31 posts categorized "compliance"

May 04, 2009

Lexis Nexis allowed cybercriminals to use its information for 3 years. I am shocked!

From the classic movie Casablanca:

Rick: How can you close me up? On what grounds?
Captain Renault: I'm shocked, shocked to find that gambling is going on in here!
[a croupier hands Renault a pile of money]
Croupier: Your winnings, sir.
Captain Renault: [sotto voce] Oh, thank you very much.
[aloud]
Captain Renault: Everybody out at once!

The latest winner of the Captain Renault award is Lexis Nexis and its corporate sister, Choicepoint. It seems that cybercriminals were using their service for 3 years to obtain information that was then used to obtain fraudulent credit cards. Then, to make matters worse, Lexis Nexis apparently asked for and received permission to wait 18 months before notifying the people whose information may have been compromised. This is of course not the first time that Choicepoint has been duped into giving out confidential data.

When are we going to put enough bite into the penalties so that these companies will take protecting this data seriously? How do they dare sit on this for 18 months to two years before notifying victims? This is the kind of stuff that makes politicians want to do something; it's about time they did!


March 18, 2009

RSA is on the way! March 18, 2009

OK, I got back early from California (because someone I was meeting had to be hospitalized, I am afraid), so I have some time to blog. It has been tough lately, but there are lots of stories to touch on. First of all, we are in full swing for the pre-RSA season. My calendar is already filling up with appointments while I am out in San Fran. I will be presenting at the Americas Growth Conference again this year on the Monday before RSA. The AGC event has become a staple over the years and in these challenging times should be even more interesting this year. Of course there is the security bloggers meet-up, with planning in full swing and ready to rock (SBN members get an invite). Also the SC Magazine awards dinner and event, which I was invited to and will be attending. Thursday morning I moderate an all-star panel on what to do about security in this economy. All in all, RSA is shaping up as a great time!

While I am registered as a speaker, an exhibitor and a 5-year member, I was surprised that this year there were no free passes to attend just the expo and keynotes. In some ways it is good; it may keep out some people who are adult trick-or-treaters or resume pushers. In other ways, if you are in the local area, the 75 dollars for an expo pass may stop you from attending. Well, here is where I can help. I have 4 expo passes to RSA to give away. Leave a comment with why you deserve one, and if you can convince me, you win one. I wish I had full passes to give out to all of the tracks and all, but those are hard to come by. Hope to see you at the conference.

Couple of other stories:

1. Vyatta adds security to the router. I don’t know about you, but this is so Cobia 2007! Come on guys, we did this at StillSecure with Cobia 2 years ago. Plus, reading the press on it, it is hard to see what special sauce, if any, Vyatta adds over the plain vanilla open source offerings that it is based on. I guess it was to be expected, but I think they are going to have to do better than this to be successful.

2. Is Sun going to rise at IBM? – Looks like Big Blue might be picking up what is left of Sun. Great, that gives IBM another database to work with (they already have DB2 and Informix), some open source stuff and another silicon design. On the other hand, Sun has to do something, as I am not sure what the future holds for them as a standalone.

3. How to evaluate if an MSSP is right for you – article in SearchSecurity about how to properly evaluate whether an MSSP is right for you. Pretty elementary stuff, but a start to making the decision.

4. NAC, it's not just for compliance anymore. – Tim Greene’s article this week calls out how NAC for compliance is yet another great use of NAC. Yes, NAC can be quite the Swiss army knife of security, but is NAC as a compliance tool enough to drive a new NAC sale, or is it just another use for a tool you already bought? That is the big question about the NAC market.

March 10, 2009

Spring Ahead - March 10, 2009

Well, this weekend was the start of daylight saving time. I always think of it as spring ahead, as opposed to fall back. It usually takes me a good week to get used to being an hour ahead. But are you really an hour ahead? Yes, it is still dark when many of us get up and it stays light longer in the evening, but do you think of it as being an hour ahead? Maybe you should. What is so bad about thinking of getting out ahead of things? Nothing at all. Especially in security, so much of what we do is reactive, after the fact. Maybe a good security strategy would be to spring ahead. Get out ahead of the security issues before they become incidents or big problems. Why not make that a mantra? The clocks have been set ahead; try to stay ahead of the bad guys yourself and enjoy the extra daylight at the end of the day!

