Daily Incite
The Daily Incite - March 22, 2006

Good Morning:
We are the good guys. Always remember that. Reading a story about the cost of data loss reminded me that information security is important. We may not win all the battles, but we must win the war. People get hurt when scammers and fraudsters are successful in compromising personal data. Keep that in mind next time you get discouraged because of the 1000th stupid thing some user did.
On a lighter note, The Daily Incite is evolving rapidly. Each morning I'm going to list what I think are the TOP 5 security news stories. I'll apologize for burdening you with 8-10 stories each day because I thought they were interesting. I always need to remember (and pay attention) to my role, which is to save you time. I'll still post the blog stories that I think are interesting, but the filter on those is going to get tighter as well.
Finally, in some cases you'll see a "snipurl.com" link for the news stories. This is intentional as some of the URLs that the trade pubs use (got to love those content management systems) are long and very ugly. SnipURL gives me the ability to shorten them.
Have a great day.
Endpoint Security RoundUp (http://snipurl.com/nx6g)
So what? - Yes, endpoint security is still happening. In this story, SearchSecurity mentions a couple of different news items focused on controlling endpoints so they can't do bad things. It may be using USB thumb drives to steal data or having a risky wireless profile, but the issues are similar. Enterprises need to gain more control of their devices by enforcing policies to make that happen. How granular and draconian the policies are will vary, but not being able to control those devices is a mistake.
The High Cost of Data Loss (http://www.informationweek.com/security/showArticle.jhtml?articleID=183700367&pgno=1)
So what? - InformationWeek's cover story this week is about privacy and data loss. It's worth a read. Not because it tells you things you don't know, but because it reminds us of the personal cost that the bad guys extract when they are successful. When things get tough and you are overwhelmed, these are helpful stories and anecdotes to keep you focused.
Data Centers Do Not Have Risk Management Plans (http://www.informationweek.com/story/showArticle.jhtml?articleID=183701425&cid=RSSfeed_IWK_winsecurity)
So what? - AFCOM, an association of data center managers, did a survey that showed 17% have no risk management plan. Usually I am suspicious of surveys, but this one was used to bolster a prediction (as opposed to selling products). That prediction, "Within the next five years, one out of every four data centers will experience a serious disruption," is right on the money. So not having a clear, practiced plan for disaster recovery is career suicide. Organizationally, the data center organization and the security group may be separate, but I'm not in the excuses business. By the way, neither is your boss. So make sure there is a plan to recover from any type of system compromise and keep the business operational.
Following the Money (http://www.cdt.org/privacy/20060320adware.pdf)
So what? - Very interesting report at this link by the Center for Democracy and Technology. They break down how adware networks push their ads through unsuspecting (or uncaring) advertisers. They actually spoke to a couple of sites and exposed the fact that most of these folks have no idea who is advertising on their site. If you have time, it's a good read.
VeriSign Offers Managed Skybox (http://www.verisign.com/press_releases/pr/page_037248.html)
So what? - VeriSign introduces a new Security Risk Profiling Service, based on technology from Skybox Security. This offering produces a report detailing known issues with a customer's environment. Skybox's technology is well regarded, so this is a good move for them and also for VeriSign to differentiate in increasingly undifferentiated MSS circles. Will customers pay above and beyond for "risk profiling," instead of risk fixing? That's always been the problem with vulnerability scanning. It tells you what is broken, but then you are left with even more stuff on your to-do list. I'm going to do a drive-by on Skybox later today, to be posted this afternoon.
Securing a Solution to Data Theft
Patricia Keefe on the InformationWeek blog follows up on their "Cost of Data Loss" story with some ideas and suggestions to deal with the situation. The fact is it is a messy, non-trivial issue that will take years to solve. The reality is the sooner I can get truly sensitive private information back in my control, using user-centric identity technology, the better. But that is going to take some time before my key online vendors will accept an assertion in the form of an InfoCard or some other Identity token. So in the meantime, you need to stay on top of your own assets and watch them diligently. The sooner you can pinpoint an issue, the sooner it gets dealt with.
Link: http://www.informationweek.com/blog/main/archives/2006/03/securing_a_solu_1.html
StillSecure Endpoint Security Index
Alan Shimel of StillSecure mentions his company's "endpoint security index," which is a pretty cool set of tests they run monthly to figure out how "bad" it is out there for devices surfing the net. Statistics driven by vendors are more of a PR tool than anything else, but at times they can be useful to provide some perspective. You can check out the index at http://stillsecure.com/endpointindex/index.php.
