So it looks my hot topic this week is how full of beans most vendors are and how it is making life difficult for security admins looking to choose the right product.  I already wrote about how some vendors claim customers use their products for functions that they do not. I wrote about how customers are hounded by sales people calling and writing, blowing smoke about products and solutions they don't want.  BTW, on a comment to that one, Greg Ness writes a very insightful piece that I want to paste in here:

I think we're seeing the tale end of the era of "entrapment marketing" whereby someone downloads a white paper or watches a webcast and then gets swamped with calls from salespeople. As a marketing VP I get about 5-6 calls a day. They're so disruptive that I've turned my ring off and batch process the calls once a week.

I think the quantity and quality of the traditional downloads has declined since the early 2000s, so that real people get even more calls than they used to. I've become a big believer in social media (no registration required) and inbound registration/interest.

I have a netsec blog at: www.archimedius.net where I talk about issues. I launched it last year after seeing our google analytics scores register large social media inbound traffic to our website. Three top blogs were generating equivalent visitor eyeball minutes on our website to leading pubs.

Social media is less disruptive, usually is part of a broader, real-time technology conversation and helps you to establish better relationships with prospects, all in exchange for sharing your view of the world.

Now I was reading a recent analyst report on NAC and almost choked when I saw some of the data passing for information in this report. To be fair the analyst does preface their report by saying they can't vouch for any of the factual information supplied by vendors,  But my God does anyone tell the truth anymore?  Funny thing is it is the usual suspects up to their same old, same old fudging their numbers. 

So not only do we have misleading press releases talking about customers who don't really use the products as announced, we have analyst reports that have glaring factual errors that are not checked and people rely on and customers who are swamped with slick sales people.  What can we do as an industry to bring sanity to all of this?  Am interested in what your take on all of this? Is security marketing worth the paper it is written on anymore?

So it looks my hot topic this week is how full of beans most vendors are and how it is making life difficult for security admins looking to choose the right product.  I already wrote about how some vendors claim customers use their products for functions that they do not. I wrote about how customers are hounded by sales people calling and writing, blowing smoke about products and solutions they don't want.  BTW, on a comment to that one, Greg Ness writes a very insightful piece that I want to paste in here:

I think we're seeing the tale end of the era of "entrapment marketing" whereby someone downloads a white paper or watches a webcast and then gets swamped with calls from salespeople. As a marketing VP I get about 5-6 calls a day. They're so disruptive that I've turned my ring off and batch process the calls once a week.

I think the quantity and quality of the traditional downloads has declined since the early 2000s, so that real people get even more calls than they used to. I've become a big believer in social media (no registration required) and inbound registration/interest.

I have a netsec blog at: www.archimedius.net where I talk about issues. I launched it last year after seeing our google analytics scores register large social media inbound traffic to our website. Three top blogs were generating equivalent visitor eyeball minutes on our website to leading pubs.

Social media is less disruptive, usually is part of a broader, real-time technology conversation and helps you to establish better relationships with prospects, all in exchange for sharing your view of the world.

Now I was reading a recent analyst report on NAC and almost choked when I saw some of the data passing for information in this report. To be fair the analyst does preface their report by saying they can't vouch for any of the factual information supplied by vendors,  But my God does anyone tell the truth anymore?  Funny thing is it is the usual suspects up to their same old, same old fudging their numbers. 

So not only do we have misleading press releases talking about customers who don't really use the products as announced, we have analyst reports that have glaring factual errors that are not checked and people rely on and customers who are swamped with slick sales people.  What can we do as an industry to bring sanity to all of this?  Am interested in what your take on all of this? Is security marketing worth the paper it is written on anymore?

A clue to how cephalopods disguise themselves so quickly came to Dr. Hanlon when he and his colleagues reviewed thousands of images of cuttlefish, trying to sort their patterns into categories. "It finally dawned on me there aren't dozens of camouflage patterns," he said. "I can squeeze them into three categories."

One category is a uniform color. Cephalopods take on this camouflage to match a smooth-textured background. The second category consists of mottled patterns that help them hide in busier environments. Dr. Hanlon calls the third category disruptive patterning. A cuttlefish creates large blocks of light and dark on its skin. This camouflage disrupts the body outlines.

It's not often you can find research on the intersection of security and squid.

There’s little doubt that virtualization is an important and disruptive technology that will, in a relatively short period, change the face of the data center. Because virtualization is so disruptive, it also will clearly change the rules for how enterprises secure their data and their computing infrastructure. And, while we don’t believe that virtualization should remain off limits until a security strategy is fully nailed down, smart organizations will develop security and management strategies as they develop deployment plans for virtualization.

