Security Management archives - Security Bytes


Sep 8 2008   11:12AM GMT

McAfee rolls back the clock with Artemis cloud security service



Posted by: Dennis Fisher
Security Vendor News, Security Management

Tech companies are masters at taking an old technology or service, shining it up a bit, giving it a new name and trotting it out as a completely new idea. It’s not often, though, that a company does that with its own idea, but that’s exactly what McAfee Inc. seems to be up to with the launch today of its Artemis technology, a security-as-a-service offering. The service is meant to deliver antimalware protection over the wire, giving users protection against new threats by analyzing new samples submitted automatically by users and sending out protections if a new threat is identified.

Stop me if you’ve heard this before.  That’s right, it’s the new and improved MyCIO.com. Back in the day (read: 2000), McAfee, then known as Network Associates, had a short-lived subsidiary that delivered antimalware protection as a service, albeit with a slightly different twist. The original MyCIO.com model had a couple of hosted services, including IDS and vulnerability assessment, and also included an antimalware service that used a modified peer-to-peer architecture to deliver updates to users more quickly. This was before the days when automatic updates were standard practice, so the idea of a handful of users inside an enterprise serving as local update points was innovative. It enabled the first few users who signed onto the network to pull down the newest update files and then begin serving them to other local users as they came online.

The MyCIO.com model turned out to be a little ahead of its time, and the company was subsumed by parent NAI in 2001. A former exec with the company told me a couple of years after MyCIO.com shut its doors that NAI executives just didn’t have the stomach to ride out the bumps and hiccups in the ASP market. But now that companies such as NetSuite, Salesforce.com and others have shown that the model itself is a viable one, we’ll have to see how it plays out this time around for McAfee. So-called cloud computing is the new hotness for technology vendors in all sectors, and can provide some real benefits in terms of cost savings for some enterprises, so it makes sense for McAfee to take another run at it. Like the man said, everything old is new again.

Jul 18 2008   2:15PM GMT

Intel & Symantec tout app virtualization



Posted by: Marcia Savage
Application Security, Security Management, Platform Security

Intel Corp. and Symantec Corp. executives touted the benefits of application virtualization in a roundtable discussion with reporters Thursday in San Francisco.

Virtualization at the application level separates the application from the operating system, preventing applications from modifying system files and avoiding DLL conflicts, said Mike Ferron-Jones, marketing manager at Intel. The technology allows applications to run on clients and be administered from a central location.

“It’s a great way to deploy applications in a way that eliminates the root cause of many helpdesk calls,” he said.

Application virtualization offers IT organizations the ability to save money and maintain control over licensing and patching while giving end users the mobility and performance they need, said Ferron-Jones and Brian Duckering, senior product marketing manager in the Endpoint Virtualization Group at Symantec.

“You can strike a balance between the user and IT needs,” Duckering said.

Virtualization, however, doesn’t eliminate security problems, the executives said.

“An unpatched virtual application is just as vulnerable as an unpatched local application,” Ferron-Jones said.

Duckering cautioned that companies shouldn’t deploy virtualization just for the sake of it. “Understand why you’re doing it and what you’re trying to accomplish.”

Symantec is working on a virtualized security system for Intel’s vPro platform, but a published report last summer said licensing issues were delaying its release. The system will be isolated from the primary OS with the goal of making it tamper resistant.

In a statement Friday, Symantec said customers have been beta testing the first version of the virtual security system and “that customer input will be used for virtual security solutions going forward, but we do not have any dates set for a product release yet.” The company said it’s continuing to work with Intel and its vPro platform from an endpoint management standpoint.


Jun 26 2008   5:53PM GMT

The changing face of information security



Posted by: Dennis Fisher
Security Management

In the last eight years or so, I’ve probably been to more than 100 security conferences, workshops, trade shows and seminars, and I’m hard-pressed to come up with one that’s been more informative or entertaining than the Workshop on Economics in Information Security that’s taking place at Dartmouth College this week. As you might expect, the workshop is focused heavily on economic issues that influence information security and is light on technology talk. The thing that struck me most about the sessions today is the number of people who are doing serious work on this topic. Security has historically been one of the last refuges of the hard-core techie, but some of the brightest minds in the industry are now focusing their energies on thinking about the ways in which security, economics and other disciplines intersect. A quick look around the audience found Ross Anderson of the University of Cambridge, Bruce Schneier, Stuart Schechter of Harvard University and Phil Venables of Goldman Sachs.

