Friday, February 09, 2007

Not just Microsoft - Outside the OS

I just got back from a trip to Germany, attending an event called IT Defense in Leipzig. It's run by a reseller for the company I work for, a company called Cirosec (www.cirosec.de). I was lucky enough to see presentations from some of the world's great talents in Information Security, including Kevin Mitnick with his excellent thoughts on social engineering, and one from Marc Maiffret from eEye Security (Marc is the Chief Hacking Officer).

As well as visually showing us a hack into Vista (well, that took a long time coming, didn't it??), he went into great detail about the way that attackers seem to be concentrating on non-Microsoft applications. The reason is clear: Microsoft, despite their obvious issues, have gotten better at security. Applications from the likes of Apple, Symantec, McAfee, IBM and Adobe are now the ones being exploited, and not just by the intelligent hacker. Check out tools like Metasploit (www.metasploit.org) and you will see how easy it is to take advantage of flaws within many of the applications that have become ubiquitous on our desktops.

The answer is clear: update to the latest versions, install the patches that have been released, and understand which of your users have these applications installed (do you know how many iTunes users you have?).

The tools currently available to you may not offer that, so my advice is that whatever you choose, you ensure that the following criteria are met:

  1. Does your solution provide you with a real-time view of the applications installed?
  2. Does it provide visibility and control in heterogeneous environments?
  3. Does your solution allow you to distribute patches to non-Microsoft applications?
  4. Does your solution provide you with the ability to enforce policy by allowing or disallowing applications?

I don't mind which solution you decide to use, but if you follow these key points, you can only make your user base (and therefore your data) safer.
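To make the "know how many iTunes users you have" point concrete, here is a small Python check, added as an example for this post and not code from the original or from any vendor product. It takes a per-host inventory of installed applications and evaluates it against a policy of minimum approved versions plus a deny list, which is the substance of criteria 1, 3 and 4 above. The inventory, hostnames, users and version baselines are all constructed for the example and are not real data; on a Windows estate the raw records would come from the DisplayName and DisplayVersion values under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall (and the Wow6432Node equivalent), collected by whatever agent or script you already have.

```python
"""Endpoint application inventory and patch/policy check.

Added example, not the original post's code. Evaluates a constructed
per-host inventory of installed non-Microsoft applications against a simple
policy: a minimum approved version per application and a deny list.
"""
import re

# Constructed sample inventory: (host, primary user, application, installed version).
INVENTORY = [
    ("LT-001", "alice", "iTunes", "7.0.2.16"),
    ("LT-001", "alice", "Adobe Reader", "7.0.9"),
    ("LT-002", "bob", "Adobe Reader", "8.0"),
    ("LT-002", "bob", "Kazaa", "3.2.5"),
    ("LT-003", "carol", "iTunes", "6.0.5"),
    ("LT-003", "carol", "QuickTime", "7.1.3"),
    ("LT-004", "dave", "QuickTime", "7.0.4"),
    ("LT-004", "dave", "Mozilla Firefox", "2.0.0.1"),  # no policy entry: reported in counts only
]

# Hypothetical policy values chosen for the example; they are not vendor baselines.
MIN_VERSION = {"iTunes": "7.0.2", "Adobe Reader": "8.0", "QuickTime": "7.1.3"}
DENY = {"Kazaa"}


def parse_version(text):
    """Turn '7.0.2.16' into (7, 0, 2, 16); non-numeric suffixes such as 'rc1' are dropped."""
    parts = []
    for piece in text.split("."):
        match = re.match(r"\d+", piece.strip())
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def version_lt(installed, required):
    """True if installed < required. Pads with zeros so '8.0' compares equal to '8.0.0'."""
    a, b = parse_version(installed), parse_version(required)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def users_with(inventory, app):
    """The set of users who have a given application installed."""
    return {user for _host, user, name, _version in inventory if name == app}


def install_counts(inventory):
    """Distinct users per application across the whole inventory."""
    apps = {name for _host, _user, name, _version in inventory}
    return {name: len(users_with(inventory, name)) for name in apps}


def evaluate(inventory, min_version=MIN_VERSION, deny=DENY):
    """Split the inventory into records needing a patch and records violating the deny list.

    A denied application is reported as a violation regardless of version;
    applications with no policy entry are left alone.
    """
    outdated, denied = [], []
    for record in inventory:
        _host, _user, name, version = record
        if name in deny:
            denied.append(record)
        elif name in min_version and version_lt(version, min_version[name]):
            outdated.append(record)
    return outdated, denied


def report(inventory):
    """Human-readable summary covering counts, patch backlog and policy violations."""
    outdated, denied = evaluate(inventory)
    lines = ["Installed applications (distinct users):"]
    for name, count in sorted(install_counts(inventory).items()):
        lines.append(f"  {name}: {count}")
    lines.append("Needs patching:")
    for host, user, name, version in outdated:
        lines.append(f"  {host} ({user}): {name} {version} < {MIN_VERSION[name]}")
    lines.append("Policy violations (denied application present):")
    for host, user, name, version in denied:
        lines.append(f"  {host} ({user}): {name} {version}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(INVENTORY))
```

The version comparison is the part that usually goes wrong in home-grown checks: comparing "7.0.9" and "8.0" as strings, or as tuples of unequal length, gives wrong answers, so the example normalises both sides before comparing. Replacing the constructed INVENTORY with real records from your inventory tool is the only change needed to run it against an estate.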


Friday, February 02, 2007

So what's the new BIG thing???

I have been looking in on a few blogs recently, most notably those of Amrit Williams (http://techbuddha.wordpress.com/), nCircle (http://blog.ncircle.com/) and StillSecure (http://www.stillsecureafteralltheseyears.com/ashimmy/).

These guys have been blogging about security for a long time and talking about it for longer than that, but I wonder if any of them have a clue about what's going to be the next big thing? When I say the next BIG thing, I mean the next real move in security. Alan @ StillSecure thinks NAC, but then, as far as I can tell, that's what he does. Amrit thinks it's going to be data protection, which is interesting because isn't that what EVERYONE does? I mean, that's infosecurity, right? It's like saying that the next big thing in boxing is going to be knocking people out. It's the point of the game.

So I made a comment on Amrit's blog about the next big thing being data protection at the endpoint, the endpoint being the laptop. I have a laptop and I bet that everyone reading this blog has one too. What data do you have on it? Is it sensitive data? Is it secure?

The answer for many is that it probably IS secured by a password or an encryption program, but what is stopping you from giving that data to someone else?

The next BIG thing is doing what we have always done: data protection. But it's about doing it everywhere.... and that's going to be a challenge.

Infosecurity - JUST a US affair??

The title of this blog is Infosecurity - Thoughts of a Brit in Cyberspace. The Infosecurity part is obvious; it's what I do. However, I want to comment on the Brit part. Of course, it could be construed as being obvious too. After all, I am a Brit, but the role of countries outside of the US in Infosecurity seems to be to follow whatever America is doing.

I don't know if that is a good thing. The rest of the world has differing needs, different work practices and different regulations. For instance, in Germany you are not allowed to monitor an employee's machine for many kinds of information that you ARE allowed to monitor in the US. This leads to the majority of vendor products not matching the requirements of companies based in Germany, and Germany has some of the biggest companies (by number of employees) in the world.

This "internalised" view of the needs of the user is quite an annoying thing when you work for one of these companies (as I do). You feel the frustration every day. Now don't get me wrong, I am not US-bashing here. I just wish that they would consider other countries when they do anything......

Thursday, February 01, 2007

Skype @ Work???

I think that Skype has a real issue convincing the Security Officers and Network Admins of this world that they should allow the use of its software within the corporate domain.

Aside from the obvious history of the people involved in Skype (anyone remember Kazaa?), the fact that it was built to evade the efforts of all those concerned with stopping it leads many to think it should be banned by default.

I think, like all security, you need to make a call based upon your requirements and the environment the user is in. If you have travelling users then Skype can be a godsend: it can save thousands on phone bills, especially when you are holding conference calls etc.

I travel regularly to the US and I can tell you, before Skype, my phone bill was astronomical, regularly running over £1000 for that particular month.

When I am in the office, however, I can use the phone there and gain all the benefits that arise from the system we have invested in.

So the answer, like anything, is to have a policy based on the situation....and then ensure that you have a way of enforcing it.


http://www.theregister.co.uk/2007/02/01/facetime_skype/