Go Long On Glue Manufacturers

FLASH TRAFFIC: This just in!

The Washington Post is reporting a new wrinkle in cyberwarfare. In the article Defense official discloses cyberattack, the Post reports that “malicious code placed on the [flash] drive by a foreign intelligence agency uploaded itself onto a network run by the U.S. military's Central Command.” Perhaps SkyNet has become self-aware, as this malware appears to be able to “upload” itself onto a military network. We ARE nearing August 29th.

Fascinating. Blame the flash drive. Expect the USB bashing to start again soon. SysAdmins all over will be buying up the world’s supply of epoxy and shoving those nasty USB ports full of that goop. Go long on glue manufacturers.

According to Deputy Defense Secretary William J. Lynn III, "It was a network administrator's worst fear: a rogue program operating silently, poised to deliver operational plans into the hands of an unknown adversary." This must be one awesome piece of code – sentient, silent, and “poised.”

Introducing The Smart Grid Security Market Overview

Security in the Smart Grid ecosystem is getting more attention by the day. Although many traditional security measures are applicable to the Smart Grid environment, there’s a need for specific tools to handle emerging security vulnerabilities. This Market Overview will focus on the security vendors in the Smart Grid space. The role of security is evolving gradually in the Smart Grid ecosystem, and therefore our utility as well as non-utility customers are asking about vendors that can provide secure solutions.

The Smart Grid IT market is still emerging, and security seems to be a promising component of it. We see four vendor categories when it comes to the security market:

Think You Know About All The Big US Government Regulations Coming Up? All 191 Of Them?

There has been an interesting PR battle in Washington over the last few weeks about the number of massive regulations still on the administration's agenda. House Minority Leader John Boehner wrote a memo to President Obama citing a list of 191 proposed rules expected to have a more than $100 million impact on the economy (each!) and asking for clarification on the number of these pending rules that would surpass the $1 billion mark. The acting head of the Office of Management and Budget responded, saying that the number of "economically significant bills" passed last year actually represented a downward trend, and the current number on the agenda is more like 13.

For those of you wanting a little more clarification, you can search through the OMB's Unified Agenda and Regulatory Plan by economic significance, key terms, entities affected, and other criteria. Making sense of all of these proposed rules will take time, but it will help you get an idea of issues that your organization may have to face in the near future.

Coincidentally, my latest report, The Regulatory Intelligence Battlefield Heats Up, went live yesterday. In this paper, I offer an overview of different available resources to keep up with new and changing regulations as well as relevant legal guidance.

Intel-McAfee: Horseless Carriage Vendor Buys Buggy-Whips

This morning Intel announced plans to buy security vendor McAfee for $7.7 billion, valuing the company at a 60% premium over their market cap as of closing-time yesterday. The valuation is about 5 times the last trailing four quarters’ revenues, which is about typical for M&A deals in the security industry, and it suggests that both parties negotiated well. The price is not so high that it makes Intel look like Daddy Warbucks, but not so low that it looks like McAfee was desperate to sell.

But of course “a not so high price” is all relative. Nearly $8 billion is a lot of money. What on earth does Intel expect to get for all of the money it is spending on McAfee? I’ve been scratching my head over this, and despite McAfee CTO George Kurtz’ helpful blog post, I am still struggling to figure this one out. Let’s look at some of the stated rationales for the deal:

The Rationality Of Re-Using Passwords

Internet security vendor BitDefender recently published the results of a study that found, unsurprisingly, that “75 percent of social networking username and password samples collected online were identical to those used for email accounts.” The SecurityWeek story reporting on the BitDefender study also noted that the report “advised users to be extra careful while creating passwords for social networking and email accounts and avoid using the same password just for the sake of convenience.”

The key word here is convenience. From the perspective of most consumers (and many enterprise employees), re-using the same password produces the most economic utility. This is the “Poor Man’s Single Sign-On” strategy (PM-SSO). It costs nothing to implement, requires the user to learn no new technologies or change habits, and is a relatively error-free operation. Moreover, the downside risks are low. With respect to identity theft, for example, most credit card issuers will refund your money if they determine your identity was stolen online. So speaking rationally, why wouldn’t you do this instead of fooling around with CardSpace, Norton Identity Safe, OAuth, OpenID, Facebook Connect or any number of enterprise SSO tools? Exactly.

Of course, from the security practitioner’s viewpoint, this is a rotten idea. It is insecure! It exposes you to risks! And it places you at the mercy of identity thieves, scammers and those nasty people that BitDefender (not to mention Mr. McAfee and Mr. Norton) has been talking about for years. Plus it is just not the right thing to do! ...somehow.

