Research

This is the next installment in what is now officially the longest running blog series in Securosis history: Database Encryption. In case you have forgotten, Rich provided the Introduction and the first section on Media Protection, and I covered the threat analysis portion to help you determine which threats to consider when developing a database encryption strategy. You may want to peek back at those posts as a refresher if this is a subject that interests you, as we like to use our own terminology. It’s for clarity, not because we’re arrogant. Really! For what we are calling “database media protection” as described in Part 1, we covered the automatic encryption of the data files or database objects through native encryption built into the database engine. Most of the major relational database platforms provide this option, which can be “seamlessly” deployed without modification to applications and infrastructure that use the database. This is a very effective way to prevent recovery of data stored on lost or stolen media. And it is handy when you have renegade IT personnel who hate managing separate encryption solutions. Simple. Effective. Invisible. And only a moderate performance penalty. What more could you want? If you have to meet compliance requirements, probably a lot more. You need to secure credit card data within the database to comply with the PCI Data Security Standard. You are unable to catalog all of the applications that use sensitive data stored in your database, so you want to stop data leakage at the source. Your DBAs want to be ‘helpful’, but their ad-hoc adjustments break the accounting system. Your quality assurance team exports production data into unsecured test systems. Medical records need to be kept private. While database media protection is effective in addressing problems with data at rest, it does not help enforce proper data usage. Requirements to prevent misuse by credentialed users or compromised user accounts, or enforce separation of duties, are outside the scope of basic database encryption. For these reasons and many others, you decide that you need to protect the data within the database through more granular forms of database encryption; table, column, or row level security. This is where the fun starts! Encrypting for separation of duties is far more complex than encrypting for media protection; it involves protecting data from legitimate database users, requiring more changes to the database itself. It’s still native database encryption, but this simple conceptual change creates exceptional implementation issues. It will be harder to configure, your performance will suffer, and you will break your applications along the way. Following our earlier analogy, this is where we transition from hanging picture hooks to a full home remodeling project. In this section we will examine how to employ granular encryption to support separation of duties within the database itself, and the problems this addresses. Then we will delve into the problems you will to run into and what you need to consider before taking the plunge. Before we jump in, note that each of these options are commonly referred to as a ‘Level’ of encryption; this does not mean they offer more or less security, but rather identifies where encryption is applied within the database storage hierarchy (element, row, column, table, tablespace, database, etc). There are three major encryption options that support separation of duties within the database. Not every database vendor supports all of these options, but generally at least two of the three, and that is enough to accomplish the goals above. The common options are: Column Level Encryption: As the name suggests, column level encryption applies to all data in a single, specific column in a table. This column is encrypted using a single key that supports one or more database users. Subsequent queries to examine or modify encrypted columns must possess the correct database privileges, but additionally must provide credentials to access the encryption/decryption key. This could be as simple as passing a different user ID and password to the key manager, or as sophisticated as a full cryptographic certificate exchange, depending upon the implementation. By instructing the database to encrypt all data stored in a column, you focus on specific data that needs to be protected. Column level encryption is the popular choice for compliance with PCI-DSS by restricting access to a very small group. The downside is that the column is encrypted as a whole, so every select requires the entire column to be deencrypted, and every modification requires the entire column to be re-encrypted and certified. This is the most commonly available option in relational database platforms, but has the poorest performance. Table / Tablespace Encryption: Table level encryption is where the entire contents of a table or group of tables are encrypted as one element. Much like full database encryption, this method protects all the data within the table, and is a good option when all more than one column in the table contains sensitive information. While it does not offer fine-grained access control to specific data elements, it more efficient option than column encryption when multiple columns contain sensitive data, and requires fewer application and query modification. Examples of when to use this technique include personally identifiable information grouped together – like medical records or financial transactions – and this is an appropriate approach for HIPAA compliance. Performance is manageable, and is best when the sensitive tables can be fully segregated into their own tablespace or database. Field/Cell/Row Level Encryption, Label Security: Row level encryption is where a single row in a table is encrypted, and field or cell level encryption is where individual data elements within a database table are encrypted. They offer very fined control over data access, but can be a management and performance nightmare. Depending upon the implementation, there might be one key used for all elements or a key for each row. The performance penalty is a sharp limitation, especially when selecting or modifying multiple rows. More commonly, separation of duties is supported by label security.