Have a great day.

An IF-MAP in Juniper’s future? – Juniper updated their NAC solution yesterday for the first time in 2 years. It seems like the big news is that NAC is now part of the fabric because it can interact with other security technologies using IF-MAP, the Trusted Computing Group’s standard for data sharing. Of course the problem is that it takes two to MAP. If other products don’t support it and use it, Juniper by themselves is not going to do it. What does it give you, you ask? Well, according to this article by Sean Michael Kerner, Juniper says that now you can enforce quarantine and NAC after a device has been on the network. I say BFD to that; most NAC solutions have some sort of post-connect capability already (except Cisco, of course), so Juniper is just playing a bit of catch-up there. But at the end of the day Juniper is all about beating Cisco, so I guess that is what counts!

eEye’s any means possible – Those wild and crazy guys at eEye (they have not been as wild and crazy lately, frankly) announced a new service yesterday based on services they have been providing for years (according to them, anyway). It is a super-penetration testing service called any means possible. Based on eEye research and super hacking techniques as well as social engineering, the eEye team seems to be going whole hog into services. I don’t have a problem with it, but what does that mean about its commitment to Blink endpoint security, not to mention the forgotten Retina/REM suite? Maybe the products are not paying the bills and the any means possible name refers to eEye’s determination to keep the lights on? In this economy no one is immune!

PCI sends two QSAs to the principal's office – Martin reports on an article in TechTarget about two QSAs who have been called out by the PCI Council about their PCI auditing. OK, so they are going for a proctology exam. Are they being made examples of as a warning to other QSAs, or is this the start of the PCI Council getting more serious about enforcing standards around the huge infrastructure they have fostered? I have a great PCI podcast panel being scheduled now; we will be discussing this very topic, so stay tuned!

February 27, 2009

Google search for real

We have all heard of the millennial generation. Generally it refers to people born after 1985 through now. The older millennials are already young adults and their impact is being felt in social networking, politics and many other fields.

But it is the younger millennials who are going to blow us away. They are growing up in a world where the internet, ubiquitous connectivity and unfettered access to information is the norm. They never saw an encyclopedia made out of paper. I was reminded of this tonight while getting Google tips from my 7-year-old son Bradley. Bradley was working on some Pokemon character and was looking for a picture that he needed edited. He asked me to Google the character’s name and then grab a picture and edit it. When I Googled the name, no pictures came up. Bradley said, “Dad, put “for real” after the character’s name.” When I asked why, he said that is what he does when he can’t find something on Google. Frag (Battlestar Galactica word) if that didn’t work! How did Bradley come up with this? Is Google aware of it? It must change the search algorithm or something. Glad I have web filtering on the machine.

What is going to happen when Bradley and his friends grow up? What challenges will this present for the security industry? Maybe they will help with security. I don’t know, but I do know that they have an instinctual intuitiveness around computers and such that previous generations on the whole don’t have.

Anyway, here is something you very rarely get with Mike Rothman’s Incite – a report on Friday!  Have a good weekend!

  1. When open is open only if... or it's about the platform, stupid – Hoff has a good point today about VMware’s use of the terms open and interoperable. These two abused terms get tossed around a lot. Open used to really mean open source: you had access to the source. Interoperable, in my mind, meant that out of the box it would work with other platforms and products. Then open was not really about source, but at least about the openness of the product to use generally accepted means of communication. In my mind, SQL and ODBC connectivity in databases is a perfect example of this. But I think what Hoff is getting at, but is not saying clearly, is that now it is all about the platform. VMware wants to be the platform here. They want you to use tools and applications, as long as you use their platform. By having to use their APIs to connect, you are locked into their platform. That is the real hook and makes it not very open at all.
  2. Can IT Vendors be Objective? Probably not – Michael Farnum has a guest post up from a vendor friend of his venting about the fact that he has been “discriminated” against because he is a vendor and therefore deemed not objective. I agree that most people say out of hand that you are a vendor and therefore not objective. Not that you can’t try. I have been accused of the same thing. But being objective on this question, I have to say vendors can’t be objective. Not to say we would lie, but if we didn’t believe that our products were better, could we sell them? So yes, IT vendors are not going to be objective. But here is the kicker: neither can anyone else. We all bring our own views and prejudices to the game and that affects our objectivity. Therefore it is up to the audience to filter what they think is truth from fiction, opinion from fact. I think most people recognize that and perform that task.
  3. Mogull calls BS – Rich Mogull calls out Bob Russo of the PCI Council. Seems Russo says that no businesses that are PCI compliant have ever been breached. They may have been compliant once, but when they were breached they were not. Rich, rightfully I think, calls bull on this. I am not sure if Russo is playing semantics here or what. Maybe he means that having a breach automatically puts you out of compliance? I don’t know, but I have invited Rich and a few friends I know on the PCI advisory council to appear on a podcast. Stay tuned!

