
Systems and security management is difficult, ineffective, costly and becoming ever more so in increasingly distributed, heterogeneous, complex, and mobile computing environments…

  • 98% of all external attacks take advantage of poorly administered, misconfigured, and unmanaged systems (Source: Verizon Data Breach Investigations Report 2009)
  • A locked down and well managed PC can cost 42% less than an unmanaged one (Source: Gartner – The Total Cost of Ownership: 2008 Update)
  • The direct costs incurred in a “somewhat managed” PC are only slightly lower than the direct costs of an unmanaged PC, because of expenses to maintain underutilized or dysfunctional management systems (Source: Gartner – The Total Cost of Ownership: 2008 Update)

The benefits provided by server virtualization are being realized as server consolidation has enabled cost reduction and efficiencies in data center/server management. This is of course leading many to ask the question “why can we not virtualize our desktops as well?” Continue Reading »

The matrix

Consolidation is the major benefit or “killer app” for server/data center virtualization. Standardization is the major benefit or “killer app” for client-side virtualization.

As I was pondering the challenges of current systems management processes, researching the latest and greatest from the client-side virtualization vendors, and talking to a lot of large organizations, I was trying to find that one thing that explained the operational benefits of client-side virtualization. There is more than one, but it really does come down to standardization, allow me to explain… Continue Reading »

VDI fail

To address the increasing cost and complexity of managing dynamic IT environments, organizations are trying to understand how to adopt virtualization technologies. The value proposition and “killer app” are quite clear in the data center; however, less attention has been given to the opportunities for endpoint virtualization. Even though there are multiple methods to address client-side virtualization; hosted virtual desktops (HVD), bare-metal hypervisors, local and streaming virtual workspaces and a range of options that layer on top of and between them all, such as application virtualization, portable personalities, and virtual composite desktops, there is still a tremendous amount of confusion and even more misconceptions about the benefits of client-side virtualization than with server virtualization. The major architectural flaw in almost all of these solutions is that they remain very back-end and infrastructure heavy, which reduces the benefit of cost reduction and lower complexity.

Unlike server virtualization, which drove adoption from the bottom up, that is from the hypervisor and then through the other stacks, adoption of endpoint virtualization technologies is moving top down, that is starting with single applications within an existing OS. Application virtualization adoption will accelerate over the next 12-18 months, with Gartner life cycle management analysts suggesting that it will be included in the majority of PC life cycle RFPs in 2010 and beyond. Workspace/desktop virtualization will follow over the next 24-36 months, as will the endpoint virtualization infrastructures. The adoption of both workspace/desktop and endpoint virtualization infrastructure will align with organizations’ desktop refresh cycles. Considering the average is between 3-5 years, and considering that many are looking at desktop refresh to support Vista, although it probably only has about a 10% market adoption, and Windows 7, it is conceivable that we will begin seeing accelerated adoption of desktop and infrastructure virtualization over the next 24-36 months as organizations rethink their current systems management processes and technologies.

Let’s look at the 3 client-side virtualization models I believe will become the most prevalent over the next 3-5 years… Continue Reading »


Early after President Obama was nominated I wrote an open letter to President Obama for actions that I believed the administration would need to take in the first 90-days “Open Letter to Barack Obama: Securing Critical Infrastructure – The First 90 Days” These included a policy review and some suggestions on methods the administration would need to implement to secure our digital infrastructure. President Obama appointed Melissa Hathaway to lead the review, which has now been completed. Continue Reading »

Given the media hype around the Conficker worm (and now Gumblar), and the constant barrage of alarming disclosure announcements, I thought it would be a good time to take a calmer look at some of the security myths, misconceptions and mistruths that plague the industry.

Many of these cyber security myths have been around for close to a decade. They have driven marketing campaigns and have sold a lot of traditional newspapers. But for the most part these threats have proven much less dangerous than ballyhooed. Worse, they distract us from addressing the routine problems that lead to a more secure global IT environment. Until we can address everyday vulnerabilities and threats, how can we justify focusing on exotic edge cases? Continue Reading »


So apparently the latest version of the Qualys Laws of Vulnerability Report has Qualys jumping to some pretty outrageous claims about how cloud computing – invented by Qualys according to Courtot (insert cute smiley here) – can secure IT more effectively or allow people to not patch any more or some such nonsense (thanks to Hoff for the heads up).

Anyway so the logic flaw goes something like this -> Continue Reading »


There has been much discussion lately about “cyberwarfare”. This article “US Should go on Cyber Offensive” in the BBC represents the typical media slant on the issue… Continue Reading »

Yes, I know it has been some time since I have posted a blog entry. The pain and suffering this has caused I can only imagine has been unbearable. Many of you must be feeling the nauseating withdrawal-like symptoms of not enough me, but do not fear, you will no longer need to remain in a fetal position rocking back and forth wondering if I will blog again – I shall. Continue Reading »

I recorded a podcast with eWeek’s Mike Vizard last week discussing the media, hype, conficker and why so many organizations are falling behind in implementing even a basic level of systems and security management (here)…enjoy!

Quotes from a recent SC Magazine article, “Increased Mobile Working Has Caused a Rethink on Endpoint Security” (here), focus on encryption, cloud computing and desktop virtualization… Continue Reading »


They’re back!

It has been awhile since we had a good old fashioned, highly publicized, hysteria inducing, globally distributed, mass-infecting worm. The AV vendors (here) and (here) must be ecstatic that 2009 is really turning out to be the year of the largest security incidents since the beginning of forever as I predicted it would be back in January (here). Of course you could make that prediction every year for the next 20-30 years and pretty much experience an 80%+ success rate, it’s like predicting that as social media becomes ubiquitous we will experience more social media related security threats, or that as the economic condition worsens it will drive even more financially motivated cybercrime buoying an already burgeoning digital black market, or that there will be more high-profile data breaches – all no brainers. Continue Reading »


So apparently a group of technologists and vendors working under the cloak of digital darkness drew out a pentagram and locked arms as they called out to Cthulhu to manifest and drive out those that would oppose their ultimate aims of total and complete world domination. Domination brought about through a set of cloud computing solutions that would revolutionize antiquated IT infrastructures and deliver agility, scalability, and operational efficiencies through an open platform at a really, really good price.  Blood was spilled, virgins were killed, and apparently an “open” cloud-computing manifesto was drafted. Continue Reading »

Sam Curry from RSA recently posted some thoughts on a paper we have been working on and presented at Source Boston (here)…in the coming weeks we will detail the research and the modifications we have made since first presenting the draft over a month ago. Continue Reading »

Trend Micro posted on a recent location-aware malware scheme to target individuals using local information (here) – hat tip to Krebs for the post (here)

On Monday, security firm Trend Micro began warning people to look out for bogus “Reuters breaking news” e-mails warning of explosion or other various calamities that have supposedly broken out in a city near you. The message content pulls data from so-called “geo-location” services that can use the recipient’s Internet address to make a semi-accurate guess of their nearest town.

For example, a user who lives in Fairfax, Va., might see this subject line in a missive sent by Waledac: “Powerful explosion burst in Fairfax this morning.” The message authors also append a Wikipedia link and a Google search link at the bottom to add to the fake alert’s legitimacy.

I talked about this as one of the potential security problems associated with GPS-enabled smart phones in a post entitled “iPhone creates mobile malware tipping point,” by enabling new and interesting methods for malware proliferation (here). At the time, many of the press I talked with didn’t understand how this would work… Continue Reading »


There is a new podcast series that we have recently announced. You can review the first series of podcasts (here) – we have some really exciting guests lined up, and rumor has it there will be a co-host joining me as well – enjoy!

I had an interesting conversation with a peer recently that started with a statement he made that “innovation was all but dead in security”. The implication was that we had done all we could do and that there was very little more that would be accomplished. Of course I felt this was an overly simplistic and narrow view, not to mention that it completely ignores the rather dramatic impact changes in computing infrastructures will have over the next 5-10 years and beyond.

How have enterprise architectures evolved over the past 10 years and how will it continue to evolve? Simply put we are pushing more of our computing assets and the infrastructure that supports them out into the Internet / cloud. It began with mobile computing devices, remote offices, and telecommuters and is now moving into aspects of the traditional internal infrastructure, such as storage, application / service delivery, and data management. This has forced IT to, in some cases, radically redefine the technologies and processes they implement to even provide the basics of availability, maintenance and security. How does an IT organization maintain the health and availability of the evolving enterprise while securing the environment? How do they ensure visibility into and control over an increasingly complex and opaque infrastructure? Continue Reading »

Fear and Loathing in Davos


Few things can evoke more uncertainty and doubt than fear (here)…

The threat of cybercrime is rising sharply, experts have warned at the World Economic Forum in Davos.

Online theft costs $1 trillion a year, the number of attacks is rising sharply and too many people do not know how to protect themselves, they said.

On-line theft costs $1 trillion US dollars a year?  We have certainly come a long way since the Dark Avenger first crafted his polymorphic virus in the late 80’s but a $1 trillion a year? Seriously? Where the hell did the figure come from? To give you some perspective of size the total US GDP is about 14 trillion and that includes EVERYTHING.

But it gets worse…

“2008 was the year when cyber warfare began… it showed that you can bring down a country within minutes,” one panelist said.

Cyber warfare began in 2008 – between which countries? It showed you can bring down a country within minutes? Seriously, bring down a country, really, are you kidding? Is this some kind of sick world economic forum humor or just sheer ignorance?

So people are unable to browse to youtube or update facebook, or download Goth porn, or make their way over to my blog and up my readership – these things are all terrible, no question, but bring down a country? I can hear the threats now “Either your country surrenders or we will DoS you back to 1995″, just doesn’t have the same kick as “bomb you back to the stone age” does it.

There is no question that we have a problem: the increased reliance on technology, the ubiquitous nature of broadband connectivity and more digital commerce all create an environment that will breed crime. I believe that awareness is important, people should understand the dynamics and risks inherent in this new digital environment, but FUD doesn’t work; it drives up hysteria and then it crashes into ambivalence. FUD is the drug of the security industry and apparently many are addicted.


F-Secure is reporting that 9 million PCs are now infected with the conficker/downup/downadup/kido worm (here), which would make it one of the largest and most infectious worms we have seen in a long time. In an era of sophisticated, stealthy, financially motivated cybercrime it is interesting, to say the least, that this worm is garnering so much attention, but what is far more disturbing is how many computers were infected and how easily this could have been avoided through more effective and efficient patch management, antivirus updating, and basic security controls. It is absolutely astonishing that this worm has been able to infect as many computers as it did when all of the infection points take advantage of basic security lapses, and why it is more critical now than ever that we revamp our ability to maintain the health and improve the security of our computing infrastructure. Continue Reading »


Dear President Obama,

As America enters a new era that has already begun to reflect the leadership, the change, and the hope of your presidential campaign, it is imperative that we take this opportunity to implement a vision for how the United States and the world will securely and efficiently maximize the value of technology for the betterment of all. Continue Reading »


Wired reports that the 18 year old hacker (age is not relevant, but it is always fun for the media to point out that some “hacker” is still in his teens) responsible for breaking into Twitter’s administrative account and gaining access to several celebrity Twitter accounts used a password cracker that busted through the weak password of “happiness” (here).

The hacker, who goes by the handle GMZ, told Threat Level on Tuesday he gained entry to Twitter’s administrative control panel by pointing an automated password-guesser at a popular user’s account. The user turned out to be a member of Twitter’s support staff, who’d chosen the weak password “happiness.”

Cracking the site was easy, because Twitter allowed an unlimited number of rapid-fire log-in attempts.

“I feel it’s another case of administrators not putting forth effort toward one of the most obvious and overused security flaws,” he wrote in an IM interview. “I’m sure they find it difficult to admit it.”

In other news the Register wins the “best title referencing the Twitter hack” of all time (here)…
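The failure Wired describes, an automated password-guesser pointed at a login endpoint that allows unlimited rapid-fire attempts, as an added example that is not part of the original post and has nothing to do with Twitter’s actual code: a toy login service is attacked with a constructed word list, once with no attempt limit and once with a per-account lockout, so the same weak password falls in the first case and is refused in the second. The account name, word list, hash parameters and lockout numbers are all assumptions chosen for illustration.

```python
"""Added example: dictionary attack against a login endpoint with and
without throttling. Not code from the original post; every name and
number below is an assumption for illustration."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Optional, Tuple, List

# Constructed word list (assumption): a slice of the kind of dictionary a
# password-guesser walks, with the weak password sitting in it.
WORDLIST = ["password", "123456", "letmein", "qwerty", "welcome",
            "happiness", "sunshine", "iloveyou"]


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so a stolen credential table is not trivially reversed."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


@dataclass
class LoginService:
    """Toy login endpoint. max_failures=None reproduces 'unlimited rapid-fire
    attempts'; an integer enables a per-account lockout."""
    max_failures: Optional[int] = None
    window_seconds: float = 300.0      # failures older than this are forgotten
    lockout_seconds: float = 900.0     # how long the account stays locked
    users: dict = field(default_factory=dict)
    failures: dict = field(default_factory=dict)      # user -> [failure times]
    locked_until: dict = field(default_factory=dict)  # user -> unlock time

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = (salt, hash_password(password, salt))

    def login(self, username: str, password: str, now: float) -> str:
        """Returns 'ok', 'denied' or 'locked'. `now` is injected so the example
        is deterministic; a real service reads the clock."""
        if now < self.locked_until.get(username, 0.0):
            return "locked"       # refused even if the password is right
        # Unknown users still burn a hash, so timing does not reveal which
        # account names exist; the compare itself is constant-time.
        salt, digest = self.users.get(username, (b"\x00" * 16, b"\x00" * 32))
        candidate = hash_password(password, salt)
        if username in self.users and hmac.compare_digest(digest, candidate):
            self.failures.pop(username, None)
            return "ok"
        if self.max_failures is not None:
            recent = [t for t in self.failures.get(username, [])
                      if now - t < self.window_seconds]
            recent.append(now)
            self.failures[username] = recent
            if len(recent) >= self.max_failures:
                self.locked_until[username] = now + self.lockout_seconds
        return "denied"


def dictionary_attack(service: LoginService, username: str,
                      wordlist: List[str], rate_per_second: float = 10.0
                      ) -> Tuple[Optional[str], int]:
    """Automated guesser. Returns (password or None, attempts made). Stops on
    lockout, since every further guess is answered blindly."""
    attempts = 0
    for i, guess in enumerate(wordlist):
        attempts += 1
        result = service.login(username, guess, now=i / rate_per_second)
        if result == "ok":
            return guess, attempts
        if result == "locked":
            return None, attempts
    return None, attempts


def demo() -> dict:
    """Run the same attack against an unthrottled and a throttled service."""
    results = {}
    for label, limit in (("unthrottled", None), ("lockout_after_5", 5)):
        svc = LoginService(max_failures=limit)
        svc.add_user("support_staffer", "happiness")   # assumed account
        results[label] = dictionary_attack(svc, "support_staffer", WORDLIST)
    return results


if __name__ == "__main__":
    for label, (pw, n) in demo().items():
        outcome = f"cracked '{pw}'" if pw else "not cracked"
        print(f"{label}: {outcome} after {n} attempts")
```

Run it and the unthrottled service gives up “happiness” on the sixth guess, while the throttled one locks the account after five failures and refuses the sixth guess even though it is correct. A hard lockout is the bluntest answer and invites an attacker to lock out real users; progressive delays, CAPTCHAs or IP-plus-account rate limits are the usual refinements, but any of them would have stopped a guesser that needed unlimited attempts.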
