<?xml version="1.0" encoding="UTF-8"?><!-- generator="wordpress.com" -->
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	>

<channel>
	<title>it-security &#171; WordPress.com Tag Feed</title>
	<link>http://en.wordpress.com/tag/it-security/</link>
	<description>Feed of posts on WordPress.com tagged "it-security"</description>
	<pubDate>Tue, 08 Dec 2009 02:00:34 +0000</pubDate>

	<generator>http://en.wordpress.com/tags/</generator>
	<language>en</language>

<item>
<title><![CDATA[Why go for Cloud Computing?]]></title>
<link>http://stemi08.wordpress.com/2009/12/07/9/</link>
<pubDate>Mon, 07 Dec 2009 17:55:00 +0000</pubDate>
<dc:creator>Michael Stephenson</dc:creator>
<guid>http://stemi08.wordpress.com/2009/12/07/9/</guid>
<description><![CDATA[Why go for cloud computing? I recently attended a workshop run by ISSA (The Information System Secur]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p><strong>Why go for cloud computing?</strong></p>
<p>I recently attended a workshop run by <a href="http://www.issa-uk.org/">ISSA</a> (The Information System Security Association) on cloud computing, where I was part of a group of security professionals discussing the benefits of cloud computing; in effect asking the question “why would a business want to make use of cloud computing services?” We also went on to consider the risks of taking that step and why you may think twice before considering a cloud computing solution; you should certainly think at least once! – But more of that later.</p>
<p>In this first posting I will look at some of the reasons a business might wish to consider a cloud computing solution.</p>
<p>We can see from the fact that cloud computing is such a hot topic these days that there must be something in it for business. Of course the concept is not new – it is using the same business model that was used in the days of batch computing bureaus, where you get someone else to do your computing and pay for the service. The improvements in networking and the growth of the internet have now made it practicable to offer this service online today.</p>
<p>So what will your business get out of Cloud Computing?</p>
<p><strong>Cost Savings</strong></p>
<p>The benefit that probably sits at the top of the list is cost savings – in today’s economic climate we all need to make savings wherever we can and anything which offers the ability to cut the IT budget is going to be worth looking at. Reducing cost and complexity is shown to be the largest issue facing organisations in the next 12 months according to a recent IDG Research survey carried out for Citrix, and this is one of the things cloud computing can do for your IT operation.</p>
<p>If someone else is running the business application for us then we can reduce the IT infrastructure we need, that means less hardware and software costs, less staff needed to run and maintain our systems – no need for complex and costly software upgrades and patching schedules, and a reduction in power bills with less hardware to run.</p>
<p>We can save on training costs as we don’t need skilled staff to manage our business applications or our IT systems.</p>
<p>The result is that you can not only save, but also move cost from the capital budget to the operations budget, which frees up capital to be focused on core business functions to improve competitiveness.</p>
<p><strong>Improved Quality of Service</strong></p>
<p>Cloud computing also gives us the possibility of better quality of service. Because the provider is delivering the same service to many organisations they have the opportunity to become expert in that service, rather than it being one of the many tens or hundreds of applications the IT department are trying their best to support, usually with too few resources.</p>
<p><strong>Green Credentials</strong></p>
<p>We will also be supporting the world’s Green Environment initiative in that we are reducing our resource consumption – although we are using some resource from the service provider, because they can make economies of scale the final environmental impact should be much smaller.</p>
<p><strong>Business Agility</strong></p>
<p>A major benefit to your business of using cloud computing services is the agility it provides to be able to respond quickly to changing market needs. As business requirements change you can much more easily move to different cloud services or engage new ones to meet your needs, much faster than you would if you had to build a capability in your own data centre. This gives you a huge competitive advantage. It is also a big advantage to start-up companies – a new idea can be brought to market faster by cutting out the need to build a data centre and the relevant business applications. You can buy in the services from existing providers.</p>
<p>So there is a lot to be said for using cloud computing services to improve profitability and give your organisation the competitive edge that may make the difference between success and failure in today’s difficult marketplace.</p>
<p>Of course all these benefits don’t come without a price – and I don’t mean only the service charges – there are risks involved and I will look at these in a future posting.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[When 'Twitter' Becomes Goldfish …]]></title>
<link>http://aashishkunte.wordpress.com/2009/12/07/twitter-becomes-goldfish/</link>
<pubDate>Mon, 07 Dec 2009 07:01:31 +0000</pubDate>
<dc:creator>aashishkunte</dc:creator>
<guid>http://aashishkunte.wordpress.com/2009/12/07/twitter-becomes-goldfish/</guid>
<description><![CDATA[  When &#8216;Twitter&#8217; Becomes Goldfish …   Today&#8217;s cyber world brings you the capabilit]]></description>
<content:encoded><![CDATA[<div class='snap_preview'>
<h1><span style="color:#993300;">When &#8216;Twitter&#8217; Becomes Goldfish …</span></h1>
<p style="text-align:center;">Today&#8217;s cyber world brings you the capability to control a Toast Maker in your kitchen @ California while you stay at a beautiful beach resort in Mauritius!  No wonder… if people stay connected with their Friends n Family and rest of world… just @ their fingertip!!!    The fantastic part of this life is the time and speed at which the information becomes public and instantaneous reflections to the changes made by the user and eventually everyone watching it!<a href="http://aashishkunte.wordpress.com/files/2009/11/twitter_goldfish.jpg"><img class="alignnone size-medium wp-image-30" title="Twitter_Goldfish" src="http://aashishkunte.wordpress.com/files/2009/11/twitter_goldfish.jpg?w=300" alt="" width="300" height="191" /></a></p>
<p>Today I am going to take you through chronicles of when Twitter becomes “Goldfish”!</p>
<p>Cyber Evolutions are not very new to us, as we look back at the first world wide website being published over the internet 40 years ago… We use those innovations to make our life easy, simple and Fast! Of course, the usefulness of the knowledge that is being spread @ fingertips within a fraction of a second is undoubted ….</p>
<p>However, the realities of using such greatest powers come with responsibilities and it follows the characteristics of the Human Nature as it&#8217;s used by Still Humans!</p>
<p>Obviously, a set of like-minded people go separate ways, make different choices and follow the freedom of thoughts and form a group or a community. One of the best parts of human life is Social Networking and we love being together, communicate with each other, express ourselves, we help each other, we care and love each other and we stay with the community.  The same principle goes into the Cyber World today and we can see a lot of opportunities to Connect, Share, Express ourselves and we can practically live a second life in our own way and within the network of our own choice!</p>
<p style="text-align:center;">There is always a dark side attached to the Light, where things go beyond a level of control and a series of human acts to gain more power or to accomplish their desires with an intention or motive… This can be a threat … and that is when the simplicity becomes an easy source for Personal and Confidential Information!  <a href="http://aashishkunte.wordpress.com/files/2009/11/news-2.jpg"><img class="alignnone size-medium wp-image-44" title="News 2" src="http://aashishkunte.wordpress.com/files/2009/11/news-2.jpg?w=300" alt="" width="300" height="261" /></a></p>
<p>Having said that, this may not be the prime purpose of the social networks… however the amount of personal data, pictures, videos and lot of such stuff in there, creates attraction to your profile and by making use of someone&#8217;s information … No matter who we are and what we do … We put ourselves and our valuable information at a risk as long as we keep ignoring the real time essence of public nature attached to the social networks. </p>
<p>Today the dark arts in the cyber world are not limited to a matter of Just for fun thing … but it&#8217;s getting sophisticated and has the capability to become a <strong><span style="color:#993300;">Life Threat</span></strong>.  Let me take you thru some of the real time examples as we see: Using Someone&#8217;s information people exploit a person&#8217;s natural tendency and they trick their victim into performing malicious action.</p>
<p style="text-align:center;">Cyber Bullying has grown up from teasing fun or just hurting emotions … and it has involvement in taking innocent human lives!!! The key factors for the innocent victims losing their lives are that they are repeatedly tormented, harassed, humiliated, embarrassed or otherwise targeted by other people with bad intentions…   <a href="http://aashishkunte.wordpress.com/files/2009/11/news-5.jpg"><img title="News 5" src="http://aashishkunte.wordpress.com/files/2009/11/news-5.jpg?w=300" alt="" width="300" height="280" /></a></p>
<p>&#8220;Twitter&#8221; is a service for friends, family, and co-workers to communicate and stay connected through the exchange of quick, frequent messages.  People can write short updates, which are often called &#8220;tweets&#8221;. These messages are posted to your profile or your blog, sent to your followers, and are searchable on Twitter search.</p>
<p>A few months ago a hacker was able to access a Twitter employee&#8217;s personal e-mail account … once there, the bad guy could access the employee&#8217;s Apps account which contained Documents, Calendars, and other applications and notes used by the employee. Such incidents raise some serious questions – not only about password system security itself, but also consequences and the risk which was not anticipated before.</p>
<p>Social Engineering Attacks are not very new … they have been used since historical times by exploiting a person&#8217;s natural tendency.  Before innovations like the Internet, the attack medium was via telephone, in person, via snail mail etc.  And now online social networks are the additional tools to gain more and sensitive information within a fraction of a second !!<a href="http://aashishkunte.wordpress.com/files/2009/11/social-engg.jpg"><img class="alignnone size-medium wp-image-40" title="Social Engg" src="http://aashishkunte.wordpress.com/files/2009/11/social-engg.jpg?w=300" alt="" width="300" height="123" /></a></p>
