Security Bytes - A SearchSecurity.com blog


The information security blog for the latest buzz on data security, privacy and regulatory compliance issues, information security threats, software security updates, flaws and more.

Fighting security FUD

Bill Brenner

I recently tripped over a blog write-up from independent analyst Eric Ogren about his irritation with security vendors using FUD to sell products. It’s an older posting from 2006 but his message is as relevant today as it was two years ago.

Building his case around a threat report Websense released at the time, he wrote, “I’m not sure that the world is better off with yet another security vendor telling us that Phishing, malicious websites, malicious code, hacking tools, P2P, IM and Chat attacks have all increased.”

He dismissed the report as FUD marketing designed to create demand for security products, but said he believed such reports could actually have the opposite effect by pointing out the futility of security products to stop attacks.

He’s not the first security expert to rail against the FUD factor. Security luminary Bruce Schneier has devoted huge chunks of his time speaking out against security ‘theatre’ — policies and products that are more about offering the perception of security rather than addressing the actual risks.

And, rightly or wrongly, the Apple crowd is constantly crying FUD whenever something is written about a security flaw or malware affecting their beloved Macs.

I bring up the issue because it’s long been a source of irritation for me. As a security writer, I’m constantly buried beneath tons of voicemail and email from vendors looking for attention, and the PR machinery almost always uses FUD to make a case for buying the latest compliance-out-of-the-box appliance or the “first of its kind” bot/spyware/worm/common cold zapper.

Along the way, the PR community likes to invent new words or phrases to define the threat, many of which start with the letters “ph” (phishing, pharming, phlooding).

I’ve been looking back through four years of writing for the sake of nostalgia. The big thing that strikes me is that we’ve written a lot of stories about the latest flaw or exploit and someone is always banging on the alarm bell with a hammer.

In the final analysis, it’s prudent to flag the latest flaws and exploits because IT security professionals need to be aware of these things and incorporate the information into their patch management process. Heck, alerting them to these things is what we’re here for. But the tone and level of alarm that should go into these stories is always something we wrestle with.

Everyone has a role to play in information security, from the IT pros to the vendors, analysts and media. But from the content I look back on, I see little evidence that vendor-generated fear has ever made a difference.

Warnings about some flaw or exploit opening the door for a catastrophic Internet-ending event are never followed by the big doom. On the other side of the spectrum, the epidemic of data security breaches shows that all the FUD and security spending in the world can’t prevent the bad guys from punching through. The recent Hannaford supermarkets breach proves you can respond to the fear and spend a lot of money on new technology and still get whacked.

I recently asked Rhode Island-based network engineer Edward Ziots whether he jumps at every exploit warning. Here’s what he told me by email:

“We don’t jump, it would be imprudent to do so. Basically I read up on how the exploit works, even look at the code offline to ascertain if it would be available to be downloaded or how much effort it would take to be a working exploit. Next, you basically need to adjust your risk assessment based on the controls you have in house, and how many systems could be affected and in what manner.

“Lastly communicate the adjusted risk assessment to management, security and await decision on whether to raise priority for patching, or to deploy other security measures to mitigate until all systems can be patched.

“Honestly, it makes it very difficult with exploit code in the wild and reports of working exploits not to raise your risk level and deploy extra manpower and time and effort to get all systems patched. It’s just due diligence.”

My advice is to take the FUD with a grain of salt and remember that while cyberspace is a dangerous place and you’ll sometimes have to raise your level of alertness as Ziots does, most enterprises will survive with the proper mix of security tools, policies and a calm awareness of the risks.

About Security Blog Log: Senior News Writer Bill Brenner peruses security blogs each day to see what’s got the information security community buzzing. In this column he lists the weekly highlights. If you’d like to comment on the column or bring new security blogs to his attention, contact him at bbrenner@techtarget.com.

RSA 2008: Financial industry security challenges

(ISC)2 Executive Director Ed Zeitler talks about the unique security challenges facing the financial industry and whether the current turmoil in the financial markets could put a strain on IT budgets. Zeitler has 23 years of experience in developing, implementing and managing information security programs at financial firms. Most recently, he served as chief information security officer (CISO) for Volkswagen Credit, where he created and implemented its information security program. He also served as CISO for Charles Schwab & Co., Inc., Fidelity Investments, Bank of America and Security Pacific National Bank.

