The Daily Incite - May 12, 2006

Submitted by Mike Rothman on Fri, 2006-05-12 08:33.
Today's Daily Incite

May 12, 2006

Good Morning:
And I thought yesterday was slow. Not a lot going on today, so I won't waste a lot of time with tangential stories. I have had my head down this week working on some client deliverables and a new subscription offering targeting vendors. So I've been busy busy. I know some of you have been trying to get a hold of me (thanks for your messages) and I'll respond today. Next week I'll be upgrading the Security Incite web site and launching the new offerings. There will be lots of new Incite to chew on in the very near term.

I also want to mention a few sites that I've added to my reading list recently. I scan about 200 different sites (about 100 of them security related) daily through my blog reader, so I won't mention them all. But a few I'm digging right now are: Matasano, Big4Guy, Dancho Danchev, Richard Bejtlich and Chandler Howell. Why do I like reading these folks? Because I learn something from almost every post they do. The bloggers that just link to news stories and don't add value are pretty annoying. It's taking the news peg and providing value-added perspective that makes it worth reading. I don't necessarily agree all the time (and usually will post my two cents somewhere), but these folks make me think and I appreciate that.

Have a great weekend.

Top Security News

Out-of-office messages are bad
So what? - This quick tip from SearchExchange is right on the money. I never use out-of-office messages. Candidly, I don't think that anyone sending me email really cares where I am. I can either solve their problem or not. I guess in the land of instant communication people expect to hear back immediately, but I do check email daily (even when I'm on vacation), so at most someone is waiting 24 hours. From a security perspective, an out-of-office message does two things for an attacker: it confirms that the email address exists and is read (handy for anyone validating a spam or phishing list), and it announces that you are not around (always a good sign for a robber). I say shut that capability off entirely. Or block outbound out-of-office messages at the email security gateway, so your message gets to internal personnel but not to the outside world.
http://searchexchange.techtarget.com/tip/1,289483,sid43_gci1187498,00.html
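Here is what that gateway rule looks like in practice, as an added example (it is not from the Daily Incite, SearchExchange or any vendor's product). It assumes the outbound SMTP gateway can hand each message to a policy hook; the `oof_policy` function, the `INTERNAL_DOMAINS` list and the sample messages are all constructed for illustration. Detection leans on the RFC 3834 `Auto-Submitted` header plus the vendor headers and subject prefixes that common mail clients put on out-of-office replies, which are heuristics rather than a standard.

```python
"""Gateway-side policy check: drop out-of-office auto-replies that are
addressed to external recipients, deliver everything else.

Added example, not code from the original post or from any mail product.
Assumes the outbound gateway calls oof_policy() once per message with the
raw RFC 822 text; the function name and domain list are hypothetical.
"""
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

# Domains treated as "inside"; auto-replies to these are allowed through.
INTERNAL_DOMAINS = {"example.com", "corp.example.com"}

# Subject prefixes used by common clients for auto-replies (heuristic).
SUBJECT_PREFIXES = ("out of office", "automatic reply", "autoreply", "auto-reply")


def is_auto_reply(msg: Message) -> bool:
    """True if the message looks like an out-of-office / auto-generated reply."""
    auto_submitted = (msg.get("Auto-Submitted") or "").strip().lower()
    if auto_submitted and auto_submitted != "no":
        return True  # RFC 3834: "auto-replied", "auto-generated", ...
    if msg.get("X-Auto-Response-Suppress"):
        return True  # Exchange/Outlook convention on its own auto-replies
    if msg.get("X-Autoreply") or msg.get("X-Autorespond"):
        return True  # older vacation-responder conventions
    if (msg.get("Precedence") or "").strip().lower() == "auto_reply":
        return True  # informal convention used by some responders
    subject = (msg.get("Subject") or "").strip().lower()
    return subject.startswith(SUBJECT_PREFIXES)


def external_recipients(msg: Message, internal_domains=INTERNAL_DOMAINS) -> list[str]:
    """Recipients whose domain is not in internal_domains.

    An address with no parseable domain is counted as external, so a
    malformed header fails closed rather than letting the reply out.
    """
    fields = msg.get_all("To", []) + msg.get_all("Cc", []) + msg.get_all("Bcc", [])
    external = []
    for _name, addr in getaddresses(fields):
        domain = addr.rpartition("@")[2].lower()
        if not domain or domain not in internal_domains:
            external.append(addr)
    return external


def oof_policy(raw: str, internal_domains=INTERNAL_DOMAINS) -> tuple[str, str]:
    """Return ("DROP", reason) or ("DELIVER", reason) for one outbound message."""
    msg = message_from_string(raw)
    if not is_auto_reply(msg):
        return "DELIVER", "not an auto-reply"
    ext = external_recipients(msg, internal_domains)
    if ext:
        return "DROP", "auto-reply addressed to external recipient(s): " + ", ".join(ext)
    return "DELIVER", "auto-reply stays inside internal domains"


# Constructed sample messages (not real traffic).
OOF_TO_OUTSIDER = """\
From: alice@example.com
To: Bob <bob@partner.net>
Subject: Out of Office: Re: Q2 contract
Auto-Submitted: auto-replied
X-Auto-Response-Suppress: All

I am travelling until May 19 with limited access to email.
"""

OOF_TO_COLLEAGUE = """\
From: alice@example.com
To: carol@corp.example.com
Subject: Automatic reply: budget review

I am out of the office until Monday.
"""

NORMAL_REPLY = """\
From: alice@example.com
To: bob@partner.net
Subject: Re: Q2 contract
Auto-Submitted: no

Looks fine, please send the signed copy.
"""

if __name__ == "__main__":
    for label, raw in (("oof -> external", OOF_TO_OUTSIDER),
                       ("oof -> internal", OOF_TO_COLLEAGUE),
                       ("human reply", NORMAL_REPLY)):
        print(label, oof_policy(raw))
```

The important design choice is the fail-closed handling in `external_recipients`: a recipient the gateway cannot parse is treated as external, so a sloppy header never lets an auto-reply leak out. Note that `Auto-Submitted: no` is explicitly honoured as "human", which is why the ordinary reply in the sample is delivered even though it goes to a partner domain.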

When competition becomes personal

So what? - Having spent time on the vendor side and being a reasonably competitive person, I've been in the place where Websense and Blue Coat have gotten to, according to this CRN article anyway. I've seen this movie and it doesn't end well. VARs end up confused by all the rhetoric and end up selling nothing. Customers end up losing here also because each vendor is entirely focused on the other, as opposed to solving customer problems. I had a customer tell me that my competitor would sit down with them and go through a litany of why my company sucked. And he wasn't even considering us at the time, but figured he'd give us a call because if a vendor is so focused on one player, clearly they must be the leader. I'd look for someone to come out of the blue and put a hurt on both of these folks, like Barracuda did to me in the anti-spam business. Maybe it's ScanSafe, who is changing the web filtering model with a managed services offering.
http://www.channelweb.com/sections/allnews/article.jhtml?articleId=187202376

An AV vendor downplaying a threat? - Someone pinch me
So what? - It's not too often that you see an anti-virus vendor say something is not really a threat, but BitDefender did that yesterday. Kudos to them. By saying that the World Cup worm was not really a risk, they gain credibility the next time they say something is a risk. Without this kind of balanced outbound communication strategy, all of the AV vendors start to sound like Chicken Little (hear that McAfee?). So cross that one off your list of things to do and move on to something else.
http://biz.yahoo.com/bw/060511/20060511005934.html?.v=1

Forrester says to protect the data, not just the infrastructure
So what? - I like Paul Stamp of Forrester, he's a bright guy and good to work with. For $249 you can buy his thoughts on the importance of "information security" in addition to "infrastructure security." Hmm. Where have you heard that before? Sounds like Pragmatic Security to me. I'm starting to feel good about my long road back to analyst-land, in that what is so obvious to me takes the big guys months to get documented. I'M BACK BABY! That's another reason I love blogging and writing The Daily Incite. It forces me to document what I'm thinking and talking about. If anyone buys this stuff, let me know what he says...
http://www.forrester.com/Research/Document/Excerpt/0,7211,39438,00.html

Top Blog Postings

To Bank Online or Not?
That's the question that CJ Kelly asks in this post. She is a security person, so she does. But she comes to the conclusion that her mom probably shouldn't, because of the risk of phishing. Hmm. I guess I'm indifferent. I do everything through Quicken, so I'm pretty sure the software only communicates with the right bank. It would be a bad day if a group figured out how to redirect the Quicken information requests to some other site. But from an efficiency point of view, I don't know how I'd live without online banking. I guess I'd manage, but it would be painful. This again points the finger at the banks to embrace two-way (mutual) authentication ASAP, where the bank proves its identity to the customer and not just the other way around, and start building that trust back.
http://www.computerworld.com/blogs/node/2510

Fighting cybercrime backwards
Given all the hoopla this week about whether information security has failed, I like this post by Ted Richardson about the right way to look at the problem. We as security professionals tend to deal in band-aids: we patch the immediate problem, not its cause. Ted assembles some ideas on what those causes are, borrowing from Deb Radcliffe and Schneier. It's an interesting read and does put some of the "futility" that we must feel in context.
http://fraudwar.blogspot.com/2006/05/are-we-addressing-cyber-crime-from.html

Matasano ThreatCon reaches LINDSTROM
The Matasano folks crack me up. Based on a lot of the "Do we suck?" hoopla, they bumped the pundit threatcon up to LINDSTROM. I'm not sure what that means, so they should probably have a chart (like the ISS and Symantec charts) to explain. But the concept is funny. Can't wait to see what they call the ROTHMAN level. I'll also point out a more detailed response to the David Berlind "security is dead" post from Thomas Ptacek, which is a more detailed treatment of the issues (http://www.matasano.com/log/286/we-dont-suck-enough/).
http://www.matasano.com/log/289/matasano-internet-pundit-threatcon-lindstrom/
Recently on the Security Incite Rants Blog

Inciting: SSO/Authentication tip
I published a "tip" on SearchSecurity.com this week on the intersection of strong authentication and single sign-on. I've been doing a lot of work in the Identity Management space and I'll be publishing a bunch of stuff (including the long awaited IdM battle plan) shortly.
http://securityincite.com/blog/mike-rothman/inciting-sso-authentication-tip

Read Wednesday's Daily Incite
http://securityincite.com/blog/mike-rothman/the-daily-incite-may-10-2006