So that is it for this week.  Have a great weekend!


February 25, 2009

Spring is in the air

I know you may not be feeling this way depending on where you live, but Spring is in the air. How do I know? Easy, my anniversary has just passed. For the 19 years I have been married, I know that once my anniversary is over it will soon be Spring. Sort of my own bird-like instinct, maybe. When we were first married we used to go to Maui every year for our anniversary. It is always Spring in Maui, but by the time we would come home in early March, Spring was certainly on the way. Of course with the kids we don’t get to Maui much, but I watched a pre-season baseball game today; what more proof do you need than that?

So what does Spring have to do with anything? Spring represents a rebirth. I think we need a rebirth. We need to stop dwelling on the negative and start making our own luck and our own positives! To quote a greater thinker than I, “we have nothing to fear but fear itself”. So take my word for it, Spring is on the way. Start thinking about how you are going to break out of the winter/economy doldrums and attack your job, your life and your problems head on.

Good luck with that!

  1. Mike Rothman gave me a nice shout-out yesterday in his blog about copying his format. Besides thanking Mike, I want to say that I am thinking of this as just doing a few short blog comments in one post. I will of course add my own Shimmy schtick to it, but I like it. I will still do full posts when I see something I want to talk about. I am interested, though, whether you readers like this type of blogging. Let me know.
  2. The law of conservation of energy – Adrian Lane over on Securosis has a nice commentary up on the recent Symantec/Ponemon FUD that employees leaving their employment are taking IP and confidential data with them and that this number has gone up drastically. As Adrian points out, no crap, Sherlock! With all of the people being laid off, there are certainly more people leaving work. The real issue, though, is how many of these people are actually doing anything with this information. It reminded me of studying science with my oldest son Landon. The law of conservation of energy says that the amount of energy doesn’t change, just the form does. So really this is a potential threat, like potential energy. It remains to be seen if it will translate into anything more than that. Adrian says no; I say desperate people do desperate things.
  3. Dead men walking – While reading this story about Nortel laying off another 3200 people today, I was reminded of a potential customer call I was on a while back for NAC. They were also looking at Nortel’s NAC solution, and the CIO was telling me how good he felt dealing with a company of Nortel’s size and the stability it offered over StillSecure. My, how the mighty have fallen!
  4. It's not a product, it's a feature – Hoff loves to spout that one. I was reminded of the same thing today reading the article in Computerworld by Mark Everett Hall that SaaS is not a market, just another channel. I actually agree with that statement, and it is one of the driving forces behind StillSecure’s recent ProtectPoint acquisition. While many folks, including Rothman, question an organization's ability to sell service and product, I view the service offering as just another distribution channel. Customers can buy our products as a hardware appliance, software or as a service. I think long term that view of SaaS is going to be proven correct.
  5. Firewall tools – I recorded a great podcast earlier this week with Secure Passage CTO Jody Brazil. Jody is the former CTO of FishNet, and Secure Passage was originally spun out from FishNet with the FireMon product. It is totally independent of FishNet now and is coming out of stealth mode. My recording equipment messed up and I am waiting on Mitchell to send me his file to edit. In the meantime, Brian Prince of eWeek has a good interview with Jody. My view on this one is that PCI is totally driving this market. The issue is whether it will be a victim of its own success. If it becomes big enough, the firewall vendors will do a better job of packaging management tools with the firewalls and the third-party tools will find it hard to compete. But who knows, maybe they get bought out by then.

