The Daily Incite - March 15, 2007
March 15, 2007 - Volume 2, #45
Good Morning:
They like me. They really like me. The folks over at ITSecurity have named yours truly (and pretty much all my blogging buddies) as a few of the top 59 influencers in IT Security (here). Not that I like to kick a gift horse in the mouth, but eat some New Balance Secretariat. How did they arrive at 59? They couldn't find 60? But I am flattered to be recognized. My Mom will be really proud. I'm sure your RSS readers will be all aflutter with folks linking to the list. Maybe this is IT Security's sweeps week, so they are trying to juice page views or something.
I also appreciate all the SIM vendors that sent me another message telling me I'm an ass and that they really are different and "next generation." Yup. My broker just called and said he's got a bridge he wants to show you. Evidently a great deal. Maybe I am an ass, but this ass will tell you what I think - whether you like the answer or not.
Which brings me to a point, though I'm not sure what it is. OK, now I remember. I'm working on some really cool stuff now and I spent the day with a buddy (that many of you know, but it's a secret - shhhh) planning out how we are going to really push forward the practice of security education and training. We'll be making a big announcement at the end of the month, and it will be BIG. We both left the meeting really jazzed about the potential of what we can build and the impact that it can have.
But that's all I can say about that right now. Don't you just love folks that pre-announce stuff with no details to pique your curiosity? Me neither, but I pretty much can't contain my excitement, which is a rarity. Really a rarity. So I think I'll enjoy it for a few minutes. Tick tock tick tock tick tock tick tock. Ding. OK, fun time is over - back to work.
Have a great day, a restful weekend (I'm spending a boys weekend with my son and my Dad), and I'll see you on Monday.
Technorati: Information Security, CSO
The Pragmatic CSO is Here! Read the Intro and Get "5 Tips to be a Better CSO" at www.pragmaticcso.com
Top Security News
So that is Web 2.0
So what? - Our friends at ComputerWorld were kind enough to assemble a crack list of how-to's for securing Web 2.0 technologies (here). Having a blogging policy is a good idea, but I suspect that most employees realize that a blog is a publicly accessible document. So it would be a bad idea to post the Coca-Cola recipe on one. Interestingly enough, USB thumb drives and instant messaging fit into the Web 2.0 bucket. So does user education and awareness training. Maybe Web 2.0 means "whatever I need to call this article to get some search engine optimization." Not that I'm sure what Web 2.0 means, but I'm pretty sure thumb drives aren't one of the key technologies.
Security is a feature - coming right up
So what? - I've been saying for a while that security eventually becomes a feature of the infrastructure. That's right, baked right into the network fabric and data center. Of course, this is going to take some time (maybe as much time as Art Coviello's prediction of new more security start-ups), but it is going to happen. Meru's announcement of enhanced security on their WLAN controllers is a case in point (here). Most of the wireless infrastructure folks do some security, and as happens with every technology market - over time it's going to get better. So does that leave an opportunity for those folks selling stand-alone/overlay security capabilities? Not really and not for too long. These folks (wireless IPS, anyone?) better find a chair soon - because at some point the music will stop - and those without partners will go away.
iBankers run for your lives
So what? - I guess I missed the lesson where I was told if you don't have anything nice to say, say nothing. When a part-time editor from InformationWeek starts doing merger analysis, we all better head for the hills. The apocalypse is nigh! Don't look back, you may be turned into a pillar of salt. If this article (here) wasn't so damn wrong, I would have let it go. But this shows you cannot learn how and why tech mergers take place by talking to one lawyer who clearly doesn't have a clue. Mergers (or acquisitions) have very little to do with strong balance sheets. Or a tired founder. Give me a break. Microsoft buying TellMe isn't about some octogenarian selling out the family business because the next generation is a bunch of prep school nincompoops. Tech mergers are about either growth or getting assets on the cheap. There is very little in between. What's next, a tutorial on the P/E ratio? I guess today is "be frustrated with Tech media" day.
The Laundry List
Apple's MSU (massive security update), driven by MOAB. Where is Ahab when you need him? - here
Fortinet finds ePO holes. Telegram for Mr. DeWalt. Hot poker in the eye, courtesy of Ken Xie. - here
Postini finds bot nets killed JFK. - here
HiJack finds a Trend (who also are worried about their reputation) - here
Top Blog Postings
Desperately seeking blog fight club
I think we need to start a Blog fight club. We had a few good rumbles last year, but now with Stiennon in vendor land (where his memory has been erased by the Haitian guy on Heroes), Niehaus gone who knows where, and Shimel back on his Ritalin - I haven't jumped into a good scuffle in quite a while. Hoff makes his best attempt in this post, by using the magic of Google to feed Stiennon his words through a straw. But as much as he keeps knocking, I don't think anyone is home to engage. I think it's a pretty useless discussion, frankly. Customers will buy a technology that solves a problem - regardless of what IDC or Gartner call the friggin' category. Device consolidation is a real driver for UTM, even if they are trying to just upgrade their firewall or IPS. And Fortinet does UTM, evidently until it's not convenient to do so after a whole mess of other vendors enter the fray and muddy the market share waters. I think I'm going to do a "dunce of the week" starting next week and call out some folks. What the hell? F Kumbaya, let's get ready to rumble.
http://rationalsecurity.typepad.com/blog/2007/03/the_semantics_o.html
One more thing on pen testing
Matasano Dave expands a bit on the Schneier/Ranum love fest on pen testing by making a few more points about why customers with a clue actually do pen testing. I have another reason. To help prioritize what needs to be fixed NOW. You run a scan and inevitably the list of vulnerabilities will be long. Do you fix them all? Do you have 48 hours in a day? Are bears toilet trained? As part of a P-CSO baseline (Step 2) or assurance (Step 10), a pen test helps you to figure out what needs to be done RIGHT NOW. Then when you've fixed that stuff, you can celebrate your victories (another key tenet of a P-CSO) and market the hell out of your accomplishment - as pointed out by MCW here.
http://www.matasano.com/log/719/more-on-pen-testing-2/
Fix the app issues (regardless of what PCI says)
Since I'm looking for a fight, I think I'll pick on Jeremiah a bit. This could prove to be a very bad idea because he does ju-jitsu and likes to fight in a cage. But I'll take my chances. In this post, he shows a bit of angst on whether the PCI steering committee will extend web application defenses to CSRF (cross-site request forgery) attacks. I guess most folks would fail, but does that mean it shouldn't be part of PCI? NO. Does that mean that web sites should be off the hook to solve the problem and fix the hole? Hell NO! Yes it's hard (and if Jeremiah says it's hard - I believe him), but if the threat is real and credit card data could be compromised - then PCI should mandate web sites fix it. For some reason I was under the impression that PCI was about protecting data, not what is easy to implement and scan for. If they basically sweep it under the rug, then PCI will have no more teeth than Bernie Ebbers after a week with Bubba as his roomie.
http://jeremiahgrossman.blogspot.com/2007/03/big-trouble-if-pci-dss-requires-csrf.html