<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>

<channel>
	<title>RiskBloggers.com</title>
	<atom:link href="http://www.riskbloggers.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.riskbloggers.com</link>
	<description>Security Wisdom Ahead of the Curve</description>
	<pubDate>Tue, 26 Aug 2008 15:33:15 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.6.1</generator>
	<language>en</language>
			<item>
		<title>VM Random Fear</title>
		<link>http://www.riskbloggers.com/jimreavis/2008/08/vm-random-fear/</link>
		<comments>http://www.riskbloggers.com/jimreavis/2008/08/vm-random-fear/#comments</comments>
		<pubDate>Tue, 26 Aug 2008 15:33:15 +0000</pubDate>
		<dc:creator>Jim.Reavis</dc:creator>
		
		<category><![CDATA[Articles]]></category>

		<category><![CDATA[Future Forecast]]></category>

		<guid isPermaLink="false">http://www.riskbloggers.com/?p=315</guid>
		<description><![CDATA[I have been thinking a lot about virtual machine platforms like VMWare and Xen, and whether they presented an imminent or long term threat.  Virtual security is getting a lot of attention.  Though not as technical as I used to be, I did sit through 2 of the 3 presentations by Invisible Things Labs at [...]]]></description>
			<content:encoded><![CDATA[<p>I have been thinking a lot about virtual machine platforms like VMWare and Xen, and whether they present an imminent or long-term threat.  Virtual security is getting a lot of attention.  Though not as technical as I used to be, I did sit through 2 of the <a title="Invisible Things Labs Presentations" href="http://invisiblethingslab.com/bh08/" onclick="javascript:pageTracker._trackPageview('/outbound/article/invisiblethingslab.com');" target="_blank">3 presentations by Invisible Things Labs</a> at Black Hat, and the possibility of subverting the hypervisor.  Today, I see these attacks as more theoretical to launch from the outside, but it really isn&#8217;t too hard to imagine someone putting the pieces together and creating malware that gets inside a VM server farm or fools a Xen sysadmin into installing it himself.  When you go from practically no VM presentations at previous years&#8217; Black Hats to a whole track this year, it seems more likely that we are only waiting for the hacker market to decide that virtual servers are pervasive enough that money can be made from exploiting them.</p>
<p>Here is where I am having a little bit of a mindset shift.  Because virtualization drives consolidation (side note: I attended an investor conference where a VMWare guru talked about the efficiencies of theoretically collapsing 1,000 servers into 10 with VMWare - I wonder how that helps parent company EMC sell more storage!), more valuable data will reside within fewer entities, such as Amazon EC2 (Elastic Compute Cloud), which has standardized on Xen.  So, I expect the bad guys to actually focus on attacking entities like EC2 as a matter of economics, which means they aren&#8217;t just profiling the attack surface of the underlying hypervisor, but the enabling technology and processes wrapped around the virtual machine platform for provisioning, management, etc., which may or may not be as well vetted as core VM components.  So, while I do think there is a reasonable, if not perfect, focus on securing the hypervisor, I see these pseudo-application layer attacks targeted at the virtual infrastructure providers as both inevitable and profitable.  We need some level of reorientation of our focus on virtual security.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.riskbloggers.com/jimreavis/2008/08/vm-random-fear/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Outsourcing costs and psychology and CVE (3 for 1)</title>
		<link>http://www.riskbloggers.com/jimreavis/2008/08/outsourcing-costs-and-psychology-and-cve-3-for-1/</link>
		<comments>http://www.riskbloggers.com/jimreavis/2008/08/outsourcing-costs-and-psychology-and-cve-3-for-1/#comments</comments>
		<pubDate>Wed, 20 Aug 2008 03:50:34 +0000</pubDate>
		<dc:creator>Jim.Reavis</dc:creator>
		
