Like

Unlike

Related posts

• No related posts.

Like

Unlike

Related posts

• The Asymmetry of Security (0)
• Snort Rocks! (2)
• Security as a Career (0)
• Press Coverage – March 2009 (0)
• Press Coverage – July 2009 (0)

First of all, lets define what we are talking about. There is a simple definition for Cloud Computing, and three models of operation as held by NIST, these are:

Definition:

Cloud computing is a model for enabling convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or service provider interaction. This cloud model promotes availability and is composed of five essential characteristics, three service models, and four deployment models.

Models of Operation:

Cloud Software as a Service (SaaS). The capability provided to the consumer is to use the provider’s applications running on a cloud infrastructure. The applications are accessible from various client devices through a thin client interface such as a web browser (e.g., web-based email). The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, storage, or even individual application capabilities, with the possible exception of limited user-specific application configuration settings.

Cloud Platform as a Service (PaaS). The capability provided to the consumer is to deploy onto the cloud infrastructure consumer-created or acquired applications created using programming languages and tools supported by the provider. The consumer does not manage or control the underlying cloud infrastructure including network, servers, operating systems, or storage, but has control over the deployed applications and possibly application hosting environment configurations.

Cloud Infrastructure as a Service (IaaS). The capability provided to the consumer is to provision processing, storage, networks, and other fundamental computing resources where the consumer is able to deploy and run arbitrary software, which can include operating systems and applications. The consumer does not manage or control the underlying cloud infrastructure but has control over operating systems, storage, deployed applications, and possibly limited control of select networking components (e.g., host firewalls).

Now, I am pretty sure that during my long career, I have seen a lot of companies doing IaaS and PaaS as a “Business as Usual” activity, haven’t you? In my experience, IaaS is nothing more than a traditional infrastructure outsourcing arrangement, as undertaken with IBM, HP/EDS or BT, while PaaS is just a simple hosting service offered by most ISP’s (I accept I am simplifying here). So what are we really talking about when the press pickup and pedal the term “cloud computing”. Looks to me like they are talking about SaaS, which again, has been around for a while, Hotmail anyone?, but not really taken off in the enterprise until it became “cloud computing”. So is this just a media spin to pedal Hotmail to the enterprise or just a natural progression from outsourcing boxes to apps? What is revolutionary here, I am yet to see.

Related posts

• The Asymmetry of Security (0)
• Snort Rocks! (2)
• Security as a Career (0)
• Press Coverage – January 2010 (0)
• PenTest Straw Poll (0)

Accountancy Age – August 2009 – Dark Pools of Talent

Like

Unlike

Related posts

• Press Coverage – March 2009 (0)
• Press Coverage – July 2009 (0)
• Press Coverage – January 2010 (0)
• Press Coverage – February 2009 (0)
• Press Coverage – April 2009 (0)

Sheffield Star Business Monthly – July 2009 – Hacking

Like

Unlike

Related posts

• Press Coverage – March 2009 (0)
• Press Coverage – January 2010 (0)
• Press Coverage – February 2009 (0)
• Press Coverage – August 2009 (0)
• Press Coverage – April 2009 (0)

computing.co.uk – April 2009 – Malware
computing.co.uk – April 2009 – Risk in the recession
pcauthority.com.au – April 2009 – Microsoft
computing.co.uk – April 2009 – Microsoft
crn.com.au – April 2009 – Risk in the recession
whatpc.co.uk – April 2009 – Security
computing.co.uk – April 2009 – Malware
Searchsecurity.co.uk – April 2009 – Conficker & Patching

Like

Unlike

Related posts

• Press Coverage – March 2009 (0)
• Press Coverage – July 2009 (0)
• Press Coverage – January 2010 (0)
• Press Coverage – February 2009 (0)
• Press Coverage – August 2009 (0)

Insurance Times – March 2009 – Data Loss Issues

Like

Unlike

Related posts

• Press Coverage – July 2009 (0)
• Press Coverage – January 2010 (0)
• Press Coverage – February 2009 (0)
• Press Coverage – August 2009 (0)
• Press Coverage – April 2009 (0)

Computer Fraud and Security – February 2009 – Ethics & Hacking

Like

Unlike

Related posts

• Press Coverage – March 2009 (0)
• Press Coverage – July 2009 (0)
• Press Coverage – January 2010 (0)
• Press Coverage – August 2009 (0)
• Press Coverage – April 2009 (0)

North West Insider – August 2007 – IT Security
North West Insider – August 2008 – BERR Survey

Like

Unlike

Related posts

• Press Coverage – March 2009 (0)
• Press Coverage – July 2009 (0)
• Press Coverage – January 2010 (0)
• Press Coverage – February 2009 (0)
• Press Coverage – August 2009 (0)

Consider these examples:

1. From an effort perspective, the effort required to secure a system is significantly less than that required to exploit it.
2. From a cost perspective, it is less expensive to prevent a serious data breach than it is to clean up and recover from one.

