[SecurityRatty] tag: rsa

Speaking of Security Podcast #117

Sun, 10 Aug 2008 20:00:00 +0000

Click to Download/Listen (07:47)

In a recent RSA Web Seminar focused on the new FACTA Identify Red Flags provisions, industry analyst, Ken Herbert, with Frost & Sullivan, explained what financial institutions or creditors need to know about the upcoming November 1 FACTA deadline and provided some key recommendations for complying with the regulation. In this week's podcast, we'll share some of the questions and answers from this online event. To learn more, watch the entire webcast replay.

Fun Reading on Security - 6

Thu, 07 Aug 2008 14:01:00 +0000

Instead of my usual "blogging frenzy" machine gun blast of short posts, I will just combine them into my new blog series "Fun Reading on Security." Here is an issue #6, dated August 7th, 2008.

DNS + Karma = Boom! Enuf said. Also, hear Pete Linstrom squeal.
Fun essay on "blocking" and risk. Is it our job to stop'em from using Facebook?
MS Exploitability Index. Smart ... or misguidedly focused on "vulnerability release" (and not creation)
Chip-n-PIN, a PCI killer? I don't think so!
Mike R revisits "good enough security" - read it, then review your IR plans (...for you will be 0wned)
Very fun RSA survey here; data leakage beats malware again, people still not report incidents (to whom???)
More and more and more people point at idiocies of academic security research... Read the whole w00t 08 thread here. Weep. Laugh.
Neosploit has a bad quarter... breaks support "contracts" ... shuts down? Ah, the economy :-)
Awesome stuff from Richard Bejtlich: CAER.
"The Network Firewall is a Consensual Hallucination" :-)
More GRC-ball-kicking: here, here ("IT-GRC "vendors" are not IT-GRC vendors") - both are pretty insightful for GRC-lovers and GRC-haters)
More SIEM-ball-kicking: here ("underwhelming","ridiculous", "missing the point"), here ("dead ...unless","cripple")
Fun DLP portal launches.
Final word (?) on TerryChilds-gate here. "When management starts controlling the actions of admins, things start to fall apart." Huh? When management loses control of the business, it dies. Folks, IT vs IT security gap IS real. I never quite believed it, but this taught me a lesson. Some common security sense for a change (also here).

Enjoy.

Speaking of Security Podcast #116

Tue, 05 Aug 2008 20:00:00 +0000

The Importance of Strong Authentication for Business Continuity

New Speaking of Security co-host, Amanda VanVeen, meets with Jeff Carpenter, Senior Product Marketing Manager at RSA, to discuss how the latest release of RSA Aughtentication Manager supports organizations focusing on business continuity. When natural or man-made disasters hit, it's important that employees be able to quickly and easily access network resources, but it's equally important to know just who those new remote workers are.

What you don't know about security can hurt you

Mon, 04 Aug 2008 20:00:00 +0000

In reading an early release of an information-security survey conducted by the RSA Conference, two findings caught my attention.

PCI Compliance? Let's Talk!

Thu, 31 Jul 2008 13:35:05 +0000

During a meeting with an RSA customer earlier this week, I was asked a very detailed and pointed question about my interpretation of requirement 3.4. Specifically, the customer was using encryption to render PANs unreadable and wanted to know if their algorithm was indeed classified as "strong cryptography." Really, the customer was interested in making sure this particular encryption algorithm would pass their upcoming PCI audit. While I was happy to voice my opinion, I stressed the critical importance of open and honest communication when it comes to passing an audit and successful PCI compliance in general...

SSO Summit Wrap Up

Fri, 25 Jul 2008 09:41:07 +0000

More notes from SSO Summit - to recap I can't stress enough how a 50-200 person conference comprised of around 50-60% enterprise folk (instead of just vendors and *cough* consultants) is ideal. Real, in depth conversations instead of just "where is the party" a la RSA. Also, this conference has a laser focus on SSO, so all 150 of us are able to look through the prism from lots of angles.

Some additional takeaways

Dave Kearns has serious moderator skillz.

You can tell all the Mac users because they have to have their laptops plugged in at all times (Mr. Jobs paging Mr. Clayton Christensen)

Eve Maler can really sing

One of the prettiest drives through Colorado is here

I did my presentation on Security Token Servers today. Bob Brandt from 3M spoke on Federation at 3M, its quite interesting to think about the mix of all these technologies the same way 3M's products are composed from a grid of technologies. I see STS playing role here, enabling us to get interop across multiple token types. Bob also mentioned that the business doesn't _ask_ for SSO any more; they expect it. He mentioned (and I have seen the same) much greater SAML adoption and awareness by customers and partners. And I quite liked his quote - "If you are a SAAS vendors and you are not supporting SAML you won't be in business very long."

Kent Beck says programs are not things, they are shadows of communities. If you look at a big vendors' IDENTITY AND ACCESS MANAGEMENT SUITE - its not a cohesive product so much as a shadow of the big vendors' Visio org chart. Ping's SSO community is fast, light and Ninja; SSO functionality enabling real pros to get stuff done for real use cases.

