Face Forward

Up Close and Personal

2008-05-12T18:19:53Z

Security in recent years is taking on a much more up close and personal style of gunplay than ever before. In our thirst for wanting to see the story behind the story, we are no longer content with a page of HTML telling us what the file is called, what it does and how many hundred registry keys it adds. The steady influx of blogs into the security landscape has allowed spyware hunters and researchers to try new avenues of exploration with regards shutting down the bad guys, instead of simply throwing in a few definitions into a database somewhere.

Frustrated by lack of progress from Governments, law enforcement and civil liberty groups, the gloves are off and people demand justice. From the security researcher to the spare-time blogger, most have discovered that ruthless public exposure and a name-and-shame attitude are two of the most effective tools available when looking to take a bad guy down. The laws, resources and penalties available to hit them with in most cases are severely lacking, and a sizeable portion of miscreants simply don't care about getting into trouble with law enforcement, because they know it's highly likely never going to happen.

However.

This approach can create numerous risks - to the researcher, their websites, the companies....anything and everyone can become a target. At that point, it comes down to a battle of wills - how confident is the researcher that they can expose and shut down the bad actor? If they wobble, even just a little, is retaliation on the cards?

Traditional wisdom dictates that you should never be visible when shutting down a Phish, Botnet, hacking forum or other shady operation. You don't want to become the victim of a DDoS attack needlessly, right? The problem with this approach, is that the bad guy never realises he is being hunted. They just put it down to their host wising up to their activities, chalk it down to experience and move on, setting up shop again in hours, not days.

This solves nothing. Nor does the idea that "If I lay low while doing this, they won't attack me". Plenty of security sites and companies get hit with DDoS attacks and infection files that target their programs and websites quite randomly and arbitrarily. If someone is going to whack you, they'll do it anyway. So why not get there first? To me, the proactive and aggressive approach is the only one that works. Everything else is a poorly applied bandage just waiting to be torn off.

With this in mind - and as blogs spill into more and more corporate environments (how many security companies now have a blog? It's probably easier to list the ones that don't) - it's interesting to observe how previously "neutral" companies (in terms of not making a big, direct public stink about someone or something) now have to adapt to tackling the bad guys on a personal level, through the medium of their blogs. I'm lucky - I've always done things in this manner so there is no need to update my approach and change my writing style. Recently though, I saw one security blog (which shall remain nameless) write about a problem with a website and they seemingly refused to actually name the site in question, even though the issue was something as basic as spam pages.

This troubles me. Every blog post carries a risk. The more upfront, the more forthright, the more critical of whatever it happens to be talking about, the greater the chance that someone, somewhere, is going to be annoyed. But do we really need to be so twitchy about what we post that we won't even do something as basic as name the site in question where this spam is taking place? Isn't that actually putting the very users of that site at risk through not telling them that there's an issue there?

Clearly, this was a blog where the corporate line is weighing down on the specifics of what can and can't be posted - and that's fine. Not everyone is going to take risks and put themselves in the firing line for the sake of some random blog post somewhere. Perhaps they have other means and methods of communication better served than their blog to get the word out. Ultimately though, it does make me wonder what use the blog is if hampered by red tape, overly zealous self-censorship and (in some cases) not even the ability for readers to leave comments and interact with the writer.

You find yourself asking, well, what's the point of writing about an issue but not actually addressing it?

As the number of security blogs continues to grow - and more and more people realise the stakes keep being raised with regards naming and shaming of the bad guys, I'm looking forward to seeing how the blogs at the more corporate end of the scale adapt and survive. Do companies actually want bad guys turning up on their sites and threatening them? Emails containing death threats (I think I'm up to three now)? Denial of service attacks hovering over their heads? How far do they want to push their blog to both expand readership and develop new ways of taking down hackers, with the trade-off being that they then open themselves up to an endless series of inventive (and probably not very pleasant) attacks? Is it worth it? Should they just forget the whole blog thing right now and walk away, not wanting the trouble?