<p>Such attacks on the social networking sites are being taken seriously and have legal involvement due to the amount of information stolen and published or misused !!</p>
<p>However the responsibility also lies with us, as we are the users of such great inventions and we admire the flexibility and simplicity by its design itself.<a href="http://aashishkunte.wordpress.com/files/2009/11/design-social-net.jpg"><img class="alignnone size-medium wp-image-32" title="Design Social Net" src="http://aashishkunte.wordpress.com/files/2009/11/design-social-net.jpg?w=300" alt="" width="300" height="279" /></a></p>
<p>Now… the simple question that comes in mind is what can I really do for this???  And I would ask the same question to myself… What I know about the tips and tricks?  <a href="http://aashishkunte.wordpress.com/files/2009/11/what-can-i.jpg"><img class="alignnone size-medium wp-image-31" title="What can I" src="http://aashishkunte.wordpress.com/files/2009/11/what-can-i.jpg?w=300" alt="" width="300" height="287" /></a>Let me tell you some of them ….</p>
<p>I will share and Engage only with those people who I trust!</p>
<p>I will understand more about the Privacy Settings … and spend some time to match it with the level of comfort to my profile and network and I will review them frequently. </p>
<p>Be cautious about posting Cell Phone Number, address, name of your school or school team which can identify and locate you offline.</p>
<p>I will not give away information that could help someone to find me. I will be careful of posting photos with things like car registration plates or identifiable landmarks in them. Look at the backgrounds of the pictures to make sure I am not giving out any identifying information without realizing it.  I avoid posting messages to blogs which say “I usually walk home down the lane by the railway tracks”.</p>
<p>Because there are some people out there who will piece together these little pieces of information about you over a long period of time.</p>
<p>Report users and content that you feel is suspicious to the appropriate channel.</p>
<p>Remember, unless you&#8217;re prepared to attach something in your profile, don&#8217;t post it!<a href="http://aashishkunte.wordpress.com/files/2009/11/online-safety.jpg"><img title="Online Safety" src="http://aashishkunte.wordpress.com/files/2009/11/online-safety.jpg?w=300" alt="" width="300" height="154" /></a></p>
<p>Don’t assume everyone you meet online is who they appear to be … Remember that the positive aspects always outweigh the negative ones !</p>
<p>Some sites and services ask you to post a “profile” with your age, sex, hobbies, and interests. These profiles help you connect and share common interests, but the bad guys can and do use these profiles to search for their victims.</p>
<p>You can’t really “take back” the online text and images you’ve entered. Once online, “chat” and all other web postings become public information. Many web sites are “cached” by search engines, and photos and text can be retrieved long after the site has been deleted.</p>
<p>Block and delete any unwanted messages or friends who continuously leave inappropriate comments. Report these comments to the networking site or Internet Service Provider if they violate that site’s terms of service.</p>
<p>Set privacy so that people can only be added as your friend if you approve it.</p>
<p>Set privacy so that people can only view your profile if you have approved them as a friend.</p>
<p>Remember that posting information about your friends could put them at risk.</p>
<p>Protect your friends also by not posting any names, passwords, ages, phone numbers, school names, or locations. Avoid making or posting plans and activities on your site.<a href="http://aashishkunte.wordpress.com/files/2009/11/think-before.jpg"><img class="alignnone size-full wp-image-41" title="Think Before" src="http://aashishkunte.wordpress.com/files/2009/11/think-before.jpg" alt="" width="221" height="88" /></a></p>
<p>Always remember that what you post online is not private.</p>
<p>Can you imagine yourself working with pen and paper files and using your mechanical typewriter today?</p>
<p>Just imagine the E-Mail System is unavailable to you for 5 days?</p>
<p>You are only allowed to use the internet under your supervisor&#8217;s personal supervision?</p>
<p>I would like to bring in here the value of Information, freedom and usage of Social Networks at the workplace. Official information sharing and Official Documents sharing with friends or related workgroup communities over the internet is getting popular; according to the study, many businesses are still worried about lost productivity and that employees&#8217; activity on social networking could endanger security at the company.</p>
<p>Also a twitter message could be a cyber criminal at work! Some officials say cyber crime has gone beyond the drug trade as a money maker. &#8220;Cyber criminals have been targeting Twitter users by creating thousands of tweets embedded with words involving trending topics and malicious URLs.&#8221; <a href="http://aashishkunte.wordpress.com/files/2009/11/official-information.jpg"><img class="alignnone size-medium wp-image-52" title="Official Information" src="http://aashishkunte.wordpress.com/files/2009/11/official-information.jpg?w=300" alt="" width="300" height="158" /></a></p>
<p>In the United States, the FBI reported a 33 percent increase in Internet crime last year. According to a survey of 1000 firms worldwide, companies lost an average of $4.6 million in intellectual property last year.  Within a fraction of a second, skimmed credit card numbers and other personal-identity information stolen from computers can be found for sale on Web sites, and when police shut these Web sites down, they just mushroom up some other place within the network group somewhere!</p>
<p style="text-align:center;">According to Sophos, around 40% to 50% of all businesses don&#8217;t control access to Facebook, Twitter, and MySpace while few groups of enterprises allow their users to use the more business-oriented LinkedIn.  <a href="http://aashishkunte.wordpress.com/files/2009/11/official-information-21.jpg"><img title="Official Information 2" src="http://aashishkunte.wordpress.com/files/2009/11/official-information-21.jpg?w=300" alt="" width="300" height="242" /></a></p>
<p>However, enforcing policies, procedures, creating controls and compensating controls may not be adequate enough and does not protect the system completely … But when I ask a simple question to myself and start developing myself with the simple habits we discussed in the things I can do, this is going to bring in security and help me in protecting information from social networking attacks online!</p>
<p><span style="color:#3366ff;"><strong>I will sum this up with simple thoughts and a small recap:</strong></span></p>
<ul>
<li> <em><span style="color:#993300;">Being Social is Human Nature; however the Internet is a place where things are very different. The virtual nature of the internet by design brings in risk for your information published!</span></em></li>
<li><em><span style="color:#993300;">As a user, we tend to admire only the simplicity, beauty, and elegance of social networking.  We often ignore simple habits of staying safe. Responsibility lies with us to protect our Information published online!</span></em></li>
</ul>
<p><em>Let’s bring <span style="color:#993300;"><strong>‘Immunity’ </strong></span>under our control by integrating security habits into <span style="color:#993300;">our thoughts, processes and operation.</span></em></p>
<p><em>As we help, care, collaborate and share our contributions back to the community!</em></p>
<p><strong>Consider:  When twitters become like goldfish everyone outside can watch you closely and make use of your information. </strong></p>
<p><strong>So, let twitter ‘buzz’ all over the world, but with &#8220;tweets&#8221; that keep <span style="text-decoration:underline;">you</span> out of danger! </strong><a href="http://aashishkunte.wordpress.com/files/2009/11/press-bird.gif"><img class="alignnone size-full wp-image-39" title="press-bird" src="http://aashishkunte.wordpress.com/files/2009/11/press-bird.gif" alt="" width="121" height="94" /></a></p>
<p>Thank you!  Please leave your comments, thoughts and valuable suggestions here!</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Watch Colm Murphy on The Morning Show - TV3]]></title>
<link>http://practicepr.wordpress.com/2009/12/01/watch-colm-murphy-on-the-morning-show-tv3/</link>
<pubDate>Tue, 01 Dec 2009 10:32:08 +0000</pubDate>
<dc:creator>Rosemarie</dc:creator>
<guid>http://practicepr.wordpress.com/2009/12/01/watch-colm-murphy-on-the-morning-show-tv3/</guid>
<description><![CDATA[The Morning Show &#8211; TV3. Colm Murphy from Irish IT security company Espion explains to Sybil Mu]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p><a href="http://www.tv3.ie/shows.php?request=themorningshow">The Morning Show &#8211; TV3</a>.</p>
<p>Colm Murphy from Irish <a href="http://www.espion.ie">IT security</a> company Espion explains to Sybil Mulcahy the risks of online shopping and shares useful tips for safe Christmas shopping! (it starts at minute 24.25)</p>
<p><a href="http://practicepr.wordpress.com/files/2009/12/colm-murphy-from-espion-on-the-morning-show-with-sybil-mulcahy.jpg"><img class="alignright size-medium wp-image-331" title="Colm Murphy from Espion with Sybil Mulcahy from TV3's The Morning Show" src="http://practicepr.wordpress.com/files/2009/12/colm-murphy-from-espion-on-the-morning-show-with-sybil-mulcahy.jpg?w=300" alt="" width="300" height="225" /></a></p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Interview with @spf13, Steve Francia]]></title>
<link>http://cdmmedia.wordpress.com/2009/11/30/interview-with-spf13-steve-francia/</link>
<pubDate>Mon, 30 Nov 2009 20:41:19 +0000</pubDate>
<dc:creator>Sarah Safranski</dc:creator>
<guid>http://cdmmedia.wordpress.com/2009/11/30/interview-with-spf13-steve-francia/</guid>
<description><![CDATA[&nbsp; Steve Francia, CIO at Portero.com My time on Twitter (@CDMmedia) recently brought me to Steve]]></description>
<content:encoded><![CDATA[<div class='snap_preview'>
<div id="attachment_60" class="wp-caption alignleft" style="width: 175px"><a href="http://cdmmedia.wordpress.com/files/2009/11/spf-hires-headshot.jpg"><img class="size-thumbnail wp-image-60    " title="Steve Francia, CIO at Portero.com" src="http://cdmmedia.wordpress.com/files/2009/11/spf-hires-headshot.jpg?w=150" alt="" width="165" height="121" /></a><p class="wp-caption-text">Steve Francia, CIO at Portero.com</p></div>
<p>My time on Twitter (<a href="http://twitter.com/CDMmedia" target="_blank">@CDMmedia</a>) recently brought me to Steve Francia (<a href="http://twitter.com/spf13" target="_blank">@spf13</a>), CIO at <a href="http://portero.com/" target="_blank">Portero.com</a>, an online retail site that sells pre-owned, luxury goods. Steve&#8217;s blog, <a href="http://spf13.com/" target="_blank">spf13.com</a>, as well as his Twitter feed focus on technology and social media. His IT expertise includes development, technology turnaround, strategy, organizational planning, restructuring, cost reduction, funding, productivity, and the translation of business needs into technical implementation and delivery. My questions below focus on IT security. Enjoy! </p>
