Thursday, March 6, 2014

Elizabeth Martin System Hardening Rant.......

Interesting rant from Elizabeth Martin. I'm a new fan!

[EM]: "I went off on a bit of a rant today about hardening. In the interest of disclaimers, I would like to make it abundantly clear that I was raised in a world where *hardening is king*. If you didn't harden, you were compromised very quickly. Unfortunately, it is now at least 10 years later, if not more, and still very few, if any, systems are hardened.

Of course I asked the twitters, and frankly they did not give me the answers I sought. I was looking for answers such as 'Of course we harden our systems' or 'Naturally, most of the clients I work with harden their external systems.' Well, I didn't get those answers. The best I got was 'I am just happy if they patch.'" .... [ouch.]

Awesome Comparison of Risk Methodologies

Absolutely love this research from Gartner. Fantastic job guys.
You Care Because: There are several viable risk management frameworks our customers can use for assessing and building security into Vblock Systems. The program is far less important than the execution. There are several similar sports, business, and personal analogies.

Gartner for Technical Professionals: Comparing Methodologies for IT Risk Assessment and Analysis

Authors: Ben Tomhave, Erik T. Heidt & Anne Elizabeth Robins

To access this research, visit www.gartner.com.

In-Scope Methods:

  • FAIR
  • ISACA COBIT 5
  • ISF IRAM
  • ISO/IEC 31000:2009 and 27005:2011
  • MAGERIT
  • NIST Special Publication 800-30
  • OCTAVE Allegro
  • RiskSafe

Summary of Findings (page 3)

Bottom Line: Which method you choose for IT risk assessment and risk analysis is far less important than ensuring that the selected methodology is operationalized and a good fit for the corporate culture. It is more important to start somewhere, getting a process in place that integrates with existing or emerging risk management processes, and then scaling and evolving practices over time. The selected approach must be able to produce output that is meaningful to management, and supporting processes must account for assumptions, documentation and potential gaming of the system. Tools should be leveraged, where possible, to ease method adoption.

Tuesday, February 18, 2014

Cisco 2014 Annual Security Report - An Erosion of Trust

Get the report here: http://www.cisco.com/web/offers/lp/2014-annual-security-report/index.html

Selected highlights:
  • 100 percent of companies have systems calling known malware hosts. Investigations of multinational companies show evidence of internal compromise: suspicious traffic is emanating from their networks and attempting to connect to questionable sites.
  • Threats grow: new threat alerts are up 14 percent year over year.
  • Market verticals: The rate of malware goes up or down as the value of a particular vertical’s goods and services rises or declines.
  • 37 billion “intelligent things” connected to the Internet by 2020.
  • Old blogs and idle domains: Millions of abandoned blogs and purchased domains sitting idle, and many of them are probably now owned by cybercriminals. Cisco security experts predict the problem will only worsen as more and more people in emerging Internet markets around the globe establish a blog or a website, only to let it languish later.
  • Making noise: DDoS attacks are increasingly being used to conceal other nefarious activity, such as wire fraud committed before, during, or after the attack campaign.
  • Talent shortage: It’s estimated that by 2014, the industry will still be short more than a million security professionals across the globe.
  • Cloud computing: For smaller organizations or those with budget constraints, a well-protected and well-managed cloud service can offer more security safeguards than a business’s own servers and firewalls.
  • Security Objectives for 2014: Verifying Trustworthiness and Improving Visibility
Special note for Java:
  • 76 percent of enterprises using Cisco solutions are also using the Java 6 Runtime Environment, in addition to Java 7. Java 6 is a previous version that has reached its end of life and is no longer supported.
  • Java comprises 91 percent of web exploits.
  • 97 percent of enterprise desktops run Java.
Impressive statistics – Cisco evaluates:
  • 16 billion web requests are inspected daily through Cisco Cloud Web Security
  • 93 billion emails are inspected daily by Cisco’s hosted email solution
  • 200,000 IP addresses are evaluated daily
  • 400,000 malware samples are evaluated daily

Monday, December 23, 2013

Upcoming Security Conferences

Coming off of an awesome time freezing in the cold night around a large fire pit, eating brisket with friends at David Cowen's home. Called "man night", it's a time for a bunch of old hacks to tell stories of early-day phone phreaking, ISP hacking, and other stuff that was usually benign and flat-out funny. Thrown into the mix were stories of partying and playing pranks at early hacker conferences. Just a fantastic group of guys.

So… this jumped out at me while reviewing the weekly Cisco Cyber Risk Report. Here is a list of upcoming (larger) conferences that may be of interest:
  • SHMOOCON 2014: January 17–19, 2014
  • Cisco Live Milan: January 27–31, 2014
  • RSA Conference USA 2014: February 24–28, 2014
  • Cisco Live Melbourne: March 18–21, 2014
  • Black Hat Asia: March 25–28, 2014
  • Infosecurity Europe: April 29–May 1, 2014
  • Cisco Live 2014: May 18–22, 2014