This blog is about understanding, auditing, and addressing risk in cloud environments. Systems and architectures are rapidly converging, hiding complexity with additional layers of abstraction. Simplicity is great for operations - as long as risks are understood and addressed.
[EM]: "I went off on a bit of a rant today about hardening. In the interest of disclaimers, I would like to make it abundantly clear that I was raised in a world where *hardening is king*. If you didn't harden you were compromised very quickly. Unfortunately it is now at least 10 years later if not more and still very few, if any, systems are hardened.
Of course I asked the twitters and frankly they did not give me the answers I sought. I was looking for answers such as "Of course we harden our systems." or, "Naturally most of the clients I work with harden their external systems." Well I didn't get those answers. The best I got was "I am just happy if they patch." .... [ouch.]
Absolutely love this research from Gartner. Fantastic job guys.
You Care Because: There are several viable risk management frameworks our customers can use for assessing and building security into Vblock Systems. The program is far less important than the execution. There are several similar sports, business, and personal analogies.
Gartner For Technical Professionals - Comparing Methodologies for IT Risk Assessment and
Authors: Ben Tomhave, Erik T. Heidt & Anne Elizabeth
Bottom Line: Which method you choose for IT risk assessment and risk analysis is far less important than ensuring that the selected methodology is operationalized and a good fit for the corporate culture. It is more important to start somewhere, getting a process in place that integrates with existing or emerging risk management processes, and then scaling and evolving practices over time. The selected approach must be able to produce output that is meaningful to management, and supporting processes must account for assumptions, documentation and potential gaming of the system. Tools should be leveraged, where possible, to ease method adoption.
100 percent of companies have systems calling malicious malware hosts. Investigations of multinational companies show evidence of internal compromise. Suspicious traffic is emanating from their networks and attempting to connect to questionable sites.
Threats grow: 14 percent year over year – new alerts
Market verticals: The rate of malware goes up or down as the value of a particular vertical’s goods and services rises or declines.
37 billion “intelligent things” connected to the Internet by 2020.
Old blogs and idle domains: Millions of abandoned blogs and purchased domains sitting idle, and many of them are probably now owned by cybercriminals. Cisco security experts predict the problem will only worsen as more and more people in emerging Internet markets around the globe establish a blog or a website, only to let it languish later.
Making noise: DDoS attacks are increasingly being used to conceal other nefarious activity, such as wire fraud before, during, or after a campaign.
Talent shortage: It’s estimated that by 2014, the industry will still be short more than a million security professionals across the globe.
Cloud computing: For smaller organizations or those with budget constraints, a well-protected and well-managed cloud service can offer more security safeguards than a business’s own servers and firewalls.
Security Objectives for 2014: Verifying Trustworthiness and Improving Visibility
Special note for Java:
76 percent of enterprises using Cisco solutions are also using the Java 6 Runtime Environment, in addition to Java 7. Java 6 is a previous version that has reached its end of life and is no longer supported.
Java comprises 91 percent of web exploits.
97 percent of enterprise desktops run Java.
Impressive statistics – Cisco evaluates:
16 billion web requests are inspected daily through Cisco Cloud Web Security
93 billion emails are inspected daily by Cisco’s hosted email solution
Coming off of an awesome time freezing in the cold night around a large fire pit, eating brisket with friends at David Cowen's home. Called man night, it's a time for a bunch of old hacks to tell stories of early day phone phreaking, ISP hacking, and other stuff that was usually benign and flat-out funny. Thrown in the mix, stories of partying and playing pranks at early hacker conferences. Just a fantastic group of guys.
So… This jumped out at me while reviewing the weekly Cisco Cyber Risk Report. Here is a list of upcoming (larger) conferences that may be of interest:
Reminded today of the breadth of Cisco security information. Sharing the direct links below. Believe that they offer a lot more information than some people realize. In particular, one of my favorites is the Cisco Cyber Risk Report. You can find this here: http://tools.cisco.com/security/center/cyberRiskReport.x