The Daily Incite - October 20, 2006

Submitted by Mike Rothman on Fri, 2006-10-20 08:13.
Today's Daily Incite

October 20, 2006 - #139

Good Morning:
It's Friday already? Some weeks go slooooow, but not this one. Travel usually does accelerate the week, and having a lot on the ol' plate doesn't help either. But since I was gone last weekend, there will be lots of catching up around the house and with the family this weekend. Kind of an eclectic day in security-land, with earnings from a lot of security stalwarts hitting (here) this week. I get a lot of good perspective and detail from the earnings calls, but they are very time consuming. That was until I found the SeekingAlpha site (here), which publishes earnings call transcripts for free. It's pretty cool, so check it out if that's your thing.

In other security news, I came across a couple of MSS-related stories that I found interesting, such as Counterpane going deeper into the application layer (here) and a selection criteria article for SMBs looking at MSS (here). In blog land, I look at some of the early information on IE7, including the first potential vulnerability (here), and also point to a very interesting post by Ed Moyle about who is at fault for pretexting and social engineering if done with nefarious intent (here). Thanks Ed for making me think.

Have a great day and enjoy your weekend.


Top Security News

Earnings Watch: Good quarter in security-land
So what? - This was the big earnings announcement week for many security companies. Check Point, VeriSign, Juniper, Citrix, and a couple of others announced. The security businesses of all were pretty strong. Citrix got pummeled, but that's more about growth leveling out in the presentation server business. Juniper had good growth on their security gateway business, but saw stand-alone IDP (their IPS platform) go down. This is not surprising, as IPS is increasingly subsumed into UTM platforms - the marginal players in the market will erode first. VeriSign has bundled their security business into a new group called Internet Services, so it's hard to tell how their MSS operations are faring. But SSL certs are growing about 12% organically, 50% if you include the GeoTrust deal. Check Point had a pretty good quarter as well, but Wall Street remains skeptical without a broader strategy announcement and/or a few acquisitions to convince investors about Check Point's longer term staying power.
Check Point (here), VeriSign (here), Juniper (here), Citrix (here)


Meet 2 of the Security 7
So what? - TechTarget gives out an annual set of awards called the Security 7, focusing on big accomplishments in 7 different verticals. They've published two of these award winners and the stories are pretty good. One highlights Larry Brock of DuPont, who espouses the benefits of influence as opposed to setting policies. Collaborating with other business leaders may be the single most important success criterion for CSOs today. The other is Craig Shumard of CIGNA, who discusses risk as opposed to security. But what I took from this profile is the reminder that it's about process, as opposed to products, and that users with the right training have an opportunity to do the right thing. This is the kind of information and perspective I hoped to get from NetworkWorld's Enterprise All-Stars, but that topic's been picked over a bit, no?
Larry Brock, Dupont (here) and Craig Shumard, CIGNA (here)

Stronger passwords don't increase security?
So what? - I've been saying for a while that you can find data to support pretty much any position that you want to take. We've seen a lot of contradictory data about strong passwords. Some security folks are huge proponents, others - not so much. This study, from Nucleus Research and KnowledgeStorm, showed that the only impact of strong passwords was to get more employees to write them down. I happen to agree, but am a bit skeptical that biometrics is the answer. They've been talking about biometrics for years and years and we still don't have ubiquitous readers and there are pretty significant accuracy and user adoption questions. So what to do? One option is contextual authentication (though it's pretty early) where you add additional authentication steps based on what is being done or accessed. Or you can add something like keystroke dynamics to a weaker password, though there has been some push back on accuracy here as well.
http://money.cnn.com/2006/10/17/technology/bc.life.passwords.reut/
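To make the "contextual authentication" option above concrete, here is an added example (not code from the Daily Incite, the Nucleus Research study, or any vendor) of a risk-based step-up decision. The password stays the first factor; the context of each request (device, country, hour, sensitivity of the action, recent failed logins) is scored, and the score decides whether to allow, demand a second factor, or refuse. The signal weights, thresholds, action list and the sample profile are all assumptions chosen for illustration.

```python
"""Contextual (risk-based) step-up authentication.

Added example, not the page's or any vendor's code. Weights, thresholds,
the SENSITIVE_ACTIONS list and the sample user profile are assumptions.
"""
from dataclasses import dataclass, field

# Actions that should never ride on a password alone (assumed list).
SENSITIVE_ACTIONS = {"export_customer_data", "change_bank_details", "grant_admin"}

STEP_UP_THRESHOLD = 50   # at or above: require a second factor
DENY_THRESHOLD = 100     # at or above: refuse outright, do not even offer step-up


@dataclass
class UserProfile:
    username: str
    known_devices: set = field(default_factory=set)
    usual_countries: set = field(default_factory=set)
    usual_hours: range = range(7, 20)  # local working hours (assumed)


@dataclass
class Request:
    device_id: str
    country: str
    hour: int                      # local hour of the request, 0-23
    action: str
    failed_logins_last_hour: int = 0


def risk_score(profile: UserProfile, req: Request) -> int:
    """Sum weighted context signals; higher means less confidence in the session."""
    score = 0
    if req.device_id not in profile.known_devices:
        score += 30  # never seen this device for this user
    if req.country not in profile.usual_countries:
        score += 30  # geolocation differs from the user's history
    if req.hour not in profile.usual_hours:
        score += 10  # off-hours activity is a weak signal on its own
    if req.action in SENSITIVE_ACTIONS:
        score += 50  # a sensitive action alone is enough to demand step-up
    # Recent failed logins against this account suggest guessing; cap the effect.
    score += min(req.failed_logins_last_hour, 5) * 5
    return score


def decide(profile: UserProfile, req: Request) -> str:
    """Return 'allow', 'step_up' or 'deny' for the request."""
    score = risk_score(profile, req)
    if score >= DENY_THRESHOLD:
        return "deny"
    if score >= STEP_UP_THRESHOLD:
        return "step_up"
    return "allow"


def complete_step_up(profile: UserProfile, req: Request, second_factor_ok: bool) -> str:
    """Finish a step-up challenge. On success, remember the device so the user is
    not challenged for it again; on failure, deny and leave the profile untouched."""
    if not second_factor_ok:
        return "deny"
    profile.known_devices.add(req.device_id)
    return "allow"


if __name__ == "__main__":
    alice = UserProfile("alice", known_devices={"laptop-1"}, usual_countries={"US"})
    routine = Request("laptop-1", "US", hour=10, action="view_dashboard")
    export_new_device = Request("phone-9", "US", hour=10, action="export_customer_data")
    print(decide(alice, routine), decide(alice, export_new_device))  # allow step_up
```

Note that a sensitive action always scores at least the step-up threshold, so registering a device after a successful challenge reduces friction for routine work without ever letting a data export ride on the password alone.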

MSS extends to the application
So what? - This release from Counterpane hit two weeks ago, but I think it brings up an important concept. Basically Counterpane is moving into the data security services business by protecting databases and applications, predictably the big ones like SAP, Oracle and Microsoft SQL Server. This isn't brain surgery, because they are just aggregating and analyzing logs, but it's interesting because they aren't just firewall or IPS logs, which is what most MSS providers focus on. The problem is Counterpane may be a bit early on this, as many customers hardly have their infrastructure security house in order; they usually focus on that, then look for an MSS, before even tackling the application side. But I do think that over time, mid-sized (and even some enterprise class) customers will need more horsepower to protect data/information and MSS could provide that. Especially since MSS is increasingly the purview of big players with data center credibility (IBM, Symantec, etc.).
http://www.counterpane.com/pr-20061009.html
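Here is an added example of the kind of application-layer log analysis described above, run over database audit records rather than firewall or IPS logs. It is not Counterpane's code. The log format is a constructed, generic one (timestamp, user, source host, event, optional object and row count), not the real SQL Server, Oracle or SAP audit format, and the sample lines are made up; the sensitive-table list and business hours are assumptions.

```python
"""Database audit-log analysis of the kind an MSSP would run at the application layer.

Added example, not Counterpane's code. Log format, sample lines, SENSITIVE_TABLES
and BUSINESS_HOURS are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"user=(?P<user>\S+) host=(?P<host>\S+) event=(?P<event>\S+)"
    r"(?: object=(?P<obj>\S+))?(?: rows=(?P<rows>\d+))?$"
)

# Constructed sample: an off-hours change to the audit table, a guessed 'sa'
# password followed by a bulk read of customer data, and ordinary traffic.
SAMPLE_LOG = """\
2006-10-19 02:30:00 user=dba1 host=10.1.9.3 event=ALTER object=dbo.AuditTrail
2006-10-19 09:01:02 user=sa host=10.1.5.20 event=LOGIN_FAILED
2006-10-19 09:01:04 user=sa host=10.1.5.20 event=LOGIN_FAILED
2006-10-19 09:01:06 user=sa host=10.1.5.20 event=LOGIN_FAILED
2006-10-19 09:01:09 user=sa host=10.1.5.20 event=LOGIN_OK
2006-10-19 09:02:11 user=sa host=10.1.5.20 event=SELECT object=dbo.Customers rows=250000
2006-10-19 09:05:00 user=appsvc host=10.1.2.7 event=SELECT object=dbo.Orders rows=42
2006-10-19 10:15:00 user=jsmith host=10.1.3.14 event=LOGIN_FAILED
2006-10-19 10:15:20 user=jsmith host=10.1.3.14 event=LOGIN_OK
"""

SENSITIVE_TABLES = {"dbo.Customers", "dbo.CardData"}   # assumed
DDL_EVENTS = {"CREATE", "ALTER", "DROP", "GRANT"}
BUSINESS_HOURS = range(7, 20)                          # assumed


def parse(lines):
    """Turn raw lines into dicts. Unparseable lines are skipped but counted, so a
    format change does not silently blind every detection below."""
    events, unparsed = [], 0
    for line in lines:
        if not line.strip():
            continue
        m = LINE_RE.match(line.strip())
        if not m:
            unparsed += 1
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S")
        e["rows"] = int(e["rows"]) if e["rows"] else 0
        events.append(e)
    return events, unparsed


def guessed_then_succeeded(events, threshold=3):
    """A successful login right after >= threshold consecutive failures from the
    same host looks like guessing that worked, not a mistyped password."""
    streak = defaultdict(int)
    alerts = []
    for e in events:
        key = (e["user"], e["host"])
        if e["event"] == "LOGIN_FAILED":
            streak[key] += 1
        elif e["event"] == "LOGIN_OK":
            if streak[key] >= threshold:
                alerts.append(f"{e['user']}@{e['host']}: login after {streak[key]} failures")
            streak[key] = 0
    return alerts


def bulk_sensitive_read(events, min_rows=10000):
    """Large result sets from sensitive tables: applications read rows,
    people exporting data read whole tables."""
    return [
        f"{e['user']}@{e['host']}: read {e['rows']} rows from {e['obj']}"
        for e in events
        if e["event"] == "SELECT" and e["obj"] in SENSITIVE_TABLES and e["rows"] >= min_rows
    ]


def offhours_ddl(events):
    """Schema or privilege changes outside business hours."""
    return [
        f"{e['user']}@{e['host']}: {e['event']} on {e['obj']} at {e['ts']:%H:%M}"
        for e in events
        if e["event"] in DDL_EVENTS and e["ts"].hour not in BUSINESS_HOURS
    ]


def analyze(lines):
    """Run every rule over the parsed events and report the parse health too."""
    events, unparsed = parse(lines)
    return {
        "guessed_login": guessed_then_succeeded(events),
        "bulk_read": bulk_sensitive_read(events),
        "offhours_ddl": offhours_ddl(events),
        "unparsed_lines": unparsed,
    }


if __name__ == "__main__":
    for rule, hits in analyze(SAMPLE_LOG.splitlines()).items():
        print(rule, hits)
```

The point of the three rules is that none of them is visible from a firewall or IPS log: the connections are legitimate TCP sessions to the database port, and only the audit trail shows who logged in, after how many failures, and what they read or changed.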


SMB MSS selection criteria
So what? - While I am on the topic of MSS, I found this little tip on SearchSMB talking about how to select an MSS provider. Joel Dubin goes through what MSSPs do and provides some guidance to figure out what you actually need. It's high-level, but pretty good. The best guidance here is to shop around. MSS is a very competitive business and it's only going to get more competitive. There are the big MSS players that Joel mentions, but also talk to your trusted VARs, because they're getting into the MSS business as well. Ultimately you need to be comfortable that the MSSP will get it done for a fair price.
http://searchsmb.techtarget.com/tip/0,289483,sid44_gci1225401,00.html

Top Blog Postings

Maybe they should call it "Oy Vey7"
As Jeremiah points out, it didn't take long for someone to break IE7 (here). Which is not surprising, because although most hackers aren't looking for notches on their bedposts anymore (there's no money in that), there would be some mojo for the guy/gal that broke IE7 first. Jeremiah does think it's pretty serious, but with a relatively small community (it doesn't go mass distribution via Microsoft Update until next month), the damage should be contained. More to the point, as George Ou points out, for those of you that require IE for business, IE7 is a good thing for you. And his points about the restrictions are good as well. You should be running XP SP2. Personally, I'm a Firefox guy and that's not going to change, but for those applications that require IE I'll be upgrading my PCs to Oy Vey7.
http://blogs.zdnet.com/Ou/?p=349

Trust is fleeting
The Mogull has a good summary of the Apple iPod Windows virus fiasco. Rich supports my contentions about it just being Apple's focused marketing messages, but then goes on to discuss how Apple is playing with their customers' trust, and that is a dangerous game. I agree on these points as well. Apple is maybe the most arrogant consumer electronics company to ever exist. Even when they were sucking wind before iPod mania, they were still evangelical, and if you didn't get it, they didn't have time for you. Now at scale, this cultural arrogance (which comes right from the top) is manifesting itself everywhere. Not just in the brazen marketing messages, but also in how they deal with customers that have problems with their machines, as GigaOm's Liz Gannes relates here. Fact is, Apple elicits passion, both positive and negative. That's what makes them great. Microsoft, not so much. They are "pedestrian," which in marketing is not really a good thing.
http://securosis.com/2006/10/18/apple-security-and-trust/

Who's watching the watchers?
I recently read Dan Brown's Digital Fortress, which was very entertaining. Some folks get hung up on reality and editorial license, etc., but not me. I ripped through it and enjoyed it, which is good enough for me. But the main point of the book (without giving anything away) is that someone needs to be watching the watchers. This is a point that Ed Moyle makes, first by talking about how he's not going to talk about Apple. Then he builds a case that the investigators in the HP pretexting fiasco may not have been wrong. Huh? That was my reaction as well, but then Ed goes into how the same methods could be used in a penetration test. Under the guidance of a CIO (or CEO), if a pen tester does something bad, who takes the brunt of the fall-out? The pen tester is doing his/her job, and I personally believe in using those methods in pen tests because that's what the bad guys will do and you need to know how you'll fare. But it's getting a bit murky. Then he further complicates the matter by positing a scenario where the CEO could be acting unethically and using pen testers to get information that he shouldn't have. Hmmm. So I'll get back to the point: who is watching the watchers? It's advisable to have lots of checks and balances to make sure that no one (not even the CEO) can do things without having to answer for them. We should have learned this lesson from the Tyco, Enron, and MCI fiascoes.
http://www.securitycurve.com/blog/archives/000468.html

Preventing Identity Theft
Thanks to Identity Theft Spy for pointing out a pretty comprehensive guide on protecting your identity. I've had two friends (including Mitchell Ashley here) who've had bad checks written against their accounts in the past two months. Let's just say it's a big pain in the ass. The banks do the right thing, but it creates a lot of angst and worry. There are a number of good points in the guide, like shredding personal documents before tossing them and not responding to anyone requesting personal information over the phone (or even email). The reality is, you could do all these things and still get nailed. Or you don't and you can hope that you'll remain lucky. Kind of like smoking. You hear of those people that smoke for 85 years and live to 100. But that's a statistical anomaly. You are better off taking all appropriate measures to protect your personal information. Remember, hope (or luck) isn't much of a strategy.
http://www.identitytheftspy.com/2006/10/how_can_a_regul.html

Recently on the Security Incite Rants Blog

Read Wednesday's Daily Incite
http://securityincite.com/TDI-2006-10-19

Submitted by Paul Barrett (not verified) on Mon, 2006-10-23 08:28.

"This study, from Nucleus Research and KnowledgeStorm, showed that the only impact of strong passwords was to get more employees to write them down. I happen to agree, but am a bit skeptical that biometrics is the answer. They've been talking about biometrics for years and years and we still don't have ubiquitous readers and there are pretty significant accuracy and user adoption questions. So what to do?"

How about cognometrics? [Cognometrics n. class of personal authentication techniques based on measuring innate cognitive abilities of the human brain (e.g. ability to recognize a familiar face). C21: from Latin cognoscere, to recognize + Greek metro, measure.]

Passfaces is a cognometric authentication technology based on the universal human ability to recognize familiar faces. Unlike passwords, Passfaces can't be written down or guessed - yet are almost never forgotten. And unlike biometrics, Passfaces are non-identifying, don't require any special hardware and can be changed if compromised. Try the demo at www.passfaces.com/demo .
