<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss'><id>tag:blogger.com,1999:blog-7185731378551246027</id><updated>2009-12-20T09:32:28.627-05:00</updated><title type='text'>Red Light Security</title><subtitle type='html'>Techniques, trends, and tidbits for Information Security Professionals</subtitle><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/posts/default'/><link rel='alternate' type='text/html' href='http://www.redlightsecurity.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><link rel='next' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/posts/default?start-index=26&amp;max-results=25'/><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://www.redlightsecurity.com/feeds/atom.xml'/><author><name>Steven McElwee</name><uri>http://www.blogger.com/profile/11941856369020054122</uri><email>noreply@blogger.com</email></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>35</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>25</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-7185731378551246027.post-552796860769765128</id><published>2009-12-20T08:39:00.002-05:00</published><updated>2009-12-20T08:41:51.367-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Application Security'/><title type='text'>Breach of the Drones</title><summary type='text'>When it was discovered that video feeds from U.S. Predator and Reaper unmanned drones were being hacked by insurgents in Iraq, it became evident that cybersecurity has a long way to go to become more secure. 
The natural reaction is to point the finger at software producers, the government, and the push for functionality over security. But it may be that a different model is needed for the </summary><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/552796860769765128/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=7185731378551246027&amp;postID=552796860769765128' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/posts/default/552796860769765128'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/posts/default/552796860769765128'/><link rel='alternate' type='text/html' href='http://www.redlightsecurity.com/2009/12/breach-of-drones.html' title='Breach of the Drones'/><author><name>Steven McElwee</name><uri>http://www.blogger.com/profile/11941856369020054122</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='13932001650989478284'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7185731378551246027.post-6120234179498425439</id><published>2009-12-16T07:00:00.001-05:00</published><updated>2009-12-16T08:10:03.971-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Secure Coding Practices'/><category scheme='http://www.blogger.com/atom/ns#' term='Application Security'/><title type='text'>Implementing Trust Between Systems</title><summary type='text'>When designing or reviewing a system, it is common to ensure that trust is established between end-users and the applications. Trust in this context means that the users are trusted because they have proven their identity, and their authority to access the application has been verified. 
Many times, trust between system components is overlooked. This can be a deadly sin for software design that </summary><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/6120234179498425439/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=7185731378551246027&amp;postID=6120234179498425439' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/posts/default/6120234179498425439'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/posts/default/6120234179498425439'/><link rel='alternate' type='text/html' href='http://www.redlightsecurity.com/2009/12/implementing-trust-between-systems.html' title='Implementing Trust Between Systems'/><author><name>Steven McElwee</name><uri>http://www.blogger.com/profile/11941856369020054122</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='13932001650989478284'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7185731378551246027.post-5167896681919723085</id><published>2009-12-15T07:00:00.003-05:00</published><updated>2009-12-15T07:29:20.123-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Career'/><title type='text'>Cybersecurity in 2010: Bubble or Blip?</title><summary type='text'>Take a look at Google trends for the word "cybersecurity", and see what you find. In the third quarter of 2008, there were two small blips on the radar for this search term. In 2009 there was a sharp rise throughout the year. 
What will 2010 look like for cybersecurity, and are we at the beginning of a cybersecurity bubble? The Internet bubble was driven primarily by new web technologies and the </summary><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/5167896681919723085/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=7185731378551246027&amp;postID=5167896681919723085' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/posts/default/5167896681919723085'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/posts/default/5167896681919723085'/><link rel='alternate' type='text/html' href='http://www.redlightsecurity.com/2009/12/cybersecurity-in-2010-bubble-or-blip.html' title='Cybersecurity in 2010: Bubble or Blip?'/><author><name>Steven McElwee</name><uri>http://www.blogger.com/profile/11941856369020054122</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='13932001650989478284'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7185731378551246027.post-7605474681107572538</id><published>2009-12-14T07:00:00.000-05:00</published><updated>2009-12-14T07:08:14.613-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Career'/><category scheme='http://www.blogger.com/atom/ns#' term='Critical Infrastructure Protection'/><title type='text'>Cybersecurity Government Job Fair</title><summary type='text'>With the increasing attention to cybersecurity in the government sector and in critical infrastructure protection, the Department of Homeland Security announced in October that it would be hiring for as many as 1,000 cybersecurity jobs. 