Link: http://ashimmy.typepad.com/ashimmy/2006/03/honeypot_stills.html
The Daily Incite - March 21, 2006
Good Morning:
Today's Incite is pretty long, but there is a lot going on. A few vendor announcements (which, as always, relate back to a bigger theme) and also some vulnerability and attack news. It also looks like Microsoft is ramping up its global legal team to go after phishers. Good luck to them on that. I'd also like to wish my wife Jodi a Happy Birthday. As captain of the household, she keeps things running and lets me sit in my office and bang away at the keyboard. She was also a major influence when I decided to start Security Incite. Her support and confidence in my abilities are unwavering. I couldn't have asked for a better partner. Have a great day.
Top Security News
It's Raining IT Security Surveys (http://snipurl.com/nwt7)
So what? - NetworkWorld provides some insight into IT security surveys in this article. This quote says it all: "Leading security vendors, looking to scare up interest in their products, pumped out more than twice as many of these surveys last year as in 2004, and this year are on an even more aggressive pace." They do the surveys because they are counting on peer pressure to be a catalyst for activity. In many cases, the survey tool is suspect and can present biased results - but I guess that's the point. This topic gets me kind of fired up, so I'm going to do a longer blog posting later today.
Cyber-Ark Delivers User Management Support (http://www.cyber-ark.com/networkvaultnews/pr_20060320.asp)
So what? - Cyber-Ark is bringing their vaulting technology to bear on the problem of managing administrator passwords. This is a big problem because the administrator password usually provides the keys to the kingdom, so those passwords need to be handled wisely. The idea of monitoring admin password use is also important because not only do you want to protect the keys, you want to know how and where they are used.
New Zero Day Bug Crashes IE (http://www.informationweek.com/news/showArticle.jhtml?articleID=183700672)
So what? - This time a single malformed HTML tag can bring down IE. That's comforting. It's not clear that the exploit can result in a hijacked session, but nonetheless IE remains problematic. But in this case, there is actually an easy fix. Use Firefox. That's what I do.
Get Ready for More DoS Attacks (http://snipurl.com/nwu6)
So what? - The folks over at VeriSign were hitting the circuit this week talking about a new wave of denial of service attacks on the horizon. These are kicked off by compromising name servers out there and using them to amplify the attacks. The most interesting nugget here is that these are FOCUSED attacks. They are not trying to take down the entire Internet, but rather a few targeted sites. Just more evidence that hacking is a business now. Hobbyists need to get back to their train tables.
Fallout from Poor Government Security? (http://snipurl.com/nwub)
So what? - In this SearchSecurity article, the author asks whether the US Federal government's continually failing IT security grades will prevent the private sector from sharing information. I don't buy it. I have a hard time believing that a commercial company is going to say no when DHS or the FBI comes asking for help. I'm not sure how often this happens, but there tends to be a great halo effect for helping out the Feds and I don't see vendors walking away from that.
Top Blog Postings
Microsoft Solving the Spyware Problem?
Richard Stiennon has rejoined the ranks of the security analysts. This is the guy who pronounced IDS to be dead with great fanfare a couple of years ago. In this posting on his Threat Chaos ZDNet blog, he's at his sarcastic best. He's right in saying that we cannot prematurely anoint Microsoft the spyware savior. In my view, that's because there is no answer. It's just like AV and soon will be a feature of AV. There will always be bad guys out there and spyware is another attack vector. It's a battle we'll all need to fight indefinitely.
Link: http://blogs.zdnet.com/threatchaos/?p=294
More on Security Surveys
Ellen Messmer on her NetworkWorld blog adds a companion piece to the IT security survey article (mentioned above) with some more data. This one references the same PGP/Ponemon study that I ranted about yesterday. The reality is that surveys are a marketing tool like anything else. If the data helps support your decision, that is great. If not, disregard it, because if you look (and you don't need to look that hard) there will be holes in the methodology and the survey tool. These are vendors doing this study, not a university professor looking to publish bulletproof results.
Link: http://www.networkworld.com/weblogs/security/011538.html
Sophos Cracks the RansomWare Password
Mark Gibbs, on his NetworkWorld blog, mentions that Sophos has solved the ransom attack of last week. These jokers would make a password-encrypted zip file of your key files and then demand $300 to get the password. Kudos to the folks over at Sophos who cracked this. The password actually looked like a file name, so anyone looking at the source would just pass right over it. Ingenious.
