The Daily Incite - November 10, 2006
November 10, 2006 - #154
Good Morning:
Shhhh! Can you hear that? No? Good, neither can I. That is the sound of silence in my house as my wife took my oldest one away for the weekend and the twins are in school. It's a Daddy weekend (for the twins anyway) and I'm looking forward to that. It's funny, I really enjoy my solitary time. But you do get used to the chaos of having a lot of activity and mayhem around you most of the day.
In security-land, I can only hope that our next import from the UK will be ISP responsibility (here). The vociferous few (in that great British accent) are calling for the ISPs to take responsibility for DDoS attacks. Hear, hear. Boddington's on me!!! Next (here) I want to rail on the so-called "site certifications" like HackerSafe, SecurityMetrics, and one certain former employer of mine (TruSecure/CyberTrust). A questionnaire and a vuln scan do not give me comfort that my data is safe. But I guess, like the TSA show at your local airport, these little seals put on a show that someone cares about security (at least enough to pay a couple hundred bucks to go through the process). But don't be misled: there is only a slight correlation between these programs and data protection.
In blog-land, Michael Wright misses the old days when worms roamed the earth and security was easy (here). I don't. Now we see who has talent and who is a pretender. Who can talk business and who can't. Sure it's harder, but what fun is it if it's easy? But maybe that's just me. Looks like Stiennon is using his NetworkWorld pulpit (here) to rail on pre-admission NAC (again). Shocker! But we've already played that one out here in blog-land and nothing I'm seeing is changing my opinion that both pre- and post- are important.
Have a great weekend.
Top Security News
Put ISPs on the hook for DDoS - YEAH!
So what? - And who said the only innovation coming from the UK is in reality TV? HA! Of course for my British friends, I'm kidding. That means I don't want to be email bombed with the Union Jack all weekend. But this perspective from a UK ISP conference had a lawyer advocating that the ISPs should be liable for DDoS attacks leveraging their networks. As the article posits, there would be an uproar from the ISPs, but it's the right thing to do and would force ISPs to address their zombie/bot issues. BT has been the first to look at spam bots, but that won't help much when a DDoS is launched. And the technology exists today to do this; the ISPs just don't want to. But they will, and maybe it will be a government mandate. Just maybe.
http://www.newscientisttech.com/article/dn10494-isps-should-be-responsible-for-hacker-attacks.html
Laptop encryption must integrate with endpoint security
So what? - I usually like Larry Seltzer's column. He does a good job of calling bunk on stuff and actually has an opinion (which makes him kind of unique among security columnists that are not me). But this one gets a "you missed the point" award. He's really talking about advances in disk drive technology and how whole-disk encryption is becoming part of the plumbing. That's fine, but to me the real discussion is about how laptop encryption should fit into the enterprise security hierarchy. Folks like PGP will chew on your ears until they bleed about why whole-disk encryption needs to be part of the "encryption architecture." And if you have an "encryption architecture," you'd be right (and also on the cutting edge). To me, laptop encryption (and the enterprise control and management therein) is a feature of endpoint security. The agent I have on my laptop should fight malware, enforce access policies (right, a NAC agent) and protect my data (encryption). I don't want 3-5 agents all doing different things. I want one agent. What is so damn hard about that?
http://www.eweek.com/article2/0,1895,2054615,00.asp?kc=EWSTEEMNL110906EOAD
Big 3 NAC players?
So what? - Maybe it's just me, but I continue to be confused by this focus on Cisco, Microsoft and the TCG for all things NAC. My pals over at SearchSecurityChannel post a whole bunch of NAC links here that are good background info. But back to the topic: only 3 NAC players? OK, I get Cisco. They created a lot of the buzz around NAC and though the Framework is going nowhere fast, they are moving a lot of Cisco NAC Appliances. But Microsoft? NAP still depends on Longhorn, so that is 2008. If you count the Cisco interoperability and Vista, it's still late 2007 as Vista is deployed - best case. And the TCG? As many of you know, I've not been a huge fan of the TCG and I'm still not sure why I care about standards for NAC. But that's me. I just think this reliance on the perspective that NAC = Cisco, Microsoft and/or TCG is just wrong. There are a bunch of other solutions out there that do some aspect of NAC (no one does everything well yet) that are not from the Big 3... at least for the next 12 months or so until the early market plateaus and the consolidation and erosion starts.
http://weblog.channel-marker.com/?p=43
Do "site certifications" make you safe?
So what? - I've got pretty eclectic reading tastes. My BlogBridge has over 300 different feeds ranging from security to sports to marketing to some investing. I saw an interesting article on market direction (an interest after the election) and it led me to a site called "ETF Digest." This is a subscription site on market direction, but what really piqued my interest was the huge seal on the site saying "Identity Theft Protected by SecurityMetrics." REALLY?!?! So I checked out these guys and, like HackerSafe, they do a scan (anywhere from annually to daily) of your network for over 3,600 vulnerabilities. What about the other 97,000? And as a recent exposé on HackerSafe showed, those web sites aren't really safe. So I just wanted to call bunk on these shylocks that sell vuln scanning (which is important, but not a panacea) to SMB customers and let them claim things like "Identity Protected." I know at least 10 guys that could break this site in about 10 minutes. That wouldn't deter me from buying the newsletter (if I thought it was valuable), but I'm not so naive as to think that my identity is "protected." But I know a lot of people do believe that. Until they learn the hard way that it's wrong.
http://www.etfdigest.com/index.php
Google likes Kama Sutra (who doesn't?) - scan your outbound mail
So what? - When I said yesterday that there was no real security news, a few kind readers poked me in the eye and told me about the Google faux pas of sending out the Kama Sutra worm (oh, that Kama Sutra, drat!) in a blast email. I actually did see this yesterday AM and didn't think much of it. But upon further reflection, I've come to the same conclusion as those readers. Yes, there is a lesson to be learned here. You should also scan your OUTBOUND mail for viruses. And I'll also let you in on another little secret. Your email security gateway can do that for you TODAY. All you need to do is direct your MTAs to send to your gateway, and your gateway will scan and then forward on to your ISP. This will catch a stupid mistake like Google made, and it'll also identify if any of your machines are spam bots. If your inbound mail volume is substantial, you may want to get another device specifically for outbound mail, but this is a common practice and a good idea.
http://www.informationweek.com/story/showArticle.jhtml?articleID=193700219
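The outbound-scanning setup above (point every MTA at the gateway, then watch what the gateway catches) doubles as a bot detector. This is an added example, not code from the original post or from any gateway vendor: a Python script over constructed gateway log lines in an assumed field layout that flags internal hosts the outbound scan caught sending malware or spam, or that fan out to more recipient domains than a normal desktop would (the thresholds are assumptions, not vendor defaults).

```python
import re
from collections import defaultdict

# Constructed sample output from a hypothetical outbound-scanning gateway (not real logs).
SAMPLE_LOG = """\
08:01:02 src=10.0.5.21 rcpt=alice@example.org verdict=clean
08:01:09 src=10.0.5.21 rcpt=bob@example.org verdict=clean
08:02:15 src=10.0.7.44 rcpt=x1@freemail.test verdict=virus:Kama_Sutra_Worm
08:02:16 src=10.0.7.44 rcpt=x2@other.test verdict=spam
08:02:17 src=10.0.7.44 rcpt=x3@third.test verdict=spam
08:03:00 src=10.0.6.10 rcpt=a@one.test verdict=clean
08:03:01 src=10.0.6.10 rcpt=b@two.test verdict=clean
08:03:02 src=10.0.6.10 rcpt=c@three.test verdict=clean
08:03:03 src=10.0.6.10 rcpt=d@four.test verdict=clean
08:04:30 src=10.0.9.3 rcpt=carol@example.org verdict=clean
"""

# Assumed field layout: internal source host, recipient address, scanner verdict.
LINE_RE = re.compile(r"src=(\S+) rcpt=[^@\s]+@(\S+) verdict=(\S+)")

def summarize(log_text):
    # Per internal host: messages relayed, AV hits, spam hits, distinct recipient domains.
    stats = defaultdict(lambda: {"sent": 0, "virus": 0, "spam": 0, "domains": set()})
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # skip lines the gateway wrote in some other format
        src, domain, verdict = m.groups()
        s = stats[src]
        s["sent"] += 1
        s["domains"].add(domain)
        if verdict.startswith("virus:"):
            s["virus"] += 1
        elif verdict == "spam":
            s["spam"] += 1
    return stats

def suspected_bots(stats, max_domains=3, max_spam=1):
    # Any outbound malware is a hit; repeated spam or wide recipient fan-out is a bot signature.
    flagged = {}
    for src, s in stats.items():
        reasons = []
        if s["virus"]:
            reasons.append("outbound malware")
        if s["spam"] > max_spam:
            reasons.append("outbound spam")
        if len(s["domains"]) > max_domains:
            reasons.append("fan-out to %d recipient domains" % len(s["domains"]))
        if reasons:
            flagged[src] = reasons
    return flagged
```

Feed it a day of gateway logs and the flagged hosts are the ones to pull off the network first; a clean host that sends a handful of messages to one or two domains never shows up.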
Top Blog Postings
I don't miss the old days
Michael Wright misses the old days, when worms made us miserable - but things were easier. It was easier to get budget, it was easier to show value, and it was easier to make a ton of money on stocks. But those days are gone. Get over it. I actually think these times are much more interesting. More frustrating, for sure - but more interesting. Anytime everyone is doing it, it's not that hard. That was the Internet bubble. Every idiot out there was building companies, selling stuff, and continuing to hope that trees grew to the sky. Well they don't. Now is where the wheat is separated from the chaff. Now is when you need to really understand how security works and how it relates value to the business. Michael makes the point that he is not subject to regulations, so that puts a big crimp in his ability to get budget. The compliance train is going to pull into the station soon enough and it won't be pretty. Because like the hangover from the Internet bubble, a lot of aspirin and Gatorade is going to be needed to kick the compliance blues. It's been too easy, and now the folks with the checkbooks want to know what they've bought. So as frustrating as it is, folks that focus on things like the stability of the network and the protection of intellectual property will be better off in the long run.
http://mcwresearch.com/archives/342
Stiennon on NAC
Looks like my pal Stiennon is wearing his new NetworkWorld column well. With an original name like "Stiennon on Security" it's all good. For some reason they didn't like my original "Security Incite" (which is what the column was), but instead opted for "Security Insider." But enough about me. Richard's first "official column" is on NAC and he stays in character, poking at pre-admission integrity checking, but espousing the value of controlling who gets to what resources. As we've discussed a lot (and even had a Mobcast on the topic), NAC means a lot of different things to a lot of different people. I've published my thinking in the NAC attack series and other pieces (here) and I agree with Richard that the access control part of NAC is most interesting. But I also believe that there is a role for host integrity checking, as well as the IDS/IPS-like worm mitigation that some solutions provide. So yes, the answer is (D), all of the above.
http://www.networkworld.com/columnists/2006/111306stiennon.html
Phat Phish still getting caught - just ask them
I'm not a big fan of surveys, you all know that. But the media loves them. Today's case in point: Gartner's phishing survey, which shows that about $2.8 billion will be lost to phishermen (and other scum) this year. I don't buy that number. Extrapolation is a very dangerous game. Unfortunately, it's the number that the media loves. I will agree that it's a significant number and it remains a problem. A number that does make more sense is the average loss per victim, up 5x to $1,244, and it's not a stretch to figure how much harder it is to recover when you are compromised. The conclusion I draw is that the bad guys are getting more sophisticated, and though they are compromising fewer victims, they are digging deeper once they chomp on the victim's leg. The answer? 1) Education - McGruff better get his ass in gear because time's a wasting. 2) ISP oversight - if the ISPs crush the spam zombies, it pulls the rug out from under these folks' ability to find new meat. 3) Education. 4) Education. Did I mention education?
http://blog.washingtonpost.com/securityfix/2006/11/report_phishers_hooking_fewer.html
Check Point next to go?
The last time I called Jon Oltsik "Captain Obvious" he got pretty upset with me. But we worked it out. Now I'd like to give him a bit of an "atta boy" here because his analysis is solid. Check Point should be an acquisition target. With 30% of their market cap as cash on the balance sheet and the cash flow printing press working overtime, it's clearly a value play. And their lack of strategy is not going to unlock the value of their stock anytime soon. Not so sure about how loyal their customer base is (or their resellers, for that matter), but inertia is pretty high in the FW/VPN market, so they'll keep pushing forward and generating cash. Yet I don't think it'll be a public company that takes them out. Private equity folks must be licking their chops at the ability to leverage that much cash, have that kind of cash flow to service the debt and be able to milk the highest net profits of any software company I know. Will it happen? Probably not, because Check Point is not a US company and I'm not sure how receptive the Israelis are to hostile takeovers. Would it be hostile? I think so, because Gil still holds to his vision of being the stand-alone option. But if Gil ever gets sick of answering to Wall Street, I suspect there would be a line around the block of buyout firms trying to get a piece.
http://news.com.com/2061-11203_3-6134194.html
Recently on the Security Incite Rants Blog
Cisco takes it to the next level
Cisco announced their Q1 FY2007 results and it was a stellar quarter. So as opposed to gushing about how they grew by about a Juniper over the last year, I wanted to delve a bit into how integration of capabilities is really driving their strategy and what that means to the security business. I also need to speculate a little on what could derail their plans, like a new competitor (unlikely) or some anti-trust action (still not likely, but more likely). Sure it's speculation, but it's my party and I can do that if I want.
http://securityincite.com/blog/mike-rothman/cisco-takes-it-to-the-next-level
Coming Soon: The Pragmatic CSO
I'm really excited to announce my upcoming book, the Pragmatic CSO: 12 Steps to Becoming a Security Master. Security hasn't really gotten better, and most security professionals are totally overwhelmed and having a hard time putting in place a program to be strategic, as opposed to firefighting. So the Pragmatic CSO is the Security Incite methodology for "doing" security, allowing you to focus on what's important and show value to the folks that write the checks. There will also be a web community and training programs to support the book as well. You can check out the Pragmatic CSO teaser site here.
http://securityincite.com/blog/mike-rothman/coming-soon-the-pragmatic-cso
Year-end webcast and seminar promotion
In order to support (and properly evangelize) the Pragmatic CSO, I want to be speaking anywhere and everywhere about pretty much anything related to information security. To do that, I'm making it very attractive for vendors and associations to book my talking head for the first 6 months of 2007. Check out the promotion and sign up quick, since the promotion only lasts until the end of the year, and I expect slots will be going fast.
http://securityincite.com/blog/mike-rothman/year-end-webcast-and-seminar-promotion
Read yesterday's Daily Incite
http://securityincite.com/TDI-2006-11-09


Mike,
I have to be careful what I say about Check Point since Accuvant is a partner, but I will say that the partner loyalty I have seen among Accuvant's competitors is not really terribly high, and it is sinking. They realize that Check Point is still seen as a firewall company that seems to be trying to get into other areas, though they have been in other areas for a while now. And since perception has changed about firewalls - namely that firewalls are seen as devices typically now and not just software - they are looked at as outside the mainstream, and not in a good way.
Also, their licensing is about as bad as it gets, and they are still raising prices. I know of a couple of VARs that have backed away from them significantly.
As for users, I think that if they were introduced to firewalls via Firewall-1 (as many security people were), then they are probably still fairly loyal. But I know of a few users who are backing away from that as they see other interfaces and realize that the FW-1 rule engine is just weird (in my opinion, anyway).
Michael