The Daily Incite - August 7, 2006
Good Morning:
Anyone have some Advil and Gatorade? I've got to kick this Black Hat news hangover. Things are decidedly slower this morning, and it's giving me an opportunity to revisit some news from last week. So that's not all bad. We're starting to see some "blacklash" (Black Hat backlash) about why some of the Black Hat stuff was wrong this week. As I comment here, that's missing the point. Some of the research will turn into real problems, others...not so much. But to get into full battle regalia about some theoretical stuff makes me think there are lots of folks without enough to do.
As I look over the news and blogs I assembled today, there really is no distinct theme. I hate when that happens because it shows there is little rhyme or reason as to what makes the TDI every day. But I'm sure you already figured that out. That being said, there continues to be an increasing focus on information/data security. Though I have a hard time believing it's the biggest problem facing IT today (here). We'll continue to see tighter integration of security into content management (as EMC Documentum announced this AM - here) and also the need to ensure Web applications don't provide easy pickin's for phishing attacks (here).
I also enjoy pointing out thought-provoking battles between smart folks that happen to blog. I point out a little riff Alan Shimel writes about a position that Richard Stiennon takes relative to NAC here. I also feel like picking a fight this AM, so I voice some opinions about security metrics here. Suffice it to say, I think a lot of smart folks are wasting a lot of time trying to figure the metrics thing out. But that's one man's opinion.
Have a great day.
Top Security News
Database security is IT's biggest problem
So what? - Let me start off this week by calling out some alarmist media idiocy and awarding the Chicken Little award to David Litchfield. Clearly he has database security chops and is a pretty courageous guy in taking on Oracle somewhat single-handedly about their ridiculous patching process and strategy. But quotes like these also show self-important alarmist syndrome, since he believes that database security is the "biggest problem we face in IT today." It is clearly the most important problem for those that specialize in hacking databases. How about dealing with decreasing budgets, increasing availability requirements, and little things like compliance? Database security is a big SECURITY problem and is a significant point of exposure for private information, but to put it on the level of world peace - give me a break man! And shame on TechTarget for giving this story airtime. And also shame on me for getting pissed about what I know to be the media business model. It's all about page views baby, and Litchfield gives good quote - so alarmism will continue, much to my chagrin. David Ramel has a good post on his frustrations here (http://www.computerworld.com/blogs/node/3155).
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1207274,00.html
Technorati tags: database security, media
Big Brother is...Mom and Dad?
So what? - It was only a matter of time. Both that scum would start showing up on social networking sites like MySpace and also that a counter-response would appear to track what was going on with these networks. A new company called BeNetSafe has appeared that promises to be the "online chaperone" for what your kids do with MySpace. In concept, this is great. Being a parent of 3 small kids makes me acutely sensitive to the dangers online. But my day job makes me start to think about how these techniques can be used to provide surveillance on more than just your kid. I guess PI's and the like have been able to do this for a while and the objective here is in the right place, but we also have to factor in the privacy discussion. Not that dependents have any privacy rights (from their parents anyway), but how do we ensure it's only the parents (and not the bad guys) that are accessing this information?
http://biz.yahoo.com/bw/060807/20060807005283.html?.v=1
Technorati tags: social networking, BeNetSafe
Persistent control coming to content near you
So what? - Anyone who has been reading my stuff for more than a week gets that I consider infrastructure security and information/data security as different problems. My Pragmatic Security architecture lays all that out (here). But now we are seeing some of the first vestiges of data security not really standing alone, but being baked into a larger content management application. Folks like Documentum have always paid lip service to security, but beyond that there wasn't much there there. But as a result of the Authentica acquisition from earlier this year, EMC Documentum now can start building some security chops into their stuff. And this WILL differentiate from other content management applications. So we'll start to see a rush of content and security relationships - which is a very good thing.
http://www.emc.com/news/emc_releases/showRelease.jsp?id=4535&l=en&c=US
Technorati tags: EMC Documentum, encryption, data security
Aiding and Abetting the Phishermen
So what? - I've been sitting on this article from McAfee's SiteAdvisor folks for a little while, but figured today was as good a day as any to revisit. Basically SiteAdvisor goes through chapter and verse about how a website vulnerability on AMEX's site opened an opportunity for phishers to compromise data through what looks like a cross-site scripting attack. Suffice it to say, the article is very informative. But the bigger issue is: shame on AMEX! With the level of web scanning tools out there, a high profile site (that gathers personal information by definition) should not be subject to these types of vulnerabilities. It's hard enough to protect your brand and your customers' personal information by doing the right things - making it easy for the bad guys is pretty boneheaded.
http://blog.siteadvisor.com/2006/07/phishing_express.shtml
Technorati tags: phishing, web application security, SiteAdvisor
Big Security takes on compliance
So what? - Compliance is not new or particularly newsworthy anymore. But it's interesting to me that last week both Cisco and Symantec announced new offerings to address the compliance issue. Cisco looks at it from the change management standpoint, ensuring that any widespread changes to the network infrastructure will be logged and reported on. Cisco sees opportunity where folks like AlterPoint and Opsware are hanging out. Jumping on compliance is just trying to make the problem relevant. Symantec updated their BindView stuff to add some new reports and more platforms that can be managed in an "agentless" fashion. So what? These are two pretty innocuous product announcements - but they underscore a bigger issue. Compliance is not a thing - it's everything. So NO ONE - not even Big Security - is going to have all the answers. To me, compliance is about securing valuable assets and information and being able to report on it. It's not a product, it's a process.