CNET is reporting that last week the European Commission is proposing consumer protection laws be applied to software. Mentioning specifically anti-virus and video game software, commissioners Viviane Reding and Meglena Kuneva have proposed that EU consumer protections for physical products be extended to software in an effort to protect customers and implying that consumers would use more and buy more if the software was better. “extending the principles of consumer protection rules to cover licensing agreements of products like software downloaded for virus protection, games, or other licensed content,” according to the commissioners’ agenda. “Licensing should guarantee consumers the same basic rights as when they purchase a good: the right to get a product that works with fair commercial conditions.” In reality I am guessing some politician took notice that few in the voting public are for crappy software. Or perhaps they took notice that anti-virus software does not really stop malware, spyware, phishing and viruses as advertised? Or perhaps they still harbor resentment for “ET: The Game”? Who knows. I had to laugh at Business Software Alliance Director Francisco Mingorance’s comment that “Digital Content is not a tangible good and should not be subject to the same liability as toasters.” He’s right. If your toaster is mis-wired it could kill you. Or if you used it in the bathtub for that matter. If people are not happy with a $45.00 piece of software, and no one died from its use, do you think anyone is going to prosecute? Sure, Alvin & the Chipmunks really sucked; caveat emptor! Even if you should find a zealous prosecutor, if something should go wrong with the software, who will get the blame? The vendor for producing the code? The customer for they way they deployed, configured, and modified it? How would this work on an application stack or in one of the cloud models? Was the software fully functional to the point in time specification, but the surrounding environment changes created a vulnerable condition? If anti-virus stops one virus but not another, should it be deemed defective? There is not enough time, money or interest to address these questions, so the legislative effort is meaningless. I appreciate the EC’s frustration and admire them for wanting to do something about software quality and ‘efficacy’, but the proposal is not viable. Granted there are the few software developers who look upon their craft to build the best the best possible software, but most companies will continue to sell us the crappiest product that we will still buy. The only people who will benefit are the lawyers who will be needed to protect their clients from liability; you think EULAs are bad now, you have seen nothing yet! Do not be surprised if you see the software quality bandwagon rumble through Washington D.C. as well, but it will not make security software better because you cannot effectively legislate software quality. Meaningful change will come when customers vote with their dollars. Share:

Someone has finally captured my vision of what a data centric society without privacy rights looks like. This video is really funny … and scary. Law enforcement and drug companies have been doing this for years. And even if it is not public knowledge, many insurance companies are doing this as well. Orwell had no idea how deep the rabbit hole goes. Share:

A lot of security related news this week in the mainstream press. What with Nuclear Secrets being a fringe benefit to eBay shopping. Other big names like McAfee exposing users to a CSRF and MI-6’s operations nixed on a missing memory stick. With security this bad, who needs Chinese hackers? What gets me is the simple stuff that gets missed. Unencrypted hard drives and memory sticks. WTF? Fighter jet plans and power grid control systems on networks, directly or indirectly attached to the Internet? Whoever thought that was a good idea needs to be discovered and fired. Anyway, enough negativity, and you don’t need to read my rants when there are this many good articles to read this week. The funniest thing I saw all week was from last night: Rich and I were having dinner, waiting for the 10:00 PM premiere of the new Star Trek movie, when Rich decided he was going to have some fun and do some ‘live #startrek’ tweets. Not real, but live. Rich was on a roll as we started to joke about plot lines and just making up character twists and throwing BS on Twitter. I must say, he has Trekkie cred, because he knows a heck of a lot more than I do about the entire genre. We were having a great time just making $%(# up. After dinner we went to the theater and got dead center seats! We were not 5 minutes into the movie when one of Rich’s tweets came alarmingly close to the real thing. Another 5 minutes, and Rich nailed another plot line. I am not going to say which ones, you will just have to go see the movie. Oh, and we both really liked it! A must-see for Star Trek fans. But for a little amusement, before you go to the movie, check Rich’s tweets. I know Rich said it last week, but I wanted to mention it again – if you’d like to get our content via email instead of RSS, please head over and sign up for the Daily Digest, which goes out every night. And now for the week in review: Webcasts, Podcasts, Outside Writing, and Conferences Martin and Rich on the weekly Network Security Podcast. I did a series of three videos and an executive overview on DLP for Websense. It was kind of cool to go to a regular studio and have it professionally edited. The videos (each about 2 minutes long) and Executive Guide are designed to introduce