DHS is moving forward on that promise with a virtual job fair. The job fair can be accessed at http://www.dhs.gov/xabout/careers/cyberjobfair, and it works like a </summary><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/7605474681107572538/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=7185731378551246027&amp;postID=7605474681107572538' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/posts/default/7605474681107572538'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/posts/default/7605474681107572538'/><link rel='alternate' type='text/html' href='http://www.redlightsecurity.com/2009/12/cybersecurity-government-job-fair.html' title='Cybersecurity Government Job Fair'/><author><name>Steven McElwee</name><uri>http://www.blogger.com/profile/11941856369020054122</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='13932001650989478284'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7185731378551246027.post-666659197247676097</id><published>2009-12-13T09:26:00.000-05:00</published><updated>2009-12-13T09:32:02.993-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Cryptography'/><category scheme='http://www.blogger.com/atom/ns#' term='Security Tools'/><title type='text'>On-the-fly Encryption with TrueCrypt</title><summary type='text'>How sensitive is your data? You may use highly confidential data at work or at home. If you are concerned about the potential exposure of that data, encryption may be a good solution for ensuring that your data remains protected. One tool that you can use to encrypt your data is TrueCrypt. 
It is a free, open source program that works on Windows 7/Vista/XP, Mac OS X, and Linux. TrueCrypt is a very </summary><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/666659197247676097/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=7185731378551246027&amp;postID=666659197247676097' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/posts/default/666659197247676097'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/posts/default/666659197247676097'/><link rel='alternate' type='text/html' href='http://www.redlightsecurity.com/2009/12/on-fly-encryption-with-truecrypt.html' title='On-the-fly Encryption with TrueCrypt'/><author><name>Steven McElwee</name><uri>http://www.blogger.com/profile/11941856369020054122</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='13932001650989478284'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7185731378551246027.post-898918706450493912</id><published>2008-04-28T20:58:00.005-04:00</published><updated>2009-12-11T23:50:30.909-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Virtualization'/><title type='text'>Spinning Out of Control: Securely Managing Virtual Sprawl</title><summary type='text'>Server virtualization is taking hold. It boasts so many advantages that it is likely to become the standard for data centers around the world. It saves money by maximizing hardware resources. It reduces the number of physical servers, which reduces power consumption. It also revolutionizes server deployment by allowing servers to be copied as easily as files on the file system. 
Add to this the </summary><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/898918706450493912/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=7185731378551246027&amp;postID=898918706450493912' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/posts/default/898918706450493912'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/posts/default/898918706450493912'/><link rel='alternate' type='text/html' href='http://www.redlightsecurity.com/2008/04/spinning-out-of-control-securely.html' title='Spinning Out of Control: Securely Managing Virtual Sprawl'/><author><name>Steven McElwee</name><uri>http://www.blogger.com/profile/11941856369020054122</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='13932001650989478284'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7185731378551246027.post-1563012877600896537</id><published>2008-04-16T22:18:00.007-04:00</published><updated>2009-12-12T17:28:15.156-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Virtualization'/><title type='text'>Virtualization: Red Pill or Blue?</title><summary type='text'>Virtualization technologies have been compared to the movie The Matrix. In it, Neo and other humans are captured in a virtual world. Neo is offered a blue pill or a red pill. The blue pill will return him to his normal unreal world in the matrix. The red will set his mind free by exposing the matrix. 
When it comes to virtualization technologies, the red pill and blue pill have similar </summary><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/1563012877600896537/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=7185731378551246027&amp;postID=1563012877600896537' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/posts/default/1563012877600896537'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/posts/default/1563012877600896537'/><link rel='alternate' type='text/html' href='http://www.redlightsecurity.com/2008/04/virtualization-red-pill-or-blue.html' title='Virtualization: Red Pill or Blue?'/><author><name>Steven McElwee</name><uri>http://www.blogger.com/profile/11941856369020054122</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='13932001650989478284'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7185731378551246027.post-2258492525403911821</id><published>2008-04-13T09:47:00.004-04:00</published><updated>2009-12-12T17:29:29.434-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Virtualization'/><title type='text'>Patch Management In a Virtual World</title><summary type='text'>As more and more companies adopt virtualization in their data centers to reduce the number of physical servers and save money, security strategies need to be developed in parallel. 
