Archive for December, 2008
Less is More
After Dutch holey cheese, there now is a Dutch font with holes as well.

Is it a gimmick or a genuine attempt to change the environment? Will we see other manufacturers adding “holes” to improve energy consumption and go green?
I like the marketing advantages, not to mention the “in the press” section:
It is not possible for us to keep up with all publications about the Ecofont. If you happen to read an (English written) publication about the Ecofont, please let us know. Thanks in advance.
See more here: http://www.ecofont.eu/ecofont_en.html
Secure Internet Browsing
There is no such thing as absolute security. Security is relative and multidimensional. If you follow my advice, you will be relatively more secure than you were before.
More than that, you will probably be more secure than the rest of the pack. This is very important, for the reasons I already mentioned in the story about the bear.
The scenario I want to cover is this very common one:
- You use a single browser on a single machine
- You browse to “random” sites as well as browse to a small number of “secure” sites – your bank perhaps. There’s a clear distinction between the two.
Integrity and the Can of Extra Virgin Olive Oil
So the California state government is going to regulate olive oil (in this case, California will follow Connecticut). A case in point is adulterated cans of olive oil that are marked as 100% Extra Virgin Olive Oil (see http://news.yahoo.com/s/ap/20081121/ap_on_re_us/olive_oil_standards).
Now I am typically against government regulations, with a few exceptions. Maintaining integrity of everything from investment firms to branded products to olive oil pressings is one such exception.
Why? Well, take Bernard Madoff, as an example. The SEC completely missed that one, causing even more damage to a battered financial system. Our savings will bleed some more because of this. Phishing exploits the integrity of brands and reduces the usefulness of email. Etc. Integrity is key to confidence, and confidence propels humanity forward.
And as for olive oil adulterated with peanut oil? Well, apart from me frying something in what I believe to be Omega 3 rich stuff pressed by Italian farmers that may actually be inexpensive soybean or peanut oil, what about the poor sod who is allergic to peanuts and gets an anaphylactic shock?
Losing integrity can (and will) turn fatal quickly.
Hurry up California. Purify my olive oil supply NOW.
Speaking of olive oil, remember to stock up regularly. Oils are highly perishable, so replace every 6-12 months regularly (before they oxidize and turn rancid).
Another zero-day exploit can take over your IE
Yet another zero-day emergency patch released by Microsoft (http://www.microsoft.com/technet/security/bulletin/ms08-078.mspx), following last month's equally dangerous vulnerability. Patch it ASAP. This one allows remote execution of code on your machine, and it affects all versions of IE.
This is getting wearisome. Time for Microsoft to start contemplating IE infrastructure from a security perspective.
Meanwhile, Mac OS users are contemplating whether an AV makes sense for a Mac or not.
On Techniques and Methodologies – Or the “Great Security Quibble”
Great craftsmen use tools to manipulate raw material into something great. Luthiers painstakingly select the proper wood for the application and work it into emotion-inducing string instruments. Great chefs select great products and use various techniques to convert the products into something better. The better security professionals select the tools that will help them advance the state of security (of being secure) throughout their organization.
All this assumes great craftsmen and professionalism in their art. Without a great luthier, it does not matter how good the planes and cutters and bridge setter tools are. Or how long the maple, spruce, ebony or other wood has been aged. The violin will just not sound right. Similarly, an awful cook can take the best products and convert them into something that can be both disturbing and toxic.

