The Daily Incite - November 14, 2006
November 14, 2006 - #156
Good Morning:
It's Tuesday and I'm in a pretty good mood. And when I'm in a good mood, I like to poke some other folks. I know, I probably should talk to my therapist about that, but it's not about making other folks feel bad (though that can be a result), it's to save my readers time. By calling bunk on product certifications (here), pointing to the idiocy of a survey that says 20% of people don't see a threat from insiders (here) or some more of the silly security awards (here), hopefully you won't spend any of your day thinking about this stuff. The fact that I enjoy poking holes in stuff is beside the point.
In blog-land, Amrit calls for us to start to think differently and evolve our processes to keep up with the changing threat-scape (here). He's right and thought provoking. Read that post. I also want to point to a piece done by Joel Spolsky (here) on how some folks game metrics in application development land, and we should expect a similar situation in security. That's why we need to really consider what metrics are used very carefully. Incent the wrong behavior and no one wins. Finally, Jeremiah does a good job of categorizing the vulnerability scanning market (here), so check that out.
Have a great day.
Top Security News
Burton says "Big is the new small" too
So what? - Seems that Dan Blum, who is one of Burton Group's senior analysts, was down at the CSI show giving a lay of the land. Most of this stuff is DUH! Like "integration is also expected to simplify security oversight" and "the key is not getting trapped on a treadmill of having to buy a new security tool every time a new attack vector is discovered." But Dan also recommends "narrowing it down to one 'primary' security vendor plus a limited number of others to fill in and ensure better security coverage." The coverage has some nonsensical statements on big vendors being able to keep up with new attacks, but for the most part this advice is decent.
http://www.darkreading.com/document.asp?doc_id=109786
Certification ransom
So what? - I'm not a huge fan of excuses. And I've probably heard them all. Especially from struggling reps who for some reason or another couldn't figure out how to sell my products/services. All of you marketers are familiar with the "it's marketing's fault" excuse: if we only had that certification or reference account or piece of collateral, I could sell a boatload of stuff. Now that is a rash generalization, so all of my sales friends, don't go nuts. If you are still employed and carrying a bag, odds are you focus more on selling stuff than making excuses. What got me going on this rant? A "BITS Tested" press release from SafeBoot. So basically, organizations like BITS (and ICSA Labs and the pirates that do Common Criteria certification) hold vendors for ransom. Why? Because these organizations have done a good enough job working end users that the certification shows up as a check-mark on a bunch of RFPs. So you end up needing to pay to have any chance in the deal. I guess that's the way the game is played, and I'm just venting a little, but it still annoys me because these certification fees tend to come out of the marketing budget.
http://www.safeboot.com/Press/Repeater_DataSource.aspx?NewsID=28
The other 20% have their heads up their butts
So what? - I found this survey to be just beyond comprehension. Sendmail is trying to push their new outbound email security product, so they contract with Aberdeen Group to do a survey to concoct some data to justify the market need. They say that "80% of companies are aware of the threat of loss of confidential data by insiders." HUH? What rock are the other 20% under? This is the kind of stuff that makes me crazy. I guess you can't really say 100% of people say it's a risk because what fun would that be? Then they make up some other numbers like "80% of every organization's compliance, privacy and corporate governance violations" are due to email. Really? I guess lost laptops have nothing to do with it? Or USB drives? Or podslurping? Give me a break. I feel for these folks that have to make stuff up (or have a third party do it for them) because they are trying to create some demand for their stuff. But that doesn't make the numbers make sense.
http://www.sendmail.com/company/news/20061113/
Security comes to a hosting provider near you
So what? - It's just a matter of time before the carriers get more involved in managed security. We can argue all day about how dumb the telecom providers are, but what you'll see is that customers will increasingly want to buy a service that provides a clean pipe. Right now, mid-sized businesses spend an awful lot of time and money doing security, and a lot of the crap can be filtered out in the network. Like it or not, telecom providers are pretty well positioned to do that as the technology continues to mature. Hosting providers, like Rackspace, are jumping in a bit ahead of the curve to try to add some value as their business continues to commoditize as well. So Rackspace has partnered with Alert Logic to provide an "IDS" offering to protect those servers hosted by Rackspace. They'll try to upsell the IDS (as opposed to the managed firewall they already provide as part of the service), but that won't be long lived. Ultimately, the hosters will be using security as a differentiator for the next few years, until the telecom providers can get out of their own way in the space.
http://www.rackspace.com/mediacenter/release.php?id=136
The security silly season
So what? - Kind of like the golfing year-end "silly season" where there is no real use (besides making the golfers even richer), we in the security space have our own little silly season, and the purpose is to make SC Magazine, BusinessWire, and PRNewswire richer. The voting will be open soon for the SC Magazine awards, where for the paltry price of $200 you can nominate yourself to get on the list. I haven't done the correlation between advertisers and finalists, but I suspect it's high. And then the popularity contests begin. You will see lots of little "vote for me" campaigns on websites and via email blasts (I know because I used to have to play this ridiculous game). Then if you win, a little birdie tells you that you absolutely need to be at the awards gala event at the RSA Conference. You want a table for 10, right? Break out your tux and eat some rubber chicken while you are at it. Actually, the SC Awards are not as ridiculous as the Info Security Products Guide, but I wouldn't be signing a PO because of the win either.
