Security Pie » Security

Are We There Yet?

sharon — Tue, 09 Feb 2010 23:59:48 +0000

RSA Conference, the biggest security event of the year will take place next month.

IMO now is a good time to review how we are doing as an industry, fulfilling our destination (that is, securing).

On Jone 2003, Gartner declared that IDS are dead and “recommends that enterprises redirect the money they would have spent on IDS toward defense applications such as those offered by thought-leading firewall vendors that offer both network-level and application-level firewall capabilities in an integrated product.”

6.5 years later, are we there yet?

Clear Passwords

sharon — Fri, 07 Nov 2008 01:06:48 +0000

2008 is almost over but still there are respectable and notable companies that act like security is non of their business. I find it very irritating that some companies that promote security as a product and company differentiators act in a non secure fashion. Following the “no one want to see an obese promotes healthy food” analogy, I would expect companies nowadays to act in a secure fashion. Most of the web sites will send you a thank you letter after registering at their web site, but as I discovered today, some will send you an email confirming your registration alongside your username and password in cleartext.

As a service for those who forgot, here’s how email privacy works:

How email works

And here’s the message that turned me mad (Identifiable elements deleted to protect the innocent):

Balancing Security’s Opposite Pairs

sharon — Fri, 03 Oct 2008 20:12:22 +0000

HWY 101 is jammed again, which gives me a lot of time to stare at the billboards. Symantec (big yellow) caught my attention with a “you need the speed” sign promoting their latest anti virus release. Apparently, they started a huge campaign around the speed of their anti virus, it’s weightless etc. No too many words about security.

You Need The Speed

I am not trying to pick on Symantec’s Norton Anti Virus. In today’s commercialized and commoditized environment, the messages should be catchy, fast and appeal to the common dominators. But this ad allows me to rant on some of the two non-changeable variables couples or opposite pairs that makes data security such an interesting field.

Here are some opposite pairs

Connectivity versus Security: Good security requires analysis. The more analysis one performs the more latency (aka, less connectivity) occurs. Think about your application needs: pass it fast, or perform Deep Packet Inspection. The more DPI you perform, packets and streams should be queued.
False Positive versus False Negative: False Positive (FP) disturb the security team and ops team. Security solutions configured to block will interrupt legitimate traffic. On the other hand, avoiding FP can create False Negative (FN) which means that one was able to pass your security systems.
Thorough versus Fast: Similar to the connectivity versus Security conflicting pair. One would like a system to act fast, on the other hand, think about the TSA agent – in order to perform his job properly, there must be some kind of a long line…
Enterprise manageability versus Simple-to-use: We all want to live in the fast track, have it all in just “one click” but then enterprise manageability requires many capabilities such as directory integration, load balancing High Availability (HA) etc. Tasks that can not be achieved with just one click.
Best of breed versus Good enough. Best of breed requires different vendors and sometimes more work (less “one clicks”) than good enough solutions.

Where does it takes us? Security solutions can’t be like a pie (if it taste good, it’s not healthy). There must be balance between the opposite pairs. Security buyers (home users or enterprise customers) are expecting the right kind of solution that has all the ingredients.

Yes. I do expect it not to slow my system.