Archive for June, 2008

From Schneier on Security…

Security and Human Behavior

Bruce Schneier contributes this very thought-provoking post from the first “Security and Human Behavior” workshop, prompting a discussion of how perception and human psychology affect not only the way people assess their security, but the way security professionals devise solutions for problems. Schneier asserts that “[m]any real attacks on information systems exploit psychology more than technology. […] Technical measures can stop some phishing tactics, but stopping users from making bad decisions is much harder. Deception-based attacks are now the greatest threat to online security.” Agree or disagree?

From Rational Survivability…

VirtSec Not A Market!? Fugghetaboutit!

Christofer Hoff responds to the current discussion among bloggers of whether or not virtualization security is a market unto itself. Hoff’s position: VirtSec is simply the next step in the evolution of the existing InfoSec market.

From Security Fix…

Forty Percent of Web Users Surf With Unsafe Browsers

Some interesting statistics here – from a Swiss study revealing that nearly half of Internet users over an 18-month period were not using the most updated, currently patched version of their web browsers. Brian Krebs at Security Fix takes a stab at explaining why: most browsers have a woefully inadequate process for pushing updates to their users.

From JJ’s Security Uncorked…

Network Based Entitlement… A Rose by Any Other Name

JJ reviews Rohati’s recently announced “Network-based Entitlement Control,” drawing the conclusion that Rohati’s approach to NAC is no different from what can already be accomplished with the traditional hardware solutions currently available.

From Emergent Chaos…

Not quite clear on the subject

This blogger corrects a news story about SSL encryption on the Pirate Bay (a large BitTorrent tracker based in Sweden), explaining that encryption will have no impact on the protection of people using the site: “SSL is a great technology for protecting content. You don’t care that the attacker knows you bought something, you want to protect your credit card number. It’s not very good at protecting the mere act of communication.”

From Andy, IT Guy…

The nick of NAC gave me a paddy whack

Andy writes about the problems his organization has had moving its NAC solution from a testing environment into a live one. His anecdote highlights that no product, no matter how easily implemented, can overcome the “people problems” that exist in so many IT departments.

Frank Cassano has written a series of posts at BlogInfoSec titled “Assessing Your Organization’s Network Perimeter” (see Part 1 and Part 2). We had a quick chat with NCP’s Rene Poot to get his perspective on Cassano’s analysis. Here’s what Rene had to say:

What should be mentioned as (one of the many) details would be that users within a company using WLAN although physically within the confines of the building are to be treated as remote access users. Someone outside on the street with a laptop and a malicious intent should be able to detect and possibly participate within the WLAN if not secured enough, as if they’re within the building and as one of the users. It’s therefore imperative to realize that physical and virtual perimeters do not necessarily coincide!

Another point would be how far do I want to ‘extend the perimeter’ and use the right ‘technology’ to fulfill the requirements:

Incidental access to internal resources can best be facilitated with SSL-VPN access. This allows for limited access to internal resources by those that need it, such as suppliers/consultants/contractors and so on. This doesn’t require the user to install a ‘client’, but merely downloads the code within the browser and uses the browser to access the internal resources, and this access can be carefully controlled centrally on the SSL-VPN gateway.

Conversely, a full-time employee may need to have access to the ‘regular’ resources he would normally have at his desk while he’s on the road. A ‘full access’ or ‘LAN emulation’ (working remotely as if one is sitting at one’s desk) VPN solution would be a better suited option. This would imply that the latter’s work platform is secured; not only the communication between the two points, but the remote user’s device has become an extension of the corporate network perimeter, and thus should be protected accordingly. Why attack the corporate ‘perimeter’ firewall, when one can attack and possibly use a remote access user’s machine as a stepping stone into the corporate network?!

From Rational Survivability…

Verizon Business 2008 Data Breach Investigations Report

Christofer Hoff summarizes and comments on the results of a report culled from over four years and 500 forensic investigations performed by the Verizon Business RISK team. Interesting bits: 73% of breaches resulted from external sources, 83% of attacks were not highly difficult, 85% of breaches were the result of opportunistic attacks, and 87% were considered avoidable through reasonable controls. For more stats and discussion, see the post via the link above.

From Information Security For Your Macintosh…

iPhone security tidbits

Among the tips listed for iPhone security: “[Use] the iPhone’s built-in VPN support where possible.” Perhaps a good place for comment about the iPhone’s known VPN vulnerabilities? Meanwhile, Michael Tsai’s blog quotes what Rich Mogull considers the most notable weakness of the iPhone’s VPN.

From BlogInfoSec.com…

Assessing your Organization’s Network Perimeter (pt. 1)

Frank Cassano outlines a thorough process for assessing an organization’s network perimeter. He advises beginning by reaching a common definition of the term “network perimeter,” obvious as that may sound. Part 2 of Frank’s process is here.

From Rational Survivability…

Security Will Not End Up In the Network…

Hoff showcases a graph of the cycles of security investment, to rebut the pronouncement that “security will end up in the network.” “There’s no end state,” he writes. “It’s a continuum. The budget and operational elements of who ‘owns’ security and where it’s implemented simply follow the same curve. Throw in disruptive innovation such as virtualization, and the entire concept of the ‘host’ and the ‘network’ morphs and we simply realize that it’s a shift in period on the same graph.” The accompanying post outlines a very thorough view of enterprise security.

From StillSecure, After All These Years…

Security – Passive versus active response

Alan Shimel summarizes some key takeaways from the Gartner IT Security Conference, based on conversations with vendors. A theme that emerges is the difference between passive security (reporting data access violations) and active security (blocking them). Shimel suggests that active-response methods will usually encounter resistance in the market before their eventual adoption.

From Securosis.com…

The Good (Yes, Good) And Bad Of PCI

Rich Mogull writes about the pros and cons of PCI – concluding that for all of its faults, PCI is helping security directors get the resources they need from the business – which is why PCI is a positive step in the long term.