February 24, 2009

Shimel's daily incite

My friend Mike doesn’t get a chance to do his daily incite as much. I know he says that he gets 30% more readers when he just does a rant on a single topic, but everyone I speak to misses his round-up of what's new in security with his two cents thrown in. So here is my daily incite. We will see how this goes before committing to doing more of it.

Have a good day!

[Image: The Pragmatic CSO, available now. Read the intro and get "5 Tips to be a Better CSO" at www.pragmaticcso.com]

How can I do a daily incite without pushing the Pragmatic CSO? There, hope everyone feels better!

  1. Big Fix offers 50% off – John Dunn at Network World reports that Big Fix is offering up to a 50% discount to customers who switch to the Big Fix patch management system from a competitor when it is time to re-up. There is some other fine print with the deal (3-year commitment, only seats being replaced, etc.), but the bottom line is that Dave Robbins and Amrit and gang are trying to use the current economy to grab some market share solely on price. Yeah, it is a bit of a marketing thing and the competition will match it, but then the customer wins. StillSecure did a similar thing with our 50% off Strata Guard deal.
  2. Tim Greene predicts the future looking at the entrails of dead NAC companies. Tim makes a connection that since StillSecure bought ProtectPoint to get into MSSP and Trustwave took out Mirage, there must be money in NAC. While Tim may ultimately be right, I don’t think today there is significant revenue in fully managed NAC. According to the article, Mirage derived 30% of their business from managed service. I question how much 30% actually was, though. Doing managed NAC is not as easy as it sounds. The MSSP will have to have access to the network infrastructure as well as the NAC solution. Stay tuned for more details on that one.
  3. Say goodbye to FISMA? As I ranted on yesterday, FISMA has become the poster child for all that is wrong with compliance for compliance's sake alone. Yesterday a group with lots of support from the DoD, MITRE and SANS released the Consensus Audit Guidelines. You can get details on the SANS site here on the 20 critical controls. These look to me like the kind of common-sense, real security policies that will make a difference in the security of networks and not drown us all in paperwork without making us more secure. I sure would like to see this get adopted more widely.
  4. Security company hackers speak up. Softpedia has an interview with the Romanian hacker group that broke into several security company web sites including Kaspersky, F-Secure, Symantec, etc. Personally I don’t care what they have to say. I think giving these guys any play is akin to negotiating with terrorists. What they did was illegal and wrong and they should not benefit from it.

There you have it. Shimel’s daily incite. Good day, Mike Rothman, no matter where you are ;-)

February 23, 2009

Is there a CAG in your FISMA future?

For too long we in the security industry have waited around for the annual FISMA grades to be published for the various Federal Government agencies and departments. A bad grade is a great invitation to go in and try to sell some security. “We can help you raise your FISMA scores” sounds like we work at Kumon or Sylvan Learning Centers or an SAT prep course or something. For a long time there has been a growing number of critics, like Alan Paller of the SANS Institute, who say we should stop punishing Federal Agencies over bad marks on their FISMA report cards. Paller and others say that the fact is FISMA is not an accurate gauge of whether an agency or department is secure. “It does nothing to measure an agency's ability to detect and respond to intrusions,” according to Tim Bennett, president of the Cyber Security Industry Alliance.

Since 2008 there has been talk of a new program that would more accurately show the relative security of a given agency or department. The Consensus Audit Guidelines were released today by a coalition of private and public organizations, including some US DoD and intelligence agencies. The project is headed by John Gilligan, a former Air Force and Energy Department CIO. It is the aim of the group to have CAG become the foundation for a standardized approach to securing the nation’s critical infrastructure. According to this article in GCN, the participants are:

The National Security Agency Red Team and Blue Team, the Homeland Security Department, the U.S. Computer Emergency Readiness Team, the DOD Computer Network Defense Architecture Group, DOD Joint Task Force – Global Network Operations (JTF-GNO), the DOD Defense Cyber Crime Center; the Energy Department’s Los Alamos National Laboratory, the Army Research Laboratory, the Transportation Department, the Health and Human Services Department, and the Government Accountability Office. Also, MITRE Corp., the SANS Institute, and commercial penetration testing and forensics experts at InGuardians and Mandiant.