Link: http://www.networkworld.com/community/?q=node/5120
It's Tax Season for Phishers
Douglas Schweitzer on his ComputerWorld blog refers to a CW article noting that this is high time for IRS phishing scams. Folks are pretty sensitive to all issues tax, so this is a pretty effective ruse to separate folks from their personal information. I've personally seen a bunch of these show up in my spam quarantine, so it's happening.
Link: http://www.computerworld.com/blogs/node/2048
Ed Moyle Doesn't Trust E&Y
I think I've lost the title of the most pissed off security pundit. Ed Moyle rants about E&Y in this blog posting, calling them hypocritical and wondering why we take their advice. It's actually a great question because it gets to the heart of trust. Why do you trust an organization and, most importantly, what do they need to do to maintain that trust?
Link: http://www.securitycurve.com/blog/archives/000362.html
Open Source Log Analysis
Randy Bias points us towards a new Ruby-based open source tool called Oedipus that does log analysis and finds vulnerabilities. This is the first of what I expect will be many new open source initiatives aimed at simplifying and democratizing big, fat and expensive security software. If something like this, over time, can provide 80% of the functionality of SIM, then that is one more nail in the coffin of that sector.
Link: http://www.randybias.com/archives/000246.html
No Such Thing As Privacy
CJ Kelly on the ComputerWorld blog posts some pretty disturbing thoughts about how much information Google is learning about all of us and how that may be used against us. It did get me thinking a bit, but as Scott McNealy once said, "there is no privacy, get over it." The fear of losing my privacy is not as great as trying to figure out how I'd do my job without tools like Google.
Link: http://www.computerworld.com/blogs/node/2046
The Daily Incite - March 20, 2006
Good Morning:
Today's Incite has a focus on the channel, which is becoming very important in the security world. It was also a pretty active weekend in the blogosphere, so there are lots of interesting posts there. Hopefully you all enjoyed the weekend (the weather was great down in Atlanta) and are ready to jump back in this week. Have a great day.
Top Security News
Screwed Up Updates - The Sequel - Microsoft OneCare This Time (http://www.informationweek.com/story/showArticle.jhtml?articleID=183700356&cid=RSSfeed_IWK_winsecurity)
So what? - Microsoft is the latest vendor to bungle a product update (after McAfee and Apple last week). Again, this stuff is going to happen, so don't be surprised. At least Microsoft can say "it's still beta." What is McAfee's excuse?
ScanSafe Announces Integrated Managed Service for IM and Web Security (http://www.scansafe.net/scansafe/news/story?id=129591)
So what? - Clearly IM security is a feature. At this point, all of the email security service providers have announced an integrated IM security offering, and now ScanSafe is coming at it from the web traffic security world. Many of the email security appliance makers have also brought IM solutions to market. Now IM traffic looks a lot more like web traffic than email, so architecturally you favor folks that have expertise dealing with web traffic. But ultimately all of these functions need to be enforced under the same policy on a common gateway platform or service provider network.
Channel Focus - VARBusiness and CRN are kind of like the USA Today of the technology world. You can read these books in about 10 minutes, and it's more about the money than it is about the technology. That is refreshing, since the technology trade press is so enamored with new cool widgets. If resellers can't make a buck, then you can be assured that CRN will not be covering it. Here are a few recent selections about what the channel folks think is important.
Channel Focus: SMBs Ripe for Secure E-Mail (http://www.channelweb.com/sections/allnews/article.jhtml?articleId=181502843&cid=ChannelWebNews)
So what? - SonicWall, a darling of the channel, recently bought MailFrontier [link to Deal coverage here] to gain exposure to email security. Suffice it to say, SMB has been interested in email security for quite a while, so this is not news. It was also interesting that the two SMB email security gorillas, Barracuda and Postini, were not mentioned in this story. But as the enterprise business continues to be very messy, SMB is looking attractive. We'll see a lot more activity in this space.
Channel Focus: VARs Eye Threat-Management Security Appliances (http://www.channelweb.com/sections/allnews/article.jhtml?articleId=181501952&cid=ChannelWebNews)
So what? - I've been saying for a while that we'll see more integration of security functions on the perimeter (No mas box). CRN provides a news clip overview of a number of recent offerings from the likes of Symantec, D-Link, Juniper, IronPort, and Imperva. Of course, many of these boxes are apples and oranges (Imperva protects internal applications, while the new IronPort appliance is focused on managing all the other IronPort appliances out there), but why let the truth get in the way of a good story.
