Published on Security Incite: Analysis on Information Security (http://securityincite.com)

The Daily Incite - July 22, 2008

By Mike Rothman
Created 2008-07-22 09:24
Today's Daily Incite

July 22, 2008 - Volume 3, #63

Good Morning:
The first day back from vacation is always fun. Even though I did a decent job of keeping up with the news (so my RSS reader wasn't overflowing), there were a lot of details, follow-ups, deliverables, and the like that needed to be addressed once back in the saddle. There always are, and that makes the first couple of days back pretty intense.
Smack all you want, another mole will appear
Yes, it's just like whack-a-mole. No matter how many of those little critters you whack, there is always another one ready to poke his ugly little head up at you, demanding more attention. Of course, one way to handle the situation is to think about all the things on your list, and all the things that aren't getting done. 

I track my daily commitments on a 2x2 piece of scrap paper. I figure if I can't fit it on that little paper, then it probably won't get done anyway. Though on days like yesterday, I forget how small I can write. 

So I ended the day with about 75% of the list not finished. It's a pretty crappy feeling, but it's not worth getting crazy about. More will get done today and everything will be done by tomorrow. I ended vacation relaxed, but ready to get back to business. Why let some internally generated angst take me right back into the muck?

When I had a real job, I used to see that all the time. Folks would go on holiday. It would take them 3 days to unwind from all their angst. Three days before they come back they'd start worrying about what's not getting done and have more angst. If their vacation was only a week, they'd have a sum total of one day of relaxation. They'd return from vacation totally stressed out because they were away for a week and all this crap piled up.

That used to be me. But not anymore.

You wonder why folks are dropping dead from stress in their 40's and 50's? I don't. It's this 24/7 totally connected "lifestyle." Just as trees don't grow to the sky, you cannot continue to improve productivity 10% every year, year after year after year. Yet, that's what seems to be expected in today's business environment. It's not rational, it's not sustainable, and it's making most of us miserable.

Chew on that. Have a great, stress-free, satisfying day. I dare you!

Photo: "whack" originally uploaded by simplerich [1]


Top Security News

The folks at Google have made their internal web application assessment tool - called ratproxy - freely available [10]. It's not the tool that is interesting, but it gives me yet another opportunity to reinforce the need to be constantly testing your stuff (networks, systems, web apps, etc.) from the bad guy's view. No one tool is totally comprehensive, so you need to use many tools. No one person is totally comprehensive either, so you need to use many people - some internal, some external. Of course, this is gated by the value of the information accessible via the web app. Obviously you don't pay a bunch of money to test applications that don't house private data - UNLESS that application would provide a path to the vault. That's why segmentation (physical, logical, otherwise) is so important. Even the least important app can kill you if it provides a path to some important data. So application architecture and operational provisioning continue to be important, and not only when you first roll out the application. It makes sense to revisit the entire application ecosystem every so often (maybe quarterly) just to make sure the architecture and segmentation plan still make sense.

NetworkWorld summary [12] points out some of the issues to be concerned with. Fact is, these are things we need to worry about in any kind of computing environment. You know, things like privileged user access and compliance. There are some unique aspects to worry about relative to cloud computing, but it's not anything we haven't seen before. And that's a key idea in this cloud-based, web 2.0 reality we all seem to be rushing headlong into. None of this stuff is turning security on its ear. 90% of it is doing the stuff we should already be doing right. Of course, if you aren't doing that stuff right - then it's another issue.

the Mogull's initiative with Mozilla to institute a model to track risk within Firefox over time [14]. I get the need for this type of initiative, especially given the fact that bug counting in browser code is irrelevant to the true security of the application. The most important aspect of the initiative is that Mozilla is going to be tracking these numbers over time, and presumably (though I shouldn't assume anything) use that trend analysis to pinpoint issues in their development process. Of course, we really shouldn't confuse counting aspects of the dev process (like the time to route an issue to the appropriate developer) with the risk presented by that bug. Maybe this will positively impact Mozilla's dev process, maybe it won't. Ultimately I don't think it matters. This is about marketing against an entrenched competitor who has done a good job of equating security with bug counting (in the minds of most customers anyway). When it's hard to win, change the rules. And that's what Mozilla is attempting to do.


The Laundry List

  1. Switching is switching is switching. At least that's what Brocade hopes will happen when they drop $3 BILLION on Foundry. Big is the new small, even in the networking space (which would include storage networking). - Brocade release [16]
  2. He's baaaack. Jim Bidzos takes over at VRSN, while they search for yet another CEO. Sure he knows the company, but Bidzos has never run a $50 million dollar company, certainly not a billion dollar one. - VeriSign release [17]
  3. Heads I win, tails you lose. Check Point goes high end with their appliance and further competes with their appliance customers (who license CHKP software to run on their boxes). They should have done this years ago. - Check Point release [18]
  4. Patent litigators, start your engines. McAfee loses IPS case to DeepNines for $18 million. Sure they'll appeal, but Sourcefire and TippingPoint and probably all the UTM folks should be expecting their lawsuits. I guess when you can't compete in the market, it makes sense to compete in the courtroom. - Barron's blog [19]

Top Blog Postings

the hyper-connected Mogull [20] gets the smart folks at Matasano on the line to verify that it's a big issue [21]. Of course, based on the law of unintended consequences, Halvar's generic speculation [22] led to a domino effect of Matasano inadvertently spilling the beans, for which Thomas had to make a public and gut-wrenching apology. The moral of the story: you can't have your cake and eat it too. Dan played with fire in terms of pre-announcing the DNS flaw when the patches were released, and that created the environment where someone was going to figure it out. Security by obscurity works, but only if you are truly obscure and thus not a target. Dan put a big target on the DNS flaw by talking about it, and this is what happens.
http://www.matasano.com/log/1105/regarding-the-post-on-chargen-earlier-today/ [23]

http://www.gnucitizen.org/blog/tiger-team-operations-vs-penetration-tests/ [25]

first post [27] really sets the stage by going over a bunch of assumptions. Are the assumptions accurate? Who knows? That's the problem with assumptions. If they aren't right, then everything else you say is crap. Thankfully Rich waters things down to a few statements (like bad guys are focused on web apps, and code is generally insecure), which I'd say are fact. Yet it's the second post that really gets interesting. Basically it's Rich's short manifesto on why monitoring is the only way to address the issue. He adds a bit of protection to that (making the acronym ADMP - application and database monitoring and protection), but that's more because some folks will actually try to block stuff, and they should (for the most obvious issues). Rich also goes through a potential use case that I think has some legs: building a somewhat isolated, application-specific experience that will wall off the computing from everything else on the device. For banking applications (most likely high-value banking), this approach makes a lot of sense. Philosophically, there are abstractions we can take from these ideas. I'm all about the monitoring because (as I've probably said about a million times) we don't know what tomorrow will bring us. But we do know if it causes some unexpected behavior, traffic patterns, transactions, etc. If you aren't collecting data from all aspects of the system (from browser to database, as Rich says), then you can't really get the big picture. Of course, it's still very hard to collect and make sense of all this data, but it's our best near-term hope for addressing the gaping hole that is web applications. Longer term, we have to change the game and secure the data directly, but that is a LONG way off.
http://securosis.com/2008/06/27/the-future-of-application-and-database-security-part-2-browser-to-wafgateway/ [28]


Source URL:
http://securityincite.com/blog/mike-rothman/the-daily-incite-july-22-2008