Archive for the ‘Security’ Category

Are you on the List?

May 30, 2007

Thanks for pointing this out Matt!

Are you on The List?

Excerpt from the list:

  Apr. 24, 2007 Baltimore County Dept. of Health
(Baltimore, MD)
A laptop containing personal information including names, date of birth, Social Security numbers, telephone numbers and emergency contact information of patients who were seen at the clinic between Jan. 1, 2004 and April 12 was stolen. 6,000
         

Hosted eMail Services

February 16, 2007

There has been much debate and many new reports about hosted eMail services lately. A lot of this is due to the increase in SPAM, regulations, and viruses traversing the internet. MS has commissioned a paper on the benefits of hosted solutions over in-house messaging management….

David Spark asked me to look at this paper on Microsoft Exchange Hosted Services. From the looks of it, the same ask has been making the rounds to Terry Zink and Alec Saunders….but there aren’t very many opinions expressed on the wiki or the discussion group…I started to input my thoughts on the subject and the absense of supporting research…..

The paper itself seems to be based on Osterman Research work and there are some interesting research points that simply aren’t supportive of the claims in the paper. Some of the issues are…..

  1. In general the paper’s “findings” are not supported by the research quoted
  2. No discussion of the existing market is included
  3. No context is given for claims of cost savings or reliability
  4. Enterprise environments are not considerred
  5. Comparison against tenured appliances is not included
  6. Labor is generalized as high cost with no numbers to back it up

Now I’m sure there is plenty of data to support and refute the six items above in the context of hosted messaging services (especially in the case of the Microsoft Exchange Hosted Services)…..but they are not included in the paper and there is an opportunity to include them for people to see…..

So if you have an interest in hosted messaging components, you might want to take a look and ensure there is a consise opinion on the wiki fro the community (and other vendors) at large.

If you don’t have the time to comment, at least go vote on the hosting poll….

(results from the poll to be posted soon)

Security updates on CD

August 11, 2006

This is really cool…. Ed Bott has the details of where to get a bulk ISO image of all the latest security patches. Now admins can update their servers without having to connect to a resource that was on the web. This is great for building new systems, high security environments, and anywhere else someone might be paranoid…..

Thanks Ed!!

Everyone is hacking

August 10, 2006

Defcon this year gave us some exciting news….. you can now hack Blackberries well you can get malware onto the device which will in turn open a backdoor to your network and both will effectively be compromised. Praetorian Global’s Jesse D’Aguanno will post the details of the hack soon on their site.

RIM was obviously notified ahead of time, they were able to post a couple of documents, Protecting the Blackberry device platform against malware and Placing the BlackBerry Enterprise Solution in a segmented network at the end of July.

An interesting aspect of this, is that now blackberries could let the outsiders steal data, and soon the inside users will be able to steal more data with the Camera Blackberry. Is this RIM’s way of telling the US government (who like to ask RIM for secure BBs) they shouldn’t have allowed the patent suit through the courts?

With good security practices these issues can easily be avoided

Required Attributes of Security Solutions…. continued

July 27, 2006

I came across a post on Jesper Johansen’s site today about the Required Attributes of Security Solutions. It is an interesting list of attributes that any security solution should have. Being that I am in the midst of an accounting class, I quickly made an association between the attributes of the two….

First the Principles of Design

Cost-Benefit Principle – This Principle states that the benefits derived from the system should be equal to or greater then the systems total cost. This holds true for both accounting and security systems, for instance it would not make sense to purchase a security system at a cost of $1m (with a 5yr lifetime) that could only ever prevent $500k in damages (material or immaterial) over the same lifetime.

Control Principle – This principle requires that the system contain it’s control procedures so that data are reliable. This means several things to the system. The system should allow for risk assessments as an input to allow for changing environments. It also means that there must be control activities in place like policies and procedures to govern how the system is used. Other activities that are lumped here are authorization, so that controls of changes to the system are authorized. 

Compatibility Principle – The system must be in tune with the organization’s business and operating environments. If there is a distributed company in different cities or countries, the system should be designed specifically for that environment. On the other side of the fence, if the company goes through a transition and moves from several remote offices to a single HQ, the system must be re-evaluated to address the new needs of the company.

This continues to hold true for people and the actual business of the company. Training the employees on how to use the system is critical. This means proper classification and other human components. If the company is in the business of selling wheat, the system should know how to secure those transactions and the operations of that kind of business.

Flexibility Principle – The system must be flexible enough to allow for growth of the company. This includes being able to handle new product lines, different ways of handling business, and regulatory changes that may affect the requirements of the system

Measurement

The Matching Issue – Matching situations with when they occur is critical to ensuring they are measured properly. Events and transactions must be matched with the time in which they occur. If event ‘A’ and event ‘B’ are both discovered on day 15, it will be very important to know that event ‘B’ happened on day 3 and event ‘A’ happened on day 10. This enables a view into the relation of the two events and their potential impact is more apparent.

Adjustments – Adjustments must be included in the measurement. If an operator adjusts the system, this must be measured so that it can later be reported on properly. Without this type of measure, malicious or mistaken operators can cause problems for the business.

Reporting

    Regular reporting – regular generation and distribution of reports is important. This includes external regulatory bodies, internal audit departments, managerial staff, and executive leadership. It is crucial to have this reporting based on the design and measures discussed above. These reports must also have the conventions below so that the consumers of the reports can make real decisions based on the content. 

Conventions to assist in interpretation 

    Compatibility and consistency – The data collected and the method it is presented in must be similar through time. Without this, changes in the environment cannot be followed and problems will not be immediately apparent. Management needs to be able to read the reports and make quick decisions based on those reports. Should the company decide to change it’s practices, it must be a very well thought out process that allows for plans to relate the old way to the new way of measuring the environment.

Materiality – This refers to the relative importance of an item of event. So if an item or event is material or relevant enough that a decision would be different without the knowledge, and then the system must include it. As an example of this we can look at a case where several users are bothered by someone regarding a test system upgrade, a couple of weeks later a test system begins to act up and needs to be rebooted, a couple of weeks later the same thing happens in production, and week after that the production web farm is compromised. Had the relevancy been given to the first two incidents, this could have been prevented.

Conservatism – This one is pretty basic, the system should not “cry wolf”. A system that begins this kind of life will have a very short life. No events and reports should be over emphasized, only if something is actually serious (in the opinion of the team that runs the system), it should be brought to senior management’s attention.

Full Disclosure – This one differs a little between the two systems, although it is important to tell people what you are monitoring for security, it can also be a benefit not to do this.

Cost-Benefit – Repeated again here, the cost benefit of the system’s reporting capabilities must outweigh the risks it prevents.

To compare this with Jesper’s original list 

  1. Comprehensive  <- ->  Materiality, Compatibility
  2. Comprehensible  <- ->  Cost-Benefit, Compatibility
  3. Adaptable  <- ->  Flexibility Principle
  4. Centrally manageable  <- ->  This is not listed above – but as a basic attribute does this make sense for a global company with multiple HQs or separate operating entities?
  5. Enforceable  <- -> Control
  6. Reportable – Measurement, Reporting, Compatibility and Consistency

So let me know what you think, Do you agree on these, did I miss anything or not account for anything that was more important in Jesper’s post……