technical or non-technical executives to DLP. It’s all objective stuff, and cut-down versions of our more extensive materials. Favorite Securosis Posts Rich: Adrian’s post on Oracle’s acquisition of Sun. I haven’t seen anyone else take this perspective! Adrian: Rich’s post on There are no Trusted Sites; the Security Edition. Poignant as always. Favorite Outside Posts Adrian: With all that free time on his hands, Chris has been turning out some good stuff. His post on Cloud Security Will NOT Supplant Patching is dead on the mark. Rich: Rsnake’s Silver Bullet Metric post. Top News and Posts Big news this week was the Torpig Hijack. The paper is long but filled with interesting details. Interesting developments between AdBlock creator Wladimir Palant and NoScript creator Giorgio Maone. Yeah, but so what? We know it is possible, and we know someone will be motivated by fame or fortune and do it again. The problem is someone will eventually do it well. Ryan Naraine’s coverage of the Google Chrome Security Flaws . Ron Gula of Tenable on understanding Vulnerability Assessment Results . I don’t know what the availability of this device is, but MiFi looks pretty cool!. Handy tip on disk wiping . The Marriage of Figaro, oddly sans frogs. New NERC standards. Naraine and Dancho on PowerPoint ZeroDay. Blog Comment of the Week This week’s best comment was from Nick in response to Spam Levels and Anti-Spam: Since the McColo shutdown we have seen a gradual rise in spam only returning to pre-McColo levels about a month ago. We are a small fish and only deal with about 20,000 emails per day including spam. But I have not been able to recognize the “return to normal” that everyone was talking about several months ago. I would actually estimate that after the shutdown, we have been sitting about 20% lower than usual, until this past month. Not including the first period of time after McColo. Share:

It’s kind of Apple Day here. Rich has been stuck in a ‘Genius Bar’ time warp all morning with a handful of dead Mac minis (Probably died from processor envy when the new Mac Pro arrived). Despite the recession, if you lose your appointment slot, you are going to be waiting a long time, as the AZ Apple stores are always packed. I would gladly have switched places with him, as I have spent all morning trying to decipher alien runes AT&T iPhone pricing plans. My cell phone provider, QuestQwest, is dropping all its cellular services and I now need two new phones. I thought this would be an easy decision as everyone I know seems to have an iPhone. Most people I know in the security profession have had their iPhones for a year or more and they love them. They really like to show off their eye-candy apps and what a powerful mobile computer the iPhone really is. But if 95% of your use is going to be phone calls, is it worth it? As bad as the AT&T pricing is, the real issue is service. AT&T coverage and clarity sucks, or SUCKS, depending upon where in the country you live. I get phone calls from from friends and associates, usually someone I know who has some comment about how my recent blog post demonstrated a complete lack of knowledge, and I should really have done my homework prior to posting. And that person is really smart and is probably making really compelling arguments, but it comes across as a small child making motorboat noises while facing away from the phone. I can’t help myself and laugh out loud. My laughter and saying “Dude!” really pisse them off, but the it is really hard to hear! And this is just the Securosis side of things. My wife and I drive lots of places where a clear connection is critical, and might have a life-threatening need to reach out and speak to someone who can help. In cases like this, a cool gadget loses every time to a reliable call. I love all the Apple products I have purchased and will seriously consider the iPhone. But AT&T is not Apple, and when it comes down to it, service is the bulk of what I am paying for. I was really hoping the rumored Verizon branded iPhone Nano would happen as I could get the Apple product and have good coverage. I have been cruising Mac Rumors every day to see what’s new. We’ll see. There is a rumor that AT&T is dropping prices, which is nice, but Verizon is running a 2 for 1 sale on Blackberrys, which is even more compelling. I have another month or two of service before I have to make a decision, by which time the new iPhones should be out, and then I will make the decision. Share:

I was reading the Network World coverage last night of the McAfee Spam Report stating spam rates were down 20%. While McAfee’s numbers are probably accurate, my initial reaction was “Bull$#(&”, because I personally am not seeing a drop in spam. If the McAfee report, as well as Brian Krebs’ posts, show the totals are down, why am I getting a lot more spam, increasing weekly to the point where I am becoming actively annoyed again? I was wondering how much was due to the launch of the new Securosis web site, which was the ‘cat and mouse’ cyclical changing of spam techniques, and how much was an anti-spam provider not keeping up. I spent a couple of hours last night combing through Postini alerts, my internal junk folder, and the deleted spam that had made it to my inbox. What I found was a linear progression from the time we started with Postini until now, with increasing rates getting caught by my internal spam filter, and a corresponding linear increase getting into the Inbox. Not sure why I allowed this to capture my efforts on Cinco de Mayo, especially considering I have developed a really good margarita recipe that deserved some