Ellen Messmer's bemused take on the recent Gartner Firewall report.
While I agree with Gartner's take on the commoditization of the market, I'm a bit skeptical of their push towards intelligence and the placing of the 'immature' market label. An evolving market, yes, but immature?
As for intelligence, we've seen this battle before. Anyone remember Check Point's SMLI fight with the TIS Gauntlet proxy folks?
Winn Schwartau tells the tale of a reporter finding US Gov't classified information about the whereabouts of an aircraft carrier. Not to mention, all sorts of juicy information about the captain.
An interesting read that reminds us all that most organizations' data is available electronically. And without proper security measures and access control to protect the sensitive data, well, anyone, even the US Gov't, can get googled.
"A group of security vendors will give the first public demonstration of the new Service Provisioning Markup Language for identity management at the Burton Group's Catalyst Conference July 9."
This is yet another *ML in the long line being developed at OASIS to support, among other things, web services data exchange between and among companies. The players involved in this standard include some of the biggest in Identity Management, including Waveset and Entrust. Conspicuously absent from the Provisioning Services TC, the group working on SPML, are Identity Management companies Netegrity and IBM.
Easy exchange of identity and provisioning information will help companies extend their identity and provisioning frameworks to business partners and other outside companies and could ease integration work when companies merge.
If you're going to be at Catalyst, and have an interest in Identity Management, stop by the demo to get a better idea of how it will work.
"Wi-Fi is hot, but it's not the only wireless network in town. To help integrate and manage the variety of wireless platforms and protocols available to enterprise users, several vendors are readying WLAN products that support not only Wi-Fi but Bluetooth and WANs as well.
At the 802.11 Planet show here last week, Red-M Communications Ltd. introduced Red-Alert, a wireless probe that detects unauthorized 802.11 and Bluetooth signals and runs on the Red-Access box."
What happens when a 'just in time' company loses access to air space? This article at NWFusion takes a look: "During 9/11 and its aftermath, Cisco found itself scrounging wherever it could to come up with spare switches and other equipment to give to customers whose gear was blasted to smithereens in the attacks."
From IDG News Service: "The National Association of Securities Dealers (NASD) informed its roughly 5,300 brokerage firm members Wednesday that they must retain their instant messaging records for at least three years. Under federal law, every securities firm doing business with the U.S. public must be a member of NASD."
'Course they'll need good information harvesting tools to sift through all the "Hey, Thai or Mexican for lunch?" exchanges.
In the most recent issue of the SANS Newsbites (Vol. 5, Num. 24), Marcus Ranum reports: 'In private communications with Stiennon (the Gartner analyst), he offered the shocking fact that - for all that they are hyping IPS - the team at Gartner "doesn't know anyone who is using an IPS in inline mode." That runs utterly contrary to the perception they are trying to create that IPS is the "wave of the future." It just shows that P.T. Barnum underestimated severely when he made his famous assessment of Gartner's customer base. "There's a Gartner Customer born every minute."'
A+B is a law firm that specializes in legal issues pertaining to Information Technology. They've also got a very useful privacy library that addresses both US and International privacy regulations.
"The Federal Trade Commission (FTC) has settled a case with clothing and accessory vendor Guess Inc., in which the agency had accused the company of not taking appropriate measures to secure its Guess.com Web site."
This isn't the first time the FTC has gone after a company for exposing customer data; they also slapped the hands of MSFT for Passport issues and Eli Lilly for shipping out an email containing the email addresses of almost 700 Prozac users. But this case is notable because Guess is a clothes merchant. So anyone collecting personal data on a web site needs to address their security and privacy architectures to avoid similar cases against themselves in the future. It goes without saying that they should be doing this anyway, but if fear of FTC notice gets folks to take the issue more seriously, that's, as Martha would say, "a good thing."
SearchSecurity's article quotes some research, from AFCOM and D&T among others, that seems to indicate that insider threats aren't the biggest worry.
Have to say that surprises me. Having been inside plenty of large corporations and seen where the problems occur, insiders do, indeed, pose a real and substantial threat.
