The Daily Incite - June 5, 2006

Submitted by Mike Rothman on Mon, 2006-06-05 09:33.
Today's Daily Incite

June 5, 2006

Good Morning:
Happy Monday. Running a bit late today as we had to get all of the kids ready for their first day of camp. New routines always take a bit more time until you get into the flow of things. I'm sure you are all very interested in that. Lots of news stories, many of which I couldn't get to - so I'll be sending out a separate post later today highlighting some other topics I found interesting this morning.

In terms of stuff I want to highlight, you are going to be hearing a lot more about pandemic outbreaks in the near term. These disasters do have some ramifications on how you should be thinking about recovery and also security. So expect a lot of vendors to start positioning their stuff as the cure to the outbreak situation. Looks like we may have found the new "compliance" for security folks always trying to find some way to create a buying catalyst for stuff customers just don't need. I'll also point out that in some markets, Microsoft is literally years behind in capabilities. If you look at what they are planning to do in Exchange 2007 for security, it feels like I just stepped out of a time machine. But at the end of the day it always gets back to pricing, especially in the mid-market and that's where Microsoft can be years late and still have an impact.

Have a great day.

Top Security News

Security execs confirm - we are worriers!
So what?- Evidently my Mom taught me well since folks like me - information security professionals - tend to be a worrying lot. This NetworkWorld article about a survey (you know that I just love surveys) sponsored by Courion confirms this tidbit. These tend to be identity management type folks (or what else would they be doing at a Courion user conference), but their perspectives reflect a lot of what we see every day. Unauthorized access is a consistent issue, whether it's about systems, endpoints or networks. That is a big part of what is driving identity management and the hype around Network Access Control. I continue to mention these kinds of news items because it's about watching the trends, as opposed to being focused on exactly what each survey says. Access and authentication continue to bubble up all the time, and it is that consistency that drives a lot of my research.
http://www.networkworld.com/news/2006/052606-execs-security.html?page=1

Are you ready for a pandemic outbreak?
So what? - There are lots of disaster scenarios we need to worry about as security folks. The latest is a pandemic outbreak - like bird flu. The impact of an outbreak is that many employees won't be able to go to the office. So are you prepared for that? Do employees have laptops or have some way (like Citrix) to run applications (or control their desktops) remotely? If they do, how are you protecting the data? From an architectural perspective, this is not a hell of a lot different than any other disaster recovery situation, but to not give some thought to how it's different for your specific organization is not doing diligence. So get thinking about how Bird flu would/should change your operations, besides skipping the weekly Chick-Fil-A outing.
http://www.informationweek.com/story/showArticle.jhtml?articleID=188701102

Imperva monitors the database
So what? - From a security point of view, monitoring is not very interesting. The idea of knowing what has happened, without really doing anything about it - strikes me as a waste of time. But that is if your job title has SECURITY in it. If you are an auditor or compliance officer, the last thing you want to do is remediate. Getting in the way of stuff is a no-no. Imperva has announced a database gateway that pretty much logs transaction level detail and can take it to that next step by determining which user in which application committed the transaction. Any of you that have spent time trying to secure an application like SAP or Oracle Financials knows that the application basically opens up only a few anonymous sessions with the database, so you have no idea which user did what within the database. So this is cool. Imperva has also integrate the database monitor with the front-end web application firewall, so depending on policy, you can remediate if need be.
http://www.imperva.com/company/news/2006-jun-05.html

Exchange 2007 security - ho hum
So what? - This story from Ferris basically illuminates us on what we'll see in Exchange 2007 from a security standpoint. Hmm. TLS between Exchange servers. That's novel. And you can even be "opportunistic" so if a non-Exchange MTA supports TLS, encrypt those messages as well. Welcome Microsoft to the year 2004, when TLS because prevalent on mail gateways. Unbelievable. Slightly more interesting is Microsoft's Message Level Security initiative, which is basically PKI - but storing public keys in the DNS records, making them more easily accessible. Since Sender ID (where you store mail authentication information in the DNS records) has been such a resounding success (yes that is sarcasm talking), why wouldn't they just put more stuff in DNS? I'm skeptical because gateway to gateway encryption isn't hard, it's figuring out what to encrypt which is the issue. But Microsoft is clearly positioning Exchange 2007 as a legitimate gateway alternative. I think that would be a very bad idea for users.
http://blog.ferris.com/2006/06/exchange_2007_s.html