I had the privilege this morning of speaking on a panel, with my friends Ryan Naraine and Scott Berinato, as well as Byron Acohido of USA Today and Brian Grow of BusinessWeek, about the media’s role in communicating security information to the public. The session produced a number of really interesting discussions. One attendee asked how difficult it is for journalists to get information about attacks and defenses from the government and enterprises who have been affected. The short answer is: virtually impossible. I’ve had some success with this over the years, as have the other panelists, but the truth is that the public at large, as well as security professionals, are being poorly served by the severe lack of objective data on attacks, breaches and cybercrime. (More on that later.)

Ross Anderson brought up another important topic, which many reporters struggle with on a daily basis: how to walk the line between responsible reporting of attacks and vulnerabilities, and pure fear-mongering. It’s not an easy task, I’ll say that, but if you go too far down the scare-tactic road, people tune out pretty quickly, and that’s counterproductive for everyone. The reality is that many of the things we write about and you deal with every day ARE scary, and people should be afraid of them. Some level of fear is healthy in this business, but we are all better off without the gratuitous bogeyman-in-the-server stories that serve no purpose other than to turn off smart readers.

Bruce Schneier also raised a good question regarding the value of stories about attack and defense tactics versus those about the reasons those attacks are successful and the societal and organizational failures that lead to them. A lot of the value depends on the audience. Byron and Brian both made the point that their audiences are less interested in the deep technical aspects of security than the SearchSecurity or ZDNet audiences are, which is an important point. But while the technical details will always have a place in the stories we write here, the psychological, organizational and economic aspects of why security succeeds or fails should have a seat at the table as well.


Apr 17 2008   10:42AM GMT

Fighting security FUD



Posted by: Bill Brenner
Compliance, Microsoft Security, Security Vendor News, Network Security, Application Security, Information Security Threats, Security Management, Platform Security, Data Breaches and Identity Theft, Identity and access management

I recently tripped over a blog write-up from independent analyst Eric Ogren about his irritation with security vendors using FUD to sell products. It’s an older posting from 2006 but his message is as relevant today as it was two years ago.

Building his case around a threat report Websense released at the time, he wrote, “I’m not sure that the world is better off with yet another security vendor telling us that Phishing, malicious websites, malicious code, hacking tools, P2P, IM and Chat attacks have all increased.”

He dismissed the report as FUD marketing designed to create demand for security products, but said he believed the reports could actually have the opposite effect by pointing out the futility of security products to stop attacks.

He’s not the first security expert to rail against the FUD factor. Security luminary Bruce Schneier has devoted huge chunks of his time speaking out against security ‘theatre’ — policies and products that are more about offering the perception of security rather than addressing the actual risks.

And, rightly or wrongly, the Apple crowd is constantly crying FUD whenever something is written about a security flaw or malware affecting their beloved Macs.

I bring up the issue because it’s long been a source of irritation for me. As a security writer, I’m constantly buried beneath tons of voicemail and email from vendors looking for attention, and the PR machinery almost always uses FUD to make a case for buying the latest compliance-out-of-the-box appliance or the “first of its kind” bot/spyware/worm/common cold zapper.

Along the way, the PR community likes to invent new words or phrases to define the threat, many of which start with the letters “ph” (phishing, pharming, phlooding).

I’ve been looking back through four years of writing for the sake of nostalgia. The big thing that strikes me is that we’ve written a lot of stories about the latest flaw or exploit and someone is always banging on the alarm bell with a hammer.

In the final analysis, it’s prudent to flag the latest flaws and exploits because IT security professionals need to be aware of these things and incorporate the information into their patch management process. Heck, alerting them to these things is what we’re here for. But the tone and level of alarm that should go into these stories is always something we wrestle with.

