Security as a Strategy (SaaS)


How well do you know IT Security - Pt 2? Quiz Answers.

How did you do with the quiz? The correct answer to each question is marked below.
  • 0-1  Security fail (maybe time to consider another career)
  • 3-5  Hacker's delight (see recommendation above)
  • 6-8  Formidable defender (not too shabby)
  • 9-10 Best practices model (worth every penny you are paid)


1. In IPSec, what kind of tunnel is first set up to initiate the VPN-creation process?

  • a. IKE
  • b. ISAKMP (correct answer)
  • c. Lincoln Tunnel
  • d. SSL

This tunnel is used to negotiate security parameters for the main IPSec tunnel.

2. How can ports 80 and 443 be defended against Web-based threats?

  • a. Web application firewalls
  • b. Content filtering
  • c. White lists
  • d. Black lists
  • e. All of the above (correct answer)

3. Two-factor authentication can include something you have, something you know and...

  • a. Something you are (correct answer)
  • b. Something you make up
  • c. Something encrypted
  • d. Something unique

This can include retina or fingerprint scans or other biometrics.

4. What do corporate security executives regard as the biggest threat to security?

  • a. Removable media such as thumb drives
  • b. Malicious insiders
  • c. Web 2.0 applications (correct answer)
  • d. Unpatched operating systems

According to Symantec, this can include social media such as Facebook and Twitter.

5. The goal of network access control (NAC) is:

  • a. Remediating security shortcomings of machines before they connect to networks
  • b. Making sure devices adhere to access policies once admitted to networks
  • c. Linking machines with user identities to impose appropriate policies on them
  • d. All of the above (correct answer)

And some vendors say NAC should do more.

6. What means did attackers in China use to infiltrate Google's network?

  • a. Social engineering using Facebook
  • b. Introducing malware via cross-site scripting of Web sites
  • c. Exploiting a flaw in Internet Explorer (correct answer)
  • d. Brute-force attack on Google executives' passwords

7. Which botnet advance has made eradicating them more difficult?

  • a. Embedding command and control capabilities in zombie machines (correct answer)
  • b. Reinfection via social media sites
  • c. Sheer number overwhelms defensive measures
  • d. Use of rootkits to make bot software more difficult to dislodge

When command and control nodes shift, it becomes more difficult to shut them and their subject machines down.

8. Which of the following is not an example of an application vulnerability?

  • a. Lack of sufficient logging
  • b. Fail-open error handling
  • c. Failure to properly close database connections
  • d. Running with least privilege (correct answer)

This is actually recommended to strengthen applications.
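To make the three weaknesses in question 8 concrete, here is an added example (not part of the quiz or its author's material) that shows each one beside a hardened form, and finishes with a least-privilege database connection. It uses only the Python standard library and a constructed in-memory SQLite database; every name in it (the ACL, the `reports` table, the helper functions) is the example's own.

```python
# Added example, not part of the quiz: insufficient logging (a), fail-open
# error handling (b) and unclosed database connections (c) beside hardened
# forms, plus a least-privilege connection (d). Standard library only; the
# data and names are constructed for this demonstration.
import logging
import sqlite3
from contextlib import closing

log = logging.getLogger("authz")

# Constructed access list: which users may read which report.
ACL = {"alice": {"sales"}, "bob": {"sales", "payroll"}}


def is_allowed_fail_open(user, report):
    """Weakness (b): an unexpected error grants access instead of denying it."""
    try:
        return report in ACL[user]
    except Exception:
        return True  # unknown user (KeyError) slips through


def is_allowed_fail_closed(user, report):
    """Hardened form: errors deny access and are logged (also addresses (a))."""
    try:
        return report in ACL[user]
    except KeyError:
        log.warning("authz denied: unknown user %r asked for %r", user, report)
        return False


def make_db():
    """Constructed sample database; a fresh in-memory copy per connection."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE reports (name TEXT PRIMARY KEY, owner TEXT)")
    conn.executemany("INSERT INTO reports VALUES (?, ?)",
                     [("sales", "alice"), ("payroll", "bob")])
    conn.commit()
    return conn


def lookup_owner_leaky(conn_factory, report):
    """Weakness (c): the connection is closed only on the happy path."""
    conn = conn_factory()
    row = conn.execute("SELECT owner FROM reports WHERE name = ?",
                       (report,)).fetchone()
    if row is None:
        raise LookupError(report)  # early exit: conn is never closed
    conn.close()
    return row[0]


def lookup_owner(conn_factory, report):
    """Hardened form: closing() releases the connection on every exit path."""
    with closing(conn_factory()) as conn:
        row = conn.execute("SELECT owner FROM reports WHERE name = ?",
                           (report,)).fetchone()
    if row is None:
        raise LookupError(report)
    return row[0]


def read_only_connection():
    """Answer (d): read-only code gets a connection that cannot write."""
    conn = make_db()
    conn.execute("PRAGMA query_only = 1")
    return conn


def is_closed(conn):
    """True if the connection has been closed (SQLite refuses further use)."""
    try:
        conn.execute("SELECT 1")
        return False
    except sqlite3.ProgrammingError:
        return True


def run_lookup(lookup, report):
    """Run a lookup; return (result or None, whether its connection was closed)."""
    created = []

    def factory():
        created.append(make_db())
        return created[-1]

    try:
        result = lookup(factory, report)
    except LookupError:
        result = None
    return result, is_closed(created[0])


def write_blocked(conn):
    """True if the connection rejects a write (least privilege in effect)."""
    try:
        conn.execute("INSERT INTO reports VALUES ('x', 'y')")
        return False
    except sqlite3.DatabaseError:
        return True


if __name__ == "__main__":
    print(is_allowed_fail_open("mallory", "payroll"))    # True: fail open
    print(is_allowed_fail_closed("mallory", "payroll"))  # False
    print(run_lookup(lookup_owner_leaky, "missing"))     # (None, False): leaked
    print(run_lookup(lookup_owner, "missing"))           # (None, True)
    print(write_blocked(read_only_connection()))         # True
```

The leaky lookup only fails to close its connection on the error path, which is exactly where connection leaks hide in production code; `closing()` (or a `with` block on any context-managed resource) removes that path entirely. The `query_only` pragma stands in for the more general least-privilege practice of giving read paths a database role that cannot write.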

9. What is one downside of public key encryption?

  • a. It is less secure than using secret keys
  • b. It requires a trusted party to verify public keys (correct answer)
  • c. It cannot ensure confidentiality
  • d. It cannot ensure authenticity

10. Which is not a Wi-Fi security option?

  • a. WEP
  • b. WPA
  • c. ICMP (correct answer)
  • d. 802.11i

Device Fingerprints: Good IT Security Strategy?

We're all familiar with the concept of people being fingerprinted to verify identities. Now Uniloc USA, an Irvine, California, company, has developed Physical Device Recognition (PDR) technology that creates a unique fingerprint for networked devices. The combination of its NetAnchor server software, security appliance and management software creates a trusted-device network in which only authenticated devices are allowed to communicate.

Authorized client machines are identified using Uniloc's PDR technology to generate a device fingerprint based on the unique and inherent characteristics of each device. The device characteristics are based on both naturally occurring manufacturing imperfections and intentional configuration differences. This fingerprint becomes an authentication credential that is locked to that device.

One of Uniloc's target markets for this technology is industrial control systems in industries designated as critical infrastructure, including water, power, oil and gas, chemicals and transportation. The idea is to leverage a unique device fingerprint in trusted communications between SCADA (Supervisory Control and Data Acquisition) master stations and RTUs (Remote Terminal Units) and PLCs (Programmable Logic Controllers).

Most recently, the company has been focusing on network security professionals with the pitch of adding another authentication credential (the device fingerprint) to network edge devices. Their story goes like this:

 "While there is a trend towards moving technology into the cloud, properly validating the identity of a user, or user authentication, must continue to occur on the connected device. Today's passwords are not reliable enough for advanced cloud concepts like billable edges but many authentication technologies like smart cards are too expensive and inconvenient. Uniloc's Edge ID identifies the device itself for an affordable, enhanced user authentication without any user hassle."

Will this technology fly in the long run? Or will it be just another great idea that ends up in the "that's interesting" bin of technology landfills? We'll just have to see.

21 Layers of Security


The Transportation Security Administration (TSA) has on its website a diagram of its "defense-in-breadth" strategy. I got a kick out of it because you could liken it to the "defense-in-depth" strategy of many network security professionals.

The TSA says "each one of these layers alone is capable of stopping a terrorist attack. In combination their security value is multiplied, creating a much stronger, formidable system." So if you get through one layer, the argument goes, you'll get caught in another. Maybe 21 layers is the secret number for network security as well? Just a thought.

Securing Virtualized Apps

To secure a virtualized environment you must first understand the nature of the problem, which is that information, content and applications are now mobile and not necessarily tethered to a fixed location. Traditional security looks at the infrastructure, via defined perimeters such as firewalls, ACLs (access control lists) and VLANs (virtual local area networks).

However, in a world of mobility we must focus on the data itself, which can exist outside the defined infrastructure. And we have to think of security from a biological perspective. What I mean is, think of how a human body, which is mobile, isolates and attacks bacteria that enter it. So the data (the body in this example) must have attributes which help it remain healthy, even as it travels to strange and new locations.

We see examples of mobility in virtual machines and appliances that can exist anywhere in the "cloud." Users of smartphones are both creators and consumers of information that moves peer-to-peer as well as through centralized corporate and shared community networks.

Securing the data means that no matter where the data or application exists, at any point in time, there are rules that follow the data. Think of it like a passport issued for each data set. Access, bandwidth, prioritization, compliance policies, permissions, restrictions and traffic patterns are dynamically assigned, persistent and understood within the contextual flow of that specific data set (i.e., who is using it and its purpose), no matter where it resides. This allows provisioning of service as well as the ability to identify aberrant patterns and hence potential security threats.

I guess we can call this concept "portable security" because it crosses domains and networks governed by disparate owners. This is not a new concept in the world of flow-based network security. But we are seeing the emerging application of flow management in areas such as identity federation and management of virtual machines that may traverse various cloud providers and corporate data centers.

There is no one application provider or solution set that has all the pieces of portable security. We should approach each situation using the fundamental methodologies of risk assessment and mitigation. That is, understand the security challenge in terms of who, what, where, why and how. Then we can start to devise the solution set that best meets specific needs.
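The "passport" idea above can be made concrete. The following is an added example, not code from the post or from any product it mentions: a policy (who may use the data and for what purpose) is bound to the exact bytes of a data set with a keyed MAC by the issuing domain, so that a consumer in a different domain or cloud can verify that neither the data nor its rules were altered in transit and then enforce those rules locally. The HMAC binding, the field names, the shared key and the sample data set are all this example's assumptions; it uses only the Python standard library.

```python
# Added example, not from the post: a "passport" of rules bound to a data set
# so that any domain holding the issuer's key can verify the rules and enforce
# them wherever the data travels. Field names, the HMAC binding, the key and
# the data are constructed for this demonstration; standard library only.
import hashlib
import hmac
import json

# Constructed key shared between the issuing domain and trusted consumers.
ISSUER_KEY = b"constructed-demo-key-not-for-real-use"


def _canonical(policy):
    """Stable byte encoding of the policy so the MAC is reproducible."""
    return json.dumps(policy, sort_keys=True, separators=(",", ":")).encode()


def issue_passport(data, policy, key=ISSUER_KEY):
    """Bind a policy to the exact bytes of a data set with a keyed MAC."""
    data_hash = hashlib.sha256(data).hexdigest()
    msg = data_hash.encode() + b"\n" + _canonical(policy)
    tag = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return {"data_sha256": data_hash, "policy": policy, "tag": tag}


def verify_passport(data, passport, key=ISSUER_KEY):
    """True only if neither the data nor the policy changed since issuance."""
    data_hash = hashlib.sha256(data).hexdigest()
    if data_hash != passport.get("data_sha256"):
        return False
    msg = data_hash.encode() + b"\n" + _canonical(passport.get("policy", {}))
    expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, passport.get("tag", ""))


def authorize(data, passport, user, purpose, key=ISSUER_KEY):
    """Decision made in the receiving domain using only the passport.
    Returns (allowed, reason); denials are what a flow monitor would flag."""
    if not verify_passport(data, passport, key):
        return False, "passport invalid or data altered"
    policy = passport["policy"]
    if user not in policy["allowed_users"]:
        return False, f"user {user!r} not permitted"
    if purpose not in policy["purposes"]:
        return False, f"purpose {purpose!r} not permitted"
    return True, "ok"


# Constructed sample data set and policy from the issuing domain.
DATASET = b"customer_id,region\n1001,EMEA\n1002,APAC\n"
POLICY = {
    "owner": "corp-datacenter",
    "allowed_users": ["alice", "svc-analytics"],
    "purposes": ["analytics"],
    "classification": "confidential",
}
PASSPORT = issue_passport(DATASET, POLICY)


def demo():
    """Exercise the checks as a consumer in another domain would."""
    results = {}
    results["allowed"] = authorize(DATASET, PASSPORT, "alice", "analytics")
    results["wrong_user"] = authorize(DATASET, PASSPORT, "mallory", "analytics")
    results["wrong_purpose"] = authorize(DATASET, PASSPORT, "alice", "marketing")
    # A consumer edits the policy to add itself: the tag no longer matches.
    forged = json.loads(json.dumps(PASSPORT))
    forged["policy"]["allowed_users"].append("mallory")
    results["forged_policy"] = authorize(DATASET, forged, "mallory", "analytics")
    # The data changed in transit: the recorded hash no longer matches.
    altered = DATASET + b"1003,LATAM\n"
    results["altered_data"] = authorize(altered, PASSPORT, "alice", "analytics")
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:14} {outcome}")
```

Because the policy travels with the data and is integrity-protected, enforcement no longer depends on the perimeter the data happens to be inside; the receiving domain needs only the issuer's key (in practice a public key and signature, which the symmetric MAC stands in for here) to make the same decision the owner would have made.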

Global Security Threats in 2010

Professor Howard A. Schmidt, White House CyberSecurity Advisor and CEO of the Information Security Forum, was speaking recently on the emerging threats created by the global economic upheaval. As businesses of all sizes expand, via the Internet, to engage with sales, production and distribution partners around the world, new threats become imminent.

Political - Espionage, previously the stuff of the Cold War and Hollywood entertainment, has become a reality because almost anyone can use the Internet to unearth and piece together confidential information on individuals, governments and corporations. What is illegal behavior in the U.S. may not be illegal in the other countries your business operates in.

Legal - Theft and misuse of other companies' intellectual property and brand names is commonplace, and laws differ across each border. We hear about identity theft regularly on the news. Electronic evidence can now be retrieved from all sorts of communication devices and protocols between employees and the world. What you say, where you say it and how you say it must now be monitored.

Economic - Organized crime has evolved from the days of extorting storekeepers for "protection" to well-planned thefts of credit card information and kidnapping of customer hard drives via the Web. Emerging nations are using technology as a way to help their struggling economies but in the midst of that growth, criminals exploit the rudimentary architectures and security vulnerabilities.

Socio-cultural - High unemployment has increased the number of disgruntled employees and thus creates an environment for increased employee data theft, fraud, embezzlement, corruption and risk.

Web enablement of society - As more and more devices that are part of daily life become web-enabled, the possibility of security incidents with life-threatening impact becomes real. An example is IP-enabled pacemakers. These devices contain a radio transmitter which connects wirelessly to receiving equipment to report on the condition of the patient's heart. Any problems are instantly reported to the doctor, and regular checkups can be done by remotely interrogating the home-based equipment. Imagine the impact on a person's life if the network were to be compromised.

5 steps to reduce global risk

The things you can do to reduce risk in this global economy, according to Professor Schmidt, include:

  • 1. Get the basics right - Identify critical and sensitive information that requires special handling and secure management. Continually re-assess your risks, identify and deploy security controls and re-examine your security function activities.
  • 2. Throw out assumptions - Look beyond historical data that might say "we've never had a security breach" because complacency is the point where your risk grows greatest. Question your long-held beliefs about security and about the nature of threats from employees and business partners.
  • 3. Plan for uncertainty - Prepare for a whole new world where wireless communication is the norm. And where cyber criminals lurk in the alleys off each transmission. Develop and rehearse responses in the event of a security incident, much like disaster recovery drills.
  • 4. Become a risk champion - Adapt to changes in your organization's risks. If previous security plans were based on old technologies that have since been updated, then update your security strategy and plans as well.
  • 5. Build for the future - Maintain your capabilities to respond to incidents; collaborate with others and have an end-to-end strategy.

IT: Strategic investment or cost of doing business?


My view is that whether IT is a strategic investment or a utility cost depends on what the company needs information technology to do. If information technology is a key element of the firm's product, service, operations or strategy, then IT should be viewed as a strategic investment.

Wal-Mart, which uses information technology to drive costs out of the supply chain, is a good example. Wal-Mart, which one does not think of as a technology company, is in fact a leading force in the adoption of new technologies, such as Internet-based EDI and RFID.

On the other hand, if information technology is not a key element, then it should be viewed as a cost of doing business, seeking to maintain acceptable levels of service with managed levels of risk, at the lowest cost.

Of course, there are several positions that a firm may take between these two ends of the spectrum. One may view IT as a strategic investment but still not be leading the charge for new technologies, as Wal-Mart is doing. On the other hand, one may view IT as a cost of doing business yet still make significant investments in new systems as a platform for growth.

What's needed, then, is for management to step back and decide what the objectives for information technology are, how well the current systems satisfy those needs, and what actions, resources and spending are needed for IT to meet those objectives; in other words, an IT strategy.