		<category><![CDATA[Articles]]></category>

		<category><![CDATA[That Old Problem]]></category>

		<guid isPermaLink="false">http://www.riskbloggers.com/?p=311</guid>
		<description><![CDATA[By Kurt Seifried (I am posting for him because he is too damn lazy)
So I&#8217;ve been dealing with CVE (http://cve.mitre.org/) for several years now, first as an &#8220;oh that&#8217;s neat&#8221; and later as an &#8220;if we comply with this standard, I will feel 37% less suicidal&#8221; (which is a good thing, finding competent tech writers [...]]]></description>
			<content:encoded><![CDATA[<p>By Kurt Seifried (I am posting for him because he is too damn lazy)</p>
<p>So I&#8217;ve been dealing with CVE (<a href="http://cve.mitre.org/" onclick="javascript:pageTracker._trackPageview('/outbound/article/cve.mitre.org');" target="_blank">http://cve.mitre.org/</a>) for several years now, first as an &#8220;oh that&#8217;s neat&#8221; and later as an &#8220;if we comply with this standard, I will feel 37% less suicidal&#8221; (which is a good thing, finding competent tech writers is tricky). I used to email Steve Christey with additions and corrections, but then lost the will to live for a little while (here&#8217;s a hint: making a tech writer write essentially the same thing over and over 10 times a day for 6 years will literally suck the life from them).</p>
<p>I recently had an opportunity to talk to Christey, who, like most of us, has a finite budget and a virtually infinite amount of work to do. Myself, I&#8217;d like to be able to apply CVE numbers to issues that do not yet have a CVE number. A match made in heaven or simply two people struggling to do their own thing? A match made in heaven: I talked to Christey about him outsourcing some of his work (i.e. giving blocks of CVE numbers to people, not for new issues, but for application to known issues), which has the benefit of giving him what he wants (more CVE submissions with minimal work) and giving me what I want (applying CVE numbers to issues I need to track).</p>
<p>Chances are I will get what I want, even if Christey reads this (which is pretty likely since I&#8217;m emailing him a copy). Why? Because I&#8217;m making sure he gets what he wants. Ultimately I can&#8217;t make anyone do what I want them to; I can certainly encourage them (for example by holding their family hostage), and I cannot force them to, as evidenced by the movie &#8220;Firewall&#8221; – no, seriously.</p>
<p>Open Source is a perfect example of outsourcing costs: everybody gets what they want (I get free software, the project gets updates and bug fixes). So why not apply this to other aspects of your life? No seriously, why not? Some people call this &#8220;win-win&#8221;, others call this &#8220;NLP&#8221;. Whatever you call it, if everyone involved gets what they want, then everyone goes home happy.</p>
<p>&#8220;Security isn&#8217;t a dirty word…. Crevice is a dirty word. Security isn&#8217;t.&#8221;</p>
<p>A free beer to the first person to identify the quote. Conditions and rules may apply. Offer not valid where cash, credit or debit is accepted.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.riskbloggers.com/jimreavis/2008/08/outsourcing-costs-and-psychology-and-cve-3-for-1/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Georgian conflict goes Cyber</title>
		<link>http://www.riskbloggers.com/jimreavis/2008/08/georgian-conflict-goes-cyber/</link>
		<comments>http://www.riskbloggers.com/jimreavis/2008/08/georgian-conflict-goes-cyber/#comments</comments>
		<pubDate>Tue, 12 Aug 2008 12:26:14 +0000</pubDate>
		<dc:creator>Jim.Reavis</dc:creator>
		
		<category><![CDATA[Articles]]></category>

		<guid isPermaLink="false">http://www.riskbloggers.com/?p=304</guid>
		<description><![CDATA[As we should be able to predict by now, the Russian incursion into Georgia has extended into the Internet as well, defacing Georgian sites and disrupting Internet service.  Unfortunately, it is too cheap and easy not to launch attacks, and for all our investments in technical defenses, we seem only able to be able to [...]]]></description>
			<content:encoded><![CDATA[<p>As we should be able to predict by now, the Russian incursion into Georgia has <a title="Georgia" href="http://bits.blogs.nytimes.com/2008/08/11/georgia-takes-a-beating-in-the-cyberwar-with-russia/?ref=business" onclick="javascript:pageTracker._trackPageview('/outbound/article/bits.blogs.nytimes.com');" target="_blank">extended into the Internet as well</a>, defacing Georgian sites and disrupting Internet service.  Unfortunately, it is too cheap and easy not to launch attacks, and for all our investments in technical defenses, we seem only able to perform post facto analysis.  Welcome to the future.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.riskbloggers.com/jimreavis/2008/08/georgian-conflict-goes-cyber/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Significant Trends or Outliers?</title>
		<link>http://www.riskbloggers.com/jimreavis/2008/08/significant-trends-or-outliers/</link>
		<comments>http://www.riskbloggers.com/jimreavis/2008/08/significant-trends-or-outliers/#comments</comments>
		<pubDate>Tue, 05 Aug 2008 19:26:38 +0000</pubDate>
		<dc:creator>Jim.Reavis</dc:creator>
		
		<category><![CDATA[Articles]]></category>

		<guid isPermaLink="false">http://www.riskbloggers.com/?p=297</guid>
		<description><![CDATA[I am finishing up the excellent Pacific Crest Tech Forum in Vail and getting ready to head over to Black Hat in Vegas.  A couple of items I am going to be thinking about on the flight over:
Vasco disclosed that they are providing the new strong authentication token for Blizzard Entertainment&#8217;s World of Warcraft gamers [...]]]></description>
			<content:encoded><![CDATA[<p>I am finishing up the excellent Pacific Crest Tech Forum in Vail and getting ready to head over to Black Hat in Vegas.  A couple of items I am going to be thinking about on the flight over:</p>
<p><a href="http://www.vasco.com/" onclick="javascript:pageTracker._trackPageview('/outbound/article/www.vasco.com');">Vasco</a> disclosed that they are providing the <a href="http://eu.blizzard.com/en/press/080626-ba.html" onclick="javascript:pageTracker._trackPageview('/outbound/article/eu.blizzard.com');" target="_blank">new strong authentication token for Blizzard</a> Entertainment&#8217;s World of Warcraft gamers and that it is selling well so far.  An interesting uptake of tokens on the consumer side.</p>
<p><a title="Microsoft" href="http://www.bsiamerica.com/en-us/About-BSI/News-Room/News/Microsoft-Earns-ISO-27001-Certification/" onclick="javascript:pageTracker._trackPageview('/outbound/article/www.bsiamerica.com');" target="_blank">Microsoft announced</a> that they have achieved ISO 27001 certification.  Will others follow?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.riskbloggers.com/jimreavis/2008/08/significant-trends-or-outliers/feed/</wfw:commentRss>
		</item>
		<item>
		<title>ISSA/ISACA Webinar with Liu and Kaminsky Aug 7</title>
		<link>http://www.riskbloggers.com/jimreavis/2008/08/issaisaca-webinar-with-liu-and-kaminsky-aug-7/</link>
		<comments>http://www.riskbloggers.com/jimreavis/2008/08/issaisaca-webinar-with-liu-and-kaminsky-aug-7/#comments</comments>
		<pubDate>Fri, 01 Aug 2008 21:46:01 +0000</pubDate>
		<dc:creator>Jim.Reavis</dc:creator>
		
		<category><![CDATA[Just Thumbed In]]></category>

		<guid isPermaLink="false">http://www.riskbloggers.com/?p=294</guid>
		<description><![CDATA[Dan Kaminsky and Cricket Liu are going to be covering the DNS cache poisoning issue currently raging.  You can go here to register.
]]></description>
			<content:encoded><![CDATA[<p>Dan Kaminsky and Cricket Liu are going to be covering the DNS cache poisoning issue currently raging.  You can <a title="DNS" href="http://mediazone.brighttalk.com/event/ISACA/28dc6b0e1b-1721-intro" onclick="javascript:pageTracker._trackPageview('/outbound/article/mediazone.brighttalk.com');" target="_blank">go here to register</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.riskbloggers.com/jimreavis/2008/08/issaisaca-webinar-with-liu-and-kaminsky-aug-7/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Party like it&#8217;s 1993</title>
		<link>http://www.riskbloggers.com/jimreavis/2008/07/party-like-its-1993/</link>
		<comments>http://www.riskbloggers.com/jimreavis/2008/07/party-like-its-1993/#comments</comments>
		<pubDate>Sun, 27 Jul 2008 05:18:14 +0000</pubDate>
		<dc:creator>Jim.Reavis</dc:creator>
		
