The Daily Incite - June 16, 2006
I hate Patch Tuesday. It's become more of a media circus than anything useful nowadays. So instead of focusing on what needs to be done, most security administrators have to focus on what needs to be patched. Or not. And that takes up more time, because in reality existing defenses reduce (if not eliminate) the impact of many of the vulnerabilities being patched. Maybe it's just my ADD showing, in that these discussions are just not interesting anymore. If you do the right stuff, there shouldn't be this crazy urgency to patch; you are protected by other defenses. But the lemmings need something to write about, so there you have it.
I'm taking next week off. So you'll get your next Daily Incite on June 26. But don't fret, I've got some surprises in store for you next week. Suffice it to say, you'll be hearing from me at least once a day (probably not by 10 AM though) and it will be Inciteful!
Have a great weekend.
Top Security News
Check out the new Microsoft guy
So what? - No, I'm not talking about Ray Ozzie's promotion, but the first interview with Microsoft's new security czar, Ben Fathi. Nothing earth-shattering, but it's very clear that Microsoft is not in a rush and they do listen to customers. In the past, Microsoft has always told us what was good for us, but at least relative to security they seem to be listening better, as evidenced by the User Account Control (UAC) changes and more flexible ActiveX controls in the latest Vista beta. Most interestingly, Fathi did not claim to know all the answers. He's OK letting the market tell them how much security should be integrated into the OS, and I like that approach. But this guy has his work cut out for him, because no matter how much he does, it won't be enough. Talk about a thankless job.
McAfee be nimble, McAfee be quick
So what? - McAfee is making Symantec look like a dinosaur right now. This AM they announced open betas for two new products, the so-called "Falcon" suite and a new version of VirusScan. While Symantec won't commit to delivering anything at any time, McAfee is just getting it done. Beta in June means availability sometime this year, unless it totally sucks. Interesting in both products is the spyware focus and the integration of SiteAdvisor, so for $60 million McAfee now has something no one in the AV space has had for years: real differentiation. Microsoft is going to take share from someone (AV is a zero-sum game, after all), but it doesn't seem like it's going to be McAfee. The hole for McAfee (at least from a desktop perspective) continues to be rootkits, and they should just buy Exploit Prevention Labs and be done with it.
Administrators write down passwords too
So what? - More survey crap telling us what we already know. This time it's Cyber-Ark, which determined that 40% of IT administrators store passwords on bits of paper. So I guess one of the job requirements for an IT administrator is a photographic memory. And of course, Cyber-Ark sells a product that securely stores passwords. Yet I'm not sure I'm comfortable with the idea of SSO for all administration consoles, because if that one credential gets compromised there are literally no defenses left. At least having a few separate passwords/logins for different admin consoles gives some measure of a fallback position. No? Let me know what you think about this, since clearly my position is still forming.
Barracuda boots an AV update
So what? - So Barracuda sent out a bad AV update yesterday and a bunch of folks didn't get mail. This is a good indication that Barracuda is selling a lot of boxes, because this is news. Having been in this space, I wouldn't say it's routine for bad AV signatures to come down, but it does happen and it's normally not news. That's the difference between having 1,500 customers and 30,000. Interesting to me was that their box got the bad update and STOPPED forwarding mail. I actually think that's a pretty solid way to handle an outage. Sure, there are a lot of folks who say to fail open, but if this were a coordinated attack (knock out the defenses and then compromise the internal systems), failing closed would have worked well. And none of the mail was lost, just delayed. Don't look now, but Barracuda is becoming a real company, because I think they handled this well.
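To make the fail-open versus fail-closed choice concrete, here is an added example (my own illustration, not Barracuda's code or any vendor's): a toy mail-scanning gateway that self-tests each signature update against a known-bad sample before trusting it, and while the engine is unusable defers mail with an SMTP temporary failure (451) instead of forwarding it unscanned. Deferred mail is retried once a good update lands, so it is delayed rather than lost. The signature format, the update payloads, the self-test sample and the messages are all constructed for the demo.

```python
"""Fail-closed mail gateway after a bad AV update (added example, not vendor code).

Constructed model: a signature set is a list of byte patterns; an update is
self-tested against a known-bad sample before it is trusted; a scanner that
fails the self-test makes the gateway defer (451) rather than forward.
"""
from enum import Enum


class Verdict(Enum):
    ACCEPT = "250"   # scanned clean, forward
    REJECT = "550"   # scanned and matched a signature
    DEFER = "451"    # engine unusable: fail closed, sender/queue retries later


# Constructed stand-in for a known-bad self-test sample (EICAR-style).
SELF_TEST_SAMPLE = b"KNOWN-BAD-SELFTEST-SAMPLE"


class Scanner:
    """Toy signature engine: a signature set is a list of byte patterns."""

    def __init__(self):
        self.signatures = []
        self.healthy = False

    def load_update(self, update):
        """Apply an update, then self-test it before trusting it. Returns health."""
        patterns = update.get("patterns", [])
        self.signatures = [p for p in patterns if isinstance(p, bytes) and p]
        # An update that cannot detect the self-test sample is not usable;
        # mark the engine unhealthy rather than scanning with it.
        self.healthy = bool(self.signatures) and self._match(SELF_TEST_SAMPLE)
        return self.healthy

    def _match(self, body):
        return any(sig in body for sig in self.signatures)

    def scan(self, body):
        if not self.healthy:
            raise RuntimeError("scanner engine unusable")
        return self._match(body)


def handle_message(scanner, body, fail_open=False):
    """One message through the scanner; fail_open decides what a scanner fault does."""
    try:
        return Verdict.REJECT if scanner.scan(body) else Verdict.ACCEPT
    except RuntimeError:
        # Fail open forwards unscanned mail; fail closed defers it for retry.
        return Verdict.ACCEPT if fail_open else Verdict.DEFER


def process_queue(scanner, queue, fail_open=False):
    """Return (delivered, rejected, deferred) lists for one pass over the queue."""
    out = {Verdict.ACCEPT: [], Verdict.REJECT: [], Verdict.DEFER: []}
    for body in queue:
        out[handle_message(scanner, body, fail_open)].append(body)
    return out[Verdict.ACCEPT], out[Verdict.REJECT], out[Verdict.DEFER]


def demo():
    """Walk through good update -> bad update -> fixed update (constructed data)."""
    good = {"version": "2006.06.14", "patterns": [SELF_TEST_SAMPLE, b"EVIL-MACRO"]}
    bad = {"version": "2006.06.15", "patterns": []}        # broken update: matches nothing
    queue = [b"hello boss, see attached", b"payload: EVIL-MACRO"]

    engine = Scanner()
    engine.load_update(good)
    first = process_queue(engine, queue)                   # clean delivered, malware rejected

    engine.load_update(bad)                                # returns False: self-test fails
    outage = process_queue(engine, queue)                  # fail closed: everything deferred
    leaked = process_queue(engine, queue, fail_open=True)  # fail open: malware delivered

    engine.load_update(good)                               # vendor ships a fixed update
    recovered = process_queue(engine, outage[2])           # deferred mail flows, malware rejected
    return first, outage, leaked, recovered


if __name__ == "__main__":
    for name, result in zip(("first", "outage", "leaked", "recovered"), demo()):
        print(name, result)
```

The design point is the self-test: an engine that cannot catch a known sample is treated as down, and a down engine produces 451s, which any sane MTA retries. The `fail_open=True` path is the one the "fail open" crowd is asking for, and it is exactly where a signature-breaking update (or an attacker who can cause one) lets unscanned mail through.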
Like everything else, patching evolves
So what? - Given all the consternation around Microsoft's patching escapade this week, this review of Big Fix Enterprise gives a bit of perspective on where that market is going. As we've seen throughout history, products solve one problem and then broaden to solve others, and patch management is no different. The folks at eWeek Labs like Big Fix, but realize it's more of an asset management platform than a patching tool nowadays. They throw some spyware mitigation technology in there as well, which is similar to the direction Shavlik is taking. To me, all of these tools are systems management oriented, and large enterprises like to buy them from large systems vendors (IBM, CA, HP, etc.), so there is an inevitable consolidation on the horizon. But we've been saying that for years and all of these folks remain independent.
Top Blog Postings
Skype in the Enterprise
Ken Camp writes a book in this post about the good and bad of Skype, sort of from a security standpoint. The most interesting nugget is: "I think most enterprises block Skype by policy, with few implementing technology blocking that actually blocks Skype." Ken also makes a number of points about adhering to policies (even if you don't agree with them) and the risk of P2P applications going forward. It's an interesting read.
Patch Tuesday is overblown
In Larry Seltzer's eWeek column, he dissects the recent Patch Tuesday and comes to the conclusion that other defenses would have eliminated the risk of each vulnerability. EXACTLY. That's why I am absolutely nauseated by Patch Tuesday now. It feels to me more like a media event than anything else. Bloggers get to blog, writers get to write, and I suspect customers don't give a crap. Larry's point is great in that by doing the stuff you probably already do (AV, IPS, firewalls) you are protected from most of these issues. Defense in depth, baby! And Larry even shares a shred of hope in that he's "optimistic about security," which is surprising since most days he's as grumpy as I am.
Wisdom from Mitnick
Kevin Mitnick is a very gifted social engineer. Perhaps the most famous hacker, he's done time in the big house and now makes a pretty good living teaching folks about social engineering. I've seen him speak and it's both compelling and scary. Kind of like watching a train wreck. He pulled some bloke from the audience and within two minutes had enough information to apply for a credit card. He's interviewed here on CNet and does have some stuff to say. Fact is, there are no purely technical defenses against a well-orchestrated social engineering attack. We cannot forget about training our people to know what's right and wrong and when to share data. Every time you see Mitnick, think of that, as opposed to how much money the guy is making because he spent some time as Bubba's girlfriend.
The weakest link is you
This is a quick post by Dave Piscitello, but it says a lot. He refers to a discussion on an IDS/IPS/firewall forum, and the wisdom from Chris Blask is stunning: "Good firewalls managed badly suck, 'weak' firewalls managed diligently and used with the right collateral don't." Amen to that. Gaping configuration holes will kill even Fort Knox-type security. Configuration gets back to the administrator. Always keep that in mind.
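What "managed badly" looks like in a rule base is easy to show. The following is an added example of my own (not from the post or the forum it cites) that audits a small, constructed, vendor-neutral rule set for the three holes an auditor checks first: permit-any-to-any rules, admin ports reachable from anywhere, and rules that an earlier rule fully shadows so they can never fire (for a deny, that is a silent hole). The rule format, the management-port list and the sample rules are all assumptions made for the demo; the format is one rule per line, first match wins, IPv4 only.

```python
"""Audit a firewall rule set for the holes that make a good firewall "managed badly".

Added example, not from the post or the forum it cites. Constructed rule format,
one rule per line, first match wins, IPv4 only:
    <permit|deny> <proto|any> <src-cidr|any> <dst-cidr|any> <dst-port|any>
"""
import ipaddress

MGMT_PORTS = {22, 23, 3389, 5900}  # constructed list of admin/console ports

# Constructed sample rule set for the demo.
SAMPLE_RULES = """
# order matters: first match wins
permit tcp 10.0.0.0/8 10.0.5.10/32 443
permit tcp any any 22
permit any any any any
deny tcp any 10.0.5.10/32 22
permit tcp 192.168.1.0/24 10.0.5.20/32 3389
"""


def parse_rule(line):
    """Parse one rule line into a dict; 'any' becomes 0.0.0.0/0 or None."""
    action, proto, src, dst, port = line.split()
    return {
        "action": action.lower(),
        "proto": proto.lower(),
        "src": ipaddress.ip_network("0.0.0.0/0" if src == "any" else src),
        "dst": ipaddress.ip_network("0.0.0.0/0" if dst == "any" else dst),
        "port": None if port == "any" else int(port),
        "text": line,
    }


def covers(outer, inner):
    """True if every packet matched by `inner` would already hit `outer`."""
    return (
        outer["proto"] in ("any", inner["proto"])
        and inner["src"].subnet_of(outer["src"])
        and inner["dst"].subnet_of(outer["dst"])
        and outer["port"] in (None, inner["port"])
    )


def audit(ruleset):
    """Return findings as (kind, rule, note) tuples, in rule order."""
    lines = [l.strip() for l in ruleset.splitlines()]
    rules = [parse_rule(l) for l in lines if l and not l.startswith("#")]
    findings = []
    for i, rule in enumerate(rules):
        if rule["action"] == "permit":
            wide_open_src = rule["src"].prefixlen == 0
            if wide_open_src and rule["dst"].prefixlen == 0 and rule["port"] is None:
                findings.append(("permit-any-any", rule["text"], ""))
            elif wide_open_src and rule["port"] in MGMT_PORTS:
                findings.append(("mgmt-port-exposed", rule["text"], ""))
        # Shadowing: an earlier rule that covers this one makes it dead code.
        for earlier in rules[:i]:
            if covers(earlier, rule):
                findings.append(("shadowed", rule["text"], "by: " + earlier["text"]))
                break
    return findings


if __name__ == "__main__":
    for kind, rule, note in audit(SAMPLE_RULES):
        print(f"{kind:18} {rule}  {note}")
```

On the sample set the audit flags the SSH-from-anywhere rule, the permit-any-any rule, the deny that sits below a broader permit (so it never blocks anything), and a redundant RDP rule swallowed by the any-any permit. None of those is a product weakness; every one is an administrator putting a rule in the wrong place or leaving a temporary "open it up" rule behind, which is exactly Blask's point.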
Recently on the Security Incite Rants Blog
SearchSMB Column: Security VARs -- Buyer Beware
The first installment of my new monthly column on SearchSMB appeared yesterday. I clarify the role of the security VAR in building a security architecture, and discuss some things customers need to be wary of. Finally, there are the 5 questions you absolutely must ask your VAR.
Read Thursday's Daily Incite