
Archive for Security Mgmt

It’s a hump day miracle…


Harvey Wallbanger (a frequent commenter) asks: “How different is the reality of work for a CISO compared to the average 9-5er?”

Well… Let’s start with how busy it is…

Basically, I don’t have much of a life beyond work. There’s a certain “Superman” tendency amongst those who do this which leaves them unable to just walk away from the strain, stress or awareness of unmitigated risk at the end of the day.

For the most part though, I wouldn’t change it, I’m hacking an entire organization instead of one or two piddling little machines.

What would you say is the part of your work which sets you apart from the average 9-5er?

Why do you do what you do?

Gaze into your navel and let us all know in the comments!


Do your REAL job…

I can’t believe it’s freakin’ Monday again. Seriously. When will this treadmill end?

If you joined us last week, you’ll know that we’re here to discuss all of those things you could be doing, but aren’t.

This week, short and sweet. Update your Intranet site.


Don’t quit your day job…

You’ve lost that lovin’ feeling,
Whoa, that lovin’ feeling,
You’ve lost that lovin’ feeling,
Now it’s gone…gone…gone…wooooooh.

Now there’s no welcome look in your eyes when I reach for you.
And now you’re starting to criticize little things I do.
It makes me just feel like crying, (baby).
‘Cause baby, something in you is dying.

When the week is almost done, and you find yourself staring up from the abyss like El Jefe (see post 1, post 2, post 3, and numerous tweets) what is there to do besides roll over and let the sweet embrace of complacency take you down?

Well.

I could launch into a speech worthy of a summer blockbuster, but that’s not going to do it. The cliches are too many.

The system is such that it will attempt to suck the life right out of you. That’s what it does. Being the paranoid type that you are, you’re focused on those “high order” risks that the rest of the seething mass of humanity around you doesn’t seem to care about.

And at the end of the day, that’s all you’ve got.

I can’t give you a good reason to stay and accept the mediocrity of your employer and your fellow employees.

In time of revolution, with perseverance and courage, a soldier should think nothing impossible.

That line comes to us from Napoleon, and I think he’s got a point. The world is shifting - slowly, but inexorably - towards doing a better job of Information Management. With every FAIL on the part of those entrusted with information, the average joesephine is becoming more aware of the value of her information and less willing to entrust it to the incompetents and fools that are the basis of the remediation work of your life.

Hang in there, change is in the air. Ass will be kicked. And hey, it’s Friday!


I’ve fallen and I can’t get up…

Lifecall Still Frame from Wikipedia

The middle of the week.

The hump.

The point where you’re starting to think of the blessed relief of alcohol coursing through your veins for the weekend.

And yet, there’s so much to do: Monday’s MITs are still on your sheet as incomplete, there are 4 new incident tickets in your queue, and inbox zero is a fond memory of the past?

Yeah.

Same as me.

What to do?

I’ve considered giving up - capitulating - standing on the deck of the ship in my fishnet outfit and signing some sort of unconditional surrender.

I decided this morning that I wouldn’t go there. Especially not the fishnet. You can thank me later.

Instead, I’m going to divide and conquer. I’m going to put on some headphones, hang up the DND sign, hop on the internet and surf around looking for more ideas on how to be productive… no. wait. not that.

Pick up one thing, do it.

Then repeat.

And remember that it’s almost the weekend.

If you don’t count Thursday and Friday.


Do your REAL job…

CC from anjouwu - User Error: Replace User (http://flickr.com/photos/anjouwu/)
In an effort to keep El Jefe off guard, here’s the return of what was supposed to be a feature… back when I did the first one.

It’s a Monday morning in my part of the universe, and I’d like it to be the kind of Monday morning where good things happen for you all too.

In this week’s episode of “Do your REAL job…” we’re again going to pull ourselves out of the weeds and have a look at what today’s IT Security Professional should be doing with some of that rare spare time.

It’s time to re-evaluate your Threat Profile…


Don’t quit your day job…

In this episode… the triumphant return!

Previously on LSD…

There are many copies…

Sigh.

So it’s been a while since I’ve posted. Something that El Jefe Lewis (over there with the smirk) takes up with me every.damn.time.we.talk.

So I’m working to remedy that.

This week, in reasons that you shouldn’t walk away from the steaming heap of nonsense that is your day job, I’d like to relate a little story. It’s a story with good guys, bad guys, challenges, and solutions. Also, it does not have Ewoks.

Ewok from Wookieepedia


Database Administration Security Strategy

From Computer Weekly:

Given the vital importance of the information held within corporate and government databases it is surprising that the security of these databases is often of unknown provenance, at least as far as those charged with information security duties are concerned.

I am not setting out to offend an entire section of the IT industry by picking on database administrators. However, I believe database administrators and security managers need a better mutual understanding so that the security of these vital resources can be improved without overly impacting database performance.

One of the common refrains I hear from database administrators is that they are unable to implement security mechanisms as the associated performance hit is too high. It is not my intention to explore the various intrinsic database security mechanisms or to discuss their strengths and weaknesses. My purpose here is to suggest methods of securing information while shifting the burden of securing databases from the administrators and not excessively impacting performance.

