The Daily Incite - March 15, 2006

Submitted by Mike Rothman on Wed, 2006-03-15 08:41.

Good Morning:
Kind of a slow news day in security-land, with the bigger issue being how McAfee and Apple screwed up some updates/patches over the past week. But lots of interesting stuff in blog-land, so I've put in a bunch of links for those interested. I've got 2-3 posts ready to go for Rants as well, so I'll be posting throughout the day. Have a great day.

Top Security News

Security Screw-Up 1 - McAfee (http://www.eweek.com/article2/0,1895,1937154,00.asp)

So what?
- McAfee sends out a DAT update that wreaks havoc on enterprises by deleting lots of good files. This situation was inevitable due to the velocity of threats. Response time is measured in minutes (not hours), and when you need to respond that quickly, shortcuts are going to be taken. This time it was McAfee; next time it will be someone else. But this will happen again. Users are advised to grin and bear it. I know that's a crappy answer, but you can't test every AV update - and you can't wait until someone else does. You can get pissed and think about switching vendors, but the reality is that switching costs will be high and there is no guarantee whoever you pick won't screw up next month. If anything, if your renewal is coming up in the next 3 months, use this as leverage to drive the price down a bit.

Security Screw-Up 2 - Apple (http://www.informationweek.com/story/showArticle.jhtml?articleID=181503692)
So what? - Apple missed some stuff with last week's patch, so they fixed it. This is also inevitable, as Apple has a lot of learning to do about the security patching process. I have my iBook set to check daily for updates, so the new patch was downloaded, I restarted, and it's all good. This is a low-impact issue. Told you - slow news day.

Top Blog Postings

Protect your teens
Johanna Ambrosio of InformationWeek has a great piece on protecting teenagers online, reflecting her personal experience. This is a huge issue for many, so if you have teenagers - read this posting. My oldest is not even 6 yet, so she's still quite happy tooling around the Disney and PBSkids sites, but it's just a matter of time before any of us with kids will need to deal with this problem. Being security professionals, we have a leg up (since we know what's available out there), but ultimately we need to equip our kids to make the right decisions, as opposed to expecting software to be a silver bullet. Also go visit K9, which is a service of Blue Coat to educate consumers about the bad stuff happening on the net.

Link: http://www.informationweek.com/blog/main/archives/2006/03/keeping_kids_sa.html

Shortcuts are a fact of life
Jim Rapoza of eWeek vents about companies taking shortcuts on protecting private information. This was driven by a court decision releasing a financial provider from liability even though they didn't have proper protections on student loan data. DUH! Some folks take shortcuts and it pays; for others...not so much. And we can't count on the courts to defend us. I was actually talking to someone this week who commented about healthcare companies taking shortcuts because the penalties for violating HIPAA are a rounding error. That's pretty scary, but it's true. I don't spend a lot of time agonizing over human nature, which is that people are going to take the easy way pretty much every time. So, it's reasonable to ask your bank and healthcare providers how they protect your data. And then you can decide whether that is someone you want to do business with.

Link: http://www.eweek.com/article2/0,1895,1935518,00.asp

Hack Thyself?
Interesting article by Matt Sarrel in PC Magazine (which is targeted at SMB types) called "Hack Thyself" about vulnerability management. They don't really call it that, but the article is about using a scanner to see if/how you are vulnerable. Again, as security folks, this is obvious. BUT there are lots of unsophisticated users out there that need help like this. If you are a vendor, take heed. It needs to be simple (and preferably transparent) to be mass-market applicable.

Link: http://www.pcmag.com/article2/0,1895,1932661,00.asp

Military Mindset?
My old friend Jay Heiser (now of Gartner) writes in his monthly Information Security Magazine column about security professionals needing to move away from the military mindset. I am mostly in agreement with this, in that we must act pragmatically and not do security just for security's sake. BUT this is war and the bad guys want to do a lot of damage, so having a structured containment and response process and mechanism that is practiced and runs with military precision is absolutely critical to keeping your information safe. The point of evolution is to leave the useless stuff behind, but improve on what works. Sure, there is some part of the military mindset that is not helpful, but a lot is - so I say don't throw the baby out with the bathwater, but make sure that you are constantly looking for ways to do more of the right stuff and less of the wrong stuff.

Link: http://searchsecurity.techtarget.com/columnItem/0,294698,sid14_gci1171862,00.html?track=NL-102&ad=545608

Face-off on Anomaly Detection
I really enjoy the face-offs that Network World publishes. This one is about anomaly detection, and both participants make good points and are misguided on others. The reality is that behavioral-based techniques are another tool in our tool bag. They should be treated as such. It's not a panacea, nor is it a waste. In fact, anomaly detection techniques are being added to most of the perimeter defense offerings out there because they make a good complement to traditional IPS signature and heuristic methods. That doesn't mean it's a stand-alone opportunity for a vendor, but users need to figure out how to integrate all applicable techniques into their defense schemes. The answer continues to be "all of the above," regardless of what the vendors say.

Link: http://www.networkworld.com/community/?q=anomaly&nettx=031406netflash&code=nlnetflash26594

Ed Moyle on the futility of Hacking Challenges
Amen to this! Like any test, review or challenge, the answer will inherently be biased because of how the test is set up. Users need to look at these results in context. The Swedish Mac OS X hacking challenge seemed to be a farce. The one done at U of Wisconsin may have been too. The fact is, just as stupid as it was for Oracle to claim they were "unbreakable" a couple of years ago, it's stupid to think that any OS will be free of malware and threats. They can all be broken if given enough time. Nothing is foolproof. So make sure you have layered defenses in place, so you are not putting all your eggs in one basket.

Link: http://www.securitycurve.com/blog/archives/000358.html