The Daily Incite - July 21, 2006
Good Morning {!firstname}:
TGIF or so they say. Felt like a very long week and getting longer. But again, busy is good. Not busy is bad, so I'll stop whining and get on with it. Actually a lot of interesting activity going on, including the conviction of the UBS insider. It seems the good guys won this one, but we all need to take some lessons about how to make sure you can get the bad guy dead to rights if something goes down.
On an unrelated note, I know many of you travel pretty frequently. You've got to check out this post on the Dilbert blog (yes, Scott Adam's Dilbert) where he rails about "phone whores." If you've been in an airport more than once in the past year, you'll both laugh and cry at Scott's description of his recent experience. I tend to have pretty eclectic reading tastes and I really enjoy Scott's blog. It makes me laugh and also think about stuff that isn't security. I heard he writes a comic strip too - maybe I should check that out.
A portion of you at one time or another have worked for yourselves. Whether it's a boutique security consulting/integration shop or trying to start the next great security vendor, this post by Brad Feld about hiring folks too early is a must read. Having been through the entrepreneurial process a few times myself, this advice is golden. Never forget that cash is king and paying someone else before you are ready is the best way to make that cash disappear.
Have a great weekend.
Top Security News
UBS guy going to the big house
So what? - The UBS insider, Roger Duronio, has been convicted (link here). That's a good result. If he had skated away (given what was overwhelming evidence against him), that would have made prosecuting insider attacks very, very difficult. Have fun and send us a postcard, Roger. Make sure Bubba (your new soul mate - I mean cell mate) signs too. All kidding aside, this article provides some good tips about what UBS did right and wrong from the investigator on the case. Again, a lot of this stuff is common sense (look for outside help, backup), but I'm a fan of reminding myself of the simple stuff frequently because the complicated stuff will burn up all your time if you let it.
http://www.informationweek.com/story/showArticle.jhtml?articleID=190900365
Technorati tags: security best practices, insider attacks
Dark Reading Debunks Security Myths
So what? - Dark Reading continues to have the irreverent tone of its forebears - Light Reading and Byte & Switch. I can't say I always agree with what they say (I don't always agree with anyone), but I like the way they say it. They recently published the Top 10 myths of IT security and go into each one in a fair amount of detail. I'm going to start a series (first post will be later today) commenting on these "myths." I'll do one or two per day and see what happens. In general they are pretty good, with catchy titles like "Anything but Microsoft" and "Employees are always trustworthy." Check them out for yourself and then see what I have to say about them over the next week or so.
http://www.darkreading.com/document.asp?doc_id=99291
Technorati tags: Dark Reading, security
Is that a password in your pocket?
So what? - I'm becoming a fan of InfoWorld's Roger Grimes. Not due to the content, but due to his attitude. His column persona is grumpy and abrasive, and he gives no quarter. I haven't met him, so I'm not sure if he's really like that, but there is something to be said about someone who pulls no punches. This week Roger takes on password length vs. complexity. His opinion is that a LOOOOOOOOOOONG password is just as safe as a "complex" one (which requires special f*!#king characters), so evidently size does matter. Personally, I think he's probably right, but I'm of the opinion that it doesn't matter when the greatest threat to your password security is the yellow sticky note and social engineering. Long, short, Spanish, Swahili - it's all the same to me. In terms of length, there is a direct correlation between longer passwords, yellow sticky notes, and help desk calls. Everyone needs to figure out for themselves how long is long enough. Now administrator passwords are another story altogether, and these password vaults that protect admin credentials are gaining in importance. With good reason, because admin credentials do represent the keys to the kingdom.
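To put numbers behind the length-vs-complexity argument, here is a small entropy calculator added as an example (it is not from Grimes' column or the original newsletter). It assumes every character is drawn uniformly at random from the classes the password uses, which makes it an upper bound: human-chosen words and patterns fall well short of it, and it says nothing about the sticky-note problem. The sample passwords are constructed for illustration.

```python
import math
import string

# Assumed character-class sizes (printable ASCII); `symbol` is the 32 punctuation characters.
CLASS_SIZES = {
    "lower": 26,
    "upper": 26,
    "digit": 10,
    "symbol": len(string.punctuation),
}


def keyspace_bits(length, classes):
    """Bits of entropy for `length` characters drawn uniformly from the union of `classes`."""
    alphabet = sum(CLASS_SIZES[c] for c in classes)
    return length * math.log2(alphabet)


def classes_in(password):
    """Return the set of character classes a password actually uses."""
    present = set()
    for ch in password:
        if ch.islower():
            present.add("lower")
        elif ch.isupper():
            present.add("upper")
        elif ch.isdigit():
            present.add("digit")
        elif ch in string.punctuation:
            present.add("symbol")
    return present


def estimated_bits(password):
    """Upper-bound entropy estimate: treat the password as random over the classes it uses."""
    return keyspace_bits(len(password), classes_in(password))


def years_to_exhaust(bits, guesses_per_second):
    """Time to search the whole keyspace at a given offline guessing rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed samples: a long lowercase passphrase vs. a short "complex" password.
    for pw in ("correcthorsebatterystaple", "Tr0ub4d&3"):
        bits = estimated_bits(pw)
        print(f"{pw!r}: {len(pw)} chars, classes={sorted(classes_in(pw))}, "
              f"~{bits:.1f} bits, {years_to_exhaust(bits, 1e10):.2e} years at 1e10 guesses/s")
```

Run it and the 25-character lowercase passphrase comes out well ahead of the 9-character mixed-class password (roughly 118 bits versus 59). The design point is that each extra character multiplies the keyspace by the alphabet size, while each extra character class only enlarges the alphabet, so length wins quickly; the figures drop sharply once an attacker can use dictionaries and common substitutions, which is why this is a ceiling rather than a measured strength.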
http://www.infoworld.com/article/06/07/21/30OPsecadvise_1.html
Technorati tags: passwords, authentication
See you in court AT&T
So what? - AT&T and the government's attempts to get the "frivolous" lawsuit about them eavesdropping on phone calls dismissed have failed. So they'll actually have to defend themselves in court. I believe that law enforcement needs to have broad capabilities to take action WHEN WARRANTED. But not without checks and balances. In this case, there were no checks and no balances and probably a lot of bad judgment. A court will figure out if they are liable, but in either case the PR damage will be significant. And that's a good thing. Violate the trust of your customers and there is a price to pay.
http://www.informationweek.com/story/showArticle.jhtml?articleID=190900465
Technorati tags: AT&T, eavesdropping
VeriSign hits the number
So what? - VeriSign announced their Q2 results last night and it's now clear that they are not really a "security" company anymore. Sure they do security, but when you read what the Wall Street folks say - it's much more about mobile content and telco services. Security is growing, but it's not the "exciting" part of the business. I suspect it will be getting more exciting as security services continue to be adopted and when they close the GeoTrust acquisition - which will pretty much give them a monopoly in issuing SSL certificates. As Vista (and Firefox) figure out how to leverage high-assurance certs, there will be a lot more folks interested in SSL. With GeoTrust, VRSN gets a different and rapidly growing path to market as well (link here).
http://biz.yahoo.com/prnews/060720/sfth085.html?.v=49
Technorati tags: VeriSign, VRSN, SSL
Top Blog Postings
Duke it out over outsourcing
In these posts, Farnum talks about how he is considering security outsourcing and Shimel clarifies a bit and then steps in some poop. Yes, I have young kids. To be clear, none of these decisions are generic. For things that are mature and commodity in nature (firewalls, anti-spam, gateway AV, web filtering) having someone else do it makes perfect sense. Alan is right in that there is a time and place for outsourcing and you rarely save money, but you do save TIME. Time that a guy like Farnum can be spending selling his security strategy up the food chain or working to evangelize security to the lines of business. Time to be more strategic. Even if he hires someone (as Alan suggests) for the same money, then he has to deal with all the drama of employees and training, etc., which again costs TIME, not money. I also take issue with Alan's contention that outsourcers will use "homegrown" tools based on open source. OH THE HORROR! Especially when they can buy wonderful COTS (commercial off the shelf) stuff. Spoken like a true vendor. That's rubbish. MSSPs are responsible to get things done and they need to have the right tools to do it, and if they cut corners word will travel fast. But to be clear, you don't get to outsource strategy or accountability - so choose your outsourcing partner wisely.
Farnum: http://www.computerworld.com/blogs/node/3020
Shimel: http://www.stillsecureafteralltheseyears.com/ashimmy/2006/07/is_security_out.html
Technorati tags: security outsourcing, MSS
Vendors don't do "research"
Ed Moyle goes on a tear about slanted vendor research in this post. First of all, Ed, you are not alone. I've been railing on vendor surveys and the like since I stopped being a vendor. I know the game. Vendors do surveys for three reasons, none of which are objective. First, they need a catalyst to gain interest with customers, who either don't know they have a problem or don't care. Second, for the folks that do "get it," the vendors need to give them ammo to sell the project/product to management. These concocted numbers can do that. Finally, they do them for sheer PR value. The media needs content and compelling statistics fit the bill. So all we (that's you and me, Ed) can do is continue to rail against these tactics and call them what they are: slanted vendor marketing collateral.
http://www.securitycurve.com/blog/archives/000421.html
Technorati tags: surveys, security marketing
Phishing is the bank's problem
Stiennon is absolutely right here, and I've been saying this for a long time. Sure, ISPs need to try to stop phishing messages from getting to their destination, but at the end of the day the banks need to implement and evangelize two-way authentication. The first half of his post is great. It's too bad he spends the second half talking about a vendor. Great, another appliance to manage one-time passwords. Whoopee! But what about ensuring that the bank is actually the bank? I don't see how this vendor does that. To me, that is the key to stopping phishing.
http://blogs.zdnet.com/threatchaos/?p=374
Technorati tags: strong authentication, phishing
Schneier on certifications
I saw this face off between Bruce and Marcus Ranum about certifications in this month's Information Security Magazine. Both make good points. But the thing that weighs in Bruce's direction supporting certifications (with caveats, of course) is this: "Network security has become standardized; organizations need a practitioner, not a researcher. This is good because there is so much demand for these practitioners that there aren't enough researchers to go around. Certification programs are good at churning out practitioners." Sure, certifications are a lowest common denominator, but in mature businesses that's OK.
http://www.schneier.com/blog/archives/2006/07/security_certif.html
Technorati tags: security certifications
Recently on the Security Incite Rants Blog
Comment Watch: The role of vulnerability research
Since many of my readers either don't have the time or the desire to follow the comments on the blog, sometimes when there is an interesting exchange, I'll post it. This is one of those times, as Thomas Ptacek of Matasano and I debate a bit about the evolving role of vulnerability research. This discussion happened due to my coverage this week of Symantec's analysis of the Windows Vista network attack surface. After showing the blow by blow, I go into what I think will become the new role of vulnerability research - competitive intelligence.
http://securityincite.com/blog/mike-rothman/comment-watch-the-role-of-vulnerability-research
Read yesterday's Daily Incite
http://securityincite.com/blog/mike-rothman/TDI-2006-07-20