The Daily Incite - November 30, 2006
November 30, 2006 - #163
Good Morning:
Hmm. Thursday and I'm out of stuff to talk about. I guess we could talk about College Football. My esteemed alma mater (Cornell University) has sucked for about a century, so that's not too interesting. What about exercise? Not sure sitting in my fat boy chair with my headset stuck in my ear qualifies as exercise - so that's a no go. Though I guess I have abnormally strong fingers based on the amount of typing I do every day. What about bunions? Anyone out there want to talk about bunions? No. Oh well, so much for small talk.
Actually, since we talked about objectivity yesterday, let's talk about ethics today. I'm thankful that things are pretty black and white to me. Like this ethical dilemma (here) about whether an IT manager should blow the whistle on his/her boss because they found some bad stuff in a shared drive. I don't see the dilemma at all. Just following orders is no excuse. And what about what's coming up in 2007? Well according to McAfee, it's pretty much the same crap we saw in 2006 (here). Now that is what I call advanced research.
In blog-land, the Mogull tries to define the security mindset (here). It's a good piece. I think they make prescription drugs to deal with paranoia, but that doesn't mean everyone isn't out to get us. And Jeremiah does a good summary (with cool looking graphs) about how the state of web application security is not real good (here). I guess there is no end to the crap we all have to worry about every day. And on that note, have a great day.
Top Security News
Always do the right thing
So what? - My Dad told me that you only get one chance to compromise your integrity. Truer words have never been spoken. But then I read this article about the ethical "dilemma" of whether an IT Manager should report his President's penchant for storing kiddie porn in his personal directory. Help me understand the dilemma. I'm totally on board with Mitch Wagner: this is not a dilemma but a moral RESPONSIBILITY to turn this guy in. For the life of me, I can't imagine any situation where the president of the company should be storing porn on the company network. Can you? Best case, it's terrible judgment and the guy should be shot. Worst case, it's a crime and he should spend a long long time in lock up learning about how prison sex works from his cell mate, Tyrone. It could potentially cost the IT Manager his job, that's true. But ultimately, do you really want to be working in that kind of environment?
http://www.informationweek.com/blog/main/archives/2006/11/if_an_it_manage.html
The new boss is the same as the old boss
So what? - As many times as I hope that "we don't get fooled again," the fortune tellers at Big Security come out with their "what's next" assessment of what we'll see next year. McAfee drew first blood yesterday basically saying we'll see more of the same. Top of the list is that password stealing web sites will increase. Also expect to see more spam and the use of bots. That Captain Obvious suit is getting around, no? But they do sprinkle in at least one that I think is just way off. They are predicting that mobile phone attacks will become more prevalent. Nope. Don't think so. But it is amazing that McAfee is predicting nothing new. Way to think out of the box! By definition they will be wrong because I guarantee we will see new attacks and they will be innovative.
http://www.mcafee.com/us/about/press/corporate/2006/20061129_080000_f.html
The downside of mandates
So what? - The folks over at SecureWorks have found a pretty interesting new phishing attack. Hats off to the hackers who figured out how to mangle the FFIEC multi-factor authentication "guidance" into probably the most innovative phishing attack I've seen this year. Sending a note to unsuspecting suckers asking them to sign up for their new dual authentication code and phrase, while pilfering the original, is nefariously brilliant. Given the number of crappy new companies that pitch me on their useless "innovations," they should take a page out of the bad guys' book. Now that's innovation. But it also shows the dark side of mandates for new technologies, and puts the real onus on those financial institutions to more effectively educate their customer base. Clearly it's not working if these ruses are finding success.
http://www.secureworks.com/press/20061129-phishing.html
Does Brand Risk Matter?
So what? - This article from Wall Street & Technology (via Dark Reading) makes an interesting supposition. Are we numb to privacy breaches and does that mean the risk to an organization's brand is minimized? Having done a bit of branding through the years, I'm not sure I'd want to find out the answer to that question. As in the example they use, E*Trade got pummeled by their issue (where accounts were compromised and used in a pump and dump scheme), but Ameritrade - not so much. But what made E*Trade unlucky and Ameritrade lucky? And would I be willing to gamble my brand (which I spend millions to nurture and protect) that I end up in the lucky camp? Not a chance. Hey, if you are feeling lucky, maybe go to Vegas and let it roll. Protecting brand is a key job description for security folks. The good news is that you don't really have to do anything different, just good, old-fashioned security stuff.
http://www.darkreading.com/document.asp?doc_id=111592
Top Blog Postings
Can you develop the "security mindset?"
