The Daily Incite - May 5, 2006

Submitted by Mike Rothman on Fri, 2006-05-05 05:51.
Today's Daily Incite

May 5, 2006

Good Morning:
Top news today is more details around the TypePad/Six Apart failure. It's mentioned in the blog posting section of TDI. I'm amazed at the stupidity of some folks. Blue Security, which does a do-not-spam registry, pissed some folks off and suffered a massive DDoS attack. So they decide to redirect their DNS to their TypePad account and take down literally millions of bloggers. Best of all, Six Apart got no warning from Blue that they were doing that. How can they legitimately have "security" in their company name and do something like that? It's amateur night for sure.

We all need to remember the Internet is an eco-system and we can suffer based on the stupidity of others. Back in my motorcycle riding days (way before the wife and kids), I learned to ride very defensively and to assume folks in cars are going to do stupid things. That's how you stay alive. It's no different in the security world: you need to have contingency plans for when people do stupid things.

Have a great weekend.

Top Security News

Calculating the Impact of Privacy Breaches
So what? - No sooner had I ranted about the inability to calculate real ROI on security investments than this "Privacy Breach Calculator" hit the web. I almost keeled over laughing. Talk about making up numbers. If a CFO of a big company buys into any of this stuff, I'd be amazed. You figure they got to the pinnacle of finance by being relatively savvy, so this calculator is a joke. I guess in many organizations, some type of ROI analysis is required - even if you scribble it on the back of an envelope. I still think it's a waste of time - time that should be spent actually fixing something.
http://searchsecurity.techtarget.com/general/0,295582,sid14_gci1182844,00.html

Aetna suffers the latest stolen laptop

So what? - Guess folks are going to have to learn the hard way. Laptops get lost or stolen. Every day. If you work in a big company, it will happen to you. Aetna is the latest to report a laptop stolen with private information on 38,000 customers. First, why do these laptops have private information? Next, why aren't there adequate protections if there is an absolute business need for this? Maybe folks are waiting out the storm until we all get numb to it happening.
http://www.scmagazine.com/us/news/article/556842/aetna+laptop+breach+affected+38k+members

Review of Q1Labs new version
So what? - Unless you are new to Incite, you get that I'm not a huge fan of SIM. Looking in the rear view mirror is of limited value. But if you can look at both what's happening now and what has happened and correlate it a bit, then that is interesting. Q1Labs has added the SIM capability to its anomaly detection stuff over the past 2 years, when they realized that the network anomaly detection (NAD) market was inherently limited. Since I'm a fan of doing and not just reporting, this is a novel approach. Their biggest competition is Cisco, so by definition they are swimming upstream, but they at least have a chance because they've evolved beyond just NAD or SIM - neither of which is a sustainable market. BTW, the reviewer liked QRadar 5.0.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1186555,00.html

Storage security is heating up
So what? - In this interview with EMC's Mark Lewis, it's clear EMC wants to be a player in security. They'll buy some stuff and evolve their internal offerings as well. But part of what he says validates the Pragmatic Security work I've been doing: "Through talking to customers and research, we see this need for information-centric security." Amen to that. Securing infrastructure is different than securing information - and both customers and the market are starting to see it that way.
http://www.informationweek.com/story/showArticle.jhtml?articleID=187200322

Survey to ensure disaster preparedness
So what? - The folks at the US Cyber Consequences Unit have published a 476 question survey to help organizations assess their preparedness for a disaster scenario. I'm wondering if this is some joke played by the producers of 24, but I guess not. That's a lot of questions and I'm sure many of them are not relevant to your organization. But I am a fan of asking lots of questions and something like this does surface issues and considerations you may not have factored into your planning. And as we've seen on numerous occasions over the past few years, you can never be too prepared.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1186607,00.html

Top Blog Postings

Blue Security takes down TypePad
My bud Martin McKeay covers what seems to be the cause of the massive DDoS attack that felled TypePad and Six Apart this week. It was caused by Blue Security, the folks that maintain a "Do not spam" registry. Evidently these bozos were attacked in a well coordinated massive attack and then redirected their DNS to a TypePad blog. Kaboom, millions of bloggers are out of business. The InformationWeek coverage is here. I've had Blue's website in my Drive-by folder for most of this week, as I wanted to put forth my thoughts on their approach. When I went to check out their site on Wednesday, it was down - and now I know why. I don't really remember the specifics of their approach, but evidently it is pissing off someone. If their site ever comes back up, I'll fill in the details.
http://www.computerworld.com/blogs/node/2456

"Security as an enabling technology" rises like a phoenix
Steve Lamb has revisited the age-old attempt to position security as an enabling technology. Here's a quote on what he calls "effective security" - "Effective Security is the corollary of this position as it's proactive and encompasses every aspect of information flow throughout an organisation together with customers partners and suppliers." The problem is it doesn't work. If it's truly a business process enabler, then it gets buried along with some line of business application initiative. I've seen very few business owners that don't do the right thing for their business because of perceived security risk. Security is still mostly an insurance play - insurance against downtime, insurance against privacy breaches, insurance against compliance issues. But still very much insurance. Even though we as security professionals want to paint it otherwise, it is what it is.
http://blogs.technet.com/steve_lamb/archive/2006/04/29/426798.aspx

Incompetent guys should end up in a ditch

In CJ Kelly's post today she tells the story about a security admin she came across that was evidently incompetent. Perhaps security wasn't his forte, but he was responsible for it and misconfiguring a firewall and having common administrator passwords for multiple devices are big no-no's. I don't think twice about taking this guy out of the picture. Or if he's a great network and application guy, then get a real security guy. You get into trouble when you have the wrong guy (or gal) in the wrong seat and bad things happen. I guess I'm a bit cold about these issues, but if someone can't get the job done, they have to go.
http://www.computerworld.com/blogs/node/2464

FireEye's "virtual" product
One of the other companies I wanted to do a drive-by on this week is FireEye. They recently announced a new network security device that uses "virtualization" technology to protect against threats. Ellen Messmer sheds a skeptical eye on this (I love it when a beat reporter throws a beat down on a new vendor), since no one has seen it - the technology is very virtual. Check out this quote: "'Virtual machine' security has to prove its mettle, showing the concept is worth the trouble and that it doesn't trigger the kind of false positives that occurred in the case of other great ideas, like the signature-based intrusion-detection systems." Ellen is pretty funny.
http://www.networkworld.com/weblogs/security/012014.html

The risk of medical identity theft
I just started reading Rebecca Herold's stuff and her coverage of compliance issues is very comprehensive and deep. I learn something with each post. But I'm not really clear on this post about medical identity theft and some of the difficulties of expunging false documents on a medical record. I need to learn more about insurance fraud to get a feel for the real risks of people adding bogus medical records. Unfortunately I don't have time to read the underlying report, published by the World Privacy Forum. I guess she assumes that everyone understands what the risks are and focuses on cleaning up the data.
http://realtime-itcompliance.typepad.com/itcompliancecommunity/2006/05/medical_identit.html

Recently on the Security Incite Rants Blog

Inciting: CORE Security webcast 5/10
Next week I'm doing a webcast for CORE Security on the evolution of vulnerability management and how penetration testing plays into that. It'll be an interesting discussion and I promise to make the discussion lively. I hope you'll join us.
http://securityincite.com/blog/mike-rothman/inciting-core-security-webcast-5-10

Read Thursday's Daily Incite
http://securityincite.com/blog/mike-rothman/the-daily-incite-may-4-2006