October 25, 2006 - #142
Good Morning:
One of my favorite TV lines came from A-Team [1]. You remember the A-Team, right? Basically, all hell was breaking loose and then miraculously everything works out in the end, at which point Hannibal Smith - the leader of the A-Team - would always say, "I love it when a plan comes together." I'm not going to get overly specific at this point, but I'm launching some new stuff in January and I'm spending a large portion of my time working on that now. All hell is definitely breaking loose, but it's all good because I know this plan is going to come together.
In security-land, it seems that PatchGuard has already been broken (here [1]). Which is a shocker, NOT! Basically, backwards compatibility sentences us to remaining vulnerable to lowest-common-denominator attacks. The deal of the day is BT buying Counterpane (here [1]); it increasingly seems there is less and less room for independent MSS players. And finally it looks like Websense has stopped the bleeding (here [1]) relative to making their numbers in Q3. BUT the question remains (not just for Websense, but for every other security company too): who is going to win as these functions come together?
In blog-land, there was lots of activity, so let me hit the highlights. Amrit brings up a good point about defending against the "less than zero" attacks (here [1]), and eLamb does a bit of personality typing and psychoanalysis on security folk (here [1]). Let me also highlight a good series of posts (here [1]) on compensating controls, which gets at the question of how many layers you need.
Have a great day.
Technorati: Information Security [2]
Top Security News
here [3]) and Shimel (here [4]) for pointing me towards the big security news this AM, which is that Authentium claims to have figured out how to bypass Vista's PatchGuard by utilizing a loophole (I mean feature) meant to help Vista support older hardware. This is the fundamental truth of Microsoft's problem. As long as they are constrained by requiring backwards compatibility, the problem is NOT going to get better and we are not going to make much progress. Period. End of story. So it looks like we are in for another 7-10 years of grinning and bearing it, that is until we finally disrupt the status-quo, desktop-driven computing paradigm and move everything to ultra-thin clients built on a Secure OS utilizing ubiquitous bandwidth that only accesses locked-down web-based applications. Someone get me that Blue Pill [5]; I must be having those delusions about a world where we are not controlled by hackers again.
http://www.eweek.com/article2/0,1895,2036585,00.asp [6]
http://www.btplc.com/News/Articles/Showarticle.cfm?ArticleID=386c1b2f-0860-4afc-8f4a-26a066c12d10 [7]
http://biz.yahoo.com/prnews/061025/daw028.html?.v=76 [8]
http://biz.yahoo.com/prnews/061024/latu113.html?.v=60 [9]
http://www.networkcomputing.com/showArticle.jhtml?articleID=193104452 [10]
Top Blog Postings
http://techbuddha.wordpress.com/2006/10/25/nba-for-network-wide-visibility/ [11]
Myers-Briggs [12] personality test. There are 16 different personality types and it's a bit narrow to try to bucket security people into just two, but the points are valid. You have some aggressive, outgoing types (ESTJ) that are trying to catch bad guys and do so by building rules to abide by. That's what turns their crank. Then you have more reserved folks (INFP) that are focused on results and know that sometimes you need to think differently and cut corners to get the job done. I am a combination of these types - as an INTJ [13] (which is 1% of the population) I'm always trying to find a better way to do things and give people plenty of latitude to figure it out themselves. They just better be right. My point is that you have folks from all different walks of life and perspectives that end up having to do the job. Security is not a job that is ever "done," nor can you put every permutation into a policy or manual, so regardless of your personality type, if you don't want to slit your wrists every day you need to get comfortable with the idea of failing and understand that you never know what's going to get thrown at your head each day.
http://elamb.org/there-is-no-such-thing-as-security/ [14]
here [15], Part 2 is here [16]. Part 3 goes through the math, which is something we made a big deal of at TruSecure. If you use 5 layers of compensating controls that each eliminate 80% of the risk, then your applicable risk is less than .03% (.2*.2*.2*.2*.2 = .0003). Of course, the challenge is not in the math; it's in figuring out which controls are truly compensating (or synergistic in TruSecure lingo). But you don't need to take my word for it, just do the math and think logically. Layers work.
http://dcssec.blogspot.com/2006/10/layering-controls-100-compliance-3.html [17]
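The layering math above, carried a step further as an added example (my code here, not from the post, the DCS series or TruSecure): it reproduces the five-layer product, then groups controls that share a failure mode so they are not double-counted, which is the "truly compensating" question expressed in numbers. Control names, effectiveness values and failure-mode tags are constructed for illustration, and treating correlated controls as one layer scored at the strongest member is a simplifying assumption, not a TruSecure rule.

```python
from math import prod

# Constructed control list for this example (not from the post). effectiveness is the
# fraction of attacks a control stops on its own; failure_mode is what has to break
# for it to be bypassed. Controls sharing a failure mode are bypassed together, so
# they are not independent layers and must not be multiplied separately.
CONTROLS = [
    {"name": "perimeter firewall",       "effectiveness": 0.80, "failure_mode": "network-filtering"},
    {"name": "host firewall",            "effectiveness": 0.80, "failure_mode": "network-filtering"},
    {"name": "patching",                 "effectiveness": 0.80, "failure_mode": "vuln-exposure"},
    {"name": "least-privilege accounts", "effectiveness": 0.80, "failure_mode": "privilege"},
    {"name": "egress monitoring",        "effectiveness": 0.80, "failure_mode": "detection"},
]


def residual_risk_independent(effectivenesses):
    """Naive layered-control math: each layer removes its share of what is left.
    Five layers at 0.8 -> 0.2**5 = 0.00032, i.e. 0.032% of the original risk."""
    return prod(1.0 - e for e in effectivenesses)


def residual_risk_by_failure_mode(controls):
    """Same math, but controls that share a failure mode count as ONE layer, scored
    at the strongest member's effectiveness (assumption: correlated controls fail
    together, so only the best of them actually reduces the remaining risk)."""
    strongest = {}
    for c in controls:
        fm = c["failure_mode"]
        strongest[fm] = max(strongest.get(fm, 0.0), c["effectiveness"])
    return residual_risk_independent(strongest.values())


def layers_needed(per_layer_effectiveness, target_residual):
    """Smallest number of independent layers at the given effectiveness that brings
    residual risk down to or below target_residual (a fraction of original risk)."""
    if not 0.0 < per_layer_effectiveness <= 1.0:
        raise ValueError("effectiveness must be in (0, 1]")
    layers, remaining = 0, 1.0
    while remaining > target_residual:
        remaining *= 1.0 - per_layer_effectiveness
        layers += 1
    return layers


if __name__ == "__main__":
    naive = residual_risk_independent(c["effectiveness"] for c in CONTROLS)
    grouped = residual_risk_by_failure_mode(CONTROLS)
    print(f"all five treated as independent: {naive:.5f} ({naive:.3%})")
    print(f"grouped by shared failure mode:  {grouped:.5f} ({grouped:.3%})")
    print("80% layers needed to get under 0.1%:", layers_needed(0.8, 0.001))
```

The grouped figure is five times worse than the naive one because the two firewalls share a failure mode, which is the gap the "synergistic" test is meant to catch.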
http://blogs.zdnet.com/threatchaos/?p=427 [18]