March 18, 2010

The frustrations of mass-market, web-based services: Hotmail is the poster child

I know we dribble all over ourselves about the cloud and web-based services. Isn’t it grand to be able to access stuff anywhere, anytime? But there is a deep, dark side to the web-based world we are living in, and it shows itself when something goes wrong.

We have all probably dealt with this one way or another. These web-based services are built to scale to millions, tens of millions and more users. When they work they are great; when they don’t, though, God help you. Try getting support from Microsoft Hotmail, Yahoo, Google, Facebook or any of their brethren.

I first ran into this when my blog was hacked a few years back. I was locked out of my TypePad, GoDaddy, Hotmail and Yahoo accounts and couldn’t get anyone there to do a damn thing about it following their usual support procedures.

Finally I had to resort to calling people I knew at each of these companies to get my problem resolved. But the average person would be up the creek.

That was a few years ago, but it is no better today. Today I experienced a similar story with Hotmail. I use Hotmail for my personal mail and my The CISO Group mail for business. I get a ton of email on Hotmail, though. I noticed that I had not received anything since early this morning. That is very unusual due to all of the Google alerts and other notices I receive in Hotmail.

Both my iPhone and Outlook showed I was connected to Hotmail; there was just no new mail. I logged into Windows Live and it showed the same thing. I sent an email from my CISO Group mailbox to my Hotmail box and it never made it there. I then sent a Hotmail mail to my CISO Group mailbox and it came through in a matter of seconds.

So the problem seems to be that I can send and receive mail sent from within my Hotmail account, but can’t receive anything from outside of it. That is a problem. I get withdrawals without my email.

I logged into Hotmail help and followed the link to support. That is when I knew that something was very wrong. It took like 2 or 3 tries to pull up live support. When I did, it took a few minutes for the page to load. Other web sites are running fine. Obviously there is something rotten in Denmark with Hotmail today.

Do you think someone there has the sense to post something and let people know? Of course not. Is there any way of contacting anyone? Of course not. Is this acceptable service? OF COURSE NOT!

So now I have to go through my contacts and call someone from Microsoft who might know someone from Hotmail. I may get lucky or I may just have to wait until they figure out what is wrong and do something about it.

In the meantime, mass-market, cloud-based services will never win until uptime issues like this are addressed and a better level of support is in place!

March 17, 2010

Cloud Computing Killed the 3rd Reich

I was all set to write a blog article today on the new Cisco switches and borderless networking heralding a new age of true convergence. But that post has been interrupted and will be written another day. While I was digging around on the subject I ran into this video by Marcus Ranum and Gunnar Peterson. It is yet another “Hitler finds out” one.

This is what happens when Hitler finds out about a security incident in the cloud affecting the 3rd Reich’s data. You will love this:

Great work guys!

March 14, 2010

Don’t tell me Facebook is serious about security


Yeah, yeah, I know they signed a deal with McAfee. BFD. Facebook is not serious about security. If they were, they would do something about all of the phishing, spam and misleading, questionable ads they are getting paid to run.

How many of you have clicked on ads on the right margin of your wall? How many of those have wanted you to install a “toolbar”? How many are scams? Facebook will take money from anyone, regardless of what they are trying to foist on their precious members.

But here is why I really know Facebook doesn’t give a rat’s ass about the security of their members. A childhood friend of mine had his account compromised months ago. Since then my friend has changed his password lots of times, and he has opened and closed his account several times. In spite of this, everyone who is friends with this person is still receiving messages and wall-to-wall posts several times a day with links to malware-infested sites purporting to be YouTube or something else. You know the type, with the word LOL or “you have got to see this”.

Of course I know better than to click on these links, but I know several other mutual friends who have and have had to spend money and time cleaning their machines out as a result.

I have reported this to Facebook 6 times or more. I have reported the messages as spam probably 50 times or more. I have walked my friend through reporting it to Facebook numerous times.

What has Facebook done? Not a frigging thing. They refer you to some canned FAQ with things you might be able to do. The result is that probably half of my friend’s friends have dropped him as a friend. It’s easier than dealing with the spam and phishing BS.

Facebook won’t get serious about security until it hits them in the pocketbook. What they don’t realize is that it already has. They may just be killing the goose that lays the golden eggs.

Twitter, on the other hand, seems to be really starting to crack down on the Twitter spam and rogue accounts. Good for them; #FAIL on Facebook.


March 12, 2010

If the security industry cannot give you 100% protection, is it a #FAIL?

That seems to be what Robert McMillan is saying over on ComputerWorld. His article “Update: Security industry faces attacks it cannot stop” states that “despite billions of dollars in security spending, it's still surprisingly hard to keep corporate networks safe.” Fresh off RSA, McMillan laments that botnets like Mariposa and attack types such as APT (I know you are sick of hearing that term already) make the security industry powerless to protect our networks and information.

He goes on to say that endpoint anti-malware is just not capable of providing blanket, complete protection, and frankly neither is anything else.

So does this mean that as an industry we have failed? I say no! 100% security is a pipe dream. If anyone is seriously telling you that their product or service can deliver that, they are a snake oil salesman. If you as a security exec or administrator are trying to architect that, you are doing a disservice to yourself and your organization.

Security is about managing risk. You can never eliminate the risk; you can just make it less likely to occur. But doing that is more than just throwing dollars and the latest fancy anti-APT stuff at it (now there is a new category of security devices waiting to happen).

Good security is about having processes and procedures in place. Among those should be incident response. Part of good security is planning for a breach or incident. You cannot stop everything; it is going to happen. As important as trying to stop an incident is how you handle it when an incident occurs.

Maybe if we gave as much thought and put as many resources into incident response as we do into trying to build a “bullet-proof” shield, we would have an overall better security profile and not feel like a failure every time an incident occurred.


March 09, 2010

For Forescout it’s about the profits, not the product, Bryan

A few weeks ago I took exception to the usual pre-RSA press releases touting “another record-breaking year” by several NAC vendors. First I called out one of my favorite whipping boys (there, I admit it), Forescout, and then I did the same with Bradford Networks.

My reasons for this were several. First of all, private companies touting record revenues without actually giving numbers is meaningless hyperbole or, even worse, BS. Secondly, in today’s economic conditions, it’s the bottom line that counts, baby. If you are not profitable, people are going to question your viability. That isn’t my rule; that is the way of the world. Nowhere in either of the two releases I called out was there a hint of the word profitability. Therefore, I have to assume neither is profitable. That is an important yardstick when, even on orders for a few thousand dollars, customers are asking for vendors’ financials.

Further, in a market that the analysts are unanimous in saying shrunk this past year, the fact that both of these companies grew by roughly the same large number of customers is just a little stinky, don’t ya think?

But let me be clear. It has nothing to do with whether or not the products are any good. In fact, I think Forescout has made a ton of progress over the last two years in improving the product. I also like the direction that Bradford is taking, away from a pure NAC message. I was strictly speaking about stupid marketing tricks and how they make the company look foolish.

However, it seems to have set off a bit of a comment war. Eric Irvin, who is a regular reader of my blog, made a few comments and now Bryan Marlatt, Director of Engineering at Forescout, has responded. Rather than leave these excellent comments to the sideshow of comments on old posts, I thought I would give them both the bright lights of center stage along with my response. So here are the comments in question:

Eric Irvin· 2 weeks ago

I think the big problem with Forescout is a lack of market identity and swagger. When I was shopping NAC for a very large health organization, we met with Forescout, Symantec, and a few others. There was nothing that really sold us on their SEs and sales guys really being passionate about their product, or feeling they were the market leader that could do x, y, and z better than anyone else. In the end, you want a product that works and isn't that expensive. We never found out if it worked or not, because we were unsure if they would still be in business in a year or two. The NAC providers change so much from year to year; when you see depressed sales people, either the company is tanking, or a merger is being worked out, from my experience. :)


alan shimel 2 weeks ago

Eric, you are right, passion on the part of sales people and other employees is usually a good indicator of what is going on. Forescout is not the only company guilty of this. I do know they have had some changes at sales and other personnel. The NAC market remains very liquid. Thanks for commenting!

Bryan Marlatt· 3 hours ago

While I enjoy reading Alan's blog, I find it always to be a bashing towards ForeScout. I find it interesting that you feel the need to beat up ForeScout just because your past employer's product is failing in the NAC market. I have enjoyed speaking with you in the ATL airport and at past conferences. I think we've had some good conversations. I think it would be more beneficial for you to have discussions about competing products and not just try to crush them.
In regards to Eric's message above, I'll have you and your readers know that I was the engineer that presented to Eric and his team. I found it odd to read Eric's message above when he quickly invited me to connect with him on LinkedIn after the conversation we had. I'm one of the biggest proponents of the ForeScout CounterACT NAC solution. While I feel it important to explain the major differences between CounterACT and the competition in the NAC market, I don't feel the importance of 'bashing' the competition. I think CounterACT stands on its own merits.
I think it says something that every other vendor out there is working to push customers away from ForeScout. ForeScout has a product to be reckoned with and I think our competitors feel the pain when losing so often to ForeScout. I welcome any conversation you wish to have with me or ForeScout to "DISCUSS" the CounterACT NAC solution.
Bryan Marlatt
Director of Engineering
bmarlatt@forescout.com
404-242-0144

Eric Irvin· 3 hours ago

Bryan, you are right, I was excited to meet with you, and I think you are an excellent resource for ForeScout. I still stand by my words: I never felt the swagger and general excitement about how ForeScout approached NAC. In comparison to some of the other vendors we observed, Symantec and Cisco specifically, ForeScout brought more to the table in terms of the technology working without requiring a huge investment in software deployment or hardware repurchasing. The hard sell for us was that our senior leadership was nervous about NAC. NAC has a bad reputation for causing more problems than it solves. If you recall our conversation, Bryan, you will remember I told you this. NAC also has a black eye because each year the Gartner report on NAC loses a handful of companies and gains a few more.
Also, to be fair, one of the biggest reasons I felt this way was because we also got the impression that Bryan was an army of one. I hope you take that as a compliment more than anything. When you see the Director of Engineering selling you the product, and you hear most of your engineering-related problems would be solved by the DoE, you are excited about the attention, but you also wonder if the Director is the team.
That said, I think Bryan may have a point... Alan should consider interviewing Bryan on the blog, and give him his chance to address the direction of ForeScout, and their future plans.

So Bryan, you raise some points and let me respond. I can’t talk for Eric, though, and will let his comments stand on their own.

Bryan, I don’t beat up Forescout because my former employer’s product is failing in the NAC market. I don’t know if it is failing, first of all. But I have been beating up Forescout for a long time :-) But as I said earlier, it is not the product (or the director of engineering) I have a problem with. It is the sleazy marketing schtick that I have called out again and again over the years that I bash.

I don’t want to crush a competitor’s product. First of all, I am not a competitor. Second of all, as I have written, I am not a big fan of stand-alone NAC companies at this point. I think, as Gartner has been saying for years, it is increasingly difficult for a stand-alone NAC vendor like Forescout, or StillSecure for that matter, to compete with Cisco, Juniper, Symantec, McAfee, Microsoft and the rest who are bundling NAC with their product lines. That is why most of the NAC companies have been changing the message to say they are more than NAC.

Bryan, I admire your pride and passion for your company. So let me break this to you gently. There are tons of deals that are going to Cisco and Symantec that you are never even in the game on. Eric is referring to this when he talks about the execs in his company being nervous. Forescout not being profitable is a reason for nervousness today. Nothing against the product itself; it’s the financials.

As to bashing competitors, Bryan, I am not blaming you, but you know as well as I do that certain sales team members at Forescout used to dedicate major portions of their PowerPoint slides to bashing the competition. I have seen the slides, so let’s not go there.

I would be happy to have you on a podcast in the future if you would like to talk about NAC. Make sure it is OK with Gord and the crew and let me know.

Eric, as usual you make some excellent points. I can understand the attitude towards choosing a NAC and, if you do, going with a bigger company. Thanks for reading the blog and being a fan!


March 04, 2010

They're all winners, the Social Security Blogger Awards

Last night’s 4th annual Security Bloggers Meetup was perhaps the best yet. There was a real feeling of community from so many of us who communicate all year, but only see each other at RSA or a few other shows. My fellow organizing committee members, Jennifer Leggio, Sonya Caprio, Rich Mogull and Martin McKeay, have gotten putting together this event down to a science. But there is one other committee member who tends to stay in the background, without whom none of this would be possible. Jeanne Friedman of the RSA Conference is a key person not only in the Security Bloggers Meetup, but in so much of what we all experience at RSA every year. Besides always being there to sponsor our event, Jeanne just does so much more.

I am going to be announcing the winners of our Social Security Blogger Awards a little later in this post. But I am really lucky to be associated with such great people who make this event what it is every year. They are the real winners! Thanks so much to all of them, especially Jeanne!

Now onto the show. This year’s Social Security Blogger Awards were very close to the original idea I had for them two years ago: not to be too self-aggrandizing, but to recognize some of the incredible talent that blogs and podcasts on security. The list of finalists as picked by our blue ribbon panel of judges was incredible. Any one of the nominated blogs and podcasts would have been a worthy winner.

Our own community picked the eventual winners, though. So just one more time before declaring the blogs and podcasts picked, let me say again: every blog and podcast nominated was a winner. Congratulations on making the finals, and keep blogging and podcasting!

The winners of the Social Security Bloggers Awards:

Best Technical Security Blog - The SANS Internet Storm Center Blog

Best Non-technical Security Blog - Krebs on Security by Brian Krebs

Best Podcast - Pauldotcom

Best Corporate Blog - Jeremiah Grossman, White Hat Security

Most Entertaining Security Blog - Rational Survivability by Chris Hoff

Congrats to all of you. The entire security community benefits from your commentary and thought leadership!

I want to give a special thank you to Bill Brenner, Mike Fratto, Kelly Jackson-Higgins and Larry Walsh for serving as judges. Also a huge thank you to Kevin Riggins of infosecramblings and Joe Franscella of Trainor Communications for all of their help in serving on the awards committee.

We will start planning next year’s meetup and awards shortly. I would love to hear your ideas on what we can do to make it even better!


March 03, 2010

RSA beyond the bag

I was speaking to Adrian Lane of Securosis last night about the comment I made on their blog last week. I said, “Does anyone expect to see a real live demo on the floor of RSA?”

Is there anything beyond the great bag you get when registering? Yeah, it sure is packed full of paper, tchotchkes, and CDs. Does anyone read that stuff? Do you? What is the real value of RSA to you?

The RSA show is a great event. It truly is where the security industry gathers. But does anyone actually look at demos on the floor anymore? Are we just so used to seeing paid magicians, booth babes (yeah, they are here in force this year) and canned PowerPoints? Do we really want to see products working here? Hell, I am not sure we really see if products are working even when we buy them.

But does that mean RSA is without value? Of course not. It is a great networking event and business development orgy. On top of that, if you don’t show up here, people ask why. Did they not have enough money for a booth? Are there other problems there? Many companies spend their precious marketing dollars on the booths, the giveaways and all that is involved in bringing a team here for the show. But would they be better off keeping their powder dry?

The answer is that you have to understand what your goals for attending RSA are. Based upon that, you then need to figure out what resources are going to be required to achieve those goals. If lead generation is what you are after, frankly there may be more efficient ways of filling the funnel with leads. If branding and “being seen” are goals, there is not a better venue. If channel and partnerships, M&A and business development are on the agenda, RSA may very well be nirvana.

But if you have not figured out what is important before you jump in here, you are probably wasting money and time. I see, and unfortunately have been involved with, companies that didn’t learn this lesson. Bringing down bloated amounts of personnel and signing up for a booth beyond their means and needs just screams mismatch between goals, resources and methods. Don’t make that mistake. Dig in beyond the bag at RSA.

March 02, 2010

AT&T useless in San Francisco

Here at the RSA show. Now I remember why I look forward to this show every year. But I have to say that AT&T positively sucks here in San Francisco. It is near impossible outside of the Moscone Center to get a phone call to connect. It is even impossible to send a text message. WTF?

I am surprised there are not more people using their iPhones as bricks and throwing them right through the window of every AT&T store in the city!

February 26, 2010

Pre-RSA clean up

My bags are packed and getting ready to go. But before I do I wanted to mention a few things:

1. There are still two days to vote for the Social Security Bloggers Awards. If you blog or podcast go to: http://www.zoomerang.com/Survey/?p=WEB22A8BWJVVAE

2. My schedule is packed for RSA. But I am sure I will wind up with some free time, so if you see me be sure to say hi, but I apologize if I don’t have a lot of time to chat.

3. I will try to blog while I am out in San Fran, but with so much on my plate, don’t be surprised if you don’t see anything from me.

I think it is going to be a great RSA show this year. Hope to see you there!

February 24, 2010

The dumb phish award goes to … we have a tie

I just couldn’t decide who to give my dumb phish award to this time. I had two that were equally dumb. The first is my French PayPal friends. If I could only understand French, I might think they really do need me to log on and give them my info. Dude, you want to phish me, the bait should be in the right language at least!


Warning Notification


Dear PayPal Customer,

It has been brought to our attention that your PayPal ® account must be updated as part of our continuing commitment to protect your account and to reduce cases of fraud on our web site. If you could please take 5-10 minutes out of your online experience and update your personal records, you will not encounter problems with the online service in future.

Once you have updated your account records, your PayPal ® account activity will not be interrupted and will continue as usual.

Click here to update your PayPal account information

Copyright © 1999-2010 PayPal. All rights reserved.
Information about FDIC pass-through insurance

Tied for this award were these fake AV guys who were telling me that I had registry problems that needed to be repaired immediately:

Of course this came up while I was on a Mac! Dude, you want to phish me, the bait should be for the right OS at least!

A new blogger for the SBN and Security.exe

The final member of The CISO Group who up till now has not blogged has joined the blogosphere. My partner and friend Bobby Dominguez has posted the first post on his own personal blog, DrekkinVorn. It is an Icelandic word having something to do with dragons, but you will have to google it to find out more.

Bobby is the CISO at The CISO Group. He has been a CISO at a few different companies that you have probably heard of. Bobby has also been a finalist for SC Magazine’s CSO of the year award for two years running. He has a lot to say and I think the blogosphere will be enriched with his voice added.

His first post is also cross-posted to the security.exe blog. In the future, he will be posting to both.

Welcome Bobby and be sure to follow his writings, I guarantee you will learn something.

February 23, 2010

I guess with NAC, someone is sneaking it in?

So now Bradford Networks has joined Forescout in putting out the pre-RSA “what a great year” press release. Again, without giving specific numbers, Bradford claims 30% revenue growth year over year. They also claim to have added “more than 150” new customers.

Do you think that has anything to do with the fact that Forescout said they added exactly 150 new customers last year? Is it a case of mine is bigger than yours in the NAC space?

What I find really puzzling is that when you speak to the analysts, it was a rather flat year for NAC, especially for the stand-alone appliances that Bradford and Forescout sell. So with both of them claiming record numbers, without giving out actual numbers, what should we believe?

Is someone sneaking NAC into the network and not telling us? Are we seeing NAC hype? Unheard of, I know. But what the hay, it gives me a chance to write about NAC a little bit, so what is a few record years among friends?

Secure Passage, creating a community based on open standards

One of the areas in security that I follow is the security device management space. There are two great companies that lead the way and neither one is one of the “usual suspects”. One is Tufin Technologies and the other is Secure Passage. Both are led by great teams and both have been making great strides in their evolving product lineups. Starting as “enterprise firewall managers”, security device management is branching out into managing all sorts of different types of security and network devices.

Secure Passage just entered into a great deal with F5 to manage F5 infrastructure. Though best known for their load balancing, F5 has migrated to offering more security, especially to their data center customer base. Having deep bi-directional integration with the Secure Passage management platform is a boon to any security and network manager’s life.

When I call it the Secure Passage platform, I mean it. Today, Secure Passage launched their Firemon Nexus community. I spoke to Jody Brazil, CTO and President of Secure Passage, about this yesterday.

A few years back it became evident to Jody that his customers wanted to get at all of the valuable information that Secure Passage was gathering as part of its management function. Opening up the data to the customers in the ways and forms they wanted led to a re-engineering of the Firemon product. Jody’s team developed and published open, standard APIs that let their customers easily access Firemon data in a variety of ways.

Everything from simple scripts to database queries and more could be accomplished using these APIs. What the customers and Firemon were developing were called extensions. The idea behind the extensions is that they are open and free.

Now, with the Firemon Nexus community, Jody and team have set up a clearing house and repository for Firemon extensions that all can share. It really is a great idea to extend the functionality of the product and create a community of Firemon users. You can access the Nexus community at http://nexus.securepassage.com


Borrowing from the open source community model to leverage their existing business and customers is just one more example of how companies like Secure Passage are continuing to push the envelope.

February 22, 2010

Only one week left to vote for the Social Security Blogger Awards!

The bags are almost packed, the schedule is just about full. I couldn't fit another press briefing or even a martini in anywhere (OK, maybe another martini. There is always room for one more.) You are probably making final plans for RSA 2010 as well. Have you voted for the Social Security Blogger Awards yet? If you blog or podcast about security, you are eligible to vote. The one catch is you must register with your valid email and blog URL. If you are already a member of the Security Bloggers Network, you are in.

There is only one week left to vote. Voting will close next Monday morning. The lineup of blogs nominated as finalists is very impressive, a who's who of security blogging. The full list is below. Right now all of the races are very close, so your vote could decide the winner! Log on to http://www.zoomerang.com/Survey/?p=WEB22A8BWJVVAE and cast your vote. It is your right and responsibility!

See you at RSA in one week!


Best Technical Security Blog

SANS Internet Storm Center

Evil Bytes by John Sawyer

Praetorian Prefect

Darknet.org

Frequency X ISS blog

Best Non-Technical Security Blog

Security Uncorked

Schneier on Security

Krebs on Security

ThreatPost

TaoSecurity

Best Security Podcast

PaulDotCom

SANS ISC Stormcast

An Information Security Place

CSO Security Insights

Security Catalyst

Best Corporate Security Blog

Jeremiah Grossman (White Hat Security)

Sophos Graham Cluley Blog

Microsoft Security Response Center

FortiGuard Blog

Cisco Security Blog

Most Entertaining Security Blog

Rational Survivability by Chris Hoff

Security Incite by Mike Rothman

Uncommon Sense Security by Jack Daniel

SecBarbie by Erin Jacobs

Emergent Chaos by Adam Shostack and ensemble

Why aren’t we screaming bloody murder?

What if I told you that I had a survey commissioned by a reputable company in your local community? The results from a sizable sample showed that 100% of the homes in your community were broken into last year. The average loss per break-in was $20,000. What would you think? What would you do?

Chances are you wouldn’t be sitting on your duff. You would be screaming bloody murder that something needs to be done about it. Hire more police, install alarm systems, give people guns. Something, anything to get this nightmare under control.

This is exactly the situation facing the security market according to the 2010 State of Enterprise Security report by Symantec. 100% of the respondents reported experiencing cyber losses. The average cost of these cyber losses was $2 million! Think about that: 100% had cyber losses and the loss averaged two million dollars.


It boggles the mind why there is not a huge public outcry over this fact. Yet one of the biggest issues facing the respondents was a lack of resources. I had a chance to speak with Maureen Kelly, senior director of product marketing and a chief of staff over at Symantec, about the results in the report.

Once again IT security was listed as the highest priority in IT departments. Security budgets were up, but overall resource constraints were a major problem. Guys, security is IT’s version of the New Year’s resolution: lots of talk and no action. We talk about priorities every year and the next year we say the same thing. But year to year the metrics seem to get worse.

When are we going to scream bloody murder? When are we going to finally get serious about security? If these kinds of numbers don’t wake you up, what will?

The Symantec study covered 2,100 companies responding from around the world. The size of the companies in the report was also spread among small, medium and large organizations. They have lots of great metrics and responses. If you get a chance, you should really download it and take a look.

But more importantly, think about what you can do to make sure that in future surveys at least not every single company will suffer from cyber loss.

February 20, 2010

The road to perdition is paved with good intentions

So Captain Privacy, my friend Martin McKeay, has reacted with the expected outrage over the disclosure that a school district in Pennsylvania had installed “spying” software (not spyware, mind you, spying software) on some school-issued laptops. I won’t bore us all with a recap of what the Lower Merion School District did. You can read the summaries of it here and here, if you have not already heard the facts.

Let me start off by saying that using the spying software for anything other than the legitimate use of tracking down a stolen or lost laptop is wrong! If anyone were to do that, especially without notice to an innocent party, let alone a minor, they are guilty of abuse of power.

But before we go off and castrate the school officials involved, or agree with Martin that those “. . . who instigated and ran this program need to lose their jobs; they obviously don’t have enough of a moral compass to understand the difference between right and wrong and have no right to be working with children and teaching the next generation,” let’s consider a few things.

The people who thought of installing this software may not even be the people who used it. It was a perfectly reasonable assumption they made in any event: in case the laptops were stolen or lost, wouldn’t it be great to be able to find out where they are?

The idea of “spying” on kids when the laptops weren’t stolen was probably just not given a lot of thought. As one of the first school districts to give out laptops to all the children, there was no “book” for them to follow. They were kind of making it up as they went.

Yes this program left open the possibility of abuse in the wrong hands. We would think that school officials would be sensitive to the rights and privacy of minors. We also trust police officers not to violate the rights of the criminals. We trust soldiers not to torture POWs. Sometimes that trust is misplaced. Sometimes people disappoint us when we have trusted them.

The thing about this case though is that much of Martin’s hand wringing is over what could have happened, not the one incident of what did happen. Do we now live in the world of “Minority Report”, where the thought police are going to prosecute people over their thoughts, or worse yet over “what could have happened”?

As much as I don’t want to give up my privacy, I don’t want any thought police or prosecutions over what could have been. Martin and the mob have jumped to worst case scenarios without knowing who these people are, what safeguards may have been in place or anything else.

At the end of the day, anti-theft measures for school owned property are a good thing. This program did not seem to have the proper checks and balances in place to prevent the potential abuse, which might have occurred but did not necessarily occur.

Other school districts should learn from it, but should not be dissuaded from handing out laptops to kids or installing anti-theft technology. I am glad Martin’s kids don’t need to take any computers home. But I assure you that there are millions of kids in the country who do!


February 19, 2010

Adobe the new Microsoft?

The simple black dress never goes out of style. Or so my wife tells me every time she buys another one. The same is true for scapegoats in security. This year’s whipping boy is Adobe. ScanSafe just came out with their yearly report (it seems it is yearly report season, but that is better than the yearly “I had another record year but won’t tell you the real numbers” press release season), and it seems a whopping 80% of web exploits involved the vulnerable, if not venerable, PDF file courtesy of Adobe.

Whoa! That is impressive. I am sure many of us are just shaking our heads wondering what could Adobe be doing to improve this.

Microsoft can empathize, I am sure. It used to be Windows and Office that were posting those kinds of numbers (OK, not web exploits, but attack vectors). Now it seems exploiting the Microsoft products has either gotten so much harder or is just not profitable enough compared to Adobe.

In any event I am looking for Adobe’s “Trustworthy Computing” initiative to kick off any day now. Until then I don’t think using PDFs is such a great idea.

InfoSec Institute buys Intense School assets

This blog has become something of a clearinghouse regarding Vigilar’s going out of business and the Intense School tragedy.  I am happy to report some good news today.

Jack Koziol of the InfoSec Institute wrote me to report that InfoSec Institute has purchased the assets of the Intense School. A notice on the Vigilar site is up confirming this as well.

Jack assures me and the notice on site verifies that most of the Intense School teachers have been retained as well as the courseware and other methods, assets and IP of the Intense School.

This is certainly a happy ending to a crappy story for many of the students and teachers at Intense School.  InfoSec Institute has a great reputation.  Here is wishing them luck in continuing some of the great training that Intense School provided.

I would be interested to hear from students of the old/new program as to what their experience is.


February 17, 2010

What's missing? Profitability

Forescout released its annual “things are great, another record setting year” release today. Just in time for RSA and the press briefings they have scheduled, I am sure. I have written about this kind of thing in the past.

To be fair, Forescout talked about how many new customers they added (they claim 150), about how big Frost and Sullivan says the NAC market will be in 2015 ($295M. What a fall from the billion dollar market called for by 2011) and that they are second to Cisco in the market (highly debatable). But no mention of record revenues.

But what is the most important thing not mentioned? Profits. Revenue is great, but when you are a 12 year old company, profitability is kind of required. Gord, if you really want to impress me, announce that you have achieved profitability and are not burning money every month.

February 16, 2010

Brocade-McAfee: Me Too or True Love?

Brocade today announced that they have entered into a “strategic relationship” with McAfee. The announcement calls for joint development by both companies to make McAfee’s ePO work with Brocade’s network management tool. There will also be further interoperability between McAfee firewalls, NAC and other network products with Brocade/Foundry’s entire campus line up.

To be perfectly frank, my first reaction was “so what.” This is hardly McAfee’s first “strategic relationship” with a network infrastructure provider; previous announcements with HP and Extreme are prime examples. In fact McAfee has made a bit of a reputation over the last two years of announcing strategic relationships that, with hindsight, seem more like dressing CEO Dave DeWalt in a purple dinosaur suit.

So I asked the Brocade folks why this was different. Did McAfee just tell them “me love you long time” and whisper some other sweet nothings in their ear? I was told no, absolutely not. There is actual money and resources that both sides have pledged as skin in the game for this one. From high to low, there are multiple points of contact in both organizations that are tasked with making this a success. They are going to make the ePO integration work.

All of this sounds fine and dandy. Frankly, I have heard the same things before. The HP ProCurve folks swallowed the same thing. My friends from Extreme Networks were telling me the same things when that deal was announced. Well, HP ProCurve went out and bought 3Com and TippingPoint. There went that McAfee strategic deal. Having my own experience with Extreme’s sales channel, I don’t think that deal is on fire either.

Frankly, unless you believe the sweet nothings McAfee is whispering to Brocade here, why should this one be different? But there are other factors to look at here.

From Brocade’s point of view, their research has convinced them that security has become a primary deciding factor in network infrastructure purchases. If they are going to compete with HP, Juniper and Cisco (whose own security strategy seems adrift recently), they need a strong story on security. Historically, Foundry/Brocade has been a Switzerland when it came to security. They were big supporters of open standards and worked with any security company that supported those same standards. They now realize that this is not a winning strategy. Brocade has to put a stake in the ground if they are going to compete with HP, Juniper and the rest. Brocade is a monster of a company. They have the whole enchilada in terms of infrastructure, and the security story is a big hole for them.

McAfee, on the other hand, also has real reason to try and make this work. The HP ProCurve story is shot; TippingPoint being the “in house” brand there puts a huge damper on that. Extreme Networks is frankly something of a shambles. Their CEO just left, the numbers are down and they probably need to find a buyer. In the meantime Cisco, Juniper and IBM are breathing down their neck in network security. AV may still be a cash cow, but the days of charging for that are drawing to a close. It is not just Symantec that they have to worry about anymore. They need a big brother to give them the muscle in the datacenter and the entire campus LAN/WAN.

So it is for these reasons that I think McAfee/Brocade may just have to make this work or else. In fact, I think this could be “the start of a beautiful friendship”. It may even be that Dave DeWalt has found his buyer for McAfee. Brocade will be ready to do battle with Cisco, Juniper, HP and the rest having a major security player as their in house brand.


February 10, 2010

Vote for the Social Security Blogger Awards

It is time to vote for the winners of the 2010 Social Security Bloggers Awards! In my last post I announced the finalists as selected by our blue ribbon panel of judges. In just a few short weeks the security world will be gathering in San Francisco for this year’s RSA conference. At the annual security bloggers meet up we will announce who has been chosen by their peers as the best of the best in security blogging and podcasting.

As I have said before, the voting for the actual winners will be done by members of the Security Bloggers Network. An email with instructions has already gone out to many members of the SBN. But we don't have a master list of all the authors of the blogs in the SBN. So if you are an SBN member you can go to http://www.zoomerang.com/Survey/?p=WEB22A8BWJVVAE and vote. Just a caution: it is one vote per member blog. In order for your vote to count, you are going to have to put in your name, email and blog URL. The results will be checked by hand, so don't even bother trying to game the system.

If you are a security blogger, but have not yet joined the SBN you can still vote and become an SBN member at the same time. Go to the above link, vote for your winners and be sure to put your blog URL and email in. We will verify your blog before accepting your vote and add it to the SBN blog roll at the same time.

So be sure to vote and good luck to the finalists!

Best Technical Security Blog

SANS Internet Storm Center

Evil Bytes by John Sawyer

Praetorian Prefect

Darknet.org

Frequency X ISS blog

Best Non-Technical Security Blog

Security Uncorked

Schneier on Security

Krebs on Security

ThreatPost

TaoSecurity

Best Security Podcast

PaulDotCom

SANS ISC Stormcast

An Information Security Place

CSO Security Insights

Security Catalyst

Best Corporate Security Blog

JEREMIAH GROSSMAN (White Hat Security)

SOPHOS GRAHAM CLULEY BLOG

MICROSOFT SECURITY RESPONSE CENTER

FORTIGUARD BLOG

CISCO SECURITY BLOG

Most Entertaining Security Blog

Rational Survivability by Chris Hoff

Security Incite by Mike Rothman

Uncommon Sense Security by Jack Daniel

SecBarbie by Erin Jacobs

Emergent Chaos by Adam Shostack and ensemble


February 05, 2010

Do our security products do what they say they do? A false sense of security is worse than no security at all

A foundation of much of our security strategy today is to deploy security solutions to protect us. As an industry we have put policy and process in the back seat to technology. But is our blind trust in security technology justified? I have seen some evidence lately that says no. In fact I am not sure that all of these appliances and software that we use work at all.

What makes me say this? Let me give you some evidence:

1. Kelly Jackson-Higgins has a good post up on Dark Reading about the research done by Larry Suto on web application scanners. According to the report which you can download the pdf of free at Dark Reading, most of the scanners missed almost 50% (one half) of all web app vulnerabilities! Think about it, scanning your web apps, you might be missing one out of every two vulnerabilities!

I was shown this report a few days ago by my friend Matt Cohen of NTOSpider. To give Matt and his team credit, they did lead the pack with 94% accuracy. But overall the numbers were pretty bad.

Qualys in particular was pretty low, with only about 28% accuracy. It should be noted that they only have a “point ‘n click” test though. But still you have to ask yourself, if two-thirds of the vulnerabilities are getting by, why bother?

Is it any wonder that being PCI compliant is meaningless from a security point of view? You can use a web app scan, check the box on your PCI audit and still have a security posture that is like swiss cheese on your web app!

2. The NSS tests. I have written before about the great work Rick Moy and the folks over at NSS have done. But go read this article in GCN by William Jackson interviewing Rick.

It is downright scary that after 5 years in the prime time, IPS still does not catch such a large percentage of attacks. We all knew that signature based detection alone was not going to see all attacks. But we have deluded ourselves that anomaly and behavior based detection would somehow make our signature based technology actually work.

Yes, IPS may catch rudimentary types of attacks, but how can we sleep at night with some of these well known IPS devices on the job?

3. Anti-virus – another false sense of security! For all of the millions of dollars spent by the AV vendors (a small fraction of the billions they rake in) on better detection, what have we got? A day late and a dollar short technology, I am afraid. Our AV is great against last year’s attacks, but is pretty weak on this year’s threats.

That is of course assuming that your AV is actually up to date. In most organizations what percentage of mundane AV updates are failing? From my NAC experience I was surprised that even on some of the most sensitive networks in the world, the number of AV update failures across the network is pretty high. It only takes one bad apple.

4. Patching is a lot like AV. How many patches fail and never get pushed out to every machine that needs them? Too many is the answer.

We could go on and on. Don’t even get me started on NAC and DLP. In general our reliance on technology that does not work as well as we hope, think and pray it does is more dangerous than if we had nothing at all. At least then we would be serious about the policies and process that we need to put in place.
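Points 3 and 4 above are measurable, and the measurement is usually the first thing missing. The following is an added example (mine, not from the original post or from any vendor's product) that joins an asset inventory against AV definition age and a required-patch list to report how much of the fleet the controls actually cover. The inventory, the timestamps, the patch identifiers and the three-day staleness threshold are all constructed assumptions for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Host:
    name: str
    av_definitions: datetime          # timestamp of the installed AV signature set
    installed_patches: set = field(default_factory=set)


# Constructed inventory, not real data: hostnames, AV timestamps and patch IDs
# are made up for the example. A fixed "now" keeps the run deterministic.
NOW = datetime(2010, 2, 5, 12, 0)
REQUIRED_PATCHES = {"MS10-002", "MS10-006", "APSB10-02"}

INVENTORY = [
    Host("ws-001", NOW - timedelta(hours=6), {"MS10-002", "MS10-006", "APSB10-02"}),
    Host("ws-002", NOW - timedelta(days=9), {"MS10-002", "MS10-006", "APSB10-02"}),
    Host("ws-003", NOW - timedelta(hours=20), {"MS10-002"}),
    Host("srv-db1", NOW - timedelta(days=30), set()),
    Host("ws-004", NOW - timedelta(days=1), {"MS10-002", "MS10-006", "APSB10-02"}),
]


def stale_av(hosts, now, max_age=timedelta(days=3)):
    """Names of hosts whose AV definitions are older than max_age (assumed threshold)."""
    return sorted(h.name for h in hosts if now - h.av_definitions > max_age)


def missing_patches(hosts, required):
    """Map host name -> sorted list of required patches that host lacks."""
    gaps = {}
    for h in hosts:
        missing = sorted(required - h.installed_patches)
        if missing:
            gaps[h.name] = missing
    return gaps


def coverage_report(hosts, now, required, max_age=timedelta(days=3)):
    """Summarize how many hosts the AV and patch controls actually cover.

    'unprotected' is the union of both failure sets: one host in it is the
    bad apple the post talks about, regardless of how good the average looks.
    """
    stale = stale_av(hosts, now, max_age)
    gaps = missing_patches(hosts, required)
    total = len(hosts)
    unprotected = sorted(set(stale) | set(gaps))

    def pct(n):
        return round(100 * n / total, 1) if total else 0.0

    return {
        "hosts": total,
        "av_stale": stale,
        "av_stale_pct": pct(len(stale)),
        "patch_gaps": gaps,
        "patch_gap_pct": pct(len(gaps)),
        "unprotected": unprotected,
        "fully_covered_pct": pct(total - len(unprotected)),
    }


if __name__ == "__main__":
    report = coverage_report(INVENTORY, NOW, REQUIRED_PATCHES)
    print(f"{report['hosts']} hosts; AV stale on {report['av_stale_pct']}%: {report['av_stale']}")
    print(f"patch gaps on {report['patch_gap_pct']}%: {report['patch_gaps']}")
    print(f"fully covered: {report['fully_covered_pct']}% of hosts")
```

In practice the inventory would come from the AV console's export and the patch system's compliance report rather than a hard-coded list; the point is to compute the percentage of hosts where both controls are working, not the percentage where the agent merely reports in.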

In the meantime we need to rethink if we are as protected as we think we are. If not, we need to take measures in response.

February 04, 2010

The Security.Exe Podcast, Episode 2 - eEye and Cyberoam talk Security 2010

Here is the 2nd episode of the security.exe podcast. Unfortunately Mitchell Ashley is unable to join me. Mitchell's wife has been battling breast cancer for almost 5 years and her condition has taken a turn for the worse. We wish Mitchell and his family strength and prayers at this trying time.

I do have two great guests on this episode though. Morey Haber of eEye and Alex Quinonez from Cyberoam join me to discuss what is on the security horizon for 2010. I think you will find it an insightful conversation!

We talk about Aurora, iPad, Cloud Security and a bunch of other topics that we see as being relevant to the discussion around security 2010. I hope Mitchell will be able to join us again soon. Until then we will have some special guest hosts and other special guests on the podcasts.

Enjoy!

February 03, 2010

Dumbest phish of the month award

I am thinking about starting a new feature here on ashimmy.com: the dumbest phish of the month award. Most phishes are pretty dumb and easy to spot, especially if English is your native language. But don’t be fooled, there are some phishes that are not quite as obvious. They will fool even some of us who are much more paranoid about this stuff.

Anyway, the inaugural dumb phish award goes to kenlad35@yahoo.com. Ken wrote me the following email. It is actually pretty typical of the “your hotmail or windows live account will be closed” variety, asking for username, password and so on. But Ken, if you are going to make believe you are from Windows Live, maybe you should lose the yahoo email address and the little yahoo ad at the bottom of the email.

No matter what you do for a living, even a phisher, at least try to be the best you can be about it!

Dear Windows! Live Account User,

  We encountered a problem with our database and a lot of records were lost, we are restoring our database to enable us serve you better. Your Windows! Live Account details are required so as to store in our database to keep your account active.

Failure to do this will lose his or her account permanently.

To update and enable us restore your account details in our data base to keep your account active, you are required to provide us the details below urgently.

Click the reply button to enter details below .

  ID:

  Password :

  Date of Birth:

  Country or Territory:

  Occupation:

  Alternative E-mail:

   Make sure the details above are correct to enable us restore your account details, this will help prevent your account from suspending or closing.

Note: YOUR DETAILS WILL NOT BE SHARED.

  Users have often told us that the more they use Windows! Live  Service, the more they discover its benefits. We'll keep working on making Windows! Live the best email service around, and we appreciate your joining us for the ride.

Thank you,

Sandra O. John

E-mail :customer.care00023000@live.com

The Windows! Live Team

__________________________________________________
Do You Yahoo!?
Tired of spam? Yahoo! Mail has the best spam protection around
http://mail.yahoo.com
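The tells in that message are exactly the ones a mail filter can check for mechanically: the body names one brand while the From header lives on another domain, a "contact" address in the body is on a third domain, a form field asks for a password, and the wording threatens closure unless you act urgently. Below is an added example of such a scorer (my own illustration, not code from the original post or from any mail provider). The two sample messages are constructed for the example, modelled on the phish quoted above and on a benign notice, and the brand-to-domain table and the scoring weights are assumptions, not an authoritative list.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample modelled on the message quoted above: the sender is a
# yahoo.com address while the body claims to come from the Windows Live team.
SAMPLE_PHISH = """\
From: Ken <kenlad35@yahoo.com>
To: victim@hotmail.com
Subject: Windows Live Account Verification
Content-Type: text/plain; charset=us-ascii

Dear Windows! Live Account User,

We encountered a problem with our database and a lot of records were lost.
Your Windows! Live Account details are required to keep your account active.
Failure to do this will lose his or her account permanently.
You are required to provide us the details below urgently.

  ID:
  Password :
  Date of Birth:

Thank you,
The Windows! Live Team
E-mail: customer.care00023000@live.com
"""

# Constructed benign notice for contrast: brand and sender domain agree and
# nothing asks for a credential.
SAMPLE_LEGIT = """\
From: Windows Live <notices@live.com>
To: victim@hotmail.com
Subject: Your storage usage
Content-Type: text/plain; charset=us-ascii

Dear Windows Live user,

Your mailbox is using 80% of its storage quota. You can review your usage
from the account settings page.

The Windows Live Team
"""

# Assumed mapping of impersonated brands to the domains they really mail from.
# Illustrative only; a production filter would use a maintained list.
BRAND_DOMAINS = {
    "windows live": {"live.com", "hotmail.com", "microsoft.com"},
    "yahoo": {"yahoo.com"},
    "paypal": {"paypal.com"},
}

CREDENTIAL_FIELD = re.compile(r"^\s*(password|passwd|pin|ssn)\s*:", re.I | re.M)
URGENCY = re.compile(r"\b(urgent(?:ly)?|immediately|permanently|suspend\w*|clos(?:ed|ing))\b", re.I)
ADDRESS = re.compile(r"[\w.+-]+@([\w-]+(?:\.[\w-]+)+)")


def _domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def score_phish(raw: str) -> dict:
    """Score a plain-text email with header/body consistency checks.

    Returns the numeric score, the reasons that fired and a verdict. The
    weights and the threshold of 4 are assumptions chosen for the example.
    """
    msg = message_from_string(raw)
    sender_domain = _domain(parseaddr(msg.get("From", ""))[1])
    reply_domain = _domain(parseaddr(msg.get("Reply-To", ""))[1])
    body = "" if msg.is_multipart() else msg.get_payload()
    # Strip punctuation so "Windows! Live" still matches "windows live".
    normalized = " ".join(re.sub(r"[^a-z0-9 ]", " ", body.lower()).split())

    score, reasons = 0, []

    # 1. The body names a brand that the sender's domain does not belong to.
    for brand, domains in BRAND_DOMAINS.items():
        if brand in normalized and sender_domain not in domains:
            score += 3
            reasons.append(f"claims to be {brand} but was sent from {sender_domain or 'unknown'}")

    # 2. Reply-To points somewhere other than the sender's domain.
    if reply_domain and reply_domain != sender_domain:
        score += 2
        reasons.append(f"reply-to domain {reply_domain} differs from sender domain {sender_domain}")

    # 3. The body asks the reader to type a credential into a form field.
    if CREDENTIAL_FIELD.search(body):
        score += 3
        reasons.append("asks for a credential in the message body")

    # 4. Pressure language: act now or lose the account.
    if URGENCY.search(body):
        score += 1
        reasons.append("uses urgency or account-closure language")

    # 5. A contact address in the body that lives on yet another domain.
    for dom in sorted({d.lower() for d in ADDRESS.findall(body)}):
        if dom != sender_domain:
            score += 1
            reasons.append(f"body contact address on {dom} does not match sender domain {sender_domain}")

    return {"score": score, "reasons": reasons, "phish": score >= 4}


if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        result = score_phish(sample)
        print(f"{name}: score={result['score']} phish={result['phish']}")
        for reason in result["reasons"]:
            print("  -", reason)
```

The brand check is the one that catches Ken: no amount of polishing the English fixes a From header on the wrong domain. It is also the check that real phishers defeat by registering look-alike domains, which is why the other signals are scored alongside it rather than relying on any one of them.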

A refreshing voice back at the helm

I came across a Google alert today for network access control (I admit it, I still follow the NAC market). There was a link to an article interviewing the CTO of HP ProCurve, Paul Congdon. I assumed it was a link to an old article (as sometimes happens with Google Alerts), but clicked anyway. I was happy to see it was dated today and it was in fact a new interview with Paul.

Paul had been the CTO of ProCurve a few years back when I concluded a relationship between StillSecure and HP ProCurve. He had taken a quasi-leave of absence to continue his education and I have not spoken to Paul in a few years now. It would appear that he is back. If so what a great thing for ProCurve!

Paul was one of the brightest people I have dealt with in my many years in technology. A true visionary, he is also one of the nicest gentlemen you will ever meet. He is a big supporter of open standards and is always thinking of what is on the next horizon.

Now that I know he is back, I will have to reach out to Paul and see how things are with him. But keep your eyes out for what Paul says. I can guarantee you that you will learn something!

Welcome back Paul!

Creative Commons License
This work is licensed under a Creative Commons Attribution-Share Alike 2.5 License.

Blog powered by TypePad
Member since 10/2005