The Daily Incite - October 27, 2006
October 27, 2006 - #144
Good Morning:
Sorry I'm a bit late on this rainy Friday here in ATL. The boss was under the weather this AM, so I got to play Mr. Mom and get the kids ready for school. As hard as I try, "Daddy's working" doesn't seem to sit well with rambunctious 3 year old twins who are very interested in whatever is on my computer screen at any given time. So I gave up, put on the Backyardigans and toasted some waffles. And it was nice. All work and no play, well you know how that ends.
No real themes emerged today in either security or blog-land. McAfee beat the number (here), so Wall Street is all aflutter, but let's see what happens two quarters down the road, deep in the midst of integrating 3 new companies. There shall be no victory lap before it's time. I'll also point to a PC Mag interview with rootkit queen Joanna Rutkowska (here), which is interesting. You can find out about her first computer, how she became interested in computers, and what she uses to protect her own PC. Truthfully, I'd rather stick to hearing security people talk about security (which is the 2nd half of the interview), since personal profiles of security folks are not very interesting to me. Most are normal, some are freaks. If I want drama, I watch Access Hollywood. There is a much higher percentage of freaks in Hollywood than in security anyway.
In blog-land, Martin says we need a blogger code of ethics (here), which is fine. Personally, I just accept that a percentage (rather large I might add) of folks everywhere (not just in the blogosphere) are going to be scum. So I calibrate my expectations accordingly. Let me also highlight a good piece on acquisitions on the SCADA Security blog (here). For the most part, customers always get screwed when a key vendor gets bought. But it's part of the game, so if you are a user and you are not experienced in putting together Plan B when a vendor gets bought, do not pass GO and do not collect $200. That is security vendor management 101.
I also need to correct a statement I made in TDI yesterday. Given it was #143, this is the first correction - so that's pretty good. The kind folks from Proofpoint pointed out to me yesterday that they do in fact have a reputation capability within their MLX technology, they just don't talk much about it. So I stand corrected, but if anything this bolsters the point that anyone without a reputation capability (either built or bought) will be at a marketing disadvantage to those that do.
Have a great weekend.
Top Security News
Dial M for McAfee beating the number
So what?- After seeing McAfee's numbers yesterday, the Street is even more unimpressed with Symantec's showing. McAfee showed growth across all its businesses and all geographies. Revenues were up 14% to $287 million and bookings up 16%. Of that, about 60% was corporate/enterprise. Consumer, IPS and content security (email and web filtering) led the way and overcame some difficulties in the SMB space. But this was still Samenuk and Weiss' quarter before they got shot. The real question becomes can McAfee's field start to understand all the new pieces to the story (leak prevention, remediation, policy compliance), while the new executive team and sales leadership takes root. Yes, this was a good quarter - but McAfee has a significant integration job ahead of it to make what's a good story become reality. And integration will be a moving target because with $1.2 billion in cash on the balance sheet, they are sure to continue acquiring lots of stuff.
http://www.mcafee.com/us/about/press/corporate/2006/20061026_191010_m.html
Too late to stop bots?
So what? - Looks like Larry Seltzer finally decided to weigh in on the bot discussion, and he comes to the same conclusion I did a few months ago and some others have more recently come to. The ISPs need to step up, take action and control the bot population running on their networks. Larry then talks about StreamShield (which BT is using) and Simplicita (which I've mentioned a few times) as emerging technologies for the ISPs to use. Fact is, it's getting harder to determine the command and control, so like Bin Laden - getting the head of the snake is going to be hard. But you can chop up the body and minimize its effectiveness by detecting rogue bot behavior and quarantining those devices until they can be cleaned. The ISPs need to step up, and within a year I suspect most of them will.
http://www.eweek.com/article2/0,1895,2037121,00.asp
Talking rootkits w/ Rutkowska
So what? - The security world's Kournikova is Joanna Rutkowska, who specializes in rootkits and other stealth malware stuff. This PC Mag interview provides a bit of background that you groupies may be interested in (her first computer was a 286) and has her going through why AV is ineffective, and she's right. AV won't help you much with rootkits. But as I said yesterday, there is a time and a place for AV. Interestingly enough, Joanna surfs commando without AV or HIPS. She does her research to show the industry its failings, which I don't have an issue with. Also interesting, her perspective is that current malware defense focuses too much on the bad and not enough on making sure machines are adequately configured. She'd like to see a product based on checking the integrity of all system components and verifying that code sections haven't been modified. Sounds sort of like what VI Labs is trying to do, but can you do it scalably? Hmm.
