
Page 1: CONFIDENTIAL. Top 10 Bogus Tech Quotes of 2008 Paul F. Roberts Senior Analyst Enterprise Security Practice



Top 10 Bogus Tech Quotes of 2008

Paul F. Roberts

Senior Analyst

Enterprise Security Practice


What's on tap...

• About The 451 Group

• Those bogus tech quotes

• Q&A (if there's time)


What is The 451 Group?

• Technology analyst firm

• Focus on enterprise IT

• 40 analysts with deep domain expertise

• Offices in New York (HQ), London, Boston, San Francisco

• Syndicated research, advisory services, conferences


Who uses us?

More than 500 organizations subscribe. By revenue:

• 60% are vendors
  – IBM and EMC to two guys in a garage
  – Marketing, CorpDev, CxO & sales

• 20% are investment banks
  – Very large to boutique
  – Investment bankers and research analysts

• 10% are venture capitalists
  – From angel funds and up; Partners, research analysts

• 10% are end users
  – F500 – Finance, Energy, Pharma, Spooks (bleeding edge adopters)
  – Architect, strategist, CxO, etc


Why do they use us?

• Focus on Innovation
  – Financing, technology, distribution, pricing, personnel and customer demand for seismically disruptive technologies

• Domain expertise
  – Live and breathe that space, from Middleware and SOA to storage, trends minor or major, that's what we do.

• Objectivity
  – No pay-for-play, no white papers or consulting

• Value for Time
  – Daily, succinct, relevant and thorough


451? What's that all about?

• Think Ray Bradbury

• We don't burn books.


Now for those bogus quotes...


What makes a quote bogus?

• It's wrong, disingenuous or just plain silly

• It speaks to a larger problem or failing in the enterprise IT security space

• It often understates the enormity of that problem

• We find it interesting or illustrative

• Feel free to nominate your own bogus quotes


Bogus Quote #10

"We might have the ability to understand the signature of an attack before it is launched...I think it could become an early warning system that might be able to detect an attack before it is coming."

-- DHS Chief Michael Chertoff, speaking at RSA Conference, April, 2008


The 451 Take

• From the man who brought you the Hurricane Katrina recovery...

• Govt. now apparently has clairvoyant detection technology that can spot attacks before they happen...? Really?

• Talk of cyber 9/11 aside, War on Terrorism has dangerously sidetracked cyber security as an issue.

• US Govt. has bigger fish to fry. The Cassandra Syndrome?

• Reports of Chinese espionage suggest the worst.


Bogus Quote #9

“Oh, and how exactly do you know Gadi on LinkedIn is Gadi, if I may presume? =).”

-- not_gadi_evron, aka Shawn Moyer (Agura Digital Security), and Nathan Hamiel (Idea Information Security), from their Defcon 16 presentation “Satan is on my friends list”


The 451 Take

• This is actually a big deal.

• Security researchers set up profiles for Evron, others then drew friends to them.

• Increasing use of professional social networks = goldmine for social engineering attacks.

• No clear way to “prove” identity online.

• Personal and brand reputation risk.


Bogus Quote #8

“Good quarter, guys!”

-- Unnamed securities analyst on IPS maker Sourcefire's (FIRE) Q2, 2008 earnings call. The company reported losing $3.1m in the quarter, triple the year-ago losses.


The 451 Take

• FIRE's March, 2007 IPO was supposed to light the way for other IT security companies.

• Instead, other security companies have gone the opposite direction (notably Barracuda, Fortinet, Sophos)

• FIRE's stock price is down more than 50%

• A hostile bid by Barracuda for $8.25/share was rejected. The stock now trades at $7.64.


Bogus Quote #7

“Dan has the goods. Patch now, ask questions later.”

-- Thomas Ptacek, Matasano Security, after learning the details of a widespread DNS flaw from Dan Kaminsky


The 451 Take

• Ptacek and others accused Kaminsky of sensationalizing a flaw in DNS.

• Matasano (though not Ptacek) accidentally leaked details of the flaw via a blog post (albeit post-patch), giving hackers a head start on attacking it.

• Kaminsky's admirable work mobilizing cross-industry attention to a critical problem is undercut, but...

• Kaminsky's “don't think of an elephant” advice to security researchers had opposite effect.

• Fix now, do Blackhat next year!


Bogus Quote #6

"Yes. I came from that space so it is red hot. We cannot respond to it but I think there is a huge opportunity for us to message around that so that people understand our position on it so look for something short term on that."

-- John Burris, President of Sourcefire, responding to a question about virtualization (which he apparently made Hot), 2008


The 451 Take

• Virtualization as IT whitewash

• “Message around that” -- beware!

• Magical thinking about virtualization obscures what a security nightmare it can become.

• (And, no, we're not talking about hypervisor rootkits)


Bogus Quote #5

“+ Rapid adoption starting to occur + Pipeline now 11x plan + Education continues to lead, but pipeline is shifting to enterprise”

-- Powerpoint presentation from NAC vendor Lockdown Networks, January, 2008. (Lockdown closed its doors in March, 2008)


The 451 Take

• Vendors lie.

• Lockdown cited "economic trends and slower than predicted adoption of Network Access Control (NAC) technology" as contributing factors to its demise.