Hannaford and the industrial compliance complex

Bill Brenner

This week’s headline may not fit perfectly with the analogy I had in mind yesterday, but I’m running with it anyway because all week I’ve been thinking of what the lessons are regarding the recent data security breach at Hannaford’s supermarkets.

The biggest lesson was eloquently explained in a column by my colleague Dennis Fisher, in which he cites the decline in emphasis on security in favor of a sometimes maniacal focus on compliance with various standards and regulations that has created a climate where passing an audit or satisfying a regulator is deemed more important than actually doing what’s necessary to protect critical assets.

There are plenty of vendors out there who link the use of their products to both compliance and security, and I’ve spoken to many a public relations flak who talks about the two as if they are the same thing. As Dennis points out, they are not the same thing. True, a lot of the work that’s required for the sake of compliance can improve enterprise security. But security is about so much more than buying a bunch of technological tools on some assessor’s checklist and plugging them in.

Being a history geek, I always find myself looking for historical references to match up with the things we’re writing about, and this case reminded me of the farewell speech President Eisenhower gave a few days before leaving office in 1961 in which he warned of the military industrial complex.

Now, I know you’re waiting for the big analogy, and in the end there isn’t much of one to make. The military industrial complex is something far different than the compliance complex I see today. But I do see a few similarities worth mentioning.

Ike warned that as the U.S. fought the Cold War, it needed to “guard against the acquisition of unwarranted influence…by the military-industrial complex,” which included members of Congress from districts dependent on military industries, the Department of Defense and privately owned military contractors like Boeing, Lockheed Martin, and Northrop Grumman. Ike feared that the military-industrial complex inspired policies that might not be in the country’s best interest and he feared that its growing influence, if left unchecked, could undermine American democracy [see more detailed description from Encyclopedia Britannica]

I’m not trying to suggest that compliance vendors are trying to influence the course of American policy. As I admitted earlier, this is an imperfect analogy.  But I do believe there’s a danger of individual businesses being influenced by a compliance complex in which execs desperate to pass the compliance test fall under the spell of vendors promising that their tools will not only help them pass the test but keep them secure. In the end, some make decisions that are not in the best interests of the company’s security program. In other cases, the technology purchased does its job well but the company fails to implement a bunch of other security measures technology alone can’t address — because the vendor or assessor assured them that investing in their product would be all that’s needed.

The Hannaford breach has sent shockwaves through the retail world because it turns out the company had achieved PCI DSS compliance. Many were stunned to see a living example of a compromised business that spent a lot of money on compliance products and thought they were secure.

The silver lining around the Hannaford breach may be that other companies are broken of the compliance complex. Dennis does a good job of mapping out what security is really about, but I leave you with some blog chatter from security experts who make similar points this week:

Burton Group analyst Randall Gamby writes in his company blog that PCI DSS and the work of complying with it has achieved a false sense of security in many corners.

“I’m not saying PCI isn’t important, after all this breach may have never been found if PCI measures weren’t put in place, but enterprises have to look beyond the task of being compliant and take whatever additional steps may be needed to secure their data against breaches,” he writes.

Security management expert Mike Rothman makes the point more bluntly in his Daily Incite blog: “If security professionals think that an audit makes them secure, they are idiots.”

Rothman goes on to say compliance does not equal security. Maybe it makes the senior folks sleep a little better, he writes, “but they’d be dumb, too.” Anyone in a position of power needs to understand about risk and containing risk, he says.

I’m probably going to get a bunch of emails telling me how stupid my analogy is, and one of them might even come from Mike. But instead I’m hoping to hear what readers have to say about the points he and others are making.

The data breach that hit home

Bill Brenner

Covering the security breach at Hannaford Bros. Supermarkets this week was a particularly interesting experience for me. Unlike the other breaches I’ve written about, this one really hit me where I live.

Of course, the bank did send me a new debit card after my old one was compromised in the TJX data breach, but that’s only because of one purchase I made there during the period when the data raids were in progress.

