The Daily Incite - July 1, 2008

Submitted by Mike Rothman on Tue, 2008-07-01 16:47.
Today's Daily Incite

July 1, 2008 - Volume 3, #61

Good Morning:
Happy July y'all. I hope everyone closed out the first half of the year with a bang. Get your minds out of the gutter, even though the summer months do tend to bring out the "best" in people. Must be something to do with swimsuits or something. The thing I most enjoy about the summer is that work tends to slow down a bit. Not too slow, but slow enough to start thinking about what new things I can/should learn.
Zebra says mind expansion good
When was the last time you took a "course" of some sort? Spent some time investing in yourself and expanding your own vision? Back in May, the Boss and I went to a seminar to expand our view beyond our cultural upbringings. It wasn't about security per se, but it was designed to give both of us a broader perspective about the big world out there. And it worked. 

You see, if you are too busy bailing the water out of the boat - then you may miss the big picture. So over the summer, I assemble a pretty big reading list of books - both non-fiction and fiction - and I like to spend a day or two a week just reading. I don't get to do this during the rest of the year because of the number of things I'm expected to do.

This is valuable time for me and I suggest you think about how you can expand your mind this summer as well. And don't just go to some ethical hacking class. Sure you can expand your technical capabilities, but keeping our adversaries at bay is about more than just technical competence. You need to understand them and their motivations, in order to have any chance of winning.

So read some books. Take a course. Maybe even take a week off and go somewhere you haven't been before. It's easy and comfortable to do the same things over and over again. I'm very guilty of that. But we are impeding our own development and effectiveness by not stepping out of that comfort zone. The bad guys have very little to lose, so they continually try new things. In order to have a snowball's chance in hell, we'll have to see their innovation and raise them one. 

And you don't get there by doing the same things day in and day out.

Have a great day.

Photo: "expand your mind" originally uploaded by mandydale



Top Security News

Malware is growing fast...and!
So what? - F-Secure tells us what we already know. The amount of malware out there is growing fast. They say there are 900,000 new things (though it's not clear what a malware is, just that there are a lot of them) and that it's going to get worse. And. And. And. Bueller. Bueller. I'm not sure what the point is of this kind of data. Basically all they are pointing out is the futility of continuing to count specific pieces of malware, and of trying to build a negative security model (signature matching) to keep up. As Jaquith has been saying for a long time, the traditional anti-malware model is breaking down (if not already shattered in pieces on the floor), so it's going to be increasingly important to address the issue using different tactics. The good news is that no AV vendor (that I know of anyway) is still relying exclusively on signatures, so once again I think this entire discussion is kind of idiotic. So this'll be the last time I point out malware stats. We all know how screwed up things are. What's going to stem the flow? That's what I'm interested in hearing.

Find first, protect later
So what? - The sad truth is that most organizations don't know what data they should be protecting because they don't know where the sensitive data is. Further complicating matters is that the commercial-grade tools to find sensitive data are pretty big and expensive. This piece on Dark Reading goes through some of the more reasonable tools (like open source) that can spider through your stuff and find data matching the obvious regexes (regular expressions) that shouldn't be there - like SSNs and account numbers. I'm glad to see my alma mater Cornell front and center with their spider tool, and some others are listed as well. Remember, you are only as secure as your weakest link. And if you have a treasure trove of information sitting in a chest in the front yard - it doesn't matter how many bars and locks you have on the doors and windows - now does it? That's why throwing a product at a problem is rarely the answer. There needs to be a process underlying the technology.
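The regex-plus-validation approach those spider tools take, boiled down to an added example (this is not the Cornell tool or any product from the article). It scans a constructed in-memory corpus instead of walking a disk, rejects SSN-shaped strings the SSA never issues (area 000, 666 or 9xx; group 00; serial 0000), runs a Luhn check on card-shaped digit runs so build ids and log numbers don't flood the report, and masks everything but the last four digits so the findings file isn't itself a leak.

```python
import re
from typing import Dict, List, Tuple

# SSN: dashed 3-2-4 form, minus ranges the SSA never issues (cuts obvious false positives).
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Card: 13-16 digits, optionally separated by single spaces or dashes; Luhn-checked below.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,15}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check: most random digit runs that merely look like a PAN fail it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four digits in the report."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(path: str, text: str) -> List[Tuple[str, str, str]]:
    """Return (path, kind, masked_value) for every plausible SSN or card number in text."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append((path, "ssn", mask(m.group())))
    for m in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            findings.append((path, "card", mask(m.group())))
    return findings


def scan_files(files: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Stand-in for the spider: iterate over (path, content) pairs instead of a filesystem walk."""
    results = []
    for path, text in files.items():
        results.extend(scan_text(path, text))
    return results


# Constructed sample corpus; every identifier below is made up or a public test value.
SAMPLE_FILES = {
    "hr/roster.txt": "Jane Doe, SSN 219-09-9999, badge 000-00-0000",
    "finance/export.csv": "visa,4111 1111 1111 1111\nmc,5500000000000004",
    "eng/build.log": "job 4111111111111112 finished; ticket 666-12-3456",
}

if __name__ == "__main__":
    for path, kind, masked in scan_files(SAMPLE_FILES):
        print(f"{path}: {kind} {masked}")
```

The badge number, the failed-Luhn job id and the 666-prefixed ticket all drop out, which is the difference between a findings list someone will actually read and one they will ignore.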

Shove that CPU where the sun don't shine
So what? - No, I'm not talking about that fancy Xeon or even a classic 386, it's the Oracle Critical Patch Update. The folks at Sentrigo came out with another survey that says most DBAs don't patch their stuff. Michael Cobb weighs the pros and cons in this SearchSecurity tip. Is this a good thing or a bad thing? Does it really matter? It's heresy to not patch Internet-facing machines, but what about those machines that aren't Internet-facing, like a database? Now I get the complexity of patching databases, with availability requirements and application regression and the like. But at the end of the day, assuming that your database isn't accessible is a bad assumption. It's like not locking the vault when the bank is closed because no one can get to it. Thus I favor building a process to ensure the database patches can be applied. Yes, it's a pain in the butt. And no, this shouldn't be the first thing you do if you have gaping holes in your applications. But in terms of thinking in security layers, making sure you don't leave any low hanging fruit via the database is just common sense.


The Laundry List

  1. Vontu does SQL with its latest release. Remember, find it and then worry about protecting it. - Symantec release
  2. Is there anything that can't run in the cloud? Symplified announces an "Identity Cloud" that provides web access management for both on prem and SaaS apps. Some day only us gray hairs will remember when software used to run at your site. - Symplified release
  3. More security companies get VC funding. I guess the VCs missed the memo about there being no exits. Like ever again. Yes, I'm joking. - Security Innovation funding, Agiliance funding
  4. WatchGuard announces XTM, which is allegedly "extensible" UTM, but seems like the same old same old. Who will be the first to say FUTM? - WatchGuard release

Top Blog Postings

It is unreasonable to expect "reasonable controls?"
The Verizon Business (nee CyberTrust, nee TruSecure) security blog is the gift that just keeps on giving. In this post, they go over the fact that many of the breaches they got called in to investigate could have been avoided by using "reasonable" controls. Like patching a system within 6 months. Or changing the default passwords. Or actually knowing there was sensitive data on the machine. Now, I'm not going to argue about how much data was gathered. Or whether the sample set isn't representative because it's just the folks that actually called the big guns in to clean up the mess. That stuff doesn't matter. The important point is that you don't need to be a PhD to not end up roadkill. You actually just need to do the simple stuff, like securely configure the devices and make sure they are patched. Will that ensure you are 100% protected? Of course not. But it will eliminate the low hanging fruit that makes it so easy for most attackers to pwn you. And unless you are being specifically targeted by a talented bad guy (then you are screwed), it will probably be enough.
http://securityblog.verizonbusiness.com/2008/06/19/reasonable-controls/

It's July 1, do you know where your WAF is?
The big day is here. PCI 6.6 goes into effect, which means anyone that handles private credit card data should be doing code reviews and have a web application firewall to protect the app layer. Or you can do just one if both is just too hard. So guess what a majority of the folks out there are going to do? Right, it's not a surprise that a box wins over process every day of the week. But are WAFs worth the time? Dre over at TS/SCI (with some help from Rohit Sethi) does a five-day series that questions the value of WAF. It starts with the Top 10 reasons to wait on WAF, and then goes through a variety of other topics. As you can expect, they bring up some good points. But I still think that for most organizations a WAF is the right initial approach. In the world of low hanging fruit, a WAF will stop many of those attacks. Not all, but many. Usually. Does it maybe create a false sense of security? Probably, but the alternative continues to be that users do nothing - and there is no way that's a better answer. To be consistent, I also think that folks should be looking at evolving their app dev process to be more security-aware. But that is a multi-year process for companies of size, so in the meantime check the WAF box and get your assessor off your ass.
http://www.tssci-security.com/archives/2008/06/23/week-of-war-on-wafs-day-1-top-ten-reasons-to-wait-on-wafs/

The Pain of dealing with PR folks
Many of you think my job is pretty cushy. You know, read most of the day. Write here and there. Maybe a couple of times a month get up in front of a crowd and wave my hands a lot. Drink a lot of Starbucks iced tea/lemonade. And you would be right. But one of the downsides (and many bloggers have found this out the hard way) is dealing with PR folks. Good ones are a pleasure to deal with and make my job a lot easier. The bad ones suck the life out of my day and make me want to reach for the closest cup of hemlock. Yes, there are a lot more bad ones. A LOT MORE. For those of you looking for a laugh, check out Stephen O'Grady's post listing 7 suggestions for PR folks. It's good stuff, especially the stuff about calling me 10 times to talk about some point release that I don't care about. That's why I say on my voice mail to send me email. It's a lot easier for me to delete a ridiculous request in email (though the iPhone visual voice mail does make things a bit easier). If you need a refresher on not pissing me off, check out the classic
http://redmonk.com/sogrady/2008/06/27/badpr/