While security may push back on this movement and resist its adoption, it will be far more beneficial to develop security strategies to deal effectively with advancing virtualization technologies. Patch management is </summary><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/2258492525403911821/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=7185731378551246027&amp;postID=2258492525403911821' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/posts/default/2258492525403911821'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/posts/default/2258492525403911821'/><link rel='alternate' type='text/html' href='http://www.redlightsecurity.com/2008/04/patch-management-in-virtual-world.html' title='Patch Management In a Virtual World'/><author><name>Steven McElwee</name><uri>http://www.blogger.com/profile/11941856369020054122</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='13932001650989478284'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7185731378551246027.post-1667508377851756975</id><published>2008-03-11T18:37:00.005-04:00</published><updated>2009-12-12T17:30:01.028-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security Process'/><title type='text'>Six Sigma for Security, Part 5: Staying in Control</title><summary type='text'>After you have moved through the define, measure, analyze, and improve stages of your Six Sigma for Security project, you are ready to move into the control phase. Your security operations should always operate in the control phase. 
If so, the control phase for Six Sigma is merely a matter of adding your improvements into your existing controls. Here are some tools that you may find helpful in the</summary><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/1667508377851756975/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=7185731378551246027&amp;postID=1667508377851756975' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/posts/default/1667508377851756975'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/posts/default/1667508377851756975'/><link rel='alternate' type='text/html' href='http://www.redlightsecurity.com/2008/03/six-sigma-for-security-part-5-staying.html' title='Six Sigma for Security, Part 5: Staying in Control'/><author><name>Steven McElwee</name><uri>http://www.blogger.com/profile/11941856369020054122</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='13932001650989478284'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7185731378551246027.post-3409058256914412681</id><published>2008-03-08T16:45:00.004-05:00</published><updated>2009-12-12T17:30:27.769-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security Process'/><title type='text'>Six Sigma for Security, Part 4: Making Improvements</title><summary type='text'>You have made your security program measurable. You have identified problem areas that keep you from meeting targets in your critical to quality (CTQ) goals. 
Now it is time to move on to making improvements and measuring their effectiveness. One of the great things about Six Sigma is that improvements are tied to specific metrics, with a goal to reduce variation and improve your average. To make </summary><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/3409058256914412681/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=7185731378551246027&amp;postID=3409058256914412681' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/posts/default/3409058256914412681'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/posts/default/3409058256914412681'/><link rel='alternate' type='text/html' href='http://www.redlightsecurity.com/2008/03/six-sigma-for-security-part-4-making.html' title='Six Sigma for Security, Part 4: Making Improvements'/><author><name>Steven McElwee</name><uri>http://www.blogger.com/profile/11941856369020054122</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='13932001650989478284'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7185731378551246027.post-4373214918745434451</id><published>2008-03-06T22:09:00.005-05:00</published><updated>2009-12-12T17:31:49.723-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security Process'/><title type='text'>Six Sigma for Security, Part 3: Analyzing the Data</title><summary type='text'>Making security measurable is only the beginning of Six Sigma for Security. The purpose of security metrics is not the metrics themselves but what you do with them. 
The next phase is to analyze the data and find opportunities for improvement. The analysis phase is what makes Six Sigma stand out. In it you will use statistics to find where you can make improvements. There are two improvements in </summary><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/4373214918745434451/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=7185731378551246027&amp;postID=4373214918745434451' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/posts/default/4373214918745434451'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/posts/default/4373214918745434451'/><link rel='alternate' type='text/html' href='http://www.redlightsecurity.com/2008/03/six-sigma-for-security-part-3-analyzing.html' title='Six Sigma for Security, Part 3: Analyzing the Data'/><author><name>Steven McElwee</name><uri>http://www.blogger.com/profile/11941856369020054122</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='13932001650989478284'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7185731378551246027.post-685587884650168120</id><published>2008-03-05T21:26:00.006-05:00</published><updated>2009-12-12T17:32:17.209-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security Process'/><title type='text'>Six Sigma for Security, Part 2: Measuring</title><summary type='text'>After you have defined the Critical to Quality (CTQ) goals of your security program, the next step is to determine how to measure them. Creating a measurement plan for security is like creating a scoreboard. 
It allows you to gauge at any time how successful you are and your level of protection. Keep in mind that at the outset of this Six Sigma project we determined that we would not just measure </summary><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/685587884650168120/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=7185731378551246027&amp;postID=685587884650168120' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/posts/default/685587884650168120'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/posts/default/685587884650168120'/><link rel='alternate' type='text/html' href='http://www.redlightsecurity.com/2008/03/six-sigma-for-security-part-2-measuring.html' title='Six Sigma for Security, Part 2: Measuring'/><author><name>Steven McElwee</name><uri>http://www.blogger.com/profile/11941856369020054122</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='13932001650989478284'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7185731378551246027.post-5264607011024732873</id><published>2008-03-01T19:27:00.007-05:00</published><updated>2009-12-12T17:32:49.291-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security Process'/><title type='text'>Six Sigma for Security, Part 1: Defining Success</title><summary type='text'>How do you measure the effectiveness of your security program? Unlike business metrics which have tangible goals, such as revenue growth, inventory reduction, and sales force effectiveness, security's goal is to prevent internal and external breaches. 
