The Daily Incite - April 4, 2007
April 4, 2007 - Volume 2, #56
Good Morning:
Why doesn't Microsoft have fanboys? Or Cisco? Or Oracle? Or SAP? You know, those folks that follow everything that Apple does. Or RIMM. Folks that set up websites, like they are cheering for Britney Spears or something. "Ooooh, what did Steve wear at that keynote." "He changed his glasses. Aaaaah." You seriously have folks that talk about this stuff. Not sure if you folks watch American Idol here in the States, but do you remember that little girl from a few weeks ago that was just sobbing in the presence of Sanjaya (that joke)? They kept putting this girl on camera and it was kind of funny, but in a sad kind of way.
That's what fanboys are like. They can't contain their enthusiasm and if they ever got to be in the presence of someone like Steve Jobs, my bet is that they sob like that little girl on Idol.
But that's not what I want to rant about today. Microsoft (or any of the other huge technology shops) doesn't have fanboys because they elicit no passion in their user community. Their software is utilitarian, useful (most of the time), and doesn't really change anyone's perception of how things should work. Love them or hate them, Apple does that all the time. RIMM does it too. That's the secret folks. It's all about passion. If you can't elicit passion from your customer base, then you better hope you either have a monopoly position in something or you buy every company that could potentially compete with you.
It was George Ou's post (here) on Microsoft's issues patching the ANI (friggin' cursor) hole that originated this line of thinking. But what occurred to me is that Microsoft is truly in a no-win situation. Even if you look at Microsoft's account of the process to fix ANI (here), it'll never be good enough. Not only does Microsoft have no fanboys to defend them against this chatter, the industry has totally unrealistic expectations relative to how quickly they can get things done, without breaking everything.
What's even worse is that they have decided to go with a level of transparency that you will likely never see from the likes of Apple, Oracle, Cisco or anyone else, relative to how their security process actually works. While everyone wants to beat down Microsoft (Seltzer adds his two Passover cents here), I'm going to be a bit contrarian on this one.
I'm all in with Rob Graham of Errata (here), who provides a bit of an explanation regarding why it took Microsoft over 3 months to fix this problem. Great post Rob. He paints a realistic pro and con of this situation and actually has some suggestions for how to make it better.
And at the risk of raising the ire of fanboys everywhere, let me send an atta-boy over to Microsoft. Maybe not on the ANI issue, but you can't hit a home run in every at-bat. Kudos for fixing your process in general. For seeing a real danger and accelerating the patching process to keep customers safe. You've set the bar to a place that other vendors with your resources and attack surface probably won't get to. Ever. It'll never be good enough for the Redmond-haters out there, but given where things were 5 years ago - even getting this done in 3 months is great progress. It's too bad everyone has such short memories.
Have a great day and if you happen to be in the Milwaukee area, I'll be there next week. Come visit. Details here.
Top Security News
Protecting those laptops
So what? - Since lost laptops are such a huge issue, we can continue to expect a vendor feeding frenzy relative to what laptop security can and should be. The OS makers (Microsoft and Apple predominantly) are jumping on with their OS-level disk encryption capabilities. You've got a third-party cottage industry of folks that can tack a policy onto a laptop encryption engine. You've got PC makers that figure things like fingerprint readers and TPM modules are the answer. You can get a feel for the types of solutions out there in this Information Week article (here). My position is that first you need to figure out if the private data should even be on that laptop. Think data first. If there is a legitimate business reason, then it doesn't much matter to me how the data is protected. Something with a central management capability is interesting in that you add the ability to enforce central policies and audit whether they are in use. But as long as the data is protected, it's all good.
Rootkits, bots and other bad stuff
So what? - I'm currently "teaching" a lesson in SearchSecurity's Messaging Security School on next generation attacks. The podcast portion of the lesson has to do with new attacks that AV can't catch. The lesson appears on April 17, so keep an eye out for that. Not to steal my own thunder, but the #1 attack that AV can't catch - rootkits. So this article (here) kind of made me laugh. Yes, rootkits are still a problem. Yes, more and more machines are being compromised with rootkits daily. Yes, they are still very hard to detect and even harder to clean. The problem is perception. Rootkits tend to be just part of the package. It's not exciting anymore, but the risk continues to be real. Rootkits are also at the heart of the zombie issue, since that is the technology that is usually deployed to hide the malicious bot activity from the machine's defenses. Kevin Beaver goes through how to detect bots in this piece (here). A lot of these functions are included in the "assurance" part (Step 10) of the Pragmatic CSO methodology. And if you find something wrong, save yourself some time and just re-image the machine. You are keeping data on a separate partition, right? You've got a standard build image, right?
