
Posts

Showing posts from November, 2012

Preventative -v- Detective Security

There's an Italian proverb which reads 'vivere da malato per morire sano' - living like an invalid to die healthy.  Whilst that is one lifestyle extreme, looking after your body is generally seen as a positive if you want to live a long and healthy life.  Prevention is, indeed, generally seen as being better than the cure.  The same concept applied to information systems can produce some interesting results.

From a non-security perspective, I would say most management approaches and project budgets are focused on the reactive.  IT has historically not always been seen as an efficiency provider for the business, with budget often only being assigned when it's acknowledged that the business front line would be negatively impacted if a system, project or team were not present.  From a security perspective, I think reactionary policy is still deep in the mindset too.


Reactionary Security

When you casually think of information security tools and products…

Cyber Security Part V - Critical Infrastructure

The final part in the cyber security series will focus on the issues critical infrastructure environments face.  Supervisory Control and Data Acquisition (SCADA) systems and Industrial Control Systems (ICS) are two of the standard environments that can constitute a critical environment.  Whilst many financial services environments can be described as critical, critical infrastructure is more focused on the key assets described by a government as being essential to the standard function of the society and economy.  This would include key utilities such as electricity and water supply, public health institutions and national security groups such as policing and the military.

In recent years they have been subject to specific and prolonged attacks, exposing long-standing vulnerabilities.

Difference of priorities: CIA to AIC

The standard information security triad consists of confidentiality, integrity and availability.  The priorities for many business information systems will follow …

Protect Information Not Data

In an ideal world, should we not be protecting information instead of data?  This is an interesting concept.  We back up data.  We secure data.  We create and manage access control lists that allow a subject access to an object.  The object is generally classified as data.  We talk about 'big data', moving data to the cloud, and so on.  But is the data component actually that important?  Obviously certain individual pieces of data are very important.  Certain documents, files and so on have significant importance and exposure levels.  But on the whole, is an organisation run on data or information?

I guess we need to define both of the key terms here.  What is 'data' and what is 'information' and more importantly what are the differences?

What is 'data'?

A basic technical definition would be that data is the low level bits and bytes of an object.  This object on its own comprises basic, raw and unorganised facts.  The actual word would have a Lat…

Infosec Product Release Review - 16th Nov

An overview of recently released information security products, services, frameworks and policies from the last 7 days:


NETGEAR Debuts More Powerful Version Of Popular VDSL (13 Nov 2012): In addition, like other members of the ProSecure UTM family of security appliances, ... As the second entry in the NETGEAR ProSecure UTM S product line, the UTM25S ... Inc. an Information Technology services company based in New York.

Cloud Security Alliance Releases Security Guidance 1.0 (14 Nov 2012): The Cloud Security Alliance (CSA) has released version 1.0 of the "Security... Additional information about Trend Micro Incorporated and the products and ...

Who Do You Trust?

This is a tough question, whether it's focused on technology or real life.  'Who can you trust?' is often an easier angle to take, but ultimately that is a precursor to the main scene.  Peeling the onion a little, you can focus on bite-sized chunks and respond with 'trust with what?'.  If it's my life then the picture changes substantially.  I might trust Google with my search engine results, but perhaps not with diagnosing a disease.

The context will obviously help to determine the scope of who and what are trusted, but the decision making process will generally take the same route.  We ultimately start off with a blank canvas of pre-decision making, slightly marked by some bias and framing, before ending up with a person, product or service that we then utilise to perform an action we cannot perform ourselves.  Once that 3rd party has been chosen, we often fail to perform the checks again, placing our trust in them implicitly and explicitly.  This when i…

Skyfall - Cyber War Becomes Cool

I went to see James Bond's 23rd outing in Skyfall yesterday - for a second time this week, I admit; I do love a bit of Bond.  The film is great - go and see it! - and intertwines the new world action film with all the old world British spy touches that have made Bond the longest running movie franchise of all time.

Gone were the gimmicky gadgets of old, with megalomaniacs trying to run the world, destroy the world or recreate the world, and in came a cyber terrorist with a personal vengeance.  Technology has always played a part in Bond.  The British secret service, Bletchley Park and GCHQ have all had their fair share of computer-related innovations, from encryption through to surveillance, so seeing a control room full of screens 'processing' unintelligible code and instructions is nothing new.  However, this time around it was the concept of cyber war that was more prominent, as opposed to the technology.

Cyber Security Part IV - Consumer Protection

This is the 4th part of the cyber security series I started, and I want to focus on the consumer a little more.  Cyber attacks have been well documented in their ability to damage large organisations, government websites and critical infrastructure.  However, there is still a large volume of non-technical home and mobile users who are ending up as the victims of online attacks and identity theft.

"The use of more portable devices, including smart phones, has increased user convenience, but also opened up a can of worms when it comes to security.  Smartphones are not really phones.  They're computers, that happen to make calls"

Cash, Credit Cards, Convenience and Security

I was recently asked by Microsoft to comment on the concept of 'User Convenience -v- Security' from a software perspective.  Security is often seen as restrictive or inhibitive, so is generally not the first thing many (non-technical) users think about or implement.  Also, from an SDLC perspective, security is often seen as an add-on and left to the QA and audit teams to implement before an application or piece of software is released into the wild.  Convenience, on both counts, takes hold, reducing security to a post-incident action.

Convenience Wins Out

The same can be applied to many things.  Convenience versus safety is another angle.  How many of us don't bother with the seat belt on a roller coaster, flight or car journey if it's too tight and uncomfortable?  If it's restrictive we avoid it, even though in those examples our lives could be at stake.  A broader view could look at the market for insurance.  The inconvenience component is the cost …

Social Networking Security Management

Like it or loathe it, social networking is omnipresent.  From youthful party picture posting to professional networking and virtual discussion boards, your online personality and data sharing can be both powerful and an exploitable vulnerability.

The usefulness of many social networking sites often increases the more of your personal information you make available.  This has, in recent years, seen many criticisms of the likes of both Facebook and Google+ for how they manage and make use of your personally identifiable information (PII).  Whilst there can be risks with publishing any personal data online, careful management and protection of such data makes social networking less risky and more powerful than ever before.