Some reasons for the low report numbers could be attributed to companies' desire to keep internal attacks quiet and unreported. Another contributor? Most organizations are doing more monitoring and forensic work on external attack vectors. If your web site goes down, the whole world knows about it and you're going to do mitigation and investigative work to keep it from happening again. If an employee runs off with some R&D plans and sells them to the competition, the forensic work can be a lot harder to complete.
In other words, I think a lot of internal attacks are 'under the radar' and therefore not hitting survey results like these.
Newsforge weighing in on bandwidth and security issues with XML. This article contains a short, focused review of where SAML and other XML security initiatives are today and what that means for organizations deploying XML/Web Services solutions.
Phil Dowd provides a unique and humorous set of instructions for protecting PCs from theft. About as useful as the old "How do you protect your machine from the Internet?" Answer: don't connect. But a funny read nonetheless.
Dan Blum has a good article on Liberty and SAML (Security Assertion Markup Language) in this week's Network World.
As with any complicated security technology, remember to keep expectations in line with reality. SSO and Identity Management can be powerful support tools for organizations that want to reduce risk. But due to the complexity of most enterprise environments and the emergence of multi-vendor web services offerings, they're far from being 'pop and drop', solve-all-your-problems solutions.
When a technology's complexity is ignored, backlash often occurs. Think PKI, Biometrics, and IDS, just to name a few.
Marty Roesch, CTO of Sourcefire and author of Snort, a highly deployed sniffer/IDS, counterpoints the recent Gartner 'dump your IDS for firewalls' point.
Ellen Messmer takes a practical look at why AES (Advanced Encryption Standard) hasn't been deployed more quickly.
IBM Expands Tivoli Risk Manager Support.
Guess IBM doesn't care if Gartner thinks the market is obsolete...
Yesterday Gartner released an attention-grabbing release that declared in the headline "Intrusion Detection Systems a Market Failure: Money Slated for Intrusion Detection Should Be Invested in Firewalls". The release goes on to say that the market will be obsolete by 2005.
Now there's a bold statement. It comes from the Gartner "Hype Cycle", but could be ID'd as hype in and of itself. What's most interesting to me is that they declare IDS a market failure. Not a technical failure, nor one that doesn't deliver some business value, but a marketing one.
One of the reasons for the failure? "An increased burden on the IS organization by requiring full-time monitoring (24 hours a day, seven days a week, 365 days a year)." Ummm, hold on folks, is Gartner saying that a technology shouldn't be monitoring the network 24/7/365?
There's no question that end-users have been disappointed in the hype v. reality of IDS. False positives, inability to monitor traffic in high-throughput situations, and signature latency issues have plagued the space. But while the market may be shifting, the basic technology of looking for intrusions on the network, host, and applications is still valid.
Whether it will persist as a stand-alone offering, or continue to be embedded in operating systems, switches, routers, and firewalls, is another matter. But to declare the entire market obsolete is more hype than responsible analysis.
On Friday, the DHS (Department of Homeland Security) introduced the National Cyber Security Division (NCSD) to "combat cyberthreats."
The announcement sounds good, but there are some doubts about its effectiveness. The former "Cybersecurity Czar", Richard Clarke, reported directly to Bush. The Cybersecurity Director of this new division, a position that remains unfilled, will report to Tom Ridge, the Secretary of DHS.
I'm waiting to see who the Gov't picks to head the new division. A figurehead or a real leader who can drive the division?
In the past, a sound storage policy meant that systems and critical data could be recovered quickly and easily. The main concerns were the cost and speed of the system. Little thought needed to be given to the security of the storage solution. But that's changing.
Federal regulations like HIPAA, NASD 3010 & 3110 and SEC Rule 17a-4 that directly address the storage of personal information and email communications require that companies take a closer look at the security of their storage infrastructure. Though some of the regulations, like 17a-4, have been around for years, they're being enforced more strictly due to scandals where email communications really mattered, as they did in the case of Enron.
Vendors, seeing an opportunity, have come out with a new segment, CAS (content-addressed storage) and a variety of tools and offerings to help companies comply with the requirements. Which is good news.
