Security
Spire in Action

June 19, 2006
"Security Metrics Workshop"
InfoSecurity Canada
Toronto, Canada

May 24, 2006
"Multiple Panels"
SecureWorld Expo
Chicago, IL

May 2, 2006
"Multiple Panels"
SecureWorld Expo
Atlanta, GA

April 19, 2006
"Multiple Panels"
SecureWorld Expo
Philadelphia, PA

April 13, 2006
"Security Metrics"
ISC2 Training
San Jose, CA

March 15, 2006
"Multiple Panels"
SecureWorld Expo
Boston, MA

March 9, 2006
"Security Metrics that Matter"
Archer Technologies User Conference
Orlando, FL

February 17, 2006
"Quantifying Risk - Security Metrics"
RSA Conference
San Jose, CA

December 14, 2005
"Multiple Panels"
SecureWorld Expo
Dallas, TX

December 8, 2005
"Vulnerability Management Panel"
InfoSecurity NY
New York, NY



  

Four Disciplines of Security

There are four disciplines of security management that every enterprise must practice to secure a computing environment:

Identity Management - how we manage, authenticate, and control access for users through the assignment and management of user accounts.

Vulnerability Management - includes assessing exposures and protecting systems, platforms, and applications.

Threat Management - encompasses preparing for future attacks, identifying attacks in progress, and managing incidents.

Trust Management - how we deploy security measures to keep risk to an acceptable level while enabling computing activities.


What's New at Spire

1/31/2005    Another Temp Blog  
 I am in the process of updating my website. Will be fully blogging within a month. Here is another blog site (different from the previous one).

5/28/2004    Website Update - New blog  
 For those of you wondering where the updates are here, I have been trying out blogging software for the website. It is still under development, but if you'd like to have a look, check out www.spiresecurity.com/blog.

1/29/2004    Also known as baloney  Spire Commentary
 

We must be the laughing stock of the professional world, what with each virus having multiple ridiculous names. Heck, we have porn queens, soda pop, dogs (where we can't even get the spelling right), and a hodgepodge of everything else.

Why can't we develop a system like any other group that deals with recurring phenomena? The scientific community already has its Kingdom, Phylum, Class, Order, whatever system. Meteorologists use predetermined people's names for hurricanes. Chemists have naming systems. Everyone has a naming system except security folks. And everyone abides by them.

So here is my top ten list of systems to use in order to name these viruses:

1. Reading primer three-letter words. Nobody would write viruses any more if they knew theirs was going to be called 'cat.'

2. The discoverer's middle name plus the street name where he or she grew up. For those folks that thought 'Melissa' was pretty cool.

3. Real viruses. Duh.

4. The date of discovery in hexadecimal form. For the geek in you.

5. The same system most people use for their passwords. At least they would be easy to remember (or guess).

6. The source IP for the first known instance. Hey, even if it is spoofed, it would be interesting.

7. Ben & Jerry's flavor names.

8. Street names in Seattle. All roads lead to... oh, forget it.

9. The Fortune 500. Maybe a lawsuit or two would shake things up for real.

10. Give me one of yours...

At the very least, we should have limits, like they have to be palindromes, or they have to write a sentence that has the name as a mnemonic. Maybe we should have charity auctions where people can pay to name the virus. Money opportunity: we could sell viruses the way they sell stars.

Well, all I know is that this current free-for-all is pretty ridiculous.


1/16/2004    Catching flies with honey?  InfoWorld
 

This article expresses concern about the use of honeypots in the enterprise. I used to be in the same boat, and still basically believe that traditional honeypots can be time-consuming. But expanding on the capabilities slightly can lead to some interesting possibilities.

Honeyresponders (HR) respond to all scans with bogus information. As soon as a source zeroes in on the HR, it blocks the IP. The premise is that there is no reason for anyone to be accessing services on the HR (because by definition there are no functional ones) and so every source headed in that direction must have malice in mind.

Honeytokens deserve a lot more attention. Most often, they take the form of bogus data inserted into legitimate datastores. Anybody accessing the data should be reviewed to understand why. The hard part here is just keeping track of the records. This type of solution would be valuable for "insider threat" monitoring.

By the way, I think all security researchers and ISPs should be deploying honeypots to really ascertain what is going on on the 'Net.
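The honeytoken bookkeeping described above, as an added example that is not part of the original commentary: it keeps a registry of planted records and pulls every access to one of them out of a datastore access log for review. The log format, table names, record IDs and key are constructed assumptions, and storing keyed digests instead of the decoy IDs themselves is one design choice, not something the commentary prescribes.

```python
import hashlib
import hmac

# Constructed key; assumed to be stored outside the monitored datastore.
REGISTRY_KEY = b"constructed-demo-key"

def token_tag(table, record_id):
    """Keyed digest of a planted record, so the registry never lists decoys in clear."""
    msg = f"{table}:{record_id}".encode()
    return hmac.new(REGISTRY_KEY, msg, hashlib.sha256).hexdigest()

def build_registry(planted):
    """Turn (table, record_id) pairs for planted records into a set of tags."""
    return {token_tag(table, rid) for table, rid in planted}

def parse_line(line):
    """Parse 'timestamp user table record_id' (hypothetical access-log format)."""
    parts = line.split()
    if len(parts) != 4:
        return None  # malformed lines are skipped, not treated as hits
    return dict(zip(("ts", "user", "table", "record_id"), parts))

def review_queue(log_lines, registry):
    """Return every access event that touched a planted record."""
    hits = []
    for line in log_lines:
        ev = parse_line(line)
        if ev and token_tag(ev["table"], ev["record_id"]) in registry:
            hits.append(ev)
    return hits

def summarize(hits):
    """Group honeytoken accesses by user so a reviewer can ask each one why."""
    by_user = {}
    for ev in hits:
        by_user.setdefault(ev["user"], []).append((ev["ts"], ev["table"], ev["record_id"]))
    return by_user

# Constructed sample data: two planted records and five log lines.
PLANTED = [("customers", "900417"), ("payroll", "E-7731")]
SAMPLE_LOG = [
    "2004-01-16T09:02:11Z asmith customers 100233",
    "2004-01-16T09:05:40Z bjones customers 900417",
    "malformed line",
    "2004-01-16T09:07:02Z bjones payroll E-7731",
    "2004-01-16T09:09:18Z cwu payroll E-1002",
]

if __name__ == "__main__":
    queue = review_queue(SAMPLE_LOG, build_registry(PLANTED))
    for user, events in summarize(queue).items():
        print(user, events)
```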


12/22/2003    Merging Managed Security  eWeek
 

12/22/2003    Surebridge joins hosted antispam game  searchNetworking
 

12/19/2003    BankRI customer information stolen along with laptop  ComputerWorld
 

This article illustrates a problem that is so symptomatic of our space, I want to scream. So, folks, what are we doing wrong? This CEO thinks that installing encryption and fraud detection software after an incident is somehow adequate.

"'We are making certain what limited information is on [the laptops] is encrypted. We don't think there's any sensitive information on them. But we're acting in an abundance of caution with respect to those laptops,' BankRI President and CEO Merrill Sherman said."

How ludicrous is that? How come we never hear all of the other banks say "Since Bank of RI got their information stolen, we realize that it could just as likely happen to us, and so we are installing encryption and fraud detection software before we get hit."?


12/19/2003    Compliance drives security investments  searchSecurity
 

12/16/2003    VeriSign to Acquire Security Services Provider Guardent?  eWeek
 Nice scoop on Dennis' part. This is the second of two acquisitions this week, and another 'slam dunk' when it comes to fit. Guardent needs the strength of a VeriSign to penetrate into the very large accounts and VeriSign needs Guardent's security expertise to expand its business.

12/16/2003    Check Point Software Buys Zone Labs for $205 Million  InformationWeek
 This was the first of two (so far) security acquisitions this week. It is pretty difficult to see any negatives from a product perspective - Check Point has needed to expand for some time and Zone has done a great job growing the personal firewall market.

12/12/2003    InfoSecurity zooms in on management, mobility  Network World Fusion
 

12/11/2003    Bill Gates to address RSA Conference  Infoworld
 This sounds a bit more melodramatic than I intended. The "brave" part is just a function of the animosity of the RSA crowd. I hope conference planners will be on the lookout for eggs and pies - security folks aren't known for their manners. I also hope folks begin to at least objectively evaluate the work Microsoft has done in security over the past few years. It's hard to turn an aircraft carrier, but I believe they are trying.

12/8/2003    NC-1000 gateway now has network firewalls  Federal Computer Week
 A move toward applying security solutions based on logical segmentation? Say it ain't so... This is a hot one.

11/24/2003    Enforcing Security at the End Point  Informationweek
 

11/24/2003    Nachi worm infected Diebold ATMs  Securityfocus
 Security of ATMs is turning into a slight rat's nest of networks connected to networks.

11/5/2003    Security Bounty Hunters  Spire Research
 

On November 5th, Microsoft and federal law enforcement agencies announced the creation of a $5 million fund to reward the bearers of information leading to the arrest of virus and worm writers. The first use of this fund will be a bounty of $250,000 each to identify and catch the writers of MS Blaster and Sobig (the “worms of summer”), for a total of $500,000.

This announcement promises to change the playing field of Internet hacking, strengthening the position of law enforcement and weeding out script kiddies and others who balk at the increased risk involved with writing viruses and worms, an activity that has no individual payback anyway.


11/5/2003    $250,000 Bounty To Nail Blaster, Sobig Authors  Informationweek
 Attention script kiddies - one of your friends will gladly turn you in for $250k.

11/4/2003    Microsoft locks down intellectual property  searchWin2000
 

11/4/2003    Microsoft to offer bounty on hackers  CNet News
 

11/3/2003    Keeping Secrets  Computerworld
 

11/1/2003    All Together Now  Information Security Magazine
 This is my take on the whole "monoculture" issue. Basically, it is impractical and unrealistic to somehow change, so we should get over it and secure what we have.


About Spire Security

Spire Security, LLC conducts market research and analysis of information security issues and requirements. Spire provides clarity and practical security advice based on its “Four Disciplines of Security Management,” an operational security model that encompasses identity management, trust management, threat management, and vulnerability management. Spire’s objective is to help define and refine enterprise security strategies by determining the best way to deploy policies, people, process, and platforms in support of an enterprise security management solution.

Pete Lindstrom


"clarity makes the security world stronger"  
 
 
 
 
 

©2003 Spire Security LLC