Wednesday, December 28, 2011

Your Portable vCloud Director Lab

How many times have you been called upon to audit, evaluate, or comment on a new technology you've never seen? As auditors we like to experiment, touch, and learn about the technologies we're assessing. Here's a fantastic way to get up to speed on vCloud Director. You can install vCD on a laptop, carry it to a team meeting, and show off the highlights.

Credit where it is due: I first read about this in Duncan Epping's Yellow Bricks blog post, http://www.yellow-bricks.com/2011/11/18/doing-a-vcloud-director-proof-of-concept, which was sent to me by Jeramiah Dooley. Both maintain blogs I highly recommend.
"...no more installing Red Hat, Oracle and vCloud Director. Just download the appliance and deploy it. On top of that there is a great vCloud Director Evaluators Guide which will help you to evaluate the product.
If you haven't done anything with vCloud Director before the following articles might also be worth reading; note that these are 1.0 based articles but most of the content is still valid today."
Here is the list of resources found on the vCloud Director virtual appliance download page under Installation and Configuration. Note that these just scratch the surface of all the resources VMware offers.

Product Documentation


Technical Whitepapers

Thursday, December 15, 2011

VMware Compliance Checkers

How about something for FREE!

Some people were asking about this today and I thought I would share here.

There are hundreds of compliance tools and checkers on the market. How about these two gems from VMware? Do you have concerns with PCI and environment compliance with the Data Security Standard? How about a free tool from VMware that checks this for you? How about another free tool that checks your environment against their VMware vSphere Hardening Guidelines? Free.

Tuesday, December 13, 2011

Friday, December 9, 2011

Cloud Security and GRC: Internal Controls

Environmentally Friendly.

Here's the flow of a security presentation I sometimes use to stimulate thought and focus around controls: how they can be orchestrated and coordinated to deliver contextually rich views of the environment that are relevant to both information security and cloud auditing.


Environmentally Relevant. 

The enormous data set produced by monitoring and management tools delivers useless information if the data isn't comprehensive of its environment. Several years ago I worked for a Network Access Control (NAC) company. During Proof of Concept demonstrations we often found more devices on the network than the organization thought was possible. It wasn't uncommon to discover 15-20% more than a company thought they had on the network. One particular example found, not kidding, 20,000+ devices more than the estimated 40,000 devices the company thought they had worldwide. Yes, this is extreme. But it's also those experiences that drive my belief that you have to know what you have before you can secure it. 

Here is how I summarize action items during discussions around this topic.


Thursday, December 8, 2011

FedRAMP is Official.

Just a quick note to let people know if they hadn't already heard about it. The SP 800-53 rebranding that produced Government Cloud 1.0 (my words), or FedRAMP, is now official.

There are some key takeaways from this that perhaps we'll go into more detail later. First, you can find out all about FedRAMP here: www.fedramp.gov, and you can find the NIST Cloud landing page at www.nist.gov/itl/cloud. Note the requirement for a third party audit from an authorized organization prior to authorized operations. See more of that here: 3PAO Information.
"Please attend the Industry Day on December 16, 2011 for additional information on the Program and the 3PAO application process. Please register for the event by COB Wednesday December 14, 2011 via the following URL: http://bit.ly/FedRAMP3PAOIndustryDay"
The main takeaway: notice that the security concepts didn't change. You still have access controls. You still have perimeter defenses. The same control standards (SP800-53) applied to today's systems were applied to this new fearsome beast called the cloud. Do the solutions and implementations change? Certainly! And the fundamentals still remain the same. Now onto the next post:).

Mapping Controls: Challenges, Opportunities, Surfing

One Man's Challenge.

Mapping controls is all the rage (pun) and today's faddish exercise. Come on. You know you want some of that. Can you think of anything more fun than trying to find all of the standards, regulations, vendor guides, best practice documents, and Christmas Cookie recipe books?? How about actually reading them?? And then creating a massive spreadsheet mapping (your best) interpretation of what (you think) might be individual controls across each of them so that you can track your compliance? And... wait for it... just as we're getting started in all of this, don't forget that every good corporate citizen is intimately familiar with the policies you've painstakingly written and tracked back to each authority document.

Is Another Man's Opportunity.

Enter the likes of the IT Unified Compliance Framework (ITUCF) (with their nice snazzy website update over the last year..). Their objective early in the game several years ago was to identify and correlate authority sources and documents from government agencies, standards bodies, and vendors. Massive undertaking. Simply massive. This is the classic case of how to put an elephant to sleep. Read one authority document at a time.

Opportunistic entrepreneurs and vendors created software tools to help manage the C in GRC. Many leverage (license) in whole or part the work of the ITUCF. Some target the entire enterprise, and others only IT. Consider the following from the well respected Michael Rasmussen of Corporate Integrity:
"The GRC software space is vast with numerous vendors. In fact, in my market models there are over 400 GRC software providers that span 28 primary categories (with numerous sub-categories) of GRC related software. Nine of these categories encompass components of an enterprise GRC platform (though no vendor does all nine components), 19 of the categories are focused in specific business functions/processes of GRC. Of the 400 vendors, it is under 50 that market and present themselves in the enterprise GRC domain."
Enjoy the Wave Dude. Enjoy the Wave.

OK - So maybe it's not perfect, or you consider it biased, or have some other stigma that prevents you from enjoying the Magic Carpet Ride that is the Forrester Wave. I personally don't have the time to learn about every technology niche and vendor play. The summaries are fantastic. I've learned to filter the content and appreciate the organization. The best part? Someone else does the work, and the winner of whatever contest is showcased usually pays for your right to view the content. Why? Because they paid someone off? Or because they are thrilled with the results and want to showcase their peer praise to the world? Enjoy the Wave. It's a short ride.

And on the Short List.

The Forrester Wave™: Enterprise Governance, Risk, And Compliance Platforms, Q4 2011, led by Chris McClean, includes the following vendors: 
ARC Logics, BWise, Compliance 360, Enablon, IBM OpenPages, Mega, Methodware, MetricStream, Protiviti, RSA Archer, SAP, SAS, Thomson Reuters
The Forrester Wave™: IT Governance, Risk, And Compliance Platforms, Q4 2011, led by Chris McClean, includes the following vendors: 
Agiliance, ANXeBusiness, ControlCase, Easy2Comply, Modulo, RSA Archer, Rsam, Symantec

Please note
(1) There may be perfectly suited vendors that are NOT on this list because they address your particular market niche, pain point, or existing entrenched people/processes/technologies. 
(2) Plugging my Parent Company, EMC. RSA Archer was the only vendor listed as a Leader in both enterprise and IT GRC tools. I know the product well, know parts of the roadmap, and I really like what I see here. 
(3) Links to the Wave documents lead to RSA because of licensing. No registration required. Just click on the direct link on the right side of the landing page. 


Wednesday, December 7, 2011

Cloud Audit: Quality Services and Technical Briefs

Deliver a quality service. Keep the Customer Informed.

Have you ever taken a luxury car into the service department? The department knows you paid top dollar for that car. They want to make the experience as positive as possible. Notice how well informed you are about every detail? Notice how the service department goes to extraordinary lengths to ensure they are as non-disruptive as possible to your day. They are careful to keep you informed and set your expectations. You don't want to be there, and they know this.

One Small Secret to Great Service.

There are dozens of dirty little sales secrets you can adopt to improve the customer experience. One of my favorites is the Technical Brief. Starting a new audit? Do you receive common questions around a few topics? Would it be helpful to have informative short documents explaining what you will be doing with the systems and what tools you will use? How about the general audit process explaining what will be done, how long it typically takes, and how the data will be used? I've written up dozens of these over the years to explain a particular technology, process, tool, system usage, etc. Each is intentionally short, about a page or two in length, with the understanding that the reader can ask for additional detail if needed. 

Friday, December 2, 2011

Contextual Intelligence: A DARPA Project Wicked Cool Example

VMR: Visual Media Recognition
A fantastic video analogy for explaining rich context. 

State-of-the-art complex technologies handled ineffectively are ineffective. 
As a security professional, I want as much detail as possible that provides me assurance that my system's data is secure. Average auditors want enough data to validate compliance to their work papers. GREAT auditors want contextual data about the system to have assurance that data is secure, the system is operating as it should, and governance objectives (e.g. solution alignment, performance and capacity management) are met. GREAT auditors pay attention to multiple inputs during the data gathering process and correlate information in context to determine the veracity and completeness of the message.

Plain English? Push for the right controls, and push for centralized management and correlation of those controls into a cohesive process and system that makes sense to your administrators. I spend a lot of time speaking about the organization of your information and controls because I have seen and witnessed how excellent state-of-the-art complex technologies handled ineffectively are ineffective.

Now on to the Wicked Cool Project.
You probably have read stories or seen enough movies to understand the need to identify location details from a photograph or video. Maybe I watched too much Star Trek or read too many science fiction novels. This is cool!! Especially as an analogy for understanding as much about your environment as possible. This is particularly true in cloud (outsourced) environments.

There is a project from DARPA where they are "soliciting proposals for innovative research and development into creating a capability that can rapidly identify a range of information – Who, What, Where, and When– contained within a captured “noisy” photo or video image taken in theater by an adversary. The proposed research and development will investigate innovative approaches to visual image understanding, adaptation of existing techniques for novel purposes, and the integration of multiple visual processing algorithms and image datasets into a single, easy-to-use software system."

Here is the Wicked Cool Video.
http://www.darpa.mil/Opportunities/Solicitations/I2O_Solicitations_VMR_Concept_Video.aspx

Tuesday, November 29, 2011

Security and Auditing are Multidimensional. Not One. Not Two.

"Chris. Are you sure you want to move to IT Audit?"
I wasn't sure what to expect during the shift from corporate security to corporate audit. The IT Audit Manager, Mike Schiller, and IT Security Manager, Brian Wrozek, had done a phenomenal job aligning objectives and approaches. The commonality in our mission objectives and mutual respect between the two teams is part of the reason I felt so comfortable making the move.

"Mike!! Look at all the stuff I found on this one box!"
Mike wasn't impressed. "Chris. What's the objective of this system? Where is it located? What data is stored on this system? How long has it been in operation? What projects are in place that will be completed in the next couple of months that affect the controls on this system?"

My introduction to multiple dimensions... 
Mike patiently walked through every "finding" and discussed each one. When we were done, there were still issues with the system, but they were now more correctly framed in context of the business as an organic function, and not "just" a polarized point-in-time evaluation. His careful mentoring of the team built the understanding that our audits have to encompass a review of the systems, operational processes, and alignment to the business.

In a previous post, we discussed The Circle of Trust - Cloud Audit Assurance. Pulling the three cycles discussed in that post together, they overlay each other nicely to show the interrelationships between what you have (Assets), what you want to accomplish (Alignment), and how you are going to do it (Operations). This model is as complex or as simple as you would like. It's a question of detail. Until next time.... Here's the model again:


Monday, November 21, 2011

Circling Back: Repeatable Processes

Do you have any doubt - whatsoever - that a well-coached sports team with good talent can beat a loose gathering of the world's best talent? It takes more than talent to have repeatable success. Effective leadership and management provide purpose, methods and metrics for performing consistently at the top of your game. The fundamentals are taught early and revisited often in sports. Coaches want their players to master and lean into the basics under the stress of physical and mental exhaustion. It's what drives the extra effort in the last seconds, driving towards the goal, to square up your shot and follow through.


Mastering Fundamentals Takes Time. 
Malcolm Gladwell, in his book Outliers: The Story of Success, illustrates the strong correlation between the amount of time invested in a particular skill and the outcome. Mastery, according to his research, typically occurs after 10,000 hours (e.g. ~20 hours/week over 10 years). Examples included the obvious, such as athletes and musicians. Examples also included the not-so-obvious, such as Bill Gates programming for 10,000 hours prior to his break starting Microsoft.

Now - I'm not suggesting that developing an effective IT GRC program is going to take 10 years. However, I am suggesting that developing a strategy aligned with your business purpose, goals, and constraints is difficult to create, audit, and effectively manage. Also, it will take you longer than 10 years if you never start.


The Manager Administers; the Leader Innovates.

Warren Bennis wrote a list of differences between leadership and management in his book On Becoming a Leader. Read through some of them here in the context of the three cycles we discussed in the previous blog postings. Each cycle has to be managed to function, and each cycle requires leadership to innovate and respond to changing conditions.

Here's what happens when a system breaks down from a lack of experience and maturity that develops over time, working through difficult challenges. It's a flash back to the 2004 Olympic Men's Basketball team fielded by the inventors of the sport. Basketball and Apple Pie are about as American as it gets. That, and sweet tea in the South.

The individual parts in this particular system are among the best the world has ever seen. But they failed miserably as a team. They didn't know how to work together, and they hadn't worked together long enough to infuse corrective feedback into their operations. For my friends that love American football... Love or hate the Dallas Cowboys, the insane sync between Tony Romo and Jason Witten emerges when they are under pressure. The same should happen with your own operations.

The 2004 Men's Olympic Basketball Team. [From Wikipedia]

The revamped 2004 team consisted of some young NBA [super]stars early in their careers, such as Carmelo Anthony and LeBron James, and also included recent Most Valuable Players Tim Duncan and Allen Iverson. The team was coached by Larry Brown.

After struggles in several exhibition matches, the vulnerability of the 2004 team was confirmed when Puerto Rico defeated them 92–73 in the first game of the Olympic tournament in Athens. The 19 point defeat was the most lopsided loss for the USA in the history of international competition.

After winning close games against Greece and Australia, the USA fell to Lithuania, dropping to 2–2 in the Olympic tournament. Even after an 89–53 win over Angola, the Americans entered the knockout rounds in fourth place due to goal average, the lowest seed of their group. The Americans faced undefeated Spain in their quarterfinal game, winning 102–94.

The semi-final match saw the team defeated by Argentina, 89–81, ending the United States' hold on the gold medal. ... Before 2004, American teams had only lost two games in all previous Olympic tournaments, whereas in this one the American team lost three.

Thursday, November 17, 2011

VMware vCloud Director Segmentation: PCI and HIPAA Firewall Controls

This came up last week and I thought I would post here to keep the information easily accessible.

Yes. You can use vCD to segment environments that are required to comply with HIPAA and/or PCI.

The firewall functions in vCD in no way preclude you from using vCD to host production Primary Account Number (PAN) or electronic Protected Health Information (ePHI) data, as long as you comply with all of the other controls required to host the information. Here are the details from the requirements along with specific comments.

PCI has an entire section devoted to firewall controls (Requirement 1: Install and maintain a firewall configuration to protect cardholder data), of which the most restrictive requirements are [1] the ability to implement ACLs, and [2] SPI/Dynamic Packet Filtering.

Requirement 1.3.6 
Verify that the firewall performs stateful inspection (dynamic packet filtering). (Only established connections should be allowed in, and only if they are associated with a previously established session.) 
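To make Requirement 1.3.6 concrete, here is an added illustration (my own example code, not vCD's firewall implementation) of what "only established connections, associated with a previously established session" means in practice: a minimal connection tracker that admits inbound packets only when they belong to a session an internal host opened, or when a new inbound connection hits an explicitly published service in the inbound ACL. The packets, addresses and the prefix-based zone test are constructed for the demonstration.

```python
"""Stateful (dynamic packet filtering) decision logic in the spirit of PCI DSS 1.3.6.
Added example, not vCD code. All addresses and packets below are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False  # True when this packet opens a new connection


class StatefulFirewall:
    def __init__(self, internal_prefix, inbound_acl):
        self.internal_prefix = internal_prefix  # simplification: zone by address prefix
        self.inbound_acl = set(inbound_acl)     # published services: (dst_ip, dport, proto)
        self.sessions = set()                   # 5-tuples of connections seen opening

    def is_internal(self, ip):
        return ip.startswith(self.internal_prefix)

    @staticmethod
    def _key(p):
        return (p.src, p.sport, p.dst, p.dport, p.proto)

    @staticmethod
    def _reverse_key(p):
        return (p.dst, p.dport, p.src, p.sport, p.proto)

    def filter(self, p):
        """Return ('ALLOW' | 'DROP', reason) for one packet, updating session state."""
        key, rkey = self._key(p), self._reverse_key(p)
        # Either direction of an already-established session is fine.
        if key in self.sessions or rkey in self.sessions:
            return ("ALLOW", "belongs to an established session")
        # Anything else must be a connection request; mid-stream strays are dropped.
        if not p.syn:
            return ("DROP", "out-of-state packet with no matching session")
        if self.is_internal(p.src) and not self.is_internal(p.dst):
            self.sessions.add(key)
            return ("ALLOW", "new outbound session recorded")
        if not self.is_internal(p.src) and self.is_internal(p.dst):
            if (p.dst, p.dport, p.proto) in self.inbound_acl:
                self.sessions.add(key)
                return ("ALLOW", "new inbound session permitted by ACL")
            return ("DROP", "unsolicited inbound connection attempt")
        return ("DROP", "traffic not crossing the segment boundary")


def run_demo():
    """Feed a constructed packet sequence through the firewall; return the verdicts."""
    fw = StatefulFirewall("10.1.1.", inbound_acl={("10.1.1.10", 443, "tcp")})
    packets = [
        Packet("10.1.1.20", 40000, "203.0.113.5", 443, syn=True),   # internal host opens
        Packet("203.0.113.5", 443, "10.1.1.20", 40000),             # reply to that session
        Packet("198.51.100.7", 5555, "10.1.1.20", 40000, syn=True), # unsolicited, no ACL
        Packet("198.51.100.7", 5555, "10.1.1.10", 443, syn=True),   # published web service
        Packet("10.1.1.10", 443, "198.51.100.7", 5555),             # server's reply
        Packet("198.51.100.7", 6666, "10.1.1.20", 22),              # stray mid-stream packet
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    for verdict, reason in run_demo():
        print(f"{verdict:5} {reason}")
```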

HIPAA has specific segmentation requirements for health care clearinghouse functions. Although they are specifically called out as Administrative Controls, the rule defines that term as:

Sec. 164.304 Definitions 
Administrative safeguards are administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's workforce in relation to the protection of that information. 

Note the lack of any detailed requirements – intentionally – to allow a broad range of solutions to fit the requirement.

164.308(a)(4)(ii)(A)
(ii) Implementation specifications:
    (A) Isolating health care clearinghouse functions (Required). If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.

The Circle of Trust - Cloud Audit Assurance

Assurance is the grounds for confidence that the set of intended security controls in an information system are effective in their application. 
(NIST SP 800-37 and SP 800-53A)  

Cloud Audit Assurance. 
What can you do to provide assurance that your cloud infrastructure serves the purpose for which it was designed while protecting the data? Where do you start? Where does trust begin? Let's discuss three cycles that may help frame the discussion and an approach that may work for you. There's truth in the effectiveness of simple models that are easily understood and that can deliver repeatable results.

Start with the Business: Solution Alignment Cycle.
A previous post discussed GRC in the context of the business. We have to understand the objectives of the business and how the infrastructure and workloads align and support the objectives, in the context of risk, while managing compliance concerns. One of the great values of GRC tools is their ability to continually monitor and measure the effectiveness of your GRC program. A governor, or speed limiter, is a device used to measure and regulate the speed of a machine, such as an engine (wikipedia..). The important analogy is the feedback mechanism to regulate the effectiveness of the mechanical engine to perform as expected. The illustration below shows a simple cycle that is intended to be self governing.


Governance (alignment to business objectives) greatly affects how Risk (probability and impact) and Compliance (authorities, contracts, policies) are managed. Frameworks (COBIT, etc) may be used to help drive the GRC program, whose effectiveness is measured using GRC Tools. The workflow of the GRC Tool helps to continuously regulate the cycle.

Manage the Technology: Solution Delivery Cycle.
The Storage, Network, Compute, and Hypervisor (infrastructure) and Solutions (workloads) deliver a service. The effectiveness of a solution (capacity, performance, alignment/ability to meet needs/applicability) continually drives the selection and amount of technology assets required to deliver the solution. Put differently, the measurement of the effectiveness of the solution drives the hardware and software requirements.

Add Secure Operations Processes.
The PCVMR cycle was discussed in the previous post using the mission of a submarine. Provision the technology assets. Configure in accordance with your authorities, best practices, and policies. Validate against your checklists and using (as risk appropriate) additional tools, scanners, or third party resources. Monitor for deviations from your baseline. Accurately Respond and improve your processes based on what you learned.





Monday, October 31, 2011

Mission Operations - PCVMR Cycle

Reminiscing About the Past

Assurance.
Leading off the previous post, let's delve deeper into the processes that helped provide mission assurance to the crew taking the boat down to operational depth. We spoke of submarines and the mature operational approach that allowed a crew barely out of high school, most with no formal education, to not only function in these demanding environments, but excel and push themselves and their equipment to the extremes. 

Why were we successful? 
It was more than top-notch training. It was more than engineering and equipment superiority. It included a deep knowledge of operational processes that work in orchestration with the equipment and a firm understanding of the mission objectives and risks. The effectiveness of everything was measured and fed back into the processes and equipment.

Provision | Configure | Validate | Monitor | Respond
The PCVMR process cycle provides insight into how we were able to attest to the assurance of our boat to keep us safe and deliver on her mission. Here's how it works.


Provision: Equip yourself with the right systems for your mission. Submarines are equipped with systems appropriate for accomplishing their mission. Ballistic missile and attack submarines have very different missions and very different equipment... and crew and training. The highly specialized Submarine NR-1 was outfitted with equipment and capabilities not found in other subs because that's what her missions required. 

Configure: We sometimes laughed at a few of the Standard Operating Procedures (SOPs), but we respected them. Some would say, "Rules are written in blood." That's because somebody paid a heavy price for that stupid rule to check that breaker or valve lineup twice. Every system had a checklist for every operational lineup. These lineups are thoroughly tested by smart engineers, and every effort is made to follow the book. It's one thing if you're throwing your leftover litter into a McDonalds wastebasket. It's another to dump or pump it overboard underwater. One is casual. The other is very carefully handled. 

Validate: Everything was checked twice before getting underway. Every critical system was reviewed. Every change. Anyone that's spent time underway will recall the repeat-backs required on the phones as you read from a procedure to the senior operator. The senior operators then repeated the same requests to watch officers for final permission. Everyone backed each other up to validate actions. Important actions were verified formally by a second person and signed off by all parties involved. Some critical actions required multiple validations and checks based on the effect of the system on the ship's mission. Once everything is known, you have entered an operational steady state, or a known state of operations. 

Monitor: Despite the best intentions to engineer flawless equipment and set everything up correctly, things go wrong. Systems are heavily monitored, automatically and manually, many both, to identify state deviations, or changes in the known state of operations. These may be intentional by the crew and known. These may be intentionally malicious from an external source, or changes could exist because of an inexperienced operator. The monitoring systems (some of which are redundant) help identify the early state of changes to give operators the most time to respond appropriately. Monitoring occurs across many complex related systems, and you need to identify issues as quickly as possible to minimize their impact. 

Respond: It is the operator's experience and well-rehearsed drills that help lead the best response. Realistic drills are part of every day life underway in preparation for when something bad happens. You expect something bad to happen. And it does. It's the workflow, methodical analysis, and rapid response that make the difference between "that was close!" and a new SOP. Rules are written in blood. Responses to incidents are debriefed for details that could have managed the incident better than what was done. After Action Reviews. Post Incident Reviews. The outcomes of these meetings complete the PCVMR Cycle as they affect the Provisioning, Configuring, Validating, Monitoring, and Responding. 

Can you see how this translates to cloud security and audit? We'll dig into that next. It's time to walk out of the bubble and back into the cloud:).

Thursday, October 27, 2011

Workflow for Analyzing Security Context

We handled complex systems in the subsurface Navy, including Sonar, Navigation, Missile Controls, Reactor, Steam, Hydraulic, Water, Air, Electrical, Propulsion, and many, many others necessary to sustain life in a steel tube for months at a time under water.

There are several parallels to the complex infrastructures I work with in IT. The program for training 18-19 year old kids in less than two years to operate billion dollar reactors is incredibly effective. The success of the program hinges on several important factors, including top-notch training that I haven't experienced in any of the dozens of schools I've attended since leaving the military. They drill, drill, drill the concepts of controls in systems engineering, system integrity, monitoring, and response. You can summarize the operational processes for handling, and providing assurance for, complex systems in the five step cycle of Provision-Configure-Validate-Monitor-Respond. The workflow is shown in the illustration below. In the coming days I will dig into this further to explain each of the processes and how they interrelate.

Monday, October 3, 2011

RSA Conference Europe


You can find me at the RSA Conference Europe next week in London covering GRC and cloud computing environments. 

Wednesday, September 21, 2011

Security Rebooted.

As reported on several news outlets and blogs... Windows 8 is giving startup malware the <a*hem*> "boot". Stories can be found on Ars Technica and Tech World. Quoting from Tech World, "Probably the biggest security addition is Windows 8's support for UEFI 2.3.1 secured boot technology (which requires BIOS support), which stops early-booting malware from interfering with antivirus products before they load into memory."

Wednesday, August 31, 2011

Solution Security

This is a short post that's going to have to be expanded later. There are too many questions that a seasoned professional would ask about this model without having the background and scope of the model clearly defined. There are clearly shortcomings in this model as-is. However, it has also provided a fantastic simplified background for discussion to view security from more than one perspective, and to appreciate the breadth of controls that work together to provide information protection. Thank you Charles Benagh for your excellent help with this. It was during our conversations that this finally came together. (You can click on the image to expand it)

Specific to Solution Security, there is far more than I have time for right now to address in any real detail. Here is an overview:

Monday, August 22, 2011

Compliance for the Masses - Simplified Models

This functional illustration shows how standards and regulations correlate with specific requirements, policies, controls, and audit points. I created a version of this illustration for a group of RSA SEs learning Archer as a way to quickly bridge the gap between authority documents (standards and regulations) and audits while keeping important details.

Standards and regulations - Authorities - contain requirements which when documented become policies and procedures. That's simple enough. Controls are implemented to ensure policies are followed. Again - straight forward. Controls are then audited on a periodic basis to ensure controls align with policies and required compliance mandates. Make sense?

This is a simple compliance model. There is a different model and view of security of which this becomes a component.

PCI-DSS Example
  • Authority: PCI-DSS is the authority document created by the PCI-SSC.
  • Requirement: (10.6) Review logs for all system components at least daily.
  • Policy: Monitoring Policy – States logs will be reviewed at least daily.
  • Control: RSA enVision provides real-time monitoring for all system components.
  • Audit: Auditor verifies RSA enVision is appropriately monitoring and alerting to actionable events. Audit results and evidence are stored as part of the audit.
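The chain above can be exercised as an executable audit step. The following is an added example (my own code, not RSA Archer or enVision functionality): it carries the PCI-DSS 10.6 chain as data, checks constructed daily review sign-off evidence against the "at least daily" requirement, and maps every gap back up through control, policy and requirement so the finding reads the way it would in the work papers.

```python
"""Authority -> Requirement -> Policy -> Control -> Audit, run as a check.
Added example; the chain text follows the post, the evidence records are constructed."""
from datetime import date, timedelta

# The PCI-DSS 10.6 chain exactly as the post lays it out.
CHAIN = {
    "authority": "PCI-DSS (authority document created by the PCI-SSC)",
    "requirement": "10.6 Review logs for all system components at least daily",
    "policy": "Monitoring Policy: logs will be reviewed at least daily",
    "control": "Log monitoring platform (e.g. RSA enVision) with daily review sign-off",
    "audit": "Verify a signed review record exists for every component on every day",
}

# Constructed evidence: (system component, date of review, reviewer sign-off)
REVIEW_EVIDENCE = [
    ("fw-edge-01", date(2011, 8, 15), "jdoe"),
    ("fw-edge-01", date(2011, 8, 16), "jdoe"),
    ("fw-edge-01", date(2011, 8, 17), "asmith"),
    ("fw-edge-01", date(2011, 8, 18), "jdoe"),
    ("fw-edge-01", date(2011, 8, 19), "jdoe"),
    ("db-card-01", date(2011, 8, 15), "asmith"),
    ("db-card-01", date(2011, 8, 16), "asmith"),
    # no record for db-card-01 on 2011-08-17: the gap the audit should surface
    ("db-card-01", date(2011, 8, 18), "asmith"),
    ("db-card-01", date(2011, 8, 19), "jdoe"),
    ("db-card-01", date(2011, 8, 22), "jdoe"),  # outside the period; must be ignored
]


def audit_daily_review(evidence, components, start, end):
    """Return [(component, missed_day)] for every day in [start, end] lacking a review."""
    reviewed = {(component, day) for component, day, _ in evidence}
    findings = []
    day = start
    while day <= end:
        for component in components:
            if (component, day) not in reviewed:
                findings.append((component, day))
        day += timedelta(days=1)
    return findings


def audit_report(findings, chain=CHAIN):
    """Trace each gap back up the chain so the work paper cites policy and requirement."""
    report = []
    for component, day in findings:
        report.append({
            "finding": f"No log review evidence for {component} on {day.isoformat()}",
            "control": chain["control"],
            "policy": chain["policy"],
            "requirement": chain["requirement"],
            "authority": chain["authority"],
        })
    return report


def run_audit():
    """Run the 10.6 check over the constructed period and return its findings report."""
    findings = audit_daily_review(
        REVIEW_EVIDENCE, ["fw-edge-01", "db-card-01"],
        date(2011, 8, 15), date(2011, 8, 19),
    )
    return audit_report(findings)


if __name__ == "__main__":
    for entry in run_audit():
        print(entry["finding"], "->", entry["requirement"])
```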

Authorities to Audits

Thursday, August 11, 2011

Federal Information Assurance: The DoD IA Policy Chart

DoD IA Policy Chart
The Information Assurance Technology Analysis Center (IATAC) publishes a helpful chart that you may not know about unless you work with Federal accounts. The DoD IA Policy Chart does a great job illustrating the staggering number of regulations, standards, and guidance documents created by our government.

From the website: "The goal of the IA Policy Chart is to capture the tremendous breadth of applicable policies, some of which many IA practitioners may not even be aware, in a helpful organizational scheme. [...] At the bottom center of the chart is a legend that identifies the originator of each policy by a color-coding scheme. On the right hand side of the IA Policy Chart, there are boxes, which cover the legal authority for the policies, the federal/national level of IA policies, as well as operational and subordinate level documents that provide details on securing the GIG [Global Information Grid] and its assets. Links to these documents can be found in the Chart."

To the team of people to put this together: Awesome job. Thank you for the hard work.

Here is the list of resources used in the creation of the chart:

Thursday, August 4, 2011

Security Topics of Interest – Check all that apply


I joined the InterSeC community some time ago because of a banner they have on ISC2's website. The registration process includes questions about your security interests across 62 topical areas.... Have you ever wondered why it's so hard to be an expert in everything? :)

Here are the 62 security topics listed on the InterSec website: 

Access Control, Analysis & Monitoring, Anti Malware, Application Security, Audit, Authentication, Business Continuity & Disaster Recovery, Cloud Computing, Compliance Management, Computer Forensics, Configuration/Patch Management, Content Filtering, Cybercrime, Data Leakage Protection, Database Security, Denial of Service, DIACAP, Digital Certificates, Digital Forensics/E-Discovery, Digital Rights Management, DOD IA, Education/Training, Encryption/Key Management, Endpoint Security, Enterprise Security, Firewalls, Fraud, GRC (Governance Risk and Compliance), HIPAA, Identity Management, Identity Theft, IDS/IPS (Intrusion Detection/Prevention Systems), Incident Response, Managed Security Services, Messaging Security, Mobile Security, Network Protocol Security, Password Management, PCI, Penetration Testing, Physical Security, PKI, Policy Management Enforcement, Privacy, Professional Certification, Provisioning, Remote Access, Risk Assessment & Management, Secure File Transfer, Secure Virtualization, Security Consulting, Security Metrics, SIEM, Single Sign On, Software Code Vulnerability Analysis, SOX, Storage Security or Secure Storage, VoIP Security, VPN, Vulnerability Assessment, Web Filtering, Wireless Security

Wednesday, August 3, 2011

The Best Kept SMB Secret: Cloud WAF

Allen Mohler's Gym... Kids learn discipline and work ethic.
A legend in Mixed Martial Arts (MMA) sat with me on a long flight last week. I was immediately struck by his easy going demeanor that exuded confidence. I learned that he has his own MMA gym with 500+ fighters. His specialty is Brazilian Jiu-Jitsu, and there was no doubt he can take care of himself.

But can he take care of his website?

He's not focused on protecting his website. He's teaching boys how to be men. He needs a simple and cost effective solution to stop malicious attacks. 

Proxied web application firewalls have been around for a few years now, but surprisingly few SMBs know about them, or know how cost-effective they can be to stop malicious attacks.  

Enter the Dragon: Cloud services like Incapsula (SMB friendly) and Imperva (Commercial and Enterprise) drop malicious attacks before they hit your website. Incapsula even has a free service for websites that don't serve SSL traffic. Now, instead of having to worry about an appliance to take care of his web traffic... he can focus on taking care of his favorite students.