Point 1 above was illustrated very clearly to me on the IISP’s TopGun event I attended recently, and is a scenario that you have to step back from to fully appreciate. Eg. If you have a smallish network, with most modern services such as web, email, mobile, databases, websites etc, then the effort to secure that is quite mammoth. You have to consider the perimeter, the information, how its stored and used, what services are on offer and the impacts etc. Then you have to consider every conceivable vulnerability, patching strategies and stay on top and at least up to speed with the curve of change. All of these efforts equate to a team of people, but all it takes to break in, is 1 person with a brain, motive, and a few freely available tools.

Point 2 of course, was illustrated very well by a study by the Pnemon Instutue LLC in conjunction with PGP and Vontu (Symantec), this study evaluated the true cost of a breach of data security and considered factors such as direct and indirect costs, and has trended the data over the last few years with enlightening results.

Despite both of these points clearly illustrating that the best way to tackle the security conundrum is head on and proactively, those of us in the industry will all surely testify that getting the right backing, funding, and often, even the right audience with the business, is still a hard task. From my perspective, I will keep on trying, and keep on flying the flag in the hope that one day reality sets in and my job / life gets easier!

Like

Unlike

Related posts

• IISP Top Gun event, Manchester, 30 June 2008 (0)
• Anything that can be engineered by mankind….. (0)
• ACME Supercomputing Inc – Roadrunner Beware (0)
• Snort Rocks! (2)
• Security as a Career (0)

The first thing I want to say on the subject is that Security is more of a state of mind than anything else. I have a saying, to be good in security you need to be sceptical with a healthy dose of paranoia! This point of view will serve you well when it comes to security as it will allow you to be objective and not accept things at face value. Secondly, you need an inquisitive nature and a thirst for knowledge, To be the best at security you simply need to be able to hunt out the truth and learn the latest concepts and techniques very quickly. Finally, you need to be a good generalist, I realise this point is contentious, but I truly believe that you need to have a good general grasp of everything technology related as well as your preferred specialism in order to cover the breadth of security. Of course you can be an expert in your chosen specialism, but you must have a grasp of how “everything” fits together in order to be good.

OK, so where do you begin? Well, for starters, you need to have a long hard think about what you want out of life. What I mean by this is, are you a “techy” or are you a “manager”? I realise you can be both (as I am), but when your starting out, the subject is so broad you need a direction to head. If your a techy,  then you probably heading down the threat, vulnerability and controls path, with topics such as ethical hacking, intrusion detection and firewalls on your learning list. if however, your more of a manager, your probably heading down the opposite path towards topics such as strategy, assurance and governance. Once you have figured this out, you can start to look at the material, courses and support networks available for each road to help you get going.

One important factor that should always be included however is your own personal growth and development. What I mean by this are the softer skills such as communication, empathy, leadership, coaching etc. All of these skills are fundamental to your success and should be developed in equal measure with your chosen subject specialisms. The biggest issues I face as an employer in this sector is finding good security people with excellent soft skills. Its too easy in this game to get trapped in a world of regulations or bits ‘n’ bytes, and forget that all your knowledge is pointless if you cannot make use of it and educate the world.

Like

Unlike

Related posts

• The Asymmetry of Security (0)
• Snort Rocks! (2)
• Press Coverage – January 2010 (0)
• PenTest Straw Poll (0)
• PCI-DSS Is it dead? (0)

So what I hear you cry!

Well think of this, Cloud computing is here to stay and can yield some massive processing potential, but its still quite young and clouds tend to be privately owned and sold to the highest bidder. But what if we could all club together and build a cloud so big, so powerful it blew the Crays and IBMs of this world out of the water?

Again, I hear the crys of yeah right!

