Friday, February 24, 2006
The article below talks about FISMA compliance versus actual security, where it seems that neither one implies the other...
"'The high grades could mean a lot of compliance, but not a lot of security. The low grades could mean that there's plenty of security in place, but it just wasn't verified on paper properly.'"
"ISPA said that the UK government had won the award for 'seeking EU wide data retention laws which will force ISPs and telcos to retain more data for longer without proper impact assessment'."
I see a lot of business for SIEM and log management vendors here...
From "Issues Discovering Compromised Machines" by Anton Chuvakin - "One of the latest security books I read had a fascinating example in the preface. The authors, well-known and trustworthy experts in the field of security, made an outrageous [is it, really?] claim that most of the Fortune 2000 companies have already been penetrated by hackers (and have been in that state for years!). Hackers move in and out at will through the backdoors and other covert channels without the security personnel knowing or even suspecting it. Without being able to verify the validity of this, I decided to look at the problem of reliably discovering the compromised machines on corporate networks..." Read on.
Windows Incident Response: "The Windows Incident Response Blog is dedicated to the myriad information surrounding (and inherent to) the topics of incident response and forensics on Windows systems. "
I tend to agree. There will be consolidation of the existing security companies, accompanied by the birth of many, many new ones. As for CA - well - we'll see, but some indicators do point in this direction... After all, who else was called a seller of "worst of breed" security tools? :-)
Thursday, February 23, 2006
This issue troubled me for a while. Somebody smart :-) told me some time ago that the Tor license and legal FAQ actually prohibit such monitoring and (?) filtering. Specifically, it says:
"Q: Should I snoop on the plaintext that exits through my Tor server?
A: No. You are technically capable of monitoring or logging plaintext that exits your node if you modify the Tor source code or install additional software to enable such snooping. However, Tor server operators in the U.S. can create legal and possibly even criminal liability for themselves under state or federal wiretap laws if they affirmatively monitor, log, or disclose Tor users' communications, while non-U.S. operators may be subject to similar laws. Do not examine the contents of anyone's communications without first talking to a lawyer."
My response was that the above goes against common sense, but I was told that law and common sense have nothing to do with each other...
"2.7. Logging Considerations
Although logging is part of all the previous sections, it is important enough to be covered as a separate item. The main issues revolve around what gets logged, how long are logs kept and what mechanisms are used to secure the logged information while it is in transit and while it is stored."
The weird part is that the document advocates "exception logging" rather than full audit logging of network connections. Is that because those ISPs usually have huge network pipes? Or is there some legal requirement not to have discoverable data on connectivity?
Gartner is like a mainframe in 1979 | Between the Lines | ZDNet.com: "'Gartner is like a mainframe in 1979. Ripe for deconstruction.' So says Redmonk analyst James Governor in his post about transparency and the analyst business."
Agreed? Do you still like what they say [sometimes]? Even though it is highly fashionable to slam Gartner as a bunch of 'you-know-whos' :-), I [with some fear] admit that I often like how they organize the information.
Whether you love or hate your position in the famous Magic Quadrant, this information organization and presentation tool is pretty brilliant!
What he likely meant is that they are not connected to the real problems people ... :
- ... suffer from right now
- ... are willing to pay for solving
- ... will trust those vendors to solve
So, check your latest security startup for matching the above criteria. If you miss one, congrats - you operate without adult supervision! :-)
Wednesday, February 22, 2006
On the other hand, many software vendors say: "... but shooting elephants is sooo much more fun than swatting flies and squeezing rodents in their holes."
Tuesday, February 21, 2006
- Web application firewalls primer
- Threat analysis using log data
- Looking back at computer security in 2005
- Writing an enterprise handheld security policy
- Digital Rights Management
- Revenge of the Web mob
- Hardening Windows Server 2003 platforms made easy
- Filtering spam server-side
The article by Kevin Schmidt on "Threat analysis using log data" is my favorite!
Here is a fun bit from Bruce Schneier's latest Crypto-Gram newsletter from February 15, 2006: "Counterpane monitored something like 100 billion network events, world-wide, in 2005."
Think about it: "100 billion per year." How HUGE is that? Well, not huge at all. A year has about 31.5 million seconds, so that is just under 3200 events per second (roughly 3170).
Any commercial SIM product, such as netForensics, likely handles volume like this for each of its large customers...
Monday, February 20, 2006
As many other RSA observers agreed, under every tree you now see a NAC. Many folks who were anti-worm a year ago (Mirage, ForeScout, Nevis, etc.) are now NAC solutions. 802.1X, agents, switch blocking and other things are all over the place. It seems the NAC train is about to leave the station. Adjacent to NAC were the supposedly emerging "LAN security" vendors, such as ConSentry. They all claim to be "NAC+" and to additionally guard against internal threats and malware.
Application security, in all shapes and forms, is heating up quickly. Even Cisco showed some secure web gateway device; other vendors related to app security, database security (and information leak prevention) were well represented. Gartner preso directly spoke about needing to centralize application logs and events in 2006.
Network anomaly detection is, surprisingly, taking off after decades (!) of unsuccessful research. ISS's OEM deal with Arbor and other vendors' offerings attest to that. Also, I saw a number of secure messaging players; their space doesn't seem to be very hot, but, still, I would guess they were second only to NAC in numbers.
About one botnet owner: "The young hacker doesn't have much sympathy for his victims. 'All those people in my botnet, right, if I don't use them, they're just gonna eventually get caught up in someone else's net, so it might as well be mine,' 0x80 says. 'I mean, most of these people I infect are so stupid they really ain't got no business being on [the Internet] in the first place.'"
About the victim: "He eventually opted to buy a new PC rather than spend the time and money to repair the infected one. 'It just made more sense for me to get a new $300 Dell that came with a free monitor that was better than the one I had,' he says."
About one botnet fighter: "When Norris called the company with the bad news, its poorly trained network administrator had no idea how to respond. 'I call this guy up and say, "Hey, you've got 10,000 infected computers on your network that are attacking me," and this guy is basically, like, "Well, what do you want me to do about it?"'"
UPDATE as of 02/21/2006: through image metadata leakage, some folks actually identified the small town and a possible place where the "botmaster" lives. Check out this discussion for more details. The lesson? Watch the metadata when posting documents online! It applies not only to DOCs and PDFs, but also to pretty much all common image formats!
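To show what "metadata leakage" from a picture actually looks like on the wire, here is an added example (my own illustration, not part of the original post and not whatever tool those folks used). It builds a JPEG in memory whose APP1/Exif segment carries a camera make, model and software string plus a GPS latitude/longitude, and a COM segment with a free-text comment; it then pulls those fields back out the way a curious reader would, and strips the segments before the file is posted. Every value in the sample file (Acme, SnapCam 3000, AcmePhoto 1.2, the coordinates, "made by Bob") is made up for the example, and the "image" data is filler, so the file walks like a JPEG but does not decode to a picture.

```python
# Added example, not from the post: build a JPEG in memory carrying made-up
# EXIF camera tags, a GPS position and a comment, then find and strip them.
import struct
ASCII, LONG, RATIONAL, GPS_IFD_TAG = 2, 4, 5, 0x8825    # TIFF field types; GPS IFD pointer tag
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1, 9: 4, 10: 8}
TAG_NAMES = {0x010F: "Make", 0x0110: "Model", 0x0131: "Software"}

def _ifd(entries, ifd_off):
    # Little-endian IFD at ifd_off: count, 12-byte entries, next-IFD=0, then oversize values.
    body, extra = struct.pack("<H", len(entries)), b""
    extra_off = ifd_off + 2 + 12 * len(entries) + 4
    for tag, typ, count, data in entries:
        inline = len(data) <= 4                      # <= 4 bytes live in the entry itself
        val = data.ljust(4, b"\0") if inline else struct.pack("<I", extra_off + len(extra))
        extra += b"" if inline else data
        body += struct.pack("<HHI", tag, typ, count) + val
    return body + struct.pack("<I", 0) + extra

def build_sample_jpeg():
    # SOI, APP1/Exif (IFD0 + GPS IFD), COM, SOS stub, EOI: walkable, not decodable.
    make, model, sw = b"Acme\0", b"SnapCam 3000\0", b"AcmePhoto 1.2\0"
    gps_off = 8 + 2 + 12 * 4 + 4 + len(make) + len(model) + len(sw)
    ifd0 = _ifd([(0x010F, ASCII, len(make), make), (0x0110, ASCII, len(model), model),
                 (0x0131, ASCII, len(sw), sw),
                 (GPS_IFD_TAG, LONG, 1, struct.pack("<I", gps_off))], 8)
    gps = _ifd([(0x0001, ASCII, 2, b"N\0"),        # 37 deg 46' 29.64" N (made up)
                (0x0002, RATIONAL, 3, struct.pack("<6I", 37, 1, 46, 1, 2964, 100)),
                (0x0003, ASCII, 2, b"W\0"),        # 122 deg 25' 9.84" W (made up)
                (0x0004, RATIONAL, 3, struct.pack("<6I", 122, 1, 25, 1, 984, 100))],
               gps_off)
    app1 = b"Exif\0\0II" + struct.pack("<HI", 42, 8) + ifd0 + gps
    com, sos = b"made by Bob\0", b"\x01\x01\x00\x00\x3f\x00\x12\x34"
    return (b"\xff\xd8\xff\xe1" + struct.pack(">H", len(app1) + 2) + app1
            + b"\xff\xfe" + struct.pack(">H", len(com) + 2) + com
            + b"\xff\xda" + struct.pack(">H", 8) + sos + b"\xff\xd9")

def _segments(jpeg):
    # Yield (marker, start, end) per segment; SOS/EOI and everything after is one final chunk.
    if jpeg[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG")
    pos = 2
    while pos + 2 <= len(jpeg):
        marker = jpeg[pos + 1]
        if marker in (0xDA, 0xD9):
            yield marker, pos, len(jpeg)
            return
        length = struct.unpack(">H", jpeg[pos + 2:pos + 4])[0]   # struct.error if truncated
        yield marker, pos, pos + 2 + length
        pos += 2 + length

def _read_ifd(tiff, end, off):
    # Yield (tag, type, count, data); entries reaching outside the block are skipped, not fatal.
    n = struct.unpack(end + "H", tiff[off:off + 2])[0]
    for e in range(off + 2, min(off + 2 + 12 * n, len(tiff) - 11), 12):
        tag, typ, count = struct.unpack(end + "HHI", tiff[e:e + 8])
        size = TYPE_SIZE.get(typ, 1) * count
        at = e + 8 if size <= 4 else struct.unpack(end + "I", tiff[e + 8:e + 12])[0]
        if len(tiff[at:at + size]) == size:
            yield tag, typ, count, tiff[at:at + size]

def _decode(end, typ, count, data):
    if typ == ASCII:
        return data.rstrip(b"\0").decode("ascii", "replace")
    if typ == RATIONAL:
        v = struct.unpack(end + "%dI" % (2 * count), data)
        return [n / d if d else float("nan") for n, d in zip(v[::2], v[1::2])]
    return data                                      # other types: raw bytes

def extract_metadata(jpeg):
    """Return identifying fields: Make/Model/Software, COM text, GPS position."""
    found, gps = {}, {}
    for marker, start, stop in _segments(jpeg):
        payload = jpeg[start + 4:stop]
        if marker == 0xFE:
            found["Comment"] = payload.rstrip(b"\0").decode("latin-1")
        if marker != 0xE1 or not payload.startswith(b"Exif\0\0"):
            continue
        tiff = payload[6:]
        end = {b"II": "<", b"MM": ">"}.get(tiff[:2])
        if end is None or struct.unpack(end + "H", tiff[2:4])[0] != 42:
            continue
        for tag, typ, count, data in _read_ifd(tiff, end, struct.unpack(end + "I", tiff[4:8])[0]):
            if tag in TAG_NAMES:
                found[TAG_NAMES[tag]] = _decode(end, typ, count, data)
            elif tag == GPS_IFD_TAG:
                for t, ty, c, d in _read_ifd(tiff, end, struct.unpack(end + "I", data)[0]):
                    gps[t] = _decode(end, ty, c, d)
    if 2 in gps and 4 in gps:                        # GPS tags 1-4: LatRef, Lat, LonRef, Lon
        lat, lon = [sum(v / f for v, f in zip(gps[t], (1, 60, 3600))) for t in (2, 4)]
        found["GPSLatitude"] = -lat if gps.get(1, "N").startswith("S") else lat
        found["GPSLongitude"] = -lon if gps.get(3, "E").startswith("W") else lon
    return found

def strip_metadata(jpeg):
    """Drop APP1..APP15 and COM (EXIF, XMP, IPTC, ICC, comments); keep all else."""
    out = bytearray(jpeg[:2])
    for marker, start, stop in _segments(jpeg):
        if not (0xE1 <= marker <= 0xEF or marker == 0xFE):
            out += jpeg[start:stop]
    return bytes(out)
```

Run `extract_metadata(build_sample_jpeg())` and you get the camera strings, the comment and a decimal lat/long back; run it again on `strip_metadata(...)` and the dictionary is empty. The same segment walk also catches XMP and IPTC, which ride in APP segments too, which is why the stripper drops every APP1..APP15 segment rather than pattern-matching on "Exif" (the ICC color profile in APP2 goes with it; accept that or whitelist APP2 if you care). PDFs and Office documents use different containers, but the discipline is the same: dump what your tools embed before you publish, then strip it.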
Microsoft Frowns on iDefense Hacking Challenge - Yahoo! News: "Security intelligence outfit iDefense Labs is offering a $10,000 reward to any hacker who finds a worm hole in Microsoft's products, but the software maker isn't exactly thrilled by the gambit."
Security Curve Weblog: My mysterious disappearance and RSA aught six: "So was it worth it? Absolutely. But not because of the keynotes, the workshops, or the expo floor."
Friday, February 17, 2006
Also see this comment after the paper about what DID come after the 20s - "The Great Depression." Specifically, the reader says: "There are many, many companies who are about to be useless, just like the article says. In a decade, security will be a non-issue as big vendors catch up and actually write software in a secure way from the IDEA up. "
I am actually preparing a longer blog post on that very subject... And, as a preview, the answer is "no, security will never be 'done'" even if secure coding practices become more widespread (and they won't).
Wednesday, February 15, 2006
Friday, February 10, 2006
I'd side with Forrester on this one - it might take some time and the standalone folks might still be better, but the anti-virus vendors will catch up and eat their lunch. Anybody to argue? Anybody wanna bet?
You've got to be pretty insane to do that :-) Enough said.
Wednesday, February 08, 2006
Treat this as a puzzle right now; I will explain why I am asking it when I get a semblance of a representative set (maybe 50-100 votes).
I esp liked their "search by SSN" technology :-)
Security Curve Weblog: Apple Dunkin': "Awesome! So, there's a 0day that's still out there that lets hackers have full control of my Mac? Thanks, Apple - I think I'm starting to 'think differently' now..."
So, how does one think different? I think it is pretty certain that:
- "here's a 0day that's still out there that lets hackers have full control of my ..." Windows PC
- "here's a 0day that's still out there that lets hackers have full control of my ..." Linux system
- "here's a 0day that's still out there that lets hackers have full control of my ..." *BSD system
- "here's a 0day that's still out there that lets hackers have full control of my ..." Solaris system
Here they are:
#1: Using Windows to administer Unix
#2: Abandoning minimalism for convenience
#3: Failing to practice preventative management
#4: Focusing where the risk isn't
In the discussion following the article some folks criticize #1 for being "platform zealotry", and I tend to think that even though Windows workstations and laptops used for Unix administration can be secured, they rarely are, which makes the mistake valid in the real world.
Monday, February 06, 2006
I especially like this one (see the full example for details):
> You can destroy the Emperor ..
- It is your destiny!
This is yet another message by Marcus Ranum that should be looked at!
It's a bit hard to follow since it started from an unrelated subject of firewall appliance selection, but it got to a rare depth of log analysis discussion, with Marcus Ranum leading the pack.
It starts with this interesting quote: "It's not what you know or who you know, but who knows you" by Susan RoAne. So, enjoy The Art of Schmoozing!
Sunday, February 05, 2006
If you want to attend one of my presentations on various security topics, ranging from log analysis to security metrics, check out the schedule.
Saturday, February 04, 2006
FUD? ROI? ALE? ROSI? There are many approaches to "selling security" to management that are practiced [with various degrees of success!] by security professionals.
All things being equal, it is sad to know that "having experienced a catastrophic security failure" still facilitates security adoption much better than other things.
Despite the painful problems with the amazing multitude of virus and worm names, CME initially didn't enjoy wide recognition. However, the recent worm outbreak brought it to light, and the name CME-24 was used in some press and advisories instead of Kapser, Nyxem, KillAV, Tearec, W32.Blackmail and the other names the antivirus vendors used for the same piece of malware.
You can get more info on CME at http://cme.mitre.org/data/list.html
This is a significant development which will increase the importance of standards in information security. The worm itself will likely end up being a non-event, but the fact that many sources referred to it as "CME-24" sure has long-term consequences.
Wednesday, February 01, 2006
For example, here is one bit that relates to Microsoft views on security in 2006. MS Security VP Mike Nash replies to this question: "given that security is a major topic on IT manager's minds these days with security flaws and patches practically making front page news of some publications, what do you feel is going to be the main focus for security in 2006 for yourself and the industry as a whole? "
Read the answer at the above link!
Here is one bit that talks about how much endpoint security will grow. Enterprise Systems | The Shape of Endpoint Security to Come: "Will 2006 be the year of endpoint security? A number of network-access-control approaches are finally coming to fruition."
Are they? The year is still young ...