There is the risk that the looser, more Indie blogs will just keep cranking up the level of expectation with regards the content posted, while the blogs necessarily straitjacketed from being too wild or zany revert to a list of a hundred or so registry keys or (worse) fold altogether because nobody reads them anymore. I personally think there's room for both, but I also think that if you have a security blog - corporate or otherwise - you have a duty to tackle any and all issues head on, whether it be spilling the beans on something that needs fixing, hackers that need whacking and end-users that need protecting.

Dancing around the fire solves nothing. Plunging in head first, however, tends to get results - as long as you don't mind a few scorch marks...

What exactly are "work hours?"

2008-05-08T03:57:00Z

At 3 pm today, I was in my office working on my expense reports. A colleague here at FaceTime popped his head in and said "you do your expense reports during work hours?"

What exactly are work hours?

For professional workers, there is no such thing any more. That's pretty clear to me, as I get ready to post this around 9 pm. Joe McKendrick over at the FastForward blog thinks so too. The lines between work and personal life continue to blur. Expense reports, employee reviews, press releases, product plans... they all need to get done, and it doesn't really matter when you work on them. My guess is that if employers started saying "your work hours are 8 to 5" there would be a lot less work accomplished. No one at FaceTime would ever attempt to define my work hours, for this very reason.

In contrast, though, my neighbor told me recently that the NCAA Web site was blocked by his employer during March Madness - so he called in sick on a Thursday to watch a day of college basketball from home since he couldn't get to it while at work.

Scenarios like this play out in companies all over the world every day. And when employers block or put limits on what their employees can do, does it really solve the problem? Or create a bigger one?

We've seen time and time again that users will continue to do what they need and want to do. Take something as simple as setting email size restrictions - users will find a work around, either using their personal Web mail or a file transfer via IM. Are you better off with that outcome?

According to Wordtracker, over the last 100 days there were a little over 20 Google/Web searches related to "block facebook." Presumably a combination of IT Managers, parents and educators are looking for information about how to restrict access to social networking.

But contrast that with the 359 searches by users looking to "unblock facebook." In total, more than 10,000 searches were made in the same period related to unblocking websites, social networking sites, using anonymizers, proxies and other related searches.

We're always socializing. We're always working. And users will always look for the work around when they are cut off from either.

Everything Old is New Again: Enterprise 2.0 is the new Public IM

2008-04-25T15:00:00Z

I saw some interesting articles from the NY Times and the Enterprise 2.0 blog last week about the vast number of Web 2.0 applications that are being used in corporate America - even though IT security feels that they have their environments locked down to prevent these apps from being used. In his Enterprise 2.0 blog, Steve Wylie commented on the NYT article, pointing out that "the reality is that these apps are here to stay."

We've been tracking this trend for several years, and it's definitely growing - in fact, many companies are now facing the reality head on. I spoke with a large pharma org in NJ very recently that mentioned they have already setup MySpace and Facebook pages to allow their corporate users to collaborate internally and externally using these tools.

Although this is probably frightening and new information for many security and compliance execs, this is the same trend we've seen happening since 2001 when this issue first appeared with the emergence of public IM usage within corporations. The customers we spoke with back then told us the same story that people are saying today which is, the user population feels that they should be able to use these applications because they make them more productive, responsive and connected employees.

From an IM perspective, this feeling turned out to be 100% true which is why so many companies are now broadly rolling out Enterprise IM and UC solutions. Based on that history, its important for executives to quickly understand that this trend will continue and if they want their organizations to stay relevant and competitive, they should move to implement solutions that allow for the enablement of these applications so they can be used in a secure and compliant fashion to take advantage of their value, rather than spend time and money trying to find ways to block their use outright.

A recent SC Magazine article also covers this trend very well. With Generation Z's arrival in the workforce, IT faces a new group of workers who have "never taken a breath of air without being able to Google."

What's your opinion? Block or enable?

