Index of All Posts
Title speaks for itself
Here is a list of all the posts on this site.
Smart Grid PKI
Saturday 28 August 2010 at 10:08 am
Smart Grid (SG) is, in a word: complex; and complexity is security's nemesis. The diversity of systems, devices, and their interactions translates directly into the spectrum of potential errors, gaps, and avenues of attack, and more importantly into the potential impact of a security breach. SG is anything but a greenfield scenario and represents the convergence of everything from cutting edge technologies and internetworking to vast legacy systems and processes.
Future Ethical Hacker
Thursday 26 August 2010 at 6:03 pm
Look around you. From an information security perspective things are getting very interesting. Laws and regulation are expanding and growing teeth, geopolitical hacking is commonplace, information privacy – or the lack thereof – dominates society, identity theft is an accepted risk we now have insurance for, digital espionage is old hat, hackers are sophisticated and highly organized – and virtually impossible to stop, and the threat of cyberwar looms. All of which was the basis of campfire tales to scare CEOs into buying newfangled firewalls in the early '90s. Who'd thunk we'd be wading neck deep in a nightmare we only speculated about two decades ago?
Adaptive Security Management Architecture
Thursday 12 August 2010 at 12:46 pm
It's done! After several years of writing, starts and stops, and modifications to really tune the content, I've finally completed my third book; and it's now in the more than capable hands of Auerbach Publications.
The book hits the shelves November 18th and you can pre-order a copy from sites like Amazon. Also, look for me speaking at various security events early next year and I'll have copies to hand out. I'm always interested in feedback, and if you have some use the "Email Jim" link above.
What’s in a Word?
Thursday 12 August 2010 at 11:27 am
Last week Gen. Alexander, head of the US Cyber Command and NSA, spoke at the Armed Forces Communications and Electronics Association's LandWarNet conference in Tampa, FL about US cyber threats, noting that the DoD's 7M computers on 1500 networks are probed 250,000 times per hour by more than 140 foreign spy organizations seeking to infiltrate US networks.
Putting Your Chips on the Table
Tuesday 27 July 2010 at 09:03 am
Hey, where did you buy that router? Do you know who made the components, wrote the drivers, or the embedded code that makes it tick? Or how about the chipset in that new server or smart meter? C'mon, be honest, you know squat. Well, no biggie, right? It's just a chip, some basic instructions to process a few bits through a pile of transistors. Sorry to burst your bubble, but the bad guys know better.
Cyber Theater of War (Part 2)
Friday 09 July 2010 at 09:40 am
In part 1 I provided a short recap on the topic of cyberwar and gave some basic perspectives on how military tactics have changed throughout history to accommodate different enemies and environments. Most importantly, the integration of the enemy, making it difficult to distinguish friend from foe, and the fact that status can change without warning, are what we currently see with insurgents and are reflective of the cyber theater of war. Another point I wanted to hit home with you is that the arsenal of military weapons we have at our disposal has been, in some cases, rendered moot.
CyLab Report
Wednesday 23 June 2010 at 4:10 pm
Carnegie Mellon University's CyLab, the largest university-based research and education center for computer security, in collaboration with author Jody Westby, a CyLab distinguished fellow and CEO of Global Cyber Risk, a security risk advisory company, produced a survey report titled, "Governance of Enterprise Security: CyLab 2010 Report" demonstrating enterprise boards are losing focus on security. I've read this report and wanted to provide additional perspective.
Cyber Theater of War (Part 1)
Monday 21 June 2010 at 2:24 pm
Cyberwar will be fought in the ether, and as discussed, a more appropriate expression of this is a "cyber theater of war". As with many new things, we attempt to take what works today and apply it to what is emerging. A very natural human reaction; "use what you have" and "don't reinvent the wheel" are common. However, in the domain of cyberwar the application of traditional military strategy will not entirely work and will usher in new theories of war that will ultimately influence 21st century - and beyond – warfare tactics in both the physical and cyber worlds.
Cyberwarfare
Thursday 10 June 2010 at 5:46 pm
At this point in this series of posts about cyberwar (see previous postings Cyberwar and Weaponization of Cyberspace) I want to touch on cyberwar theory and talk about the physical manifestations of cyberwar.
Weaponization of Cyberspace
Wednesday 09 June 2010 at 1:04 pm
There are a number of folks in the security industry that have downplayed the realities of cyberwar. In some circles the conversation of cyberwar will elicit some interesting reactions and many tend to deny its potency relative to traditional warfare and traditional weapons. Moreover, many begin to blur the lines between cyberwar, cyberterrorism, and other cyberattack scenarios, confusing the topic. In virtually every conversation of this nature I’m the one that stands out as the lone voice saying they’re not only wrong, but woefully underestimating the situation.
Cyberwar
Tuesday 08 June 2010 at 5:27 pm
You can’t pick up a paper, read a news article, or scan a blog without something about Cyberwar in there somewhere. Moreover, there are a number of books surfacing and, conservatively speaking, a great deal of activity in the government sector concerning cyberwar. This will be the first of several posts I’m planning on this topic. I want to talk about war, the cyber element, what’s happening today and things we can expect, what governments are up to, the physical realities of cyber war, and most importantly, the weaponization of cyberspace.
Adaptive Security Management Architecture
Monday 26 April 2010 at 10:06 am
When attending the InfoSec Security Conference in Orlando last week I had the opportunity to sit down with Rich O’Hanley, editor in chief for CRC Press, and Stephen Fried, author of “Mobile Device Security” to talk about my book.
China Syndrome
Thursday 08 April 2010 at 10:52 am
I vividly recall the movie in 1979 about a nuclear power plant on the verge of self-annihilation that upon catastrophic failure would melt a hole to China. Of course, adding to the movie’s popularity was its ominous reflection of life as the Three Mile Island Nuclear Generating Station in Pennsylvania suffered a cooling system failure twelve days after the movie was released. Interestingly, the device that ultimately failed was called the “12 valves” that controlled coolant flow to the core. For reasons I cannot fully explain, every time I read another story about China hacking other countries, especially the US, I think about that movie and the fear that resonated with the public so deeply for decades. If China doesn’t change their policy on how they approach other nations concerning these attacks, it will dramatically change their future and undermine their potential.