I shop at Hannaford’s every week. Even though there are several supermarkets closer to home, I’ve been making the longer trek to the store in Hampstead, N.H., because I found the prices and food quality better than the others. Despite the breach, I won’t stop shopping there. My bank was quick to issue me a new card and I think the retailer will do what’s necessary to prevent a repeat. Of course, the company will lose a lot of money to fines and lawsuits in the meantime.

Of course, after any data breach it’s important to explore how it happened and what the affected company could have done better from the outset, and Hannaford’s is no exception.

I found plenty of security bloggers doing just that. Here’s some wisdom from two blogs high on my favorites list:

Rich Mogull, former Gartner analyst and founder of security consultancy Securosis, wrote in his blog that since the information was stolen during the authorization process and was distributed over many locations, a compromise of the central authorizations system or the credit card processor is the likely source. “It could be as simple as sniffing unencrypted communications, or a more complex compromise of a database or application,” he said. “My money is 70% on sniffing, 30% on something in the database.”

Of Hannaford’s claim that no personal data such as names, addresses or telephone numbers were divulged — just account numbers, Mogull wrote, “This can’t be true. Without names, the card numbers are unusable.”

Mogull also used Hannaford’s PCI DSS compliance as an example of how he believes “PCI is worthless” if the chain was allowed to be ruled compliant in the first place.

“The fraud was detected by the banks or credit card companies, then it took a little under two weeks to contain,” he wrote. “Not great, and indicative of either a little sophistication on the attacker’s part, or a lack of sophistication on Hannaford’s part. How to prevent this? We won’t know until more information is out, but since they shouldn’t be PCI compliant if they transmitted credit card numbers in the clear, perhaps my guess of sniffing is off. I’m still laying odds on that, and if so, encryption is the answer.”

Security blogger Martin McKeay wrote of a silver lining in the Hannaford’s breach.

“Hannaford does not associate card numbers and expiration dates with the cardholder names and addresses,” he noted. “This in a day when your local grocery store offers you a discount if you’ll just enter your phone number at the PIN pad so they can track every single purchase you make and send you a personalized weekly ad. Most stores would have had card numbers, your home address, the names of all of your relations and possibly the name of your teacher in first grade. Well, maybe not the last one, but they would have every embarrassing purchase you’ve ever made.”

The downside to this lack of association between card numbers and cardholder names, he wrote, is that they have no way of knowing who should be contacted in the breach. He said he’s not sure if that will absolve Hannaford’s of having to contact anyone or make it necessary for them to contact all of their customers. They probably haven’t figured that one out yet either, he said.

Good points from both. I’ll end by saying that the big reason Hannaford’s won’t lose me as a customer is because I see them as more of a victim than a villain.

Through my own reporting on PCI DSS compliance I know the company had made investments to bolster the security of its point-of-sale machinery and wireless set-up.

Some are making much of the fact that this breach happened even though Hannaford’s was PCI compliant. Surely, they say, this speaks to the weaknesses of PCI DSS itself. I actually explored that angle in the wake of the TJX breach, and most of the analysts, IT pros and vendors I talked to defended the security standard. After all, it turned out, TJX was nowhere near being where it needed to be for PCI compliance.

Regardless of what one thinks of PCI DSS, it does appear that Hannaford’s was and still is working to improve its security.

But as a police officer once told me after my house was burglarized despite the burglar alarm we had installed, if the thief wants to get in badly enough, they’ll find a way.

Lockdown Networks shuts its doors

We’ve been reporting for some time that the NAC market is on shaky ground, with demand for the technology failing to meet the expectations of a couple of years ago. We saw more proof of that this week, when Lockdown quietly posted this message on its website:

“Lockdown Networks today announced that it is ceasing operations effective March 18, 2008. Due to overall economic trends and slower than predicted adoption of Network Access Control (NAC) technology, the company was unable to raise additional sufficient venture capital to continue. Lockdown is contacting customers and partners directly to provide more information. Certain employees have been retained to oversee the shutdown of the company and entertain offers to Lockdown’s intellectual property. Anyone with questions and inquiries can call 206.285.8080 x110.”

