Sunday, July 31, 2005

If U see say...

This image of today's security awareness is self-explanatory...
When we look at security awareness, the simplest universal principles always apply. Security cannot be implemented by a police force with very limited resources, whether in the public or in the corporate domain. Security is everyone's business. Moreover, this principle applies equally well to logical security, information security, personal security, homeland security...

Saturday, July 30, 2005

Can security be measured in time?

Sometimes the simplest ideas stand the test of time... one can easily remember E = mc²...

What if one could apply a similarly simple principle to security? "Time Based Security" was published by Winn Schwartau back in 1998, but it still stands the test of time today (ISBN 0-672-31341-3). The foundation of Time Based Security (TBS) is a simple equation designed to contrast the importance of Protection, Detection, and Reaction. The equation put forward, P > D + R, provides the key elements of TBS: the time provided by Protection (controls and countermeasures) must be greater than the time required to Detect (realize a breach has taken place) and React (respond effectively to the attack).

The principle is quite simple: no security will ever work if we focus only on protection (fortress mentality). One must spend much more effort on the detection of and response to attacks. The level of security we can achieve will be highly dependent on that level of agility.

Timebased security book

Failures of Security starts with U

We continue to deploy sophisticated technologies in security. These technologies include firewalls, anti-virus, anti-spam, intrusion detection, biometrics, encryption and many more... But no matter how sophisticated they are, it never seems to be enough. The attacks continue to bypass them, sometimes with very little effort. So today's in-security requires much more than technology.

The latest phishing attacks provide the simplest proof of how fragile our infrastructure, based on on-the-run technology, really is.

Security in today's world requires two very simple elements. Easy to say, but much harder to implement. These elements are:
- up to date skills, knowledge and awareness
- discipline (the process must occur and not be bypassed)

So next time U think security: are your processes and skills up-to-date...

Major Vendor Harasses Security Researcher

Colleague Bruce Schneier highlights the fact that in today's busine$$-focused world, tough decisions about information security disclosure must be made every day...

Cisco Harasses Security Researcher...

"I've written about full disclosure, and how disclosing security vulnerabilities is our best mechanism for improving security -- especially in a free-market system. (That essay is also worth reading for a general discussion of the security trade-offs.) I've also written about how security companies treat vulnerabilities as public-relations problems first and technical problems second. This week at BlackHat, security researcher Michael Lynn and Cisco demonstrated both points."

For those who want to know more about this critical exposure: Cisco IPv6 Crafted Packet Vulnerability. Cisco devices running Internetwork Operating System (IOS) "that have been explicitly configured to process IPv6 traffic" are susceptible to a denial of service (DoS) and potentially the arbitrary execution of code (Buffer Overflow).
The Cisco Advisory can be found here.