ETTING SECURE
Help will probably come in two forms. First, it’s likely that as virtualization becomes more mainstream, hardware vendors will design end-user systems from the ground up to provide administrator-controlled VM partitions and hypervisor layers, making it harder for malware to enter systems.

A better fix uses the Trusted Platform Module found in most new x86 based systems. Using the TPM, software authenticity can be tested and inter-VM traffic can more easily be encrypted. Using the TPM’s ability to sign software makes it easier to determine that a system image has been altered and that it should be assumed to be compromised. Since the TPM is designed to be a tamper-proof hardware approach to encryption and software signing, it should help substantially in validating that software of all stripes hasn’t been corrupted by malware or by other means.The other substantive threat is a byproduct of how multiple virtual machines communicate with each other on the same system; that, along with the ability to move running VMs from machine to machine, renders most network-based security products much less effective.

One of the first production uses for x86 virtualization has been server consolidation. The idea is that a single powerful server running a number of VMs can replace potentially dozens of older, lightly loaded individual servers. With so many VMs running on a system, the amount of communication between them can be significant. For intraserver communication between VMs, all virtualization products create a virtual switch, which is then shared by all VMs on the server. External network security tools from firewalls to intrusion detection and prevention systems to anomalous behavior detectors are all, by definition, blind to network traffic that never leaves the physical server.One approach to securing multiple VMs on a single server is to ensure that all the VMs are running similar operating systems and that each has been properly patched. The notion is that if all systems running on a given server are similarly secure, their communications will be, too. Security products like host-based firewalls should be in place to provide what security they can.

A better solution is to use tools that are specifically intended to improve the security of virtualized environments.

Virtual appliances are, as the name suggests, VMs with a minimized and hardened operating system that’s been configured to precisely meet the needs of the appliance’s one application. The idea is to minimize or eliminate any operating system configuration work on the part of the end user, permitting rapid and consistent deployment with relatively little expertise required from the installer. Applications for virtual appliances range from grid computing to SaaS to security.

Though a virtual appliance can be created for any virtualization environment, VMware is ahead of the field and has created a marketplace along with a try-before-you-buy Web site. More than 100 security-related virtual appliances are listed on the site. Only a fraction of those are from commercial vendors. The rest are applications created by internal groups or open source collaborations.Among the vendors listed are Astaro, with a unified threat management appliance; Blue Lane, with a virtual patching appliance; Catbird, with a security agent; and Reflex, with an intrusion prevention appliance. As this group indicates, virtual appliances, much as their physical-world kin do for the legacy data center, can fill many of the security gaps created by a virtualized environment.

Also In This Report

>> Chipset futures: We look at the latest offerings from Intel and AMD and analyze how their architectures affect security

>> From the experts: Insights from Intel’s Steve Grobman, Citrix’s Simon Crosby, and VMware’s Mendel Rosenblum

Get the full-length report at businessinnovation.cmp.com/
governance

While the tools to create a secure virtualized environment are now showing up, it would be a mistake to think that virtualization security is just about buying a different set of security tools. Greg Shipley, CTO of security research company Neohapsis, offers this advice: “Take a hard look at what threats you actually think you’re facing, and what tools or techniques (which might not involve a technology purchase!) are out there to help mitigate them.” Shipley maintains a healthy skepticism of security software vendors. He “can’t help but wonder if some of the vendors out there are simply looking at all the virtualization going on and saying, ‘Hey, how do I sell security to all these VMware shops?’ I think part of the burden on us users/consumers of the technology is to discuss what the true threat vectors are and then look to at tools.” Virtualization will change the face of computing from the desktop to the data center. Getting security right requires reassessing the approach to and goals for security. Platform and network security, which have been the mainstay of most security efforts to date, will give way to securing data and restricting its use to only those who are, by policy, allowed to use it.

Source

]]>

Some other interesting news items have appeared in the recent past.

1. Germany’s respected weekly, Der Spiegel, reported that China was thought to have hacked into the computer systems of Germany’s chancellery, as well as systems at three ministries, infecting the networks with spy programs. The alleged attacks occurred just before Chancellor, Angela Merkel, visited Beijing. Computers in the chancellery and the foreign, economics, and research ministries were targeted. The German Federal Office for the Protection of the Constitution (BfV) conducted a comprehensive search of government IT installations, and prevented a further 160 giga-bytes of information from being transferred to China. The scale and nature of the stolen data suggested that the operation could have been steered by the state.