Channel Focus: Security Vendors Expanding Channel (http://www.channelweb.com/sections/allnews/article.jhtml?articleId=181501928&cid=ChannelWebNews)
Top Blog Postings
US Federal Government Security Report Cards are Out
Ellen Messmer of NetworkWorld covers the recent "report card" on how various US Federal agencies are doing relative to security. There is also a link in there to the actual report card. It's very interesting in that while the overall grade is still D+, there are some agencies that have their act together. I also think that this will not get better anytime soon, as the Feds keep rolling out new requirements (like HSPD-12 for authentication) while a large portion of the government cannot do simple blocking and tackling.
Link: http://www.networkworld.com/weblogs/security/011517.html
Securing USB Ports
Douglas Schweitzer on the ComputerWorld blog points out the difficulty of securing USB ports. One of the anecdotes involves actually gluing USB ports shut. Wow! That's pretty stupid. But it brings up an important point, which is that USB hygiene must be part of any endpoint security capability. That does bring up some sticky issues, including whether to allow iPods to be used on work computers.
Link: http://www.computerworld.com/blogs/node/2041
Even Security Pros Don't Use Encryption
Rebecca Herold on her IT-Compliance blog points out that most of the vendors at the CeBit show didn't use encryption. Why would they? The point of putting up an access point at a trade show is for branding. You want someone to try to connect and see your company name. It's not about keeping people out of a public network. She goes on to say encryption is "easier to use and stronger than ever." This strikes me as pretty naive. Encryption is NOT easy to use (except SSL) and it's not clear what problem it solves. Are we talking about encrypting data in motion or data at rest? Or both? I do think that unsophisticated end users will continue to buy encryption because some expert says it will help with compliance. My opinion is that encryption is a tool in the compliance tool bag, and a misused tool at that.
Link: http://realtime-itcompliance.typepad.com/itcompliancecommunity/2006/03/even_informatio.html
Cybercrime a Bigger Threat than Physical Crime
Alan Shimel of StillSecure mentions a few studies on his blog that continue to indicate that end users are worried about the "internal threat." This is exactly right, as most folks feel reasonably comfortable with their perimeter and now we all need another windmill to chase. Network Access Control, or NAC, will be a huge beneficiary of this need, so look for this technology to break out this year and mature rapidly. That will also bring the inevitable consolidation.
Link: http://ashimmy.typepad.com/ashimmy/2006/03/cybercrime_a_bi.html
Server Patching in a Few Easy Steps
Mark Shavlik talks about best practices on patching servers in this post. Obviously his perspective is self-serving, as it should be, but the post brings some good points to light. End users pick a patching vendor because they trust that they get it right. Shavlik talks about their QA and regression process to make sure patches don't break stuff. Sure, you can take a precautionary stance and test everything yourself, but you may be dead by the time you figure out the patch worked. In the early stages of a technology, I'm all for caution. But at this point, patching (and Microsoft's process) is fairly mature. That doesn't mean they won't screw things up, but taking the time and resource hit of testing everything yourself just doesn't make a lot of sense to me.
Link: http://shavlik.typepad.com/mark_shavliks_blog/2006/03/server_patching.html
It's Time to Fix Banking Security From the Ground Up
George Ou on his ZDNet blog makes a very insightful post on the fundamental issues of banking security. By basing everything on a shared secret (your PIN), you don't build any fail-safes into the system, especially when that PIN is stored whenever anyone uses a debit card (did I mention I NEVER use debit cards at POS terminals?). Is the answer a smart card? Or a one-time password? Or "contextual authentication" that would require more data if coming from a POS terminal rather than the bank's online banking site? I'm not sure any of us know the answer, but the fact that it's broken is pretty clear.
Link: http://blogs.zdnet.com/Ou/?p=173
The Daily Incite - March 17, 2006
Good Morning:
Happy St. Patrick's Day from the least Irish guy I know. Today's daily update is light, since there was little news. So buzz through it and enjoy the rest of your day. Also, maybe take some time to relax a bit today. If you are a basketball fan, this is the nirvana weekend with the NCAA hoops tournament. I can only speak for myself, but I always run fast, and sometimes you need to just take a breath. I'm going to go watch some games and drink some green beer this afternoon with a friend NOT in the security or tech business. I suggest you do the same, if at all possible. Have a great weekend.