Competent professionals work with determination and aplomb
An incompetent security professional can spend many resources on the wrong product and technologies. Even worse, the incompetent professional might lead their organization to a false sense of security (which oddly reminds me of the famous Monty Python sketch about the “machine that goes ping” http://www.youtube.com/watch?v=arCITMfxvEc; I have this vision of John Cleese as a security guy saying ”we have this doohickey here and therefore we are secure – What? … Nah – Did we need to install it?”).
What sets apart the great practitioners and professionals from the incompetent wannabes is a keen focus on the issues at hand and a mastery of the techniques and methodologies prevalent in the field. Good practitioners understand the focus, know what needs to be done and execute, while the best professionals are able to understand the ecosystem of the current techniques and methods and extend their boundaries in order to adapt to a changing landscape.
And yet I keep hearing and reading generic discussions surrounding security that are uprooted from any meaningful scenario (a time and place, and sensitivity to risk). Current topics I read about on a daily basis are the security of cloud services and the security of virtualized applications/platforms. I call these “security quibbles”.
Discussing these topics without planting one’s feet on the terra firma of a scenario is utterly meaningless. For example, let’s review a current discussion topic of which is better: SAAS or Hosted Server or Hosted Virtual Image. Let’s try to avoid the standard silly audiophile style discourse (my Mark Levinson amplifier sounds better than your Krell; there is more “air” around the resin of the violin). So, let’s say that the data is the codes for the US strategic defence ICBM missiles. For this scenario, all 3 are equally bad. In fact, anything that is connected to any public network is too risky for this application (IMHO). What about a banner ad server for Google ads? Probably all three work equally well, perhaps overkill. Another part of the equation is the quality of your security team – better teams can better provide security for their organization.
It is the fad/fashion of the day and thus better left to such professional magazines as People magazine and the National Enquirer. It has no place in the security discourse.
Product selection processes are yet another such area that is prone to the quibble mentality of generalities and fads/fashions. But sales of any sort (be it toys, game consoles, cars, houses, submarines, nuclear missiles, planes, ECG machines, power plants, AV systems or any other “large enough to be substantial” expense) are more a matter of psychology than of scientific method. As a result, in many cases where needs should drive product selection, the opposite happens.
Outsourcing is another oft-blogged topic. Outsourcing is neither good nor bad for security. It has its risks.
The security professional should stop thinking about technology trends as good-or-bad, and instead analyze the risk, identify the critical business factors, and make sure they are articulated properly to the decision makers/vendors. The different options will be laid out with the associated risks, and any suggested modifications to SOP (methods and techniques) should be highlighted. Similarly, critical business factors should then drive the selection of any products that should compensate for areas of increased risk.
I will concede one point: the security quibble is what keeps us interested. The security quibble is the pornography of the security world. When I get some time, reading security blogs is amusing and fun. But the best has got to be Bruce Schneier. His books sometimes read like “coming of age” stories, except for the security “spin”. The cryptographer ”coming of age” and realizing that the world is not perfect. To which I agree – it is not.
“Something Mumbled in an Uncomprehensible Israeli Accent”
Shamelessly copied from the Internet Security and Operations Intelligence 6 (ISOI) meeting agenda.
I wish I could be there but I have better plans.
Gadi, I hope that CC copyrights do not apply.
Oh Great Database – Wherever and Whatever is My Data?
So Sharon posts occasionally on the Imperva blog. A nice post was about data loss at companies that do database monitoring: http://blog.imperva.com/2008/12/protecting-the-database-less-i.html
It does not surprise me that people who monitor more lose less. They know more about where their data is and how it is being used. And they assume less. So their time is better spent, focusing on “what is” vs. “Hmmm… perhaps they are doing this and maybe they are doing that“. It is somewhat a statement of the obvious.
So we are back to what most practitioners of security know (or should know): that governance is key. In order to do security right, you must KNOW what the crown jewels are, where they are, what employees are doing with these jewels, etc. At that point you can secure, you can prevent, you can assess risk, you can make decisions based on factual data (not imagined data).
Pamela Fusco continually drives this point forward. In her presentations (an example of which can be found at http://www.securedenmark.com/2007-Presentations/Fusco%20Denmark%20final.ppt) she typically reflects on a multi-year strategy for the correct way to build a security practice. She actually recommends starting higher than governance – she starts with the business drivers (you can’t have governance without understanding the business). She is dead on!
Governance can exist without security (it is merely a decision based on acceptable level of risk). But security without governance? No chance.
Question for Geeks
Are SMTP messages the cockroaches of the Internet?
1. There are lots of them
2. They multiply exponentially
3. They have been around for a very long time (in Internet years)
4. They are extraordinarily resilient
/al
PS: since our readership is global, I want to ensure that everyone is aware of which cockroach we are talking about: Periplaneta americana (American Cockroach). Below is a picture of an adult female.

There are other cockroaches (like the German Cockroach and the Madagascar Hissing Roach which makes for an adorable hissing pet for other people). But they are not the topic of this discussion.
Heck, I just flushed some more money down the toilet
I would expect plumbers to be doing some good business with all the $100 bills clogging the sewers of downtown New York city (under the smoldering ruins of Bear Stearns and Lehman Brothers).
Well, today it became clear that some of these dollars came from Bernard L. Madoff the former Chairman of NASDAQ and head of Madoff Securities LLC. Some $50b were flushed down the toilet. Madoff admitted to his employees that his hedge fund was “one big Ponzi scheme”. Which means that investors who got their money out early f****d the investors who were late to pull out. As always, timing is not everything, it is the only thing.
This action is sure to help restore confidence in the financial management of our stock exchanges.
C’mon guys. There are rules. People who wear Italian suits and shoes, walk around with leather-bound notebooks, sign cheques with elaborate fountain pens, and drive Bentleys should not lead $50b Ponzi schemes. Especially if they operate from well-appointed mahogany-trimmed offices in lower Manhattan. Offices with rows of computer displays that provide real-time market analysis data. I mean: How would we differentiate them from the experts?
NB. Sharon will let me know in a reply to the post that:
1. “Flushing money down toilets” is not a literal statement. It is a figure-of-speech, and figures-of-speech do not clog sewers. But even Sharon will have to agree that had New York bankers tried to flush the paper equivalent of the amounts of money that they destroyed, the sewers would have been clogged shut.*
2. Sharon would claim that I am wrong: Bernard Madoff’s $50b ponzi scheme is NOT sure to restore investor confidence but is actually most certain to cause it to drop even more. To which I retort: Can it? How low can confidence go?
*Note: Lucky for them that the only thing that suffered in their office was a shift register that no longer uses (or needs) the MSB. That and the 500,000 American employees who are newly converting to stay-at-home bloggers (damn competition).
Poor Aaron, Good for Data Protection?
Yahoo! is reducing costs and sending people home. In my opinion they could have saved a lot of money just by not sending all those proxy letters and tons of other items to my address. (Yeah, I have a few shares.) As expected, the internal presentation explaining how to cut employees was leaked to the Internet. I guess that the Internet Protocol (IP) doesn’t really work that well when the Do Not Forward bit is defined as text on a PowerPoint slide.
As a second thought, maybe there’s an opportunity for a new start up to create the technology to embed ‘Do Not Forward’ text into packets that can never leave the network.
So Aaron got the sack, and articles regarding the threats of a sluggish economy and recession era (such as this) are common. Organizations should protect sensitive data at all times based on their risk management strategy. Unfortunately, such times help us to understand the risk better. I’m not saying that the damage of leaked presentations (BTW, I think that the content itself is good, but the context is awful) is on Yahoo!’s top risk matrix, but I do think that organizations should set their strategy for data protection.