This is a refrain that I myself have heard time and again. I have also had database admins lie to my face, confident that I didn’t know anything about Oracle. I’m no database kung fu specialist, but I have read enough of Litchfield and Finnigan to know they were blowing sunshine up my backside.

So, who has the keys to your data?

Read on.

Article Link


DHS ‘Cyber Security Czar’, No Experience Required


Here is a story from last week (March 19) that I missed, but thanks to Bruce Schneier, I’m now standing here scratching my head. It turns out that the Bush administration will tap Rod A. Beckstrom “to head a new inter-agency group charged with coordinating the federal government’s efforts to protect its computer networks from organized cyber attacks.” Maybe I’m a little confused, but isn’t that part of what the DHS does?

From the Washington Post

The new inter-agency group, which will coordinate information sharing about cyber attacks aimed at government networks, is being created as part of a government-wide “cyber initiative” spelled out in a national security directive signed in January by President Bush, according to the sources, who asked to remain anonymous because they did not have permission to talk publicly about the information.

The presidential directive expanded the intelligence community’s role in monitoring Internet traffic to protect against a rising number of attacks on federal agencies’ computer systems. According to the sources, the center will be charged with gathering cyber attack and vulnerability information from a wide range of federal agencies, including the FBI, the National Security Agency and the Defense Department. Beckstrom will report directly to Homeland Security Secretary Michael Chertoff.

Reached via phone Wednesday evening, Beckstrom declined to provide any specifics about his new position, saying only, “I’m thrilled to be on the DHS team, and I am looking forward to doing my best to serve the country.”

The White House and the Department of Homeland Security declined to comment.

OK, leadership is a good thing, but what of his resume? Well, Beckstrom is the author of a book entitled “Starfish and the Spider: The Unstoppable Power of Leaderless Organizations”. He also founded the wiki company Twiki.net. So, he has management experience. But wouldn’t one surmise that the role should have a person with security experience? Beckstrom apparently has none. I’m of two minds here. I have seen non-security folks run teams and do a fantastic job. That being said, I have also seen the opposite with disastrous results.

Basically this has all the hallmarks of a corporate leader being tapped for a thankless job for which he has no experience.

A phrase just keeps rattling around in my head.

How does it go again?

Oh yeah, “Brownie, you’re doing a heck of a job”

Article Link

A Closer Look At Trust

From GCN:

When Richard Kemmerer first joined the board of Microsoft’s Trustworthy Computing Academic Advisory initiative as one of its inaugural members, he had a caveat for the software giant.

“One of the things I told (Microsoft) was that if you’re looking for a yes man, you’re barking up the wrong tree, looking in the wrong place, you got the wrong guy. I’m going to call it like I see it.”

Looking back over five years as a member of the panel, which is charged with (among other things) shoring up security, Kemmerer — currently a professor of computer science at University of California at Santa Barbara (UCSB) — still feels the same way in making what he calls a fair assessment of software and security personnel in Redmond. While he’s swift to laud the accomplishments made with the project and with the evolution of Microsoft products and services, he says, “Where security is concerned, there is still a long way to go.”

Indeed, as Microsoft celebrates half a decade of the program’s existence calling upon expertise from Kemmerer and other scholars and experts from as far away from Redmond as Tokyo and London, there remains a basic inconsistency between convenience of use and computer security that many believe can never be fully rectified. In the same way that a car alarm may lock a person out of a car for security reasons, Microsoft applications such as Internet Explorer have been known to inflict similar headaches on users recently. Additionally, some IT practitioners have suggested that Microsoft needs to help educate end users in a manner far more comprehensive than its monthly security bulletins.

To that end, Microsoft believes it’s the IT community’s job to stay on top of things and that the aim of the Trustworthy Computing movement is to gather the best objective research to achieve that goal.

Read on

Article Link


Got An SLA For Your Web Apps?

Juan Carlos Perez has an interesting piece about service level agreements with web apps. A lot of people tend not to think of this aspect until after the fact. I’ve seen cases where a company purchased the “shiny machine that goes ping” only to find out that it would be down 28% of the time. Not a good number to run on when your business is web facing.

From Infoworld:

As SaaS (software as a service) adoption rises in the workplace, business managers mustn’t overlook a key issue when selecting a Web-hosted applications suite: a service-level agreement.

Such contractual agreements, known as SLAs, bind the SaaS provider to meet specified levels of service. An SLA can address various aspects of the service, such as application uptime and performance, as well as data security, backup, recovery, and integrity. The SLA outlines penalties — often in the form of credits — if certain standards aren’t met.

An SLA is of particular importance for a hosted application, since in that case, the customer is giving up control over the software and, thus, has little or no power to fix problems that arise on the SaaS vendor’s end.

In other words, a business manager must make sure that a selected SaaS vendor can provide the level of reliable service the company needs. “IT [and business] managers need to understand the consequences for their operations if there’s a problem. [They should] determine what downtime they can tolerate and compare that with what the vendor is offering,” says Eric Maiwald, a Burton Group analyst.

Once a contract is signed and the hosted applications are implemented and woven into a company’s workflow, migrating away to another provider will be costly and time-consuming.

I’ve been fortunate not to have encountered this particular problem first hand. However, I have seen it in other companies. The SaaS web app with the pretty graphics could be a dud. Get your SLA squared away before you sign on the dotted line.

Article Link