Misled by APT
Tuesday 30 March 2010 at 12:32 pm
There is much hoopla concerning advanced persistent threats (APT) that has found a home in an industry abuzz with increasingly sophisticated hackers. APT is a new acronym and concept that is receiving enormous attention as if it was something completely fresh and enlightening, and it isn’t. I have come to the conclusion that it isn’t the threat that is necessarily changing, but rather our acceptance and acknowledgement of the change.
Side Channel
Monday 29 March 2010 at 5:33 pm
Today we have the reemergence of discussion concerning side channel attacks. Although the discussion is surfacing once again (with almost Cicada-like predictability), the topic has been the bane of security since communications left paper for the ether. The core issue is the ability for attackers/eavesdroppers to discern informative details of a communication channel that is presumably secure. It’s interesting to me that this problem still exists and I think few in the industry speak of it regularly – me included. It’s a huge security problem and the advent of the cloud will only make it much worse.
Death of the OS
Thursday 25 March 2010 at 1:17 pm
I was having a conversation recently with someone who just finished a project implementing a very large scale virtual environment. Once complete, their first customer said, “OK… we need 2000 servers provisioned, today.” The discussion was interesting, as was the customer’s request, and has rolled around in my head for weeks. Ultimately, I concluded that I was fascinated by the focus on “servers”, something I feel will vaporize in the near future and will have interesting implications for security – good and bad.
US Government Fails Cyberattack Simulation
Tuesday 23 February 2010 at 10:11 am
Before you unplug your computer, hop off the grid, and go buy that S&W M&P 15 you’ve been eyeing at the local gun store because you’re convinced the government couldn’t stop a thirteen year old with an iPhone, let’s look at this result a little deeper.
Why Cloud Computing Isn’t More of the Same
Wednesday 10 February 2010 at 4:08 pm
Depending on whom you are speaking with when the topic of cloud computing surfaces you will certainly get a number of different perspectives. As I’ve shared in past writings, cloud computing is generally quantified into one of three buckets: revolutionary, evolutionary, and more of the same. While the first two have merit, it is the last one I feel is a bit short-sighted… and here is why.
DIACAP for the Enterprise (Part 3 of 3)
Tuesday 02 February 2010 at 08:42 am
It is one thing to talk about securing a system, but quite another when determining how much and to what depth security should be applied. All too often we talk about securing something, but do not necessarily do so in a proactive manner based on a consistent model. Moreover, one that takes into consideration the entire system, not just the server, but the network, interactions with other systems, applications, and data stores. DIACAP is an evolutionary approach to certification and accreditation that sets a common criteria of security that takes into account the broad, interconnected nature of today’s technology infrastructures.
Google Hires Hackers
Monday 01 February 2010 at 11:30 am
Chris Evans of Google Chrome Security announced on a blog post last Thursday they will pay $500 to anyone reporting interesting vulnerabilities with Chrome. And with a little wink to the hackers, a potential reward of $1337 is being considered for the really interesting findings. The question it seems that has been raised is: is it a good idea or is Google subsidizing the development of tomorrow’s hackers?
Years of Security Experience
Thursday 28 January 2010 at 3:01 pm
I consistently hear people say they’ve been in the security industry for 25 years or more and they’re in their late 30’s or early 40’s. I find many people encompass all things security into their experience, which on the surface seems to make sense, but I’m not sure it does, or at least it’s worth further discussion. It can be argued that security is the second oldest profession, but that doesn’t mean what was done 20, 50, or 100 years ago is applicable today. However, how do we balance applicability with experience… the difference between knowledge and wisdom?
DIACAP for the Enterprise (Part 2 of 3)
Saturday 23 January 2010 at 3:57 pm
DIACAP is fundamentally a security governance model. It is a collection of processes, procedures, tools, methods, and trained people with specific roles and responsibilities targeted at managing the full security lifecycle of a system. Let’s take a high-level look at the DIACAP processes and how these can relate to the enterprise. DIACAP is founded on five activities, also known as phases.
DIACAP for the Enterprise (Part 1 of 3)
Tuesday 22 December 2009 at 12:14 pm
This is a multipart series looking at how the Department of Defense Information Assurance Certification and Accreditation Process (DIACAP) can be valuable to traditional, private enterprise organizations. It’s not all that common to propose that an enterprise adopt government processes. However, within the context of security many organizations are performing some of these DIACAP activities organically, but not to the level of granularity in management found in the DoD, which I feel is a missed opportunity. My goal for this series is to introduce the basics of DIACAP and how enterprise organizations can greatly benefit from it.
It’s All About the Data
Monday 14 December 2009 at 09:06 am
First up – sorry to my regular readers for the week or so without a recent post. I’ve directed much of my writing time towards my book, which is coming along nicely, but is a huge undertaking nonetheless. The complexity of the topic has been challenging and time consuming. Now that’s out of the way… the security of data is arguably the root of security and no doubt one of the most difficult things to wrap your arms around.
Wetware vs. Software
Friday 20 November 2009 at 10:08 am
Since the advent of SATAN the question of tool versus whitehat has permeated the security industry. The question is founded on the effectiveness of a tool in finding system vulnerabilities when compared to what a human can do. How does all this play into application testing?
NSA and Windows 7
Thursday 19 November 2009 at 11:04 am
Earlier this week NSA’s Schaeffer stated in a meeting with Congress that the NSA collaborated with Microsoft in the development of Windows 7 by leveraging their “…unique expertise and operational knowledge of system threats and vulnerabilities…” As one would expect there are a number of mixed reactions in the security industry.
The State of Security (Part 4 of 4)
Tuesday 03 November 2009 at 08:54 am
Adding to the malaise, each state will look at what others are implementing and implement their own version. In short order you will have – as we currently have with iterations of SB-1386/AB-700 in several other states – different laws with very similar demands, but differences in expectations. It will take time for the federal government to normalize as a singular law, but by then the states will have moved on to a new regulatory target and the cycle repeats.
