is the criticality of executive support. Without that, don't even bother - you can't be successful.
http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1210562,00.html
Policing your partners
So what? - It's said that security is only as strong as the weakest link in the chain. It's true. But how can you figure out what your trading and business partners are doing? Especially if they are accessing some of your back-end systems, you are particularly exposed. It's hard enough to stay on top of your own stuff, so you clearly don't have the resources to keep track of everyone else's crap - so you'll rely on managed service providers to do this. This coverage of a CyberTrust offering is the first I've seen to be packaged specifically to address the issue, but it won't be the last. MSS providers are built for this, with their tools and processes focused on determining exposures remotely. But ultimately it will get down to a pricing discussion. If the MSS folks price this type of offering effectively, then it's a no brainer for anyone that provides access to partners. If not, then it's too easy for senior execs to play ostrich (here) and wait for an issue before taking action.
http://www.darkreading.com/document.asp?doc_id=104437
NBAD is (n)other tool in the bag
So what? - I can say there is more interest in network-based anomaly detection out there. I'm not sure why, besides the fact that a few products have been out there long enough to gain some measure of comfort for customers looking to burn up whatever money they have left in the 2006 budget. I'm sure I could help them with that. All kidding aside, looking for anomalous behavior is one of the techniques that should be brought to bear to protect networks. Is it a stand-alone function? That is directly correlated to how big an environment you manage. Carriers and ISPs need it because they can suffer real outages (and have grumpy customers) if they don't track flows. SMBs not so much, but it could be useful as long as it's integrated into the other stuff (like UTM). So NBAD isn't going away, but I also don't think it's stand-alone except in the largest 1000 networks in the world. Cisco's got its thang (MARS), but the others don't. So look for some long awaited deals to happen in this space soon.
http://www.networkworld.com/news/2006/100206-specialfocus.html
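Since the piece above talks about tracking flows without showing what "anomalous behavior" means in practice, here is an added example of the idea behind an NBAD tool. It is mine, not code from the NetworkWorld article, Cisco MARS or any other product. The flow records are constructed for the example (not real traffic), and the two features, distinct destinations and bytes out per source per minute, plus the mean-plus-k-sigma threshold with an absolute floor, are my choices rather than anything a vendor documents.

```python
"""Minimal flow-based anomaly detection (NBAD-style), as an added example.

Each flow record is a constructed tuple (minute, src, dst, dport, bytes).
A per-source baseline is built from the first `train_minutes` of records,
then later minutes are scored against it on two features:
  - number of distinct (dst, dport) pairs a source talked to (fan-out)
  - total bytes the source sent
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample data (assumption, not captured traffic). Three hosts
# behave the same way for minutes 0-4. In minute 5, 10.0.0.7 fans out to
# 40 hosts on port 445 (a scanning/worm pattern) and 10.0.0.9 pushes an
# unusual volume of bytes out to a single destination.
FLOWS = []
for minute in range(5):
    for src in ("10.0.0.7", "10.0.0.8", "10.0.0.9"):
        FLOWS.append((minute, src, "10.0.1.1", 53, 120))
        FLOWS.append((minute, src, "192.0.2.10", 80, 4000 + 100 * minute))
        FLOWS.append((minute, src, "192.0.2.11", 443, 9000))
for i in range(40):
    FLOWS.append((5, "10.0.0.7", f"10.0.2.{i}", 445, 300))
FLOWS.append((5, "10.0.0.9", "198.51.100.5", 443, 250_000))
FLOWS.append((5, "10.0.0.8", "192.0.2.10", 80, 4500))
FLOWS.append((5, "10.0.0.8", "10.0.1.1", 53, 120))

FEATURE_NAMES = ("distinct_destinations", "bytes_out")


def features_per_minute(flows):
    """Return {(minute, src): (distinct_dst_port_pairs, total_bytes)}."""
    dsts = defaultdict(set)
    total = defaultdict(int)
    for minute, src, dst, dport, nbytes in flows:
        dsts[(minute, src)].add((dst, dport))
        total[(minute, src)] += nbytes
    return {k: (len(dsts[k]), total[k]) for k in dsts}


def build_baseline(flows, train_minutes):
    """Per-source (mean, stdev) of each feature over the training window."""
    feats = features_per_minute(f for f in flows if f[0] < train_minutes)
    per_src = defaultdict(list)
    for (_minute, src), vec in feats.items():
        per_src[src].append(vec)
    baseline = {}
    for src, vecs in per_src.items():
        cols = list(zip(*vecs))  # one column per feature
        baseline[src] = [(mean(c), pstdev(c)) for c in cols]
    return baseline


def score(flows, baseline, train_minutes, k=3.0, floor=(5, 20_000)):
    """Flag (minute, src, feature, value) where value > mean + max(k*stdev, floor).

    The absolute `floor` per feature keeps a perfectly flat baseline
    (stdev 0) from alerting on a change of one destination or a few bytes.
    Sources with no baseline at all are reported as unknown hosts.
    """
    feats = features_per_minute(f for f in flows if f[0] >= train_minutes)
    alerts = []
    for (minute, src), vec in sorted(feats.items()):
        if src not in baseline:
            alerts.append((minute, src, "unknown_host", vec))
            continue
        for i, value in enumerate(vec):
            mu, sigma = baseline[src][i]
            if value > mu + max(k * sigma, floor[i]):
                alerts.append((minute, src, FEATURE_NAMES[i], value))
    return alerts


def detect(flows=FLOWS, train_minutes=5):
    """Build the baseline from the first minutes and score the rest."""
    return score(flows, build_baseline(flows, train_minutes), train_minutes)


if __name__ == "__main__":
    for alert in detect():
        print(alert)
```

The training window here is tiny on purpose; a real deployment baselines over days, separates business hours from off hours, and uses more features (new external ASNs, unusual ports, inbound fan-in). The point the example makes is the one in the item above: the value of NBAD is in the baseline, so the smaller the network, the less there is to baseline against and the more it makes sense to fold this into whatever else is already watching the traffic.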
GE takes on Cisco
So what? - Yes, that GE. They have decided to get into the LAN switching game. I'm sure Cisco is quaking in their boots. NOT. But GE is not going after the commodity switch business (isn't it all commodity switching now?), but rather infrastructure for physical security systems. A week ago, Cisco made a big announcement about how security video will travel over the data network and they are right. Physical and cyber security are coming together, driven by the need to leverage infrastructure. So why would you want to roll out some shiny new GE equipment to build a new overlay data network for your surveillance cameras? Right, you wouldn't and shouldn't. I guess we should give GE some props for not taking Cisco's intrusion into their physical security patch lying down, but plumbing is plumbing. And Cisco owns the network plumbing.
http://www.networkworld.com/newsletters/lans/2006/0925lan1.html
Top Blog Postings
How Ross competes with Microsoft
If you are a vendor, it seems that sooner or later you are going to need to face the Redmond-sters. Inevitably if you've done your job and created a market, they will be interested in it and then you'll face ruthless competition Microsoft-style. One approach (practiced by some) is to run to the authorities in Europe. Another set of tactics is described here by Ross Brown, who has seen both successful competition (Citrix) and not so successful (IBM). Ross goes through 8 specific points, but to me it gets down to one thing - focus on your customers. Can it really be that easy? Of course it's not easy, but it is that straight-forward. Folks like Google, Intuit, and Citrix show every day that you can compete with Microsoft. Best quote of the piece, in talking about OS/2 and how Symantec has seen that movie before: "IBM was exerting tremendous amounts of energy into teams and research on "how to beat Microsoft" and Microsoft was focused tremendously on how to make customers happy. Watching Symantec under John Thompson, Tom Kendra and team (all ex-IBM Software) make the same mistake again is like watching a slow-motion car crash all over again." Those who forget history are doomed to repeat it.
http://technobabylon.typepad.com/tb/2006/09/how_to_compete_.html
Amrit on anti-zombie elixir
Seems everyone is joining this blogging bandwagon nowadays. Amrit Williams is the latest analyst to throw his hat into the ring. Amrit's day job is working with the G-people, but I guess he has found some extra time to wax poetic about security topics for the rest of us. Welcome to the neighborhood. In this post, Amrit details a bit about the history of zombies (and claims Network Associates coined the term) and also expresses some skepticism as to whether customers will pay for more technology to stop the issue. The point is that customers won't pay. But the ISPs have to. They will face a crisis of trust which will impact their business if the botnets are allowed to continue flourishing. And that doesn't factor in any of the additional bandwidth and management costs of continuing to allow zombies to roost in their house. I don't think cost is the real issue here. The issue is whether the ISPs will do the right thing and quarantine 0wned machines on their network.
http://techbuddha.wordpress.com/2006/09/28/how-to-survive-a-zombie-attack/
The downside of SaaS
Michael Wright is frustrated. The man has told him to pipe down and connect his network to a service provider that evidently provides a pretty valuable service. Michael's protestations are right on the money. Connecting directly to someone else's network creates all sorts of opportunities for bad stuff to happen. And in a subsequent post he is forced to use static routes as well. What's a boy to do? Grin and bear it, for one. And document the crap out of everything. So if something goes down - his hind section is covered. But there are also things to be done at the beginning of the procurement. Force yourself into the discussion early and ensure the service provider's security is up to snuff. As Michael is finding out, protesting after the service provider is entrenched is a challenging thing to do right. And employ layers to segment as much of the network away from the service provider as possible.
http://mcwresearch.com/archives/316
This is the Grim Reaper calling
Talk about a bad day. The last call you may ever get is from investigative security reporter Brian Krebs saying your ecommerce site has been compromised (here) and your customers' credit card info is being stolen as he speaks to you. Ouch. I certainly feel for these companies being victimized and of course, the customers whose information was stolen, BUT if you are first learning about a security issue from Brian Krebs - you probably have taken your eye off the ball. Thanks to Martin for pointing out this article, and he brings up a couple of good points relative to what data should be stored and whether it's encrypted or not. As Brian points out, even those HackerSafe seals are no protection and at worst present a false sense of security. Given the prevailing environment out there, you are best off storing the least amount of data possible. And protecting it. I know that's easier said than done, but you don't want to be on the other end of a call from the Grim Reaper, now do you?
http://www.computerworld.com/blogs/node/3603
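To make "store the least amount of data possible" concrete, here is an added example of what an order record can look like once the card has been handed to the payment processor. It is my code, not anything from the Computerworld post, Krebs' article or Martin's comments. It keeps the last four digits (for customer service) and a keyed hash of the card number (so repeat use of the same card can be recognized), and never writes the full number or the CVV. The field names, the sample checkout and the demo key are assumptions for the example; in a real deployment the HMAC key lives in a secrets store or HSM, not next to the order database.

```python
"""Data minimization for card-handling, as an added example.

After the processor has authorized the charge, the only card-related
facts this record keeps are the last four digits and a keyed reference.
The full PAN and the CVV exist only in the in-memory checkout payload
and are never part of what gets persisted.
"""
import hashlib
import hmac
import json
import re

# Constructed test data: 4111 1111 1111 1111 is a well-known Visa test
# number, the order and transaction identifiers are made up.
SAMPLE_CHECKOUT = {
    "order_id": 1001,
    "amount": "49.99",
    "card_number": "4111 1111 1111 1111",
    "cvv": "123",
    "expiry": "12/08",
    "processor_txn": "txn_abc987",
}
# Assumption for the example only: a real key comes from a secrets store.
DEMO_KEY = b"replace-me-with-a-key-from-an-hsm-or-secrets-store"


def luhn_ok(pan):
    """Standard Luhn check on a string of digits."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def card_reference(pan, key):
    """Keyed, one-way reference to a PAN.

    A plain hash would be reversible by brute force (a 16-digit space with
    a known prefix is small); with HMAC the attacker also needs the key,
    which is deliberately not stored with the orders.
    """
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def minimized_order(checkout, key):
    """Build the record that is allowed to hit the order database."""
    pan = re.sub(r"\D", "", checkout["card_number"])
    if not (13 <= len(pan) <= 19 and luhn_ok(pan)):
        raise ValueError("invalid card number")
    return {
        "order_id": checkout["order_id"],
        "amount": checkout["amount"],
        "card_last4": pan[-4:],
        "card_ref": card_reference(pan, key),
        "processor_txn": checkout["processor_txn"],
    }


def stores_forbidden_fields(record, pan, cvv):
    """True if the full PAN shows up anywhere in the serialized record or
    the CVV is stored as a field value. Useful as a unit test guard so a
    later 'helpful' change cannot quietly start persisting them."""
    blob = json.dumps(record)
    return pan in blob or cvv in record.values()


if __name__ == "__main__":
    rec = minimized_order(SAMPLE_CHECKOUT, DEMO_KEY)
    print(json.dumps(rec, indent=2))
    print("leaks card data:", stores_forbidden_fields(rec, "4111111111111111", "123"))
```

The `stores_forbidden_fields` check is the part worth keeping around: wire it into the test suite so that whatever gets persisted is asserted never to carry the PAN or CVV, and the "what should we store" discussion Martin raises turns into a test that fails when someone adds a field.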
Recently on the Security Incite Rants Blog
Can Oracle succeed in security?
Everyone's favorite database (and everything else) vendor is out on the road talking to customers about security. A little birdie dropped off the presentation, so I thought I'd spend a little while going through it and figuring out how credible Oracle is going to be in the space. The answer is not much, but they'll still be someone a user needs to factor into a decision just due to their brute force method of buying entire markets (or so it seems). There are lots of analogies between the CA of old and the Oracle of today as well, but Larry's minions are not much on history - so those lessons will likely be lost.
http://securityincite.com/blog/mike-rothman/can-oracle-succeed-in-security
NetworkWorld All-Stars: Rained Out
I rant a bit about NetworkWorld's Enterprise All-Stars feature here. I love case studies, but only when there is enough information to learn something. The way NWW packaged this information is terrible and it's a shame - because I'm sure there is a lot we all could have learned from the real experiences of 40 companies.
http://securityincite.com/blog/mike-rothman/networkworld-all-stars-rained-out
Read yesterday's Daily Incite
http://securityincite.com/TDI-2006-09-28

