Cloud security: Root of trust

02/02/10

I've been thinking a lot about public cloud security lately. Not simply mulling the theoretical question of "is cloud more or less secure than my own infrastructure", but looking at practical approaches to cloud security. At Nemertes Research we have been "sipping our own champagne" (like eating dogfood, only less disgusting) by using cloud computing extensively. For several years we used the cloud for test and development and in mid-2009 we moved production servers into the cloud.

Mobile malware will test Android and iPhone

01/12/10

2009 ushered in mobile malware with the first (and second) iPhone worm appearing just before Christmas. I strongly suspect that 2010 will be a pivotal year in the development of mobile malware. Smartphone software platforms and devices have become sophisticated and flexible enough to allow self-propagating malware and in a world where 9-year-olds are seen holding BlackBerries, the exposure surface is certainly big enough.

Hot security predictions for 2010

12/16/09

Looking forward to 2010 while trying to erase the memory of 2009 -- here are my security predictions for the new year.

Security review: Good riddance to 2009

12/01/09

Looking back at 2009, I'm sure I will not be alone in celebrating the end of the year with gusto. 2009 was a difficult year for most, with a slow recovery and challenging business conditions. Let's see how I did predicting security trends in 2009.

iPhone security problems bring new risks

11/11/09

In just four days, not one but two worms targeting the iPhone have emerged. Both of the worms target the same vulnerability, a default password in the SSH server that is installed on jail-broken iPhones. While one worm is a mostly a nuisance, the second siphons personal information from the iPhone, which makes it a serious identity theft threat.

Practical identity protection you can use

10/27/09

Is it Christmas already? I'm beginning to receive informative e-mails about evil hackers who want to steal my identity during the dangerous (and ever lengthening) holiday season. As usual the advice ranges from lame to impossible.

New secure password rules

09/29/09

Between hardware keyloggers, software keyloggers, trojans and shoulder surfing, the whole idea of keeping a "secret word" is ridiculous.

Cloud security through control vs.ownership

09/15/09

Cloud computing makes auditors cringe. It's something we hear consistently from enterprise customers: it was hard enough to make virtualization "palatable" to auditors; cloud is going to be even harder. By breaking the links between hardware and software, virtualization liberates workloads from the physical constraints of a single machine. Cloud takes that a step further making the physical location irrelevant and even obscure.

Data leakage prevention going mainstream

09/01/09

Data leakage or data loss prevention systems have gradually entered the mainstream as their increasing maturity has allowed increasing adoption. From barely registering in our research two years ago, we now find different forms of DLP in about one-third of enterprises in Nemertes Research's spring 2009 benchmark study.

Managed security services all the rage

08/19/09

It's an understatement to say that IT organizations face exceptionally challenging times. For many, budget cutbacks for 2009 were worse than predicted.

Security job security

08/05/09

It's a good time to work in the security field. Nemertes has completed it's research benchmark for the first half of 2009, incorporating interviews with IT and security executives during a recession. The research participants told us that they consider security and compliance spending to be "recession proof", third only to data network and voice/telecom spending.

The cost of not reaching IT project closure

07/08/09

All things, good and bad, eventually come to an end. Philosophers have told us this in many variations for at least three or four thousand years. In IT we seem to have exquisitely intricate plans for starting new things: projects, applications, users, policies. Yet we seem to always forget to plan for their eventual end: the closure of projects, the removal of applications, the retirement of servers and the departure of users. Why do we find it so hard to achieve closure?

Iran's data leakage 'problem'

06/24/09

In the wake of Iran's statistically and historically dubious election results, the world has been glued to screens (both TV and IP) watching the unfolding protests and violence. Despite a complete media and communications blackout, the videos, photos and messages are leaking out continuously. But how are all these leaks occurring?

Building a data center security architecture

06/10/09

Data center architecture has been changing quite dramatically over the past few years. In many data centers, organic growth had left them broken up into application silos. The standard three-tier architecture was copied for each application leading to a fairly hierarchical network. In this architecture, some core security services, such as firewalls and intrusion prevention, were concentrated at the root of the network tree, closest to the ingress routers and around any DMZs.

Why we need a single, strong federal privacy law

05/26/09

Regulatory compliance continues to be the main driver for security spending in almost all industries. But in essence, compliance is assymetrical warfare: it costs a lot more to comply with new regulations than it does to write them.

Dark cloud computing

05/12/09

Cloud computing offers tremendous promise for the future of computing. In the cloud you will be able to link together remote computing resources to achieve massive amounts of computing without any of the capital infrastructure costs.

The Kilo-Day threat and mundane security

04/29/09

In the security business we spend a lot of time worrying about the "zero-day" threat that appears out of nowhere and immediately starts attacking a hereto unknown vulnerability.

UC security: When the shoe doesn't fit -- compress the foot

04/14/09

If your security model is location-centric and depends on keeping things separate, how do you respond to a disruptive technology like unified communications? This is a pattern that keeps repeating in many different areas: the security paradigm looked good until a technology comes along, changes the assumptions and reveals the inadequacy of the model.

Do I own my machine?

03/31/09

The built-in Webcam light is on. It shouldn't be on. I'm not using any recording, video-conferencing or photo applications. Why is it on? Is someone watching me? It's at times like this I get the eerie feeling that I don't actually, fully and completely own my machine. Turns out it was a driver problem, all fixed now. But I still can't shake that feeling.

Digital healthcare stimulus brings opportunities, risks

03/18/09

Healthcare in the United States is going digital, which brings both tremendous opportunities and security risks. Digital healthcare brings the promise of increased quality of care, reduced errors and reduced cost and overhead in the provision of care. Yet the United States lags other countries in the use of technology in healthcare records. Fewer than 10% of hospitals and 16% of doctors use electronic health records. This is about to change.

The fantasy and reality of government security

03/03/09

In the movies the government has always got the best toys, the cutting edge technology and the tightest security standards. Those who have worked on security projects within the government know that in real life government security standards and implementations can vary all across the range from quite serious to laughable.

ATM hack: Organized crime or market forces?

02/17/09

In November of 2008, a single scam netted more than $9m in a global ATM heist. According to the FBI the attackers compromised pre-paid payroll cards from RBS WorldPay and gift cards, launching a coordinated attack against more than 130 ATMs in 49 cities around the world. The cards were exploited by "cashers" who withdrew money during a single 30 minute window.

Rogue Firefox add-ons bring security risks

02/03/09

Security is as much about choices as it is about policies. Which software solution you pick is as important as how you configure and use it. With the vast majority of threats today coming from the Web, the choice of browser is critical. With few exceptions, most Web sites are cross-browser compatible. Choosing a browser is less about compatibility and more about usability and security.

Virtualization security: So far nothing

01/20/09

In April 2004 I wrote my first article on the topic of virtualization security. I was trying to bring attention to the security aspects of this "new" technology that was getting quite a bit of hype at the time. The hope was that this time security would not be an afterthought, that we would reverse the equine-escape/egress-closure sequence. The naivete of youth!

On botnets, encryption and mega-worms: Security predictions for 2009

12/30/08

My predictions for information security in 2009 are just predictions, not recommendations. I am trying to guess what will happen, not suggesting what should. As always, take these with a grain of salt.

More