Well, ask yourself this, do I own a PS3? if the answer is yes, welcome to the “PSCloud”

The concept is simple, in a PS3 there is an IBM Cell Processor with 8 CPU cores, a very powerful CPU indeed! and guess what, IBM’s Roadrunner uses them too, yes, the Roadrunner has just short of 13,000 Cell Processors in it, of course it has quite a few AMD’s as well (6.4K), but the cells are the bulk of it.

So lets look at the facts, the same basic architecture used for the supercomputer market is in our homes, and cloud computing is here to stay, well I’m no rocket scientist but I reckon if we put these two concepts together, Roadrunner and Jaguar have a problem on their hands.

As of November 2008, over 16 million PS3’s have been sold around the world, of which we can assume by the design and nature of the unit, that nearly all of them are connected to the internet, so if we were able to join them into a single cloud, what sort of processing power could we achieve?

I ask you this….. If 13,000 Cells and 6K AMD’s get you 1.6 Petaflops, what would 16million Cells get you?

All we need to make this happen is a software/firmware update to turn the PS3 into a cloud member and a peer based command and control mechanism, any programmers out there?

Like

Unlike

Related posts

• The Asymmetry of Security (0)
• Anything that can be engineered by mankind….. (0)
• Snort Rocks! (2)
• Security as a Career (0)
• Press Coverage – January 2010 (0)

Its a simple mantra, but one that has served me well in security.

Think of of this way, it doesn’t matter how intelligent you are, someone, somewhere is more intelligent! When it comes to security this is never more true. As we all know, security is asymmetric, in so much that the effort required to secure something is significantly more than that required to break into it. Given this point, it makes the mantra even more relevant! If security was symetrical, you would have a 1:1 effort relationship, however, as its not, (we will for the purposes of this article assume its 2:1, i.e. double the effort required to secure), it would theoretically take less brain power than it took to create the control to break it.

Obviously I accept that this is a very simplistic representation of the point, but one I think is valid.

Like

Unlike

Related posts

• The Asymmetry of Security (0)
• ACME Supercomputing Inc – Roadrunner Beware (0)
• Snort Rocks! (2)
• Security as a Career (0)
• Press Coverage – January 2010 (0)

Which Penetration Testing Qualification is best from a Testing perspective:
Note: There is a poll embedded within this post, please visit the site to participate in this post's poll.

(NB: I have deliberately excluded “accreditation schemes” such as CREST and CHECK)

Like

Unlike

Related posts

• The Asymmetry of Security (0)
• Snort Rocks! (2)
• Security as a Career (0)
• Press Coverage – January 2010 (0)
• PCI-DSS Is it dead? (0)

lets put it into perspective. First of all, you have to accept that open source software is your friend, then accept that just because it doesn’t have a “GUI” doesn’t mean its any more complex. Ok, now that you have accepted an alternate reality, it is time to look at some comparisons. Lets look at some good, typically expensive security controls, typically, usually reserved for Banks, because “they have the budget for it”.

We will start with IDS “Intrusion Detection System”, specifically, the network variety (NIDS), deployed across the infrastructure, and designed to spot malicious traffic flowing across your network and highlight suspicious activity that may be happening under the radar. If you were to buy one of the very excellent and very expensive commercial solutions, on a medium size network, you could be spending 6 figures before breakfast. That’s a serious hole in a security budget, so what other options exist? Well, for a start, “snort” an open source, well maintained and mature project that’s been around for years. Its 100% free, and will only cost you the physical hardware and some administrative overhead getting it up and running. Its very scalable, equally configurable and its signatures are maintained by a community of experts in the field. What more could you ask for? Ok, so the reality is, in our scenario of 6 figures for the commercial solution, the free one would likely cost you 10-20K in hardware and specialist labour, but whats 20K compared to £200,000K, I know which one I would prefer to sign off.

Next, lets look at another hot topic, SIMS “Security Information Management Solution”. This is another typically large investment to essentially, analyse logs generated by the infrastructure. Again, the concept has been available in open source for years. Syslog servers shipping logs to each other with some sort of Perl analysis scripting has been around forever, and again, its just the labour and hardware costs to consider.

