The Daily Incite - November 1, 2006

Submitted by Mike Rothman on Wed, 2006-11-01 10:14.
Today's Daily Incite

November 1, 2006 - #147

Good Morning:
There is no rest for the weary. We weren't able to even throw out all that surplus of candy before we had to start preparing for this week's next big event, Leah's 6th birthday, which is today. Happy Birthday Leah!! But it always makes Halloween a busy time, since there are parties to prepare for, family to host and entertain, and of course, presents to procure. I'm sure all of my kids will have plenty to talk to their therapists about as they get older (living with me is no picnic, I assure you), but I think they have it pretty good. And I'm just fortunate that we can provide a good environment as they are growing up.

When you are a parent to young kids, repetition is part of your repertoire. Why say it once, when you can say it one hundred times? Or so my kids seem to think that's the way it works. Being respectful of that, today is The Daily Incite Repetition Edition. First thing is to make sure we discuss acquisitions, which is a common theme. IronPort buying PostX is a case in point (here). Another one of the Security 7 winners focuses on programs (here), not necessarily technology. Yep, I talk about that a lot. How about security awareness? I'm sure I sound like a broken record on that. So listen some more here.

There is consolidation of companies, but also consolidation of technology. I've said that many times. A case in point is a review of a "content UTM" device from CP Secure (here) that does both email and web stuff. Given the radically different traffic and protocol dynamics, that's actually a decent innovation. And finally, if you weren't tired enough of me repeating myself, I once again make the point that you can make yourself crazy if you pay attention to every useless, ridiculous item that tech media decides to push (here). I wish that would be all I had to say about any of these topics, but that's very very very unlikely. I'm sure I'll be back on my soapbox before long making exactly the same points again.

Kind of a slow day in blog-land. I guess I wasn't the only one preparing for the ghoulish onslaught. I do point to a piece Ed Moyle did a week ago putting some numbers behind how likely you are to contract mobile malware (here). It's roughly the same as being hit by satellite launch vehicle debris upon re-entry. That's really funny. I also want to poke a bit into the security by obscurity discussion and make the point that I think bringing issues and vulnerabilities to light is a good thing, but there can be collateral damage. Jeff Hayes goes into an example of lock pickers (here), and I kind of differ on whether disclosure is good in this case, because it's a monumental task to fix the problem.

OK, I've rambled on enough. Go get something done and have a great day.

Top Security News

Deal: IronPort Buys PostX
So what? - This is a very interesting deal. In an all-stock transaction, PostX throws all-in with the idea that IronPort will be able to get an IPO done. From a technology standpoint, the deal makes sense because IronPort's outbound filtering capabilities are weak and most of the stuff they use is from PostX anyway. PostX is the only one of the three amigos (along with PGP and Voltage - to call them amigos is funny because the three vendors hate each other) that had their own policy engine, which is what IronPort sorely needed. From an industry standpoint, this further polarizes the email encryption space. Though all the encryption vendors play with all the email gateway players, some have tighter relationships. Folks that have "strategic" partnerships with PostX (McAfee, Sendmail, Borderware) are exposed, as IronPort has never played well in the sandbox, and there is no reason to think they will start now. This is a very shrewd move by IronPort to part with some pre-IPO stock in order to control their own technology in an increasingly important email security landscape.
http://www.ironport.com/company/ironport_pr_2006-11-01.html

More Security 7 winners
So what? - Information Security Mag continues to dribble out their Security 7 winners. I like to read profiles of folks that are doing interesting things in the space. The next two winners are Andre Gold of Continental and Dorothy Denning, who teaches at the Naval Postgraduate School. Gold has to deal with a large, distributed, global organization - so it was interesting to see him focus more on the "program" than the tools. I'm a fan of repetition, so I'm always on the lookout for 3rd party data points that are in line with my thinking. This profile is there. For Ms. Denning, she remains a major influencer in cyber-terrorism and focuses much of her time on that. I agree that there are no imminent dangers on the horizon, but it's good to see we (the US) have some significant brain power making sure our assumptions are not wrong.
Andre Gold, Continental Airlines (here); Dorothy Denning, US Naval Postgraduate School (here)

Awareness Trumps Toys (and candy)
So what? - I've been sitting on this one for a while (it's from 10/9), but since I've been largely repetitive today, let's continue to beat the drum for some of my particular hot buttons. Many security practitioners get frustrated spending any time doing security awareness training, and I understand that. The users are not interested, they tend to do stupid stuff anyway, and you'll end up doing what you always do - clean up the mess. So why bother? This story reiterates a lot of the points I've been making for quite a while. Users remain the weakest link, and education does not happen overnight. It's really as much a generational thing as anything else. The kids entering the workforce today have grown up with technology and they are increasingly sensitive to security risks. They will be increasingly beaten over the head at home about security, and we need to follow that up with reinforcement at work. Things won't change overnight, but they will change - but only if we are willing to make the investment in training.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=267209

Content UTM
So what? - Another topic I've beaten like a drum continually is the need to consolidate functions in the perimeter. Given my recent epiphany that the perimeter is now about "secure accelerated access," we are going to continue to see new solutions that aren't necessarily innovative, but are definite improvements over what we have today. This Network Computing review of CP Secure's biggest content security gateway (CSG 2500) is a case in point. It does web, email, and FTP content filtering with low latency. Given the different traffic dynamics of each protocol, that's a big improvement. And given it's targeting the mid-sized business (pricing starts at $3k for the lowest box), folks like Barracuda had better get some integration going on their platforms. Or they risk being "barracudaed" by an upstart like CP Secure. CP is fine sitting next to the existing firewall/VPN solution, but the next logical step is for them to become a full UTM and add those functions. All-in-One, baby, it's not just about printers anymore.
http://www.darkreading.com/document.asp?doc_id=109040