Preview Of PCI DSS 1.3 – Oops 2.0 – Released

The PCI Security Standards Council released the summary of changes for the new version of PCI — 2.0. Merchants, you can quit holding your breath as this document is a yawner — as we’ve long suspected it would be. In fact, to call it 2.0 is a real stretch as it seems to be filled — as promised by earlier briefings with the PCI SSC — merely with additional guidance and clarifications. Jeff, over at the PCI Guru, has a great review of the summary doc so I won’t try to duplicate his detailed analysis. The most helpful part of the doc is an acknowledgement that more guidance on virtualization — the one function per server stuff — will finally be addressed.

Suffice it to say, it doesn’t look good for all those DLP vendors looking for Santa Compliance to leave them a little gift under the tree this year. I’ve been hearing hopeful rumors (that I assume start within the bowels of DLP vendor marketing departments) that PCI would require DLP in the next version. Looks like it’s going to be a three year wait to see if Santa will finally stop by their house.

Remember that this is a summary of changes so there’s not that much meat yet. The actual standard will be pre-released early next month with the final standard coming out after the European Community Meeting in October.

Cyber Security Roundtable: Security In The Cyber World

I had the pleasure of attending the Open Group Conference Boston just two weeks ago. Historically, this conference aims at bringing enterprise architects together from various industries to talk about important architectural issues. This time around, they dedicated track sessions to the security topic. Among other things, I had an opportunity to record a podcast with Dana Gardner, Gen. Harry Raduege, and Jim Hietala on the topic of cyber security.

You can listen to the full podcast at the Forrester page as well as catch the synopsis of the conversation at Dana Gardner’s blog.

Cyber security has gained quite a bit of attention in the past year or so. Although the concept has been discussed for almost a decade, the evolving nature of threats has created lots of buzz recently. There are numerous threat vectors and thus diverse targets. Increasingly, data espionage, identity theft, cyber attacks on critical infrastructure, distributed denial of service (DDoS), and advanced persistent threats (APT) are coming to the surface. Public and private sectors alike are concerned about targeted attacks aimed at stealing confidential data, which produces a domino effect and harms companies' brand names and operations.

In the past 18 months we have seen many examples and scenarios that highlight the cyber security discussion. For instance:

Forrester's Security Forum 2010

Many of you may already know, but Forrester’s Security Forum 2010 is coming up in September. This year, the theme is “Building The High-Performance Security Organization.” Indeed, as the global economy begins to recover, Security & Risk professionals must transform from a reactive silo of technical security expertise to a true partner of the business and an enabler of forward-thinking business strategies.

This forum is all about technical, tactical, and strategic information to increase the maturity and performance of your IT security organization in this fast-changing economic climate. In the two-day forum, we will explore the principles of:

  • Aligning your objectives and measures of success with the business.
  • Giving business the tools to perform risk management.
  • Preparing for the adoption of cloud services, the consumerization of IT, the proliferation of social technologies, and an ever-changing threat landscape.

I will be running three sessions at the forum this year:

Putting RIM’s “Security” Challenges In Perspective

Research In Motion has been in the news a lot over the last few days. Last week, the news broke that the governments of the United Arab Emirates and India threatened to suspend service to RIM customers in their countries because of alleged threats to national security. I was quoted in today’s USA Today about this unfolding story.

But let us be clear: the “security problem” that officials in these governments were citing had nothing to do with actual security. As we have written about extensively, the BlackBerry device is well-designed from a security perspective. Its cryptography modules are FIPS-certified, and all of its communications are encrypted using industry-standard algorithms. We have called the BlackBerry the “gold standard” of secure corporate devices and continue to stand by that assessment.

Post-PC Devices: What Is Your Definition?

Greetings. Here at Forrester, we are encouraged to think Deep Thoughts about Matters of Great Importance. Looking across the broader landscape of IT — of which security and risk is just a small part — we can see that one of the biggest and more important matters today is the influx of consumer-grade mobile gear into the workplace. Whether you call it Tech Populism (a favorite Forrester term) or Executive Bling (a favorite term of mine), it is no secret that enterprise CIOs are receiving lots of pressure to support unsanctioned devices like the iPhone and iPad in the workplace.

Today, Forrester published my report “Apple’s iPhone And iPad: Secure Enough For Business?” In it, we describe how the capabilities of Apple’s iOS 4 make these devices secure enough for many businesses to use safely. We define seven security policies every enterprise should implement to keep its email and corporate information safe on Apple mobile devices, whether or not the enterprise owns them. We also define additional security "high-water marks" — policies and processes you can implement — based on your risk profile and regulatory exposure. I hope you’ll read the report, and I welcome your comments and questions.