Your goal in security should be to have nothing to measure - no virus attacks, no external breaches, no successful social engineering attacks, no </summary><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/5264607011024732873/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=7185731378551246027&amp;postID=5264607011024732873' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/posts/default/5264607011024732873'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/posts/default/5264607011024732873'/><link rel='alternate' type='text/html' href='http://www.redlightsecurity.com/2008/03/six-sigma-for-security-part-1-defining.html' title='Six Sigma for Security, Part 1: Defining Success'/><author><name>Steven McElwee</name><uri>http://www.blogger.com/profile/11941856369020054122</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='13932001650989478284'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7185731378551246027.post-6510557424614684861</id><published>2008-03-01T08:33:00.007-05:00</published><updated>2009-12-12T17:56:01.575-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Privacy'/><title type='text'>Privacy on the Web, Part 4: How to Hide from Web Beacons</title><summary type='text'>Why would I want to hide from web beacons and consolidated web traffic analysis? I don't have anything to hide. We each make decisions about how much privacy and security to give up to gain convenience. 
The settings in web browsers - to save passwords, accept third party cookies, and keep authenticated sessions persistent over many days and across many sites - make using the web easier. For some </summary><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/6510557424614684861/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=7185731378551246027&amp;postID=6510557424614684861' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/posts/default/6510557424614684861'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/posts/default/6510557424614684861'/><link rel='alternate' type='text/html' href='http://www.redlightsecurity.com/2008/03/privacy-on-web-part-4-how-to-hide-from.html' title='Privacy on the Web, Part 4: How to Hide from Web Beacons'/><author><name>Steven McElwee</name><uri>http://www.blogger.com/profile/11941856369020054122</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='13932001650989478284'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7185731378551246027.post-7104820343030888639</id><published>2008-02-06T06:40:00.004-05:00</published><updated>2009-12-12T17:57:01.600-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Privacy'/><title type='text'>Privacy on the Web, Part 3: Analytics, Recommendations, Summarizing, and Anonymity</title><summary type='text'>Since web beacons from outsourcing companies may be able to track your every move, you may wonder what they are doing with your information. This post discusses the positive side of collecting and using this information. 
It also touches on the issue of anonymity and privacy. Analytics: If you are running a web site today, you are probably using some form of web analytics. From the multi-billion </summary><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/7104820343030888639/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=7185731378551246027&amp;postID=7104820343030888639' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/posts/default/7104820343030888639'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/posts/default/7104820343030888639'/><link rel='alternate' type='text/html' href='http://www.redlightsecurity.com/2008/02/privacy-on-web-part-3-analytics.html' title='Privacy on the Web, Part 3: Analytics, Recommendations, Summarizing, and Anonymity'/><author><name>Steven McElwee</name><uri>http://www.blogger.com/profile/11941856369020054122</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='13932001650989478284'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7185731378551246027.post-8860394597827585918</id><published>2008-02-05T06:14:00.002-05:00</published><updated>2009-12-12T17:57:40.724-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Privacy'/><title type='text'>Privacy on the Web, Part 2: How Beacons Work</title><summary type='text'>Web beacons are snippets of JavaScript or HTML that create one pixel by one pixel image requests to a different web site that collects the data. This single pixel is invisible to the viewer of the web site. 
It is usually placed just inside the closing "body" tag of the page, although some analytics companies recommend that it be placed inside the opening "body" tag to improve accuracy. There are </summary><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/8860394597827585918/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=7185731378551246027&amp;postID=8860394597827585918' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/posts/default/8860394597827585918'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/posts/default/8860394597827585918'/><link rel='alternate' type='text/html' href='http://www.redlightsecurity.com/2008/02/privacy-on-web-part-2-how-beacons-work.html' title='Privacy on the Web, Part 2: How Beacons Work'/><author><name>Steven McElwee</name><uri>http://www.blogger.com/profile/11941856369020054122</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='13932001650989478284'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7185731378551246027.post-57659467241077998</id><published>2008-02-04T05:48:00.004-05:00</published><updated>2009-12-12T17:58:19.156-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Privacy'/><title type='text'>Privacy on the Web, Part 1: The Beacons Know You</title><summary type='text'>Did you ever notice how a web site you have never visited before knows your interests enough to give you targeted advertisements? Sometimes, the ads are based on the content of the site, but other times, there appears to be no connection. 
