May 17, 2006
Good Morning:
I'm a big fan of strong enforcement of policies. Without enforcement, the policy is not worth the paper it's written on. There is a great story about how GE Consumer Finance enforces their policies that I suggest you read. Though it's hard, if you want to be successful in security you'll need to make a public example of folks. Nothing gets the message across that you are serious better than a public execution in the town square.
In breaking news, Blue Security has shut down (check out Brian Krebs's coverage here [1]). They've decided not to fight the spammers and are closing their doors. Good riddance to these jokers. It just goes to show that spamming spammers is not the way to make them stop. It's not like these guys are worried about playing fair or running afoul of the law. What did he expect them to do? Stop most of the crap at the email gateway and move on. Spam happens, just deal with it.
On a personal note, congratulations to my oldest daughter Leah, who graduates from pre-K today. I know, it's a little ridiculous to "graduate" from pre-school and they are even putting her in a cap and gown. But to me it's more of a milestone. In what seemed like the blink of an eye, almost 6 years have passed and now she's starting the next phase of her educational journey. She's not a baby anymore, which she reminds me of almost daily. So I'll be with my family most of the day, which is one of the advantages of working for yourself. I can do stuff like this.
Have a great day.
Top Security News
GE on prosecuting security breaches
So what? - Make a mental note not to mess with GE Consumer Finance. In this user profile in NetworkWorld, GE Consumer Finance's head of enterprise security talks about public hangings, vehement prosecution and ultimately setting a tone so that employees (and others) know there are consequences for misdeeds. There are lots of ways to educate your users; the iron fist is clearly one of them. This may not be the best approach for everyone, but historically I've seen it be very effective.
http://www.networkworld.com/news/2006/051506-ge-security.html [2]
Does outbound email filtering = compliance?
So what? - For some customers the answer is yes. They are wrong. While it is true that a majority of the information leakage that is a compliance problem for companies happens through email, it's hard to envision an email-only solution being strategic for customers. A broader solution (like extrusion prevention) encompassing all traffic types makes more sense to me, as opposed to just focusing on one protocol. That being said, right now extrusion prevention has fairly limited remediation workflows (compared to the email security folks), but those will improve rapidly. The email security folks are not standing still: in this news clip IronPort tries to gain parity with Proofpoint and CipherTrust by announcing new outbound stuff. Per usual, IronPort leaves the heavy lifting to PostX for the HIPAA compliance dictionaries.
http://www.ironport.com/company/ironport_pr_2006-05-16.html [3]
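To make the "one protocol vs. all traffic types" point concrete, here is an added example (not from this page, and not IronPort's, Proofpoint's, CipherTrust's or PostX's code) of an outbound content check written so that the transport does not matter: the same detector runs over an SMTP message and over an HTTP POST body. The term list, the sample messages and the blocking threshold are constructed for illustration; a real HIPAA dictionary is far larger. The SSN structural rules (no 000, 666 or 9xx area, no 00 group, no 0000 serial) are the published SSA rules and are used only to cut down regex false positives.

```python
"""Protocol-agnostic outbound content check (added example, not vendor code).

The detector is applied to text pulled out of two different channels, an
email message and an HTTP POST, to show that the leakage check itself does
not depend on the protocol. Dictionary, samples and threshold are constructed.
"""
import re
from dataclasses import dataclass
from email import message_from_string
from urllib.parse import unquote_plus

# Constructed term list standing in for a compliance "dictionary". Matched
# case-insensitively on word boundaries so "patient" hits and "impatient" does not.
PHI_TERMS = ("diagnosis", "patient", "medical record", "prescription")
PHI_TERM_RE = re.compile(r"\b(" + "|".join(re.escape(t) for t in PHI_TERMS) + r")\b", re.I)

# US SSN in the dashed layout. The regex over-matches (e.g. order numbers), so
# every candidate is validated against the SSA structural rules below.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")


def plausible_ssn(area, group, serial):
    """Reject values the SSA never issues: area 000/666/900-999, group 00, serial 0000."""
    a = int(area)
    return not (a == 0 or a == 666 or a >= 900 or int(group) == 0 or int(serial) == 0)


@dataclass
class Finding:
    kind: str   # "ssn" or "term"
    value: str


def scan_text(text):
    """Transport-independent detector: runs over any decoded text."""
    findings = []
    for m in SSN_RE.finditer(text):
        if plausible_ssn(*m.groups()):
            findings.append(Finding("ssn", m.group(0)))
    for m in PHI_TERM_RE.finditer(text):
        findings.append(Finding("term", m.group(0).lower()))
    return findings


def should_block(findings, min_terms=2):
    """Constructed policy: any identifier, or a cluster of dictionary terms, blocks."""
    kinds = [f.kind for f in findings]
    return "ssn" in kinds or kinds.count("term") >= min_terms


def text_from_email(raw):
    """Decode every text/* part of an RFC 2822 message (handles multipart and charsets)."""
    msg = message_from_string(raw)
    chunks = []
    for part in msg.walk():
        if part.is_multipart() or part.get_content_maintype() != "text":
            continue
        payload = part.get_payload(decode=True) or b""
        chunks.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(chunks)


def text_from_http_post(raw):
    """Minimal split of a captured HTTP request: body follows the first blank line.
    Form-encoded bodies are percent-decoded so '+' and %XX do not hide matches."""
    head, _, body = raw.partition("\r\n\r\n")
    if "application/x-www-form-urlencoded" in head.lower():
        body = unquote_plus(body)
    return body


# Constructed sample traffic (not real data).
SAMPLE_EMAIL = (
    "From: nurse@clinic.example\r\nTo: outside@partner.example\r\n"
    "Subject: follow-up\r\nContent-Type: text/plain; charset=utf-8\r\n\r\n"
    "Patient John Doe (SSN 219-09-9999) needs his prescription renewed.\r\n"
)
SAMPLE_POST = (
    "POST /upload HTTP/1.1\r\nHost: files.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n\r\n"
    "note=Diagnosis+for+patient+confirmed&id=078-05-1120"
)
BENIGN_TEXT = "Order 000-12-3456 shipped; call me about the patient survey."


def check_channels():
    """Run the one detector over both channels; returns {channel: blocked?}."""
    return {
        "smtp": should_block(scan_text(text_from_email(SAMPLE_EMAIL))),
        "http": should_block(scan_text(text_from_http_post(SAMPLE_POST))),
        "benign": should_block(scan_text(BENIGN_TEXT)),
    }


if __name__ == "__main__":
    for channel, blocked in check_channels().items():
        print(f"{channel}: {'BLOCK' if blocked else 'allow'}")
```

The protocol-specific code is only the two `text_from_*` extractors; everything that decides whether data is leaking is shared, which is the argument for inspecting all traffic types instead of bolting a policy engine onto one gateway. The benign sample also shows why validation matters: `000-12-3456` looks like an SSN to the regex but is structurally impossible, and a single dictionary hit is below the threshold.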
Check Point is going after Cisco and Juniper
So what? - Check Point announced their new Safe@Office UTM appliance yesterday. Most folks saw it as a rebranding of existing stuff, but they missed the boat. Check Point is going after the SOHO market, clearly targeting Cisco, Juniper and Fortinet with their OWN appliance. Sure, they've had the old SofaWare stuff for a while, but that didn't have all the pieces; this new thing does. They are still shying away from competing with their own hardware at the high end (leaving that to Crossbeam and Nokia), but by announcing this at ISPCon they are clearly focusing on going downstream. Is it too late? Probably. The Juniper (former Netscreen) boxes work fine and Fortinet is gaining steam if full UTM is interesting. Of course, premium buyers go for Cisco every time, so that doesn't leave much room for Check Point. But at least they are doing something. Also check out the box - it looks very yellow to me - possibly paying homage to Symantec, the original Big Yellow.
http://www.checkpoint.com/press/2006/safe@adsl051606.html [5]
And you thought the AV market was saturated
So what? - The Russians are coming! The Russians are coming! It seems that Kaspersky Labs is now serious about competing against Symantec and McAfee. They just announced an upgrade [6] to their AV engine and a broader security bundle and a push into the retail channel. The best quote in the release is: "Although Kaspersky Lab is not yet a household name in the U.S. and Canada..." Right. CA isn't even a household name in the retail channel, so I think this is a stretch for Kaspersky. These guys seem to be having an identity crisis. I'm sure it's a nice business and I like that they are trying to push it to the next level, but some focus is needed. Are they an OEM play? Are they a consumer play? Are they trying to get into alternative channels? Are they hyping advanced technology? But the answer cannot be all of the above. We know how that works out.
http://biz.yahoo.com/bw/060516/20060516005226.html?.v=1 [7]
Will the real trustworthy computing please stand up?
So what? - With all the vulnerabilities flying around, it's no wonder that folks are starting to focus a bit more on the OS side of the equation. This is an interesting overview of what the big server OS vendors (Sun, Red Hat, Novell, Microsoft) are doing from a trusted operating system standpoint. I am a fan of a positive security model (unless you are explicitly allowed to do something, you can't), but it must be easy to use and not require a lot of tuning. That has always plagued the trusted OS offerings in the past. Clearly protecting the devices (desktops and servers) is important, so this is a space to watch. But keep user experience in mind, because security loses every time you need to make a trade-off.
http://www.eweek.com/article2/0,1895,1961947,00.asp [8]
Top Blog Postings
Darwin and spam
Mark Gibbs goes through a little treatise in this post about how spammers have evolved to continue to evade detection. That is the challenge facing all of security - not just anti-spam. The bad guys continue to come up with new ways to compromise information and we (assuming we are the good guys) need to continue to combat that. It's a never-ending cycle, so get used to it.
http://www.networkworld.com/columnists/2006/051506backspin.html?page=1 [9]
How stupid can this bank be?
Check out this post by Winn Schwartau to learn what not to do if you are protecting private information. Winn runs us through a story that shows the bank acting like a phisher and scammer. How he could continue to do business with this bank after these activities is beyond me. I'd be gone THAT DAY. But read it, there are lessons here for anyone in charge of stewarding private data.
http://www.networkworld.com/columnists/2006/051506schwartau.html [10]
The new anatomy of a hack
It's been a while since I've seen good analyst slides (besides my own, of course). But in this post, Stiennon revises the thinking on the hacking process and it's good work. Today's world is different and the time-honored ways being used to compromise systems are no longer useful. Does this thinking describe exactly how to protect something? No. But it does give some context for how the process has changed, which is the first step to understand how to defend against these new threats.
http://blogs.zdnet.com/threatchaos/?p=330 [11]
It's all about prioritizing
Tim Wilson, the site editor of CMP's new Dark Reading site, gets today's Captain Obvious award. But these things need to be said again and again and again for them to stick. He uses a bunch of vendor datapoints (not my preferred way to make a point, but whatever) to show that it's not about gathering the information - it's about using that information to determine what is most at risk and prioritizing efforts to fix things. This quote sums it up nicely: "Around the industry, we are seeing greater interest in tools that can help integrate the barrage of data that security managers receive each day, and make good decisions on what to fix first." Asset centricity is critical to dealing with the sheer number of things that can go wrong today.
http://www.darkreading.com/blog.asp?blog_sectionid=327 [12]
Recently on the Security Incite Rants Blog
NAC Attack Part 4: Varying opinions on NAC
There is a lot of noise flying around about what NAC is, what it isn't, and whether anyone will give a damn. I weigh in by going over the problems that NAC solves once again, along with a couple of different ideas about how we can get there.
http://securityincite.com/blog/mike-rothman/nac-attack-part-4-varying-opinions-on-nac [13]
Read Tuesday's Daily Incite
http://securityincite.com/blog/mike-rothman/the-daily-incite-may-16-2006 [13]