The Daily Incite - December 12, 2006

Submitted by Mike Rothman on Tue, 2006-12-12 10:14.
Today's Daily Incite

December 12, 2006 - #170

Good Morning:
Listen as I take a deep, cleansing breath this morning. I'm happy to say the manuscript for the Pragmatic CSO is pretty much done. I need to do another once-over today before I send it off to my editor, but it's been quite an experience. I've got somewhere around 120 pages of text, unformatted and before editing. So I guess it will be pretty substantial when laid out and cleaned up. I am a bit biased, but it's pretty good and VERY different from how other people say to manage a security program. We'll see how it holds up because a few of my friends have volunteered to check out the "alpha" version. Their feedback will be interesting.

After an off-day yesterday, a bunch of stuff piled up in security-land. I like to point out when folks (especially well-regarded folks) say things that are consistent with my thinking, so check out Ira Winkler's interview on Baseline (here) - there is good stuff there. Also get ready for what I'm calling the "NAC-lash," which is an increasing number of customers pushing off NAC implementations until the technology settles down a bit (here) and becomes better defined. Finally, there seems to be some question about whether Vista is more secure than XP (here) - go figure, since they asked Symantec and PGP what they thought.

In blog-land, it seems that analysts (presumably those that don't cover security) should be covering more security (here). The more, the merrier is what I say. I'm cool with it because over time the CSO's job is to run the program, not the firewalls. Also check out a good post from Alex Hutton on a slightly different way to run a compliance audit (here), which is "Pragmatic," and no, he hasn't seen the manuscript yet.

Have a great day.

The Pragmatic CSO
Coming January 2, 2007

Top Security News

Winkler on Pretexting (and other stuff)
So what? - Guru Ira Winkler shares his thoughts on pretexting and other security topics in this Baseline interview. Interestingly enough, he speaks as much about culture and education as anything else. He also talks about why the ISPs should step up to solve the zombie problem. Seems we see things pretty similarly. I wonder if Comcast tried to dig up his yard also? The last section of the interview is most interesting to me, where Ira talks about "what's next," and it's security awareness. He also talks about the importance of getting the basics right, which is exactly right.
http://www.baselinemag.com/article2/0,1540,2060332,00.asp

The pendulum swings on NAC
So what? - The "hype cycle" from the G-people still amazes me. It is exactly right and we keep seeing it in literally every technology market space with the same results. But things are happening faster now. As evidenced by NAC, new technologies are hitting the "peak of inflated expectations" and the "trough of disillusionment" within 12 to 18 months now. NAC was a babe in the woods at this past year's RSA, and every vendor was frantically trying to position their wares as "NAC-like." Now at the end of 2006, according to this survey, more users are looking for NAC to mature a bit more before they pull the trigger. This isn't surprising because NAC doesn't mean anything to anyone. Or more specifically, the vendors have tried to make it mean everything to everyone. Thus the confusion on the part of the customer base and the predictable pushing out of the buying cycle. Users should be focusing on the problems they need to solve - not the generic product category name.
http://www.networkworld.com/news/2006/120506-nac.html

Put a target on my head, I dare you
So what? - The idiocy of some senior technology people stuns me. As a mentor used to say to me when I did something so stupid it was just beyond explanation, "help me understand" what benefit the VA (that's Veterans Affairs) gets from saying they are "pretty confident" they will not have another large data breach. He may as well have painted a "HACK ME" sign and nailed it to the front door of the VA Headquarters. I'm sure these jokers rolled out lots of encryption, but have they nailed down all their applications? I do suspect they won't have a large data breach from some idiot pulling millions of customer records off-site on a laptop. But to make a blanket statement like that is moronic. For the sake of all the Veterans in the US, I hope he's right. But given how long it takes to both change a culture and implement broad-based security controls in a huge environment - he's probably delusional.
http://www2.csoonline.com/blog_view.html?CID=27366

Is Vista more secure?
So what? - I can't believe I'm really asking that question. Well, if you have any doubt, check out Roger Grimes' column from last week, where he goes through a portion of the new security features in Vista. Of course, he was flogging his new book on Windows Vista Security, but that's OK. I know some folks that flog their own books on their blog as well. The list is pretty long and he makes some bold predictions about Vista not being hacked towards the end. But it also seems that the AP (that security news authority) isn't sure Vista is more secure than the current XP SP2 (here). So they asked folks like Oliver Friedrichs of Symantec and Jon Callas of PGP what they thought. What the hell do you think these guys are going to say? Symantec is obviously worried about being able to continue milking their cash cow, and Vista's BitLocker will have an impact on PGP's whole disk encryption business. Read Roger's column and tell me that Vista isn't more secure.
http://www.infoworld.com/article/06/12/08/50OPsecadvise_1.html

Thin is in? Not so much.
So what? - How Rob Enderle got a column gig at Dark Reading is beyond me. I've read a lot of his columns and candidly, he doesn't seem to know much about security. Data centers and PCs - you bet. Security - not so much. This column is a case in point. He talks about security being a driver for thin clients, given that lots of data is lost on laptops. So his thinking is that by eliminating any data on the device, it makes it much less likely to be stolen (and result in any damage). That is true, but it's also impractical. Unless you have ubiquitous broadband networking, so you can get at your data and applications that reside on the corporate network with reasonable performance, mobile professionals are out of business. So I would agree that THEORETICALLY replacing every device with a thin client would increase control, and therefore security. It's irrelevant because until the network can support it - it's not going to happen. He also says a big constraint has been the "lack of decent user authentication." Huh? Another play for biometrics on PCs, which continue to be solutions looking for problems. So check out this column if you need a laugh this morning. The problem is Rob isn't joking.
http://www.darkreading.com/document.asp?doc_id=112095

Top Blog Postings

Security will be subsumed
It's a good thing I am a fan of fairly consistent career change. I doubt I'll get fired from my current gig because I know the boss pretty well, but that doesn't mean that your market doesn't constantly change, and you had better be prepared to evolve with it. I've been saying for a while that enforcing security controls will eventually be subsumed into the operational groups. Based on this post from Gunnar, it looks like security analysts will be under fire soon as well. And I'm cool with that because folks that cover applications need to look at security as a pretty important aspect of what an application does. Folks that research the data center need to understand how security evolves as the entire environment virtualizes. Obviously those covering the carriers have a lot of security to think about nowadays. Me? I'm going to stay focused on the mid-sized company CSO, who will be responsible for coordinating the security program and working with his/her peers that become increasingly responsible for enforcing the security within their domains. I suspect I'll be OK.
http://1raindrop.typepad.com/1_raindrop/2006/12/james_mcgovern_.html

Turning off Vista UAC
Speaking of Vista security, Dana Epp goes through why it's important to keep UAC (User Account Control) on for users and developers using Vista. I agree wholeheartedly with his assessment. First of all, let's deal with the "inconvenience" when loading up software on new machines. Why wouldn't these administrators be using standard images to prepare new machines? Unless you work for a 20-person shop, supporting a standard desktop and using pre-defined images will save you time and money. If you have to load 20 new applications on a desktop, then your image is hopelessly out of date or you are an idiot. But I digress. This continues to show why Microsoft is between a rock and a hard place. If users don't want to change their behavior to act in a more secure fashion, I guess it'll just be easier to blame Microsoft. Fact is, UAC will increase the security of your desktop, so use it - even if it pisses off your users for a day. They'll be far more pissed when you need to rebuild their machine and they lose data because their device has become a cesspool.
http://silverstr.ufies.org/blog/archives/000985.html
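Since the argument here is "keep UAC on," the useful follow-through for an administrator is to verify that it actually is on before a machine built from your standard image goes out the door. The script below is an added example written for this newsletter; it is not from Dana Epp's post or from Microsoft. It assumes it is run from an elevated PowerShell prompt on the machine being checked, and it reads the standard UAC policy values (EnableLUA, ConsentPromptBehaviorAdmin, PromptOnSecureDesktop) under the usual Policies\System registry key.

```powershell
# Added example (not from the original post): report the UAC state a Windows
# box actually has, so a "turned it off for convenience" build gets caught
# before it reaches a user.
# Assumes an elevated PowerShell session on the machine being audited.

function Get-UacState {
    $path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $p = Get-ItemProperty -Path $path

    # EnableLUA = 0 means UAC is completely off: every administrator logon
    # runs with a full admin token and nothing ever prompts.
    $enabled = ($p.EnableLUA -eq 1)

    # ConsentPromptBehaviorAdmin = 0 means "elevate without prompting",
    # which is UAC in name only for anyone in the Administrators group.
    $adminPrompt = $p.ConsentPromptBehaviorAdmin

    # PromptOnSecureDesktop = 0 lets other software draw over the prompt.
    # A missing value is treated as not set and therefore reported as a finding.
    $secureDesktop = ($p.PromptOnSecureDesktop -eq 1)

    if (-not $enabled) {
        $finding = 'UAC disabled (EnableLUA=0)'
    } elseif ($adminPrompt -eq 0) {
        $finding = 'Administrators elevate silently (ConsentPromptBehaviorAdmin=0)'
    } elseif (-not $secureDesktop) {
        $finding = 'Elevation prompt not shown on the secure desktop'
    } else {
        $finding = 'OK'
    }

    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        UacEnabled          = $enabled
        AdminPromptBehavior = $adminPrompt
        SecureDesktop       = $secureDesktop
        Finding             = $finding
    }
}

# Usage: run on the freshly imaged machine and keep the output with the
# build record; anything other than 'OK' means the image or a post-build
# script has weakened UAC.
Get-UacState | Format-List
```

Note that changing EnableLUA takes effect only after a reboot, so a value of 1 in the registry on a machine that has not restarted since it was set does not yet mean UAC is enforcing; the script reports configured state, not the live token policy.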

Public Enemy #1 - The Agent
Thomas of Matasano rails on agents in this post, and lots of others have taken him to task for it. Let's be very clear: software agents that run on a device introduce risk. The number of agents that a typical PC needs (whether it's a desktop or a server) is greater than 1 and less than 5000. So you will have complexity issues. With complexity comes security risk. That is Thomas' point. The job of every CSO is to strike the balance between the added risk of additional agents and the increased security that the agents provide. So per usual, there are two sides to the story. I believe that every desktop should have ONE agent, that is, a broad endpoint security offering that provides things like AV, HIPS, anti-spyware, desktop encryption and application control. We aren't there yet, but it'll happen soon. I think eEye calls this unified client security, and that's a good way to think about it. You know, UTM for the desktop. Servers should have the bare minimum of what they need, given the other layers of defense that are presumably in place in a data center. Probably a software configuration agent should suffice, but as Thomas and Dave G proved at Black Hat - those systems management agents are easy to break.
http://www.matasano.com/log/646/matasano-security-recommendation-001-avoid-agents/

Taking the wind out of the Compliance Sails
Alex Hutton jumps on AndyITGuy a bit here about buying into vendor compliance hype when he went to a "compliance" seminar. Andy responded saying that the event was good for him because he took the opportunity to learn what was out there. That's fine; hopefully now you two are buddy-buddy again. But the last section of Alex's post is very interesting because it's very similar to the compliance process espoused in the Pragmatic CSO. And no, Alex hasn't seen the manuscript yet. Basically, if you have a strong, risk-based security program in place, you will be compliant with whatever ridiculous hoops you need to jump through. You can make your auditor go away much faster if you focus on the process you use to protect your assets and respond to incidents, and much less on HOW you configure your firewalls. You'll find out a lot more on January 2.
http://riskmanagementinsight.com/riskanalysis/?p=64