<p><strong>What is your security plan for Portero.com in 2010 and how has your strategy changed from the previous year?</strong></p>
<p>My approach to security has consistently been to provide access to the smallest possible group. I joined Portero in late 2007 and stepped into a position where the prior policy had been one of convenience. We decided as a company that one of our primary concerns in 2008 would be security. We established critical policies and held many security focused training meetings. We found this combination provided us excellent compliance with the policies. In 2009 we built on the successful foundation laid by taking a more proactive approach to security.</p>
<p>Success in security is largely conditional on the users following the policies. Through training and effective policies we have brought security to the forefront of our employees’ thoughts. Having laid a solid foundation the prior two years enables us to really utilize 2010. One area we will be focusing on is furthering our disaster recovery plan and abilities. We will continue with the practice of holding user training and education sessions. We will continue to hold self audits.</p>
<p><strong>There have been plenty of stories in the news lately of customers’ information being stolen; what strategies do you use to ensure that Portero’s customer information is safe?</strong></p>
<p>Portero prides itself on trust and authenticity. Naturally, I’d love to say we have this insanely intelligent and complex system and strategy to protect customer or other sensitive data, but in all honesty, this is a romantic, but unrealistic notion. In each story I’m familiar with, each failed to adhere to even the most basic of best security practices. In reality, adhering to the best practices will take you farther than an overly complex system.</p>
<p>Largely, we make sure that all our bases are covered, strictly enforcing best practices including: using secure pass phrases instead of passwords, forbidding customer and other sensitive data from leaving secured servers, restricting all information and access on an absolute need to have basis with fine-grained ACL, all data transfer over secured encrypted tunnels, storing encrypted archives in a secured location, restricting physical access to all server rooms, and keeping all systems patched and up-to-date. Lastly, we hold training sessions to ensure that policies are understood and followed. I could provide a long list, but the point is to cover all your bases, especially the ones that are not enforceable through technology which are all too often forgotten.</p>
<p><strong>You have a blog and are an active Twitter user; what precautions do you take in order to protect your personal information while using these social media sites?</strong></p>
<p>In this, the information age, privacy is rapidly eroding. Generation Y is growing up in this public environment and seems unable to even recognize the loss. We live in an era where so much of our personal information is either public or in the hands of enterprises; to think one could be truly “off the grid” seems unrealistic. So the question becomes, how does one apply the right safeguards to protect their personal life and family?</p>
<p>I realized a few years ago that every professional is a celebrity in their own right in that each has a public brand to maintain. Name/Brand recognition is critically important, and obtainable through social media in a way the world hasn’t seen before.</p>
<p>Personally, I maintain two separate online presences. A professional one via my blog (<a href="http://spf13.com/" target="_blank">http://spf13.com</a>) and sites like LinkedIn and Twitter. I rarely tweet anything about my family or my personal life. On the personal side, I maintain a separate “invite only” family blog. Truly sensitive information is only posted on the blog, which is really only intended for close friends and family. </p>
<p><strong>In your opinion, what is the biggest security concern with regards to cloud computing?</strong></p>
<p>I see two major concerns:</p>
<p>1.  Cloud?</p>
<p>What is a cloud? In the past couple of years, it has become a heavily overused marketing term. Since each “cloud” is built on completely different technologies and concepts, speaking of security as it pertains to “cloud computing” is a dangerous proposition because of how vague the question is. Since each implementation possesses its own unique set of technologies and problems, it’s difficult to have a meaningful discussion on security.</p>
<p>2.  We don’t know what we don’t know yet</p>
<p>It’s obvious why there is all the hype surrounding “cloud computing.” CFOs love it because there is no upfront cost, no depreciation, and a pay for what you use model. But, cloud computing is relatively young and I’d be concerned about putting any mission critical or ultra sensitive information in the cloud. I think people typically think of a cloud as being engineered from the ground up, but in reality, each is composed of piecing together many different pieces, some very mature, some very immature. </p>
<p>We typically understand the points of attack (or vulnerability) in a traditional hosting environment. The cloud with its multi-tenant nature presents all sorts of new potential concerns. The vendor is now providing their (largely) home-built separation layers between customer data and access.</p>
<p>I remember a few years ago people were saying that they didn’t need an SLA from Amazon because their infrastructure was so redundant and reliable and AWS hadn’t had any meaningful outages. Many built businesses on this mentality. Here we are years later, with more mature technology, and a handful of major outages have occurred this year alone, including ones on Amazon and Google. Use common sense. Just because we haven’t yet experienced a widespread security breach in the cloud doesn’t mean that we won’t.</p>
<p>No provider currently has a PCI compliant cloud. Does PCI compliance ensure something is safe, or that something that isn’t PCI compliant isn’t? No. But this does speak to the immaturity of cloud computing that not a single provider has a cloud secure enough to store credit card data.</p>
<p>I believe that the cloud is a fantastic resource and has great potential. I was an early adopter of the AWS cloud when I was at Takkle.com. We built a transcoding farm on EC2 to process a huge volume of user uploaded video. Without EC2 we would have had substantially higher hosting costs, which would have prevented us from incorporating this feature. However we never transmitted any data to EC2 that wasn’t already public, nor did we put any mission critical services on it. We used common sense, mitigated risk and benefited largely as a result.</p>
<p><strong>What security trends and issues do you foresee for 2010?</strong></p>
<p>As budgets have been trimmed industry-wide, my biggest concern is that enterprises shortchange security, gambling with their (or their customers’) data. I don’t believe that anyone intentionally would weaken security, but as staff is thinned out, essential processes become forgotten. Proper training may be elusive. Seemingly small removals here or there could quickly add up to disaster.</p>
<p>As social media and mobile computing converge and continue to penetrate into more aspects of business, privacy will become increasingly challenging to enforce. The smart phones on the market are capable of recording or capturing data of any kind, via camera, audio recording or by acting as a network, Bluetooth, or USB drives. They also have the ability of transmitting and/or broadcasting any of this data instantly and bring their own unmonitored network. Today’s smart phone is the ultimate spy device, even James Bond would be jealous.</p>
<p>Social media is very powerful. Used correctly it can be a fantastic tool. Used incorrectly it can have catastrophic results. People don’t realize that once they hit that send button the tweet, post, message, email, etc. is instantly and irrevocably being broadcast to the entire world. Yes, there may be a delete button, but once it’s public, it is broadcast, copied and cached and that can never be undone.</p>
<p>I think proper education and instruction is the answer here. Proper instruction enables an organization to embrace all the good that social media provides, but even a perfect execution would only minimize the risk. While some groups (e.g. NBA) may be able to control usage of social media, doing so will prove extremely challenging for most businesses.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[FreeBSD 8.0 has been released.]]></title>
<link>http://itpmmn.wordpress.com/2009/11/27/freebsd8/</link>
<pubDate>Fri, 27 Nov 2009 09:28:43 +0000</pubDate>
<dc:creator>lg</dc:creator>
<guid>http://itpmmn.wordpress.com/2009/11/27/freebsd8/</guid>
<description><![CDATA[A few days ago some sites announced that FreeBSD 8 had been released and put it up for download, but F]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p style="text-align:justify;"><a href="http://www.freebsd.org/layout/images/beastie.png"><img class="alignleft" src="http://www.freebsd.org/layout/images/beastie.png" alt="" width="70" height="79" /></a>A few days ago some sites announced that FreeBSD 8 had been released and put it up for download, although FreeBSD had not yet made an official announcement on its own site; today, however, the release of version 8.0 of the FreeBSD operating system was announced officially. I for one have already installed it.</p>
<p>Ganbold has written up the changes and improvements on his site.</p>
<p><em>Source:<a href="http://www.mnbsd.org/article.php?story=20091125100424482">http://www.mnbsd.org/article.php?story=20091125100424482</a></em></p>
<ul>
<li>syscons has been updated, and UTF-8 support on the console is planned for the 8.1 release.</li>
<li>New USB stack. Fixes the problem where the server would hang when a USB flash drive was removed without being unmounted.</li>
<li>The DTrace port has been completed.</li>
<li>New ULE 3.0 scheduler optimised for SMP systems.</li>
<li>superpages support</li>
<li>Ability to build ports in parallel</li>
<li>Jail v2:
<ul>
<li>Multiple IP addresses per jail</li>
<li>IPv6 and SCTP support</li>
<li>Hierarchical jails and the ability to bind jails to CPUs</li>
</ul>
</li>
<li>Xen dom-U and Sun VirtualBox support.</li>
<li>Moved from fdisk/bsdlabel to gpart.</li>
<li>Booting from ZFS is now possible.</li>
<li>Multiple routing table support.</li>
<li>Network stack virtualisation.</li>
</ul>
<p><strong>Download</strong></p>
<table width="431" border="1px">
<thead>
<tr style="text-align:center;">
<td width="76">Platform</td>
<td width="85">Distribution</td>
<td width="45"><a href="http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/install-diff-media.html#INSTALL-CDROM">ISO</a></td>
<td width="47">Release<br />Notes</td>
<td width="61">Hardware<br />Notes</td>
<td width="64">Installation<br />Notes</td>
<td width="69">Errata</td>
</tr>
</thead>
<tbody>
<tr>
<td>&#160;amd64</td>
<td><a href="ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/8.0-RELEASE">[Distribution]</a></td>
<td><a href="ftp://ftp.freebsd.org/pub/FreeBSD/releases/amd64/ISO-IMAGES/8.0/">[ISO]</a></td>
<td rowspan="6">
<div align="center"><a href="http://www.freebsd.org/releases/8.0R/relnotes.html">[View]</a></div>
</td>
<td rowspan="6">
<div align="center"><a href="http://www.freebsd.org/releases/8.0R/hardware.html">[View]</a></div>
</td>
<td rowspan="6">
<div align="center"><a href="http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/install.html">[View]</a></div>
</td>
<td rowspan="6">
<div align="center"><a href="http://www.freebsd.org/releases/8.0R/errata.html">[View]</a></div>
</td>
</tr>
<tr>
<td>&#160;i386</td>
<td><a href="ftp://ftp.freebsd.org/pub/FreeBSD/releases/i386/8.0-RELEASE">[Distribution]</a></td>
<td><a href="ftp://ftp.freebsd.org/pub/FreeBSD/releases/i386/ISO-IMAGES/8.0/">[ISO]</a></td>
</tr>
<tr>
<td>&#160;ia64</td>
<td><a href="ftp://ftp.freebsd.org/pub/FreeBSD/releases/ia64/8.0-RELEASE">[Distribution]</a></td>
<td><a href="ftp://ftp.freebsd.org/pub/FreeBSD/releases/ia64/ISO-IMAGES/8.0/">[ISO]</a></td>
</tr>
<tr>
<td>&#160;pc98</td>
<td><a href="ftp://ftp.freebsd.org/pub/FreeBSD/releases/pc98/8.0-RELEASE">[Distribution]</a></td>
<td><a href="ftp://ftp.freebsd.org/pub/FreeBSD/releases/pc98/ISO-IMAGES/8.0/">[ISO]</a></td>
</tr>
<tr>
<td>&#160;powerpc</td>
<td><a href="ftp://ftp.freebsd.org/pub/FreeBSD/releases/powerpc/8.0-RELEASE">[Distribution]</a></td>
<td><a href="ftp://ftp.freebsd.org/pub/FreeBSD/releases/powerpc/ISO-IMAGES/8.0/">[ISO]</a></td>
</tr>
<tr>
<td>&#160;sparc64</td>
<td><a href="ftp://ftp.freebsd.org/pub/FreeBSD/releases/sparc64/8.0-RELEASE">[Distribution]</a></td>
<td><a href="ftp://ftp.freebsd.org/pub/FreeBSD/releases/sparc64/ISO-IMAGES/8.0/">[ISO]</a></td>
</tr>
</tbody>
</table>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Enterprise IT Security Director]]></title>
<link>http://headhunterbill.wordpress.com/2009/11/25/enterprise-it-security-director/</link>
<pubDate>Wed, 25 Nov 2009 22:51:49 +0000</pubDate>
<dc:creator>bspell</dc:creator>
<guid>http://headhunterbill.wordpress.com/2009/11/25/enterprise-it-security-director/</guid>
<description><![CDATA[Job Duties: Ensuring Daily Operational Needs are Met Develop, maintain, publish, and enforce corpora]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><h2>Job Duties:</h2>
<p><em><span style="text-decoration:underline;">Ensuring Daily Operational Needs are Met</span></em></p>
<ul>
<li>Develop, maintain, publish, and enforce corporate information security standards and guidelines encompassing data and intellectual property security.</li>
<li>Proactively protect the integrity, confidentiality, and availability of information in the custody of, or processed by, the company, providing reports to superiors regarding the effectiveness of network and data security and making recommendations for the adoption of new procedures and technologies as required.</li>
<li>Ensure the company’s ability to maintain IT business continuity by ensuring an up to date, workable, appropriate and practical disaster recovery plan.</li>
<li>Ensure systems are developed and maintained within an enterprise security environment.</li>
<li>Evaluate and remediate areas of risk with the IT organization by working closely with business leaders and Internal Audit and Controls Department.</li>
<li>Execute internal control procedures and exercise initiative to identify and explain variances and unusual items.</li>
</ul>
<p> <em><span style="text-decoration:underline;">Planning</span></em></p>
<ul>
<li>Evaluate, plan, and execute software implementation effectively to meet standards for IT security requirements.  Work with application and project teams to assure all Disaster Recovery, security, and compliance issues are integrated into new applications or updates to existing applications to effectively protect the company.</li>
<li>Design, review, and recommend for approval policies, processes, and procedures to improve operation’s efficiency and safeguard corporate assets.</li>
<li>Stay abreast of the Company’s business to proactively identify potential accounting, reporting, and systems needs.</li>
</ul>
<p> <em><span style="text-decoration:underline;">Communication</span></em></p>
<ul>
<li>Oversee and interact with both external and internal auditors related to financial results, flux analysis, and trend analysis.</li>
<li>Participate in management meetings regarding day-to-day operations and long term strategy of the department.</li>
<li>Manage relationships with external vendors and security experts.</li>
<li>Partner with key stakeholders in Legal, Finance, IT, and others to ensure effective communication and coordination across the enterprise.</li>
<li>Provide, through effective leadership, timely and accurate reporting services to senior management.</li>
<li>Monitor compliance against all policies and appropriately drive remediation activities for non-compliance.</li>
</ul>
<p><em><span style="text-decoration:underline;">Cost Management</span></em></p>
<ul>
<li>Drive improvement in existing processes.  Partner with other process participants to explore improvements and to implement project plans that will deliver best in class workflow and controls.</li>
</ul>
<p> <em><span style="text-decoration:underline;">Business Controls and Policies</span></em></p>
<ul>
<li>Comply with all corporate policies and procedures.</li>
<li>Maintain a “center of excellence” for compliance activities around IT, or identify specific experts within the company as reference points for compliance.</li>
<li>Manage and coordinate compliance for required audits by helping to identify issues, anticipate and solve problems, and provide customer service to internal and external customers based on the ability to prioritize and initiate solutions.</li>
</ul>
<p> <em><span style="text-decoration:underline;">Management of Team</span></em></p>
<ul>
<li>Develop successor to the position.</li>
<li>Manage all staff reporting to the position so as to effectively recruit, train, evaluate, motivate, delegate, and monitor their activities.</li>
<li>Promote independent thinking and sound judgment.</li>
<li>Perform all activities in a safe manner and ensure the safe work practices of those supervised.</li>
</ul>
<h2>Position Knowledge, Skills, and Requirements:</h2>
<p><em><span style="text-decoration:underline;">Education</span></em></p>
<ul>
<li>Bachelor’s Degree in Computer Science or a related field or the equivalent education and/or experience</li>
<li>Highly desirable to hold one or more of the following certifications:
<ul>
<li>Certified Information Systems Auditor (CISA)</li>
<li>Certified Information Systems Security Professional (CISSP)</li>
<li>Certified Information Systems Manager (CISM)</li>
<li>SANS-GIAC certifications</li>
<li>System Security Certified Practitioner (SSCP)</li>
<li>Certified Protection Professional (CPP)</li>
<li>Certified Network Security Professional (CNSP)</li>
</ul>
</li>
</ul>
<p><em><span style="text-decoration:underline;">Experience</span></em></p>
<ul>
<li>Ten (10) years of relevant and progressive IT experience</li>
<li>Four (4) years of security/infrastructure protection and information security audit experience</li>
<li>Three (3) years performing in a leadership role</li>
</ul>
<p> <em><span style="text-decoration:underline;">Other (Highly Desirable)</span></em></p>
<ul>
<li>Solid multi-platform knowledge.  Experience in Windows, Linux, and IP intranet and internet security environments including firewalls, intrusion detection, incident response, policy writing, vulnerability testing, operating system hardening, regulatory compliance and data classification.</li>
<li>Experience with identity management solutions. </li>
<li>Experience architecting and implementing security solutions, policies, and technologies relating to transactional web sites is a plus.</li>
<li>Solid knowledge of Sarbanes Oxley compliance, HIPAA, Payment Card Industry (PCI), corporate security and network policies and procedures, and experience in a compliance management leadership role.</li>
<li>Working knowledge of ISO 17799/27002 Security Standards and SAS 70 auditing techniques.</li>
<li>Experience linking legal and regulatory statutes with corporate policies.</li>
<li>Negotiation skill necessary to successfully resolve differences while maintaining positive working relationships.</li>
<li>Strong sense of importance of maintaining and demonstrating confidentiality with extremely sensitive situations and information.</li>
<li>Excellent written and verbal skills; ability to express complex technical concepts effectively, both verbally and in writing.</li>
<li>Create an atmosphere where employees succeed and contribute to a high performance team.</li>
<li>Capable of managing the current business needs while planning and forecasting for future needs.</li>
<li>Exceptional organizational skills as well as detail and results-oriented while remaining cognizant of the overall goals and vision.</li>
<li>Strong multi-tasking skills necessary to prioritize and achieve results in a fast paced, dynamic environment.</li>
</ul>
<p><a href="http://headhunterbill.wordpress.com/contact-me/" target="_self">Contact me</a> if you are interested. Questions can be posed as a comment below or directly to me.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Shoppers urged to be cautious as Cyber Monday looms]]></title>
<link>http://practicepr.wordpress.com/2009/11/24/shoppers-urged-to-be-cautious-as-cyber-monday-looms/</link>
<pubDate>Tue, 24 Nov 2009 12:34:36 +0000</pubDate>
<dc:creator>Rosemarie</dc:creator>
<guid>http://practicepr.wordpress.com/2009/11/24/shoppers-urged-to-be-cautious-as-cyber-monday-looms/</guid>
<description><![CDATA[As Cyber Monday looms, Irish information security company Espion is urging shoppers to be cautious w]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>As Cyber Monday looms, Irish <a href="http://www.espion.ie">information security</a> company Espion is urging shoppers to be cautious when buying Christmas presents online.</p>
<p>The term Cyber Monday was originally coined by the online retail industry in the US, and refers to the Monday immediately after Thanksgiving, when online sales hit their highest levels. This year Cyber Monday falls on 30<sup>th</sup> November.</p>
<p>“While originally applied to America, Cyber Monday is a concept affecting Ireland and Europe as well. It marks the beginning of the busiest period of the year for online retailers. Recent surveys show we are number 10 in the world for online shopping. We are among the most Internet-savvy consumers in Europe, and traffic to online retail websites multiplies in the run up to Christmas,” explains Colm Murphy, technical director with <a href="http://www.espion.ie">Espion</a>.</p>
<p>According to Eurostat, Ireland has one of the fastest growth rates in online purchases in Europe. According to Murphy, Irish online shoppers should be aware of the risks.</p>
<p>“Cyber Monday will see a huge increase in online shopping. Taking this fact into account, online criminals may try their luck by attempting to exploit weaknesses in online retailers’ systems to gain access to information about shoppers. There is also the risk of encountering hoax retailers and other non-reputable sites,” he adds.</p>
<p>“There are no absolute guarantees of safety on the Internet. With a little common sense and some basic security awareness, you can avoid any problems with your online shopping experience.”</p>
<p>Some of the risks of buying items online include…</p>
<p>-Mis-use or interception of your credit card details</p>
<p>-Getting charged for goods or services that you did not purchase</p>
<p>-Not receiving goods you have purchased</p>
<p>-Unacceptable delays</p>
<p>-Receiving goods other than what you paid for</p>
<p>-Poor after sales service</p>
<p><strong>Tips for Safe Online Shopping-</strong></p>
<p>- Never hand over any sensitive personal and/or financial information to anyone over the phone or email.</p>
<p>- Use reputable retailers that you know OR look for sites with payment safety standards; or PayPal verified sites.</p>
<p>- If you are using your credit card, make sure the site is secure: a website with an address which starts with ‘https://’ (rather than ‘http://’) is secure.</p>
<p>- Read shipping, refund and return policies.</p>
<p>- Check the site’s privacy policy.</p>
<p>- Always keep a record of your Internet transactions.</p>
<p>- Choose your credit card over your debit card, as credit cards offer security features that debit cards don’t have.</p>
<p>- Know that if you buy from traders in other European countries you have many of the rights that apply in Ireland. However, this might not be the case when buying from retailers outside Europe (USA, etc). Check that company has a physical EU address.</p>
<p>- Beware of unrealistic bargains: if it sounds too good to be true, it probably is.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Netblock of Shame: DeployLinux Consulting Inc, San Diego, CA]]></title>
<link>http://wa4zko.wordpress.com/2009/11/23/netblock-of-shame-deploylinux-consulting-inc-san-diego-ca/</link>
<pubDate>Mon, 23 Nov 2009 13:16:48 +0000</pubDate>
<dc:creator>wa4zko</dc:creator>
<guid>http://wa4zko.wordpress.com/2009/11/23/netblock-of-shame-deploylinux-consulting-inc-san-diego-ca/</guid>
<description><![CDATA[November 23, 2009: Most of us in IT Security are used to &#8220;certain&#8221; foreign netblocks bei]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>November 23, 2009:</p>
<p>Most of us in IT Security are used to &#8220;certain&#8221; foreign netblocks being a haven for malware/criminal activity. That said, it&#8217;s always an eye opener to repeatedly see threats coming from an American netblock.  So today I&#8217;ll highlight a netblock that I&#8217;ve been seeing a lot of activity from. This is a netblock you should consider dev null&#8217;ing (block) all traffic to/from.</p>
<p>Today&#8217;s NoS (Netblock of Shame) winner is:</p>
<address>DeployLinux Consulting Inc</address>
<address>11396 Pacific Shores Way</address>
<address>San Diego, CA  92130</address>
<address>209.216.192.0 /23</address>
<p>With the ongoing security problems with hosts within this netblock, not too sure I&#8217;d look to these folks for much of anything for obvious reasons.</p>
<p>Some IP&#8217;s you can run through your favorite search engine (be careful):</p>
<address>209.216.193.113</address>
<address>209.216.193.9</address>
<address>209.216.193.101</address>
<address>209.216.193.103</address>
<address>209.216.193.11</address>
<p>&#8230;and more!  Obviously not an isolated incident; need I say more?</p>
<p>With the level of malware activity on this netblock, a reasonable question to ask is are they &#8220;malware friendly&#8221; hosting or just flat incompetent when it comes to security/monitoring? As always, do your own research and form your own opinion on the folks named above.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Mongolia's first ethical hacker competition]]></title>
<link>http://itpmmn.wordpress.com/2009/11/18/whitehacker/</link>
<pubDate>Wed, 18 Nov 2009 08:11:43 +0000</pubDate>
<dc:creator>lg</dc:creator>
<guid>http://itpmmn.wordpress.com/2009/11/18/whitehacker/</guid>
<description><![CDATA[Since its establishment, the Mongolian Center for Combating Cyber Attacks has been working to develop information security in Mon]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p style="text-align:justify;"><strong><img class="alignleft" src="http://www.thinkgeek.com/images/products/zoom/hacker-hat.jpg" alt="" width="106" height="85" /></strong></p>
<p style="text-align:justify;">Since its establishment, the Mongolian Center for Combating Cyber Attacks (МКДТТ) has been working to develop information security in Mongolia, and it will now hold the country's first “ethical hacker” competition on 5–6 December 2009. It calls on Mongolian young people and students who work or study in information security to take an active part. The top three places carry cash prizes. Those wishing to take part can register in person at the МКДТТ office or online. To verify your identity when the competition starts, please bring a 4x6 passport-style photo and your citizen's ID card (a driving licence is also acceptable).</p>
<p>Address: National Information Technology Park, Room 323, Mongolian Center for Combating Cyber Attacks</p>
<p>Phone: 70113151   <a href="http://www.moncirt.org.mn/">www.moncirt.org.mn</a></p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Trust Linux!]]></title>
<link>http://reportingtheworldover.wordpress.com/2009/11/17/trust-linux/</link>
<pubDate>Tue, 17 Nov 2009 00:22:07 +0000</pubDate>
<dc:creator>reportingtheworldover</dc:creator>
<guid>http://reportingtheworldover.wordpress.com/2009/11/17/trust-linux/</guid>
<description><![CDATA[A team of researchers has implemented support for ‘trusted computing’ in a commercially available ve]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><h1>A team of researchers has implemented support for ‘trusted computing’ in a commercially available version of the open source operating system Linux, breaking new ground in the global drive toward more secure computing environments.</h1>
<p>The latest release of openSUSE, a Linux version sponsored by software maker Novell, comes packaged with software that allows users to set up a trusted computing (TC) environment on their computer, enhancing security beyond the antivirus programs and firewalls that frequently prove inadequate at keeping bugs, viruses and spyware at bay.</p>
<p>Promoted and developed by major chipmakers and software companies in the international Trusted Computing Group, trusted computing uses both hardware and software to create a trusted and secure environment, whether on a home PC, a web server, in a data centre or over a corporate network. At the core of the technology is the trusted platform module (TPM), which is a chip that, among other security-boosting features, generates and manages cryptographic keys, verifies the identity of the computer on a network and protects software and data from malicious changes.</p>
<p><strong>Awakening the dormant chip</strong></p>
<p>Many new laptops and increasing numbers of desktop PCs and servers already have TPM chips as standard, while chipmakers such as Intel and AMD have started incorporating the technology directly into their latest generation of processors. However, most TPM chips are currently lying dormant, awaiting activation with the arrival of software that can make use of their enhanced security features.</p>
<p>“The hardware is there… what is needed are operating systems and software to exploit it,” says Herbert Petautschnig, a researcher at Austrian technology group Technikon.</p>
<p>Technikon led a consortium of 23 research and business partners, including AMD, IBM, HP, Infineon and Novell, in developing open source software and applications for TC environments as part of the EU-funded <a href="http://www.opentc.net/" target="_blank">OpenTC project</a>. The group’s implementation of TC support in openSUSE version 11.2 involved building a trusted software stack (TSS) for Linux, developing universal virtualisation layers (including improvements to the Xen hypervisor virtual machine monitor) and creating TC and TPM management software. It constitutes a pioneering implementation of TC technology.</p>
<p>“openSUSE is now the first operating system to offer full TC support,” Petautschnig notes. “Until now, TC had been implemented for specific applications, such as Microsoft’s BitLocker hard drive encryption in Windows Vista and Windows 7 or the fingerprint reader on some HP laptops… With the OpenTC platform we are extending the TC environment to the full operating system and beyond,” the project manager adds.</p>
<p>Unlike traditional security technology that operates only at the software level and only starts protecting a computer after it is loaded, TC technology provides security from the moment the power button is pressed. As the system boots and runs, the OpenTC platform continually monitors the computer for changes and ensures that only trusted, verified software is functioning. In a networked environment, it verifies the identity and integrity of the computer. And it allows different pieces of software and data to be “compartmentalised” so there is no exchange between them even as they share the same computing and/or network resources.</p>
<p><strong>Safer online transactions, trusted corporate networking</strong></p>
<p><a href="http://cordis.europa.eu/fetch?CALLER=PROJ_ICT&#38;ACTION=D&#38;DOC=1&#38;CAT=PROJ&#38;QUERY=0123c22efa70:b7a1:408bd8c7&#38;RCN=79322" target="_blank">OpenTC developed several proof-of-concept applications for the technology</a>. In one, called private electronic transaction (PET), the team showed how it can verify and secure online transactions, such as accessing a bank account. In another, they showed how TC compartments can provide secure remote access to corporate networks, both keeping company information safe on an employee’s home PC and ensuring that the employee’s personal information, photos and games are not visible to their employer.</p>
<p>The ability of TC technology to keep data and processes safely isolated from each other can be extended to enable virtual data centres. As demonstrated by IBM in the OpenTC project, TC software could be used by data centre operators to provide virtualised resources to different clients while sharing the underlying physical infrastructure, thereby ensuring different companies’ data remain separate and secure.</p>
<p>The logical next step, which members of the OpenTC consortium plan to explore in a new project, is to extend TC to cloud computing to enhance the security of services and computational resources provided over the internet. Another project, TECOM, a follow-up initiative to OpenTC that has also received EU funding, will aim to develop TC solutions for embedded platforms, focusing particularly on smart phones and mobile computing applications.</p>
<p>Several of the project partners are commercially exploiting the results of the OpenTC project internally. Petautschnig says they are also open to investor interest to support further development of TC technology. Consortium members are also active in standardisation efforts, helping to extend trusted computing to mobile platforms and the Java programming language, for example.</p>
<p><strong>Despite controversy, a bright future</strong></p>
<p>In the past, TC technology has stirred controversy, not least over its potential for abuse by software and hardware makers to restrict what computer users can do and its applications for digital rights management. However, Petautschnig believes the future for trusted computing systems is bright as the technology starts to be seen as an essential tool in the fight against an intensifying onslaught of hack attacks, viruses and spyware bombarding the world’s computer users.</p>
<p>“Most people will not know that TC components are running on their computers keeping them safe. Conversely, at present most do not know what information is being leaked and stolen by spyware and viruses running on their machines,” Petautschnig notes.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[10 Firefox extensions that enhance security]]></title>
<link>http://cobraprey.wordpress.com/2009/11/14/10-firefox-extensions-that-enhance-security/</link>
<pubDate>Sat, 14 Nov 2009 11:37:19 +0000</pubDate>
<dc:creator>cobra</dc:creator>
<guid>http://cobraprey.wordpress.com/2009/11/14/10-firefox-extensions-that-enhance-security/</guid>
<description><![CDATA[Compromising Web sites has become cybercriminals’ favorite method of getting malware installed on co]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>Compromising Web sites has become cybercriminals’ favorite method of getting malware installed on computers. Here are 10 ways to beef-up Firefox, making it more difficult for the bad guys. </p>
<p><a href="http://blogs.techrepublic.com.com/10things/?p=1160&#38;tag=results;CR1">Enter Here</a></p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Security risk: the administrator account in Windows XP]]></title>
<link>http://caf2050.wordpress.com/2009/11/12/sicherheitsrisiko-administratorkonto-bei-windows-xp/</link>
<pubDate>Thu, 12 Nov 2009 08:35:12 +0000</pubDate>
<dc:creator>Blake</dc:creator>
<guid>http://caf2050.wordpress.com/2009/11/12/sicherheitsrisiko-administratorkonto-bei-windows-xp/</guid>
<description><![CDATA[You haven't used your PC for two weeks and the password no longer comes to mind. With the ]]></description>
<content:encoded><![CDATA[You haven't used your PC for two weeks and the password no longer comes to mind. With the ]]></content:encoded>
</item>
<item>
<title><![CDATA[Measurable, Continuous Compliance]]></title>
<link>http://enterprisesolutionsblog.shavlik.com/2009/11/05/measurable-continuous-compliance/</link>
<pubDate>Thu, 05 Nov 2009 17:06:23 +0000</pubDate>
<dc:creator>daveeike</dc:creator>
<guid>http://enterprisesolutionsblog.shavlik.com/2009/11/05/measurable-continuous-compliance/</guid>
<description><![CDATA[The subject of compliance as it pertains to information security continues to demand a great deal of]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>The subject of compliance as it pertains to information security continues to demand a great deal of attention…for some very obvious reasons. There is a big difference between compliance and security. Considering yourself compliant doesn’t necessarily mean you’re secure. Generally, compliance rituals such as assessments and audits are conducted either quarterly or annually, and the results of these “point-in-time” activities offer only a snapshot of your state of security at that moment. So assuming that you’re secure because you passed an audit today that states you’re compliant doesn’t mean you will be secure tomorrow. This is probably best illustrated by some of the very well publicized breaches that took place over the last couple of years – Heartland, ChoicePoint and TJX, just to name a few. Each of these notable entities thought they were compliant, and thus secure…boy were they wrong, and they are still recovering from the damage.</p>
<p>More often than not, compliance (specific to information security) is viewed as a project rather than as an ongoing, strategic business requirement. Herein lies the problem, but more importantly, the opportunity. The key is to make compliance activities part of the normal course of business operations:</p>
<p>If you consider the subject of risk management as it pertains to compliance, many companies today who have compliance requirements are faced with the monumental task of establishing and maintaining a compliant state.</p>
<p>For many, compliance is:</p>
<ul>
<li>A semi-automatic task at best, leveraging a basic policy structure with no form of automated remediation to address risks once they are discovered. This method is both expensive and time consuming, and certainly puts any company that addresses compliance requirements in this manner at risk.</li>
<li>For those that are more fortunate, a quarterly process may exist that leverages some form of best-practice-based policy structure, as well as some measure of remediation and reporting. This approach is much improved over the semi-automatic method…however, there are still gaps. Without a more “real-time” approach, the gaps in time between quarterly assessments could pose a significant risk. Even with a positive audit result, the ever increasing number of threats companies are exposed to these days means that even greater vigilance is required.</li>
<li>The best approach is what I will categorize as “continuous compliance”. This approach is fully supported by management and measured like any other critical business operational requirement.</li>
</ul>
<p>To achieve this, the following approach should be taken…</p>
<p>Establish a measurable set of security policies (controls) that are standards-based and well recognized; examples can be found in ISO, NIST, ITIL, etc. These controls should be measured monthly, or weekly if possible…thus leaving no stone unturned! It’s also important to apply the appropriate level of automation so that assessment, decisioning, remediation and reporting are completely automated.</p>
<p>Adopting some form of measurable, repeatable means of ensuring compliance will not only save you money but drastically reduce your risk. I can assure you…it will be money well spent.</p>
<p>Dave Eike<br />
Shavlik Technologies</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[heise online - Close the back door at Twitter]]></title>
<link>http://rolfschaumburg.wordpress.com/2009/11/05/heise-online-hintertur-bei-twitter-schliesen/</link>
<pubDate>Thu, 05 Nov 2009 09:30:58 +0000</pubDate>
<dc:creator>rolfschaumburg</dc:creator>
<guid>http://rolfschaumburg.wordpress.com/2009/11/05/heise-online-hintertur-bei-twitter-schliesen/</guid>
<description><![CDATA[Terence Eden änderte kürzlich sein Twitter-Passwort, weil ihn der Dienstbetreiber warnte, dass es  m]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>Terence Eden recently changed his Twitter password because the service operator warned him that it might have been compromised. But after he had, so to speak, replaced the lock on the front door, <a rel="external" href="http://shkspr.mobi/blog/?p=994" target="_blank">he discovered</a> that the servants’ entrance, in the form of the OAuth login, was still standing wide open.</p>
<p>More at: <a href="http://www.heise.de/newsticker/meldung/Hintertuer-bei-Twitter-schliessen-850287.html">heise online &#8211; Closing the back door at Twitter</a>.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Email is the most common means used to steal information from employers]]></title>
<link>http://practicepr.wordpress.com/2009/10/30/email-is-the-most-common-means-used-to-steal-information-from-employers/</link>
<pubDate>Fri, 30 Oct 2009 10:35:43 +0000</pubDate>
<dc:creator>Rosemarie</dc:creator>
<guid>http://practicepr.wordpress.com/2009/10/30/email-is-the-most-common-means-used-to-steal-information-from-employers/</guid>
<description><![CDATA[The Security Threat from Within &#8211; Espion recommends measures to combat insider theft Email is ]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p><em><strong>The Security Threat from Within &#8211; Espion recommends measures to combat insider theft</strong></em></p>
<p>Email is the most used method to steal information from corporations by employees, according to Ireland’s leading computer forensics and <a href="http://www.espion.ie">information security</a> company Espion.</p>
<p>Old-fashioned hard-copy printouts are the second most popular method used to steal information from employers. Mobile devices, such as USB memory sticks and data CDs, are not as commonly used, accounting for less than 10% of the cases where data has been stolen from an organisation.</p>
<p>“As employees become concerned about their own welfare, regardless of their loyalty in the past, there is a greater likelihood that they may turn on their employers. When employees feel that their position is threatened, or they are on notice, they may look at sensitive data as a valuable commodity that can be used for their own gain – to the detriment of their employer,” says Colm Murphy, technical director with Espion.</p>
<p>“As companies take steps to safeguard systems and data from external attacks, they need to turn their attention to the threat that exists from within the company.”</p>
<p>Murphy highlights the need for companies to incorporate insider threats into their information security programmes. “Insider data theft often goes unnoticed as the perpetrator has all of the required permissions for accessing data. No alarms are triggered and the crime can be committed virtually undetected.”</p>
<p>In today’s digital world, a company’s most valued, sensitive data is no longer under lock and key. Information is stored in files and folders, accessible virtually and in daily use by huge numbers of users. Keeping it secure from an internal breach, while allowing it to remain accessible to the majority of non-malicious employees, is a challenge.</p>
<p>“Not only is digital information easy to access from the inside, removing it is also quite straightforward. Email, printed copies and USB memory sticks make the transfer of stolen data extremely quick, easy and very discreet,” adds Murphy.</p>
<p><strong>Combating Insider Theft</strong></p>
<ul>
<li>Review the lists of which employees have access to which parts of the network, restricting access to sensitive material to fewer people.</li>
<li>Ensure computers are equipped with programs that require difficult-to-crack passwords and password-protected screensavers.</li>
<li>Administrator privileges that give users broad access to systems should be tightly managed. Although users often request rights to carry out legitimate activities, such as defragmentation, they could also use this ‘access all areas’ for more malicious reasons.</li>
<li>Watch out for any users repeatedly trying to access data they are not supposed to.</li>
<li>Deploy monitoring/alert systems to provide real-time alerts on suspicious network activity.</li>
<li>Audit the paper and electronic documents of any employees leaving the organisation.</li>
<li>If there is a notice period, the IT department should actively monitor the employee’s access to the network to make sure sensitive and confidential data is not being downloaded or sent to the employee’s personal email account. Additional measures should be considered in the event of an acrimonious departure; employees who leave an organisation on bad terms are more likely to steal data.</li>
<li>Ensure that as an employee leaves an organisation they no longer have any access to the company’s networks; they cannot log in remotely from home etc.</li>
</ul>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[heise online - Warning about bugging software for BlackBerry]]></title>
<link>http://rolfschaumburg.wordpress.com/2009/10/29/heise-online-warnung-vor-wanzensoftware-fur-blackberry/</link>
<pubDate>Thu, 29 Oct 2009 08:47:05 +0000</pubDate>
<dc:creator>rolfschaumburg</dc:creator>
<guid>http://rolfschaumburg.wordpress.com/2009/10/29/heise-online-warnung-vor-wanzensoftware-fur-blackberry/</guid>
<description><![CDATA[heise online &#8211; Warnung vor Wanzensoftware für BlackBerry. BlackBerry-Anwender sollten vorerst ]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p><a href="http://www.heise.de/newsticker/meldung/Warnung-vor-Wanzensoftware-fuer-BlackBerry-843512.html">heise online &#8211; Warning about bugging software for BlackBerry</a>.</p>
<p>BlackBerry users should, for the time being, no longer voluntarily hand their device to anyone. US-CERT has <a rel="external" href="http://www.us-cert.gov/current/index.html#blackberry_phonesnoop_application_used_to" target="_blank">officially warned</a> of a recently released, freely available piece of spyware with which third parties can turn a BlackBerry into a bug. Once the program, called <a rel="external" href="http://chirashi.zensay.com/2009/10/remote-listening-for-the-blackberry/" target="_blank">PhoneSnoop</a>, is installed, a call from a previously defined number (trigger number) is enough to activate listening-in without the owner’s knowledge and, for example, overhear what is said in the room.</p>
<p>More at: <a href="http://www.heise.de/newsticker/meldung/Warnung-vor-Wanzensoftware-fuer-BlackBerry-843512.html">http://www.heise.de/newsticker/meldung/Warnung-vor-Wanzensoftware-fuer-BlackBerry-843512.html</a></p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Cyberspace, Israel's second frontier.]]></title>
<link>http://nanojv.wordpress.com/2009/10/29/nanotechnologies-securite-information-israel/</link>
<pubDate>Thu, 29 Oct 2009 08:17:39 +0000</pubDate>
<dc:creator>NANOJV JOINT VENTURES CONSTRUCTOR</dc:creator>
<guid>http://nanojv.wordpress.com/2009/10/29/nanotechnologies-securite-information-israel/</guid>
<description><![CDATA[Par Dominique Bourra, CEO NanoJV// T-A. Dans le domaine de la sécurité informatique le conformisme t]]></description>
<content:encoded><![CDATA[Par Dominique Bourra, CEO NanoJV// T-A. Dans le domaine de la sécurité informatique le conformisme t]]></content:encoded>
</item>
<item>
<title><![CDATA[Firefox 3.5.4 released to Fix Security Vulnerabilities]]></title>
<link>http://lalans.wordpress.com/2009/10/29/firefox-3-5-4-released-to-fix-security-vulnerabilities/</link>
<pubDate>Thu, 29 Oct 2009 08:17:06 +0000</pubDate>
<dc:creator>deepaknl</dc:creator>
<guid>http://lalans.wordpress.com/2009/10/29/firefox-3-5-4-released-to-fix-security-vulnerabilities/</guid>
<description><![CDATA[The Mozilla Firefox browser has an update, and you should probably download it if you want to protec]]></description>
<content:encoded><![CDATA[The Mozilla Firefox browser has an update, and you should probably download it if you want to protec]]></content:encoded>
</item>
<item>
<title><![CDATA[VII - Before the camera starts rolling]]></title>
<link>http://blog.ccblog.ch/2009/10/29/vii-before-the-camera-starts-rolling/</link>
<pubDate>Thu, 29 Oct 2009 08:14:05 +0000</pubDate>
<dc:creator>Christine</dc:creator>
<guid>http://blog.ccblog.ch/2009/10/29/vii-before-the-camera-starts-rolling/</guid>
<description><![CDATA[When you are working with external providers I find it most helpful to get to know them personally. ]]></description>
<content:encoded><![CDATA[When you are working with external providers I find it most helpful to get to know them personally. ]]></content:encoded>
</item>
<item>
<title><![CDATA[Twitter Phishing Spreading via Direct Message]]></title>
<link>http://lalans.wordpress.com/2009/10/29/twitter-phishing-spreading-via-direct-message/</link>
<pubDate>Thu, 29 Oct 2009 07:31:20 +0000</pubDate>
<dc:creator>deepaknl</dc:creator>
<guid>http://lalans.wordpress.com/2009/10/29/twitter-phishing-spreading-via-direct-message/</guid>
<description><![CDATA[There is a new Twitter phishing scam making the rounds, and this one is spreading quickly via direct]]></description>
<content:encoded><![CDATA[There is a new Twitter phishing scam making the rounds, and this one is spreading quickly via direct]]></content:encoded>
</item>
<item>
<title><![CDATA[Protecting strategic infrastructure against cyber-attacks]]></title>
<link>http://nanojv.wordpress.com/2009/10/29/protection-infrastructures-strategiques-israel/</link>
<pubDate>Wed, 28 Oct 2009 22:08:23 +0000</pubDate>
<dc:creator>NANOJV JOINT VENTURES CONSTRUCTOR</dc:creator>
<guid>http://nanojv.wordpress.com/2009/10/29/protection-infrastructures-strategiques-israel/</guid>
<description><![CDATA[Par Dominique Bourra, CEO NanoJV  Tel-Aviv. Toutes les infrastructures critiques dans le monde (cent]]></description>
<content:encoded><![CDATA[Par Dominique Bourra, CEO NanoJV  Tel-Aviv. Toutes les infrastructures critiques dans le monde (cent]]></content:encoded>
</item>
<item>
<title><![CDATA[Links to some of my past published work]]></title>
<link>http://larryboettger.wordpress.com/2009/10/29/links-to-some-of-my-past-published-work/</link>
<pubDate>Wed, 28 Oct 2009 20:02:42 +0000</pubDate>
<dc:creator>Larry Boettger</dc:creator>
<guid>http://larryboettger.wordpress.com/2009/10/29/links-to-some-of-my-past-published-work/</guid>
<description><![CDATA[SANS: First Security Certification Paper Based on the Morris Worm Cyber Criminal Video Seminar Host-]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><ul>
<li><a href="http://www.giac.net/certified_professionals/practicals/gsec/405.php">SANS: First Security Certification Paper Based on the Morris Worm</a></li>
<li><a href="http://multimedia.berbee.com/MediasiteEX411/Viewer/Viewers/Viewer240TL3Banner.aspx?mode=Default&#38;peid=b6b52125-cec3-448d-b72b-3222af9c2bb7&#38;pid=d8b6b18d-4059-477c-9dd0-79faed87ab3b&#38;playerType=WM7">Cyber Criminal Video Seminar</a></li>
<li><a href="http://multimedia.berbee.com/MediasiteEX411/Viewer/Viewers/Viewer240TL3Banner.aspx?mode=Default&#38;peid=435a9ac6-1129-457f-9da4-0ca9f6783dfa&#38;pid=8d89c4f5-6117-48e2-9657-1e1e8faaf717&#38;playerType=WM7">Host-Based Intrusion Prevention Video</a></li>
<li><a href="http://wistechnology.com/articles/640/">HIPAA Security Regulation Article</a></li>
<li><a href="http://www.hipaacow.org/Docs/Email%20Whitepaper/DHFS-HIPAA%20COW%20Email%20Security%20Whitepaper-%20version%201.3.doc">HIPAA: Email Security Whitepaper for HIPAA Collaborative of Wisconsin</a></li>
<li><a href="http://www.hipaacow.org/docs/Physical%20Safeguards%20Whitepaper%20Final%2008%2019%202004.doc">HIPAA: Physical Security Whitepaper for HIPAA Collaborative of Wisconsin</a></li>
<li><a href="http://wistechnology.com/articles/888/">IP Surveillance Article</a></li>
<li><a href="http://wistechnology.com/articles/216/">Wireless Security Article</a></li>
<li><a href="http://www.umacha.org/pdf/achupdate0208.pdf">Reference to Cyber Security Seminar for UMACHA</a></li>
</ul>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[More companies focus on data security]]></title>
<link>http://danskprivacynet.wordpress.com/2009/10/28/flere-virksomheder-har-fokus-pa-datasikkerhed/</link>
<pubDate>Wed, 28 Oct 2009 18:56:28 +0000</pubDate>
<dc:creator>Frederik Kortbæk</dc:creator>
<guid>http://danskprivacynet.wordpress.com/2009/10/28/flere-virksomheder-har-fokus-pa-datasikkerhed/</guid>
<description><![CDATA[Ifølge PricewaterhouseCoopers årlige Global State of Information Security Survey, der netop er offen]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p style="text-align:justify;"><a href="http://danskprivacynet.wordpress.com/files/2009/10/dv278004.jpg"><img class="alignnone size-full wp-image-1844" title="dv278004" src="http://danskprivacynet.wordpress.com/files/2009/10/dv278004.jpg" alt="dv278004" width="340" height="118" /></a></p>
<p style="text-align:justify;">According to PricewaterhouseCoopers’ annual Global State of Information Security Survey, just published in cooperation with CIO and CSO Magazines, more companies, including public authorities, are concerned about data security.</p>
<p style="text-align:justify;">The survey, based on interviews with 7,200 executives worldwide, shows that 41% of companies have now appointed an IT security chief (CSO), compared with just 27% last year. Positions such as CISO (Chief Information Security Officer), best translated as the person responsible for information security, and Chief Privacy Officer (CPO), which in Danish can be described as the person responsible for privacy protection, have also shot up. CISOs are now employed in 44% of the companies surveyed, compared with 29% last year, and 30% of companies now make use of a CPO, compared with 21% a year ago. In addition, a further 32% of companies say they plan to create a CISO or CSO position.</p>
<p style="text-align:justify;">According to Mark Lobel of PricewaterhouseCoopers, who spoke to Forbes on the occasion of the publication, the increased attention to security and privacy at board level can partly be attributed to the global economic slowdown. The assumption that an economic downturn translates into increased cybercrime, together with the risk from disgruntled former employees who have been subject to mass layoffs, has apparently created new fears for data security, Lobel claims.</p>
<p style="text-align:justify;">And he continues: &#8220;In downturns like these, people sense that major risks are on the way. If your security budget is not being cut, you need a chief who can use the budget effectively and sensibly.&#8221;</p>
<p style="text-align:justify;">The survey further shows that 38% of respondents plan to increase spending on IT security, compared with 12% who intend to cut the budget. This is a sign that security remains important in a downturn, though of lesser importance at the start of the economic decline. In the same survey last year, 44% of respondents said they intended to increase spending on IT security, while only 5% planned to cut back.</p>
<p style="text-align:justify;">Although there is no information on how many Danish companies took part in the survey, there is nothing to suggest that the trend will not also apply to some extent in Denmark. That IT security is still a top priority is supported by a Danish IDG survey, also just published and covered by <a href="http://www.computerworld.dk/art/53261?page=1" target="_blank">Computerworld</a>.</p>
<p style="text-align:justify;">Download the full survey, which covers a wide range of other IT topics, <a href="http://danskprivacynet.wordpress.com/files/2009/10/pwcsurvey2010_cio_reprint.pdf">here</a>.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[WATCH OUT FOR INTERNAL THREAT ON YOUR INFORMATION SECURITY]]></title>
