
NetworkWorld Column: IBM legitimizes managed security

Submitted by Mike Rothman on Mon, 2006-09-11 09:37.

In this week's NetworkWorld column, I go through some of the thinking behind IBM's acquisition of ISS. Of course for loyal readers none of this will be new. But if you are interested in how many Gulfstream V's or Bentley Continental GT's you could buy with $1.3 Billion dollars - read on.

http://www.networkworld.com/columnists/2006/091106rothman.html


The Daily Incite - September 11, 2006

Submitted by Mike Rothman on Mon, 2006-09-11 09:26.
Today's Daily Incite

September 11, 2006 - #113

Good Morning:
I was in Logan Airport on 9/11/2001 about the same time as the bad guys, flying into Boston for my weekly trip to SHYM HQ. Like many of you, I'll never forget my experiences that day. But today I'm pissed off that 5 years later we have let the terrorists impact our daily lives (have you flown lately?) and they've co-opted one of our days. Co-opted? How many of you would choose to have a child born on 9/11? Not many. My wife and I prayed that the twins would stay put until 9/12. Thankfully they did. 9/11 is this generation's "Day of Infamy" and that's too bad. But it is what it is.

Let's turn this into a positive and celebrate the lives of those lost that day. I can only hope that it's not only this day that we remember. The folks that died that day deserve better. Douglas Schweitzer says he remembers every day (here). I can't say the same, but I remember a lot. Those that forget history are doomed to repeat it. 

Has anything really changed in the past 5 years relative to cyber-security? Unfortunately not much (here and here). Security is much more top of mind, but if anything we've taken a significant step backwards because hacking is now a big business with much more at stake. It was mostly fun and games back in 2001. Now it's all business. Even to the point where some folks are questioning whether to even track worms anymore (here).

And to continue piling on vendor sales guys, check out today's Dilbert (here). I've seen that movie before. If you've been in technology for more than a month, you have too.

Have a great day and if you lost friends and/or family 5 years ago - my thoughts and prayers are with you today.


Top Security News

Five years - what have we accomplished?
So what? - Larry Greenemeier does a nice job in this InformationWeek post of summing up a lot of the activity that was prompted by 9/11. We've had some steps forward and a lot of false starts, but that is to be expected, no? Clearly we have taken a number of shots to our right to privacy. But how important is your privacy if you are dead? McKeay just threw up and we need to find the middle ground. The real question is whether we are better prepared to deal with a disaster like this again. I can't speak for governmental bodies because I don't really spend much time there, but by and large I think corporations are far better prepared. Backup and disaster recovery processes are much cleaner and tighter (though they could always be better) and we are starting to see technology being used to aid first responders. No, it's not there yet, but I think 5 years from now we'll be in a much better position as more private entities bring capabilities to the table. Much like what we saw from folks like Wal-Mart and Home Depot during the aftermath of Katrina. They filled the gaps that the government couldn't handle themselves. Is that optimistic Mike making a cameo appearance?
http://www.informationweek.com/blog/main/archives/2006/09/post_911_five_y.html


Survey says Gov NOT ready
So what? - Somewhat substantiating what I said above, this survey from nCircle shows that most corporations think they are pretty well prepared for another disaster. Most also think the Government is not. Many of us in the business world are used to being nimble, but we also don't operate at the scale of the Federal apparatus. I'm not making excuses and I'm in the camp that says Government operations need to be run in a much more business-like fashion, but the scope of the problem is enormous. And I would hope that Katrina once again showed the holes in the disaster recovery process to the powers that be, and that the processes continue to be refined and tightened. I hope we never find out the answer to the question, but inevitably we will.
http://www.darkreading.com/document.asp?doc_id=103285

Speaking of improvement
So what? - Evaluating one's self is always a dangerous game. You get lots of idiots with opinions and keyboards (like me) that make sport of dissecting your every word. Especially when you work at Microsoft and you are talking about how your security posture has improved. Ben Fathi says that 5 years ago, they got a D. Now they are at a B+? Not so much. There are some aspects of their world where they really are a B+ or even an A. Like patching. But Microsoft will always be constrained by their legacy. Vista will have problems because of the legacy of Windows 2000 and XP. Requiring compatibility creates holes, so I say that for the next 7 years or so (until XP is all but gone) - Microsoft will mire at a C, at best. Those folks in new, greenfield installations will get better results (maybe even that B+), but the rest of the world will need to continue cleaning up the mess.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9003087

Landfill or crypto?
So what? - If any of you doubt whether we are going to see encryption for data at rest sooner rather than later, just check out this story. Chase is now in the position of hoping that some backup tapes with Circuit City card holder customer data are at the bottom of some landfill. Hope is not a strategy. Of course, we'll never know - so now they get to notify all of those cardholders and monitor their credit for the next year. Or they could have implemented encryption for the data at rest. I'm not saying that this is a particularly easy or cheap option, but I suspect it's cheaper than the alternative of notification and monitoring.
http://www.securitypronews.com/news/securitynews/spn-45-20060908ChaseDumps26MCustomersInLandfill.html


Symantec hits bottom
So what? - Over the weekend I saw this SmartMoney article and also a write-up in Barron's that basically are starting to espouse the logic of the Symantec/Veritas merger. Clearly availability is a watch word and security and storage are key parts of it. But what has Symantec done to warrant this now favorable press coverage? Have they executed on the story any better? No. Have they rolled out new products that show any leverage of the deal? No. What they have done is not screwed things up as badly. Expectations have gotten so low on Symantec that unless their execution went from bad to worse, there was bound to be Wall Street upside. And that's what we are seeing now. But to be clear, I don't think Symantec has made much progress at all on realizing any of the "synergies" Thompson sold to customers and shareholders when doing the deal.
http://yahoo.smartmoney.com/Techsmart/index.cfm?story=20060908&afl=yahoo


Top Blog Postings

HP saga continues
Evidently the HP board has been meeting over the weekend to determine the fate of Chair Patricia Dunn and also to determine the public stance relative to the privacy violations divulged last week. Just in case you were wondering whether any actual laws were broken, Chris Wysopal (who is now a contributor on Matasano's blog) makes a pretty compelling case about imminent litigation. But more interestingly, he provides a bit of background on pretexting and social engineering, which is very instructive. Clearly private investigators use all sorts of social engineering attacks to get the information they need, and some of those techniques are coming to light. Companies that house personal data must be aware of these attacks and train their folks to recognize them. Oh crap, that training word again. But since there aren't really technical defenses for pretexting (though I guess you can add increasing layers of authentication), we've got to depend on the front line folks to be able to recognize that kind of attack.
http://www.matasano.com/log/485/finger-79tcp-wysopalveracode-hp-pretexting-and-social-engineering/

Dr. Hoff, I presume

We security folks are always looking for analogies, and the human immune system is a common one. Chris Hoff hates it, and he's right. John Chambers is the latest offender of the immune system analogy in his Security Standard keynote, and it just doesn't resonate for me either. We are setting the bar too low, since we get sick all the time. If we are going to go with the healthcare analogy at least base it on science fiction - where illness is all but eliminated. Like in the Six Million Dollar Man where the aliens with Sasquatch have a miracle drug that cures all illness (here). Do I know how we get there? Of course not. But I do know that when you have systemic issues (HIV/AIDS) that constantly defeat the immune system, evade defenses, and kill people then you may not want to model your success scenario after that. I will admit that given the ability for the bad guys to evade our defenses and get our devices sick, the analogy does hold a bit today - BUT NOT IN A GOOD WAY.
http://rationalsecurity.typepad.com/blog/2006/09/the_immune_syst.html


Recursive auditing

Stiennon thinks we should be auditing the auditors, given that they've been shown remarkably untrustworthy when it comes to protecting a company's data. He's right, but it's very disappointing and makes me wonder when/where does it end? Do we need to hire other external auditors to audit our internal audit of our external auditors? Is this some auditor conspiracy to make accounting seem like a fun profession? Or is this just another example of shoddy controls on the part of auditing firms that are too damn busy writing reports for over the top legislation and forgetting to track what is really important? I think you know where I stand on this one. Because I happen to like my kids, I'm not sure I'd push them towards a career in auditing - but it does seem like there is assured employment for the foreseeable future.
http://blogs.zdnet.com/threatchaos/?p=402

Worms go on the endangered species list
Not real worms, of course - but the virtual kind. Shimel points to an Anton Chuvakin post basically calling some vendors out because they are repositioning as NAC vendors after having started in the anti-worm business. Worms are not exciting anymore because there is little money in them. That's a fact. Second, if you are calling folks out, then you shouldn't stop with just two. NAC is a phenomenon that has become common nomenclature over the past 18 months. All of the companies that sell so-called "NAC" solutions have been in business for longer than that. So they ALL started out doing something else, so call them ALL out. Some were in place early enough that they actually launched with another message and then reacted to market hype and re-positioned. We are seeing this right now in a space Dr. Anton holds dear. Lots of SIM vendors are now repositioning as "log management." Anti-spam vendors became "email security." This is part of the game, the vendors go where they think the money is. So get used to it.
http://www.stillsecureafteralltheseyears.com/ashimmy/2006/09/if_the_worm_die.html

Recently on the Security Incite Rants Blog

Top 5 ways to piss Mike off
I've certainly had my share of crappy vendor briefings over the years. The latest was on Friday, but it got me thinking that I should at least document some of the consistent ways I've seen vendors just make my blood boil. I list the Top 5 here, but the briefing on Friday was special because the ass talking at me both questioned my integrity and then interrupted me after our discussion was over to retrieve a white paper he'd offered. Sometimes you just have to shake your head and wonder how some folks get employed in the first place.
http://securityincite.com/blog/mike-rothman/top-5-ways-to-piss-mike-off

Read Friday's Daily Incite

http://securityincite.com/TDI-2006-09-07

Top 5 ways to piss Mike off

Submitted by Mike Rothman on Fri, 2006-09-08 14:58.

As an analyst, talking to vendors goes with the territory. They are trying to pitch me on why they are great, and I'm always looking for additional data points to keep me in touch with the market and validate the information I'm getting from the end user side.

Most of these discussions are interesting, some even enjoyable. But then there are the ones where I want to slit my wrists halfway through and wish I had become more adept at gracefully bowing out and moving on to my next thing. I had one of those meetings this morning, and it made me think about 5 things that vendors do that consistently piss me off. This joker made every single one of these mistakes.

  1. Be enamored with your technology - This guy today was in the authentication business. And he proceeded to launch into why his technology was great before telling me why customers care about what they do. Before you tell me about bells and whistles, you are better off making sure I understand that there is a need and that I agree with that.

  2. Show me a meaningless demo - Once I couldn't get my arms around why his technology was different, he figured he'd launch the demo. Bad move. Besides the fact that the demo was crappy, I still didn't understand his differentiation. Any demo should map both the user and administrator experience. Show differentiation, make it clear how the stuff works and how it is integrated into a customer's environment.

  3. Name dropping - There is a high likelihood that I know more people than you do. So dropping names just annoys me. I don't care if a Fortune 10 bank stopped by your booth and is "very interested" in the technology. Half the time I don't even care about folks that have WRITTEN YOU A CHECK. And if you sell an enterprise product, don't make your customer references about podunk hospital of Topeka. I'm only interested in references after I get a feel for your value.

  4. Talking at me, not with me - I've been doing this a long time. You probably aren't going to tell me much I haven't seen before. Leave the PPT at home unless you are unable to tell your story (and then you should be looking for another job, no?). I like to have conversations, not listen to 30 minutes of you showing me crappy, incoherent slides and waxing poetic about how great you are.

  5. Not taking feedback well - I appreciate that a vendor takes time out of their day and talks to me. So I try to add a little value and provide some constructive feedback on positioning, pricing, messaging, etc. I've sat where you are sitting and I've pretty much screwed everything up twice. So maybe I can make a suggestion that will help. You may not agree with me and that's fine, but at least listen and be respectful. Let me make my points, you may even learn something. Ultimately, you may think I'm an idiot and disregard everything I say. I'm OK with that. But I will remember if you are rude about it.

Now those 5 things are pretty consistent. But what made my meeting this morning unique was the sheer lack of class this guy showed. At one point he questioned my integrity when I disagreed with him, basically asking if I was on retainer with one of his competitors. I'm not, though I do consider some folks with the competitor personal friends.

And then he had the gall to ask if what he was telling me was going to go straight back to the competitor. To be clear, an analyst with a big mouth that doesn't know how to keep a secret is not going to be in this business for very long. At this point, I said goodbye because there were too many potential weapons within grasping distance.

But that wasn't enough for this ass. He had given me a white paper early in the meeting. Then this guy storms up to me as I'm talking to someone else across the room and asks for it back. It's pretty rare that I am speechless, but this was one of those times. I was happy to give it back because it was going to be filed in the circular bin anyway. And any other response would have probably landed me in jail. But still, to interrupt another conversation I'm having to do something petty like that was the straw that broke the camel's back.

So the wonderful thing about having a blog is that I get to share these stories. And hopefully you can learn from my pain. Now I'm going to go enjoy my weekend since I've gotten this off my chest. I hope you do the same.


The Daily Incite - September 8, 2006

Submitted by Mike Rothman on Fri, 2006-09-08 08:02.
Today's Daily Incite

September 8, 2006 - #112

Good Morning:
This morning I'm feeling old. I know I'm not, but I just don't recover like I used to. In the days of yore, I could get by for days on 4 hours of sleep, including lots of partying and other mischief. Not anymore. I'm also looking back and appreciating how simple life was years ago, before the kids and other responsibilities that get piled on. My biggest issue was having enough Advil and Gatorade in the house to ensure I could function when the alarm went off the next morning.

A couple of things I found this AM got me thinking about how security has really evolved and become a business. And it makes me feel old because I've been in this space since pretty much the beginning. Besides Chris Klaus of ISS riding off into the sunset (here), we've got constant fraud on Google (here) and the bad guys are more in your face now. I was talking to someone yesterday and they mentioned how the trust factor is gone. He's right. If you get an email from your bank, you immediately think it's bogus. Guilty until proven innocent is the prevailing wisdom.

On the news front, the updated PCI standards have hit to very little fanfare (here), which is pretty surprising. There aren't really substantial changes, and I'm still thinking that until Visa and/or MasterCard execute someone in the public square for not playing ball, PCI's impact will be minimal. It's just another way to justify stuff you already want to buy, as opposed to changing behavior. I'll also point to a new log management service introduced by VeriSign and LogLogic (here). The managed security train has left the station folks, and one of the key questions you should be asking yourself is whether you can get someone else to do those rote functions better, faster, cheaper.

Have a great weekend.


Top Security News

VeriSign and the Lumberjack
So what? - Thankfully football season has started again. I just can't take any more of having to watch those crazy strong man or lumberjack competitions on ESPN 2. Speaking of lumberjacks, let's talk about the evolution of logging and log management. Yesterday, VeriSign announced a new log management service (driven by LogLogic equipment) and this is the right direction to be going in, especially for the mid-market. Logs require a crapload of storage and most of the time you aren't really looking at that data unless something goes really wrong. Why not make storage, retention, etc. VeriSign's problem? They can apply economies of scale and make it cheaper for everyone. I suspect we'll be seeing a bunch of logging services emerge over the next quarter or so. I just hope they are planting trees to replace the ones being harvested.
http://www.marketwire.com/mw/release_html_b1?release_id=0159874


Spyware is like gray hair
So what? - I'll admit to not being an authority on much. But I know a lot about gray hair. My hair started turning gray when I was in my early 20's, so I learned pretty early on that pulling out the gray hair is a losing battle. You pull one and 10 grow back. Kind of the same thing with these spyware and anti-spam litigation efforts. Now that's a random analogy, huh? Litigation is nice because it puts some teeth into what the bad guys do, but it's not going to stop the behavior. You fine 10 companies and extract a couple million bucks and those folks are out of business. But another 100 are ready to take their place. Same goes for the spammers. Sure Jeremy Jaynes is going to do real time, and I think that's great. But that hasn't stopped the spam cascading into my spam filter, now has it? Until something is done to remove the economic incentive to send spam and compromise machines, none of this is going to get any better. My only advice is to make sure you are a bit more protected than the next guy. Hacking is very much about the path of least resistance.
http://biz.yahoo.com/ap/060907/spyware_settlement.html?.v=2

Santa Klaus retreats to a virtual North Pole
So what? - One of the overlooked aspects of the IBM/ISS deal is that slowly, but surely as "big is the new small" takes hold we are losing a lot of the security pioneers who built this business. Chris Klaus, the founder of ISS, has not really been engaged with ISS for a long time, but this wide ranging interview with NetworkWorld jogs the memory. Chris describes his inspiration for doing ISS and also what he's up to now - which is not security related. I guess these kinds of discussions make me long a bit for the early days of this industry. When it was more of a crusade and less of a business. But time waits for no one, and as the business continues to mature - there will be fewer characters and more corporate. I guess that's progress, right?
http://www.networkworld.com/news/2006/090106-iss-ibm.html

Is that wireless network secure?
So what? - This TechTarget step by step guide on wireless security testing is pretty good. Kevin Beaver walks through the tools and processes that you'll need to figure out whether all of those access points create a problem for your business. It's pretty straight-forward stuff, like using Netstumbler and Kismet - but I really like the fact that this kind of information is available for free. There were days (and they weren't that long ago), where this kind of information was only available from high-falutin network security consultants and you had to pay big bucks just to figure out what tools to use. To be clear, reading a guide on SearchSecurity is not going to make you an expert. But it gives you enough information to start the process of becoming that expert or being able to call the bluff of an empty suit consultant that comes in to sell you a bill of goods. Now that really is progress.
http://searchwindowssecurity.techtarget.com/general/0,295582,sid45_gci1213806,00.html


AV is here to stay
So what? - Roger Grimes just likes to stir the pot. In this week's column, he talks about anti-virus and wonders whether we still need it. Of course we do. It's another one of those layers that I spend so much time talking about. It's true that AV is ill-prepared to find truly new threats, but it's awfully good at making sure we are not compromised by the things we already know about. And that's important. Roger gets there by the end of the column, but he also makes a good point that through a combination of strong perimeter and host protection techniques you can get by without AV. But Roger is not your run of the mill consumer. He doesn't need that safety net. But the other 99.999% of the folks out there do. So the rumors of AV's demise have been greatly exaggerated.
http://www.infoworld.com/article/06/09/08/37OPsecadvise_1.html


Top Blog Postings

PCI: The Sequel
It's very interesting that there has been virtually no news coverage of the PCI standard update. I get that most of the changes (PDF outlining the changes here) have already been discussed by MasterCard and Visa, but still. PCI is one of those things that could either be very significant and change the way anyone who sells anything manages data security, or it could be an empty suit like HIPAA. It all gets back to enforcement. I know I've made these points before, but nothing has changed. It's still not clear what the ramifications of non-compliance are, which in my opinion is a problem.
http://www.mckeay.net/secure/2006/09/pci_11_is_out_heres_the_change.html

Don't forget the reporting

The Mogull makes a pretty important point about interfaces in this post. I learned this the hard way when I was in the security services business. We were pushing to add products to our bag of tricks, but all of the stuff our internal people used was built FOR THEM, not for the customer. Productizing is more than just putting an SKU on a tool you use internally. The interfaces were terrible, so I definitely agree with Rich that interface and user experience are absolutely critical - especially as a market scales and functional differentiation evaporates. But I'll also add reporting into that category as well. Most folks don't think about the reports too much when they are buying a system, until they end up contracting a severe case of "pivot table-itis" the first time they have to do a log dump into Excel and perform unnatural acts to convince someone the new product works or just figure out what the hell is going on. The real problem is that technical guys would rather spend time building cool new features, as opposed to polishing the ones that customers are paying for.
http://securosis.com/2006/09/07/its-all-about-the-users-interface/


What's in your backup?

Reading this post about Guy Kawasaki's issues recovering from a hard drive failure over the holiday weekend is very instructive. Those of us that work for larger enterprises have all sorts of multi-layered backup strategies to protect the centralized data that we can easily get to. But what about all of those laptops out there? Is there important data on those? What are you doing to make sure they are consistently backed up, if anything? I've made mention of my own backup process (here) and that works for me. I also want to expand the discussion a bit to encompass data protection, not just recovery. Remember, it's not sufficient to only back up. If there is any private information on the device, you also need to protect it.
http://blog.guykawasaki.com/2006/09/why_smart_peopl.html

Trust is a myth
This post from Steve Gold makes me sad. He thumps Google on the head because AdWords can be gamed, but I take it more as an indictment of today's technology based society. This is kind of big picture, but bear with me a bit. In the old days, fraud still happened. Every day. It's not like we just invented bad guys. But the fraud was somewhat contained. In the age of globalization and the Internet, fraud is everywhere. Of course, fraudsters are gaming Google. And Google is too damn big to worry about it. Like a bank, they just figure a certain percentage of clicks will be fraudulent and that some number of accounts will use bad credit cards. They manage their business with those risks in mind. I guess I'm just ranting a bit, but I don't think there is an easy answer. Until this starts costing Google real money and/or a less fraudulent alternative emerges - it is what it is. But that doesn't mean we should be happy about it.
http://securityblog.itproportal.com/?p=468

Recently on the Security Incite Rants Blog

Read yesterday's Daily Incite
http://securityincite.com/TDI-2006-09-07

The Daily Incite - September 7, 2006

Submitted by Mike Rothman on Thu, 2006-09-07 09:51.
Today's Daily Incite

September 7, 2006 - #111

Good Morning:
Running a bit late this AM. Sorry about that. I'm not in the excuses business, but I do want to mention that my hangover this morning was sponsored by Chris Hoff. Thanks for your hospitality buddy. I'll be feeling those Guinnesses for most of the day. I'm still at the Security Standard conference for part of the day and John Chambers of Cisco did his keynote to kick things off. He always puts on a good show and I'll have a summary later today. In general I think the conference has been pretty good and brings up some issues relative to how to interface with the executive branch, as opposed to the technical issues many of these conferences typically address.

In security-land I want to call out Entrust for announcing just a ridiculous guarantee for FFIEC compliance (here). First, they have a bunch of caveats and the legalese is so thick you need a bull-shittake cutter to get through it. Next they say their software is not the only thing compliance can be based on. Huh? Finally, you only get a year of support if they mess up. Now that's some guarantee. Thank you sir, may I have another!

I also attack idiocy on a number of other fronts (yes my heartburn and hangover have made me grumpy), first being an asinine position from the G-men about what Microsoft should be doing post-Vista (here) and why it's not an issue for security vendors to actually warn us about security problems (here). And the fun doesn't end because I pile on with Oltsik and Ogren about the Cisco/Microsoft NAC-NAP deal (here). All in all, lots of crap to wade through today. Glad I brought my hip boots up to Boston.

Have a great day.


Top Security News

The new "HP way"
So what? - Being security professionals in many cases we get pulled into some less desirable situations and work with HR and legal folks to either substantiate or refute a complaint or accusation. But there must be a line and that line is defined by the law. Clearly the Chairman of HP, Patricia Dunn, doesn't understand where the line is. By snooping on other BOD members, she likely broke the law to try to find out who was leaking information about an HP strategic decision. We have technology to snoop data, read emails, intercept phone calls and the like. But that doesn't mean we should use it haphazardly. These tools need to be used judiciously and with the full support of your company's legal counsel. Ms. Dunn will fall for this, and there will probably be legal ramifications. And it's all because she didn't want to confront her fellow BOD members to figure out about the leak. I'm a fan of confrontation, so I'm happy to say I'll always opt for that path.
http://www.forbes.com/2006/09/07/hewlett-packard-dunn-cx_po_0907autofacescan01.html


Guaranteeing FFIEC compliance
So what? - Guarantees are a slippery slope. It seems that Entrust thinks their spiked boots will stop me from calling them out on a "guarantee" that any customer that commits by mid October will be "FFIEC compliant" by the end of the year deadline. Think again, this is a marketing stunt. There are no specifics about what FFIEC compliance really means, so pretty much anything that you do relative to assessing your risk and adding multi-factor authentication can show "compliance." They put in caveats about how their software will not be the "sole basis" to evaluate the online application. And what do you get if they don't get you there? One year of support. That's it. Here's more: "Under no circumstances shall Customer be entitled to any refund of any amounts paid to Entrust in respect to the Software System..." That's pretty funny, no? You voyeur lawyers out there can check out the legalese here.
http://www.entrust.com/news/2006/6363_6625.htm

Those that can't do, analyze
So what? - It annoys the crap out of me when folks overstep their bounds. They impact their credibility and most of the time come off looking like an ass. Back when I had product management responsibilities, the first rule was to NEVER design the product. That's what the engineers do. You just tell them, VERY specifically what the product and/or feature needs to do. So help me understand how an analyst from Gartner knows anything about what Microsoft can/should do with their post-Vista operating system. This analyst must have built OS's in the past. Actually he hasn't, but he knows best, clearly. And how many end users are really worried about Microsoft's next gen OS today? Right, none. This is annoying chest thumping to set an agenda for a vendor and make themselves feel smart knowing that no one will remember when this guy turns out to be dead wrong in 5 years. Stick to your knitting G-men, which is to help end users with TODAY'S decisions. Not helping vendors design products. If you could do that, you wouldn't be an analyst - now would you?
http://www.informationweek.com/news/showArticle.jhtml?articleID=192503689

It's a bird, it's a plane - no it's BrowserShield
So what? - Speaking of slippery slopes, Microsoft is working on some technology that will intercept "malicious" code and rewrite it before it renders in the browser - allegedly to prevent malicious code from executing. That involves a lot of trust, no? And what do they rewrite it with? Didn't Google get into trouble for intercepting traffic and changing the way a web page renders? I guess we trust the AV and anti-spyware software to flag malware, so I guess this is a logical extension, and there aren't really that many details about how it will be deployed. So I don't want to crap on this quite yet. But I'll take an initially skeptical stance.
http://www.eweek.com/article2/0,1895,2011765,00.asp


Foxes and hen houses and conflicts of interest
So what? - This opinion piece by Johanna Ambrosino of InformationWeek is dead wrong. She rants a bit about how Symantec and McAfee are the bad guys because they both issue security warnings and have products to solve the problems. You know, the fox guarding the hen house, which is what everyone does in the business. Clearly she isn't very familiar with how security works. End users rely on vendors as sources of information, but only the idiotic don't scrutinize that information themselves and make their own decisions. But my biggest problem with her idea of separating church and state is speed to reaction time. You can't tell me CERT is exactly responsive. The last thing we need to do is extend the vulnerability window, so I'm all for vendors providing information and end users actually using their brains to figure out what is right for them to do.
http://www.informationweek.com/blog/main/archives/2006/09/airing_dirty_se.html


Top Blog Postings

Openness or interoperability?
Jon Oltsik from ESG goes on a bit of a rampage here about the NAC/NAP interoperability agreement. As I mentioned (here), this is a non-factor and an attempt by both Cisco and Microsoft to freeze the NAC market until their products catch up to their PowerPoints. Jon is a bit partial to TCG, which I think is misguided because in an early market standards are a red herring, leaned on by those folks without market power to try to equalize things. Most of the time standards only come into play as a market matures and commoditizes. We aren't even close with NAC right now. Jon's colleague Eric "EO" Ogren weighs in here as well, basically supporting my position. Shimel weighs in as well (here), making the point that networks are heterogeneous, which isn't true for the 60-70% of the world that buys all of its stuff from Cisco.
http://news.com.com/2061-11203_3-6112960.html

Pressure is not an excuse

Boy, pointing to Tom Olzak two days in a row. How about that? But this post from over the weekend makes an interesting point. Change management policies are there for a reason. Depending on the scope and reach of your computing resources, changes may take from a few hours to a few days to be rolled out. Of course the business folks want their applications fixed or their new locations rolled out or their new laptop. And that's fine, the IT group's job is to meet those needs. But it needs to be done within the parameters of your change control process to ensure that haste doesn't introduce exposures. That being said, we should be trying to continually compress those change windows to react faster and to be more responsive.
http://blogs.ittoolbox.com/security/adventures/archives/desperation-doesnt-justify-bad-security-11441


Link scanning needs to be integrated

Brian Krebs discusses how he's played around with a link scanning service (this one from Exploit Prevention Labs) to see what is going on with the web sites he's navigating to. These are interesting services because having an idea about what is lurking behind that link will help to contain some web-oriented malware vectors. My issue with these web site-based deployment models is that they require users to change their process. They need to go to the LinkScanner site before they click on a link. That's unlikely. Scandoo requires that you do searches from their site (at this point anyway). I won't use them, even if I should, because it would dramatically slow down my work process. SiteAdvisor has the best integration with the way I work, but unfortunately I still haven't been able to get it to operate without breaking Yahoo! Mail. It also broke the web browser on the home PC that my kids use, so there are still problems, but the browser-integrated model makes the most sense to me.
http://blog.washingtonpost.com/securityfix/2006/09/scan_those_links_before_visiti.html

Abstracting your identity
It's been a while since I've discussed identity. It seems that Roger Sullivan, one of the identity gurus at Oracle, is now blogging. In this post he vents about the lack of a centralized body to process address changes. Since it's been two years since I moved to ATL, those wounds are mostly healed - but Roger has a point. To date, no convincing business model has emerged to allow these kinds of address changes to be leveraged and scaled. Of course, Roger works this to make the point that via standards like SAML and WS-* (Roger is VP of the Liberty Alliance after all) this kind of integration is possible today and that he'd pay for this kind of service. I agree that there is a big opportunity for that "IDsp" (Identity Service Provider) to integrate all of this together, but to be clear this is a non-trivial task.
http://rogerksullivan.blogspot.com/2006/08/miles-to-go-before-we-sleep.html

Recently on the Security Incite Rants Blog

The Security Standard: The Pendulum Swings Back
Here is the first of my posts from The Security Standard and I deal with the idea of whether security is an enabler or a defensive capability. It seems that every 4-5 years we see the pendulum swing back and forth and now it seems folks want to start considering security as an enabling technology. I'm of the opinion that we've seen this movie before and we always get back to defense. Defense aligned with business requirements, of course, but defense nonetheless.
http://securityincite.com/blog/mike-rothman/the-security-standard-pendulum-swings-back

Read yesterday's Daily Incite

http://securityincite.com/TDI-2006-09-06

The Security Standard: Pendulum swings back

Submitted by Mike Rothman on Wed, 2006-09-06 08:50.

I'm here at the Security Standard conference and I'm seeing the pendulum starting to swing back. What pendulum? The pendulum that swings like a metronome between security as a defense and security as an enabler. It seems to swing back and forth every 4-5 years or so. Of course, this is a "business" oriented security conference, so Black Hat it ain't. But business folks are trying to figure out how to pitch security as an enabler, that much is clear.

I'm a bit disturbed by this trend because we've all seen this movie before. So I'll make it very, very clear. Security is not a business enabler. It is a cost of doing business. You cannot do new things because of security. You do open up new revenue streams and add value to customers via new applications that reflect new (or updated) business processes. It may be ill-advised to put these new business processes on the web without adequate security, but you CAN do it.

I know. Once again, I get to play Mr. Wet Blanket. Or maybe I'm just playing off of semantics. But I think the nuance is important. The first presentation by Cathy Allen, the CEO of BITS (a Financial Services roundtable group) solidified things for me. Financial sector CEOs and CIOs want to believe that security will help them get new customers and open up new revenue streams. I don't think so.

I can tell you that organizations, especially financials will LOSE customers if they have continual publicized security problems. But is that defense or offense? I say defense. E*Trade was the first to start marketing security (remember the tokens?) and that has had arguably no impact. We've seen Bank of America and Wells Fargo make statements as well. Again, I'm skeptical that there's been any impact thus far.

What about other businesses? Is anyone trying to differentiate on being "more" secure? Retailers, no. Manufacturers, no. Utilities, no. Now that I'm thinking about it, is there anyone? That doesn't mean it isn't happening, but it's not making an impact yet.

Maybe I'm just over-reacting. Or the scar tissue that I have from trying to sell PKI as an enabling technology in the late 90's is aching. Whatever it is, I am very respectful of history. And history says that when money gets tight, these "enabling" initiatives get tossed over the side.

But defense persists - which is why security became all about defense during the tech nuclear winter (2001-2003) and during the AV renaissance that drove the security business from 2003-2005. And I don't think that this time is any different - but tell me why I'm wrong. That's what comments are for.


The Daily Incite - September 6, 2006

Submitted by Mike Rothman on Wed, 2006-09-06 06:45.
Today's Daily Incite

September 6, 2006 - #110

Good Morning:
Greetings from Beantown. Flew up yesterday (yes, flying is still miserable) for The Security Standard show at the Hynes. If any of you are going to be there, check out my session at 3:20 this afternoon on strong authentication. It'll be fun and educational. And if you want to grab a cup of coffee or something, just drop me a note and we can meet up.

In security-land today, it seems to be AV day. I discuss alerts (here), sharing information (here), and which AV detection techniques will win over time (here). The answer - all of them. In blog-land, I rant a bit (here) about why it's important to encourage failure and teamwork in all of our personnel. And no, I am not on drugs. If security folks are afraid to make a mistake and treat both internal and external auditors like the enemy - the system is not going to work. We need checks and balances to make sure we are truly protected from the bad guys. That doesn't work if the enemy is us.

Have a great day.


Top Security News

Bean counters weigh in - Network Security is BIG
So what? - Must be that time of the year again, the quantitative analysts are out there beating the drum for how big the network security market is. And it is big, weighing in at over $1.1 BILLION in Q2. And that's a good thing. I've found that folks like Infonetics are much better at looking backward than forward, so their numbers are probably pretty close. Biggest surprise? Check Point falls from #2 to #3, now behind Juniper. That's got to kick ol' Gil right in the bread basket. It's also interesting that they say "integrated security products and software" is 85% of the market, with IDS/IPS at 15%. Is that 85% UTM? Or just a FW/VPN? Or all of the above? You can't really buy a firewall without VPN anymore, can you? So that number feels like a red herring to me. But no matter. It would also be interesting to see about unit growth, as opposed to revenue reporting. But clearly pricing is coming down in the more mature spaces.
http://www.marketwire.com/mw/release_html_b1?release_id=0159874


AT&T hack two-step
So what? - We still haven't seen a lot of specifics about the AT&T website hack, but in the meantime let's point to some articles that are reminders of the obvious. If you handle credit card info, then your website is a target. Duh! That's what PCI is all about. If anything, this is the path of least resistance, since taking over machines and stealing information individually is brutal and time-consuming. Hacking into an e-commerce system and taking credit card numbers - not so much. So I'll make the point again, which is web apps need to be scanned and pen tested. You'd rather someone you are paying finds the holes, not the bad guys. Trust me on this. Also check out this article (here) that talks about how the bad guys are using elaborate and individual phishing attacks to get EVEN MORE personal information from those compromised. Scary, but goes to show that you should always verify with the vendor if they are asking you for personal information via email. And yes, I expect that we'll see mutual authentication become more prevalent anytime you are updating profile information, not just on banking sites.
http://www.informationweek.com/news/showArticle.jhtml?articleID=192500500

Boys will be boys
So what? - I continue to be amazed that people are surprised when vendors act like vendors and try to derail their competition. The only analogy I can think of is my 3 year old son starting to hit things (like me) with hard objects (like sticks and bats). Am I pissed? Sure, it stings. BUT HE'S A BOY. He's supposed to hit things. Of course, you tell him NO, but secretly I'd be much more concerned if he wasn't acting a bit more aggressive. Don't tell my wife, OK? Of course vendors are going to use alerts to make themselves look good, obscure information, and throw FUD at competitors. And the reseller quoted here has a point about the channel providing information to make sense of the mess. But don't kid yourself, the resellers take every opportunity to cut each other down too. That's what competition does. That's what free markets do. Remember it's a zero-sum game. If you win the deal, everyone else loses.
http://www.informationweek.com/news/showArticle.jhtml?articleID=192501689

Sharing virus information is novel?
So what? - Early senility is a drag. I could swear I called bunk on Microsoft's Virus Information Alliance a while back, but I can't really remember. Having spent time at TruSecure way back when, I became familiar with the WildList, which is basically the same thing but not vendor controlled. Well, I guess it is because CyberTrust owns it, but it's not AV monolith controlled. Now I don't blame Authentium for playing along (which is this news peg), it certainly can't hurt. But anyone that paints Microsoft's initiative as being new or novel hasn't spent much time in the security space.
http://biz.yahoo.com/bw/060905/20060905005161.html?.v=1


AV signatures vs. behavior
So what? - While we are on the topic of AV, let me point to a recent Stiennon-ism on signatures vs. behavior-based AV. Richard is right in pointing out that the number of updates is not relevant, it's the effectiveness of those updates. I don't buy that more updates is bad (everything is pretty much automated now, so it's not like folks are sitting there testing AV updates that drop 2 or 3 times per DAY), but crappy updates are certainly a problem. But the real point here is that there is not one technique that is used to stop the bad stuff, it's lots of techniques. Everyone uses signatures and they should. Shame on us if we are compromised by something that we've seen before. But you also need protection from the stuff that you haven't seen, and there are a number of ways to skin that cat. And all of them should be used. So we should be losing the religion in all aspects of security.
http://blogs.zdnet.com/threatchaos/?p=398
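To put the "lots of techniques" point in code, here is an added example (not code from this post, from Stiennon's, or from any AV product): a toy Python detector with a signature layer and a behavior-scoring layer. The sample bytes, hashes, action names and weights are all constructed for the illustration. A repacked variant of a known sample slips past the signature lookup but is still caught because it behaves the same way, while a benign program that does a couple of the same things individually stays under the threshold.

```python
"""Layered malware detection: signature lookup plus behavior scoring.

Added example, not code from the post or from any AV vendor. Every sample,
hash, action name and weight below is constructed for the illustration.
"""
import hashlib

# Layer 1: signatures. A SHA-256 of a known-bad file is the simplest
# possible signature; real engines match far richer patterns, but the
# property is the same: exact, cheap, and blind to anything not yet seen.
KNOWN_BAD_SHA256 = {
    hashlib.sha256(b"CONSTRUCTED-SAMPLE-A").hexdigest(): "Worm.Constructed.A",
}

# Layer 2: behavior. Each observed action carries a weight (constructed);
# a sample whose total reaches THRESHOLD is flagged even with no signature hit.
BEHAVIOR_WEIGHTS = {
    "write_autorun_key": 3,     # persistence
    "disable_av_service": 4,    # defense evasion
    "mass_smtp_connect": 3,     # worm-style propagation
    "read_documents": 1,        # normal for many programs on its own
    "create_temp_file": 1,
}
THRESHOLD = 5


def signature_verdict(content: bytes):
    """Return the signature name for known-bad content, else None."""
    return KNOWN_BAD_SHA256.get(hashlib.sha256(content).hexdigest())


def behavior_score(actions) -> int:
    """Sum the weights of the actions observed while the sample ran."""
    return sum(BEHAVIOR_WEIGHTS.get(a, 0) for a in actions)


def classify(content: bytes, actions):
    """Run both layers; return (verdict, reason).

    Signatures go first because a hit is cheap and unambiguous; the
    behavior layer only decides when nothing known matched.
    """
    sig = signature_verdict(content)
    if sig:
        return "malicious", "signature:" + sig
    score = behavior_score(actions)
    if score >= THRESHOLD:
        return "malicious", f"behavior:score={score}"
    return "clean", f"behavior:score={score}"


# Constructed samples: file bytes plus the action trace seen in a sandbox.
SAMPLES = {
    # Exactly the bytes the signature was written for.
    "known_worm": (b"CONSTRUCTED-SAMPLE-A",
                   ["write_autorun_key", "mass_smtp_connect"]),
    # Same behavior, different bytes (packed/obfuscated): no signature hit.
    "repacked_worm": (b"CONSTRUCTED-SAMPLE-A-REPACKED",
                      ["write_autorun_key", "mass_smtp_connect"]),
    # Benign program doing ordinary things: stays under the threshold.
    "word_processor": (b"CONSTRUCTED-BENIGN",
                       ["read_documents", "create_temp_file"]),
}


def run_all():
    """Classify every constructed sample; returns {name: (verdict, reason)}."""
    return {name: classify(content, actions)
            for name, (content, actions) in SAMPLES.items()}


if __name__ == "__main__":
    for name, (verdict, reason) in run_all().items():
        print(f"{name:15s} {verdict:10s} {reason}")
```

The lesson is the one in the post: signatures are cheap and precise for what you have already seen, the behavior layer covers what you haven't, and the threshold is where the false-positive trade-off lives, which is why the benign sample's actions are weighted low on their own.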


Top Blog Postings

Groundhog Security Day
So Farnum has decided the front lines are no fun anymore and he'd rather be running the supply trucks. Suffice it to say, Accuvant's customers will be happy they've got someone with front line experience because you never know when the supply line is going to be ambushed. But Michael brings up a systemic issue for the security industry and another reason that Managed Security is an inevitable outcome. Being a security manager is like being in the Bill Murray classic, Groundhog Day. Really. You wake up and are back at the same place. People are trying to get in, and you need to stop them. They'll try different attacks and most days you'll be OK. Some days you won't. But the only constant is that the next day they are going to try again. Having someone else manage the repetitive, fairly simple stuff is one way to beat the burnout that pushed Michael to reseller-land. That he'll likely dramatically increase his comp probably doesn't hurt either. But that will depend on his ability to sell stuff, now won't it?
http://infosecplace.com/blog/2006/09/05/one-of-the-reasons-i-am-getting-out-of-security-management/

Accepting Mistakes and Checks and Balances

Captain Privacy, Martin McKeay, changes gears a bit and talks about auditing in this post. He makes a good point, which is that no one is perfect and we all need checks and balances to ensure the right stuff gets done. But there is the key issue of security practitioners not feeling comfortable admitting they have made a mistake, and thus the internal auditors are usually treated more like the enemy than the cavalry. This is a huge problem because everyone (even the external auditors) is on the same team. And managers (CIO and CSO-types) need to ensure their people can make mistakes and not worry about their jobs. Back when I managed people (feels like 100 years ago), I consistently made the point that I expected mistakes. Failing was OK. Not trying was not. Being safe was not. Of course, we want to minimize errors, but since I'm pretty sure we all have humans working for us - they are going to happen. It's how you handle it that determines whether you have a team aligned against stopping the bad guys - or a breeding ground for internecine warfare.
http://www.mckeay.net/secure/2006/08/audit_then_audit_again.html


Limiting Liability on WiFi

This post by Preston Gralla has me remembering the classic Lite Beer commercials, "Tastes Great, Less Filling," as he takes the Terminator to task for WiFi warnings and not dealing with WiFi piggybacking. Will warning signs help and maybe get more people to deploy security? Maybe. But what's the harm? Do warning labels on cigarettes help? Probably not, but this is not about protecting networks. This is about limiting liability. In the age of tort mayhem, I actually think that the warning labels are a good thing. It's only a matter of time before some ambulance-chasing idiot sues Linksys because some unsuspecting consumer got hacked via their wireless network. "The vendor should have told me!" Well now they are going to, and hopefully we'll avoid more litigation silliness. While I'm at it, what's wrong with piggybacking? If you have a water fountain on the side of your house, is your neighbor stealing if they take a drink? Or if they shoot hoops on your basketball court? Aren't you just being neighborly? As long as they don't try to break into my house (and that's what my security system is for), what's the issue?
http://www.computerworld.com/blogs/node/3376

Virtually Saturday Night Fever
When I read this post from Tom Olzak, all I could think about was a flashing disco floor (a la Saturday Night Fever) in Second Life. I must still have that Blogging for Babes picture on my brain - scary. But Tom's architectural construct here is a good one. It's not brain surgery (folks have been using VLANs to segment internal networks for many years), but the virtual floor analogy is new to me. But I suspect these virtual floors will give way over time to virtual "rooms" or portals that provide visibility only to those resources that the user has access to. This will take much more sophisticated security being baked into the network, but we are going there (Secure Network Fabric lives). There is no reason that we need to be restricted to an access group based on our geographic location over time. But until we get there, this is a useful way to manage network traffic flows and firewall off segments as needed.
http://blogs.ittoolbox.com/security/adventures/archives/virtual-floors-can-help-meet-b2b-security-challenges-11474

Recently on the Security Incite Rants Blog

Read yesterday's Daily Incite
http://securityincite.com/TDI-2006-09-05

The Daily Incite - September 5, 2006

Submitted by Mike Rothman on Tue, 2006-09-05 08:36.
Today's Daily Incite

September 5, 2006 - #109

Good Morning:
Ready, set, GO! Now that we are back after the official "end" of summer, it's time to focus on what needs to be done between now and the end of the year. Maybe it's a good time to revisit those plans that you built about this time last year and see how things are coming along. What needs to be changed? What needs to be added? Are your priorities still in the right place? Call it your Fall cleaning exercise.

Things will gradually ramp up this week from a security news perspective. As I've mentioned previously, a lot of vendors now announce new products before Labor Day and thus leaving the short holiday week somewhat devoid of interesting news. We'll see how it pans out this year, but there wasn't anything that groundbreaking this AM, so I mopped up a bit from last week.

Have a great day.


Top Security News

Pile on Web apps
So what? - Yep, it's a pile-on. Web apps are getting pummeled of late relative to the security risks of applications that are accessible to anyone at any time. Of course, AT&T's recent issue is example number one, especially since they were using a hosted e-commerce company to run the site. Let's get something straight here, every application is vulnerable. Web apps may be a little more so because of their relative immaturity, but there are such compelling advantages to the hosted model that we are not going to close Pandora's Box, that's for sure. So we as security professionals need to make sure our applications are safe. Yes, that means scanning for the simple stuff and also periodically having a human try to break the application. Especially if you have private data accessible via that application.
http://www.informationweek.com/story/showArticle.jhtml?articleID=192501235


Building a farm team
So what? - I always find it interesting that more Big Security companies don't do more to sponsor information security programs within the large research and technical colleges. After all, aren't those kids the future of our business? Wouldn't it make sense to train them in what we do? So maybe it costs a few shekels for equipment and software, but isn't that a good marketing investment? This is the "farm system" that we need to make sure there are enough people to continue to battle the bad guys over time. In this article, the folks at Symantec are getting with the program by sponsoring a Georgia Tech competition to come up with "usable" security targeted at consumers. And who knows, maybe one of these teams will even come up with something that could make its way into a yellow box.
http://biz.yahoo.com/bw/060901/20060901005046.html?.v=1

Lines are blurring around IPS
So what? - This story from Dark Reading is interesting regarding the future of intrusion prevention. But not because lots of folks with a vested interest are poking holes in the current model of how IPS works. That's not the point. This discussion hearkens back to one of my 2006 Incites about "losing the religion" (here) because I still believe that customers don't care what techniques are used, but they need some way to stop intrusions. That is what IPS is supposed to do, no? There is some truth that the existing model needs to change and needs to get smarter. There is a lot of data out there that IPS' just don't use to figure things out, and they should. But I think it's a fool's errand for folks in the NBAD or NAC business to start calling their boxes IPS, even if they do stop intrusions. Guess it's time to fire up the category generator and figure out what the new IPS' are going to be called.
http://www.darkreading.com/document.asp?doc_id=102608

Problem Plus
So what? - Many of my vendor clients have heard chapter and verse about "Problem Plus," which is how I structure a product positioning exercise. This article by Rob Enderle underscores many of the same concepts. But Rob's main point is that IT buyers are looking to solve their problem. What is ailing them today. Any vendor needs to make sure they are solving the customer's PROBLEM before discussing anything else. Once you've got the prospect convinced that you can solve their initial problem (which is what they have funding for), then (and only then) do you start to focus on the PLUS, which are the additional differentiators that should swing the deal in your favor. That's why I call it "Problem Plus." But I spend a lot of time with confused users that don't really know if a vendor can solve their problem because they are weighed down by 50-page slide decks that talk about how the vendor solves every problem under the sun. That approach doesn't work, folks...
http://www.darkreading.com/document.asp?doc_id=102145


Passwords in a Word file?
So what? - Sometimes you read stuff from well-known tech journalists and you are appalled. It seems that Rafe Needleman (whose stuff I read religiously) keeps his website user names and passwords in a Word file. Holy accident waiting to happen, Batman! That's asinine. Now I get that it's hard to keep track of all of those credentials and maybe something like OpenID (which is the subject of his post) will help sometime in the future. But it's not there now. And for God's sake, kill the Word file. Your browser at least stores the user IDs and passwords securely. And it may be a hassle, but I've been known to have to reset my password every time I use a site because I can't remember the credential. But what I DON'T DO is store my passwords in a Word file.
http://reviews.cnet.com/4531-10921_7-6634615.html


Top Blog Postings

Closing out disclosure
There's been lots of mumbling and rumbling about responsible disclosure of late amongst the security punditry. Thankfully Thomas Ptacek has closed out the conversation in this post. Of course, he does so by referring to all of the stuff that he's written about before (and folks like Lindstrom and Mogull are talking about now). I'm pretty sure this concludes the discussion. I had this fraternity brother way back when that had this unique talent of being able to kill whatever conversation he joined almost instantly. Unlike Thomas, who shuts down this conversation through fact, this guy would change the subject or say something so ridiculous we all had to set our sights on him. Most of the time it was pretty annoying, but sometimes when a conversation dragged out and the same points were being re-hashed over and over and over again, his talent was welcome. This is one of those times.
http://www.matasano.com/log/456/mogull-and-lindstrom-are-smart-but-have-nothing-new-to-say-about-disclosure/

Cover your POS

Karn points to a recent Visa security bulletin about the woes of POS data, and how to protect it. Since a primary focus of my research is mid-sized business and lots of mid-sized businesses are retailers (or folks that take credit cards), this was of particular interest to me. Of course, there is nothing earth shattering here, but the suggestions make sense. Things like ensuring your POS software doesn't store too much and not trusting the vendor to get it right. You need to go into the database and ensure the sensitive information is not being stored. If you deal with credit cards, these are good tips.
http://security-guru.blogspot.com/2006/08/visa-issues-data-security-alert.html
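Following on "go into the database and ensure the sensitive information is not being stored," here is an added example (not from this post, from Karn's blog or from the Visa bulletin) of the kind of check a practitioner would run against a POS back end: a Python scan over table rows for stored PANs (with a Luhn check to weed out order numbers and other long digit runs), full track 2 data hiding in blob or notes columns, and columns whose names suggest CVV2 or PIN data. The rows, column names, regexes and the column-name heuristic are my assumptions; the rule behind the checks, that track data, CVV2 and PIN blocks must never be stored after authorization, is PCI DSS's. The card numbers are the standard Visa and MasterCard test numbers, not real cards.

```python
"""Audit stored POS records for card data that should not be there.

Added example, not from the post, Karn's blog or the Visa bulletin. The rows
and column names are constructed; the regexes and the column-name heuristic
are assumptions. The rule behind the checks is PCI DSS: full track data,
CVV2/CVC2 and PIN blocks must never be stored after authorization, and a
full PAN, where kept at all, must be rendered unreadable.
"""
import re

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
# Track 2 data: PAN, '=', expiry (YYMM), service code, discretionary data.
TRACK2_RE = re.compile(r"\b\d{13,19}=\d{4}\d*\b")
# Column names that suggest sensitive authentication data (assumed naming).
SAD_COLUMN_RE = re.compile(r"cvv|cvc|cid|pin|track", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters order numbers and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_pans(text: str):
    """Return the Luhn-valid PANs (digits only) found in a text field."""
    pans = []
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            pans.append(digits)
    return pans


def mask(pan: str) -> str:
    """Show only the last four digits, so the audit report itself is safe."""
    return "*" * (len(pan) - 4) + pan[-4:]


def audit_rows(rows):
    """Scan rows (dicts keyed by column) and return findings as
    (row id, column, kind, masked value) tuples."""
    findings = []
    for row in rows:
        for col, val in row.items():
            if col == "id":
                continue
            # Check 1: a column that by name holds CVV/PIN/track data.
            if SAD_COLUMN_RE.search(col) and val:
                findings.append((row["id"], col, "sad_column", "***"))
                continue
            if not isinstance(val, str):
                continue
            # Check 2: track 2 data hiding in a free-form or blob column.
            t2 = TRACK2_RE.search(val)
            if t2:
                pan = t2.group().split("=")[0]
                findings.append((row["id"], col, "track2", mask(pan)))
                continue
            # Check 3: full PANs in any text column (notes fields are common).
            for pan in find_pans(val):
                findings.append((row["id"], col, "pan", mask(pan)))
    return findings


# Constructed rows; the card numbers are standard test numbers, not real cards.
SAMPLE_ROWS = [
    {"id": 1, "card_last4": "1111", "notes": "order ref 20060905123456"},
    {"id": 2, "card_last4": "1111",
     "notes": "customer called re: 4111 1111 1111 1111"},
    {"id": 3, "card_last4": "0004",
     "auth_blob": "5500000000000004=09121010000012345"},
    {"id": 4, "card_last4": "0004", "cvv2": "123"},
]


if __name__ == "__main__":
    for finding in audit_rows(SAMPLE_ROWS):
        print(finding)
```

Row 1 is the false-positive case: a 14-digit order reference that fails Luhn and is left alone. Row 3 is the "don't trust the vendor" case: the column name says nothing, but the value is a full track 2 record, which the content check catches anyway. The report masks everything it finds so the audit output doesn't become one more place the data is stored.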


The right way to take someone out

We all pay a lot more attention to the "insider threat" now, but more of trying to protect against the damage an insider can cause. Jeff Hayes has a pretty interesting perspective on trying to find what is the root cause of a large percentage of insider attacks - disgruntled employees. Of course, most grumpy employees don't take retribution, but why take the risk? Lots of grumpiness involves how employees are terminated and I've got a decent amount of experience with that (on both the giving and receiving ends, by the way). It's a hard thing to do, but it can (and should) be a productive experience for both. A termination should NEVER be a surprise and the company should be fair with the employee economically. Not that they have to, but that they should. It's the right thing to do. And that kind of respect for people goes a long way to stopping insiders before they get so upset that they do something stupid.
http://mycsosolutions.net/2006/09/04/disbruntled-employees/

Encryption is cheaper than a hammer?
Not to be outdone, the Mogull needs to remind Stiennon of the law of large numbers. Richard has been talking about data destruction of late and came to the conclusion that disk drives and cell phones should just be destroyed. But Rich provides some context as to how that can be problematic for large companies. If you are talking about a couple of PC's, the old hammer will work fine. But if you have thousands of spindles in your couple of terabyte SAN, you probably need to look at a different approach. So in this case, it was a lot cheaper for this large enterprise to just encrypt all the data on the SAN, rather than destroying failed drives. That's pretty interesting, and goes to show that the mid-market and large enterprise markets continue to diverge relative to the technologies that will secure them.
http://securosis.com/2006/09/01/encryption-is-cheaper-than-destruction/

Recently on the Security Incite Rants Blog

What's Mike Reading?
One of the cool features in my RSS reader (BlogBridge) is the ability to keep other folks "reading lists" close at hand. So when they change something, it's automatically updated in your reader. The folks at BlogBridge were kind enough to publish my security reading list and you can check it out in real time. It's also available via OPML if you don't use BlogBridge.
http://securityincite.com/blog/mike-rothman/whats-mike-reading

SearchSMB column: Endpoint security: The weakest link
As many of you know, I write a monthly column/tip for SearchSMB about security. In this month's missive, I detail why endpoints are the favored attack vector for the bad guys and provide some pointers on how to protect the devices. Of course, given the crowd many of these techniques are pretty rudimentary, but since I'm a fan of both simplicity and repetition, I think it's a good idea to remind yourselves of the things you already know pretty frequently.
http://securityincite.com/blog/mike-rothman/searchsmb-column-endpoint-security-the-weakest-link

Read Friday's Daily Incite

http://securityincite.com/TDI-2006-09-01

What's Mike reading?

Submitted by Mike Rothman on Fri, 2006-09-01 11:02.

A while back I published my OPML reading list (here), so you could get a slight glimpse of what I'm reading. Unfortunately that service is static and I'm too lazy to keep it up to date. But my friend Pito Salas, who does BlogBridge (my RSS reader), has graciously published my dynamic reading list as a BlogBridge expert guide. I'm not sure I'm the expert of anything, but nonetheless...

Basically this is a list of the top security blogs that I read. BlogBridge has this cool rating system where I use 1-5 stars to rate each blog. Then it is organized accordingly when new material comes in, which makes getting through my news much easier. I track close to 100 security blogs now, but only about 30 rate 3 or more stars.

So check out those 30 here. The OPML link is here.

If you happen to use BlogBridge, this is really cool. You can add my reading list as a new guide. Go to Guides-Add Guide. Then click the "reading list" tab and hit the plus button (on the bottom left) and add the OPML link: http://www.blogbridge.com/directory/folder/1592.opml. Then any time I update my reading list, yours will be updated automagically.

Thanks Pito. BlogBridge is great.

Technorati Tag: information security

SearchSMB Column: Endpoint security: The weakest link

Submitted by Mike Rothman on Fri, 2006-09-01 10:42.

In this month's SearchSMB column, I provide a primer on endpoint security and why it's important. I also include 5 tips to ensure the security of your endpoints. Attacking the endpoints is the vector du jour and for obvious reasons. The ones with the controls (basically you and your users) have that little issue of human nature that forces them to click on stuff, even when they know they shouldn't. So here are some ideas on how to take that vector out of play. Of course, nothing is foolproof, but it's a start.

http://searchsmb.techtarget.com/tip/0,289483,sid44_gci1213598,00.html


PS: Also keep in mind this is for SearchSMB, which means mid-sized businesses. Some of the stuff I discuss in this specific column is better suited to this segment (100-1000 users). So you enterprise folks can put your guns back in the holster.