December 10, 2009 by amritw

Riddle me this: when one does not know what it is, then it is something; but when one knows what it is, then it is nothing… what is it?
Recently we have witnessed a series of high-profile leaks. This in and of itself is nothing new; we have been experiencing an orgy of disclosure since the early part of the decade. But the latest “disclosures” highlight the law of inevitable disclosure, which goes something like this: if more than one person knows it, then at some point in time it will be disclosed.
Posted in Security | Tagged Climategate, data accountability and trust act, data breach notification bill, security screening process, TSA | 1 Comment »
December 10, 2009 by amritw

AT&T has openly admitted that their data coverage sucks (here) and all but admitted defeat in the telecom data wars. Although they are the sole service provider of the iPhone, the world’s most pervasive handheld data device, AT&T has decided that, to maintain service quality (which already blows), they will need to implement new fees to encourage folks to limit their use of the iPhone. Wow, seriously. So they suck even more than I thought when I first railed against AT&T (here).
Posted in Security | Tagged Apple, AT&T, De La Vega, iPhone, Verizon | 1 Comment »
December 8, 2009 by amritw

From Computer World UK (here)
Black Friday and Cyber Monday have come and gone. Now it’s time for Amrit Wednesday, or Thursday, or Friday—oh, whatever—to pay our industry back for all the dubious cheer it spread in 2009. Believe me, when it comes to this list, it’s much better to give than receive. Here goes:
Posted in Security | Tagged Cyber Monday, Digital Economy Bill, Gartner, Graham Cluley, Hackers for Charity, Information Security, Johnny Long, Magic Quadrant, malware, McAfee, Oxford Dictionary, PCI, Robert Parker, RSA conference, Sophos, Symantec, US cyber czar, Websense | 2 Comments »
November 11, 2009 by amritw

Image from United States Department of Veterans Affairs (here)
We should all be extremely grateful for the commitment, the difficulties and the sacrifices those in our armed forces go through so that we all can enjoy and experience the freedoms of our great nation.
Posted in Security | Tagged armed forces, gratitude, Veterans day | Leave a Comment »
October 22, 2009 by amritw

A storm is brewing throughout the analyst community as one of the largest and most influential technology analyst firms comes under fire over one of its most prized research artifacts, the Gartner Magic Quadrant (MQ). ZL Technologies has filed a lawsuit alleging damages from Gartner’s e-mail archiving MQ and from the MQ process as a whole; ZL has been positioned as a Niche Player in that MQ since 2005.
From ZL Technologies’ website (here):
ZL Technologies, a San Jose-based IT company specializing in cutting-edge enterprise software solutions for e-mail and file archiving, is challenging Gartner Group and the legitimacy of Gartner’s “Magic Quadrant.” In a complaint filed on May 29, 2009, ZL claims that Gartner’s use of their proprietary “Magic Quadrant” is misleading and favors large vendors with large sales and marketing budgets over smaller innovators such as ZL that have developed higher performing products.
The complaint alleges: defamation; trade libel; false advertising; unfair competition; and negligent interference with prospective economic advantage.
For those unfamiliar with analysts, Gartner and the Magic Quadrant, let me provide a quick overview.
Posted in Security | Tagged Analysts firms, Dave Kellogg, Defamation, Gartner, Magic Quadrant, Mark Logic, ZL Technologies | 15 Comments »
October 1, 2009 by amritw
Posted in Security | 2 Comments »
September 21, 2009 by amritw
Posted in Security | Tagged 451 group, Aaron Bawcom, Adam Shostack, Adobe Systems, Al Huger, Alex Hutton, Andy Purdy, antivirus, Arbor Networks, Ben Natan, beyond the perimeter, BigFix, Black Hat, Brad Arkin, Charles Dodd, Cisco, Concord Hospital, Conficker, Cyber Command, Dan Philpott, Dave Watson, David Mortman, Defcon, Doug Washburn, Dr. Peter Tippett, Economics, eIQ networks, EMA, EMC, Enterprise Management Associates, FAIR, FCRA, FIPS, FISMA, Forrester Research, Gartner, government security, Guardium, Hackers for Charity, HIPAA, IBM, Immunet, Information Security, ISS, Jack Daniel, Jeff Jones, Jeremiah Grossman, Johnny Long, Jose Nazario, Joshua Corman, Kaiser, Kaspersky, malware, Mark Starry, Mede Finance, Melissa Hathaway, Men in black, Michael Dahn, Michael Santarcangelo, Michael Smith, Microsoft, Mike Rothman, Nick Selby, NICOR, NIST, patch management, Patrick Peterson, Paul Roberts, PCI, Peter Kuper, podcast, Project Quant, Reflex systems, Rich Mogull, Rick Wesson, Risk, RSA, Ryan Russell, Sam Curry, Scott Crawford, Scott Johnson, Sean Goings, Security b-sides, Securosis, Situational awareness, Stealing the Network, Support Intelligence, TAC Americas, Technical Publishing, Timothy Mullen, Verizon Business Services, Virtualization, Web Application Security, White Hat Security | Leave a Comment »
September 9, 2009 by amritw