http://news.yahoo.com/s/zd/20061026/tc_zd/192403
Browser 2.0 is about security
So what? - With the exception of the bogus IE7 exploit, I haven't really weighed in on the new browsers, IE7 and Firefox 2.0. I am, and remain a Firefox user. Yes, I have IE7 on my PC (the one I have left) and it works a lot better than IE6. Good for them, but it ain't Firefox. I am a multi-platform kind of guy, so I need a multi-platform solution. I also need a number of the 3rd party add-ins (Scrapbook, Adblock and Fasterfox are my favorites) to streamline my work process. So I'm sticking with Firefox. But last night I loaded up an optimized version of FFX 2.0 on my MacBook (get it here) and it SCREAMS. Seriously, it's noticeably faster. I can't wait until Microsoft Office comes out in a Universal Binary next year, as at that point it may be time for me to bid adieu to my PC. But I digress. Both browsers have added some new security capabilities in the area of phishing and additional privacy capabilities. So whether you swing IE or FFX, upgrade to the new stuff and have all your users do the same.
http://www.securityfocus.com/brief/337
Global security differences
So what? - Sometimes reporters just get it wrong. If you look at this story, which covered a panel at the InfoSecurity show this week about how security is becoming global, the conclusion is that "both IT and physical security are likely to be driven by government regulations and business needs and are likely to move offshore." Huh? Is the world global today? Yes. Do some companies employ a follow-the-sun monitoring approach on their networks and security because it's more cost effective to have people monitoring networks during their day? Yes to this as well. But I'm not ready to start moving NOCs and SOCs to India or China just yet. Even for mega-enterprises. Ask Dell how their customer support experiment offshore worked out. So what do I suggest? Support locally and monitor centrally. You can gain some leverage by centralizing monitoring and some simple remediation, but that doesn't necessarily mean offshore. If you can maintain service levels and responsiveness, it wouldn't be a bad thing - I'm just saying it's not a foregone conclusion.
http://www.channelweb.com/sections/allnews/article.jhtml?articleId=193402428
Top Blog Postings
The Ethics of Blogging
Edelman (the global PR firm) is in hot water for doing a couple of sly blogs for Wal-Mart without disclosing that the blogs were sponsored and misrepresenting who wrote them. The blogosphere is in an uproar. Me, I'm pretty sanguine about the whole thing. Why? Because I don't trust anybody. Or more truthfully, I trust very few people. Ethics are ethics, whether you are talking about a blogger, analyst, journalist, or end user. I disclose when I do work for people, if I say something about them. That's the right thing to do. But lots of folks don't, which is what I expect. So when an analyst that I know is in the pocket of any number of vendors says something, I take it with a grain of salt. One of Martin's points is to educate the blog consuming public that some folks writing blogs may be unethical scumbags and to not believe them. I think that's the point. Blogs are another form of media like anything else. If anything, it's more anonymous and more fraught to have shysters misrepresent themselves. So you put a confidence metric on what you read and you move on. If someone wants to spend time writing a "bloggers code of ethics," that's fine, but I'm not sure it will make a difference.
http://www.mckeay.net/secure/2006/10/bloggerethics.html
Poking statistics in the eEye
Ross Brown used to be a stats head, that's why he so elegantly and succinctly can pick Microsoft's stats apart piece by piece, questioning their conclusions and challenging their methodology. Ross is right, but I'm not sure it matters. So what if Microsoft is jumbling together lots of attack vectors and their payloads? The fact is (and on this Microsoft is right) malware is still bad and not much we are doing from a security standpoint is helping. Maybe that's a bit pessimistic for a Friday, but that's what it is. Ross does bring up a number of good points basically calling Microsoft's bluff that they don't really talk about how to eliminate the infection, but rather how to clean up the sick patient. Microsoft is in the prescription drug business, not really preventative healthcare - so there is no incentive for them to talk about how to eliminate stuff in the first place. Since Ross does have a day job (there's not much money in teaching us statistics), he works all the way around to how a new type of endpoint security model is required, which is what eEye's Blink is all about (just ask him). I'm not going to get into whether he's right or wrong quite yet, because I'm doing a piece within the next couple of days about the future of endpoint security and all will be revealed then.
http://technobabylon.typepad.com/tb/2006/10/the_illusion_of.html
Are acquisitions good for customers?