Top Security News
Man Charged with Hacking into GM Database (http://news.yahoo.com/s/ap/20060315/ap_on_hi_te/gm_security_breach_3)
So what? - If this guy were dead, he'd definitely be a candidate for the Darwin awards. The perpetrator was a contract security guard who got into GM's databases to get employees' social security numbers in order to find out what kind of company vehicles they had. Then he sent them emails from a Yahoo account asking them what they thought of the cars. If he wanted some references, he probably could have just gone into the cafeteria. Clearly not the sharpest tool in the shed, but the real questions remain. How could a contract security guard get personal information about GM employees? It's also a reminder that the human element is the weakest link in any security architecture. Never forget that.
Macs Just As Vulnerable to Wolverine Attack (no link)
So what? - Part of my goal with The Daily Incite is to save you time. So this story is a joke about the fact that both Macs and PCs are just as vulnerable to being physically attacked by a wolverine. The text is funny, but you have better things to do with your time.
Oracle Siebel Applications Get Common Criteria (http://biz.yahoo.com/prnews/060316/sfth014.html?.v=40)
Is RFID Vulnerable? (http://www.informationweek.com/story/showArticle.jhtml?articleID=183700423&cid=RSSfeed_IWK_winsecurity)
Top Blog Postings
The Banks are in Trouble
CJ Kelly on the ComputerWorld blog says the recent security breach extends beyond just Citibank. I think we already knew that. But it still does indicate that the banks are going to get a black eye about this. But I'm not sure throwing more widgets at the problem is the answer. CJ is correct in saying it may be time for the banks to really re-evaluate how they do security.
Link: http://www.computerworld.com/blogs/node/2030
Block Ad Serving Cookies in IE and Firefox
Dave Piscitello of Core Competence writes for Watchguard about a couple of Firefox extensions that can help block ad cookies. I'm going to try these later today. He also makes a point to thank the open source folks, which I agree with. securityincite.com is driven by an open source CMS called Drupal. It is truly amazing the type of support you get in the forums and the fact that, for the most part, the software just works. So, thank you open source folks.
Link: http://www.watchguard.com/RSS/showarticle.aspx?pack=RSS.FiFoxCookies
Has Linux Patching Surpassed Mac and Windows?
George Ou on his ZDNet blog posits that due to the architecture and multi-vendor, multi-module nature of Linux itself, it is more adept at patching 3rd party software. Mac and Windows focus (and do a decent job) at patching their own stuff. That is, when the patch works, right Apple? This is a very interesting position and I think he's right. Even the commercial patching products are focused on the management and completion of patches from Microsoft, as opposed to other potentially damaged software. Seems like an opportunity for the Shavliks and BigFixes of the world to extend their patching prowess to other products and maybe even sell an update engine to other vendors that have less sophisticated means.
Link: http://blogs.zdnet.com/Ou/?p=172
Recently on the Security Incite Rants Blog
Drive-By: RedCannon - Your Life on a USB Drive? - Not Yet - This is the first of a new content type I'm calling the "drive-by." Basically I see an interesting article or press release and check out the company behind it based only on their marketing literature and web site. I DO NOT TALK TO THE COMPANY (YET). Then I go through my thinking on whether the announcement makes sense. That's why I call it the drive-by. They won't know it's coming. In this first installment, I go through my thoughts on a USB access device by RedCannon Security and tell you that, based upon what I can see, this is a technology looking for a problem.
http://securityincite.com/blog/mike-rothman/drive-by-redcannon-your-life-on-a-usb-drive-not-yet
How Secure Are Wireless Networks? - A recent study by Panda Labs showed that 60% of wireless networks are unprotected. Do you care? Should you care? If you care, what should you do about it? This post is a bit of a rant about consumer vs. business wireless security considerations and some other random WiFi topics (like how I secure my home network).
http://securityincite.com/blog/mike-rothman/how-secure-are-wireless-networks
Read Yesterday's Daily Incite
http://securityincite.com/blog/mike-rothman/the-daily-incite-march-16-2006
The Daily Incite - March 16, 2006
Good Morning:
I'm incrementally improving the layout of TDI. Let me know what you think. In terms of activities in security-land, we continue to see innovative techniques to hack your systems. Whether it's the Cryzip Trojan or VM rootkits, there are new attack vectors that we need to make sure our security architectures factor in. The goal of the architecture is to ensure you don't have to respond to every new attack, but there will always be some types of reaction required. That's just the nature of the beast. Have a great day.