Everyone has a role to play in information security, from the IT pros to the vendors, analysts and media. But from the content I look back on, I see little evidence that vendor-generated fear has ever made a difference.

Warnings about some flaw or exploit opening the door for a catastrophic Internet-ending event are never followed by the big doom. On the other side of the spectrum, the epidemic of data security breaches shows that all the FUD and security spending in the world can’t prevent the bad guys from punching through. The recent Hannaford supermarkets breach proves you can respond to the fear and spend a lot of money on new technology and still get whacked.

I recently asked Rhode Island-based network engineer Edward Ziots whether he jumps at every exploit warning. Here’s what he told me by email:

“We don’t jump, it would be imprudent to do so. Basically I read up on how the exploit works, even look at the code offline to ascertain if it would be available to be downloaded or how much effort would it take to be in a working exploit. Next, you basically need to adjust your risk assessment based on the controls you have in house, and how many systems could be affected and in what manner.

“Lastly communicate the adjusted risk assessment to management, security and await decision on whether to raise priority for patching, or to deploy other security measures to mitigate until all systems can be patched.

“Honestly, it makes it very difficult with exploit code in the wild and reports of working exploits not to raise your risk level and deploy extra manpower and time and effort to get all systems patched. It’s just due diligence.”

My advice is to take the FUD with a grain of salt and remember that while cyberspace is a dangerous place and you’ll sometimes have to raise your level of alertness as Ziots does, most enterprises will survive with the proper mix of security tools, policies and a calm awareness of the risks.

About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what’s got the information security community buzzing. In this column he lists the weekly highlights. If you’d like to comment on the column or bring new security blogs to his attention, contact him at bbrenner@techtarget.com.


Apr 17 2008   5:00AM GMT

Flaw fixes for Firefox, Mac



Posted by: Bill Brenner
Application Security, Information Security Threats, Security Management

A couple of notable security fixes to flag this morning:

First, Apple has patched the Safari Web browser flaw that famously earned a researcher $10,000 at the CanSecWest conference last month. Independent Security Evaluators researcher Charlie Miller used the vulnerability to compromise a MacBook Air laptop. The flaw is rooted in WebKit, the open-source HTML rendering engine used by Safari and several other Mac OS X programs.

Next, Mozilla has released Firefox 2.0.0.14, fixing a critical security hole in the JavaScript engine of Firefox. The advisory said, “Fixes for security problems in the JavaScript engine described in MFSA 2008-15 (CVE-2008-1237) introduced a stability problem, where some users experienced crashes during JavaScript garbage collection. This is being fixed primarily to address stability concerns. We have no demonstration that this particular crash is exploitable but are issuing this advisory because some crashes of this type have been shown to be exploitable in the past.”


Apr 11 2008   10:12AM GMT

Oracle preps CPU for 41 flaws



Posted by: Bill Brenner
Security Management, Platform Security

Oracle said Thursday that it is prepping a Critical Patch Bulletin (CPU) to address 41 security holes across its product line.

According to the database giant’s advance CPU bulletin, attackers could exploit the most severe flaws to compromise the database server or the host operating system. Affected products include Oracle Database, Oracle Application Server, Oracle E-Business Suite and Applications, Oracle Enterprise Manager, Oracle PeopleSoft Enterprise and Oracle Siebel SimBuilder.

Oracle releases its security patches on a quarterly basis, and the April 2008 installment will be issued Tuesday.


Apr 11 2008   12:05AM GMT

RSA 2008: Firm makes log management a priority for compliance



Posted by: Robert Westervelt
Compliance, Network Security, Security Management

Ira Hanson-Ralph of EnCana explains why the oil and gas exploration company made log management a priority as part of its compliance program. Hanson-Ralph is EnCana’s group leader of IS compliance and controls monitoring. The interview was conducted at RSA Conference 2008.


Apr 3 2008   10:36AM GMT

Hannaford and the industrial compliance complex



Posted by: Bill Brenner
Network Security, Information Security Threats, Security Management, Platform Security, Data Breaches and Identity Theft, Privacy, Identity and access management

This week’s headline may not fit perfectly with the analogy I had in mind yesterday, but I’m running with it anyway because all week I’ve been thinking of what the lessons are regarding the recent data security breach at Hannaford’s supermarkets.