focused appreciation, but hey, I have no life, and the article grabbed my interest enough to go exploring. Anyway, I think that Postini is just falling behind the curve. We switched over September of 2008. My email address was broadcast when I joined Rich last July and I was surprised that there was not more spam. When we added the Postini service, no spam was getting through for a while, and every evening I would get my Postini status digest of the one or two spam messages it had intercepted. I still get these, and the digest always shows 1-2 emails captured. However, I am getting several dozen in my internal spam folder and another 15-20 in my inbox. And it is the old school blatant “Bank of Nigeria” and “Lottery Winner ” stuff that is sneaking in. Even the halfway well-executed Citibank/Chase/BofA Security alert phishing attempts are getting caught my my personal filters, so how in the world is this stuff getting through Postini? This is not the 97-99% percent blockage that I talked about in the past, and customers have reported to me. I just did a survey 9 months ago and it may already be out of date. It’s time to make a change. The beauty of spam filtering as SaaS is that we can change without pain. I am on the lookout for a 10 seat SaaS anti-spam plan. Got recommendations? I would love to hear them. Share your advice and I will share my margarita recipe. Share:

On Monday at the RSA conference I learned that Oracle is purchasing Sun Microsystems. I was so busy/exhausted from the conference that I forgot about it until this week. This is pretty exciting! Whether it’s really a good or a bad thing depends upon your perspective. Technology-wise it’s a good match, but the corporate cultures are very dissimilar. I have spoken with a few current Sun employees who are really worried about what life will be like at the Big-O. However I heard very much the same concern from many PeopleSoft employees, and the catastrophic fallout anticipated as part of that merger never happened; with the current economic situation, it probably won’t happen this time either. I also have to say this is a much better fit, with Oracle being the acquirer, than it would have been with IBM or HP. The product lines are more complimentary than IBM’s or HP’s, and I suspect there will be fewer layoffs than if either of those companies had made the acquisition. Sun’s people may not like the culture, but I have been hearing complaints from current and ex-Sun employees for years that they were unable to win market share despite having really innovative technologies, and there will be a sense of pride in having the products you worked on effectively marketed and sold. When I worked at Oracle way back when, it was amazing to watch the sales dynamic that was going on. If the customer was making a $20M purchase of hardware and software, let’s say $17M of that was for the hardware. However, the customer’s motivation for the purchase was they needed a solid database platform. That meant the $3M Oracle purchase is what mattered to the customer, and how well Oracle performed on the hardware was the deciding factor in the purchase. This meant the smaller database software company held sway over the larger hardware vendors. For years Oracle has used this incredible leverage over their hardware partners and ‘squeezed’ them on pricing. Now Oracle is the huge company with great margins, but the market dynamic is really changing, and commoditization is moving right up the stack and squeezing their core business as well. It’s not just about the database any longer. Look no further than Cisco getting into the Server/Switch business and offering a unique take on virtualization and provisioning. Several people I spoke with at the RSA conference all said the same thing: Oracle needs to own more of the data center in the coming years if they want to continue their growth curve. I believe Mr. Ellison meant “We’ll engineer the Oracle database and Solaris operating system together. With Sun we can make all components of the IT stack integrated and work well.” quite literally, and it reflects Oracle’s long-term growth strategy. Bundling Solaris with whatever virtualization technologies are at their disposal, InfiniBand Switches, and a full array of servers, gives Oracle a chip-to-web-app presence in the data center that makes the LAMP stack look like a child’s toy. From a security perspective, Oracle now has some really compelling technologies at their disposal. Trusted Solaris is the most secure general purpose OS in the world. Sun’s data encryption and authentication/key management may not be best of breed, but they are solid products that could generate considerable revenue in the hands of Oracle’s professional service arm. And while it is really difficult to secure a JVM properly, it can be done, and the beauty of the Java programming language is that it flat out has the best object model I have ever used. I can properly encapsulate and protect objects, and the language syntax is far easier to read and analyze for coding and security flaws than C++ or other commonly used environments. If Oracle decides to knit these components together within their Data Vault variant of the Oracle database, you will have all of the elements for a very secure development environment. One of the rumors that I was hearing was that Oracle would kill off MySQL. This has been covered in some of the blogs as well. I personally think this is nonsense. MySQL is a very well-designed database. It is modular and cannot only be tuned like an Oracle database, but is instead configured more like a Linux kernel to meet the user’s specific