How safe is Virtualization?

Virtualization is the technology every IT department is heading towards in order to reclaim unused CPU cycles.  Agreed, it is a good way of getting the most bang for your buck!

Initially, virtualization was used on the server side only.  Now it is reaching the desktop as well.  With applications such as VirtualBox from Sun Microsystems, a virtual machine can be installed on a corporate laptop.  Once such an application has been installed, the corporation loses visibility into and control over that endpoint: whatever runs inside the guest is invisible to the host's agents and policies, and its traffic leaves the laptop looking like the host's own.  To avert misuse of such technologies on the client side, application whitelisting has to be combined with network-based protection.  Then comes the realm of DLP and NAC, and the open question of how successful such technologies will be in averting corporate espionage.

Social-networking apps?

Did you know that every time you add an application to your social-networking profile for a few more bells and whistles, you are consenting to give that application's developers access to your profile, minus your address?  This works even if you have set your profile as private as it will go.  People, remember: if you provide your personal information to a third party, no matter which disclaimer they provide, the truth of the matter is that they have your information now and can do whatever they want with it.  If you make noise they will scale back and try it again. So @#$% wake up!

I still don’t understand why people are so bent on using social-networking sites; for God’s sake, go out and meet people the conventional way.  The Internet is good for specific things, but it is definitely not a panacea for everything.

Risk Assessment

Risk assessment methodologies have been a controversial topic for a while.  There are two ways to assess risk:

  • Qualitative
  • Quantitative

One school of thought believes that qualitative is the way to go, and so contents itself with High/Medium/Low rankings.

The other school of thought believes that quantitative is the way to go, using the following formula:

Probability of an event occurring in a given year (p%, i.e. the Annualized Rate of Occurrence, ARO) X Impact should the event occur (i$, the Single Loss Expectancy, SLE) = Annualized Loss Expectancy (ALE)

Some are proponents of Bayesian Population Analysis.

One of the methodologies I have come across is FAIR (Factor Analysis of Information Risk) by RMI, which was presented at TOGAF 2007 in Austin, TX.  The issues that came up were the amount and validity of the data used in that analysis, and also the taxonomy used.

In my opinion something like the actuarial tables used in the insurance industry must be created for IT risk analysis.  Unless an event occurs, there is no way to predict the frequency of it happening or the amount of loss incurred.

In my opinion IT security risk managers should get together, put up a database on the Internet and anonymously report the breaches they have experienced, the associated loss, and how often they happen.
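The two schools side by side, as an added example that is not part of the original post: the High/Medium/Low bucketing of the qualitative school, the ARO x SLE point estimate of the quantitative school, and a Monte Carlo run over the same two inputs that shows what the point estimate hides. Every number in it (ARO, loss figures, bucket thresholds, the 3x3 rating matrix) is a constructed assumption, not data from FAIR, RMI or any real breach database.

```python
"""Added example, not from the original post: the two schools of risk rating side by
side, plus a Monte Carlo run that shows what the quantitative formula hides.

All scenario numbers (ARO, loss figures, bucket thresholds, rating matrix) are
constructed for illustration only; they are not drawn from any real data set.
"""
import math
import random
from typing import List, Tuple

# Assumed 3x3 rating matrix: (likelihood, impact) -> qualitative rating.
RATING_MATRIX = {
    ("H", "H"): "High", ("H", "M"): "High", ("M", "H"): "High",
    ("H", "L"): "Medium", ("M", "M"): "Medium", ("L", "H"): "Medium",
    ("M", "L"): "Low", ("L", "M"): "Low", ("L", "L"): "Low",
}


def qualitative_rating(aro: float, sle: float) -> str:
    """High/Medium/Low, the first school of thought. Bucket edges are assumptions."""
    likelihood = "H" if aro >= 1.0 else "M" if aro >= 0.1 else "L"
    impact = "H" if sle >= 1_000_000 else "M" if sle >= 100_000 else "L"
    return RATING_MATRIX[(likelihood, impact)]


def annual_loss_expectancy(aro: float, sle: float) -> float:
    """ALE = ARO x SLE, the quantitative formula from the post: expected events per
    year (probability of the event in a given year) times the dollar impact of one."""
    return aro * sle


def _poisson(rng: random.Random, lam: float) -> int:
    """Knuth's algorithm: number of events in a year when they arrive at rate lam."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_loss(aro: float, loss_median: float, loss_sigma: float,
                         years: int = 20_000, seed: int = 1) -> Tuple[float, float]:
    """Monte Carlo over the same two inputs, but with the uncertainty kept in.

    Event count per year ~ Poisson(aro); each event's loss ~ lognormal around
    loss_median with spread loss_sigma (real losses have a long right tail).
    Returns (mean annual loss, 95th-percentile annual loss) over `years` trials.
    """
    rng = random.Random(seed)
    mu = math.log(loss_median)
    totals: List[float] = []
    for _ in range(years):
        events = _poisson(rng, aro)
        totals.append(sum(rng.lognormvariate(mu, loss_sigma) for _ in range(events)))
    totals.sort()
    mean = sum(totals) / years
    p95 = totals[int(0.95 * years)]
    return mean, p95


def aro_sensitivity(sle: float, aro_guesses: Tuple[float, ...]) -> List[float]:
    """The data-validity problem: with no actuarial table, ARO is a guess, and the
    ALE moves in lockstep with whichever value was guessed."""
    return [annual_loss_expectancy(aro, sle) for aro in aro_guesses]


if __name__ == "__main__":
    aro, sle = 0.5, 100_000   # assumed: "once every two years, $100k per incident"
    print("qualitative :", qualitative_rating(aro, sle))
    print("ALE         :", annual_loss_expectancy(aro, sle))
    mean, p95 = simulate_annual_loss(aro, sle, loss_sigma=0.8)
    print(f"simulated   : mean {mean:,.0f}  95th percentile {p95:,.0f}")
    print("ALE by ARO  :", aro_sensitivity(sle, (0.1, 0.5, 1.0)))
```

Two things fall out of running it. First, the simulated mean comes out well above the 50,000 point estimate, because a lognormal loss has a mean above its median: plugging a "typical" loss into ARO x SLE understates the expectation. Second, the 95th percentile is several times the mean, which is the number a budget holder actually needs and which neither a High/Medium/Low label nor the single ALE figure conveys. Both depend entirely on the guessed ARO and loss spread, which is the point about data validity made above.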

PCI DSS

Just attended a PCI DSS workshop organized by Visa; wow, it sure was worth it.  I have read the PCI DSS docs a number of times, but the classroom experience was very valuable.

Some important items worth noting:

  • The idea behind the PCI program is to “render the credit card data unreadable”; the ways you can accomplish that are encryption, hashing and truncation (requirement 3.4 of the standard lists strong one-way hashing, truncation, index tokens and strong cryptography with key management).
  • PCI DSS is the standard itself.
  • AIS (Visa's Account Information Security program) is the enforcement program.
  • Sensitive authentication data that can never be stored after authorization, unless you are a card issuer:
    • Full magnetic-stripe (track) data
    • CVV2
    • PIN / PIN block
  • As per Visa's requirements, you must notify your acquirer of a suspected breach within 24 hours.
  • PCI DSS has 12 top-level requirements, broken down into about 230 individual requirements.
  • PCI DSS is based on fundamental data security practices:
    1. Data controls
    2. Network controls
    3. System level controls
    4. Application controls (code reviews, application testing)
    5. Policies
    6. Physical Controls
  • Visa is moving PABP (Payment Application Best Practices) from “best practices” into a formal security standard managed by the PCI SSC as the Payment Application Data Security Standard (PA-DSS).
  • The PCI Security Standards Council, launched in September 2006, is a global forum for the ongoing development and enhancement of security standards for account data protection, including the PCI DSS.
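What “render the data unreadable” looks like in code, as an added example that is not from the workshop, from Visa or from the standard: truncation (first six and last four, the most the standard allows to be displayed) and one-way hashing, with encryption left out because it needs the key management a short example cannot show. It also demonstrates the trap a practitioner should know about: storing a truncated copy next to an unkeyed hash of the same PAN, which lets anyone holding both brute-force the full number, and why a keyed hash (HMAC) closes that hole. The sample PAN is the well-known Visa test number, not a real account, and HASH_KEY is a placeholder.

```python
"""Added example, not from the workshop or the standard: truncation and hashing of a
PAN, and the correlation attack that a truncated copy plus an unkeyed hash allows.

SAMPLE_PAN is the well-known Visa test number, not a real account. HASH_KEY is a
throwaway placeholder; a real key lives in an HSM or key vault, away from the data.
"""
import hashlib
import hmac
import itertools
from typing import Optional

SAMPLE_PAN = "4111111111111111"                 # constructed sample (test number)
HASH_KEY = b"placeholder-key-for-this-example"  # assumption, not a real key


def luhn_ok(pan: str) -> bool:
    """Mod-10 check digit that every real PAN satisfies; used to prune brute force."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation: keep at most the first six (BIN) and last four; the rest is gone."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def unkeyed_hash(pan: str) -> str:
    """Plain SHA-256 of the PAN: one-way, but the input space is tiny."""
    return hashlib.sha256(pan.encode()).hexdigest()


def keyed_hash(pan: str, key: bytes = HASH_KEY) -> str:
    """HMAC-SHA-256: without the key an attacker cannot even test a candidate PAN."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def recover_pan(truncated: str, digest: str) -> Optional[str]:
    """The correlation attack: a truncated copy plus an unkeyed hash of the same PAN.

    Only the masked digits are unknown (six for a 16-digit PAN, so at most a million
    candidates, a tenth of which pass Luhn). Hash each survivor and compare.
    """
    prefix, suffix = truncated[:6], truncated[-4:]
    missing = truncated.count("*")
    for digits in itertools.product("0123456789", repeat=missing):
        candidate = prefix + "".join(digits) + suffix
        if luhn_ok(candidate) and unkeyed_hash(candidate) == digest:
            return candidate
    return None


if __name__ == "__main__":
    masked = truncate_pan(SAMPLE_PAN)
    print("truncated :", masked)
    print("sha256    :", unkeyed_hash(SAMPLE_PAN))
    print("recovered :", recover_pan(masked, unkeyed_hash(SAMPLE_PAN)))
    print("hmac      :", keyed_hash(SAMPLE_PAN))
```

The recovery takes well under a second on a laptop, which is the whole caveat: a hash only counts as “unreadable” when the attacker cannot enumerate the inputs, and with the BIN and last four in the clear there are only a hundred thousand Luhn-valid inputs left. A keyed hash removes the attacker's ability to compute candidate digests at all, which is why later versions of the standard require keyed hashes wherever hashed and truncated forms of the same PAN can be correlated; the key must then be managed like an encryption key, not stored beside the data.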

VoIP phone woes

Came across this news article, VoIP tragedy underlines need for up-to-date information: a child died, and the only reason was that the parents had chosen a VoIP phone.  VoIP services provide a load of features for a very low price compared to the conventional phone system (POTS).  Consumers are always shopping for a bargain with all the features, but VoIP also has its drawbacks; from its inception it has had issues with 911 service.

Because of the portability of this type of phone service it is difficult to know where the service is actually being used, unless the user makes sure their address and other details are updated as they move.  That is the 911 problem: the emergency dispatcher is sent the address on file with the provider, not where the call is really coming from.  With a POTS line, unless you submit a request to move the service, you will not get it at the new address, and since you are moving there, the other address changes follow.

With the advent of “paperless” bills delivered by e-mail, the snail-mail address no longer has any bearing.  If you can get to the Internet, you get your phone bill and your other bills too.  Users who rely heavily on the Internet for receiving bills by e-mail and paying them through Internet banking no longer need a snail-mail address, so nothing forces them to keep their address current with the provider.

In my opinion this whole Internet thing is good from a convenience point of view, but like everything else it has its drawbacks, which consumers do not realize, and by the time they do it is too late, as in this case, where a baby died.

BTW, cell phones share the same issues as VoIP from a 911 perspective.  Triangulation is one method of locating a subscriber, but it is still not as accurate as the good old POTS line, whose location is fixed to the wire.

I shall use POTS as long as my provider is willing to provide it, and hopefully by the time they withdraw the service VoIP and cell-phone service will have matured in terms of process and location tracking.

RSA2008

Attended the RSA 2008 Conference; wow, what an experience.

Where else would you get all the security buffs and related technologies under one roof?

As per an RSA newsletter, about 17,000 security professionals attended the event.  If you would like to get up to speed on the latest trends in the security industry, RSA Conference is the place to be.  As you attend sessions and talk to people, good ideas keep sprouting in your head, and you find out all the pros and cons of doing things a certain way.

I had never attended this conference before, but the themes this year were:

  • Identity & Access Management
  • Encryption technologies
  • Data Leakage Protection
  • Security Event Management & Logging

Overall, I would attend this conference again if I had the chance next year.

Always erase data on old disk drives

These days no one is immune to “data bingeing”.  The reason I say that is that everyone has an MP3 player, a digital camera, or both, not forgetting résumés, personal-finance spreadsheets and so on.  We are constantly moving from one system to another in our quest for “bigger and better”, and in doing so we leave data behind which, if it ends up in the wrong hands, will cost you your credit rating or your identity.

If you are going to sell your laptop or desktop, please make sure you erase all data on the drive.  Deleting a file helps, but the data is still recoverable: delete only removes the file's entry from the file system's index, while the blocks themselves stay on the disk until something overwrites them.  Prying eyes can recover that data with off-the-shelf tools.

I have come across an excellent utility, DBAN (Darik's Boot and Nuke), which boots from its own media and overwrites every sector of a drive, so it is very helpful in erasing all the data on a particular drive.

Warning: you have to be absolutely sure that you do not need the data, as it will not be recoverable after the above-mentioned utility has been used.
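What an overwrite-and-verify wipe actually does, as an added example that is not DBAN's code and not part of the original post: overwrite every byte of the target once per pass, fsync, then read the whole thing back and confirm the old content is gone. The demo runs against a temporary image file standing in for a drive, with a constructed marker string as the “secret”; the mounted-device guard and the block-device branch are there so the same function can be pointed at a raw device, which is irreversible.

```python
"""Added example, not from DBAN or the original post: an overwrite-and-verify wipe in
the spirit of DBAN, aimed at a regular file or a raw block device.

The demo wipes a temporary image file standing in for a drive; the marker string is
constructed. Pointing wipe() at a real /dev/ node does the real thing and is final.
"""
import os
import stat
import tempfile
from typing import Sequence, Tuple, Union

CHUNK = 1 << 20  # 1 MiB per write/read


def _refuse_if_mounted(path: str) -> None:
    """Guard: never overwrite a device that is mounted (checks Linux /proc/mounts)."""
    try:
        with open("/proc/mounts") as f:
            mounted = {line.split()[0] for line in f}
    except OSError:
        return
    if os.path.realpath(path) in mounted:
        raise RuntimeError(f"{path} is mounted; unmount it first")


def _size_of(path: str) -> int:
    st = os.stat(path)
    if stat.S_ISBLK(st.st_mode):      # block device: size comes from seeking to the end
        with open(path, "rb") as f:
            return f.seek(0, os.SEEK_END)
    if stat.S_ISREG(st.st_mode):      # regular file (the disk image in the demo)
        return st.st_size
    raise ValueError(f"{path}: not a regular file or block device")


def wipe(path: str, passes: Sequence[Union[str, bytes]] = ("random", b"\x00")) -> int:
    """Overwrite every byte of the target once per pass and fsync after each pass.

    "random" writes os.urandom data; a bytes value writes that pattern repeated. Ending
    with a zero pass makes the result easy to verify. Returns the number of bytes wiped.
    """
    _refuse_if_mounted(path)
    size = _size_of(path)
    with open(path, "r+b") as f:
        for spec in passes:
            f.seek(0)
            remaining = size
            while remaining:
                n = min(CHUNK, remaining)
                if spec == "random":
                    data = os.urandom(n)
                else:
                    data = (spec * (n // len(spec) + 1))[:n]
                f.write(data)
                remaining -= n
            f.flush()
            os.fsync(f.fileno())
    return size


def contains(path: str, marker: bytes) -> bool:
    """Scan the whole target for a byte string, keeping an overlap between chunks so a
    marker split across two reads is still found."""
    keep = len(marker) - 1
    tail = b""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return False
            buf = tail + chunk
            if marker in buf:
                return True
            tail = buf[-keep:] if keep else b""


def all_zero(path: str) -> bool:
    """Post-wipe verification: every byte must read back as 0x00."""
    with open(path, "rb") as f:
        while True:
            chunk = f.read(CHUNK)
            if not chunk:
                return True
            if chunk.count(0) != len(chunk):
                return False


def demo(size: int = 3 * CHUNK + 4096) -> Tuple[bool, bool, bool]:
    """Build a throwaway disk image holding a constructed secret, wipe it, verify.
    Returns (secret present before, secret present after, all zeros after)."""
    marker = b"TOP SECRET: payroll-2008.xls"   # constructed sample data
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(os.urandom(CHUNK - 10))       # place the marker across a chunk boundary
        tmp.write(marker)
        tmp.write(os.urandom(size - (CHUNK - 10) - len(marker)))
        image = tmp.name
    try:
        before = contains(image, marker)
        wipe(image)
        return before, contains(image, marker), all_zero(image)
    finally:
        os.unlink(image)


if __name__ == "__main__":
    print("secret before, secret after, zeros after:", demo())
```

Two caveats a practitioner would add. DBAN runs from its own boot media precisely so that the disk is not in use; the /proc/mounts check above is only a stand-in for that, and the target must be the whole device, not a partition, if the goal is to match what DBAN does. And overwriting is a magnetic-disk technique: on SSDs and flash the controller remaps sectors, so an overwrite pass can leave old data in blocks the host can no longer address, and the drive's own secure-erase command or destroying the key of a fully encrypted disk is the reliable route.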

GE Money loses customer private data tapes

GE Money, which manages credit card operations for JCPenney and other retailers, says it lost a backup tape containing the private data of 650,000 customers.  The backup tapes were being held by Iron Mountain, a large backup-tape storage company, which was not available to comment on the issue.  It would be interesting to find out how the tape went missing at Iron Mountain, which would lead to the actual process failure behind this loss.

I feel sorry for the 650,000 customers whose data is out there in the wild, being exploited as we read this article, which will end up costing them their personal lives, their peace of mind, and financial losses.

When will large corporations wake up, smell the F*&^ing coffee and get their acts together?

U.S. and privacy….like mixing oil and water.

Although personal privacy is very important in the current technological age, most countries seem to be losing control over it.  One such example is the U.S. government monitoring, without warrants, international phone calls and e-mails involving people suspected of having terrorist links.

MediaDefender’s e-mails exposed by hackers

Hackers have posted on the Internet e-mails sent between MediaDefender Inc. employees.  The e-mails reveal how the company conducts business: trapping unsuspecting video posters and then passing that information to media companies so that action can be taken against them.  Some e-mails also contained the passwords used to log on to and administer the company's website.

My rant…..what will it take for organizations to understand the importance of encryption?  First, all information generated within the organization must be classified, and then, based on that classification, the appropriate steps must be taken to protect it, one of them being e-mail encryption.