What about Firewalls? The staple diet of all organisations of any size. Now, these can be quite cheap or ridiculously expensive. I have built, deployed and managed most of the top end ones, and can after a career of using them, I can happily say, I would deploy a well configured “iptables” firewall in Linux over a Cisco or Checkpoint any day of the week. Ok, so you don’t get the nice gui with all your 200 firewalls in, but, there are options…. Gui’s exist, and again, a specialist can easily make this whole concept easily manageable for any organisation. Now, if a key control for limiting the impact of a hack is through network segregation, then the ability to deploy low cost firewalls can only improve the overall security of the network

So, if I had a 1000 user network to protect, a budget of 500K and full autonomy. I would spend 100K on every open source solution available, home grow some of my own, contract a team of top class Linux / security gurus to get it all up and running, then sit back in my SOC “Security Operations Centre” and wait for the siren to go off! Of course, I would take the other 400K as my bonus

Like

Unlike

Related posts

• Snort Rocks! (2)
• Linux Defence Tweaks (0)
• The Asymmetry of Security (0)
• Security as a Career (0)
• Press Coverage – January 2010 (0)

C|EH (Certified Ethical Hacker). Anyone who has been in that area of work for a number of years will state that the C|EH is rubbish, and, of course, they are right. Having done the qualification, I can vouch for the fact that it is a tools based approach to hacking, with a heavy slant towards using windows as your attacking platform (which is wrong for so many reasons). It does however, give you the basics, and teaches you about basic methodologies etc. …..So, you might ask, why do I say I am a C|EH, if I know its pointless? Simple. To a purist hacker, its a waste of time, but commercially it has value as it is recognised by clients and companies alike as the de facto standard for hacking. This difference in perception is a prime example of how a qualification can bring credibility with the audience you want. All of my team are C|EH, because, when I write a proposal for a client, I can say, all my team are “Certified Ethical Hackers”. They of course understand this and as a bonus, the first two words add a level of “comfort” to what sounds like a venture into the dark side!

Now, let’s look at another qualification (CISSP) “Certified Information Systems Security Professional”. This is about the best baseline security qualification in play today. It is very broad in it’s syllabus and well maintained through its CPE “Continual Professional Education” requirement. This qualification really does work on both sides of the fence. Clients like it and so do the professionals What it doesn’t do is guarantee that the holder of the qualification is a deep specialist in a given area, but what it does very well, is mandate a baseline of knowledge with real width in the subject of security.

Here are my views on how they pin together:

Some example credentials that mean something to your peers:

• GIAC’s (Any of them!)
• CITP
• OSCP

Some example credentials That mean something to your clients or employers:

• ITiL
• PRINCE2
• C|EH
• CCNA

Some example credentials that mean something to everyone:

• CISSP
• CCNP

This is not the most exhaustive list, but is a start. The underlying piece of advice here is, when your picking a credential to study for and invest in, think how it will add value to you and your situation, and see if there is a better option available. Knowledge can be learned for free, credentials have to be bought!

Like

Unlike

Related posts

• The Asymmetry of Security (0)
• Snort Rocks! (2)
• Security as a Career (0)
• Press Coverage – January 2010 (0)
• PenTest Straw Poll (0)

I can definatley say its come a long way. It was much easier to install, and only took a small amount of syntax debugging to figure out the configs. During my research / re-learning curve though it would seem that version 2.8 with the stream5 processor is not as good as version 2.4 with the flow processor at detecting portscans. This was certainley the concensus of the community, and after a bit of playing I can agree. However, I now have sfPortscan running with stream5 and its seems pretty accurate to me, so I am certainly happy with the results.

BASE is also a welcome move onwards from what used to be a very clunky interface. It seems light and intuitive, with decent features. I think it could do with the addition of some basic graphs, rather than having to use the graph engine to define your graphs each time, but on the whole i think it is certainly a good alternative to spending a large amount of money on a commercial product. Certainly the ability to abstract the managemnet interface, data storage and sensors from each other gives you a highly scaleable model to use a basis for a large scale deployment.

Of course, if you don’t fancy the pain of compiling code from scratch, or your just dam lazy, check out EasyIDS for a complete “IDS in a box” that gives you everything I just said with none of the hastle!

….You just can’t ingore the momentum that opensource has gained

Like

Unlike

Related posts

• Linux Defence Tweaks (0)
• Free Security for All! (0)
• The Asymmetry of Security (0)
• Security as a Career (0)
• Press Coverage – January 2010 (0)

Ok, so the basic concept is simple, setup three primary work streams or “functions”, 1 is a Risk Asssesment and Classifcation Function, 2 is a People / Process/ Awareness, and 3 is Controls, both protective and detective as needed.

