The Daily Incite - May 8, 2008
May 8, 2008 - Volume 3, #44
Good Morning:
If I've said it once, I've said it a thousand times, success in
anything that you do is based on how well you manage expectations. When
you expect little, you tend to be surprised on the upside. When you
expect a lot, well... you know. Reading Shimmy's post on the Iron Man movie
made me think about why I go to movies and what I expect to get from
the time and money I spend.
Basically for me,
movies are about escaping. Not that my life is bad, quite the contrary,
but every so often taking a few hours to go into the land of someone
else's imagination is very useful for me. I do my best not to get into
the dogma of reality vs. unreality. Plot lines that don't make sense
just roll off my psyche, and I spend very little time trying to
understand the "true" meaning of any of these movies.
Why? Because they are movies. If I want reality, I'll go over to CNN
and remind myself how screwed up things are. If I want to be
overwhelmed, I'll just spend a few hours trying to keep up with my
kids. When I want to escape, I take in a movie or curl up with a
suspense, mystery or science fiction novel. Then I can shut off the
world, if only for a little while.
Personally, I thought Iron Man was a great movie. So I guess I'm with Farnum on that. I don't
know a lot about the comic book lineage, so I wasn't worried about how
true they were to the Iron Man history. Robert Downey Jr. was very
believable as the main character. And the idea of a supersonic flight
suit? Why not? Again, if I want reality - I'll watch
Survivor - since that's very real.
I guess it's about mental health. All work and no play makes Mikey a
dull boy. And given the schedule I keep and the crap I consistently add
to my overflowing list of things to do, sometimes I just need to shut
down for a few hours and go into someone else's world. The Boss has
mandated that Friday nights are now movie night. No more catching up on
the crap that didn't get done during the week. No more watching some
crappy TV. Now it's about escaping from the week that was and setting
the stage for the weekend to come. I think it's a great idea.
That's my story and I'm sticking to it. Have a great weekend.
Photo: "Iron Man Suit" originally uploaded by kevitivity
Technorati: Information Security, CSO, Security Mike, Internet Security
Top Security News
NAC is dead! Long live NAC!
So what? -
It was only a matter of time before the esteemed Stiennon tried to
relive his glory days and proclaim some other security technology as
"dead" and try to ride that to additional worldwide infamy, I mean
notoriety. Not surprisingly, he's decided that NAC is on death row
and is awaiting its three-drug cocktail into an eternity of hell fire
and disappointed VCs. Of course, Shimel takes this as validation that NAC is
for real, and it's not like he needs an excuse to jump on the
bully pulpit and wax poetic about all things NAC-virtuous. The reality
is the truth is somewhere in the middle. NAC clearly has its
challenges; I've been one of the (only) voices that drove that point
home back in 2006, until it became popular to beat down NAC. Though
there are still legitimate use cases for all three aspects of NAC (admission control,
access control and containment). It seems Richard forgets about the
first law of security (or he's gotten the mind-meld from Matasano),
which is to layer your defenses. Of course, NAC isn't going to stop a
clean computer from entering your network, but who says that NAC is the
answer to every problem? Maybe that's where everyone is getting hung
up. Let's try this again. Repeat after me, there is no silver bullet.
There is no silver bullet. There is no silver bullet. There is no
silver bullet.
Are drive-bys an endangered species?
So what? -
Wouldn't it be nice to live in Larry Seltzer's skewed view of reality?
Sometimes the stuff he writes is pretty good. Other times, he's taken a
wrong turn and fallen off the end of the world. The world is flat,
don't you know. Like this week's piece about browser defenses getting better.
Huh? So Vista does some ASLR and DEP (XP has limited DEP capabilities
too), so what? The applications have to use those defenses, which is
slow in coming. Also everyone has to have these latest operating
systems and have everything patched, and we certainly know that's not
the case in the real world. Larry even takes a shot at the beloved
NoScript, and now he's crossed the line. Listen, a web without
JavaScript is certainly sub-optimal. And I do spend a fair bit of time
authorizing different scripts on the various web sites I visit. But the
point is that I am making that decision, not some jackass web developer
that would rather drink Red Bull than ensure my browser can't be owned
via an XSS. NoScript gives me the power to
choose what scripts I want to run, and which I don't. To just blame all
the ills of browser-based attacks on stupid users and social engineering is
missing the point. Attackers will take the path of least resistance,
and now that is through the user. Something like NoScript makes it a
bit harder, and that's why I tell everyone that will listen to use
it.
Hope for everyone that isn't the market share leader
So what? - What
do you do when your biggest competitor is Cisco and your main value
proposition is lower cost? You commission a survey that says 77% of IT decision makers
would buy network security equipment from an "alternative" vendor.
Meaning an "organization other than the market share leader." Hmmm.
That's interesting data. So how does Cisco (and Check Point, etc.)
maintain their huge market shares if all these customers will consider
another vendor. Thinking... Thinking... I got it. They are considering
the other vendor for leverage. You'd be an idiot not to "consider" another vendor because
that gives you a bit of power (however small) over the incumbent to
break a bit on price. That's negotiating 101. I'm interested in the
other 23%, who basically say they'll buy from the market leader no
matter what. Just goes to show that you can get a survey to say
anything you want, you just need to phrase the questions correctly.