		<category><![CDATA[Articles]]></category>

		<category><![CDATA[Firewall 2.0]]></category>

		<category><![CDATA[Future Forecast]]></category>

		<guid isPermaLink="false">http://www.riskbloggers.com/?p=287</guid>
		<description><![CDATA[I don&#8217;t know how you spend your weekends, but I seem to need to use the downtime to clean up my email folders.  While going through the many security email newsletters I subscribe to, an ad for some sort of blocking device caught my eye with a fairly bold statement:
See how new technology can [...]]]></description>
			<content:encoded><![CDATA[<p>I don&#8217;t know how you spend your weekends, but I seem to need to use the downtime to clean up my email folders.  While going through the many security email newsletters I subscribe to, an ad for some sort of blocking device caught my eye with a fairly bold statement:</p>
<p style="text-align: center;"><strong><em>See how new technology can block Facebook and MySpace once and for all!</em></strong></p>
<p>There is something vaguely &#8220;English as a second language&#8221; about the ad, but no matter.  What got my attention about this claim was the notion that this message might actually appeal to information security professionals with money who don&#8217;t reside in the People&#8217;s Republic of China.  Is this really a compelling product feature in 2008 or did I stumble upon an industry wannabe who is going to fail miserably?</p>
<p>My career went on the information security offramp some time around 1993.  My primary profession as a network architect, helping enterprises integrate their computer networks with mainframes, minicomputers and now the Internet, took a fateful turn.  The excitement of being on the Internet quickly turned into the terror of being on same.  The IT departments that hired me to install 3270 gateways now were asking me to install firewalls to tame this beast.  We had a lot of fun in those early days, but one customer in particular stood out.  My main point of contact was an IT administrator with an IQ of about 200.  He asked me to set up the firewall with all rules disabled, reasoning that people would let him know what they needed the Internet for and he would best be able to implement a rule set with a &#8220;deny all except that which is explicitly permitted&#8221; design.  Funny enough, people did let him know, to the point that he almost firewalled himself out of a job.  As it turned out, this company had some visionaries that were betting the business on the Internet, and taking a few risks was not out of the question.</p>
<p>Which brings me back to 2008.  I have an outpost on a few of the popular social networks out there.  I am far from a power user; some of my friends certainly have more interesting lives and keep their profiles filled with cool stuff, although many of them seem to Twitter which airport they are in way too much.  My kids were early adopters and still use them, but are mostly bored of them and are on to other things.  But I get it.  I see the power of the serendipitous discoveries, mobilizing the masses and how talented people can leverage social networks for fun, profit and even altruistic causes.  Even I have used a social network to conduct real, useful business.  I would wager in your business that the top 10% of your employees use social networks more than the bottom 10%.  So, are information security professionals really spending their days trying to block Facebook?  I really hope not; the risks a social network poses to your business are probably a lot less than the risk of ostracizing the top 10% of your workers.  I think even the horror stories of the exploitation of children through social networks are likely way overblown, strictly from a numbers perspective.</p>
<p>The Web 2.0 technology popular social networks use is complex, and does in fact create a target-rich environment for hackers to attack networks.  However, the proper formulation of our security strategy should be to make social networking safer and more effective, so an organization can increase its innovation and productivity.  That&#8217;s risk management.  Or, we can marginalize ourselves and party like it&#8217;s 1993.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.riskbloggers.com/jimreavis/2008/07/party-like-its-1993/feed/</wfw:commentRss>
		</item>
		<item>
		<title>New BlackBerry Marketing Campaign Idea: Helps you pick up hot chicks</title>
		<link>http://www.riskbloggers.com/jimreavis/2008/07/blackberry-helps-you-pick-up-chicks/</link>
		<comments>http://www.riskbloggers.com/jimreavis/2008/07/blackberry-helps-you-pick-up-chicks/#comments</comments>
		<pubDate>Sun, 20 Jul 2008 23:25:24 +0000</pubDate>
		<dc:creator>Jim.Reavis</dc:creator>
		
