The Daily Incite - January 4, 2007
January 4, 2007 - Volume 2, #2
Good Morning:
What's up? How are things this AM? I'm still recovering from the number of late nights over the past few days getting the book over the finish line, so I'm a bit sluggish this morning. But seeing Cisco buy IronPort for $830 million (here) woke me from my slumber. That is a big number. Really really really really big. But yet a drop in the bucket for Cisco. Maybe less than a drop in the bucket. So it's all relative and that's what makes Cisco such a tough competitor in the security space (and likewise Microsoft in lots of other spaces). They can pay a king's ransom for something they want and it doesn't hurt profitability. Big is the new small...
The focus today seems to be security advisories and zero days and the like. First, eEye did a piece on the new Vista zero day (here), but that's only part of the story. In many of these advisories there is a "severity score," but take that with a grain of salt (here). The only severity score that is important is the one you come up with after figuring out if you are exposed.
In blog land, Jeff Hayes makes some good points about why outsourcing some security functions is not a bad thing (here). Richard Bejtlich also rants a bit about SAS 70 and other auditor standards (here), and it's interesting stuff. I guess the message is (as always) don't believe what you read and a certification is really just a rubber stamp at the end of the day.
Finally, I'm not sure how many of you saw Dilbert on Sunday, but it's a classic. Check it out here. Maybe Dr. Anton doesn't identify with Dilbert (here), but I do. Anyone who has ever dealt with the futility of building a business case for something they really need will be hit right in the gut by this one. Scott Adams is awesome.
Have a great day.
Top Security News
Deal: Cisco buys IronPort for $830 MILLION
So what? - It's funny how time heals the road rash. It's been almost 18 months since I left CipherTrust and I'm getting over the pain of competing with IronPort. And it was painful. But whatever it was that they were doing (I couldn't figure it out, which is why I'm not doing marketing anymore), it worked. All you need to look at is the final tally. CipherTrust $273 million to Secure Computing. IronPort $830 million to Cisco. 3x the valuation. Obviously there is a lot to analyze about the deal and I'll make it a priority to do that today. BUT I have to tip my hat to IronPort. They created a lot of value.
http://newsroom.cisco.com/dlls/2007/corp_010407.html
eEye sees a Vista zero-day
So what? - One of the key themes of The Pragmatic CSO is the need to prioritize effectively (it's actually the 2nd tip for those of you that signed up for the introduction and "5 Tips" series), so first you need to know what's important and then you need to figure out how that changes on a daily basis. Yes, you need to stay current (that's Tip #3) to be able to make those decisions. Since you read TDI, you are ahead of most folks. But there are other resources, like eEye's zero day tracker that you can get via RSS. You should take 15 minutes or so each day to make sure you aren't missing anything big. Read the TDI (5-10 minutes) and check some other resources just to make sure. Now this Vista zero-day is medium severity and there isn't a work-around out there yet. So that means you go on with business as usual, but keep your ear to the ground for something strange.
http://research.eeye.com/html/alerts/zeroday/20061215.html
Severity is in the eye of the beholder
So what? - While I'm talking about the need to get 3rd party information on security issues, let's take a look at an announcement Cisco made yesterday where their PSIRT (product security incident response team - quite a mouthful) will add severity to risk levels. This is the team that reports on vulnerabilities in Cisco's own products. Severity is in the eye of the beholder. A critical, house is burning down exploit on the Clean Access box (didn't happen, I'm just using it as an example) is a non-issue for you if you've got compensating controls in front of the NAC box. So the point is CONTEXT. 3rd party information is critical, but it's another data point that YOU (presumably as the CSO or security technology person) need to factor in as you revisit your priority list every day.
http://newsroom.cisco.com/dlls/2007/prod_010307.html
Do we care how long IE was "unsafe" in 2006?