The Conspiracy Theorist in me
Monday 02 November 2009 at 08:36 am
Admittedly, I may not have all the information. Nevertheless, a cursory glance makes me tilt my head in wonder. Last Friday, Facebook was awarded $711M in fines levied against Sanford "Spamford" Wallace, who gained access to numerous accounts on their site to send porn-promoting spam to their unsuspecting friends. This represents the second largest judgment based on the CAN-SPAM Act in history. Interestingly, the largest, $873M was also awarded to Facebook because of Canadian spammer Adam Guerbuez in 2008.
The State of Security (Part 3 of 4)
Friday 30 October 2009 at 09:12 am
Look at this phenomenon from an executive perspective. You run a business and use IT and information assets to achieve objectives and grow the company according to your mission. You implement security to protect those assets for three very basic reasons: 1) reduce impact to your consumers, 2) reduce impact to your company brand and value, and 3) reduce legal liability. Now, the question becomes, which one of these is most tangible from a negative impact perspective? Of course, the answer is “it depends.” Let’s walk through these.
Windows 7 and the University Model
Wednesday 28 October 2009 at 09:45 am
Microsoft launched Windows 7 last week to mixed reviews from the security industry, but it seemed to resonate a little better with the larger business community. Many of the perspectives on 7 are based not necessarily on what is new, but rather on the differences from Vista, specifically lower hardware requirements offering greater longevity for existing systems. But when viewed through the lens of evolving business IT strategies, one could see that 7 may be Microsoft’s swansong for the Windows product line and act as the catalyst for dramatic changes in IT and security that are just now beginning to materialize.
The State of Security (Part 2 of 4)
Monday 26 October 2009 at 10:35 am
There are basically two fundamental approaches to security: do what you have to do, and do what you need or want to do. These are not mutually exclusive and you find many scenarios where these are mixed. However, this does not mean there are not companies that simply do only what they have to and in these cases it resonates with a minimalistic approach, which many refer to as the “checkbox” approach. On the other end of the spectrum are organizations that implement security because they need or want to in order to reach a level of assurance that is supportive of the business or organizational mission.
The State of Security (Part 1 of 4)
Thursday 22 October 2009 at 1:25 pm
Arguably, regulations have done a lot for security. I vividly recall a world with no HIPAA, GLBA, SOX, PCI, HITECH, and many others where security was predominantly based on FUD – fear, uncertainty, and doubt. If you couldn’t prove there was a need, security was marginalized and open to interpretation and opinion. The degree of security implementation was founded on culture, risk, and valuation of information and not external forces. The advent of regulations helped to “push” security by providing additional reasons for sound security. However, over time, will the explosion of regulatory oversight threaten true security?
Unified Security Theory
Wednesday 14 October 2009 at 1:55 pm
In 1687, Sir Isaac Newton published the first edition of Philosophiæ Naturalis Principia Mathematica containing the three laws of motion and described universal gravitation creating the foundation of classical mechanics that stood unchallenged for more than three centuries. Science used Newton’s vast perceptions of the universe to define much of what we observe, and still employ to this day. However, as we moved into the 19th century, our ability to observe more deeply, especially the very large and very small through advances in science, challenged Newtonian physics and ushered in new thinking from the likes of Einstein, Planck, Curie, and others of the time. Now we are pushing the bounds of theoretical physics from Quantum Mechanics moving to String Theory in search of a constant law that will bind all observations. All the while the universe remained, and still does, fundamentally the same – it is our perception and understanding of the universe that changed.
Inside Social Engineering
Wednesday 07 October 2009 at 08:58 am
Throughout parts 1, 2, and 3 we talked about threats, defined a test and artificial threats, and ultimately about ensuring alignment between threats and controls. Although these basic concepts are applicable to all types of security testing, it is social engineering that raises the most interesting interactions between threats, controls, testing, and the business. In this part we round out the topic by touching on when to push the edges of the test and when not to. Lastly, I’ll cover the value of a test to the business.
Inside Social Engineering
Monday 05 October 2009 at 10:38 am
In part 2, we dove into what is a test and the two basic approaches: identification and exploitation. From there we reviewed the artificial nature of a test and the inherent and imposed limitations that make it impossible to fully mimic a real threat. We ended with exposing that through business and security processes we’ve identified addressed threats (part 1) and that any misalignment between the test’s representation of a threat relative to a control designed for that threat will render the test meaningless. And the fact that within the context of social engineering this is very likely if not orchestrated effectively. In this part, we will discuss why this is the case.
Inside Social Engineering
Thursday 01 October 2009 at 8:29 pm
In part 1, we explored the very fundamentals of security philosophy when it comes to defining threats. We asked the biggest of all questions: Is there perfect security? To which the answer, as is assumed, is No. As a result of this fundamental, we also determined that there are threats that we cannot stop. From this foundation we ultimately quantified accepted threats, the ones we will not compensate for with controls, and addressed threats, the ones we have implemented controls for. Now, we’ll talk about the concept of testing relative to threat.
Inside Social Engineering
Monday 28 September 2009 at 12:03 pm
I come across a number of social engineering scenarios and typically find that people underestimate the process and overestimate the effectiveness of the results when using oversimplified methods. As you might expect, I have a perspective. And that perspective is based squarely on what exactly are you testing and the relationship of that test to some very fundamental security concepts that everyone accepts, but do not incorporate in their formation of security activities.
The Encryption Apocalypse
Wednesday 23 September 2009 at 6:25 pm
In the first week of September this year the IEEE Spectrum published a news report titled, “Quantum Chip Helps Crack Code” which highlighted that researchers at the University of Bristol, in England, report the first factoring using Shor’s algorithm on a quantum chip. In short, what they did was to successfully factor the number 15. This seemingly benign event in using a computer to do what any small child could accomplish in as much time masks a much, much larger development. If we don’t acknowledge this event, it has the potential to cast us back a millennium.