		<category><![CDATA[Articles]]></category>

		<guid isPermaLink="false">http://www.riskbloggers.com/?p=285</guid>
		<description><![CDATA[According to this article in the Times Online, an aide to UK Prime Minister Gordon Brown had his BlackBerry stolen in Shanghai.  While partying down at a disco in a local trendy hotel, the aide danced the night away with an attractive young lady who only had eyes for him - apparently.  Come the next [...]]]></description>
			<content:encoded><![CDATA[<p>According to <a title="Stolen BlackBerry" href="http://www.timesonline.co.uk/tol/news/politics/article4364353.ece" onclick="javascript:pageTracker._trackPageview('/outbound/article/www.timesonline.co.uk');" target="_self">this article</a> in the Times Online, an aide to UK Prime Minister Gordon Brown had his BlackBerry stolen in Shanghai.  While partying down at a disco in a local trendy hotel, the aide danced the night away with an attractive young lady who only had eyes for him - apparently.  Come the next morning, the BlackBerry and the lady - in actuality a Chinese agent - were nowhere to be seen.  Alas, it was the smart phone that was the object of her desire, not Mr Brown&#8217;s dancing assistant.  No matter, one night of action might be more than many bureaucrats experience in quite a while.  I suggest RIM somehow work this into a marketing campaign - the latest BlackBerry works better than expensive cologne on the ladies; they just need to make sure that encryption comes standard in models designed to be stolen.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.riskbloggers.com/jimreavis/2008/07/blackberry-helps-you-pick-up-chicks/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Sponsored Posting: What is GRC and why should I care?</title>
		<link>http://www.riskbloggers.com/neupart/2008/07/sponsored-posting-what-is-grc-and-why-should-i-care/</link>
		<comments>http://www.riskbloggers.com/neupart/2008/07/sponsored-posting-what-is-grc-and-why-should-i-care/#comments</comments>
		<pubDate>Fri, 18 Jul 2008 02:09:09 +0000</pubDate>
		<dc:creator>Neupart</dc:creator>
		
