The US utility industry has rushed to install smart meters, completely trusting the meter manufacturers to ensure they are secure, predictably without systematically analyzing the security risks involved and without verifying the vendor's efforts were effective against known threats. -- Alan Paller, Director of Research for the SANS Institute
Src: SANS NewsBites Vol 12 Num 25
QOTD - Paller on Smart Meters
QOTD on Security
The days of security for security's sake are past. -- Jonathan Gossels, President and CEO of SystemExperts
Src: Economic recovery strategies for information security professionals - Information Security Magazine
QOTD on Safe Online Banking
If you are using online banking you should be using a hardened system that is not used for anything else but online banking. -- Jay McLaughlin, CIO CNL Bank
Src: Can Ubuntu save online banking? - Computerworld Blogs
QOTD on Tracking
If you don't know what you have and where it is, then how can you put the proper security controls in place to protect it? And what do you tell management when they ask what was on the CFO's laptop when he left it in the taxi? -- Kelly Jackson Higgins
Src: Tech Insight: Make The Secure Path Easy For Users - DarkReading
QOTD - FBI on Cybercrime
If we fail to act, the cyber threat can be an existential threat, meaning it can challenge our country's very existence, or significantly alter our nation's potential. I am convinced that given enough time, motivation and funding, a determined adversary will always -- always -- be able to penetrate a targeted system. -- Steven Chabinsky, Deputy Assistant FBI Director
Note: emphasis mine.
Src: FBI Underboss Says Cyber Criminals the New Mafia - www.esecurityplanet.com
QOTD on Security
Whenever information security is mentioned within most organisations there is a collective groan; the board don't want to engage, staff don't want to be encumbered and the IT department sometimes lack the guidance to implement anything effective.
Src: Security On A Shoestring | Business Computing World
[...]
To be attractive, security needs to be cheap to implement, validate, verify and maintain. But cheap must never mean sub-standard and this is the point at which the balance must be struck. -- Martyn Smith
QOTD e-Records & Malware
So the malware sits on the doctor's laptop, waits for him to log in ... and the malware is reading the data at the same time the doctor is. They [hackers] did not need to log in on your behalf. They did not need to crack passwords. They did not need to go to the hard drive and decrypt the data. They sat in the middle of the application. -- Dr. Taher Elgamal, CSO at Axway, was key in the development of SSL at Netscape
Src: As health data goes digital, security risks grow - BusinessWeek
Infosec Spotlight - OWASP
A quick post to encourage information security minded people to check out events and news from your local OWASP chapter; OWASP has locations in 160 different cities. OWASP "is a 501c3 not-for-profit worldwide charitable organization focused on improving the security of application software." OWASP meetings are usually free, but often feature state of the art content. I have been to several in the Twin Cities area and have not been disappointed.
Whether you're a student, a government employee, a consultant, or work in the private sector, if web application security is in your scope, you ought to get involved with your local OWASP chapter or at least attend some of their events.
Link: OWASP Website
Link: OWASP Newsletters - OWASP
QOTD on Security
If human intelligence can create technology, it can also devise a way to defeat it.
Src: SIGNAL - AFCEA's International Journal
QOTD on Beta Privacy
Unlike a lot of tech products, consumer privacy cannot be run in beta. -- Ms. Pamela Jones Harbour, outgoing Federal Trade Commissioner
Src: Google Buzz Exemplifies Privacy Problems, FTC Commissioner Says - Digits - WSJ
QOTD on Social Networks
We have no choice but to think of cyberspace as the real world now. It's all become too intertwined to think of it as anything else. If you avoid dark alleys at night in the real world, you should avoid dark alleys online. -- Bill Brenner, Senior Editor, CSOonline.com
Src: Tweeps and Facebook Friends, Let's Smarten Up - CSO Online - Security and Risk
QOTD on Complacent Security
We need to combat the complacency that sometimes prevails in our industry, the way that things have always been done may no longer be the *right* way to do things. Just because your incumbent security system tells you everything is rosy, it doesn't mean you're clean, as many corporations are discovering to their cost. -- Rik Ferguson, spokesman for Trend Micro
Src: Malice in Wonderland | CIO.co.uk
QOTD on Privacy
The fact that you can be auctioned off in 12 milliseconds or less just illustrates how privacy in this country has rapidly eroded. -- Jeffrey Chester, executive director of the Center for Digital Democracy.
Src: Advertising - Instant Ads Set the Pace on the Web - NYTimes.com
QOTD by Schneier
Security systems that are good enough to protect cheap commodities from being stolen are suddenly ineffective once the price of those commodities rises high enough. Application security systems, designed for locally owned networks, are expected to work even when the application is moved to a cloud computing environment. -- Bruce Schneier is Chief Security Technology Officer at BT
Src: Security and Function Creep | Schneier.com
QOTD by Paller
There is reasonably good evidence that nation-states have been taking remote control of computers and power companies for years. If you were a country that might have to go to war with another country, you would put spies in place to map the power systems, identify the weaknesses, and pre-place weapons so that if and when you go to war, you are prepared to do real damage. -- Alan Paller, Director of Research at the SANS Institute
Src: Critical condition: Utility infrastructure - SC Magazine US
QOTD - Schneier on Function Creep
Far too often we build security for one purpose, only to find it being used for another purpose -- one it wasn't suited for in the first place. And then the security system has to play catch-up.
Src: Security and Function Creep | Schneier.com
[...]
Sometimes it's obvious that security systems designed for one environment won't work in another.
[...]
The real problems arise when the changes happen in the background, without any conscious thought. -- Bruce Schneier is Chief Security Technology Officer at BT
QOTD on People & Security
The human element is the largest security risk in any organization. Most security incidents are the result of human errors and human ignorance and not malicious intent. Therefore, it is critical that significant effort is focused on education and awareness to reduce these occurrences. -- Stephen Scharf, CISO at Experian and the former CSO at Bloomberg
Note: I realize that not everyone will agree with this statement. Still, there is much we can do to get people to think before they click.
Src: Weakest link: End-user education - SC Magazine US
QOTD - Mueller on Cats & Mice
"We are playing cat and mouse and, unfortunately, the mouse seems to be one step ahead most of the time," said Robert Mueller, Director of the FBI, regarding the threat of cyber-terrorism.
Src: AFP: Cyber-terrorism a real and growing threat: FBI
QOTD - Mueller on 1,000 cuts
If hackers made subtle, undetected changes to your code, they could have a permanent window into everything you do. Some in industry have likened this to death by 1,000 cuts. We are bleeding data, intellectual property, information, source code, bit by bit, and in some cases terabyte by terabyte. -- Robert Mueller, FBI Director (US)
Src: FBI Director: Hackers have corrupted valuable data | ComputerWorld
QOTD on Cybercrime
In the third quarter of 2009, small businesses suffered $25 million in losses due to online ACH and wire transfer fraud.
Src: FDIC: Hackers stole more than $120M in three months from small businesses
[...]
Hackers are definitely targeting higher-balance accounts, and they're looking for small businesses where controls might not be very good. -- David Nelson, an examination specialist with the FDIC.
QOTD on Cyberwar
We grew up fearing the mushroom cloud, now we should fear a roomful of hackers with their electricity and internet bills paid for by a government. -- Raimund Genes, Chief Technical Officer of Trend Micro
Src: Britain applies military thinking to the growing spectre of cyberwar - Times Online
QOTD - Infosec R&D
Without effective [information security] research we will continue to fall behind the cybercriminals. Being proactive and moving ahead is necessary for our critical infrastructure, with a combination of government, university, and industry research. -- Timothy Brown, SVP and distinguished engineer, CA Security Management
Src: RSA Conference: Cybercriminals are filling the research gap - SC Magazine US
RSA 2010 Keynotes - Dealing with Sophisticated Threats in Cyberspace without Creating Big Brother
This panel featured Quentin Hardy (moderator), National Editor, Forbes Magazine; Marc Rotenberg, Executive Director, Electronic Privacy Information Center (EPIC); Michael Chertoff, Former U.S. Secretary of Homeland Security; and, Richard Clarke, Chairman, Good Harbor Consulting.
[refresh regularly until 2pm PST for live updates from the conference floor; please note that any errors of transcription or attribution are omissions due to the nature of this live blog]
[Mr. Hardy made a slip of the tongue and talked about "this great concert" instead of "this great conference."]
Mr. Hardy discusses information security issues related to boundaries, privacy, responsibility (govt vs industry)
Discussion of "Cyber Shockwave" by Mr. Chertoff. Counterpoints by Mr. Clarke: there is little difference between attacks from governments vs organized cyber-criminals.
Mr. Clarke: 20-30 nations have cyber warfare capabilities, including the US. Hackers "are stealing anything that's worth stealing," and later said "and we can't stop them." Mr. Clarke then points out the potential of cyberspace activities to increase tensions between countries.
Mr. Rotenberg: points to the need for a debate about what we (government) can and should do. "We need to come up with solutions that are smart." Later, he said "transparency and openness is very important."
Mr. Clarke: "the problem is that the government has discredited itself in the last decade. [...] The cyber command that's being stood up is NSA." Mr. Clarke said that the NSA is "the right organization to defend the military, the wrong organization to defend the public." He then mentioned that the government should not be in the business of snooping; however, it could, via regulation, ask the private sector (tier-1 or backbone ISPs) to do it.
