The Daily Incite - January 8, 2007

Submitted by Mike Rothman on Mon, 2007-01-08 10:01.
Today's Daily Incite

January 8, 2007 - Volume 2, #4

Good Morning:
There is no free lunch. I've always known that, but I was "reminded" this weekend. My wife has been extraordinarily accommodating while I was writing the book through most of December. I try my hardest not to work weekends, but I have been, and through most of the holidays I was AWOL. But payback happened this weekend, when I awoke (actually when I stopped working on Saturday AM) and found my "Honey-Do" list full of things that have been lagging for weeks. If you have a honey, you have a honey-do list, and mine was LONG. So I spent a lot of the weekend patching, hanging, moving stuff around and (sob) disassembling the twins' cribs. That's right, the twins are now in big beds. Part of me will miss the infant and toddler phase. But time marches on. It certainly does in my house.

Not a lot going on in security land, as it seems everyone is aflutter about CES and MacWorld. That's fine by me, since I still have a lot of catching up to do. I blew up the 2007 Incites over the weekend, so it's not clear they'll be done by Wednesday (especially since I'll be on the road a bit too). I just got sick of making more predictions about arbitrary technology sectors. I'm taking a different tack. It'll be interesting to see how it'll be received.

I also spent a good deal of time over the weekend (when I wasn't addressing my honey-do list) laying the Pragmatic CSO out for print. That's pretty much done and the book order will be going in today. I hope to be able to start shipping books by the end of the week. You'll be able to buy the book later today on www.pragmaticcso.com.

Have a great day.


Top Security News

More mass media alarmism
So what? - Oh God. The sky is falling. Everyone run for cover. Or maybe just upgrade your friggin' Adobe Acrobat Reader to version 8. It's January 8 and the Adobe flaw has the "potential" to be the worst of 2007. By my count, that leaves 358 days to prove that asinine comment wrong. Perhaps someone can send me a malicious PDF and read some files on my machine. Maybe I'm missing something, but there are lots of ways for a determined hacker to read the files on my machine. Doing it via a PDF would seem to be a pretty hard way to get it done. This just reeks of more alarmist mass tech media trying to stay relevant. I think one of my Incites this year should be "2007 is the year that the tech media cried wolf." That's what it feels like anyway.
http://www.informationweek.com/showArticle.jhtml?articleID=196801513


BioPassword fills the coffers
So what? - So normally, a start-up raising some more money isn't newsworthy. First, it's a VERY slow news day, and I didn't want to cover McAfee naming a few new VPs - so there you have it. Second, consumer mutual authentication will remain hot in 2007. Yes, partially driven by FFIEC cleanup, but also by the acknowledgment that phishing is a big problem and that passwords (alone) are not good enough for some applications (though just fine for others). I believe that keystroke dynamics is a very promising technology to add another factor to the authentication process without requiring distribution of tokens. Another interesting little tidbit is Citrix becoming a strategic investor. Citrix made some waves in security last year, and since access is their game - it makes sense that they would want to align with stronger authentication.
http://biz.yahoo.com/iw/070108/0200538.html

Encryption and phishing?
So what? - I know about that 1st Amendment thing, but sometimes it seems that some reporters shouldn't have a keyboard. Or at a minimum, shouldn't be able to write about stuff they don't know much about. Via InformationWeek, this CRN article examines TrueCrypt - which is an open source encryption utility. Given the need to encrypt data on mobile devices, this is pretty cool. But the headline of the article, "...Encryption Utility Frustrates Phishers" left me aghast. Unless I missed something over the past 15 years, I'm not sure how encrypting files and volumes on your machine frustrates phishers. Don't phishers try to steal your personal information by getting you to GIVE IT TO THEM? Of course they do, so TrueCrypt will help if someone steals your machine or even gets remote execution capabilities via a Trojan. But it doesn't do a hell of a lot to stop phishing.
http://www.informationweek.com/showArticle.jhtml?articleID=196801768


Swivel those HIPS
So what? - Dark Reading has a new analysis report on the street. This one deals with HIPS. To reiterate, HIPS (host intrusion prevention) is another layer that can help to protect business systems. Actually, HIPS is not an outgrowth of the old personal firewall (that's NAC), but rather a technology using all sorts of techniques to try to figure out if something funky (to use a technical term) is happening on the device. But there is a self-serving reason to point to this report. It costs $900!!! For 17 pages of HIPS-isms. So when folks wonder if $97 is expensive for a training manual, I'll just point them over to Dark Reading. And to preview a bit, when I launch the Pragmatic CSO web-community (no, that isn't the name, it's how I'm referring to it), for about the same price you'll get an entire year of good stuff.
http://www.darkreading.com/document.asp?doc_id=113915


