The Daily Incite - October 9, 2007
October 9, 2007 - Volume 2, #140
Good Morning:
Ah to be rested and refreshed and ready to jump back into the fray. OK,
well refreshed anyway. Having a few days to think has gotten
me good and fired up and ready to rant. So here goes. Check out Thursday
and Friday's editions of Non Sequitur.
My Dad turned me onto this comic a few years ago and I get it via RSS -
so it couldn't be easier. There is some decent commentary most days,
but it just doesn't resonate as often as Dilbert.
Given where the state of the security industry is and how it seems that
most of the business is more about marketing now than actually solving
customer problems, these two comics had me in stitches. The idea of just
issuing a press release with "some geek-speak mixed in to make it sound
sciency" is really relevant to a lot of the crap that makes its way
into my inbox every day. Even better, when the friend (Jeffrey) asks
"when does ethics ever come into the picture?" and our hero (Danae)
responds, "when the client's check doesn't clear," it makes me think
back to my days in the coal mine of security marketing.
Friday's version has Danae and her Dad discussing ethics. He protests
for a minute, but when he realizes that the "client" has covered the
mortgage for an entire year - he pretty much shuts his trap. Man, that
hurts because it will hit close to home for a lot of folks reading this
newsletter. It seems the security business isn't the only one where the
truth has gotten lost in a web of acquisitions, potential IPOs,
competitive deals, and ego. Companies routinely bend reality to fit
into a nice press release, which may create the perception of
leadership and bring some unsuspecting big company shopping for your
warez. So the game goes on and on. Vendors announce and sell months
ahead of their capabilities and typically have moved onto the next deal
before what goes around comes around.
And a lot of folks have become fantastically wealthy playing this game
time and time again.
I was on that path, but I seem to have missed the fantastically
wealthy part. I said things that were not necessarily LIES, but not
necessarily the truth either. I positioned, I spun, I did what I had to
do to compete. What I didn't do was really focus on solving the
customer problem. There wasn't any time for that. It was too hard when
I spent as much time fending off internal salvos (why don't we have
billboards in the airport like the other guys?, just say our box is
really fast) as I did trying to keep up with the competition.
After a while, it stopped being fun. So thankfully, I was given an
opportunity to get off the train. Now I find myself basically making
fun of the game and calling it a living. Calling folks out for what I
think are disingenuous and ill-advised statements that don't help
customers solve their problems. Many of you seem to get value out of my
rantings and I couldn't be happier. It would be refreshing for some
"good guys" that have built companies ethically and truthfully, without
a lot of the marketing hype and false pretenses to get a good
outcome.
That truly would be Bizarro world.
My ranting doesn't mean that I don't like folks that do security
marketing. Many are very close friends and they seem to love what they
do. If you understand the game and can operate according to your own
ethical compass, then it's all good. I couldn't, so I don't. But I do
owe a debt of gratitude to all of the folks that slog away trying to
differentiate me-too products in boring market spaces. You keep me very
busy and allow me to do what I love to do. Sometimes I feel bad having
fun at your expense, but not that bad.
Have a great day.
Technorati: Information Security, CSO, Security Mike, Internet Security
The Pragmatic CSO: Available Now! Read the Intro and Get "5 Tips to be a Better CSO" - www.pragmaticcso.com
Get Your Special Report: 6 Easy Steps to Protect Your Identity and pre-order your copy today - www.securitymike.com
Top Security News
Deal: McAfee does encryption - Take 2
So what? -
In the "we've seen this movie before" files, McAfee
has acquired SafeBoot for a cool $350
big in cash. That's millions to you accountants out there. On
what should be between $55-60 million in revenue this year, it's a good
multiple. Less than CHKP paid for PointSec, but not too shabby. The
funny thing is that McAfee owned PGP a few years ago and spun them out
because it wasn't core to the business. And what business was that
anyway? I think this is a pretty good deal for McAfee. A lot better fit
than CHKP/PointSec. It's all about maintaining desktop agent real
estate and continuing to add more features to make it painful for
customers to switch. Clearly laptop encryption is a critical piece of
desktop defense and should be wrapped into the endpoint suite. The deal
gives McAfee a bunch of bundling options and provides yet another
capability to be managed by ePO. It also means that SYMC has to do
something sooner rather than later on this front. Maybe they should buy
PGP, which would just be hilarious. Maybe PGP would have better luck as
part of the Big Yellow.
Don't look now, DKIM rises from the ashes
So what? -
Having proven that no one really cared about secure email during the
Internet bubble (and took $30MM of investors' money with me), it's
pretty funny that the good, old fashioned digital signature is having a
rebirth. With eBay and PayPal deciding to send all of their outbound
mail signed with Yahoo's DomainKeys technology, now users will be able
to tell whether messages are actually from eBay.
Presumably anyway. But this isn't a no-brainer because users will need
to be conditioned to actually look for the little key in their mailer.
And Yahoo! Mail isn't the only service out there, so you still need to
get everyone on board (especially Microsoft for use with Outlook
Express and Vista Mail). Finally, even if users are used to looking for
the key, it's just a matter of time before the fraudsters figure out
how to spoof the signature. Everyone thought having an SPF record to
validate a sender was going to be the silver bullet. WRONG! It turns
out the bad guys can publish SPF records as well. And bad guys will be
able to sign mail via DomainKeys too. It'll just cost them more money,
which is good. Although this is a great development, it doesn't signal
the beginning of the end of spam - not by a long shot.
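The SPF point above (anyone can publish a record for a domain they control, so a passing check only ties the mail to that domain, and the same logic applies to a DomainKeys signature) as an added Python example; this is not code from the newsletter, and the domains, IPs and DNS records in it are constructed.

```python
import ipaddress

# Constructed stand-in for DNS TXT lookups (these are NOT real records).
# "paypal.example" plays the legitimate brand; "paypal-login.example" is a
# lookalike domain the fraudster registered and published his own SPF for.
FAKE_DNS = {
    "paypal.example": "v=spf1 ip4:192.0.2.0/24 -all",
    "paypal-login.example": "v=spf1 ip4:198.51.100.7 -all",
}

RESULT_FOR_ALL = {"-all": "fail", "~all": "softfail", "+all": "pass"}


def spf_check(envelope_domain, sender_ip, dns=FAKE_DNS):
    """Minimal SPF evaluator: only ip4: terms and the terminal 'all'
    mechanism, which is enough to show what SPF does and does not prove."""
    record = dns.get(envelope_domain)
    if record is None or not record.startswith("v=spf1"):
        return "none"  # no policy published, nothing to evaluate
    ip = ipaddress.ip_address(sender_ip)
    for term in record.split()[1:]:
        if term.startswith("ip4:"):
            if ip in ipaddress.ip_network(term[4:], strict=False):
                return "pass"
        elif term in RESULT_FOR_ALL:
            return RESULT_FOR_ALL[term]
    return "neutral"


def classify(envelope_domain, sender_ip, trusted_domains, dns=FAKE_DNS):
    """A receiver's decision needs two checks: did SPF pass, AND is the
    domain it authenticated one the user actually expects mail from?"""
    result = spf_check(envelope_domain, sender_ip, dns)
    if result != "pass":
        return "reject: spf=" + result
    if envelope_domain in trusted_domains:
        return "accept: authenticated " + envelope_domain
    return "warn: spf=pass but " + envelope_domain + " is not a trusted brand domain"


if __name__ == "__main__":
    trusted = {"paypal.example"}
    # Spoofed brand domain from a host it never authorized: SPF catches it.
    print(classify("paypal.example", "203.0.113.9", trusted))
    # Fraudster's lookalike domain sending from its own listed host: SPF
    # passes, because the fraudster wrote that record himself.
    print(classify("paypal-login.example", "198.51.100.7", trusted))
```

The second case is the one the paragraph warns about: the check is technically correct, and only the extra "is this a domain I trust" decision tells the user anything useful.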
CIOs to be burned at the stake for security breaches
So what? -
As Bob Evans of InformationWeek posits, maybe it's time for a good
old-fashioned witch hunt. Maybe it's time to force some good behavior by
severely punishing the bad behavior that results in security
breaches. Maybe it's time for not only the CISO to be the
fall guy (or gal) when something goes south, but also to put the head
of the CIO on a stick at the same time. Parade both of their corpses
around the lobby to make sure everyone gets the picture. How about that
for a Pièce de résistance? I actually think Bob
is on the right track here. We started to get activity on cleaning up
financial reporting shenanigans once we had a few perp walks and high
profile CEO trials. Maybe we shouldn't stop at the CIO, but why not
take the CEO out as well. Ultimately how an organization cares for
customer data is the CEO's responsibility. So he/she should be
accountable for that as well. But as long as there seems to be a
never-ending stream of CISOs to be the fall guy, I doubt it will happen.
The Laundry List
- Kerberos back from the dead also. MIT forms the Kerberos Consortium for those too young to die, but too old to actually be relevant. And no, Kerberos is not going to be "as ubiquitous as TCP/IP." - ESJ Newswire
- The Top 10 reasons web sites get hacked, which is a misnomer. The article is about OWASP's new Top 10 list. Which is pretty much the same as the old Top 10 list. - NetworkWorld coverage
- Blue Coat gets with the reputation program. They just call it "real-time protection." - Blue Coat release
- Just what we need, another "improved" anti-virus test. Yet another test to be gamed, but really more of a way to break ICSA's hegemony on testing AV products. - InfoWorld coverage
Top Blog Postings
Remember what I do for a living...
I guess I hurt Dom Wilde's feelings because I propped up Fratto for
having the stones to say most organizations are not ready for NAC. To
Dom's point, it could be a product thing (sometimes it is) or it could
be a customer thing. Candidly, I don't care what the reason is, it's my
job to take positions from the perspective of the customer and to
defend those positions against detractors that have a vested interest
in me being wrong. There are technologies that have been out there for
10 years and are still struggling to get massive uptake - SIM or NBA
anyone? In both of
those cases, it's more about the customers not being able to deal with
the technology than the technology not working. On the other hand you
have emerging markets like DLP, where the products aren't really good
enough yet and require a lot of tuning and hand-holding. NAC is
probably somewhere in the middle. Regardless of Dom's day job, the
reality is the hype around NAC has set unrealistic expectations.
Evolving the campus infrastructure doesn't happen overnight, due as
much to organizational issues as anything else. But to be clear, you
haven't seen a lot of wholesale swap-outs of hundreds of Cat 6500's for
a reason - "secure switches" or "NAC switches" or whatever you want to
call them still need some more time in the kiln.
http://www.nevis-blog.com/2007/10/is-your-nac-gla.html
The benefits of being anti-social
I can say it's very rare that I would experience what Jeff Hayes heard.
Evidently Jeff started chatting with a bloke in a sports bar, who then
proceeded to divulge all sorts of goodies about his company's security
tactics, defenses and tool sets. It's actually pretty common. Since I'm
pretty anti-social, I tend to not engage directly with folks, but
rather eavesdrop when a few beers have lubricated the lummoxes standing
next to me. They go through all sorts of stuff that they shouldn't and
it's easy to see how this kind of simple reconnaissance can be
invaluable intelligence if you were trying to break into a shop. As
they say, everything in moderation is OK and paranoia is too. Don't
flap your lips on an airplane or in a bar or to a stranger. You never
know who they REALLY are.
http://mycsosolutions.net/2007/10/04/loose-lips-sinks-ships/
Are there any relevant NAC policies?
Tenable's Ron Gula asks a pretty insightful question about NAC
enforcement policies in this post. It just goes to show how early we
are in the evolution of NAC solutions and the maturity of the
infrastructure and ecosystem to support the new technology. As
technologies mature, there tend to be standards, tests and benchmarks
that emerge to basically ensure everyone reverts to the mean at some
point. You wonder why so much of the world is just mediocre? Ron's
point is that customers are not asking NAC vendors to test hosts
against a CIS policy before entering the network, so they don't. Yet,
vulnerability management suites have been doing these tests for a long
time. This isn't a technology issue, this is a speeds and feeds issue.
Vendors will have more impact on their business by investing in bigger,
faster boxes and more enterprise-type features. Early adopters like
lots of flashing lights, not features that keep their operations guys
happy. So things like CIS guidelines will be tested as part of the NAC
suite at some point, but only when all of the other deployment issues
are in the rear view mirror.
http://blog.tenablesecurity.com/2007/09/why-arent-any-n.html
Recently on the Security Incite's Blogs
Find out what Security Mike is talking about: http://securitymike.blogspot.com
Check out the latest on the Security Incite blog: http://blog.securityincite.com/
Read the most recent Daily Incite: http://securityincite.com/security-incite-rants/daily-incite