When Mr. Rotenberg said this could be a slippery slope (my words) that would lead to commercialization, Mr. Clarke returned that that would be a role for government, to ensure that ISPs are not simply mining packets with deep-packet inspection (DPI) for pure commercial benefit.
Mr. Clarke: "The stuff [the IT & security technology] is obviously not good enough." Points back to how ISPs can help check for malware on-the-wire, before it hits the enterprise or the home.
[...]
Mr. Clarke: "Cyber-crime is not script kiddies anymore." He then argues the need to talk to other countries specifically about information security.
Discussion about whether the US is engaging in cyber-war activities. Mr. Clarke argued that it would be foolish to think that we are not. More discussion about attribution, preparation, and response.
Mr. Clarke: "Why is the electric power grid connected to the Internet?" He then points to FERC not having enforced regulation.
Mr. Rotenberg: "Privacy ends up being the collateral damage in the cyber-war battles."
Mr. Chertoff: "We are really bad at educating people at operational security." Points to the need to take into account the way people behave (not security people, the average person).
[...]
Discussion about the cyber pearl harbor, and Mr. Clarke said that we should not wait to act until a major event happens because instead every day, we have mini pearl-harbors. Mr Clarke: "We're prosecuting a very tiny percentage of cyber-crime."
Mr. Chertoff: this is a field in which "we need to attack the problem in multiple ways simultaneously."
With respect to cyber-espionage, Mr. Clarke said "we are losing our competitive advantage."
QOTD by Scott Charney
Scott Charney, Microsoft's Corporate Vice President Trustworthy Computing (TwC), gave one of the keynotes at the RSA 2010 conference. Speaking about the need to address the advanced threats and the difficulty of attribution, he said:
We need to start to realize this and think about it in a different way, assign actors and motives when we can, and think about what to do when we can't.
Src: Microsoft's new anti-botnet strategy revealed :: SearchSecurity.com.au
[...]
The attacks are happening at light speed and we need to react in a different way.
RSA 2010 Keynotes - Howard Schmidt
Howard Schmidt, White House Cyber-Security Coordinator
Jokes about the way to "register" for RSA back in the day, using pen, paper, & fax!
Be proactive! Compares security to fire-fighting & early days of fire-departments.
"How do we make things more resistant to the attacks that we're seeing?"
"You all are the ones making the difference," he said, recognizing the important roles that all of us here at RSA play.
Schmidt mentions his work to harmonize, make efficient, and make effective security across multiple areas of government. Refers to President Obama's May 2009 speech about our need for cyber-security.
"You can be FISMA compliant and not [be] secure."
"We'll beat them [i.e. our adversaries] because we will become stronger."
RSA 2010 Keynotes - Defeating the Enemy - The road to Confidence
10AM Keynote by Enrique Salem, president and chief executive officer of Symantec
We can't control what employees say about themselves; we can try to control what they say about the company.
2010 State of Enterprise Security Report: over past 12 months, 75% of companies in survey had had a cyber attack. 100% of companies had a "cyber loss" in 2009 (e.g. internal or external).
Some of the ways hackers got in: IMs with malicious links or PDFs with malicious payloads.
[Here comes the "mobile" pitch]
2009 "Sexy Space" worm attack on the Symbian platform.
"Malicious insiders are able to embed new malware in our environments..."
Speaking about the insider threat, Salem said "ultimately, you can never be sure who you can trust."
[nice animation of galaxy-like cloud]
Patching virtual machines should be easier... patch once and all VMs should be updated.
Announcing "Data Insight" to solve data ownership problem to automatically determine data ownership, scan file shares exposed to all, and who is accessing what files.
[Video of Amazon.com CTO]
"Information will be our greatest asset."
Security is about "how do we securely manage diverse environments."
"If we work together, we can help the information economy reach its full potential."
Award for excellence in the field of Public Policy goes to: CSIS, Center for Strategic & International Studies for their work in the Commission on Cybersecurity for the 44th Presidency.
Award for excellence in the field of Mathematics presented by Ron Rivest. Award goes to: Dr. David Chaum
RSA 2010 Keynotes - Creating a Safer & More Trusted Internet
9AM Keynote by Scott Charney, Corporate Vice President, Trustworthy Computing at Microsoft
What changes in the cloud, and how end-to-end trust is affected by the cloud.
Traditional & more advanced threats. "Why is it so hard to understand the threat?"