IT Concern over Social Networking: 95%

2008-04-12T01:44:55Z

Another RSA event is in the books. It was a good week, and I always find it invaluable to have conversations with the IT mangers that are in the trenches

We also ran what I would describe as a completely unscientific survey, but thought the information would be worth sharing here. We surveyed more than 300 attendees who participated in our theater presentation on Web security, to get their thoughts on a few things. One thing that stood out was their concern over social networking. 95% of the respondents said they were "concerned" (45%) or "very concerned" (40%) about "Users accessing social networking sites from the corporate network." Of course, this level of concern is to be expected at a security conference. Only 8% said they had "no concerns."

Is the high level of concern misplaced? This information, along with the general comments of many of the IT people I spoke with suggests that the biggest threat for 2008 is clear: It's the employees themselves.

Also at RSA, our chief malware researcher, Chris Boyd (aka Paperghost), held a well-attended session with CNET senior news editor Robert Vamosi covering the habits of a new generation of young hackers targeting social networking. In addition to Vamosi's coverage and Boyd's VitalSecurity blog, InfoWorld has a nice recap of the session.

Social Networking Goes to Work

2008-04-07T19:01:51Z

It appears that social networking is everywhere these days, and especially on the enterprise network. We've unveiled an update to our Unified Security Gateway today, which allows IT managers to control, monitor and report on which applications employees are using within Facebook - over 20,000 applications today. We truly believe that social networking can be a productive business tool, and customers are asking for help as they work to understand it and how to apply it to their business.

As the WSJ's Business Technology blog commented, some people are still skeptical of how social networking helps businesses. I know I use LinkedIn as my key address book for professional contacts, and know I would be less productive without it. How are you using social networking to do your job? We've heard from customers in energy, pharmaceuticals and financials among others that their employees are using it - in some cases it's the HR teams to run informal background checks on new hire candidates.

We'll be asking some of these same questions to IT professional at the RSA conference and plan to report back here what we've learned. Speaking of RSA, it didn't get off to a great start for attendees en route from Heathrow. Our own Chris Boyd, Director of Malware Research at FaceTime, blogs and shares photos here on a terrifying flight. Glad to report he's arrived safely in San Francisco.

Welcome to the FaceTime Blog - FaceForward

2008-04-02T16:46:42Z

In a classic case of the "cobbler's kids" we at FaceTime, who are dedicated to enabling businesses to benefit from Web 2.0 technologies, find ourselves lagging in the adoption of some of those same technologies!

In the daily grind of running an emerging company (tracking product milestones, meeting prospects and customers, assuaging investors) it is easy to lose sight of the long term value of real-time communication and collaboration. These technologies help shorten decision cycles, foster better communication - both internal and external - and, as a result, lead to higher sales and lower cost.

But, they do require investment. Of time, people and money. Why not wait till later? Do we really need to do this now?

Well, you're already doing it. Or rather, your user base is already using these tools. In our latest annual Greynet Survey we found that 74% of enterprise end-users were using one or more public instant messaging networks from work.

In fact over half of the enterprise users we surveyed were using more than eight Web 2.0 applications (what we call greynets) - IM, P2P, video, etc. - at work. According to the Pew Research Center, fully two thirds of Americans between the ages of 18 - 29 use social networking sites. These are the new workers of today, and they are bringing these tools into the enterprise.

While these technologies deliver multiple benefits, they also pose a variety of risks: new channels for malware attacks, unmonitored data leakage, and potential compliance/e-discovery violations. The challenge for IT managers is how to leverage the benefits of these tools and platforms while securing against myriad risks inherent in their use.

That is where FaceTime comes in. Our mission is to enable our customers to leverage the benefits of Web and unified communications by delivering security, management and compliance across the broadest set of enterprise, consumer and Web 2.0 applications.

I would love to hear what you are doing with these technologies, what your concerns are and how FaceTime can help you meet them.

I look forward to collaborating with you!

Kailash