The Daily Incite - May 23, 2006
May 23, 2006
Good Morning:
Another day, another identity theft - or so it seems. Yesterday's big news was the loss of 26 million personal records from the VA, due to a laptop theft. Technology will help (but you actually have to buy it and implement it), but the key missing ingredient needs to be education. It's strange to me that this guy (who had the laptop) would have taken that much data (how big is a database with 26 million records?) home with him. Why? What could the business justification for that be? But it just goes to show, you can build the moat wide and deep, but you need to pay attention to the information side of the equation as well.
Have a great day.
Top Security News
Nortel takes a page from the Book of Cisco
So what? - Nortel has sold a bunch of their Alteon application switches, a bunch with CheckPoint stuff on it. They are facing the same issue as Cisco: how do I get them to upgrade boxes they already have? Nortel's answer: add Symantec stuff to the box - force an upgrade and add a subscription layer on top of it. They are also positioning this as an "internal security solution," but Nortel is about two generations behind the functionality offered by other app switch vendors (F5, etc.). And picking Symantec as the partner? If you are going to add security to a box, Symantec's IDS technology (the old Recourse stuff that they drove into the ground) probably isn't the first offering to come to mind. Who knows, maybe Symantec needed a few PBXs, so they did a little barter.
http://www.channelweb.com/sections/allnews/article.jhtml?articleId=188100278
NAC for ISPs - Stop the zombies
So what? - I noticed a company called Simplicita raised some money from investors I never heard of. These folks offer software (or so it seems) that can identify and quarantine zombies on ISP networks until they can be remediated. The approach seems like the endpoint admission capability of NAC, basically figuring out what is happening on each PC and then enforcing a policy to keep the machines in compliance with the policy. I don't know how the technology works, but I'm going to find out more. The blind spot is whether ISPs really want to solve the problem. Even if this stuff is automated, Aunt Bessie is going to be pissed if she can't get on the Internet for her weekly game of online poker because she has spyware. And how do ISPs communicate a policy of what is allowed on their networks and what isn't? Technology aside, I see some real adoption issues because the ISPs maintain this isn't their problem.
http://biz.yahoo.com/bw/060522/20060522005035.html?.v=1
SIM review by NWC
So what? - Network Computing dug deep and evaluated 8 SIM packages. They run from appliances to high end software, have different pricing models and in most cases do a good job of telling you what's happened in your network. But I'll again harp on the fact that what's happened is far less interesting than what is happening or what is going to happen. Sure you need artifacts about what you've done for security to keep an auditor happy, but I still don't buy the need for this market.
http://www.networkcomputing.com/channels/security/showArticle.jhtml?articleID=187203569&pgno=1
Phil Zimmermann back in the news
So what? - The creator of PGP is back in the news with his new new thing called Zfone, which basically encrypts VoIP sessions. Of course, it doesn't work on PSTN replacements (like Vonage) and Skype is a closed system so it won't work for that either. But hey, for all 10 Gizmo project customers - now they can make sure the NSA isn't snooping all their calls. I think this is kind of ridiculous. Given the sheer volume of traffic on the net, if someone wants to compromise my traffic - I don't think snooping my VoIP sessions is how they are going to do it.
http://www.darkreading.com/document.asp?doc_id=95252
From the self-serving analyst files
So what? - I love it when analysts tell us what we already know, and then try to spin it into why customers should buy their services. Yankee Group is today's offender. They did a survey (you know how much I like surveys) of some small business owners and amazingly enough SMB folks are worried about security. WOW! They also end up deferring some security investments because of budgetary issues. Shocker! The insurance gets deferred because they have to pay the electric bill. Then an association of VARs points to the Yankee survey to highlight the "dangers" of taking security advice from peers. Of course, what they need are VARs to tell them exactly what to do, which amazingly correlates to which vendor is providing the best SPIFFs this month. Sometimes marketing folks make me nuts.
http://security.tekrati.com/research/News.asp?id=7061
Top Blog Postings
VA takes the (identity theft) cake
Yep, the heist of one employee's laptop made the VA (Veterans Administration) yesterday's villain. It seemed this PC had information on 26 million Veterans with personal and medical history. Martin McKeay and Michael Farnum, both Veterans, were dismayed (as they should be) and Martin asks the right questions. Why the hell did this guy have 26 million personal records on a machine outside of the VA network? Even if it's "against" policy, that is ridiculous. Data points like this validate the need to think about both infrastructure and information security - as described by Pragmatic Security. Rebecca Herold also weighs in on the situation by stating the obvious need for education on the policies because this guy clearly didn't get the message.
Martin's post: http://www.mckeay.net/secure/2006/05/what_was_he_doing_with_26_mill.html
Farnum's post: http://securityplace.blogspot.com/2006/05/two-blogging-veterans-are-worried.html
Rebecca's post: http://realtime-itcompliance.typepad.com/itcompliancecommunity/2006/05/yet_another_lap.html
Security researchers running scared
TechDirt points out the inevitable consequences of raking security researchers over the coals. At some point, they stop trying to help and that's bad for everyone. My opinion is that you'll always have security researchers trying to make a name for themselves, so this is a short-term blip. The best and fastest way to gain notoriety in this space is to find something, adhere to reasonable disclosure practices and then take credit for what you've found. That provides credibility that is important for the day jobs of many of these researchers. So, the folks that were really trying to help probably will fall by the wayside. The other group of capitalists trying to build their businesses are willing to take some lumps for the exposure.
http://techdirt.com/articles/20060522/1626242.shtml
Microsoft wants to be a security force
Larry Walsh in his VARBusiness column puts some datapoints together (including this week's acquisition of Whale) to make the point that Microsoft is now going to go after the SSL VPN folks, in addition to AV and anti-spyware. Thank you, Captain Obvious. Microsoft wants to control the whole enchilada, so they need to have technology across the whole enchilada. They'll continue buying technology (likely 2nd tier vendors when a market hits maturity) to fill out their offering for the foreseeable future. Larry's most interesting tidbit is the hardware aspect of the Whale deal. But Microsoft has always worked with hardware partners, and at the end of the day Whale wasn't doing anything novel in their hardware, so they just bundle the capabilities as a superset of ISA server on whatever hardware appliance maker wants to push it. Microsoft will be a factor, especially at the low end of the market that doesn't know any better.
http://www.informationweek.com/story/showArticle.jhtml?articleID=188101148
What happened to PGP?
Spamroll wonders what happened to PGP in this post. It's true they have been keeping a lower profile on the consumer side (though that remains a cash cow), but seem to be doing well selling encryption architectures to large enterprises. Their whole disk encryption technology is also timely now, given all the laptop thefts. But Spamroll's point is taken, PGP should be out there quite a bit more since it's not clear to everyone how and why they need encryption.
http://www.spamroll.com/blogarch/2006/05/pgp_still_a_for_1.php
Recently on the Security Incite Rants Blog
Policy makes migration hard
Reading a NetworkWorld article from last week about the difficulties of migrating firewalls to a new vendor got me thinking about why. The answer is policy, so in this post I delve into why some vendors have stayed around long past their usefulness and why migration tools aren't necessarily a good thing.
http://securityincite.com/blog/mike-rothman/policy-makes-migration-hard
NetworkWorld Column: You say you want a revolution
In this week's NetworkWorld column I discuss the evolution (as opposed to revolution) to the new NAC-based campus networks. There are lots of ways to get there, but the message of the column is that we are going to get there.
http://securityincite.com/blog/mike-rothman/networkworld-column-you-say-you-want-a-revolution
Read Monday's Daily Incite
http://securityincite.com/blog/mike-rothman/the-daily-incite-may-22-2006

