The Daily Incite - December 4, 2006

Submitted by Mike Rothman on Mon, 2006-12-04 09:36.
Today's Daily Incite

December 4, 2006 - #165

Good Morning:
Let's talk about passion today. Not passion as in passion-fruit. I've been known to opt for a somewhat fruity cocktail at times instead of my usual cerveza, but that's not where I'm going. I'm also not talking about any kind of sexytime passion either. This is a family blog after all. I mean having passion for what you do every day. Since it is December, and we all should be taking stock of what we did in 2006 and what we should be doing in 2007, I guess I'll do my assessment in a more public forum.

What's triggering this? Basically a post from Mr. Security Career, Mike Murray - who makes a great point about how being laid off (or even canned) can be a transformative event (here). I know from personal experience that it's true. You can look at every crossroads as an opportunity to revisit what it is you like to do and how you want to spend your days. I screwed that up the first time. I just pushed to do the same old thing because that's what I thought I was supposed to do. It involved uprooting my family and chasing the dollar. Let's just say it didn't work out as I anticipated.

Thankfully I learned from that experience. The next time I found myself in that same situation, I took a different tack. I decided it was time for me to be in control of my future, not another crazy tech entrepreneur. And that's what I did. How do you decide what you should do? As Mike says, find your calling. I call it passion. If you can't get excited about it, don't even bother. If you do what you love, you never have to work a day in your life.

Speaking of work, it's a slow news day. I'm really stretching to have anything interesting to talk about. It seems the December news doldrums have set in. But, that's OK because I'm knee deep in finalizing the Pragmatic CSO manuscript this week. So I expect to be pretty quiet besides your daily TDI. Come January, when the P-CSO book is done and the community is launched - I'll be back with a writing vengeance. I really appreciate you all sticking with me while I push the rock up the mountain. I'll be worth it - I promise.

Have a great day.


Top Security News

Do you know where your data is?
So what? - New e-discovery rules went into effect last week, which inevitably will leave some roadkill on the curb. Hopefully it's not you. Basically, as opposed to just keeping email (or making sure to destroy it consistently based on a reasonable policy), now you need to pay more attention to all sorts of electronic documents. And you have 120 days to find it all after a request. So what? Basically your CIO is now incentivized to have a much more sophisticated content management system in place, and that means very sensitive data will be stored and categorized for longer, and this stuff will be easier to find. Clearly a security concern, no? So the age of data security is upon us, driven by new application architectures and now more stringent e-discovery. I hope you love your data because we security folk are going to get very familiar with it real soon.
http://www.informationweek.com/showArticle.jhtml?articleID=196600853


Chicken Little's new PR strategy
So what? - It seems there is a new PR strategy that is guaranteed to generate lots of media interest. Mention al Qaeda and financial systems in the same sentence and watch the media twister spin out of control. That's what happened on Friday when the US Feds sent out a nebulous warning about a terrorist attack on financial web sites. Remember that the job of terrorists is to create terror, which could be real or perceived. I do believe that many financial institutions (especially the smaller ones) are exposed and could be effectively targeted, but is that going to create terror? Nope. They'd need to compromise the markets and I just don't think that's going to happen. It's kind of like a casino, in that they KNOW they are going to be targeted by fraudsters, so they've got lots of fraud detection in place to make sure transactions are kosher. How would a terrorist attack be different? Maybe I'm being naive here and I don't have enough of the "security mindset" to think that every system can be compromised. But given the scalability and fraud control inherent to market-based systems, I figure those would be as hard to crack as anything out there. Tell me if I'm wrong.
http://www.informationweek.com/showArticle.jhtml?articleID=196600823

DDoS that goes to 11
So what? - DNS attacks tend to be more the purview of ISPs and carriers, but that doesn't mean that we don't need to understand how they work. Dave Piscitello (writing for the folks at WatchGuard) provides a great overview of how DNS DDoS amplification attacks work. It's interesting stuff and really contingent on a DNS server being compromised. Even your most novice security manager will get that it's important to harden devices that reside in the DMZ, but this is a good reminder. If any of those devices are owned, it could get ugly. So reduce the type of stuff you need in the DMZ, and harden the crap out of those devices. Also make sure your DNS servers are configured properly so yours aren't pulled into this kind of attack.
http://www.corecom.com/external/livesecurity/dnsamplification.htm
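As an added example (not from the newsletter or from the WatchGuard article it links), here is the kind of check a DNS operator can run over their own query logs to see whether their server is being used as an amplifier: it flags outside clients that send recursion-desired queries or amplification-prone record types (ANY, TXT, DNSKEY, RRSIG) in volume. The log lines are constructed to approximate BIND's query-log format, and the "internal networks" list, the query types and the threshold are assumptions for illustration.

```python
"""Flag clients that look like spoofed DNS-amplification sources, from query logs.

Added example: the log lines below are constructed and only approximate the
BIND query-log format; the allowed networks and thresholds are assumptions.
"""
import re
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample log (not real traffic). 203.0.113.7 hammers the server
# with ANY queries from source port 53, the classic reflection pattern.
SAMPLE_LOG = """\
04-Dec-2006 09:36:01.101 client 203.0.113.7#53 (isc.org): query: isc.org IN ANY +E (192.0.2.53)
04-Dec-2006 09:36:01.102 client 203.0.113.7#53 (isc.org): query: isc.org IN ANY +E (192.0.2.53)
04-Dec-2006 09:36:01.103 client 203.0.113.7#53 (isc.org): query: isc.org IN ANY +E (192.0.2.53)
04-Dec-2006 09:36:01.104 client 203.0.113.7#53 (isc.org): query: isc.org IN ANY +E (192.0.2.53)
04-Dec-2006 09:36:02.200 client 10.1.4.22#41022 (www.example.com): query: www.example.com IN A + (192.0.2.53)
04-Dec-2006 09:36:02.300 client 10.1.4.23#41811 (mail.example.com): query: mail.example.com IN MX + (192.0.2.53)
04-Dec-2006 09:36:03.400 client 198.51.100.9#53 (example.com): query: example.com IN TXT +E (192.0.2.53)
"""

# Pulls client IP/port, query name, query type and the flag field ("+" = recursion desired).
LOG_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) \S+: query: "
    r"(?P<name>\S+) IN (?P<qtype>\S+) (?P<flags>\S+)"
)

# Assumed: only these networks are allowed to use this server as a recursive resolver.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]

# Record types whose answers dwarf the request; the usual amplification favourites.
AMPLIFYING_QTYPES = {"ANY", "TXT", "DNSKEY", "RRSIG"}


def parse_query_log(text):
    """Turn raw log text into a list of dicts; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["port"] = int(rec["port"])
        rec["recursion_desired"] = rec["flags"].startswith("+")
        records.append(rec)
    return records


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def flag_amplification_sources(records, threshold=3):
    """Return {client_ip: [reasons]} for clients with >= threshold suspicious queries.

    A query is suspicious if it asks for an amplifying record type, or if it
    requests recursion from outside the networks this server should serve.
    """
    counts = Counter()
    reasons = defaultdict(set)
    for rec in records:
        ip = rec["ip"]
        suspicious = False
        if rec["qtype"] in AMPLIFYING_QTYPES:
            suspicious = True
            reasons[ip].add("amplifying qtype " + rec["qtype"])
        if rec["recursion_desired"] and not is_internal(ip):
            suspicious = True
            reasons[ip].add("recursion requested from outside allowed nets")
        if suspicious:
            counts[ip] += 1
    return {ip: sorted(reasons[ip]) for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for ip, why in flag_amplification_sources(parse_query_log(SAMPLE_LOG)).items():
        print(ip, "->", "; ".join(why))
```

A hit here is a signal to check the server's configuration (restrict recursion to your own networks, and use response-rate limiting if your DNS software supports it) rather than something to block by source address, since in a reflection attack the source address is the victim's, not the attacker's.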

Does anyone think Vista is bulletproof?
So what? - I continue to be confused by the AV vendors. They are talking out of both sides of their mouths. On one hand, Vista is great and does stop some prevalent attack vectors that were very problematic for Windows XP. But they maintain you still need their stuff because social engineering is still out there. What? Sophos' point is that users are still vulnerable to social engineering? And that using a third-party e-mail product with Vista won't stop lots of prevalent malware. OK. So what? This continues to be a ridiculous way to position a value proposition for third-party AV products. No one that I'm talking to is planning to leave endpoints unprotected, even with Vista. The point for the AV vendors is to tell a compelling story about how the requirements of endpoint protection are changing, which requires things like application control and data encryption (for mobile devices). Microsoft has moved the bar relative to the OS; now the AV vendors have to move theirs. And it just hasn't happened yet.
http://www.informationweek.com/showArticle.jhtml?articleID=196600583


Top Blog Postings

Is Microsoft setting unrealistic expectations?
While we are on the topic of Vista and security, let me point to a post Ed Moyle did on Friday about Microsoft and whether they are promising too much. The post starts by pointing out that security is now a mainstream topic, which is a good thing for all of us. But I'm not sure I buy the rest of the argument, which is that Microsoft has built up Vista's security to a point that it can do nothing but disappoint. As I've said numerous times before, Microsoft is between a rock and a hard place relative to this security stuff. The AV vendors are fighting for their lives, so they will continue to bitch, snipe, and basically do anything possible to create FUD about Vista. What Microsoft hasn't said is that Vista is bulletproof. They've said it's better (and it is). They've said that they are using a new software development process that is more security-aware (and it is). But with the exception of a stupid comment from Jim Allchin that was taken out of context, they've not said additional security software is not needed anymore. I'd say Apple is a much more significant offender in deceiving customers about the security of their platform. As a security professional, you don't assume Vista is anything but another OS that needs to be protected by a number of layered defenses. Same old, same old.
http://www.securitycurve.com/blog/archives/000487.html


Are your policies in place?
Captain Privacy, Martin McKeay, brings up a great point about policies. As you read this post, it's easy to see that Martin's perspectives on privacy have been developed the hard way over many years of dimwitted employees doing the wrong thing. I'm a bit more optimistic, but I'm also of the opinion that every business has to both determine and communicate to what degree employees can expect privacy. In Martin's story, the manager in question is wrong. He had no right to demand to see an employee's email. Not because he isn't entitled to as the manager, but rather because this was not CLEARLY communicated to the employees. Thus, Martin correctly refused the request and then put in place a privacy policy to more specifically document what can and can't be done. All organizations need to very clearly define the rights of the employee, in writing, and they must communicate that. It is not out of the realm for a company to say it can look at anything at any time, if it uses company resources. But not if you don't communicate that. So revisit your policies, because if you keep coming across one-offs that require senior management to get involved, then you did a crappy job of crafting your policies in the first place.
http://www.mckeay.net/secure/2006/12/privacy_of_emails.html

Recently on the Security Incite Rants Blog

The Righteous Path of the Analyst
As Amrit and Stiennon head back to vendor land, it got Thomas Ptacek to wonder whether being an analyst is just a training ground for a high-level marketing position at a vendor. Given that I was an analyst, then became a marketing guy, and am now back to being an analyst, you'd figure I'd have an opinion on the topic. Well, you'd figure right. Check it out.
http://securityincite.com/blog/mike-rothman/the-righteous-path-of-the-analyst

Read the most recent Daily Incite
http://securityincite.com/TDI-2006-12-01

Submitted by Rob (not verified) on Mon, 2006-12-04 10:23.

Mike,

when you say "So reduce the type of stuff you need in the DMZ, and harden the crap out of those devices", would this not be a place where trusted systems would come into play, since a trusted system is far more secure than a hardened one?

As you know, we are bringing multilevel and trusted computing to the mainstream with a new implementation of the principles of trusted computing, so one can run everything they wish in the DMZ, and it will be safe. There is no need to compromise optimal business data flow.
