The Daily Incite - December 14, 2006

Submitted by Mike Rothman on Thu, 2006-12-14 09:56.
Today's Daily Incite

December 14, 2006 - #172

Good Morning:
First, I want to thank everyone who sent a note of encouragement as I begin my path to getting back into physical shape. My physical assessment yielded the expected results - I have a lot of work to do and that work started yesterday. But I know this is a security blog, so I'm done boring you with the trials and tribulations of my soon-to-be contracting waistline.

In security-land there was a decent flow to today's stories. First let's look at what the US Department of Energy is doing from a security standpoint (here), the organizational model is pretty interesting. Then let's riff on the insider threat a bit (here), discuss some logging (here) which can help to detect an insider attack, and finally let's see what Roger Duronio (the convicted UBS insider) will have under his tree in the big house this year (here).

In blog land, I pick on some ideas about incentive programs for security folks (here) because I think once again the risk is in incenting the wrong behavior, and when there is money involved that potential damage magnifies exponentially. Then I poke at Jon Oltsik's contention that some enterprises should just upgrade to Vista (here), as opposed to buying standalone full disk encryption. If someone is going to go whole hog with Vista, then that's fine - BitLocker will get it done. But to force a widespread panic, I mean migration, to Vista just to encrypt the disk doesn't make a lot of sense to me. 

Have a great day.

Technorati:

The Pragmatic CSO
Coming January 2, 2007
Webcast promo

Top Security News

DOE! An interesting security process
So what?- This interview of the US Department of Energy's CIO is pretty instructive. I don't really see too many government agencies acting Pragmatically, but some of the processes put in place are right on the money. Like the CIO accepting responsibility for security within the organization. No fall guys in that shop, but more interestingly is also that the various department heads also are "personally responsible" for security and data protection within their operations. DOE is also centralizing a lot of the IT ops and moving to standard configurations and images, which will also help security by eliminating the variability in software and environments throughout the organization. Also of note is their reticence to migrate to Vista because of the inevitable increase in new vulnerabilities as the bad guys start banging away. I guess that's one way to look at it, but does he think that XP won't have new vulnerabilities either? 
http://www.gcn.com/print/25_34/42704-1.html?topic=security
Link to this


Is that an insider in your pocket?
So what? - Or are you just happy to see me? Obviously, I jest but the point of this InformationWeek article from Monday is to point out the difficulties in actually detecting insider attacks. Sure you can put leak detection stuff on the edge to make sure intellectual property and private data doesn't leave the building - eliminating compliance issues. But that's far from the only place insiders can cause damage. It ain't easy, but there are a couple of tips to help deter the behavior and then detect it. First is logging. You should be logging all administrative changes. Duh! But here's the nuance. Store the logs somewhere else and do not provide access to the administrators. Thus, they can't tamper with the logs to cover their tracks. They'll need to think twice before setting backdoors and the like. As the article points out, you should also make sure administrators don't have free reign over the systems. Give them just what they need to get the job done. Ultimately, it's all about checks and balances. You need to be able to answer the "who's watching the watchers?" question.
http://www.informationweek.com/showArticle.jhtml?articleID=196602853
Link to this

Secure Windows Logging
So what? - Speaking of logging, check out this tip on SearchWindowsSecurity about how to log on Windows in a safe and secure fashion. Kevin Beaver beats the horse a bit too much about why you should log (providing the regulatory context) and not enough perspective on how you should do it. But it's a decent primer nonetheless. A good point is that you don't have to spend a lot of money to put an efficient logging environment in place. There are lots of free and open source tools, which can get the job done. Another point that Kevin makes is that logging is turned off by default in XP and is limited in Vista. So you need to go back and set the logging parameters yourself. But the most important perspective is that "there is no right answer - no one-size-fits-all solution," which means as part of your security program - you need to figure out how much logging you need to do.
http://searchwindowssecurity.techtarget.com/tip/0,289483,sid45_gci1234029,00.html
Link to this


Wish list for UBS Insider
So what? - I wonder what will be under Roger Duronio's tree for the holidays? Probably a new roomie named Bubba, now that the infamous UBS systems administrator that took down his former employers stock trading systems a few years ago has gotten an 8 year all-expenses paid trip to the big house. I'm glad they are making an example of this guy, given he cost his employer millions in direct costs and who knows how much in the opportunity cost and downtime. But let's not be insensitive here, we should put a little care package together for Roger - he's going to be gone for a long time. Maybe we should give him Knitting for Dummies! because he's banned from being a systems administrator again, so he can learn a new trade in jail. He'll need some smokes, regardless of whether he smokes or not since I guess that is currency in jail. Maybe one of those new SkypeOut subscriptions, so he can make cheaper calls during his computer time. Hmm. Do they get computer time in jail? And finally, let's throw a case of KY Jelly in there. You wouldn't want his skin to get chapped as he gets acquainted with his cell mate, now would we? 
http://www.informationweek.com/showArticle.jhtml?articleID=196603888
Link to this


Don't forget the configuration
So what? - This article on Linux.com is a good reminder that even the most sophisticated of defenses can be rendered useless with the simplest of configuration errors. There is a lot of other pretty good stuff in this article as well, like defining five goals of system configuration, trading off security versus convenience (which we all fight with every day) and why most of security is so reactive. Also a key point is that "a clear security policy that is actually enforced is necessary for awareness." That's exactly right. You need to have a public execution every so often to make sure that people remember what is at stake. 
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1233873,00.html
Link to this

