The Daily Incite - February 14, 2008

Submitted by Mike Rothman on Thu, 2008-02-14 11:15.
Today's Daily Incite

February 14, 2008 - Volume 3, #15

Good Morning:
Another year, another Valentine's Day. The time of year concocted by the flower business in cahoots with the chocolate industry and the greeting card folks. Let's just say I'm not a big fan of this annual February ritual. Yes, the fact that I'm so romantic is not lost on the Boss. I've been apologizing for almost 14 years now.

When you think about it, Valentine's Day is pretty kooky. Let's celebrate our love by eating chocolate. Huh? And not like a good 2 lb bar of Hershey's. It's got to be those weird chocolate things with gooey filling. Life is like a box of chocolates, you never know what you are going to get... It worked for Forrest Gump, not for me. Could they think of a worse, more addictive vice to use in celebration? Why didn't they just use opium if they wanted us to revisit our addictions every February? We could set up a big neighborhood hookah and party. Maybe we'll have a free basing lesson for the kids. Now that would be festive, wouldn't it?

I'll also admit to not being a flower guy. I'm horrified to admit that more than once my kid brother sent flowers to the Boss and signed my name to the card. Actually not that horrified or I wouldn't be telling you. Yes, my brother is a good, considerate guy. And me...not so much. He saved me from a bunch of hot water through the years.

I don't get flowers. They die. They don't smell that good to begin with and if you leave them in a vase for a few days they start to get funky. What's the use? I guess they add a little color to your house for a few days. If I want color, I could get fake flowers. At least they last a little longer, and they don't smell.

But that would once again put me in the soup with the Boss. She doesn't like the fakes. So I shelved that plan. 

What works for me is a card. I know the greeting card folks are in on the conspiracy, but that's OK because I like cards. It might have something to do with the fact that I write for a living. I usually pick cards that are funny and then I take a few minutes and write a nice note inside. A heartfelt message. One that is timeless and that she'll be able to look at in the years to come and remember that I'm not always a total jackass.

Another thing that I like is that cards last forever. I still break out the first Valentine's Day card I got from Leah in 2001. It says, "To my First Valentine..." It's awesome. It's in the drawer right next to my desk and has been for 7 years. Try doing that with a flower.

Have a great weekend, and oh yeah, Happy Valentine's Day. Also enjoy President's Day on Monday. It's a Daddy weekend that is bleeding over until Monday - so I'll be back Inciting on Tuesday.

PS: I've posted the first two Days of Incite Posts. The 3rd hits later this morning and the 4th tomorrow.

  1. Express Your Inner Bean Counter
  2. It's time for an audit revolution

Dead flowers image uploaded by lolla_sig



Top Security News

Will my speech recognition understand "ostrich"
So what? - Vulnerability research used to be a waiting game. The researcher would find an issue, report it to the vendor and then hopefully at some point be mentioned in the patch announcement. Notice I say "used to be." I'm not going there now, but there is little incentive for researchers to do anything but publicize what they've found - when they find it. But what happens after that? Usually nothing. That's been the case with the Vista speech recognition hole that George Ou found last year. For those folks that require speech recognition, this is pretty bad. But Microsoft has decided (for lots of reasons I'm sure) not to fix it and George is calling them on it. Will it have any impact? Probably not, because it's a low footprint issue, given the number of folks that are likely vulnerable. You can't fix everything, so something has to fall off the list - I get that. If people were setting up MySpace pages with these kinds of voice exploits, it may get a higher priority. But until then it's back to the ostrich game. I hope the sand is warm.

Passwords still good enough
So what? - Here we go again. About every 18 months, a bunch of vendors get together and try to convince everyone that passwords are a problem and they really need to buy tokens. Now the tokens are a lot cheaper (you can get one from PayPal for $5), and sort of standardized now with OATH 2.0 hitting the streets a couple of months ago. Here is a good overview of OATH at Network Computing. But the fact remains that almost no one cares about strong authentication. The FFIEC did, so the banks had to spend the end of 1996 adding things like mutual and two-factor authentication to their banking sites. Last time I checked I was still able to get into my online banking system with a simple password. In fact, it's a password that can have NO MORE than 8 characters. How friggin' strong could that be? But are they going to issue tokens to everyone? Not a chance. It's cheaper for them to pay for the eventual fraud than it is to fix the problem. Yes, it's risk management gone wild, but it's all about the economics. I actually use very strong passwords (I use 1Password on my Mac to manage them) and thus I feel as safe as I'm going to. But the reality is that as long as it's cheaper to suck up the costs of fraud, passwords will be good enough.
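To show what the OATH tokens mentioned above actually compute, here is an added example (not from the original post or any vendor) of the HOTP event-based algorithm that OATH standardized in RFC 4226, plus a server-side check with a small look-ahead window so a token that was clicked a couple of times without logging in still works while an already-consumed code is rejected. The 20-byte secret and expected codes are the RFC's own published test vector.

```python
import hashlib
import hmac
import struct

# RFC 4226 test-vector secret (ASCII "12345678901234567890"); a real token
# would share a random per-device secret with the server instead.
RFC4226_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP(K, C) = Truncate(HMAC-SHA-1(K, C)) mod 10^digits, per RFC 4226."""
    # Counter is an 8-byte big-endian integer.
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    # Dynamic truncation: low nibble of the last byte picks a 4-byte window,
    # and the top bit of that window is masked off to avoid sign issues.
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    ) % (10 ** digits)
    return str(code).zfill(digits)


def verify_hotp(secret: bytes, next_counter: int, candidate: str,
                look_ahead: int = 3):
    """Server-side check. Returns the new counter to store on success,
    or None on failure. Codes below next_counter are never accepted,
    which is what stops a captured code from being replayed."""
    for c in range(next_counter, next_counter + look_ahead + 1):
        if hmac.compare_digest(hotp(secret, c), candidate):
            return c + 1
    return None
```

The verifier should persist the returned counter before answering the client, otherwise the replay protection is lost.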

Another reason for layers
So what? - Can we move past PDF? That's the question asked by a Symantec researcher on their blog (H/T to Ed Moltzen for pointing it out). That's an interesting question. My answer is an unqualified no. We can move on from PDF no sooner than we jettison DOC or XLS or PPT. PDF is the way a lot of information gets sent around. Now to be clear, Adobe needs to bring their A game (like what Microsoft has done) because they are now a target. They need a structured patching process and to invest a crap load of money in security research to be able to respond to the threats. But ultimately it's software, which means there will be holes. What to do? Don't leave all your eggs in one basket. You need layers, strong anti-spam that stops a lot of the solicitations from getting through, web gateways that protect users from themselves, and endpoint protection just in case the other stuff doesn't get it done. And then you'll still get nailed. Then you kick your incident response plan into gear. I guess if I think about it, we could stop using PDF. In the same way we could unplug from the network as well. That's definitely one way to stay protected.

The Laundry List

  1. Speaking of passwords, BioPassword can stop credential sharing. It's interesting, but only after someone finds their accounts shared on warez boards. - BioPassword release
  2. Ron Gula answers the question, "How often should we scan?" A lot and with Nessus. What did you think he was going to say? To Ron's credit, he actually has decent reasoning behind it. - Tenable blog post

Top Blog Postings

Yet another reason for DLP
In my 2008 Incite (#9), I pretty much took a dump on DLP. Though to be clear (and I will be when I write the Days of Incite post) it's not because DLP doesn't solve a problem. It's really a market acceptance issue. The parallels I see between DLP and SIM are significant. Both are hamstrung by taking a long time to get value, and there are other ways to solve the problem for a lot less money that are good enough. Not perfect, but good enough. Before we write off DLP, let's get back to the problem. The fact remains that our data is pretty much everywhere now and although controlling it is a losing battle, we need to fight the good fight. Tom Olzak brings up another use case, and that is the online collaboration applications. I'm starting to use Google Docs for some work I'm doing and over time I'm sure I'll be doing more of that, not less. My data isn't that important, but yours might be. I don't think this will be enough to push DLP through the chasm this year, but it's certainly something to think about.
http://blogs.ittoolbox.com/security/adventures/archives/the-promise-and-the-threat-of-webbased-productivity-suites-22412

PCI Marketing gone wild
Last year I was going to do a series called "Security Marketing Gone Wild" because I was seeing some pretty egregious transgressions out of some security marketers. I never got around to it, which is too bad. We, as an industry, have an issue with this. More than a fair share of CFOs and CEOs already think security is the equivalent of snake oil because our practitioners can't really tell them what the value is. As the little niche market has become an industry, we've got our share of carpetbaggers and those sorts that are here to make a quick buck, as opposed to solving a problem. Mark Curphey destroys a recent campaign from Barracuda for being this kind of snake oil. He's absolutely right. Barracuda's idea of "plug and play PCI compliance" is more than a little offensive. It just doesn't work that way. PCI compliance is a journey, not a destination, and it's not something you can solve by putting a web filtering gateway on your Internet connection. But as long as companies keep falling for this ruse, unscrupulous vendors will keep pushing their own little bit of snake oil. And the customers whose data is compromised end up holding the bag. I guess some things never change.
http://securitybuddha.com/2008/02/07/security-marketing-spinning-further-out-of-control/

27002 + PCI = what?
In one of SearchSecurity's Compliance School lessons Richard Mackey talks about how a structured framework like ISO 27002 could be used within the context of PCI compliance. He makes a couple of good points, though using all the vernacular does get a bit confusing. So I'll try to clarify things a bit. As I've said a million times, focus on SECURITY FIRST. You can do that via a framework like ISO 27002, which is going to define a lot of the stuff that you could do from a security standpoint. Mackey's idea is that 27002 is the large umbrella and you can use the PCI subset of requirements as a place to get started. The danger in this approach is that you never get to some of the other stuff. I would much rather folks figure out what they need to protect (and why), use the framework to define the best way to protect the data, and then compare that to the regulation. Then you are protected and compliant. As opposed to compliant, but not necessarily protected.
http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1295905_tax309647,00.html