Top Blog Postings

Inside or outside?
Given what seems to be global warming (what else can explain 70 degrees in the northeast in January) making the distinction between inside and outside less relevant - does that apply to security? The Tao master, Richard Bejtlich, believes that most effort should be spent on outside threats rather than inside threats. Lots of other folks think the insider is the devil incarnate. Me? I don't care much because I think everyone should focus on protecting BUSINESS SYSTEMS. If your business system is at risk from outsiders (maybe because the application is accessible via the Internet), then you better worry about that. If an insider can access that data and take down the system, well, you know, that's something you should focus on. Enough of these ridiculous insider vs. outsider delineations. Protect your damn business systems and the nomenclature will work itself out.
http://taosecurity.blogspot.com/2006/12/incorrect-insider-threat-perceptions.html


It's still the physical layer, stupid!
Being an old networking hand, I learned a lot about the physical layer early in my career. Before managed wiring centers, distribution frames, and fiber running through conduit, there was daisy-chaining thicknet devices together and praying the protocols wouldn't lock up your machine. Those were the good old days. But alas, many of us spend our time focusing on cyber defenses when the path of least resistance is usually getting into a conference room and connecting to the network. And if the bad guy actually gets into your data center, you are hosed. Most servers are open books if you can sit down at the keyboard. Jeff Hayes makes some great points here about not forgetting about the physical layer. You may need to work with the old spook or cop that runs your physical security group, but coordinating physical and information security activities will make you more secure.
http://mycsosolutions.net/2007/01/03/importance-of-physical-security/

Ranum on secure code
Marcus Ranum thinks ahead of his time. Given his track record (inventor of the firewall, IDS innovator, blah blah), that is clear. So when Ranum starts ranting (on his new sort-of blog) about the need to use source code analysis tools, we should listen. Now, this is a security guy most likely building security products, and tools like Fortify, Ounce, and Secure Software are trying to target the mass market developers, but there is a clear message here - especially if you build security products. Make them secure. There is no faster way to look like a schmuck than to be a security company and have a hole in your code big enough to drive a truck through. Period. So take a look at some of these tools and start working with developers to "evolve" their coding practices to be more security-aware. In 4-5 years we may actually get there.
http://www.ranum.com/security/computer_security/editorials/codetools/index.html

Keeping it real
The Mogull looks at complexity in this post, and I like the message, and not just because he says nice things about my book. Or as nice as Rich can say and not get in trouble at his day job. It's because the point needs to be made over and over and over again until it starts to sink in. The more complex a system, the more opportunity for failure and compromise. So by continually over-complicating our defenses of systems that are already ridiculously complicated, you get? Right, a business system with enough holes in it to make a Swiss cheese blush. So let's focus on eliminating complexity in 2007 and, dare I say it, becoming more Pragmatic.
http://securosis.com/2007/01/05/keeping-it-real/

Recently on the Security Incite Rants Blog

Holiday activity on the blog
I was pretty active on the blog during the holidays, writing a "Report Card" series picking apart each of my 2006 Incites and giving some self assessment. It was a cathartic, healthy activity and provides the accountability that I seek out for many of the things I say. There were too many posts to list individually here, but click the link and these posts will miraculously appear.
http://securityincite.com/security-incite-rants/report-card

Submitted by Mike Rothman on Mon, 2007-01-08 11:31.
Fair enough Richard. Most folks have been lulled into a false sense of security, especially on the perimeter. But my point isn't so much about whether folks are "secure" or how badly they are screwing things up. It's about the viewpoint of even defining an insider vs. an outsider, as opposed to evaluating all the threats to a specific business system. That was my point.
Submitted by LonerVamp (not verified) on Mon, 2007-01-08 14:32.

I'm glad you noticed that TrueCrypt InformationWeek article before I did. By reading your little rant on it, I got my little cathartic frustration release through you. :)

Either way, someone needs a lesson on "data at rest." But beyond that, it is really frustrating to hear people talk about or write about security solutions and problems that don't match up. For instance talking about how a valid SSL cert means a site is not hackable or something. Or they use a personal firewall when at a wireless hotspot so that means their POP3/SMTP email is secure.

We have enough issues as it is.