Archive for May, 2008

How safe is Virtualization?

Virtualization is the new technology all IT departments are heading towards in order to capitalize on unused CPU cycles. Agreed, it is a good way of getting the most bang for your buck!

Initially, virtualization technology was used on the server side only. Now it is infiltrating desktops as well. With applications such as VirtualBox from Sun Microsystems, a virtual machine can be installed on a corporate laptop. Once such an application has been installed, the corporation no longer has control over the endpoint. To avert misuse of such technologies on the client side, application whitelisting coupled with network-based protection has to be instituted. Then comes the realm of DLP and NAC: how successful will such technologies be in averting corporate espionage?

Social-networking apps?

Did you know that every time you download an application to add more bells and whistles to your social-networking site you are consenting to give the developers of that application access to your profile, minus your address? This works even if you have set yourself as private as you can. People, remember that if you are providing your personal information to a 3rd party, no matter which disclaimer they provide, the truth of the matter is that they have your information now and they can do whatever they want with it. If you make noise they will scale back and try it again. So @#$% wake up!

Still don’t understand why people are so bent upon using social networking sites; for god’s sake, go out and meet people the conventional way. The Internet is good for specific things, but it is definitely not a panacea for everything.

Risk Assessment

Risk Assessment methodologies have been a controversial topic for a while. There are two ways to assess risk:

  • Qualitative
  • Quantitative

One school of thought believes that Qualitative is the way to go, hence they work with a High/Medium/Low kind of ranking.

The other school of thought believes that Quantitative is the way to go where the following formula is used:

Probability of an event occurring in a given year (p%) × Impact should the event occur (i$) = ALE

Some are proponents of Bayesian Population Analysis.

One of the methodologies I have come across is FAIR (Factor Analysis of Information Risk) by RMI, which was presented at TOGAF 2007, Austin, TX. The issue that came up was the amount and validity of data used in that analysis, and also the taxonomy used.

In my opinion something like actuarial tables, which are used in the insurance industry, must be created for IT risk analysis. Unless an event occurs, there is no way to predict the frequency of it happening and the amount of loss incurred.

In my opinion IT security risk managers should get together, put up a database on the Internet and anonymously report the breaches they have experienced, the associated loss, and the frequency of it happening.
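The quantitative formula above, worked through as an added example (not from the original post): the frequency term p and the impact term i are estimated from a constructed breach database of the kind proposed here, using a Gamma-Poisson (Bayesian) rate estimate as an assumed method, and the resulting ALE is mapped back onto a High/Medium/Low band whose thresholds are also assumptions.

```python
"""ALE = p (events per year) x i (loss per event), estimated from an
anonymised breach database. All records below are constructed sample data."""
from statistics import mean

# Constructed reports: (reporter, breaches observed, years observed, per-breach losses in $)
REPORTS = [
    ("org-A", 2, 5, [120_000, 45_000]),
    ("org-B", 0, 4, []),
    ("org-C", 1, 3, [300_000]),
    ("org-D", 3, 6, [15_000, 80_000, 25_000]),
]


def annual_rate(reports, prior_events=1.0, prior_years=1.0):
    """Gamma-Poisson posterior mean for events per year: pooled events and
    exposure years, plus a weak prior (an assumed choice) so that a database
    with no breaches yet yields a small non-zero rate instead of exactly 0."""
    events = sum(r[1] for r in reports) + prior_events
    years = sum(r[2] for r in reports) + prior_years
    return events / years


def single_loss(reports):
    """Mean loss per breach across every reported loss (the i term)."""
    losses = [loss for r in reports for loss in r[3]]
    return mean(losses) if losses else 0.0


def ale(rate, loss):
    """Annualised Loss Expectancy: frequency times impact."""
    return rate * loss


def qualitative(ale_value, high=100_000, medium=25_000):
    """Map the dollar figure onto the High/Medium/Low ranking the other
    school of thought uses; the band thresholds are assumed values."""
    if ale_value >= high:
        return "High"
    if ale_value >= medium:
        return "Medium"
    return "Low"


if __name__ == "__main__":
    p = annual_rate(REPORTS)
    i = single_loss(REPORTS)
    print(f"p={p:.3f}/yr  i=${i:,.0f}  ALE=${ale(p, i):,.0f}  ({qualitative(ale(p, i))})")
```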

PCI DSS

Just attended a PCI-DSS workshop organized by VISA; wow, it sure was worth it. I have read the PCI-DSS docs a number of times, but the whole classroom experience was very valuable.

Some important items worth noting:

  • The idea behind the PCI program is to “Render the credit card data unreadable”; the ways you could accomplish this are: encryption, hashing, truncation.
  • PCI DSS - Is the standard itself
  • AIS - Is the enforcement program
  • Data that can never be stored, unless you are a credit card issuer:
    • Mag-stripe data
    • CVV2
    • PIN/PIN Block
  • As per the requirements, you must notify your acquirer of a possible breach within 24 hours
  • PCI DSS has about 230 requirements
  • PCI DSS is based on fundamental data security practices:
    1. Data controls
    2. Network controls
    3. System level controls
    4. Application controls (Code reviews, app testing)
    5. Policies
    6. Physical Controls
  • VISA is moving PABP from “best practices” into a formal security standard managed by the PCI SSC as the Payment Application Data Security Standard (PA-DSS)
  • PCI Security Standards Council, launched in September 2006, is a global forum for the ongoing development and enhancement of security standards for account data protections, including the PCI DSS
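Two of the “render unreadable” techniques listed above (truncation and hashing) applied to a constructed test card number, plus a check that a record about to be persisted carries none of the data the standard never allows to be stored; this is an added example, not code from the workshop or from the PCI SSC, and the sample PAN, key and field names are constructed.

```python
"""Truncation and keyed hashing of a PAN, and a storage-policy check."""
import hashlib
import hmac

# Constructed sample values: a well-known test card number and a throwaway key
# (in a real deployment the key would come from a key-management system).
SAMPLE_PAN = "4111111111111111"
SAMPLE_KEY = b"constructed-example-key"
# Field names assumed for this example; the data itself is what PCI DSS forbids storing.
NEVER_STORE = {"track_data", "cvv2", "pin", "pin_block"}


def luhn_ok(pan: str) -> bool:
    """Reject malformed PANs before tokenising them (Luhn check digit)."""
    if not pan.isdigit():
        return False
    total = 0
    for pos, ch in enumerate(reversed(pan)):
        d = int(ch)
        if pos % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def truncate(pan: str) -> str:
    """Keep only the first six (issuer) and last four digits; mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def keyed_hash(pan: str, key: bytes) -> str:
    """HMAC-SHA256 rather than a bare digest: the space of valid PANs is small,
    so an unkeyed hash would not render the number unreadable in practice."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


def render_unreadable(pan: str, key: bytes) -> dict:
    """Return what may be kept: a masked display form and a keyed token."""
    if not luhn_ok(pan):
        raise ValueError("not a valid PAN")
    return {"pan_display": truncate(pan), "pan_token": keyed_hash(pan, key)}


def assert_storable(record: dict) -> dict:
    """Refuse to persist a record that still carries mag-stripe, CVV2 or PIN data."""
    forbidden = NEVER_STORE & {k.lower() for k in record}
    if forbidden:
        raise ValueError(f"must not be stored: {sorted(forbidden)}")
    return record
```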

VoIP Phone Woes

Came across this news article, VoIP tragedy underlines need for up-to-date information: a child died only because the parents chose to use a VoIP phone. VoIP services provide a load of features for a very low price compared to the conventional phone system (POTS). Consumers are always shopping for a bargain with all the features, but VoIP also has some drawbacks; from its inception it has had issues with 911 service.

Because of the portability of this type of phone service it becomes difficult to locate where the service is being consumed, unless the user takes care to ensure their address and other details are updated as they move. With POTS-based phones, unless you submit a request to move the service you will not get it at the new address, and since you are moving there are other address changes to make as well.

With the advent of “PAPERLESS” bills, which we receive via email, the snail mail address no longer has any bearing. If you can get to the Internet, you get your phone bill and your other bills too. Hence users who rely heavily on the Internet for their bills via email, and pay them via Internet banking, no longer need a snail mail address.

In my opinion this whole Internet thing is good from a convenience point of view, but like everything else it has its drawbacks, which consumers do not realize, and by the time they realize it is too late, as in this case where a baby died.

BTW, cell phones also share the same issues as VoIP from a 911 perspective. Triangulation is one method of locating a subscriber, but it is still not as accurate as the good old POTS.

I shall use POTS as long as my provider is willing to provide it, and hopefully by the time they withdraw the service, VoIP and cell phone service will have matured from a process and tracking perspective.