The Daily Incite - November 28, 2006

Submitted by Mike Rothman on Tue, 2006-11-28 10:29.
Today's Daily Incite

November 28, 2006 - #161

Good Morning:
Change is good. I have spent much of my career doing 18-month gigs as this or that. Sometimes the change was forced on me, other times I initiated the need to do something else. Why do I bring this up? Because two of my analyst brethren have decided to head back into vendor-land. Amrit Williams has left the G-people (here) and Stiennon has also finished with this year's (IT-)Harvest (here). Good luck to you both.

Me? I'm happy right where I am. But that doesn't mean that I'm not forcing change. The Pragmatic CSO will change my business next year and that's exciting. So even though I'll never work for someone else again (I probably shouldn't say never, but I can't see it right now), I'll constantly be adding new things (and tuning old things) to add value for you and keep it exciting for me. It took me a long time to get comfortable with the fact that I'm best suited to do analyst-type things. But now I'm here and it's great.

Speaking of The Pragmatic CSO, there is a little overview of two security frameworks (here) that provides a good perspective on what and how a framework can contribute to your security program. Symantec has gotten into the security awareness training business (here) and it's a good thing. And I rant a bit about how we are supposed to know whether any of these products stop rootkits (here), since every vendor says they stop rootkits with their existing stuff. It would be nice to see an independent body do a test to validate the marketing smoke.

To keep the holiday spirit going, in blog land I point to a Security Monkey post (here) about things we should be thankful for (and I couldn't help but list a few things we shouldn't be thankful for). I also weigh in on this whole Cyber-Monday stuff (here), relative to whether we can and should prevent employees from doing some "non-productive" stuff on the company's nickel. Finally, 2007 may very well be the year of database security and provide an inflection point in data security. Amrit makes the case as to why Oracle isn't where they should be and what users should be doing (here).

Have a great day.

The Pragmatic CSO
Coming January 2, 2007
Webcast promo

Top Security News

Are security frameworks useful?
So what? - Given that I'm writing my own little methodology to implement a security program (The Pragmatic CSO), I get a fair number of questions about how it dovetails with things like ISO 17799 or SABSA (which is one I hadn't heard of) or COBIT or about 20 others that could be used. Basically, I am a fan of simplicity - so my experience with many of these frameworks is that they are overkill for most organizations and don't really give enough specific detail to be useful to those folks just trying to get something done. But that doesn't mean there isn't value. By starting out with one of the frameworks (maybe even mine), you can then adapt them to your specific protection, monitoring, and reporting requirements. The real question is how long will it take to make one of these things work for you and is that effort more useful than just doing it yourself? I can't answer that for you, but I can make sure you ask the question. If you want more info on 17799 or SABSA, check out this tutorial on SearchSecurity.
http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1210555,00.html


Big Yellow Train(ing) leaves the station
So what? - For those of you new to TDI and my ranting, you'll get pretty quickly that I'm a fan of security awareness training. Sure, in a lot of cases it's frustrating, especially when users continue to do stupid things that you have to clean up. But against the increasing number of social engineering-type attacks, there aren't really any good technical defenses. So you have to rely on teaching the users what's right and what's wrong. But many of these programs have been hodge-podge in nature, not structured, not using a standard curriculum, and not testing for results. Symantec announced their own offering in this space today, and it's the first foray of Big Security into the training world. Good for Symantec. I don't know that the offering is going to meet all the needs initially (maybe they'll let me test it out), but it's definitely a good start and it legitimizes the need to be much more structured about security awareness. At $49/head it seems a bit pricey, but I'm sure it's more leverage that can be brought to bear (meaning big discounts) when it's time to renew all of those desktop AV licenses.
http://biz.yahoo.com/iw/061128/0188627.html

Looking for rootkit tests
So what? - Rootkits are a pretty misunderstood plague. Everyone in security has heard of them, but it's not clear that most folks would know one if it came up and said hello. This lack of definitive information is becoming more of a problem because now you have all sorts of folks saying they detect and eliminate rootkits. The AV vendors, the anti-spyware vendors, the HIPS vendors - they all have an answer. Just ask them. But what I haven't seen is an even somewhat independent analysis of how well these products actually detect a rootkit. When I saw this article on Network Computing, given their usually good technical coverage - I figured maybe this would be it. Not so much. The article is a good overview of why rootkits are a problem, but doesn't really answer the question convincingly about what's best to protect against them. Maybe this is something the ICSA Labs can address and add to their AV and other testing criteria - as opposed to just milking their existing programs.
http://www.networkcomputing.com/showArticle.jhtml?articleID=194200011

Security Suite review
So what? - InformationWeek reviewed 3 of the top PC Security suites in this article. They didn't anoint a winner among McAfee, Symantec and Trend, but highlighted strengths and weaknesses. All of the products make computing more ponderous (though Trend is the least obtrusive), they have pretty comprehensive protection (McAfee has the most in the box at this point), and they are all pretty easy to use (Symantec provides a balance between ease of use and control). So once again, the differentiation amongst PC suites is minimal and the performance hit is significant. But since you all will be buying new fancy dual-core hardware to run Vista, it won't be an issue - right? My experience is similar; I use McAfee on one PC and CA on the other. McAfee is very slow (both using the configuration interface and for general tasks), but my 6-year-old is the only one who uses that machine, so she doesn't know the difference. I hardly even notice that the CA product is on my other PC (which I use about 50% of the time). But then again, I've got lots of layers protecting both of those devices, so it's pretty unlikely that my desktop protection will come into play.
http://www.informationweek.com/showArticle.jhtml?articleID=196513317


Focus on things WITHIN your control
So what? - I'm not a huge fan of spending time even thinking about things that are not going to happen. So when I read this post on McAfee's blog about whether you would use security software if you didn't need to, I get a bit pissed. Basically, these theoretical discussions on very very very low likelihood events are best left to philosophers and other folks that don't have day jobs that require effort. Maybe someday we will totally start over again. New devices, new applications, new networks - built from the ground up to be secure. Then maybe I'd be willing to spend some cycles to figure out whether I wanted to use security products. BUT my friends, that ain't today and it ain't tomorrow. So let's spend our cycles more productively and figure out what the right mix of security stuff is - to maintain availability and protect our corporate assets.
http://siblog.mcafee.com/?p=32

Top Blog Postings

Be Thankful for Security
I couldn't agree more with Security Monkey about being thankful for security. It is a bit sad that I (and many many of my friends) can make a pretty good living because we are not secure. I'm not thankful that we keep layering band-aid on top of band-aid to quilt together a hodge-podge of crap that is supposed to protect us. And I'm certainly not thankful that there are still so many unsuspecting, dense, and misdirected users out there that continue to make the same mistakes over and over again. What I am thankful for is the community of security folks that fight the good fight every day. We do our best to make the computing environment safe and protect our corporate assets, and most of all we don't give up. We've had some dark days, and there are more to come. But it's always darkest before the dawn and I'm thankful that I still get the opportunity to get up every morning and help people in that fight.
http://blogs.ittoolbox.com/security/investigator/archives/be-thankful-for-security-13122

At some point, you need to trust your workers
Seeing Shimel dismember Farnum about whether to allow "non-productive" web use at work (like this Cyber-Monday thing) got me thinking. In general, I believe we need to trust our workers. You've got a pretty miserable culture when a productive worker can't take a 5 minute break and go see something funny on YouTube. But on the other side of the coin is the security issue, in that some of these "funny" and viral sites can insert lots of bad stuff on your desktops. But ultimately I've got to side with trusting the workers, but I'm not going to be stupid - I'm going to put in place monitoring (to make sure my trusted workers don't start abusing me or doing inappropriate things) and protections (like outbound web filtering and layers from my perimeter to my desktops) just to make sure. And it's not like you can avoid making these investments even if you lock down the worker's right to shop or surf or whatever. There are lots of what would seem to be "legitimate" sites that present problems as well. So have a little trust, and be ready to clean up the mess.
http://www.stillsecureafteralltheseyears.com/ashimmy/2006/11/the_farnum_who_.html

Oracle security is the next gravy train
As Microsoft remains the company that most security folks love to hate, when you read a post about what Oracle faces over the next few years, you really should appreciate what Microsoft has done to improve their security posture. Sure they still screw things up, but Amrit makes a number of good points about why database security is something that everyone needs to start paying attention to. The problem is that Oracle still has a very unsophisticated process to deal with these issues and it's showing. And given how headstrong Oracle is (that's being pretty politically correct, especially for me), it will be years before they really address the issue. Think Microsoft back in 2002 and you'll get where Oracle is today. I do think they'll get the picture, but not soon enough. So many of the parasitic 3rd parties that hovered around Microsoft (read AV vendors) to address their security shortcomings, will increasingly start seeing Oracle as the next host. The consolidation will begin next year in earnest in this space as Big Security finds their next gravy train. 
http://techbuddha.wordpress.com/2006/11/25/oracle-security-where-art-though/

U3 - be afraid
Last week Ken Camp did a piece on how some users are loading Skype on U3 smart drives to get around policies meant to stop them from using the application. Now if your business has a policy in place that doesn't allow peer-to-peer applications, then this is not kosher. You've got a couple of ways to stop it. First you can implement application control on the desktop, which could lock down the USB port and not allow applications to run from there. It also stops executables from running, so even though the U3 doesn't write to the registry, the application shouldn't be allowed to run. You could also stop the traffic on the network, although that can be a challenge. My advice - focus on the desktop. Basically application control is becoming a feature of the desktop security suite, which is morphing into a broader endpoint security offering. Turn off your USB ports or lock down the applications that can run on the device. Sure you get to enforce your policy on something like Skype, but you also protect those devices against malware that would run an executable on the device.
http://ipadventures.com/?p=1437
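To make the "turn off your USB ports or lock down what can run from them" advice concrete, here is an added PowerShell script that is not part of the original post or of Ken Camp's piece, and not the code of any endpoint suite. It audits the two Windows controls the paragraph alludes to and, only when asked, enforces them: the narrow control (the "Removable Disks: Deny execute access" policy, which leaves the drive usable but refuses to execute programs from it) and the blunt one (disabling the USB mass-storage driver outright). It assumes it runs elevated on a standalone or locally-managed box; on a domain member the same values are normally pushed by Group Policy and a domain GPO would override these local writes. The RemovableStorageDevices policy keys exist on Vista and later, while the USBSTOR service Start value is the XP-era control. The CD-ROM class is included because U3 drives present an emulated CD-ROM partition from which their launcher starts.

```powershell
# Added example for auditing/enforcing "no execution from removable media".
# Assumptions: elevated session; local policy not overridden by a domain GPO;
# RemovableStorageDevices keys are honoured on Vista and later.
param(
    [switch]$Enforce,             # apply Deny_Execute for removable disks and CD/DVD
    [switch]$BlockAllUsbStorage   # additionally disable the USBSTOR driver (blunt)
)

$usbstor = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$policyRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
# Device class GUIDs used by the removable-storage access policy:
#   Removable Disks   {53f56307-b6bf-11d0-94f2-00a0c91efb8b}
#   CD and DVD        {53f56308-b6bf-11d0-94f2-00a0c91efb8b}  (U3 launcher lives here)
$classes = @{
    'RemovableDisks' = "$policyRoot\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}"
    'CdAndDvd'       = "$policyRoot\{53f56308-b6bf-11d0-94f2-00a0c91efb8b}"
}

function Get-RemovableExecPosture {
    # Returns one object summarising the current state of both controls.
    $start = (Get-ItemProperty -Path $usbstor -Name Start -ErrorAction SilentlyContinue).Start
    $result = [ordered]@{ UsbMassStorageDisabled = ($start -eq 4) }   # 4 = SERVICE_DISABLED
    foreach ($name in $classes.Keys) {
        $deny = (Get-ItemProperty -Path $classes[$name] -Name Deny_Execute `
                 -ErrorAction SilentlyContinue).Deny_Execute
        $result["DenyExecute_$name"] = ($deny -eq 1)
    }
    [pscustomobject]$result
}

function Set-RemovableExecPosture {
    param([switch]$DisableUsbStorage)
    # Narrow control: keep the media mountable, refuse to execute from it.
    foreach ($path in $classes.Values) {
        if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
        Set-ItemProperty -Path $path -Name Deny_Execute -Value 1 -Type DWord
    }
    # Blunt control: no USB mass storage at all (takes effect for newly attached devices).
    if ($DisableUsbStorage) {
        Set-ItemProperty -Path $usbstor -Name Start -Value 4 -Type DWord
    }
}

Write-Host 'Current posture:'
Get-RemovableExecPosture | Format-List

if ($Enforce) {
    Set-RemovableExecPosture -DisableUsbStorage:$BlockAllUsbStorage
    Write-Host 'Posture after enforcement:'
    Get-RemovableExecPosture | Format-List
}
```

Run it with no switches first to see where a machine stands; `-Enforce` applies the deny-execute policy, and `-Enforce -BlockAllUsbStorage` also disables the mass-storage driver for anyone whose policy really is "no thumb drives, period". Either way the deny-execute setting is the one that maps to the post's point: the U3 drive can still mount, but the Skype launcher on it is not allowed to run, which is the same outcome an application-control agent enforces with more granularity.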

Recently on the Security Incite Rants Blog

Inciting: Threat Management Panel
I'll be doing a live panel on Threat Management on Thursday. Check it out and hear me rant in real-time.
http://securityincite.com/blog/mike-rothman/inciting-threat-management-panel

Passwords are dead? Long live passwords!!!
http://securityincite.com/blog/mike-rothman/passwords-are-dead-long-live-passwords

Black Friday is just another Friday
http://securityincite.com/blog/mike-rothman/black-friday-is-just-another-friday

Your Business Plan is Wrong!
http://securityincite.com/blog/mike-rothman/your-business-plan-is-wrong

Vendor Pet Peeves
http://securityincite.com/blog/mike-rothman/vendor-pet-peeves

Deal: Check Point buys Pointsec
http://securityincite.com/blog/mike-rothman/deal-check-point-buys-pointsec

Read the most recent Daily Incite

http://securityincite.com/TDI-2006-11-27