I've sat through a number of presentations and sessions about security and virtualization in recent times and can't help thinking that people are falling into the old trap of going after the possible rather than the probable.
Most discussions I've seen around security and virtualization center around subtle threats to the hypervisor layer, and whether it's possible to jump from one virtual machine to another. Then there are the circular discussions about whether it's provably more secure to perform AV and intrusion inspection from inside the virtual machine, or have the host perform all the functions.
All pretty tedious if you ask me. I reckon we've some much bigger problems in a virtual world.
The Hannaford data breach was of course all over the news last week. It is reported that Hannaford's internal practices were considered PCI compliant, yet they suffered a massive data breach. It begs the question whether PCI requirements were sufficient.
While many companies still lag behind in terms of achieving PCI compliance, quite a few organizations have gone above and beyond to protect their critical operations. I call those "next practice" adopters (as opposed to best practice). For instance, PCI requires that you scan your computing assets quarterly. Many of the next practice companies would scan their most critical assets weekly or even daily.
So, what should you consider as your critical assets? Here is a list to get you started:
- Web applications (those that handle online transactions)
- Web servers (those that interface with external Web users)
- Database servers
- Application servers that serve up your core applications
In the course of doing research for my upcoming Internet threat report, I came across some worrisome statistics. A Google researcher recently reported that approximately 1.3% of all Internet queries would return at least one URL that contains malicious content. A year ago, March 2007, this number was 0.3%. The same report also indicates that 6,000 out of the top 1 million most popular URLs have been, at one point or another, classified as malicious.
These statistics are indeed worrying. The top one million URLs are the most frequently visited sites, and the fact that a non-trivial percentage of them could be malicious is a previously unknown phenomenon. This underscores the rising difficulty of Web threat detection and defense. The latest statistics from the Anti-Phishing Working Group show that the average lifetime of a phishing site is now three days (the 2006 statistic was 4.5 days). Not only are Web threats more widespread, they are more dynamic as well.
Think for a moment about the very simple, used-to-death castle analogy with its walls, gates, guns, guards, etc. and how these parts related to early network security. The analogy certainly had its shortcomings already back then – but it nevertheless got popular because of its inherent simplicity.
IT risk management is a nebulous topic at best. There are many different ideas as to what risk means and how it should be applied within an IT organization. In an effort to bring some consistency and clarity to this discipline, Forrester is developing an IT risk management framework. Once developed, the framework will help IT organizations identify major risk areas, identify scenarios linking risks and controls, and establish a common risk language to clearly communicate with business leaders.
In order for the framework to have a solid risk-based foundation we will be using many of the principles of COSO. In particular, the framework will be based on event identification, risk assessment, risk response, and control activities. The IT context is established by utilizing the ITIL framework for IT service delivery. IT services are used to identify risk events. Scenarios are developed for each identified risk outlining the actions necessary to realize the risk. Controls are then mapped to each scenario to either prevent or detect the actions.
For those who didn’t know, the Formula One racing series has recently started in Australia and Asia. While high-speed enthusiasts in the US flock to NASCAR or the IndyCar series, the rest of the world is hooked on the F1 racing circus (kind of similar to the situation with football/soccer…).
Anyway, as a security professional you have probably heard of last year's massive data theft involving several high profile Formula One teams like Ferrari, McLaren, and Renault. What you might not have heard is how the technical data got stolen: well, in the ultra sophisticated and technologically advanced world of Formula One racing, design plans and test results were simply copied to a bunch of floppy disks. Yes, floppy disks - those early versions of portable media devices that never really made it into the new millennium!
A few days ago, the official Chinese media reported that Shanghai's Intermediate Court sentenced three malware producers, who used Trojan horse software to steal money from victims' bank accounts (all Chinese banks), to between six and a half and eight years of prison time. The three apparently stole more than 100,000 yuan. Considering that the average monthly salary in the affluent first tier cities is approximately 4,000 yuan, it's a pretty hefty sum. Researchers have been noticing an increase of spyware and malware from China. Cyveillance, an Internet threat monitoring company, reported a rapid increase of malware hosting sites in China. An interesting fact is that the majority of the world's malware distribution sites are still in the US and Europe, but they point to malware hosting sites in Asian countries such as China. This is especially interesting because it points to the fact that hackers from those countries are compromising high traffic Websites in the US and Europe to help distribute malware (the difference between a malware distribution site and a hosting site is that the former typically contains a link or a small amount of code that points to a hosting site). The use of malware distribution and landing sites (as opposed to a straightforward malware hosting site) is a newer and more stealthy way to distribute malware, which only became popular in 2007.
In the course of researching mobile authentication and mobile signatures -- using a cell phone as the alternative to a token for identity, authentication, and signing purposes -- this post from Finextra's Chris Skinner on why mobile banking and payments don't work (yet) caught my eye. Hint: People don't want them. But why?
Given that my colleagues serving eBusiness, channel, and product marketing professionals are also officially skeptical about the prospects of mBanking and mPayments, I expected him to trot out one of the usual rationales for this, including: