The Daily Incite - December 20, 2006

Submitted by Mike Rothman on Wed, 2006-12-20 08:53.
Today's Daily Incite

December 20, 2006 - #175

Good Morning:
Does it feel like Xmas time to you? Even though I don't celebrate the formal holiday, my memories of the holiday season involve cold weather, vacation, family, and some more cold weather. My definition of cold (growing up in NY) is probably different from that of my Canadian or Icelandic friends, but nonetheless I've been walking around in a light fleece pretty much all year. So it's kind of strange, but I like it. I guess that's one of the advantages of living in the Southern US - my snorkel coat gathers dust.

The holidays are also in large part about family. Yet, I have this nasty habit of launching new products in the first week of January. So, NO VACATION FOR YOU! I'll be cranking away at getting The Pragmatic CSO ready for publication on January 2, then I turn my attention to getting the Pragmatic CSO community up and running (target is Feb 1). For a change, it'll be a busy holiday season and January. But no better way to start the year than with a burst of activity that should drive things throughout 2007.

In security land, it looks like Gil of Check Point has gotten out his checkbook and he likes the feeling (here). Yesterday, they upped the offer for Protect Data and also acquired NFR Security, an IPS vendor on life support. I thought NFR stood for "No F*****n Reason" to exist, but evidently Check Point saw something that not too many customers saw over the past few years. What's interesting is how different the Protect Data and NFR deals are. Protect Data (and Zone Labs before it) were leading products in growth markets. NFR is a lagging product in a maturing market. Hmmm. So much for consistency.

In blog land, it seems that Oracle still doesn't get it. I know, I know, what makes me think they'd get security after so many years of not even being close, but this blog post (here) just cements it for me. Basically it's more about not breaking the application than it is about security. In practice, I get that's the way the world works. But to put out an insecure default configuration guide because you want to make sure it doesn't break anything? That seems very strange to me.

Have a great day.


Top Security News

Deal: Check Point buys NFR
So what? - So how do you think the Check Point board meeting went? Gil says: "We couldn't buy Sourcefire, but we still need an IPS. So we'll buy the next best thing - NFR!!" The board looks at him quizzically. Then he says, "I own more stock than you - so I'm doing it." I'm sure it didn't go down like that, and there is little risk in paying $20 million for some technology - besides time-to-market risk. IPS is being deployed (whether it makes sense or not is not the question), so to just buy some technology that doesn't have any momentum or customer base seems weird. They will, in the very near term, bring out a UTM with a real IPS because it's not like they are going to continue trying to fight ISS, TippingPoint and McAfee for stand-alone IPS business. In general, I think Check Point doing anything is a good thing, but given their nimbleness (NOT!) and ability to bring products to market that aren't firewalls - I'm not sure buying technology in a mature market space is the right approach to goose top-line growth. In another fit of irony, Marcus Ranum's creation (he was the founder of NFR and one of the early firewall developers) is now owned by the folks that have been anointed the "inventors of the firewall." That's pretty funny.
http://www.checkpoint.com/press/2006/nfrsecurity121906.html


The tribe has spoken
So what? - As with every other year, there will be many CSOs voted off their respective islands this year. So Network Computing was kind enough to put together a "survivor's guide" for 2007. Highlighting the parade is data protection, and that's exactly right. 2007 is the year that "information/data security" stands out on its own. I'm glad I've been talking about it since I started this gig in January. Also mentioned are the evolution of vulnerability scanners (no, they are not being subsumed into NAC anytime soon), identity management, NBA and database monitoring. These are all definitely things to keep an eye on. Though I'm not a fan of thinking about security in terms of a "shopping list" because that constrains us to arbitrary product categories defined largely by vendors. You'll see my research next year is much more focused around solving critical CUSTOMER PROBLEMS, as opposed to perpetuating the never-ending stream of new product categories.
http://www.networkcomputing.com/showArticle.jhtml?articleID=196603139