Cisco: http://www.informationweek.com/story/showArticle.jhtml?articleID=191600571
Symantec: http://www.symantec.com/about/news/release/article.jsp?prid=20060802_01
Technorati tags: Cisco, Symantec, compliance
Top Blog Postings
The Black Hat Crystal Ball
Larry Greenemeier is right on the money in this post relative to how we need to process the information coming from Black Hat. To be clear, many of the issues presented at the conference were research projects. That doesn't mean they couldn't be turned into "commercialized" attacks very quickly - but most do not represent clear and present danger. Larry's point is that this doesn't mean we should be disregarding what was said at Black Hat either. These types of shows give us an opportunity to see what is coming, and shame on us if we don't spend at least a few cycles trying to figure out the impact.
http://www.informationweek.com/blog/main/archives/2006/08/black_hat_hows.html
Technorati tags: information security best practices, Black Hat
Mac Wireless Holes - Do you care?
It seems the Mac protection racket is out in force, trying to debunk the device driver issues presented last week at Black Hat. Thomas over at Matasano weighs in on a long discussion (of which I have neither the patience nor the desire to wade into) basically wondering if these "protectors" are willing to risk their own reputations relative to slinging mud at the guys who discovered the hole. My opinion is pretty straightforward. This is a pretty low risk attack - but it IS a valid attack nonetheless, and Mac bigots that stick their respective heads in the sand and don't acknowledge that our beloved white (or silver or black) beauties are not perfect do no one any good. Why is it so hard to comprehend that there could be device driver issues with Intel hardware? Get over it and use this as a way to once again go back to the user community and educate them as to how and when they should be using their wireless cards.
http://www.matasano.com/log/409/debunktraq-more-mac-wireless-chaff-posts/
Technorati tags: wifi security, Mac
Shimel KO Stiennon - or NAC is back baby!
Shimel is a New Yorker (like me) and takes no crap. In this post, he takes our mutual pal Richard Stiennon to task for trying to revive an old argument. I'm with Alan on this one. Not leveraging endpoint, server, and application data (as is Richard's supposition) to make the network smarter and more secure seems stupid to me. My bigger issue is that Richard is trying to define his own vernacular for the space. That's clouding my ability to grasp Richard's position. Great - just what we need. Aren't there enough friggin' marketing folks trying to define irrelevant product categories without us research-types complicating factors? Personally, this feels to me like a semantics issue. How Richard describes his secure network fabric is pretty much post-admission NAC, but built into the switches. Or am I missing something? My position is clear: we need to be able to control the flow of traffic on our networks. Period. The idea of NAC does that. But at this point, none of the solutions are particularly mature. We'll get there, but it will take some time.
Shimel: http://www.stillsecureafteralltheseyears.com/ashimmy/2006/08/richard_stienno.html
Stiennon: http://blogs.zdnet.com/threatchaos/?p=383
Technorati tags: NAC
Security Metrics are bull-shiitake
My pal Ogren is fired up about security metrics. Two other guys I like, Andy Jaquith and Pete Lindstrom, have been beating the drum for security metrics for a while, and Andy's even started an "organization" to delve into the topic (here). Maybe I'm missing something (since that's never been known to happen), but folks typically use metrics to show improvement and basically justify their existence. That's all fine and dandy, but security is more binary. Something bad happened today, or it didn't. And metrics saying you are great will go over like a lead balloon if half of your network went down yesterday because some moron brought an infected device back from the airport club. I'd still rather folks spend time fixing stuff and reporting on what they are fixing. That's what auditors are interested in, not some arbitrary metrics that may or may not represent security posture. I'm sure Andy will weigh in, and I look forward to him trying to convince me I'm wrong.
http://esgblogs.typepad.com/erics_blog/2006/08/security_metric.html
Technorati tags: security metrics
Recently on the Security Incite Rants Blog
Black Hat: The Sessions
In this post, I highlight some of my most significant take-aways from the Black Hat show. Namely that we are pretty much hosed. But there is more to it than that, and going out to Black Hat has created some urgency in getting some of my ideas on how security should be done documented. Let's just say I have some cool ideas on how we need to change the way we think about security and I'm currently enlisting some very smart people in helping me flesh out these ideas. Stay tuned, but in the meantime you can check out what I learned in Vegas last week.
http://securityincite.com/blog/mike-rothman/black-hat-the-sessions
EAC Blog: Dealing with the death of the moat
In the final installment of my blogging at TechTarget's Expert Answer Center, I deal with the fact that the bad guys are no longer exclusively out there. They could be "in here." Which has a pretty dramatic effect on how you do security. Some call it the insider threat, and I don't much care what label the problem gets - but it is a problem and it will pretty much change the way we need to deal with security.
http://securityincite.com/blog/mike-rothman/eac-blog-dealing-with-the-death-of-the-moat
Read Friday's Daily Incite
http://securityincite.com/TDI-2006-08-04
Hey Uncle Mike,
I don't know of a single business that runs without any metrics. Even a young lemonade stand has a concept of how many neighbors stopped by, how much money they collected, and who their favorite customer was. Pretending that IT security can operate without metrics is beyond naive. ("OK team, just go do good things!")
Granted, a lot of the security metrics being talked about are shiitake piled knee deep. But sometimes the discussion just has to test a few ratholes before it finds the right path. Customers will find the right ones; security vendors just have to be sure to make their information available and let the customers create what works for them.
Eric