Published on Security Incite: Analysis on Information Security (http://securityincite.com)

The Daily Incite - September 26, 2007

By Mike Rothman
Created 2007-09-26 06:28
Today's Daily Incite

September 26, 2007 - Volume 2, #136

Good Morning:
Today let's talk about futility. I'm about to embark on my annual golf trip this morning. Actually it's my friend Todd's annual golf trip and his college buddies are kind enough to let me tag along for another year. I fear my golfing efforts will provide a surplus of futility because I haven't picked up the sticks since last year's outing. I had the best intentions of getting some lessons, going out to hit a few and maybe even playing somewhat regularly during the year. But alas, life continues to happen. With all the travel I do and my work schedule ramping up, the idea of taking 4-5 hours out of a weekend just didn't work out.

Thankfully I'll be in the high handicap group. You know, the guys who are not on the lookout for their ball (which is usually in the woods or the lake), but rather for the beer cart. That'll be me. Where else can you pay $4 for a 25 cent can of beer and be happy as a clam? I'll take 10. As long as I don't hit any good shots and fool myself into thinking that I can actually play, it'll work out great. Four days of hack, chase, hack, drink, hack, drink, hack, drop, hack, drink, putt, putt, drink, putt and then mercifully take a snowman. That's an 8 for all of you golf mavens. We cap it at double par, which is a good thing. But it'll be fun. So I'll be out tomorrow - no Incite for you.

Back to futility. I know a lot of security professionals feel like they are just banging their heads against the wall, day in and day out. Most have nice, thick calluses on their forehead, so it doesn't even hurt too much after a while. With all the bad news out there, whether it's yet another 0-day (this time it's GMail) or another data breach or another government contractor not doing their job and the Feds not knowing about it for a year (yes, it's Unisys/DHS) - it's hard to stay optimistic.

Sure the data breaches are worse, but there seem to be fewer of them. Sure PCI is making folks jump through hoops, but at least it's a decent set of hoops to be jumping through. Sure applications have more holes than Swiss cheese. But at least there aren't an infinite number of hackers out there, and there is so much exposed attack surface that odds are they'll pass you by.

That makes you feel good, doesn't it? I'm sure your boss will appreciate it when you say, "Yeah, our defenses suck. But they are better than the other guy's, so we are probably OK." Yes, I jest, but not that much. It's kind of true. As I've long maintained, if a skilled attacker wants into your stuff - he/she is going to get in. We design our clean-up and incident response plans for those folks. Our defenses are largely built to stop the unsophisticated who use simple tools and exploit sophomoric exposures. And that's what we do.

In a weird way, this is an optimistic rant. The advent of these hacker tools (like phishing kits and black markets for exploits) actually makes it easier to defend. We know what the bad guys are going to do (most of them anyway) because they are pretty much lazy, and if a tool is out there, they'll use it. Thus, we defend against the tools and live to fight another day.

So then you can go chase a white ball around some beautiful landscape in a tropical place for 4 days. That will give me plenty of futility to go around when I return. And maybe some optimism, since I'll be way ready to get back into the mix by Sunday afternoon.

Have a great day and rest of the week. I also need to send a shout-out to my kid brother, whose birthday is today. Happy B-day kid, although you aren't a kid anymore. Guess when we have our own kids, we can't really be called kids anymore.

Technorati: Information Security [1], CSO [2], Security Mike [3], Internet Security [4]


Top Security News

Roger Grimes talks about securing devices [9]. Yes, we should get users to stop clicking on things they shouldn't. See, I said it. That's the secret to information security. But how do you do it? I see two reasonable solutions. Fire all your employees. That will stop them from clicking. Or you could remove their hands, but I guess that's a bit barbaric. Or maybe put them in handcuffs when they come into work to keep them from getting into trouble. But I hear voice recognition is getting better, so that may not even work. Actually Roger does have some good tips that most of you already know. Use malware protection and stop bad emails from getting through. Patch your machines and don't have users running as administrator. Use strong passwords. Yep, all of those are good things to do. But I'll add some training mojo on top of that. Yes, it will help. And then make sure you are monitoring your stuff, because users will do something stupid and you will need to clean it up.

