
Posts

Showing posts from 2010

Is Social Networking a Fad?

In the last 24 months social networking has seemingly come to a head of steam.  Facebook, MySpace and Bebo have been around for a number of years, but in addition we now have the likes of LinkedIn for professional networking and any number of micro-blogging and commentary sites.  This is not to mention Twitter...

Social Networking is really what the internet was invented for.  Shame it's taken the best part of 15 years to come together.  Many people now see email as a dying breed of communication, probably due to the increased 'spam', increased volume and lack of clarity it brings.  If only 65% of your emails are useful to you, you're wasting 35% of your "mail" time.  Full stop.  Time is one thing social networkers do NOT like to waste.  Everything has to be quicker, smaller and more customized.  Rapid execution is the key underlying factor.


This bubble of attention and innovation with regards to small, simple and rapid execution based socnet sites is seemin…

Security Over Configuration?

Many recent software development frameworks use the term "Convention over Configuration".  The main idea behind this is to remove the need for a programmer to explain every detail of an application and instead only specify what the unconventional aspects will be.  This should, in theory, remove the need to code unnecessary aspects of the application that should otherwise be taken for granted.  This results in faster development, simplified code and ease of management.  Anything that doesn't fit the 'convention' needs to be 'configured'.

I wonder if this approach could be applied to the view of security, not only from a software perspective, but in everyday life in general?  Security in terms of software is often seen as an add-on, an extra, something to do at the end or if something erroneous occurs.  This shouldn't be the case.  Security should be built from the ground up from a technical perspective and from a process perspective should be considered equal to t…

Is Your Smart Phone Security Smart?

With the ever increasing popularity, sophistication and internet-ready nature of many mobile phones comes an increased risk of data loss, identity theft and general costly misuse.  Over 5000 mobile phones are allegedly stolen each day in the UK, not counting the many attempts at 'hacking', 'cracking' and remote attacking.

A mobile phone is no longer just that.  It's a web browser.  It's a camera.  It's a calendar and personal organiser.  It's a data store.  In combination with the several thousand apps available for the various platform types, it's also a utility capable of once cumbersome and time consuming tasks, games and activities.  Hence the newly termed 'smart' phone.  This object in your back pocket is basically a tiny laptop.


Most smart phones will generally have some basic security measures built in, such as a console lock which is PIN protected.  Is this used?  Is it ever changed?  A recent survey by Vodafone suggested that 50%…

Security - Where's the Problem, People or Technology?

As part of my job I am fortunate (at times) to be able to travel to different locations including new countries and cities.  This is mainly within Europe but sometimes the Middle East and North America.  Most parts of the travel itinerary are booked automatically through my employer using a web based travel portal.  This generally contains basic personal information such as name, date of birth and next of kin, often required not only for airline bookings but also border security.

Last week I was fortunate to be back in Spain, Madrid to be precise.  A lovely city, great food and friendly people to work alongside.  My one concern was the handling of my personal information during the trip.  Since 2004, in the aftermath of the Madrid bombings, EU states now require Advanced Passenger Information data to be collected prior to an individual traveling to and from EU states like Spain.  This is non-negotiable as far as I am aware and no information is publicly available as to how this inform…

Microsoft AD Analytics in OIA

Active Directory has become synonymous with corporate authentication over the last decade.  Most organizations with over a hundred users will generally have a directory service based authentication framework and in many organizations that tends to be AD.  The reasons for this are plentiful I'm sure, but not the scope of this entry.

The popularity of AD has several impacts.  Firstly, the increased usage, as with any piece of software, is a catalyst for a growing support community including things like best practice papers, forums, consultancy firms and so on.  However, an increasing reliance on AD often leads to key system administration concerns such as how to manage the users, groups and resources housed within the directory.

Key concerns for any administrator, and increasingly for audit and compliance officers, are how to manage things like the number of orphan accounts, redundant accounts, terminated accounts, redundant groups, misaligned groups, share management, share ownership and…

Safe Chips Anyone?

Last week saw the announcement that chip giant Intel is to acquire McAfee in a £5bn deal.  With this came many intriguing comments and questions about how Intel will utilize the deep engineering skills at McAfee as well as the large brand loyalty created by the many anti-virus and anti-malware products now at their disposal.

Intel have commented that they see the coming months and years as a critical point in the cybersecurity landscape with increasing attention now being placed on protection at the hardware, software and applications level.

Security at the desktop level has primarily been focused on virus and malware protection for the last 12-14 years, since the large Windows based viruses of the late 90's.  In addition, firewall protection also appeared at the desktop level, with many desktop operating systems now providing a basic software based firewall.

However with the increasing focus on Cloud Computing and anything-as-a-service, security at the stack level …

Hacker - hero or villain?

I recently watched a documentary on UK satellite TV that seemingly portrayed the life of a computer hacker as glamorous, edgy and cool.  The hackers interviewed were all American, male, typically geeky with a fake hate of institutionalism and popular culture.


Many argued they 'hacked', or 'cracked' as some term it, simply for the enjoyment and prestige of being able to 'beat' large corporations or public organizations that have spent vast sums on securing information systems and networks.  The thrill of a one-man-band crusade and coming out on top spurs many individuals on to continually attempt to break and overcome security controls.  They argued that in fact they were helping the internal security teams by simply identifying where weak controls exist, before 'real' damage could occur.  Who and what caused the 'real' damage still seemed unquantified by the hacker community interviewed by the program maker.


In defense of that argument, the te…

The Threat of the Insider

Most organizations and indeed security vendors have traditionally focused on the outsider threat when it comes to company security.  By this I'm referring to external hacker threats or threats from the internet and public untrusted networks.  These areas are generally out of the control of the organization, unable to be manipulated by internal security controls and procedures.  Historically, therefore, the emphasis was placed on protecting the internal corporate network and resources from users, hackers and services that originated from outside the control of the organization.

Firewalls, Intrusion Detection Systems, Intrusion Prevention Systems and SQL Injection Attacks are amongst the commonly used vocabulary when referring to security from a best practice, education and vendor perspective.

However, in recent years the insider threat has gained prominence.  By this I refer to a systems attack generally originating from someone within the organization.  Attack in this se…

Successful Certification

Certification in identity management is generally used to confirm or revoke existing user accounts and HR information.  The focus on existing accounts distinguishes it from general access request approval workflows, making it a post approval workflow.  During the access request phase a manager or IT owner will approve or reject whether someone should have additional access to a system.  This is not a new concept and was managed perfectly well, long before this process was automated using provisioning solutions.

Certification or attestation is more concerned with analysing users who have already been granted access to a current system.  This periodic post approval process is more to do with seeing if previous access request actions are still needed.  This also leads to other analytical steps such as identifying users who may have moved jobs, or left the organisation.  Another useful by-product of analysing existing users is to locate what's known as 'orphan accounts'…