Top Security News
Cryzip Trojan Steals Files (http://www.eweek.com/article2/0,1895,1937408,00.asp?kc=ewnws031406dtx1k0000599)
So what? - The innovation of the bad guys still amazes me at times. This article goes through a very targeted, innovative attack where a Trojan encrypts critical files into a password-protected Zip file. The only way to get the password is to pay a $300 ransom. Some folks have cracked the crypto already, but the point is still the same. This is a BUSINESS, and entrepreneurs (yes, it hurts to call hackers that, but it is what it is) will continue to find innovative ways to separate people from their money.
VM Rootkits - The Next Big Threat? (http://www.eweek.com/article2/0,1895,1936666,00.asp)
So what? - The big news this week (well, besides McAfee deleting half of a user's hard drive) has been the ability to install a rootkit on a virtual machine. With virtual machines proliferating through data centers at exponential growth rates, this would create quite a problem if undetectable rootkits could be used to compromise the various virtual machines. We need to be thinking about how to apply (and enforce) policies to make sure each of those virtual machines is not doing bad stuff. So, you'll need to look at traffic patterns for those VMs to see when something is amiss.
Reflex Security Blazes New Trail with Security for Virtual Computing Environments
SiteAdvisor Issues Spyware Challenge (http://www.siteadvisor.com/press/releases/03_15_06.html)
Vericept Announces Version 7.5 (http://www.vericept.com/news/press_info.asp?pid=57)
Top Blog Postings
Gibbs on VM Rootkits
Here is Mark Gibbs' take on the VM rootkit issue. He's thinking about processor-based remedies for this type of attack, but by the time that happens, we'll all be dead.
Link: http://www.networkworld.com/community/?q=node/5067
The 5 Rules of The Regulatory Process
I stumbled upon this post by Dana Epp regarding regulatory issues. The content is presented in a reasonably simple taxonomy of a few rules that should govern what you are doing. The points are simple and that's why I like it. We all spend way too much time making life complicated and hard, and if we could just get beyond our own ego (if it's easy then what's my value?) we'd be able to get a lot more done.
Link: http://silverstr.ufies.org/blog/archives/000926.html
Anti-Virus Recommendation - Exhaustive Testing vs. Pragmatism
I was confused by this post on the Ferris blog. The point seems to be that the large AV vendors are not putting enough effort behind the validity of the big labs (ICSA Labs, etc.) that validate all of these AV programs. But users increasingly rely on word of mouth to determine what works. I don't see anything wrong with that, and if anything, that's the way things are supposed to work. Sure, ICSA can figure out whether an AV product can catch every single virus known to man. But a friend can tell you if the user experience and manageability of the product works for him/her. Which is more important in a very mature market like AV, where 95% of the products are going to do exactly the same thing at the same level of effectiveness? You guessed it. Once I'm convinced the product will work, I buy off the recommendation of someone I trust every single day of the week.
Link: http://blog.ferris.com/2006/03/antivirus_recom.html
Quarantine - Not Delete on AV Settings
Douglas Schweitzer points to an article that reminds us of a good policy, which is to quarantine files flagged by AV software as opposed to outright deleting them. That would give us some remedy when the AV vendor boots something (like our friends from McAfee did this week). Not using AV is not an option. Not having it automatically update is not an option either. So this gives a bit of a fall-back position.
Link: http://www.computerworld.com/blogs/node/2021
Shout-outs for Security Incite
Ellen Messmer of NetworkWorld and Mark Shavlik mention Security Incite on their blogs. I certainly appreciate the mentions.
Links: http://www.networkworld.com/weblogs/security/011472.html and http://shavlik.typepad.com/mark_shavliks_blog/2006/03/tim_rothman_and.html
Recently on the Security Incite Blog
Can You Have a Review if No One Shows Up? - I got a kick out of the difficulty that SC Magazine had in getting vendors to participate in an email security services review. They shouldn't have been surprised, and I explain why in this post.
http://securityincite.com/blog/mike-rothman/can-you-have-a-review-if-no-one-shows-up
Vendor Vigorish: Access, Not Bribes - A posting by analyst relations firm ARmadgeddon got me going about vendors' motivations for doing analyst relations. Their position is that vendors pay for better access, not to try to win favor. There is some truth to that, but not painting the other side of the picture tells only half the story.