I recently had the opportunity to sit down with Peter Kuper on the latest Beyond the Perimeter podcast (here) to discuss the impact the economic crisis has had on the IT security industry. Kuper, a former analyst at Morgan Stanley and SG Cowen who is now associated with IANS (the Institute for Applied Network Security), notes that IT security spending is down, and with it, investment in security start-ups and innovation initiatives. Kuper believes that good new technologies and well-managed companies can still attract investors and customers. Furthermore, the industry supports a tier of robust, established private IT security companies that are weathering, and even prospering in, current conditions. While the short term remains challenging, Kuper believes that good technologies and companies can still get a foothold in the current economic environment. You can read more from Peter at the IANS blog (here); below are some recent comments from Peter (here).
Posted in Security | Tagged BigFix, economic crisis, IANS, innovation, Peter Kuper, Qualys, start-ups, the great depression, VC funding, Verdasys | 3 Comments »
August 28, 2009 by amritw

CNET’s Declan McCullagh recently posted an article on aspects of the Cybersecurity Act of 2009, “Bill would give President emergency control of the Internet”:
The new version would allow the president to “declare a cybersecurity emergency” relating to “non-governmental” computer networks and do what’s necessary to respond to the threat. Other sections of the proposal include a federal certification program for “cybersecurity professionals,” and a requirement that certain computer systems and networks in the private sector be managed by people who have been awarded that license.
There has been a lot of discussion and debate about how the new administration would address cybersecurity. With a string of disillusioned cyber czars and advisers, and a dizzying array of federal agencies vying to lead the effort, President Obama has certainly been in the unenviable position of setting the future direction for securing critical infrastructure and ensuring our prosperity.
This is a massive logistical problem, and it grows as technology advances and becomes woven into our digital fabric. Unfortunately there will be mistakes, errors in judgment and poorly written policies that may very well lead to significant self-inflicted damage. The concept that the President, in an emergency, can take control of aspects of the Internet is very troubling.
Conceptually, and given the events of 9/11, it would seem logical that under a massive, sustained attack on our critical infrastructure and digital assets, both public and private, the administration would be warranted in doing whatever is required to regain control and eliminate the threat. The reality is that this is extremely difficult to do and, more importantly, it hands a malicious actor a lever: create a situation that forces the administration to respond, and let the response itself create more havoc than the attackers could have created on their own.
This is a recipe for disaster and provides a very real vector for attacking the entire United States in a way that would not normally be available to those who wish to do us harm.
Posted in Politics, Security | Tagged CNET, Cybersecurity, Cybersecurity Act of 2009, Declan McCullagh, President Obama, S.773, Sen Rockefeller | 2 Comments »
August 27, 2009 by amritw

Is there a rock star in your midst?
We’re talking about sysadmins here, the unsung rock stars of IT. The kind of sysadmin that plays the network blindfolded and upside down like Stevie Ray Vaughan, makes ch-ch-changes faster than David Bowie, smashes hackers like Pete Townshend smashes guitars, keeps the show going like Bill Graham, and does it all with Ringo’s good humor.
Sysadmins can really rock your world. Now it’s time to rock it back.
Posted in Security | 2 Comments »

As part of the administration’s continuing efforts to do something tangible to improve the security posture of US critical infrastructure, and to address a severe lack of technical talent, CSIS (the Center for Strategic and International Studies) announced the US Cyber Challenge (here) to identify and develop 10,000 cyber security specialists.
One of the fundamental deficiencies of the current US critical infrastructure protection programs (there are many of them) is the astonishing lack of qualified technical security specialists. This program aims to develop the next generation of technically advanced cyber warriors and security specialists.
The United States Cyber Challenge
The US Cyber Challenge is a national talent search and skills development program. Its purpose is to find 10,000 young Americans with the interest and skills to fill the ranks of cyber security practitioners, researchers and warriors. Some will, we hope, become the top guns in cyber security. The program will nurture and develop their skills, and enable them to get access to advanced education and exercises, and where appropriate, enable them to be recognized by employers where their skills can be of the greatest value to their nation.
Improving our private and public sector security posture will be an ongoing process as we adopt new technology innovations and as the dynamic global environment shifts between hostile and friendly actors. Recruiting the next generation of technically advanced security specialists, and developing today the skills needed to deal with tomorrow’s threats, is key to ensuring we have a pool of talent that enables the continued growth and prosperity of the United States and its citizens. As so many times in our history, the hopes of an aging nation rest on the shoulders of America’s youth.
Posted in Politics, Security | Tagged Air Force, Center for Strategic and International Studies, CSIS, Cyber Command, cyber security, DC3, digital forensics, DoD, DoD Cyber Crime Center, FBI, National Security Agency, network security, President Obama, SANS Institute, US Cyber Challenge, US Cyber Policy | 4 Comments »

Never before have so many misrepresented so much about so little…
In all my years in the security industry I do not believe I have read more misinformation than the nonsense surrounding the recent DDoS attacks. Apparently North Korea is waging cyber warfare, or if not an actual all-out cyberwar, then it is behind a targeted “cyber attack”.
Let’s look at what we know…
- Multiple US and South Korean websites fell victim to sustained distributed denial of service attacks (this happens all the time)
- The DDoS attacks used tens of thousands of compromised hosts (I have seen bigger)
- The compromised hosts appear to have been infected with well-known malware that is easily defended against (what else is new?)
- The organizations that were hit and had taken proper measures to defend against a DDoS were not materially impacted (at least someone was thinking ahead)
This is just business as usual on the Internet. Nothing to see here, folks. These DDoS attacks could just as easily have been launched by an awkward prepubescent child with about two years of computer experience as by a coordinated, state-sponsored North Korean attempt to test our defenses.
Just so we are clear, this is no more cyber warfare than me running to the Mexican border and throwing 10,000 apple pies at the Mexican Federales is a coordinated US invasion of Mexico.
Posted in Politics, Security, Technology | Tagged Ariel Silverstone, Cyber Warfare, DDoS, Douche bag, hype, Idiot politicians, Marcus Ranum, Media, Michael Malone, North Korea, Peter Hoekstra, Stupidity, the day after | 11 Comments »

Systems and security management is difficult, ineffective, costly and becoming ever more so in increasingly distributed, heterogeneous, complex, and mobile computing environments…
- 98% of all external attacks take advantage of poorly administered, misconfigured, and unmanaged systems (Source: Verizon Data Breach Investigations Report 2009)
- A locked down and well managed PC can cost 42% less than an unmanaged one (Source: Gartner – The Total Cost of Ownership: 2008 Update)
- The direct costs incurred in a “somewhat managed” PC are only slightly lower than the direct costs of an unmanaged PC, because of expenses to maintain underutilized or dysfunctional management systems (Source: Gartner – The Total Cost of Ownership: 2008 Update)
The benefits of server virtualization are being realized as server consolidation has enabled cost reductions and efficiencies in data center and server management. This is of course leading many to ask the question “why can we not virtualize our desktops as well?”
Posted in Security, Technology | Tagged citrix, cloud computing, DaaS, HAL 9000, Microsoft, skynet, the Death Star, Virtualization, VMWare | 3 Comments »

Consolidation is the major benefit or “killer app” for server/data center virtualization. Standardization is the major benefit or “killer app” for client-side virtualization.
As I was pondering the challenges of current systems management processes, researching the latest and greatest from the client-side virtualization vendors, and talking to a lot of large organizations, I was trying to find that one thing that explains the operational benefits of client-side virtualization. There is more than one, but it really does come down to standardization. Allow me to explain…
Posted in Security, Technology | Tagged anti-virus, biodiversity, citrix, Data Breach, Data security, diversity, Gartner, HVD, IBM, Microsoft, standardization, VDI, Verizon, Virtualization, VMWare | 1 Comment »