The biggest lesson was eloquently explained in a column by my colleague Dennis Fisher, in which he cites the decline in emphasis on security in favor of a sometimes maniacal focus on compliance with various standards and regulations that has created a climate where passing an audit or satisfying a regulator is deemed more important than actually doing what’s necessary to protect critical assets.

There are plenty of vendors out there who link the use of their products to both compliance and security, and I’ve spoken to many a public relations flak who talk about the two as if they are the same thing. As Dennis points out, they are not the same thing. True, a lot of the work that’s required for the sake of compliance can improve enterprise security. But security is about so much more than buying a bunch of technological tools on some assessor’s checklist and plugging them in.

Being a history geek, I always find myself looking for historical references to match up with the things we’re writing about, and this case reminded me of the farewell speech President Eisenhower gave a few days before leaving office in 1961 in which he warned of the military industrial complex.

Now, I know you’re waiting for the big analogy, and in the end there isn’t much of one to make. The military industrial complex is something far different than the compliance complex I see today. But I do see a few similarities worth mentioning.

Ike warned that as the U.S. fought the Cold War, it needed to “guard against the acquisition of unwarranted influence…by the military-industrial complex,” which included members of Congress from districts dependent on military industries, the Department of Defense and privately owned military contractors like Boeing, Lockheed Martin, and Northrop Grumman. Ike feared that the military-industrial complex inspired policies that might not be in the country’s best interest and he feared that its growing influence, if left unchecked, could undermine American democracy (see the more detailed description in Encyclopedia Britannica).

I’m not trying to suggest that compliance vendors are trying to influence the course of American policy. As I admitted earlier, this is an imperfect analogy.  But I do believe there’s a danger of individual businesses being influenced by a compliance complex in which execs desperate to pass the compliance test fall under the spell of vendors promising that their tools will not only help them pass the test but keep them secure. In the end, some make decisions that are not in the best interests of the company’s security program. In other cases, the technology purchased does its job well but the company fails to implement a bunch of other security measures technology alone can’t address — because the vendor or assessor assured them that investing in their product would be all that’s needed.

The Hannaford breach has sent shockwaves through the retail world because it turns out the company had achieved PCI DSS compliance. Many were stunned to see a living example of a compromised business that spent a lot of money on compliance products and thought they were secure.

The silver lining around the Hannaford breach may be that other companies are broken of the compliance complex. Dennis does a good job of mapping out what security is really about, but I leave you with some blog chatter from security experts who make similar points this week:

Burton Group analyst Randall Gamby writes in his company blog that PCI DSS and the work of complying with it has achieved a false sense of security in many corners.

“I’m not saying PCI isn’t important, after all this breach may have never been found if PCI measures weren’t put in place, but enterprises have to look beyond the task of being compliant and take whatever additional steps may be needed to secure their data against breaches,” he writes.

Security management expert Mike Rothman makes the point more bluntly in his Daily Incite blog: “If security professionals think that an audit makes them secure, they are idiots.”

Rothman goes on to say compliance does not equal security. Maybe it makes the senior folks sleep a little better, he writes, “but they’d be dumb, too.” Anyone in a position of power needs to understand about risk and containing risk, he says.

I’m probably going to get a bunch of emails telling me how stupid my analogy is, and one of them might even come from Mike. But instead I’m hoping to hear what readers have to say about the points he and others are making.



Mar 28 2008   9:26AM GMT

Researcher: IFrame redirect attacks escalate



Posted by: Bill Brenner
Network Security, Application Security, Information Security Threats, Security Management, Platform Security

It’s been a couple of weeks since security researcher Dancho Danchev raised the red flag about IFrame redirects attackers have been using to corrupt hundreds of thousands of websites, and how the likely culprit is the infamous hacking group known as the Russian Business Network (RBN).

Overnight, Danchev emailed me with an update, and it doesn’t look good. Based on his ongoing investigation, the attacks seem to be continuing unabated.

