The Daily Incite - June 9, 2006
Good Morning:
I hereby declare today to be Big Thinking Day. Sure, the building is burning down and there are way too many things on the to-do list, but indulge me for a second and try to step back from our standard daily misery and think bigger picture. Every so often it's nice to do that. So I sprinkled in some articles and posts here that aren't necessarily security related, to broaden our perspectives.
VoIP is already big and we ain't seen nothing yet. It promises to open up a whole new set of opportunities from a communications applications standpoint, but there will be the inevitable security complexities around that. So take a few minutes and think about how Cisco's march towards the VoIP applications space (they acquired two companies in that space this AM) is going to impact how we need to think about security.
Let's also take a few minutes to think about this digital reality that we now live in. What are the security impacts of that? Geoffrey Moore throws some ideas around in an interesting post about what the digital ecosystem means to him and its impact. But he only mentions that security is important and that it's going to need to change. No sh*t, Sherlock! I don't have all the answers, that's for sure, but shame on me if I don't get you folks thinking about these topics as well.
Have a great weekend.
Top Security News
VoIP attack - not really
So what? - The media will be trying to add some FUD (fear, uncertainty, doubt) to the VoIP world today because a guy was caught diverting traffic through other carriers' networks without paying for it. This InformationWeek article is called "VoIP Security Alert," but it's not really a security alert. It's more about identifying a scam used by one individual to game the cross-billing systems between VoIP carriers. THIS IS NOT AN END USER PROBLEM. Sure, the VoIP providers may need to find a better way to determine where authorized traffic is coming from (authenticating the peer that hands them the call, not just trusting the source network), but I don't see this as a big problem. VoIP is another traffic type that runs on our network. Sure, it has some protocol specifics (signaling on one set of ports, media on another, dynamically negotiated) that may make us add a few more knobs to our infrastructure security devices, but I don't really see what all the fuss is about relative to VoIP security. But maybe that's just me.
http://www.informationweek.com/story/showArticle.jhtml?articleID=188702963
Deals: Cisco buys some VoIP application engines
So what? - Just as I don't really see why VoIP security is so much different from what we do to secure every other piece of the IP infrastructure, I do see a pending storm of APPLICATION layer security issues as more sophisticated telephony functions start showing up on VoIP networks. Today Cisco bought two companies (Metreos and Audium) that provide VoIP application creation/integration environments. So what? Why should security folks care? VoIP applications are going to happen, and we'll initially need some application-specific security stuff to keep them safe. Not unlike email and IM security functions, over time these capabilities will be subsumed into a content security platform, but for the time being they need to be stand-alone, and we as security professionals need to start tracking these VoIP applications and figuring out the risk vectors.
http://newsroom.cisco.com/dlls/2006/corp_060806c.html
Email security is a commodity
So what? - I'm sure my friends and former colleagues in the email security space will love this one. But it is what it is. This review from GCN proves what a lot of us already know: there is an inherent lack of value-add in email security offerings, for inbound email hygiene anyway. The best buys in this review were Symantec and Barracuda, both doing a good job for less than $5000. The more enterprise-class offerings from Proofpoint and IronPort don't make the grade when ease of use and quick implementation are key decision factors. And who doesn't want ease of use and quick implementation?
http://www.gcn.com/print/25_14/40896-1.html
Colleges are a top hacking target
So what? - Sometimes mainstream press articles are good to ground us as to the outside perception of what we do. This LA Times article (syndicated through The Detroit News) gives some perspective as to why colleges are a favorite place for hackers and identity thieves. I know from personal experience (of trying to sell colleges some email security stuff) that it's politically incorrect to tell the students what to do and to restrict their access to ANYTHING. This inherent openness makes for some challenging network security problems when trying to secure private information. These folks are dealing with a Perfect Storm of mayhem: they have no control over the user community, need to provide access to everyone, and have very little budget for security since they like to spend on (go figure) educational pursuits and research. It's in these perimeter-less environments that endpoint and host-based security must become more prevalent.
http://www.detnews.com/apps/pbcs.dll/article?AID=/20060607/BIZ04/606070322/1013
Lots of companies are taking the OATH
So what? - OATH (Initiative for Open Authentication) was started up a couple of years ago, mostly by VeriSign, to build a standard algorithm and protocol for tokens and the like, to provide some ballast against the RSA SecurID hegemony. If anything, the OATH folks have done a good job of getting everyone but RSA to jump on board. The latest set is listed here. It's interesting to see BioPassword jumping on the OATH bandwagon and trying to work keystroke dynamics into the OATH reference architecture. Fact is, OATH is very token and smart card centric, and expanding their vision to other authentication mechanisms that provide that second (or third) factor isn't a bad thing.
http://www.biopassword.com/BP_oath.php
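The "standard algorithm" OATH shipped is HOTP, the counter-based one-time password published as RFC 4226 in December 2005. As an added example (not part of the original post, and not OATH's or any vendor's reference code), here is HOTP in Python plus the server-side check a practitioner actually needs: a look-ahead window for tokens that got ahead of the server, and a counter that only moves forward so a captured OTP cannot be replayed. The `HotpVerifier` class and its `look_ahead` parameter are my own illustrative names; the secret below is the RFC 4226 Appendix D test key, not a real credential.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA-1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then reduce modulo 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[19] & 0x0F            # low nibble of the last byte picks the window
    code = (
        (mac[offset] & 0x7F) << 24     # mask the sign bit so the value is positive
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % (10 ** digits)).zfill(digits)


class HotpVerifier:
    """Per-token state on the validation server (illustrative class, not from the page)."""

    def __init__(self, secret: bytes, look_ahead: int = 10, digits: int = 6):
        self.secret = secret
        self.digits = digits
        self.look_ahead = look_ahead   # how far the token may run ahead of us (button presses without a login)
        self.counter = 0               # next counter value we expect to see

    def verify(self, submitted: str) -> bool:
        """Accept the OTP if it matches any counter in [counter, counter + look_ahead].
        On success the counter advances past the match, so the same OTP (or any
        earlier one) can never be accepted again."""
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            expected = hotp(self.secret, c, self.digits).encode()
            if hmac.compare_digest(expected, submitted.encode()):
                self.counter = c + 1
                return True
        return False


if __name__ == "__main__":
    # Constructed demo using the RFC 4226 Appendix D test secret.
    key = b"12345678901234567890"
    for n in range(3):
        print(n, hotp(key, n))
    v = HotpVerifier(key)
    print("first use:", v.verify(hotp(key, 0)), "replay:", v.verify(hotp(key, 0)))
```

Two things worth noticing: the window lets a user recover after pressing the token's button a few times without logging in, but it also multiplies an attacker's guessing odds by its size, so the server still needs a throttle on failed attempts (RFC 4226 section 7.3); and the counter must be persisted atomically on success, since a server that forgets to advance it turns a one-time password into a reusable one.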
Top Blog Postings
Geoffrey Moore's Top Ten Truths
My reading list is pretty eclectic. Obviously I read a lot of security stuff, but also some bigger technology thinkers like Geoffrey Moore. Right, the Crossing the Chasm guy. In this post he throws some ideas around about the Top Ten Truths of the Digital Ecosystem. Is it really security related? No, but remember - all work and no play makes Mikey a dull boy. Check these out and see how they apply to the security business. He does philosophize a bit about how security will evolve (#8) and the coming services revolution (#5), but it's mostly big thinking from a big thinking kind of guy.
http://geoffmoore.blogs.com/my_weblog/2006/06/top_ten_truths_.html
I hate Blanket mandates about Skype
For the most part, I enjoy Douglas Schweitzer's blog on Computerworld, but today I have a bone to pick with him. In this post, he rails against Skype and calls for a "strict policy against its use in your workplace." This is ridiculous. First of all, his reasoning for why Skype is bad is flawed. EVERY piece of software has vulnerabilities. Bar none. And pretty much anyone doing anything leaves your network open to attack. The only way to be truly safe is to unplug the friggin' thing. But that's not really the point; my issue is the blanket generalization that every corporate network should block Skype. What about a virtual company with employees scattered across the globe? Skype (and its free VoIP brethren) changes the economic model for these businesses. Telecom goes from 50% of expenses to 0, overnight. Sure, if there are legitimate alternatives, Skype becomes less attractive, but security folks CANNOT be Dr. No. We need to think about things in terms of "Yes, but."
http://www.computerworld.com/blogs/node/2717
Accountants worry about security too
Who would've guessed, but for the 4th year in a row, the American Institute of CPAs has voted information security their top issue, as reported by LISNews. And this is ahead of compliance and disaster recovery. Fact is, all of these topics depend on each other, so at least they are consistent. I wonder if they used Excel to tabulate the results? But I digress. Security will remain hot for the foreseeable future, that's for sure.
http://geek.lisnews.org/article.pl?sid=06/06/08/1922248&from=rss
Web-based apps introduce data issues
On-demand applications, or whatever you want to call them, are all the rage. As Richard Stiennon points out, pretty much every small business person is using or looking at these alternatives, including yours truly. But in this post, Richard does remind us of the dark side, which is that your data is somewhere else. Depending on the nature of your business, that may be acceptable or not so much. And now, as Microsoft alternatives begin to appear from the likes of Google, this makes it all the more important to ensure you are practicing good data hygiene. If something is sensitive, you probably shouldn't put it in a web-based spreadsheet. I'm not sure that emailing around that same data in an Excel spreadsheet is any more secure, but it feels that way.
http://blogs.zdnet.com/threatchaos/?p=337
Recently on the Security Incite Rants Blog
Feedblitz delivery is lumpy
I've started having some delivery issues with Feedblitz, so I wanted to send out a blanket message to my Feedblitz subscribers that they can get The Daily Incite directly via email one day earlier.
http://securityincite.com/blog/mike-rothman/feedblitz-delivery-is-lumpy
Read Thursday's Daily Incite
http://securityincite.com/blog/mike-rothman/the-daily-incite-june-8-2006


I do believe that could almost be a certainty, but nowadays, who knows? Maybe they can lock it down tight enough. But it's the kid in his basement right now reading posts similar to these, trying to decide whether or not to produce a new form of spam or virus via VoIP services for the greater good of his internet underworld. I would also think along the lines that maybe one of the major future issues is going to be hackers trying to access the database of numbers to either increase their list for sale or for personal spam reasons, so this just enforces the need for at-rest data encryption, I would think. It seems only time will tell.
Both Dan and Shawn bring up good thoughts here. My perspective is that there will definitely be both spam and outright attacks on VoIP networks. But we get spam today on our PSTN lines and lots of it. But they call it telemarketing and for some reason it's acceptable to call folks at all hours of the day/night. Sure you can put yourself on the do not call list and that has helped. It gets back to enforcement. If the rules are enforced on VoIP lines, as they are on regular PSTN lines, then we'll be fine.
Let's also separate out true VoIP phone service vs. VoIP transport. Folks like Vonage are VoIP transport that just uses a cheaper underlying mechanism to complete PSTN calls. These lines are subject to the same rules as PSTN lines. Of course, the transport is subject to denial of service attacks, etc., but so is every other IP-based application, which is pretty much everything.