Spire Security News and Views
Spire Security is a market research and analysis firm dedicated to bringing clarity to the information security world. This is Pete Lindstrom's blog - focused on providing analysis and insight to the happenings of the day, current security trends, and missing pieces to the information security puzzle.
Monday, March 01, 2004

One Last Point

One might infer from Ephraim Schwartz's InfoWorld column that I am either bitter or draconian. I am not. What I want folks (i.e. enterprise security professionals) to understand is that they need to take a strategic approach to security and really understand exactly what they are doing. The idea is to manage risks.

So my real point is: stop whining. Do what you can. Be clear and specific. Okay, that is three points.


9:44:29 AM

Security Partnerships

Almost a year ago, I was mistakenly misquoted as being a heavy skeptic of a security partnership announced at RSA 2003. Here was my reaction to that article:

"Wow. This is perhaps my worst misquote ever, and to think it came from the Associated Press. I don't recall the word 'disaster' ever coming out of my mouth, and if it did it certainly was not anywhere near this context. Just to set the record straight: it is hard to poke holes in partnerships because there is always some value in groups discussing things. The real proof of success lies down the road when progress reports are made. So I tend to be lukewarm on partnerships such as this with the hope of waiting for some concrete developments."

It is just after RSA 2004 and my lukewarmth has turned cold. I am getting very close to believing the exact thing that I didn't say last year - though the use of the word 'disaster' is a bit melodramatic for my taste. But certainly suggesting that these partnerships are either neutral or likely to do more harm than good is becoming a reality.


3:08:16 AM

Software Security Data Sheets

Ephraim Schwartz from InfoWorld wrote in his column this week about a discussion he and I had. He is right, we did have a long discussion (actually a handful of discussions) and I am glad he is bringing these ideas, some of which are not incredibly unique in the security space, to the mainstream world. Anyway, it is probably worth elaborating a bit on some key topics:

On VPNs. The key takeaway should be that you understand what VPNs can and cannot do. Their primary function is to protect the confidentiality of communications. Your risk assessment should have identified this threat as important if you have a VPN. What really gets my goat with VPNs (or regular SSL for that matter) is that non-security folk often misconstrue the relative level of security that you can attain from them. VPNs are great - they are not a panacea and do nothing to protect a client or host, which are generally much easier and usually more lucrative targets.

On MyDoom and Viruses. I am a big believer in allowing the end user to do whatever he/she wants on his/her desktop. I absolutely believe that enterprises need antivirus on the mail server and if they don't want that, there are other techniques that can protect them. But MyDoom was really a virus that targeted the little people - Grandmothers and children, small businesses and home offices, etc. All of those folks who have nobody to protect them. Unless... ISPs get more involved in this protection. I am no fan of AOL's previous actions, but I absolutely believe that ISPs need to be more involved.

On Performance and Usability. Security is always a tradeoff, and performance and usability are the two primary candidates for competition.

On Standards. Standards are a "problem" when it comes to security, but the tradeoff is extremely valuable. They are the reason the Internet exists today. So security folks have to get over it and build that into their protection plans.

On Microsoft. Microsoft has always given us what we wanted; unfortunately, we are only now realizing it wasn't what we needed. It is doing an admirable job digging itself out of the hole we all created, but it will take time.

On Software Security Data Sheets. SSDSes are not intended for humans to read and take action on. Think of them more like an XML Schema that can be populated and then read on the host. There is no reason that an ISV couldn't come up with them. The real value is that the SSDS would be a hedge against software liability.



2:37:59 AM


© Copyright 2004 Pete Lindstrom.
Last update: 5/28/2004; 4:46:43 PM.