So what? - I have mixed feelings about this piece. On one hand, Brian Krebs does a tremendous amount of research and is very plugged into the hacking community. Reading his stuff (which I recommend you do) is helpful to keep you on top of things that are important. But he's spent weeks compiling information about how quickly this exploit or that exploit is patched, and I'm not sure I care. He's bordering on being perceived as an ambulance chaser. I guess I feel this way because he only presents one side of the problem, and not necessarily a fix. Surprisingly he calls his column "Security Fix," but there are no fixes to be found. IE had a lot of problems last year, we know that. Firefox had less. We know that too. SO WHAT?!?!? What's the point? Do we abandon IE 7 for Firefox? IE 7 wasn't around long enough last year to know whether it will be different. So I don't get the whole thing. Why do I care about this?
http://blog.washingtonpost.com/securityfix/2007/01/internet_explorer_unsafe_for_2.html?nav=rss_blog
The pendulum swings back to Big Iron
So what? - For those of you old enough to remember, didn't it seem like everything was easier in the days of yore? We had our green screens accessing data and applications on the Big Iron, all these closed systems, and the idea of a "hacker" was in some science fiction novelist's head. Well, those days are gone, but in this Enterprise Systems column, the question is asked about whether we should centralize data on Big Iron because it's "more secure." Huh? In the age of SOA and standardized, web services based access to applications, how does storing everything on a mainframe help? I guess the machine wouldn't be owned and you could partition databases onto different virtual machines to firewall one from the other, but can't you do that with something like VMware today? I'll admit to a bit of ignorance relative to database architecture - but this doesn't sound like much of a panacea to me.
http://www.esj.com/news/article.aspx?EditorialsID=2362
Top Blog Postings
There are no awards for doing it all yourself
Jeff Hayes has a good point here that he made towards the end of last year about outsourcing security. Jeff does use a bit of financial hocus-pocus to come to the conclusion that outsourcing will save you money. That is not always the case, but it isn't the point either. Security folks, especially at mid-sized companies, tend to be both resource and money constrained. But in my experience, it's harder to bring on people than it is to spend money. So if you can make a case for why it's important (not to you, but to protect your critical business systems) to look at services for some security operational activities, then do that. Remember, you are paid to get the job done - not to build an empire.
http://mycsosolutions.net/2006/12/20/outsourcing-security-saavy/
SAS 70 a joke?
This piece from Richard Bejtlich asks some pretty pointed questions about the usefulness of SAS 70 and SysTrust and some other security "frameworks" being driven by the audit community. Let me make this very very clear. Being "compliant" does not mean you are SECURE. Having auditors come in and give you a SAS 70 stamp has use, but probably not from a security context. Unless your auditors are trying to break into your network, as opposed to checking boxes on a checklist, you are not doing your job. Assuring that your business systems are protected by periodically having someone break into them is absolutely critical, regardless of what your auditors do or don't do for you.
http://taosecurity.blogspot.com/2006/12/thoughts-on-sas-70-and-other-standards.html
Of course spam works
My bud EO (Eric Ogren) does a little Captain Obvious sleuthing here to come to the conclusion that spam works. Being a true capitalist, I know that we wouldn't get so much of it if it didn't work. The only way to really stop spam is to cut off the economic benefit of using it. And since most folks don't want to pay a postage fee for every email they send, it's going to be hard to do that. But EO also mentions some good tips relative to how to avoid being taken. No, these aren't tips for you. I would really really really hope that you know this stuff already. This is more user awareness fodder because those folks are not as enlightened and may actually believe most of the bunk.
http://www.computerworld.com/blogs/node/4254
Vuln scanner review
I saw this on the AskApache blog and thought it was interesting. These folks tried out 11 vulnerability scanners and found that eEye was the top pick, but Nessus was the best fit for them. I'm sure there are pros and cons of each of the scanners they tried. So as I say in the Buying Security Products guide, figure out which products meet your criteria, then test them out and figure out which make the most sense for YOU. Another important nuance here is that vuln scanners are not good for "cracking." This is about finding the low hanging fruit. You'd need other tools (like automated pen testing) to go that next level deeper.
http://www.askapache.com/2006/security/vulnerability-scanners-review.html
Recently on the Security Incite Rants Blog
Holiday activity on the blog
I was pretty active on the blog during the holidays, writing a "Report Card" series picking apart each of my 2006 Incites and giving some self assessment. It was a cathartic, healthy activity and provides the accountability that I seek out for many of the things I say. There were too many posts to list individually here, but click the link and these posts will miraculously appear.
http://securityincite.com/security-incite-rants/report-card
Read the most recent Daily Incite
http://securityincite.com/security-incite-rants/daily-incite
Hey Mike, I like your security-incite-rants and I think you might like this article.
[Sniffing on Ethernet Undetected]