5 issues:
1. Lot of bad actors & many different types
2. Many types of motives: espionage, cyber-warfare, predators
3. Attacks look the same, hard to figure out how to respond
4. Shared and integrated domain mingles everything into the cyber environment
5. Worst case scenarios are devastating and scary
"There are millions of botnets in computers around the world, and most of them are consumer computers."
[Slides show Waledac botnet geographic data and other diagrams from recent Microsoft report]
Microsoft used the court process, and blocked Waledac control domains.
[remove one head of the hydra and another one comes back]
Charney talks about kid & mom getting the security dialog box and clicking OK.
Analogy with smoking (personal health issue and also health issue for others around you) and internet safety (making sure that you're not polluting the Internet space around you).
Now focusing on the cloud. Was your cloud platform created with an appropriate Software Development Life Cycle that ensures security is built-in?
How will we do forensics in the cloud? Example of a hospital getting contacted by a hacker claiming to have some of the hospital's data. If this happened in the cloud, hospital may want to do its own forensics, but cloud company might not allow due to multi-tenancy issues.
Multiple IDs to avoid a national online identification database. Video of German "EID" card, to be rolled out in November 2010. Starts with in-person "proofing" (using govt issued documents), "U-Prove" technology by Microsoft. Shows a student "Erika" getting access to an online bookstore and leaving a comment "gutte Classe" (i.e. "good class") about one of her classes.
Patented crypto algorithms of "U-prove" will be released today, as well as preview code and APIs.
"The cloud has the potential to alter the balance of power between the individual and the state."
Starting with telephone (& wire taps), emails (stored records), over time, government gained more access to individual data.
RSA 2010 Keynotes - Cloud & Security Svcs
8AM keynote at RSA by Arthur Coviello, Jr., Executive Vice President of EMC and President of RSA, also joined by David Cullinane (eBay), Paul Maritz (VMware)
Comments will appear in square brackets throughout the post. Refresh every few minutes to get updates.
[I feel like I'm in a movie theater, just no 3D glasses]
[Movie narrator: ]When we join forces, we are stronger, smarter, than alone, and that's why we come together each year.
[Now the go-go girls, dancing to "walk like an Egyptian"]
RSA Lifetime achievement award being presented to: Whit Diffie
Art Coviello, Jr., Executive Vice President of EMC and President of RSA:
"Because cloud computing represents a challenge as well as an opportunity, we have to be careful, we don't end up in hell."
Analogy between being blind and not being able to enjoy the benefits of the Gutenberg printing press. Then came Braille. In security, we have a similar opportunity to ensure that companies can reap the benefits of cloud computing.
CIO study: 51% [only 51%??] cited security as the biggest concern about adoption of the cloud.
"People must everywhere be able to trust the cloud, even if they, literally and metaphorically, can't see it."
Focus on basics: People, Processes, & Technology
"Convergence of roles [due to cloud] will bring new challenges."
Video of Paul Maritz, CEO of VMware
Coviello describes four stages of going to the cloud:
1. Moving non-critical assets
2. Virtual enterprise
3. Enterprise develops internal clouds
4. Enterprise outsource their infrastructure... hybrid clouds
["GRC," "dashboard," and "compliance" used in the same sentence]
Discussion of co-tenancy issues, example of Coke vs Pepsi running VMs on same machine.
Goals for the cloud:
Gain visibility
Assess Security
Establish Trust
Prove Compliance
Video of David Cullinane, CISO of eBay
Coviello: "The cloud will turn the way we deliver security inside out."
Consider the evolution of currency systems
Barter -> Coins -> Paper currency -> Credit Cards & bonds/stocks
"Cloud computing will indeed complete the transformation of IT infrastructures unleashed by the Internet."
Excellence in the field of Security Practices award goes to: Malcolm Harkins (Intel)
QOTD on People vs Security
There's no virus protection for stupid. -- Rodney Joffe, senior technologist at Neustar & director of the Conficker Working Group
Src: Trojans produced by criminal gangs are on the warpath - SC Magazine UK
QOTD - Spaf on InfoSec R&D Funding
Security is an ongoing effort against those who make continuing attacks against us, in a domain where innovation and change have been accelerating. We cannot hope to succeed if we take small steps, fail to provide continuous emphasis, and focus solely on finding cheap solutions to problems in 60-90 days; our adversaries are not acting this way, and we are already behind in several important areas.
Src: http://transfer.spaf.us/is-prop.pdf
[...]
It has been repeatedly noted in reports, testimony, and community gatherings that current cyber-security research is largely incremental. This evolutionary rather than revolutionary approach has prevented true leaps ahead in the technology. Thus, we continue to deal with legacy issues such as computer viruses and buffer overflows on a seemingly endless basis.
-- Dr. Eugene Spafford, Two Proposals on Cyber Security Research