The Daily Incite - January 16, 2007

Submitted by Mike Rothman on Tue, 2007-01-16 10:36.
Today's Daily Incite

January 16, 2007 - Volume 2, #8

Good Morning:
Gosh, after a long weekend I kind of have a little analysis/paralysis about what to write about. I could talk about how all 3 of the kids are sick (none with the same stuff), so the winter of kid's discontent continues. Though the pediatrician is probably psyched. We make lots of visits. Or I could talk about how much I like to see live comedy. We saw Darren Carter on Saturday night. Very funny guy. I got a headache from laughing so much. I know, it's retarded - but nothing a few Advil doesn't take care of. Or I could talk about 24, which was great and then not so great and then great again - all in the space of two nights. But lots of folks do that.

What I should talk about is the reason many of us were off yesterday, to celebrate the life of Dr. Martin Luther King, Jr. The "I have a dream" speech was a transformational moment in my childhood. Of course, I wasn't alive for the original, but when I was finally old enough to comprehend the depth and levity meaning of his words, it really put a lot of my culture in perspective, as well as gave me tremendous empathy for the folks that continue to struggle against discrimination in today's world. So some folks just considered yesterday a day off, but we really can never lose sight of the bravery and substance of all the men and women that fight against injustice.

Back to lighter topics, like how screwed up our security is. But evidently not as screwed up as the storage software market, since Symantec pre-announced an earnings miss for Q4 (here). They blamed the data center business and also an ERP implementation run amok, which drove up costs. It'll be interesting to see which public security companies can maintain the Q3 momentum, and which drove into a ditch over the holidays. Too much egg nog may have been the culprit. In blog land, Kurt rants a bit about wipe and reinstall (here). Regardless of your approach to fix a compromised machine, make sure you pay attention to what happened and ensure it won't happen again.

On Friday, I also got a chance to finally post my analysis of the Cisco/IronPort deal. You can check that out here.

Have a great day.

Technorati: ,

The Pragmatic CSO
The Pragmatic CSO is Here!


Read the Intro and Get
"5 Tips to be a Better CSO"


www.pragmaticcso.com

Top Security News

Symantec misses
So what?- For better or worse, there are a few companies that are considered "bell weathers" in each sector. Since the big get bigger, most of the investment community figures that if the big dog misses, then there is something wrong with the market. The question relative to Symantec is whether it was (once again) an execution issue or whether there really is something slowing in the data center software market. It'll be interesting to see what EMC has to say about that, especially now that they are playing much more heavily in security. What was supposed to be 1+1 = 10 when Symantec bought Veritas, looks to be -5 or so nowadays.
http://biz.yahoo.com/iw/070116/0203484.html
Link to this


10 worms, some chum, and a phishing kit
So what? - Given the various hacking toolkits out there, it was just a matter of time before someone packaged up a "phish in a box" that gives even the least sophisticated of dummies the ability to go phishing for themselves. But a rough analogy to consider was the launch of packaged vulnerability scanners for the bad guys to poke at every network all the time. Did those tools help to compromise more devices faster? Did they make most companies finally take perimeter security more seriously. Absolutely. So we will see an acceleration of dummies continuing to get compromised, but we will also see that result in much more aggressive anti-phishing defenses being implemented. Finally.
http://www.realtime-websecurity.com/articles_and_analysis/2007/01/are_phishing_kits_the_latest_t.html
Link to this

Top 10 security interview questions
So what? - This is an interesting list from Daniel Miessler on a few questions to ask folks interviewing for an information security job. You want to make sure they can think and adapt, and also get a feel for any baggage or biases the candidate would be bringing to the table. I always had candidates do a series of interviews with various members of my team and would ask my folks to dig into a different (yet coordinated) aspect of the candidate's background. The one thing my interviews weren't is ad hoc. Like everything else, you need to plan your staffing and personnel strategies. Define (before you start looking) what you need, and then structure interviews to ensure you are going to get it. A bad hire costs you a lot more than no hire at all.
http://www.cybercrimelaw.org/blog/336/10+Questions+To+Ask+During+An+Information+Security+Interview.html
Link to this


