Archive for August, 2006...
Filed under Security
Let’s look at a scenario.
Most security managers will limit the ports users can use going out to the Internet. You typically allow http and https, and maybe ftp. It just doesn’t make sense to allow “Any” out to the Internet. This will limit your attack vectors by not allowing IRC and other such dangerous protocols. There are also other things you can do to block what the firewall won’t see (protocol blocking, proxying, layer 7 filtering, etc.).
In the same manner, most organizations block incoming ports as well if they are not needed. Why allow http or ftp traffic in if you don’t have a web or FTP server? But if you do have these types of servers on your network, you might implement another layer of security by using non-standard ports on your webservers to help combat ID theft and other attacks. Basically, instead of using port 443 for SSL, you might set something like 8000 or 8700 or 8900… And many security admins and managers attest to the success of this approach. They claim to see fewer attacks because your typical script kiddy is going to be using scanning tools to look for standard ports and will just skip over those sites without those ports. Makes sense. Colleges and universities are big advocates and users of this approach.
But what about the security admin / manager who limits the ports his users have access to but also has a staff with a high percentage of professionals who have to access those very schools and other organizations that implement this type of security by obscurity (SBO)? Many are working on their degrees. Many are researchers that have regular access into university networks. These are legitimate needs for these types of professionals, so he can’t say “too bad, do your work at home”. If they were all accessing one or two different networks, then no big deal, but it just ain’t that simple.
What you have here is a “security collision”.
Basically, the security manager of the organization with staff trying to access these sites using SBO has to open ports to allow the traffic. But then you cause potential security problems because malicious insiders and malware (bots, etc.) might take advantage of those ports. So you try to limit that exposure by narrowly defining the policies by using specific source and destination IPs in the policy. That becomes a headache quickly because of the sheer number of policies this has the potential of creating. So what is this security manager to do?
Looking at this narrowly, SBO raises its head as the issue. I have spoken for SBO in the past, and I continue to think it is a legitimate tool in the security manager’s arsenal. Some people argue that if you have appropriate security measures in place you won’t need it. I contend that SBO can be one of those “appropriate security measures” and you should have layers. But it can cause headaches for others. Should that deter the security manager from using it? Probably not. You have to look out for your data and network first (and if some admin from another company calls me and starts griping that I am using non-standard ports, and it is causing him headaches, he might find himself on the “blocked IP” list quickly).
However, the above scenario is merely an example of the problem. There are other security collision problems out there.
Another example is caused by the fight against spam, namely reverse DNS lookups. Here is an excerpt from this 2004 Security Focus article:
1.4.1 Host-less and vanity domains
The reverse lookup approach requires email to originate from a known and trusted mail server located at a well-known IP address (the reverse-MX record). Unfortunately, the majority of domain names are not associated with static IP addresses. Omitting cyber squatters, the general case includes individuals and small companies that want to use their own domain rather than their ISP’s, but cannot afford their own static IP address and mail server. DNS registration hosts, such as GoDaddy, provide free mail forwarding services to people that register host-less or vanity domains. Although these mail forwarding services can manage incoming email, they do not offer free out-going email access.
Reverse-lookup solutions cause a few problems for these host-less and vanity domain users:
- No reverse-MX record. People sending email from a host-less or vanity domain simply configure their mail application to send email from their registered domain name. Unfortunately, a lookup of the sender’s IP address will not find the sender’s domain, and a lookup of the sender’s domain may not find the correct reverse-MX record. The former is particularly common for mobile, dialup, and other users that frequently change IP addresses.
- No outgoing mail. One possible solution requires relaying all outgoing email through the ISP’s SMTP server. This would provide a valid reverse-MX record for sending email. Unfortunately, many ISP’s do not permit relaying when the sender’s domain is not the same as the ISP’s domain.
In both cases, someone that uses a vanity domain, or a domain that does not have its own mail server, will be blocked by reverse-lookup systems.
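As an added illustration (not from the Security Focus article or this blog), here is a toy model of the two lookups the excerpt describes, run over a constructed in-memory DNS table. The “reverse-MX” record is modelled as the list of IP addresses a domain publishes as its legitimate outbound mail servers (an assumption about the article’s term), and every domain and address below is made up.

```python
"""Toy model of the reverse-lookup anti-spam check and why it rejects mail
from host-less / vanity domains. Added example; all DNS data is constructed."""
from dataclasses import dataclass

# Constructed PTR data: sender IP -> hostname the reverse lookup returns.
PTR = {
    "203.0.113.25": "mail.bigcorp.example",      # corporate static mail server
    "203.0.113.10": "smtp.isp.example",          # the ISP's outbound relay
    "198.51.100.77": "dyn-77.pool.isp.example",  # dialup / dynamic pool address
}

# Constructed "reverse-MX" data (assumption): domain -> IPs allowed to send for it.
# vanity.example is host-less: a registrar forwards its inbound mail, but nobody
# has published an outbound server for it, so it has no entry at all.
REVERSE_MX = {
    "bigcorp.example": ["203.0.113.25"],
    "isp.example": ["203.0.113.10"],
}


@dataclass
class Verdict:
    accepted: bool
    reason: str


def in_domain(hostname: str, domain: str) -> bool:
    """True if hostname is the domain itself or a name beneath it."""
    return hostname == domain or hostname.endswith("." + domain)


def reverse_lookup_check(sender_ip: str, sender_domain: str) -> Verdict:
    """Accept only if BOTH lookups from the excerpt succeed:
    1. the PTR name of the sender IP falls inside the claimed sender domain, and
    2. the sender domain's reverse-MX record lists that IP."""
    ptr_name = PTR.get(sender_ip)
    if ptr_name is None:
        return Verdict(False, f"no PTR record for {sender_ip}")
    if not in_domain(ptr_name, sender_domain):
        return Verdict(False, f"PTR {ptr_name} is not in {sender_domain}")
    allowed = REVERSE_MX.get(sender_domain)
    if not allowed:
        return Verdict(False, f"no reverse-MX record for {sender_domain}")
    if sender_ip not in allowed:
        return Verdict(False, f"{sender_ip} is not a reverse-MX for {sender_domain}")
    return Verdict(True, "sender IP and sender domain agree")


# Constructed cases mirroring the excerpt: a trusted corporate server, a vanity
# domain user on a dynamic address, the same user relaying through the ISP while
# keeping the vanity domain, and that user giving up the domain for the ISP's.
CASES = {
    "corporate": ("203.0.113.25", "bigcorp.example"),
    "vanity_direct": ("198.51.100.77", "vanity.example"),
    "vanity_via_isp": ("203.0.113.10", "vanity.example"),
    "isp_domain_via_isp": ("203.0.113.10", "isp.example"),
}


def run_cases() -> dict:
    return {name: reverse_lookup_check(ip, dom) for name, (ip, dom) in CASES.items()}


if __name__ == "__main__":
    for name, v in run_cases().items():
        print(f"{name:20} {'ACCEPT' if v.accepted else 'REJECT'}: {v.reason}")
```

Only the two senders that use a domain with a published, static outbound server pass; the legitimate vanity-domain user is rejected either way, which is the collision the post is describing.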
This may not be a huge problem, but I have seen a couple of problems caused by this over my years in IT and Security.
Many people would say that these problems can be fought by sticking to standards, but baddies often rely on us doing that to make their job easier. That is seen specifically in the first example.
I am not trying to create FUD here - these are just things I see in my job. In reality, I do not think this is some gargantuan issue that we need to start putting a lot of effort into. I think many of the security collision issues have to be taken care of on a management level. But it is something that I and other security managers have to deal with on a fairly regular basis. So what can we do?
Stop waiting for an answer… I’m asking you!
Vet
Posted by Michael Farnum on Thursday, August 31st, 2006
Filed under Rant, Sheesh
OK, let’s imagine you are an international company that has a product used by thousands of companies all over the world.  Hundreds of people call you daily to get support for your product. Your HQ is in Florida. You know a hurricane (actually, a Tropical Storm) is heading your way. In fact, you have had SEVERAL days of warning. Do you, or do you not, redirect calls to an alternate call center? My vote: you do!
Obviously Citrix doesn’t think the same way. I am writing this post at friggin’ midnight because I have been working on a Citrix issue, and I can’t contact Citrix in the US because they are closed due to the weather, and “thanks for the understanding”. No advice to call another country (like Australia) or even an attempt to redirect calls. Just “too bad, so sad”.
Come on, Citrix. This is crap and you know it. I hate it that another storm is hitting Florida, but who is running the show over there? Sheesh!
Vet
Posted by Michael Farnum on Wednesday, August 30th, 2006
Filed under Malware, Security
Thanks to the SecurityCurve blog for posting this about Apple. The Mac users are going to get hit hard one day, and they are not going to be prepared. Yes, many of them use AV software, but my suspicion is that many do not run it because they don’t see a reason for it. Take a look at this post to see if you think I am wrong. Though the author admits that it may happen one day, he is just so smug (to use SecurityCurve’s analogy) that his Mac is just wonderfully immune right now.
What I see is this: Malware is more and more specific nowadays. It is written for monetary gain, not for kicks (it is possible someone may write something just to prove Apple wrong, but who knows). Apple will get more and more of the market. Their servers, because more people are using Macs in business, will start to get more popular (just like with Windows). Then more and more valuable data will be stored on Apple servers, and the possibility of monetary gain will increase. So the possibility of malware will increase.
Vet
Posted by Michael Farnum on Tuesday, August 29th, 2006
Filed under Defense in Depth, Patching, Security
This story talks about using third-party patches for security flaws instead of waiting for the vendor to put out a patch. Personally, I am dead-set against it (I posted a while back about it, but I am too lazy to go look for it) for the same reasons the security pros in this article are against it.
- It can open other avenues of attack, since the bad guy is likely to start studying the third-party patch for security holes.
- Potential problems caused by the unofficial patch when installing the official vendor patch
- Management headache of uninstalling the unofficial patch
- Possibly causing support problems with the vendor because of unofficial patch
And I am sure there are more issues. One of the main points brought up in the article is that if you have a good defense-in-depth infrastructure, you can maintain good security without the need to install patches right when they come out. One comment struck me:
Using a mitigation strategy like blocking certain ports or shutting certain programs is the better solution. The user may have to go without a feature for a week, but it’s better than taking a risk with a third-party fix that you then have to go and uninstall before installing the real patch.
I couldn’t agree more. And if you have a good IPS vendor with a quick signature turn-around, then you can probably have the ports turned back on or the features back in operation much quicker.
I talked about this on Alan Shimel’s podcast a few weeks back as well. He asked me what Patch Tuesday was like for a security manager like myself, and I basically told him that it was no big deal really. I trusted in the security I had in place. I’m not saying I’m invulnerable. But locking down the infrastructure and paying attention to current threats and responding to them in a timely manner is the key to stop attacks before patches are available.
Vet
Posted by Michael Farnum on Monday, August 28th, 2006
Filed under Blogging, Spam
Thanks to Mike at MCWResearch for letting me know that Akismet was down today. I got a good amount of obvious spam, but they caught it pretty quick and everything seems OK now. I didn’t notice it because it is Sunday, and I just happened to check my email.
I can’t say anything bad about those guys at Akismet. Thanks for all you do over there.
Vet
Posted by Michael Farnum on Sunday, August 27th, 2006
Filed under Blogging, Me, Security
Just some random thoughts here on why I write this security blog:
- Simply, I enjoy writing
- Simply, I enjoy security
- I enjoy people reading and commenting on my opinions
- It might make me famous one day!
- It helps me become a better security professional because I have to research to write viable and informed opinions
- It helps me to become a better writer
- I get to meet great people (Martin, Alan, Mike, Chris, Mitchell, etc.)
- It gives me something to do when I am up at 1am in the morning (I need to go to sleep)
- Looks cool on my resume
- Some other stuff
Vet
Posted by Michael Farnum on Saturday, August 26th, 2006
Filed under SIM / SEM, Security
Mike Rothman takes issue with my SIM post. Basically, I said that it is a good thing that Arcsight is trying to create a standard log format for SIMs. Mike disagrees.
Let it be known that I DO have a SIM in place now, and I have received some value from it. I think the value that anyone gets from SIM depends a lot on your environment and how the SIM is implemented. This is the same as any security product. Is SIM living up to its expectations? No, it is not. I agree with Mike on this point. But I do not believe that SIM is dead.
So I stand by that assertion that a common reporting standard for security appliances is a good thing, though I agree with Mike that it will be years before this has any real benefit because of the delay of vendors to move on such things. I also agree with Mike that SIM does not meet expectations right now. Vendors very clearly point out what their product will do and then steer away from those security appliances and products that it will not support, so the ol’ bull shitake meter definitely hits the high scale when they try to push something on me. But I don’t think it is a lost cause necessarily.
Here’s a quote from Mike about SIM:
It’s all about being able to 1) prioritize efforts and remediate faster, and 2) crank out a report to keep the auditor happy.
The point is that if we can get a common standard, number one can be met. Should we just throw out SIM if there is a possibility of having a standard that may give us what we are asking of SIM now? No, I don’t think so. There can be some value now if, again, you implement well. But the problem here is what Mike says about the timing and when we would see value. So if you do not have a SIM yet, I would say do a LOT of research before getting one, and I would possibly recommend against it at this time (and with the advent of UTM’s, you may not need to get one if you go that route).
On point two, I think Mike’s really big analyst’s hat is getting in the way. He is forgetting about us little people! Auditing is a REALITY that I and my fellow security managers have to deal with. I am all about securing my network and getting everything else out of my way. If I can satisfy an auditor and get him out of my hair by producing a report from a SIM, I am damn sure going to do it. If a SIM makes ‘em happy, then I will spend the money. That is value to me right there! That may not sound fiscally responsible, but the less I have to answer questions from some dude who is reading off of a script, the more time I have to actually do my job.
So overall, I disagree with Mike that the common format is not a good thing. I think Mike is trying to throw out SIM when there is a possibility of it actually giving a lot of value later down the road. But if you do not have SIM now, take a long, hard look before buying.
Vet
Posted by Michael Farnum on Friday, August 25th, 2006
Filed under Security, Security Management
You’ve got anywhere from six to 60 security applications and tools in your data center, and most of them work pretty well. There’s just one problem: None of them speak the same language.
ArcSight today attacked that problem by proposing a new log management standard, the Common Event Format, that could enable security devices and applications to present and exchange event data in a common way. The net result: Security managers might soon be able to analyze security incidents from a single screen, without plowing through event logs and data on a dozen different apps or appliances.
Amen brother. SIMs were supposed to fix so many problems by pulling logs together and alerting on them. But so many devices that spit out syslog messages use different formats, and then the SIM vendor has a choice: either partner with every security vendor out there, or partner with a few but accept syslog and make you create your own alerts. Something needs to happen, and badly. This is one of the reasons security management outsourcing is becoming so popular.
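To show what a common format buys the “single screen” the article talks about, here is an added example (not ArcSight’s code) that parses Common Event Format lines as the format is publicly documented, and then asks one question across events from two different devices. The vendor names, hosts and events below are constructed.

```python
"""Parse ArcSight Common Event Format (CEF) lines from unrelated devices into
one uniform record. Added example, not ArcSight code; sample data is constructed."""
import re

# CEF layout: CEF:Version|Device Vendor|Device Product|Device Version|
#             Signature ID|Name|Severity|[Extension]
# Header fields escape '|' as '\|' and '\' as '\\'. Extension values escape
# '=' as '\=', '\' as '\\' and newlines as '\n'.
HEADER_FIELDS = ("version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")


def _split_header(s: str):
    """Split the seven header fields on unescaped '|'; return (fields, extension)."""
    fields, buf, i = [], [], 0
    while i < len(s) and len(fields) < len(HEADER_FIELDS):
        c = s[i]
        if c == "\\" and i + 1 < len(s):      # escaped character: keep it literally
            buf.append(s[i + 1]); i += 2; continue
        if c == "|":                           # unescaped field separator
            fields.append("".join(buf)); buf = []; i += 1; continue
        buf.append(c); i += 1
    if len(fields) == len(HEADER_FIELDS) - 1 and buf:   # no extension, no trailing '|'
        fields.append("".join(buf)); i = len(s)
    if len(fields) != len(HEADER_FIELDS):
        raise ValueError("malformed CEF header")
    return fields, s[i:]


# A key is a run of word characters followed by an unescaped '=' at the start
# of the extension or right after a space; escaped '\=' never matches.
_KEY_RE = re.compile(r"(?:^|(?<= ))([A-Za-z0-9_.]+)=")


def _unescape(value: str) -> str:
    return re.sub(r"\\(.)", lambda m: "\n" if m.group(1) == "n" else m.group(1), value)


def _parse_extension(ext: str) -> dict:
    out, keys = {}, list(_KEY_RE.finditer(ext))
    for idx, m in enumerate(keys):
        end = keys[idx + 1].start() if idx + 1 < len(keys) else len(ext)
        out[m.group(1)] = _unescape(ext[m.end():end].rstrip(" "))
    return out


def parse_cef(line: str) -> dict:
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    fields, ext = _split_header(line[len("CEF:"):])
    event = dict(zip(HEADER_FIELDS, fields))
    if event["severity"].isdigit():            # CEF allows 0-10 or Low..Very-High
        event["severity"] = int(event["severity"])
    event["extension"] = _parse_extension(ext)
    return event


# Constructed events from two made-up vendors, plus one non-CEF syslog line.
SAMPLE_LOG = [
    r"CEF:0|Acme|Firewall|3.1|100|Outbound connection denied|5|"
    r"src=10.1.2.3 dst=198.51.100.9 dpt=6667 proto=TCP msg=IRC egress blocked",
    r"CEF:0|Widget\|Co|IPS|7.0.2|2001|Known exploit signature|Very-High|"
    r"src=203.0.113.5 dst=10.1.2.3 dpt=443 msg=sig\=x\\y matched",
    "sshd[123]: Accepted publickey for admin from 10.1.2.3",
]


def load_events(lines) -> list:
    events = []
    for line in lines:
        try:
            events.append(parse_cef(line))
        except ValueError:
            continue   # not in the common format: still needs a vendor-specific parser
    return events


def events_touching(events, ip: str) -> list:
    """Every event, from any device, where this host is the source or destination."""
    return [e for e in events
            if ip in (e["extension"].get("src"), e["extension"].get("dst"))]


if __name__ == "__main__":
    evs = load_events(SAMPLE_LOG)
    for e in events_touching(evs, "10.1.2.3"):
        print(e["vendor"], e["product"], e["name"], e["severity"], e["extension"])
```

The single-screen payoff is the last function: one host-centric query runs over the firewall and IPS events alike, with no per-vendor regex, while the plain syslog line is exactly the case that still needs one.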
Vet
Posted by Michael Farnum on Wednesday, August 23rd, 2006
Filed under Blogging, Me
Just to let all my thousands (yea, right) of loyal readers know, I am going through some transition right now. I will explain more fully later, but that is the reason I have not been posting this week (and the fact that I am preparing for our annual audit here at work). I hope to get some time this week to look at the news more closely and develop some opinions (developing opinions is not too difficult for me, as you may well know).
Vet
Posted by Michael Farnum on Wednesday, August 23rd, 2006
Filed under Cool, Fun, Internet
Thanks to Pito at salas.com for the link to this site. Very sweet looking speed test site. And you can choose speed test servers all over the world. Of course, they could be downloading malware on your PC, but hey, it is still cool!
Vet
Posted by Michael Farnum on Thursday, August 17th, 2006
Filed under Blogging Buddies, podcasting
You probably don’t need me to post this since you probably read Martin’s blog if you read mine, but he landed an interview with Bruce Schneier and got it posted yesterday.
Well, to make it even better, Bruce posted the link on his blog today. Martin is seeing some increasing traffic now for the podcast, and he is as giddy as a schoolgirl.
Way to go Martin!
Vet
Posted by Michael Farnum on Thursday, August 17th, 2006
Filed under Blogging, Security
Since I started blogging, I’ve seen a few people post what blogs they peruse. I guess I’ll hop on that train as well, especially since I just learned how to export my OPML file out of BlogBridge and import it into Bloglines.
There are 60 feeds (this includes news and blogs) pertaining to security that I read. Some of these are rarely updated, some are fairly consistent, and some are in between. Many are common. Some are fairly new and haven’t gained much traction yet. But the sheer amount of opinions and data there is astounding, just in 60 feeds.
So take a look my public Bloglines feed list if you have the inclination.
Vet
Posted by Michael Farnum on Thursday, August 17th, 2006
Filed under Blogging, Spam
Here’s my “poor self esteem” question for the week. Should I be concerned that I have not been getting much comment spam the last two weeks? I am fairly sure my readership has gone up in the last month or so, but the amount of spam has gone down. I use Akismet, and it does a great job. But I was getting 20 and 30 at a time. Now I can go a day or more without one. When I do get them, it is maybe 2 or 3 at a time.
BTW, Mike Rothman’s links to my blog keep getting marked as spam, even after a few times of marking them as not spam.
What are you doing over there, Mike? I’m starting to get suspicious. 
Vet
Posted by Michael Farnum on Thursday, August 17th, 2006
Filed under Security, Spam
I saw this article about the rise of image spam, and I started thinking about the image spam I have been receiving. A very high percentage of it (for me) has been stock spam, just like in this article. And the author of the article mentioned that there was a rise in the value of the stock (almost 28%) from the previous day’s closing. This obviously could have been a coincidence, but it got me to thinking.
So, I bought a few penny stocks, connected to my IRC server, got a few bots going,…oh, wait. Sorry, my nefarious personality just reared his head.
Anyway, I thought it would be cool to track the effectiveness of stock spam. Does this actually work? It certainly seems plausible. Unfortunately, I delete all the spam that comes in to me, so I don’t have a good record. I thought I would hit my email gateway’s message log and filter on “stock” to get a list, but that doesn’t work too well because the spammers don’t usually include the actual word “stock” in their emails, and it definitely doesn’t work in image spams.
So, what to do? I don’t want to have to wait too long to gather a bunch of spams, especially since my filter seems to be performing better since I did some tuning. So, I thought I would look around the net for something. Lo and behold, I am not as original a thinker as I thought. Take a look at this site.
Here’s a quick screen shot as well.

Basically, this site is showing the short term gains that a lot of stocks show when a stock spam comes out. It is interesting, but this site shows that almost every stock that has been spammed shows a long term drop. This didn’t surprise me at all, but it is still an interesting point.
Go here to see an excellent FAQ about stock spam and here to see a list of spam-advertised stocks (both of these are also linked at the first site above).
Vet
Posted by Michael Farnum on Thursday, August 17th, 2006
Filed under Business of Security, Security, Security Management
I just read this post by Richard Bejtlich at Taosecurity. Basically, a guy was trying to come up with an ROI for security, trying to show management where security adds value in actual dollars. Richard is correct that there really ain’t no such animal.
I have never figured out a way to show my CEO or CFO value for putting in an IPS. I can show how it fills a security gap or helps us comply with HIPAA (though when you come up with a concrete definition for that one, let me know). But I cannot show him that the IPS will pay for itself by adding value to our company. Like Richard points out, security is insurance. The IPS will only pay for itself if it prevents an attack that would have cost the company more than what we paid for the IPS.
Of course, the problem with that argument is that you never really know what an attack would have cost you. Yes, you can quantify an asset and tell the CFO that it will cost the company $50,000 if it is lost. But not many execs put stock in something that MIGHT happen or what it MIGHT have cost. They want numbers.
Vet
Posted by Michael Farnum on Wednesday, August 16th, 2006
Filed under Crime, Defense in Depth, Physical Security, Security
Watch the video below. I have heard and read some stuff about this, but this video really tells the tale. It seems professionally done. The people all seem very genuine and not actors, or they are very good actors.
Just a few of my thoughts on the issue:
- This is from a foreign country, so I don’t know if the insurance issues are the same here in the states, but basically the concern was that if there are no signs of burglary, then your insurance company won’t pay a claim.
- The claim was that this was the end of security for physical locks. I think this is a little bit of the ol’ FUD game, but hearing it from an experienced (30 years) locksmith makes you think a little bit.
- It brings out the need for layers in security. An alarm system is a fairly good layer, even in houses. At least it will deter some low-level crooks, which are your typical crooks in home burglaries.
- When it comes to businesses, they will need to start looking into alarms and better locks (keypads, etc.)
- And the overall lesson, no matter what you do, if someone is determined to break in, they probably will. All you can do is your best.
[gv data="7Uv45y6vkcQ"][/gv]
Posted by Michael Farnum on Wednesday, August 16th, 2006
Filed under Security
If you have a sec, go take a look this at my Computerworld blog. It is short, but the issue really annoyed me, and it goes along with my “Security Admin / Manager advice” series.

Posted by Michael Farnum on Tuesday, August 15th, 2006
Filed under Security, Stolen computer
The VA is now buying encryption software for their computers, handhelds, and other mobile devices. This makes me wonder about a few things:
- Are they also installing it on their subcontractor’s computers? The last theft of VA data happened at Unisys, not at the VA. How are they going to handle that?
- Have they EVER done a risk analysis? I ask this because it would be interesting to see what the analysis said about remote laptops, computers, etc. before the thefts. Did it show there was risk of this happening? Did they actually weigh the risk and decide it wasn’t a big deal?
- My suspicion is that they never ran a risk analysis. So have they run one now? Are they just knee-jerking? Was this process under way before the last theft, or have they gone about this the right way and they just have bad timing?
Even though a risk analysis is always needed, the results are not always correct. Even if you go about the process in the most scientific manner, you always need to plan for contingencies and the possibilities that your results are either not right or the smallest risks will still happen.
In this case, if the VA did run a risk analysis before the thefts, then they either ignored this risk or deemed it not enough of a risk to worry about. Though we see it as an obvious risk, and though the many, many stories of laptop theft happening out there before the VA incident make it even more obvious, the VA still did nothing. That’s why I think they either never had the analysis done, or they simply did one to fulfill requirements then ignored the results. Both are deplorable practices.
I would really like to see some better disclosure from the VA. Don’t give me the results of your risk analysis. Just let us know that you are performing one. Just like this event, make an announcement that you have a company coming in to help with this and name the company. Even though you have an obvious hole with the laptops and desktops, you still need to perform your due diligence in making your security holistic. Do not just piece some security measures together to make everything look good to the public.
Vet
Posted by Michael Farnum on Monday, August 14th, 2006
Filed under Security, web hacking
It was just reported by SANS. Be careful if you go there.
Vet
Posted by Michael Farnum on Monday, August 14th, 2006
Filed under Security
This is my first post using MS Live Writer. I got the link from here. I am impressed so far.
Picture test
Vet
Posted by Michael Farnum on Monday, August 14th, 2006
Filed under Crime, Security, Sheesh, web hacking
Martin McKeay posted a few days back about keylogging software on clients of HSBC Bank. Bruce Schneier pointed out this article this morning about the same issue. Both came to roughly the same conclusion: this is ridiculous.
Yes, there are things the bank can do to help with this, but come on, where is the personal responsibility for the clients? Sheesh.
Vet
Posted by Michael Farnum on Monday, August 14th, 2006
Filed under Security
Read the story here. It looks like the process is being held up now because of legal challenges from another company that thought they should win the project.
I have held out commenting on this so far because I don’t have the expertise here to add much of value. But what does concern me is that the company they are awarding the contract to is an affiliate of a German-owned company. That sounds about as smart as giving up the dock security to a Saudi-owned company.
Vet
Posted by Michael Farnum on Monday, August 14th, 2006
Filed under NAC, Security
Like Mike Rothman says today, this has been the week of NAC, so I figure I would pile on as well. I am not an expert on NAC by any means, so forgive me and correct me where I need it. But in talking to Alan Shimel and his StillSecure crew this week and with all the bloggers putting out some great information, I have learned more about NAC this week than I have in the last year. BTW, a bunch of my blogging buddies and Richard Stiennon got together last night on the Security Roundtable Podcast (hasn’t been posted yet) to discuss NAC, so I am really excited about listening when it gets posted.
Anyway, to my gripe of the day. I had a NAC vendor out today to discuss their product. They have gone totally with the inline strategy for their solution, and it seems like a good product. But it has weaknesses (obviously every one of them has strengths and weaknesses). Some of what I saw was poor ongoing posture checking, so-so unmanaged-client checking, opening of ports to allow authentication, and no remediation after quarantining. And they partner with other vendors to do some of the stuff above. That’s not in-and-of-itself a problem, but I just didn’t like the way they threw it all together. To be fair, they had one feature that I REALLY liked, and that was the ability to do auditing and reporting on client file access without (so it seems) the need to turn on auditing on your servers (basically, they go to layer 7 and report from there - if it works, it would be great to have because it means less CPU cycles, less disk space, and less configuration on servers - anyone else do this guys?).
I have looked at a few other vendors out there as well, and as I parenthetically said above, they all have weaknesses and strengths. Many times, it really depends on your infrastructure and what you need. And it may take more than one vendor to get done what you need. Though management starts sucking bad, right now this may be the only choice we have to get a complete solution (go see Alan’s point in his post about cobbling together a bunch of security vendors for a NAC solution - I hope he is right that this will start going away).
As a quick aside, I am going to compliment StillSecure, and it is not because Alan had me on his podcast (well, maybe a little bit). StillSecure’s Safe Access, thus far, seems to have the most complete solution out there (Alan, send the check to my personal address please). Now, back to our regularly scheduled program…
But one weakness or missing part or whatever you want to call it that I see across the board is the remediation of the vulnerabilities for the endpoint. What I mean by that is that I have not seen one of the NAC solutions that includes a remediation solution. They either partner with someone (which also seems to be going away somewhat), or they leave it up to the “discretion of the administrator.” So please answer this question for me, oh you Alan’s and Mitchell’s of the NAC world: wattup wit dat?
I mean, I just don’t get it. I am not speaking for the rest of the security managers out there, but I know that it just makes sense to me for someone who is going to offer quarantining to offer remediation as well. Is it because no one has made it that far? Is it because the market is not asking for it? Is it because there are options available, so you just don’t want to spend the dollars to do it?  And if you are going to partner with someone for it, INTEGRATE IT. Don’t make me manage another solution. Tie the dang things together, and make it work. Remember my busy security manager post? We need help! Give us a solution that works from A to Z. Not A to W, then BigFix can handle X,Y, and Z (now I’ve said my ABC’s, next time won’t you… sorry, too much Sesame Street - I have small children).
[As I was writing this, I wanted to make sure I wasn't smoking crack, so I looked closer at SafeAccess and noticed that it mentions tying together patch management with SafeAccess, and I think this happens through VAM, but I am not sure. I invite Alan or another StillSecure employee to clarify this.]
Vet
Posted by Michael Farnum on Friday, August 11th, 2006
Filed under Fun
I started doing some research, and I found this picture. Now I am not making any political statement here, so don’t flame me. I didn’t see this during the Bush - Gore campaign battle, and I have to say that this kinda freaked me out for a second. Then I started laughing.

Vet
Posted by Michael Farnum on Wednesday, August 9th, 2006
Filed under Blogging, Blogging Buddies
As I mentioned in my last post, I had the honor to virtually meet Mitchell Ashley, CTO of StillSecure, while recording Alan Shimel’s podcast last night. Alan kiddingly calls Mitchell “Ed McMahon” because he is regularly joining Alan on his podcasts.
Mitchell has recently been inspired to start his own blog. I started reading it when I saw the announcement at Alan’s blog, and I am impressed. Mitchell obviously knows the business and is a smart guy, so I think you would do well in reading his stuff. I know he will be successful in his endeavours (because I link to his blog, of course).
Vet
Posted by Michael Farnum on Wednesday, August 9th, 2006
Filed under Blogging, Security, podcasting
Alan Shimel from StillSecure was kind enough to have me as his featured guest on his podcast tonight. Alan is a great guy and a great blogger, and I am proud to call him one of my blogging buddies.
We were joined by Mitchell Ashley (a.k.a. Ed McMahon), the CTO of StillSecure, who seems like a great guy as well. He just started blogging, and you can find him at http://www.theconvergingnetwork.com/.
I just have to say that I had a great time tonight. The people over at StillSecure are a class act. As I mention in the podcast, I don’t get the usual line of BS from these guys. They tell you what is and what ain’t, and that is it. Nice people all around.
Thanks again to Alan and Mitchell.
Posted by Michael Farnum on Tuesday, August 8th, 2006
Filed under DDos, Security, Sheesh, web hacking
Politics can be fun, and it can be real ugly, and often both at the same time. And in this digital age, everyone has a chance to get involved, including script kiddies that have a political axe to grind. Go read the story here. But what got me about this whole deal was this quote from Dan Geary, who runs Lieberman’s site:
“This is a direct disruption of a federal campaign,” he said. “I have to see us go to an era where security is primary instead of the primary focus being new and innovative ways to get the message out.”
Uhhh, that deserves a big “duh”. Dude, you run the website. I am sure you are an activist and want to get Senator Lieberman re-elected, but running the website and securing the website is your job. Frankly, that quote sounds more like something a politician would say rather than a web admin. If you don’t know that you are going to be dealing with this kind of stuff, then the good senator hired the wrong guy. Sheesh.
Posted by Michael Farnum on Tuesday, August 8th, 2006
Filed under Crime, Due Diligence, Security, Stolen computer
…because you can read about it in the news, because it generally happens for the same reason (stupidity, mainly), and I get tired of writing about it. And the same would be the case on this new VA stolen desktop (also read here), except that this is twice for the VA, and I think this one holds more importance. Why? Glad you asked!
- Because this one, on the surface, seems like a targeted attack. This was not an average house robbery. This was stolen from a Unisys facility that was doing insurance collections for the VA. Far be it from me to start FUD, but I think there was some definite desire for this desktop because of the data it held (why was the data on a desktop, anyway???)
- This brings forward the point that you are just as responsible for your contractors’ security as you are for your own. The theft did not actually happen at a VA facility, but you can’t slough off due diligence.
Posted by Michael Farnum on Tuesday, August 8th, 2006
Filed under Rant, Security, Sheesh
I am going to try to make this short since Treasure Hunters is about to come on, so here goes. I posted yesterday on my Computerworld blog about some stuff I wrote for a friend of mine on two-factor authentication. I checked back today to see if I had any comments, and I did (woo hoo for me). I read the comment, and here is part of what I got:
What is needed is “smart” content that works with multiple trust levels, that self-authenticates not only the content but the user as well. This is done using a modified token inside the content. It also creates an audit trail within token receipts for archiving.
Content-centric security allows content to be securely transferred globally and outside the enterprise, without centralized authority. No, there is no standard but this approach solves most, if not all, of today’s issues concerning authentication.
OK, this really gripes me. First off, there is so much of this “we need this” and “we need that” and “it would be great if…” and “this would solve so many problems” that I am going to puke. I am just tired of hearing it. Yea, there are a lot of things out there that need to be done, but since when does a “need to be” turn into something tangible overnight? Not to mention the fact that this guy sounded like he was trying to sell something and then didn’t even link to a website or anything.
I am not arguing whether this guy is right or wrong. I am not arguing whether or not the state of InfoSec needs to change (it does). Basically, I just want people to be realistic and deal with what is available today. I am not asking for status quo. I just want people to recognize that us guys and gals in the trenches need to use products that are on the market now. If we were supra-geniuses that could make up new technology to protect our network while sleeping, then we would do it. But we aren’t and we can’t (I guess I should speak for myself). We rely on those people who research this stuff to do that.
So friggin’ stop arguing with me every time I say multi-factor authentication is a good idea! It is what we have today. Just because it can be compromised in some fashion does not mean I should take it out of my network. Once again, DEFENSE-IN-DEPTH!! It is another layer.
I am not against research and looking for something new. I just am tired of being preached at about how something is better when it ain’t even sold by anyone yet! Sheesh.
Posted by Michael Farnum on Monday, August 7th, 2006
Filed under Fun
Posted by Michael Farnum on Friday, August 4th, 2006