To address the increasing cost and complexity of managing dynamic IT environments, organizations are trying to understand how to adopt virtualization technologies. The value proposition and “killer app” are quite clear in the data center; less attention has been given to the opportunities for endpoint virtualization. There are multiple approaches to client-side virtualization: hosted virtual desktops (HVD), bare-metal hypervisors, local and streamed virtual workspaces, and a range of options that layer on top of and between them all, such as application virtualization, portable personalities and virtual composite desktops. Yet there is still a tremendous amount of confusion, and even more misconceptions, about the benefits of client-side virtualization than there is about server virtualization. The major architectural flaw in almost all of these solutions is that they remain very back-end and infrastructure heavy, which erodes the promised cost reduction and lower complexity.
Unlike server virtualization, whose adoption was driven from the bottom up (from the hypervisor and then up through the other layers of the stack), adoption of endpoint virtualization technologies is moving top down, starting with single applications within an existing OS. Application virtualization adoption will accelerate over the next 12-18 months, with Gartner’s life cycle management analysts suggesting that it will be included in the majority of PC life cycle RFPs in 2010 and beyond. Workspace/desktop virtualization will follow over the next 24-36 months, as will the endpoint virtualization infrastructures. Adoption of both workspace/desktop virtualization and endpoint virtualization infrastructure will align with organizations’ desktop refresh cycles. Considering that the average cycle is 3-5 years, and that many organizations are looking at a desktop refresh to support Vista (although it probably only has about 10% market adoption) and Windows 7, it is conceivable that we will begin seeing accelerated adoption of desktop and infrastructure virtualization over the next 24-36 months as organizations rethink their current systems management processes and technologies.
Let’s look at the three client-side virtualization models I believe will become the most prevalent over the next 3-5 years…
Posted in Rants, Security, Technology | Tagged application virtualization, AppV, citrix, FAIL, Gartner, HyperV, Hypervisor, life cycle Management, Microsoft, Security, systems management, ThinApp, VDI, Virtualization, VMWare, XenDesktop | 6 Comments »

Shortly after President Obama was nominated, I wrote an open letter outlining actions I believed the administration would need to take in its first 90 days, “Open Letter to Barack Obama: Securing Critical Infrastructure – The First 90 Days”. These included a policy review and some suggestions on methods the administration would need to implement to secure our digital infrastructure. President Obama appointed Melissa Hathaway to lead the review, which has now been completed.
Posted in Security | Tagged Barack Obama, Critical Infrastructure, cyber security, Melissa Hathaway | 1 Comment »
Given the media hype around the Conficker worm (and now Gumblar), and the constant barrage of alarming disclosure announcements, I thought it would be a good time to take a calmer look at some of the security myths, misconceptions and mistruths that plague the industry.
Many of these cyber security myths have been around for close to a decade. They have driven marketing campaigns and sold a lot of traditional newspapers. But for the most part these threats have proven much less dangerous than ballyhooed. Worse, they distract us from addressing the routine problems whose solution actually leads to a more secure global IT environment. Until we can address everyday vulnerabilities and threats, how can we justify focusing on exotic edge cases?
Posted in Security | Tagged antivirus, AV, China, Conficker, cyber security, End of the Internet, gumblar, hacking, Insider threats, mobile malware | 2 Comments »

So apparently the latest version of the Qualys Laws of Vulnerability report has Qualys jumping to some pretty outrageous claims about how cloud computing (invented by Qualys, according to Courtot; insert cute smiley here) can secure IT more effectively, or allow people to stop patching, or some such nonsense (thanks to Hoff for the heads up).
Anyway, the logic flaw goes something like this…
Posted in Security | Tagged Altiris, cloud computing, DLP, endpoint security, Gerhard Eschelbeck, IBM, Law of vulnerability, Luke Skywalker, Micro, Microsoft, NAC, Philippe Courtot, Qualys, SCCM, silly proclamations, SMS, Storm trooper fail, Symantec, Wolfgang Kandek | 6 Comments »
Posted in Politics, Rants, Security | Tagged botnet, Col. Williamson, cybercrime, cybergeddon, cyberwarfare, DDoS, FBI, Shawn Henry, war is hell | 5 Comments »