The Daily Incite - August 23, 2006

Submitted by Mike Rothman on Wed, 2006-08-23 08:55.
Today's Daily Incite

August 23, 2006 - #101

Good Morning:
Hump day and it feels like I started out behind the 8-ball. Already way behind and it's not even 10 AM here in ATL. Of course, the big news today is IBM's acquisition of ISS. It's clear to say that no companies are safe from consolidation and you are either predator or prey. Unfortunately given the recent performance of many public security companies, they all seem to be prey. There will be more to come on IBM/ISS when additional details emerge.

In other news, data security is back on the forefront. I cover a piece about what SMBs can do to protect their data (here) and also a recommendation by Richard Stiennon that will keep both sledgehammer and disk drive companies quite happy (here). And in the story that won't die, Thomas from Matasano weighs in on the ConsumerReports AV-gate situation (here).

And before I let you go and enjoy the rest of the day, I want to comment on the misery of business travel. I took a quick trip yesterday and it was horrible. Having to check bags on a one day trip is like cruel and unusual punishment. Rental car misery (Dollar sucks!) and the summer thunderstorm delays just made the day very challenging. I'm on the verge of being OK with the Mike "Halitosis" nick-name if it means I can carry my bag on. On second thought, I'm going to look into those one-time use toothbrushes where the toothpaste is built in. If my dentist doesn't like it, I'll send him to baggage claim to get my bags.

Have a great day.

Top Security News

Deal: IBM buys ISS
So what? - The worst kept secret in the security business came to roost this AM. IBM buys ISS for $28/share. I did a quick post on it this AM (here) and will do something more detailed later today when more details emerge. Suffice it to say, given what seems to be a screwed up organizational plan (ISS will be a business unit in IBM Global Services) - it's not clear what the future of ISS' products business is going to be. So if I were a customer looking at ISS products - I'd be deferring any kind of decision until more details emerge. At least ISS will have a reason now for blowing their upcoming quarter.
http://biz.yahoo.com/bw/060823/20060823005309.html?.v=1


Mitnick hacked
So what? - In the "it serves you right" category, a number of the famed hacker Kevin Mitnick's websites were defaced. It was someone that compromised the web host and it was more of a nuisance than anything else. But it also goes to show that high profile folks in the security business are targets. So whether it's the eEye and Cisco XSS vulnerabilities or something else - security companies need to be extra diligent.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1211859,00.html

Voice stroke dynamics
So what? - Given all the noise around the issues with two-factor authentication, I've been talking about keystroke dynamics as a way to supplement the security of tokens, etc. Of course, there are still technical details to work out (like how to factor in different keyboards and eventually mobile devices), but the concept makes sense. A new company called Porticus is now applying a similar capability to your voice, which will help in authenticating to IVR systems. I haven't tested the technology yet, so I'm not sure it works and what's involved or what happens when you have a cold or laryngitis - but again, I think the concept makes sense. So watch this space.
http://www.darkreading.com/document.asp?doc_id=101894



SMB data protection
So what? - Pragmatic Security dictates that you treat infrastructure security and information/data security as separate entities. For large enterprises, that is doable, but can an SMB really separate out the functions? As this article points out, there are lots of things that smaller businesses can do to protect themselves. Not carrying sensitive data on laptops and encrypting the hard drives is a good start. Some of the stuff they are talking about here is overkill, but I'm not going to sit here and say to do less security. Remember it's the simple stuff, like making sure your file shares are configured properly and that your internal wireless network is secured, that will go a long way towards protecting your data.
http://www.cio-today.com/story.xhtml?story_id=11200CTAS0UO


Safe public surfing
So what? - This short article from SecurityProNews brings up a couple of good points, which is how much can/should you do in a public place? Do you check your bank account? Do you access public email? Personally I'm not that paranoid about that stuff. My email communications are encrypted (my hosted Exchange service does that automatically) and there really isn't anything in my Yahoo Mail that I'm worried about. I don't go to bank accounts, but will occasionally buy stuff from public places. I'm very watchful to make sure the connection uses valid SSL (I know that can be spoofed, but it's better than nothing). For those that are not comfortable with that, surf through your company's VPN connection. Then your traffic is secure between the public hotspot and your network and then sent to the Internet from there.
http://tinyurl.com/ohaze


Top Blog Postings

Hard drive killers
Stiennon must own stock in a disk drive company. His latest broad recommendation is to actually pull out the hard drives and physically destroy them before either selling or getting rid of a machine. His reasoning makes sense, in that there are folks out there that can reconstitute drives even if they've been written over. And the cost of the hardware is negligible. But what about the labor cost to swap the drives? Not sure if that moves the needle either, but all of these costs add up. My opinion is that it depends on what's on the machine. I'm not sure a blanket policy like this makes sense for large companies, but perhaps for C-levels or folks with access to very sensitive data.  
http://blogs.zdnet.com/threatchaos/?p=392


What is "security risk management?"