Risk Appetite
Tuesday 22 September 2009 at 10:05 am
Anyone who knows me or has subjected themselves to my writings knows I have some uneasiness with today’s role of risk. It’s not the process, but more of how there is so much focus on risk as if it was a science, and it’s not. Not even close. Risk management is, of course, extraordinarily important to a security program, but I regularly see it being positioned as “the” security program with all things stemming from risk measurements as if it were an absolute. One of the things I hear a lot is “risk appetite” and I’ve even used this phrase many, many times. But what is it?
Having to Opt-In Security
Monday 21 September 2009 at 10:03 am
Appearing in a blog last week a Google employee, “Marie”, commented that they will be allowing Google Docs to be searchable in google.com and other search engines in a few weeks. For the millions of people and groups using Google Docs as a platform for managing documents this may be disturbing, especially if they made the mistake of assuming their information was private. Nevertheless, Google has provided a “stop publishing” option so that your documents won’t get crawled.
Almost, But Not Quite There
Thursday 17 September 2009 at 3:43 pm
I’m not one to shoulder ISPs with the responsibility of policing the Internet. There are very good arguments on ensuring ISPs are providing wide open, unfettered access to the Internet. This is analogous to buyer beware from the user’s perspective. However, ISPs are in a unique position in helping to sanitize the Internet from the obvious undesirable, dark side of the Internet. This is not about perfectly cleaning the Internet, but one can’t deny - as a community - they could potentially wipe out some of the most damaging threats, like botnets.
HITECH Privacy and Security
Wednesday 16 September 2009 at 5:42 pm
In early August I wrote a short piece on the HITECH Act that is part of the American Recovery and Reinvestment Act (ARRA) of 2009. Granted, it was a bit tongue-in-cheek, so I wanted to write something that really boils down the act into salient points that will actually help people within the realm of information security.
Whitehat Gone Too Far
Friday 04 September 2009 at 11:06 pm
First of all... HEY! I’m back! Well, at least the one or two of you out there may have noticed I wasn’t writing for the last week or so. My previous web host was r-e-a-l-l-y slow so I decided to switch… and it was actually more economical anyway. This one is a bit better. I think some of my performance issues are actually due to the code I use to generate this site. Anywho… nothing ventured, nothing gained. Through the transition the site was always up, but very complicated to keep content flowing, so I just took a break. Nevertheless, what’s up with all those CDs getting shipped out from whitehat MicroSolved out of Ohio?
PCI Security
Friday 21 August 2009 at 08:58 am
I can’t really explain why this bothers me so much. Does it really matter in the big scope of things? Not really. In fact, not at all, but that doesn’t change how I feel about it. Recently, PCI Security Standards Council released an updated version of the PCI DSS making it now version 1.2.1. The date on the title page says July 2009, but the properties of the MS Word version say August 10th. The date is of no real consequence to my point, but the MS Word version is.
Why Compliance Does Not Equal Security
Tuesday 18 August 2009 at 10:21 am
Just when you thought it was safe to go outside after SOX and PCI, ARRA’s HITECH regulation concerning privacy and security raises its head. And rest assured this is simply the tip of the iceberg of what is going to come. Security regulations are a fact of life. However, the implications and impacts of emerging regulations are becoming intense. HITECH provides teeth to HIPAA and introduces arguably the first nationwide breach notification law, representing an evolutionary approach to regulations. How you deal with regulations moving forward needs to be changed dramatically.
ARRA’s HITECH Privacy and Security
Monday 17 August 2009 at 09:22 am
On Tuesday, February 17, 2009, 26 days after taking the presidential oath, President Obama signed the American Recovery and Reinvestment Act (ARRA) of 2009, a 407-page document containing no less than 23 titles in two major divisions. Needless to say there is a lot in this act. However, from an information security perspective, what really stands out is Title XIII, Health Information Technology, more commonly known as the Health Information Technology for Economic and Clinical Health Act (HITECH). Comprised of several parts, subtitles, and sections, this comparatively small part of ARRA adds serious teeth to HIPAA. We knew it was coming, so strap in, we’re going for a ride.
Twitter and TinyURL
Thursday 13 August 2009 at 09:17 am
There are a lot of ways to get hacked (duh) and manipulating URLs is a prevalent tool for hackers in facilitating an attack. It may not be “the” attack, but it’s a common stage in the attack vector. Links can be misleading, used in SPAM, and in XSS attacks. They can also help people legitimately make money through click-through warehouses and even by manipulating affiliate programs. Now, look at Twitter and TinyURL through these lenses and you sorta see where I’m going.
R-e-s-p-e-c-t, Just a little bit
Tuesday 11 August 2009 at 09:30 am
You’re a CISO and you’ve just left an executive briefing explaining various compliance gaps and risk knowing full well you don’t have enough clout, control, or fairy dust to do anything about it. Well, rest assured you’re not alone and your CEO is not the only executive that can’t seem to connect the security dots. Security experts are dropping like flies in the government with virtually all the top spots being vacated due to lack of authority.
Endpoint Appreciation
Monday 10 August 2009 at 10:58 am
A number of technologies are available for endpoint security and rest assured more are coming. The move toward a “work anywhere from any device” strategy is quickly gaining speed. Add to this the adoption of cloud computing, specifically SaaS, and deperimeterization activities, and endpoint security has all the characteristics of skyrocketing.
Controls vs. Threats
Friday 07 August 2009 at 2:29 pm
Let’s face it, security can be complex, and the fact that attackers are always finding something new to test the industry’s capability makes it difficult to know the real capacity for a control’s effectiveness. As an industry we tend to layer things on one another applying a defense-in-depth strategy, which is a proven strategy and makes perfect sense. But, do we really look at various security controls through this lens or are we just putting something in because we think it will help?
Big Security
Wednesday 05 August 2009 at 6:03 pm
There are a number of attributes within very large organizations that tend to put them at a disadvantage concerning security. Not that these corporate characteristics are unique to large companies, but rather that highly diverse and multi-layered environments act as enablers to those elements that may knowingly or unknowingly conspire against the company as a whole. Add to this the enormous dynamics occurring in the technology and security spaces, and the lethargic nature of some organizations results in adopting technologies and facilitating initiatives that are outdated before the first box is plugged in.
