Network World

Security: Risk and Reward

By Andreas M. Antonopoulos

Search Security: Risk and Reward

Antonopoulos is a senior vice president and founding partner at Nemertes Research, a leading independent technology research firm. Contact him.

This column is also available as an e-mail newsletter called Security in Practice. Sign up to receive the newsletter here:

iPhone security problems bring new risks: 11/11/09; In just four days, not one but two worms targeting the iPhone have emerged. Both of the worms target the same vulnerability, a default password in the SSH server that is installed on jail-broken iPhones. While one worm is a mostly a nuisance, the second siphons personal information from the iPhone, which makes it a serious identity theft threat.
Practical identity protection you can use: 10/27/09; Is it Christmas already? I'm beginning to receive informative e-mails about evil hackers who want to steal my identity during the dangerous (and ever lengthening) holiday season. As usual the advice ranges from lame to impossible.
New secure password rules: 09/29/09; Between hardware keyloggers, software keyloggers, trojans and shoulder surfing, the whole idea of keeping a "secret word" is ridiculous.
Cloud security through control vs.ownership: 09/15/09; Cloud computing makes auditors cringe. It's something we hear consistently from enterprise customers: it was hard enough to make virtualization "palatable" to auditors; cloud is going to be even harder. By breaking the links between hardware and software, virtualization liberates workloads from the physical constraints of a single machine. Cloud takes that a step further making the physical location irrelevant and even obscure.
Data leakage prevention going mainstream: 09/01/09; Data leakage or data loss prevention systems have gradually entered the mainstream as their increasing maturity has allowed increasing adoption. From barely registering in our research two years ago, we now find different forms of DLP in about one-third of enterprises in Nemertes Research's spring 2009 benchmark study.
Managed security services all the rage: 08/19/09; It's an understatement to say that IT organizations face exceptionally challenging times. For many, budget cutbacks for 2009 were worse than predicted.
Security job security: 08/05/09; It's a good time to work in the security field. Nemertes has completed it's research benchmark for the first half of 2009, incorporating interviews with IT and security executives during a recession. The research participants told us that they consider security and compliance spending to be "recession proof", third only to data network and voice/telecom spending.
The cost of not reaching IT project closure: 07/08/09; All things, good and bad, eventually come to an end. Philosophers have told us this in many variations for at least three or four thousand years. In IT we seem to have exquisitely intricate plans for starting new things: projects, applications, users, policies. Yet we seem to always forget to plan for their eventual end: the closure of projects, the removal of applications, the retirement of servers and the departure of users. Why do we find it so hard to achieve closure?
Iran's data leakage 'problem': 06/24/09; In the wake of Iran's statistically and historically dubious election results, the world has been glued to screens (both TV and IP) watching the unfolding protests and violence. Despite a complete media and communications blackout, the videos, photos and messages are leaking out continuously. But how are all these leaks occurring?
Building a data center security architecture: 06/10/09; Data center architecture has been changing quite dramatically over the past few years. In many data centers, organic growth had left them broken up into application silos. The standard three-tier architecture was copied for each application leading to a fairly hierarchical network. In this architecture, some core security services, such as firewalls and intrusion prevention, were concentrated at the root of the network tree, closest to the ingress routers and around any DMZs.
Why we need a single, strong federal privacy law: 05/26/09; Regulatory compliance continues to be the main driver for security spending in almost all industries. But in essence, compliance is assymetrical warfare: it costs a lot more to comply with new regulations than it does to write them.
Dark cloud computing: 05/12/09; Cloud computing offers tremendous promise for the future of computing. In the cloud you will be able to link together remote computing resources to achieve massive amounts of computing without any of the capital infrastructure costs.
The Kilo-Day threat and mundane security: 04/29/09; In the security business we spend a lot of time worrying about the "zero-day" threat that appears out of nowhere and immediately starts attacking a hereto unknown vulnerability.
UC security: When the shoe doesn't fit -- compress the foot: 04/14/09; If your security model is location-centric and depends on keeping things separate, how do you respond to a disruptive technology like unified communications? This is a pattern that keeps repeating in many different areas: the security paradigm looked good until a technology comes along, changes the assumptions and reveals the inadequacy of the model.
Do I own my machine?: 03/31/09; The built-in Webcam light is on. It shouldn't be on. I'm not using any recording, video-conferencing or photo applications. Why is it on? Is someone watching me? It's at times like this I get the eerie feeling that I don't actually, fully and completely own my machine. Turns out it was a driver problem, all fixed now. But I still can't shake that feeling.
Digital healthcare stimulus brings opportunities, risks: 03/18/09; Healthcare in the United States is going digital, which brings both tremendous opportunities and security risks. Digital healthcare brings the promise of increased quality of care, reduced errors and reduced cost and overhead in the provision of care. Yet the United States lags other countries in the use of technology in healthcare records. Fewer than 10% of hospitals and 16% of doctors use electronic health records. This is about to change.
The fantasy and reality of government security: 03/03/09; In the movies the government has always got the best toys, the cutting edge technology and the tightest security standards. Those who have worked on security projects within the government know that in real life government security standards and implementations can vary all across the range from quite serious to laughable.
ATM hack: Organized crime or market forces?: 02/17/09; In November of 2008, a single scam netted more than $9m in a global ATM heist. According to the FBI the attackers compromised pre-paid payroll cards from RBS WorldPay and gift cards, launching a coordinated attack against more than 130 ATMs in 49 cities around the world. The cards were exploited by "cashers" who withdrew money during a single 30 minute window.
Rogue Firefox add-ons bring security risks: 02/03/09; Security is as much about choices as it is about policies. Which software solution you pick is as important as how you configure and use it. With the vast majority of threats today coming from the Web, the choice of browser is critical. With few exceptions, most Web sites are cross-browser compatible. Choosing a browser is less about compatibility and more about usability and security.
Virtualization security: So far nothing: 01/20/09; In April 2004 I wrote my first article on the topic of virtualization security. I was trying to bring attention to the security aspects of this "new" technology that was getting quite a bit of hype at the time. The hope was that this time security would not be an afterthought, that we would reverse the equine-escape/egress-closure sequence. The naivete of youth!
On botnets, encryption and mega-worms: Security predictions for 2009: 12/30/08; My predictions for information security in 2009 are just predictions, not recommendations. I am trying to guess what will happen, not suggesting what should. As always, take these with a grain of salt.
The security prognosticator is in: 12/10/08; At the end of 2007 I wrote a column on the future of security in 2008. Now it's time to look back at my look ahead and see how it all went.
No one gets fired for banning IM: 11/25/08; The argument for security that enables business risk where the risk brings a compelling ROI or competitive differentiation
When insiders attack: How recessions make good people do bad things: 11/12/08; Whom can you trust? In security, many of us nurture a healthy sense of paranoia and tend to be distrustful. But as human beings, as social beings, we form bonds of trust with those around us.
How to sustain security on a tight budget: 10/28/08; Whether you believe we are in or about to enter a recession, IT budgets are certainly tightening up for 2009.