Though the NAC market has had its difficulties, this announcement is surprising, since Lockdown raised $14 million in venture funds from Ignition Partners, Intel Capital, Integral Capital Partners and Cargill Ventures last fall.

We’ll be updating this news as more information becomes available.

Tell me your virtualization security story

Bill Brenner

Earlier today my colleague Rob Westervelt wrote about VMware’s plans to unveil what it calls VMsafe — a partnership program with Symantec, McAfee, the Internet Security Systems division of IBM, EMC’s RSA security division, and Check Point Software Technologies. The security risks and benefits associated with virtualization are a subject very much on our minds these days.

In recent weeks I’ve been interviewing many security experts about virtualization for an article I’m putting together, and along the way I’ve come across quite a few blogs that focus on the subject. Here are just a few of them:

Petri IT Knowledgebase: The people behind this site cover much more than just virtualization, but when they do turn their attention to the subject they do it well. Here’s an excerpt from the most recent entry on virtualization, from expert David Davis: “A lot of people think that if you virtualize, let’s say, a Windows 2003 Server, that virtualized system should be secure because it is completely separate from the VMware ESX Server operating system and it could be, potentially “protected” by VMware ESX Server. This is not true and there are a lot of things you need to know about virtualization security.” He goes on to offer plenty of helpful advice on how to properly secure virtualized servers.

Virtualization for Everyone: This site, among other things, keeps track of the latest virtualization news, with commentary throughout. Its latest entry, in fact, is on VMsafe.

Rational Survivability: This is the blog of security specialist Christofer Hoff. It covers all aspects of security, but the latest entry is about what looks like a pretty useful research paper from Andreas Antonopoulos from Nemertes called “A risk analysis of large-scaled and dynamic virtual server environments.” By the way, Chris, I’m interested in talking to you about this if you have time. ;-)

Smart Security: This is the blog of Dharmesh Mehta, a security specialist based in India. His latest entry asks the question: Is virtualization secure? Here’s a bit of what he has to say about that: “Virtual machines are sometimes thought of as impenetrable barriers between the guest and host, but in reality they’re (usually) just another layer of software between you and the attacker. As with any complex application, it would be naive to think such a large codebase could be written without some serious bugs creeping in. If any of those bugs are exploitable, attackers restricted to the guest could potentially break out onto the host machine.”

Do a Google blog search on the subject and you’ll find many more sites to sift through.

Now, as I said earlier, I’ve been doing a lot of interviews with security experts about this, but to date I’ve been unlucky in my attempts to connect with an IT administrator or two who might be willing to talk about their own virtualization security experiences.

And so this is my plea for someone out there to come forward. This article will explore the pain points and successes of virtualization and it simply won’t be complete without the user experience.

Thanks.

Agiliance buy of Phulaxis adds monitoring, auditing features for SOX compliance

The simple fact that there is an IT governance, risk and compliance market, spawning start-up companies like Agiliance, underscores both the growing maturity of IT and IT security and the business and regulatory pressures that are compelling companies to be accountable for their operations.

Agiliance, just over two years old, announced the acquisition of Phulaxis, and incorporated its technology as the Controls Automation module for its Agiliance IT-GRC 3.0 product. The module provides automated user access controls for identity management systems, middleware, databases and applications.

Governance, risk and compliance have generally been scattered in silos throughout large organizations, even those in sectors like financial services, which have mature governance and risk models and a long history of regulatory control. IT operations have become far more complex, and extend to global partners and customers, many of them demanding evidence of strong controls. SOX and PCI DSS have forced companies to ride herd on their operations as never before.

The real value of IT GRC tools like Agiliance’s and others is to unify processes that are scattered in business silos, and to automate, to some degree, the costly, resource-intensive operations required to meet internal and external requirements.

