[SecurityRatty] tag: centric

Talking Engagement

Fri, 14 Nov 2008 06:46:00 +0000

So, it finally happened. I was invited to talk at an Information Security Conference and I went and talked.

My talk was about the risks of information leaving the organisation but I decided to add in the risks of information not leaving the organisation.

This may sound counter productive but in these though times your IT department should really be looking at using services such as GMail, your Marketing department should be looking at using Facebook, Twitter, Blogs etc. Your HR department should be looking through LinkedIn for new staff.

If your Security Department is too tough on information leaving the organisation then you are missing out on opportunities. Of course, if you are too lax then information will make its way out and that can't be good for the company either.

Information Classification is key. As is awareness.

My speech was very well received, achieving over 8/10 for the different areas and I have been invited back to speak again.

I must admit that my speech was aimed at business decision makers and not technical people and yet the people who showed up were more technical people. There are very few companies in South Africa (with my employer being a noted exception) that treat Information Security as a business issue and not (only) a technical issue.

I'm not really one to tooth my own horn but I wrote this blog entry to thank a number of people who made my speech possible.

Firstly thank you to the two blogs that I feel are on the forefront of Information-centric Security - Securosis and Rational Survivability. I used some material from both sites and some that was sent to me by Richard Mogull from Securosis.

I used some speaking tips that I got from Presentation Zen so I didn't put everyone to sleep (even though my speech was at the danger time of 3:30pm when everyone is tired and wants to go home) and I used some (free!) graphics from Stock Exchange.

When I was preparing for the speech, I revisited some of my old Blog posts which I think I need to repost as I have some more ideas about them.

Innovation In Security--Lessons from TelePresence and Cloud

Tue, 11 Nov 2008 21:00:00 +0000

Innovation in Security is a theme that we at EMC and RSA strongly believe in— it was central to my keynote speech at the NCA Security and Technology Conference in Seattle on the 29th of October. Yet, as the day progressed, I could not help but think of how extensively we need to innovate in our security deployments, to enable vibrant new information exchange capabilities, and to sustain the rapid changes in our information-centric lifestyles.

And are we being hit with Change!
Carlos Dominguez, the SVP at Cisco, spoke to the profound impact of Web 2.0 and TelePresence [TP] technologies on our business and social lifestyles...

When Markets Collide

Sat, 08 Nov 2008 08:29:59 +0000

One of my favorite Motley Fool analysts is Bill Mann, yesterday he wrote an article on China that re-set a number of the investing thesis themes in the current global situation:

Things are so bad in China that its gross domestic product growth rate may fall from double digits to the dowdy level of 8%. Eight percent, by the way, is a level at which the United States is unlikely to ever grow again. It can't. Our economy is simply fully developed. Thus the sobriquet "developed economy." I know, not exactly catchy.

..

All of the headlines show China sitting at a crossroads. But the reason I have faith in China is that it has historical proxies. Since 1970, with the exception of a few OPEC members, only four economies have made the transition from emerging to developed markets (meaning their per-capita incomes exceed $15,000 per year): Taiwan, Singapore, Hong Kong, and South Korea.
These four economies have two things in common. First, they have few natural resources; and second, they are dominated by Chinese values and the traditional Chinese work ethic. Mainland China is different only because it got a later start.

Also, China reportedly has currency reserves $1.6 trillion. That means that China has a better balance sheet than the US, plus 1.6 trillion beats minus 12 trillion if you are scoring at home.

Given that the Chinese stock market is down 70% in the last year, its an interesting time to look at Chinese stocks. A few weeks back Mohamed El-Erian made the bull case for buying the MCSI Emerging Markets index which gives you exposure to the BRICs plus a lot of other countries.

Speaking of El-Erian, his book "When Markets Collide" was just voted Best Business Book of the Year. If we could have voted for a book that we wished everyone had read in 2007 he would have won that too, he said

“When I wrote the book, I thought I was writing about the future. When it was going to press, I thought it was about current affairs. Now I wish it was about history.”

This part below reminds me a lot of 1995 security architectures used to defend 2008 integrated applications

The present crisis had been triggered because the international financial system had undertaken activities that had “far outpaced the ability of the infrastructure to sustain them”, said El-Erian.

And it was not just the markets that could not cope with their own changes, but governments as well. Significant weaknesses had been exposed “from the firms, to the regulatory agencies, to governments, to multilateral oversight”.

“Turbocharge that with financial innovations, which history tells us we tend to overproduce and overconsume, and it’s inevitable that you will get a series of market accidents,” he said.

In a Robert Garigue sense, in computer security our infostructure (users, apps and data) are outpacing our infrastructure-centric security models

Blue Box #83: SIP and Asterisk vulnerabilities, voice biometrics, P2PSIP, Aircell blocking Skype, VoIP security news and more

Thu, 16 Oct 2008 06:48:11 +0000

Synopsis: Blue Box #83: SIP and Asterisk vulnerabilities, voice biometrics, P2PSIP, Aircell blocking Skype, VoIP security news and more…

Welcome to Blue Box: The VoIP Security Podcast #83, a 39-minute podcast from Dan York and Jonathan Zar covering VoIP security news, comments and opinions.