This post on the SCADA Security blog brings up a number of thoughts. Dale uses the BT/Counterpane "mercy killing" to illustrate some of the issues with smaller companies being acquired by bigger ones, but also rationally figures that's the way it goes. I've been through a number of acquisitions myself and can tell you first hand - there are initially issues for the customers of all deals. Integration is a hassle, there is a lot of turnover and momentum is impacted. But 6 months later, things will either be a lot BETTER or a lot WORSE. Once a key vendor gets taken out, every customer should be starting to work on Plan B. If things get better, that's cool. If not, then you put Plan B into effect and save your own hide. There is no honor in going down with someone else's ship. Dale also wonders a bit towards the end whether functions like SCADA Security are the purview of control system software and hardware vendors or IT Security. The answer is both. Clearly the control system vendors need to add security into their infrastructure, and the core systems (like networks and servers) will be protected by IT security. See, layers. Layers is good.
http://www.digitalbond.com/SCADA_Blog/2006/10/security-vendor-consolidation.html
Will the Blackberry stay secure?
A couple of days ago, James O'Connor on the Symantec research blog posted on his experience checking out the security of the Blackberry. First things first, it must be pretty cool to have your boss swing by every couple of days with a new gadget and tell you to try to break it. That sounds like fun. But James is pretty impressed with the Blackberry, so all you Crackberry addicts can rest a bit easier. Communications are encrypted, risky Bluetooth capabilities are disabled, it's all good, right? Well, not exactly. If you have private or sensitive information on the device, then you should make sure to password protect it (10 wrong passwords deletes all the data), just in case you leave it in a cab or something. James is correct in his assessment that the challenge will be maintaining that security posture as more consumer features find their way onto the Blackberry.
http://www.symantec.com/enterprise/security_response/weblog/2006/10/hacking_the_blackberry.html
Recently on the Security Incite Rants Blog
Stiennon sends a love note to Check Point
The word is out, Stiennon is filling my NetworkWorld columnist slot and he starts off with a bang. In an open letter to Check Point's Gil Shwed, Stiennon provides his thoughts on what CHKP needs to do moving forward. I clarify, disagree (a bit) and expand on Richard's ideas in my own piece. Of course, Gil will ignore both of us (because that's what Gil does), but at least we've said our piece.
http://securityincite.com/blog/mike-rothman/stiennon-sends-a-love-note-to-check-point
SMB is the new enterprise
It wasn't that long ago that the SMB market got no love. Best case, they got fat, bloated and expensive software that the enterprise was already done with. But the money was in the large enterprises, so that's where start-ups focused. But through the wonders of open source, the rise of consumers, and the success of a few companies built to serve the SMB space, targeting the enterprise is passé. Check out my thoughts on why and how it's going to change the way many security companies go to market.
http://securityincite.com/blog/mike-rothman/smb-is-the-new-enterprise
Read yesterday's Daily Incite
http://securityincite.com/TDI-2006-10-26
Whether Microsoft presenting a major study on the rate of infection and then classifying the nature of infection wrongly matters or not should be fairly obvious, Mike. Microsoft owns the biggest soapbox in the industry, they define the reality of security awareness for millions of customers who never scratch below their analysis. If they lead customers to believe that the only possible option is surgery for removing bullets and not investing in both body armor, evasion techniques and surgery, they are creating the illusion that what they have is state of the market and the best to be expected, when there are dozens of other companies that do a better job. As an analyst, I'd expect you to be the first one screaming about the abuse of statistics for marketing purposes.
Of course malware is bad. But there are better conclusions than that in the report that deserve better challenges, not just from a vendor like me, but from the analyst community as a whole.