The acquisition of Phulaxis adds an important piece—the identity management aspect of compliance, particularly for SOX 404. Monitoring, auditing and, as needed, addressing abuses of user access privilege is an increasingly important part of IT governance and compliance that reaches across many segments of the IT security market, from GRC to SIEM to NAC.
- Neil Roiter

Sears spyware illustrates perils of online commerce

Bill Brenner

My colleague, Dennis Fisher, has already blogged about Sears using spyware on its customers. But since I’ve come across plenty of blog chatter that reflects his opinion and mine, I’ve decided to offer my two cents. So thanks for indulging me this week…

Every now and then, a big company does something to remind us how easy it is to get burned when conducting commerce in cyberspace. The latest example comes from retail giant Sears, which has decided it’s OK to use spyware on its customers.

Ben Googins, a senior researcher in CA’s antispyware division, tripped over the practice during some online holiday shopping and outlined his experience in a CA blog posting.

Here’s how he explains it in his write-up:

“Visiting Sears.com (and Kmart.com) a few weeks ago, I was offered a chance to join My SHC Community, for free, but what I received was, from a privacy perspective, very costly. Sears.com is distributing spyware that tracks all your Internet usage — including banking logins, email, and all other forms of Internet usage — all in the name of ‘community participation.’ Every Web site visitor that joins the Sears community installs software that acts as a proxy to every Web transaction made on the compromised computer. In other words, if you have installed Sears software (the proxy) on your system, all data transmitted to and from your system will be intercepted. This extreme level of user tracking is done with little and inconspicuous notice about the true nature of the software. In fact, while registering to join the ‘community,’ very little mention is made of software or tracking. Furthermore, after the software is installed, there is no indication on the desktop that the proxy exists on the system, so users are tracked silently. An interesting note, the spyware Sears distributes is ‘genetically’ related to software CA Anti-Spyware has detected for a few years by the name of MarketScore (and other aliases) and distributed by other Web sites.”

Rob Harles, a senior vice president of Sears Holdings Community (SHC), denied that Sears is monitoring customers with spyware in a response to Googins’ blog posting. “The vast majority of members of My SHC do not participate in any form of tracking, and those that have explicitly signed up do so after having been presented with simple, easy to understand language to which they have agreed,” he insisted.

Looking around the blogosphere, I see that several security experts are as unmoved by Harles’ claims as I am.

Let’s start with a blog analysis from Benjamin Edelman, whom I consider to be one of the best antispyware researchers out there.

Edelman writes that he reviewed the installation sequence and agrees with Googins that it offers very little mention of software or tracking and otherwise falls short of industry standards. He then offers a step-by-step breakdown of his own review.

“The email invitation provides vague notice midway through a lengthy paragraph that, according to its topic sentence, is otherwise about another topic,” he writes. “The first sign-up page makes no mention at all of any downloadable software. The privacy policy and license agreement describe the application only in the tenth page of text — where few users are likely to find the disclosures.”

Of Harles’ claims that the installer provides “a progress bar that they [users] can abort,” Edelman writes, “I disagree. The video and screenshots are unambiguous: The SHC installer shows no progress bar and offers no abort button.”

Security luminary Bruce Schneier writes in his blog that if “a kid with a scary hacker name did this sort of thing, he’d be arrested.” But, he continues, “this is Sears, so who knows what will happen to them. But what should happen is that the antispyware companies should treat this as the malware it is, and not ignore it because it’s done by a Fortune 500 company.”

I agree. Companies that do this love to hide behind their user license agreements, which are often bogged down with legalese and confusing to customers who often accept the terms anyway because they lack the legal aptitude to see what they’re getting into. In this case, Sears buries the truth of what they are doing.

Consumers need to know that when they do business online, the vendor is doing everything possible to protect their personal information. Once in a while, we find that a vendor’s network security efforts were insufficient, allowing hackers to access that data. That’s what happened at TJX.

But as far as I’m concerned, it’s just as bad — if not worse — when it’s the company you’re doing business with that uses specialized code to invade your privacy.

If Sears is going to insist that there’s nothing wrong with this practice, the only solution is to do business someplace else.

Top 5 security stories of 2007? You tell us

It’s that time of year where we in the news business love to make lists of the top news stories of the year. I’ve drawn up a Top 5 list of my own for your amusement, but admit that my judgment could be off. And so I ask you, the reader, to look over my list and tell me if there’s anything you would add or detract. I’ll work your feedback into our final Top 5 story.