This work from CompTIA is no different - they say there are fewer breaches [10], but they are more severe. Who knows? Who cares? Fact is, we don't know about most data breaches and neither do the users - until it's too late. But even if I indulge them, I'll agree that the breaches are getting worse. 45.6 million is the only number you need to know. Yes, that's the number of identities stolen in the TJX breach. But soon we will be even more numb to data breaches, and we'll finally realize there is no such thing as privacy. You'll need to lock down your credit and move on. And you'll be happy because when your data is stolen, you'll get to go to an exclusive sale from the company that lost your data. Speaking of my favorite data breach punching bag, TJX has offered $30 and a 15% "customer appreciation sale" to make it right [11]. So you get to go in and save another 15%. Actually, it's probably not that bad a deal. Sure I was inconvenienced, but since I expected to get a big fat zero, the opportunity to get anything is probably a net positive. We'll see whether it's a net positive on TJX's market cap over the next few quarters.

What keeps MSFT security honcho Scott Charney up at night [12]? No? Me neither, but I guess it's not the bad turkey sandwich he ate out of the cafeteria a day earlier. Maybe MSFT should get the Rolling Stones' cook or something. Since the Dead's chef works at Google, they should get someone at least as fancy. Maybe with that $30 billion cash hoard they could get Wolfgang Puck. That'll make MSFT a destination for all those smart young engineers, no? You can't be having your main security guys hitting the Tums all day from crappy cafeteria food. I'm sure Charney is working his way through the case of Tums anyway, just due to the huge target on everything Microsoft does. So what is he scared of? The bad guys, of course. They are smart and they are evolving, and they've figured out how to reverse engineer the patches and prey on those dimwits that can't patch in a reasonable time frame. He also talks about having a decent relationship with the security researchers, and it's true. If you look at the news, many of the bug hunting press whores, I mean "research guys," are increasingly targeting Apple and Google. That seems to be much more fun. And generates more press hits too. Sounds like a win-win.

The Laundry List

  1. If at first (or second) you don't succeed, maybe try an anti-bot network. FireEye hopes the third time's the charm. Doubt it. Yet another feature disguised as a box.  - FireEye release [13]
  2. SanDisk's new partner program, SESTA, sounds more like something I need to get rid of with an antibiotic. Again, OPSEC won't happen again, so these partner programs are just a way for BusinessWire to drive some revenue. And a 4GB thumb drive is still a commodity. - SanDisk release [14]
  3. Some hints to protect your Bluetooth. You wouldn't want anyone snooping your top secret calls, now would you? - CrunchGear blog [15]
  4. DLP for SMB? Code Green introduces a smaller box, starting at $10K. It's still not cheap enough, but it's getting there. Soon enough some of the bigger DLP vendors will get "Barracuda-ed," but maybe not by Barracuda. - Code Green release [16]

Top Blog Postings

StillSecure decides to give away like 5% of their NAC functionality [17], and Cisco and Microsoft get closer to actually having product every day. Again, we continue to get caught up in semantics about what NAC is and where the value is. The idea of only doing host integrity checking is NOT INTERESTING. So any of the NAC vendors still flogging that feature (ahem...starts with a C and ends with an -isco...Ahem) as the big jammy are missing the point. I will give Shimel and his band of merry men (and women) some props for taking the bull by the horns. This is a pretty innovative way to get folks to kick the tires and maybe even make the case for why they'd need NAC. But the reality is, ENFORCING the policy is the entire ballgame. Guess they've been reading the story of the Trojan Horse.
http://www.computerworld.com/blogs/node/6245 [18]

http://communities.intel.com/openport/blogs/it/2007/09/24/security-in-a-box [19]

http://taosecurity.blogspot.com/2007/09/dhs-debacle.html [20]


Source URL:
http://securityincite.com/blog/mike-rothman/the-daily-incite-september-26-2007