There is an approach to collecting user information that crosses web site boundaries and maintains a history of your preferences. You may ask, how is this </summary><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/57659467241077998/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=7185731378551246027&amp;postID=57659467241077998' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/posts/default/57659467241077998'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/posts/default/57659467241077998'/><link rel='alternate' type='text/html' href='http://www.redlightsecurity.com/2008/02/privacy-on-web-part-1-beacons-know-you.html' title='Privacy on the Web, Part 1: The Beacons Know You'/><author><name>Steven McElwee</name><uri>http://www.blogger.com/profile/11941856369020054122</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='13932001650989478284'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7185731378551246027.post-1431381661840948167</id><published>2008-02-01T06:11:00.002-05:00</published><updated>2009-12-13T09:40:15.709-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security Process'/><title type='text'>Security Process Maturity: Level 5</title><summary type='text'>Security managers are often plagued by the question, “How do I make security measurable?” Since security does not produce a product or have a positive impact on the cash flow of a company, creating meaningful measurements that justify an organization's expenditure on security is challenging. 
This is where ISM3 provides a great tool for measuring security. ISM3's level five is about taking all of </summary><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/1431381661840948167/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=7185731378551246027&amp;postID=1431381661840948167' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/posts/default/1431381661840948167'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/posts/default/1431381661840948167'/><link rel='alternate' type='text/html' href='http://www.redlightsecurity.com/2008/02/security-process-maturity-level-5.html' title='Security Process Maturity: Level 5'/><author><name>Steven McElwee</name><uri>http://www.blogger.com/profile/11941856369020054122</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='13932001650989478284'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7185731378551246027.post-8279307499924822114</id><published>2008-01-31T06:30:00.002-05:00</published><updated>2009-12-13T09:40:44.939-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security Process'/><title type='text'>Security Process Maturity: Level 4</title><summary type='text'>Level four of ISM3 adds the remaining security processes in the model. This level requires the highest investment, but provides the highest level of protection against technical and internal threats. The security processes in this level are necessary if your organization operates in a highly regulated environment with information assets that are targets for attackers. 
Examples include stock </summary><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/8279307499924822114/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=7185731378551246027&amp;postID=8279307499924822114' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/posts/default/8279307499924822114'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/posts/default/8279307499924822114'/><link rel='alternate' type='text/html' href='http://www.redlightsecurity.com/2008/01/security-process-maturity-level-4.html' title='Security Process Maturity: Level 4'/><author><name>Steven McElwee</name><uri>http://www.blogger.com/profile/11941856369020054122</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='13932001650989478284'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7185731378551246027.post-228876418663443418</id><published>2008-01-30T06:18:00.002-05:00</published><updated>2009-12-13T09:42:27.135-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security Process'/><title type='text'>Security Process Maturity: Level 3</title><summary type='text'>The third level of ISM3 requires significant investment, but it provides a high level of protection against technical security threats. 
This level is important for organizations that have high security risks and many critical assets, especially externally facing applications. The jump from level two to level three does not add many processes, but the processes require more people and time </summary><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/228876418663443418/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=7185731378551246027&amp;postID=228876418663443418' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/posts/default/228876418663443418'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/posts/default/228876418663443418'/><link rel='alternate' type='text/html' href='http://www.redlightsecurity.com/2008/01/security-process-maturity-level-3.html' title='Security Process Maturity: Level 3'/><author><name>Steven McElwee</name><uri>http://www.blogger.com/profile/11941856369020054122</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='13932001650989478284'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7185731378551246027.post-3132052436203367236</id><published>2008-01-29T06:45:00.002-05:00</published><updated>2009-12-13T09:43:04.551-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security Process'/><title type='text'>Security Process Maturity: Level 2</title><summary type='text'>For most businesses, level one will not provide enough security to protect their information assets. 
If a company needs to demonstrate due care to its business partners, has many users of server-based applications, and sensitive information, it needs to move up to the security processes listed in ISM3's second level. Level two provides additional protection against technical security threats. It </summary><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/3132052436203367236/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=7185731378551246027&amp;postID=3132052436203367236' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/posts/default/3132052436203367236'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/posts/default/3132052436203367236'/><link rel='alternate' type='text/html' href='http://www.redlightsecurity.com/2008/01/security-process-maturity-level-2.html' title='Security Process Maturity: Level 2'/><author><name>Steven McElwee</name><uri>http://www.blogger.com/profile/11941856369020054122</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='13932001650989478284'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7185731378551246027.post-1082571006704931093</id><published>2008-01-28T05:45:00.002-05:00</published><updated>2009-12-13T09:44:20.042-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Security Process'/><title type='text'>Security Process Maturity: Level 1</title><summary type='text'>How mature is security in your organization? Thanks to the ISM3 Consortium, we have a framework for measuring the security maturity of any organization. ISM3 looks at security as a set of defined processes. 
