
Talking Out Loud with ASB

Views on Life, Technology and Everything, by ASB (aka Logik!)...

News

The Fun Summer of 2010 – Overview

Things have been good and busy this year for me.  Overall, I can’t complain.  :)

Since June, I’ve been busy with a new corporate challenge, and it has been fun, exciting and already rewarding.

Also, this year, I’ve had the privilege of working with the good folks at Focus.com on a number of intriguing projects.  In many ways, Focus.com has become my favorite hub – surpassing even LinkedIn.

My family and I have done our customary trips to Shepherd Lake, and also our spiritual retreat to Stokes State Forest.  I have to write about those, but I haven’t had time as yet.  The last major event for the summer will be a Bike Riding expedition just before Labor Day.

And finally, I updated the Android OS on my Motorola Droid to version 2.2 (Froyo).  Quite a few good things to talk about there, but I’ll address all of these points in separate posts.

And I even have some major plans for inexpensive technology upgrades this year.  (Part of the plan is to finally ditch cable/FiOS TV.)

For so many reasons, 2010 has been very different for me than all the preceding years – but it’s all about learning the lessons that are presented to you, taking advantage of the opportunities that come your way, and building valuable relationships along the way.

This is just the trailer.  Please stay tuned for full posts which should be headed your way over the next few weeks.

That’s my story, and I’m sticking to it!  :)

The State of Data Breaches in 2010

I had a chance to review the 2010 Verizon Data Breach Investigations Report today, which I was alerted to by ISC.SANS.ORG.  They’ve put together data from 2004 through 2009, and it is quite interesting.

These are from confirmed data breach cases.

Here were 3 of the scariest stats in the document:

  • 86% of victims had evidence of the breach in their log files
  • 96% of breaches were avoidable through simple or intermediate controls
  • 79% of victims subject to PCI DSS had not achieved compliance

In short, 4 out of 5 organizations that were supposed to be compliant with one particular standard (PCI DSS) were not.  They were infiltrated through easily avoidable weaknesses, and the evidence of their compromise was sitting right in their own logs, but nobody was looking at them.

That is a sad state of affairs…

All is not lost, however.  The report did have a few bright notes.  Please take some time to review it when you can.

Understanding What Your Children Really Mean

Ever wanted to know what your children really mean when they answer your questions?

Use this handy translation guide to better understand what your children are actually telling you in response to some of your most common queries:

Q: “Have you finished cleaning your room?”
A: “Almost!”
T: “I haven’t really started, but I hope you’re not coming to check on me right now.”

Q: “Is your bedroom clean?”
A: “Yes!”
T: “Yes, assuming that we’re talking about an arbitrary 2’x2’ area in the general proximity of a bed, which contains approximately 50% less debris than its immediate surroundings.  If you stubbornly cling to the traditional definitions of both ‘clean’ and ‘bedroom’, however, the answer is NO.”

Q: “Have you put away all your clothes?”
A: “Yes, Mom!”
T: “I’ve moved them from the bed to another location in the room.”

Q: “Have you put them away PROPERLY?!?”
A: “Um… Yes?”
T: “Oh, you mean where everything is off the ground, the clean clothes are folded, and they’re not intermingled with any dirty clothes?  I’m getting right on that…”

Q: “Why is everything so quiet up there?”
A: “Nothing! We’re just reading!”
T: “We’re playing on our Nintendo DS Lite, which you told us to put away during the school week, and now we’re trying to hide it under our pillows.”

Q: “Do you have any homework today?”
A: “No, Daddy.  The teacher didn’t give us any today because tomorrow is the school play.”
T: “No, and I can prove it, too.”

Q: “Do you have any homework today?”
A: “Nope.”
T: “Huh? What?  I didn’t hear your question as I was distracted by that funny commercial on the television.”

Q: “Do you have any homework today?”
A: “Um…  No.”
T: “I think we had some homework, but I wasn’t paying attention at the time, and I’ve forgotten my assignment notebook at school.”

Q: “Have you finished your food?”
A: “Yes.”
T: “Well, all except the vegetables, 1/3 of the rice, and most of the salad. Oh, and any allegedly edible content that I cannot pronounce.”

Q: “Have you finished your food?”
A: “No.”
T: “See, the thing is, I really don’t want any more food, but I’ve got to hang around here until the dessert gets passed out, which is what I am really waiting for.  And I’ll have some juice while you’re at it too, please.”

For what it’s worth, you’ll find that the cutest answers occur between the ages of 4 and 7, with sporadic humor throughout the teenage years (mixed with a whole lot of angst!)

Enjoy them while you can, but don’t be fooled…

It’s Time to Re-evaluate Host-based Security

I’ve said it for a few years now, but host-based antivirus is really not working out anymore.  Not with its reliance on signatures to detect malware.

Recently, several prominent antivirus vendors have experienced problems with faulty virus definitions:

Although all of these vendors have promised the obvious improvements to their QA and testing processes (and I have no reason to believe that they are insincere), there is no sign that these problems will diminish over time.  Instead, it is pretty clear that there will be more problems as the massive increase of malware is forcing vendors to push out updates faster and faster.

There are several problems with malware protection which relies on signatures:

  1. Malware writers are using sophisticated toolkits which reduce the skill and time needed to produce effective malware – both new and variants.
     
  2. Polymorphic malware regularly gets around signature detection, forcing AV vendors to constantly push out new signatures – several times per day!
      
  3. There are many kinds of malware that are still not properly detected by up-to-date AV solutions with current definitions.
     

Where does this leave us?  Host-based antivirus products are using up more and more CPU cycles to process an ever-growing list of viruses, yet are still unable to keep up with the onslaught of new malware.   To make matters worse, the constant creation and release of new definition files is stressing the quality assurance (QA) process for antivirus vendors.   We have reached the place where IT professionals are considering turning off automatic AV updates, and deploying labs to test the updates before release.

In short, the odds of timely detection continue to drift downward ever so slowly, while the risk of friendly fire from the AV solution itself creeps upward ever so steadily.  (The McAfee update issue had an impact on its clients that rivaled a major virus attack.)

We are long overdue for a different approach.

 
Application Whitelisting

Companies such as Bit9, CoreTrace, and Lumension have been pushing application whitelisting for years now.  Microsoft has also provided this technology via AppLocker in Windows 7 and Server 2008 R2 (Vista and Server 2008 have only the older, cruder Software Restriction Policies).  Even some of the major AV players have purchased or developed application whitelisting technology, but they have not been actively pushing it into the mainstream.  They need to start.

Better yet, we as IT leaders and professionals need to start evaluating and deploying the technologies that better address information security concerns in 2010 and beyond, allowing us to make better use our limited budgets and resources.

Application whitelisting is a good idea, because in every environment the set of “known good” programs is far smaller than the set of bad code that you don’t want to run.  Just consider the difference between a firewall rule-set that takes a “deny everything that has not been explicitly opened” stance and one that tries to explicitly block every bad protocol and port.

The frequency of change in the “allow list”, particularly in corporate environments, will be greatly reduced as compared to the “bad list”.  Fewer changes mean fewer chances for error.   It also means that the processing power needed to evaluate the former list will be far less than that needed to evaluate the current lists of malware in today’s signature-based AV products.
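As an added example (not code from the original post), here is how the “deny everything not explicitly allowed” stance looks in practice with AppLocker, the Microsoft technology mentioned above: build the allow list from a clean reference build, dry-run an unknown download against it, then apply it in audit-only mode so the event log shows what would have been blocked before anything is actually enforced.  It assumes Windows 7 or Server 2008 R2 with the AppLocker PowerShell module, an elevated session, and placeholder paths (C:\Reference, the Downloads folder) that you would substitute for your own.

```powershell
# Added example, not from the original post. Assumptions: Windows 7 / Server 2008 R2,
# AppLocker module available, run elevated. 'C:\Reference' and the Downloads path
# are placeholders.
Import-Module AppLocker

# 1. Inventory the executables on a known-good build. Publisher rules (based on
#    Authenticode signatures) survive vendor patches; unsigned files fall back to
#    hash rules, which must be regenerated whenever the file changes.
$files = @(Get-AppLockerFileInformation -Directory 'C:\Program Files' -Recurse -FileType Exe) +
         @(Get-AppLockerFileInformation -Directory 'C:\Windows'       -Recurse -FileType Exe)

# 2. Generate allow rules for Everyone. -Optimize collapses many files from one
#    publisher into a single publisher rule, which keeps the allow list short.
$policyXml = $files | New-AppLockerPolicy -RuleType Publisher, Hash -User Everyone -Optimize -Xml

# 3. Switch the EXE collection to audit mode before saving. Enforcement comes
#    later, once the audit log has been reviewed.
$policyXml = $policyXml -replace 'Type="Exe" EnforcementMode="NotConfigured"',
                                 'Type="Exe" EnforcementMode="AuditOnly"'
$policyXml | Out-File -Encoding UTF8 'C:\Reference\AppLocker-Audit.xml'

# 4. Dry run: would a freshly downloaded binary be allowed? Anything no rule
#    matches comes back as DeniedByDefault, i.e. the firewall-style default deny.
Test-AppLockerPolicy -XmlPolicy 'C:\Reference\AppLocker-Audit.xml' `
    -Path 'C:\Users\asb\Downloads\setup.exe' -User Everyone |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 5. Apply locally (-Merge keeps any rules already present) and make sure the
#    Application Identity service, which AppLocker depends on, is running.
Set-AppLockerPolicy -XmlPolicy 'C:\Reference\AppLocker-Audit.xml' -Merge
Set-Service -Name AppIDSvc -StartupType Automatic
Start-Service -Name AppIDSvc

# 6. After a few days in audit mode, list what would have been blocked (event 8003)
#    so legitimate software can be added to the allow list before switching the
#    collection to Enabled.
Get-WinEvent -LogName 'Microsoft-Windows-AppLocker/EXE and DLL' -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -eq 8003 } |
    Select-Object TimeCreated, Message |
    Format-Table -Wrap
```

The audit step is the part people skip and then regret: run the policy in AuditOnly for long enough to cover a patch cycle and a month-end, fold the 8003 events into new rules, and only then flip EnforcementMode to Enabled (and deploy via Group Policy rather than Set-AppLockerPolicy on each box).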

 
Mitigating Code-Enabled Data

I think that we really have to weigh the disadvantages of code-enabled data files and either abandon them outright (cue lots of whining), or at least ensure that there are centrally controlled configuration options for enabling or disabling the automation features of productivity applications.

For instance, consider how diminished the threat of macro-embedded documents has become since Microsoft enabled much better controls over macro security, including turning them off by default, and allowing them to be set via policies.  Remember when macro viruses were the most common threat vector?  We need to do the same for PDF exploits.

Getting a better handle on security at the host level entails not only controlling which applications can run, but determining in what context, and with what functionality, they can run at any given time.  If we can get vendors to provide us with centralized controls regulating all of the features they integrate into their apps, then each person and each organization can determine what level of risk to assume for any given application – and in the event of an emergency, the problematic feature can be disabled or otherwise impaired as a stopgap.

All of these options will sufficiently mitigate external risks without simultaneously increasing risks from errors.  And they will consume less processing power and generate fewer application conflicts than our current antimalware solutions.
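The two centrally controlled switches this section asks for already exist for the two examples it names, Office macros and PDF JavaScript, and both live in the policy branch of the registry that Group Policy writes, so they override whatever the user picks in the application’s own preferences.  The script below is an added example (not the post’s own code) that sets both as an emergency stopgap and reports the resulting state.  It assumes Office 2010 (version key 14.0) and Adobe Reader 9.0; the version segments, and the list of Office applications, are assumptions to adjust for your environment.  The HKLM key needs an elevated session.

```powershell
# Added example, not from the original post. Assumptions: Office 2010 (14.0),
# Adobe Reader 9.0, and that Word/Excel/PowerPoint are the macro-capable apps in use.
# Office "VBA Macro Notification Settings" values (same meanings as the GPO):
#   1 = enable all (dangerous)             2 = disable with notification
#   3 = disable all except signed macros   4 = disable all without notification
$OfficeApps = 'Word', 'Excel', 'PowerPoint'
$OfficeVer  = '14.0'
$ReaderVer  = '9.0'

function Set-MacroLockdown {
    param(
        [ValidateRange(1, 4)][int]$VbaWarnings = 3,   # default: only signed macros run
        [switch]$DisableReaderJavaScript
    )
    foreach ($app in $OfficeApps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVer\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # A value under \Policies wins over the user's own Trust Center choice,
        # which is what makes this "centrally controlled".
        New-ItemProperty -Path $key -Name VBAWarnings -PropertyType DWord `
            -Value $VbaWarnings -Force | Out-Null
    }
    if ($DisableReaderJavaScript) {
        $key = "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\$ReaderVer\FeatureLockDown"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # FeatureLockDown settings are greyed out in Reader's preferences dialog,
        # so the user cannot quietly turn JavaScript back on.
        New-ItemProperty -Path $key -Name bDisableJavaScript -PropertyType DWord `
            -Value 1 -Force | Out-Null
    }
}

function Get-MacroLockdown {
    # One row per application, so the state can be eyeballed or exported to CSV.
    foreach ($app in $OfficeApps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVer\$app\Security"
        $val = (Get-ItemProperty -Path $key -Name VBAWarnings -ErrorAction SilentlyContinue).VBAWarnings
        New-Object PSObject -Property @{
            Application = $app
            Setting     = 'VBAWarnings'
            Value       = $val
            Locked      = ($val -ne $null)
        }
    }
    $key = "HKLM:\SOFTWARE\Policies\Adobe\Acrobat Reader\$ReaderVer\FeatureLockDown"
    $val = (Get-ItemProperty -Path $key -Name bDisableJavaScript -ErrorAction SilentlyContinue).bDisableJavaScript
    New-Object PSObject -Property @{
        Application = 'Acrobat Reader'
        Setting     = 'bDisableJavaScript'
        Value       = $val
        Locked      = ($val -eq 1)
    }
}

# Stopgap for a new PDF exploit in the wild: kill Reader JavaScript now and allow
# only signed macros. Both are undone later by deleting the policy values.
Set-MacroLockdown -VbaWarnings 3 -DisableReaderJavaScript
Get-MacroLockdown | Format-Table Application, Setting, Value, Locked -AutoSize
```

In a domain, the same values would be pushed through the Office and Adobe ADM/ADMX templates rather than a script on each machine; the script is useful for verifying that the policy actually landed on a given host.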

 
Using the Right Technology

Signature-based security devices still have their place within the enterprise – mostly at the perimeter.  (And even there, their days are numbered.)  But at the desktop, they are increasingly causing more pain than gain, and it is time for us to change our approach, lest we find ourselves slipping further and further behind the malware writers.

And whitelisting need not concern itself with every executable.  Each organization can determine just how much to watch and keep track of, balancing performance, productivity and security according to a risk profile that they select.

Yes, there will be a few challenges to address in order to see mainstream use of whitelisting technology – including the integration of such technology into the patch management process – but, the gains will be well worth it.  Environments that have moved in this direction are already seeing significant ROI just in terms of recovering lost administrator time from managing the AV process and from recovering from broken antivirus definitions.

If you haven’t looked at Microsoft’s AppLocker technology, or at the technology from one of the other vendors, you owe it to yourself and your organization to start evaluating, testing and ultimately deploying.  Those who get ahead of the curve in the next 9-15 months will save themselves and their organizations significantly vs those who keep using the same old methods, even as the nature and intensity of the threat landscape has changed dramatically.

Blacklisting is out.  Whitelisting is in.  Please get with the program.

Making Business Sense

Long ago, in days of yore, it was common to complain that most information technology leaders and staff were too focused on deploying cool technology just for the sake of technology rather than ensuring that there was valid business justification for what they evaluated and implemented.  CIOs and IT leaders were told to learn the language of the business and focus on things like Return on Investment (ROI), productivity improvements, cost control and revenue enhancement.

I’m not here to say that this was a bad thing.  In fact, I have to admit that quite a lot of good has come from all this attention to the business by IT leaders.  It has given us a chance to play an important role in generating revenue within many organizations, helped us to gain traction and credibility with our peers within the organization, and improved our career opportunities.

Recently, however, I have seen a number of situations that make me question whether or not businesses have forgotten their own rules of investment.  There appears to be excitement over every trend that is identified in the mainstream, business and trade press, even when no clear value can be articulated.

I can understand the hoopla surrounding cloud computing, because of the increased flexibility it provides organizations with, as well as the potential for cost savings.  I can even accept the embrace of social networking, because of its ability to change the landscape and lower the traditional barriers from a marketing and customer interaction standpoint. 

What I don’t get is the attraction to devices such as the Apple iPad.  This is not a specific anti-iPad rant, per se, but since its release at the beginning of April 2010, the iPad has generated the most buzz within various enterprises of any device in recent memory.  My question to the business is, why?

  • What is the business case for even evaluating a tool that is cool looking, but provides no new business functionality over existing tools?
     
  • What is the ROI on such a device?   What is the business case?
     
  • How will it be secured?  Does it add any risk to the business, and how will those risks be mitigated?
     
  • Is technology integration and vendor support given any consideration or only initial pricing and market appeal?
     
  • Is it reasonable to obtain the device first, then ask IT to simply deal with it?
     
  • Why does something as vital as information security have to be explained in painstaking detail when there is constant news about breaches and their penalties, when something like the iPad is embraced without anyone stopping to ask what the benefit will be?
     

Surely, we haven’t abandoned the need for coming up with real business cases before we invest valuable resources, have we?  It’s not just about IT not wanting to do things, or thinking that they run the business.  Nor is it some sort of fear of consumer-marketed technology.

Why is it that if IT pushes for cool or sexy “toys” for whatever reason, that the business gets up in arms about how they are not helping the organization? 

Why is it that whenever the technology team questions why the business is pushing for cool or sexy “toys”, IT is seen as not getting with the times?

I’ll grant you that there are *some* technology departments that are afraid of change – whether for good reasons or for bad ones – but most information technology teams today have embraced their modern role as information and capability stewards of the business.  They understand that they need to keep up with trends, technology and process that can give them and their organizations an edge in the marketplace.

Therefore, it is vital that they have the opportunity to understand and appropriately support technology that the business uses, such that issues pertaining to productivity, security, privacy and accessibility are well addressed.  They recognize this challenge, and accept that they have to accomplish it with staff sizes and budgets that are smaller (sometimes, much smaller) than in the past.

Now is not the time to resurrect the “IT is only there to serve the business” game.  Every successful organization in today’s market requires management of technology at some level, and every technology team requires an organization within which they can add value.  Neither element (business and IT) can operate independently, and neither element can simply do things because they are cool or because other people are doing them.

If “business value” is the standard by which all technology purchases are judged, then let’s be sure to apply that standard consistently across the enterprise. We all need to work together to ensure that our business investments, whether technology based or not, are done wisely and with a clear return on investment or with a reasonable mitigation of risk.

If you feel you have some good use cases or business justification for iPads in your organization, I would love to hear about them. Otherwise, we’re just not making business sense…  