If adopted, CAG could easily become a standard across the board in both private and public organizations. NIST has apparently given its blessing to CAG as part of Special Publication 800-53.

The initial CAG controls and metrics are available from SANS. They are just a draft right now, available for public comment over the next 30 days. Here are the 20 Critical Controls, with links to more information on each one from the SANS site:

Consensus Audit Guidelines Draft 1.0

I have not read through the entirety of this, but from what I have read, I am very impressed. It would seem to me that adopting these standards would be a huge step forward over the endless paperwork involved in FISMA; they are real-world, easy-to-understand steps to actually securing these networks. I can only hope that common sense prevails and CAG becomes the law of the land!

February 11, 2009

WTF is HIPAA certified?

OK, I admit it. I run these crazy Google, Forbes and Six Apart Media ads on my blog. For a lousy 50 bucks a month I don’t know why I bother, but I do. I usually check out the ads on the blog if they catch my eye (hey, clicking on them makes me money after all). Today there was a Google AdSense ad for something called PadJack. I clicked. This is what I found:

[Image: screenshot of the PadJack ad]

So what exactly does HIPAA certified mean in relation to this product? I searched over their whole site, and other than a definition of what HIPAA is, there is nothing that says anything about what HIPAA certification is. Can’t they just say it helps with HIPAA? I read this and think to myself these guys are a bunch of fraudsters. For all I know maybe this product is really good, but by boasting of some make-believe certification, they lose all credibility with me.

January 26, 2009

Don't throw out the baby with the bath water

In the wake of the Heartland fiasco it is becoming fashionable to lay the blame for this mess at the feet of the PCI Council. Almost as if the PCI folks were the ones who planted the malware on Heartland’s computers and stole the credit card info. Mike Rothman questions “The Increasing Irrelevance of PCI” and Steve Ragan over at the Tech Herald asks “Does the Heartland breach prove PCI useless”. I say don’t throw out the baby with the bath water. Let's not confuse the good work that the PCI regs have done across the board with the sophisticated methods of cybercriminals. As I wrote last week, let's not confuse compliance with security!

For the majority of merchants who accept credit cards, the PCI regs have led to the adoption of security measures that many of them never had before. Anyone who doubts that does not have the facts on their side. Yes, many of these merchants have adopted measures solely to pass an audit and check the box, but that is still more than they had. Expecting these merchants to get serious about security and do more than the minimum that the standards mandate is a pipe dream. The PCI standards are not supposed to be some superhero-like shield of invincibility. They are just a set of minimal steps that merchants and those with sensitive information should take to protect that data. They were never meant to be the be-all and end-all in the matter of security.

All of the above notwithstanding, I do think the PCI Council needs to adopt a higher standard for companies like Heartland and Cardservices that process credit card transactions. The sheer volume of information they process puts them in a different class. I think for this class the PCI folks should put some constant monitoring of security practices in place. A yearly audit is not enough. I also think that larger merchants need not only more frequent monitoring but a higher level of security.

But folks, don’t throw the baby out with the bath water. Give the PCI Council time to adjust and learn from this episode. Those who condemn them for not anticipating this type of attack are not without sin themselves. Who among us in the security industry has been able to stop the bad guys dead in their tracks every time? Let's not hold the PCI regulations up to an impossible and artificial standard that no one can live up to.

January 22, 2009

Security is not the same as compliance

By now you have all read about the Heartland Payment Systems fiasco. One thing that I wanted to point out is around PCI compliance. For all of the money, talk and energy spent around achieving PCI compliance, an examination of the timeline shows that Heartland was PCI certified in April. That means that they had to have quarterly scans, probably twice since April. The Heartland folks became aware of a potential breach in October and discovered the malware in January (and of course announced it the day of the Presidential inauguration).

So at least one and maybe two PCI scans failed to discover this problem. Being PCI compliant did not keep Heartland from exposing the data on 100 million credit cards. If ever there was a poster child for "compliance does not equal security", this is it. Compliance drives dollars and drives the security business; unfortunately, it does not drive security.