http://securityincite.com/blog/mike-rothman/vendor-vigorish-access-not-bribes
Read Yesterday's Daily Incite
http://securityincite.com/blog/mike-rothman/the-daily-incite-march-15-2006
The Daily Incite - March 15, 2006
Good Morning:
Top Security News
Security Screw-Up 1 - McAfee (http://www.eweek.com/article2/0,1895,1937154,00.asp)
So what? - McAfee sends out a DAT update that wreaks havoc on enterprises by deleting lots of good files. This situation was inevitable due to the velocity of threats. Response time is measured in minutes (not hours), and when you need to respond that quickly, shortcuts are going to be taken. This time it was McAfee, next time it will be someone else. But this will happen again. Users are advised to grin and bear it. I know that's a crappy answer, but you can't test every AV update, and you can't wait until someone else does. You can get pissed and think about switching vendors, but the reality is switching costs will be high and there is no guarantee whoever you pick won't screw up next month. If anything, if your renewal is coming up in the next 3 months, use this as leverage to drive the price down a bit.
Security Screw-Up 2 - Apple (http://www.informationweek.com/story/showArticle.jhtml?articleID=181503692)
Top Blog Postings

Protect your teens
Johanna Ambrosino of InformationWeek has a great piece on protecting teenagers online, reflecting her personal experience. This is a huge issue for many, so if you have teenagers - read this posting. My oldest is not even 6 yet, so she's still quite happy tooling around the Disney and PBSkids sites, but it's just a matter of time before any of us with kids will need to deal with this problem. Being security professionals, we have a leg up (since we know what's available out there), but ultimately we need to equip our kids to make the right decisions, as opposed to expecting software to be a silver bullet. Also go visit K9, which is a service of Blue Coat to educate consumers about the bad stuff happening on the net. Link: http://www.informationweek.com/blog/main/archives/2006/03/keeping_kids_sa.html

Shortcuts are a fact of life
Jim Rapoza of eWeek vents about companies taking shortcuts on protecting private information. This was driven by a court decision releasing the financial provider from liability because they didn't have proper protections on student loan data. DUH! Some folks take shortcuts and it pays; for others...not so much. And we can't count on the courts to defend us. I was actually talking to someone this week who commented about healthcare companies taking shortcuts because the penalties for violating HIPAA are a rounding error. That's pretty scary, but it's true. I don't spend a lot of time agonizing over human nature, which is that people are going to take the easy way pretty much every time. So, it's reasonable to ask your bank and healthcare providers how they protect your data. And then you can decide whether that is someone you want to do business with. Link: http://www.eweek.com/article2/0,1895,1935518,00.asp

Hack Thyself?
Interesting article by Matt Sarrel in PC Magazine (which is targeted at SMB types) called "Hack Thyself" about vulnerability management. They don't really call it that, but the article is about using a scanner to see if/how you are vulnerable. Again, as security folks, this is obvious. BUT there are lots of unsophisticated users out there that need help like this. If you are a vendor, take heed. It needs to be simple (and preferably transparent) to be mass market applicable. Link: http://www.pcmag.com/article2/0,1895,1932661,00.asp

Military Mindset?
