The Daily Incite - August 11, 2006

Submitted by Mike Rothman on Fri, 2006-08-11 09:04.
Today's Daily Incite

August 11, 2006

Good Morning:
Friday, friday, friday. This week felt pretty long to me, but I suspect not to the security industry that seems to be on vacation this week. It really is the dog days of August. Of course, the new airline security rules are top of mind for a lot of folks and flying yesterday was a real hassle. It took my father-in-law about 12 hours to get from Reagan National to Atlanta yesterday. He could have driven and saved 2 hours. And he is now without his trusty Listerine, which was confiscated at the security checkpoint. Thankfully I have an extra stash for emergencies.

This week also seemed to be the week of NAC. Last night, we (Hoff, Shimel, Stiennon and I) did a Security Roundtable podcast (or MobCast as Chris Hoff called it) with Martin McKeay on the NAC vs. Secure Fabric conversation. Suffice it to say, we had a lot of good discussion but no real consensus or answers. I guess that's what happens when you get a bunch of rock heads on the phone at the same time. Lots of sparks, but no movement. But it was fun, I love debate and there was plenty of that.

Speaking of NAC, I posted some thoughts from my friend Mark Bouchard on the topic yesterday (amazingly enough Mark doesn't agree with me) and it got Hoff and Stiennon to weigh in via comments as well. So check out the piece (here) and definitely read the comments. Nothing like a good bit of back and forth.

Have a great weekend.

Top Security News

Gartner says buy more products
So what? - I love when Gartner publishes security research to the public - giving jokers like me the opportunity to poke holes in it. In this post the G-men and women attack the issue of privacy and information leaks with 5 tips on how to "dramatically limit data loss and information leaks." Are you sitting? Get ready... They say to buy 5 categories of products and your problems will go away. Between buying content monitoring, backup tape encryption gear, endpoint security, laptop encryption and database activity monitoring, your private data will be "dramatically" safer. It must be nice to spend all your time with large enterprises that seemingly have infinite budgets. Fact is, if you do have an infinite budget - another few widgets will help to secure your data. But nothing is perfect, keep that in mind. Secondly, it just feels wrong to keep telling customers to throw more and more security products at these problems. We continue to react to every new threat with a new "wonder" box that solves that very narrow problem. It's about time we started thinking differently about all this stuff.
http://security.tekrati.com/research/News.asp?id=7595


Is it time to go to the Opera?
So what? - Everyone who does security knows that IE just sucks. It's clearly the most targeted, and in turn is the most vulnerable. That's a given. But what about Firefox? They've needed to do a number of patches over the past few weeks to address holes and there will be more coming now that it's much more popular. So that basically leaves Opera as the least targeted browser. This article goes through some of the new Opera security capabilities. But I don't think much of this matters to the typical user. What Opera doesn't have is a thriving 3rd party ecosystem to build cool extensions that make the browser better. I need to use Firefox because I need cross-platform support (I use both Mac and PC). I choose to use Firefox because of the extensions that make my life easier. If that means I need to patch every couple of weeks I'm OK with that. But that's me; corporates have a different decision to make, which gets back to how much it costs to do configuration management and patch all of the devices out there. That could maybe weigh in Opera's favor, but probably not.
http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1209390,00.html


Are we losing the battle?
So what? - Every so often I see the tired old defeatist mindset permeate some of the journalists and columnists out there. We are losing the battle! The black hats are winning! If you really think that (and aren't just trying to generate page views), do me and the rest of us a favor and go find something else to do. I'm sure folks need their data centers tuned or networks managed. Get out of the security business. Security people need to be primed for the battle. They need to believe that we can win. They need to know that it's a war and temporary setbacks will happen. They need to understand that it's always darkest before the dawn. And right now, I'll admit - it's pretty dark. But historically, these are the times that the most significant innovations happen. I'm not sure what that innovation is, and I tend to be more of a pessimist than an optimist, but if we don't think we can win - why even fight the battle? I DO think we are going to win, but it's clear there will be more data casualties along the way. But let's be clear that this IS a war and it will be protracted. Kind of like some other wars I can think of.
http://www.securitypronews.com/insiderreports/insider/spn-49-20060811AttackersWinningTheHackingWar.html


This is the problem with NAC
So what? - Since NAC has been the topic du jour this week, I may as well end on a NAC note. Here is a "product analysis" of NAC from Dark Reading, done by the folks at Current Analysis. In a nutshell, these guys are trying to nail down what NAC means. The problem is that it means something different to everyone, and the semantics are not going to be worked out anytime soon. I also get the feeling that the early, evangelical work of Cisco NAC, Microsoft NAP, and TCG will turn out to be the bane of every company that is trying to help a customer mitigate the risk of having a compromised machine enter their network. Yes Stiennon, I get that pre-admission NAC is not foolproof, but I'm still with Hoff and Shimel in thinking there is value in doing that. But these "architectures" have set customer expectations in the WRONG place. If you ask a customer what they want - they want it ALL. That's no secret to anyone that's done field work. And the NAC architectures promised it all. It's clear they expect too much, as do many of the analysts out there that aren't me. Trough of disillusionment, anyone?
http://www.darkreading.com/document.asp?doc_id=98701


Top Blog Postings

A humorous interlude from Matasano
I'm in need of some humor this morning, so I'm going to dig a Matasano post out of the archives to make me laugh. Coming off of Black Hat, Thomas Ptacek has some keen observations making the analogy between Kübler-Ross' stages of grief and the typical vulnerability/patching process that many large vendors have adopted. This is very true. Of course, he doesn't list Apple in here, but they feel to me like they are in the "bargaining" stage. They don't restrict patching to certain customers, but their disclosure policy is less than optimal and they tend to minimize the potential damage, lest they harm the "more secure" brand positioning of OS X.
http://www.computerworld.com/blogs/node/3189


Another vote for pre-admission NAC

When Microsoft says patch, many of us just jump and patch. But this post from CJ Kelly is another reason why pre-admission NAC (endpoint posture checking) can't hurt. Of course, I'm not sure she intended to say that, but that's OK. By delving a bit deeper into the true exposure of the most critical warning this week (that caused Homeland Security to weigh in and suggest the patch as well), you see that because most internal networks don't block the offending ports, a network can be compromised from the inside out if a contaminated machine were to join the network. A lot of the dissension about NAC is not if, but when you do pre-admission checking, and if you don't have your own firewall (as CJ alludes, some agencies rely on the state to do that - which is scary) - then by all means fix that first. But it's this kind of stuff that shows the value of pre-admission NAC. Again, not a panacea, but if all the other blocking and tackling is under control, then this is something to look at.
http://www.computerworld.com/blogs/node/3189
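To make the "pre-admission posture check" concrete, here is an added example (not code from the post, from CJ Kelly, or from any NAC vendor) of the decision an admission point makes before an endpoint is let onto the internal network: the endpoint reports its posture, a policy says which patches, firewall state and AV signature age are required, and the result is ADMIT or QUARANTINE. The patch identifiers, thresholds and host names are constructed placeholders, not real bulletins. The one design point worth noting, and the reason pre-admission checking is not foolproof, is that the posture is self-reported by the endpoint's agent; the evaluator therefore fails closed on anything the agent cannot or will not report.

```python
"""Pre-admission posture check: a toy NAC policy evaluator.

Added example, not code from the original post or any NAC product.
An endpoint reports its posture; the policy decides ADMIT or QUARANTINE.
Patch identifiers, thresholds and host names are hypothetical.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

ADMIT = "ADMIT"
QUARANTINE = "QUARANTINE"


@dataclass
class Posture:
    """Self-reported endpoint state (what a NAC agent would send)."""
    host: str
    installed_patches: set[str] = field(default_factory=set)
    host_firewall_on: bool | None = None      # None = agent could not tell
    av_signature_date: date | None = None


@dataclass
class Policy:
    required_patches: set[str]
    max_av_signature_age: timedelta
    require_host_firewall: bool = True


def evaluate(p: Posture, policy: Policy, today: date) -> tuple[str, list[str]]:
    """Return (decision, reasons).

    Unknown attributes fail closed: a posture the endpoint cannot (or will
    not) report is treated as non-compliant, because the agent's word is
    all the admission point gets.
    """
    reasons: list[str] = []
    missing = sorted(policy.required_patches - p.installed_patches)
    if missing:
        reasons.append("missing patches: " + ", ".join(missing))
    if policy.require_host_firewall and p.host_firewall_on is not True:
        reasons.append("host firewall not confirmed on")
    if p.av_signature_date is None:
        reasons.append("AV signature date unknown")
    elif today - p.av_signature_date > policy.max_av_signature_age:
        age = (today - p.av_signature_date).days
        reasons.append(f"AV signatures {age} days old")
    return (QUARANTINE, reasons) if reasons else (ADMIT, reasons)


# Constructed sample data; patch IDs are placeholders, not real bulletins.
POLICY = Policy(required_patches={"PATCH-2006-08-A", "PATCH-2006-08-B"},
                max_av_signature_age=timedelta(days=7))
TODAY = date(2006, 8, 11)

ENDPOINTS = [
    # fully patched, firewall on, fresh signatures
    Posture("desk-01", {"PATCH-2006-08-A", "PATCH-2006-08-B"}, True, date(2006, 8, 10)),
    # missing this week's critical patch: exactly the machine the post worries about
    Posture("laptop-07", {"PATCH-2006-08-A"}, True, date(2006, 8, 9)),
    # patched, but the agent cannot vouch for firewall or AV: fail closed
    Posture("contractor-3", {"PATCH-2006-08-A", "PATCH-2006-08-B"}, None, None),
]


def triage(endpoints=ENDPOINTS, policy=POLICY, today=TODAY) -> dict[str, str]:
    """Map each host name to its admission decision."""
    return {e.host: evaluate(e, policy, today)[0] for e in endpoints}


if __name__ == "__main__":
    for e in ENDPOINTS:
        decision, why = evaluate(e, POLICY, TODAY)
        print(f"{e.host:14} {decision:10} {'; '.join(why)}")
```

In a real deployment the QUARANTINE branch maps to a remediation VLAN or ACL rather than a string, and the posture would be attested by something harder to fake than an agent's JSON; the policy logic, however, is this small.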


It's time for the blank OS slate

Every generation you need to basically start over again. It's hard. Very hard. But at some point you analyze the cost benefit of continuing to support the status quo and figure out it may not be worth it. Steve Gold over at SecurityWatch doesn't exactly say that, but it's how I interpret his statements. By critically evaluating the fiasco that is now Vista (with all the delays, compatibility, and security issues), maybe Steve is right in calling for a total overhaul. That means there may not be compatibility with the old regime. Hmm. Is that feasible? With more and more stuff happening in the network (Software as a service), I think increasingly so. And with more mature virtualization, you provide a "compatibility-mode" that can support old applications, but firewall them off from the rest of the system. Maybe I'm just a dreamer, but it may be something totally radical like this that can get us fighting offensively and not continuing to react to every friggin' hacker bug.
http://securityblog.itproportal.com/?p=427


Yet another analyst blogger
Looks like Gartner finally has enough security staff. How do I know? Because an in-demand analyst like Rich Mogull now has time to blog every day. I guess that's an unscientific way to draw that conclusion, but given that most clients need to wait between 4-6 weeks to get an hour call with folks like Rich - I'm sure they are pleased that he's spending time each day posting his thoughts on a non-Gartner blog. But I digress. Rich is a smart guy and has a diverse experience base, which makes many of his perspectives worth checking out. In this post, he weighs in on physical security and specifically the airlines. The conclusion that "flying is going to suck" is pretty much right on the money, but his point is that there is logic behind some of the hoops they make you jump through. So check out Rich's blog and be happy that you'll get to enjoy some perspectives that everyone else gets to pay the G-men a lot of money for.
http://securosis.com/2006/08/10/security-pundits-and-airplane-security/


Recently on the Security Incite Rants Blog

On not wasting time
I have to admit that sometimes writing pretty personal stuff on my blog is weird. But it's also cathartic. A good friend sent me a pretty nasty note on a recent post, and it really made me take a step back and try to understand why I'm so bitter about my marketing experiences. The good news is that I'm so much happier now than I was a year ago. More good news is that I'm able to describe why in this post and it gets back to doing what you love without worrying about the payoff. To be clear, I hope that some of you get value out of my personal preaching, but ultimately these are ramblings that I write for me, so that at some point in the future I'll be able to look back and get a feel for what I was thinking, and remember why I do the things I do. 
http://securityincite.com/blog/mike-rothman/on-not-wasting-time

Bouchard says Scratch AND Sniff
Not wanting to be left out of the party, my old friend, former META colleague and all around great guy, Mark Bouchard was kind enough to let me post some of his thoughts on the NAC and Secure Fabric discussions that have engulfed us over the past week. Mark brings up some interesting points, but also check out the comments because Chris Hoff (per usual) takes some issues with Mark's position.
http://securityincite.com/blog/mike-rothman/bouchard-says-scratch-and-sniff

Read yesterday's Daily Incite
http://securityincite.com/TDI-2006-08-10
