Looks like the latest IBM ISS Proventia update is causing some havoc on networks. Go see here.
Thanks to SamVR for pointing me to the article.
I am in Citrix NetScaler training for most of this week. I have heard good stuff about this product, but I am interested to hear about anyone else’s opinion.
Another interesting thought. Now that I am not responsible for the security of a network, I have no issue posting on my blog what I am going to be doing for the next couple of days. I feel so free!
I posted a couple of weeks ago about doing a talk at Alert Logic. Misha Govshteyn, the founder and CTO of Alert Logic, was in the group as well, and we talked for a bit about various things. If you have not talked to Misha, he is a very informed person, and he is clearly intelligent with clear-cut and well thought out opinions about security.
By the way, I WAS NOT PAID FOR THE TALK, AND I DO NOT HAVE ANY STOCK OR INVESTMENT IN ALERT LOGIC.
Anyway, one of the issues that came up was the possibility of Misha starting a blog. To my knowledge, he has not started one yet. However, Alert Logic has a blog that has been kept under wraps. Until now, that is. I have been given the honor of revealing their blog to the world (they chose me because of my thousands and thousands of readers and fans – **HACK, COUGH** – sorry, hairball).
But in all seriousness, I have read some of the stuff on the blog, and it looks good. The writing is often very witty and well thought out (this Jeremy Hewlett guy has some great skills with the written word). And I have found them to be very informative as well. Go check ‘em out here.
Of course, now that you Alert Logic guys have been exposed to the world, be prepared for comments and criticisms. I hope you have some thick skin. It ain’t easy out here sometimes!
I just wrote a post over at Computerworld entitled The Security of Web 2.0 – an Oxymoron. Then I find this story about Senators McCain and Schumer proposing legislation that will require sex offenders to register their IM names and email addresses. I need to read more about this bill. Like typical security legislation passed by our government, this one appears on the surface to be nothing but security theater and something else to boost Schumer and McCain’s appeal before the presidential elections.
Think about it. How difficult is it to create a different IM name or email address?
The registration provisions would make failure to notify the authorities of all e-mail addresses a felony punishable by up to 10 years in prison.
Uhhh, so? These perverts are already breaking the law and facing jail time and some serious nastiness in the big house (child molesters supposedly don’t fare well in prison – though I have no proof of that). What makes anyone think they are going to change their ways because of another law?
Don’t get me wrong. I am fully on board for catching these “people”. I have children and would unleash all hell if one of these sick, twisted individuals even came close to one of my kids. But another law on the books that effectively does nothing to help the situation is just words on paper. Just make the behavior illegal (which it is) and make the punishment such that if the perv is caught he never sees the light of day again (there are a couple of punishments that would fit that description – you decide which one is right for you).
CJ Kelly, a blogger at Computerworld, proclaimed yesterday that the Internet is safe from DDoS. She says:
…maybe 5-8 years ago this was a possibility, but I don’t think it’s possible to do a large scale DDoS attack any more.
Man, I am so happy to hear this news. You can’t fathom the relief at hearing Ms. Kelly announce our new found safety. I am so indebted to Ms. Kelly for fixing the Internet yesterday right after she posted this announcement.
What was that? What happened yesterday? Well, let’s see. A business web service provider called CrystalTech went down for four hours due to a DDoS attack (it happened the same day she wrote her post). I am glad that isn’t going to happen anymore.
Oh, and EveryDNS was hit hard last week with a DDoS attack that took them down for 1 1/2 hours. I am totally relieved that we won’t see that again.
I also seem to remember a company called Blue Security closing its doors in May because a nutty spammer decided to DDoS them and started causing trouble all over the Internet. Here’s a quote from the article:
The attacks not only disrupted Blue Security’s operations but knocked out the Web blog hosting service Six Apart and a handful of Internet service providers, including Tucows.
Man, I am so happy we are done with DDoS attacks.
OK, I guess that is enough. CJ Kelly’s post is nothing short of ridiculous. I mean, really. Does she write from a black hole where the only articles she can find to support her are Cisco press releases and product whitepapers? I’m not kidding. Look at her links to Cisco. It is friggin’ Cisco propaganda that she calls “informational pages”.
Holy crap, my head is about to explode.
Ms. Kelly, please do some research. Please read the news. If you are a “real world Information Security Officer” as it says in your CW bio, I beg you to better serve your company and the information security industry by informing yourself before you start writing.
I usually don’t post about my personal life, but I have to share some stuff from this weekend.
First, my five year old son is in Taekwon-do. Normally, a white belt would go to yellow tab, then yellow belt, green tab, green belt, and so on. But with juniors, this group makes them go through degrees of white belt (black stripe, red stripe, blue stripe, and green stripe) before they can get the yellow tab. Well, he’s been going for about 4 months now, and he finally got his yellow tab (first step towards black belt, is what they say). So congratulations to my boy.
Second, I learned about some exciting stuff happening with my son’s Taekwon-Do class. There is a “secret seminar” on December 9, and I have been given the lowdown by Mr. Howard, the owner and instructor at Global Taekwon-Do. I don’t want to give out any details, but if this turns out to be as cool as I think it is going to be, then I recommend going out to the website in a couple of weeks. I am excited about it.
Third, after I got over all the excitement of the Taekwon-Do stuff, we woke up this morning went to church, and my 2 year-old daughter fell in Sunday School and split her chin WIDE open. My wife and I were trying to teach a class full of crazy 4 year olds, and they came in and grabbed my wife without telling me what was going on. So here I was, wondering what was happening, and starting to freak out. Finally, they came and told me, then found some other teachers to take our class, and off we went to the clinic. She ended up having 5 stitches.
So here I am, trying not to cry and trying not to hit something at the same time while my little girl is screaming at the top of her lungs because the nurse and doctor are cleaning this gash, then putting other stuff to deaden the pain, then sewing it up. It was horrible. And the kicker is that neither one of my 5 and 4 year old boys have ever had a cut or broken bone (thank God), and my two year old daughter isn’t half their age and she’s already got 5 stitches to her name. Well, at least it is under the chin and not out there for everyone to see.
It may be sexist, but I don’t want my little girl to have any scars like that. I don’t care if my boys have a couple of scars. Scars just make men interesting, and it gives them plenty of material to make up cool stories (not that I would condone that – by the way, did I ever tell you about the time I stormed a bunker and jumped on a grenade to save 20 soldiers?).
And fourth and final, my Dallas Cowboys pulled out a win over the NY Giants. That was awesome.
So anyway, crazy weekend. Here’s to hoping for a quiet week!
My friend Martin McKeay posted a few days back about email privacy. Another friend, the great Alan Shimel, responded with some thoughts of his own. In light of these posts, I found interesting the following story from another friend (not a blogging buddy).
Here’s the story: My friend works at a rather large national sales-type company. He has worked there for about the last 10 years. Recently, the company cut quite a few staff in an effort to get rid of some bloat they had accumulated over the years. My friend was passed over by the cuts. He actually got a promotion out of it because he was placed in charge of a territory that was previously run by 5 sales managers and several account managers (so either they did have substantial bloat, or they are trying to kill my friend instead of firing him).
After my friend received his promotion and started to take over the operation of his new territory, his boss informed him that the IT department had been instructed to forward all emails of the previous managers to his inbox. This was done for obvious reasons, and my friend got ready for the deluge of emails. What surprised him was that he started receiving the emails of an additional 5 sales people that were now his employees, and he knew that neither he nor his boss had requested this to be done.
After scratching his head for a few minutes, my friend decided to check with his boss to see what was going on. You can probably see where this is going, but basically, they found that one of the previous managers that got the axe was spying on his sales people. According to my friend (and I believe him), this guy was a micro-manager from hell, and he would not let his sales people make any decisions without his explicit approval. He basically beat his employees into submission and made them little more than robots doing his will. But he was smart enough to keep this from his boss.
He made sure that his boss knew nothing about the emails being forwarded to him by going directly to a single IT person and asking to have this done. I have no clue about the company’s change management process (it is obviously pretty weak), but I guess this IT guy was either bribed or just charmed into doing this without ever letting anyone else know about it. And the IT guy could not really be held accountable after they discovered what had happened because he had taken an early retirement option that had been offered when the company was cutting back (they ended up letting 48 IT people go by either layoffs or early retirement).
So what are some lessons here? First, change management is important. This could not happen (or would be less likely) if the company had a strong change management process that made requests go through the system, and those requests were checked by more than just one individual. Second, system reviews are important. Even if something like this slips by, having a regular review of systems from someone outside this particular responsibility area would have likely turned up something fishy. Third, your privacy is never guaranteed, especially in email and in an employment situation. Though this was done incorrectly, and these employees (according to my friend) did not know they were being monitored, it is still within the rights of the company to check up on the employee’s corporate email.
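One way to put the second lesson (a periodic review by someone outside the responsible area) into practice, as an added example that is not from the original post: a small Python audit that cross-checks the mail forwarding rules actually configured on a mail system against the change records that should authorize them. It flags a forward with no change record, a forward whose change was requested and approved by the same person, and a forward approved by the very person receiving the copies. The rule and change records, the addresses and the field names are all constructed for this example; a real review would export them from the mail platform and the ticketing system.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class ForwardRule:
    """A forwarding rule as it exists on the mail system (constructed fields)."""
    mailbox: str        # mailbox whose mail is being copied
    forward_to: str     # address receiving the copies
    created_by: str     # admin account that configured the rule
    created_on: str     # ISO date the rule appeared


@dataclass(frozen=True)
class ChangeRecord:
    """An entry in the change-management register (constructed fields)."""
    mailbox: str
    forward_to: str
    requested_by: str
    approved_by: str    # should be a second person, never the requester


def audit_forwards(rules, changes):
    """Return a list of (rule, reason) for every forward a reviewer should question.

    Three conditions are flagged:
      * no change record exists for the (mailbox -> forward_to) pair at all,
      * the record was requested and approved by the same person, or
      * the approver is the recipient of the forwarded mail.
    """
    register = {(c.mailbox, c.forward_to): c for c in changes}
    findings = []
    for rule in rules:
        record = register.get((rule.mailbox, rule.forward_to))
        if record is None:
            findings.append((rule, "no change record"))
        elif record.requested_by == record.approved_by:
            findings.append((rule, "self-approved change"))
        elif record.approved_by == rule.forward_to:
            findings.append((rule, "approved by the recipient"))
    return findings


def recipients_with_findings(findings):
    """Group flagged rules by the address that benefits, so the reviewer sees
    at a glance who is collecting other people's mail."""
    by_recipient = {}
    for rule, reason in findings:
        by_recipient.setdefault(rule.forward_to, []).append((rule.mailbox, reason))
    return by_recipient


# Constructed sample data modelled on the story above: one legitimate forward of a
# departed manager's mail to his successor, and two forwards of sales reps' mail to
# the old manager that were set up through a single IT admin.
RULES = [
    ForwardRule("old.manager@example.com", "new.manager@example.com", "it-admin-a", "2006-11-01"),
    ForwardRule("rep.one@example.com", "old.manager@example.com", "it-admin-b", "2006-06-15"),
    ForwardRule("rep.two@example.com", "old.manager@example.com", "it-admin-b", "2006-06-15"),
]

CHANGES = [
    ChangeRecord("old.manager@example.com", "new.manager@example.com",
                 requested_by="vp.sales@example.com", approved_by="it-director@example.com"),
    # rep.two's forward does have a record, but the old manager both requested and approved it
    ChangeRecord("rep.two@example.com", "old.manager@example.com",
                 requested_by="old.manager@example.com", approved_by="old.manager@example.com"),
]


if __name__ == "__main__":
    for rule, reason in audit_forwards(RULES, CHANGES):
        print(f"{rule.mailbox} -> {rule.forward_to} "
              f"(set by {rule.created_by} on {rule.created_on}): {reason}")
```

Run against the sample data, the audit flags both forwards to the old manager and nothing else; the grouping by recipient is what makes the pattern in the story (several mailboxes all feeding one person) obvious to a reviewer who was not involved in the original request.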
Here’s the article.
So the presentation went over very well. Let me break down a bit why I went to talk to Alert Logic and some specific points on the talk.
Sam Van Ryder is a friend of mine who is a sales guy at Alert Logic. He wanted me to come in and present to the sales staff what a Security Manager’s job entails. I jumped at the chance because it gave me a chance to show sales people what trench warfare in security is all about.
How I approached it was from the standpoint of an SMB security manager type. Since this type of security manager is usually low on resources and high on duties (and since this is the most common type today), I figured I would show them the daily grind and just how much work a security manager has to do. I broke the day down like this:
7:35 AM – 9:00 AM Check security logs
9:01 AM – 10:30 AM Check spam filter
10:31 AM – 12:00 PM Answer voice mails and email
12:01 PM – 12:45 PM Lunch (maybe)
12:46 PM – 1:59 PM Run network scans
2:00 PM – 2:59 PM Check helpdesk tickets
3:00 PM – 3:45 PM Install patches
3:46 PM – 4:30 PM Tune IDS/IPS
4:31 PM – 6:45 PM Administrative crap
6:46 PM – 7:30 PM Drive home (maybe)
7:31 PM – 7:29 AM Worry
That all got a good laugh, but I assured them that this is often not far from the truth, and this was not everything a security manager had to deal with.
To give them a more in depth look from the technical side, I reproduced my post about all the many and varied security devices a security manager has to work on (IDS, IPS, firewalls, routers, switches, email gateways, etc.) and the maintenance on them. Then I hit them with the many non-technical issues a security manager has to deal with, like employee issues, meetings, project management, budgets, etc. I could see that many in the room had not thought about those as being security manager tasks.
I went a little deeper into the amount of research a security manager must do and how much training (user, IT employee, and self) must be done and kept track of.
Then I talked about the compliance issues that security managers deal with. I did it without going too deep and boring them, but I wanted them to realize how important compliance was in today’s world (especially PCI).
I talked about how security managers prioritize projects, though I honestly said that I could not really talk about how others do it. I described how I tried to keep a schedule as best I could, and how it was typically unsuccessful because of everything that popped up during the day.
Then I spoke about what makes a successful security manager and how admin crap was necessary to the job but tended to take away focus on securing the network and could lead to security problems.
Then I produced a list of what talents and skills a security manager must have to be successful:
• Has strong technical skills and knowledge
• Has strong documentation skills
• Can talk to employees and execs in layman’s terms
• Can lead and mentor a team
• Has strong project management skills
• Has the talent and the patience to deal with corporate politics
Before you start commenting and adding to this list, realize that my purpose here was to show just how varied and wide a security manager’s job must be. And I admitted that I was not good at the last one and that it was the main reason I got out of the security management role.
Finally, I told them about how they could help the security manager. My answer was, “Give the gift of time” (if you see this in any of the Alert Logic marketing materials anytime soon, I told them they could have it – it’s not really unique, but they liked it).
I explained that good reporting capabilities for any type of device and service such as theirs is one of the most essential time-saving tools a security manager can have. Give me a pretty (and functional) portal that I can place in front of my CIO where he can run his own reports and leave me alone, and I will pay a couple more grand right up front.
Also, make the device where it actually contributes to security and is not just a compliance widget.
There was some other stuff, but a lot more came out in the Q&A session after the presentation that was great.
That was basically it. I felt very good about it, and I received several positive comments. I’ll talk about Alert Logic as a product sometime soon (from what I have seen of it).
I have a speaking gig for the Houston office of Alert Logic today. I will be talking to the sales team to let them know about the job of a security admin / manager and how they can help him / her in the job. I will try to discuss the points of the talk later this afternoon or tomorrow.
Mike posted some rants about his vendor pet peeves this morning. I like these two a lot:
Don’t spend time on your background – In 90% of the cases, I’ve trolled your website before our briefing. So I’ve read the executive bios. You don’t have to tell me you did this or did that. I pretty much don’t care. If there is something interesting in your background that I want to discuss, I’ll bring it up. I’m not a bashful guy.
Where’s the beef? – Especially if we’ve spoken before, just get right to it. You’ve asked for my time, so don’t waste it by telling me stuff I already know. Give me a 2 minute update on your business (which may take longer if I have questions or want clarification) and then tell me why I care about your news or ask for my advice on something you are thinking about. Not much annoys me more than hearing stuff I already know.
Mike is an analyst, and vendors want him to talk about their stuff. But it is amazing that the pitch is the same if you are an analyst, an in-the-trenches professional, or a sales engineer like me. Basically, vendors have this desire to tell you everything about the history of their company. History is important, make no mistake. But like Mike says, if you are coming into my company with a pitch, I have already done my research. Just get to what needs to be said.
As a sales engineer, I try to know my customer. The vendor should make the same attempt by asking me to whom he is going to be speaking so he can modify his pitch. And I watch my customer when the vendor is pitching. If the customer is more technical, and they start looking kinda bored and start twitching or something, I pick up on that and push the vendor as needed.
Basically, get to the good stuff. If the customer wants the fluff, he will ask for it.
I just came across a new security blog this morning. Andy, IT Guy has been writing since August, and he has some good insights into security. He commented about my Generalist vs. Expert post, which also shows that he has excellent taste in security blogs .
Welcome Andy. Happy blogging and good luck.
I have been thinking about the idea of generalists vs. experts in security (which probably translates into any field). I tend to look at the generalist as a jack-of-all-trades (joat), where the individual knows a wide range of subjects. Some people would say a mile wide and an inch thick, but I think generalists are often much more knowledgeable than they are given credit for. The strength a generalist can lend is a wide variety of experience to help solve problems in many areas. The weakness is if you need a very focused skill or knowledge base, the generalist will probably not have it.
A specialist (or expert) is generally looked at as an inch wide and a mile deep. But unlike the generalist, this is probably a fair statement for most specialists. This person is extremely knowledgeable in one or two areas. The expert can give you advice to likely solve any problem that arises in her area. But experts tend to be very tunnel-visioned and may not be able help in other areas.
I would say that a generalist has the advantage of being able to fit in many organizations, so the career path for such an individual may be better because of this. I know that I have a fairly broad knowledgebase, and it has helped me in my career because I had experience in a lot of different areas.
However, from the direction of value to the industry, I think experts have an advantage because they can answer in depth questions with much more certainty than generalists can. If you frequent forums and knowledgebases, you will find that the questions asked there are almost always very pointed questions about a particular product in a particular scenario. This type of question plays into the specialist’s hands.
As an example, I can see a huge value in the expert knowledge of the people in Accuvant’s assessment practice. These people totally kick ass in what they do, and it adds a HUGE amount of value to Accuvant’s offering.
I think generalists tend to end up in roles like security evangelists and pre-sales engineers (though I know a couple of SE’s who are very broad and deep in their knowledge of security).
So I guess you can argue this all day without coming to a consensus. And though I have essentially taken the generalist path in my IT and security career, I don’t think either is “better” than the other. It really depends on your proclivity and your basic talent.
I just upgraded to Firefox 2.0, and I found a cool little extension while searching around. It is called Live Writerfox. Basically, it uses Microsoft’s Windows Live Writer to blog a page or selected text. Pretty sweet if you use Windows Live Writer.
Before you read this post, go take a look at my “Rules” for my blog.
OK, now that you are back, let me piss off some people. During this election season, I have to say that most of the security bloggers out there stayed out of the fray by sticking to what their blogs are about, namely: security. And my blog rules state that I will do the same. Basically, if you want to discuss a law or other political issue that pertains to security, then fine. I will do the same. Martin McKeay and I have had our friendly blog disagreements concerning phone tapping, phone tracing, tracking terrorists, and privacy stuff. Alan Shimel and I have done the same to a degree. All that is fine because that kind of stuff is relevant to security. You can make judgements and assumptions as to our political leanings based on what we have posted (and maybe the region of the country we each live in), but that is no guarantee as to where we stand because we have made no definitive statements on the subject (I haven’t read all of Martin’s or Alan’s stuff, but I haven’t seen it in any of the stuff I have read).
I say this because I read a couple of posts from security bloggers during this last election season that, in my opinion, are just a little off. One post was by the Great One, Mr. Schneier himself. He says he is glad to see the Republicans get some of the brunt of the electronic polling problems. He backs off of that kinda quickly, but it shows his bias clearly. Another is by a blogging buddy of mine, Christian Koch (might not be a buddy after I write this, but I hope all is still well). In his post, he doesn’t even try to hide his feelings at all (not saying that he should have to, but you will see where I am going with it below).
First of all, I want to say that I respect everyone’s views, even if I don’t agree with them or understand them.
Second, if you have a blog, then it’s your fingers doing the typing, so you have full freedom to write about anything you want. I get that, and I would never say you can’t.
However, don’t we, as security bloggers, owe it to our readers to stay a level above all this mud slinging and give content that is relevant to security? It seems a tad bit like false advertising if you have a blog that is advertised as a security blog and you use it to blast a politician or a political party because you don’t like their politics.
And another reason not to show which side you are on is because it tends to taint your readers’ opinions of you from then on. If you try to come at an argument with logical, non-biased opinions, your debate will still be tainted by your blatantly-stated political beliefs. That is no better in my mind than if you stated that you liked TippingPoint IPS better than anyone else’s, then tried to go into a debate about IPS products and tried to stay neutral. There is nothing wrong with stating your opinion on the matter because you are free to say what you want. But your opinion will be tainted from then on. And you would never again be able to be neutral on the debate (at least, not for a long time) because you can’t switch to neutral once you have got in gear.
Anyway, my two cents’ worth. You may think I am just frustrated because I did not like the outcome of the election. But you really can’t make that statement, because I have never said which side I am on, regardless how many clues you think I have given. So there!
And Christian, just to hopefully ease hurt feelings, I thought the cartoon in your post was pretty funny.
Working on NSM today. Pretty sweet util that integrates the configuration of Juniper’s NetScreen security products into a single console. They have most of their security products on it now. SSL VPN is still not there, but it is coming. Very cool stuff.
This article just kills me. Wikipedia is about as reputable and reliable as a submarine with screen doors, yet people continue to go there for info. It amazes me.
Another thing that is funny is that Wikipedia was mentioned in a play at my church this weekend. Our church has a big Sunday School group that is made up of the kids and their parents. There are lessons that have skits, etc. in them. One of the actors was playing a kid who was doing research for a school project, and he said his parents told him to use “The Google” and to stay away from Wikipedia. I laughed out loud, I thought it was so funny!
A while back, when I was in the operations side of security, I wrote a series about how to be a good security admin / manager. It was fairly successful and got some good play out there in the blogosphere, so I figured that I would write something akin to those posts in a blatant attempt to drive more traffic to my site.
Oh yeah, and I, ummm, want to make a difference in the security industry, or something… whatever.
So, how to be a good SE. First, let’s define the term “SE”. In many to most cases, that term means System Engineer. In my case, it means Security Engineer. Both perform the same function, however. At least they do in what I am referring to here, and that is in their pre-sales role.
A pre-sales SE is often perceived as the salesperson’s lapdog, to be ordered around and told where to go and when to be there. This may be the perception, but it is almost always not the case. The real truth is that the SE is the one who follows the salesperson around and makes sure the salesperson is telling the customer the truth. For example: “No, Bob, this product cannot call down lightning and destroy hackers attempting to break in to the website.”
If you can’t tell, I have been reading “The Dilbert Principle”.
But in all seriousness, the reality is that the SE’s number one job is to protect the customer from making mistakes and buying the wrong product for their needs. That is also the salesperson’s job. And though I can say with all seriousness and honesty that all of the salespeople I have met at Accuvant truly are honest and try to protect their customers, this is not always the case out there. A salesperson has a quota, and they have pressure to meet that quota, and they don’t always have their customer’s best interests in mind. So the SE has to be that buffer. And when an SE meets with customers, he is EXPECTED to be that buffer that the technical people at the customer need.
In case you didn’t get that, I’ll type it again. The SE is EXPECTED to be the buffer. That means that the SE is expected to be honest in his appraisal of the situation. He is looked at as the guy who works for a living, just like the technical people in the trenches. He is supposed to be the guy who knows what the technical people are going through day after day, dealing with users, management, etc. Even if the SE has never held a true operations type job, he still will be perceived as such. That perception is what garners trust in the SE, and that trust CANNOT be broken.
What many people may not know is that pre-sales SEs typically get bonused on sales (they don’t get the same compensation as salespeople, but they do not have as much at stake either). And just like salespeople, SEs with VARs (like me) are often approached by manufacturers with incentives to push their product (these are often very good – money, electronics, etc.). This is called a spiff. These two things together can cause serious temptation for the SE to not make the customer’s needs the number one concern.
But if you are an SE, or are considering a move to this type of position, you MUST be able to resist this type of temptation. Notice that I am not saying it is wrong to accept these types of rewards (most of the time, you cannot take an SE job without the bonus, and I would personally think you are a little crazy if you didn’t take it – and taking a spiff is not wrong if you made an honest sale and kept the customer’s need on the forefront). But you must be able to look long term. The desire for an immediate reward must be superseded by the customer’s needs.
And when the SE does resist the immediate gratification, he will almost always see a long-term return that comes from a relationship with the customer because that customer knows he can trust the SE. It is often the case that once a relationship is established with a customer, the SE is the person who is contacted most. That is because the SE has direct knowledge and contacts with people who can solve the customer’s problems. So creating that bond of trust will lead to dividends for the SE’s employer, and the SE as well.
So all that in a nutshell is this: create REAL trust with the customer by keeping his / her needs first. You may have to wait a little longer for your reward, but it will be a greater reward after all is said and done. And just so you know, I do not mean only monetary reward. The reward of being trusted and held in high esteem is also a reward, and it can be more valuable than any earthly possession.
Everyone seems to be commenting on the Counterpane acquisition by BT. But unlike most of the “analyst” type comments out there (here, here, and here), I want to comment about this acquisition from my not-too-long-ago viewpoint of a security manager.
First of all, with all respect to Mr. Schneier, I was never impressed with Counterpane. They pitched to me about a year ago, and I was singularly unimpressed to say the least. The sales person talked like she had been on the job about a week. I don’t mean to be nasty. Maybe she had not been there very long and was just learning the ropes, so this might not be a fair critique (another thought – maybe she was just too stunned by my dashing good looks to get her thoughts collected – hmmmm). But no matter what the case, she really seemed to have zero clue as to what she was saying. And I expected a little more from Counterpane. That was my first clue that they were not doing too well.
Also, about a week after our meeting, she called and basically went through the whole sales pitch that she should have gone through when she was face-to-face with me. So one of two things was happening: 1) either my suspicion about my stunning good looks is correct and she had no problem when she didn’t have to see me (though my voice is nothing to sneeze at, I tell ya’!), or 2) she didn’t receive any sales training before she was thrown to the lions. If the latter reason was the case, then that also did not show positive for Counterpane.
And while the engineer she brought along seemed to be knowledgeable, he also could not tell me what exactly brought Counterpane to the forefront in the field besides some reference to them pioneering the field (and what I talk about in my second point). They just didn’t have anything that floated to the top.
The point is that an MSSP is an MSSP is an MSSP. In the finer points of the trade, that statement is probably not totally true. But in general, they all do the same thing. So you have to have some fine point that makes you different, better, or just cooler. And they did not have it. By the way, I also met with LURHQ and Solutionary. They all had somewhat the same stuff. Honestly, of all of them, LURHQ had the best sales pitch and seemed overall better than the other two.
Second, as to Alan Shimel’s comment that “Counterpane was not a professional services company”, I would say that I think he forgot to tell them. First, just look at this page from their website. Second, when they talked to me, they seemed to want to push their professional services down my throat. They seemed to focus on that during a great part of the meeting, maybe even more so than their MSSP services. This is what they seemed to think gave them the edge (I alluded to this above in point 1). And I honestly got the feeling that this was a key area that they were trying to develop heavily and on which they planned to spend some focused resources. Maybe I put too much stock in what a couple of sales types were pitching. Maybe they just picked up on something and thought they should pitch that side heavily. But the way they spoke of it, I was literally waiting for an announcement with them changing focus.
Before I go on, I have to admit that this next point is a little bit “analyst-ish”.Â I ask forgiveness from the people in the trenches.Â OK, here goes…
Third (and this is again with all due respect to Mr. Schneier),Â you cannot bank your business on a hero figure, even one such as Bruce.Â Yes, he is a security master and a legend.Â Yes, he is brilliant.Â Yes, he could whip Chuck Norris in a fight (uhhh, went too far – sorry).Â But that really can only carry you so far.Â You have to produce and keep producing.Â You have to differentiate, especially in a field where most of your competitors are offering essentially the same services.Â A name just is not enough.
So, that’s my take on the deal.Â I honestly was not at all surprised to see this happen.Â I think BT is basically doing what the market is demanding, and they went the cheapest route possible.Â No more, no lessÂ (crap, another analyst comment – I need to watch that).
I’ll be the first one that says TV shows and movies are hardly based on reality.Â But when they screw up something that is near and dear to me, I get very upset.Â
For instance, I was in the Army and Army National Guard for over 7 years.Â Though I was never a career soldier, I still took it seriously, and I still do today.Â Maybe too seriously.Â I get very upset when I see a TV show or a movie that screws up things like rank insignia (Army sergeant rank on upside down in some sitcom I watched) or basic military rules (you do NOT salute indoors unless you are reporting to an officer – that mistake is in too many military movies).
This feeling also bleeds over big time into my chosen profession of information security.Â Â There is aÂ new show on NBC called KidnappedÂ that I have been watching and enjoying for the last few weeks.Â Basically, it is about a rich family’s son getting kidnapped and the family trying to get him back.Â There are all kinds of twists and turns in the plot.Â The dad used to be into some bad stuff, so it seems to revolve around someone getting back at him or trying to get some stuff from him.Â
Anyway, last week the family’sÂ hired gun (ex-military, police dude, etc.) gets asked by the FBIÂ for help.Â They want him toÂ apply for a job withÂ a civilian-run military company (basically, mercenaries) that supposedly has info on some people they think are involved in the kidnapping.Â The guy goes through some weird psych-interview, then he is placed in front on some computer by himself that has a program running with pictures flashing.Â The guy looks around, then easily opens some access panel to the PC and inserts a “remote control” device in some very conveniently-placed access port.Â Of course, I am thinking, “where are the cameras that should be watching this guy?”Â
Then, as the agent outside in the FBI van (real unique, right?) takes over the running of the program, he runs down the hall, guided by the blue prints of the inside of the building (which that type of compnay probably just publishes on the Internet) and strolls into the server room with no challenge and no lock on any door that I can see.Â There are racks of servers, switches, etc.Â Â Then he sticks another device in the “mainframe”, and away they go.Â
He does get caught, but it was only because another agent ran in the building and called a security alert in a ploy to get the main bad guy to start erasing sensitive files.Â They capture the screens (with all pertinent information on the first screen – nice, huh?), thus saving them the effort of searching through records.
Yea, ok, right.Â I know it probably shouldn’t bother me, but that just pisses me off.Â At least TRY to make it somewhat real.Â Â I think even a layperson without security experience would probably be thinking, “where’s the security here?”
Go check out this articleÂ at Dark Reading.Â Looks like this group is creating a botnet with a trojan that has a cracked version of Kaspersky AV to clean machines (except for itself, of course) to make sure it gets all the bandwidth it can to send out spam.Â It is called the SpamThru trojan.Â
This is crazy.
I am impressed thus far, but I am having some serious trouble staying focused because I keep getting calls on the RFP I posted about yesterday. Oh well, the life of a pre-sales SE.
…but it is also one big pain in the neck! I have been thrown into the process of answering an RFP (request for proposal) for a city government down here in Texas, and I cannot begin to tell you how tedious and ridiculously complicated the whole process can be. RFPs can be complicated enough with corporations. But when you get one from a governmental entity, you have so many other things to worry about (there are a ridiculous number of special considerations and conditions when you do work for governments).
Another thing I am finding out first hand is that many government workers (not all, but I wouldn’t think it too far from the truth in saying most) are functionally inept in their positions, at least when it comes to technical matters. Though I have had some inkling of this from talking to peers over the years, it amazes me when I see it so closely.
First of all, the RFP is very poorly written.
Second, it is incomplete.
Third, when you try to ask questions to work out the inconsistencies, the answers are often, “Because I say so”, or “Don’t question why our network is set up as it is.”
I don’t know if we will win this contract or not. If we don’t, then we have wasted a LOT of man hours. I guess it is worth the payout if it happens, but I have to wonder if anyone has figured out the cost of NOT getting one of these and compared it to the potential profit. I am sure someone has.
And if you are thinking that I make a salary, so it doesn’t matter, then think again. I have about 4 projects for which I am either scoping or actively talking to clients to complete. Two of these are sure things, and two are 50% or above on probability. And these aren’t some small deals you can just sneeze at. There is good money to be made here. So the more time I do this dang RFP, the less time I am working on some potentially good profit for Accuvant. All to work on a deal that no one has a good idea whether it will come through.
Oh well, business is business!
For anyone not aware, the new IE7 is going to be pushed out auto-magically by MSFT with auto-updates. Juniper does not support IE7 or Vista yet with its SSL VPN product. Here is the release by Juniper:
PSN Issue : Microsoft will soon be releasing Internet Explorer Version 7 (IE7) and Windows Vista.
Solution: Please be advised that neither IE7 nor Windows Vista are supported in the current releases of the Juniper SSL VPN Products (IVE/SA products). The following plans are in place to add supportability.
* IE7 support will be added to the IVE 5.3 and 5.4 branches in maintenance releases in the month of December.
* Windows Vista support will be available in Q1 2007.
We recommend that users of the IVE/SA products do not upgrade to IE7 until the appropriate release is made available and is installed on your device.
Microsoft offers a tool that will prevent the auto update of Windows machines to IE7. Please see Microsoft’s web page for more details.
If you use Juniper’s SSL VPN, download this tool (issued by MSFT) to block the download of IE7.
Here’s what they sent me:
There was a SYN FLOOD where we were only receiving ACK to our webserver, so our Rio Rey, which is our anti-DDOS box, did not reject, because it was seen as legitimate traffic. Due to the nature of the problem, we were required to block approximately half of the internet at the Cisco level.
Anyone know what this Rio Rey product is, or maybe this is just their hostname?
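The explanation Bluehost gave above, that the flood was made of ACK segments and so looked like legitimate traffic to their anti-DDoS box, comes down to state: a bare ACK is only legitimate if it belongs to a connection the server actually completed a handshake for. The script below is an added example, not code from Bluehost, RioRey or this blog; it shows the general case of which the incident is one instance, by running a naive SYN-counting check and a stateful handshake tracker over the same traffic. The server address 203.0.113.5, the client and flood-source addresses, the ports and every packet record are constructed for the demonstration.

```python
"""Why an ACK-only flood passes a SYN-oriented filter, and how a stateful
check catches it.

Added example; not code from Bluehost, RioRey or this blog. Every address,
port and packet below is constructed for the demonstration.
"""
from collections import Counter
from typing import Dict, FrozenSet, Iterable, List, Tuple

# Packet record: (src_ip, src_port, dst_ip, dst_port, tcp_flags)
Packet = Tuple[str, int, str, int, FrozenSet[str]]

SERVER_IP = "203.0.113.5"   # constructed: the protected web server
SERVER_PORT = 80

SYN = frozenset({"SYN"})
SYN_ACK = frozenset({"SYN", "ACK"})
ACK = frozenset({"ACK"})


def syn_only_detector(packets: Iterable[Packet], per_source_limit: int) -> List[str]:
    """Naive check that only counts inbound SYNs per source.

    This models a stateless filter: a flood built from bare ACK segments
    never trips it, because no packet in the flood carries SYN.
    """
    syns: Counter = Counter()
    for src, _sport, dst, dport, flags in packets:
        if dst == SERVER_IP and dport == SERVER_PORT and flags == SYN:
            syns[src] += 1
    return sorted(src for src, n in syns.items() if n > per_source_limit)


def stateful_ack_detector(packets: Iterable[Packet], per_source_limit: int) -> Dict:
    """Track the three-way handshake per (client_ip, client_port) and count
    ACK segments that arrive for a connection the server never set up.
    """
    state: Dict[Tuple[str, int], str] = {}   # connection -> handshake stage
    out_of_state: Counter = Counter()        # src_ip -> bogus ACK count

    for src, sport, dst, dport, flags in packets:
        # Server -> client direction: only the SYN-ACK advances the handshake.
        if src == SERVER_IP and sport == SERVER_PORT:
            key = (dst, dport)
            if flags == SYN_ACK and state.get(key) == "SYN_RECEIVED":
                state[key] = "SYNACK_SENT"
            continue

        # Client -> server direction.
        if dst != SERVER_IP or dport != SERVER_PORT:
            continue
        key = (src, sport)
        if "RST" in flags or "FIN" in flags:
            state.pop(key, None)             # connection torn down (simplified)
        elif flags == SYN:
            state[key] = "SYN_RECEIVED"
        elif "ACK" in flags:
            stage = state.get(key)
            if stage == "SYNACK_SENT":
                state[key] = "ESTABLISHED"   # third leg of the handshake
            elif stage != "ESTABLISHED":
                out_of_state[src] += 1       # ACK for a connection we never saw

    return {
        "out_of_state_acks": sum(out_of_state.values()),
        "per_source": dict(out_of_state),
        "flagged_sources": sorted(s for s, n in out_of_state.items() if n > per_source_limit),
    }


def constructed_traffic() -> List[Packet]:
    """Constructed sample: one real visitor plus five hosts sending bare ACKs."""
    client = "192.0.2.10"
    pkts: List[Packet] = [
        (client, 51000, SERVER_IP, SERVER_PORT, SYN),
        (SERVER_IP, SERVER_PORT, client, 51000, SYN_ACK),
        (client, 51000, SERVER_IP, SERVER_PORT, ACK),
    ]
    pkts += [(client, 51000, SERVER_IP, SERVER_PORT, ACK)] * 5   # request/data segments
    for i in range(1, 6):                                          # constructed flood sources
        src = f"198.51.100.{i}"
        pkts += [(src, 40000 + j, SERVER_IP, SERVER_PORT, ACK) for j in range(20)]
    return pkts


if __name__ == "__main__":
    traffic = constructed_traffic()
    print("SYN-only detector flags:", syn_only_detector(traffic, 10))
    report = stateful_ack_detector(traffic, 10)
    print("out-of-state ACKs:", report["out_of_state_acks"])
    print("stateful detector flags:", report["flagged_sources"])
```

On the constructed traffic the SYN counter flags nothing while the stateful tracker attributes all 100 bogus ACKs to the five flood sources and leaves the real visitor alone. The per-source threshold is the weak part at real scale: with thousands of sources (the Bluehost email later on this page mentions more than 8000), each one can stay under any sensible limit, so the aggregate out-of-state ACK count is the number to alarm on, and the filtering has to sit somewhere with enough state to know which connections the server actually opened.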
I have decided to start putting down some of the day-to-day events with this new job. I think it will actually help stir my mind to blog more since I have not been writing near enough lately. So here goes.
I have actually been kinda bored since my recent job change. Though I have been getting in contact with our vendor partners and getting set up for training on products, the real action is out there selling and designing and proposing. I really want to get thrown into the fire.
Part of the reason I’m not out there yet is we do not have a sales person dedicated to the Houston market. We need someone badly because the guy selling in Houston is based in Dallas, and he has a lot to do up there as well as down here. However, he finally got down here today, and it got crazy quickly (be careful what you ask for).
The sales guy flew in at 9am this morning at IAH (Houston Intercontinental), but he didn’t get in my car (I was chauffeur today) until 9:25am, and we had an appointment in SW Houston at 10am. For those of you who know Houston, IAH is on the far north side of Houston, and Houston is BIG. I made the trip in about 25 minutes, which I was proud of.
Anyway, the talk was basically an introduction to Accuvant and what we could offer. This was my first real meeting with the sales pitch thrown to a client, so I learned a lot (I learned even more through the day). But to be honest, I think of the term “sales pitch” as negative. What we did today was, technically, selling Accuvant. However, Accuvant really has differentiated itself quite a bit from most “security” companies because of the unique approach to the industry. I have talked about it before, but Accuvant just seems to do things right. Yes, there are always going to be internal problems, but Accuvant just seems to be a company that takes customers seriously and at face value. We don’t want to walk in and just sell a box then walk out until it’s time for a maintenance renewal. We want to partner and grow with our clients, and this is no BS. I am really impressed by Accuvant, and I know this company is going to succeed even more in the coming years.
OK, sorry. Anyway, the meeting went well. We have some strong offerings in compliance and assessment, and the client seemed to take to that well (we were talking to IT risk manager and audit types, so they loved the ControlPath product we offer for keeping track of compliance, risk, etc.).
The next client is looking at implementing Infoblox, which is a pretty sweet product in my estimation. Infoblox offers simple and secure DNS, DHCP, IPAM, and RADIUS services in an appliance. I have seen the box and how it works. It is very simple. Many companies are replacing their Microsoft-based DNS, DHCP, and RADIUS with this product, and I am seeing some great results.
The next client was a partial introduction – I had previously worked at this client, so the intro was more for the sales guy and Accuvant in broader terms. They are a property-management company who deals almost exclusively with apartments. They are looking at wireless access for their tenants in new complexes, which is going to be fairly daunting for a lot of reasons that I won’t get into. Suffice it to say that they want a lot for little.
So after that client, we went to an established client that is looking into SIM / SEM (some call it SIEM) for capturing very specific events in remote offices and centralizing them at corporate (insert Rothman negative comment here). We are putting Network Intelligence in front of them for the scalability and sheer EPS (events per second). To put it simply, I like this product. I might get into that at a later date.
Anyway, we left that client, located in Downtown Houston, at almost exactly 5PM. Not a good time in Houston. The sales guy’s plane left at 7pm, so, needless to say (but I am going to say it anyway), we were a bit rushed. However, we found out after we got on the road that, due to a LOT of storms down here today, his flight was delayed for over an hour, so we calmed down. Then, wouldn’t you know it, we still made it to the airport in plenty of time for the original flight time. I guess being relaxed during the drive helped me just go with the flow better, so driving was a lot quicker than I expected.
So, that’s my day. It was very busy and crazy, but I finally got in the mix. I have a lot of “action items” from these meetings, so that is going to help me get even more familiar with the products we sell. These meetings also helped me get down our philosophy (I think that sounds better than “sales pitch”), so I will be better prepared for future meetings with clients (especially since I know I will be mostly on my own until we get a sales person down here). Things are starting to pick up, so I got out of the house, and I am glad for that. I love my wife and kids, and they love me (or so they tell me), but we are all getting a little tired of each other right now!
Email string between Matt Heaton (Bluehost CEO) and me on the DDoS. Not a lot of info, but here it is (start at the bottom):
It was directed at one specific IP, not a domain name. The IP was a shared IP with over 800 domains on it so it was not possible for us to just block the incoming traffic to that IP.
Matt Heaton / Bluehost.com
On Oct 5, 2006, at 11:53 AM, Michael R. Farnum wrote:
Thanks for the reply. Did the attack appear to be directed at a certain site that you host? Was it directed at a certain IP or an IP range? I understand if you can’t divulge information, but I want to gather as much info as possible.
There isn’t really much to know. We mitigated most of the attack; even though it looked horrible from many customers’ side, we had blocked upwards of 80% of it. The entire attack was a total of more than 8000 IPs all originating in Asian countries, with Japan and Taiwan being the majority of the attack. It was sending more than 800,000 packets every 5 minutes and consuming more than 350 Mbit of bandwidth. It was a HUGE attack. I hope this helps.
Matt Heaton / Bluehost.com
On Oct 5, 2006, at 6:02 AM, Michael R. Farnum wrote:
I couldn’t get to my website (infosecplace.com – hosted at Bluehost) because of the DDoS on one of your servers yesterday. My website is a blog dedicated to Information Security, and I would love to write about this incident. Is there any way you would be willing to share some non-confidential information on the incident so I could have kind of an “exclusive”?
Not sure how this squares with this email from Bluehost support:
We are currently experiencing a DOS attack on this server, and so we have blocked a portion of the internet from being able to access the server. If you are in one of the IP octets that were blocked then you will not be able to access the server because our router is blocking you. Once the DOS attack stops you will be able to continue accessing your site.
Obviously I am not working from Asia, so I don’t know why I would have been blocked. So I think that explanation was bogus at best and just meant to keep people off their backs. So my site was definitely down to more than just me. But that’s what support lines do, right? Obviously, they didn’t know they were dealing with a man of superior intellect and a keen sense of information security!!! Right….