Demonstrating Value
Monday 03 August 2009 at 9:34 pm
There are a number of practices concerning metrics and measuring security activities, and I’ve written on the importance of capability maturity in the security program (look for more articles from me on the topic of CMM in security). An increasing activity, especially in the light of recent economic pressures, is managing, monitoring, tracking, and reporting on the effectiveness of the security program in the employment of resources and budget.
BlackHat Standard Fair
Friday 31 July 2009 at 12:38 pm
BlackHat has been around for a while and has become very popular as a platform for researchers to expose their interesting research in the discovery of foundation-shattering vulnerabilities. Although this type of exposure occurs in other “hacker” events, the media focus on BlackHat is unparalleled, making it a well-publicized event. Although it’s just getting started, a couple of disrupting things have already been presented.
Security and Mobility
Thursday 30 July 2009 at 10:27 am
Security in the mobility space is not all that new. We’ve seen our fair share of worms, spam, and attacks against cell phones, PDAs, and smart phones. Over the years various products and solutions have surfaced in an attempt to address these challenges with varying degrees of success. Nevertheless, as cell phones become more and more sophisticated, gaps in security are becoming alarmingly huge.
F-Response
Wednesday 29 July 2009 at 09:38 am
There is no shortage of technology in the information security industry. As time passes, there are fewer and fewer cases of truly interesting and compelling solutions that have the potential to revolutionize the industry. However, they do come along on occasion; with no fanfare and hidden in the back of some massive vendor expo hall, they sneak up on you and the next thing you know you can’t live without it. So, expect to be buying F-Response in the near future.
Over Simplifying Cloud Security
Tuesday 28 July 2009 at 2:13 pm
I will tell you right up front that I’m not a cloud computing expert. I “get it” as most people do and can see the pros and cons. You don’t have to be a brain surgeon to connect the dots of virtualization, stacking, web services, “X”aaS, and the like to see that the cloud is extraordinarily compelling to business and is the future of IT as we know it. Seeing that most people have connected the dots, it’s no surprise that security in the cloud (or lack thereof) is seen as the most significant barrier to adoption. As a result, security solutions for the cloud are beginning to come out of the woodwork. This is expected and needed – progress in this space is good. However, I’m not seeing anything necessarily revolutionary and simply, well, more of the same. The problem isn’t that these standard security solutions tweaked to support the cloud aren’t meaningful; it’s simply that they are addressing an old problem and not really the more fundamental problems businesses are thinking about and beyond.
IneSCAPable
Monday 27 July 2009 at 10:21 am
NIST, specifically the Computer Security Research Center (CSRC), has become a significant security force in the public and private sectors. With the series of Special Publications covering everything from FIPS and PKI to keys and physical security – and everything in between – NIST has provided a substantial collection of valuable materials. Some of these take off and become core industry practices, while others remain in relative obscurity. A recent addition from NIST has all the makings of something that could become very interesting - Security Content Automation Protocol (SCAP), or SP 800-117.
A Mature Security Program
Wednesday 22 July 2009 at 11:17 am
There are a lot of security standards and practices defined within the industry. Moreover, there are enough regulatory demands facing a broad range of companies and organizations to fill the ocean. Nevertheless, what always seems to be missing or rarely heard of is the maturity of the security program. I think companies are missing out on something that could be of enormous value to the business and the security group.
Cloud Security Challenges
Monday 20 July 2009 at 1:50 pm
Why does the cloud represent such a huge issue for security? Let's talk "high-level" and very generally for a bit. First and foremost, what is "the cloud"? In pretty simple terms, a cloud is a collection of technology (systems, networks, processors, applications, etc.) that is provided to users and companies as a service, decoupling the computing experience from the computer and all this implies. Later, we’ll see this fundamental element as the challenge to security and the relationship to data (and information) and trust.
Cloud Security
Monday 20 July 2009 at 1:31 pm
There has been a great deal of discussion concerning cloud computing. In the past we called these hosting solutions, managed services, and other less sexy things. However, I'll admit that today's cloud computing concepts go way beyond what we've seen in the past and have set in motion a technical revolution that has the potential to change the very foundation of what we have come to understand as computers and the Internet. As a result, information security will become far more important than it ever has. However, what will it look like? How will it function? Is security going to evolve and if so, will it in time?
Security and the Digital Disease
Friday 17 July 2009 at 1:27 pm
Epidemiology is a fascinating subject, one I believe the information security industry can learn from. An interesting element is the sharing of information concerning viruses. When Bird-Flu (H5N1) was decimating the Indonesian community, local scientists studied and obtained critical RNA data on the virus, which provides the key to formulating a vaccine. However, they didn’t share this information with the rest of the world right away. Why? And what can security learn from this?
The Cloud Application
Wednesday 15 July 2009 at 10:34 am
Many enterprise organizations are typically focused on infrastructure security, such as firewalls and IDS. This is understandable because of history and compliance pressures. However, there are regulations touching on the application layer driving certain technologies, and many of those same organizations are performing code review, application testing, and evolving secure software development practices. Not only is this not enough, but as organizations attempt to move to the cloud they are going to hit huge challenges and will likely force-fit their needs – right or wrong – into the provider. The result will ultimately be the migration of poor security philosophies into the cloud and the overall stagnation of what the cloud can provide. We need to peer deeper into how applications function given the vast level of abstraction that is occurring and the implied trust that exists.
Passwords, again?
Tuesday 14 July 2009 at 08:42 am
Is it me or does the topic of password security pop up regularly? It’s like a broken record. To be fair, security in general is having difficulty evolving, so why shouldn’t discussions concerning passwords surface regularly? We’re not really changing anything. Nevertheless, there has been a surge lately and I feel somewhat compelled to comment.
Microsoft knew for a year
Monday 13 July 2009 at 08:15 am
It looks like Microsoft finally admitted it knew for more than a year about the IE6 & IE7 bug in the ActiveX control "msvidctl.dll", a file that supports streaming video content and is vulnerable to arbitrary code execution with the privileges of the current user. On the surface this vulnerability doesn’t sound any more spectacular than others like it in the past. People are steaming over the delay, but I think there are a number of interesting moving parts worth noting.
