The Daily Incite - September 26, 2007

Submitted by Mike Rothman on Wed, 2007-09-26 06:28.
Today's Daily Incite

September 26, 2007 - Volume 2, #136

Good Morning:
Today let's talk about futility. I'm about to embark on my annual golf trip this morning. Actually it's my friend Todd's annual golf trip and his college buddies are kind enough to let me tag along for another year. I fear my golfing efforts will provide a surplus of futility because I haven't picked up the sticks since last year's outing. I had the best intentions of getting some lessons, going out to hit a few and maybe even playing somewhat regularly during the year. But alas, life continues to happen. With all the travel I do and my work schedule ramping up, the idea of taking 4-5 hours out of a weekend just didn't work out.

Thankfully I'll be in the high handicap group. You know, the guys that are not on the lookout for their ball (which is usually in the woods or the lake), but rather the beer cart. That'll be me. Where else can you pay $4 for a 25 cent can of beer and be happy as a clam? I'll take 10. As long as I don't hit any good shots and fool myself into thinking that I can actually play, it'll work out great. Four days of hack, chase, hack, drink, hack, drink, hack, drop, hack, drink, putt, putt, drink, putt and then mercifully take a snowman. That's an 8 for all of you golf mavens. We cap it at double par, which is a good thing. But it'll be fun. So I'll be out tomorrow - no Incite for you.

Back to futility. I know a lot of security professionals feel like they are just banging their heads against the wall, day in and day out. Most have nice, thick calluses on their forehead, so it doesn't even hurt too much after a while. With all the bad news out there, whether it's yet another 0-day (this time it's GMail) or another data breach or another government contractor not doing their job and the Feds not knowing about it for a year (yes, it's Unisys/DHS) - it's hard to stay optimistic.

Sure the data breaches are worse, but there seem to be fewer of them. Sure PCI is making folks jump through hoops, but at least it's a decent set of hoops to be jumping through. Sure applications have more holes than Swiss cheese. But at least there aren't an infinite number of hackers out there, and there is so much exposed attack surface that odds are they'll pass you by.

That makes you feel good, doesn't it? I'm sure your boss will appreciate it when you say, "Yeah, our defenses suck. But they are better than the other guy's, so we are probably OK." Yes, I jest, but not that much. It's kind of true. As I've long maintained, if a skilled attacker wants into your stuff - he/she is going to get in. We design our clean-up and incident response plans for those folks. Our defenses are largely built to stop the unsophisticated who use simple tools and exploit sophomoric exposures. And that's what we do.

In a weird way, this is an optimistic rant. The advent of these hacker tools (like phishing kits and black markets for exploits) actually makes it easier to defend. We know what the bad guys are going to do (most of them anyway) because they are pretty much lazy and if a tool is out there, they'll use it. Thus, we defend against the tools and live to fight another day.

So then you can go chase a white ball around some beautiful landscape in a tropical place for 4 days. That will give me plenty of futility to go around when I return. And maybe some optimism, since I'll be way ready to get back into the mix by Sunday afternoon.

Have a great day and rest of the week. I also need to send a shout-out to my kid brother, whose birthday is today. Happy B-day kid, although you aren't a kid anymore. Guess when we have our own kids, we can't really be called kids anymore.


Top Security News

Easier said than done
So what? - In last week's column, Roger Grimes talks about securing devices. Yes, we should get users to stop clicking on things they shouldn't. See, I said it. That's the secret to information security. But how do you do it? I see two reasonable solutions. Fire all your employees. That will stop them from clicking. Or you could remove their hands, but I guess that's a bit barbaric. Or maybe put them in handcuffs when they come into work to keep them from getting into trouble. But I hear voice recognition is getting better, so that may not even work. Actually Roger does have some good tips that most of you already know. Use malware protection and stop bad emails from getting through. Patch your machines and don't have users running as administrator. Use strong passwords. Yep, all of those are good things to do. But I'll add some training mojo on top of that. Yes, it will help. And then make sure you are monitoring your stuff, because a user will do something stupid and you will need to clean it up.

Less breach, but more severe outcomes
So what? - Longtime Incite readers know of my disdain for surveys. And this work from CompTIA is no different - they say there are fewer breaches, but they are more severe. Who knows? Who cares? Fact is, we don't know about most data breaches and neither do the users - until it's too late. But even if I indulge them, I'll agree that the breaches are getting worse. 45.6 million is the only number you need to know. Yes, that's the number of identities stolen in the TJX breach. But soon we will be even more numb to data breaches, and we'll finally realize there is no such thing as privacy. You'll need to lock down your credit and move on. And you'll be happy because when your data is stolen, you'll get to go to an exclusive sale from the company that lost your data. Speaking of my favorite data breach punching bag, TJX has offered $30 and a 15% "customer appreciation sale" to make it right. So you get to go in and save another 15%. Actually, it's probably not that bad a deal. Sure I was inconvenienced, but since I expected to get a big fat zero, the opportunity to get anything is probably a net positive. We'll see whether it's a net positive on TJX's market cap over the next few quarters.