Disregard the noise
So what? - As we finish up the repetition for today, let's talk about "signal vs. noise." One of the hardest things for a security professional to do is figure out what is important and what isn't. The media doesn't help things because they are paid based on page views (and subs), so they are forever trying to make a big deal out of everything to jack up their visibility. It can make a person a bit nutty. But it's very important to have a coarse filter and use it every day. You've got to disregard the stuff that just isn't important and not give it another thought. This whole discussion about the Windows firewall this week is a good case in point. Basically, a guy at nCircle pulled the fire alarm because IF you had the Windows ICS service running AND someone was able to inject malicious code on your machine, your Windows Firewall would be disabled. Then there was a battle regarding whether to shut down ICS and how that impacts the Windows Firewall. It's all pretty stupid, if you ask me. My main point is that you don't want to be the stupidest guy/gal in the room. So you probably don't have ICS running anymore (if you do, go to your room and write me a 2000-word essay about why you are an idiot), SO THIS IS NOT A PROBLEM. Focus on the stuff that can hurt you, not what the media thinks is important.
http://news.yahoo.com/s/pcworld/20061031/tc_pcworld/127710

Top Blog Postings

Customers define markets
It's funny to see two analysts (especially since they are friends) go at it about the definition of a market space. You do get a notch on your belt if you coin a new term (like UTM) that gets staying power, but beyond that these are just intellectual dialogs that have very little impact on much of anything. We, as analysts, don't get to pick what a customer calls "data protection" or "leak prevention" or anything else. All we can do is try to come up with a logical abstraction to help explain FUNCTIONALLY what problem the customer needs to solve and bucketize some of the myriad technologies that can be applied to the problem. So Richard has a point that one man's definition of data protection is leak prevention + encryption + device management. I don't much care how many vendors are subsumed into those buckets because I think about problems, not vendors. The Mogull's definition of data protection is much larger, which is fine. But with that expanded definition comes much more complexity. I'm not a fan of complexity. So there must be something in the middle, something that focuses on the DATA across its lifecycle and simply shows a user how they should be protecting that data. There should be, but there doesn't seem to be. So I guess I'll have to get cracking on that. I'll add it to the list.
http://blogs.zdnet.com/threatchaos/?p=429

Obscurity hits lock pickers
It really is amazing the parallels that we can draw to many other businesses. This post from Jeff Hayes makes the point that we in information security are not the only ones struggling with the "security by obscurity" discussion. Jeff, I guess, has an interest in lock picking. So if I ever get locked out of my house, I'll know who to call. Evidently the WSJ picked up (no pun intended) an article that pointed out the vulnerabilities of locks from many of the leading manufacturers. They were pissed because they felt it was giving information to the bad guys. Have you seen this movie before? There is a difference in our world, in that it's much easier to "patch" a technology vulnerability than something physical in my house. Depending on the nature of the issue, it could involve recalls, service calls, or who knows what. Besides the economic infeasibility of replacing all of those locks, fixing the problems is not as straightforward in the physical world. So the lock manufacturers do have a point. Responsible disclosure in our world works because it's relatively trivial to fix problems. We need to be careful with obscurity in other sectors because you could really impact someone's personal safety.
http://mycsosolutions.net/2006/10/28/full-disclosure-lock-picking/

.009 chance of mobile infection - move on
I wanted to circle back to a post that Ed Moyle did a week ago about mobile malware. Let's just say I've been skeptical for quite a while as to whether it's really a threat, but never bothered to put any numbers behind my gut. Ed did that in this post, and it's pretty funny. He basically goes on to show that you have a similar chance of being hit by a Delta II launch vehicle upon re-entry as you do of contracting mobile malware. As I recently pointed out, someone on Symantec's research team tried to break the Blackberry and came away impressed. So of all the things we have to worry about, your PDAs and smart phones having a malware problem is not high on the list. You should be much more concerned about what kind of private data resides on those devices.
http://www.securitycurve.com/blog/archives/000472.html

I thought BOB was dead
Anyone remember Microsoft BOB? The easy-to-use operating system of the late 90's went over like the Hindenburg, so Microsoft killed it. But now the acronym-meisters have revived the term BOB to refer to "branch office boxes," so now we'll see the networking and security folks fawn over Bob like never before. Mitchell Ashley points to a Juniper announcement of their BOB platforms, which include router, firewall and VPN, and will also include a voice gateway and telephone interface modules in early 2007. They are also integrating WAN acceleration. So that "secure accelerated access" perimeter that I talk about is really called BOB. Well, not really, but close enough. Mitchell makes a good point that to really simplify security, the BOB needs UTM functionality. But it all depends on the network architecture. If all traffic is routed back to the home office before heading out to the Internet (which is what most branch office networks look like), you can have those functions at HQ. So this is another market to start tracking, and I'm sure we'll hear more than we want to about it.
http://www.theconvergingnetwork.com/2006/10/bobing_for_the_enterprise.html

Recently on the Security Incite Rants Blog

Inciting: 10 Tips for Securing Your Email Webcast on SearchSMB
I'll be doing a live webcast today (November 1) at 1 PM EST on email security for SearchSMB. It's a topic that is near and dear to my heart (yes, I have a heart) and email security is something that mid-sized organizations continue to struggle with. So listen in, check it out, and ask some good questions.
http://securityincite.com/blog/mike-rothman/inciting-10-tips-for-securing-your-email-webcast-on-searchsmb