The Legalities of Spying
Friday 10 July 2009 at 5:02 pm
Released today was an unclassified report on Bush's Presidential Surveillance Program (PSP) written by the Offices of Inspector General of the DoD, DoJ, CIA, NSA, and Office of the Director of National Intelligence. In short, Congress mandated an investigation to ultimately determine the legal precedent of the PSP, which involved massive collection of communications within and beyond the US.
A knight in shining Chrome
Thursday 09 July 2009 at 5:06 pm
Google’s announcement that they’re entering into the world of operating systems with Google Chrome OS has generated some controversy – mostly around security. Statements such as, “And as we did for the Google Chrome browser, we are going back to the basics and completely redesigning the underlying security architecture of the OS so that users don't have to deal with viruses, malware and security updates. It should just work.” are very bold indeed. Essentially, Google is going to eliminate security problems that have haunted the Internet since its inception. You know what? I say go for it G-men, more power to you. But, please know the world of bad guys doesn’t take such claims lightly.
MasterCard Changes Level 2
Thursday 09 July 2009 at 10:17 am
Last month MasterCard (MC) changed the requirements for level 2 merchants to include an on-site assessment as opposed to performing a self-assessment. The definition of level 2 by MC is processing more than 1M and equal to or less than 6M transactions a year. However, there is an added feature by MC stating that level 2 can be defined by competing brands, such as Visa, Amex, Discover, etc (note: actually MC defines this for all the levels). These changes immediately translate to a dramatic increase in the number of merchants globally that now require a report on compliance (ROC) as opposed to simply completing the self-assessment questionnaire (SAQ). Nevertheless, I think this runs much deeper when one looks at the history and progress of PCI.
Policy Purgatory
Wednesday 08 July 2009 at 5:20 pm
I see a lot of questions about security pop up asking everything from what’s the best way to secure a PDA to controlling the use of USB ports on laptops. In every case, without exception, there is always someone who pontificates on the need for a policy. Ok, granted, a policy can be more than a document stating what is expected and separating good from evil for all to partake. Policies can be technical manifestations, like group policies in Microsoft, Linux, and other systems that set requirements, like minimum password length, but that’s not what I’m talking about. I’m talking about the oldest security-punt of all time, the fall-back point of, “Do you have a policy for that?”, referring to some document that everyone from the CEO down had to approve of when all I wanted was to stop the use of USB ports. Policies are important, but they’re only one part of the picture and not the first step.
ISSA / ISACA / InfraGard Event Presentation
Sunday 21 June 2009 at 06:32 am
I spoke at an event this week (6/19/09) in Tampa, Florida. The Tampa Bay Chapters of ISSA, InfraGard, and ISACA hosted an all day event at the Tech Data Corporation headquarters in Clearwater. A few folks asked for a copy of the presentation I gave because I think it struck a chord with some of the audience.
Compliance vs. Security
Friday 24 April 2009 at 4:10 pm
Ask any security professional, “Does compliance mean you’re secure?” and you will get a resounding “No!” But, let’s think about that for a moment. Before the wave of compliance, security was barely considered. I vividly recall a meeting with my boss where I showed him the floppy that contained access control lists for the new fandangle Cisco thingy called a router that will help “…protect us from the Internet by blocking unwanted traffic.” “Protect us?” He exclaimed, “The Internet is essential. I don’t want to stop anything.” Sometime later we suffered from a security-related event and ended up investing in more controls, and frankly this was the impetus of me getting into security as a career. So, before compliance, security was a shot in the dark. Now, the bipolar-ism of compliance versus security raises some interesting questions about the future.
Security Kung-Fu
Friday 24 April 2009 at 1:17 pm
As difficult as it may be to see through the fog of economic uncertainty, there is enormous opportunity -- and today’s challenges should be seen as a tipping point for the evolution of security. Given the vast challenges and comprehensive threats facing organizations, security is more important to the survivability of the business today than it has ever been. As companies are weakened by unfortunate, but necessary cuts, even the best recovery plans can be undermined by a publicized attack. Security can play a pivotal role in providing a secure environment to help executives focus on effectively implementing strategic initiatives. As well, there are other dynamics occurring in the depths of business that can be leveraged to translate today’s security activities into tomorrow’s security alignment with the business. Understanding these nuances will allow security groups to not only demonstrate value in the current economic condition, but also provide the foundation for enabling the business for the future.
It’s not ROI, it’s VOI
Friday 03 April 2009 at 08:53 am
If you’re a reader of this blog, know me, or have seen me speak, you know that I’m very much about security enabling the business and operating in business terms. For years security had been an afterthought and seen as a barrier to the vast business opportunities that lie out in the Internet and the complete utilization of growing IT capabilities. Many security professionals wanted desperately to gain the attention of the business. After the wave of regulations, most notably SOX, executives gained more appreciation for the role of security. Then a mixture of highly publicized attacks, advances in methods and technologies, and a massive increase in IT complexity has thrown security squarely into the boardroom. Be careful what you ask for.
Security is not an Adjective
Tuesday 17 February 2009 at 2:58 pm
I spend a lot of time traveling and always see interesting stuff within the context of security in airports, hotels, and the like. I won't bore you with standard jokes about the TSA’s security practices - way too easy a target - and I won't go into detail about how hotels are a criminal’s best friend. I’m always astounded by the lack of security, especially when it is implied. I don’t typically bother with it - it’s just how things are in the real world, but it’s still fun to break security controls, even if only in your mind. Nevertheless, it seems the practice of putting the word “security” before something - not necessarily a new thing - is increasing in practice and it’s rather annoying.
State of the PCI industry before PCI DSS?
