The Daily Incite - July 11, 2006
July 11, 2006
Good Morning:
Gosh, I have a lot to say today, and I'll apologize ahead of time if some of the snippets are not as tight as they should be. I just kept getting thoughts and other ideas that absolutely needed to be in there. So you'll forgive my rambling, no?
On the news front, a couple of the more interesting items I saw were Wachovia announcing a new secure email service to communicate with customers and, in blog-land, another Farnum post. I did a bit of research into the secure email space earlier in the year as a side project and found that not many banks were doing much with email, so seeing a super-regional take the ball and run with it is a good thing. The Farnum post covers all of the things a security administrator needs to do. The one thing he left off is DEFINE SUCCESS, and it's a biggie.
Have a great day.
Top Security News
PCI isn't getting there
So what? - I know I've seen this movie before. PCI feels a LOT like HIPAA to me. This NetworkWorld feature makes the point that a majority of retailers are nowhere near meeting the PCI security standard a year after it went into effect. These retailers are "subject to fines," but I'm not aware of any enforcement actions besides maybe the CardSystems debacle. So does it have any teeth, and who is going to do much now, when Visa and MasterCard are due to update the PCI requirements any day? That being said, what PCI aims to do is important, but you'll get retailers (and it's more than a few) that figure it'll be cheaper to pay whatever fines and clean up the damage after an incident than to do the right thing proactively. In that respect, PCI is exactly like HIPAA.
http://www.networkworld.com/news/2006/071006-visa-security.html
MXLogic patents the spam cocktail - tasty!
So what? - Thanks to Spamroll for pointing me towards this announcement that I missed. MXLogic has been awarded a patent for what seems to be a spam cocktail: using fuzzy logic to combine the results of multiple detection techniques into a single spam verdict. Normally I don't care much about patents, because most companies (unless they are huge or desperate) don't do much in the way of enforcement. BUT every anti-spam, I mean, email security company uses a cocktail-like technique in its detection engine. So depending on how the patent claims are actually written, pretty much everyone is exposed. As somewhat mature Big Security vendors look for top-line growth and interesting assets to acquire, like email security companies, this patent makes MXLogic look a lot better. Sure, they are a fraction of the size of Postini and MessageLabs, but they've got the patent. Maybe. This will be interesting to watch play out.
http://www.mxlogic.com/news_events/press_releases/07_07_06_patent.html
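To make the "cocktail" idea concrete, here is an added illustration (my own toy code, not MXLogic's patented engine or anything from the press release) of why vendors combine detectors instead of trusting any single test. Four independent detectors each return a confidence between 0 and 1, a weighted blend turns those into one score, and two thresholds map the score to spam, suspect, or ham. The detectors, weights, thresholds, throwaway-domain list, IP blocklist and the three sample messages are all constructed for the example.

```python
"""Toy 'spam cocktail': blend several weak detectors into one fuzzy score.
Added example, not MXLogic's method. Every list, weight and sample below is
constructed for illustration."""
import re
from dataclasses import dataclass


@dataclass
class Message:
    sender: str
    subject: str
    body: str
    last_hop_ip: str  # IP of the host that handed us the message (constructed)


# --- individual detectors: each returns a confidence in [0.0, 1.0] --------
SPAMMY_PHRASES = ("viagra", "free", "winner", "click here", "act now", "prize")
THROWAWAY_DOMAINS = {"freemail-x.test"}            # constructed
IP_BLOCKLIST = {"198.51.100.23"}                   # constructed, DNSBL-like
URL_RE = re.compile(r"https?://\S+")
RAW_IP_URL_RE = re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}")


def keyword_detector(msg: Message) -> float:
    """Count spammy phrases in subject+body; three or more hits saturate."""
    text = f"{msg.subject} {msg.body}".lower()
    hits = sum(text.count(p) for p in SPAMMY_PHRASES)
    return min(1.0, hits / 3)


def url_detector(msg: Message) -> float:
    """Each URL adds a little; a URL pointing at a raw IP adds a lot."""
    urls = URL_RE.findall(msg.body)
    score = 0.3 * len(urls)
    if any(RAW_IP_URL_RE.match(u) for u in urls):
        score += 0.5
    return min(1.0, score)


def header_detector(msg: Message) -> float:
    """Digit-heavy local parts and throwaway domains are weak spam signals."""
    local, _, domain = msg.sender.partition("@")
    score = 0.0
    if sum(c.isdigit() for c in local) >= 4:
        score += 0.6
    if domain.lower() in THROWAWAY_DOMAINS:
        score += 0.4
    return min(1.0, score)


def blocklist_detector(msg: Message) -> float:
    """Hard signal: last hop is on our (constructed) blocklist."""
    return 1.0 if msg.last_hop_ip in IP_BLOCKLIST else 0.0


# --- the cocktail: weighted blend plus fuzzy thresholds --------------------
DETECTORS = [
    (keyword_detector, 0.35),
    (url_detector, 0.25),
    (header_detector, 0.15),
    (blocklist_detector, 0.25),
]  # weights sum to 1.0 so the blended score stays in [0, 1]


def cocktail_score(msg: Message):
    """Return (blended score, per-detector contributions) for explainability."""
    breakdown = {d.__name__: w * d(msg) for d, w in DETECTORS}
    return sum(breakdown.values()), breakdown


def classify(msg: Message, spam_at: float = 0.6, suspect_at: float = 0.35) -> str:
    score, _ = cocktail_score(msg)
    if score >= spam_at:
        return "spam"
    if score >= suspect_at:
        return "suspect"
    return "ham"


# --- constructed sample traffic -------------------------------------------
SAMPLES = {
    "spam": Message("winner8841@freemail-x.test", "You are a WINNER - act now",
                    "Click here http://198.51.100.23/claim to get your FREE prize",
                    "198.51.100.23"),
    "ham": Message("alice@example.com", "Lunch tomorrow?",
                   "Are you free for lunch tomorrow at noon? Menu: https://cafe.example.com/menu",
                   "203.0.113.5"),
    "newsletter": Message("deals2024@shop.example.net", "Weekend deals",
                          "Prize draw for members: https://shop.example.net/deals "
                          "https://shop.example.net/offers https://shop.example.net/win",
                          "203.0.113.9"),
}


def run_samples() -> dict:
    """Score every sample; returns {name: (rounded score, verdict)}."""
    return {name: (round(cocktail_score(m)[0], 3), classify(m))
            for name, m in SAMPLES.items()}


if __name__ == "__main__":
    for name, (score, verdict) in run_samples().items():
        print(f"{name:10s} score={score:.3f} -> {verdict}")
```

The point of the blend shows up in the "ham" sample: the keyword detector fires on "free for lunch", but on its own it only contributes about 0.12, so the message stays ham. The newsletter trips two weak signals and lands in the suspect band, where a real product would quarantine or tag rather than drop. Whether that kind of weighted blending is what MXLogic's claims actually cover is exactly the question the post raises.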
NWC NAC analysis
So what? - Network Computing does a "product analysis" of the NAC space in this article, but I find the information confusing and inconsistent. Alan Shimel's thoughts are here. What they don't do is describe what problem is being solved; instead they define five seemingly arbitrary and overlapping functions that may be associated with NAC. That's the conundrum of the NAC market today: it means everything and nothing. But users do want to make sure that devices connecting to the network are clean, and they also want to control the flow of traffic on the network. I'm still of the opinion that NAC will happen, but it will take some time and there will be a lot of paths to the promised land.
http://www.networkcomputing.com/showArticle.jhtml?articleID=189602326
Wachovia breaks the seal on secure email
So what? - A lot of financial institutions pay a great deal of lip service to rolling out security, and with good reason: customers don't make their decisions based on security. Yet, that is. But some folks like E*Trade and now Wachovia are moving to get out ahead of the requirement by offering the ability to communicate with customers securely via email. To deliver this offering, Wachovia has chosen Tumbleweed's staging server to drive the technology. It's a pretty clean solution, but kind of a hassle for folks who live in Outlook, since they need to use yet another mail interface to read the messages. Still, it's no more of a hassle than picking up the phone or driving to the local branch, and it's good to see Wachovia leading the way on this one.
http://www.tumbleweed.com/news/press_releases/2006/2006-07-10.html
Protecting higher education for 50% off
So what? - So yesterday I smacked Vontu for an empty announcement trying to piggyback on the OMB mandate for data privacy. Today I'll try the carrot by pointing to an Ingrian promotion that makes more sense. Clearly higher education holds a lot of private data, and because its user base (basically students) doesn't like to be told what it can and can't do, there is a real need to secure the environment from the inside out, starting with the data. That's "information" security in Pragmatic Security speak. Given some of the high-profile breaches (Ohio University, USC, etc.), this is a top-of-mind issue for the education sector. So Ingrian is basically trying to get something moving over the slow summer season by discounting its encryption appliances into that vertical. I think this is a good promotion, since it targets a market with a real need, and it does so with a solution that has a chance of solving the problem. Take note, Vontu...
http://www.ingrian.com/news/pr061010.html
Top Blog Postings
The IW opinion on their own survey
Patricia Keefe shares her opinion about the InformationWeek security survey (which I covered yesterday) in this post. She makes the point that it feels like the more things change, the more they stay the same, and I think there is some truth to that. BUT as hacking has become a business and privacy breaches have hit disastrous proportions, the status quo is not acceptable. So we've got to break the mold, and I don't think spending more money on more widgets is the answer. We need to think differently about security. Basically, we need to think pragmatically, because what we're doing now ain't working.
http://www.informationweek.com/blog/main/archives/2006/07/same_old_securi.html
Farnum's a busy guy
Michael Farnum makes a pretty insightful post about the typical tasks a security administrator is responsible for, and the list is daunting. Now I'm all for making lists of all the things you need to do, but the thing I didn't see as the first step is to DEFINE SUCCESS. 90% of job success is managing expectations, and if your senior management has different expectations than you do about what your job is and what counts as success, it doesn't work out too well. Let's just say I've seen that movie before, and it ends with someone being walked to the door. So yes, you have a lot of things to do on a daily basis, but don't forget to spend some time selling yourself and making sure expectations are in the right place.
http://securityplace.blogspot.com/2006/07/some-more-advice-for-security-admins.html
Secure coding success story - Microsoft?
As the Matasano guys toot their own horn about being picked up in Dark Reading, they make an interesting point about secure programming by pointing to Microsoft as a clear success story, especially relative to other "security" companies that continue to have problems. There are tools and processes that can help, and they do, but only if developers are willing to change the way they do things. It's taken years, but Microsoft has made that transition out of necessity. They still have plenty of old code out there, and to be clear, there will ALWAYS be security issues with big software programs, but as Thomas says, Microsoft has proven that if you throw enough money at the problem you can achieve some level of success.
http://www.matasano.com/log/356/dark-reading-on-secure-programming/
Tape backup - RIP
I don't spend a lot of time on disaster recovery and business continuity, but I get that many of my readers are also responsible for that. George Ou makes a cost/benefit comparison between tape and disk-based backups, and the news ain't pretty for tape. It's going to go the way of the dodo bird, but it will take a while: a lot of established process is built around tape backup, and that takes time to change. The biggest issue with disk is the challenge of getting the data off-site. In fact, I tried to start a company in 2002 to build a "backup appliance" for the SMB market segment. I couldn't get funding (nothing really got funded in 2002), but the idea was right on the money.
http://blogs.zdnet.com/Ou/?p=267
Recently on the Security Incite Rants Blog
EAC blog
Nothing new posted yesterday (at least as of 7:30 AM EST; the new post should be up sometime today). I riffed on why RFPs are still relevant for security purchases, and it's not for the reasons you may think.
http://snipurl.com/svaf
Earnings Miss: Web(non)sense Misses Bookings
Websense announced a light bookings quarter and tried to spin it by blaming sales execution and the time it takes to transition to a two-tier distribution model. I don't think these arguments hold much water: I've been there, having to make that transition myself, and sure, there are issues, but an inability to win new business is not one of them.
http://securityincite.com/blog/mike-rothman/earnings-miss-web-non-sense-misses-bookings
Read yesterday's Daily Incite
http://securityincite.com/blog/mike-rothman/the-daily-incite-july-10-2006