But before you go to a vendor to purchase, read through the regulations that affect your company's market segment and go to the vendor with a list of your own requirements. And then shop around. While regulations do affect what information needs to be stored and how, the most basic rule of thumb for storage still holds true: 'don't spend more to protect less.'
Russ Cooper, the Editor of NTBugTraq and "Surgeon General" for TruSecure, weighs in with his detailed comments on the OIS "Security Vulnerability and Response Process." Definitely worth a read.
Back when broccoli was relatively new to many US consumers, circa 1928, E.B. White drew a cartoon for "The New Yorker" that showed a child turning up her nose at the new vegetable with the above tagline.
Speaking at the Gartner Conference this week Jamie Lewis commented, "enterprises should worry more about their intellectual property leaking out through employees or small-time hackers than their entire networks crashing from attacks of organized cyberterrorists."
What do the two things have in common? That companies are still making the same mistakes with their approach to risk management that they have been for years. Focusing on the latest threat: it's cyberterrorists today, but it was the gnarly, evil hacker back in the mid-to-late '90s.
When I was doing audit work, companies used to ask me, and the teams I worked with, to check their firewall for vulnerabilities while ignoring the rest of their overall security framework. Unprotected pcAnywhere access to a desktop through a phone line? Insecure connections to corporate divisions in other countries? Forget about it. It wasn't cool, and many auditees didn't want to hear about the more difficult, and less 'glam', vulnerabilities to their data. "Just check the firewall."
Broccoli isn't spinach, and a company's greatest threat has always come, and still does come, from insiders.
The security research and consulting firm, @Stake, recently released a Security Evaluation of the MS .NET framework and IBM's Websphere as platforms for secure web application development.
The report is favorable towards .NET, giving it the edge over WebSphere, which has a lot of tongues wagging in the security community. One, because the report was reportedly "commissioned by Microsoft" and two, because @Stake started out as vulnerability exposer The L0pht, a team that pledged to prove theoretical vulnerabilities real, especially MS vulnerabilities. For historical reference, The L0pht were the authors of L0phtCrack, a tool that sniffed the network for NTLM (NT LAN Manager) password information and decrypted it.
So is the report skewed? Does MS' payment for the report's work mean that it's tainted? Only @Stake's hairdresser knows for sure. But my interpretation of the report's findings is that .NET is easier to secure, especially for application developers who aren't well versed in security, because it comes out of the box with fewer moving parts and a friendlier development environment. Simply put, it's easier to use and harder to mess up.
But that doesn't mean WebSphere isn't a very valid development platform that can be used to make secure applications, just that it may require more knowledge. Is that a bad thing? Not really; web application developers ought to have knowledge of basic InfoSec in order to write secure apps. That they often don't is a sad reality, though.
So take a look at the report and draw your own conclusions. Any web application developers that want to send me their own feedback on the two platforms are welcome and encouraged to do so.
The Organization for Internet Safety is a coalition that includes @stake, BindView, Caldera International (The SCO Group), Foundstone, Guardent, ISS, Microsoft, NAI, Oracle, SGI, and Symantec and is chartered "to make it easier for security researchers and vendors to work together to fix security vulnerabilities."
So any end-user or vendor that has an interest in how application, network and server vulnerabilities are reported to the media and public at large, and even to products such as IDS and Security Information Management (SIM) Event Correlation Tools, among others, would do well to keep abreast of the group's progress.
Specifically, the Organization just released their DRAFT of a Security Vulnerability Reporting and Response Process with a request for comments. Head on over to the site and take a read through; if you've got something to say, contact the OIS at: draft-feedback@oisafety.org.
Here's your chance to have a say on the process that the above vendors use to report vulnerabilities. If you care about this subject, take action and have your voice heard.
More woes for Intel's Centrino with VPNs. Originally, reports were that using Centrino with only the Nortel VPN caused a Blue Screen of Death on Windows clients. But it appears the problem may be even larger and affect VPNs from other vendors as well.
Intel's recommendation is for users to disable the Adapter Switching Feature - that's the one that supports automatic roaming between hotspots.
Hmmmm, interesting advice from a company that claims Centrino was "built from the ground up for mobility".
