June 6, 2006
Good Morning:
Welcome to the day of the Devil. 06/06/06. Today I'm going to indulge my inner devil a bit and rant about the legal system here in the US. First is the patent "game" that technology companies need to play, highlighted by Finjan's suit against Secure Computing and Webwasher. I believe that it's important to protect intellectual property, but enforcement cannot be at the patent holder's whim based upon whether the target has money or not. I get annoyed when a company sits on a patent for 8 years and then decides to enforce it when either their business is tanking or a new competitor with deep pockets emerges. Some companies even use these suits as a PR vehicle, which clearly works, because I'd never be talking about Finjan if they hadn't filed this suit. Argggggh.
Second is the inevitable set of class action lawsuits that will happen as a result of the myriad data breaches of late. I haven't been scouring the courts lately, so some of this may already be happening - but you don't think an enterprising tort lawyer is currently figuring out how to extract money for these data breaches? It's sad, but ultimately it's not really "compliance" that is going to push companies to do the right thing relative to protecting private data, it's the fear of another asbestos or silicone implant situation that pushes good companies into bankruptcy. The difference is that we know about the problem and we have technology to fix it. It's just a matter of whether folks will use it.
Have a great day.
Top Security News
Do you really need a perimeter?
So what? - There is an ongoing, somewhat religious battle raging about the future of the perimeter. You have some folks (like the Jericho Forum) that believe there should be no perimeter and others that believe the moat needs to be deep and wide. The truth is somewhere in the middle, but you can find success stories on both sides of the fence. This TechTarget case study of the San Diego Supercomputer Center is interesting in that they have no firewalls, but take a very tight host security stance. Given the open nature of their customer base (only 5% are actually on campus), this type of approach makes sense. But it's not for everyone. To me, these kinds of stories just reiterate the importance of layers and defense in depth. If these folks can secure their network using just tight host security, then with more layers at your disposal you should be able to keep the bad guys at bay as well.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1191993,00.html [1]
Detailed two-factor authentication overview
So what? - In this week's NetworkWorld is a pretty detailed treatment of two-factor authentication. Clearly this is a hot space and there are a lot of options for how to solve the problem. There isn't a tremendous amount of insight here, but if you are trying to get a feel for how other companies are dealing with the issue, especially in finance and healthcare - this article is a quick read.
http://www.networkworld.com/techinsider/2006/060506-authentication-twofactor.html [2]
New healthcare group to address application vulnerabilities
So what? - This morning the eHealth vulnerability reporting program (www.ehvrp.org [3]) announced its initiatives to secure healthcare applications. This group will give healthcare organizations a way to find out about and understand application layer vulnerabilities and jointly (with the vendors) figure out effective mitigation strategies. Most interesting is the lack of vendors involved at launch. This is novel in being a truly user-driven initiative, so the likelihood of success is much greater. I believe the group's focus on vulnerabilities is limiting (since application vulnerabilities are only one piece of the security puzzle), but you do need to start somewhere. So this is good stuff. I assume we'll see a flurry of vendor announcements over the next few days pledging support.
http://www.ehvrp.org/images/EHVRP_Launch_News_Release_06062006.pdf [4]
Identity works its way into the network
So what? - Lancope and A10 announced an interesting deal yesterday where Lancope would integrate some A10 technology into the next version of their StealthWatch product line. Now Lancope can tie IP addresses to the users they belong to, making for a much more intuitive way to manage the network. I like A10's story, in that they are working to bring identity management to the mid-market, and remembering that Big is the New Small, they are increasing their footprint by getting their technology to market through other partners. Of course, I wouldn't say that Lancope is tremendously interesting, as they are sticking to their network anomaly detection knitting while the rest of the market is either moving towards security management/remediation (Q1) or looking for bigger partners to integrate NBAD into broader security offerings (Arbor/ISS). But I guess you need to start somewhere.
http://www.a10networks.com/news/060605lancope.html [5]
If you can't beat them, sue them
So what? - Looks like the next iteration of Finjan's business model is litigation. I heard that worked well for SCO. Finjan has had more past lives than Shirley MacLaine, and I guess they figure - what the hell - let's see if we can get some intellectual property royalties going. Worked for Tumbleweed, no? They are initially going after Webwasher and their parent, Secure Computing. It's interesting that they waited until the Secure-Cyberguard merger was done before taking action. Go after the deep pockets. To be clear, I believe in the patent system and protection of intellectual property innovations, but to file a suit at this point seems a bit ridiculous. So Webwasher wasn't infringing for the first 5 years of their existence? Depending on the interpretation of the patent, folks like Websense and other content filtering players could be exposed. Patent trolls, rock on! Stiennon also covered the suit on his blog (http://blogs.zdnet.com/threatchaos/?p=336 [6]).
