Several clients have recently been asking about "Virtual Network Segmentation" products that claim to segment networks to reduce the scope of PCI compliance. They may use ARP or VLANs to control access to various network segments. These types of controls work at Layer 2, and the hacker community is well versed in using tools such as Ettercap or Cain & Abel to bypass them. We've recently written about Network Segmentation for PCI as part of the PCI X-Ray series.
While rereading the PCI Wireless Guidance document, I came across this nugget that puts a nail in the coffin of using VLANs as a security control: "Relying on Virtual LAN (VLAN) based segmentation alone is not sufficient. For example, having the CDE on one VLAN and the WLAN on a separate VLAN does not adequately segment the WLAN and take it out of PCI DSS scope. VLANs were designed for managing large LANs efficiently. As such, a hacker can hop across VLANs using several known techniques if adequate access controls between VLANs are not in place. As a general rule, any protocol and traffic that is not necessary in the CDE, i.e., not used or needed for credit card transactions, should be blocked. This will result in reduced risk of attack and will create a CDE that has less traffic and is thus easier to monitor."
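The practical point of the guidance quoted above is that VLAN membership is not the control; the access rules enforced between VLANs are. One way a defender can check that in practice is to audit inter-VLAN flow records against an explicit allowlist of what the CDE actually needs, flagging everything else the switch let through. The script below is an added example, not code from the original post or from any product it mentions; the flow-record format, the VLAN numbers (CDE on VLAN 100, POS on 200, admin on 300, WLAN on 400), the allowlist, and all sample records are constructed assumptions.

```python
"""Audit inter-VLAN flow records against a "what the CDE needs" allowlist.

Added example, not from the original post. Assumptions: the CDE is VLAN 100,
the key=value flow-record format is constructed, and the allowlist describes
a hypothetical environment.
"""
import re

CDE_VLAN = 100  # assumption: VLAN holding the cardholder data environment

# Flows permitted INTO the CDE, as (source VLAN, protocol, destination port).
# Anything else that reaches VLAN 100 is reported, following the "block what
# is not needed for card transactions" rule. Hypothetical values.
CDE_ALLOWLIST = {
    (200, "tcp", 443),  # POS VLAN -> payment application over TLS
    (300, "tcp", 22),   # admin jump-host VLAN -> SSH management
}

# Constructed sample flow records (not real logs). Note the switch marked
# every one of them "allow": VLAN separation alone blocked nothing here.
SAMPLE_FLOWS = """\
2010-01-20T10:15:02 src_vlan=200 src=10.2.0.14 dst_vlan=100 dst=10.1.0.5 proto=tcp dport=443 action=allow
2010-01-20T10:15:07 src_vlan=300 src=10.3.0.9 dst_vlan=100 dst=10.1.0.5 proto=tcp dport=22 action=allow
2010-01-20T10:15:11 src_vlan=400 src=10.4.0.77 dst_vlan=100 dst=10.1.0.5 proto=tcp dport=445 action=allow
2010-01-20T10:15:19 src_vlan=200 src=10.2.0.14 dst_vlan=200 dst=10.2.0.1 proto=udp dport=53 action=allow
2010-01-20T10:15:23 src_vlan=200 src=10.2.0.31 dst_vlan=100 dst=10.1.0.5 proto=udp dport=161 action=allow
2010-01-20T10:15:30 src_vlan=100 src=10.1.0.5 dst_vlan=100 dst=10.1.0.9 proto=tcp dport=1433 action=allow
""".splitlines()

_KV = re.compile(r"(\w+)=(\S+)")


def parse_flow(line):
    """Turn one key=value flow record into a dict with typed fields."""
    fields = dict(_KV.findall(line))
    return {
        "ts": line.split(" ", 1)[0],
        "src_vlan": int(fields["src_vlan"]),
        "src": fields["src"],
        "dst_vlan": int(fields["dst_vlan"]),
        "dst": fields["dst"],
        "proto": fields["proto"].lower(),
        "dport": int(fields["dport"]),
        "action": fields["action"],
    }


def audit_cde_flows(lines, allowlist=CDE_ALLOWLIST, cde_vlan=CDE_VLAN):
    """Return flows that crossed a VLAN boundary into the CDE without being allowlisted.

    Flows that stay inside a single VLAN are out of scope for this check;
    the control being verified is the rule set between VLANs.
    """
    violations = []
    for line in lines:
        flow = parse_flow(line)
        if flow["dst_vlan"] != cde_vlan or flow["src_vlan"] == cde_vlan:
            continue
        if (flow["src_vlan"], flow["proto"], flow["dport"]) not in allowlist:
            violations.append(flow)
    return violations


if __name__ == "__main__":
    for v in audit_cde_flows(SAMPLE_FLOWS):
        print(f"{v['ts']} VLAN {v['src_vlan']} -> CDE {v['proto']}/{v['dport']} "
              f"from {v['src']}: passed by the switch, not on the allowlist")
```

Run against the sample records, the audit reports two flows: the WLAN segment (VLAN 400) reaching the CDE on tcp/445, and a POS host sending SNMP (udp/161) into the CDE. Both were permitted by the switch, which is exactly the situation the guidance warns about; the allowlist, not the VLAN tag, is what tells you whether the segmentation is real.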
Just this week on Tuesday, NIST published release 1.0 of the smart grid interoperability standards. Most notably, this is the first attempt to address cyber security in smart grid deployments. This release points to various standards that can be used for implementing interoperability and security controls, and it’s fair to say that it plants the seeds for what should become comprehensive, control-driven guidelines for implementing various aspects of smart grid.
The timing of this report is perfect, as current smart grid rollouts are often criticized for a lack of proper security controls. Our utility customers have shown similar concern about the lack of planning for information security before the rollout phase. This lack of a security and risk management perspective in the smart grid ecosystem can jeopardize the overall objective of these smart energy initiatives, and it’s about time that we devise a game plan going forward.
The NIST publication will be an important piece of work, as it brings various standards bodies and regulators such as IEEE, NERC, and FERC to the table. Note that this is not a control-based standard like others published by NIST, but a guide to other frameworks that should be referenced when working in a smart grid ecosystem. A more control-based work on cyber security in the smart grid is in development, and the draft of those standards is available for public review.
A few important highlights to pay close attention to in the cyber security sections are:
Ambrose Bierce’s The Devil’s Dictionary is a wickedly witty piece of work (and website). It slyly redefines common words and phrases, usually with a bitter, contrarian, or comic touch. But why should Mr. Bierce (or more correctly, his estate) have all the fun? It is time for one in the information security field. Here are a few nominations. Most of these are original, but a few were gleefully filched from others:
ALE: an intoxicating liquor that gives imbibers perceived omniscience and discernment, but with one unfortunate side effect: it causes their pants to spontaneously fall down
Advanced persistent threat: a security product manager hyping new categories
Blended threat: a hemlock smoothie
Claims: a more expensive form of assertions, officially sanctioned with George Orwell’s posthumous blessing. cf. “flatbread” v. “pizza”
Collective intelligence: the dawning epiphany that the cyber-villains have already won
Data leak prevention: adult undergarments for stopping electronic incontinence
Device control: using Super Glue to plug holes in the sides of laptops
Full disclosure debate: a ritualistic Kabuki performance that ends with a fist-fight amongst members of the audience
Actionable: providing information of sufficient detail and clarity to enable one party to sue another*
2009 was a miserable year for tech vendors, especially for sellers of capital equipment like PCs, servers, routers, and licensed software, and for systems integrators who helped implement that software. 2010 will be a much better year, especially for these very same vendors. We’re not talking boom yet, so we are not predicting double-digit growth rates across the tech market (though some categories will see those kinds of growth). But, as our latest tech market report shows (http://www.forrester.com/rb/Research/us_and_global_it_market_outlook_q4/q/id/53384/t/2), we do think there will be a solid tech recovery in 2010, with growth rates in the high single digits.
Given that other IT advisory firms are predicting that tech markets will see growth of 3% to 4% in 2010, why are we so (relatively) bullish with our predictions of 6.6% growth in the US tech market, and 8.2% growth in the global tech market (when measured in US dollars)? Three reasons: