May 29, 2006
Enterprise Security – IT Security Solutions: Concepts, Practical Experiences, Technologies edited by Fumy and Sauerbrey
This book has the look and feel of a business school textbook, moving from topic to topic in a fairly academic manner. It is a collection of 14 essays by prominent authors on the topics they write about. This allows the book to treat a wide range of concepts while maintaining credibility and a tone of expertise, with the downside that the structure of each essay differs slightly from author to author. As such, it is meant more as a higher-level introduction to the concepts and ideas that swirl around the information security industry, but it is couched in the language of business in the hope that enterprises will adopt a measure of culture change in the area of security. The book seems to have a more European focus, but it is not without value to an American audience.
The book begins with an introduction by the editors laying out what they view as the three areas driving enterprise security and what they hope to accomplish with the book. They finger security threats, creating new business opportunities, and regulatory compliance as the main drivers of security investment for the enterprise. In their experience, the editors see businesses still creating processes and applications designed around speed and convenience, with security being an afterthought. The editors then establish four items they wish to see changed in industry: review of information security requirements, assuming legal liability for poor security practices (it'll never happen), creating a security-aware culture, and security against insider threats. The rest of the book doesn't seem to truly address how to bring these four changes to fruition.
The rest of the book is divided into three sections: (1) Concepts & Trends (better described as emerging security technologies), (2) Practical Experiences, and (3) Technologies & Standards. As far as organization goes, it would seem better to have Practical Experiences come last in the book and address the technologies discussed previously; however, this is not a serious deficiency in the book.
Parts 1 and 3 are presented to the reader from a high-level perspective. They assume little prior technical knowledge and thus are accessible to a wide audience, particularly the business community. They help the reader understand why these technologies are beneficial from an economic standpoint. Readers who are technically savvy may get easily bored by these sections unless they are trying to develop a "business case" for the adoption of security mechanisms in their organization. In that regard, these essays help bridge the gap between "tech heads" and the "pointy-haired management".
The Practical Experiences section is a collection of four case studies of four different organizations facing four different problems. It helps the reader understand the challenges and obstacles in the actual implementation of technologies, and it helps bridge the gap between book-learning and real-world experience. Three of the four essays revolve around PKI and digital identities. It is clear from the focus of the editors that authentication is important to them; however, an expansion of the case studies to cover their other goals would make the text that much more effective.
All in all, the book is a valuable primer for consultants and non-savvy managers who are seeking to get their minds around security and how best to sell the investment in security.
Posted by John Bambenek at 4:59 PM | Comments (0) | TrackBack
March 16, 2006
So how long 'til my CC info hits the web?
I was in a Washington Post article today in which I basically was quoted calling all the online credit card thieves n00bs. I'm starting a pool: how long 'til they DoS me...
John Bambenek, a security incident handler at the Bethesda, Md.-based SANS Internet Storm Center, which monitors hacking trends, agreed. "The reason there is often a delay is that a lot of the people who actually install a lot of these keylogger programs are not that sophisticated," Bambenek said. "In most cases, they're teenage hackers who flip the information to more organized criminal groups for some quick cash."
The scourge of keylogger programs is pervasive and growing, Bambenek said. He recently conducted an analysis for SANS estimating that nearly 10 million U.S. households own a computer that is infected with some type of keystroke logging program. Although not every PC user whose keystrokes are being logged has experienced financial losses -- perhaps because hackers are busy sifting their illicit logs for rare kinds of data -- Bambenek estimates that organized-crime groups have access to roughly $24 billion in bank assets from accounts associated with the owners of those infected machines.
Then there is this article where the reporter only mentioned my comments about porn sites. Awesome.
John Bambenek, a research programmer for the coordinated science lab at the University of Illinois, said some segments of retail on the Internet are not as trustworthy as others. "Porn is particularly bad," he said. "They'll take your credit card information and sell it to someone else. Since they're a dime a dozen, you have no idea who you're dealing with."
Posted by John Bambenek at 9:29 PM | Comments (0) | TrackBack
February 9, 2006
SANS Handler of the Day Diary Up
I got my Internet Storm Center Diary up. 5 critical security updates for Windows coming next Tuesday...
Fun.
Posted by John Bambenek at 7:08 PM | Comments (0) | TrackBack
September 7, 2005
Light Posting Today
I'm busy with my shift at the Internet Storm Center, so probably light posting today.
Posted by John Bambenek at 8:19 AM | Comments (0) | TrackBack
August 11, 2005
TippingPoint: An IPS That Doesn't Work and Support That's Even Worse
I recently got some demo equipment from TippingPoint to evaluate at my office, particularly their intrusion prevention system. This device may work for you, it may not; I simply have no idea because I never got a functioning device. The first one they sent out had major packet loss as soon as I turned on the IPS functionality. After two days they sent out a new one. If that one was even plugged into the network (even in Layer 2 / dumb hub mode), it dropped all packets.
I'm fair: sometimes things get broken in shipping, or maybe you got a bad card, but I wasn't about to give them a third shot. After reporting the second device's problems, it took them a week to get back to me via email to get my address to send out a third device. By then I had already shipped all the devices back. If it takes them a week to get back to me, without phone calls, to tell me what I already know, it is doubtful that their support is up to par if I ever had a problem when this thing got into production.
It is simply not that hard to do rudimentary testing on a device for problems. Hint: if it drops packets, it's broken. It's even less hard for support to give you a courtesy call to let you know they haven't forgotten about your failed and under-warranty device. In the end, they may write the greatest rules in the world, but their devices (or at least their testing of them) suck and their support is deplorable.
Posted by John Bambenek at 8:48 PM | Comments (0) | TrackBack
February 22, 2005
Cyberterrorism does not exist
Singapore ramps up against cyberterrorism
(Begin Rant)
There is no such thing as cyberterrorism. Doesn't exist. It's simply a word people use to either extract grant money or raise taxes. This tendency to label things as "terrorism" is really ridiculous and is fast making it a meaningless word. Let's break it down.
Terrorism... Terrorize... to bring terror to.
There is a reason the word "terror" is in the word. It does not mean, "make someone's life inconvenient", or "cause the loss of money", or "clog up your inbox with spam". Terrorism is the intentional attack on a civilian population with the intent to terrorize, or psychologically manipulate a civilian population.
There is no such thing as cyberterrorism because people will not be wetting themselves over anything that happens to their computer. Sure, inconvenient, perhaps in some cases dangerous, but not terrorism.
Unless and until someone figures out how to send anthrax (and I mean the powder, not the next variant of Bagle) through e-mail, there is no cyberterrorism.
Posted by John Bambenek at 7:34 AM | Comments (0) | TrackBack