Sunday 08 February 2009 at 09:28 am
His question:
Hi folks,
I know that there is research material out there that can address the state of the PCI industry prior to the DSS requirements. But I wanted to get your personal view point on what issues existed at that time (when there was no PCI DSS). What was predominately in place as a security program at that time? Anything at all? (e.g. ISO 17799)
Also, does PCI DSS seem like a mature standard in your opinion? Is it getting better quickly or is it taking longer than what you had hoped? Is the standard reactive or proactive? Or is it both?
Thanks for any insight,
Farhan
Here is my answer that LinkedIn wouldn't accept.
ISO-27000 Series
Monday 21 May 2007 at 11:04 am
I read an article recently that finally pushed me over the edge concerning security terminology and how the ISO standards are referred to. The statement that did me in was, “We performed an assessment against the ten tenants of ISO-27001.” The article - interviews with several CSOs - went on and on with quote after quote relating to ISO-27001 incorrectly. Maybe a little nit-picky on my part, but the reality is security is complex enough without people getting it wrong, and it seems everyone is getting it wrong when it comes to the ISO-27000 series.
Changing Threats
Thursday 22 March 2007 at 12:38 pm
Sometimes you have to state the obvious just to make sure the message sinks in, and this is an important message we all need to acknowledge: The threat landscape has changed dramatically and fundamentally. Back in the early 90s hackers were hobbyists looking to cause harm and gain some street cred in the process. Viruses were a painful nuisance, but at least you knew you had one. As time passed, the fundamental culture of the dark side didn't change. Of course, we began to see more aggressive worms, tools, and attack strategies, but the goal was pretty much the same, with only a few elite hackers tearing into systems and people for financial gain. Today, unfortunately, attacking for money is the norm, the goal, the culture, and it's going to get a lot worse.
Hacker 2050
Wednesday 07 March 2007 at 3:46 pm
In 2050, information is everything and access to it will be omnipresent and seamless. Connected micro-technology will be commonplace, embedded in everything from chairs, car tires, and beds to clothes, medicine, and the plates from which we eat our food. The human experience will be based on colors, sound, and the ability to interact with everything based on instantaneous information about that person, place, or thing. Technology will make decisions for us and respond to the environment faster and more accurately. Our trust will not come easy, but time will prevail and the memories of driving a car, dialing a phone number, or downloading music will fade away with each passing moment.
Complicated Basics
Monday 19 February 2007 at 6:19 pm
So, you’re tracking the number of worms stopped at your firewall, the number of patches deployed, and the volume of vulnerabilities in your environment and presenting them to the CIO as security metrics. Unfortunately, I may have bad news for you. These are not metrics and they won’t make any sense to the CIO. Oh, don’t get me wrong, she’ll understand them and get it, but won’t be able to apply them to the business in business terms. Why? Because they’re not metrics and they’re not tied to the business. Good news, you’re going in the right direction and what you have so far is useful. All you need now is a basic framework that can be, well, complicated.
Close the Gap, Before you Fall in it
Sunday 04 February 2007 at 10:03 am
I became immersed in security back in 1990, or shall I say thrown into it. Working as a mechanical engineer for a research and development firm designing unique valves that help produce the sweetener that the world consumes in soft drinks, I received a tiny little box (Pandora’s, to be more accurate). Inside was a golf ball sized version of the valve that our organization invented and manufactured. Normally, this wouldn’t have surprised me except for the fact that our valves were 3 tons and as big as a truck. Turns out someone stole the designs, which found their way to an emerging pharmaceutical company in Europe. Unfortunately for the computer criminal, he failed to mention that the transaction was illegal, so the European company proudly shipped us their prototype for review. (BTW, it was brilliant, engineering magic at its best, a work of art.) Nevertheless, in the long run it hurt the company.
The Art of War
Wednesday 17 May 2006 at 09:16 am
There are several books, articles, and models providing guidance for assessing information security risk. Nevertheless, regardless of the amount of information one consumes, determining risk remains more art than science. One must consider the threats, vulnerabilities, potential of occurrence, and impact to draw conclusions of risk appetite. For me, one of these elements represents an area few delve deeply into, and that is threats.
Virtual Security
Friday 05 May 2006 at 8:01 pm
In 1996 I found a tiny package floating around the Internet called VMware. I booted up my Linux laptop and proceeded to install this little animal. Within minutes I started the application and booted my first virtual PC. Compelled to investigate further, I decided to load Windows 95, completely convinced that it would fail miserably - Win95 on Linux, are you kidding me? To my surprise, I was browsing the web using IE, in Windows 95 from a virtual PC running on Linux in just a few hours. Little did I know at the time, virtualization would make the huge rebirth that it has today.
Security Answers the Call
Wednesday 22 February 2006 at 09:47 am
In 1998, I was working in Germany designing a 5000 site IPSec VPN solution encompassing 125 countries for a logistics company. The options were few. Timestep had the best product during that time, with many other IPSec products emerging, such as Altiga, Novell's BorderManager, and Checkpoint. Of course, Cisco was very interested, but didn't have solid IPSec code. Cisco got involved and insisted that with a little work they could have a meaningful solution. This boded well for the client given that they used Cisco for all their networking gear, making the whole philosophy very attractive.
Bigger Picture
Saturday 04 February 2006 at 11:57 am
There has been a great deal of industry static about Microsoft’s WMF vulnerability and the giant’s reaction to the critical gaping hole. In short, the WMF vulnerability provides the opportunity for a hacker to embed code in an image. When that image is displayed in a browser, document, e-mail, or whatever, the code is executed. It’s important to understand that the user did nothing out of the ordinary for this to occur. Just going to a site with one of these "trojaned" images is enough. Clearly, this has significant implications and will be with us for some time.
The Lion and the Gazelle
Monday 05 December 2005 at 4:37 pm
There are many discussions concerning infosec’s value to the business and its role in the value chain. Every company produces, ultimately, goods and/or services that are the culmination of a series of events or actions encompassing people, process, and technology. The ability to introduce efficiencies - resulting in greater savings without derogation to the product or service - within the value chain presents a significant benefit for the producer. This tenet will impact security professionals like no other in the next few years.