		<category><![CDATA[Articles]]></category>

		<category><![CDATA[Neupart]]></category>

		<category><![CDATA[Sponsored By]]></category>

		<guid isPermaLink="false">http://www.riskbloggers.com/?p=273</guid>
		<description><![CDATA[Sponsored by Neupart, the ERP of Security
Governance, Risk Management and Compliance (GRC) could arguably be nominated as the buzzphrase of the year.  Analysts, vendors and the media are touting GRC as a key overarching strategy to transform the modern corporation.  What is GRC and is it useful to your business?
As popular as GRC [...]]]></description>
			<content:encoded><![CDATA[<p style="text-align: left;"><em>Sponsored by <a title="Neupart" href="http://www.neupart.com/" onclick="javascript:pageTracker._trackPageview('/outbound/article/www.neupart.com');" target="_self">Neupart</a>, the ERP of Security</em></p>
<p>Governance, Risk Management and Compliance (GRC) could arguably be nominated as the buzzphrase of the year.  Analysts, vendors and the media are touting GRC as a key overarching strategy to transform the modern corporation.  What is GRC and is it useful to your business?<a title="Neupart" href="http://www.neupart.com/" onclick="javascript:pageTracker._trackPageview('/outbound/article/www.neupart.com');" target="_blank"><img class="alignright" style="border: 0pt none; margin: 5px;" title="Neupart - the ERP of Security" src="http://www.neupart.com/i/logos/LogoTagN.jpg" alt="" width="135" height="38" /></a></p>
<p>As popular as GRC seems to be, it defies an easy and universal definition.  The conventional wisdom is that the organizational overhead from onerous governance requirements and a checklist approach to compliance hurts the organization, making it less secure and less competitive.  We recommend that you think of GRC as aligning and integrating each of the three components to improve the quality of results each component provides.  <a href="http://www.oceg.org/" onclick="javascript:pageTracker._trackPageview('/outbound/article/www.oceg.org');">OCEG</a>, a non-profit association championing GRC, uses the term “Principled Performance” to describe this concept.  PwC, who first coined the term, uses “Integrity-Driven Performance”.</p>
<p>There clearly is some logic and common sense embedded in the definition.  Take the example of a vulnerability assessment of IT assets that must be conducted for compliance purposes.  A vulnerability assessment of a large enterprise will typically create a huge report of compliance tasks that will be difficult to accomplish.  Using risk management can help cut down the tasks to those that really matter, streamlining compliance.</p>
<p>One problem with some approaches to GRC is that they are so comprehensive in scope that it is literally business process re-engineering on a massive scale.  Organizations are reluctant to undertake huge initiatives that are not clearly aligned with the business in the name of improving performance, as the business case data is only beginning to emerge.</p>
<p>At Neupart, our view is it is not about buying into the GRC hype, but asking yourself whether or not some of the GRC research can be applied in your company in an incremental way.  We feel there are some sound principles flying under the GRC banner which are useful for those with responsibilities in areas such as IT compliance, information security and operational risk.  Our view is that the application of special purpose content management technology with workflow capabilities – such as that developed by Neupart – can solve problems that save you from a significant amount of redundant manual work:</p>
<ul>
<li><strong>Repeatable Audits and Risk Assessments.</strong> The ability to capture compliance audit and risk assessment tasks and responsibilities within a workflow system allows you to save significant time and money if those projects ever need to be repeated – which is almost always the case.</li>
<li><strong>Rationalization of IT controls.</strong> Documenting all IT controls and mapping them to frameworks such as COBIT and ISO27002 can allow an organization to identify overlapping and redundant controls.  Rationalizing controls can streamline processes, eliminate unnecessary hardware and software and focus your employees on more productive work.</li>
<li><strong>Standards compliance.</strong> Using technology to map your corporate policies to recognized standards simplifies the job of defending your business practices to new regulators and business partners – “future proofing” your compliance.</li>
</ul>
<p>We believe that the concepts of GRC should be applied pragmatically, with a low cost barrier to entry, mindful of the big picture.  We encourage you to look at GRC implementation one step at a time and Neupart would be delighted to be your GRC partner.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.riskbloggers.com/neupart/2008/07/sponsored-posting-what-is-grc-and-why-should-i-care/feed/</wfw:commentRss>
		</item>
		<item>
		<title>Black Hat - more than an excuse to get wasted</title>
		<link>http://www.riskbloggers.com/jimreavis/2008/07/black-hat-more-than-an-excuse-to-get-wasted/</link>
		<comments>http://www.riskbloggers.com/jimreavis/2008/07/black-hat-more-than-an-excuse-to-get-wasted/#comments</comments>
		<pubDate>Thu, 17 Jul 2008 19:02:44 +0000</pubDate>
		<dc:creator>Jim.Reavis</dc:creator>
		
