The Daily Incite - February 12, 2008
February 12, 2008 - Volume 3, #14
Good Morning:
Yesterday I published my 2008 Incites. You can read the post on the blog or get the PDF. Either way, check them out and join the conversation. Am I smoking crack? Are some on the money? Do they help you put the dynamic evolution of the security business in context? As always, I'm looking for feedback to ensure that my research and writing hit the mark. Don't be bashful, let me know what you think.

I know what you are thinking. Why the hell does he do those things anyway? He acknowledges that if any of the Incites turn out to be right, it's more luck than anything else. And those are legitimate questions to be asking. So let me rant a bit about why I think the Incites are important.

First, I use them to keep me honest. I synthesize a tremendous amount of information every day. I try to regurgitate that information back to you in a clean and concise format, which allows you to skim through it and figure out what you need to know. Or at least what I think you need to know. When you are hammered every day with too much stuff to do, it takes discipline to take a step back and really think about the big picture. Truth be told, I don't have that discipline. So I use the Incites as a process to ensure that I take the time to consider macro-issues and think big thoughts.
Next is accountability. I know that a lot of end users use IT research to make purchasing decisions. Sometimes it's mine, sometimes it's other firms' research. But with that role comes a significant responsibility. When someone puts trust in my advice, it's because (hopefully) I've earned that trust. The only way you earn trust is to be credible and accountable for what you say. This is my way to be both.
Lastly, writing the Incites and then revisiting those trends twice this year (over the summer with the Incite Redux series and then at the end of the year with the Incite Report Cards) is fun. I know, I have a strange idea of fun. Since I know a bunch of the Incites will be off-base, I'll be able to poke fun at myself and the entire industry. The day I take myself too seriously is the day I need to find something else to do.

So that, in a nutshell, is why I'll subject you to the Days of Incite once again this year.
Have a great day.
Top Security News
What's old is new AGAIN
So what? - Sometimes it's hard to see an article proclaiming something is "new" without ripping my hair out. Given the amount of hair I have, that would be pretty painful. So when I see this article about the "powerful, new antiphishing weapon DKIM," I want to puke. DKIM has been around for 3 years, in development for over 4. That's new? Come on now. DKIM was actually ratified by the IETF about this time LAST YEAR. Next we'll hear that the innovative, ground-breaking steam engine is making a comeback. I guess what is new is that the vendors now think DKIM is hitting critical mass. Yawn. The reality is that DKIM is no panacea. It gets back to user training. Users can now do some simple header analysis and figure out (with a high probability) whether a message is a phishing attack. But 99% of the consumers out there don't know how to do that. So if all these messages will now be DKIM signed, how will users realize that it matters? I guess one way is for the mail houses and spam gateways to block messages that aren't DKIM signed. That would go over like a lead balloon. There is too much of an opportunity for false positives, so the idea of blocking is untenable. But I guess if the vendors get all hot and bothered about it, it must be happening. Yes, that is the sound of me pulling my hair out.
Vulnerability counts going down - blame the researchers
So what? - Evidently the aggregate vulnerability counts went down in 2007. There are vendors all around the world quaking in their boots. I can hear the conversations now: "Oh God, if things are getting better, how do we prey on fear, uncertainty, and doubt? We need ILOVEYOU the sequel to make things better." OK, maybe that's pushing it a bit, but probably not too much. When I see the folks from IBM/ISS' X-Force out there talking about why the vuln count would drop, it just seems strange to me. The X-Force has been dormant externally since the deal (and most would argue for a couple of years before), so now is the time they decide to let Rouland loose on the world, and this is what they talk about??? Before I belabor the point too much, I'll just state that I don't care about vuln counts and neither should you. You should only care about exploits in the wild that can hurt you. Even with unlimited resources, sometime in 1995 you passed the point where you could fix all the "vulnerabilities." So don't even try. How about focusing on risk? You know, the things that could actually kill you? But that wouldn't make good PR, now would it?
Spending is going up, no maybe it's down...
So what? - One of the things that the big research houses do is project the aggregate IT spend each year. It's a really big number and, to be clear, it's totally made up. It's kind of like tracking the GDP. Do we really know what the number is? Does it matter? The answer to both questions is no. But then when you get diverging viewpoints, all hell tends to break loose. The G-people are saying software will grow 8% this year, despite a slowing economy. Gosh, I would love to have that crystal ball. Yet IDC and Forrester say spending is going down. That's the problem with opinions: everyone has at least one. And they change. Do you think any of these folks go back and say, "Gosh, we were just plain wrong last year. We figured spending was going to grow 8% and it only grew 3%. We're a bunch of idiots."? Nope, they'll all just put these projections in the research archive and come out in 2009 with a similarly nebulous and useless set of aggregate IT spending numbers. And you'll go about your day because the reality is, this stuff really doesn't matter to you.
The Laundry List
- This laptop will self-destruct in 5 seconds. If the TPM people have their way, every new laptop will ship with the Mission:Impossible theme song built in. No, that's not going to help customers understand why they should care about TPM. - TCG blog
- Varonis tracks unstructured data on Linux now. What? You mean our engineers aren't trustworthy? - Varonis release
Top Blog Postings
Ask Rich: What can I do about this goiter?
As The Mogull continues his "Ask Securosis" series, for our entertainment he should list some of the wackiest questions. I'm sure some joker asked where the strangest place he hacked a network was (that would be up the butt, Bob!). But that's neither here nor there. Yesterday's post had to do with Common Criteria certification. Rich wrote a very well-thought-out, politically correct, and considerate response that basically says it's a sham. The reality is that by the time a product gets certified, there have been two or three point releases, which would have to be re-tested. So, as much fun as Common Criteria certification is for the vendors, the fact is it doesn't really mean much from a security standpoint. Although it is still a buying requirement in some government circles, don't mistake Common Criteria for security.
http://securosis.com/2008/02/08/ask-securosis-is-common-criteria-certification-worth-anything/
Inadvertent pretexting
Most of you know that I'm a big fan of training as a supplement to technical security controls, especially for customer-facing roles. When I was in the anti-spam business, it was shocking when a company would turn on outbound filtering and see what information their customer service reps would send to customers via email. Yes, those are serious compliance violations. But dig a bit deeper and you see that most of the mistakes are inadvertent. The rep is just trying to be helpful. There are most likely policies in place to ensure this doesn't happen, but with the turnover in most CSR roles, it's hard to make sure these policies are known. Security Monkey posts a similar story about a guy who calls the phone company about a friend, only to find out that the friend's phone was shut off because he didn't pay the bills. There is no technology that is going to stop that privacy violation. So, don't forget about training when you are putting your control set in place. It's just as important as all those boxes with flashing lights.
http://blogs.ittoolbox.com/security/investigator/archives/the-hectic-ways-of-social-engineering-22276
Herds vs. swarms - another night on Discovery Channel
Remember that guy who wrote in early 2006 about how screwed up security was? He put out this long manifesto about how everything was broken and that we were hosed. He also said he'd have some answers in his next piece, and we are still waiting for that piece. Audience, may I introduce the sequel to this legacy of unmatched expectations: Amrit Williams. Since Amrit is a friend, I'm not going to give him 18 months to not deliver something. Actually, I'm not even giving him 18 days. Based on this post (which was a follow-up to a series of posts) dealing with how to aggregate knowledge and make security smarter, I have a serious case of securitus-interruptus. Amrit's thinking is very interesting and his assumptions are also interesting, especially the one about vendors not working together to share information. We basically need a groundswell of folks that would share information outside of the vendors' purview (thus they can't control it) and then package it up so that Big Security could use it to make their defenses better. I have no idea how to make that happen, but maybe Amrit does. If he'd ever finish the damn series.
http://techbuddha.wordpress.com/2008/02/03/evolving-information-security-part-1-the-herd-collective-vs-swarm-intelligence/
Mike,
>>"Oh God, if things are getting better, how do we prey on fear, uncertainty, and doubt. We need ILOVEYOU the sequel to make things better."
I blame you for the storm worm sending "I Love You" emails. Do you think they read the Incite?
John
Yup, I'm still waiting on Noam's update to his 'security is broken' piece as well.
http://www.terminal23.net/2007/05/on_the_total_failure_of_inform.html