Archive for the Main Category

Comprehensive National Cybersecurity Initiative (CNCI)

I am a big believer in common sense. It’s amazing how uncommon common sense really is, and how important it is.

One of the guiding principles of information security is independent review. The network administration team and the network security team set the rules and protections and set them up; then you hire someone from the outside to come in and try to break them. This happens all over the place in the world: the CFO makes the budget and documents expenses, then you hire an independent auditor to verify; before you get that life-threatening brain surgery you request a second opinion. Checks and balances, second opinions, peer review: it keeps everyone sharp and protects us all from bad advice, or from being sold a $2000.00 vacuum cleaner when we have hardwood floors.

Currently cooking in the government is the Comprehensive National Cybersecurity Initiative. It’s secret; no one can know what is in it until they decide to release it. The concerning thing about it is who is influencing the choices: is it someone who knows the difference between a hash algorithm and hash browns? Do they know the difference between a rainbow table and the Rainbow Coalition?

My hope is that the government opens the CNCI to industry input, even though the ensuing carnival may be painful. Yes, someone will come in and present why token ring is more secure than Ethernet, wasting everyone’s time, but at least there will be an intelligent discussion.

If the vendor conversations are too loud, perhaps just a good survey of the hacker community, INFOSEC professionals in the NSA’s own IAM/IEM certification program, or CISSPs. Somehow, some intelligent debate needs to enter the cybersecurity realm and move it from lip service to reality.

How about a cybersecurity stimulus? You think I’m kidding? While we spend endless hours of debate discussing already lost manufacturing jobs, we are letting an industry in which the United States has a significant advantage and resource blow in the wind. Every other major world power spends more on cybersecurity than the United States; why don’t we wake up and join the 21st century? The jobs yielded by security applications would pay on average twice that of the manufacturing jobs we spend billions to keep and bail out.

Certification Certainty

One of the important differentiators in the INFOSEC market is certifications. Certifications don’t, in themselves, make software better; they reduce risk by forcing independent review of products and technologies.

We all know, nowadays, with tainted milk from China and poisoned pet food, how important it is to have some controls between you and the lowest-cost manufacturers. A number of security solutions have gone this way, with very little separation between the people creating the solutions to protect us and the people we want to be protected from.

Call it globalization, call it outsourcing, call me crazy, but just as we are combating botnets and espionage from China, a great number of people are having their security applications written there on the cheap. The wonderful thing about standards like the Federal Information Processing Standards (FIPS) or Common Criteria (CC), or even NSA code reviews, is that someone is ‘Watching the Watchmen’ (‘quis custodiet ipsos custodes’ for you Watchmen fanatics).

You would not believe the number of ‘security’ companies that don’t keep up their certifications, even companies that are supposed ‘industry leaders’. Their FIPS validation has lapsed, they have no Common Criteria evaluation, or it’s a joke of one (make sure you look at the evaluation level and protection profile).

So, net net: CAVEAT EMPTOR. There are a number of people out there who would like nothing more than to sell you not-so-protective protection. Check their certifications yourself on www.nist.gov/cmvp (FIPS cryptography certification) and www.commoncriteriaportal.org (for Common Criteria). Take note that you can click on their certification and see exactly what they are claiming they do (in FIPS it’s called the Security Policy; in Common Criteria it’s called the Protection Profile). You will find for yourself that it’s often a complete joke.

The more everyone learns about security, the faster vendors can be made to produce secure software. Perhaps someday it will be CAVEAT VENDITOR, let the vendor beware, and companies will produce secure and independently verified software that truly delivers protection.