Such as, "would you consider buying a technology from an "alternative"
vendor (not the market share leader) that provides more functionality
at a lower price?" Hmmm. How many folks would say no? I guess around
23%. And that's why I'm such a big fan of these surveys.
The Laundry List
- Yahoo shrugs off the Microsoft deal and embraces McAfee's SiteAdvisor to warn search users that some sites may be bad. This is cool, but I'm still using Google. - NetworkWorld coverage
- Add USB thumb drives to the 10 most wanted list. They could bring malware in and take data out. Of course, we already knew that, but sometimes it's good to be reminded - Network Computing Daily blog
- It was just a matter of time. Now other application dev shops are embracing security as a feature. Parasoft talks about their new application security offerings, built into the dev tools - of course. - Parasoft release
- Funny post on the NoticeBored blog about how not to do security awareness training. Idiotic questions are my favorite. - Noticebored blog
Top Blog Postings
New boss is same as the old boss
As I gradually tear through the blog posts that have piled up, I come
across Sir Verbiage, otherwise known as Greg Ness of Blue Lane. I
actually appreciate the fact that Greg is a card-carrying member of the
why say it in 100 words when you can say it in 1000
club. That's right, Hoff is the president, but I'll get to
that next. This post lays out Greg's view of 5 critical requirements of
data center security, and amazingly enough they are pretty consistent
with other aspects of security. Like accuracy (or no false positives),
which I hear is pretty important in an IPS system as well.
Comprehensive protocol "intelligence," which basically means you need
to understand not just the pipes, but also the application context. Uh
huh. Appropriate exploit response, meaning defuse the risk without
killing the patient (or disrupting operations anyway; the patient may
already be dead). I'm pretty sure most security folks start with a "do
no harm" mantra in other parts of the environment as well.
Exception-based detection? Yup, sounds like anomaly-centric views as
well. Finally the last is "virtsec readiness," and that just means you
need to be able to deal with both physical and virtual servers. Again,
nothing we are seeing in the data center is so different than what
we've seen before, there is just more of it and it happens faster. Some
of the defensive architectures of earlier days won't scale to the needs
of the new virtualized data center, but it's not like the tactics are
changing all that much.
http://gregness.wordpress.com/2008/04/25/data-center-security-five-critical-requirements/
Where is Roget when you need it???
Since my brain doesn't hurt enough this morning, let me tackle a few
Hoffian posts, just to ensure I'm a bumbling idiot within 10 minutes.
You see, I can't concentrate enough to follow Hoff if I worry about
things like fine motor skills and breathing. I'm glad I've been sucking
pure oxygen for the past 20 minutes and hopefully I'll be able to wade
through Hoff's clarifying the ideas of securing virtualization vs.
virtualizing security before I pass out. The good news is that even for
folks of average intelligence like me, I get this. I think. Securing a
virtualized data center is about doing the same stuff we did for a
physical data center, but more and faster. Sure we've got a new OS
(hypervisor) to protect, but the attack vectors are largely stuff we
know. Until it's not and some big brained bad guy invents a new attack
vector anyway. I don't think people are being intentionally obtuse and
ignoring the risks of this new virtualized reality, I just think that
lacking a real attack vector that can demonstrably show that there are
additional risks, people are focusing on the stuff they can control.
Which isn't much. Unfortunately Hoff doesn't touch on his ideas
of "virtualizing security," since it's a totally different
ballgame and is about bringing security intelligence as an overlay to
the pipes and boxes that make up the fabric of your computing
environment. But if I need my fix of virtualized security goodness I
can always wade through some rational security archives. But since my
air is about to run out, I better get on with it.
http://rationalsecurity.typepad.com/blog/2008/04/clouding-the-is.html
Utopia RSnake-style
Ah, to see the light bulb of rationalization flicker on is a sight to
behold. Yes RSnake, the good guys need the bad guys. Or else we enter a
world depicted in Demolition Man, where police are unnecessary. Until
they are. But the bigger point is to try to find the root cause of the
issue and try to address it. And unfortunately, fraud has been around
way before computers and will be around long after I'm gone. There is
no panacea, there aren't any "punishment(s)
that actually deter crime or a security solution that prevents it from
happening entirely." Half the world figures if they become
a martyr they'll live in eternity with a posse full of virgins, and
they may not be wrong. So the idea of a punishment to deter crime is
not feasible. People have been rationalizing bad behavior since the
beginning of time, and I doubt they are going to stop anytime soon. And
the only security solution I know that prevents fraud
is the on/off switch. The point is not to make the problem go away, but
rather to make sure you are not the lowest hanging fruit for the bad
guys. Over time, perhaps we can tip the scales a bit in our favor and
make it cost a bit more to do cyber-crime, but I'm not holding my
breath on that one. I appreciate the frustration brother, but this is
the world we live in, and I don't have a lot of cycles to contemplate
why it sucks. So I don't.
http://www.darkreading.com/blog.asp?blog_sectionid=403
Mike - I didn't mention it in my article but my favorite part of the movie was the hard rock riff of Iron Man at the end of the movie! Can't wait for Speed Racer though!
On NAC (couldn't resist) Stiennon says it's dead, what more validation do you need?