Its a lot of fun to be at a 1.0 conference, I am pretty sure this will be 2x-3x next year.

The End of Neosploit?

Wed, 23 Jul 2008 20:00:00 +0000

The first and most important thing when trying to grow a pool of malware-infected PCs is the infection stage. The goal is to infect as many users as possible, as quickly as possible -- and remain undetected for as long as possible.

Neosploit is a brand that could be relied upon to solve that problem rather well. Designed to ease the infection stage, Neosploit is an infection kit which exploits numerous system vulnerabilities and infects PCs worldwide with any type of malware. Neosploit checks "candidate" PCs in order to find vulnerabilities, and once these are found, the PC will be infected with the malware of the criminal's choice.

However, the RSA FraudAction Research Labs recently received information indicating that we may soon see the last of this "Neosploitation".

We're Web 2.0 Crazy Here At RSA

Wed, 23 Jul 2008 20:00:00 +0000

Notwithstanding the fine bloggery that goes on at this site (excluding yours truly of course), there's a bunch of splendid social computing activity going on here at RSA. There's no better example of this than the RSA enVision Intelligence Community.

The Intelligence Community is an online community of RSA enVision customers, partners, systems engineers and product managers. It's getting quite a lot of use too, with interesting new posts around feature requests, tips and tricks and product announcements appearing every day. I was just trawling through it this morning, and I thought I'd pull out a few highlights...

Speaking of Security Podcast #114

Mon, 21 Jul 2008 13:00:00 +0000

Click to Download/Listen (05:51)

New co-host Amanda Van Veen interviews Linda Lynch, RSA® Conference Europe Manager, about this year's Conference in October. Learn about the early bird registration special as well as other helpful travel hints and session highlights. Register today: www.rsaconference.com/2008/europe.

OWASP Talk Q&A Notes

Fri, 11 Jul 2008 11:36:26 +0000

On Monday I did a talk on Web Services security at the MSP OWASP. The talk was ok, but not as good as at RSA because I Brian Chess did a better job with some of the stories than me. What was really good though was a number of questions and answers afterwards.

One person asked the old chestnut - "do we need to care about web services security if we are inside the firewall?" Now, I have heard this question many, many times in different ways, and this time my brain just shorted out, I basically said that I am not sure what difference it really makes. You don't get security from a firewall, you may get the ability to fire someone if they do something bad, but in most companies there is no "wall" and there sure isn't any "fire", at most they are speed bumps. I am *not* saying to remove them, they are part and parcel of how you operate a network but they are not really providing any additional security. Network firewalls are thought of as a security tools because they began as a security innovation and they are paid for out of the security budget.

Robert Garigue said several years ago that network firewalls are part of network hygiene like brushing your teeth. Information security should not have to help people brush their teeth, and instead should operate like a dentist helping groups work more complex and risky issues. I have advised CISOs at several companies to off load the network firewall jockeys out of infosec and into network groups. Sometimes they listen. If so, the infosec group can focus on other issues instead of managing a Visio-driven "security" device.

Why Visio? Well, the main security property from a firewall is the scary flames and brick wall on Visio. And how do you know whether or not to open up a port? You just open the org chart (in Visio) and find the level of the person who is requesting the port be opened. If VP Then Yes. Is this security? Hardly.

So one last time - Web Services are used to provide access to your main systems (which live on mainframes, big RDBMS, SAP, ERP, CRM, and so on) these are the keys to the kingdom, and lots of apps need them. The whole point of Web Services is to make it easier to talk to them. So "inside" or "outside" the firewall, do you need to care about authentication, authorization, and auditing on the systems that run your entire business???

Another interesting question from the Q & A from Jon Passki was on XML Security Gateways. We talked a fair bit about their utility in solving the aforementioned authentication, authorization, and auditing problems. I pulled up Vordel's gateway and showed how to build security workflows to deploy security as a service. Jon asked could I ever imagine a Web services security architecture without a gateway? I said I think that they are not always the starting point but mid to long term they are definitely in basically any effective security architecture I can think of. Having a place to deploy, manage, and enforce policy that is separate the code solves a lot of real world problems. People are hung up on thinking about Web services programming like it has to be Web app programming (this happens in REST a lot), but there is another school of successful web apps, arguably the most successful, and its called email.

Email app architecture looks nothing like web app design. You wouldn't read every email sent to your address would you? Of course not, it goes through spam filters, virus checkers and so on. Further its a message oriented paradigm, and you know that unless its signed/encrypted with PGP/GPG security is suspect at best. So yeah, I think gateways are an hugely important part of a Web Services security architecture.

Finally, I can also not imagine going live when you are supporting multiple protocols and token types without a good testing strategy. Mark O'Neill recently blogged something I recommend to all my clients - namely make sure you have security specific test cases, test harnesses and testing tools, like for example Vordel's Soapbox.