Wednesday, December 31, 2008

Happy 2009

In what will most likely be my last posting for 2008, here is a bit of advice for all.

I read somewhere that news is never really all that useful. It's interesting. But it's not useful. The stuff that you need to know about to go about your daily life is not going to make news.

To get some more perspective on this, I highly recommend that you visit The Onion online newspaper and browse a bit, especially the "Area" reports. (It is humour and is intended for 18+)

One of the interesting news stories of 2008 that I can think of is the Dan Kaminsky DNS issue that made headlines for all sorts of reasons. DLP made headlines. TJX made headlines.

What is more interesting is what didn't.

Here are some bits of news that you won't see:

"Company patches all servers"
"Awareness given at Company. Stronger passwords result"
"Good user management led to less options for Hackers"
"Antivirus update led to viruses being blocked"

What did make the headlines today (thanks to Amrit and Dominic for alerting me to this... everyone will be talking about it soon) is the collision attack on MD5-signed certificates that makes trusting web certificates less of a good idea. The information is here, but this is a big deal so expect this to make the news.

The thing is that this yields big rewards for the hackers but is also a lot of work. Social engineering methods such as bogus email, phishing, fake antivirus etc. are so much easier to do and have big enough rewards as it is. So too do worms and the like that attack old vulnerabilities that should already have been patched.
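The practical check that follows from this news, as an added example that is not part of the original post: scan a PEM bundle for certificates that are still signed with MD5. The code walks the DER structure of each certificate only far enough to read the signatureAlgorithm OID, so it needs no third-party library. The two certificates in the sample bundle are constructed DER skeletons with the right outer shape (placeholder TBS and signature), not real certificates, and the helper names are my own.

```python
"""Audit a PEM bundle for certificates signed with MD5 (added example)."""
import base64
import re

# Algorithm identifiers from PKCS#1 / RFC 3279, in dotted form
MD2_RSA = "1.2.840.113549.1.1.2"
MD5_RSA = "1.2.840.113549.1.1.4"
SHA1_RSA = "1.2.840.113549.1.1.5"
SHA256_RSA = "1.2.840.113549.1.1.11"
WEAK = {MD2_RSA: "md2WithRSAEncryption", MD5_RSA: "md5WithRSAEncryption"}

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the DER element at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def decode_oid(content):
    """DER OID content octets -> dotted string."""
    arcs = [content[0] // 40, content[0] % 40]
    value = 0
    for byte in content[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                 # last byte of this arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def signature_algorithm_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signature }.
    Skip the TBS and read the OID inside the AlgorithmIdentifier."""
    tag, start, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("certificate is not a DER SEQUENCE")
    tag, _, tbs_end = read_tlv(der, start)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, alg_start, _ = read_tlv(der, tbs_end)
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_start, oid_end = read_tlv(der, alg_start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return decode_oid(der[oid_start:oid_end])


def audit_pem_bundle(pem_text):
    """Return [(index, oid, verdict)] for every certificate in the bundle."""
    results = []
    for i, body in enumerate(PEM_RE.findall(pem_text)):
        der = base64.b64decode("".join(body.split()))
        oid = signature_algorithm_oid(der)
        results.append((i, oid, WEAK.get(oid, "ok")))
    return results


# --- constructed sample input (not real certificates) ----------------------

def tlv(tag, content):
    """DER encode one element; handles the long-form length."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    length = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + content


def encode_oid(dotted):
    """Dotted OID string -> DER content octets (base-128, high bit = continue)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return out


def skeleton_cert(alg_oid):
    """Outer shape of a certificate with a placeholder TBS and signature."""
    tbs = tlv(0x30, tlv(0x02, b"\x01"))                            # stand-in tbsCertificate
    alg = tlv(0x30, tlv(0x06, encode_oid(alg_oid)) + b"\x05\x00")  # OID + NULL params
    sig = tlv(0x03, b"\x00" + b"\xAA" * 128)                       # stand-in BIT STRING
    return tlv(0x30, tbs + alg + sig)


def to_pem(der):
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")


SAMPLE_BUNDLE = to_pem(skeleton_cert(MD5_RSA)) + to_pem(skeleton_cert(SHA256_RSA))

if __name__ == "__main__":
    for index, oid, verdict in audit_pem_bundle(SAMPLE_BUNDLE):
        print(f"cert {index}: {oid} -> {verdict}")
```

To run it against a real bundle, read the file into audit_pem_bundle; any certificate reporting md5WithRSAEncryption (or md2) anywhere in a chain is the kind the collision result makes untrustworthy, whatever the rest of the chain looks like.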

My thought for the year is this:

Hackers are mostly successful by exploiting the boring holes and really do not have to work hard at all. By using tools that are already available such as firewalls, IPS and antivirus, and doing the boring bits such as choosing strong passwords, applying patches, updating antivirus patterns and being aware of which mails we should not open, we win 90% of the battle already.

I think next year will be very very interesting for us. I hope everyone reading this has a great 2009!

Tuesday, December 23, 2008

Merry Christmas, Happy Hanukkah, etc

In typical Security Thoughts style, here is an Information Security story that relates to the holidays.

It seems that, in Germany, a company sent a Stollen, which is a traditional German Christmas cake, to a newspaper via a courier company. Two subcontractors decided that they wanted the cake, so they took it and replaced it with another parcel.

This parcel just happened to be confidential data with banking transaction details and it managed to find its way to the newspaper in place of the cake. Obviously, the newspaper was happy with their Christmas present and printed the story. The bank was not so happy.

I think that the theme for 2009 will be "Third Party Security" but in the meantime I wish you all a pleasant holiday and please be responsible if you decide to have a drink or two.

Friday, December 19, 2008

Egg on face

In the interests of showing the world that I am not perfect, I just had to Blog about this incident.

I sent an email with an attachment out to the wrong person. It's the classic case of autocomplete messing up - typing a few letters and recognising the person's first name. Click send, then realise your mistake when the wrong Jason (it wasn't Jason in this case...) sends back an email asking "huh?!"

It's one type of "oops" that DLP is supposed to prevent.

The interesting part of it all was that the email went out (of all the people in the world) to the sales rep I've been dealing with who has been trying to sell me DLP...

I guess this just makes it more difficult to say "no".

Wednesday, December 17, 2008

Automatic Networks (Part 1)

If you are like me and like to know how the future of IT will impact Information Security then one Blog that you have to read is Rational Survivability by Chris Hoff.

He has a rather "interesting" writing style but his content is amazing. He is a strong voice of reason on how Virtualization, Cloud Computing and the rest of the new buzzwords can seriously impact Information Security unless controls are built in.

His latest post is about a new concept where the latency of network flows is measured. If a Service is suffering from latency then the Virtual Machine that the Service runs on is moved closer to the User of the Service. Latency is gone. It is an interesting concept and obviously has Security implications, which Chris goes into.

I pretty much agree with most of the post but I would like to introduce a new angle on it:

In my last post I introduced a concept that I gave a lot of names. The one I liked the most is Context Sensitive Information Protection (CSIP). I didn't invent the idea but I think I outline it quite nicely in that post. Basically the concept is that everything on the network is aware of what Information is being accessed and acts accordingly. Add this to the concept in Chris's post and your solution becomes secure again.

I think I need to come up with an example. Watch this space.

Friday, December 12, 2008

The future of DLP (DLP is dead, long live DLP)

DLP is made up of two main parts - the "knowing" part and the "watching/blocking" part.

The "knowing" part is built up over time and is generally an understanding of what a piece of information is. Generally, the systems look at a document and label it but it is becoming apparent that the meta-information is also very important. Who is sending it, where is it going, why would someone be using documents at midnight, etc etc.

In an earlier post of mine I wrote that what we now know as Information-centric Security (and I fully support this) will develop into what I called "Process-centric Security". I think I'm going to trademark BCS (also Business-process protection (BPP) and Business Process Security (BPS) and Context Sensitive Information Protection (CSIP)). This is the ability for some system (let's call it DLP) to know what is happening to a document and why.

DLP as we know it today then takes this information and implements some action - block, report, log, etc. - based on whether the person is allowed to perform the action or not.

Recent developments in the DLP world (see Dominic's comment and the Securosis comment) have changed this for the better. Now, DLP does the first bit ("knowing") and passes on the second bit ("blocking") to another tool - a DRM tool. The blocking bit can be done by all sorts of systems and this is where it gets interesting - set up the switch to block, the firewall to block, the mail server to block (and send a "sorry but..." mail), the IPS to block, the PC to block, the application to block, and so on. Essentially everything can be set to block access to some sort of functionality for documents based on what the DLP Server tells them to do.

Further, all these systems can be set to inform the DLP System what is happening too.

Your network and everything on it becomes aware of how the business works and helps it along, preventing what shouldn't be happening.

The box that makes the ultimate decisions and keeps the database of "good" processes (call this the DLP brain) will not go away. The part of the DLP that enforces and monitors will become part of the network infrastructure and will become a feature of everything from switches to software applications.

DLP as we know it today as a product and fully enclosed system will die off and DLP as a ubiquitous system with tentacles into everything will be born.



My Blog runs on Blogspot which is a free service but I am currently paying for my homepage and assorted other internet services.

These come to about R200 ($20) a month and I figured that I'd use my blog to generate some of that.

So, I have added an advert at the bottom of this Blog. I hope it is out of the way enough that it doesn't distract from the Blog message. I may add an advert along the side of the Blog too.

Hopefully these will bring in some money to make my online life a little cheaper. I hope no one feels offended and I'd love to have no advertising but it seems that I need to sell out to The Man.

Tuesday, December 9, 2008

DLP is dead. (Not yet, but soon)

Ever since Richard Stiennon came out with his "IDS is dead", he started a trend, which even he subscribes to, of declaring any big technology to be dead. I really believe though that Information Security products go through a cycle.

I was explaining this cycle to Dominic White a couple of weeks back and we were rudely interrupted by the meeting that we were in fact attending. Had I managed to finish then maybe he would be able to answer the question he asks on his blog. (This is also assuming that he agrees with me, which is not a foregone conclusion.)

The first part of any Information Technology solution is to slide the technology in, causing the least pain for users and fixing the most problems.

Example - Firewalls back in the old days were open by default and as problems were detected, the Admin would close ports and fix routes until the problems were gone. I call this Generation 1. This worked fine until the admin work was too much and firewalls started being configured closed by default and opened as needed (Generation 2). I think that the third generation of this is "closed by default, opened for business reasons". We may think we are there but we are not really.

If you use a tool like websense or surfcontrol to control web browsing then you'll be at Generation 1 for browsing. Antivirus is Generation 1. Email is Generation 1.

I believe that we will see a jump to Generation 3 for all of these tools but the uptake will be very slow.

Generation 3 is where every action that someone takes has a strict business reason. A user sends an order to a supplier. The email system knows who the user is and whether they should be ordering something or not. Based on that - the email goes through.

Does this sound like some sort of workflow application? Bingo!

Now, consider DLP and DRM...
DLP is Generation 1 - allow everything and block bad things from happening. DRM is there too - let your staff decide what restrictions to put on? Doesn't work. Put them together and you get closer to Generation 2 (assuming that you are pretty tough with your DLP rules - otherwise, why waste your time?). Generation 3 is where things get interesting - Dave in finance creates a document and labels it "financial results". Workflows are built up automatically around the document and are enforced as such:

The file server is configured to allow only Finance people to access the document. Auditors can open the document but make no changes. The firewall will not allow the document out of the organisation; the mail server will not allow the document to be sent out. The antivirus (horrible word - very Generation 1.. let's use "application handler" for Gen 2+) will only allow certain programs like Excel to access the document. Anything else is blocked and an alert is fired up.

At a certain date the document is "allowed" to be sent to the communications department who can't make any changes.
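As an added example (not code from this post or the December 12 one), here is the split described in the December 12 post, a "knowing" step and a "blocking" step, together with the Generation 3 workflow above, as one small policy engine. The knowing step labels a document from its declared label or its content; the deciding step combines the label with who is acting, what they are doing, where it is going, when, and with which program, and returns the verdict an enforcement point (file server, mail server, endpoint agent) should apply. The departments, rule set, office hours, approved programs and sample documents are all constructed for illustration.

```python
"""Context-sensitive document policy: label first, then decide (added example)."""
import re
from dataclasses import dataclass
from datetime import datetime, time
from typing import Optional

# ---- "knowing": label the document -------------------------------------------

SENSITIVE = {"financial-results", "cardholder-data"}
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")   # 13-19 digits, spaces/dashes allowed


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out most random digit runs (order and phone numbers)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        n = int(ch)
        if i % 2 == 1:
            n = n * 2 - 9 if n > 4 else n * 2
        total += n
    return total % 10 == 0


def classify(text: str, declared_label: Optional[str] = None) -> str:
    """A label the author set wins; otherwise infer one from the content."""
    if declared_label:
        return declared_label.strip().lower().replace(" ", "-")
    for match in CARD_RE.finditer(text):
        if luhn_ok(re.sub(r"[ -]", "", match.group())):
            return "cardholder-data"
    if re.search(r"\bfinancial results\b", text, re.IGNORECASE):
        return "financial-results"
    return "unclassified"


# ---- "deciding": combine the label with context -------------------------------

@dataclass
class Context:
    user: str
    department: str
    action: str                         # read | write | send | open-with
    when: datetime
    destination: Optional[str] = None   # "internal" / "external" for send
    program: Optional[str] = None       # for open-with
    embargo_lifted: bool = False        # the "certain date" in the post


OFFICE_HOURS = (time(7, 0), time(19, 0))
APPROVED_HANDLERS = {"financial-results": {"excel.exe"}}


def in_office_hours(when: datetime) -> bool:
    return OFFICE_HOURS[0] <= when.time() < OFFICE_HOURS[1]


def decide(label: str, ctx: Context):
    """Return (verdict, reason), verdict in {"allow", "alert", "block"}.

    Order matters: egress rules first, then per-label business rules (deny
    unless a rule matches), then context that turns an allow into an alert."""
    if ctx.action == "send" and ctx.destination == "external" and label in SENSITIVE:
        return "block", f"{label} may not leave the organisation"

    if label == "financial-results":
        if ctx.action == "open-with":
            if ctx.program not in APPROVED_HANDLERS[label]:
                return "alert", f"{ctx.program} is not an approved handler"
        else:
            allowed = (
                ctx.department == "finance"                                   # full access
                or (ctx.department == "audit" and ctx.action == "read")       # read-only
                or (ctx.department == "communications" and ctx.action == "read"
                    and ctx.embargo_lifted)                                   # after the date
            )
            if not allowed:
                return "block", f"{ctx.department} has no business reason to {ctx.action}"
    elif label == "cardholder-data":
        if ctx.department != "payments" or ctx.action not in {"read", "write"}:
            return "block", "cardholder data is restricted to payments"
    # "unclassified" falls through: allowed, nothing to escalate

    if label in SENSITIVE and not in_office_hours(ctx.when):
        return "alert", "sensitive document touched outside office hours"
    return "allow", "business rule matched"


def evaluate(text: str, ctx: Context, declared_label: Optional[str] = None):
    """The one call an enforcement point makes: label the document, then decide."""
    label = classify(text, declared_label)
    verdict, reason = decide(label, ctx)
    return label, verdict, reason


# ---- constructed scenarios (not real data) ------------------------------------

NOON = datetime(2009, 1, 15, 12, 0)
SMALL_HOURS = datetime(2009, 1, 15, 2, 30)
RESULTS_DOC = "Q4 figures, draft"                   # labelled by its author below
CARD_EMAIL = "Card on file: 4111 1111 1111 1111"    # Luhn-valid test number

if __name__ == "__main__":
    cases = [
        (RESULTS_DOC, Context("dave", "finance", "write", NOON), "financial results"),
        (RESULTS_DOC, Context("ann", "audit", "write", NOON), "financial results"),
        (RESULTS_DOC, Context("dave", "finance", "read", SMALL_HOURS), "financial results"),
        (CARD_EMAIL, Context("bob", "sales", "send", NOON, destination="external"), None),
    ]
    for text, ctx, label in cases:
        print(ctx.user, ctx.action, evaluate(text, ctx, label))
```

The shape is the point: the label is computed once, the same decide() runs wherever enforcement happens, and anything without a matching business rule is denied rather than allowed, which is the Generation 2 to 3 step described above. Content scanning is kept deliberately simple (one Luhn-checked card pattern and one keyword) so that the declared label does most of the work.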

You may have a DLP box watching what is happening. You'll certainly have a box with policies and workflows on it (I have a feeling Microsoft want to control this) but everything from smartphones, routers, switches, mail servers, PCs, programs, databases will be "process-aware".

DLP will become part of the "defense in depth" solution but everything will have content protection built in. Welcome to the future.

Thursday, December 4, 2008

What if the cloud is MORE secure?

My job usually involves the normal, boring day to day security stuff and so I don't want to bore my readers (both of them) and give away company secrets. So, I like to stay ahead of the game and blog about what the future holds.

I honestly still think that the past is where we are heading (see my earliest posts). Actually, I think that the future will be summed up thus: "New exciting technologies; good, old-fashioned security".

Some of my most valuable sources are Gartner, Securosis and Rational Survivability. They don't all agree but I use the best of each to make up my own mind.

One technology that all of them have touched on is "Cloud Computing".

This is a lovely concept which has no formal definition. Essentially, it seems to be this: you take all your systems and send them out somewhere to some company who will then host the systems for you. By "systems", I mean applications or technical functions.

The level of control that you have is very variable too but I think that one of the benefits of cloud computing is that you give up having to worry about the nuts and bolts and focus on the benefits. This is wonderful but it can also be a curse - you lose control of your processes and the protection of your data.

For a company that makes widgets, not having to take care of a data center is excellent. And you get to leverage best practices in that you use experts in their own fields to manage your IT. So, you use a dedicated mail place (like GMail or Hotmail), a dedicated storage place, a dedicated CRM place, etc.

Those places can use economies of scale so that it gets cheaper the more people who use their services.

Everyone wins. Especially nowadays, when CIOs (at the request of CFOs) are looking to bring their costs down.

The main issue is one of Security. Although, connectivity could be an issue as well. (Your link goes down and you are at the southern most tip of Africa and your presentation is on the other end of a broken link, in North America.. the CEO is waiting..)

But back to Security.

Obviously a company that holds private information for a number of companies would be a target for online criminals so you'd be giving your information to a company that is a target. More than that - you still hold the risk if the information is leaked but you lose the control of knowing where the information is at any one time or what is happening with it. You really only have the company's assurance that they will take good care of your information for you.

It seems that a great number of Cloud providers are very vague about what security measures they have in place. There is one that stands out for me though - BoardVantage. I don't use their service (or have anything to do with them really) and have no idea how secure they are but they certainly claim to be very secure - they detail what their controls are and they have had a SAS 70 Type II audit done.

Assuming that they do everything that they say that they do - they are streets ahead of most corporate networks. Going by Verizon's breach report - most companies are breached by methods that are very simple and through vulnerabilities whose patches are very old. So, it may be more secure to use this company than to keep the information on your own network.

PS. I know that there is no one Cloud but as things stand at the moment most "clouds" are really walled gardens (confused yet) and so each provider takes care of their own part of "the cloud".

The answer is that you would have to really consider using a "cloud provider" instead of dismissing them out of hand. And if all major "cloud providers" became more secure then security would not be something holding this idea back but could be a good reason to investigate using the cloud.

Monday, December 1, 2008

The "A"

Information Security sits in a strange area somewhere between Business and IT in a little space that really hasn't been properly defined. It is exciting here.

Generally, most people in Information Security today did not start out as pure Information Security people, they evolved. And where they evolved from gives one a clue as to their mindset and how they see themselves.

Some come from an Audit background and you'll recognise these guys from their love of lists and frameworks - they dream of Cobit controls and little boxes that are waiting for ticks. Somehow they have tons of documentation and they know it all and can find it all. They generally drive Volvos and like order.

But most InfoSec guys come from an IT background and it shows. I guess that, having said that, most hackers come from an IT background too. And it shows.

Now, lets consider the C-I-A triangle thingum. Quick lesson for those who don't know it - there are three aspects of information that Information Security wishes to preserve - the Confidentiality, the Integrity and the Availability. From my experience, most IT people are governed by Availability - the "A". In fact, when an IT contract is drawn up - there is no SLI or SLC but there will always be an SLA. With very specific terms, measurements and penalties.

If the Firewall crashes and has to be rebuilt. What will the IT manager be most interested in? The A - how fast can you get the traffic moving again?

So we have tools to measure uptime in 99.999999999999999s and such and anything that can cause network downtime (or if the network is up and the services such as mail are down - same difference) is taken care of. Spam, worms, viruses etc.

I guess that hackers (those that define what we do) are also IT background people. They seem to be more concerned with big-bang, widely deployed DoS attacks and stealing IT resources. At least, they used to be, until they discovered that they could make money from stealing information. Actually, I may be naive but I don't believe that the hackers we have today are the same as those we had in the past... I believe that we have a new generation of hackers - criminals who merely use the Internet to steal money because that is where the money is easiest to steal.

The problem is that we were lucky in a way that our old tools worked against the threats that we had - firewalls, antiviruses, etc etc. They don't work against people breaking into our networks and stealing information. For that we need a new generation of Information Security people (or the old generation to update their game)...

Here is a quick poll to see which generation you are in:

1. What is the one piece of information on your network that your competitors would love to see?
2. What is the percentage of mails coming into your network that are spam?
3. What mail is going to competitors?
4. What is the process for someone to order a pencil?
5. What is a blog?
6. Who in your organisation uses facebook for business?
7. How many of your PCs have up-to-date antivirus?
8. What is the worst virus out at the moment?
9. Do you believe that your Firewall is configured correctly?

The answers are as follows:
1. This is ESSENTIAL to know if you want to be in the next generation. And you can't guess this. You may think that it is something financial but most financial information can be guessed by your competitors anyhow. You may think it is a recipe or special way of doing something but any established company has had their recipe ripped off anyhow and can beat any new competitor by competitive pricing. It may be new product information. It may be staff information. It may be the CEO's contact list. Don't guess - find out.

2. Who cares? Certainly not the CEO. Maybe the CIO. "We are saving you x amount of bandwidth and your users x amount of time" is nice but won't save the business from closing down due to data loss. Operationalise this and get on with your job.

3. Good to know. I'm sure that if you told your CEO/CIO "Last week we detected 5 large emails going to our competitors from inside our R&D department" you'd have his full attention.

4. Good to know. Who does the ordering? Who does the okaying? Who does the paying? If you know all of this then you know how business works. And when things go wrong - you'll be able to help.

5. And do you want your staff to use them? And if they do, what can they put on them? What are they putting on them?

6. This is an interesting question because Facebook is usually an issue of "The A" (productivity). But it can be an issue of C and I.

7. Who cares? Again, this is an operational issue. Viruses that jump onto your radar are usually ones that attack "the A" but it's the ones that are pushing information out of your organisation that are sneaky enough not to have signatures and not to be discovered. You will have PCs without up-to-date antivirus and you will have viruses. The trick is not to let your information be stolen by viruses. Also, keep backups so if a PC does get wiped out - you can get the information back again (but this is an operational issue again).

8. Trick question - the answer is - the one you don't know about. Old generation InfoSec guys can rattle off the names of viruses that are all in the top 10 at the moment.. New generation viruses are targeted and usually do their worst before a pattern is out.

9. Old generation answer - yes. New generation answer - who cares? Information flows all over, including in and out of the Firewall. Firewalls also usually rely on port-based rules but nearly everything runs over port 80 anyhow, so the Firewall should be configured but it doesn't keep us safe - more work needs to be done for that.

I find that it is not very easy to move from old generation to new generation InfoSec. The main difference is that old generation was very technical and appealed to the technical nature of computer geeks. The new generation is business oriented and requires more interaction with people, more meetings, more time with people. Ouch.

There will always be a place for technical people in Information Security but as the tools mature and "just work" there is less demand. And a background in technology is very useful when the technical guys try to "BS" you.

And "the A" is very important too. Protecting your network from being brought down. Protecting information from disappearing. Stopping viruses. Etc. But the new generation will need to consider "the I" and "the C" as well because the attacks against these and the importance of protecting information against disclosure or manipulation will increase.

This post was done to add my voice to what Rich says so quickly and concisely in the securosis blog.

Friday, November 21, 2008

I was right!

Allen does the dance-of-I-was-right...


In my blog in July, I predicted that we would be seeing a perfect storm as cyber criminals start to see diminishing returns on PII (credit card info, mothers' maiden names and the kind of things they have been going after up until now) and thus start looking at the business information that they have been ignoring.

According to usatoday, internet thieves are making big money stealing corporate info.

"Elite cybergangs can no longer make great money stealing and selling personal identity data. Thousands of small-time, copycat data thieves have oversaturated the market, driving prices to commodity levels. Credit card account numbers that once fetched $100 or more, for instance, can be had for $10 or less, says Gunter Ollmann, chief security strategist at IBM ISS, IBM's tech security division."
As I said in my original article - the only problem with this is the establishment of a market. The cyber-criminals have established a very viable underground trading system but they now need businesses to want to dip their toes in something that is highly illegal. It seems this is happening.

The scary thing is how much information is actually being pulled out of the organisation. The criminals are literally dumping everyone's My Documents directory with no real aim to a storage facility outside of the organisation and yet the companies are not aware of this.

My advice? Take measures now while the enemy are just getting established. How you manage to protect your employees' and customers' PII will determine how well you survive the next part of the battle - your company secrets.

Also, don't be tempted to get information on your competitors from shady people. They may just be doing the same thing to you.

PS1: (PII = personally identifiable information - anything that can be linked to a person and is usually stuff you don't want the public to know like your credit card details, address, salary, health, etc)

PS2: Thank you to TaoSecurity for the story. Read

Friday, November 14, 2008

Talking Engagement

So, it finally happened. I was invited to talk at an Information Security Conference and I went and talked.

My talk was about the risks of information leaving the organisation but I decided to add in the risks of information not leaving the organisation.

This may sound counterproductive but in these tough times your IT department should really be looking at using services such as GMail, your Marketing department should be looking at using Facebook, Twitter, Blogs etc. Your HR department should be looking through LinkedIn for new staff.

If your Security Department is too tough on information leaving the organisation then you are missing out on opportunities. Of course, if you are too lax then information will make its way out and that can't be good for the company either.

Information Classification is key. As is awareness.

My speech was very well received, achieving over 8/10 for the different areas and I have been invited back to speak again.

I must admit that my speech was aimed at business decision makers and not technical people and yet the people who showed up were more technical people. There are very few companies in South Africa (with my employer being a noted exception) that treat Information Security as a business issue and not (only) a technical issue.

I'm not really one to toot my own horn but I wrote this blog entry to thank a number of people who made my speech possible.

Firstly thank you to the two blogs that I feel are on the forefront of Information-centric Security - Securosis and Rational Survivability. I used some material from both sites and some that was sent to me by Richard Mogull from Securosis.

I used some speaking tips that I got from Presentation Zen so I didn't put everyone to sleep (even though my speech was at the danger time of 3:30pm when everyone is tired and wants to go home) and I used some (free!) graphics from Stock Exchange.

When I was preparing for the speech, I revisited some of my old Blog posts which I think I need to repost as I have some more ideas about them.

Friday, October 31, 2008

Happy (Belated) First Birthday!

.... to my ADSL application.

Last year in October a salesperson at Telkom phoned to let me know that my phone exchange supports ADSL and do I want to upgrade my line to have ADSL?

I did the maths and worked out that it would be cheaper for me to have ADSL and have the benefit of always-on access to the Internet.

So, I applied and a few days later my application was processed and I had an application number. It all got to the point where I had the modem connected and ready when a technical person at the exchange noticed that "no, the exchange is potentially ready for ADSL but was not, in fact, ready."

"But, good news, there is a project to upgrade the exchange to be ADSL capable. It should be done by latest end of December 2007."

That became end of January, end of February, end of April... then it jumped to end of June.

Now it is scheduled to be completed by the end of April 2009.

The way things are looking - I'll probably be celebrating the second birthday of my ADSL application this time next year... many happy returns.

Friday, October 10, 2008

Symantec's vision...

And so it begins...

Symantec bought out MessageLabs and is (in their own words) "combining MessageLabs’ deep expertise in the SaaS market with Symantec’s rich portfolio of technologies".

The interesting thing is that Symantec does not really lead in the anti-virus market (in terms of quality, not market share. All antivirus products are about the same) or antispam (MessageLabs is excellent here).

So, what could they possibly bring to the party that MessageLabs doesn't already have?


MessageLabs has DLP but it is very simple and not really worth very much. The framework is certainly there though. Add some good DLP and voila - you have a product that is worth something.

Wednesday, September 3, 2008

Google's New Browser

So, Google have released a new browser called Chrome...

What does that mean from an Information Security perspective?

Not very much and a lot, depending if you are looking at the short term or long term.

So, lets get into the short term - there is a new browser. It will have bugs and vulnerabilities. These will be exploited.

Most of the browser is based on WebKit, which is roughly what KDE uses, roughly what Safari uses and roughly what a number of cell phones use. It is becoming browser number 4 after IE, Mozilla/Firefox and Opera. This means that hackers (online criminals) will start to notice the browser (if they haven't already). Assuming that the open source promise (many eyes make fewer bugs) holds true and that Google will be quick with patches then this is merely part of the daily application vulnerability race. And if Google is quick with patches then this browser should not be any more unsafe than the others.

There are a few extra security features in this browser - that is always a good thing. For more information read here. Of course the feature that is most interesting - "each-tab-running-separately" has been compromised.

So short term - move along, nothing to see here. Lets move on to the long term...

What is most important in my mind for the long term is the "why" of this browser - why would Google want to jump into a market where they can't be the biggest or the best or even a very effective niche player? Especially since they have a good relationship with Firefox and their product is almost entirely webkit? And their browser is essentially all open source so all the good bits will be analysed and added to Firefox anyhow or improved upon and added to Firefox.

The answer is simple - Google want their browser to fail.


Well, that may a bit unfair but they really don't care either way.

Google is the search engine leader. They are also slowly becoming the Internet. This blog is hosted by Google, its feed is hosted by Google. If I need to host video, pictures, sound etc then I would probably choose Google - they are really good at hosting and why bother looking elsewhere when I already have a Google account?

So, almost all of my public information is hosted by Google. What about my private information?

Well... no.

That is all stored safely on my laptop for five reasons -

  1. I don't trust Google.
  2. I don't trust the Internet.
  3. The tools for creating private documents are so much better than the online ones.
  4. I can get to my documents when I am offline.
  5. The Internet is too slow.

But a lot of my computer day is spent in Microsoft Office. That is a lot of advertising opportunity lost. And if Google can access my personal files then they will have a better idea of what adverts to send my way. Which in turn will make their advertisers happier and Google stock go up.

And all it would take is sorting out the above 5 points.

I was going to go into each one but this post is already getting quite long. Just note that the three features that are most important in Chrome are:

  • Security and stability
  • Offline application mode
  • Fast running and standards based application engine
In other words - helping making it easier to use Google's online applications. Most of the factors are going to be taken care of with Chrome and its kids.

What will happen is that Firefox will catch up with Chrome but Google won't care what you use to access their online applications - just as long as you access them. And that is their game plan.

What this leaves is the final question - all things being equal - is your information more at risk on Google's servers or on your laptop at home?

That is a good question but one we should be looking at.

Thursday, July 17, 2008

The Perfect Storm

It's time to get your raincoats and lifeboats - the perfect storm has finished brewing - it is about to rain down upon us.

This may sound dramatic but I think that I may not be conveying the amount of pain that Information Security is about to receive. We will certainly have to step up our game.

Symantec and Verizon have done some interesting research into the underground hacker community and their findings are rather interesting. A bit scary too.

There is an entire community of totally different players that all work together to get from the point where a nerdy kid finds a vulnerability to where a hacker uses that to get into a PC, steal personal information and credit card details, sell them or use them and move on.

So far, it seems, the community has been quite lazy and has just discarded company information to get to the credit card information and personal information (ID numbers, social security numbers, addresses etc).

This has provided us in Information Security with a perfect opportunity. We have been able to observe how hackers work while they have been taking information that is not our own. Companies that hold credit card information have been the ones most under attack. Those that don't handle credit card information have largely been ignored by hackers, except for some members of staff who have been caught out, and then they have only lost their own personal information.

There just really isn't a (black/underground) market for information that is not credit card or personal finance related.

However, it was always my feeling that the credit card/personal finance market would become saturated at some stage and the loosely-bound-but-still-very-organised-and-co-ordinated underground market would start to look elsewhere.

Essentially, the infrastructure is there for wide-scale information theft but the will wasn't there. I have thought this for a while; my question was always - when will the will be there? When will Jack-the-hacker decide that credit card theft is no longer worth his time and start to deal in company information?

Adrian Lane from Securosis thinks that the falling prices in the underground economy are humorous. I disagree. I look at it as very scary and the final puzzle-piece.

I think that the perfect storm is about to be unleashed.

Thursday, July 3, 2008

Virtualisation - Welcome Back to the 90s.

I've been thinking about this for a while but this blog post by Pascal Meunier pretty much sums up my feelings about Virtualisation.

Back in the 90s when the Internet was new-ish and just becoming important all the machines running it were Unix boxes. (Maybe not all, but most). And a 386 would typically run DNS, sendmail, telnet (shell accounts), ftp and apache. All on the same box.

Security wasn't so tight in those days but it was usually good enough and the box could happily do what it needed to do.

Along came Microsoft and produced the idea of "one box - one service". You can't seriously consider running your domain controller as a file server. What are you thinking? And to put mail on the same box? No way. In fact, your SQL server is running under significant load, so chain a few together.

And companies would buy into this concept. Microsoft were happy - more licenses. All the PC guys were happy too - more money. More complexity - more jobs.

Essentially what has happened now is that Moore's Law has kicked in and has caught up with the complexity of Microsoft's software to the point where one server box can run multiple applications on it. Imagine that. But Microsoft has planted the one-service-one-box concept so well that it is now part of IT law. File server and mail server on one box? But wait... what's this button over here....? Vir-vir-virtualisation.

And now we have the tools to allow us to once again run multiple applications on one server without having to admit that one-application-one-server never made sense.

To be fair - Virtualisation does have other advantages - running multiple Operating Systems for example, being able to easily move a virtual machine from one box to another (without configuration issues), being able to make a snapshot backup of a system.

But running multiple applications on one box is not a huge win.

Tuesday, July 1, 2008

Andy sees the light

As per usual the man-in-the-trenches Andy-It-Guy comes up with some excellent observations.

He has found an example of what Bruce Schneier calls movie plot security. It is also known as "whack-a-mole" security or knee-jerk reaction. Essentially, something goes wrong and we put in controls in case it happens again. Then something else goes wrong ... we put in something different. Ad infinitum.

(The name "whack a mole" comes from the game where you have a mallet and you keep whacking plastic moles on the head. Every time you are successful a new mole pops up.)

This is a solution but it's not the best solution. And in case you think that it is a terrible solution, think about what anti-virus, anti-spam, anti-spyware, firewalls, IPS, patch management etc etc are... point solutions to single issues. Whack-a-mole solutions. Knee-jerk reactions to problems that crop up.

The one technology in the above list that is unfairly listed is Firewall. Best practices state that you should block everything and enable only what you need. But in the past Firewalls were generally configured to block only what was bad and to open up everything else. Then they started to "by-default" block everything in and allow everything out. We have learned our lesson with Firewalls.

Antivirus too is starting to move from a "detect and delete the following..." to a "detect strange happenings from all software... but ignore this that we know is supposed to have extra access."

Note the move from "allow all and block specific known bad" to "block all and allow specific known good".

I think that the challenge going forward will be for us to create an environment where it is possible to tie down exactly what every single person in the organisation does. Make sure that the technology supports this. Make sure that deviations are blocked.

And on top of that allow for agility.

This is not impossible but it won't be easy. And there won't be turn-key technology solutions that achieve it for you.

Friday, June 20, 2008

CISSP is here to stay! Sorry, Dre.

Dre wrote an article in which he argued that the CISSP is on its way out. What he really argues is that a "generalist" Information Security position is no longer very important; specialisation is the only way to go.

I disagree. I am a CISSP and an InfoSec "generalist" but that is not why I disagree.

I love it when I read a blog and then read another about a totally different topic but that in some way relates to the first blog. And the second blog I read today is Mr Andy, IT guy's blog. In his blog entry he complains rather tongue in cheek about how many meetings he attends.

While Andy and I are many miles apart it amazes me just how similar our lives are and, yes, I also spend ages in meetings. On average I spend about 2 hours of my day not in meetings. And I love it. Every meeting that I attend teaches me more about how the business I work for works. I also give my input and hopefully get across to all the people present just how important protecting information is.

Just like Andy, I was a techno geek until recently. I was a Firewall specialist. A Check Point Firewall specialist. I could read the pseudocode it would chuck out. I could edit the configuration with a text editor. I could read log files. I knew the system backwards. I am now employed in a company that doesn't even have a Check Point Firewall. I have moved onto something totally different.

There is a need for people who can configure security devices, perform Active Directory magic etc, etc. Even guys who are experts in logs. But you certainly don't want these guys tied up in meetings the whole day. You want them working on the systems that they know well.

You also want someone who can go to meetings and interface with business. Someone who can make a risk decision or at least know who to speak to. This person must be technical but also able to chat formally and informally to business and must always be thinking security. He must understand that meetings are not a waste of time but time spent educating business about security.

It is my belief that this person is not just important for a large organisation like the one I work for but even a one person shop should have one. Obviously, in that case a consultant should be used rather than a permanent employee but it is important.

The person does not have to be a CISSP but it is a good way to show that they are interested in an InfoSec career.

On a related note - I, like Andy, miss the technical side of InfoSec. But I also enjoy the ability to see my larger ideas implemented. I also enjoy selling InfoSec, something I am passionate about. In short, I enjoy my job and am happy I moved from being a techie to being an analyst. They are very, very different jobs. There are some people who may not be as happy as me. I know some; they are techies and are really good at what they do and they have no wish to move to anything else. They want to specialise. In South Africa, these people are not rewarded for their knowledge and that is a problem because there is a need for the specialists. Hopefully, as demand increases and there are some techies that shine, they will be rewarded.

Friday, June 6, 2008

The Future of Information Security in Two Sentences

I just realised how verbose I really am. I have written a few posts about what I think the future of Information Security will be and it seems that I am in total agreement with Gartner. The problem is that it has taken me many posts and much typing to put onto the Internet what Gartner sums up in two sentences:

“The next generation data center is adaptive – it will do workloads on the fly,” [Neil MacDonald, vice president and fellow at Gartner] says. “It will be service-oriented, virtualized, model-driven and contextual. So security has to be, too.”

I particularly like the term "model-driven". I have been using "process-centric security" to describe my vision which I believe is an extension of "info-centric security".

Thursday, June 5, 2008

Henry Ford and Agility (Once you are secured - what's next?)

Since I read this post by Andy Willingham I have had an idea for a Blog post in my head. But, in my new job, I am very busy and have very little time for Blogging so I left the thought in my head. Today, I had some time and started going through my blog list and saw this article by Jeff Lowder and then I knew I just had to write this article.

It's amazing how two people can take in the same story and both get similar but different conclusions out of the story.

Andy basically relates the story of how Henry Ford lost out on market share because he was not prepared to make cars of different colours. He was basically so in the “make it quick and cheap” mindset that he would rather lose out to everyone else than change his beliefs.

You can read Andy’s article for his take on the story but I’m going to relate my take on the story.

Basically Henry Ford had an idea and it literally changed the world. For better or worse – cars are now cheap because of what he did. He missed out on the next step (making cars of different colours) and lost a lot of market share.

But bringing the conversation back to Information Security and IT – computers are now cheap because of efforts by companies such as Microsoft and IBM and Intel to make computers accessible to the man in the street. Of course, in doing so they have made Information Processing (creating information, storing it, working with it, moving it) very messy. Information flows all over and some of it gets lost and falls into the hands of people who shouldn’t have it. This is very similar to the mess of Car Manufacturing that Henry Ford was faced with. He then realised that getting rid of the mess and flurry that making a car entails and formalising the process would mean that cars could be made quicker. And with better quality.

I think that the next step for Information Security is proactively improving business processes so that Information Processing and hence Business Decision Making can be done with the minimum amount of “mess” (think maximum amount of CIA).

The problem with doing this is that Information Security will start to make the business slower and more restricted as processes are followed.

HOWEVER, and this is where Henry Ford went wrong, once the Information Security Nirvana state is achieved (and this is possible) that process can start to expand in ways that were not possible before. This is where the holy grail of ROI starts to show itself.

It takes some serious introspection to get to this point – if a business does not know what all its processes are (or should be) then the general feeling is to allow everything. Once it is known what the process should be then it is possible to manage the availability of information, the confidentiality and the integrity. More importantly you should be able to know who does what and what Information they need to do it.

We can also then know what the process should be doing and add in the nice-to-haves over time making the organisation more agile.

I guess the whole point of this post is that the fight is not “Information Security vs Ability” but “Knowledge vs. Ignorance”.

Henry Ford got to the point where his organisation (at least the manufacturing part of it) was self-aware and everyone knew what their part in the process was. He reached Nirvana but he never took the next step – expanding the process to be more agile.

I believe that the race is on now to get our Organisations to the “Nirvana” point by introspection and using Information Security to tie processes down. And then to take it one step further by expanding the process and beating competitors.

Thursday, May 22, 2008

Information Centric Security is dead!

Ok, ok, I just want to jump on the bandwagon. It seems you are not regarded as an innovative and forward thinking Information Security Blogger unless you declare something dead so I will do that with Info-Centric Security.

So, what do I elect to replace this with? Process-centric Security.

I think that as we get closer to Information Security Nirvana (and isn't that what we really want?) we will start to get closer to the point where we look at Business and how it uses Information to do what it does. We define processes, work out what Information is needed, add in resources and voila, we have all the information (process, standard, information classification, user details, etc) that we need to properly define and hence secure a process.

If this brings back bad memories of Flowcharts and the like then maybe, just maybe, flow charts are what we really need to secure our businesses. Maybe when we decided to throw out all of those tools we had way back when, we did it without thinking of the repercussions. The goal to get a "Fast Company" and "be more adaptable" and "beat our competitors" just made us more sloppy and insecure. It may be a good time now to reassess.

And, by the way, Information Centric Security is not really dead... its just part of this larger idea, just like IDS is part of IPS.

Thinking out the box

I am going to predict the future of the WWW and how Information Security will have to adapt in the next few years.

This will take some time to secure and will take some time to get accepted but this is (IMHO) coming so brace yourselves. Life is going to get very interesting, especially for the Information Security guys out there.

This is actually not a new concept - Novell and Sun were working on these ideas about 15 years ago but the world and the Internet were not yet ready. They are now or, at least, they soon will be.

WEB 1.0
This is the Internet as we know it. HTML with some scripting for the pretty factor. Some media added in. Not much interaction. Security is easy here. Make sure that no wiggly things make it from the web onto your network. Make sure that users don't visit sites that waste time and shock people.

Web 2.0
This is the big catchword but I don't think we are where we should be. Web 2.0 is a taste of things to come but we are still chained to web 1.0 thinking. Information is swopped but format and location of information are still king. XML is just starting to come into its own and information is starting to become self-aware. The same information can be represented in totally different ways on different pages but the tools are new and websites are built around specific purposes. Sites with open APIs like Facebook are starting to take hold. Security is starting to become difficult - we have to make sure that internal data doesn't become external data.

Web 3.0
This is the new buzzword but I think it is merely more extreme web 2.0. Early examples of this are Yahoo Pipes, facebook's API etc. Sites with open tools to manage information. Information flows and is not bound to a certain site, location or format. Information Centric Security becomes key here. I think that the tools have not been developed or have not been properly developed.

Web 4.0
Cloud computing. This has been around for a while but it will soon come into its own. Combine GMail, Google Reader and technology like AJAX (of course), Google Gears and Mozilla Prism. I'm sure that Microsoft and Yahoo etc all have their own versions of the above and there will probably be some small niche players too.

Keep all the above free (with advertising) and you get a very useful and smart Office Suite that allows for collaboration and features such as backup and works wherever you are. This is exciting stuff but the assumption is that your data will be safe.

This is a bad assumption. This is Information Security's next headache. The problem with this is that like wireless and portable devices and USBs and the Internet etc etc.. cloud computing will happen. Businesses will need to do it and they will do it. We need to make it secure. Applications such as Microsoft Office etc are already terminally ill, it is just a matter of time...

The next race between Microsoft and Google and Apple will be in this space. I believe that the winner will be the one who can ensure the security of the information stored on their network.

Of course, cloud computing is a walk in the park compared to what will be next:

Web 5.0
This is where it all gets mad. Think Web 4.0 mixed with P2P such as Skype and BitTorrent. Add in a bit of virtualisation. Your data is hosted on 100 different people's personal machines. In exchange you host 1000 people's data on your machine. A piece of your company's still-to-be-published annual results is split up between a Mac in Japan, an iPhone in Brazil, 3 PCs in the US and a Linux server in the UK. It is XORed with Bill Gates's personal phone list and another 6 people have spare copies. If the UK box falls off the Internet then another box picks up where it left off. Processing is done by a further 3 machines, one in Namibia and 2 in China. Each time you access your data the communication takes a different route, bouncing off 10 machines between you and all the places that your data is. At any one time you have no idea where your information is. Information Security becomes part of the network - all files have to be encrypted and there are numerous copies of them.

Tuesday, April 29, 2008

Because Hackers Don't Care... (Why Metrics Don't Work)

Let's start with some statistics:

99% of all workstations have up-to-date antivirus.
Antivirus blocks over 99% of all malware.

That is amazing! That is great stuff to show the IT Director, CIO, CSO, mom and to put on the wall. But, yet, a company I know (not the one I work for) still managed to get a virus which brought about some painful downtime.

The virus was one of the 1% that the antivirus doesn't block and it spread through the organisation like wildfire. Essentially the saving grace was that it infected a small part of the network, brought that down and didn't spread from there. Luck. It was also non-destructive other than network downtime. Luck.

The metrics lied.

You could say that there was residual risk but it really looks quite small. What is 1% between friends? But that 1% is precisely what any hacker (or virus writer etc) worth his salt is targeting.

So, where to from here?

I won't throw the baby out with the bathwater. 99% of PCs with antivirus is certainly safer than 50% or 0%. 99% of PCs fully patched is safer than 70% or even 100% of PCs almost fully patched. But 99% of PCs with antivirus is not a guarantee that no virus will find its way to destroying your network. It is important that your boss(es) know this and more important is that you know this.

And have plans in place when the 1% risk becomes reality.
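To put numbers on that 1%, here is an added example (not part of the original post) that works the post's two 99% figures through. The encounter counts are constructed, and it assumes each malware encounter is independent of the others.

```python
"""Residual risk behind "99% coverage, 99% blocked" (added example).

The two 99% figures are the post's own; the encounter counts are constructed.
Each encounter is treated as independent, which is a simplification.
"""
import math


def p_single_encounter_gets_through(coverage: float, block_rate: float) -> float:
    """One encounter gets through if it lands on an unprotected host (1 - coverage)
    or on a protected host whose antivirus misses it (coverage * (1 - block_rate))."""
    return (1 - coverage) + coverage * (1 - block_rate)


def p_at_least_one_infection(coverage: float, block_rate: float, encounters: int) -> float:
    """The small per-encounter miss compounds: P(at least one) = 1 - (1 - p)^n."""
    p = p_single_encounter_gets_through(coverage, block_rate)
    return 1 - (1 - p) ** encounters


def encounters_until(target_probability: float, coverage: float, block_rate: float) -> int:
    """Smallest number of encounters at which P(at least one infection) reaches the target."""
    p = p_single_encounter_gets_through(coverage, block_rate)
    return math.ceil(math.log(1 - target_probability) / math.log(1 - p))


if __name__ == "__main__":
    coverage, block_rate = 0.99, 0.99
    print(f"per encounter: {p_single_encounter_gets_through(coverage, block_rate):.4f}")
    for n in (1, 10, 50, 500):
        print(f"{n:4d} encounters: P(at least one infection) = "
              f"{p_at_least_one_infection(coverage, block_rate, n):.4f}")
    print("coin flip reached after", encounters_until(0.5, coverage, block_rate), "encounters")
```

The per-encounter figure is just under 2%, but by the 35th encounter it is a coin flip whether something has got through, which is the post's "1%" turning into the "luck" it describes.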

Security Catalyst Forums

I've written often about all the ways I have met people. My network has certainly grown in the last year between Facebook, LinkedIn, the numerous blogs that I read and the numerous blogs that they all link to.

One place that has certainly been a terrific place to meet smart people interested in Information Security and to harvest some of their ideas is the Security Catalyst Forums. Registration is free and gets you access to some really amazing people.

Each week someone volunteers to sum up the last week's postings and this week is my turn so here goes...

Andrew Hay is doing his CISSP and has been given a lot of advice by the members. Generally it is agreed that is a good resource but always ready to jump in and start new Security Catalyst initiatives, Michael wants to put together a resource for those Catalyst Members studying for the CISSP.

I personally did the official CISSP boot camp training course and found it well worth doing. I bought the official ISC2 guide but found it to be too wordy and technical. It is a great resource though and I have used it many times since my exam, but at 10pm after a day's work it is the last thing your eyes want to see.

Education seems to be a theme at the moment - Didier Stevens wrote his GSSP-C exam and Kevin Riggins is debating doing a Masters in Information Protection/Assurance.

Information Security is slowly becoming so much more than just Firewalls and Antivirus and the education needed is becoming vast. I think it has already come to the point where it is impossible to know everything and practitioners now need to work out what section of Information Security they want to get into.

I personally am interested in the management side of InfoSec but if I choose that then I will not be able to get deeply into any particular part of InfoSec anymore. I have my CISSP and would love to get a Masters like the one above but GSSP-C would be too restrictive for me but to each his own. Well done Didier and good luck Andrew, Kevin and all those that are looking to grow their knowledge.

Don Weber raises an interesting question - should businesses be monitoring search queries via their proxy servers? My feeling is that yes, they should. Companies should monitor everything and they have the right (in South Africa at least) to do so. However, (there is always a "however" with me) context is everything. One has to use the information that one gets from logs as a guide and try to understand exactly why someone browses so much or such strange sites or whatever. I believe that Information Security has to become a central part of the organisation and has to make connections with all departments. All browsing issues must be driven by HR with technical and policy help from InfoSec.

There were other discussions, jobs posted and conferences listed but I'm not going to go into them all. The last thing I'd like to say is that I asked a question on the Security Catalyst Forums and got some quality replies - all different but all quality that will allow me to do my job that much better.

Wednesday, April 16, 2008

So, here I am.

It has been quite a quiet year for me blog-wise and it is not because I have been busy.

Quite the opposite. It is because really I haven't been busy.

And, strangely, now that I have moved jobs to a job where I have more responsibilities and less time I think I will blog more. I have more to think about and more to say.

My new job is very interesting. I have been dropped in the deep end and told "swim". At the moment I am still trying to work out what has been done and what still can use the Allen-touch.

Expect some good postings over the next few months and years.

As per usual - you won't get juicy details about my new employer and all thoughts, mistakes and general views are my own.

Thursday, March 20, 2008

Information Security, Governance, Compliance and Safety Belts

The state of Victoria in Australia made wearing safety belts compulsory in 1970. This is now almost universal practice.

I don't know the exact statistics but a study done in South Africa found that more people used safety belts after it was made illegal to not use them than when it was left up to the driver.

The conclusion really is that people are more likely to obey a rule because it is law than because it may just save their life.

I think that the same is true with Information Security. It won't (necessarily) save your life but it is good practice. And yet companies are only doing it because it is now law.

The problem with this is that it is not accepted by people in their hearts. I know of people who drive around without their belts on and put them half on when they see a traffic cop.

The Information Security equivalent is jacking up your InfoSec program when the auditors come to visit and letting it slide when they are not around. Or making sure that they don't see some issues that you are well aware of.

I have seen a lot of complaints about PCI and SOX etc etc in the same way that people complain about "self protection" laws like safety belt laws. The thing is that the government is stepping in only because people are very bad at self regulation. Really, what a number of InfoSec experts are trying to promote is - understand why you need to protect yourself, understand how and abide by it. Do it for your company, not because the government demands it.

That way, not only will you be "compliant" and full of "good governance" but more importantly - your company will be safe.

Friday, March 14, 2008

More from Securosis...

While Rich was away he brought in David Mortman who wrote this gem.

I think he hits the nail on the head and together with the article I linked to in my previous post, this is the future of Information Security.

I believe the take-away quote is this:

"However, compliance is not a technology problem — it’s a business problem which needs a business solution. By instituting sustainable business processes that effectively leverage people and technology, enterprises will become not just more secure but also compliant with current and emerging regulations."

I think that everyone involved in Information Security should read that, understand it and learn it off by heart. And then practice it.

Once we can define a process and what information is used in it, who does it and when it happens - bingo - we can secure the process from start to finish. Most companies I have worked in (and I have worked in plenty) have no formal process design and so would not be able to properly enforce Information Security.

Security 2.0

There is a post on Securosis that I think sums up the future of Information Security quite nicely.

In the past information was very structured because of disk space issues. Then Moore's law kicked in and information got messier and less structured over time.

Now because of Information Security needs the information has to become tidier and more structured again. But now I think we have tools like XML that will allow us to be able to clean up our mess and be more secure and more productive while not being totally restrictive.

It is a very interesting time and I call it Security 2.0 (even though this term is already used by the likes of Gartner and such.)

Tuesday, February 5, 2008

Productivity vs Security

This is a copy of a comment I posted on Rich Mogull's website. I thought that my answer clearly shows my present way of thinking about Information Security and the value thereof. I have edited my answer for this Blog Post but the essence is the same.

Rich was answering a question from Scott, who assumed that as productivity goes up security goes down and vice versa, and that at some point there must be a sweet spot where you get the most productivity at the least cost to security. Scott uses the word "obviously".

Your (Rich and Scott) assumption is that all security controls actually decrease productivity. This may be the case in an example where passwords are used versus not used. But information security may actually increase productivity, e.g. where spam is blocked and the user does not need to spend hours sorting email. Alternatively, if browsing is restricted and time-wasting sites like Facebook are blocked then productivity goes up.

My big security theory (which I wish I could put into practice) is that once companies achieve a security zen state (sorry if that is copyright) when security becomes part of the culture and is built into all systems then it actually increases productivity in a way that could actually help the bottom line.

In response to the original poster - if Information Security is at odds with the processes of the business then either the process is wrong or the information security is wrong.

If you tack on security after the fact your thinking will always be wrong.

A sales-rep is always on the road. Because he lives in the North part of town that is where his customers are. He has a list of customers and their details in his laptop. He also has their buying trends and banking details so he can confirm payment. The ISO sees all of this and almost has a heart attack. He implements a rule that the sales person can download only the clients that he is going to see that day onto his laptop and it must be done over a VPN. Sales guy also has to have his laptop encrypted and a password protected screensaver. He can, if he wants to, drive into work and download the information over the network but work is far from his house and his customers.

Man, productivity has gone to hell. He now has to dial in every day for a few minutes where in the past he didn't. He has to type in passwords every time he needs to use his PC. What a schlep.

But... if you think about the savings in terms of productivity compared to driving to work and getting the information, printing it out and then filing it away at the end of the day (another trip) - the complete system is amazing. It is saving the sales rep from making two trips a day into the office. All that needs to happen now is that it needs to be made secure and a few extra seconds each time information is needed and a few minutes at the beginning and end of each day to sync information is a pleasure compared to driving to work in rush hour traffic for no reason.

Friday, February 1, 2008

Prediction 3 - A major site gets hacked

I'm not so sure about this one and I have been thinking about it for too long. If I take much longer my predictions will be very accurate because it will be December and I'll have hindsight.

Online service providers (Yahoo, Gmail (Google), Hotmail (Microsoft)) seem to take their security really seriously and that is great. I think that they are targets but they are aware of this and they realise that an attack could render them dead. Their business is all about trust and a loss of trust would break their business.

However, the web was never designed to be so secure and application based. It is meant to be static pages delivered non sequentially (images load up when they can). This is not a very good base to have for a service.

I see that the hackers are already playing with session keys and such. My prediction is that this year or in the foreseeable future malware (all kinds including bots) will try to suck session keys from traffic and use them to steal information or do unauthorised actions on "behalf" of a user. This has happened in the past but I believe that it will become more widespread, targeted and automated.

Example possible attack scenario: "Bob logs onto Gmail from an infected PC. Logging into his account wakes up the malware, which either forwards the session key to the attacker or drafts an email to the attacker from Bob with a list of all his contacts. The attacker sells these good email addresses to a spammer. Or the malware downloads a preconfigured spam message and sends it to all of Bob's contacts. All of this happens in a scripting environment and Bob is not aware of anything strange because no windows pop up."

If this is happening already then I apologise for coming to the prediction party late... and I'll just predict that it will increase until HTTP is replaced with something else, new online standards are developed for services, or it becomes as bad as spam is today.
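One server-side mitigation for the forwarded-session-key case in the scenario above is to bind each session to the client context it was issued to and expire it after a short idle period, so a key replayed from another host is rejected and logged. The following is an added example, not code from the original post; the session store, the /24-plus-User-Agent fingerprint, the 15-minute idle timeout and the request sequence are all constructed for illustration.

```python
"""Server-side session binding and hijack detection (constructed example).

Sessions are bound at login to a coarse client context (first three IPv4
octets plus a hash of the User-Agent). A token later presented from a
different context is treated as a possible replay of a stolen session key:
the session is revoked and an alert record is kept for the SOC. Tokens also
expire after a short idle window so a leaked key is useful for less time.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional

IDLE_TIMEOUT = 15 * 60  # seconds a session may sit unused (assumed policy)


def client_context(ip: str, user_agent: str) -> str:
    """Coarse fingerprint: /24 prefix of the client IP + truncated UA hash.
    The /24 prefix tolerates small DHCP/NAT address changes while still
    separating Bob's network from a replay made from elsewhere."""
    prefix = ".".join(ip.split(".")[:3])
    ua_hash = hashlib.sha256(user_agent.encode()).hexdigest()[:16]
    return f"{prefix}|{ua_hash}"


@dataclass
class Session:
    user: str
    context: str
    last_seen: float
    revoked: bool = False


@dataclass
class SessionStore:
    sessions: Dict[str, Session] = field(default_factory=dict)
    alerts: List[dict] = field(default_factory=list)

    def login(self, user: str, ip: str, user_agent: str, now: Optional[float] = None) -> str:
        """Issue an unguessable session key bound to the caller's context."""
        now = now if now is not None else time.time()
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(user, client_context(ip, user_agent), now)
        return token

    def authorize(self, token: str, ip: str, user_agent: str, now: Optional[float] = None) -> Optional[str]:
        """Return the user name if the request may proceed, otherwise None."""
        now = now if now is not None else time.time()
        sess = self.sessions.get(token)
        if sess is None or sess.revoked:
            return None
        if now - sess.last_seen > IDLE_TIMEOUT:
            sess.revoked = True  # stale key: force a fresh login
            return None
        ctx = client_context(ip, user_agent)
        if not hmac.compare_digest(ctx, sess.context):
            # Same token, different client: treat as a stolen session key.
            sess.revoked = True
            self.alerts.append({"user": sess.user, "expected": sess.context,
                                "seen": ctx, "at": now})
            return None
        sess.last_seen = now
        return sess.user


def demo() -> dict:
    """Constructed request sequence: Bob logs in and uses the site, then the
    same token is replayed from another network; Alice's session goes idle."""
    store = SessionStore()
    t0 = 1_200_000_000.0
    bob_ua = "Mozilla/5.0 (Windows; Bob)"
    token = store.login("bob", "192.0.2.10", bob_ua, now=t0)
    bob_ok = store.authorize(token, "192.0.2.10", bob_ua, now=t0 + 30)
    replay = store.authorize(token, "198.51.100.7", "curl/7.x", now=t0 + 60)
    bob_after = store.authorize(token, "192.0.2.10", bob_ua, now=t0 + 90)
    token2 = store.login("alice", "203.0.113.5", "Mozilla/5.0 (Linux; Alice)", now=t0)
    stale = store.authorize(token2, "203.0.113.5", "Mozilla/5.0 (Linux; Alice)",
                            now=t0 + IDLE_TIMEOUT + 1)
    return {"bob_ok": bob_ok, "replay": replay, "bob_after": bob_after,
            "stale": stale, "alerts": len(store.alerts)}


if __name__ == "__main__":
    print(demo())
```

Note the limit of this check: it catches a key that is forwarded to and replayed from the attacker's own machine, but actions driven from inside Bob's infected browser arrive from Bob's real context and look legitimate to the server. That is why the endpoint controls the blog keeps coming back to (patching, antivirus, not opening the wrong mail) remain the first line of defence.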

Friday, January 25, 2008

Prediction 2 for 2008 - Stealth "Hackers"

Wow.. that sounds like a good name for a movie "Coming to the big screen in 2008 - Stealth Hackers!"

This isn't really a new thing. Hackers as we know them (and I use the word hacker in the evyl-skript-kiddie-with-toyz way and not the kind-open-source-guru way) are slowly moving toward the idea that "cool, we can make good money from this!"

In the past hacking was really done for the cool stories hackers could tell their friends to get street cred. Events were big and done for the headlines. Hacking was like graffiti - it was out in the open and done so people could see. Hackers didn't want to get caught but they did want their work to get noticed.

I believe that these people are still out there and still trying to do big things. I think that their work is also being converted over to the new types of hackers.

The stealth hackers are not necessarily very computer literate. They take the research and exploits of the big-bang hackers and craft them into tools like malware, rootkits etc. They don't want to get caught, obviously, but they don't want to be noticed either. These are the botmasters who want to use the world's computers to gather information that they shouldn't have. They also want to use computers to send spam, and the longer they can stay undetected, the more money they can get.

There are different levels of technical ability in the realm of the stealth hackers from those that write exploits to those that deploy bots to those that sell information and those that just buy credit card numbers.

I believe that both groups - traditional hackers and stealth hackers will grow in numbers but that stealth hackers will grow much quicker.

Wednesday, January 23, 2008

Prediction 1 for 2008 - Facebook hacked

Ok, finally, here it is.

For the impatient - Facebook will be hacked. Alternatively, a major Facebook application will be hacked.

Right...the impatient can go now. The rest - read on.

[Personal note first]
I decided that my Blog was becoming too important. I have a host of blog posts that are just not quite as well written as I'd like and since my blog is somewhat a reflection of my writing skill (skillz?) I decided that I'd need to fix them up, when I have time... well, I've changed my mind - my blog is now an indication of my thinking skills as it was always intended to be, hence the name. It is an indication of my quick writing skill and how I write under time constraints. So, ignore the strange terms, spelling and grammar. Read the content.

This is also the reason why I don't have a "my top 10 predictions for 2008". There is no list that I am working from - as I think them up, I will blog about them.
[end personal note]

Last year when Facebook made their application language available I was very excited and signed up as an "application developer". I even wrote an application which is about the level of complexity of a "hello world" program. I think it is a box that greets the Facebook-er by name. Woopy-doo.

But what I found quite interesting is that the application runs on my server and my database but queries information from Facebook. This makes creating applications so much easier and is probably what led to the Facebook explosion in the first place. However, users may not be aware that every time they add an application they are increasing the risk that their Facebook information can be compromised.

I like to believe that Facebook is big enough to be able to throw money at security. I think that their product is simple enough to secure. So, there should not be too much opportunity to hack into Facebook. I could be wrong. Facebook certainly is a huge target for both those hackers who want to make some good money, those that want email addresses (to spam) and those that want to make a big bang and a name for themselves.

But my money is on a large Facebook application being hacked - it's a way to get in through the back door.

Thursday, January 17, 2008


I have been trying to get the motivation together to blog about my predictions for 2008 but I'm not finding it. So, I've decided to break it up into smaller pieces and hopefully that will make it easier.

So, looking back...

2007 started with me being very motivated, excited and happy. It was going to be a great year with lots of promise. It ended with me feeling very down, de-motivated and depressed. But I am still optimistic for 2008 which either means I am hard to get down or just really naive. I guess time will tell.

My first prediction for 2008 is that I will be a very different person by this time next year. And I will be sitting in a very different place. If I am not - I will have failed.

I don't like to get too much into the personal aspects of my job but a lot of the energy I put into getting security to move forward has been in vain and I am feeling that I am now wasting my time trying to move forward. I have put myself into "cruise" mode while I work behind the scenes to improve myself and then with a big bang I'll be back.

There were some really excellent moments in 2007. I think that the most important was when I started my blog. I highly recommend Blogger. I also recommend FeedBurner. Both companies are owned by the big G.

A big thank you goes out to Alan from Still Secure who got me motivated and introduced me to the Security Bloggers Network.

While it helps that I am a member of the network and that drives some views to my blog, it has helped me more to explore and find people on the network. I have been able to populate my RSS feed list from a number of bloggers and I hope to add more. I just need the time.

So, who is honoured to be in my RSS feed?

First up is my brother-from-another-mother - Andy the IT guy. I call him that because he has a very similar job, a wife and two daughters and he has had a very similar career path to me. More importantly, I usually see eye-to-eye with him.

Next up is "Security Mike" - Mike Rothman. The Daily Incite is an amazing tool to get an idea of what is happening in the security blog world. How Mike can read so much still amazes me. One day I'll have saved up enough. The new audio is also worthwhile.

Next is (this is the order I read my blogs in - obviously I'd want to get the best first) the Mogull. One can see from his postings just how much research he has done into the security field. They are well written and very useful.

Just as wordy and usually more fun is the Hoff. The Hoff is worth reading because of how he pushes the boundaries of what security (or survivability) is all about. He does not pull his punches and is not afraid to sacrifice a few sacred cows along the way.

There are other bloggers that I respect and read too - Anton Chuvakin, Randy Armknecht, Richard Bejtlich, etc.

I think that the best part of reading all of the above blogs is that the authors all read each other's blogs too. This leads to debates and arguments, but hopefully lessons learned.

2007 was also the year that I learned about the Security Catalyst Forums where more debate happens. This just proves how new our industry is and how much passion is being put into finding out the answers. This can only be a good thing.

Locally I've kept up with my visits to ISG Africa which has great presentations every month.

I completed almost 100 blog entries over the year, putting into words my thoughts about our exciting industry. My "70s" entries show where we went wrong in the 80s with our IT plans and how we are putting things right again. My 7 habits show how popular business and life philosophies can be used in InfoSec to move us in the right direction. I will hopefully finish those off shortly. (Prediction 2?)

Thank you everyone who has shared their views and hard work with me via their blogs and forums and I hope all that read this blog have learned something and will continue to follow my progress and read my thoughts.

Soon I will post my predictions for 2008.

Monday, January 7, 2008

A Quote From Bill Gates

(I really haven't been doing very well with my blog these past three months.

I aim to do better. My schedule has been totally messed around and time I spent blogging has gone. I do however have more time to read.)

So, with all that out of the way... those that know me know that I am a total Linux Penguin Man, so Bill Gates is not my favourite person in the world. However, he is a great man and has been, I believe, by following this vision throughout his life, from when he was Microsoft's CEO and Chairman to his charity work now.

"To turn caring into action, we need to see a problem, see a solution, and see the impact. But complexity blocks all three steps." - Bill Gates, 2007.

His point in context is that people want to donate to charity but find the complexity of donating too much and they just don't. Alternatively, if they do donate, the money gets used up by supporting complexity and not really for what it was intended.

But there is a bigger picture here. I was involved once in a project which developed a security tool. I saw the bigger picture of how this tool would fit into an organisation but was shot down by everyone in the company from the CEO down because they had a different view. They were too caught up with the technology and didn't see the problem they were trying to solve.

I then did some work for two other companies (not Information Security companies) and again they were too caught up in the technology and suffered from red tape. One closed down and the other struggled along.

Most recently I did work for a company that runs its Information Security department in such a way that it jumps from buzzword to buzzword without really getting more secure.

I think we should all learn from Bill Gates and see what the problems are, simplify them, rank them, and solve them... then move on. After all, he is the richest man in the world and has become so not by giving people the most complicated software but by giving them simple software that solves their problems.

Thank you to Presentation Zen for the information.