The latest high-profile sites being targeted include usatoday.com, abcnews.com, news.com, target.com, packardbell.com, Walmart.com, Rediff.com, Miamiherald.com, Bloomingdales.com, Patentstorm.us, Webshots.com, Sears.com, Forbes.com, Ugo.com, Bartleby.com, Linkedwords.com, Circuitcity.com, Allwords.com, Blogdigger.com, Epinions.com, Buyersindex.com, Jcpenney.com, Nakido.com, Uvm.edu, hobbes.nmsu.edu, jurist.law.pitt.edu and boisestate.edu.

This is on top of those he listed two weeks ago, as Danchev wrote in his blog:

NCSU Libraries - lib.ncsu.edu - 372,000 pages
bushtorrent.com - 147 pages
ChildCareExchange - ccie.com - 131 pages
The University of Vermont - uvm.edu - 120 pages
Hippodrome State Theatre - Gainesville, FL - thehipp.org - 112 pages
Minnesota State University Mankato - mnsu.edu - 94 pages
The California Majority Report - camajorityreport.com - 16 pages


Mar 27 2008   4:11PM GMT

Vista SP1 experiences: The good and the bad



Posted by: Bill Brenner
Microsoft Security, Network Security, Security Management, Platform Security

Yesterday I wrote a story about the reaction from Windows administrators to Microsoft’s release of Vista SP1, and the response was mostly one of caution and frustration.

The challenges people are running into are the same ol’ items: incompatibility with third-party programs, device driver glitches, a sleep mode problem and endless reboots.

One of the folks I touched base with is Michael Pietroforte, a systems administrator who heads up the IT department at the University Library of the Ludwig-Maximilian University in Munich, Germany. He tested Vista SP1 extensively and created a useful list of challenges and possible solutions in his 4Sysops blog.

Pietroforte’s entry inspired me to dig further for blogs with something useful to share about the service pack. Here’s a bit of what I found:

Longtime computer product reviewer Scot Finnie wrote that Vista SP1 has been running on a couple of his test machines for the past month and a half. He offered IT pros this verdict:

“You don’t need this thing right away. If you’ve kept up with Vista security patches, then you’re fine. There’s no need to rush into it.”

For those who dare to tackle the service pack now, he said the biggest pain one will likely encounter is the driver trouble during or after installation.

He writes that Vista SP1 has only one true reason for being — to help Microsoft sell Vista to enterprise customers, among whom the conventional wisdom has been to wait for the first service pack. “What’s actually new and not available separately is, to my perception, more marketing hype than reality,” he says. “There’s nothing wrong with SP1, but there’s absolutely nothing compelling about it either.”

Over at Blorge.com, Triston McIntyre wrote up this warning:

“The list of users who are experiencing more than a little difficulty with the new Service Pack 1 grows longer every day; it seems more and more users who boot multiple operating systems are experiencing grief as well,” he writes. “Before installing Vista Service Pack 1, be sure to check out the boot systems you’re currently using if you use Windows Vista Enterprise or Vista Ultimate, otherwise your PC might end up the victim of a faulty SP1 install.”

John Rundag, technology coordinator for the Logan Elm School District in Ohio, wrote in his blog about the slow Vista SP1 download process he endured. He warned that the process will take longer than anyone would want.

Once he had downloaded Vista SP1, he says he clicked on the install and left for the day. When he returned to the office the next day, his computer looked the same as he had left it, with the exception of the install screen for SP1.

“One of the issues I had been experiencing was slow file copying to and from network drives,” he wrote. “A lot of times I just copied large files to a flash drive and then moved it to the server on my MacBook. Moving large directories was a nightmare. The first thing I did after I verified I was running SP1 was to move some files to the server.”

Fortunately, he reported, the system has been stable since installation and he hasn’t experienced any major issues.

Nick White, a product manager in Microsoft’s Vista department, offered a laundry list of the feedback Microsoft has received in the Windows Vista Team blog and promised to keep the lines of communication open.

Expect more frustration to flow from the blogosphere as IT pros try to get their arms around Vista SP1. But whatever the problems may be, Microsoft does deserve credit for trying to keep customers informed.

Eventually we’ll all get a grip on Vista. But it’s going to take a long time.
