Seems like Cisco has partnered with Cybertrust in creating some kind of PCI-geared hardware package / solution. Cybertrust is supposedly giving this amorphous hardware blob (I guess a hardware package can be customized for each scenario) the PCI checkmark. OK, so which company is going to purchase this package for its stores and tell its auditors, “we’re PCI compliant because we bought this crap”?
From their news release:
Part of the Cisco PCI Solution for Retail, a set of recommended and audited network architectures that can be tailored for each retailer’s specific store footprint and application needs, Cybertrust has provided its PCI subject matter expertise to validate that the Cisco solutions are optimized for PCI compliance. The Cisco PCI Solution architectures provide guidelines that help retailers manage the complexities associated with the PCI Data Security Standard.
Computerworld Australia warns against this as well.
I just found this security blog because the author put me in her blogroll, and Technorati let me know about it. The blog is titled Princess of Antiquity. It looks like the author is a 17 year old student in the Philippines. It is kind of a mixed personal / security blog, with a heavy emphasis on security. There is some good stuff in there, and coming from a 17 year old, I have to say that this young lady has nowhere to go but up. And since she is linking to my blog, you know she is smart!
On a side note, technology is amazing to me sometimes. Even though I know the Internet is worldwide and people can check out just about anything from anywhere, it still floors me when someone from the Philippines can find my blog. Too cool.
Well, I am back from our annual sales kickoff meeting. The week was rough, but the content was great, especially the last day (we had three of our top SE’s teaching our processes and how to be a more effective SE – the sales people were in there as well, so they got a good idea of what we have to deal with). I am more jazzed up now about working for Accuvant. The people I met were great. Everyone is stoked about 2007. I am convinced more than ever that this was a good move for me.
I know. Everyone is highly motivated by these meetings, and it will probably wear off. I agree to a point, but what you have to understand is that I have never worked anywhere that I felt like a part of something good. This is the first company that I am proud of being a part of. It is a good feeling. Maybe that’s a little cheesy, but that’s the way I feel.
It was held at Copper Mountain in Colorado. Very nice location, but we never had any time to get out and enjoy it since we were in meetings the whole time. Oh well.
I could barely breathe up there. I think it is somewhere around 9,500 feet where we were staying. Since I live in Houston, which is about 6′ above sea level, I was completely unprepared for the thin air. I had a headache the whole first day and was gasping for air all night when I was trying to sleep. That REALLY sucked. I got about an hour of sleep that night.
I got used to it the next day, but I was so friggin’ tired that I still don’t remember much of the day. I slept like a baby the second and third night, and I was fine just walking around. Next time I will be taking as much of this advice as I can.
I have been in Denver all week for Accuvant’s annual sales kick-off. Today the SE’s and consultants were in a bunch of vendor mini-trainings for the SE’s. Can you say death by PowerPoint???
Anyway, one of the vendors presenting is a well-known security vendor that has some products around web app security. Up pops their obligatory reference slide of companies who use their products, and guess who is on the list? Yep, you guessed it: TJX (read about TJX here if you are not aware of the story).
It was weird because the reference slide was all text and must have had about 30-40 companies listed, but my eyes were immediately drawn to TJX. The presenter had paused to take a breath, and I quickly commented, “I don’t think I would have TJX on my reference list.”
Now understand that almost everybody in the room was an SE, security consultant, security assessment person (pen tests, social engineering, etc.), or compliance person. These people, including me, take pride in being up on current security issues. The room went silent, and just about everyone looked at the slide. The presenter just kind of froze. Then a couple of chuckles were heard, and everyone was kind of like, “Holy crap.” The presenter, after he unfroze, said that TJX probably had some of their other products and not their web app stuff. Good recovery, dude.
Truthfully, the vendor in question has some great stuff, and they are one of our top partners. But if they would have used this slide at a customer that was knowledgeable and up on events, they probably would have been screwed.
Michael Santarcangelo posted here about the launch of the Catalyst Community forums (I kissed Michael’s ass the other day,… uhhh, I mean I wrote about Michael the other day here). This is a small step in a much bigger project. Go see and join the forums if you are interested in security.
Martin wrote about it as well. Pay attention to his edit about the naming conventions.
Here’s Chris’ comment:
You are both way off-base! The reason Brian Smith was quoted in this article within this context is because Tippingpoint/3com are showing their honking M60 Security SWITCH at RSA! I think you guys are more interested in knocking the 3Com/Tippingpoint relationship than understanding what Brian was saying.
I see what you are saying (from reading your post), and I agree that I may have read that wrong. But when I read “bump-in-the-wire”, I think hardware device. Even if it is super fast and doesn’t introduce any noticeable latency, it is still a device to be managed.
Also, I am not really interested in knocking the relationship. Did I like the relationship when it started? No, I didn’t. I thought it made sense for 3com, but I did not like my IPS vendor being bought by 3com because I thought they would possibly screw up TippingPoint. I thought of (and still think of) 3com as a sub par enterprise switch company that is entering the game late and will probably not be able to make up the ground they have lost. And I BS you not when I talk about their attitude.
And as far as the switch they have coming out, you point out in your article that it is a year late. I spoke of “too late” in my post. That just makes me think again of their reputation.
BTW, it is good to hear from you again. I was wondering where you had disappeared to.
Alan Shimel posted about something said by Brian Smith, co-founder of TippingPoint and chief architect of 3Com, in an SC Magazine article. Here’s part of the excerpt Alan used:
“Smith says he also plans to emphasize the benefits of the bump-in-the-wire network approach to deploying security solutions. Rather than embedding solutions into switchers and routers, Smith plans to suggest overlaying solutions to allow for a more converged, cheaper way to add intelligence to the network.”
Alan rightly points out that Mr. Smith may be smoking a big crack pipe. Alan then ponders the mystery by asking, “Do the Tipping Point people resent and hate their 3Com overlords so much that they refuse to see the natural evolution of converging security and network gear?” Alan, I may have an inkling to why Smith thinks this is the best approach. And if my suspicion is correct, then you are on the right track, but their resentment is not the reason. Let me ‘splain.
When I was an infosec manager, I was a TippingPoint customer. When I bought the TippingPoint box, stand-alone devices were still all the rage. UTM and NAC were pretty much still new terms. But right about the time TippingPoint was bought by 3com, the convergence track had started to emerge. Cisco was really getting into putting different devices in their switches. Things were really starting to move in that direction, and 3com probably thought they should do the same.
But just in case things were not what they seemed, 3com decided to test the waters (conjecture on my part, but plausible conjecture nonetheless). So they surveyed their customers (or TippingPoint customers, at least). I received one of these surveys. Among other things, it asked if I would buy a 3com enterprise switch with a TippingPoint IPS blade integrated into it. Understand that I come from the network engineering world. I have installed and configured many a switch and router. And for the immediate 4-5 years before this survey hit my inbox, 3com had been about as present in the enterprise switch space as a woman at an ISSA chapter meeting. The biggest place you saw 3com was on a NIC or a little white 8-port hub in a room full of cubicles. So, I answered a definitive “not no, but hell no”.
To clarify (if the above didn’t explain it well enough), it was the 3com switch that threw me. I wasn’t unhappy with TippingPoint (except that they had been bought by 3com). I liked the box. It served me well. If I could get a TippingPoint blade for the 4506, I would have seriously considered it. But there was no way I was going to replace my Catalyst 4506 with a 3com switch, no way, no how.
Of course, I cannot answer for every TippingPoint customer who received the survey, but I can guess that many of them answered the same way. And this makes me wonder if 3com and TippingPoint are sitting in ivory towers and ignoring the trends because it doesn’t compute that people don’t like their switches.
And to add one more thing that may add some credence to my hypothesis: I also had a couple of 3com reps come out to visit me during the final months of my tenure as an infosec manager. When my boss and I told the 3com guys that we would not consider in any way replacing our current switching infrastructure with 3com because of our impression of 3com as a serious player, they were completely surprised by our attitude. Now maybe they had never received that reaction before because we were just a little more harsh and up front with our opinions. But my immediate opinion was that they really didn’t know they had that kind of reputation. Maybe it is just me that thinks this about them, but I don’t think so.
It is rare these days to meet a person with true vision. I mean a person who can just look at a topic and instinctively know what it would take to succeed in that arena. It is even more rare to find a person that is also passionate about the topic to which they are applying their vision. And the rarest find is a person who has all of the above AND the nerve and the fortitude to actually try to do something with that vision and passion, all the while inspiring others to join up and do the same.
Well, my faithful readers, I have found one of these rare people. Many of you know Michael J. Santarcangelo, II. Known affectionately as Santa to some (play on the name for you thinking he’s fat and jolly and has a white beard and rosy cheeks and… you get the idea), Michael is founder of The Security Catalyst blog and podcast. Instead of writing a bunch of stuff about him, here’s his bio from the above site:
One of the top rated and most requested speakers on security issues and certification training, Michael is a coach, consultant, professional speaker, and leader active in reshaping the future of information security. His rare approach of blending multiple disciplines together allows him to connect with audiences around the world as he invites people to think differently. He brings this passion and energy to podcasting as the Security Catalyst and works to explain and demystify security so everyone is able to protect themselves.
Michael is the catalyst behind Security 2.0. In addition, he is the founder of the Catalyst Community, The Trusted Catalysts, Security School House (announced September 2006) and was the founding President of the Tech Valley (New York) ISSA Chapter. Michael holds a Bachelor of Science Degree in Policy Analysis from Cornell University.
Now, before you people start wondering if I have some unnatural attraction to Michael, let me state that I am writing this (and will be writing more) because I believe Michael knows the sad state security is in now days and really wants, even needs, to do something about it. How do I know? I’ll tell you how!
Michael has brought together a group of security professionals (including yours truly) to form a group called The Trusted Catalysts and the Catalyst Community. In joining The Trusted Catalysts, I have conversed with Michael via email and chat, and I thought he had a good vision. But then I actually got to talk to Michael on the phone yesterday, and it truly struck home just what Michael is all about. The guy had so much to talk about he seemed about to burst at the seams (I don’t mean that in a bad way – I asked him to explain what all he had in mind for the Catalysts, and I got it). He is a wealth of information and experience, and he wants to give that away. He’s not a selfish person who wants to be the one guy who knows it all and people have to come to. He wants to genuinely help the security community. I guess I stand corrected. That is the rarest kind of person.
I am saying all this because I want to give you a heads up if you don’t know about Michael and the Catalyst Community. You need to watch the Catalyst Community over the next year and the years to come. I think this community will grow, and I think it will become a tremendous force in the security industry within a few years. And with Michael’s vision and inspiration, it will be a truly positive force, unlike what one security focused organization has become – I won’t name names, but it starts with “(” and ends with “2″.
Thanks to Michael for his passion, vision, energy, candor, and unselfishness. I hope I didn’t embarrass you too much. And I like the hair (or lack thereof).
Update on the phishing email post below. From Yahoo:
Thank you for informing us of possible abuse on Yahoo! Domains. We have investigated the site and taken the necessary action. We appreciate your concern and thank you for reporting this incident to Yahoo!.
The site is dead, so there ya’ go. One down, with only 654 appearing in its place every second! That’s not a real stat, BTW.
I received a phishing email via my blog email today. I haven’t seen this one. Be on the lookout:
I didn’t download the pictures. The link is pointed to http://customercarealert.com/bankofamerica.com.
Here’s what that site looks like:
Here’s what Bank of America’s site looked like when I pulled it up this afternoon:
Here’s what I came up with on the domain after a quick dns lookup:
and a quick whois:
I sent an email to the abuse addresses and I also forwarded it to antiphishing.org for the heck of it.
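The trick in the URL above is that the brand name sits in the path, not in the host: the browser connects to customercarealert.com, and the trailing “bankofamerica.com” is just a directory on that server. The following is an added example (not part of the original post) that pulls the real host out of a URL and reports where the brand name actually appears. The phishing URL from the post is used as sample input; the other URLs, the trusted-domain set, and the two-label “registrable domain” shortcut (no public suffix list is consulted, so co.uk-style suffixes are not handled) are assumptions for illustration.

```python
"""Report where a brand name sits in a URL: in the real host, or somewhere deceptive.

Added example, not code from the original post. TRUSTED and the non-phishing
sample URLs are constructed for illustration.
"""
import ipaddress
from urllib.parse import urlsplit

# Domains the bank is assumed to own for this example.
TRUSTED = {"bankofamerica.com"}


def registrable_domain(host):
    """Return the last two labels of a hostname.

    Simplification: no public suffix list, so 'example.co.uk' would come back
    as 'co.uk'. Enough to show the brand-in-path trick from the post.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify(url, trusted=TRUSTED):
    """Return one of: trusted, ip-literal, no-host, brand-in-userinfo,
    brand-in-subdomain, brand-in-path, unknown-host."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not host:
        return "no-host"
    try:
        ipaddress.ip_address(host)
        return "ip-literal"          # a bank does not send you to a bare IP
    except ValueError:
        pass
    reg = registrable_domain(host)
    if reg in trusted:
        return "trusted"
    # Brand words to hunt for, e.g. "bankofamerica" from "bankofamerica.com".
    brands = {t.split(".")[0] for t in trusted}
    # Checks ordered from most to least deceptive placement.
    haystacks = [
        ("brand-in-userinfo", parts.username or ""),
        ("brand-in-subdomain", host[: -len(reg)] if host.endswith(reg) else ""),
        ("brand-in-path", parts.path + ("?" + parts.query if parts.query else "")),
    ]
    for verdict, text in haystacks:
        if any(b in text.lower() for b in brands):
            return verdict
    return "unknown-host"


def report(urls):
    """Map each URL to (real host, verdict) for a quick triage table."""
    return {u: (urlsplit(u).hostname, classify(u)) for u in urls}


if __name__ == "__main__":
    samples = [
        "http://customercarealert.com/bankofamerica.com",   # from the post
        "https://www.bankofamerica.com/login",               # constructed
        "http://bankofamerica.com.example.net/",             # constructed
        "http://bankofamerica.com@example.net/secure",       # constructed
        "http://203.0.113.5/bankofamerica",                  # constructed
    ]
    for url, (host, verdict) in report(samples).items():
        print(f"{verdict:20} host={host:35} {url}")
```

The userinfo case (`brand@realhost`) is checked first because it is the one users most reliably misread; modern browsers strip or warn on it, but mail clients generally do not.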
Tim Wilson asks whether it just would have been easier to study than go through all the pain of hacking into the school’s grading system and trying change your grade (or someone else’s grade).
Here’s a quote from Tim:
I’m betting that these cases of grade-changing are only the tip of the iceberg.
If your bet is solid, Tim, then I would say it is probably easier to change your grade. These idiots that got caught seem like low-hanging fruit. Even the class prez, who should have been smart enough not to do something so stupid, went about it all wrong.
A quote from this Dark Reading article:
A police report indicates that several witnesses saw Shrouder making the changes or heard him say he had done so.
Why in the world would he make changes in front of people or talk about it? Maybe the witnesses were students whose grades he changed. That could be the case, but he is still dumb. Intelligence must be coupled with common sense in order for a hacker to be successful. Book knowledge does not equal street smarts!
I found this post by Terry Sweeney, Editor in Chief, over at Dark Reading. He is discussing whether or not you should send out fake phishing emails to your own users to find weaknesses in your security awareness training and anti-phishing methods (he is specifically talking about Core Systems’ product).
Here’s a quote:
What the vendor doesn’t say is what you do once you’ve ensnared such users in your phishing net. Do you hoist them upside down like fresh caught marlin, then get your dockside souvenir photo snapped? Maybe feature the phished users in the company newsletter? Issue them a warning or something more draconian?
First off, security awareness testing has to be done. How else can you figure out whether or not it is working? And Mr. Sweeney, the argument of, “You cannot manage what you cannot measure” is still valid, no matter if you attempt to head it off by putting it in your blog post and sneering at it.
Second, as I said in my latest CW post, any security manager worth his salt is not going to use security awareness testing to incriminate users (unless the results uncover behavior that is unlawful or purposefully going against company policy). It is simply there to test effectiveness of the training. Employees should be coddled to some degree while this testing is going on (meaning, you should be there to hold their hand when they screw up during testing – you shouldn’t warn them ahead of time).
Third, what the security manager does with the product is not Core Systems’ concern. I know that can be taken to the nth degree (hacking tools, etc.), but Core Systems is providing a commercial product that has a legitimate purpose. It is not their fault if ABC, Inc. uses it to fire all their stupid users.
Go read this over at Security Ripcord. You won’t be sorry (thanks to Martin for pointing it out to me).
Not sure why I didn’t have Cutaway on my RSS feed list, but that has been rectified. Some good stuff over there.
I usually don’t post about these things just because everyone else does. Plus, everyone who is not under a security / IT rock knows about it. But this is a big deal in the world of convergence and deserves my attention in some form.
Like Alan said here, I think this just means some of the other guys are going to get sucked up soon. Barracuda has always seemed like an acquisition target to me. And now that they have a pretty big database themselves, you might want to keep an eye out for that soon (just my opinion – I have no insider information on this, and I do not own any anti-spam vendor’s stock). And the others are going to go soon as well.
I wrote about the OLPC initiative over at CW. I think there may be some serious security concerns with this project. I am doing some more research to see what I can find.
Check out the post and let me know what you think. If you know some stuff that I don’t , please fill me in.
Found it kind of interesting that Firefox 2.0 is beating out IE7. Guess it makes sense with this being a security blog.
I also found it interesting that there are a high number of Firefox 22.214.171.124 users, and very few 2.0 users, which tells me that the people who have jumped to 2.0 are good about updating. There are still a few on 1.5, but there are also still a lot on IE 6.
These are Jan 1-2 numbers, BTW.
Congratulations to my friend Mike Rothman at Security Incite for launching his new book and site, the Pragmatic CSO.
I highly recommend this book to CSO’s and security managers of any type. It gives a good feel for the business side of securing a network. I wish I had this before I decided to get out of security management.
Alan Shimel asked me and several security pros to record a quick one minute opinion on what we thought were the biggest security stories of 2006. Then he got together with Mitchell Ashley and Mike Rothman to laugh at us, er… I mean, talk about our ideas.
Go check it out here.
The other gurus he had taking a whack at this are below:
Did a day trip to Dallas today for a lunch n’ learn on F5 iRules. Looks pretty powerful. I don’t have any real experience with their products, but they look pretty good. They are definitely growing their South-Central team. I think they are trying to grow the whole team to something like 8 or 9, which is up from 4. They have a dedicated sales rep and engineer down here in Houston now, where before they were all in and around Dallas.
Let me know what you think about them.
I have to admit that I do perform the occasional vanity Google. I usually just like to see what else pops up out there and how quickly things get indexed when I am on a podcast or comment on a blog post. I usually don’t dig deeper than a couple or three pages, but today I dug all the way to page 9, and I found this from Whatis.com.
It looks like I am on the favorite security blog list, along with Bruce Schneier and my friend Martin McKeay (of course and of course) and a few others. This seems like a fairly obscure article since it is titled “Our Favorite Technology Blogs” and is under the “O” section in their database where I doubt anyone would really look. You also have to go down to the table of contents and click “Security” to find me. But hey, I’m honored! Thanks Whatis.com people!
I enjoyed this little case study from SANS. It talks about doing security inspections on some old laptops that all came from a company. Mostly typical findings, but it demonstrated some points that we don’t need to forget.
Getting ready for church on Christmas-eve morning, so I don’t have time to write much. But if you are reading blogs on this holiday weekend, go check out the comments on my post about the Winsnort site being defaced back in August. Let me know what you think.
Pay for some certifications plummeted in the six months from April 1 to Oct. 1, according to a wide-ranging Foote Partners LLC survey covering 129 certification categories and 124 noncertified skills. The following are some particularly hard-hit certs:
- CompTIA Linux: -43%
- CompTIA Network Technician: -36%
- CompTIA Security+: -33%
- Cisco Certified Design Associate: -22%
- Cisco Certified Network Professional: -22%
- CompTIA Certified Technical Trainer: -22%
- Certified MySQL 4.0 Professional: -22%
- Citrix Certified Enterprise Administrator: -20%
- Microsoft Certified Trainer: -20%
- Microsoft Certified Database Administrator: -20%
- Cisco Certified Design Professional: -18%
- Microsoft Certified Systems Admin: Security: -13%
- Linux Professional Institute certification: -13%
- Cisco Certified Network Associate: -12%
Honestly, is this list very surprising? The top three are CompTIA certs (I happen to hold the Security+). How many people are roaring for those (except for A+, which is still respected in the network tech world)?
CCNA has long been a joke, even though I heard it had been revamped and was tougher. I have seen personally the interest for the CCNP drop quite a bit (I don’t know everyone, but most of the people I knew that were looking at it decided not to pursue it).
Now, where’s the list where it shows the CISSP cert causing 100% increase in salary? Yea, right.
And here’s a certification that we all had in the 90′s and early 00′s:
First it was Alan Shimel on his blog turning me into the Grinch. Now Misha at AlertLogic has a picture of me Warhol-style. I think this may be the start of a trend. Anyone else want to have fun with my mugshot?
Here it is. Have fun!
Websense is buying PortAuthority for $90 million. If you are not familiar with them, PortAuthority makes a leak prevention security product. This makes sense in the Websense model, but I like the deal for another reason. This tells me that Websense may be seeing the light finally and is trying to diversify a little so they don’t implode.
Of course, we’ll see if they have learned anything at all by watching what they do to the pricing model of PortAuthority. If they follow their current structure, current PortAuthority customers might find themselves paying 100% maintenance every year.
By the way, has Websense ever bought anyone before? I need to do some research.
Alan and Mitchell at the StillSecure After All These Years podcast interviewed me last week for their podcast. It is up here at Alan’s site and here at Mitchell’s site. I gave an update on my move to the channel, about honesty in selling security, the converging of the security professional and the general IT professional article I wrote at CW, and some other stuff. It was fun.
Thanks to Alan and Mitchell for having me on again. I really enjoy talking about myself, as anyone can plainly see, and Alan and Mitchell actually seem to genuinely be interested in the people they interview. They are two great guys that I hope to meet soon at the RSA Conference security blogger gathering (not sure if Mitchell is going to be there, but I know Alan is going to show).
Thanks for the kind words, guys. You are two class acts.
And Alan, notice that I did not alter the picture in any way! Or did I?
I was reading through my many newsletters I receive daily, and I ran across a couple of articles about security vendors warning about spam, spyware, phishing, the mob and hackers teaming up, etc. As I was reading those headlines, I found myself quickly sneering and thinking these were nothing but more FUD from people trying to make another buck.
Then I thought, Wow, I sure am getting cynical. Though it is obvious that there can be a lot of FUD coming from these guys, that doesn’t mean that I shouldn’t read their stuff. I’m sure there are people in those companies that are sincerely trying to help the security industry. It just comes out as FUD when those dang “marketeers” get their claws into it.
Maybe I’m a little gloomy because it has been raining down here for the last couple of days. I need to take a happy pill!