This post from CJ Kelly brings up a company that I've wanted to mention for a while. It's RedSeal and they have a new product that takes configuration data from firewalls and routers and does a sophisticated analysis to pinpoint "risk." Depending on thresholds set by the customer, this tool can help to define the priority of things that need to be fixed. I'm still not sold on the idea of using configuration data in a vacuum, but can see how it could be one of a few data sources that can help to prioritize activities. I also have an issue with the pricing starting at $25k, but the market will figure that out sooner rather than later. A bigger obstacle is just the urgency of security management. Historically customers have been unwilling to buy stand-alone security management products. I've been in this business a long time and I can count on one hand the number of stand-alone management companies that have built big businesses. And none of them did security.
http://www.computerworld.com/blogs/node/3268


Responsible disclosure still an issue

We are going to continue to hear a lot about responsible disclosure. Alan Shimel presents some of his views in this first post relative to a Russian group pinpointing XSS vulnerabilities in some security vendors' web sites (like eEye and Symantec). But given the dust-up about how eEye was perhaps not responsible in how they briefed the press relative to yesterday's Microsoft patch of a patch (MS06-042) because Microsoft had to pull the patch because it wouldn't work with SMS. You following this? For eEye's point of view, check out Ross Brown's post. Microsoft also weighs in on their own security blog. I don't think we've heard the last about this issue, but I'm not sure there is a line in the cement relative to what is "responsible." Feels more like quicksand to me.
Shimel: http://www.stillsecureafteralltheseyears.com/ashimmy/2006/08/what_is_respons.html
Brown/eEye: http://technobabylon.typepad.com/tb/2006/08/who_runs_micros.html
Microsoft: http://blogs.technet.com/msrc/archive/2006/08/22/448689.aspx


Matasano on ConsumerReports AV-gate
The Matasano guys must be busy because their posts have been fairly infrequent since Black Hat. But this one is great, providing detailed analysis that sheds new light on a situation that has been picked apart by lots of other folks. Thomas Ptacek goes to town on McAfee a bit here relative to their protests about the methodology. Lots of great points here, but I think retrospective analysis also has a place. Suffice it to say, we don't know where the next attack is coming from, so the more different techniques we have to benchmark the effectiveness of our selected products is not necessarily a bad thing. The one thing I do want to point out is the importance of consistency. If all of these products are compared using a consistent methodology over a long period of time, then you start to get a better feel for true effectiveness. But using different methodologies (even from the same tester) will yield apples to oranges comparisons.
http://www.matasano.com/log/434/ignore-igor-muttiks-retrospective-antivirus-testing-method/

Recently on the Security Incite Rants Blog

The analysts role in what comes next...
Saw a post from Mark Shavlik yesterday about a survey they were doing to pinpoint new product opportunities. I'm cool with surveys, but Mark also mentioned that he was talking to a few of the Big Research companies about the topic. Here I riff a bit about what most analysts are good for, relative to product planning anyway. Suffice it to say it's typically not figuring out what's next.
http://securityincite.com/blog/mike-rothman/the-analysts-role-in-what-comes-next

Is resistance futile?
In today's technology markets, there are big gorillas that seem to scare everyone off when they decide to enter a market. Google is a great example of that, and in the security business - folks wonder how they can compete with Cisco and Symantec given their customer base and distribution engine. I refer to a post by the 37Signals guys and come to the conclusion that it's about being focused and innovating. It's hard to envision someone building another McAfee or Symantec at this point, but there are lots of opportunities to fill the gaps and then find a home. Not for 700 start-ups, but for quite a few.
http://securityincite.com/blog/mike-rothman/is-resistance-futile

Read yesterday's Daily Incite

http://securityincite.com/TDI-2006-08-22


Submitted by Mila (not verified) on Wed, 2006-08-23 13:13.

Mike, I think you've hit on a very important topic... Small and medium sized businesses have the same security risks as large corporations, but smaller budgets and IT departments to enforce security measures.

In the beginning stages especially, it is crucial for businesses to secure their assets and establish a trusted relationship with customers - which means exercising the highest measures of protection when it comes to client data.

 