The Mogull rants a bit here about whether common folks can ever develop the "security mindset." You know what he's talking about. Basically you look at everything within the context of how you would defeat it. I do that as a matter of habit. And it doesn't matter where I am or what I'm doing. When you are telling me about your stuff, I'm processing constantly, trying to find the holes. But is this just a curse that has been bestowed upon me, or has it developed from many years of having to outsmart bad guys? Actually I don't think it matters, and I don't think that you need to have the security mindset to run a good and effective security program. If you don't have that mindset, you do need to surround yourself with people (maybe pen testers or advisors or team members) that can poke holes. Over time, I do think most folks will develop the critical thinking necessary to find the holes themselves. To channel Mike Murray a bit, what I think Rich is really alluding to is whether you have the mindset to LOVE your security job. And to be "really good" at security, you need to love it. But don't mistake "really good" with effective.
http://securosis.com/2006/11/29/the-security-mindset/
VC opportunity: Vulnerability verifier
Dino from Matasano has a very interesting post about how the security business has changed, and how you now have some folks looking for vulnerabilities because of the marketing opportunities it provides, as opposed to just doing it for fun like in the old days. Not sure why that's surprising. Basically, as every market matures, you get folks that are in it for the money, not necessarily for the love. More interesting are some of Dino's ideas about how this hit-and-run vulnerability discovery process really makes the case for an independent third party to get into the business of verifying vulnerabilities. I think it's a great idea, but I'm not sure I grok the business model. Who pays for this? The big vendors, who are presumably targeted? Don't they already have their own in-house staffs and any number of smart indies that are banging at stuff every day to verify issues? Are end users going to pony up dollars to do their own due diligence about the software they are using? I don't know. But I suspect there is an opportunity here. It sounds like a job for Captain Matasano!
http://www.matasano.com/log/627/vulnerability-sportsmen-vs-vulnerability-hunters/
The State of Web Application Security - We're screwed
Jeremiah Grossman does a great summary of what's going on in the web app space. Not surprisingly, the news is not good. His shop has found that 8 out of 10 websites have serious vulnerabilities, and I'm sure he wasn't trying too hard. The general problem gets back to getting developers to change their mindset and to bake security and security thinking into their development process. Changing behavior is a really hard thing. Doing it under the gun when you are already late on the project makes it pretty much impossible. And how many software projects have you seen that aren't under the gun and already late? Source code analysis can certainly help, but it's not a panacea. Basically, the tools used to build software need to have security baked in. That's the only way I see this getting fixed, and that's going to take a long time. But check out Jeremiah's graphs, it's pretty enlightening.
http://jeremiahgrossman.blogspot.com/2006/11/web-application-security-risk-report.html
A Day in the Life
Farnum has a good post here about what his day used to be like when he was a security manager. Boy, that's a packed day, and I love the "worry all night" part, because that's true. That contrasts with his day now as an SE, which is 10 AM - 12 noon: Coffee at Starbucks. Noon - 2 PM: Lunch. 2 PM - 5 PM: Work with customers and get them to buy stuff. Of course I jest. I'm sure Michael checks email now and again as well. But if you are interested in how a security manager spends their day and what they are doing, the post is pretty enlightening.
http://infosecplace.com/blog/2006/11/28/alert-logic-talk/
Recently on the Security Incite Rants Blog
The Righteous Path of the Analyst
As Amrit and Stiennon head back to vendor land, it got Thomas Ptacek to wonder whether being an analyst is just a training ground for a high-level marketing position at a vendor. Given that I was an analyst, then became a marketing guy, and am now back to being an analyst, you'd figure I'd have an opinion on the topic. Well, you'd figure right. Check it out.
http://securityincite.com/blog/mike-rothman/the-righteous-path-of-the-analyst
Inciting: Threat Management Panel
I'll be doing a live panel on Threat Management on Thursday. Check it out and hear me rant in real-time.
http://securityincite.com/blog/mike-rothman/inciting-threat-management-panel
Read the most recent Daily Incite
http://securityincite.com/TDI-2006-11-29
Come on now, Mike! You are totally wrong on this one. I was up at 5AM yesterday (first time I have actually seen a dark sky in a few weeks) to catch a flight to Arkansas, where I sat in a meeting room and drank water (water - what was that about?), ate sandwiches (first time I haven't had steak for lunch in about a month), and tried to get somebody to buy something (OK, you're right there). So the SE life is rough! And I eat lunch from noon to 2pm, then I have the coffee.
Man, you are way off!
Michael