http://www.finjan.com/Pressrelease.aspx?id=901&PressLan=293&lan=3 [7]
Top Blog Postings
HIPAA needs teeth
This is a great post by Rebecca Herold about the fact that there are organizations out there that don't take HIPAA seriously. Why? There has never been an enforcement action. I've spoken to healthcare folks who basically have taken the stance that it will be cheaper to pay whatever fines may happen than to actually protect the patient data more effectively. Of course this is short sighted, but it's happening, and that's because (as Rebecca points out) there have been no public executions and the government's stated enforcement policies remove any teeth the legislation has. But remember, one of the "features" of the US legal system is tort lawyers, and it's just a matter of time until those vultures get involved based upon the "pain and suffering" of a potential identity breach. When the VA (or hotels.com or Fidelity, etc.) gets sued for $2 billion, that will change folks' perspectives.
http://realtime-itcompliance.typepad.com/itcompliancecommunity/2006/06/government_over.html [8]
How to be a CISO
Clearly you are a glutton for punishment, enjoy a thankless job, and are OK that a good day means nothing blew up. Cool, you are ready to be a CISO. Ellen Messmer points to a NetworkWorld management strategies article here on what it takes to be a CISO. Yes, you need to be able to talk in business terms. In my experience, successful CISOs are looking for a way to say yes to the business, within defined risk parameters that the rest of the executive team supports. CISOs who play Dr. No all day don't last too long. But that's only one part of the puzzle. The truly successful CISOs have figured out how to integrate security thinking into the business process, so security is not an afterthought once new applications and offerings are 90% cooked.
http://www.networkworld.com/weblogs/security/012685.html [9]
Cleaning up data breaches
Mitch Betts refers to some research that my former META colleague Jack Gold has done about what it takes to clean up after a data breach. Gold estimates $35 per notification. That is LOW. I've heard estimates ranging from $20 (the VA's assessment) to $200 to both notify the parties at risk and help them recover from any potential identity theft. In any case we are talking about numbers in the 8 and 9 figure range. Gold is right in saying it's a lot cheaper to secure each device, BUT that doesn't solve the root cause of the problem. It's faulty data control policies. Why are E&Y auditors taking customer databases off site? Why can a VA analyst keep a database with 26 million records on his laptop? Sure, we need to address the infrastructure layer via tighter endpoint security, but if we forget about the information/content side of the equation, we are going to have MANY more of these breaches. Martin McKeay asks these same questions in his post (http://www.computerworld.com/blogs/node/2680 [10]).
http://www.computerworld.com/blogs/node/2685 [11]
Encryption cannot protect against dumb users
While I'm on the topic of information security (as opposed to infrastructure security), Chandler Howell covers yet another data breach at Texas Guaranteed Student Loan Corp., but this one was purely due to the stupidity of a remote contractor who had access to the customer data. This joker downloaded the data, decrypted it, and then stored it on a device that was later lost. It's examples like this that make PGP's Netshare (covered in yesterday's Supplemental Incite) interesting, because encrypting the data in the background (transparently to the user) could eliminate some of these fiascos.
http://thurston.halfcat.org/blog/2006/06/02/encryption-security-magic/ [12]
Recently on the Security Incite Rants Blog
Network World Column: Corralling the Zombies
Zombies are the #1 threat to information security today. In this week's NetworkWorld column, I delve into the topic and highlight a new company that is working on a solution to help carriers address the issue.
http://securityincite.com/blog/mike-rothman/networkworld-column-corralling-the-zombies [13]
Supplemental Incite - June 5, 2006
There was too much news to cover in the morning edition, so I covered some additional news from folks like PGP, Postini and Ping Identity. I also give Juniper and Counterpane beatings for making silly announcements.
http://securityincite.com/blog/mike-rothman/supplemental-incite-june-5-2006 [13]
Read Monday's Daily Incite
http://securityincite.com/blog/mike-rothman/the-daily-incite-june-5-2006 [13]