Network Security
FW: Security Wire Perspectives, Vol. 6, No. 25, March 29, 2004
- From: Howell, Paul
- Date: Mon Mar 29 07:17:22 2004
-----Original Message-----
From: Security Wire Perspectives
[mailto:searchSecurity@lists.techtarget.com]
Sent: Monday, March 29, 2004 4:01 AM
To: Security Wire Perspectives
Subject: Security Wire Perspectives, Vol. 6, No. 25, March 29, 2004
Security Wire Perspectives is published by Information Security, the
industry's leading magazine for security news and information, and
SearchSecurity.com, the Web's best security-specific information resource
for enterprise IT professionals. Additional newsletters available at
http://searchsecurity.techtarget.com/?track=NL-358&ad=479188&Offer=swp
IN THIS ISSUE:
A READ ON THE NEWS
*Pink Slips Motivate Policy Compliance
*OPINION: Will Microsoft Ever Get Its Act Together?
HEADLINES
*No Cone of Silence for This Malcode
*Markle Task Force Hammers Government Again
*Apache Upgrades, Plugs Three Security Holes
*Cisco to Acquire Riverhead; Brightmail Files for IPO
*Customers Shouldn't Have to Pay for Patching, MS Says
*Federal Spam Lawsuits Fall Short of Target
THE KINGDOM OF IMPERVIOUS
Episode III -- His Majesty Issues a New Decree (and Gets a New Robe)
LINKS TO THE INDUSTRY
YOUR TWO CENTS
Readers sound off on virus cost estimates
TO UNSUBSCRIBE, REFER TO THE INSTRUCTIONS AT THE END OF THIS MESSAGE
=====================================================
SECURITY WIRE PERSPECTIVES IS SPONSORED BY: NetContinuum
Free White Paper: Deploy Secure PeopleSoft Applications
PeopleSoft applications house some of the most critical data within an
organization. Because of this, data confidentiality, integrity and
availability are paramount. NetContinuum protects the entire PeopleSoft
application environment and simplifies the network and security
infrastructure required to deploy a new PeopleSoft application. Get the
paper:
http://searchSecurity.com/r/0,,26969,00.htm?track=NL-358&ad=479188&netcontinuum
=====================================================
A READ ON THE NEWS
*PINK SLIPS MOTIVATE POLICY COMPLIANCE
By Lawrence M. Walsh
Public executions are necessary for ensuring security policy compliance,
says Dr. John Halamka. "There's no second chance if you violate trust," he
said.
As CIO of both Boston's Beth Israel Deaconess Medical Center and Harvard
Medical School, Halamka is charged with enforcing the policies and
procedures that ensure the security of 9 million patient records and 70
terabytes of data.
Most people would think that medical professionals working in a world-class
hospital and university would be above the temptations of records surfing,
unauthorized downloads and abuse of computer resources. They're not. Each
year, Halamka says, three or four doctors -- ranging from green residents
and interns to well-weathered practitioners -- are fired for violating
security and acceptable use policies.
Sometimes, doctors are looking up medical histories of their competitors to
embarrass them or to gain a business advantage. Other times, they're simply
curious about a famous patient and look up his lab tests. On occasion,
they're caught releasing confidential records or billing information to
unauthorized parties. And, of course, there are the porn surfers, online
gamblers and cyberstalkers.
"You run into two kinds of folks: those who will accept the consequences and
those who deny everything and must be presented with the preponderance of
the evidence," says Halamka. "That's why you need public executions to
reinforce good behavior and to protect resources."
Most organizations take pains to hide or downplay employee dismissals due to
policy infractions. As with hacker incidents, enterprises fear that public
disclosure of policy violations will damage their reputation and open them
up to action.
That's changing, however. Regulations such as HIPAA and the California
Security Breach Notification Act are making rigid policy enforcement an
imperative. An even greater driver, though, is the maturation of security
and IT in the workplace. As these groups gain more cachet, they're able to
drive their agendas beyond the data center and into HR and legal groups.
Enterprises are recognizing the need for strong policies and enforcement
standards -- and the occasional public execution.
"It's not the name before the '@ sign' that's going to get in trouble; it's
the name after [it] that will," says Michelle Drolet, president and CEO of
ConQwest, a security assessment and integration firm.
For tips on creating awareness and enforcing policy, read the entire
feature:
http://infosecuritymag.techtarget.com/ss/0,295796,sid6_iss346_art666,00.html?track=NL-358&ad=479188
*OPINION: WILL MICROSOFT EVER GET ITS ACT TOGETHER?
By Nick FitzGerald
I write this in the wake of March's "Patch Tuesday" -- the second Tuesday of
each calendar month that has become a day many Windows system and security
managers rue.
However, March was relatively quiet, as these things go. Aside from the
usual Patch Tuesday activities, I noticed that Microsoft had also revamped
the design of its security bulletins, as published in the security section
of its TechNet Web site.
So, why is a Web page redesign worth an opinion piece?
Well, we're talking about Microsoft's premier resource for technical,
security update information. Further, Microsoft has now spent a little more
than two years campaigning hard to convince its customers that it has now
"seen the light" and that security is now its No. 1 priority.
It's more than slightly ironic, then, that the TechNet Web site redesign
rendered the most important technical information from the security
bulletins unreadable to users with the most securely configured Web
browsers. The "problem" was that the new design used some formats from the
associated stylesheet to control the visibility of those sections, and, in
turn, the application or removal of those styles was controlled by links
activating client-side scripts that partially rewrote the page.
When one recalls that client-side scripting has been all but indispensable
in exploiting most Web browser vulnerabilities -- even when the problem
hasn't been in the scripting engine -- the irony deepens further. Add that
Microsoft's own browser seems to have been especially heavily endowed with
such vulnerabilities and it would be laughable, were Microsoft not so
haughtily astride its "security above all else" promotional kick. I could
continue about Microsoft's attractiveness as a target for hackers, the lack
of use of TLS on these pages, the frailty of the trust we can hold in
VeriSign-issued certificates if such was used, and so on, but the point
should be clear, at least to those who understand risk analysis.
My posting on this topic to three widely read computer security mailing
lists resulted in a few complaints that I had been unduly harsh about the
Microsoft Security Response Center folks, who really were just providing
content. I apologize for using MSRC as the focal point for my barrage when
really the fault lies squarely with Microsoft as a whole.
Sadly, MSRC has "addressed" the problem. Did it get the Web designers to
create a new design without the scripting issues? No -- it reformatted the
content so it doesn't contain the evil JavaScript links unless scripting is
enabled. Thus, when viewing the page in a securely configured browser, the
full content is in view and there's no need to click links to get the
technical details sections and such to "unhide" and become readable.
However, when you load the pages with scripting enabled, the new scripting
causes additional tags to be written around the "hidden" sections, producing
the same initial effect as the originally served pages regardless of the
state of scripting in your browser.
Why is it sad that Microsoft chose this solution? Well, it's hard to say
from the outside looking in, but it seems unlikely the current solution
raised any security or responsibility issues with the Web designers. It and
the MSRC content producers just had to tweak what they were doing to quiet a
squeaky wheel.
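As an added example, not code from the column or from Microsoft's bulletin pages: the two designs the column contrasts, reduced to JavaScript that emits each page's markup, plus a check that models a browser with scripting disabled. That check is the one a site owner would run on server-rendered pages before shipping a redesign. The section names, the `collapsed` stylesheet class and the `data-collapsible` attribute are assumptions for illustration.

```javascript
// Added example (not from the column or from Microsoft's pages): two ways of
// marking up a bulletin whose "Technical Details" section is collapsible, and
// a check that models a browser with scripting disabled. Section names, the
// "collapsed" class and the data-collapsible attribute are assumptions.

const STYLESHEET = ".collapsed { display: none; }";

// Original design: the section is collapsed in the served markup and only a
// script-driven link removes the class, so with scripting off it never appears.
function renderOriginal(sections) {
  const body = sections.map((s) =>
    s.collapsible
      ? `<h2><a href="#" onclick="toggle('${s.id}');return false">${s.title}</a></h2>\n` +
        `<div id="${s.id}" class="collapsed">${s.text}</div>`
      : `<h2>${s.title}</h2>\n<div id="${s.id}">${s.text}</div>`
  ).join("\n");
  return `<style>${STYLESHEET}</style>\n${body}\n` +
    `<script>function toggle(id){document.getElementById(id).classList.toggle('collapsed');}</script>`;
}

// Revised design: the served markup is fully visible; only if scripting runs
// does the script collapse the marked section, so no-script readers lose nothing.
function renderRevised(sections) {
  const body = sections.map((s) =>
    `<h2>${s.title}</h2>\n<div id="${s.id}"${s.collapsible ? ' data-collapsible="1"' : ""}>${s.text}</div>`
  ).join("\n");
  return `<style>${STYLESHEET}</style>\n${body}\n` +
    `<script>for(const d of document.querySelectorAll('[data-collapsible]')){d.classList.add('collapsed');}</script>`;
}

// Model of a script-disabled browser: <script> blocks are inert, so only the
// static markup and the stylesheet decide which sections are visible.
// Returns the ids of the sections a no-script reader can see.
function visibleWithoutScript(html) {
  const staticHtml = html.replace(/<script[\s\S]*?<\/script>/gi, "");
  const hidesCollapsed = /\.collapsed\s*\{[^}]*display\s*:\s*none/i.test(staticHtml);
  const visible = [];
  const re = /<div id="([^"]+)"([^>]*)>/g;
  let m;
  while ((m = re.exec(staticHtml)) !== null) {
    const hidden = hidesCollapsed && /class="[^"]*\bcollapsed\b[^"]*"/.test(m[2]);
    if (!hidden) visible.push(m[1]);
  }
  return visible;
}

// Constructed sample bulletin: a summary that is always shown and a technical
// details section the design wants collapsed by default.
const SAMPLE_SECTIONS = [
  { id: "summary", title: "Summary", text: "Summary text.", collapsible: false },
  { id: "details", title: "Technical Details", text: "Affected versions, workarounds.", collapsible: true },
];

console.log("original, no script:", visibleWithoutScript(renderOriginal(SAMPLE_SECTIONS)));
console.log("revised, no script: ", visibleWithoutScript(renderRevised(SAMPLE_SECTIONS)));
```

The same check is cheap to run as a build-time test against every server-rendered page, which catches this class of regression before readers with scripting disabled do.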
NICK FITZGERALD worked as a support consultant in the IT department at the
University of Canterbury for close to 10 years, before moving to the UK to
take up the editorship of Virus Bulletin in 1997. For the last several years
he has worked as an independent antivirus consultant and as a contract
antivirus researcher in New Zealand.
Have an opinion on this article? E-mail your letters to Shawna McAlearney (
mailto:smcalearney@infosecuritymag.com ), and include your name, title and
organization. Letters may be edited for space and clarity.
=====================================================
HEADLINES
A look at other significant industry happenings from our sister publication,
Security Wire Daily
*No Cone of Silence for This Malcode
SearchSecurity.com
Peer-to-peer networks have been a boon for people who like free music and
software. But swappers may find themselves downloading a worm or virus
instead of the latest version of some video game.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci956740,00.html?track=NL-358&ad=479188
*Markle Task Force Hammers Government Again
SearchSecurity.com
A Markle Foundation task force report suggests ways for government to get
data it needs without violating individuals' privacy or civil liberties.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci956664,00.html?track=NL-358&ad=479188
*Apache Upgrades, Plugs Three Security Holes
SearchEnterpriseLinux.com
The latest release of the Apache Web server closes three potentially worrisome
security holes.
http://searchenterpriselinux.techtarget.com/originalContent/0,289142,sid39_gci956441,00.html?track=NL-358&ad=479188
*Cisco to Acquire Riverhead; Brightmail Files for IPO
SearchSecurity.com
Cisco Systems announced a definitive acquisition agreement to purchase
Riverhead Networks for $39 million. Antispam vendor Brightmail plans to go
public.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci956525,00.html?track=NL-358&ad=479188
*Customers Shouldn't Have to Pay for Patching, MS Says
SearchWin2000.com
Microsoft will continue to provide "basic" patch management for free,
Windows Server executive Steve Anderson says. In an interview, Anderson
describes what customers get gratis.
http://searchwin2000.techtarget.com/qna/0,289202,sid1_gci956422,00.html?track=NL-358&ad=479188
*Federal Spam Lawsuits Fall Short of Target
SearchExchange.com
Microsoft was among the first to sue spammers in federal court under the CAN
SPAM Act. Industry watchers say those lawsuits will amount to little more
than a paper chase, but there are other reasons for optimism.
http://searchexchange.techtarget.com/originalContent/0,289142,sid43_gci956438,00.html?track=NL-358&ad=479188
=====================================================
Live expert webcast: New directions in VPNs
After half a decade in the field, where do secure VPNs stand? Join Lisa
Phifer, owner of consulting firm Core Competence and contributor to
SearchSecurity and Information Security magazine, for an interactive
discussion on the status of IPSec and SSL VPN technologies. You'll learn how
new trends like managed service outsourcing and wireless are changing the
VPN landscape and factors to consider when choosing the right combination of
VPN technologies to meet business needs.
Pre-register for this live webcast on Tuesday, March 30 at Noon ET.
http://searchsecurity.com/vpn1?track=NL-358&ad=479188
=====================================================
THE KINGDOM OF IMPERVIOUS
Episode III -- His Majesty Issues a New Decree (and Gets a New Robe)
By Bill Kirkendale, CISSP
You will remember from our last episode, the king came under great pressure
to comply with the canons thrown down by Regulatius, so he summoned his
council of noble advisors.
Fearing the King's wrath, the noblepersons tenuously approached the throne.
"It has come to my attention that some kind of witchcraft, invisible evil or
black magic lurks at our perimeter. I know this for it is written.
"It is also written that if I do not attend to this immediately, I will need
a bigger inseam. Isn't that right, Levi?" Levi was the King's tailor who had
just finished weaving a new robe.
The king, though quite bewildered by the whole thing, was pretty wise. He
knew how to use the intellect and strengths of his subjects to his
advantage.
"Therefore, thus and furthermore, I will issue a decree to establish a basis
by which all measures to protect the kingdom from this horrid black magic
will be performed. I will convene a council of constituent representatives.
Priorities will be established. A great writ will be published and all in
the kingdom will abide."
So he ordered his favorite Burgher, the Duke of Fries and a McVicker, to the
great room with the others for his lord's first Council of Impervious.
After three grueling days and nights of nothing but fast food and endless
debate, the council emerged with its recommendations.
A great gathering commenced in the square. Trumpets sounded and the King and
his royal orator emerged on the balcony.
"Hear ye! Hear ye! From this day forward, all subjects of Impervious will
honor His Majesty's decree, damning the wicked magic that lurks at our every
port. Know that it is no longer enough to build (fire) walls and supply
antivenin. For if we remain as one, convicted to staving off the evil
illusionists, we will retain our illustrious, impeccable, unimpeachable
state of Impervious!
"Those who do not comply, insiders who aid or abet, or anyone known to
willfully compromise the sanctity of Impervious, shall -- after a brief exit
interview -- be loaded in the catapult and launched across the moat." Be it
so ordered by the King!
Network and system noblepersons standing at the King's side, breathed a sigh
of relief. Not only had they not been singled out for what they originally
feared was their failure to secure the kingdom, but they now had a framework
from which to operate and the full cooperation of the land.
BILL KIRKENDALE, CISSP, has been an IT professional for fourteen years and
is a former United States Marine.
Next Episode IV: At Risk: Gaps, Targets, the registry at Bloomies ... a
shoplifter's paradise.
Have an opinion on this article? E-mail your letters to Shawna McAlearney (
mailto:smcalearney@infosecuritymag.com ), and include your name, title and
organization. Letters may be edited for space and clarity.
=====================================================
*INFORMATION SECURITY DECISIONS*
Time's running out to apply to Information Security Decisions coming to NYC
April 19-21. Join a senior-level audience of your peers for unprecedented
technical content and the best 3-day investment you'll spend out of the
office this year. Gain expert insight you can't find anywhere else at any
price. Apply today:
http://infosecurityconference.techtarget.com/?track=NL-358&ad=479188&Offer=isdad
=====================================================
LINKS TO THE INDUSTRY
Happenings
New England Network Security Forum
W-Th, September 8-9
Waltham, Mass.
Roundtables and case studies with all-new topics for 2004, including
application IDS and firewalls, patch management and wireless security.
Optional workshop on September 7.
http://www.ianetsec.com/forums/ne_forum/ne_splash_2004.htm
Current industry events:
http://searchsecurity.techtarget.com/bestWebLinks/0,289521,sid14_tax281973,00.html?track=NL-358&ad=479188
Security training:
http://searchsecurity.techtarget.com/bestWebLinks/0,289521,sid14_tax281975,00.html?track=NL-358&ad=479188
Market Monitor
Current security company stock prices:
http://searchSecurity.com/r/0,,22258,00.htm?track=NL-358&ad=479188&n/a
SearchSecurity.com Top 10
Weekly recap of top news stories and security tips by our sister site:
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci913161,00.html?track=NL-358&ad=479188
=====================================================
YOUR TWO CENTS
Have an opinion on a Security Wire Perspectives article? We're interested in
your feedback. E-mail your letters to Shawna McAlearney (
mailto:smcalearney@infosecuritymag.com ), and include your name, title and
organization. Letters may be edited for space and clarity.
*What's Up With Virus Cost Estimates?
http://searchsecurity.techtarget.com/tip/1,289483,sid14_gci956157,00.html?track=NL-358&ad=479188
Webmasters collect lots of statistics mostly because Web server software
makes it easy to collect lots of statistics. Many of those numbers are as
useless as Mi2g's virus damage estimates. If antivirus products
automatically supplied infection rate numbers, we'd see lots of AV
statistics. And many of those would be useless, too.
The real dirty little secret: in most organizations virus infection rates
are so low that the effort to collect meaningful statistics isn't worth it.
We know where the biggest virus problems lie -- email-spread viruses and
roaming laptops. AV software on e-mail servers is mostly solving the first
problem. Nobody's found a cost-effective solution to the second problem. We
don't need a bunch of expensive-to-collect statistics to tell us that.
--Rex Sanders, US Geological Survey
I'm glad to see Rob Rosenberger's note about the absurdly 'accurate' cost
estimates. I've been tilting at this particular windmill for about 10 years,
including publishing several letters in trade magazines and writing to the
publishers of one of the best known surveys, the CSI/FBI annual report.
The 2003 CSI/FBI report admits, "It is certainly true that survey recipients
are not randomly chosen. They come from a group of security professionals
and, among that wider group, they are self selected. ... Of course, it is
also possible that this group might have reason to overstate their losses,
as a way of arming themselves with dire statistics to bring to their bosses
when the budgeting season rolls around. While this may have seemed likely in
the several years when total financial losses moved inexorably upward, it's
harder to support this theory given the significant drop in reported losses
in this year's survey." They then go on to justify why they believe their
numbers are accurate (e.g., because they're consistent year to year).
Nowhere does it admit that the reason the numbers might have shifted
downwards is simply that a different set of respondents filled out the
questionnaire.
Nowhere in that report, either, is there any justification of the absurd
accuracy claimed. As an example, the 2003 report claims that the average
loss in 2003 due to theft of proprietary information was $2,699,842 and the
loss due to telecom fraud was $50,107 (these numbers with 530 self-selected
respondents to the survey, of whom 47% were able to quantify the economic
losses). I doubt that any organization could specify to seven significant
digits the cost or loss due to a cyberattack, and averaging such a small
sample doesn't give that much accuracy. In fact, I'd be surprised if there
was more than one significant digit of accuracy, and perhaps not even the
right order of magnitude. Political pollsters, who use much larger and
randomly selected sample sizes, routinely publish their sampling error rates
(e.g., "Smith is ahead of Jones by 54% to 46% with a +/- 3% margin of
error"). The lack of even this rudimentary methodology hardly lends credence
to the results.
Of course, the motivation for these absurdly "accurate" numbers is that they
look much more persuasive in a presentation or a press release than "about
$3 million" or "about $50,000." Too bad they're little more than the output
of a random number generator.
--Jeremy Epstein, senior director, product security, webMethods Inc.
::::::::::::::::::::: ABOUT THIS NEWSLETTER ::::::::::::::::::::::
Security Wire Perspectives (BPA E-Mail Audit Report, June 2002*) is an
e-mail newsletter brought to you on Mondays and Thursdays by Information
Security magazine, a TechTarget publication. Copyright
(c) 2004, Information Security and TechTarget. No reuse or redistribution
without the express written authorization of Information Security and
TechTarget.
Permission requests, questions or comments should be e-mailed to Shawna
McAlearney, online editor, mailto:smcalearney@infosecuritymag.com.
*A copy of the BPA Audit is available for download at:
http://www.bpai.com/library/statement_files/s343h0j2.pdf
_____________________________________________________________________
To unsubscribe from "Security Wire Perspectives":
Go to unsubscribe:
http://SearchSecurity.com/u?cid=479188&lid=559334&track=NL-358&ad=479188
Please note, unsubscribe requests may take up to 24 hours to process; you
may receive additional mailings during that time. A confirmation e-mail will
be sent when your request has been successfully processed.
Contact us:
SearchSecurity
Member Services
117 Kendrick Street, Suite 800
Needham, MA 02494