Getting users to follow the security policy
So what? - In another Top 10 list, Dark Reading goes through some stuff that can get users on board with the security policy. The one thing I didn't see was to fire everyone. That is pretty much the only sure way to get everyone to follow the policies. But there are some good, simple thoughts here, like "write simple, understandable policies." If the users can't understand the policy, how are they going to follow it? You also need to "get the support of the company's top brass," which is absolutely critical to putting teeth in any enforcement plans. Speaking of enforcement, you need to enforce the policies - and that means a periodic public execution or two. If the users think the policies are for someone else, they won't take them seriously.
http://www.darkreading.com/document.asp?doc_id=114409
Link to this


Top Blog Postings

Grade A(nton) 2007 Predictions
Dr. Anton has weighed in with his 2007 predictions. More firesales, no panaceas for things like the insider threat. Here here. Most interestingly, the A-man is calling for a shrinking in NAC this year, not growth. That all depends on what your definition of is, is. NAC is everything and everything in security will grow this year. If he's talking about pre-admission control, he could very well be right. Post-admission, not so much. But that was a ballsy call. Lots of other goodies here too.
http://chuvakin.blogspot.com/2007/01/my-security-predictions-for-2007-go.html
Link to this

Inline vs. out of band religion
Religion has no place in the CSOs toolkit. God (or whatever you believe in) won't stop the hackers from owning you if you do stupid things. Hope is not a strategy. Take a case in point, Shimel rants (here) about the idiocy of a 3Com guy's perspective that security can (and should be implemented) inline (bump in the wire). Hoff must respond and defend the honor of hardware engineers everywhere. Break it up jokers. You are both right. In many cases, out of band is a good first step and then over time (as networks get rearchitected) you add capabilities in-line and then eventually in the fabric. Virtualizing and putting things on blades, blah blah blah. Fundamentally, you are either seeing traffic because it goes through your box or because you are pulling traffic off a span port or a tap. PERIOD. There are times and places for both. Virtualization hasn't changed the fundamental laws of network architecture. And if what Alan is really asking is whether there is a need for a ASIC-based security device on the edge of the network, the question is irrelevant. Customers want to be protected and they want it to keep pace with the speed of their networks. If you can do that in software, bully for you. If you choose to spin ASICs, that's great. But don't forget that these technical nuances are usually lost on the customer.
http://rationalsecurity.typepad.com/blog/2007/01/upchuck_shrubbe.html
Link to this

P2P BU
Alex points to a new peer to peer service that provides backup in a seemingly flexible manner. You can use their off-site storage, you could back up to another device in your network, or innovatively you can back up to one of your buddy's machines (presumably not in your house). There are bunch of these types of offerings, and I think they are important. Not just for the home user, but it's appalling how many companies don't back up their laptops. Then the machine craps out (or is pilfered) and data loss and mayhem result. It's not that hard. Even if you pay for something like Carbonite (which I use) for $5/mo. for your remote people, at least their machines will be backed up. Personally, I replicate data between computers on my home network, as well as back-up the data offsite. But I've lost data before and I don't care to repeat the experience.
http://riskmanagementinsight.com/riskanalysis/?p=76
Link to this

Wipe and reinstall is the right answer
You have to hand it to Kurt Wismer, he is a passionate guy. In this post, he goes on a tirade about lazy administrators and the like that would rather just re-image a compromised machine than do a "surgical" malware removal. Kurt's heart is in the right place. He makes the point that you need to understand the root cause of the problem (at least that what point I think he's making) and put defenses in place to ensure you don't get lots of those compromises. But I want to be very clear in that I think that re-imaging a machine is the right approach FOR CLEAN-UP. But not for investigation. So before you blow away the compromised device, figure out what happened. Make sure it won't happen again. Surgical malware removal is not dependable, not with today's rootkits, etc. that can remain hidden from all but the most savvy malware researchers. Blow the thing away, but only after you understand what happened.
http://anti-virus-rants.blogspot.com/2007/01/why-wipe-and-reinstall-is-wrong-headed.html
Link to this

Recently on the Security Incite Rants Blog

Read the most recent Daily Incite
http://securityincite.com/security-incite-rants/daily-incite

Submitted by Refried (not verified) on Wed, 2007-01-17 11:00.

 

That's 'bellwether', not 'bell weather'. One word, no 'a'. 'Wether' is an old English word for a sheep. Other sheep tend to follow the one wearing the bell. Hence the term.

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.