Download the show here (MP3, 18MB) or subscribe to the RSS feed to download the show automatically.

NOTE: This show was recorded on September 4, 2008.

You may also listen to this podcast right now:

Show Content:

00:20 - Intro to the show, contact information and how to provide comments. Welcome to all the new listeners - and to all those listeners who have been here for so long!
Programming notes:
- Three-year anniversary of Blue Box coming up on October 24th - any thoughts you'd like to share with us? (Please send them to us by October 23rd.)
Remote DoS in reSIProcate
Remote root shell in Trixbox
Second route of VoIPShield Cisco/Avaya/Nortel vulnerabilities
AST-2008-010 – IAX2 ‘POKE’ Resource Exhaustion
AST-2008-011 – IAX2 Firmware Provisioning System
Saunderslog: Squawk Box – July 10, 2008: Voice biometrics and VoiceVerified.com
Saunderslog: Squawk Box – July 9, 2008: P2PSIP
IETF: P2PSIP Security Requirements
Voice of VOIPSA: “Aircell blocking VoIP on a plane” – part 1 , part 2 and an update
Voice of VOIPSA: Shawn Merdinger’s series on “Asking The Cisco IPICS Expert” – Questions 1-5 – 6-10 – 11-15 – 16-20 – 21-25
Voice of VOIPSA: Asterisk ‘hack’ to show blocked Caller-ID points to larger trust issues with SIP (and SpeechTEK speech)
NetworkWorld: Georgia student arrested for hacking grades, VoIP
CRN: Analysis: Hacking VoIP as easy as 1-2-3
Ari Takanen starts blogging at InfoWorld
InfoWorld: Motivation for VoIP Fuzzing
TMCnet: How to keep your tech career afloat
New analyst report: Security Threats Loom Over Unified Communications pointing to Light Reading report and article
VoIP Companies to Fight For Market Share
IEEE approves 802.11r standard
Google Chrome – upgrading the web to be application-centric
Items on my DisruptiveTelephony blog… Skype 5th birthday, Asterisk future, Digium/Nortel
No comments this week.
Review of the last week's traffic on the VOIPSEC public mailing list
Wrap-up of the show
39:08 - End of show

Comments, suggestions and feedback are welcome either as replies to this post or via e-mail to blueboxpodcast@gmail.com. Audio comments sent as attached MP3 files are definitely welcome and will be played in future shows. You may also call the listener comment line at either +1-415-830-5439 or via SIP to 'bluebox@voipuser.org' to leave a comment there.

Thank you for listening and please do let us know what you think of the show.

Integrating Event/Incident and Problem Management

Tue, 14 Oct 2008 14:00:59 +0000

Change, Change, Change. What needs to change as IT organizations move towards sophisticated virtualized infrastructure? Event/Incident and Problem Management integration of course!

We have been conducting polls of our customers and of IT professionals at technology trade shows for the past two years and the results are in: Pulling together all of the management pieces and processes is even more crucial in a virtualized environment.

So what does this mean for you? You will need to refine your incident and problem management processes with new technologies in order to reduce downtime and maintain end user performance. But of course even the most basic technologies are not well integrated even in today’s world.

I recently participated in a Gartner Conference and watched to my amazement a real-time electronic survey of the audience. To my disbelief, the audience, filled with 300+ people from Fortune 2000 companies provided real-time responses to the question:

What level of integration does your IT org have between event management and service desk applications?

None: 10%
Manual Phone call from IT ops to IT service desk staff member: 46%
Manual click button on event manager to open trouble ticket: 20%
Automated event management system automatically opens trouble ticket without requiring human oversight or approval: 24%

Unbelievable… still very few of the survey respondents have yet to formalize problem management systems with event management systems. For 56% of the audience the process is still manual!

Another interesting real-time survey question at the Gartner Conference was:

Who in your organization is responsible for critical problem processes and resolution?

IT Service Desk 13%
IT Operations 49%
Process Team 12%
Other 9%
Responsibility not formalized 17%

Virtualization adoption and the speed with which things change in a virtualized environment require automation and will transform Incident and Problem Management. Clearly with this new technology we are required to re-think Organizational, Behavioral and Cultural Challenges required to take advantage of the opportunities that virtualization provides.

Incident and problem management processes and metrics must bridge organizational silos that have been the norm within IT. With virtualization, people have to work more closely together in the different silos than ever before. IT leaders need to break down the walls between the technology-centric silo mentalities.

Business Imperative Action Plan:

What can you do today? –Understand the impact of virtualization on incident and problem mgt. workload, provide technology training for helpdesk/service desk staff.
What can you do in the next 12 months?

Formalize problem management processes, metrics and personnel.
Invest in tools and processes for systems on virtualized servers.
Long term: On the Radar Screen!
Instill teamwork into all groups responsible for the virtualized environment service and support. Map components and configuration items directly to end user services.

