Archive for the ‘Rants’ Category

Defense in Depth Not So Deep?

April 22nd, 2008

Over at the Matasano Chargen blog, Thomas Ptacek challenges the conventional wisdom of Defense in Depth by taking to task the comparison of InfoSec and war strategies. Analyzing the analogies we use is an excellent exercise to better refine when and where they truly apply. Defense in depth is a very useful analogy, but, as with any trite saying, it can become diluted and useless when overused.

The best point made in Thomas’ post has to be from Eric Monti:

“It irks me when vendors talk about ‘defense in depth’,” he says, but “I generally take it as good sign when customers do.”

BINGO. The depth mindset is great for implementers, as it shows an honest assessment of the situation. When used correctly, depth shouldn’t be for depth’s sake though.

Why go deep? Generally we recognize a weakness and add another layer to help compensate for the weakness in the first layer. Followed logically, we should be shooting for as shallow a depth as possible while adding something meaningful at each layer. Also logically, we can say that the need for deep layering may represent crappy raw materials. Hence the agreement with Eric’s assertion about vendors.

So, go deep, but not one layer more than absolutely necessary. And if you find yourself getting really deep in it, maybe you need to wonder just what “it” is.


A Bad Apple In The Barrel?

March 24th, 2008

As you may well know by now, Apple recently decided that they would “leverage” their existing client base to their advantage.  If you didn’t know, check Martin McKeay’s post about this.  If you are running Apple’s software updater, they decided you need to bloat your system some more by installing Safari, whether you want to use it or not.  Now if you’ve consumed the Apple Kool-Aid, you might not mind, and that’s your business.

I do have a big problem with this though.  A vendor using an update conduit to install new software is just plain wrong.  As network and security professionals, we generally preach the need to keep systems up-to-date.  Generally we endorse the need to run update conduits and keep patches current.  It becomes much harder to endorse this though when a vendor expands the updater outside of updates.  There’s a bit of a paradox here.  On the one hand, if you have something like QuickTime that seems to frequently hang in the vulnerability wind, you probably want to stay current with patches.  On the other hand, if that patching process injects new software onto your system and therefore increases your potential attack surface area, you really don’t want to run that patching process.  Hmmmm….

Now in the Microsoft world, I generally deal with this kind of thing on the corporate network by using WSUS.  With WSUS, you can act as the informed filter for your users.  If something comes down from Redmond that you don’t like, simply don’t approve it.  I like that kind of control.  Is there something similar for Apple updates?  I don’t know, but you can bet this will lead to some checking into it.

What do you think?  Is this abusive by Apple?  Does this set a bad precedent?  Is this a harbinger of Armageddon?  (Just checking if you’re still awake.)

Rants, Security

ROI is Dead

July 18th, 2007

….or at least I’d like to kill it.

I wasn’t going to comment on this whole parade of postings, but the camel’s back just broke. So here goes.

The first post I saw was No ROI? No Problem from Richard Bejtlich. I read it and thought that sounded in line with my understanding. Good enough.

Then Richard followed up with Security ROI Revisited to further the conversation.

The feed reader then produced Cutaway’s Security ROI is in the Eyes of the Beholder.

Also I caught Anton Chuvakin’s Security ROI Pile-Up! that hashes through several posts and some ‘in-house’ experts.

Finally we come today with Mike Murray’s I hate ROI.

I’ve got to start with the most foundational understanding I have, and that is that spending money is not the same as investing. An expense is not an investment. Investment is defined as “the investing of money or capital in order to gain profitable returns, as interest, income, or appreciation in value.”

Mr. Murray makes an example using a company that purchases a product for $100k that displaces $1.4M worth of payroll employees. He asks:

Now, did the product produce a return on the investment of $100K into it? You’d be hard-pressed to say that increasing company net profit by $1.3M as the result of a purchasing decision is not a return on the investment.

The problem is it wasn’t an investment in the first place. Yes, the fictitious company did cut costs, and of course that trumps ROI anyway. But let’s not call spending money on the overhead of a business an investment.