needs. MySQL has a rabid following and what I am estimate at around 15 million installations around the world. When you couple this with the BEA pieces in place and the Java programming language and associated tools/platforms Sun has, you have a really phenomenal web application development suite. Oracle no longer has to ‘compete’ with MySQL – now they have a real answer to PostgreSQL (No, Oracle Lite fans, that was not the answer) without undermining their core database business. What Oracle really needs to do is provide a PL/SQL parser/pre-processor for MySQL, thus providing developers not only the option to use existing SQL/PSM, but the Oracle-specific procedural language most DBAs are familiar with. This would keep the existing MySQL users happy, and offer a migration path into the core Oracle database platform should they outgrow MySQL’s capabilities. Also keep in mind that Oracle purchased Innobase InnoDB, which is not really a database, but rather an underlying storage engine that is commonly used by MySQL. One of the cool things about MySQL is that you can configure it with different storage backends, such as clustering or ISAM. So Oracle owns MySQL and one of the commonly used storage technologies for it, and that platform has strong user affinity – now they just need to find a way to leverage that and make money from it. Letting that community wither and die just does not make sense. To me this looks like a very complimentary acquisition. Share:

Another interesting news item during the RSA show that I am just getting time to comment on is LogLogic’s announcement they have acquired Exaprotect. When LogLogic announced a partnership with Exaprotect a few months back, my initial reaction was “Who”? Actually, I had heard of the company, but knew very little about the technology. I had not heard any of the companies I speak with on a regular basis mention them, so I had not been paying very close attention to this small firm. When I went to Exaprotect’s website to see what products they offered, I really was unable to tell. It looked like a carbon copy of the LogLogic product benefits summary! It is amazingly difficult to understand what differentiates one product from another on corporate web sites when they are all attempting to cover the current market drivers, and do so at the expense of explaining what they actually do. The company is not very well known by those of you who do not follow this space closely, but they do offer a security event management product, along with a couple of other interesting pieces in the areas of configuration management and policy management. The reason this acquisition is important is two-fold. First, this is the removal of the last line of distinction between log management vendors and SEM vendors. ArcSight, LogLogic, eIQ Networks, Q1Labs, LogRhythm, NitroSecurity, and so on are all covering log management and security analysis. Granted, the degree to which each vendor provides the respective capability varies, and each has its own strengths. All in all, these systems collect disparate events, analyze the events in relation to some policy, and provide storage and reporting. The difference was the type of events collected, the speed with which the analysis was conducted, and the audience for the results. These distinctions were usually split down the middle, either near-real-time security response or a forensic analysis and event correlation. What we will see in the coming quarters is adjustment in vendor architectures for these offerings to be efficiently merged into seamless offerings, continuing to provide evolutionary updates to near-real-time and forensic offerings, and looking for ways to differentiate from their competitors. The second reason is that it spotlights the technical and value path this market segment is (and needs to be) headed down. The tough question, now that the vendors collect just about every relevant piece of security & operational data available, is what do you do with that data? How do you differentiate yourself? How do you provide the customer more value? Sure we are going to see new features appended to the core offerings, a la database protection, but the more important feature/functions will have to do with configuration management, business process verification, and policy management/enforcement. Configuration management provides the vendors with a big missing piece of preventative control and baselining of systems that are critical for most compliance efforts. It’s not that difficult to implement, fits nicely within a log management architecture, and offers value to several buying centers. Policy management, provided the vendors actually can take a business policy and automatically map that to the underlying data streams available, will also provide a huge leap in value to customers and speak to non-technical audiences. The final piece of the puzzle is a flexible analytics engine, so policy verification can be performed in an appropriate time-frame in the specific customer environment, in order to verify business continuity and efficacy. I use the word ‘verification’ because enforcement is not really the customer requirement, and more importantly blocking is not typically the appropriate way to remediate problems – the solution is often more complex. All three of these offerings show SEM moving up the stack and making sense of business processing and compliance in the business context. I look at the LogLogic acquisition as a step necessary to compete, not just the in basic SEM infrastructure of near-real-time event processing, but in all three of the evolutionary ways security event management is heading. That’s not an endorsement of the Exaprotect technology – I have not gotten my hands on it and could not tell you how well it works – but it does encapsulate the segment trends. I intend to delve into each of these trends in more depth. Share:

Wanted to post my highlights of the RSA show. Rich and I meant to post daily updates about our experiences during the show, but we were quite literally in meetings or gatherings from 8:30 AM until we went to bed each night. No chance of writing and posting from a secure connection. I have a stack of 70+ business cards sitting here on my desk, and I gave out almost all of the 200 I brought with me. I can barely remember talking to that many people over the course of the week. The weather was awesome. Warm. Actually, very warm. For those of you who don’t get to San Francisco too often, it was about 20 degrees hotter than it was supposed to be Sunday through Wednesday. Rich and I usually stay at a funky little hotel that is close to Moscone; it’s cheap and we are never in the rooms for very long. However the older hotels lack air conditioning. In fact, if you want to get cool air, you open the window. Sleeping in a 90 degree room with big city traffic outside your window does not make for a restful visit. When you combine 15 meetings a day on four hours of sleep, things begin to blur together. But both Rich and I had an awesome time, and spent the entire weekend recovering from sleep deprivation. Best Food: The Venrock party was held at ‘Two’, which is a nice little restaurant off Howard and somewhat hard to spot. The food was simple ‘Cowboy’ fare: barbequed tri-tip – carnitas like shredded pork and roasted chicken, but simply amazing. We were planning on going out to dinner but our plans were promptly discarded when we tasted the food. We ate until they took the trays away. I am going to have to go back there for dinner! Best Party: The Security Bloggers event, if for no other reason that there were so many interesting people there that I talked until my voice gave out. Good friends, good food, good drink, and good fun! Best Presentation: I am probably disqualified from this category, but I am putting out my nomination anyway. I was only able to attend a half dozen presentations, and I knew both the people on stage for my favorite, however there was one clear winner from what I saw. Rich Mogull and Chris Hoff on Disruptive Innovation simply rocked. Biased? Sure. Small sample size? Sure. But on a Friday morning, to fill a conference room and have no one leave is pretty amazing. To cover 160 slides in 50 minutes and make sense is astounding. When it becomes available on the RSA site, you tell me if it was not the best preso! Special mention goes to Brian Chess and Gary McGraw for another interesting Friday talk on secure coding and the release of the Building Security In Maturity Model. http://www.bsi-mm.com/ Attendance: Officially I was told that the numbers were off about 22%. Lots of the vendors along the edges of the exhibitor hall were complaining that they were not getting anyone by their booths, but I have seen that first hand in past years as well. What I did not see were the people with shopping bags loaded with tchotchkes and stuff – instead I saw people legitimately there to see what the vendors offered. Seemed like the people who had company budget to show up were there to learn from the sessions, visit a couple vendors they were interested in speaking with, and that was about it. Not many people looking for innovation, but their existing vendors to get better at what they do, or in some cases, what they are supposed to do. Biggest Surprise: How many of you knew Webroot has a complete email and web security service offering? I cover the space and I did not even know until this week. Kind of a strange time to start, but the service based offerings makes switching very easy to do. And if Postini’s ability to filter spam continues to slide, I think Rich and I will begin looking at other vendors. If we are, I will bet others would consider this as well. Favorite event: First annual Securosis Recovery Breakfast (which will be named The Disaster Recovery Breakfast in the future, thanks Mary Catherine) was a big hit. Jillian’s was really nice to us and gave us the entire restaurant. We had about 70 people show up. No screaming over the noise, no elbow to elbow crowds, lots of chairs and good food. It was different than anything I have been to at RSA, and I am glad Rich had the idea. Relaxing fun, so we will definitely do it again next year. Theme: Security. This may seem obvious to some of you, but it should not be. We have gone through previous years where every vendor was a one stop shop for solving your compliance problems, and we have seen every gadget and appliance marketed to us as the one and only solution for Governance, Risk and Compliance. I expected to see 500 vendors telling me how they could secure the cloud, but I only saw a smattering of that. While I know a very large percentage of revenue is derived from compliance spending, the message was back to security, and I think that is a good thing! The buyers are beginning to see that operational controls, compliance, and security are closely linked needs. Saddest Scene: It’s a security conference. We are security professionals. We read about how easy it is to hack wireless end points, and that man in the middle attacks are sometimes trivial for a skilled hacker, but common traffic sniffing is usually sufficient to gather user accounts and passwords. This is not a big secret. Yet there was always a group of people grouped around the wireless access points, gathering their email and checking their eBay bids. Are you freakin’ nuts? RSA needs its own “Wall of

