Jun 10 2009 2:57PM GMT
Posted by: Margaret Rouse
Security,
pen testing,
penetration testing,
ethical hacking
Most security assessments follow a structured methodology in that an initial meeting is held, an agreement is reached, and the assessment is performed. The assessment typically runs from three days to two weeks. Afterwards, a report is written and a meeting is held with the client to discuss the finding or findings.
Michael Gregg, as quoted in Ethical hacking and countermeasures: Network penetration testing intro
Today’s WhatIs.com Word of the Day is pen testing. It’s short for penetration testing, a strategy for finding security vulnerabilities.
Ironically, when I was a kid we used to play a game that involved pen testing. We called the game “spies.” A guy named Luke Reed and I would team up against our younger sisters and try to break into each other’s forts. One of the forts was a sauna and the other one was a garage, but that didn’t really matter. What mattered was doing reconnaissance to try to discover the enemy’s vulnerabilities so we could infiltrate their fort, get their valuable information (find out what they were talking about) and get out undetected. We played this game for entire summers.
If the enemy was getting too good at spying, we’d set up a pen test. Basically that meant talking Luke’s little brother into being a double-agent. He’d join our sisters’ team and pretend to be on their side so he could see how they were exploiting our own vulnerabilities and report back to us.
There was almost always a security hole. Literally. A hole between the garage and the sauna where the electrical wires ran. It let you pretty much hear everything that got said on the other side.
Ahh…the summers of youth. The times when “playing” meant “learning” and valuable life skills were being developed through intricate games filled with double-agents, treachery and lots of sneaking around between swims.
You know what Luke grew up to be?
A security director. For real. 
May 13 2009 5:36PM GMT
Posted by: Margaret Rouse
Security,
Compliance,
PCI DSS
Friday’s WhatIs.com Word of the Day is Payment Card Industry Data Security Standard, better known as PCI DSS. If you’ve ever had your debit card replaced without your asking, you’ve been affected by PCI DSS. The standard is managed by a consortium of credit card companies. David Taylor explains how (and why) merchants are hooking up to promote a new standard.
From its humble beginnings as an effort to rationalize and harmonize the Visa, MasterCard and AMEX security guidelines and turn them into a single standard, the PCI SSC continues to raise the bet by launching more and more standards to address different aspects of the payment security business: Payment application security (PA-DSS), PIN entry device security (PCI-PED), Hardware security modules (PCI HSM), Kiosk and ATM security (PCI UPT), etc.
Even though these standards are emerging through a participatory process, some merchants and vendors clearly see this game as “rigged” – run by the card networks, enforced by the card networks, with fines imposed by the card networks. The merchants and vendors may be allowed to offer advice; they are not “players” in the game. But now this could be changing.
Apr 29 2009 3:55PM GMT
Posted by: Margaret Rouse
Virtualization,
Security,
hypervisor,
botnet,
zombie army,
DMZ
Today’s WhatIs.com Word of the Day is virtual machine escape. In theory, an attacker could get access to the hypervisor (if it was misconfigured or had some other vulnerability) and use it to control all the other virtual machines on the host.
Bob Plankers explains more in What is VM Escape?:
Since the hypervisor controls the execution of all of the virtual machines, an attacker that can gain access to the hypervisor can then gain control over every other virtual machine running on the host. Because the hypervisor is between the physical hardware and the guest operating system, an attacker will then be able to circumvent security controls in place on the virtual machine.
Can you imagine the power of a zombie army that included an almost infinite number of virtual machines? An army that, once established, had the power to create new soldiers (VMs) with one click? Holy moly. Big money there.
Apr 24 2009 3:01PM GMT
Posted by: Margaret Rouse
Agile development,
enterprise risk management,
lean production,
lean management,
lean software development,
extreme programming,
kanban,
theory of constraint
A Kanban Board shows the current status of all the tasks to be done within this iteration. The tasks are represented by cards (Post-It Notes), and the statuses are presented by areas on the board separated and labeled ToDo, Doing, and Done. This Kanban Board helps the team understand how well they are doing as well as what to do next and makes the team self-directing.
Kenji Hiranabe, Visualizing Agile Projects using Kanban Boards
Today’s WhatIs.com word of the day is Theory of Constraints. It’s an approach to systems management that can be used by anyone in just about any type of management field.
Let’s say you have a very simple system where components A + B + C + D = Output. In the 1950s, the conventional American approach would be to make sure that each component in the system was optimized to its fullest so that the total output would also be optimized to its fullest. (Component A would be optimized, component B would be optimized, etc.)
The Theory of Constraints proposes that you should forget about trying to optimize each part of the system. Instead, you should look at the system holistically and identify the weakest component in the system. The weakest component — the constraint — will determine, ultimately, how successful the entire system is.
A constraint is a bottleneck. It impairs or stops throughput. Because the bottleneck ultimately rules the success of the entire system, THAT is where you should place your attention. The Theory of Constraints proposes that every working system has at least one bottleneck but no more than three (or the system wouldn’t work at all).
So the question becomes, how do you identify the bottleneck? In a manufacturing plant, you might be able to physically see the bottleneck — it might be a machine that’s backed up. But what if the system is distributed or the one you’re managing is knowledge-based? That’s where Kanban comes in.
Kanban is Japanese for “card.” In manufacturing, it’s a sign or signal in an inventory control system. As supplies are used up, new supplies are requested simply by sending a re-order Kanban card to the supply point. The new supplies are being “pulled” instead of being “pushed” a la Lucy and Ethel at the candy factory.
Agile software development teams have adopted kanban as a way to track progress and identify bottlenecks in the development process. It’s a pretty common practice to see big sticky-note charts on a wall of a project room. Now you know the name for those charts — kanban. And the part of the chart where the sticky notes are jammed up together and overlapping? That’s a visual representation of a constraint.

David J. Anderson explains how he uses kanban to identify bottlenecks and manage software engineering projects.
Apr 8 2009 5:37PM GMT
Posted by: Margaret Rouse
Security,
gap analysis
It’s important to note that the gap analysis is not a one time activity. Each organization should execute a gap analysis of its cybersecurity approximately once per year and draw upon the results to adjust cybersecurity activities to meet new regulatory or compliance requirements or simply growth of the organization and its supporting information technology infrastructure.
From the book Cyberwar, Cyberterror, Cybercrime by Julie Mehan
Today’s Word of the Day is gap analysis. I think Dr. Mehan is the only expert I’ve read who says “do a gap analysis once a year.” I love it.
Mar 24 2009 1:31PM GMT
Posted by: Margaret Rouse
ActiveX,
Malware,
Security,
IE 7,
IE 8,
Internet Explorer
Because so many ActiveX controls turn out to be malicious, Microsoft designed Internet Explorer 7 so that it displays a warning every time a site attempts to use an ActiveX control. The problem is that the casual user does not typically understand what an ActiveX control is, or what the consequences of allowing an ActiveX control to run might be.
Brien Posey, ActiveX security improves with Internet Explorer 8’s security features
Experts are predicting that there’s no end in sight for ActiveX exploits. It makes sense — because even criminals want to be cost-efficient. If you’re trying to find vulnerabilities to exploit, you want to make sure you can affect the highest number of people — and IE is still #1.
Mar 10 2009 1:20PM GMT
Posted by: Margaret Rouse
VPN,
Security,
IKE,
ISAKMP,
WAN
IKE negotiation sends and receives messages using UDP, listening on port 500. This can be a problem if you have a firewall in front of your VPN router or are trying to establish an IPsec client connection through a firewall.
Michael J. Martin, IPsec VPN router configuration: The ISAKMP policy
I wish I had read this earlier — Michael says “Remember that IKE is a protocol that supports ISAKMP — ISAKMP makes the rules, and IKE plays the game.”
If you’re thinking about implementing a VPN, be sure to read Lisa Phifer’s excellent breakdown on IPSec VPN clients. Our newest sister site also has some good resources — SearchEnterpriseWAN.com.
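Michael Martin’s point that IKE runs over UDP port 500 means a firewall in front of the VPN router shows up in that firewall’s own logs as dropped UDP/500 packets before any tunnel comes up. The following is an added example, not from the original post or from Michael Martin: it scans constructed iptables-style log lines for dropped IKE traffic and, going beyond the post, also flags NAT-T (UDP 4500) and ESP (IP protocol 50) drops, which a tunnel needs once IKE succeeds.

```python
import re
from collections import Counter

# Constructed sample firewall log lines (iptables LOG-target style); not real traffic.
SAMPLE_LOG = """\
Mar 10 13:20:01 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=UDP SPT=500 DPT=500 LEN=356
Mar 10 13:20:03 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=UDP SPT=500 DPT=500 LEN=356
Mar 10 13:20:05 fw kernel: ACCEPT IN=eth0 OUT= SRC=198.51.100.4 DST=192.0.2.10 PROTO=TCP SPT=51234 DPT=443 LEN=60
Mar 10 13:20:07 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.7 DST=192.0.2.10 PROTO=UDP SPT=4500 DPT=4500 LEN=380
Mar 10 13:20:09 fw kernel: DROP IN=eth0 OUT= SRC=203.0.113.9 DST=192.0.2.10 PROTO=50 LEN=120
"""

# Pull the verdict, endpoints, protocol and (if present) destination port from one log line.
LINE_RE = re.compile(
    r"(?P<action>DROP|ACCEPT)\b.*?SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)"
    r".*?PROTO=(?P<proto>\S+)(?:.*?DPT=(?P<dpt>\d+))?"
)

# What an IPsec tunnel needs through the firewall: IKE/ISAKMP on UDP 500 (from the post),
# plus IKE NAT-T on UDP 4500 and ESP (IP protocol 50), which go beyond the post.
IPSEC_NEEDS = {
    ("UDP", "500"): "IKE/ISAKMP",
    ("UDP", "4500"): "IKE NAT-T",
    ("50", None): "ESP",
    ("ESP", None): "ESP",
}


def blocked_ipsec(log_text):
    """Return {(src, dst, label): drop_count} for dropped packets that belong to IPsec setup."""
    counts = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("action") != "DROP":
            continue  # not a drop, or not a parsable firewall line
        key = (m.group("proto").upper(), m.group("dpt"))
        label = IPSEC_NEEDS.get(key)
        if label:
            counts[(m.group("src"), m.group("dst"), label)] += 1
    return dict(counts)


if __name__ == "__main__":
    for (src, dst, label), n in blocked_ipsec(SAMPLE_LOG).items():
        print(f"{label:10} {src} -> {dst}: {n} dropped (open this before blaming the VPN config)")
```

A repeated IKE/ISAKMP drop from the same peer pair is the signature of the firewall problem the quote describes; if UDP 500 passes but NAT-T or ESP is dropped, the negotiation succeeds and the tunnel still carries no traffic.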
Mar 5 2009 4:04AM GMT
Posted by: Margaret Rouse
Database,
RFID,
identity management
Real ID creates the largest single database about U.S. people that has ever been created. This is the people who brought you long lines at the DMV marrying the people at DHS who brought us Katrina. It’s a marriage we need to break up.
Tim Sparapani, as quoted in National ID Card Rules Unveiled
Real ID is back in the news. Secretary Janet Napolitano (Department of Homeland Security) is looking at cost effective alternatives…the most controversial of which is an “enhanced” driver’s license with RFID. It’s making big waves with privacy advocates who see the technology being used for nefarious purposes.
Feb 17 2009 1:04PM GMT
Posted by: Margaret Rouse
electronic health records,
EHR,
Privacy,
Security
The $787 billion American Recovery and Reinvestment Act that passed Congress last week allocates $19 billion to establish centrally linked health data infrastructure to contain the health information of “each American” by 2014 and to set up the new office of the “National Coordinator for Health Information Technology.”
Fred Lucas, ‘Exceptions’ in Stimulus Bill Allow Sale of Health Records
The banking industry successfully moved to electronic records. What’s really so different about health care?
For the life of me, I can’t understand what the holdup is for electronic health records. It seems like a no-brainer with a lot of components, like HIPAA already in place. Yesterday’s article in the Washington Post attempts to explain some of the issues — but as I read it, I found myself shaking my head.
I don’t buy “privacy” or “security” or even “lack of standards.” Like all things, it probably comes down to money and profit. Let’s hope Obama’s $19 billion finally gets the ball rolling.