The Daily Incite - September 11, 2006
September 11, 2006 - #113
Good Morning:
I was in Logan Airport on 9/11/2001 about the same time as the bad guys, flying into Boston for my weekly trip to SHYM HQ. Like many of you, I'll never forget my experiences that day. But today I'm pissed off that 5 years later we have let the terrorists impact our daily lives (have you flown lately?) and they've co-opted one of our days. Co-opted? How many of you would choose to have a child born on 9/11? Not many. My wife and I prayed that the twins would stay put until 9/12. Thankfully they did. 9/11 is this generation's "Day of Infamy" and that's too bad. But it is what it is.
Let's turn this into a positive and celebrate the lives of those lost that day. I can only hope that it's not only this day that we remember. The folks that died that day deserve better. Douglas Schweitzer says he remembers every day (here). I can't say the same, but I remember a lot. Those that forget history are doomed to repeat it.
Has anything really changed in the past 5 years relative to cyber-security? Unfortunately not much (here and here). Security is much more top of mind, but if anything we've taken a significant step backwards because hacking is now a big business with much more at stake. It was mostly fun and games back in 2001. Now it's all business. Even to the point where some folks are questioning whether to even track worms anymore (here).
And to continue piling on vendor sales guys, check out today's Dilbert (here). I've seen that movie before. If you've been in technology for more than a month, you have too.
Have a great day and if you lost friends and/or family 5 years ago - my thoughts and prayers are with you today.
Top Security News
Five years - what have we accomplished?
So what? - Larry Greenemeier does a nice job in this InformationWeek post of summing up a lot of the activity that was prompted by 9/11. We've had some steps forward and a lot of false starts, but that is to be expected, no? Clearly we have taken a number of shots to our right to privacy. But how important is your privacy if you are dead? McKeay just threw up, and we need to find the middle ground. The real question is whether we are better prepared to deal with a disaster like this again. I can't speak for governmental bodies because I don't really spend much time there, but by and large I think corporations are far better prepared. Backup and disaster recovery processes are much cleaner and tighter (though they could always be better), and we are starting to see technology being used to aid first responders. No, it's not there yet, but I think 5 years from now we'll be in a much better position as more private entities bring capabilities to the table. Much like what we saw from folks like Wal-Mart and Home Depot during the aftermath of Katrina. They filled the gaps that the government couldn't handle themselves. Is that optimistic Mike making a cameo appearance?
http://www.informationweek.com/blog/main/archives/2006/09/post_911_five_y.html
Survey says Gov NOT ready
So what? - Somewhat substantiating what I said above, this survey from nCircle shows that most corporations think they are pretty well prepared for another disaster. Most also think the Government is not. Many of us in the business world are used to being nimble, but we also don't operate at the scale of the Federal apparatus. I'm not making excuses and I'm in the camp that says Government operations need to be run in a much more business-like fashion, but the scope of the problem is enormous. And I would hope that Katrina once again showed the holes in the disaster recovery process to the powers that be, and that the processes continue to be refined and tightened. I hope we never find out the answer to the question, but inevitably we will.
http://www.darkreading.com/document.asp?doc_id=103285
Speaking of improvement
So what? - Evaluating one's self is always a dangerous game. You get lots of idiots with opinions and keyboards (like me) that make sport of dissecting your every word. Especially when you work at Microsoft and you are talking about how your security posture has improved. Ben Fathi says that 5 years ago, they got a D. Now they are at a B+? Not so much. There are some aspects of their world where they really are a B+ or even an A. Like patching. But Microsoft will always be constrained by their legacy. Vista will have problems because of the legacy of Windows 2000 and XP. Requiring compatibility creates holes, so I say that for the next 7 years or so (until XP is all but gone) Microsoft will be mired at a C, at best. Those folks in new, greenfield installations will get better results (maybe even that B+), but the rest of the world will need to continue cleaning up the mess.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9003087
Landfill or crypto?
So what? - If any of you doubt whether we are going to see encryption for data at rest sooner rather than later, just check out this story. Chase is now in the position of hoping that some backup tapes with Circuit City cardholder customer data are at the bottom of some landfill. Hope is not a strategy. Of course, we'll never know, so now they get to notify all of those cardholders and monitor their credit for the next year. Or they could have implemented encryption for the data at rest. I'm not saying that this is a particularly easy or cheap option, but I suspect it's cheaper than the alternative of notification and monitoring.