When everyone worries, but no one does anything
So what? - You all know how much I love vendor-sponsored surveys. Especially the sponsored ones performed by bastions of objectivity like the Aberdeen Group (here). This one, sponsored by the folks at Tumbleweed, states what we already know. Most companies are spending money to keep spam, phishing and other inbound attacks at bay and not really focusing on outbound email data leakage. Firstly, this is a very email-centric view. Doing leak prevention (and subsequent message encryption) on just email is not enough. The auditors aren't interested in stopping only a portion of the data leaks. You also have a standard early market, where leadership is being established, technology is maturing, and there haven't been enough public train wrecks based on leaky data to create a buying catalyst. It'll happen, and I suspect a majority of the customers out there will opt for a broader solution rather than just a bolt-on to their email gateway.
The Laundry List
Stats #1 - Fortinet talks about the top threats in March. I don't see stupidity on that list, so it can't really be complete. - here
Stats #2 - FaceTime tries to justify their existence by saying IM/P2P attacks grew 6% last quarter. Sorry guys, you are a feature on a good day. - here
The G-men speak. Virtualization is dangerous. OHMYGOD! Tell that to the thousands of customers that are spending billions of dollars on virtualization software this year. - here
TippingPoint gets the Carnac award. They caught the ANI issue two years ago. It's better to be lucky than good. - here (Rob Graham points out that TippingPoint is only unique in their ability to crank out press releases here)
Top Blog Postings
Revisiting the sNACdown
Has it really been almost a year since we assembled the panel of "experts" to talk about NAC? My, how time flies. So yesterday Stiennon got into a self-congratulatory mode because he questioned the validity of the endpoint during that session, and some German folks hacked the endpoints to fool Cisco's NAC solution. Hoff just couldn't let that lie, and he really shouldn't have. Richard is telling some revisionist history. I think we need Warner Wolf to go back to the video tape, but my recollection is similar to Hoff's. We all agreed that the endpoint cannot be trusted, though I made the point that not checking it at all was stupid. Trust, but verify. NAC is bigger than ADMISSION CONTROL. Richard seems to have forgotten that about 70% of the conversation was about whether access control should be in the network or as an overlay. I can only state my position so many times. The perimeter is still needed and requires an integrated platform to run multiple security applications. Over time, network security on the intranet (which is really access control) will be deployed at the switch layer. Application and data center oriented security will happen in those specific domains (NOT in the switches). I'm sure Hoff will pick some bones with that description, but it's hard to net out the future of security in three sentences. Hoff should know a bit about that. He can hardly say hello in less than 1500 words.
http://rationalsecurity.typepad.com/blog/2007/04/its_a_snacdown_.html
Fear sells (and Sex too)
Farnum is channeling the Zen Master himself in this post. It's actually entertaining to see folks start to learn about how security gets marketed and sold. You start out in this business pretty idealistic. Most folks actually want to help people be more secure. Then the reality of quota and mortgages and the like sets in, and you start looking for anything that will help sell a product. It's too bad some enterprising soul hasn't figured out how to link sex and security, since that would sell like hotcakes. Instead we always default back to fear. Fear of what doesn't really matter, but security really is like insurance. No one buys insurance willingly. They are scared they will get sick or die or get sued. They figure a little money now is better than the slim likelihood that it will be a lot of money later. But Farnum's point is well taken, in that you really need perspective to be good at security. There are lots of fires all through the house; you need to figure out which one to put out first.
http://www.computerworld.com/blogs/node/5294
Is AV still relevant?
That's the question that MCW asks in this post. You certainly have a number of different camps, like George Ou who hasn't used AV for years. I probably should, but I still don't have AV on my Mac. Do you just dump the AV and deploy something like HIPS? You need to answer that question on a number of levels. First, layers are good, so if AV catches 50% of the stuff, that ain't great - but it's 50% of stuff you don't have to hope your other defenses catch. And layers aren't just about protection at the desktop, you should have perimeter and server protections as well to maximize the chance you'll catch badness. Next, things like HIPS and anti-spyware and application control are increasingly being bundled into the AV "suite." So it's not really just the AV engine anymore, it's a broader endpoint suite.
http://mcwresearch.com/archives/451