The big news at Securosis this week was the launching of Project Quant! Not only are we excited about working with some of the team members at Microsoft, but we are going to be really pushing the boundaries of our Totally Transparent Research process. Rich has been furiously setting up the infrastructure all week to support the public discourse for the project, and he just got it finished in time for launch. We are grateful that there is a ton of interest out there as we have been getting numerous tweets and email on the subject, and well as a ton of press on the project from eWeek, Dark Reading, ZDNet, and Dennis Fisher at ThreatPost. Jeff Jones posted an announcement on his Security Blog, plus there is coverage by Peter Galli on Microsoft’s Port 25 blog as well! There won’t be a lot of content pushed out next week as we are crazy-busy next week, but this will be a full time effort come May. On the personal side, I got a couple phone calls again this week. You know, the “My computer is doing FOO, and it stopped working” phone call from friends and family. As sure as the sun rises in the morning, I got another call today from a friend who has their machine infected with some form of malware. IE is completely locked, and when they try to use it now, all they get is an advertisement to purchase AV and anti-malware! After a few hours of someone in the family browsing risky sites and downloading music from dubious locations, it looked like they had managed to get infected with something that was not going to easily surrender. It passed the Eye Chart test, but I was not convinced that it was (or was not) Conficker. The next question of course is “How do I fix it?” and my response is “stop doing what you did to get it infected in the first place!” The snappy retort does not make me very popular, but why fix it and have them do it again a week later? Almost immediately I feel bad for them and go ahead and fix it. Most of the people who call use their computer to run their business. This is how they make their living. They are hosed. They will lose two or three days of revenue and piss off their clients if they don’t get back up and running ASAP. Can the virus be removed without permanent damage? Maybe, maybe not. A fresh install is probably the only way to be sure you got it. Serious education on what not to do is what it would take to keep it from happening again. Any way you slice it, this is a painful process. There are a lot of commonalities across this group: They use IE 6.x on Windows. They do not make backups. They do not keep the original software media or software licenses. They use their machines for their business. Their machines run very slowly, and have for a long time. They browse -everywhere-. They have never met an email link they would not click. They download lots of applications and music. They install a lot of free Internet applications just to see what they are. They have never uninstalled a program. They do not run disk cleanup. They have Norton or McAfee. They have malware and adware on the machine. They do online banking. There is no password on the machine. The machine is multi-use by/for all family members. They have never looked at IE settings. They are unaware that there are other browsers. I feel bad half the time, because I cannot fix the problem without a re-install. When I do re-install, getting the computer to where it was before the infection is a full day’s work … spread out over a week or more. Man do I have sympathy for the corporate IT guys who have to put up with this for a living! “Where are my bookmarks?” “Why does the computer do this?” “I can’t print!” “Why is this over here when it used to be over there?” Part of me wants them to feel a little pain, in order for them to appreciate that performing every risky act on your computer has consequences, but what really needs to happen is some education for the home user. I have been on this topic for some time, and I feel fairly strongly about it. Enough so that I even bought “Security Mike’s Guide to Internet Security” when it was still vapo-bookware to loan to family members to raise their awareness. Not that they would have read it before their computer imploded, but it would be there for them as they waited for InstallShield to complete its tasks. I know that security professionals need to help not just the vendors and IT organizations who have security challenges, but the end users as well. I am going to be cherry-picking a bunch of our old posts and putting them into the new Research Library for end user assistance and tips. Certainly not our focus, but something we will continue to build. And now for the week in review: Webcasts, Podcasts, Outside Writing, and Conferences: Martin and Rich on the weekly Network Security Podcast. Rich joined Amrit Williams of BigFix on the Beyond the Perimeter podcast. Favorite Securosis Posts: Rich: Our guest post from Marker Advisors on A Financial Analyst’s Perspective. Adrian: Pin Crackers post, raising some discussion points to Kim Zetter on the Wired Threat Level site in regards to “PIN cracking”. Favorite Outside Posts: Adrian: I liked Ronald McCarthy’s down-to-earth discussion of Ubuntu Security. Rich: Alex’s comments on Project Quant. Don’t worry Alex, we are all armed with ‘Multitools’ and chewing gum! Top News and Posts: An Examination of the Twitter Worm. The Verizion Data Breach report is out. It’s good. Read it when you get the chance, but some of the editorial posts are advised as well,