The grumpy old troll
So what? - The grumpy troll is my favorite character on Dora. Yes, I have a favorite character, and if you have kids under 7 or 8 - you know what I'm talking about. I grew up watching Sesame Street and Electric Company, but the choices kids have for educational fare are great nowadays (no, SpongeBob is not educational). But I digress. In this column, Dark Reading's Terry Sweeney questions whether social engineering your own users is the right approach to help them understand what they shouldn't be doing. I maintain that it is critical to your security awareness efforts. Even if your users pass the written "test" after a training session, do they really understand? There is only one way to find out. And most of the users I've worked with get the message (if only for a few months) when they've been owned during a test.
http://www.darkreading.com/blog.asp?blog_sectionid=325


Virtualization is coming (get ready)
So what? - Virtualization is all the rage. This introduction provides some decent context on how and why virtualization is important to your environment, which is important for security folks to understand. Remember, we are not in the business of "NO," but rather "Yes, but..." That means we need to understand these emerging technologies and figure out where the security holes are. Then we can communicate that back to the people buying the stuff and tell them what they need to do to secure it. This article discusses the security issues starting on page 3, but again - read the entire thing - and start familiarizing yourself with virtualization because if it's not happening in your shop - it will.
http://www.channelweb.com/sections/allnews/article.jhtml?articleId=196700414


Vulnerability Management is evolving - like everything else
So what? - Yours truly was featured in a Dark Reading article about how vulnerability management is evolving. There is no use in repeating what I said (you can read the article to figure that out), but the reality is that the scanning function is not going away; it's just going to inevitably change forms. Does that mean you should just toss your existing scanner? Of course not, but keep on the lookout for how scanning helps you solve other problems and how the intersection of technologies like scanning, pen testing and configuration management provides some new and interesting ways to solve specific problems.
http://www.darkreading.com/document.asp?doc_id=113096

Top Blog Postings

The top security issue of 2006?
Farnum weighs in with his opinion on the top security issue of 2006. Drum roll please... it's identity theft. That is certainly up there, and given our favorite Vet's status as one of the potentially compromised in the VA fiasco, I can see where he's coming from. And yes, I agree that we'll see a lot more identity theft in 2007. The goal of the CSO in 2007 thus is to not be one of those having to notify customers about your inability to keep their data safe. Easier said than done, and what's required is certainly more detailed than I can discuss in a TDI snippet. But let's not be confused about what our key imperatives are, and protecting private data is pretty high on that list.
http://www.computerworld.com/blogs/node/4191


Talking the talk and walking the walk
A blogger friend pointed me to this post on Oracle's security blog about why their configurations diverge from the best practices espoused by the CIS (Center for Information Security). It would be really funny if it wasn't so sad and dangerous. Oracle makes a big deal out of their security, but time and time again it's proven to be weak and ineffective. I doubt it's a technology thing; it seems to be a philosophy thing. The main point of this post is to come up with an excuse for why weaker security defaults are OK. It's because stronger ones will break applications!!! WHAT? Then change the damn applications! But don't wonder why time and time again I hear from hackers that the first thing they do when they compromise the perimeter is head right for the Oracle database. By following this kind of "advice" - your applications will work, but make sure you budget some funds to send out millions of letters apologizing to your customers as to why their private information is posted on a bulletin board in Latvia.
http://blogs.oracle.com/security/2006/12/08#a42

Even the auditors don't get it
Andy ITGuy tells a pretty funny story about what happened when his auditors came to visit. I'm sure in most of the environments they go to, they just plug in to any old jack and go. But Andy shows good preventive measures by making sure unoccupied jacks are dead. He even forces the finance group to call him to ask for access, which again is exactly the right thing to do, if only to prove a point. But it just goes to show that even the auditors are more about convenience than security.
http://andyitguy.blogspot.com/2006/12/what-were-they-thinking.html

100,000,000 is the loneliest number
ONE HUNDRED MILLION data breach victims. Wow! That is a fracking big number. Alex Hutton points that out in this post and provides some other perspectives on how to more effectively detect and respond to a potential identity breach because statistically it's going to happen to you. That's why I monitor my bank accounts and credit cards DAILY. That's why I subscribe to a service (called LifeLock) to fight my battles if something does happen and I'm compromised (I don't have time for that). As Alex says, preventing the problem is out of my control, but I can tell you that if it does happen, I'll know about it quickly and I'll be ready to take decisive action to make things right.
http://riskmanagementinsight.com/riskanalysis/?p=69
