Friday, June 22, 2007

What Else is Surprising? DHS in Trouble!

http://www.informationweek.com/news/showArticle.jhtml?articleID=199905838&pgno=2&queryText=


As I've mentioned many times before, computer security is taken too lightly by too many people. I hope the CIO of DHS doesn't think that way.
First off, we need a CISO *and* a CIO for an organization as complex and as bureaucratic as the DHS. The CIO and CISO should get together to formulate a strategy that feeds the needs of the IT dept (CIO) and balances or tempers those needs with the security ramifications that come with them (CISO).

My worry is that while Congress battles the powerful bureaucrats and while the bureaucrats expend energy in defending themselves, the door is left wide open for everyone to do what they want to do. In other words, the utter indifference to real security is what results in trojans, viruses, inappropriate and objectionable content invading the computers.

Another concern is that the computers are allowed to access the Internet! First off, you want to very severely restrict access to the 'Net, and if you must, make sure you have powerful tools to control both access as well as downloads.

Here's what a basic, 20-point policy would look like (for user-terminals/computers at least):
1. Disable floppy drives (or buy computers without them)
2. Disable CD drives (require a special code to unlock and use them - the content to be loaded must be disclosed first)
3. Disable USB drives
4. Disable any and all controls on the OS that will permit configuration changes (such as IE security level etc)
5. Disable all downloads from the 'Net (incl HTTP/FTP)
6. Disable all uploads to ANY location
7. Internal data transfer should happen through pre-mapped, controlled, and constantly monitored network drives - probably a departmentalized storage subsystem such as NetApp Filers or EMC CLARiiON etc
8. Use encryption as much as possible, both on disk as well as on the network
9. Use forced authentication at every entry point (no trusted hosts nonsense)
10. Disable installation of any kind of unauthorized programs
11. Use at least 2-factor authentication (password + random key as an example)
12. Go for biometric authentication whenever and wherever possible
13. Use AV software extensively, ensuring prompt and forced updates and reboots as needed
14. Use IDS (pref IPS also) software at every sensitive node
15. Control, monitor, and record ALL communication - IM, email, phone etc
16. Email clients should be tuned to only send mail to internal personnel - no external addresses should be allowed - EVER
17. Scan ALL incoming packets - and outgoing packets at sensitive nodes
18. NO ATTACHMENTS ALLOWED ANYTIME - email/IM - whatever mode of communication
19. Use hardware encryption devices and encrypt all data, everywhere. Use PKI devices to manage the keys
20. Finally, EDUCATE THE EMPLOYEES. Nothing works better than education

Watch this space for more ideas that DHS will probably never implement! Next I'll be focusing on actual employee monitoring details.

Be safe!

Tuesday, June 19, 2007

Security Companies Getting Bought Out...

http://creativemac.digitalmedianet.com/articles/viewarticle.jsp?id=153590

I think the recent buying binge demands at least some investigation into:
a. Exactly what these companies market
b. What does the software actually do
c. Is it ready to deal with, or can it be extended to deal with, latest threats
d. How easy is it to integrate with current solutions
e. Are these FIPS-compliant

In any case, it does look like the Security market is golden, and doing fantastically well. If you want to make a few million dollars, start with an idea, write up rudimentary software, say it patches up this threat and that vulnerability while scanning the network and making your morning coffee, and BOOM! your company's set for sale!

Seriously though, the real value of these acquisitions will come from how easily and painlessly the products integrate into current product offerings. HP just bought SPID, and if that could be merged into any of HP's products (logically so), then customers have one less thing to deploy, manage, patch, and keep in inventory.

Overall, a solid consolidation in the SS market is definitely going on, and it's long overdue too, but quite importantly we should note WHO'S buying - that indicates a stronger trend toward tighter bonding between existing enterprise management/monitoring tools and actual Security tools.

Now you could predict that IBM will have a significant share of Security-based revenues from its purchase of ISS, that EMC will carve out a bigger and bigger share of the market using RSA, that BT will reap the fruits of its bagging of CounterPane.

This is just the beginning of the trend - quite possibly we'll see the same vendors, and new software vendors, buying more and more of such companies. Ultimately, one would be hard-pressed to find a single independent Security ISV.

Hot areas will include:
a. Identity management
b. Patch management
c. Vulnerability assessment and management
d. Threat assessment (from internal and external sources based on patterns and trends)
e. Code and system-hardening
f. Security services and consulting operations
g. Compliance and regulatory assessment, management, consulting and validation
h. Outsourcing of Security tasks
and so on

Be safe!

Tuesday, June 12, 2007

Privacy Concerns and Google

Quite interesting, the recent concerns over how Google mines data and how it might use it when combined with its recent acquisition, DoubleClick. Plus, now you have street-level, 360-degree, detailed snapshot views of actual happenings on streets that Google has covered.

Somewhat creepy, a little scary, but mostly harmless. For now.
How Google addresses the privacy concerns raised by both small privacy groups and organizations like the ACLU, EPIC etc remains to be seen, but it's quite likely that G, whose main edict is 'Don't be evil', will be forced more and more to live up to its grand statements. Only, you don't want it going the way of 'We don't do finance'...

What is the Security concern here? Plenty, plenty, plenty. Imagine this fantastic goldmine of data that tells you all you want to know about someone's secrets and the makeup of their psyche - right from search terms to visited sites to how long they surfed those sites to your most private communication (email). Imagine this fantastic data in the hands of a hacker. There. You know what I'm saying.

So, G, which employs the most brilliant minds it can afford to buy on the strength of its balance sheet as well as brand name, needs to REALLY tighten up its environment. You do NOT want embarrassments like when someone stole G's own blog and it had to do some red-faced explaining. We don't have to teach G about security and how to protect its data, but we do have a RIGHT to expect that what G knows, only G knows and nobody else. Plus, you also hope (wish, pray, beseech, request, beg, fight) that G also has a bad memory (think data retention policies).

Anyway, the coming few months are going to be very intense as the search, advertising, and portal markets heat up with existing giants waking up and new, disruptive technologies start chipping away at the heels of the Big Ones.

Be safe!