The Daily Incite - November 2, 2006

Submitted by Mike Rothman on Thu, 2006-11-02 10:16.
Today's Daily Incite

November 2, 2006 - #148

Good Morning:
It's Thursday and I know I've been pretty quiet on the blog. I'm not an excuses kind of guy, nor do I apologize for much (just ask my wife), but it's been as busy a week as I can remember. Lots of both personal and professional activity that has kept me on the go from sun-up on Monday and will keep me going through tomorrow morning. I'll be casting my vote this morning in next week's election (in GA you can vote up to a week ahead of time) and then taking the boss to see Josh Blue tonight. If you don't know of Josh, he is a comedian with cerebral palsy. He won the Last Comic Standing contest this summer and is really inspirational, while being funny as hell. So I'm really looking forward to seeing him in person tonight.

But enough about me, I feel compelled to poke some holes in some of the stuff I've read today. First, encryption does not equal secure email (here). This article talks about a secure email strategy and leads with encryption. That's kind of like reading James Joyce or Homer as one of your early chapter books. OK, sorry about the random literature remark. No, I don't have my Dennis Miller costume on today. But my point is that of all the things I'd start with in securing my email, encryption ain't it. Next up is a tip on how to harden your network posture and stop zero-day attacks (here). The only problem is that nothing the guy says really stops a zero-day. Details, details. Do these editors not get that people actually read this stuff, and sometimes they even follow the advice? Sheeesh.

In blog-land, let me point to one of the burning questions of the day. Are all the contributors on the Security Catalyst site bald (here)? There is a bald guy right in the banner, so is that a bad assumption to make? Anyhoo, a new contributor with a hairline to be named later, Joe Knape puts up a post railing on those railing on passwords. Maybe I'll make my new password that everyone knows "I!!AM@@NOT##BALD$$" - that's pretty strong, no? What about those layers? Michael Wright tells a good story (here) about how a layered approach (yes even including IPS) avoided a nasty situation for him. Have I mentioned the importance of layers lately?

Have a great day.

Top Security News

Do you have a secure email strategy?
So what? - I've got secure e-mail on the brain today. I guess my head is still polluted with all the slides and discussion around secure email during my SearchSMB webcast yesterday (here). The event went well (I was on my game) and we had a lot of great questions from the audience. So when I looked into my articles from last week and saw this Network Computing piece on email security, I figured it was timely. My problem with the article is that it seems to equate encryption with secure email. That couldn't be further from the truth. Encryption is maybe 10% of the requirement, and a pretty specialized one at that. Besides that little issue, the article does a pretty good job of briefly discussing the main options for email encryption and also a bit on stopping spam and viruses at the gateway. They finish up with a little on securing mobile devices (which I don't think is really an issue as long as the device is password protected and will blow up if a brute force attack is attempted). Overall, this is a decent overview - but I think my recent webcast did a better job of summing up the issues. But maybe I'm a bit biased.
http://www.networkcomputing.com/showArticle.jhtml?articleID=193302955


Security must protect the brand
So what? - As part of my Pragmatic Security research, I've identified 5 core imperatives for security: maintain availability, protect intellectual property, limit corporate liability, ensure compliance, and protect the corporate brand. This article in the Enterprise Systems Journal, which covers a study from the CMO Council, puts numbers behind the fact that while most marketers and corporate executives know security is an issue, they don't really highlight that in how they talk about what they do. That's probably because it doesn't work. Even worse, only half of the respondents say they have a crisis-containment plan in place. Now that's a problem. I'm no fan of surveys, but this verifies a lot of the anecdotal evidence I get through my travels and conversations. I've never been sold that positioning as a "more secure" alternative is a winning marketing strategy. But I can tell you that if something does blow up and you are perceived to be "less secure" or to have violated the trust of your customers - that is surely a losing strategy.
http://www.esj.com/news/article.aspx?EditorialsID=2249

There is no easy way to contain zero-day threats
So what? - This tip on SearchWindowsSecurity is a bit misleading. Entitled "Harden your network services and contain zero-day threats", it goes through 6 things you can do at your network to address "zero-day" attacks. Some of these tips are good network security practices, like using VLANs to segment the network to ensure a meltdown on one segment doesn't crush the entire network, using NAC to ensure only authorized machines get onto the network, and locking down wireless access points. But some are out of date, like employing perimeter protection with a firewall. Huh? Who doesn't have a firewall now? They should be beaten with a stick. Or even worse, he suggests using IPSec. For what? Internally, to encrypt every packet on my network? That's not going to happen. Or using an IDS. Aren't we talking about a zero-day attack? Unless I'm missing something, an IDS isn't going to be much help against SOMETHING YOU'VE NEVER SEEN BEFORE. I don't think these techniques do much against a zero-day. A machine could be authorized (so it would get past the firewall and NAC) and have an IPSec client, and still be owned by a zero-day and wreak havoc on your network. No? Let me know if I'm missing something, but that's my read.
http://searchwindowssecurity.techtarget.com/tip/0,289483,sid45_gci1226686,00.html

Deal: EMC acquires Avamar
So what? - Though it's not security related, I thought this deal was very interesting. Back in 2002, I tried (unsuccessfully) to get a company going to build a disk-based backup appliance. In doing my research for the idea, I came across Avamar, which I thought had very cool technology - that basically eliminated the need to store redundant data. They could reduce backup (and other storage) requirements by an order of magnitude. But the price of storage kept coming down, so the technology never really became pervasive. With EMC taking them out for $165 million, it creates a lot of interesting, if not counter-intuitive possibilities. Remember EMC sells a lot of storage for backup purposes, and this is a technology that helps you make more efficient use of the stuff you already have. But it also signifies that there are no sacred cows in EMC-land, and given the position they have taken in protecting data (read RSA) - that's an interesting insight. They are not scared to challenge the golden goose, if it can potentially provide competitive advantage.
http://www.emc.com/news/emc_releases/showRelease.jsp?id=4696


Next Stop for the Big Yellow Train is SMB
So what? - All Aboard!!! Looks like the Symantec train is heading to SMB-land. It makes a lot of sense, given their strength and brand in consumer. SMB (at least the S part anyway) is a lot closer to consumer than it is to enterprise. But if you look at the new packaging for the SMB offerings, the 4 buckets (Data Security and Availability, System Security and Availability, Application Security and Availability, and Policy Compliance Management) are pretty clean and concise. Don't see anything to address networking issues (I guess that stuff is in Juniper's court now), but data, systems and applications are the key categories. Where it gets confusing is one level below, in that each bucket has 3 or 4 separate products that don't seem that related. Backup Exec and AntiVirus Corporate Edition are brothers in arms. Huh? So this is more about reorganizing the price list (which isn't a bad thing), but what SMB-types really need are more integrated bundles that simplify the life of the mid-sized IT professional.
http://www.symantec.com/about/news/release/article.jsp?prid=20061101_02

Top Blog Postings

Passwords ain't going anywhere
I wonder if Joe Knape is bald. I know, that's a pretty strange question. But now he's writing on the Security Catalyst site, which is run by Michael Santarcangelo, who is the bald security expert. What about the other contributors, are they bald? This will be killing me all day, so if you have answers to these critical questions - please let me know. But Joe's first piece on the site is good, calling bunk on yet another call that passwords are dead. Joe's assessment that "beatles##white##ALBUM" is a stronger password than "S!wiA3p_" is a way to make the point. Fact is, passwords will always have a place, and depending on what you are protecting, I'd even contend that a long password is more trouble than it's worth. Authentication must become contextual. For a low risk transaction, a weak password should suffice. To transfer $10 million, you probably want to really make sure it's the right person. But to say passwords are going away is just wrong.
http://www.securitycatalyst.com/2006/11/01/the-death-of-passwords-is-premature/
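Joe's two example passwords, compared under two attacker models; this is an added illustration written for this page, not code from the post or from the Security Catalyst site. The dictionary size, casing variants and separator pool used for the word-based model are assumptions for illustration, not figures from either post.

```python
import math
import re
import string

# The two passwords quoted in the post (Joe Knape's examples).
LONG_PASSPHRASE = "beatles##white##ALBUM"
SHORT_COMPLEX = "S!wiA3p_"


def charset_size(pw):
    """Size of the smallest pool of standard character classes that covers every character in pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 ASCII symbols
    return size


def brute_force_bits(pw):
    """log2 of the search space when the attacker knows only the length and the character classes used."""
    return len(pw) * math.log2(charset_size(pw))


def passphrase_bits(pw, dictionary_words=20000, case_variants=3, separator_pool=32):
    """Cheaper model for word-based passphrases: the attacker guesses whole dictionary words
    (each in one of a few casing variants) joined by separator characters.
    Only meaningful when the tokens really are dictionary words, as in LONG_PASSPHRASE.
    The pool sizes are assumptions for illustration, not figures from the post."""
    words = [w for w in re.split(r"[^A-Za-z0-9]+", pw) if w]
    separators = "".join(re.findall(r"[^A-Za-z0-9]+", pw))
    word_bits = len(words) * math.log2(dictionary_words * case_variants)
    sep_bits = len(separators) * math.log2(separator_pool)
    return word_bits + sep_bits


if __name__ == "__main__":
    for pw in (LONG_PASSPHRASE, SHORT_COMPLEX):
        print(pw, "brute force: %.1f bits" % brute_force_bits(pw))
    print(LONG_PASSPHRASE, "dictionary model: %.1f bits" % passphrase_bits(LONG_PASSPHRASE))
```

The short random string tops out around 52 bits of brute-force work, while the passphrase is about 134 bits under brute force and still about 68 bits even when the attacker knows it is three dictionary words with separators, which is the point Joe's comparison makes.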

More evidence for layers
Michael Wright is piling on all of those folks that pooh-poohed IPS/IDS last week. I love to see a guy throw another shot in, even after he's said his piece. I've been known to kick a dog or two when they are down as well. By illustrating a real-life example of how layers of security (including his IPS) helped avert what could have been a mess, Michael continues to lend credence to the position that IDS/IPS can be a legitimate part of a layered defensive strategy. I don't feel like taking on the entire NIPS/HIPS battle right now, but the reality is that layers are important and Michael brings up a good case in point. You can't count on people to act rationally or with any intelligence, so you have to have contingency plans and fall back positions to ensure that your entire network isn't compromised if some joker connects the internal network directly to the DMZ.
http://mcwresearch.com/archives/338

Five steps to data protection
I need to keep my mouth shut. By challenging the Mogull yesterday (here) to simplify his complicated data protection hierarchy, he's actually doing that. Crap. And even worse, it'll only be available for Gartner clients. Double crap (unless you are a Gartner client, of course). Yes, I'm joking. I look forward to picking apart Rich's latest creation, as a little birdie is sure to send me a care package, and I agree with Rich that this dialog between us professional windbags is new, exciting, and helps to advance security thinking for everyone. But Rich did throw us a bone by repurposing a Gartner press release from this summer providing 5 steps to protect your data. So as to not raise the ire of Gartner's brand police, I'm not going to reprint them here either (check out Rich's post) - but this is good, tactical advice. I've got some ideas as well on how to simplify how we talk about data security, but I'm not giving anyone any more ideas until I have it done.
http://securosis.com/2006/11/01/top-five-steps-to-prevent-data-loss-and-information-leaks/

Are IM and X.400 separated at birth?
In another digression from all security, all the time - let me poke a bit at a fellow analyst. I've known David Ferris for a long time. We were both following the messaging space in the early '90s, and in this blog post he tries to draw an analogy between what we saw in the X.400 world and today's instant messaging networks. For those without as much gray hair as me, X.400 is an ancient messaging interoperability protocol that has since gone the way of the dodo, having been supplanted by SMTP. Besides the fact that neither X.400 interoperability nor IM interoperability really worked, I don't see many parallels. X.400 was designed to provide that interoperability and it failed. There is no IM interoperability protocol. Furthermore, X.400 was a "standard" promoted by the big standards bodies. IM has no standards body, so you are depending on a number of vendors to decide to play better in the sandbox. So David's analogy is a bit lost on me.
http://blog.ferris.com/2006/11/todays_state_of.html

Submitted by Joe Knape (not verified) on Sun, 2006-11-05 16:35.

Hey Mike,

Thanks for the comments. I read Security Incite every day so I can't believe I missed your post until now!

Just so you know, I agree wholeheartedly that security in general, and passwords in particular, need to be contextualized based on the risk and/or value of the assets being protected.

And no, I'm not bald, thanks for wondering.