The Daily Incite - July 14, 2006

Submitted by Mike Rothman on Fri, 2006-07-14 09:25.

Good Morning:
With the exception of the SurfControl/Black Spider deal yesterday, things were mostly quiet on the information security front, which after this week is a good thing. I'm way behind on my "real" work, so it's catch-up day. Public security companies continue to struggle, with Check Point announcing another high level defection and Blue Coat investigating the options mis-pricing and pulling guidance. Now why do you want to go public again? Spamroll is highlighted in the Blog section today twice calling bunk on two hype-riddled stories from this week - VoIP phishing and the PPT exploit. More people (besides me and Spamroll) should be calling bunk on this stuff. It's not news.

On a note unrelated to security, Steve Rubel (a PR macher) does a great post on why "Only generous bloggers influence" (http://www.micropersuasion.com/2006/07/only_generous_b.html). I call this type of behavior "doing the right thing." It's too bad that so many people don't do the right thing, but on the other hand it creates a great opportunity for those of us that do.

Have a great weekend. I'm planning on upgrading the Security Incite web site to the latest version of Drupal over the weekend. So if you swing by some things may be a bit disheveled. I'm also going to tune the Daily Incite format a bit for Monday as well. I'm sure you'll let me know what you think.

Top Security News

Security IPOs: Not anytime soon
So what? - The SCUR/CT acquisition has given me the opportunity to touch base with many of my financial sector contacts, and those on the investment banking side continue to wring their hands about the lack of companies willing to do an IPO. Netscreen was the last security company to get it done in 2001 and there probably won't be another for a while. This street.com article paints a lot of reasons why. Maybe early 2007, best case. Leading candidates continue to be Fortinet and Sourcefire. Not IronPort, by the way. They've been in full spin mode since the CT acquisition, but I think that would be a very challenging deal to get done, especially since they don't control much of their IP and spend money like drunken sailors. In the age of SOX, I'm not sure why anyone would want to go public anyway. CipherTrust sold for more than Blue Coat is worth on the open market today, and they got 70% cash - and SOX is not their problem.
http://www.thestreet.com/newsanalysis/techsoftware/10296450.html

3 chiefs on Identity Theft
So what? - This NetworkWorld interview with Dean Drako of Barracuda, John Zicker of Sana, and Jay Kidd of Network Appliance is kind of interesting. Not in what they really say, but in the selection of those 3 to discuss Identity Theft. Maybe they were the only guys in town when they did the interview. With the exception of NetApp, the other two's relation to ID theft is tenuous at best. But nonetheless, a few tidbits in the interview - including the sea change about whether our employees can be trusted. I'm not sure we ever really trusted employees, but we didn't have a lot of capabilities to track or enforce policies. Now that we do, it's become obvious that the insider threat is real and that we need to do something about it.
http://www.networkworld.com/news/2006/071006-security-chiefs-see-changes-in.html

The exodus at Check Point continues
So what? - This time it's Kevin Maloney, who ran worldwide channels for them. He left for higher ground at Network General? The sniffer is hot now, don't cha know? Interesting move, but underscores some of the strategic challenges at Check Point. They've got to nail down a strategy and start doing stuff. The strategy may be wrong, but you can change it later. But continue to do nothing and you'll see your best talent leave for places where they can do something. That's one man's opinion anyway.
http://www.channelweb.com/sections/allnews/article.jhtml?articleId=190400075

People get grumpy when you turn off their applications
So what? - In this follow-up piece to a column I covered previously, Roger Grimes gives no quarter. Evidently and predictably he got a raft of crap from people about his suggestions to shut down unauthorized applications. I am a fan of application control, if you've got the political mojo to get it done in your organization. It dramatically reduces the number of exposure points and takes control out of the hands of the users, who have been known to do stupid things before.
http://www.infoworld.com/article/06/07/14/29OPsecadvise_1.html

Top Blog Postings

Get used to "Good Enough"
Alan Shimel becomes a bit unglued in this post, which I love to see. Bravo Alan! He rails against this mentality of "good enough" security and uses that metaphor to generate some thinking about other aspects of life. I like posts that make me think. But unfortunately Alan, you are barking up the wrong tree. Security is still viewed as a necessary evil, pretty much insurance against something catastrophic. I carry a decent amount of insurance personally because I don't want some joker coming after whatever modest assets I have. Most folks try to get away with the least amount of insurance they need. Just like security. Most folks will do the bare minimum because we have continually FAILED to build a business case to business people about why security can either add revenue or cut costs. Now it's just another toilet to flush money down.
http://www.stillsecureafteralltheseyears.com/ashimmy/2006/07/is_good_enough_.html

You screw up - you get fired
So the CIO from Ohio University takes a bullet. Big whoop. I don't know him, so it would be a bit bold to call him incompetent. But based upon the multi-year history of successful attacks and privacy breaches, the job wasn't getting done. So now he's gone. That's the way it works in the big city. Personally, I think an execution in the public square was more warranted. They should probably shoot the president of the university as well. It happened on his watch too. The opportunity cost this school will suffer by violating the trust of students and alumni is immeasurable. Fool me once, shame on you. Fool me twice and shoot me in the head. That's the way it's got to be.
http://www.computerworld.com/blogs/node/2970

VoIP phishing is just social engineering
Wait! Stop the presses! There is a new attack vector called the telephone. This is the first time in history we've seen fraudsters try to scam people over the phone - NOT. It is true that VoIP scammers are harder to track than folks that use the good ol' PSTN, but come on now. This isn't new. And thanks to Spamroll for pointing this out.
http://www.spamroll.com/blogarch/2006/07/voip_phishing_t.php

Who cares about the PPT exploit?
I'm sure some of my former bosses are distraught at the idea of not being able to use PowerPoint. But hats off to Spamroll for saying what we are all thinking - who cares? Fact is, it's another exploit. It can be patched. It will. Let's move on. 3 out of the 4 news topics in my Dark Reading newsletter this week were about patch stuff. That's ridiculous. Get off your asses and find some real news to talk about.
http://www.spamroll.com/blogarch/2006/07/powerpoint_atta.php

Recently on the Security Incite Rants Blog

EAC blog: Your vendor is bought, now what? and Thinking positively about security
I'm not sure I understand the posting process over at the EAC blog, but now we are fully caught up. These two posts delve into stuff that I think is pretty important for end users to think about. First is the whole acquisition thing, if a key vendor of yours gets bought. The other is looking at implementing positive security models (unless I say you can do it, you can't) as opposed to negative (I'll look for every conceivable bad thing that could happen and stop that). Check it out, only two more days in the Expert Seat.
http://snipurl.com/svaf

Deal (of the Day): SurfControl buys Black Spider
The deal of the day pace continues with more consolidation in the content security space. SurfControl buys their UK neighbor Black Spider to get an option to offer an email and/or web filtering service for those not wanting an appliance. This was just the right size deal for SurfControl at $36 million, but as with every other deal - they need to aggressively work to eliminate channel conflict and offering confusion in order to be successful.
http://securityincite.com/blog/mike-rothman/deal-of-the-day-surfcontrol-buys-black-spider

Read yesterday's Daily Incite
http://securityincite.com/blog/mike-rothman/the-daily-incite-july-13-2006


Submitted by alan shimel (not verified) on Fri, 2006-07-14 10:53.
Mike- it must have been the redeye flight home. I guess in retrospect the idea was that we do good enough not because of the security guy being lazy, but not being good enough to sell security up the ladder. Michael at MCWresearch hit it pretty well at this url: http://mcwresearch.com/archives/228
