Published on Security Incite: Analysis on Information Security (http://securityincite.com)

The Daily Incite - December 6, 2007

By Mike Rothman
Created 2007-12-06 10:29
Today's Daily Incite

December 6, 2007 - Volume 2, #161

Good Morning:
Yesterday I screwed up. I hate when that happens, but it's my responsibility and duty to make it right. Given the amount of stuff that I write, I'm actually kind of surprised I don't screw up more often. But when I do, I need to set the record straight and amend my thinking.

One of my top news items in yesterday's Incite was the Reconnex OEM deal with IronPort [0]. Sometimes in my haste to get things over the finish line, I don't pay as much attention as I need to. In this case I was guilty of reading the release and seeing what I thought should happen, not what was written. I wonder what my shrink will have to say about that.

So I write up about how Cisco has given those folks the "kiss of death," when in reality it was nothing of the sort. Basically, Reconnex is OEMing the PostX encryption engine, so they can remediate (encrypt) data based on detection within their own DLP engine. I don't think I could have gotten this more wrong if I tried. Maybe it's time to get back to the optometrist. Of course, there was the customary Barney stuff about going to market together and doing joint programs, but in reality this is about Reconnex understanding they need to remediate some of the content problems they detect.

There was no validation of Reconnex's technology, though this is an indication that PostX isn't dead yet. It just went into Cisco-induced hibernation for a while. If there is a nugget of good news here, my observation about the best way to make sure you AREN'T acquired by Cisco is to do a technology OEM with them still stands. But not in this case. D'OH!

Now I will proceed to spend some time in the corner with my dunce cap on. Once again I'm sorry for the mistake and thanks to the alert reader who set me straight. 

Have a great weekend.

Dunce image originally uploaded by Quiet Nights of Gotham [1]


Top Security News

So the combination of these two is a good thing [10]. Roger Thompson, XPL's lead research guy, will head up research for the larger company and I think that's a good thing too. It was always clear that XPL was not stand-alone, but it's interesting to me that Symantec, Trend or even Webroot wouldn't have seen compelling functions to add to their endpoint suites. I think the bigger AV players missed one here. But it does make a cat with 18 lives like Finjan a bit more attractive now, since they are finally figuring out that their malware detection technology can and should be spun into a search engine plug-in [11].

Roger Grimes gets on his soapbox and talks about why RBAC (roles-based access control) is a good thing [12]. Theoretically he's right. If we could reduce all functions into a set of roles that could then be enforced on all of the networks, servers, applications and the like running within our environment, then life would be good and certainly more secure. But it's that little niggling issue of broad platform support and interoperability that makes RBAC a lot easier in theory than in practice. There's another little issue, which is that most security folks are so busy doing things, they don't have the time to take a step back and actually figure out what those roles are supposed to be. I remember back to the mid-90's when I was working with clients on the networking and security aspects of big ERP implementations. These folks would all nod their heads about the logic of really implementing SAP's RBAC capabilities, which were robust. Then they'd get into the mess of actually making sure the right widgets got manufactured, shipped and invoiced, and good old RBAC sank to the bottom of the list faster than Vonage's market cap. RBAC is good, and if the roles definition process doesn't kill you, it will leave you more secure.

his most recent SearchWindowsSecurity column about SSL [13]. Those three letters are pretty much what most of the great unwashed think security means. They see the lock in their browser and figure everything will be OK. Of course, SSL is necessary but nowhere near sufficient to actually secure much of anything. It hits on one requirement of the 12 that PCI demands (the one where you need to protect data in motion), but there are so many other ways to break a web app and snooping the traffic is perhaps the least attractive of them all. So the lock is a good start, but if your developers think that's what Internet Security means - then you've got a lot of work to do in educating them.

The Laundry List

  1. Speaking of RBAC, it seems that Cisco has gotten roles-based religion by introducing their TrustSec architecture. Intel and Ixia jump on board. 2 down, 10,000 other partners to go before this can get broad enough support to matter. More specifically, this is an indication that security is making its way into the Cisco switches. In-line NAC vendors, the clock is now ticking... - Cisco release [14]
  2. Websense weighs in with their 2008 predictions. More attacks, more vectors, more sophistication from the bad guys. Really?  - Websense release [15]
  3. The Ukraine votes for Ron Paul, or at least their botnet does. Interesting analysis of the botnet-driven spam campaign. At least we know that Ron Paul isn't the botmaster.  - InfoWorld coverage [16]
  4. WhiteHat goes down market, now will cover a web application for a measly $10K per year. That's it? I'll take 10. - WhiteHat release [17]

Top Blog Postings

http://www.schneier.com/blog/archives/2007/12/security_in_ten.html [18]

  • Stiennon [19] - Richard focuses on a lot of malware types of stuff, like how these social networks will hurt us. He also figures much of the issue will continue to originate in China and former Soviet states. It remains all about the money as attacks are more targeted and increasingly disruptive to the financial institutions. Again, nothing even somewhat optimistic. No wonder most security professionals are grumpy; we can't find a shred of hope out of all this chaos.
    http://blogs.zdnet.com/threatchaos/?p=496 [20]
  • Hoff - Captain Innovation is pretty focused (as the others) on specific attack vectors, and none of the news is good. Basically, Chris' predictions are focused on the idea that every piece of new technology will be broken. Statistically he's right. Sometime in 2008, it's fairly likely that either hypervisors, social networking sites, SaaS vendors, eBanks, cyberattacks, SCADA and/or mobile networks will be compromised. All of them, no way. Some of them, absolutely. But that's not a lot different than the list we'd make in 2007. Some of it happened, most of it didn't. But at least now we know all the places where we can be killed.
    http://rationalsecurity.typepad.com/blog/2007/12/2008-security-p.html [21]
  • Kevin Tolly - After 12 years as a NWW columnist, Tolly is hanging it up. I guess taking vendor money to show that a product can blast packets .0001% faster takes up a lot of time. In his last piece, he talks mostly about how general computing platforms will impact how SMBs and the like do security. He doesn't predict the demise of ASICs, since large enterprises and service providers will need focus and horsepower. But everyone else, open source and general computing platforms. Hmmm. I don't much care what the computing platform or pricing model is, it better be easy. Unless it's easy (like Staples button easy) it won't work for the SMB.
    http://www.networkworld.com/columnists/2007/120307tolly.html [22]


    Source URL:
    http://securityincite.com/blog/mike-rothman/the-daily-incite-december-6-2007