The Daily Incite - May 10, 2007

Submitted by Mike Rothman on Thu, 2007-05-10 10:47.
Today's Daily Incite

May 10, 2007 - Volume 2, #77

Good Morning:
Yesterday I talked a bit about "collusion" relative to 3 database security vendors announcing largely the same thing on the exact same day. As expected, I heard back from these folks - and as I expected - they pointed the finger at each other and claimed the other was copying. Just like my twins. At least human nature isn't failing me here. But as I was at dinner last night with an old friend, we got to chatting about why there are multiple companies in each sector.

In case you aren't following, it always seems that there are 2-5 companies for every emerging security (actually, probably broader technology) problem. You never just get one start-up that solves a specific problem. That's very rare. So my friend and I started throwing some ideas around as to why this is ALWAYS the case.

Then I had an epiphany. It gets back to collusion. A key part of the launch process for any venture-funded company is validation. That's when they talk to a bunch of CIO/CSO/CFO or some other highfalutin' C-level blowhard and ask them what their problems are and if they built X, would they buy it. They tend to focus on large enterprises, so you end up with a bunch of entrepreneurs that talk to roughly the same 40-50 companies and get roughly the same feedback.

I've been there, I've done it. But I never put the pieces together. Of course, all of the entrepreneurs are going to come up with new products to solve the same problems. They are discovering the problem space by talking to the same people. Of course, the uniqueness comes in how the problem gets solved and whether they can build it, bring it to market, and compete effectively.

Next time you get pissed about getting calls from 4 vendors offering the same exact thing, just think back to the fact that if you talk to these entrepreneurs - then you are to blame. You or someone like you gave them the answer. It's your bed, now you get to sleep in it.

Have a great weekend.


The Pragmatic CSO: Available Now!
Read the Intro and Get "5 Tips to be a Better CSO"
www.pragmaticcso.com

Pragmatic CSO Bootcamp - Maiden Voyage
June 6 in Atlanta
Sign up Now! Only 10 slots (and they are filling fast)
Sign up for the P-CSO bootcamp

Top Security News

Not CSO, CIMO (Chief Information Management Officer)
So what? - Just due to the nature of what I do, I end up spending a lot of time with folks in the financial industry. That's where the money is, after all, so they are constantly targets. This article on Wall Street & Technology says security is more of an information management function and that security professionals have to evolve their skill set. I am certainly on board with that, and for smaller financial institutions that becomes a huge issue. The Super-Regionals just throw money at the issue, but the thousands of other smaller FIs and credit unions are continually having to rob Peter to pay Paul. Getting back to the article, the point is that it's all about the data and that a hard perimeter isn't going to get it done moving forward. They are exactly right.

Has the monthly patch cycle outlived its usefulness?
So what? - Dennis Fisher asks this very question in his SearchSecurity editorial this week. He makes some interesting points about why customers should have to wait for the monthly patching extravaganza, especially when there is a serious issue. But I still think the monthly cycle is the right approach for the vast majority of patches and also the vast majority of customers. Any organization of size has huge issues with testing and ensuring the patches won't cause regression issues with the rest of the systems. Doing any more than once a month means patching is pretty much all they'd do. There are approaches to get patch-like functionality and use IPS signatures to block these attacks until the patches can be worked through the change control process, which does take time. So I hear where Dennis is coming from, but monthly is still the right frequency for patching.

Is PDF your friend?
So what? - Sometimes I see something in the broader tech press that is very relevant to what we do. This article in the PDFZone is an interesting issue that we have to deal with. I railed quite a bit about blocking encrypted zip files at the mail gateway, but that isn't the only way you can get nasty content through the gateway. PDF, as evidenced in this article, can be another way. Of course, I'm not familiar with ways to embed executables into PDFs, but you can certainly put links in there. So this could be a newfangled spam/phishing vector. The answer? Probably nothing right now, but a lot of the technologies designed to stop image spam should also be applicable to PDFs. And if the PDF is encrypted and password-protected? Right, block it at the gateway.
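The gateway rule above (scan plain PDFs, block password-protected ones that a scanner cannot look inside) as an added example; this is not code from the post or from any gateway product. The two PDF byte strings are constructed minimal skeletons, and a real filter would sit on a full PDF parser rather than these regexes.

```python
import re

# Constructed minimal PDF bytes (not real documents) to exercise the check.
PLAIN_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
trailer << /Size 3 /Root 1 0 R >>
startxref
0
%%EOF
"""
# Same skeleton plus a standard-security-handler dictionary referenced from the trailer.
ENCRYPTED_PDF = b"""%PDF-1.4
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj
3 0 obj << /Filter /Standard /V 2 /R 3 /Length 128 /P -3904 /O <00> /U <00> >> endobj
trailer << /Size 4 /Root 1 0 R /Encrypt 3 0 R /ID [<01> <01>] >>
startxref
0
%%EOF
"""

# Classic trailer dictionary, and the dictionary of a cross-reference stream (PDF 1.5+),
# which carries the same keys when the file has no "trailer" keyword.
TRAILER_RE = re.compile(rb"\btrailer\s*<<(.*?)>>\s*startxref", re.DOTALL)
XREF_STREAM_RE = re.compile(rb"<<[^>]*?/Type\s*/XRef[^>]*?>>", re.DOTALL)
ENCRYPT_KEY = re.compile(rb"/Encrypt\b")

def is_pdf(data: bytes) -> bool:
    # Magic bytes only; the attachment's file extension is not trusted.
    return data.lstrip().startswith(b"%PDF-")

def is_encrypted_pdf(data: bytes) -> bool:
    """True if any trailer-style dictionary carries /Encrypt, i.e. the streams are
    ciphered and a gateway scanner cannot inspect their content."""
    dicts = [m.group(1) for m in TRAILER_RE.finditer(data)]
    dicts += [m.group(0) for m in XREF_STREAM_RE.finditer(data)]
    return any(ENCRYPT_KEY.search(d) for d in dicts)

def gateway_verdict(data: bytes) -> str:
    """Policy from the post: encrypted PDFs are blocked because they cannot be
    scanned; plain PDFs are handed on to the content/spam scanner."""
    if not is_pdf(data):
        return "not-pdf"
    return "block" if is_encrypted_pdf(data) else "scan"
```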

The Laundry List

  1. Will browsing in a virtual machine protect you? Probably, but not always. This is a good tip from Ed Skoudis - SearchSecurity Tip
  2. Trend Micro wins an anti-spam bake-off? Huh? Guess they had the time machine set for 2004. - Trend Micro press release
  3. Barney alert. PGP shacks up with Intel to do something at some point. We're all a big happy family, eh? - PGP press release
  4. Clearswift is still around? I guess so, they updated their web filtering gateway. - Clearswift article

Top Blog Postings

F1000 bots, yes they exist
The Fortune 1000 tends to have the ability to invest a lot in things like security, but it's not always foolproof. Yes, there are owned machines within enterprises and yes, they launch bad attacks. Symantec talks about the issue in this post. In many cases, relative to the aggregate traffic, it's a rounding error, so the security folks tend to not worry about it too much. So how do you know a machine has been owned? Security monitoring, of course. If you know what's normal and then see traffic dynamics that aren't normal, then you know something is off kilter.
http://www.symantec.com/enterprise/security_response/weblog/2007/05/big_corporations_and_bots_a_ma.html
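The "know what's normal, then flag what isn't" monitoring idea above, as an added example (not code from the post or from Symantec): a per-host baseline of outbound fan-out and destination ports over a few days, with the target day compared against it. The flow summaries are constructed, and the three-sigma rule with a unit floor is an assumption, not a recommendation from the post.

```python
import statistics
from collections import defaultdict
# Constructed flow summaries (not real data): "<day> <host> <dst_ip>:<dst_port>"
FLOWS = """\
d1 ws-01 198.51.100.10:443
d1 ws-01 198.51.100.11:443
d1 ws-02 198.51.100.10:443
d2 ws-01 198.51.100.10:443
d2 ws-01 198.51.100.12:80
d2 ws-02 198.51.100.12:80
d3 ws-01 198.51.100.10:443
d3 ws-01 198.51.100.13:443
d3 ws-02 198.51.100.10:443
d4 ws-01 198.51.100.10:443
d4 ws-01 198.51.100.11:443
d4 ws-02 198.51.100.12:80
d4 ws-02 203.0.113.7:6667
d4 ws-02 203.0.113.8:6667
d4 ws-02 203.0.113.9:25
d4 ws-02 203.0.113.10:25
"""

def parse_flows(text):
    # Yield (day, host, dst_ip, dst_port) from the summary lines.
    for line in text.splitlines():
        if not line.strip():
            continue
        day, host, dst = line.split()
        ip, port = dst.rsplit(":", 1)
        yield day, host, ip, port

def detect_outliers(text, baseline_days, target_day, sigmas=3.0):
    """Flag hosts whose distinct-destination count on target_day exceeds their own
    baseline, or which reach destination ports never seen during the baseline."""
    dsts = defaultdict(lambda: defaultdict(set))   # host -> day -> {dst_ip}
    ports = defaultdict(lambda: defaultdict(set))  # host -> day -> {dst_port}
    for day, host, ip, port in parse_flows(text):
        dsts[host][day].add(ip)
        ports[host][day].add(port)
    alerts = []
    for host in sorted(dsts):
        history = [len(dsts[host][d]) for d in baseline_days]
        mean, spread = statistics.mean(history), statistics.pstdev(history)
        threshold = mean + sigmas * max(spread, 1.0)  # floor avoids a zero-variance baseline
        today = len(dsts[host][target_day])
        known_ports = set().union(*(ports[host][d] for d in baseline_days))
        new_ports = ports[host][target_day] - known_ports
        if today > threshold or new_ports:
            alerts.append({"host": host, "fanout": today, "threshold": threshold,
                           "new_ports": sorted(new_ports)})
    return alerts
```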

Submitted by Dan Klinedinst (not verified) on Mon, 2007-05-14 15:00.
I'm not sure blocking encrypted PDFs at the mail gateway is the right solution. Unlike encrypted executables, one can make a pretty strong business case for encrypted PDFs. Since we don't yet have common email encryption or a widely deployed, standards-based PKI system, encrypted PDFs are one of the few easy ways to email confidential data with some degree of privacy. Rather than block them, I'd like to see pressure on Adobe and/or mail client vendors to decrypt them on the workstation and virus scan them before allowing the user to open them.
Submitted by Mike Rothman on Mon, 2007-05-14 16:42.

Dan,

I agree with your ideals, but in practice - that's not what usually happens. So every company needs to make a determination as to whether they can accept the risk of an encrypted PDF. To date, it's pretty rare for malware to show up in a PDF, so the risk is obviously much less than an encrypted zip. But asking Adobe to do much of anything is a pipe dream. They pay lip service to security, but at the end of the day they make money by helping folks share information in a multi-platform way and security makes that a lot harder.
