December 21, 2006 - #176

Good Morning:
I just realized that this is the last TDI of 2006. Wow! I'm taking a break tomorrow on what I expect will be a very slow news day. Next week I'm going to revisit the 2006 Incites, do a final assessment, and close the book on 2006. So we'll end up with 176 editions of The Daily Incite in its inaugural year. I have a lot to be grateful for this year, and it starts with my family, but my readers are close behind.

For me, I've been strangely quiet about Time Magazine anointing "You" the 2006 Person of the Year. It makes me want to say "F*** U" to Time. Seriously. I feel that was a cop-out. I don't see what the big deal is. Since the early days of the Internet, communities have been forming and users have been contributing content. Sure RSS, blogs and things like MySpace and YouTube have made contributing easier and within reach of pretty much everyone. But, to me, this is more about passing the tipping point of broadband adoption, which makes something like YouTube possible, not some miraculous sea change where users are now contributing. But that's one man's opinion.

There were a few deals yesterday in security-land. I mentioned the CHKP/NFR deal yesterday (here) and Matasano Thomas weighs in here. Let's just say, he's not a fan of the deal. Websense finally did something and bought PortAuthority (here). Good for them. Even if they are wrong or bungle the integration, at least they are doing something. It's much worse to be the walking dead. If you are going to fly into the mountain, at least try to pull up on the stick.

I also rant a bit about the "checklist" mentality that permeates the security business (here). I really do wish security was as easy as following a checklist and pumping that data into an ISMS (information security management system). But it's not. That approach severely underestimates the skills of your adversary. Do that at your own risk.

Enjoy the holiday season and be safe. TDI will resume on January 2. But you'll hear from me before then, I promise.

Technorati: Information Security

Coming January 2, 2007

Top Security News

What's on your Xmas list?
So what?- Part of life is wanting more, wanting something different. You know, the grass is always greener on the other side. I've made a concerted effort this year to be happier with what I have. Of course, starting a business means you tend not to go nuts with all sorts of cool electronics or extravagant vacations or trinkets, but nonetheless I'm making due with my 2 year old Blackberry and I'm going to be happy about it. Mark Rasch in his SecurityFocus column details what he'd like out of security from Santa. Easy encryption tops the list. He's a lawyer, so I can see that need - but encryption is not the cure to all of our security ills. He also want to be able to search everything, more enforceable document destruction technology, mobile devices that replicate data (Mark, check out Foldershare - it really works), mobile access for location independent access to files (again, Foldershare provides this for me), Identity 2.0 (strong authentication with anonymity) and finally peace on earth. A decent list for Mark, what's on yours?
http://www.securityfocus.com/columnists/426/2
Link to this

Is that a switchblade in your pocket?
So what? - Remember the good old days when folks would give away USB drives as trade-show goodies? Oh, folks still do that? It's a bad idea, especially if you are a security company. Why? There is little protection for something you plug into your USB port. It's basically a direct pipe into the brain of your device. Rootkits, Trojans and lots of other nasties can be loaded onto your machine if you stick in an unknown device. Kind of makes me want to have a "chastity belt" for my USB ports. Maybe we should make up stickers that say "Don't be a USB Slut!" or maybe give away USB condoms to make the point. I guess you won't want any lubrication, eh? Of course, most endpoint security suites can turn off the devices and things like application control can make sure that no unauthorized applications run on your device (even if you stick something into the USB port). But the days of sticking cool things into your computer should be over, even if they are dead sexy. Oh yeah, the news peg is the USB Switchblade attack, which does all that bad stuff I describe above.
http://www.scmagazine.com/us/newsletter/dailyupdate/article/20061218/610005/
Link to this

The quickest way to get a lobotomy
So what? - The technology today is amazing. Years ago, if you needed a lobotomy they'd slice your head open. Then they came up with drugs to fry your frontal lobe. Nowadays it's much easier. Just publish a CHECKLIST of "best practices" and see 90% of the lemmings follow you right off the iceberg. They'd probably just hand over their brains to you, if it was on the list. Checklists could be the downfall of modern civilization (and certainly the CSO's role in it) because checklists don't make you think. Automatons can execute on a checklist-based process. Security is not for automatons. There are too many folks that know about the checklist and therefore know how to beat it. So don't run your security program on a checklist. Use your head, that's what it's there for. You can read this article on NoticeBored if you choose, but take it more as what you shouldn't do.
http://www.noticebored.com/blog/2006/12/audit-checklist-for-information.html
Link to this

