The Daily Incite - November 27, 2006

Submitted by Mike Rothman on Mon, 2006-11-27 10:58.
Today's Daily Incite

November 27, 2006 - #160

Good Morning:
I hope everyone (in the US anyway) enjoyed their holiday. For the first time in a long time, I actually took the entire 4 days off and didn't work at all. It was nice. Thanksgiving, surrounded by family and friends, was great as well. Until midway through Thursday anyway, when a 24-hour stomach bug felled my plans for my traditional Turkey Day binge. So instead of turkey, stuffing, cranberry sauce, and all that other good stuff, my friend Pepto and I stayed in close proximity to my porcelain throne. That was a bummer, but I was back in sort of fighting shape by Saturday to enjoy what was left of the festive meal.

Predictably it was a slow week in security land. Besides the Check Point/Pointsec deal, I caught up on a bunch of posts I'd been meaning to write (here). As we get back into the swing of things, it's still a pretty barren security news landscape. So I rant a bit on how we get to spend the next month looking back at the prior 11 (here) and how cyber and physical security are increasingly coming together (here). I also continue to rant about metrics (here) by pointing to an article that I think is just terrible. If you (or your CIO) start mentioning these kinds of metrics to figure out how effective your security spending is, beat yourself with a Turkey Leg for good measure.

In blog land, Richard Bejtlich writes one of the better posts I've seen all year (here). In fact, I'm kind of pissed because I should have thought of this very clean analogy of how the role and skill sets of security professionals are evolving. Just great stuff. Let me also point out a good analytical post from Jeremiah Grossman about how vulnerability scanning is evolving (here), but keep in mind that these tools are no replacement for good, old-fashioned pen tests done by real humans who can find real issues.

Have a great day.

The Pragmatic CSO
Coming January 2, 2007

Top Security News

Looking back, looking forward
So what? - Now that the holiday season is upon us, we'll start going through that inevitable (and mostly useless) exercise of what happened last year and what's going to happen next year. I know you need to plan and I know we need to be respectful of history (lest we make the same damn mistakes over and over again), but this annual tradition kind of bores me because everybody does it. And most people recycle the same rubbish, so not only do I need to read the rubbish in the first place, I get to read it over and over again. But enough of my grumpiness. The first 2006 retrospective that I saw was this InformationWeek overview. Threats are getting tougher. Yep. Rootkits are a problem. Check. "Polymorphics" or compound threats are harder to detect and clean. And? Actually, this retrospective was based on a research report that the newly energized Symantec research group put out, basically saying you need more sophisticated detection technology. Duh! So get ready to look back, but within the context of all the great new stuff that you'll be expected (by the vendors, anyway) to buy next year.
http://www.informationweek.com/story/showArticle.jhtml?articleID=194400943


Physical and cyber security integration - common skill sets?
So what? - Clearly we are seeing the term "security" morphing into a number of different things, but all under the auspices of protecting corporate assets. Yes, employees and facilities are corporate assets as well. So the "CSO" may also have responsibility for physical stuff, and over time this is a good thing. But initially this is going to cause some pain. Why? Because most cyber security folks know precious little about physical security (except maybe The Mogull), and many physical security folks would be pretty ineffective at tackling that intruder who happens to live in Belarus. But the logic and necessity of joining the two efforts is clear, and it's about more than HSPD-12 (the US Government's mandate for a common identity credential for federal employees and contractors). Attacks can (and will) encompass more than just cyber or physical vectors. You'll see compound attacks that involve a physical disruption or social engineering techniques used in conjunction with brute force and phishing cyber attacks. Scary, huh? Determined criminals do not play by the rules, so we need to at least integrate reporting, awareness, and training efforts to make sure we are ready when these multi-mode attacks start to happen.
http://www.networkcomputing.com/showArticle.jhtml?articleID=194200006

3 ways not to gauge security spending
So what? - Security metrics are obviously a hot button with me, and when I see some stuff from CIO types that just doesn't resonate, I need to vent a bit. This column by Paul Strassman (an experienced big-company CIO) is pretty much nonsensical and reflects the old and, I'd posit, ineffective way of trying to discern "value" from security spending. First he says to compare security spending to total IT spending. OK. But what if your business is a totally information-centric environment with significant intellectual property at stake? Is 10% too much? I don't know. Generic benchmarks are not useful. Next you evaluate "lost employee time" vs. investment in security. Huh? So I calculate what it costs to be down, and if I spend 200% or more of that on security then I am spending too much. Maybe I'm just dense, but I don't get it. And finally, measure the impact of cyberattacks on employee productivity. And how am I supposed to do that? Security spending is directly correlated to how well a business case can be made that security helps the company either make money or save money. Period. These "metrics" will do nothing but waste your time, except maybe the one about gauging the cost of downtime. I can only hope your CIO didn't read this drivel, because then you'll start to see this crap on your 2007 MBOs.
http://www.baselinemag.com/article2/0,1540,2062956,00.asp

Laundry list of Microsoft Security
So what? - InformationWeek did a big spread on Vista, which, given its release to corporate customers this week, is probably a good thing. So we security folks need to go back and revisit the new stuff and figure out what (if anything) can and should be turned on. Vista is going to happen for your organization. You'll buy new PCs and thus you'll have Vista, so the question is what should you use and when. This article gives a laundry list of the security capabilities of Microsoft in general (Forefront is not Vista specific). Things like BitLocker should be put into use immediately. NAP, well, maybe at some point in 2009 or 2010 when all of your switches are upgraded (to use the Cisco NAC/NAP interoperability) or you've transitioned all your servers to Longhorn. Other stuff, somewhere in between. But the point is that you need to have a plan, because Vista is going to happen to you.
http://www.informationweek.com/showArticle.jhtml?articleID=195900155


McAfee sends ISS a holiday greeting
So what? - When I was a marketing guy, competitive upgrade programs gave me heartburn. But not because I was actually worried about my customers taking advantage of the program. If the customer was pissed off enough they'd buy a new device, regardless of whether they were getting an upgrade benefit or not. The point of a competitive upgrade program is NOT to actually sell more boxes, though that would be nice. It's about putting the competition on the defensive. And these programs work like a charm for that. McAfee announced this AM a program for ISS customers. Again, most ISS customers are probably fine, and the ones that are pissed off maybe will take a look at McAfee's stuff. But now ISS' channel and more vociferous customers will start asking questions. Is this true? Are some folks really worried about the product line? If McAfee executes on this program (which involves more than a press release), ISS people will now spend time spinning why the IBM deal was a good thing, as opposed to talking about new technologies and products. Part of competing is keeping the competition on their heels, and these upgrade programs are a good way to do that. In my experience, anyway.
http://biz.yahoo.com/prnews/061127/sfm025.html?.v=75

Top Blog Postings

Do you play offense or defense?
I could do a lot of damage with the analogy that Richard Bejtlich uses to describe how security is changing (Which team do you play for? and so on), but that would be a waste. Richard's point here is brilliant. Until now, you were either an offensive or a defensive security person, and which one had a lot to do with what you did for a living. AV researchers and other product-oriented folks tended to be more offensive. Corporate security folks were more on the defensive side. But that is evolving (like Bobby Orr evolved the role of the defenseman in hockey - brilliant) and we as security folks need to understand that. You need to be able to think like the bad guy in order to anticipate what can happen, so those that specialize in defense had better dust off (or learn) some of those skills. Likewise, even top researchers should spend some time with real customers and users to understand that it's not just about finding the next thing that's broken, but also about making sure that all of the flanks are protected at all times. But it's going to be the folks that can think both ways who will find success moving forward.
http://taosecurity.blogspot.com/2006/11/digital-security-lessons-from-ice.html

Spend wisely vs. just spend
It's too bad Mark Shavlik lost his blogging momentum over the past few months. He has a lot to add to the conversation. Like this post, where he pokes a bit at how some have said security problems were going away, and then not so much. Mark's perspective is one from a smaller security company, so he's clearly a fan of specialists that focus on practical solutions. That's not a surprise. But what I take out of the post is the focus on solving the problem. Maybe the answer is an architectural type of solution, or maybe it's something that can be done pragmatically and for pretty short money. It's about staying focused on the set of problems that your business has identified as important to solve, and bringing to bear the technology and process to solve them. That's spending money wisely.
http://shavlik.typepad.com/mark_shavliks_blog/2006/11/security_battle.html

The evolution of vulnerability scanners
Jeremiah Grossman does a good analysis of where vuln scanning is going in this post. He's mostly on the money: requiring disparate scanning products and technologies to cover the entirety of the infrastructure is a pain in the ass and cannot persist. I also think there are advantages to a managed service model for this type of offering, but that market has been unsuccessful thus far. A market of one (Qualys) is not a market. Yet I want to delve into an interesting part of the post that talks about technical vulnerabilities vs. business logic flaws. This is the crux of the issue. Sure, we will continue to get better and more automated tools, but ultimately you need experts to also find those issues that aren't necessarily "vulnerabilities" (an injectable parameter, a known-bad version string) but logic errors that can create an exposure: the application does exactly what it was built to do, and what it was built to do is wrong. A scanner sees a valid response and moves on. So forget about dropping those periodic pen tests; it would be a bad idea. Tools are good, but there will remain a role for people in the process as well.
http://jeremiahgrossman.blogspot.com/2006/11/what-scanners-can-and-cant-find-who.html
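To make the technical-vulnerability-versus-logic-flaw distinction concrete, here is an added example of my own; it is not code from Jeremiah's post or from any product discussed here. It assumes a hypothetical web-shop checkout handler with a constructed server-side catalogue, and it models "what a scanner sees" as nothing more than grepping the response for error signatures. The vulnerable handler trusts the client's price and quantity fields; the hardened one looks prices up itself and validates input. Both answer every request with a well-formed 200-style response, so a signature-driven scanner flags neither, while a human who knows that quantities must be positive finds the flaw in one request.

```python
"""Business-logic flaw that a vulnerability scanner does not flag.

Constructed example (not from the post): a tiny checkout endpoint.
The vulnerable version trusts client-supplied prices and quantities;
the hardened version looks prices up server-side and validates input.
Both answer with a well-formed response, so a scanner looking for
injection signatures or error strings sees nothing to report.
"""
from dataclasses import dataclass

# Hypothetical server-side catalogue (constructed data).
CATALOGUE = {"SKU-100": 49.99, "SKU-200": 15.00}

# Strings a signature-based scanner typically greps responses for.
ERROR_SIGNATURES = ("SQL syntax", "Traceback", "ODBC", "Exception")


@dataclass
class Order:
    status: str      # "ok" or "rejected"
    total: float
    reason: str = ""


def checkout_vulnerable(cart: list[dict]) -> Order:
    """Trusts every field the client sends.  Syntactically valid input
    such as a negative quantity or a price of 0.01 is accepted, and the
    shop ends up owing the customer money or selling at a penny."""
    total = 0.0
    for line in cart:
        total += float(line["price"]) * int(line["qty"])
    return Order("ok", round(total, 2))


def checkout_hardened(cart: list[dict]) -> Order:
    """Price comes from the catalogue (client-sent price is ignored),
    quantity must be a positive bounded integer, and the computed total
    must be positive.  The business rule is enforced, not just syntax."""
    total = 0.0
    for line in cart:
        sku = line.get("sku")
        if sku not in CATALOGUE:
            return Order("rejected", 0.0, f"unknown sku {sku!r}")
        qty = line.get("qty")
        # type() rather than isinstance(): bool is an int subclass.
        if type(qty) is not int or qty < 1 or qty > 100:
            return Order("rejected", 0.0, f"bad quantity for {sku}")
        total += CATALOGUE[sku] * qty
    if total <= 0:
        return Order("rejected", 0.0, "non-positive total")
    return Order("ok", round(total, 2))


def scanner_flags(order: Order) -> bool:
    """All a signature-based scanner can see is the response text.
    A logically wrong but well-formed answer matches no signature."""
    text = f"{order.status} {order.total} {order.reason}"
    return any(sig in text for sig in ERROR_SIGNATURES)


# Constructed attacker requests: valid JSON, valid types, no payloads.
NEGATIVE_QTY = [{"sku": "SKU-100", "price": 49.99, "qty": -3},
                {"sku": "SKU-200", "price": 15.00, "qty": 1}]
TAMPERED_PRICE = [{"sku": "SKU-100", "price": 0.01, "qty": 1}]


if __name__ == "__main__":
    for name, cart in (("negative qty", NEGATIVE_QTY),
                       ("tampered price", TAMPERED_PRICE)):
        v = checkout_vulnerable(cart)
        h = checkout_hardened(cart)
        print(f"{name:15} vulnerable -> {v.status} total={v.total:.2f} "
              f"scanner_flags={scanner_flags(v)}")
        print(f"{name:15} hardened   -> {h.status} total={h.total:.2f} "
              f"{h.reason}")
```

Run it and the vulnerable handler happily returns a negative total (a refund the customer never paid for) and a $0.01 sale, with `scanner_flags` false both times. The fix is not a regex or a patch level; it is knowing that a quantity below one and a client-chosen price are meaningless for this business, which is the kind of context a human tester brings and a generic scanner cannot.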

Recently on the Security Incite Rants Blog

Passwords are dead? Long live passwords!!!
http://securityincite.com/blog/mike-rothman/passwords-are-dead-long-live-passwords

Black Friday is just another Friday
http://securityincite.com/blog/mike-rothman/black-friday-is-just-another-friday

Your Business Plan is Wrong!
http://securityincite.com/blog/mike-rothman/your-business-plan-is-wrong

Vendor Pet Peeves
http://securityincite.com/blog/mike-rothman/vendor-pet-peeves

Deal: Check Point buys Pointsec
http://securityincite.com/blog/mike-rothman/deal-check-point-buys-pointsec

Read the most recent Daily Incite

http://securityincite.com/TDI-2006-11-17