The Daily Incite - October 31, 2006

Submitted by Mike Rothman on Tue, 2006-10-31 10:11.
Today's Daily Incite

October 31, 2006 - #146

Good Morning:
BOO! Scared ya, didn't I. Today is Halloween in the US, and always a big deal when there are kids in the house. It's not clear what the final costumes will be for the candy gathering extravaganza this afternoon, but I believe Leah (my oldest) will be Dorothy from the Wizard of Oz (red shoes and all), Lindsay will be a 60's Go-Go girl and Sam may be Buzz Lightyear, although Mr. Incredible still has an outside chance. It'll also be around 70 degrees here in ATL, so it should be a great day.

It's also kind of spooky here in security-land. And I'm talking about the marketing tactics we continue to see from security vendors. Today I call bunk, bunk and more bunk. You hear about the million bot march (here)? Is the number really a million? Does it matter? What about the positioning of sender reputation as a cure for cancer (here)? Secure Computing is guilty as charged. And finally Websense weighs in, basically trying to position automated research as the next coming of the messiah (here). Smells like an ISS-looking paint job on that Websense jalopy to me. Sports fans, we've seen all of these movies before. But it'll keep the media churning, which keeps me churning - so I should probably not complain too much.

In blog-land, the IDS/IPS battle rages on, which I find entertaining. Ross Brown weighs in (here) and even includes his own little quadrant chart. I'd better watch my back, since Ross is far more insightful than a hack like me. Michael Wright (ohmygod, an actual user) runs to the defense of his beloved IDS (here), which is good. Ultimately, there is no right or wrong here, it's what works for you. So let us professional windbags blow hot air all day long; if IDS works for you - bravo.

Finally, I try to be a good boy and control my longshoreman's tongue in my written material, but today I just couldn't. Must be the goblins and ghouls that have taken over my keyboard and are forcing me to write how I really talk. But here is my entry into Dark Reading's Security Short Story contest (here) and also a book review on one of my favorite topics, Assholes (here).

Have a great day and a safe Halloween.

Top Security News

The million bot march
So what? - I've commented on how funky I think bot and zombie statistics are. Basically the email security vendors track which IP addresses they get messages from. They figure most mail is sent from mail servers they've seen already, so if they haven't seen an IP address before and they get mail - then of course, it's a zombie. That's probably about 85% right relative to spam zombies. But what about other types of zombies, like the dormant machines that aren't doing anything right now? So I don't buy the 1 million bot number. It may be more, or it may be less. That doesn't matter. It is good marketing from MessageLabs because it gives the media something to write about, and lord knows actually figuring out how some folks are stopping zombies would be too much work. But, to be clear, the number of zombies is greater than zero, a lot greater - so it is a problem. I just wanted to call bunk on the number because I'm in that kind of mood today.
http://www.vnunet.com/vnunet/news/2167474/million-pc-botnet-threatens

Reputation does not stop image spam (specifically)
So what? - In the second installment of our bunk edition, I need to call out my former colleagues at Secure Computing (formerly CipherTrust) for trying to paint reputation as the cure for all of the email ills of society. Fact is, reputation does absolutely nothing to stop image-based spam specifically. It finds spammers and spammers are increasingly using image-based spam, so by the law of ridiculous extrapolation - reputation must stop image-based spam. Not so much. I've always been a big fan of reputation and pretty much every email security company has a reputation component to their spam filtering, but to say it specifically stops image-based spam is stretching the truth a bit. Told you I was in that kind of mood today.
http://www.securecomputing.com/press_releases.cfm?p=irol-newsArticle&ID=923803
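The counting heuristic described in the "million bot march" item, and this item's point that sender reputation reasons about the connecting IP rather than the message body, as an added illustration in Python. This is not code from MessageLabs, Secure Computing or this newsletter; every IP address, log line, ground-truth label, the `KNOWN_SENDERS` store and the `DORMANT_BOTS` figure are constructed assumptions used to show where the number comes from and what it cannot see.

```python
"""Sender-reputation 'first seen IP' heuristic and its blind spots.

Added illustration, not code from MessageLabs, Secure Computing or the
Daily Incite. Every IP address, log line and ground-truth label is constructed.
"""
from collections import Counter

# Constructed inbound-MTA log.  Fields: timestamp, connecting IP, message
# body kind, and a ground-truth label that a real filter never has.
MTA_LOG = [
    ("2006-10-31T08:00:01", "198.51.100.10", "text",  "mta"),  # established MTA
    ("2006-10-31T08:00:05", "203.0.113.7",   "image", "bot"),  # unseen infected host
    ("2006-10-31T08:00:09", "203.0.113.8",   "image", "bot"),  # unseen infected host
    ("2006-10-31T08:00:12", "198.51.100.20", "image", "mta"),  # known MTA relaying image spam
    ("2006-10-31T08:00:15", "192.0.2.44",    "text",  "mta"),  # brand-new legitimate MTA
    ("2006-10-31T08:00:20", "203.0.113.7",   "image", "bot"),  # repeat connection
]

# Constructed reputation store: IPs that have delivered mail before.
KNOWN_SENDERS = {"198.51.100.10", "198.51.100.20"}

# Constructed figure for infected machines that sent nothing in this window.
DORMANT_BOTS = 3


def classify_sender(ip, known):
    """The heuristic from the text: an unseen IP delivering mail is a suspected zombie.
    The message body is deliberately not a parameter: reputation judges the
    sender only, so it cannot know whether the spam is text or image."""
    return "known" if ip in known else "suspected-zombie"


def count_suspected_zombies(log, known):
    """The 'N bots' style estimate: distinct previously-unseen IPs, deduplicated."""
    return len({ip for _, ip, _, _ in log if classify_sender(ip, known) != "known"})


def heuristic_accuracy(log, known):
    """Compare verdicts against the constructed ground truth, per distinct IP.
    Returns (true_positives, false_positives, missed); 'missed' are bot IPs
    the heuristic did not flag."""
    truth = {ip: label for _, ip, _, label in log}
    flagged = {ip for ip in truth if classify_sender(ip, known) != "known"}
    tp = sum(1 for ip in flagged if truth[ip] == "bot")
    fp = len(flagged) - tp
    missed = sum(1 for ip, label in truth.items() if label == "bot" and ip not in flagged)
    return tp, fp, missed


def image_spam_by_verdict(log, known):
    """How many image-bodied messages land under each verdict.  Reputation
    flags image spam only when the sender happens to be unseen; the same
    image from a known relay passes untouched."""
    counts = Counter()
    for _, ip, kind, _ in log:
        if kind == "image":
            counts[classify_sender(ip, known)] += 1
    return dict(counts)


def estimate_summary(log, known, dormant):
    """The reported number next to the things it cannot measure."""
    tp, fp, missed = heuristic_accuracy(log, known)
    return {
        "reported_bots": count_suspected_zombies(log, known),
        "actual_bots_in_log": tp + missed,
        "legit_servers_counted_as_bots": fp,
        "dormant_bots_not_in_log": dormant,
    }


if __name__ == "__main__":
    print(estimate_summary(MTA_LOG, KNOWN_SENDERS, DORMANT_BOTS))
    print(image_spam_by_verdict(MTA_LOG, KNOWN_SENDERS))
```

On this constructed log the estimate reports three bots where two exist, counts a brand-new legitimate mail server as a zombie, and has no way to include the three dormant machines that never connected. The image-spam tally shows the same thing from the other side: the known relay's image message gets a "known" verdict because nothing in the function ever looks at the body.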

Websense is the new ISS
So what? - Websense has a built-out and pretty mature security research organization. I've been reading their security blog (here) for a long time. So I'm a bit perplexed that they've finally decided to come up with some snazzy marketing term (ThreatSeeker) for linking up their research engine to the products. Helloooooo?!?!? This is worthy of a Rip Van Winkle award. And they used the "pre-emptive" term as well. They had hardly shoveled the IBM money onto ISS's coffin before Websense stepped in with, you guessed it, the X-Force! Well, not really the X-Force, but something that seems awfully close to how ISS was positioning for the past two years. Which, by the way, is a good thing for Websense. Security research is a key part of making security products more timely and effective, but I'm calling bunk on a "bold new architecture" because when you work your way through the smoke screen it looks like good, old-fashioned research bolted onto a product to me. But now that I think about it, Websense could very well be the new ISS. Trying to engage the channel (again) and most likely looking for a partner sooner rather than later, because the one-trick pony they are riding doesn't have the legs to make it all the way to Dodge. If we see Websense introduce a services-based offering, then the transition will be complete.
http://biz.yahoo.com/prnews/061031/latu027.html?.v=77

190 ways to lose your data
So what? - I still love the classic Paul Simon song, "50 Ways to Leave Your Lover," but cringe when I see long lists of crap in a press release. This must be part of the newly passed Make PRNewswire Rich Act - since they charge by the word. It's actually from a company called Palisade Systems, in the security hotbed of Ames, Iowa. That and corn are hot in Iowa, I heard. It seems Palisade monitors network protocols for content filtering violations, and they count P2P application protocols separately. So 20 of these so-called protocols relate to Napster. Seems like creative accounting to me. Maybe they got some of their finance folks from Jackson, MS (former home of Worldcom). I actually think more protocols are better than fewer, and I haven't seen a list of protocols this long since some joker did a demo of a firewall configuration for me (that was years ago). Everyone is looking for an angle to differentiate, I get that. But I'm not sure monitoring protocols like Finger and DNS is really a "game changer" in the content monitoring space. Don't try to be coy, Roy.
http://www.palisadesys.com/news/releases/view.php?pressreleaseid=92

The bull(sh*t) market for security professionals
So what? - In the category of self-serving studies, let me point to (ISC)2's recent survey of information security professionals. They engaged the bean counters at IDC to concoct some numbers to make us security folks feel good. And reading this report, we should feel real good. Kind of like a meth high (from what I've heard): feels great at the time, but the hangover kicks your ass and you find yourself in the gutter with no money. Basically, security is a problem and, once again using the law of ridiculous extrapolation, the CISSP people figure it will remain a problem and you need people to solve problems (not technology), so there will be growth in security professionals. Yes, I believe there will be growth in security professionals. But I also believe a lot of the security functions will be subsumed into other technology domains. Security is not a stand-alone entity over the long term. Not security operations, anyway. Sure, there will always be a group of a couple of folks that run the pen tests and coordinate the various security domains, but most of the work will be done (over time) in the network, data center, and applications. That's my position anyway, but I guess if I sold CISSP certifications, I'd want to think my bull market would last forever.
https://www.isc2.org/cgi-bin/content.cgi?page=1125

Top Blog Postings

The IDS battle rages on
Ah, nothing like a rumble that you figure will last for 2 or 3 rounds, but then unexpectedly goes into the 8th or 9th round. The gladiators continue to rain haymakers on each other, to the approving glee of bystanders - who always turn out for a good battle. Ross Brown looks to share his position on IDS/IPS and correctly points out that there are certain technologies that are "successful in their ubiquity, but not necessarily proven in their usefulness." That's a pretty good description for a lot of things. I think NIDS (network intrusion detection) was useful at one time, but as other tools have matured and attacks have changed, its usefulness has eroded a bit. Then Ross plays analyst man and puts up a graph with usefulness on one axis and ubiquity on the other. It's a pretty interesting chart. As with most things that Ross writes, it's a bit self-serving in that HIPS is prominently placed in the "emergent" category while many of the network-oriented technologies just aren't as sexy. Guess what Ross's company does for a living? But I digress. There are a number of good points here (as there always are in Ross's posts), but this graph seems to me to make a point that it's one solution or the other. I believe the answer is all of the above. There is a place for firewalls, AV, NIPS, and HIPS (though I'd call that endpoint security). Some are more useful than others, but you need them all (or at least most of them).
http://technobabylon.typepad.com/tb/2006/10/the_nipsnids_de.html

The users weigh in on NIDS/NIPS
Since it was Richard Bejtlich that kicked this whole NIDS/NIPS debate off in the first place, it's nice to see another user - Michael Wright - weigh in with his opinion on the topic. As with many security professionals, Michael has received value from IDS in the past. What we all have to realize is that there are MANY ways to skin the cat. Some like firewalls and tight configuration management. Some use network behavior tools, others focus exclusively on the endpoints. Ultimately it's about SECURING THE ENVIRONMENT, and those too proud (or too stubborn) to realize there is more than one correct answer need to understand that it's not about how smart they are. It's about whether a user feels the tool helps them do their job better. So I'll state my position again: NIDS/NIPS is another tool in the bag. Depending on the environment, it may work or not so much. But each security administrator needs to figure out what concoction of protection is going to work best for them. And that's all I have to say about that.
http://mcwresearch.com/archives/337

My security short story
Tim Wilson over at Dark Reading is playing off Wired's short science fiction stories (inspired by Hemingway's classic six-word short, "For sale: baby shoes. Never worn.") by asking folks to come up with their own security short story. They put a few idea starters in there, like: "No," the CFO said. Attackers cheered. That's pretty good, but I came up with one that I think is pretty good too: "Get the f**k off my network." Short, sweet, to the point and what every network/security professional says at least once per day.
http://www.darkreading.com/blog.asp?blog_sectionid=327

No assholes allowed
Since it's Halloween, and I've been pretty venomous this morning, let me finish up with a nice post about a new book that Guy Kawasaki has summarized. Called "The No Asshole Rule" by Robert Sutton, this is a book that teaches you either to recognize your own asshole tendencies or how to survive in a workplace dominated by assholes. How many times can I use asshole in a sentence? But anyway, I'm with Guy - I've certainly played an asshole on TV many times and also worked with more of them than I can count. These tips seem right on the money, so if you work in a difficult workplace - this seems like a good read. Though I'm not sure it would help me much at this point, given that I work with an asshole every day - but I know him pretty well.
http://blog.guykawasaki.com/2006/10/you_have_to_lov.html

Submitted by Richard Bejtlich (not verified) on Tue, 2006-10-31 15:10.
Hi Mike, I just wanted to point out that Dave Aitel started this "debate" with his Daily Dave message on 26 Oct. My blog post was a reply to his. I've been too busy to reply to Tom Ptacek, but I think others are making good cases. Richard