2. Australian IT reported  that Chinese hackers had allegedly tried to hack into highly classified government computer networks in Australia and New Zealand as part of a broader international operation to glean military secrets from Western nations. New Zealand Prime, Minister Helen Clark, confirmed that foreign intelligence agencies had tried to hack into government computer networks, but had not compromised top-secret data banks. The Chinese government has denied any involvement.

3. In its annual report to Congress, The U.S.-China Economic And Security Review Commission  said, “Among the disruptive capabilities China is fielding is the ability to conduct cyber attacks. General James Cartwright, then Commander of the U.S. Strategic Command (USSTRATCOM) and currently Vice Chairman of the Joint Chiefs of Staff, testified before The Commission that China is actively engaging in cyber reconnaissance by probing the computer networks of U.S.government agencies as well as private companies. The data collected from these computer reconnaissance campaigns can be used for myriad purposes, including identifying weak points in the networks; understanding how leaders in the United States think; discovering the communication patterns of American government agencies and private companies; and obtaining valuable information stored throughout the networks."

Today, cyber espionage enables you to get information that may have taken years to collect through human intelligence, only in a matter of minutes, in a single download session. So it’s a no-brainer for many, the McAfee report estimates 120 countries engaged in web espionage operations, but most of these operations are not very sophisticated. But the Chinese approach of targeting key industries and economic sectors, placing Trojans in those systems to be activated if/when necessary, is like having a sleeper cells that get activated on demand. This should serve as a wake-up call to governments and businesses around the globe that in today’s competitive environments, spending the time, effort, and money to protect your sensitive information assets is the key to keeping your competitive advantage.

#1: Write an email policy. If you do not already have one in place, the first thing you must do is to create an email policy. This is necessary to educate users but also to ensure that employees are aware that the company is monitoring their emails. This will protect your company against possible employee lawsuits regarding invasion of privacy. Have your users sign the email policy to confirm that they have read and understood the regulations. For more information on what to include in your Email policy, got to the blog article Ten points to include in your email-policy.

#2: Train users; Regularly train users in applying the email policy. Help users send effective emails by informing them of best practices, explain that offensive jokes and remarks can be much more harmful than they seem and stress that employees that witness abuse of the email system must report this to their supervisor. This will boost productivity and help avoid many of the email risks.

#3: Install anti-virus software. Even though nowadays almost all companies have virus software scanning files on the server and client machines, not all companies do the same for email. Be safe rather than sorry and scan all your incoming and outgoing emails for viruses too.

#4: Install a spam filter. There are many spam filters out there and most of them will do a good job at blocking spam. However, not all spam filters will allow your users to review their own spam mails, offer customization per user or allow for detailed message tracking.

#5: Content check emails; Even though you have educated your users, you cannot assume that all employees will adhere to the policy. Therefore you need to install software that can check all emails for inappropriate content. For internal mails this is to protect users from an unsafe work environment. For external mails this is to protect the reputation of your company and to avoid libel lawsuits. You must also check attachments and use word filtering to avoid confidential data leaving the company. For instance you can block external emails containing Social Security Numbers, credit card details or patient information.

#6: Add a disclaimer; In order to disclaim against company liability, ensure confidentiality and comply with regulatory rules you must add a disclaimer to all sent emails. Disclaimers must be added to internal mails as well as external mails. It is also a good idea to add a different disclaimer for internal mails to specifically address the unsafe work environment issue. For instance in your internal mails you can include a line saying ‘Employees are expressly prohibited to make offensive, disruptive or defamatory statements.’

#7: Compress attachments; by compressing attachments you can reduce the size of files by up to 95 percent. Needless to say this will save bandwidth and network storage.

#8: Limit personal emails; Personal emails not only cause loss of productivity, they can be the source of viruses and bandwidth hogging attachments. You might want to allow some personal use, but in your email policy you must stipulate in exact terms what is allowed and what is not.

#9: Archive emails; Many industries now face regulations that require them to archive emails for a number of years, including the health care, legal and financial industry. Fail to archive your emails and your company might face substantial fines. In addition, you need to be able to quickly search and access messages in case you need to retrieve emails on a court order.

#10: View reports on usage; Check how the email policy is being implemented by looking at email usage reports. Find out what attachments users are sending and their size. View reports on email policy violations and determine which rules are being violated and by which users. On the basis of this information you can adjust your email policy, tweak your email filtering software, or schedule further trainings to re-iterate certain email policy rules.