The Daily Incite - December 15, 2006

Submitted by Mike Rothman on Fri, 2006-12-15 10:37.
Today's Daily Incite

December 15, 2006 - #173

Good Morning:
Big Friday and a huge day in my house. Tonight is the first night of Hanukkah, so the kids are very excited and it's given us a pretty good disciplinary wedge over the past week or so. Every time the kids would act up, you just throw out the "OK, we're going to give one of your Hanukkah presents to charity" and that gets them back into line pretty quickly. You know where their heads are at. So regardless of how commercial our little December festivities have become, it's great to see the kids excited and it provides an opportunity to get together with family, eat some fried food, and work hard not to burn the house down since the kids love to light the candles. So Happy Hanukkah to those of you out there that will be celebrating tonight.

I'm running late today and I need to dash off to the gym before my afternoon calls, so not much time to rant. Suffice it to say security vendors need to put up or shut up about PatchGuard (here), because they are only making themselves look stupid by implying that Microsoft doesn't have the right to change their own OS. In blog-land we see the first potential issues with open source, given that it's becoming harder for communities to keep up with the number of security issues that materialize (here). It's certainly something to keep an eye on.

FYI, there will be no TDI next Tuesday. I'm taking a family day.

Have a great weekend.



Top Security News

Guidance gets it done
So what? - Can't believe I missed it, but on Wednesday Guidance Software got their IPO done. Now trading under the symbol GUID, they had a 32% first-day jump and were even up another 12% on Thursday. That's pretty good strength. But is the drought over? Are security companies back and ready to hit the IPO market? Sourcefire has already filed and there are lots of rumors of other security companies on the verge of filing as well. But we've seen this movie before, and the S-1 filing has typically (with the exception of GUID) ended up creating a catalyst for an acquisition. Anyway, congrats to the Guidance folks. Getting a deal done is a tremendous accomplishment. Now what have you done for me lately? What does Q4 look like? What are the expectations for Q1? Welcome to the world of publicly traded companies.

The security talent shortage
So what? - Ah, surveys, one of my favorite targets to rail against. So I got out my double-edged sword and got ready to hack away at a study done by McAfee to get a feel for the impact of companies' inability to hire security people. But it's no fun to hack away at a defenseless, stillborn survey. The premise of the study is interesting. The execution - not so much. The problem is that the survey says ABSOLUTELY NOTHING. So as opposed to getting pissed off at McAfee for wasting all of our time, let's discuss the impact. We security folks need to build a farm system. I've supported vendors that sponsor college programs and it would be great to see more of that. But the fact remains that if you can deal with the job (and many can't), it's a seller's market for security talent and will remain that way for a long time to come.

Go find some other plankton
So what? - I hoped all of this PatchGuard stuff was in the rear-view mirror since Vista shipped. But evidently not, since Alex Eckelberry of Sunbelt felt compelled to get back up on his soapbox and rail about not getting full access to the kernel. But some of the fear mongering he uses is making me sick. Alex is looking for sympathy because he won't be able to ship a fully functioning HIPS to support Vista. This quote says it all: "The bad guys are going to get into the kernel, and we won't be able to help Microsoft stop them." Boo hoo. Get off the white horse, brother. You aren't coming to save the day or make things better for customers. You are fighting to maintain the status quo and your ability to remain parasites that eat the plankton off the back of Microsoft's whale. The Vista whale decided to go swim in other waters that are safer, but there isn't as much plankton for the parasites. Oh well. I'll reiterate my belief that Microsoft should be able to do whatever they want with THEIR OS. It's not ours and it's not the 3rd-party security vendors'. Maybe go figure out what customers need relative to HIPS on the Vista platform and build that. But complaining about days gone by and vilifying Microsoft for trying to protect their customers is tiresome.

Websense's crystal ball
So what? - Websense has jumped into the 2007 predictions fray with their attempt to decipher the messages we get from the fortune tellers. For a change, most of these predictions are obvious. "Web 2.0 security issues escalate." Shocker. Though they do point to SOA/Web Services as a major target, and that has been overlooked by many of the Big Security soothsayers. "Criminal Underground Economy Increases" is another standard prediction. So what? They are pretty well organized now, and I'm not sure why we care what the mob organization looks like. We should be focused on their tactics. "Anti-Phishing Toolbar Exploits" is more interesting. Why not infiltrate the agents designed to protect the browser? That makes a lot of sense. Kind of like planting a double agent. Matasano is right in cautioning us about more and more agents on the desktops. "Enhanced Concealment of Data" is about the fact that bad guys will get better at hiding data to avoid leak prevention. Huh? Leak prevention software is not going to catch 100% of the stuff. There are probably 20% of the highly motivated folks that will figure out a way to steal the data. It's the other 80% that we want to stop, and to catch those folks that do stupid things - but without malicious intent. And finally, "BOTs evolve" and will employ countermeasures to evade detection. So the arms race continues. Personally, my prediction is that we'll see a lot more useless predictions in 2007.