Tom Clancy quoted the above from Louis Pasteur in what eWeek writer Dennis Fisher termed "a rambling and somewhat odd keynote speech at the Gartner IT Security Expo".
I wasn't at the talk, so I can't comment on whether it was rambling or not, but the basic thought sounds right to me. For IT, get people who are smart and know things outside of just their technical discipline. This holds true especially in the security field.
Why? Well, in security it's because you're dealing with a lot more than bits and bytes. That's not to say that knowing the technical side isn't a prerequisite, it definitely is, but it's often not enough. More than a few times I've been asked to hire people with all the right certifications and college degrees who just didn't seem to 'get' INFOSEC despite their training. They were terrific on tasks they'd been specifically trained to complete, but got low marks on extrapolation and the ability to acquire new skills.
That's not to say anyone with a certificate doesn't know what they're doing, it's a reminder that the certificate may not tell the whole story. Here's what I look for when hiring a security professional:
1. Technical experience with the products or systems to be managed or installed
2. Solid networking or application development knowledge (depending on what they're being hired to secure)
3. Technical security specific training or experience
4. Ability to learn new things - security's changing all the time, security professionals have to stay up to date
5. A passion for security technology and solutions - if someone's passionate about security they'll be educating themselves constantly
6. Very strong people skills - because much of security depends on 'the other half of the equation', the people using and trying to attack the systems
7. Ability to communicate technical and security concepts to the lay person - the jargon heavy 'dolphin speakers' get tuned out by users and management alike
8. Common sense - The most secure technology in the world isn't going to be worth a hill of beans if users don't use it properly. Security admins that force end-users to select 'strong' passwords and change them every thirty days may be following best practices but I'll bet you a lot of their users are following their own best practices and putting sticky notes with those 'strong passwords' up on their monitors
9. Business sense - security is about keeping the business running and profitable, it's not about installing the latest or coolest technology or spending more to protect less
10. A prepared mind - scary things happen in the world of security IT, and being ready for them, by having the skills mentioned above, means being prepared to handle them with grace, elegance, and maximum efficiency.
And at the end of the day, IT security is really about risk management and being prepared for the inevitable failures, attacks, and curveballs. Look beyond just certifications for that preparedness, the certs help, but they aren't the only requirement.
While most WLAN switch vendors, such as Aruba, Symbol, and Trapeze, are going directly after the WLAN market, Cisco has announced WLAN management features for their existing switching products.
Sounds great, especially for enterprises already invested in Cisco switch solutions. But hold on, there's a bit more to the story. The Cisco WLAN switch works with 'more intelligent' versions of the Cisco Aironet AP. What about companies that have already invested in other manufacturers' APs? Or that want to use a heterogeneous mix of thin APs in their WLAN?
The Cisco solution looks like something Cisco-heavy shops might want to explore. But if you want to keep your AP options open and flexible, investigate the AP-neutral switch vendors and think twice before selecting a solution that locks you into only one vendor's AP offering.
The always readable Ellen Messmer reports on ISS' 'virtual patching' this week.
The idea here is that the ISS tool will combine functionality from their scanner and IDS product to look for and mitigate risks from known vulnerabilities whether the target system is patched or not.
It's a very interesting idea but let's see how it plays out when it's delivered. It's a tall order for ISS. There's a risk of a false sense of security, "we don't need to patch we have ISS!" It remains to be seen if a scanner and IDS product can really replace the need for patching the target systems.
Overall I've got reservations about this. IDS systems can be overloaded and miss intrusions/vulnerabilities if hackers design the attacks cleverly. On the other hand, never say never. It'll be a good technology to keep an eye on when ISS releases it next month.
An eWeek article that takes a look at what Sarbanes-Oxley means to companies. "Of particular interest is Section 404 of Sarbanes-Oxley, which requires companies to perform a self-assessment of risks for business processes that affect financial reporting."
The take away here is that though there are companies that provide tools to facilitate reporting for compliance, the general need for organizations to have solid, coherent reporting in place goes beyond the act. This is about making companies responsible for their reporting and risk management, which is something all companies should be doing anyhow.
The gov't is now on the hook to make sure they spell out compliance requirements clearly so that organizations can comply.