APT? Another Pointless Thread?

March 31st, 2011 by peter.bassill

You have to wonder some days, I certainly do. Today I find myself wishing more people don't add more weight to the whole APT argument. This week alone I have had three phone calls from vendors' salespeople asking how I am addressing the APT, and when I challenged them on exactly what an APT is, I got three different answers, of which only one was vaguely close. I was very interested to discover that the vendor interest has been piqued by good ol' Bill Brenner's challenge to Josh Corman.

In many ways, dealing with people is what we as security professionals are here to do. There will always be the threat of someone at the keyboard, but with good monitoring and a handful of controls we can spend quality time understanding the people.

After all, who is better placed to stop the APT threat: us as security professionals, or the colleague who sits next to them and has taken the security message to heart?

But is that the answer? What about the other half of the equation, the organised teams with access to excellent resources, well-trained staff and the tenacity to keep hitting their chosen target until they achieve their goals? How well can we defend against those?

I would suppose that defending against the latter half comes down to the security ethos embedded within the target. If the target's coders adopt the rugged philosophy, abide by simple secure coding practices such as OWASP's, and have security baked into the design of their IT infrastructure, architecture and future programmes, then the target will be very tough to crack, right? Again, it comes down to people.

APT? Another Pathetic Term

March 28th, 2011 by peter.bassill

If there is one thing in the security industry we are drowning in, it is acronyms dreamt up by overpaid and overplayed marketing teams. Not that I think ill of the marketing people; they do a brilliant job and I just wish we had some more of them in our business. APT, or Advanced Persistent Threat, is the latest fad of the marketeers and the box shippers. The amazing and crazy thing about an APT is that it does not exist. In fact, all the APT is, is the human between the computer and the keyboard (pink fluffy computer is my preferred term).

As I was thinking about this following yet another phone call from a nameless vendor who has a box to resolve the APT issue, I read through Bill Brenner's article here, where he is commenting on a conversation between Josh Corman of the 451 Group and security-privacy-compliance expert David Mortman. As ever, worth a read.

ISACA launches audit program for social media governance

March 13th, 2011 by peter.bassill

ISACA, a global association of 95,000 IT assurance, security and governance professionals, has launched a new customizable audit program to help enterprises address the complex and emerging area of social media governance.

The Social Media Audit/Assurance Program focuses on effective policies, training and awareness, and monitoring. ISACA also recently released audit/assurance programs for Apache Web Services Server, MySQL Server, VMware Server Virtualization, Microsoft Internet Information Services Web Services Server, Windows Active Directory, Mobile Computing Security, and Cloud Computing Management.

Norman Kelson, author of ISACA’s audit programs, says the audit programs are developed in response to the requirements of ISACA members and their employers. “Social media is one of the major technologies emerging during the past year and ranked high on the list” of priorities, Kelson says.

Social media differs from traditional advertising and marketing methods, “in which anyone with an Internet-attached device can, with near anonymity and without accountability, participate in public or private information or disinformation sharing, depending on access privileges to a social media Web site,” Kelson says.

Robert Stroud, ISACA vice president, says social media “is rapidly becoming part of business as usual for many organizations, playing a fundamental role in marketing and communication programs.”

As with all other communication and customer contact programs, Stroud says, the effective controls need to be in place “and these need to be audited to ensure the effective management of the media and, more importantly, the information flow and management of risk.”

The audit programs provide guidelines and direction for the practice of IT audit and assurance and can be used as a roadmap to complete a specific process, according to ISACA. All audit programs are free for ISACA members and $45 for nonmembers.

Read more about IT audit in CSOonline’s IT Audit section.


Infosec 2011 – Journey Of A Social Media Attack

March 11th, 2011 by peter.bassill

Infosec Europe 2011 – 19th to 21st April, Earls Court

Join Peter Wood and myself as we explore the world of social media attacks – http://bit.ly/eK14wY

Cloud Increases Risk?

March 11th, 2011 by peter.bassill

Andrew W Morse, founder of Digital Tsunami (“Communications Evolution”), recently asked the following question on LinkedIn: “With the increased complexity of polymorphic malware and the increased use of social platforms, do you have concerns for increased network intrusion via ever-increasing corporate cloud computing?”

It gave a fair amount to think about so I thought I would share my opinions with you all.

What a great question, and thank you for asking it. OK, do you have more or less security by renting a 1U server from a server farm in a datacenter? Do you have more or less security when, rather than renting that server from a server farm, you physically house it in your own datacenter? There are a number of players out there in the market that would have you believe that a server in the “cloud” is vulnerable to attack, but the truth is that any server with a connection to a public-facing network is going to be attacked at some point in time.

From my point of view, the biggest security concern is one I am not hearing much about, and that is the disk. Say you rent a cloud server with 100 GB of storage, use it for some data processing and, once you have finished, shut the server down and remove it from the system. That disk is still there.

It is possible to rent a single cloud server and get it up and running in only a few minutes. Once done, add a few cloud disks to it and run standard forensic recovery tools over the disks you have provisioned from the pool. What are the odds of successfully recovering someone’s information? A number of cloud vendors put some form of protection in front of the physical layer, but when we are talking disk, how much work does it take to recover a previous tenant’s data?

Still worried about network intrusion? Have your admins build and secure your cloud servers properly and maintain a good patching programme alongside good security practices for access control.

Worried about a disk recovery attack? Encrypt your data in the cloud and then carry out a DoD-standard 7-pass wipe of your data areas prior to deprovisioning your server.

Still worried about security? Think about risk and not particular technology points.