The Daily Incite - May 16, 2006
May 16, 2006
Good Morning:
Finally, some activity happening in security-land after a few slow days. I actually had to choose from a number of stories today. I also want to remind security folks that whining is for babies. I don't even let my kids whine, so I have no tolerance for a bunch of CISSPs that are worried about whether a "provisional" CISSP for students is going to dilute their hard-earned certification. Try this on for size: keep your network safe and you'll be in demand - regardless of whether a college punk has a CISSP-lite piece of paper. A piece of paper does not make you unique; your skill set and experience do. Folks with self-esteem problems just annoy the crap out of me. OK, off soapbox now.
I know I've also been beating up on Forrester a bit lately. To be clear, the folks over there that I know (the old guard security folks) are pretty bright. But they keep publishing these reports that are 6 months behind the market. End users look to analysts to keep them AHEAD of the market, but maybe they are positioning as a CYA (cover your ass) replacement for the G-people. Then they can be late, but their brand is nowhere near the other guys, now is it?
Have a great day.
Top Security News
VoIP security
So what? - Crank up the hype meter, we are going to start hearing a lot more about VoIP and its inherent security issues. NetworkWorld does a good section on VoIP in general and Dave Piscitello has a pretty detailed treatment of VoIP security in this part of the section. Should you be worried? Nah. It's kind of like mobile security: the threats are theoretical (like SPIT, spam over Internet telephony) and the attacks look pretty much like denial of service and session credential hijacking. Given all the other things on your plate, it's just not a priority. Over time, securing VoIP pipes will be part of the UTM boxes and securing VoIP apps needs to be within a "content security" platform. But only the bleeding edge need to really think about buying equipment to solve the problem right now. Still, read the article and learn what you need to know and watch for.
http://www.networkworld.com/research/2006/051506-voip-guide-security.html
Free security - what's the catch?
So what? - Sometimes I see press releases that make me laugh. This one, from a company called Advanced Interactive Marketing, purports to offer "the most powerful computer security available" for free. It sounds like BackOrifice to me (anyone remember BackOrifice?). Hmm. Security coming from a marketing company. Let me check this out on the new Scandoo service - they don't know about it. I would check on SiteAdvisor, but that broke Yahoo Mail and I haven't tried it since. I go over to the site and they seem to offer a simple personal firewall - but as part of what looks to be a huge adware client. Don't think I'm going to download this today, but now you can see how easy it is for unsuspecting consumers to get all sorts of crap on their machines. At some point, I'll get a virtual machine set up, so I can play around with this stuff.
http://biz.yahoo.com/prnews/060515/lam117.html?.v=32
Deal: VASCO buys Logico for smart card technology
So what? - Normally a $1.5M deal would be worth 10 words in TDI, but strong authentication is hot - driven by the banks' need to both authenticate their users more reliably and authenticate themselves to their users. It is interesting to see what look to be different strategies from VASCO and RSA. RSA has been very aggressive in acquiring (and spending some big numbers to do the deals) companies like Cyota and PassMark to get a foothold. VASCO has a good foothold in consumer authentication (especially outside of the States) and Logico, a very small Austrian company, gives them some internal smart card technology. But I think they are missing the boat by not having anti-phishing or website authentication technologies to compete more effectively with RSA.
http://www.vasco.com/about/press/fullstory.html?press=425
Image-based spam defense
So what? - CommTouch announces an upgrade that detects spam images. There has been technology out there to detect image spam for a while, but it wasn't very good. Assuming it works (which I won't), this can add some long needed differentiation for CommTouch's OEM partners, like Blue Cat, SendMail, Mirapoint and Tumbleweed. Customers should be expecting all of the vendors to keep pace or have a good explanation as to why they don't.
http://www.commtouch.com/Site/News_Events/pr_content.asp?news_id=705&cat_id=1
Enterasys - not dead yet?
So what? - Everybody loves an underdog story and in the movies, they usually come out on top. Not in the real world though. There are few happy endings. The new CEO at Enterasys hit the road this week to convince the press (and thus get some reach to their customers) that they aren't dead. They do have lots of customers, but unless they start innovating and getting a higher profile, they are going to miss out on the upcoming campus re-architecture - driven by NAC. I've seen this movie before and the odds against them are long. Current customers should have a plan B, so when it's time to upgrade you are in a position to do so thoughtfully.
http://www.channelweb.com/sections/allnews/article.jhtml?articleId=187202763
Top Blog Postings
Check your browser
Darknet revisits an old browser test that pinpoints some pretty common configuration and vulnerability exposures in the browser. Given that a majority of malware arrives through the browser, it's always good to periodically make sure you haven't missed anything. This is a fine solution for technical folks, but you need some type of automated process to check all of the devices (desktops, laptops and servers) and keep them up to date. You may call it "patch management" or "configuration management" or whatever, but do it. If you try to keep up to date manually, you'll screw something up.
http://www.darknet.org.uk/2006/05/browser-security-test-check-your-browser-now/
What to look for in a SOX solution
For those of you that are responsible for "compliance" in addition to security, the Big4Guy is a must read. He does a fairly detailed post every day about some aspect of audit and compliance. Today's bears mention because everyone thinks they need a "solution" to keep the SOX examiners happy. You definitely do need a reporting engine to generate the documentation, but there are a few other things detailed in this post (controls documentation and a place to store tests for effectiveness) that are good to keep in mind.
http://big4guy.com/index.php/2006/05/16/sarbanes_oxley_software_features_6_thing
NAC is top-of-mind
Sometimes (maybe 10%) I wish I had 10 people on my research team and huge sales force doing the hard work of building the business. But most of the time remembering the drama of having all of those folks with their problems and the additional mouths to feed is a pain in the butt. Back to business, the Forrester folks have the horsepower to do surveys and their latest one says that NAC is top of mind. Once again they are right on time, glad to see they are still out ahead of the market and for $250 you can be out ahead of the market on this one too.
http://www.forrester.com/Research/Document/Excerpt/0,7211,38276,00.html
What's all the fuss about CISSP?
Ed Moyle covers the ongoing debate about college students being given a provisional CISSP, which seems to have some folks in the security community up in arms. Personally, I couldn't care less. I'm not a CISSP and though I have thought about taking the test, it hasn't cost me business or credibility yet - so I'll probably just wait until it does. I think having programs for college students to learn about security is GREAT. If getting a paper cert will keep them focused on actually learning the material, that's great too. I think lots of those CISSPs out there need to pull the stick out of their collective backsides. You get a job not because of the paper, but because of your practical experience, skill set, and ability to work in an organization's culture. Stop your whining, it's not going to cost you any jobs unless you suck.
http://www.securitycurve.com/blog/archives/000390.html
Recently on the Security Incite Rants Blog
You get what you pay for
The website has not been stellar of late, so this is my apology and explanation. I'm not really an excuses type of guy, so suffice it to say this is one of those risk/reward decisions we all need to make.
http://securityincite.com/blog/mike-rothman/you-get-what-you-pay-for
Security is needed - but that doesn't make it a good VC investment
I came across a post this AM from an Israeli VC bitching a bit about the lack of compelling exits. I think this is a good thing, since crappy companies with crummy management teams and me-too products don't deserve good exits. The conclusion of having to build companies on the cheap is a good thing too. I've spent a lot of other people's money and I wouldn't do it again. It's good to be capital constrained - it keeps you focused.
http://securityincite.com/blog/mike-rothman/security-is-needed-but-that-doesnt-make-it-a-good-investment
Read Monday's Daily Incite
http://securityincite.com/blog/mike-rothman/the-daily-incite-may-15-2006