My list:

5.) Problems slow the deployment of Windows Vista

IT professionals struggled mightily to make sense of Microsoft’s Windows Vista, but compatibility problems slowed enterprise-wide deployments to a crawl.

4.) Security of the iPhone in doubt

Apple’s iPhone — the year’s most hyped piece of technology — quickly gained the attention of hackers eager to find security weaknesses. It didn’t take them long to find something.

3.) The pain of PCI DSS

The Payment Card Industry Data Security Standard (PCI DSS) got plenty of attention as the list of data breaches grew and compliance deadlines approached. By year’s end many were still struggling to meet all of PCI DSS’s requirements, but that didn’t stop some experts from insisting on even tougher provisions.

2.) Malware takes cyberspace by Storm

When Storm was first discovered in January, it looked like another typical worm outbreak. But Storm kept spreading throughout 2007 and it soon became clear that the malware was the creation of sophisticated botnet builders. By year’s end, it was continuing to spread in the form of smaller, more customized botnets capable of launching a variety of attacks.

1.) TJX data breach exposes 94 million records

TJX acknowledged a massive data breach in January that ultimately exposed more than 94 million records to online fraud. To date, it is the biggest systems breach in history.

SANS Top 20 released, but is it still useful?

The SANS Institute released its 2007 Top 20 threats list today (they still call it the Top 20, even though there are only 18 items on this year’s list), and the main takeaway is pretty much the same as last year: the bad guys are preying on gullible users and flawed applications such as Web browsers and media players to break into company networks and steal sensitive data.

In the bigger picture, the SANS Institute said it has observed:

– Significant growth in the number of client-side vulnerabilities, including vulnerabilities in browsers, office software, media players and other desktop applications.

– A continuing trend where users practice careless Web-browsing habits on work machines, increasing a company’s overall risk.

– Web application vulnerabilities in open source as well as custom-built applications that account for almost half the total number of vulnerabilities discovered in the past year.

– Default configurations for many operating systems and services continue to be weak and continue to include default passwords.

– Attackers are finding more creative ways to obtain sensitive data from organizations.

During a conference call with reporters this morning, SANS Research Director Alan Paller and Rohit Dhamankar, director of the SANS Top 20 project and senior security research manager at TippingPoint, said the main lesson this year is that companies need to have more vigorous URL blocking and further restrict what users are allowed to do on company computers.

Looking over the details, I’m reminded of the reaction to the 2006 SANS threat report, when some questioned whether it’s still useful to even have these reports when the takeaway doesn’t change much from one year to the next. And so I reached out to several IT security pros this morning for some reaction.

I invite you to weigh in via the comments section in this blog. For now, here are some comments sent to me by email:

Cris V. Ewell, chief security officer of Seattle-based PEMCO Corp.: “In general, the report represents only the technical aspect of security and deals with the vulnerabilities in the applications and OS. This is not new, and while important, I expect the security engineers to deal with these types of issues on an ongoing basis. We have multiple systems to do vulnerability/threat/intrusion checks monthly, and mitigate the issues long before the Top 20 is published. The report is a good reminder of best practices that should be used in the enterprise, but there is nothing new in the report that would force me to change established practices and goals we have set for the company.”

Susan Bradley, a Microsoft MVP and IT administrator at Tamiyasu, Smith, Horn and Braun Accountancy Corp. in Fresno, Calif.: “What this gives is ammo to the administrator to lock down the browsing.”

Jeff Jarzabek, IT director for Oakbrook Terrace, Ill.-based Matocha Associates: “Do any of these specifically hit home at our company? No. Everything on the list except for the last 2 items is taken care of by educating your users. We have always told our users that if they suspect something is up, to notify a member of the IT staff. I think the SANS reports are now used mostly for raising awareness and as a reminder to some, myself included. I feel there is nothing new or shocking that most IT staffs shouldn’t already be doing considering the impact on the company if security is neglected.”

Gadi Evron, security architect for Afilias global registry services: “I believe this report reflects that indeed, client-side attacks are the danger most of us face today to our corporations being compromised, while agreeing that server-side attacks are once again on the rise by the use of web application vulnerabilities.”