Who's your malpractice broker?
So what? - I've got a number of friends that are doctors, and they rail constantly about malpractice and multi-year riders and basically how they are being squeezed between lower payouts by insurance companies and increasing malpractice premiums. I'm just glad I fought the cultural expectations that I become a doctor. But I'm not sure I avoided the problem entirely because there seems to be a movement to require licensed and insured information security professionals, which if you read between the lines would mean those professionals would have to carry malpractice insurance. To be clear, most companies carry insurance that protects them against liability caused by their mistakes. But this feels different because this kind of program (as described in the article) would define behavior and apply actuarial estimates against those behaviors. Hmm. Actuarial estimates, that sounds like fun. I guess this is yet another sign of maturity in our business, but it's kind of scary. Can you imagine a company suing you because they got hacked and you (as the penetration tester) didn't catch the exposure a month earlier? This could be a mess.

Top Blog Postings

Chinks in the Open Source armor
This post by Gunnar is pretty interesting and the ramifications are potentially widespread. If open source projects cannot muster the support and timeliness to fix security issues in a reasonable timeframe, the pendulum will swing back to commercial offerings. The reality is that increasingly "professional open source" is really a mask for a company distributing a lower-end version for free and publishing the source, and adding value on top of it by selling additional modules (for pay) and supporting the distribution. But what about the old-line open source folks that don't have a for-profit benefactor that basically pays for the security team? It's going to be a problem, because you only need one high-profile vulnerability that takes a few months to patch to get customers looking at commercial solutions. Looks like open source is going to need to grow up, and fast.


Neglect awareness at your own risk
Farnum has another great post on his ComputerWorld blog about security awareness. His point is that awareness is important, and that it tends to get forgotten because it's hard. This is absolutely true and with any educational endeavor, the results are not readily apparent the next day. It's not like putting a new gadget into the DMZ and fixing a problem. Our perpetual need for instant gratification is really a big problem because there is very little gratification and it doesn't happen in an instant with security awareness. Michael also kindly points you to a resources page to get more information and links to service providers that can help you build your program.

Specialists vs. generalists
Hoff and Shimel are at it again. These guys are friends, but they act more like brothers - fighting all the time. I wouldn't know anything about that; you can ask my brother. This time they are going at it over Alan's contention (here) that appliances are not like people, in that appliances tend to do one thing while people can evolve their skill sets and serve multiple purposes. Since Hoff's box can do different things depending on what software you run on it, he got a little grumpy about the contention. But once again the discussion gets back to different strokes for different folks. It really depends on how big your company is. Chris' point about many security skills not being readily transferable is right. You are not going to turn a FW admin into an IPS guru in a day, not in a large environment with millions of attacks and the need to tune signatures in real time. You need an IPS specialist. But in a smaller company, the FW guy must be the IPS guy because HE'S THE ONLY GUY. This situation calls for the generalist. So for a change, both of these guys are right - it just depends which color glasses you put on to look at the problem.

Risky 2007 Predictions
I estimate that the risk-adjusted likelihood that Alex Hutton's 2007 predictions are anywhere near close is maybe 20%. Actually I'm kidding, but the Sultan of Risk is philosophizing about what 2007 will bring us and some of the stuff is worth mentioning. He calls for consolidation, especially in NAC. That's pretty obvious. But then he kicks Andy Jaquith where it hurts in saying that "metric efforts (mostly) disappoint." Right on, though the hope is that Andy's book at least gives us a reasonable framework on which to build the foundation. There are other interesting ones like "checklist approaches will proliferate" and "cyberterrorism remains only the dream of bad guys and FUD pushers." I hope he's right about the last one. At the end, he calls a number of us out to weigh in with our predictions. That's not going to happen until early January. I'll be wrapping up 2006 between Xmas and New Year's, and publishing the 2007 Incites on January 10, which will then commence the 2007 version of "Days of Incite."

Recently on the Security Incite Rants Blog

SearchSMB Top 10 Tips of 2006
David Letterman must have a ton of angst that he never enforced his Top 10 list copyright. He'd be cleaning up given all the Top 10 lists we see every day. Oh, he is already cleaning up for getting trounced by Leno for years at a time. Yeah, I guess I don't feel that bad for him. But this Top 10 list is interesting because 7 out of the most popular tips were security-related. Even more interesting is that 3 of the 7 were written by me and I only wrote for SearchSMB for about half the year. So check out the list and see if you can learn something.
