The Daily Incite - June 13, 2006
Good Morning:
Lots of news today, which is good heading into the summer doldrums. I'm starting the day a bit grumpy because of continued deceptive marketing practices. Did you see that ridiculous Microsoft statistics release? The media jumped all over it because most of them are not too bright. And they also became writers because their math skills left a bit to be desired. Thanks to Frank Hayes who points out that 60% of all machines DO NOT have Trojans as the release would lead you to believe. Seems like fuzzy math, as Ross Perot used to say. It turns out that only about .3% (.003) of all machines that use Windows (the update service anyway) have malware. 60% of those have Trojans/rootkits and a subset of those will be part of a zombie network. That being said, it's a big number - but I just HATE when these marketers spin a number out of context to get people fired up.
I also want to point you towards some very practical advice for security practitioners from Michael Farnum below. You cannot forget who you work for and how they want to be dealt with. The successful security folks I've dealt with understand how to play the game to get what they need to do the job. End users listen up. Don't ever forget that security is a means to an end to allow your company to create value by selling something.
Have a great day.
Top Security News
UBS soap opera continues
So what? - Thankfully I don't have time to sit in front of the tube all day. I fear that I'd be captivated by stuff like CourtTV and other crap like it. Following this UBS trial is very interesting and kudos to InformationWeek for having a correspondent there. They understand how important this trial is to setting precedent and being able to prosecute insiders that do the wrong thing. But seeing the defense unfold (a lot of people could have done it) and the prosecution systematically assembling a view of a very bitter and vindictive insider is instructive. I think we all knew as many bad guys were inside the house as out, but this gives us a better idea of how we need to gather the data to bring those folks to justice.
http://www.informationweek.com/story/showArticle.jhtml?articleID=188703447
RedSeal launches - does modeling config data matter?
So what? - A new company called RedSeal launched yesterday. I met with them on my last trip out to the West Coast and they've taken an interesting approach to trying to "quantify" risk. Basically they take configuration files from your network and security devices and visually model it to allow you to figure out which devices are misconfigured and based on your own policies, what needs attention first. I'm no fan of the "security risk management" category, but being able to prioritize what needs to be done is important. Can you get that data just from looking at config files? Maybe, especially for large environments with lots of devices. Configuration management is a real bear in big shops. At least initially, these guys just tell you what's wrong, as opposed to fixing it - so that's a limitation. I also question whether this is worth their starting price of $50k. But if you are a big security shop, it's probably worth looking at.
http://www.redseal.net/news/index.html#product
Roles are the next wave of Identity Management
So what? - Identity management is really a world unto its own, so having it split out in the Pragmatic Security architecture was the right call. You are going to increasingly see role management broken out from access management and provisioning, mostly because companies need to report on who is doing what and ensure segregation of duties for compliance purposes. It also gives vendors an additional thing to sell. What's different? Hasn't role-based access control (RBAC) always been part of these products? The answer is yes and no. RBAC has traditionally been used to streamline the access policies, as opposed to treating roles as separate entities that need their own lifecycle management. That was a long-winded introduction to Courion's RoleCourier, which they are bringing out as another module in their provisioning suite. All of the big stack players have role-based controls, though they are not as well defined, and you can expect these capabilities to be broken out sooner rather than later.
http://www.courion.com/news/releases/2006/RoleCourier_pr2006.asp
Vontu review
So what? - Say that 10 times fast and it will get your mouth moving first thing in the AM. This eWeek review is interesting in that it's clear that extrusion prevention technology is maturing quickly. The Vontu stuff works and checks multiple protocols, but two things really jumped out at me just reading the summary. The first is the price tag, starting at over $100k. Sure, Fortune 500 companies can do that, but I spend a lot of time in the mid-market and they are leaving a huge gap there. Someone is going to "Barracuda" them. Second was the need to define policies to check for every kind of data. Hmm. That feels like a signature-type approach to me. What if you don't know what the data looks like? Just because you didn't model that type of data doesn't mean it's not a compliance violation if it leaks. But as with everything else, you need to protect against both what you know (signatures) and what you don't (heuristics). Look for both when you are evaluating these solutions.
