September 25, 2006 - #123
Good Morning:
I am particularly guilty of not celebrating enough. It's a "feature" of my personality that I'm always looking for what is wrong and not focusing on what is right. That makes me well suited to what I do for a living, but also gives me lots of heartburn when I step back and think about all the broken stuff. Thankfully there are holidays throughout the year that pretty much force me to spend time with the family, remember what's important and how fortunate I am. I spent part of this weekend rejoicing and it was nice. So I want to go through each of today's news items with that in mind.
In security-land, we have a pretty major article on encryption (here [0]) that draws the conclusion that it's not for everyone, but does solve a number of security problems. I suspect it will be for everyone sooner rather than later, but it will upend some existing security markets and also become the purview of Big Technology. We also have a couple of data points on the wave of "free" product distribution. eEye is now giving away a personal version of Blink (here [0]) and Breach Security has bought the company that managed the open source web application firewall, ModSecurity (here [0]). We are going to see a lot more "free" stuff out there because it's a pretty powerful distribution model, especially for start-ups.
In blog-land, let me dust off the old Risk Equation (here [0]), which is a pretty interesting way to look at the problem of what to protect and what not to. There are lots of different takes on this, but I think the frequency of attack and the likelihood of success are commonly overlooked by those of us trying to figure out what to do. On the tail end of that discussion, I also want to highlight yet another idea on how to position security as a business enabler (here [0]). I get that the realization that security is insurance is kind of offensive to some (especially if you know insurance people), but that's what it is.
Have a great day and remember to rejoice - if only just a little.
Top Security News
http://www.informationweek.com/news/showArticle.jhtml?articleID=193004775 [2]
here [2]), Ross Brown of eEye uses his blog to do a product announcement. Given the recent Microsoft VML issue and the 3rd party patch from ZERT, I guess now is as good a time as any for him to announce that eEye is giving away a home version of their Blink host security product. This is a distribution model that we'll see over and over again because it works. Get security savvy folks to download your stuff and try it out, and then if they like it - they'll buy it. Of course, there will be some that don't and violate the agreement - but those are the same folks that use Lands' End sheets for a year and then return them. You know who you are! Most law-abiding netizens will do the right thing and buy the software.
http://technobabylon.typepad.com/tb/2006/09/the_mother_of_a.html [3]
http://www.symantec.com/enterprise/threatreport/index.jsp [4]
http://www.breach.com/news_press_detail.asp?id=117 [5]
http://www.informationweek.com/story/showArticle.jhtml?articleID=193004849 [6]
Top Blog Postings
http://riskmanagementinsight.com/riskanalysis/?p=24 [7]
here [8].
http://blogs.zdnet.com/BTL/?p=3648 [9]
here [10]), but it doesn't help. But I'm still not ready to tell people I like to turn off AV. Yes, a properly configured network and hardened OS will reduce the risk to a point where you can probably dispense with AV. George provides some of his techniques in this piece as well. But if you are running a laptop, what happens when you connect at the local coffee shop? You think those networks are properly configured? Not a chance. So I will once again make the case for layers. Sure, all of these additional security controls add overhead, but how much? Whether it's worth it is a personal and professional decision and not mine to make. But I still hold to another old adage: it's better to be safe than sorry.
http://blogs.zdnet.com/Ou/?p=327 [11]
old paradigm [12]." I focus on what works. And this doesn't.
http://www.bloginfosec.com/?p=68 [13]