Is there anything you can't insure?
So what? - I guess privacy breaches have truly become a common occurrence. I guess I knew that, but to see that insurance companies will write policies to protect against the costs related to notification and the like really brings that point home to me. Why? Insurance companies will only write policies if they have enough data to figure out the likelihood that something is going to happen. It keeps all of those actuaries busy all day. So there is enough data out there about the probability of a privacy breach to make the number crunchers comfortable. That's a lot of data. That's a lot of privacy breaches. That's a problem.
http://www.eweek.com/article2/0,1895,2073528,00.asp
Link to this

Can't we all just get along?
So what? - This brutally long CIO column from Christopher Koch brings up a lot of good points. The fact is most business people don't understand technology, and us technoids think they are doofs. The business people don't care, they just want to do their job. We are supposed to enable that. It's funny that so many IT (and especially security folks) forget who we work for. Let me clear it up. WE WORK FOR THE BUSINESS. No business, no job, no mortgage, no food on the table. It's not about "NO you can't do that," it's about "YES you can, BUT here are some things to think about." IT folks need to be MORE customer centric than anyone. We are overhead. If not, you'll be outsourced. Go back to step 1. No job, no mortgage, no food on the table. Keep that in mind as we head into 2007.
http://blogs.cio.com/node/228
Link to this

Top Blog Postings

When is security, not security?
The Mogull does a pretty deep post here about security vs. safety. For a change, that got me thinking about what we call "security." Rich makes the point that many things we call security are not really meant to SECURE you at all. They are meant to CONTROL. Web filtering is a great example. They used to call those products "employee Internet control," but that was a crappy marketing term - so Web filtering prevailed. But it's all about controlling how employee's use the Internet. But keep in mind the corporation is liable if employees do inappropriate things. So it is reducing corporate liability, and therefore "securing" the company's interest. Though I'll admit, to the detriment of employees. I guess it's a fine line and lots of gray here. DRM is similar. It's meant to control how you use the content, but within the context of securing the royalty to be paid to the artist. So "safety" is a part of security, but it may not be your safety. I think that was Rich's point. As an aside, the part about the G&R show made me laugh because I went to that tour in DC and Metallica was great and G&R - not so much. But they are still one of my favorite bands. Just skip the show.
http://securosis.com/2006/12/19/security-often-has-little-to-do-with-safety/
Link to this

The commercial opportunity in open source security
There has been a lot of discussion about security and open source. Gunnar has been pretty vociferous relative to the difficulties of the open source model when it comes to protecting applications. He's right. Security is a thankless job and if a developer is going to spend time on an open source project, it's not too sexy to make sure the security is up to snuff. Thus, the need for a commercial enterprise to test and contribute security technology to the LAMP stack. Folks like SpikeSource do a lot of the integration, but it's not clear to me how much security value they add. But there is value to someone stepping up and saying "my distribution is secure and I have a team of people working to keep it that way." They can of course, contribute the security patches to the community 7 days or so after their subscribers get the patches (kind of like what Tenable does with Nessus signatures). That's kind of interesting. VCs get on that.
http://1raindrop.typepad.com/1_raindrop/2006/12/php_security_re.html
Link to this

Matasano loves the CHKP/NFR deal
I ranted a bit yesterday about how the NFR deal isn't going to give CHKP what they need, which is growth. But they are doing something, and that is better than doing nothing. Thomas takes it a level deeper, offering lots of interesting fodder about what could be. NFR was a failure. Period. It makes no difference how much money they raised. Check Point bought technology. They can flap their lips about supporting the existing NFR business, but they won't. Not for long anyway. The idea of NFR giving CheckPoint a more convincing security switch alternative is interesting, but I think it's a low likelihood scenario. The folks that will sell a lot of "secure switches" are the folks that sell switches today. Adding "NAC" or anything else to the switch is not brain surgery. Doing it at a price point that makes it affordable is. You need volumes to get to those price points. The guys with volumes are the guys already stamping out lots of silicon to put into their own boxes. And it'll take Check Point at least a product cycle to build the NFR technology into the UTM, so this deal wasn't about growth. It was about the fact that they needed IPS technology in-house.
http://www.matasano.com/log/651/checkpoint-buys-their-way-into-last-place/
Link to this

Starbucks or a security appliance?
It's not at the point where you can give up your daily Carmel Machiatto and buy a security appliance, but it's not too far off either. That's Steve Gold's point in this piece, and it has been interesting to see things like firewall and VPN technology make it's way onto $80 consumer wireless access points. To be clear, this is not sophisticated security and the feature set is not exactly robust, but it does the job. For a change, continued success in the security business is about adding value to the commodity products. It's about maintaining inertia. It doesn't have to be a lot of value, especially if you have a large Big Security installed base to milk, but just enough to keep customers happy enough to maintain their inertia. Yes, that's very cynical, but that's the way it is.
http://securityblog.itproportal.com/?p=635
Link to this

Recently on the Security Incite Rants Blog

Read the most recent Daily Incite
http://securityincite.com/TDI-2006-12-20