http://www.f5.com/communication/press/2006/release111406.html
Top Blog Postings
Of course information security must evolve
Amrit does a good job of categorizing the shifting sands in the security business that are making it more evident every day that the status quo is not the path to success. Though obvious, a statement like "People, process and technology need to adapt to these drivers or face extinction" sums up the situation. If we keep looking backwards, chasing the vulnerabilities, and saying 10 Hail Marys that today won't be the day, this situation is going to become even more untenable. As velocity increases and the attack surface multiplies (just wait until SOA throws everything for a loop), we need to think differently. Seriously. Amrit's key concepts are some good ideas to keep in mind. I won't repeat them here, so click the link and learn something. Of course, most folks won't really know how these concepts should change what they do on a daily basis, but that's what the Pragmatic CSO is for. (Of course, I couldn't miss the opportunity to flog it some more.)
http://techbuddha.wordpress.com/2006/11/13/information-security-must-evolve/
The downside of metrics
Most of you should know by now that I'm not a fan of metrics. From a security standpoint, the only one that matters is whether you have been compromised, and that's pretty binary. But I get that six-sigma heads and other quants need to have something to measure. Just be very careful when determining what to measure. Joel (of Joel on Software) has a great rant here about measuring function points in an application context and how it can reward the wrong behavior. His conclusion is: "The whole fraud is only possible because performance metrics in knowledge organizations are completely trivial to game." And that's the key: we need to figure out what the right security behavior is and what metrics reflect it, and minimize the chances that the system can be gamed. Time to patch and AV updates just don't feel right. I know that some folks (like Yankee's Andy Jaquith) are working on this, but suffice it to say, we need to be very careful. Define the wrong metrics and you'll be paying for a long time to come.
http://www.joelonsoftware.com/items/2006/11/10b.html
Workplace privacy - not on my watch!
Tom Olzak has a pretty interesting post that warrants some thinking. It seems that some employees expect that they have some right to privacy relative to what they are doing with company-owned assets. Tom's policy makes it clear that company assets cannot be used for non-business purposes. That's pretty straightforward, no? That is, until a court ruled that because the employer was not consistent in monitoring behavior and didn't apply sanctions for misuse, they lost the right. Thankfully an appeals court overturned the ruling, but the message should be loud and clear. If your policy says you are going to monitor employee online behavior, then you need to do that CONSISTENTLY. That includes monitoring email as well. The last thing you want is to have your hands tied when you really need to enforce the policies.
http://blogs.ittoolbox.com/security/adventures/archives/workplace-privacy-vs-computer-abuse-investigations-12898
Vulnerability scanning - bring your checkbook
Vulnerability scanning needs to have a place in every security practitioner's toolkit. How else do you know what is exposed? Of course, vuln scanning is only the start of the process and generally returns a list of broken stuff so long that it will take until the next Ice Age to fix it all. But the problem with today's vuln scanning is that there are lots of different domains and a lot of different products/services you'll need to get full coverage. Jeremiah Grossman does a good job of categorizing what you'll need and even has a nice chart with some of the leading scanning vendors listed to show what they do (and what they don't). Yes, it's annoying, and this reeks to me of further consolidation needing to happen. Not just assembling a full suite of scan tools, but then integrating with remediation capabilities as well, so you can actually fix what's broken.
http://jeremiahgrossman.blogspot.com/2006/11/vulnerability-stack.html
Recently on the Security Incite Rants Blog
Coming Soon: The Pragmatic CSO
I'm really excited to announce my upcoming book, the Pragmatic CSO: 12 Steps to Becoming a Security Master. Security hasn't really gotten better, and most security professionals are totally overwhelmed and having a hard time putting in place a program to be strategic, as opposed to firefighting. So the Pragmatic CSO is the Security Incite methodology for "doing" security, allowing you to focus on what's important and show value to the folks that write the checks. There will also be a web community and training programs to support the book as well. You can check out the Pragmatic CSO teaser site here.
http://securityincite.com/blog/mike-rothman/coming-soon-the-pragmatic-cso
Year-end webcast and seminar promotion
In order to support (and properly evangelize) the Pragmatic CSO, I want to be speaking anywhere and everywhere about pretty much anything related to information security. To do that, I'm making it very attractive for vendors and associations to book my talking head for the first 6 months of 2007. Check out the promotion and sign up quick, since the promotion only lasts until the end of the year, and I expect slots will be going fast.
http://securityincite.com/blog/mike-rothman/year-end-webcast-and-seminar-promotion
Question: is it possible to game a situation when you don't have any metrics? You know, ignore the objectives of your organization and sort of goof off a lot or spend more budget dollars than you need to, or be sloppy in your work because you feel like it, or generally while away the day doing what you feel like doing? Just curious.
Pete
Check out Andy's blog post, we are starting to make progress and I look forward to reading his book on the topic. To be clear (yet again), I am not against metrics and I don't think that tracking whether you are compromised is sufficient. It's really the only metric that matters, but it's not sufficient to make a case for value. Andy is starting to put a framework in place that can be adopted. My hope (since I haven't seen it yet) is that it isn't too complicated for the common man to deal with. That being said, I'll be putting forth my ideas (and they will be Pragmatic) when my Pragmatic CSO book hits in early January as well.
So we will have much more fodder for the discussion as we ring in the New Year, and that is a good thing.