The Daily Incite - October 30, 2006
October 30, 2006 - #145
Good Morning:
Fall back, baby! Over the weekend, here in the US anyway, we set our clocks back to standard time and gained an hour of sleep on Saturday night (or partying, if that's your thing). The extra hour was good, but I'm surprised by the effect a little sunshine had when I went out to the bus stop with my oldest daughter this morning. Although it was early, it didn't feel as early because it was light. Strange and clearly psychological, but a welcome change from the dark, dreary and cold bus stop runs of the last 2 months.
Today's theme is "going through the motions" and we have a lot of datapoints on that topic today. First, the FBI is going through the motions in protecting the TSA going through their own motions, given that a graduate student brazenly put up a web site to print out boarding passes last week (here). You expected a different response? And you hear about some US agencies' attempts to apply security metrics (here) and they are clearly going through the motions. Compliance is hard, so you see lots of organizations struggling and putting on their game faces about things like HIPAA (here), but you guessed it - they are really going through the motions.
In blog-land, the debate is on about IDS/IPS and its usefulness (here). Again. What these guys are forgetting is that lots of organizations just go through the motions and no one really argues when you want to buy IDS/IPS, so folks build it into the budget and then they buy it - regardless of what it does. Yes, these organizations are going through the motions. But Amrit questions whether we have stopped questioning (here) and this is a great point. Lots of people go through the motions every day. Just like lots of computers are compromised, lots of networks broken into, and lots of fraud perpetrated. But that doesn't mean you have to accept that outcome.
Control the things you can control, and do the best job that you can. Don't accept the status quo and go home knowing you did a good job today. That much we all can do. Have a great day.
Top Security News
What do you mean your name is J. Edgar Hoover?
So what? - Looks like the media has its meme for the week in the poor sap that posted the Northwest boarding pass generator for all to see, and won an all-expenses-paid trip to FBI HQ. Seriously, what did people expect to happen? Most airline security is for pomp and circumstance, a potential deterrent while the real intelligence heroes are trying to figure out where the next attack is going to be. So when a guy so flippantly shows how to circumvent a key part of the "show," of course the FBI is going to pay a visit and in all likelihood make an example out of the fellow. I agree with Adam at Emergent Chaos (here) that they are focusing on the wrong stuff, but this is how they are playing the game. So no, Chris Soghoian will not pass go and he won't collect $200. He'll be lucky if he just gets a slap on the wrist.
http://blog.washingtonpost.com/securityfix/2006/10/boarding_pass_hacker_gets_visi_1.html
Is that a razor in your apple or are you just happy to see me?
So what? - It is Halloween week, and that's always a lot of fun. Pumpkins galore and the kids really get excited about dressing up and doing their thing. This tongue-in-cheek (and long) article in ComputerWorld brings up a number of good profiles of folks that we security people need to be aware of. From the "Privileged Executive" for whom the rules don't apply to the disgruntled sys admin, these are folks that likely exist in your organization. Some of the "remedies" suggested aren't really useful and in reality, there isn't much we are going to do about a librarian that has access to sensitive documents. Having that access is his/her job. But we can be aware that these folks are there and that you need to have some type of contingency plan in place, just in case these folks do try something ghoulish.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9004538
Put those metrics down, before someone gets hurt
So what? - I've read all the management books about measurement and constant improvement, et al., so I get the need to quantify things and use that baseline to show improvement. When I was a marketing guy, I was a quant and statistics hound. How else do you prove your worth? And yes, contrary to popular belief, I do see the need to measure security and show improvement. The question becomes what do you measure, how often, and does it really prove anything? Then I see articles like this, and want to commit ritual hara-kiri. So some of the US Federal agencies are embracing metrics, like upgrading XP workstations to SP2 and getting 80% of the AV signatures updated daily. And the goal is to reduce 2 or 3 unscheduled "emergency" software or config changes down to one by 2007. Is it just me, or are these metrics ridiculous, just going through the motions to track some number and try to show improvement? At least now I know my tax dollars are hard at work measuring stuff.
http://www.gcn.com/online/vol1_no1/42400-1.html
The Long, Hard Road to Compliance
So what? - Some of the recent talk about relaxing some of the more onerous restrictions of SarbOx is a step in the right direction. The mega-enterprises can (and do) throw people at the problem until they get a report the auditors are happy with. Smaller organizations don't have that option. This CIO article is HIPAA focused, but it really applies to all the regulations. I know of a number of healthcare institutions who have basically just given up on HIPAA. They've set aside a budget to deal with the penalties, should they get caught, but they focus on running their business and trying to do smart security stuff, as opposed to being "compliant." And as the article points out, there haven't been any "perp walks" that would get these folks to change their mind. So something has to give. We either continue going through the motions or try to evolve the regulations to be more relevant to helping organizations protect private data within the context of their businesses.
http://www.cio.com/archive/101506/comply.html
Is there anything new with sender authentication?