ISO-17799:2005
Monday 24 October 2005 at 7:11 pm
In 1996, the British Standards Institute (BSI) published the BS-7799 information security management standard defining a management system for the oversight of information security. Three years later, Part 2 was published providing a foundation to perform audits and to ultimately attain a certification from the BSI. The International Organization for Standardization (ISO), in collaboration with the International Electrotechnical Commission (IEC), drew from the BS-7799 to create the ISO-17799 security standard, published in 2000. In February 2005, the ISO/IEC published an update to the ISO-17799, setting a new standard for information security management. It once again draws from previous standards, but makes key additions that have resulted in a comprehensive guideline for organizations worldwide.
Measuring the Maturity of Your Security Program (Part 1)
Tuesday 06 September 2005 at 6:28 pm
Today, organizations have expended significant resources in implementing various security controls. Thanks to best practices, the evolution of technology, and the increasing number of skilled professionals, many organizations have an established security posture. However, we are entering a new age of information security. Although regular oversight and diligence are required to maintain investments, few have addressed a comprehensive and pragmatic approach to governing their security posture. This article will discuss the reasoning, approach, and tangible value to the business when a practical measurement of the maturity and capability of a security governance structure is performed regularly. The objective is to demonstrate the importance of maturity, discuss the process of how to determine your effectiveness, and demonstrate how this will help you gain long-term valuation of your security investments.
The Walls of Jericho
Friday 02 September 2005 at 4:47 pm
In February of this year The Open Group established a new forum called Jericho, whose vision is focused on developing and promoting a new security architecture, one devoid of a perimeter and referred to as de-perimeterization.
Visa, Everywhere You Want to Be
Saturday 06 August 2005 at 7:30 pm
Fraud is the bane of the financial industry's existence. Financial institutions are constantly battling forgery, impersonation, and outright theft, and the advent of computers and the Internet, while increasing capability and efficiency, has exacerbated the problem. Visa has stepped in and started an information security program that seeks to revolutionize the industry.
Diminishing Perimeter
Tuesday 02 August 2005 at 11:54 am
For years the perimeter has been the focal point of security technology. What was once routers with access control lists designed to block traffic based on basic characteristics has evolved into a myriad of sophisticated devices inspecting every detail of communications. However, successful attacks are on the rise with increasing impact to organizations. While perimeter technology may appear to have evolved significantly, it pales in comparison to the advancements in tactics, tools, and the cleverness of today's threats. To add to the malaise, companies are seeking to fully leverage the Internet and new application development strategies in an effort to support the comprehensive information-sharing needs of the business.
Inside Out
Sunday 12 June 2005 at 10:13 am
Ninety-seven CIOs sat watching the presentation about infosec in an extravagant 19th century grand ballroom in downtown Philadelphia. There were executives from financial companies, insurance firms, manufacturing organizations, banks, and even a few government agencies, each attending a regular local society meeting to collaborate. The presenter polled the audience, "Who is concerned with a hacker gaining access to their network?" A few halfheartedly raised their hands. The presenter then asked, "Who is concerned with security threats from within?" Nearly everyone in the room thrust their arms into the air.
Network Security Rebirth
Saturday 28 May 2005 at 09:17 am
As soon as there were networks there were people using them to gain unauthorized access to remote systems. Today, networks are everywhere and the Internet is the ultimate network, with more and more systems becoming assimilated. What once was just computers communicating over the Internet has now expanded to include phones, game platforms, entertainment systems, and even home security systems, with no end in sight. The growing use of a global network represents significant opportunities to businesses and consumers.
Infinite Loop
Saturday 28 May 2005 at 08:32 am
Although information security has gained unparalleled business-level attention in the last few years, people remain enamored with hacker tools and technical tricks of the past. Promoting security based on fear, uncertainty and doubt (FUD) unfortunately remains the proverbial black hole of the security universe, potentially stifling the expansion of security in the business.
Digging Trenches
Friday 06 May 2005 at 12:42 pm
With the increasing demand from the business to better utilize IT and vast amounts of information more effectively, web services and service oriented architecture (SOA) solutions are the new frontier of the Internet. The ability to comprehensively leverage information and systems to drive competitive services and products through enhancing customer, partner, and employee collaboration is the impetus for the explosion of custom application development in the 21st century. However, this new business approach has become the breeding ground for sophisticated attacks with a broader potential for impact. Meanwhile the hacker community is significantly more organized, well armed, and seeking new methods to acquire revenue of their own.
Hackers Ahead
Friday 06 May 2005 at 08:20 am
As far back as I can remember I’ve always heard the axiom, “Hackers are always ahead of you.” It’s a saying that has the potential to release you from the torment of insecurity, or torture your character. The former finds solace in knowing that there is nothing they can do to get ahead of the prognosticating hacker. However, the latter tend to believe hackers are just not that smart.
Did you sign that?
Tuesday 19 April 2005 at 09:40 am
With the increased demands being placed on organizations to ensure privacy, integrity, and confidentiality in the digital domain, the need for non-repudiation and the use of digital signatures is beginning to raise its ugly head once again. The biggest challenge for most people is the technical representation of non-repudiation versus the non-technical one. To add to the malaise, there is a great deal of discussion about what information should be signed to support non-repudiation, and that is where things get even more confusing.
The Last Rights for Passwords
Friday 08 April 2005 at 08:48 am
To be completely forthright, I have no clue when the first password was used to control access to a computer and I don't really care. I do know that it set in motion a standard for providing access that continues to this day, and that I care about.
Your Identity
Thursday 31 March 2005 at 9:21 pm
More and more companies are expressing interest in Identity Management (ID Mgt) solutions to compensate for the increasing number of user management directories & databases, support broader regulatory compliance efforts, and address a core security issue that has been around for years - access management.
Got Spam?
Thursday 31 March 2005 at 6:24 pm
According to Symantec's March 2005 threat report, spam, usually defined as junk or unsolicited email, made up over 60% of all email traffic during the reporting period from July to December 2004. By anyone's definition, that's a lot of junk e-mail. But, as security professionals know, spam is much more than an annoyance and can adversely affect system and data integrity. Moreover, its existence can be an indicator of a much larger issue.