The Daily Incite - December 18, 2006

Submitted by Mike Rothman on Mon, 2006-12-18 10:12.
Today's Daily Incite

December 18, 2006 - #174

Good Morning:
Happy Monday. I hope everyone had a good weekend. Let's talk about disintermediation today, since I had a great experience of how the Internet has changed everything over the weekend. As you all should know, I'm pushing to get the Pragmatic CSO over the finish line and that involves having some design/illustration work done (poster, book cover, web site graphics). So I call a designer friend of mine, who does really great work and he gives me a bid, which was more than I wanted to spend.

So what did I do? I went to Elance and posted an "RFP" to the community of freelancers. Within 24 hours I had 8 bids, the highest being 25% of my friend's bid. You read that right, the HIGHEST bid was 75% LOWER. So I actually contracted with two designers to do the project, to reduce the risk that I won't like the outcome - and I'm still chopping 2/3 of the price off the first bid I received. Wow! Looks like more Hanukkah presents for the kids, like they need more toys!

It's a slow day in Security-land and even slower in Blog-land; it looks like folks are hunkering down for the holidays and to close out the year. So I'll be scraping together the last few TDIs for the year and then focusing next week on revisiting (and putting to bed) the 2006 Incites. Off to train and continue preparing for the big launch!!!

Another reminder: there will be no TDI tomorrow. Have a great day and I'll see you on Wednesday.


Top Security News

Creating double agents
So what? - RSnake has a very interesting new attack idea in this column for Dark Reading. He tends to see 3000 or so bots probing around his stuff on a daily basis. Since he knows they are already compromised machines, why not just attack them (you have the IP addresses), take them over and turn them into a "double agent" doing your dirty work as well? Well, there is no reason you can't, and this once again provides a huge reason why the ISPs need to step up to the bar and start taking action. They are the only folks in a position to neutralize the bots (or at least impact their operational activities), and this problem will keep getting worse (more spam, more phishing, more identity theft) until they do something about it.
http://www.darkreading.com/blog.asp?blog_sectionid=403


Security as a differentiator for banks?
So what? - No way. Way. Am I changing my tune on whether security can actually become a revenue center? Not exactly, but this data from a Ponemon Institute study (Is it just me, or is Ponemon everywhere - he must have a good sales guy) sponsored by Unisys shows that upwards of 80% of consumers would switch banks for better security. First of all, what is "better security?" And if I'm a consumer, how do I know I'm getting it? That's why I have such problems with these kinds of surveys. If you ask a consumer, OF COURSE security is important to them, and OF COURSE they are going to go with the bank that gives them the best security. But that only happens after they've had a security issue. So no, I'm not changing my tune. Security (and the "perception" of security) are not differentiators for banks, they are the ante to play in the consumer game nowadays.
http://www.unisys.com/about__unisys/news_a_events/12148740.htm

The "Secure OS" is smoking
So what? - With all the hype around the additional security features in Vista, don't forget that there are lots of other operating systems in use, especially for large, older legacy systems. You know, the ones that run your business. HP has added some capabilities to HP-UX to bolster its security posture, and this is a good thing. Encrypted file systems - check. Wait a second, are we worried about an HP refrigerator being taken right out of the data center? And does anyone really store a high value application on direct attached storage (as opposed to a SAN)? But it gets better: adding a "trusted computing" chip to protect onboard crypto keys, as well as the ability to compartmentalize and isolate data within the OS using fine-grained privileges. Will anyone actually do this stuff? Maybe not, because managing security one server at a time is brutal (unless you have one server), but having the capabilities there (presumably to be managed more effectively with an enterprise management system) will help keep some of those critical applications on HP-UX.
http://www.hp.com/hpinfo/newsroom/press/2006/061218a.html


Vista could improve Internet Security?
So what? - You have to hand it to Dennis Fisher at SearchSecurity. At least he has an opinion. Of course, he tends to write his opinion about 4-6 weeks after everyone else says the same thing, but that's OK because again, he has an opinion - which is more than most that write for Big Media. This piece on PatchGuard and UAC (User Account Control) is correct in that Microsoft is changing the model of how applications interact with the OS, and it's causing consternation because it also changes the model for how security vendors need to protect the desktop. Of course, anytime you change a well-established operating model there is a ripple effect relative to the fallout, and Dennis is right in saying "... these protections should function as a digital safety net. They may annoy more advanced users in the short term, but the Internet as a whole will be better off for it in the long run." Well said.
http://searchsecurity.techtarget.com/columnItem/0,294698,sid14_gci1234575,00.html


Trying out the NBA
So what? - I have to admit to being pretty bored by the NBA. You get a bunch of overpaid babies and thugs that get to play street ball for a living, but they can't manage to behave and not throw haymakers at each other. It would be interesting to see how Carmelo Anthony fares in a venue like the UFC (Ultimate Fighting Championship), where the other guy knows the punch is coming. But I digress. NBA is also an acronym in our little security planet, which stands for Network Behavior Analysis. Growing out of the idea of anomaly detection, these products basically look at the flow of traffic on your networks (who talks to whom, how much, on which ports), build a baseline of what is normal, and flag deviations from it. For those customers with huge networks and/or lots of complexity, an NBA may be the only way to really figure out if your network is out of control or not, and one of the key skills of the CSO (as stated in the Pragmatic CSO) is to make sure you know EXACTLY what is going on in your network. This is a quick review of Lancope's StealthWatch, but there are a few others to check out as well (Arbor, Mazu, etc.) if you are ready to move down that path.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1235157,00.html
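To make the flow-baseline idea concrete, here is a toy version of what an NBA product does under the hood: build a per-host baseline of distinct destinations per hour from flow records, then flag a host whose fan-out jumps far outside that baseline (the classic worm or bot signature). This is an added illustration, not StealthWatch or any vendor's code; the flow records and IP addresses are constructed for the example.

```python
"""Toy flow-based behaviour baseline in the spirit of NBA products.
All flow records below are constructed; no real network data is used."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed NetFlow-style records: (hour, src_ip, dst_ip, dst_port, bytes_out)
FLOWS = [
    # hours 0-5: steady behaviour for two workstations
    *[(h, "10.0.0.5", "10.0.1.10", 445, 2000) for h in range(6)],
    *[(h, "10.0.0.5", "203.0.113.9", 443, 9000) for h in range(6)],
    *[(h, "10.0.0.7", "10.0.1.10", 445, 1500) for h in range(6)],
    # hour 6: 10.0.0.7 suddenly talks to 40 distinct hosts on one port
    *[(6, "10.0.0.7", f"10.0.2.{i}", 445, 300) for i in range(1, 41)],
    (6, "10.0.0.5", "10.0.1.10", 445, 2100),
]


def fanout_per_hour(flows):
    """Return {src_ip: {hour: number of distinct destinations}}."""
    seen = defaultdict(lambda: defaultdict(set))
    for hour, src, dst, _port, _bytes in flows:
        seen[src][hour].add(dst)
    return {src: {h: len(d) for h, d in hours.items()} for src, hours in seen.items()}


def anomalies(flows, current_hour, k=3.0, min_delta=5):
    """Flag sources whose fan-out in current_hour exceeds the baseline
    mean + k * stdev of earlier hours.  min_delta keeps a quiet host with a
    zero-variance baseline from being flagged for a single extra peer."""
    hits = {}
    for src, per_hour in fanout_per_hour(flows).items():
        baseline = [c for h, c in per_hour.items() if h < current_hour]
        if not baseline:
            continue  # no history yet: nothing to compare against
        now = per_hour.get(current_hour, 0)
        threshold = mean(baseline) + k * pstdev(baseline)
        if now > threshold and now - mean(baseline) >= min_delta:
            hits[src] = (now, round(threshold, 2))
    return hits


if __name__ == "__main__":
    for src, (now, thr) in anomalies(FLOWS, current_hour=6).items():
        print(f"{src}: {now} distinct destinations vs baseline threshold {thr}")
```

A real product does this across many dimensions at once (bytes, ports, protocol mix, time of day) and learns the baseline continuously; the structure is the same.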

Top Blog Postings

Spam Spam Spam Spam Spam Spam Spam Spam Spam Spam Spam Spam
Have you been getting a lot of spam of late? Me too. Even on my sacred Blackberry, where I've literally NEVER used that email address. Well, they found me to the tune of 3-5 messages a day. Sure, a minor annoyance, but an annoyance nonetheless. So what's going on? Richi Jennings has a couple of ideas in this post. He pokes a bit at the anti-spam vendors who are making crazy claims and pushing wacky stats to stand out. Richi's point is that things are worse, but not that much worse, and for the most part the anti-spam vendors are keeping pace. I guess, but I can tell you I get about 10 spam a day now and a few months ago I got one every three or four days. So it's noticeable and annoying, to me anyway. It also means we'll continue to see bloody replacement battles for email security gateways, since that business is saturated - so every two years or so the typical enterprise will go with something else.
http://www.computerworld.com/blogs/node/4182


Insiders are the risk
Adam Dodge, over at the Security Catalyst site, rants a bit about whether our job is to fight hackers or protect information. Adam comes to the same conclusion I did (and even references my first thinking), but he adds to the discussion a bit by pointing out that hackers tend to target individuals and web sites. Insiders target corporate data. Which is more dangerous to your business? Right, so although I'm not saying that we forget about protecting our assets from the hackers, we need to pay attention to the insiders more.
http://www.securitycatalyst.com/2006/12/18/stop-thinking-hacker-start-thinking-insider/


Submitted by Roland Dobbins (not verified) on Mon, 2006-12-18 11:20.

1. ISPs, even the big ones, have very thin margins on broadband subscribers. One support call is often enough to blow their margin on an individual customer for a year. Who is supposed to pay for these services? Are consumer-level users ready to pay?

2. In terms of commercial users, many of the major ISPs today offer both managed security services for the Customer Premise Equipment (CPE) and 'Clean Pipes'-type DDoS mitigation services. Companies can subscribe to these services in order to receive notification and mitigation of both outbound (from compromised hosts on their own network) and inbound (from compromised hosts on other peoples' networks) DDoS. These same services are available for hosted and colocated properties, as well.

3. Most SPs participate in various online mitigation communities, some open, some closed and vetted, and they do a tremendous amount of work to deal with DDoS attacks and outbreaks of worms with DDoS-like propagation characteristics, identifying, infiltrating, and taking down botnet C&C servers, phishing sites, etc. All this happens behind the curtains, as it were, but it's taking place every minute of every hour of every day.

4. As to your and RSnake's suggestion about hacking into already-compromised hosts and somehow using them as sources of information, there are most certainly many reasons why SPs can't do so, starting with the fact that it's illegal to do so in the United States and in most other jurisdictions in other parts of the world. Even if it weren't (which it most definitely is), the opex to do so would be prohibitive (see #1) and it's unclear what the SPs would be accomplishing by trying to do this, as there's already a lot of reconnaissance taking place in terms of botnet C&C servers (see #3).

There is a ton of information out there about what SPs are actually doing in order to detect and mitigate security threats; a few queries into the Search Engine Of Your Choice (SEOYC) can provide a great deal of insight (as well as 'incite', heh) into what's actually taking place. I strongly suggest both you and RSnake take a look, I think you'll find it very interesting and enlightening.

Submitted by netsecguy (not verified) on Wed, 2006-12-20 09:11.

RE: NFR

I could see someone buying NFR for their customer base and not the tech.