Final Thoughts: Know the management pieces and ensure that they fit together. It’s great to buy new technology, but be demanding to ensure that your vendors show you have they will help to link all these pieces together - Change, Inventory, Incident, Problem, Server, Capacity, Performance, Configuration, Event, and Integrated Workflow.

A horse's ass approach to virtualization security

Mon, 13 Oct 2008 21:52:00 +0000

The interest and excitement around virtualization is palpable. However, it seems like the security approaches in this area are similar to the constrains that a horse's ass put on the space shuttle design.

Virtualization security solutions today primarily focus on protecting the virtual OS, the virtual networks, or the hypervisor software itself. More specifically, most current virtualization security technologies are focused on preventing hypervisor root kits, providing intrusion detection, anti-malware, anti-virus, network security, etc. In the physical world, this is similar to individually protecting hardware, operating systems, and the networks that connect them. That is, the focus is mainly on protecting infrastructure and perimeter, not data. Protecting that data, however, should be the single most important aspect of virtualization security.

Here is why: Any execution environment requires four elements: devices/hardware/OS, networks, applications, and data. With the advent of virtualization, physical devices/OS are being replaced by flexible, on-demand virtual “devices,” networks are being virtualized and applications are being streamed down from virtual environments. Therefore, the only remaining “constant” element is the data itself - which also has a longer lifetime than the ephemeral virtual environment. While protecting the virtual infrastructure is important, I believe the primary focus for protection should be the data – the true IT asset.

Virtualization is a game-changer for computing and has forced the IT world to rethink its infrastructure; now virtualization security has to be rethought as well. An information-centric approach to persistently protecting the data itself is the only way to really benefit from virtualization and keep the data truly secure.

Or thinking about it another way - why was Google's approach to navigate the web using search better than the initial Yahoo approach of hierarchical mapping? Coz Yahoo was mapping an old yellow-book approach to managing data, while Google took advantage of the new medium.

I shall try and elaborate on my thoughts in upcoming posts...

User-centric security begs for process overhaul

Wed, 08 Oct 2008 20:00:00 +0000

Ferrum College overhauled people and processes when it implemented user-centric access control.

Access control: The evolving tool set

Wed, 08 Oct 2008 20:00:00 +0000

Enterprises struggle to find a sweet spot -- in cost, complexity and capability -- for user-centric access control.

Perimeter-centric Regulations in an Information-centric World

Mon, 06 Oct 2008 20:00:00 +0000

Last week I took a trip out to our Executive Briefing Centre in Cork, Ireland. I was there to present to senior IT folk from pretty much all of the UK’s Police Forces as part of a two-day agenda that had been lined up for them by my colleagues from many of EMC’s lines-of-business.

I guess there are few other organisations where the lines between physical and virtual security are brought so sharply into focus than in one where you are dealing – first-hand – with criminals in the way that our police officers must every day of their working lives.

During our conversations we mused on various aspects of keeping information secure in such a fluid and volatile environment...

Fraud Detection in Financial Services Reloaded

Sat, 20 Sep 2008 18:36:27 +0000

I read an interesting post by the former CTO of out-of-business Kaskad Technology, where event processing colleague Colin Clark respectfully disagrees with my assesement of the (lack of) capabilites in current-generation “CEP engines” for detecting complex fraud in financial services. I’ll respond with a quote from my September 2007 post, End Users Should Define the CEP Market.

“Experienced end users are very intelligent.

These end users know the complex event processing problems they need to solve; and they know the limitations of the current COTS approaches marketed by the CEP community. Even in Thailand, a country many of you might mistakenly think is not very advanced technologically, there are experts in telecommunications (who run large networks) who are working on very difficult fraud detection applications, and they use neural networks and say the results are very good.   However, there is not one CEP vendor, that I know of, who offers true CEP capability in the form of neural nets.

Almost every major bank, telco, etc. has the same opinion, and the same problem. They need much more capability than streaming joins, selects and rules to solve their complex event processing problems that Dr. Luckham outlined in his book.   The software vendors are attempting to define the CEP market to match their capability; unfortunately, their capabilities do not meet the requirements of the vast majority of end users who have CEP problems to solve.

If the current CEP platforms were truely solving complex event processing problems, annual sales would be orders of magnitudes higher. Hence, the users have already voted.   The problem is that the CEP community is not listening.”

Not to be overly repetitive, but the last part of this quote from a year ago is worth highlighting:

“If the current CEP platforms were truely solving complex event processing problems, annual sales would be orders of magnitudes higher. Hence, the users have already voted. The problem is that the CEP community is not listening.”

Frankly speaking, nothing in the “CEP world” has changed, technologically speaking, since this September 2007 post was written. From a sales perspective, we have seen less CEP-related sales in 2008 than in prior years. If these so called CEP products were actually capability of detecting “real” complex network-centric situations (threats) in real-time, they would be selling faster than a cup of ice water in the blazing hot Sahara desert.

Don’t shoot the messenger. Build better detection engines!

On the other hand, maybe complex detection is too hard for most of these companies and that is why they focus on routing, mediation and relatively simple rule-based scenarios, versus complex event processing?