My old friend Jay Heiser (now of Gartner) writes in his monthly Information Security Magazine column about security professionals needing to move away from the military mindset. I am mostly in agreement with this, in that we must act pragmatically and not do security just for security's sake. BUT, this is war and the bad guys want to do a lot of damage, so having a structured containment and response process and mechanism that is practiced and runs with military precision is absolutely critical to keep your information safe. The point of evolution is to leave the useless stuff behind, but improve on what works. Sure, there is some part of the military mindset that is not helpful, but a lot is - so I say not to throw the baby out with the bathwater, but to make sure that you are constantly looking for ways to do more of the right stuff and less of the wrong stuff. Link: http://searchsecurity.techtarget.com/columnItem/0,294698,sid14_gci1171862,00.html?track=NL-102&ad=545608

Face-off on Anomaly Detection
I really enjoy the face-offs that Network World publishes. This one is about anomaly detection, and both participants make good points and are misguided on others. The reality is that behavioral-based techniques are another tool in our tool bag. They should be treated as such. It's not a panacea, nor is it a waste. In fact, anomaly detection techniques are being added to most of the perimeter defense offerings out there because they make a good complement to traditional IPS signature and heuristic methods. That doesn't mean it's a stand-alone opportunity for a vendor, but users need to figure out how to integrate all applicable techniques into their defense schemes. The answer continues to be "all of the above" regardless of what the vendors say. Link: http://www.networkworld.com/community/?q=anomaly&nettx=031406netflash&code=nlnetflash26594

Ed Moyle on the futility of Hacking Challenges
Amen to this! Like any test, review or challenge - inherently the answer will be biased because of how the test is set up. Users need to look at these results in context. The Swedish Mac OS X hacking challenge seemed to be a farce. The one done at U of Wisconsin may have been too. The fact is, just as stupid as it was for Oracle to claim they were "unbreakable" a couple of years ago, it's stupid to think that any OS will be free of malware and threats. They can all be broken if given enough time. Nothing is foolproof. So make sure you have layered defenses in place, so you are not putting all your eggs in one basket. Link: http://www.securitycurve.com/blog/archives/000358.html
The Daily Incite - March 14, 2006
Welcome to today's Daily Incite. Given this is the maiden voyage and a bunch of stuff piled up over the weekend, it's a bit longer than normal. But you should still be able to scan it in 5 minutes and stay on top of the security world. I also appreciate your patience as I work out the design concepts for the newsletter. I'm not there yet, but you'll see some rapid improvements this week as I nail down the process.
Have a great day,
Mike.
Identity Federation Potpourri - Ping Identity Raises $3 million and RSA announces Federation Manager 3.0.
So what? - Federation is increasing in importance as more and more companies deploy identity management. The logical first step is to clean your own house, basically implementing identity internally and then you start focusing on your trading community. That's where Federation comes in. All of the big stack players (Oracle, CA, BMC, HP, IBM) have federation products, and RSA and Ping are the most visible niche federation providers.
Links: Ping Identity Press Release - http://biz.yahoo.com/prnews/060313/sfm051.html?.v=42
RSA Press Release - http://www.rsasecurity.com/press_release.asp?doc_id=6617
Patch Tuesday - Two More on The Way - Microsoft will release two patches today (down from 5 last month).
So what? - Details are sparse, but we know that one is a "critical" issue. Ramp up your patching engines, sports fans; you'll probably need to implement this patch sooner rather than later. More details tomorrow, I'm sure.
So what? - It seems everyone still has a flair for the dramatic. If this is the "worst" hack ever, then we'll see it on the cover of Time Magazine. I don't think that's the case. But it does highlight some of the issues of using debit cards (like it's your bank account, as opposed to a fraud-protected credit card). There seems to be a pretty simple fix to this - don't use debit cards at point of sale terminals. I know, I know. The consumer banking folks will yell at me about the evils of credit. Blah blah blah. Not everyone has a credit card. Blah blah blah. Whatever. I don't use a debit card - EVER! So I'm personally not too concerned about this.
Links: http://www.informationweek.com/story/showArticle.jhtml?articleID=181502474
Counterpane and MessageLabs Release Joint Intelligence Report - Cyber Attacks To Significantly Impact Financial, Healthcare and Utilities Sectors
So what? - This definitely falls into the category of MASTER OF THE OBVIOUS. Yes, hacking will continue to be an issue. But MSS players see lots of data and they can point out some cool trends that most users just don't have the breadth of information (or time) to figure out. So, things will continue to get worse before they get better. No kidding. Get back to work and make sure your security architecture makes sense.
Link: http://biz.yahoo.com/bw/060313/20060313005260.html?.v=1
So what? - This is a big database of all the files out there and some idea of whether you want them on your machine or not. This kind of thing will save you time. When a machine is acting up, you usually see what applications and processes are running to see if something is amiss. Usually I'll find some executable that I'm not familiar with, so I Google it. Then I need to read a few postings to draw my own conclusions about whether it makes sense or not to have it running. This kind of database can eliminate a few of those steps, so I think it's a good thing.
Link: http://biz.yahoo.com/bw/060313/20060313005163.html?.v=1
Shavlik and Ellen Messmer of Network World on Microsoft's anti-spyware stuff - My thoughts on this are covered in the "More Musings on Spyware" blog posting.
http://shavlik.typepad.com/mark_shavliks_blog/2006/03/microsoft_micro.html
http://www.networkworld.com/weblogs/security/011401.html#011401
http://www.networkworld.com/community/?q=node/4913&nettx=031306netflash&code=nlnetflash26385
http://www.computerworld.com/blogs/node/1995