Top Blog Postings

Bonuses for security folks?
On the Wikid blog, they tackle the mess of incentive plans in this post (h/t to Emergent Chaos). I can see the underlying thought process, but I have a fundamental issue with the idea of capping information security expenses to about 1/3 of the expected loss. Now I haven't read Gordon & Loeb's book, so maybe there is a reason it's 37% and not 50%. Obviously you need to show a "return" on the security investment, so it isn't going to be 100% - but whatever. Then basically you figure out a bonus pool based upon the delta of the expenses cap and the actual budget. And the costs to clean up any breaches comes out of the bonus pool, to keep folks incented to do their job. I think Mordaxus on the Emergent Chaos blog has it right. We may want to spend more than 37% (which would eliminate the bonus pool), but it also sets up an incentive for security folks to bury problems because admitting a problem will cost them money. I'm not sure what the answer is to build a comp plan to incent the right behavior from security professionals, but this one seems Wikid wrong. As Mordaxus says "Always, always beware when you set up incentives. People will act according to the incentive."
http://www.wikidsystems.com/WiKIDBlog/incentive-plan-for-an-information-security-team
http://www.emergentchaos.com/archives/2006/12/costbenefits_incentives_a.html

Link to this


BitLocker or stand-alone full disk crypto?
Running the mortal risk that Jon Oltsik will be upset with me again, I've got to poke some holes in his latest post about whether companies should upgrade to Vista in lieu of rolling out a stand-alone full disk encryption (FDE) product. If we were having this discussion 18 months from now, it may be different - but right now going lock, stock, and barrel to Vista is a total non-starter for the "large enterprises" he talks to. First, Vista still has new car smell. It's been test driven quite a bit, but that's different from actual road use. Not many large enterprises choose to be first on the block to buy the new wheels. Second, migrating thousands of machines to a new operating system is fraught with peril. All of the reviews I've seen have said to start fresh with a Vista install, so you are looking at a few hours of effort FOR EACH DEVICE, as opposed to the ability to install a standalone FDE offering in about 30 seconds. Third, many hardware devices will need to be upgraded to run Vista, so it's not just that you are trading $50-70 per unit (anyone that pays $100 for FDE in volumes is a boob) in FDE expense for $199 to upgrade to Vista (I think that's the price). You also will need to upgrade the device to make sure Vista doesn't run like a dog. So I don't have a problem with customers spending money on stand-alone FDE knowing they'll throw it out in 2-3 years. Anyone that thinks they are picking security utilities for 7-10 years is delusional. Fix your problem and move on. Don't make the problem into an all-encompassing upgrade endeavor.
http://news.com.com/2061-11203_3-6143577.html
Link to this

VM -> SCM -> ???
Shimel wonders a bit about how vulnerability management products will evolve. That's probably a good thing to think about given that he is the Chief Strategy Officer for a company that does VM. Alan's rambles a bit about compliance and remediation, which has morphed VM into software configuration management (SCM). Most SCM offerings are focused predominately on patching problems they find with an embedded scanner which test for the SANS Top 20. Maybe that's a bit simplistic, but not too far off. But what does the future hold? I think the customer will give us the clues we need to figure it out. SCM appeals to data center managers (and desktop guys) that have hundreds or thousands of things they need to make sure are configured properly and be able to pull a report to show an auditor . That's not really security. The security person, on the other hand needs to find their exposures and figure how to mitigate the risk. I see tomorrow's vulnerability management products looking an awful lot more like Metasploit (and other commercial automated pen test products) with traditional scanning capabilities as well. Not using live ammo doesn't make sense to me, and I think the scanner and the APT markets merge functionality in 2007.
http://www.stillsecureafteralltheseyears.com/ashimmy/2006/12/vulnerability_a.html
Link to this

What do we make of this Web 2.0 stuff?
The folks at McAfee's Security Insights blog (if they are going to use the name, at least provide some insight) ask an interesting question about the type of data sharing that is inherent to Web 2.0 technologies. Is this a security risk? And what can we do about it? Clearly, the ability for anyone to publish anything at pretty much anytime creates a security risk. Whether it's a developer deciding to talk about his work project on his personal blog (which happens to allude to strategic and differentiated technology) or an innocent marketer publishing some data to get the community at large to analyze it, anytime your data goes outside of the enterprise it's a security risk. So what to do? I hate to say it, but leak prevention. These products can look at all of the outgoing traffic and find intellectual property and private data regardless of the data stream. The products are maturing rapidly and will eventually end up as a part of the perimeter UTM platform. But what you can't do is predict what applications will be used, so you better get adept at sifting through the network for data that shouldn't be leaving the house.
http://siblog.mcafee.com/?p=41
Link to this

Recently on the Security Incite Rants Blog

SearchSMB Top 10 Tips of 2006
David Letterman must have a ton of angst that he never enforced his Top 10 list copyright. He'd be cleaning up given all the Top 10 lists we see every day. Oh, he is already cleaning up for getting trounced by Leno for years at a time. Yeah, I guess I don't feel that bad for him. But this Top 10 list is interesting because 7 out of the most popular tips were security-related. Even more interesting is that 3 of the 7 were written by me and I only wrote for SearchSMB for about half the year. So check out the list and see if you can learn something.
http://securityincite.com/blog/mike-rothman/searchsmbs-top-10-tips-in-2006

Read the most recent Daily Incite

http://securityincite.com/TDI-2006-12-13