So what? - So what if Microsoft decides to make Sender ID a free and open specification? Historically, sender authentication has not added anything to our ability to detect spam because it's trivial for a spammer to publish their own record. But with the advent of zombies sending most of the spam out there, sender authentication could have a resurgence. Ultimately, for users, this should be transparent. When you set up your outbound SMTP gateway, you should set up your record (either Sender ID or DomainKeys or both) and then you don't worry about it. The magic algorithms within my email security gateway should figure out how reliable sender authentication is and act accordingly. No? But I guess the marketeers need something to talk about in an increasingly uninteresting email security market, so we'll probably hear more about this.
http://www.infoworld.com/article/06/10/26/44NNemailauthentication_1.html
Top Blog Postings
IDS/IPS is another way to go through the motions
Looks like a good old fashioned blog pile-on happened over the weekend over how useful IDS/IPS is. Mr. Tao, Richard Bejtlich started it up, Thomas Matasano weighed in and Amrit had to say his piece as well. Shimel (who kindly includes links in his post) agreed with Amrit in making the assessment that IDS has not lived up to expectations. I've got a different take. IDS/IPS has been around long enough for most end users to be comfortable with the technology. Whether folks turn on blocking or not (IDS vs. IPS), it's become non-controversial for users to deploy some type of signature-based solution to detect (and maybe block) attacks. SO THEY DO. You talk to many users and ask, "why are you rolling out IPS?" and the answer is because it's in the budget. Yes, most people go through the motions and that means probably not asking hard questions about what value the technology is going to add. Maybe I'm being harsh and unfair to the diligent ones out there, but sadly they are the minority. But I also believe that IDS/IPS does have a place in larger networks that can use it as one data point to figure out what's going on. It shouldn't be the only data point, to be clear.
http://www.stillsecureafteralltheseyears.com/ashimmy/2006/10/the_peak_of_inf.html
Question everything
Speaking of going through the motions, Amrit posts a pretty thought-provoking piece here about the "Allegory of the Cave" and makes the point that it is up to all of us to question our perceptions and assumptions every day. I think we run a real risk of just "giving up" relative to security because we just accept that it's bad and there is nothing we can do about it. Folks will continue to go through the motions (because they have to), but if the battle seems bleak enough for long enough - most people just give up. That's obviously a bad thing and we are sorely in need of some disruption in our little space to knock us out of the status quo and get everyone thinking differently. If I knew what that disruption was, by the way, I'd be doing that instead of just writing about the need for it. But I just keep seeing "innovation" from vendors that means faster, cheaper, or a few more things bundled in. And that's not going to get the rank and file energized about battling the bad guys. We need to think we can win.
http://techbuddha.wordpress.com/2006/10/30/the-allegory-of-the-cave/
The law of unintended IPO consequences
One of the things you tend not to think about in all of the excitement about a high profile security industry IPO is the "quiet period." So now Marty Roesch won't be saying much of anything for the next 3-6 months as they move the Sourcefire deal through the process. Given the millions of reasons Marty has to listen to the lawyers, I certainly agree with his stance. But this does make you question the quiet period and wonder whether it's past its useful life. I guess if Marty said IPS is wonderful on his blog, that could be perceived as promoting his own deal - but still, that's what the guy believes. So I didn't really think about the fact that with every IPO, you lose a certain number of voices weighing in on critical topics for a period of time.
http://securitysauce.blogspot.com/2006/10/sourcefire-files-s-1.html
Clarifying my Risk Management thinking
Thanks to the Mogull for succinctly saying what I was trying to say last week, when I made the brazen comment that firewall admins should be managing firewalls and not a risk management program. All security staffers need to be aware of what they are protecting and why. I'm a big fan of full disclosure and more information, rather than less. But Rich's point is right on: folks doing the grungy work of managing equipment do not have the context to make resource allocation or priority decisions about how much should be invested where to protect what. That was really my point and I'll stand by the statement that Risk Management is for MANAGERS, in that they ultimately need to be the arbiter of what gets done because we all have to make choices every day. Doing everything is not an option.
http://securosis.com/2006/10/27/risk-management-set-your-domain-experts-free/
Recently on the Security Incite Rants Blog
Plan B: Blogging via email
At the end of a long week, I felt the need to play around a bit - so I experimented with blogging via email. Given the Internet connection mysteries of Incite Central, I figured having a Plan B to make sure I can get my publishing done wouldn't be a bad thing. So this post was done via Outlook (still figuring out the nuances of the Blackberry), but it does give me some flexibility to do my thang, wherever I am.
http://securityincite.com/blog/mike-rothman/plan-b-blogging-via-email