Get Charney some Ambien
So what? - Were you wondering what keeps MSFT security honcho Scott Charney up at night? No? Me neither, but I guess it's not the bad Turkey sandwich he ate out of the cafeteria a day earlier. Maybe MSFT should get the Rolling Stones' cook or something. Since the Dead's chef works at Google, they should get someone at least as fancy. Maybe with that $30 billion cash hoard they could get Wolfgang Puck. That'll make MSFT a destination for all those smart young engineers, no? You can't be having your main security guys hitting the Tums all day from crappy cafeteria food. I'm sure Charney is working his way through the case of Tums anyway, just due to the huge target on everything Microsoft does. So what is he scared of? The bad guys, of course. They are smart and they are evolving, and they've figured out how to reverse engineer the patches and prey on those dimwits that can't patch in a reasonable time frame. He also talks about having a decent relationship with the security researchers and it's true. If you look at the news, many of the bug hunting press whores, I mean "research guys" are increasingly targeting Apple and Google. That seems to be much more fun. And generates more press hits too. Sounds like a win-win.

The Laundry List

  1. If at first (or second) you don't succeed, maybe try an anti-bot network. FireEye hopes the third time's the charm. Doubt it. Yet another feature disguised as a box. - FireEye release
  2. SanDisk's new partner program, SESTA, sounds more like something I need to get rid of with an antibiotic. OPSEC isn't going to happen again, so these partner programs are just a way for BusinessWire to drive some revenue. And a 4GB thumb drive is still a commodity. - SanDisk release
  3. Some hints to protect your Bluetooth. You wouldn't want anyone snooping your top secret calls, now would you? - CrunchGear blog
  4. DLP for SMB? Code Green introduces a smaller box, starting at $10K. It's still not cheap enough, but it's getting there. Soon enough some of the bigger DLP vendors will get "Barracuda-ed," but maybe not by Barracuda. - Code Green release

Top Blog Postings

Depends on your definition of what is (NAC) is
EO issues a call to arms to the NAC vendors to get their marketing and positioning in gear after StillSecure decides to give away like 5% of their NAC functionality and Cisco and Microsoft get closer to actually having product every day. Again, we continue to get caught up in semantics about what NAC is and where the value is. The idea of only doing host integrity checking is NOT INTERESTING. So any of the NAC vendors still flogging that feature (ahem...starts with a C and ends with an -isco...Ahem) as the big jammy are missing the point. I will give Shimel and his band of merry men (and women) some props for taking the bull by the horns. This is a pretty innovative way to get folks to kick the tires and maybe even make the case for why they'd need NAC. But the reality is, ENFORCING the policy is the entire ballgame. Guess they've been reading the story of the Trojan Horse.
http://www.computerworld.com/blogs/node/6245

D**k in a box, it's not.
The folks at Intel have ramped up their security blogging efforts and it's some decent stuff. Given the title of this post, I was hoping something similar to the classic SNL skit. Not so much. This post talks about a bunch of stuff, though it would be helpful if the points were structured to reflect some kind of rational thought. Do I ask for too much? But the point of folks continuing to look for the security "God-box" is true. And the vendors keep promising it, so why wouldn't customers expect it? The point of continuing the constant exploit-patch cycle is also well taken. We need to think more strategically about who the attackers are, what they could be looking for, and what's the best way to stop them. It's a pretty pragmatic way to think about the problem, but most folks would rather just continue to use FUD and alarmism internally to shake some coins out of the CFO's pockets. As this post says (I think it says this), that's a fool's errand. Sooner or later the money men (and women) catch on and realize it needs to be about business value.
http://communities.intel.com/openport/blogs/it/2007/09/24/security-in-a-box

You mean shelf ware doesn't count?
After reading Bejtlich's horrifying assessment of what may have happened with the DHS/Unisys situation, I kind of wonder a few things. First, how do those folks in Blue Bell sleep at night? I could do a lot of damage with $1.75 BILLION and it wouldn't be sitting under someone's desk. But here in the US, we believe in innocent until proven guilty. Though we all like a good perp walk every so often. Then I wonder what the hell is going on at DHS. So there is NO ONE responsible for a $1.75 BILLION contract? They don't have status meetings to say, where the hell are my boxes? Where are my reports that should be coming from those boxes? Why the F*** is my data being sent to the Chinese? And then these folks try to cover it up? Bad bad bad. Also trying to hide behind a C&A? Bad bad bad some more. On the positive side, like the DuPont database breach, I'm glad we accidentally found out about this stuff, but the fact that it happens in the first place is downright scary and depressing.
http://taosecurity.blogspot.com/2007/09/dhs-debacle.html