http://www.eweek.com/article2/0,1759,1973637,00.asp
Patents only matter if you enforce them
So what? - AirDefense claims they have the "broadest and earliest" patents in the wireless security market. Given how that market has changed and basically is becoming a feature of other infrastructure protection devices, the logical progression when it's hard to compete is to sue. Especially for litigious types. But I'm sure the competition has some thoughts on whether the patents will hold up to scrutiny or not. Having been on the marketing side, it's fun to see companies not keeping their web site up to date. AirDefense's CEO has been gone for over a month, but is still listed on the web site. Someone, I'm sure, is being poked in the eye about simple stuff like that and thankfully it's not me anymore.
http://www.airdefense.net/newsandpress/06_12_06.php
Top Blog Postings
Thank God someone can do math
So the big news yesterday was Microsoft's malware study, which is one more data point that some marketers are one step above slugs and maggots on the evolutionary scale. Talk about a set of deceiving data points. When my inbox started popping with offers to talk to "experts" about the rash of malware (60% of computers had a Trojan!) my bullsh*t detector went off big time. Thankfully Frank Hayes clarifies the numbers in this blog post. It's actually 1/3 of 1 PERCENT (.003) that are infected. And 60% of those devices have a Trojan and are part of a botnet. To be sure, that is still a big number, but the world as we know it is not ending. Shame on those deceptive Microsoft marketers trying to make a friggin mountain out of a mole hill.
http://www.computerworld.com/blogs/node/2743
More VoIP FUD
It's funny to see InformationWeek pat themselves on the back for identifying that IP networks are subject to denial of service attacks, spam, eavesdropping, and spoofing. Of course, they are talking about VoIP and trying to draw a contrast with traditional phone networks. I think this whole line of thinking is crap and I think I'll do a separate post later today to vent a bit. Suffice it to say the PSTN is subject to all of those types of attacks with the exception of a denial of service attack. Though if anyone tried to vote on American Idol, the end results of that (constant busy signals) seemed kind of like the same thing. But I digress.
http://www.informationweek.com/blog/main/archives/2006/06/voip_its_securi.html
It's layers Alex, it's layers!
The Scrapture blog continues to annoy me, but I keep mentioning posts there. Go figure. Yesterday's was about the relative merit of doing desktop security vs. web filtering at the gateway. Sorry to tell you Alex, but the answer is both. You can't mandate VPN use and mobile professionals don't need to go via the gateway if they aren't in the house. And there are anonymizing techniques that allow savvy users to get around gateway protection anyway. Customers also need to protect against end users installing malware via USB and optical drives. So the answer to all the world's woes is not a UTM gateway. I wish you'd stop making it sound so easy, it's disingenuous and just wrong. You need to protect the desktop as well. And 60 million web sites in YOUR "surf protection database?" Don't you mean ISS, who bought the database from Cobion? Since that's who you license the content from. That's OK, small companies like Astaro can't be expected to have all the technology and it really is the integration that makes the difference, but I'm a fan of telling the whole truth and you haven't been doing that lately.
http://www.scraptureblog.com/2006/06/surf_protection_one_desktop_at_1.html
The softer side of security
Read Farnum's stuff. He talks the talk and clearly walks the walk. This post brings us back to reality very quickly. Sure the technology is cool and outsmarting the hackers provides great job satisfaction, but unless you are able to toot your own horn and interface with the folks writing the checks, your impact will always be minimal. Michael lists some pretty obvious stuff (like make eye contact) that you'd be appalled at how many security administrators don't or can't do. Security is a sales job like anything else; you have to sell the powers that be on investing in what you think you need to do the job. The only way to do that is to talk in business terms and to EARN a seat at the table.
http://securityplace.blogspot.com/2006/06/practical-lesson.html
Recently on the Security Incite Rants Blog
Why do I blog?
Every so often I think it's healthy to question everything. Why do you do what you do every day? Does it make a difference? Does it make you happy? I asked those questions of myself yesterday and I liked the answers. I'm enjoying blogging immensely and it is having a positive impact on my business, so it's all good. Check out my thinking and let me know what you think either via blog comments or email. You'll feel better about how you spend your day.
http://securityincite.com/blog/mike-rothman/why-do-i-blog
Read Monday's Daily Incite
http://securityincite.com/blog/mike-rothman/the-daily-incite-june-12-2006