If we have to have yet another three-letter acronym, let’s start using DUH. On second thought, that’s not an acronym. Still, it works. “DUH, saving money is a good thing.” “DUH, protecting our butts might be smart.”



Antivirus or Entomology

July 17th, 2007

We’ll put this post squarely in the category of rants, but I just have to go there today.

One of my running pet peeves of the last year or two is the schism between antivirus and antimalware products. Frankly when antivirus vendors came out with antimalware products, I fully expected them to get folded back into the AV products themselves. In some cases it has, but in too many it has not.

What does it tell you about a vendor that releases an antimalware product separate from their antivirus? Well you can draw many conclusions, but the one that jumped out at me initially is this: The vendor just admitted that their antivirus won’t catch all the bugs you might expect it to catch, and rather than add that functionality to keep their AV current, fresh, and relevant, they’ll be tapping your wallet again. Correct me if I am wrong here, but isn’t a virus a type of malware? Shouldn’t one cover the other?

Now today I saw this Dark Reading piece: Symantec Unveils Anti-Botware. Yep, that’s an anti-bot app. Huh? There have got to be entomologists who are green with envy at the ability to slice bugs up into so many categories.

This should be a no-brainer. By the time you have a bot on your system, it’s over. Done. Fin. Game Over. Hasta la vista, baby. Wipe & reinstall. No excuses, no exceptions, no kidding. And shouldn’t the antivirus/antimalware crowd be taking care of the inbound pathways the bots use?

Maybe I’m just cranky. What do you think?


Know Thyself

July 4th, 2007

It was interesting to read Martin McKeay’s post today about stepping down as the Cobia Product Evangelist. It struck a chord with me because I’ve been recently looking at ways to improve my own career. Martin’s experience reminds me of a bit of ancient wisdom – Know thyself.

I know that personally I learn best from experience. Trying things is a great way to learn. You may learn more about a skill or technology, or you may learn you don’t want to do that job again. The important thing is that you learn from the experience. Far more learning happens in the deep end of the pool than the shallow end.

So kudos to Martin for trying something, for stepping out and going after an opportunity. And kudos to him for knowing when it’s time to try something else. You never truly know unless you try.

For me, I’m thrilled that 8 years ago I left a salaried position to start my own company. In the rougher times I contemplated shutting down and taking a job, but I know myself well enough to know that wouldn’t have been best. Sure, a steady paycheck looks nice when things are tough, but it wouldn’t have lasted. The urge to roam would have come up as sure as tomorrow comes.

Looking forward, I am going to pursue more work in the realm of infrastructure. Many of the projects I’ve truly enjoyed have been around infrastructure so I will make a concerted effort to push in that direction. And if a little further down the line it’s not working, I’ll just look back at this post and think of trying something new. Whether it works or not, I should know myself a little better.


Complacency or Ignorance?

March 16th, 2007

Here’s a linear expansion of three articles that caught my interest: The first from Andy, ITGuy (Did complacency kill the cat or was the cat already wounded) refers to a post from The Daily Incite (Complacency killed the cat) which comments on a Small Biz Resource article (Report: SMBs Overconfident on Security).

I’ve worked inside small businesses, then enterprises, then as a consultant to large enterprises, and now as a consultant to SMBs. Frankly I prefer to work with small clients most of the time, but one of the big challenges is education. A large part of my job is educating the client so that we can then implement. It’s both a pleasure and a pain to do.

So, what’s education got to do with it? In many cases I think the complacency that’s being seen is really coming from ignorance. If a business owner / manager clearly understands the gravity of a situation they will be less likely to see roses everywhere they look. If, like most small businesses I’ve worked with, their #1 concern is just keeping it running, they feel success when they reach a state of system or network maintenance. When those same folks learn enough to understand the types, severity, and frequency of threats they face, they will be more likely to engage and work to improve their security. With that understanding, a simple firewall and AV deployment will turn from being seen as Fort Knox to my kids’ pillow fort.