		<category><![CDATA[Articles]]></category>

		<guid isPermaLink="false">http://www.riskbloggers.com/?p=266</guid>
		<description><![CDATA[Bill Brenner posted an entry at CSOOnline, Black Hat and the Hype Machine.  Bill is a good guy and I think he generally came to the conclusion that the event is worth the hype.  The devil&#8217;s advocates say that the event is overly hyped, and point to several front page vulnerabilities that have [...]]]></description>
			<content:encoded><![CDATA[<p>Bill Brenner posted an entry at CSOOnline, <a title="Black Hat" href="http://csoonline.com/article/429164/FUD_Watch_Black_Hat_and_the_Hype_Machine" onclick="javascript:pageTracker._trackPageview('/outbound/article/csoonline.com');">Black Hat and the Hype Machine</a>.  Bill is a good guy and I think he generally came to the conclusion that the event is worth the hype.  The devil&#8217;s advocates say that the event is overly hyped, and point to several front page vulnerabilities that have come out of the event that haven&#8217;t amounted to anything.</p>
<p>I look at it from a different perspective, and I have a hard time thinking of significant security breaches of a technical nature that I didn&#8217;t first see the groundwork of at Black Hat.  It is not as simple as crystal ball sessions called Attacks 2012, but if you connect the dots, the Zero-Day vulnerabilities, web hacking and virtually everything else has been pretty well laid out. There are several other good events, like CanSecWest, so I don&#8217;t want to single out BH for kudos, but a security event can&#8217;t control the type of hype created by the mainstream media, which is still very one dimensional about information security.</p>
<p>Although I do very much like Vegas and might not go to it if it were held in Outer Mongolia (are the Pussycat Dolls there?), I actually plan on attending sessions, how about you?</p>
]]></content:encoded>
			<wfw:commentRss>http://www.riskbloggers.com/jimreavis/2008/07/black-hat-more-than-an-excuse-to-get-wasted/feed/</wfw:commentRss>
		</item>
		<item>
		<title>From San Francisco: When Civil Servants Attack!</title>
		<link>http://www.riskbloggers.com/jimreavis/2008/07/from-san-francisco-when-civil-servants-attack/</link>
		<comments>http://www.riskbloggers.com/jimreavis/2008/07/from-san-francisco-when-civil-servants-attack/#comments</comments>
		<pubDate>Tue, 15 Jul 2008 17:51:31 +0000</pubDate>
		<dc:creator>Jim.Reavis</dc:creator>
		
		<category><![CDATA[Articles]]></category>

		<guid isPermaLink="false">http://www.riskbloggers.com/?p=263</guid>
		<description><![CDATA[This is a fairly insane situation.  According to the San Francisco Chronicle, a disgruntled city systems engineer apparently gave himself exclusive root access to systems in the city&#8217;s computer network.  Apparently, this was some sort of an &#8220;insurance policy&#8221; against disciplinary action or termination for poor performance.  It appears as though his poor performance was [...]]]></description>
			<content:encoded><![CDATA[<p>This is a fairly insane situation.  According to the <a title="SF Gate" href="http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2008/07/14/BAOS11P1M5.DTL&amp;tsp=1" onclick="javascript:pageTracker._trackPageview('/outbound/article/www.sfgate.com');" target="_self">San Francisco Chronicle</a>, a disgruntled city systems <img class="alignright" style="float: right; margin: 10px; border: 0px;" src="http://www.riskbloggers.com/wp-content/uploads/2008/07/ds2.jpg" alt="" width="332" height="200" />engineer apparently gave himself exclusive root access to systems in the city&#8217;s computer network.  Apparently, this was some sort of an &#8220;insurance policy&#8221; against disciplinary action or termination for poor performance.  It appears as though his poor performance was related to personal motivation, not inherent skills, as he was smart enough to engineer a monitoring system to track what others were saying about him.</p>
<p>Insider threats have always been an issue.  Generally insiders try to evade system controls, but given how reluctant corporations are to report and prosecute computer crime, what is to prevent more mafia-style shakedowns by narcissistic systems administrators and Dr Strangeloves of the IT department?  Maybe we should think about renaming the &#8220;superuser&#8221; account so prevalent in many systems to the &#8220;systemwideaccessbutdontletitgotoyourhead&#8221; user.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.riskbloggers.com/jimreavis/2008/07/from-san-francisco-when-civil-servants-attack/feed/</wfw:commentRss>
		</item>
	</channel>
</rss>