http://www.securitypronews.com/news/securitynews/spn-45-20060908ChaseDumps26MCustomersInLandfill.html
Symantec hits bottom
So what? - Over the weekend I saw this SmartMoney article and also a write-up in Barron's that basically are starting to espouse the logic of the Symantec/Veritas merger. Clearly availability is a watchword, and security and storage are key parts of it. But what has Symantec done to warrant this now favorable press coverage? Have they executed on the story any better? No. Have they rolled out new products that show any leverage of the deal? No. What they have done is not screwed things up as badly. Expectations have gotten so low on Symantec that unless their execution went from bad to worse, there was bound to be Wall Street upside. And that's what we are seeing now. But to be clear, I don't think Symantec has made much progress at all on realizing any of the "synergies" Thompson sold to customers and shareholders when doing the deal.
http://yahoo.smartmoney.com/Techsmart/index.cfm?story=20060908&afl=yahoo
Top Blog Postings
HP saga continues
Evidently the HP board has been meeting over the weekend to determine the fate of Chair Patricia Dunn and also to determine the public stance relative to the privacy violations divulged last week. Just in case you were wondering whether any actual laws were broken, Chris Wysopal (who is now a contributor on Matasano's blog) makes a pretty compelling case about imminent litigation. But more interestingly, he provides a bit of background on pretexting and social engineering, which is very instructive. Clearly private investigators use all sorts of social engineering attacks to get the information they need, and some of those techniques are coming to light. Companies that house personal data must be aware of these attacks and train their folks to recognize them. Oh crap, that training word again. But since there aren't really technical defenses for pretexting (though I guess you can add increasing layers of authentication), we've got to depend on the front line folks to be able to recognize that kind of attack.
http://www.matasano.com/log/485/finger-79tcp-wysopalveracode-hp-pretexting-and-social-engineering/
Dr. Hoff, I presume
We security folks are always looking for analogies, and the human immune system is a common one. Chris Hoff hates it, and he's right. John Chambers is the latest offender of the immune system analogy in his Security Standard keynote, and it just doesn't resonate for me either. We are setting the bar too low, since we get sick all the time. If we are going to go with the healthcare analogy at least base it on science fiction - where illness is all but eliminated. Like in the Six Million Dollar Man where the aliens with Sasquatch have a miracle drug that cures all illness (here). Do I know how we get there? Of course not. But I do know that when you have systemic issues (HIV/AIDS) that constantly defeat the immune system, evade defenses, and kill people then you may not want to model your success scenario after that. I will admit that given the ability for the bad guys to evade our defenses and get our devices sick, the analogy does hold a bit today - BUT NOT IN A GOOD WAY.
http://rationalsecurity.typepad.com/blog/2006/09/the_immune_syst.html
Recursive auditing
Stiennon thinks we should be auditing the auditors, given that they've been shown remarkably untrustworthy when it comes to protecting a company's data. He's right, but it's very disappointing and makes me wonder when/where does it end? Do we need to hire other external auditors to audit our internal audit of our external auditors? Is this some auditor conspiracy to make accounting seem like a fun profession? Or is this just another example of shoddy controls on the part of auditing firms that are too damn busy writing reports for over-the-top legislation and forgetting to track what is really important? I think you know where I stand on this one. Because I happen to like my kids, I'm not sure I'd push them towards a career in auditing, but it does seem like there is assured employment for the foreseeable future.
http://blogs.zdnet.com/threatchaos/?p=402
Worms go on the endangered species list
Not real worms, of course, but the virtual kind. Shimel points to an Anton Chuvakin post basically calling some vendors out because they are repositioning as NAC vendors after having started in the anti-worm business. First, worms are not exciting anymore because there is little money in them. That's a fact. Second, if you are calling folks out, then you shouldn't stop with just two. NAC is a phenomenon that has become common nomenclature over the past 18 months. All of the companies that sell so-called "NAC" solutions have been in business for longer than that. So they ALL started out doing something else, so call them ALL out. Some were in place early enough that they actually launched with another message and then reacted to market hype and re-positioned. We are seeing this right now in a space Dr. Anton holds dear. Lots of SIM vendors are now repositioning as "log management." Anti-spam vendors became "email security." This is part of the game; the vendors go where they think the money is. So get used to it.
http://www.stillsecureafteralltheseyears.com/ashimmy/2006/09/if_the_worm_die.html
Recently on the Security Incite Rants Blog
Top 5 ways to piss Mike off
I've certainly had my share of crappy vendor briefings over the years. The latest was on Friday, but it got me thinking that I should at least document some of the consistent ways I've seen vendors just make my blood boil. I list the Top 5 here, but the briefing on Friday was special because the ass talking at me both questioned my integrity and then interrupted me after our discussion was over to retrieve a white paper he'd offered. Sometimes you just have to shake your head and wonder how some folks get employed in the first place.
http://securityincite.com/blog/mike-rothman/top-5-ways-to-piss-mike-off
Read Friday's Daily Incite
http://securityincite.com/TDI-2006-09-07