<link>http://syahraki.wordpress.com/2009/10/29/watch-out-for-internal-threat-on-your-information-security/</link>
<pubDate>Wed, 28 Oct 2009 17:12:27 +0000</pubDate>
<dc:creator>syahraki</dc:creator>
<guid>http://syahraki.wordpress.com/2009/10/29/watch-out-for-internal-threat-on-your-information-security/</guid>
<description><![CDATA[Although some might not aware, occurrences of security incidents in an organization were derived fro]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>Although some might not be aware of it, security incidents in an organization were derived from within the organization. This is what we call insider threat. This threat could take the form of fraud, human error, disgruntled employees, or simply an employee playing around with hacking tools.</p>
<p>Hackers outside an organization (the external threat) prefer to perform social engineering targeted at employees rather than waste effort technically hacking into highly secured modern technology. Social engineering is a technique to psychologically manipulate or trick a user into doing something that might be dangerous to your data or system. These techniques succeed well with uneducated users.</p>
<p>But do our employees have the ability to hack? Nowadays, hacking literature can easily be found just by using a search engine on the internet, and it is also available in major bookstores all over Indonesia. These books explain the steps to perform hacks and come with a CD that contains scripts and tools that let the reader exercise those steps. The books are in Bahasa Indonesia with detailed steps, making them easy to understand.</p>
<p>A receptionist bought a hacking book and executed the Cain &#38; Abel software, even during her lunch break. She ran it to capture network packets to get user IDs and passwords from the targeted computers. This really happened a few months ago in a company in Jakarta, and it might happen to your organization too if you don’t put security measures in place to manage this risk.</p>
<p>The above also shows that intruders known as hackers may be novices (also called script kiddies). On the other side, it also shows that the IT personnel within that organization were not prepared to handle such attacks. This is why security awareness in an organization is critical.</p>
<p>Information security and the protection of information assets and intellectual property begin with awareness and education. To develop and preserve a culture of security in any organization, it must be recognized that responsibility and accountability reside with all employees.</p>
<p>Whether it&#8217;s checking e-mail, browsing, answering a telephone, installing new application software, or just logging on and off the computer, employees must be encouraged to consider the security aspect of each action and decision made. To make it effective, the concept of security must be embedded in the culture and habits of the people within the organization. All employees need training on security awareness, especially those who have no clue what security is and are therefore more likely to be vulnerable to social engineering, like the receptionist in the story above.</p>
<p>Employees must be educated so they are able to spot the warning signs of social engineering when an intruder poses as a legitimate party, such as a customer, network administrator, or vendor representative, and attempts to obtain sensitive information from an employee. Just as an antivirus product scans files for viruses, employees must have the knowledge to detect the signs of social engineering.</p>
<p>It is essential that users obtain, at minimum, general knowledge of information security, to enable them to avoid risky activities. Educating users about the threats and how to avoid them will minimize your organization’s operational risks and financial losses. Information security awareness is not only about defense; it is about creating habits and a mindset of security in every activity. More education and simple tips on how users should choose and manage passwords may avoid the problems of weak passwords, human error, and exposure to intruders.</p>
<p>Employees are more likely to forget or ignore advice that has no relevance to their job, and &#8220;one lesson for all&#8221; just doesn&#8217;t work. Therefore it is important that employees make the connection between the lessons taught and the task at hand. For example, employees involved in accounting or transaction processing in a business that takes online credit card orders are far more likely to remember security lessons focused on protecting credit card files and personal customer information, and on privacy issues.</p>
<p>The awareness program must be dynamic and designed to evolve in order to meet the future needs of the company and its employees; current activities will need to be modified or new activities developed to maintain the program’s relevance. Furthermore, the awareness program must also address the issues that arise from rapidly advancing information technology.</p>
<p>Now, are you ready to develop your very own security awareness program? There are five factors needed for an effective and successful security awareness program.</p>
<table border="1" cellspacing="0" cellpadding="0">
<tbody>
<tr>
<td width="115" valign="top"><strong>Management support and sponsorship</strong></td>
<td width="475" valign="top">Unless the executives of an organization believe in security awareness, it is quite impossible to expect awareness from the employees. When the CEO says security is important and practices what he/she preaches, employees take notice. The same goes for all executives and managers down the line. Upper management must support the security awareness program, because then the motivation to comply and participate will be much greater.</td>
</tr>
<tr>
<td width="115" valign="top"><strong>Assign the right person(s)</strong></td>
<td width="475" valign="top">A team, or at least an individual, must be assigned to be accountable for developing and implementing the security awareness program. Dedicate at least one person to focus on security awareness across the organization. Be sure to appoint an individual who has good communication skills and knows how to persuade and develop relationships.</td>
</tr>
<tr>
<td width="115" valign="top"><strong>Use multiple means of communication</strong></td>
<td width="475" valign="top">People receive and retain information effectively via different methods. Some like numbers and statistics, some like pictures or videos, and some like to attend a course or training. There are many ways of communicating awareness, including posters, videos, screensavers, newsletters, or training sessions. There is a need to analyze and decide which forms suit the culture of the organization.</td>
</tr>
<tr>
<td width="115" valign="top"><strong>Topics</strong></td>
<td width="475" valign="top">The specific topics that should be introduced and promoted within your organization are those designed to answer the questions of what the threats are, what we are protecting, and how to protect it. The topics should include physical security awareness, technical security awareness, policies and procedures, incident response, security threats, and any other topics you find important to raise.</td>
</tr>
<tr>
<td width="115" valign="top"><strong>Get professional assistance</strong></td>
<td width="475" valign="top">Feeling confused? No need to reinvent the wheel. There are firms that specialize in security awareness training and providing resources. Some organizations even publish and distribute customized newsletters to your employees. If you have the budget, but not the people or time, hiring a firm to do this is money well spent to raise your employees’ security awareness.</td>
</tr>
</tbody>
</table>
<p>Implementing a successful security awareness program may seem like a daunting task. However, with the proper executive support, appropriate planning and an organized approach, the message of “I can make a difference to my company’s security” will ring loud and clear to your employees. By including the human factor in your security infrastructure via an effective security awareness program, you will be implementing the ultimate defense in depth.</p>
<p>We must, however, understand that information security is a business requirement on top of being an ethical and legal requirement. We therefore need to be constantly aware of certain information security issues and ensure that proper resources are engaged and best practices adopted.</p>
</div>]]></content:encoded>
</item>
<item>
<title><![CDATA[Benefits of implementing and certifying ISO 27001 in a company]]></title>
<link>http://arafiandi.wordpress.com/2009/10/28/keuntungan-implementasi-dan-sertifikasi-iso-27001-di-perusahaan/</link>
<pubDate>Wed, 28 Oct 2009 00:14:17 +0000</pubDate>
<dc:creator>arafiandi</dc:creator>
<guid>http://arafiandi.wordpress.com/2009/10/28/keuntungan-implementasi-dan-sertifikasi-iso-27001-di-perusahaan/</guid>
<description><![CDATA[Apabila suatu perusahaan memutuskan untuk mengimplementasikan ISO 27001 sebagai standar pengamanan i]]></description>
<content:encoded><![CDATA[<div class='snap_preview'><p>If a company decides to implement ISO 27001 as its information security standard, it gains a great many benefits, all the more so once the company has obtained ISO 27001 certification. The benefits include:<br />
1.    Helps the organization comply with proven information security standard requirements (best practice in information security)<br />
2.    Creates a positive effect on the company’s image, value, and the perception of other parties<br />
3.    Ensures that the organization has information security controls over those parts of its business process environment that might give rise to risks or disruptions.<br />
4.    Increases the trust of customers, third parties, and all stakeholders in the services delivered through the organization.<br />
5.    Helps the organization carry out continuous improvement in information security management.<br />
6.    Makes the execution of every process more systematic and changes the organization’s working culture.<br />
7.    Minimizes risk through a professional, standardized, and comprehensive risk assessment process within a risk management framework<br />
8.    Improves the effectiveness and reliability of information security<br />
9.    Market differentiation<br />
10.    One of the information security standards recognized worldwide<br />
11.    Possibly lower insurance premiums payable to insurers, because the standard is proven<br />
12.    Compliance with laws and regulations such as the ITE Law (UU ITE), etc.<br />
13.    Increases company profit<br />
14.    Demonstrates good governance in the handling of information<br />
15.    Senior management holds responsibility for information security, so staff can focus more on their own responsibilities.<br />
16.    Independent review of the ISMS through an annual audit<br />
17.    Can be integrated or combined with other management systems such as ISO 9000, ISO 14000, ISO 20000, ISO 38500, ITIL, COBIT, etc.<br />
18.    A mechanism for measuring whether security controls succeed or fail</p>
</div>]]></content:encoded>
</item>

</channel>
</rss>