• Lockdown raised an estimated $20m in three rounds. The most recent, an $8m series C round, came from lead investor Cargill in Q2 2007.

• NAC was supposed to be the next big thing. After hundreds of millions in investment and VC funding, enterprises decided that NAC was more of a feature than a product.


Bogus Quote #4

“Even right now, as we're preparing to leave for DEFCON, we spent most of last night working on a fix for a worm, which was targeting people on Facebook and placing messages on Walls urging users to view a video that pretends to be hosted on a Google or YouTube website. We've identified and blocked the ability to link to the malicious websites from anywhere on Facebook. Less than .002 percent of people on Facebook have been affected, all of whom we notified and suggested steps to remove the malware.”

-- Max Kelly, Facebook security chief, blogging in response to reports of a Facebook worm, August 2008


The 451 Take

• Blacklisting the drive-by download site provides seconds of protection.

• Hmm... .002 percent infection rate x 100 million users = 2,000 accounts owned? Not too bad!

• Did that worm outbreak put a crimp in your DEFCON wardrobe selection? The nerve!

• Is anyone else having Code Red flashbacks?


Bogus Quote #3

“AV giants McAfee, Trend Micro and Sophos all failed to secure Windows Vista SP1 in Virus Bulletin's latest round of VB100 certification testing.”

-- Press release, Virus Bulletin, April, 2008


The 451 Take

• The platform in question — Vista SP1 — was released shortly after the deadline for product submissions to VB.

• Not every vendor was even able to get a copy of SP1 for testing before submitting their wares to VB for certification.

• Certification is based on accuracy identifying Wild List malware samples – hardly confidence inspiring in today's fast changing scene. Emerging AMTSO standards will change this.

• Does anyone believe that anti-virus software works anymore?


Bogus Quote #2

“AND THIS IS VERY ILLEGAL! (So the following material is for educational use only.)”

-- From “Anatomy of a Subway Hack” Powerpoint presentation by MIT students Russell Ryan, Zack Anderson & Alessandro Chiesa, blocked by court injunction from Defcon 16, August 2008


The 451 Take

• Note to MIT students: don't boast about being l337 h4x0rs, then hide behind your academic creds and the First Amendment!

• District Court Judge in MA slapped an injunction on the students (later overturned), equating presentations on hacking with actual hacking – not a good precedent, and totally avoidable.

• Reverse engineered the CharlieCard mag-stripe card, but also found that social engineering was just as easy. MBTA embraced security through obscurity.


Bogus Quote #1

“We have taken aggressive steps to augment our network security capabilities. (Our company) doesn't collect, know or keep any personally identifiable customer information from transactions."

-- Hannaford Supermarket President and CEO Ronald C. Hodge, March 2008


The 451 Take

• The bit about not knowing or keeping PII is a nice bit of sophistry.

• Hannaford apparently only learned of the breach from credit card companies worried about fraud patterns.

• Malware on POS terminals appears to have been used to sniff card numbers.

• The company waited more than two weeks after it learned of the breach to notify authorities and customers.

• The company wraps itself in PCI compliance flag to avoid blame - “We couldn't have done anything wrong – we were PCI compliant!” (Note: PCI executives dispute this)


Security in 2011


Enterprise Security Today

► The Big Red Circle: same model since the 1990s, and defense-in-depth

This model is under pressure:

► Mobile workers

► Outsourcers, partners

► SaaS, MSSP

► Web apps, resources

(Diagram: the enterprise perimeter with SaaS, Outsourcing and Remote Staff outside it)


Open-ticket Items at start of 2008

► Perimeter security, remote access
  – De-/re-perimeterization
  – Settling on remote access standard: VPN/tunnel

► Compliance
  – Budgets, siloed drive to point-product compliance

► Endpoint security
  – End users tell us: ‘This is a catastrophe!’

► Identity and access management/NAC
  – IAM has no context
  – NAC is a $1B disaster for Cisco and a mess for all


An Industry in Transition

► Vulnerability assessment/Code testing
  – These become increasingly key
  – Open standards, protocols

► Endpoint agents must unify
  – Encryption, classification, behavior-based detection

► IAM must expand to provide context
  – Currently good at ‘who’; OK at ‘role’; hopeless at context

► Security mgmt and network mgmt must merge
  – Silos stink


High-level Trends

► Data-leakage technology commodifies
  – ADL discussion shifts to data protection, ILM and enterprise rights management
  – Adds context to IAM, TAD, NBAD…
  – Anti-malware, networking (switch) and IAM vendors most likely acquirers, in that order

► But the issues surrounding data loss are much broader
  – “You can’t just go and… turn on some box that shows you everything that everyone’s sending out of here.” – Your lawyer
  – “You mean to tell me you knew this kind of data was walking out your doors three years ago and you did nothing?” – Plaintiff’s lawyer, to you on the witness stand


High-level Trends

► Security metrics play increasingly important role in enterprise IT budgets

► Code analysis moves to dev…finally

► Urgency to secure virtual environments increases

► Year of Mobility – 2009 – solidifies all these security trends


Paul Roberts

[email protected]

Senior Analyst

Enterprise Security Practice

(617) 261-0677