Yes, we need an IDSP - but Symantec?
So what? - As I've gotten pretty deep into the Identity Management space, the need for an objective third party to vouch for online identities is clear. These Identity Service Providers (IDSP) can do a bit more than making sure you have a valid email address to ensure the authenticity of an individual. eBay's reputation oriented approach is inherently limiting in that it takes a while (at least a fraudulent transaction or two) before the community figures out someone is a shyster. VeriSign is in a pretty good position to do this, and part of its VIP Network is targeting this exact issue. But it will take a while for folks to get comfortable with this IDSP concept, but it's needed to truly remove a lot of the friction for ecommerce moving forward. BTW, I don't think Symantec is a legitimate option to be an IDSP, though with their consumer AV base - they've got the critical mass to get it rolling. My issue is the objectivity part of the equation.
http://www.networkworld.com/news/2006/060106-symantec-ponders-internet-id-management.html

Top Blog Postings

Web site checkup - before the bad guys make you sick!
Eric Ogren has a good post here to remind us that hackers can get most of the information they need to compromise web sites through pretty simple scanning tools. And yes, that means us folks responsible for protecting those sites should be using the same tools to figure out what the bad guys are going to learn - hopefully a step or two ahead of them. Remember, there are application vulnerabilities as well as system/OS vulnerabilities and you need to pay attention to both.
http://www.computerworld.com/blogs/node/2673

Top 10 passwords - so what?
Darknet has a list of the Top 10 passwords used in the UK. They are pretty simple, but should we be concerned? I think not for a couple of reasons. The first being password cracking is pretty sophisticated nowadays, so if someone wanted to brute force your account - they will. More importantly if your systems will allow a brute force attack (and not lock intruders out after 5 failed attempts), then shame on you. But you need to have other layers in place besides the password because to mandate hard to crack passwords (you know the type, a few letters, a few numbers and a special character) will drive your help desk costs up with password resets. Or buy a self-service password management tool, but it may be cheaper just to reset passwords. Or look at something like BioPassword, which can make weak passwords pretty strong.
http://www.darknet.org.uk/2006/06/the-top-10-most-common-passwords/

Risk scoring continues to be a waste of time
It's good to see some of the broader security community come around. For a long time, we all wanted a number. How secure are you? Or the converse - what is your risk? But at best, all of these cock-eyed equations and concocted math don't prove much at all. So you can spend time trying to quantify your risk, or you can spend time addressing that risk and fixing things. I think you all know where I sit in the discussion. But TaoSecurity's Richard Betjlich weighs in on a column by Donn Parker that gets a little deeper into the futility of risk score-based security. The most interesting part of this is the idea of "due diligence" which is basically saying to do what the other guys do and you'll be ahead of the game. You won't be at the cutting edge by intentionally reverting to the mean, but you'll be much better off than most. Watch this space, let's just say I agree with this approach and am going to be doing something about it.
http://taosecurity.blogspot.com/2006/06/risk-based-security-is-emperors-new.html

Do they really need that information?
This is a great post by Martin Brown about how easily people just give away personally identifiable information. For a donut or something similarly trivial, people will pretty much tell you whatever you want to know. That is ridiculous. Martin is spot on about needing to understand the rules and don't be afraid to question whether folks really need the data. A personal case in point was taking my kids to a new dentist last week. My wife called me to get my social security number, since the dentist's office had it on the form. I wouldn't give it up and it turned out the dentist didn't really need it, it's just on the form. Yes, I have some of my own user education to do at home, but the fact is the same. Get in the habit of saying no and making the organization justify why they need personal information.
http://www.computerworld.com/blogs/node/2664

Recently on the Security Incite Rants Blog

Read Friday's Daily Incite
http://securityincite.com/blog/mike-rothman/the-daily-incite-june-2-2006