Twenty-Four Seven Security
Peter Schooff's blog is a daily look at what's going on in the world of computer security with an emphasis on how it affects businesses.
I have to admit, I hate Mondays pretty fierce, but Mondays after a vacation are just the worst. Yep, all last week I was having a blast with my family down in Cancun, Mexico, which makes me wonder why ebizQ doesn't add a section on tropical IT developments. I'd be more than happy to stay down south all through winter to cover the latest developments in tropical island IT news. You know, sort of a MargaritaITville, with lyrics like:
Wasting away again in ITville
Recovering from the latest data assault
Some people claim that there's a hacker to blame
But I know, it's my own damn fault
That's enough of that!
While I was away, ebizQ hosted a most excellent roundtable where some of the best and brightest sounded off on the future threats enterprises absolutely must watch out for. You can replay it yourself right here (just look for the replay now button).
Also, my podcast last week with Bruce Schneier has proven incredibly popular, and you can listen to that by clicking here. Make sure to tune in Wednesday this week when I post a response podcast from Sophos where I ask them directly about Bruce's conclusion that, one day, security won't exist as a separate product at all, but will be tied directly into whatever application you're using.
March 21, 2008
Is Security Dead, Or Just as Deadly As Ever
It seems that the security industry is at an interesting juncture, as it's been around long enough to have frightened pretty much everyone, and like anyone or anything that tries to play on your fears too long, it becomes downright annoying. Yep, I think the security industry is at its annoying stage.
Companies are annoyed at having to spend money to fend off risk after risk, only to find out they're still at risk, and consumers are annoyed that companies can't seem to get their act together and stop losing their damn data.
But the big problem is that there is one person who remains unannoyed and unafraid: yep, that's the hacker. Now I'm no expert in military doctrine, but it seems to me that one of the better times to attack your adversary is when they are annoyed, as that's when they've begun to lose their focus.
All the more reason we need to regain our security focus. And an excellent way to do that is by signing up for this Wednesday's 'Threatscape 2008,' hosted by Mike Rothman right here at ebizQ. If you needed any more proof that hackers are dreaming up whole new ways to attack your network, just sign up for it right here.
What follows is a transcript of my discussion with Bruce Schneier, Founder and Chief Technology Officer of BT Counterpane and the well-known Schneier on Security blogger. In this podcast we discuss current vulnerabilities, what the future of the security industry will look like, security industry consolidation, encryption, and finally, the time frame for changes in the industry to come about.
First, what threats do you see that companies need to be most concerned with at this point?
The biggest threat right now is crime. About five years ago, criminals discovered the internet in a big way, and whether it's identity theft, which is fraud, or denial-of-service extortion or other attempts to make money, crime is the primary threat on the net, and when we're worried about internet threats, we're worried about crime.
I've read some of your general comments about, essentially, in a perfect world, the security industry would be unneeded. Can you comment on that?
Well, not that it would be unneeded. I mean, security is extremely important and we need the industry to provide the technologies, tools and techniques to make us safer. What we don't need is to have that being sold to the end-user. So, for example, when you buy a car, it contains all sorts of safety features but you don't buy those safety features separately – they're embedded in your car. The reason you're buying a firewall is because your network's hardware and software isn't secure and that functionality should be embedded in your network. So, the future of security doesn't have it disappear, but it becomes embedded into the products you buy – into your operating system, into your networking, and as you buy larger things, security stops being a separate thing you buy and instead becomes a component of everything you buy.
What about the human element of security on both the security side and the hacker side. Won't that always leave sort of a margin of error where somebody, a third party essentially, is going to have to step in and regulate that or protect it?
Well, of course, right, you know, humans are always the weakest link in security. But, you know, it's only in the computer world that people expect absolute security. I mean, no one has ever provided absolute security against murder or burglary and the weak links are always human. So, yes, there will be residual threats, there will be the need for regulation, for law enforcement, for all the things that deal with security in the human world. That doesn't magically go away because you're using computers. And that is, right now, the biggest problem and will always be. The human element is what we have to deal with, whether it's honest users making mistakes or getting fooled, whether it's hackers who are deliberately manipulating things, whether it's the malicious insiders who have access and knowledge and ability – these are problems that are as old as civilization, they're not new.
Now, in this vision do you see consolidation as the answer to gathering all the security resources together?
It's not consolidation as we're used to. In the security industry, there are waves of consolidation, you know, big companies scoop up little companies and then there's lots of consolidation. You've got Symantec and Network Associates that way. And then you have "best of breed" where a lot of little companies spring up doing one thing well and then you cobble together a suite yourself. What we're going to see is consolidation of non-security companies buying security companies. So, remember, if security is going to no longer be an end-user component, companies that do things that are actually useful are going to need to provide security. So, we're seeing Microsoft buying security companies, we're seeing IBM Global Services buy security companies, my company was purchased by BT, another massive global outsourcer. So, that sort of consolidation we are seeing, it's not consolidation of security; it's really the absorption of security into more general IT products and services.
That makes a lot of sense. Now in this vision, do you see still a role for a small security upstart?
Oh, of course. And there always will be just like, again, using the automotive example, there are small companies that build safety equipment. But the thing is they're not going to sell to the end-user. If you're going to be a security start-up five years from now, you're going to sell your products or services to the operating system vendors, the networking vendors, to the large IT outsourcers. Your goal is going to be to get your idea, your product, your service, your patent, whatever your technology is, embedded in these larger product offerings.
Gotcha. Now to switch gears a little bit. I know you're quite an expert on encryption. Do you think the data on laptops and handheld devices – will that ever just be secure?
Again, I mean, we're talking about absolutes again. Will you ever be secure from murder? Of course, the answer is 'No', there will always be some risk. My laptop is encrypted, I use PGP disks, I'm very happy with it. It's a full disk encryption and my data is secure. Is it absolutely, 100% secure? Of course not. Is it good enough for every purpose I can think of? Well, pretty much, yes. So, sure, I mean, these are not hard problems. But yet, we have to get out of the absolute thinking. And that's very much computer thinking. No one would ever imagine saying "But you're still at risk for murder" even if you wear a bullet-proof vest – when are we going to fix that problem. We realize that problem never gets fixed. You know, laptop encryption is no different.
Now what do you see the timeframe on this? I mean, obviously, it's happening right now. Do you think five years in the future or?
I'm sorry, timeframe for what?
This encapsulation of security into the end product.
You know, I'm really hard at timelines. I figured it would happen already. We're seeing the signs of it. How fast it goes really depends on the appetite of organizations for buying larger IT products and services, for buying big contracts, like the kind that IBM Global Services, BT Global Services, AT&T Global Services provide. As those become more ubiquitous, the technology starts becoming embedded and then gets sort of encapsulated away.
Just wanted to make sure my readers were aware that the internet content security company, Trend Micro, fell victim to a massive Web attack last week. According to CSO Online, the attack happened last Thursday and more than 20,000 pages were affected by the attack, infecting them with malicious code that tried to install password-stealing software on visitors' computers.
I see this attack like cops see those people who attack cops -- you hit back with overwhelming force, because anyone who would attack a cop wouldn't hesitate to attack a regular old civilian. So how did these hackers get at Trend Micro, and what does that mean for us civilian websites?
Quick note: this is all the more reason to bone-up on what attacks we can expect in the future by attending ebizQ's Threatscape 2008. Sign up right here.
Experts aren't certain how the attackers did it, but all the infected web pages did use Microsoft's Active Server Page (ASP) technology, which is used to create dynamic HTML pages. Also, the affected pages were not directly infected; rather, the hackers added a bit of JavaScript that redirected visitors' browsers to invisible attacks launched from servers in China. This same trick was used last year on the Miami Dolphins website just before last year's Super Bowl.
One good thing is that users whose software is up-to-date were not at risk, but McAfee warns that some of the exploits target ActiveX controls for online gaming: not altogether ubiquitous, but rare enough that someone may not think to patch them.
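The practical question for the rest of us is how to notice the kind of injection described above on our own pages. As an added illustration (example code written for this page, not Trend Micro's, CSO's or ebizQ's), here is a small scanner that walks a page's HTML and flags any script or iframe source that points off-site, and separately calls out zero-size iframes, the usual shape of a drive-by redirect. It assumes the site's own hostnames are known up front; the allow-list, the sample pages and the off-site hostnames in them are all constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hostnames the site legitimately loads script from (assumption for this example).
FIRST_PARTY_HOSTS = {"www.example-corp.test", "static.example-corp.test"}


def _is_hidden(attrs):
    """Zero/one-pixel or display:none iframes are the usual drive-by redirect shape."""
    if attrs.get("width") in ("0", "1") or attrs.get("height") in ("0", "1"):
        return True
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


class InjectionScanner(HTMLParser):
    """Record <script src> / <iframe src> that point at hosts outside the allow-list."""

    def __init__(self, first_party):
        super().__init__()
        self.first_party = {h.lower() for h in first_party}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "iframe"):
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return                      # inline script, or iframe without src
        host = urlparse(src.strip()).hostname
        if host is None:
            return                      # relative URL: same origin as the page
        if host.lower() in self.first_party:
            return
        reason = "off-site " + tag
        if tag == "iframe" and _is_hidden(a):
            reason = "hidden off-site iframe"
        self.findings.append((reason, src))


def scan_html(html, first_party=FIRST_PARTY_HOSTS):
    """Return a list of (reason, src) for every off-site script/iframe reference."""
    scanner = InjectionScanner(first_party)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample pages (not real ebizQ or Trend Micro content).
CLEAN_PAGE = """<html><head>
<script src="/js/app.js"></script>
<script src="//static.example-corp.test/lib.js"></script>
</head><body><p>Product page</p></body></html>"""

INJECTED_PAGE = """<html><head>
<script src="/js/app.js"></script>
<script src="http://198.51.100.7/a.js"></script>
</head><body><p>Product page</p>
<iframe src="http://attacker.invalid/x" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(name, scan_html(page))
```

Run this over the pages your web server actually emits (not the templates on disk), since the article's point is that the injected code lived in the served ASP output. The scanner only catches references by host; inline, obfuscated JavaScript that builds the redirect at run time needs a different check, such as diffing served pages against a known-good copy.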
Trend Micro is not the only company to end up hacker chum, as this past January parts of CA's Web site were infected with a very similar type of attack. And what does that mean for us? Be wary, but what can you do but business as usual.
I hate to say it, but the way things are lining up, it's almost a certainty that things are going to get worse before they get better. And this comes at a time when almost anyone you ask on the business side of things (i.e. accounts payable) is sick to death of hearing about this threat and that threat which invariably leads to pay this and pay that.
But all of the things that make offices more efficient also work just as well for hackers. And the net is still relatively young, and who knows what it's going to look like and how we're going to interact with it 10 years from now (but if you want to know what threats to expect in the next few years, I highly recommend signing up for ebizQ's Threatscape 2008). One of the problems is, the killer security app has just the same chance of being invented as the killer security vulnerability.
I did have a fascinating conversation with Bruce Schneier about the very future of security, which I recorded, so make sure you look for it this Thursday.
Finally, the fact that many companies only spend money on security after an incident has taken place means that of course companies are going to start out with a bad feeling about our industry. And if the same company experiences a successful attack against them after deploying some security product, well, I can almost feel the resentment brewing already.
But that simply does not mean companies can just dismiss and ignore security altogether. It's going to have to become common knowledge that, in essence, "Hackers don't exploit companies unless the companies let them."
While it might be tempting, when faced with all the complexities and costs of security solutions, for a small to medium sized company to just look the other way when it comes to security, to just keep thinking that that's a problem for those bigger, more well-known companies, as data breach after security attack nowadays attests, that's exactly what hackers are hoping you do.
And with the do-nothing approach to data security, hackers are not even your main problem. If the temptation and capability is there to snoop on other people's data, many employees simply find it irresistible. And this is not just a problem for SMEs.
One big proponent of taking an active role in your security is Mike Rothman, who is hosting a security roundtable next week right here at ebizQ, called Threatscape 2008, where he's going to explore this subject in depth, along with many other threats critical to companies today, which you can check out right here.
A recent article at The Courier-Journal shows exactly how overly tempting unprotected databases can be. Employees at Milwaukee-based WE Energies, which is Wisconsin's largest utility, routinely dipped into the massive utility database. Landlords checked on tenants, friends checked up on acquaintances, girlfriends delved into the records of ex-boyfriends, and those are just the ones that got caught.
Most distressing of all, this is apparently common practice with utilities. The WE Energies database included stuff you would expect, like credit card info, banking history, payment history, SS#s, address, phone, and energy usage, but also things you would never suspect, like income and medical info. Pretty much everything you'd ever want to know about a friend or enemy (or the new type of acquaintance, the frenemy), but would never dare ask.
Besides just being wrong, this sort of data dipping should be illegal, but whatever it is...it all starts with whoever is overseeing the database. Databases need to be locked up, and then database access needs to be monitored, or easy access like this can quickly spiral into easy lawsuits.
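What "monitoring database access" looks like in practice, as an added example that is not from the article or from WE Energies: a small script over a customer-record audit log that flags two patterns behind the snooping described above, lookups made with no work order to justify them, and bursts of many lookups in a few minutes. The log format (timestamp, employee id, account id, work-order id or "-") and the sample lines are constructed for the example; a real audit trail would come from the database's own auditing.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed audit log: timestamp, employee, customer account, work order ("-" = none).
AUDIT_LOG = """\
2008-03-10T09:01:12 emp042 acct10001 WO-5531
2008-03-10T09:03:40 emp042 acct10002 WO-5532
2008-03-10T12:15:03 emp077 acct20450 -
2008-03-10T12:15:59 emp077 acct20451 -
2008-03-10T12:16:30 emp077 acct20452 -
2008-03-10T12:17:11 emp077 acct20453 -
2008-03-10T12:17:55 emp077 acct20454 -
2008-03-10T12:18:20 emp077 acct20455 -
2008-03-10T14:02:00 emp042 acct10003 -
"""


def parse_log(text):
    """Turn the whitespace-separated audit lines into dicts; '-' means no work order."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, emp, acct, wo = line.split()
        rows.append({"ts": datetime.fromisoformat(ts), "emp": emp,
                     "acct": acct, "wo": None if wo == "-" else wo})
    return rows


def untracked_lookups(rows, escalate_at=5):
    """(employee, level, count) for every employee with lookups lacking a work order.

    One stray lookup gets a 'review'; escalate_at or more gets 'escalate'.
    """
    counts = Counter(r["emp"] for r in rows if r["wo"] is None)
    return [(emp, "escalate" if n >= escalate_at else "review", n)
            for emp, n in sorted(counts.items())]


def lookup_bursts(rows, window=timedelta(minutes=10), limit=5):
    """Employees who made more than `limit` lookups inside any `window`, with the peak count.

    Sliding window over each employee's sorted timestamps; a landlord or ex
    scrolling through records shows up as a burst even if each lookup is small.
    """
    by_emp = {}
    for r in rows:
        by_emp.setdefault(r["emp"], []).append(r["ts"])
    flagged = {}
    for emp, times in by_emp.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count > limit:
                flagged[emp] = max(flagged.get(emp, 0), count)
    return flagged


if __name__ == "__main__":
    rows = parse_log(AUDIT_LOG)
    print("untracked:", untracked_lookups(rows))
    print("bursts:", lookup_bursts(rows))
```

The two checks are deliberately independent: the work-order check catches a single unjustified peek, and the burst check catches someone who does have a plausible pretext but is clearly browsing. Either one only works if the log records who looked at which account, which is the "locked up" half of the article's advice: no shared accounts, and no access path that bypasses the audited one.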
Just trying to finish up the list that I started two blogs ago (the first part is right here).
So, continuing with the list of the top five insider threats and how to avoid them:
4) The information leak -- with the proliferation of hand-helds, MP3 players, digital cameras, USB memory sticks, along with the numerous external free email services, it's often way too easy for an employee to walk off with a heaping helping of your company's customer list. A survey in the UK found that a fourth of all employees admitted to copying data onto mobile devices at least once a week, while 40 percent say they use USB sticks to move data around.
To avoid this, companies can use software to specify what devices can be connected to the corporate network along with what data can be downloaded, and it's not difficult to disable a USB port or remove a CD-ROM drive that's not needed. Workers also need to be educated about company data policy, and the company should also consider blocking access to web-based email and data-storage services (I guess you could call that Data Theft as a Service).
5) Outright illegality -- A good reason for an employer to take the necessary precautions to prevent computer abuse at work is that a company is responsible for everything employees do on the computer network (including illegal activities) unless the employer can prove they took certain precautions. Security experts recommend a two-pronged approach: one, use monitoring software to keep an eye on employees' activity, and two, craft an acceptable computer use policy for all employees and make sure the document is signed by everyone.
That ought to do it. And you'll see none of the steps above simply recommend trusting the employees, but as they say, Trust has to be earned, while pretty much everyone gets internet access.
March 12, 2008
Is This How Our Security Should Be?
Regular readers of this blog know that sometimes I counter-program, i.e. I get a little off the security topic, as my previous ten year life as a New York City humor writer refuses to stay combed down.
On that note, here's the link to a video of someone breaking into a liquor store. This fellow has a spot of trouble getting in, but the real trouble begins once he gets inside (and as I was watching it, yes, I admit, I was thinking wouldn't that be something if hackers who break into databases had to go through such an ordeal). And as I'm still hobbled from a recent fall on ice (which, even though I'm tall, was only from foot height), I had to marvel at this fellow's ability to fall from great heights again and again. And again.
Also, another reminder: ebizQ has a great discussion coming up on future security threats called Threatscape 2008, with several leading security minds joining the fray; I don't see how you can miss it.
Here's the video (make sure you watch until it cuts from outside to inside): Click Right Here!
March 11, 2008
Watch Out for These 5 Insider Security Threats
The US Computer Emergency Response Team (CERT) recently estimated that 40 percent of all security breaches happen from the inside, while another study estimated that 90 percent of computer crimes are committed by employees of the company. And if that person is NOT you (it's not you, right?), then here's what to look for and look out for (taken from ZDNet).
1) Insider Cyberattacks -- CERT research found that most cyberattacks are undertaken by system administrators or other ITers with privileged access. So, as the saying goes with waiters, that you should never anger anyone who comes into contact with your food, I think it's best not to go out of your way to anger anyone who controls the company network. Of course, folks in IT have been known to abuse their privileges without provocation, so it's good that today there are plenty of Network Access Control tools that can keep an eye on them as well as cancel all their access the very second their employment ends.
2) Social Engineering -- Like they say, there's a sucker born every minute, and very likely, they're working in the cubicle right next to you (or, God forbid, occupying the corner office). You know who I'm talking about: the sort of folk who absolutely refuse to open the email that promises them more money than Bill Gates until they've seen it for the fiftieth time.
To beat this, employee education is key, so that even if they get an email from their best friend forever asking for all of their banking information along with their key code, maybe it'd be a good idea to pick up a phone and call that best friend to tell them they never discuss their security passwords or bank info with anyone.
3) The Malicious Download -- Yes, the internet can be a great seductress, and when the average employee surfs the web for an hour a day on company time, the opportunities to slip up are near infinite. With viruses increasing by 50 percent each year, the best advice is to patch early and patch often, and that includes patching your human resources after firing those employees who simply refuse to stop surfing those risky web waters.
My blogging time is up, so the final two I'll include tomorrow, and if you do feel quite concerned about all the upcoming threats that you know and don't know about on the internet, make sure to tune into ebizQ's Threatscape 2008.
March 10, 2008
Must Security Always Be Behind the Curve?
There are a lot of very interesting quotes on the recently published transcript from ebizQ's SOA Security roundtable, which you can find here.
The following quote is from Gunnar Peterson:
...security is really pretty much always going to be behind the curve.
When you think about it, that's pretty much how it's always going to be. Sure, security can sneak out in front of the threats once in a while, and with penetration testing, in some ways permanently, but if there's any industry that is more able to shift on a dime and change its means of attack, it's the hacker. How so? Well, as the barrier to entry for a hacker is next to nothing, if something effective is developed to stop them, they just move on in force to the next vulnerability (which they share via hacker bulletin boards).
Kind of like the mouse I recently found in my apartment. I've tried snap traps, glue traps, even tried steel wooling it out of my apartment, but I guess this mouse has seen it all, because the mouse is still around. But the one thing I have not done, and will never do, is accept the mouse.
And as corporations will never accept the hacker's right to their data, security will always be behind the curve, blocking off the most recent exploit while the hackers move on to the next. Like a game of musical chairs, only the loser is always us.
So as SOA is pushing IT to turn everything into a service, SOA is shaping up to be one of the future battlegrounds between hackers and security. All the more reason to pay a visit to our SOA security transcript here.
Also, I'm getting excited about our upcoming March security webinar that's going to dive straight into the frothing seas of future security threats, Threatscape 2008.
According to a CompTIA survey of 3,500 technology professionals in North America, there's a big gap between the security skills organizations are searching for and the actual skills the workers have.
Isn't that sorta like hiring Batman, and instead of riding in on the Batmobile, he comes pedaling on a bat-tricycle. And instead of living in the Batcave, he lives in the bat-basement below his bat-parents. OK, that's enough of that.
But the fact is, as security now tops the list of IT skills companies view as most important, there is a serious shortage of those skills available out in the tech workplace. Drilling down into the data, 73 percent of companies identified security, firewalls, and data privacy as the most important IT skills, but only 57 percent found their employees proficient in these skills. The gap proved even wider in countries with more nascent IT industries like China, Poland, India, Russia, and South Africa.
As there seems to be no shortage of hackers, and they have now gotten so sophisticated that they even test out their malware (would you call that Penetrator Testing instead of Penetration Testing?) in simulations, I wonder what the success rate is of turning hackers into CSOs. Or is it, Once a hacker, always a hacker?
March 05, 2008
Rating Security Risk Like Credit Risk
Moody's, well known for rating companies' credit risk, has undertaken an initiative to start rating various vendors' security risk. This is intended to take the place of the often exhausting (for both the company and the vendor) and incomplete efforts of an extensive security assessment.
According to CSO Online, the Vendor Information Risk Rating Service will provide a ranking between 1 and 5 (with 1 the best), with scores based on 11 different categories such as access control, business continuity and data security.
It seems to me that this is certainly something that could be standardized, as most security assessments are trying to spotlight the same things. At this point, the business model is not yet set in stone, but Moody's intends to charge companies $23,000 to be assessed, and on the other side, ask subscribers to pay around $1,500 per report.
Of course, for such a system to work, Moody's would have to persuade enough companies to subscribe (early interest would be in the financial sector), which would in turn create a demand for companies to be assessed. Moody's is expected to introduce this service this week, so we will see.
My blog yesterday on the necessity of security, along with a recent forward I got from a friend about predictions for the next 100 years done in 1900, really has me thinking about the future of security.
Of course, I am not foolish enough to think that such a prediction is possible, but the trouble is, I'm also old enough to know that, whether I anticipate it or not, 100 years will most certainly pass. It was also very interesting to see the document about the next 100 years, published by the Ladies' Home Journal in 1900. Some of the real doozies were:
There will be no C, X, or Q in our everyday alphabet: Also, English will be the most popular language (yes!), and Russian will be the second (don't think so).
Hot and cold air from spigots: they assumed we would use this method to heat and cool our home. Guess they didn't anticipate television, and the fact that we would be getting our hot air beamed into our homes everyday by the politicians.
No mosquitoes nor flies: Guess someone forgot to tell that to the mosquitoes or flies. But maybe Web 11.0 will include the animal and insect kingdom.
Automobiles will be cheaper than horses: right on that account, but in the next 100 years, who knows (although I'm not rushing out to buy stock in Purina Horse Chow).
Everybody will Walk Ten Miles: They're right, and although I think they meant we would walk that in a day, they're right if you count how much we walk IN A YEAR.
Quite fascinating documents, which you can access right here.
So what do I think the next 100 years of IT security will hold?
Well, all I'll venture to guess is that it will definitely still be around. And I feel pretty confident about making that guess, because the oldest known lock is estimated to be 4,000 years old, and we certainly haven't done away with locks and keys. So security will be around, and it will be both built in and external.
The reason for the somewhat nonsensical title to today's blog is it's a response to some commentary on Wired by Bruce Schneier written awhile ago, which essentially wonders why security is even necessary. While this was written in May of 2007, I believe that many of the points Schneier made are still particularly valid.
Today's security is mostly built after the fact, after the vulnerability has been exploited, and in how many other industries would such a system work? I mean, you can't exactly sell life insurance after the guy is dead.
The entire existence of the security industry today depends on IT products and services that are not secure. This is a very inefficient way to manage and spend security money. The most problematic part of this arrangement is that, for all the security products and services and doomsday bluster, systems remain effectively insecure.
Also, as Schneier says, "As IT becomes more of a utility, users are going to buy a whole lot more services than products. And by nature, services are more about results than technologies. Service customers -- whether home users or multinational corporations -- care less and less about the specifics of security technologies, and increasingly expect their IT to be integrally secure."
Why can't applications be secure right out of the box? The fact is, things are definitely trending this way (see Rothman's excellent Penetration Testing article).
The way I look at it, you can make every application as secure as Fort Knox (by the way, is Fort Knox still the Gold Standard in security, or are they just piling gold bricks behind a hurricane fence these days?), and there are still going to be vulnerabilities. Because as I've said here time and again, the main security loophole is us: wetware, the human being, the 99 percent-of-the-time smart and savvy but only occasionally gullible and dumb-as-bricks (I'm speaking for myself here) security loophole.
So I guess if security is ever going to get truly effective, we're gonna have to get something to plug or download into us. And like they say in the military, Generals are always fighting the last war, and as far as I can see, there is always going to be an effective hacker insurgency doing active battle against our networks and data, forcing us to change strategies and troop alignments (i.e. security spending).