The idea is that the risk assessment process runs in a cycle with inputs and outputs at the core of the system which serves as the engine for security. Its easier to explain in a diagram, take a look:

Genious or Madness, its your decision, I like it because its simple and can be applied to any situation. Of course I agree with arguments such as “where is the governance?”, “what about strategy” etc, but quite simply, thats not what this is. This is a simple security process that allows you to feed information in and get solutions out.

Like

Unlike

Related posts

• The Asymmetry of Security (0)
• Snort Rocks! (2)
• Security as a Career (0)
• Press Coverage – January 2010 (0)
• PenTest Straw Poll (0)

PCI on the other hand has a few cards left to play, first we see the move from 1.1 to 1.2, and although the content is still uncertain, it is likley to include calrifications of “what they actually meant” and additions. Aside from the revisions now and future to the PCI-DSS, PA-DSS, and other relevant standards are likeley to appear to help ensure that those organisations we entrust with our data, do the minimum to keep hold of it.

of course, we have seen some clarifications and “movement” on the existing standard, as well as finally, some teeth being displayed by the PCI through fines.

In my view, PCI is by no means dead, or even old news, its just part of the legislative landscape that is a part of business today, not to be ignored.

Like

Unlike

Related posts

• The Asymmetry of Security (0)
• Snort Rocks! (2)
• Security as a Career (0)
• Press Coverage – January 2010 (0)
• PenTest Straw Poll (0)

As I mentioned in the opening CEO article, the inaugural Top Gun event in Manchester was a great success on many fronts.  We had 20 participants, organised into the Red and Blue teams, plus 5 members of the Control Team, and the day just seemed to fly past, so intense was the concentration, interaction, ingenuity and fun.

We cannot give too much away as to the content of the case study or the processes we followed on the day, for fear that we might spoil some of the element of surprise for participants in future events.  Suffice to say that those who were there threw themselves into the exercise and, accordingly got the most out of it, as well as proposing a few additional suggestions for developing and improving it for future players.

Let us however, convey the particular views of a member of one of the teams, and let them tell you what they thought of the event.

“TopGun, The Blue View. (Jay Abbott, PwC)

I have to admit, I was genuinely sceptical about the TopGun event as the idea of playing the Security equivalent of Battleships during one of my busiest times of the year was not one that featured far up the “to do” list, that said, I am genuinely pleased that I made the time to attend. We arrived with very little information about what was planned, and were immediately split into two teams, Red and Blue, The Red were of course the attackers, and Blue were the defenders and the teams split had been pre-planned by the organisers to ensure that a good cross section of skills rested in each team to keep things fair.

The remit was simple, we each were given suitable pieces of a puzzle, i.e. some deliberately sketchy information related to the organisation, typical of that you would find on your first day of work or your first information gathering exercise. From there it was a case of building a better picture of what you have and figuring out the best way forward (sound familiar?). At this point, the teams were physically split and departed into adjacent “war rooms” to prepare their respective strategies. We each could communicate with our “control” staff, who acted as the coordination of the event and holders of information. The co-ordination role was pivotal in the success of the event as they were able to coordinate the virtual attack and defence strategies in real-time to keep the feeling of real-life and to ensure that the game was fair.

From a blue perspective it was business as usual, we had a budget and an environment to protect, we had to evaluate the skills in our team, establish specialism’s that could work in key streams, and run the entire thing like a project.

All in all it was a very worthwhile day that created a great deal of discussion and provoked much debate. What I personally took from the day was something that I see all too often, but is perhaps not as obvious to all, to quote Paul Dorey on the day it is summed up in the phrase “Security is Asymmetric”. Put simply this is the fact that someone attacking an organisation need only find one hole or vulnerability in order to succeed, while those protecting the organisation must try to plug every hole and mitigate every vulnerability to be secure.”

Event wrap-up discussion and lessons learnt – great work everyone!

The participants captured their comments on an evaluation form and we are reviewing and acting on those comments.  They also scored the event out of a scale of 1 to 5, and rated the event at 4.3 overall, but with specific scores of 4.5 for facilitation and presentation, and 4.6 for opportunity to discuss and exchange ideas.  A great success by any measure.

Thanks to all involved, and to PwC, our hosts for the day.

Courtesy of the Institute for Information Security Professionals

Like

Unlike

Related posts

• The Asymmetry of Security (0)
• Snort Rocks! (2)
• Security as a Career (0)
• Press Coverage – January 2010 (0)
• PenTest Straw Poll (0)