Each level of maturity has its own processes. Organizations can decide how much security is enough for their type of business and ensure that the processes at that level are defined and </summary><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/1082571006704931093/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=7185731378551246027&amp;postID=1082571006704931093' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/posts/default/1082571006704931093'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/posts/default/1082571006704931093'/><link rel='alternate' type='text/html' href='http://www.redlightsecurity.com/2008/01/security-process-maturity-level-1.html' title='Security Process Maturity: Level 1'/><author><name>Steven McElwee</name><uri>http://www.blogger.com/profile/11941856369020054122</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='13932001650989478284'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7185731378551246027.post-2809301779909008042</id><published>2008-01-25T06:38:00.001-05:00</published><updated>2008-03-02T16:41:21.001-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Secure Coding Practices'/><title type='text'>Secure Coding Practices, Part 11: The Checklist</title><summary type='text'>This post wraps up the series on secure coding practices. Remember that secure coding begins with having coding standards that are communicated to software engineers. Awareness of the secure coding practices alone will help improve the security of your software applications. Next, remember that source code must be reviewed. 
This practice may be performed by software engineers, by a security </summary><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/2809301779909008042/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=7185731378551246027&amp;postID=2809301779909008042' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/posts/default/2809301779909008042'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/posts/default/2809301779909008042'/><link rel='alternate' type='text/html' href='http://www.redlightsecurity.com/2008/01/secure-coding-practices-part-11.html' title='Secure Coding Practices, Part 11: The Checklist'/><author><name>Steven McElwee</name><uri>http://www.blogger.com/profile/11941856369020054122</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='13932001650989478284'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7185731378551246027.post-1009163540635153108</id><published>2008-01-24T09:56:00.001-05:00</published><updated>2008-03-02T16:40:42.515-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Secure Coding Practices'/><title type='text'>Secure Coding Practices, Part 10: Code Quality</title><summary type='text'>Overall code quality is important for secure applications. Software bugs may create opportunities for attackers to exploit the application or gain information they should not have about system internals or even user credentials. Security professionals may not know enough about the code they review to understand what is a defect and potential vulnerability. 
Some developers also overlook coding </summary><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/1009163540635153108/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=7185731378551246027&amp;postID=1009163540635153108' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/posts/default/1009163540635153108'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/posts/default/1009163540635153108'/><link rel='alternate' type='text/html' href='http://www.redlightsecurity.com/2008/01/secure-coding-practices-part-10-code.html' title='Secure Coding Practices, Part 10: Code Quality'/><author><name>Steven McElwee</name><uri>http://www.blogger.com/profile/11941856369020054122</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='13932001650989478284'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7185731378551246027.post-7854288078782357443</id><published>2008-01-23T06:04:00.001-05:00</published><updated>2008-03-02T16:40:12.544-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='Secure Coding Practices'/><title type='text'>Secure Coding Practices, Part 9: Performance</title><summary type='text'>One of the security professional's concerns is the availability of systems. Although this may seem like the sole responsibility of the IT operations department, security assesses the risk to the availability of critical information assets. This is because attackers may not care about retrieving information or gaining access to your systems. 
They may simply want to attack your system to make it </summary><link rel='replies' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/7854288078782357443/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='https://www.blogger.com/comment.g?blogID=7185731378551246027&amp;postID=7854288078782357443' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/posts/default/7854288078782357443'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7185731378551246027/posts/default/7854288078782357443'/><link rel='alternate' type='text/html' href='http://www.redlightsecurity.com/2008/01/secure-coding-practices-part-9.html' title='Secure Coding Practices, Part 9: Performance'/><author><name>Steven McElwee</name><uri>http://www.blogger.com/profile/11941856369020054122</uri><email>noreply@blogger.com</email><gd:extendedProperty xmlns:gd='http://schemas.google.com/g/2005' name='OpenSocialUserId' value='13932001650989478284'/></author><thr:total xmlns:thr='http://purl.org/syndication/thread/1.0'>0</thr:total></entry></feed>