The Daily Incite - August 16, 2006

Submitted by Mike Rothman on Wed, 2006-08-16 07:12.
Today's Daily Incite

August 16, 2006 - #96

Good Morning:
Boy I'm bushed. Those mid-week late nights are challenging, but the Dave Matthews show was great. He's one of the artists that just jams. 10-15 minute jams that start out like a song you recognize and then just morph. It's great fun and he packs 'em in. I know I'm getting old because we skipped the encores to get out of the parking lot before the rush. Guess that's pretty lame, but it was a school night.

It's a pretty news-light day here in security-land. A bit of channel stuff (here), a little observation on customer buying cycles (here) and a bit on the disconnect between security developers and researchers (here). But overall, the most newsworthy thing is the seeming ease of cross-site scripting (XSS) attacks on pretty prominent web-sites (here). The good news is the problems are easily fixed, but you need to care.

I'm on family duty this AM (just call me Mr. Mom), so all will be quiet on the blogging front. But I do need to respond to Lindstrom's thrashing (here) on my security metrics negativity. Suffice it to say, it's time for Pete et al. to put up or shut up relative to metrics. I'm tired of hearing about bad metrics vs. good metrics. If there are good metrics out there, please educate us - instead of berating guys like me who call it like I see it. I guess I'm asking "where's the beef?"

Have a great day.

Top Security News

Bide your time, sell your product
So what? - The enterprise buying cycle is always very interesting, just in that after a certain amount of time certain technologies become "acceptable" enough for more conservative companies to buy. Over the past 18 months, we've seen that with IPS. What's funniest is that most customers don't really know why they are buying the products, but it's in the budget - so they buy it. So a couple of years after a new category emerges, the mainstream figures it must work (because it's still around) and they put it in the budget. Seems that next up on the list is NBAD (network-based anomaly detection) and, as this story shows, database security. Basically the CSO of the Justice Department says as much. We're a lot better at protecting the perimeter (meaning they've already bought this other stuff), so now we need to do the databases. Not that this is wrong; you want more layers, and solutions targeting internal and data security are the next logical place. But the buying cycle is what I find interesting.
http://www.informationweek.com/story/showArticle.jhtml?articleID=191902504


Security is an organization-wide initiative
So what? - Hold on, STOP THE PRESSES! "Security is evolving from a department-level concern to become an organization-wide initiative," or so say the 200 or so folks that Heavy Reading spoke to in developing their overview of the security business. I guess I'm surprised that this is news to anyone. The auditors and compliance folks tend not to start in the lines of business, right? The line of business IT folks tend to worry about the applications that run their businesses, right? Sure, those are generalizations, but I'm not sure I need to talk to 200 people to figure out that security is important. Or that "customers are looking for products with a broad range of capabilities." The question is what are customers going to do about it? If any of you have $5000 lying around, maybe this report will illuminate you and then you can illuminate me.
http://security.tekrati.com/research/News.asp?id=7640

Gentlemen, start your channels
So what? - I've been pretty vociferous about the need for security start-ups to get their channel strategy right and to do it early in their lifecycle. Many customers find comfort in buying from a trusted party, even if it's unproven technology from a new vendor. Their VAR wouldn't steer them wrong... But you continue to see security companies embrace the channel in a more significant way. This little round-up hits 3 companies that are putting it "all-in" with the channel - ConSentry and Crossbeam adding GE's Access Distribution and moving towards more of a two-tier model, and Websense finally formalizing a new program in North America and using Ingram as the distributor. Given the complexity of security solutions nowadays, customers need help, and that's what the channel should provide. The reality tends to be different in some cases, but that's a story for another day.
ConSentry: http://biz.yahoo.com/bw/060814/20060814005263.html?.v=1
Crossbeam: http://biz.yahoo.com/prnews/060814/nem006.html?.v=65
WebSense: http://www.websense.com/global/en/PressRoom/PressReleases/PressReleaseDetail/?Release=0608141247


If a tree falls in the woods...
So what? - So the OMB "mandate" for data protection has come and gone. It was due to be in effect by Aug 7; did I miss something about imminent enforcement actions? Has anyone come forward and said they are in compliance? The only thing worse than doing nothing to address the privacy issue is to make some ridiculous mandate and then not enforce it. Which is pretty much like every other mandate we've seen from the Feds, relating to security anyway. Overall I do think that compliance has increased the security of our systems, but that's because of the fear of non-compliance - not the reality of enforcement.
http://www.darkreading.com/document.asp?doc_id=101259
Technorati tags: OMB


Stiennon on safe data
So what? - My "rival" Richard Stiennon provides an insightful (but not really inciteful) column on data protection. I've been saying for some time that infrastructure (network, servers, etc.) security is different from data security. Richard has thrown a few product categories into this data security bucket, including encryption, USB device control, and outbound content monitoring (though he uses the vendor-driven "leak prevention" moniker). I'd also throw database monitoring and security into the mix and further define a need to do enterprise key management to make encryption really work as a "utility." But for those doing nothing today, the categories that Richard mentions are worth checking out. Of course, buying a product does not equal security. So ensure whatever you buy fits into a grand security scheme of sorts.
http://www.darkreading.com/document.asp?doc_id=99804


Top Blog Postings

Thank you sir, may I have some more spyware!
In Webroot's quarterly spyware report (here), lots of folks still have problems. They claim 89% of consumer PCs are infected, but that number seems too high to me. They may be including tracking cookies or something like that as an "infection." But the actual number is pretty much irrelevant. Spyware continues to be a problem, especially in the SMB space, and the defenses offered by Big Security seem to be ineffective. So what do you do? I say layer, layer and layer some more. Do web filtering at the gateway, put personal firewalls on devices and start looking at application control technologies. Unless I missed a new attack vector, spyware requires running an executable on the endpoint. Application control will not allow the executables to run. Yes, there are false positives, so it gets back to how tightly you want to manage your systems.
http://blogs.zdnet.com/Spyware/?p=848


XSS attacks are the new script kiddies

Looks like cross-site scripting (XSS) attacks are being commercialized. This post from Security Monkey (which links to a very interesting article on InformIT) goes into how XSS works and how easy it is to compromise servers. Looks like some Russian folks have also shown that some pretty significant security brands (like Cisco and eEye) are vulnerable to these attacks on their own websites too (here - thanks to Sunbelt). So XSS is real, and the monkey has the right idea at the end of the post. Secure coding is not optional, and code reviews by someone that is not you are also the right thing to do. Also throw in some application vulnerability testing and you can make sure your site is not vulnerable to the new script kiddie.
http://blogs.ittoolbox.com/security/investigator/archives/successful-hacking-with-xss-cookies-session-ids-11098
Technorati tags: application security
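To make the "secure coding" point concrete, here is an added example (not code from the post, from Security Monkey, or from the InformIT article) showing the most common XSS sink and its fix: a server-side handler that echoes a search term into an HTML page. The naive version concatenates untrusted input straight into markup; the hardened version encodes it for the HTML text context first. The function names, the `containsRawTag` review helper and the sample payload are all assumptions constructed for the example.

```javascript
// Added example, not from the original post. Function names are assumed.
// Both renderers build a "search results" page from a user-supplied query,
// the way a server-side request handler might.

// Naive version: the query is concatenated straight into the HTML, so any
// markup in the query becomes live markup in the response (reflected XSS).
function renderSearchUnsafe(query) {
  return `<h1>Results for: ${query}</h1>`;
}

// Encode the five characters that can change meaning in an HTML text or
// attribute context. '&' is replaced first so the other entities are not
// double-encoded.
function escapeHtml(value) {
  return String(value)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Hardened version: same page, but every untrusted value is encoded for the
// context it is inserted into.
function renderSearchSafe(query) {
  return `<h1>Results for: ${escapeHtml(query)}</h1>`;
}

// A crude check of the kind a code review or vulnerability test performs:
// does the rendered HTML still contain the submitted markup verbatim?
// (A real scanner would parse the response; this only illustrates the idea.)
function containsRawTag(html, payload) {
  return html.includes(payload);
}

// Constructed sample payload: the standard harmless marker used to confirm
// that injected markup executes, not a real attack string.
const SAMPLE_PAYLOAD = '<script>alert(1)</script>';

// Stand-alone demonstration when run directly with node.
console.log('unsafe:', renderSearchUnsafe(SAMPLE_PAYLOAD));
console.log('safe:  ', renderSearchSafe(SAMPLE_PAYLOAD));
```

The encoding has to match the insertion context: `escapeHtml` is correct for element text and quoted attribute values, but a value dropped into a JavaScript block, a URL, or CSS needs that context's own encoder, which is exactly what a second pair of eyes in code review tends to catch.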


The disconnect between breaking and fixing

This is a good post over on the Arbor blog trying to draw a distinction between security researchers and security developers. The security researchers spend lots of time breaking things and the developers are building new stuff. But it seems there is a lack of communication and their initiatives are not in alignment. At Black Hat, I did see a number of folks talking about how to protect yourself from these newly found attack vectors, but some didn't as well. I wasn't at USENIX to figure out what folks are trying to build. I'll also throw the concept of intelligence into the mix. There also have to be folks that are tasked with figuring out what the bad guys are doing. It's sort of research, but more trying to figure out when an attack is coming - as opposed to what to attack. That'll be the topic of my next NetworkWorld column.
http://asert.arbornetworks.com/2006/08/hax0rs-vs-ivory-tower-vs-demoscene/


YOU are the weakest link
It's funny, I just wrote a column for SearchSMB that talks about endpoints being the weakest link in the chain right now, and that's what is causing so many client-side attacks. That should appear over the next couple of weeks. But Farnum distills the discussion down a bit further relative to the human "problem" and the problem lies right at the feet of us security folk. The bank example Farnum uses is horrifying, and also commonplace. When I was in the email security business, all we had to do was turn on outbound filtering and all sorts of interesting data would be caught. This banking guy doesn't think he's doing anything but helping a customer. So he clearly needs to be trained as to why it's a bad idea to have a customer send personal information in email. He needs that training NOW, which is Farnum's point.
http://www.computerworld.com/blogs/node/3230
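The "turn on outbound filtering and see what gets caught" remark above is easy to demonstrate. The block below is an added example (not code from the post, from Farnum, or from any product) of a minimal outbound e-mail content filter: it scans constructed sample messages for US SSN patterns and Luhn-valid card numbers and holds external mail that carries them for review. All function names, the `bank.example` domain and the sample messages are assumptions made for the example.

```javascript
// Added example, not from the original post. Names and domain are assumed.

// Patterns for two kinds of customer data that commonly leak in plain e-mail.
const SSN_RE = /\b\d{3}-\d{2}-\d{4}\b/g;
// 13-16 digits with optional space/dash separators; candidates are then
// Luhn-checked so that order numbers and similar strings are not flagged.
const CARD_RE = /\b(?:\d[ -]?){13,16}\b/g;

// Luhn checksum: doubles every second digit from the right, subtracting 9
// when the doubled value exceeds 9, and requires the sum to be divisible by 10.
function luhnValid(digits) {
  let sum = 0;
  let double = false;
  for (let i = digits.length - 1; i >= 0; i--) {
    let d = digits.charCodeAt(i) - 48;
    if (double) {
      d *= 2;
      if (d > 9) d -= 9;
    }
    sum += d;
    double = !double;
  }
  return sum % 10 === 0;
}

// Returns a list of {type, value} findings for one message body.
function scanMessage(msg) {
  const findings = [];
  for (const m of msg.body.match(SSN_RE) || []) {
    findings.push({ type: 'ssn', value: m });
  }
  for (const m of msg.body.match(CARD_RE) || []) {
    const digits = m.replace(/[ -]/g, '');
    if (luhnValid(digits)) findings.push({ type: 'card', value: m.trim() });
  }
  return findings;
}

// Policy: mail that stays inside the (assumed) bank domain is delivered;
// mail leaving the domain with findings is quarantined for review.
function policyDecision(msg) {
  const external = !msg.to.toLowerCase().endsWith('@bank.example');
  const findings = scanMessage(msg);
  const action = external && findings.length > 0 ? 'quarantine' : 'deliver';
  return { to: msg.to, action, findings };
}

// Constructed sample messages (the card number is the standard Visa test
// number, the SSN is a made-up placeholder).
const SAMPLE_MESSAGES = [
  { to: 'customer@mail.example',
    body: 'Per your call, your SSN 123-45-6789 and card 4111 1111 1111 1111 are on file.' },
  { to: 'colleague@bank.example',
    body: 'Per your call, your SSN 123-45-6789 and card 4111 1111 1111 1111 are on file.' },
  { to: 'vendor@supplier.example',
    body: 'Order 1234567890123456 shipped today.' },
];

// Stand-alone demonstration when run directly with node.
for (const msg of SAMPLE_MESSAGES) {
  const r = policyDecision(msg);
  console.log(`${r.to}: ${r.action} (${r.findings.map(f => f.type).join(', ') || 'no findings'})`);
}
```

The Luhn check is what keeps a filter like this usable: a bare 16-digit regex flags every order and account number, and a filter that quarantines half the bank's mail gets switched off within a week. It is also why the filter is a safety net rather than a substitute for the training Farnum calls for; it catches the patterns it knows, and nothing else.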


Recently on the Security Incite Rants Blog

Inciting: The Security Standard
I'll be participating on a strong authentication panel at the upcoming Security Standard conference in Boston, September 6-7. Hope to see you there.
http://securityincite.com/blog/mike-rothman/inciting-the-security-standard

Corporate blogging: Security Risk?
I was also recently quoted in a CIO Update story regarding the security risk of blogging. I am of the opinion that it's a much bigger brand issue than a security issue. Check out the details.
http://securityincite.com/blog/mike-rothman/corporate-blogging-security-risk

Read yesterday's Daily Incite

http://securityincite.com/TDI-2006-08-15


Submitted by Mila (not verified) on Thu, 2006-08-17 16:22.

Thanks for the link to the Farnum article. I wish this issue was addressed more often. Banks, insurance companies, lawyers, even healthcare providers exchange emails containing private client or patient data on a daily basis. These industries, and others I failed to mention, should be paying close attention to employee education and security practices.

Email anti-theft software allows the sender to specify what the recipient can do with the email. For example, you can choose to disable the copy/print/forward/screen capture functions so that your intended recipient is the only one who sees your message. Anti-theft applications, such as Taceo, should be a staple in every office that is concerned about the privacy of their clients, employees and company assets.
